Module: check_mk
Branch: master
Commit: ab88f7a4712416e2569eb60819164b69269423d4
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ab88f7a4712416…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon May 15 15:20:20 2017 +0200
4682 SEC Add permission "Can add or modify executables" to be able to fine tune
access rights
It is now possible to explicitly allow/deny users of WATO to add or modify executables.
This is done with the new permission <i>Can add or modify executables</i>. By default
only users with the role <i>Administrator</i> have this permission.
There are different places in Check_MK where an admin, the user of the configuration
GUI, can use the GUI to add executable code to Check_MK.
For example when configuring datasource programs, the user inserts a command line for
gathering monitoring data. This command line is then executed during monitoring by
Check_MK.
Another example is the upload of extension packages (MKPs).
These functions have in common that the user provides data that is executed by Check_MK
later in the context of Check_MK.
If you want to ensure that your WATO users can not "inject" arbitrary executables
into your Check_MK installation, you only need to revoke this permission.
This permission is needed in addition to the other component related permissions.
For example you need the <tt>wato.rulesets</tt> permission together with the new
permission to be able to configure rulesets where bare command lines are configured.
These things are protected by the new permission at the moment:
<ul>
<li>Ruleset: Classical active and passive monitoring checks</li>
<li>Ruleset: Datasource programs</li>
<li>Ruleset: Configuring custom host check command</li>
<li>Host diagnostic page: Setting arbitrary command line as datasource program</li>
<li>Configure event console actions</li>
<li>
<strong>Incompatible</strong>: Users with the role <i>Users</i> are allowed to edit rulesets
for the WATO folders they are permitted on. In previous versions they were also able to
insert arbitrary commands into the rulesets mentioned above. This has now been removed
(by default) for security reasons. If you still need this functionality, you need to
set the new permission to <i>yes</i> for this role.
CMK-963
Change-Id: Ic52c52e53b8cbd10c8f2af064559ff0bed9b41c7
---
cmk/gui/wato/__init__.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py
index 86b72d0..4413e06 100644
--- a/cmk/gui/wato/__init__.py
+++ b/cmk/gui/wato/__init__.py
@@ -15178,13 +15178,13 @@ def load_plugins(force):
config.declare_permission("wato.add_or_modify_executables",
_("Can add or modify executables"),
- _("There are different places in Check_MK where an admin, the user of the
configuration "
- "GUI, can use the GUI to add executable code to Check_MK. For example when
configuring "
+ _("There are different places in Check_MK where an admin can use the GUI to
add "
+ "executable code to Check_MK. For example when configuring "
"datasource programs, the user inserts a command line for gathering
monitoring data. "
"This command line is then executed during monitoring by Check_MK. Another
example is "
"the upload of extension packages (MKPs). All these functions have in
"
- "common that the user provides data that is executed by Check_MK later.
"
- "If you want to ensure that your WATO users can not \"inject\"
arbitrary executables "
+ "common that the user provides data that is executed by Check_MK. "
+ "If you want to ensure that your WATO users cannot \"inject\"
arbitrary executables "
"into your Check_MK installation, you only need to remove this permission
for them. "
"This permission is needed in addition to the other component related
permissions. "
"For example you need the <tt>wato.rulesets</tt> permission
together with this "
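Review bot: the help text in this hunk still cites "the upload of extension packages (MKPs)" as an example and then says that removing this permission is all that is needed to keep WATO users from injecting executables, but the list of protected places in the commit message (three rulesets, the host diagnostic page, event console actions) does not include MKP upload. An admin who reads only this description could revoke the permission and assume MKP upload is blocked as well. Either name the places that are actually gated by wato.add_or_modify_executables in the help text, or state explicitly how MKP upload is controlled. Separately, the wording changes alter the msgid of this _() string, so existing translations of the permission description will need to be refreshed.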