How to limit external commands to non-admin users?


My environment is quite complex, especially regarding security policies.
I would like to use external commands via the CGI interface, but I cannot permit them to ALL Nagios users.

My httpd is started as www (unix user); by putting this user in the nagios group I permit everyone to write the nagios.cmd file!

I need to limit this “write access” to a unix/apache user only.

Is it possible? How?

I tried to modify the httpd.conf file, but … I do not know how!



In cgi.cfg, check for the line


You should define only the user who has to be able to give commands (or maybe a usergroup, but I don’t know if this works, never tried with a group).

The line authorized_for_system_commands is used to control the Nagios process (e.g. shutdown, restart, …).
The line authorized_for_all_services or _all_hosts permits the listed users to manage every external command.
I need something that limits these possibilities for ALL the other users for ALL services/hosts (e.g. prevent adding notifications or scheduling downtime, etc.)


bvzm71 wrote: I need to limit this “write access” to a unix/apache user only.

Then do not put any names in the cgi.cfg file.
Try it; you will see that you can’t restart the server, shut down the server, etc. from the website, if you have enabled authentication.


Using those options in cgi.cfg I do not limit the possibilities of users… they can still schedule downtime for hosts/services, add comments, etc.
You mean “system commands”… they are still forbidden to normal users.


OK, this is the best I could come up with so far.

order deny,allow
deny from all
allow from addYOURipONLY

Looks like it would work to me.
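
An added example, not part of the thread and not Nagios project code: a small Python audit of cgi.cfg that reports which web users hold command rights, the question the posts above go back and forth on. The sample config and user names are constructed; the directive names are from the stock cgi.cfg, and authorized_for_read_only, which the thread does not mention, is assumed to be supported by the installed Nagios version.

```python
# Directives in cgi.cfg that grant command rights through the web interface.
COMMAND_DIRECTIVES = (
    "authorized_for_system_commands",
    "authorized_for_all_service_commands",
    "authorized_for_all_host_commands",
)

# Constructed sample config (not from the thread).
SAMPLE_CGI_CFG = """\
# who may do what in the CGIs
use_authentication=1
authorized_for_system_commands=nagiosadmin
authorized_for_all_service_commands=*
authorized_for_all_host_commands=nagiosadmin,operator
authorized_for_read_only=operator
"""

def parse_cgi_cfg(text):
    """Return {directive: [values]} for key=value lines, skipping comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return cfg

def audit(text):
    """Return findings about who can submit commands from the web UI."""
    cfg = parse_cgi_cfg(text)
    read_only = set(cfg.get("authorized_for_read_only", []))
    findings = []
    for name in COMMAND_DIRECTIVES:
        users = cfg.get(name, [])
        if "*" in users:
            findings.append(f"{name}=* grants this right to every authenticated user")
        for user in users:
            if user in read_only:
                findings.append(f"{user} is in {name} and authorized_for_read_only")
    if not read_only:
        # Assumption: without a read-only list, contacts keep command rights
        # for the hosts/services they are contacts for.
        findings.append("authorized_for_read_only is empty: contacts can still "
                        "submit commands for their own hosts/services")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CGI_CFG):
        print(finding)
```
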