NagiosEnterprises / nrpe

NRPE Agent
GNU General Public License v2.0

4.0.2 nasty metachars #235

Closed benohara closed 4 years ago

benohara commented 4 years ago

After an update to 4.0.2 (both nrpe and check_nrpe) I can no longer pass arguments with a pipe | in them.

nasty_metachars had previously had the pipe symbol removed to allow it, but since the upgrade it triggers the 'Error: Request contained illegal metachars!'

mickael-ange commented 4 years ago

Today I updated nrpe due to FEDORA-EPEL-2020-b6453e2708 Moderate/Sec. nrpe-4.0.2-1.el7.x86_64. After the update the nasty_metachars in nrpe.cfg is not honored anymore.

Before the update, I was able to pass {}" chars with nrpe-3.2.1-8.el7.x86_64 with:

```
nasty_metachars=|`&><'[];
```

```
# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
# rpm -qi nrpe
Name        : nrpe
Version     : 4.0.2
Release     : 1.el7
Architecture: x86_64
Install Date: Thu 23 Apr 2020 09:15:51 AM CST
Group       : Applications/System
Size        : 373504
License     : GPLv2
Signature   : RSA/SHA256, Tue 07 Apr 2020 09:59:27 PM CST, Key ID 6a2faea2352c64e5
Source RPM  : nrpe-4.0.2-1.el7.src.rpm
Build Date  : Tue 07 Apr 2020 09:31:46 PM CST
Build Host  : buildvm-22.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.nagios.org
Bug URL     : https://bugz.fedoraproject.org/nrpe
Summary     : Host/service/network monitoring agent for Nagios
Description :
Nrpe is a system daemon that will execute various Nagios plugins
locally on behalf of a remote (monitoring) host that uses the
check_nrpe plugin.  Various plugins that can be executed by the
daemon are available at:
http://sourceforge.net/projects/nagiosplug

This package provides the core agent.
```

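
Added example, not part of the thread and not NRPE's own code: a simplified C sketch of what "honoring" `nasty_metachars` means for the two reports above, where the denylist in force is the configured value when the directive is present and a built-in default otherwise. The function names, `DEFAULT_NASTY`, and the sample config and argument are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed built-in denylist for this sketch (constructed, not taken from NRPE). */
#define DEFAULT_NASTY "|`&><'\"\\[]{};\r\n"

/* Return the denylist in force: the value of the first nasty_metachars= line
 * in cfg_text, or a copy of the built-in default. Caller frees the result. */
char *effective_metachars(const char *cfg_text) {
    static const char key[] = "nasty_metachars=";
    const size_t klen = sizeof(key) - 1;
    for (const char *p = cfg_text; p && *p; ) {
        p += strspn(p, " \t");                 /* ignore leading blanks */
        if (strncmp(p, key, klen) == 0) {      /* '#' comment lines never match */
            size_t n = strcspn(p + klen, "\r\n");
            char *out = malloc(n + 1);
            if (!out) return NULL;
            memcpy(out, p + klen, n);
            out[n] = '\0';
            return out;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    char *def = malloc(sizeof(DEFAULT_NASTY));
    if (def) memcpy(def, DEFAULT_NASTY, sizeof(DEFAULT_NASTY));
    return def;
}

/* 1 if the request contains any character of the denylist, else 0. */
int contains_nasty(const char *request, const char *denylist) {
    return request[strcspn(request, denylist)] != '\0';
}

int main(void) {
    /* Constructed config text using the value quoted in the thread. */
    const char *cfg = "# constructed sample\nallowed_hosts=127.0.0.1\n"
                      "nasty_metachars=|`&><'[];\n";
    const char *arg = "{\"warn\":5}";          /* constructed argument */
    char *from_cfg = effective_metachars(cfg);
    char *fallback = effective_metachars("");
    if (!from_cfg || !fallback) return 1;
    printf("config honored: %s\n", contains_nasty(arg, from_cfg) ? "rejected" : "accepted");
    printf("config ignored: %s\n", contains_nasty(arg, fallback) ? "rejected" : "accepted");
    free(from_cfg);
    free(fallback);
    return 0;
}
```

With command arguments enabled, every character dropped from the configured list is one more character that is passed through to the plugin command line, so the configured value is worth reviewing after an upgrade as well as the default.
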
benohara commented 4 years ago

Suspect https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197 but not sure how to fix :(

sawolf commented 4 years ago

Thanks for reporting this.

The most recent commit to master fixed the issue on my machine. If it doesn't work for you, let me know and we'll re-open the issue.

mickael-ange commented 4 years ago

@sawolf Thanks for the prompt fix. I recompiled using the latest commit you mentioned and it fixed the problem.

```
# On CentOS 7
sudo yum install -y autoconf automake libtool openssl-devel

git clone https://github.com/NagiosEnterprises/nrpe
cd nrpe
autoconf
# Config file directory has not been configured. I did not need it.
./configure --with-pluginsdir=/usr/lib64/nagios/plugins --bindir=/usr/sbin --enable-command-args
make all
sudo make install-daemon
sudo systemctl restart nrpe
```

When do you think the bugfix could possibly be released? Thanks for the support.

nicutor commented 4 years ago

+1 here. Can you please push a new release out there on epel? Thank you!

sawolf commented 4 years ago

I'm going to wait a couple of days to see if any other bugs are reported against 4.0.2, but I can probably do a release next week (depending on when internal QA has a chance to look over it).

As for EPEL, @smooge is the point of contact, so I can't speak for him. He tends to be fairly prompt, though.

smooge commented 4 years ago

I am actually not the EPEL contact anymore on this. I have had to put all my energy into a major data-centre move. The current maintainer mhjacks at fedoraproject.org is very responsive also. [I do not know if they have a github account so not going to blindly @ them.]

sawolf commented 4 years ago

Oh! It looks like @mhjacks actually left an issue here ~1.5 months ago - I thought that was for a different project.

mhjacks commented 4 years ago

I personally prefer packaging proper releases, but I can pull a git commit if necessary. @sawolf please let me know if you feel this is worth a proper release, and if so I'll wait to package that. If not, I'll package the master branch at this commit.

nicutor commented 4 years ago

Hi @mhjacks,

We are using nrpe from EPEL and we cannot upgrade it because of this issue.

Some servers had automatic updates and the checks are not working anymore.

If you can release a new rpm, it'll be great.

Thank you!

mhjacks commented 4 years ago

I've built test packages at https://copr.fedorainfracloud.org/coprs/mhjacks/nagios-packages/. If you test these successfully, I will push that package to EPEL. (It's already in rawhide). It will take 14 days after the build to reach stable. @nicutor

mickael-ange commented 4 years ago

Works for me on CentOS 7. Looking forward to the EPEL release. Thanks!

nicutor commented 4 years ago

@mhjacks Thank you. I will also test them today and let you know.

mhjacks commented 4 years ago

This build has been submitted as FEDORA-EPEL-2020-4f8d42d788. I plan to release builds for the other released EPEL and Fedora streams as well. EDIT: I withdrew the old build because when I saw it show up in bodhi I realized I had some stray characters in the Release: field. Please test and add karma to make the transition to stable faster!

sawolf commented 4 years ago

FYI, we will be doing a 4.0.3 release with just this change. Once the internal QA team signs off on the changes, I'll do a release and leave another comment here.

sawolf commented 4 years ago

The QA team did find an issue with my change - see here for the latest release with the correction.

mhjacks commented 4 years ago

Thanks! The new tarball explodes as:

```
tar tvf nrpe-4.0.3.tar.gz
drwxrwxr-x root/root         0 2020-04-28 16:10 nrpe-nrpe-4.0.3/
-rw-rw-r-- root/root       693 2020-04-28 16:10 nrpe-nrpe-4.0.3/.gitignore
-rw-rw-r-- root/root       125 2020-04-28 16:10 nrpe-nrpe-4.0.3/.travis.yml
-rw-rw-r-- root/root     21840 2020-04-28 16:10 nrpe-nrpe-4.0.3/CHANGELOG.md
-rw-rw-r-- root/root      6287 2020-04-28 16:10 nrpe-nrpe-4.0.3/CONTRIBUTING.md
-rw-rw-r-- root/root       441 2020-04-28 16:10 nrpe-nrpe-4.0.3/LEGAL
-rw-rw-r-- root/root     15173 2020-04-28 16:10 nrpe-nrpe-4.0.3/LICENSE.md
-rw-rw-r-- root/root      6915 2020-04-28 16:10 nrpe-nrpe-4.0.3/Makefile.in
-rw-rw-r-- root/root     11692 2020-04-28 16:10 nrpe-nrpe-4.0.3/README.SSL.md
-rw-rw-r-- root/root     10023 2020-04-28 16:10 nrpe-nrpe-4.0.3/README.md
-rw-rw-r-- root/root      3647 2020-04-28 16:10 nrpe-nrpe-4.0.3/SECURITY.md
-rw-rw-r-- root/root       782 2020-04-28 16:10 nrpe-nrpe-4.0.3/THANKS
```

That is, as nrpe-nrpe-4.0.3 instead of the expected nrpe-4.0.3. Is that deliberate?

sawolf commented 4 years ago

That does seem a bit strange to me, but it's consistent for all of the "Source Code (tar.gz)" links going back to 3.x. I assume it gets named like that because the project is named "nrpe" and the tag is "nrpe-x.y.z".

We manually generate and attach the archive labelled "nrpe-x.y.z.tar.gz", which doesn't seem to have the issue. Are you able to use that instead?

mhjacks commented 4 years ago

I wound up repacking the tarball. Updates have been submitted for all supported Fedora and EPEL releases. Thanks! Next...nagios 4.4.6 :)