I have about 10 users using Nagios (which if I may add, is fabulous), one being myself and the others are clients who want to check the status of the server. I (admin) should be the only one who can execute external commands. I have read all the docs and have almost everything set up the way it should be, but I can’t seem to lock up cmd.cgi.
I set use_authentication=1 and all the other authorized_for_* to only admin. It works for all the other scripts, where the other users get an error saying they do not have access. However, for some weird reason they are able to access cmd.cgi. I have my htaccess file set up, I have all the authorized_for_* settings set to admin, and am now out of ideas.
This problem has already come up and (if I’m not mistaken) there was no solution… if you are authorized for a host you can execute external commands…
If you find a way to limit the users please let us know…
Personally, I don’t think it’s an issue. They have authenticated, your logs show who has logged in, it shows who has issued commands, so if they want to “Stop accepting passive checks for this service” or any other type of command, then let them. This is not a toy, it’s not here for them to play around with. If they want to be malicious, then I’m sure your company has a policy in place to deal with people like that. Mistakes may happen, but all in all, not once in over 2 years has anyone issued ANY command on my Nagios, and I have dozens, if not more, users.
Having customer servers in our webfarm, I don’t want them to touch the Nagios configuration even under their responsibility when it becomes our problem if their servers are unreachable… (and worse we don’t even know)
Under these circumstances it wouldn’t be bad to have users authorized for “viewing only”.
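The behaviour discussed in this thread (a user who is a contact for a host can submit commands for it even when every authorized_for_* command setting names only admin) can be audited from the configuration. The following is an added example, not part of any poster's reply: the sample config is constructed, the function names are hypothetical, and the parser assumes plain `contacts` directives (no `contact_groups`, templates or comments).

```python
import re

# Constructed sample config, not taken from the thread.
CGI_CFG = """use_authentication=1
authorized_for_system_commands=admin
authorized_for_all_host_commands=admin
authorized_for_all_service_commands=admin
"""
OBJECTS_CFG = """
define host {
    host_name  web01
    contacts   admin,client_a
}
define service {
    host_name            web01
    service_description  HTTP
    contacts             client_b
}
"""
COMMAND_KEYS = ("authorized_for_system_commands", "authorized_for_all_host_commands",
                "authorized_for_all_service_commands")

def split_users(value):
    return {u.strip() for u in value.split(",") if u.strip()}

def global_command_users(cgi_text):
    """Users granted command rights explicitly in cgi.cfg."""
    users = set()
    for line in cgi_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in COMMAND_KEYS:
            users |= split_users(value)
    return users

def contact_rights(objects_text):
    """Map each contact to the hosts/services it is a contact for."""
    rights = {}
    for kind, body in re.findall(r"define\s+(host|service)\s*\{(.*?)\}", objects_text, re.S):
        attrs = dict(p for p in (l.split(None, 1) for l in body.splitlines()) if len(p) == 2)
        name = attrs.get("host_name", "?").strip()
        if kind == "service":
            name += "/" + attrs.get("service_description", "?").strip()
        for user in split_users(attrs.get("contacts", "")):
            rights.setdefault(user, []).append(name)
    return rights

def unexpected_command_users(cgi_text, objects_text):
    # Contacts who can reach commands for their objects without being listed in cgi.cfg.
    allowed = global_command_users(cgi_text)
    return {u: o for u, o in contact_rights(objects_text).items() if u not in allowed}
```

Running `unexpected_command_users(CGI_CFG, OBJECTS_CFG)` lists the client accounts that still have command access through contact membership, alongside the objects they can affect.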