On May 12, 2007, at 7:24 AM, Simon Bailey wrote:

> hi,
>
> I just installed zenoss from RPM on a Redhat Enterprise 5 box. I saw it at a demonstration last December in Washington and am looking forward to trying it out.
>
> However, I do have some minor gripes about the RPM install process.
>
> a) I want to be able to use a database other than localhost. Standard practice; it doesn't make sense to me not to be able to do so.

The source based installation method allows you to select the hostname, port, root mysql username, root mysql password, zenoss username, zenoss password, and zenoss database name. It gives you the full control you're looking for. But, in order to use the source based installation method you must have a development environment.

The RPM offers a tradeoff: easier installation but with less flexibility (choices) during installation time.

We want to support unattended installation via the RPM so we default the configuration items you describe to what we believe most people will use. In your case it's different, but you can override the defaults using zendmd (or the GUI). You'll have to repopulate the database but that's not overly complex.


> b) When starting zenoss for the first time, it prompts for the root password, which is then displayed in plain text on the screen!!!

It's prompting you for the password because the default blank root password isn't working.


> Try adding 'stty -echo' before the 'read response' line (line 68) in $ZENHOME/bin/install-functions.sh and 'stty echo' after that line. That turns off terminal echoes; cf. also http://tldp.org/LDP/abs/html/system.html#SECRETPW .

This prompt moved into the set_mysql function in build-functions.sh, and I changed the root password section to stty -echo before the prompt:
  http://dev.zenoss.org/trac/changeset/5331



> c) Another security gripe:
> http://community.zenoss.com/docs/install-guides/install-on-redhat-enterprise-linux/
>
> Mr. Huckins suggests turning off iptables altogether. Please don't suggest this. Any inexperienced user following those instructions will do so and offer an open box to the world. Not a good idea. As this page is specific to RHEL, better to offer instructions on how to edit /etc/sysconfig/iptables to add those ports.

I sent Sam some new instructions. Please review them:
http://community.zenoss.com/docs/install-guides/install-on-redhat-enterprise-linux/



> d) A brief glance through the installation scripts seems to suggest that zenoss replaces /etc/sudoers and /etc/snmp.conf without taking into account any previous content. I haven't verified this yet, but it seems to be very wrong if it is doing so.

In 1.X we lay down a new /etc/sudoers. And by default we put zenoss in the wheel group. That was awful and we were aware of the security problems it created. This led to changeset 5200:
  http://dev.zenoss.org/trac/changeset/5200

This added a line to /etc/sudoers that allowed zenoss to run all commands as root. It was bad, but it was less bad than replacing /etc/sudoers altogether. But we (and the Debian folks) were still unhappy. This led to ticket #1446:
  http://dev.zenoss.org/trac/ticket/1446

Note the changesets associated with the ticket.

In 2.0 we no longer require sudo. Instead we use a setuid program named zensocket to bind to port 514 or 162 and then it passes a file descriptor number to zensyslog/zentrap. We do something similar for ICMP packets (zenping).

Bottom line: we killed off sudo in 2.0.



> e) zenoss installs scripts into the sysV boot directories. Good idea; better idea even to make it support chkconfig for RedHat-derived systems. Also, a brief check of my rc*.d directories makes me assume that kill links aren't installed.

I created a ticket for this and made the changes you requested. Please review the changeset associated with this ticket:
  http://dev.zenoss.org/trac/ticket/1477



> I can offer patches for problems b), c) and e) fairly immediately if required. a) is beyond my knowledge, as I know almost zilch about Zope. For d), I'd probably have to dig deeper into the code and know more about the installation process. I'm assuming this only happens with RPM-based installations.
>
> Sorry for firing off these gripes in such a huffy manner; I feel a monitoring application should be more security aware.

Thanks for pointing those out. If you come across some other security issues please send 'em in! :)


-c
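An added example, not code from the Zenoss install scripts or from anyone on this thread, of the stty -echo pattern discussed under (b): a hypothetical read_secret helper that prompts for the MySQL root password without echoing it, and restores echo even if the prompt is interrupted with Ctrl-C (the part that is easy to forget when wrapping a bare 'read').

```shell
#!/bin/sh
# Hypothetical helper (not from the Zenoss scripts) demonstrating the
# stty -echo / stty echo pattern around 'read', with echo restored on
# exit, interrupt or hangup so an aborted prompt does not leave a silent
# terminal. When stdin is not a terminal (piped input), stty is skipped.

# Turn echo back on and drop the traps (no-op when stdin is not a tty).
restore_echo() {
    if [ -t 0 ]; then
        stty echo
        trap - EXIT INT HUP TERM
    fi
}

# read_secret PROMPT: print PROMPT on stderr, read one line with echo off,
# and print the value on stdout so callers can capture it with $(...).
# Returns 1 on EOF so callers can tell "no input" from an empty password.
read_secret() {
    prompt=$1
    value=
    if [ -t 0 ]; then
        trap 'restore_echo' EXIT
        trap 'restore_echo; exit 130' INT HUP TERM
        stty -echo
    fi
    printf '%s' "$prompt" >&2
    if ! read -r value; then
        restore_echo
        return 1
    fi
    restore_echo
    # The user's Enter was not echoed either, so move to a fresh line.
    if [ -t 0 ]; then
        printf '\n' >&2
    fi
    printf '%s' "$value"
}
```

Usage: `rootpw=$(read_secret 'MySQL root password: ')`; the value stays in a shell variable rather than on the screen or on a command line where `ps` would show it.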



_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
