#!/bin/sh
# ########################################################################
# This program is part of $PROJECT_NAME$
# License: GPL License (see COPYING)
# Authors:
# Baron Schwartz
# ########################################################################
# ########################################################################
# Redirect STDERR to STDOUT; Nagios doesn't handle STDERR.
# ########################################################################
exec 2>&1  # every later command inherits the merged descriptors
# ########################################################################
# Set up constants, etc.
# ########################################################################
# Nagios plugin exit codes. The first word of main's output (OK/WARN/CRIT/UNK)
# is mapped onto these at the bottom of the file.
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4  # defined for completeness; this plugin never returns it
# ########################################################################
# Run the program.
# ########################################################################
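#######################################
# Locate each MySQL datadir and check that everything under it is owned by
# the expected Unix user and group.
# Globals:   OPT_* (written from the command line), NOTE/NOTE2/WRONG (written)
# Arguments: the plugin's command line, as "--option value" pairs
# Outputs:   one status line on stdout, prefixed OK / WARN / CRIT / UNK
# Returns:   0 normally; exits 1 on a usage error
#######################################
main() {
  # Parse options. The for loop walks a snapshot of the original argument
  # list while the shifts consume "-x VALUE" pairs from the live positional
  # parameters, so option values reappear as ${o} but never match a "-*" arm.
  # Options must therefore be given as "--option value", never "--option=value".
  for o; do
    case "${o}" in
      -c) shift; OPT_CRIT="${1}"; shift ;;
      --defaults-file) shift; OPT_DEFT="${1}"; shift ;;
      -g) shift; OPT_UNIX_GROUP="${1}"; shift ;;
      -H) shift; OPT_HOST="${1}"; shift ;;
      -l) shift; OPT_USER="${1}"; shift ;;
      -L) shift; OPT_LOPA="${1}"; shift ;;
      -p) shift; OPT_PASS="${1}"; shift ;;
      -P) shift; OPT_PORT="${1}"; shift ;;
      -S) shift; OPT_SOCK="${1}"; shift ;;
      -u) shift; OPT_UNIX_USER="${1}"; shift ;;
      -w) shift; OPT_WARN="${1}"; shift ;;
      --version) grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;;
      --help) perl -00 -ne 'm/^ Usage:/ && print' "$0"; exit 0 ;;
      -*) echo "Unknown option ${o}. Try --help."; exit 1 ;;
    esac
  done
  OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}"
  OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}"
  # Fall back to the shared Nagios credentials file when it exists. Note that
  # this also makes the "connection option given" test below always true.
  if [ -e '/etc/nagios/mysql.cnf' ]; then
    OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}"
  fi
  if is_not_sourced; then
    if [ -n "$1" ]; then
      echo "WARN spurious command-line options: $*"
      exit 1
    fi
  fi
  # Default status in case no datadir can be found at all.
  NOTE="UNK could not determine the datadir location."
  # Scratch files: one for ps output / find errors, one for datadir paths.
  # Declaration and assignment are split so a mktemp failure is not masked
  # by the (always zero) exit status of 'local'. The trap is installed as
  # soon as the first file exists so a second mktemp failure cannot leak it.
  local TEMP DATADIRS
  TEMP=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
  trap "rm -f '${TEMP}' >/dev/null 2>&1" EXIT
  DATADIRS=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
  trap "rm -f '${TEMP}' '${DATADIRS}' >/dev/null 2>&1" EXIT
  # If any connection option was given (including -L login-path, which the
  # original test omitted), log in and ask the server for its datadir.
  if [ "${OPT_DEFT}${OPT_LOPA}${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then
    # If the login fails nothing is written, the loop below never runs, and
    # NOTE keeps its "UNK" value.
    mysql_exec "SELECT IF(@@datadir LIKE '/%', @@datadir, CONCAT(@@basedir, @@datadir))" >> "${DATADIRS}"
  else
    # Otherwise inspect the process table. _pidof output is word-split on
    # purpose: one pid per word.
    for pid in $(_pidof mysqld); do
      # Keep only the line for this pid, which also drops the ps header.
      ps -p "${pid}" -o pid,command | grep "^ *${pid} " >> "${TEMP}"
    done
    # ${TEMP} now holds lines such as:
    #   13822 /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \
    #     --basedir=/usr --datadir=/var/lib/mysql/data/ \
    #     --pid-file=/var/run/mysqld/mysqld.pid \
    #     --socket=/var/run/mysqld/mysqld.sock
    # Extract the --datadir= value of each one into ${DATADIRS}.
    # TODO: maybe in the future we can detect the user/group under which the
    # process runs, and assume that is the right value, rather than defaulting
    # to 'mysql'.
    while read -r pid command; do
      case "${command}" in
        *--datadir=*)
          # Strip everything up to and including --datadir=, then any options
          # that follow, assuming the path contains no " -" sequence.
          command="${command##*--datadir=}"
          echo "${command%% -*}" >> "${DATADIRS}"
          ;;
      esac
    done < "${TEMP}"
  fi
  WRONG=""
  NOTE2=""
  # Reuse ${TEMP} to collect find's error output (e.g. permission denied).
  : > "${TEMP}"
  while IFS= read -r datadir; do
    [ -n "${datadir}" ] || continue
    FILES="$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}" 2>>"${TEMP}")"
    if [ "${FILES}" ]; then
      WRONG=1
      NOTE2="${NOTE2:+${NOTE2} }${FILES}"
    fi
    NOTE="OK all files/directories have correct ownership."
  done < "${DATADIRS}"
  if [ -s "${TEMP}" ]; then
    # find could not read something: report UNK with its diagnostics.
    NOTE="UNK $(cat "${TEMP}")"
  elif [ "${WRONG}" ]; then
    # -c only selects the severity; its value is not a threshold.
    if [ "${OPT_CRIT}" ]; then
      NOTE="CRIT files with wrong ownership: ${NOTE2}"
    else
      NOTE="WARN files with wrong ownership: ${NOTE2}"
    fi
  fi
  # Collapse the (possibly multi-line) message onto one line, as the unquoted
  # echo used to, but without pathname expansion of file names containing '*'.
  printf '%s\n' "$(printf '%s' "${NOTE}" | tr -s '[:space:]' ' ')"
}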
# ########################################################################
# Execute a MySQL command.
# ########################################################################
#######################################
# Run one SQL statement through the mysql client in silent, batch mode.
# Globals:   OPT_DEFT, OPT_LOPA, OPT_HOST, OPT_PORT, OPT_USER, OPT_PASS,
#            OPT_SOCK (read; each is passed only when non-empty)
# Arguments: $1 - the SQL statement
# Outputs:   the client's output on stdout
# Returns:   the mysql client's exit status
#######################################
mysql_exec() {
  # Build the argument list by prepending in reverse, so the final order is
  # --defaults-file, --login-path, -h, -P, -u, -p, -S, -ss, -e STATEMENT.
  set -- -ss -e "$1"
  [ -n "${OPT_SOCK:-}" ] && set -- -S"${OPT_SOCK}" "$@"
  # Caveat: -p places the password on the command line, where the process
  # table can show it; --defaults-file or -L login-path avoid that.
  [ -n "${OPT_PASS:-}" ] && set -- -p"${OPT_PASS}" "$@"
  [ -n "${OPT_USER:-}" ] && set -- -u"${OPT_USER}" "$@"
  [ -n "${OPT_PORT:-}" ] && set -- -P"${OPT_PORT}" "$@"
  [ -n "${OPT_HOST:-}" ] && set -- -h"${OPT_HOST}" "$@"
  [ -n "${OPT_LOPA:-}" ] && set -- --login-path="${OPT_LOPA}" "$@"
  [ -n "${OPT_DEFT:-}" ] && set -- --defaults-file="${OPT_DEFT}" "$@"
  mysql "$@"
}
# ########################################################################
# A wrapper around pidof, which might not exist. The first argument is the
# command name to match.
# ########################################################################
#######################################
# Print the pids of every process whose command name is $1.
# Arguments: $1 - command name to match (e.g. mysqld)
# Outputs:   pids on stdout, from pidof(8) when it succeeds, otherwise one
#            per line from a ps(1) scan
# Returns:   0 when pidof succeeded, else the status of the ps|awk pipeline
#######################################
_pidof() {
  # pidof may be missing (2>/dev/null hides "command not found") or may exit
  # non-zero; either way fall back to an exact match on the ps command column.
  pidof "${1}" 2>/dev/null \
    || ps axo pid,ucomm | awk -v comm="${1}" '$2 == comm { print $1 }'
}
# ########################################################################
# Determine whether this program is being executed directly, or sourced/included
# from another file.
# ########################################################################
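#######################################
# Decide whether this file is being executed directly rather than sourced.
# Returns:   0 when $0 is the plugin's own name, or when the shell is "bash"
#            and $_ equals $0; 1 otherwise
#######################################
is_not_sourced() {
  # The obsolescent "-a" inside [ ] is replaced by two tests joined with &&.
  # NOTE(review): $_ is shell-specific (bash sets it to the previous command's
  # last argument, other sh implementations may not set it at all), so the
  # second branch may never be true in practice — confirm before relying on it.
  [ "${0##*/}" = "pmp-check-mysql-file-privs" ] \
    || { [ "${0##*/}" = "bash" ] && [ "$_" = "$0" ]; }
}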
# ########################################################################
# Execute the program if it was not included from another file.
# This makes it possible to include without executing, and thus test.
# ########################################################################
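# Run main only when executed directly; the file can then be sourced for
# testing without side effects. main runs in a command substitution, so an
# "exit" inside it only ends that subshell; whatever it printed is still
# mapped onto a Nagios exit code here (an unrecognised prefix yields UNKNOWN).
if is_not_sourced; then
  OUTPUT=$(main "$@")
  EXITSTATUS=$STATE_UNKNOWN
  case "${OUTPUT}" in
    UNK*) EXITSTATUS=$STATE_UNKNOWN ;;
    OK*) EXITSTATUS=$STATE_OK ;;
    WARN*) EXITSTATUS=$STATE_WARNING ;;
    CRIT*) EXITSTATUS=$STATE_CRITICAL ;;
  esac
  echo "${OUTPUT}"
  exit "${EXITSTATUS}"
fi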
# ############################################################################
# Documentation
# ############################################################################
: <<'DOCUMENTATION'
=pod
=head1 NAME
pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong.
=head1 SYNOPSIS
Usage: pmp-check-mysql-file-privs [OPTIONS]
Options:
-c CRIT Critical threshold; makes a privilege issue critical.
--defaults-file FILE Only read mysql options from the given file.
Defaults to /etc/nagios/mysql.cnf if it exists.
-g GROUP The Unix group who should own the files; default mysql.
-H HOST MySQL hostname.
-l USER MySQL username.
-L LOGIN-PATH Use login-path to access MySQL (with MySQL client 5.6).
-p PASS MySQL password.
-P PORT MySQL port.
-S SOCKET MySQL socket file.
-u USER The Unix user who should own the files; default mysql.
-w WARN Warning threshold; ignored.
--help Print help and exit.
--version Print version and exit.
Options must be given as --option value, not --option=value or -Ovalue.
Use perldoc to read embedded documentation with more details.
=head1 DESCRIPTION
This Nagios plugin checks to make sure that the MySQL data directory, and its
contents, is owned by the correct Unix user and group. If the ownership is
incorrect, then the server might fail due to lack of permission to modify its
data. For example, suppose a system administrator enters a database directory
and creates a file that is owned by root. Now a database administrator issues a
DROP TABLE command, which fails because it is unable to remove the file and thus
the non-empty directory cannot be removed either.
The plugin accepts the -g and -u options to specify which Unix user and group
should own the data directory and its contents. This is usually the user account
under which MySQL runs, which is mysql by default on most systems. The plugin
assumes that user and group by default, too.
The plugin accepts the -w and -c options for compatibility with standard Nagios
plugin conventions, but they are not based on a threshold. Instead, the plugin
raises a warning by default, and if the -c option is given, it raises an error
instead, regardless of the option's value.
By default, this plugin will attempt to detect all running instances of MySQL,
and verify the data directory ownership for each one. It does this purely by
examining the Unix process table with the C<ps> tool. However, in some cases
the process's command line does not list the path to the data directory. If the
tool fails to detect the MySQL server process, or if you wish to limit the check
to a single instance in the event that there are multiple instances on a single
server, then you can specify MySQL authentication options. This will cause the
plugin to skip examining the Unix processlist, log into MySQL, and examine the
datadir variable from SHOW VARIABLES to find the location of the data directory.
If the user running this plugin does not have permission to examine the
datadir, the plugin raises an unknown status with an explanation.
=head1 PRIVILEGES
This plugin executes the following commands against MySQL:
=over
=item *
C