On Mon, 29 Apr 2013 09:54:01 +0300, Andrey Chervonets <A.Chervonets at cominder.eu> wrote:
> Question: Does the XyMon team have plans to implement groups/pages protection?
> Or maybe somebody knows how to protect it with the current version?
It isn't a top issue on my priority list. On my own site, I use Apache to grant/deny access to the pre-generated html-pages - but if you know the hostname, then it is trivial to construct a URL that will fetch the status of any host.
The easiest way to modify the current system is to add some security checks in the CGI shell-script wrappers, so that they check access based on the REMOTE_USER environment-variable that Apache provides when you require authentication for a web user. A simple example I use is that external users have a username which is an e-mail address - so the username contains a '@'. These users should not have access to the enable/disable scripts. So I wrote a small program to check if REMOTE_USER includes a '@', and if it doesn't then it just prints out an HTML page with status 403 (Access denied). If access is OK, then it invokes the enable/disable program in the usual way. The access-check program is then invoked first in the "enadis.sh" wrapper.
Regards, Henrik
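
One way to write the access check described in the message above, as an added example that is not Henrik's program or Xymon's own code. It refuses any user whose REMOTE_USER contains '@' (the external users the message says should not reach the enable/disable scripts) and also refuses requests that carry no authenticated user. The function names and the `ENADIS_CGI` placeholder are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with Xymon).
# Source this file at the top of the enadis.sh wrapper, then:
#   enadis_gate || exit 0      # the 403 page has already been sent
#   exec "$ENADIS_CGI"         # placeholder for the real enable/disable CGI

# Return 0 if the authenticated user may use enable/disable, 1 otherwise.
check_internal_user() {
    user=${1:-}
    # Fail closed: no REMOTE_USER means Apache did not authenticate anyone.
    [ -n "$user" ] || return 1
    case $user in
        *@*) return 1 ;;   # e-mail style name: external user, no access
    esac
    return 0
}

# Emit a complete CGI response with a 403 status.
deny_response() {
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
    printf '<html><body><h1>403 Access denied</h1></body></html>\n'
}

# Gate for the wrapper: silent on success, 403 page plus a log line on denial.
enadis_gate() {
    if check_internal_user "${REMOTE_USER:-}"; then
        return 0
    fi
    # Strip anything outside a safe set before logging, so a crafted
    # username cannot inject extra lines into the Apache error log.
    safe=$(printf '%s' "${REMOTE_USER:-}" | tr -cd 'A-Za-z0-9@._-')
    echo "enadis access denied: user='${safe}' addr='${REMOTE_ADDR:-unknown}'" >&2
    deny_response
    return 1
}
```

This only has an effect when Apache requires authentication for the CGI directory, since REMOTE_USER is otherwise unset and every request is refused.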