NRPE - command arguments, security?

Andy Shellam andy.shellam-lists at mailnetwork.co.uk
Tue Apr 10 16:12:09 CEST 2007


Certainly.
Imagine you have this command in your nrpe.cfg file:

command[check_disk]=/usr/local/nagios/libexec/check_disk -p $ARG1$

and you want to pass "/usr" as the parameter to check the disk space 
available to the /usr directory.
Now, imagine some rogue has discovered you're running NRPE on your 
server, connects to it, and sends the command check_disk with "/usr && 
rm -rf /" as the argument.

NRPE will pass out to the shell the command 
"/usr/local/nagios/libexec/check_disk -p /usr && rm -rf /"
which will cause it to run the plugin, then erase the entire contents of 
your server's file system.

To be fair, I think it's only a risk if your server is wide open in 
other ways, such as:

- NRPE allowing any host to connect to it
- No firewall restrictions
- sudo security really permissive

etc.  So if you know that only your Nagios server can connect to Nagios 
(restricted by firewalls and allowed_hosts in nrpe.cfg) I think, with a 
bit of extra attention paid to command definitions, you'll be OK.  But 
that's just my opinion.

Note you also have to have compiled NRPE with an extra option to allow 
command arguments (./configure --enable-command-args) as well as setting 
the option in the config file.

Andy.
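As an added example (my own code, not from the NRPE project or either poster), the following shows what the textual $ARG1$ substitution described above does with the two arguments discussed, next to a metacharacter check and an argv-based substitution that keeps whatever the client sent as one single argument to the plugin. The metacharacter set, function names and sample values are my own assumptions.

```python
import shlex

# Characters a shell would interpret if the assembled command line reached it.
# This set is my own choice for the example, not the list NRPE uses.
SHELL_METACHARS = set("|&;<>()$`\\\"'\n\r*?[]{}~")

def is_safe_argument(arg):
    """True only if the argument contains no shell metacharacters."""
    return not any(ch in SHELL_METACHARS for ch in arg)

def substitute_into_shell_string(template, args):
    """The risky path described in the post: each $ARGn$ is pasted textually
    into one string that a shell will later parse, so '&&' inside an
    argument turns into a second command."""
    cmd = template
    for i, arg in enumerate(args, start=1):
        cmd = cmd.replace(f"$ARG{i}$", arg)
    return cmd

def substitute_into_argv(template, args):
    """Safer alternative: split the command definition into an argv list
    first, then substitute each $ARGn$ inside its own token. The result is
    meant for execv-style execution without a shell, so the client-supplied
    value stays a single argument to the plugin, metacharacters included."""
    argv = []
    for token in shlex.split(template):
        for i, arg in enumerate(args, start=1):
            token = token.replace(f"$ARG{i}$", arg)
        argv.append(token)
    return argv

# Constructed sample input: the command definition from the post and the
# benign and hostile arguments it discusses.
TEMPLATE = "/usr/local/nagios/libexec/check_disk -p $ARG1$"
BENIGN_ARG = "/usr"
HOSTILE_ARG = "/usr && rm -rf /"

def demo():
    """Collect the results for the hostile argument so they can be compared."""
    return {
        "benign_passes_check": is_safe_argument(BENIGN_ARG),
        "hostile_passes_check": is_safe_argument(HOSTILE_ARG),
        "shell_string": substitute_into_shell_string(TEMPLATE, [HOSTILE_ARG]),
        "argv": substitute_into_argv(TEMPLATE, [HOSTILE_ARG]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the argv form the hostile string ends up as the single value of `-p`, which check_disk would simply fail to find as a mount point; only the shell-string form yields a second command.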


chiel wrote:
> Hi all,
>  
> I have just implemented some NRPE servers and I want to allow "command 
> arguments" with nrpe.
> In the security readme from nrpe I see that this is a security issue 
> and you must set "dont_blame_nrpe" (only the argument name already...).
>  
> The only thing is that I don't see any reason in the docs why this is 
> so dangerous. Can somebody please explain?
>  
> chiel
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users