monit console commands do not work with readonly privileges on UI

Issue #253 new
Harivardhan Pyaram created an issue

If we restrict access to the Monit webserver with one readonly user and one md5 encrypted superuser, the console commands like monit summary or even monit stop and start fail.

Basically, unless there is at least one user password in cleartext with full privileges in the control file, monit cannot be used through the console.

Comments (7)

  1. Tildeslash repo owner

    The monit command line communicates with the monit daemon via the HTTP interface, which uses BasicAuthentication to protect it (we recommend enabling SSL to protect the credentials). When you execute a monit CLI command, it reads the monit configuration file (the same way as when you start monit) and gets the monit credentials from it. If the configuration file has only non-cleartext credentials for admin access, then the CLI cannot read the password and cannot authenticate.

    This limitation is documented in the monit manual (https://mmonit.com/monit/documentation/monit.html#Authentication):

    If the Monit command line interface is being used, at least one cleartext password is necessary (see below), otherwise the Monit command line
    interface will not be able to connect to the Monit web interface.
    

    If there is a read-only cleartext password, actions which require admin privileges like start/stop/restart/monitor/unmonitor cannot be performed. We may allow "status" and "summary" though.

    Alternatively, SSL client certificate authentication can be used in the next monit version (work in progress) - it will allow replacing BasicAuthentication with a client certificate; no cleartext password will be needed.
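
An added example, not part of the thread or of monit's code: a small audit of a control file that reports which level of credential the CLI could read from it, following the behaviour described in the comment above. It assumes one `allow` statement per line and unquoted inline `user:password` entries, and it does not resolve htpasswd-file or PAM-group entries; the sample fragment is constructed.

```python
import ipaddress
import re

# Constructed control-file fragment (not from the issue): a read-only cleartext
# user plus an admin whose password exists only as an md5 hash in a file.
SAMPLE_MONITRC = """\
set httpd port 2812
    allow localhost
    allow viewer:viewpass read-only
    allow md5 /etc/monit/htpasswd admin
"""

ALLOW_RE = re.compile(r"^\s*allow\s+([^#]+)", re.IGNORECASE)


def _is_host(token):
    """True for an IP address or network such as fe80::1 or 10.0.0.0/8."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def inline_credentials(text):
    """Yield (user, read_only) for each inline 'allow user:password' line."""
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        tokens = m.group(1).split() if m else []
        if not tokens:
            continue
        first = tokens[0]
        # Skip htpasswd-file entries and PAM groups (assumption: not resolved here).
        if first.lower() in ("md5", "crypt", "cleartext") or first.startswith("@"):
            continue
        user, sep, password = first.partition(":")
        # Skip host names and IPv4/IPv6 addresses, which are not credentials.
        if not sep or not user or not password or _is_host(first):
            continue
        yield user, tokens[-1].lower() == "read-only"


def cli_access(text):
    """Return 'admin', 'read-only' or 'none' for the credential the CLI can read."""
    creds = list(inline_credentials(text))
    if any(not read_only for _, read_only in creds):
        return "admin"
    return "read-only" if creds else "none"
```

A result of `read-only` or `none` corresponds to the situation reported in this issue, where admin actions from the console fail.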

  2. Harivardhan Pyaram reporter

    Wouldn't it be easier for monit to use the md5 user profile specified in the control file just like it does for the Web UI? I mean if it doesn't find a cleartext password with full privileges, it should use the profile with full privileges. Or if there's a way to give usernames and passwords through monit console commands to different profiles, it would be better. It would give two different user experiences just like in the UI.
