[Nagios-devel] Security bug or feature? Servicegroups



Post by Guest »

Hey list and fellow Nagios developers,

as you might have noticed, there's a discussion ongoing on oss-security[1]
regarding bug report #456[2].

I'm the one who discovered the described issue, and I still believe that
it's a bug with security implications, even though not everyone seems to
be convinced.

I'll try to give a brief description of the issue:

The Nagios status.cgi (at all 3.4* and 4.0* versions I checked) leaks
hostnames to unauthorized users as part of servicegroups. All of
servicegroup overview, summary and grid list each and every hostname that
is part of a servicegroup, regardless of whether the HTTP user is listed in
contacts/contactgroups for this host.

In my opinion this is a security issue - at least on multi-user (e.g.
multi-customer) Nagios-setups. I guess that most ISPs which give their
customers access to the Nagios CGIs don't want to provide a full list
of monitored hosts to their customers as a side-effect.

One reason for confusion is the following entry from Nagios3
changelog[3]:

3.4.0 - 05/04/2012
ENHANCEMENTS
[...]
- Users can now see hostgroups and servicegroups that contain at least
one host or service they are authorized for, instead of having to
be authorized for them all (Ethan Galstad)


The indisputable part of this change is, that users are allowed to see
hostgroups and servicegroups with at least one authorized host or
service. Unclear is, whether this means "group and all its group
members", or "group and only authorized group members".

Unfortunately, no Nagios developer has spoken up yet about this issue. Thus
there's still a lot of confusion about it.

You can find my patch at the Nagios Issue Tracker. This patch changes
status.cgi behaviour to show only group members (hosts/services) that
the user is authorized to see.

A comment about this issue by the Nagios Developers would be highly
appreciated. In case the described (and criticised) behaviour of
status.cgi is intended, the distribution security teams can move on.

If on the other hand you agree with me that this issue should be
fixed, I'll continue to work with the security teams in order to
provide patched Nagios packages for their distributions.

Thanks for your work on Nagios, it's a very valuable piece of software!

Kind regards,
jonas

[1] http://www.openwall.com/lists/oss-security/2013/06/26/6
[2] http://tracker.nagios.org/view.php?id=456
[3] http://www.nagios.org/projects/nagiosco ... ry/core-3x

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: jonas@freesources.org
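The two readings of the 3.4.0 changelog entry differ only in the listing step, so the difference is easy to show in code. The following C program is an added illustration and is not part of the post, of status.cgi, or of the patch on the tracker; the `member_t`/`servicegroup_t` structures, the contact list per host, the sample servicegroup "web-checks" and the user names are all constructed for this example. Both listings apply the same group-visibility rule (the user is a contact for at least one member); the "leaky" listing then prints every member's hostname, while the filtered listing prints only hostnames the user is a contact for, which is the multi-customer behaviour the post argues for.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_CONTACTS 4
#define MAX_MEMBERS  8

/* A servicegroup member: one service on one host, plus the contacts that
   are authorized for that host. Constructed for this illustration; these
   are not Nagios's own data structures. */
typedef struct {
    const char *host;
    const char *service;
    const char *contacts[MAX_CONTACTS];   /* NULL-terminated */
} member_t;

typedef struct {
    const char *name;
    int nmembers;
    member_t members[MAX_MEMBERS];
} servicegroup_t;

/* Constructed sample: one servicegroup spanning two customers' hosts.
   "alice" is a contact only for customer A's hosts, "bob" only for B's. */
const servicegroup_t SAMPLE_GROUP = {
    "web-checks", 3,
    {
        { "a-web01", "HTTP", { "alice", NULL } },
        { "a-web02", "HTTP", { "alice", NULL } },
        { "b-web01", "HTTP", { "bob",   NULL } },
    }
};

/* True if `user` is a contact for the member's host. */
bool is_authorized(const member_t *m, const char *user)
{
    for (int i = 0; i < MAX_CONTACTS && m->contacts[i] != NULL; i++)
        if (strcmp(m->contacts[i], user) == 0)
            return true;
    return false;
}

/* The 3.4.0 rule: the group is shown if the user is authorized for at
   least one member. Both listings below agree on this part. */
bool group_visible(const servicegroup_t *g, const char *user)
{
    for (int i = 0; i < g->nmembers; i++)
        if (is_authorized(&g->members[i], user))
            return true;
    return false;
}

/* Behaviour the post describes: once the group is visible, every member's
   hostname is listed. Returns the number of hostnames written to `out`. */
int list_members_leaky(const servicegroup_t *g, const char *user,
                       const char **out, int max)
{
    int n = 0;
    if (!group_visible(g, user))
        return 0;
    for (int i = 0; i < g->nmembers && n < max; i++)
        out[n++] = g->members[i].host;
    return n;
}

/* Behaviour the post argues for: list only the members the user is a
   contact for. Returns the number of hostnames written to `out`. */
int list_members_filtered(const servicegroup_t *g, const char *user,
                          const char **out, int max)
{
    int n = 0;
    if (!group_visible(g, user))
        return 0;
    for (int i = 0; i < g->nmembers && n < max; i++)
        if (is_authorized(&g->members[i], user))
            out[n++] = g->members[i].host;
    return n;
}

int main(void)
{
    const char *out[MAX_MEMBERS];
    int n = list_members_leaky(&SAMPLE_GROUP, "alice", out, MAX_MEMBERS);
    printf("leaky view for alice:    ");
    for (int i = 0; i < n; i++) printf("%s ", out[i]);
    printf("\n");
    n = list_members_filtered(&SAMPLE_GROUP, "alice", out, MAX_MEMBERS);
    printf("filtered view for alice: ");
    for (int i = 0; i < n; i++) printf("%s ", out[i]);
    printf("\n");
    return 0;
}
```

Run as is, the leaky view shows alice the hostname b-web01 that belongs to the other customer, while the filtered view shows only a-web01 and a-web02; a user who is a contact for no member of the group sees nothing in either view, because the group-visibility rule is unchanged. A quick check of a real installation is to log in to the CGIs as a contact for one host and compare the servicegroup overview, summary and grid against the hosts that contact is actually configured for.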