[Nagiosplug-devel] --with-nagios-user/group options
Ethan Galstad
nagios at nagios.org
Mon Mar 12 21:40:25 CET 2007
Gavin Carr wrote:
> On Sun, Mar 11, 2007 at 01:08:17AM +0000, Ton Voon wrote:
>> The whole point about configure scripts is to make common cases work
>> by selecting appropriate flags. So my current thinking is to do this:
>>
>> - if you leave out with-nagios-user/group, it will install with the
>> user that runs "make install". If user is root, then the setuid
>> plugins will get installed in addition. This mimics coreutils, apache
>> and mysql's behaviour
>> - if you choose --with-nagios-user, then the normal plugins will be
>> given ownership of the executables
>> - if you choose --with-nagios-group, then the normal and root
>> plugins will be given group ownership of the executables
>> - if you choose a new --without-world-permissions, then normal and
>> root plugins will not have world read or execute permissions
>
> This all looks good to me.
>
>> So you gain most security by running ./configure --with-nagios-user=X
>> --with-nagios-group=Y --without-world-permissions. Any other fine
>> tuning of this would be left as an exercise to the user.
>>
>> The decision to install root plugins is made by whether you decide to
>> install as root.
>
> Do you mean 'install' or 'install setuid'? If the former, then non-root
> packagers are still going to want a way of installing those plugins, so
> we still will need a 'make install-root' or some such eh?
>
> I actually prefer the 'install setuid' option - always install everything,
> and then make root plugins setuid if effective user is root. That does
> the right thing in the direct-install case, and makes life easy for
> packagers too.
>
> Cheers,
> Gavin
>
>
Both of these options sound good by me too.
Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
More information about the Devel
mailing list