Executing mailq as the nagios user on Fedora 12

Rick Wargo

I added a new check command to nagios to check the sendmail mail queue but received an error while executing within nagios:

/usr/bin/mailq = can not chdir(/var/spool/mqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
CRITICAL: Error code 78 returned from /usr/bin/mailq

This is because the nagios process (which runs as the nagios user) does not have permission to read the mail spool directory (/var/spool/mqueue): that directory is owned by root and its permissions are 700.

The fix is to permit nagios to execute this command as root and to run the /usr/bin/mailq program with sudo in the check_mailq Perl script.

Step 1: Modify check_mailq
Edit the check_mailq file after making a backup of it. Find the place where mailq is opened for reading from a pipe and add /usr/bin/sudo before the command. The resulting line looks like the following (note: this is done using sendmail as the MTA):

if (! open (MAILQ, "/usr/bin/sudo $utils::PATH_TO_MAILQ | " ) ) {

Step 2: Modify sudoers
Edit the sudoers file to give nagios permission to execute /usr/bin/mailq as root without requiring a password. I accomplished this by adding the following line to the end of the file:

nagios ALL= (root) NOPASSWD: /usr/bin/mailq

Test prior to reloading nagios by executing the check_mailq command as nagios:

su nagios -c "./check_mailq -w 5 -c 10"

If you see an error message about a tty, like:

sudo: sorry, you must have a tty to run sudo

or in nagios:

CRITICAL: Error code 1 returned from /usr/bin/mailq

you will need to either comment out the line about requiring the tty (Defaults requiretty), or add a new line not requiring the tty for nagios:

Defaults:nagios !requiretty
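
An added example, not part of the original post: a small Python check that audits a sudoers fragment for the two settings discussed above (the passwordless mailq rule and the requiretty change). The function name, the sample fragments and the suggestion to append "" are assumptions of this example; the "" form relies on the plugin calling mailq with no arguments, as in the line from Step 1.

```python
import re

# Matches simple one-line user specs, e.g. "nagios ALL= (root) NOPASSWD: /usr/bin/mailq".
# Aliases, line continuations and multiple tags are out of scope for this sketch.
SPEC = re.compile(r'^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(NOPASSWD:\s*)?(.+)$')
TTY_OFF = re.compile(r'^(#\s*Defaults\s+requiretty|Defaults\s+!requiretty)\b')

def audit_sudoers(text, user="nagios", allowed=("/usr/bin/mailq",)):
    """Return (line_no, message) findings for `user` in a sudoers fragment."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Commenting out (or negating) the global setting lifts it for every account.
        if TTY_OFF.match(line):
            findings.append((no, "requiretty off for all users; scope it with "
                                 "Defaults:%s !requiretty" % user))
            continue
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        # Only passwordless rules for the audited user are examined.
        if not m or m.group(1) != user or not m.group(2):
            continue
        for cmd in (c.strip() for c in m.group(3).split(",")):
            path, _, args = cmd.partition(" ")
            if path == "ALL" or "*" in cmd:
                findings.append((no, "ALL or a wildcard in passwordless command: %s" % cmd))
            elif path not in allowed:
                findings.append((no, "unexpected passwordless command: %s" % path))
            elif not args.strip():
                findings.append((no, 'any arguments accepted; append "" to allow none: %s' % path))
    return findings

# Constructed sample: the page's rule, with the global requiretty line commented out.
AS_ON_PAGE = """\
#Defaults requiretty
nagios ALL= (root) NOPASSWD: /usr/bin/mailq
"""
# Constructed sample: per-user tty exemption and a no-arguments command.
TIGHTER = """\
Defaults requiretty
Defaults:nagios !requiretty
nagios ALL=(root) NOPASSWD: /usr/bin/mailq ""
"""

if __name__ == "__main__":
    for name, frag in (("as on page", AS_ON_PAGE), ("tighter", TIGHTER)):
        print(name, audit_sudoers(frag))
```

In sudoers, a command listed without arguments may be run with any arguments, while a trailing "" permits only the bare command.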


7 Responses to “Executing mailq as the nagios user on Fedora 12”

  1. Arun Shetty Says:

    This doesn't work :-( I see the following error
     
    ERROR: could not open /usr/bin/mailq
     

  2. Matt Says:

    I had a similar problem as Arun. In my case, it was because the utils.pm was pointing to a soft-link, rather than the executable. Changing MAILQ in utils.pm to directly point to /usr/bin/exim (I use Debian Lenny, and Exim4 is the MTA).
    That got me around the above error, but now I get a /usr/bin/exim4 is not executable by (uid xxx:gid(xxx:xxx)) – the UID and GID for nagios.
    Ugh. Thanks for pointing me in the right direction, though. I’ll let you know if I find a solution.
    Cheers,
    Matt

  3. Nadeem Says:

    Thanks,
    Works for me. I am on FC 10.

  4. Chris Says:

    This got me to the next stage that I required. Needs a little bit of unix knowledge to get this done but great article; Thanks!

  5. jamshid Says:

    Thanks for the informative article.
    I was stuck with this problem for weeks!

    As per your suggestion I ran su command first (I added the shell option because by default nagios account has no shell on Fedora 15)
    su -s /bin/bash nagios -c "./check_mailq -w 5 -c 10"

    When Linux complained that sudo requires a tty then I added the following entry to sudoers file:
    Defaults:nagios !requiretty

    Problem fixed! Thanks and keep up the good work.

  6. 10function Says:

    A simpler way is to add the nagios user to the exim group (/etc/group file).

    With this solution there is no need to modify the check_mailq plugin or use sudo.

    PS: On Debian, the group is called Debian-exim

  7. Milosch Says:

    Thank you for this. Perfect!
