Check if passwordless sudo can be used in a bash script or nagios check

30-01-2014 | Remy van Elst

This is a simple trick to see if you can use passwordless sudo in a script. For example, this can be useful in a Nagios plugin which requires sudo. Instead of putting the sudo line in your README and otherwise getting an NRPE "Unable to parse result" error, you can give a nice warning message plus the right sudo configuration rule.

The example below comes from a Nagios plugin which checks if an OSSEC server has disconnected agents. The nagios user should have a special exception in /etc/sudoers to allow calling the ossec command with elevated privileges. If the sudo is not successful it gives a nice error plus the required config to add to /etc/sudoers:

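# OSSEC installation directory
DIRECTORY="/var/ossec"
# The first -n is sudo's non-interactive flag; the trailing -n belongs to list_agents
AGENTS="$(sudo -n "${DIRECTORY}/bin/list_agents" -n 2>&1)"
if [[ ${?} -ne 0 ]]; then
    echo "UNKNOWN: Unable to execute list_agents. Is sudo configured?"
    echo "Add the following to /etc/sudoers USING VISUDO!:"
    echo -e "$(whoami)\tALL=NOPASSWD:\t${DIRECTORY}/bin/list_agents -n"
    exit 3  # Nagios UNKNOWN state
fi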

Instead of seeing an "Unable to parse output" error in Nagios we get a nice UNKNOWN warning actually telling us what's wrong, like so:

# sudo -u nagios  bash /etc/nagios-plugins/ossec-agents.sh
UNKNOWN: Unable to execute list_agents. Is sudo configured?
Add the following to /etc/sudoers USING VISUDO!:
nagios  ALL=NOPASSWD:  /var/ossec/bin/list_agents -n

The trick is using the -n / non-interactive option with sudo. The man page tells us the following:

-n    The -n (non-interactive) option prevents sudo from prompting the user for a password. If a password is required for the command to run, sudo will display an error message and exit.

Which is perfect for testing passwordless sudo instead of letting it just fail.
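The same check as a reusable function, as an added example that is not part of the original plugin. It goes one step further than the snippet above: it first asks sudo whether the command is allowed (`sudo -n -l <command>`, which does not run it) and only then executes it, so a missing sudoers rule and a failing command produce different messages. The function names and the `SUDO` override variable are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example (not the plugin's own code): reusable sudo pre-flight for a check.
# SUDO is an assumption of this sketch: it lets a test substitute a stub for sudo.
SUDO="${SUDO:-sudo}"

# Print the sudoers rule for the invoking user and this exact command line.
sudoers_hint() {
    echo "Add the following to /etc/sudoers USING VISUDO!:"
    printf '%s\tALL=NOPASSWD:\t%s\n' "$(whoami)" "$*"
}

# run_with_sudo /abs/path [args...]
# Prints the command's output and returns 0, or prints an UNKNOWN line and
# returns 3 (the Nagios UNKNOWN state) when sudo or the command fails.
run_with_sudo() {
    local out
    case "$1" in
        /*) ;;  # sudoers rules name commands by absolute path
        *)  echo "UNKNOWN: '$1' is not an absolute path."; return 3 ;;
    esac
    if ! command -v "$SUDO" >/dev/null 2>&1; then
        echo "UNKNOWN: sudo is not installed."
        return 3
    fi
    # "sudo -l <command>" asks the policy whether the command is allowed
    # without running it; -n turns a password prompt into a failure.
    if ! "$SUDO" -n -l "$@" >/dev/null 2>&1; then
        echo "UNKNOWN: Unable to execute $1. Is sudo configured?"
        sudoers_hint "$@"
        return 3
    fi
    # A successful listing does not prove this command is NOPASSWD,
    # so the real run keeps -n as well and reports what sudo said.
    out="$("$SUDO" -n "$@" 2>&1)" || {
        echo "UNKNOWN: $1 failed with status $?: $out"
        return 3
    }
    printf '%s\n' "$out"
}

# Usage inside a plugin:
#   AGENTS="$(run_with_sudo /var/ossec/bin/list_agents -n)" || { echo "$AGENTS"; exit 3; }
```

Passing the full command line to `sudoers_hint` keeps the suggested rule limited to the exact arguments the plugin uses, as in the original snippet.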

