Custom plugin, permission problem

Hi, I have found one ruby plugin for checking FreeNAS (FreeNAS plugin), and it was all set and tested, so the script works as expected if I run it manually.

I have placed my plugin in the default path of all plugins, /usr/lib64/nagios/plugins/check_freenas_ruby,
and I made a super simple shell script to call that ruby script (it was not needed, but I did it anyway):

#!/bin/bash

source scl_source enable rh-ruby26
/root/.rbenv/shims/ruby /usr/lib64/nagios/plugins/check_freenas_ruby/check_freenas.rb -s server.example.com -u root -p 'mysecretpassword' -k -m zpool_usage -w 30 -c 40 -z Replica

My next step was to set this up as a service to run in icinga2 itself, so I have created zones.d/master/server.example.com.conf

and inside (since I am not an expert in the icinga2 field) I probably have a messy config:

// Endpoints & Zones
object Endpoint "server.example.com" {
}

object Zone "server.example.com" {
  endpoints = [ "server.example.com" ]
  parent = "master"
}

apply Service "check_freenas" {
  check_command = "check_freenas"
  assign where host.name == "server.example.com"
}

object CheckCommand "check_freenas" {
  import "plugin-check-command"
  command = [ "/usr/lib64/nagios/plugins/check_freenas" ]
}

// Host Objects
object Host "server.example.com" {
  check_command = "hostalive"
  address = "192.168.1.2"
  vars.client_endpoint = name // follows the convention that host name == endpoint name
  // Custom Optional Check - END
}

Now this service is shown in icingaweb2 without issues, and default plugins such as "ping" are working, but that custom ruby script gives the error:

[2020-05-29 08:41:18 +0200] warning/PluginCheckTask: Check command for object 'server.example.com!check_freenas' (PID: 27951, arguments: '/usr/lib64/nagios/plugins/check_freenas') terminated with exit code 126, output: /usr/lib64/nagios/plugins/check_freenas: line 4: /root/.rbenv/shims/ruby: Permission denied

All other plugins are "root:root"; I even tried to give this plugin apache:icingaweb2 permissions, along with the ruby binary (just for a test)... The output was the same.

Which permissions should this have to be able to execute and get info from my freenas server?

Brgds

You probably run your script manually as user root, but icinga executes the plugin as icinga/nagios (depending on your distribution). This may produce different results, as you may have different environments and/or access rights. Therefore it is always recommended to run manual tests as the icinga user.

Hi.

It seems like the user icinga cannot execute

/root/.rbenv/shims/ruby

What happens when you execute the script on the command line as user icinga? E.g.:

su -s /bin/bash -c "your_script_name" icinga

If needed, you can configure the CheckCommand to use sudo, e.g.:

command = [ "sudo", "/usr/lib64/nagios/plugins/check_freenas" ]

Greetings.

Hi again,

now I got a new error:

warning/PluginCheckTask: Check command for object 'server.example.com!check_freenas' (PID: 16993, arguments: 'sudo' '/usr/lib64/nagios/plugins/check_freenas') terminated with exit code 128, output: execvpe(sudo) failed: Permission denied

P.S. I added this icinga user into sudoers file:

#visudo

icinga ALL=(ALL) /usr/lib64/nagios/plugins/check_freenas

what now?

I'm sorry, but in my opinion this is the wrong way, because it will weaken security. In most cases sudo is not necessary. In your case I'd assume you simply should not use rbenv from user root but from your icinga user (if it is necessary at all, which I cannot comment on, as I'm not familiar with ruby).

I don't see other options, except to proclaim both plugins as icinga:nagios...?

Hi again.

I totally agree that sudo should be avoided, if possible.

@vtravalja :

What happens if you try the following commands on the command line:

su -s /bin/bash -c "your_script_name" icinga
# and
sudo -u icinga "your_script_name"

Please note that the part of the sudoers you posted:

icinga ALL=(ALL) /usr/lib64/nagios/plugins/check_freenas

requires that the user icinga uses a password (NOPASSWD: is missing).
This is problematic in this case.

Greetings.

actually NOPASSWD: is also set...

icinga  ALL=(ALL)       NOPASSWD:/usr/lib64/nagios/plugins/check_freenas

and this is the output

[root@server plugins]# su -s /bin/bash -c /usr/lib64/nagios/plugins/check_freenas icinga
/usr/lib64/nagios/plugins/check_freenas: line 4: /root/.rbenv/shims/ruby: Permission denied
[root@server plugins]# sudo -u icinga /usr/lib64/nagios/plugins/check_freenas
/usr/lib64/nagios/plugins/check_freenas: line 4: /root/.rbenv/shims/ruby: Permission denied

I made some progress in terms of getting this script to work. SELinux was causing the problem; now I will try to revoke sudo and see what happens... I will report progress here, so if someone needs the solution it is here in the community.


Unfortunately no, when I revoke sudo it does not work. I can set any permissions, it makes no difference, so what I did is set sudo only for that script and set chattr +i to make the check_freenas script immutable, so that its content cannot be changed and the system abused, unless the attribute is first modified by root and then changed... It is not great security, but it will do.