Page 1 of 1

NRPE my_system() seteuid(0): Operation not permitted

Posted: Tue Oct 23, 2018 9:28 am
by Edu
See below, trying to run a restart service and keep getting seteuid errors. For testing purposes have the nagios user set to run anything. Thought maybe it was running as a different user than nagios but that isn't it..

Code: Select all

nagios    ALL=(ALL)       NOPASSWD: ALL

Code: Select all

[root@server etc]# su nagios
bash-4.2$ /usr/bin/sudo /bin/systemctl restart squid.service
bash-4.2$
bash-4.2$

Code: Select all

[1540302908] is_an_allowed_host (AF_INET): is host >10.5.0.25< an allowed host >10.5.0.25<
[1540302908] is_an_allowed_host (AF_INET): is host >10.5.0.25< an allowed host >10.5.0.25<
[1540302908] is_an_allowed_host (AF_INET): host is in allowed host list!
[1540302908] Host address is in allowed_hosts
[1540302908] Host 10.5.0.25 is asking for command 'squid_restart' to be run...
[1540302908] Running command: /usr/bin/sudo /bin/systemctl restart  squid.service
[1540302908] WARNING: my_system() seteuid(0): Operation not permitted
[1540302908] Command completed with return code 1 and output:
[1540302908] Return Code: 3, Output: NRPE: Unable to read output
[1540302908] Connection from 10.5.0.25 closed.

Code: Select all

# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_user=nagios



# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_group=nagios


Code: Select all

nagios     1390  0.0  0.0  44836  2740 ?        Ss   08:54   0:00 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -f

Code: Select all

[Service]
Type=simple
Restart=on-abort
PIDFile=/usr/local/nagios/var/nrpe.pid
RuntimeDirectory=nrpe
RuntimeDirectoryMode=0755
ExecStart=/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -f
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/rm -f /usr/local/nagios/var/nrpe.pid
TimeoutStopSec=60
User=nagios
Group=nagios
PrivateTmp=true
OOMScoreAdjust=-500

Re: NRPE my_system() seteuid(0): Operation not permitted

Posted: Tue Oct 23, 2018 4:02 pm
by npolovenko
@Edu, On the nrpe server please run:
sudo chmod u+s /bin/systemctl
What version of the NRPE are you running?

Please run the following commands and show me the output:
chage -l nagios
grep nag /etc/passwd
grep nag /etc/group
Let's add the following line to the /etc/sudoers file:
nagios ALL=NOPASSWD: /bin/systemctl restart *
Please show me the command definition + how the command is defined on the remote server.

Re: NRPE my_system() seteuid(0): Operation not permitted

Posted: Wed Oct 24, 2018 7:41 am
by Edu
version 3.2.1

[root@server ~]# sudo chmod u+s /bin/systemctl
[root@server ~]# chage -l nagios
Last password change : Oct 22, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
[root@jcsd-server ~]# grep nag /etc/passwd
systemd-network:x:996:994:systemd Network Management:/:/sbin/nologin
nagios:x:995:993::/home/nagios:/bin/bash
[root@jcsd-server ~]# grep nag /etc/group
nagios:x:993:


no command definitions yet, just manually running check_nrpe

Code: Select all

[root@server etc]# /usr/local/nagios/libexec/check_nrpe -H 10.5.0.16 -p 1025 -c squid_restart
NRPE: Unable to read output
However, when I look at the service now it is at least restarting it as it should. So either your chmod or sysctl change fixed something. Just need to get some output now since systemctl doesn't output anything

Re: NRPE my_system() seteuid(0): Operation not permitted

Posted: Wed Oct 24, 2018 3:52 pm
by npolovenko
@Edu, You could create another command in the nrpe.cfg file to check if the process is running:
command[check_squid]=/usr/local/nagios/libexec/check_procs -a squid -c 1:1
/usr/local/nagios/libexec/check_nrpe -H 10.5.0.16 -c check_squid