Everyone can issue commands on Service and Host - possible bug in nagios

Morris, Patrick patrick.morris at hp.com
Thu Apr 13 16:18:35 CEST 2006


You've authorized everyone for everything:

authorized_for_all_services=*
authorized_for_all_hosts=*

-----Original Message-----
From: nagios-users-admin at lists.sourceforge.net
[mailto:nagios-users-admin at lists.sourceforge.net] On Behalf Of Jan
Tomasek
Sent: Thursday, April 13, 2006 4:01 AM
To: nagios-users at lists.sourceforge.net
Subject: [Nagios-users] Everyone can issue commands on Service and Host
- possible bug in nagios

Hi,

I'm running Nagios version 2.2 and I discovered that permissions are not
correctly evaluated for host and service groups by the CGI interface.

I have defined:

define contactgroup {
  contactgroup_name       radius2.zcu.cz
  alias                   radius2.zcu.cz
  members                 cizek, petrovic
}

define contactgroup {
  contactgroup_name       radius.zcu.cz
  alias                   radius.zcu.cz
  members                 cizek, petrovic
}

define host {
  use                     generic-host
  host_name               radius.zcu.cz
  alias                   radius.zcu.cz
  address                 147.228.52.13
  check_command           host-is-alive
  max_check_attempts      10
  notification_interval   120
  notification_period     24x7
  notification_options    d,r
  notifications_enabled   0
  contact_groups          radius.zcu.cz
}

define host {
  use                     generic-host
  host_name               radius2.zcu.cz
  alias                   radius2.zcu.cz
  address                 147.228.52.23
  check_command           host-is-alive
  max_check_attempts      10
  notification_interval   120
  notification_period     24x7
  notification_options    d,r
  notifications_enabled   0
  contact_groups          radius2.zcu.cz
}

define host {
  use                     generic-host
  host_name               aggregated.zcu.cz
  alias                   aggregated.zcu.cz
  address                 127.0.0.1
  check_command           host-is-alive
  max_check_attempts      10
  notification_interval   120
  notification_period     24x7
  notification_options    d,r
  contact_groups          radius.zcu.cz,radius2.zcu.cz
}

define service {
  use                             ping-service
  host_name                       radius.zcu.cz
  service_description             PING
  contact_groups                  radius.zcu.cz
  check_command                   check_ping!100.0,20%!500.0,60%
}

.
.
.

define hostgroup {
  hostgroup_name  zcu.cz
  alias           Everyone at zcu.cz
  members         radius.zcu.cz, radius2.zcu.cz, aggregated.zcu.cz
}

Every host has a bunch of services defined, but I show only one here. In
cgi.cfg I have:

main_config_file=/usr/local/nagios/etc/nagios.cfg
physical_html_path=/usr/local/nagios/share
url_html_path=/nagios
show_context_help=0
use_authentication=1
authorized_for_system_information=semiks,adamec,polish
authorized_for_configuration_information=semiks,adamec,polish
authorized_for_system_commands=semiks
authorized_for_all_services=*
authorized_for_all_hosts=*
default_statusmap_layout=5
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90

I expect that only users cizek and petrovic can issue commands on
hostgroup zcu.cz. But sadly other users can also disable/enable checks,
notifications... It looks like command authorization for hostgroups and
servicegroups is not working properly. Authorization for hosts and
services alone is working correctly.

Can I provide some more information to developers to get this fixed? At
the moment I have put authorized=FALSE; into:

	case CMD_ENABLE_HOSTGROUP_SVC_NOTIFICATIONS:
	case CMD_DISABLE_HOSTGROUP_SVC_NOTIFICATIONS:
	case CMD_ENABLE_HOSTGROUP_HOST_NOTIFICATIONS:
	case CMD_DISABLE_HOSTGROUP_HOST_NOTIFICATIONS:
	case CMD_ENABLE_HOSTGROUP_SVC_CHECKS:
	case CMD_DISABLE_HOSTGROUP_SVC_CHECKS:
	case CMD_SCHEDULE_HOSTGROUP_HOST_DOWNTIME:
	case CMD_SCHEDULE_HOSTGROUP_SVC_DOWNTIME:
	case CMD_ENABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
	case CMD_DISABLE_SERVICEGROUP_SVC_NOTIFICATIONS:
	case CMD_ENABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
	case CMD_DISABLE_SERVICEGROUP_HOST_NOTIFICATIONS:
	case CMD_ENABLE_SERVICEGROUP_SVC_CHECKS:
	case CMD_DISABLE_SERVICEGROUP_SVC_CHECKS:
	case CMD_SCHEDULE_SERVICEGROUP_HOST_DOWNTIME:
	case CMD_SCHEDULE_SERVICEGROUP_SVC_DOWNTIME:

in function commit_command_data() in cgi/cmd.c, but that is not a fix. That
is an ugly hack which disables these functions for everyone.

Thanks for any possible help.
-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
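
An audit of the two things this thread compares, as an added example (not code from the thread or from Nagios): it flags authorized_for_* directives in cgi.cfg whose value is `*`, and lists the users the object definitions name as contacts for a hostgroup. The sample input is constructed from the configuration quoted above; treating "contact of every member host" as the expected set of users is an assumption of this example, not a statement of how the CGIs evaluate it.

```python
import re

# Constructed sample, abridged from the thread's config (one contact group, two hosts).
CGI_CFG = """\
authorized_for_system_commands=semiks
authorized_for_all_services=*
authorized_for_all_hosts=*
"""
OBJECTS_CFG = """\
define contactgroup {
  contactgroup_name  radius.zcu.cz
  members            cizek, petrovic
}
define host {
  host_name          radius.zcu.cz
  contact_groups     radius.zcu.cz
}
define host {
  host_name          radius2.zcu.cz
  contact_groups     radius.zcu.cz
}
define hostgroup {
  hostgroup_name     zcu.cz
  members            radius.zcu.cz, radius2.zcu.cz
}
"""

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def wildcard_directives(cgi_text):
    """Names of authorized_for_* directives in cgi.cfg whose user list contains '*'."""
    pairs = [l.split("=", 1) for l in cgi_text.splitlines() if re.match(r"\s*authorized_for_\w+=", l)]
    return sorted(k.strip() for k, v in pairs if "*" in split_list(v))

def parse_objects(text):
    """Index 'define <type> { ... }' blocks as {type: {name: attrs}}."""
    objs = {}
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        attrs = dict(line.split(None, 1) for line in body.strip().splitlines())
        objs.setdefault(kind, {})[attrs[kind + "_name"]] = attrs
    return objs

def hostgroup_contacts(objs, group):
    """Users who are contacts (via contact_groups) for every member host of the hostgroup."""
    per_host = [
        {u for cg in split_list(objs["host"][h]["contact_groups"])
           for u in split_list(objs["contactgroup"][cg]["members"])}
        for h in split_list(objs["hostgroup"][group]["members"])]
    return sorted(set.intersection(*per_host))
```

Any directive returned by wildcard_directives() applies to every authenticated user, so it is the first thing to compare against the short list from hostgroup_contacts().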