[Pkg-nagios-devel] Bug#538828: Bug#538828: nagios3-common: README.Debian fails to explain why external commands are disabled

Sascha Wilde wilde at intevation.de
Wed Jul 29 14:28:57 UTC 2009

Jan Wagner <waja at cyconet.org> writes:
> On Monday 27 July 2009, Sascha Wilde wrote:
>> While this explains why external commands don't work it does not explain
>> the rational behind disabelilng them.  "as a security feature" is an meta
>> explaination which does not allow an administrator to evaluate the pros and
>> cons on re-enabeling the commands feature.
>> The README should state what are the concrete risks of enabeling "external
>> commands" and what problems are known.  This is needed so that an
>> administrator can make an qualified decision on this subject.
> what about reading (and hopefully understanding) the documentation?

Always a good idea.  ;-)

I guess you are referring to docs/security.html:

 4. Lock Down The External Command File.  [...] If you've installed
    Nagios on a machine that is dedicated to monitoring and admin tasks
    and is not used for public accounts, that should be fine. If you've
    installed it on a public or multi-user machine (not recommended),
    allowing the web server user to have write access to the command
    file can be a security problem. After all, you don't want just any
    user on your system controlling Nagios through the external command
    file. In this case, I would suggest only granting write access on
    the command file to the nagios user and using something like CGIWrap
    to run the CGIs as the nagios user instead of nobody.

Anyway README.Debian documents Debian specific changes and decisions and
if the only reasons for disabling "external commands" are those
discussed in the official documentation you should add a pointer to the
relevant passage.  Without such an clarification one could (and I
certainly did) assume that you have additional reasons for considering
the feature a possible security threat.  Especially as the Nagios
documentation does not make a specifically strong point of this
potential problem (the problem only exists when Nagios is installed in
non-recommended ways).

Sascha Wilde                                          OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/                  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20090729/0faf6307/attachment.pgp>

More information about the Pkg-nagios-devel mailing list