[checkmk-commits] Check_MK Git: check_mk: #1373 SEC Do not ouput complete command line when datasource programs fail

Mathias Kettner mk at mathias-kettner.de
Thu Aug 21 13:12:55 CEST 2014


Module: check_mk
Branch: master
Commit: 953c2b1734b2ff472a956db5fd9caf331f327294
URL:    http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=953c2b1734b2ff472a956db5fd9caf331f327294

Author: Mathias Kettner <mk at mathias-kettner.de>
Date:   Thu Aug 21 13:12:42 2014 +0200

#1373 SEC Do not ouput complete command line when datasource programs fail

When executing a datasource program like <tt>agent_vsphere</tt>
fails, then Check_MK used to output the complete command line
as plugin output of the Check_MK active check as part of an error
message. The commandline could contain passwords - however.  So this
has now been changed into just outputting the path to the executable
(e.g. <tt>/omd/sites/mysite/share/check_mk/agents/special/agent_vsphere</tt>).

---

 .werks/1373              |   15 +++++++++++++++
 ChangeLog                |    1 +
 modules/check_mk_base.py |    6 ++++--
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/.werks/1373 b/.werks/1373
new file mode 100644
index 0000000..07d43d4
--- /dev/null
+++ b/.werks/1373
@@ -0,0 +1,15 @@
+Title: Do not ouput complete command line when datasource programs fail
+Level: 2
+Component: core
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.5i6
+Date: 1408619422
+
+When executing a datasource program like <tt>agent_vsphere</tt>
+fails, then Check_MK used to output the complete command line
+as plugin output of the Check_MK active check as part of an error
+message. The commandline could contain passwords - however.  So this
+has now been changed into just outputting the path to the executable
+(e.g. <tt>/omd/sites/mysite/share/check_mk/agents/special/agent_vsphere</tt>).
diff --git a/ChangeLog b/ChangeLog
index 17f90eb..cf9109b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 1.2.5i6:
     Core & Setup:
     * 1008 Overall check timeout for Check_MK checks now defaults to CRIT state...
+    * 1373 SEC: Do not ouput complete command line when datasource programs fail...
 
     Checks & Agents:
     * 0185 knuerr_rms_humidity, knuerr_rms_temp: Two new Checks to Monitor the Temperature and the Humidity on Knürr RMS Devices
diff --git a/modules/check_mk_base.py b/modules/check_mk_base.py
index 7d2277e..cd01442 100644
--- a/modules/check_mk_base.py
+++ b/modules/check_mk_base.py
@@ -656,6 +656,8 @@ def get_agent_info(hostname, ipaddress, max_cache_age):
 
 # Get data in case of external program
 def get_agent_info_program(commandline):
+    exepath = commandline.split()[0] # for error message, hide options!
+
     import subprocess
     if opt_verbose:
         sys.stderr.write("Calling external program %s\n" % commandline)
@@ -664,11 +666,11 @@ def get_agent_info_program(commandline):
         stdout, stderr = p.communicate()
         exitstatus = p.returncode
     except Exception, e:
-        raise MKAgentError("Could not execute '%s': %s" % (commandline, e))
+        raise MKAgentError("Could not execute '%s': %s" % (exepath, e))
 
     if exitstatus:
         if exitstatus == 127:
-            raise MKAgentError("Program '%s' not found (exit code 127)" % (commandline,))
+            raise MKAgentError("Program '%s' not found (exit code 127)" % exepath)
         else:
             raise MKAgentError("Agent exited with code %d: %s" % (exitstatus, stderr))
     return stdout



More information about the checkmk-commits mailing list