Hello,
This bug seems to apply to Icinga as well.
Regards
- Robert
-------- Original Message --------
Subject: [Nagios-devel] host/servicegroup commands
Date: Sat, 25 Jun 2011 17:11:29 +0200
From: Sven Nierlein <[email protected]>
Reply-To: Nagios Developers List <[email protected]>
To: [email protected]
Hi,
One of our customers found a bug in the Nagios CGIs. It's easy to reproduce:
1. create a new user
2. give him authorized_for_all_services and authorized_for_all_hosts in your cgi.cfg
The contact should now be able to see all hosts and services but should
not be allowed to submit any commands.
However, if the contact submits hostgroup or servicegroup commands, they
are accepted and executed.
The attached patch fixes that behavior.
Regards,
Sven
Index: cgi/cmd.c
===================================================================
--- cgi/cmd.c (revision 1749)
+++ cgi/cmd.c (working copy)
@@ -1735,7 +1735,7 @@
/* see if the user is authorized to issue a command... */
temp_hostgroup=find_hostgroup(hostgroup_name);
- if(is_authorized_for_hostgroup(temp_hostgroup,¤t_authdata)==TRUE)
+ if(is_authorized_for_hostgroup_commands(temp_hostgroup,¤t_authdata)==TRUE)
authorized=TRUE;
/* clean up the comment data if scheduling downtime */
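Review bot: In the hostgroup branch the new check only consults per-host command rights, since is_authorized_for_hostgroup_commands() walks the members with is_authorized_for_host_commands(). If any command routed through this branch acts on the services of the member hosts rather than on the hosts themselves, service command authorization is never evaluated. It is worth confirming which commands reach this branch and, for service-affecting ones, also requiring is_authorized_for_service_commands() for each affected service. The servicegroup branch further down has the mirror-image question for commands that touch the hosts of the member services.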
@@ -1776,7 +1776,7 @@
/* see if the user is authorized to issue a command... */
temp_servicegroup=find_servicegroup(servicegroup_name);
- if(is_authorized_for_servicegroup(temp_servicegroup,¤t_authdata)==TRUE)
+ if(is_authorized_for_servicegroup_commands(temp_servicegroup,¤t_authdata)==TRUE)
authorized=TRUE;
break;
Index: cgi/cgiauth.c
===================================================================
--- cgi/cgiauth.c (revision 1749)
+++ cgi/cgiauth.c (working copy)
@@ -486,3 +486,39 @@
}
+/* check is the current user is authorized to issue commands relating to a particular servicegroup */
+int is_authorized_for_servicegroup_commands(servicegroup *sg, authdata *authinfo){
+ servicesmember *temp_servicesmember;
+ service *temp_service;
+
+ if(sg==NULL)
+ return FALSE;
+
+ /* see if user is authorized for all services commands in the servicegroup */
+ for(temp_servicesmember=sg->members;temp_servicesmember!=NULL;temp_servicesmember=temp_servicesmember->next){
+ temp_service=find_service(temp_servicesmember->host_name,temp_servicesmember->service_description);
+ if(is_authorized_for_service_commands(temp_service,authinfo)==FALSE)
+ return FALSE;
+ }
+
+ return TRUE;
+ }
+
+
+/* check is the current user is authorized to issue commands relating to a particular hostgroup */
+int is_authorized_for_hostgroup_commands(hostgroup *hg, authdata *authinfo){
+ hostsmember *temp_hostsmember;
+ host *temp_host;
+
+ if(hg==NULL)
+ return FALSE;
+
+ /* see if user is authorized for all hosts in the hostgroup */
+ for(temp_hostsmember=hg->members;temp_hostsmember!=NULL;temp_hostsmember=temp_hostsmember->next){
+ temp_host=find_host(temp_hostsmember->host_name);
+ if(is_authorized_for_host_commands(temp_host,authinfo)==FALSE)
+ return FALSE;
+ }
+
+ return TRUE;
+ }
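Review bot: Both helpers pass the result of find_service() / find_host() straight into is_authorized_for_service_commands() / is_authorized_for_host_commands() without a NULL check, so a group member that does not resolve is only denied if the callee happens to reject NULL. An explicit "if(temp_service==NULL) return FALSE;" (and the same for temp_host) inside each loop would keep the deny-by-default intent visible in this file. A group with no members also falls through the loop and returns TRUE, which should be a deliberate decision rather than a side effect. Minor: both header comments read "check is the current user" where "check if" is meant, and the hostgroup loop comment says "authorized for all hosts" although the test is for host commands.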
Index: include/cgiauth.h
===================================================================
--- include/cgiauth.h (revision 1749)
+++ include/cgiauth.h (working copy)
@@ -63,6 +63,9 @@
int is_authorized_for_hostgroup(hostgroup *,authdata *);
int is_authorized_for_servicegroup(servicegroup *,authdata *);
+int is_authorized_for_hostgroup_commands(hostgroup *,authdata *);
+int is_authorized_for_servicegroup_commands(servicegroup *,authdata *);
+
int is_authorized_for_configuration_information(authdata *);
int is_authorized_for_read_only(authdata *);
_______________________________________________
Nagios-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nagios-devel
_______________________________________________
icinga-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/icinga-users