Alexandros Kosiaris has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/349221 )
Change subject: icinga: Fix permissions for /var/lib/nagios/rw
......................................................................
icinga: Fix permissions for /var/lib/nagios/rw
Per Debian Bug 571801 a more prudent way of allowing icinga web to
execute commands would be to rely on the sgid bit of directories making
sure that icinga restarts rely on the containing directory for providing
the correct permissions on the nagios.cmd file
Bug: T163286
Change-Id: I20a7306d6951eba3a2c43d27f574fcbbf1ff7ef1
---
M modules/icinga/manifests/init.pp
1 file changed, 4 insertions(+), 11 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/21/349221/1
diff --git a/modules/icinga/manifests/init.pp b/modules/icinga/manifests/init.pp
index 9d141ee..9871bd6 100644
--- a/modules/icinga/manifests/init.pp
+++ b/modules/icinga/manifests/init.pp
@@ -151,18 +151,11 @@
}
# Command folders / files to let icinga web to execute commands
+ # See Debian Bug 571801
file { '/var/lib/nagios/rw':
- ensure => directory,
- owner => 'icinga',
- group => 'nagios',
- mode => '0775',
- }
-
- file { '/var/lib/nagios/rw/nagios.cmd':
- ensure => present,
- owner => 'icinga',
- group => 'www-data',
- mode => '0664',
+ owner => 'icinga',
+ group => 'www-data',
+ mode => '2710', # The suid bit means new files inherit guid
}
# ensure icinga can write logs for ircecho, raid_handler etc.
--
To view, visit https://gerrit.wikimedia.org/r/349221
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I20a7306d6951eba3a2c43d27f574fcbbf1ff7ef1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
