Hi, I just wish to share this topic I recently faced: my custom plugin had to run a command which needed to be run as a specific user.
I’m running icinga2 on Ubuntu and the daemon runs as user ‘nagios’.
I specifically needed to call /opt/zimbra/bin/zmprov as user ‘zimbra’ inside my custom plugin.
Running it as the nagios user would fail.
Inside my plugin I use sudo this way:
sudo --user zimbra /opt/zimbra/bin/zmprov ...other options
I had to configure sudo on the zimbra host to give the nagios user permission to run this specific command as the zimbra user without requiring a password:
nano /etc/sudoers.d/04_nagios
nagios ALL=(zimbra)NOPASSWD: /opt/zimbra/bin/zmprov
Because the command ‘zmprov’ can do many things, I wish nagios to be able to call it only with certain options / sub-commands, i.e. getAccount, getIdentity.
I changed my sudo configuration, using an alias to list all commands the nagios user is allowed to run as the zimbra user:
cat /etc/sudoers.d/04_nagios
Cmnd_Alias MONITORING = /opt/zimbra/bin/zmprov getAccount, \
    /opt/zimbra/bin/zmprov getidentity
nagios ALL=(zimbra)NOPASSWD: MONITORING
I hope this example may be useful for others.
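An added example, not the plugin from the post: one way the plugin side could build the same `sudo --user zimbra` call so that it only ever sends the allowed sub-commands and never waits on a password prompt. The function names, the sudo path and the account-name pattern are assumptions.

```python
import re
import subprocess

SUDO = "/usr/bin/sudo"                    # assumed location of sudo
ZMPROV = "/opt/zimbra/bin/zmprov"         # path from the post
ALLOWED = {"getAccount", "getIdentity"}   # sub-commands named in the post
# Assumed account-name shape; a leading '-' is rejected so the value
# can never be read as an option by zmprov.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*")
UNKNOWN = 3                               # Nagios/Icinga plugin exit code


def build_argv(subcommand, account):
    """Return the argv list handed to sudo, or raise ValueError."""
    if subcommand not in ALLOWED:
        raise ValueError(f"sub-command not allowed: {subcommand!r}")
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"unexpected account name: {account!r}")
    # -n: never prompt; sudo exits non-zero when no NOPASSWD rule matches,
    # so the check fails fast instead of hanging until the plugin timeout.
    return [SUDO, "-n", "--user", "zimbra", ZMPROV, subcommand, account]


def run_zmprov(subcommand, account, runner=subprocess.run):
    """Run zmprov through sudo; return (plugin_exit_code, text)."""
    try:
        argv = build_argv(subcommand, account)
    except ValueError as exc:
        return UNKNOWN, f"UNKNOWN - {exc}"
    try:
        # argv is a list and no shell is involved, so nothing in
        # `account` is interpreted by a shell.
        proc = runner(argv, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return UNKNOWN, f"UNKNOWN - could not run sudo: {exc}"
    if proc.returncode != 0:
        return UNKNOWN, f"UNKNOWN - sudo/zmprov failed: {proc.stderr.strip()}"
    return 0, proc.stdout
```

sudoers compares command arguments literally and case-sensitively, so the sub-command spelling and argument list the plugin sends have to correspond to what the `Cmnd_Alias` entries permit; `sudo -l -U nagios` run as root shows the rules sudo actually loaded.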