Introduction
This how-to describes how to make NRPE execute scripts as another user, like root or backupadmin. This can be useful for plugins that control system services and similar.
It's not recommended to run check plugins or other scripts with NRPE as root - passing non-sanitized arguments to a script could result in arbitrary code execution with system level privileges.
Use the following guide with caution!
Prerequisites
You will need the application sudo, root access to the system and basic UNIX knowledge. The commands below show you how to install sudo on RHEL and Debian-based Linux distributions:
# yum install -y sudo
# apt-get install -y sudo
sudo configuration
We will start by checking which user the NRPE daemon runs as:
# grep "nrpe_user=" /path/to/nrpe.conf
nrpe_user=nrpeuser
Run the sudo configuration tool visudo:
# visudo
You might get prompted to select a text editor - select your editor of choice and continue.
Add the row below under "Defaults specification" to enable execution of sudo commands without a TTY:
Defaults: nrpeuser !requiretty
Create a new row and add one of the following lines to enable password-less execution of the specified command as root or another user:
# Allows running a script as root without any arguments
nrpeuser ALL=(root) NOPASSWD: /path/to/script ""
# Allows running a script as root with fixed arguments
nrpeuser ALL=(root) NOPASSWD: /path/to/script --option-1 "a" --option-2 "b"
# Allows running a script as root with any arguments
# THIS COULD BE DANGEROUS AND IS _NOT_ RECOMMENDED
nrpeuser ALL=(root) NOPASSWD: /path/to/script
Save and exit the text editor to close the visudo utility.
Listing sudo permissions
You can use the "sudo -l" command as the user running NRPE to list allowed commands.
This can help you debug issues - some characters need to be escaped when used with sudo and similar tools.
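An added example, not part of the original how-to: a shell function that classifies each NOPASSWD rule for the NRPE user by how much control over the script's arguments it leaves to the caller. It also flags wildcard arguments, a case the how-to does not list. The script paths and the wildcard rule in the sample are constructed, and the parser assumes one command per rule, no aliases and no line continuations.

```shell
#!/bin/sh
# Added example: audit how much argument freedom each NOPASSWD rule grants.
# Assumptions: one command per rule, no aliases, no line continuations.

classify_rules() {
    user="$1"
    # Normalise tabs, then keep only this user's NOPASSWD rules.
    tr '\t' ' ' | grep -E "^${user} .*NOPASSWD:" | while IFS= read -r line; do
        # Strip everything up to the command, and trailing blanks.
        cmd=$(printf '%s\n' "$line" | sed -e 's/^.*NOPASSWD:[[:space:]]*//' -e 's/[[:space:]]*$//')
        path=${cmd%% *}
        args=$(printf '%s' "${cmd#"$path"}" | sed 's/^[[:space:]]*//')
        case "$args" in
            '')             verdict=ANY_ARGS ;;      # bare path: caller chooses every argument
            '""')           verdict=NO_ARGS ;;       # "" permits the command only without arguments
            *\**|*\?*|*\[*) verdict=WILDCARD_ARGS ;; # glob: caller controls part of the arguments
            *)              verdict=FIXED_ARGS ;;    # arguments must match the rule exactly
        esac
        printf '%s %s\n' "$verdict" "$path"
    done
}

# Constructed sample: the three rule shapes from this guide plus a wildcard rule.
sample_sudoers() {
    cat <<'EOF'
Defaults: nrpeuser !requiretty
# comment lines and Defaults entries are ignored
nrpeuser ALL=(root) NOPASSWD: /usr/local/bin/check_a ""
nrpeuser ALL=(root) NOPASSWD: /usr/local/bin/check_b --option-1 "a" --option-2 "b"
nrpeuser ALL=(root) NOPASSWD: /usr/local/bin/check_c
nrpeuser ALL=(root) NOPASSWD: /usr/local/bin/check_d --file /var/log/*
EOF
}

sample_sudoers | classify_rules nrpeuser
```

Rules reported as ANY_ARGS or WILDCARD_ARGS are the ones to review first, since NRPE can then pass caller-influenced arguments to a script running as root.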
NRPE configuration
Open an NRPE commands configuration file (for example /etc/nrpe.d/custom.cfg) with your text editor of choice and prefix the desired command with sudo:
# Quotes around command arguments need to be escaped with a backslash
command[check_example]=/usr/bin/sudo /path/to/script --option-1 \"a\" --option-2 \"b\"
Save and exit the text editor.
After restarting the NRPE daemon you should now be able to run scripts with NRPE as another user!