[Pkg-nagios-changes] [pkg-monitoring-plugins] 42/51: check_icmp/check_dhcp: Implementing setcap

Jan Wagner waja at moszumanska.debian.org
Mon Jul 7 14:36:25 UTC 2014


This is an automated email from the git hooks/post-receive script.

waja pushed a commit to branch master
in repository pkg-monitoring-plugins.

commit a6611b1e19bf49a2c42f3087c980c5aad78d5fc2
Author: Jan Wagner <waja at cyconet.org>
Date:   Wed Jul 2 13:54:23 2014 +0200

    check_icmp/check_dhcp: Implementing setcap
---
 debian/README.Debian                     | 18 ++++++++++++------
 debian/control                           |  1 +
 debian/monitoring-plugins-basic.postinst | 17 +++++++++++++++++
 3 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/debian/README.Debian b/debian/README.Debian
index a3f4378..b17f17a 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -65,14 +65,20 @@ example if you're installing nrpe or nsca on a remote host), try the
 monitoring-plugins-basic package.
 
 ================================================================================
-plugins needing root privilege
+plugins needing root privilege or capabilities(7) set
 ================================================================================
 
-the check_dhcp, check_icmp and maybe others plugins require root privileges to
-run, because of the low-level packet mangling that they perform.
-but, in the interest of the "safe default", these plugins will not
-be installed with the suid bit set.  there are two recommended ways
-about overriding this on your system:
+the check_dhcp, check_icmp and maybe others plugins require root privileges or
+capabilities(7) to run, because of the low-level packet mangling that they
+perform. but, in the interest of the "safe default", these plugins will not
+be installed with the suid bit set.
+if setcap is able set the necessary capabilities, you are fine. if the setcap
+binary is not installed or not able to set the capabilities, you need to
+eighter set the capabilities (cap_net_raw+ep) for your own or provide root
+privileges.
+
+there are two recommended ways about providing root privilegethis on your
+system:
 
 - set the suid bit with dpkg-statoverride:
 
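Review bot: the added paragraph has several typos that will ship in the installed README: "is able set" should be "is able to set", "eighter" should be "either", "for your own" should be "on your own", and "providing root privilegethis on your system" looks like a half-finished edit of the old "overriding this" wording (probably meant "providing root privileges on your system"). Since setting the capability by hand is now a documented fallback, it would also help to spell out the full setcap command with the plugin path instead of only naming cap_net_raw+ep.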
diff --git a/debian/control b/debian/control
index b32f2cc..a93ba0b 100644
--- a/debian/control
+++ b/debian/control
@@ -38,6 +38,7 @@ Description: Common files for plugins for nagios compatible monitoring
 Package: monitoring-plugins-basic
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, monitoring-plugins-common, procps, iputils-ping [linux-any], inetutils-ping (>= 2:1.9-1~) [kfreebsd-any hurd-any], ucf
+Recommends: libcap2-bin [linux-any]
 Replaces: nagios-plugins-basic (<< 1.6-1~)
 Breaks: nagios-plugins-basic (<< 1.6-1~)
 Suggests: nagios3 | icinga
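Review bot: with libcap2-bin only in Recommends, a system installed without recommended packages takes the "Setcap is not installed" branch of the postinst, and installing libcap2-bin afterwards does not re-run this package's configure step, so check_icmp and check_dhcp stay without cap_net_raw until the package is next configured. Either say so in README.Debian (the admin has to reconfigure the package or run setcap by hand after installing libcap2-bin), or consider whether a Depends on linux-any is acceptable.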
diff --git a/debian/monitoring-plugins-basic.postinst b/debian/monitoring-plugins-basic.postinst
index a753cba..2a68e0e 100644
--- a/debian/monitoring-plugins-basic.postinst
+++ b/debian/monitoring-plugins-basic.postinst
@@ -4,9 +4,26 @@ set -e
 
 templdir=/usr/share/monitoring-plugins/templates-basic
 . /usr/share/monitoring-plugins/dpkg/functions
+plugindir=/usr/lib/nagios/plugins/
 
 if [ "$1" = "configure" ]; then
 	register_cfgs $2
+
+	# If we have setcap is installed, try setting cap_net_raw+ep,
+	# which allows us to make our binaries working without the
+        # setuid bit
+	if command -v setcap > /dev/null; then
+		if setcap cap_net_raw+ep ${plugindir}/check_icmp cap_net_raw+ep ${plugindir}/check_dhcp; then
+			echo "Setcap for check_icmp and check_dhcp worked!"
+		else
+			echo "Setcap for check_icmp and check_dhcp failed." >&2
+			echo "Please refer README.Debian.gz for using plugins needing" >&2
+			echo "higher privileges!" >&2
+		fi
+	else
+		echo "Setcap is not installed, please refer README.Debian.gz for using" >&2
+		echo "plugins needing higher privileges!" >&2
+	fi
 fi
 
 #DEBHELPER#
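Review bot: the single setcap call in the configure branch covers both files, so a failure on either one prints "Setcap for check_icmp and check_dhcp failed." and the admin cannot tell which binary was left without the capability; a loop over the two plugins with one setcap call and one message each would be clearer. In the same lines, plugindir ends in "/" and is then joined with "/check_icmp", producing a double slash, and the expansions are unquoted: drop the trailing slash and write "${plugindir}/check_icmp". The third comment line is indented with spaces while the rest of the block uses tabs, and "If we have setcap is installed" should read "If setcap is installed". Since README.Debian still documents setting the suid bit through dpkg-statoverride, it is also worth deciding whether the capability should be applied when the admin has already registered an override for these files.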

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-nagios/pkg-monitoring-plugins.git


