Users not authorized to use cgis are still able to use them.

jbowen7
Posts: 6
Joined: Thu Sep 26, 2013 1:36 am

Users not authorized to use cgis are still able to use them.

Post by jbowen7 »

Regarding each of the authorized_for_* parameters in nagios.cfg, I've only listed myself as being able to have full access to the CGIs; however, I'm logged in as another user right now and I've found that they too can issue external commands.

Anyone know what could be causing this behavior?

relevant variables:

use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: Users not authorized to use cgis are still able to use t

Post by slansing »

What did you do in the interface to produce this result? I'd like to try and reproduce it. Can the user change or view anything listed in the authorized_for_* list? What version of Nagios Core are you using?
jbowen7
Posts: 6
Joined: Thu Sep 26, 2013 1:36 am

Re: Users not authorized to use cgis are still able to use t

Post by jbowen7 »

Well, unfortunately I changed quite a few variables in my Nagios setup to really isolate the problem.
1) I moved a Nagios 2 installation from a CentOS machine to an Ubuntu machine
2) I upgraded to Nagios 3, which was in the repos
3) I ditched Apache for nginx

From the data I've gathered, I believe the issue is with nginx. I'm thinking that nginx is bypassing Nagios CGI authentication, but I'm still looking into how Nagios implements the CGI security. It's a good bet the problem is with nginx, though. I'll post my findings.

nginx.cnf:

server {
    listen      80;
    server_name myServer.com;
    ## redirect http to https ##
    rewrite     ^ https://$server_name$request_uri? permanent;
}

server {
    listen      443;
    server_name myServer.com;

    #SSL
    ssl on;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    access_log  /var/log/nginx/nagios.access.log;
    error_log   /var/log/nginx/nagios.error.log info;

    expires 31d;

    root  /usr/share/nagios3/htdocs;
    index index.php index.html;

    auth_basic           "The Monitor has Restricted Access";
    auth_basic_user_file /etc/nagios3/www/htpasswd.users;

    #location /stylesheets {
    location /nagios/stylesheets {
        alias /etc/nagios3/www/stylesheets;
    }

    location ~ \.cgi$ {
    #location ~ ^/.*cgi.*$ {
        root /usr/lib/cgi-bin/nagios3;

        rewrite ^/nagios/cgi-bin/(.*)$ /$1;
        rewrite ^/cgi-bin/(.*)$ /$1;

        include /etc/nginx/fastcgi_params;

        fastcgi_param AUTH_USER       $remote_user;
        fastcgi_param REMOTE_USER     $remote_user;
        fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nagios3$fastcgi_script_name;

        fastcgi_pass fcgiwrap;
    }

    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass php;
    }

    location ~* \.(css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
}
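Added example (not part of either post above, and not Nagios or nginx project code): the Nagios CGIs decide what a visitor may do from the REMOTE_USER value the web server hands them plus the authorized_for_* lists, so when a front end such as the nginx config above passes REMOTE_USER via fastcgi_param, the access log (nagios.access.log in that config) is the quickest place to see which user the server actually attached to each cmd.cgi request. The script below parses the authorized_for_* lines from the first post, models the CGI check in a simplified way (use_authentication=0 allows everyone; otherwise the user must be named in the list or matched by a "*" entry; a missing user is never authorized), and reports successful cmd.cgi requests by users that hold none of the global command rights. The nagios.cfg fragment and the access-log lines are constructed for the example; the file layout, user name "bob" and request paths are assumptions.

```python
"""Audit nginx access-log lines for external-command CGI hits by users that
nagios.cfg does not authorize. Added example for this thread, not code from
Nagios, nginx, or any poster."""
import re

# Constructed nagios.cfg fragment using the values from the first post.
NAGIOS_CFG = """\
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
"""

# Constructed nginx "combined" log lines; the third field is $remote_user.
ACCESS_LOG = """\
10.0.0.5 - nagiosadmin [26/Sep/2013:10:15:01 +0000] "GET /nagios/cgi-bin/cmd.cgi?cmd_typ=34&host=web1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [26/Sep/2013:10:16:22 +0000] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
10.0.0.9 - bob [26/Sep/2013:10:16:40 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 480 "-" "Mozilla/5.0"
10.0.0.11 - - [26/Sep/2013:10:17:03 +0000] "GET /nagios/cgi-bin/cmd.cgi?cmd_typ=7 HTTP/1.1" 401 188 "-" "curl/7.22.0"
"""

# Global rights cmd.cgi consults for command authorization (per-host contact
# rights are not modelled here, see is_authorized).
COMMAND_RIGHTS = (
    "authorized_for_system_commands",
    "authorized_for_all_host_commands",
    "authorized_for_all_service_commands",
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_authorization(cfg_text):
    """Return (use_authentication, {right: set of users}) from nagios.cfg text."""
    use_auth = True
    rights = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "use_authentication":
            use_auth = value == "1"
        elif key.startswith("authorized_for_"):
            rights[key] = {u.strip() for u in value.split(",") if u.strip()}
    return use_auth, rights


def is_authorized(use_auth, rights, remote_user, right):
    """Simplified model of the CGI check: with use_authentication=0 everyone
    passes; otherwise REMOTE_USER must be present and either named in the
    list or matched by a '*' entry. Per-host contact rights are not modelled."""
    if not use_auth:
        return True
    if not remote_user or remote_user == "-":  # nginx logs a missing user as "-"
        return False
    users = rights.get(right, set())
    return "*" in users or remote_user in users


def find_suspect_commands(cfg_text, log_text):
    """Return (user, method, path) for every successful cmd.cgi request whose
    logged user holds none of the global command rights."""
    use_auth, rights = parse_authorization(cfg_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "cmd.cgi" not in path.split("?", 1)[0]:
            continue
        if not m.group("status").startswith("2"):
            continue  # rejected by the web server; nothing reached the CGI
        user = m.group("user")
        if any(is_authorized(use_auth, rights, user, r) for r in COMMAND_RIGHTS):
            continue
        hits.append((user, m.group("method"), path))
    return hits


if __name__ == "__main__":
    for user, method, path in find_suspect_commands(NAGIOS_CFG, ACCESS_LOG):
        print(f"verify: {user} {method} {path}")
```

On the constructed log the only hit is bob's POST to cmd.cgi that returned 200. A hit is something to verify rather than proof of a bypass: the real CGIs also let a host's or service's own contacts submit commands for that object, which this script does not model, and a line logged with user "-" that still reached the CGI with a 2xx status would mean the server forwarded the request without any authenticated user at all.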

slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: Users not authorized to use cgis are still able to use t

Post by slansing »

That is a total possibility; we have seen this behavior before with nginx, as Nagios is specifically designed to work with Apache authentication. Would you have a chance to fork your Core install to an Ubuntu system running Apache2?
jbowen7
Posts: 6
Joined: Thu Sep 26, 2013 1:36 am

Re: Users not authorized to use cgis are still able to use t

Post by jbowen7 »

Yeah, I'll do that. Should be able to get it done tomorrow. Will post results.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Users not authorized to use cgis are still able to use t

Post by abrist »

Nginx and CGIs do not get along so well. Core CGIs really assume Apache2. Let us know how the test goes.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.