Grant sudo permissions for nrpe to run the check as root - linux

When I run service httpd status like root user I get httpd (pid 2932) is running... which is like expected.
Now, when I su nrpe and run the same cmd service httpd status I get httpd dead but subsys locked.
I'm kind of new to the Linux world but to me this smells like nrpe doesn't have the permissions to run this cmd so it gives mentioned output.
How can I grant sudo permissions to nrpe so it can run chis cmd as root?
I have a nagios plugin that checks httpd status and it gives httpd dead but subsys locked which is not what I need.
Thanks

You should be able to edit your sudo file by typing visudo as the root user.
To allow your nrpe user to run service without needing a password you first need to comment out the following lines if they exist:
#Defaults targetpw
#ALL ALL=(ALL) ALL
Then add the following line:
nrpe ALL=NOPASSWD: /usr/sbin/service
Now the nrpe user should be able to run "sudo service httpd status" without it asking for a password.
You should note though that this will give the nrpe user control to every service. If you're using Apache, you might want to try something like this instead:
nrpe ALL=NOPASSWD: /usr/sbin/apache2ctl

Related

How to make service not require superuser password entry?

I am doing the command service cron start in the shell which requires a superuser password entry. I am the root user on this (OracleVB running Ubuntu).
Is there a way to add this command to an approved user task where I can just type service cron start and not be prompted for a password?
Starting and stopping system services should only be possible for the root user.
You might want to enable your service to start at boot with systemctl enable --now yourservice instead.
You can always use systemctl status yourservice to check if it is currently running.

How to start Jenkins with a different user?

I am working with Jenkins and I want to start a script with forever using Jenkins with a different user named aroot.
So my build configuration I write this command:
sudo -u aroot forever start -a --uid 'server' bin/www
It works fine but forever still tries to access the jenkins user and when I try to see the scripts running under forever by using the command:
forever list
I see nothing. Why does this happen? I have changed the user to aroot but it still tries to start the script under jenkins user. What should I do here?
I even tried changing the default jenkins user to aroot but after this, the Jenkins just does not restart.
you should not need the forever thing going. just enable it from systemctl
# systemctl enable jenkins.service
how you get it to run as different users is by editing this file.
# vi /etc/sysconfig/jenkins
and changing this line to whatever user you want.
JENKINS_USER="aroot"
When you restart it will be running as that user but you will need to chown all files in /var/lib/jenkins so it has the correct ownership.

Systemd service unit file as user

I'm new to the concept of systemd unit files in Centos 7 but need to start up the MATLAB license manager at boot. MATLAB doesn't offer a specific solution on how to do this, and the following seems to work but asks for a password when typing systemctl start license-manager and systemctl stop license-manager. Is that expected?
Note this does need to run as a specific user and not as root.
Here is my /etc/systemd/system/license-manager.servicefile:
[Unit]
Description=MATLAB FlexLM license manager
[Service]
Type=forking
ExecStart=/usr/local/MATLAB/R2016a/etc/lmstart
ExecStop=/usr/local/MATLAB/R2016a/etc/lmdown
KillMode=none
Restart=on-failure
RestartSec=90
User=lmlicenseuser
[Install]
WantedBy=multi-user.target
You can try Crontab
bash$ crontab -e
then add the following line
#reboot /usr/local/MATLAB/R201Xx/etc/lmstart
This should resolve your issue.
Traditionally it is always expected for non-root users to be asked for a password when running commands as other users, yes.
However, because you have specified that it is a dependency of multi-user.target, it should always be started automatically whenever you reboot in future, so you shouldn't need to enter the password in future.
If for some reason you do still need to control it manually in future, you can use sudo and edit /etc/sudoers to allow those two particular commands to be run without a password, using NOPASSWD.

Can I control a user systemd using 'systemctl --user' after sudo su - myuser?

I have a service that I want to start with system startup. I have built a ap#.service definition for it as a template, because there could be many instances.
Defined in the root systemd, this works well, and starts and stops the service with the system. The service instance is installed with systemctl enable ap#inst1 as would be expected. Root is also able to start and stop the service without problems. The service runs in its own account (myuser), not root, controlled by User=myuser in the ap#.service template.
But I want user 'myuser' to be able to start and stop their own service, without compromising system security.
I switched to using a user systemd, and enabled lingering with loginctl enable-linger myuser. I then enable the service defined in the ~myuser/.config/systemd/user directory. The service now starts and stops cleanly with the system, as designed. If I log in to a terminal as 'myuser', systemctl --user start ap#inst1, and systemctl --user stop ap#inst1 both work perfectly.
However, if I log in as a different user (user2) and perform sudo su - myuser in a terminal, then systemctl --user commands now fail with error message "Failed to get D-Bus connection: no such file or directory".
How do I enable systemctl --user to work after a sudo su - myuser command to switch the user?
I found the answer on another site with further searches using different terms.
The solutions needed was to provide the shell with information to reach the correct DBUS for the user.
By adding the following environment variables to the shell before running systemctl --user, the DBUS problem is eliminated, and systemctl operates correctly.
export XDG_RUNTIME_DIR="/run/user/$UID"
export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"
To ensure that the DBUS_SESSION_BUS_ADDRESS is available in the sudo shell, I added the environment variables to ~/.bash_profile of the target userid. This requires that a login shell ( sudo su - myuser or sudo -l myuser) is created in order to create the correct environment.
Alternatively, add the creation of the environment variables to ~/.bashrc (or equivalent for other shells). The environment will then be established anew for all shell creations.
systemd 248 (released March 2021) introduced support for the syntax -M myuser# for specifying another user.
$ sudo systemctl --user -M myuser# start ap#inst1
A side-note:
If you want to get an interactive login shell for the user myuser
$ sudo machinectl shell myuser#

ElasticBeanstalk - Adding ec2-user to another group

I have a cron job that needs to be run under ec2-user on my EC2 instance and it needs to be able to write to the standard log files for my web app. However, the log files are owned by webapp (as per normal).
I've successfully changed the permissions on the log files so that they are accessible by both the owner and the group webapp:webapp. But where I'm running into trouble is when I try to add the ec2-user to the webapp group.
I can do it fine in SSH with sudo usermod -a -G webapp ec2-user but when I try to add this command via EB container-commands, I get an error saying that you must have a tty to run sudo. Running the command without sudo gives me /bin/sh: usermod: command not found.
Anybody know of any other way to be able to add ec2-user to the webapp group via the Elastic Beanstalk deployment config.
Not sure about the issue with the sudoers file, but generally a cleaner way to add a user to a group (than manually executing a command) is to use the users section of the .ebextensions file. For example, in .ebextensions/something.config:
users:
ec2-user:
groups:
- webapp
You should not use sudo, the deploy script is ran by root.
Also, this is a server command, do it in the commands section instead of container commands section.
commands:
01_set_user_role:
command: "usermod -a -G webapp ec2-user"
You need to run this command from a container_command before executing any commands with sudo:
echo Defaults:root \!requiretty >> /etc/sudoers
In context (in .ebextensions/yourconf.config)
container_commands:
001-enableroot:
command: echo Defaults:root \!requiretty >> /etc/sudoers #disables error related to needing a tty for sudo, allows running without cli

Resources