On Thu, 31 Jul 2014, rausc...@buxtehude.debian.org wrote:

> Dear Maintainer,
> 
> I know that you compiled without --enable-command-args and that you wrote in
> the NEWS.Debian file that you disabled it because there are security problems
> and because this feature is often used wrongly.
> Some people need this feature to manage monitoring parameters centrally. Your
> nrpe.cfg disables this feature by default (dont_blame_nrpe=0), and the
> feature's comment shows everyone that enabling it could be a security problem.
> 
> In my opinion, disabling this feature by default should be enough. If someone
> needs this feature, he must compile his own nrpe server version. Maybe he needs
> to do it on hundreds of machines, and he has to do it again if the Debian
> package is updated. I don't think that compiling nrpe without this feature is a
> real security advantage, because if someone needs it, he will compile with this
> support instead of only enabling this feature.
> 
> I agree with you that this option could be a security risk, but it is
> possible to reduce the risk by setting allowed_hosts to restrict who is able
> to communicate with nrpe.
> 
> It would be nice if you would compile with --enable-command-args again. It
> would give more flexibility in how to use nrpe, and all people who use command
> args wouldn't need to manage their own version of this package.

No, sorry. I won't do this and the security agreed that this would be the
most sane solution. But you are of course free to take over maintenance of
nrpe.

Alex
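
For anyone who does run a self-built nrpe with command arguments, the two settings discussed in this thread (dont_blame_nrpe and allowed_hosts) can be checked together. The following audit is an added example, not part of this e-mail thread or of the Debian package; the function names, the sample configuration and the plugin paths in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config, not taken from any real host.
SAMPLE_CFG = """\
allowed_hosts=127.0.0.1,192.0.2.10,198.51.100.0/24
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND_KEY = re.compile(r"command\[([^\]]+)\]$")


def parse_cfg(text):
    """Return (settings, commands) from nrpe.cfg-style key=value lines."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = COMMAND_KEY.match(key.strip())
        target, name = (commands, match.group(1)) if match else (settings, key.strip())
        target[name] = value.strip()
    return settings, commands


def audit(text):
    """List findings about remotely supplied command arguments."""
    settings, commands = parse_cfg(text)
    if settings.get("dont_blame_nrpe", "0") != "1":
        return []  # arguments sent by clients are not accepted
    findings = ["dont_blame_nrpe=1: clients may pass command arguments"]
    for name, cmdline in sorted(commands.items()):
        if ARG_MACRO.search(cmdline):
            findings.append(f"command[{name}] takes remote input via $ARGn$")
    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append("allowed_hosts lists no hosts")
    for host in hosts:
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            continue  # hostname entry; its size cannot be judged offline
        if net.num_addresses > 1:
            findings.append(f"allowed_hosts entry {host} admits {net.num_addresses} addresses")
    return findings
```

Calling `audit()` on the text of a host's nrpe.cfg returns an empty list when command arguments are off, and otherwise names each command that consumes `$ARGn$` and each allowed_hosts entry that covers more than one address.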

