Security #3

Open
wants to merge 5 commits into
base: master
72 changes: 58 additions & 14 deletions redis-snmp
Expand Up @@ -153,6 +153,7 @@ my %opt = (
port => 6379,
refresh => 300,
host => 'localhost',
conf_path => '/etc/redis/redis.conf',
);

my %global_status = ();
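Review bot: Giving conf_path a default of '/etc/redis/redis.conf' in %opt means the daemon reads a credential file the operator never asked for. With --host pointing at a remote Redis and no -p, read_config() will pick up the local server's requirepass value and store it in $opt{password}, so the local credential is presented to another host. Suggest leaving conf_path undefined by default and reading the file only when -c is given, or applying the default only when host is 'localhost'.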
Expand Down Expand Up @@ -501,6 +502,24 @@ sub VersionMessage {
print "redis-snmp $VERSION by brice.figureau\@daysofwonder.com\n";
}

sub read_config {
if (defined $opt{password}) {
dolog(LOG_DEBUG, "WARNING: The password option has been used but it is recommended to replace it by the \"-c\" option");
return;
}
if (open(CONFIG, "<", $opt{conf_path})) {
while(<CONFIG>) {
if (/^\s*requirepass\s+\"?([^\"]*)\"?[\s\r\n]*$/) {
$opt{password} = $1;
dolog(LOG_DEBUG, "Successfully read client password from redis server configuration \"$opt{conf_path}\"");
return;
}
}
close(CONFIG);
}
dolog(LOG_DEBUG, "WARNING: cannot read server configuration \"$opt{conf_path}\"");
}

sub run {
netsnmp_ds_set_boolean(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_NO_ROOT_ACCESS, 1);
my $agent = new NetSNMP::agent('Name' => 'redis', 'AgentX' => 1);
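Review bot: The capture in the requirepass regex keeps the trailing newline for unquoted values. In /^\s*requirepass\s+\"?([^\"]*)\"?[\s\r\n]*$/ the group [^\"]* is greedy and also matches whitespace, so for an unquoted line such as "requirepass secret" the line terminator ends up inside $1 and the trailing [\s\r\n]* matches nothing; only the double-quoted form is captured cleanly. Suggest excluding whitespace from the unquoted capture, or trimming $1, before assigning $opt{password}. Two smaller points in the same sub: the return inside the while loop skips close(CONFIG), which a lexical filehandle (open(my $fh, "<", ...)) would avoid, and the final "cannot read server configuration" message is also logged when the file opened fine but contains no requirepass line, so those two cases should get separate messages.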
Expand All @@ -510,6 +529,7 @@ sub run {
'host|h=s',
'port|P=i',
'password|p=s',
'conf_path|conf-path|c=s',
'oid|o=s',
'refresh|r=i',
'daemon_pid|daemon-pid=s',
Expand All @@ -528,6 +548,8 @@ sub run {

openlog("redis-snmp", LOG_PID | LOG_PERROR, LOG_DAEMON);

read_config();

daemonize() if !$opt{'no-daemon'};

$regOID = new NetSNMP::OID($opt{oid});
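Review bot: read_config() is called once here, before daemonize(), so as far as this hunk shows the password is read only at startup. If requirepass changes in the file, the daemon keeps the old value until it is restarted. Either say so in the POD entry for -c, or re-read the file when the daemon reconnects.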
Expand Down Expand Up @@ -580,19 +602,20 @@ __END__

redis-snmp [options]

-h HOST, --host=HOST connect to Redis on HOST
-P PORT, --port=PORT port to connect (default 6379)
-p PASS, --password=PASS use PASS as password to connect to redis
-o OID, --oid=OID registering OID
-r INT, --refresh=INT set refresh interval to INT (seconds)
--daemon-pid=FILE write PID to FILE instead of $default{pid}
-n, --no-daemon do not detach and become a daemon
-v, --verbose be verbose about what you do

-?, --help display this help and exit
--usage display detailed usage information
--man display program man page
-V, --version output version information and exit
-h HOST, --host=HOST connect to Redis on HOST
-P PORT, --port=PORT port to connect (default 6379)
-p PASS, --password=PASS use PASS as password to connect to redis
-c CONF, --conf-path=CONF path to the redis server configuration
-o OID, --oid=OID registering OID
-r INT, --refresh=INT set refresh interval to INT (seconds)
--daemon-pid=FILE write PID to FILE instead of $default{pid}
-n, --no-daemon do not detach and become a daemon
-v, --verbose be verbose about what you do

-?, --help display this help and exit
--usage display detailed usage information
--man display program man page
-V, --version output version information and exit

=head1 OPTIONS

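Review bot: The new -c line in the synopsis does not state its default, while the -P line above it does ("default 6379"). Since conf_path defaults to '/etc/redis/redis.conf' and the file is read even when -c is not given, add "(default /etc/redis/redis.conf)" to the -c line so the implicit read is visible in --help.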
Expand All @@ -608,7 +631,17 @@ port to connect (default 6379)

=item B<-p PASS, --password=PASS>

use PASS as password to connect to redis
use PASS as password to connect to redis (you should prefer using the
redis server configuration path because this avoids displaying the
password in the process table)

=item B<-c CONF, --conf-path=CONF>

path to the redis server configuration (e.g. to read the client password
that is necessary to get status information from the redis server).
If you use this otion then you do no more need to use option "-p". Remark:
Using the configuration path is more secure because it avoids showing the
password in the process list (e.g. "ps" command).

=item B<-o OID, --oid=OID>

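Review bot: Typos in the new -c item: "otion" should be "option", and "do no more need" should read "no longer need". The item should also state what happens when both -p and -c are given (per read_config(), -p wins and the file is not read), since that precedence is otherwise mentioned only in the DESCRIPTION section.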
Expand Down Expand Up @@ -653,4 +686,15 @@ output version information and exit
B<redis-snmp> is a small daemon that connects to a local snmpd daemon
to report statistics on a local or remote Redis server.

Using the "-c" option (path to redis server configuration) is preferred over
using the "-p" (redis client password to access server) because it avoids
showing the password in the process list. If both parameters are given
then "-p" is used for the pasword because it is more specific.

If you give neither "-p" nor "-c" optione then we try to read the redis
client password from the default redis server configuration
("/etc/redis/redis.conf"). In the case that the configuration file has
another path no password is used. For a cleanly installed redis server
(with client password set) this should fail.

=cut
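Review bot: The closing sentences of the second added paragraph do not say what fails: "In the case that the configuration file has another path no password is used. For a cleanly installed redis server (with client password set) this should fail." Suggest stating explicitly that the connection to Redis is made without a password in that case and what the operator will see, given that read_config() only logs a warning. Also fix "pasword" and "optione" in the two added paragraphs.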