/etc/sudoers and piping

ant2ne
Posts: 23
Joined: 2015/01/26 22:14:59

/etc/sudoers and piping

Post by ant2ne » 2015/03/24 17:40:27

Why won't this work?!

nagios   ALL=(ALL) NOPASSWD: /sbin/iptables -S INPUT | /usr/bin/wc -l

[nagios@server ~]$ sudo  /sbin/iptables -S INPUT | /usr/bin/wc -l
[sudo] password for nagios:

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: /etc/sudoers and piping

Post by TrevorH » 2015/03/24 17:49:02

Because it doesn't work like that. You need to allow it to run /sbin/iptables -S INPUT as that's the part that needs root privileges. Once the sudo part sends its output out, the next portion after the pipe runs as the user who invoked sudo and wc doesn't need root privileges.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

poky
Posts: 108
Joined: 2013/03/27 12:18:03

Re: /etc/sudoers and piping

Post by poky » 2015/03/24 18:15:48

echo "/sbin/iptables -S INPUT | /usr/bin/wc -l" | sudo sh

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: /etc/sudoers and piping

Post by TrevorH » 2015/03/24 18:31:44

There is zero requirement to run wc as root.

ant2ne
Posts: 23
Joined: 2015/01/26 22:14:59

Re: /etc/sudoers and piping

Post by ant2ne » 2015/03/24 18:41:56

Access to /sbin/iptables -S is insecure. It gives nagios the ability to see what ports are open and from where. I can't give him that kind of power. I don't mind him knowing the number of rules, just not the details of those rules. Basically I'm trying to secure a monitoring script that I found on the net which checks to see if iptables is up or not. If it isn't up, it flags an alert and I can put it back up. Sometimes an SA may troubleshoot an issue and forget to re-enable iptables.

I can't add the path and script to the sudoers. Then if the script is compromised, nagios has free rein on the box.

I can't allow nagios to gather more information than absolutely necessary to do its job.

One workaround may be to have cron run

 /sbin/iptables -S INPUT | /usr/bin/wc -l > /tmp/iptcount

and then have nagios read /tmp/iptcount, but that is another level of complexity I'd rather not manage.

 echo "/sbin/iptables -S INPUT | /usr/bin/wc -l" | sudo sh

also prompted for a password.

ant2ne
Posts: 23
Joined: 2015/01/26 22:14:59

Re: /etc/sudoers and piping

Post by ant2ne » 2015/03/24 18:46:54

I'm going to go another route. Thanks.

I still would like to know why the sudoers file hates the pipe "|".
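Added example, not posted by anyone in this thread: the shell splits the pipeline before sudo ever runs, so sudo only sees `/sbin/iptables -S INPUT` as its command and the sudoers entry containing `| /usr/bin/wc -l` never matches. The least-privilege fix the replies point at is a root-owned wrapper that runs the privileged half and prints only the count, so nagios gets sudo on exactly one argument-free command and never sees the rules themselves. The wrapper path `/usr/local/sbin/iptables-input-count` and the sudoers line in the comments are assumptions.

```shell
#!/bin/sh
# Wrapper that exposes only the number of iptables INPUT rules (added example).
# Install as root so the nagios user cannot edit it, then grant it in sudoers:
#   install -o root -g root -m 0755 iptables-input-count /usr/local/sbin/
#   visudo:  nagios ALL=(root) NOPASSWD: /usr/local/sbin/iptables-input-count ""
# The trailing "" in sudoers means the command may only be run with no
# arguments. Nagios then runs:  sudo /usr/local/sbin/iptables-input-count
set -eu
PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Count "-A INPUT" rules from `iptables -S INPUT` output read on stdin.
# The "-P INPUT <policy>" line is the chain policy, not a rule, so it is
# skipped; plain `wc -l` in the original command would have counted it too.
count_input_rules() {
    n=0
    while IFS= read -r line; do
        case $line in
            "-A INPUT "*|"-A INPUT") n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Fetch the live rules; no caller-supplied arguments ever reach iptables.
# Capturing into a variable first lets `set -e` abort if iptables fails,
# instead of silently reporting 0 rules from an empty pipe.
main() {
    [ "$#" -eq 0 ] || { echo "usage: ${0##*/} (takes no arguments)" >&2; exit 2; }
    rules=$(iptables -S INPUT)
    printf '%s\n' "$rules" | count_input_rules
}

# Only call main when executed under the installed wrapper name; when the
# file is sourced (for example to test count_input_rules) nothing runs.
case "${0##*/}" in
    iptables-input-count) main "$@" ;;
esac
```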
