commit: 6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 4 15:46:25 2016 +0000
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sun Dec 4 16:10:13 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6371a02d
net-analyzer/nagios-core: new revision and init script to fix CVE-2016-8641.
The new version 4.2.3 was added to fix CVE-2016-8641 in commit
c9f880e. However, the root privilege exploit results from the use of
"chown" in the init script. We don't use upstream's init script, so a
proper fix requires an update to our init script as well.
The following changes were made to the init script:
* We no longer attempt to delete the external command file before
starting or stopping the daemon. It's not clear why this was done,
and that file should not exist unless the user intentionally
creates it.
* We do not create or change ownership of /var/nagios/nagios.log or
/var/nagios/status.sav when starting the daemon. The log file path
is defined in the config file, so the hard-coded path in the init
script might not have referred to the true location of the log file.
And when the nagios daemon creates these files on its own, they
should already have the correct permissions and ownership. By
removing the "chown", we have actually fixed the root privilege
exploit in CVE-2016-8641.
* The two files /var/nagios/status.log and /var/nagios/nagios.tmp are
not deleted after the daemon has shut down. I can come up with no
compelling argument to do so.
Gentoo-Bug: 600864
Package-Manager: portage-2.3.0
net-analyzer/nagios-core/files/nagios4-r1 | 46 ++++++++++++++++++++++
...re-4.2.3.ebuild => nagios-core-4.2.3-r1.ebuild} | 2 +-
2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/net-analyzer/nagios-core/files/nagios4-r1
b/net-analyzer/nagios-core/files/nagios4-r1
new file mode 100644
index 00000000..dd2495c
--- /dev/null
+++ b/net-analyzer/nagios-core/files/nagios4-r1
@@ -0,0 +1,46 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+nagios_config="/etc/nagios/nagios.cfg"
+
+command="/usr/sbin/nagios"
+command_args="-d ${nagios_config}"
+pidfile="/var/nagios/nagios.lock"
+start_stop_daemon_args="-e HOME=/var/nagios/home"
+
+depend(){
+ need net
+ use dns logger firewall
+ after mysql postgresql
+}
+
+reload(){
+ checkconfig || return 1
+ ebegin "Reloading configuration"
+ start-stop-daemon --signal HUP --pidfile ${pidfile}
+ eend $?
+}
+
+checkconfig(){
+ ebegin "Verifying config files"
+
+ # Silent Check
+ ${command} -v ${nagios_config} > /dev/null 2>&1 && return 0
+
+ # Now we know there's a problem. Run the check again and
+ # this time, display the errors.
+ ${command} -v ${nagios_config}
+ eend $? "Configuration Error. Please fix your config file."
+}
+
+start_pre() {
+ # Without this, the "start" action will appear to succeed even
+ # when the config file contains errors and the daemon failed to
+ # start.
+ checkconfig || return 1
+}
diff --git a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
similarity index 99%
rename from net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
rename to net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
index f3d1d3e..2852d62 100644
--- a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
+++ b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
@@ -142,7 +142,7 @@ src_install() {
insopts --mode=0644 # Back to the default...
fi
- newinitd "${FILESDIR}"/nagios4 nagios
+ newinitd "${FILESDIR}"/nagios4-r1 nagios
newconfd "${FILESDIR}"/conf.d nagios
if use web ; then
