Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
I'm trying to build a plugin that requires root privileges to successfully run. So far this has been helpful in making it work.
...
Option Three (Best):
Give the nagios user sudo access to run one command (in this example the command is "lsof"), and add "sudo" in the plugin script before the command you want to run.
# Add nagios to sudoers
vi /etc/sudoers
# nagios check (/usr/lib/nagios/plugins/check_user_openfiles)
nagios ALL=NOPASSWD: /bin/lsof
# In your script add "sudo" before the command.
sudo lsof | grep blah
However, I'm curious how the default Nagios plugins that need root privileges (check_dhcp and check_icmp) work and run successfully without doing anything with sudoers. Can anyone help me understand?
EDIT: meant root, not 'doot'
Last edited by pamplifier on Tue Jul 28, 2015 1:33 pm, edited 1 time in total.
/etc/sudoers is probably safer, because then you are saying "This specific user can run exactly these commands as root" whereas setting the binary to run as root allows *anyone* to run it and get root permissions. But yes, in either case you do assume some risk. A possibly safer route still would be to set up your syslog daemon to copy all messages matching a certain pattern (or involving a certain service/daemon/program) to log to a file that nagios would have access to, then running the plugin against that.
Decided to go the sudoers route for now, and it works great! I just have to make sure everything is closed off to possible attacks and abuse of the root privileges. Thank you!
seteuid might be useful later on, though I don't trust myself to get it exactly right at the moment, so I'm putting that method on the back-burner.
seteuid is nice for when you want the binary to drop privileges no matter what the suid bit is set to, who owns it, etc. There are of course some restrictions (I don't believe a binary run by nagios can seteuid to root, for example) but it's pretty straightforward once you get it working.
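As an added illustration of the privilege-drop pattern discussed in this thread (not code from the Nagios plugins or from any poster), here is a minimal check skeleton for Linux/glibc. It assumes the binary is installed setuid root (the only way a process started by the nagios user has a root effective uid); it performs the one privileged step a ping-style check needs, opening a raw ICMP socket, then drops root permanently and verifies that root cannot be regained. The temporary variant with seteuid alone is shown for contrast: it leaves the saved uid at root, so a later seteuid(0) still works.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Temporary drop: only the effective uid changes. The saved uid stays
 * root, so seteuid(0) can later regain it. Fine for "lower privileges
 * while parsing untrusted input", not for a final drop. */
int drop_privileges_temporarily(void) {
    return seteuid(getuid());
}

/* Permanent drop: real, effective and saved ids all become the invoking
 * user's, so no later seteuid(0)/setuid(0) can succeed. Groups go first,
 * because once the uid is unprivileged the gid can no longer be changed. */
int drop_privileges_permanently(void) {
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    return 0;
}

/* Self-check after dropping: returns 1 if root can still be regained
 * (drop was only temporary, or the process really is root), else 0. */
int can_regain_root(void) {
    if (seteuid(0) == 0) {
        seteuid(getuid());   /* undo, so the check has no lasting effect */
        return 1;
    }
    return 0;                /* EPERM: the drop stuck */
}

int main(void) {
    /* The privileged step: a raw ICMP socket (needs root or CAP_NET_RAW). */
    int raw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (raw < 0) perror("raw socket (expected to fail without root)");
    else close(raw);
    /* Drop root before any argument parsing, output or further work. */
    if (drop_privileges_permanently() != 0) { perror("drop"); return 2; }
    printf("euid=%u can_regain_root=%d\n", (unsigned)geteuid(), can_regain_root());
    return 0;
}
```

When run without the setuid bit (for example as the nagios user directly), the socket call fails with EPERM and the drop is a no-op, which is the behaviour the poster above describes.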
pamplifier wrote: I just have to make sure everything is closed off to possible attacks and abuse of the root privileges.
Having just come back from a security conference, I can assure you this is pretty hard to get right 100% of the time even by the most seasoned coders :)
That being said, are we all clear to close this up?