NRPE permissions problem
Marc Powell
marc at ena.com
Wed May 13 16:44:21 CEST 2009
On May 13, 2009, at 7:17 AM, Thomas Stearn wrote:
> I have a Nagios server 3.0.6 running on Ubuntu 8.04 Server. It is
> monitoring all things fine on multiple targets except the one below.
>
> On a certain target, I am trying to monitor my /var/log/auth.log
> file for bad activity, such as failed password attempts, or attempts
> to login as invalid users, etc.
>
> I am trying to do this via the check_log plugin via nrpe, but, I get
> a "Log check error: Log file /var/log/auth.log is not readable!"
> when the server checks on it.
>
> The easiest way I have to reproduce the error is the following
> manually executed command from the host server:
> /usr/local/nagios/libexec/check_nrpe -H target -c check_badpw
>
> I know that it means that the file cannot be opened during the
> check, but, I don't understand why.
>
> ls -l of /var/log/auth.log:
> -rw-r----- 1 syslog adm 1590863 2009-05-12 10:47 /var/log/auth.log
>
> In /etc/groups, I have added the "nagios" user to the adm group, so
> I would think it should work.
[chop]
> So, I know it will work if I loosen the permissions on /var/log/
> auth.log, but, I'd prefer to keep them as tight as possible.
>
> When I am logged into the target as nagios and execute "id", I get,
> uid=5308(nagios) gid=5309(nagios) groups=4(adm),5309(nagios)
>
> When I embed "id" into the check_log script, I get:
> uid=5308(nagios) gid=5309(nagios)
>
> so, it would seem that it does not inherit the groups as I would
> assume it would.
I'm certain this was recently discussed but my search-fu is weak this
morning. It might have been on -devel or nagios-plugins though... I
didn't follow closely but the gist of it (I believe) is that xinetd
drops/ignores any secondary groups the user is a member of before
starting the server. No secondary groups, no access in your case.
Looking at my xinetd.conf man page, I see the following which may
help. You may also have better search-fu than me and can find the
original thread...
groups    Takes either "yes" or "no". If the groups attribute is set to
          "yes", then the server is executed with access to the groups
          that the server's effective UID has access to. If the groups
          attribute is set to "no", then the server runs with no
          supplementary groups. This attribute must be set to "yes" for
          many BSD systems. This attribute can be set in the defaults
          section as well.
--
Marc
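As an added example (not code from this thread or from the NRPE project), a small shell script with two helpers for the situation above: a readability probe that reports the effective user and supplementary groups a check actually runs with, and a generator for an /etc/xinetd.d/nrpe stanza that sets the "groups = yes" attribute from the man page excerpt. The paths, port 5666, the nrpe.cfg location, the --inetd flag and the only_from address are assumptions modelled on NRPE's sample xinetd configuration; adjust them to the installation.

```shell
#!/bin/sh
# Added example, not from the thread or from NRPE itself. Paths, port,
# service name and the only_from address are assumptions.

# log_readable FILE: return 0 (OK) if FILE is readable by this process,
# otherwise 2 (CRITICAL). Both messages include the effective user and the
# supplementary groups, which is the information the original check lacked:
# without 'groups = yes' the list shows only the primary group, not adm.
log_readable() {
    if [ -r "$1" ]; then
        printf 'OK: %s readable as %s (groups: %s)\n' "$1" "$(id -un)" "$(id -Gn)"
        return 0
    fi
    printf 'CRITICAL: %s not readable as %s (groups: %s)\n' "$1" "$(id -un)" "$(id -Gn)"
    return 2
}

# xinetd_nrpe_stanza ALLOWED_HOST: print an xinetd service definition for
# nrpe. 'groups = yes' makes xinetd start nrpe with the supplementary groups
# of the nagios user (adm here), so /var/log/auth.log can stay 0640 root/adm.
xinetd_nrpe_stanza() {
    cat <<EOF
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        groups          = yes
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 $1
}
EOF
}

# Demo (constructed): probe the log file, then print the stanza for a
# monitoring host at 192.0.2.10 (a documentation address, not a real server).
if [ "${1:-}" = "--demo" ]; then
    log_readable /var/log/auth.log
    xinetd_nrpe_stanza 192.0.2.10
fi
```

Run the probe through NRPE in place of the failing check once, and the CRITICAL line will show whether adm is missing from the groups list; after the stanza is installed and xinetd reloaded, the same probe should report OK.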
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users