First of all: I know there were already questions about this issue, but even using their answers I still cannot figure out why my command is not working.
What I want to do is call a script on a remote host using NRPE. However, what the script is going to do may only be executed by a specific user (let's call him userA).
- Now, my NRPE command looks like:
command[debug_now]=/usr/local/bin/debug_now
- My sudoers have entry
nagios ALL=(tomcat) NOPASSWD: /usr/local/bin/debug_now
as I noticed the user calling the scripts from nrpe.cfg is called nagios.
- Script /usr/local/bin/debug_now looks like:
#!/bin/sh
whoami
echo "Debug..."
sudo -u tomcat whoami
echo "Debug finished"
The script above has the same permissions as other scripts and can be executed by user nagios. What's more, when it is executed locally it pretty prints:
nagios
Debug...
tomcat
Debug finished
and it's generally working as intended. However, when it's called from the management host, it prints only
nagios
Debug...
Debug finished
This is probably caused by NRPE: Cannot read output, which appears every time I try to sudo anything from the management host. I already tried adding the entry Defaults !requiretty to sudoers with no success. I use Debian 6.0.7. What can I do to make my script work when called from the management host?
EDIT.
First of all, directory /etc/sudoers.d/ contains only file README.
userA real name should be tomcat.
Let's take a look at visudo output then:
Defaults env_reset
Defaults !requiretty
root ALL=(ALL) ALL
nagios ALL=(tomcat) NOPASSWD: /usr/bin/whoami
%www ALL=(ALL) NOPASSWD: /bin/su - www
%tomcat ALL=(ALL) NOPASSWD: /bin/su - tomcat
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat stop
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat start
%tomcat ALL=(ALL) NOPASSWD: /etc/init.d/tomcat restart
Please note I tried even nagios ALL=(tomcat) NOPASSWD: ALL and nagios ALL=(ALL) NOPASSWD: ALL. I also removed a few user entries like username ALL=(ALL) NOPASSWD: ALL.
NRPE
$ tail -n 1 /etc/nagios/nrpe.cfg
command[debug_now]=/usr/local/bin/debug_now
$ ls -l /usr/local/bin/debug_now
-rwxr-xr-x 1 root staff 573 Dec 2 09:06 /usr/local/bin/debug_now
$ ls -lh /usr/local | grep bin
drwxrwsr-x 2 root staff 4.0K Dec 2 09:12 bin
$ ls -lh /usr | grep local
drwxrwsr-x 14 root staff 4.0K Oct 22 2010 local
From another host
$ /usr/lib/nagios/plugins/check_nrpe -H <ip address> -c debug_now
nagios
Debug...
Debug finished
Best Answer
Oh God, I feel so ashamed right now.
Everything is fine. You need to RESTART nagios-nrpe-server after changing sudoers, reload is not enough. Reload is fine if you only change nrpe.cfg or other config file.
@MadHatter, @Keith - thank you guys for your help!
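NRPE hands back only what a plugin writes to stdout, so when sudo fails inside the script its error message (written to stderr) never reaches the management host and the tomcat line simply goes missing, as in the question. The sketch below is an added example, not code from the question or the answer: it folds sudo's stderr into the plugin output and returns the Nagios UNKNOWN status (3) so the failure is visible in check_nrpe. The function name run_as and the SUDO override variable are hypothetical.

```shell
#!/bin/sh
# Added example: make a failing sudo call visible through NRPE instead of
# letting its stderr message disappear.

# SUDO is an assumed override hook so the wrapper can be exercised with a stub.
SUDO="${SUDO:-sudo}"

# run_as USER CMD [ARGS...]
# Prints the command's output on stdout; on failure prints sudo's (or the
# command's) error text on stdout and returns 3 (Nagios UNKNOWN).
run_as() {
    user="$1"; shift
    rc=0
    # -n: never prompt; fail at once if sudoers would require a password.
    # 2>&1: NRPE only reads stdout, so capture the error text as well.
    out=$("$SUDO" -n -u "$user" "$@" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "UNKNOWN: sudo -u $user $* failed (rc=$rc): $out"
        return 3
    fi
    echo "$out"
    return 0
}

# Act as the plugin only when installed under the name used in nrpe.cfg.
case "${0##*/}" in
    debug_now)
        whoami
        echo "Debug..."
        status=0
        run_as tomcat whoami || status=$?
        echo "Debug finished"
        exit "$status"
        ;;
esac
```

With this in place, a sudoers rule that is not being honoured shows up in the check_nrpe output on the management host as an UNKNOWN line carrying sudo's own message.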