Command CGI Scheduled Downtime Patch
Solution: customer can only see his/her own machines when choosing "triggered by"
We have monitoring servers shared by several customers. The problem is that one user can enter a downtime and see the other users' machines by using the "Triggered by" option. This is a severe security incident for us.
This has been fixed in a way that every customer can only see his own machines.
Concerned file:
cmd.c
Diff:
116 int string_to_time(char *,time_t *);
117
118 //PATCH
119 host *temp_host=NULL;
120 //PATCH END
121
122 int main(void){
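Review bot: `temp_host` at line 119 is declared at file scope, ahead of `main`, although the only use shown is inside the downtime loop around line 1182. Declare it as a local in the function that contains that loop, next to that function's other locals, so the pointer cannot be left holding a stale value that unrelated code in cmd.c might read. The `//PATCH` markers are better carried in the change description than in the source.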
1178 if(temp_downtime->type!=HOST_DOWNTIME)
1179 continue;
1180 // PATCH
1181 /* find the host... */
1182 temp_host=find_host(temp_downtime->host_name);
1183
1184 /* make sure user has rights to view this host */
1185
if(is_authorized_for_host(temp_host,¤t_authdata)==FALSE)
1186 continue;
1187 //PATCH END
1188 printf("
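Review bot: at line 1182 the result of `find_host(temp_downtime->host_name)` is handed to `is_authorized_for_host` without a NULL check, so a downtime entry whose host is not found depends entirely on how that function treats a NULL pointer. Make the intent explicit and fail closed, for example `if(temp_host==NULL || is_authorized_for_host(temp_host,&current_authdata)==FALSE) continue;`. The second argument on line 1185 appears in this listing as `¤t_authdata`, which looks like `&current_authdata` after HTML entity mangling, and the statement has been split from its line number, so apply the change from the original file rather than from this listing. The hunk only filters the `HOST_DOWNTIME` loop; if the same "Triggered by" list also enumerates service downtimes, that loop needs the equivalent authorization check.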