From 0cf34f23ae42a9d0e3e2858abca8fa1fbadf1542 Mon Sep 17 00:00:00 2001
From: Sven Velt
Date: Mon, 11 Jun 2018 10:08:04 +0200
Subject: [PATCH] Add some more paths/regex to allowed commands
---
 ssh-wrapper.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/ssh-wrapper.py b/ssh-wrapper.py
index 8aea125..75f541d 100755
--- a/ssh-wrapper.py
+++ b/ssh-wrapper.py
@@ -7,12 +7,27 @@ import subprocess
 import sys
 allowed = [
- r'^/usr/bin/lsb_release\s+-d$',
+ ##### System informations
+ r'^/usr/bin/lsb_release\s+-d$', # Linux
+ r'^/(usr/)?bin/uname\s+-mrs$', # Linux, BSD & others
+
+ ##### Complete command lines (Monitoring-Plugins on Debian)
 r'^/usr/lib/nagios/plugins/check_disk -w \d+% -c \d+% -p /[/a-z]*$',
 r'^/usr/lib/nagios/plugins/check_load -w \d+(,\d+,\d+)? -c \d+(,\d+,\d+)?$',
 r'^/usr/lib/nagios/plugins/check_mysql -u [a-z]+ -p [0-9a-zA-Z]+',
 r'^/usr/lib/nagios/plugins/check_mysql_health --user(name)?=[a-z]+ --pass(word)?=[0-9a-zA-Z]+ --mode=[a-z-]+$',
- # r'^/usr/lib/nagios/plugins/check_',
+
+ ##### Simplified/combined (and a little bit less secure)
+
+ ### most Linux distributions (with "sudo" and "doas")
+ # r'^/usr/lib/(nagios/plugins|monitoring-plugins)/check_',
+ # r'^sudo\s+/usr/lib/(nagios/plugins|monitoring-plugins)/check_',
+ # r'^doas\s+/usr/lib/(nagios/plugins|monitoring-plugins)/check_',
+
+ ### *BSD (with "sudo" and "doas")
+ # r'^/usr/local/libexec/nagios/check_',
+ # r'^sudo\s+/usr/local/libexec/nagios/check_',
+ # r'^doas\s+/usr/local/libexec/nagios/check_',
 ]
 cmdline = os.getenv('SSH_ORIGINAL_COMMAND')
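Review bot: The `check_mysql` entry now sits under the new "Complete command lines" heading but is the only active pattern there without a trailing `$`, so text after the password may still be accepted, depending on how the wrapper matches and executes `SSH_ORIGINAL_COMMAND` (that code is outside this hunk); close it with `r'^/usr/lib/nagios/plugins/check_mysql -u [a-z]+ -p [0-9a-zA-Z]+$',`. The commented-out `check_` templates have the same open end: they match a prefix only, so enabling one admits any plugin name suffix and any arguments, and the `sudo`/`doas` variants carry that over to privileged execution. "a little bit less secure" understates this; I would reword the heading to something like `##### Prefix-only matches: any trailing arguments are accepted, enable only together with a restrictive sudoers/doas.conf rule`, or bound the templates with an explicit name and argument character class ending in `$`.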