From: <st...@us...> - 2011-11-27 21:32:24
Revision: 6776 http://xymon.svn.sourceforge.net/xymon/?rev=6776&view=rev
Author: storner
Date: 2011-11-27 21:32:18 +0000 (Sun, 27 Nov 2011)
Log Message:
-----------
web access controls: Provide option to check access to certain web CGI's using an Apache-style "group" access file. This may be useful to protect against unauthorized access to information about a host by manipulating URL's to reference hosts directly.
Modified Paths:
--------------
trunk/lib/webaccess.c
trunk/lib/webaccess.h
trunk/web/acknowledge.c
trunk/web/appfeed.c
trunk/web/enadis.c
trunk/web/svcstatus.c
Added Paths:
-----------
trunk/web/xymonwebaccess.5
Modified: trunk/lib/webaccess.c
===================================================================
--- trunk/lib/webaccess.c 2011-11-27 21:28:18 UTC (rev 6775)
+++ trunk/lib/webaccess.c 2011-11-27 21:32:18 UTC (rev 6776)
@@ -89,8 +89,30 @@
 xfree(key);
 onepg = strtok(NULL, ",");
 }
+ xfree(pages);
- xfree(pages);
+ if (hostname) {
+ /* See if user is a member of a group named by the hostname */
+ key = (char *)malloc(strlen(hostname) + strlen(username) + 2);
+ sprintf(key, "%s %s", hostname, username);
+ if (xtreeFind(acctree, key) != xtreeEnd(acctree)) {
+ xfree(key);
+ return 1;
+ }
+ xfree(key);
+ }
+
+ if (testname) {
+ /* See if user is a member of a group named by the testname */
+ key = (char *)malloc(strlen(testname) + strlen(username) + 2);
+ sprintf(key, "%s %s", testname, username);
+ if (xtreeFind(acctree, key) != xtreeEnd(acctree)) {
+ xfree(key);
+ return 1;
+ }
+ xfree(key);
+ }
+
 return 0;
 }
Modified: trunk/lib/webaccess.h
===================================================================
--- trunk/lib/webaccess.h 2011-11-27 21:28:18 UTC (rev 6775)
+++ trunk/lib/webaccess.h 2011-11-27 21:32:18 UTC (rev 6776)
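Review bot: Both new lookups call `strlen(username)` with no NULL guard, and every caller this commit adds passes `getenv("REMOTE_USER")`, which is unset whenever the web server did not authenticate the request; unless the part of web_access_allowed above this hunk already rejects a NULL username, a CGI started with `--access=` but without a `Require valid-user` rule will crash here rather than deny. A guard at the top of each block, `if (!username) return 0;`, keeps the function fail-closed. The `acc` argument is not consulted by either lookup, so membership in a group named after a host or a status column grants WEB_ACCESS_CONTROL and WEB_ACCESS_ADMIN as well as view; if that is intended it deserves a comment here (`/* host/column groups grant every access type, not only view */`), otherwise restrict these two lookups to `acc == WEB_ACCESS_VIEW`. The two malloc results are also used unchecked, which is out of step with the xfree-style helpers used around them. web_access_allowed begins before this hunk.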
@@ -11,7 +11,7 @@
 #ifndef __WEBACCESS_H__
 #define __WEBACCESS_H__
-typedef enum { WEB_ACC_VIEW, WEB_ACCESS_CONTROL, WEB_ACCESS_ADMIN } web_access_type_t;
+typedef enum { WEB_ACCESS_VIEW, WEB_ACCESS_CONTROL, WEB_ACCESS_ADMIN } web_access_type_t;
 extern void *load_web_access_config(char *accessfn);
 extern int web_access_allowed(char *username, char *hostname, char *testname, web_access_type_t acc);
Modified: trunk/web/acknowledge.c
===================================================================
--- trunk/web/acknowledge.c 2011-11-27 21:28:18 UTC (rev 6775)
+++ trunk/web/acknowledge.c 2011-11-27 21:32:18 UTC (rev 6776)
@@ -201,6 +201,7 @@
 int argi;
 char *envarea = NULL;
 int obeycookies = 1;
+ char *accessfn = NULL;
 for (argi = 1; (argi < argc); argi++) {
 if (argnmatch(argv[argi], "--env=")) {
@@ -220,6 +221,11 @@
 else if (strcmp(argv[argi], "--no-cookies") == 0) {
 obeycookies = 0;
 }
+ else if (argnmatch(argv[argi], "--access=")) {
+ char *p = strchr(argv[argi], '=');
+ accessfn = strdup(p+1);
+ }
+
 }
 redirect_cgilog("ack");
@@ -353,11 +359,18 @@
 if (remaddr) sprintf(acking_user + strlen(acking_user), " (%s)", remaddr);
 }
+ /* Load the host data (for access control) */
+ if (accessfn) {
+ load_hostnames(xgetenv("HOSTSCFG"), NULL, get_fqdn());
+ load_web_access_config(accessfn);
+ }
+
 addtobuffer(response, "<center>\n");
 for (awalk = ackhead; (awalk); awalk = awalk->next) {
 char *msgline = (char *)malloc(1024 + (awalk->hostname ? strlen(awalk->hostname) : 0) + (awalk->testname ? strlen(awalk->testname) : 0));
 if (!awalk->checked) continue;
+ if (!web_access_allowed(getenv("REMOTE_USER"), awalk->hostname, awalk->testname, WEB_ACCESS_CONTROL)) continue;
 if ((reqtype == ACK_ONE) && (awalk->id != sendnum)) continue;
Modified: trunk/web/appfeed.c
===================================================================
--- trunk/web/appfeed.c 2011-11-27 21:28:18 UTC (rev 6775)
+++ trunk/web/appfeed.c 2011-11-27 21:32:18 UTC (rev 6776)
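Review bot: The new `web_access_allowed(...)` check in the ack loop runs unconditionally, but `load_web_access_config(accessfn)` a few lines above only runs when `--access=` was given, so an acknowledge.cgi invoked without the option consults an access tree that was never loaded; depending on how web_access_allowed treats that state (not visible here) every acknowledgement is silently skipped or the CGI dereferences an unset tree. The other three CGIs in this commit guard the call with `if (accessfn)`, and the same guard belongs here: `if (accessfn && !web_access_allowed(getenv("REMOTE_USER"), awalk->hostname, awalk->testname, WEB_ACCESS_CONTROL)) continue;`. Refused entries also add nothing to `response`, so a user whose acks were rejected sees the same page as one whose acks went through; a one-line "not permitted" row per skipped entry would make the refusal visible. The enclosing function starts and ends outside the hunk.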
@@ -80,7 +80,7 @@
 int argi;
 char *criticalconfig = NULL;
 char *envarea = NULL;
- char *groupfile = NULL;
+ char *accessfn = NULL;
 char *userid = getenv("REMOTE_USER");
 FILE *output = stdout;
@@ -109,9 +109,9 @@
 char *p = strchr(argv[argi], '=');
 criticalconfig = strdup(p+1);
 }
- else if (argnmatch(argv[argi], "--groupfile=")) {
+ else if (argnmatch(argv[argi], "--access=")) {
 char *p = strchr(argv[argi], '=');
- groupfile = strdup(p+1);
+ accessfn = strdup(p+1);
 }
 }
@@ -135,9 +135,9 @@
 freesendreturnbuf(sres);
 /* Load the host data (for access control) */
- if (groupfile) {
+ if (accessfn) {
 load_hostnames(xgetenv("HOSTSCFG"), NULL, get_fqdn());
- load_web_access_config(groupfile);
+ load_web_access_config(accessfn);
 }
 /* Load the critical config */
@@ -171,7 +171,7 @@
 hostname = gettok(bol, "|");
 testname = (hostname ? gettok(NULL, "|") : NULL);
- if (groupfile) useit = web_access_allowed(userid, hostname, testname, WEB_ACC_VIEW);
+ if (accessfn) useit = web_access_allowed(userid, hostname, testname, WEB_ACCESS_VIEW);
 }
 if (useit) {
Modified: trunk/web/enadis.c
===================================================================
--- trunk/web/enadis.c 2011-11-27 21:28:18 UTC (rev 6775)
+++ trunk/web/enadis.c 2011-11-27 21:32:18 UTC (rev 6776)
@@ -269,6 +269,7 @@
 char *fullmsg = "No cause specified";
 char *envarea = NULL;
 int obeycookies = 1;
+ char *accessfn = NULL;
 if ((username == NULL) || (strlen(username) == 0)) username = "unknown";
 if ((userhost == NULL) || (strlen(userhost) == 0)) userhost = userip;
@@ -288,6 +289,10 @@
 else if (strcmp(argv[argi], "--debug") == 0) {
 debug = 1;
 }
+ else if (argnmatch(argv[argi], "--access=")) {
+ char *p = strchr(argv[argi], '=');
+ accessfn = strdup(p+1);
+ }
 }
 redirect_cgilog("enadis");
@@ -377,11 +382,25 @@
 }
 if (preview) printf("<table align=\"center\" summary=\"Actions performed\" width=\"60%%\">\n");
+
+
 if (action == ACT_SCHED_CANCEL) {
 do_one_host(NULL, NULL, username);
 }
 else {
- for (i = 0; (i < hostcount); i++) do_one_host(hostnames[i], fullmsg, username);
+ /* Load the host data (for access control) */
+ if (accessfn) {
+ load_web_access_config(accessfn);
+
+ for (i = 0; (i < hostcount); i++) {
+ if (web_access_allowed(getenv("REMOTE_USER"), hostnames[i], NULL, WEB_ACCESS_CONTROL)) {
+ do_one_host(hostnames[i], fullmsg, username);
+ }
+ }
+ }
+ else {
+ for (i = 0; (i < hostcount); i++) do_one_host(hostnames[i], fullmsg, username);
+ }
 }
 if (preview) {
 printf("<tr><td align=center><br><br><form method=\"GET\" ACTION=\"%s\"><input type=submit value=\"Continue\"></form></td></tr>\n", xgetenv("HTTP_REFERER"));
Modified: trunk/web/svcstatus.c
===================================================================
--- trunk/web/svcstatus.c 2011-11-27 21:28:18 UTC (rev 6775)
+++ trunk/web/svcstatus.c 2011-11-27 21:32:18 UTC (rev 6776)
@@ -34,6 +34,7 @@
 static char *multigraphs = ",disk,inode,qtree,quotas,snapshot,TblSpace,if_load,";
 static int locatorbased = 0;
 static char *critconfigfn = NULL;
+static char *accessfn = NULL;
 /* CGI params */
 static char *hostname = NULL;
@@ -193,6 +194,16 @@
 if (parse_query() != 0) return 1;
+ /* Load the host data (for access control) */
+ if (accessfn) {
+ load_hostinfo(hostname);
+ load_web_access_config(accessfn);
+ if (!web_access_allowed(getenv("REMOTE_USER"), hostname, service, WEB_ACCESS_VIEW)) {
+ errormsg("Not available (restricted).");
+ return 1;
+ }
+ }
+
 {
 char *s;
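Review bot: The access check covers only the `else` branch, so the `ACT_SCHED_CANCEL` path still calls `do_one_host(NULL, NULL, username)` for any logged-in user regardless of group membership, even when `--access=` is configured; a user who may not disable a host can still cancel someone else's scheduled enable/disable for it. The cancel appears to be keyed by something other than a hostname (inferred from the NULL arguments), so the host-group lookup cannot be reused as-is; either resolve the scheduled item's host and run `web_access_allowed(getenv("REMOTE_USER"), thathost, NULL, WEB_ACCESS_CONTROL)` before cancelling, or state in the man page that cancellations are not restricted. Unlike acknowledge.c and appfeed.c, this hunk calls `load_web_access_config()` without a preceding `load_hostnames()`; if enadis.c has not loaded the host list earlier (not visible here), page-based lookups will have no host data to consult. Hosts dropped by the check are also omitted silently from the preview table. The enclosing function begins and ends outside the hunk.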
@@ -718,6 +729,10 @@
 char *p = strchr(argv[argi], '=');
 critconfigfn = strdup(p+1);
 }
+ else if (argnmatch(argv[argi], "--access=")) {
+ char *p = strchr(argv[argi], '=');
+ accessfn = strdup(p+1);
+ }
 }
 redirect_cgilog("svcstatus");
Added: trunk/web/xymonwebaccess.5
===================================================================
--- trunk/web/xymonwebaccess.5 (rev 0)
+++ trunk/web/xymonwebaccess.5 2011-11-27 21:32:18 UTC (rev 6776)
@@ -0,0 +1,56 @@
+.TH XYMON-WEBACCESS 5 "Version 4.3.5: 9 Sep 2011" "Xymon"
+.SH NAME
+xymon-webaccess \- Web-based access controls in Xymon
+
+.SH DESCRIPTION
+Xymon does not provide any built-in authentication (login) mechanism.
+Instead, it relies on the access controls available in your web server,
+e.g. the Apache \fBmod_auth\fR modules.
+
+This provides a simple way of controlling access to the physical
+directories that make up the pages and subpages with the hosts
+defined in your Xymon
+.I hosts.cfg(5)
+setup - you can use the Apache "require" setting to allow or deny
+access to information on any page, usually through the use of a
+"Require group ..." setting. The group name then refers to one
+or more groups in an Apache \fBAuthGroupFile\fR file.
+
+However, this does not work for the Xymon CGI programs since they
+are used to fetch information about all hosts in Xymon, but there
+is only a single directory holding all of the CGI's. So here you
+can only require that the user is logged-in (the Apache "Require valid-user"
+directive). A user with a login can - if he knows the hostname -
+manipulate the request sent to the webserver and fetch information
+about any status by use of the Xymon CGI programs, even though he
+cannot see the overview webpages.
+
+To alleviate this situation, the following Xymon CGI's support a
+"--access=FILENAME" option, where FILENAME is an Apache compatible
+group-definitions file:
+.br
+.I svcstatus.cgi(1)
+.br
+.I acknowledge.cgi(1)
+.br
+.I enadis.cgi(1)
+.br
+.I appfeed.cgi(1)
+
+When invoked with this option the CGI will read the Apache
+group-definitions file, and assume that an Apache \fBgroup\fR
+maps to a Xymon \fBpage\fR, and then - based on the logged-in userid -
+determine which pages and hosts the user is allowed access to.
+Only information about those hosts will be made available by the CGI
+tool.
+
+Members of the group \fBroot\fR has access to all hosts.
+
+Access will also be granted, if the user is a member of a group
+with the same name as the \fBhost\fR being requested, or as the
+\fBstatuscolumn\fR being requested.
+
+.SH "SEE ALSO"
+The Apache "Authentication, Authorization and Access Control" documentation,
+http://httpd.apache.org/docs/2.2/howto/auth.html
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |