[Nagiosplug-devel] --with-nagios-user/group options
Ton Voon
ton.voon at altinity.com
Tue Mar 6 12:00:48 CET 2007
Hi Ethan,
On 5 Mar 2007, at 20:33, Ethan Galstad wrote:
> The --with-nagios-user/group configure script options have disappeared
> and cause some problems if you install the plugins as the root user
> (which you have to do for the check_dhcp and check_icmp plugins).
>
> The ownership on the plugins is root.root, which would normally be
> fine,
> except for the fact that the check_dhcp and check_icmp have to (1) be
> setuid root and (2) be executable by the nagios user. The perms can't
> get set properly now that the --with-nagios-user/group options are
> gone.
>
> For the time being I've written instructions on how to fix the
> permissions, but that isn't optimal. Is there a reason why these
> configure script options were removed?
>
My reasoning for the removal of the --with-nagios-user/group was to
be more like GNU coreutils. I think this is more packaging friendly,
since a user does not need to be created on the packaging server. It
also seems to be how other projects handle installs: I've downloaded
Apache and GNU coreutils and a "make install" shows that files are
installed by the current user. MySQL's documentation also suggests
that setting user/group permissions is a separate task:
http://dev.mysql.com/doc/refman/5.1/en/quick-install.html
I think it is a packager or an implementor's job to tie down any
permissions to be as secure as they wish (change all plugins to be
nagios user executable only, set up sudo instead, etc).
I concede that the root plugins are not useable immediately. Checking
coreutils, they run "chmod a=rx,u+s" and "chown root" for the su
binary, which we should do as well for the root plugins. I've just
committed that to CVS and updated various docs to try and make this
clearer.
For your quick start guide, the "make install-root" step is not
required as all the plugin compile and install steps are done as the
root user. The chown and chmod steps can also be removed (though
permissions are open).
However, there is quite a bit of confusion about this, probably due
to the plugins "doing it how other projects are doing it", rather
than "how Nagios does it" - this is not a complaint, just an
observation.
Any other thoughts? I'd be especially interested from packagers if
this way makes it easier or not. If not, then maybe switching back to
--with-nagios-user/group is preferable. One possibility is that the
default behaviour is as current, but if --with-nagios-user/group is
set, to specifically use those settings.
Ton
http://www.altinity.com
T: +44 (0)870 787 9243
F: +44 (0)845 280 1725
Skype: tonvoon
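
One way to check the ownership and mode the message above describes for check_icmp and check_dhcp, as an added example that is not part of the original post or of the plugins' build system. It assumes GNU stat; the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the setuid-root plugins named in the thread.
# Assumes GNU stat (stat -c); function names and verdict labels are hypothetical.

# classify_plugin FILE WANT_UID  -> prints exactly one verdict:
#   missing      file not found
#   wrong-owner  setuid would grant a uid other than WANT_UID
#   no-setuid    u+s absent, so the plugin runs as the calling user
#   writable     group or other may modify a setuid binary
#   open         setuid and executable by everyone (chmod a=rx,u+s -> 4555)
#   restricted   setuid, no execute bit for "other" (e.g. 4550)
classify_plugin() {
    file=$1; want_uid=$2
    [ -e "$file" ] || { echo missing; return 0; }
    uid=$(stat -c %u "$file")
    mode=$(stat -c %a "$file")
    m=$(( 0$mode ))                 # leading 0: read stat's digits as octal
    [ "$uid" -eq "$want_uid" ] || { echo wrong-owner; return 0; }
    [ $(( m & 04000 )) -ne 0 ] || { echo no-setuid; return 0; }
    [ $(( m & 022 )) -eq 0 ] || { echo writable; return 0; }
    if [ $(( m & 01 )) -ne 0 ]; then echo open; else echo restricted; fi
}

# audit_dir DIR WANT_UID: report both root plugins; non-zero if either fails.
audit_dir() {
    rc=0
    for p in check_icmp check_dhcp; do
        v=$(classify_plugin "$1/$p" "$2")
        echo "$p: $v"
        case $v in open|restricted) ;; *) rc=1 ;; esac
    done
    return $rc
}

if [ "$#" -ge 1 ]; then
    audit_dir "$1" 0                # real use: plugins must be owned by uid 0
else
    # Constructed demo in a temp dir, using the caller's uid in place of root.
    demo=$(mktemp -d)
    : > "$demo/check_icmp"; chmod 4555 "$demo/check_icmp"
    : > "$demo/check_dhcp"; chmod 0755 "$demo/check_dhcp"
    audit_dir "$demo" "$(id -u)" || echo "demo: at least one plugin needs fixing"
    rm -rf "$demo"
fi
```

Run it with the plugin directory as its only argument to check a real install against uid 0.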