I added a new check command to nagios to check the sendmail mail queue but received an error while executing within nagios:

/usr/bin/mailq = can not chdir(/var/spool/mqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
CRITICAL: Error code 78 returned from /usr/bin/mailq

This is because the nagios process (which runs as the nagios user) does not have the permissions to look at the spool directory for mail (/var/spool/mqueue) – the permissions on that directory are 700 and owned by root.

The fix is to permit nagios to execute this command as root and also to run the /usr/bin/mailq program with sudo in the check_mailq perl script.

Step 1: Modify check_mailq
Edit the check_mailq file, after making a backup of the file. Search for the place where the mailq is opened for reading from the pipe and add /usr/bin/sudo prior to the command. The resulting line looks like the following (note: this is does using sendmail as the MTA):

if (! open (MAILQ, "<em><strong>/usr/bin/sudo </strong></em>$utils::PATH_TO_MAILQ | " ) ) {

Step 2: Modify sudoers
Edit the sudoers file to give nagios permission to execute /usr/bin/mailq as root without requiring a password. I accomplished this by adding the following line to the end of the file:

nagios  ALL= (root)     NOPASSWD: /usr/bin/mailq

Test prior to reloading nagios by executing the check_mailq command as nagios:

su nagios -c "./check_mailq -w 5 -c 10"

If you see an error message about a tty, like:

sudo: sorry, you must have a tty to run sudo

or in nagios:

CRITICAL: Error code 1 returned from /usr/bin/mailq

you will need to either comment out the line about requiring the tty (Defaults requiretty), or add a new line not requiring the tty for nagios:

Defaults:nagios  !requiretty

This entry was posted on Wednesday, January 13th, 2010 at 11:45 am and is filed under WILT, nagios. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.