[Pkg-nagios-devel] Bug#659928: Bug#659928: icinga-cgi: icinga users improvements
Alexander Wirt
formorer at formorer.de
Wed Feb 15 15:08:38 UTC 2012
Christoph Anton Mitterer schrieb am Wednesday, den 15. February 2012:
> Am 15.02.2012 08:32, schrieb Alexander Wirt:
> >>Some things I've noticed:
> >>a) Why are the icinga user/group and command user/group the same?
> >>Don't we miss privilege separation by this?
> >?
> Well it seems upstream suggests running these as different users?!
it makes not really sense. And not they don't run as different users, just
files have different permissions.
> >>I haven't checked yet whether this sets just some config
> >>defaults or not...
> >>have you an idea? I mean can it easily be changed?
> >>(Actually I must admit, that I don't know (yet) what the command
> >>user is used for).
> >?
> >Sorry, I don't understand what you want.
>
> AFAIU the command user is used to allow executing commands, right?
> Now when this is the same then the icinga user (both nagios) someone
> who would only need the command user could possibly also attack
> stuff running as icinga user?!
Show me a proof of this theory.
> >>b) web user / www-data
> >>While this is good for works-out-of-the-box(TM) it's bad for
> >>security
> >>(no privilege separation, which can be easily done by
> >>mod_suexec, or fastcgi).
> >>As far as I can see (tell me if I'm wrong) this is _ONLY_ used in:
> >>debian/rules: chgrp www-data ${b}/icinga-common/var/cache/icinga
> >>debian/rules: chown root:www-data
> >>${b}/icinga-common/var/lib/icinga/rw
> >>
> >>So couldn't we make this configurable via debconf?! I.e.
> >>defaulting to www-data
> >>but giving the user the choice to use something different?
> >Nope. Running apache as anything else than www-data is not really
> >supported.
> >This package is designed to work out of the box and not to do debconf
> >abusing.
>
> Well this is even integrated in the apache packages themselves,...
> to run several apaches all under different users.
> And even if you have just one, you can easily change the user of
> your cgi by modsuexec, which should be done in any reasonable
> environment.
Go ahead, send patches. For me this is a wontfix as I don't see any benefit
from it.
Alex
More information about the Pkg-nagios-devel
mailing list