Closed infraweavers closed 4 years ago
I'm not actually sure why it is set to true but seeing as the default is false it should probably be updated to use the default setting. I'm pretty sure that there is no reason security-wise to set this value with nrpe.
Talked about this with @jomann09 - plugins are able to write data to /tmp and retrieve it on subsequent calls, so PrivateTmp is potentially a relevant security issue depending on what plugins you have installed. Individual users can set PrivateTmp to false if they have a need, but we're going to keep it on by default.
In: https://github.com/NagiosEnterprises/nrpe/blob/56492da4e4b55c8d188ed8114a88c18f0250ff55/startup/default-service.in#L23 and https://github.com/NagiosEnterprises/nrpe/blob/56492da4e4b55c8d188ed8114a88c18f0250ff55/startup/default-socket-svc.in#L12
The systemd unit is explicitly using PrivateTmp=true; this means that if a nagios check is using sudo and jps to run as a specific daemon's user and attach to java for monitoring GC or similar, then jps will fail to find the process. Example: https://exchange.nagios.org/directory/Plugins/Java-Applications-and-Servers/check_jstat/details

I've had a look at the blame history and I can't see any particular reason for this to be on; it's not the behaviour in non-systemd systems, so I'm leaning towards suggesting that the default should be off?
-Rob
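Added example (not code from the nrpe project or from anyone in this thread): a per-host drop-in that switches PrivateTmp off for the nrpe unit only, which is the route the maintainers leave open for hosts whose plugins need the shared /tmp (jps reads hsperfdata there), plus the systemctl call that confirms the effective value after a reload. The unit name nrpe.service and the drop-in root are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Per-host override for PrivateTmp on the nrpe service (added example).
# Only PrivateTmp is overridden, so every other setting in the vendor unit
# stays in force; the vendor file itself is left untouched.
UNIT="${UNIT:-nrpe.service}"                 # assumption: unit name
DROPIN_ROOT="${DROPIN_ROOT:-/etc/systemd/system}"  # assumption: drop-in root

# Render the drop-in contents.
render_dropin() {
    printf '%s\n' \
        '# Local override: plugins on this host read hsperfdata under /tmp' \
        '[Service]' \
        'PrivateTmp=false'
}

# Write the drop-in for unit $1 under root $2; print the file path.
write_dropin() {
    unit="$1"; root="$2"
    dir="$root/$unit.d"
    mkdir -p "$dir"
    render_dropin > "$dir/10-private-tmp.conf"
    printf '%s\n' "$dir/10-private-tmp.conf"
}

# Show the value systemd actually applies to the unit (needs systemd).
effective_private_tmp() {
    systemctl show -p PrivateTmp --value "$1"
}

# Usage: sh private-tmp-override.sh apply   (as root)
case "${1:-}" in
    apply)
        f=$(write_dropin "$UNIT" "$DROPIN_ROOT")
        systemctl daemon-reload && systemctl restart "$UNIT"
        echo "wrote $f; PrivateTmp is now $(effective_private_tmp "$UNIT")"
        ;;
esac
```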