Raymii.org

Check if passwordless sudo can be used in a bash script or nagios check

Published: 30-01-2014 | Author: Remy van Elst


❗ This post is over seven years old. It may no longer be up to date. Opinions may have changed.

This is a simple trick to see if you can use passwordless sudo in a script. It is useful, for example, in a Nagios plugin which requires sudo. Instead of only putting the sudo line in your README and otherwise getting an NRPE "Unable to parse result" error, the plugin can give a nice warning message plus the right sudo configuration rule.

The example below comes from a Nagios plugin which checks if an OSSEC server has disconnected agents. The nagios user should have a special exception in /etc/sudoers to allow calling the ossec command with elevated privileges. If the sudo call is not successful, the plugin gives a nice error plus the required config to add to /etc/sudoers:

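# OSSEC install directory; matches the /var/ossec path in the output below
DIRECTORY="/var/ossec"
# -n makes sudo fail immediately instead of prompting for a password
AGENTS="$(sudo -n "${DIRECTORY}/bin/list_agents" -n 2>&1)"
if [[ ${?} != "0" ]]; then
    echo "UNKNOWN: Unable to execute list_agents. Is sudo configured?"
    echo "Add the following to /etc/sudoers USING VISUDO!:"
    echo -e "$(whoami)\tALL=NOPASSWD:\t${DIRECTORY}/bin/list_agents -n"
    # Nagios exit code 3 = UNKNOWN
    exit 3
fi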

Instead of seeing an "Unable to parse output" error in Nagios, we get a nice UNKNOWN warning actually telling us what's wrong, like so:

# sudo -u nagios  bash /etc/nagios-plugins/ossec-agents.sh
UNKNOWN: Unable to execute list_agents. Is sudo configured?
Add the following to /etc/sudoers USING VISUDO!:
nagios  ALL=NOPASSWD:  /var/ossec/bin/list_agents -n

The trick is using the -n / non-interactive option with sudo. The man page tells us the following:

-n    The -n (non-interactive) option prevents sudo from prompting the user for a password. If a password is required for the command to run, sudo will display an error message and exit.

This is perfect for testing whether passwordless sudo works, instead of letting the script just fail.
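The check above treats every non-zero exit as a sudo problem, although list_agents failing on its own also returns non-zero. The following added example (not part of the original plugin) separates the two cases by looking for sudo's "a password is required" message; the helper names, the overridable SUDO variable and the CRITICAL mapping for a failing command are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original plugin. SUDO is overridable only so the
# functions can be exercised without real sudo; check_sudo_cmd, sudoers_hint
# and nagios_sudo_check are hypothetical helper names.
SUDO="${SUDO:-sudo}"

# Run "$@" through sudo -n and leave the combined output in SUDO_OUT.
# Returns 0 on success, 3 when sudo itself refused (password needed),
# 2 when the command ran under sudo but exited non-zero.
check_sudo_cmd() {
    # LC_ALL=C keeps sudo's message in English; it is set in the subshell only.
    if SUDO_OUT="$(LC_ALL=C; export LC_ALL; "$SUDO" -n "$@" 2>&1)"; then
        return 0
    fi
    case "$SUDO_OUT" in
        *"a password is required"*) return 3 ;;  # sudo's own refusal
    esac
    return 2
}

# Print the sudoers rule the invoking user needs for exactly this command line.
sudoers_hint() {
    printf '%s\tALL=NOPASSWD:\t%s\n' "$(id -un)" "$*"
}

# Nagios-style wrapper: UNKNOWN (3) for missing sudo configuration,
# CRITICAL (2) when the command itself fails, OK (0) otherwise.
nagios_sudo_check() {
    rc=0
    check_sudo_cmd "$@" || rc=$?
    case "$rc" in
        0) echo "OK: $1 ran via sudo" ;;
        3) echo "UNKNOWN: Unable to execute $1. Is sudo configured?"
           echo "Add the following to /etc/sudoers USING VISUDO!:"
           sudoers_hint "$@" ;;
        *) echo "CRITICAL: $1 failed: $SUDO_OUT" ;;
    esac
    return "$rc"
}

# Usage in a plugin:
#   nagios_sudo_check /var/ossec/bin/list_agents -n; exit $?
```

Because the sudoers hint is built from the exact command line that was tried, the printed rule stays as narrow as the call the plugin makes.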
