diff -ur nagios-2.5.org/base/config.c nagios-2.5/base/config.c --- nagios-2.5.org/base/config.c 2005-12-26 18:18:14.000000000 -0500 +++ nagios-2.5/base/config.c 2006-11-10 19:04:00.000000000 -0500 @@ -166,8 +166,7 @@ extern host **host_hashlist; extern service **service_hashlist; - - +extern char *default_permissions; /******************************************************************/ /************** CONFIGURATION INPUT FUNCTIONS *********************/ @@ -1418,6 +1417,22 @@ #endif } + else if(!strcmp(variable,"default_permissions")){ + if(default_permissions!=NULL) + free(default_permissions); + default_permissions=(char *)strdup(value); + if(default_permissions==NULL){ + strcpy(error_message,"Could not allocate memory for default permissions string"); + error=TRUE; + break; + } + strip(default_permissions); + +#ifdef DEBUG1 + printf("\t\tdefault_permissions set to '%s'\n",default_permissions); +#endif + } + /* ignore old/external variables */ else if(!strcmp(variable,"status_file")) continue; @@ -1636,6 +1651,8 @@ int total_objects=0; int warnings=0; int errors=0; + char *temp_contactgroup_name; + char *perms; #ifdef DEBUG0 printf("pre_flight_check() start\n"); 
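Review bot: The `default_permissions` branch stores whatever follows the key without checking that it holds only permission letters, so a typo (an upper-case `N`, a stray character) silently removes a permission from every contact group that carries no explicit `:perms` suffix. Because this string feeds the notification and authorization checks changed elsewhere in the patch, reject bad values at load time: after `strip(default_permissions);` add `if(default_permissions[strspn(default_permissions,"rwxn")]!='\0')` with the same `error_message` / `error=TRUE` / `break` handling used for the allocation failure just above. The letter set `rwxn` is taken from the sample-config comment in this patch. The enclosing parser function starts and ends outside the hunk.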
@@ -2230,10 +2247,21 @@ /* make sure each contactgroup is used in at least one host or service definition or escalation */ for(temp_host=host_list;temp_host!=NULL;temp_host=temp_host->next){ for(temp_contactgroupsmember=temp_host->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ - if(!strcmp(temp_contactgroup->group_name,temp_contactgroupsmember->group_name)){ + + /* Ignore permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) + *perms = '\0'; + + if(!strcmp(temp_contactgroup->group_name,temp_contactgroup_name)){ found=TRUE; + if (temp_contactgroup_name) + free (temp_contactgroup_name); break; } + if (temp_contactgroup_name) + free (temp_contactgroup_name); } if(found==TRUE) break; @@ -2241,10 +2269,21 @@ if(found==FALSE){ for(temp_service=service_list;temp_service!=NULL;temp_service=temp_service->next){ for(temp_contactgroupsmember=temp_service->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ - if(!strcmp(temp_contactgroup->group_name,temp_contactgroupsmember->group_name)){ + + /* Ignore permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) + *perms = '\0'; + + if(!strcmp(temp_contactgroup->group_name,temp_contactgroup_name)){ found=TRUE; + if (temp_contactgroup_name) + free (temp_contactgroup_name); break; } + if (temp_contactgroup_name) + free (temp_contactgroup_name); } if(found==TRUE) break; 
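Review bot: `strdup()` can return NULL and its result is passed straight to `strchr()`, so an allocation failure in this loop becomes a NULL dereference; the `if (temp_contactgroup_name)` tests before `free()` come too late to help. The copy is not needed for a comparison: `size_t n=strcspn(temp_contactgroupsmember->group_name,":");` followed by `if(strlen(temp_contactgroup->group_name)==n && !strncmp(temp_contactgroup->group_name,temp_contactgroupsmember->group_name,n)){` matches the name up to the colon with no allocation and nothing to free on either exit. The same pattern is repeated in the -2241, -2253 and -2265 hunks of this file and in the `common/objects.c` hunks that strip or test the suffix. These loops appear to sit in `pre_flight_check()`, whose body extends beyond the hunks.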
@@ -2253,10 +2292,20 @@ if(found==FALSE){ for(temp_se=serviceescalation_list;temp_se!=NULL;temp_se=temp_se->next){ for(temp_contactgroupsmember=temp_se->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ - if(!strcmp(temp_contactgroup->group_name,temp_contactgroupsmember->group_name)){ + /* Ignore permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) + *perms = '\0'; + + if(!strcmp(temp_contactgroup->group_name,temp_contactgroup_name)){ + if (temp_contactgroup_name) + free (temp_contactgroup_name); found=TRUE; break; } + if (temp_contactgroup_name) + free (temp_contactgroup_name); } if(found==TRUE) break; @@ -2265,10 +2314,20 @@ if(found==FALSE){ for(temp_he=hostescalation_list;temp_he!=NULL;temp_he=temp_he->next){ for(temp_contactgroupsmember=temp_he->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ - if(!strcmp(temp_contactgroup->group_name,temp_contactgroupsmember->group_name)){ + /* Ignore permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) + *perms = '\0'; + + if(!strcmp(temp_contactgroup->group_name,temp_contactgroup_name)){ found=TRUE; + if (temp_contactgroup_name) + free (temp_contactgroup_name); break; } + if (temp_contactgroup_name) + free (temp_contactgroup_name); } if(found==TRUE) break; diff -ur nagios-2.5.org/base/nagios.c nagios-2.5/base/nagios.c --- nagios-2.5.org/base/nagios.c 2006-07-13 17:57:33.000000000 -0400 +++ nagios-2.5/base/nagios.c 2006-11-06 10:28:00.000000000 -0500 
@@ -208,7 +208,7 @@ circular_buffer service_result_buffer; pthread_t worker_threads[TOTAL_WORKER_THREADS]; - +char *default_permissions; /* Following main() declaration required by older versions of Perl ut 5.00503 */ #ifdef EMBEDDEDPERL diff -ur nagios-2.5.org/base/notifications.c nagios-2.5/base/notifications.c --- nagios-2.5.org/base/notifications.c 2006-04-07 18:24:13.000000000 -0400 +++ nagios-2.5/base/notifications.c 2006-11-06 10:07:56.000000000 -0500 @@ -45,7 +45,7 @@ extern char *generic_summary; - +extern char *default_permissions; /******************************************************************/ /***************** SERVICE NOTIFICATION FUNCTIONS *****************/ @@ -832,7 +832,7 @@ /* find all contacts for this service */ for(temp_contact=contact_list;temp_contact!=NULL;temp_contact=temp_contact->next){ - if(is_contact_for_service(svc,temp_contact)==TRUE) + if(is_contact_for_service_perm(svc,temp_contact,default_permissions,'n')==TRUE) add_notification(temp_contact); } } @@ -1572,7 +1572,7 @@ /* get all contacts for this host */ for(temp_contact=contact_list;temp_contact!=NULL;temp_contact=temp_contact->next){ - if(is_contact_for_host(hst,temp_contact)==TRUE) + if(is_contact_for_host_perm(hst,temp_contact,default_permissions,'n')==TRUE) add_notification(temp_contact); } } diff -ur nagios-2.5.org/cgi/cgiauth.c nagios-2.5/cgi/cgiauth.c --- nagios-2.5.org/cgi/cgiauth.c 2006-10-08 19:35:18.000000000 -0400 +++ nagios-2.5/cgi/cgiauth.c 2006-11-10 19:20:43.000000000 -0500 @@ -43,8 +43,7 @@ extern int services_have_been_read; extern int serviceescalations_have_been_read; extern int hostescalations_have_been_read; - - +extern char *default_permissions; /* get current authentication information */ int get_authentication_information(authdata *authinfo){ 
@@ -218,11 +217,11 @@ temp_contact=find_contact(authinfo->username); /* see if this user is a contact for the host */ - if(is_contact_for_host(hst,temp_contact)==TRUE) + if(is_contact_for_host_perm(hst,temp_contact,default_permissions,'r')==TRUE) return TRUE; /* see if this user is an escalated contact for the host */ - if(is_escalated_contact_for_host(hst,temp_contact)==TRUE) + if(is_escalated_contact_for_host_perm(hst,temp_contact,default_permissions,'r')==TRUE) return TRUE; return FALSE; @@ -295,18 +294,18 @@ return FALSE; /* if this user is authorized for this host, they are for all services on it as well... */ - if(is_authorized_for_host(temp_host,authinfo)==TRUE) - return TRUE; + /* if(is_authorized_for_host(temp_host,authinfo)==TRUE) + return TRUE;*/ /* find the contact */ temp_contact=find_contact(authinfo->username); /* see if this user is a contact for the service */ - if(is_contact_for_service(svc,temp_contact)==TRUE) + if(is_contact_for_service_perm(svc,temp_contact,default_permissions,'r')==TRUE) return TRUE; /* see if this user is an escalated contact for the service */ - if(is_escalated_contact_for_service(svc,temp_contact)==TRUE) + if(is_escalated_contact_for_service_perm(svc,temp_contact,default_permissions,'r')==TRUE) return TRUE; return FALSE; 
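Review bot: Commenting out the `is_authorized_for_host()` shortcut in the -295 hunk changes service visibility for every installation, not only for those that use the new `:perms` suffix: anyone who reached a service through host-level authorization now needs a direct or escalated service contact entry that grants `r`. If `is_authorized_for_host()` also grants access by means other than contact membership (not visible here), those users lose their service views as well. Either keep the shortcut when the service's contact groups carry no explicit permissions, or delete the dead code and replace the stale comment with the new rule, e.g. `/* host authorization no longer implies service authorization; 'r' must be granted on the service itself */`. The function body starts and ends outside the hunk.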
@@ -419,20 +418,20 @@ if(temp_contact && temp_contact->can_submit_commands==FALSE) return FALSE; - /* see if this user is a contact for the host */ - if(is_contact_for_host(temp_host,temp_contact)==TRUE) + /* see if this user is a contact for the host with permissions */ + if(is_contact_for_host_perm(temp_host,temp_contact,default_permissions,'x')==TRUE) return TRUE; /* see if this user is an escalated contact for the host */ - if(is_escalated_contact_for_host(temp_host,temp_contact)==TRUE) + if(is_escalated_contact_for_host_perm(temp_host,temp_contact,default_permissions,'x')==TRUE) return TRUE; - /* this user is a contact for the service, so they have permission... */ - if(is_contact_for_service(svc,temp_contact)==TRUE) + /* see if this user is a contact for the service with permissions */ + if(is_contact_for_service_perm(svc,temp_contact,default_permissions,'x')==TRUE) return TRUE; /* this user is an escalated contact for the service, so they have permission... */ - if(is_escalated_contact_for_service(svc,temp_contact)==TRUE) + if(is_escalated_contact_for_service_perm(svc,temp_contact,default_permissions,'x')==TRUE) return TRUE; /* this user is not a contact for the host, so they must have been given explicit permissions to all service commands */ 
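Review bot: Service commands are still granted through the host's contact groups here (`is_contact_for_host_perm(temp_host,temp_contact,default_permissions,'x')`), while the read path in the -295 hunk no longer lets host authorization reach services. As far as these hunks show, a contact with `x` on the host can therefore submit commands for a service they are not authorized to view. Decide which inheritance rule is intended and apply it to both the view and the command path. The context comments that still read "so they have permission..." (here and in the -470 hunk) no longer describe the test and should say that `x` is required.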
@@ -470,11 +469,11 @@ return FALSE; /* this user is a contact for the host, so they have permission... */ - if(is_contact_for_host(hst,temp_contact)==TRUE) + if(is_contact_for_host_perm(hst,temp_contact,default_permissions,'x')==TRUE) return TRUE; /* this user is an escalated contact for the host, so they have permission... */ - if(is_escalated_contact_for_host(hst,temp_contact)==TRUE) + if(is_escalated_contact_for_host_perm(hst,temp_contact,default_permissions,'x')==TRUE) return TRUE; /* this user is not a contact for the host, so they must have been given explicit permissions to all host commands */ diff -ur nagios-2.5.org/cgi/cgiutils.c nagios-2.5/cgi/cgiutils.c --- nagios-2.5.org/cgi/cgiutils.c 2006-05-20 14:37:29.000000000 -0400 +++ nagios-2.5/cgi/cgiutils.c 2006-11-07 19:51:58.000000000 -0500 @@ -113,6 +113,8 @@ int default_statusmap_layout_method=0; int default_statuswrl_layout_method=0; +char *default_permissions=NULL; + extern hostgroup *hostgroup_list; extern contactgroup *contactgroup_list; extern command *command_list; @@ -458,6 +460,13 @@ continue; ping_syntax=strdup(temp_buffer); } + else if(strstr(input,"default_permissions=")==input){ + temp_buffer=strtok(input,"="); + temp_buffer=strtok(NULL,"\n"); + if(temp_buffer==NULL) + continue; + default_permissions=strdup(temp_buffer); + } } diff -ur nagios-2.5.org/common/objects.c nagios-2.5/common/objects.c --- nagios-2.5.org/common/objects.c 2006-10-08 19:35:18.000000000 -0400 +++ nagios-2.5/common/objects.c 2006-11-10 19:14:54.000000000 -0500 @@ -71,7 +71,6 @@ hostescalation **hostescalation_hashlist=NULL; serviceescalation **serviceescalation_hashlist=NULL; - #ifdef NSCORE int __nagios_object_structure_version=CURRENT_OBJECT_STRUCTURE_VERSION; #endif @@ -4926,6 +4925,8 @@ /* find a contact group from the list in memory */ contactgroup * find_contactgroup(char *name){ contactgroup *temp_contactgroup; + char *temp_contactgroup_name; + char *perms; #ifdef DEBUG0 printf("find_contactgroup() start\n"); 
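Review bot: An empty value fails open in the `default_permissions=` branch of `cgi/cgiutils.c`: for a line with nothing after the `=`, the second `strtok()` returns NULL, the `continue` leaves `default_permissions` at NULL, and the `_perm` functions added in `common/objects.c` treat a NULL default as full access. An administrator who writes an empty list to grant nothing by default therefore grants everything in the CGIs. Store an empty string instead of skipping the line, e.g. replace the NULL test and assignment with `default_permissions=strdup(temp_buffer?temp_buffer:"");`. Unlike the `base/config.c` handler, this one also neither strips the value nor frees a previous one when the key appears twice. The enclosing function starts and ends outside the hunk.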
@@ -4934,11 +4935,21 @@ if(name==NULL || contactgroup_hashlist==NULL) return NULL; - for(temp_contactgroup=contactgroup_hashlist[hashfunc1(name,CONTACTGROUP_HASHSLOTS)];temp_contactgroup && compare_hashdata1(temp_contactgroup->group_name,name)<0;temp_contactgroup=temp_contactgroup->nexthash); + /* Ignore permissions */ + temp_contactgroup_name = strdup(name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) + *perms = '\0'; + + for(temp_contactgroup=contactgroup_hashlist[hashfunc1(temp_contactgroup_name,CONTACTGROUP_HASHSLOTS)];temp_contactgroup && compare_hashdata1(temp_contactgroup->group_name,temp_contactgroup_name)<0;temp_contactgroup=temp_contactgroup->nexthash); - if(temp_contactgroup && (compare_hashdata1(temp_contactgroup->group_name,name)==0)) + if(temp_contactgroup && (compare_hashdata1(temp_contactgroup->group_name,temp_contactgroup_name)==0)) return temp_contactgroup; + if(temp_contactgroup_name) + free(temp_contactgroup_name); + + #ifdef DEBUG0 printf("find_contactgroup() end\n"); #endif @@ -5427,7 +5438,9 @@ int is_contact_for_host(host *hst, contact *cntct){ contactgroupsmember *temp_contactgroupsmember; contactgroup *temp_contactgroup; - + char *temp_contactgroup_name; + char *perms; + if(hst==NULL || cntct==NULL){ return FALSE; } @@ -5435,8 +5448,16 @@ /* search all contact groups of this host */ for(temp_contactgroupsmember=hst->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ + /* Ignore permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) + *perms = '\0'; + /* find the contact group */ - temp_contactgroup=find_contactgroup(temp_contactgroupsmember->group_name); + temp_contactgroup=find_contactgroup(temp_contactgroup_name); + if (temp_contactgroup_name) + free (temp_contactgroup_name); if(temp_contactgroup==NULL) continue; 
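Review bot: `find_contactgroup()` leaks the duplicated name on every successful lookup, because `return temp_contactgroup;` runs before the `free(temp_contactgroup_name)` added below it. Free on the hit path as well: `if(temp_contactgroup && (compare_hashdata1(temp_contactgroup->group_name,temp_contactgroup_name)==0)){ free(temp_contactgroup_name); return temp_contactgroup; }`. The `strdup()` result is also handed to `strchr()` without a NULL check. Since this function now ignores the suffix itself, the copy-and-truncate added to `is_contact_for_host()` in the -5435 hunk (and to `is_contact_for_service()` in -5488) is redundant; those callers can keep passing `temp_contactgroupsmember->group_name` directly. The tail of the function lies outside the hunk.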
@@ -5447,6 +5468,56 @@ return FALSE; } +/* tests whether a contact is a contact for a particular host with execute permissions */ +int is_contact_for_host_perm(host *hst, contact *cntct, char *default_perm, char perm){ + contactgroupsmember *temp_contactgroupsmember; + contactgroup *temp_contactgroup; + char *temp_contactgroup_name; + char *perms; + + if(hst==NULL || cntct==NULL){ + return FALSE; + } + + /* search all contact groups of this host */ + for(temp_contactgroupsmember=hst->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ + + /* Check for permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) { + perms = strchr(perms, perm); + if (! (perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + else if (default_perm) { + /* No permissions defined for host, but default permissions found */ + perms = strchr(default_perm, perm); + if (! (perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + + /* No permissions set so defaulting to full access, or user has permission */ + + /* find the contact group */ + temp_contactgroup=find_contactgroup(temp_contactgroup_name); + if (temp_contactgroup_name) + free(temp_contactgroup_name); + if(temp_contactgroup==NULL) + continue; + + if(is_contact_member_of_contactgroup(temp_contactgroup,cntct)==TRUE) + return TRUE; + } + + return FALSE; + } /* tests whether or not a contact is an escalated contact for a particular host */ 
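Review bot: The suffix test in `is_contact_for_host_perm()` is copied verbatim into the three sibling functions added by the -5476, -5500 and -5529 hunks, and the copies have already drifted: the last one never frees the duplicated name, and the two escalation variants have no NULL guard. A single allocation-free helper, sketched below under a proposed name, keeps the authorization rule in one place and removes the unchecked `strdup()`; it searches after the colon rather than from it. The header comment should read "with the given permission" instead of "with execute permissions", since `perm` is any letter the caller passes. It should also state that an entry with no suffix and no `default_permissions` is granted every permission, because that fail-open default is the security-relevant part of the contract.

```c
/* Returns TRUE if the contact-group entry "name[:perms]" grants `perm`.
   An explicit suffix wins; otherwise default_perm applies; with neither,
   every permission is granted (the default documented in the sample config). */
static int contactgroup_entry_grants(const char *entry, const char *default_perm, char perm){
	const char *suffix;

	if(entry==NULL)
		return FALSE;

	suffix=strchr(entry,':');
	if(suffix!=NULL)
		return (strchr(suffix+1,perm)!=NULL)?TRUE:FALSE;
	if(default_perm!=NULL)
		return (strchr(default_perm,perm)!=NULL)?TRUE:FALSE;

	return TRUE;
	}

int is_contact_for_host_perm(host *hst, contact *cntct, char *default_perm, char perm){
	/* … unchanged: declarations and NULL check on hst/cntct … */
	for(temp_contactgroupsmember=hst->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){

		/* permission not granted by suffix or default, so skip this group */
		if(contactgroup_entry_grants(temp_contactgroupsmember->group_name,default_perm,perm)==FALSE)
			continue;

		/* find_contactgroup() ignores the ":perms" suffix itself */
		temp_contactgroup=find_contactgroup(temp_contactgroupsmember->group_name);
		/* … unchanged: NULL check and is_contact_member_of_contactgroup() test … */
```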
@@ -5476,11 +5547,68 @@ return FALSE; } +/* tests whether or not a contact is an escalated contact for a particular host with execute permissions */ +int is_escalated_contact_for_host_perm(host *hst, contact *cntct, char *default_perm, char perm){ + contactgroupsmember *temp_contactgroupsmember; + contactgroup *temp_contactgroup; + hostescalation *temp_hostescalation; + char *temp_contactgroup_name; + char *perms; + + + /* search all host escalations */ + for(temp_hostescalation=get_first_hostescalation_by_host(hst->name);temp_hostescalation!=NULL;temp_hostescalation=get_next_hostescalation_by_host(hst->name,temp_hostescalation)){ + + /* search all the contact groups in this escalation... */ + for(temp_contactgroupsmember=temp_hostescalation->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ + + /* Check for permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) { + perms = strchr(perms, perm); + if (! (perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + else if (default_perm) { + /* No permissions defined for host, but default permissions found */ + perms = strchr(default_perm, perm); + if (! 
(perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + + /* No permissions set so defaulting to full access, or user has permission */ + + /* find the contact group */ + temp_contactgroup=find_contactgroup(temp_contactgroup_name); + + if (temp_contactgroup_name) + free(temp_contactgroup_name); + + if(temp_contactgroup==NULL) + continue; + + /* see if the contact is a member of this contact group */ + if(is_contact_member_of_contactgroup(temp_contactgroup,cntct)==TRUE) + return TRUE; + } + } + + return FALSE; + } /* tests whether a contact is a contact for a particular service */ int is_contact_for_service(service *svc, contact *cntct){ contactgroupsmember *temp_contactgroupsmember; contactgroup *temp_contactgroup; + char *temp_contactgroup_name; + char *perms; if(svc==NULL || cntct==NULL) return FALSE; @@ -5488,8 +5616,16 @@ /* search all contact groups of this service */ for(temp_contactgroupsmember=svc->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ + /* Ignore permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) + *perms = '\0'; + /* find the contact group */ - temp_contactgroup=find_contactgroup(temp_contactgroupsmember->group_name); + temp_contactgroup=find_contactgroup(temp_contactgroup_name); + if (temp_contactgroup_name) + free (temp_contactgroup_name); if(temp_contactgroup==NULL) continue; 
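Review bot: `is_escalated_contact_for_host_perm()` dereferences `hst->name` in its first loop header with no NULL guard, although `is_contact_for_host_perm()` just above starts with `if(hst==NULL || cntct==NULL)`. Add the same guard as the first statement of the new function: `if(hst==NULL || cntct==NULL) return FALSE;`. The `temp_contact &&` test visible in the cgiauth.c -419 hunk shows that the contact pointer handed to these functions can be NULL; whether `is_contact_member_of_contactgroup()` tolerates that is not visible here. The same applies to `svc` in `is_escalated_contact_for_service_perm()` (-5529 hunk), which reads `svc->host_name` unguarded.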
@@ -5500,6 +5636,56 @@ return FALSE; } +/* tests whether a contact is a contact for a particular service with execute permissions */ +int is_contact_for_service_perm(service *svc, contact *cntct, char *default_perm, char perm){ + contactgroupsmember *temp_contactgroupsmember; + contactgroup *temp_contactgroup; + char *temp_contactgroup_name; + char *perms; + + if(svc==NULL || cntct==NULL) + return FALSE; + + /* search all contact groups of this service */ + for(temp_contactgroupsmember=svc->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ + + + /* Check for permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) { + perms = strchr(perms, perm); + if (! (perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + else if (default_perm) { + /* No permissions defined for service, but default permissions found */ + perms = strchr(default_perm, perm); + if (! (perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + + /* No permissions set so defaulting to full access, or user has permission */ + + /* find the contact group */ + temp_contactgroup=find_contactgroup(temp_contactgroup_name); + if (temp_contactgroup_name) + free (temp_contactgroup_name); + if(temp_contactgroup==NULL) + continue; + + if(is_contact_member_of_contactgroup(temp_contactgroup,cntct)==TRUE) + return TRUE; + } + + return FALSE; + } /* tests whether or not a contact is an escalated contact for a particular service */ 
@@ -5529,6 +5715,58 @@ } +/* tests whether or not a contact is an escalated contact for a particular service with execute permissions */ +int is_escalated_contact_for_service_perm(service *svc, contact *cntct, char *default_perm, char perm){ + serviceescalation *temp_serviceescalation; + contactgroupsmember *temp_contactgroupsmember; + contactgroup *temp_contactgroup; + char *temp_contactgroup_name; + char *perms; + + /* search all the service escalations */ + for(temp_serviceescalation=get_first_serviceescalation_by_service(svc->host_name,svc->description);temp_serviceescalation!=NULL;temp_serviceescalation=get_next_serviceescalation_by_service(svc->host_name,svc->description,temp_serviceescalation)){ + + /* search all the contact groups in this escalation... */ + for(temp_contactgroupsmember=temp_serviceescalation->contact_groups;temp_contactgroupsmember!=NULL;temp_contactgroupsmember=temp_contactgroupsmember->next){ + + /* Check for permissions */ + temp_contactgroup_name = strdup(temp_contactgroupsmember->group_name); + perms = strchr(temp_contactgroup_name, ':'); + if (perms) { + perms = strchr(perms, perm); + if (! (perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + else if (default_perm) { + /* No permissions defined for service, but default permissions found */ + perms = strchr(default_perm, perm); + if (! 
(perms)) { /* permission not found so deny */ + if (temp_contactgroup_name) + free(temp_contactgroup_name); + continue; + } + } + + /* No permissions set so defaulting to full access, or user has permission */ + + /* find the contact group */ + temp_contactgroup=find_contactgroup(temp_contactgroup_name); + if(temp_contactgroup==NULL) + continue; + + /* see if the contact is a member of this contact group */ + if(is_contact_member_of_contactgroup(temp_contactgroup,cntct)==TRUE) + return TRUE; + } + } + + return FALSE; + } + + #ifdef NSCORE /* checks to see if there exists a circular parent/child path for a host */ diff -ur nagios-2.5.org/sample-config/cgi.cfg.in nagios-2.5/sample-config/cgi.cfg.in --- nagios-2.5.org/sample-config/cgi.cfg.in 2005-05-05 17:37:25.000000000 -0400 +++ nagios-2.5/sample-config/cgi.cfg.in 2006-11-06 10:31:16.000000000 -0500 @@ -170,6 +170,16 @@ +# DEFAULT HOST/SERVICE PERMISSIONS +# This option contains a list of default permissions for hosts and +# services that will be used when permissions are not explicitly +# set on a host or service. When not defined, the default is all +# permissions (rwxn). Note: This option must be set the same in +# both cgi.cfg and nagios.cfg. + +#default_permissions=rwxn + + # STATUSMAP BACKGROUND IMAGE # This option allows you to specify an image to be used as a diff -ur nagios-2.5.org/sample-config/nagios.cfg.in nagios-2.5/sample-config/nagios.cfg.in --- nagios-2.5.org/sample-config/nagios.cfg.in 2005-11-23 17:28:03.000000000 -0500 +++ nagios-2.5/sample-config/nagios.cfg.in 2006-11-06 10:31:15.000000000 -0500 @@ -951,5 +951,16 @@ +# DEFAULT HOST/SERVICE PERMISSIONS +# This option contains a list of default permissions for hosts and +# services that will be used when permissions are not explicitly +# set on a host or service. When not defined, the default is all +# permissions (rwxn). Note: This option must be set the same in +# both cgi.cfg and nagios.cfg. + +#default_permissions=rwxn + + + # EOF (End of file)
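Review bot: `is_escalated_contact_for_service_perm()` never frees `temp_contactgroup_name` once the permission test has passed: after `find_contactgroup()` the code reaches `continue`, `return TRUE` or the next iteration with the copy still allocated, unlike the three sibling functions, which free it right after the lookup. Add `free(temp_contactgroup_name);` immediately after the `find_contactgroup()` call, before the `if(temp_contactgroup==NULL)` test. The `strdup()` result is also passed to `strchr()` without a NULL check, as in the other copies of this block.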