Permission error after patching

hanover23
Posts: 8
Joined: Tue Jan 09, 2018 2:01 pm

Post by hanover23 »

Hello -

I run Nagios Core 4.3.2, and after applying the latest patches available from EPEL, I've started to get a permissions error when I run the syntax check command nagios -v /etc/nagios/nagios.cfg.

Nagios continues to run without apparent issue, but here is the output I get when I run the syntax checker:

Code:

# nagios -v /etc/nagios/nagios.cfg

Nagios Core 4.3.2
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 2017-05-09
License: GPL

Website: https://www.nagios.org
Reading configuration data...
   Read main config file okay...
Error: Cannot open config file '/etc/nagios/objects/contacts.cfg' for reading: Permission denied
   Error processing object config files!

***> One or more problems was encountered while processing the config files...

     Check your configuration file(s) to ensure that they contain valid
     directives and data definitions.  If you are upgrading from a previous
     version of Nagios, you should be aware that some variables/definitions
     may have been removed or modified in this version.  Make sure to read
     the HTML documentation regarding the config files, as well as the
     'Whats New' section to find out what has changed.

Here is the file listing of contacts.cfg:

-rw-rw-r-- 1 root nagios 18031 Sep 19 13:35 /etc/nagios/objects/contacts.cfg

Kind of new to Nagios, so if anyone has advice on what these file permissions ought to be, I'd appreciate it. tia.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Permission error after patching

Post by dwhitfield »

Different location, but here are my permissions:

Code:

-rw-rw-r-- 1 apache nagios 1367 Jan  8 22:42 /usr/local/nagios/etc/contacts.cfg

If you aren't using apache, you could try chown nagios.nagios contacts.cfg

Re: Permission error after patching

Post by hanover23 »

No luck...I tried changing the file owner to match yours...even tried to assign "other" to be able to write to contacts.cfg...but the "permissions" issue remains with this contact.cfg when running nagios -v /etc/nagios/objects/nagios.cfg.

Re: Permission error after patching

Post by dwhitfield »

What's the output of

Code:

sestatus
grep apache /etc/passwd
grep apache /etc/group
grep nag /etc/group
grep nag /etc/passwd

?

Can you upgrade your nagios to 4.3.4? There have been a few bugs patched, which might be related.

Please attach your /etc/sudoers (or wherever the sudoers file is located).

Re: Permission error after patching

Post by hanover23 »

Hey -

Here are the settings you requested:

# sestatus
SELinux status: disabled

# grep apache /etc/passwd
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

# grep apache /etc/group
apache:x:48:nagios
nagios:x:501:apache

# grep nag /etc/group
apache:x:48:nagios
nagios:x:501:apache

# grep nag /etc/passwd
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
nagios:x:435:501::/var/spool/nagios:/sbin/nologin

It may be a couple of days before I can get to updating to Nagios 4.3.4 but will plan to do that soon.

Also, here is my sudoers file:

Code:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

%sudousers             ALL=(ALL)       NOPASSWD: ALL

Re: Permission error after patching

Post by dwhitfield »

Change that nagios line to nagios:x:500:500::/home/nagios:/bin/bash (or to some sort of actual shell), and see if that gets you going. The /home/nagios shouldn't really matter as long as the nagios user actually has access to that location.

Re: Permission error after patching

Post by hanover23 »

I updated to Nagios 4.3.4 and also switched the nagios user login shell from /sbin/nologin to /bin/bash.

If I execute the following command as root, I still get this permission error:

nagios -v /etc/nagios/nagios.cfg

However, if I execute that command as the nagios user (I can now log in with it due to the shell change above), I get a valid syntax check. Not sure why that is, since root has access to everything. Maybe it's a bug...
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Permission error after patching

Post by tgriep »

Edit the /etc/group file and change the following lines from

Code:

nagios:x:501:apache

to

Code:

nagios:x:501:apache,nagios

Save the file and see if the verification works.
The nagios user has to be in the nagios group.
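The thread turns on a "Permission denied" for a file whose own mode (-rw-rw-r--) allows reading, which depends on the user's group membership and on every directory above the file. The following is an added example, not code from the thread or from Nagios, that evaluates both for a given user; the passwd, group and contacts.cfg lines are the ones posted above, while the three directory listings and all function names are assumptions constructed for illustration.

```python
# Constructed sample input: passwd/group lines and the contacts.cfg entry are from
# the thread; the three directory lines are assumptions (modes not shown there).
PASSWD = "nagios:x:435:501::/var/spool/nagios:/sbin/nologin"
GROUP = "apache:x:48:nagios\nnagios:x:501:apache"
LISTING = [
    "drwxr-xr-x 90 root root 8192 Jan  9 10:00 /etc",
    "drwxrwxr-x 4 root nagios 4096 Jan  9 10:00 /etc/nagios",
    "drwxr-x--- 2 root root 4096 Jan  9 10:00 /etc/nagios/objects",
    "-rw-rw-r-- 1 root nagios 18031 Sep 19 13:35 /etc/nagios/objects/contacts.cfg",
]


def groups_of(user, passwd_text, group_text):
    """Group names a process holds after login/initgroups(): the primary group
    (GID field of passwd) plus every group that lists the user as a member."""
    rows = [line.split(":") for line in passwd_text.splitlines()]
    primary_gid = next(r[3] for r in rows if r[0] == user)
    return {
        g[0]
        for g in (line.split(":") for line in group_text.splitlines())
        if g[2] == primary_gid or user in g[3].split(",")
    }


def permits(ls_line, user, groups, want):
    """POSIX class selection (non-root): owner bits if the user owns the entry,
    else group bits if in its group, else other bits; first match decides."""
    mode, _links, owner, group = ls_line.split()[:4]
    if user == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    # setuid/setgid/sticky are displayed as s/t in place of x
    return want in bits.replace("s", "x").replace("t", "x")


def first_denial(listing, user, groups):
    """listing: `ls -ld` lines for each path component, top directory first.
    Directories need search (x), the file itself needs read (r)."""
    for line in listing:
        want = "x" if line.startswith("d") else "r"
        if not permits(line, user, groups, want):
            return line.split()[-1]
    return None


if __name__ == "__main__":
    print(first_denial(LISTING, "nagios", groups_of("nagios", PASSWD, GROUP)))
```

On a live host, `namei -l /etc/nagios/objects/contacts.cfg` prints the per-component owner, group and mode that this example takes as input.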