Check if passwordless sudo can be used in a bash script or nagios check

Published: 30-01-2014 | Author: Remy van Elst


❗ This post is over eleven years old. It may no longer be up to date. Opinions may have changed.

This is a simple trick to check whether passwordless sudo can be used in a script. It is useful, for example, in a Nagios plugin which requires sudo. Instead of putting the sudo line in your README and otherwise getting an NRPE "Unable to parse result" error, you can give a clear warning message plus the right sudo configuration rule.

The example below comes from a Nagios plugin which checks if an OSSEC server has disconnected agents. The nagios user should have a special exception in /etc/sudoers to allow calling the ossec command with elevated privileges. If the sudo call is not successful, the plugin prints a clear error plus the required config to add to /etc/sudoers:

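# OSSEC install directory, also used in the sudoers hint below
DIRECTORY="/var/ossec"

# sudo -n fails immediately instead of prompting when a password is required
AGENTS="$(sudo -n "${DIRECTORY}/bin/list_agents" -n 2>&1)"
if [[ ${?} -ne 0 ]]; then
    echo "UNKNOWN: Unable to execute list_agents. Is sudo configured?"
    echo "Add the following to /etc/sudoers USING VISUDO!:"
    echo -e "$(whoami)\tALL=NOPASSWD:\t${DIRECTORY}/bin/list_agents -n"
    exit 3
fi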

Instead of seeing an "Unable to parse output" error in Nagios, we get a clear UNKNOWN warning that actually tells us what's wrong, like so:

# sudo -u nagios  bash /etc/nagios-plugins/ossec-agents.sh
UNKNOWN: Unable to execute list_agents. Is sudo configured?
Add the following to /etc/sudoers USING VISUDO!:
nagios  ALL=NOPASSWD:  /var/ossec/bin/list_agents -n

The trick is using the -n / non-interactive option with sudo. The man page tells us the following:

-n    The -n (non-interactive) option prevents sudo from prompting the user for a password. If a password is required for the command to run, sudo will display an error message and exit.

That makes it perfect for testing passwordless sudo instead of just letting the command fail.
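
The same check generalised into a reusable function for any command, as an added example that is not part of the original plugin. Unlike the snippet above, it separates "sudo wanted a password" from a failure of the command itself; it assumes sudo's English "a password is required" wording, and the names sudo_or_unknown and SUDO_OUT are made up for this sketch.

```bash
#!/usr/bin/env bash
# Added example: generalised sudo -n pre-flight for Nagios/NRPE plugins.
# sudo_or_unknown and SUDO_OUT are names made up for this sketch.

STATE_UNKNOWN=3   # Nagios plugin exit code for UNKNOWN

# Run "$@" through sudo -n and leave its combined output in SUDO_OUT.
# Returns 0 on success, 3 (with a sudoers hint on stdout) when sudo itself
# refused to run without a password, else the exit status it passed back.
sudo_or_unknown() {
    _rc=0
    # LC_ALL=C keeps sudo's message in English; it is set in the subshell only.
    SUDO_OUT="$(LC_ALL=C; export LC_ALL; sudo -n -- "$@" 2>&1)" || _rc=$?
    if [ "$_rc" -eq 0 ]; then
        return 0
    fi
    case "$SUDO_OUT" in
        *"a password is required"*)   # assumed wording of sudo's -n error
            echo "UNKNOWN: Unable to execute $1. Is sudo configured?"
            echo "Add the following to /etc/sudoers USING VISUDO!:"
            # Full command line with arguments, so the rule grants only this call.
            printf '%s\tALL=NOPASSWD:\t%s\n' "$(id -un)" "$*"
            return "$STATE_UNKNOWN"
            ;;
    esac
    # Any other failure (typically the command's own) is passed through.
    return "$_rc"
}

# Usage inside a plugin (any failure is UNKNOWN for Nagios; the sudoers hint
# is printed only when sudo is the cause):
#   sudo_or_unknown /var/ossec/bin/list_agents -n || exit "$STATE_UNKNOWN"
#   AGENTS="$SUDO_OUT"
```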
