int main(int argc, char **argv)
{
check_privileges();
clear();
init_tty();
setup_signals();
struct pollfd ufds[2] =
{
{ .fd = STDIN_FILENO, .events = POLLIN, .revents = 0 },
{ .fd = -1, .events = POLLIN, .revents = 0 }
int main(int argc, char **argv){
int result=OK;
int x;
char buffer[MAX_INPUT_BUFFER];
char *env_string=NULL;
#ifdef HAVE_SSL
DH *dh;
char seedfile[FILENAME_MAX];
int i,c;
#endif
/* set some environment variables */
asprintf(&env_string,"NRPE_MULTILINESUPPORT=1");
putenv(env_string);
asprintf(&env_string,"NRPE_PROGRAMVERSION=%s",PROGRAM_VERSION);
putenv(env_string);
/* process command-line args */
result=process_arguments(argc,argv);
if(result!=OK || show_help==TRUE || show_license==TRUE || show_version==TRUE){
printf("\n");
printf("NRPE - Nagios Remote Plugin Executor\n");
printf("Copyright (c) 1999-2008 Ethan Galstad ([email protected])\n");
printf("Version: %s\n",PROGRAM_VERSION);
printf("Last Modified: %s\n",MODIFICATION_DATE);
printf("License: GPL v2 with exemptions (-l for more info)\n");
#ifdef HAVE_SSL
printf("SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required\n");
#endif
#ifdef HAVE_LIBWRAP
printf("TCP Wrappers Available\n");
#endif
printf("\n");
#ifdef ENABLE_COMMAND_ARGUMENTS
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
#endif
#ifndef HAVE_LIBWRAP
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
#endif
}
if(show_license==TRUE)
display_license();
else if(result!=OK || show_help==TRUE){
printf("Usage: nrpe [-n] -c <config_file> <mode>\n");
printf("\n");
printf("Options:\n");
printf(" -n = Do not use SSL\n");
printf(" <config_file> = Name of config file to use\n");
printf(" <mode> = One of the following two operating modes:\n");
printf(" -i = Run as a service under inetd or xinetd\n");
printf(" -d = Run as a standalone daemon\n");
printf("\n");
printf("Notes:\n");
printf("This program is designed to process requests from the check_nrpe\n");
printf("plugin on the host(s) running Nagios. It can run as a service\n");
printf("under inetd or xinetd (read the docs for info on this), or as a\n");
printf("standalone daemon. Once a request is received from an authorized\n");
printf("host, NRPE will execute the command/plugin (as defined in the\n");
printf("config file) and return the plugin output and return code to the\n");
printf("check_nrpe plugin.\n");
printf("\n");
}
if(result!=OK || show_help==TRUE || show_license==TRUE || show_version==TRUE)
exit(STATE_UNKNOWN);
/* open a connection to the syslog facility */
/* facility name may be overridden later */
get_log_facility(NRPE_LOG_FACILITY);
openlog("nrpe",LOG_PID,log_facility);
/* make sure the config file uses an absolute path */
if(config_file[0]!='/'){
/* save the name of the config file */
strncpy(buffer,config_file,sizeof(buffer));
buffer[sizeof(buffer)-1]='\x0';
/* get absolute path of current working directory */
strcpy(config_file,"");
getcwd(config_file,sizeof(config_file));
/* append a forward slash */
strncat(config_file,"/",sizeof(config_file)-2);
config_file[sizeof(config_file)-1]='\x0';
/* append the config file to the path */
strncat(config_file,buffer,sizeof(config_file)-strlen(config_file)-1);
config_file[sizeof(config_file)-1]='\x0';
