Hi all
My environment is quite complex, specially regarding security policies.
I would use external commands via CGI interface, but I can not permit to ALL nagios users.
My httpd have been started from www (unix user); putting this user in the nagios group I permit to write the nagios.cmd file to everyone !
I need to limit this “write access” only to a unix/apache user only.
Is it possible? How?
I try to modify httpd.conf file, but … I do not know how !
Thanks
Marco
in cgi.cfg check for the line
authorized_for_system_commands=
You should define only the user which has to be able to give commands (or maybe a usergroup, but i don’t know if this works, never tried with a group)
Luca
Edited Thu Mar 17 2005, 04:54PM ]
The line authorized_for_system_commands is used for control Nagios process (ex: shutdown, restart, …).
The line authorized_for_all_services or _all_hosts permit to manage every external command to the users listed.
I need something that limit these possibilities to ALL the other users for ALL services/hosts (ex: prevent add notifications or schedule dowtime, etc.)
[quote=“bvzm71”]I need to limit this “write access” only to a unix/apache user only.
Marco[/quote]
Then do not put any names in the cgi.cfg file
authorized_for_system_information=
authorized_for_system_commands=
authorized_for_configuration_information=
Try it, you will see that you can’t restart the server, shutdown the server, etc from the website, if, you have enabled authentication.
Using those options in cgi.cfg I do not limit the possibilities fo users…they still can schedul downtime for hosts/services, add comment, etc.etc.
You mean “system command”…they are still forbidden to normal users.
Thanks
Marco
OK, this is the best I could come up with so far.
order deny,allow
deny from all
allow from addYOURipONLY
Looks like it would work to me.