pfSsh playback can't run as non-root after 24.11 update
-
I check the status of the firewall services using some admittedly old nagios scripts which worked up until the 24.11 update. The script in question runs the command
/usr/local/sbin/pfSsh.php playback svc status unbound
which works great as root. However, I run it as a regular user that has the "Shell Account Access" permissions so it can issue the command via SSH from our monitoring system. Output as root:
Service unbound is running.
Output as non-root:
pkill: signalling pid 80772: Operation not permitted
pkill: signalling pid 70664: Operation not permitted
pkill: signalling pid 1978: Operation not permitted
pkill: signalling pid 16781: Operation not permitted
pkill: signalling pid 26111: Operation not permitted
pkill: signalling pid 88576: Operation not permitted
pkill: signalling pid 1378: Operation not permitted
pkill: signalling pid 32947: Operation not permitted
pkill: signalling pid 14192: Operation not permitted
pkill: signalling pid 80772: Operation not permitted
Service unbound is stopped.
Whatever changed with 24.11 was probably for the best, but I'd like to fix the script so I can continue monitoring services. Any suggestions?
-
@Troutpocket said in pfSsh playback can't run as non-root after 24.11 update:
Any suggestions?
"Talking" to unbound directly is probably a thing of the past.
Every self respecting process has now a "control(ler)" part these days. Use that to talk to unbound.
Example:
[24.11-RELEASE][root@pfSense.bhf.tld]/root: unbound-control -c /var/unbound/unbound.conf status
version: 1.22.0
verbosity: 1
threads: 2
modules: 3 [ python validator iterator ]
uptime: 94422 seconds
options: control(ssl)
unbound (pid 67273) is running...
About 'root' : unbound runs with root privileges, so mister nobody wouldn't be able to look into 'DNS stuff of everybody'.
Also, pfSense isn't a multi user system anyway ... there is just 'one admin', like a car has only 'one driver'.
dpinger is a home (Netgate) build 'simple' process, and hasn't any fancy support, not even an /usr/local/etc/rc.d file. You can still check if it's running, look:
ps aux | grep 'dpinger'
Dunno what "apinger" is ...
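As an added example that is not part of the original thread, here is a Nagios-style check built on the unbound-control approach shown above instead of pfSsh.php playback. It assumes unbound-control is on the monitoring user's PATH and that the control certificate and key referenced by /var/unbound/unbound.conf are readable by that user (an assumption; the thread does not cover control-socket permissions).

```sh
#!/bin/sh
# check_unbound: Nagios plugin that asks unbound itself for its status via
# unbound-control, so it does not need the root-only service status playback.
# Assumption: unbound-control is on PATH and the control key/cert are readable.

UNBOUND_CONF="/var/unbound/unbound.conf"   # path used in the thread
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# parse_unbound_status STATUS_TEXT
# Turns the text printed by `unbound-control status` into a Nagios result:
# prints a one-line summary with perfdata and returns 0 (OK) or 2 (CRITICAL).
parse_unbound_status() {
    status_text="$1"
    case "$status_text" in
        *"is running"*)
            # Pull pid, uptime and version out of the lines shown in the thread.
            pid=$(printf '%s\n' "$status_text" | sed -n 's/.*(pid \([0-9]*\)).*/\1/p')
            uptime=$(printf '%s\n' "$status_text" | sed -n 's/^uptime: \([0-9]*\) seconds.*/\1/p')
            version=$(printf '%s\n' "$status_text" | sed -n 's/^version: \(.*\)$/\1/p')
            printf 'UNBOUND OK - %s running (pid %s), up %ss | uptime=%ss\n' \
                "$version" "$pid" "$uptime" "$uptime"
            return 0 ;;
        "")
            # Empty output: unbound is down or the control channel is unreachable.
            echo "UNBOUND CRITICAL - no output from unbound-control"
            return 2 ;;
        *)
            # Anything else (permission denied, connect error, command missing)
            # is reported on a single line so it is readable in the Nagios UI.
            first_line=$(printf '%s\n' "$status_text" | head -n 1)
            echo "UNBOUND CRITICAL - $first_line"
            return 2 ;;
    esac
}

# run_check: invoke unbound-control and grade its output. stderr is merged so
# that permission or TLS errors end up in the CRITICAL message, not lost.
run_check() {
    out=$("$UNBOUND_CONTROL" -c "$UNBOUND_CONF" status 2>&1)
    parse_unbound_status "$out"
}

# The script's exit status is the check result (0 OK, 2 CRITICAL).
run_check
```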
-
The service status php script should still work though. Most likely it requires root and should not have run before. Some bug was fixed and now it correctly fails.
Can your user run other php shell playback sessions?
You might need to use the sudo package to allow it.
Steve
-
@stephenw10 Thanks for the suggestion. Any particular playback scripts you recommend I should use to test?
-
Try:
pfSsh.php playback gatewaystatus
That works here as a user with only the shell access privilege. But svc status fails.... which is interesting.
-
@stephenw10 Ya, that works. Nonetheless, I put a bandaid on it by adding a line to sudoers:
nagios ALL=(ALL) NOPASSWD:/usr/local/sbin/pfSsh.php
and adding a 'sudo' prefix to the command script. I'd rather not do that if the case is that the command should work without sudo, though.
-
Mmm, that is probably the way to go. Those scripts are expected to be run as root. Curious that it changed in 24.11 though.