another question

Marc Powell marc at ena.com
Tue Jan 4 16:38:18 CET 2005



> -----Original Message-----
> From: nagios-devel-admin at lists.sourceforge.net [mailto:nagios-devel-
> admin at lists.sourceforge.net] On Behalf Of Joe Pruett
> Sent: Tuesday, January 04, 2005 9:01 AM
> To: nagios-devel at lists.sourceforge.net
> Subject: RE: [Nagios-devel] another question
> 
> > My remembrance of the setup documentation is that you add your web
> > server user to the nagioscmd group, not run the web server with the
gid
> > of nagioscmd. They're very different and firmly based on standard
unix
> > permission methodology. Actually quoting from the doccos --
> >
> > "Next we're going to create a new group whose members include the
user
> > the web server is running as and the user Nagios is running as.
Let's
> > say we call this new group 'nagiocmd' (you can name it differently
if
> > you wish). On RedHat Linux you can use the following command to add
a
> > new group (other systems may differ):
> >
> > /usr/sbin/groupadd nagiocmd
> >
> > Next, add the web server user (nobody or apache, etc) and the Nagios
> > user (nagios) to the newly created group with the following
commands:
> >
> > /usr/sbin/usermod -G nagiocmd nagios
> > /usr/sbin/usermod -G nagiocmd nobody"
> >
> >  -- http://nagios.sourceforge.net/docs/2_0/commandfile.html --
> >
> > There is nothing that says run the web server as gid nagioscmd.
> 
> if the web server isn't running with that gid in its effective list,
it
> does no good.  that is why you have to restart the server to pick up
that
> new gid.

Yes, the difference is that files created by the webserver aren't group
nagioscmd and the webserver doesn't default to the nagioscmd group which
has implications beyond nagios if you're running other web apps on the
same machine.

> i now see the comment at the top of the faq indicating that using
cgiwrap
> is recommended for multi user machines.  i'm still curious about
nagios
> having its own auth mechanism to help with this problem (and others as
> well since .htaccess auth isn't the best method).

I don't know what you believe the issue to be with the current
authentication system but IMHO, it's very simple and flexible as is and
works across a wide range of webservers with no special requirements
other than .htaccess support. .htaccess supports a wide range of
authentication mechanisms allowing for the administrator to choose the
auth mechanism that suits their environment best (PAM, LDAP, etc). Any
coded auth system is going to be much more limited.

--
Marc



-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt




More information about the Developers mailing list