1318773 – nrpe.service sets User/Group, prevents normal .cfg user/group setting

Bug 1318773 - nrpe.service sets User/Group, prevents normal .cfg user/group setting

Summary: nrpe.service sets User/Group, prevents normal .cfg user/group setting

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	nrpe
Sub Component:
Version:	26
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Stephen John Smoogen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-17 18:43 UTC by Dan Mick
Modified:	2017-11-16 16:52 UTC (History)
CC List:	10 users (show)
Fixed In Version:	nrpe-3.1.1-1.fc24 nrpe-3.1.1-1.fc25 nrpe-3.1.1-1.el6 nrpe-3.1.1-1.el7 nrpe-3.1.1-1.fc26 nrpe-3.1.1-6.fc24 nrpe-3.1.1-6.fc25 nrpe-3.2.0-3.fc26 nrpe-3.2.0-6.el7 nrpe-3.2.0-6.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-09 15:54:01 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dan Mick 2016-03-17 18:43:13 UTC

Description of problem:

nrpe.service, added in the Fedora package (and in EPEL), sets User 
and Group to nrpe.  nrpe already has code to drop privilege to the 
configured user in nrpe.cfg (nrpe_user and nrpe_group), and they must
not be unset or set to root or the daemon refuses to run.  However,
setuid fails if the current user is not root.

nrpe.service should not set User or Group.


Version-Release number of selected component (if applicable):

2.15-7

How reproducible:

100%


Steps to Reproduce:
1. try to set nrpe_user in nrpe.cfg
2. note that it's running as nrpe, and log message that setuid failed
3. remove User and Group from service file, update systemd's cache
4. notice that nrpe.cfg settings now take effect

Actual results:


Expected results:


Additional info:

Comment 1 Ken Dreyer (Red Hat) 2016-08-01 14:44:27 UTC

Discussed upstream @ https://github.com/NagiosEnterprises/nrpe/issues/28

All, here is a branch to pull into the Rawhide packaging: https://github.com/ktdreyer/nrpe/tree/systemd-user

You can pull it like so:

  git pull https://github.com/ktdreyer/nrpe systemd-user

Comment 2 Fedora Admin XMLRPC Client 2017-01-17 19:36:38 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Fedora End Of Life 2017-02-28 09:56:04 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 4 Fedora Update System 2017-03-03 23:30:12 UTC

nrpe-3.0.1-4.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c4f49632d3

Comment 5 Fedora Update System 2017-03-04 00:08:16 UTC

nrpe-3.0.1-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a89da38bf3

Comment 6 Fedora Update System 2017-03-05 04:20:34 UTC

nrpe-3.0.1-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c4f49632d3

Comment 7 Fedora Update System 2017-03-05 04:23:23 UTC

nrpe-3.0.1-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a89da38bf3

Comment 8 Fedora Update System 2017-03-23 21:50:25 UTC

nrpe-3.0.1-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8f92515d27

Comment 9 Fedora Update System 2017-03-23 22:08:33 UTC

nrpe-3.0.1-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d12527a635

Comment 10 Fedora Update System 2017-03-24 19:53:06 UTC

nrpe-3.0.1-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8f92515d27

Comment 11 Fedora Update System 2017-03-24 20:24:30 UTC

nrpe-3.0.1-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d12527a635

Comment 12 Christian Kujau 2017-05-11 06:09:38 UTC

So, this still doesn't work with nrpe-3.0.1-6.fc25.x86_64. However, /etc/nagios/nrpe.cfg explains for both nrpe_user and nrpe_group:

  NOTE: This option is ignored if NRPE is running under either inetd or xinetd

While I too would like to set uid/gid via nrpe.cfg, the easy way out would be just to include "systemd" in this NOTE so that people are aware that this option is currently ignored with systemd systems.

Comment 13 Stephen John Smoogen 2017-05-11 19:09:37 UTC

I will open this upstream as this is more of a "please be clearer that it isn't supported under most systems"

Comment 14 Stephen John Smoogen 2017-05-11 19:22:38 UTC

Sees that this is part of a closed bug upstream. https://github.com/NagiosEnterprises/nrpe/issues/28 Kind of a loop here and will see what I can do to break out of it.

Comment 15 Christian Kujau 2017-05-12 04:42:50 UTC

I was just about to add a comment to #28 about how closing this issue makes it impossible to have a user-configurable NRPE setup on systemd installations, because edits to /usr/lib/systemd/system/nrpe.service would get overwritten of course. But @rubenk mentions "systemctl edit nrpe.service" and with that an override file is placed in /etc/systemd/system/nrpe.service.d/ - and that should be left alone during package updates.

So, while user/group settings in nrpe.cfg are still ignored (and the NOTE in this file should still be extended to mention "systemd", either by RH or by upstream), it is possible to have NRPE running under a different user/group on systemd systems and this bug could be closed, IMHO.

Comment 16 Christian Kujau 2017-05-12 04:49:24 UTC

FWIW, /etc/sysconfig/nrpe is ignored as well and could be removed. I don't see this file being shipped upstream.

