AnswerBun.com

Troubles monitoring a zimbra installation with nagios

Server Fault Asked by lorenzog on January 3, 2022

I am trying to monitor my legacy zimbra installation (running on an outdated Ubuntu 8.x) from my nagios install (running on a more recent OpenBSD).

The problem is that when I run check_nrpe from the nagios server it complains:

nagios-server$ sudo su -m _nagios -c "/usr/local/libexec/nagios/check_nrpe -H ZIMBRA_HOST -c check_zimbra"
CHECK_NRPE: No output returned from daemon.

Note that the zimbra server’s NRPE configuration runs:

command[check_zimbra]=/usr/lib/nagios/plugins/check_zimbra.pl

On the other hand, running the plugin locally on the zimbra server works fine from root:

zimbra-server# ./check_zimbra.pl 
HOST : ZIMBRA_HOST, ldap : OK, logger : STOPPED and zmlogswatchctl down, mailbox : OK, mta : STOPPED and zmmtaconfigctl down and zmsaslauthdctl down, snmp : STOPPED, spell : OK, stats : OK

However, running it as nagios user on the zimbra server complains about the path:

zimbra-server# su -m nagios -c "./check_zimbra.pl" 
Insecure $ENV{PATH} while running setuid at ./check_zimbra.pl line 32.

Line 32 reads:

7  $zimbra_status_command='/opt/zimbra/bin/zmcontrol status';
[snip]
32 open (ZMSTATUS, "$zimbra_status_command |");

I have a suspicion it might have something to do with suid perl. In fact, following this advice and adding this line to the check_zimbra.pl file,

delete @ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

I get the following:

zimbra-server# su -m nagios -c "./check_zimbra.pl" 
Insecure dependency in piped open while running setuid at /opt/zimbra/bin/zmcontrol line 389.

Anyhow, on the zimbra server I have installed the check_zimbra.pl plugin, which is suid zimbra so I can run it from the nagios user:

zimbra-server# ls -la check_zimbra.pl 
-rwsr-xr-x 1 zimbra root 2885 2010-01-11 21:14 check_zimbra.pl

I have modified /etc/sudoers so that the nagios user can run the appropriate zimbra monitoring tool:

%nagios ALL=(zimbra) NOPASSWD:/opt/zimbra/bin/zmcontrol

I am stuck. Is there any other way to run the check_zimbra.pl plugin as the nagios user, while being able to run the zmcontrol status command as the zimbra user?

Thanks,

One Answer

perldoc perlsec states that you should set @ENV{'PATH'} to a known value, not unset it!

> For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be absolute and non-writable by others than its owner and group. You may be surprised to get this message even if the pathname to your executable is fully qualified. This is not generated because you didn't supply a full path to the program; instead, it's generated because you never set your PATH environment variable, or you didn't set it to something that was safe. Because Perl can't guarantee that the executable in question isn't itself going to turn around and execute some other program that is dependent on your PATH, it makes sure you set the PATH.

Answered by Paul Ezvan on January 3, 2022
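
One way to apply the perlsec advice without a setuid script, as an added example that is not the original check_zimbra.pl and not part of either post: the plugin stays non-setuid, sets PATH to a known value, and reaches zmcontrol through the sudoers rule from the question with a list-form piped open. The sudo path, the `Running`/`Stopped` line layout and the `--selftest` flag are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not the original check_zimbra.pl. Install it without setuid.
use strict;
use warnings;

# perlsec: set PATH to a known value (absolute directories, not writable by
# others) and drop the other variables that taint checks reject.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Uses the sudoers rule from the question; /usr/bin/sudo is an assumption.
my @cmd = ('/usr/bin/sudo', '-u', 'zimbra', '/opt/zimbra/bin/zmcontrol', 'status');

# Turn status lines into a Nagios (exit code, message) pair.
# Assumed layout: "<service>  Running" or "<service>  Stopped" per line.
sub evaluate {
    my (@ok, @down);
    for (@_) {
        next unless /^\s*(\w[\w -]*?)\s+(Running|Stopped)\s*$/;
        if ($2 eq 'Running') { push @ok, $1 } else { push @down, $1 }
    }
    return (3, 'UNKNOWN: no service lines from zmcontrol') unless @ok || @down;
    return (2, 'CRITICAL: stopped: ' . join(', ', @down)) if @down;
    return (0, 'OK: ' . join(', ', @ok));
}

sub read_status {
    # List-form piped open runs sudo directly, with no shell in between.
    open(my $fh, '-|', @cmd) or return ();
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Constructed sample so the parser can be exercised offline with --selftest.
my @sample = ("Host mail.example.test\n", "\tldap    Running\n",
              "\tlogger  Stopped\n", "\t\tzmlogswatchctl is not running.\n");

my @lines = (@ARGV && $ARGV[0] eq '--selftest') ? @sample : read_status();
my ($code, $msg) = evaluate(@lines);
print "$msg\n";
exit $code;
```

Because sudo switches to the zimbra user before zmcontrol starts, the plugin no longer needs the setuid bit. The sudoers entry can also be narrowed to `/opt/zimbra/bin/zmcontrol status`, so the nagios group cannot start or stop services.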
