[Nagiosplug-devel] question on check_procs and shell environment

[Thomas Guyot-Sionnest]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26/03/10 12:07 PM, Frost, Mark {PBC} wrote:
> It seems that the check_procs configuration used on HPUX (and it looks like AIX although I haven't tested that one) doesn't handle command arguments at all, although the command implies that it does.  It uses "/usr/bin/ps -el" as the execution command which does not return arguments.  The end result is that the "command" and "arguments" values are to the same value (i.e. command=sh and arguments=sh) which is pretty useless.  -a and --ereg-arguments-array just match on the command value.
> 
> By comparison, on Linux, these values are fully accessible.
> 
> While you can run 'ps' on HPUX and get more fields and better sets of arguments, you still don't quite get them all.  There are no variants of 'ps' on HPUX that will give all the fields that the check_procs command allows unless you turn on UNIX95 standards compliance.  Then you can make the HPUX 'ps'  function like Linux 'ps' and specify the fields you want.  However, this means you have to set an environment variable as in
> 
> UNIX95= /usr/bin/ps -ex -o 'state uid pid ppid vsz sz pcpu comm args'
> 
> I prefer to "really fix it" approach to "mostly fix it".
> 
> check_procs calls run_cmd().  The comments in the code seem to indicate that the idea of passing in any environment is not allowed other than the single variable that is hardcoded in run_cmd_open (LC_ALL=C).  I changed the code to also include the "UNIX95=" environment variable and check_procs works as it does on Linux.
> 
> The only way I can think of to make this work reasonably is to somehow allow passing in this environment variable via run_cmd() say via a compile time options like the setting of PS_COMMAND, but it's my impression that this is not something that anyone wants to do for security reasons under any circumstances.  I think the spopen() call is the wave of the future for these things, but it works similarly in that it doesn't allow environment arguments to be passed in.
> 
> Is this idea of passing in environment just something that is an impassible barrier?

Hi Mark,

Thank you for this very insightful explanation of the issues with
check_procs on HPUX. Do you know if the UNIX95 trick will work on any
decently-recent version of UX?

run_cmd() is deprecated in favour of cmd_run_array (where possible) and
cmd_run. It seems you are using an old version of check_procs as it
already uses cmd_run, which was changed on 2008-07-08 to fix some issues
(best would be using cmd_run_array, although I don't think it really
matter for check_procs).

So the best fix would be updating lib/utils_cmd.c to add functions that
allow passing arguments (flags could also be used to determine whenever
the environment should be added or replaced). I also think the
environment shouldn't be erased by default as it is right now (adding
LC_ALL=C should be the responsibility of the caller where needed...)

I can help help coding that as time allow (this means I can't right now
but keep bugging me ;) as needed!) Let me know if you need further
detail on what I'm suggesting here.

Thanks

- --
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFLrYFa6dZ+Kt5BchYRAjuQAKDYcOlHiNNUUsRqyOVTGVw/iVO8JwCg4eak
+q52p54uA98+U9F43g90BE8=
=ADG9
-----END PGP SIGNATURE-----