How to limit access to external command
Dennis Hünseler
dennis at huenseler.net
Fri Oct 12 10:53:10 CEST 2007
Hi Luca,
this part of your cgi.cfg should normaly control the use of the external
commands
> authorized_for_all_host_commands=nagiosadmin,web
> authorized_for_all_service_commands=nagiosadmin,web
This means that with your actual config the user nagiosadmin and the user
web should be allowed to set an external command like discribed in the
default cgi.cfg
<snip-->
# GLOBAL HOST/SERVICE COMMAND ACCESS
# These two options are comma-delimited lists of all usernames that
# can issue host or service related commands via the command
# CGI (cmd.cgi) for all hosts and services that are being monitored.
# By default, users can only issue commands for hosts or services
# that they are contacts for (unless you you choose to not use
# authorization). You may use an asterisk (*) to authorize any
# user who has authenticated to the web server.
<snip--/>
kind regards
Dennis
> Hi all,
> i have enabled the external command and all work fine. now i wanto to
> limit the execution of external commands trought web interface to only
> few users but i don't know how can i do.
>
> I have 2 "users":
> - web: this is the admin, it work great no problem with this user(is
> only an apache user)
> - LucaGmail : this is the user that access the nagios web interface
> and i want to limit, it can view only the service and host associated
> to it (this is good) and can execute external commands (this is not
> good); (LucaGmail is a "contact" for nagios and an apache user).
>
> How can i limit the execution of external command?
>
> below you can see some configuration of my installation:
>
> in cgi.cfg
>
> I set "use_authentication" to 1
>
> default_user_name=nagiosadmin
> authorized_for_system_information=nagiosadmin,theboss,jdoe,web
> authorized_for_system_commands=nagiosadmin,web
> authorized_for_configuration_information=nagiosadmin,jdoe,web
> authorized_for_all_services=nagiosadmin,guest,web
> authorized_for_all_hosts=nagiosadmin,guest,web
> authorized_for_all_host_commands=nagiosadmin,web
> authorized_for_all_service_commands=nagiosadmin,web
>
> and in the htpasswd.user there are 2 users:
> web
> LucaGmail
>
> in the httpd.conf
>
> ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
> <Directory "/usr/local/nagios/sbin">
> Options ExecCGI FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> AuthName "Nagios Access"
> AuthType Basic
> AuthUserFile /usr/local/nagios/etc/htpasswd.users
> Require valid-user
> </Directory>
>
> an ls -la of "rw" directory give me:
>
> drwxrws--- 2 nagios nagcmd 4096 Oct 11 16:10 .
> drwxrwxr-x 5 nagios nagcmd 4096 Oct 12 10:19 ..
> prw-rw---- 1 nagios nagcmd 0 Oct 11 17:32 nagios.cmd
>
> in the nagcmd group there are these users:
> -apache (webserver user)
> -nagios
>
>
> sorry for my english... if you need more info ask without problem
>
> Thank you
> bye
> Luca
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
>
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list