Ad Widget

**Aly** · 24-07-2008, 09:22

Hmm, we should change the message..

Just add it to disabled group!

**Palmertree** · 24-07-2008, 14:15

This is not a supported Zabbix hack but my own.

To get rid of the menus and to make sure guest does not work, add the "Guest" account to disabled like Aly mentioned above and modify your page_header.php as follows:

Code:

diff -ruN zabbix-original/frontends/php/include/page_header.php zabbix/frontends/php/include/page_header.php
--- zabbix-original/frontends/php/include/page_header.php       2008-07-01 10:09:38.000000000 -0400
+++ zabbix/frontends/php/include/page_header.php        2008-07-22 10:20:54.000000000 -0400
@@ -267,6 +267,8 @@
 // Check permissions for main menu
                unset($deny);
                if(!defined('ZBX_PAGE_NO_AUTHERIZATION')){
+                        if($USER_DETAILS["alias"] == "guest")
+                                $deny = true;
                        if(isset($sub['user_type'])){
                                if($USER_DETAILS['type'] < $sub['user_type'])
                                        $deny = true;

**mnelson** · 24-07-2008, 17:29

Originally posted by Aly

Hmm, we should change the message..

Just add it to disabled group!

There is no reaction when I attempt to add it to the disabled group. It still says "enabled". Actions -> select -> status disabled -> add to does nothing.

No errors are logged to the zabbix_server.log either.

**mnelson** · 24-07-2008, 20:44

Never mind.

I whacked it and installed 1.4.6 which also won't let you delete the guest account, but tells you so when you try, and will allow you to set a password for it.

**Aly** · 24-07-2008, 21:59

First, you should create such group (with checked User disabled parameter), and after that add users to it. Adding users to such group will disable them for system.

That looks very logical to me... am I wrong?

**Mosquito** · 25-07-2008, 16:19

Just a question -

Why should I need to create a group for users I want to delete? That seems counter-productive to have to add a new group to disable a user. If I want to disable them, I want to remove them from the system, not add them to some 'disabled' group.

**mnelson** · 25-07-2008, 17:56

Doesn't make sense to me either, Mosquito. I can't envision a situation where I would want someone anonymous to be able to look at anything on my network. Why even let them log in? I would rather the guest account could just be deleted completely.

**Aly** · 28-07-2008, 09:17

Originally posted by Mosquito

Just a question -

Why should I need to create a group for users I want to delete? That seems counter-productive to have to add a new group to disable a user. If I want to disable them, I want to remove them from the system, not add them to some 'disabled' group.

It's because guest user can't be deleted, it's a system user, but can be disabled.

**hrlmec** · 27-09-2008, 00:25

"That looks very logical to me... am I wrong?"

Doesn't seem logical to me at all.

There should be one account by default. The admin account. People who want a guest account should have to specifically create one.

It should be secure by default, and people who want to open their monitoring to the world should have to intentionally do it.

At the very least, I should be able to delete this account and remove all traces of it from my Zabbix database.

**mgoodman** · 06-04-2011, 23:19

Agree...

The security model around users is a bit inconsistent...e.g. user permissions within groups is too secure/inflexible, this default guest account is insecure, etc.

I wouldn't say this problem is here in the name of security, but probably rather because there were some other technical issues that arose that prevented the guest user from being deleted.

Still a problem in 1.8.4...

Ad Widget

Deleting Guest Account

Deleting Guest Account

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment