We use cookies to ensure that we give you the best experience on our website.  Visit our Privacy Policy to learn more. If you continue to use this site, we will assume that you are okay with it.

Your choices regarding cookies on this site.
Your preferences have been updated.
In order for the changes to take effect completely please clear your browser cookies and cache. Then reload the page.

Werk #6710: Limit crash reporting functionality to permitted users

ComponentGUI
TitleLimit crash reporting functionality to permitted users
Date2018-09-23 20:38:59
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version1.4.0p37,1.6.0b1,1.5.0p5
LevelTrivial Change
ClassSecurity Fix
CompatibilityCompatible - no manual interaction needed

The crash reporting functionality of the GUI, which shows a lot of detailed information about the internal state of the GUI, has been limited to be shown only to permitted users.

The crash report could be used by attackers to get internal information about the application state and secrets processed by the GUI.

All not permitted users will now only see a short message about the occurred crash. Some more information is written to var/log/web.log.

Only authenticated administrative users are allowed to see and submit crash reports by default.

If you like to give all your users the right to see and send crash reports give them the permission "See crash reports"

A problem with this change may be that some crashes occur only in very specific situations, for example for specific users. In such a case it may be hard to get detailed information about the situation when the crash reporting is not available. We plan to add an improved crash reporting in future versions to make all occurred crashes available to the Check_MK administrator for later debugging.

CMK-1037