On Thu, Aug 17, 2006 at 01:57:05PM +0200, John GALLET wrote:
>> As Charles writes, you can use "sudo" to permit the hobbit user to run the privileged commands with root privs. The risk in doing that obviously is that if a user manages to break into your box and get shell access as the "hobbit" user, then he can run those same commands with root privileges.
> When it comes to security, a lot of things don't seem "obvious" to me!
Well, security often is far from obvious. If it were, we wouldn't have all those security incidents with computers.
> Especially the part about breaking into my box with the hobbit user. It's not named "hobbit", neither is its group. I use iptables and only allow INPUT on 1984 from my boxes, I htpasswd-protect all the hobbit cgi directories and run them as "nobody/nobody", and the shell account passwd is strong. But I can very easily have forgotten some *basic* security measure that applies to Hobbit (and which I am not familiar with because I don't run such daemons in general).
Securing Hobbit isn't very different from securing any kind of network service, and it sounds like you have it pretty much nailed down.
Hobbit in itself doesn't provide a whole lot of security settings; so far I have been quite happy to have security handled outside Hobbit by firewalls, Apache htaccess checks and general unix permissions. There is one security feature that you might want to look into: hobbitd (the core daemon) has a series of options controlling which IP addresses it will accept certain commands from. The "--admin-senders" option especially controls who may ask the Hobbit server to delete or rename hosts being monitored; if you're going to attack a server, it sure is nice if you can delete it from the monitoring system first - so that should be locked down. The default setting in hobbitlaunch.cfg only allows these commands to come from the Hobbit server itself.
A related option - the --maint-senders option - controls who can send commands to disable monitoring of a host. This is NOT restricted by default; if you only enable/disable hosts and tests via the built-in Hobbit web-utilities, then you can restrict this also to only accept such commands from the Hobbit server itself.
Finally, the "--status-senders" option controls who may update the status of a test. This is not turned on by default, so anyone can send in a status update for any host/service that Hobbit monitors. If you enable this, then only the host itself is allowed to send updates; the Hobbit server itself and any other servers running network tests must be allowed to send status updates.
All of these are described in the hobbitd(8) man-page.
Regards, Henrik
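The three sender restrictions Henrik describes (--admin-senders, --maint-senders, --status-senders) all live on the hobbitd CMD line in hobbitlaunch.cfg, so a quick audit is to pull that line out and see which of the three are absent. The script below is an added example, not code from this thread or from the Hobbit project; it assumes the stock hobbitlaunch.cfg layout ([section] headers with indented ENVFILE/CMD/LOGFILE lines), and the configuration file it inspects is constructed inline to mirror the default the mail describes, where only --admin-senders is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Hobbit project):
# audit a hobbitlaunch.cfg for the three hobbitd "sender" restrictions.
# Assumes the stock hobbitlaunch.cfg layout: "[name]" section headers
# followed by indented ENVFILE / CMD / LOGFILE lines.

# Print the CMD line of the [hobbitd] section of a hobbitlaunch.cfg,
# with the leading "CMD" keyword stripped.
hobbitd_cmd() {
    # $1 = path to hobbitlaunch.cfg
    awk '
        /^\[/                 { insec = ($0 == "[hobbitd]") }
        insec && $1 == "CMD"  { sub(/^[ \t]*CMD[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print the sender restrictions missing from a hobbitd command line,
# one per line. Empty output means all three are configured.
missing_senders() {
    # $1 = hobbitd command line
    for opt in admin-senders maint-senders status-senders; do
        case " $1 " in
            *" --$opt="*) ;;            # option present, nothing to report
            *) echo "--$opt" ;;
        esac
    done
}

# Constructed sample configuration: only --admin-senders is restricted,
# which is the default situation the mail describes.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
[hobbitd]
	ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
	CMD hobbitd --pidfile=$BBSERVERLOGS/hobbitd.pid --log=$BBSERVERLOGS/hobbitd.log --admin-senders=127.0.0.1,$BBSERVERIP
	LOGFILE $BBSERVERLOGS/hobbitlaunch.log

[bbdisplay]
	ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
	CMD bbgen --recentgifs
	LOGFILE $BBSERVERLOGS/bbgen.log
	INTERVAL 5m
EOF

CMD_LINE=$(hobbitd_cmd "$SAMPLE_CFG")
echo "hobbitd CMD: $CMD_LINE"
echo "missing sender restrictions (if any):"
missing_senders "$CMD_LINE"
rm -f "$SAMPLE_CFG"
```

Run against the constructed file it reports --maint-senders and --status-senders as missing. To close those gaps per the mail, append `--maint-senders=` and `--status-senders=` with the IP addresses of the Hobbit server itself and of every box that runs network tests (for example `127.0.0.1,$BBSERVERIP` plus the test servers) to the hobbitd CMD line, then restart hobbitlaunch; hobbitd(8) documents the exact syntax of the IP lists.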