empty result with scripts

[Carlimeunier]

Hello, I have these issue with scripts. It runs on remote poller 2017-02-08 14:00:02 - SPINE: Poller[4] Device[1] Description[Main Poller] ERROR: Empty result [10.10.102.201]: '/usr/bin/perl /data/www/cacti/scripts/ping.pl '10.10.102.201''

And here it is the file permission : rwxrwxrwx 1 www cacti 1034 Feb 2 18:20 ping.pl

ENV :

• Freebsd
• Cacti 1.0.1
• Spine 1.0.0
• PHP 7.0.12

Thanks

[cigamit]

Please provide ./configure output, and run spine this way for one pass..

./spine -R -V 5 -f 1 -l 1 -S

[cigamit]

Also, run the command by hand. Likely FreeBSD has a minor difference in ping output:

/usr/bin/perl /data/www/cacti/scripts/ping.pl '10.10.102.201'

[Carlimeunier]

when i run the script by hand, there is no error : /usr/bin/perl /data/www/cacti/scripts/ping.pl '10.1.92.201' 0.072

[cigamit]

Yea, that looks correct. Odd. That debug output will be important.

[Carlimeunier]

When i make ./configure then , i have this output ( it seems to work ) : ./spine -R -V 5 -f 1 -l 1 -S -p 4 -C /usr/local/spine/etc/spine.conf

Device[1] DEBUG: The NIFTY POPEN returned the following File Descriptor 7 Device[1] TH[1] DS[18379] SCRIPT: perl /data/www/cacti/scripts/loadavg_multi.pl, output: 1min:0.18 5min:0.18 10min:0.11 Device[1] DEBUG: The NIFTY POPEN returned the following File Descriptor 7 Device[1] TH[1] DS[18380] SCRIPT: perl /data/www/cacti/scripts/unix_users.pl '', output: 1 Device[1] DEBUG: The NIFTY POPEN returned the following File Descriptor 7 Device[1] TH[1] DS[18382] SCRIPT: /usr/bin/perl /data/www/cacti/scripts/ping.pl '10.1.92.201', output: 0.120

But with the install spine bin : /usr/local/spine/bin/spine -R -V 5 -f 1 -l 1 -S -p 4 -C /usr/local/spine/etc/spine.conf

i have this : Device[1] DEBUG: The NIFTY POPEN returned the following File Descriptor 7 Insecure dependency in piped open while running setgid at /data/www/cacti/scripts/ping.pl line 21. Device[1] ERROR: Empty result [10.1.92.201]: '/usr/bin/perl /data/www/cacti/scripts/ping.pl '10.1.92.201 Device[1] TH[1] DS[18382] SCRIPT: /usr/bin/perl /data/www/cacti/scripts/ping.pl '10.1.92.201', output: U

the ./configure output :

