int main(int argc, char **argv) { check_privileges(); clear(); init_tty(); setup_signals(); struct pollfd ufds[2] = { { .fd = STDIN_FILENO, .events = POLLIN, .revents = 0 }, { .fd = -1, .events = POLLIN, .revents = 0 }
int main(int argc, char **argv){ int result=OK; int x; char buffer[MAX_INPUT_BUFFER]; char *env_string=NULL; #ifdef HAVE_SSL DH *dh; char seedfile[FILENAME_MAX]; int i,c; #endif /* set some environment variables */ asprintf(&env_string,"NRPE_MULTILINESUPPORT=1"); putenv(env_string); asprintf(&env_string,"NRPE_PROGRAMVERSION=%s",PROGRAM_VERSION); putenv(env_string); /* process command-line args */ result=process_arguments(argc,argv); if(result!=OK || show_help==TRUE || show_license==TRUE || show_version==TRUE){ printf("\n"); printf("NRPE - Nagios Remote Plugin Executor\n"); printf("Copyright (c) 1999-2008 Ethan Galstad ([email protected])\n"); printf("Version: %s\n",PROGRAM_VERSION); printf("Last Modified: %s\n",MODIFICATION_DATE); printf("License: GPL v2 with exemptions (-l for more info)\n"); #ifdef HAVE_SSL printf("SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required\n"); #endif #ifdef HAVE_LIBWRAP printf("TCP Wrappers Available\n"); #endif printf("\n"); #ifdef ENABLE_COMMAND_ARGUMENTS printf("***************************************************************\n"); printf("** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **\n"); printf("** Read the NRPE SECURITY file for more information **\n"); printf("***************************************************************\n"); printf("\n"); #endif #ifndef HAVE_LIBWRAP printf("***************************************************************\n"); printf("** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE! **\n"); printf("** Read the NRPE SECURITY file for more information **\n"); printf("***************************************************************\n"); printf("\n"); #endif } if(show_license==TRUE) display_license(); else if(result!=OK || show_help==TRUE){ printf("Usage: nrpe [-n] -c <config_file> <mode>\n"); printf("\n"); printf("Options:\n"); printf(" -n = Do not use SSL\n"); printf(" <config_file> = Name of config file to use\n"); printf(" <mode> = One of the following two operating modes:\n"); printf(" -i = Run as a service under inetd or xinetd\n"); printf(" -d = Run as a standalone daemon\n"); printf("\n"); printf("Notes:\n"); printf("This program is designed to process requests from the check_nrpe\n"); printf("plugin on the host(s) running Nagios. It can run as a service\n"); printf("under inetd or xinetd (read the docs for info on this), or as a\n"); printf("standalone daemon. Once a request is received from an authorized\n"); printf("host, NRPE will execute the command/plugin (as defined in the\n"); printf("config file) and return the plugin output and return code to the\n"); printf("check_nrpe plugin.\n"); printf("\n"); } if(result!=OK || show_help==TRUE || show_license==TRUE || show_version==TRUE) exit(STATE_UNKNOWN); /* open a connection to the syslog facility */ /* facility name may be overridden later */ get_log_facility(NRPE_LOG_FACILITY); openlog("nrpe",LOG_PID,log_facility); /* make sure the config file uses an absolute path */ if(config_file[0]!='/'){ /* save the name of the config file */ strncpy(buffer,config_file,sizeof(buffer)); buffer[sizeof(buffer)-1]='\x0'; /* get absolute path of current working directory */ strcpy(config_file,""); getcwd(config_file,sizeof(config_file)); /* append a forward slash */ strncat(config_file,"/",sizeof(config_file)-2); config_file[sizeof(config_file)-1]='\x0'; /* append the config file to the path */ strncat(config_file,buffer,sizeof(config_file)-strlen(config_file)-1); config_file[sizeof(config_file)-1]='\x0'; } /* read the config file */ result=read_config_file(config_file); /* exit if there are errors... */ if(result==ERROR){ syslog(LOG_ERR,"Config file '%s' contained errors, aborting...",config_file); return STATE_CRITICAL; } /* generate the CRC 32 table */ generate_crc32_table(); /* initialize macros */ for(x=0;x<MAX_COMMAND_ARGUMENTS;x++) macro_argv[x]=NULL; #ifdef HAVE_SSL /* initialize SSL */ if(use_ssl==TRUE){ SSL_library_init(); SSLeay_add_ssl_algorithms(); meth=SSLv23_server_method(); SSL_load_error_strings(); /* use week random seed if necessary */ if(allow_weak_random_seed && (RAND_status()==0)){ if(RAND_file_name(seedfile,sizeof(seedfile)-1)) if(RAND_load_file(seedfile,-1)) RAND_write_file(seedfile); if(RAND_status()==0){ syslog(LOG_ERR,"Warning: SSL/TLS uses a weak random seed which is highly discouraged"); srand(time(NULL)); for(i=0;i<500 && RAND_status()==0;i++){ for(c=0;c<sizeof(seedfile);c+=sizeof(int)){ *((int *)(seedfile+c))=rand(); } RAND_seed(seedfile,sizeof(seedfile)); } } } if((ctx=SSL_CTX_new(meth))==NULL){ syslog(LOG_ERR,"Error: could not create SSL context.