Web UI security - how to implement access filter per group/host
Good day!
Now the web page is protected at the web-server (Apache) level only. I see we can protect an exact directory and maybe a file/script like: http://host:port/xymon/p_cominder/p_cominder.html
so we can allow some users to see only some group pages.
But this does not protect direct metric links like: http://host:port/xymon-cgi/svcstatus.sh?HOST=miminos.cominder.eu&SERVICE=dis... If I know another (not my) host name, I can get this information even if I am not in the group of that host.
And also in the non-green systems report the user sees ALL non-green hosts: http://host:port/xymon/nongreen.html
Question: Does the XyMon team have plans to implement group/page protection?
Or maybe somebody knows how to protect it with the current version?
At the present moment the only idea I see is to have the XyMon web UI as a background service and a foreground application with its own authorisation, which will then request the background XyMon service/web page, filter out only what is required and return results to the end user based on the user's permissions and groups.
It will take time, but I can write such an application. But, as a result, we have 2 applications instead of one. Maybe there is a simpler solution?
Best regards,
Andrey Chervonets
SIA CoMinder http://www.cominder.eu/
On Mon, 29 Apr 2013 09:54:01 +0300, Andrey Chervonets <A.Chervonets at cominder.eu> wrote:
Question: Does the XyMon team have plans to implement group/page protection?
Or maybe somebody knows how to protect it with the current version?
It isn't a top issue on my priority list. On my own site, I use Apache to grant/deny access to the pre-generated html-pages - but if you know the hostname, then it is trivial to construct a URL that will fetch the status of any host.
The easiest way to modify the current system is to add some security checks in the CGI shell-script wrappers, so that they check access based on the REMOTE_USER environment-variable that Apache provides when you require authentication for a web user. A simple example I use is that external users have a username which is an e-mail address - so the username contains a '@'. These users should not have access to the enable/disable scripts. So I wrote a small program to check if REMOTE_USER includes a '@', and if it doesn't then it just prints out an HTML page with status 403 (Access denied). If access is OK, then it invokes the enable/disable program in the usual way. The access-check program is then invoked first in the "enadis.sh" wrapper.
Regards, Henrik
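An added example (not code from this thread and not part of Xymon) of the wrapper check Henrik describes, written as a POSIX sh script that can be invoked first from a CGI wrapper such as "enadis.sh". It implements his rule (users whose name contains '@' are denied the enable/disable function, with a 403 page) and extends it to the per-host filtering Andrey asks about by checking the HOST= parameter of QUERY_STRING against a per-user allow-list. The allow-list format, the function names, the REAL_CGI variable and the sample users/hosts are all assumptions made for this example; REMOTE_USER, QUERY_STRING and GATEWAY_INTERFACE are the standard CGI environment variables Apache sets.

```shell
#!/bin/sh
# Added example of an access-check wrapper for Xymon CGI scripts.
# Everything below the comments is illustrative; names are invented here.

# Henrik's rule: external users have e-mail style names containing '@'.
# Returns 0 for an internal user, 1 for an external or empty user.
is_internal_user() {
    case "$1" in
        "")  return 1 ;;   # unauthenticated: deny
        *@*) return 1 ;;   # external user
        *)   return 0 ;;
    esac
}

# Extract the HOST= value from a CGI QUERY_STRING (empty if absent).
# Caveat: the value is not URL-decoded here; percent-encoded names
# will not match the allow-list below.
query_host() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n 's/^HOST=//p' | head -n 1
}

# Hypothetical per-user host allow-list, one "user host" pair per line.
# Constructed for this example; in practice read it from a file
# outside the web root.
ALLOW_LIST='alice hostA
alice hostB
bob hostC'

# Returns 0 if user $1 may see host $2. -F avoids treating dots in
# host names as regex metacharacters; -x requires a whole-line match.
host_allowed_for() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    printf '%s\n' "$ALLOW_LIST" | grep -qxF "$1 $2"
}

# Decide for one wrapper: $1 = mode ("enadis" or "svcstatus"),
# $2 = REMOTE_USER, $3 = QUERY_STRING. Returns 0 to allow, 1 to deny.
access_decision() {
    mode=$1 user=$2 qs=$3
    [ -n "$user" ] || return 1                 # no authenticated user: deny
    case "$mode" in
        enadis)
            is_internal_user "$user" ;;        # enable/disable: internal only
        svcstatus)
            host=$(query_host "$qs")
            [ -n "$host" ] || return 1         # no HOST= parameter: deny
            host_allowed_for "$user" "$host" ;;
        *)
            return 1 ;;                        # unknown wrapper: deny
    esac
}

# Emit a 403 page the way a CGI does it (Apache honours the Status header).
deny_403() {
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
    printf '<html><body><h1>Access denied</h1></body></html>\n'
}

# Only when invoked by the web server (it sets GATEWAY_INTERFACE) do we
# enforce the decision and hand over to the real program. MODE and
# REAL_CGI are assumed to be set by the calling wrapper, e.g.
#   MODE=svcstatus REAL_CGI="$XYMONHOME/cgi-bin/svcstatus.cgi"
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if access_decision "${MODE:-}" "${REMOTE_USER:-}" "${QUERY_STRING:-}"; then
        exec "${REAL_CGI:?REAL_CGI must name the wrapped CGI program}"
    else
        deny_403
        exit 0
    fi
fi
```

Note that this only closes the per-host CGI hole; the pre-generated pages such as nongreen.html are still served by Apache as static files, so Andrey's second point (the non-green report listing every host) is not addressed by a CGI wrapper at all.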
On Mon, 29 Apr 2013 10:16:54 +0200, <henrik at hswn.dk> wrote:
On Mon, 29 Apr 2013 09:54:01 +0300, Andrey Chervonets <A.Chervonets at cominder.eu> wrote:
Question: Does the XyMon team have plans to implement group/page protection?
The easiest way to modify the current system is to add some security checks in the CGI shell-script wrappers, so that they check access based on the REMOTE_USER environment-variable that Apache provides when you require authentication for a web user.
Almost forgot: there is a mechanism for this in place for some of the CGI scripts in Xymon. See the xymonwebaccess(5) man-page, also available at http://www.xymon.com/xymon/help/manpages/man5/xymonwebaccess.5.html
Regards, Henrik