NRDP check results can overflow into /tmp #6

Closed
lepmeh opened this issue Oct 12, 2015 · 4 comments

lepmeh commented Oct 12, 2015

Normally NRDP check results end up in $cfg["check_results_dir"] but if e.g. the disk is full the results can end up in /tmp instead, resulting in thousands/millions of files in /tmp and a full disk, etc. on large setups.

The problem is caused by the use of $tmpname = tempnam($cfg["check_results_dir"],"c");
As per the official documentation of tempnam it is not guaranteed that the file created is actually in the requested directory. NRDP should check if the created file is actually in $cfg["check_results_dir"]. If not it should delete the file and return an error, e.g. "handle_api_error(ERROR_BAD_CHECK_RESULTS_DIR);"
This is applicable for both nrdp/server/index.php and nrdp/server/plugins/nagioscorepassivecheck/nagioscorepassivecheck.php


tmcnag commented Oct 12, 2015

Possible duplicate of #5


lepmeh commented Oct 13, 2015

I had a look at the other issue before I submitted this one, and it is not the same as far as I can see.

The problem with tempnam() is that if e.g.
$cfg["check_results_dir"] = "/usr/local/nagios/var/spool/checkresults" you'd expect the file it creates to end up in that directory. However if the directory isn't writable, the system tmp dir is used instead, often "/tmp". (See http://php.net/manual/en/function.tempnam.php ).
As NRDP doesn't remove the file itself, and expects another service to remove the files it is important to check that the file that tempnam returns is in the directory that is specified.

We saw the problem in a setup with a RAM-disk for check results. Some of the nagios services stopped unexpectedly, and the incoming NRDP checks quickly filled the RAM-disk, and then continued to fill "/tmp".
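
The directory check proposed in this issue, as an added example (not NRDP's code and not the fix referenced later in the thread). The helper name safe_tempnam_in() and the demo directories are hypothetical; the demo uses a read-only directory to trigger the fallback that tempnam() performs.

```php
<?php
// Added example, not NRDP's code. safe_tempnam_in() is a hypothetical helper.

/**
 * Create a temp file that is guaranteed to live in $dir.
 * Returns the file path, or false if tempnam() failed or fell back elsewhere.
 */
function safe_tempnam_in(string $dir, string $prefix)
{
    $wanted = realpath($dir);
    if ($wanted === false || !is_dir($wanted)) {
        return false; // directory missing or not resolvable
    }

    // PHP >= 7.1 emits a notice on fallback; silence it and verify the result.
    $tmpname = @tempnam($wanted, $prefix);
    if ($tmpname === false) {
        return false;
    }

    // Compare resolved directories so symlinked paths do not cause false alarms.
    if (realpath(dirname($tmpname)) !== $wanted) {
        @unlink($tmpname); // do not leave the stray file in the system temp dir
        return false;
    }
    return $tmpname;
}

// Demo on constructed directories (stand-ins for $cfg["check_results_dir"]).
$base = sys_get_temp_dir() . '/nrdp_demo_' . getmypid();
mkdir($base . '/spool', 0700, true);
mkdir($base . '/readonly', 0500);

foreach (['spool', 'readonly'] as $name) {
    $file = safe_tempnam_in("$base/$name", 'c');
    if ($file === false) {
        // In NRDP this is where the issue suggests calling
        // handle_api_error(ERROR_BAD_CHECK_RESULTS_DIR).
        echo "$name: rejected, nothing left behind\n";
    } else {
        echo "$name: created $file\n";
        unlink($file);
    }
}
rmdir("$base/spool");
rmdir("$base/readonly");
rmdir($base);
```

Run the demo as a non-root user: root can write to the 0500 directory, so no fallback occurs and both cases succeed.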

@tmcnag tmcnag added the Bug label Oct 21, 2015

caronc commented Nov 24, 2016

You need to add the following into your http.conf (VirtualHost) configuration:

php_admin_value open_basedir "/etc/nrdp/:/usr/share/nrdp/http/:/var/nagios/nrdp/:/var/nagios/spool/checkresults/:/tmp/"

The above was taken from my blog entry on NRDP. Yours might just need something more like this (if using Ubuntu):

php_admin_value open_basedir "/usr/local/nagios/var/spool/checkresults/:/tmp/"

Here is what my Apache Config entry looks like; I used higher ports for NRDP so it would fit more in with NRPE (5667) and NSCA (NRDP's replacement at 5666). NRDP insecure set to 5668, and secure 5669:

# Source URL: http://nuxref.com
# Specifically: http://nuxref.com/2016/11/24/nrdp-nagios-core-centos-7-x/
Listen 5668
Listen 5669 https

<VirtualHost *:5668>
   ServerAdmin webmaster@localhost
   ErrorLog /var/log/httpd/nrdp_error_log
   CustomLog /var/log/httpd/nrdp_access_log common
   LogLevel warn

   # PHP configuration to make it possible to write
   # into /var/nagios/spool/checkresults/
   php_admin_value open_basedir "/etc/nrdp/:/usr/share/nrdp/http/:/var/nagios/nrdp/:/var/nagios/spool/checkresults/:/tmp/"

   DocumentRoot /usr/share/nrdp/http

   <IfModule mod_rewrite.c>
      RewriteEngine On
      # Disable all requests that are not POST or GET
      RewriteCond %{REQUEST_METHOD} !^(POST|GET) [NC]
      # # Consider using the below entry instead of the above ^ if you wish
      # # to disable the manual website that accepts entries
      # RewriteCond %{REQUEST_METHOD} !^(POST) [NC]
      RewriteRule ^(.*)$ - [F,L]
   </IfModule>

   <Location />
      #  SSLRequireSSL
      Options ExecCGI
      Options FollowSymLinks
      <IfVersion >= 2.3>
         <RequireAll>
            Require all granted
            #AuthName "NRDP Access"
            #AuthType Basic
            #AuthUserFile /etc/nagios/htpasswd.users
            #Require valid-user
         </RequireAll>
      </IfVersion>
      <IfVersion < 2.3>
         Order allow,deny
         Allow from all
         #AuthName "NRDP Access"
         #AuthType Basic
         #AuthUserFile /etc/nagios/htpasswd.users
         #Require valid-user
      </IfVersion>
   </Location>

</VirtualHost>

<VirtualHost *:5669>
   ServerAdmin webmaster@localhost
   ErrorLog /var/log/httpd/nrdp_error_log
   CustomLog /var/log/httpd/nrdp_ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   TransferLog /var/log/nrdp_ssl_access_log
   LogLevel warn

   # PHP configuration to make it possible to write
   # into /var/nagios/spool/checkresults/
   php_admin_value open_basedir "/etc/nrdp/:/usr/share/nrdp/http/:/var/nagios/nrdp/:/var/nagios/spool/checkresults/:/tmp/"

   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
   SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

   # Prevent CRIME attack
   SSLCompression off

   DocumentRoot /usr/share/nrdp/http

   <IfModule mod_rewrite.c>
      RewriteEngine On
      # Disable all requests that are not POST or GET
      RewriteCond %{REQUEST_METHOD} !^(POST|GET) [NC]
      # # Consider using the below entry instead of the above ^ if you wish
      # # to disable the manual website that accepts entries
      # RewriteCond %{REQUEST_METHOD} !^(POST) [NC]
      RewriteRule ^(.*)$ - [F,L]
   </IfModule>

   <Location />
      SSLRequireSSL
      Options ExecCGI
      Options FollowSymLinks
      <IfVersion >= 2.3>
         <RequireAll>
            Require all granted
            #AuthName "NRDP Access"
            #AuthType Basic
            #AuthUserFile /etc/nrdp/htpasswd.users
            #Require valid-user
         </RequireAll>
      </IfVersion>
      <IfVersion < 2.3>
         Order allow,deny
         Allow from all
         #AuthName "NRDP Access"
         #AuthType Basic
         #AuthUserFile /etc/nrdp/htpasswd.users
         #Require valid-user
      </IfVersion>
   </Location>

   BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

@jomann09 jomann09 removed the Bug label Dec 1, 2016
@jomann09 jomann09 added this to the 1.4.0 milestone Dec 1, 2016

jomann09 commented Dec 1, 2016

Should be fixed in dfca357 but will test it before closing this...

@jomann09 jomann09 closed this as completed Dec 1, 2016