[smokeping-users] using sudo in an alert
Jim Long
smokeping at museum.rain.com
Fri Jul 27 19:19:03 CEST 2012
On Fri, Jul 27, 2012 at 05:36:41PM +0100, Andrew Pattison wrote:
> I used the -m flag with su to change to the smokeping user and my script
> ran fine using sudo on the command line. The test of writing to /tmp did
> not work due to file permissions, but creating a file in another place that
> I had opened up the permissions on worked and showed the user and group as
> smokeping:smokeping. I have a bang line in the script and it runs when I
> call it on the command line as ./adsl_alert.py. Maybe the line in my Alerts
> file is wrong? Here it is:
>
> to = |/usr/bin/sudo /home/pi/adsl_alert.py
>
> Thanks
>
> Andrew.

And just for paranoia, what is the output from:

    ls -ld /home/pi /home/pi/adsl_alert.py

I don't use alerts in smokeping, so I can't say about the syntax,
but you might try quotes around the whole thing, like

    to = "|/usr/bin/sudo /home/pi/adsl_alert.py"

If that still doesn't help, then to continue with the debugging,
I would suggest this:

Comment out your smokeping alert line, and change it to be just a
dummy test script. Something like

    #to = "|/usr/bin/sudo /home/pi/adsl_alert.py"
    to = |/home/pi/test.sh

That new 'to' line has no spaces, so we probably don't need
quotes. Now put this in /home/pi/test.sh:

    #!/bin/sh
    (
    date
    whoami
    echo test.sh : "$@"
    echo --
    echo
    ) >> /home/pi/test.log 2>&1

Make it 'chmod 755' so that it's executable. This should perform
some simple echo statements every time smokeping raises an alert,
and the data should be readable via:

    less /home/pi/test.log

The file will grow and grow with each alert that is raised.
See if it looks like smokeping is passing reasonable data to the
alert script. I'd be curious to see the output, since I'm not
otherwise familiar with using alerts. Once you're satisfied that
test.sh is being called correctly, add two new lines to it, to
become:

    #!/bin/sh
    (
    date
    whoami
    echo test.sh : "$@"
    echo
    sudo /home/pi/adsl_alert.py
    echo --
    echo
    ) >> /home/pi/test.log 2>&1

I don't know whether your /home/pi/adsl_alert.py script requires
parameters $1 $2 $3 ... etc. to be passed, but if so, do it thus:

    sudo /home/pi/adsl_alert.py "$1" "$2" "$3" "$4" "$5"

If test.sh works with the sudo call inside it, then maybe the
workaround to your problem is to have smokeping use a simple bash
script (.sh) as the alert script, and use that script as a
'wrapper' around the sudo call:

    #!/bin/sh
    sudo /home/pi/adsl_alert.py

Hope this helps,

Jim
> On 27 July 2012 01:25, Jim Long <smokeping at museum.rain.com> wrote:
>
> > On Fri, Jul 27, 2012 at 12:42:23AM +0100, Andrew Pattison wrote:
> > > I cannot su to the smokeping user for some reason. Perhaps this is because
> > > the smokeping user's shell is set to /bin/false.
> >
> > Regardless of smokeping's shell setting, as root, you should be
> > able to use the -m flag:
> >
> > monitor : 17:10:07 /home/long> su
> > Password:
> > (now I'm root:)
> > monitor : /root# su -m smokeping
> > (now I'm smokeping:)
> > $ touch /tmp/foo
> > $ ls -l /tmp/foo
> > -rw-r--r-- 1 smokeping wheel 0 Jul 26 17:10 /tmp/foo
> > $
> >
> > Now try 'sudo script.py' and look for showstoppers. Another basic
> > thing, the first line of script.py should be an interpreter that knows
> > how to deal with .py files. Some .py files on my system have
> >
> > $ head -1 /usr/local/bin/pilfile.py
> > #!/usr/local/bin/python2.7
> >
> > I'm open to correction, but in order for a .py script to be executable,
> > it must have that line at the top, and the .py script must also have the
> > execute permission bit set.
> >
> > For .py files which lack either of those requirements (or even if they
> > do meet both), an alternate way to invoke a script is to explicitly call
> > the _interpreter_ and pass the script name as an argument, e.g.
> >
> > /usr/local/bin/python2.7 /usr/local/bin/pilfile.py
> >
> > You might try changing your smokeping config to use something like
> >
> > sudo /usr/local/bin/python2.7 /path/to/your/script.py
> >
> > Be sure to fully restart smokeping and maybe your web server to be 100%
> > certain that your new configuration takes effect, and you're not just
> > re-testing the previous configuration.
> >
> > > The script is to switch GPIO pins on my new Raspberry Pi (see
> > > www.raspberrypi.org). The script needs to run as root so that it can access
> > > the GPIO pins.
> > >
> > > I tried running a shell script on the same alert using sudo and without
> > > sudo. It only works without sudo. Here is the relevant line from
> > > /etc/sudoers:
> > >
> > > smokeping ALL=(ALL) NOPASSWD: ALL
> >
> > For testing, that's good, but it's a security risk to keep that
> > long term. If someone cracks your smokeping installation, they'll
> > own your box. Once your troubleshooting is complete, tighten down
> > the sudoers file so that the only command smokeping can run is
> > the alert script.
> >
> > Jim
> >
> >
> >
> >
> > > Thanks
> > >
> > > Andrew.
> > >
> > > On 27 July 2012 00:13, Jim Long <smokeping at museum.rain.com> wrote:
> > >
> > > > On Thu, Jul 26, 2012 at 11:56:41PM +0100, Andrew Pattison wrote:
> > > > > I tried that but it still doesn't work. The alert is triggered as it is
> > > > > logged in /var/messages but either smokeping is not calling the script or
> > > > > the call is failing. Any ideas?
> > > > >
> > > > > Andrew.
> > > >
> > > > Once again, please pardon the basics.
> > > >
> > > > Using su, change your effective user ID to the smokeping user,
> > > > whatever user you run smokeping under (the user account under
> > > > which the alerts get invoked). Verify that this is so:
> > > >
> > > > $ touch /tmp/foo
> > > > $ ls -l /tmp/foo
> > > > (should show zero bytes, ownership by smokeping user)
> > > > $ rm /tmp/foo
> > > >
> > > > Then manually invoke the same sudo command line that you're using
> > > > in the alerts. Does it ask you for a password? If so, your
> > > > sudoers file is not set up correctly.
> > > >
> > > > Set your script aside, and try this script 'test.sh' instead:
> > > >
> > > > #!/bin/sh
> > > > rm -rf /tmp/smokeping-sudo.log
> > > > ( date; set; echo '--' ) > /tmp/smokeping-sudo.log
> > > >
> > > > Does that write data into /tmp/smokeping-sudo.log? Examine the
> > > > set output to confirm that the effective user ID is root/UID 0.
> > > > Since that script runs under sudo as root, you should also see
> > > > that /tmp/smokeping-sudo.log is owned by root.
> > > >
> > > > Lastly, consider whether your entire alert script really needs to
> > > > run under sudo or just one specific command (or only a small
> > > > number). Think about whether it is feasible to call the script
> > > > directly, and use sudo only from within the script, on only those
> > > > few commands where it is necessary. Are there any weird
> > > > characters in your sudo command line that should be quoted or
> > > > escaped? Can you share the contents of your alert command and
> > > > the pertinent line of your sudoers file, and some 'ps' output
> > > > that shows the username you use to run smokeping under?
> > > >
> > > > Hope this helps.
> > > >
> > > > Jim
> > > >
> > > >
> > > > > On 25 July 2012 17:23, Ryan Becker <rb14060 at gmail.com> wrote:
> > > > >
> > > > > > Try using the absolute path to the script in the sudoers file. Also, the
> > > > > > /etc/sudoers file should NOT be edited directly, you should be using the
> > > > > > visudo command as root.
> > > > > >
> > > > > > On Wed, Jul 25, 2012 at 4:41 AM, Andrew Pattison <andrum99 at gmail.com> wrote:
> > > > > >
> > > > > > >> I've got something similar in /etc/sudoers already.
> > > > > >>
> > > > > >> Thanks
> > > > > >>
> > > > > >> Andrew.
> > > > > >>
> > > > > >>
> > > > > >> On 24 July 2012 23:15, Ryan Becker <rb14060 at gmail.com> wrote:
> > > > > >>
> > > > > > >>> Make sure that the user is allowed to execute the script without a
> > > > > > >>> password. Here's an example that you can modify to suit your
> > > > > > >>> needs: techbnc ALL = NOPASSWD: /usr/sbin/csf
> > > > > > >>> In this example the user techbnc is allowed to call /usr/sbin/csf
> > > > > > >>> without needing a password. What's happening is that normally when sudo is
> > > > > > >>> called, it asks for the password and Smokeping has no way to provide that
> > > > > > >>> password. By adding the user to the file with NOPASSWD, they are allowed
> > > > > > >>> to execute the script without being password prompted and therefore
> > > > > > >>> Smokeping will be able to complete the action.
> > > > > >>>
> > > > > > >>> On Tue, Jul 24, 2012 at 5:35 PM, Andrew Pattison <andrum99 at gmail.com> wrote:
> > > > > >>>
> > > > > > >>>> I am trying to set up smokeping with an alert script. The alert script
> > > > > > >>>> is called like this entry in /etc/smokeping/config.d/Alerts:
> > > > > >>>>
> > > > > >>>> to = |sudo script.py
> > > > > >>>>
> > > > > > >>>> When called as simply |script.py this works fine, but with sudo the
> > > > > > >>>> script does not get called. How can I get this working?
> > > > > >>>>
> > > > > >>>> Thanks
> > > > > >>>>
> > > > > >>>> Andrew.
> > > > > >>>>
> > > > > >>>> _______________________________________________
> > > > > >>>> smokeping-users mailing list
> > > > > >>>> smokeping-users at lists.oetiker.ch
> > > > > >>>> https://lists.oetiker.ch/cgi-bin/listinfo/smokeping-users
> > > > > >>>>
> > > > > >>>>
> > > > > >>>
> > > > > >>
> > > > > >
> > > >
> > > >
> > > >
> >
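
Added example (not part of the original thread, and not smokeping's own code): the `ls -ld /home/pi /home/pi/adsl_alert.py` check and the advice to tighten sudoers, combined into an audit to run before replacing the testing rule. The function names, the tightened sudoers line and the assumption that the target should be root-owned are this example's, not the posters'.

```shell
#!/bin/sh
# Added example, not from the thread. Sudoers rules it is meant to accompany:
#   testing only (from the thread):  smokeping ALL=(ALL) NOPASSWD: ALL
#   tightened (constructed):         smokeping ALL=(root) NOPASSWD: /home/pi/adsl_alert.py
# A command listed without arguments may be run with any arguments, so the
# script must treat "$@" as untrusted input.

# check_path PATH UID (hypothetical helper): succeed only if PATH exists,
# is owned by UID and is not writable by group or others.
check_path() {
    p=$1
    want_uid=$2
    [ -e "$p" ] || { echo "FAIL $p: missing"; return 1; }
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner
    info=$(ls -ldn "$p" | awk '{print $1 ":" $3}')
    mode=${info%%:*}
    uid=${info##*:}
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $p: owner uid $uid, expected $want_uid"
        return 1
    fi
    case $mode in
        ?????w*|????????w*)
            echo "FAIL $p: mode $mode is group- or world-writable"
            return 1 ;;
    esac
    echo "ok   $p ($mode, uid $uid)"
}

# audit_sudo_target SCRIPT [UID] (hypothetical helper): check the script and
# the directory that holds it. UID defaults to 0 (root); the parameter
# exists so the check can be exercised without root.
audit_sudo_target() {
    script=$1
    owner=${2:-0}
    rc=0
    check_path "$script" "$owner" || rc=1
    check_path "$(dirname "$script")" "$owner" || rc=1
    [ -x "$script" ] || { echo "FAIL $script: not executable"; rc=1; }
    return $rc
}

if [ "$#" -gt 0 ]; then
    audit_sudo_target "$@"
fi
```

A script kept in a directory owned by an ordinary user fails this audit, because that user can replace the file that sudo then runs as root; placing the script in a root-owned directory before narrowing the rule closes that gap.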