Everyone can issue commands on Service and Host - possible bug in nagios
Jan Tomasek
jan at tomasek.cz
Thu Apr 13 13:00:34 CEST 2006
Hi,
I'm running Nagios version 2.2 and I discovered that permissions are not
correctly evaluated at host and service groups by the CGI interface.
I have defined:
define contactgroup {
        contactgroup_name       radius2.zcu.cz
        alias                   radius2.zcu.cz
        members                 cizek, petrovic
}

define contactgroup {
        contactgroup_name       radius.zcu.cz
        alias                   radius.zcu.cz
        members                 cizek, petrovic
}

define host {
        use                     generic-host
        host_name               radius.zcu.cz
        alias                   radius.zcu.cz
        address                 147.228.52.13
        check_command           host-is-alive
        max_check_attempts      10
        notification_interval   120
        notification_period     24x7
        notification_options    d,r
        notifications_enabled   0
        contact_groups          radius.zcu.cz
}

define host {
        use                     generic-host
        host_name               radius2.zcu.cz
        alias                   radius2.zcu.cz
        address                 147.228.52.23
        check_command           host-is-alive
        max_check_attempts      10
        notification_interval   120
        notification_period     24x7
        notification_options    d,r
        notifications_enabled   0
        contact_groups          radius2.zcu.cz
}

define host {
        use                     generic-host
        host_name               aggregated.zcu.cz
        alias                   aggregated.zcu.cz
        address                 127.0.0.1
        check_command           host-is-alive
        max_check_attempts      10
        notification_interval   120
        notification_period     24x7
        notification_options    d,r
        contact_groups          radius.zcu.cz,radius2.zcu.cz
}

define service {
        use                     ping-service
        host_name               radius.zcu.cz
        service_description     PING
        contact_groups          radius.zcu.cz
        check_command           check_ping!100.0,20%!500.0,60%
}
.
.
.
define hostgroup {
        hostgroup_name          zcu.cz
        alias                   Everyone at zcu.cz
        members                 radius.zcu.cz, radius2.zcu.cz, aggregated.zcu.cz
}
Every host has a bunch of services defined, but I show only one here. In
cgi.cfg I have:
main_config_file=/usr/local/nagios/etc/nagios.cfg
physical_html_path=/usr/local/nagios/share
url_html_path=/nagios
show_context_help=0
use_authentication=1
authorized_for_system_information=semiks,adamec,polish
authorized_for_configuration_information=semiks,adamec,polish
authorized_for_system_commands=semiks
authorized_for_all_services=*
authorized_for_all_hosts=*
default_statusmap_layout=5
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90
I expect that only users cizek and petrovic can issue commands on
hostgroup zcu.cz. But sadly other users can also disable/enable checks,
notification... It looks like command authorization for hostgroups and
servicegroups is not working properly. Authorization for hosts and
services alone is working correctly.
Can I provide some more information to developers to get this fixed? At
this moment I put authorized=FALSE; to:
case CMD_ENABLE_HOSTGROUP_SVC_NOTIFICATIONS:
case CMD_DISABLE_HOSTGROUP_SVC_NOTIFICATIONS:
case CMD_ENABLE_HOSTGROUP_HOST_NOTIFICATIONS:
case CMD_DISABLE_HOSTGROUP_HOST_NOTIFICATIONS:
case CMD_ENABLE_HOSTGROUP_SVC_CHECKS:
case CMD_DISABLE_HOSTGROUP_SVC_CHECKS:
case CMD_SCHEDULE_HOSTGROUP_HOST_DOWNTIME:
case CMD_SCHEDULE_HOSTGROUP_SVC_DOWNTIME:
case CMD_ENABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
case CMD_DISABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
case CMD_ENABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
case CMD_DISABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
case CMD_ENABLE_SERVICEGROUP_SVC_CHECKS:
case CMD_DISABLE_SERVICEGROUP_SVC_CHECKS:
case CMD_SCHEDULE_SERVICEGROUP_HOST_DOWNTIME:
case CMD_SCHEDULE_SERVICEGROUP_SVC_DOWNTIME:
in function commit_command_data() in cgi/cmd.c, but that is not a fix. That
is an ugly hack which disables these functions for everyone.
Thanks for any possible help.
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
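
The per-member check the post expects for hostgroup commands, as an added example that is not part of the original message and is not Nagios source code: a group-wide command is allowed only when the user is a contact for every host in the group. The struct, the function names and the data layout are hypothetical; host, hostgroup and user names are taken from the configuration above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the objects in the post; not Nagios data structures. */
struct host { const char *name; const char *contacts[4]; };

static const struct host hosts[] = {
    { "radius.zcu.cz",     { "cizek", "petrovic", NULL } },
    { "radius2.zcu.cz",    { "cizek", "petrovic", NULL } },
    { "aggregated.zcu.cz", { "cizek", "petrovic", NULL } },
};
static const char *hostgroup_zcu[] = {
    "radius.zcu.cz", "radius2.zcu.cz", "aggregated.zcu.cz", NULL };

/* 1 if user is a contact for the named host; an unknown host is denied. */
int is_contact_for_host(const char *user, const char *host_name) {
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        if (strcmp(hosts[i].name, host_name) != 0) continue;
        for (int c = 0; hosts[i].contacts[c]; c++)
            if (strcmp(hosts[i].contacts[c], user) == 0) return 1;
        return 0;
    }
    return 0;
}

/* A group command is allowed only if the user passes the per-host check
   for every member; a NULL user or an empty group is denied. */
int is_authorized_for_hostgroup_cmd(const char *user, const char **members) {
    if (!user || !members || !members[0]) return 0;
    for (int m = 0; members[m]; m++)
        if (!is_contact_for_host(user, members[m])) return 0;
    return 1;
}

int main(void) {
    const char *users[] = { "cizek", "petrovic", "adamec", "polish" };
    for (size_t i = 0; i < 4; i++)
        printf("%-9s -> %s\n", users[i],
               is_authorized_for_hostgroup_cmd(users[i], hostgroup_zcu)
                   ? "allow" : "deny");
    return 0;
}
```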