ERROR: my_system() seteuid(0): Operation not permitted

[SundanceRaphael]

According to issue #139 I have still the error message in log.

ERROR: my_system() seteuid(0): Operation not permitted.

Maybe the error should be a warning and get some more detail information.

Requested plugin permissions client
drwxrwxr-x 2 nagios nagios 4096 Jun 28 08:47 .
drwxr-xr-x 8 nagios nagios 4096 Jun 16 14:48 ..
-rwxr-xr-x 1 root nagios 178028 Jun 16 14:48 check_apt
-rwxr-xr-x 1 root nagios 6897 Jun 16 14:48 check_asterisk.pl
-rwxr-xr-x 1 root nagios 1978 Jun 16 14:48 check_asterisk_sip_peers.sh
-rwxr-xr-x 1 root nagios 2242 Jun 16 14:48 check_breeze
-rwxr-xr-x 1 root nagios 182764 Jun 16 14:48 check_by_ssh
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_clamd -> check_tcp
-rwxr-xr-x 1 root nagios 132228 Jun 16 14:48 check_cluster
-rwxr-xr-x 1 root nagios 5582 Jun 16 14:48 check_cpu_stats.sh
-rwsr-xr-x 1 root nagios 180956 Jun 16 14:48 check_dhcp
-rwxr-xr-x 1 root nagios 195376 Jun 16 14:48 check_disk
-rwxr-xr-x 1 root nagios 9289 Jun 16 14:48 check_disk_smb
-rwxr-xr-x 1 root nagios 99908 Jun 16 14:48 check_dummy
-rwxr-xr-x 1 root nagios 3349 Jun 16 14:48 check_file_age
-rwxr-xr-x 1 root nagios 6315 Jun 16 14:48 check_flexlm
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_ftp -> check_tcp
-rwxr-xr-x 1 root nagios 307656 Jun 16 14:48 check_http
-rwsr-xr-x 1 root nagios 190608 Jun 16 14:48 check_icmp
-rwxr-xr-x 1 root nagios 141184 Jun 16 14:48 check_ide_smart
-rwxr-xr-x 1 root nagios 15123 Jun 16 14:48 check_ifoperstatus
-rwxr-xr-x 1 root nagios 12600 Jun 16 14:48 check_ifstatus
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_imap -> check_tcp
-rwsr-xr-x 1 root nagios 972 Jun 16 14:48 check_init_service
-rwxr-xr-x 1 root nagios 6887 Jun 16 14:48 check_ircd
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_jabber -> check_tcp
-rwxr-xr-x 1 root nagios 156688 Jun 16 14:48 check_ldap
lrwxrwxrwx 1 root root 10 Jun 16 14:48 check_ldaps -> check_ldap
-rwxr-xr-x 1 root nagios 153840 Jun 16 14:48 check_load
-rwxr-xr-x 1 root nagios 5995 Jun 16 14:48 check_log
-rwxr-xr-x 1 root nagios 21480 Jun 16 14:48 check_mailq
-rwxr-xr-x 1 root nagios 141744 Jun 16 14:48 check_mrtg
-rwxr-xr-x 1 root nagios 141120 Jun 16 14:48 check_mrtgtraf
-rwxr-xr-x 1 root nagios 175180 Jun 16 14:48 check_mysql
-rwxr-xr-x 1 root nagios 163556 Jun 16 14:48 check_mysql_query
-rwxr-xr-x 1 root nagios 152868 Jun 16 14:48 check_nagios
-rwxr-xr-x 1 root nagios 25602 Jun 16 14:48 check_netstat.pl
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_nntp -> check_tcp
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_nntps -> check_tcp
-rwxrwxr-x 1 nagios nagios 142864 Jun 28 08:47 check_nrpe
-rwxr-xr-x 1 root nagios 184660 Jun 16 14:48 check_nt
-rwxr-xr-x 1 root nagios 188504 Jun 16 14:48 check_ntp
-rwxr-xr-x 1 root nagios 177648 Jun 16 14:48 check_ntp_peer
-rwxr-xr-x 1 root nagios 170168 Jun 16 14:48 check_ntp_time
-rwxr-xr-x 1 root nagios 210412 Jun 16 14:48 check_nwstat
-rwxr-xr-x 1 root nagios 3290 Jun 27 15:44 check_open_files.pl
-rwxr-xr-x 1 root nagios 8781 Jun 16 14:48 check_oracle
-rwxr-xr-x 1 root nagios 159048 Jun 16 14:48 check_overcr
-rwxr-xr-x 1 root nagios 170680 Jun 16 14:48 check_pgsql
-rwxr-xr-x 1 root nagios 189436 Jun 16 14:48 check_ping
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_pop -> check_tcp
-rwxr-xr-x 1 root nagios 186224 Jun 16 14:48 check_procs
-rwxr-xr-x 1 root nagios 157256 Jun 16 14:48 check_real
-rwxr-xr-x 1 root nagios 9581 Jun 16 14:48 check_rpc
-rwxr-xr-x 1 root nagios 1455 Jun 16 14:48 check_sensors
-rwxr-xr-x 1 root nagios 2174 Jun 16 14:48 check_services
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_simap -> check_tcp
-rwxr-xr-x 1 root nagios 7599 Jun 16 14:48 check_sip
-rwxr-xr-x 1 root nagios 241680 Jun 16 14:48 check_smtp
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_spop -> check_tcp
-rwxr-xr-x 1 root nagios 155540 Jun 16 14:48 check_ssh
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_ssmtp -> check_tcp
-rwxr-xr-x 1 root nagios 138596 Jun 16 14:48 check_swap
-rwxr-xr-x 1 root nagios 230712 Jun 16 14:48 check_tcp
-rwxr-xr-x 1 root nagios 156400 Jun 16 14:48 check_time
lrwxrwxrwx 1 root root 9 Jun 16 14:48 check_udp -> check_tcp
-rwxr-xr-x 1 root nagios 167688 Jun 16 14:48 check_ups
-rwxr-xr-x 1 root nagios 132196 Jun 16 14:48 check_uptime
-rwxr-xr-x 1 root nagios 130568 Jun 16 14:48 check_users
-rwxr-xr-x 1 root nagios 2936 Jun 16 14:48 check_wave
-rwxr-xr-x 1 root nagios 710 Jun 16 14:48 check_yum
-rwxr-xr-x 1 root nagios 3435 Jun 16 14:48 custom_check_mem
-rwxr-xr-x 1 root nagios 915 Jun 16 14:48 custom_check_procs
-rwxr-xr-x 1 root nagios 4176 Jun 16 14:48 nagisk.pl
-rwxr-xr-x 1 root nagios 128316 Jun 16 14:48 negate
-rwxr-xr-x 1 root nagios 122768 Jun 16 14:48 urlize
-rwxr-xr-x 1 root nagios 1864 Jun 16 14:48 utils.pm
-rwxr-xr-x 1 root nagios 2791 Jun 16 14:48 utils.sh

