
Check if passwordless sudo can be used in a bash script or nagios check

Published: 30-01-2014 | Author: Remy van Elst


This is a simple trick to check whether passwordless sudo can be used in a script. This can be useful, for example, in a Nagios plugin that requires sudo. Instead of putting the sudo line in your README and otherwise getting an NRPE "Unable to parse result" error, you can give a clear warning message plus the right sudo configuration rule.


The example below comes from a Nagios plugin that checks whether an OSSEC server has disconnected agents. The nagios user should have a special exception in /etc/sudoers to allow calling the ossec command with elevated privileges. If the sudo call is not successful, the plugin prints a clear error plus the required configuration to add to /etc/sudoers:

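    # OSSEC install prefix; /var/ossec matches the output shown further down.
    DIRECTORY="/var/ossec"

    # -n makes sudo fail instead of prompting when a password is required.
    AGENTS="$(sudo -n "${DIRECTORY}/bin/list_agents" -n 2>&1)"
    if [[ ${?} != "0" ]]; then
        echo "UNKNOWN: Unable to execute list_agents. Is sudo configured?"
        echo "Add the following to /etc/sudoers USING VISUDO!:"
        echo -e "$(whoami)\tALL=NOPASSWD:\t${DIRECTORY}/bin/list_agents -n"
        exit 3
    fi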

Instead of seeing an "Unable to parse output" error in Nagios, we get a nice UNKNOWN warning that actually tells us what's wrong, like so:

    # sudo -u nagios  bash /etc/nagios-plugins/ossec-agents.sh
    UNKNOWN: Unable to execute list_agents. Is sudo configured?
    Add the following to /etc/sudoers USING VISUDO!:
    nagios  ALL=NOPASSWD:  /var/ossec/bin/list_agents -n

The trick is using the -n / non-interactive option with sudo. The manpage tells us the following:

    -n    The -n (non-interactive) option prevents sudo from prompting the user for a password. If a password is required for the command to run, sudo will display an error message and exit.

This makes it perfect for testing whether passwordless sudo works, instead of just letting the command fail.
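The check above reports a sudo problem for any non-zero exit, including a failure of list_agents itself. The following is an added example, not code from the original plugin: it asks the sudoers policy first with `sudo -n -l` and only then runs the command, returning a separate Nagios state for each failure. The function names and the `SUDO` override variable are assumptions introduced here.

```bash
# Added example, not from the original plugin. Written in portable sh.
# SUDO is an assumed override hook so the check can be pointed at a stub.
SUDO="${SUDO:-sudo}"

# sudo_rule USER CMD [ARGS...]
# Print the sudoers line that allows USER to run exactly CMD ARGS.
sudo_rule() {
    rule_user="$1"; shift
    printf '%s\tALL=NOPASSWD:\t%s\n' "$rule_user" "$*"
}

# can_sudo_nopasswd CMD [ARGS...]
# "sudo -n -l CMD" only queries the policy: nothing runs as root, and the
# exit status is non-zero if CMD is not permitted or a password is needed.
can_sudo_nopasswd() {
    "$SUDO" -n -l "$@" >/dev/null 2>&1
}

# run_privileged CMD [ARGS...]
# Prints the command output (or a Nagios message) and returns a Nagios state:
#   0 = command ran, 2 = sudo worked but the command failed,
#   3 = sudo is not configured for this command (UNKNOWN).
run_privileged() {
    if ! can_sudo_nopasswd "$@"; then
        echo "UNKNOWN: sudo -n refused '$*'. Is sudo configured?"
        echo "Add the following to /etc/sudoers USING VISUDO!:"
        sudo_rule "$(whoami)" "$@"
        return 3
    fi
    if ! priv_out="$("$SUDO" -n "$@" 2>&1)"; then
        echo "CRITICAL: '$*' failed under sudo: $priv_out"
        return 2
    fi
    printf '%s\n' "$priv_out"
    return 0
}
```

In a plugin this would be called as `AGENTS="$(run_privileged /var/ossec/bin/list_agents -n)" || exit $?`. Because the suggested rule includes the arguments, sudo permits only that exact invocation.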
