[Nagiosplug-devel] --with-nagios-user/group options

[Ton Voon]

Hi Ethan,

On 5 Mar 2007, at 20:33, Ethan Galstad wrote:

> The --with-nagios-user/group configure script options have disappeared
> and cause some problems if you install the plugins as the root user
> (which you have to do for the check_dhcp and check_icmp plugins).
>
> The ownership on the plugins is root.root, which would normally be  
> fine,
> except for the face that the check_dhcp and check_icmp have to (1) be
> setuid root and (2) be executable by the nagios user.  The perms can't
> get set properly now that the --with-nagios-user/group options are  
> gone.
>
> For the time being I've written instructions on how to fix the
> permissions, but that isn't optimal.  Is there are reason why these
> configure script options were removed?
>

My reasoning for the removal of the --with-nagios-user/group was to  
be more like GNU coreutils. I think this is more packaging friendly,  
since a user does not need to be created on the packaging server. It  
also seems to be how other projects handle installs: I've downloaded  
Apache and GNU coreutils and a "make install" shows that files are  
installed by the current user. Mysql's documentation also suggests  
that setting user/group permissions are a separate task: http:// 
dev.mysql.com/doc/refman/5.1/en/quick-install.html

I think it is a packager or an implementor's job to tie down any  
permissions to be as secure as they wish (change all plugins to be  
nagios user executable only, setup sudo instead, etc).

I concede that the root plugins are not useable immediately. Checking  
coreutils, they run "chmod a=rx,u+s" and "chown root" for the su  
binary, which we should do as well for the root plugins. I've just  
committed that to CVS and updated various docs to try and make this  
clearer.

For your quick start guide, the "make install-root" step is not  
required as all the plugin compile and install steps are done as the  
root user. The chown and chmod steps can also be removed (though  
permissions are open).

However, there is quite a bit of confusion about this, probably due  
to the plugins "doing it how other projects are doing it", rather  
than "how Nagios does it" - this is not a complaint, just an  
observation.

Any other thoughts? I'd be especially interested from packagers if  
this way makes it easier or not. If not, then maybe switching back to  
--with-nagios-user/group is preferable. One possibility is that the  
default behaviour is as current, but if --with-nagios-user/group is  
set, to specifically use those settings.

Ton

http://www.altinity.com
T: +44 (0)870 787 9243
F: +44 (0)845 280 1725
Skype: tonvoon