Brian, I've added the SRU information. Let me know if I missed anything,
thanks.

** Description changed:

+ [Impact]
+ 
+ When scanning NRPE's port with nmap, the NRPE server removes its PID
+ file and log an error. This cause the init script to lose track of the
+ daemon because it normally uses its PID. This behavior is probably what
+ caused many bug reports about "Network server bind failure (98: Address
+ already in use)".
+ 
+ This problematic behavior is especially annoying when combined with
+ vulnerability scanner performing DC-wide port scan (ex: OpenVAS).
+ 
+ The proposed fix (backported from Saucy) makes sure the daemon does not
+ remove its PID when a TCP connection does not complete.
+ 
+ [Test Case]
+ 
+ 1. Make sure NRPE is installed and running
+   sudo apt-get install nagios-nrpe-server
+ 2. Run nmap TCP Connect scan on the NRPE port from *another machine in the 
same LAN*
+   sudo apt-get install nmap
+   sudo nmap <target IP> -p 5666 -sT -PN
+ 3. Notice those messages in the target's syslog
+   May 30 17:20:22 log01 nrpe[19313]: Error: Network server getpeername() 
failure (107: Transport endpoint is not connected)
+   May 30 17:20:22 log01 nrpe[19313]: Daemon shutdown
+ 
+ Note: the daemon shutdown message is wrong as it's still running.
+ 
+ [Regression Potential]
+ 
+ The proposed fix allows child processes to gracefully handle
+ partial/incomplete TCP connections. The modified code is not used during
+ normal operation so regular Nagios monitoring shouldn't be impacted.
+ 
+ The patch was also tested to work well on Precise so regression risk is
+ fairly low.
+ 
+ [Other Info]
+  
+ Along with the graceful handling of incomplete TCP connections, the hardening 
flags passed to the linker are corrected in the merge proposal. This other fix 
has very low regression risk as it is included in Ubuntu since Quantal (see LP: 
#1000379) and was meant to be included in Precise. It is a typo fix (with some 
side effects).
+ 
+ --- original bug report ---
+ 
  During a nmap scan, NRPE logs this error and removes its PID :
  
  Feb 15 22:35:05 pm nrpe[2917]: Error: Network server getpeername() failure 
(107: Transport endpoint is not connected)
  Feb 15 22:35:05 pm nrpe[2917]: Daemon shutdown
  
  Despite what it logs, the daemon is still running but since the PID file
  is gone, the init script stop working:
  
  # ps aux| grep nrpe
  nagios    2908  0.0  0.3  25344  1144 ?        Ss   22:34   0:00 
/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
  
  # /etc/init.d/nagios-nrpe-server status
-  * nagios-nrpe is not running
+  * nagios-nrpe is not running
  
  Scanning the NRPE port again with nmap further confirms the PID removal
  behaviour (the PID logged is incremented too?):
  
  Feb 15 22:36:19 pm nrpe[2922]: Error: Network server getpeername() failure 
(107: Transport endpoint is not connected)
  Feb 15 22:36:19 pm nrpe[2922]: Cannot remove pidfile 
'/var/run/nagios/nrpe.pid' - check your privileges.
  Feb 15 22:36:19 pm nrpe[2922]: Daemon shutdown
  
  # ps aux| grep nrpe
  nagios    2908  0.0  0.3  25344  1144 ?        Ss   22:34   0:00 
/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
  
  This problematic behaviour was confirmed on Lucid, Precise, Quantal and
  Raring.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1126890

Title:
  nrpe removes its PID when scanned by nmap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1126890/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
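
An added example, not part of the original message or of NRPE itself: the log signature from the test case above (a getpeername() error 107 followed by "Daemon shutdown" from the same PID) can be searched for in syslog to find hosts where a port scan has left the daemon running without its PID file. The function name and the sample lines are assumptions; the sample is constructed from the messages quoted in the report.

```python
import re

# Syslog shape used in the report: "<Mon DD HH:MM:SS> <host> nrpe[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"nrpe\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
ENOTCONN = "getpeername() failure (107:"
PIDFILE_ERR = "Cannot remove pidfile"

# Constructed sample: the report's messages rejoined onto single lines, plus a
# constructed genuine shutdown (PID 2908) that must not be flagged.
SAMPLE_LOG = """\
Feb 15 22:35:05 pm nrpe[2917]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)
Feb 15 22:35:05 pm nrpe[2917]: Daemon shutdown
Feb 15 22:36:19 pm nrpe[2922]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)
Feb 15 22:36:19 pm nrpe[2922]: Cannot remove pidfile '/var/run/nagios/nrpe.pid' - check your privileges.
Feb 15 22:36:19 pm nrpe[2922]: Daemon shutdown
Feb 15 23:10:00 pm nrpe[2908]: Daemon shutdown
""".splitlines()


def find_false_shutdowns(lines):
    """Flag PIDs that log the ENOTCONN error and then 'Daemon shutdown'."""
    pending = {}    # (host, pid) -> finding under construction
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an nrpe syslog line
        key, msg = (m["host"], m["pid"]), m["msg"]
        if ENOTCONN in msg:
            pending[key] = {"host": m["host"], "pid": m["pid"],
                            "first_seen": m["ts"], "pidfile_already_gone": False}
        elif key in pending and PIDFILE_ERR in msg:
            # The PID file had already been removed by an earlier scan.
            pending[key]["pidfile_already_gone"] = True
        elif key in pending and msg.strip() == "Daemon shutdown":
            findings.append(pending.pop(key))
    return findings


if __name__ == "__main__":
    for finding in find_false_shutdowns(SAMPLE_LOG):
        print(finding)
```

A "Daemon shutdown" line with no preceding getpeername() error from the same PID is treated as a real stop and is not reported.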
