commit: 6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3 |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
AuthorDate: Sun Dec 4 15:46:25 2016 +0000 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
CommitDate: Sun Dec 4 16:10:13 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6371a02d |
|
net-analyzer/nagios-core: new revision and init script to fix CVE-2016-8641. |
|
The new version 4.2.3 was added to fix CVE-2016-8641 in commit |
c9f880e. However, the root privilege exploit results from the use of |
"chown" in the init script. We don't use upstream's init script, so a |
proper fix requires an update to our init script as well. |
|
The following changes were made to the init script: |
|
* We no longer attempt to delete the external command file before |
starting or stopping the daemon. It's not clear why this was done, |
and that file should not exist unless the user intentionally |
creates it. |
|
* We do not create or change ownership of /var/nagios/nagios.log or |
/var/nagios/status.sav when starting the daemon. The log file path |
is defined in the config file, so the hard-coded path in the init |
script might not have referred to the true location of the log file. |
|
And when the nagios daemon creates these files on its own, they |
should already have the correct permissions and ownership. By |
removing the "chown", we have actually fixed the root privilege |
exploit in CVE-2016-8641. |
|
* The two files /var/nagios/status.log and /var/nagios/nagios.tmp are |
not deleted after the daemon has shut down. I can come up with no |
compelling argument to do so. |
|
Gentoo-Bug: 600864 |
|
Package-Manager: portage-2.3.0 |
|
net-analyzer/nagios-core/files/nagios4-r1 | 46 ++++++++++++++++++++++ |
...re-4.2.3.ebuild => nagios-core-4.2.3-r1.ebuild} | 2 +- |
2 files changed, 47 insertions(+), 1 deletion(-) |
|
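diff --git a/net-analyzer/nagios-core/files/nagios4-r1 b/net-analyzer/nagios-core/files/nagios4-r1
new file mode 100644
index 00000000..dd2495c
--- /dev/null
+++ b/net-analyzer/nagios-core/files/nagios4-r1
@@ -0,0 +1,46 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+nagios_config="/etc/nagios/nagios.cfg"
+
+command="/usr/sbin/nagios"
+command_args="-d ${nagios_config}"
+pidfile="/var/nagios/nagios.lock"
+start_stop_daemon_args="-e HOME=/var/nagios/home"
+
+depend(){
+ need net
+ use dns logger firewall
+ after mysql postgresql
+}
+
+reload(){
+ checkconfig || return 1
+ ebegin "Reloading configuration"
+ start-stop-daemon --signal HUP --pidfile ${pidfile}
+ eend $?
+}
+
+checkconfig(){
+ ebegin "Verifying config files"
+
+ # Silent Check
+ ${command} -v ${nagios_config} > /dev/null 2>&1 && return 0
+
+ # Now we know there's a problem. Run the check again and
+ # this time, display the errors.
+ ${command} -v ${nagios_config}
+ eend $? "Configuration Error. Please fix your config file."
+}
+
+start_pre() {
+ # Without this, the "start" action will appear to succeed even
+ # when the config file contains errors and the daemon failed to
+ # start.
+ checkconfig || return 1
+}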
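Review bot: The reload action at `start-stop-daemon --signal HUP --pidfile ${pidfile}` signals whatever pid the lock file holds without checking which process that is, since no `--exec` is given; if /var/nagios is writable by the service account, as the description's point about the daemon creating its own files there suggests, a tampered nagios.lock would have root deliver the signal to an arbitrary process on reload. `start-stop-daemon --signal HUP --exec "${command}" --pidfile "${pidfile}"` restricts it to a process running the nagios binary. The hard-coded `pidfile="/var/nagios/nagios.lock"` also invites the description's own objection to the hard-coded log path: the lock file location is a nagios.cfg setting, so the two can disagree. Separately, checkconfig's silent-check line returns before any `eend`, so the "Verifying config files" line is left without a status on success; `${command} -v ${nagios_config} > /dev/null 2>&1 && { eend 0; return 0; }` closes it.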
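diff --git a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
similarity index 99%
rename from net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
rename to net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
index f3d1d3e..2852d62 100644
--- a/net-analyzer/nagios-core/nagios-core-4.2.3.ebuild
+++ b/net-analyzer/nagios-core/nagios-core-4.2.3-r1.ebuild
@@ -142,7 +142,7 @@ src_install() {
 insopts --mode=0644 # Back to the default...
 fi
 
-newinitd "${FILESDIR}"/nagios4 nagios
+newinitd "${FILESDIR}"/nagios4-r1 nagios
 newconfd "${FILESDIR}"/conf.d nagios
 
 if use web ; then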