[Nagiosplug-devel] --with-nagios-user/group options

Ethan Galstad nagios at nagios.org
Mon Mar 12 21:40:25 CET 2007


Gavin Carr wrote:
> On Sun, Mar 11, 2007 at 01:08:17AM +0000, Ton Voon wrote:
>> The whole point about configure scripts is to make common cases work  
>> by selecting appropriate flags. So my current thinking is to do this:
>>
>>   - if you leave out with-nagios-user/group, it will install with the  
>> user that runs "make install". If user is root, then the setuid  
>> plugins will get installed in addition. This mimics coreutils, apache  
>> and mysql's behaviour
>>   - if you choose --with-nagios-user, then the normal plugins will be  
>> given ownership of the executables
>>   - if you choose --with-nagios-group, then the normal and root  
>> plugins will be given group ownership of the executables
>>   - if you choose a new --without-world-permissions, then normal and  
>> root plugins will not have world read or execute permissions
> 
> This all looks good to me.
> 
>> So you gain most security by running ./configure --with-nagios-user=X  
>> --with-nagios-group=Y --without-world-permissions. Any other fine  
>> tuning of this would be left as an exercise to the user.
>>
>> The decision to install root plugins is made by whether you decide to  
>> install as root.
> 
> Do you mean 'install' or 'install setuid'? If the former, then non-root
> packagers are still going to want a way of installing those plugins, so
> we still will need a 'make install-root' or some such eh?
> 
> I actually prefer the 'install setuid' option - always install everything,
> and then make root plugins setuid if effective user is root. That does 
> the right thing in the direct-install case, and makes life easy for 
> packagers too.
> 
> Cheers,
> Gavin
> 
> 

Both of these options sound good by me too.


Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org




More information about the Devel mailing list