Bug 174824 - net-analyzer/nagios-core installed with wrong UID
Status: RESOLVED LATER
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Netmon project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 172480
Reported: 2007-04-16 18:21 UTC by John Skopis
Modified: 2007-06-10 09:27 UTC (History)
Description John Skopis 2007-04-16 18:21:42 UTC
Hello,
    I did find this similar report:
http://bugs.gentoo.org/show_bug.cgi?id=134344
But their issue is different than the one I experienced.

The bug I found is that the user 'nagios' is added with the passwd entry:
nagios:x:105:1023:added by portage for nagios-plugins:/dev/null:/bin/bash

The default suexec config (/etc/apache2/suexec-config):
uidmin=1000

This causes problems w/ the nagios cgi frontend + external commands as the command pipe has the permissions:
prw-rw---- 1 nagios nagios 0 Apr 16 12:24 /var/nagios/rw/nagios.cmd

There are two (good) solutions that I can think of:
1) create a user 'nagioscgi' and add to the 'nagios' group. This should satisfy the suexec requirements
2) create nagios with a UID greater than 1000

Reproducible: Always

Steps to Reproduce:
1. install nagios + apache22 + suexec
2. configure nagios to allow external commands 
3. attempt an external command

Actual Results:  
external command fails because cgi app does not have permission to the nagios external command pipe and/or 'nagios' UID is less than 1000 (makes suexec fail)

Expected Results:  
Users configured in nagios w/ external command privileges should be able to execute them.

Portage 2.1.2.2 (hardened/x86/2.6, gcc-3.4.6-vanilla, glibc-2.3.6-r5, 2.6.99-e44584d67748925a27b532f6897e4c31 i686)
=================================================================
System uname: 2.6.99-e44584d67748925a27b532f6897e4c31 i686 Intel(R) Xeon(TM) CPU 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 08 Apr 2007 22:00:08 +0000
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -fweb -mtune=pentium4 -mcpu=pentium4 -fomit-frame-pointer -fforce-addr -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -fweb -mtune=pentium4 -mcpu=pentium4 -fomit-frame-pointer -fforce-addr -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa apache2 authdaemond bash-completion berkdb bzip2 chroot cracklib crypt cscope devfs26 directfb diskio erandom expat fam fontconfig fortran gettext glibc-omitfp guile hardened hardenedphp iconv imap ipv6 jpeg kerberos ldap libwww lm_sensors logrotate mailwrapper midi mmx mp3 mysql ncurses nis nls nptl nptlonly ogg opengl pam perl pic png postfix postgres pri python readline ruby sasl sdk server sftplogging sguil smux snmp socks socks5 sse sse2 ssl svg tcpd tiff truetype urandom vhosts x86 xml xml2 xorg xv zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-10 09:27:33 UTC
(In reply to comment #0)
> There are two (good) solutions that I can think of:
> 1) create a user 'nagioscgi' and add to the 'nagios' group. This should satisfy
> the suexec requirements
> 2) create nagios with a UID greater than 1000

I'd prefer the first one, adding this as an additional info for users who really need this additional user account should work. Next problem though would be the docroot, which defaults to /var/www while Nagios CGI's are installed to /usr/nagios/sbin. I can't think of a good solution right now, but I'll try to keep this in mind for Nagios-3 Ebuilds - for now I won't change the directory layout in the Nagios-2 series.
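
The two conditions discussed in this report, checked together for a candidate CGI account: the UID must meet the suexec `uidmin`, and the account must have write access to the command pipe. This is an added example, not part of the bug report or the Gentoo ebuild. The `nagios` passwd line and mode 660 (`prw-rw----`) come from the report; the `nagioscgi` and `webuser` accounts, their UIDs and the group lines are constructed.

```shell
#!/bin/sh
# Constructed sample data; only the 'nagios' passwd line is from the report.
PASSWD_SAMPLE='nagios:x:105:1023:added by portage for nagios-plugins:/dev/null:/bin/bash
nagioscgi:x:1500:1500:hypothetical CGI user:/dev/null:/bin/false
webuser:x:1600:1600:hypothetical unrelated user:/dev/null:/bin/false'
GROUP_SAMPLE='nagios:x:1023:nagioscgi
nagioscgi:x:1500:
webuser:x:1600:'

# uid_of USER -> numeric UID from the passwd data
uid_of() { printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $3 }'; }

# in_group USER GROUP -> exit 0 if GROUP is the primary or a supplementary group
in_group() {
    gid=$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$2" '$1 == g { print $3 }')
    pgid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] && [ "$gid" = "$pgid" ] && return 0
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# can_write USER OWNER GROUP MODE -> exit 0 if the 3-digit octal MODE lets USER write.
# Unix picks exactly one permission class: owner, else group, else other.
can_write() {
    o=${4%??}; g=${4#?}; g=${g%?}; w=${4#??}
    if [ "$1" = "$2" ]; then bits=$o
    elif in_group "$1" "$3"; then bits=$g
    else bits=$w
    fi
    [ $(( bits & 2 )) -ne 0 ]
}

# check_cgi_user USER UIDMIN PIPE_OWNER PIPE_GROUP PIPE_MODE
check_cgi_user() {
    uid=$(uid_of "$1")
    [ -n "$uid" ] || { echo "unknown user"; return 1; }
    if [ "$uid" -ge "$2" ]; then s=pass; else s=fail; fi
    if can_write "$1" "$3" "$4" "$5"; then p=writable; else p=denied; fi
    echo "suexec=$s pipe=$p"
}

# uidmin=1000 and the pipe's nagios:nagios 660 ownership are from the report.
for u in nagios nagioscgi webuser; do
    printf '%-10s %s\n' "$u" "$(check_cgi_user "$u" 1000 nagios nagios 660)"
done
```

Only an account that passes both checks can submit external commands through suexec, which is what solution 1 in the report achieves without changing the `nagios` UID.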