Hello,

I did find this similar report:
http://bugs.gentoo.org/show_bug.cgi?id=134344

But their issue is different than the one I experienced. The bug I found is that the user 'nagios' is added with the passwd entry:

nagios:x:105:1023:added by portage for nagios-plugins:/dev/null:/bin/bash

The default suexec config (/etc/apache2/suexec-config):

uidmin=1000

This causes problems w/ the nagios cgi frontend + external commands as the command pipe has the permissions:

prw-rw---- 1 nagios nagios 0 Apr 16 12:24 /var/nagios/rw/nagios.cmd

There are two (good) solutions that I can think of:
1) create a user 'nagioscgi' and add to the 'nagios' group. This should satisfy the suexec requirements
2) create nagios with a UID greater than 1000

Reproducible: Always

Steps to Reproduce:
1. install nagios + apache22 + suexec
2. configure nagios to allow external commands
3. attempt an external command

Actual Results:
external command fails because cgi app does not have permission to the nagios external command pipe and/or 'nagios' UID is less than 1000 (makes suexec fail)

Expected Results:
Users configured in nagios w/ external command privileges should be able to execute them.

Portage 2.1.2.2 (hardened/x86/2.6, gcc-3.4.6-vanilla, glibc-2.3.6-r5, 2.6.99-e44584d67748925a27b532f6897e4c31 i686)
=================================================================
System uname: 2.6.99-e44584d67748925a27b532f6897e4c31 i686 Intel(R) Xeon(TM) CPU 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 08 Apr 2007 22:00:08 +0000
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -fweb -mtune=pentium4 -mcpu=pentium4 -fomit-frame-pointer -fforce-addr -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -fweb -mtune=pentium4 -mcpu=pentium4 -fomit-frame-pointer -fforce-addr -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa apache2 authdaemond bash-completion berkdb bzip2 chroot cracklib crypt cscope devfs26 directfb diskio erandom expat fam fontconfig fortran gettext glibc-omitfp guile hardened hardenedphp iconv imap ipv6 jpeg kerberos ldap libwww lm_sensors logrotate mailwrapper midi mmx mp3 mysql ncurses nis nls nptl nptlonly ogg opengl pam perl pic png postfix postgres pri python readline ruby sasl sdk server sftplogging sguil smux snmp socks socks5 sse sse2 ssl svg tcpd tiff truetype urandom vhosts x86 xml xml2 xorg xv zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

(In reply to comment #0)
> There are two (good) solutions that I can think of:
> 1) create a user 'nagioscgi' and add to the 'nagios' group. This should satisfy
> the suexec requirements
> 2) create nagios with a UID greater than 1000

I'd prefer the first one, adding this as an additional info for users who really need this additional user account should work.

Next problem though would be the docroot, which defaults to /var/www while Nagios CGIs are installed to /usr/nagios/sbin. I can't think of a good solution right now, but I'll try to keep this in mind for Nagios-3 Ebuilds - for now I won't change the directory layout in the Nagios-2 series.
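
An added example, not part of the bug report or of the Nagios ebuild: a small Python check of the two conditions discussed in this thread, the suexec uidmin floor and write access to the external command pipe, for a candidate CGI account. The nagios passwd entry, uidmin=1000 and the pipe listing are the values quoted in comment #0; the nagioscgi and apache entries, the group lines and the function names are constructed for illustration, and the code assumes suexec refuses UIDs below uidmin. It does not cover the docroot restriction raised in the reply.

```python
# Constructed sample data; the nagios entry, uidmin and the pipe listing are
# the values quoted in the report, the other accounts are hypothetical.
PASSWD = """\
nagios:x:105:1023:added by portage for nagios-plugins:/dev/null:/bin/bash
nagioscgi:x:1005:1005:hypothetical CGI account:/dev/null:/bin/false
apache:x:81:81:hypothetical web server account:/dev/null:/bin/false
"""
GROUP = "nagios:x:1023:nagioscgi\nnagioscgi:x:1005:\napache:x:81:\n"
SUEXEC_CONFIG = "uidmin=1000\n"
PIPE_LS = "prw-rw---- 1 nagios nagios 0 Apr 16 12:24 /var/nagios/rw/nagios.cmd"


def parse_accounts(passwd, group):
    """Return {user: (uid, set of group names the user belongs to)}."""
    groups = {}
    for line in group.splitlines():
        name, _, gid, members = line.split(":")
        groups[name] = (int(gid), set(filter(None, members.split(","))))
    accounts = {}
    for line in passwd.splitlines():
        user, _, uid, gid = line.split(":")[:4]
        member_of = {g for g, (g_gid, members) in groups.items()
                     if g_gid == int(gid) or user in members}
        accounts[user] = (int(uid), member_of)
    return accounts


def can_write(user, member_of, ls_line):
    """Apply the owner/group/other write bits from an `ls -l` line."""
    mode, _, owner, grp = ls_line.split()[:4]
    if user == owner:
        return mode[2] == "w"
    if grp in member_of:
        return mode[5] == "w"
    return mode[8] == "w"


def check(user):
    """List the reasons `user` cannot serve as the suexec CGI user."""
    uidmin = int(dict(l.split("=") for l in SUEXEC_CONFIG.split())["uidmin"])
    uid, member_of = parse_accounts(PASSWD, GROUP)[user]
    problems = []
    if uid < uidmin:  # assumption: suexec refuses UIDs below uidmin
        problems.append(f"uid {uid} is below suexec uidmin {uidmin}")
    if not can_write(user, member_of, PIPE_LS):
        problems.append("no write access to the command pipe")
    return problems


if __name__ == "__main__":
    for name in ("nagios", "nagioscgi", "apache"):
        print(name, check(name) or "ok")
```

With this data only the separate nagioscgi account in the nagios group passes both checks, which matches solution 1 in the report.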