[Pkg-nagios-devel] Bug#659928: Bug#659928: icinga-cgi: icinga users improvements

Christoph Anton Mitterer calestyo at scientia.net
Wed Feb 15 15:00:26 UTC 2012


Am 15.02.2012 08:32, schrieb Alexander Wirt:
>> Some things I've noticed:
>> a) Why are the icinga user/group and command user/group the same?
>> Don't we miss privilege separation by this?
> ?
Well it seems upstream suggests running these as different users?!


>> I haven't checked yet whether this sets just some config defaults or 
>> not...
>> have you an idea? I mean can it easily be changed?
>> (Actually I must admit, that I don't know (yet) what the command 
>> user is used for).
> ?
> Sorry, I don't understand what you want.

AFAIU the command user is used to allow executing commands, right? Now 
when this is the same then the icinga user (both nagios) someone who 
would only need the command user could possibly also attack stuff 
running as icinga user?!


>> b) web user / www-data
>> While this is good for works-out-of-the-box(TM) it's bad for 
>> security
>> (no privilege separation, which can be easily done by mod_suexec, or 
>> fastcgi).
>> As far as I can see (tell me if I'm wrong) this is _ONLY_ used in:
>> debian/rules:	chgrp www-data ${b}/icinga-common/var/cache/icinga
>> debian/rules:	chown root:www-data 
>> ${b}/icinga-common/var/lib/icinga/rw
>>
>> So couldn't we make this configurable via debconf?! I.e. defaulting 
>> to www-data
>> but giving the user the choice to use something different?
> Nope. Running apache as anything else than www-data is not really 
> supported.
> This package is designed to work out of the box and not to do debconf
> abusing.

Well this is even integrated in the apache packages themselves,... to 
run several apaches all under different users.
And even if you have just one, you can easily change the user of your 
cgi by modsuexec, which should be done in any reasonable environment.

I don't see how this would prevent it from running out of the box,... 
just make it less manuall work by doing all calls to dpkg-statoverride 
automatically.
Would also save the users from finding out which locations they have 
adapt.


Chris.





More information about the Pkg-nagios-devel mailing list