NRPE enhancement

Dave Viner dviner at yahoo-inc.com
Mon Dec 23 17:50:32 CET 2002


Hi Rue,
	Security is a great reason for limiting the commands that NRPE is able to execute.  But my suggested enhancement wouldn't allow NRPE to execute any command that isn't listed in the cfg file.  That is, the NRPE would still need to find the path to the executable in the nrpe.cfg file, then use any remaining information as arguments passed to the executable.  It is true that this is less secure than forcing the entire command line (executable and arguments) in the config file.  But, so long as the executables are well authored and handle unexpected arguments well, I think this enhancement would not significantly decrease security.  Do you think that specifying arguments would make NRPE significantly less secure?


Dave


-----Original Message-----
From: nagios-users-admin at lists.sourceforge.net
[mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of Rue Turner
Sent: Friday, December 20, 2002 1:33 PM
To: Naios Users
Subject: Re: [Nagios-users] NRPE enhancement


dave,

I think the reason for this choice of configuration is security. If the
nrpe was allowed to run whatever it was asked it would be easy to
compromise your machines. This way although your configs are hefty (mine
have almost a hundred lines in) you can only ask it to run commands from
this library.

rue


On Fri, 2002-12-20 at 17:35, Dave Viner wrote:
> Hi,
> 	I'd like to suggest an enhancement to NRPE, and if people think this is a
> good idea, I'll try to make a patch to support my suggestion.  Currently the
> nrpe.cfg file specifies all the commands in this fashion:
> 	command[check_disk1]=/usr/local/nagios/libexec/check_disk 80 95 /dev/hda1
> A result of this design is that if you want to check something like
> /dev/hda1 and /dev/hdb1, you need two separate lines in the nrpe.cfg file.
> 	So, I'd like to propose that we extend NRPE to allow for the arguments to a
> command to be specified by the central Nagios server instead of in the
> nrpe.cfg.  The idea is that the nrpe.cfg would have one command line which
> maps a key, 'check_disk', to a local executable,
> '/usr/local/nagios/libexec/check_disk'.  The rest would be specified from
> the central Nagios server in some manner.
> 	I think this would greatly simplify the nrpe.cfg files, and reduce a lot of
> redundant command definitions that differ only in the arguments they
> require.  Also, it would mean that you'd need to update your nrpe.cfg very
> rarely.  In fact, you'd only need to update it when you add a new plugin.
> 	I don't have a concrete suggestion for implementing this yet, because I
> want to see if the community is interested in this idea first.  Has this
> idea been suggested previously?  Is anyone currently interested in the idea
> or would I be the only consumer of such a service?
> 
> thanks
> dave


                      r u e  t u r n e r
  · t · h · i · n · l · a · y · e · r · 
 
-- index, n.: Alphabetical list of words of no possible interest where
an alphabetical list of subjects with references ought to be.
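
The trade-off debated in this thread, as an added example that is not part of the original messages and is not NRPE's own code: the config maps a key to an executable, the server supplies the arguments, and the daemon builds an argv[] for execv() so no shell ever parses them. The `!`-separated request format, `MAX_ARGS`, the allowed character set and the rule rejecting a leading `-` are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8   /* assumed cap on server-supplied arguments */

/* Constructed stand-in for nrpe.cfg under the proposal: key -> executable only. */
static const struct { const char *key, *path; } CMDS[] = {
    { "check_disk", "/usr/local/nagios/libexec/check_disk" },
};

/* Allowlist, not blocklist: thresholds, device paths and similar tokens only. */
static int arg_is_safe(const char *a) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "0123456789/_.%:,";
    if (*a == '\0' || *a == '-') return 0;   /* no empty args, no injected options */
    return strspn(a, ok) == strlen(a);
}

/* Split "key!arg1!arg2" (hypothetical request format) in place into an argv[]
 * for execv(). Returns argc, -1 for an unlisted key, -2 for a rejected argument. */
int build_argv(char *req, const char *argv[MAX_ARGS + 2]) {
    int argc = 0;
    size_t i;
    char *p, *sep = strchr(req, '!');
    if (sep) *sep = '\0';
    for (i = 0; i < sizeof CMDS / sizeof CMDS[0]; i++)
        if (strcmp(req, CMDS[i].key) == 0) { argv[argc++] = CMDS[i].path; break; }
    if (argc == 0) return -1;
    while (sep) {
        p = sep + 1;
        sep = strchr(p, '!');
        if (sep) *sep = '\0';
        if (argc > MAX_ARGS || !arg_is_safe(p)) return -2;   /* too many or unsafe */
        argv[argc++] = p;
    }
    argv[argc] = NULL;
    return argc;
}

int main(void) {
    /* Constructed requests: one valid, one unlisted key, one with a shell metacharacter. */
    char reqs[][40] = { "check_disk!80!95!/dev/hda1", "uptime!now",
                        "check_disk!80!95!/dev/hda1;echo" };
    const char *argv[MAX_ARGS + 2];
    for (size_t r = 0; r < 3; r++) {
        int n = build_argv(reqs[r], argv);
        /* A daemon would now call execv(argv[0], (char *const *)argv): no shell. */
        printf("request %zu -> %d\n", r, n);
    }
    return 0;
}
```

The executable path still comes only from the local table, so the remaining exposure is how each plugin treats the argument values it receives.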

