Nagios Macro Tokens accessible in NRPE check s cripts?
Andreas Ericsson
ae at op5.se
Sat Aug 13 11:45:12 CEST 2005
Ralph.Grothe at itdz-berlin.de wrote:
> On nrpe host I defined these two for testing:
>
> command[display_env]=env|sort
> command[display_hostname]=printf '$HOSTNAME$:\t%s' $HOSTNAME
>
>
>
> What I get, running these via check_nrpe from Nagios server,
> is not what I would have expected.
>
> $ /opt/sw/nagios/libexec/check_nrpe -H evo01 -c display_env
> BASH_ENV=/root/.bashrc
>
>
> Wonder where BASH_ENV came from since I set up nrpe to be run
> under someone else's uid.
> Can only imagine it's been inheritted from inetd.
>
>
> Whereas here it seems $HOSTNAME is taken from (root's?)
> environment
> but $HOSTNAME$ in particular seems to be ignored
> (it otherwise should hold evo01, the relocatable package's
> hostname)
>
>
> $ /opt/sw/nagios/libexec/check_nrpe -H evo01 -c display_hostname
> $HOSTNAME$: nemesis$
>
>
> I know that a processe's environment can also easily be tainted
> (that's why there's taint check mode in Perl for instance).
> So I would gather that env is deliberately redefined by nrpe
> to prevent exploits (e.g. relocationg a shared lib path etc.).
>
>
> So what I want isn't supported, right?
>
NRPE has no idea of Nagios' environment variables, as it's
a) A different process
b) Run on a different host
NRPE also maintains the environment it had when it started. If you want
the environment of another user to be inherited by NRPE, you *MUST*
start it as that user (via 'su -' or some other mechanism).
>
>
>
>
>>-----Original Message-----
>>From: nagios-users-admin at lists.sourceforge.net
>>[mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of
>>Ralph.Grothe at itdz-berlin.de
>>Sent: Friday, August 12, 2005 3:37 PM
>>To: nagios-users at lists.sourceforge.net
>>Subject: [Nagios-users] Nagios Macro Tokens accessible in NRPE
>
> check
>
>>scripts?
>>
>>
>>Hello,
>>
>>it says somewhere in the docs that as of Nagios V2 check
>
> scripts
>
>>(plug-ins) can access the Nagios macro tokens
>>(such as $HOSTNAME$) through their environment as env vars.
>>
>>You may be wondering why I would want to get something as
>>redundant as the hostname
>>(where the script on the remote nrpe host could simply run a
>>"uname -n" or similar, couldn't it)?
>>
>>Well, it's a bit more convoluted because what is supposed to
>>stand in $HOSTNAME$
>>is an alias for a relocatable IP address that each packet (or
>>service group,
>>depending on your cluster software's terminology) of a cluster
>
> is
>
>>provided with
>>(think of separate webservers or databases with their own
>>hostname and IP).
>>
>>On the other hand I want to avoid opening up for exploits by
>>allowing nrpe arguments
>>(viz. dont_blame_nrpe=1)
>>
>>I could circumvent the necessity of passed in arguments, by
>>keeping some flexibility,
>>if I had access to the macros like $HOSTNAME$.
>>
>>So is that given?
>>
>>Regards
>>
>>Ralph
>>
>>
>>-------------------------------------------------------
>>SF.Net email is Sponsored by the Better Software Conference &
>
> EXPO
>
>>September 19-22, 2005 * San Francisco, CA * Development
>>Lifecycle Practices
>>Agile & Plan-Driven Development * Managing Projects & Teams *
>>Testing & QA
>>Security * Process Improvement & Measurement *
>>http://www.sqe.com/bsce5sf
>>_______________________________________________
>>Nagios-users mailing list
>>Nagios-users at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/nagios-users
>>::: Please include Nagios version, plugin version (-v) and OS
>>when reporting any issue.
>>::: Messages without supporting info will risk being sent to
>
> /dev/null
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Lead Developer
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list