[SOLVED] - Errors in perl scripts

[SpeedyGonzales]

Hello all

I have these errors repeating now for any unix scripts

Insecure $ENV{PATH} while running setgid at /usr/share/cacti/site/scripts/loadavg_multi.pl line 4.
Insecure $ENV{PATH} while running setgid at /usr/share/cacti/site/scripts/ping.pl line 9.
Insecure $ENV{PATH} while running setgid at /usr/share/cacti/site/scripts/unix_processes.pl line 3.
Insecure $ENV{PATH} while running setgid at /usr/share/cacti/site/scripts/query_unix_partitions.pl line 12.

I have updated and upgraded when this started which fixed a number of problems
As the main graphs are populating and it only being the unix based graphs not populating I do not want to roll back

Linux Mint 18.3
Apache2 2.4.25-3 deb9u4
Mysql v14.4 Distrib 5.7.21 x86_64
PHP 7.0.28
Cacti 0.8.8h+dsl-10

This install has been running for a couple of years

loadavg_multi.pl

#!/usr/bin/perl

#get load avg for 1;5;10 min
open(PROCESS, "env LC_ALL=C uptime | ");
#open(PROCESS, "env LC_ALL=C uptime");

$avg = <PROCESS>;
close(PROCESS);

# 9:36pm up 15 days, 11:37, 2 users, load average: 0.14, 0.13, 0.10

$avg =~ s/^.*:\s(\d+\.\d{2}),?\s(\d+\.\d{2}),?\s(\d+\.\d{2})$//;

print "1min:$1 5min:$2 10min:$3";



ping.pl

#!/usr/bin/perl

# take care for tcp:hostname or TCP:ip@
$host = $ARGV[0];
$host =~ s/tcp:/$1/gis;

# old linux version use "icmp_seq"
# newer use "icmp_req" instead
open(PROCESS, "ping -c 1 $host | grep 'icmp_[s|r]eq' | grep time |");
#open(PROCESS, "ping -c 1 $host | grep icmp_req | grep time ");

$ping = <PROCESS>;
close(PROCESS);
$ping =~ m/(.*time=)(.*) (ms|usec)/;

if ($2 == "") {
print "U"; # avoid cacti errors, but do not fake rrdtool stats
}elsif ($3 eq "usec") {
print $2/1000; # re-calculate in units of "ms"
}else{
print $2;
}



unix_processes.pl

#!/usr/bin/perl

open(PROCESS, "ps ax | grep -c : |");
$output = <PROCESS>;
close(PROCESS);
chomp($output);
print $output;



query_unix_partitions.pl

#!/usr/bin/perl

if (($ARGV[0] ne "query") && ($ARGV[0] ne "get") && ($ARGV[0] ne "index") && ($ARGV[0] ne "num_indexes")) {
print "usage:\n\n";
print "./query_unix_partitions.pl index\n";
print "./query_unix_partitions.pl num_indexes\n";
print "./query_unix_partitions.pl query {device,mount,total,used,available,percent}\n";
print "./query_unix_partitions.pl get {device,mount,total,used,available,percent} DEVICE\n";
exit;
}

open(DF, "/bin/df -P -k|");
#open(DF, "/bin/df -P -k");
#/dev/hda2 20157744 18553884 579860 97% /var
if (/^(\/\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(\/\S*)$/) {
my %output = (
device => $1,
mount => $6,
total => $2,
used => $3,
available => $4,
percent => $5
);

if ($ARGV[0] eq "index") {
print "$1\n";
}elsif ($ARGV[0] eq "num_indexes") {
$count++;
}elsif (($ARGV[0] eq "get") && ($ARGV[2] eq $1)) {
print $output{$ARGV[1]};
}elsif ($ARGV[0] eq "query") {
print "$output{device}:$output{$ARGV[1]}\n";
}
}
}

close(DF);

if ($ARGV[0] eq "num_indexes") {
print "$count\n";
}


Can anyone help

SG

[phalek]

Check the "SetGUID" part from here:

https://www.urban-software.com/cacti-ho ... ne-poller/

There's also some new perl scripts which you can download. As usual, whatever you do, make a backup first.

