From eaf61e51ac6a64e3d879248edd7b10f62e3c6aa3 Mon Sep 17 00:00:00 2001
From: Thomas Guyot-Sionnest
Date: Tue, 20 May 2008 07:57:13 +0000
Subject: [PATCH] Clobber password in check_radius process list aguments

git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1994 f882894a-f735-0410-b71e-b25c423dba1c
---
 NEWS | 2 +-
 plugins/check_radius.c | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index 674a274..d01b678 100644
--- a/NEWS
+++ b/NEWS
@@ -18,7 +18,7 @@ This file documents the major additions and syntax changes between releases.
 check_dig can now pass arguments dig by using -A/--dig-arguments (#1874041/#1889453)
 check_ntp and check_ntp_peer now show proper jitter/stratum thresholds longopts in --help
 check_dns now allow to repeat -a to match multiple possibly returned address (common with load balancers)
- check_mysql now try clearing password in processlist just like check_mysql_query
+ check_mysql and check_radius now try clearing password in processlist just like check_mysql_query
 check_mysql and check_mysql_query now support sockets explicitely (-s, --socket)
 negate now has the ability to replace the status text as well (-s, --substitute)
 Added performance data to check_ping (Christian Schneemann)
diff --git a/plugins/check_radius.c b/plugins/check_radius.c
index 7ce820a..5021a57 100644
--- a/plugins/check_radius.c
+++ b/plugins/check_radius.c
@@ -260,7 +260,13 @@ process_arguments (int argc, char **argv)
 username = optarg;
 break;
 case 'p': /* password */
- password = optarg;
+ password = strdup(optarg);
+
+ /* Delete the password from process list */
+ while (*optarg != '\0') {
+ *optarg = 'X';
+ optarg++;
+ }
 break;
 case 'n': /* nas id */
 nasid = optarg;
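Review bot: At `case 'p'` the result of `strdup(optarg)` is never checked, so an allocation failure leaves `password` NULL while the loop below still overwrites the only other copy with `X`; an `if (password == NULL)` guard followed by the plugin's usual fatal exit belongs right after the call. The loop also advances the getopt global `optarg` itself; a local cursor (`char *p = optarg; while (*p != '\0') *p++ = 'X';`) leaves that global untouched. The overwrite is best-effort only: the argument stays readable in the process list from exec until this case runs, the run of `X` still shows the password length, and whether a process listing reflects in-place argv writes depends on the platform. A short comment saying so would stop readers treating it as a guarantee. process_arguments starts and ends outside this hunk, so how `password` is consumed afterwards is not visible here.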
@@ -343,9 +349,9 @@ print_help (void)
 printf ("%s\n", _("name and password. A configuration file may also be present. The format of"));
 printf ("%s\n", _("the configuration file is described in the radiusclient library sources."));
 printf ("%s\n", _("The password option presents a substantial security issue because the"));
- printf ("%s\n", _("password can be determined by careful watching of the command line in"));
- printf ("%s\n", _("a process listing. This risk is exacerbated because nagios will"));
- printf ("%s\n", _("run the plugin at regular predictable intervals. Please be sure that"));
+ printf ("%s\n", _("password can possibly be determined by careful watching of the command line"));
+ printf ("%s\n", _("in a process listing. This risk is exacerbated because nagios will"));
+ printf ("%s\n", _("run the plugin at regular predictable intervals. Please be sure that"));
 printf ("%s\n", _("the password used does not allow access to sensitive system resources."));

 #ifdef NP_EXTRA_OPTS
-- 
2.30.2
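Review bot: The reworded help in print_help softens the warning to "can possibly be determined" without telling the operator what changed or what exposure remains. The plugin now overwrites the argument only once option parsing reaches `-p`, so the text could say that directly, for example `_("password is overwritten after startup but may still be visible briefly in")` leading into the existing process-listing sentence. Keeping the closing advice about not using a password that grants access to sensitive resources is right, because the overwrite narrows the exposure rather than removing it. print_help's body continues outside the hunk.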