
Added patch to allow bash command substitutions, disabled by default.

Previously, if command arguments were enabled, NRPE would allow arguments
of the form $(...), which would cause a bash command substitution and could
be used for malicious intent. This patch adds both a configure-time option,
--enable-bash-command-substitution, and a configuration file option,
allow_bash_command_substitution. Both of these, along with the
--enable-command-args configure-time option and the dont_blame_nrpe
configuration file option, must be enabled; otherwise arguments containing $(
will be rejected.

In addition, some clean-up of the configure.in script was done so options
display nicely when the --help argument is specified to the configure script.

This patch addresses bug #400.
Eric Stanley 13 gadi atpakaļ
vecāks
revīzija
eaaebb3c29
7 mainītis faili ar 564 papildinājumiem un 424 dzēšanām
  1. 1 0
      Changelog
  2. 26 0
      SECURITY
  3. 437 400
      configure
  4. 53 20
      configure.in
  5. 2 0
      include/config.h.in
  6. 18 0
      sample-config/nrpe.cfg.in
  7. 27 4
      src/nrpe.c

+ 1 - 0
Changelog

@@ -5,6 +5,7 @@ NRPE Changelog
 
 x.xx - xx/xx/xxxx
 -----------------
+- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
 - Patched to shutdown SSL connection completely (Jari Takkala)
 - Added SRC support on AIX (Thierry Bertaud)
 - Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)

+ 26 - 0
SECURITY

@@ -27,6 +27,17 @@ should be considered a security risk, and you should only use
 it if you know what you're doing!
 
 
+BASH COMMAND SUBSTITUTION
+-------------------------
+
+Even with the metacharacter restrictions below, if command arguments 
+are enabled, it is still possible to send bash command substitions 
+in the form $(...) as an agrument. This is explicity disabled by 
+default, but can be enabled by a configure-time option and a
+configuration file option. Enabling this option is VERY RISKY and 
+its use is HIGHLY DISCOURAGED.
+
+
 ENABLING ARGUMENTS
 ------------------
 
@@ -40,6 +51,21 @@ do two things:
        file to 1.
 
 
+ENABLING BASH COMMAND SUBSTITUTION
+----------------------------------
+
+To enable support for arguments containing bash command substitions, 
+you must do two things:
+
+   1.  Enable arguments as described above
+
+   2.  Include the --enable-bash-command-substitution configure
+       option when running the configure script
+
+   3.  Set the 'allow_bash_command_substitutions' directive in the 
+       NRPE config file to 1.
+
+
 ILLEGAL METACHARS
 -----------------
 

Failā izmaiņas netiks attēlotas, jo tās ir par lielu
+ 437 - 400
configure


+ 53 - 20
configure.in

@@ -233,7 +233,8 @@ dnl Stolen from Python code: loewis@users.sourceforge.net
 #	])
 
 dnl Does user want to check for SSL?
-AC_ARG_ENABLE(ssl,--enable-ssl enables native SSL support,[
+AC_ARG_ENABLE([ssl],
+	AS_HELP_STRING([--enable-ssl],[enables native SSL support]),[
 	if test x$enableval = xyes; then
 		check_for_ssl=yes
 	else
@@ -245,18 +246,20 @@ dnl Optional SSL library and include paths
 ssl_dir=
 ssl_inc_dir=
 ssl_lib_dir=
-AC_ARG_WITH(ssl,--with-ssl=DIR sets location of the SSL installation,[
-	ssl_dir=$withval
-	])
-AC_ARG_WITH(ssl-inc,--with-ssl-inc=DIR sets location of the SSL include files,[
-	ssl_inc_dir=$withval
-	])
-AC_ARG_WITH(ssl-lib,--with-ssl-lib=DIR sets location of the SSL libraries,[
-	ssl_lib_dir=$withval
-	])
-AC_ARG_WITH(kerberos-inc,--with-kerberos-inc=DIR sets location of the Kerberos include files,[
-	kerberos_inc_dir=$withval
-	])
+AC_ARG_WITH([ssl],
+	AS_HELP_STRING([--with-ssl=DIR],[sets location of the SSL installation]),
+	[ssl_dir=$withval])
+AC_ARG_WITH([ssl-inc],
+	AS_HELP_STRING([--with-ssl-inc=DIR],
+		[sets location of the SSL include files]),
+	[ ssl_inc_dir=$withval])
+AC_ARG_WITH([ssl-lib],
+	AS_HELP_STRING([--with-ssl-lib=DIR],[sets location of the SSL libraries]),
+	[ssl_lib_dir=$withval])
+AC_ARG_WITH([kerberos-inc],
+	AS_HELP_STRING([--with-kerberos-inc=DIR],
+		[sets location of the Kerberos include files]),
+	[kerberos_inc_dir=$withval])
 
 dnl Check for SSL support
 dnl Modified version of Mark Ethan Trostler's macro <trostler@juniper.net>
@@ -362,13 +365,29 @@ if test x$check_for_ssl = xyes; then
 
 fi
 
-AC_ARG_WITH(log_facility,--with-log-facility=<facility> sets NRPE syslog facility,log_facility=$withval,log_facility=daemon)
+AC_ARG_WITH([log_facility],
+	AS_HELP_STRING([--with-log-facility=<facility>],
+		[sets NRPE syslog facility]),
+	[log_facility=$withval],
+	[log_facility=daemon])
 AC_SUBST(log_facility)
 AC_DEFINE_UNQUOTED(NRPE_LOG_FACILITY,["$log_facility"],[NRPE syslog facility])
 
-AC_ARG_WITH(nrpe_user,--with-nrpe-user=<user> sets user name to run NRPE,nrpe_user=$withval,nrpe_user=nagios)
-AC_ARG_WITH(nrpe_group,--with-nrpe-group=<group> sets group name to run NRPE,nrpe_group=$withval,nrpe_group=nagios)
-AC_ARG_WITH(nrpe_port,--with-nrpe-port=<port> sets port number for NRPE to listen on,nrpe_port=$withval,nrpe_port=5666)
+AC_ARG_WITH([nrpe_user],
+	AS_HELP_STRING([--with-nrpe-user=<user>],[sets user name to run NRPE]),
+	[nrpe_user=$withval],
+	[nrpe_user=nagios])
+
+AC_ARG_WITH([nrpe_group],
+	AS_HELP_STRING([--with-nrpe-group=<group>],[sets group name to run NRPE]),
+	[nrpe_group=$withval],
+	[nrpe_group=nagios])
+
+AC_ARG_WITH([nrpe_port],
+	AS_HELP_STRING([--with-nrpe-port=<port>],
+		[sets port number for NRPE to listen on]),
+	[nrpe_port=$withval],
+	[nrpe_port=5666])
 AC_SUBST(nrpe_user)
 AC_SUBST(nrpe_group)
 NRPE_INSTALL_OPTS="-o $nrpe_user -g $nrpe_group"
@@ -376,8 +395,16 @@ AC_SUBST(NRPE_INSTALL_OPTS)
 AC_SUBST(nrpe_port)
 AC_DEFINE_UNQUOTED(DEFAULT_SERVER_PORT,$nrpe_port,[Default port for NRPE daemon])
 
-AC_ARG_WITH(nagios_user,--with-nagios-user=<user> sets user name for file permissions,nagios_user=$withval,nagios_user=nagios)
-AC_ARG_WITH(nagios_group,--with-nagios-group=<grp> sets group name file permissions,nagios_group=$withval,nagios_group=nagios)
+AC_ARG_WITH([nagios_user],
+	AS_HELP_STRING([--with-nagios-user=<user>],
+		[sets user name for file permissions]),
+	[nagios_user=$withval],
+	[nagios_user=nagios])
+AC_ARG_WITH([nagios_group],
+	AS_HELP_STRING([--with-nagios-group=<grp>],
+		[sets group name file permissions]),
+	[nagios_group=$withval],
+	[nagios_group=nagios])
 AC_SUBST(nagios_user)
 AC_SUBST(nagios_group)
 NAGIOS_INSTALL_OPTS="-o $nagios_user -g $nagios_group"
@@ -410,7 +437,13 @@ if test "x$TARGET_OS" = "xSunOS" ; then
 fi
 AC_SUBST(TARGET_PLATFORM)
 
-AC_ARG_ENABLE(command-args,--enable-command-args allows clients to specify command arguments.  *** THIS IS A SECURITY RISK! *** Read the SECURITY file before using this option!,AC_DEFINE_UNQUOTED(ENABLE_COMMAND_ARGUMENTS,[1],[Enable command-line arguments]))
+AC_ARG_ENABLE([command-args],
+	AS_HELP_STRING([--enable-command-args],[allows clients to specify command arguments.  *** THIS IS A SECURITY RISK! *** Read the SECURITY file before using this option!]),
+	AC_DEFINE_UNQUOTED(ENABLE_COMMAND_ARGUMENTS,[1],[Enable command-line arguments]))
+
+AC_ARG_ENABLE([bash-command-substitution],
+	AS_HELP_STRING([--enable-bash-command-substitution],[allows clients to pass bash command substitutions of the form $(command).  *** THIS IS A HIGH SECURITY RISK! *** Read the SECURITY file before using this option!]),
+	AC_DEFINE_UNQUOTED(ENABLE_BASH_COMMAND_SUBSTITUTION,[1],[Enable bash command substitution]))
 
 
 AC_PATH_PROG(PERL,perl)
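Review bot: The action for the new `--enable-bash-command-substitution` option defines ENABLE_BASH_COMMAND_SUBSTITUTION without looking at `$enableval`, and autoconf runs that action for `--disable-bash-command-substitution` and `--enable-bash-command-substitution=no` as well, so an explicit disable would still compile the feature in. The ssl option earlier in this file already guards on `test x$enableval = xyes`; the same guard belongs here: `[if test "x$enableval" = xyes; then AC_DEFINE_UNQUOTED(ENABLE_BASH_COMMAND_SUBSTITUTION,[1],[Enable bash command substitution]) fi]`. The rewritten `--enable-command-args` call just above has the same shape. The runtime directive still defaults to 0, so this only affects what the binary is able to allow.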

+ 2 - 0
include/config.h.in

@@ -34,6 +34,8 @@
 
 #undef ENABLE_COMMAND_ARGUMENTS
 
+#undef ENABLE_BASH_COMMAND_SUBSTITUTION
+
 #undef socklen_t
 
 #undef HAVE_GETOPT_LONG

+ 18 - 0
sample-config/nrpe.cfg.in

@@ -98,6 +98,24 @@ dont_blame_nrpe=0
 
 
 
+# BASH COMMAND SUBTITUTION
+# This option determines whether or not the NRPE daemon will allow clients
+# to specify arguments that contain bash command substitutions of the form
+# $(...).  This option only works if the daemon was configured with both 
+# the --enable-command-args and --enable-bash-command-substitution configure 
+# script options.
+#
+# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! *** 
+# Read the SECURITY file for information on some of the security implications
+# of enabling this variable.
+#
+# Values: 0=do not allow bash command substitutions, 
+#         1=allow bash command substitutions
+
+allow_bash_command_substitution=0
+
+
+
 # COMMAND PREFIX
 # This option allows you to prefix all commands with a user-defined string.
 # A space is automatically added between the specified prefix string and the
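Review bot: The heading of the new comment block reads `# BASH COMMAND SUBTITUTION` (missing an S), and the text lists only the two configure options as prerequisites, although the commit description says dont_blame_nrpe must be enabled as well. I would add a line such as `# dont_blame_nrpe must also be set to 1 for this option to have any effect.` The directive name used here and compared in the src/nrpe.c hunk is `allow_bash_command_substitution`, while step 3 of the SECURITY text in this commit spells it `allow_bash_command_substitutions` and introduces three steps as "two things". An operator copying the SECURITY spelling would set a name that the parser branch shown in this diff does not match.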

+ 27 - 4
src/nrpe.c

@@ -74,6 +74,7 @@ char    *pid_file=NULL;
 int     wrote_pid_file=FALSE;
 
 int     allow_arguments=FALSE;
+int     allow_bash_command_substitution=FALSE;
 
 int     allow_weak_random_seed=FALSE;
 
@@ -559,6 +560,9 @@ int read_config_file(char *filename){
 		else if(!strcmp(varname,"dont_blame_nrpe"))
 			allow_arguments=(atoi(varvalue)==1)?TRUE:FALSE;
 
+		else if(!strcmp(varname,"allow_bash_command_substitution"))
+			allow_bash_command_substitution=(atoi(varvalue)==1)?TRUE:FALSE;
+
  		else if(!strcmp(varname,"command_timeout")){
 			command_timeout=atoi(varvalue);
 			if(command_timeout<1){
@@ -836,6 +840,14 @@ void wait_for_connections(void){
 #ifdef ENABLE_COMMAND_ARGUMENTS
 	if(allow_arguments==TRUE)
 		syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments from clients!");
+#ifdef ENABLE_BASH_COMMAND_SUBSTITUTION
+	if(TRUE==allow_bash_command_substitution) {
+		if(TRUE==allow_arguments)
+			syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments with bash command substitutions!");
+		else
+			syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments with bash command substitutions, but is not configured to accept command argements from clients. Enable command arguments if you wish to allow command arguments with bash command substitutions.");
+		}
+#endif
 #endif
 
 	syslog(LOG_INFO,"Listening for connections on port %d\n",htons(myname.sin_port));
@@ -1836,13 +1848,24 @@ int validate_request(packet *pkt){
 			if(!strcmp(macro_argv[x],"")){
 				syslog(LOG_ERR,"Error: Request contained an empty command argument");
 				return ERROR;
-		                }
-		        }
-	        }
+				}
+			if(strstr(macro_argv[x],"$(")) {
+#ifndef ENABLE_BASH_COMMAND_SUBSTITUTION
+				syslog(LOG_ERR,"Error: Request contained a bash command substitution!");
+				return ERROR;
+#else
+				if(FALSE==allow_bash_command_substitution) {
+					syslog(LOG_ERR,"Error: Request contained a bash command substitution, but they are disallowed!");
+					return ERROR;
+					}
+#endif
+				}
+			}
+		}
 #endif
 
 	return OK;
-        }
+	}
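Review bot: The new test in validate_request() is a literal `strstr(macro_argv[x],"$(")` match, so it covers only the `$(...)` form named in the commit message. Every other shell expansion form (the backtick form, for example) still depends on the metacharacter filter, which is not visible in this hunk. A comment above the test should record that dependency, e.g. `/* $(...) passes the metachar filter, so it is rejected here; other substitution forms must stay in that filter's list */`. In the wait_for_connections() hunk, nothing is logged when the config file sets allow_bash_command_substitution=1 but the binary was built without ENABLE_BASH_COMMAND_SUBSTITUTION, so the operator gets no hint that the directive is ignored; the long warning there also misspells "arguments" as `argements`. validate_request() begins outside the hunk, so the enclosing `allow_arguments` condition cannot be confirmed from here.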
 
 
 

Daži faili netika attēloti, jo izmaiņu fails ir pārāk liels