After installing net-analyzer/icinga, its configuration file /etc/icinga/icinga.cfg is owned (and writable) by the "icinga" user. In the init script, we have, start_pre() { checkpath -d -o icinga:icinga \ $(get_config temp_path) \ $(dirname $(get_config lock_file)) \ $(dirname $(get_config log_file)) \ $(dirname $(get_config status_file)) checkpath -f -o icinga:icinga $(get_config log_file) rm -f $(get_config command_file) } But what does get_config do? It reads data from /etc/icinga/icinga.cfg! So to gain root, all the icinga user has to do is e.g. set the temp_path to /root, and the next time the init script is started, checkpath will make /root owned by icinga:icinga.
Well, we could change the ownership of the directory and the file to root. I cannot do anything while this bug is locked down, so unlock it and I'll fix it, or you can fix it.
(In reply to Matthew Thode ( prometheanfire ) from comment #1) > Well, we could change the ownership of the directory and the file to root. > > I cannot do anything while this bug is locked down, so unlock it and I'll > fix it, or you can fix it. I'm no longer able to modify the bug's visibility =/ I found this while I was looking for init scripts with vulnerable "get_config" functions, but a day later, I found a much bigger issue with nagios-core (bug 629380) that supersedes this one. Since that bug is public, this one might as well be. Basically, all of the files installed by nagios (and icinga) have the wrong ownership. For example, so long as "icinga" owns the daemon executable, $ ls /usr/sbin/icinga -rwxr-xr-x 1 icinga icinga 760K 2017-08-31 13:11 /usr/sbin/icinga there's no point in fixing the config file -- he can gain root whenever the service is started. I think that *all* of the installed files should be owned by root, but maybe there's an edge case I'm missing. The masked nagios-core-4.3.4 in the tree is an experiment to see what I can get away with -- the same thing will probably be right for icinga.
ya, the way I packaged icinga was to basically copy the nagios ebuild, so that makes sense. icinga is a fork of nagios (icinga2 is a rewrite). I'll open this bug up then. I'm cc'd on the other bug, but let me know what you find for perms. I migrated to icinga2 a while ago so it's harder for me to test.
changed it to root:root in 1.14.0-r1 (in the dependant bug), not sure if we want to close this in favor of that one.
Yeah, the problem turned out to be a lot larger and is covered in the other bug. *** This bug has been marked as a duplicate of bug 638186 ***