[Nagiosplug-devel] --with-nagios-user/group options
Ton Voon
ton.voon at altinity.com
Sun Mar 11 02:08:17 CET 2007
On 6 Mar 2007, at 23:32, Gavin Carr wrote:
>> Any other thoughts? I'd be especially interested from packagers if
>> this way makes it easier or not. If not, then maybe switching back to
>> --with-nagios-user/group is preferable. One possibility is that the
>> default behaviour is as current, but if --with-nagios-user/group is
>> set, to specifically use those settings.
>
> Packaging is definitely cleaner if there is no _requirement_ that a
> nagios user or group exist at build time. So I think we want the
> current behaviour available, but supporting --with-nagios-user/group
> seems useful behaviour too, for the direct-install case.

I've had a long think about this and I think it is stupid to *not*
support --with-nagios-user/group. Currently I run post-install
commands of:

  find /usr/local/nagios/libexec ! -perm -4000 -exec chown nagios:nagios {} \;
  find /usr/local/nagios/libexec -perm -4000 | while read -r file; do
    chgrp nagios "$file"; chmod u+s "$file"; done

to set the permissions afterwards. But this is a very common use case
(in Gavin's terms, the direct-install case).

The whole point about configure scripts is to make common cases work
by selecting appropriate flags. So my current thinking is to do this:

- if you leave out with-nagios-user/group, it will install with the
user that runs "make install". If user is root, then the setuid
plugins will get installed in addition. This mimics coreutils, apache
and mysql's behaviour
- if you choose --with-nagios-user, then the normal plugins will be
given ownership of the executables
- if you choose --with-nagios-group, then the normal and root
plugins will be given group ownership of the executables
- if you choose a new --without-world-permissions, then normal and
root plugins will not have world read or execute permissions

So you gain most security by running ./configure --with-nagios-user=X
--with-nagios-group=Y --without-world-permissions. Any other fine
tuning of this would be left as an exercise to the user.

The decision to install root plugins is made by whether you decide to
install as root.

I've had a quick look whether I can do this within the
autoconf/automake/libtool build chain and I can't find a supported
method (the old AM_INSTALL_PROGRAM_FLAGS in plugins/Makefile.am in
release 1.4.2 doesn't appear to work anymore). I've sent an email to
the automake mailing list to see what is the recommended way of doing
this.

Ton
http://www.altinity.com
T: +44 (0)870 787 9243
F: +44 (0)845 280 1725
Skype: tonvoon
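
An added example, not part of the original post or the Nagios plugins build system: a POSIX shell check that a plugin directory matches the layout the message proposes (expected group on every plugin, no world permissions) and lists the setuid plugins for review. The function name `audit_plugins` and the `WORLD`/`GROUP`/`SETUID` output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a plugin directory after "make install".
# Usage: audit_plugins DIR GROUP   (GROUP is a group name or a numeric gid)
# Prints one line per finding. Returns 1 if any WORLD or GROUP finding
# exists, 0 otherwise. SETUID lines are an inventory, not a failure.
audit_plugins() {
    dir=$1
    group=$2
    report=$(
        # Any world read/write/execute bit contradicts the
        # --without-world-permissions layout described in the message.
        find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/WORLD /'
        # Normal and root plugins are both expected to carry the chosen group.
        find "$dir" -type f ! -group "$group" -print | sed 's/^/GROUP /'
        # List setuid ("root") plugins so an unexpected one stands out.
        find "$dir" -type f -perm -4000 -print | sed 's/^/SETUID /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    if printf '%s\n' "$report" | grep -Eq '^(WORLD|GROUP) '; then
        return 1
    fi
    return 0
}

# Run directly as: sh audit.sh /usr/local/nagios/libexec nagios
if [ "$#" -eq 2 ]; then
    audit_plugins "$1" "$2"
fi
```

A non-zero exit status makes the check usable as a post-install step in a packaging or deployment script.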