NCPA 3.0.1 tmp pem file permission.

NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

Other

176 stars 94 forks source link

NCPA 3.0.1 tmp pem file permission. #1082

Open dccitd opened 9 months ago

dccitd commented 9 months ago

Just tried to updated our redhat servers from 2.4.1 to 3.0.1, noticed that the new agent creates a tmp file. When try and stop the agent it has permission problems and it can't delete the file.

Example. -rw-------. 1 root root 290282 Dec 18 14:14 /tmp/tmpiurju2zpcacert.pem

Error ncpa[140027]: Exception ignored in: <generator object _tempfile at 0x7f03e5b7f840> ncpa[140027]: Traceback (most recent call last): ncpa[140027]: File "importlib/resources/_common.py", line 87, in _tempfile ncpa[140027]: PermissionError: [Errno 1] Operation not permitted: '/tmp/tmpiurju2zpcacert.pem'

I had to change the uid in the ncpa.cfg file to root for it to work.

uid = root gid = nagios

ne-bbahn commented 9 months ago

We are aware of this issue and are working on it. These are generated automatically by Python For now,

these files will be removed automatically when you restart the machine
you can remove them manually/via a script
via changing the uid to root as you have done. I would NOT suggest the route you have chosen as you are giving NCPA root permissions, which is potentially unsecure.

At the moment, one of these files is created whenever NCPA is restarted until we can find a way to fix this.

MrPippin66 commented 9 months ago

This all seems to be coming from the 'certifi' module, which I don't understand why it's in the NCPA package. I think only certain invocations of "pip" would need it.

ne-bbahn commented 9 months ago

This all seems to be coming from the 'certifi' module, which I don't understand why it's in the NCPA package. I think only certain invocations of "pip" would need it.

The certifi module is a part of Python's testing library and is also included with the requests module, which we do use. I am currently investigating into this issue.

mbbv commented 8 months ago

Setting the User and Group to 'nagios' in the systemd service file seems to fix the issue. The tmp file ends up being owned by nagios:nagios and therefore the process can remove it at stop time.

ne-bbahn commented 6 months ago

Setting the User and Group to 'nagios' in the systemd service file seems to fix the issue. The tmp file ends up being owned by nagios:nagios and therefore the process can remove it at stop time.

Unfortunately this solution causes permissions issues which break NCPA on several distros, so this cannot be used as a solution to this problem.