Finally your icinga-1.x counterpart to bug 629380. The problem here is the same as it was with nagios, except you have a few more affected files thanks to ido2db. From the summary,
Icinga installs two sets of files with insecure permissions: after
installation, the executables and the configuration files are all
owned by the same unprivileged user and group (typically, icinga)
that the daemon runs as. In one attack, the unprivileged user simply
replaces the icinga executable with one that does his bidding. A
slightly more complicated attack can be mounted by the unprivileged
user by scheduling a malicious service check and then altering icinga.cfg
to execute that check as root.
The ido2db daemon and its sample configuration file have the same issue.
And the tl;dr is to install everything as root:root unless icinga needs to write to it at runtime (not a lot of places). You can see how I fixed this for nagios-core by diffing nagios-core-4.3.3.ebuild against nagios-core-4.3.4.ebuild, but the new src_install in v4.3.4 is pretty easy to read, and you might be better off doing src_install from scratch.
As with nagios-core, we'll have to tell users how to secure their existing installations, because portage won't overwrite the existing owner/group.
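For the point above about securing existing installations, an added example (not from this bug report or the ebuild): a POSIX shell function that lists every path the daemon account could still modify. The function name is an assumption, as are any directories you pass besides /etc/icinga.

```shell
#!/bin/sh
# Added example, not part of the bug report.
# List paths the daemon account can modify: owned by it, group-writable by
# its group, or world-writable.
# Usage: audit_daemon_writable USER GROUP PATH...
#   e.g. audit_daemon_writable icinga icinga /etc/icinga
#   (also pass the directories that hold the icinga and ido2db executables
#   on your system; those locations are not given here)
# Exit status: 0 = nothing found, 1 = findings printed, 2 = usage error.
audit_daemon_writable() (
    if [ "$#" -lt 3 ]; then
        echo "usage: audit_daemon_writable USER GROUP PATH..." >&2
        exit 2
    fi
    user=$1 group=$2
    shift 2
    # Symlinks are skipped: their own mode bits are meaningless, and the
    # target is checked when it lies under one of the audited paths.
    findings=$(find "$@" ! -type l \( \
            -user "$user" \
            -o \( -group "$group" -perm -020 \) \
            -o -perm -002 \
        \) -print 2>/dev/null | sort)
    if [ -z "$findings" ]; then
        exit 0
    fi
    printf '%s\n' "$findings"
    exit 1
)
```

Each path printed needs a decision: leave it alone if icinga writes to it at runtime, otherwise change it to root:root.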
At least with icinga the src-install installs unstripped by default, but working on it now.
Created attachment 505596
I don't run icinga anymore (moved entirely to icinga2), not sure who to get to test this at this point, but everything is moved to root:root like nagios.
OK, committed it as a revbump to 1.14.0, but as this isn't the best tested I'll wait a month before asking for stable.
Here's an issue I see:
fowners icinga:icinga /etc/icinga/eventhandlers
Is later overwritten by
fowners -R root:root /etc/icinga/
If eventhandlers doesn't need icinga:icinga, just kill that first line?
Doesn't seem like a hard issue, but it should be simplified, I'll comment it out for now though.
*** Bug 629282 has been marked as a duplicate of this bug. ***
Most of the permissions/ownership should be fixed in the latest v1.14.2, so that you no longer need to run fperms/fowners a million times.
1.14.2 is stable and the old bad versions are removed.
cleaned up, removing me from cc
Clean up done... @security please proceed.
Keywords for net-analyzer/icinga:
       |                               a   |       |
       |                               m   |       |
       |                               d x |       |
       |                               6 8 |       |
       |                               4 6 |   u   |
       | a a   a     p r           s   | | |   n   |
       | l m   r i   p i   h m s   p m f f | e u s | r
       | p d a m a p c s x p 6 3   a i b b | a s l | e
       | h 6 r 6 6 p 6 c 8 p 8 9 s r p s s | p e o | p
       | a 4 m 4 4 c 4 v 6 a k 0 h c s d d | i d t | o
1.14.2 | o + ~ o o + + o + ~ o o o o o o o | 6 o 0 | gentoo
Removed on 17th March 2020: https://gitweb.gentoo.org/repo/gentoo.git/commit?id=d4e5a319c2fb1f17a2e26e5f560f15d1bd2f13de
This issue was resolved and addressed in
GLSA 202007-31 at https://security.gentoo.org/glsa/202007-31
by GLSA coordinator Sam James (sam_c).