Nagios Macro Tokens accessible in NRPE check scripts?
Ralph.Grothe at itdz-berlin.de
Fri Aug 12 16:17:46 CEST 2005
On nrpe host I defined these two for testing:
command[display_env]=env|sort
command[display_hostname]=printf '$HOSTNAME$:\t%s' $HOSTNAME
What I get, running these via check_nrpe from Nagios server,
is not what I would have expected.
$ /opt/sw/nagios/libexec/check_nrpe -H evo01 -c display_env
BASH_ENV=/root/.bashrc
Wonder where BASH_ENV came from since I set up nrpe to be run
under someone else's uid.
Can only imagine it's been inherited from inetd.
Whereas here it seems $HOSTNAME is taken from (root's?)
environment
but $HOSTNAME$ in particular seems to be ignored
(it otherwise should hold evo01, the relocatable package's
hostname)
$ /opt/sw/nagios/libexec/check_nrpe -H evo01 -c display_hostname
$HOSTNAME$: nemesis$
I know that a process's environment can also easily be tainted
(that's why there's taint check mode in Perl for instance).
So I would gather that env is deliberately redefined by nrpe
to prevent exploits (e.g. relocating a shared lib path etc.).
So what I want isn't supported, right?
> -----Original Message-----
> From: nagios-users-admin at lists.sourceforge.net
> [mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of
> Ralph.Grothe at itdz-berlin.de
> Sent: Friday, August 12, 2005 3:37 PM
> To: nagios-users at lists.sourceforge.net
> Subject: [Nagios-users] Nagios Macro Tokens accessible in NRPE check scripts?
>
>
> Hello,
>
> it says somewhere in the docs that as of Nagios V2 check scripts
> (plug-ins) can access the Nagios macro tokens
> (such as $HOSTNAME$) through their environment as env vars.
>
> You may be wondering why I would want to get something as
> redundant as the hostname
> (where the script on the remote nrpe host could simply run a
> "uname -n" or similar, couldn't it)?
>
> Well, it's a bit more convoluted because what is supposed to
> stand in $HOSTNAME$
> is an alias for a relocatable IP address that each packet (or
> service group,
> depending on your cluster software's terminology) of a cluster is
> provided with
> (think of separate webservers or databases with their own
> hostname and IP).
>
> On the other hand I want to avoid opening up for exploits by
> allowing nrpe arguments
> (viz. dont_blame_nrpe=1)
>
> I could circumvent the necessity of passed in arguments, by
> keeping some flexibility,
> if I had access to the macros like $HOSTNAME$.
>
> So is that given?
>
> Regards
>
> Ralph
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development
> Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams *
> Testing & QA
> Security * Process Improvement & Measurement *
> http://www.sqe.com/bsce5sf
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS
> when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
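
Added example, not part of the original message and not code from the NRPE project: a wrapper that runs a check command with a scrubbed environment, so a BASH_ENV or library path inherited from inetd (as seen in the display_env output above) never reaches the check script. The function names, the variable list and SAFE_PATH are assumptions.

```shell
#!/bin/sh
# Added example: keep variables inherited from inetd (BASH_ENV, library
# paths) out of the commands that nrpe runs.

# Assumed minimal search path for check scripts; adjust per host.
SAFE_PATH="/usr/bin:/bin"

# Variables that change how a shell or the dynamic loader behaves.
RISKY_VARS="BASH_ENV ENV LD_PRELOAD LD_LIBRARY_PATH"

# Print the name of every risky variable that is set in the current shell.
audit_env() {
    for v in $RISKY_VARS; do
        eval "state=\${$v+set}"
        if [ "$state" = set ]; then
            echo "$v"
        fi
    done
}

# Run the given command with an empty environment plus a fixed PATH and LANG.
run_clean() {
    env -i PATH="$SAFE_PATH" LANG=C "$@"
}

# Used as a wrapper script: <wrapper> <command> [args...]
if [ "$#" -gt 0 ]; then
    run_clean "$@"
    exit $?
fi
```

In nrpe.cfg the command definition would then name the wrapper (at whatever path it is installed, a placeholder here) in front of the real check, with no need for dont_blame_nrpe=1.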