Provided by: xymon_4.3.30-1build2_amd64


       xymon-webaccess - Web-based access controls in Xymon


       Xymon  does not provide any built-in authentication (login) mechanism.  Instead, it relies
       on the access controls available in your web server, e.g. the Apache mod_auth modules.

       This provides a simple way of controlling access to the physical directories that make  up
       the  pages  and subpages with the hosts defined in your Xymon hosts.cfg(5) setup - you can
       use the Apache "require" setting to allow or deny  access  to  information  on  any  page,
       usually  through  the  use of a "Require group ..." setting. The group name then refers to
       one or more groups in an Apache AuthGroupFile file.

       However, this does not work for the Xymon CGI programs, since they are used to fetch
       information about all hosts in Xymon, but there is only a single directory holding all of
       the CGIs. So here you can only require that the user is logged in (the Apache "Require
       valid-user" directive). A user with a login can - if he knows the hostname - manipulate
       the request sent to the webserver and fetch information about any status by use of the
       Xymon CGI programs, even though he cannot see the overview webpages.

       To alleviate this situation, the following Xymon CGIs support a "--access=FILENAME"
       option, where FILENAME is an Apache compatible group-definitions file:

       When invoked with this option the CGI will read the  Apache  group-definitions  file,  and
       assume that an Apache group maps to a Xymon page, and then - based on the logged-in userid
       - determine which pages and hosts the user is allowed access to.  Only  information  about
       those hosts will be made available by the CGI tool.

       Members of the group root have access to all hosts.

       Access will also be granted if the user is a member of a group with the same name as the
       host being requested, or as the status column being requested.
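
       The rules above can be modelled to audit a group-definitions file before pointing
       "--access" at it. This is an added example, not Xymon's own code: the function names,
       the sample group file and the page-to-hosts map (standing in for the hosts.cfg page
       layout) are all constructed assumptions.

```python
# Added example: models the access rules described in the text; not Xymon code.
# Constructed AuthGroupFile content ("group: user1 user2 ...").
SAMPLE_GROUPS = """\
root: alice
webservers: bob carol
db01.example.com: dave
cpu: erin
"""
# Constructed page -> hosts map standing in for the hosts.cfg page layout.
SAMPLE_PAGES = {
    "webservers": {"web01.example.com", "web02.example.com"},
    "databases": {"db01.example.com"},
}


def parse_groupfile(text):
    """Return {group: set(users)} parsed from Apache group-file text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and malformed lines
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def access_allowed(groups, pages, user, host, column):
    """Apply the rules from the text; returns (allowed, reason)."""
    mine = {g for g, members in groups.items() if user in members}
    if "root" in mine:
        return True, "member of group root"
    for g in sorted(mine):
        if host in pages.get(g, ()):
            return True, f"group '{g}' maps to a page holding this host"
    if host in mine:
        return True, "member of a group named after the host"
    if column in mine:
        return True, "member of a group named after the status column"
    return False, "no matching group"


def column_named_groups(groups, known_columns):
    """Groups named like a status column; review these, they grant by column name."""
    return sorted(g for g in groups if g in known_columns)
```

       Running column_named_groups() over a real group file with the site's status column
       names shows which groups grant access by column name rather than by page.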


       The   Apache   "Authentication,   Authorization   and   Access   Control"   documentation,