Ad Widget

Collapse

external script returns "" when ran as user zabbix

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • ptera
    Senior Member
    • Oct 2014
    • 109
    #1

    external script returns "" when ran as user zabbix

    external scripts that used to work under older version of zabbix now returns "" under 7.4.1 with Ubuntu Linux 24.04.3

    inception@superdog:~$ sudo /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
    -65
    inception@superdog:~$ sudo -u zabbix /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
    inception@superdog:~$

    I have enabled AllowKey=system.run[*] in the agent config file.
    I have enable EnableGlobalScripts=1 in server config file.

    Not sure what else I am missing.

    Even more confusing is when ssh failed to add host to the host file the information from the script is returned at the end. (text in red)
    Value of type "string" is not suitable for value type "Numeric (unsigned)". Value "Failed to add the host to the list of known hosts (/var/lib/zabbix/.ssh/known_hosts).\r\n5710"

    I may have fixed some of these these by changing the ownership of the /var/lib/zabbix/.ssh to zabbix:zabbix mode 0700
    But other hosts still show "" being returned after being added to known_hosts.

    Here is the script
    #!/bin/sh

    ubntUser=admin
    ubntPass=##########

    sshPassBin=/usr/bin/sshpass
    sshBin=/usr/bin/ssh

    ubntHost=$1
    ubntKey=$2

    ${sshPassBin} -p ${ubntPass} ${sshBin} -o HostKeyAlgorithms=+ssh-dss -l ${ubntUser} ${ubntHost} -p 22 mca-status | grep "^${ubntKey}=" | cut -d= -f2
    Last edited by ptera; 21-08-2025, 17:23.
    Tags: None
    • tim.mooney
      Senior Member
      • Dec 2012
      • 1427
      #2
      Originally posted by ptera
      inception@superdog:~$ sudo /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
      -65
      inception@superdog:~$ sudo -u zabbix /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
      That tells you that the script returns a value when you run it as root, but not when you run it as a non-privileged user.

      When something works as root but not as a normal user, the first thing you should consider is that it's a permission problem somewhere.

      Are you checking return values of each stage of the script. Something inside the script is failing, probably because of a permission issue, and that's the source of your difference.

      You don't say what language the script is written in, but if it's Bourne shell or similar (bash, zsh) you should be able to pass a '-x' on the script's shbang line to aid in debugging. If you run it again as root and non-root, you should see where the output starts to differ.

        Comment

        • ptera
          Senior Member
          • Oct 2014
          • 109
          #3
          The only difference between the two executions is no returned data.
          inception@superdog:~$ sudo /usr/lib/zabbix/externalscripts/ubntStatus20021 10.47.47.52 signal
          [sudo] password for inception:
          + ubntUser=admin
          + ubntPass=XXXXXXXXX
          + sshPassBin=/usr/bin/sshpass
          + sshBin=/usr/bin/ssh
          + ubntHost=10.47.47.52
          + ubntKey=signal
          + /usr/bin/sshpass -p XXXXXXXXXXX /usr/bin/ssh -oHostKeyAlgorithms=+ssh-dss -l admin 10.47.47.52 -p 22 mca-status
          + grep ^signal=
          + cut -d= -f2
          -64
          inception@superdog:~$ sudo -u zabbix /usr/lib/zabbix/externalscripts/ubntStatus20021 10.47.47.52 signal
          + ubntUser=admin
          + ubntPass=XXXXXXXXXXXX
          + sshPassBin=/usr/bin/sshpass
          + sshBin=/usr/bin/ssh
          + ubntHost=10.47.47.52
          + ubntKey=signal
          + /usr/bin/sshpass -p XXXXXXXXXXX /usr/bin/ssh -oHostKeyAlgorithms=+ssh-dss -l admin 10.47.47.52 -p 22 mca-status
          + grep ^signal=
          + cut -d= -f2
          inception@superdog:~$
          Last edited by ptera; 22-08-2025, 20:15.

            Comment

            • ptera
              Senior Member
              • Oct 2014
              • 109
              #4
              I tried making a copy of sshpass (sshpassz) and set ownership to zabbix.zabbix and made a copy of the script using sshpassz and got the same results.
              inception@superdog:~$ sudo -u zabbix /usr/lib/zabbix/externalscripts/ubntStatus20021 10.47.47.52 signal
              + ubntUser=admin
              + ubntPass=XXXXXXXXXXX
              + sshPassBin=/usr/bin/sshpassz
              + sshBin=/usr/bin/ssh
              + ubntHost=10.47.47.52
              + ubntKey=signal
              + /usr/bin/sshpassz -p XXXXXXXXXXX/usr/bin/ssh -oHostKeyAlgorithms=+ssh-dss -l admin 10.47.47.52 -p 22 mca-status
              + grep ^signal=
              + cut -d= -f2
              inception@superdog:~$
              Last edited by ptera; 22-08-2025, 20:15.

                Comment

                • ptera
                  Senior Member
                  • Oct 2014
                  • 109
                  #5
                  I even changed sudoers.d
                  #zabbix ALL = (ALL) NOPASSWD: /usr/bin/nmap -O *
                  zabbix ALL = (ALL) ALL
                  Still no data returned.
                  inception@superdog:~$ sudo -u zabbix /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
                  inception@superdog:~$ sudo /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
                  -65
                  and yet after su zabbix
                  zabbix@superdog:/home/inception$ sudo /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
                  -64
                  Seems to me it did not work this way before. Hopefully this clears up.​
                  Nope
                  changed: Value of type "string" is not suitable for value type "Numeric (unsigned)". Value ""
                  Last edited by ptera; 22-08-2025, 19:19.

                    Comment

                    • ptera
                      Senior Member
                      • Oct 2014
                      • 109
                      #6
                      Now I am even more confused - I copied the script and gave it a different name then made the change in the item config for one host and now it works.
                      So tried that on another script but it does not work. Even more confused.
                      OK so I had to sudo -u root the command in the script for it to return a value.
                      And it stopped working again.
                      OK apparently zabbix is not performing the work of adding the DSA key fingerprint to knownhosts. I have to ssh to each host as the user zabbix and then the scripts start working. Fun.
                      Last edited by ptera; 22-08-2025, 21:12.

                        Comment

                        • ptera
                          Senior Member
                          • Oct 2014
                          • 109
                          #7
                          Last comment I tried copying a working the script and rename it back to the old name before the upgrade and it would not work. Not sure why the name of the file would matter.

                            Comment

                            • ptera
                              Senior Member
                              • Oct 2014
                              • 109
                              #8
                              Works now from both users on command line but not in zabbix application
                              inception@superdog:~$ sudo -u zabbix /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
                              [sudo] password for inception:
                              -65
                              inception@superdog:~$ su zabbix
                              zabbix@superdog:/home/inception$ sudo /usr/lib/zabbix/externalscripts/ubntStatus2002 10.47.47.52 signal
                              -65
                              zabbix@superdog:/home/inception$

                                Comment

                                • ptera
                                  Senior Member
                                  • Oct 2014
                                  • 109
                                  #9
                                  Now the script (ubntStatus20021) that was working in zabbix has stopped working. Returns "".

                                    Comment

                                    Previous template Next
                                    Working...