Security problem?

ScaredyCat
Posts: 7
Joined: Thu Aug 18, 2005 6:20 am

Post by ScaredyCat »

Hi,

I have a guest account set up in cacti, but the user has to log in with a password. The problem is if I put:

http://<ip-address-of-cacti-box>/cacti/graph_view.php?action=preview&host_id=1&filter=
in my browser (even after clearing cache, closing browser etc) I can still see anything I want (in the graphs section).

Shouldn't this force a login?

SC
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

Nope, it shouldn't..... Guest access does not validate the password. It just uses the permissions of the guest, if enabled, to allow anonymous viewing of graphs. So you should make sure that the guest account has minimal rights.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.

Post by ScaredyCat »

rony wrote:Nope, it shouldn't..... Guest access does not validate the password. It just uses the permissions of the guest, if enabled, to allow anonymous viewing of graphs. So you should make sure that the guest account has minimal rights.
Guest access from the login page validates the password, why would it not be forced to log in - i.e. you can bypass it. Seems a bit odd, that's all..

SC

Post by rony »

When you go to graph_view.php and are not already logged in, cacti will attempt to use the defined "Guest User" to grant access, without a password, allowing anonymous access. This behavior is completely intentional.

If you would like to disable this, and require guest to use a password to view graphs, then you need to remove the "Guest User" from the Settings->Authentication.

Post by ScaredyCat »

rony wrote:When you go to graph_view.php and are not already logged in, cacti will attempt to use the defined "Guest User" to grant access, without a password, allowing anonymous access. This behavior is completely intentional.

If you would like to disable this, and require guest to use a password to view graphs, then you need to remove the "Guest User" from the Settings->Authentication.
Perfect - removed the guest access and it forced the login page so the guest account could log in - thanks...

I was just a little concerned I didn't see any reference to this in the docs. Perhaps it's worth highlighting - then again I may just be paranoid...

SC
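
A check an administrator can run after changing the "Guest User" setting, added here as an example and not part of the original posts or of Cacti's own code: it requests the URL from the first post with no cookies or credentials and reports whether the login form or the graphs come back. The login field names, the `graph_image.php` marker, the function names and the sample bodies are assumptions made for this example.

```python
import sys
import urllib.error
import urllib.request

# Path and query string as quoted in the first post of this thread.
GRAPH_PATH = "/cacti/graph_view.php?action=preview&host_id=1&filter="
# Assumptions (not from the thread): the login form uses these field names,
# and rendered graph pages reference graph_image.php.
LOGIN_MARKERS = ("login_username", "login_password")
GRAPH_MARKER = "graph_image.php"

# Constructed sample bodies (not captured from a real server).
SAMPLE_LOGIN = ('<form method="post"><input name="login_username">'
                '<input type="password" name="login_password"></form>')
SAMPLE_GRAPHS = '<img src="graph_image.php?local_graph_id=1&rra_id=0">'


def classify(status, body):
    """Classify one response to a cookie-less request for graph_view.php."""
    if status in (401, 403):
        return "login-required"
    if all(marker in body for marker in LOGIN_MARKERS):
        return "login-required"
    if status == 200 and GRAPH_MARKER in body:
        return "anonymous-access"   # the Guest User is granting access
    return "inconclusive"           # error page, proxy, or a different layout


def check(base_url, timeout=10):
    """Fetch the graph preview without cookies or credentials and classify it."""
    url = base_url.rstrip("/") + GRAPH_PATH
    request = urllib.request.Request(url, headers={"User-Agent": "guest-access-audit"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            body = response.read().decode("utf-8", errors="replace")
            return classify(response.status, body)
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses arrive as exceptions; classify them the same way.
        return classify(err.code, err.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python check_guest.py http://<ip-address-of-cacti-box>
    result = check(sys.argv[1])
    print(result)
    sys.exit(0 if result == "login-required" else 1)
```

The non-zero exit status for anything other than `login-required` lets the check run from a scheduled job, so that a re-enabled guest user is noticed.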

Post by rony »

Next major version of cacti will have the guest user access disabled by default and it will be fully documented.