[smokeping-users] using sudo in an alert

Jim Long smokeping at museum.rain.com
Fri Jul 27 02:25:03 CEST 2012


On Fri, Jul 27, 2012 at 12:42:23AM +0100, Andrew Pattison wrote:
> I cannot su to the smokeping user for some reason. Perhaps this is because
> the smokeping user's shell is set to /bin/false.

Regardless of smokeping's shell setting, as root, you should be
able to use the -m flag:

monitor : 17:10:07 /home/long> su
Password:
(now I'm root:)
monitor : /root# su -m smokeping
(now I'm smokeping:)
$ touch /tmp/foo
$ ls -l /tmp/foo
-rw-r--r--  1 smokeping  wheel  0 Jul 26 17:10 /tmp/foo
$

Now try 'sudo script.py' and look for showstoppers.  Another basic
thing, the first line of script.py should be an interpreter that knows
how to deal with .py files.  Some .py files on my system have

$ head -1 /usr/local/bin/pilfile.py
#!/usr/local/bin/python2.7

I'm open to correction, but in order for a .py script to be executable,
it must have that line at the top, and the .py script must also have the
execute permission bit set.

For .py files which lack either of those requirements (or even if they
do meet both), an alternate way to invoke a script is to explicitly call
the _interpreter_ and pass the script name as an argument, e.g.

/usr/local/bin/python2.7 /usr/local/bin/pilfile.py

You might try changing your smokeping config to use something like

sudo /usr/local/bin/python2.7 /path/to/your/script.py

Be sure to fully restart smokeping and maybe your web server to be 100%
certain that your new configuration takes effect, and you're not just
re-testing the previous configuration.

> The script is to switch GPIO pins on my new Raspberry Pi (see
> www.raspberrypi.org). The script needs to run as root so that it can access
> the GPIO pins.
> 
> I tried running a shell script on the same alert using sudo and without
> sudo. It only works without sudo. Here is the relevant line from
> /etc/sudoers:
> 
> smokeping ALL=(ALL) NOPASSWD: ALL

For testing, that's good, but it's a security risk to keep that
long term.  If someone cracks your smokeping installation, they'll
own your box.  Once your troubleshooting is complete, tighten down
the sudoers file so that the only command smokeping can run is
the alert script.

Jim




> Thanks
> 
> Andrew.
> 
> On 27 July 2012 00:13, Jim Long <smokeping at museum.rain.com> wrote:
> 
> > On Thu, Jul 26, 2012 at 11:56:41PM +0100, Andrew Pattison wrote:
> > > I tried that but it still doesn't work. The alert is triggered as it is
> > > logged in /var/messages but either smokeping is not calling the script or
> > > the call is failing. Any ideas?
> > >
> > > Andrew.
> >
> > Once again, please pardon the basics.
> >
> > Using su, change your effective user ID to the smokeping user,
> > whatever user you run smokeping under (the user account under
> > which the alerts get invoked).  Verify that this is so:
> >
> > $ touch /tmp/foo
> > $ ls -l /tmp/foo
> > (should show zero bytes, ownership by smokeping user)
> > $ rm /tmp/foo
> >
> > Then manually invoke the same sudo command line that you're using
> > in the alerts.  Does it ask you for a password?  If so, your
> > sudoers file is not set up correctly.
> >
> > Set your script aside, and try this script 'test.sh' instead:
> >
> > #!/bin/sh
> > rm -rf /tmp/smokeping-sudo.log
> > ( date; set; echo '--' ) > /tmp/smokeping-sudo.log
> >
> > Does that write data into /tmp/smokeping-sudo.log?  Examine the
> > set output to confirm that the effective user ID is root/UID 0.
> > Since that script runs under sudo as root, you should also see
> > that /tmp/smokeping-sudo.log is owned by root.
> >
> > Lastly, consider whether your entire alert script really needs to
> > run under sudo or just one specific command (or only a small
> > number).  Think about whether it is feasible to call the script
> > directly, and use sudo only from within the script, on only those
> > few commands where it is necessary.  Are there any weird
> > characters in your sudo command line that should be quoted or
> > escaped?  Can you share the contents of your alert command and
> > the pertinent line of your sudoers file, and some 'ps' output
> > that shows the username you use to run smokeping under?
> >
> > Hope this helps.
> >
> > Jim
> >
> >
> > > On 25 July 2012 17:23, Ryan Becker <rb14060 at gmail.com> wrote:
> > >
> > > > Try using the absolute path to the script in the sudoers file.  Also, the
> > > > /etc/sudoers file should NOT be edited directly, you should be using the
> > > > visudo command as root.
> > > >
> > > > On Wed, Jul 25, 2012 at 4:41 AM, Andrew Pattison <andrum99 at gmail.com> wrote:
> > > >
> > > > >> I've got something similar in /etc/sudoers already.
> > > >>
> > > >> Thanks
> > > >>
> > > >> Andrew.
> > > >>
> > > >>
> > > >> On 24 July 2012 23:15, Ryan Becker <rb14060 at gmail.com> wrote:
> > > >>
> > > >>> Make sure that the user is allowed to execute the script without a
> > > >>> password.  Here's an example that you can modify to suit your
> > > >>> needs: techbnc ALL = NOPASSWD: /usr/sbin/csf
> > > >>> In this example the user techbnc is allowed to call /usr/sbin/csf
> > > > >>> without needing a password.  What's happening is that normally when sudo is
> > > > >>> called, it asks for the password and Smokeping has no way to provide that
> > > > >>> password.  By adding the user to the file with NOPASSWD, they are allowed
> > > >>> to execute the script without being password prompted and therefore
> > > >>> Smokeping will be able to complete the action.
> > > >>>
> > > > >>> On Tue, Jul 24, 2012 at 5:35 PM, Andrew Pattison <andrum99 at gmail.com> wrote:
> > > >>>
> > > > >>>> I am trying to set up smokeping with an alert script. The alert script
> > > > >>>> is called like this entry in /etc/smokeping/config.d/Alerts:
> > > >>>>
> > > >>>> to = |sudo script.py
> > > >>>>
> > > >>>> When called as simply |script.py this works fine, but with sudo the
> > > >>>> script does not get called. How can I get this working?
> > > >>>>
> > > >>>> Thanks
> > > >>>>
> > > >>>> Andrew.
> > > >>>>
> > > >>>> _______________________________________________
> > > >>>> smokeping-users mailing list
> > > >>>> smokeping-users at lists.oetiker.ch
> > > >>>> https://lists.oetiker.ch/cgi-bin/listinfo/smokeping-users
> > > >>>>
> > > >>>>
> > > >>>
> > > >>
> > > >
> >
> >
> >
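
Jim's closing advice, to tighten sudoers so that the alert script is the only command smokeping can run, as an added example that is not part of the thread: a small audit that flags the NOPASSWD: ALL rule quoted above and accepts a rule limited to the command line he suggests. The tightened rule, its (root) run-as and the function names are assumptions; only simple one-line rules are parsed.

```shell
#!/bin/sh
# Added example (not from the thread). Handles only simple one-line rules:
#   user host = [(runas)] [TAG:] command[, command]
# Aliases, %groups, includes and line continuations are out of scope.

# Print every over-broad grant for user $1 in sudoers-format file $2
# ("-" reads stdin). Returns 0 when nothing is flagged, 1 otherwise.
audit_sudoers() {
    awk -v user="$1" '
        $1 == user {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop "(runas)"
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                while (sub(/^[A-Z_]+:[ \t]*/, "", c)) {}   # drop NOPASSWD: etc.
                if (c == "ALL") { print "any command allowed: " $0; bad = 1 }
                else if (c !~ /^\//) { print "not an absolute path: " c; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$2"
}

# A tight rule is only as strong as the file it names: succeed (0) if $1 is
# writable by group or other, or is not owned by root.
modifiable_by_nonroot() {
    [ -n "$(find "$1" -prune \( ! -user 0 -o -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed sample input: the rule quoted in the thread, and an assumed
# tightened rule built from the command line Jim suggests (placeholder path).
WEAK='smokeping ALL=(ALL) NOPASSWD: ALL'
TIGHT='smokeping ALL=(root) NOPASSWD: /usr/local/bin/python2.7 /path/to/your/script.py'

printf '%s\n' "$WEAK"  | audit_sudoers smokeping - || echo "weak rule: needs tightening"
printf '%s\n' "$TIGHT" | audit_sudoers smokeping - && echo "tight rule: only the alert command"
```

Run modifiable_by_nonroot on the real alert script and on the interpreter named in the rule; if the smokeping user can rewrite either, the restricted rule still hands out root.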


