Clobber password in check_radius process list aguments

git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1994 f882894a-f735-0410-b71e-b25c423dba1c

diff --git a/NEWS b/NEWS
index 674a274f05a870931a2f10828224f8d6037ca6a9..d01b678c94e9de0a9a0e706901a59d1c660704d6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -18,7 +18,7 @@ This file documents the major additions and syntax changes between releases.
        check_dig can now pass arguments dig by using -A/--dig-arguments (#1874041/#1889453)
        check_ntp and check_ntp_peer now show proper jitter/stratum thresholds longopts in --help
        check_dns now allow to repeat -a to match multiple possibly returned address (common with load balancers)
-       check_mysql now try clearing password in processlist just like check_mysql_query
+       check_mysql and check_radius now try clearing password in processlist just like check_mysql_query
        check_mysql and check_mysql_query now support sockets explicitely (-s, --socket)
        negate now has the ability to replace the status text as well (-s, --substitute)
        Added performance data to check_ping (Christian Schneemann)

diff --git a/plugins/check_radius.c b/plugins/check_radius.c
index 7ce820a875301d6fb6e1d9060340f435d705e92e..5021a57a5422ff195dd8e6f4020cd89d625bc92e 100644 (file)
--- a/plugins/check_radius.c
+++ b/plugins/check_radius.c
@@ -260,7 +260,13 @@ process_arguments (int argc, char **argv)
                        username = optarg;
                        break;
                case 'p':                                                                       /* password */
-                       password = optarg;
+                       password = strdup(optarg);
+
+                       /* Delete the password from process list */
+                       while (*optarg != '\0') {
+                               *optarg = 'X';
+                               optarg++;
+                       }
                        break;
                case 'n':                                                                       /* nas id */
                        nasid = optarg;
@@ -343,9 +349,9 @@ print_help (void)
   printf ("%s\n", _("name and password. A configuration file may also be present. The format of"));
   printf ("%s\n", _("the configuration file is described in the radiusclient library sources."));
        printf ("%s\n", _("The password option presents a substantial security issue because the"));
-  printf ("%s\n", _("password can be determined by careful watching of the command line in"));
-  printf ("%s\n", _("a process listing.  This risk is exacerbated because nagios will"));
-  printf ("%s\n", _("run the plugin at regular predictable intervals.  Please be sure that"));
+  printf ("%s\n", _("password can possibly be determined by careful watching of the command line"));
+  printf ("%s\n", _("in a process listing. This risk is exacerbated because nagios will"));
+  printf ("%s\n", _("run the plugin at regular predictable intervals. Please be sure that"));
   printf ("%s\n", _("the password used does not allow access to sensitive system resources."));
 
 #ifdef NP_EXTRA_OPTS