Marc Powell wrote: > On Apr 7, 2009, at 1:26 PM, Patrick Morris wrote: > >> Here are the important stats: >> >> Nagios Version: Version 3.1.0 >> Proficiency Level: Pretty damned high > >> While the first command works fine, and sets the service to an OK >> state, >> the next two (which I've tried in various combinations) show up in the >> Nagios logs as having been sent, but do nothing. The check that >> appears >> in the config files keeps running instead of my check_ok check. >> >> Here's how it shows up in the logs: >> >> [1239128528] EXTERNAL COMMAND: CHANGE_SVC_EVENT_HANDLER;dummy- >> host;DNS;check_ok >> [1239128528] EXTERNAL COMMAND: CHANGE_SVC_CHECK_COMMAND;dummy- >> host;DNS;check_ok >> >> I've noticed the message is different if I use an invalid command, so >> I'm relatively sure I'm using the right ones; they just don't do >> anything. >> >> Event handlers are enabled for these services, but even if they >> weren't >> the check command should change, right? >> >> Am I doing something wrong here, or have I run into a bug? > > I'm not using 3.x yet but just to provide some feedback, what you're > doing looks reasonable from my reading of the documentation. I do see > this in 3.1.0's commands.c though -- > > /* SECURITY PATCH - disable these for the time being */ > switch(cmd){ > case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER: > case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER: > case CMD_CHANGE_HOST_EVENT_HANDLER: > case CMD_CHANGE_SVC_EVENT_HANDLER: > case CMD_CHANGE_HOST_CHECK_COMMAND: > case CMD_CHANGE_SVC_CHECK_COMMAND: > return ERROR; > } > > That's in the right section and my reading of the code is that it does > exactly that; prevent changing of those values... Maybe it's something > being worked on in the development branch? >
It's not. That snippet comes from Nov 30 2008 as a measure to prevent CVE-2008-5027 (cmd.cgi authorization bypass vulnerability) and CVE-2008-5028 (cross-site request forgery) from becoming remote command execution vulnerabilities. Ethan added that snippet as an extra security measure. It's been in Nagios since 3.0.4. Assuming both the patches I sent are applied, it's safe to remove that particular snippet and recompile Nagios. I wrote about the two vulnerabilities here in case anyone needs to refresh their memory: http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln http://blogs.op5.org/blog4.php/2008/11/11/cross-site-request-forgery-vulnerability-6 The patches to prevent them are available here: http://git.op5.org/git/?p=nagios.git;a=shortlog;h=refs/heads/security -- Andreas Ericsson andreas.erics...@op5.se OP5 AB www.op5.se Tel: +46 8-230225 Fax: +46 8-230231 Considering the successes of the wars on alcohol, poverty, drugs and terror, I think we should give some serious thought to declaring war on peace. ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null