Bug 672074

Summary: Weird permissions in package
Product: [Fedora] Fedora EPEL Reporter: Chris Adams <linux>
Component: nagiosAssignee: Peter Lemenkov <lemenkov>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: el6CC: gauret, jose.p.oliveira.oss, lberns1, lemenkov, linux, mgregg, ondrejj, shawn.starr
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nagios-3.2.3-8.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-02 19:28:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Adams 2011-01-23 18:23:43 UTC 
Most of the files in the Nagios package are group-writable (owned by group root), which is somewhat odd.  My problem is that /usr/sbin/nagios is perm 771; there is no reason for it to be world-readable but not world-executable.

I would like /usr/sbin/nagios to be world-executable because I have my Nagios config owned by a separate group (so a certain group of users can edit it directly).  They have sudo access to "service nagios reload", but they can't check the config directly with "/usr/sbin/nagios -v /etc/nagios/nagios.cfg".

Also, /var/log/nagios is world-readable, which means that anything that goes in the Nagios config (such as SNMP community strings) is world-readable in /var/log/nagios/objects.cache.  This should probably be group apache and mode 750 (so the CGIs can read it but nobody else).  Since the directory is owned by the RPM and not marked config, this can't be changed locally (any nagios RPM update will reset the ownership/permissions to what the RPM specifies).
Comment 1 Aurelien Bompard 2011-01-25 11:26:39 UTC 
Confirmed (Hi Peter ! ;-) )
Comment 2 Peter Lemenkov 2011-01-25 12:11:36 UTC 
(In reply to comment #0)
> Most of the files in the Nagios package are group-writable (owned by group
> root), which is somewhat odd.  My problem is that /usr/sbin/nagios is perm 771;
> there is no reason for it to be world-readable but not world-executable.
> 
> I would like /usr/sbin/nagios to be world-executable because I have my Nagios
> config owned by a separate group (so a certain group of users can edit it
> directly).  They have sudo access to "service nagios reload", but they can't
> check the config directly with "/usr/sbin/nagios -v /etc/nagios/nagios.cfg".

Done. 

> Also, /var/log/nagios is world-readable, which means that anything that goes in
> the Nagios config (such as SNMP community strings) is world-readable in
> /var/log/nagios/objects.cache.  This should probably be group apache and mode
> 750 (so the CGIs can read it but nobody else).  Since the directory is owned by
> the RPM and not marked config, this can't be changed locally (any nagios RPM
> update will reset the ownership/permissions to what the RPM specifies).

I dropped directory permissions down to 0750, but I'm not sure about group change from nagios to apache. is it really necessary? I mean if we change it, then users from nagios group won't see anything until they will be added to nagios.

I think it would be better to add apache into nagios group. What do you think, folks?
Comment 3 Fedora Update System 2011-01-25 12:58:56 UTC 
nagios-3.2.3-8.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/nagios-3.2.3-8.fc14
Comment 4 Fedora Update System 2011-01-25 12:59:03 UTC 
nagios-3.2.3-8.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/nagios-3.2.3-8.fc13
Comment 5 Fedora Update System 2011-01-25 12:59:10 UTC 
nagios-3.2.3-8.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/nagios-3.2.3-8.el6
Comment 6 Aurelien Bompard 2011-01-25 14:58:55 UTC 
> I think it would be better to add apache into nagios group. What do you think,
> folks?

I'd vote for that, but I'm no security expert.
Comment 7 Fedora Update System 2011-01-25 18:56:40 UTC 
nagios-3.2.3-8.el6 has been pushed to the Fedora EPEL 6 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update nagios'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/nagios-3.2.3-8.el6
Comment 8 Fedora Update System 2011-02-02 19:28:36 UTC 
nagios-3.2.3-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2011-02-02 19:36:33 UTC 
nagios-3.2.3-8.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2011-02-09 17:26:46 UTC 
nagios-3.2.3-8.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 E. Dean Sahutske 2011-04-26 18:27:00 UTC 
> I dropped directory permissions down to 0750, but I'm not sure about group
> change from nagios to apache. is it really necessary? I mean if we change it,
> then users from nagios group won't see anything until they will be added to
> nagios.
> 
> I think it would be better to add apache into nagios group. What do you think,
> folks?

That's what I had to do.  For quite some time I was getting this:

Whoops!

Error: Could not read object configuration data!

It took a while to figure out that /var/log/nagios was not world readable (until I found this bug report :).  Once I added apache to the nagios group everything worked
Comment 12 Michael Gregg 2011-08-26 03:34:46 UTC 
I was having this same problem on Fedora 15, nagios version nagios-3.2.3-10.fc15.x86_64

I needed to add apache to the nagios group in order to get the nagios cgi's working.