[Pkg-nagios-devel] Bug#538828: Bug#538828: Bug#538828: nagios3-common: README.Debian fails to explain why external commands are disabled
Marc Haber
mh+debian-packages at zugschlus.de
Sun Dec 13 07:41:43 UTC 2009
On Wed, Jul 29, 2009 at 04:28:57PM +0200, Sascha Wilde wrote:
> I guess you are referring to docs/security.html:
>
> 4. Lock Down The External Command File. [...] If you've installed
> Nagios on a machine that is dedicated to monitoring and admin tasks
> and is not used for public accounts, that should be fine. If you've
> installed it on a public or multi-user machine (not recommended),
> allowing the web server user to have write access to the command
> file can be a security problem. After all, you don't want just any
> user on your system controlling Nagios through the external command
> file. In this case, I would suggest only granting write access on
> the command file to the nagios user and using something like CGIWrap
> to run the CGIs as the nagios user instead of nobody.
>
> Anyway README.Debian documents Debian specific changes and decisions and
> if the only reasons for disabling "external commands" are those
> discussed in the official documentation you should add a pointer to the
> relevant passage. Without such a clarification one could (and I
> certainly did) assume that you have additional reasons for considering
> the feature a possible security threat. Especially as the Nagios
> documentation does not make a specifically strong point of this
> potential problem (the problem only exists when Nagios is installed in
> non-recommended ways).

I bet that most nagios test installations get installed on boxes where
Nagios is not alone on the web server. I do not feel particularly
comfortable with shipping the external command file writeable by the
web server in the default configuration and think strongly that this
should be a conscious decision of the local admin.

Jan, you might want to tag this bug wontfix if you do not intend to
make the suggested changes.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
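
An added example, not part of the original message and not code from Nagios or the Debian package: a small Python check that reports who, besides the owner, can write to the external command file discussed above. The path is supplied by the caller, and `audit_command_file` and its `web_gid` parameter (the numeric group id the web server runs under) are hypothetical names chosen for this illustration.

```python
import os
import stat


def audit_command_file(path, web_gid=None):
    """Return a list of findings about who can write to the command file.

    path    -- location of the external command file (caller-supplied)
    web_gid -- numeric group id of the web server user, if known (assumption)
    """
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path

    # Nagios reads external commands from a named pipe.
    if not stat.S_ISFIFO(st.st_mode):
        findings.append("not a FIFO: %s" % stat.filemode(st.st_mode))

    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can submit commands")

    if st.st_mode & stat.S_IWGRP:
        if web_gid is not None and st.st_gid == web_gid:
            findings.append("writable by the web server group (gid %d)" % st.st_gid)
        else:
            findings.append("group-writable by gid %d: review its members" % st.st_gid)

    # Write access to the directory allows replacing the file itself.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")

    return findings


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        for f in audit_command_file(p) or ["no write access beyond the owner"]:
            print("%s: %s" % (p, f))
```

An empty result means only the owning user can write to the file, which matches the "write access only for the nagios user" arrangement quoted from docs/security.html.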