git.lirion.de

Of git, get, and gud

summaryrefslogtreecommitdiffstats
path: root/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs
diff options
context:
space:
mode:
Diffstat (limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs')
-rwxr-xr-xnagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs289
1 files changed, 289 insertions, 0 deletions
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs b/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs
new file mode 100755
index 0000000..fa4df1c
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs
@@ -0,0 +1,289 @@
+#!/bin/sh
+
+# ########################################################################
+# This program is part of $PROJECT_NAME$
+# License: GPL License (see COPYING)
+# Authors:
+# Baron Schwartz
+# ########################################################################
+
+# ########################################################################
+# Redirect STDERR to STDOUT; Nagios doesn't handle STDERR.
+# ########################################################################
+exec 2>&1
+
+# ########################################################################
+# Set up constants, etc.
+# ########################################################################
+STATE_OK=0
+STATE_WARNING=1
+STATE_CRITICAL=2
+STATE_UNKNOWN=3
+STATE_DEPENDENT=4
+
+# ########################################################################
+# Run the program.
+# ########################################################################
+main() {
+ # Get options
+ for o; do
+ case "${o}" in
+ -c) shift; OPT_CRIT="${1}"; shift; ;;
+ --defaults-file) shift; OPT_DEFT="${1}"; shift; ;;
+ -g) shift; OPT_UNIX_GROUP="${1}"; shift; ;;
+ -H) shift; OPT_HOST="${1}"; shift; ;;
+ -l) shift; OPT_USER="${1}"; shift; ;;
+ -L) shift; OPT_LOPA="${1}"; shift; ;;
+ -p) shift; OPT_PASS="${1}"; shift; ;;
+ -P) shift; OPT_PORT="${1}"; shift; ;;
+ -S) shift; OPT_SOCK="${1}"; shift; ;;
+ -u) shift; OPT_UNIX_USER="${1}"; shift; ;;
+ -w) shift; OPT_WARN="${1}"; shift; ;;
+ --version) grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;;
+ --help) perl -00 -ne 'm/^ Usage:/ && print' "$0"; exit 0 ;;
+ -*) echo "Unknown option ${o}. Try --help."; exit 1; ;;
+ esac
+ done
+ OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}"
+ OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}"
+ if [ -e '/etc/nagios/mysql.cnf' ]; then
+ OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}"
+ fi
+ if is_not_sourced; then
+ if [ -n "$1" ]; then
+ echo "WARN spurious command-line options: $@"
+ exit 1
+ fi
+ fi
+
+ # Set the exit status in case there are any problems.
+ NOTE="UNK could not determine the datadir location."
+
+ # Set up files to hold one or more data directory locations.
+ local TEMP=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
+ local DATADIRS=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
+ trap "rm -f '${TEMP}' '${DATADIRS}' >/dev/null 2>&1" EXIT
+
+ # If any connection option was given, then try to log in to find the datadir.
+ if [ "${OPT_DEFT}${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then
+ # If this fails (e.g. we can't log in), then there will be no line in the
+ # file, and later we won't change the exit code / note away from "UNK".
+ mysql_exec "SELECT IF(@@datadir LIKE '/%', @@datadir, CONCAT(@@basedir, @@datadir))" >> "${DATADIRS}"
+ else
+ # Find all MySQL server instances.
+ for pid in $(_pidof mysqld); do
+ ps -p ${pid} -o pid,command | grep "${pid}" >> "${TEMP}"
+ done
+ # The ${TEMP} file may now contain lines like the following sample:
+ # 13822 /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \
+ # --basedir=/usr --datadir=/var/lib/mysql/data/ \
+ # --pid-file=/var/run/mysqld/mysqld.pid \
+ # --socket=/var/run/mysqld/mysqld.sock
+ # Now the task is to read find any reference to a --datadir option.
+ # We store these into the $DATADIRS temp file.
+ # TODO: maybe in the future we can detect the user/group under which the
+ # process runs, and assume that is the right value, rather than defaulting
+ # to 'mysql'.
+ while read pid command; do
+ if echo "${command}" | grep datadir >/dev/null 2>&1; then
+ # Strip off everything up to and including --datadir=
+ command="${command##*--datadir=}"
+ # Strip off any options that follow this, assuming that there's not
+ # a space followed by a dash in the datadir's path.
+ echo "${command%% -*}" >> "${DATADIRS}"
+ fi
+ done < "${TEMP}"
+ fi
+
+ WRONG=""
+ NOTE2=""
+ > ${TEMP}
+ while read datadir; do
+ FILES="$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}" 2>>${TEMP})"
+ if [ "${FILES}" ]; then
+ WRONG=1
+ NOTE2="${NOTE2:+${NOTE2} }${FILES}"
+ fi
+ NOTE="OK all files/directories have correct ownership."
+ done < "${DATADIRS}"
+
+ if [ -s "${TEMP}" ]; then
+ NOTE="UNK `cat ${TEMP}`"
+ elif [ "${WRONG}" ]; then
+ if [ "${OPT_CRIT}" ]; then
+ NOTE="CRIT files with wrong ownership: ${NOTE2}"
+ else
+ NOTE="WARN files with wrong ownership: ${NOTE2}"
+ fi
+ fi
+
+ echo $NOTE
+}
+
+# ########################################################################
+# Execute a MySQL command.
