#!/bin/sh

# ########################################################################
# This program is part of $PROJECT_NAME$
# License: GPL License (see COPYING)
# Authors:
#  Baron Schwartz
# ########################################################################

# ########################################################################
# Redirect STDERR to STDOUT; Nagios doesn't handle STDERR.
# ########################################################################
exec 2>&1

# ########################################################################
# Set up constants, etc.
# ########################################################################
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# ########################################################################
# Run the program.
# ########################################################################
main() {
   # Get options
   for o; do
      case "${o}" in
         -c)              shift; OPT_CRIT="${1}"; shift; ;;
         --defaults-file) shift; OPT_DEFT="${1}"; shift; ;;
         -g)              shift; OPT_UNIX_GROUP="${1}"; shift; ;;
         -H)              shift; OPT_HOST="${1}"; shift; ;;
         -l)              shift; OPT_USER="${1}"; shift; ;;
         -L)              shift; OPT_LOPA="${1}"; shift; ;;
         -p)              shift; OPT_PASS="${1}"; shift; ;;
         -P)              shift; OPT_PORT="${1}"; shift; ;;
         -S)              shift; OPT_SOCK="${1}"; shift; ;;
         -u)              shift; OPT_UNIX_USER="${1}"; shift; ;;
         -w)              shift; OPT_WARN="${1}"; shift; ;;
         --version)       grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;;
         --help)          perl -00 -ne 'm/^  Usage:/ && print' "$0"; exit 0 ;;
         -*)              echo "Unknown option ${o}.  Try --help."; exit 1; ;;
      esac
   done
   OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}"
   OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}"
   if [ -e '/etc/nagios/mysql.cnf' ]; then
      OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}"
   fi
   if is_not_sourced; then
      if [ -n "$1" ]; then
         echo "WARN spurious command-line options: $@"
         exit 1
      fi
   fi

   # Set the exit status in case there are any problems.
   NOTE="UNK could not determine the datadir location."

   # Set up files to hold one or more data directory locations.
   local TEMP=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
   local DATADIRS=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
   trap "rm -f '${TEMP}' '${DATADIRS}' >/dev/null 2>&1" EXIT

   # If any connection option was given, then try to log in to find the datadir.
   if [ "${OPT_DEFT}${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then
      # If this fails (e.g. we can't log in), then there will be no line in the
      # file, and later we won't change the exit code / note away from "UNK".
      mysql_exec "SELECT IF(@@datadir LIKE '/%', @@datadir, CONCAT(@@basedir, @@datadir))" >> "${DATADIRS}"
   else
      # Find all MySQL server instances.
      for pid in $(_pidof mysqld); do
         ps -p ${pid} -o pid,command | grep "${pid}" >> "${TEMP}"
      done
      # The ${TEMP} file may now contain lines like the following sample:
      # 13822     /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \
      #           --basedir=/usr --datadir=/var/lib/mysql/data/ \
      #           --pid-file=/var/run/mysqld/mysqld.pid \
      #           --socket=/var/run/mysqld/mysqld.sock
      # Now the task is to read find any reference to a --datadir option.
      # We store these into the $DATADIRS temp file.
      # TODO: maybe in the future we can detect the user/group under which the
      # process runs, and assume that is the right value, rather than defaulting
      # to 'mysql'.
      while read pid command; do
         if echo "${command}" | grep datadir >/dev/null 2>&1; then
            # Strip off everything up to and including --datadir=
            command="${command##*--datadir=}"
            # Strip off any options that follow this, assuming that there's not
            # a space followed by a dash in the datadir's path.
            echo "${command%% -*}" >> "${DATADIRS}"
         fi
      done < "${TEMP}"
   fi

   WRONG=""
   NOTE2=""
   > ${TEMP}
   while read datadir; do
      FILES="$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}" 2>>${TEMP})"
      if [ "${FILES}" ]; then
         WRONG=1
         NOTE2="${NOTE2:+${NOTE2} }${FILES}"
      fi
      NOTE="OK all files/directories have correct ownership."
   done < "${DATADIRS}"

   if [ -s "${TEMP}" ]; then
      NOTE="UNK `cat ${TEMP}`"
   elif [ "${WRONG}" ]; then
      if [ "${OPT_CRIT}" ]; then
         NOTE="CRIT files with wrong ownership: ${NOTE2}"
      else
         NOTE="WARN files with wrong ownership: ${NOTE2}"
      fi
   fi

   echo $NOTE
}

# ########################################################################
# Execute a MySQL command.
# ########################################################################
mysql_exec() {
   mysql ${OPT_DEFT:+--defaults-file="${OPT_DEFT}"} \
      ${OPT_LOPA:+--login-path="${OPT_LOPA}"} \
      ${OPT_HOST:+-h"${OPT_HOST}"} ${OPT_PORT:+-P"${OPT_PORT}"} \
      ${OPT_USER:+-u"${OPT_USER}"} ${OPT_PASS:+-p"${OPT_PASS}"} \
      ${OPT_SOCK:+-S"${OPT_SOCK}"} -ss -e "$1"
}

