[Pkg-nagios-devel] Bug#604053: nsca: starts as daemon although disabled in debconf

Bernd Zeimetz bzed at debian.org
Fri Nov 19 20:14:34 UTC 2010 

Package: nsca
Version: 2.7.2
Severity: serious

Installing nsca and answering 'no' to the debcanf question which asks if
you want to run the nsca daemon still results in a running daemon with a
pretty unusual PID:

4294967295 12373   1  0 21:08 ?        00:00:00 /usr/sbin/nsca --daemon -c /etc/nsca.cfg

I'm filing this as serious as I consider daemons which run and listen on
tcp ports without being configured to do so as a security issue.
Especially when they run with a UID which might b in use otherwise.
I'd guess it tries to use -1 as UID as that was the UID of nobody some
ancient times ago.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35.7-think (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nsca depends on:
ii  debconf [debconf-2.0]         1.5.36     Debian configuration management sy
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  libmcrypt4                    2.5.8-3.1  De-/Encryption Library

nsca recommends no packages.

Versions of packages nsca suggests:
pn  nagios                        <none>     (no description available)
ii  nagios-plugins                1.4.15-2   Plugins for the nagios network mon
ii  nagios-plugins-basic          1.4.15-2   Plugins for the nagios network mon

-- Configuration Files:
/etc/init.d/nsca changed:
DAEMON=/usr/sbin/nsca
NAME=nsca
DESC="Nagios Service Check Acceptor"
CONF=/etc/nsca.cfg
OPTS="--daemon -c $CONF"
PIDFILE="/var/run/nsca.pid"
if [ ! -x $DAEMON ]; then
	exit 0
fi
get_config(){
	grep "^[[:space:]]*$1=" $CONF 2>/dev/null | tail | cut -d= -f2-
}
PIDFILE=`get_config pid_file`
if [ -z "$PIDFILE" ];  then 
	# then this is the default PIDFILE
	PIDFILE="/var/run/nsca.pid"
	# run nsca in the foreground, and have s-s-d fork it for us
	OPTS="-f $OPTS"
	# and then this is how we call SSD
	SSD_STARTOPTS="--background --pidfile $PIDFILE --make-pidfile"
	SSD_STOPOPTS="--pidfile $PIDFILE"
else
	# but if pid_file is set, we don't have to do anything
	SSD_STARTOPTS="--pidfile $PIDFILE"
	SSD_STOPOPTS="--pidfile $PIDFILE"
fi
SSD_START="/sbin/start-stop-daemon --oknodo -S $SSD_STARTOPTS --exec $DAEMON"
SSD_STOP="/sbin/start-stop-daemon --oknodo -K $SSD_STOPOPTS --exec $DAEMON"
die(){
	echo $@
	exit 1
}
case "$1" in
start)
	echo -n "Starting $DESC: "
	if [ ! -d "/var/run/nagios" ]; then
		mkdir -p /var/run/nagios || die "ERROR: couldn't create /var/run/nagios"
	fi
	$SSD_START -- $OPTS || die "ERROR: could not start $NAME."
	echo "$NAME."
;;
stop)
	echo -n "Stopping $DESC: "
	$SSD_STOP -- $OPTS || die "ERROR: could not stop $NAME."
	rm -f $PIDFILE
	echo "$NAME."
;;
reload|force-reload)
	echo -n "Reloading $DESC: "
	$SSD_STOP --signal HUP -- $OPTS || die "ERROR: could not reload $NAME."
	echo "$NAME."
;;
restart)
	$0 stop
	$0 start
;;
esac

/etc/nsca.cfg changed:
pid_file=/var/run/nsca.pid
server_port=5667
nsca_user=nagios
nsca_group=nogroup
debug=0
command_file=/var/lib/nagios3/rw/nagios.cmd
alternate_dump_file=/var/run/nagios/nsca.dump
aggregate_writes=0
append_to_file=0
max_packet_age=30
decryption_method=1

/etc/send_nsca.cfg changed:
encryption_method=1


-- debconf information:
  nsca/run-nsca-daemon:

More information about the Pkg-nagios-devel mailing list