Requested plugin permissions monitoring server

drwxrwsr-x 2 nagios nagios 4096 Jun 28 09:02 .
drwxr-xr-x 9 root root 4096 May 31 19:02 ..
-rwxr-xr-x 1 root nagios 183134 Jun 23 10:35 check_apt
-rwxrwxr-x 1 apache nagios 6897 May 31 19:02 check_asterisk.pl
-rwxrwxr-x 1 apache nagios 4173 May 31 19:03 check_bl
-rwxrwxr-x 1 apache nagios 2287 May 31 19:03 check_bpi.php
-rwxr-xr-x 1 root nagios 2346 Jun 23 10:35 check_breeze
-rwxr-xr-x 1 root nagios 185675 Jun 23 10:35 check_by_ssh
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_clamd -> check_tcp
-rwxr-xr-x 1 root nagios 142010 Jun 23 10:35 check_cluster
-r-sr-xr-x 1 root nagios 181663 Jun 23 10:35 check_dhcp
-rwxr-xr-x 1 root nagios 195030 Jun 23 10:35 check_dig
-rwxrwxr-x 1 apache nagios 3861 May 31 19:02 check_dir
-rwxr-xr-x 1 root nagios 196740 Jun 23 10:35 check_disk
-rwxr-xr-x 1 root nagios 9469 Jun 23 10:35 check_disk_smb
-rwxr-xr-x 1 root nagios 198367 Jun 23 10:35 check_dns
-rwxrwxr-x 1 apache nagios 8506 May 31 19:03 check_domain.php
-rwxr-xr-x 1 root nagios 90214 Jun 23 10:35 check_dummy
-rwxrwxr-x 1 apache nagios 5576 May 31 19:03 check_em01.pl
-rwxrwxr-x 1 apache nagios 38345 May 31 19:03 check_email_delivery
-rwxrwxr-x 1 apache nagios 20511 May 31 19:03 check_email_delivery_epn
-rwxrwxr-x 1 apache nagios 20039 May 31 19:02 check_email_loop.pl
-rwxrwxr-x 1 apache nagios 82970 May 31 19:03 check_esx3.pl
-rwxr-xr-x 1 root nagios 3860 Jun 23 10:35 check_file_age
-rwxr-xr-x 1 root nagios 6504 Jun 23 10:35 check_flexlm
-rwxr-xr-x 1 root nagios 187794 Jun 23 10:35 check_fping
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_ftp -> check_tcp
-rwxrwxr-x 1 apache nagios 3446 May 31 19:03 check_ftp_fully
-rwxr-xr-x 1 root nagios 181893 Jun 23 10:35 check_hpjd
-rwxr-xr-x 1 root nagios 362681 Jun 23 10:35 check_http
-r-sr-xr-x 1 root nagios 191723 Jun 23 10:35 check_icmp
-rwxr-xr-x 1 root nagios 149964 Jun 23 10:35 check_ide_smart
-rwxrwxr-x 1 apache nagios 1794 May 31 19:03 check_ifoperstatnag
-rwxr-xr-x 1 root nagios 15275 Jun 23 10:35 check_ifoperstatus
-rwxr-xr-x 1 root nagios 13423 Jun 23 10:35 check_ifstatus
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_imap -> check_tcp
-rwxrwxr-x 1 apache nagios 35413 May 31 19:03 check_imap_receive
-rwxrwxr-x 1 apache nagios 15576 May 31 19:03 check_imap_receive_epn
-rwxr-xr-x 1 root nagios 6984 Jun 23 10:35 check_ircd
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_jabber -> check_tcp
-rwxr-xr-x 1 root nagios 166870 Jun 23 10:35 check_ldap
lrwxrwxrwx 1 root nagios 10 Jun 23 10:35 check_ldaps -> check_ldap
-rwxr-xr-x 1 root nagios 163477 Jun 23 10:35 check_load
-rwxr-xr-x 1 root nagios 6669 Jun 23 10:35 check_log
-rwxr-xr-x 1 root nagios 22733 Jun 23 10:35 check_mailq
