[Pkg-nagios-devel] does it seem feasible to make the icinga/nagios packages users/groups configurable

Christoph Anton Mitterer calestyo at scientia.net
Wed Jun 27 21:24:09 UTC 2012


Hey Alexander.


On Thu, 2012-06-21 at 19:47 +0200, Alexander Wirt wrote:
> People are too stupid to read the docs now where permissions are really
> simple. I won't make it even more complicated.
Valid point ;-)


I was however just playing around with separating icinga-cgi,
icinga-web, icinga itself and the users that are allowed to write/read
to status.dat, external commands and friends.


With the result that the following very easy solution may work and solve
all the above:

- Add a system user/group, e.g. "nagios-ext" (for nagios external
commands/status/or whatever...)

- Make these files/dirs that are right now group-owned by www-data,
group-owned by nagios-ext.

To stay backwards compatible and allow the easy-works-for-most setup you
prefer:
- Add the nagios-ext group as a secondary group to the www-data user.
Of course this should be done only once at installation (not at
upgrades), or one should somehow be able to prevent this, for those who
don't want to allow the webserver direct access.


Seems really simple to me, not much maintenance hassle for you guys,
works out of the box as now, but also allows "more complex" setups.

I'd try to write some patches, if you accept :)



I did about the following now and that seems to work:
- Icinga runs as nagios user/group
- Icinga CGI runs as cgi-icinga-cgi user/group (yes that naming has some
sense for me ;-)
- Icinga Web runs as cgi-icinga-web user/group
- status.dat, the external commands file and friends are owned by
nagios-ext
- access to the icinga DB (idoutils) is only allowed to the nagios and
cgi-icinga-web users
- access to icinga_web DB is only allowed to the cgi-icinga-web user

So far that seems to go well :-)


Cheers,
Chris.
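
The group split proposed in the message above, sketched as a postinst-style helper. This is an added example, not part of the original message and not the Debian packages' own maintainer script. The `ADD_WEB_USER` opt-out, the `DRY_RUN` switch and the `/PLACEHOLDER/...` paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: postinst-style helper for the "nagios-ext" proposal.
# Dry-run by default (prints commands); set DRY_RUN=0 to execute as root.
DRY_RUN=${DRY_RUN:-1}
EXT_GROUP=nagios-ext          # group name proposed in the message
WEB_USER=www-data             # web server user named in the message
# Hypothetical opt-out for admins who do not want the web server to have
# direct access (the message asks for some way to prevent this).
ADD_WEB_USER=${ADD_WEB_USER:-yes}
# Placeholder paths: substitute the package's real status/command locations.
EXT_PATHS=${EXT_PATHS:-"/PLACEHOLDER/status.dat /PLACEHOLDER/rw"}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# $1 = maintainer-script action, $2 = previously configured version
# (empty on a fresh install, set on an upgrade).
setup_nagios_ext() {
    [ "$1" = configure ] || return 0

    # Create the system group once; safe to repeat on every configure.
    if ! getent group "$EXT_GROUP" >/dev/null 2>&1; then
        run addgroup --system "$EXT_GROUP"
    fi

    # Move the shared files/dirs from the web server's group to nagios-ext.
    for p in $EXT_PATHS; do
        if [ -e "$p" ]; then
            run chgrp "$EXT_GROUP" "$p"
        fi
    done

    # Backwards-compatible default: only on first install, never on upgrade,
    # so an admin who removed www-data from the group keeps that choice.
    if [ -z "$2" ] && [ "$ADD_WEB_USER" = yes ]; then
        run adduser "$WEB_USER" "$EXT_GROUP"
    fi
    return 0
}

# Constructed demo: what a fresh install would do.
setup_nagios_ext configure ""
```

On an upgrade the second argument is non-empty, so the web server user's group membership is left exactly as the administrator last set it.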