[Nagiosplug-devel] [ nagiosplug-Feature Requests-642352 ] accept environ for check_by_ssh / others

SourceForge.net noreply at sourceforge.net
Sun Dec 14 14:19:03 CET 2003


Feature Requests item #642352, was opened at 2002-11-22 11:12
Message generated for change (Comment added) made by kdebisschop
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397600&aid=642352&group_id=29880

Category: None
Group: Next Release (example)
Status: Open
Priority: 5
Submitted By: John Marquart (vaix)
Assigned to: Nobody/Anonymous (nobody)
Summary: accept environ for check_by_ssh / others

Initial Comment:
I came to realize that due to the use of spopen and the 
execve call, that the check_by_ssh script will ignore 
environmental variables.

I think it would be very useful to potentially allow 
environmental variables / a method for defining certain 
variables.


For me, this came up, because I am using a kerberized 
(or more properly a gssapi hacked) ssh.  I would like the 
ability to use the KRB5CCNAME environment variable 
so that I can define a credentials cache for nagios to 
use - and handle all check_by_ssh checks via gssapi 
authentication.

I imagine that there are other hacks/uses of ssh which 
also depend on the env variables to be correctly set.


Has anyone else come across problems w/ plugins that 
use the spopen function not being able to properly set 
environmental variables?   Any solutions?

----------------------------------------------------------------------

>Comment By: Karl DeBisschop (kdebisschop)
Date: 2003-12-14 17:18

Message:

Nothing concrete to add at the moment except to say that your
comments have been heard.

There is a sense in these comments that spopen is deficient
in not being able to handle ENV vars. I do want to comment
that the restriction is by design. And by design that goes
back to the early days of nagios. 

Essentially, there is always some security risk to allowing
ENV variables to get passed through. Not that you would do
it, but in practice not all sysadmins are aware that they
can be a vector for security breaches.  So we decided to
default to disallowing their propagation (in fact, it was
easiest to pass them -- security in that respect was a
conscious act).

That being said, I see their use too. I will think on this,
and see what we can come up with that balances the two
concerns a little better.

----------------------------------------------------------------------

Comment By: Simon Kitching (s_kitching)
Date: 2003-12-14 16:31

Message:

I've been bitten by this one too. 

I need to monitor a host that can only be accessed via ssh
via a SOCKS proxy. In order to enable socks proxying,
LD_PRELOAD and LD_LIBRARY_PATH are modified to cause the
custom socks networking library to be loaded instead of the
standard system one. But because check_by_ssh clears the
environment before invoking ssh, the child ssh process can't
connect.

I would like to see an extra option on the check_by_ssh
commandline to pass environment settings (eg "-u" for
"unsafe"?).  This would of course mean altering spopen(...)
to have an extra param indicating whether the child process
should have a "clean" environment or inherit the parent's
environment.

----------------------------------------------------------------------
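One possible middle ground between the cleared environment and full inheritance discussed in this thread, as an added example (not code from the Nagios plugins or from any poster): the child receives only variables whose names are on an explicit allow-list. The names `env_allow`, `env_allowed`, `build_child_env` and `spawn_filtered`, and the choice of `KRB5CCNAME` and `LANG` as allowed entries, are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical allow-list: the only names forwarded to the child. */
static const char *const env_allow[] = { "KRB5CCNAME", "LANG", NULL };

/* 1 if the NAME of a "NAME=value" entry matches an allow-list name exactly. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : 0;
    for (size_t i = 0; n > 0 && env_allow[i] != NULL; i++)
        if (strlen(env_allow[i]) == n && strncmp(entry, env_allow[i], n) == 0)
            return 1;
    return 0;
}

/* New NULL-terminated array of allow-listed entries; strings belong to src. */
char **build_child_env(char *const src[])
{
    size_t count = 0, kept = 0;
    while (src[count] != NULL)
        count++;
    char **out = calloc(count + 1, sizeof *out);
    for (size_t i = 0; out != NULL && i < count; i++)
        if (env_allowed(src[i]))
            out[kept++] = src[i];
    return out; /* calloc already zeroed the terminating slot */
}

/* Run argv[0] with the filtered environment; exit status, or -1 on failure. */
int spawn_filtered(char *const argv[])
{
    char **envp = build_child_env(environ);
    int status = -1;
    pid_t pid = envp ? fork() : -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127); /* exec failed */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    free(envp);
    return status;
}
```

With this approach, forwarding a loader variable such as `LD_PRELOAD` would require adding it to the list, which makes that decision explicit and reviewable instead of a side effect of inheriting everything.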
