NRPE my_system() seteuid(0): Operation not permitted

This forum is intended for the discussion of Nagios plugin development. Feature requests, patches, bug fixes, and all types of development-related discussions are welcome!

NOTE: The SourceForge.net nagiosplug-devel mailing list has been deprecated in favor of this forum in order to expedite support and provide additional features not available on the old mailing list.


Post by Edu » Tue Oct 23, 2018 9:28 am

See below, trying to run a restart service and keep getting seteuid errors. For testing purposes have the nagios user set to run anything. Thought maybe it was running as a different user than nagios but that isn't it.


Code:
nagios    ALL=(ALL)       NOPASSWD: ALL


Code:
[root@server etc]# su nagios
bash-4.2$ /usr/bin/sudo /bin/systemctl restart squid.service
bash-4.2$
bash-4.2$


Code:
[1540302908] is_an_allowed_host (AF_INET): is host >10.5.0.25< an allowed host >10.5.0.25<
[1540302908] is_an_allowed_host (AF_INET): is host >10.5.0.25< an allowed host >10.5.0.25<
[1540302908] is_an_allowed_host (AF_INET): host is in allowed host list!
[1540302908] Host address is in allowed_hosts
[1540302908] Host 10.5.0.25 is asking for command 'squid_restart' to be run...
[1540302908] Running command: /usr/bin/sudo /bin/systemctl restart  squid.service
[1540302908] WARNING: my_system() seteuid(0): Operation not permitted
[1540302908] Command completed with return code 1 and output:
[1540302908] Return Code: 3, Output: NRPE: Unable to read output
[1540302908] Connection from 10.5.0.25 closed.


Code:
# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_user=nagios



# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_group=nagios





Code:
nagios     1390  0.0  0.0  44836  2740 ?        Ss   08:54   0:00 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -f




Code:
[Service]
Type=simple
Restart=on-abort
PIDFile=/usr/local/nagios/var/nrpe.pid
RuntimeDirectory=nrpe
RuntimeDirectoryMode=0755
ExecStart=/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -f
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/rm -f /usr/local/nagios/var/nrpe.pid
TimeoutStopSec=60
User=nagios
Group=nagios
PrivateTmp=true
OOMScoreAdjust=-500

Re: NRPE my_system() seteuid(0): Operation not permitted

Post by npolovenko » Tue Oct 23, 2018 4:02 pm

@Edu, On the nrpe server please run:
sudo chmod u+s /bin/systemctl

What version of the NRPE are you running?

Please run the following commands and show me the output:
chage -l nagios
grep nag /etc/passwd
grep nag /etc/group


Let's add the following line to the /etc/sudoers file:
nagios ALL=NOPASSWD: /bin/systemctl restart *


Please show me the command definition + how the command is defined on the remote server.
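Added example, not part of the original posts: a read-only shell check for the NRPE host that lists which sudoers lines for the service account grant more than one fixed command and whether a binary carries the setuid bit. The function names are hypothetical, and the sample input is constructed from the two sudoers lines quoted in this thread plus one constructed rule scoped to a single unit.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only audit of how much privilege
# the NRPE account has through sudoers rules and setuid bits.

# Print sudoers lines in file $2 for user $1 that grant more than one fixed
# command: "NOPASSWD: ALL", or a command spec containing a "*" wildcard
# (in sudoers command arguments "*" also matches across spaces, so
# "restart *" covers any unit and any further arguments).
broad_sudo_rules() {
    grep -E "^[[:space:]]*$1[[:space:]]" "$2" |
        grep -E 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$|\*'
}

# Audit user $1, sudoers file $2 and binary $3. Prints one line per finding.
# Exit status: 0 = nothing found, 1 = at least one finding.
audit_nrpe_privileges() {
    rc=0
    if rules=$(broad_sudo_rules "$1" "$2"); then
        printf '%s\n' "$rules" | sed 's/^/BROAD-SUDO: /'
        rc=1
    fi
    # A setuid-root binary runs with euid 0 for every local user, not only
    # for the account that sudoers was meant to cover.
    if [ -u "$3" ]; then
        printf 'SETUID: %s\n' "$3"
        rc=1
    fi
    return "$rc"
}

# Demo on constructed input. On a real host, run as root against
# /etc/sudoers and each file in /etc/sudoers.d.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudoers" <<'EOF'
nagios    ALL=(ALL)       NOPASSWD: ALL
nagios ALL=NOPASSWD: /bin/systemctl restart *
nagios ALL=(root) NOPASSWD: /bin/systemctl restart squid.service
EOF
audit_nrpe_privileges nagios "$demo_dir/sudoers" /bin/systemctl || true
rm -rf "$demo_dir"
```

A setuid finding on a binary can be cleared with `chmod u-s` on that file once a sudoers rule scoped to the exact command is in place.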

Re: NRPE my_system() seteuid(0): Operation not permitted

Post by Edu » Wed Oct 24, 2018 7:41 am

version 3.2.1

[root@server ~]# sudo chmod u+s /bin/systemctl
[root@server ~]# chage -l nagios
Last password change : Oct 22, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
[root@jcsd-server ~]# grep nag /etc/passwd
systemd-network:x:996:994:systemd Network Management:/:/sbin/nologin
nagios:x:995:993::/home/nagios:/bin/bash
[root@jcsd-server ~]# grep nag /etc/group
nagios:x:993:


no command definitions yet, just manually running check_nrpe

Code:
[root@server etc]# /usr/local/nagios/libexec/check_nrpe -H 10.5.0.16 -p 1025 -c squid_restart
NRPE: Unable to read output


However, when I look at the service now it is at least restarting it as it should. So either your chmod or sysctl change fixed something. Just need to get some output now since systemctl doesn't output anything.

Re: NRPE my_system() seteuid(0): Operation not permitted

Post by npolovenko » Wed Oct 24, 2018 3:52 pm

@Edu, You could create another command in the nrpe.cfg file to check if the process is running:
command[check_squid]=/usr/local/nagios/libexec/check_procs -a squid -c 1:1

/usr/local/nagios/libexec/check_nrpe -H 10.5.0.16 -c check_squid
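Added example, not part of the original posts: a wrapper for the `squid_restart` NRPE command that restarts one unit and always prints a status line with a Nagios return code, so `check_nrpe` has output to read. The script name and install path are hypothetical, and `SUDO` and `SYSTEMCTL` are overridable variables introduced here so the logic can be exercised with stubs.

```shell
#!/bin/sh
# Added example, not from the thread: NRPE command wrapper that restarts one
# systemd unit and reports the result in Nagios plugin form.
# It needs only one fixed sudoers rule, for example:
#   nagios ALL=(root) NOPASSWD: /bin/systemctl restart squid.service
SUDO=${SUDO:-/usr/bin/sudo}
SYSTEMCTL=${SYSTEMCTL:-/bin/systemctl}

# Restart unit $1. Prints one status line; returns 0 (OK), 2 (CRITICAL)
# or 3 (UNKNOWN).
restart_unit() {
    unit=$1
    # Accept only a plain unit name so no other argument reaches systemctl.
    case $unit in
        ''|*[!A-Za-z0-9_.@-]*)
            echo "UNKNOWN: invalid unit name"
            return 3 ;;
    esac
    # -n makes sudo fail instead of waiting for a password prompt.
    if ! err=$("$SUDO" -n "$SYSTEMCTL" restart "$unit" 2>&1); then
        echo "CRITICAL: restart of $unit failed: $err"
        return 2
    fi
    # systemctl restart prints nothing on success, so confirm the state.
    if "$SYSTEMCTL" is-active --quiet "$unit"; then
        echo "OK: $unit restarted and active"
        return 0
    fi
    echo "CRITICAL: $unit restarted but is not active"
    return 2
}

# Used from nrpe.cfg as, e.g. (hypothetical path):
#   command[squid_restart]=/usr/local/nagios/libexec/restart_unit.sh squid.service
if [ "$#" -gt 0 ]; then
    restart_unit "$1"
    exit $?
fi
```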

