Module: check_mk
Branch: master
Commit: 76b29d95d0f4899f29796bbb7a468ffdec822302
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=76b29d95d0f489…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Thu Jul 10 14:11:48 2014 +0200
FIX table servicegroups: fixed service visibility when using group_authorization AUTH_STRICT
This only applies with the setting group_authorization = AUTH_STRICT.
When an auth user was given, the livestatus table servicegroups did not check whether the auth
user had permissions to all objects of the servicegroup.
As a result the user was able to view servicegroups, even if he was not a contact for
every object in it.
However, the "forbidden" object itself was not returned, just a subset of the
group.
This was incorrect. The user needs to be a contact of every element in this group.
Otherwise he should not see the group at all.
---
.werks/951 | 16 ++++++++++++++++
ChangeLog | 1 +
livestatus/src/TableServices.cc | 30 +++++++++++++++++++++++++-----
3 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/.werks/951 b/.werks/951
new file mode 100644
index 0000000..413602e
--- /dev/null
+++ b/.werks/951
@@ -0,0 +1,16 @@
+Title: table servicegroups: fixed service visibility when using group_authorization
AUTH_STRICT
+Level: 1
+Component: livestatus
+Version: 1.2.5i5
+Date: 1404994147
+Class: fix
+
+This only applies with the setting group_authorization = AUTH_STRICT
+
+When an auth user was given the livestatus table servicegroups did not check if the auth
+user had permissions to all objects of the servicegroup.
+As a result the user was able to view servicegroups, even if he was not a contact for
every object in it.
+However, the "forbidden" object itself was not returned, just a subset of the
group.
+This was incorrect. The user needs to be contact of every element in this group.
+Otherwise he should not see the group at all..
+
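Review bot: the werk text describes the old behaviour but never states the new one from the user's side; one sentence such as "With AUTH_STRICT a servicegroup is now listed only when the auth user is a contact of every service in it; otherwise the group is omitted entirely instead of being shown as a partial list" would make the upgrade note clearer for operators reading the release notes. Also a doubled period in "at all.." and a missing comma after "When an auth user was given".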
diff --git a/ChangeLog b/ChangeLog
index e7312ec..bd991b5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,7 @@
Livestatus:
* 0988 FIX: livedump: Fix exception in case no contact groups are defined for a
service
+ * 0951 FIX: table servicegroups: fixed service visibility when using AUTH_STRICT...
HW/SW-Inventory:
* 0625 hw/sw inventory now reads the kernel version and architecture for linux and
windows
diff --git a/livestatus/src/TableServices.cc b/livestatus/src/TableServices.cc
index a21a8ac..781e30b 100644
--- a/livestatus/src/TableServices.cc
+++ b/livestatus/src/TableServices.cc
@@ -68,14 +68,34 @@ void TableServices::answerQuery(Query *query)
if (_by_group) {
servicegroup *sgroup = servicegroup_list;
servicebygroup sg;
+ bool show_sgroup;
+
+ // When g_group_authorization is set to AUTH_STRICT we need to pre-check
+ // if every service of this group is visible to the _auth_user
+ bool requires_precheck = query->authUser() && g_group_authorization ==
AUTH_STRICT;
+
while (sgroup) {
+ show_sgroup = true;
sg._servicegroup = sgroup;
servicesmember *mem = sgroup->members;
- while (mem) {
- memcpy(&sg._service, mem->service_ptr, sizeof(service));
- if (!query->processDataset(&sg))
- break;
- mem = mem->next;
+ if (requires_precheck) {
+ while (mem) {
+ if (!is_authorized_for(query->authUser(),
mem->service_ptr->host_ptr, mem->service_ptr)) {
+ show_sgroup = false;
+ break;
+ }
+ mem = mem->next;
+ }
+ }
+
+ if (show_sgroup) {
+ mem = sgroup->members;
+ while (mem) {
+ memcpy(&sg._service, mem->service_ptr, sizeof(service));
+ if (!query->processDataset(&sg))
+ break;
+ mem = mem->next;
+ }
}
sgroup = sgroup->next;
}
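Review bot: `show_sgroup` is reassigned at the top of every `while (sgroup)` iteration, so it can be declared inside the loop body as `bool show_sgroup = true;` instead of the separate declaration above it; that keeps its scope where it is used. The logic itself looks right: with `requires_precheck` true, the group is dropped as soon as one member fails `is_authorized_for`, and when it passes the emit loop is restarted from `sgroup->members`, so a group is now either returned whole or not at all, which is what the commit message promises. Two things worth noting in a comment: under AUTH_STRICT every group's member list is walked twice (once for the check, once for output), and an empty group behaves as before since the precheck loop never runs and the emit loop produces no rows. For the non-strict path `mem` is reset redundantly before the emit loop (it already points at `sgroup->members`), which is harmless but could be mentioned.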