WARNING: my_system() seteuid(0): Operation not permitted

[ebasse-prog]

NRPE Client 4.0.3 work's (we receive a return code) but in log is WARNING: my_system() seteuid(0): Operation not permitted

What operation is not authorized?

Info:
CentOS Linux release 7.8.2003 (Core)

Log:
nrpe[73362]: Host x.x.x.x is asking for command 'check_mem' to be run...
nrpe[73362]: Running command: /usr/local/nagios/libexec/check_mem.pl -f -C -w 20 -c 10
nrpe[73363]: WARNING: my_system() seteuid(0): Operation not permitted
nrpe[73362]: Command completed with return code 0 and output: OK - 90.6% (18436420 kB) free.|TOTAL=20357920KB;;;; USED=1921500KB;16286336;18322128;; FREE=18436420KB;;;; CACHES=4052416KB
nrpe[73362]: Return Code: 0, Output: OK - 90.6% (18436420 kB) free.|TOTAL=20357920KB;;;; USED=1921500KB;16286336;18322128;; FREE=18436420KB;;;; CACHES=4052416KB;;;;
nrpe[73362]: Connection from x.x.x.x closed.

[sawolf]

Hi @ebasse-prog,

Honestly, I'm not completely sure what the error means. I can see a few related issues (#139 #140 #145 #147), but didn't find any context for why it's happening. Here's my understanding of the issue:

When running a plugin, NRPE does some work in my_system to change to root and then to drop its privileges to just the NRPE user/group. The attempted call to seteuid(0) is done because the drop_privileges function doesn't work on some systems otherwise. In this case it seems like the seteuid(0) fails but drop_privileges still works.

I would say that you're probably safe to ignore this error message, as long as you're getting check_results that are readable for check_nrpe.

Edit: I re-read one of the issues, and it mentioned that seteuid(0) is only needed if the NRPE daemon is started as root. So if you're starting it as nagios or some other user, that would explain why the operation fails but you're still able to get check results.

[hron84]

I'm not sure if it's related or not, but we facing with an issue with check_tcp plugin, it complains about the same. While I understand why an NRPE agent tries to be root and drop privileges, I have zero ideas why a Nagios plugin would like to do the same.

UPDATE: I revisited the problem. The problem persists in the nrpe.c about getting root back and dropping privileges. I think this code should only run if geteuid() !== 0 since an already non-root NRPE could not drop the privileges that it did not gained before.

[sawolf]

Thanks for the update, @hron84. What you're saying sounds reasonable to me. I'll look into this if/when we do the next NRPE release.

[StefThomas]

Hi,

I’m seeing this same warning with both NRPE v4.0.3 (RHEL 7.9) and NRPE v4.1.0 (RHEL 8.6). NRPE running as user "nrpe".

[nicutor]

Hi,

I am getting this issue on Rocky Linux release 9.3 (Blue Onyx), NRPE 4.1.0

Feb 22 19:15:35 server sudo[73840]:    nrpe : PWD=/ ; USER=root ; COMMAND=/usr/bin/python /usr/lib/nagios/check_litespeed.py -t bytes_out
Feb 22 19:15:35 server nrpe[73358]: WARNING: my_system() seteuid(0): Operation not permitted

Executing this with sudo from nrpe user works fine, but not thru NRPE.

What can be done?

[StefThomas]

Hi,

Do you have the following line in the sudo configuration for the nrpe user?

Defaults:nrpe      !requiretty

[nicutor]

Hi @StefThomas ,

Yes, I have that line on sudo file.
Actually the fix for this was to set PrivateTmp=false on /usr/lib/systemd/system/nrpe.service