From 1e2387474a449452b78520b9ad96a8b4b5e99722 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer <coding@lirion.de>
Date: Wed, 17 Apr 2019 19:07:19 +0200
Subject: initial commit of source fetch

---
 .../nagios/bin/pmp-check-mysql-file-privs          | 289 +++++++++++++++++++++
 1 file changed, 289 insertions(+)
 create mode 100755 nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs

(limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs')

diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs b/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs
new file mode 100755
index 0000000..fa4df1c
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs
@@ -0,0 +1,289 @@
+#!/bin/sh
+
+# ########################################################################
+# This program is part of $PROJECT_NAME$
+# License: GPL License (see COPYING)
+# Authors:
+#  Baron Schwartz
+# ########################################################################
+
+# ########################################################################
+# Redirect STDERR to STDOUT; Nagios doesn't handle STDERR.
+# ########################################################################
+exec 2>&1
+
+# ########################################################################
+# Set up constants, etc.
+# ########################################################################
+STATE_OK=0
+STATE_WARNING=1
+STATE_CRITICAL=2
+STATE_UNKNOWN=3
+STATE_DEPENDENT=4
+
+# ########################################################################
+# Run the program.
+# ########################################################################
+main() {
+   # Get options
+   for o; do
+      case "${o}" in
+         -c)              shift; OPT_CRIT="${1}"; shift; ;;
+         --defaults-file) shift; OPT_DEFT="${1}"; shift; ;;
+         -g)              shift; OPT_UNIX_GROUP="${1}"; shift; ;;
+         -H)              shift; OPT_HOST="${1}"; shift; ;;
+         -l)              shift; OPT_USER="${1}"; shift; ;;
+         -L)              shift; OPT_LOPA="${1}"; shift; ;;
+         -p)              shift; OPT_PASS="${1}"; shift; ;;
+         -P)              shift; OPT_PORT="${1}"; shift; ;;
+         -S)              shift; OPT_SOCK="${1}"; shift; ;;
+         -u)              shift; OPT_UNIX_USER="${1}"; shift; ;;
+         -w)              shift; OPT_WARN="${1}"; shift; ;;
+         --version)       grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;;
+         --help)          perl -00 -ne 'm/^  Usage:/ && print' "$0"; exit 0 ;;
+         -*)              echo "Unknown option ${o}.  Try --help."; exit 1; ;;
+      esac
+   done
+   OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}"
+   OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}"
+   if [ -e '/etc/nagios/mysql.cnf' ]; then
+      OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}"
+   fi
+   if is_not_sourced; then
+      if [ -n "$1" ]; then
+         echo "WARN spurious command-line options: $@"
+         exit 1
+      fi
+   fi
+
+   # Set the exit status in case there are any problems.
+   NOTE="UNK could not determine the datadir location."
+
+   # Set up files to hold one or more data directory locations.
+   local TEMP=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
+   local DATADIRS=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
+   trap "rm -f '${TEMP}' '${DATADIRS}' >/dev/null 2>&1" EXIT
+
+   # If any connection option was given, then try to log in to find the datadir.
+   if [ "${OPT_DEFT}${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then
+      # If this fails (e.g. we can't log in), then there will be no line in the
+      # file, and later we won't change the exit code / note away from "UNK".
+      mysql_exec "SELECT IF(@@datadir LIKE '/%', @@datadir, CONCAT(@@basedir, @@datadir))" >> "${DATADIRS}"
+   else
+      # Find all MySQL server instances.
+      for pid in $(_pidof mysqld); do
+         ps -p ${pid} -o pid,command | grep "${pid}" >> "${TEMP}"
+      done
+      # The ${TEMP} file may now contain lines like the following sample:
+      # 13822     /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \
+      #           --basedir=/usr --datadir=/var/lib/mysql/data/ \
+      #           --pid-file=/var/run/mysqld/mysqld.pid \
+      #           --socket=/var/run/mysqld/mysqld.sock
+      # Now the task is to read find any reference to a --datadir option.
