Incorrect files permission error when applying config

[jmercier]

This is strange, when I apply a config in CCM on my new install I get this

The following configuration files have incorrect permissions:

/usr/local/nagios/etc/commands.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/contactgroups.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/contacts.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/contacttemplates.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/hostdependencies.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/hostescalations.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/hostextinfo.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/hostgroups.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/hosttemplates.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/servicedependencies.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/serviceescalations.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/serviceextinfo.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/servicegroups.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/servicetemplates.cfg (OWNER=root, GROUP=root, PERMS=u---------)
/usr/local/nagios/etc/timeperiods.cfg (OWNER=root, GROUP=root, PERMS=u---------)

Each of these config files needs to be writable by the apache and nagios users. To fix this problem, follow these steps:

Login to your Nagios XI server via SSH as the root user
Execute the following commands:
/usr/local/nagiosxi/scripts/reset_config_perms.sh


BUT I already executed the script and all my permissions are OK, I rebooted the server and still the same problem.

Also, my Selinux IS disabled, the output of getenforce is Disabled.

I don't know what to do at this point, some help would be welcomed

thanks

[bolson]

Can you run:

ls -l /usr/local/nagios/etc/

And post your result.

Thank you!

[jmercier]

[root@mtllxmonpvnag02 ~]# ls -l /usr/local/nagios/etc/
total 172
-rwxrwxr-x 1 apache nagios 744 Aug 5 12:19 cgi.cfg
-rw-rw-r-- 1 apache nagios 25752 Aug 5 12:22 commands.cfg
-rw-rw-r-- 1 apache nagios 1106 Aug 5 12:22 contactgroups.cfg
-rw-rw-r-- 1 apache nagios 1437 Aug 5 12:22 contacts.cfg
-rw-rw-r-- 1 apache nagios 1675 Aug 5 12:22 contacttemplates.cfg
-rw-rw-r-- 1 apache nagios 817 Aug 5 12:22 hostdependencies.cfg
-rw-rw-r-- 1 apache nagios 819 Aug 5 12:22 hostescalations.cfg
-rw-rw-r-- 1 apache nagios 837 Aug 5 12:22 hostextinfo.cfg
-rw-rw-r-- 1 apache nagios 967 Aug 5 12:22 hostgroups.cfg
drwsrwsr-x 2 apache nagios 26 Aug 5 12:22 hosts
-rw-rw-r-- 1 apache nagios 16082 Aug 5 12:22 hosttemplates.cfg
drwsrwsr-x 2 apache nagios 6 Aug 5 12:22 import
-rwxrwxr-x 1 apache nagios 6060 Aug 5 13:58 nagios.cfg
-rw-rw-r-- 1 apache nagios 2229 Aug 5 12:20 ndo2db.cfg
-rw-rw-r-- 1 apache nagios 4827 Aug 5 12:20 ndomod.cfg
-rw-rw-r-- 1 apache nagios 7988 Aug 5 12:20 nrpe.cfg
-rw-rw-r-- 1 apache nagios 5345 Aug 5 12:20 nsca.cfg
drwxrwsr-x 4 apache nagios 4096 Aug 5 12:22 pnp
-rwxrwxr-x 1 apache nagios 210 Aug 5 12:19 resource.cfg
-rw-rw-r-- 1 apache nagios 1627 Aug 5 12:20 send_nsca.cfg
-rw-rw-r-- 1 apache nagios 823 Aug 5 12:22 servicedependencies.cfg
-rw-rw-r-- 1 apache nagios 825 Aug 5 12:22 serviceescalations.cfg
-rw-rw-r-- 1 apache nagios 843 Aug 5 12:22 serviceextinfo.cfg
-rw-rw-r-- 1 apache nagios 813 Aug 5 12:22 servicegroups.cfg
drwsrwsr-x 2 apache nagios 26 Aug 5 12:22 services
-rw-rw-r-- 1 apache nagios 24852 Aug 5 12:22 servicetemplates.cfg
drwsrwsr-x 2 apache nagios 65 Aug 5 12:19 static
-rw-rw-r-- 1 apache nagios 3541 Aug 5 12:22 timeperiods.cfg

[scottwilkerson]

What version of Nagios XI are you running?

And are you sure these are on the same server?

The first item is showing all the files owned by root and the second shows the correct permissions.

Was this installed recently?
What OS is it installed on?

[bolson]

Please post the output of the following command:

Code: Select all

cat /etc/sudoers

[jmercier]

What version of Nagios XI are you running?

And are you sure these are on the same server?

The first item is showing all the files owned by root and the second shows the correct permissions.

Was this installed recently?
What OS is it installed on?

I'm positive it's on the same server. This is a new installation, its installed on RHEL7

[tgriep]

Can you post your /etc/sudoers file so we can check it's settings?

[jmercier]

Please post the output of the following command:

Code: Select all

cat /etc/sudoers

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
#Defaults requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
lxadmin ALL=(ALL) ALL
infra ALL=(ALL) NOPASSWD: ALL


## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias NAGIOSXI=nagios
User_Alias NAGIOSXIWEB=apache
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios checkconfig
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd status
NAGIOSXI ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/upgrade_to_latest.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/change_timezone.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/reset_config_perms.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/backup_xi.sh *
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/messages
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/httpd/error_log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/mysqld.log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
NAGIOSXIWEB ALL = NOPASSWD:/etc/init.d/snmptt restart
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/repair_databases.sh
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *

[bolson]

Try to apply the configuration again and post the error message, if any.

[jmercier]

Thanks all for your help. I just found out the proble.

Thing is I'm installing Nagios with Ansible and I had a task that re-created the user Nagios after the installation (by mistake)