NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

NCPA v3 giving insufficient permissions when running a plugin even though group access has read permissions #1064

Closed ssaxnagios closed 3 months ago

ssaxnagios commented 7 months ago

NCPA v3 check_logfiles giving insufficient permissions when running the plugin even though group access has read permissions

NCPA v2.4.1 works but NCPA v3 doesn't.

Tested on RHEL 7, 8, and 9.

It seems like it's not honoring the group permissions when the plugin is run; it's almost like it's run as a different user.

Meloknight89 commented 7 months ago

I can confirm the same on RHEL 8 while using the check_docker.py script.

tannermsmith1 commented 7 months ago

I had to move uid and gid to the [general] section of the ncpa.cfg file to allow passive checks to function again. This was likely changed since ncpa_passive and ncpa_listener became one systemd unit of ncpa in v3. Might want to review your cfg file. The new config reference shows that change: https://www.nagios.org/ncpa/help.php#undefined

graham-collinson commented 7 months ago

It looks as though only the group configured in the ncpa.cfg is available for any plugins that are running. In v2 the plugins could see all groups configured on the OS for the user ncpa is running as.

graham-collinson commented 7 months ago

ncpadaemon.py in v2.4.1 used to set supplemental groups:

            os.setgid(self.gid)
            os.setgroups(gids)
            os.setuid(self.uid)

v3 only uses setgid and setuid.

    def set_uid_gid(self):
        """Drop root privileges"""
        self.logger.debug("Daemon - set_uid_gid()")
        if self.gid:
            try:
                os.setgid(self.gid)
            except OSError as e:
                self.logger.exception(e)
        if self.uid:
            try:
                os.setuid(self.uid)
            except OSError as e:
                self.logger.exception(e)

v2 branch had a fix for this in v2.1.2 / commit 27fae2f
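
An added example, not part of the thread and not NCPA's own code: a privilege drop that restores the account's supplementary groups before `setuid()` and verifies the result, which is the step the comment above reports as missing in v3. The account name, GIDs, sample group database and helper names are constructed for illustration, and failing closed on an incomplete drop is this example's choice.

```python
import grp
import os
from collections import namedtuple

# Constructed sample group database (names and GIDs are made up for illustration).
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE_GROUPS = [
    Group("nagios", 1001, []),
    Group("applogs", 2001, ["nagios"]),
    Group("docker", 2002, ["nagios", "deploy"]),
    Group("wheel", 10, ["deploy"]),
]


def account_gids(username, primary_gid, group_db=None):
    """Primary GID plus every group that lists username as a member."""
    entries = grp.getgrall() if group_db is None else group_db
    gids = {primary_gid}
    gids.update(g.gr_gid for g in entries if username in g.gr_mem)
    return sorted(gids)


def missing_groups(expected, actual):
    """GIDs the account should hold but the running process does not."""
    return sorted(set(expected) - set(actual))


def drop_privileges(username, uid, gid, group_db=None, _os=os):
    """Drop root to uid/gid while keeping the account's supplementary groups.

    setgroups() and setgid() need root, so setuid() must come last.
    os.initgroups(username, gid) is the stdlib shortcut for the first step.
    """
    gids = account_gids(username, gid, group_db)
    _os.setgroups(gids)
    _os.setgid(gid)
    _os.setuid(uid)
    # Verify rather than log and continue: a partial drop should stop startup.
    lost = missing_groups(gids, list(_os.getgroups()) + [_os.getgid()])
    if _os.getuid() != uid or _os.getgid() != gid or lost:
        raise RuntimeError(f"privilege drop incomplete, missing gids: {lost}")
    return gids


if __name__ == "__main__":
    want = account_gids("nagios", 1001, SAMPLE_GROUPS)
    # A process that only called setgid()/setuid() lacks the supplementary groups.
    print("expected:", want, "missing:", missing_groups(want, [1001]))
```

The `_os` parameter exists only so the call order can be exercised without root; in a daemon it stays at its default.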

ne-bbahn commented 3 months ago

This is solved. There is another permission issue relating to Debian systems, but as seen above, I have made an issue for that.