+# ########################################################################
+mysql_exec() {
+ mysql ${OPT_DEFT:+--defaults-file="${OPT_DEFT}"} \
+ ${OPT_LOPA:+--login-path="${OPT_LOPA}"} \
+ ${OPT_HOST:+-h"${OPT_HOST}"} ${OPT_PORT:+-P"${OPT_PORT}"} \
+ ${OPT_USER:+-u"${OPT_USER}"} ${OPT_PASS:+-p"${OPT_PASS}"} \
+ ${OPT_SOCK:+-S"${OPT_SOCK}"} -ss -e "$1"
+}
+
+# ########################################################################
+# A wrapper around pidof, which might not exist. The first argument is the
+# command name to match.
+# ########################################################################
+_pidof() {
+ if ! pidof "${1}" 2>/dev/null; then
+ ps axo pid,ucomm | awk -v comm="${1}" '$2 == comm { print $1 }'
+ fi
+}
+
+# ########################################################################
+# Determine whether this program is being executed directly, or sourced/included
+# from another file.
+# ########################################################################
+is_not_sourced() {
+ [ "${0##*/}" = "pmp-check-mysql-file-privs" ] || [ "${0##*/}" = "bash" -a "$_" = "$0" ]
+}
+
+# ########################################################################
+# Execute the program if it was not included from another file.
+# This makes it possible to include without executing, and thus test.
+# ########################################################################
+if is_not_sourced; then
+ OUTPUT=$(main "$@")
+ EXITSTATUS=$STATE_UNKNOWN
+ case "${OUTPUT}" in
+ UNK*) EXITSTATUS=$STATE_UNKNOWN; ;;
+ OK*) EXITSTATUS=$STATE_OK; ;;
+ WARN*) EXITSTATUS=$STATE_WARNING; ;;
+ CRIT*) EXITSTATUS=$STATE_CRITICAL; ;;
+ esac
+ echo "${OUTPUT}"
+ exit $EXITSTATUS
+fi
+
+# ############################################################################
+# Documentation
+# ############################################################################
+: <<'DOCUMENTATION'
+=pod
+
+=head1 NAME
+
+pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong.
+
+=head1 SYNOPSIS
+
+ Usage: pmp-check-mysql-file-privs [OPTIONS]
+ Options:
+ -c CRIT Critical threshold; makes a privilege issue critical.
+ --defaults-file FILE Only read mysql options from the given file.
+ Defaults to /etc/nagios/mysql.cnf if it exists.
+ -g GROUP The Unix group who should own the files; default mysql.
+ -H HOST MySQL hostname.
+ -l USER MySQL username.
+ -L LOGIN-PATH Use login-path to access MySQL (with MySQL client 5.6).
+ -p PASS MySQL password.
+ -P PORT MySQL port.
+ -S SOCKET MySQL socket file.
+ -u USER The Unix user who should own the files; default mysql.
+ -w WARN Warning threshold; ignored.
+ --help Print help and exit.
+ --version Print version and exit.
+ Options must be given as --option value, not --option=value or -Ovalue.
+ Use perldoc to read embedded documentation with more details.
+
+=head1 DESCRIPTION
+
+This Nagios plugin checks to make sure that the MySQL data directory, and its
+contents, is owned by the correct Unix user and group. If the ownership is
+incorrect, then the server might fail due to lack of permission to modify its
+data. For example, suppose a system administrator enters a database directory
+and creates a file that is owned by root. Now a database administrator issues a
+DROP TABLE command, which fails because it is unable to remove the file and thus
+the non-empty directory cannot be removed either.
+
+The plugin accepts the -g and -u options to specify which Unix user and group
+should own the data directory and its contents. This is usually the user account
+under which MySQL runs, which is mysql by default on most systems. The plugin
+assumes that user and group by default, too.
+
+The plugin accepts the -w and -c options for compatibility with standard Nagios
+plugin conventions, but they are not based on a threshold. Instead, the plugin
+raises a warning by default, and if the -c option is given, it raises an error
+instead, regardless of the option's value.
+
+By default, this plugin will attempt to detect all running instances of MySQL,
+and verify the data directory ownership for each one. It does this purely by
+examining the Unix process table with the C<ps> tool. However, in some cases
+the process's command line does not list the path to the data directory. If the
+tool fails to detect the MySQL server process, or if you wish to limit the check
+to a single instance in the event that there are multiple instances on a single
+server, then you can specify MySQL authentication options. This will cause the
+plugin to skip examining the Unix processlist, log into MySQL, and examine the
+datadir variable from SHOW VARIABLES to find the location of the data directory.
+
+In case an user you are calling this plugin from has no permissions to examine
+the datadir the plugin raises an unknown with the explanation.
+
+=head1 PRIVILEGES
+
+This plugin executes the following commands against MySQL:
+
+=over
+
+=item *
+
+C<SELECT> the MySQL system variables C<@@datadir> and C<@@basedir>.
+
+=back
+
+This plugin executes the following UNIX commands that may need special privileges:
+
+=over
+
+=item *
+
+ps
+
+=item *
+
+find C<datadir>
+
+=back
+
+The plugin should be able to either get variables from MySQL or find mysqld
+PID using C<ps> command.
+
+On BSD, if C<sysctl> option C<security.bsd.see_other_uids> is set to 0, C<ps>
+will not return mysqld PID if the plugin run from non-root user.
+
+Also an user you run the plugin from should be able to access MySQL datadir
+files, so you may want to add it into mysql unix group etc.
+
+=head1 COPYRIGHT, LICENSE, AND WARRANTY
+
+This program is copyright 2012-$CURRENT_YEAR$ Baron Schwartz, 2012-$CURRENT_YEAR$ Percona Inc.
+Feedback and improvements are welcome.
+
+THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free Software
+Foundation, version 2. You should have received a copy of the GNU General
+Public License along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+=head1 VERSION
+
+$PROJECT_NAME$ pmp-check-mysql-file-privs $VERSION$
+
+=cut
+
+DOCUMENTATION