The current practice of having /usr/nagios/libexec owned by the nagios user (instead of root) prevents nagios commands from running on boxes with grsec/trustedpath installed. A fix for this would be to have the directory owned by root, as is /usr/nagios/bin. The error output is as follows:

denied untrusted exec of /usr/nagios/libexec/check_procs by /bin/bash

The permissions are:

drwxr-xr-x 2 root root 4096 Oct 24 18:50 bin
drwxr-x--- 3 nagios nagios 4096 Oct 24 18:50 libexec

Thank you for your time.
--Narayan Newton
I'd also like to have it root:nagios and not group-writable, because it would be easier to allow the user nagios to run some check_* programs via sudo that might need elevated privileges, for example on grsecurity kernels. Currently I'm using a shellscript-wrapper that is located in a directory not writable by user nagios. The script is allowed to be run via sudo by the user nagios.
Thanks for filing this bug. While hardened does like things to work out of the box with grsec/TPE, we do not maintain this package. netmon (lance), however, does and is a grsec user. So this change should not be a problem. Reassigning it to netmon@ for review.
Jokey asked me about this bug on IRC today. I suggested the root:nagios thing already suggested by wschlich@gentoo.org.
Fixed in nagios-plugins et al.
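An audit for the condition discussed in this report, added here as an example and not taken from the thread or from the nagios ebuilds: it flags plugin directories that are not owned by root or that are writable by group or others. It assumes that is the rule the trusted-path check applies to the directory holding the binary; the function names `tpe_dir_status` and `tpe_audit` are hypothetical.

```shell
#!/bin/sh
# Added example: check directories against the assumed trusted-path rule
# (owned by the trusted uid, not writable by group or others).

# tpe_dir_status DIR [TRUSTED_UID]
# Prints "trusted" or the reason the directory fails; returns 0 only if trusted.
tpe_dir_status() {
    dir=$1
    trusted_uid=${2:-0}          # root unless overridden (override is for testing)
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 2
    fi
    # -n prints numeric ids, -L follows a symlinked directory:
    #   drwxr-x--- 3 1001 1001 4096 Oct 24 18:50 libexec
    line=$(ls -Lldn -- "$dir") || return 2
    mode=${line%% *}
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$owner" != "$trusted_uid" ]; then
        echo "untrusted: owner uid $owner (want $trusted_uid)"
        return 1
    fi
    case $mode in
        ?????w*)    echo "untrusted: group-writable ($mode)"; return 1 ;;
    esac
    case $mode in
        ????????w*) echo "untrusted: world-writable ($mode)"; return 1 ;;
    esac
    echo "trusted"
}

# tpe_audit DIR...
# Reports every directory; returns non-zero if any of them fails the check.
tpe_audit() {
    rc=0
    for d in "$@"; do
        status=$(tpe_dir_status "$d") || rc=1
        printf '%s: %s\n' "$d" "$status"
    done
    return "$rc"
}

# Stand-alone use: sh tpe_audit.sh /usr/nagios/bin /usr/nagios/libexec
if [ "$#" -gt 0 ]; then
    tpe_audit "$@"
fi
```

With the listing from the report, bin would be reported as trusted and libexec as untrusted because of its nagios owner.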