russellvt / pnp4nagios

PNP is an addon to Nagios/Icinga which analyzes performance data provided by plugins and stores them automatically into RRD-databases.
https://docs.pnp4nagios.org
GNU General Public License v2.0

Verify CVE-2017-16834 is fixed #14

Open russellvt opened 1 year ago

russellvt commented 1 year ago

We need to create and verify the fix for CVE-2017-16834.

Essentially, npcd may have some security issues due to root permission usage (i.e. its startup file, which uses root and then immediately switches to the unprivileged user).

I believe this is a "reaching" issue, as this requires access to the local system (i.e. rather than being remotely exploitable), as well as a few other assumptions (i.e. users being part of the unprivileged user's group, or having the ability to access that account).

Proper installations should be with root-owned configurations, and lock the user to the unprivileged user. As a workaround, you can run npcd with its own user, only verifying that the webserver has read access to the proper RRD files.
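The layout described in the comment above (root-owned configuration, a dedicated unprivileged service user, and RRD data the webserver can read but not write) can be checked mechanically. The following is an added audit helper, not code from pnp4nagios or from the issue author; every path and uid it uses is constructed in a temporary directory so it runs without root.

```python
import os
import stat
import tempfile

def readable_by(st, uid, gids):
    """Mode-bit check only (ACLs/capabilities ignored): can uid with these gids read the file?"""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_npcd_layout(config_path, rrd_dir, npcd_uid, web_uid, web_gids, admin_uid=0):
    """Return a list of findings; an empty list means the layout matches the advice."""
    findings = []
    cfg = os.stat(config_path)
    if cfg.st_uid != admin_uid:  # config must be owned by the administrator, not the service user
        findings.append(f"{config_path}: owned by uid {cfg.st_uid}, expected {admin_uid}")
    if cfg.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{config_path}: writable by group or others")
    if npcd_uid == 0:  # the daemon itself should never keep running as root
        findings.append("npcd service user is root; use a dedicated unprivileged user")
    rrd = os.stat(rrd_dir)
    if rrd.st_uid != npcd_uid:  # the service user writes the RRD files, so it owns the directory
        findings.append(f"{rrd_dir}: owned by uid {rrd.st_uid}, expected npcd uid {npcd_uid}")
    if rrd.st_mode & stat.S_IWOTH:
        findings.append(f"{rrd_dir}: world-writable")
    if not readable_by(rrd, web_uid, web_gids):  # webserver only needs read access
        findings.append(f"{rrd_dir}: not readable by webserver uid {web_uid}")
    return findings

def demo():
    """Constructed layout (hypothetical npcd.cfg and perfdata dir) in a temp dir, audited twice:
    once laid out as recommended, once after loosening the config and tightening the RRD dir."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        cfg, rrd = os.path.join(root, "npcd.cfg"), os.path.join(root, "perfdata")
        open(cfg, "w").close()
        os.mkdir(rrd)
        os.chmod(cfg, 0o644)
        os.chmod(rrd, 0o755)
        good = audit_npcd_layout(cfg, rrd, me, web_uid=me + 1, web_gids=set(), admin_uid=me)
        os.chmod(cfg, 0o666)  # group/world-writable config: anyone in the group can alter it
        os.chmod(rrd, 0o700)  # webserver can no longer read the RRD data
        bad = audit_npcd_layout(cfg, rrd, 0, web_uid=me + 1, web_gids=set(), admin_uid=me)
    return good, bad
```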

russellvt commented 1 year ago

This should have been fixed in 23c123f7a72ffc03a2819eddcc442b40fcdb63e3.