From: Jonas Meurer <jonas@fr...> - 2013-06-26 15:28:42
On 2013-05-13 18:02, Jonas Meurer wrote:
> On 12.05.2013 11:25, Andreas Ericsson wrote:
>> On 2013-05-06 10:42, Jonas Meurer wrote:
>>> I fear that I discovered a security issue in Nagios 3.4.4
>>> All htaccess users, even if not listed in any authorized_for_*
>>> option, have full access to service group overview, summary and
>> It's a bit short on info. Servicegroups should be visible if the user
>> is a contact for any service in the group. If a user who has no auth
>> options and is not a contact for any service can see all
>> then yes, that's potentially a security issue.
> You're nearly correct with the second assumption. Users who are
> contacts for _some_ services are able to see all services in service
> group overview, summary and grid.
> This problem affects everyone who restricts Nagios access by using
> contacts. Unprivileged users are able to fetch the whole list of hosts
> and services on the Nagios setup in question.
I now prepared a patch to fix this security issue. You can find the
patch (both for nagios4 git master branch and for nagios3.4.4 release)
at the bug tracker (http://tracker.nagios.org/view.php?id=456).
I suggest incorporating the patch into a security update of Nagios 3.4.
The issue is also reported to Debian BTS
PS: Why do you always reply to the original sender only, keeping the
discussion private? May I suggest that you reply both to the sender and
the mailing list in order to make the discussion public?
PPS: Is there a reason that SVN hosts three nagios repositories (2x git:
nagios-nagioscore, nagios-nagios, 1x svn: nagioscore) with only the git
repository 'nagios-nagioscore' being up-to-date? This is rather
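The following is an added illustration of the authorization behaviour described in this thread; it is not the patch from the tracker and not Nagios's own CGI code. It uses a constructed toy model: a servicegroup is a list of services, each service carries the set of contact names allowed to see it, and a user is authorized for a service when they are one of its contacts or hold the (modelled) authorized_for_all_services right. The user name standing in for the contact name, the sample hosts and services, and all function names are assumptions made for the example.

```python
"""Toy model of servicegroup visibility, showing the leak the report
describes (a contact for *some* member sees *all* members) beside a
per-service filter that does not leak. Constructed example, not Nagios code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    description: str
    contacts: frozenset  # contact names allowed to see this service


@dataclass(frozen=True)
class User:
    name: str  # assumed to equal the contact name for simplicity
    authorized_for_all_services: bool = False  # models authorized_for_all_services=


# Constructed sample servicegroup: two teams' services plus one more.
SERVICEGROUP = [
    Service("web1", "HTTP", frozenset({"webteam"})),
    Service("web2", "HTTP", frozenset({"webteam"})),
    Service("db1", "MySQL", frozenset({"dbteam"})),
    Service("mail1", "SMTP", frozenset({"mailteam"})),
]


def is_authorized_for_service(user, svc):
    """Per-service check: global right, or the user is a contact for it."""
    return user.authorized_for_all_services or user.name in svc.contacts


def group_members_leaky(user, group):
    """Behaviour the report describes: one positive per-service check
    unlocks the whole group, so every member is listed."""
    if any(is_authorized_for_service(user, s) for s in group):
        return list(group)
    return []


def group_members_filtered(user, group):
    """Apply the per-service check to each member individually."""
    return [s for s in group if is_authorized_for_service(user, s)]


def leaked_members(user, group):
    """Members the leaky listing reveals that the user is not authorized
    for: the host/service names an unprivileged contact learns."""
    allowed = set(group_members_filtered(user, group))
    return [(s.host, s.description) for s in group_members_leaky(user, group)
            if s not in allowed]


if __name__ == "__main__":
    for u in (User("webteam"), User("nobody"), User("admin", True)):
        print(u.name, "leaked:", leaked_members(u, SERVICEGROUP))
```

A user who is a contact for nothing in the group is correctly shown nothing by both variants; the difference appears only for a user who is a contact for at least one member, which is exactly the case the thread identifies.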