NRPE command doesn't work when called from remote host

spoko22
Posts: 6
Joined: Wed Sep 03, 2014 7:46 am


Post by spoko22 »

Hello,
first of all: I know there were already questions about this issue, but even using their answers I still cannot figure out why my command is not working.
What I want to do is call a script on a remote host using NRPE. However, what the script is going to do may only be executed by a specific user: tomcat.

I tried even the least secure solution, just to make it work - with no luck unfortunately.

1. My nrpe.cfg has entry:

Code: Select all

command[debug_now]=/usr/local/bin/debug_now
2. Script /usr/local/bin/debug_now looks like:

Code: Select all

#!/bin/sh
whoami
echo "Debug..."
sudo -u tomcat whoami
echo "Debug finished"
3. My sudoers on host, where I try to execute this script:

Code: Select all

Defaults        env_reset
Defaults !requiretty
root    ALL=(ALL) ALL
(...) a few not relevant users
nagios ALL=(ALL)     NOPASSWD: ALL

%tomcat ALL=(ALL) NOPASSWD: /bin/su - tomcat
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat stop
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat start
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat restart
I also tried

Code: Select all

nagios ALL=(tomcat)
but as it was not working I went for ALL.

4. Permissions

Code: Select all

-rwxr-xr-x 1 root staff 582 Dec  2 11:11 /usr/local/bin/debug_now
which is the same as all other scripts in this directory; all of them work fine, none of them needs to use sudo though.

5. Output when run in local shell as nagios

Code: Select all

~$ sudo -u nagios /usr/local/bin/debug_now
nagios
Debug...
tomcat
Debug finished
6. Output when run from remote host using NRPE

Code: Select all

~$ /usr/lib/nagios/plugins/check_nrpe -H (... ip here) -c debug_now
nagios
Debug...
Debug finished
As you can see, the line where user nagios has to do something as user tomcat is not showing at all.

I'm pretty sure I covered everything, but still something is missing. Could you try to point out my problem?

EDIT.
If this may be useful - I use Debian 6.0.7, Nagios 3.2.0, NRPE v2.12
lgroschen
Posts: 384
Joined: Wed Nov 27, 2013 1:17 pm

Re: NRPE command doesn't work when called from remote host

Post by lgroschen »

Ok, after a little testing I found that you need to allow your script to run as sudo when called from sudoers to access passwordless output.

nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/<yourplugin.sh>

and make sure that this is commented out with '#':
Defaults requiretty

Then go to your /usr/local/nagios/etc/nrpe.cfg file and add this to your executed script:

command[debug_now]=/usr/bin/sudo /usr/local/nagios/libexec/debug_now.sh

I tested it and got the output you are looking for:

Code: Select all

[root@XIdevel libexec]# ./check_nrpe -H 192.168.4.35 -c debug_now
root
Debug...
tomcat
Debug finished
/Luke
spoko22
Posts: 6
Joined: Wed Sep 03, 2014 7:46 am

Re: NRPE command doesn't work when called from remote host

Post by spoko22 »

Oh God, I feel so ashamed right now. The solution in my original post was fine. What was it that I was struggling with for about a week?

...
...
...

You have to RESTART nagios-nrpe-server after changing sudoers; reload is not enough.
lgroschen
Posts: 384
Joined: Wed Nov 27, 2013 1:17 pm

Re: NRPE command doesn't work when called from remote host

Post by lgroschen »

Glad you have it working! Just to note, you might not want to leave nagios as ALL=(ALL) NOPASSWD: ALL, since you have the plugin working and know you only need to give that script sudoers access through NRPE, like in my example.

Locked.
/Luke
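
An added example, not part of any post in this thread: a small Python check that reads sudoers text and reports, for a service account such as nagios, which rules allow any command or any run-as user. The sample input is constructed from the sudoers lines quoted above, and the parser is a simplification (assumed: one rule per line, no aliases, continuations or includes).

```python
import re

# Constructed sample built from sudoers lines quoted in this thread.
SAMPLE = """\
Defaults        env_reset
Defaults !requiretty
root    ALL=(ALL) ALL
nagios ALL=(ALL)     NOPASSWD: ALL
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat restart
nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/debug_now.sh
"""

# user  host = (runas) [TAG:]... command[, command...]
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit(text, account):
    """Return [(line_no, nopasswd, issues)] for each rule naming `account`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m or m.group(1) != account:
            continue
        # With no (runas) part, sudo runs the command as root.
        runas_users = (m.group(3) or "root").split(":")[0]
        tags, cmds = TAGS.match(m.group(4)).groups()
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        issues = []
        if "ALL" in commands:
            issues.append("any command")
        if "ALL" in [u.strip() for u in runas_users.split(",")]:
            issues.append("any run-as user")
        findings.append((no, "NOPASSWD:" in tags, issues))
    return findings


if __name__ == "__main__":
    for no, nopasswd, issues in audit(SAMPLE, "nagios"):
        print(f"line {no}: nopasswd={nopasswd} issues={issues or 'none'}")
```

A rule scoped to one run-as user and one command, such as the `nagios ALL=(tomcat)` form tried in the first post with a command added, comes back with an empty issue list.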