Checkmk git commits

checkmk-commits@lists.checkmk.com

1 participants
64679 discussions

Check_MK Git: check_mk: SEC: Replaced insecure auth.secret mechanism

by Lars Michelsen

Module: check_mk Branch: master Commit: 5416397199adf777de261cdaa8880138b83e1706 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5416397199adf7… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Nov 12 14:15:08 2014 +0100 SEC: Replaced insecure auth.secret mechanism --- .werks/1069 | 25 +++++++++++++++++++++++++ ChangeLog | 2 ++ web/htdocs/lib.py | 14 ++++++++++++++ web/htdocs/login.py | 12 ++++++++---- web/htdocs/wato.py | 12 +----------- 5 files changed, 50 insertions(+), 15 deletions(-) diff --git a/.werks/1069 b/.werks/1069 new file mode 100644 index 0000000..86467f7 --- /dev/null +++ b/.werks/1069 @@ -0,0 +1,25 @@ +Title: Replaced insecure auth.secret mechanism +Level: 2 +Component: multisite +Compatible: incomp +Version: 1.2.5i7 +Date: 1415797737 +Class: security + +We replaced a insecure mechanism of generating the auth.secret which +is used during construction of the authentication cookies when a user +logs into the Check_MK Web GUI to make the authentication cookie only +valid for an individual site or a group of sites connected in a +distributed setup. + +What you have to know about: + +When the first user accesses the Web GUI after the update to this version, +all currently valid auth cookies of all users will be invalidated. As a +result all users will need to login again. + +In distributed setups you will also need to do a replication from the +master site (which generated a new secret) to all slave sites (which +generated another secret themselfs). The replication will synchronize +the new secret of the master to all slaves which should make the +transparent authentication between all sites work again. diff --git a/ChangeLog b/ChangeLog index 9cf93bd..9cf34d9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,8 @@ * 1493 Added config option "Default filter group" to set the initial network topology view filter... * 1497 Implemented password policy capabilities for local users... * 1499 SEC: Fixed XSS injections in different places... + * 1069 SEC: Replaced insecure auth.secret mechanism... + NOTE: Please refer to the migration notes! * 1164 FIX: Fixed links from servicegroup overviews to single servicegroups * 1166 FIX: Also prevting stylesheet update issues during version updates (just like for JS files) * 1481 FIX: Fix broken layout of Host-, Service- and Contactgroup filters diff --git a/web/htdocs/lib.py b/web/htdocs/lib.py index 3477ca1..64bde40 100644 --- a/web/htdocs/lib.py +++ b/web/htdocs/lib.py @@ -133,6 +133,20 @@ except: a.sort() return a +# We should use /dev/random here for cryptographic safety. But +# that involves the great problem that the system might hang +# because of loss of entropy. So we hope /dev/urandom is enough. +# Furthermore we filter out non-printable characters. The byte +# 0x00 for example does not make it through HTTP and the URL. +def get_random_string(size): + secret = "" + urandom = file("/dev/urandom") + while len(secret) < size: + c = urandom.read(1) + if ord(c) >= 48 and ord(c) <= 90: + secret += c + return secret + # Generates a unique id def gen_id(): try: diff --git a/web/htdocs/login.py b/web/htdocs/login.py index e7007e8..13a81bf 100644 --- a/web/htdocs/login.py +++ b/web/htdocs/login.py @@ -50,7 +50,6 @@ def site_cookie_name(site_id = None): # Reads the auth secret from a file. Creates the files if it does # not exist. Having access to the secret means that one can issue valid # cookies for the cookie auth. -# FIXME: Secret auch replizieren def load_secret(): secret_path = '%s/auth.secret' % os.path.dirname(defaults.htpasswd_file) secret = '' @@ -58,9 +57,14 @@ def load_secret(): secret = file(secret_path).read().strip() # Create new secret when this installation has no secret - if secret == '': - secret = md5(str(time.time())).hexdigest() - file(secret_path, 'w').write(secret + "\n") + # + # In past versions we used another bad approach to generate a secret. This + # checks for such secrets and creates a new one. This will invalidate all + # current auth cookies which means that all logged in users will need to + # renew their login after update. + if secret == '' or len(secret) == 32: + secret = get_random_string(256) + file(secret_path, 'w').write(secret) return secret diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 08fcac2..aef5840 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -11029,17 +11029,7 @@ def get_login_secret(create_on_demand = False): except: if not create_on_demand: return None - # We should use /dev/random here for cryptographic safety. But - # that involves the great problem that the system might hang - # because of loss of entropy. So we hope /dev/urandom is enough. - # Furthermore we filter out non-printable characters. The byte - # 0x00 for example does not make it through HTTP and the URL. - secret = "" - urandom = file("/dev/urandom") - while len(secret) < 32: - c = urandom.read(1) - if ord(c) >= 48 and ord(c) <= 90: - secret += c + secret = get_random_string(32) write_settings_file(path, secret) return secret

