Giving limited sudo privileges to NRPE
In this recipe, we'll learn how to deal with the difficulty of execution permissions for NRPE. The majority of the standard Nagios plugins don't require special privileges to run, although this depends on how stringent your system's security restrictions are. However, some of the plugins require being run as root, or perhaps as a user other than nrpe. This is sometimes the case with plugins that need to make requests of system-level resources, such as checking the integrity of RAID arrays.
There are four general approaches to fixing this:
Bad: One method is to change the plugins to setuid, meaning that they will always be run as the user who owns them, no matter who executes them. The problem with this is that setting this bit allows anyone to run the program as root, not just nrpe, a very common vector for exploits.
Worse: Another method is to run nrpe as root, or as the appropriate user. This is done by changing the nrpe_user and nrpe_group properties...
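
An added example, not part of the original recipe: a small audit that flags the "Bad" and "Worse" setups described above on a monitored host, by listing setuid/setgid plugin files and checking whether nrpe_user or nrpe_group is set to root. The function names, the sample plugin names and the sample nrpe.cfg contents are constructed for illustration, and the plugin directory and config file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original recipe. All paths are passed in by the caller.

# Print every plugin file under $1 that carries a setuid or setgid bit.
find_setid_plugins() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print the values assigned to key $1 in config file $2, ignoring commented lines.
cfg_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2"
}

# Succeed if nrpe_user or nrpe_group in config $1 is root (by name or id 0).
nrpe_runs_as_root() {
    for key in nrpe_user nrpe_group; do
        for val in $(cfg_values "$key" "$1"); do
            case "$val" in root|0) return 0 ;; esac
        done
    done
    return 1
}

# Report both findings; exit status is non-zero if either is present.
audit_nrpe() {
    rc=0
    setid=$(find_setid_plugins "$1")
    if [ -n "$setid" ]; then
        printf 'setuid/setgid plugins:\n%s\n' "$setid"; rc=1
    fi
    if nrpe_runs_as_root "$2"; then
        printf 'nrpe_user or nrpe_group is root in %s\n' "$2"; rc=1
    fi
    return "$rc"
}

# Build a constructed sample (one setuid plugin, nrpe_user=root) in directory $1.
make_sample() {
    mkdir -p "$1/plugins"
    printf '#!/bin/sh\nexit 0\n' > "$1/plugins/check_raid"
    printf '#!/bin/sh\nexit 0\n' > "$1/plugins/check_load"
    chmod 4755 "$1/plugins/check_raid"; chmod 755 "$1/plugins/check_load"
    printf '# nrpe_user=nagios\nnrpe_user=root\nnrpe_group=nagios\n' > "$1/nrpe.cfg"
}
```

Run audit_nrpe with your own plugin directory and nrpe.cfg path as its two arguments; a non-zero exit status means at least one of the two conditions was found.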