Here is the output of ./configure : checking build system type... amd64-unknown-freebsd10.3 checking host system type... amd64-unknown-freebsd10.3 checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... config/install-sh -c -d checking for gawk... no checking for mawk... no checking for nawk... nawk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking for gawk... (cached) nawk checking for gcc... no checking for cc... cc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether cc accepts -g... yes checking for cc option to accept ISO C89... none needed checking whether cc understands -c and -o together... yes checking for style of include used by make... GNU checking dependency style of cc... gcc3 checking how to run the C preprocessor... cc -E checking whether ln -s works... yes checking how to print strings... printf checking for a sed that does not truncate output... /usr/bin/sed checking for grep that handles long lines and -e... /usr/bin/grep checking for egrep... /usr/bin/grep -E checking for fgrep... /usr/bin/grep -F checking for ld used by cc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B checking the name lister (/usr/bin/nm -B) interface... BSD nm checking the maximum length of command line arguments... 196608 checking how to convert amd64-unknown-freebsd10.3 file names to amd64-unknown-freebsd10.3 format... func_convert_file_noop checking how to convert amd64-unknown-freebsd10.3 file names to toolchain format... func_convert_file_noop checking for /usr/bin/ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for dlltool... no checking how to associate runtime and link libraries... printf %s\n checking for ar... ar checking for archiver @FILE support... no checking for strip... strip checking for ranlib... ranlib checking command to parse /usr/bin/nm -B output from cc object... ok checking for sysroot... no checking for a working dd... /bin/dd checking how to truncate binary pipes... /bin/dd bs=4096 count=1 checking for mt... mt checking if mt is a manifest tool... no checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for dlfcn.h... yes checking for objdir... .libs checking if cc supports -fno-rtti -fno-exceptions... yes checking for cc option to produce PIC... -fPIC -DPIC checking if cc PIC flag -fPIC -DPIC works... yes checking if cc static flag -static works... yes checking if cc supports -c -o file.o... yes checking if cc supports -c -o file.o... (cached) yes checking whether the cc linker (/usr/bin/ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... freebsd10.3 ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes checking whether to enable -Wall... no checking for help2man... /usr/local/bin/help2man checking for help2man... /usr/local/bin/help2man checking for threadsafe gethostbyname()... no checking for gethostbyname_r in -lnls... no checking for socket in -lsocket... no checking for floor in -lm... yes checking for pthread_exit in -lpthread... yes checking for deflate in -lz... yes checking for kstat_close in -lkstat... no checking for CRYPTO_realloc in -lcrypto... yes checking for ANSI C header files... (cached) yes checking sys/socket.h usability... yes checking sys/socket.h presence... yes checking for sys/socket.h... yes checking sys/select.h usability... yes checking sys/select.h presence... yes checking for sys/select.h... yes checking sys/wait.h usability... yes checking sys/wait.h presence... yes checking for sys/wait.h... yes checking sys/time.h usability... yes checking sys/time.h presence... yes checking for sys/time.h... yes checking assert.h usability... yes checking assert.h presence... yes checking for assert.h... yes checking ctype.h usability... yes checking ctype.h presence... yes checking for ctype.h... yes checking errno.h usability... yes checking errno.h presence... yes checking for errno.h... yes checking signal.h usability... yes checking signal.h presence... yes checking for signal.h... yes checking math.h usability... yes checking math.h presence... yes checking for math.h... yes checking malloc.h usability... no checking malloc.h presence... no checking for malloc.h... no checking netdb.h usability... yes checking netdb.h presence... yes checking for netdb.h... yes checking for signal.h... (cached) yes checking stdarg.h usability... yes checking stdarg.h presence... yes checking for stdarg.h... yes checking stdio.h usability... yes checking stdio.h presence... yes checking for stdio.h... yes checking syslog.h usability... yes checking syslog.h presence... yes checking for syslog.h... yes checking for netinet/in_systm.h... yes checking for netinet/in.h... yes checking for netinet/ip.h... yes checking for netinet/ip_icmp.h... yes checking for unsigned long long... yes checking for long long... yes checking for an ANSI C-conforming const... yes checking for size_t... yes checking whether time.h and sys/time.h may both be included... yes checking whether struct tm is in sys/time.h or time.h... time.h checking return type of signal handlers... void checking for malloc... yes checking for calloc... yes checking for gettimeofday... yes checking for strerror... yes checking for strtoll... yes checking priv.h usability... no checking priv.h presence... no checking for priv.h... no checking whether we are using Solaris privileges... no checking sys/capability.h usability... yes checking sys/capability.h presence... yes checking for sys/capability.h... yes checking whether we are using Linux Capabilities... no checking if Net-SNMP needs crypto support... no checking for snmp_timeout in -lnetsnmp... no checking for the spine results buffer size... 1024 bytes checking for the maximum simultaneous spine scripts... 20 checking for the maximum MySQL buffer size... 65536 checking whether we are using traditional popen... no checking whether to verify net-snmp library vs header versions... no checking for glibc gethostbyname_r... yes checking for Solaris/Irix gethostbyname_r... no checking for HP-UX gethostbyname_r... no checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating Makefile config.status: creating config/config.h config.status: executing depfiles commands config.status: executing libtool commands`

[pautiina]

@Carlimeunier show please you crontab file. I have this problem when i run poller.php proccess from not root you user not have permission for run /bin/ping or /sbin/ping

[Carlimeunier]

@pautiina I have this in /etc/crontab : /5 * cacti /usr/local/bin/php /data/www/cacti/poller.php > /dev/null 2> /var/log/poller_error.log

[pautiina]

@Carlimeunier you must run from root orchmod +x /bin/ping

[Carlimeunier]

I already have this : # ls -al /sbin/ping -r-sr-xr-x 1 root wheel 28080 Jan 16 12:11 /sbin/ping

[pautiina]

you can do this chmod -s /sbin/ping BUT I NOT RECOMMEND DO IT, maybe you need add your cacti user to wheel group or change on crontab filie user from cacti to root.

[Carlimeunier]

It works when i modify crontab user by root.Thanks

To summarize, this behavior is only on freebsd ?

[pautiina]

I dont now, maybe on Linux use sudo. I dont like linux I love FreeBSD:)

[cigamit]

Okay, this is a non-issue. You just need to set the ping binary uid at the group level, and make the poller user a member of that group. Running the poller as root is NOT a good idea.

chmod g+s ping

[Carlimeunier]

I did what you said : set suid to ping and add cacti user to root group but i stull have the same issue. # ls -al /sbin/ping -r-sr-sr-x 1 root wheel 28080 Jan 16 12:11 /sbin/ping # id cacti uid=10013(cacti) gid=107(cacti) groups=107(cacti),0(wheel)

[cigamit]

Resolved, please test again.

[Carlimeunier]

Thanks! it works