NRPE command doesn't work when called from remote host

Posted: Mon Dec 08, 2014 6:51 am
by spoko22
Hello,
first of all: I know there were already questions about this issue, but even using their answers I still cannot figure out why my command is not working.
What I want to do is call a script on a remote host using NRPE. However, what the script is going to do may only be executed by a specific user: tomcat.

I tried even the least secure solution, just to make it work - with no luck unfortunately.

1. My nrpe.cfg has entry:

command[debug_now]=/usr/local/bin/debug_now
2. Script /usr/local/bin/debug_now looks like:

#!/bin/sh
whoami
echo "Debug..."
sudo -u tomcat whoami
echo "Debug finished"
3. My sudoers on host, where I try to execute this script:

Defaults        env_reset
Defaults !requiretty
root    ALL=(ALL) ALL
(...) a few not relevant users
nagios ALL=(ALL)     NOPASSWD: ALL

%tomcat ALL=(ALL) NOPASSWD: /bin/su - tomcat
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat stop
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat start
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat restart
I also tried

nagios ALL=(tomcat)
but as it was not working I went for ALL.

4. Permissions

-rwxr-xr-x 1 root staff 582 Dec  2 11:11 /usr/local/bin/debug_now
which is the same as all other scripts in this directory; all of them work fine, none of them needs to use sudo though.

5. Output when run in local shell as nagios

~$ sudo -u nagios /usr/local/bin/debug_now
nagios
Debug...
tomcat
Debug finished
6. Output when run from remote host using NRPE

~$ /usr/lib/nagios/plugins/check_nrpe -H (... ip here) -c debug_now
nagios
Debug...
Debug finished
As you can see, the line where user nagios has to do something as user tomcat is not showing at all.

I'm pretty sure I covered everything but still something is missing. Could you try to point out my problem?

EDIT.
If this may be useful - I use Debian 6.0.7, Nagios 3.2.0, NRPE v2.12

Re: NRPE command doesn't work when called from remote host

Posted: Mon Dec 08, 2014 1:11 pm
by lgroschen
Ok, after a little testing I found that you need to allow your script to run as sudo when called from sudoers to access passwordless output.

nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/<yourplugin.sh>

and make sure that this is commented out with '#':
Defaults requiretty

Then go to your /usr/local/nagios/etc/nrpe.cfg file and add this to your executed script:

command[debug_now]=/usr/bin/sudo /usr/local/nagios/libexec/debug_now.sh

I tested it and got the output you are looking for:

[root@XIdevel libexec]# ./check_nrpe -H 192.168.4.35 -c debug_now
root
Debug...
tomcat
Debug finished

Re: NRPE command doesn't work when called from remote host

Posted: Tue Dec 09, 2014 6:04 am
by spoko22
Oh God, I feel so ashamed right now. The solution in my original post was fine. What was it that I was struggling with for about a week?

...
...
...

You have to RESTART nagios-nrpe-server after changing sudoers, reload is not enough.

Re: NRPE command doesn't work when called from remote host

Posted: Tue Dec 09, 2014 10:18 am
by lgroschen
Glad you have it working! Just to note, you might not want to leave nagios as all=(all) nopasswd:all, since you have the plugin working and know you only need to give that script sudoers access through nrpe like in my example.

Locked.
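
The narrowing suggested in the last reply can be checked mechanically. The following is an added example, not code from the thread or from the Nagios project: a shell function that reads sudoers text and reports whether a user has a blanket NOPASSWD: ALL rule or a scoped one, and whether requiretty is set. The name audit_sudoers, both sample rule sets and the narrowed rule are constructed for illustration; only single-line rules are handled, not aliases or includes.

```shell
#!/bin/sh
# Added example (not from the thread). audit_sudoers is a hypothetical helper.
# Usage: audit_sudoers USER < sudoers-text
# Handles single-line user rules only: no aliases, includes or continuations.
audit_sudoers() {
    awk -v user="$1" '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "Defaults" && $2 == "requiretty" {
            print "requiretty: sudo needs a TTY, which the NRPE daemon does not have"
        }
        $1 == user {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)           # drop "user host="
            runas = "root"                           # sudo default without (runas)
            if (match(spec, /^\([^)]*\)/)) {
                runas = substr(spec, 2, RLENGTH - 2)
                spec = substr(spec, RLENGTH + 1)
            }
            nopass = (spec ~ /NOPASSWD:/)
            gsub(/[A-Z_]+:[ \t]*/, "", spec)         # strip tags such as NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", spec)        # trim whitespace
            if (nopass && spec == "ALL")
                print "broad: " user " may run ANY command as " runas " without a password"
            else if (nopass)
                print "scoped: " user " may run " spec " as " runas
        }'
}

# Constructed sample: the rules quoted in the first post.
sample_sudoers() {
cat <<'EOF'
Defaults        env_reset
Defaults !requiretty
root    ALL=(ALL) ALL
nagios ALL=(ALL)     NOPASSWD: ALL
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat restart
EOF
}

# Constructed sample: one script, one target user (an assumed narrowing).
sample_narrow() {
cat <<'EOF'
Defaults !requiretty
nagios ALL=(tomcat) NOPASSWD: /usr/local/bin/debug_now
EOF
}

sample_sudoers | audit_sudoers nagios
sample_narrow | audit_sudoers nagios
```

On a real host, feed it the output of `sudo cat /etc/sudoers` and any drop-in files, and validate edits with `visudo -c` before restarting nagios-nrpe-server.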