invoke sudo only with -g root and not (implicitly) with -u root

[calestyo]

Hi.

For many check binaries, it may be possible to run them as normal user (the one invoking check_raid) but only the root group added.

For those for which this is known, I'd suggest to change:

• the invocation of sudo to include "-g root"
• the sudoers Runas_Spec to be "(:root)".

This tightens things a bit more at least.

I tried it for sas2ircu and it seems to work there.

Cheers,
Chris.

[glensc]

this really depends on the system and what are your exact udev rules to setup /dev nodes. so you could instead write udev rule to add nagios user to have readonly access to the needed /dev node and omit sudo completely :)

[calestyo]

Well ok... so the let me propose amongst the following

• adding a new switch that disables the usage of sudo (for those who have udev rules)
• does it sound feasible to add udev-rules generator for those tools we know, just like we have now the sudoers generator?
• I still would recommend the -g root approach for those who either don't have udev, don't want to use it or where we don't know yet which rules to set up
  (btw: as said it works for sas2irco.... but does not work for megacli
• Would you further accept a patch, that adds "-u root" to sudo in all other cases (where we don't know -g root works)?
  Reason is, that -u root is just a default, that may however be changed on systems (like ours where it is set to nobody) and then check_root fails.
  It should have no further impact.

[calestyo]

Hi.

I've had a look at the all new version 3.0... nice...
But I still miss some sudo tightening... (i.e. this issue here)... :(

Where can I change the code in 3.0, to add sudo parameters per raid-check?

Thanks.

[glensc]

it is not implemented. if it would, i had posted note here, or at least associated commit

[glensc]

as for the original ticket, you may modify sudo rules, check_raid -S -d just prints what commands it needs the rules for. so if you write custom sudo rules (for example improve ones check_raid printed itself), which need different sudo invocation, the check_raid needs to be modified too, as it currently does not specify -u root or -g root. if you tighten the regexps, then check_raid sudo invocation does not need to be changed.

i am not sure how to solve this as i want check_raid to be automatic as possible. if you know which plugins work with filesystem permissions only (use /dev/ nodes, but no ioctl calls), then each check_raid plugin has sudo function, you can put better sudo lines there.

[glensc]

if you still don't understand the code and wish to contribute, please paste here expected sudo rules and expected commands to be run.

to get original sudo rules, invoke check_raid -S -d
to get original sudo commands, invoke check_raid -d

[boomertsfx]

We use check_raid.pl as root on Solaris which has worked well, but when we upgraded to the latest version, it now says it can't find sudo. We don't need sudo and Solaris doesn't come stock with sudo. Is there a way around this?

[glensc]

Create separate issue (or even PR) for your problem, don't hijack unrelated tickets.