[Nagiosplug-devel] [ nagiosplug-Patches-1878144 ] check_mailq need root privileges

SourceForge.net noreply at sourceforge.net
Thu Jan 24 16:17:57 CET 2008

Patches item #1878144, was opened at 2008-01-23 15:24
Message generated for change (Comment added) made by lausser
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: gerhard lausser (lausser)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_mailq need root privileges

Initial Comment:
I have several Linux servers where you need special privileges to execute /usr/bin/mailq.
On these servers I got:

-bash-2.05b$ check_mailq -w 1 -c 5
Program mode requires special privileges, e.g., root or TrustedUser.
CRITICAL: Error code 78 returned from /usr/bin/mailq

Allowing the Nagios user to call check_mailq with sudo was not an option, because the plugins are owned and writable by this user himself.
Yet it was possible to get sudo privileges for the /usr/bin/mailq command. I then patched check_mailq so that it first would ask "sudo -l" if $utils::PATH_TO_MAILQ is among the privileged commands and if yes, call it with "sudo $utils::PATH_TO_MAILQ" instead.
I appended the patch.
Do you think this could be an option for plugins in general? I am sure there are other installations which prefer
sudo "/usr/bin/command inside the plugin"
over sudo plugin

Greetings from Munich,


>Comment By: gerhard lausser (lausser)
Date: 2008-01-24 16:17

Logged In: YES 
Originator: YES

Thanks for not trying to make my life harder!
What I wanted to achieve is:
- Compile the plugins once so that they can be used on every Linux server
without individual changes. (compile check_mailq on Suse where mailq can be
executed by everyone and it will run unchanged on a RedHat where you need
sudo rights to execute mailq)
- If the plugin needs to call an external command, let the plugin decide
whether to execute it with or without sudo.

But your proposal Nr.2 would be an acceptable compromise. This way one can
distribute individual utils.pm which imho is preferable to individual



Comment By: Thomas Guyot (dermoth)
Date: 2008-01-23 23:06

Logged In: YES 
Originator: NO

Hmmmm.... I'm not trying to make your life harder but I still don't like
your solution... So what comes to my mind is:

1. Use a different group for the Nagios team, and make the
directories/plugins writable by that team

2. We could maybe do something like (not looking at the code, so it will
likely need to be adapted):
if ($PATH_TO_MAILQ =~ m/^(.*\/sudo)\s+(.*)$/) {
  if (-x $1 && -x $2) {
    # sudo and the wrapped command are both executable
  }
} elsif (-x $PATH_TO_MAILQ) {   # plain executable path
}

3 (ideal but most complex to implement): Add a --with-sudo-command
detection and option in configure, and a switch in mailq to use it.
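
Proposal 2 above, carried through as an added example (not code from check_mailq, utils.pm or anyone in this thread): the configured setting is accepted only as an absolute path or as an absolute sudo path plus one absolute path, both are checked for executability, and the result is run as an argument list so no shell parses it. The names mailq_argv and run_argv, the `-n` passed to sudo, and /bin/ls standing in for mailq are assumptions of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers, not part of check_mailq or utils.pm.
sub is_exe { my ($p) = @_; return -f $p && -x _; }

# Accepts "<abs path>" or "<abs path to sudo> <abs path>" and nothing else.
# Returns the argument list to run, or an empty list if the setting is unusable.
sub mailq_argv {
    my ($setting) = @_;
    my $path = qr{/[\w./-]+};   # absolute path, no whitespace or shell metacharacters
    if ($setting =~ m{^($path)\s+($path)\z}) {
        my ($sudo, $cmd) = ($1, $2);
        return () unless $sudo =~ m{/sudo\z} && is_exe($sudo) && is_exe($cmd);
        # -n is an addition here: sudo fails instead of prompting for a password
        return ($sudo, '-n', $cmd);
    }
    if ($setting =~ m{^($path)\z}) {
        my $cmd = $1;
        return is_exe($cmd) ? ($cmd) : ();
    }
    return ();
}

# Run the validated argument list through a pipe. The list contains only
# characters allowed by $path above, so perl execs it directly, without a shell.
sub run_argv {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    my @out = <$fh>;
    close($fh);
    return ($? >> 8, scalar @out);
}

# Constructed settings; /bin/ls stands in for mailq so this runs on any host.
for my $setting ('/bin/ls', '/usr/bin/sudo /bin/ls', 'sudo mailq',
                 '/usr/bin/sudo /bin/ls; id', '/nonexistent/mailq') {
    my @argv = mailq_argv($setting);
    printf "%-30s => %s\n", "'$setting'", @argv ? "run: @argv" : 'rejected';
}

my ($status, $lines) = run_argv(mailq_argv('/bin/ls'));
print "exit status $status, $lines line(s) of output\n";
```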


Comment By: gerhard lausser (lausser)
Date: 2008-01-23 16:55

Logged In: YES 
Originator: YES

Setting PATH_TO_MAILQ to "sudo mailq" doesn't work, because there are some

if (-x $PATH_TO_MAILQ) {
in the code.
Removing write permissions for the plugins is not an option. There is an
extra nagios team which owns the plugin directories and which has to be
able to do updates for the nagios client software on all servers any time.
Configuring the plugins so that mailq is called with sudo by default would
require two versions of the plugin. One for the servers (SuSE) where
everyone may execute mailq and one for the others where mailq is restricted
to root.


Comment By: Thomas Guyot (dermoth)
Date: 2008-01-23 16:24

Logged In: YES 
Originator: NO

Why don't you just remove any write permissions from Nagios for the plugin
and plugin's folder? If you have dependencies you can also use a different
path. Make it owned by root with read access for Nagios or everyone, for

I don't believe adding sudo commands in plugin scripts is a viable
solution, however an alternative would be to define the mailq path/command
as "/usr/bin/sudo /usr/bin/mailq" or whichever path you need.

./configure --with-mailq-command="/usr/bin/sudo /usr/bin/mailq"

I haven't tried but this may work already... If it doesn't and you have a
fix for that, we'll merge it (and document this trick on the web site).


