Default root plugins

pamplifier
Posts: 21
Joined: Wed May 13, 2015 7:31 am

Default root plugins

Post by pamplifier »

I'm trying to build a plugin that requires root privileges to successfully run. So far this has been helpful in making it work.
...
Option Three (Best):
Give the nagios user sudo access to run one command (in this example the command is "lsof") and add "sudo" in the plugin script before the command you want to run.

# Add nagios to sudoers
vi /etc/sudoers
# nagios check (/usr/lib/nagios/plugins/check_user_openfiles)
nagios ALL=NOPASSWD: /bin/lsof

# In your script add "sudo" before the command.
sudo lsof | grep blah
However, I'm curious how the default Nagios plugins that need root privileges (check_dhcp and check_icmp) work and run successfully without doing anything with sudoers. Can anyone help me understand?

EDIT: meant root, not 'doot'
Last edited by pamplifier on Tue Jul 28, 2015 1:33 pm, edited 1 time in total.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Default doot plugins

Post by tmcdonald »

suid bit:

http://unix.stackexchange.com/questions ... t-properly


root@localhost: /tmp/nagiosxi
$ ls -l /usr/local/nagios/libexec/check_icmp
-r-sr-xr-x 1 root root 181971 Feb  6 10:55 /usr/local/nagios/libexec/check_icmp
Was going to post in the other thread but I didn't hear back from you so it slipped my mind:

https://support.nagios.com/forum/viewto ... 6&start=10

Just be careful. suid means that plugin runs as root, so if there are vulnerabilities you are potentially opening yourself up to attack.
Former Nagios employee
pamplifier
Posts: 21
Joined: Wed May 13, 2015 7:31 am

Re: Default doot plugins

Post by pamplifier »

Thanks! I wasn't sure if I should have kept this question in the other thread; that's why I decided to make a new one in the specific Plugins forum.

I am worried about it as well, would the sudoers method be "safer"? Or am I just asking for trouble by needing root access in the first place?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Default doot plugins

Post by tmcdonald »

/etc/sudoers is probably safer, because then you are saying "This specific user can run exactly these commands as root" whereas setting the binary to run as root allows *anyone* to run it and get root permissions. But yes, in either case you do assume some risk. A possibly safer route still would be to set up your syslog daemon to copy all messages matching a certain pattern (or involving a certain service/daemon/program) to a file that nagios would have access to, then run the plugin against that.
Former Nagios employee
pamplifier
Posts: 21
Joined: Wed May 13, 2015 7:31 am

Re: Default root plugins

Post by pamplifier »

Decided to go the sudoers route for now, and it works great! I just have to make sure everything is closed off to possible attacks and abuse of the root privileges. Thank you!

seteuid might be useful later on, though I don't trust myself to get it exactly right at the moment, so I'm putting that method on the back-burner.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Default root plugins

Post by tmcdonald »

seteuid is nice for when you want the binary to drop privileges no matter what the suid bit is set to, who owns it, etc. There are of course some restrictions (I don't believe a binary run by nagios can seteuid to root, for example) but it's pretty straightforward once you get it working.
pamplifier wrote: I just have to make sure everything is closed off to possible attacks and abuse of the root privileges.
Having just come back from a security conference, I can assure you this is pretty hard to get right 100% of the time even by the most seasoned coders :)

That being said, are we all clear to close this up?
Former Nagios employee
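The privilege-drop pattern tmcdonald describes, written out as an added example (not check_icmp's source and not code from anyone in this thread), assuming Linux: a setuid-root plugin does its one privileged step, drops permanently to the invoking user (nagios), and verifies the drop before doing anything else. It uses setuid() rather than seteuid() because seteuid() alone leaves the saved uid at 0, so root could be regained.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently drop back to the real (invoking) uid/gid, e.g. "nagios" when the
 * plugin is setuid-root. With euid 0, setuid()/setgid() replace the real,
 * effective AND saved ids, so root cannot be regained later. gid first: once
 * the uid is unprivileged the gid can no longer be changed. Supplementary groups
 * need no work here: the suid bit changes only the effective uid, so they are
 * already the invoker's. Returns 0 on success, -1 on failure (errno set). */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop: effective uid must equal the real uid and, unless we are
 * genuinely root, an attempt to become root again must fail (a saved uid of 0
 * would let setuid(0) succeed). Returns 1 when confirmed, 0 otherwise. */
int privileges_are_dropped(void)
{
    if (geteuid() != getuid())
        return 0;
    if (getuid() != 0 && setuid(0) == 0)    /* must never succeed after the drop */
        return 0;
    return 1;
}

int main(void)
{
    /* Privileged step first: a raw ICMP socket needs root (or CAP_NET_RAW). */
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    /* Drop before parsing arguments or touching files; never continue as root. */
    if (drop_privileges_permanently() != 0 || !privileges_are_dropped()) {
        fprintf(stderr, "UNKNOWN - could not drop privileges: %s\n", strerror(errno));
        return 3;                           /* Nagios UNKNOWN exit code */
    }
    printf("OK - raw socket %s, now running as uid %u\n",
           sock >= 0 ? "opened" : "unavailable", (unsigned)getuid());
    if (sock >= 0)
        close(sock);
    return 0;
}
```

Run as an unprivileged user the raw socket fails but the drop still verifies; installed with the mode shown in the ls output above, the socket opens and the rest of the run proceeds as nagios.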
pamplifier
Posts: 21
Joined: Wed May 13, 2015 7:31 am

Re: Default root plugins

Post by pamplifier »

Yes, this can be closed. Thank you for helping me! My other thread can be closed too, I think.