Merge pull request #1035 from cgzones/master_mnc

munin-node-configure: prepare for taint mode and fix help message
munin-monitoring · Aug 26, 2018 · 91c2bde · 91c2bde
2 parents 2728c5b + 90f4cf2
commit 91c2bde
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 40 deletions.
diff --git a/dev_scripts/install b/dev_scripts/install
@@ -57,7 +57,7 @@ EOF
 
 configure_plugins() {
 	banner CONFIGURE PLUGINS
-	munin-node-configure --suggest --shell --families=contrib,auto --remove-also | sh -x
+	dev_scripts/run munin-node-configure --suggest --shell --families=contrib,auto --remove-also | sh -x
 }
 
 configure_node() {

diff --git a/dev_scripts/run b/dev_scripts/run
@@ -17,10 +17,10 @@ if [ -z "${1:-}" ]; then
 	usage
 fi
 
-if command=$(command -v "$1"); then
-	echo "# [dev/run] Found: ${command}"
-	echo "# [dev/run] Command line: " "$@"
-	exec "$@"
+if [ -x "${BASEDIR}/sandbox/bin/$1" ]; then
+	echo "# [dev/run] Found: ${BASEDIR}/sandbox/bin/$1"
+	echo "# [dev/run] Command line: /usr/bin/perl -T -Mlib=${BASEDIR}/sandbox/lib/perl5/ ${BASEDIR}/sandbox/bin/$@"
+	exec /usr/bin/perl -T -Mlib="${BASEDIR}/sandbox/lib/perl5/" "${BASEDIR}/sandbox/bin/$@"
 else
 	echo >&2 "Failed to find '$1'"
 	exit 1

diff --git a/script/munin-httpd b/script/munin-httpd
@@ -27,9 +27,6 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 use strict;
 use warnings;
 
-# Trust PERL5LIB from environment
-use lib map { /(.*)/ } split(/:/, ($ENV{PERL5LIB} || ''));
-
 package Munin::Master::Http;
 
 use HTTP::Server::Simple::CGI::PreFork;
@@ -61,7 +58,5 @@ sub handle_request
 
 package main;
 
-$ENV{PATH} = '/usr/bin:/bin';
-
 # start the server on port 4948
 Munin::Master::Http->new(4948)->run(prefork => 1, max_servers => 10);
diff --git a/script/munin-node b/script/munin-node
@@ -26,9 +26,6 @@
 use strict;
 use warnings;
 
-# Trust PERL5LIB from environment
-use lib map { /(.*)/ } split(/:/, ($ENV{PERL5LIB} || ''));
-
 use Getopt::Long;
 
 use Munin::Common::Defaults;
@@ -92,11 +89,6 @@ sub main
         conf_file    => $conffile,
     );
 
-    # Untaint $0 after Munin::Node::Server has had a chance of getting
-    # the original value
-    $0 =~ /([^\/]*)$/;
-    $0 = $1;
-
     return 0;
 }
 

diff --git a/script/munin-node-configure b/script/munin-node-configure
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -T
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -32,7 +32,6 @@ my $config = Munin::Node::Config->instance();
 my @all_families     = qw/auto manual contrib/;
 my @default_families = qw/auto/;
 
-
 sub main
 {
 	parse_args();
@@ -331,7 +330,15 @@ sub init_snmp
 sub run_plugin
 {
     my ($plugins, $plugin, $mode) = @_;
-    my $name = $plugin->{name};
+
+    # un-taint the plugin name cause it is getting executed
+    my $name;
+    if ($plugin->{name} =~ /^([\w-]+)$/x) {
+        $name = $1;
+    } else {
+        $plugin->log_error("Invalid plugin name '$plugin->{name}'");
+        return;
+    }
 
 	DEBUG("Running '$mode' on $name" );
     my $res = $plugins->{library}->fork_service($name, $mode);
@@ -349,10 +356,18 @@ sub run_plugin
 		# Definitely a bad sign
 		if ($plugin_signal) {
             $plugin->log_error("Died with signal $plugin_signal during $mode");
+            if (my @junk = grep !/^#/, @{ $res->{stderr} }) {
+               $plugin->log_error("Junk printed to stderr");
+               DEBUG("Junk printed to stderr: @junk");
+            }
 			return;
 		}
 		elsif ($plugin_exit) {
             $plugin->log_error("Non-zero exit during $mode ($plugin_exit)");
+            if (my @junk = grep !/^#/, @{ $res->{stderr} }) {
+               $plugin->log_error("Junk printed to stderr");
+               DEBUG("Junk printed to stderr: @junk");
+            }
             return;
 
 		}
@@ -463,7 +478,7 @@ plugins will be printed. These can be reviewed or piped directly into a shell
 to install the plugins.
 
 
-=head1 GENERAL OPTIONS
+=head1 OPTIONS
 
 =over 4
 
@@ -666,13 +681,13 @@ not this works with any particular device, we do not know.
 
 This is munin-node-configure (munin-node) v@@VERSION@@.
 
-=head1 AUTHOR
+=head1 AUTHORS
 
   Copyright (C) 2009-2010 Matthew Boyle
   Copyright (C) 2006 Nicolai Langfeldt
   Copyright (C) 2003-2005 Jimmy Olsen
 
-=head1 LICENSE
+=head1 COPYRIGHT
 
 This is free software; see the source for copying conditions. There is
 NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR

diff --git a/script/munin-run b/script/munin-run
@@ -25,9 +25,6 @@
 use strict;
 use warnings;
 
-# Trust PERL5LIB from environment
-use lib map { /(.*)/ } split(/:/, ($ENV{PERL5LIB} || ''));
-
 use Getopt::Long;
 
 use Munin::Common::Defaults;
@@ -47,20 +44,8 @@ my $paranoia = 0;
 
 my $config = Munin::Node::Config->instance();
 
-
 sub main
 {
-    # "Clean" environment to disable taint-checking on the environment. We _know_
-    # that the environment is insecure, but we want to let admins shoot themselves
-    # in the foot with it, if they want to.
-    foreach my $key (keys %ENV) {
-        $ENV{$key} =~ /^(.*)$/;
-        $ENV{$key} = $1;
-    }
-
-    $0 =~ /^(.*)$/;
-    $0 = $1;
-
     my ($plugin, $arg) = parse_args();
 
     # Loads the settings from munin-node.conf.

diff --git a/script/munin-update b/script/munin-update
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -T
 
 use warnings;
 use strict;