<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000099"> One person suggested my openssl version might be too new (0.9.8). I just removed it and installed 0.9.7i, older enough version to be safe and one that I know another user has in a working configuration. After compiling it, I then recompiled NRPE against it and copied the files in place. It still fails with the same error. /var/log/system.log shows: <blockquote>Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root! </blockquote> I had it set to run as nobody:nobody, but that wasn’t working. I even tried setting to run as daemon:wheel, but the same results. Finally, I created a nagios user and configured /etc/xinetd.d/nrpe to run as nagios:nagios and updated /etc/nagios/nrpe.cfg to use the same. However, all remote tests still result in the following: >From the server: <blockquote>[nagios@nagios ~]$ /usr/local/nagios/libexec/check_nrpe -H seth CHECK_NRPE: Error - Could not complete SSL handshake. </blockquote> >From the client: <blockquote>Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root! </blockquote> Scouring Google shows that the “cannot be run as ... root” error is in the nrpe.c code. What I can’t figure out is why its trying to run as root instead of the configured user... Anyone running NRPE with xinetd for Mac’s? I’m frustrated enough that I almost just want to use check_by_ssh, but I’d prefer to get this working and keep things consistent (ie: with NRPE). My /etc/nagios/nrpe.cfg and /etc/xinetd.d/nrpe are below: <blockquote>seth:/etc/xinetd.d root# pwd /etc/xinetd.d seth:/etc/xinetd.d root# cat nrpe # /etc/xinetd.d/nrpe # description: NRPE # default: on service nrpe { flags = REUSE socket_type = stream port = 5666 wait = no user = nagios group = nagios server = /usr/local/sbin/nrpe server_args = -c /etc/nagios/nrpe.cfg --inetd log_on_failure += USERID disable = no only_from = 127.0.0.1 10.1.1.170 } </blockquote> --------------------------- <blockquote>seth:/etc/nagios root# pwd /etc/nagios seth:/etc/nagios root# cat nrpe.cfg ############################################################################# # Sample NRPE Config File # Written by: Ethan Galstad (<a class="moz-txt-link-abbreviated" href="mailto:nagios@nagios.org">nagios@nagios.org</a>) # # Last Modified: 11-23-2007 # # NOTES: # This is a sample configuration file for the NRPE daemon. It needs to be # located on the remote host that is running the NRPE daemon, not the host # from which the check_nrpe client is being executed. ############################################################################# # LOG FACILITY # The syslog facility that should be used for logging purposes. log_facility=daemon # PID FILE # The name of the file in which the NRPE daemon should write it's process ID # number. The file is only written if the NRPE daemon is started by the root # user and is running in standalone mode. pid_file=/var/run/nrpe.pid # PORT NUMBER # Port number we should wait for connections on. # NOTE: This must be a non-priviledged port (i.e. > 1024). # NOTE: This option is ignored if NRPE is running under either inetd or xinetd server_port=5666 # SERVER ADDRESS # Address that nrpe should bind to in case there are more than one interface # and you do not want nrpe to bind on all interfaces. # NOTE: This option is ignored if NRPE is running under either inetd or xinetd #server_address=127.0.0.1 # NRPE USER # This determines the effective user that the NRPE daemon should run as. # You can either supply a username or a UID. # # NOTE: This option is ignored if NRPE is running under either inetd or xinetd nrpe_user=nagios # NRPE GROUP # This determines the effective group that the NRPE daemon should run as. # You can either supply a group name or a GID. # # NOTE: This option is ignored if NRPE is running under either inetd or xinetd nrpe_group=nagios # ALLOWED HOST ADDRESSES # This is an optional comma-delimited list of IP address or hostnames # that are allowed to talk to the NRPE daemon. # # Note: The daemon only does rudimentary checking of the client's IP # address. I would highly recommend adding entries in your /etc/hosts.allow # file to allow only the specified host to connect to the port # you are running this daemon on. # # NOTE: This option is ignored if NRPE is running under either inetd or xinetd allowed_hosts=127.0.0.1 # COMMAND ARGUMENT PROCESSING # This option determines whether or not the NRPE daemon will allow clients # to specify arguments to commands that are executed. This option only works # if the daemon was configured with the --enable-command-args configure script # option. # # *** ENABLING THIS OPTION IS A SECURITY RISK! *** # Read the SECURITY file for information on some of the security implications # of enabling this variable. # # Values: 0=do not allow arguments, 1=allow command arguments dont_blame_nrpe=0 # COMMAND PREFIX # This option allows you to prefix all commands with a user-defined string. # A space is automatically added between the specified prefix string and the # command line from the command