Comment 17 Fedora Update System 2017-05-14 15:51:06 UTC

nrpe-3.1.0-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-665b1abde6

Comment 18 Fedora Update System 2017-05-15 06:35:28 UTC

nrpe-3.1.0-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-665b1abde6

Comment 19 Christian Kujau 2017-05-15 20:23:51 UTC

nrpe-3.1.0-3.fc25 doesn't ignore /etc/sysconfig/nrpe anymore, because nrpe.service has been adjusted:

 EnvironmentFile=/etc/sysconfig/nrpe
 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d $NRPE_SSL_OPT

The nrpe_user/nrpe_group stanzas in nrpe.cfg are still ignored, of course and a NOTE about systemd could be warranted. But that's a cosmetic issue, IMHO and "systemctl edit nrpe.service" can still be used to set the user/group:


# ps auxf | grep nrp[e]
nrpe     20135  0.0  0.1  44812  3076 ?  Ss   13:08   0:00 /usr/sbin/nrpe [...]

# systemctl edit nrpe.service
# cat /etc/systemd/system/nrpe.service.d/override.conf 
[Service]
User=nobody
Group=nobody

# systemctl restart nrpe
# ps auxf | grep nrp[e]
nobody   20591  0.0  0.1  46896  3296 ?  Ss   13:22   0:00 /usr/sbin/nrpe [...]

Comment 20 Fedora Update System 2017-06-14 23:42:45 UTC

nrpe-3.1.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

Comment 21 Fedora Update System 2017-06-15 00:03:01 UTC

nrpe-3.1.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

Comment 22 Fedora Update System 2017-06-15 00:37:01 UTC

nrpe-3.1.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

Comment 23 Fedora Update System 2017-06-15 00:47:15 UTC

nrpe-3.1.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

Comment 24 Fedora Update System 2017-06-15 01:02:31 UTC

nrpe-3.1.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

Comment 25 Fedora Update System 2017-06-15 09:48:18 UTC

nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

Comment 26 Fedora Update System 2017-06-15 09:48:24 UTC

nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

Comment 27 Fedora Update System 2017-06-15 10:57:37 UTC

nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

Comment 28 Fedora Update System 2017-06-15 10:59:34 UTC

nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

Comment 29 Fedora Update System 2017-06-15 14:01:38 UTC

nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

Comment 30 Fedora Update System 2017-07-04 00:19:41 UTC

nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2017-07-04 01:51:01 UTC

nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2017-07-04 04:17:32 UTC

nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2017-07-04 04:19:45 UTC

nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2017-07-07 22:55:31 UTC

nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 35 Christian Kujau 2017-07-10 19:29:27 UTC

So, for some reason the service file of nrpe-3.1.1-1.fc25.x86_64 has regressed to no longer contain the EnvironmentFile directive, thus not allowing to configure the nrpe service w/o editing the service file. Wasn't the whole systemd transition meant to make things easier? Also, CLOSED WONTFIX would have been more appropriate, IMHO.

The workaround from comment 19 still works, of course.

Comment 36 Stephen John Smoogen 2017-07-10 19:48:16 UTC

My general take on systemd (or any technology change) these days is:

You can make things easier for some people all of the time,
You can make things easier for all of the people some of the time,
But you can't make things easier for all of the people all of the time.

I am reopening the bug because the patch I thought I put in place which explains comment 19 got lost.

Comment 37 Fedora Update System 2017-07-11 18:13:10 UTC

nrpe-3.1.1-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fa2fd169f9

Comment 38 Fedora Update System 2017-07-12 08:39:06 UTC

nrpe-3.1.1-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fa2fd169f9

Comment 39 Fedora Update System 2017-07-12 15:52:51 UTC

nrpe-3.1.1-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9d9d9c0909

Comment 40 Fedora Update System 2017-07-12 16:24:37 UTC

nrpe-3.1.1-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ec253d8f54

Comment 41 Fedora Update System 2017-07-13 01:45:57 UTC

nrpe-3.1.1-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-18adf0fe26

Comment 42 Fedora Update System 2017-07-13 01:50:08 UTC

nrpe-3.1.1-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1f50be4847

Comment 43 Christian Kujau 2017-07-14 01:39:06 UTC

Thanks, with these comments in nrpe.cfg I think it is now clear to everybody on how to change these settings under systemd. This should have been fixed upstream of course, but I guess my comment there has not been noticed: https://github.com/NagiosEnterprises/nrpe/issues/28#issuecomment-300982599 - maybe I should open a follow-up bug for this.

Anyway, thanks for maintaining NRPE in Fedora! :)

Comment 44 Fedora Update System 2017-07-14 21:35:19 UTC

nrpe-3.2.0-1git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-487a01f0be

Comment 45 Fedora Update System 2017-07-14 22:26:41 UTC

nrpe-3.2.0-2git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b30a5177e7

Comment 46 Fedora Update System 2017-07-16 21:22:05 UTC

nrpe-3.2.0-2git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b30a5177e7

Comment 47 Fedora Update System 2017-07-19 19:39:27 UTC

nrpe-3.2.0-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-47d1a274d4

Comment 48 Fedora Update System 2017-07-21 01:22:12 UTC

nrpe-3.2.0-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-47d1a274d4

Comment 49 Fedora Update System 2017-07-23 21:50:36 UTC

nrpe-3.1.1-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 50 Fedora Update System 2017-07-23 22:54:07 UTC

nrpe-3.1.1-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 51 Fedora Update System 2017-08-04 20:18:31 UTC

nrpe-3.2.0-6.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c

Comment 52 Fedora Update System 2017-08-07 02:49:07 UTC

nrpe-3.2.0-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bb989d629b

Comment 53 Fedora Update System 2017-08-07 07:49:20 UTC

nrpe-3.2.0-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c

Comment 54 Fedora Update System 2017-08-09 15:54:01 UTC

nrpe-3.2.0-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 55 Fedora Update System 2017-11-16 15:47:38 UTC

nrpe-3.2.0-6.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 56 Fedora Update System 2017-11-16 16:52:48 UTC

nrpe-3.2.0-6.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.