snmpd.conf: can't exec script (Permission denied)

Question

I am trying to exec command to perform checks through snmp.

I am on Debian 6.0

Here is my snmpd.conf file

rwcommunity public 172.23.129.0/29
syslocation "Blah
syscontact admin@domain.net
sysname belleville.domain.net
sysdescr "Syslog Domain Server"

disk /

load 5 10 10

#exec 1.3.6.1.4.1.2021.8 /usr/bin/python /usr/local/domain/tools/check-syslog.py
exec 1.3.6.1.4.1.2021.8 /usr/bin/python /tmp/check-syslog.py

Here is the output of snmpget:

snmpget -Of -cpublic -v1 belleville 1.3.6.1.4.1.2021.8.1.101.1
.iso.3.6.1.4.1.2021.8.1.101.1 = STRING: "/usr/bin/python: can't open file '/tmp/check-syslog.py': [Errno 13] Permission denied"

I don't understand the permission issue, as the rights on the file are 711 and owner root:root, located in /tmp folder. Anyway, this script is executed by root user, isn't it? So 700 should be enough anyway? This makes me think that this does not look like a permission trouble, even with this error message.

I hope someone has ever met this issue, and would be able to give me some advice :/

Thanks a lot for any piece of advice :)

score 2 · Answer 1 · answered Jul 17 '11 at 11:50

2

You've said that the script is located in /tmp; is your /tmp partition mounted noexec by any chance? That can be an occasional source of confusion.

answered Jul 17 '11 at 11:50

womble

95,029
29
173
228

Hi, Thx for you answer, but there is nothing like that in my /tmp dir – philippe Jul 19 '11 at 15:41

score 2 · Answer 2 · answered Jul 17 '11 at 20:51

2

snmpd might run with a different accout than root as well.

Check out by executing a test-script that executes "id".

answered Jul 17 '11 at 20:51

Nils

7,657
3
31
71

When I change the rights from 711 to 771, I still get the same problem. I have to change the rights to 777 to have an other output: – philippe Jul 19 '11 at 16:06
Sounds as if I am right. So what is the output of "id" after you did your 777? – Nils Jul 19 '11 at 19:58

score 1 · Answer 3 · answered Mar 03 '16 at 07:35

Not sure, that it is exactly your problem. We ran into the same one but with extend, where name is required and OID isn't. So our misconfigured snmp was executing only the last part of command line which wasn't executable file.

Your variant:

exec 1.3.6.1.4.1.2021.8 /usr/bin/python /tmp/check-syslog.py

will define /usr/bin/python and name and try to execute only /tmp/check-syslog.py without interpreter

Correct one with extension name check-syslog:

exec 1.3.6.1.4.1.2021.8 check-syslog /usr/bin/python /tmp/check-syslog.py

Your final example is clear and precisely what I needed in my situation. I wasn't having the issue you were having but other examples I've seen didn't have both the OID and the "extension name". +1 — harperville, Aug 16 '16 at 12:32

snmpd.conf: can't exec script (Permission denied)

3 Answers3