"Cannot open log file '/var/log/nagios3/nagios.log' for reading" error from nagios web UI when view alert history etc.

Bug #1690380 reported by Jeremy Green on 2017-05-12
This bug affects 2 people
Affects: nagios3 (Ubuntu), status tracked in Artful

Trusty: importance High, assigned to Marc Deslauriers
Xenial: importance High, assigned to Marc Deslauriers
Yakkety: importance High, assigned to Marc Deslauriers
Zesty: importance High, assigned to Marc Deslauriers
Artful: importance High, assigned to Marc Deslauriers

Bug Description

Ubuntu 16.04.2 LTS
nagios3 and nagios3-cgi 3.5.1.dfsg-2.1ubuntu1.1

If you install the nagios3 package and then view the Alert History, Notification History or Events pages (and maybe others), e.g.:

http://localhost/cgi-bin/nagios3/history.cgi?host=localhost

Then you get the following error in place of the information that should be there:

Error: Cannot open log file '/var/log/nagios3/nagios.log' for reading!

This issue:

https://github.com/NagiosEnterprises/nagioscore/issues/303

...suggests that this is caused by the fix for CVE-2016-9566:

https://github.com/NagiosEnterprises/nagioscore/commit/ff22fd0de4938781edcbd48512d2494ca3c9c41a

...which has been back ported to 3.5.1.dfsg-2.1ubuntu1.1 according to:

https://launchpad.net/ubuntu/xenial/+source/nagios3/+changelog

The permissions and ownership of nagios.log are:

$ ls -l /var/log/nagios3/nagios.log
-rw------- 1 nagios adm 189 May 12 13:45 /var/log/nagios3/nagios.log


Jeremy Green (jgreen210) on 2017-05-12
description: updated
ChristianEhrhardt (paelzer) wrote :

Subscribing ubuntu-security to evaluate if this is really a regression-update bug due to CVEs.

tags: added: regression-update
ChristianEhrhardt (paelzer) wrote :

I can at least confirm that I see the "fail to open" when just installing and opening the history as outlined in the report - yet I never use nagios so this might be normal (don't think so)?

For now setting to confirmed and letting the security team, which knows what was changed, review.

Changed in nagios3 (Ubuntu):
status: New → Confirmed
Jeremy Green (jgreen210) wrote :

If you manually alter permissions (which isn't a persistent solution due to log rotation):

sudo chmod go+r /var/log/nagios3/nagios.log

Then you can see things like this:

[2017-05-15 14:31:10] Nagios 3.5.1 starting... (PID=2141)

...here:

http://localhost/cgi-bin/nagios3/history.cgi?host=localhost&service=Current+Load

More usefully, you would be able to see when nagios checks fail etc. here too. I.e. this bug means it's only possible to see the current status using the nagios-cgi UI, not any history.

Jeremy Green (jgreen210) wrote :

This describes how this was fixed in nagios 4.3.0 upstream:

https://github.com/NagiosEnterprises/nagioscore/issues/303#issuecomment-305149033

Nish Aravamudan (nacc) wrote :

Hi Jeremy,

I don't think there was any intention that this bug would be fixed by that upload?

---

For reference, the upstream changes basically switched permissions to 0644 via:

https://github.com/NagiosEnterprises/nagioscore/commit/7af89e5886192dfbbb28317ed2e4883ee92e13e0
https://github.com/NagiosEnterprises/nagioscore/commit/d2481ed02e2ab64f83b6e9a43a65c74e791d343e

Given that the prior nagios3 upload (ubuntu1.1) came through security, we will want to backport through the same pockets. I'll ping Marc on IRC.

Nish Aravamudan (nacc) on 2017-06-02
Changed in nagios3 (Ubuntu):
status: Confirmed → Triaged
Jeremy Green (jgreen210) wrote :

That's right. I should have been more clear in my last comment (or have stayed silent). I wanted to point out that while 3.5.1.dfsg-2.1ubuntu1.2's changelog claims to "Fix permissions", it's fixing something entirely different to this issue.

Changed in nagios3 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nagios3 (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nagios3 (Ubuntu Yakkety):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nagios3 (Ubuntu Zesty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nagios3 (Ubuntu Artful):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nagios3 (Ubuntu Trusty):
status: New → In Progress
Changed in nagios3 (Ubuntu Xenial):
status: New → In Progress
Changed in nagios3 (Ubuntu Yakkety):
status: New → In Progress
Changed in nagios3 (Ubuntu Zesty):
status: New → In Progress
Changed in nagios3 (Ubuntu Artful):
status: Triaged → In Progress
Changed in nagios3 (Ubuntu Trusty):
importance: Undecided → High
Changed in nagios3 (Ubuntu Xenial):
importance: Undecided → High
Changed in nagios3 (Ubuntu Yakkety):
importance: Undecided → High
Changed in nagios3 (Ubuntu Zesty):
importance: Undecided → High
Changed in nagios3 (Ubuntu Artful):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

I have uploaded packages fixing this regression to the security team's PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I'd appreciate it if someone could test them and verify they resolve the issue for them.

I'll publish them as a security regression fix once they have been tested successfully and have gone through QA.

Thanks!

Jeremy Green (jgreen210) wrote :

I can confirm that upgrading from 3.5.1.dfsg-2.1ubuntu1.1 to 3.5.1.dfsg-2.1ubuntu1.3 (from ppa:ubuntu-security-proposed/ppa) fixes this issue on xenial.

Installing ppa:ubuntu-security-proposed/ppa's 3.5.1.dfsg-2.1ubuntu1.3 on xenial without a previous nagios3 installed is OK too.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the test! :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu5.2

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu5.2) zesty-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:28:33 -0400

Changed in nagios3 (Ubuntu Zesty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu1.3

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu1.3) xenial-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:32:56 -0400

Changed in nagios3 (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu3.3

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu3.3) yakkety-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:32:05 -0400

Changed in nagios3 (Ubuntu Yakkety):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1-1ubuntu1.3

---------------
nagios3 (3.5.1-1ubuntu1.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:33:27 -0400

Changed in nagios3 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu7

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu7) artful; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.

 -- Marc Deslauriers <email address hidden> Wed, 07 Jun 2017 12:48:05 -0400

Changed in nagios3 (Ubuntu Artful):
status: In Progress → Fix Released
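
The changelog entries above pair a mode change in base/logging.c with a postinst step that fixes the existing log file. This added example (not code from nagios3 or the Ubuntu patch) shows why both are needed, assuming the log is opened with open(2) and a creation mode: that mode is ignored when the file already exists. The scratch path, the umask of 022 and the function names are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the log for appending (create_mode applies only if the file is new),
 * close it again and return the file's permission bits, or -1 on error. */
static int mode_after_open(const char *path, mode_t create_mode)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, create_mode);
    if (fd < 0) return -1;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Replays the upgrade on a scratch file. out[0]: mode after a 0600 create,
 * out[1]: after reopening with 0644, out[2]: after an explicit chmod. */
int simulate_upgrade(int out[3])
{
    char dir[] = "/tmp/nagios-log-demo-XXXXXX"; /* constructed scratch dir */
    char path[64];
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/nagios.log", dir);
    umask(022);                             /* assumed daemon umask */
    out[0] = mode_after_open(path, 0600);   /* restrictive create */
    out[1] = mode_after_open(path, 0644);   /* relaxed request, existing file */
    if (chmod(path, 0644) != 0 || stat(path, &st) != 0) return -1;
    out[2] = (int)(st.st_mode & 0777);      /* after the postinst-style chmod */
    unlink(path);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int m[3];
    if (simulate_upgrade(m) != 0) return 1;
    printf("create 0600: %o, reopen 0644: %o, chmod: %o\n", m[0], m[1], m[2]);
    return 0;
}
```

The same reasoning applies to the manual chmod workaround mentioned earlier in the thread: a file created fresh after log rotation gets whatever mode the creating code requests, not the mode of the file it replaced.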