NRDP check results can overflow into /tmp #6
Comments
Possible duplicate of #5 |
I had a look at the other issue before I submitted this one, and it is not the same as far as I can see. The problem with tempnam() is that if e.g. We saw the problem in a setup with a RAM-disk for check results. Some of the nagios services stopped unexpectedly, and the incoming NRDP checks quickly filled the RAM-disk, and then continued to fill "/tmp". |
You need to add the following into your http.conf (VirtualHost) configuration:

php_admin_value open_basedir "/etc/nrdp/:/usr/share/nrdp/http/:/var/nagios/nrdp/:/var/nagios/spool/checkresults/:/tmp/"

The above was taken from my blog entry on NRDP. Yours might just need something more like this (if using Ubuntu):

php_admin_value open_basedir "/usr/local/nagios/var/spool/checkresults/:/tmp/"

Here is what my Apache Config entry looks like; I used higher ports for NRDP so it would fit more in with NRPE (5667) and NSCA (NRDP's replacement at 5666). NRDP insecure set to 5668, and secure 5669:

# Source URL: http://nuxref.com
# Specifically: http://nuxref.com/2016/11/24/nrdp-nagios-core-centos-7-x/
Listen 5668
Listen 5669 https
<VirtualHost *:5668>
ServerAdmin webmaster@localhost
ErrorLog /var/log/httpd/nrdp_error_log
CustomLog /var/log/httpd/nrdp_access_log common
LogLevel warn
# PHP configuration to make it possible to write
# into /var/nagios/spool/checkresults/
php_admin_value open_basedir "/etc/nrdp/:/usr/share/nrdp/http/:/var/nagios/nrdp/:/var/nagios/spool/checkresults/:/tmp/"
DocumentRoot /usr/share/nrdp/http
<IfModule mod_rewrite.c>
RewriteEngine On
# Disable all requests that are not POST or GET
RewriteCond %{REQUEST_METHOD} !^(POST|GET) [NC]
# # Consider using the below entry instead of the above ^ if you wish
# # to disable the manual website that accepts entries
# RewriteCond %{REQUEST_METHOD} !^(POST) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
<Location />
# SSLRequireSSL
Options ExecCGI
Options FollowSymLinks
<IfVersion >= 2.3>
<RequireAll>
Require all granted
#AuthName "NRDP Access"
#AuthType Basic
#AuthUserFile /etc/nagios/htpasswd.users
#Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
#AuthName "NRDP Access"
#AuthType Basic
#AuthUserFile /etc/nagios/htpasswd.users
#Require valid-user
</IfVersion>
</Location>
</VirtualHost>
<VirtualHost *:5669>
ServerAdmin webmaster@localhost
ErrorLog /var/log/httpd/nrdp_error_log
CustomLog /var/log/httpd/nrdp_ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
TransferLog /var/log/nrdp_ssl_access_log
LogLevel warn
# PHP configuration to make it possible to write
# into /var/nagios/spool/checkresults/
php_admin_value open_basedir "/etc/nrdp/:/usr/share/nrdp/http/:/var/nagios/nrdp/:/var/nagios/spool/checkresults/:/tmp/"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Prevent CRIME attack
SSLCompression off
DocumentRoot /usr/share/nrdp/http
<IfModule mod_rewrite.c>
RewriteEngine On
# Disable all requests that are not POST or GET
RewriteCond %{REQUEST_METHOD} !^(POST|GET) [NC]
# # Consider using the below entry instead of the above ^ if you wish
# # to disable the manual website that accepts entries
# RewriteCond %{REQUEST_METHOD} !^(POST) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
<Location />
SSLRequireSSL
Options ExecCGI
Options FollowSymLinks
<IfVersion >= 2.3>
<RequireAll>
Require all granted
#AuthName "NRDP Access"
#AuthType Basic
#AuthUserFile /etc/nrdp/htpasswd.users
#Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
#AuthName "NRDP Access"
#AuthType Basic
#AuthUserFile /etc/nrdp/htpasswd.users
#Require valid-user
</IfVersion>
</Location>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost> |
Should be fixed in dfca357 but will test it before closing this... |
Normally NRDP check results end up in $cfg["check_results_dir"] but if e.g. the disk is full the results can end up in /tmp instead, resulting in thousands/millions of files in /tmp and a full disk, etc. on large setups.
The problem is caused by the use of $tmpname = tempnam($cfg["check_results_dir"],"c");
As per the official documentation of tempnam, it is not guaranteed that the file created is actually in the requested directory. NRDP should check if the created file is actually in $cfg["check_results_dir"]. If not, it should delete the file and return an error, e.g. "handle_api_error(ERROR_BAD_CHECK_RESULTS_DIR);"
This is applicable for both nrdp/server/index.php and nrdp/server/plugins/nagioscorepassivecheck/nagioscorepassivecheck.php
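The check proposed in the issue text above, as an added example that is not NRDP's own code and not the content of the fix commit. The helper name `nrdp_safe_tempnam()` and the demo directory are assumptions; a caller would turn a `false` return into the error the issue suggests.

```php
<?php
/**
 * Hypothetical helper (added example): create a temp file in $dir and refuse
 * the silent fallback to the system temp directory that tempnam() performs
 * when $dir cannot be used. Returns the file path, or false on refusal.
 */
function nrdp_safe_tempnam(string $dir, string $prefix)
{
    $wanted = realpath($dir);              // canonical form, symlinks resolved
    if ($wanted === false || !is_dir($wanted)) {
        return false;                      // configured directory is missing
    }

    // PHP >= 7.1 raises an E_NOTICE when tempnam() falls back; it is silenced
    // here because the comparison below handles that case explicitly.
    $tmpname = @tempnam($wanted, $prefix);
    if ($tmpname === false) {
        return false;
    }

    // Compare the directory the file really landed in with the requested one.
    if (realpath(dirname($tmpname)) !== $wanted) {
        @unlink($tmpname);                 // remove the stray file (e.g. in /tmp)
        return false;
    }
    return $tmpname;
}

// Constructed demo: a directory that is writable, then the same directory
// made read-only to force tempnam() to fall back (no effect when run as root).
$dir = sys_get_temp_dir() . '/nrdp-demo-' . getmypid();
mkdir($dir, 0700);

$first = nrdp_safe_tempnam($dir, 'c');
echo "writable:  ", ($first !== false ? "created in requested dir" : "refused"), "\n";

chmod($dir, 0500);
$second = nrdp_safe_tempnam($dir, 'c');
echo "read-only: ", ($second !== false ? "created in requested dir" : "refused"), "\n";

// Clean up everything the demo created.
chmod($dir, 0700);
foreach (array_filter([$first, $second]) as $f) {
    unlink($f);
}
rmdir($dir);
```

With `/tmp/` listed in `open_basedir` as in the Apache configuration quoted in this thread, the fallback write is permitted by PHP, so the directory comparison is the only thing that stops results from accumulating there.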