Limiting the use of `sudo -s`

Solution 1:

nagios ALL=NOPASSWD: /bin/bash -c /usr/lib/nagios/plugins/check_ide_smart *

This should work and allow arguments.

Solution 2:

FYI, you need to quote $@ in your shell script for it to work right:

#!/bin/sh
# bash -c runs only the command string; any further words become $0, $1, ... of
# that inner shell, so the string itself must hand "$@" on to the plugin.
/bin/bash -c '/usr/lib/nagios/plugins/check_ide_plugin "$@"' check_ide_plugin "$@"

$@ is magic. From the bash manpage,

@ Expands to the positional parameters, starting from one. When the expansion occurs within double quotes, each parameter expands to a separate word. That is, "$@" is equivalent to "$1" "$2" ... If the double-quoted expansion occurs within a word, the expansion of the first parameter is joined with the beginning part of the original word, and the expansion of the last parameter is joined with the last part of the original word. When there are no positional parameters, "$@" and $@ expand to nothing (i.e., they are removed).

Also, starting bash won't spawn a pty; though I'm perplexed as to why your nagios plugin needs a terminal to run. It shouldn't. Maybe the actual problem is sudo's environment sanitization?
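The quoting rule from this answer, as an added example that is not part of the original post: a stand-in `join_args` function (constructed here) plays the plugin and prints each argument it received, so the effect of `"$@"`, unquoted `$@`, and forwarding through `sh -c` can be compared side by side. It goes one step beyond the answer by also showing the `$0` slot that `sh -c` fills from its first extra word.

```shell
#!/bin/sh
# Stand-in for the Nagios plugin (constructed for this example): prints each
# argument it received followed by '|', so argument boundaries are visible.
join_args() { printf '%s|' "$@"; }

# Wrapper as the answer recommends: "$@" expands to "$1" "$2" ..., so an
# argument containing whitespace reaches the plugin as a single word.
wrap_quoted() { join_args "$@"; }

# Unquoted $@: the expansion is split again on IFS, so one argument with a
# space arrives at the plugin as two.
wrap_unquoted() { join_args $@; }

# Forwarding through `sh -c`: words after the command string fill $0, $1, ...
# of the inner shell. The command string must pass "$@" on itself, and a
# throwaway word has to occupy $0 or the first real argument lands there.
forward_via_c() { sh -c 'printf "%s|" "$@"' check_wrapper "$@"; }

# Same, but without the $0 placeholder: the first argument is consumed as $0
# and never reaches the inner command.
forward_via_c_no_placeholder() { sh -c 'printf "%s|" "$@"' "$@"; }
```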

Solution 3:

Instead of using sudo -s and launching a root shell, just allow your nagios user to use sudo without a tty using !requiretty. Your /etc/sudoers should have the following:

# Allow Nagios extra privs
Defaults:nagios !requiretty
nagios ALL=NOPASSWD: /usr/lib/nagios/plugins/check_ide_plugin

... which will allow direct sudo access, without a password, and without a tty. You can leave the "check_ide_plugin" off if you want sudo access to all the plugins.

We also use NRPE, which seems a little safer than check_by_ssh, but it requires a little more setup. Same idea in /etc/sudoers though, just swap nagios with nrpe. :)

~tommy