[PATCH 17/20] NRPE: Prevent NRPE binary from being owned by "nobody"

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 17/20] NRPE: Prevent NRPE binary from being owned by "nobody"
Date: Mon, 17 May 2021 21:06:50 +0200	[thread overview]
Message-ID: <ed8b7333-ee81-7261-1574-dc4febbf208d@ipfire.org> (raw)
In-Reply-To: <62f381bd-c870-107a-cd81-27cb283660bb@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 1516 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/nagios_nrpe | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lfs/nagios_nrpe b/lfs/nagios_nrpe
index a8b4b3676..260bcc810 100644
--- a/lfs/nagios_nrpe
+++ b/lfs/nagios_nrpe
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = nagios_nrpe
-PAK_VER    = 8
+PAK_VER    = 9
 
 DEPS       = nagios-plugins
 
@@ -99,5 +99,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	install -v -m 644 ${DIR_SRC}/config/backup/includes/nagios_nrpe \
 		/var/ipfire/backup/addons/includes/nagios_nrpe
 
+	# Prevent NRPE binary from being owned by "nobody"
+	chown root:root /usr/lib/nagios/check_nrpe
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
-- 
2.26.2

next prev parent reply	other threads:[~2021-05-17 19:06 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-17 19:00 [PATCH 00/20] Prevent "nobody" from escalating privileges by using writeable binaries as a vehicle Peter Müller
2021-05-17 19:00 ` [PATCH 01/20] GnuPG does not need to have a SUID bit set Peter Müller
2021-05-17 19:01   ` [PATCH 02/20] Core Update 157: remove SUID bit from /usr/bin/gpg Peter Müller
2021-05-17 19:01     ` [PATCH 03/20] /usr/bin/ping does not need a SUID bit if appropriate capabilities are set Peter Müller
2021-05-17 19:02       ` [PATCH 04/20] Core Update 157: Delete ssh-keysign binary Peter Müller
2021-05-17 19:02         ` [PATCH 05/20] DMA: do not ship a binary for creating mail boxes Peter Müller
2021-05-17 19:02           ` [PATCH 06/20] Core Update 157: Delete orphaned DMA mail box creation binary as well Peter Müller
2021-05-17 19:03             ` [PATCH 07/20] Core Update 157: /var/ipfire/fwhosts/icmp-types does not have to be executable Peter Müller
2021-05-17 19:03               ` [PATCH 08/20] Core Update 157: Ship changed iputils due to /usr/bin/ping changes Peter Müller
2021-05-17 19:04                 ` [PATCH 09/20] backup: prevent /var/ipfire/backup/bin/backup.pl from being owned by nobody Peter Müller
2021-05-17 19:04                   ` [PATCH 10/20] SquidGuard: Prevent binaries within /var/ipfire/urlfilter/bin/ " Peter Müller
2021-05-17 19:04                     ` [PATCH 11/20] Core Update 157: Apply changed permissions to /var/ipfire/urlfilter/bin/ Peter Müller
2021-05-17 19:05                       ` [PATCH 12/20] Squid: Prevent binaries within /var/ipfire/updatexlrator/bin/ from being owned by nobody Peter Müller
2021-05-17 19:05                         ` [PATCH 13/20] Core Update 157: Apply changed permissions to /var/ipfire/updatexlrator/bin/ Peter Müller
2021-05-17 19:05                           ` [PATCH 14/20] OpenVPN: ovpn-leases.db for sure does not have to be executable Peter Müller
2021-05-17 19:06                             ` [PATCH 15/20] Core Update 157: Apply changed permissions to /var/ipfire/ovpn/ovpn-leases.db Peter Müller
2021-05-17 19:06                               ` [PATCH 16/20] Core Update 157: Remove executable bit less ugly Peter Müller
2021-05-17 19:06                                 ` Peter Müller [this message]
2021-05-17 19:07                                   ` [PATCH 18/20] nagios-plugins: Prevent Nagios plugins from being owned by nobody Peter Müller
2021-05-17 19:07                                     ` [PATCH 19/20] Squid: cachemgr.cgi does not have to be owned (hence writeable) " Peter Müller
2021-05-17 19:07                                       ` [PATCH 20/20] Core Update 157: Apply changed permissions to /srv/web/ipfire/cgi-bin/cachemgr.cgi Peter Müller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ed8b7333-ee81-7261-1574-dc4febbf208d@ipfire.org \
    --to=peter.mueller@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox