Imported Debian patch 3.0.1-3

Bas Couwenberg
2016-12-24 10:24:09 +01:00
committed by Mario Fetka
118 changed files with 17710 additions and 10915 deletions

29
debian/NEWS vendored

@@ -1,3 +1,32 @@
nagios-nrpe (3.0.1-1) unstable; urgency=medium
The check_nrpe command definition has been updated to remove the
arguments option, because nagios-nrpe-server does not support
command arguments since 2.15-1. And the check_nrpe_1arg command
definition has been removed.
If you're using the check_nrpe_1arg command in your Nagios/Icinga
configuration, you need to replace it with check_nrpe.
SSL support is disabled by default, the reworked SSL/TLS support in
NRPE requires configuration before it can be used. Read the
instructions in /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz
before enabling SSL support in /etc/default/nagios-nrpe-server.
The default check_nrpe command in check_nrpe.cfg has been updated
to disable SSL by default too. The check_nrpe_ssl command has been
added to connect to the NRPE daemon over SSL.
Beware that the new NRPE daemon only works with old check_nrpe
plugins when SSL support is disabled on both sides, likewise the
new check_nrpe plugin only works with the old NRPE daemon when SSL
support is disabled.
To use SSL between the NRPE client and server, configuring Stunnel
is recommended.
-- Bas Couwenberg <sebastic@debian.org> Mon, 05 Dec 2016 01:16:46 +0100
nagios-nrpe (2.15-1) unstable; urgency=high
This update disables the command-args support in nrpe. The feature
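
Review bot: the last paragraph of the 3.0.1-1 entry recommends Stunnel for SSL, while the third paragraph sends the reader to README.SSL.md to enable NRPE's own SSL and a `check_nrpe_ssl` command is added for exactly that; the entry should say which of the two is the supported path. It would also help to state outright that, with the new defaults on both sides, check traffic is unencrypted until one of them is configured.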

@@ -20,4 +20,4 @@ The current implementation does not verify client or server and uses
pregenerated key data by default. It cannot be fixed right away because
it would break the existing NRPE protocol.
Please refer to the file SECURITY in this directory for more information.
Please refer to the file SECURITY.md in this directory for more information.

@@ -1,3 +0,0 @@
This package uses dpatch for its patch management, see
/usr/share/doc/dpatch/README.source.gz if you are unfamiliar with it.

84
debian/changelog vendored

@@ -1,10 +1,84 @@
nagios-nrpe (2.15-200) UNRELEASED; urgency=medium
nagios-nrpe (3.0.1-3) unstable; urgency=medium
* Non-maintainer upload.
* Recompile with --enable-command-args
* Bigger version number to replace debmon backages
* Add reload command to systemd service file.
* Make missing EnvironmentFile non-fatal in systemd service.
-- Mario Fetka <mario.fetka@gmail.com> Fri, 24 Jun 2016 15:52:30 +0200
-- Bas Couwenberg <sebastic@debian.org> Sat, 24 Dec 2016 10:24:09 +0100
nagios-nrpe (3.0.1-2) unstable; urgency=medium
* Add systemd service file and tmpfiles.d configuration.
(closes: #665422)
* Update nrpe manpage to include new options.
-- Bas Couwenberg <sebastic@debian.org> Fri, 23 Dec 2016 23:15:19 +0100
nagios-nrpe (3.0.1-1) unstable; urgency=medium
* Update check_nrpe.cfg to remove command with arguments.
(LP: #975918)
* Disable SSL support by default, requires configuration.
It also doesn't work well with old check_nrpe versions.
* Move from experimental to unstable.
-- Bas Couwenberg <sebastic@debian.org> Fri, 09 Dec 2016 00:15:29 +0100
nagios-nrpe (3.0.1-1~exp1) experimental; urgency=medium
[ Alexander Wirt ]
* Sync uploaders with reality.
(closes: #773441)
[ Bas Couwenberg ]
* New upstream release.
- Reworked SSL/TLS. See the README.SSL.md file for full info.
(closes: #547092)
* Add myself to Uploaders.
* Add Vcs-* fields to control file.
(closes: #755507)
* Change nagios-plugins dependencies to monitoring-plugins.
* Switch from dpatch to source format 3.0 (quilt).
(closes: #756410)
* Drop obsolete patch: 04_weird_output.dpatch.
* Restructure control file with cme.
* Reorder (build) dependencies.
* Add Homepage field to control file.
* Update copyright file using copyright-format 1.0.
* Add gbp.conf to use pristine-tar by default.
* Update build dependency to use openssl 1.0.
* Enable all hardening buildflags.
(closes: #728218)
* Enable parallel builds.
* Suggest xinetd | inetd.
(closes: #662247)
* Include PDF & ODT documentation in docs.
(closes: #662249)
* Update watch file to handle common issues.
* Add upstream metadata.
* Merge nrpe.cfg patches into single patch.
(closes: #660583)
* Use configure option to set custom PID directory instead of patch.
* Drop 09_noremove_pid.patch, fixed upstream. Refresh remaining patches.
* Add patch to use pre-generated dh.h for reproducible builds.
* Override dh_auto_build to build all targets.
* Use dh-autoreconf instead of autotools-dev.
* Use exit status 0 in init script when inetd is configured.
(closes: #775924)
* Include README.SSL.md in docs.
* Bump Standards-Version to 3.9.8, changes:
Vcs-* fields, copyright-format 1.0.
[ Benjamin Drung ]
* Use dh_auto_configure to enable default hardening flags.
(closes: #843805)
* Fix copyright-refers-to-symlink-license.
(closes: #756414)
[ Chris Lamb ]
* Make the build reproducible.
(closes: #834857)
-- Bas Couwenberg <sebastic@debian.org> Sun, 04 Dec 2016 18:36:54 +0100
nagios-nrpe (2.15-1) unstable; urgency=high
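
Review bot: the local 2.15-200 entry at the top of this hunk is deleted outright, and with it the only record that this repository had been rebuilt with `--enable-command-args`. debian/rules in the same commit drops that configure flag, so hosts that relied on command arguments change behaviour on upgrade, and none of the imported entries say so for this repository's users. Keep a line about it in the commit message or in a local changelog entry.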

@@ -1,11 +1,11 @@
# this command runs a program $ARG1$ with arguments $ARG2$
# this command runs a program $ARG1$ with no arguments and disables SSL support
define command {
command_name check_nrpe
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -a $ARG2$
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
}
# this command runs a program $ARG1$ with no arguments
# this command runs a program $ARG1$ with no arguments and enables SSL support
define command {
command_name check_nrpe_1arg
command_name check_nrpe_ssl
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
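
Review bot: `check_nrpe` keeps its name but loses `-a $ARG2$` and gains `-n`, so an existing service definition that supplies a second argument still loads, the argument is dropped without any error, and the check now runs without SSL. Because `check_nrpe_1arg` is removed rather than kept as an alias, configurations that reference it fail validation instead, which is the safer of the two outcomes. Consider saying in the comment above `check_nrpe` that a second argument is ignored and that the connection is plaintext.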

27
debian/control vendored

@@ -1,17 +1,28 @@
Source: nagios-nrpe
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Uploaders: Bas Couwenberg <sebastic@debian.org>
Section: net
Priority: optional
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Uploaders: sean finney <seanius@debian.org>, Jason Thomas <jason@debian.org>, Alexander Wirt <formorer@debian.org>
Build-Depends: debhelper (>= 9), openssl, dpatch (>= 2.0.32~), libssl-dev, libwrap0-dev, autotools-dev (>= 20100122.1)
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9),
dh-autoreconf,
dh-systemd,
libssl1.0-dev,
libwrap0-dev,
openssl
Standards-Version: 3.9.8
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git
Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git
Homepage: https://github.com/NagiosEnterprises/nrpe
Package: nagios-nrpe-server
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base (>= 3.0-3)
Depends: lsb-base,
${shlibs:Depends},
${misc:Depends}
Recommends: monitoring-plugins-basic | monitoring-plugins
Suggests: xinetd | inetd
Pre-Depends: adduser
Conflicts: nagios-nrpe-doc
Recommends: nagios-plugins-basic | nagios-plugins
Description: Nagios Remote Plugin Executor Server
Nagios is a host/service/network monitoring and management system.
.
@@ -23,7 +34,8 @@ Description: Nagios Remote Plugin Executor Server
Package: nagios-nrpe-plugin
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Depends: ${shlibs:Depends},
${misc:Depends}
Conflicts: nagios-nrpe-doc
Description: Nagios Remote Plugin Executor Plugin
Nagios is a host/service/network monitoring and management system.
@@ -33,4 +45,3 @@ Description: Nagios Remote Plugin Executor Plugin
.
This is a plugin that is run on the Nagios host and is used to contact the
NRPE process on remote hosts.

101
debian/copyright vendored

@@ -1,37 +1,78 @@
This package was debianized by Jason Thomas <jason@debian.org> on
Wed, 14 Jan 2004 16:13:36 +1100.
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: NRPE
Upstream-Contact: Nagios Users List <nagios-users@lists.nagios.com>
Source: https://github.com/NagiosEnterprises/nrpe
It was downloaded from http://www.nagios.org/download/extras.php
Files: *
Copyright: 1999-2008, Ethan Galstad (nagios@nagios.org)
2009, Nagios Core Development Team and Community Contributors
License: GPL-2+ with OpenSSL exception
Current Debian Maintainers: The nagios packaging team
http://alioth.debian.org/projects/pkg-nagios/
Files: include/acl.h
src/acl.c
Copyright: 2011, Kaspersky Lab ZAO
License: GPL-2+
Mailing-List:
pkg-nagios-devel@lists.alioth.debian.org
Files: src/snprintf.c
Copyright: Patrick Powell 1995
License: attribution
This code is based on code written by Patrick Powell (papowell@astart.com)
It may be used for any purpose as long as this notice remains intact
on all source code distributions
Upstream Author: Ethan Galstad (nagios@nagios.org)
Files: debian/*
Copyright: 2004, Jason Thomas <jason@debian.org>
License: GPL-2+
Copyright (c) 1999-2009 Ethan Galstad (nagios@nagios.org)
License:
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
On Debian systems, the complete text of the GNU General Public
License can be found in /usr/share/common-licenses/GPL.
There is an exception in the sourcecode for linking against openssl:
This program is released under the GPL (see below) with the additional
exemption that compiling, linking, and/or using OpenSSL is allowed.
The file src/snprintf.c is Copyright 1995 by Patrick Powell
This code is based on code written by Patrick Powell (papowell@astart.com)
It may be used for any purpose as long as this notice remains intact
on all source code distributions
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
.
On Debian systems, the complete text of version 2 of the GNU General
Public License can be found in `/usr/share/common-licenses/GPL-2'.
License: GPL-2+ with OpenSSL exception
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later
version.
.
In addition, as a special exception, the author of this
program gives permission to link the code of its
release with the OpenSSL project's "OpenSSL" library (or
with modified versions of it that use the same license as
the "OpenSSL" library), and distribute the linked
executables. You must obey the GNU General Public
License in all respects for all of the code used other
than "OpenSSL". If you modify this file, you may extend
this exception to your version of the file, but you are
not obligated to do so. If you do not wish to do so,
delete this exception statement from your version.
.
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more
details.
.
You should have received a copy of the GNU General Public
License along with this package; if not, write to the Free
Software Foundation, Inc., 51 Franklin St, Fifth Floor,
Boston, MA 02110-1301 USA
.
On Debian systems, the full text of the GNU General Public
License version 2 can be found in the file
`/usr/share/common-licenses/GPL-2'.

3
debian/docs vendored

@@ -1,3 +0,0 @@
README
LEGAL
SECURITY

16
debian/gbp.conf vendored Normal file

@@ -0,0 +1,16 @@
[DEFAULT]
# The default name for the upstream branch is "upstream".
# Change it if the name is different (for instance, "master").
upstream-branch = upstream
# The default name for the Debian branch is "master".
# Change it if the name is different (for instance, "debian/unstable").
debian-branch = master
# git-import-orig uses the following names for the upstream tags.
# Change the value if you are not using git-import-orig
upstream-tag = upstream/%(version)s
# Always use pristine-tar.
pristine-tar = True

@@ -1,2 +1,2 @@
src/check_nrpe usr/lib/nagios/plugins/
src/check_nrpe usr/lib/nagios/plugins/
debian/check_nrpe.cfg etc/nagios-plugins/config/

@@ -1,12 +1,18 @@
# defaults file for nagios-nrpe-server
# (this file is a /bin/sh compatible fragment)
# DAEMON_OPTS are any extra cmdline parameters you'd like to
# pass along to the nrpe daemon
#DAEMON_OPTS="--no-ssl"
# NRPE_OPTS are any extra cmdline parameters you'd like to pass along to the
# nrpe daemon.
#
# The -n option disables SSL support.
# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg!
# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.
NRPE_OPTS="-n"
# NICENESS is if you want to run the server at a different nice() priority
# NICENESS is if you want to run the server at a different nice() priority.
# (only used by the init script)
#NICENESS=5
# INETD is if you want to run the server via inetd (default=0, run as daemon)
# INETD is if you want to run the server via inetd (default=0, run as daemon).
# (only used by the init script)
#INETD=0
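
Review bot: the header comment "(this file is a /bin/sh compatible fragment)" is left unchanged, but the new systemd unit reads the same file through `EnvironmentFile=`, which accepts plain VAR=value assignments and does not evaluate shell constructs. Marking NICENESS and INETD as "only used by the init script" covers part of this; the header should also say that NRPE_OPTS must be a literal assignment so that it behaves the same under both the init script and systemd.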

6
debian/nagios-nrpe-server.doc-base vendored Normal file

@@ -0,0 +1,6 @@
Document: nagios-nrpe
Title: NRPE Documentation
Section: Network/Monitoring
Format: PDF
Files: /usr/share/doc/nagios-nrpe-server/*.pdf.gz

5
debian/nagios-nrpe-server.docs vendored Normal file

@@ -0,0 +1,5 @@
LEGAL
README.md
README.SSL.md
SECURITY.md
docs/*

@@ -52,10 +52,10 @@ set -e
case "$1" in
start)
if [ "$INETD" = 1 ]; then
exit 1
exit 0
fi
log_daemon_msg "Starting $DESC" "$NAME"
start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $DAEMON_OPTS
start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $NRPE_OPTS
log_end_msg $?
;;
stop)
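
Review bot: the `start_daemon` line now expands `$NRPE_OPTS` only, so an administrator who keeps a locally modified /etc/default/nagios-nrpe-server that still sets DAEMON_OPTS gets a daemon started without those options and without any warning. The old defaults file offered `--no-ssl` through that variable, so the SSL setting is exactly what can be lost this way. Either fall back to the old name before the call, for example `NRPE_OPTS="${NRPE_OPTS:-$DAEMON_OPTS}"`, or mention the rename in debian/NEWS, which does not cover it at present.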

@@ -1,3 +1,3 @@
src/nrpe usr/sbin
src/nrpe usr/sbin
sample-config/nrpe.cfg etc/nagios
debian/nrpe_local.cfg etc/nagios
debian/nrpe_local.cfg etc/nagios

@@ -21,7 +21,7 @@ case "$1" in
# We have a nagios user.
if [ `id nagios -g -n` != "nagios" ] ; then
addgroup --system nagios || true
#this can fail sometimes (i.e. with LDAP) so ignore it
#this can fail sometimes (i.e. with LDAP) so ignore it
usermod -g nagios nagios || true
fi
else

23
debian/nagios-nrpe-server.service vendored Normal file

@@ -0,0 +1,23 @@
[Unit]
Description=Nagios Remote Plugin Executor
Documentation=http://www.nagios.org/documentation
After=var-run.mount nss-lookup.target network.target local-fs.target remote-fs.target time-sync.target
Before=getty@tty1.service plymouth-quit.service xdm.service
Conflicts=nrpe.socket
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
Restart=on-abort
PIDFile=/var/run/nagios/nrpe.pid
EnvironmentFile=-/etc/default/nagios-nrpe-server
ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f $NRPE_OPTS
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/rm -f /var/run/nagios/nrpe.pid
TimeoutStopSec=60
User=nagios
Group=nagios
PrivateTmp=true
OOMScoreAdjust=-500
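
Review bot: with `EnvironmentFile=-/etc/default/nagios-nrpe-server` the unit starts even when that file is missing, and in that case `$NRPE_OPTS` in `ExecStart=` expands to nothing, so nrpe runs without `-n`. debian/NEWS states that SSL is disabled by default, but that default lives only in the defaults file. Put `Environment=NRPE_OPTS=-n` in the unit ahead of the `EnvironmentFile=` line so the file can still override it. Separately, `PIDFile=` is not needed with `Type=simple` and `-f`, and `Conflicts=nrpe.socket` refers to a unit this commit does not add.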

2
debian/nagios-nrpe-server.tmpfile vendored Normal file

@@ -0,0 +1,2 @@
#Type Path Mode UID GID Age Argument
d /var/run/nagios 0755 nagios nagios - -

26
debian/nrpe.8 vendored

@@ -19,7 +19,7 @@
nrpe \- Nagios Remote Plugin Executor - Server
.SH SYNOPSIS
.B nagios-nrpe
\fI-c <config_file> <mode>\fR
\fI[-n] -c <config_file> [-4|-6] <mode>\fR
.SH DESCRIPTION
.PP
The purpose of this addon is to allow you to execute Nagios plugins on a
@@ -28,16 +28,24 @@ remote host in as transparent a manner as possible.
This program runs as a background process on the remote host and processes
command execution requests from the check_nrpe plugin on the Nagios host.
.SH OPTIONS
.IP
<config_file> = Name of config file to use
.IP
<mode> = One of the following two operating modes:
.TP
\fB\-i\fR
= Run as a service under inetd or xinetd
\fB\-n\fR = Do not use SSL
.TP
\fB\-d\fR
= Run as a standalone daemon
\fB\-c\fR <config_file> = Name of config file to use
.TP
\fB\-4\fR = Use IPv4 only
.TP
\fB\-6\fR = Use IPv6 only
.TP
<mode> = One of the following two operating modes:
.TP
\fB\-i\fR = Run as a service under inetd or xinetd
.TP
\fB\-d\fR = Run as a standalone daemon
.TP
\fB\-d \-s\fR = Run as a subsystem under AIX
.TP
\fB\-d\fR = Don't fork() for systemd, launchd, etc.
.PP
Notes:
This program is designed to process requests from the check_nrpe
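
Review bot: the last added option, `\fB\-d\fR = Don't fork() for systemd, launchd, etc.`, repeats `-d`, which is already listed as "Run as a standalone daemon"; the systemd unit added in this commit passes `-f` for that purpose, so this entry should read `\-f`. The line "One of the following two operating modes" also needs updating, since four entries now follow it.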

@@ -1,6 +0,0 @@
02_nrpe.cfg_local-include.dpatch
03_support_nrpe.d.dpatch
05_pid_privileges.dpatch
06_pid_directory.dpatch
07_warn_ssloption.dpatch
09_noremove_pid.dpatch

@@ -1,19 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 02_nrpe.cfg_local-include.dpatch by <seanius@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Support nrpe_local.cfg
@DPATCH@
diff -urNad nagios-nrpe-2.4~/sample-config/nrpe.cfg.in nagios-nrpe-2.4/sample-config/nrpe.cfg.in
--- nagios-nrpe-2.4~/sample-config/nrpe.cfg.in 2006-02-03 23:02:32.000000000 +0100
+++ nagios-nrpe-2.4/sample-config/nrpe.cfg.in 2006-03-31 07:07:16.000000000 +0200
@@ -178,3 +178,8 @@
#command[check_load]=@libexecdir@/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=@libexecdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_procs]=@libexecdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+
+#
+# local configuration:
+# if you'd prefer, you can instead place directives here
+include=/etc/nagios/nrpe_local.cfg

@@ -0,0 +1,22 @@
Description: Support nrpe_local.cfg & nrpe.d directory.
Author: Sean Finney <seanius@debian.org>
Author: Alexander Wirt <formorer@debian.org>
Forwarded: not-needed
--- a/sample-config/nrpe.cfg.in
+++ b/sample-config/nrpe.cfg.in
@@ -301,3 +301,14 @@ command[check_total_procs]=@pluginsdir@/
#command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+
+# local configuration:
+# if you'd prefer, you can instead place directives here
+
+include=/etc/nagios/nrpe_local.cfg
+
+# you can place your config snipplets into nrpe.d/
+# only snipplets ending in .cfg will get included
+
+include_dir=/etc/nagios/nrpe.d/
+

@@ -1,21 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 03_support_nrpe.d.dpatch by Alexander Wirt <formorer@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Support an nrpe.d directory
@DPATCH@
diff -urNad nagios-nrpe-2.8.1~/sample-config/nrpe.cfg.in nagios-nrpe-2.8.1/sample-config/nrpe.cfg.in
--- nagios-nrpe-2.8.1~/sample-config/nrpe.cfg.in 2008-04-15 23:53:48.000000000 +0200
+++ nagios-nrpe-2.8.1/sample-config/nrpe.cfg.in 2008-04-15 23:54:48.000000000 +0200
@@ -211,3 +211,9 @@
# local configuration:
# if you'd prefer, you can instead place directives here
include=/etc/nagios/nrpe_local.cfg
+
+#
+# you can place your config snipplets into nrpe.d/
+# only snipplets ending in .cfg will get included
+include_dir=/etc/nagios/nrpe.d/
+
+

@@ -1,20 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_weird_output.dpatch by <luk@luknote>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Clean buffer before use
@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pkg-nrpe~/src/nrpe.c pkg-nrpe/src/nrpe.c
--- pkg-nrpe~/src/nrpe.c 2012-04-30 09:36:53.000000000 +0200
+++ pkg-nrpe/src/nrpe.c 2012-04-30 09:52:47.890535825 +0200
@@ -1107,6 +1107,9 @@
/* disable connection alarm - a new alarm will be setup during my_system */
alarm(0);
+ // null buffer before using it!
+ memset(buffer,0,sizeof(buffer));
+
/* if this is the version check command, just spew it out */
if(!strcmp(command_name,NRPE_HELLO_COMMAND)){
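
Review bot: removing the `memset(buffer,0,sizeof(buffer));` that this patch placed ahead of the NRPE_HELLO_COMMAND check needs more justification than the changelog's "Drop obsolete patch". A response buffer that is not cleared before use can carry stale memory contents back to the client, so please confirm that src/nrpe.c in 3.0.1 initialises the buffer on this path and name the upstream change in the changelog entry.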

@@ -1,27 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 05_pid_privileges.dpatch by <luk@luknote>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pkg-nrpe~/src/nrpe.c pkg-nrpe/src/nrpe.c
--- pkg-nrpe~/src/nrpe.c 2014-05-23 20:42:27.000000000 +0200
+++ pkg-nrpe/src/nrpe.c 2014-07-15 14:09:45.027422047 +0200
@@ -317,13 +317,13 @@
/* log info to syslog facility */
syslog(LOG_NOTICE,"Starting up daemon");
+ /* drop privileges */
+ drop_privileges(nrpe_user,nrpe_group);
+
/* write pid file */
if(write_pid_file()==ERROR)
return STATE_CRITICAL;
- /* drop privileges */
- drop_privileges(nrpe_user,nrpe_group);
-
/* make sure we're not root */
check_privileges();
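
Review bot: 05_pid_privileges.dpatch is deleted here and dropped from the series, but debian/changelog in this commit only accounts for 02 and 03 (merged), 04 (obsolete), 06 (configure option) and 09 (fixed upstream). The patch moved `drop_privileges(nrpe_user,nrpe_group);` ahead of `write_pid_file()`, and the PID directory /var/run/nagios is owned by nagios per the new tmpfiles.d entry, so a PID file written before privileges are dropped would be created by root in a directory that the unprivileged user controls. Please confirm the ordering in 3.0.1 for the init script path, where the daemon starts as root, and record why the patch is no longer needed.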

@@ -1,19 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_pid_directory.dpatch by Alexander Wirt <formorer@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad nagios-nrpe-2.8.1~/sample-config/nrpe.cfg.in nagios-nrpe-2.8.1/sample-config/nrpe.cfg.in
--- nagios-nrpe-2.8.1~/sample-config/nrpe.cfg.in 2007-03-09 19:08:58.000000000 +0100
+++ nagios-nrpe-2.8.1/sample-config/nrpe.cfg.in 2009-07-06 07:43:09.000000000 +0200
@@ -16,7 +16,7 @@
# number. The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.
-pid_file=/var/run/nrpe.pid
+pid_file=/var/run/nagios/nrpe.pid

@@ -1,30 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 07_warn_ssloption.dpatch by Thijs Kinkhorst <thijs@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Warn against inadequateness of NRPE's own SSL option.
--- a/SECURITY 2013-02-10 15:07:18.000000000 +0100
+++ b/SECURITY 2013-02-10 15:08:50.000000000 +0100
@@ -67,14 +67,17 @@
----------
If you do enable support for command arguments in the NRPE daemon,
-make sure that you encrypt communications either by using:
-
- 1. Stunnel (see http://www.stunnel.org for more info)
- 2. Native SSL support
+make sure that you encrypt communications either by using, for
+example, Stunnel (see http://www.stunnel.org for more info).
Do NOT assume that just because the daemon is behind a firewall
that you are safe! Always encrypt NRPE traffic!
+NOTE: the currently shipped native SSL support of NRPE is not an
+adequante protection, because it does not verify clients and
+server, and uses pregenerated key material. NRPE's SSL option is
+advised against. For more information, see Debian bug #547092.
+
USING ARGUMENTS
---------------

28
debian/patches/07_warn_ssloption.patch vendored Normal file

@@ -0,0 +1,28 @@
Description: Warn against inadequateness of NRPE's own SSL option.
Author: Thijs Kinkhorst <thijs@debian.org>
Forwarded: not-needed
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -82,14 +82,17 @@ daemon should run as.
#### ENCRYPTION ####
If you do enable support for command arguments in the NRPE daemon,
-make sure that you encrypt communications either by using:
-
- 1. Stunnel (see http://www.stunnel.org for more info)
- 2. Native SSL support (See the `README.SSL.md` file for more info)
+make sure that you encrypt communications by using, for example,
+Stunnel (see http://www.stunnel.org for more info).
*Do NOT* assume that just because the daemon is behind a firewall
that you are safe! Always encrypt NRPE traffic!
+NOTE: the currently shipped native SSL support of NRPE is not an
+adequante protection, because it does not verify clients and
+server, and uses pregenerated key material. NRPE's SSL option is
+advised against. For more information, see Debian bug #547092.
+
#### USING ARGUMENTS ####
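
Review bot: the added NOTE still says the native SSL support "does not verify clients and server, and uses pregenerated key material" and cites Debian bug #547092, while the 3.0.1-1~exp1 changelog entry in this commit closes #547092 with "Reworked SSL/TLS". One of the two is out of date: either reword the note to describe what still applies to 3.0.1, or leave the bug open. The same commit also adds a `check_nrpe_ssl` command for the option that this note advises against. Minor: "adequante" should be "adequate".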

@@ -1,34 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 09_noremove_pid.dpatch by <simon.deziel@gmail.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Do not remove the PID file after a connection error (original patch
## DP: from Hiren Patel)
# Author: Hiren Patel
# From: http://comments.gmane.org/gmane.network.nagios.devel/6774
# Bug-Debian: #716949
# Bug-Ubuntu: https://launchpad.net/bugs/1126890
@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pkg-nrpe~/src/nrpe.c pkg-nrpe/src/nrpe.c
--- pkg-nrpe~/src/nrpe.c 2014-07-15 14:20:02.000000000 +0200
+++ pkg-nrpe/src/nrpe.c 2014-07-15 14:20:55.775429979 +0200
@@ -998,7 +998,7 @@
/* close socket prioer to exiting */
close(sock);
- return;
+ exit(STATE_CRITICAL);
}
/* handle signals */
@@ -1022,7 +1022,7 @@
/* close socket prior to exiting */
close(new_sd);
- return;
+ exit(STATE_CRITICAL);
}
/* is this is a blessed machine? */

@@ -0,0 +1,24 @@
Description: Make the build reproducible.
Author: Chris Lamb <lamby@debian.org>
Bug-Debian: https://bugs.debian.org/834857
Forwarded: https://github.com/NagiosEnterprises/nrpe/pull/78
Applied-Upstream: https://github.com/NagiosEnterprises/nrpe/commit/c6ca9766cae19bc194efa68ed85999e9c9756422
--- a/update-version
+++ b/update-version
@@ -20,11 +20,11 @@ fi
# Get date (two formats)
if [ -n "$2" ]; then
- LONGDATE=`date -d "$2" "+%B %d, %Y"`
- SHORTDATE=`date -d "$2" "+%m-%d-%Y"`
+ LONGDATE=$(LC_ALL=C date -u -d "$2" "+%B %d, %Y")
+ SHORTDATE=$(date -u -d "$2" "+%m-%d-%Y")
else
- LONGDATE=`date "+%B %d, %Y"`
- SHORTDATE=`date "+%m-%d-%Y"`
+ LONGDATE=$(LC_ALL=C date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" "+%B %d, %Y")
+ SHORTDATE=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" "+%m-%d-%Y")
fi
# Current version number

@@ -0,0 +1,60 @@
Description: Use pre-generated dh.h for reproducible builds.
Author: Bas Couwenberg <sebastic@debian.org>
Bug-Debian: https://bugs.debian.org/834857
Forwarded: not-needed
--- /dev/null
+++ b/include/dh.h
@@ -0,0 +1,41 @@
+#ifndef HEADER_DH_H
+#include <openssl/dh.h>
+#endif
+DH *get_dh2048()
+ {
+ static unsigned char dh2048_p[]={
+ 0xE9,0x3C,0xF4,0xCE,0x63,0x0A,0x57,0x9A,0xD1,0x34,0x74,0xA1,
+ 0x3E,0xC3,0x93,0xB5,0x50,0x36,0x56,0x87,0x9F,0x8F,0xBC,0x74,
+ 0x15,0x03,0x1D,0x00,0x45,0xB0,0x2F,0xA3,0x2C,0xC1,0x13,0xFF,
+ 0x6C,0xF1,0xDB,0x36,0xB5,0xB5,0x49,0x2D,0x6A,0x8D,0x55,0xA1,
+ 0xE6,0x4C,0xD1,0xA9,0x07,0x24,0xC4,0xDF,0x3A,0x2A,0x9E,0xDB,
+ 0x4A,0x23,0xAD,0x56,0x79,0xA3,0x3D,0xC4,0xAD,0xE0,0x3E,0x17,
+ 0x3B,0x43,0x0F,0xB6,0x83,0xE4,0x52,0xFD,0x6D,0x74,0x03,0xB3,
+ 0x29,0x26,0xF2,0x29,0x0A,0xA2,0x33,0x56,0x0C,0x16,0xF7,0x81,
+ 0xBF,0xDC,0xB8,0xCE,0x78,0xC1,0x73,0xD6,0x48,0x54,0x2D,0x98,
+ 0xA5,0x7A,0xE3,0x38,0x8E,0x3D,0x75,0xDB,0x92,0x4D,0x76,0xC1,
+ 0xCD,0xE7,0x27,0xEE,0x09,0x89,0xFA,0xCE,0x7A,0xD6,0xDC,0x5B,
+ 0x08,0x6B,0xE8,0x7E,0x37,0x7B,0x40,0x89,0x72,0xBD,0x4E,0xF4,
+ 0x9A,0xDC,0x94,0xA3,0x7D,0x4C,0x15,0xE4,0xE1,0xA8,0x8D,0xF9,
+ 0xB2,0xF0,0x02,0x40,0x39,0x6C,0xDD,0x37,0x08,0xC1,0xE8,0x0B,
+ 0xAD,0x16,0x24,0x81,0x5F,0x24,0xD9,0x65,0x71,0x34,0x78,0xF3,
+ 0xFE,0x35,0xE0,0x20,0xFF,0x6D,0x41,0xE7,0xC8,0x8E,0x58,0x59,
+ 0x24,0x01,0x9A,0xC8,0xA7,0x8D,0x48,0x43,0x8E,0x34,0x7C,0xC1,
+ 0xB4,0xC8,0xD0,0x9C,0xBD,0xEA,0x83,0xC7,0xC9,0x86,0xFC,0xD1,
+ 0xA7,0xAF,0x5C,0x99,0x98,0xD1,0x82,0x78,0xE4,0xA4,0x1C,0xB5,
+ 0x87,0x72,0xD8,0x38,0x48,0x60,0xAE,0xCB,0x92,0xA2,0x79,0xFC,
+ 0x8F,0x1D,0x94,0xB5,0x88,0xA5,0xA4,0xE1,0xF5,0x98,0xBA,0xB2,
+ 0x06,0x22,0xA8,0x1B,
+ };
+ static unsigned char dh2048_g[]={
+ 0x02,
+ };
+ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+ dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+ { DH_free(dh); return(NULL); }
+ return(dh);
+ }
--- a/configure.ac
+++ b/configure.ac
@@ -307,7 +307,7 @@ AC_ARG_ENABLE([ssl],
dnl Optional SSL library and include paths
if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE
- need_dh=yes
+ need_dh=no
AC_NAGIOS_GET_SSL
fi
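
Review bot: the new include/dh.h compiles one fixed 2048-bit DH group into every binary built from this package, and the patch header does not say how `dh2048_p` was produced. Add the generating command to the Description so the parameters can be regenerated and checked, and state that identical parameters on all installations are the accepted cost of reproducibility. Also note that `dh->p=` and `dh->g=` assign struct members directly, which only compiles against OpenSSL 1.0; this matches the `libssl1.0-dev` build dependency in debian/control but will need the setter API when that dependency moves.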

4
debian/patches/series vendored Normal file

@@ -0,0 +1,4 @@
02_nrpe.cfg_local-include_support_nrpe.d.patch
07_warn_ssloption.patch
10_reproducible_build.patch
11_reproducible_dh.h.patch

31
debian/rules vendored

@@ -3,21 +3,34 @@
# newer dpkg set this by default.
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
# Include dpatch stuff.
include /usr/share/dpatch/dpatch.make
# Enable hardening build flags
export DEB_BUILD_MAINT_OPTIONS=hardening=+all
CFLAGS += $(CPPFLAGS)
export AUTOHEADER=true
%:
dh $@ --with dpatch,autotools_dev
dh $@ --with autoreconf,systemd --parallel
override_dh_auto_configure:
./configure \
# Save deterministic "openssl dhparam" output.
cp include/dh.h include/dh.h.orig
dh_auto_configure -- \
--prefix=/usr \
--sysconfdir=/etc \
--libdir=/usr/lib/nagios \
--libexecdir=/usr/lib/nagios/plugins \
--localstatedir=/var \
--enable-ssl \
--with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib/nagios/plugins \
--libdir=/usr/lib/nagios \
--enable-command-args
--with-piddir=/var/run/nagios
# Restore deterministic "openssl dhparam" output.
cp include/dh.h.orig include/dh.h
override_dh_auto_build:
dh_auto_build -- all
override_dh_auto_install:
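
Review bot: in `override_dh_auto_configure`, copying include/dh.h to include/dh.h.orig and back around `dh_auto_configure` duplicates what `need_dh=no` in 11_reproducible_dh.h.patch is meant to achieve. If the configure change works, the two `cp` lines are dead weight; if it does not, the build depends on a restore step that is skipped when configure fails. Keep one mechanism, or add a comment explaining why both are needed. The visible part of the hunk also shows no cleanup of include/dh.h.orig. Dropping `--enable-command-args` here is consistent with debian/NEWS.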

1
debian/source/format vendored Normal file

@@ -0,0 +1 @@
3.0 (quilt)

6
debian/upstream/metadata vendored Normal file

@@ -0,0 +1,6 @@
---
Bug-Database: https://github.com/NagiosEnterprises/nrpe/issues
Bug-Submit: https://github.com/NagiosEnterprises/nrpe/issues/new
Name: NRPE
Repository: https://github.com/NagiosEnterprises/nrpe.git
Repository-Browse: https://github.com/NagiosEnterprises/nrpe

6
debian/watch vendored

@@ -1,3 +1,5 @@
version=3
http://sf.net/nagios/nrpe-([0-9.]+).tar.gz
opts=\
dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\
uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g \
http://sf.net/nagios/nrpe-([\d\.]+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))
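
Review bot: the watch URL still points at `http://sf.net/nagios/` over plain HTTP, while the Homepage field in debian/control and debian/upstream/metadata in this commit both name https://github.com/NagiosEnterprises/nrpe as the upstream. Track releases from that location over HTTPS so the tarball source matches the declared upstream, and add `pgpsigurlmangle` to `opts` if upstream publishes signatures.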