Unable to run webinject.pl script as Nagios user on XI

[skynardo]

We are running Nagiox XI 2014R2.5 on RHEL 6 64bit. I have created a Web Transaction testdata/config xml files and when running from command line as root it returns:
[root@ut528 webinject]# /usr/local/nagiosxi/etc/components/webinject/webinject.pl -c portal_unigroupinc_com__Web_Transaction_config.xml
WebInject OK - All tests passed successfully in 0.428 seconds |time=0.428;30;;0

When switching to the nagios user it returns:
[nagios@ut528 webinject]$ /usr/local/nagiosxi/etc/components/webinject/webinject.pl -c portal_unigroupinc_com__Web_Transaction_config.xml
Can't do setuid (cannot exec sperl)

I found an old post that suggested installing perl-suidperl and since this package did not exist on my system I went ahead and installed it (perl-suidperl.x86_64 4:5.10.1-136.el6_6.1)

Now when running the same script as the nagios user it returns:
[nagios@ut528 ~]$ /usr/local/nagiosxi/etc/components/webinject/webinject.pl -c portal_unigroupinc_com__Web_Transaction_config.xml
Insecure dependency in open while running setuid at /usr/local/nagiosxi/etc/components/webinject/webinject.pl line 1114.

Any ideas?

[abrist]

Is there a reason why webinject.pl needs setuid?
What are the permissions are on the plugin and the xml config?

[skynardo]

[root@ut528 webinject]# pwd
/usr/local/nagiosxi/etc/components/webinject
[root@ut528 webinject]# ls -lrt
total 88
-rwsrwsr-x 1 apache nagios 63271 Feb 4 11:07 webinject.pl
-rw-r--r-- 1 apache nagios 222 Feb 19 10:50 portal_unigroupinc_com__Web_Transaction_config.xml
-rw-r--r-- 1 apache nagios 1423 Feb 19 11:33 portal_unigroupinc_com__Web_Transaction_testdata.xml
-rw-r--r-- 1 apache nagios 0 Feb 19 13:19 http.log
-rw-r--r-- 1 apache nagios 3184 Feb 19 13:19 results.xml
-rw-r--r-- 1 apache nagios 3174 Feb 19 13:19 results.html

[abrist]

Odd, your webinject.pl has an suid bit set:

-rwsrwsr-x 1 apache nagios 63271 Feb 4 11:07 webinject.pl

While mine does not. If you remove the bit, what happens?

Code: Select all

chmod -s /usr/local/nagiosxi/etc/components/webinject.pl

[skynardo]

After uninstalling perl-suidperl.x86_64 4:5.10.1-136.el6_6.1 and running chmod -s /usr/local/nagiosxi/etc/components/webinject/webinject.pl, both the CLI and Nagios checks are now working.

[nagios@ut528 ~]$ /usr/local/nagiosxi/etc/components/webinject/webinject.pl -c portal_unigroupinc_com__Web_Transaction_config.xml
WebInject OK - All tests passed successfully in 0.492 seconds |time=0.492;30;;0

As info, this server was installed on 2/4/2015 via xi-2014r2.5.tar.gz. Assuming the setuid is not required for some reason, we are on the way to synthetic web trans monitoring over here!

Thanks for the assistance.

[abrist]

No problem, glad to help. Lockin' 'er up!