No default "Unique ID" or make it unique

The type of information that would be disclosed would not be security related, and hence are not considered a security risk by me. It is just operational in nature. The purpose here is to make it "hard enough" to find, not fool proof. If this is your defense, then it is security by obscurity, which is not really security at all.

I would like to hear from other users of the module though before considering this one way or the other ...

Settings status for review. Please provide feedback.

I see your point now.

I understand the part where the patch adds a requirements thing, and I am happy to add it. What I don't get is how this patch addresses the "others can see my site's status" part. Please explain.

I think it is a better explanation, yes.

Let us wait for some time for other users of this module to pitch in ...

my $.02: We use this module with many sites, and therefore, I've created a script to implement it that sets our UA string with drush. Therefore, I'm not against adding an alert to the status page, but it doesn't affect us one way or another. IMO the information that the nagios status page provides is not that critical from a security standpoint - anyone trying to crack a site is just going to try the actual exploits and see if they work, rather than going through an additional step of seeing if the vulnerable update has been applied or not.

I've wondered why there was an unsafe default before but just changed the string every time to something unique.
Putting a notification on the status page and blocking unconfigured access seems like a clean solution. Just my $0.02

One remark about the patch, shouldn't the && below be a ||

+++ nagios.module	2 Jan 2010 01:45:14 -0000
@@ -121,9 +121,9 @@ function nagios_status_page() {
+  if ($_SERVER['HTTP_USER_AGENT'] != $ua && variable_get('nagios_ua', '') == '') {

Sorry, one nigly point here:

Shouldn't we be using access_callback for the check?

Also, I like the logic of:

if user_access('administer site configuration) || ($_SERVER['HTTP_USER_.....)

Then I can test it without hacking the code or my browser.

In fact, would be a nice feature to make a simple HTML table display of the results to use a status page for the admin. Or hook into the hook_status page if that makes sense.

-J

Seems like still there is no consensus on the best way forward with this.

I am leaning towards Jacob Singh's solution that allows an Admin to see the results via an access callback.

What do others think?

As for the hook_requirmenets parts, it seems like a no brainer to add it. Please separate it out into its own patch in a new issue, and that can go in immediately. Should not be hampered by the rest of the patch.

hook_requirements issue raised separately here: #1110654: Implement a hook_requirements() function to make sure a unique ID is set

+1 for JacobSingh suggestion of adding user_access

+1 also on JacobSingh's user_access suggestion. It would make testing and patching that much quicker.

Also, I agree with the original poster on the original issue. I'd rather be more obscure with this, rather than less. Maybe even having the option of checking the incoming ip address and throwing a page not found if it doesn't match. That's not a feature request... yet... just an example of my paranoia for reference. :)

Well Jacob's idea is gathering weight. I might make an executive decision on this and run with it...

+1 also on JacobSingh's user_access suggestion.

I'm also in for not showing anything at all on this page if the incorrect unique ID is not passed. I'm even for throwing a 404 or redirecting to the homepage.

Greg, I hope this patch helps you to make your 'executive decision'... :)

heh, thanks... yes, I need to allocate a day next week to patching d.o projects! Thanks for this!

Patch in #18 committed to 6.x-1.x-dev. Thanks! =)

Actually, I shouldn't close, this needs doing for D7 too.

Ported to D7.