Package: sudo
Version: 1.6.9p17-2+lenny1
Severity: important
We use the following sudo rule to grant a remote nagios host access via snmp to
the command line of a RAID controller.
snmp ALL=NOPASSWD:/opt/areca/cli64*
I don't know if it's needed, but here's the related snmpd.conf line:
extend check_areca /opt/areca/check_areca.pl
and the sudo line in check_areca.pl:
[...]
my $areca_cli = '/opt/areca/cli64';
[...]
@output = `sudo $areca_cli vsf info`;
[...]
This worked fine with sudo version 1.6.8p12-4. After a system update yesterday,
this stopped working and nagios reports an error.
Starting the nagios check from the remote host manually shows this:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for snmp:
Command: cli64 vsf info failed, 256, aborting!
and the according line in auth.log
Apr 21 08:48:47 VUMEM004 sudo: pam_unix(sudo:auth): authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost= user=snmp
Removing the wildcard or downgrading to 1.6.8p12-4 resolves the problem.
One thing I don't yet understand: if I execute the same sudo command locally in
a shell as user snmp on the host (not via snmp) I don't get the sudo error.
$ whoami
snmp
$ sudo /opt/areca/cli64 vsf info
# Name Raid# Level Capacity Ch/Id/Lun State
===============================================================================
1 ARC-1210-VOL#00 1 Raid6 4000.0GB 00/00/00 Normal
===============================================================================
GuiErrMsg<0x00>: Success.
I don't see the difference, in both cases the script is executed as user snmp.
Nethertheless, downgrading or removing the wildcard solves the problem, so I
guess it has something to do with the update.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (900, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages sudo depends on:
ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules f
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
sudo recommends no packages.
sudo suggests no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