9 years, 11 months

Check_MK Git: check_mk: #1500 SEC Preventing livestatus injections in different places

by Lars Michelsen

Module: check_mk Branch: master Commit: b585e03dd7042a77d9dc641c4833ce45b776d5e4 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b585e03dd7042a… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Nov 12 15:38:13 2014 +0100 #1500 SEC Preventing livestatus injections in different places In some places strings provided by the users, e.g. by filling values into a form, are used to construct livestatus queries. This is, for example, done when filtering views or executing commands. Previous versions were directly using the strings provided by the user without escaping or filtering characters which could lead into some trouble. This has been fixed now. The strings provided by the user are now filtered before using them in livestatus queries. For the moment the only implemented action is to remove all newline (\n) characters from the values to prevent injections of non intended livestatus queries / commands. --- .werks/1500 | 17 +++++++++++++++++ ChangeLog | 1 + web/htdocs/actions.py | 8 ++++---- web/htdocs/lib.py | 9 +++++++++ web/htdocs/logwatch.py | 2 +- web/htdocs/prediction.py | 2 +- web/plugins/sidebar/search.py | 10 +++++----- web/plugins/views/commands.py | 13 +++++-------- web/plugins/visuals/filters.py | 24 ++++++++++++------------ 9 files changed, 55 insertions(+), 31 deletions(-) Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=b585e03dd7…

9 years, 11 months

Check_MK Git: check_mk: Enabled logging of general exceptions while processing multisite pages

by Lars Michelsen

Module: check_mk Branch: master Commit: 34c8711fc7c6fd09ac2e619aca30ad8e5aacd9ca URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=34c8711fc7c6fd… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Nov 12 13:39:43 2014 +0100 Enabled logging of general exceptions while processing multisite pages --- web/htdocs/index.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/htdocs/index.py b/web/htdocs/index.py index ff5e312..917fc0d 100644 --- a/web/htdocs/index.py +++ b/web/htdocs/index.py @@ -281,7 +281,7 @@ def handler(req, fields = None, profiling = True): html.header(_("Error")) html.show_error(unicode(e)) html.footer() - # apache.log_error(_("Error: %s") % (e,), apache.APLOG_ERR) + apache.log_error(_("Error: %s") % (e,), apache.APLOG_ERR) except livestatus.MKLivestatusNotFoundError, e: if plain_error:

9 years, 11 months

Check_MK Git: check_mk: #1498 FIX Fixed displaying of global settings titles / help texts

