Everyone can issue commands on Service and Host - possible bug in nagios

Jan Tomasek jan at tomasek.cz
Thu Apr 13 13:00:34 CEST 2006


Hi,

I'm running Nagios version 2.2 and I discovered that permissions are not
correctly evaluated for host and service groups by the CGI interface.

I have defined:

define contactgroup {
  contactgroup_name       radius2.zcu.cz
  alias                   radius2.zcu.cz
  members                 cizek, petrovic
}

define contactgroup {
  contactgroup_name       radius.zcu.cz
  alias                   radius.zcu.cz
  members                 cizek, petrovic
}

define host {
  use                     generic-host
  host_name               radius.zcu.cz
  alias                   radius.zcu.cz
  address                 147.228.52.13
  check_command           host-is-alive
  max_check_attempts      10
  notification_interval   120
  notification_period     24x7
  notification_options    d,r
  notifications_enabled   0
  contact_groups          radius.zcu.cz
}

define host {
  use                     generic-host
  host_name               radius2.zcu.cz
  alias                   radius2.zcu.cz
  address                 147.228.52.23
  check_command           host-is-alive
  max_check_attempts      10
  notification_interval   120
  notification_period     24x7
  notification_options    d,r
  notifications_enabled   0
  contact_groups          radius2.zcu.cz
}

define host {
  use                     generic-host
  host_name               aggregated.zcu.cz
  alias                   aggregated.zcu.cz
  address                 127.0.0.1
  check_command           host-is-alive
  max_check_attempts      10
  notification_interval   120
  notification_period     24x7
  notification_options    d,r
  contact_groups          radius.zcu.cz,radius2.zcu.cz
}

define service {
  use                             ping-service
  host_name                       radius.zcu.cz
  service_description             PING
  contact_groups                  radius.zcu.cz
  check_command                   check_ping!100.0,20%!500.0,60%
}

.
.
.

define hostgroup {
  hostgroup_name  zcu.cz
  alias           Everyone at zcu.cz
  members         radius.zcu.cz, radius2.zcu.cz, aggregated.zcu.cz
}

Every host has a bunch of services defined, but I show only one here. In
cgi.cfg I have:

main_config_file=/usr/local/nagios/etc/nagios.cfg
physical_html_path=/usr/local/nagios/share
url_html_path=/nagios
show_context_help=0
use_authentication=1
authorized_for_system_information=semiks,adamec,polish
authorized_for_configuration_information=semiks,adamec,polish
authorized_for_system_commands=semiks
authorized_for_all_services=*
authorized_for_all_hosts=*
default_statusmap_layout=5
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90

I expect that on hostgroup zcu.cz only the users cizek and petrovic can
issue commands. But sadly other users can also disable/enable checks,
notifications... It looks like command authorization for hostgroups and
servicegroups is not working properly. Authorization for hosts and
services alone is working correctly.

Can I provide some more information to the developers to get this fixed? At
the moment I have put authorized=FALSE; in:

	case CMD_ENABLE_HOSTGROUP_SVC_NOTIFICATIONS:
	case CMD_DISABLE_HOSTGROUP_SVC_NOTIFICATIONS:
	case CMD_ENABLE_HOSTGROUP_HOST_NOTIFICATIONS:
	case CMD_DISABLE_HOSTGROUP_HOST_NOTIFICATIONS:
	case CMD_ENABLE_HOSTGROUP_SVC_CHECKS:
	case CMD_DISABLE_HOSTGROUP_SVC_CHECKS:
	case CMD_SCHEDULE_HOSTGROUP_HOST_DOWNTIME:
	case CMD_SCHEDULE_HOSTGROUP_SVC_DOWNTIME:
	case CMD_ENABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
	case CMD_DISABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
	case CMD_ENABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
	case CMD_DISABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
	case CMD_ENABLE_SERVICEGROUP_SVC_CHECKS:
	case CMD_DISABLE_SERVICEGROUP_SVC_CHECKS:
	case CMD_SCHEDULE_SERVICEGROUP_HOST_DOWNTIME:
	case CMD_SCHEDULE_SERVICEGROUP_SVC_DOWNTIME:

in the function commit_command_data() in cgi/cmd.c, but that is not a fix.
That is an ugly hack which disables these functions for everyone.

Thanks for any possible help.
-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
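The check the poster is asking for, as an added example that is not the Nagios 2.2 code and not part of the original message: a hostgroup command (for instance CMD_DISABLE_HOSTGROUP_SVC_CHECKS) should only be committed if the requesting user would be allowed to issue the same command against every member host. The object configuration from the post is reduced to small constant arrays; the treatment of authorized_for_system_commands as a global override and the behaviour for an empty group (refused) are assumptions made for this example, and the function names are illustrative, not the cgiauth.c API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the object definitions in the post.
 * Nagios keeps linked lists of objects; NULL-terminated arrays are used
 * here to keep the example self-contained. */
#define MAX_MEMBERS 8

struct contactgroup {
    const char *name;
    const char *members[MAX_MEMBERS];        /* contact names, NULL-terminated */
};

struct host {
    const char *name;
    const char *contact_groups[MAX_MEMBERS]; /* contactgroup names, NULL-terminated */
};

struct hostgroup {
    const char *name;
    const struct host *members[MAX_MEMBERS]; /* member hosts, NULL-terminated */
};

static const struct contactgroup contactgroups[] = {
    { "radius2.zcu.cz", { "cizek", "petrovic", NULL } },
    { "radius.zcu.cz",  { "cizek", "petrovic", NULL } },
};

static const struct host hosts[] = {
    { "radius.zcu.cz",     { "radius.zcu.cz", NULL } },
    { "radius2.zcu.cz",    { "radius2.zcu.cz", NULL } },
    { "aggregated.zcu.cz", { "radius.zcu.cz", "radius2.zcu.cz", NULL } },
};

static const struct hostgroup zcu_group = {
    "zcu.cz", { &hosts[0], &hosts[1], &hosts[2], NULL }
};

/* From cgi.cfg in the post. authorized_for_all_hosts=* only grants viewing;
 * it is deliberately not consulted for commands here. Treating
 * authorized_for_system_commands as a command override is an assumption
 * of this example. */
static const char *authorized_for_system_commands[] = { "semiks", NULL };

static bool in_list(const char *needle, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcmp(needle, *list) == 0)
            return true;
    return false;
}

static const struct contactgroup *find_contactgroup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof contactgroups / sizeof contactgroups[0]; i++)
        if (strcmp(contactgroups[i].name, name) == 0)
            return &contactgroups[i];
    return NULL;
}

/* Per-host command authorization, modelled on the behaviour the poster
 * reports as working: the user must be a contact for the host (via one of
 * its contact groups) or hold the system-commands override. */
bool is_authorized_for_host_commands(const char *user, const struct host *h)
{
    const char *const *cg;

    if (in_list(user, authorized_for_system_commands))
        return true;
    for (cg = h->contact_groups; *cg != NULL; cg++) {
        const struct contactgroup *g = find_contactgroup(*cg);
        if (g != NULL && in_list(user, g->members))
            return true;
    }
    return false;
}

/* The missing group-level check: refuse the hostgroup command unless the
 * user is authorized for EVERY member host. An empty group is refused
 * (fail closed) rather than silently allowed. */
bool is_authorized_for_hostgroup_commands(const char *user, const struct hostgroup *hg)
{
    const struct host *const *m = hg->members;

    if (*m == NULL)
        return false;
    for (; *m != NULL; m++)
        if (!is_authorized_for_host_commands(user, *m))
            return false;
    return true;
}

int main(void)
{
    const char *users[] = { "cizek", "petrovic", "adamec", "semiks" };
    size_t i;

    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-9s commands on hostgroup %s: %s\n", users[i], zcu_group.name,
               is_authorized_for_hostgroup_commands(users[i], &zcu_group)
                   ? "allowed" : "denied");
    return 0;
}
```

With the configuration from the post, cizek and petrovic pass the group check, adamec (listed only for system and configuration information) is refused, and the same per-host loop would apply unchanged to the servicegroup commands by iterating the member services instead of hosts.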