Alex Burger wrote:
r: View in web interface

x: Submit commands for this host/service

w: Not really needed yet. Maybe some of the other programs that allow you to modify the configuration files could use w to allow a user to modify the host / service.

n: Notify if contact has a pager or email defined

I also changed it so that you will only see a service if you are a contact for it. I think this is the same change that Ton mentioned in his last email. I did this to test the 'r' permission.

For backwards compatibility, the default would be rwxn.

Attached is an updated patch that adds a 'default_permissions' option to nagios.cfg and cgi.cfg that Steve Shipway suggested. From sample-config/cgi.cfg.in:

# DEFAULT HOST/SERVICE PERMISSIONS
# This option contains a list of default permissions for hosts and
# services that will be used when permissions are not explicitly
# set on a host or service.  When not defined, the default is all
# permissions (rwxn).  Note:  This option must be set the same in
# both cgi.cfg and nagios.cfg.

#default_permissions=rwxn

As you can see, the option needs to be in both config files, although I would prefer to have it only in nagios.cfg. It is needed in nagios.cfg for base/notifications.c, which has nothing to do with the CGIs, and in cgi.cfg for the CGI authorization checks. If the two values differ, the web interface and the notification code will apply different default permissions. If someone knows how to combine the two, please let me know, but I suspect that the CGIs and the main Nagios program are completely separate from each other.

If anyone can do some testing I would appreciate it.

Alex

diff -ur nagios-2.5.org/base/config.c nagios-2.5/base/config.c
--- nagios-2.5.org/base/config.c        2005-12-26 18:18:14.000000000 -0500
+++ nagios-2.5/base/config.c    2006-11-06 10:14:42.000000000 -0500
@@ -166,8 +166,7 @@
 extern host            **host_hashlist;
 extern service         **service_hashlist;
 
-
-
+extern char             *default_permissions;
 
 /******************************************************************/
 /************** CONFIGURATION INPUT FUNCTIONS *********************/
@@ -1418,6 +1417,22 @@
 #endif
                        }
 
+               else if(!strcmp(variable,"default_permissions")){
+                       if(default_permissions!=NULL)
+                               free(default_permissions);
+                       default_permissions=(char *)strdup(value);
+                       if(default_permissions==NULL){
+                               strcpy(error_message,"Could not allocate memory 
for default permissions string");
+                               error=TRUE;
+                               break;
+                               }
+                       strip(default_permissions);
+
+#ifdef DEBUG1
+                       printf("\t\tdefault_permissions set to 
'%s'\n",default_permissions);
+#endif
+                       }
+
                /* ignore old/external variables */
                else if(!strcmp(variable,"status_file"))
                        continue;
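Review bot: The value is stored without checking that it contains only the documented letters `rwxn`, so a typo silently removes a permission from every host and service whose contact group has no suffix, because the later lookup is a plain `strchr(default_perm, perm)`. Reject anything else at parse time, for example with `if(strspn(default_permissions,"rwxn")!=strlen(default_permissions))` followed by the same `error=TRUE; break;` path used for the allocation failure. The CGI parser added in cgi/cgiutils.c needs the same check; unlike this one it neither frees a previous value nor strips whitespace, and it treats an empty value as unset, which means all permissions. Because the two files are parsed separately, a mismatch leaves the web interface and the notification code enforcing different defaults, so a warning in the documentation or at startup would help. The enclosing parser loop starts and ends outside this hunk.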
diff -ur nagios-2.5.org/base/nagios.c nagios-2.5/base/nagios.c
--- nagios-2.5.org/base/nagios.c        2006-07-13 17:57:33.000000000 -0400
+++ nagios-2.5/base/nagios.c    2006-11-06 10:28:00.000000000 -0500
@@ -208,7 +208,7 @@
 circular_buffer  service_result_buffer;
 pthread_t worker_threads[TOTAL_WORKER_THREADS];
 
-
+char                   *default_permissions;
 
 /* Following main() declaration required by older versions of Perl ut 5.00503 
*/
 #ifdef EMBEDDEDPERL
diff -ur nagios-2.5.org/base/notifications.c nagios-2.5/base/notifications.c
--- nagios-2.5.org/base/notifications.c 2006-04-07 18:24:13.000000000 -0400
+++ nagios-2.5/base/notifications.c     2006-11-06 10:07:56.000000000 -0500
@@ -45,7 +45,7 @@
 
 extern char            *generic_summary;
 
-
+extern char            *default_permissions;
 
 /******************************************************************/
 /***************** SERVICE NOTIFICATION FUNCTIONS *****************/
@@ -832,7 +832,7 @@
                /* find all contacts for this service */
                
for(temp_contact=contact_list;temp_contact!=NULL;temp_contact=temp_contact->next){
                
-                       if(is_contact_for_service(svc,temp_contact)==TRUE)
+                       
if(is_contact_for_service_perm(svc,temp_contact,default_permissions,'n')==TRUE)
                                add_notification(temp_contact);
                        }
                }
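Review bot: `is_contact_for_service_perm()` is called here without a visible prototype: the patch as posted contains no hunk for a header, so unless a declaration exists elsewhere the call compiles as an implicit declaration and the `char perm` argument is passed as a promoted `int` with no type checking. Add `int is_contact_for_service_perm(service *, contact *, char *, char);` and the host counterpart to the header that already declares `is_contact_for_service()`. The same applies to the host call in the second hunk of this file and to every call added in cgi/cgiauth.c. Only the non-escalated branch is visible in this hunk; whether escalation contacts should also honour `n` is worth deciding explicitly.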
@@ -1572,7 +1572,7 @@
                /* get all contacts for this host */
                
for(temp_contact=contact_list;temp_contact!=NULL;temp_contact=temp_contact->next){
 
-                       if(is_contact_for_host(hst,temp_contact)==TRUE)
+                       
if(is_contact_for_host_perm(hst,temp_contact,default_permissions,'n')==TRUE)
                                add_notification(temp_contact);
                        }
                }
diff -ur nagios-2.5.org/cgi/cgiauth.c nagios-2.5/cgi/cgiauth.c
--- nagios-2.5.org/cgi/cgiauth.c        2006-10-08 19:35:18.000000000 -0400
+++ nagios-2.5/cgi/cgiauth.c    2006-11-06 09:44:08.000000000 -0500
@@ -43,8 +43,7 @@
 extern int             services_have_been_read;
 extern int             serviceescalations_have_been_read;
 extern int             hostescalations_have_been_read;
-
-
+extern char            *default_permissions;
 
 /* get current authentication information */
 int get_authentication_information(authdata *authinfo){
@@ -218,7 +217,7 @@
        temp_contact=find_contact(authinfo->username);
 
        /* see if this user is a contact for the host */
-       if(is_contact_for_host(hst,temp_contact)==TRUE)
+       
if(is_contact_for_host_perm(hst,temp_contact,default_permissions,'r')==TRUE)
                return TRUE;
 
        /* see if this user is an escalated contact for the host */
@@ -295,14 +294,14 @@
                return FALSE;
 
        /* if this user is authorized for this host, they are for all services 
on it as well... */
-       if(is_authorized_for_host(temp_host,authinfo)==TRUE)
-               return TRUE;
+       /* if(is_authorized_for_host(temp_host,authinfo)==TRUE)
+               return TRUE;*/
 
        /* find the contact */
        temp_contact=find_contact(authinfo->username);
 
        /* see if this user is a contact for the service */
-       if(is_contact_for_service(svc,temp_contact)==TRUE)
+       
if(is_contact_for_service_perm(svc,temp_contact,default_permissions,'r')==TRUE)
                return TRUE;
 
        /* see if this user is an escalated contact for the service */
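Review bot: Commenting out the `is_authorized_for_host()` shortcut changes who can see services, and it leaves the comment above it ("if this user is authorized for this host, they are for all services on it as well...") describing behaviour that no longer exists. If `is_authorized_for_host()` also covers global grants checked outside this hunk (not visible here), users who relied on them lose service visibility after the upgrade. Delete the dead block instead of commenting it out, replace the comment with something like `/* host authorization no longer implies service authorization; see default_permissions */`, and mention the change in the option's documentation. The function starts and ends outside this hunk.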
@@ -419,16 +418,16 @@
                if(temp_contact && temp_contact->can_submit_commands==FALSE)
                        return FALSE;
 
-               /* see if this user is a contact for the host */
-               if(is_contact_for_host(temp_host,temp_contact)==TRUE)
+               /* see if this user is a contact for the host with permissions 
*/
+               
if(is_contact_for_host_perm(temp_host,temp_contact,default_permissions,'x')==TRUE)
                        return TRUE;
 
                /* see if this user is an escalated contact for the host */
                if(is_escalated_contact_for_host(temp_host,temp_contact)==TRUE)
                        return TRUE;
 
-               /* this user is a contact for the service, so they have 
permission... */
-               if(is_contact_for_service(svc,temp_contact)==TRUE)
+               /* see if this user is a contact for the service with 
permissions */
+               
if(is_contact_for_service_perm(svc,temp_contact,default_permissions,'x')==TRUE)
                        return TRUE;
 
                /* this user is an escalated contact for the service, so they 
have permission... */
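Review bot: The `x` check is applied only to the direct contact tests; the `is_escalated_contact_for_host()` call kept between them still returns TRUE without consulting any permission, and judging by the trailing comment the escalated-service test does the same. A contact group restricted to `:r` on the host that also appears in an escalation for it would therefore keep command rights. Either document that escalation membership implies full permissions, or gate those branches on the same permission string. The read check added to `is_authorized_for_host()` above and the host-command hunk below have the same shape. The function starts and ends outside this hunk.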
@@ -469,8 +468,8 @@
                if(temp_contact && temp_contact->can_submit_commands==FALSE)
                        return FALSE;
 
-               /* this user is a contact for the host, so they have 
permission... */
-               if(is_contact_for_host(hst,temp_contact)==TRUE)
+               /* see if this user is a contact for the host with permissions 
*/
+               
if(is_contact_for_host_perm(hst,temp_contact,default_permissions,'x')==TRUE)
                        return TRUE;
 
                /* this user is an escalated contact for the host, so they have 
permission... */
diff -ur nagios-2.5.org/cgi/cgiutils.c nagios-2.5/cgi/cgiutils.c
--- nagios-2.5.org/cgi/cgiutils.c       2006-05-20 14:37:29.000000000 -0400
+++ nagios-2.5/cgi/cgiutils.c   2006-11-06 10:26:55.000000000 -0500
@@ -113,6 +113,8 @@
 int             default_statusmap_layout_method=0;
 int             default_statuswrl_layout_method=0;
 
+char           *default_permissions=NULL;
+
 extern hostgroup       *hostgroup_list;
 extern contactgroup    *contactgroup_list;
 extern command         *command_list;
@@ -458,6 +460,13 @@
                                continue;
                        ping_syntax=strdup(temp_buffer);
                        }
+                else if(strstr(input,"default_permissions=")==input){
+                        temp_buffer=strtok(input,"=");
+                        temp_buffer=strtok(NULL,"\n");
+                        if(temp_buffer==NULL)
+                                continue;
+                        default_permissions=strdup(temp_buffer);
+                        }
 
                }
 
diff -ur nagios-2.5.org/common/objects.c nagios-2.5/common/objects.c
--- nagios-2.5.org/common/objects.c     2006-10-08 19:35:18.000000000 -0400
+++ nagios-2.5/common/objects.c 2006-11-06 09:43:01.000000000 -0500
@@ -71,7 +71,6 @@
 hostescalation  **hostescalation_hashlist=NULL;
 serviceescalation **serviceescalation_hashlist=NULL;
 
-
 #ifdef NSCORE
 int __nagios_object_structure_version=CURRENT_OBJECT_STRUCTURE_VERSION;
 #endif
@@ -4926,6 +4925,8 @@
 /* find a contact group from the list in memory */
 contactgroup * find_contactgroup(char *name){
        contactgroup *temp_contactgroup;
+        char *temp_contactgroup_name;
+        char *perms;
 
 #ifdef DEBUG0
        printf("find_contactgroup() start\n");
@@ -4934,11 +4935,21 @@
        if(name==NULL || contactgroup_hashlist==NULL)
                return NULL;
 
-       
for(temp_contactgroup=contactgroup_hashlist[hashfunc1(name,CONTACTGROUP_HASHSLOTS)];temp_contactgroup
 && 
compare_hashdata1(temp_contactgroup->group_name,name)<0;temp_contactgroup=temp_contactgroup->nexthash);
+        /* Ignore permissions */
+        temp_contactgroup_name = strdup(name);
+        perms = strchr(temp_contactgroup_name, ':');
+        if (perms)
+          *perms = '\0';
+
+       
for(temp_contactgroup=contactgroup_hashlist[hashfunc1(temp_contactgroup_name,CONTACTGROUP_HASHSLOTS)];temp_contactgroup
 && 
compare_hashdata1(temp_contactgroup->group_name,temp_contactgroup_name)<0;temp_contactgroup=temp_contactgroup->nexthash);
 
-       if(temp_contactgroup && 
(compare_hashdata1(temp_contactgroup->group_name,name)==0))
+       if(temp_contactgroup && 
(compare_hashdata1(temp_contactgroup->group_name,temp_contactgroup_name)==0))
                return temp_contactgroup;
 
+        if(temp_contactgroup_name)
+          free(temp_contactgroup_name);
+          
+
 #ifdef DEBUG0
        printf("find_contactgroup() end\n");
 #endif
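Review bot: The success path `return temp_contactgroup;` leaves before `free(temp_contactgroup_name)`, so every successful lookup leaks the copied name, which would presumably accumulate in the long-running daemon. The `strdup()` result is also used by `strchr(temp_contactgroup_name, ':')` before any NULL check, which makes the later `if(temp_contactgroup_name)` guard pointless. Add `if(temp_contactgroup_name==NULL) return NULL;` right after the copy and call `free(temp_contactgroup_name);` before both exits, for example by storing the match in a local first. The same unchecked `strdup()`/`strchr()` pair is added to `is_contact_for_host()` and `is_contact_for_service()`, where the copy is redundant because this function now strips the suffix itself. The function body starts and ends outside this hunk.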
@@ -5427,7 +5438,9 @@
 int is_contact_for_host(host *hst, contact *cntct){
        contactgroupsmember *temp_contactgroupsmember;
        contactgroup *temp_contactgroup;
-       
+        char *temp_contactgroup_name;
+        char *perms;
+               
        if(hst==NULL || cntct==NULL){
                return FALSE;
                }
@@ -5435,8 +5448,16 @@
        /* search all contact groups of this host */
        
for(temp_contactgroupsmember=hst->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){
 
+                /* Ignore permissions */
+                temp_contactgroup_name = 
strdup(temp_contactgroupsmember->group_name);
+                perms = strchr(temp_contactgroup_name, ':');
+                if (perms)
+                  *perms = '\0';
+
                /* find the contact group */
-               
temp_contactgroup=find_contactgroup(temp_contactgroupsmember->group_name);
+               temp_contactgroup=find_contactgroup(temp_contactgroup_name);
+               if (temp_contactgroup_name)
+                 free (temp_contactgroup_name);
                if(temp_contactgroup==NULL)
                        continue;
 
@@ -5447,6 +5468,56 @@
        return FALSE;
         }
 
+/*  tests whether a contact is a contact for a particular host with write 
permissions */
+int is_contact_for_host_perm(host *hst, contact *cntct, char *default_perm, 
char perm){
+       contactgroupsmember *temp_contactgroupsmember;
+       contactgroup *temp_contactgroup;
+        char *temp_contactgroup_name;
+        char *perms;
+               
+       if(hst==NULL || cntct==NULL){
+               return FALSE;
+               }
+
+       /* search all contact groups of this host */
+       
for(temp_contactgroupsmember=hst->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){
+
+                /* Check for permissions */
+                temp_contactgroup_name = 
strdup(temp_contactgroupsmember->group_name);
+                perms = strchr(temp_contactgroup_name, ':');
+                if (perms) {
+                  perms = strchr(perms, perm);
+                  if (! (perms)) {      /* permission not found so deny */
+                    if (temp_contactgroup_name)
+                      free(temp_contactgroup_name);
+                    continue;
+                  }
+                }
+                else if (default_perm) {
+                  /* No permissions defined for host, but default permissions 
found */
+                  perms = strchr(default_perm, perm);
+                  if (! (perms)) {      /* permission not found so deny */
+                    if (temp_contactgroup_name)
+                      free(temp_contactgroup_name);
+                    continue;
+                  }
+                }
+
+                /* No permissions set so defaulting to full access, or user 
has permission */
+
+               /* find the contact group */
+               temp_contactgroup=find_contactgroup(temp_contactgroup_name);
+               if (temp_contactgroup_name)
+                 free(temp_contactgroup_name);
+               if(temp_contactgroup==NULL)
+                       continue;
+
+               
if(is_contact_member_of_contactgroup(temp_contactgroup,cntct)==TRUE)
+                       return TRUE;
+               }
+
+       return FALSE;
+        }
 
 
 /* tests whether or not a contact is an escalated contact for a particular 
host */
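Review bot: The `strdup()` result in the loop of `is_contact_for_host_perm()` is handed to `strchr()` without a NULL check, and the copy is never modified, so the allocation and its three `free()` sites can be dropped by searching `temp_contactgroupsmember->group_name` directly and letting `find_contactgroup()` strip the suffix. The header comment says "with write permissions" although the function tests whichever `perm` the caller passes. A group without a `:` suffix is granted every permission when `default_perm` is NULL, so a caller that never loaded `default_permissions` fails open; the comment should say so. `is_contact_for_service_perm()` further down is a copy of this loop and needs the same changes.

```c
for(temp_contactgroupsmember=hst->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){

	/* the name is only read here, so no copy is needed */
	perms=strchr(temp_contactgroupsmember->group_name,':');
	if(perms==NULL)
		perms=default_perm;

	/* a suffix or a default exists but lacks the requested permission: deny */
	if(perms!=NULL && strchr(perms,perm)==NULL)
		continue;

	/* find_contactgroup() strips the ':perms' suffix itself */
	temp_contactgroup=find_contactgroup(temp_contactgroupsmember->group_name);
	/* … unchanged: NULL check and is_contact_member_of_contactgroup() test … */
```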
@@ -5481,6 +5552,8 @@
 int is_contact_for_service(service *svc, contact *cntct){
        contactgroupsmember *temp_contactgroupsmember;
        contactgroup *temp_contactgroup;
+        char *temp_contactgroup_name;
+        char *perms;
 
        if(svc==NULL || cntct==NULL)
                return FALSE;
@@ -5488,8 +5561,16 @@
        /* search all contact groups of this service */
        
for(temp_contactgroupsmember=svc->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){
 
+                /* Ignore permissions */
+                temp_contactgroup_name = 
strdup(temp_contactgroupsmember->group_name);
+                perms = strchr(temp_contactgroup_name, ':');
+                if (perms)
+                  *perms = '\0';
+
                /* find the contact group */
-               
temp_contactgroup=find_contactgroup(temp_contactgroupsmember->group_name);
+               temp_contactgroup=find_contactgroup(temp_contactgroup_name);
+                if (temp_contactgroup_name)
+                  free (temp_contactgroup_name);
                if(temp_contactgroup==NULL)
                        continue;
 
@@ -5500,6 +5581,56 @@
        return FALSE;
         }
 
+/*  tests whether a contact is a contact for a particular service */
+int is_contact_for_service_perm(service *svc, contact *cntct, char 
*default_perm, char perm){
+       contactgroupsmember *temp_contactgroupsmember;
+       contactgroup *temp_contactgroup;
+        char *temp_contactgroup_name;
+        char *perms;
+
+       if(svc==NULL || cntct==NULL)
+               return FALSE;
+
+       /* search all contact groups of this service */
+       
for(temp_contactgroupsmember=svc->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){
+
+
+                /* Check for permissions */
+                temp_contactgroup_name = 
strdup(temp_contactgroupsmember->group_name);
+                perms = strchr(temp_contactgroup_name, ':');
+                if (perms) {
+                  perms = strchr(perms, perm);
+                  if (! (perms)) {      /* permission not found so deny */
+                    if (temp_contactgroup_name)
+                      free(temp_contactgroup_name);
+                    continue;
+                  }
+                }
+                else if (default_perm) {
+                  /* No permissions defined for service, but default 
permissions found */
+                  perms = strchr(default_perm, perm);
+                  if (! (perms)) {      /* permission not found so deny */
+                    if (temp_contactgroup_name)
+                      free(temp_contactgroup_name);
+                    continue;
+                  }
+                }
+
+                /* No permissions set so defaulting to full access, or user 
has permission */
+
+               /* find the contact group */
+               temp_contactgroup=find_contactgroup(temp_contactgroup_name);
+                if (temp_contactgroup_name)
+                  free (temp_contactgroup_name);
+               if(temp_contactgroup==NULL)
+                       continue;
+
+               
if(is_contact_member_of_contactgroup(temp_contactgroup,cntct)==TRUE)
+                       return TRUE;
+               }
+
+       return FALSE;
+        }
 
 
 /* tests whether or not a contact is an escalated contact for a particular 
service */
diff -ur nagios-2.5.org/sample-config/cgi.cfg.in 
nagios-2.5/sample-config/cgi.cfg.in
--- nagios-2.5.org/sample-config/cgi.cfg.in     2005-05-05 17:37:25.000000000 
-0400
+++ nagios-2.5/sample-config/cgi.cfg.in 2006-11-06 10:31:16.000000000 -0500
@@ -170,6 +170,16 @@
 
 
 
+# DEFAULT HOST/SERVICE PERMISSIONS
+# This option contains a list of default permissions for hosts and
+# services that will be used when permissions are not explicitly
+# set on a host or service.  When not defined, the default is all
+# permissions (rwxn).  Note:  This option must be set the same in
+# both cgi.cfg and nagios.cfg.
+
+#default_permissions=rwxn
+
+
 
 # STATUSMAP BACKGROUND IMAGE
 # This option allows you to specify an image to be used as a 
diff -ur nagios-2.5.org/sample-config/nagios.cfg.in 
nagios-2.5/sample-config/nagios.cfg.in
--- nagios-2.5.org/sample-config/nagios.cfg.in  2005-11-23 17:28:03.000000000 
-0500
+++ nagios-2.5/sample-config/nagios.cfg.in      2006-11-06 10:31:15.000000000 
-0500
@@ -951,5 +951,16 @@
 
 
 
+# DEFAULT HOST/SERVICE PERMISSIONS
+# This option contains a list of default permissions for hosts and
+# services that will be used when permissions are not explicitly
+# set on a host or service.  When not defined, the default is all
+# permissions (rwxn).  Note:  This option must be set the same in
+# both cgi.cfg and nagios.cfg.
+
+#default_permissions=rwxn
+
+
+
 # EOF (End of file)
 
