NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

Feature Request: Filesystem checks need to allow 'root' privilege to check some filesystems #958

Open MrPippin66 opened 1 year ago

MrPippin66 commented 1 year ago

There are filesystem vendor requirements that disallow getting the status of a filesystem from either a non-privileged user or one that a member of the permissions needed to access the directory tree within which a filesystem is mounted.

We've addressed this by using the legacy "check_disk" NRPE command via "sudo" in the plugins.

But a longer term solution needs to exist to address this.

I see three solutions, two of which are bad or difficult to manage/implement. These are all specific to Unix platforms.

  1. Run the "ncpa" listener/passive services with 'root' authority. This would be very bad.

  2. Run the "ncpa" listener/passive services with 'root' authority where it changes privilege to the "ncpa" user during normal runtime, but reverts to 'root' (even if via a config option) to run the disk check with 'root' authority. Still bad.

  3. Provide an external plugin version of the check disk code within the agent, which can in turn be set to run with "sudo" authority. This way the options for the standard check still apply, but can be run with 'root' authority if the implementer requires it, but doesn't require the security issues of allowing the services to inherently have 'root' privilege granted. This would be supplied in the standard distribution within the existing plugins directory.
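
An added sketch of what option 3 could look like, not part of the original thread and not NCPA or check_disk code: a stand-alone disk check in Nagios plugin style (exit codes 0-3, one status line with perfdata) that is narrow enough to be the single command granted through sudo. The script, its option names and its used-percentage thresholds are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical external disk check in Nagios plugin style (not NCPA code)."""
import argparse
import os
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def classify(used_pct, warn, crit):
    """Map a used-space percentage to a Nagios exit code."""
    if used_pct >= crit:
        return CRITICAL
    return WARNING if used_pct >= warn else OK


def check_mount(path, warn, crit):
    """Return (exit_code, status_line) for the filesystem mounted at path."""
    # The script is meant to run as root via sudo, so it takes only a
    # normalised absolute mount point and never passes input to a shell.
    if not os.path.isabs(path) or os.path.normpath(path) != path:
        return UNKNOWN, "DISK UNKNOWN - path must be absolute and normalised"
    if not 0 <= warn <= crit <= 100:
        return UNKNOWN, "DISK UNKNOWN - need 0 <= warn <= crit <= 100"
    if not os.path.ismount(path):  # also False for symlinks and missing paths
        return UNKNOWN, f"DISK UNKNOWN - {path} is not a mount point"
    try:
        st = os.statvfs(path)
    except OSError as exc:
        return UNKNOWN, f"DISK UNKNOWN - {path}: {exc.strerror}"
    used = st.f_blocks - st.f_bfree
    total = used + st.f_bavail  # same basis df uses for Use%
    if total <= 0:
        return UNKNOWN, f"DISK UNKNOWN - {path} reports no capacity"
    pct = 100.0 * used / total
    code = classify(pct, warn, crit)
    free_mib = st.f_bavail * st.f_frsize // (1024 * 1024)
    return code, (f"DISK {LABELS[code]} - {path} {pct:.1f}% used, {free_mib} MiB free"
                  f" | used_pct={pct:.1f}%;{warn};{crit};0;100")


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Used-space check for one mount point")
    ap.add_argument("-p", "--path", required=True)
    ap.add_argument("-w", "--warning", type=float, default=80.0)
    ap.add_argument("-c", "--critical", type=float, default=90.0)
    args = ap.parse_args()
    code, line = check_mount(args.path, args.warning, args.critical)
    print(line)
    sys.exit(code)
```

For the sudo grant to stay narrow, the sudoers entry should name only this script by absolute path, and the file should be owned by root and not writable by the "ncpa" user.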

ccztux commented 1 year ago

It is already possible to execute plugins via sudo. For your use case you can execute the Nagios Core Plugin check_disk via sudo.

MrPippin66 commented 1 year ago

I'm aware of the "sudo" support for plugins. And we're already using "check_disk".

The point of this request regards the built-in disk checks in NCPA, which don't currently provide the same functionality as "check_disk" (and which there's already a different feature request to address that).

The desire is for the built-in functions in NCPA to deprecate the need for using "check_disk", but of which that the issue I stated in this request would need to be addressed as well.

I don't view "use check_disk" as a desirable end solution.

And the current plugin you refer to is part of the original NRPE code path. Though "nrpe" is officially deprecated, and the plugins haven't officially been deprecated, I view them as non-viable as a long term solution.

AKA, the storage checks within "NCPA" need to provide all the functions "check_disk" was able to provide.

In the case of this feature request, it's to address the inability of the current storage checks to perform checks against storage on Unix systems that currently require privileged access to determine the storage use metrics.

ericloyd commented 1 year ago

There may be some confusion here. NCPA can run any (properly placed) code as a plugin. Nagios Core has a plugin called check_disk that can be put in the plugins directory for NCPA and run via sudo. This is not an "NRPE plugin" nor is it deprecated. It's the fully supported plugin from the Nagios Core plugins. Same code runs in Nagios XI as part of the embedded Nagios Core.

While I agree that the NCPA code should be able to do everything that this plugin can do, you can run it this way in a fully supported manner, since the check_disk plugin is fully supported, and running plugins in NCPA via sudo is also fully supported.

MrPippin66 commented 1 year ago

I did state the plugins aren't officially deprecated. Only that the long term desire is for the functions that currently perform the like function in "NCPA" should fully provide the same functions in the plugins commands.

And there are some commands in the plugins tree that will never be part of "ncpa", for that matter.