-rwxrwxr-x 1 apache nagios 66565 May 31 19:03 check_mongodb.py
-rwxrwxr-x 1 apache nagios 11876 May 31 19:03 check_mountpoints.sh
-rwxr-xr-x 1 root nagios 148626 Jun 23 10:35 check_mrtg
-rwxr-xr-x 1 root nagios 149871 Jun 23 10:35 check_mrtgtraf
-rwxrwxr-x 1 apache nagios 17546 May 31 19:03 check_mssql
-rwxrwxr-x 1 apache nagios 14446 May 31 19:03 check_mssql_database.py
-rwxrwxr-x 1 apache nagios 20473 May 31 19:03 check_mssql_server.py
-rwxr-xr-x 1 root nagios 194421 Jun 23 10:35 check_mysql
-rwxrwxr-x 1 apache nagios 122024 May 31 19:02 check_mysql_health
-rwxr-xr-x 1 root nagios 180947 Jun 23 10:35 check_mysql_query
-rwxr-xr-x 1 root nagios 164403 Jun 23 10:35 check_nagios
-rwxrwxr-x 1 apache nagios 14602 May 31 19:03 check_nagioslogserver.php
-rwxrwxr-x 1 apache nagios 7381 May 31 19:03 check_nagios_performance.php
-rwxrwxr-x 1 apache nagios 20601 May 31 19:03 check_nagiosxiserver.php
-rwxrwxr-x 1 apache nagios 10065 May 31 19:03 check_ncpa.py
-rwxrwxr-x 1 apache nagios 10037 May 31 19:03 check_nna.py
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_nntp -> check_tcp
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_nntps -> check_tcp
-rwxrwxr-x 1 nagios nagios 132516 Jun 28 08:43 check_nrpe
-rwxr-xr-x 1 root nagios 186283 Jun 23 10:35 check_nt
-rwxr-xr-x 1 root nagios 187203 Jun 23 10:35 check_ntp
-rwxr-xr-x 1 root nagios 183969 Jun 20 14:09 check_ntp_old
-rwxr-xr-x 1 root nagios 178960 Jun 23 10:35 check_ntp_peer
-rwxr-xr-x 1 root nagios 174933 Jun 23 10:35 check_ntp_time
-rwxr-xr-x 1 root nagios 215864 Jun 23 10:35 check_nwstat
-rwxr-xr-x 1 root nagios 9457 Jun 23 10:35 check_oracle
-rwxr-xr-x 1 root nagios 165246 Jun 23 10:35 check_overcr
-rwxr-xr-x 1 root nagios 188671 Jun 23 10:35 check_ping
-rwxrwxr-x 1 apache nagios 6183 May 31 19:02 check_pnp_rrds.pl
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_pop -> check_tcp
-rwxrwxr-x 1 apache nagios 388326 May 31 19:03 check_postgres.pl
-rwxr-xr-x 1 root nagios 195086 Jun 23 10:35 check_procs
-rwxrwxr-x 1 apache nagios 29938 May 31 19:03 check_radius_adv
-rwxr-xr-x 1 apache apache 3740 Jun 26 12:20 check_radius.pl
-rwxr-xr-x 1 root nagios 161424 Jun 23 10:35 check_real
-rwxr-xr-x 1 root nagios 9679 Jun 23 10:35 check_rpc
-rwxrwxr-x 1 apache nagios 9743 May 31 19:02 check_rrdtraf
-rwxrwxr-x 1 apache nagios 5299 May 31 19:02 check_rrdtraf.php
-rwxr-xr-x 1 root nagios 1533 Jun 23 10:35 check_sensors
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_simap -> check_tcp
-rwxrwxr-- 1 apache nagios 7599 May 31 19:02 check_sip
-rwxr-xr-x 1 root nagios 243731 Jun 23 10:35 check_smtp
-rwxrwxr-x 1 apache nagios 20226 May 31 19:03 check_smtp_send
-rwxrwxr-x 1 apache nagios 10440 May 31 19:03 check_smtp_send_epn
-rwxr-xr-x 1 root nagios 261104 Jun 23 10:35 check_snmp