}
/* read the config file */
result=read_config_file(config_file);
/* exit if there are errors... */
if(result==ERROR){
syslog(LOG_ERR,"Config file '%s' contained errors, aborting...",config_file);
return STATE_CRITICAL;
}
/* generate the CRC 32 table */
generate_crc32_table();
/* initialize macros */
for(x=0;x<MAX_COMMAND_ARGUMENTS;x++)
macro_argv[x]=NULL;
#ifdef HAVE_SSL
/* initialize SSL */
if(use_ssl==TRUE){
SSL_library_init();
SSLeay_add_ssl_algorithms();
meth=SSLv23_server_method();
SSL_load_error_strings();
/* use week random seed if necessary */
if(allow_weak_random_seed && (RAND_status()==0)){
if(RAND_file_name(seedfile,sizeof(seedfile)-1))
if(RAND_load_file(seedfile,-1))
RAND_write_file(seedfile);
if(RAND_status()==0){
syslog(LOG_ERR,"Warning: SSL/TLS uses a weak random seed which is highly discouraged");
srand(time(NULL));
for(i=0;i<500 && RAND_status()==0;i++){
for(c=0;c<sizeof(seedfile);c+=sizeof(int)){
*((int *)(seedfile+c))=rand();
}
RAND_seed(seedfile,sizeof(seedfile));
}
}
}
if((ctx=SSL_CTX_new(meth))==NULL){
syslog(LOG_ERR,"Error: could not create SSL context.\n");
exit(STATE_CRITICAL);
}
/* ADDED 01/19/2004 */
/* use only TLSv1 protocol */
SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* use anonymous DH ciphers */
SSL_CTX_set_cipher_list(ctx,"ADH");
dh=get_dh512();
SSL_CTX_set_tmp_dh(ctx,dh);
DH_free(dh);
if(debug==TRUE)
syslog(LOG_INFO,"INFO: SSL/TLS initialized. All network traffic will be encrypted.");
}
else{
if(debug==TRUE)
syslog(LOG_INFO,"INFO: SSL/TLS NOT initialized. Network encryption DISABLED.");
}
#endif
/* if we're running under inetd... */
if(use_inetd==TRUE){
/* make sure we're not root */
check_privileges();
/* redirect STDERR to /dev/null */
close(2);
open("/dev/null",O_WRONLY);
/* handle the connection */
handle_connection(0);
}
/* else daemonize and start listening for requests... */
else if(fork()==0){
/* we're a daemon - set up a new process group */
setsid();
/* close standard file descriptors */
close(0);
close(1);
close(2);
/* redirect standard descriptors to /dev/null */
open("/dev/null",O_RDONLY);
open("/dev/null",O_WRONLY);
open("/dev/null",O_WRONLY);
chdir("/");
/*umask(0);*/
/* handle signals */
signal(SIGQUIT,sighandler);
signal(SIGTERM,sighandler);
signal(SIGHUP,sighandler);
/* log info to syslog facility */
syslog(LOG_NOTICE,"Starting up daemon");
/* write pid file */
if(write_pid_file()==ERROR)
return STATE_CRITICAL;
/* drop privileges */
drop_privileges(nrpe_user,nrpe_group);
/* make sure we're not root */
check_privileges();
do{
/* reset flags */
sigrestart=FALSE;
sigshutdown=FALSE;
/* wait for connections */
wait_for_connections();
/* free all memory we allocated */
free_memory();
if(sigrestart==TRUE){
/* read the config file */
result=read_config_file(config_file);
/* exit if there are errors... */
if(result==ERROR){
syslog(LOG_ERR,"Config file '%s' contained errors, bailing out...",config_file);
return STATE_CRITICAL;
}
}
}while(sigrestart==TRUE && sigshutdown==FALSE);
/* remove pid file */
remove_pid_file();
syslog(LOG_NOTICE,"Daemon shutdown\n");
}
#ifdef HAVE_SSL
if(use_ssl==TRUE)
SSL_CTX_free(ctx);
#endif
