another question

Marc Powell marc at ena.com
Tue Jan 4 15:52:22 CET 2005



> -----Original Message-----
> From: nagios-devel-admin at lists.sourceforge.net [mailto:nagios-devel-
> admin at lists.sourceforge.net] On Behalf Of Joe Pruett
> Sent: Tuesday, January 04, 2005 8:38 AM
> To: nagios-devel at lists.sourceforge.net
> Subject: Re: [Nagios-devel] another question
> 
> > setgid and setuid would affect the apache user as well (meaning an
> > exploit could choose which user to execute code as) and is strongly
> > discouraged by anyone with a clue to security. Using the suexec feature
> > of apache is considered best practice for privilege separation (although
> > that has its caveats as well).
> >
> > > i'm using setgid so far to good effect.
> > >
> >
> > Then you are possibly vulnerable.
> 
> but the faq is telling people to make the entire web server run with the
> gid of nagioscmd.  for now i'm just using setgid nagios (not root) for
> testing, but i plan to create the dummy group for real use.  by running
> the entire web server with that gid, any web page (php, ssi) or cgi has
> the potential to submit commands without any authentication.  i guess that
> any page could call the setgid binary directly as well and fake the auth
> info. i agree that suexec would be good, but that requires very specific
> directory layout, or recompilation of suexec.  has the idea of nagios
> having its own authentication system been looked at?  that would allow a
> setgid cgi to only allow submission with proper credentials.
> 

My remembrance of the setup documentation is that you add your web
server user to the nagioscmd group, not run the web server with the gid
of nagioscmd. They're very different and firmly based on standard unix
permission methodology. Actually quoting from the doccos --

"Next we're going to create a new group whose members include the user
the web server is running as and the user Nagios is running as. Let's
say we call this new group 'nagiocmd' (you can name it differently if
you wish). On RedHat Linux you can use the following command to add a
new group (other systems may differ): 

/usr/sbin/groupadd nagiocmd 

Next, add the web server user (nobody or apache, etc) and the Nagios
user (nagios) to the newly created group with the following commands: 

/usr/sbin/usermod -G nagiocmd nagios
/usr/sbin/usermod -G nagiocmd nobody"

 -- http://nagios.sourceforge.net/docs/2_0/commandfile.html --

There is nothing that says run the web server as gid nagioscmd.

--
Marc
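An added audit script (not from this thread or the Nagios project) that checks the two things the reply distinguishes: that the web-server and nagios users are supplementary members of the command group, and that Apache's `Group` directive does not make the whole server run with that gid. Sample `/etc/group` and `httpd.conf` contents are constructed inline, and the group name `nagiocmd` is taken from the quoted docs; note that `usermod -G` as quoted replaces a user's supplementary group list, so the membership check is worth running after it.

```shell
#!/bin/sh
# Added example, not from the thread: audit the group-based setup Marc quotes.
# Sample files are constructed inline so this runs offline; the real paths
# (/etc/group, httpd.conf) and the group name nagiocmd are assumptions.

# in_cmd_group GROUP_FILE GROUP USER... -> 0 if every USER is a supplementary
# member of GROUP (4th field of /etc/group), else 1 with the missing users listed.
in_cmd_group() {
    group_file=$1; group=$2; shift 2
    entry=$(grep "^$group:" "$group_file" || true)
    [ -n "$entry" ] || { echo "group $group does not exist"; return 1; }
    members=${entry##*:}
    rc=0
    for u in "$@"; do
        case ",$members," in
            *",$u,"*) ;;
            *) echo "$u is not a member of $group"; rc=1 ;;
        esac
    done
    return $rc
}

# httpd_gid_ok HTTPD_CONF GROUP -> 1 if the Apache 'Group' directive makes the
# whole server run as GROUP (the setup Joe feared), 0 otherwise.
httpd_gid_ok() {
    gid=$(awk 'tolower($1) == "group" { print $2 }' "$1")
    if [ "$gid" = "$2" ]; then
        echo "httpd runs with gid $2: every CGI/PHP page can write the command file"
        return 1
    fi
    return 0
}

# Constructed sample inputs: the documented layout beside the feared one.
tmp=$(mktemp -d)
printf 'nagios:x:1001:\nnagiocmd:x:1002:nagios,nobody\n' > "$tmp/group"
printf 'User nobody\nGroup nobody\n' > "$tmp/httpd.conf.good"
printf 'User nobody\nGroup nagiocmd\n' > "$tmp/httpd.conf.bad"

in_cmd_group "$tmp/group" nagiocmd nagios nobody && echo "membership OK"
httpd_gid_ok "$tmp/httpd.conf.good" nagiocmd && echo "httpd gid OK"
httpd_gid_ok "$tmp/httpd.conf.bad" nagiocmd || echo "fix: add nobody to nagiocmd instead"
rm -rf "$tmp"
```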


