From 7ca8c3ec2f5b5c7c65e2c8d11b01c2f5d99af955 Mon Sep 17 00:00:00 2001 From: Michael Friedrich Date: Fri, 4 Jan 2019 15:29:25 +0100 Subject: [PATCH 1/2] Impersonate as Icinga user, not root This requires write permissions for - etc/features-* - etc/*.conf - var/{lib,cache}/icinga2/* Typically permissions are handled by prepare-dirs, or the respective CLI commands are run as root either way. fixes #4947 --- lib/cli/apisetupcommand.cpp | 2 +- lib/cli/featuredisablecommand.cpp | 2 +- lib/cli/featureenablecommand.cpp | 2 +- lib/cli/nodesetupcommand.cpp | 2 +- lib/cli/nodewizardcommand.cpp | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/cli/apisetupcommand.cpp b/lib/cli/apisetupcommand.cpp
index d68aeedd5..fcfb9c8cd 100644
--- a/lib/cli/apisetupcommand.cpp
+++ b/lib/cli/apisetupcommand.cpp
@@ -24,7 +24,7 @@ String ApiSetupCommand::GetShortDescription() const
 ImpersonationLevel ApiSetupCommand::GetImpersonationLevel() const
 {
- return ImpersonateRoot;
+ return ImpersonateIcinga;
 }
 int ApiSetupCommand::GetMaxArguments() const
diff --git a/lib/cli/featuredisablecommand.cpp b/lib/cli/featuredisablecommand.cpp
index df8e35062..95a4a26d7 100644
--- a/lib/cli/featuredisablecommand.cpp
+++ b/lib/cli/featuredisablecommand.cpp
@@ -36,7 +36,7 @@ int FeatureDisableCommand::GetMaxArguments() const
 ImpersonationLevel FeatureDisableCommand::GetImpersonationLevel() const
 {
- return ImpersonateRoot;
+ return ImpersonateIcinga;
 }
 /**
diff --git a/lib/cli/featureenablecommand.cpp b/lib/cli/featureenablecommand.cpp
index 7426e56ca..0cf906648 100644
--- a/lib/cli/featureenablecommand.cpp
+++ b/lib/cli/featureenablecommand.cpp
@@ -36,7 +36,7 @@ int FeatureEnableCommand::GetMaxArguments() const
 ImpersonationLevel FeatureEnableCommand::GetImpersonationLevel() const
 {
- return ImpersonateRoot;
+ return ImpersonateIcinga;
 }
 /**
diff --git a/lib/cli/nodesetupcommand.cpp b/lib/cli/nodesetupcommand.cpp
index e250b19b8..cd588a95c 100644
--- a/lib/cli/nodesetupcommand.cpp
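Review bot: The five `GetImpersonationLevel()` overrides (this one in `apisetupcommand.cpp` and the matching hunks in `featuredisablecommand.cpp`, `featureenablecommand.cpp`, `nodesetupcommand.cpp` and `nodewizardcommand.cpp`) now return `ImpersonateIcinga`, yet nothing in the code records the precondition that the commit message spells out. Each would benefit from a short comment such as `// Runs as the Icinga user: needs write access to etc/features-*, etc/*.conf and var/{lib,cache}/icinga2 (normally set up by prepare-dirs).` Dropping root here is a sound least-privilege step, but it makes the service account's write access to its own configuration and state a security-relevant invariant, so the ownership and modes of those paths deserve the same review as the code. How a failed privilege drop or an unwritable target is reported is not visible in these hunks; presumably that is handled where the impersonation level is consumed, which is worth confirming.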
+++ b/lib/cli/nodesetupcommand.cpp
@@ -71,7 +71,7 @@ std::vector NodeSetupCommand::GetArgumentSuggestions(const String& argum
 ImpersonationLevel NodeSetupCommand::GetImpersonationLevel() const
 {
- return ImpersonateRoot;
+ return ImpersonateIcinga;
 }
 /**
diff --git a/lib/cli/nodewizardcommand.cpp b/lib/cli/nodewizardcommand.cpp
index bb48bfc75..3a6719ae6 100644
--- a/lib/cli/nodewizardcommand.cpp
+++ b/lib/cli/nodewizardcommand.cpp
@@ -37,7 +37,7 @@ String NodeWizardCommand::GetShortDescription() const
 ImpersonationLevel NodeWizardCommand::GetImpersonationLevel() const
 {
- return ImpersonateRoot;
+ return ImpersonateIcinga;
 }
 int NodeWizardCommand::GetMaxArguments() const
From 7174dcd2652fe9493bddacd7d10ee1f9e3b2f993 Mon Sep 17 00:00:00 2001 From: Michael Friedrich Date: Wed, 3 Apr 2019 09:51:35 +0200 Subject: [PATCH 2/2] Upgrading docs: Mention CLI commands --- doc/16-upgrading-icinga-2.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/doc/16-upgrading-icinga-2.md b/doc/16-upgrading-icinga-2.md
index 222f3c341..5853f8fc1 100644
--- a/doc/16-upgrading-icinga-2.md
+++ b/doc/16-upgrading-icinga-2.md
@@ -67,6 +67,23 @@ The [IdoMysqlConnection](09-object-types.md#objecttype-idomysqlconnection) and [ objects provide a new attribute named `last_failover` which shows the last failover timestamp. This value also is available in the [ido](10-icinga-template-library.md#itl-icinga-ido) CheckCommand output. + +### CLI Commands + +CLI commands such as `api setup`, `node wizard/setup`, `feature enable/disable/list` +required root permissions previously. Since the file permissions allow +the Icinga user to change things already, and users kept asking to +run Icinga on their own webspace without root permissions, this is now possible +with 2.11. + +If you are running the commands with a different user than the +compiled `ICINGA_USER` and `ICINGA_GROUP` CMake settings (`icinga` everywhere, +except Debian with `nagios` for historical reasons`), ensure that this +user has the capabilities to change to a different user. + +If you still encounter problems, run the aforementioned CLI commands as root, +or with sudo. + ## Upgrading to v2.10 ### Path Constant Changes