227273 – net-mgmt/py-pdagent: wrong permissions on /var/db/pdagent directories

Bug 227273 - net-mgmt/py-pdagent: wrong permissions on /var/db/pdagent directories

Summary: net-mgmt/py-pdagent: wrong permissions on /var/db/pdagent directories

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Mark Felder

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-03 21:38 UTC by bgdnlp
Modified:	2018-04-11 13:01 UTC (History)
CC List:	0 users

See Also:

Flags:	bugzilla: maintainer-feedback? (feld)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description bgdnlp 2018-04-03 21:38:45 UTC

Permissions on directories under /var/db/pdagent are set incorrectly making it impossible to send alerts to PagerDuty unless user is either root or nobody. Attempting to send something as a normal user results in:

Exception: Can't write to directory /var/db/pdagent/outqueue/tmp, please check permissions


Here's the permissions taken from a CentOS install:
# find /var/lib/pdagent/ -type d -exec ls -dl {} \;
drwxr-xr-x. 5 pdagent pdagent 67 Mar 26 09:16 /var/lib/pdagent/
drwxr-xr-x. 6 pdagent pdagent 50 Apr  3 18:10 /var/lib/pdagent/outqueue
drwxr-x---. 2 pdagent pdagent 6 Sep 15  2017 /var/lib/pdagent/outqueue/err
drwxr-x-wx. 2 pdagent pdagent 6 Apr  3 18:10 /var/lib/pdagent/outqueue/pdq
drwxr-x---. 2 pdagent pdagent 12288 Apr  3 19:16 /var/lib/pdagent/outqueue/suc
drwxr-x-wx. 2 pdagent pdagent 6 Apr  3 18:10 /var/lib/pdagent/outqueue/tmp
drwxr-xr-x. 2 pdagent pdagent 49 Mar 26 09:16 /var/lib/pdagent/scripts
drwxrwxr-x. 2 pdagent pdagent 39 Apr  3 18:10 /var/lib/pdagent/db

Comment 1 Mark Felder freebsd_committer

2018-04-05 16:19:50 UTC

It was my intention to require the administrator to set the owner by altering the user of the daemon in /etc/rc.conf so it can be used by the target service. 

Example:

pdagent_user="nagios"

I thought I had a pkg-message explaining this, but it seems that is missing. I'll add a default pdagent user/group for the service so it's easier to just add the user(s) that need to issue commands to the pdagent group, but the issue will still remain. In my opinion the permissions on the CentOS are far too lax and it should not be world-writable...

Comment 2 commit-hook freebsd_committer

2018-04-05 16:38:10 UTC

A commit references this bug:

Author: feld
Date: Thu Apr  5 16:37:19 UTC 2018
New revision: 466569
URL: https://svnweb.freebsd.org/changeset/ports/466569

Log:
  net-mgmt/py-pdagent: Add dedicated user/group

  - Also add pkg-message informing how to permit users and services access

  PR:		227273

Changes:
  head/net-mgmt/py-pdagent/Makefile
  head/net-mgmt/py-pdagent/files/pdagentd.in
  head/net-mgmt/py-pdagent/pkg-message

Comment 3 Mark Felder freebsd_committer

2018-04-05 16:40:23 UTC

This should solve the issue and confusion. It does still differ from CentOS, but should ease your pain. Please send me feedback if you have further comments or concerns.

Comment 4 bgdnlp 2018-04-05 16:52:38 UTC

I see what you're saying. So, using their file permissions means that basically anyone with access to the machine would be able to raise and alert in PagerDuty, either by calling the script or by writing to those directories directly.

The alternative that I see is to have 'tmp' and 'pdq' directories set to 730 permissions, owned by pdagent:pdagent and have 'nagios' (or zabbix, or whatever) be part of pdagent group so that it can write to that directory. That way only the intended services would be able to send PD alerts. That also means that people following PagerDuty instructions to set up the agent will get an error when running pd-send manually to test if it works.

I'm not sure the extra security is worth it, but it's your call.

One issue I see with directories set to 775 is that now anyone can read the alerts sent because of the read permissions. Again, not sure if that's a problem, but presumably those alerts might disclose information? Also, they've set 'err' and 'suc' directories to 750, maybe they have a reason for that, I don't know.

775 and adding 'zabbix' to 'pdagent' group does work though.

Comment 5 commit-hook freebsd_committer

2018-04-05 17:12:38 UTC

A commit references this bug:

Author: feld
Date: Thu Apr  5 17:11:39 UTC 2018
New revision: 466572
URL: https://svnweb.freebsd.org/changeset/ports/466572

Log:
  net/py-pdagent: Further increase security

  Limit access to alert data files which could hold sensitive information

  PR:		227273

Changes:
  head/net-mgmt/py-pdagent/Makefile
  head/net-mgmt/py-pdagent/files/pdagentd.in

Comment 6 commit-hook freebsd_committer

2018-04-11 13:01:55 UTC

A commit references this bug:

Author: feld
Date: Wed Apr 11 13:01:27 UTC 2018
New revision: 467046
URL: https://svnweb.freebsd.org/changeset/ports/467046

Log:
  MFH: r466569 r466572

  net-mgmt/py-pdagent: Add dedicated user/group

  - Also add pkg-message informing how to permit users and services access

  net/py-pdagent: Further increase security

  Limit access to alert data files which could hold sensitive information

  PR:		227273

Changes:
_U  branches/2018Q2/
  branches/2018Q2/net-mgmt/py-pdagent/Makefile
  branches/2018Q2/net-mgmt/py-pdagent/files/pdagentd.in
  branches/2018Q2/net-mgmt/py-pdagent/pkg-message