Bug 672074
Summary: | Weird permissions in package | |
---|---|---|---
Product: | [Fedora] Fedora EPEL | Reporter: | Chris Adams <linux>
Component: | nagios | Assignee: | Peter Lemenkov <lemenkov>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Priority: | unspecified
Version: | el6 | CC: | gauret, jose.p.oliveira.oss, lberns1, lemenkov, linux, mgregg, ondrejj, shawn.starr
Hardware: | Unspecified | OS: | Unspecified
Fixed In Version: | nagios-3.2.3-8.el6 | Doc Type: | Bug Fix
Last Closed: | 2011-02-02 19:28:41 UTC | |
Description
Chris Adams
2011-01-23 18:23:43 UTC
Confirmed (Hi Peter ! ;-) )

(In reply to comment #0)
> Most of the files in the Nagios package are group-writable (owned by group
> root), which is somewhat odd. My problem is that /usr/sbin/nagios is perm 771;
> there is no reason for it to be world-readable but not world-executable.
>
> I would like /usr/sbin/nagios to be world-executable because I have my Nagios
> config owned by a separate group (so a certain group of users can edit it
> directly). They have sudo access to "service nagios reload", but they can't
> check the config directly with "/usr/sbin/nagios -v /etc/nagios/nagios.cfg".

Done.

> Also, /var/log/nagios is world-readable, which means that anything that goes in
> the Nagios config (such as SNMP community strings) is world-readable in
> /var/log/nagios/objects.cache. This should probably be group apache and mode
> 750 (so the CGIs can read it but nobody else). Since the directory is owned by
> the RPM and not marked config, this can't be changed locally (any nagios RPM
> update will reset the ownership/permissions to what the RPM specifies).

I dropped directory permissions down to 0750, but I'm not sure about group change from nagios to apache. is it really necessary? I mean if we change it, then users from nagios group won't see anything until they will be added to nagios.

I think it would be better to add apache into nagios group. What do you think, folks?

nagios-3.2.3-8.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/nagios-3.2.3-8.fc14

nagios-3.2.3-8.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/nagios-3.2.3-8.fc13

nagios-3.2.3-8.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/nagios-3.2.3-8.el6

> I think it would be better to add apache into nagios group. What do you think,
> folks?
I'd vote for that, but I'm no security expert.

nagios-3.2.3-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update nagios'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/nagios-3.2.3-8.el6

nagios-3.2.3-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

nagios-3.2.3-8.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

nagios-3.2.3-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

> I dropped directory permissions down to 0750, but I'm not sure about group
> change from nagios to apache. is it really necessary? I mean if we change it,
> then users from nagios group won't see anything until they will be added to
> nagios.
>
> I think it would be better to add apache into nagios group. What do you think,
> folks?
That's what I had to do. For quite some time I was getting this:
Whoops!
Error: Could not read object configuration data!
It took a while to figure out that /var/log/nagios was not world readable (until I found this bug report :). Once I added apache to the nagios group everything worked.

I was having this same problem on Fedora 15, nagios version nagios-3.2.3-10.fc15.x86_64. I needed to add apache to the nagios group in order to get the nagios cgi's working.
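
An added example, not part of the bug report or the nagios package: a shell check for the conditions this thread discusses (the mode of /usr/sbin/nagios, world access to /var/log/nagios, and whether apache is in group nagios once the directory is 750). The ROOT argument and the finding labels are assumptions made for illustration; the script relies on GNU stat and assumes the log directory is group nagios, as described in the comments above.

```shell
#!/bin/sh
# Added example: audit the permissions discussed in this bug.
# ROOT is hypothetical: "/" for the live system, or the top of an
# unpacked package tree or test fixture.

mode_of() { stat -c '%a' "$1"; }    # octal permission bits (GNU stat)

# audit_nagios_perms ROOT: prints one finding per line, nothing if clean.
audit_nagios_perms() {
    root=${1%/}
    bin="$root/usr/sbin/nagios"
    logdir="$root/var/log/nagios"
    group_file="$root/etc/group"

    if [ -f "$bin" ]; then
        mode=$(mode_of "$bin")
        other=$(( 0$mode & 7 ))
        # World read and execute bits should agree: both set, or neither.
        if [ $(( ($other >> 2) & 1 )) -ne $(( $other & 1 )) ]; then
            echo "BIN_MODE $bin is $mode: world read/execute bits disagree"
        fi
    fi

    if [ -d "$logdir" ]; then
        mode=$(mode_of "$logdir")
        if [ $(( 0$mode & 7 )) -ne 0 ]; then
            # objects.cache here repeats config values such as SNMP
            # community strings, so no access for "other" is expected.
            echo "LOG_WORLD $logdir is $mode: open to all users, expected 750"
        elif [ -f "$group_file" ]; then
            # With 750 the web CGIs can only get in through group nagios.
            members=$(awk -F: '$1 == "nagios" { print $4 }' "$group_file")
            case ",$members," in
                *,apache,*) ;;
                *) echo "CGI_GROUP apache is not a member of group nagios" ;;
            esac
        fi
    fi
    return 0
}

# Run only when a root directory is given on the command line.
if [ $# -gt 0 ]; then audit_nagios_perms "$1"; fi
```

Run it as `sh audit.sh /` on a host with nagios installed; a CGI_GROUP finding corresponds to the "Could not read object configuration data!" error reported above.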