Thread: [cgiwrap-users] CGIWrap and Nagios issues
From: James T. <ja...@lo...> - 2005-07-04 12:56:37
Hi

I've configured Nagios and Apache to work with CGIWrap. I sym-linked a /home/nagios/public_html/ directory to the Nagios CGI directory /usr/local/nagios/sbin. Everything seems to work and cgiwrap seems to be working but I also use authentication (Digest authentication) to authenticate my users. In Nagios authenticated users are then used to determine what access is granted to the Nagios web console. But after installing CGIWrap Nagios seems unable to work out what user is signed in and hence doesn't correctly authorize users. In Nagios this shows up as the signed in user name being replaced with a ?, ie. instead of the console saying jsmith is signed in it says that ? is signed in.

I am running Red Hat ES 4 with Apache 2.0.52, Nagios 2.0b3 and cgiwrap 3.9.

Happy to provide any further information if this is not detailed enough.

Thanks in advance

James Turnbull

--
James Turnbull <ja...@lo...>
---
Author of Hardening Linux, Apress
(http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

From: James T. <ja...@lo...> - 2005-07-06 10:13:38
James Turnbull wrote:

> Hi
>
> I've configured Nagios and Apache to work with CGIWrap. I sym-linked
> a /home/nagios/public_html/ directory to the Nagios CGI directory
> /usr/local/nagios/sbin. Everything seems to work and cgiwrap seems to
> be working but I also use authentication (Digest authentication) to
> authenticate my users. In Nagios authenticated users are then used to
> determine what access is granted to the Nagios web console. But after
> installing CGIWrap Nagios seems unable to work out what user is signed
> in and hence doesn't correctly authorize users. In Nagios this shows
> up as the signed in user name being replaced with a ?, ie. instead of
> the console saying jsmith is signed in it says that ? is signed in.
>

To add further information - I have noted from the documentation that CGIWrap doesn't work with .htaccess files - does this imply it doesn't work with Apache authentication directives that are contained in either .htaccess files or the httpd.conf file?

Regards

James Turnbull

--
James Turnbull <ja...@lo...>
---
Author of Hardening Linux, Apress
(http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

From: Jeremy C. <cg...@jd...> - 2005-07-06 10:30:40
Using ScriptAlias and the like to map CGI executions to usernames and the like won't result in Apache honouring .htaccess. I believe the problem to be more related to Apache than cgiwrap.

For workarounds, there's only one that I've found: use a <Directory> or <Location> block and add appropriate .htaccess-esque rules there.

Aren't the oversights of Apache wonderful? ;-)

Example configuration: one of our virtualhosts uses cgiwrap to assist in managing their web board software (ugh...). The board requires authentication to post (but not read). Since cgiwrap is involved, there is no way to achieve the authentication without actually modifying the CGI to do the authentication itself (rather than rely on Apache's .htaccess allow/deny and authentication directives).

To alleviate this problem, I had to do the following within our Apache config, within their <VirtualHost> block:

    ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/cgiwrap/user/"

    <Location /cgi-bin/bbs/secure>
        AuthType Basic
        AuthName "Restricted Access"
        AuthUserFile "/home/user/cgi-bin/bbs/secure/.htpasswd"
        Require valid-user
    </Location>

{rant}
Aren't the oversights of Apache wonderful? For a webserver that something like 80-90% of the Internet relies on, I'd expect it to have better logic/directives for handling such situations. Hell, better yet, solve the problem altogether: add setuid() support for CGIs and documents to Apache natively, WITHOUT suexec (which is just an ugly hack). And while they're at it, add rate-limiting support, and proper bandwidth monitoring to the stock Apache server, rather than relying on half-ass third-party modules which don't work or require you to patch the Apache core to get SHM to work...
{/rant}

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.                             |

On Wed, Jul 06, 2005 at 08:13:18PM +1000, James Turnbull wrote:
> James Turnbull wrote:
>
> >Hi
> >
> >I've configured Nagios and Apache to work with CGIWrap. I sym-linked
> >a /home/nagios/public_html/ directory to the Nagios CGI directory
> >/usr/local/nagios/sbin. Everything seems to work and cgiwrap seems to
> >be working but I also use authentication (Digest authentication) to
> >authenticate my users. In Nagios authenticated users are then used to
> >determine what access is granted to the Nagios web console. But after
> >installing CGIWrap Nagios seems unable to work out what user is signed
> >in and hence doesn't correctly authorize users. In Nagios this shows
> >up as the signed in user name being replaced with a ?, ie. instead of
> >the console saying jsmith is signed in it says that ? is signed in.
> >
> To add further information - I have noted from the documentation that
> CGIWrap doesn't work with .htaccess files - does this imply it doesn't
> work with Apache authentication directives that are contained in either
> .htaccess files or the httpd.conf file?
>
> Regards
>
> James Turnbull
>
> --
> James Turnbull <ja...@lo...>
> ---
> Author of Hardening Linux, Apress
> (http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
> ---
> PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

From: James T. <ja...@lo...> - 2005-07-06 11:25:41
Jeremy Chadwick wrote:

>Using ScriptAlias and the like to map CGI executions to usernames
>and the like won't result in Apache honouring .htaccess. I believe
>the problem to be more related to Apache than cgiwrap.
>
>For workarounds, there's only one that I've found: use a <Directory>
>or <Location> block and add appropriate .htaccess-esque rules there.
>
>Aren't the oversights of Apache wonderful? ;-)
>

Sadly I am not using a .htaccess file and in fact putting the directives directly into the httpd.conf file like:

    <Directory "/usr/local/nagios/sbin/">
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
        AuthName "Nagios Access"
        AuthType Digest
        AuthDigestFile /usr/local/nagios/etc/htdigest.users
        Require valid-user
    </Directory>

This does not seem to fix the problem. Any other ideas would be much appreciated. What little hair I have left I am slowly pulling out. :)

Regards

James Turnbull

--
James Turnbull <ja...@lo...>
---
Author of Hardening Linux, Apress
(http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

From: Jeremy C. <cg...@jd...> - 2005-07-06 12:23:35
I don't think <Directory> will work. Use a <Location>. :-)

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.                             |

On Wed, Jul 06, 2005 at 09:25:21PM +1000, James Turnbull wrote:
> Jeremy Chadwick wrote:
>
> >Using ScriptAlias and the like to map CGI executions to usernames
> >and the like won't result in Apache honouring .htaccess. I believe
> >the problem to be more related to Apache than cgiwrap.
> >
> >For workarounds, there's only one that I've found: use a <Directory>
> >or <Location> block and add appropriate .htaccess-esque rules there.
> >
> >Aren't the oversights of Apache wonderful? ;-)
> >
> Sadly I am not using a .htaccess file and in fact putting the directives
> directly into the httpd.conf file like:
>
> <Directory "/usr/local/nagios/sbin/">
>     AllowOverride None
>     Options ExecCGI
>     Order allow,deny
>     Allow from all
>     AuthName "Nagios Access"
>     AuthType Digest
>     AuthDigestFile /usr/local/nagios/etc/htdigest.users
>     Require valid-user
> </Directory>
>
> This does not seem to fix the problem. Any other ideas would be much
> appreciated. What little hair I have left I am slowly pulling out. :)
>
> Regards
>
> James Turnbull
>
> --
> James Turnbull <ja...@lo...>
> ---
> Author of Hardening Linux, Apress
> (http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
> ---
> PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

From: Nathan N. <nn...@um...> - 2005-07-06 14:58:23
Directory will definitely not work, because apache has no idea what directory is being used... That is all handled internally to cgiwrap.

On Wed, Jul 06, 2005 at 05:23:30AM -0700, Jeremy Chadwick wrote:
> I don't think <Directory> will work. Use a <Location>. :-)
>
> --
> | Jeremy Chadwick                                 jdc at parodius.com |
> | Parodius Networking                        http://www.parodius.com/ |
> | UNIX Systems Administrator                   Mountain View, CA, USA |
> | Making life hard for others since 1977.                             |
>
> On Wed, Jul 06, 2005 at 09:25:21PM +1000, James Turnbull wrote:
> > Jeremy Chadwick wrote:
> >
> > >Using ScriptAlias and the like to map CGI executions to usernames
> > >and the like won't result in Apache honouring .htaccess. I believe
> > >the problem to be more related to Apache than cgiwrap.
> > >
> > >For workarounds, there's only one that I've found: use a <Directory>
> > >or <Location> block and add appropriate .htaccess-esque rules there.
> > >
> > >Aren't the oversights of Apache wonderful? ;-)
> > >
> > Sadly I am not using a .htaccess file and in fact putting the directives
> > directly into the httpd.conf file like:
> >
> > <Directory "/usr/local/nagios/sbin/">
> >     AllowOverride None
> >     Options ExecCGI
> >     Order allow,deny
> >     Allow from all
> >     AuthName "Nagios Access"
> >     AuthType Digest
> >     AuthDigestFile /usr/local/nagios/etc/htdigest.users
> >     Require valid-user
> > </Directory>
> >
> > This does not seem to fix the problem. Any other ideas would be much
> > appreciated. What little hair I have left I am slowly pulling out. :)
> >
> > Regards
> >
> > James Turnbull
> >
> > --
> > James Turnbull <ja...@lo...>
> > ---
> > Author of Hardening Linux, Apress
> > (http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
> > ---
> > PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

------------------------------------------------------------
Nathan Neulinger                       EMail:  nn...@um...
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216

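The point made in the last two replies, as an added example that is not part of the original thread: a simplified model of which auth-bearing sections cover a request once ScriptAlias routes it through cgiwrap. The ScriptAlias line, the `/nagios/cgi-bin/` URL prefix and the function names are assumptions; real Apache section merging is more involved than this prefix check.

```python
import re

# Constructed httpd.conf text. The <Directory> block is the one posted in the
# thread; the ScriptAlias line and its URL prefix are assumptions.
BROKEN = '''
ScriptAlias /nagios/cgi-bin/ "/usr/local/www/cgi-bin/cgiwrap/nagios/"
<Directory "/usr/local/nagios/sbin/">
    AuthName "Nagios Access"
    AuthType Digest
    AuthDigestFile /usr/local/nagios/etc/htdigest.users
    Require valid-user
</Directory>
'''
# Same auth directives moved to a URL-based section, as suggested in the thread.
FIXED = BROKEN + '''
<Location /nagios/cgi-bin/>
    AuthName "Nagios Access"
    AuthType Digest
    AuthDigestFile /usr/local/nagios/etc/htdigest.users
    Require valid-user
</Location>
'''
URL = "/nagios/cgi-bin/status.cgi"  # hypothetical request for a Nagios CGI

ALIAS = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?', re.M | re.I)
SECTION = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.S | re.I)

def under(path, prefix):
    """True if path equals prefix or lies below it (whole path components)."""
    prefix = prefix.rstrip("/")
    return path.rstrip("/") == prefix or path.startswith(prefix + "/")

def auth_sections_for(conf, url):
    """List the (kind, argument) of sections with a Require line that cover url."""
    # Filesystem path Apache derives from the URL: it points at the wrapper.
    fs_path = None
    for url_prefix, target in ALIAS.findall(conf):
        if url.startswith(url_prefix):
            fs_path = target + url[len(url_prefix):]
    hits = []
    for kind, arg, body in SECTION.findall(conf):
        if not re.search(r'^\s*Require\s', body, re.M | re.I):
            continue  # section carries no access requirement
        path = url if kind.lower() == "location" else fs_path
        if path is not None and under(path, arg):
            hits.append((kind.lower(), arg))
    return hits
if __name__ == "__main__":
    print(auth_sections_for(BROKEN, URL), auth_sections_for(FIXED, URL))
```

An empty result means Apache never authenticates the request, so there is no authenticated user name for it to hand to the CGI.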