[Nagiosplug-devel] --with-nagios-user/group options

[Gavin Carr]

On Sun, Mar 11, 2007 at 01:08:17AM +0000, Ton Voon wrote:
> The whole point about configure scripts is to make common cases work  
> by selecting appropriate flags. So my current thinking is to do this:
> 
>   - if you leave out with-nagios-user/group, it will install with the  
> user that runs "make install". If user is root, then the setuid  
> plugins will get installed in addition. This mimics coreutils, apache  
> and mysql's behaviour
>   - if you choose --with-nagios-user, then the normal plugins will be  
> given ownership of the executables
>   - if you choose --with-nagios-group, then the normal and root  
> plugins will be given group ownership of the executables
>   - if you choose a new --without-world-permissions, then normal and  
> root plugins will not have world read or execute permissions

This all looks good to me.

> So you gain most security by running ./configure --with-nagios-user=X  
> --with-nagios-group=Y --without-world-permissions. Any other fine  
> tuning of this would be left as an exercise to the user.
> 
> The decision to install root plugins is made by whether you decide to  
> install as root.

Do you mean 'install' or 'install setuid'? If the former, then non-root
packagers are still going to want a way of installing those plugins, so
we still will need a 'make install-root' or some such eh?

I actually prefer the 'install setuid' option - always install everything,
and then make root plugins setuid if effective user is root. That does 
the right thing in the direct-install case, and makes life easy for 
packagers too.

Cheers,
Gavin