[Pkg-nagios-devel] Bug#756479: Bug#756479: (no subject)

Fabien COELHO fabien at coelho.net
Fri Jan 22 10:11:33 UTC 2016


Sigh. I've lost 1 hour on this "improvement".

Please note that there is still a bug: the installed 
"/etc/nagios/nrpe.cfg" configuration file now contains an option which is 
ignored, but AFAICS there is no warning about that fact in the file nor in 
the log when starting nrpe, so people will keep trying to enable it and 
fail without understanding that it is in fact ignored.

> nrpe has several, not fixable security problems with argument parsing.

I do believe that.

> You should not use it at all.

You do *NOT* know about other people's context and balance of risks.

Debian is for grownups, you do not have to "decide" for us as if we were 
children. I know my risks and benefits, and I can make the decision 
whether to enable arguments or not, you do not have to take this decision 
for me. The option name says it all "dont_blame_nrpe": *MY* 
responsibility, not yours.

> A secure alternative would be to use check_by_ssh.

I disagree that using check_by_ssh is obviously better, because it means 
allowing a shell access and a private key without password on the server, 
or endless efforts to maintain some ssh-agent somewhere which have their 
own risks... I'm not sure I can see how this is much better than nrpe with 
arguments and IP control, for me this is the same.

The "just compile your own package" is a laughable fix: If I wanted to do 
that, I would not use Debian in the first place.

-- 
Fabien.