by Lars Michelsen

Module: check_mk Branch: master Commit: 75336537a3a119898aebc055347133e0ed2d27e4 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=75336537a3a119… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Nov 12 11:56:46 2014 +0100 #1498 FIX Fixed displaying of global settings titles / help texts Some titles were not displayed correctly or the help texts were missing. This is fixed now. --- .werks/1498 | 11 +++++++++++ ChangeLog | 1 + web/htdocs/wato.py | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.werks/1498 b/.werks/1498 new file mode 100644 index 0000000..01cc8a9 --- /dev/null +++ b/.werks/1498 @@ -0,0 +1,11 @@ +Title: Fixed displaying of global settings titles / help texts +Level: 1 +Component: wato +Class: fix +Compatible: compat +State: unknown +Version: 1.2.5i7 +Date: 1415789769 + +Some titles were not displayed correctly or the help texts were +missing. This is fixed now. diff --git a/ChangeLog b/ChangeLog index 4e23505..d92276f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,7 @@ * 1490 FIX: Timperiod excludes can now even be configured when creating a timeperiod... * 1491 FIX: Fixed bug in dynamic lists where removing an item was not always possible... * 1492 FIX: Fixed too long URL bug when deleting a timeperiod right after creating one + * 1498 FIX: Fixed displaying of global settings titles / help texts... Notifications: * 1168 FIX: HTML mails can now be configured to display graphs among each other... diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 3af6b8b..08fcac2 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -7396,7 +7396,7 @@ def render_global_configuration_variables(default_values, current_settings, show help_text = type(valuespec.help()) == unicode and valuespec.help().encode("utf-8") or valuespec.help() or '' title_text = type(valuespec.title()) == unicode and valuespec.title().encode("utf-8") or valuespec.title() title = '<a href="%s" class=%s title="%s">%s</a>' % \ - (edit_url, varname in current_settings and "modified" or "", + (edit_url, varname in current_settings and '"modified"' or '""', html.strip_tags(help_text), title_text) if varname in current_settings:

9 years, 11 months

Check_MK Git: check_mk: Allow hostname to be True in rule executor

by Mathias Kettner

Module: check_mk Branch: master Commit: 214a650973143c11a61607e5bf307e6575fc152f URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=214a650973143c… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Wed Nov 12 10:04:08 2014 +0100 Allow hostname to be True in rule executor --- modules/check_mk.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/check_mk.py b/modules/check_mk.py index 51916c0..f37deaf 100755 --- a/modules/check_mk.py +++ b/modules/check_mk.py @@ -1674,6 +1674,8 @@ def host_extra_conf(hostname, conf): else: raise MKGeneralException("Invalid entry '%r' in host configuration list: must have 2 or 3 entries" % (entry,)) + # Note: hostname may be True. This is an unknown generic host, that has + # no tags and that does not match any positive criteria in any rule. if hosttags_match_taglist(tags_of_host(hostname), tags) and \ in_extraconf_hostlist(hostlist, hostname): items.append(item) @@ -1887,8 +1889,8 @@ def in_extraconf_hostlist(hostlist, hostname): try: if not use_regex and hostname == hostentry: return not negate - # Handle Regex - elif use_regex and regex(hostentry).match(hostname): + # Handle Regex. Note: hostname == True -> generic unknown host + elif use_regex and hostname != True and regex(hostentry).match(hostname): return not negate except MKGeneralException: if opt_debug:

9 years, 11 months

Check_MK Git: check_mk: Improved debug capabilities of check_mail_loop

by Lars Michelsen

Module: check_mk Branch: master Commit: b30370e4d2b44a92ece4499940b0b5f51fb19a94 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b30370e4d2b44a… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Nov 12 08:29:42 2014 +0100 Improved debug capabilities of check_mail_loop --- doc/treasures/active_checks/check_mail_loop | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/doc/treasures/active_checks/check_mail_loop b/doc/treasures/active_checks/check_mail_loop index 7c92dc1..bc430b8 100755 --- a/doc/treasures/active_checks/check_mail_loop +++ b/doc/treasures/active_checks/check_mail_loop @@ -244,11 +244,11 @@ def fetch_mails(): retcode, messages = g_M.search(None, 'NOT', 'DELETED') if retcode == 'OK': for num in messages[0].split(' '): - ty, data = g_M.fetch(num, '(RFC822)') - if ty == 'OK': + try: + ty, data = g_M.fetch(num, '(RFC822)') mails[num] = email.message_from_string(data[0][1]) - else: - raise Exception('Failed to fetch mail %s (%s). Available messages: %r' % (num, data[0], messages)) + except Exception, e: + raise Exception('Failed to fetch mail %s (%s). Available messages: %r' % (num, e, messages)) # Now filter out the messages for this check pattern = re.compile('(?:Re: )?Check_MK-Mail-Loop ([^\s]+) ([^\s]+)') @@ -386,6 +386,10 @@ def close_mailbox(): g_M.logout() def main(): + # Enable showing protocol messages of imap for debugging + if debug: + imaplib.Debug = 4 + load_expected_mails() fetch_mails()

