How to limit external commands to non-admin users?


#1

Hi all

My environment is quite complex, especially regarding security policies.
I would like to use external commands via the CGI interface, but I cannot permit them to ALL nagios users.

My httpd is started by www (unix user); by putting this user in the nagios group I permit everyone to write the nagios.cmd file!

I need to limit this “write access” to a unix/apache user only.

Is it possible? How?

I tried to modify the httpd.conf file, but … I do not know how!

Thanks
Marco


#2

In cgi.cfg check for the line

authorized_for_system_commands=

You should define only the user who has to be able to give commands (or maybe a usergroup, but I don’t know if this works, never tried with a group)

Luca
[Edited Thu Mar 17 2005, 04:54PM]


#3

The line authorized_for_system_commands is used to control the Nagios process (e.g. shutdown, restart, …).
The line authorized_for_all_services or _all_hosts permits the users listed to manage every external command.
I need something that limits these possibilities for ALL the other users for ALL services/hosts (e.g. prevent adding notifications or scheduling downtime, etc.)


#4

[quote="bvzm71"]I need to limit this “write access” to a unix/apache user only.
Marco[/quote]

Then do not put any names in the cgi.cfg file
authorized_for_system_information=
authorized_for_system_commands=
authorized_for_configuration_information=
Try it; you will see that you can’t restart the server, shut down the server, etc. from the website, if you have enabled authentication.


#5

Using those options in cgi.cfg I do not limit the possibilities of users… they can still schedule downtime for hosts/services, add comments, etc.
You mean “system commands”… they are still forbidden to normal users.
Thanks
Marco
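
An added example (not part of the thread, and not Nagios project code): a Python audit of the cgi.cfg directives discussed above, listing which web users hold global command rights. It also checks authorized_for_all_host_commands and authorized_for_all_service_commands, which are cgi.cfg directives the thread does not mention; the sample config, user names and function names are constructed for illustration.

```python
# Added example: audit which web users a cgi.cfg lets submit external commands.
# Only global grants are checked; rights a user holds as a contact are not in cgi.cfg.
COMMAND_DIRECTIVES = (
    "authorized_for_system_commands",        # process control: shutdown, restart, ...
    "authorized_for_all_host_commands",      # commands for every host
    "authorized_for_all_service_commands",   # commands for every service
)

def parse_cgi_cfg(text):
    """Return {directive: value} for key=value lines, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text, allowed_users):
    """List findings for command rights held by users outside allowed_users."""
    settings = parse_cgi_cfg(text)
    findings = []
    if settings.get("use_authentication") != "1":
        findings.append("use_authentication is not set to 1")
    for directive in COMMAND_DIRECTIVES:
        users = [u.strip() for u in settings.get(directive, "").split(",") if u.strip()]
        for user in users:
            if user == "*":
                findings.append(f"{directive}: '*' grants every authenticated user")
            elif user not in allowed_users:
                findings.append(f"{directive}: unexpected user '{user}'")
    return findings

SAMPLE_CGI_CFG = """\
# constructed sample, not taken from the thread
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin,guest
authorized_for_all_hosts=nagiosadmin,guest
authorized_for_all_service_commands=nagiosadmin,guest
authorized_for_all_host_commands=*
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CGI_CFG, {"nagiosadmin"}):
        print(finding)
```

Nagios also lets an authenticated contact issue commands for the hosts and services it is a contact for, which these directives do not control, so an empty result here covers only the global grants.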


#6

OK, this is the best I could come up with so far.

order deny,allow
deny from all
allow from addYOURipONLY

Looks like it would work to me.