[Xymon] Web UI security - how to implement access filter per group/host

henrik at hswn.dk
Mon Apr 29 10:16:54 CEST 2013


On Mon, 29 Apr 2013 09:54:01 +0300, Andrey Chervonets
<A.Chervonets at cominder.eu> wrote:

> Question:
> Does the XyMon team have plans to implement groups/pages protection?
> 
> Or maybe somebody knows how to protect it with the current version?

It isn't a top issue on my priority list. On my own site, I use Apache to
grant/deny access to the pre-generated html-pages - but if you know the
hostname, then it is trivial to construct a URL that will fetch the status
of any host.

The easiest way to modify the current system is to add some security
checks in the CGI shell-script wrappers, so that they check access based on
the REMOTE_USER environment-variable that Apache provides when you require
authentication for a web user. A simple example I use is that external
users have a username which is an e-mail address - so the username contains
a '@'. These users should not have access to the enable/disable scripts. So
I wrote a small program to check if REMOTE_USER includes a '@', and if it
doesn't then it just prints out an HTML page with status 403 (Access
denied). If access is OK, then it invokes the enable/disable program in the
usual way. The access-check program is then invoked first in the
"enadis.sh" wrapper.


Regards,
Henrik
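
The REMOTE_USER check described in the reply above, sketched as an added example; it is not code from the original post or from Xymon. It denies usernames containing '@' (the external users the post says should not reach the enable/disable scripts) and, as an added assumption, also denies requests with no REMOTE_USER at all. The function names and the program path in the closing comment are hypothetical.

```shell
#!/bin/sh
# Added example: access gate for a CGI shell wrapper such as enadis.sh.
# Function names are hypothetical and not part of Xymon.

# Return 0 if the authenticated user may use enable/disable, 1 otherwise.
# Policy from the post: a username containing '@' is an external user
# and is denied. Assumption added here: an empty REMOTE_USER (Apache did
# not authenticate the request) is denied too, so the gate fails closed.
user_may_enadis() {
    user=$1
    case "$user" in
        '')  return 1 ;;   # no authenticated user
        *@*) return 1 ;;   # external user (e-mail address as username)
        *)   return 0 ;;   # internal user
    esac
}

# Emit a minimal CGI response with status 403.
deny_response() {
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
    printf '<html><body><h1>403 Access denied</h1></body></html>\n'
}

# Gate for the wrapper: returns 0 when access is OK; otherwise prints
# the 403 page and returns 1 so the caller can stop.
enadis_gate() {
    if user_may_enadis "${REMOTE_USER:-}"; then
        return 0
    fi
    deny_response
    return 1
}

# In the wrapper, before the real program starts (placeholder path):
#   enadis_gate || exit 0
#   exec /path/to/real-enadis-program "$@"
```

The gate only has meaning when Apache requires authentication for the CGI directory, since that is what sets REMOTE_USER.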