[SpeedyGonzales]

Thanks phalek

instructions followed and new files uploaded

worked like a charm

all unix graphs now working

[SpeedyGonzales]

Hi again

does this affect ICMP ping in any way?

I now have 2 devices that were working fine but now it shows the devices as down although in the device settings it is getting a timed response from the ICMP ping

[phalek]

Can you post the code for the ping script ( place it in between code tags ) ?

[SpeedyGonzales]

It's the script I have just uploaded to fix the other unix graphs

#!/usr/bin/perl

# take care for tcp:hostname or TCP:ip@
$host = $ARGV[0];
$host =~ s/tcp:/$1/gis;

# old linux version use "icmp_seq"
# newer use "icmp_req" instead
open(PROCESS, "ping -c 1 $host | grep 'icmp_[s|r]eq' | grep time |");
#open(PROCESS, "ping -c 1 $host | grep icmp_req | grep time ");

$ping = <PROCESS>;
close(PROCESS);
$ping =~ m/(.*time=)(.*) (ms|usec)/;

if ($2 == "") {
print "U"; # avoid cacti errors, but do not fake rrdtool stats
}elsif ($3 eq "usec") {
print $2/1000; # re-calculate in units of "ms"
}else{
print $2;
}

[phalek]

Can you check if these commands return anything ( and post it here) :

Code: Select all

 ping -c 1 127.0.0.1 | grep 'icmp_[s|r]eq' | grep time

and from within the scripts directory:

Code: Select all

perl ping.pl 127.0.0.1

[SpeedyGonzales]

64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms

and

0.0.28

[phalek]

Are you sure it is 0.0.28 instead of 0.028 ?

[SpeedyGonzales]

sorry, yes

0.028

[netniV]

ICMP pings require that you have root privileges to create socket-level packets I believe. This is why spine is normally set using SetUID as root and then downgrades itself.

[SpeedyGonzales]

it is

-rwxr-xr-x 1 root root 548 Apr 20 13:21 ping.pl

[netniV]

No, that looks like the root is owner, but I don't see the setuid bit.

Code: Select all

-rwsr-sr-x 1 root root 423864 Dec  7 14:38 /usr/local/spine/bin/spine

See the difference? Yours are executable, but unless the user is root when running the script, they won't have root privileges.

[SpeedyGonzales]

It is set the same as the others and they work

-rwxr-xr-x 1 root root 256 Jul 20 2015 diskfree.pl
-rwxr-xr-x 1 root root 92 Jul 20 2015 diskfree.sh
-rwxr-xr-x 1 root root 174 Jul 20 2015 linux_memory.pl
-rwxr-xr-x 1 root root 336 Apr 20 13:22 loadavg_multi.pl
-rwxr-xr-x 1 root root 401 Jul 20 2015 loadavg.pl
-rwxr-xr-x 1 root root 548 Apr 20 13:21 ping.pl

AND

"Can you check if these commands return anything ( and post it here) :
Code:
ping -c 1 127.0.0.1 | grep 'icmp_[s|r]eq' | grep time"

64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.023 ms

"and from within the scripts directory:
Code:
perl ping.pl 127.0.0.1"

0.028

It seems to work fine but cacti is showing the devices with ICMP ping only as down on the monitor page

[tertius]

On a reasonably modern Linux system, it's not required to set the suid bit of any of the perl scripts, because the icmp stuff is done by calling programs like ping from the scripts. And ping has been given the capability to use icmp:

Code: Select all

$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep

At least on my systems, redhat-based, the privilege to use raw sockets is given to ping not by suid, but by giving it the capability cap_net_raw. This is not visible in the file system by using ls, so many admins may not be aware of it. But if you just install from the distribution repositories, don't tamper with the system and just use it, it just works.