Schedule An Immediate Check - I have rtfm and stfw no help

Carroll, Jim P [Contractor] jcarro10 at sprintspectrum.com
Mon Feb 10 19:31:30 CET 2003


Glad you got it working.

I'm puzzling over why you're bothering with username 'nobody' at all,
instead of 'apache' or 'http' or whatever you run your webserver under.
What you've effectively done is grant more privs to user 'nobody', which
should really be just that, nobody.  Let someone login as 'nobody' (which
isn't really a realistic scenario, but anyway...), and voila, they have
access to your nagios.cmd file, something you probably don't want.

Let me take a step backwards.  What username are you running Apache under?
(I'm making the wild assumption that you're running Apache at all.)  Once
you have that info, what group(s) does that username belong to?  Ideally
that username would belong to 'nagiocmd'.  For your particular
customization, you've added 'nobody' to 'nagiocmd', but the prescribed
approach is to have apache belong to 'nagiocmd'.

As for the particulars of the indicated link, let me try to follow the
documentation 'as is' and see what we get (modified to use 'foo' instead of
'rw', since I already have a 'rw'):

$ mkdir /usr/local/nagios/var/foo
$ chown nagios.nagiocmd /usr/local/nagios/var/foo
$ chmod u+rwx /usr/local/nagios/var/foo
$ chmod g+rw /usr/local/nagios/var/foo
$ chmod g+s /usr/local/nagios/var/foo
$ ls -ld /usr/local/nagios/var/foo
drwxrwsr-x    2 nagios   nagiocmd     4096 Feb 10 12:23
/usr/local/nagios/var/foo

So you are partly right:  Yes, the result isn't the same as the more secure
mode of 2770.  But as near as I can see, this would still work for you.
Notice that the group mode is 'rws' and not 'rwS', which is what you had to
begin with (which would prevent things from working).

If you're satisfied with the security of your host at this point, then don't
change anything.

Food for thought.

jc

> -----Original Message-----
> From: Michael W. Oliver [mailto:michael at gargantuan.com]
> Sent: Monday, February 10, 2003 11:14 AM
> To: Carroll, Jim P [Contractor]
> Cc: nagios-users at lists.sourceforge.net
> Subject: Re: [Nagios-users] Schedule An Immediate Check - I have rtfm
> and stfw no help
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Monday, February 10, 2003 10:46, you wrote:
> > I wasn't too keen on the notion of adding 'nobody' to 
> 'nagiocmd'.  Having
> > said that, let's move forwards.
> >
> > To illustrate which usernames should be a member of 'nagiocmd':
> >
> > $ groups apache nagios
> > apache : apache nagiocmd
> > nagios : nagios nagiocmd
> >
> 
> # grep nagiocmd /etc/group
> nagiocmd:*:55554:nagios,nobody
> 
> # grep nagios /etc/group
> nagios:*:55555:nagios
> nagiocmd:*:55554:nagios,nobody
>                                                               
>                                                                       
> # grep nobody /etc/group
> nobody:*:65534:
> nagiocmd:*:55554:nagios,nobody
> 
> So, you can see that the user 'nobody' is in the correct 
> group... more 
> below...
> 
> > I also noticed you have the wrong perms on 
> /usr/local/nagios/var/rw --
> > try this:
> >
> > $ chmod 2770 /usr/local/nagios/var/rw
> > $ ls -ld /usr/local/nagios/var/rw
> > drwxrws---    2 nagios   nagiocmd     4096 Feb  7 11:44
> > /usr/local/nagios/var/rw
> >
> > You must have done a "chmod 2760" on the 'rw' directory.  
> You need mode
> > 2770.
> >
> > Do all this, then restart nagios.  Then do a:
> >
> >   ls -l /usr/local/nagios/var/rw
> >
> > and see what nagios.cmd has for permissions.
> >
> > Everything should be good to go at this point.
> >
> > jc
> 
> # pwd
> /usr/local/nagios/var/rw
>                                                               
>                                                                       
> # ls -alF
> total 2
> drwxrwS---  2 nagios  nagiocmd  512 Feb  5 15:11 ./
> drwxrwxr-x  4 nagios  nagios    512 Feb 10 11:59 ../
> prw-rw----  1 nagios  nagiocmd    0 Feb  5 15:11 nagios.cmd|
> 
> Now, I just figured out what was wrong... and you are right!  
> In the above, 
> you see the permissions on /usr/local/nagios/var/rw as 
> 'drwxrwS---', which 
> is the result of following the instructions at:
> 
> http://nagios.sourceforge.net/docs/1_0/commandfile.html
> 
> I took your advice and changed it to 2770 (drwxrws---, 
> lowercase 's'), and 
> now it works just as it should.
> 
> The documentation assumes an initial state of g+x on 
> /usr/local/nagios/var/rw, which isn't the case for me.  
> Following the doc 
> to change the permissions to 'g+rw' resulted in 'drwxrwS---', 
> or 2760, 
> instead of the desired 'drwxrws---'.  Perhaps the doc could 
> use 'chmod 
> 2770' instead of listing three chmod commands which still 
> didn't give the 
> desired result (for me, anyway).
> 
> Thanks very much for your help jc, you da man.
> - -- 
> - 
> -------------------------------+------------------------------
> ----------
>        Michael W. Oliver, CCNP | "The tree of liberty must be 
> refreshed
>         michael at gargantuan.com |   from time to time with the blood of
> http://michael.gargantuan.com/ |   patriots and tyrants."
>            (via IPv4 and IPv6) |     - President Thomas Jefferson
> IPv6 ASPathTree, Looking Glass 
> +----------------------------------------
> gpg --keyserver pgpkeys.mit.edu --recv-keys C5FAA3C9
> - 
> --------------------------------------------------------------
> ----------
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (FreeBSD)
> 
> iD8DBQE+R93ksWv7q8X6o8kRAu/ZAJ9Ulmy7hGrA0lWYEVFHZZ4J7GqOfQCeJ6VG
> N47XQ+IxkiNcl1d5+PVOmVA=
> =LxVN
> -----END PGP SIGNATURE-----
> 


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com




More information about the Users mailing list