Brion Vibber wrote:
> Dan Collins wrote:
>> On a similar topic, why is nagios.wikimedia.org behind a password now? Does it really need to be secured?
>
> Apparently in order to be able to update things through the nagios UI, we needed to enable password protection. There's probably some sane way of still allowing read-only visitors without demanding a password, though.

Apparently the nagios developers are so confident that nagios's command interface has arbitrary shell execution vulnerabilities that they go to extreme lengths to prevent you from enabling it in an environment without password protection.
I would chalk it up to paranoia, except that Nagios NRPE has a similar protection against enabling parameters to check commands, and it turns out that those parameters are indeed passed through to the shell without proper escaping.
-- Tim Starling