Observium / OBS-913

Users can access information about devices they don't have permission for.

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: Web Interface
    • Environment: We run Observium CE version 0.14.4.5185
    Description

      Account "user1", with access level "Normal User", has configured access to device "server1". That server shares a network segment with some other servers and, for example, "router1".

      When user1 goes to see his server's port status, on the Details page, he will find all the other servers' information, like:

      • names used in Observium,
      • interface names, like Eth0
      • IP addresses (in this shared segment)
      • name, port name/number on router1

      Even though the labels are not links, and user1 can't go further to access more information about other devices, I don't think that information should be available to him.

      I am filing this bug because it prevents me from giving my client access to the monitoring.

      Link to the mailing list: http://postman.memetic.org/pipermail/observium/2014-July/007197.html

      Best Regards!
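      The report above describes a classic authorization gap: the neighbour list on the port details page is built from subnet membership alone, and only the hyperlinks are permission-gated, so device names, interface names and addresses of devices the user has no access to still reach the page. The following is an added illustration of the vulnerable lookup beside a hardened one that applies the viewer's device permissions to every row. It is example code written for this page, not Observium's own PHP code or schema; the Port model, the INVENTORY data, the PERMISSIONS table and the user names are constructed assumptions that mirror the scenario in the report.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """One interface row as a monitoring UI would list it (constructed model, not Observium's schema)."""
    device_id: int
    device_name: str
    ifname: str
    address: str  # "ip/prefix" as configured on the interface


# Constructed inventory using documentation address ranges: server1 shares
# 192.0.2.0/24 with server2 and router1; db1 sits on an unrelated subnet.
INVENTORY = (
    Port(1, "server1", "eth0", "192.0.2.10/24"),
    Port(2, "server2", "eth0", "192.0.2.11/24"),
    Port(3, "router1", "Gi0/1", "192.0.2.1/24"),
    Port(4, "db1", "eth0", "198.51.100.5/24"),
)

# Hypothetical permission table: user -> device_ids the user may view.
# user1 is the report's "Normal User" with access to server1 only.
PERMISSIONS = {"user1": {1}, "admin": {1, 2, 3, 4}}


def same_subnet(a: str, b: str) -> bool:
    """True when both interface addresses fall in the same network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def shared_subnet_ports_unfiltered(port: Port, inventory=INVENTORY) -> list[Port]:
    """The behaviour the report describes: every other port on the subnet, whoever asks.

    Nothing here consults the viewer's permissions, so names, interfaces and
    addresses of devices the user may not see are returned and rendered.
    """
    return [p for p in inventory if p != port and same_subnet(p.address, port.address)]


def shared_subnet_ports(port: Port, user: str, inventory=INVENTORY,
                        permissions=PERMISSIONS) -> list[Port]:
    """Hardened lookup: the viewer's device permissions gate every row, not just the link.

    The port being viewed is checked as well, so the function cannot be used to
    enumerate a subnet by asking about a port the user is not entitled to.
    """
    allowed = permissions.get(user, set())
    if port.device_id not in allowed:
        raise PermissionError(f"{user} may not view device {port.device_name}")
    return [p for p in shared_subnet_ports_unfiltered(port, inventory)
            if p.device_id in allowed]


def details_rows(port: Port, user: str) -> list[tuple[str, str, str]]:
    """Rows the details page would render for this viewer: (device, interface, address)."""
    return [(p.device_name, p.ifname, p.address) for p in shared_subnet_ports(port, user)]


if __name__ == "__main__":
    server1_eth0 = INVENTORY[0]
    print("leaked to anyone:", [p.device_name for p in shared_subnet_ports_unfiltered(server1_eth0)])
    print("user1 sees      :", details_rows(server1_eth0, "user1"))
    print("admin sees      :", details_rows(server1_eth0, "admin"))
```

      The point of the hardened version is that the permission check sits in the data lookup rather than in the template: a template that only decides whether to wrap a name in a link still has the name, and any later view (a CSV export, an API, the alert list mentioned in the comments) inherits the leak unless the query itself is filtered.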

        Activity
          landy Mike Stupalov made changes -
          Status Original: Resolved [ 5 ] New: Closed [ 6 ]
          landy Mike Stupalov made changes -
          Workflow Original: classic default workflow [ 11773 ] New: Observium workflow [ 13228 ]
          landy Mike Stupalov made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

           landy Mike Stupalov added a comment -

           Fixed in r7667.
          adama Adam Armstrong made changes -
          Comment [ This bug is a reason for me to not use Observium and I will take a good look at LibreNMS. Cause this is something that just should not be a problem. ]
          kentbjoh Kent Johannessen made changes -
          Attachment New: fix_permission_shared_subnet_port.patch [ 12620 ]

           kentbjoh Kent Johannessen added a comment -

           Attached patch will hide shared subnet devices if the user does not have access.

           About the alert list, I think that should already be solved, but I do not use it so cannot confirm 100%.
          eirikur87 Eiríkurk made changes -
           Comment [ I just added 50 routers having the same subnet. This is really a big bug and it needs to be solved. I can't have my customer seeing information about other interfaces on routers he is not allowed to see, just because one interface on my customer's router has the same IP as the others. Then they are just able to view each other. The names of those other devices that are shown have names and VLAN information on them that is private information. I hope this case is being looked at as a serious case. ]
          eirikur87 Eiríkurk made changes -
           Comment [ Hi, I just installed Observium and added about 50 routers to test this. They all belong to the same subnet. I also gave access to our customer to view his connection. Then I noticed this flaw. He is able to see, in the last section of the port interface page, about 50 other interfaces that have the same IP subnet, because of course I added 50 routers on the same subnet. Now I feel like I have to remove my customer's access so he is not able to view information on those interfaces that are not meant for their eyes. This should be something really easy to fix, and I'm pretty amazed that it has not been fixed yet. ]
          ngdsinc Jason J added a comment -

          I don't mind device names or interface names being shown, but right now normal users can see the alert list and all the alert rules making it a problem for me to allow any access to customer ports at this point.


           People

             sid3windr Tom Laermans
             yavor Yavor Buyukliev
             Votes: 3
             Watchers: 6