definition. # # *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** # Usage scenario: # Execute restricted commmands using sudo. For this to work, you need to add # the nagios user to your /etc/sudoers. An example entry for alllowing # execution of the plugins from might be: # # nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ # # This lets the nagios user run all commands in that directory (and only them) # without asking for a password. If you do this, make sure you don't give # random users write access to that directory or its contents! # command_prefix=/usr/bin/sudo # DEBUGGING OPTION # This option determines whether or not debugging messages are logged to the # syslog facility. # Values: 0=debugging off, 1=debugging on debug=0 # COMMAND TIMEOUT # This specifies the maximum number of seconds that the NRPE daemon will # allow plugins to finish executing before killing them off. command_timeout=60 # CONNECTION TIMEOUT # This specifies the maximum number of seconds that the NRPE daemon will # wait for a connection to be established before exiting. This is sometimes # seen where a network problem stops the SSL being established even though # all network sessions are connected. This causes the nrpe daemons to # accumulate, eating system resources. Do not set this too low. connection_timeout=300 # WEEK RANDOM SEED OPTION # This directive allows you to use SSL even if your system does not have # a /dev/random or /dev/urandom (on purpose or because the necessary patches # were not applied). The random number generator will be seeded from a file # which is either a file pointed to by the environment valiable $RANDFILE # or $HOME/.rnd. If neither exists, the pseudo random number generator will # be initialized and a warning will be issued. # Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness #allow_weak_random_seed=1 # INCLUDE CONFIG FILE # This directive allows you to include definitions from an external config file. #include=<somefile.cfg> # INCLUDE CONFIG DIRECTORY # This directive allows you to include definitions from config files (with a # .cfg extension) in one or more directories (with recursion). #include_dir=<somedirectory> #include_dir=<someotherdirectory> # COMMAND DEFINITIONS # Command definitions that this daemon will run. Definitions # are in the following format: # # command[<command_name>]=<command_line> # # When the daemon receives a request to return the results of <command_name> # it will execute the command specified by the <command_line> argument. # # Unlike Nagios, the command line cannot contain macros - it must be # typed exactly as it should be executed. # # Note: Any plugins that are used in the command lines must reside # on the machine that this daemon is running on! The examples below # assume that you have plugins installed in a /usr/local/nagios/libexec # directory. Also note that you will have to modify the definitions below # to match the argument format the plugins expect. Remember, these are # examples only! # The following examples use hardcoded command arguments... command[check_disks]=/usr/local/nagios/libexec/check_disk -m -e -w 10% -c 5% command[check_load]=/usr/local/nagios/libexec/check_load -r -w 5.0 -c 10.0 command[check_memory]=/usr/local/nagios/libexec/check_memory.pl -w 10% -c 5% command[check_swap]=/usr/local/nagios/libexec/check_swap -a -w 50% -c 20% command[check_ntp]=/usr/local/nagios/libexec/check_ntp_time -H 10.1.1.14 -w 1.0 -c 1.5 command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200 command[check_users]=/usr/local/nagios/libexec/check_users -w 25 -c 50 </blockquote> <pre class="moz-signature" cols="72"> A. Davis Email: <a class="moz-txt-link-abbreviated" href="mailto:nccomp@gmail.com">nccomp@gmail.com</a> "There is no limit to what a man can accomplish if he doesn't care who gets the credit." - Ronald Reagan </pre> Andrew Davis wrote: <blockquote cite="mid:49C24156.8070803@gmail.com" type="cite"> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> My /etc/xinetd.d/nrpe is below: # /etc/xinetd.d/nrpe # description: NRPE # default: on service nrpe { flags = REUSE socket_type = stream port = 5666 wait = no # user = nobody user = daemon # group = nobody group = wheel server = /usr/local/sbin/nrpe server_args = -c /etc/nagios/nrpe.cfg --inetd log_on_failure += USERID disable = no only_from = 127.0.0.1 10.1.1.170 } Originally, it was set to nobody:nobody. As a test, I set it to daemon:wheel. In all cases, it gives the "cannot run as root" error. I guess I can try making a Nagios user & group and testing with that. <pre class="moz-signature" cols="72"> A. Davis Email: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:nccomp@gmail.com">nccomp@gmail.com</a> "There is no limit to what a man can accomplish if he doesn't care who gets the credit." - Ronald Reagan </pre> Allan Clark wrote: <blockquote cite="mid:37c712e0903181419q4fda28e8o83b1cd5464f69ab3@mail.gmail.com" type="cite">Reply is bottom-posted. <div class="gmail_quote">On Wed, Mar 18, 2009 at 16:57, Andrew Davis <<a moz-do-not-send="true" href="mailto:nccomp@gmail.com">nccomp@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div