check_nrpe parses arguments to -a (with fix)

John Sellens jsellens at syonex.com
Mon Apr 14 23:13:50 CEST 2008


| You can avoid this problem by quoting any arguments passed with the -a
| option:
| 
| ../check_nrpe -H one -c hello -a "opt1 -V opt2 -xyz opt3"

That ends up being not quite the same, as it passes to the nrpe
daemon as a single argument:
    hello!opt1 -V opt2 -xyz opt3
rather than multiple arguments:
    hello!opt1!-V!opt2!-xyz!opt3

Because nrpe uses popen(), I think you can get the same end
result, by passing all plugin arguments from the check_nrpe
call, but I think it limits the restrictions you can do on
the nrpe side, using multiple arguments and separators of
one form or another.

I think it also prevents one from using quotes around the $ARGx$
arguments in the command definitions in the nrpe.cfg file.  So I
think it prevents one from guarding against shell tricks from the
nrpe side.  i.e. I would normally single quote all of the $ARGx$
references in nrpe.cfg, which would prevent problems with passing
a command over the network to the nrpe port like
    check_disk!/; rm -rf /
I'm arguing that it forces one to be less security-rigorous.

(i.e. I'm still hoping to convince you that check_nrpe should stop
parsing arguments once it gets to -a.)

Thanks - cheers!

John
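
The difference argued above, as an added example that is not part of the original message or of the NRPE code base: it splits a request on `!`, substitutes `$ARG1$` into an unquoted and a single-quoted command line, and shows the words a shell would see. The plugin path, the function names and the harmless `echo INJECTED` payload are assumptions made for illustration, and Python's `shlex` (3.8 or later) only approximates `sh` tokenization.

```python
import re
import shlex

# Hypothetical command lines as they might appear in nrpe.cfg (path is made up).
UNQUOTED = "/usr/local/libexec/plugin $ARG1$"
QUOTED = "/usr/local/libexec/plugin '$ARG1$'"

def parse_request(payload):
    """Split a 'command!arg1!arg2' request into (command, [args])."""
    name, *args = payload.split("!")
    return name, args

def expand(template, args):
    """Substitute $ARGn$ macros; a macro with no matching argument becomes empty."""
    def fill(match):
        index = int(match.group(1)) - 1
        return args[index] if index < len(args) else ""
    return re.sub(r"\$ARG(\d+)\$", fill, template)

def shell_view(cmdline):
    """Approximate how sh splits the string given to popen(): a list of argv lists.
    Limitation: a token that is only ';', '&' or '|' counts as a separator even if
    it was quoted, because shlex does not report quoting."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):  # command separator
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [argv for argv in commands if argv]

def quoting_holds(args):
    """Single quotes in nrpe.cfg only contain an argument that has no ' itself."""
    return all("'" not in arg for arg in args)

def demo():
    # Constructed requests: the single-argument form from the message, and one with
    # the shape of its check_disk example but a harmless payload.
    for payload in ("hello!opt1 -V opt2 -xyz opt3", "check_disk!/; echo INJECTED"):
        _, args = parse_request(payload)
        for template in (UNQUOTED, QUOTED):
            print(payload, "|", template, "->", shell_view(expand(template, args)))

if __name__ == "__main__":
    demo()
```

With the quoted definition the whole `-a "..."` string reaches the plugin as one word, so the quoting workaround and the quoted `$ARGx$` hardening cannot be combined.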