-rwxrwxr-x 1 apache nagios 10983 May 31 19:02 check_snmp_boostedge.pl
-rwxrwxr-x 1 apache nagios 17866 May 31 19:02 check_snmp_cpfw.pl
-rwxrwxr-x 1 apache nagios 8763 May 31 19:02 check_snmp_css_main.pl
-rwxrwxr-x 1 apache nagios 16834 May 31 19:02 check_snmp_css.pl
-rwxrwxr-x 1 apache nagios 33722 May 31 19:02 check_snmp_env.pl
-rwxrwxr-x 1 apache nagios 23464 May 31 19:03 check_snmp_generic.pl
-rwxrwxr-x 1 apache nagios 31919 May 31 19:02 check_snmp_int.pl
-rwxrwxr-x 1 apache nagios 10140 May 31 19:02 check_snmp_linkproof_nhr.pl
-rwxrwxr-x 1 apache nagios 22931 May 31 19:03 check_snmp_load.pl
-rwxrwxr-x 1 apache nagios 23980 May 31 19:03 check_snmp_load_wizard.pl
-rwxrwxr-x 1 apache nagios 18782 May 31 19:02 check_snmp_mem.pl
-rwxrwxr-x 1 apache nagios 11930 May 31 19:02 check_snmp_nsbox.pl
-rwxrwxr-x 1 apache nagios 26296 May 31 19:03 check_snmp_process.pl
-rwxrwxr-x 1 apache nagios 26297 May 31 19:03 check_snmp_process_wizard.pl
-rwxrwxr-x 1 apache nagios 25538 May 31 19:03 check_snmp_storage.pl
-rwxrwxr-x 1 apache nagios 25539 May 31 19:03 check_snmp_storage_wizard.pl
-rwxrwxr-x 1 apache nagios 14521 May 31 19:02 check_snmp_vrrp.pl
-rwxrwxr-x 1 apache nagios 13120 May 31 19:03 check_snmp_win.pl
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_spop -> check_tcp
-rwxr-xr-x 1 root nagios 161520 Jun 23 10:35 check_ssh
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_ssmtp -> check_tcp
-rwxr-xr-x 1 root nagios 146550 Jun 23 10:35 check_swap
-rwxr-xr-x 1 root nagios 221385 Jun 23 10:35 check_tcp
-rwxrwxr-x 1 apache nagios 22094 May 31 19:03 check_tftp.sh
-rwxr-xr-x 1 root nagios 161654 Jun 23 10:35 check_time
lrwxrwxrwx 1 root nagios 9 Jun 23 10:35 check_udp -> check_tcp
-rwxr-xr-x 1 root nagios 173326 Jun 23 10:35 check_ups
-rwxr-xr-x 1 root nagios 142668 Jun 23 10:35 check_uptime
-rwxr-xr-x 1 root nagios 139687 Jun 23 10:35 check_users
-rwxr-xr-x 1 root nagios 3032 Jun 23 10:35 check_wave
-rwxrwxr-x 1 apache nagios 307 May 31 19:02 check_webinject.sh
-rwxrwxr-x 1 apache nagios 7065 May 31 19:03 check_win_snmp_disk.pl
-rwxrwxr-x 1 apache nagios 5885 May 31 19:03 check_wmi_plus.conf
-rwxrwxr-x 1 apache nagios 66087 May 31 19:03 check_wmi_plus.ini
-rwxrwxr-x 1 apache nagios 335380 May 31 19:03 check_wmi_plus.pl
-rwxrwxr-x 1 apache nagios 18185 May 31 19:03 check_xisla.php
-rwxrwxr-x 1 apache nagios 40695 May 31 19:03 folder_watch.pl
-rwxr-xr-x 1 root nagios 135768 Jun 23 10:35 negate
-rwxrwxr-x 1 apache nagios 42803 May 31 19:02 process_perfdata.pl
-rwxrwxr-x 1 apache nagios 66312 May 31 19:02 send_nsca
-rw-r--r-- 1 root nagios 16956 Jun 28 09:02 tmp_xi_vars.cfg
-rwxr-xr-x 1 root nagios 130687 Jun 23 10:35 urlize
-rwxr-xr-x 1 root nagios 1914 Jun 23 10:35 utils.pm
-rwxr-xr-x 1 root nagios 2791 Jun 23 10:35 utils.sh

