Giving limited sudo(8) privileges to NRPE
In this recipe, we'll learn how to deal with the difficulty of execution permissions for NRPE. The majority of standard Nagios plugins don't require special privileges to run, although this also depends on how stringent your system's security restrictions are. However, some of the plugins need to be run as root, or perhaps as a user other than nagios. This is sometimes the case with plugins that need to make requests of system-level resources, such as checking the integrity of RAID arrays.
There are four general approaches to fixing this:
Bad: Change the plugins to setuid, meaning that they will always be run as the user who owns them, no matter who executes them. The problem with this is that setting this bit allows anyone to run the program as root, not just nrpe, a very common vector for exploits.
Worse: Run nrpe as root or as the appropriate user. This is done by changing the nrpe_user and nrpe_group properties in nrpe.cfg. This is even...
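The following audit script is an added example, not part of the original recipe. It flags the two risky setups described above: plugins with the setuid bit set, and an nrpe.cfg whose nrpe_user or nrpe_group is root. The plugin directory and nrpe.cfg path are supplied as arguments, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit an NRPE host for setuid plugins and a root-run daemon.
# Usage (paths are assumptions): sh audit_nrpe.sh <plugin-dir> <nrpe.cfg>

# Print every regular file under directory $1 that has the setuid bit set.
setuid_plugins() {
    find "$1" -type f -perm -4000 -print | sort
}

# Print each value assigned to directive $2 in config file $1,
# skipping comment lines and trimming whitespace around key and value.
nrpe_directive() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v }
    ' "$1"
}

# Succeed (exit 0) if nrpe_user or nrpe_group in $1 is root, by name or id 0.
nrpe_runs_as_root() {
    for key in nrpe_user nrpe_group; do
        for val in $(nrpe_directive "$1" "$key"); do
            case "$val" in
                root|0) return 0 ;;
            esac
        done
    done
    return 1
}

# Report both findings; return 1 if either is present, 0 if the host is clean.
audit_nrpe() {
    rc=0
    found=$(setuid_plugins "$1")
    if [ -n "$found" ]; then
        printf 'setuid plugins (runnable with owner privileges by any user):\n%s\n' "$found"
        rc=1
    fi
    if nrpe_runs_as_root "$2"; then
        printf 'nrpe_user or nrpe_group is root in %s\n' "$2"
        rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then
    audit_nrpe "$1" "$2"
fi
```

A non-zero exit status means at least one finding, so the script can be run from cron or a configuration-management check.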