Added patch to allow bash command substitutions, disabled by default.

Previously, if command arguments were enabled, NRPE would allow arguments
of the form $(...), which would cause a bash command substitution and could
be used for malicious intent. This patch adds both a configure-time option,
--enable-bash-command-substitution, and a configuration file option,
allow_bash_command_substitution. Both of these, along with the
--enable-command-args configure-time option and the dont_blame_nrpe
configuration file option, must be enabled or arguments containing $(
will be rejected.

In addition, some clean-up of the configure.in script was done so options
display nicely when the --help argument is specified to the configure script.

This patch addresses bug #400.
Eric Stanley committed Dec 17, 2012
1 parent 5e2d701 commit eaaebb3c2925f9aee74319b61264ee535784b859
Showing with 5,913 additions and 3,195 deletions.
  1. +1 −0 Changelog
  2. +26 −0 SECURITY
  3. +5,786 −3,171 configure
  4. +53 −20 configure.in
  5. +2 −0 include/config.h.in
  6. +18 −0 sample-config/nrpe.cfg.in
  7. +27 −4 src/nrpe.c
@@ -5,6 +5,7 @@ NRPE Changelog

x.xx - xx/xx/xxxx
-----------------
- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
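Review bot: The new Changelog entry (first list line) mentions only the configure option, while the commit message says a configuration file option is also required and that arguments containing $( are now rejected unless everything is enabled. Suggest naming both switches in the entry and stating the change in default behaviour, since installations with command arguments enabled will see previously accepted arguments rejected after upgrading.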
@@ -27,6 +27,17 @@ should be considered a security risk, and you should only use
it if you know what you're doing!


BASH COMMAND SUBSTITUTION
-------------------------

Even with the metacharacter restrictions below, if command arguments
are enabled, it is still possible to send bash command substitions
in the form $(...) as an agrument. This is explicity disabled by
default, but can be enabled by a configure-time option and a
configuration file option. Enabling this option is VERY RISKY and
its use is HIGHLY DISCOURAGED.


ENABLING ARGUMENTS
------------------
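Review bot: The added BASH COMMAND SUBSTITUTION paragraph has three misspellings: "substitions" should be "substitutions", "agrument" should be "argument", and "explicity" should be "explicitly". It would also help to name the two switches in this paragraph, or point to the ENABLING BASH COMMAND SUBSTITUTION section, so the reader can tell which options the warning refers to.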

@@ -40,6 +51,21 @@ do two things:
file to 1.


ENABLING BASH COMMAND SUBSTITUTION
----------------------------------

To enable support for arguments containing bash command substitions,
you must do two things:

1. Enable arguments as described above

2. Include the --enable-bash-command-substitution configure
option when running the configure script

3. Set the 'allow_bash_command_substitutions' directive in the
NRPE config file to 1.


ILLEGAL METACHARS
-----------------
