From: Sebastian Harl Date: Thu, 24 Jan 2013 14:51:26 +0000 (+0100) Subject: pnp4nagios-bin: Don't use world-readable permissions for process_perfdata.cfg. X-Git-Tag: v_0_6_19-1~3 X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=bccfaa1137ee987c762ed293ae738510fe54f72e;hp=38290cab6a81e47d6bf694ebb1553658e67536ac;p=pkg-pnp4nagios.git pnp4nagios-bin: Don't use world-readable permissions for process_perfdata.cfg. This would allow local users to read the Gearman shared key; thanks to Christoph Anton Mitterer for reporting this! Fixes CVE-2012-3457 Closes: #683879 --- diff --git a/debian/changelog b/debian/changelog index dc262ce..c009762 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,11 @@ pnp4nagios (0.6.19-1) UNRELEASED; urgency=low * debian/nagios.cfg: - Unified whitespacing; thanks to Christoph Anton Mitterer for the patch (Closes: #683471). + * debian/pnp4nagios-bin.postinst: + - Don't use world-readable permissions for process_perfdata.cfg as this + would allow local users to read the Gearman shared key; thanks to + Christoph Anton Mitterer for reporting this; fixes CVE-2012-3457 + (Closes: #683879). -- Sebastian Harl Thu, 24 Jan 2013 14:50:27 +0100 diff --git a/debian/pnp4nagios-bin.postinst b/debian/pnp4nagios-bin.postinst index d3bc340..56a23ba 100644 --- a/debian/pnp4nagios-bin.postinst +++ b/debian/pnp4nagios-bin.postinst @@ -45,6 +45,8 @@ case "$1" in setperm nagios nagios 770 /var/spool/pnp4nagios/nagios setperm nagios nagios 770 /var/spool/pnp4nagios/npcd + setperm root nagios 640 /etc/pnp4nagios/process_perfdata.cfg + if [ -d /etc/nagios3/conf.d/ ]; then if [ ! -e /etc/nagios3/conf.d/pnp4nagios.cfg ]; then ln -s /etc/pnp4nagios/nagios.cfg /etc/nagios3/conf.d/pnp4nagios.cfg
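Review bot: In the debian/changelog hunk, the new entry under debian/pnp4nagios-bin.postinst documents the permission change but gives administrators of existing installations no guidance. The commit message says local users could read the Gearman shared key, and tightening the mode does not change a key that was already readable. Consider extending the entry, or adding a NEWS.Debian item, recommending that the shared key in process_perfdata.cfg be replaced after upgrading.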
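Review bot: In the debian/pnp4nagios-bin.postinst hunk, the added `setperm root nagios 640 /etc/pnp4nagios/process_perfdata.cfg` only takes effect when the postinst runs, so the file keeps whatever mode it was unpacked with between unpack and configure. If the package still ships the file world-readable, also set mode 640 at build time so there is no window. The definition of setperm is not visible in this hunk, so please confirm that it respects an existing local override and does not loosen a stricter mode an administrator has already applied, and that it behaves sensibly if the file has been removed. A one-line comment above the call explaining that the file holds the Gearman shared key would help keep the mode from being relaxed later.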