NRPE permissions problem

Thomas Stearn tom at edispatches.com
Wed May 13 17:33:53 CEST 2009
Previous message: NRPE permissions problem
Next message: NRPE permissions problem
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Thank you!!!!!  That was so simple, and yet, no matter where I tried
searching, I could not come up with it!!!

It worked like a champ!

Tom

And, thanks again for the previous help ;-)


On Wed, May 13, 2009 at 10:44 AM, Marc Powell <marc at ena.com> wrote:

>
> On May 13, 2009, at 7:17 AM, Thomas Stearn wrote:
>
> > I have a Nagios server 3.0.6 running on Ubuntu 8.04 Server.  It is
> > monitoring all things fine on multiple targets except the one below.
> >
> > On a certain target, I am trying to monitor my /var/log/auth.log
> > file for bad activity, such as failed password attempts, or attempts
> > to login as invalid users, etc.
> >
> > I am trying to do this via the check_log plugin via nrpe, but, I get
> > a "Log check error: Log file /var/log/auth.log is not readable!"
> > when the server checks on it.
> >
> > The easiest way I have to reproduce the error is the following
> > manually executed command from the host server:
> > /usr/local/nagios/libexec/check_nrpe -H target -c check_badpw
> >
> > I know that it means that the file cannot be opened during the
> > check, but, I don't understand why.
> >
> > ls -l of /var/log/auth.log:
> > -rw-r----- 1 syslog adm 1590863 2009-05-12 10:47 /var/log/auth.log
> >
> > In /etc/groups, I have added the "nagios" user to the adm group, so
> > I would think it should work.
>
> [chop]
>
> > So, I know it will work if I loosen the permissions on /var/log/
> > auth.log, but, I'd prefer to keep them as tight as possible.
> >
> > When I am logged into the target as nagios and execute "id", I get,
> > uid=5308(nagios) gid=5309(nagios) groups=4(adm),5309(nagios)
> >
> > When I embed "id" into the check_log script, I get:
> > uid=5308(nagios) gid=5309(nagios)
> >
> > so, it would seem that it does not inherit the groups as I would
> > assume it would.
>
> I'm certain this was recently discussed but my search-fu is weak this
> morning. It might have been on -devel or nagios-plugins though... I
> didn't follow closely but the gist of it (I believe) is that xinetd
> drops/ignores any secondary groups the user is a member of before
> starting the server. No secondary groups, no access in your case.
> Looking at my xinetd.conf man page, I see the following which may
> help. You may also have better search-fu than me and can find the
> original thread...
>
>        groups           Takes  either  "yes" or "no".  If the groups
> attribute
>                         is set to "yes", then  the  server  is
> executed  with
>                         access  to  the groups that the server's
> effective UID
>                         has access to.  If the  groups  attribute
> is  set  to
>                         "no",  then  the  server  runs  with  no
> supplementary
>                         groups.  This attribute must be set to "yes"
> for  many
>                         BSD  systems.   This  attribute  can  be
> set  in  the
>                         defaults section as well.
>
>
> --
> Marc
>
>
>
> ------------------------------------------------------------------------------
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK
> i700
> Series Scanner you'll get full speed at 300 dpi even with all image
> processing features enabled. http://p.sf.net/sfu/kodak-com
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-lists.org/archive/users/attachments/20090513/5b6ab341/attachment.html>
-------------- next part --------------
------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image 
processing features enabled. http://p.sf.net/sfu/kodak-com
-------------- next part --------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
Previous message: NRPE permissions problem
Next message: NRPE permissions problem
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list