Run ITL command with sudo

Hello.

I need to execute the ITL command file_age with sudo, because nagios does not have permission to read the file I want to check. Our idea is to add this command to sudoers in order to give permission to execute the plugin check_file_age with sudo.
But I don’t know if it is possible to use the ITL command file_age and somehow set it to use sudo, because if not, I need to create a new custom command to run check_file_age with sudo, and I prefer not to create a new command.

So the question: is it possible to add sudo to an ITL check_command?

Hi @ander.lopetegui

You could change the command to command = [ "sudo", PluginDir + "/check_file_age" ], but:

The ITL content is updated with new releases. Please do not modify templates and/or objects as changes will be overridden without further notice. (source)

So maybe you should create a new command definition for this somewhere in /etc/icinga2.

Kind regards,
ritzgu

For security reasons I would prefer ACLs over sudo to give access to files.

But if you need it, I would wrap the original command and overwrite the command line.

object CheckCommand "my_file_age" {
  import "file_age"
  command = [ "/usr/bin/sudo", PluginDir + "/check_file_age" ]
}

This would be update-safe, get changes from updates and can also be done in Director.

Hi @ritzgu

As you said, I prefer not to change the ITL command; if I need to add sudo, I would create a new command.
But I was asking if there is some variable to change the ITL command and run it with sudo, something like in this command

Thanks

Just had a look at the command definition of running_kernel. Here the variable running_kernel_use_sudo is evaluated:

if (use_sudo) {
    args = [ "sudo" ]
} else {
    args = []
}
args += [ PluginContribDir + "/check_running_kernel" ]

I may be wrong but I have not seen this in other commands yet.

That way is nice to implement.

It would be interesting if all commands had this feature by default.
I think, finally I will create a custom command with this use_sudo variable.
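
A custom command of the kind described in this thread, combining the update-safe import of "file_age" with the use_sudo switch from running_kernel. This is an added example, not part of the original posts and not ITL code; the names "file_age_sudo", file_age_use_sudo and "example-host", the sudo path and the plugin path in the sudoers rule are assumptions.

```icinga2
// Added example, not from the thread. Assumed names: "file_age_sudo",
// the custom variable file_age_use_sudo, the host "example-host".
//
// Matching sudoers rule (a file under /etc/sudoers.d/, edited with visudo -f).
// The plugin path is an assumption; it must equal the value of PluginDir on
// the monitored host, and the plugin file must be writable by root only:
//   nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_file_age

object CheckCommand "file_age_sudo" {
  // Inherit arguments and defaults from the ITL definition, so ITL updates
  // still apply.
  import "file_age"

  command = {{
    // Same pattern as running_kernel: read the switch from a custom variable.
    var use_sudo = macro("$file_age_use_sudo$")
    var args = []

    if (use_sudo) {
      // Absolute path to sudo; -n makes sudo fail instead of waiting for a
      // password prompt when the sudoers rule is missing.
      args = [ "/usr/bin/sudo", "-n" ]
    }

    args += [ PluginDir + "/check_file_age" ]
    return args
  }}
}

object Service "protected-file-age" {
  host_name = "example-host"                      // hypothetical, must exist as a Host object
  check_command = "file_age_sudo"
  vars.file_age_file = "/path/to/protected/file"  // placeholder path
  vars.file_age_use_sudo = true                   // leave unset to run without sudo
}
```

The sudoers rule above places no restriction on arguments, so the nagios user can query the age and size of any file on the host as root; the ACL approach suggested earlier in the thread grants read access to the one file instead.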

Pro tip:

➜  icinga2 git:(master) cat sudocmd.conf
object CheckCommand "nosudo" {
	command = [ "nosudo" ]
	arguments = {
		"-n" = {
			value = "m"
		}
	}
}

template CheckCommand "withsudo" {
	command = [ "sudo" ] + command
}

object CheckCommand "nosudo-withsudo" {
	import "nosudo"
	import "withsudo"
}
➜  icinga2 git:(master) prefix/sbin/icinga2 daemon -c sudocmd.conf -C
[2021-01-14 19:01:45 +0100] information/cli: Icinga application loader (version: v2.12.0-426-g5f548c8f8)
[2021-01-14 19:01:45 +0100] information/cli: Loading configuration file(s).
[2021-01-14 19:01:45 +0100] warning/config: Ignoring directory '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/zones.d/master' for unknown zone 'master'.
[2021-01-14 19:01:45 +0100] warning/config: Ignoring directory '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/api/zones/master' for unknown zone 'master'.
[2021-01-14 19:01:45 +0100] information/ConfigItem: Committing config item(s).
[2021-01-14 19:01:45 +0100] information/ConfigItem: Instantiated 2 CheckCommands.
[2021-01-14 19:01:45 +0100] information/ConfigItem: Instantiated 1 IcingaApplication.
[2021-01-14 19:01:45 +0100] information/ScriptGlobal: Dumping variables to file '/Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.vars'
[2021-01-14 19:01:45 +0100] information/cli: Finished validating the configuration file(s).
➜  icinga2 git:(master) prefix/sbin/icinga2 object list -t CheckCommand --name nosudo-withsudo
Object 'nosudo-withsudo' of type 'CheckCommand':
  % declared in 'sudocmd.conf', lines 14:1-14:37
  * __name = "nosudo-withsudo"
  * arguments
    % = modified in 'sudocmd.conf', lines 3:2-7:2
    * -n
      * value = "m"
  * command = [ "sudo", "nosudo" ]
    % = modified in 'sudocmd.conf', lines 2:2-2:23
    % = modified in 'sudocmd.conf', lines 11:2-11:31
  * env = null
  * execute
    % = modified in 'methods-itl.conf', lines 19:3-19:23
    % = modified in 'methods-itl.conf', lines 19:3-19:23
    * arguments = [ "checkable", "cr", "resolvedMacros", "useResolvedMacros" ]
    * deprecated = false
    * name = "Internal#PluginCheck"
    * side_effect_free = false
    * type = "Function"
  * name = "nosudo-withsudo"
  * package = "_etc"
  * source_location
    * first_column = 1
    * first_line = 14
    * last_column = 37
    * last_line = 14
    * path = "sudocmd.conf"
  * templates = [ "nosudo-withsudo", "plugin-check-command", "nosudo", "plugin-check-command", "withsudo" ]
    % = modified in 'sudocmd.conf', lines 14:1-14:37
    % = modified in 'methods-itl.conf', lines 18:2-18:94
    % = modified in 'sudocmd.conf', lines 1:0-1:27
    % = modified in 'methods-itl.conf', lines 18:2-18:94
    % = modified in 'sudocmd.conf', lines 10:1-10:32
  * timeout = 60
  * type = "CheckCommand"
  * vars = null
  * zone = ""
➜  icinga2 git:(master)