Sorry, but you are not authorized to commit the specified...

[ians]

Hello,

I have been getting started with Nagios and finding it to very helpful, but I am having an issue with executing some commands. When I try to acknowledge an alert, view process information, or change notifications (for example), all while logged in to the Nagios web interface as nagiosadmin, I get a message which says:

Sorry, but you are not authorized to commit the specified command.
Read the section of the documentation that deals with authentication and authorization in the CGIs for more information.

I have looked in the documentation, and found some additional information online, but so far have been unable to resolve my issue.

Here's what I have for authorizations in cgi.cfg:

Code: Select all

authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin

The permissions for the cgi programs also appear to be set generously:

Code: Select all

-rwxrwxr-x 1 nagios nagcmd 254680 2011-05-24 10:13 avail.cgi
-rwxrwxr-x 1 nagios nagcmd 251224 2011-05-24 10:13 cmd.cgi
-rwxrwxr-x 1 nagios nagcmd 221816 2011-05-24 10:13 config.cgi
-rwxrwxr-x 1 nagios nagcmd 266904 2011-05-24 10:13 extinfo.cgi
-rwxrwxr-x 1 nagios nagcmd 217912 2011-05-24 10:13 histogram.cgi
-rwxrwxr-x 1 nagios nagcmd 193208 2011-05-24 10:13 history.cgi
-rwxrwxr-x 1 nagios nagcmd 193176 2011-05-24 10:13 notifications.cgi
-rwxrwxr-x 1 nagios nagcmd 184952 2011-05-24 10:13 outages.cgi
-rwxrwxr-x 1 nagios nagcmd 189336 2011-05-24 10:13 showlog.cgi
-rwxrwxr-x 1 nagios nagcmd 258744 2011-05-24 10:13 status.cgi
-rwxrwxr-x 1 nagios nagcmd 213880 2011-05-24 10:13 statusmap.cgi
-rwxrwxr-x 1 nagios nagcmd 209624 2011-05-24 10:13 statuswml.cgi
-rwxrwxr-x 1 nagios nagcmd 193176 2011-05-24 10:13 statuswrl.cgi
-rwxrwxr-x 1 nagios nagcmd 217816 2011-05-24 10:13 summary.cgi
-rwxrwxr-x 1 nagios nagcmd 205528 2011-05-24 10:13 tac.cgi
-rwxrwxr-x 1 nagios nagcmd 222008 2011-05-24 10:13 trends.cgi

Here is the relevant section of the apache config file for nagios:

Code: Select all

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>

I have verified that the www-data user (which runs the apache process) is a member of the nagios and nagcmd groups. I do not see anything in the apache access or error logs or the nagios.log relating to a permission error.

At this point I'm feeling stumped. Any suggestions?

[jsmurphy]

I've seen this before when I did (and absent mindedly botched) an install on an OpenSuSE 11.1 box and it turned out to be a file permissions issue.

Is nagcmd your command group or your nagios group? for arguments sake we'll say nagios should be the user, nagiosgroup is the nagios group and nagcmd is the command group. Your permissions for the CGI's should be nagios nagiosgroup not nagcmd.

[ians]

Thank you for the reply. I remembered that the group had initially been the nagios group and I had changed it to nagcmd at some point in the troubleshooting process. I switched it back and things are somewhat better. I can now see the process information, but I was not able to turn notifications on and off for services (I got the same error saying that I did not have the permission).

I may be able to live with it at this point. Thank you for your help!

[SDohmen]

We have the same problem with the debian installs we use. After some googling around i found the fix for this:

Code: Select all

/etc/init.d/nagios3 stop 
dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw 
dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3 
/etc/init.d/nagios3 start

It should be adaptable for other installations aswell.

[ians]

Thank you for the suggestion, but it did not seem to resolve the issue for me. I just saw the permission error again when trying to schedule downtime for a host.

[jsmurphy]

SDohmen was sort of on the money, but try checking that the /usr/local/nagios/var/rw folder (and sub files) belongs to nagios:nagcmd user and group respectively that should hopefully solve your issue.

