NRPE patch for metachars
Jason Martin
jhmartin at toger.us
Tue Aug 3 18:13:42 CEST 2004
I was the one who made the complaint; the problem is that
allowing metacharacters leaves one wide open for attack.
Allowing metacharacters without requiring ssl / tcp wrappers
just makes it too easy for someone to misuse NRPE and I'd hate
for NRPE to get on the 'bad' list in the IT Security world. I
solved it by base64 encoding the regular expression (using a
very simple perl script in the check command definition so the
expression was cleartext in the nagios config) prior to
sending it and modifying the plugin to handle decoding it.
-Jason Martin
On Tue, Aug 03, 2004 at 11:35:05AM -0400, Stephen Carpenter wrote:
> I noticed a bit ago someone else had the same problem I did: trying
> to pass a perl regular expression to a check failed due to a rather
> paranoid restriction in NRPE.
>
> I submitted a patch to nagios at nagios.org a while ago but heard
> nothing, so I figure maybe sending it to this list will help someone.
> I have added a new config option:
>
> allow_metachars=1
>
> This and command line arguments has vastly simplified my life.
>
> === Allow Metachars Patch ===
> here is the patch:
> RCS file: /usr/local/cvsroot/build/nrpe2/src/src/nrpe.c,v
> retrieving revision 1.1
> retrieving revision 1.2
> diff -u -r1.1 -r1.2
> --- nrpe.c 29 Dec 2003 17:30:05 -0000 1.1
> +++ nrpe.c 24 Jun 2004 15:28:29 -0000 1.2
> @@ -67,6 +67,7 @@
> char *nrpe_group=NULL;
>
> int allow_arguments=FALSE;
> +int allow_metachars=FALSE;
>
> int show_help=FALSE;
> int show_license=FALSE;
> @@ -381,6 +382,9 @@
> else if(!strcmp(varname,"dont_blame_nrpe"))
> allow_arguments=(atoi(varvalue)==1)?TRUE:FALSE;
>
> + else if(!strcmp(varname,"allow_metachars"))
> + allow_metachars=(atoi(varvalue)==1)?TRUE:FALSE;
> +
> else if(!strcmp(varname,"command_timeout")){
> command_timeout=atoi(varvalue);
> if(command_timeout<1){
> @@ -1295,7 +1299,7 @@
> }
>
> /* make sure request doesn't contain nasties */
> - if(contains_nasty_metachars(pkt->buffer)==TRUE){
> + if(! allow_metachars &&
> contains_nasty_metachars(pkt->buffer)==TRUE){
> syslog(LOG_ERR,"Error: Request contained illegal
> metachars!");
> return ERROR;
> }
> === END ===
>
--
This isn't hell, but I can see it from here.
This message is PGP/MIME signed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 211 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/users/attachments/20040803/8ba695cf/attachment.sig>
More information about the Users
mailing list