[Bug 1028975] New: server:monitoring/nagios: /var/spool/nagios/nagios.cmd with wrong group
http://bugzilla.opensuse.org/show_bug.cgi?id=1028975 Bug ID: 1028975 Summary: server:monitoring/nagios: /var/spool/nagios/nagios.cmd with wrong group Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: Other OS: openSUSE 42.2 Status: NEW Severity: Normal Priority: P5 - None Component: 3rd party software Assignee: lars.vogdt@suse.com Reporter: wagner-thomas@gmx.at QA Contact: opensuse-communityscreening@forge.provo.novell.com CC: nix@opensuse.org Found By: --- Blocker: --- I installed nagios 4.3.1 in Leap 42.2 from server:monitoring. During installation an empty folder /var/spool/nagios is created. Upon first start of nagios the named pipe /var/spool/nagios is created with user "nagios" and group "nagios". However, it should be created as group "nagcmd" in order to allow control of nagios via the webinterface (like re-sheduling a check). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1028975
http://bugzilla.opensuse.org/show_bug.cgi?id=1028975#c3
Ansgar Esztermann
http://bugzilla.opensuse.org/show_bug.cgi?id=1028975
http://bugzilla.opensuse.org/show_bug.cgi?id=1028975#c4
Lars Vogdt
Upstream installs $CHECKRESULTDIR with setgid $command_grp (so when nagios creates the named pipe, it is owned by group nagcmd automatically), but we don't.
Unless there's some compelling reason not to, I'd prefer reverting to upstream behaviour here. However, this must not be done in %post. Instead, the %attr entry needs to be changed. If there are no objections, I'll create an SR.
Absolutely fine with me. Let's add security here to also have a look and give their ok. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1028975
http://bugzilla.opensuse.org/show_bug.cgi?id=1028975#c5
--- Comment #5 from Lars Vogdt
From my memory: setting the setguid (I assume the "setuid" in the changes file is a typo) bit for the directory would allow any application in the nagioscmd group to write into this directory.
While this might be wanted for most systems, the current "default" is a bit more secure as it only allows the nagios daemon itself to write into the directory. Using a permissions file, that allows to adapt the permissions for the directory, might be a possible solution here that allows a very secure standard installation while informed users could change the setup via the permission file (and calling "chkstat --system --set"). -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com