$OpenBSD: README-main,v 1.3 2012/06/28 23:10:48 sthen Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

The check_dhcp and check_icmp plugins need elevated privileges to
run properly. As check_icmp drops privileges early, it is installed
suid root. check_dhcp normally runs entirely as root; as the code
quality of this plugin is not really good, it is not installed
suid root by default.

Instead of running the whole plugin as root, it is possible to run
it with systrace's privilege elevation feature. This way the plugin
runs as _nagios, but the individual system calls requiring privileges
are run as root.

1) Create a preliminary systrace policy for the plugin.

# cd ${TRUEPREFIX}/libexec/nagios
# systrace -A -d /tmp ./<plugin> <plugin arguments>

This creates a policy for the plugin <plugin> in /tmp.

2) Refine the policy and configure privilege elevation as required. This
is an example, permitting the bind(2) syscall as root.

native-bind: sockaddr eq "inet-[0.0.0.0]:68" then permit as root

3) Copy the systrace policy to /etc/systrace.

4) Run visudo as root and configure sudo for user _nagios like this.

_nagios ALL=NOPASSWD: /bin/systrace -a -c 550\:550 \
    ${TRUEPREFIX}/libexec/nagios/<plugin> <plugin arguments>

5) Configure the respective command in nagios.

define command {
	command_name check_dhcp
	command_line sudo /bin/systrace -a -c 550:550 $USER1$/<plugin> <plugin arguments>
}

6) In case of problems, systrace will log to /var/log/messages.
