Gentoo Archives: gentoo-commits

From: Michael Orlitzky <mjo@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/nagios-core/, net-analyzer/nagios-core/files/
Date: Sun, 04 Dec 2016 16:11:02
Message-Id: 1480867813.6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3.mjo@gentoo
commit: 6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 4 15:46:25 2016 +0000
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sun Dec 4 16:10:13 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6371a02d

net-analyzer/nagios-core: new revision and init script to fix CVE-2016-8641.

The new version 4.2.3 was added to fix CVE-2016-8641 in commit
c9f880e. However, the root privilege exploit results from the use of
"chown" in the init script. We don't use upstream's init script, so a
proper fix requires an update to our init script as well.

The following changes were made to the init script:

* We no longer attempt to delete the external command file before
starting or stopping the daemon. It's not clear why this was done,
and that file should not exist unless the user intentionally
creates it.

* We do not create or change ownership of /var/nagios/nagios.log or
/var/nagios/status.sav when starting the daemon. The log file path
is defined in the config file, so the hard-coded path in the init
script might not have referred to the true location of the log file.

And when the nagios daemon creates these files on its own, they
should already have the correct permissions and ownership. By
removing the "chown", we have actually fixed the root privilege
exploit in CVE-2016-8641.

* The two files /var/nagios/status.log and /var/nagios/nagios.tmp are
not deleted after the daemon has shut down. I can come up with no
compelling argument to do so.

Gentoo-Bug: 600864

Package-Manager: portage-2.3.0

net-analyzer/nagios-core/files/nagios4-r1 | 46 ++++++++++++++++++++++
...re-4.2.3.ebuild => nagios-core-4.2.3-r1.ebuild} | 2 +-
2 files changed, 47 insertions(+), 1 deletion(-)

44 diff --git a/net-analyzer/nagios-core/files/nagios4-r1 b/net-analyzer/nagios-core/files/nagios4-r1
45 new file mode 100644
46 index 00000000..dd2495c
47 --- /dev/null
48 +++ b/net-analyzer/nagios-core/files/nagios4-r1
49 @@ -0,0 +1,46 @@
50 +#!/sbin/openrc-run
51 +# Copyright 1999-2016 Gentoo Foundation
52 +# Distributed under the terms of the GNU General Public License v2
53 +# $Id$
54 +
55 +extra_commands="checkconfig"
56 +extra_started_commands="reload"
57 +
58 +nagios_config="/etc/nagios/nagios.cfg"
59 +
60 +command="/usr/sbin/nagios"
61 +command_args="-d ${nagios_config}"
62 +pidfile="/var/nagios/nagios.lock"
63 +start_stop_daemon_args="-e HOME=/var/nagios/home"
64 +
65 +depend(){
66 + need net
67 + use dns logger firewall
68 + after mysql postgresql
69 +}
70 +
71 +reload(){
72 + checkconfig || return 1
73 + ebegin "Reloading configuration"
74 + start-stop-daemon --signal HUP --pidfile ${pidfile}
75 + eend $?
76 +}
77 +
78 +checkconfig(){
79 + ebegin "Verifying config files"
80 +
81 + # Silent Check
82 + ${command} -v ${nagios_config} > /dev/null 2>&1 && return 0
83 +
84 + # Now we know there's a problem. Run the check again and
85 + # this time, display the errors.
86 + ${command} -v ${nagios_config}
87 + eend $? "Configuration Error. Please fix your config file."
88 +}
89 +
90 +start_pre() {
91 + # Without this, the "start" action will appear to succeed even
92 + # when the config file contains errors and the daemon failed to
93 + # start.
94 + checkconfig || return 1
95 +}
96
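Review bot: in `checkconfig`, the silent-check success path (`${command} -v ${nagios_config} > /dev/null 2>&1 && return 0`) returns before any `eend`, so the `ebegin "Verifying config files"` line opened just above it is never closed with a status marker on the normal, error-free path; call `eend 0` before that `return 0` (or move the `ebegin` down to the verbose re-run). A second point worth confirming, since the commit message now relies on the daemon creating its own files under /var/nagios with the right ownership: `pidfile="/var/nagios/nagios.lock"` sits in that same daemon-writable directory, and `reload()` signals whatever PID `start-stop-daemon --signal HUP --pidfile ${pidfile}` reads from it, so the ownership and mode of /var/nagios and the lock file should be set explicitly in the ebuild rather than assumed.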
97 diff --git a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
98 similarity index 99%
99 rename from net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
100 rename to net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
101 index f3d1d3e..2852d62 100644
102 --- a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
103 +++ b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
104 @@ -142,7 +142,7 @@ src_install() {
105 insopts --mode=0644 # Back to the default...
106 fi
107
108 - newinitd "${FILESDIR}"/nagios4 nagios
109 + newinitd "${FILESDIR}"/nagios4-r1 nagios
110 newconfd "${FILESDIR}"/conf.d nagios
111
112 if use web ; then
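Review bot: the diffstat lists only the new `files/nagios4-r1` and the renamed ebuild, so the old `files/nagios4` init script containing the `chown` remains in FILESDIR after this change; if no other nagios-core ebuild still references it, remove it in the same commit so it cannot be installed again by mistake. Because the fix is delivered as /etc/init.d/nagios, which falls under CONFIG_PROTECT, the revision bump alone does not guarantee the corrected script is active on existing systems until the user accepts the update with etc-update or dispatch-conf; a `pkg_postinst` elog pointing this out would make the CVE-2016-8641 fix more likely to take effect.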