It should look pretty much like this in terms of permissions:
ls -l /usr/local/nagios/var/
drwxrwxr-x 2 nagios nagiosgroup 20480 Jan 20 00:00 archives
-rw-r--r-- 1 nagios nagiosgroup 6 Jan 20 07:00 nagios.lock
-rw-rw-rw- 1 nagios nagiosgroup 903605 Jan 20 09:29 nagios.log
srwxr-xr-x 1 nagios nagiosgroup 0 Nov 17 14:45 ndo.sock
-rw-r--r-- 1 nagios nagiosgroup 0 Jan 12 2011 ndo2db.debug
-rw-r--r-- 1 nagios nagiosgroup 5 Nov 17 14:45 ndo2db.lock
-rw-rw-r-- 1 nagios nagiosgroup 0 Jan 20 07:00 ndomod.tmp
-rw-r--r-- 1 nagios nagiosgroup 5598587 Jan 20 07:00 objects.cache
-rw------- 1 nagios nagiosgroup 9214115 Jan 20 09:00 retention.dat
drwxrwsr-x 2 nagios nagcmd 4096 Jan 20 07:00 rw
drwxrwxr-x 3 nagios nagiosgroup 4096 Apr 22 2010 spool
-rw-rw-r-- 1 nagios nagiosgroup 9201752 Jan 20 09:34 status.dat

ls -l /usr/local/nagios/var/rw/
total 0
prw-rw---- 1 nagios nagcmd 0 Jan 20 07:00 nagios.cmd

[ians]

I had high hopes for this one when I saw that the group for the rw directory was www-data. I recursively set it to nagcmd and restarted Nagios, but still no luck. When I try to schedule downtime I still see the message saying that I am not authorized to commit the specified command.

[jsmurphy]

Make sure that the apache user is a member of both the nagios group and the nagcmd group in /etc/group... if that isn't the issue I'm really not too sure what else can cause that message other than permissions

[mguthrie]

If apache runs as the www-data user you'll need to add that user to the nagcmd group, and make sure groups have RWX permissions for that directory.

[ians]

I verified that the www-data user is a member of both groups:

Code: Select all

cat /etc/group | grep www-data
www-data:x:33:nagios
nagios:x:1001:www-data
nagcmd:x:1002:nagios,www-data

I also verified that permissions seem to be set correctly on the directory and on the CGI files themselves:

Code: Select all

ls -l
total 24
drwxrwxr-x  2 nagios nagios 4096 2011-05-24 10:13 bin
drwxrwxr-x  4 nagios nagios 4096 2012-01-19 15:12 etc
drwxrwxr-x  2 nagios nagios 4096 2010-03-25 09:05 libexec
drwxrwxr-x  2 nagios nagios 4096 2011-05-24 10:13 sbin
drwxrwxr-x 10 nagios nagios 4096 2011-05-24 10:13 share
drwxrwxr-x  5 nagios nagios 4096 2012-01-23 10:15 var
cd sbin
ls -l
total 3464
-rwxrwxr-x 1 nagios nagios 254680 2011-05-24 10:13 avail.cgi
-rwxrwxr-x 1 nagios nagios 251224 2011-05-24 10:13 cmd.cgi
-rwxrwxr-x 1 nagios nagios 221816 2011-05-24 10:13 config.cgi
-rwxrwxr-x 1 nagios nagios 266904 2011-05-24 10:13 extinfo.cgi
-rwxrwxr-x 1 nagios nagios 217912 2011-05-24 10:13 histogram.cgi
-rwxrwxr-x 1 nagios nagios 193208 2011-05-24 10:13 history.cgi
-rwxrwxr-x 1 nagios nagios 193176 2011-05-24 10:13 notifications.cgi
-rwxrwxr-x 1 nagios nagios 184952 2011-05-24 10:13 outages.cgi
-rwxrwxr-x 1 nagios nagios 189336 2011-05-24 10:13 showlog.cgi
-rwxrwxr-x 1 nagios nagios 258744 2011-05-24 10:13 status.cgi
-rwxrwxr-x 1 nagios nagios 213880 2011-05-24 10:13 statusmap.cgi
-rwxrwxr-x 1 nagios nagios 209624 2011-05-24 10:13 statuswml.cgi
-rwxrwxr-x 1 nagios nagios 193176 2011-05-24 10:13 statuswrl.cgi
-rwxrwxr-x 1 nagios nagios 217816 2011-05-24 10:13 summary.cgi
-rwxrwxr-x 1 nagios nagios 205528 2011-05-24 10:13 tac.cgi
-rwxrwxr-x 1 nagios nagios 222008 2011-05-24 10:13 trends.cgi

I'm running out of ideas at this point. Any suggestions welcomed.