Hello community,

here is the log from the commit of package nagios for openSUSE:Factory checked 
in at 2020-04-07 10:31:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nagios (Old)
 and      /work/SRC/openSUSE:Factory/.nagios.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nagios"

Tue Apr  7 10:31:53 2020 rev:17 rq:791853 version:4.4.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/nagios/nagios.changes    2020-02-04 
19:55:08.405384130 +0100
+++ /work/SRC/openSUSE:Factory/.nagios.new.3248/nagios.changes  2020-04-07 
10:32:45.342610710 +0200
@@ -1,0 +2,17 @@
+Mon Apr  6 15:55:26 UTC 2020 - l...@linux-schulserver.de - 4.4.5
+
+- fix boo#1156309, CVE-2019-3698 : Symbolic Link (Symlink) following 
+  vulnerability in the cronjob allows local attackers to cause cause 
+  DoS or potentially escalate privileges by winning a race.
+- enhance systemd service: check nagios config before reloading
+- enable build for SLE11 by excluding some special macros and 
+  directories via 'sles_version != 11' condition
+- add nagios-archive.service and nagios-archive.timer as replacement 
+  for the script in cron.weekly: no need for cron on systemd systems
+- run set_permissions and verifyscript for /etc/cron.weekly on those
+  distributions that need it
+- enhance rpmlint: ignore empty htpasswd file
+- enable php apache module and not php5 on newer distributions
+- try to harden the rcnagios script
+
+-------------------------------------------------------------------

New:
----
  nagios-archive.service
  nagios-archive.timer

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nagios.spec ++++++
--- /var/tmp/diff_new_pack.7xvNSK/_old  2020-04-07 10:32:47.638613702 +0200
+++ /var/tmp/diff_new_pack.7xvNSK/_new  2020-04-07 10:32:47.642613707 +0200
@@ -49,6 +49,8 @@
 Source11:       %{name}-html-pages.tar.bz2
 Source12:       %{name}.service
 Source13:       %{name}.tmpfiles
+Source14:       %{name}-archive.timer
+Source15:       %{name}-archive.service
 Source20:       %{name}-rpmlintrc
 # PATCH-FIX-UPSTREAM unescape hex characters in CGI input - avoid addional '+'
 Patch3:         nagios-fix_encoding_trends.cgi.patch
@@ -87,6 +89,8 @@
 BuildRequires:  pkgconfig(systemd)
 Source100:      nagios_systemd
 %{?systemd_ordering}
+%else
+Recommends:     cron
 %endif
 Provides:       monitoring_daemon
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -97,10 +101,10 @@
 Requires(pre):  %fillup_prereq
 %if 0%{?suse_version} < 01200
 Requires(pre):  %insserv_prereq
+Requires:       cron
 %endif
 Requires(pre):  shadow
 Recommends:     %{name}-www
-Recommends:     cron
 # this package contains shared tools with icinga
 Recommends:     monitoring-tools
 Recommends:     icinga-monitoring-tools
@@ -355,7 +359,16 @@
 # sysconfig script
 install -D -m 0644 %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 # install cronjob (gzip' the logfiles)
-install -D -m 0755 %{SOURCE4} %{buildroot}%{_sysconfdir}/cron.weekly/%{name}
+%if %{with systemd}
+sed -e 's|__NAGIOS_USER__|%{nagios_user}|g' \
+    -e 's|__NAGIOS_GROUP__|%{nagios_group}|g' %{SOURCE4} > 
%{buildroot}%{_sbindir}/nagios-archive
+install -Dm0644 %{SOURCE14} %{buildroot}/%{_unitdir}/nagios-archive.timer
+install -Dm0644 %{SOURCE15} %{buildroot}/%{_unitdir}/nagios-archive.service
+%else
+mkdir %{buildroot}%{_sysconfdir}/cron.weekly
+sed -e 's|__NAGIOS_USER__|%{nagios_user}|g' \
+    -e 's|__NAGIOS_GROUP__|%{nagios_group}|g' %{SOURCE4} > 
%{buildroot}%{_sysconfdir}/cron.weekly/%{name}
+%endif
 # install empty htpasswd file (boo#961115)
 touch %{buildroot}%{_sysconfdir}/%{name}/htpasswd.users
 # important ghost files
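Review bot: The non-systemd branch creates the target directory with a bare `mkdir %{buildroot}%{_sysconfdir}/cron.weekly`, which fails if the directory already exists or its parent is missing; the removed `install -D` handled both. `install -d -m 0755 %{buildroot}%{_sysconfdir}/cron.weekly` would also keep the mode explicit. In both branches the script is written through a shell redirect, so its mode in the buildroot comes from the build umask and the executable bit depends entirely on the `%attr(0755,root,root)` entries in `%files`; a one-line comment saying so would help. The `%install` section starts and ends outside this hunk.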
@@ -410,7 +423,7 @@
   fi
 fi
 %if %{with systemd}
-%service_add_pre %{name}.service
+%service_add_pre %{name}.service %{name}-archive.service %{name}-archive.timer
 %endif
 
 %post
@@ -432,31 +445,39 @@
   fi
 fi
 %if %{with systemd}
-%service_add_post %{name}.service
+%service_add_post %{name}.service %{name}-archive.service %{name}-archive.timer
 systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %fillup_only
 %else
 %{fillup_and_insserv %{name}}
+%if 0%{?sles_version} != 11
+%set_permissions /etc/cron.weekly/
+%endif
+%endif
+%if 0%{?sles_version} != 11
+%set_permissions /var/spool/nagios/
 %endif
-%set_permissions /var/spool/nagios
 
 %preun
 %if %{with systemd}
-%service_del_preun %{name}.service
+%service_del_preun %{name}.service %{name}-archive.service 
%{name}-archive.timer
 %else
 %stop_on_removal %{name}
 %endif
 
 %postun
 %if %{with systemd}
-%service_del_postun %{name}.service
+%service_del_postun %{name}.service %{name}-archive.service 
%{name}-archive.timer
 %else
 %restart_on_update %{name}
 %{insserv_cleanup}
 %endif
 
 %verifyscript
-%verify_permissions -e /var/spool/nagios
+%if ! %{with systemd}
+%verify_permissions -e /etc/cron.weekly/
+%endif
+%verify_permissions -e /var/spool/nagios/
 
 %post www
 wwwusr=%{nagios_command_user}
@@ -484,14 +505,18 @@
         %{_sbindir}/a2enmod auth_basic >/dev/null
         %{_sbindir}/a2enmod authz_user >/dev/null
         %{_sbindir}/a2enmod version >/dev/null
-               # enable php5 in apache config
-               %{_sbindir}/a2enmod php5
+      # enable php in apache config
+      %if 0%{?sle_version} == 120000 
+        %{_sbindir}/a2enmod php5 >/dev/null || :
+      %else
+        %{_sbindir}/a2enmod php >/dev/null || :
+      %endif
        fi
-%if %{with systemd}
-%{_bindir}/systemctl try-restart apache2
-%else
-%restart_on_update apache2
-%endif
+  %if %{with systemd}
+  %{_bindir}/systemctl try-restart apache2
+  %else
+  %restart_on_update apache2
+  %endif
 fi
 
 %post www-dch
@@ -535,13 +560,18 @@
 %attr(0755,root,root) %{nagios_libdir}/%{name}-exec-start-pre
 %{_unitdir}/%{name}.service
 %{_prefix}/lib/tmpfiles.d/%{name}.conf
+%attr(0755,root,root) %{_sbindir}/nagios-archive
+%{_unitdir}/nagios-archive.timer
+%{_unitdir}/nagios-archive.service
 %else
 %attr(0755,root,root) %{_sysconfdir}/init.d/%{name}
 %ghost %dir %{nslockfile_dir}
 %attr(0644,%{nagios_user},%{nagios_group}) %verify(not md5 size mtime) %ghost 
%config(missingok,noreplace) %{nslockfile}
-%endif
+%if 0%{?sles_version} != 11
 %dir %{_sysconfdir}/cron.weekly
+%endif
 %attr(0755,root,root) %{_sysconfdir}/cron.weekly/*
+%endif
 %config(noreplace) %{nagios_sysconfdir}/*.cfg
 %config(noreplace) %{nagios_sysconfdir}/objects/*.cfg
 %ghost %config(missingok,noreplace) %{nagios_logdir}/config.err

++++++ nagios-archive.service ++++++
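# Oneshot unit that runs the Nagios log archiving script once and exits.
# It has no [Install] section; nagios-archive.timer (same base name) is what
# activates it on a schedule.
# No User=/Group= is set here, so systemd starts the script as root. Any
# privilege drop therefore has to happen inside /usr/sbin/nagios-archive.
[Unit]
Description=Auto-Archiving of Nagios Logfiles

[Service]
Type=oneshot
# Execute the script directly. The previous '/bin/bash -ce "<path>"' wrapper
# only added an extra shell around a fixed path; the '-e' applied to the
# one-command wrapper string, not to the script being started.
ExecStart=/usr/sbin/nagios-archive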
++++++ nagios-archive.timer ++++++
# Weekly trigger for the Nagios log archiving job. No Unit= is given, so the
# timer activates the service with the same base name (nagios-archive.service).
[Unit]
Description=Auto-Archiving of Nagios Logfiles

[Timer]
# Every Saturday at 03:00 (no time zone given, so local time).
OnCalendar=Sat *-*-* 03:00:00
# systemd may delay the run by up to 12 hours after the scheduled time.
AccuracySec=12h
# The last run time is stored on disk; a run missed while the machine was
# off is caught up when the timer is next started.
Persistent=true

[Install]
# Enabling the timer hooks it into the standard timers target.
WantedBy=timers.target
++++++ nagios-rpmlintrc ++++++
--- /var/tmp/diff_new_pack.7xvNSK/_old  2020-04-07 10:32:47.738613833 +0200
+++ /var/tmp/diff_new_pack.7xvNSK/_new  2020-04-07 10:32:47.738613833 +0200
@@ -17,3 +17,5 @@
 addFilter("tmpfile-not-in-filelist.*/var/run/nagios");
 # not using the macro should not be a problem if we call the service directly:
 addFilter("postin-without-tmpfile-creation.*/usr/lib/tmpfiles.d/nagios.conf");
+# see boo#961115 - CVE-2016-0726
+addFilter("zero-length.*/etc/nagios/htpasswd.users");

++++++ nagios.service ++++++
--- /var/tmp/diff_new_pack.7xvNSK/_old  2020-04-07 10:32:47.766613869 +0200
+++ /var/tmp/diff_new_pack.7xvNSK/_new  2020-04-07 10:32:47.766613869 +0200
@@ -7,6 +7,7 @@
 ExecStartPre=/usr/lib/nagios/nagios-exec-start-pre
 ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg
 ExecStart=/usr/sbin/nagios /etc/nagios/nagios.cfg
+ExecReload=/usr/sbin/nagios -v /etc/nagios/nagios.cfg
 ExecReload=/bin/kill -HUP $MAINPID
 
 [Install]
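Review bot: The added `ExecReload=/usr/sbin/nagios -v /etc/nagios/nagios.cfg` protects the running daemon only because systemd runs the ExecReload= lines in order and stops at the first failure, and nothing in the unit says so. I would add a comment above it, for example `# config check must stay first and must not get a '-' prefix: a failure here prevents the HUP below`. The rest of the unit lies outside this hunk.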

++++++ nagios_systemd ++++++
--- /var/tmp/diff_new_pack.7xvNSK/_old  2020-04-07 10:32:47.802613916 +0200
+++ /var/tmp/diff_new_pack.7xvNSK/_new  2020-04-07 10:32:47.802613916 +0200
@@ -16,6 +16,8 @@
 
 # Read config and log errors in logfile
 config_check () {
+    test -f $NAGIOS_CFG_ERR_LOG && rm $NAGIOS_CFG_ERR_LOG
+    touch $NAGIOS_CFG_ERR_LOG || exit 1
     case "$1" in
         verbose)
             $NAGIOS_BIN -v "$NAGIOS_CFG" >"$NAGIOS_CFG_ERR_LOG" 2>&1
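Review bot: The two added lines use `$NAGIOS_CFG_ERR_LOG` unquoted and as a check-then-act sequence (`test -f`, `rm`, `touch`), and the redirect in the `verbose)` branch then opens the same path by name again, so nothing guarantees that the file written is the one just created. This commit is about a symlink race (CVE-2019-3698 in the changelog), so the sequence matters if the log's directory is writable by the nagios account, which is not visible from this hunk. At minimum quote and simplify to `rm -f -- "$NAGIOS_CFG_ERR_LOG"` followed by `touch -- "$NAGIOS_CFG_ERR_LOG" || exit 1`. The sturdier fix is to keep the error log in a directory that only root can write. config_check continues past the end of the hunk.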

++++++ suse.de-nagios ++++++
--- /var/tmp/diff_new_pack.7xvNSK/_old  2020-04-07 10:32:47.834613958 +0200
+++ /var/tmp/diff_new_pack.7xvNSK/_new  2020-04-07 10:32:47.834613958 +0200
@@ -1,19 +1,35 @@
-#!/usr/bin/env bash
+#!/bin/bash
 #
 # Compress old nagios logfiles in /var/log/nagios/archives/
 # once a week, if sysconfig variable is set to true
 #
-if [[ -r /etc/sysconfig/nagios ]]; then 
-. /etc/sysconfig/nagios
+CFG='/etc/nagios/nagios.cfg'
+SYSCFG='/etc/sysconfig/nagios'
+
+if [[ -r $SYSCFG ]]; then 
+. $SYSCFG
 else
-       echo "/etc/sysconfig/nagios not found or not readable." >&2
+       echo "$SYSCFG not found or not readable." >&2
        exit 1
 fi
 
+if [[ -r $CFG ]]; then
+  NAGIOS_USER=$( grep ^nagios_user  $CFG | tail -n 1 | sed 's@.*=@@' | tr -d 
'[:cntrl:]')
+  NAGIOS_GROUP=$(grep ^nagios_group $CFG | tail -n 1 | sed 's@.*=@@' | tr -d 
'[:cntrl:]')
+fi
+
+if [ -z "$NAGIOS_USER" ]; then
+  NAGIOS_USER='__NAGIOS_USER__'
+fi
+if [ -z "$NAGIOS_GROUP" ]; then
+  NAGIOS_GROUP='__NAGIOS_GROUP__'
+fi
+
 if [[ $NAGIOS_COMPRESS_LOGFILES = "true" ]]; then
        for f in /var/log/nagios/archives/*.log ; do
                if [[ -r $f ]] ; then
-                       /usr/bin/bzip2 "$f"
+                       setpriv --init-groups --ruid $NAGIOS_USER --rgid 
$NAGIOS_GROUP \
+                               --inh-caps -all --reset-env /usr/bin/bzip2 "$f"
                fi
        done
 fi
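Review bot: In the `setpriv` call, `--ruid` and `--rgid` change only the real IDs; per setpriv(1) the effective UID and GID stay as they were. When root starts this script, bzip2 would therefore still run with effective UID 0, and the privilege drop that the CVE-2019-3698 fix relies on does not take effect. Use the combined options and quote the values parsed from nagios.cfg: `setpriv --init-groups --reuid "$NAGIOS_USER" --regid "$NAGIOS_GROUP" \`. The `[[ -r $f ]]` test just above is still evaluated by the calling user, so it says nothing about what the nagios account can read.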

