Thruk icon indicating copy to clipboard operation
Thruk copied to clipboard

Published 20 hours ago verified publisher icon sni

Full Access when user has the roles authorized_for_system_commands and authorized_for_configuration_information

Open moritz-makandra opened this issue 2 years ago • 2 comments

Describe the bug

When I give an user the roles authorized_for_system_commands and authorized_for_configuration_information at the same time, it is like giving the user the authorized_for_admin role.

This behaviour is not expected or documented in any way.

My goal is to have a group that can send system commands and see configuration information, but has no access to all services.

Thruk Version 2.46.2

To Reproduce Steps to reproduce the behavior:

  1. Create a contact_grop
  2. add the contact group to the roles authorized_for_system_commands and authorized_for_configuration_information
  3. add a user to the contact_group
  4. log in and have full permissions

Expected behavior In my opinion this behaviour is very dangerous, because I wasn't aware of this. I would suggest to remove this if possible: https://github.com/sni/Thruk/blob/316da1607071a6e123c89826fc46bf6351507669/lib/Thruk/Authentication/User.pm#L338

moritz-makandra avatar Jan 19 '22 15:01 moritz-makandra

That's for historical reasons. There was no "admin" role before, so Thruk assumed admin rights if those system/config permissions were granted. But this would be something which could be changed for a 3.x release. Besides that, does adding the "readonly" role help in your case? Besides, if you trust someone to shutdown the hole monitoring system (which is possible with system commands) then you should trust them for single hosts/services as well.

sni avatar May 05 '22 09:05 sni

Is there any documentation about this behaviour?

My goal was to set up a group, that is basically an admin account, but with some hosts/service checks hidden. We have some checks we cannot fix, but we have them for alerting another team. So we want to hide this kind of alerts from our alert overview. So there is no concerns regarding trust. I agree on, giving the system commands privilege to a low level account is a bad idea.

The "readonly" role helps us with the accounts for the other team, which checks we manage for, but not for our accounts I described in the use case above.

moritz-makandra avatar May 16 '22 08:05 moritz-makandra

it is mentioned here: http://thruk.org/documentation/configuration.html#_component-thruk-plugin-bp http://thruk.org/documentation/configuration.html#_component-thruk-plugin-configtool

but i now added a note here http://thruk.org/documentation/cgi-cfg.html#_authorized_for_admin as well. And i also added a deprecation note in the changelog.

sni avatar May 30 '23 23:05 sni