+      # We store these into the $DATADIRS temp file.
+      # TODO: maybe in the future we can detect the user/group under which the
+      # process runs, and assume that is the right value, rather than defaulting
+      # to 'mysql'.
+      while read pid command; do
+         if echo "${command}" | grep datadir >/dev/null 2>&1; then
+            # Strip off everything up to and including --datadir=
+            command="${command##*--datadir=}"
+            # Strip off any options that follow this, assuming that there's not
+            # a space followed by a dash in the datadir's path.
+            echo "${command%% -*}" >> "${DATADIRS}"
+         fi
+      done < "${TEMP}"
+   fi
+
+   WRONG=""
+   NOTE2=""
+   > ${TEMP}
+   while read datadir; do
+      FILES="$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}" 2>>${TEMP})"
+      if [ "${FILES}" ]; then
+         WRONG=1
+         NOTE2="${NOTE2:+${NOTE2} }${FILES}"
+      fi
+      NOTE="OK all files/directories have correct ownership."
+   done < "${DATADIRS}"
+
+   if [ -s "${TEMP}" ]; then
+      NOTE="UNK `cat ${TEMP}`"
+   elif [ "${WRONG}" ]; then
+      if [ "${OPT_CRIT}" ]; then
+         NOTE="CRIT files with wrong ownership: ${NOTE2}"
+      else
+         NOTE="WARN files with wrong ownership: ${NOTE2}"
+      fi
+   fi
+
+   echo $NOTE
+}
+
+# ########################################################################
+# Execute a MySQL command.
+# ########################################################################
+mysql_exec() {
+   mysql ${OPT_DEFT:+--defaults-file="${OPT_DEFT}"} \
+      ${OPT_LOPA:+--login-path="${OPT_LOPA}"} \
+      ${OPT_HOST:+-h"${OPT_HOST}"} ${OPT_PORT:+-P"${OPT_PORT}"} \
+      ${OPT_USER:+-u"${OPT_USER}"} ${OPT_PASS:+-p"${OPT_PASS}"} \
+      ${OPT_SOCK:+-S"${OPT_SOCK}"} -ss -e "$1"
+}
+
+# ########################################################################
+# A wrapper around pidof, which might not exist. The first argument is the
+# command name to match.
+# ########################################################################
+_pidof() {
+   if ! pidof "${1}" 2>/dev/null; then
+      ps axo pid,ucomm | awk -v comm="${1}" '$2 == comm { print $1 }'
+   fi
+}
+
+# ########################################################################
+# Determine whether this program is being executed directly, or sourced/included
+# from another file.
+# ########################################################################
+is_not_sourced() {
+   [ "${0##*/}" = "pmp-check-mysql-file-privs" ] || [ "${0##*/}" = "bash" -a "$_" = "$0" ]
+}
+
+# ########################################################################
+# Execute the program if it was not included from another file.
+# This makes it possible to include without executing, and thus test.
+# ########################################################################
+if is_not_sourced; then
+   OUTPUT=$(main "$@")
+   EXITSTATUS=$STATE_UNKNOWN
+   case "${OUTPUT}" in
+      UNK*)  EXITSTATUS=$STATE_UNKNOWN;  ;;
+      OK*)   EXITSTATUS=$STATE_OK;       ;;
+      WARN*) EXITSTATUS=$STATE_WARNING;  ;;
+      CRIT*) EXITSTATUS=$STATE_CRITICAL; ;;
+   esac
+   echo "${OUTPUT}"
+   exit $EXITSTATUS
+fi
+
+# ############################################################################
+# Documentation
+# ############################################################################
+: <<'DOCUMENTATION'
+=pod
+
+=head1 NAME
+
+pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong.
+
+=head1 SYNOPSIS
+
+  Usage: pmp-check-mysql-file-privs [OPTIONS]
+  Options:
+    -c CRIT         Critical threshold; makes a privilege issue critical.
