Source: icinga2
Version: 2.4.10-1
Severity: important
Tags: security
Hi.

Several files in Icinga2 are shipped with owner www-data, namely at least these:

/var/cache/icinga2
/var/log/icinga2
/var/log/icinga2/icinga2.log
/var/log/icinga2/icinga2.log.5.xz
/run/icinga2
/run/icinga2/cmd
/run/icinga2/cmd/icinga2.cmd

This is quite unfortunate for any proper production setup where the PHP code should of course not run with the user/group of the webserver (and thus have full access to any other stuff served by such webserver).

It's even more problematic when one considers that other programs may run on the server and be executed in the context of the webserver, and thus have access to anything somehow readable for www-data. This happens out of the box, even when e.g. Icinga Web isn't even installed.

Example (perhaps not the most realistic one): A server that runs icinga and some PHP web forum software. If the latter has a security issue, it may be possible for it to access the external command pipe, and thereby get knowledge of the whole network topology of some organisation. Well, of course I don't say it's smart to run such a web forum on the same node as Icinga ;-) but this should just illustrate the point.

Especially having a fixed www-data owner affects any PHP SAPI other than mod_php, which allow (or enforce) running as a different user, just as it should be.

One way would be to use dpkg-statoverride, but that's IMHO also a bit limited and it requires manual admin "setup". However, AFAIU, this alone wouldn't anyway help for everything in /run/icinga2, as this is on a tmpfs. But, AFAIU, this is set by DAEMON_USER, DAEMON_GROUP and DAEMON_CMDGROUP, which can be nicely configured in /etc/default/icinga2. So it *is* already possible to change this with some manual work.

Could you possibly consider going another way here? The idea would be to not use www-data but e.g. <some special group>, and people could add those users who are allowed access to that group, e.g. www-data, or cgi-suexec, or cgi-icingaweg (if they have a setup where their Icinga Web2 alone runs under that user). I think that would make the whole scheme much more powerful and even allow people to add further users to the special groups and give them access. So perhaps not just cgi-suexec would be a member of "icingacmdgroup", but also john.doe or super-smart-remote-script-account.

In any case, it feels a bit all too open to set these owners to www-data, which is why I marked this bug important and tagged it security. Just a little breach in anything that runs in the webserver context may already give full access to Icinga, which is IMO not so desirable.

Cheers,
Chris.
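An added example (not part of the bug report and not code from the icinga2 package) showing how an administrator could check the report's concern and the group-based model it proposes: it audits the listed runtime paths for ownership by the webserver account, parses an /etc/group-style file to answer "who is allowed at the command pipe", and renders the DAEMON_CMDGROUP line for /etc/default/icinga2. The path list and the DAEMON_CMDGROUP variable name come from the report; the group name "icingacmd", the sample group file and the function names are constructed for this example, and owner_group assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the bug report or the icinga2 package): audit which
# Icinga2 runtime paths are owned by the webserver account, and illustrate the
# dedicated-group model the report proposes. Paths are those the report lists;
# "icingacmd" and the sample group file below are constructed for the example.

WEB_USER="www-data"
ICINGA_PATHS="/var/cache/icinga2 /var/log/icinga2 /var/log/icinga2/icinga2.log /run/icinga2 /run/icinga2/cmd /run/icinga2/cmd/icinga2.cmd"

# owner_group PATH: print "user:group" of PATH (GNU stat), or "missing".
owner_group() {
  if [ -e "$1" ]; then
    stat -c '%U:%G' "$1"
  else
    echo missing
  fi
}

# classify_ownership USER:GROUP: "web-owned" if either side is the webserver
# account, "missing" if the path does not exist, otherwise "ok".
classify_ownership() {
  case "$1" in
    missing) echo missing ;;
    "$WEB_USER":*|*:"$WEB_USER") echo web-owned ;;
    *) echo ok ;;
  esac
}

# audit_paths: one line per path: "<path> <user:group> <verdict>".
audit_paths() {
  for p in $ICINGA_PATHS; do
    og=$(owner_group "$p")
    printf '%s %s %s\n' "$p" "$og" "$(classify_ownership "$og")"
  done
}

# count_web_owned: number of audited paths still owned by the webserver account.
count_web_owned() {
  audit_paths | grep -c ' web-owned$' || true
}

# Constructed /etc/group-style content: a dedicated command group whose
# members (the accounts named in the report) are added explicitly, rather
# than every process running as www-data getting access implicitly.
SAMPLE_GROUP_FILE='root:x:0:
www-data:x:33:
icingacmd:x:995:cgi-suexec,john.doe,super-smart-remote-script-account'

# members_of_group GROUP [FILE_CONTENT]: print the comma-separated member list
# (fourth field of the group line); empty if the group has none or is unknown.
members_of_group() {
  grp="$1"
  content="${2:-$SAMPLE_GROUP_FILE}"
  printf '%s\n' "$content" | awk -F: -v g="$grp" '$1 == g { print $4 }'
}

# is_member USER GROUP [FILE_CONTENT]: exit 0 if USER is listed in GROUP.
is_member() {
  members_of_group "$2" "$3" | tr ',' '\n' | grep -qx "$1"
}

# render_default_override GROUP: the /etc/default/icinga2 line that points the
# command pipe group at a dedicated group (variable name as cited in the report).
render_default_override() {
  printf 'DAEMON_CMDGROUP=%s\n' "${1:-icingacmd}"
}

# Stand-alone run: print the audit and the proposed override line.
audit_paths
render_default_override icingacmd
```

Run as root on the monitoring host to see real owners; any line ending in "web-owned" is a path the webserver account (and anything it executes) can reach. The same verdict logic applies to a configuration where the pipe group is set via dpkg-statoverride, since only the resulting user:group is inspected.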