Published: 30-01-2014 | Author: Remy van Elst


This is a simple trick to check whether you can use passwordless sudo in a script. It can be useful, for example, in a Nagios plugin which requires sudo. Instead of putting the sudo line in your README and otherwise getting an NRPE Unable to parse result error, you can give a nice warning message plus the right sudo configuration rule.


The example below comes from a Nagios plugin which checks if an OSSEC server has disconnected agents. The nagios user should have a special exception in /etc/sudoers to allow calling the ossec command with elevated privileges. If the sudo call is not successful, the plugin gives a nice error plus the required config to add to /etc/sudoers:

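    # OSSEC install directory, as shown in the example output below
    DIRECTORY="/var/ossec"
    # sudo -n fails immediately instead of prompting for a password
    AGENTS="$(sudo -n /var/ossec/bin/list_agents -n 2>&1)"
    if [[ ${?} != "0" ]]; then
        echo "UNKNOWN: Unable to execute list_agents. Is sudo configured?"
        echo "Add the following to /etc/sudoers USING VISUDO!:"
        echo -e "$(whoami)\tALL=NOPASSWD:\t${DIRECTORY}/bin/list_agents -n"
        # 3 is the Nagios exit code for UNKNOWN
        exit 3
    fi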

Instead of seeing an "Unable to parse output" error in Nagios, we get a nice UNKNOWN warning actually telling us what's wrong, like so:

    # sudo -u nagios bash /etc/nagios-plugins/ossec-agents.sh
    UNKNOWN: Unable to execute list_agents. Is sudo configured?
    Add the following to /etc/sudoers USING VISUDO!:
    nagios ALL=NOPASSWD: /var/ossec/bin/list_agents -n

The trick is using the -n / non-interactive option with sudo. The man page tells us the following:

    -n    The -n (non-interactive) option prevents sudo from prompting the user for a password. If a password is required for the command to run, sudo will display an error message and exit.

That makes it perfect for testing whether passwordless sudo works, instead of just letting the script fail.
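The check above reports a sudo problem for every non-zero exit, although `$?` is also non-zero when `list_agents` itself fails after sudo allowed it. The following added example (not part of the original plugin) separates the two cases by matching sudo's "a password is required" message; `SUDO_BIN` and `sudo_n_or_unknown` are hypothetical names, and the message text is assumed to be what sudo prints in the C locale.

```shell
#!/usr/bin/env bash
# Added example, not from the original plugin.
# SUDO_BIN (hypothetical) lets the plugin or a test point at another sudo binary.
SUDO_BIN="${SUDO_BIN:-sudo}"

# Run "$@" through sudo -n.
# Success: print the command output, return 0.
# Failure: print a Nagios UNKNOWN message that says whether sudo refused
# (password required) or the command failed for another reason, return 3.
sudo_n_or_unknown() {
    local out rc
    rc=0
    # LC_ALL=C keeps sudo's own error text untranslated so the match works.
    out="$(LC_ALL=C "$SUDO_BIN" -n "$@" 2>&1)" || rc=$?
    if [ "$rc" -eq 0 ]; then
        printf '%s\n' "$out"
        return 0
    fi
    case "$out" in
        *"a password is required"*)
            echo "UNKNOWN: sudo needs a password for: $*"
            echo "Add the following to /etc/sudoers USING VISUDO!:"
            # Full path plus arguments, so the rule allows only this exact call.
            printf '%s\tALL=NOPASSWD:\t%s\n' "$(whoami)" "$*"
            ;;
        *)
            # sudo did not ask for a password; show what actually went wrong.
            echo "UNKNOWN: '$*' failed under sudo -n (exit ${rc}): ${out}"
            ;;
    esac
    return 3
}

# Usage inside a plugin (path taken from the article):
#   AGENTS="$(sudo_n_or_unknown /var/ossec/bin/list_agents -n)" \
#       || { echo "$AGENTS"; exit 3; }
```

Because the suggested rule names the absolute path and its arguments, the nagios user gains nothing beyond that one invocation.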
