Server Fault Asked by lorenzog on January 3, 2022
I am trying to monitor my legacy zimbra installation (running on an outdated Ubuntu 8.x) from my nagios install (running on a more recent OpenBSD).
The problem is that when I run check_nrpe from the nagios server it complains:
nagios-server$ sudo su -m _nagios -c "/usr/local/libexec/nagios/check_nrpe -H ZIMBRA_HOST -c check_zimbra"
CHECK_NRPE: No output returned from daemon.
Note that the zimbra server’s NRPE configuration runs:
command[check_zimbra]=/usr/lib/nagios/plugins/check_zimbra.pl
On the other hand, running the plugin locally on the zimbra server works fine from root:
zimbra-server# ./check_zimbra.pl
HOST : ZIMBRA_HOST, ldap : OK, logger : STOPPED and zmlogswatchctl down, mailbox : OK, mta : STOPPED and zmmtaconfigctl down and zmsaslauthdctl down, snmp : STOPPED, spell : OK, stats : OK
However, running it as nagios user on the zimbra server complains about the path:
zimbra-server# su -m nagios -c "./check_zimbra.pl"
Insecure $ENV{PATH} while running setuid at ./check_zimbra.pl line 32.
Line 32 recites:
7 $zimbra_status_command='/opt/zimbra/bin/zmcontrol status';
[snip]
32 open (ZMSTATUS, "$zimbra_status_command |");
I have a suspicion it might have something to do with suid perl. In fact, following this advice and adding this line to the check_zimbra.pl file,
delete @ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
I get the following:
zimbra-server# su -m nagios -c "./check_zimbra.pl"
Insecure dependency in piped open while running setuid at /opt/zimbra/bin/zmcontrol line 389.
Anyhow, on the zimbra server I have installed the check_zimbra.pl plugin, which is suid zimbra so I can run it from the nagios user:
zimbra-server# ls -la check_zimbra.pl
-rwsr-xr-x 1 zimbra root 2885 2010-01-11 21:14 check_zimbra.pl
I have modified /etc/sudoers so that the nagios user can run the appropriate zimbra monitoring tool:
%nagios ALL=(zimbra) NOPASSWD:/opt/zimbra/bin/zmcontrol
I am stuck.. is there any other way to run the check_zimbra.pl plugin as nagios user, being able to run the zmcontrol status command as zimbra user..?
Thanks,
perldoc perlsec states that should set @ENV{'PATH'} to a known value, not unset it !
Blockquote For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be absolute and non-writable by others than its owner and group. You may be surprised to get this message even if the pathname to your executable is fully qualified. This is not generated because you didn't supply a full path to the program; instead, it's generated because you never set your PATH environment variable, or you didn't set it to something that was safe. Because Perl can't guarantee that the executable in question isn't itself going to turn around and execute some other program that is dependent on your PATH, it makes sure you set the PATH.
Answered by Paul Ezvan on January 3, 2022
1 Asked on December 9, 2021 by tyr_90
3 Asked on December 9, 2021 by tom-klino
2 Asked on December 9, 2021
1 Asked on December 9, 2021 by 0leg
3 Asked on December 9, 2021
1 Asked on December 9, 2021 by sudip
3 Asked on December 9, 2021 by chris9834
1 Asked on December 9, 2021 by tuckson
1 Asked on December 9, 2021 by mkopriva
0 Asked on December 9, 2021 by bstorm
0 Asked on December 9, 2021
1 Asked on December 7, 2021 by davewolfs
2 Asked on December 7, 2021 by chandan-singh
1 Asked on December 7, 2021
google cloud platform google kubernetes engine https kubernetes websocket
2 Asked on December 7, 2021 by dg-dm
1 Asked on December 7, 2021
Get help from others!
Recent Answers
Recent Questions
© 2023 AnswerBun.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP