[Pkg-nagios-devel] Bug#831745: Bug#831745: icinga2: file/directory permission issues
Christoph Anton Mitterer
calestyo at scientia.net
Mon Jul 18 22:01:23 UTC 2016
Control: tag -1 - moreinfo
On Mon, 2016-07-18 at 23:36 +0200, Alexander Wirt wrote:
> > Several files in Icinga2 are shipped with owner www-data, namely at
> > least these:
> > /var/cache/icinga2
> drwxr-x--- 2 nagios www-data 4096 Jul 18 23:33 icinga2
>
> > /var/log/icinga2
> drwxr-s--- 4 nagios www-data 4096 Jul 18 06:36 icinga2
>
> You are wrong.
I didn't say user-owner, but just owner… and as your own quoting shows,
it's group-owned by www-data.
> That one is a must. Otherwise webfrontends are not able to send
> commands.
> So what exactly is your point?
As I wrote, if one doesn't run mod_php, but CGI or FPM, the effective
user won't be www-data, and thus accessing the external command socket
won't work.
So in fact the webfrontends aren't able to send commands. :-(
Not to talk again about all the security issues that come along
with that.
Oh, and is there, from the Icinga Web side, any need to access stuff
in /var/log/icinga2/ or /var/cache/icinga2 at all?
I couldn't find that so far.
On Mon, 2016-07-18 at 23:37 +0200, Alexander Wirt wrote:
> Same as for icinga and I tell you again: we don't support changing
> users.
Well, I didn't ask for changing the user/group Icinga itself runs under,
but this is about the files it creates for interaction with non-Icinga
stuff (e.g. Icinga Web).
Also the group solution I've proposed is really pretty simple and done
so by many solutions (most notably you already do it with Icinga Web 2
yourself, which has the icingaweb2 group).
Anyway, if you insist on not allowing people a bit more powerful
configuration choices, then please:
- make at least DAEMON_CMDGROUP configurable for systemd-users, and
- have a look at the security issues implied by anything running in the
webserver's context being able to access Icinga by default.
Cheers,
Chris.