samba: properly check if it is allowed to run smbstatus with su… (#7655)

* samba: use `sudo -n -l COMMAND` instead of `sudo -v` to check whether we allowed to run the COMMAND

* ExecutableService: log executable command

2 files changed, 20 insertions, 12 deletions

diff --git a/collectors/python.d.plugin/python_modules/bases/FrameworkServices/ExecutableService.py b/collectors/python.d.plugin/python_modules/bases/FrameworkServices/ExecutableService.py
index f63cb7c2f9..dea50eea0d 100644
--- a/collectors/python.d.plugin/python_modules/bases/FrameworkServices/ExecutableService.py
+++ b/collectors/python.d.plugin/python_modules/bases/FrameworkServices/ExecutableService.py
@@ -22,12 +22,14 @@ class ExecutableService(SimpleService):
         Get raw data from executed command
         :return: <list>
         """
+        command = command or self.command
+        self.debug("Executing command '{0}'".format(' '.join(command)))
         try:
-            p = Popen(command if command else self.command, stdout=PIPE, stderr=PIPE)
+            p = Popen(command, stdout=PIPE, stderr=PIPE)
         except Exception as error:
-            self.error('Executing command {command} resulted in error: {error}'.format(command=command or self.command,
-                                                                                       error=error))
+            self.error('Executing command {0} resulted in error: {1}'.format(command, error))
             return None
+
         data = list()
         std = p.stderr if stderr else p.stdout
         for line in std:
diff --git a/collectors/python.d.plugin/samba/samba.chart.py b/collectors/python.d.plugin/samba/samba.chart.py
index ac89c29b00..542cfc6fc6 100644
--- a/collectors/python.d.plugin/samba/samba.chart.py
+++ b/collectors/python.d.plugin/samba/samba.chart.py
@@ -21,7 +21,6 @@ import re
 from bases.collection import find_binary
 from bases.FrameworkServices.ExecutableService import ExecutableService
 
-
 disabled_by_default = True
 
 update_every = 5
@@ -96,6 +95,9 @@ CHARTS = {
     }
 }
 
+SUDO = 'sudo'
+SMBSTATUS = 'smbstatus'
+
 
 class Service(ExecutableService):
     def __init__(self, configuration=None, name=None):
@@ -105,20 +107,24 @@ class Service(ExecutableService):
         self.rgx_smb2 = re.compile(r'(smb2_[^:]+|syscall_.*file_bytes):\s+(\d+)')
 
     def check(self):
-        sudo_binary, smbstatus_binary = find_binary('sudo'), find_binary('smbstatus')
+        sudo_binary = find_binary(SUDO)
+        if not sudo_binary:
+            self.error("can't locate '{0}' binary".format(SUDO))
+            return False
 
-        if not (sudo_binary and smbstatus_binary):
-            self.error("Can\'t locate 'sudo' or 'smbstatus' binary")
+        smbstatus_binary = find_binary(SMBSTATUS)
+        if not smbstatus_binary:
+            self.error("can't locate '{0}' binary".format(SMBSTATUS))
             return False
 
-        self.command = [sudo_binary, '-v']
-        err = self._get_raw_data(stderr=True)
-        if err:
-            self.error(''.join(err))
+        command = [sudo_binary, '-n', '-l', smbstatus_binary, '-P']
+        smbstatus = '{0} -P'.format(smbstatus_binary)
+        allowed = self._get_raw_data(command=command)
+        if not (allowed and allowed[0].strip() == smbstatus):
+            self.error("not allowed to run sudo for command '{0}'".format(smbstatus))
             return False
 
         self.command = ' '.join([sudo_binary, '-n', smbstatus_binary, '-P'])
-
         return ExecutableService.check(self)
 
     def _get_data(self):