[icinga-checkins] icinga.org: icinga-core/gbeutner/style: fixed: User can execute host/ servicegroup commands even if not authorized for (Sven Nierlein) #1679

git at icinga.org git at icinga.org
Tue Jul 12 15:18:17 CEST 2011


Module: icinga-core
Branch: gbeutner/style
Commit: ed01c63f5b238b053d3d6c3c951005ae7d2078e3
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=ed01c63f5b238b053d3d6c3c951005ae7d2078e3

Author: Ricardo Bartels <ricardo at bitchbrothers.com>
Date:   Sat Jun 25 22:40:51 2011 +0200

fixed: User can execute host/servicegroup commands even if not authorized for (Sven Nierlein) #1679

* now a user can only submit a command for host/servicegroups if he/she is authorized to submit
  commands for every member of the particular host/servicegroup

---

 Changelog         |    1 +
 cgi/cgiauth.c     |   36 ++++++++++++++++++++++++++++++++++++
 cgi/cmd.c         |    4 ++--
 include/cgiauth.h |    3 +++
 4 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index afa5441..c3e4b5f 100644
--- a/Changelog
+++ b/Changelog
@@ -24,6 +24,7 @@ FIXES
 
 * classic ui: fix cross site scripting vulnerability in config.cgi on config expander arguments #1605
 * classic ui: remove sidebar.html inclusion in index.html causing troubles on reload #1632
+* classic ui: fixed: User can execute host/servicegroup commands even if not authorized for (Sven Nierlein) #1679
 
 * install: fix event handlers cmd file location in contrib #1501
 
diff --git a/cgi/cgiauth.c b/cgi/cgiauth.c
index 8c25895..1a6f96d 100644
--- a/cgi/cgiauth.c
+++ b/cgi/cgiauth.c
@@ -858,3 +858,39 @@ int is_authorized_for_host_commands(host *hst, authdata *authinfo){
         }
 
 
+/* check is the current user is authorized to issue commands relating to a particular servicegroup */
+int is_authorized_for_servicegroup_commands(servicegroup *sg, authdata *authinfo){
+	servicesmember *temp_servicesmember;
+	service *temp_service;
+
+	if(sg==NULL)
+		return FALSE;
+
+	/* see if user is authorized for all services commands in the servicegroup */
+	for(temp_servicesmember=sg->members;temp_servicesmember!=NULL;temp_servicesmember=temp_servicesmember->next){
+		temp_service=find_service(temp_servicesmember->host_name,temp_servicesmember->service_description);
+		if(is_authorized_for_service_commands(temp_service,authinfo)==FALSE)
+			return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+/* check is the current user is authorized to issue commands relating to a particular hostgroup */
+int is_authorized_for_hostgroup_commands(hostgroup *hg, authdata *authinfo){
+	hostsmember *temp_hostsmember;
+	host *temp_host;
+
+	if(hg==NULL)
+		return FALSE;
+
+	/* see if user is authorized for all hosts in the hostgroup */
+	for(temp_hostsmember=hg->members;temp_hostsmember!=NULL;temp_hostsmember=temp_hostsmember->next){
+		temp_host=find_host(temp_hostsmember->host_name);
+		if(is_authorized_for_host_commands(temp_host,authinfo)==FALSE)
+			return FALSE;
+	}
+
+	return TRUE;
+}
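Review bot: Both new helpers return TRUE when the group has no members, because the loop body never runs and control falls through to `return TRUE`; an authorization helper is safer failing closed, e.g. `if(sg==NULL || sg->members==NULL) return FALSE;` in is_authorized_for_servicegroup_commands and the same guard on `hg` in is_authorized_for_hostgroup_commands. The result of find_service()/find_host() is also passed on unchecked, so a member that no longer resolves is only rejected if is_authorized_for_service_commands()/is_authorized_for_host_commands() treat NULL as unauthorized, which this hunk does not show; a comment such as `/* a NULL lookup result must be denied by the per-object check */` would record that dependency. The two header comments read "check is the current user", where "check if" is meant.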
diff --git a/cgi/cmd.c b/cgi/cmd.c
index 001e3d5..a2b79e6 100644
--- a/cgi/cmd.c
+++ b/cgi/cmd.c
@@ -2209,11 +2209,11 @@ void commit_command_data(int cmd){
 		   cmd==CMD_ENABLE_HOSTGROUP_SVC_CHECKS		|| cmd==CMD_DISABLE_HOSTGROUP_SVC_CHECKS || \
 		   cmd==CMD_SCHEDULE_HOSTGROUP_HOST_DOWNTIME	|| cmd==CMD_SCHEDULE_HOSTGROUP_SVC_DOWNTIME ){
 			temp_hostgroup=find_hostgroup(hostgroup_name);
-			if(is_authorized_for_hostgroup(temp_hostgroup,&current_authdata)==TRUE)
+			if(is_authorized_for_hostgroup_commands(temp_hostgroup,&current_authdata)==TRUE)
 				is_authorized[x]=TRUE;
 		} else {
 			temp_servicegroup=find_servicegroup(servicegroup_name);
-			if(is_authorized_for_servicegroup(temp_servicegroup,&current_authdata)==TRUE)
+			if(is_authorized_for_servicegroup_commands(temp_servicegroup,&current_authdata)==TRUE)
 				is_authorized[x]=TRUE;
 		}
 
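Review bot: The hostgroup branch also covers commands that act on services (`CMD_ENABLE_HOSTGROUP_SVC_CHECKS`, `CMD_SCHEDULE_HOSTGROUP_SVC_DOWNTIME`), but is_authorized_for_hostgroup_commands() as added in cgi/cgiauth.c only asks is_authorized_for_host_commands() for each member host. Whether host command rights are meant to cover every service on that host is not visible here, so the assumption should be written down at the call, for example `/* *_HOSTGROUP_SVC_* commands are gated on host command authorization only */`. commit_command_data() starts and ends outside the hunk, so the initial value of `is_authorized[x]` cannot be confirmed from these lines.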
diff --git a/include/cgiauth.h b/include/cgiauth.h
index bc333cb..5352197 100644
--- a/include/cgiauth.h
+++ b/include/cgiauth.h
@@ -69,6 +69,9 @@ int is_authorized_for_service_commands(service *,authdata *);
 int is_authorized_for_hostgroup(hostgroup *,authdata *);
 int is_authorized_for_servicegroup(servicegroup *,authdata *);
 
+int is_authorized_for_hostgroup_commands(hostgroup *,authdata *);
+int is_authorized_for_servicegroup_commands(servicegroup *,authdata *);
+
 int is_authorized_for_configuration_information(authdata *);
 
 int is_authorized_for_read_only(authdata *);




