http://bugzilla.opensuse.org/show_bug.cgi?id=1028975 http://bugzilla.opensuse.org/show_bug.cgi?id=1028975#c3 Ansgar Esztermann changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED --- Comment #3 from Ansgar Esztermann --- Upstream installs $CHECKRESULTDIR with setgid $command_grp (so when nagios creates the named pipe, it is owned by group nagcmd automatically), but we don't. Unless there's some compelling reason not to, I'd prefer reverting to upstream behaviour here. However, this must not be done in %post. Instead, the %attr entry needs to be changed. If there are no objections, I'll create an SR. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1028975 http://bugzilla.opensuse.org/show_bug.cgi?id=1028975#c5 --- Comment #5 from Lars Vogdt --- JFYI from the changelog: -------------------------------------------------------------------- Fri Jul 8 11:35:37 UTC 2011 - lars@linux-schulserver.de - removed setuid bit from /var/spool/nagios - configure the right permissions on service start instead --------------------------------------------------------------------

From my memory: setting the setguid (I assume the "setuid" in the changes file is a typo) bit for the directory would allow any application in the nagioscmd group to write into this directory.

While this might be wanted for most systems, the current "default" is a bit more secure as it only allows the nagios daemon itself to write into the directory. Using a permissions file, that allows to adapt the permissions for the directory, might be a possible solution here that allows a very secure standard installation while informed users could change the setup via the permission file (and calling "chkstat --system --set"). -- You are receiving this mail because: You are on the CC list for the bug.