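#!/usr/bin/env python
"""Forced-command wrapper that limits an SSH key to an allow-list of checks.

sshd places the command requested by the client in the environment variable
SSH_ORIGINAL_COMMAND when a forced command is in effect. This script reads
that value, runs it only if it matches one of the regular expressions in
``allowed``, prints the plugin's standard output and exits with the plugin's
return code. Every failure of the wrapper itself exits with status 3
(UNKNOWN in the Nagios plugin convention).

The command is split with shlex and executed without a shell, so shell
metacharacters in the requested command are never interpreted.
"""
import os
import re
import shlex
import subprocess
import sys

# Exit status used for every failure of the wrapper itself.
UNKNOWN = 3

# Each entry is matched with re.match(), i.e. anchored at the start only.
# An entry that does not end in `$` is a prefix match and accepts anything
# after the part it describes, so keep full command lines anchored.
allowed = [
    ##### System information
    r'^/usr/bin/lsb_release\s+-d$',  # Linux
    r'^/(usr/)?bin/uname\s+-mrs$',  # Linux, BSD & others

    ##### Complete command lines (Monitoring-Plugins on Debian)
    r'^/usr/lib/nagios/plugins/check_disk -w \d+% -c \d+% -p /[/a-z]*$',
    r'^/usr/lib/nagios/plugins/check_load -w \d+(,\d+,\d+)? -c \d+(,\d+,\d+)?$',
    # NOTE: credentials passed as arguments are visible in the process list
    # while the plugin runs; prefer a protected options file where the
    # plugin supports one.
    # Anchored with `$` like the other entries so that no further arguments
    # can be appended after the password.
    r'^/usr/lib/nagios/plugins/check_mysql -u [a-z]+ -p [0-9a-zA-Z]+$',
    r'^/usr/lib/nagios/plugins/check_mysql_health --user(name)?=[a-z]+ --pass(word)?=[0-9a-zA-Z]+ --mode=[a-z-]+$',

    ##### Simplified/combined (and a little bit less secure)
    # These are prefix-only patterns: they accept every plugin whose path
    # starts with `check_` and every argument after it. With the sudo/doas
    # variants the accepted command runs through sudo/doas. Enable them only
    # when the plugin directory and the sudo/doas rules are locked down.
    ### most Linux distributions (with "sudo" and "doas")
    # r'^/usr/lib/(nagios/plugins|monitoring-plugins)/check_',
    # r'^sudo\s+/usr/lib/(nagios/plugins|monitoring-plugins)/check_',
    # r'^doas\s+/usr/lib/(nagios/plugins|monitoring-plugins)/check_',
    ### *BSD (with "sudo" and "doas")
    # r'^/usr/local/libexec/nagios/check_',
    # r'^sudo\s+/usr/local/libexec/nagios/check_',
    # r'^doas\s+/usr/local/libexec/nagios/check_',
]


def is_allowed(cmdline):
    """Return True if *cmdline* matches one of the ``allowed`` patterns.

    Command lines containing a line break are rejected up front: `$` in a
    Python regex also matches just before a trailing newline and `\\s`
    matches newlines, so such input could otherwise pass an anchored entry.
    """
    if '\n' in cmdline or '\r' in cmdline:
        return False
    return any(re.match(pattern, cmdline) for pattern in allowed)


def main():
    """Run the command from SSH_ORIGINAL_COMMAND if the allow-list permits it.

    Always terminates through sys.exit(): with the plugin's return code after
    a successful run, with 3 when no command was given, the command is not
    allowed, it cannot be parsed or it cannot be started.
    """
    cmdline = os.getenv('SSH_ORIGINAL_COMMAND')
    if not cmdline:
        print('This is just a wrapper, no command specified!')
        sys.exit(UNKNOWN)

    if not is_allowed(cmdline):
        print('%s: No allowed command found!' % sys.argv[0])
        sys.exit(UNKNOWN)

    # shlex.split raises ValueError on unbalanced quotes; report that as
    # UNKNOWN instead of letting a traceback reach the monitoring server.
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        print('Could not parse command line: %s' % exc)
        sys.exit(UNKNOWN)

    # Top-level boundary: whatever goes wrong while starting the plugin is
    # reported as UNKNOWN. An argument list (no shell=True) keeps the
    # requested command away from any shell.
    try:
        cmd = subprocess.Popen(argv, stdout=subprocess.PIPE,
                               universal_newlines=True)
    except Exception as exc:
        print('Could not execute plugin ("%s"): %s' % (' '.join(argv), exc))
        sys.exit(UNKNOWN)

    # universal_newlines=True yields text rather than bytes on Python 3, so
    # the plugin output is printed as-is and not as a bytes repr.
    output = cmd.communicate()[0]
    print(output.rstrip())
    sys.exit(cmd.returncode)


if __name__ == '__main__':
    main()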