How limit external commands to no-admin users?

Ben Polson ben.polson at ehealth.com
Mon Mar 21 17:50:32 CET 2005 

I think I see the issue.  The apache is only protecting the webserver from
displaying content in the /usr/local/nagios/var/rw folder.  This
configuration has nothing to do with the execution of cgi's which call to
that folder outside of the apache server's controls.  To protect the
execution of cgi's, you need to protect the cgi folder:

    <Directory /usr/local/nagios/sbin>
        AllowOverride None
        Options None
        Order Allow,Deny
        Allow from 10.212.0.0/255.255.255.0
    </Directory>

Adjust the folder path above to reflect your cgi-bin directory.

-Ben.


-----Original Message-----
From: Marco Borsani [mailto:m.borsani at it.net]
Sent: Monday, March 21, 2005 12:33 AM
To: Ben Polson; nagios-users
Subject: R: [Nagios-users] How limit external commands to no-admin
users?


Nothing change...
I still can perform external commands

Marco

-}-----Messaggio originale-----
-}Da: nagios-users-admin at lists.sourceforge.net
-}[mailto:nagios-users-admin at lists.sourceforge.net]Per conto di Ben Polson
-}Inviato: venerdi 18 marzo 2005 18.08
-}A: nagios-users
-}Oggetto: RE: [Nagios-users] How limit external commands to no-admin
-}users?
-}
-}
-}Try:
-}
-}    <Directory /usr/local/nagios/var/rw>
-}        AllowOverride None
-}        Options None
-}        Order Allow,Deny
-}        Allow from 10.212.0.0/255.255.255.0
-}    </Directory>
-}
-}-Ben.
-}
-}
-}-----Original Message-----
-}From: nagios-users-admin at lists.sourceforge.net
-}[mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of Marco
-}Borsani
-}Sent: Friday, March 18, 2005 8:37 AM
-}To: nagios-users
-}Subject: R: [Nagios-users] How limit external commands to no-admin
-}users?
-}
-}
-}I try to limit all users connected from a specific network, with the
-}followinf lines inside the httpd.conf, but nothing happen!
-}
-}    <Directory /usr/local/nagios/var/rw>
-}        AllowOverride None
-}        Options None
-}        Order Deny,Allow
-}        Deny from all
-}        Allow from 10.212.0.0/255.255.255.0
-}    </Directory>
-}
-}Why these lines have not impact on my environment?
-}
-}Marco
-}
-}-}-----Messaggio originale-----
-}-}Da: nagios-users-admin at lists.sourceforge.net
-}-}[mailto:nagios-users-admin at lists.sourceforge.net]Per conto di Marco
-}-}Borsani
-}-}Inviato: giovedi 17 marzo 2005 11.33
-}-}A: nagios-users
-}-}Oggetto: [Nagios-users] How limit external commands to no-admin users?
-}-}
-}-}
-}-}
-}-}Hi all
-}-}
-}-}My environment is quite complex, specially regarding security policies.
-}-}
-}-}I would use external commands via CGI interface, but I can not
-}-}permit to ALL
-}-}nagios users.
-}-}
-}-}My httpd have been started from www (unix user); putting this
-}user in the
-}-}nagios group I permit to write the nagios.cmd file to everyone !
-}-}
-}-}I need to limit this "write access" only to a unix/apache user only.
-}-}
-}-}Is it possible? How?
-}-}
-}-}I try to modify httpd.conf file, but .... I do not know how !
-}-}
-}-}Thanks
-}-}Marco
-}-}
-}-}
-}-}
-}-}-------------------------------------------------------
-}-}SF email is sponsored by - The IT Product Guide
-}-}Read honest & candid reviews on hundreds of IT Products from real users.
-}-}Discover which products truly live up to the hype. Start reading now.
-}-}http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
-}-}_______________________________________________
-}-}Nagios-users mailing list
-}-}Nagios-users at lists.sourceforge.net
-}-}https://lists.sourceforge.net/lists/listinfo/nagios-users
-}-}::: Please include Nagios version, plugin version (-v) and OS
-}-}when reporting any issue.
-}-}::: Messages without supporting info will risk being sent to /dev/null
-}
-}
-}
-}-------------------------------------------------------
-}SF email is sponsored by - The IT Product Guide
-}Read honest & candid reviews on hundreds of IT Products from real users.
-}Discover which products truly live up to the hype. Start reading now.
-}http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
-}_______________________________________________
-}Nagios-users mailing list
-}Nagios-users at lists.sourceforge.net
-}https://lists.sourceforge.net/lists/listinfo/nagios-users
-}::: Please include Nagios version, plugin version (-v) and OS
-}when reporting
-}any issue.
-}::: Messages without supporting info will risk being sent to /dev/null
-}
-}
-}
-}
-}
-}-------------------------------------------------------
-}SF email is sponsored by - The IT Product Guide
-}Read honest & candid reviews on hundreds of IT Products from real users.
-}Discover which products truly live up to the hype. Start reading now.
-}http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
-}_______________________________________________
-}Nagios-users mailing list
-}Nagios-users at lists.sourceforge.net
-}https://lists.sourceforge.net/lists/listinfo/nagios-users
-}::: Please include Nagios version, plugin version (-v) and OS
-}when reporting any issue.
-}::: Messages without supporting info will risk being sent to /dev/null






-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

More information about the Users mailing list