git.lirion.de

Of git, get, and gud

summaryrefslogtreecommitdiffstats
path: root/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs
blob: fa4df1c8ead432eab65ca7250dfa0411bb00b8df (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
#!/bin/sh

# ########################################################################
# This program is part of $PROJECT_NAME$
# License: GPL License (see COPYING)
# Authors:
#  Baron Schwartz
# ########################################################################

# ########################################################################
# Redirect STDERR to STDOUT; Nagios doesn't handle STDERR.
# ########################################################################
exec 2>&1

# ########################################################################
# Set up constants, etc.
# ########################################################################
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# ########################################################################
# Run the program.
# ########################################################################
main() {
   # Get options
   for o; do
      case "${o}" in
         -c)              shift; OPT_CRIT="${1}"; shift; ;;
         --defaults-file) shift; OPT_DEFT="${1}"; shift; ;;
         -g)              shift; OPT_UNIX_GROUP="${1}"; shift; ;;
         -H)              shift; OPT_HOST="${1}"; shift; ;;
         -l)              shift; OPT_USER="${1}"; shift; ;;
         -L)              shift; OPT_LOPA="${1}"; shift; ;;
         -p)              shift; OPT_PASS="${1}"; shift; ;;
         -P)              shift; OPT_PORT="${1}"; shift; ;;
         -S)              shift; OPT_SOCK="${1}"; shift; ;;
         -u)              shift; OPT_UNIX_USER="${1}"; shift; ;;
         -w)              shift; OPT_WARN="${1}"; shift; ;;
         --version)       grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;;
         --help)          perl -00 -ne 'm/^  Usage:/ && print' "$0"; exit 0 ;;
         -*)              echo "Unknown option ${o}.  Try --help."; exit 1; ;;
      esac
   done
   OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}"
   OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}"
   if [ -e '/etc/nagios/mysql.cnf' ]; then
      OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}"
   fi
   if is_not_sourced; then
      if [ -n "$1" ]; then
         echo "WARN spurious command-line options: $ _æ_ "
         exit 1
      fi
   fi

   # Set the exit status in case there are any problems.
   NOTE="UNK could not determine the datadir location."

   # Set up files to hold one or more data directory locations.
   local TEMP=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
   local DATADIRS=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
   trap "rm -f '${TEMP}' '${DATADIRS}' >/dev/null 2>&1" EXIT

   # If any connection option was given, then try to log in to find the datadir.
   if [ "${OPT_DEFT}${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then
      # If this fails (e.g. we can't log in), then there will be no line in the
      # file, and later we won't change the exit code / note away from "UNK".
      mysql_exec "SELECT IF( _æ_  _æ_ datadir LIKE '/%',  _æ_  _æ_ datadir, CONCAT( _æ_  _æ_ basedir,  _æ_  _æ_ datadir))" >> "${DATADIRS}"
   else
      # Find all MySQL server instances.
      for pid in $(_pidof mysqld); do
         ps -p ${pid} -o pid,command | grep "${pid}" >> "${TEMP}"
      done
      # The ${TEMP} file may now contain lines like the following sample:
      # 13822     /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \
      #           --basedir=/usr --datadir=/var/lib/mysql/data/ \
      #           --pid-file=/var/run/mysqld/mysqld.pid \
      #           --socket=/var/run/mysqld/mysqld.sock
      # Now the task is to read find any reference to a --datadir option.
      # We store these into the $DATADIRS temp file.
      # TODO: maybe in the future we can detect the user/group under which the
      # process runs, and assume that is the right value, rather than defaulting
      # to 'mysql'.
      while read pid command; do
         if echo "${command}" | grep datadir >/dev/null 2>&1; then
            # Strip off everything up to and including --datadir=
            command="${command##*--datadir=}"
            # Strip off any options that follow this, assuming that there's not
            # a space followed by a dash in the datadir's path.
            echo "${command%% -*}" >> "${DATADIRS}"
         fi
      done < "${TEMP}"
   fi

   WRONG=""
   NOTE2=""
   > ${TEMP}
   while read datadir; do
      FILES="$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}" 2>>${TEMP})"
      if [ "${FILES}" ]; then
         WRONG=1
         NOTE2="${NOTE2:+${NOTE2} }${FILES}"
      fi
      NOTE="OK all files/directories have correct ownership."
   done < "${DATADIRS}"

   if [ -s "${TEMP}" ]; then
      NOTE="UNK `cat ${TEMP}`"
   elif [ "${WRONG}" ]; then
      if [ "${OPT_CRIT}" ]; then
         NOTE="CRIT files with wrong ownership: ${NOTE2}"
      else
         NOTE="WARN files with wrong ownership: ${NOTE2}"
      fi
   fi

   echo $NOTE
}

# ########################################################################
# Execute a MySQL command.
# ########################################################################
mysql_exec() {
   mysql ${OPT_DEFT:+--defaults-file="${OPT_DEFT}"} \
      ${OPT_LOPA:+--login-path="${OPT_LOPA}"} \
      ${OPT_HOST:+-h"${OPT_HOST}"} ${OPT_PORT:+-P"${OPT_PORT}"} \
      ${OPT_USER:+-u"${OPT_USER}"} ${OPT_PASS:+-p"${OPT_PASS}"} \
      ${OPT_SOCK:+-S"${OPT_SOCK}"} -ss -e "$1"
}

