Cacti session security


gstead
Posts: 4
Joined: Thu Feb 01, 2007 10:42 am

Post by gstead »

Edit: deleted b/c phpBB choked on the quote.
Last edited by gstead on Fri Feb 02, 2007 3:44 pm, edited 1 time in total.
gstead
Posts: 4
Joined: Thu Feb 01, 2007 10:42 am

Post by gstead »

As I said above, I believe this is a feature, not a bug. It appears the developers wanted users to have guest access to charts by default. Looking at the history of the source files, this behavior has been in the code for years. If you dig a little, the manual explains the behavior:
By default this user only has rights to view, but not change all graphs. This enables any unauthenticated user to visit graph_view.php and view your graphs. This behavior can be changed by either changing the realm permissions for the "guest" user, or disabling the guest user altogether under Cacti Settings.
This feature probably helps a good many Cacti admins, because they don't have to do any work to share their graphs with others.

However, if your desire is to operate a closed system, then it's easy to be misled because the behavior runs counter to what you'd expect: on most systems, a guest must login to have access. Guests wouldn't be automatically logged in for certain pages, as they are with Cacti.

The behavior is easy to change once you understand it. I would vote to add a note to this effect during installation and probably a disclaimer in the User Management section.
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

Next major release will have this feature disabled by default.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
da10us
Posts: 13
Joined: Thu Jan 25, 2007 4:48 am

Post by da10us »

Okay, problem is clear and I believe it is by design:

- Pasting the URL (from the admin account) does not show the Console tab.
- Removing the guest account stops this behaviour and shows a welcome login screen :-)

Btw: I wasn't criticizing the Cacti project. I love this marvelous tool! I never thought about security, and this software is running on a server which needs all the security there is. So maybe somebody can tell how to use Cacti with respect to security.

Also a tip: In the GUI of Barracuda's spam firewall you can set IP addresses to restrict access to the console functionality. I don't see much harm in reading RRD files and drawing graphs from them (which is basically what happens in user mode, I presume?). Maybe it's easy to implement and to some extent better for security?

Thanks for helping out with this matter!

Cheers,

Martijn
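The thread's conclusion is that an enabled guest user lets anyone load graph_view.php without logging in, and that disabling the guest user makes Cacti present the login screen instead. The script below is an added audit helper for checking which of the two states your own installation is in; it is not part of Cacti and not code from any post here. It assumes (constructed for the example) that a login page contains a password input field or arrives as a redirect to index.php, while a guest-readable graph page contains neither; the hostname is a placeholder.

```python
"""Audit helper: does a Cacti instance serve graph_view.php to an
unauthenticated visitor (guest user enabled), or does it demand a login?

Added example for this thread, not Cacti's own code. Assumptions:
a login page is either an HTTP redirect to index.php or a 200 page that
contains an <input type="password"> element; a guest-accessible graph
page is a 200 page without a password field. Hostnames are placeholders.
"""
import re
import sys
import urllib.error
import urllib.request

PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.IGNORECASE)
REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError with the 3xx code


def classify(status, location, body):
    """Classify one response to GET graph_view.php as
    'login_required' or 'guest_access' (assumed heuristics, see module doc)."""
    if status in REDIRECT_CODES and location and "index.php" in location:
        return "login_required"
    if status in (401, 403):
        return "login_required"
    if PASSWORD_FIELD.search(body):
        return "login_required"
    return "guest_access"


def fetch(url, timeout=10):
    """GET url with no cookies; return (status, Location header, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cacti-guest-audit"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, resp.headers.get("Location"), body
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return err.code, err.headers.get("Location"), body


def audit(base_url):
    """Return the classification of an anonymous request to graph_view.php."""
    return classify(*fetch(base_url.rstrip("/") + "/graph_view.php"))


if __name__ == "__main__":
    # Placeholder URL; pass your own Cacti base URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://cacti.example.invalid/cacti"
    result = audit(base)
    print(f"{base}/graph_view.php -> {result}")
    # Exit non-zero when graphs are readable without a login, so the check
    # can run from cron or a CI job and flag a re-enabled guest account.
    sys.exit(1 if result == "guest_access" else 0)
```

Run it against your own instance after disabling the guest user (or removing its realm permissions, as the quoted manual text describes) and it should report `login_required`; a `guest_access` result means anonymous visitors can still read the graphs. The classification lives in `classify()` so the heuristics can be exercised on saved responses without touching a live server.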