Description of problem:
nrpe.service, added in the Fedora package (and in EPEL), sets User and Group to nrpe. nrpe already has code to drop privilege to the configured user in nrpe.cfg (nrpe_user and nrpe_group), and they must not be unset or set to root or the daemon refuses to run. However, setuid fails if the current user is not root. nrpe.service should not set User or Group.

Version-Release number of selected component (if applicable): 2.15-7

How reproducible: 100%

Steps to Reproduce:
1. try to set nrpe_user in nrpe.cfg
2. note that it's running as nrpe, and log message that setuid failed
3. remove User and Group from service file, update systemd's cache
4. notice that nrpe.cfg settings now take effect

Actual results:
Expected results:
Additional info:

Discussed upstream @ https://github.com/NagiosEnterprises/nrpe/issues/28
All, here is a branch to pull into the Rawhide packaging: https://github.com/ktdreyer/nrpe/tree/systemd-user
You can pull it like so:
    git pull https://github.com/ktdreyer/nrpe systemd-user

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
nrpe-3.0.1-4.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c4f49632d3
nrpe-3.0.1-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a89da38bf3
nrpe-3.0.1-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c4f49632d3
nrpe-3.0.1-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a89da38bf3
nrpe-3.0.1-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8f92515d27
nrpe-3.0.1-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d12527a635
nrpe-3.0.1-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8f92515d27
nrpe-3.0.1-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d12527a635
So, this still doesn't work with nrpe-3.0.1-6.fc25.x86_64. However, /etc/nagios/nrpe.cfg explains for both nrpe_user and nrpe_group:
    NOTE: This option is ignored if NRPE is running under either inetd or xinetd
While I too would like to set uid/gid via nrpe.cfg, the easy way out would be just to include "systemd" in this NOTE so that people are aware that this option is currently ignored with systemd systems.

I will open this upstream as this is more of a "please be clearer that it isn't supported under most systems"
Sees that this is part of a closed bug upstream. https://github.com/NagiosEnterprises/nrpe/issues/28 Kind of a loop here and will see what I can do to break out of it.
I was just about to add a comment to #28 about how closing this issue makes it impossible to have a user-configurable NRPE setup on systemd installations, because edits to /usr/lib/systemd/system/nrpe.service would get overwritten of course. But @rubenk mentions "systemctl edit nrpe.service" and with that an override file is placed in /etc/systemd/system/nrpe.service.d/ - and that should be left alone during package updates. So, while user/group settings in nrpe.cfg are still ignored (and the NOTE in this file should still be extended to mention "systemd", either by RH or by upstream), it is possible to have NRPE running under a different user/group on systemd systems and this bug could be closed, IMHO.
FWIW, /etc/sysconfig/nrpe is ignored as well and could be removed. I don't see this file being shipped upstream.
nrpe-3.1.0-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-665b1abde6
nrpe-3.1.0-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-665b1abde6
nrpe-3.1.0-3.fc25 doesn't ignore /etc/sysconfig/nrpe anymore, because nrpe.service has been adjusted:
    EnvironmentFile=/etc/sysconfig/nrpe
    ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d $NRPE_SSL_OPT
The nrpe_user/nrpe_group stanzas in nrpe.cfg are still ignored, of course and a NOTE about systemd could be warranted. But that's a cosmetic issue, IMHO and "systemctl edit nrpe.service" can still be used to set the user/group:
    # ps auxf | grep nrp[e]
    nrpe 20135 0.0 0.1 44812 3076 ? Ss 13:08 0:00 /usr/sbin/nrpe [...]
    # systemctl edit nrpe.service
    # cat /etc/systemd/system/nrpe.service.d/override.conf
    [Service]
    User=nobody
    Group=nobody
    # systemctl restart nrpe
    # ps auxf | grep nrp[e]
    nobody 20591 0.0 0.1 46896 3296 ? Ss 13:22 0:00 /usr/sbin/nrpe [...]

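The precedence described in the comments above, as an added example that is not part of the original thread or of the nrpe package: the script reads nrpe_user from nrpe.cfg and User= from the unit file plus its drop-ins, and reports which of them decides the account nrpe runs as. The function names and the sample files are constructed for illustration, and only one unit file and one drop-in directory are read.

```shell
#!/bin/sh
# Added example: which account will nrpe really run as?
# Simplification: reads one unit file and one drop-in directory only.

cfg_value() {  # cfg_value FILE KEY -> last uncommented KEY=value
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Last KEY= inside [Service]; the unit file is read first, then drop-ins in
# lexical order, so a later file overrides an earlier one.
unit_value() {  # unit_value KEY UNIT_FILE [DROPIN_DIR]
    key=$1 unit=$2 dir=${3:-}
    set -- "$unit"
    for f in "$dir"/*.conf; do
        if [ -n "$dir" ] && [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    awk -v key="$key" '
        FNR == 1 { in_service = 0 }
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_service {
            line = $0; sub(/^[ \t]+/, "", line)
            if (match(line, "^" key "[ \t]*=[ \t]*")) val = substr(line, RLENGTH + 1)
        }
        END { print val }
    ' "$@"
}

# nrpe can only switch accounts itself when it starts as root, so a non-root
# User= in the unit makes nrpe_user in nrpe.cfg moot.
effective_user() {  # effective_user NRPE_CFG UNIT_FILE [DROPIN_DIR]
    cfg_user=$(cfg_value "$1" nrpe_user)
    unit_user=$(unit_value User "$2" "${3:-}")
    case $unit_user in
        ''|root|0) echo "${cfg_user:-unset} (from nrpe.cfg)" ;;
        *) echo "$unit_user (from systemd; nrpe_user=${cfg_user:-unset} ignored)" ;;
    esac
}

# Constructed sample files mirroring the thread: packaged unit, admin override.
demo() {
    d=$(mktemp -d) && mkdir "$d/nrpe.service.d"
    printf 'nrpe_user=monitor\nnrpe_group=monitor\n' > "$d/nrpe.cfg"
    printf '[Service]\nUser=nrpe\nGroup=nrpe\n' > "$d/nrpe.service"
    printf '[Service]\nUser=nobody\nGroup=nobody\n' > "$d/nrpe.service.d/override.conf"
    effective_user "$d/nrpe.cfg" "$d/nrpe.service" "$d/nrpe.service.d"
    rm -rf "$d"
}
demo
```

On a live host, `systemctl show -p User nrpe.service` prints the merged value that systemd itself computed.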
nrpe-3.1.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69
nrpe-3.1.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1
nrpe-3.1.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8
nrpe-3.1.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9
nrpe-3.1.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab
nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9
nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab
nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8
nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1
nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69
nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
So, for some reason the service file of nrpe-3.1.1-1.fc25.x86_64 has regressed to no longer contain the EnvironmentFile directive, thus not allowing the nrpe service to be configured w/o editing the service file. Wasn't the whole systemd transition meant to make things easier? Also, CLOSED WONTFIX would have been more appropriate, IMHO. The workaround from comment 19 still works, of course.
My general take on systemd (or any technology change) these days is: You can make things easier for some people all of the time, You can make things easier for all of the people some of the time, But you can't make things easier for all of the people all of the time. I am reopening the bug because the patch I thought I put in place which explains comment 19 got lost.
nrpe-3.1.1-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fa2fd169f9
nrpe-3.1.1-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fa2fd169f9
nrpe-3.1.1-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9d9d9c0909
nrpe-3.1.1-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ec253d8f54
nrpe-3.1.1-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-18adf0fe26
nrpe-3.1.1-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1f50be4847
Thanks, with these comments in nrpe.cfg I think it is now clear to everybody on how to change these settings under systemd. This should have been fixed upstream of course, but I guess my comment there has not been noticed: https://github.com/NagiosEnterprises/nrpe/issues/28#issuecomment-300982599 - maybe I should open a follow-up bug for this. Anyway, thanks for maintaining NRPE in Fedora! :)
nrpe-3.2.0-1git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-487a01f0be
nrpe-3.2.0-2git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b30a5177e7
nrpe-3.2.0-2git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b30a5177e7
nrpe-3.2.0-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-47d1a274d4
nrpe-3.2.0-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-47d1a274d4
nrpe-3.1.1-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.1.1-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.2.0-6.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c
nrpe-3.2.0-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bb989d629b
nrpe-3.2.0-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c
nrpe-3.2.0-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.2.0-6.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-3.2.0-6.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.