Icinga / icinga-doc

Icinga 1.x documentation in Docbook (EOL)
https://www.icinga.org/download/

[dev.icinga.com #6409] exclude_customvar* is missing in cgi.cfg documentation #451

Closed icinga-migration closed 10 years ago

icinga-migration commented 10 years ago

This issue has been migrated from Redmine: https://dev.icinga.com/issues/6409

Created by steppenwolf on 2014-06-04 17:52:11 +00:00

Assignee: Wolfgang
Status: Closed (closed on 2014-07-19 13:37:57 +00:00)
Target Version: 1.12
Last Update: 2014-07-19 13:37:57 +00:00 (in Redmine)

Icinga Version: Icinga Classic UI 1.11.3 (Backend r2.0.0-1.beta1) 

The content of custom variables (vars.*) appears on the host or service details (classicUI).

This is a welcome feature, but it is buggy/incomplete.

All vars.* get expanded unconditionally on the web interface, sensitive and non-sensitive data alike.

This information leak is unacceptable in a production environment.

I have attached a screenshot of the vars.* expansion, where a workaround also appears: vars are not expanded twice.

These are the command and service definitions that generated this:

/etc/icinga2/conf.d/hosts/localhost/http.conf:

    object Service "http" {
      import "generic-service"

      host_name = "localhost"
      check_command = "http2"
      vars.sla = "24x7"
      vars.httpuser = "DummyUser"
      vars.httppass = "DummyPass"
      vars.httpuri = "/icinga/"
      vars.htthost = "$address$"
    }

/etc/icinga2/conf.d/commands.conf:

    object CheckCommand "http2" {
      import "plugin-check-command"

      command = PluginDir + "/check_http"

      arguments = {
        "-H" = "$htthost$",
        "-a" = "$httpuser$:$httppass$",
        "-u" = "$httpuri$"
      }
    }

/etc/icinga2/conf.d/hosts/localhost.conf:

    object Host "localhost" {
      import "generic-host"

      address = "127.0.0.1"
      address6 = "::1"

      vars.sla = "24x7"
    }


icinga-migration commented 10 years ago

Updated by steppenwolf on 2014-06-04 17:52:47 +00:00

icinga-migration commented 10 years ago

Updated by steppenwolf on 2014-06-04 17:55:27 +00:00

Ugh, sorry for the bad formatting of the config snippets

icinga-migration commented 10 years ago

Updated by mfriedrich on 2014-06-04 18:11:30 +00:00

Seems #4390 was never documented. I've initially added such a config option at implementation stage being fully aware of the possible exposure of these values.

I'd rather move this issue to 1.x docs and allow the documentation to be fixed. Meanwhile you can open the cgi.cfg and add the required exclusions by yourself.

icinga-migration commented 10 years ago

Updated by steppenwolf on 2014-06-04 18:40:28 +00:00

exclude_customvar_name=*

I'd rather keep all hidden.

Thanks

icinga-migration commented 10 years ago

Updated by mfriedrich on 2014-06-04 18:58:12 +00:00

icinga-migration commented 10 years ago

Updated by Wolfgang on 2014-06-04 20:30:11 +00:00

Attached two git formatted patches containing the changes against next.

icinga-migration commented 10 years ago

Updated by mfriedrich on 2014-07-19 13:37:57 +00:00
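
The following Python audit is an added example, not part of the original thread or of Icinga's own code: it lists the `vars.*` names in Icinga 2 config text and reports credential-looking ones that `cgi.cfg` would still leave visible. Only `exclude_customvar_name=*` comes from the thread; the name hints, the comma-separated list format and the exact-match rule for non-wildcard entries are assumptions, and the sample config is constructed from the report.

```python
import re

# Constructed sample, modelled on the service definition posted in the report.
SAMPLE_SERVICE_CONF = '''
object Service "http" {
  import "generic-service"
  host_name = "localhost"
  check_command = "http2"
  vars.sla = "24x7"
  vars.httpuser = "DummyUser"
  vars.httppass = "DummyPass"
  vars.httpuri = "/icinga/"
}
'''

# Hypothetical hints for names whose values should never reach a status page.
SENSITIVE_HINTS = ("pass", "user", "secret", "token", "community", "key")
VAR_RE = re.compile(r"^\s*vars\.([A-Za-z_]\w*)\s*=", re.M)

def custom_var_names(conf_text):
    """Names assigned as vars.<name>, in order of first appearance."""
    return list(dict.fromkeys(VAR_RE.findall(conf_text)))

def excluded_names(cgi_cfg_text):
    """Entries of every uncommented exclude_customvar_name line in cgi.cfg."""
    entries = []
    for line in cgi_cfg_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "exclude_customvar_name":
            # Assumption: several names are given as a comma-separated list.
            entries += [e.strip() for e in value.split(",") if e.strip()]
    return entries

def exposed_sensitive_vars(conf_text, cgi_cfg_text):
    """Sensitive-looking custom variables that cgi.cfg does not hide."""
    excludes = excluded_names(cgi_cfg_text)
    if "*" in excludes:  # the setting quoted in the thread: hide everything
        return []
    # Assumed strictest reading: hidden only when an entry equals the name.
    return [name for name in custom_var_names(conf_text)
            if any(h in name.lower() for h in SENSITIVE_HINTS)
            and name not in excludes]

if __name__ == "__main__":
    for cfg in ("", "exclude_customvar_name=*"):
        print(repr(cfg), "->", exposed_sensitive_vars(SAMPLE_SERVICE_CONF, cfg))
```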