Using Nagios 3.0.3 when setting permissions for users in the cgi.cfg file, I set specific admin users for…
authorized_for_configuration_information
authorized_for_system_commands
authorized_for_all_service_commands
authorized_for_all_host_commands
and I put a “*” for these 2 directives…
authorized_for_all_services=*
authorized_for_all_hosts=*
In my mind and from what the description of these 2 directives says, any defined user should be able to log in and “see” things only. This is what I see for the most part; however, when logged in as a user that is NOT defined in the first 4 directives listed above, I am able to run “Hostgroup Commands”.
To recreate:
- Log in as a user that is not defined in the first 4 directives listed above.
- Go to “Hostgroup Summary”.
- Click on a hostgroup name that is in parentheses (i.e. (all_servers)).
- This will bring you to the “Hostgroup Commands” page. Try any of the commands listed here and they will work and not bring you to the “Not Enough Authority” page.
Again, when I go to an individual service or host and try to run a command, it gives me an error saying I do not have enough authority, but when I try hostgroup commands it allows them. In my mind this is a security bug, but maybe I don’t understand something fully. Any thoughts on this are appreciated.
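
An added example, not part of the original post and not Nagios code: a small Python audit that parses cgi.cfg-style text and reports which authorized_for_* directives apply to a user, so the view-only expectation described in the post can be checked against the configuration itself. The sample configuration, the user names (nagiosadmin, alice, bob) and the helper names are constructed for illustration.

```python
# Added example: audit which cgi.cfg authorization directives apply to a user.
VIEW = ("authorized_for_all_services", "authorized_for_all_hosts")
COMMAND = (
    "authorized_for_system_commands",
    "authorized_for_all_service_commands",
    "authorized_for_all_host_commands",
)
CONFIG = ("authorized_for_configuration_information",)

# Constructed sample mirroring the setup in the post; user names are made up.
SAMPLE_CGI_CFG = """\
# constructed sample, not a real configuration
use_authentication=1
authorized_for_configuration_information=nagiosadmin,alice
authorized_for_system_commands=nagiosadmin,alice
authorized_for_all_service_commands=nagiosadmin,alice
authorized_for_all_host_commands=nagiosadmin,alice
authorized_for_all_services=*
authorized_for_all_hosts=*
"""

def parse_cgi_cfg(text):
    """Return {directive: set(users)} for authorized_for_* lines."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("authorized_for_"):
            users = {u.strip() for u in value.split(",") if u.strip()}
            # Assumption: repeated lines are merged, the cautious reading for an audit.
            acl.setdefault(key, set()).update(users)
    return acl

def grants(acl, user):
    """Directives that name the user explicitly or through the '*' wildcard."""
    return sorted(d for d, users in acl.items() if user in users or "*" in users)

def is_view_only(acl, user):
    """True when the user matches view directives but no command/config ones."""
    held = set(grants(acl, user))
    return bool(held & set(VIEW)) and not held & set(COMMAND + CONFIG)

if __name__ == "__main__":
    acl = parse_cgi_cfg(SAMPLE_CGI_CFG)
    for user in ("alice", "bob"):
        print(user, "view-only" if is_view_only(acl, user) else "privileged", grants(acl, user))
```

If a user this check reports as view-only can still submit hostgroup commands, the configuration matches the setup in the post and the difference lies in how the CGI handles that page.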