pnp4nagios-bin: Don't use world-readable permissions for process_perfdata.cfg.
author Sebastian Harl <sh@teamix.net>
Thu, 24 Jan 2013 14:51:26 +0000 (15:51 +0100)
committer Sebastian Harl <sh@teamix.net>
Thu, 24 Jan 2013 14:51:26 +0000 (15:51 +0100)
This would allow local users to read the Gearman shared key; thanks to
Christoph Anton Mitterer for reporting this!
Fixes CVE-2012-3457
Closes: #683879
debian/changelog
debian/pnp4nagios-bin.postinst

index dc262ceb3e016556146adff6ee84ef8662167bd2..c0097626476ece8637cd17fa6b64b69dc41cabcd 100644 (file)
@@ -25,6 +25,11 @@ pnp4nagios (0.6.19-1) UNRELEASED; urgency=low
   * debian/nagios.cfg:
     - Unified whitespacing; thanks to Christoph Anton Mitterer for the patch
       (Closes: #683471).
+  * debian/pnp4nagios-bin.postinst:
+    - Don't use world-readable permissions for process_perfdata.cfg as this
+      would allow local users to read the Gearman shared key; thanks to
+      Christoph Anton Mitterer for reporting this; fixes CVE-2012-3457
+      (Closes: #683879).
 
  -- Sebastian Harl <tokkee@debian.org>  Thu, 24 Jan 2013 14:50:27 +0100
 
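Review bot: The new entry records a CVE fix under a stanza whose header still reads "urgency=low" (the @@ context line for 0.6.19-1 UNRELEASED); consider raising the urgency before upload so the fix is treated as a security update. The entry also covers only the permission change: on systems where process_perfdata.cfg was already world-readable, the Gearman shared key may have been read before the upgrade, so a line here or in NEWS advising administrators to replace the key would complete the documentation.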
index d3bc3404f0f3b10e03188dfe10e95fa234947f5a..56a23bae9536af63b95f5751cbe6a81674761220 100644 (file)
@@ -45,6 +45,8 @@ case "$1" in
                setperm nagios nagios   770 /var/spool/pnp4nagios/nagios
                setperm nagios nagios   770 /var/spool/pnp4nagios/npcd
 
+               setperm root nagios     640 /etc/pnp4nagios/process_perfdata.cfg
+
                if [ -d /etc/nagios3/conf.d/ ]; then
                        if [ ! -e /etc/nagios3/conf.d/pnp4nagios.cfg ]; then
                                ln -s /etc/pnp4nagios/nagios.cfg /etc/nagios3/conf.d/pnp4nagios.cfg
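Review bot: The added "setperm root nagios 640 /etc/pnp4nagios/process_perfdata.cfg" tightens the mode only when the postinst configure branch runs, so the file keeps whatever mode the package ships it with between unpack and configure; shipping it with mode 640 in the package itself, in addition to this line, would close that window. Two smaller points on the same line: the definition of setperm is outside this hunk, so it is worth confirming that it tolerates a missing file (an administrator may have removed the config file) and that it does not overwrite permissions an administrator has deliberately set; and group nagios with mode 640 assumes every process that reads this file runs as root or in group nagios, which deserves a short comment above the line.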