Web UI security - how to implement access filter per group/host
Andrey Chervonets

Good day!

Now the web page is protected at the web-server (Apache) level only. I see we can protect an exact directory and maybe a file/script like:
http://host:port/xymon/p_cominder/p_cominder.html
so we can allow some users to see only some group pages. But this does not protect direct metric links like:
http://host:port/xymon-cgi/svcstatus.sh?HOST=miminos.cominder.eu&SERVICE=disk
If I know another (not my) host name I can get this information even if I am not in the group of that host. And also in the non-green Systems report the user sees ALL non-green hosts:
http://host:port/xymon/nongreen.html

Question: Does the XyMon team have plans to implement groups/pages protection? Or maybe somebody knows how to protect it with the current version?

At the present moment the only idea I see is to have the XyMon web UI as a background service and have a foreground application with its own authorisation, which will then request the background XyMon service/web page, filter out only what is required and return results to the end user based on the user's permissions and groups. It will take time, but I can write such an application. But, as a result, we have 2 applications instead of one. Maybe there is a simpler solution?

Best regards,
Andrey Chervonets
SIA CoMinder
http://www.cominder.eu/
Henrik Størner

On Mon, 29 Apr 2013 09:54:01 +0300, Andrey Chervonets <user-e7fb5c02322c@xymon.invalid> wrote:
> Question: Does XyMon team have plans to implement groups/pages protection? Or may be somebody know how to protect it with current version?

It isn't a top issue on my priority list. On my own site, I use Apache to grant/deny access to the pre-generated html-pages - but if you know the hostname, then it is trivial to construct a URL that will fetch the status of any host.

The easiest way to modify the current system is to add some security checks in the CGI shell-script wrappers, so that they check access based on the REMOTE_USER environment-variable that Apache provides when you require authentication for a web user.

A simple example I use is that external users have a username which is an e-mail address - so the username contains a '@'. These users should not have access to the enable/disable scripts. So I wrote a small program to check if REMOTE_USER includes a '@', and if it doesn't then it just prints out an HTML page with status 403 (Access denied). If access is OK, then it invokes the enable/disable program in the usual way. The access-check program is then invoked first in the "enadis.sh" wrapper.

Regards,
Henrik
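The wrapper Henrik describes, written out as an added example (this is not Henrik's program and not part of Xymon). It assumes Apache has authenticated the request so REMOTE_USER is set, that external accounts are the ones whose username contains '@', and that the real CGI binary lives at the placeholder path in REAL_CGI. An empty REMOTE_USER (authentication not configured for that location) is treated as a deny, so the check fails closed rather than letting an unauthenticated request through.

```shell
#!/bin/sh
# Example CGI access-check wrapper for a Xymon enable/disable script.
# Added illustration, not Xymon's own code. Assumptions: Apache requires
# authentication for this CGI (so REMOTE_USER is populated); external users
# have an e-mail address as username (contains '@'); REAL_CGI is a
# placeholder path to the program this wrapper protects.

REAL_CGI="${REAL_CGI:-/usr/lib/xymon/cgi-bin/enadis.cgi}"   # placeholder path

# user_is_external USERNAME -> exit 0 if the name contains '@'
user_is_external() {
    case "$1" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# access_decision USERNAME -> prints "allow" or "deny".
# Empty username means Apache did not authenticate the request: deny.
access_decision() {
    user="$1"
    if [ -z "$user" ]; then
        echo deny
    elif user_is_external "$user"; then
        echo deny
    else
        echo allow
    fi
}

# deny_page -> minimal CGI response carrying HTTP status 403.
# The "Status:" header is how a CGI script asks Apache to set the code.
deny_page() {
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
    printf '<html><body><h1>403 Access denied</h1></body></html>\n'
}

# Act as a wrapper only when invoked by the web server (GATEWAY_INTERFACE
# is set by Apache for CGI); otherwise the functions can just be sourced.
if [ -n "$GATEWAY_INTERFACE" ]; then
    if [ "$(access_decision "$REMOTE_USER")" = allow ]; then
        exec "$REAL_CGI" "$@"
    else
        deny_page
        exit 0
    fi
fi
```

Putting this script in front of the real program in the enadis.sh wrapper gives the behaviour Henrik describes; the same pattern extends to a per-host check by replacing access_decision with a lookup of the HOST query parameter against the user's group, which is the gap the original question is about.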
Henrik Størner

On Mon, 29 Apr 2013 10:16:54 +0200, <user-ce4a2c883f75@xymon.invalid> wrote:
> On Mon, 29 Apr 2013 09:54:01 +0300, Andrey Chervonets <user-e7fb5c02322c@xymon.invalid> wrote:
>> Question: Does XyMon team have plans to implement groups/pages protection?
> The easiest way to modify the current system is to add some security checks in the CGI shell-script wrappers, so that they check access based on the REMOTE_USER environment-variable that Apache provides when you require authentication for a web user.

Almost forgot there is a mechanism for this in place for some of the CGI scripts in Xymon. See the xymonwebaccess(5) man-page, also available at http://www.xymon.com/xymon/help/manpages/man5/xymonwebaccess.5.html

Regards,
Henrik
Andrey Chervonets

I am not very familiar with CGI, but knowing that it is possible we can do it. Thanks a lot!

Best regards,
Andrey Chervonets
SIA CoMinder
http://www.cominder.eu/

xymon-bounces at xymon.com wrote on 29.04.2013 13:00:01:
> Subject: Re: [Xymon] Web UI security - how to implement access filter per group/host
> ...
> The easiest way to modify the current system is to add some security checks in the CGI shell-script wrappers, so that they check access based on the REMOTE_USER environment-variable that Apache provides when you require authentication for a web user...
> Regards,
> Henrik