On Wed, Jul 29, 2009 at 04:28:57PM +0200, Sascha Wilde wrote:
> I guess you are referring to docs/security.html:
>
> 4. Lock Down The External Command File. [...] If you've installed
> Nagios on a machine that is dedicated to monitoring and admin tasks
> and is not used for public accounts, that should be fine. If you've
> installed it on a public or multi-user machine (not recommended),
> allowing the web server user to have write access to the command
> file can be a security problem. After all, you don't want just any
> user on your system controlling Nagios through the external command
> file. In this case, I would suggest only granting write access on
> the command file to the nagios user and using something like CGIWrap
> to run the CGIs as the nagios user instead of nobody.
>
> Anyway README.Debian documents Debian specific changes and decisions and
> if the only reasons for disabling "external commands" are those
> discussed in the official documentation you should add a pointer to the
> relevant passage. Without such a clarification one could (and I
> certainly did) assume that you have additional reasons for considering
> the feature a possible security threat. Especially as the Nagios
> documentation does not make a specifically strong point of this
> potential problem (the problem only exists when Nagios is installed in
> non-recommended ways).
I bet that most nagios test installations get installed on boxes where
Nagios is not alone on the web server. I do not feel particularly
comfortable with shipping the external command file writeable by the web
server in the default configuration and think strongly that this should
be a conscious decision of the local admin.

Jan, you might want to tag this bug wontfix if you do not intend to make
the suggested changes.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."  Winona Ryder   | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190
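A check a local admin could run against the permission question discussed in this thread, added here as an example and not part of the bug report or the Nagios package: it decides from the command file's owner, group and mode whether the web server user could write to it. NAGIOS_CMD_FILE and WEB_USER are placeholders for the local install, and `stat -c` is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Pure permission check so it can be exercised offline with constructed values.
# Arguments: user, the user's groups (space separated), file owner, file group,
# octal mode as printed by `stat -c %a` (e.g. 660 or 2660).
# Prints "writable" or "not-writable" and returns 0 / 1 accordingly.
user_can_write() {
    user=$1; groups=$2; owner=$3; group=$4; mode=$5
    # keep only the three rwx digits (drop a leading setuid/setgid/sticky digit)
    perm=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    u=$(printf '%s' "$perm" | cut -c1)
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    if [ "$user" = root ]; then echo writable; return 0; fi
    if [ "$user" = "$owner" ]; then
        bits=$u
    else
        in_group=0
        for grp in $groups; do [ "$grp" = "$group" ] && in_group=1; done
        if [ "$in_group" -eq 1 ]; then bits=$g; else bits=$o; fi
    fi
    # the write bit is 2 within each octal digit
    if [ $((bits & 2)) -ne 0 ]; then echo writable; return 0; fi
    echo not-writable; return 1
}

# Audit the real command file (usually a FIFO). Both values are placeholders:
# the path differs between distributions and packages.
audit_cmd_file() {
    file=${1:-${NAGIOS_CMD_FILE:-/path/to/nagios.cmd}}
    web_user=${2:-${WEB_USER:-www-data}}
    [ -e "$file" ] || { echo "no such file: $file"; return 2; }
    set -- $(stat -c '%U %G %a' "$file")
    web_groups=$(id -Gn "$web_user" 2>/dev/null)
    user_can_write "$web_user" "$web_groups" "$1" "$2" "$3"
}
```

Run `audit_cmd_file /path/to/nagios.cmd www-data` on the monitoring host; "writable" means the web server user, and thus every CGI it runs, can submit external commands.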