Everyone can issue commands on Service and Host - posible bug in nagios
Morris, Patrick
patrick.morris at hp.com
Thu Apr 13 16:18:35 CEST 2006
You've authorized everyone for everything:
authorized_for_all_services=*
authorized_for_all_hosts=*
-----Original Message-----
From: nagios-users-admin at lists.sourceforge.net
[mailto:nagios-users-admin at lists.sourceforge.net] On Behalf Of Jan
Tomasek
Sent: Thursday, April 13, 2006 4:01 AM
To: nagios-users at lists.sourceforge.net
Subject: [Nagios-users] Everyone can issue commands on Service and Host
- posible bug in nagios
Hi,
I'm running Nagios version 2.2 and I discovered that permisions are not
correctly evaluated at host and service groups by CGI interface.
I have defined:
define contactgroup {
contactgroup_name radius2.zcu.cz
alias radius2.zcu.cz
members cizek, petrovic
}
define contactgroup {
contactgroup_name radius.zcu.cz
alias radius.zcu.cz
members cizek, petrovic
}
define host {
use generic-host
host_name radius.zcu.cz
alias radius.zcu.cz
address 147.228.52.13
check_command host-is-alive
max_check_attempts 10
notification_interval 120
notification_period 24x7
notification_options d,r
notifications_enabled 0
contact_groups radius.zcu.cz
}
define host {
use generic-host
host_name radius2.zcu.cz
alias radius2.zcu.cz
address 147.228.52.23
check_command host-is-alive
max_check_attempts 10
notification_interval 120
notification_period 24x7
notification_options d,r
notifications_enabled 0
contact_groups radius2.zcu.cz
}
define host {
use generic-host
host_name aggregated.zcu.cz
alias aggregated.zcu.cz
address 127.0.0.1
check_command host-is-alive
max_check_attempts 10
notification_interval 120
notification_period 24x7
notification_options d,r
contact_groups radius.zcu.cz,radius2.zcu.cz
}
define service {
use ping-service
host_name radius.zcu.cz
service_description PING
contact_groups radius.zcu.cz
check_command check_ping!100.0,20%!500.0,60%
}
.
.
.
define hostgroup {
hostgroup_name zcu.cz
alias Everyone at zcu.cz
members radius.zcu.cz, radius2.zcu.cz, aggregated.zcu.cz
}
Every host have defined buch services but I show only one here. In
cgi.cfg I've:
main_config_file=/usr/local/nagios/etc/nagios.cfg
physical_html_path=/usr/local/nagios/share
url_html_path=/nagios
show_context_help=0
use_authentication=1
authorized_for_system_information=semiks,adamec,polish
authorized_for_configuration_information=semiks,adamec,polish
authorized_for_system_commands=semiks
authorized_for_all_services=*
authorized_for_all_hosts=*
default_statusmap_layout=5
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90
I expect that on hostgroup zcu.cz can only users cizek, petrovic issue
comands. But sadly other users can also disable/enable checks,
notification... It looks like command authorization for hostgroups and
servicegroups is not working properly. Authorization for hosts and
services alone is working correctly.
Can I provide some more information to developers to get this fixed? At
this moment I put authorized=FALSE; to:
case CMD_ENABLE_HOSTGROUP_SVC_NOTIFICATIONS:
case CMD_DISABLE_HOSTGROUP_SVC_NOTIFICATIONS:
case CMD_ENABLE_HOSTGROUP_HOST_NOTIFICATIONS:
case CMD_DISABLE_HOSTGROUP_HOST_NOTIFICATIONS:
case CMD_ENABLE_HOSTGROUP_SVC_CHECKS:
case CMD_DISABLE_HOSTGROUP_SVC_CHECKS:
case CMD_SCHEDULE_HOSTGROUP_HOST_DOWNTIME:
case CMD_SCHEDULE_HOSTGROUP_SVC_DOWNTIME:
case CMD_ENABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
case CMD_DISABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
case CMD_ENABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
case CMD_DISABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
case CMD_ENABLE_SERVICEGROUP_SVC_CHECKS:
case CMD_DISABLE_SERVICEGROUP_SVC_CHECKS:
case CMD_SCHEDULE_SERVICEGROUP_HOST_DOWNTIME:
case CMD_SCHEDULE_SERVICEGROUP_SVC_DOWNTIME:
in function commit_command_data() in cgi/cmd.c but that is not fix. That
is ughly hack which disable this functions for everyone.
Thanks for any posible help.
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list