nagios-nrpe has a useflag "command-args" which is disabled by default. But configure seems not to respect --disable-command-args.

Reproducible: Always

Steps to Reproduce:
1. USE="-command-args" emerge nagios-nrpe

Actual Results:
dev marcel # /usr/bin/nrpe
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available
***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
** Read the NRPE SECURITY file for more information **
***************************************************************

Expected Results:
dev marcel # /usr/bin/nrpe
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available
***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
** Read the NRPE SECURITY file for more information **
***************************************************************
Created attachment 297887: configure-patch

Fix for configure
(In reply to comment #0)
> Expected Results:
> ...
> ***************************************************************
> ** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
> ** Read the NRPE SECURITY file for more information **
> ***************************************************************

Expected Results should certainly be...

dev marcel # /usr/bin/nrpe
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

without Command Arguments-Information
Created attachment 297893: configure.in-patch

A possible configure.in-patch (I'm not very familiar with build systems ;)) to use autoconf afterwards. Works for me...
If UNCONFIRMED refers to the bug, I can confirm I did not change that setting, and an emerge of 3.2.3 (#nagios says is last stable) yielded:

nrpe --version
nrpe: unrecognized option '--version'
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available
***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
** Read the NRPE SECURITY file for more information **
***************************************************************

If the patch is UNCONFIRMED, sorry, I haven't the skill to test that, and this comment is just noise.
Weird! I have dont_blame_nrpe=0 in the config file. Apparently the binary alarms even if it's not set to 1 in the config file... This might be better handled by the Nagios team to alarm only if both conditions (compile flag PLUS config change) have happened. Obviously you don't want to assume either way in the compilation for a distro... Or, at least, I wouldn't. I apologize that so many people will receive two emails from me in rapid succession...
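The two conditions discussed in the comment above (compile-time support shown in the banner, run-time dont_blame_nrpe in the config) can be audited together; the following is an added example, not part of the original thread or of NRPE. The function name, the state labels, the sample inputs, and the rules "last uncommented assignment wins" and "absent means 0" are assumptions of this example.

```shell
#!/bin/sh
# Classify NRPE command-argument exposure from two text inputs:
#   $1 = banner printed by the nrpe binary (as shown in this thread)
#   $2 = contents of the nrpe configuration file
# Prints: not-compiled | compiled-disabled | compiled-enabled
nrpe_cmdargs_state() {
    banner=$1
    cfg=$2
    # Compile-time check: per this thread, the warning is printed by
    # builds that include command-argument support.
    if ! printf '%s\n' "$banner" | grep -q 'COMMAND ARGUMENTS ARE SUPPORTED'; then
        echo not-compiled
        return 0
    fi
    # Run-time check: take the last uncommented dont_blame_nrpe value
    # (assumption of this example); a missing directive is treated as 0.
    val=$(printf '%s\n' "$cfg" |
        sed -n 's/^[[:space:]]*dont_blame_nrpe[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1)
    if [ "${val:-0}" = 1 ]; then
        echo compiled-enabled
    else
        echo compiled-disabled
    fi
}

# Constructed sample inputs (banner lines copied from the thread,
# config lines made up for the example).
SAMPLE_BANNER_WARN='TCP Wrappers Available
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **'
SAMPLE_BANNER_CLEAN='TCP Wrappers Available'
SAMPLE_CFG_OFF='server_port=5666
dont_blame_nrpe=0'
SAMPLE_CFG_ON='#dont_blame_nrpe=0
dont_blame_nrpe=1'

# The situation reported above: support compiled in, config set to 0.
nrpe_cmdargs_state "$SAMPLE_BANNER_WARN" "$SAMPLE_CFG_OFF"
nrpe_cmdargs_state "$SAMPLE_BANNER_WARN" "$SAMPLE_CFG_ON"
nrpe_cmdargs_state "$SAMPLE_BANNER_CLEAN" "$SAMPLE_CFG_ON"
```

On a real host the first argument would be the captured output of the nrpe binary and the second the contents of its configuration file.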
Fixed in 2.13-r1.
Christian, netmon, can we stabilize 2.13-r1?
(In reply to comment #7)
> Christian, netmon, can we stabilize 2.13-r1?

We're using 2.13 since a few days now on about 50 servers so I'd tend to say yes.
I just bumped to -r2 because of a typo.
Ok, thanks, let's go.

Arches, please test and mark stable:
=net-analyzer/nagios-nrpe-2.13-r2
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
amd64 stable
Stable for HPPA.
x86 stable
ppc stable
Is it continuation of bug #289722?:)
(In reply to comment #15)
> Is it continuation of bug #289722?:)

Seems so ;) But now with really conditional command-args-feature...
alpha/sparc stable
ppc64 stable, last arch done
Thanks, folks. This feels like a B2 issue to me, user-assisted code execution. GLSA request filed.
This issue was resolved and addressed in GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml by GLSA coordinator Kristian Fiskerstrand (K_F).