External Command File Permissions


Notes

These instructions assume that you've installed Nagios on a dedicated monitoring/admin box that doesn't contain normal user accounts (i.e. isn't a public machine). If you've installed Nagios on a public/multi-user machine, I would suggest setting more restrictive permissions on the external command file and using something like CGIWrap to run the CGIs as a specific user. Failing to do so may allow normal users to control Nagios through the external command file! I'm guessing you don't want that. More information on securing Nagios can be found here.

Introduction

One of the most common problems people have seems to be with setting proper permissions for the external command file. You need to set the proper permission on the /usr/local/nagios/var/rw directory (or whatever the path portion of the command_file directive in your main configuration file is set to). I'll show you how to do this. Note: You must be root in order to do some of these steps...

Users and Groups

First, find the user that your web server process is running as. On many systems this is the user nobody, although it will vary depending on what OS/distribution you are running. You'll also need to know what user Nagios is effectively running as - this is specified with the nagios_user variable in the main config file.

Next we're going to create a new group whose members include the user the web server is running as and the user Nagios is running as. Let's say we call this new group 'nagiocmd' (you can name it differently if you wish). On RedHat Linux you can use the following command to add a new group (other systems may differ):

/usr/sbin/groupadd nagiocmd

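Next, add the web server user (nobody or apache, etc) and the Nagios user (nagios) to the newly created group with the following commands. The -a option appends the group to each user's existing supplementary groups; without it, -G replaces the whole list and removes the user from any other groups it belonged to:

/usr/sbin/usermod -a -G nagiocmd nagios
/usr/sbin/usermod -a -G nagiocmd nobody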

Creating the directory

Next, create the directory where the command file should be stored. By default, this is /usr/local/nagios/var/rw, although it can be changed by modifying the path specified in the command_file directive.

mkdir /usr/local/nagios/var/rw

Setting directory permissions

Next, change the ownership of the directory that will be used to hold the command file...

chown nagios:nagiocmd /usr/local/nagios/var/rw

Make sure the Nagios user has full permissions on the directory...

chmod u+rwx /usr/local/nagios/var/rw

Make sure the group we created has full permissions on the directory.

chmod g+rwx /usr/local/nagios/var/rw

In order to force newly created files in the directory to inherit the group ownership of the directory, we need to enable the setgid bit (sometimes called the group sticky bit) on the directory...

chmod g+s /usr/local/nagios/var/rw

Verifying the permissions

Check the permissions on the rw/ subdirectory by running 'ls -al /usr/local/nagios/var'. You should see something similar to the following:

drwxrws---   2 nagios nagiocmd     1024 Aug 11 16:30 rw

Note that the user nagios is the owner of the directory and the group nagiocmd is the group owner of the directory. The nagios user has rwx permissions and group nagiocmd has rwx permissions on the directory (the group execute bit is displayed as 's' because the setgid bit is enabled). All other users have no access. That's what we want...
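
The same verification can be scripted so it can be re-run after upgrades or configuration changes. The following is an added example, not part of the Nagios distribution; it assumes GNU stat (stat -c) and the user, group and directory names used on this page, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the external command directory against the layout
# described above (drwxrws--- nagios nagiocmd). Function names are illustrative.

# Pure check on an octal mode plus owner/group. Prints each finding and
# returns 0 only when nothing is wrong.
audit_perms() {
    mode=$1; owner=$2; group=$3; want_owner=$4; want_group=$5
    rc=0
    # stat prints 770 for 0770, so pad to four digits: special,user,group,other
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}; other=${mode#???}
    ug=${mode#?}; ug=${ug%?}              # user and group digits
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, want $want_group"; rc=1; }
    [ "$ug" = 77 ] || { echo "user and group need rwx (mode $mode)"; rc=1; }
    [ "$other" = 0 ] || { echo "other users have access (mode $mode)"; rc=1; }
    case $special in
        2|3|6|7) ;;                       # setgid bit is set
        *) echo "setgid bit missing (mode $mode)"; rc=1 ;;
    esac
    return $rc
}

# Filesystem wrapper: check_cmd_dir DIR OWNER GROUP
check_cmd_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir is not a directory"; return 1; }
    audit_perms "$(stat -c %a "$dir")" "$(stat -c %U "$dir")" \
                "$(stat -c %G "$dir")" "$2" "$3"
}

# True when user $1 is listed as a member of group $2.
in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Run the audit when the page's default directory exists on this host.
CMD_DIR=/usr/local/nagios/var/rw
if [ -d "$CMD_DIR" ]; then
    check_cmd_dir "$CMD_DIR" nagios nagiocmd || echo "FAIL: fix $CMD_DIR"
    for u in nagios nobody; do
        in_group "$u" nagiocmd || echo "FAIL: $u is not in nagiocmd"
    done
fi
```

Substitute your own web server user for nobody. The membership check reads the accounts database, so it passes as soon as usermod has run, even if the running web server has not yet been restarted.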

Restart your web server

Once you set the proper permission on the directory containing the external command file, make sure to restart your web server. A running process keeps the group memberships it had when it was started, so if you fail to do this, Apache will not be able to write to the external command file, even though the user it runs as is a member of the nagiocmd group.

Additional notes...

If you supplied the --with-command-grp=somegroup option when running the configure script, you can create the directory to hold the command file and set the proper permissions automatically by running 'make install-commandmode'.