NetBSD Problem Report #43920

From www@NetBSD.org  Tue Sep 28 16:08:31 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id CCB6663B9B8
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 28 Sep 2010 16:08:31 +0000 (UTC)
Message-Id: <20100928160831.556CD63B8DB@www.NetBSD.org>
Date: Tue, 28 Sep 2010 16:08:31 +0000 (UTC)
From: bseklecki@collaborativefusion.com
Reply-To: bseklecki@collaborativefusion.com
To: gnats-bugs@NetBSD.org
Subject: pkgsrc/net/nagios-nrpe add options MK support for --enable-command-args
X-Send-Pr-Version: www-1.0

>Number:         43920
>Category:       pkg
>Synopsis:       pkgsrc/net/nagios-nrpe add options MK support for --enable-command-args
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 28 16:10:00 +0000 2010
>Closed-Date:    Tue Feb 22 15:26:33 +0000 2011
>Last-Modified:  Tue Feb 22 15:26:33 +0000 2011
>Originator:     Brian A. Seklecki
>Release:        NetBSD metrotitan 5.99.39 NetBSD 5.99.39 (GENERIC) #1: Fri Sep 17 14:46:31 EDT 2010  root@cauldron-nbsd-netbsd-6-i386.lab02.pitbpa0.priv.collaborativefusion.com:/home/netbsd/obj.i386/20100916-1706EDT/sys/arch/i386/compile/GENERIC i386
>Organization:
Collaborative Fusion, Inc.
>Environment:
NetBSD metrotitan 5.99.39 NetBSD 5.99.39 (GENERIC) #1: Fri Sep 17 14:46:31 EDT 2010  root@cauldron-nbsd-netbsd-6-i386.lab02.pitbpa0.priv.collaborativefusion.com:/home/netbsd/obj.i386/20100916-1706EDT/sys/arch/i386/compile/GENERIC i386
>Description:
This package is unmaintained by the original author, and there is no NetBSD Pkg maintainer.

Adding this MK option flag syncs it with FreeBSD's port.

This command line argument is pragmatic in all but enterprise organizations that can use Puppet or another system to distribute a system-specific NRPE config file to the system with all the system-specific args specified therein.

For other organizations using IP ACLs, TLS, and internal code audits, command line arguments are an acceptable trade-off and minimized attack vector if NRPE2 is run as a non-root user and given elevated access on a per-check basis with sudo(8).
>How-To-Repeat:
# diff -u options.mk.orig options.mk
--- options.mk.orig     2010-09-28 11:14:20.000000000 -0400
+++ options.mk  2010-09-28 11:16:51.000000000 -0400
@@ -1,7 +1,7 @@
 # $NetBSD: options.mk,v 1.2 2007/02/22 19:26:56 wiz Exp $

 PKG_OPTIONS_VAR=       PKG_OPTIONS.nagios-nrpe
-PKG_SUPPORTED_OPTIONS= ssl tcpwrappers
+PKG_SUPPORTED_OPTIONS= ssl tcpwrappers args
 PKG_SUGGESTED_OPTIONS= tcpwrappers

 .include "../../mk/bsd.options.mk"
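Review bot: The option name `args` added to PKG_SUPPORTED_OPTIONS is too generic for a switch that only this package understands; pkgsrc convention prefixes package-specific options with the package name, and the commit recorded later in this PR used `nagios-nrpe-args`. Keeping it out of PKG_SUGGESTED_OPTIONS is the right default for a feature that configure itself flags as a security risk, but the file gains no comment saying what the option enables, so a one-line comment above PKG_SUPPORTED_OPTIONS would help whoever sets it.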
@@ -13,6 +13,13 @@
 CONFIGURE_ARGS+=       --disable-ssl
 .endif

+.if !empty(PKG_OPTIONS:Margs)
+CONFIGURE_ARGS+=       --enable-command-args
+.else
+CONFIGURE_ARGS+=       --disable-command-args
+.endif
+
+
 .if !empty(PKG_OPTIONS:Mtcpwrappers)
 .  include "../../security/tcp_wrappers/buildlink3.mk"
 .endif
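Review bot: The `.else` branch that passes `--disable-command-args` assumes configure treats the disable form as "off"; the commit log later in this PR says configure.in seems broken and command args appear to be always enabled, so check the built nrpe with the option unset instead of trusting the flag, and fix configure.in if the default build still accepts arguments. The hunk also adds two consecutive blank lines before the tcpwrappers block where one is enough.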

>Fix:
See patch above.

>Release-Note:

>Audit-Trail:
From: matthew sporleder <msporleder@gmail.com>
To: gnats-bugs@netbsd.org, 
	"Brian A. Seklecki" <lavalamp@spiritual-machines.org>
Cc: 
Subject: Re: pkg/43920 adds --enable-command-args to net/nagios-nrpe
Date: Wed, 29 Sep 2010 14:32:12 -0400

 I believe this should also be added to PKG_SUGGESTED_OPTIONS.

From: "OBATA Akio" <obache@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/43920 adds --enable-command-args to net/nagios-nrpe
Date: Sat, 02 Oct 2010 14:00:36 +0900

 On Thu, 30 Sep 2010 03:35:02 +0900, matthew sporleder <msporleder@gmail.com> wrote:

 >  I believe this should also be added to PKG_SUGGESTED_OPTIONS.

 I don't feel so, because configure alerts **Security Risk**.

From: "Brian Seklecki (Mobile)" <bseklecki@collaborativefusion.com>
To: gnats-bugs@NetBSD.org
Cc: pkgsrc-bugs@netbsd.org
Subject: Re: pkg/43920 adds --enable-command-args to net/nagios-nrpe
Date: Sat, 2 Oct 2010 01:36:55 -0400 (Eastern Daylight Time)

 > I don't feel so, because configure alerts **Security Risk**.
 >

 I have to agree :) Give the user the option to get their box rooted.

 Sorry Matt!  Nagios is a crap shoot for security any way you look at it.

From: "Greg Troxel" <gdt@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43920 CVS commit: pkgsrc/net/nagios-nrpe
Date: Tue, 22 Feb 2011 15:09:07 +0000

 Module Name:	pkgsrc
 Committed By:	gdt
 Date:		Tue Feb 22 15:09:07 UTC 2011

 Modified Files:
 	pkgsrc/net/nagios-nrpe: options.mk

 Log Message:
 Add option nagios-nrpe-args, disabled by default.

 This option passes -enable-command-args to configure, and is intended
 to allow the use of arguments to nrpe.  From Brian A. Seklecki via PR
 pkg/43920.

 However, configure.in seems broken, and it seems command args are
 always enabled.


 To generate a diff of this commit:
 cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/nagios-nrpe/options.mk

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: gdt@NetBSD.org
State-Changed-When: Tue, 22 Feb 2011 15:26:33 +0000
State-Changed-Why:
patch mostly applied.   The part that passed --disable-command-args
was omitted...


>Unformatted:
