LinuxQuestions.org
Old 08-12-2011, 07:10 AM   #1
XXLRay
Member
 
Registered: May 2010
Posts: 133

Rep: Reputation: 16
Run single nagios check as different user


I have a problem with my ldap server. It only starts when all certificates defined by TLS_CACERTDIR in /etc/openldap/ldap.conf are readable. This is not a big issue in itself and can be fixed by "chmod -R +r /path/to/certdir".

Unfortunately updates, e.g. of imap, install new certificates in that directory and don't care whether the user ldap can read them or not. The ldap still keeps running. So far everything is fine. But when I have to reboot the ldap server host, e.g. for kernel updates, the ldap server does not boot. As I perform these reboots only rarely this usually causes confusion and trouble. I have a second and third fallback ldap server, thus my system is still functional. Nevertheless it takes some time until I recognize that the primary ldap server has not come back. Then there is a lot of panic until I read my ldap-reboot-issue documentation and remember that there was a problem concerning the certificates.

I wrote a small script to check whether all files in a directory are readable:
Code:
#!/bin/bash

USAGE="
Checks if all files in the target directory are readable.

Usage: $(basename "$0") [-h] -d <directory>
  directory:  a folder in which all files shall be checked for read access

e.g.: $(basename "$0") -d /var/log

"

while getopts hd: OPT
do
  case "$OPT" in
    h)  echo "$USAGE"          # quoted so the multi-line text keeps its line breaks
        exit 1
        ;;
    d)  DIRECTORY=$OPTARG
        ;;
    [?])  echo "$USAGE" >&2
        exit 1
        ;;
  esac
done

# check parameters
if [ "$DIRECTORY" == "" ]
then
  echo "$USAGE"
  exit 1
fi
ALLREADABLE=1

# quoting keeps paths with spaces intact; -r is evaluated for the user running the script
for FILE in "$DIRECTORY"/*
do
  if [ ! -r "$FILE" ]
  then
    ALLREADABLE=0
  fi
done

if [ $ALLREADABLE -eq 0 ]
then
  echo "Not all files in $DIRECTORY are readable. This might result from an automatic update. Check which files are affected manually"
  exit 1
else
  echo "ldap: All files in $DIRECTORY readable by $(whoami) - this is good!"
fi

exit 0
Currently I have installed a cronjob to check the certificates ("crontab -e -u ldap"):
Code:
MAILTO="root"
00 14 * * * /path/to/checkFilesForRead.sh -d /etc/openldap/cacerts
MAILTO=""
But I would rather like to have it as a Nagios check. Is there a way to run this script via nrpe as user "ldap" where all other nrpe checks are performed by user "nrpe"? Or is there a different way to let a check executed as user "nrpe" inspect whether a file is readable by user "ldap"?

Last edited by XXLRay; 08-15-2011 at 10:23 AM.
 
Old 08-12-2011, 11:12 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
You could do sudo to run the script by giving nrpe (nagios) permission to run sudo without a password in the sudoers file.

You would of course have to modify the script to give standard Nagios exit codes.
 
Old 08-14-2011, 05:06 AM   #3
XXLRay
Member
 
Registered: May 2010
Posts: 133

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by MensaWater
You could do sudo to run the script by giving nrpe (nagios) permission to run sudo without a password in the sudoers file.
But it should run as user "ldap". Otherwise I only check whether the user "nrpe" can read the files and this is not what I want.
 
Old 08-15-2011, 06:21 AM   #4
XXLRay
Member
 
Registered: May 2010
Posts: 133

Original Poster
Rep: Reputation: 16
As the user "nrpe" is allowed to execute getfacl, I could even parse this output. But this will mean a lot of work for me. Isn't there an easier way?

Last edited by XXLRay; 08-15-2011 at 06:27 AM.
 
Old 08-15-2011, 10:32 AM   #5
XXLRay
Member
 
Registered: May 2010
Posts: 133

Original Poster
Rep: Reputation: 16
I now set a default acl for the directory (which seems to be ignored/overwritten by some updates - note that you have to mount your hard drive with acls for that):
Code:
setfacl -m d:other::rx /etc/openldap/cacerts/
Furthermore I wrote a Nagios script where I am parsing the getfacl output (which should work even if your drive is mounted without acls) just in case someone is interested in it:
Code:
#!/bin/bash

USER="ldap"
# "groups ldap" prints "ldap : group1 group2 ...", strip the "ldap :" prefix
USERGROUPS=$(groups "$USER" | sed 's/^'"${USER}"' ://')
FOLDER="/etc/openldap/cacerts"
# stays 1 when the folder is empty, so the final test does not fail on an unset variable
READPERMISSION=1
# note: the ACL mask entry is not considered, so a named user/group entry that is
# limited by the mask is still counted as readable

for FILENAME in "$FOLDER"/*
do
  READPERMISSION=0

  # check read permissions for other
  ACLS=$(getfacl --absolute-names "$FILENAME" | grep "other::" | sed 's/other:://g')
  if [ "${ACLS:0:1}" == "r" ]
  then
    # everyone may read, so ldap may read
    READPERMISSION=1
  fi

  if [ $READPERMISSION -eq 0 ]
  then
    # check permissions for group
    # getfacl prints the owning group as "# group: <name>"; check if ldap is in that group
    FETCHEDGROUP=$(getfacl --absolute-names "$FILENAME" | grep "# group: " | sed 's/# group: //g')
    # -w matches the whole group name only, not e.g. "ldapadmin" when looking for "ldap"
    if [ ${#FETCHEDGROUP} -ne 0 ] && echo "$USERGROUPS" | grep -qw "${FETCHEDGROUP}"
    then
      # ldap is in fetched group
      ACLS=$(getfacl --absolute-names "$FILENAME" | grep "group::" | sed 's/group:://g')
      if [ "${ACLS:0:1}" == "r" ]
      then
        READPERMISSION=1
      fi
    fi
  fi

  if [ $READPERMISSION -eq 0 ]
  then
    # check permissions for owner
    # check if ldap is owner
    OWNER=$(getfacl --absolute-names "$FILENAME" | grep "# owner: " | sed 's/# owner: //g')
    if [ "$OWNER" == "$USER" ]
    then
      # ldap is owner
      ACLS=$(getfacl --absolute-names "$FILENAME" | grep "user::" | sed 's/user:://g')
      if [ "${ACLS:0:1}" == "r" ]
      then
        READPERMISSION=1
      fi
    fi
  fi

  if [ $READPERMISSION -eq 0 ]
  then
    # check permissions for acl user
    ACLS=$(getfacl --absolute-names "$FILENAME" | grep "^user:${USER}:" | sed 's/^user:'"${USER}"'://')
    if [ "${ACLS:0:1}" == "r" ]
    then
      READPERMISSION=1
    fi
  fi

  if [ $READPERMISSION -eq 0 ]
  then
    # check if one of the user's groups is in the acls
    for USERGROUP in $USERGROUPS
    do
      ACLS=$(getfacl --absolute-names "$FILENAME" | grep "^group:${USERGROUP}:" | sed 's/^group:'"${USERGROUP}"'://')
      if [ "${ACLS:0:1}" == "r" ]
      then
        READPERMISSION=1
        break
      fi
    done
  fi

  if [ $READPERMISSION -eq 0 ]
  then
    DETAILS="$USER cannot read $FILENAME. This might prevent ldap from booting. Check read permissions in $FOLDER . Perhaps a new certificate without read permissions for ldap has been installed by an update."
    break
  fi

done

if [ $READPERMISSION -eq 0 ]
then
  echo "$DETAILS"
  # exit on warning status
  exit 1
else
  echo "All files in $FOLDER are readable by $USER"
fi

exit 0
 
Old 08-15-2011, 11:09 AM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Quote:
Originally Posted by XXLRay
But it should run as user "ldap". Otherwise I only check whether the user "nrpe" can read the files and this is not what I want.
Glad you resolved your problem.

In answer to the above question: I was saying you can use sudo to allow nrpe to run commands. With sudoers you can run the command as another user. That is to say, if you needed to run a command that only ran as ldap user you could put it in your sudoers as a Cmnd_Alias, something like:
Cmnd_Alias LDAP = su - ldap -c <command>
You would add nrpe as a User_Alias, then do a grant line that gave the nrpe User_Alias permission to run the LDAP Cmnd_Alias, and add the NOPASSWORD option to the grant line so nrpe could execute the command without having to put in its own password (required to allow for automated checks by nrpe).

Since you found nrpe has permission to check what you needed you don't need the above but I figured I'd expand on it for anyone else looking at the thread in the future.
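As an added example (my code, not a script from this thread), here is how the sudo approach from the replies and the Nagios exit-code requirement from post #2 fit together: a plugin meant to be started as the service account through `sudo -u`, so the `-r` test is evaluated with that account's uid. The nrpe.cfg command, the sudoers rule, the install path and the account name `ldap` in the header comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a Nagios-style plugin reporting whether
# every regular file in a directory is readable by the user running it. Started
# through sudo as the service account, the -r test runs with that account's uid.
# Assumed wiring (paths and account names are assumptions, adjust to the host):
#   nrpe.cfg: command[check_ldap_cacerts]=/usr/bin/sudo -u ldap /usr/local/lib/nagios/check_dir_readable.sh -d /etc/openldap/cacerts
#   sudoers : nrpe ALL=(ldap) NOPASSWD: /usr/local/lib/nagios/check_dir_readable.sh -d /etc/openldap/cacerts
# The sudoers rule grants one fixed command line as one target account, nothing more.
# Exit codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# check_dir_readable DIR: prints one status line, returns the Nagios state.
check_dir_readable() {
  dir="$1"; count=0; bad=""
  if [ ! -d "$dir" ]; then
    echo "UNKNOWN - $dir is not a directory"
    return 3
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue        # also skips the literal '*' of an empty directory
    if [ ! -r "$f" ]; then
      count=$((count + 1)); bad="$bad $f"
    fi
  done
  if [ "$count" -gt 0 ]; then
    echo "CRITICAL - $count file(s) in $dir not readable by $(id -un):$bad"
    return 2
  fi
  echo "OK - all files in $dir readable by $(id -un)"
  return 0
}

main() {
  dir=""
  while getopts "d:" opt; do
    case "$opt" in
      d) dir="$OPTARG" ;;
      *) echo "UNKNOWN - usage: $0 -d <directory>"; return 3 ;;
    esac
  done
  [ -n "$dir" ] || { echo "UNKNOWN - no directory given (-d)"; return 3; }
  check_dir_readable "$dir"
}

# Act as a plugin only when arguments were given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
  exit $?
fi
```

Because the plugin runs as the service account rather than parsing ACLs, it also gives the right answer when a default ACL or an ACL mask changes the effective permissions.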
 