[Pkg-nagios-devel] Bug#659928: icinga-cgi: icinga users improvements
Christoph Anton Mitterer
calestyo at scientia.net
Wed Feb 15 00:08:46 UTC 2012
Package: icinga-cgi
Version: 1.6.1-2
Severity: wishlist
Hi.
Icinga seems to have several user/groupnames hardcoded.
--with-icinga-user=nagios
--with-icinga-group=nagios
--with-command-user=nagios
--with-command-group=nagios
--with-web-user=www-data
--with-web-group=www-data
(and yes, I know about dpkg-statoverride :-P)
Some things I've noticed:
a) Why are the icinga user/group and command user/group the same?
Don't we miss privilege separation by this?
I haven't checked yet whether this sets just some config defaults or not...
have you an idea? I mean can it easily be changed?
(Actually I must admit that I don't know (yet) what the command user is used for.)
b) web user / www-data
While this is good for works-out-of-the-box(TM) it's bad for security
(no privilege separation, which can be easily done by mod_suexec, or fastcgi).
As far as I can see (tell me if I'm wrong) this is _ONLY_ used in:
debian/rules: chgrp www-data ${b}/icinga-common/var/cache/icinga
debian/rules: chown root:www-data ${b}/icinga-common/var/lib/icinga/rw
So couldn't we make this configurable via debconf?! I.e. defaulting to www-data
but giving the user the choice to use something different?
Cheers,
Chris.