Nagios Macro Tokens accessible in NRPE check scripts?

Ralph.Grothe at itdz-berlin.de
Fri Aug 12 16:17:46 CEST 2005


On nrpe host I defined these two for testing:

command[display_env]=env|sort
command[display_hostname]=printf '$HOSTNAME$:\t%s' $HOSTNAME



What I get, running these via check_nrpe from Nagios server,
is not what I would have expected.

$ /opt/sw/nagios/libexec/check_nrpe -H evo01 -c display_env
BASH_ENV=/root/.bashrc


Wonder where BASH_ENV came from since I set up nrpe to be run
under someone else's uid.
Can only imagine it's been inherited from inetd.


Whereas here it seems $HOSTNAME is taken from (root's?)
environment
but $HOSTNAME$ in particular seems to be ignored
(it otherwise should hold evo01, the relocatable package's
hostname)


$ /opt/sw/nagios/libexec/check_nrpe -H evo01 -c display_hostname
$HOSTNAME$:     nemesis$


I know that a process's environment can also easily be tainted
(that's why there's taint check mode in Perl for instance).
So I would gather that env is deliberately redefined by nrpe
to prevent exploits (e.g. relocating a shared lib path etc.).


So what I want isn't supported, right?




> -----Original Message-----
> From: nagios-users-admin at lists.sourceforge.net
> [mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of
> Ralph.Grothe at itdz-berlin.de
> Sent: Friday, August 12, 2005 3:37 PM
> To: nagios-users at lists.sourceforge.net
> Subject: [Nagios-users] Nagios Macro Tokens accessible in NRPE check
> scripts?
> 
> 
> Hello,
> 
> it says somewhere in the docs that as of Nagios V2 check scripts
> (plug-ins) can access the Nagios macro tokens
> (such as $HOSTNAME$) through their environment as env vars.
> 
> You may be wondering why I would want to get something as
> redundant as the hostname 
> (where the script on the remote nrpe host could simply run a
> "uname -n" or similar, couldn't it)?
> 
> Well, it's a bit more convoluted because what is supposed to
> stand in $HOSTNAME$
> is an alias for a relocatable IP address that each packet (or
> service group,
> depending on your cluster software's terminology) of a cluster is
> provided with
> (think of separate webservers or databases with their own
> hostname and IP).
> 
> On the other hand I want to avoid opening up for exploits by
> allowing nrpe arguments
> (viz. dont_blame_nrpe=1)
> 
> I could circumvent the necessity of passed in arguments, by
> keeping some flexibility,
> if I had access to the macros like $HOSTNAME$.
> 
> So is that given?
> 
> Regards
> 
> Ralph
> 
> 


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
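
A way to audit an nrpe.cfg for the two things this message is concerned with, as an added example that is not part of the original post or of NRPE itself: it reports whether dont_blame_nrpe=1 is set, which commands use $ARGn$ placeholders, and which contain other $NAME$ tokens such as the $HOSTNAME$ that came back unexpanded in the output above. The function names, the check_pkg command and its path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the NRPE distribution.
# Assumption: NRPE substitutes only $ARGn$ placeholders (and only when
# argument passing is enabled); any other $NAME$ token reaches the shell as-is.

# audit_nrpe_cfg [FILE...]  (reads stdin when no file is given)
# Prints one finding per line:
#   ARGS_ENABLED          dont_blame_nrpe=1 is set
#   ARG <command>         the command line uses a $ARGn$ placeholder
#   MACRO <command> <tok> the command line holds another $NAME$ token
audit_nrpe_cfg() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*dont_blame_nrpe[ \t]*=[ \t]*1[ \t]*$/ { print "ARGS_ENABLED"; next }
    /^[ \t]*command\[[^]]+\][ \t]*=/ {
        name = $0
        sub(/^[ \t]*command\[/, "", name)
        sub(/\].*$/, "", name)
        body = $0
        sub(/^[^=]*=/, "", body)
        while (match(body, /\$[A-Z][A-Z0-9_]*\$/)) {
            tok = substr(body, RSTART, RLENGTH)
            if (tok ~ /^\$ARG[0-9]+\$$/) print "ARG " name
            else print "MACRO " name " " tok
            body = substr(body, RSTART + RLENGTH)
        }
    }' "$@"
}

# Constructed sample: the two test commands from the message plus a
# hypothetical argument-taking command and dont_blame_nrpe=1.
sample_cfg() {
    cat <<'EOF'
# constructed sample nrpe.cfg fragment
dont_blame_nrpe=1
command[display_env]=env|sort
command[display_hostname]=printf '$HOSTNAME$:\t%s' $HOSTNAME
command[check_pkg]=/usr/local/libexec/check_pkg -H $ARG1$
EOF
}

# Demo run on the constructed sample.
sample_cfg | audit_nrpe_cfg
```

A MACRO finding marks a command whose token will be handed to the shell literally; an ARG finding only matters on hosts where ARGS_ENABLED is also reported.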




