Hi Christian, I've added an SRU template to the top of the description,
hope this is sufficient?

I've also joined the #ubuntu-server IRC channel (as aaronr) so if
there's anything further I can do to help push this fix through just let
me know and I'd be happy to do so.

** Description changed:

+ [Impact]
+ 
+  * It is possible for users to see information about servers that they
+ have not been given permission to see
+ 
+  * A fix should be backported because this is a security problem and
+ causes Nagios to leak data
+ 
+  * The patch introduces the proper checks on hostgroup permissions as
+ per Nagios 4.2.2
+ 
+ [Test Case]
+ 
+  * Configure Nagios to monitor multiple servers
+  * Create a second contact called "jbloggs" (in 
/etc/nagios/conf.d/contacts_nagios2.cfg)
+  * Create a second contact group called "oneserver" containing the second 
contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
+  * Set the contact_groups property for one of the servers to be 
"admins,oneserver"
+  * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
+  * Login to Nagios as "jbloggs"
+  * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and 
"Hostgroups -> Grid", and observe that the "jbloggs" user can view information 
about servers they don't have permission to see (full details including 
screenshots can be found on the Nagios forum link below)
+ 
+ [Regression Potential]
+ 
+  * It's possible that this may create other issues when viewing
+ hostgroups in the Nagios web interface although I have not seen any such
+ issues, and this fix was deemed to be acceptable by the Nagios core team
+ in Nagios 4.2.2 (tracker link below) so I think the chances of any
+ issues are very low.
+ 
+ [Other Info]
+  
+  * This fix is the same fix that was applied upstream in Nagios 4.2.2, 
although as Ubuntu doesn't ship that version the fix never made it in
+  * This problem didn't exist under Precise as that ran Nagios 3.2.x so this 
was an upstream regression that happened after that version
+ 
+ [Original Description]
+ 
  There is a problem with the hostgroups reports that allows restricted
  contacts to see servers that do not belong to them provided they are in
  the same hostgroup.
  
  This issue was reported to the Nagios project in 2013 here (with
  screenshots, sample configs, etc):
  https://support.nagios.com/forum/viewtopic.php?f=7&t=21794
  
  It was fixed in Nagios 4.2.2 here:
  
  https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78
  
  This problem exists in Nagios 3.5.x that did not exist under 3.2.x,
  however it seems likely that the fix in 4.2.2 could be backported to
  Nagios 3.5.x.
  
  lsb_release -rd output:
  Description:  Ubuntu 16.04.2 LTS
  Release:      16.04
  
  apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
-   Installed: 3.5.1.dfsg-2.1ubuntu1.1
-   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
-   Version table:
-  *** 3.5.1.dfsg-2.1ubuntu1.1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
-         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
-         100 /var/lib/dpkg/status
-      3.5.1.dfsg-2.1ubuntu1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 3.5.1.dfsg-2.1ubuntu1.1
+   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
+   Version table:
+  *** 3.5.1.dfsg-2.1ubuntu1.1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
+         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
+         100 /var/lib/dpkg/status
+      3.5.1.dfsg-2.1ubuntu1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
-   Installed: 3.5.1.dfsg-2.1ubuntu1.1
-   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
-   Version table:
-  *** 3.5.1.dfsg-2.1ubuntu1.1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
-         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
-         100 /var/lib/dpkg/status
-      3.5.1.dfsg-2.1ubuntu1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 3.5.1.dfsg-2.1ubuntu1.1
+   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
+   Version table:
+  *** 3.5.1.dfsg-2.1ubuntu1.1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
+         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
+         100 /var/lib/dpkg/status
+      3.5.1.dfsg-2.1ubuntu1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
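
As an added illustration (not code from this bug report or from Nagios itself), the following Python model shows the difference between the leaky hostgroup view and the per-host check described above. The config is constructed to mirror the [Test Case]; host, contact and group names are assumed, and the model only honours contact_groups on a host (direct contacts and the cgi.cfg authorized_for_all_hosts setting are left out).

```python
"""Model of the Nagios hostgroup permission leak described in the report.

This is an added illustration, not Nagios code: it re-implements the
contact -> contact_groups -> host relationship with a tiny constructed
config and contrasts authorising a contact for a whole hostgroup (the
leaky behaviour) with filtering each member host against the contact's
own permissions (the 4.2.2-style check the backport introduces).
"""

# Constructed config mirroring the [Test Case]: two hosts in one
# hostgroup; only "web1" lists the "oneserver" contact group.
CONTACTGROUPS = {"admins": {"nagiosadmin"}, "oneserver": {"jbloggs"}}
HOSTS = {
    "web1": {"contact_groups": {"admins", "oneserver"}},
    "db1": {"contact_groups": {"admins"}},
}
HOSTGROUPS = {"production": {"web1", "db1"}}


def contact_groups_of(contact):
    """Contact groups the contact is a member of."""
    return {g for g, members in CONTACTGROUPS.items() if contact in members}


def is_authorized_for_host(contact, host):
    """A contact may view a host if one of its contact groups is on the host."""
    return bool(contact_groups_of(contact) & HOSTS[host]["contact_groups"])


def is_authorized_for_hostgroup(contact, hostgroup):
    """Group-level check: true if the contact may see ANY member host."""
    return any(is_authorized_for_host(contact, h) for h in HOSTGROUPS[hostgroup])


def visible_hosts_leaky(contact, hostgroup):
    """Bug: once the group-level check passes, every member host is shown."""
    if not is_authorized_for_hostgroup(contact, hostgroup):
        return set()
    return set(HOSTGROUPS[hostgroup])


def visible_hosts_fixed(contact, hostgroup):
    """Fix: each member host is additionally checked against the contact."""
    if not is_authorized_for_hostgroup(contact, hostgroup):
        return set()
    return {h for h in HOSTGROUPS[hostgroup] if is_authorized_for_host(contact, h)}
```

With this config "jbloggs" sees both web1 and db1 in the leaky view but only web1 once the per-host check is applied, which is the behaviour the test case above checks for in the Hostgroups, Summary and Grid pages.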

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
