Server Fault Asked by lorenzog on January 3, 2022
I am trying to monitor my legacy zimbra installation (running on an outdated Ubuntu 8.x) from my nagios install (running on a more recent OpenBSD).
The problem is that when I run check_nrpe from the nagios server it complains:
nagios-server$ sudo su -m _nagios -c "/usr/local/libexec/nagios/check_nrpe -H ZIMBRA_HOST -c check_zimbra"
CHECK_NRPE: No output returned from daemon.
Note that the zimbra server’s NRPE configuration runs:
command[check_zimbra]=/usr/lib/nagios/plugins/check_zimbra.pl
On the other hand, running the plugin locally on the zimbra server works fine from root:
zimbra-server# ./check_zimbra.pl
HOST : ZIMBRA_HOST, ldap : OK, logger : STOPPED and zmlogswatchctl down, mailbox : OK, mta : STOPPED and zmmtaconfigctl down and zmsaslauthdctl down, snmp : STOPPED, spell : OK, stats : OK
However, running it as nagios user on the zimbra server complains about the path:
zimbra-server# su -m nagios -c "./check_zimbra.pl"
Insecure $ENV{PATH} while running setuid at ./check_zimbra.pl line 32.
Line 32 recites:
7 $zimbra_status_command='/opt/zimbra/bin/zmcontrol status';
[snip]
32 open (ZMSTATUS, "$zimbra_status_command |");
I have a suspicion it might have something to do with suid perl. In fact, following this advice and adding this line to the check_zimbra.pl file,
delete @ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
I get the following:
zimbra-server# su -m nagios -c "./check_zimbra.pl"
Insecure dependency in piped open while running setuid at /opt/zimbra/bin/zmcontrol line 389.
Anyhow, on the zimbra server I have installed the check_zimbra.pl plugin, which is suid zimbra so I can run it from the nagios user:
zimbra-server# ls -la check_zimbra.pl
-rwsr-xr-x 1 zimbra root 2885 2010-01-11 21:14 check_zimbra.pl
I have modified /etc/sudoers so that the nagios user can run the appropriate zimbra monitoring tool:
%nagios ALL=(zimbra) NOPASSWD:/opt/zimbra/bin/zmcontrol
I am stuck.. is there any other way to run the check_zimbra.pl plugin as nagios user, being able to run the zmcontrol status command as zimbra user..?
Thanks,
perldoc perlsec states that should set @ENV{'PATH'} to a known value, not unset it !
Blockquote For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be absolute and non-writable by others than its owner and group. You may be surprised to get this message even if the pathname to your executable is fully qualified. This is not generated because you didn't supply a full path to the program; instead, it's generated because you never set your PATH environment variable, or you didn't set it to something that was safe. Because Perl can't guarantee that the executable in question isn't itself going to turn around and execute some other program that is dependent on your PATH, it makes sure you set the PATH.
Answered by Paul Ezvan on January 3, 2022
0 Asked on September 20, 2020 by user3786071
1 Asked on September 19, 2020 by gogators
0 Asked on September 16, 2020 by maralc
1 Asked on September 14, 2020 by barisdad
3 Asked on September 13, 2020 by doltknuckle
0 Asked on September 13, 2020 by shailendra-pratap-singh
1 Asked on September 13, 2020 by bruce-adams
1 Asked on September 12, 2020 by mavsafe
0 Asked on September 12, 2020 by nick-g
1 Asked on September 11, 2020 by wpdeve
1 Asked on September 9, 2020 by mvi-solutions
3 Asked on September 3, 2020 by mustafa-chelik
0 Asked on September 3, 2020 by nikel
1 Asked on August 31, 2020 by mohammad-nikravan
0 Asked on August 31, 2020 by jugmac00
5 Asked on August 29, 2020 by shevek
1 Asked on August 25, 2020 by kevin-sedgley
Get help from others!
Recent Questions
Recent Answers
© 2023 AnswerBun.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP