Linux – Limiting the use of `sudo -s`

Tags: linux, security, sudo

I am setting up Nagios on some of my Linux servers and have run into a bit of an issue. The check_ide_smart plugin requires root access to the system to run. To run it, I use the check_by_ssh plugin to ssh into the nagios account on the remote host, then run check_ide_smart using sudo.

I initially added the following lines to /etc/sudoers to allow the program to work:

nagios  ALL=NOPASSWD: /usr/lib/nagios/plugins/check_ide_smart

While this worked just fine when run locally, I was getting an issue when it was run from Nagios: no TTY was being spawned, which prevented the plugin from working.

I dug into the man page for sudo and found the -s option, which spawns a shell and executes the program in there. When I tried using sudo -s, I ran into permission issues since the -s apparently changes the command into /bin/bash -c /usr/lib/nagios/plugins/check_ide_smart, which is not allowed by the sudoers file. I tried changing the sudoers file to use that command instead, but that didn't work, and using quotation marks is a syntax error.

I eventually got it to work by using the following line in /etc/sudoers:

nagios ALL=/bin/bash

This feels really wrong to me since I'm allowing the nagios user to spawn a root shell, with which they can do anything.

At this point, I thought that maybe putting the command in a shell script that the nagios user has read-only privileges on would work, so I created a shell script:

#!/bin/sh
# With bash -c, extra arguments become $0, $1, ... of the -c script, so the
# script itself must expand "$@" (quoted, to keep each argument intact).
/bin/bash -c '/usr/lib/nagios/plugins/check_ide_plugin "$@"' check_ide_plugin "$@"

Unfortunately, I could never get the passed parameters ($@) to correctly work with the plugin, so I don't know if this would work. Edit: I needed to quote the $@ for it to work. Thanks @derobert and @pjz. I still don't know if it would work since I got it to work using @Mike Arthur's solution.

Is there a way that I can get sudo -s to work while not allowing the spawning of a root shell?

Answer:

Added the following line to /etc/sudoers:

nagios ALL=NOPASSWD: /bin/bash -c /usr/lib/nagios/plugins/check_ide_smart *

Note the trailing asterisk; without it, this does not work. Thanks @Mike Arthur for the answer.

Best Answer

nagios ALL=NOPASSWD: /bin/bash -c /usr/lib/nagios/plugins/check_ide_smart *

This should work and allow arguments.
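The following is an added example, not code from the thread or from sudo itself: a small Python model of how sudoers matches a Cmnd's arguments, used to replay the three rules discussed above (the bare plugin path, the `/bin/bash -c ...` line that "didn't work", and the accepted answer with the trailing `*`) against what `sudo -s` actually asks sudo to run. It assumes the invoking user's shell is /bin/bash and approximates sudo's matcher with fnmatch (the real one also handles quoting, digests and sudoedit); the rule strings are the Cmnd part only, with the `nagios ALL=NOPASSWD:` prefix dropped. It also includes an audit check, `shell_dash_c_wildcard`, that flags the pattern the accepted answer relies on, because a wildcard after `bash -c` lets the caller supply the entire command string the shell executes, which is the same exposure as the `nagios ALL=/bin/bash` rule the asker wanted to avoid.

```python
import fnmatch

# Constructed rules modelled on the sudoers lines quoted in the thread
# (Cmnd part only; "nagios ALL=NOPASSWD:" is the same for all of them).
PLUGIN = "/usr/lib/nagios/plugins/check_ide_smart"
RULE_PLAIN = PLUGIN                                   # the asker's first rule
RULE_BASH_EXACT = "/bin/bash -c " + PLUGIN            # the attempt that "didn't work"
RULE_BASH_WILDCARD = "/bin/bash -c " + PLUGIN + " *"  # the accepted answer

# Assumed shell for `sudo -s`; sudo really uses $SHELL or the passwd entry.
ASSUMED_SHELL = "/bin/bash"

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh"}


def parse_cmnd(cmnd):
    """Split a sudoers Cmnd into (path, argument pattern).

    None means "any arguments are allowed" (sudoers(5): a Cmnd with no
    arguments may be run with any arguments); '""' means "no arguments";
    otherwise the pattern is compared with the user's arguments.
    """
    path, _, args = cmnd.strip().partition(" ")
    args = args.strip()
    return path, (args if args else None)


def sudo_s_argv(shell, args):
    """What `sudo -s cmd args...` asks sudo to run: the shell with -c and
    the user's words joined into one command string."""
    return [shell, "-c", " ".join(args)]


def cmnd_permits(cmnd, argv):
    """Approximate sudoers matching for an unquoted rule: argv[0] must equal
    the rule path, and the remaining arguments, joined by single spaces,
    must match the rule's argument pattern with fnmatch semantics, where
    '*' matches any characters including spaces (as sudoers(5) warns)."""
    path, pattern = parse_cmnd(cmnd)
    if not argv or argv[0] != path:
        return False
    user_args = " ".join(argv[1:])
    if pattern is None:
        return True
    if pattern == '""':
        return user_args == ""
    return fnmatch.fnmatchcase(user_args, pattern)


def shell_dash_c_wildcard(cmnd):
    """Audit check: flag rules that hand the caller a shell, either outright
    (bare shell path, any arguments) or via `-c` with a wildcard in the
    command string, since the shell executes whatever the wildcard admits."""
    path, pattern = parse_cmnd(cmnd)
    if path not in SHELLS:
        return False
    return pattern is None or (pattern.startswith("-c ") and "*" in pattern)


if __name__ == "__main__":
    nagios_call = [PLUGIN, "-d", "/dev/sda"]  # constructed plugin invocation
    for name, rule in (("plain", RULE_PLAIN), ("bash-exact", RULE_BASH_EXACT),
                       ("bash-wildcard", RULE_BASH_WILDCARD)):
        direct = cmnd_permits(rule, nagios_call)
        via_s = cmnd_permits(rule, sudo_s_argv(ASSUMED_SHELL, nagios_call))
        flagged = shell_dash_c_wildcard(rule)
        print(f"{name:14} direct={direct!s:5} sudo -s={via_s!s:5} shell-risk={flagged}")
```

Running the block prints one line per rule: the bare plugin rule permits the direct call but not the `sudo -s` form (argv[0] becomes /bin/bash), the exact `bash -c` rule permits `sudo -s` only when the plugin gets no arguments, and the wildcard rule permits every `sudo -s` invocation, which is why the audit check flags it together with the bare `/bin/bash` rule.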