/* We are now running in daemon mode, or the connection handed over by inetd has
been completed, so the parent process exits */
return STATE_OK;
}
void https_service_conn(int conn_sock, SSL_CTX *ctx)
{
char buf[MAX_BUF_LENGTH];
int count, retv;
struct message *msg;
/* openssl library definitions */
SSL* ssl;
ssl = SSL_new(ctx);
if (ssl == NULL) {
perror("cannot create SSL object!");
return;
}
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(ssl, conn_sock);
SSL_set_accept_state(ssl);
retv = SSL_accept(ssl);
if (retv < 0) goto ERROR;
count = SSL_read(ssl, buf, MAX_BUF_LENGTH-1);
if (count < 0) goto ERROR;
buf[count] = '\0';
printf(buf);
if (!strncmp(buf, "GET", 3)) {
char url[256];
strtok(buf, " ");
strcpy(url, https_s.dir);
strcat(url, strtok(NULL, " "));
if (strcmp(url, "index.html")) {
write_url_ssl(ssl, buf, url);
} else if (strcmp(url, "guest_panel.html")) {
if (check_privileges()) {
write_url_ssl(ssl, buf, url);
} else {
write_404_ssl(ssl, buf, "<html><body>You don't have access! Go away!</body></html>");
}
} else if (strcmp(url, "admin_panel.html")) {
if (check_privileges() == ADMIN_PRIV) {
write_url_ssl(ssl, buf, url);
} else {
write_404_ssl(ssl, buf, "<html><body>You don't have access! Go away!</body></html>");
}
}
}
if (!strncmp(buf, "POST", 4)) {
int i;
char *tmp;
char *password;
char *username;
int admin_login = 1;
int guest_login = 1;
char *ble = buf;
if ((tmp = strstr(buf, "username")) != NULL) {
if (strcmp("username", strtok(tmp, "=&"))) {
admin_login = 0;
guest_login = 0;
}
username = strtok(NULL, "=&");
printf("user: %s\n", username);
if (strcmp(username, https_d.admin_username)) admin_login = 0;
if (strcmp(username, https_d.guest_username)) guest_login = 0;
if (strcmp("password", strtok(NULL, "=&"))) {
admin_login = 0;
guest_login = 0;
}
password = strtok(NULL, "=&");
printf("pass: %s\n", password);
if (strcmp(password, https_d.admin_password)) admin_login = 0;
if (strcmp(password, https_d.guest_password)) guest_login = 0;
if (admin_login) {
/*
* save session id with appropriate flag
*/
save_session(ssl, ADMIN_PRIV);
write_url_ssl(ssl, buf, "admin_login.html");
}
if (guest_login) {
/*
* save session id with appropriate flag
*/
save_session(ssl, GUEST_PRIV);
write_url_ssl(ssl, buf, "guest_login.html");
}
if (!admin_login && !guest_login) {
write_404_ssl(ssl, buf, "<html><body>Logging has failed! Go away!</body></html>");
}
//printf(buf);
} else if ((tmp = strstr(buf, "killall")) != NULL) {
/* killal has been issued */
if (check_privileges(ssl) == ADMIN_PRIV) {
system("killall.sh");
} else {
write_404_ssl(ssl, buf, "<html><body>You cannot do that!Go away!</body></html>");
}
} else if ((tmp = strstr(buf, "poweroff")) != NULL) {
if (check_privileges(ssl) == ADMIN_PRIV) {
system("poweroff.sh");
} else {
write_404_ssl(ssl, buf, "<html><body>You cannot do that!Go away!</body></html>");
}
} else if ((tmp = strstr(buf, "something")) != NULL) {
if (check_privileges(ssl) == ADMIN_PRIV) {
system("something.sh");
} else {
write_404_ssl(ssl, buf, "<html><body>You cannot do that!Go away!</body></html>");
}
}
}
SSL_shutdown(ssl);
SSL_free(ssl);
close(conn_sock);
exit(EXIT_SUCCESS);
ERROR:
SSL_shutdown(ssl);
SSL_free(ssl);
close(conn_sock);
exit(EXIT_FAILURE);
}