\n"); exit(STATE_CRITICAL); } /* ADDED 01/19/2004 */ /* use only TLSv1 protocol */ SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); /* use anonymous DH ciphers */ SSL_CTX_set_cipher_list(ctx,"ADH"); dh=get_dh512(); SSL_CTX_set_tmp_dh(ctx,dh); DH_free(dh); if(debug==TRUE) syslog(LOG_INFO,"INFO: SSL/TLS initialized. All network traffic will be encrypted."); } else{ if(debug==TRUE) syslog(LOG_INFO,"INFO: SSL/TLS NOT initialized. Network encryption DISABLED."); } #endif /* if we're running under inetd... */ if(use_inetd==TRUE){ /* make sure we're not root */ check_privileges(); /* redirect STDERR to /dev/null */ close(2); open("/dev/null",O_WRONLY); /* handle the connection */ handle_connection(0); } /* else daemonize and start listening for requests... */ else if(fork()==0){ /* we're a daemon - set up a new process group */ setsid(); /* close standard file descriptors */ close(0); close(1); close(2); /* redirect standard descriptors to /dev/null */ open("/dev/null",O_RDONLY); open("/dev/null",O_WRONLY); open("/dev/null",O_WRONLY); chdir("/"); /*umask(0);*/ /* handle signals */ signal(SIGQUIT,sighandler); signal(SIGTERM,sighandler); signal(SIGHUP,sighandler); /* log info to syslog facility */ syslog(LOG_NOTICE,"Starting up daemon"); /* write pid file */ if(write_pid_file()==ERROR) return STATE_CRITICAL; /* drop privileges */ drop_privileges(nrpe_user,nrpe_group); /* make sure we're not root */ check_privileges(); do{ /* reset flags */ sigrestart=FALSE; sigshutdown=FALSE; /* wait for connections */ wait_for_connections(); /* free all memory we allocated */ free_memory(); if(sigrestart==TRUE){ /* read the config file */ result=read_config_file(config_file); /* exit if there are errors... */ if(result==ERROR){ syslog(LOG_ERR,"Config file '%s' contained errors, bailing out...",config_file); return STATE_CRITICAL; } } }while(sigrestart==TRUE && sigshutdown==FALSE); /* remove pid file */ remove_pid_file(); syslog(LOG_NOTICE,"Daemon shutdown\n"); } #ifdef HAVE_SSL if(use_ssl==TRUE) SSL_CTX_free(ctx); #endif /* We are now running in daemon mode, or the connection handed over by inetd has been completed, so the parent process exits */ return STATE_OK; }
void https_service_conn(int conn_sock, SSL_CTX *ctx) { char buf[MAX_BUF_LENGTH]; int count, retv; struct message *msg; /* openssl library definitions */ SSL* ssl; ssl = SSL_new(ctx); if (ssl == NULL) { perror("cannot create SSL object!"); return; } SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); SSL_set_fd(ssl, conn_sock); SSL_set_accept_state(ssl); retv = SSL_accept(ssl); if (retv < 0) goto ERROR; count = SSL_read(ssl, buf, MAX_BUF_LENGTH-1); if (count < 0) goto ERROR; buf[count] = '\0'; printf(buf); if (!strncmp(buf, "GET", 3)) { char url[256]; strtok(buf, " "); strcpy(url, https_s.dir); strcat(url, strtok(NULL, " ")); if (strcmp(url, "index.html")) { write_url_ssl(ssl, buf, url); } else if (strcmp(url, "guest_panel.html")) { if (check_privileges()) { write_url_ssl(ssl, buf, url); } else { write_404_ssl(ssl, buf, "<html><body>You don't have access! Go away!</body></html>"); } } else if (strcmp(url, "admin_panel.html")) { if (check_privileges() == ADMIN_PRIV) { write_url_ssl(ssl, buf, url); } else { write_404_ssl(ssl, buf, "<html><body>You don't have access! Go away!</body></html>"); } } } if (!strncmp(buf, "POST", 4)) { int i; char *tmp; char *password; char *username; int admin_login = 1; int guest_login = 1; char *ble = buf; if ((tmp = strstr(buf, "username")) != NULL) { if (strcmp("username", strtok(tmp, "=&"))) { admin_login = 0; guest_login = 0; } username = strtok(NULL, "=&"); printf("user: %s\n", username); if (strcmp(username, https_d.admin_username)) admin_login = 0; if (strcmp(username, https_d.guest_username)) guest_login = 0; if (strcmp("password", strtok(NULL, "=&"))) { admin_login = 0; guest_login = 0; } password = strtok(NULL, "=&"); printf("pass: %s\n", password); if (strcmp(password, https_d.admin_password)) admin_login = 0; if (strcmp(password, https_d.guest_password)) guest_login = 0; if (admin_login) { /* * save session id with appropriate flag */ save_session(ssl, ADMIN_PRIV); write_url_ssl(ssl, buf, "admin_login.html"); } if (guest_login) { /* * save session id with appropriate flag */ save_session(ssl, GUEST_PRIV); write_url_ssl(ssl, buf, "guest_login.html"); } if (!admin_login && !guest_login) { write_404_ssl(ssl, buf, "<html><body>Logging has failed! Go away!</body></html>"); } //printf(buf); } else if ((tmp = strstr(buf, "killall")) != NULL) { /* killal has been issued */ if (check_privileges(ssl) == ADMIN_PRIV) { system("killall.sh"); } else { write_404_ssl(ssl, buf, "<html><body>You cannot do that!Go away!</body></html>"); } } else if ((tmp = strstr(buf, "poweroff")) != NULL) { if (check_privileges(ssl) == ADMIN_PRIV) { system("poweroff.sh"); } else { write_404_ssl(ssl, buf, "<html><body>You cannot do that!Go away!</body></html>"); } } else if ((tmp = strstr(buf, "something")) != NULL) { if (check_privileges(ssl) == ADMIN_PRIV) { system("something.sh"); } else { write_404_ssl(ssl, buf, "<html><body>You cannot do that!Go away!</body></html>"); } } } SSL_shutdown(ssl); SSL_free(ssl); close(conn_sock); exit(EXIT_SUCCESS); ERROR: SSL_shutdown(ssl); SSL_free(ssl); close(conn_sock); exit(EXIT_FAILURE); }