RE: [Nagios-devel] another question
Posted: Tue Jan 04, 2005 6:52 am
> -----Original Message-----
> From: [email protected] [mailto:nagios-devel-
> [email protected]] On Behalf Of Joe Pruett
> Sent: Tuesday, January 04, 2005 8:38 AM
> To: [email protected]
> Subject: Re: [Nagios-devel] another question
>
> > setgid and setuid would affect the apache user as well (meaning an
> > exploit could choose which user to execute code as) and is strongly
> > discouraged by anyone with a clue to security. Using the suexec feature
> > of apache is considered best practice for privilege separation (although
> > that has its caveats as well).
> >
> > > i'm using setgid so far to good effect.
> > >
> >
> > Then you are possibly vulnerable.
>
> but the faq is telling people to make the entire web server run with the
> gid of nagioscmd. for now i'm just using setgid nagios (not root) for
> testing, but i plan to create the dummy group for real use. by running
> the entire web server with that gid, any web page (php, ssi) or cgi has
> the potential to submit commands without any authentication. i guess that
> any page could call the setgid binary directly as well and fake the auth
> info. i agree that suexec would be good, but that requires very specific
> directory layout, or recompilation of suexec. has the idea of nagios
> having its own authentication system been looked at? that would allow a
> setgid cgi to only allow submission with proper credentials.
>
My remembrance of the setup documentation is that you add your web
server user to the nagioscmd group, not run the web server with the gid
of nagioscmd. They're very different and firmly based on standard unix
permission methodology. Actually quoting from the doccos --
"Next we're going to create a new group whose members include the user
the web server is running as and the user Nagios is running as. Let's
say we call this new group 'nagiocmd' (you can name it differently if
you wish). On RedHat Linux you can use the following command to add a
new group (other systems may differ):
/usr/sbin/groupadd nagiocmd
Next, add the web server user (nobody or apache, etc) and the Nagios
user (nagios) to the newly created group with the following commands:
/usr/sbin/usermod -G nagiocmd nagios
/usr/sbin/usermod -G nagiocmd nobody"
-- http://nagios.sourceforge.net/docs/2_0/commandfile.html --
There is nothing that says run the web server as gid nagioscmd.
--
Marc
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
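The distinction Marc draws (web server user added to the shared command group, rather than the web server running with that gid) only buys anything if the command file's permissions actually match it. The shell check below is an added example written for this page; it is not Nagios code and was not part of the original thread. It assumes GNU `stat` (`-c '%a'` / `-c '%G'`), a command file path such as `/usr/local/nagios/var/rw/nagios.cmd`, and the hypothetical helper name `check_cmdfile`; the group and user names are the ones from the quoted documentation and are placeholders for whatever the local setup uses.

```shell
#!/bin/sh
# Added example (not Nagios code): sanity-check the external command file
# setup described in the quoted documentation. The group-membership model
# only holds if the FIFO is group-writable, NOT world-writable, group-owned
# by the shared command group, and the web server user reaches it through
# membership in that group. Hypothetical helper name: check_cmdfile.
#
# usage: check_cmdfile /usr/local/nagios/var/rw/nagios.cmd nagiocmd apache
check_cmdfile() {
    path=$1 group=$2 webuser=$3

    if [ ! -p "$path" ]; then
        echo "FAIL: $path is not a FIFO" >&2
        return 1
    fi

    # GNU stat: %a = octal mode, %G = owning group name (assumption: GNU coreutils)
    mode=$(stat -c '%a' "$path") || return 1
    owngrp=$(stat -c '%G' "$path") || return 1

    if [ "$owngrp" != "$group" ]; then
        echo "FAIL: $path is group-owned by $owngrp, expected $group" >&2
        return 1
    fi

    # Split off the last two octal digits: ...<group><other>
    other=${mode#"${mode%?}"}          # rightmost digit ('other' bits)
    rest=${mode%?}
    grp=${rest#"${rest%?}"}            # second from right ('group' bits)

    # Any 'other' bit means every local user, and therefore every CGI, PHP
    # or SSI page the web server runs, can submit commands unauthenticated.
    if [ "$other" != "0" ]; then
        echo "FAIL: $path mode $mode grants access to 'other'" >&2
        return 1
    fi

    # The group must be able to write, or the CGIs cannot submit at all.
    case $grp in
        2|3|6|7) ;;
        *) echo "FAIL: $path mode $mode is not group-writable" >&2; return 1 ;;
    esac

    # The web server user should be a (supplementary) member of the group.
    member=0
    for g in $(id -Gn "$webuser" 2>/dev/null); do
        [ "$g" = "$group" ] && member=1
    done
    if [ "$member" != "1" ]; then
        echo "FAIL: user $webuser is not a member of group $group" >&2
        return 1
    fi
    # Running the whole server with the command group as its gid is the
    # setup the thread warns against; flag it, but do not fail on it.
    if [ "$(id -gn "$webuser" 2>/dev/null)" = "$group" ]; then
        echo "WARN: $group is the primary group of $webuser; expected a supplementary group" >&2
    fi

    echo "OK: $path mode $mode group $owngrp, $webuser is in $group"
    return 0
}
```

One caveat when reproducing the quoted `usermod` commands on a current Linux: `usermod -G` without `-a` replaces the user's supplementary group list instead of appending to it, so check the result with `id -Gn nagios` and `id -Gn nobody` (or whatever the web server user is) before trusting the setup.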