
[Nagios-devel] [PATCH] NRPE: regular expression checks for command

Posted: Fri Mar 21, 2008 10:07 am
by Guest
Hi everybody!

The following patch for the NRPE agent adds a regular expression check facility
for command arguments, using POSIX' extended regular expressions via regcomp()/regexec().
This makes NRPE a little bit safer for uses where command arguments are needed.

Example:

I have the following command definitions in "nrpe.cfg":

command[check_echo1]=/bin/echo $ARG1=start|stop$
command[check_echo2]=/bin/echo $ARG1=[A-Za-z]+$

So the format of a macro is "$ARG=$", where "=" is optional.

NRPE will match the command line arguments against "^()$",
and reject the arguments that don't match:

bjoern@james:~$ check_nrpe -H localhost -c check_echo1 -a start
start
bjoern@james:~$ check_nrpe -H localhost -c check_echo1 -a stop
stop
bjoern@james:~$ check_nrpe -H localhost -c check_echo1 -a reload
NRPE: Malformed macro in command 'check_echo1'
bjoern@james:~$ check_nrpe -H localhost -c check_echo2 -a something
something
bjoern@james:~$ check_nrpe -H localhost -c check_echo2 -a "something dangerous"
NRPE: Malformed macro in command 'check_echo2'

Regards,
Bjoern Beutel

------------------------------ snip ------------------------------------------

diff -rU 3 nrpe-2.12/configure.in nrpe-regexp/configure.in
--- nrpe-2.12/configure.in 2008-03-10 22:04:41.000000000 +0100
+++ nrpe-regexp/configure.in 2008-03-21 18:52:24.000000000 +0100
@@ -28,7 +28,7 @@
AC_HEADER_STDC
AC_HEADER_TIME
AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS(ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h tcpd.h unistd.h arpa/inet.h netinet/in.h socket.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h)
+AC_CHECK_HEADERS(ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h tcpd.h unistd.h arpa/inet.h netinet/in.h socket.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h regex.h)

dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
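Review bot: the AC_CHECK_HEADERS change only probes for regex.h, and nothing in this hunk makes configure warn or stop when the header is missing, so a build on such a system would silently ship without the argument check. Since the feature is a safety control, consider adding AC_CHECK_FUNCS(regcomp regexec) and an AC_MSG_WARN (or a hard error) when either the header or the functions are absent.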
diff -rU 3 nrpe-2.12/include/config.h.in nrpe-regexp/include/config.h.in
--- nrpe-2.12/include/config.h.in 2007-11-23 18:31:23.000000000 +0100
+++ nrpe-regexp/include/config.h.in 2008-03-21 18:50:26.000000000 +0100
@@ -243,6 +243,11 @@
#include
#endif

+#undef HAVE_REGEX_H
+#ifdef HAVE_REGEX_H
+#include
+#endif
+
#undef HAVE_KRB5_H
#ifdef HAVE_KRB5_H
#include
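Review bot: the new HAVE_REGEX_H block makes the include conditional, so the code that calls regcomp()/regexec() needs the same guard and the guarded-out case needs a defined behaviour. When HAVE_REGEX_H is unset, a macro that carries a pattern should be rejected rather than expanded unchecked; please say so in a comment next to this block.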

diff -rU 3 nrpe-2.12/src/nrpe.c nrpe-regexp/src/nrpe.c
--- nrpe-2.12/src/nrpe.c 2008-03-10 22:04:43.000000000 +0100
+++ nrpe-regexp/src/nrpe.c 2008-03-21 18:27:38.000000000 +0100
@@ -1199,38 +1199,44 @@
else
snprintf(raw_command,sizeof(raw_command)-1,"%s %s",command_prefix,temp_command->command_line);
raw_command[sizeof(raw_command)-1]='\x0';
- process_macros(raw_command,processed_command,sizeof(processed_command));
-
- /* log info to syslog facility */
- if(debug==TRUE)
- syslog(LOG_DEBUG,"Running command: %s",processed_command);
-
- /* run the command */
- strcpy(buffer,"");
- result=my_system(processed_command,command_timeout,&early_timeout,buffer,sizeof(buffer));
-
- /* log debug info */
- if(debug==TRUE)
- syslog(LOG_DEBUG,"Command completed with return code %d and output: %s",result,buffer);
-
- /* see if the command timed out */
- if(early_timeout==TRUE)
- snprintf(buffer,sizeof(buffer)-1,"NRPE: Command timed out after %d seconds\n",command_timeout);
- else if(!strcmp(buffer,""))
- snprintf(buffer,sizeof(buffer)-1,"NRPE: Unable to read output\n");
-
- buffer[sizeof(buffer)-1]='\x0';
-
- /* check return code bounds */
- if((result3)){
+ if (process_mac
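Review bot: at the new "if (process_mac" line, the whole run-and-log block removed above (from the process_macros() call down to the return code bounds check) is replaced instead of being left in place, which makes a security-relevant change hard to audit. Testing the failure result first and bailing out before the existing block would keep this hunk down to a few lines; the new line also writes "if (" with a space where the surrounding code uses "if(debug==TRUE)".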

...[email truncated]...


This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
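
The anchored match described in the post, as an added example that is not code from the patch or from NRPE: it shows why the pattern has to be grouped before it is anchored, since a bare "^start|stop$" accepts anything that merely begins with "start". The helper name arg_matches() and the placement of the pattern inside "^(" and ")$" are assumptions; the sample arguments are constructed.

```c
/* Added example, not code from the NRPE patch. arg_matches() is a
 * hypothetical helper; wrapping the pattern as "^(pattern)$" is an
 * assumption based on the post's description. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if arg matches pattern as a whole, 0 if it does not, and -1 on
 * an invalid or oversized pattern (callers should treat -1 as a rejection). */
int arg_matches(const char *pattern, const char *arg, int grouped)
{
    char anchored[256];
    regex_t re;
    int n, rc;

    /* grouped=0 builds the naive "^pattern$" form, for comparison only */
    n = snprintf(anchored, sizeof(anchored),
                 grouped ? "^(%s)$" : "^%s$", pattern);
    if (n < 0 || (size_t)n >= sizeof(anchored))
        return -1;                      /* truncated pattern: fail closed */

    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;                      /* invalid pattern: fail closed */

    rc = regexec(&re, arg, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Patterns are the two from the post's nrpe.cfg lines; the
     * arguments are constructed samples. */
    const char *cases[][2] = {
        {"start|stop", "start"}, {"start|stop", "reload"},
        {"start|stop", "start anything"}, {"[A-Za-z]+", "something"},
        {"[A-Za-z]+", "something dangerous"},
    };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-12s %-22s grouped=%d naive=%d\n", cases[i][0], cases[i][1],
               arg_matches(cases[i][0], cases[i][1], 1),
               arg_matches(cases[i][0], cases[i][1], 0));
    return 0;
}
```

REG_NEWLINE is deliberately left out, so "$" matches only at the very end of the argument and a trailing newline is rejected.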