[Nagiosplug-devel] [ nagiosplug-Patches-1878144 ] check_mailq need root privileges

SourceForge.net noreply at sourceforge.net
Wed Jan 23 23:06:33 CET 2008


Patches item #1878144, was opened at 2008-01-23 09:24
Message generated for change (Comment added) made by dermoth
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1878144&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: gerhard lausser (lausser)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_mailq need root privileges

Initial Comment:
Hi,
I have several Linux servers, where you need special privileges to execute /usr/bin/mailq.
On these servers I got:

-bash-2.05b$ check_mailq -w 1 -c 5
Program mode requires special privileges, e.g., root or TrustedUser.
CRITICAL: Error code 78 returned from /usr/bin/mailq

Allowing the Nagios user to call check_mailq with sudo was not an option, because the plugins are owned and writable by this user himself.
Yet it was possible to get sudo privileges for the /usr/bin/mailq command. I then patched check_mailq so that it first would ask "sudo -l" if $utils::PATH_TO_MAILQ is among the privileged commands and if yes, call it with "sudo $utils::PATH_TO_MAILQ" instead.
I appended the patch.
Do you think this could be an option for plugins in general? I am sure there are other installations which prefer
sudo "/usr/bin/command inside the plugin"
over sudo plugin

Greetings from Munich,
Gerhard

----------------------------------------------------------------------

>Comment By: Thomas Guyot (dermoth)
Date: 2008-01-23 17:06

Message:
Logged In: YES 
user_id=375623
Originator: NO

Hmmmm.... I'm not trying to make your life harder but I still don't like
your solution... So what comes to my mind is:

1. Use a different group for the Nagios team, and make the
directories/plugins writable by that team

2. We could maybe do something like (not looking at the code, so it will
likely need to be adapted):
if ($PATH_TO_MAILQ =~ m/^(.*\/sudo)\s+(.*)$/) {
  if (-x $1 && -x $2) {
...
  }
} elsif (-x $PATH_TO_MAILQ) {
...

3 (ideal but most complex to implement): Add a --with-sudo-command
detection and option in configure, and a switch in mailq to use it.


----------------------------------------------------------------------

Comment By: gerhard lausser (lausser)
Date: 2008-01-23 10:55

Message:
Logged In: YES 
user_id=613416
Originator: YES

Setting PATH_TO_MAILQ to "sudo mailq" doesn't work, because there are some

if (-x $PATH_TO_MAILQ) {
in the code.
Removing write permissions for the plugins is not an option. There is an
extra nagios team which owns the plugin directories and which has to be
able to do updates for the nagios client software on all servers any time.
Configuring the plugins so that mailq is called with sudo by default would
require two versions of the plugin. One for the servers (SuSE) where
everyone may execute mailq and one for the others where mailq is restricted
to root.
Gerhard

----------------------------------------------------------------------

Comment By: Thomas Guyot (dermoth)
Date: 2008-01-23 10:24

Message:
Logged In: YES 
user_id=375623
Originator: NO

Why don't you just remove any write permissions from Nagios for the plugin
and plugin's folder? If you have dependencies you can also use a different
path. Make it owned from root with read access for Nagios or everyone, for
example.

I don't believe adding sudo commands in plugin scripts is a viable
solution, however an alternative would be to define the mailq path/command
as "/usr/bin/sudo /usr/bin/mailq" or whichever path you need.

./configure --with-mailq-command="/usr/bin/sudo /usr/bin/mailq"

I haven't tried but this may work already... If it doesn't and you have a
fix for that, we'll merge it (and document this trick in the web site).

Thanks
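The two ideas from this thread in working form, as an added example rather than code from check_mailq or from the attached patch: it accepts a PATH_TO_MAILQ value that is either a plain path or dermoth's wrapper form "/usr/bin/sudo /usr/bin/mailq", replaces the bare -x $PATH_TO_MAILQ test that Gerhard notes rejects the wrapper form, and starts the command without a shell. It assumes the Nagios exit codes that utils.pm exports, reads the configured value from an environment variable purely for illustration, and checks only existence (not -x) of the wrapped command, because the sudoers policy, not the plugin user's permission bits, decides whether it may run.

```perl
#!/usr/bin/perl
# Added example, not code from check_mailq or from the patch in this thread.
use strict;
use warnings;
use File::Basename qw(basename);

# Nagios plugin exit codes (the same values utils.pm exports as %ERRORS).
my %ERRORS = (OK => 0, WARNING => 1, CRITICAL => 2, UNKNOWN => 3);

# Turn the configured mailq command into an argument list and check that
# the programs in it exist. Accepts a plain path ("/usr/bin/mailq") and the
# wrapper form dermoth suggests ("/usr/bin/sudo /usr/bin/mailq"). Dies on
# failure so the caller can report UNKNOWN instead of a misleading CRITICAL.
sub mailq_command {
    my ($configured) = @_;
    my @words = split ' ', $configured;
    die "PATH_TO_MAILQ is empty\n" unless @words;
    if (basename($words[0]) eq 'sudo') {
        die "sudo form needs a command after $words[0]\n" if @words < 2;
        die "$words[0] is not executable\n" unless -x $words[0];
        # Only existence is checked for the wrapped command: whether it may
        # be run is decided by the sudoers policy, not by the plugin user's
        # own permission bits, so -x here would reject a root-only mailq.
        die "$words[1] does not exist\n" unless -e $words[1];
    } else {
        die "$words[0] is not executable\n" unless -x $words[0];
    }
    return @words;
}

# The real value comes from configure/utils.pm; for illustration it is read
# from an assumed environment variable PATH_TO_MAILQ.
my @cmd = eval { mailq_command($ENV{PATH_TO_MAILQ} || '/usr/bin/mailq') };
if ($@) {
    print "MAILQ UNKNOWN: $@";
    exit $ERRORS{UNKNOWN};
}
# List-form open: no shell parses the configured string, so sudo receives
# exactly the words checked above.
open(my $mailq, '-|', @cmd) or do {
    print "MAILQ UNKNOWN: cannot run @cmd: $!\n";
    exit $ERRORS{UNKNOWN};
};
my @lines = <$mailq>;
unless (close $mailq) {
    # Same shape as the failure in the original report (exit code 78).
    print "MAILQ CRITICAL: Error code ", $? >> 8, " returned from @cmd\n";
    exit $ERRORS{CRITICAL};
}
print "MAILQ OK: ", scalar(@lines), " lines of queue output from @cmd\n";
exit $ERRORS{OK};
```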

----------------------------------------------------------------------
