nagios + chroot (test on openbsd)
Mike McClure
mmcclure at pneservices.com
Thu Mar 6 17:06:58 CET 2003
Julien,
I just finished successfully installing Nagios into a chroot'ed Apache on OpenBSD 3.2.
My suggestion: Don't do it. Run Apache as non-chroot.
It's just not worth it, because there are a TON of problems you have to overcome.
It took me many many hours to solve them all. The security gained just isn't worth
the time, IMHO.
On another note, why are you running this on 3.3-current? Bad idea for a production
system, my friend. Run 3.2-stable.
Anyway, if you still insist on doing it, remember that you have TWO root file
systems. One is under /var/www/, the other is under /.
The stuff that runs from the daemon, such as the plugins, see / as the root. The
CGIs see /var/www/ as the root. Part of my solution was to make a /var/www/var/www/
-> /var/www symbolic link. That helped fix a lot of the plugin problems.
Also, use ldd to find out what shared libraries you need for anything that isn't
fully static. It sounds like your CGIs are definitely not static. FWIW, I did not
compile anything statically, all the shared libs are under /var/www/
HTH,
- Mike
>
> on openbsd 3.3-beta, i'm trying to get nagios working with chroot apache
>
> as cgi-bin (normally in sbin) use same conf files as nagios daemon, i
> must have same path in the two and also chroot nagios (maybe try to
> duplicate conf files, idea ?)
>
> on openbsd, apache is in /var/www
> i choose to install in /var/www/users/nagios for daemon/etc/...
> and /var/www/htdocs/nagios for share/sbin/libexec
>
> i compile in static nagios/cgi-bin & plugins (mainly thanks to benny patch)
> i need to change cgi/Makefile path (erase /var/www part) as path is hard
> coded in for compile (and return normal for make install) and in
> common/locations.h.
> and few changes in cfg files
> i can start nagios in chroot, but two problems i have not find solution
> for the moment
>
> all plugins return in nagios.log
> ---
> [1046955533] Warning: Return code of 127 for check of service 'SSH' on
> host 'toto' was out of bounds.
> Make sure the plugin you're trying to run actually exists
> ---
>
> path is good and when i chroot a root shell in /var/www, i can execute them
> check_ssh need /etc/protocols: ok
> check_dns: segmentation fault
> check_tcp complains about /etc/protocols, but works
> check_disk is no more
> check_ups ok
> others later.
>
>
> second
> tac.cgi return in browser binary data with
> ---
> Failure reading ld.so
> Bad magic: ld.so
> Cannot map ld.so
> crt0: update /usr/libexec/ld.so
> ld.so failed
> ---
> and some binary between and html code too
>
> nagios is static, nothing change when i add a ld.so in chroot and for
> fun trying to ktrace it (always in chroot) gives a core with
> 22023 ktrace RET ktrace 0
> 22023 ktrace CALL execve(0xcfbfdb0f,0xcfbfda98,0xcfbfdaa0)
> 22023 ktrace NAMI "/usr/libexec/ld.so"
> 22023 ld.so EMUL "native"
> 22023 ld.so RET execve 0
> 22023 ld.so PSIG SIGSEGV SIG_DFL code 1 addr=0x20 trapno=1
> 22023 ld.so PSIG SIGSEGV SIG_DFL code 0 addr=0x0 trapno=0
> 22023 ld.so NAMI "ld.so.core"
>
> in chroot shell, normal response, but
> Error: Could not open main config file '/opt/nagios/etc/nagios.cfg'
> (before it doesn't find cgi.cfg, but correct with common/locations.h)
>
> /opt/nagios was the place were i install before testing chroot but which
> is no more used
> bash-2.05b$ grep "/opt" /tmp2/nagios/nagios-1.0/*
> /tmp2/nagios/nagios-1.0/functions:PATH=/opt/gnu/bin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
>
> so i don't know where it comes from.
>
>
> Regards
>
> Julien
>
> Note: also, nagios, started with chroot -u nagios -g nagios $ChrootBase,
> complains about it cannot change uid/gid, but doesn't matter a lot
>
> Note2: please cc.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
> for complex code. Debugging C/C++ programs can leave you feeling lost and
> disoriented. TotalView can help you find your way. Available on major UNIX
> and Linux platforms. Try it free. www.etnus.com
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any
> issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
>
--
Mike McClure, CCIE # 5125, CISSP # 30232
PNE Services, Inc. - http://www.pneservices.com
mmcclure at pneservices.com
mobile: 913-636-5590
-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
for complex code. Debugging C/C++ programs can leave you feeling lost and
disoriented. TotalView can help you find your way. Available on major UNIX
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list