You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch changes the permissions of the systemd unit file for Nagios from 755 to 644. The system is vulnerable because there are systemd unit files with insecure permissions. Systemd unit file permission are considered insecure in the following situations:
At least one of user, group and others has an execute permission bit.
Others has a write permission bit.
Group has a write permission bit.
Making these changes are due to security concerns for Nagios XI which uses Nagios Core. Switching 755 to 644 permissions removes the execution bits from all the groups thus making the systemd unit files secure.
Unfortunately, that will break other init types than systemd. That Makefile recipe is used for all types, the INIT_DIR & INIT_FILE being decided by AX_NAGIOS_GET_INIT & AX_NAGIOS_GET_PATHS.
It looks like install-daemoninit:, just under that, has an exception to modify the perms for systemd but also runs various commands that shouldn't be run for packaging. You might want to add a similar systemd check to install-init: and conditionally use the different perms.
Unfortunately, that will break other init types than systemd. That Makefile recipe is used for all types, the INIT_DIR & INIT_FILE being decided by AX_NAGIOS_GET_INIT & AX_NAGIOS_GET_PATHS.
It looks like install-daemoninit:, just under that, has an exception to modify the perms for systemd but also runs various commands that shouldn't be run for packaging. You might want to add a similar systemd check to install-init: and conditionally use the different perms.
Thank you for your review I greatly appreciated it. I did some further investigation and found a way to solve this issue without modify Nagios Core.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This patch changes the permissions of the systemd unit file for Nagios from 755 to 644. The system is vulnerable because there are systemd unit files with insecure permissions. Systemd unit file permission are considered insecure in the following situations:
Making these changes are due to security concerns for Nagios XI which uses Nagios Core. Switching 755 to 644 permissions removes the execution bits from all the groups thus making the systemd unit files secure.
https://www.baeldung.com/linux/systemd-unit-file-permissions
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_systemd_unit_files_to_customize_and_optimize_your_system/assembly_working-with-systemd-unit-files_working-with-systemd#proc_creating-custom-unit-files_assembly_working-with-systemd-unit-files