"Cannot open log file '/var/log/nagios3/nagios.log' for reading" error from nagios web UI when view alert history etc.

Subscribing ubuntu-security to evaluate if this is really a regression-update bug due to CVEs.

I can at leas confirm that I see the "fail to open" when just installing and opening the history as outlined in the report - yet I never use nagios so this might be normal (don't think so)?

For now setting to confirmed and let the security Team which knows what was changed review.

If manually alter permissions (which isn't a persistent solution due to log rotation):

sudo chmod go+r /var/log/nagios3/nagios.log

Then can see things like this:

[2017-05-15 14:31:10] Nagios 3.5.1 starting... (PID=2141)

...here:

http://localhost/cgi-bin/nagios3/history.cgi?host=localhost&service=Current+Load

More usefully, you would be able to see when nagios checks fail etc. here too. I.e. this bug means it's only possible to see the current status using the nagios-cgi UI, not any history.

This describes how this was fixed in nagios 4.3.0 upstream:

https://github.com/NagiosEnterprises/nagioscore/issues/303#issuecomment-305149033

Not fixed by this:

https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu1.2

Hi Jeremy,

I don't think there was any intention that this bug would be fixed by that upload?

---

For reference, the upstream changes basically switched permissions to 0644 via:

https://github.com/NagiosEnterprises/nagioscore/commit/7af89e5886192dfbbb28317ed2e4883ee92e13e0
https://github.com/NagiosEnterprises/nagioscore/commit/d2481ed02e2ab64f83b6e9a43a65c74e791d343e

Given that the prior nagios3 upload (ubuntu1.1) came through security, we will want to backport through the same pockets. I'll ping Marc on IRC.

That's right. I should have been more clear in my last comment (or have stayed silent). I wanted to point out that while 3.5.1.dfsg-2.1ubuntu1.2's changelog claims to "Fix permissions", it's fixing something entirely different to this issue.

I have uploaded packages fixing this regression to the security team's PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I'd appreciate it if someone could test them and verify they resolve the issue for them.

I'll publish them as a security regression fix once they have been tested successfully and have gone through QA.

Thanks!

I can confirm that upgrading from 3.5.1.dfsg-2.1ubuntu1.1 to 3.5.1.dfsg-2.1ubuntu1.3 (from ppa:ubuntu-security-proposed/ppa) fixes this issue on xenial.

Installing ppa:ubuntu-security-proposed/ppa's 3.5.1.dfsg-2.1ubuntu1.3 on xenial without a previous nagios3 installed is OK too.

Thanks for the test! :)

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu5.2

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu5.2) zesty-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:28:33 -0400

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu1.3

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu1.3) xenial-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:32:56 -0400

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu3.3

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu3.3) yakkety-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:32:05 -0400

This bug was fixed in the package nagios3 - 3.5.1-1ubuntu1.3

---------------
nagios3 (3.5.1-1ubuntu1.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:33:27 -0400

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu7

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu7) artful; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.

 -- Marc Deslauriers <email address hidden> Wed, 07 Jun 2017 12:48:05 -0400