Sudo Configuration For Lilac
In order for Lilac to run nmap and the Nagios binary, and to restart Nagios on demand, it must have the privileges to do so. Unfortunately, the Nagios binary only allows root to run it, so execute permission on the executable is not enough. Instead, we must raise Lilac's privileges to root when performing those actions. This is done securely with sudo; sudo's homepage describes its configuration. How sudo is installed depends on your operating system distribution. For example, Ubuntu already has it installed. Refer to your distribution's documentation to determine whether sudo is installed.
We will go through a sample sudo configuration to show how to give Lilac privilege to execute the Nagios binary and restart it.
Assumptions
We make a few assumptions in this example. You may need to change them to match your installation.
- Our web-server which runs Lilac runs as the www-data user.
- The Nagios binary is located at /usr/local/nagios/bin/nagios.
- The command to restart Nagios is /etc/init.d/nagios restart.
- sudo's configuration file is located at /etc/sudoers.
- Our nmap binary is located at /usr/bin/nmap.
Modifying the sudo configuration file
It is important not to make any syntax mistakes in this file. If you save it with a syntax error, you may break your sudo configuration and be unable to perform any sudo actions until it is fixed. First, open the /etc/sudoers file with root privileges in a text editor. For example:
sudo vim /etc/sudoers
Make sure that the statement Defaults requiretty is commented out. This allows Lilac to run sudo processes without needing a tty.
#Defaults requiretty
We must then add new entries to the file to allow our web-server user to perform these tasks without a password. Add the following lines to the bottom of the file:
www-data ALL=(ALL) NOPASSWD: /usr/bin/nmap
www-data ALL=(ALL) NOPASSWD: /usr/local/nagios/bin/nagios
www-data ALL=(ALL) NOPASSWD: /etc/init.d/nagios restart
www-data ALL=(ALL) NOPASSWD: /etc/init.d/nagios reload
After saving the file, Lilac should now be able to perform these tasks without issue.
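The sudoers entries above, as an added example that is not part of the Lilac documentation: a small Python audit that parses user specifications in this format, confirms that requiretty is not active, and reports entries that carry no argument list (sudo then allows that command to be run with any arguments). The sample text is constructed from this page's four entries.

```python
"""Audit a sudoers fragment in the format used above (added example,
not Lilac's own code; sample text is constructed from this page)."""
import re

SAMPLE_SUDOERS = """\
#Defaults requiretty
www-data ALL=(ALL) NOPASSWD: /usr/bin/nmap
www-data ALL=(ALL) NOPASSWD: /usr/local/nagios/bin/nagios
www-data ALL=(ALL) NOPASSWD: /etc/init.d/nagios restart
www-data ALL=(ALL) NOPASSWD: /etc/init.d/nagios reload
"""

# user  host=(runas)  [TAG: ...]  /path/to/command [args]
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)

def parse_sudoers(text):
    """Return (requiretty_active, entries); comments and blank lines are skipped."""
    requiretty, entries = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            # Only an uncommented, non-negated requiretty forces a tty.
            if re.search(r"(?<!!)\brequiretty\b", line):
                requiretty = True
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError(f"unparseable user specification: {line!r}")
        entry = m.groupdict()
        entry["tags"] = [t.rstrip(":") for t in entry["tags"].split()]
        entry["nopasswd"] = "NOPASSWD" in entry["tags"]
        entries.append(entry)
    return requiretty, entries

def audit(text):
    """Report a tty requirement and entries whose command has no argument list."""
    requiretty, entries = parse_sudoers(text)
    findings = []
    if requiretty:
        findings.append("requiretty is active: sudo fails without a tty")
    for e in entries:
        if e["args"] is None:
            findings.append(f"{e['cmd']}: no argument list, any arguments allowed")
    return findings
```

Run it against a copy of the fragment before installing it; visudo -c -f FILE remains the authoritative syntax check.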
