[Pkg-nagios-devel] Bug#659928: Bug#659928: icinga-cgi: icinga users improvements

Alexander Wirt formorer at formorer.de
Wed Feb 15 06:32:17 UTC 2012


Christoph Anton Mitterer wrote on Wednesday, 15 February 2012:

> Package: icinga-cgi
> Version: 1.6.1-2
> Severity: wishlist
> 
> 
> Hi.
> 
> Icinga seems to have several user/groupnames hardcoded.
>   --with-icinga-user=nagios
>   --with-icinga-group=nagios
>   --with-command-user=nagios
>   --with-command-group=nagios
>   --with-web-user=www-data
>   --with-web-group=www-data
> 
> (and yes, I know about dpkg-statoverride :-P)
> 
> 
> Some things I've noticed:
> a) Why are the icinga user/group and command user/group the same?
> Don't we miss privilege separation by this?
?
> 
> I haven't checked yet whether this sets just some config defaults or not...
> have you an idea? I mean can it easily be changed?
> (Actually I must admit, that I don't know (yet) what the command user is used for).
?
Sorry, I don't understand what you want.

> b) web user / www-data
> While this is good for works-out-of-the-box(TM) it's bad for security
> (no privilege separation, which can be easily done by mod_suexec, or fastcgi).
> As far as I can see (tell me if I'm wrong) this is _ONLY_ used in:
> debian/rules:	chgrp www-data ${b}/icinga-common/var/cache/icinga
> debian/rules:	chown root:www-data ${b}/icinga-common/var/lib/icinga/rw
> 
> So couldn't we make this configurable via debconf?! I.e. defaulting to www-data
> but giving the user the choice to use something different?
Nope. Running apache as anything other than www-data is not really supported.
This package is designed to work out of the box and not to abuse
debconf.

Alex




