[Pkg-nagios-devel] Bug#538828: Bug#538828: Bug#538828: nagios3-common: README.Debian fails to explain why external commands are disabled

Marc Haber mh+debian-packages at zugschlus.de
Sun Dec 13 07:41:43 UTC 2009 

On Wed, Jul 29, 2009 at 04:28:57PM +0200, Sascha Wilde wrote:
> I guess you are referring to docs/security.html:
> 
>  4. Lock Down The External Command File.  [...] If you've installed
>     Nagios on a machine that is dedicated to monitoring and admin tasks
>     and is not used for public accounts, that should be fine. If you've
>     installed it on a public or multi-user machine (not recommended),
>     allowing the web server user to have write access to the command
>     file can be a security problem. After all, you don't want just any
>     user on your system controlling Nagios through the external command
>     file. In this case, I would suggest only granting write access on
>     the command file to the nagios user and using something like CGIWrap
>     to run the CGIs as the nagios user instead of nobody.
> 
> Anyway README.Debian documents Debian specific changes and decisions and
> if the only reasons for disabling "external commands" are those
> discussed in the official documentation you should add a pointer to the
> relevant passage.  Without such an clarification one could (and I
> certainly did) assume that you have additional reasons for considering
> the feature a possible security threat.  Especially as the Nagios
> documentation does not make a specifically strong point of this
> potential problem (the problem only exists when Nagios is installed in
> non-recommended ways).

I bet that most nagios test installations get installed on boxes where
Nagios is not alone on the web server. I do not feel particularly
comfortable with shipping the external command file writeable by the
web server in the default configuration and think strongly that this
should be a conscious decision of the local admin.

Jan, you might want to tag this bug wontfix if you do not intend to
make the suggested changes.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

More information about the Pkg-nagios-devel mailing list