authentication & access limit

Marc Powell mpowell at ena.com
Sat Nov 15 16:18:58 CET 2003

	-----Original Message----- 
	From: Spyou [mailto:spyou at club-internet.fr] 
	Sent: Sat 11/15/2003 8:53 AM 
	To: nagios-users at lists.sourceforge.net 
	Cc: 
	Subject: [Nagios-users] authentication & access limit

	Hi, 


	I've been playing with Nagios (and netsaint before) for a while ... I have coded 
	some extra stuff, mainly some rrd interfaces to graph almost all the data 
	collected by nagios 

	I'd like to let customers access those graphs. The simplest way to link 
	nagios states to those graphs is to use the "service ext info" feature of 
	nagios. Each service that has an rrd graph now has a little button that 
	links to my cgis that display the graphs 

	those CGIs are called with a URL like 
	http://nagios.blabla.com/cgi-bin/mycgi.cgi?host=hostnameofthecustomer&service=servicename 

	Everything's fine ... but if a customer uses 
	"mycgi.cgi?host=mybox&service=httphealth" and changes the URL to 
	"mycgi.cgi?host=neighborshost&service=httphealth" he will access 
	information from another host that he's not supposed to be able to see 

	Has anyone an idea how to limit access in mycgi.cgi so that people can only see 
	hosts & services they are contacts for? (please note: I don't wanna parse 
	the whole nagios config to get this info :)

	--------

	You've just eliminated the only sure way to know if they're authorized for that host and service. If you wanted to be absolutely certain that the user was supposed to be able to see information for a specific host you need to know if they're associated with the host, and that information is going to be in the nagios config files. An alternative would be to store a simplified version of that information in a database for your scripts' use and just query that based on the value of HTTP_USER.

	If you have authentication properly set up and customers will always be getting to your custom cgi through extinfo.cgi or status.cgi, you can check to make sure that HTTP_REFERRER is one of those CGIs and deny or redirect everything else. If they attempt to modify the URL as above then the referrer will be blank. I believe that some browsers will let you control the value of HTTP_REFERRER, so an enterprising user could theoretically foil this thin skin of security.

	--

	Marc
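One way to implement the database-backed check suggested in the reply, as an added example that is not code from the original thread: the graph CGI looks the authenticated user up in a small table of (user, host, service) rows and serves a graph only when a matching row exists, while the referrer check is kept as an advisory hint rather than a gate. It assumes the web server exposes the authenticated user as REMOTE_USER (the standard CGI variable for what the reply calls HTTP_USER), and the table contents are constructed sample data.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for the "simplified version" of the
# contact information that would otherwise live in the nagios config files:
# one row per (authenticated user, host, service) the user is a contact for.
SAMPLE_ACL = [
    ("alice", "mybox", "httphealth"),
    ("alice", "mybox", "ping"),
    ("bob", "neighborshost", "httphealth"),
]

def build_acl_db():
    """In-memory SQLite table holding the ACL rows (a file DB in practice)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (user TEXT, host TEXT, service TEXT)")
    db.executemany("INSERT INTO acl VALUES (?, ?, ?)", SAMPLE_ACL)
    return db

def is_contact_for(db, user, host, service):
    """True only if an ACL row ties this user to this host/service pair."""
    row = db.execute(
        "SELECT 1 FROM acl WHERE user = ? AND host = ? AND service = ?",
        (user, host, service),
    ).fetchone()
    return row is not None

def referer_is_nagios_cgi(environ):
    """The referrer hint from the reply: the link normally comes from
    extinfo.cgi/status.cgi. Blank or forgeable, so advisory only."""
    path = urlparse(environ.get("HTTP_REFERER", "")).path
    return path.endswith(("/extinfo.cgi", "/status.cgi"))

def authorize_request(db, environ):
    """Decide whether the graph CGI may serve this request.

    environ is the CGI environment: REMOTE_USER is set by the web server
    after authentication and QUERY_STRING carries host= and service=.
    Returns (allowed, reason); the decision rests on the ACL table alone."""
    user = environ.get("REMOTE_USER")
    if not user:
        return False, "no authenticated user"
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    host = qs.get("host", [""])[0]
    service = qs.get("service", [""])[0]
    if not host or not service:
        return False, "missing host or service parameter"
    if is_contact_for(db, user, host, service):
        return True, "%s is a contact for %s/%s" % (user, host, service)
    return False, "%s is not a contact for %s/%s" % (user, host, service)
```

With the edited-URL case from the question, alice asking for neighborshost/httphealth is refused even though the request is otherwise well formed.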
