From: <ega...@us...> - 2011-07-26 01:26:12
Revision: 1765 http://nagios.svn.sourceforge.net/nagios/?rev=1765&view=rev Author: egalstad Date: 2011-07-26 01:26:06 +0000 (Tue, 26 Jul 2011) Log Message: ----------- Fixed bug where unauthorized contacts could issue hostgroup and servicegroup commands (Sven Nierlein) Modified Paths: -------------- nagioscore/trunk/Changelog nagioscore/trunk/cgi/cgiauth.c nagioscore/trunk/cgi/cmd.c nagioscore/trunk/include/cgiauth.h
Modified: nagioscore/trunk/Changelog
===================================================================
--- nagioscore/trunk/Changelog 2011-07-26 01:16:44 UTC (rev 1764)
+++ nagioscore/trunk/Changelog 2011-07-26 01:26:06 UTC (rev 1765)
@@ -31,6 +31,7 @@
 * Fixed flexible downtime on service hard state change doesn't get triggered/activated (Michael Friedrich)
 * Fixed XSS vulnerability in config.cgi and statusmap.cgi (Stefan Schurtz)
 * Fixed segfault when sending host notifications (Michael Friedrich)
+* Fixed bug where unauthorized contacts could issue hostgroup and servicegroup commands (Sven Nierlein)
 WARNINGS
Modified: nagioscore/trunk/cgi/cgiauth.c
===================================================================
--- nagioscore/trunk/cgi/cgiauth.c 2011-07-26 01:16:44 UTC (rev 1764)
+++ nagioscore/trunk/cgi/cgiauth.c 2011-07-26 01:26:06 UTC (rev 1765)
@@ -486,3 +486,39 @@
 }
+/* check is the current user is authorized to issue commands relating to a particular servicegroup */
+int is_authorized_for_servicegroup_commands(servicegroup *sg, authdata *authinfo){
+ servicesmember *temp_servicesmember;
+ service *temp_service;
+
+ if(sg==NULL)
+ return FALSE;
+
+ /* see if user is authorized for all services commands in the servicegroup */
+ for(temp_servicesmember=sg->members;temp_servicesmember!=NULL;temp_servicesmember=temp_servicesmember->next){
+ temp_service=find_service(temp_servicesmember->host_name,temp_servicesmember->service_description);
+ if(is_authorized_for_service_commands(temp_service,authinfo)==FALSE)
+ return FALSE;
+ }
+
+ return TRUE;
+ }
+
+
+/* check is the current user is authorized to issue commands relating to a particular hostgroup */
+int is_authorized_for_hostgroup_commands(hostgroup *hg, authdata *authinfo){
+ hostsmember *temp_hostsmember;
+ host *temp_host;
+
+ if(hg==NULL)
+ return FALSE;
+
+ /* see if user is authorized for all hosts in the hostgroup */
+ for(temp_hostsmember=hg->members;temp_hostsmember!=NULL;temp_hostsmember=temp_hostsmember->next){
+ temp_host=find_host(temp_hostsmember->host_name);
+ if(is_authorized_for_host_commands(temp_host,authinfo)==FALSE)
+ return FALSE;
+ }
+
+ return TRUE;
+ }
Modified: nagioscore/trunk/cgi/cmd.c
===================================================================
--- nagioscore/trunk/cgi/cmd.c 2011-07-26 01:16:44 UTC (rev 1764)
+++ nagioscore/trunk/cgi/cmd.c 2011-07-26 01:26:06 UTC (rev 1765)
@@ -1735,7 +1735,7 @@
 /* see if the user is authorized to issue a command... */
 temp_hostgroup = find_hostgroup(hostgroup_name);
- if(is_authorized_for_hostgroup(temp_hostgroup, ¤t_authdata) == TRUE)
+ if(is_authorized_for_hostgroup_commands(temp_hostgroup,¤t_authdata) == TRUE)
 authorized = TRUE;
 /* clean up the comment data if scheduling downtime */
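Review bot: Both new functions in cgiauth.c return TRUE for a group whose member list is empty, because the `for` loop never executes and control falls through to `return TRUE`; if an empty group should be denied, `if(sg->members==NULL) return FALSE;` after the NULL check (and the same on `hg->members`) would close that. The results of `find_service()` and `find_host()` are passed on unchecked, so denial for a member that no longer resolves depends on `is_authorized_for_service_commands()` and `is_authorized_for_host_commands()` rejecting NULL, which is not visible in this hunk; an explicit `if(temp_service==NULL) return FALSE;` (and likewise for `temp_host`) would keep the fail-closed behaviour local. The two header comments read "check is the current user" where "check if" is meant, and they should say that every member of the group must pass.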
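Review bot: The replacement call in the cmd.c hunk at -1735 checks command rights on the member hosts only, so if this branch also dispatches hostgroup commands that act on the services of those hosts, service-command rights are never tested here; the case labels sit outside the hunk, so this needs checking against the full switch. The same question applies in reverse to the hunk at -1776, where `is_authorized_for_servicegroup_commands` tests the member services but not the hosts they run on. A comment above each call such as `/* user must hold command rights on every member of the group */` would record the intent. The new calls also drop the space after the comma that the replaced lines had.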
@@ -1776,7 +1776,7 @@
 /* see if the user is authorized to issue a command... */
 temp_servicegroup = find_servicegroup(servicegroup_name);
- if(is_authorized_for_servicegroup(temp_servicegroup, ¤t_authdata) == TRUE)
+ if(is_authorized_for_servicegroup_commands(temp_servicegroup,¤t_authdata) == TRUE)
 authorized = TRUE;
 break;
Modified: nagioscore/trunk/include/cgiauth.h
===================================================================
--- nagioscore/trunk/include/cgiauth.h 2011-07-26 01:16:44 UTC (rev 1764)
+++ nagioscore/trunk/include/cgiauth.h 2011-07-26 01:26:06 UTC (rev 1765)
@@ -62,6 +62,9 @@
 int is_authorized_for_hostgroup(hostgroup *, authdata *);
 int is_authorized_for_servicegroup(servicegroup *, authdata *);
+
+ int is_authorized_for_hostgroup_commands(hostgroup *, authdata *);
+ int is_authorized_for_servicegroup_commands(servicegroup *, authdata *);
 int is_authorized_for_configuration_information(authdata *);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |