NCPA user as default is root

[cristhofer.perez]

Hello,

I want to know if the NCPA user that execute the plugins as default is root. Is not this insecure?
It can be changed for other user? If you can, how?

Best regards,
Cristhofer.

[tmcdonald]

There is a "uid" setting in the ncpa.cfg that should default to "nagios" but on my system it appears to still run as root and not drop privileges.

What NCPA version and OS+Version are you on?

[jolson]

I am experiencing the same issues as tmcdonald - NCPA is running as root on my CentOS 7 box.

It looks like the NCPA user will execute plugins by default as root. It's possible to get the ncpa_listener to run under the 'nagios' user by launching it from that shell:

Code: Select all

su - nagios
/etc/init.d/ncpa_listener start

[cristhofer.perez]

Hello, thanks you all.

I'm using Red Hat Enterprise Linux Server release 5.5 on my clients.

Thanks Jolson, I'm going to check your solution.

[cristhofer.perez]

Hello,

First at all I kill the ncpa_listener process.
When I tried to execute ncpa_listener as nagios user I need to change the owner of /usr/local/ncpa/var/ncpa_listener.pid.

Code: Select all

bash-4.1$ /etc/init.d/ncpa_listener start
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/cx_Freeze-4.3.4-py2.7-linux-x86_64.egg/cx_Freeze/initscripts/Console.py", line 27, in <module>
  File "ncpa_posix_listener.py", line 67, in <module>
  File "/root/Development/ncpa/agent/ncpadaemon.py", line 69, in main
  File "/root/Development/ncpa/agent/ncpadaemon.py", line 133, in start
  File "/root/Development/ncpa/agent/ncpadaemon.py", line 276, in check_pid
IOError: [Errno 13] Permission denied: '/usr/local/ncpa/var/ncpa_listener.pid'
Started listener...

First I use

Code: Select all

chmod ugo+rwx

Start without problems but when I tried to access to [url]https://<CLIENT%20IP>:5693/api/?token=mytoken[/url] I get ERR_CONNECTION_RESET
With root user I can access without problems to the URL.

Then I use

Code: Select all

sudo chown nagios:nagcmd ncpa_listener.pid 

I get the same problem.

NOTES:
I stopped iptables service.
On server I use Nagios XI 2014R2.7
On client I download the lastest version of NCPA.
I'm using Red Hat Enterprise Linux Server release 5.5 on my clients and server.

The ncpa.cfg look like

Code: Select all

[listener]
uid = nagios
certificate = adhoc
loglevel = info
ip = 0.0.0.0
gid = nagcmd
logfile = var/ncpa_listener.log
port = 5693
pidfile = var/ncpa_listener.pid
# Available versions: PROTOCOL SSLv2, SSLv3, TLSv1
ssl_version = TLSv1

[passive]
uid = nagios
handlers = nrds,nrdp
loglevel = info
gid = nagcmd
sleep = 300
logfile = var/ncpa_passive.log
pidfile = var/ncpa_passive.pid

[nrdp]
token = nrdptoken
hostname = yourhostname
parent = yourparent

[nrds]
URL = None
CONFIG_VERSION = None
TOKEN = None
CONFIG_NAME = None
CONFIG_OS = None

[api]
community_string = mytoken

[plugin directives]
plugin_path = plugins/
.sh = /bin/sh $plugin_name $plugin_args
.ps1 = powershell -ExecutionPolicy Bypass -File $plugin_name $plugin_args
.vbs = cscript $plugin_name $plugin_args //NoLogo

[passive checks]
%HOSTNAME%|cpu usage = /cpu/percent --warning 20 --critical 30
%HOSTNAME%|swap usage = /memory/swap/percent --warning 40 --critical 80
%HOSTNAME%|memory usage = /memory/virtual/percent --warning 60 --critical 80

[lmiltchev]

I was able to recreate the issue. Even though, I was able to start the ncpa_posix_listener and ncpa_posix_passive as nagios user, I was not able to access the API in the web UI or run any checks (as nagios user) for that matter.

Code: Select all

/usr/local/nagios/libexec/check_ncpa.py -H x.x.x.x -t 'mytoken' -P 5693 -M cpu/percent -w 20 -c 40
UNKNOWN: Error occurred while running the plugin. Use the verbose flag for more details.

Our developers are aware of the issue and will be looking into it. Thanks for bringing our attention to this!

[cristhofer.perez]

Thanks you all. Let me know about any solution.

[lmiltchev]

Just wanted to give you heads up. I posted an internal bug report (TASK ID 5828). Also, I posted the issue on GitHub here:

https://github.com/NagiosEnterprises/ncpa/issues/181

Please, feel free to make comments and provide additional information which might help our developers with troubleshooting the issue. Thanks!

[eloyd]

Neither this issue, nor the github issue are effectively solved. We have a requirement to run NCPA for one of our users and it cannot run as root. So far, there does not seem to be a solution to this problem, unless NCPA 2.0 fixes it, which I see no sign of.

[lmiltchev]

As far as I know, in NCPA 2.0.0 the daemon will be running as root but the plugins will be running as the user/group specified in the ncpa.cfg by dropping root permissions before running a plugin.