Brion Vibber wrote:
Dan Collins wrote:
On a similar topic, why is nagios.wikimedia.org behind a password now? Does
it really need to be secured?
Apparently in order to be able to update things through the nagios UI,
we needed to enable password protection. There's probably some sane way
of still allowing read-only visitors without demanding a password, though.
Apparently the nagios developers are so confident that nagios's command
interface has arbitrary shell execution vulnerabilities that they go to
extreme lengths to prevent you from enabling it in an environment without
password protection.
I would chalk it up to paranoia, except that Nagios NRPE has a similar
protection against enabling parameters to check commands, and it turns out
that those parameters are indeed passed through to the shell without
proper escaping.
-- Tim Starling
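
An added example, not part of the original thread: a small audit of an NRPE configuration for the condition described in the last message, where check commands accept client-supplied parameters. It assumes the standard `dont_blame_nrpe` option and `$ARGn$` macros of `nrpe.cfg`; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample nrpe.cfg content (not taken from any real host).
SAMPLE_CFG = """\
# sample configuration
allowed_hosts=127.0.0.1
dont_blame_nrpe=1
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND_DEF = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.+)$")


def audit_nrpe_config(text):
    """Return (args_enabled, {command_name: [macros]}) for an nrpe.cfg body."""
    args_enabled = False
    parameterised = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "dont_blame_nrpe":
            # This sketch takes the last value seen in the file (assumption).
            args_enabled = value.strip() == "1"
            continue
        match = COMMAND_DEF.match(line)
        if match:
            macros = ARG_MACRO.findall(match.group(2))
            if macros:
                parameterised[match.group(1)] = macros
    return args_enabled, parameterised


def findings(text):
    """Names of commands whose client-supplied arguments reach the command line."""
    enabled, parameterised = audit_nrpe_config(text)
    return sorted(parameterised) if enabled else []


if __name__ == "__main__":
    for name in findings(SAMPLE_CFG):
        print(f"review: command[{name}] takes client-supplied arguments")
```

Commands reported here are the ones to rewrite with fixed thresholds so that argument passing can be switched off.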