another question
Andreas Ericsson
ae at op5.se
Tue Jan 4 18:03:25 CET 2005
Joe Pruett wrote:
>>Yes, the difference is that files created by the webserver aren't group
>>nagioscmd and the webserver doesn't default to the nagioscmd group which
>>has implications beyond nagios if you're running other web apps on the
>>same machine.
>
>
> anything running under the web server will have the permissions of
> nagioscmd. so any php, ssi, cgi will have those perms and be able to
> write to the nagios.cmd pipe. my setup will allow any web process to
> invoke cmd.cgi which seems like a lesser exposure.
>
>
>>I don't know what you believe the issue to be with the current
>>authentication system but IMHO, it's very simple and flexible as is and
>>works across a wide range of webservers with no special requirements
>>other than .htaccess support. .htaccess supports a wide range of
>>authentication mechanisms allowing for the administrator to choose the
>>auth mechanism that suits their environment best (PAM, LDAP, etc). Any
>>coded auth system is going to be much more limited.
>
>
> if nagios had its own auth mechanism, then cmd.cgi could verify that info
> and thereby eliminate the ability for random people to submit commands to
> nagios via any of the methods i mention above. this all assumes a server
> that runs other applications. if you have a dedicated nagios box, then
> things aren't as complicated. also if you had a builtin auth mechanism,
> you could timeout sessions, control which functions various people can do
> (now that is just done by matching the web username to the nagios contact
> name), and eventually you'd be able to easily add/change/remove access via
> the web interface. i assume that long term nagios will have the ability
> to add/change/remove objects via the web as well so all of this would tie
> nicely together.
>
Feel free to start hacking. If you do it in a secure and clean manner
I'm sure Ethan will include at least parts of it in the upcoming PHP gui.
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Lead Developer
-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
More information about the Developers
mailing list