NCPA user as default is root
Posted: Tue Jun 16, 2015 12:18 pm
by cristhofer.perez
Hello,
I want to know if the NCPA user that executes the plugins by default is root. Isn't this insecure?
Can it be changed to another user? If so, how?
Best regards,
Cristhofer.
Re: NCPA user as default is root
Posted: Tue Jun 16, 2015 3:13 pm
by tmcdonald
There is a "uid" setting in the ncpa.cfg that should default to "nagios" but on my system it appears to still run as root and not drop privileges.
What NCPA version and OS+Version are you on?
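Added example, not part of the thread and not NCPA code: a check for the symptom described above, comparing the uid/gid that ncpa.cfg asks for with the credentials the listener actually holds, as read from /proc/<pid>/status on Linux. The status excerpts and the numeric IDs 500/501 for nagios/nagcmd are constructed; on a real host they would come from the PID in the pidfile and from pwd.getpwnam()/grp.getgrnam().

```python
import configparser

# Constructed sample: the uid/gid keys of the [listener] section shown in this thread.
SAMPLE_CFG = "[listener]\nuid = nagios\ngid = nagcmd\npidfile = var/ncpa_listener.pid\n"

# Constructed name -> numeric ID mapping (assumption); on a host use pwd/grp lookups.
IDS = {"nagios": 500, "nagcmd": 501}

# Constructed /proc/<pid>/status excerpts. Columns: real, effective, saved, filesystem.
STATUS_ROOT = "Name:\tncpa_listener\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
STATUS_HALF = "Name:\tncpa_listener\nUid:\t500\t500\t0\t500\nGid:\t501\t501\t501\t501\n"
STATUS_OK = "Name:\tncpa_listener\nUid:\t500\t500\t500\t500\nGid:\t501\t501\t501\t501\n"


def configured_ids(cfg_text, section="listener"):
    """Return the (uid, gid) names a section of ncpa.cfg asks the daemon to run as."""
    cp = configparser.ConfigParser(interpolation=None)  # the file contains literal '%'
    cp.read_string(cfg_text)
    return cp.get(section, "uid"), cp.get(section, "gid")


def proc_ids(status_text):
    """Parse the Uid:/Gid: lines of /proc/<pid>/status into 4-tuples of ints."""
    ids = {}
    for line in status_text.splitlines():
        key, _, rest = line.partition(":")
        if key in ("Uid", "Gid"):
            ids[key] = tuple(int(x) for x in rest.split())
    return ids


def audit(status_text, want_uid, want_gid):
    """List every credential set that is not entirely the configured ID."""
    findings = []
    ids = proc_ids(status_text)
    for key, want in (("Uid", want_uid), ("Gid", want_gid)):
        real, eff, saved, fs = ids[key]
        # A saved ID of 0 matters: the process can switch back to root at will.
        if {real, eff, saved, fs} != {want}:
            findings.append(f"{key}: real={real} effective={eff} saved={saved} "
                            f"fs={fs}, configured {want}")
    return findings


if __name__ == "__main__":
    user, group = configured_ids(SAMPLE_CFG)
    for name, status in (("root", STATUS_ROOT), ("half", STATUS_HALF), ("ok", STATUS_OK)):
        print(name, audit(status, IDS[user], IDS[group]) or "matches ncpa.cfg")
```
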
Re: NCPA user as default is root
Posted: Tue Jun 16, 2015 3:17 pm
by jolson
I am experiencing the same issues as tmcdonald - NCPA is running as root on my CentOS 7 box.
It looks like the NCPA user will execute plugins by default as root. It's possible to get the ncpa_listener to run under the 'nagios' user by launching it from that shell:
Code:
su - nagios
/etc/init.d/ncpa_listener start
Re: NCPA user as default is root
Posted: Wed Jun 17, 2015 2:39 am
by cristhofer.perez
Hello, thank you all.
I'm using Red Hat Enterprise Linux Server release 5.5 on my clients.
Thanks Jolson, I'm going to check your solution.
Re: NCPA user as default is root
Posted: Wed Jun 17, 2015 3:09 am
by cristhofer.perez
Hello,
First of all, I killed the ncpa_listener process.
When I tried to execute ncpa_listener as the nagios user, I needed to change the owner of /usr/local/ncpa/var/ncpa_listener.pid.
Code:
bash-4.1$ /etc/init.d/ncpa_listener start
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/cx_Freeze-4.3.4-py2.7-linux-x86_64.egg/cx_Freeze/initscripts/Console.py", line 27, in <module>
File "ncpa_posix_listener.py", line 67, in <module>
File "/root/Development/ncpa/agent/ncpadaemon.py", line 69, in main
File "/root/Development/ncpa/agent/ncpadaemon.py", line 133, in start
File "/root/Development/ncpa/agent/ncpadaemon.py", line 276, in check_pid
IOError: [Errno 13] Permission denied: '/usr/local/ncpa/var/ncpa_listener.pid'
Started listener...
First I use
It starts without problems, but when I tried to access https://<CLIENT IP>:5693/api/?token=mytoken I get
ERR_CONNECTION_RESET
As the root user I can access the URL without problems.
Then I use
Code:
sudo chown nagios:nagcmd ncpa_listener.pid
I get the same problem.
NOTES:
I stopped the iptables service.
On the server I use Nagios XI 2014R2.7
On the client I downloaded the latest version of NCPA.
I'm using Red Hat Enterprise Linux Server release 5.5 on my clients and server.
The ncpa.cfg looks like:
Code:
[listener]
uid = nagios
certificate = adhoc
loglevel = info
ip = 0.0.0.0
gid = nagcmd
logfile = var/ncpa_listener.log
port = 5693
pidfile = var/ncpa_listener.pid
# Available versions: PROTOCOL SSLv2, SSLv3, TLSv1
ssl_version = TLSv1
[passive]
uid = nagios
handlers = nrds,nrdp
loglevel = info
gid = nagcmd
sleep = 300
logfile = var/ncpa_passive.log
pidfile = var/ncpa_passive.pid
[nrdp]
token = nrdptoken
hostname = yourhostname
parent = yourparent
[nrds]
URL = None
CONFIG_VERSION = None
TOKEN = None
CONFIG_NAME = None
CONFIG_OS = None
[api]
community_string = mytoken
[plugin directives]
plugin_path = plugins/
.sh = /bin/sh $plugin_name $plugin_args
.ps1 = powershell -ExecutionPolicy Bypass -File $plugin_name $plugin_args
.vbs = cscript $plugin_name $plugin_args //NoLogo
[passive checks]
%HOSTNAME%|cpu usage = /cpu/percent --warning 20 --critical 30
%HOSTNAME%|swap usage = /memory/swap/percent --warning 40 --critical 80
%HOSTNAME%|memory usage = /memory/virtual/percent --warning 60 --critical 80
Re: NCPA user as default is root
Posted: Wed Jun 17, 2015 10:11 am
by lmiltchev
I was able to recreate the issue. Even though I was able to start the ncpa_posix_listener and ncpa_posix_passive as the nagios user, I was not able to access the API in the web UI or run any checks (as the nagios user) for that matter.
Code:
/usr/local/nagios/libexec/check_ncpa.py -H x.x.x.x -t 'mytoken' -P 5693 -M cpu/percent -w 20 -c 40
UNKNOWN: Error occurred while running the plugin. Use the verbose flag for more details.
Our developers are aware of the issue and will be looking into it. Thanks for bringing our attention to this!
Re: NCPA user as default is root
Posted: Wed Jun 17, 2015 10:39 am
by cristhofer.perez
Thank you all. Let me know about any solution.
Re: NCPA user as default is root
Posted: Wed Jun 17, 2015 11:28 am
by lmiltchev
Just wanted to give you a heads-up. I posted an internal bug report (TASK ID 5828). Also, I posted the issue on GitHub here:
https://github.com/NagiosEnterprises/ncpa/issues/181
Please feel free to make comments and provide additional information that might help our developers with troubleshooting the issue. Thanks!
Re: NCPA user as default is root
Posted: Wed Sep 14, 2016 1:38 pm
by eloyd
Neither this issue nor the GitHub issue is effectively solved. We have a requirement to run NCPA for one of our users and it cannot run as root. So far, there does not seem to be a solution to this problem, unless NCPA 2.0 fixes it, which I see no sign of.
Re: NCPA user as default is root
Posted: Thu Sep 15, 2016 10:36 am
by lmiltchev
As far as I know, in NCPA 2.0.0 the daemon will be running as root but the plugins will be running as the user/group specified in the ncpa.cfg by dropping root permissions before running a plugin.
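Added example, not NCPA's code: the pattern the post above describes, where the parent process keeps its own identity and each plugin child drops to a configured uid/gid before exec. The function names and the numeric-ID interface are assumptions of this example.

```python
import os
import subprocess
import sys


def demoter(uid, gid):
    """Build a preexec_fn that drops the child to uid/gid before exec."""
    def drop():
        if os.geteuid() == 0:
            os.setgroups([])  # shed root's supplementary groups while still allowed
        os.setgid(gid)        # group first: after setuid() this call would be refused
        os.setuid(uid)        # from root this sets real, effective and saved UID
        if uid != 0:
            try:
                os.setuid(0)  # must fail, otherwise the drop was not permanent
            except PermissionError:
                return
            raise RuntimeError("child can still regain root")
    return drop


def run_plugin(argv, uid, gid, timeout=30):
    """Run one plugin command as uid/gid; the calling daemon keeps its own IDs."""
    proc = subprocess.run(argv, preexec_fn=demoter(uid, gid), cwd="/",
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout.strip()


if __name__ == "__main__":
    # Assumption for the demo: target IDs are the caller's own, so it also runs
    # unprivileged. A daemon started as root would pass the numeric IDs of the
    # configured user and group, e.g. pwd.getpwnam("nagios").pw_uid.
    show_ids = [sys.executable, "-c", "import os; print(os.getuid(), os.getgid())"]
    print(run_plugin(show_ids, os.getuid(), os.getgid()))
```

preexec_fn is not safe in multi-threaded parents; from Python 3.9, subprocess.run() accepts user=, group= and extra_groups= for the same purpose.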