RFE: Nonprivileged Postgresql Status Checks

This is really a follow-on to Bug #636. That bug solved a long-standing mystery for me. As described there, every five minutes, there is an su session logged by syslog, as follows:

Feb 1 1:00:00 Host1 su(pam_unix)[12345]: session opened for user postgres by (uid=0)
Feb 1 1:00:00 Host1 su(pam_unix)[12345]: session closed for user postgres

These messages give no information as to which process is calling su, so it didn't occur to us that Webmin was responsible. At first glance, it appears as a possible security threat (break-in attempt, etc.). Disabling postgresql doesn't prevent the su messages either. In order to do that, the server administrator would have to turn off the Postgresql status monitor in Webmin, which must have been enabled automatically by the Virtualmin installation. (We did not set it up manually and didn't realize it was there.)

So, on to the request. It seems that other monitoring systems are able to check on Postgresql without requiring root access and su to this user account, and it would be great if Webmin could use similar methods. For example, see the very popular Nagios (formerly NetSaint) plugin, called check_pgsql. Documentation is available here:


The current home page for Nagios Plugins is here:

The SourceForge page is here:

Here is some info from the plugin help text, which indicates that it does not require privileged access:

This plugin tests a PostgreSQL DBMS to determine whether it is active and accepting queries. In its current operation, it simply connects to the specified database, and then disconnects. If no database is specified, it connects to the template1 database, which is present in every functioning PostgreSQL DBMS.

The plugin will connect to a local postmaster if no host is specified. To connect to a remote host, be sure that the remote postmaster accepts TCP/IP connections (start the postmaster with the -i option).

Typically, the nagios user (unless the --logname option is used) should be able to connect to the database without a password. The plugin can also send a password, but no effort is made to obsure or encrypt the password.

Closed (fixed)