Debian Bug report logs - #756479
nagios-nrpe-server: Ignores dont_blame_nrpe=1

Package: nagios-nrpe-server; Maintainer for nagios-nrpe-server is Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>; Source for nagios-nrpe-server is src:nagios-nrpe (PTS, buildd, popcon).

Reported by: Jan Huijsmans <huysmans@koffie.nu>

Date: Wed, 30 Jul 2014 08:45:01 UTC

Severity: important

Tags: wontfix

Merged with 773840

Found in version nagios-nrpe/2.15-1

Done: Sebastiaan Couwenberg <sebastic@xs4all.nl>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Wed, 30 Jul 2014 08:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Huijsmans <huysmans@koffie.nu>:
New Bug report received and forwarded. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Jul 2014 08:45:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jan Huijsmans <huysmans@koffie.nu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Wed, 30 Jul 2014 10:36:55 +0200
Package: nagios-nrpe-server
Version: 2.15-1
Severity: important

Dear Maintainer,


*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Upgrade from 2.13-3.1 to 2.15-1

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Downgrade to 2.13-3

   * What was the outcome of this action?

Listens to dont_blame_nrpe again.

   * What outcome did you expect instead?

From the upgrade, that this wouldn't break.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (60, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.ISO8859-15, LC_CTYPE=en_US.ISO8859-15 (charmap=ISO-8859-15) (ignored: LC_ALL set to en_US.ISO8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages nagios-nrpe-server depends on:
ii  adduser      3.113+nmu3
ii  libc6        2.19-7
ii  libssl1.0.0  1.0.1h-3
ii  libwrap0     7.6.q-25
ii  lsb-base     4.1+Debian13

Versions of packages nagios-nrpe-server recommends:
ii  nagios-plugins        1.5-3
ii  nagios-plugins-basic  1.5-3

nagios-nrpe-server suggests no packages.

-- Configuration Files:
/etc/nagios/nrpe.cfg changed:
log_facility=daemon
pid_file=/var/run/nrpe.pid
server_port=5666
server_address=*********
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=*********
 
dont_blame_nrpe=1
allow_bash_command_substitution=0
debug=0
command_timeout=60
connection_timeout=300
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 
include=/etc/nagios/nrpe_local.cfg
include_dir=/etc/nagios/nrpe.d/

/etc/nagios/nrpe_local.cfg changed:
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_load]=/usr/lib/nagios/plugins/check_load --warning=$ARG1$,$ARG2$,$ARG3$ --critical=$ARG4$,$ARG5$,$ARG6$
command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$
command[check_mailq_postfix]=/usr/lib/nagios/plugins/check_mailq -w $ARG1$ -c $ARG2$ -M postfix
command[check_apt]=/usr/bin/sudo /usr/local/sbin/check-apt-upgrade.pl --run-apt
command[check_raid]=/usr/local/sbin/nagios_raid


-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Wed, 30 Jul 2014 12:00:08 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Jul 2014 12:00:08 GMT) (full text, mbox, link).


Message #10 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Jan Huijsmans <huysmans@koffie.nu>, 756479@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Wed, 30 Jul 2014 13:57:39 +0200
tag 756479 wontfix
thanks

On Wed, 30 Jul 2014, Jan Huijsmans wrote:

> Package: nagios-nrpe-server
> Version: 2.15-1
> Severity: important
> 
> Dear Maintainer,
> 
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
> 
> Upgrade from 2.13-3.1 to 2.15-1
> 
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 
> Downgrade to 2.13-3
> 
>    * What was the outcome of this action?
> 
> Listens to dont_blame_nrpe again.
> 
>    * What outcome did you expect instead?
> 
> From the upgrade, that this wouldn't break.
This change is intentional. Please read the NEWS file.

Alex




Added tag(s) wontfix. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Wed, 30 Jul 2014 12:00:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Thu, 31 Jul 2014 08:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Rauscher, Jörg <Joerg.Rauscher@polar-mohr.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 31 Jul 2014 08:09:05 GMT) (full text, mbox, link).


Message #17 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Rauscher, Jörg <Joerg.Rauscher@polar-mohr.com>
To: <756479@bugs.debian.org>
Subject: enable -enable-command-args again, please
Date: Thu, 31 Jul 2014 09:48:54 +0200
Dear Maintainer,

I know that you compiled without --enable-command-args and that you wrote in the NEWS.Debian file that you disabled it because there are security problems and because this feature is often used wrongly.
Some people need this feature to manage monitoring parameters centrally. Your nrpe.cfg disables this feature by default (dont_blame_nrpe=0), and the feature's comment shows everyone that enabling it could be a security problem.

In my opinion, disabling this feature by default should be enough. If someone needs this feature, he must compile his own nrpe server version. Maybe he needs to do it on hundreds of machines, and he has to do it again whenever the Debian package is updated. I don't think that compiling nrpe without this feature is a real security advantage, because if someone needs it, he will compile with this support instead of only enabling this feature.

I agree with you that this option could be a security risk, but it is possible to reduce the risk by setting allowed_hosts to restrict who is able to communicate with nrpe.

It would be nice if you would compile with --enable-command-args again. It would give more flexibility in how to use nrpe, and all people who use command args wouldn't need to manage their own version of this package.



Best regards

Jörg, Rauscher


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Thu, 31 Jul 2014 11:51:09 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 31 Jul 2014 11:51:09 GMT) (full text, mbox, link).


Message #22 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Rauscher@buxtehude.debian.org, Jörg <Joerg.Rauscher@polar-mohr.com>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: enable -enable-command-args again, please
Date: Thu, 31 Jul 2014 13:48:06 +0200
On Thu, 31 Jul 2014, Rauscher@buxtehude.debian.org wrote:

> Dear Maintainer,
> 
> I know that you compiled without --enable-command-args and that you wrote in the NEWS.Debian file that you disabled it because there are security problems and because this feature is often used wrongly.
> Some people need this feature to manage monitoring parameters centrally. Your nrpe.cfg disables this feature by default (dont_blame_nrpe=0), and the feature's comment shows everyone that enabling it could be a security problem.
> 
> In my opinion, disabling this feature by default should be enough. If someone needs this feature, he must compile his own nrpe server version. Maybe he needs to do it on hundreds of machines, and he has to do it again whenever the Debian package is updated. I don't think that compiling nrpe without this feature is a real security advantage, because if someone needs it, he will compile with this support instead of only enabling this feature.
> 
> I agree with you that this option could be a security risk, but it is possible to reduce the risk by setting allowed_hosts to restrict who is able to communicate with nrpe.
> 
> It would be nice if you would compile with --enable-command-args again. It would give more flexibility in how to use nrpe, and all people who use command args wouldn't need to manage their own version of this package.
No, sorry. I won't do this and the security agreed that this would be the
most sane solution. But you are of course free to take over maintenance of
nrpe.

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Thu, 31 Jul 2014 13:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Huijsmans <huysmans@koffie.nu>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 31 Jul 2014 13:36:04 GMT) (full text, mbox, link).


Message #27 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Jan Huijsmans <huysmans@koffie.nu>
To: Alexander Wirt <formorer@debian.org>, 756479@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Thu, 31 Jul 2014 15:25:58 +0200
So you solve ignorant users by disabling a feature of the software
package. That would leave the choice between recompiling every time
there is an update to fix the crippled package, stay at the 2.13 level or
ditch Debian after 18 years.

On 30/07/14 13:57, Alexander Wirt wrote:
> tag 756479 wontfix
> thanks
> 
> On Wed, 30 Jul 2014, Jan Huijsmans wrote:
> 
>> Package: nagios-nrpe-server
>> Version: 2.15-1
>> Severity: important
>>
>> Dear Maintainer,
>>
>>
>> *** Reporter, please consider answering these questions, where appropriate ***
>>
>>    * What led up to the situation?
>>
>> Upgrade from 2.13-3.1 to 2.15-1
>>
>>    * What exactly did you do (or not do) that was effective (or
>>      ineffective)?
>>
>> Downgrade to 2.13-3
>>
>>    * What was the outcome of this action?
>>
>> Listens to dont_blame_nrpe again.
>>
>>    * What outcome did you expect instead?
>>
>> From the upgrade, that this wouldn't break.
> This change is intentional. Please read the NEWS file.
> 
> Alex
> 


-- 
---

Jan Huijsmans              huysmans@koffie.nu

... cannot activate /dev/brain, no response from main coffee server



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Thu, 31 Jul 2014 15:21:20 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 31 Jul 2014 15:21:21 GMT) (full text, mbox, link).


Message #32 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Jan Huijsmans <huysmans@koffie.nu>
Cc: 756479@bugs.debian.org, Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Thu, 31 Jul 2014 17:19:23 +0200
On Thu, 31 Jul 2014, Jan Huijsmans wrote:

> So you solve ignorant users by disabling a feature of the software
> package. That would leave the choice between recompiling every time
> there is an update to fix the crippled package, stay at the 2.13 level or
> ditch Debian after 18 years.
As said, feel free to take over the work. I never wanted to maintain nrpe, it
just happened.

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sun, 03 Aug 2014 17:42:08 GMT) (full text, mbox, link).


Acknowledgement sent to Michal Zelinka <misacek@misacek.net>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 03 Aug 2014 17:42:08 GMT) (full text, mbox, link).


Message #37 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Michal Zelinka <misacek@misacek.net>
To: 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Sun, 3 Aug 2014 19:38:32 +0200
Dear god. Yeah, I see, it just happened. It just happened that ignorants and fools like you
just got that privilege to be part of such an important software project like Debian is.
Unfortunately. This mentality of yours and similar is even more dangerous than a paid
“feel-free-to-destroy-everything” stupid mentality invented in Red Hat.

I wish Debian could return back to its bright era again, when it was taken as the most
serious player on a Linux field, having a power to produce healthy and useful ideas.

This really is NOT the way.

On Thu, 31 Jul 2014 17:19:23 +0200 Alexander Wirt <formorer@debian.org> wrote:
> On Thu, 31 Jul 2014, Jan Huijsmans wrote:
> 
> > So you solve ignorant users by disabling a feature of the software
> > package. That would leave the choice between recompiling every time
> > there is an update to fix the crippled package, stay at the 2.13 level or
> > ditch Debian after 18 years.
> As said, feel free to take over the work. I never wanted to maintain nrpe, it
> just happened.
> 
> Alex
> 
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sun, 03 Aug 2014 17:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 03 Aug 2014 17:54:05 GMT) (full text, mbox, link).


Message #42 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Michal Zelinka <misacek@misacek.net>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Sun, 3 Aug 2014 19:51:25 +0200
On Sun, 03 Aug 2014, Michal Zelinka wrote:

> Dear god. Yeah, I see, it just happened. It just happened that ignorants and fools like you
> just got that privilege to be part of such an important software project like Debian is.
> Unfortunately. This mentality of yours and similar is even more dangerous than a paid
> “feel-free-to-destroy-everything” stupid mentality invented in Red Hat.
So that's it. Feel free to take whatever crap you want.

Consider nrpe orphaned. I won't touch it again. 

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Wed, 27 Aug 2014 07:39:11 GMT) (full text, mbox, link).


Acknowledgement sent to Oskar Liljeblad <oskar@osk.mine.nu>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 27 Aug 2014 07:39:11 GMT) (full text, mbox, link).


Message #47 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Oskar Liljeblad <oskar@osk.mine.nu>
To: 756479@bugs.debian.org
Cc: pkg-nagios-devel@lists.alioth.debian.org
Subject: nagios-nrpe-server: --enable-command-args
Date: Wed, 27 Aug 2014 08:56:42 +0200
C'mon. Did you actually think nobody would complain about this?
For us, nagios-nrpe-server is unusable without --enable-command-args.
You haven't made nagios-nrpe-server more secure, you've just limited
the options of the users.

Regards,

Oskar



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Wed, 27 Aug 2014 13:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 27 Aug 2014 13:27:04 GMT) (full text, mbox, link).


Message #52 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Oskar Liljeblad <oskar@osk.mine.nu>, 756479@bugs.debian.org
Cc: pkg-nagios-devel@lists.alioth.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: --enable-command-args
Date: Wed, 27 Aug 2014 06:24:35 -0700
On Wed, 27 Aug 2014, Oskar Liljeblad wrote:

> C'mon. Did you actually think nobody would complain about this?
> For us, nagios-nrpe-server is unusable without --enable-command-args.
> You haven't made nagios-nrpe-server more secure, you've just limited
> the options of the users.
I tend to disagree. And if you think the removal of --enable-command-args
wasn't thought about a long time with several discussions you are wrong.

Alex

P.S. my offer to give the package to someone else is of course still valid



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sun, 04 Jan 2015 11:57:08 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Rechberger <t.rechberger@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 04 Jan 2015 11:57:08 GMT) (full text, mbox, link).


Message #57 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Thomas Rechberger <t.rechberger@gmail.com>
To: 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: --enable-command-args
Date: Sun, 04 Jan 2015 12:51:39 +0100
On Wed, 27 Aug 2014 06:24:35 -0700 Alexander Wirt <formorer@debian.org> 
wrote:

> I tend to disagree. And if you think the removal of --enable-command-args
> wasn't thought about a long time with several discussions you are wrong.
>

So did you now completely remove it because I am not able to enable it
even when I compile the sources.

I did the following and it still can not execute any arguments with 
dont_blame_nrpe set:

apt-get source nagios-nrpe-server
apt-get install libssl-dev dpatch debhelper libwrap0-dev autotools-dev build-essential
ln -s /usr/lib/x86_64-linux-gnu/libssl.so /usr/lib/libssl.so
./configure --enable-command-args
make all
dpkg-buildpackage -rfakeroot
dpkg -i nagios-nrpe-server_2.15-1_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sun, 04 Jan 2015 12:12:09 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 04 Jan 2015 12:12:09 GMT) (full text, mbox, link).


Message #62 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Thomas Rechberger <t.rechberger@gmail.com>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: --enable-command-args
Date: Sun, 4 Jan 2015 13:02:36 +0100
On Sun, 04 Jan 2015, Thomas Rechberger wrote:

> On Wed, 27 Aug 2014 06:24:35 -0700 Alexander Wirt <formorer@debian.org>
> wrote:
> 
> > I tend to disagree. And if you think the removal of --enable-command-args
> > wasn't thought about a long time with several discussions you are wrong.
> >
> 
> So did you now completely remove it because I am not able to enable it even
> when I compile the sources.
> 
> I did the following and it still can not execute any arguments with
> dont_blame_nrpe set:
> 
> apt-get source nagios-nrpe-server
> apt-get install libssl-dev dpatch debhelper libwrap0-dev autotools-dev build-essential
> ln -s /usr/lib/x86_64-linux-gnu/libssl.so /usr/lib/libssl.so
> ./configure --enable-command-args
> make all
> dpkg-buildpackage -rfakeroot
> dpkg -i nagios-nrpe-server_2.15-1_amd64.deb
That won't work. dpkg-buildpackage executes configure again. Edit
debian/rules.

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Fri, 26 Jun 2015 15:33:11 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Shephard <ben.shephard@insuranceinitiatives.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 26 Jun 2015 15:33:11 GMT) (full text, mbox, link).


Message #67 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Ben Shephard <ben.shephard@insuranceinitiatives.com>
To: 756479@bugs.debian.org
Date: Fri, 26 Jun 2015 16:29:07 +0100
Thanks for the deprecation warning in previous releases... Oh yeah, there
wasn't one. Nor is there anything to say this has been disabled in the
default config file; in fact it's still there with a big fat warning about
the dangers of turning it on. I agree it's a security issue especially if
used incorrectly but then so is telnetd and I don't see anyone removing
that from the Debian repos any time soon. I now have two machines I'm
unable to monitor without a lot of faff. It's not like I can't recompile it
and enable it  again but that just wastes everyone's time. I do plan on
rewriting my 10000 lines of nagios configs to take this into account but
that's a mammoth task which requires some planning which could have been
done if users had been given a bit of prior warning.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sun, 12 Jul 2015 18:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Patrik Schindler <poc@pocnet.net>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 12 Jul 2015 18:09:04 GMT) (full text, mbox, link).


Message #72 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Patrik Schindler <poc@pocnet.net>
To: 756479@bugs.debian.org
Subject: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Sun, 12 Jul 2015 20:01:31 +0200
Hello,

following the discussion, I see no other option for me than to recompile nrpe with command args enabled and set it to hold.

About the arguments flowing between the participants of this bug report: I don't know about prior discussions. Most Debian users don't know about these. And I think people like Jan Huijsmans and Michal Zelinka are unnecessarily rude. I understand Alexander Wirt. Maintaining software he was somehow pestered into only to get beaten off with a decision he made and is supported by the Debian security team is not a nice thing.

Now everyone is pissed and nrpe_server is orphaned. Also not a good way.

But I must agree that (from the user's point) silently disabling a feature some people were relying on without any warning is not a good way. What *could* have been done in this case was utilizing a message pop up like some other packages do when substantial and incompatible changes in the software were about to happen with the installation. Could have saved me debugging time.

:wq! PoC




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sun, 12 Jul 2015 20:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 12 Jul 2015 20:24:03 GMT) (full text, mbox, link).


Message #77 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Patrik Schindler <poc@pocnet.net>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Sun, 12 Jul 2015 22:20:52 +0200
On Sun, 12 Jul 2015, Patrik Schindler wrote:

> Hello,
> 
> following the discussion, I see no other option for me than to recompile nrpe with command args enabled and set it to hold.
> 
> About the arguments flowing between the participants of this bug report: I don't know about prior discussions. Most Debian users don't know about these. And I think people like Jan Huijsmans and Michal Zelinka are unnecessarily rude. I understand Alexander Wirt. Maintaining software he was somehow pestered into only to get beaten off with a decision he made and is supported by the Debian security team is not a nice thing.
> 
> Now everyone is pissed and nrpe_server is orphaned. Also not a good way.
> 
> But I must agree that (from the user's point) silently disabling a feature some people were relying on without any warning is not a good way. What *could* have been done in this case was utilizing a message pop up like some other packages do when substantial and incompatible changes in the software were about to happen with the installation. Could have saved me debugging time.
Like the news entry?:
nagios-nrpe (2.15-1) unstable; urgency=high

This update disables the command-args support in nrpe. The feature
has several security problems and is often used wrong. If you have to
use this feature recompile the package with --enable-command-args
in debian/rules.

-- Alexander Wirt <formorer@debian.org>  Tue, 15 Jul 2014 09:52:48 +0200

In a properly configured system with apt-listchanges, this is a popup.

Alex
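
An added example, not part of the original thread or of the Debian package: a Python audit that lists the command[...] definitions depending on $ARGn$ macros, which stop working once command-args support is compiled out as the NEWS entry above describes, and renders a static per-host definition in their place. The sample config is constructed after the two files quoted in the first report; audit, render_static and the value allowlist are this example's own names and choices, not NRPE's.

```python
"""Added example: find NRPE command definitions that rely on $ARGn$ macros."""
import re

ARG_MACRO = re.compile(r"\$ARG(\d+)\$")
COMMAND_KEY = re.compile(r"^command\[([^\]]+)\]$")
# Conservative allowlist chosen for this example (not NRPE's own filter).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9%.,:/_-]+$")

# Constructed sample, modelled on the two files quoted in the original report.
SAMPLE_FILES = {
    "/etc/nagios/nrpe.cfg": """\
# main config
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
include=/etc/nagios/nrpe_local.cfg
""",
    "/etc/nagios/nrpe_local.cfg": """\
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
command[check_raid]=/usr/local/sbin/nagios_raid
""",
}


def parse(files, start, seen=None):
    """Yield (file, key, value) for every directive, following include= lines."""
    seen = set() if seen is None else seen
    if start in seen or start not in files:
        return  # include loop, or a file that was not supplied
    seen.add(start)
    for raw in files[start].splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "include":
            yield from parse(files, value, seen)
        else:
            yield start, key, value


def audit(files, start):
    """Split command definitions into those needing remote arguments and static ones."""
    report = {"dont_blame_nrpe": False, "needs_args": [], "static": [], "redefined": []}
    seen_names = set()
    for path, key, value in parse(files, start):
        if key == "dont_blame_nrpe":
            report["dont_blame_nrpe"] = value == "1"
            continue
        match = COMMAND_KEY.match(key)
        if not match:
            continue
        name = match.group(1)
        if name in seen_names and name not in report["redefined"]:
            report["redefined"].append(name)  # defined more than once; review by hand
        seen_names.add(name)
        macros = sorted({int(n) for n in ARG_MACRO.findall(value)})
        report["needs_args" if macros else "static"].append((path, name, macros))
    return report


def render_static(command_line, args):
    """Substitute fixed per-host values for $ARGn$ so no remote arguments are needed."""
    def substitute(match):
        index = int(match.group(1))
        if not 1 <= index <= len(args):
            raise ValueError(f"no value supplied for $ARG{index}$")
        value = args[index - 1]
        if not SAFE_VALUE.match(value):
            raise ValueError(f"value for $ARG{index}$ is outside the allowlist: {value!r}")
        return value
    return ARG_MACRO.sub(substitute, command_line)


if __name__ == "__main__":
    result = audit(SAMPLE_FILES, "/etc/nagios/nrpe.cfg")
    print("dont_blame_nrpe set:", result["dont_blame_nrpe"])
    for path, name, macros in result["needs_args"]:
        print(f"{path}: command[{name}] uses $ARG{macros}$")
    print("redefined:", result["redefined"])
    disk = SAMPLE_FILES["/etc/nagios/nrpe_local.cfg"].splitlines()[0].split("=", 1)[1]
    print("command[check_disk]=" + render_static(disk, ["20%", "10%", "/"]))
```
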




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 01 Sep 2015 14:54:07 GMT) (full text, mbox, link).


Acknowledgement sent to David Rosenstrauch <darose@darose.net>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Tue, 01 Sep 2015 14:54:07 GMT) (full text, mbox, link).


Message #82 received at 756479@bugs.debian.org (full text, mbox, reply):

From: David Rosenstrauch <darose@darose.net>
To: 756479@bugs.debian.org
Date: Tue, 1 Sep 2015 10:50:29 -0400
So what is the recommended workaround for users who are currently 
relying on this functionality?



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 01 Sep 2015 15:03:10 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 01 Sep 2015 15:03:10 GMT) (full text, mbox, link).


Message #87 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: David Rosenstrauch <darose@darose.net>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Tue, 1 Sep 2015 16:58:59 +0200
On Tue, 01 Sep 2015, David Rosenstrauch wrote:

> So what is the recommended workaround for users who are currently relying on
> this functionality?
Either get your environment fixed, or build your own package.

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 01 Sep 2015 15:15:08 GMT) (full text, mbox, link).


Acknowledgement sent to David Rosenstrauch <darose@darose.net>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 01 Sep 2015 15:15:08 GMT) (full text, mbox, link).


Message #92 received at 756479@bugs.debian.org (full text, mbox, reply):

From: David Rosenstrauch <darose@darose.net>
To: Alexander Wirt <formorer@debian.org>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Tue, 1 Sep 2015 11:12:51 -0400
On 09/01/2015 10:58 AM, Alexander Wirt wrote:
> On Tue, 01 Sep 2015, David Rosenstrauch wrote:
>
>> So what is the recommended workaround for users who are currently relying on
>> this functionality?
> either get your environment fixed, or build your own package.
>
> Alex

Not sure what you mean by "get your environment fixed"?

Presumably a "fixed environment" means "one that doesn't use 
'dont_blame_nrpe'".  That's fair enough.  But that also obviously 
removes previously working functionality.

So that's exactly what I was asking:  for someone who was previously 
making use of this functionality, and no longer should, what might a 
"fixed environment" look like?  What is the recommended/more secure way 
to pass parms to a remote NRPE process now?  Or, if it's recommended 
that one not pass parms to NRPE, what is recommended instead?


For a concrete example, I'm currently monitoring machines for disk 
space.  Most machines I check for at least 20% disk space free.  But on 
machines with large disks, 20% is excessive, so I drop that to 10%.  So 
the 20%/10% is a parm that I pass to NRPE.  What would be the 
recommended way to implement functionality like this going forward?



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 01 Sep 2015 15:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 01 Sep 2015 15:18:03 GMT) (full text, mbox, link).


Message #97 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: David Rosenstrauch <darose@darose.net>
Cc: 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Tue, 1 Sep 2015 17:15:11 +0200
On Tue, 01 Sep 2015, David Rosenstrauch wrote:

> On 09/01/2015 10:58 AM, Alexander Wirt wrote:
> >On Tue, 01 Sep 2015, David Rosenstrauch wrote:
> >
> >>So what is the recommended workaround for users who are currently relying on
> >>this functionality?
> >either get your environment fixed, or build your own package.
> >
> >Alex
> 
> Not sure what you mean by "get your environment fixed"?
> 
> Presumably a "fixed environment" means "one that doesn't use
> 'dont_blame_nrpe'".  That's fair enough.  But that also obviously removes
> previously working functionality
> 
> So that's exactly what I was asking:  for someone who was previously making
> use of this functionality, and no longer should, what might a "fixed
> environment" look like?  What is the recommended/more secure way to pass
> parms to a remote NRPE process now?  Or, if it's recommended that one not
> pass parms to NRPE, what is recommended instead.
nrpe has several, not fixable security problems with argument parsing. You
should not use it at all. A secure alternative would be to use check_by_ssh.

> For a concrete example, I'm currently monitoring machines for disk space.
> Most machines I check for at least 20% disk space free.  But on machines
> with large disks, 20% is excessive, so I drop that to 10%.  So the 20%/10%
> is a parm that I pass to NRPE.  What would be the recommended way to
> implement functionality like this going forward?
Either use check_by_ssh or use a configuration management system like puppet
to write out your nrpe configuration with different parameters. 

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 01 Sep 2015 15:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to David Rosenstrauch <darose@darose.net>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 01 Sep 2015 15:27:03 GMT) (full text, mbox, link).


Message #102 received at 756479@bugs.debian.org (full text, mbox, reply):

From: David Rosenstrauch <darose@darose.net>
To: Alexander Wirt <formorer@debian.org>, 756479@bugs.debian.org
Subject: Re: Bug#756479: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Tue, 1 Sep 2015 11:24:31 -0400
On 09/01/2015 11:15 AM, Alexander Wirt wrote:
> On Tue, 01 Sep 2015, David Rosenstrauch wrote:
>
>> On 09/01/2015 10:58 AM, Alexander Wirt wrote:
>>> On Tue, 01 Sep 2015, David Rosenstrauch wrote:
>>>
>>>> So what is the recommended workaround for users who are currently relying on
>>>> this functionality?
>>> either get your environment fixed, or build your own package.
>>>
>>> Alex
>>
>> Not sure what you mean by "get your environment fixed"?
>>
>> Presumably a "fixed environment" means "one that doesn't use
>> 'dont_blame_nrpe'".  That's fair enough.  But that also obviously removes
>> previously working functionality
>>
>> So that's exactly what I was asking:  for someone who was previously making
>> use of this functionality, and no longer should, what might a "fixed
>> environment" look like?  What is the recommended/more secure way to pass
>> parms to a remote NRPE process now?  Or, if it's recommended that one not
>> pass parms to NRPE, what is recommended instead.
> nrpe has several, not fixable security problems with argument parsing. You
> should not use it at all. A secure alternative would be to use check_by_ssh.
>
>> For a concrete example, I'm currently monitoring machines for disk space.
>> Most machines I check for at least 20% disk space free.  But on machines
>> with large disks, 20% is excessive, so I drop that to 10%.  So the 20%/10%
>> is a parm that I pass to NRPE.  What would be the recommended way to
>> implement functionality like this going forward?
> Either use check_by_ssh or use a configuration management system like puppet
> to write out your nrpe configuration with different parameters.
>
> Alex
>

Ah.  I wasn't aware of that check_by_ssh plugin.  I'll give that a look.

Thanks!

DR



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 01 Sep 2015 15:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 01 Sep 2015 15:30:03 GMT) (full text, mbox, link).


Message #107 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: David Rosenstrauch <darose@darose.net>
Cc: 756479@bugs.debian.org
Subject: Re: Bug#756479: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Tue, 1 Sep 2015 17:27:52 +0200
On Tue, 01 Sep 2015, David Rosenstrauch wrote:

> On 09/01/2015 11:15 AM, Alexander Wirt wrote:
> >On Tue, 01 Sep 2015, David Rosenstrauch wrote:
> >
> >>On 09/01/2015 10:58 AM, Alexander Wirt wrote:
> >>>On Tue, 01 Sep 2015, David Rosenstrauch wrote:
> >>>
> >>>>So what is the recommended workaround for users who are currently relying on
> >>>>this functionality?
> >>>either get your environment fixed, or build your own package.
> >>>
> >>>Alex
> >>
> >>Not sure what you mean by "get your environment fixed"?
> >>
> >>Presumably a "fixed environment" means "one that doesn't use
> >>'dont_blame_nrpe'".  That's fair enough.  But that also obviously removes
> >>previously working functionality
> >>
> >>So that's exactly what I was asking:  for someone who was previously making
> >>use of this functionality, and no longer should, what might a "fixed
> >>environment" look like?  What is the recommended/more secure way to pass
> >>parms to a remote NRPE process now?  Or, if it's recommended that one not
> >>pass parms to NRPE, what is recommended instead.
> >nrpe has several, not fixable security problems with argument parsing. You
> >should not use it at all. A secure alternative would be to use check_by_ssh.
> >
> >>For a concrete example, I'm currently monitoring machines for disk space.
> >>Most machines I check for at least 20% disk space free.  But on machines
> >>with large disks, 20% is excessive, so I drop that to 10%.  So the 20%/10%
> >>is a parm that I pass to NRPE.  What would be the recommended way to
> >>implement functionality like this going forward?
> >Either use check_by_ssh or use a configuration management system like puppet
> >to write out your nrpe configuration with different parameters.
> >
> >Alex
> >
> 
> Ah.  I wasn't aware of that check_by_ssh plugin.  I'll give that a look.
If you use it with ssh multiplexing
(https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing, look for
ControlMaster and ControlPersist) the overhead from ssh isn't that big. 

Alex

> 
> Thanks!
> 
> DR



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Fri, 22 Jan 2016 10:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 22 Jan 2016 10:21:04 GMT) (full text, mbox, link).


Message #112 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Fabien COELHO <fabien@coelho.net>
Cc: David Rosenstrauch <darose@darose.net>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Fri, 22 Jan 2016 11:17:39 +0100
On Fri, 22 Jan 2016, Fabien COELHO wrote:

> 
> Sigh. I've lost 1 hour on this "improvement".
> 
> Please note that there is still a bug: the installed "/etc/nagios/nrpe.cfg"
> configuration file now contains an option which is ignored, but AFAICS there
> is no warning about that fact in the file nor in the log when starting nrpe,
> so people will keep trying to enable it and fail without understanding that
> it is in fact ignored.
> 
> >nrpe has several, not fixable security problems with argument parsing.
> 
> I do believe that.
> 
> >You should not use it at all.
> 
> You do *NOT* know about other people's context and balance of risks.
> 
> Debian is for grownups, you do not have to "decide" for us as if we were
> children. I know my risks and benefits, and I can make the decision whether
> to enable arguments or not, you do not have to take this decision for me.
> The option name says it all "dont_blame_nrpe": *MY* responsibility, not
> yours.
> 
> >A secure alternative would be to use check_by_ssh.
> 
> I disagree that using check_by_ssh is obviously better, because it means
> allowing a shell access and a private key without password on the server, or
> endless efforts to maintain some ssh-agent somewhere which have their own
> risks... I'm not sure I can see how this is much better than nrpe with
> arguments and IP control, for me this is the same.
> 
> The "just compile your own package" is a laughable fix: If I wanted to do
> that, I would not use Debian in the first place.
Stop complaining, start maintaining packages. It is a shame that all those
complainers weren't able to build a "fixed" package.

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Fri, 22 Jan 2016 10:36:12 GMT) (full text, mbox, link).


Acknowledgement sent to Fabien COELHO <fabien@coelho.net>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 22 Jan 2016 10:36:13 GMT) (full text, mbox, link).


Message #117 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Fabien COELHO <fabien@coelho.net>
To: Alexander Wirt <formorer@debian.org>
Cc: David Rosenstrauch <darose@darose.net>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Fri, 22 Jan 2016 11:11:33 +0100 (CET)
Sigh. I've lost 1 hour on this "improvement".

Please note that there is still a bug: the installed 
"/etc/nagios/nrpe.cfg" configuration file now contains an option which is 
ignored, but AFAICS there is no warning about that fact in the file nor in 
the log when starting nrpe, so people will keep trying to enable it and 
fail without understanding that it is in fact ignored.

> nrpe has several, not fixable security problems with argument parsing.

I do believe that.

> You should not use it at all.

You do *NOT* know about other people's context and balance of risks.

Debian is for grownups, you do not have to "decide" for us as if we were 
children. I know my risks and benefits, and I can make the decision 
whether to enable arguments or not, you do not have to take this decision 
for me. The option name says it all "dont_blame_nrpe": *MY* 
responsibility, not yours.

> A secure alternative would be to use check_by_ssh.

I disagree that using check_by_ssh is obviously better, because it means 
allowing a shell access and a private key without password on the server, 
or endless efforts to maintain some ssh-agent somewhere which have their 
own risks... I'm not sure I can see how this is much better than nrpe with 
arguments and IP control, for me this is the same.

The "just compile your own package" is a laughable fix: If I wanted to do 
that, I would not use Debian in the first place.

-- 
Fabien.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Fri, 22 Jan 2016 10:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Fabien COELHO <fabien@coelho.net>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 22 Jan 2016 10:42:06 GMT) (full text, mbox, link).


Message #122 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Fabien COELHO <fabien@coelho.net>
To: Alexander Wirt <formorer@debian.org>
Cc: David Rosenstrauch <darose@darose.net>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Fri, 22 Jan 2016 11:39:59 +0100 (CET)
Hello Alexander,


ISTM that you did not answer about my point that the current configuration 
file is misleading, as the 'dont_blame_nrpe' option is ignored but there 
is no warning about that fact in the file nor in the log. If it had been 
the case, I would have lost much less time.

>> The "just compile your own package" is a laughable fix: If I wanted to do
>> that, I would not use Debian in the first place.

> Stop complaining,

You may understand that the decision you took to remove a feature was not 
a good one. This feature already had clear caveats that allow admins to 
make an informed decision, as the grownups they are. Mostly.

> start maintaining packages.

I already contribute to several free softwares, although not by 
maintaining Debian packages: I cannot do everything, that is life.

> It is a shame that all those complainers weren't able to build a "fixed" 
> package.

I know I (probably) can, but then I have to manage the deployment and so, a 
significant effort which should not have been needed in the first place.

-- 
Fabien.
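
The gap described in the message above (an option in /etc/nagios/nrpe.cfg that the build ignores without any warning) can be checked for ahead of an upgrade. The following is an added example, not part of the thread or of NRPE: the sample configuration is constructed, and `args_compiled_in` is an assumed switch standing in for whether the installed daemon was built with --enable-command-args.

```python
import re

# Constructed sample in nrpe.cfg syntax; not taken from any real host.
SAMPLE_NRPE_CFG = """\
# constructed example
allowed_hosts=127.0.0.1
dont_blame_nrpe=1
allow_bash_command_substitution=0
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_old]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND_DEF = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.+)$")


def audit_nrpe_config(text, args_compiled_in=False):
    """Return sorted (line_number, subject, status) findings.

    status is one of:
      ignored                 dont_blame_nrpe=1 is set but the build has no
                              argument support, so the setting does nothing
      active                  dont_blame_nrpe=1 is set and the build honours it
      needs-args-unavailable  a command uses $ARGn$ but the daemon will not
                              accept client-supplied arguments
      accepts-remote-args     a command uses $ARGn$ and arguments are enabled
    """
    settings, commands = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        match = COMMAND_DEF.match(line)
        if match:
            commands.append((lineno, match.group(1), match.group(2)))
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = (lineno, value.strip())

    blame_line, blame_value = settings.get("dont_blame_nrpe", (0, "0"))
    args_on = args_compiled_in and blame_value == "1"

    findings = []
    if blame_value == "1":
        status = "active" if args_compiled_in else "ignored"
        findings.append((blame_line, "dont_blame_nrpe", status))
    for lineno, name, cmdline in commands:
        if ARG_MACRO.search(cmdline):
            status = "accepts-remote-args" if args_on else "needs-args-unavailable"
            findings.append((lineno, name, status))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, subject, status in audit_nrpe_config(SAMPLE_NRPE_CFG):
        print(f"line {lineno}: {subject}: {status}")
```
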



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Fri, 22 Jan 2016 10:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 22 Jan 2016 10:45:03 GMT) (full text, mbox, link).


Message #127 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Fabien COELHO <fabien@coelho.net>
Cc: David Rosenstrauch <darose@darose.net>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: (no subject)
Date: Fri, 22 Jan 2016 11:43:21 +0100
On Fri, 22 Jan 2016, Fabien COELHO wrote:

> 
> Hello Alexander,
> 
> 
> ISTM that you did not answer about my point that the current configuration
> file is misleading, as the 'dont_blame_nrpe' option is ignored but there is
> no warning about that fact in the file nor in the log. If it had been the
> case, I would have lost much less time.
That's another bug in nrpe. 

> 
> >>The "just compile your own package" is a laughable fix: If I wanted to do
> >>that, I would not use Debian in the first place.
> 
> >Stop complaining,
> 
> You may understand that the decision you took to remove a feature was not a
> good one. This feature already had clear caveats that allow admins to make
> an informed decision, as the grownups they are. Mostly.
It was a good one as people stopped complaining against me for getting their
boxes hacked. My life is a lot easier since then.

> 
> >start maintaining packages.
> 
> I already contribute to several free softwares, although not by maintaining
> Debian packages: I cannot do everything, that is life.
> 
> >It is a shame that all those complainers weren't able to build a "fixed"
> >package.
> 
> I know I (probably) can, but then I have to manage the deployment and so, a
> significant effort which should not have been needed in the first place.

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sat, 23 Apr 2016 12:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Tomasek <jan@tomasek.cz>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 23 Apr 2016 12:51:04 GMT) (full text, mbox, link).


Message #132 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Jan Tomasek <jan@tomasek.cz>
To: 756479@bugs.debian.org
Subject: Re: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Sat, 23 Apr 2016 14:47:20 +0200
Hi,

I'm another one who spent some time examining why after upgrade is nrpe
not working.

I've read whole thread about this Bug#756479 and can't find any
reference to description how to exploit nagios-nrpe-server with

dont_blame_nrpe=0
allow_bash_command_substitution=0

I've been searching for CVE at
https://www.cvedetails.com/vulnerability-list/vendor_id-1424/Nagios.html
and only relevant is https://www.cvedetails.com/cve/CVE-2014-2913/

but again no way how to exploit when this functionality is disabled -
which is by default in config file. I would prefer to have back package
which do not require recompiling.

Please take this mail as another voice for returning functionality back
into Debian package.

Best regards
-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Sat, 23 Apr 2016 13:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 23 Apr 2016 13:39:08 GMT) (full text, mbox, link).


Message #137 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Jan Tomasek <jan@tomasek.cz>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Sat, 23 Apr 2016 15:23:35 +0200
On Sat, 23 Apr 2016, Jan Tomasek wrote:

> Hi,
> 
> I'm another one who spent some time examining why after upgrade is nrpe
> not working.
> 
> I've read whole thread about this Bug#756479 and can't find any
> reference to description how to exploit nagios-nrpe-server with
> 
> dont_blame_nrpe=0
> allow_bash_command_substitution=0
> 
> I've been searching for CVE at
> https://www.cvedetails.com/vulnerability-list/vendor_id-1424/Nagios.html
> and only relevant is https://www.cvedetails.com/cve/CVE-2014-2913/
> 
> but again no way how to exploit when this functionality is disabled -
> which is by default in config file. I would prefer to have back package
> which do not require recompiling.
> 
> Please take this mail as another voice for returning functionality back
> into Debian package.
And just to say it again, the package is orphaned. Anyone is free to bring it
back.

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 10 May 2016 14:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Falk Brockerhoff <fb@smartterra.de>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 10 May 2016 14:06:04 GMT) (full text, mbox, link).


Message #142 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Falk Brockerhoff <fb@smartterra.de>
To: 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Tue, 10 May 2016 15:56:15 +0200
Alex,

I understand that you aren’t happy as the maintainer of this package. Unfortunately I don’t have any coding skills, so that I’m not able to support you. Sorry for this.

But I’m a user of this package and really do need the „dont_blame_nrpe“. Why can’t you just put it back in? It was you, who disabled this configuration option. I do not ask you to correct another man’s mistake.

Regards,

Falk


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Tue, 10 May 2016 14:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 10 May 2016 14:15:03 GMT) (full text, mbox, link).


Message #147 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Falk Brockerhoff <fb@smartterra.de>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Tue, 10 May 2016 16:12:21 +0200
On Tue, 10 May 2016, Falk Brockerhoff wrote:

> Alex,
> 
> I understand that you aren’t happy as the maintainer of this package. Unfortunately I don’t have any coding skills, so that I’m not able to support you. Sorry for this.
> 
> But I’m a user of this package and really do need the „dont_blame_nrpe“. Why can’t you just put it back in? It was you, who disabled this configuration option. I do not ask you to correct another man’s mistake.
it wasn't a mistake.

It was on purpose, the right decision and decided together with the security
team.

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Wed, 07 Sep 2016 22:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to "diego.roccia@gmail.com" <diego.roccia@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 07 Sep 2016 22:51:03 GMT) (full text, mbox, link).


Message #152 received at 756479@bugs.debian.org (full text, mbox, reply):

From: "diego.roccia@gmail.com" <diego.roccia@gmail.com>
To: 756479@bugs.debian.org
Subject: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Thu, 8 Sep 2016 00:46:39 +0200
I too am experiencing big problems with this change. It blocked all my
Debian 8 upgrade.
It doesn't make sense to remove a feature because it can be used the wrong
way

-- 
Diego Roccia
diego.roccia (at) gmail (dot) com

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Mon, 07 Nov 2016 12:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Eggert <thorsten.eggert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Mon, 07 Nov 2016 12:15:03 GMT) (full text, mbox, link).


Message #157 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Thorsten Eggert <thorsten.eggert@gmail.com>
To: 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Mon, 7 Nov 2016 13:14:10 +0100
Hi Alex,
I would call myself an experienced programmer, I also ran into trouble 
with this and debugged more time than it's worth...

How can I get the maintainer of this package?


greetings

Thorsten



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#756479; Package nagios-nrpe-server. (Mon, 07 Nov 2016 12:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Mon, 07 Nov 2016 12:27:04 GMT) (full text, mbox, link).


Message #162 received at 756479@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Thorsten Eggert <thorsten.eggert@gmail.com>, 756479@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#756479: Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1
Date: Mon, 7 Nov 2016 13:26:11 +0100
On Mon, 07 Nov 2016, Thorsten Eggert wrote:

> Hi Alex,
> I would call myself an experienced programmer, I also ran into trouble with
> this and debugged more time than it's worth...
You should not in any kind use this security flawed feature, however:

> How can I get the maintainer of this package?
https://www.debian.org/doc/manuals/debian-faq/ch-contributing.en.html and ask
for membership of pkg-nagios on alioth. 

Alex




Merged 756479 773840 Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Sun, 04 Dec 2016 14:09:06 GMT) (full text, mbox, link).


Message #165 received at 773840-done@bugs.debian.org (full text, mbox, reply):

From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
To: 773840-done@bugs.debian.org
Subject: nagios-nrpe: NRPE configured without --enable-command-args on build
Date: Sun, 4 Dec 2016 15:22:09 +0100
On Tue, 07 Jul 2015 10:57:42 -0700 Matt Taggart wrote:
> I recently learned of a secure replacement for nrpe. The check-mk nagios
> add on provides 'mrpe' which is a drop in replacement for nrpe, you can
> use it with existing nrpe checks but they get run via check-mk's
> transport, which can use ssh. I moved some of my existing nrpe scripts
> to that, and I plan to eventually transition them to native check-mk
> scripts for performance reasons.
> 
> In addition to replacing nrpe, there is also a check-mk agent that
> replaces the also insecure nagios-statd (agent 'ps').
> 
> It took some effort to transition, but now everything is done over
> ssh (even on private networks) and also check-mk comes with so many
> plugins that I have a lot more checks now and was able to get rid of
> some custom checks.
> 
> Check it out, I think you'll like it. I have some notes on how to
> transition things I should post somewhere...

check-mk is indeed a good alternative to NRPE.

Alexander Wirt made the right choice to disable the command-args
option, its security track record is terrible.

Users who rely on custom arguments for plugins are advised to provision
the host specific NRPE configuration with their configuration management
system of choice. Or alternatively maintain a custom nagios-nrpe package
in their local APT repository. The package in Debian is correct to not
enable this feature.

I'm closing this issue because the Debian package will not re-enable
this option in the foreseeable future.

Kind Regards,

Bas
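
The advice in this closing message, and in Alexander Wirt's earlier reply to the 20%/10% disk-space question, is to provision host-specific NRPE configuration from configuration management instead of passing arguments over the network. One way to do that, as an added example that is not code from the thread or the package: the host names, critical thresholds, plugin directory and command naming are assumptions, and the inventory is constructed.

```python
import re

PLUGIN_DIR = "/usr/lib/nagios/plugins"   # assumption: Debian plugin path
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")
MOUNT_RE = re.compile(r"/[A-Za-z0-9_./-]*")  # no spaces, quotes or metacharacters

# Constructed inventory. Values are free-space percentages; the 20%/10%
# warning levels follow the example in the thread, the critical levels and
# host names are made up for illustration.
DEFAULTS = {"warn": 20, "crit": 10, "mounts": ["/"]}
HOST_OVERRIDES = {
    "bigdisk01.example.org": {"warn": 10, "crit": 5, "mounts": ["/", "/srv/data"]},
}


def host_settings(host):
    """Merge the defaults with any per-host override."""
    merged = dict(DEFAULTS)
    merged.update(HOST_OVERRIDES.get(host, {}))
    return merged


def validate(host, settings):
    """Reject inventory values that could smuggle extra text into nrpe.cfg."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"refusing host name {host!r}")
    warn, crit = settings["warn"], settings["crit"]
    for value in (warn, crit):
        if isinstance(value, bool) or not isinstance(value, int) or not 0 < value < 100:
            raise ValueError(f"threshold must be an integer percentage: {value!r}")
    if crit >= warn:
        raise ValueError("critical free-space threshold must be below warning")
    for mount in settings["mounts"]:
        if not MOUNT_RE.fullmatch(mount) or ".." in mount:
            raise ValueError(f"refusing mount point {mount!r}")


def command_name(mount):
    """Derive a fixed NRPE command name from a mount point."""
    suffix = "root" if mount == "/" else mount.strip("/").replace("/", "_")
    return f"check_disk_{suffix}"


def render_nrpe_fragment(host):
    """Return nrpe.cfg lines for one host with thresholds baked in, so the
    poller only names the command and never sends arguments."""
    settings = host_settings(host)
    validate(host, settings)
    lines = [f"# generated for {host}; thresholds are fixed on this host"]
    for mount in settings["mounts"]:
        lines.append(
            f"command[{command_name(mount)}]={PLUGIN_DIR}/check_disk "
            f"-w {settings['warn']}% -c {settings['crit']}% -p {mount}"
        )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name in ("web01.example.org", "bigdisk01.example.org"):
        print(render_nrpe_fragment(name))
```
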



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Jan 2017 07:25:23 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 6 20:22:51 2018; Machine Name: buxtehude
