Schedule An Immediate Check - I have rtfm and stfw no help
Karl DeBisschop
karl at debisschop.net
Tue Feb 11 06:07:54 CET 2003
On Mon, 2003-02-10 at 13:31, Carroll, Jim P [Contractor] wrote:
> Glad you got it working.
>
> I'm puzzling over why you're bothering with username 'nobody' at all,
Sad but but true fact --- many packages run apache as 'nobody'
I'd recommend that the poster change that -- for the reasons you
suggest, it is not a great idea.
> instead of 'apache' or 'http' or whatever you run your webserver under.
> What you've effectively done is grant more privs to user 'nobody', which
> should really be just that, nobody. Let someone login as 'nobody' (which
> isn't really a realistic scenario, but anyway...), and voila, they have
> access to your nagios.cmd file, something you probably don't want.
>
> Let me take a step backwards. What username are you running Apache under?
> (I'm making the wild assumption that you're running Apache at all.) Once
> you have that info, what group(s) does that username belong to? Ideally
> that username would belong to 'nagiocmd'. For your particular
> customization, you've added 'nobody' to 'nagiocmd', but the prescribed
> approach is to have apache belong to 'nagiocmd'.
>
> As for the particulars of the indicated link, let me try to follow the
> documentation 'as is' and see what we get (modified to use 'foo' instead of
> 'rw', since I already have a 'rw'):
>
> $ mkdir /usr/local/nagios/var/foo
> $ chown nagios.nagiocmd /usr/local/nagios/var/foo
> $ chmod u+rwx /usr/local/nagios/var/foo
> $ chmod g+rw /usr/local/nagios/var/foo
> $ chmod g+s /usr/local/nagios/var/foo
> $ ls -ld /usr/local/nagios/var/foo
> drwxrwsr-x 2 nagios nagiocmd 4096 Feb 10 12:23
> /usr/local/nagios/var/foo
>
> So you are partly right: Yes, the result isn't the same as the more secure
> mode of 2770. But as near as I can see, this would still work for you.
> Notice that the group mode is 'rws' and not 'rwS', which is what you had to
> begin with (which would prevent things from working).
>
> If you're satisfied with the security of your host at this point, then don't
> change anything.
I end up with this, using RPM install:
$ ls -ld /var/spool/nagios/nagios.cmd
prw-rw---- 1 nagios www 0 Feb 8 09:23 /var/spool/nagios/nagios.cmd
$ ls -ld /var/spool/nagios/
drwxrwxr-x 2 nagios root 4096 Feb 8 09:14 /var/spool/nagios/
> > -----Original Message-----
> > From: Michael W. Oliver [mailto:michael at gargantuan.com]
> > Sent: Monday, February 10, 2003 11:14 AM
> > To: Carroll, Jim P [Contractor]
> > Cc: nagios-users at lists.sourceforge.net
> > Subject: Re: [Nagios-users] Schedule An Immediate Check - I have rtfm
> > and stfw no help
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Monday, February 10, 2003 10:46, you wrote:
> > > I wasn't too keen on the notion of adding 'nobody' to
> > 'nagiocmd'. Having
> > > said that, let's move forwards.
> > >
> > > To illustrate which usernames should be a member of 'nagiocmd':
> > >
> > > $ groups apache nagios
> > > apache : apache nagiocmd
> > > nagios : nagios nagiocmd
> > >
> >
> > # grep nagiocmd /etc/group
> > nagiocmd:*:55554:nagios,nobody
> >
> > # grep nagios /etc/group
> > nagios:*:55555:nagios
> > nagiocmd:*:55554:nagios,nobody
> >
> >
> > # grep nobody /etc/group
> > nobody:*:65534:
> > nagiocmd:*:55554:nagios,nobody
> >
> > So, you can see that the user 'nobody' is in the correct
> > group... more
> > below...
> >
> > > I also noticed you have the wrong perms on
> > /usr/local/nagios/var/rw --
> > > try this:
> > >
> > > $ chmod 2770 /usr/local/nagios/var/rw
> > > $ ls -ld /usr/local/nagios/var/rw
> > > drwxrws--- 2 nagios nagiocmd 4096 Feb 7 11:44
> > > /usr/local/nagios/var/rw
> > >
> > > You must have done a "chmod 2760" on the 'rw' directory.
> > You need mode
> > > 2770.
> > >
> > > Do all this, then restart nagios. Then do a:
> > >
> > > ls -l /usr/local/nagios/var/rw
> > >
> > > and see what nagios.cmd has for permissions.
> > >
> > > Everything should be good to go at this point.
> > >
> > > jc
> >
> > # pwd
> > /usr/local/nagios/var/rw
> >
> >
> > # ls -alF
> > total 2
> > drwxrwS--- 2 nagios nagiocmd 512 Feb 5 15:11 ./
> > drwxrwxr-x 4 nagios nagios 512 Feb 10 11:59 ../
> > prw-rw---- 1 nagios nagiocmd 0 Feb 5 15:11 nagios.cmd|
> >
> > Now, I just figured out what was wrong... and you are right!
> > In the above,
> > you see the permissions on /usr/local/nagios/var/rw as
> > 'drwxrwS---', which
> > is the result of following the instructions at:
> >
> > http://nagios.sourceforge.net/docs/1_0/commandfile.html
> >
> > I took your advice and changed it to 2770 (drwxrws---,
> > lowercase 's'), and
> > now it works just as it should.
> >
> > The documentation assumes an initial state of g+x on
> > /usr/local/nagios/var/rw, which isn't the case for me.
> > Following the doc
> > to change the permissions to 'g+rw' resulted in 'drwxrwS---',
> > or 2760,
> > instead of the desired 'drwxrws---'. Perhaps the doc could
> > use 'chmod
> > 2770' instead of listing three chmod commands which still
> > didn't give the
> > desired result (for me, anyway).
> >
> > Thanks very much for your help jc, you da man.
> > - --
> > -
> > -------------------------------+------------------------------
> > ----------
> > Michael W. Oliver, CCNP | "The tree of liberty must be
> > refreshed
> > michael at gargantuan.com | from time to time with the blood of
> > http://michael.gargantuan.com/ | patriots and tyrants."
> > (via IPv4 and IPv6) | - President Thomas Jefferson
> > IPv6 ASPathTree, Looking Glass
> > +----------------------------------------
> > gpg --keyserver pgpkeys.mit.edu --recv-keys C5FAA3C9
> > -
> > --------------------------------------------------------------
> > ----------
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (FreeBSD)
> >
> > iD8DBQE+R93ksWv7q8X6o8kRAu/ZAJ9Ulmy7hGrA0lWYEVFHZZ4J7GqOfQCeJ6VG
> > N47XQ+IxkiNcl1d5+PVOmVA=
> > =LxVN
> > -----END PGP SIGNATURE-----
> >
>
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
More information about the Users
mailing list