Using smartctl without sudo
I have an Ubuntu server (3.19.0-21-generic #21-Ubuntu SMP Sun Jun 14 18:31:11 UTC 2015 x86_64 Linux-3.19.0-21-generic-x86_64-with-Ubuntu-15.04-vivid). It has a 4-disk RAID-6 array. I keep an eye on the health of the disks by periodically interrogating each disk with this piece of Python-code:
t1 = time.time()
if ((t1 - self.lasttime) > (4.5*60)):
self.vars = commands.getoutput("sudo smartctl -A " + self.diskid + " |awk 'NR>4'").splitlines()
self.health = commands.getoutput("sudo smartctl -H " + self.diskid + " |awk 'NR>4'").splitlines()
self.selftest = commands.getoutput("sudo smartctl -l selftest " + self.diskid + " |grep '\# 1'")
self.lasttime = t1
where self.diskid is (obviously the disk-ID) e.g. /dev/sdc.
I use the output of these commands to track various disk parameters (e.g. temperature and state) and post-process the data for (graphing and textual states) reporting on a webpage.
I also like to keep an eye on the logs, but the above command spams journalctl with lots of stuff like this:
Jun 17 16:46:07 boson sudo[18429]: beheer : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -l selftest /dev/sdc
Jun 17 16:46:07 boson sudo[18429]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 17 16:46:07 boson sudo[18429]: pam_unix(sudo:session): session closed for user root
One of these for each smartctl command issued and that repeats for each disk.
This makes it hard to spot oddities when browsing through the logs. I know about the filtering capabilities of journalctl they are no real help. It also causes the logs to become unreasonably large, which I think is an issue.
So, to relieve journalctl I thought I might forego with the sudo. But, obviously smartctl requires root-permissions.
I added nobody ALL=NOPASSWD:/usr/sbin/smartctl to /etc/sudoers.
Then e.g. smartctl -H /dev/sdc seems to work but returns an error:
Smartctl open device: /dev/sdc failed: Permission denied
So, I added my administrator account to the disk group.
Now, smartctl -H /dev/sdc still seems to work but returns this message.
Probable ATA device behind a SAT layer
Try an additional '-d ata' or '-d sat' argument.
And that's where I'm kinda stuck.
For those wondering:
$ sudo smartctl -H /dev/sdc
smartctl 6.4 2014-10-07 r4002 [x86_64-linux-3.19.0-21-generic] (local build)
Copyright (C) 2002-14, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
So, using sudo gives the expected results.
smartmontools is installed:
$ dpkg -l smartmontools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===========================-==================-==================-===========================================================
ii smartmontools 6.3+svn4002-2 amd64 control and monitor storage systems using S.M.A.R.T.
$ systemctl list-units |grep smart
smartd.service loaded active running Self Monitoring and Reporting Technology (SMART) Daemon
Answer
- Restrict users who can run this this command. Something like this:
sudo chmod o-x /usr/sbin/smartctl && sudo chown :admin /usr/sbin/smartctl - Use
sudo chmod u+s /usr/sbin/smartctlto allow any who run this command - it will run with root permissions.
I suppose this should be run in the install script cause command smartctl is useless without root permissions and should be run only by admin group