diff options
author | Michael Orlitzky <mjo@gentoo.org> | 2016-12-04 10:46:25 -0500 |
---|---|---|
committer | Michael Orlitzky <mjo@gentoo.org> | 2016-12-04 11:10:13 -0500 |
commit | 6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3 (patch) | |
tree | 12adc9263d7f36bdc17ba80a54cc95e8ae9d1d94 /net-analyzer | |
parent | app-shells/bash: Removed old. (diff) | |
download | gentoo-6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3.tar.gz gentoo-6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3.tar.bz2 gentoo-6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3.zip |
net-analyzer/nagios-core: new revision and init script to fix CVE-2016-8641.
The new version 4.2.3 was added to fix CVE-2016-8641 in commit
c9f880e. However, the root privilege exploit results from the use of
"chown" in the init script. We don't use upstream's init script, so a
proper fix requires an update to our init script as well.
The following changes were made to the init script:
* We no longer attempt to delete the external command file before
starting or stopping the daemon. It's not clear why this was done,
and that file should not exist unless the user intentionally
creates it.
* We do not create or change ownership of /var/nagios/nagios.log or
/var/nagios/status.sav when starting the daemon. The log file path
is defined in the config file, so the hard-coded path in the init
script might not have referred to the true location of the log file.
And when the nagios daemon creates these files on its own, they
should already have the correct permissions and ownership. By
removing the "chown", we have actually fixed the root privilege
exploit in CVE-2016-8641.
* The two files /var/nagios/status.log and /var/nagios/nagios.tmp are
not deleted after the daemon has shut down. I can come up with no
compelling argument to do so.
Gentoo-Bug: 600864
Package-Manager: portage-2.3.0
Diffstat (limited to 'net-analyzer')
-rw-r--r-- | net-analyzer/nagios-core/files/nagios4-r1 | 46 | ||||
-rw-r--r-- | net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild (renamed from net-analyzer/nagios-core/nagios-core-4.2.3.ebuild) | 2 |
2 files changed, 47 insertions, 1 deletions
diff --git a/net-analyzer/nagios-core/files/nagios4-r1 b/net-analyzer/nagios-core/files/nagios4-r1 new file mode 100644 index 000000000000..dd2495c10953 --- /dev/null +++ b/net-analyzer/nagios-core/files/nagios4-r1 @@ -0,0 +1,46 @@ +#!/sbin/openrc-run +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +extra_commands="checkconfig" +extra_started_commands="reload" + +nagios_config="/etc/nagios/nagios.cfg" + +command="/usr/sbin/nagios" +command_args="-d ${nagios_config}" +pidfile="/var/nagios/nagios.lock" +start_stop_daemon_args="-e HOME=/var/nagios/home" + +depend(){ + need net + use dns logger firewall + after mysql postgresql +} + +reload(){ + checkconfig || return 1 + ebegin "Reloading configuration" + start-stop-daemon --signal HUP --pidfile ${pidfile} + eend $? +} + +checkconfig(){ + ebegin "Verifying config files" + + # Silent Check + ${command} -v ${nagios_config} > /dev/null 2>&1 && return 0 + + # Now we know there's a problem. Run the check again and + # this time, display the errors. + ${command} -v ${nagios_config} + eend $? "Configuration Error. Please fix your config file." +} + +start_pre() { + # Without this, the "start" action will appear to succeed even + # when the config file contains errors and the daemon failed to + # start. + checkconfig || return 1 +} diff --git a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild index f3d1d3e68a40..2852d62f083a 100644 --- a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild +++ b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild @@ -142,7 +142,7 @@ src_install() { insopts --mode=0644 # Back to the default... fi - newinitd "${FILESDIR}"/nagios4 nagios + newinitd "${FILESDIR}"/nagios4-r1 nagios newconfd "${FILESDIR}"/conf.d nagios if use web ; then |