Branch: refs/heads/2.3.0
Home:
https://github.com/Checkmk/checkmk
Commit: babaf083cb022bfeada1c5c143c6c0a778ca7689
https://github.com/Checkmk/checkmk/commit/babaf083cb022bfeada1c5c143c6c0a77…
Author: Max Linke <max.linke(a)checkmk.com>
Date: 2024-02-26 (Mon, 26 Feb 2024)
Changed paths:
M cmk/gui/wato/_permissions.py
Log Message:
-----------
disable add_or_modify_executables on cse for admins
We have a few rules that allow modification of executables on the
server. Those options can be set via some rules. Current approach has
been to disable the corresponding rules. However those rules are
valuable to customers. For example "Host Check Command" was requested a
lot from our beta customers. We deactivate the rule because it allows
arbitrary commands to be executed on the server. Now with the
add_or_modify_executables permission removed the rule cannot be used
anymore for arbitrary code execution. Currently this works great because
on the CSE users cannot modify roles.
I also like this approach as it is more of a "catch all" than reviewing
individual rules.
Long term it would be nice if we could globally disable some permissions
on the CSE.
Change-Id: Ib1eb2743dc6811d95dbab233a0cbc64c350a427a
To unsubscribe from these emails, change your notification settings at
https://github.com/Checkmk/checkmk/settings/notifications