[Nagiosplug-devel] --with-nagios-user/group options

Ton Voon ton.voon at altinity.com
Sun Mar 11 02:08:17 CET 2007


On 6 Mar 2007, at 23:32, Gavin Carr wrote:

>> Any other thoughts? I'd be especially interested from packagers if
>> this way makes it easier or not. If not, then maybe switching back to
>> --with-nagios-user/group is preferable. One possibility is that the
>> default behaviour is as current, but if --with-nagios-user/group is
>> set, to specifically use those settings.
>
> Packaging is definitely cleaner if there is no _requirement_ that a
> nagios user or group exist at build time. So I think we want the
> current behaviour available, but supporting --with-nagios-user/group
> seems useful behaviour too, for the direct-install case.

I've had a long think about this and I think it is stupid to *not*  
support --with-nagios-user/group. Currently I run post-install  
commands of:

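# chown every non-setuid entry to nagios:nagios
find /usr/local/nagios/libexec ! -perm -4000 -exec chown nagios:nagios {} \;
# chgrp the setuid plugins, then restore the setuid bit that chgrp may clear
find /usr/local/nagios/libexec -perm -4000 | while read -r file; do chgrp nagios "$file"; chmod u+s "$file"; done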

to set the permissions afterwards. But this is a very common use case  
(in Gavin's terms, the direct-install case).

The whole point about configure scripts is to make common cases work  
by selecting appropriate flags. So my current thinking is to do this:

  - if you leave out --with-nagios-user/group, it will install with the  
user that runs "make install". If user is root, then the setuid  
plugins will get installed in addition. This mimics coreutils, apache  
and mysql's behaviour
  - if you choose --with-nagios-user, then the normal plugins will be  
given ownership of the executables
  - if you choose --with-nagios-group, then the normal and root  
plugins will be given group ownership of the executables
  - if you choose a new --without-world-permissions, then normal and  
root plugins will not have world read or execute permissions

So you gain most security by running ./configure --with-nagios-user=X  
--with-nagios-group=Y --without-world-permissions. Any other fine  
tuning of this would be left as an exercise to the user.

The decision to install root plugins is made by whether you decide to  
install as root.

I've had a quick look whether I can do this within the  
autoconf/automake/libtool build chain and I can't find a supported  
method (the old AM_INSTALL_PROGRAM_FLAGS in plugins/Makefile.am in  
release 1.4.2 doesn't appear to work anymore). I've sent an email to  
the automake mailing list to see what is the recommended way of doing  
this.

Ton

http://www.altinity.com
T: +44 (0)870 787 9243
F: +44 (0)845 280 1725
Skype: tonvoon
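
An added example, not part of the original message or of the Nagios Plugins build system: a POSIX shell check that audits an installed plugin directory against the layout proposed above (normal plugins owned by the chosen user, all plugins in the chosen group, no world read or execute bits). The function name `audit_plugins` and the finding labels are made up for this illustration.

```shell
#!/bin/sh
# audit_plugins DIR USER GROUP   (hypothetical helper, not from the project)
# Prints one "<finding> <path>" line per deviation from the proposed layout:
#   bad-owner     non-setuid plugin not owned by USER   (--with-nagios-user)
#   bad-group     any plugin not in GROUP               (--with-nagios-group)
#   world-access  any plugin with o+r or o+x set        (--without-world-permissions)
# Setuid (root) plugins are exempt from the owner check only.
audit_plugins() {
    dir=$1; user=$2; group=$3
    {
        find "$dir" -type f ! -perm -4000 ! -user "$user" |
            sed 's/^/bad-owner /'
        find "$dir" -type f ! -group "$group" |
            sed 's/^/bad-group /'
        find "$dir" -type f \( -perm -0004 -o -perm -0001 \) |
            sed 's/^/world-access /'
    } | sort
}

# Stand-alone use: sh audit_plugins.sh /usr/local/nagios/libexec nagios nagios
# Exits 1 if anything deviates, so it can gate a post-install step.
if [ "$#" -eq 3 ]; then
    findings=$(audit_plugins "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
fi
```

Listing the setuid plugins separately with `find DIR -perm -4000` shows which files a root install added.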
