How to run nagios/icinga2 checks as a different user?

I have a question: what's the best way of running a nagios task as another user? When our app runs it writes logs which are owned by webuser, so we can't write to them unless we are webuser.

I am trying different approaches and I want to share what I have come to as my result.

We use Ruby on Rails. We have created scripts which are part of the application and which return the appropriate exit codes.

Useful Stack Exchange reply on how to allow a certain command with visudo: "sudo - sudoers command with AND without arguments" (Unix & Linux Stack Exchange)

# ./zones.d/global-templates/commands.conf
object CheckCommand "webuser-ruby-runner" {
  import "plugin-check-command"

  command = ["/usr/bin/sudo", "-u", "webuser", PluginDir + "/check_ruby_runner" ]

  arguments = {
    "-rake" = {
      value = "$ruby_script$"
      required = true
      skip_key = true
      repeat_key = false
    }
  }
}

# /etc/icinga2/conf.d/services.conf
apply Service "webuser-ruby-runner" for (script in host.vars.webuser_ruby_scripts_daily) {
  import "generic-service"
  import "daily-service"

  display_name = "Ruby run " + script + " (daily)"
  check_command = "webuser-ruby-runner"
  command_endpoint = host.vars.remote_client

  vars.ruby_script = script
}

# zones.d/monitor/fakturabank.conf
object Host "fakturabank" {
  /* Import the default host template defined in `templates.conf`. */
  import "generic-host"
  # ...
  vars.webuser_ruby_scripts_daily = [
    # ...
  ]
}

# on the client
# /usr/lib/nagios/plugins/check_ruby_runner

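#!/bin/bash

echo "Running as $(whoami)"

# Exit UNKNOWN (3) if the application directory is missing
cd /var/www/apps/fakturabank/current || exit 3
export RAILS_ENV=production
# Quote the argument so a path with spaces or globs is passed as one word
/home/webuser/.rbenv/shims/bundle exec ruby "$1"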

# $ visudo
nagios ALL=(webuser) NOPASSWD: /usr/lib/nagios/plugins/check_ruby_runner script/can_receive_ehf_response_test.rb
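
Added example, not part of the original post: a variant of the `check_ruby_runner` wrapper that validates its argument itself, so that the wrapper still only runs check scripts as webuser if the sudoers rule is ever widened to allow any argument. The function names `is_allowed_script` and `run_check`, the `APP_DIR`/`BUNDLE` overrides, and the rule that every check is a relative `script/<name>.rb` path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: hardened variant of check_ruby_runner (not the poster's script).
# Assumption: every check script is a relative path script/<name>.rb in the app.

APP_DIR="${APP_DIR:-/var/www/apps/fakturabank/current}"
BUNDLE="${BUNDLE:-/home/webuser/.rbenv/shims/bundle}"

# Succeed only for script/<...>.rb built from [A-Za-z0-9_./-] with no "..".
# Absolute paths and option-like arguments fail the script/ prefix test.
is_allowed_script() {
  case "$1" in
    *..*) return 1 ;;                 # no climbing out of script/
    *[!A-Za-z0-9_./-]*) return 1 ;;   # no spaces, quotes, shell metacharacters
    script/*.rb) return 0 ;;
  esac
  return 1
}

# Validate, then run the script the same way the original wrapper does.
# Anything that prevents the check from running is reported as UNKNOWN (3).
run_check() {
  if ! is_allowed_script "$1"; then
    echo "UNKNOWN - script path not allowed"
    return 3
  fi
  cd "$APP_DIR" || { echo "UNKNOWN - cannot cd to $APP_DIR"; return 3; }
  [ -f "$1" ] || { echo "UNKNOWN - no such script: $1"; return 3; }
  export RAILS_ENV=production
  "$BUNDLE" exec ruby "$1"
}

# Run only when installed under the plugin name, so the file can also be sourced.
case "${0##*/}" in
  check_ruby_runner*) run_check "${1:-}"; exit $? ;;
esac
```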