********************
NRPE SECURITY README
********************

NRPE 2.0 includes the ability for clients to supply arguments to
commands which should be run.  Please note that this feature
should be considered a security risk, and you should only use
it if you know what you're doing!


ENABLING ARGUMENTS
------------------

To enable support for command argument in the daemon, you must
do two things:

   1.  Run the configure script with the --enable-command-args 
       option

   2.  Set the 'dont_blame_nrpe' directive in the NRPE config
       file to 1.


ILLEGAL METACHARS
-----------------

To help prevent some nasty things from being done by evil 
clients, the following twelve metacharacters are not allowed
in client command arguments:

   | ` & > < ' " \ [ ] { }

Any client request which contains the abovementioned metachars
is discarded.  Also, the bang character (!) is not allowed, as
it is used internally as a delimiter between command arguments.


USER/GROUP RESTRICTIONS
-----------------------

The NRPE daemon cannot be run with (effective) root user/group
privileges.  You must run the daemon with an account that does
not have superuser rights.  Use the nrpe_user and nrpe_group
directives in the config file to specify which user/group the
daemon should run as.


ENCRYPTION
----------

If you do enable support for command arguments in the NRPE daemon,
make sure that you encrypt communications either by using:

   1.  Stunnel (see http://www.stunnel.org for more info)
   2.  Native SSL support

Do NOT assume that just because the daemon is behind a firewall
that you are safe!  Always encrypt NRPE traffic!


USING ARGUMENTS
---------------

How do you use command arguments?  Well, lets say you define a
command in the NRPE config file that looks like this:

	command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$

You could then call the check_nrpe plugin like this:

	./check_nrpe -H <host> -c check_users -a 5 10

The arguments '5' and '10' get substituted into the appropriate
$ARGx$ macros in the command ($ARG1$ and $ARG2$, respectively).
The command that would be executed by the NRPE daemon would look
like this:

	/usr/local/nagios/libexec/check_users -w 5 -c 10

You can supply up to 16 arguments to be passed to the command
for substitution in $ARG$ macros ($ARG1$ - $ARG16$).




    -- Ethan Galstad (nagios@nagios.org)

