From git at monitoring-plugins.org Fri Feb 6 13:00:13 2026 From: git at monitoring-plugins.org (=?UTF-8?Q?GitHub?=) Date: Fri, 6 Feb 2026 13:00:13 +0100 (CET) Subject: =?UTF-8?Q?=5Bmonitoring-plugins=5D_OpenBSD=3A_pledge=282=29_some_network-?= =?UTF-8?Q?facing_checks_=2E=2E=2E?= Message-ID: <20260206120013.4C37F1FFBF@orwell.monitoring-plugins.org> Module: monitoring-plugins Branch: master Commit: cef40299a93233f043f5b0821a9ad2c69dd612f7 Author: Alvar Committer: GitHub Date: Fri Feb 6 11:58:38 2026 +0000 URL: https://www.monitoring-plugins.org/repositories/monitoring-plugins/commit/?id=cef40299 OpenBSD: pledge(2) some network-facing checks (#2225) OpenBSD's pledge(2) system call allows the current process to restrict itself to a set of promised capabilities. For example, unless a process says it wants to write to files, it is not allowed to do so any longer. This change starts by calling pledge(2) in some network-facing checks, removing the more dangerous privileges, such as executing other files. My initial motivation came from check_icmp, which is installed as a setuid binary and (temporarily) runs with root privileges. There, the pledge(2) calls result in check_icmp only being allowed to interact with the network and to setuid(2) to the calling user later on. Afterwards, I went through my most commonly used monitoring plugins directly interacting with the network. Thus, I continued with pledge(2)-ing check_curl - having a huge codebase and all -, check_ntp_time, check_smtp, check_ssh, and check_tcp. For most of those, the changes were quite similar: start with network-friendly promises, parse the configuration, give up file access, and proceed with the actual check. --- plugins-root/check_icmp.c | 17 +++++++++++++++++ plugins/check_curl.c | 17 +++++++++++++++++ plugins/check_ntp_time.c | 12 ++++++++++++ plugins/check_smtp.c | 12 ++++++++++++ plugins/check_ssh.c | 12 ++++++++++++ plugins/check_tcp.c | 12 ++++++++++++ 6 files changed, 82 insertions(+) 
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index e536e31c..1390a03e 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c @@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz } int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - dns is required for name lookups (given up later) + * - id is required for temporary privilege drops in configparsing and for + * permanent privilege dropping after opening the socket (given up later) */ + pledge("stdio rpath inet dns id", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -836,6 +845,10 @@ int main(int argc, char **argv) { crash("failed to parse config"); } +#ifdef __OpenBSD__ + pledge("stdio inet dns id", NULL); +#endif // __OpenBSD__ + const check_icmp_config config = tmp_config.config; if (config.output_format_is_set) { @@ -898,6 +911,10 @@ int main(int argc, char **argv) { return 1; } +#ifdef __OpenBSD__ + pledge("stdio inet", NULL); +#endif // __OpenBSD__ + if (sockset.socket4) { int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl)); if (debug) { diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 1dec8a2a..19d36237 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c 
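Review bot: Every pledge(2) call added in this and the next two hunks discards its return value, so a failed call (for example EINVAL from a promise string the running kernel does not recognise) silently leaves check_icmp running unrestricted, and because this binary is installed setuid-root that is the worst case for exactly the file the commit was motivated by; the same unchecked pattern is repeated in check_curl, check_ntp_time, check_smtp, check_ssh and check_tcp below. OpenBSD's own programs treat a pledge failure as fatal, which here could reuse the error path this function already has: `if (pledge("stdio rpath inet dns id", NULL) == -1) { crash("pledge"); }`, or a small `pledge_or_die()` helper shared by all six plugins. The third call narrows to `stdio inet` immediately after the socket-open error check, and a pledge violation terminates the process, so it is worth confirming that the permanent setuid() to the invoking user (which needs `id`) happens before that point rather than after it. main continues outside the hunk, so that ordering cannot be verified here.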
@@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_ #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts, CA and/or client certs + * - wpath is required to write --cookie-jar (possibly given up later) + * - inet is required for sockets + * - dns is required for name lookups */ + pledge("stdio rpath wpath inet dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -135,6 +143,15 @@ int main(int argc, char **argv) { const check_curl_config config = tmp_config.config; +#ifdef __OpenBSD__ + if (!config.curl_config.cookie_jar_file) { + if (verbose >= 2) { + printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n")); + } + pledge("stdio rpath inet dns", NULL); + } +#endif // __OpenBSD__ + if (config.output_format_is_set) { mp_set_format(config.output_format); } diff --git a/plugins/check_ntp_time.c b/plugins/check_ntp_time.c index 9e0beb9c..afa6d16c 100644 --- a/plugins/check_ntp_time.c +++ b/plugins/check_ntp_time.c @@ -661,6 +661,14 @@ static check_ntp_time_config_wrapper process_arguments(int argc, char **argv) { } int main(int argc, char *argv[]) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -674,6 +682,10 @@ int main(int argc, char *argv[]) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + const check_ntp_time_config config = tmp_config.config; if (config.output_format_is_set) { 
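Review bot: The `wpath` promise only covers writing to files that already exist; creating a new `--cookie-jar` file additionally needs `cpath`, so on a first run where the jar is absent libcurl's open with O_CREAT would be a pledge violation (which terminates the process) rather than a clean error, unless the file is guaranteed to pre-exist. If creating the jar is meant to work, the first call should be `pledge("stdio rpath wpath cpath inet dns", NULL);` and the narrowing in the second hunk should drop `cpath` together with `wpath`. As in check_icmp, both calls ignore pledge(2)'s return value, so a rejected promise set leaves the plugin unsandboxed without any diagnostic. Which further promises libcurl's transfer path and TLS backend require cannot be judged from here, since main continues outside the hunk.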
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index e8c35f58..03335665 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -100,6 +100,14 @@ static int my_close(int /*socket_descriptor*/); static int verbose = 0; int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -113,6 +121,10 @@ int main(int argc, char **argv) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + const check_smtp_config config = tmp_config.config; if (config.output_format_is_set) { diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c index f6c8d551..84b70a53 100644 --- a/plugins/check_ssh.c +++ b/plugins/check_ssh.c @@ -61,6 +61,14 @@ static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_v char *remote_protocol); int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -74,6 +82,10 @@ int main(int argc, char **argv) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + check_ssh_config config = tmp_config.config; mp_check overall = mp_check_init(); diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index 09806373..430f1218 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c 
@@ -89,6 +89,14 @@ const int DEFAULT_NNTPS_PORT = 563; const int DEFAULT_CLAMD_PORT = 3310; int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -216,6 +224,10 @@ int main(int argc, char **argv) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + config = paw.config; if (verbosity > 0) { From git at monitoring-plugins.org Fri Feb 6 13:00:13 2026 From: git at monitoring-plugins.org (=?UTF-8?Q?GitHub?=) Date: Fri, 6 Feb 2026 13:00:13 +0100 (CET) Subject: =?UTF-8?Q?=5Bmonitoring-plugins=5D_Make_IPv6_unconditional_=28=232219=29?= Message-ID: <20260206120014.2FE1A1FF8F@orwell.monitoring-plugins.org> Module: monitoring-plugins Branch: master Commit: 0f0865c910096c95594ac09929708e84934e46df Author: Lorenz K?stle <12514511+RincewindsHat at users.noreply.github.com> Committer: GitHub Date: Fri Feb 6 12:59:58 2026 +0100 URL: https://www.monitoring-plugins.org/repositories/monitoring-plugins/commit/?id=0f0865c9 Make IPv6 unconditional (#2219) This commits removes the detection of IPv6 availability. The IPv6 code in the plugins is used unconditionally now. --- configure.ac | 24 ------------------------ plugins/check_curl.c | 2 +- plugins/check_curl.d/check_curl_helpers.c | 2 +- plugins/check_http.c | 4 ---- plugins/check_ldap.c | 4 ---- plugins/check_ntp_peer.c | 4 ---- plugins/check_ntp_time.c | 4 ---- plugins/check_ping.c | 4 ---- plugins/check_smtp.c | 4 ---- plugins/check_ssh.c | 4 ---- plugins/check_tcp.c | 4 ---- plugins/netutils.c | 10 ---------- plugins/netutils.h | 4 ---- 13 files changed, 2 insertions(+), 72 deletions(-) 
diff --git a/configure.ac b/configure.ac index 7361434a..ae7eb30b 100644 --- a/configure.ac +++ b/configure.ac @@ -475,30 +475,6 @@ AC_ARG_WITH([ipv6], [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])], [], [with_ipv6=check]) -dnl Check for AF_INET6 support - unistd.h required for Darwin -if test "$with_ipv6" != "no"; then - AC_CACHE_CHECK([for IPv6 support], np_cv_sys_ipv6, [ - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#ifdef HAVE_UNISTD_H - #include - #endif - #include - #include ]], [[struct sockaddr_in6 sin6; - void *p; - - sin6.sin6_family = AF_INET6; - sin6.sin6_port = 587; - p = &sin6.sin6_addr;]])],[np_cv_sys_ipv6=yes],[np_cv_sys_ipv6=no]) - ]) - if test "$np_cv_sys_ipv6" = "no" -a "$with_ipv6" != "check"; then - AC_MSG_FAILURE([--with-ipv6 was given, but test for IPv6 support failed]) - fi - if test "$np_cv_sys_ipv6" = "yes"; then - AC_DEFINE(USE_IPV6,1,[Enable IPv6 support]) - fi - with_ipv6="$np_cv_sys_ipv6" -fi - - dnl Checks for Kerberos. Must come before openssl checks for Redhat EL 3 AC_CHECK_HEADERS(krb5.h,FOUNDINCLUDE=yes,FOUNDINCLUDE=no) if test "$FOUNDINCLUDE" = "no"; then diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 19d36237..95e45282 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -1265,7 +1265,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) { result.config.curl_config.sin_family = AF_INET; break; case '6': -#if defined(USE_IPV6) && defined(LIBCURL_FEATURE_IPV6) +#if defined(LIBCURL_FEATURE_IPV6) result.config.curl_config.sin_family = AF_INET6; #else usage4(_("IPv6 support not available")); diff --git a/plugins/check_curl.d/check_curl_helpers.c b/plugins/check_curl.d/check_curl_helpers.c index 5af00973..ad31b847 100644 --- a/plugins/check_curl.d/check_curl_helpers.c +++ b/plugins/check_curl.d/check_curl_helpers.c 
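Review bot: `AC_ARG_WITH([ipv6], ...)` with its `default=check` help text and the `with_ipv6=check` default is kept while every consumer of `$with_ipv6` and `USE_IPV6` is deleted, so `./configure --without-ipv6` is now accepted and silently ignored even though the plugins use IPv6 unconditionally. Either remove the AC_ARG_WITH block as well, or keep it for compatibility and make the disabling explicit: `AS_IF([test "$with_ipv6" = "no"], [AC_MSG_ERROR([IPv6 support can no longer be disabled])])`. Whether any `#ifdef USE_IPV6` remains in files this commit does not touch (it would now be dead code) cannot be seen from the diff.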
@@ -488,7 +488,7 @@ check_curl_configure_curl(const check_curl_static_curl_config config, curl_easy_setopt(result.curl_state.curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V4)"); } -#if defined(USE_IPV6) && defined(LIBCURL_FEATURE_IPV6) +#if defined(LIBCURL_FEATURE_IPV6) else if (config.sin_family == AF_INET6) { handle_curl_option_return_code( curl_easy_setopt(result.curl_state.curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6), diff --git a/plugins/check_http.c b/plugins/check_http.c index d2f080c7..71f94b91 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c @@ -544,11 +544,7 @@ bool process_arguments(int argc, char **argv) { address_family = AF_INET; break; case '6': -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage4(_("IPv6 support not available")); -#endif break; case 'v': /* verbose */ verbose = true; diff --git a/plugins/check_ldap.c b/plugins/check_ldap.c index 1b2e2826..333dae41 100644 --- a/plugins/check_ldap.c +++ b/plugins/check_ldap.c @@ -462,11 +462,7 @@ check_ldap_config_wrapper process_arguments(int argc, char **argv) { } break; case '6': -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage(_("IPv6 support not available\n")); -#endif break; case output_format_index: { parsed_output_format parser = mp_parse_output_format(optarg); diff --git a/plugins/check_ntp_peer.c b/plugins/check_ntp_peer.c index 26f74286..06737a27 100644 --- a/plugins/check_ntp_peer.c +++ b/plugins/check_ntp_peer.c @@ -640,11 +640,7 @@ check_ntp_peer_config_wrapper process_arguments(int argc, char **argv) { address_family = AF_INET; break; case '6': -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage4(_("IPv6 support not available")); -#endif break; case '?': /* print short usage statement if args not parsable */ diff --git a/plugins/check_ntp_time.c b/plugins/check_ntp_time.c index afa6d16c..5955d22e 100644 --- a/plugins/check_ntp_time.c +++ b/plugins/check_ntp_time.c 
@@ -640,11 +640,7 @@ static check_ntp_time_config_wrapper process_arguments(int argc, char **argv) { address_family = AF_INET; break; case '6': -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage4(_("IPv6 support not available")); -#endif break; case '?': /* print short usage statement if args not parsable */ diff --git a/plugins/check_ping.c b/plugins/check_ping.c index 61feb958..e1ee0f5c 100644 --- a/plugins/check_ping.c +++ b/plugins/check_ping.c @@ -246,11 +246,7 @@ check_ping_config_wrapper process_arguments(int argc, char **argv) { address_family = AF_INET; break; case '6': /* IPv6 only */ -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage(_("IPv6 support not available\n")); -#endif break; case 'H': /* hostname */ { char *ptr = optarg; diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 03335665..701af7b0 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -819,11 +819,7 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) { address_family = AF_INET; break; case '6': -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage4(_("IPv6 support not available")); -#endif break; case 'V': /* version */ print_revision(progname, NP_VERSION); diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c index 84b70a53..911f6787 100644 --- a/plugins/check_ssh.c +++ b/plugins/check_ssh.c @@ -173,11 +173,7 @@ process_arguments_wrapper process_arguments(int argc, char **argv) { address_family = AF_INET; break; case '6': -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage4(_("IPv6 support not available")); -#endif break; case 'r': /* remote version */ result.config.remote_version = optarg; diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index 430f1218..49a8c4c1 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c 
@@ -583,11 +583,7 @@ static check_tcp_config_wrapper process_arguments(int argc, char **argv, check_t address_family = AF_INET; break; case '6': // Apparently unused TODO -#ifdef USE_IPV6 address_family = AF_INET6; -#else - usage4(_("IPv6 support not available")); -#endif break; case 'H': /* hostname */ config.host_specified = true; diff --git a/plugins/netutils.c b/plugins/netutils.c index b4c6ff0a..f9933ebd 100644 --- a/plugins/netutils.c +++ b/plugins/netutils.c @@ -38,11 +38,7 @@ mp_state_enum socket_timeout_state = STATE_CRITICAL; mp_state_enum econn_refuse_state = STATE_CRITICAL; bool was_refused = false; -#if USE_IPV6 int address_family = AF_UNSPEC; -#else -int address_family = AF_INET; -#endif /* handles socket timeouts */ void socket_timeout_alarm_handler(int sig) { @@ -348,7 +344,6 @@ void host_or_die(const char *str) { } bool is_addr(const char *address) { -#ifdef USE_IPV6 if (address_family == AF_INET && is_inet_addr(address)) { return true; } @@ -356,11 +351,6 @@ bool is_addr(const char *address) { if (address_family == AF_INET6 && is_inet6_addr(address)) { return true; } -#else - if (is_inet_addr(address)) { - return true; - } -#endif return false; } diff --git a/plugins/netutils.h b/plugins/netutils.h index dbd22398..f3d046c3 100644 --- a/plugins/netutils.h +++ b/plugins/netutils.h @@ -78,12 +78,8 @@ bool dns_lookup(const char *, struct sockaddr_storage *, int); void host_or_die(const char *str); #define resolve_host_or_addr(addr, family) dns_lookup(addr, NULL, family) #define is_inet_addr(addr) resolve_host_or_addr(addr, AF_INET) -#ifdef USE_IPV6 # define is_inet6_addr(addr) resolve_host_or_addr(addr, AF_INET6) # define is_hostname(addr) resolve_host_or_addr(addr, address_family) -#else -# define is_hostname(addr) resolve_host_or_addr(addr, AF_INET) -#endif extern unsigned int socket_timeout; extern mp_state_enum socket_timeout_state;
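Review bot: With `address_family` now unconditionally initialised to `AF_UNSPEC`, `is_addr()` returns false for every input unless the caller selected `-4` or `-6`, since neither remaining branch matches AF_UNSPEC; that was already how a USE_IPV6 build behaved, but the removed fallback that accepted any IPv4 literal is gone for good, so builds that previously lacked IPv6 change behaviour here. Whether callers treat false as "not a literal, resolve it as a hostname" (harmless) or as "invalid address" (a regression for invocations without -4/-6) is not visible in the hunk. A one-line comment above the function would pin the contract: `/* Returns false when address_family is AF_UNSPEC (the default); only -4/-6 make literal addresses recognisable. */`.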