From: ?

Paul L. Allen pla at softflare.com
Tue Mar 9 22:42:48 CET 2004


Mohamed S. writes: 

> Hmmm the machine has qmail-send on it, /usr/bin/mail works as well...so
> I'm guessing it's using the mail() function to send..

If you look in misccommands.cfg you will find out exactly what it is using.
Which, unless you have altered it, will be the mail program (not function). 

An alternative to using mail would be qmail's replacement for sendmail.
It accepts sendmail's -t option to take the from and to address from the
body of the mail.  It also accepts sendmail's -f option so you can specify
the envelope sender (that way bounces end up somewhere useful).  I think
you don't need the -oi option and that the qmail version does that by
default (but doesn't complain if you use it) - but you'd better check
that yourself. 

Anyone who wants to use the real sendmail and is paranoid OUGHT to use the
-oi option, unless sendmail has finally made that the default to prevent
exploits of CGI scripts - I haven't used real sendmail for anything
serious for three years, so I don't know if it still needs the -oi or not
(I'd put it in to be safe, but that's because I used to worry about people
exploiting sendmail).  Without the -oi, somebody could manage to arrange
for plugin output to have a bare . in the middle with what follows being
a shell command. OK, it would run as nagios, so the worst it could do is
trash your nagios installation after grabbing /etc/passwd (is there any
distro that doesn't use shadow passwords these days?).  But it's very
easy to add -oi, a lot easier than examining every plugin in great detail
to see if somebody could control part of the output. 

Another option would be to change misccommands.cfg to call a custom shell
or perl script to send your mail using whatever esoteric means you wish.
You can get really creative that way. :) 

-- 
Paul Allen
Softflare Support 
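
Added example, not part of the original message and not code from Nagios, qmail or sendmail: a notification wrapper of the kind the message suggests calling from misccommands.cfg, which passes the -oi, -t and -f options discussed above. `read_until_dot` is only a model of a reader that stops at a line holding a single ".", as sendmail does when -oi is absent; the function names, the `SENDMAIL` and `BOUNCE_ADDR` variables and their default values are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper: recipient, subject and plugin output arrive as $1 $2 $3.

# Assumed defaults; qmail's replacement usually lives at /var/qmail/bin/sendmail.
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
BOUNCE_ADDR=${BOUNCE_ADDR:-nagios-bounces@example.invalid}   # placeholder address

# Model of reading stdin WITHOUT -oi: a line that is exactly "." ends the
# message, so whatever follows it is no longer part of the mail body.
read_until_dot() {
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "." ]; then
            break
        fi
        printf '%s\n' "$line"
    done
}

# Remove CR and LF from a value that will be placed in a header, so text
# taken from plugin output or contact data cannot start a new header line.
header_safe() {
    printf '%s' "$1" | tr -d '\r\n'
}

# Headers, a blank line, then the body exactly as received.
build_message() {
    to=$(header_safe "$1")
    subject=$(header_safe "$2")
    printf 'To: %s\nSubject: %s\n\n%s\n' "$to" "$subject" "$3"
}

# -oi : a lone "." in the body is ordinary text, not end of message
# -t  : recipients are taken from the headers built above
# -f  : envelope sender, so bounces end up somewhere useful
send_notification() {
    build_message "$1" "$2" "$3" | "$SENDMAIL" -oi -t -f "$BOUNCE_ADDR"
}

# Typical call from the notification command:
#   send_notification "$1" "$2" "$3"
```

Piping `build_message` output through `read_until_dot` shows how much of a given plugin output would survive if -oi were left out.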