Best regards
Sundance Raphael

[hedenface]

I believe that changing it to a warning is probably better - but it's still going to fill up your log files. I'll change the message to only be during debugging, as it obviously isn't a problem that prevents anything from running (like I had originally assumed).

Okay so I wrote the following test program (test.c):

#include <stdio.h>
#include <unistd.h>

int main() {

    /*  our uids */
    int root = 0;
    int bryan = 1000;
    int nagios = 998;

    int result = seteuid(bryan);
    printf(" seteuid(bryan) result: %d\n", result);

    result = seteuid(nagios);
    printf("seteuid(nagios) result: %d\n", result);

    result = seteuid(root);
    printf("  seteuid(root) result: %d\n", result);

    while (1) {
        sleep(1);
    }
}

I then compiled it with gcc test.c -o test and ran it as the 'bryan' user via ./test. It provided the following output:

bryan@Lappy686 ~ $ ./test 
 seteuid(bryan) result: 0
seteuid(nagios) result: -1
  seteuid(root) result: -1

Then, in another console I tested with ps aux | grep test and received the following output:

bryan@Lappy686 ~ $ ps aux | grep test
bryan    11611  0.0  0.0   4356   628 pts/2    S+   13:39   0:00 ./test

I killed it, and then started it as root with sudo ./test. It provided the following output:

bryan@Lappy686 ~ $ sudo ./test
 seteuid(bryan) result: 0
seteuid(nagios) result: -1
  seteuid(root) result: 0

I once again tested with ps aux | grep test and received:

bryan@Lappy686 ~ $ ps aux | grep test
root     11638  0.0  0.2  91652  4824 pts/2    S+   13:42   0:00 sudo ./test
root     11639  0.0  0.0   4356   724 pts/2    S+   13:42   0:00 ./test

So I guess the question is, what is the actual user that you're starting NRPE with? I think that some of the logic in this application was assumed that the user running NRPE would always be root, which we know isn't true. This is likely a bigger issue than we're seeing here, but it could probably be resolved pretty quick.

The fix for the debugging/warning messages is in commit: 005e20f

[hedenface]

Actually, on further analysis - I think I was being rather presumptuous. I added the check for the return on seteuid() because I wanted to fix all the compiler warnings. The reality is that this seteuid call is only required IF you start nrpe as root, otherwise there is no issue. So instead of having been assumed to start as root, it simply adds the ability for you to gain root back if required.

Either way, that's covered in the commit - more debugging/warning messages (that aren't really a warning if you didn't start nrpe as root to begin with).

[SundanceRaphael]

Thanks for help with fix it works.

Best Regards
Sundance Raphael