bgcolor="#ffffff" text="#000099">If I'm reading this correctly, the line about "NRPE daemon cannot be run as user/group root!" is directly from the source code of NRPE. Its not an xinetd thing. I've confirmed that xinetd is running and listening on port 5666. I tried changing the owner/group from nobody:nobody to another unprivileged user, but it didn't work. Same results. It appears that despite my configuring the /etc/nagios/nrpe.cfg and the /etc/xinetd.d/nrpe files to use a user other than root, it still tries to start it as the root user and thus when an incoming connection comes in, it gives the "NRPE daemon cannot be run as user/group root!" error. Any thoughts on how to rectify this? Since NRPE is working fine on Linux, is this just a Mac OS X thing? Any help would be immensely appreciated. AD <div> <div class="h5"> Andrew Davis wrote: <blockquote type="cite"> FYI: /var/log/system.log on the client shows: Mar 18 16:08:07 shu xinetd[29066]: START: nrpe pid=557 from=10.1.1.170 Mar 18 16:08:07 shu nrpe[557]: Error: NRPE daemon cannot be run as user/group root! whether I do the default test (with SSL) or use the -n flag to test w/o SSL. The odd thing is that the nrpe config in /etc/xinetd.d is set to run as nobody:nobody and /etc/nagios/nrpe.cfg is owned by nobody:nobody. Only /usr/local/sbin/nrpe is owned by root (as it should be), but is also set to 755 perms. I've compared to a Linux box I have with NRPE and xinetd working properly and the permissions are identical. I'm stumped... Andrew Davis wrote: <blockquote type="cite">I have two Mac OS X servers, one running 10.3, the other running 10.4. Neither can be upgraded to 10.5 due to third party s/w constraints. Both are PPC based XServe's. Trying to compile nrpe with: <blockquote>./configure --sysconfdir=/etc/nagios --enable-ssl </blockquote> Initially, I got the "cannot find ssl libraries" error: <blockquote>~ checking for SSL headers... SSL headers found in /usr/local/ssl checking for SSL libraries... configure: error: Cannot find ssl libraries </blockquote> I downloaded the latest openssl and built it with: <blockquote>./config --prefix=/usr/local shared --openssldir=/usr/local/openssl make make test make install </blockquote> I then had to edit ~/src/nrpe/configure and change the reference from libssl.so to libssl.dylib After that, nrpe compiled cleanly and I was able to move ~src/nrpe/src/nrpe to /usr/local/sbin and start xinetd up. I've confirmed that port 5666 is open and xinetd is running: <blockquote>/usr/local/src/nrpe-2.12/src root# ps waux|grep xinet|grep -v greproot 29066 0.0 -0.0 27484 308 ?? Ss 3:53PM 0:00.02 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive /usr/local/src/nrpe-2.12/src root# netstat -an|grep 5666tcp4 0 0 *.5666 *.* LISTEN </blockquote> However, when connecting from the remote server, I get: <blockquote>/usr/local/nagios/libexec/check_nrpe -H <a moz-do-not-send="true" href="http://host.mydomain.org" target="_blank">host.mydomain.org</a> CHECK_NRPE: Error - Could not complete SSL handshake. </blockquote> The same test but w/o SSL gives yields: <blockquote>[nagios@nephilim src]$ /usr/local/nagios/libexec/check_nrpe -n -H <a moz-do-not-send="true" href="http://host.mydomain.org" target="_blank">host.mydomain.org</a> CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. </blockquote> So two questions: 1) I'm a UNIX guy, but obviously Mac's are A) different and B) a tad different being BSD-based. So what's the proper way to stop/restart the xinetd daemon? 2) Any thoughts on SSL handshake error? I've googled it, but I'm not getting very far. Anyone have a step-by-step for compiling nagios plugins and NRPE from source on OS X 10.x (specifically 10.3 and 10.4)? I'm using NRPE for all other internal hosts, so I prefer to use it for the Mac's too. I know I could do it via check_by_ssh and get around this, but I prefer to use NRPE if I can. <pre cols="72">-- </pre> </blockquote> </blockquote> </div> </div> </div> </blockquote> <div> On a Mac, your xinetd is a bolt-on over the launchd that's there by default; you've obviously got it running. Since you're in /etc/xinetd.d/<something>, you need to cnfigure a different username via xinetd's config. Look for a /etc/xinetd.d/nrpe file, or similar, containing the config for your nrpe service. I tend to grep for the port number in order to find the file. Remember to check /local/* The time service has an example with juicy comments: service time { # This is for quick on or off of the service disable = yes ... ... # External services must fill out the following # user = # group = ... ... } Take a look there, see if you can choose a better username and/or group and if your port of xinetd honours it. I don't know if you have a nrpe user, or run it as nobody. A better option would be a proper launchd config, allowing you to shutdown xinetd if you're installing it there for this purpose only, but then it's a Mac-only thing, and would be more difficult to maintain for non-Mac people. Allan </div> </div> </blockquote> </blockquote> </body> </html>