[Pkg-nagios-devel] Bug#683037: icinga: /var/{lib, cache}/icinga permissions

Christoph Anton Mitterer calestyo at scientia.net
Fri Jul 27 23:42:22 UTC 2012

Package: icinga
Version: 1.7.1-2
Severity: wishlist

Hi Alex.

I had a look over the permissions given to the files and directories
in /var/{lib,cache}/icinga.

There may be few places where the permissions could/should potentially be
restricted even a bit more.
It it helps, than perhaps you want to have a look at this :-) 

- /var/lib/icinga/status.dat
  - Why does it need o+r? It's already owned :www-data, so the CGI
    can access it and as /var/lib/icinga is o+x, AFAIU, any user on the
    system could read status.dat, which may contain sensitive information
    (emails and that like).
  - Not sure if g+w is needed... to the CGIs ever write to it?

- /var/lib/icinga/idomod.tmp
  I have no idea on that one... it's o+r... is that needed?
  Also its g+rw, gut the group is nagios, too.

- /var/lib/icinga/ido.sock
  Why is o+rx needed?

- /var/cache/icinga/objects.cache
  It's read by the CGIs so g+r and :www-data is needed... but I think
  o+r can/should be dropped.

Just for confirmation... (I think all of the following is already perfectly
- /var/lib/icinga/rw
  Is g+s with :www-data, so that the (re-)created icinga.cmd will derive that
  group, right?
- /var/lib/icinga/rw/icinga.cmd
  In turn is :www-data, so that CGI and icinga-web can submit commands, right?
- /var/lib/icinga/status.dat
  Is owned :www-data, cause the CGI uses it to get all information, right?
- /var/cache/icinga
  I guess g+s with :www-data is again needed so that objects.cache is
  created to be readable by the CGIs.
- /var/cache/icinga/retention.dat
  It's :www-data... but g= ... and I nowhere found that the CGIs or -web would
  read it... I guess this is just by "acceident" because retention.dat is in
  the same dir as objects.cache.

Hope that helps, :)

More information about the Pkg-nagios-devel mailing list