Matt

Reputation: 3353

Perl script can't open file owned by root when called from process (Nagios)

I have a VPS with Nagios installed, and I want to use Nagios to monitor the VPS resources in the /proc/user_beancounters file. The file has the following permissions:

-r-------- 1 root root 0 Oct 26 15:53 /proc/user_beancounters

So I downloaded the script from the Nagios Exchange:

https://exchange.nagios.org/directory/Plugins/Operating-Systems/*-Virtual-Environments/OpenVZ/check-beancounters/details

In the instructions it suggests to:

don’t forget to set the s-bit (chmod +s check_UBC.pl)

So, I copied the script over, and set the s-bit, then run it from the terminal as root. It works as expected. I then delete the temp file it created, su into the nagios user, and run the script. It works as expected. I delete the temp file it created, and start up Nagios. It can't read the /proc/user_beancounters file! The exact error I get, helpfully, is "could not read /proc/user_beancounters". This is, I believe, thrown by the line in the Perl script:

use strict;
my $UBC = '/proc/user_beancounters';                                        # path read by the plugin
my %ERRORS = ('OK' => 0, 'WARNING' => 1, 'CRITICAL' => 2, 'UNKNOWN' => 3);  # standard Nagios exit codes (assumed, normally from utils.pm)

if (! open IN, "<", $UBC )
{
    print "could not read $UBC\n";   # $! would add the underlying errno, e.g. "Permission denied"
    exit $ERRORS{'CRITICAL'};
}

My OS is CentOS release 6.2 (Final).

My first thought is that it is some kind of SELinux voodoo, but there is no indication that SELinux is running on this server. Just in case, I tried the following:

echo 0 > /selinux/enforce

But this made no difference.

For reference, this is my nagios service running:

nagios   12939  0.0  0.0 203652  3404 ?        Ssl  15:39   0:00 /usr/sbin/nagios -d /etc/nagios/nagios.cfg

And this is where I've put the Perl script:

-rwsr-sr-x 1 nagios nagios   2934 Oct 26 15:37 check_UBC.pl

Any suggestions as to what else I can try?

PS apologies if this should go in a different SE site - never sure with questions that involve scripts, permissions etc...

UPDATE 1

I created a shell script to see if I could 'emulate' the nagios service. It is extremely simple:

#!/bin/bash
/usr/lib64/nagios/plugins/check_UBC.pl

And now I have the following permissions:

-rwsr-sr-x 1 root root     2934 Oct 26 15:37 check_UBC.pl
-rwxrwxrwx 1 root root       51 Oct 26 19:29 check_UBC.sh

As root:

[root@/usr/lib64/nagios/plugins]$ ./check_UBC.pl 
  everything is fine..
[root@/usr/lib64/nagios/plugins]$ ./check_UBC.sh 
  everything is fine..

As nagios:

-bash-4.1$ ./check_UBC.pl
  everything is fine..
-bash-4.1$ ./check_UBC.sh
  everything is fine..

So still no clue...

UPDATE 2

My nagios command definition:

define command{
    command_name    check_beancounters
    command_line    $USER1$/check_UBC.pl
    }

And the service definition:

define service{
    use                             local-service
    host_name                       localhost
    service_description             VPS Beancounters
    check_command                   check_beancounters
    }

UPDATE 3

I managed to get it to work, but am not over the moon about giving the nagios user full sudo access with no password. In /etc/sudoers I put this on the last line:

nagios ALL=(ALL:ALL) NOPASSWD: ALL

And then changed my command definition to:

define command{
    command_name    check_beancounters
    command_line    sudo $USER1$/check_UBC.pl
    }

Apparently recent versions of Linux will not respect the +s permission when running an interpreted script, only a binary. So I guess I will have to compile a binary wrapper for the script?

UPDATE 4

As per Joe Young's suggestion, I changed my visudo entry to:

nagios ALL=NOPASSWD: /usr/lib64/nagios/plugins/check_UBC.pl

Which hopefully is relatively harmless!

Upvotes: 0

Views: 1370
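The difference between the UPDATE 3 and UPDATE 4 sudoers entries is the whole security story of this question: `NOPASSWD: ALL` makes the nagios account equivalent to root, while a single fixed plugin path limits what a compromised check can do. The following is an added example, not code from the question or from Nagios: a small audit of sudoers-style lines that parses the common one-line rule form and grades each grant. The regex, the severity scale, the decision to skip root's own rule, and the sample lines (modelled on the two entries above, plus a constructed wildcard rule) are all assumptions of this example; aliases, `@include` and line continuations are not handled.

```python
"""Audit sudoers rules for over-broad NOPASSWD grants (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One-line rule:  user_or_%group  host=(runas) [TAG: ...] cmd[, cmd...]
# Aliases, @include lines and backslash continuations are not handled (assumption
# of this example; enough for the entries quoted in the question).
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")


@dataclass
class Finding:
    line_no: int
    who: str
    severity: str  # "high", "medium" or "low"
    reason: str


def classify(tags: str, cmds: List[str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one parsed rule, or None if there is nothing to report."""
    nopasswd = "NOPASSWD" in tags
    if any(c == "ALL" for c in cmds):
        # Any command as root (sudo -i, sudo sh, ...): the account is root in all but name.
        return "high", "unrestricted command list (ALL)" + (" without a password" if nopasswd else "")
    if not nopasswd:
        return None
    for c in cmds:
        if "*" in c or "?" in c or "[" in c:
            # sudo wildcards match across argument boundaries, so "/usr/bin/rsync *" is far broader than it looks.
            return "medium", f"NOPASSWD with wildcard command {c!r}"
        if not c.startswith("/"):
            return "medium", f"NOPASSWD with non-absolute command {c!r} (resolved via PATH)"
    return "low", "NOPASSWD limited to fixed absolute command(s); verify they are root-owned and not writable by the user"


def audit_sudoers(text: str) -> List[Finding]:
    """Parse sudoers text line by line and collect findings for service-account grants."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        if m["who"] == "root":
            continue  # root's own ALL rule is the stock entry, not a grant to a service account
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        verdict = classify(m["tags"], cmds)
        if verdict:
            findings.append(Finding(n, m["who"], *verdict))
    return findings


# Constructed sample sudoers content, modelled on the entries in the question.
SAMPLE_SUDOERS = """\
## constructed sample, not a real /etc/sudoers
Defaults    env_reset
root    ALL=(ALL)       ALL
# UPDATE 3: effectively makes the nagios account root
nagios ALL=(ALL:ALL) NOPASSWD: ALL
# UPDATE 4: one fixed plugin path
nagios ALL=NOPASSWD: /usr/lib64/nagios/plugins/check_UBC.pl
backup ALL=NOPASSWD: /usr/bin/rsync *
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.who}: {f.severity}: {f.reason}")
```

This checks policy, not syntax; `visudo -c` is still the tool for confirming that the file parses. The "low" grade for the UPDATE 4 style entry is deliberate: a fixed path is only as safe as the file behind it, so the plugin must be root-owned and not writable by the nagios user, otherwise editing the script is the same as editing the sudoers rule.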

Answers (2)

Bee Kay

Reputation: 319

What would the risk be to change the permissions on /proc/user_beancounters to 444 (read for all?) It only contains a number, correct? Not sure if that particular file "sticks around" after a reboot, or worse, constantly gets replaced as the services are running, so this could be a problem still.

Also, consider trying to test for actual "existence" of the file, before you attempt to read from it. Since we're in /proc directory, things do change, from time to time...

Lastly, you are asking to open the file, but syntactically is it asking to open in a read only mode? You may want to try a system call to simply "cat" the file contents, in your shell script, and see if you get a response.

Upvotes: 0

Joe Young

Reputation: 5875

Try changing the owner of check_UBC.pl to root so that when nagios executes check_UBC.pl the script runs as setuid of its owner root and not the nagios user.

chown root:root check_UBC.pl

EDIT:

Can you post your command definition that's calling check_UBC.pl?

The last thing I can think of to try is to install the perl-suid module: https://chrisjean.com/fix-setuid-cannot-exec-sperl/ Although, if check_UBC.pl runs from the command line with no problem, I'm not sure what difference it would make.

Upvotes: 1
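Both this answer and UPDATE 3 in the question circle the same kernel rule: Linux applies the setuid/setgid bits only to the executable it actually loads, and for a file beginning with `#!` that executable is the interpreter, which is started with the caller's own uid, so the bit on the script is silently ignored (the reason for the perl-suid workaround mentioned above). The following is an added example, not code from the question, the answers or Nagios, that turns that rule into a check an administrator can run over plugin files: the decision is a pure function of mode, first bytes and owner so it can be exercised without root, and a thin wrapper applies it to a real path. The verdict texts, the extra group/world-writable check and the uid 500 used to stand in for nagios are assumptions of this example.

```python
"""Check whether a setuid/setgid bit on a plugin file can take effect (added example, not from the thread)."""
import os
import stat
from dataclasses import dataclass
from typing import Optional


@dataclass
class SetuidVerdict:
    effective: bool  # True if the kernel applies the bit when the file is executed
    note: str


def setuid_verdict(mode: int, header: bytes, owner_uid: int) -> Optional[SetuidVerdict]:
    """Pure decision on (st_mode, first bytes of the file, owner uid).

    Returns None when neither setuid nor setgid is set, so there is nothing to report.
    """
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    if header.startswith(b"#!"):
        # Linux execs the interpreter named after "#!" with the caller's own uid/gid;
        # the bit on the script file itself is ignored (why UPDATE 3 had to fall back to sudo).
        return SetuidVerdict(False, "setuid/setgid bit on a #! script is ignored by the kernel")
    if mode & stat.S_ISUID and owner_uid != 0:
        # The bit works, but only raises privileges to the owner (e.g. nagios, as in the first listing).
        return SetuidVerdict(True, f"setuid takes effect, but to uid {owner_uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Extra hygiene check assumed by this example: a writable setuid binary is a privilege escalation path.
        return SetuidVerdict(True, "setuid binary is group- or world-writable: whoever can write it runs as the owner")
    return SetuidVerdict(True, "setuid binary runs with the owner's privileges")


def check_file(path: str) -> Optional[SetuidVerdict]:
    """Apply setuid_verdict() to a real file on disk."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        header = fh.read(4)
    return setuid_verdict(st.st_mode, header, st.st_uid)


if __name__ == "__main__":
    # Constructed inputs mirroring the two listings in the question:
    # "-rwsr-sr-x 1 nagios nagios ... check_UBC.pl" and the same file after chown root:root.
    script_mode = stat.S_IFREG | 0o6755
    for owner in (500, 0):  # 500 stands in for the nagios uid (assumption of this example)
        print(owner, setuid_verdict(script_mode, b"#!/usr/bin/perl"[:4], owner))
```

Run against the two states in the question, both listings come back as "ignored by the kernel": changing the owner to root does not change that outcome, which is consistent with the script working from an interactive shell (where the caller already had the rights) but not from the Nagios daemon.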
