Facepalm – sudoers not working

DOH!!!!!

Always remember to check the command you are asking to be run as sudo…

Here I was the other day, setting up Nagios NRPE agents on a new server at work, and I kept getting “NRPE Unknown” errors in the Nagios console.

Normally this is down to the user NRPE runs as on the client (nagios) not having permission to execute the check_xxxx command; as some of these checks are potentially sensitive commands, they are run through sudo with a NOPASSWD rule so that no password prompt can get in the way.

On Debian, the stock /etc/sudoers pulls in every file under /etc/sudoers.d/ (the #includedir /etc/sudoers.d line at the end of the main file), which allows an identical fragment, here /etc/sudoers.d/sudoers, to be copied to all servers while the main /etc/sudoers stays unique per machine. Two things to remember about that directory: sudo ignores any file whose name contains a dot or ends in ~, and a fragment can be syntax-checked before it is deployed with visudo -cf /etc/sudoers.d/sudoers.

Now, I had copied this /etc/sudoers.d/sudoers file from another server on which I knew the Nagios NRPE services were working… yet inexplicably I was getting problems in the Nagios console, “NRPE Error – unknown”, which I know means NRPE was not able to run the remote command, 99% of the time a sudo error.

The last time I saw this, I had screwed up the sudoers file such that the nagios user didn’t have permission to run the commands with “NOPASSWD”.

In this case that wasn’t the problem; after all, I had copied the sudoers file from a working machine… right?

Well, yes.
So that wasn’t the problem.

Log onto the client, su - from root to the nagios user, and of course the nagios user’s shell is /bin/false; one small change later (at least for testing) the nagios user has a shell.

Try again, su - nagios, and I get a shell and a prompt. OK, good start.

Now try /sbin/sudo /usr/lib/nagios/plugins/check_ntp, and what happens?
I get prompted for the nagios user’s password.

Hmmmm – last I looked I hadn’t even set one.

Exit the nagios user, become root again, set a (crap) password for the user, su - to the nagios user and try again, even entering the (crap) password…

Same bloody error.

WTF!?!?!

Am I really going mad? (Ok don’t answer that one)
Ok, silly thought…

ls -al /usr/lib/nagios/plugins/check_ntp
/bin/bash: command not found.

Aaaaaaaaaah.

ls -al /usr/lib/nagios/plugins
.
..

Ooooooops… No files.

No files exist to run, let alone run via sudo.

Lesson to be learnt: sudo protects you from your own stupidity. A sudoers rule that names a command by path only matches if that path actually exists on disk, so when the binary is missing the NOPASSWD rule silently never applies; sudo falls back to asking for a password and then fails, which is exactly what NRPE (with no tty and no password) reports as unknown.

Second lesson to be learnt: before blaming the sudoers file, make sure the commands you want to run via sudo actually exist on that machine!!!!
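The check I now run on a sudoers fragment before copying it anywhere, as an added example (this is not code from the original post): it walks every rule and Cmnd_Alias in the file and reports each command path that is missing or not executable, which is the exact failure above. The function name, the temporary demo directory and the sample fragment are constructed for the example and are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example (not code from the original post): sanity-check a sudoers
# fragment before copying it to a server, by verifying that every command
# path it names actually exists and is executable. sudo matches a rule that
# names a command by path against the real file on disk, so a missing binary
# means the NOPASSWD rule silently never applies. The function name, the
# demo directory and the sample fragment below are all assumptions.

set -f   # no pathname expansion: sudoers may contain wildcards like /usr/bin/*

# check_sudoers_commands FILE
#   Prints, one per line, every command path in FILE that is missing or not
#   executable; returns 0 when all paths resolve, 1 otherwise.
check_sudoers_commands() {
    file=$1
    missing=""
    # Read in the current shell (not a pipeline) so $missing survives the loop.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|Defaults*|User_Alias*|Host_Alias*|Runas_Alias*) continue ;;
        esac
        # user HOST=(RUNAS) TAG: /cmd [args], /cmd2 ...  or  Cmnd_Alias X = /cmd, ...
        # Everything after the first '=' is the comma-separated command list.
        spec=${line#*=}
        IFS=','
        set -- $spec          # one positional parameter per command entry
        unset IFS             # back to default whitespace splitting
        for entry in "$@"; do
            cmd=""
            # The first word starting with '/' (optionally negated with '!') is
            # the command; (runas) groups, tags such as NOPASSWD:, ALL and
            # alias names never start with '/', so they are skipped.
            for word in $entry; do
                case "$word" in
                    /*|!/*) cmd=${word#!}; break ;;
                esac
            done
            [ -n "$cmd" ] || continue
            if [ ! -x "$cmd" ]; then
                missing="$missing$cmd
"
            fi
        done
    done < "$file"
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# --- demo on a constructed fragment; nothing here touches the real /etc ---
demo=$(mktemp -d)
mkdir -p "$demo/plugins"
printf '#!/bin/sh\necho OK\n' > "$demo/plugins/check_disk"
chmod 755 "$demo/plugins/check_disk"
# check_ntp is deliberately absent, like the empty plugin directory in the post
cat > "$demo/sudoers" <<EOF
# constructed /etc/sudoers.d fragment
Defaults:nagios !requiretty
Cmnd_Alias NAGIOS_CHECKS = $demo/plugins/check_ntp, $demo/plugins/check_disk -w 20% -c 10%
nagios ALL=(root) NOPASSWD: NAGIOS_CHECKS
EOF
if check_sudoers_commands "$demo/sudoers"; then
    echo "all sudo commands exist: safe to deploy"
else
    echo "the command(s) above are missing: fix that before blaming sudoers"
fi
rm -rf "$demo"
```

Run it against the fragment on the target machine, not just the one it was copied from. On the target, sudo -l -U nagios shows which rules sudo will actually apply for the nagios user, and su -s /bin/sh -c 'sudo -n /usr/lib/nagios/plugins/check_ntp' nagios runs the check the way NRPE does, with no tty and no password prompt (sudo -n fails instead of prompting), without having to give the nagios user a login shell.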

Definitely a facepalm day.

About Kieran

Old school hacker, amateur photographer, petrolhead, geek, father. ( and I might just like planes ) http://www.kieranreynolds.co.uk
This entry was posted in *Nix, Geek-tech.