authorMichael Orlitzky <mjo@gentoo.org>2016-12-04 10:46:25 -0500
committerMichael Orlitzky <mjo@gentoo.org>2016-12-04 11:10:13 -0500
commit6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3 (patch)
tree12adc9263d7f36bdc17ba80a54cc95e8ae9d1d94 /net-analyzer
parentapp-shells/bash: Removed old. (diff)
net-analyzer/nagios-core: new revision and init script to fix CVE-2016-8641.
The new version 4.2.3 was added to fix CVE-2016-8641 in commit c9f880e. However, the root privilege exploit results from the use of "chown" in the init script. We don't use upstream's init script, so a proper fix requires an update to our init script as well. The following changes were made to the init script: * We no longer attempt to delete the external command file before starting or stopping the daemon. It's not clear why this was done, and that file should not exist unless the user intentionally creates it. * We do not create or change ownership of /var/nagios/nagios.log or /var/nagios/status.sav when starting the daemon. The log file path is defined in the config file, so the hard-coded path in the init script might not have referred to the true location of the log file. And when the nagios daemon creates these files on its own, they should already have the correct permissions and ownership. By removing the "chown", we have actually fixed the root privilege exploit in CVE-2016-8641. * The two files /var/nagios/status.log and /var/nagios/nagios.tmp are not deleted after the daemon has shut down. I can come up with no compelling argument to do so. Gentoo-Bug: 600864 Package-Manager: portage-2.3.0
Diffstat (limited to 'net-analyzer')
-rw-r--r--net-analyzer/nagios-core/files/nagios4-r146
-rw-r--r--net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild (renamed from net-analyzer/nagios-core/nagios-core-4.2.3.ebuild)2
2 files changed, 47 insertions, 1 deletions
diff --git a/net-analyzer/nagios-core/files/nagios4-r1 b/net-analyzer/nagios-core/files/nagios4-r1
new file mode 100644
index 000000000000..dd2495c10953
--- /dev/null
+++ b/net-analyzer/nagios-core/files/nagios4-r1
@@ -0,0 +1,46 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+nagios_config="/etc/nagios/nagios.cfg"
+
+command="/usr/sbin/nagios"
+command_args="-d ${nagios_config}"
+pidfile="/var/nagios/nagios.lock"
+start_stop_daemon_args="-e HOME=/var/nagios/home"
+
+depend(){
+ need net
+ use dns logger firewall
+ after mysql postgresql
+}
+
+reload(){
+ checkconfig || return 1
+ ebegin "Reloading configuration"
+ start-stop-daemon --signal HUP --pidfile ${pidfile}
+ eend $?
+}
+
+checkconfig(){
+ ebegin "Verifying config files"
+
+ # Silent Check
+ ${command} -v ${nagios_config} > /dev/null 2>&1 && return 0
+
+ # Now we know there's a problem. Run the check again and
+ # this time, display the errors.
+ ${command} -v ${nagios_config}
+ eend $? "Configuration Error. Please fix your config file."
+}
+
+start_pre() {
+ # Without this, the "start" action will appear to succeed even
+ # when the config file contains errors and the daemon failed to
+ # start.
+ checkconfig || return 1
+}
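Review bot: `reload` sends SIGHUP to whatever PID is stored in ${pidfile} without checking that the process is actually nagios, whereas OpenRC's default stop action also passes `--exec ${command}` so the signal only goes to a matching executable. The script runs the daemon with HOME under /var/nagios, which suggests that directory (and thus nagios.lock) is writable by the unprivileged service user; if so, a stale or tampered lock file would redirect this root-run signal to an unrelated process — confirm the directory's ownership and mode. Suggested line: `start-stop-daemon --signal HUP --exec ${command} --pidfile ${pidfile}`. Separately, `checkconfig`'s silent-check success path returns right after `ebegin` with no matching `eend`, leaving the status line unclosed; `${command} -v ${nagios_config} > /dev/null 2>&1 && { eend 0; return 0; }` keeps the output balanced.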
diff --git a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
index f3d1d3e68a40..2852d62f083a 100644
--- a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
+++ b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
@@ -142,7 +142,7 @@ src_install() {
insopts --mode=0644 # Back to the default...
fi
- newinitd "${FILESDIR}"/nagios4 nagios
+ newinitd "${FILESDIR}"/nagios4-r1 nagios
newconfd "${FILESDIR}"/conf.d nagios
if use web ; then