NRPE does not respect "dont_blame_nrpe" argument

Status changed to 'Confirmed' because the bug affects multiple users.

This breaks a common usage pattern for nagios-nrpe-server. People want to dynamically adjust thresholds on checks performed by the nrpe agent. On top of that, there is no security hole in the default installation. People have to explicitly enable the security hole in two configuration directives with prominent warnings.

This feature has been disabled due to the security risks of using arguments with NRPE.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479

IMHO, this was a horribly bad decision upstream. If you've restricted your incoming NRPE source to a trusted one with UFW or similar, this is a perfectly safe thing to do and helps centrally manage lots of parameters. I think a default arg of 0 was enough to keep a safe config. Users who choose to enable an unsafe configuration without mitigations despite the documented warnings are idiots and the package shouldn't be crippled as a result.

I volunteer to maintain this package in Ubuntu and build with a different config than upstream. Please contact me.

Thank you for taking the time to report this bug and helping to make Ubuntu better.

@Brian

Thank you for volunteering to look after this package in Ubuntu! Please see https://wiki.ubuntu.com/SponsorshipProcess. Ubuntu developers work together by consensus rather than holding individual maintainerships for packages. So you don't specifically need permission or approval to look after the package, you can just do it by sending patches and they will be reviewed on an individual basis, and after creating a good track record you can apply for permission to upload directly.

If you can help, then I'll be happy to guide you through the process. I've subscribed to this bug so you can communicate with me here or in IRC.

In the case of this particular issue, we try in general to not deviate from Debian, so initially I'd look to make the change in Debian first and then Ubuntu packaging can follow that change. From the Debian bug linked to by Ben above, it looks like the Debian maintainer is happy for someone to take over the package there, so it seems to me that if you can volunteer your time then the right thing to do would be to take over as package maintainer in Debian, bring the Ubuntu package into sync with Debian and then anything you do with the package in Debian will automatically reflect in Ubuntu.

If you want to introduce a change in Ubuntu specifically by deviating from Debian, then I think that's fine providing that 0) it's the right thing for the Ubuntu project (ie. we have consensus, see point number 2); 1) you are prepared to look after it on an ongoing basis, which I think you've volunteered to do; and 2) in this case since it is a security issue I'd like the Ubuntu Security Team to be the final arbiter of the appropriateness of this particular change.

If given the above you still volunteer, then please let me know and we can ask the security team to review this for my point number 2 above.

Thanks!

Since the default position of Ubuntu is to follow Debian, I'll set this to Won't Fix for now. However if Brian (or anyone else) can take this on then this could change, subject to the details above.