No matter how much we may not like it, and no matter how insecure it can potentially be, we occasionally have to run Nagios check scripts (written in scripting languages) as root. (On a side note, this method is also used for my MultiBindAdmin project’s DNS file push). Here’s how to do it:
- Write your check script in the language of your choice and test as root.
- Grab setuid-prog.c from GitHub.
- uncomment the DEFINE for FULL_PATH, change the string to the full path to your script.
- Be sure your script is owned by root, and is chmod at most 755.
- Compile setuid-prog.c:
gcc -o {check_script_name}-wrapper setuid-prog.c - Put the resulting binary in your plugin directory.
- Assuming your checks run as user nagios and group nagios, chown the binary to root:nagios and chmod 4755.
This allows the use of the SUID bit with scripts.
Use at your own risk. I only recommend this on systems where the Nagios account is strongly authenticated, and where ALL users are trusted.
Comments
comments powered by Disqus