net-snmp uses the same pre processor name "USE_OPENSSL" as we do.
To avoid the conflict, this commit renames it on our side to
"MOPL_USE_OPENSSL".
"MOPL" (better "MoPl"?) stands for Monitoring Plugins.
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
changes:
- CRYPTO_lock detection replaced in configure.ac. We don't use that
function anywhere, so just replace it with the suggested one from
https://wiki.openssl.org/index.php/Library_Initialization#Autoconf
- OPENSSL_NO_SSL2 is no longer defined while ssl2 is not included.
Set it ourself using the suggested openssl 1.1 version check from
https://wiki.openssl.org/index.php/1.1_API_Changes#Backward_compatibility
- openssl 1.1 sends a sigpipe if the connection is still open when
calling SSL_shutdown(), so move the close before the shutdown.
Signed-off-by: Sven Nierlein <sven@nierlein.de>
This is an initial take at renaming the project to Monitoring Plugins.
It's not expected to be fully complete, and it is expected to break
things (The perl module for instance). More testing will be required
before this goes mainline.
if check_imap expects a string that never occurs, it currently waits forever
because thats how the imap protocoll works. Use a receive timeout in that case
so we can exit early with a proper error message.
The np_expect_match() function now returns one of three possible states
instead of just TRUE or FALSE:
- NP_MATCH_SUCCESS
- NP_MATCH_FAILURE
- NP_MATCH_RETRY
The NP_MATCH_RETRY state indicates that matching might succeed if
np_expect_match() is called with a longer input string. This allows
check_tcp to decide whether it makes sense to wait for additional data
from the server.
Closing the connection because the bytes received are less than the
buffer size assumes that all the bytes will be received in one go. This
is not always true!
"./check_tcp -6 -p 80 host" leads to an error:
TCP CRITICAL - Invalid hostname, address or socket: 127.0.0.1
because 127.0.0.1 is the fallback host, the tailing hostname
was ignored.
