authorHolger Weiss <holger@zedat.fu-berlin.de>2010-04-11 14:33:44 (GMT)
committerHolger Weiss <holger@zedat.fu-berlin.de>2010-04-11 14:33:44 (GMT)
commit08f83072048f2c4c783c3216f5933f04b191847f (patch)
treecbdddc52c164cc8fc10719cfae706b672047d073
parentce3de90c9ec8589b66412a7070d3bf15abc41b01 (diff)
Fix Debian bug #482947: No --nas-ip-address option
| check_radius doesn't seem to provide any way to modify the | NAS-IP-Address attribute that it uses in the packets it sends, but it | does so for NAS-Identifier. | | Instead, it hardcodes the IP address that it gets from the | rc_own_ipaddress() library call, and that in turn translates into | calling gethostbyname() on the result of uname(). This call can easily | fail, and its result can easily be unsuitable - for example when the | Nagios instance uses its own virtual host, and you don't want the | original system hostname leaked to the RADIUS servers you monitor with | this. | | Furthermore, this behaviour is inconsistent with RFC 2865, which | defines the two attributes as analogous and never suggests hardcoding | the value of either of them in client software. Therefore, this commit adds the "-N, --nas-ip-address" option which allows for specifying the value of the NAS-IP-Address attribute. | I've also noticed that the original code for NAS-IP-Address hardcoding | is broken in its error handling - it does "return (ERROR_PC)", which | is meaningless in the context of check_radius.c. That actually seems | to be copy&waste from radiusclient-0.3.2/src/radexample.c. :) I fixed | that. | | While debugging, I also took the opportunity to decouple the | nas-identifier rc_avpair_add() instance from the initial three, | because this is just bad practice to lump a fourth optional attribute | into the same block with the required attributes, the error handling | for which is throwing the same daft message "Out of Memory?"... [ http://bugs.debian.org/482947 ] (Contributed by Josip Rodin, forwarded by Jan Wagner.)
-rw-r--r--NEWS1
-rw-r--r--plugins/check_radius.c41
2 files changed, 29 insertions, 13 deletions
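--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ This file documents the major additions and syntax changes between releases.
 ENHANCEMENTS
 	New check_ntp_peer -m and -n options to check the number of usable time sources ("truechimers")
 	New check_disk_smb -a option which allows for specifying the IP address of the remote server
+	New check_radius -N option which allows for specifying the value of the NAS-IP-Address attribute
 FIXES
 	Fix check_ircd binding to wrong interface (#668778)
 	Add proxy-authorization option to check_http (Marcel Kuiper - #1323230, Bryan Irvine - #2863925)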
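--- a/plugins/check_radius.c
+++ b/plugins/check_radius.c
@@ -69,6 +69,7 @@ char *server = NULL;
 char *username = NULL;
 char *password = NULL;
 char *nasid = NULL;
+char *nasipaddress = NULL;
 char *expect = NULL;
 char *config_file = NULL;
 unsigned short port = PW_AUTH_UDP_PORT;
@@ -161,19 +162,26 @@ main (int argc, char **argv)
 	memset (&data, 0, sizeof(data));
 	if (!(my_rc_avpair_add (&data.send_pairs, PW_SERVICE_TYPE, &service, 0) &&
 	      my_rc_avpair_add (&data.send_pairs, PW_USER_NAME, username, 0) &&
-	      my_rc_avpair_add (&data.send_pairs, PW_USER_PASSWORD, password, 0) &&
-	      (nasid==NULL || my_rc_avpair_add (&data.send_pairs, PW_NAS_IDENTIFIER, nasid, 0))))
+	      my_rc_avpair_add (&data.send_pairs, PW_USER_PASSWORD, password, 0)
+	      ))
 		die (STATE_UNKNOWN, _("Out of Memory?"));
 
-	/*
-	 * Fill in NAS-IP-Address
-	 */
-
-	if ((client_id = my_rc_own_ipaddress ()) == 0)
-		return (ERROR_RC);
+	if (nasid != NULL) {
+		if (!(my_rc_avpair_add (&data.send_pairs, PW_NAS_IDENTIFIER, nasid, 0)))
+			die (STATE_UNKNOWN, _("Invalid NAS-Identifier"));
+	}
 
-	if (my_rc_avpair_add (&(data.send_pairs), PW_NAS_IP_ADDRESS, &client_id, 0) ==
-	    NULL) return (ERROR_RC);
+	if (nasipaddress != NULL) {
+		if (rc_good_ipaddr (nasipaddress))
+			die (STATE_UNKNOWN, _("Invalid NAS-IP-Address"));
+		if ((client_id = rc_get_ipaddr(nasipaddress)) == 0)
+			die (STATE_UNKNOWN, _("Invalid NAS-IP-Address"));
+	} else {
+		if ((client_id = my_rc_own_ipaddress ()) == 0)
+			die (STATE_UNKNOWN, _("Can't find local IP for NAS-IP-Address"));
+	}
+	if (my_rc_avpair_add (&(data.send_pairs), PW_NAS_IP_ADDRESS, &client_id, 0) == NULL)
+		die (STATE_UNKNOWN, _("Invalid NAS-IP-Address"));
 
 	my_rc_buildreq (&data, PW_ACCESS_REQUEST, server, port, (int)timeout_interval,
 			retries);
@@ -211,6 +219,7 @@ process_arguments (int argc, char **argv)
 		{"username", required_argument, 0, 'u'},
 		{"password", required_argument, 0, 'p'},
 		{"nas-id", required_argument, 0, 'n'},
+		{"nas-ip-address", required_argument, 0, 'N'},
 		{"filename", required_argument, 0, 'F'},
 		{"expect", required_argument, 0, 'e'},
 		{"retries", required_argument, 0, 'r'},
@@ -222,7 +231,7 @@ process_arguments (int argc, char **argv)
 	};
 
 	while (1) {
-		c = getopt_long (argc, argv, "+hVvH:P:F:u:p:n:t:r:e:", longopts,
+		c = getopt_long (argc, argv, "+hVvH:P:F:u:p:n:N:t:r:e:", longopts,
 		                 &option);
 
 		if (c == -1 || c == EOF || c == 1)
@@ -267,6 +276,9 @@ process_arguments (int argc, char **argv)
 		case 'n':	/* nas id */
 			nasid = optarg;
 			break;
+		case 'N':	/* nas ip address */
+			nasipaddress = optarg;
+			break;
 		case 'F':	/* configuration file */
 			config_file = optarg;
 			break;
@@ -330,6 +342,8 @@ print_help (void)
 	printf (" %s\n", _("Password for autentication (SECURITY RISK)"));
 	printf (" %s\n", "-n, --nas-id=STRING");
 	printf (" %s\n", _("NAS identifier"));
+	printf (" %s\n", "-N, --nas-ip-address=STRING");
+	printf (" %s\n", _("NAS IP Address"));
 	printf (" %s\n", "-F, --filename=STRING");
 	printf (" %s\n", _("Configuration file"));
 	printf (" %s\n", "-e, --expect=STRING");
@@ -365,8 +379,9 @@ void
 print_usage (void)
 {
 	printf (_("Usage:"));
-	printf ("%s -H host -F config_file -u username -p password [-n nas-id] [-P port]\n\
-			[-t timeout] [-r retries] [-e expect]\n", progname);
+	printf ("%s -H host -F config_file -u username -p password\n\
+			[-P port] [-t timeout] [-r retries] [-e expect]\n\
+			[-n nas-id] [-N nas-ip-addr]\n", progname);
 }
 
 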
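Review bot: The `die (STATE_UNKNOWN, _("Invalid NAS-IP-Address"));` at new lines 183-184 reuses the address-validation message for a failure of `my_rc_avpair_add`, so an attribute-allocation failure would be reported to the operator as a malformed address; a distinct message such as `die (STATE_UNKNOWN, _("Unable to add NAS-IP-Address attribute"));` keeps the diagnostic honest, and the `_("Invalid NAS-Identifier")` branch at new lines 170-171 conflates the same two conditions for `nasid`. The new code also calls `rc_good_ipaddr` and `rc_get_ipaddr` directly while every other radiusclient call in this function goes through the `my_rc_*` wrappers; if those wrappers exist to abstract over client library variants, the two new calls presumably need wrappers as well. Since the non-zero result of `rc_good_ipaddr` is the failure path at new line 175, the zero-means-valid convention reads as inverted next to the surrounding checks and deserves a comment, e.g. `/* rc_good_ipaddr() returns 0 when the string is a well-formed address */`, and the `-N` help text at new line 346 could state that a numeric address (not a hostname) is expected if that is what the check enforces. The enclosing main() starts and ends outside the hunk.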