group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1686768@xxxxxxxxxxxxxxxxxx>
Date: Tue, 02 May 2017 17:09:05 -0000
Reply-to: Bug 1686768 <1686768@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu6

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu6) artful; urgency=medium

  * debian/patches/ubuntu/Fix-permissions-for-Host-Groups-reports.patch: Fix
    leaking hosts to restricted contacts as in upstream tracker
    http://tracker.nagios.org/view.php?id=619 (LP: #1686768).

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Fri, 28 Apr
2017 10:00:38 +0200

** Changed in: nagios3 (Ubuntu)
       Status: Fix Committed => Fix Released

** Bug watch added: tracker.nagios.org/ #619
   http://tracker.nagios.org/view.php?id=619

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

Status in nagios3 package in Ubuntu:
  Fix Released
Status in nagios3 source package in Trusty:
  Triaged
Status in nagios3 source package in Xenial:
  Triaged
Status in nagios3 source package in Yakkety:
  Triaged
Status in nagios3 source package in Zesty:
  Triaged

Bug description:
  [Impact]

   * It is possible for users to see information about servers that they
  have not been given permission to see

   * A fix should be backported because this is a security problem and
  causes Nagios to leak data

   * The patch introduces the proper checks on hostgroup permissions as
  per Nagios 4.2.2

  [Test Case]

   * Configure Nagios to monitor multiple servers
   * Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Set the contact_groups property for one of the servers to be "admins,oneserver"
   * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
   * Login to Nagios as "jbloggs"
   * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)

  [Regression Potential]

   * It's possible that this may create other issues when viewing
  hostgroups in the Nagios web interface although I have not seen any
  such issues, and this fix was deemed to be acceptable by the Nagios
  core team in Nagios 4.2.2 (tracker link below) so I think the chances
  of any issues are very low.

  [Other Info]
   
   * This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
   * This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version

  [Original Description]

  There is a problem with the hostgroups reports that allows restricted
  contacts to see servers that do not belong to them provided they are
  in the same hostgroup.

  This issue was reported to the Nagios project in 2013 here (with
  screenshots, sample configs, etc):
  https://support.nagios.com/forum/viewtopic.php?f=7&t=21794

  It was fixed in Nagios 4.2.2 here:
  https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1
  #diff-b89a219dd5a0ac3e4e07f1dfd721dd78

  This problem exists in Nagios 3.5.x that did not exist under 3.2.x,
  however it seems likely that the fix in 4.2.2 could be backported to
  Nagios 3.5.x.

  lsb_release -rd output:
  Description:	Ubuntu 16.04.2 LTS
  Release:	16.04

  apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions