
Native TCP wrapper support, misc cleanup

Ethan Galstad 22 年 前
コミット
02e2d1d2d5
19 ファイル変更182 行追加725 行削除
  1. 2 1
      Changelog
  2. 4 3
      Makefile.in
  3. 8 0
      README
  4. 19 0
      SECURITY
  5. 0 69
      common/common.h
  6. 0 232
      common/config.h.in
  7. 61 17
      configure
  8. 12 7
      configure.in
  9. 0 153
      nrpe.cfg.in
  10. 1 1
      nrpe.spec
  11. 0 15
      nrpe.xinetd.in
  12. 6 5
      src/Makefile.in
  13. 4 4
      src/check_nrpe.c
  14. 0 25
      src/dh.h
  15. 60 90
      src/nrpe.c
  16. 0 36
      src/nrpe.h
  17. 3 3
      src/utils.c
  18. 0 62
      src/utils.h
  19. 2 2
      update-version

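--- a/Changelog
+++ b/Changelog
@@ -5,7 +5,8 @@ NRPE Changelog
 
 2.1 - ??/??/2003
 ----------------
-- Host names can now be specified in allowed host list
+- Replaced host access list with TCP wrapper support
+- Removed length restrictions for command names and command lines
 - Configure script patch for getopt_long on Solaris
 
 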

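--- a/Makefile.in
+++ b/Makefile.in
@@ -1,13 +1,13 @@
 ###############################
 # Makefile for NRPE
 #
-# Last Modified: 01-16-2003
+# Last Modified: 10-14-2003
 ###############################
 
 
 # Source code directories
 SRC_BASE=./src/
-SRC_COMMON=./common/
+SRC_INCLUDE=./include/
 
 all:
 	cd $(SRC_BASE); $(MAKE) ; cd ..
@@ -51,7 +51,8 @@ clean:
 
 distclean: clean
 	cd $(SRC_BASE); $(MAKE) $@ ; cd ..
-	rm -f config.log config.status config.cache nrpe.cfg nrpe.xinetd subst $(SRC_COMMON)/config.h init-script init-script.debian init-script.freebsd
+	rm -f config.log config.status config.cache nrpe.cfg nrpe.xinetd subst $(SRC_INCLUDE)/config.h init-script init-script.debian init-script.freebsd
+	rm -f sample-config/*.cfg sample-config/*.xinetd
 	rm -f Makefile
 
 devclean: distclean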

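--- a/README
+++ b/README
@@ -70,6 +70,14 @@ make much use of this addon.
 
 
 
+Configuring
+-----------
+
+Sample config files for the NRPE daemon are located in the
+sample-config/ subdirectory.
+
+
+
 Running Under INETD or XINETD
 -----------------------------
 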

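--- a/SECURITY
+++ b/SECURITY
@@ -2,6 +2,25 @@
 NRPE SECURITY README
 ********************
 
+
+TCP WRAPPER SUPPORT
+===================
+
+NRPE 2.1 includes native support for TCP wrappers.  The older
+host access list directive was removed from the config file.
+Make sure your system supports TCP wrappers before running NRPE.
+Once you compile NRPE you can check to see if it has wrapper
+support built in by running the daemon from the command line
+without any arguments like this:
+
+	./nrpe --help
+
+
+
+
+COMMAND ARGUMENTS
+=================
+
 NRPE 2.0 includes the ability for clients to supply arguments to
 commands which should be run.  Please note that this feature
 should be considered a security risk, and you should only use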

+ 0 - 69
common/common.h

@@ -1,69 +0,0 @@
-/************************************************************************
- *
- * COMMON.H - NRPE Common Include File
- * Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
- * Last Modified: 03-05-2003
- *
- * License:
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- ************************************************************************/
-
-#include "config.h"
-
-#define PROGRAM_VERSION "2.0"
-#define MODIFICATION_DATE "09-08-2003"
-
-#define OK		0
-#define ERROR		-1
-
-#define TRUE		1
-#define FALSE		0
-
-#define STATE_UNKNOWN  	3	/* service state return codes */
-#define	STATE_CRITICAL 	2
-#define STATE_WARNING 	1
-#define STATE_OK       	0
-
-
-#define DEFAULT_SOCKET_TIMEOUT	10	/* timeout after 10 seconds */
-
-#define MAX_INPUT_BUFFER	2048	/* max size of most buffers we use */
-#define MAX_FILENAME_LENGTH     256
-
-#define MAX_HOST_ADDRESS_LENGTH	256	/* max size of a host address */
-
-#define NRPE_HELLO_COMMAND      "_NRPE_CHECK"
-
-#define MAX_COMMAND_ARGUMENTS   16
-
-
-/**************** PACKET STRUCTURE DEFINITION **********/
-
-#define QUERY_PACKET		1		/* id code for a packet containing a query */
-#define	RESPONSE_PACKET		2		/* id code for a packet containing a response */
-
-#define NRPE_PACKET_VERSION_2   2               /* packet version identifier */
-#define NRPE_PACKET_VERSION_1	1		/* older packet version identifiers (no longer supported) */
-
-#define MAX_PACKETBUFFER_LENGTH	1024		/* max amount of data we'll send in one query/response */
-
-typedef struct packet_struct{
-	int16_t   packet_version;
-	int16_t   packet_type;
-	u_int32_t crc32_value;
-	int16_t   result_code;
-	char      buffer[MAX_PACKETBUFFER_LENGTH];
-        }packet;

+ 0 - 232
common/config.h.in

@@ -1,232 +0,0 @@
-/************************************************************************
- *
- * NRPE Common Header File
- * Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
- * Last Modified: 06-19-2003
- *
- * License:
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- ************************************************************************/
-
-#ifndef _CONFIG_H
-#define _CONFIG_H
-
-#include <stdio.h>
-#include <stdlib.h>
-
-
-#define DEFAULT_SERVER_PORT	@nrpe_port@	/* default port to use */
-
-#undef ENABLE_COMMAND_ARGUMENTS
-
-#undef STDC_HEADERS
-#undef HAVE_STRDUP
-#undef HAVE_STRSTR
-#undef HAVE_STRTOUL 
-#undef HAVE_INITGROUPS
-
-#undef SIZEOF_INT
-#undef SIZEOF_SHORT
-#undef SIZEOF_LONG
-
-/* stupid stuff for u_int32_t */
-#undef U_INT32_T_IS_USHORT
-#undef U_INT32_T_IS_UINT
-#undef U_INT32_T_IS_ULONG
-#undef U_INT32_T_IS_UINT32_T
-
-#ifdef U_INT32_T_IS_USHORT
-typedef unsigned short u_int32_t;
-#endif
-#ifdef U_INT32_T_IS_ULONG
-typedef unsigned long u_int32_t;
-#endif
-#ifdef U_INT32_T_IS_UINT
-typedef unsigned int u_int32_t;
-#endif
-#ifdef U_INT32_T_IS_UINT32_t
-typedef uint32_t u_int32_t;
-#endif
-
-/* stupid stuff for int32_t */
-#undef INT32_T_IS_SHORT
-#undef INT32_T_IS_INT
-#undef INT32_T_IS_LONG
-
-#ifdef INT32_T_IS_USHORT
-typedef short int32_t;
-#endif
-#ifdef INT32_T_IS_ULONG
-typedef long int32_t;
-#endif
-#ifdef INT32_T_IS_UINT
-typedef int int32_t;
-#endif
-
-
-#define SOCKET_SIZE_TYPE ""
-#define GETGROUPS_T ""
-#define RETSIGTYPE ""
-
-#undef HAVE_GETOPT_H
-#ifdef HAVE_GETOPT_H
-#include <getopt.h>
-#endif
-
-#undef HAVE_STRINGS_H
-#undef HAVE_STRING_H
-#ifdef HAVE_STRINGS_H
-#include <strings.h>
-#endif
-#ifdef HAVE_STRINGS_H
-#include <string.h>
-#endif
-
-#undef HAVE_UNISTD_H
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-
-#undef HAVE_SIGNAL_H
-#ifdef HAVE_SIGNAL_H
-#include <signal.h>
-#endif
-
-#undef HAVE_SYSLOG_H
-#ifdef HAVE_SYSLOG_H
-#include <syslog.h>
-#endif
-
-#undef HAVE_SYS_STAT_H
-#ifdef HAVE_SYS_STAT_H
-#include <sys/stat.h>
-#endif
-
-#undef HAVE_FCNTL_H
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#endif
-
-#undef HAVE_SYS_TYPES_H
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-
-#undef HAVE_SYS_WAIT_H
-#ifdef HAVE_SYS_WAIT_H
-#include <sys/wait.h>
-#endif
-
-#ifndef WEXITSTATUS
-# define WEXITSTATUS(stat_val) ((unsigned)(stat_val) >> 8)
-#endif
-#ifndef WIFEXITED
-# define WIFEXITED(stat_val) (((stat_val) & 255) == 0)
-#endif
-
-#undef HAVE_ERRNO_H
-#ifdef HAVE_ERRNO_H
-#include <errno.h>
-#endif
-
-/* needed for the time_t structures we use later... */
-#undef TIME_WITH_SYS_TIME
-#undef HAVE_SYS_TIME_H
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-#  include <sys/time.h>
-# else
-#  include <time.h>
-# endif
-#endif
-
-
-#undef HAVE_SYS_SOCKET_H
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-
-#undef HAVE_SOCKET
-#ifdef HAVE_SOCKET_H
-#include <socket.h>
-#endif
-
-#undef HAVE_NETINET_IN_H
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-
-#undef HAVE_ARPA_INET_H
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-
-#undef HAVE_NETDB_H
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-
-#undef HAVE_CTYPE_H
-#ifdef HAVE_CTYPE_H
-#include <ctype.h>
-#endif
-
-#undef HAVE_PWD_H
-#ifdef HAVE_PWD_H
-#include <pwd.h>
-#endif
- 
-#undef HAVE_GRP_H
-#ifdef HAVE_GRP_H
-#include <grp.h>
-#endif
-
-#undef HAVE_DIRENT_H
-#ifdef HAVE_DIRENT_H
-#include <dirent.h>
-#endif
-
-#undef HAVE_SSL
-#ifdef HAVE_SSL
-#include <rsa.h>
-#include <crypto.h>
-#include <dh.h>
-#include <pem.h>
-#include <ssl.h>
-#include <err.h>
-#include <rand.h>
-#endif
-
-#undef HAVE_KRB5_H
-#ifdef HAVE_KRB5_H
-#include <krb5.h>
-#endif
-
-#undef HAVE_INTTYPES_H
-#undef HAVE_STDINT_H
-#ifdef HAVE_INTTYPES_H
-#include <inttypes.h>
-#else
-#ifdef HAVE_STDINT_H
-#include <stdint.h>
-#endif
-#endif
-
-#endif

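--- a/configure
+++ b/configure
@@ -535,9 +535,9 @@ fi
 
 
 PKG_NAME=nrpe
-PKG_VERSION="2.0"
+PKG_VERSION="2.1"
 PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="09-08-2003"
+PKG_REL_DATE="10-14-2003"
 
 
 ac_aux_dir=
@@ -1136,7 +1136,7 @@ EOF
 
 fi
 
-for ac_hdr in ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h unistd.h arpa/inet.h netinet/in.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h
+for ac_hdr in ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h tcpd.h unistd.h arpa/inet.h netinet/in.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h
 do
 ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
@@ -1977,15 +1977,58 @@ else
 fi
 
 
+echo $ac_n "checking for main in -lwrap""... $ac_c" 1>&6
+echo "configure:1982: checking for main in -lwrap" >&5
+ac_lib_var=`echo wrap'_'main | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lwrap  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1990 "configure"
+#include "confdefs.h"
+
+int main() {
+main()
+; return 0; }
+EOF
+if { (eval echo configure:1997: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+	LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
+	cat >> confdefs.h <<\EOF
+#define HAVE_LIBWRAP 1
+EOF
+
+	
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
 for ac_func in strdup strstr strtoul initgroups
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:1984: checking for $ac_func" >&5
+echo "configure:2027: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 1989 "configure"
+#line 2032 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char $ac_func(); below.  */
@@ -2008,7 +2051,7 @@ $ac_func();
 
 ; return 0; }
 EOF
-if { (eval echo configure:2012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2055: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
@@ -2034,9 +2077,9 @@ done
 
 
 echo $ac_n "checking for type of socket size""... $ac_c" 1>&6
-echo "configure:2038: checking for type of socket size" >&5
+echo "configure:2081: checking for type of socket size" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2040 "configure"
+#line 2083 "configure"
 #include "confdefs.h"
 #include <stdlib.h>
 #include <sys/types.h>
@@ -2046,7 +2089,7 @@ int main() {
 int a = send(1, (const void *)0, (size_t *) 0, (int *) 0);
 ; return 0; }
 EOF
-if { (eval echo configure:2050: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2093: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   cat >> confdefs.h <<\EOF
 #define SOCKET_SIZE_TYPE size_t
@@ -2107,7 +2150,7 @@ fi
 
 if test x$check_for_ssl = xyes; then
 	echo $ac_n "checking for SSL""... $ac_c" 1>&6
-echo "configure:2111: checking for SSL" >&5
+echo "configure:2154: checking for SSL" >&5
 	found_ssl=no
 	for dir in $ssl_inc_dir /usr/local/openssl /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr; do
 		ssldir="$dir"
@@ -2146,11 +2189,11 @@ EOF
 		else
 			sslbin=$ssldir/bin/openssl
 		fi
-		$sslbin dhparam -out /dev/null -C 512 > src/dh.h
+		$sslbin dhparam -out /dev/null -C 512 > include/dh.h
 	fi
 
 		echo $ac_n "checking for Kerberos include files""... $ac_c" 1>&6
-echo "configure:2154: checking for Kerberos include files" >&5
+echo "configure:2197: checking for Kerberos include files" >&5
 	found_kerberos=no
 	for dir in $kerberos_inc_dir /usr/kerberos/include; do
 		kerbdir="$dir"
@@ -2220,7 +2263,7 @@ fi
 # Extract the first word of "perl", so it can be a program name with args.
 set dummy perl; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2224: checking for $ac_word" >&5
+echo "configure:2267: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2307,7 +2350,7 @@ done
 ac_given_srcdir=$srcdir
 ac_given_INSTALL="$INSTALL"
 
-trap 'rm -fr `echo "Makefile src/Makefile subst common/config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
+trap 'rm -fr `echo "Makefile src/Makefile subst include/config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
 EOF
 cat >> $CONFIG_STATUS <<EOF
 
@@ -2348,6 +2391,7 @@ s%@SET_MAKE@%$SET_MAKE%g
 s%@CPP@%$CPP%g
 s%@OTHERLIBS@%$OTHERLIBS%g
 s%@SOCKETLIBS@%$SOCKETLIBS%g
+s%@LIBWRAPLIBS@%$LIBWRAPLIBS%g
 s%@HAVE_SSL@%$HAVE_SSL%g
 s%@nrpe_user@%$nrpe_user%g
 s%@nrpe_grp@%$nrpe_grp%g
@@ -2475,7 +2519,7 @@ ac_eD='%g'
 if test "${CONFIG_HEADERS+set}" != set; then
 EOF
 cat >> $CONFIG_STATUS <<EOF
-  CONFIG_HEADERS="common/config.h"
+  CONFIG_HEADERS="include/config.h"
 EOF
 cat >> $CONFIG_STATUS <<\EOF
 fi
@@ -2573,11 +2617,11 @@ rm -fr confdefs* $ac_clean_files
 test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1
 
 
-perl subst nrpe.cfg
 perl subst init-script
 perl subst init-script.debian
 perl subst init-script.freebsd
-perl subst nrpe.xinetd
+perl subst sample-config/nrpe.cfg
+perl subst sample-config/nrpe.xinetd
 
 
 echo ""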

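--- a/configure.in
+++ b/configure.in
@@ -5,13 +5,13 @@ define([AC_CACHE_LOAD],)
 define([AC_CACHE_SAVE],)
 
 AC_INIT(src/nrpe.c)
-AC_CONFIG_HEADER(common/config.h)
+AC_CONFIG_HEADER(include/config.h)
 AC_PREFIX_DEFAULT(/usr/local/nagios)
 
 PKG_NAME=nrpe
-PKG_VERSION="2.0"
+PKG_VERSION="2.1"
 PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="09-08-2003"
+PKG_REL_DATE="10-14-2003"
 
 dnl Figure out how to invoke "install" and what install options to use.
 
@@ -26,7 +26,7 @@ dnl Checks for header files.
 AC_HEADER_STDC
 AC_HEADER_TIME
 AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS(ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h unistd.h arpa/inet.h netinet/in.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h)
+AC_CHECK_HEADERS(ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h tcpd.h unistd.h arpa/inet.h netinet/in.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h)
 
 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
@@ -88,6 +88,11 @@ dnl Checks for library functions.
 AC_CHECK_LIB(nsl,main,SOCKETLIBS="$SOCKETLIBS -lnsl")
 AC_CHECK_LIB(socket,socket,SOCKETLIBS="$SOCKETLIBS -lsocket")
 AC_SUBST(SOCKETLIBS)
+AC_CHECK_LIB(wrap,main,[
+	LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
+	AC_DEFINE(HAVE_LIBWRAP)
+	])
+AC_SUBST(LIBWRAPLIBS)
 AC_CHECK_FUNCS(strdup strstr strtoul initgroups)
 
 AC_MSG_CHECKING(for type of socket size)
@@ -161,7 +166,7 @@ if test x$check_for_ssl = xyes; then
 		else
 			sslbin=$ssldir/bin/openssl
 		fi
-		$sslbin dhparam -out /dev/null -C 512 > src/dh.h
+		$sslbin dhparam -out /dev/null -C 512 > include/dh.h
 	fi
 
 	dnl RedHat 8.0 and 9.0 include openssl compiled with kerberos, so we must include header file
@@ -201,11 +206,11 @@ AC_ARG_ENABLE(command-args,--enable-command-args allows clients to specify comma
 AC_PATH_PROG(PERL,perl)
 AC_OUTPUT(Makefile src/Makefile subst)
 
-perl subst nrpe.cfg
 perl subst init-script
 perl subst init-script.debian
 perl subst init-script.freebsd
-perl subst nrpe.xinetd
+perl subst sample-config/nrpe.cfg
+perl subst sample-config/nrpe.xinetd
 
 
 dnl Review options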
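Review bot: The new `AC_CHECK_LIB(wrap,main,[...])` block in the `-88,6 +88,11` hunk has no action for the not-found case, so on a host without libwrap configure finishes quietly and builds a daemon without `HAVE_LIBWRAP`. Because this commit's SECURITY text says the old host access list directive was removed, such a build would appear to have no host filtering of its own, and the only hint is the banner printed by `./nrpe --help`. I would pass a fourth argument such as `AC_MSG_WARN([TCP wrappers not found - nrpe will be built without host access control])`, or make it an error unless the builder explicitly opts out. Separately, the `dhparam -out /dev/null -C 512` line touched in the `-161,7 +166,7` hunk still generates 512-bit DH parameters for the anonymous-DH mode, which is too small to resist precomputation attacks; 2048 bits or more would be a sensible follow-up.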

+ 0 - 153
nrpe.cfg.in

@@ -1,153 +0,0 @@
-#############################################################################
-# Sample NRPE Config File 
-# Written by: Ethan Galstad (nagios@nagios.org)
-# 
-# Last Modified: 03-05-2003
-#
-# NOTES:
-# This is a sample configuration file for the NRPE daemon.  It needs to be
-# located on the remote host that is running the NRPE daemon, not the host
-# from which the check_nrpe client is being executed.
-#############################################################################
-
-
-
-# PORT NUMBER
-# Port number we should wait for connections on.
-# NOTE: This must be a non-priviledged port (i.e. > 1024).
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-server_port=@nrpe_port@
-
-
-
-# SERVER ADDRESS
-# Address that nrpe should bind to in case there are more than one interface
-# and you do not want nrpe to bind on all interfaces.
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-#server_address=192.168.1.1
-
-
-
-# ALLOWED HOST ADDRESSES
-# This is a comma-delimited list of IP address of hosts that are allowed
-# to talk to the NRPE daemon.
-#
-# NOTE: The daemon only does rudimentary checking of the client's IP
-#       address.  I would highly recommend adding entries in your
-#	/etc/hosts.allow file to allow only the specified host to connect
-#	to the port you are running this daemon on.
-#
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-allowed_hosts=127.0.0.1
-
-
-
-# NRPE USER
-# This determines the effective user that the NRPE daemon should run as.  
-# You can either supply a username or a UID.
-# 
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-nrpe_user=@nrpe_user@
-
-
-
-# NRPE GROUP
-# This determines the effective group that the NRPE daemon should run as.  
-# You can either supply a group name or a GID.
-# 
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-nrpe_group=@nrpe_grp@
-
-
-
-# COMMAND ARGUMENT PROCESSING
-# This option determines whether or not the NRPE daemon will allow clients
-# to specify arguments to commands that are executed.  This option only works
-# if the daemon was configured with the --enable-command-args configure script
-# option.  
-#
-# *** ENABLING THIS OPTION IS A SECURITY RISK! *** 
-# Read the SECURITY file for information on some of the security implications
-# of enabling this variable.
-#
-# Values: 0=do not allow arguments, 1=allow command arguments
-
-dont_blame_nrpe=0
-
-
-
-# DEBUGGING OPTION
-# This option determines whether or not debugging messages are logged to the
-# syslog facility.
-# Values: 0=debugging off, 1=debugging on
-
-debug=0
-
-
-
-# COMMAND TIMEOUT
-# This specifies the maximum number of seconds that the NRPE daemon will
-# allow plugins to finish executing before killing them off.
-
-command_timeout=60
-
-
-
-# INCLUDE CONFIG FILE
-# This directive allows you to include definitions from an external config file.
-
-#include=<somefile.cfg>
-
-
-
-# INCLUDE CONFIG DIRECTORY
-# This directive allows you to include definitions from config files (with a
-# .cfg extension) in one or more directories (with recursion).
-
-#include_dir=<somedirectory>
-#include_dir=<someotherdirectory>
-
-
-
-# COMMAND DEFINITIONS
-# Command definitions that this daemon will run.  Definitions
-# are in the following format:
-#
-# command[<command_name>]=<command_line>
-#
-# When the daemon receives a request to return the results of <command_name>
-# it will execute the command specified by the <command_line> argument.
-#
-# Unlike Nagios, the command line cannot contain macros - it must be
-# typed exactly as it should be executed.
-#
-# Note: Any plugins that are used in the command lines must reside
-# on the machine that this daemon is running on!  The examples below
-# assume that you have plugins installed in a /usr/local/nagios/libexec
-# directory.  Also note that you will have to modify the definitions below
-# to match the argument format the plugins expect.  Remember, these are
-# examples only!
-
-# The following examples use hardcoded command arguments...
-
-command[check_users]=@libexecdir@/check_users -w 5 -c 10
-command[check_load]=@libexecdir@/check_load -w 15,10,5 -c 30,25,20
-command[check_disk1]=@libexecdir@/check_disk -w 20 -c 10 -p /dev/hda1
-command[check_disk2]=@libexecdir@/check_disk -w 20 -c 10 -p /dev/hdb1
-command[check_zombie_procs]=@libexecdir@/check_procs -w 5 -c 10 -s Z
-command[check_total_procs]=@libexecdir@/check_procs -w 150 -c 200 
-
-# The following examples allow user-supplied arguments and can
-# only be used if the NRPE daemon was compiled with support for 
-# command arguments *AND* the dont_blame_nrpe directive in this
-# config file is set to '1'...
-
-#command[check_users]=@libexecdir@/check_users -w $ARG1$ -c $ARG2$
-#command[check_load]=@libexecdir@/check_load -w $ARG1$ -c $ARG2$
-#command[check_disk]=@libexecdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
-#command[check_procs]=@libexecdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$

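--- a/nrpe.spec
+++ b/nrpe.spec
@@ -1,5 +1,5 @@
 %define name nrpe
-%define version 2.0
+%define version 2.1
 %define release 1
 %define nsusr nagios
 %define nsgrp nagios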

+ 0 - 15
nrpe.xinetd.in

@@ -1,15 +0,0 @@
-# default: on
-# description: NRPE (Nagios Remote Plugin Executor)
-service nsca
-{
-       	flags           = REUSE
-        socket_type     = stream        
-       	wait            = no
-        user            = @nrpe_user@
-	group		= @nrpe_grp@
-       	server          = @bindir@/nrpe
-        server_args     = -c @sysconfdir@/nrpe.cfg --inetd
-       	log_on_failure  += USERID
-        disable         = no
-	only_from       = 127.0.0.1
-}

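--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,17 +1,18 @@
 ###############################
 # Makefile for NRPE
 #
-# Last Modified: 10-05-2003
+# Last Modified: 10-14-2003
 ###############################
 
 
 # Source code directories
-SRC_COMMON=../common
+SRC_INCLUDE=../include
 
 CC=@CC@
 CFLAGS=@CFLAGS@ @DEFS@
 LDFLAGS=@LDFLAGS@ @LIBS@
 SOCKETLIBS=@SOCKETLIBS@
+LIBWRAPLIBS=@LIBWRAPLIBS@
 OTHERLIBS=@OTHERLIBS@
 
 CP=@CP@
@@ -19,10 +20,10 @@ CP=@CP@
 
 all: nrpe check_nrpe
 
-nrpe: nrpe.c nrpe.h utils.c utils.h $(SRC_COMMON)/common.h $(SRC_COMMON)/config.h
-	$(CC) $(CFLAGS) -o $@ nrpe.c utils.c $(LDFLAGS) $(SOCKETLIBS) $(OTHERLIBS)
+nrpe: nrpe.c utils.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(SRC_INCLUDE)/config.h
+	$(CC) $(CFLAGS) -o $@ nrpe.c utils.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(OTHERLIBS)
 
-check_nrpe: check_nrpe.c utils.c utils.h $(SRC_COMMON)/common.h $(SRC_COMMON)/config.h
+check_nrpe: check_nrpe.c utils.c $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(SRC_INCLUDE)/config.h
 	$(CC) $(CFLAGS) -o $@ check_nrpe.c utils.c $(LDFLAGS) $(SOCKETLIBS) $(OTHERLIBS)
 
 clean: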

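--- a/src/check_nrpe.c
+++ b/src/check_nrpe.c
@@ -4,7 +4,7 @@
  * Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
  * License: GPL
  *
- * Last Modified: 09-08-2003
+ * Last Modified: 10-14-2003
  *
  * Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec]
  *
@@ -17,9 +17,9 @@
  *
  ********************************************************************************************/
 
-#include "../common/common.h"
-#include "../common/config.h"
-#include "utils.h"
+#include "../include/common.h"
+#include "../include/config.h"
+#include "../include/utils.h"
 
 
 #define DEFAULT_NRPE_COMMAND	"_NRPE_CHECK"  /* check version of NRPE daemon */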

+ 0 - 25
src/dh.h

@@ -1,25 +0,0 @@
-#ifndef HEADER_DH_H
-#include <openssl/dh.h>
-#endif
-DH *get_dh512()
-	{
-	static unsigned char dh512_p[]={
-		0x8A,0x10,0xFF,0x62,0x71,0x55,0xC2,0x7A,0xAF,0xF9,0x9B,0x5E,
-		0x7F,0xFF,0xBF,0x22,0x44,0x18,0x5F,0x07,0x82,0x91,0xBE,0xDC,
-		0xFF,0xEB,0x6E,0x95,0xA3,0xB1,0xA3,0x88,0x5C,0x93,0xFE,0x94,
-		0x77,0x6D,0xA3,0x84,0x40,0xAC,0xBF,0x4C,0x46,0xC2,0x9B,0x33,
-		0xFC,0xBE,0x3E,0x93,0x38,0xEC,0xC6,0x45,0xB7,0x3F,0xDF,0x4E,
-		0x23,0xFA,0x5C,0x73,
-		};
-	static unsigned char dh512_g[]={
-		0x02,
-		};
-	DH *dh;
-
-	if ((dh=DH_new()) == NULL) return(NULL);
-	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
-	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-		{ DH_free(dh); return(NULL); }
-	return(dh);
-	}

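--- a/src/nrpe.c
+++ b/src/nrpe.c
@@ -4,7 +4,7 @@
  * Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
  * License: GPL
  *
- * Last Modified: 09-09-2003
+ * Last Modified: 10-14-2003
  *
  * Command line: nrpe -c <config_file> [--inetd | --daemon]
  *
@@ -18,13 +18,18 @@
  * 
  ******************************************************************************/
 
-#include "../common/common.h"
-#include "../common/config.h"
-#include "nrpe.h"
-#include "utils.h"
+#include "../include/common.h"
+#include "../include/config.h"
+#include "../include/nrpe.h"
+#include "../include/utils.h"
 
 #ifdef HAVE_SSL
-#include "dh.h"
+#include "../include/dh.h"
+#endif
+
+#ifdef HAVE_LIBWRAP
+int allow_severity=LOG_INFO;
+int deny_severity=LOG_WARNING;
 #endif
 
 #define DEFAULT_COMMAND_TIMEOUT	60			/* default timeout for execution of plugins */
@@ -55,7 +60,6 @@ char    *command_name=NULL;
 char    *macro_argv[MAX_COMMAND_ARGUMENTS];
 
 char    config_file[MAX_INPUT_BUFFER]="nrpe.cfg";
-char    allowed_hosts[MAX_INPUT_BUFFER];
 int     server_port=DEFAULT_SERVER_PORT;
 char    server_address[16]="0.0.0.0";
 int     socket_timeout=DEFAULT_SOCKET_TIMEOUT;
@@ -104,6 +108,9 @@ int main(int argc, char **argv){
 		printf("License: GPL with exemptions (-l for more info)\n");
 #ifdef HAVE_SSL
 		printf("SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required\n");
+#endif
+#ifdef HAVE_LIBWRAP
+		printf("TCP Wrappers Available\n");
 #endif
 		printf("\n");
 #ifdef ENABLE_COMMAND_ARGUMENTS
@@ -112,6 +119,13 @@ int main(int argc, char **argv){
 		printf("**      Read the NRPE SECURITY file for more information     **\n");
 		printf("***************************************************************\n");
 		printf("\n");
+#endif
+#ifndef HAVE_LIBWRAP
+		printf("***************************************************************\n");
+		printf("** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE!  **\n");
+		printf("**      Read the NRPE SECURITY file for more information     **\n");
+		printf("***************************************************************\n");
+		printf("\n");
 #endif
 	        }
 
@@ -227,7 +241,7 @@ int main(int argc, char **argv){
 		signal(SIGHUP, SIG_IGN);
 
 		chdir("/");
-		umask(0);
+		/*umask(0);*/
 
 		/* close standard file descriptors */
 		close(0);
@@ -345,15 +359,6 @@ int read_config_file(char *filename){
                         server_address[sizeof(server_address)-1]='\0';
                         }
 
-		else if(!strcmp(varname,"allowed_hosts")){
-			if(strlen(input_buffer)>sizeof(allowed_hosts)){
-				syslog(LOG_ERR,"Allowed hosts list too long in config file '%s' - Line %d\n",filename,line);
-				return ERROR;
-			        }
-			strncpy(allowed_hosts,varvalue,sizeof(allowed_hosts));
-			allowed_hosts[sizeof(allowed_hosts)-1]='\x0';
-		        }
-
 		else if(strstr(input_buffer,"command[")){
 			temp_buffer=strtok(varname,"[");
 			temp_buffer=strtok(NULL,"]");
@@ -390,9 +395,8 @@ int read_config_file(char *filename){
 		        }
 
 		else{
-			syslog(LOG_ERR,"Unknown option specified in config file '%s' - Line %d\n",filename,line);
-
-			return ERROR;
+			syslog(LOG_WARNING,"Unknown option specified in config file '%s' - Line %d\n",filename,line);
+			continue;
 		        }
 
 	        }
@@ -477,13 +481,25 @@ int read_config_dir(char *dirname){
 int add_command(char *command_name, char *command_line){
 	command *new_command;
 
+	if(command_name==NULL || command_line==NULL)
+		return ERROR;
+
 	/* allocate memory for the new command */
 	new_command=(command *)malloc(sizeof(command));
 	if(new_command==NULL)
 		return ERROR;
 
-	strcpy(new_command->command_name,command_name);
-	strcpy(new_command->command_line,command_line);
+	new_command->command_name=strdup(command_name);
+	if(new_command->command_name==NULL){
+		free(new_command);
+		return ERROR;
+	        }
+	new_command->command_line=strdup(command_line);
+	if(new_command->command_line==NULL){
+		free(new_command->command_name);
+		free(new_command);
+		return ERROR;
+	        }
 
 	/* add new command to head of list in memory */
 	new_command->next=command_list;
@@ -521,6 +537,9 @@ void wait_for_connections(void){
 	char connecting_host[16];
 	pid_t pid;
 	int flag=1;
+#ifdef HAVE_LIBWRAP
+	struct request_info req;
+#endif
 
 	/* create a socket for listening */
 	sock=socket(AF_INET,SOCK_STREAM,0);
@@ -578,7 +597,6 @@ void wait_for_connections(void){
 
 	if(debug==TRUE){
 		syslog(LOG_DEBUG,"Listening for connections on port %d\n",htons(myname.sin_port));
-		syslog(LOG_DEBUG,"Allowing connections from: %s\n",allowed_hosts);
 	        }
 
 	/* listen for connection requests - fork() if we get one */
@@ -636,24 +654,27 @@ void wait_for_connections(void){
 				if(debug==TRUE)
 					syslog(LOG_DEBUG,"Connection from %s port %d",inet_ntoa(nptr->sin_addr),nptr->sin_port);
 
-				/* is this is a blessed machine? */
-				snprintf(connecting_host,sizeof(connecting_host),"%s",inet_ntoa(nptr->sin_addr));
-				connecting_host[sizeof(connecting_host)-1]='\x0';
+#ifdef HAVE_LIBWRAP
 
-				if(!is_an_allowed_host(connecting_host)){
+				/* Check whether or not connections are allowed from this host */
+				request_init(&req,RQ_DAEMON,"nrpe",RQ_FILE,new_sd,0);
+				fromhost(&req);
 
-				        /* log error to syslog facility */
-					syslog(LOG_DEBUG,"Host %s is not allowed to talk to us!",connecting_host);
-			                }
-				else{
+				if(!hosts_access(&req)){
 
-				        /* log info to syslog facility */
-					if(debug==TRUE)
-						syslog(LOG_DEBUG,"Host address checks out ok");
+					syslog(LOG_DEBUG,"Connection refused by TCP wrapper");
 
-				        /* handle the client connection */
-					handle_connection(new_sd);
-			                }
+					/* refuse the connection */
+					refuse(&req);
+
+					/* should not be reached */
+					syslog(LOG_ERR,"libwrap refuse() returns!");
+					exit(STATE_CRITICAL);
+					}
+#endif
+
+				/* handle the client connection */
+				handle_connection(new_sd);
 
 				/* log info to syslog facility */
 				if(debug==TRUE)
@@ -941,59 +962,6 @@ void handle_connection(int sock){
 
 
 
-/* checks to see if a given host is allowed to talk to us */
-int is_an_allowed_host(char *connecting_host){
-	char temp_buffer[MAX_INPUT_BUFFER];
-	char *temp_ptr;
-	int result=0;
-        struct hostent *myhost;
-	char **pptr;
-	char resolved_addr[INET6_ADDRSTRLEN];
-
-	/* try and match IP addresses first */
-	strncpy(temp_buffer,allowed_hosts,sizeof(temp_buffer));
-	temp_buffer[sizeof(temp_buffer)-1]='\x0';
-
-	for(temp_ptr=strtok(temp_buffer,",");temp_ptr!=NULL;temp_ptr=strtok(NULL,",")){
-
-		if(!strcmp(connecting_host,temp_ptr)){
-			result=1;
-			break;
-		        }
-	        }
-
-	/* try DNS lookups if needed */
-	if(result==0){
-
-		strncpy(temp_buffer,allowed_hosts,sizeof(temp_buffer));
-		temp_buffer[sizeof(temp_buffer)-1]='\x0';
-
-		for(temp_ptr=strtok(temp_buffer,",");temp_ptr!=NULL;temp_ptr=strtok(NULL,",")){
-
-			myhost=gethostbyname(temp_ptr);
-			if(myhost!=NULL){
-
-				/* check all addresses for the host... */
-				for(pptr=myhost->h_addr_list;*pptr!=NULL;pptr++){
-
-					inet_ntop(myhost->h_addrtype,*pptr,resolved_addr,sizeof(resolved_addr));
-					if(!strcmp(resolved_addr,connecting_host)){
-						result=1;
-						break;
-					        }
-					}
-			        }
-
-			if(result==1)
-				break;
-		        }
-	        }
-
-	return result;
-        }
-
-
-
 /* handle signals */
 void sighandler(int sig){
 
@@ -1018,6 +986,8 @@ void free_memory(void){
 	this_command=command_list;
 	while(this_command!=NULL){
 		next_command=this_command->next;
+		free(this_command->command_name);
+		free(this_command->command_line);
 		free(this_command);
 		this_command=next_command;
 	        }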
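Review bot: The accept path in wait_for_connections() now fails open, because the only host check left, `hosts_access(&req)`, sits inside `#ifdef HAVE_LIBWRAP`, so a build without libwrap reaches `handle_connection(new_sd)` for every peer, and the only notice is the banner printed in main() (which looks like the usage output). The read_config_file() hunk compounds this: an existing `allowed_hosts=` line now lands in the unknown-option branch, which this commit downgrades to `LOG_WARNING` plus `continue`, so an upgraded daemon starts with its previous restriction dropped and only a warning in syslog. I would keep the directive recognised and fatal, e.g. `else if(!strcmp(varname,"allowed_hosts")){ syslog(LOG_ERR,"allowed_hosts is no longer supported, use TCP wrappers - config file '%s' Line %d\n",filename,line); return ERROR; }`, and have a non-libwrap build log a `LOG_WARNING` at daemon startup rather than only printing to stdout. The refusal message `syslog(LOG_DEBUG,"Connection refused by TCP wrapper")` would also be easier to alert on if it used `deny_severity`. All of these functions continue outside the hunks shown.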

+ 0 - 36
src/nrpe.h

@@ -1,36 +0,0 @@
-/************************************************************************
- *
- * NRPE.H - NRPE Include File
- * Copyright (c) 1999-2002 Ethan Galstad (nagios@nagios.org)
- * Last Modified: 02-21-2002
- *
- * License:
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- ************************************************************************/
-
-
-/**************** COMMAND STRUCTURE DEFINITION **********/
-
-#define MAX_COMMANDNAME_LENGTH	32		/* maximum short name of a command */
-#define MAX_COMMANDLINE_LENGTH	1024		/* maximum command line length */
-
-typedef struct command_struct{
-	char command_name[MAX_COMMANDNAME_LENGTH];
-	char command_line[MAX_COMMANDLINE_LENGTH];
-	struct command_struct *next;
-        }command;
-

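--- a/src/utils.c
+++ b/src/utils.c
@@ -5,7 +5,7 @@
  * License: GPL
  * Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
  *
- * Last Modified: 06-04-2003
+ * Last Modified: 10-14-2003
  *
  * Description:
  *
@@ -29,8 +29,8 @@
  *
  ****************************************************************************/
 
-#include "../common/common.h"
-#include "utils.h"
+#include "../include/common.h"
+#include "../include/utils.h"
 
 static unsigned long crc32_table[256];
 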

+ 0 - 62
src/utils.h

@@ -1,62 +0,0 @@
-/************************************************************************************************
- *
- * UTILS.H - NRPE Utilities Include File
- *
- * License: GPL
- * Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
- *
- * Last Modified: 06-04-2003
- *
- * Description:
- *
- * This file contains common include files and function definitions used in many of the plugins.
- *
- * License Information:
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- ************************************************************************************************/
-
-#ifndef _UTILS_H
-#define _UTILS_H
-
-#include "../common/config.h"
-
-
-void generate_crc32_table(void);
-unsigned long calculate_crc32(char *, int);
-
-void randomize_buffer(char *,int);
-
-int my_tcp_connect(char *,int,int *);
-int my_connect(char *,int,int *,char *);
-
-int my_inet_aton(register const char *,struct in_addr *);
-
-void strip(char *);
-
-int sendall(int,char *,int *);
-int recvall(int,char *,int *,int);
-
-char *my_strsep(char **,const char *);
-
-void display_license(void);
-
-#endif
-
-
-
-
-

+ 2 - 2
update-version

@@ -11,8 +11,8 @@ LONGDATE=`date "+%B %d, %Y"`
 SHORTDATE=`date "+%m-%d-%Y"`
 SHORTDATE=`date "+%m-%d-%Y"`
 
 
 # Update version number and release date in common code
 # Update version number and release date in common code
-perl -i -p -e "s/VERSION \".*\"/VERSION \"$1\"/;" common/common.h
-perl -i -p -e "s/MODIFICATION_DATE \".*\"/MODIFICATION_DATE \"$SHORTDATE\"/;" common/common.h
+perl -i -p -e "s/VERSION \".*\"/VERSION \"$1\"/;" include/common.h
+perl -i -p -e "s/MODIFICATION_DATE \".*\"/MODIFICATION_DATE \"$SHORTDATE\"/;" include/common.h
 
 
 # Update version number and release date in main code
 # Update version number and release date in main code
 perl -i -p -e "s/Last Modified: [0-9].*/Last Modified: $SHORTDATE/;" src/nrpe.c
 perl -i -p -e "s/Last Modified: [0-9].*/Last Modified: $SHORTDATE/;" src/nrpe.c