[Nagiosplug-devel] --with-nagios-user/group options
Gavin Carr
gavin at openfusion.com.au
Sun Mar 11 23:43:05 CET 2007
On Sun, Mar 11, 2007 at 01:08:17AM +0000, Ton Voon wrote:
> The whole point about configure scripts is to make common cases work
> by selecting appropriate flags. So my current thinking is to do this:
>
> - if you leave out with-nagios-user/group, it will install with the
> user that runs "make install". If user is root, then the setuid
> plugins will get installed in addition. This mimics coreutils, apache
> and mysql's behaviour
> - if you choose --with-nagios-user, then the normal plugins will be
> given ownership of the executables
> - if you choose --with-nagios-group, then the normal and root
> plugins will be given group ownership of the executables
> - if you choose a new --without-world-permissions, then normal and
> root plugins will not have world read or execute permissions
This all looks good to me.
> So you gain most security by running ./configure --with-nagios-user=X
> --with-nagios-group=Y --without-world-permissions. Any other fine
> tuning of this would be left as an exercise to the user.
>
> The decision to install root plugins is made by whether you decide to
> install as root.
Do you mean 'install' or 'install setuid'? If the former, then non-root
packagers are still going to want a way of installing those plugins, so
we still will need a 'make install-root' or some such eh?
I actually prefer the 'install setuid' option - always install everything,
and then make root plugins setuid if effective user is root. That does
the right thing in the direct-install case, and makes life easy for
packagers too.
Cheers,
Gavin
More information about the Devel
mailing list