Slightly OT, .. 5.5 Nagios


Slightly OT, .. 5.5 Nagios

L. V. Lammert
Trying to upgrade our 5.4 Nagios system to 5.5, .. everything went fine
with the system, but it appears that there are some new dependencies for
the web UI:

# pkg_add nagios-web-4.0.1-chroot
Can't install php-gd-5.4.24 because of libraries
|library X11.16.0 not found
| not found anywhere
|library Xpm.9.0 not found
| not found anywhere
|library freetype.22.0 not found
| not found anywhere

X has never been installed on this box, .. why now?

        Lee


Re: Slightly OT, .. 5.5 Nagios

Philip Guenther-2
On Mon, Sep 28, 2015 at 1:31 PM, L. V. Lammert <[hidden email]> wrote:
> Trying to upgrade our 5.4 Nagios system to 5.5, .. everything went fine
> with the system, but it appears that there are some new dependencies for
> the web UI:
...
> X has never been installed on this box, .. why now?

http://www.openbsd.org/faq/faq4.html#FilesNeededX


Re: Slightly OT, .. 5.5 Nagios

L. V. Lammert
On Mon, 28 Sep 2015, Philip Guenther wrote:

> On Mon, Sep 28, 2015 at 1:31 PM, L. V. Lammert <[hidden email]> wrote:
> > Trying to upgrade our 5.4 Nagios system to 5.5, .. everything went fine
> > with the system, but it appears that there are some new dependencies for
> > the web UI:
> ...
> > X has never been installed on this box, .. why now?
>
> http://www.openbsd.org/faq/faq4.html#FilesNeededX
>
Of course, .. the question was about Nagios [hence the slightly OT].

        Lee


Re: Slightly OT, .. 5.5 Nagios

Stuart Henderson
In reply to this post by Philip Guenther-2
On 2015-09-28, Philip Guenther <[hidden email]> wrote:

> On Mon, Sep 28, 2015 at 1:31 PM, L. V. Lammert <[hidden email]> wrote:
>> Trying to upgrade our 5.4 Nagios system to 5.5, .. everything went fine
>> with the system, but it appears that there are some new dependencies for
>> the web UI:
> ...
>> X has never been installed on this box, .. why now?
>
> http://www.openbsd.org/faq/faq4.html#FilesNeededX
>
>

Also note: if this is on a 32-bit machine (e.g. i386), the time_t
change breaks things with nagios and icinga. Fixed for icinga in
the OpenBSD 5.7 package (patches in 200+ places for this) but nagios
is comparatively unloved. ;)

If you're running amd64 then this issue won't affect you.
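As an added illustration of the breakage Stuart refers to (this is example code, not from the thread and not from the nagios or icinga packages): OpenBSD 5.5 made time_t 64 bits on every platform, but on i386 `int` and `long` are still 32 bits, so any code that stores a time_t in them or prints it with `%ld` silently truncates the value, and anything that then formats or logs that time gets garbage. The example uses `int32_t` to stand in for i386's `long` so the effect shows on a 64-bit host too; the timestamp is constructed.

```c
/*
 * Added example, not code from the thread or from nagios/icinga: the
 * class of bug behind the "time_t change breaks things" remark. OpenBSD
 * 5.5 made time_t 64 bits on every platform, but on i386 'int' and
 * 'long' are still 32 bits, so any code that stores a time_t in them or
 * prints it with "%ld" silently truncates the value. int32_t stands in
 * for i386's 'long' below so the effect is visible on a 64-bit host.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed timestamp just past the 32-bit boundary: 2^31 + 86400,
 * one day after 2038-01-19 03:14:08 UTC. */
static const time_t SAMPLE_FUTURE = (time_t)2147483648LL + 86400;

/* The bug pattern: a time_t stored in a 32-bit integer (i386 'long').
 * Conversion of an out-of-range value is implementation-defined; gcc and
 * clang wrap modulo 2^32, which is what bites on i386. */
static int32_t store_in_32bit_long(time_t t)
{
    int32_t l = (int32_t)t;
    return l;
}

/* Audit helper: does this time_t survive a round-trip through 32 bits? */
static int fits_in_32bit(time_t t)
{
    return t >= INT32_MIN && t <= INT32_MAX;
}

/* Portable formatting: widen to long long and use %lld instead of
 * casting to long and using %ld. Returns a static buffer. */
static const char *epoch_string(time_t t)
{
    static char buf[32];
    snprintf(buf, sizeof buf, "%lld", (long long)t);
    return buf;
}

/* Year (UTC) of a timestamp, or -1 if gmtime() rejects the value. */
static int year_of(time_t t)
{
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

int main(void)
{
    time_t truncated = (time_t)store_in_32bit_long(SAMPLE_FUTURE);

    printf("64-bit time_t  : %s -> year %d\n",
           epoch_string(SAMPLE_FUTURE), year_of(SAMPLE_FUTURE));
    printf("via 32-bit long: %s -> year %d\n",
           epoch_string(truncated), year_of(truncated));
    printf("fits in 32 bits: %s\n", fits_in_32bit(SAMPLE_FUTURE) ? "yes" : "no");
    return 0;
}
```

Run as-is it prints the 2038 timestamp once correctly and once after the truncation, where it lands in 1901; that is the shape of the "displays or logs times" failures mentioned later in the thread, and `fits_in_32bit()` is the kind of range check to add at the boundaries of code that still uses `long` for times.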


Re: Slightly OT, .. 5.5 Nagios

L. V. Lammert
On Tue, 29 Sep 2015, Stuart Henderson wrote:

> Also note: if this is on a 32-bit machine (e.g. i386), the time_t
> change breaks things with nagios and icinga. Fixed for icinga in
> the OpenBSD 5.7 package (patches in 200+ places for this) but nagios
> is comparatively unloved. ;)
>
Interesting, .. so, the nagios package is broken? Removing and
reinstalling after upgrading to 5.5 DNW on i386?

In this case, the nagios 4.0.1 chroot does run, but it does exhibit some
weird symptoms:

 * It will not start daemonized - it can only be started in the foreground
   and detached;

Thanks!
        Lee


Re: Slightly OT, .. 5.5 Nagios

Stuart Henderson
On 2015/09/28 19:34, L. V. Lammert wrote:

> On Tue, 29 Sep 2015, Stuart Henderson wrote:
>
> > Also note: if this is on a 32-bit machine (e.g. i386), the time_t
> > change breaks things with nagios and icinga. Fixed for icinga in
> > the OpenBSD 5.7 package (patches in 200+ places for this) but nagios
> > is comparatively unloved. ;)
> >
> Interesting, .. so, the nagios package is broken? Removing and
> reinstalling after upgrading to 5.5 DNW on i386?
>
> In this case, the nagios 4.0.1 chroot does run, but it does exhibit some
> weird symptoms:
>
>  * It will not start daemonized - it can only be started in the foreground
>    and detached;
>
> Thanks!
> Lee

Yes. I'm not sure which exact symptoms you'll run into, but anything that
displays or logs times is fairly likely to crash.

The simplest path to getting things working again properly on i386 is
probably to upgrade to 5.7 and switch to icinga, it uses the same config
format and the pkg-readme file has advice on migrating.


Re: X security claims in FAQ considering Xorg setuid root binary (was: Slightly OT, .. 5.5 Nagios)

Tim Kuijsten-3
In reply to this post by Philip Guenther-2
On 28-09-15 at 23:29 Philip Guenther wrote:
> On Mon, Sep 28, 2015 at 1:31 PM, L. V. Lammert <[hidden email]> wrote:
> ...
>> X has never been installed on this box, .. why now?
>
> http://www.openbsd.org/faq/faq4.html#FilesNeededX
>

From the FAQ:
"By itself, installing X on a system does not change the risk of
external security issues."

I might be misinterpreting "external" here, but considering some files
from the X sets[1], wouldn't the following be more accurate: "Installing
X adds one setuid root binary and some setgid non-root binaries on a
system, but apart from that does not change the risk of external
security issues."?

[1] from xbase57.tgz and xserv57.tgz:
-rwsr-xr-x  1 root  wheel  2651992 Aug 12 15:28 /usr/X11R6/bin/Xorg
-rwxr-sr-x  1 root  auth   2970888 Mar  7  2015 /usr/X11R6/bin/xlock
-rwxr-sr-x  1 root  utmp    594648 Aug 12 15:24 /usr/X11R6/bin/xterm


Re: X security claims in FAQ considering Xorg setuid root binary (was: Slightly OT, .. 5.5 Nagios)

Ted Unangst-6
Tim Kuijsten wrote:

> On 28-09-15 at 23:29 Philip Guenther wrote:
> > On Mon, Sep 28, 2015 at 1:31 PM, L. V. Lammert <[hidden email]> wrote:
> > ...
> >> X has never been installed on this box, .. why now?
> >
> > http://www.openbsd.org/faq/faq4.html#FilesNeededX
> >
>
> From the FAQ:
> "By itself, installing X on a system does not change the risk of
> external security issues."
>
> I might be misinterpreting "external" here, but considering some files
> from the X sets[1], wouldn't the following be more accurate: "Installing
> X adds one setuid root binary and some setgid non-root binaries on a
> system, but apart from that does not change the risk of external
> security issues."?

those are local security issues.


Re: X security claims in FAQ considering Xorg setuid root binary (was: Slightly OT, .. 5.5 Nagios)

Theo de Raadt
In reply to this post by Tim Kuijsten-3
> On 28-09-15 at 23:29 Philip Guenther wrote:
> > On Mon, Sep 28, 2015 at 1:31 PM, L. V. Lammert <[hidden email]> wrote:
> > ...
> >> X has never been installed on this box, .. why now?
> >
> > http://www.openbsd.org/faq/faq4.html#FilesNeededX
> >
>
> From the FAQ:
> "By itself, installing X on a system does not change the risk of
> external security issues."
>
> I might be misinterpreting "external" here, but considering some files
> from the X sets[1], wouldn't the following be more accurate: "Installing
> X adds one setuid root binary and some setgid non-root binaries on a
> system, but apart from that does not change the risk of external
> security issues."?
>
> [1] from xbase57.tgz and xserv57.tgz:
> -rwsr-xr-x  1 root  wheel  2651992 Aug 12 15:28 /usr/X11R6/bin/Xorg
> -rwxr-sr-x  1 root  auth   2970888 Mar  7  2015 /usr/X11R6/bin/xlock
> -rwxr-sr-x  1 root  utmp    594648 Aug 12 15:24 /usr/X11R6/bin/xterm

External means connections from the outside.  Since nothing from the X
set will be running, there is no risk.

As to your list, the setuid binary is privsep, and the other two are
privdrop.  They were refactored in OpenBSD specifically to reduce risk.

I think your text is a bit short.  Maybe you could write up 10-20
paragraphs.  Then the document will become even more unwieldy, and
no one will read it.

/sarc

In all seriousness, I think the statement made in the FAQ is short,
true, and satisfactory for 99.9% of usage cases.  Extending this with
concepts people must judge using outdated mindsets, will push more
towards avoiding X set installs, and then lead to far greater problems
with use of packages.  This needs to be balanced.

We don't need to make narrow claims that other systems avoid.

So in summary, leave the text alone.  It is doing the best it can do.
The world is not perfect.  We could make it more perfect by removing
X support from 500 packages....

/sarc