NRPE plugin script run as nrpe but shell env is set to root

vrkid
Posts: 1
Joined: Thu Nov 08, 2012 4:28 am

Post by vrkid »

Hi

I've encountered a problem with a NRPE plugin that I'm unable to explain (and thus resolve)...

I have an NRPE plugin (running on RHEL 5.5) written (in house) in BASH that in the last few days started failing, and the following message started appearing on the Nagios monitor:

Code:

check lockfile CRITICAL    04-11-2012 04:53:22     3d 6h 07m 13s    4/4    ERROR: cannot execute check as user root. Permission denied

even though the plugin runs as user nrpe on the system

Code:

ps -ef | grep lockfile
nrpe     15593 15592  0 10:51 ?        00:00:00 /bin/bash /usr/lib64/nagios/plugins/check_lockfile

The command "pstree -cpaAul nrpe" gives the output:

Code:

nrpe,15211 -c /etc/nagios/nrpe.cfg -d

nrpe,15712 -c /etc/nagios/nrpe.cfg -d
  `-nrpe,15713 -c /etc/nagios/nrpe.cfg -d
      `-check_lockfile,15714 /usr/lib64/nagios/plugins/check_lockfile
          `-sleep,15715 30

I've added the line "export > /tmp/check_lockfile.txt" to the script for debug purposes and the file created by it is owned by user nrpe:

Code:

ls -lrt /tmp/check_lockfile_env.txt
-rw-r--r-- 1 nrpe nrpe 1022 Nov  7 10:51 /tmp/check_lockfile_env.txt

But the shell environment setup is actually for user root:

Code:

declare -x G_BROKEN_FILENAMES="1"
declare -x HISTSIZE="1000"
declare -x HOME="/root"
declare -x HOSTNAME="SRVXX.example.com"
declare -x INPUTRC="/etc/inputrc"
declare -x LANG="en_US.UTF-8"
declare -x LESSOPEN="|/usr/bin/lesspipe.sh %s"
declare -x LOGNAME="root"
declare -x LS_COLORS="no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:"
declare -x MAIL="/var/spool/mail/root"
declare -x OLDPWD
declare -x PATH="/sbin:/usr/sbin:/bin:/usr/bin"
declare -x PWD="/"
declare -x SHELL="/bin/bash"
declare -x SHLVL="5"
declare -x TERM="xterm"
declare -x USER="root"
declare -x _="/usr/lib64/nagios/plugins/check_lockfile"

The plugin shell script is (please don't comment on the quality of the script):

Code:

#!/bin/bash
# export bash environment into file for debug purposes
export >/tmp/check_lockfile_env.txt
# in order to have enough time to catch it in ps -ef and pstree put a very long sleep
sleep 30
if [ "$USER" != "nrpe" ]; then
        echo "ERROR: cannot execute check as user $USER. Permission denied"
        exit 2
fi
if [ -f /var/lock/lockfile ]; then
        tnow=$(date +%s)
        tfile=$(date +%s -r /var/lock/lockfile)
        agesecs=$(($tnow-$tfile))
        ageminutes=$(($agesecs/60))
        expires=60
        if [ $ageminutes -gt $expires ]; then
                echo "WARNING: lockfile found"
                exit 1
        fi
else
        echo "OK: no lockfile found"
        exit 0
fi

How can this be?



TIA
Paolo
agriffin
Posts: 876
Joined: Mon May 09, 2011 9:36 am

Re: NRPE plugin script run as nrpe but shell env is set to r

Post by agriffin »

I'm not sure why the environment is set up correctly. Does it fix anything if you change line 6 to use the following comparison instead?

Code:

if [ "$(whoami)" != "nrpe" ]; then

That should read the actual effective user rather than just checking an environment variable.
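
The check suggested in the reply above, as an added example that is not part of the original posts or the poster's plugin: environment variables such as USER, LOGNAME and HOME are inherited from whatever started the process and are not updated when a process switches user, so the decision is made from the effective UID instead. The function names `effective_user`, `require_user`, `env_mismatch` and `identity_report` are hypothetical.

```shell
#!/bin/bash
# Added example (not the original plugin): decide who the plugin runs as from
# the process's effective UID, and report when inherited variables disagree.

# Hypothetical helper: effective user name as the kernel sees it.
# Falls back to the numeric UID when the UID has no passwd entry.
effective_user() {
    local name
    name="$(id -un 2>/dev/null)" || name="$(id -u)"
    printf '%s\n' "$name"
}

# Hypothetical helper: return 0 when running as the expected user,
# otherwise print the plugin's error line and return 2 (Nagios CRITICAL).
require_user() {
    local expected="$1" actual
    actual="$(effective_user)"
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: cannot execute check as user $actual. Permission denied"
        return 2
    fi
    return 0
}

# Hypothetical helper: return 0 when USER or LOGNAME does not match the
# effective user, which is the situation shown in the env dump above.
env_mismatch() {
    local actual
    actual="$(effective_user)"
    [ "${USER:-}" != "$actual" ] || [ "${LOGNAME:-}" != "$actual" ]
}

# Hypothetical helper: one-line summary suitable for a debug file or syslog.
identity_report() {
    printf 'effective=%s USER=%s LOGNAME=%s HOME=%s\n' \
        "$(effective_user)" "${USER:-}" "${LOGNAME:-}" "${HOME:-}"
}
```

In a plugin, `require_user nrpe || exit 2` replaces the `$USER` comparison, and `env_mismatch && identity_report` gives a single line to log when the daemon was started with another user's environment.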