[Pkg-nagios-devel] Bug#683037: icinga: /var/{lib, cache}/icinga permissions
Christoph Anton Mitterer
calestyo at scientia.net
Fri Jul 27 23:42:22 UTC 2012
Package: icinga
Version: 1.7.1-2
Severity: wishlist
Hi Alex.
I had a look over the permissions given to the files and directories
in /var/{lib,cache}/icinga.
There may be few places where the permissions could/should potentially be
restricted even a bit more.
If it helps, then perhaps you want to have a look at this :-)
- /var/lib/icinga/status.dat
- Why does it need o+r? It's already owned :www-data, so the CGI
can access it and as /var/lib/icinga is o+x, AFAIU, any user on the
system could read status.dat, which may contain sensitive information
(emails and that like).
- Not sure if g+w is needed... do the CGIs ever write to it?
- /var/lib/icinga/idomod.tmp
I have no idea on that one... it's o+r... is that needed?
Also it's g+rw, but the group is nagios, too.
- /var/lib/icinga/ido.sock
Why is o+rx needed?
- /var/cache/icinga/objects.cache
It's read by the CGIs so g+r and :www-data is needed... but I think
o+r can/should be dropped.
Just for confirmation... (I think all of the following is already perfectly
fine):
- /var/lib/icinga/rw
Is g+s with :www-data, so that the (re-)created icinga.cmd will derive that
group, right?
- /var/lib/icinga/rw/icinga.cmd
In turn is :www-data, so that CGI and icinga-web can submit commands, right?
- /var/lib/icinga/status.dat
Is owned :www-data, cause the CGI uses it to get all information, right?
- /var/cache/icinga
I guess g+s with :www-data is again needed so that objects.cache is
created to be readable by the CGIs.
- /var/cache/icinga/retention.dat
It's :www-data... but g= ... and I nowhere found that the CGIs or -web would
read it... I guess this is just by "accident" because retention.dat is in
the same dir as objects.cache.
Hope that helps, :)
Chris.
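The report above questions the "other" permission bits on several Icinga state files. The script below is an added example, not part of the bug report or of the Debian icinga package: it walks the files named in the report and flags any that grant permissions to "other", which is the condition the reporter is asking to have tightened. The file names and directory layout come from the report; the fixture builder creates empty stand-in files (the socket is a plain file here) with constructed modes, and the assumption that nothing should be granted to "other" is the reporter's, not a documented packaging rule.

```shell
#!/bin/sh
# Added example (not code from the bug report or the icinga package).
# Audits the state files named in Bug#683037 for "other" permission bits
# and reports each offender; assumes POSIX `ls -l` output format.

# audit_other_bits LIB_DIR CACHE_DIR
# Prints one line per listed file that grants any permission to "other"
# and returns 0 when every existing file is clean, 1 otherwise.
audit_other_bits() {
    lib="$1"; cache="$2"; bad=0
    for f in "$lib/status.dat" "$lib/idomod.tmp" "$lib/ido.sock" \
             "$cache/objects.cache" "$cache/retention.dat"; do
        [ -e "$f" ] || continue
        # columns 8-10 of `ls -l` are the rwx bits for "other"
        other=$(ls -ld "$f" | cut -c8-10)
        if [ "$other" != "---" ]; then
            printf 'other bits set: %s (other=%s)\n' "$f" "$other"
            bad=1
        fi
    done
    return "$bad"
}

# make_fixture DIR
# Builds a constructed copy of the layout from the report under DIR with
# the modes the reporter questions (status.dat 664, idomod.tmp 664,
# ido.sock 755 as a plain-file stand-in, objects.cache 644, retention.dat 640).
make_fixture() {
    d="$1"
    mkdir -p "$d/lib/rw" "$d/cache"
    : > "$d/lib/status.dat";      chmod 664 "$d/lib/status.dat"
    : > "$d/lib/idomod.tmp";      chmod 664 "$d/lib/idomod.tmp"
    : > "$d/lib/ido.sock";        chmod 755 "$d/lib/ido.sock"
    : > "$d/cache/objects.cache"; chmod 644 "$d/cache/objects.cache"
    : > "$d/cache/retention.dat"; chmod 640 "$d/cache/retention.dat"
}

# harden_fixture DIR
# Drops every "other" bit on the same files, which is the change the
# report suggests; group access (:www-data for the CGIs) is left untouched.
harden_fixture() {
    d="$1"
    chmod o-rwx "$d/lib/status.dat" "$d/lib/idomod.tmp" "$d/lib/ido.sock" \
                "$d/cache/objects.cache" "$d/cache/retention.dat"
}

# Stand-alone run: build the fixture, audit, harden, audit again.
if [ "${ICINGA_PERMS_DEMO:-}" = "1" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    audit_other_bits "$tmp/lib" "$tmp/cache" || echo "before: offenders found"
    harden_fixture "$tmp"
    audit_other_bits "$tmp/lib" "$tmp/cache" && echo "after: clean"
    rm -rf "$tmp"
fi
```

Run it against a live system as `audit_other_bits /var/lib/icinga /var/cache/icinga` (sourcing the file first); set `ICINGA_PERMS_DEMO=1` to exercise the constructed fixture instead. The check deliberately looks only at "other" because that is the bit the report argues is unnecessary; group bits are what the CGIs rely on via :www-data and the setgid directories, so they are reported but not treated as a finding here.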