Hi,

One of our customers found a bug in the Nagios CGIs. It's easy to reproduce:

1. create a new user
2. give him authorized_for_all_services and authorized_for_all_hosts in your cgi.cfg

The contact should now be able to see all hosts and services but should not be allowed to submit any commands.

However, if the contact submits hostgroup or servicegroup commands, they are accepted and executed.

The attached patch fixes that behavior.

Regards,
Sven
--------------050709040301030104000401
Content-Type: text/x-patch;
name="0001-host_servicegroup_auth_fix.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="0001-host_servicegroup_auth_fix.patch"
Index: cgi/cmd.c
===================================================================
--- cgi/cmd.c (revision 1749)
+++ cgi/cmd.c (working copy)
@@ -1735,7 +1735,7 @@
/* see if the user is authorized to issue a command... */
temp_hostgroup=find_hostgroup(hostgroup_name);
- if(is_authorized_for_hostgroup(temp_hostgroup,¤t_authdata)==TRUE)
+ if(is_authorized_for_hostgroup_commands(temp_hostgroup,¤t_authdata)==TRUE)
authorized=TRUE;
/* clean up the comment data if scheduling downtime */
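Review bot: the second argument on both the removed and the added if line reads ¤t_authdata, which is &current_authdata with its leading "&curren" turned into a currency sign by the archive; restore &current_authdata before applying or compiling this hunk, and do the same in the servicegroup hunk that follows. Apart from that, the call site now asks the command-level question rather than the view-level one, which is what the report calls for.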
@@ -1776,7 +1776,7 @@
/* see if the user is authorized to issue a command... */
temp_servicegroup=find_servicegroup(servicegroup_name);
- if(is_authorized_for_servicegroup(temp_servicegroup,¤t_authdata)==TRUE)
+ if(is_authorized_for_servicegroup_commands(temp_servicegroup,¤t_authdata)==TRUE)
authorized=TRUE;
break;
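Review bot: the comment above the servicegroup check still says only "see if the user is authorized to issue a command", but with is_authorized_for_servicegroup_commands the test is all-or-nothing: per the helper added in cgi/cgiauth.c, a single service in the group without command rights refuses the whole group command. Stating that in the comment would explain the refusal for contacts who hold command rights on only part of a group.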
Index: cgi/cgiauth.c
===================================================================
--- cgi/cgiauth.c (revision 1749)
+++ cgi/cgiauth.c (working copy)
@@ -486,3 +486,39 @@
}
+/* check is the current user is authorized to issue commands relating to a particular servicegroup */
+int is_authorized_for_servicegroup_commands(servicegroup *sg, authdata *authinfo){
+ servicesmember *temp_servicesmember;
+ service *temp_service;
+
+ if(sg==NULL)
+ return FALSE;
+
+ /* see if user is authorized for all services commands in the servicegroup */
+ for(temp_servicesmember=sg->members;temp_servicesmember!=NULL;temp_servicesmember=temp_servicesmember->next){
+ temp_service=find_service(temp_servicesmember->host_name,temp_servicesmember->service_description);
+ if(is_authorized_for_service_commands(temp_service,authinfo)==FALSE)
+ return FALSE;
+ }
+
+ return TRUE;
+ }
+
+
+/* check is the current user is authorized to issue commands relating to a particular hostgroup */
+int is_authorized_for_hostgroup_commands(hostgroup *hg, authdata *authinfo){
+ hostsmember *temp_hostsmember;
+ host *temp_host;
+
+ if(hg==NULL)
+ return FALSE;
+
+ /* see if user is authorized for all hosts in the hostgroup */
+ for(temp_hostsmember=hg->members;temp_hostsmember!=NULL;temp_hostsmember=temp_hostsmember->next){
+ temp_host=find_host(temp_hostsmember->host_name);
+ if(is_authorized_for_host_commands(temp_host,authinfo)==FALSE)
+ return FALSE;
+ }
+
+ return TRUE;
+ }
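Review bot: in both loops the result of find_service() and find_host() is handed straight to is_authorized_for_service_commands() and is_authorized_for_host_commands() with no NULL check, so a group member that does not resolve is judged by however those functions treat NULL, which is not visible in this patch; an explicit if(temp_service==NULL) return FALSE; (and the same for temp_host) would make the check fail closed on its own. Two smaller points: a group whose members list is empty falls through to return TRUE, which deserves either a comment or an early return FALSE, and both function comments read "check is the current user" where "check if" is meant (the hostgroup loop comment also says "authorized for all hosts" rather than host commands).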
Index: include/cgiauth.h
===================================================================
--- include/cgiauth.h (revision 1749)
+++ include/cgiauth.h (working copy)
@@ -63,6 +63,9 @@
int is_authorized_for_hostgroup(hostgroup *,authdata *);
int is_authorized_for_servicegroup(servicegroup *,authdata *);
+int is_authorized_for_hostgroup_commands(hostgroup *,authdata *);
+int is_authorized_for_servicegroup_commands(servicegroup *,authdata *);
+
int is_authorized_for_configuration_information(authdata *);
int is_authorized_for_read_only(authdata *);
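Review bot: the two new prototypes differ from is_authorized_for_hostgroup and is_authorized_for_servicegroup only by the _commands suffix, and picking the wrong one at a call site is exactly the bug this patch fixes; a one-line comment above each pair in the header (view access versus permission to submit commands) would make the distinction hard to miss.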
--------------050709040301030104000401--
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]