
Commit e8810de

author
Sebastian Wolf
committed
check_by_ssh: Prevent users from using several SSH options which run local commands.
1 parent f47c8dd commit e8810de


3 files changed

+23
-2
lines changed


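--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,11 @@
 This file documents the major additions and syntax changes between releases.
 
-2.4.5 2023-05-15
+2.4.5 2023-05-31
 FIXES
 check_dns: Fix buffer overflow on Ubuntu 22.04 (#699)
 check_sensors: Use grep instead of deprecated egrep (#697)
 check_tcp: Add --sni as an alias to -N (#701)
+check_by_ssh: Prevent users from using ProxyCommand/LocalCommand/PermitLocalCommand (./configure --with-unrestricted-ssh-options=yes to re-enable)
 build: fix bug when using VPATH builds (#700)
 
 2.4.4 2023-04-14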

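--- a/configure.ac
+++ b/configure.ac
@@ -418,6 +418,16 @@ then
 [path and arguments for invoking 'who'])
 fi
 
+AC_ARG_WITH(unrestricted_ssh_options,
+[AS_HELP_STRING([--with-unrestricted-ssh-options],
+[allow any SSH options to be used with check_by_ssh])],
+[],
+[unrestricted_ssh_options=no])
+
+if test "x$with_unrestricted_ssh_options" = xyes ; then
+AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
+fi
+
 AC_ARG_WITH([ipv6],
 [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
 [], [with_ipv6=check])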
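Review bot: The action-if-not-given of the added `AC_ARG_WITH` assigns `unrestricted_ssh_options=no`, while the test right below reads `$with_unrestricted_ssh_options`, so the default assignment is never consulted. The restricted build still ends up as the default, because an unset variable does not compare equal to `xyes`, but the safe default then rests on that accident rather than on the stated one; `[with_unrestricted_ssh_options=no]` would make it explicit. The first argument is also left unquoted, unlike the neighbouring `AC_ARG_WITH([ipv6],`.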

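--- a/plugins/check_by_ssh.c
+++ b/plugins/check_by_ssh.c
@@ -27,7 +27,7 @@
 *****************************************************************************/
 
 const char *progname = "check_by_ssh";
-const char *copyright = "2000-2014";
+const char *copyright = "2000-";
 const char *email = "devel@nagios-plugins.org";
 
 #include "common.h"
@@ -304,6 +304,16 @@ process_arguments (int argc, char **argv)
 skip_stderr = atoi (optarg);
 break;
 case 'o': /* Extra options for the ssh command */
+
+/* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
+#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
+if ( strcasestr(optarg, "ProxyCommand") != NULL
+|| strcasestr(optarg, "PermitLocalCommand") != NULL
+|| strcasestr(optarg, "LocalCommand") != NULL) {
+break;
+}
+#endif
+
 comm_append("-o");
 comm_append(optarg);
 break;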
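Review bot: In the `case 'o'` branch the new guard discards a blocked option with a bare `break;`, so the check then runs ssh without it and the operator gets no sign that part of the configuration was ignored; rejecting the invocation is safer and makes misuse visible in the check output, for example `usage_va(_("SSH option not permitted: %s"), optarg);` if the usage helper used by the other plugins is available in this file. The guard is also a denylist of three keyword names: ssh_config(5) documents further keywords that start a local program, and new ones arrive with OpenSSH releases, so comparing the keyword in front of the `=` against an allowlist would hold up better than substring tests over the whole argument. As written, `strcasestr` also matches these names when they occur inside an option's value, and the `PermitLocalCommand` test is redundant because the `LocalCommand` test already matches it. `process_arguments` begins and ends outside the hunk, so whether other switches of the plugin can pass equivalent settings to ssh cannot be judged from here.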
