authorThomas Guyot-Sionnest <dermoth@aei.ca>2014-01-25 09:22:09 (GMT)
committerThomas Guyot-Sionnest <dermoth@aei.ca>2014-01-25 09:22:09 (GMT)
commit68fe713335183dd37ced78821711c2a3f1ea2cc7 (patch)
treeb558cc2a200249002d2716a9e3803c272fb01aaf
parent25a289f307270bb8f814a2df923aeab50acd50c6 (diff)
Ignore MP_STATE_DIRECTORY in suid plugins
If a plugin still has suid privileges at the time np_enable_state() is called, the MP_STATE_DIRECTORY environment variable will be ignored. There is no need for a NEWS entry as no suid plugins use np_enable_state yet.
-rw-r--r--lib/tests/test_utils.c4
-rw-r--r--lib/utils_base.c22
-rw-r--r--lib/utils_base.h4
3 files changed, 21 insertions, 9 deletions
diff --git a/lib/tests/test_utils.c b/lib/tests/test_utils.c
index 12252f4..8c3ee22 100644
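--- a/lib/tests/test_utils.c
+++ b/lib/tests/test_utils.c
@@ -38,7 +38,7 @@ main (int argc, char **argv)
  state_data *temp_state_data;
  time_t current_time;
 
- plan_tests(150);
+ plan_tests(151);
 
  ok( this_monitoring_plugin==NULL, "monitoring_plugin not initialised");
 
@@ -440,6 +440,8 @@ main (int argc, char **argv)
 
  ok( this_monitoring_plugin==NULL, "Free'd this_monitoring_plugin" );
 
+ ok( mp_suid() == FALSE, "test aren't suid" );
+
  return exit_status();
 }
 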
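Review bot: The added assertion only confirms that the test binary itself is not suid; nothing in these hunks exercises the new branch in which the environment variables are ignored. That branch cannot be reached from an unprivileged test run, because mp_suid() is a macro over getuid()/geteuid(). A comment next to the assertion, such as `/* the suid path of _np_state_calculate_location_prefix() is not covered by this suite */`, would make the gap visible. The message would also read better as `"tests aren't suid"`. main() starts outside these hunks.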
diff --git a/lib/utils_base.c b/lib/utils_base.c
index 304b732..5c838d1 100644
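--- a/lib/utils_base.c
+++ b/lib/utils_base.c
@@ -30,6 +30,8 @@
 #include <ctype.h>
 #include <fcntl.h>
 #include <sys/stat.h>
+#include <unistd.h>
+#include <sys/types.h>
 
 #define np_free(ptr) { if(ptr) { free(ptr); ptr = NULL; } }
 
@@ -415,14 +417,18 @@ void _cleanup_state_data() {
 char* _np_state_calculate_location_prefix(){
  char *env_dir;
 
- /* FIXME: Undocumented */
- env_dir = getenv("MP_STATE_DIRECTORY");
- if(env_dir && env_dir[0] != '\0')
- return env_dir;
- /* This is the former ENV, for backward-compatibility */
- env_dir = getenv("NAGIOS_PLUGIN_STATE_DIRECTORY");
- if(env_dir && env_dir[0] != '\0')
- return env_dir;
+ /* Do not allow passing MP_STATE_DIRECTORY in setuid plugins
+ * for security reasons */
+ if (mp_suid() == FALSE) {
+ /* FIXME: Undocumented */
+ env_dir = getenv("MP_STATE_DIRECTORY");
+ if(env_dir && env_dir[0] != '\0')
+ return env_dir;
+ /* This is the former ENV, for backward-compatibility */
+ env_dir = getenv("NAGIOS_PLUGIN_STATE_DIRECTORY");
+ if(env_dir && env_dir[0] != '\0')
+ return env_dir;
+ }
 
  return NP_STATE_DIR_PREFIX;
 }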
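Review bot: The new comment in _np_state_calculate_location_prefix() says only "for security reasons" and does not name the hazard. The returned prefix presumably decides where state files are kept, so a value taken from the environment would let the invoking user choose that location for a privileged process. Suggested wording: `/* Ignore the state-directory environment variables when running setuid: the invoking user controls the environment and must not choose where a privileged process keeps its state files */`. The comment should also mention that the guard covers NAGIOS_PLUGIN_STATE_DIRECTORY as well. It is worth recording too that the check is made when this function runs, so a plugin that has already dropped its privileges by then honours the variables again, which matches the commit message.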
diff --git a/lib/utils_base.h b/lib/utils_base.h
index 86adecf..b4bd92e 100644
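--- a/lib/utils_base.h
+++ b/lib/utils_base.h
@@ -102,4 +102,8 @@ void np_init(char *, int argc, char **argv);
 void np_set_args(int argc, char **argv);
 void np_cleanup();
 
+/* mp_suid() returns true if the real and effective uids differs, such as when
+ * running a suid plugin */
+#define mp_suid() (getuid() != geteuid())
+
 #endif /* _UTILS_BASE_ */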
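Review bot: mp_suid() compares only the real and effective uid, so a set-gid plugin (real and effective gid differ) is still treated as unprivileged and would keep honouring MP_STATE_DIRECTORY and NAGIOS_PLUGIN_STATE_DIRECTORY. If set-gid installs are in scope, widen the macro to `#define mp_suid() (getuid() != geteuid() || getgid() != getegid())`. On glibc, `secure_getenv()` in the caller would additionally cover processes that gained privilege through file capabilities. The macro also expands to getuid()/geteuid() in every file that includes this header, so the header should include `<unistd.h>` itself unless an include outside this hunk already does.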