Thanks Andy, makes sense now. I have implemented the 3 security features you suggested so I will keep using it this way.
chiel

----- Original Message -----
From: "Andy Shellam" <[EMAIL PROTECTED]>
To: "chiel" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Tuesday, April 10, 2007 4:12 PM
Subject: Re: [Nagios-users] NRPE - command arguments, security?

> Certainly.
> Imagine you have this command in your nrpe.cfg file:
>
> command[check_disk]=/usr/local/nagios/libexec/check_disk -p $ARG1$
>
> and you want to pass "/usr" as the parameter to check the disk space
> available to the /usr directory.
> Now, imagine some rogue has discovered you're running NRPE on your server,
> connects to it, and sends the command check_disk with "/usr && rm -rf /"
> as the argument.
>
> NRPE will pass out to the shell the command
> "/usr/local/nagios/libexec/check_disk -p /usr && rm -rf /"
> which will cause it to run the plugin, then erase the entire contents of
> your server's file system.
>
> To be fair, I think it's only a risk if your server is wide open in other
> ways, such as:
>
> - NRPE allowing any host to connect to it
> - No firewall restrictions
> - sudo security really permissive
>
> etc. So if you know that only your Nagios server can connect to Nagios
> (restricted by firewalls and allowed_hosts in nrpe.cfg) I think, with a
> bit of extra attention paid to command definitions, you'll be OK. But
> that's just my opinion.
>
> Note you also have to have compiled NRPE with an extra option to allow
> command arguments (./configure --enable-command-args) as well as setting
> the option in the config file.
>
> Andy.
>
>
> chiel wrote:
>> Hi all,
>> I have just implemented some NRPE servers and I want to allow "command
>> arguments" with nrpe.
>> In the security readme from nrpe I see that this is a security issue and
>> you must set "dont_blame_nrpe" (only the argument name already...).
>> The only thing is that I don't see any reason in the docs why this is so
>> dangerous. Can somebody please explain?
>> chiel
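The thread above explains the risk: if an agent substitutes a client-supplied `$ARG1$` into a command string and hands that string to a shell, `&&` and friends are interpreted. The following is an added illustration (not NRPE's code and not from anyone in this thread) of the two defences a practitioner would want in such an agent: reject arguments containing shell metacharacters before anything is run, and substitute the argument into an argv list that is passed straight to `execve()` so no shell ever re-parses it. The command table, the metacharacter set and the stand-in "plugin" (a Python one-liner that echoes its argv, so the example runs anywhere) are all constructed for this example; the blacklist is modelled on NRPE's metacharacter check but the exact set in your NRPE build may differ.

```python
"""Added example: accepting NRPE-style command arguments without a shell.

Defence 1: refuse arguments that contain shell metacharacters.
Defence 2: build an argv list and exec the plugin directly (shell=False),
           so a hostile argument is at worst one odd literal argument.
"""
import re
import shlex
import subprocess
import sys

# Assumed blacklist, modelled on NRPE's "nasty metachars" check. Your NRPE
# version may use a different set; treat this as an illustration.
NASTY_METACHARS = set("|`&><'\"\\[]{};\r\n")

# Constructed stand-in for nrpe.cfg command definitions. Instead of the real
# check_disk plugin, the "plugin" is a Python one-liner that prints its argv,
# which makes the effect of each defence visible without touching a disk.
COMMANDS = {
    "check_disk": (
        f"{shlex.quote(sys.executable)} -c 'import sys; print(sys.argv[1:])' "
        "-p $ARG1$"
    ),
}

ARG_TOKEN = re.compile(r"\$ARG(\d+)\$")


def reject_nasty(arg: str) -> bool:
    """True if the argument contains a blacklisted shell metacharacter."""
    return any(ch in NASTY_METACHARS for ch in arg)


def _substitute(word: str, args: list) -> str:
    """Replace every $ARGn$ token inside one argv word with the n-th
    supplied argument; a token with no matching argument becomes ''."""
    def pick(m):
        n = int(m.group(1)) - 1
        return args[n] if 0 <= n < len(args) else ""
    return ARG_TOKEN.sub(pick, word)


def build_argv(command_line: str, args: list) -> list:
    """Split the configured command line into words first, then substitute
    arguments. Because substitution happens per word, an argument containing
    spaces or '&&' stays a single argv element instead of becoming new words."""
    return [_substitute(word, args) for word in shlex.split(command_line)]


def run_check(name: str, args: list) -> tuple:
    """Run a configured command with client-supplied arguments.

    Returns (exit status, stdout). Raises ValueError for an unknown command
    or for any argument that fails the metacharacter check."""
    if name not in COMMANDS:
        raise ValueError(f"unknown command {name!r}")
    for a in args:
        if reject_nasty(a):
            raise ValueError(f"argument rejected, contains shell metacharacter: {a!r}")
    argv = build_argv(COMMANDS[name], args)
    # shell=False: argv goes to execve() as-is, nothing is re-parsed.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print(run_check("check_disk", ["/usr"]))
    try:
        run_check("check_disk", ["/usr && rm -rf /"])
    except ValueError as exc:
        print("rejected:", exc)
```

Note the order of the two defences: the blacklist stops the obviously hostile input at the door, but the argv construction is what actually removes the shell from the picture, so even an argument that slipped past the blacklist is delivered to the plugin as one literal string rather than as new commands. Combined with `allowed_hosts` and a host firewall, as Andy describes, this is the layered setup to aim for when `dont_blame_nrpe` must be enabled.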
