I am trying to monitor my legacy zimbra installation (running on an outdated Ubuntu 8.x) from my nagios install (running on a more recent OpenBSD).
The problem is that when I run check_nrpe from the nagios server it complains:
nagios-server$ sudo su -m _nagios -c "/usr/local/libexec/nagios/check_nrpe -H ZIMBRA_HOST -c check_zimbra"
CHECK_NRPE: No output returned from daemon.
Note that the zimbra server's NRPE configuration runs:
command[check_zimbra]=/usr/lib/nagios/plugins/check_zimbra.pl
On the other hand, running the plugin locally on the zimbra server works fine from root:
zimbra-server# ./check_zimbra.pl
HOST : ZIMBRA_HOST, ldap : OK, logger : STOPPED and zmlogswatchctl down, mailbox : OK, mta : STOPPED and zmmtaconfigctl down and zmsaslauthdctl down, snmp : STOPPED, spell : OK, stats : OK
However, running it as nagios user on the zimbra server complains about the path:
zimbra-server# su -m nagios -c "./check_zimbra.pl"
Insecure $ENV{PATH} while running setuid at ./check_zimbra.pl line 32.
Line 32 recites:
7 $zimbra_status_command='/opt/zimbra/bin/zmcontrol status';
[snip]
32 open (ZMSTATUS, "$zimbra_status_command |");
I have a suspicion it might have something to do with suid perl. In fact, following this advice and adding this line to the check_zimbra.pl file,
delete @ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
I get the following:
zimbra-server# su -m nagios -c "./check_zimbra.pl"
Insecure dependency in piped open while running setuid at /opt/zimbra/bin/zmcontrol line 389.
Anyhow, on the zimbra server I have installed the check_zimbra.pl plugin, which is suid zimbra so I can run it from the nagios user:
zimbra-server# ls -la check_zimbra.pl
-rwsr-xr-x 1 zimbra root 2885 2010-01-11 21:14 check_zimbra.pl
I have modified /etc/sudoers so that the nagios user can run the appropriate zimbra monitoring tool:
%nagios ALL=(zimbra) NOPASSWD:/opt/zimbra/bin/zmcontrol
I am stuck. Is there any other way to run the check_zimbra.pl plugin as the nagios user, being able to run the zmcontrol status command as the zimbra user?
Thanks,
perldoc perlsec states that you should set @ENV{'PATH'} to a known value, not unset it!
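
One way to apply the perlsec advice, as an added example that is not part of the original thread or of check_zimbra.pl: a non-setuid plugin that sets PATH to a fixed value and runs zmcontrol through the sudoers rule from the question with a list-form piped open. Because sudo sets both real and effective uid to zimbra, Perl does not force taint mode inside zmcontrol. It assumes sudo is at /usr/bin/sudo, that the nagios user is in the nagios group, and that zmcontrol status prints one "service Running" or "service Stopped" line per service.

```perl
#!/usr/bin/perl -T
# Added example (not the original check_zimbra.pl): taint-safe Nagios check.
use strict;
use warnings;

# perlsec: set PATH to a known value, and drop the other variables shells honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Absolute paths and a fixed argument list. Relies on the sudoers rule from the
# question: %nagios ALL=(zimbra) NOPASSWD:/opt/zimbra/bin/zmcontrol
# Assumption: sudo is installed at /usr/bin/sudo.
my @ZMSTATUS = ('/usr/bin/sudo', '-u', 'zimbra',
                '/opt/zimbra/bin/zmcontrol', 'status');

# Returns (nagios_exit_code, message): 0 OK, 2 CRITICAL, 3 UNKNOWN.
sub check_zimbra {
    my @cmd = @_;
    # List-form piped open: the command is exec'd directly, no shell parses it.
    open(my $fh, '-|', @cmd)
        or return (3, "UNKNOWN: cannot run $cmd[0]: $!");
    my (@ok, @down);
    while (my $line = <$fh>) {
        # Assumed output format: "<service>   Running" or "<service>   Stopped".
        next unless $line =~ /^\s*([\w-]+)\s+(Running|Stopped)\s*$/;
        if ($2 eq 'Running') { push @ok, $1 } else { push @down, $1 }
    }
    close($fh);
    my $rc = $? >> 8;
    # Always print something, so NRPE never sees an empty plugin output.
    return (3, "UNKNOWN: no services parsed (exit code $rc)") unless @ok || @down;
    return (2, 'CRITICAL: stopped: ' . join(', ', @down)) if @down;
    return (0, 'OK: running: ' . join(', ', @ok));
}

my ($code, $msg) = check_zimbra(@ZMSTATUS);
print "$msg\n";
exit $code;
```

With this approach the plugin file needs no setuid bit; the privilege change happens only in sudo, limited to the single command the sudoers rule allows.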