Nagios 2.0 init.d/nagios and daemonizing...

[Chris Stankaitis]

>>>
>>
>> Nagios user does not have permission to run the Nagios binary,
> 
> 
> That's why it fails. When nagios threads the dynamic linker keeps the 
> binary file open. There's no additional security risk in allowing the 
> pseudo-user to run its own binary. It does, after all, already have 
> access to all of its own memory, including the second PTE.
> 

I chmod'ed the nagios binary so that word has execute permissions, no 
change, I can not run nagios with the -d option as either root or nagios.

ll /usr/bin/nagios
-rwxr-xr-x    1 root     root       399096 Dec 15 17:49 /usr/bin/nagios


As you can see from my strace (snip here attached) the nagios 2.0 binary 
is dropping it privilages BEFORE it tries to write it's lock and thus 
dying when it can't write to /var/run

(snip)

setgroups32(1, [2006])                  = 0
setuid32(2006)                          = 0

.
.
.
open("/var/run/nagios.pid", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 
EACCES (Permission denied)



The following is an strace from my Nagios 1.2 box (snip here attached in 
msg)



open("/var/run/nagios.pid", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = 3
read(3, "", 10)                         = 0
clone(child_stack=0, 
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
child_tidptr=0xb75ef0c8) = 12735
exit_group(0)                           = ?


What you can see from here is that privilages are not droped at all the 
lock file is written AS ROOT, and the child is spawned, parent is killed 
as ROOT, and the child drops it's privilages...


I have attached both straces in full, so that you can see the whole picture.


--Chris

>  it's
> 
>> executed as root at which time Nagios drops it's privileges, from 
>> command line I am running it as root...  when Nagios init script is run
>> it *SHOULD* start Nagios, write the lock, chown things to 
>> nagios:nagios where needed and drop it's privileges, it isn't doing so 
>> at this time...
>>
>> Regardless even as root running the nagios -d flag is not working, and 
>> that is nagios daemon specific.
>>
>>
>>
>>
>> -------------------------------------------------------
>> SF email is sponsored by - The IT Product Guide
>> Read honest & candid reviews on hundreds of IT Products from real users.
>> Discover which products truly live up to the hype. Start reading now. 
>> http://productguide.itmanagersjournal.com/
>> _______________________________________________
>> Nagios-users mailing list
>> Nagios-users at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>> ::: Please include Nagios version, plugin version (-v) and OS when 
>> reporting any issue. ::: Messages without supporting info will risk 
>> being sent to /dev/null
>>
> 

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nagios1.2-trace
URL: <https://www.monitoring-lists.org/archive/users/attachments/20041216/da76e368/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nagios2.0-trace
URL: <https://www.monitoring-lists.org/archive/users/attachments/20041216/da76e368/attachment-0001.ksh>