Schedule An Immediate Check - I have rtfm and stfw no help

Karl DeBisschop karl at debisschop.net
Tue Feb 11 06:07:54 CET 2003


On Mon, 2003-02-10 at 13:31, Carroll, Jim P [Contractor] wrote:
> Glad you got it working.
> 
> I'm puzzling over why you're bothering with username 'nobody' at all,

Sad but but true fact --- many packages run apache as 'nobody'

I'd recommend that the poster change that -- for the reasons you
suggest, it is not a great idea.

> instead of 'apache' or 'http' or whatever you run your webserver under.
> What you've effectively done is grant more privs to user 'nobody', which
> should really be just that, nobody.  Let someone login as 'nobody' (which
> isn't really a realistic scenario, but anyway...), and voila, they have
> access to your nagios.cmd file, something you probably don't want.
> 
> Let me take a step backwards.  What username are you running Apache under?
> (I'm making the wild assumption that you're running Apache at all.)  Once
> you have that info, what group(s) does that username belong to?  Ideally
> that username would belong to 'nagiocmd'.  For your particular
> customization, you've added 'nobody' to 'nagiocmd', but the prescribed
> approach is to have apache belong to 'nagiocmd'.
> 
> As for the particulars of the indicated link, let me try to follow the
> documentation 'as is' and see what we get (modified to use 'foo' instead of
> 'rw', since I already have a 'rw'):
> 
> $ mkdir /usr/local/nagios/var/foo
> $ chown nagios.nagiocmd /usr/local/nagios/var/foo
> $ chmod u+rwx /usr/local/nagios/var/foo
> $ chmod g+rw /usr/local/nagios/var/foo
> $ chmod g+s /usr/local/nagios/var/foo
> $ ls -ld /usr/local/nagios/var/foo
> drwxrwsr-x    2 nagios   nagiocmd     4096 Feb 10 12:23
> /usr/local/nagios/var/foo
> 
> So you are partly right:  Yes, the result isn't the same as the more secure
> mode of 2770.  But as near as I can see, this would still work for you.
> Notice that the group mode is 'rws' and not 'rwS', which is what you had to
> begin with (which would prevent things from working).
> 
> If you're satisfied with the security of your host at this point, then don't
> change anything.

I end up with this, using RPM install:

$ ls -ld /var/spool/nagios/nagios.cmd 
prw-rw---- 1 nagios  www     0 Feb  8 09:23 /var/spool/nagios/nagios.cmd
$ ls -ld /var/spool/nagios/
drwxrwxr-x 2 nagios  root 4096 Feb  8 09:14 /var/spool/nagios/


> > -----Original Message-----
> > From: Michael W. Oliver [mailto:michael at gargantuan.com]
> > Sent: Monday, February 10, 2003 11:14 AM
> > To: Carroll, Jim P [Contractor]
> > Cc: nagios-users at lists.sourceforge.net
> > Subject: Re: [Nagios-users] Schedule An Immediate Check - I have rtfm
> > and stfw no help
> > 
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On Monday, February 10, 2003 10:46, you wrote:
> > > I wasn't too keen on the notion of adding 'nobody' to 
> > 'nagiocmd'.  Having
> > > said that, let's move forwards.
> > >
> > > To illustrate which usernames should be a member of 'nagiocmd':
> > >
> > > $ groups apache nagios
> > > apache : apache nagiocmd
> > > nagios : nagios nagiocmd
> > >
> > 
> > # grep nagiocmd /etc/group
> > nagiocmd:*:55554:nagios,nobody
> > 
> > # grep nagios /etc/group
> > nagios:*:55555:nagios
> > nagiocmd:*:55554:nagios,nobody
> >                                                               
> >                                                                       
> > # grep nobody /etc/group
> > nobody:*:65534:
> > nagiocmd:*:55554:nagios,nobody
> > 
> > So, you can see that the user 'nobody' is in the correct 
> > group... more 
> > below...
> > 
> > > I also noticed you have the wrong perms on 
> > /usr/local/nagios/var/rw --
> > > try this:
> > >
> > > $ chmod 2770 /usr/local/nagios/var/rw
> > > $ ls -ld /usr/local/nagios/var/rw
> > > drwxrws---    2 nagios   nagiocmd     4096 Feb  7 11:44
> > > /usr/local/nagios/var/rw
> > >
> > > You must have done a "chmod 2760" on the 'rw' directory.  
> > You need mode
> > > 2770.
> > >
> > > Do all this, then restart nagios.  Then do a:
> > >
> > >   ls -l /usr/local/nagios/var/rw
> > >
> > > and see what nagios.cmd has for permissions.
> > >
> > > Everything should be good to go at this point.
> > >
> > > jc
> > 
> > # pwd
> > /usr/local/nagios/var/rw
> >                                                               
> >                                                                       
> > # ls -alF
> > total 2
> > drwxrwS---  2 nagios  nagiocmd  512 Feb  5 15:11 ./
> > drwxrwxr-x  4 nagios  nagios    512 Feb 10 11:59 ../
> > prw-rw----  1 nagios  nagiocmd    0 Feb  5 15:11 nagios.cmd|
> > 
> > Now, I just figured out what was wrong... and you are right!  
> > In the above, 
> > you see the permissions on /usr/local/nagios/var/rw as 
> > 'drwxrwS---', which 
> > is the result of following the instructions at:
> > 
> > http://nagios.sourceforge.net/docs/1_0/commandfile.html
> > 
> > I took your advice and changed it to 2770 (drwxrws---, 
> > lowercase 's'), and 
> > now it works just as it should.
> > 
> > The documentation assumes an initial state of g+x on 
> > /usr/local/nagios/var/rw, which isn't the case for me.  
> > Following the doc 
> > to change the permissions to 'g+rw' resulted in 'drwxrwS---', 
> > or 2760, 
> > instead of the desired 'drwxrws---'.  Perhaps the doc could 
> > use 'chmod 
> > 2770' instead of listing three chmod commands which still 
> > didn't give the 
> > desired result (for me, anyway).
> > 
> > Thanks very much for your help jc, you da man.
> > - -- 
> > - 
> > -------------------------------+------------------------------
> > ----------
> >        Michael W. Oliver, CCNP | "The tree of liberty must be 
> > refreshed
> >         michael at gargantuan.com |   from time to time with the blood of
> > http://michael.gargantuan.com/ |   patriots and tyrants."
> >            (via IPv4 and IPv6) |     - President Thomas Jefferson
> > IPv6 ASPathTree, Looking Glass 
> > +----------------------------------------
> > gpg --keyserver pgpkeys.mit.edu --recv-keys C5FAA3C9
> > - 
> > --------------------------------------------------------------
> > ----------
> > 
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (FreeBSD)
> > 
> > iD8DBQE+R93ksWv7q8X6o8kRAu/ZAJ9Ulmy7hGrA0lWYEVFHZZ4J7GqOfQCeJ6VG
> > N47XQ+IxkiNcl1d5+PVOmVA=
> > =LxVN
> > -----END PGP SIGNATURE-----
> > 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com




More information about the Users mailing list