[icinga-users] [Icinga-users] Security Request file ownership for icinga

Mikael Fridh fridh at stardoll.com
Fri Aug 7 23:57:50 CEST 2009


2009/5/14  <TKocher at spirit21.de>:
> Congratulation to the new project!!! I wish all of you success and I want to
> contribute as much as I can.
> Currently, I am using several nagios 3.0 installations. I compiled the
> source code as it is given by the nagios web site. And installed the
> environment as root user with the command "make install".
>
> Unfortunately the nagios binary and other files are owned by the nagios user
> by default, instead of the root user.
> It would be much more secure and corporate audit resistant, if as much as
> possible files are owned by root:root

It makes sense, but why aren't you packaging in your distribution's
package format of choice?

It could be pretty much as simple as removing $(INSTALL_OPTS) from a
bunch of Makefile.in files.

Unless you want it more complicated, for example modifying Makefiles
and configure scripts to allow specifying
--with-config-group=icingaadmins, --with-plugin-group=icingaadmins
etc.

I read a lot of the feedback on this original post and I don't get who
has a system where you would have to install Nagios/Icinga as root,
but then allow _whatever user you installed it for_ full access from
there on. If a non-privileged user wants to install nagios and run it
as his own user he'd just --prefix install it into his own home
directory, or another path he has access to.

Anyone needing bizarre ownership separation needs to roll their own...
but the default root install should result in a bare-minimum
privs/ownership -- separating the runtime data from binaries and
configuration.

By removing INSTALL_OPTS from Makefiles in all places except for logs
dir, result dir and command file it would result in ROOT ownership if
installed with "sudo make install", and CURRENT_USER ownership if
"make install" as an unprivileged user.

This should all be moot points for anyone serious about security who
would roll their own packaging anyway and not rely on 'make install'
onto a live system.


Sample fix (maybe?):

diff --git a/Makefile.in b/Makefile.in
index 903eb1b..a67117d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -225,12 +225,12 @@ install-unstripped:
        $(MAKE) install-basic

 install-basic:
-       $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(LIBEXECDIR)
+       $(INSTALL) -m 775 -d $(DESTDIR)$(LIBEXECDIR)
        $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(LOGDIR)
        $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(LOGDIR)/archives
        $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CHECKRESULTDIR)
        if [ $(INSTALLPERLSTUFF) = yes ]; then \
-               $(INSTALL) -m 664 $(INSTALL_OPTS) p1.pl $(DESTDIR)$(BINDIR); \
+               $(INSTALL) -m 664 p1.pl $(DESTDIR)$(BINDIR); \
        fi;

        @echo ""
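Review bot: the LIBEXECDIR line drops $(INSTALL_OPTS) but keeps -m 775, so after "sudo make install" the root-owned plugin directory is still writable by root's group; 755 is the mode a root-owned directory wants, and the same applies to p1.pl, which lands in BINDIR root-owned at 664 where 644 would do. Keeping $(INSTALL_OPTS) on LOGDIR, LOGDIR/archives and CHECKRESULTDIR is consistent with the runtime-data exception the mail describes.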
@@ -256,19 +256,19 @@ install-basic:


 install-config:
-       $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR)
-       $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR)/objects
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/icinga.cfg
$(DESTDIR)$(CFGDIR)/icinga.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/cgi.cfg
$(DESTDIR)$(CFGDIR)/cgi.cfg
-       $(INSTALL) -b -m 660 $(INSTALL_OPTS)
sample-config/resource.cfg $(DESTDIR)$(CFGDIR)/resource.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/templates.cfg
$(DESTDIR)$(CFGDIR)/objects/templates.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/commands.cfg
$(DESTDIR)$(CFGDIR)/objects/commands.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/contacts.cfg
$(DESTDIR)$(CFGDIR)/objects/contacts.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/timeperiods.cfg
$(DESTDIR)$(CFGDIR)/objects/timeperiods.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/localhost.cfg
$(DESTDIR)$(CFGDIR)/objects/localhost.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/windows.cfg
$(DESTDIR)$(CFGDIR)/objects/windows.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/printer.cfg
$(DESTDIR)$(CFGDIR)/objects/printer.cfg
-       $(INSTALL) -b -m 664 $(INSTALL_OPTS)
sample-config/template-object/switch.cfg
$(DESTDIR)$(CFGDIR)/objects/switch.cfg
+       $(INSTALL) -m 775 -d $(DESTDIR)$(CFGDIR)
+       $(INSTALL) -m 775 -d $(DESTDIR)$(CFGDIR)/objects
+       $(INSTALL) -b -m 664 sample-config/icinga.cfg
$(DESTDIR)$(CFGDIR)/icinga.cfg
+       $(INSTALL) -b -m 664 sample-config/cgi.cfg $(DESTDIR)$(CFGDIR)/cgi.cfg
+       $(INSTALL) -b -m 660 sample-config/resource.cfg
$(DESTDIR)$(CFGDIR)/resource.cfg
+       $(INSTALL) -b -m 664
sample-config/template-object/templates.cfg
$(DESTDIR)$(CFGDIR)/objects/templates.cfg
+       $(INSTALL) -b -m 664
sample-config/template-object/commands.cfg
$(DESTDIR)$(CFGDIR)/objects/commands.cfg
+       $(INSTALL) -b -m 664
sample-config/template-object/contacts.cfg
$(DESTDIR)$(CFGDIR)/objects/contacts.cfg
+       $(INSTALL) -b -m 664
sample-config/template-object/timeperiods.cfg
$(DESTDIR)$(CFGDIR)/objects/timeperiods.cfg
+       $(INSTALL) -b -m 664
sample-config/template-object/localhost.cfg
$(DESTDIR)$(CFGDIR)/objects/localhost.cfg
+       $(INSTALL) -b -m 664 sample-config/template-object/windows.cfg
$(DESTDIR)$(CFGDIR)/objects/windows.cfg
+       $(INSTALL) -b -m 664 sample-config/template-object/printer.cfg
$(DESTDIR)$(CFGDIR)/objects/printer.cfg
+       $(INSTALL) -b -m 664 sample-config/template-object/switch.cfg
$(DESTDIR)$(CFGDIR)/objects/switch.cfg

        @echo ""
        @echo "*** Config files installed ***"
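Review bot: resource.cfg is still installed with -m 660 but without $(INSTALL_OPTS), so after "sudo make install" it is root:root and the daemon user, which is neither root nor in root's group, cannot read it and the daemon will not start; this file needs the group handoff the mail mentions (a --with-config-group option) or it has to keep $(INSTALL_OPTS). The other config files and CFGDIR keep 664/775, which leaves group-write on root-owned files where 644/755 would match the intent. Also, every line of install-config is deleted and re-added although only $(INSTALL_OPTS) changes on each one; editing the lines in place would give a much smaller, easier-to-review hunk.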
diff --git a/base/Makefile.in b/base/Makefile.in
index dc309e6..b7c4b2b 100644
--- a/base/Makefile.in
+++ b/base/Makefile.in
@@ -202,9 +202,9 @@ install-unstripped:
        $(MAKE) install-basic

 install-basic:
-       $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR)
-       $(INSTALL) -m 774 $(INSTALL_OPTS) @icinga_name@ $(DESTDIR)$(BINDIR)
-       $(INSTALL) -m 774 $(INSTALL_OPTS) @icingastats_name@ $(DESTDIR)$(BINDIR)
+       $(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR)
+       $(INSTALL) -m 774 @icinga_name@ $(DESTDIR)$(BINDIR)
+       $(INSTALL) -m 774 @icingastats_name@ $(DESTDIR)$(BINDIR)

 strip-post-install:
        $(STRIP) $(DESTDIR)$(BINDIR)/@icinga_name@
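Review bot: @icinga_name@ and @icingastats_name@ keep -m 774 while dropping $(INSTALL_OPTS); a root-owned binary at 774 gives "others" read but no execute bit, so the daemon user cannot run it unless the init script starts it as root and it drops privileges itself. 755 is the conventional mode for a root-owned binary and also removes the group-write bit; the BINDIR directory line has the same 775 vs 755 question.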

...

etc.

--
Mike
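As an added example, not code from the mail or from the Icinga project: a small POSIX sh audit of the ownership and mode split the post argues for, run against a constructed tree laid out with the modes the posted patch installs; the bin/libexec/etc layout and the daemon group name "icinga" are assumptions.

```shell
#!/bin/sh
# Added example, not from the mail or the Icinga tree. Checks an install prefix
# for the post's split: binaries, plugins and config owned by the installing
# user (root after "sudo make install") and writable by nobody else, with only
# runtime data handed to the daemon. Layout follows the Makefile variables
# (BINDIR=bin, LIBEXECDIR=libexec, CFGDIR=etc) as an assumption; needs GNU stat.

# audit_static PREFIX OWNER DGROUP: one line per violation on stderr, the count
# on stdout. The daemon runs as another user, so it reaches a file only through
# the "other" bits or, when the file's group is DGROUP, through the group bits.
audit_static() {
    prefix=$1; owner=$2; dgroup=$3; n=0
    for p in $(find "$prefix/bin" "$prefix/libexec" "$prefix/etc" 2>/dev/null); do
        m=$(stat -c '%a' "$p"); u=$(stat -c '%U' "$p"); g=$(stat -c '%G' "$p")
        [ "$u" = "$owner" ] || { echo "$p: owner $u, want $owner" >&2; n=$((n+1)); }
        # 022 (18): group- or world-writable, so a daemon in that group could replace it
        [ $((0$m & 18)) -eq 0 ] || { echo "$p: mode $m writable beyond owner" >&2; n=$((n+1)); }
        [ -f "$p" ] || continue
        # bit the daemon needs: r (4) on configuration, x (1) on binaries and plugins
        case $p in */etc/*) need=4 ;; *) need=1 ;; esac
        if [ $((0$m & $need)) -eq 0 ] && { [ "$g" != "$dgroup" ] || [ $((0$m & $need * 8)) -eq 0 ]; }; then
            echo "$p: mode $m group $g, daemon user cannot use it" >&2; n=$((n+1))
        fi
    done
    echo "$n"
}

# make_sample_tree: constructed prefix with the modes the posted patch installs
# (-m 775 dirs, -m 774 binary, -m 664 / -m 660 config); the current user stands in for root.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -m 775 "$t/bin" "$t/libexec" "$t/etc"
    : > "$t/bin/icinga";       chmod 774 "$t/bin/icinga"
    : > "$t/etc/icinga.cfg";   chmod 664 "$t/etc/icinga.cfg"
    : > "$t/etc/resource.cfg"; chmod 660 "$t/etc/resource.cfg"
    echo "$t"
}

# harden PREFIX: owner-only write everywhere. resource.cfg holds secrets, so it
# stays closed to "others"; it is the one file that still needs a group handoff
# (what a --with-config-group option would provide) before the daemon can read it.
harden() {
    chmod 755 "$1/bin" "$1/libexec" "$1/etc" "$1/bin/icinga"
    chmod 644 "$1/etc/icinga.cfg"; chmod 640 "$1/etc/resource.cfg"
}

tree=$(make_sample_tree); dg=icinga   # hypothetical daemon group, need not exist
echo "as patched: $(audit_static "$tree" "$(id -un)" "$dg") violations"
harden "$tree"
echo "hardened: $(audit_static "$tree" "$(id -un)" "$dg") violation(s), resource.cfg"
rm -rf "$tree"
```

The residual hit on resource.cfg after hardening is the real finding: a root-owned 640 secrets file is unreadable by the daemon until its group is set to the daemon's group.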
