Users not authorized to use cgis are still able to use them.
Posted: Fri Sep 27, 2013 2:12 am
by jbowen7
Regarding each of the authorized_for_* parameters in nagios.cfg, I've only listed myself to be able to have full access to the cgis, however I'm logged in as another user right now and I've found that they too can issue external commands.
Anyone know what could be causing this behavior?
relevant variables:
Code:
    use_authentication=1
    authorized_for_system_information=nagiosadmin
    authorized_for_configuration_information=nagiosadmin
    authorized_for_system_commands=nagiosadmin
    authorized_for_all_services=nagiosadmin
    authorized_for_all_hosts=nagiosadmin
    authorized_for_all_service_commands=nagiosadmin
    authorized_for_all_host_commands=nagiosadmin
Re: Users not authorized to use cgis are still able to use them.
Posted: Fri Sep 27, 2013 9:48 am
by slansing
What did you do in the interface to produce this result? I'd like to try and reproduce it. Can the user change or view anything listed in the authorized_for_* list? What version of Nagios Core are you using?
Re: Users not authorized to use cgis are still able to use them.
Posted: Fri Sep 27, 2013 9:37 pm
by jbowen7
Well, unfortunately I changed quite a few variables in my Nagios setup to really isolate the problem.
1) I moved a Nagios 2 installation on CentOS to an Ubuntu machine
2) I upgraded to Nagios 3, which was in the repos
3) I ditched Apache for nginx
From the data I've gathered I believe the issue is with nginx. I'm thinking that nginx is bypassing Nagios cgi authentication, but I'm still looking into how Nagios implements the cgi security, but it's a good bet the problem is with nginx. I'll post my findings.
nginx.conf:
Code:
    server {
        listen 80;
        server_name myServer.com;
        ## redirect http to https ##
        rewrite ^ https://$server_name$request_uri? permanent;
    }
    server {
        listen 443;
        server_name myServer.com;
        #SSL
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        access_log /var/log/nginx/nagios.access.log;
        error_log /var/log/nginx/nagios.error.log info;
        expires 31d;
        root /usr/share/nagios3/htdocs;
        index index.php index.html;
        auth_basic "The Monitor has Restricted Access";
        auth_basic_user_file /etc/nagios3/www/htpasswd.users;
        #location /stylesheets {
        location /nagios/stylesheets {
            alias /etc/nagios3/www/stylesheets;
        }
        location ~ \.cgi$ {
        #location ~ ^/.*cgi.*$ {
            root /usr/lib/cgi-bin/nagios3;
            rewrite ^/nagios/cgi-bin/(.*)$ /$1;
            rewrite ^/cgi-bin/(.*)$ /$1;
            include /etc/nginx/fastcgi_params;
            fastcgi_param AUTH_USER $remote_user;
            fastcgi_param REMOTE_USER $remote_user;
            fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nagios3$fastcgi_script_name;
            fastcgi_pass fcgiwrap;
        }
        location ~ \.php$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_pass php;
        }
        location ~* \.(css|js|gif|jpe?g|png)$ {
            expires max;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }
    }
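Added example, not from the thread and not Nagios's own code: a small Python model of how the Core CGIs turn the authorized_for_* lists and the REMOTE_USER value handed over by the web server into per-request privileges, based on the documented cgi.cfg semantics (use_authentication, comma-separated user lists, and the optional default_user_name fallback, which is an assumption here since the thread does not show it). It is useful for reasoning about what a given user should and should not be able to do when REMOTE_USER does or does not reach the CGI; contact-based per-host access is deliberately out of scope.

```python
"""Model of Nagios Core CGI authorization decisions (illustrative, not Nagios source)."""
from typing import Dict, Optional, Tuple

# Constructed cgi.cfg fragment mirroring the settings posted in the thread.
CGI_CFG = """
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
"""


def parse_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def resolve_user(cfg: Dict[str, str], remote_user: Optional[str]) -> Tuple[str, bool]:
    """Return (username, authenticated) as the CGI would see the request.

    With use_authentication=1 an absent or empty REMOTE_USER falls back to
    default_user_name when that is set; otherwise the request is unauthenticated.
    """
    if cfg.get("use_authentication", "1") == "0":
        return ("", True)  # authentication disabled: every request is trusted
    if remote_user:
        return (remote_user, True)
    default = cfg.get("default_user_name", "")
    return (default, True) if default else ("", False)


def privileges(cfg: Dict[str, str], remote_user: Optional[str]) -> Dict[str, bool]:
    """Map every authorized_for_* key to whether this request holds it."""
    user, authenticated = resolve_user(cfg, remote_user)
    auth_disabled = cfg.get("use_authentication", "1") == "0"
    result: Dict[str, bool] = {}
    for key, value in cfg.items():
        if key.startswith("authorized_for_"):
            allowed = {u.strip() for u in value.split(",") if u.strip()}
            result[key] = auth_disabled or (authenticated and user in allowed)
    return result
```

Run privileges(parse_cfg(CGI_CFG), "<user>") for the account you are logged in as: if the CGI reports command rights the model denies, the web server is not delivering the expected REMOTE_USER (or use_authentication/default_user_name differ from what you think).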
Re: Users not authorized to use cgis are still able to use them.
Posted: Sat Sep 28, 2013 12:03 am
by slansing
That is a total possibility; we have seen this behavior before with nginx, as Nagios is specifically designed to work with Apache authentication. Would you have a chance to fork your Core install to an Ubuntu system running Apache2?
Re: Users not authorized to use cgis are still able to use them.
Posted: Sun Sep 29, 2013 10:42 pm
by jbowen7
Yeah, I'll do that. Should be able to get it done tomorrow. Will post results.
Re: Users not authorized to use cgis are still able to use them.
Posted: Mon Sep 30, 2013 9:23 am
by abrist
nginx and cgis do not get along so well. Core cgis really assume Apache2. Let us know how the test goes.