Security Bug in Nagios. Too much authority for "author

Using Nagios 3.0.3 when setting permissions for users in the cgi.cfg file, I set specific admin users for…

authorized_for_configuration_information
authorized_for_system_commands
authorized_for_all_service_commands
authorized_for_all_host_commands

and I put a “*” for these 2 directives…

authorized_for_all_services=*
authorized_for_all_hosts=*

In my mind, and from what the description of these 2 directives says, any defined user should be able to log in and “see” things only. This is what I see for the most part; however, when logged in as a user that is NOT defined in the first 4 directives listed above, I am able to run “Hostgroup Commands”.

To recreate:

  1. Login as a user that is not defined in the first 4 directives listed above.
  2. Go to “Hostgroup Summary”.
  3. Click on a hostgroup name that is in parentheses (i.e. (all_servers)).
  4. This will bring you to the “Hostgroup Commands” page. Try any of the commands listed here and they will work and not bring you to the “Not Enough Authority” page.

Again, when I go to an individual service or host and try to run a command, it gives me an error saying I do not have enough authority, but when I try hostgroup commands it allows them. In my mind this is a security bug, but maybe I don’t understand something fully. Any thoughts on this are appreciated.
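As an added example (not code from the thread or from Nagios itself), here is a small audit of the authorized_for_* directives the post lists: it parses a cgi.cfg and reports the accounts that can log in and view but appear in no command directive, which on the 3.0.3 setup described above are the accounts that can still reach the Hostgroup Commands page. The config text and the login user list are constructed for the example.

```python
# Added example, not code from the thread: audit the authorized_for_* directives
# in a Nagios cgi.cfg and list the accounts that can log in and view but hold no
# command authority. The config text and login users below are constructed.
import re

COMMAND_DIRECTIVES = (
    "authorized_for_configuration_information",
    "authorized_for_system_commands",
    "authorized_for_all_service_commands",
    "authorized_for_all_host_commands",
)
VIEW_DIRECTIVES = ("authorized_for_all_services", "authorized_for_all_hosts")

SAMPLE_CGI_CFG = """
# constructed sample mirroring the layout described in the post
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_service_commands=nagiosadmin,opsadmin
authorized_for_all_host_commands=nagiosadmin, opsadmin
authorized_for_all_services=*
authorized_for_all_hosts=*
"""
# constructed: accounts present in the web server's htpasswd file
LOGIN_USERS = ["nagiosadmin", "opsadmin", "jdoe", "reader"]

def parse_cgi_cfg(text):
    """Return {directive: set(users)} for every authorized_for_* line."""
    perms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(authorized_for_\w+)\s*=\s*(.*)$", line)
        if m:
            users = {u.strip() for u in m.group(2).split(",") if u.strip()}
            perms.setdefault(m.group(1), set()).update(users)
    return perms

def view_only_users(perms, login_users):
    """Accounts granted view access (explicitly or via '*') but listed in no
    command directive. On the 3.0.3 setup described in the thread these are
    the accounts that can still reach the Hostgroup Commands page."""
    command_users = set().union(*(perms.get(d, set()) for d in COMMAND_DIRECTIVES))
    viewers = set()
    for d in VIEW_DIRECTIVES:
        granted = perms.get(d, set())
        viewers |= set(login_users) if "*" in granted else granted
    return sorted(viewers - command_users)
```

Running `view_only_users(parse_cgi_cfg(SAMPLE_CGI_CFG), LOGIN_USERS)` on the sample returns the two accounts that only exist in htpasswd and the wildcard view directives.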

You’re right. I have tested this on version 2 and version 3. Same thing happens. There are fewer commands available for hostgroups, but then again, someone could disable the host/service checking or do something inappropriate.

Ok, thanks for the feedback. Any idea how to submit a bug report for Nagios? I tried looking around and didn’t find anything except for these forums.