Nagios has a plugin, check_dhcp
, that does exactly what you'd think. It's widely suggested to install it setuid root, because it uses SO_BINDTODEVICE
, which usually only root can do. Of course a similar thing can be accomplished with sudo
as well, but it remains that check_dhcp
would be executing with the whole of root privileges when it doesn't need them.
Unfortunately, check_dhcp
seems to be rather stupidly written for this usage, and does not make any attempt to drop root privileges after doing what it needs to do. This leads to at least one known security problem, but just generally is bad practice and I'd like to not do it.
So I'm wondering, is there some way I can enable check_dhcp
to do its necessary network interface frobbing, without granting it outright all root privileges? Perhaps something with capabilities, SELinux, AppArmor, or similar? Looking for a Linux solution — Ubuntu 14.04 in particular.
Best Answer
SO_BINDTODEVICE
requiresCAP_NET_RAW
.check_dhcp
also wants to bind to port 68, which requiresCAP_NET_BIND_SERVICE
. See capabilities(7) for detailed descriptions of the available capabilities.These two capabilities can be granted to the executable with
setcap
, like this:This should allow any user to run
check_dhcp
successfully, without possibly (if they can exploitcheck_dhcp
) giving them full root privileges.The plugin will still (rather stupidly) emit a warning:
To address this, you could:
np_warn_if_not_root
and recompile.