# ########################################################################
# A wrapper around pidof, which might not exist. The first argument is the
# command name to match.
# ########################################################################
_pidof() {
   if ! pidof "${1}" 2>/dev/null; then
      ps axo pid,ucomm | awk -v comm="${1}" '$2 == comm { print $1 }'
   fi
}

# ########################################################################
# Determine whether this program is being executed directly, or sourced/included
# from another file.
# ########################################################################
is_not_sourced() {
   [ "${0##*/}" = "pmp-check-mysql-file-privs" ] || [ "${0##*/}" = "bash" -a "$_" = "$0" ]
}

# ########################################################################
# Execute the program if it was not included from another file.
# This makes it possible to include without executing, and thus test.
# ########################################################################
if is_not_sourced; then
   OUTPUT=$(main "$ _æ_ ")
   EXITSTATUS=$STATE_UNKNOWN
   case "${OUTPUT}" in
      UNK*)  EXITSTATUS=$STATE_UNKNOWN;  ;;
      OK*)   EXITSTATUS=$STATE_OK;       ;;
      WARN*) EXITSTATUS=$STATE_WARNING;  ;;
      CRIT*) EXITSTATUS=$STATE_CRITICAL; ;;
   esac
   echo "${OUTPUT}"
   exit $EXITSTATUS
fi

# ############################################################################
# Documentation
# ############################################################################
: <<'DOCUMENTATION'
=pod

=head1 NAME

pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong.

=head1 SYNOPSIS

  Usage: pmp-check-mysql-file-privs [OPTIONS]
  Options:
    -c CRIT         Critical threshold; makes a privilege issue critical.
    --defaults-file FILE Only read mysql options from the given file.
                    Defaults to /etc/nagios/mysql.cnf if it exists.
    -g GROUP        The Unix group who should own the files; default mysql.
    -H HOST         MySQL hostname.
    -l USER         MySQL username.
    -L LOGIN-PATH   Use login-path to access MySQL (with MySQL client 5.6).
    -p PASS         MySQL password.
    -P PORT         MySQL port.
    -S SOCKET       MySQL socket file.
    -u USER         The Unix user who should own the files; default mysql.
    -w WARN         Warning threshold; ignored.
    --help          Print help and exit.
    --version       Print version and exit.
  Options must be given as --option value, not --option=value or -Ovalue.
  Use perldoc to read embedded documentation with more details.

=head1 DESCRIPTION

This Nagios plugin checks to make sure that the MySQL data directory, and its
contents, is owned by the correct Unix user and group. If the ownership is
incorrect, then the server might fail due to lack of permission to modify its
data.  For example, suppose a system administrator enters a database directory
and creates a file that is owned by root.  Now a database administrator issues a
DROP TABLE command, which fails because it is unable to remove the file and thus
the non-empty directory cannot be removed either.

The plugin accepts the -g and -u options to specify which Unix user and group
should own the data directory and its contents. This is usually the user account
under which MySQL runs, which is mysql by default on most systems.  The plugin
assumes that user and group by default, too.

The plugin accepts the -w and -c options for compatibility with standard Nagios
plugin conventions, but they are not based on a threshold. Instead, the plugin
raises a warning by default, and if the -c option is given, it raises an error
instead, regardless of the option's value.

By default, this plugin will attempt to detect all running instances of MySQL,
and verify the data directory ownership for each one.  It does this purely by
examining the Unix process table with the C tool.  However, in some cases
the process's command line does not list the path to the data directory.  If the
tool fails to detect the MySQL server process, or if you wish to limit the check
to a single instance in the event that there are multiple instances on a single
server, then you can specify MySQL authentication options.  This will cause the
plugin to skip examining the Unix processlist, log into MySQL, and examine the
datadir variable from SHOW VARIABLES to find the location of the data directory.

In case an user you are calling this plugin from has no permissions to examine
the datadir the plugin raises an unknown with the explanation.

=head1 PRIVILEGES

This plugin executes the following commands against MySQL:

=over

=item *

C