Restricting access to disable/acknowledge etc
list Neil Simmonds
Hi all,
On my current prod Xymon (which was built by someone no longer with the company) we are required to supply a userid/passwd for disabling or acknowledging tests.
As far as I can see this is done through the <Directory "/usr/share/xymon/cgi-secure"> part of the httpd.conf (or on my new server Xymon.conf in /etc/httpd/conf.d )
I've got the conf set like the below which is the same as the working system, the /etc/xymon/xymonpasswd file exists, is owned by apache user and had 64- permissions as required yet I'm not getting prompted for the password when I disable a test? Am I missing something?
<Directory "/usr/share/xymon/cgi-secure">
AllowOverride None
Options ExecCGI Includes
<IfModule mod_authz_core.c>
# Apache 2.4+
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
AuthUserFile /etc/xymon/xymonpasswd
AuthGroupFile /etc/xymon/xymongroups
AuthType Basic
AuthName "Xymon Administration"
<RequireAll>
# "valid-user" restricts access to anyone who is logged in.
Require valid-user
# "group admins" restricts access to users who have logged in, AND
# are members of the "admins" group in xymongroups.
# Require group admins
</RequireAll>
</Directory>
list Axel Beckert
Hi Neil.
On Mon, Feb 27, 2023 at 10:54:54AM +0000, Neil Simmonds wrote:
> As far as I can see this is done through the <Directory "/usr/share/xymon/cgi-secure"> part of the httpd.conf (or on my new server Xymon.conf in /etc/httpd/conf.d )
Sounds fitting.
> I've got the conf set like the below which is the same as the working system, the /etc/xymon/xymonpasswd file exists, is owned by apache user and had 64- permissions as required yet I'm not getting prompted for the password when I disable a test? Am I missing something?
> […]
> <IfModule mod_authz_core.c>
> # Apache 2.4+
> Require all granted
> </IfModule>
> <IfModule !mod_authz_core.c>
> Order allow,deny
> Allow from all
> </IfModule>
I suspect that the above, especially the "Require all granted" (which is Apache-ish for "let everyone in") overrides the following:
> <RequireAll>
> […]
> Require valid-user
> […]
> </RequireAll>
Just remove the two <IfModule> blocks and you're probably fine.
(Assuming that Apache 2.4.x is in use.)
Kind regards, Axel
--
PGP: 2FF9CD59612616B5 /~\ Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: user-bc188e45dae4@xymon.invalid \ / Say No to HTML in E-Mail and Usenet
Mail+Jabber: user-0064bde8d49d@xymon.invalid X
https://axel.beckert.ch/ / \ I love long mails: https://email.is-not-s.ms/
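Why the posted block never prompts, as an added example that is not part of the thread or of Xymon: in Apache 2.4, Require directives placed directly in a section are combined as an implicit <RequireAny>, and <IfModule> is not an authorization container, so "Require all granted" becomes an alternative to the <RequireAll> block instead of a precondition for it. The Python sketch below models only that rule on an abbreviated copy of the posted config; the function names are hypothetical, and it assumes every requirement other than "all granted" fails for a client that sends no credentials.

```python
import re

# Constructed sample: abbreviated <Directory> body from the original post.
POSTED = """
<IfModule mod_authz_core.c>
    # Apache 2.4+
    Require all granted
</IfModule>
AuthType Basic
AuthUserFile /etc/xymon/xymonpasswd
<RequireAll>
    Require valid-user
</RequireAll>
"""

def parse(text):
    """Build the authz tree; top-level Require lines share an implicit RequireAny."""
    root = ("any", [])
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<(/?)(\w+)", line)
        if m:
            name = m.group(2).lower()
            if name in ("requireall", "requireany"):
                if m.group(1):                      # closing tag
                    stack.pop()
                else:                               # opening tag: new nested level
                    node = (name[len("require"):], [])
                    stack[-1][1].append(node)
                    stack.append(node)
            # <IfModule> is transparent: its contents join the enclosing level
        elif line.lower().startswith("require "):
            stack[-1][1].append(("leaf", line.split(None, 1)[1].lower()))
    return root

def anonymous_allowed(node):
    """True if a request carrying no credentials satisfies the tree."""
    kind, body = node
    if kind == "leaf":
        return body == "all granted"                # assumption: nothing else passes
    results = [anonymous_allowed(child) for child in body]
    return any(results) if kind == "any" else bool(results) and all(results)

def without_blanket_grant(text):
    """The change that worked in the thread: drop the 'Require all granted' line."""
    return "\n".join(l for l in text.splitlines()
                     if l.strip().lower() != "require all granted")
```

On a live server the same result can be confirmed by requesting a cgi-secure page without credentials and checking that the response is 401 rather than 200.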
list Neil Simmonds
Hi Axel,
I double checked the old config and it had the second but not the first ifModule so I commented out the first and all is OK now.
I'm pretty new to Apache config so the help is much appreciated.
Thanks,
Neil.
P.S. Yes, it is Apache 2.4
list René Vermare
Try to swap 'Order allow,deny' to 'Order deny,allow'