[Pkg-nagios-devel] Bug#831745: icinga2: file/directory permission issues

Christoph Anton Mitterer calestyo at scientia.net
Mon Jul 18 21:21:59 UTC 2016


Source: icinga2
Version: 2.4.10-1
Severity: important
Tags: security


Hi.

Several files in Icinga2 are shipped with owner www-data, namely at least
these:
/var/cache/icinga2
/var/log/icinga2
/var/log/icinga2/icinga2.log
/var/log/icinga2/icinga2.log.5.xz
/run/icinga2
/run/icinga2/cmd
/run/icinga2/cmd/icinga2.cmd


This is quite unfortunate for any proper production setup where the PHP
code should of course not run with the user/group of the webserver (and thus
have full access to any other stuff served by such a webserver).

It's even more problematic when one considers that other programs may run
on the server and be executed in the context of the webserver, and thus
have access to anything somehow readable for www-data.
This happens out of the box, even when e.g. Icinga Web isn't even installed.

Example (perhaps not the most realistic one):
A server that runs icinga and some PHP web forum software.
If the latter has a security issue, it may be possible for it to access the
external command pipe, and thereby get knowledge of the whole network
topology of some organisation.
Well, of course I don't say it's smart to run such a web forum on the same node
as Icinga ;-) but this should just illustrate the point.


Especially having a fixed www-data owner affects any PHP SAPI other than
mod_php, which allow (or enforce) running as a different user, just as it
should be.


One way would be to use dpkg-statoverride, but that's IMHO also a bit limited
and it requires manual admin "setup".

However, AFAIU, this alone wouldn't help anyway for everything in /run/icinga2,
as this is on a tmpfs.
But, AFAIU, this is set by DAEMON_USER, DAEMON_GROUP and DAEMON_CMDGROUP,
which can be nicely configured in /etc/default/icinga2 .



So it *is* already possible to change this with some manual work.
Could you possibly consider going another way here?

The idea would be to not use www-data but e.g. <some special group>, and people
could add those users who are allowed access to that group, e.g. www-data,
or cgi-suexec, or cgi-icingaweb (if they have a setup where their Icinga Web2
alone runs under that user).

I think that would make the whole scheme much more powerful and even allow people
to add further users to the special groups and give them access.
So perhaps not just cgi-suexec would be a member of "icingacmdgroup", but also
john.doe or super-smart-remote-script-account.



In any case, it feels a bit all too open to set these owners to www-data,
which is why I marked this bug important and tagged it security.
Just a little breach in anything that runs in the webserver context may
already give full access to Icinga, which is IMO not so desirable.


Cheers,
Chris.
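An audit helper added here to illustrate the checks the report implies (example code, not from the report or the icinga2 package): it scans constructed stat-style lines for entries owned by, or group-accessible to, www-data, proposes dpkg-statoverride entries for the on-disk paths using an assumed dedicated group named icingacmd, and for /run paths points at DAEMON_CMDGROUP in /etc/default/icinga2 instead, since those live on tmpfs. The sample lines and the group name are assumptions, not values from the package.

```shell
#!/bin/sh
# Constructed sample in the shape of:  stat -c '%U %G %a %n' <path>
# Owners/modes are made up for illustration; only the paths come from the report.
SAMPLE='nagios www-data 2750 /var/cache/icinga2
nagios www-data 2750 /var/log/icinga2
nagios www-data 644 /var/log/icinga2/icinga2.log
nagios nagios 750 /var/lib/icinga2
nagios www-data 2750 /run/icinga2/cmd
nagios www-data 660 /run/icinga2/cmd/icinga2.cmd'

# Assumed dedicated group that should replace www-data (hypothetical name).
WANTED_GROUP=icingacmd

# Read stat-style lines on stdin; echo those where www-data is owner or group.
flag_www_data() {
    while read -r owner group mode path; do
        [ -n "$path" ] || continue
        if [ "$owner" = www-data ] || [ "$group" = www-data ]; then
            printf '%s %s %s %s\n' "$owner" "$group" "$mode" "$path"
        fi
    done
}

# Number of flagged entries in SAMPLE.
count_flagged() {
    printf '%s\n' "$SAMPLE" | flag_www_data | wc -l | tr -d ' '
}

# dpkg-statoverride line that records owner/WANTED_GROUP/mode for a path so
# dpkg preserves it across package upgrades (mode kept, group swapped).
statoverride_cmd() {
    owner=$1 mode=$2 path=$3
    printf 'dpkg-statoverride --update --add %s %s %s %s\n' \
        "$owner" "$WANTED_GROUP" "$mode" "$path"
}

# Proposed fix per flagged entry: statoverride for persistent paths,
# a pointer to /etc/default/icinga2 for anything under /run (tmpfs).
propose_overrides() {
    printf '%s\n' "$SAMPLE" | flag_www_data | while read -r owner group mode path; do
        case $path in
            /run/*) printf '# %s is on tmpfs: set DAEMON_CMDGROUP=%s in /etc/default/icinga2 instead\n' \
                        "$path" "$WANTED_GROUP" ;;
            *)      statoverride_cmd "$owner" "$mode" "$path" ;;
        esac
    done
}

propose_overrides
```

Feed real output from `stat -c '%U %G %a %n'` into flag_www_data to audit an actual host instead of the constructed sample.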



More information about the Pkg-nagios-devel mailing list