# ########################################################################
# A wrapper around pidof, which might not exist. The first argument is the
# command name to match.
# ########################################################################
_pidof() {
   if ! pidof "${1}" 2>/dev/null; then
      ps axo pid,ucomm | awk -v comm="${1}" '$2 == comm { print $1 }'
   fi
}

# ########################################################################
# Determine whether this program is being executed directly, or sourced/included
# from another file.
# ########################################################################
is_not_sourced() {
   [ "${0##*/}" = "pmp-check-mysql-file-privs" ] || [ "${0##*/}" = "bash" -a "$_" = "$0" ]
}

# ########################################################################
# Execute the program if it was not included from another file.
# This makes it possible to include without executing, and thus test.
# ########################################################################
if is_not_sourced; then
   OUTPUT=$(main "$@")
   EXITSTATUS=$STATE_UNKNOWN
   case "${OUTPUT}" in
      UNK*)  EXITSTATUS=$STATE_UNKNOWN;  ;;
      OK*)   EXITSTATUS=$STATE_OK;       ;;
      WARN*) EXITSTATUS=$STATE_WARNING;  ;;
      CRIT*) EXITSTATUS=$STATE_CRITICAL; ;;
   esac
   echo "${OUTPUT}"
   exit $EXITSTATUS
fi

# ############################################################################
# Documentation
# ############################################################################
: <<'DOCUMENTATION'
=pod

=head1 NAME

pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong.

=head1 SYNOPSIS

  Usage: pmp-check-mysql-file-privs [OPTIONS]
  Options:
    -c CRIT         Critical threshold; makes a privilege issue critical.
    --defaults-file FILE Only read mysql options from the given file.
                    Defaults to /etc/nagios/mysql.cnf if it exists.
    -g GROUP        The Unix group who should own the files; default mysql.
    -H HOST         MySQL hostname.
    -l USER         MySQL username.
    -L LOGIN-PATH   Use login-path to access MySQL (with MySQL client 5.6).
    -p PASS         MySQL password.
    -P PORT         MySQL port.
    -S SOCKET       MySQL socket file.
    -u USER         The Unix user who should own the files; default mysql.
    -w WARN         Warning threshold; ignored.
    --help          Print help and exit.
    --version       Print version and exit.
  Options must be given as --option value, not --option=value or -Ovalue.
  Use perldoc to read embedded documentation with more details.

=head1 DESCRIPTION

This Nagios plugin checks to make sure that the MySQL data directory, and its
contents, is owned by the correct Unix user and group. If the ownership is
incorrect, then the server might fail due to lack of permission to modify its
data.  For example, suppose a system administrator enters a database directory
and creates a file that is owned by root.  Now a database administrator issues a
DROP TABLE command, which fails because it is unable to remove the file and thus
the non-empty directory cannot be removed either.

The plugin accepts the -g and -u options to specify which Unix user and group
should own the data directory and its contents. This is usually the user account
under which MySQL runs, which is mysql by default on most systems.  The plugin
assumes that user and group by default, too.

The plugin accepts the -w and -c options for compatibility with standard Nagios
plugin conventions, but they are not based on a threshold. Instead, the plugin
raises a warning by default, and if the -c option is given, it raises an error
instead, regardless of the option's value.

By default, this plugin will attempt to detect all running instances of MySQL,
and verify the data directory ownership for each one.  It does this purely by
examining the Unix process table with the C<ps> tool.  However, in some cases
the process's command line does not list the path to the data directory.  If the
tool fails to detect the MySQL server process, or if you wish to limit the check
to a single instance in the event that there are multiple instances on a single
server, then you can specify MySQL authentication options.  This will cause the
plugin to skip examining the Unix processlist, log into MySQL, and examine the
datadir variable from SHOW VARIABLES to find the location of the data directory.

In case an user you are calling this plugin from has no permissions to examine
the datadir the plugin raises an unknown with the explanation.

=head1 PRIVILEGES

This plugin executes the following commands against MySQL:

=over

=item *

C<SELECT> the MySQL system variables C<@@datadir> and C<@@basedir>.

=back

This plugin executes the following UNIX commands that may need special privileges:

=over

=item *

ps

=item *

find C<datadir>

=back

The plugin should be able to either get variables from MySQL or find mysqld
PID using C<ps> command.

On BSD, if C<sysctl> option C<security.bsd.see_other_uids> is set to 0, C<ps>
will not return mysqld PID if the plugin run from non-root user.

Also an user you run the plugin from should be able to access MySQL datadir
files, so you may want to add it into mysql unix group etc.

=head1 COPYRIGHT, LICENSE, AND WARRANTY

This program is copyright 2012-$CURRENT_YEAR$ Baron Schwartz, 2012-$CURRENT_YEAR$ Percona Inc.
Feedback and improvements are welcome.

THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, version 2.  You should have received a copy of the GNU General
Public License along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA.

=head1 VERSION

$PROJECT_NAME$ pmp-check-mysql-file-privs $VERSION$

=cut

DOCUMENTATION