[Nagios-devel] RFC: Security model granularity
Posted: Fri Mar 07, 2003 2:47 am
Hi!
Just wanted an opinion on the security model in Nagios. At the moment, if a
web user is listed as a contact for a host, they see all the services under
this host. This doesn't really work in our environment as we want only
certain services to show for one team (Unix team) and other services to show
for other teams (app support).
The attached patch will allow this granularity, but at the expense of having
to list the contactgroups in each service. The diff is against Nagios 1.0.
As a consequence I'm seeing other issues at the moment, like if you send an
external command of ENABLE_HOST_SVC_CHECK it will enable all services, not
just ones the user is allowed to change, but I wanted to find out what others
thought about this change to the security model.
Ton
Attachment: auth.c.patch
*** auth.c.1.0 Fri Mar 7 10:11:38 2003=0A=
--- auth.c Fri Mar 7 10:11:51 2003=0A=
***************=0A=
*** 268,280 ****=0A=
--- 268,284 ----=0A=
return TRUE;=0A=
=0A=
/* find the host */=0A=
+ /* Taking this out=0A=
temp_host=3Dfind_host(svc->host_name,NULL);=0A=
if(temp_host=3D=3DNULL)=0A=
return FALSE;=0A=
+ */=0A=
=0A=
/* if this user is authorized for this host, they are for all =
services on it as well... */=0A=
+ /* Removing this as it allows granular viewing of services=0A=
if(is_authorized_for_host(temp_host,authinfo)=3D=3DTRUE)=0A=
return TRUE;=0A=
+ */=0A=
=0A=
/* find the contact */=0A=
temp_contact=3Dfind_contact(authinfo->username,NULL);=0A=
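Review bot: The second commented-out block drops the host-level grant (`if(is_authorized_for_host(temp_host,authinfo)==TRUE) return TRUE;`) for every installation, so a contact listed only on the host loses sight of all its services unless each service definition also names their contact group. This would be safer behind a configuration switch that defaults to the existing behaviour. With the first block gone, a service whose host cannot be found no longer returns FALSE and instead falls through to the contact lookup; please state whether that is intended. Delete the lines rather than wrapping them in comments, and update or drop the surviving comment "if this user is authorized for this host, they are for all services on it as well...", which no longer describes the code. As the covering message notes, a host-wide external command such as ENABLE_HOST_SVC_CHECK still acts on every service, so the command authorization path needs a matching per-service check before this view restriction can be relied on as a boundary between teams.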
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]