Hi, Stephan Seitz: > I did a „setcap cap_sys_ptrace+eip > /usr/lib/nagios/plugins/check_procs”, but a normal user can’t still > check for running programs of another user. > > What did I wrong? > check_procs is a script, not a "real" executable. Since starting an interpreter with capabilities (or setuid, for that matter) of a script involves a race condition (kernel starts interpreter with script's rights, Joe Badass replaces the script with something nefarious, interpreter gets around to opening script) this is a good thing. So you need a small C helper program here. Or not so small -- Apache's suexec is a good example of almost-all of the things which can go wrong. -- -- Matthias Urlichs
Attachment:
signature.asc
Description: Digital signature