Module: check_mk
Branch: master
Commit: 258a71a2d23440bb65ba6d8352d97dbacce55433
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=258a71a2d23440…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Sep 17 20:14:59 2018 +0200
6621 SEC Add permission to prevent users from editing "Deploy custom files with
agent" rule set
Using the rule set "Deploy custom files with agent" it is possible to select
custom files
to be distributed with the agents built using the Agent Bakery. As this rule set may
add custom executable code to the agents it makes sense to be able to control the
permission
for this more explicitly.
If you want to make sure that administrative users can not add those custom files to the
agents, you can now use the rule set "Configure custom agent file deployments"
to revoke
this permission.
Change-Id: Iaf9c5d8b763d1f6d24decf8dceed5282dbf85e71
---
.werks/6621 | 17 +++++++++++++++++
cmk/gui/plugins/wato/utils/__init__.py | 2 ++
2 files changed, 19 insertions(+)
diff --git a/.werks/6621 b/.werks/6621
new file mode 100644
index 0000000..d2fa9d1
--- /dev/null
+++ b/.werks/6621
@@ -0,0 +1,17 @@
+Title: Add permission to prevent users from editing "Deploy custom files with
agent" rule set
+Level: 1
+Component: agents
+Compatible: compat
+Edition: cee
+Version: 1.6.0i1
+Date: 1537207681
+Class: security
+
+Using the rule set "Deploy custom files with agent" it is possible to select
custom files
+to be distributed with the agents built using the Agent Bakery. As this is rule set may
+add custom executable code to the agents it makes sense to be able to control the
permission
+for this more explicitly.
+
+If you want to make sure that administrative users can not add those custom files to the
+agents, you can now use the rule set "Configure custom agent file deployments"
to revoke
+this permission.
diff --git a/cmk/gui/plugins/wato/utils/__init__.py
b/cmk/gui/plugins/wato/utils/__init__.py
index fdab5c4..c5fbb79 100644
--- a/cmk/gui/plugins/wato/utils/__init__.py
+++ b/cmk/gui/plugins/wato/utils/__init__.py
@@ -987,6 +987,8 @@ def may_edit_ruleset(varname):
return config.user.may("wato.services") or
config.user.may("wato.rulesets")
elif varname in [ "custom_checks", "datasource_programs" ]:
return config.user.may("wato.rulesets") and
config.user.may("wato.add_or_modify_executables")
+ elif varname == "agent_config:custom_files":
+ return config.user.may("wato.rulesets") and
config.user.may("wato.agent_deploy_custom_files")
else:
return config.user.may("wato.rulesets")
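Review bot: The permission `wato.agent_deploy_custom_files` checked in the new `elif` is not declared anywhere in this commit (the diffstat lists only the werk and this file), so confirm it is registered elsewhere with the intended per-role defaults; if it is not, whatever `config.user.may()` does with an unknown name decides who can still edit the rule set. The branch is an exact match on `"agent_config:custom_files"`, and every other varname falls through to the `else` that needs only `wato.rulesets`, so any other rule set able to put executable content into baked agents stays outside the new permission. A comment above the two executable-related branches, for example `# rule sets that can ship executable code to hosts require a dedicated permission`, would make that intent visible to whoever adds the next one. Revoking the permission presumably blocks further editing only, so rules already present in this rule set should be reviewed separately. `may_edit_ruleset` starts above the hunk, so earlier branches were not checked.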