monit-dev
Re: FreeBSD and monit status


From: Christian Hopp
Subject: Re: FreeBSD and monit status
Date: Thu, 12 Sep 2002 17:36:24 +0200 (CEST)

On 12 Sep 2002, Jan-Henrik Haukeland wrote:

> Christian Hopp <address@hidden> writes:
>
> > And now for something completely different... I asked before if we
> > should include a check for the permissions of the monitrc file.  IMO
> > monit must not start if the permissions are not 0600, 0400, 0500.
> > Opinions?
>
> Agree. We can put the test in env.c since this code runs early.

I could do.

> > Maybe we should think about a different way of saving the password.
> > We could use the htpasswd program of apache or we directly store it in
> > monit as md5, et al, like this
> >
> > set httpd port 2812
> >         allow admin:md5:6af286f0509e7c166abf710850f44fc4
> >         allow foo:nis:monituser
> >         allow foo:htpasswd:/opt/monit/htpasswd
>
> Nah, since monit does not utilize ssl or other encryption at the http
> level the user will have to provide a password in cleartext from
> within the browser (for Basic Auth), which could easily be sniffed. In
> other words this does not solve the fundamental problem. Besides md5
> will not work since monit implements Basic Authentication by comparing
> cleartext base64 encoded passwords.

Anyways, there was a thinking mistake of mine.  If we do not provide the
cleartext passwd... how should the cli interface communicate with the server?

I don't see sniffing as so critical, because it is not wise to let monit run
on anything else but localhost. You can easily let programs like stunnel
do the external communication.

C.Hopp


-- 
Christian Hopp                                email: address@hidden
Institut für Elektrische Informationstechnik             fon: +49-5323-72-2113
Technische Universität Clausthal                         fax: +49-5323-72-3197
  pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/chopp.key.asc  (2001-11-22)
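
The monitrc permission check proposed in the thread (refuse to start unless the mode is 0600, 0400 or 0500), as an added example that is not part of the original message and not monit's own code. The function names and the /tmp demo path are assumptions; checking the already-open descriptor with fstat() and requiring a regular file go beyond what the thread states.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Modes named in the thread: owner-only access, nothing for group/other. */
static const mode_t allowed_modes[] = { 0600, 0400, 0500 };

/* Hypothetical helper: returns 1 if the control file may be used, 0 if
 * startup must be refused. The file is opened first and examined with
 * fstat(), so the mode checked belongs to the file that would be parsed. */
int controlfile_permissions_ok(const char *path)
{
    struct stat st;
    int ok = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
        mode_t perm = st.st_mode & 07777; /* rwx bits plus setuid/setgid/sticky */
        for (size_t i = 0; i < sizeof allowed_modes / sizeof allowed_modes[0]; i++)
            if (perm == allowed_modes[i])
                ok = 1;
    }
    close(fd);
    return ok;
}

/* Constructed demo: create a temp file, give it `mode`, run the check. */
int demo_check_mode(mode_t mode)
{
    char path[] = "/tmp/monitrc-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    int ok = (rc == 0) ? controlfile_permissions_ok(path) : -1;
    unlink(path);
    return ok;
}

int main(void)
{
    const mode_t samples[] = { 0600, 0400, 0500, 0644, 0640, 0700 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%04o -> %s\n", (unsigned)samples[i],
               demo_check_mode(samples[i]) == 1 ? "start" : "refuse to start");
    return 0;
}
```
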




