Sensu checkdisk permission issue


I’m using Sensu’s Checkdisk to monitor every filesystem in servers but I get <CheckDisk WARNING: … Unable to read.> errors for many machines. I tried using “sudo” in “command” in a json file like

"command": "sudo /opt/sensu/embedded/bin/check-disk-usage.rb -w :::disk.warning|92::: -c :::disk.critical|95:::"

which returned

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

I tried creating “sensu” in /etc/sudoers.d/ which didn’t work either.

Defaults:sensu secure_path="/opt/sensu/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

sensu ALL=(ALL) NOPASSWD: /opt/sensu/embedded/bin/check*.rb *
sensu ALL=(ALL) NOPASSWD: /opt/sensu/embedded/bin/metrics*.rb *

Any other solution I can use?


You either need to grant file user/group permissions or use a sudoers entry. I would caution against using wildcards in a sudoers file because of the security risks. As an attacker I would just need to create a file in /etc/sensu/embedded/bin/ (which could be pulled in with a dependency) that started with check- and ended in .rb. Additionally, since you are using a wildcard in the arguments, it is possible to change the intended behavior. Take for example the use case of adding /usr/bin/tail /var/log/*: this would allow the user to run tail on any file regardless of filesystem and user/group permissions, because you would be able to do tail /var/log/../../etc/passwd or similar. The sudoers file will protect file path escaping with a wildcard but not for arguments.

The best solution (other than allowing sensu to access the file through user/group permissions) would be to create a wrapper script that would be called from sensu and then would execute the script with all the required arguments set. This avoids the wildcard expansion attacks.
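
The wildcard concerns in the answer above can be checked mechanically. This is an added example, not code from the thread or from Sensu: it lints sudoers rules for wildcards in the command path or arguments, using the two rules from the question as input. The function names and the wrapper path /usr/local/sbin/sensu-check-disk are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one absolute-path command per
# rule; aliases, continuations and comma-separated lists are not handled.

# Emulates sudoers argument matching, where '*' also matches '/' and spaces.
arg_pattern_matches() {   # $1 = sudoers pattern, $2 = argument string
    case "$2" in $1) return 0 ;; esac
    return 1
}

# Reads sudoers text on stdin, prints one finding per wildcard it sees,
# and returns 1 if anything was flagged.
audit_sudoers() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*) continue ;;      # blanks, comments, Defaults
        esac
        spec=${line#*=}                          # "(ALL) NOPASSWD: /path args"
        case "$spec" in
            */*) cmd="/${spec#*/}" ;;            # keep from the first '/' on
            *)   continue ;;
        esac
        path=${cmd%% *}
        args=''
        case "$cmd" in *' '*) args=${cmd#* } ;; esac
        case "$path" in
            *\**|*\?*|*\[*) printf 'WILDCARD-PATH %s\n' "$path"; rc=1 ;;
        esac
        case "$args" in
            *\**|*\?*|*\[*) printf 'WILDCARD-ARGS %s\n' "$path $args"; rc=1 ;;
        esac
    done
    return "$rc"
}

# The two rules from the question, then a wildcard-free rule for a
# hypothetical wrapper script ("" means: no arguments allowed).
page_rules() {
    printf '%s\n' 'sensu ALL=(ALL) NOPASSWD: /opt/sensu/embedded/bin/check*.rb *' \
                  'sensu ALL=(ALL) NOPASSWD: /opt/sensu/embedded/bin/metrics*.rb *'
}
wrapper_rule() { printf '%s\n' 'sensu ALL=(root) NOPASSWD: /usr/local/sbin/sensu-check-disk ""'; }

page_rules | audit_sudoers || true
wrapper_rule | audit_sudoers && echo "wrapper rule: no wildcards"
arg_pattern_matches '/var/log/*' '/var/log/../../etc/passwd' && echo "argument wildcard crosses '/'"
```

A real sudoers file should still be syntax-checked with visudo -c; this lint only looks for wildcard characters in single-command rules.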