9 years, 11 months

Check_MK Git: check_mk: #1497 Implemented password policy capabilities for local users

by Lars Michelsen

Module: check_mk Branch: master Commit: 8558bc7b666011ad0f6793453ed2ed076b049edb URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=8558bc7b666011… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Nov 11 16:14:49 2014 +0100 #1497 Implemented password policy capabilities for local users Passwords of local (htpasswd) users can now be enforced to be changed. Existing user sessions will be invalidated, the user will be logged off, needs to login again and change his password afterwards. This can be set in the user profile. A password policy can now be configured for globally all local users which can enforce the users to choose passwords of a minimal length which are using at least X character groups. It is also possible to define a maximum age for passwords, after which the user needs to change the password. --- .werks/1497 | 19 +++ ChangeLog | 1 + web/htdocs/index.py | 4 +- web/htdocs/login.py | 30 ++-- web/htdocs/userdb.py | 52 +++++-- web/htdocs/wato.py | 203 +++++++++++++++++++--------- web/plugins/config/builtin.py | 1 + web/plugins/pages/wato.py | 1 + web/plugins/wato/check_mk_configuration.py | 32 +++++ 9 files changed, 250 insertions(+), 93 deletions(-) Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=8558bc7b66…

9 years, 11 months

Check_MK Git: check_mk: New valuespec for Hostname or IPv4 Address

by Mathias Kettner

Module: check_mk Branch: master Commit: 7539c539435509d2d285c3a3d395cefabaa64866 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7539c539435509… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue Nov 11 14:54:20 2014 +0100 New valuespec for Hostname or IPv4 Address --- web/htdocs/valuespec.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py index 8fdec8b..4abd944 100644 --- a/web/htdocs/valuespec.py +++ b/web/htdocs/valuespec.py @@ -562,6 +562,13 @@ class IPv4Address(IPv4Network): self.validate_ipaddress(value, varprefix) ValueSpec.custom_validate(self, value, varprefix) +# A host name with or without domain part. Also allow IP addresses +class Hostname(TextAscii): + def __init__(self, **kwargs): + TextAscii.__init__(self, **kwargs) + self._regex = re.compile('^[-0-9a-zA-Z_.]+$') + self._regex_error = _("Please enter a valid hostname or IPv4 address.") + # Valuespec for a HTTP Url (not HTTPS), that # automatically adds http:// to the value

9 years, 11 months

Check_MK Git: check_mk: Updated bug entries #2223

by Mathias Kettner

Module: check_mk Branch: master Commit: 6ee5eaaed50494d6036b4ca8cca7d0af0c4ec031 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6ee5eaaed50494… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue Nov 11 14:09:28 2014 +0100 Updated bug entries #2223 --- .bugs/2223 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.bugs/2223 b/.bugs/2223 new file mode 100644 index 0000000..0efcc53 --- /dev/null +++ b/.bugs/2223 @@ -0,0 +1,10 @@ +Title: SNMPv3 garbles cmk -D and also WATO dialog +Component: core +State: open +Date: 2014-11-11 14:08:30 +Targetversion: 1.2.5i1 +Class: nastiness + +Hosts with SNMPv3 are not properly displayed in cmk -D. Also +in the WATO host dialog the str(...) of the 4/6-tuple of the +v3 settings is being displayed as a string.

9 years, 11 months

Check_MK Git: check_mk: Better detection of garbled command line

by Mathias Kettner

Module: check_mk Branch: master Commit: ac5896345fbf6d96d1ed1f9709e27e89b6f1e80b URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ac5896345fbf6d… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Tue Nov 11 13:52:58 2014 +0100 Better detection of garbled command line --- modules/check_mk.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/check_mk.py b/modules/check_mk.py index a2b433a..51916c0 100755 --- a/modules/check_mk.py +++ b/modules/check_mk.py @@ -6010,7 +6010,9 @@ if __name__ == "__main__": elif o in [ '-f', '--force' ]: opt_force = True elif o == '-c': - check_mk_configfile = a + if check_mk_configfile != 'a': + sys.stderr.write("Please use the option -c separated by the other options.\n") + sys.exit(1) elif o == '--cache': opt_use_cachefile = True check_max_cachefile_age = 1000000000

9 years, 11 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

Checkmk git commits