+    --defaults-file FILE Only read mysql options from the given file.
+                    Defaults to /etc/nagios/mysql.cnf if it exists.
+    -g GROUP        The Unix group who should own the files; default mysql.
+    -H HOST         MySQL hostname.
+    -l USER         MySQL username.
+    -L LOGIN-PATH   Use login-path to access MySQL (with MySQL client 5.6).
+    -p PASS         MySQL password.
+    -P PORT         MySQL port.
+    -S SOCKET       MySQL socket file.
+    -u USER         The Unix user who should own the files; default mysql.
+    -w WARN         Warning threshold; ignored.
+    --help          Print help and exit.
+    --version       Print version and exit.
+  Options must be given as --option value, not --option=value or -Ovalue.
+  Use perldoc to read embedded documentation with more details.
+
+=head1 DESCRIPTION
+
+This Nagios plugin checks to make sure that the MySQL data directory, and its
+contents, is owned by the correct Unix user and group. If the ownership is
+incorrect, then the server might fail due to lack of permission to modify its
+data.  For example, suppose a system administrator enters a database directory
+and creates a file that is owned by root.  Now a database administrator issues a
+DROP TABLE command, which fails because it is unable to remove the file and thus
+the non-empty directory cannot be removed either.
+
+The plugin accepts the -g and -u options to specify which Unix user and group
+should own the data directory and its contents. This is usually the user account
+under which MySQL runs, which is mysql by default on most systems.  The plugin
+assumes that user and group by default, too.
+
+The plugin accepts the -w and -c options for compatibility with standard Nagios
+plugin conventions, but they are not based on a threshold. Instead, the plugin
+raises a warning by default, and if the -c option is given, it raises an error
+instead, regardless of the option's value.
+
+By default, this plugin will attempt to detect all running instances of MySQL,
+and verify the data directory ownership for each one.  It does this purely by
+examining the Unix process table with the C<ps> tool.  However, in some cases
+the process's command line does not list the path to the data directory.  If the
+tool fails to detect the MySQL server process, or if you wish to limit the check
+to a single instance in the event that there are multiple instances on a single
+server, then you can specify MySQL authentication options.  This will cause the
+plugin to skip examining the Unix processlist, log into MySQL, and examine the
+datadir variable from SHOW VARIABLES to find the location of the data directory.
+
+In case an user you are calling this plugin from has no permissions to examine
+the datadir the plugin raises an unknown with the explanation.
+
+=head1 PRIVILEGES
+
+This plugin executes the following commands against MySQL:
+
+=over
+
+=item *
+
+C<SELECT> the MySQL system variables C<@@datadir> and C<@@basedir>.
+
+=back
+
+This plugin executes the following UNIX commands that may need special privileges:
+
+=over
+
+=item *
+
+ps
+
+=item *
+
+find C<datadir>
+
+=back
+
+The plugin should be able to either get variables from MySQL or find mysqld
+PID using C<ps> command.
+
+On BSD, if C<sysctl> option C<security.bsd.see_other_uids> is set to 0, C<ps>
+will not return mysqld PID if the plugin run from non-root user.
+
+Also an user you run the plugin from should be able to access MySQL datadir
+files, so you may want to add it into mysql unix group etc.
+
+=head1 COPYRIGHT, LICENSE, AND WARRANTY
+
+This program is copyright 2012-$CURRENT_YEAR$ Baron Schwartz, 2012-$CURRENT_YEAR$ Percona Inc.
+Feedback and improvements are welcome.
+
+THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free Software
+Foundation, version 2.  You should have received a copy of the GNU General
+Public License along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA.
+
+=head1 VERSION
+
+$PROJECT_NAME$ pmp-check-mysql-file-privs $VERSION$
+
+=cut
+
+DOCUMENTATION
-- 
cgit v1.2.3