Module: check_mk Branch: master Commit: dde6e566e3c12e1a79b4cc399d99235c056c59b3 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=dde6e566e3c12e… Author: Andreas Boesl &lt;ab(a)mathias-kettner.de&gt; Date: Fri May 30 11:44:03 2014 +0200 runas: new plugin script to include and execute mrpe, local and plugin scripts as different user With the new plugin <tt>runas</tt> you can configure additional include files and directories for mrpe, local and plugin scripts. You can also change the user context of each of these scripts. It allows non-root users to add additional scripts which might get executed with reduced permission. --- .werks/928 | 39 +++++++++++++++++++++++++++ ChangeLog | 3 ++- agents/plugins/mrpe_include | 4 +++ agents/plugins/runas | 61 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 106 insertions(+), 1 deletion(-) diff --git a/.werks/928 b/.werks/928 new file mode 100644 index 0000000..76d7e0f --- /dev/null +++ b/.werks/928 @@ -0,0 +1,39 @@ +Title: runas: new plugin script to include and execute mrpe, local and plugin scripts as different user +Level: 2 +Component: checks +Version: 1.2.5i3 +Date: 1401442173 +Class: feature + +With the new plugin <tt>runas</tt> you can configure additional include files and +directories for mrpe, local and plugin scripts. You can also change the user context +of each of these scripts. It allows non-root users to add additional scripts which might +get executed with reduced permission. + +This check is configured with the configuration file <tt>runas.cfg</tt>. +In a default installation this file is located within the Check_MK config directory under <tt>/etc/check_mk/runas.cfg</tt>. + +The <tt>runas.cfg</tt> configuration syntax is as follow +[Script type] [User context] [File / Directory ] + +The <tt>Script type</tt> can be set to <tt>mrpe</tt>, <tt>local</tt> and <tt>plugin</tt>. +The <tt>User context</tt> represents the user. If you do not want to change the context set this field to <tt>-</tt> +Depending on the script type the third value points to a file or directory. +The mrpe type requires a target file which contains the mrpe commands. +Local and plugins types require are target folder, which contains the executable local and plugin scripts.<br> + +Here is an example configuration: + +F+:/etc/check_mk/runas.cfg +mrpe ab /home/ab/mrpe_commands.cfg +mrpe lm /home/lm/mrpe_commands.cfg +mrpe - /root/mrpe/extra_commands.cfg +plugin ab /var/ab/plugins +local ab /var/ab/local +F-: + +<b>Note:</b>You need to set up the local and plugin scripts in different folders, because the line +<tt>plugin ab /var/ab/plugins</tt> indicates that all executable files within this folder are treated as plugins. + + + diff --git a/ChangeLog b/ChangeLog index ab94946..0bcc9df 100644 --- a/ChangeLog +++ b/ChangeLog @@ -64,8 +64,9 @@ * 0926 windows agent: local / plugin scripts now get the REMOTE_HOST as environment variable * 0163 kaspersky_av_quarantine,kaspersky_av_tasks,kaspersky_av_updates: New checks for kaspersky anti virus on linux * 0164 symantec_av_progstate,symantec_av_quarantine, symantec_av_updates: New checks for Symantec Anti Virus on Linux - * 0165 ups checks now supports also GE devices (Thanks to Andy Taylor)... * 0927 windows agent: now able to evaluate logfiles written in unicode (2 bytes per character)... + * 0165 ups checks now supports also GE devices (Thanks to Andy Taylor)... + * 0928 runas: new plugin script to include and execute mrpe, local and plugin scripts as different user... * 0777 FIX: special agent emcvnx: did not work with security file authentication... * 0786 FIX: zfsget: fixed compatibility with older Solaris agents... * 0809 FIX: brocade_fcport: Fixed recently introduced problem with port speed detection diff --git a/agents/plugins/mrpe_include b/agents/plugins/mrpe_include index 3fcfb64..4691548 100755 --- a/agents/plugins/mrpe_include +++ b/agents/plugins/mrpe_include @@ -1,4 +1,8 @@ #!/bin/bash + +# Note: This script is deprecated and has been replaced by the script runas +# which is able to handle mrpe, local and plugin scripts + echo '<<<mrpe>>>' grep -Ev '^[[:space:]]*($|#)' "$MK_CONFDIR/mrpe_include.cfg" | \ while read user include diff --git a/agents/plugins/runas b/agents/plugins/runas new file mode 100755 index 0000000..ed514d6 --- /dev/null +++ b/agents/plugins/runas @@ -0,0 +1,61 @@ +#!/bin/bash + +# This plugin allows to execute mrpe, local and plugin skripts with a different user context +# It is configured with in the file $MK_CONFDIR/runas.cfg +# +# Syntax: +# [Script type] [User context] [File / Directory] +# +# Example configuration +# # Execute mrpe commands in given files under specific user +# # A '-' means no user context switch +# mrpe ab /home/ab/mrpe_commands.cfg +# mrpe lm /home/lm/mrpe_commands.cfg +# mrpe - /root/mrpe/extra_commands.cfg +# +# Excecute -executable- files in the target directories under specific user context +# plugin ab /var/ab/plugins +# local ab /var/ab/local +# + +grep -Ev '^[[:space:]]*($|#)' "$MK_CONFDIR/runas.cfg" | \ +while read type user include +do + if [ -d $include -o \( "$type" == "mrpe" -a -f $include \) ] ; then + PREFIX="" + if [ "$user" != "-" ] ; then + PREFIX="su $user -c " + fi + + # mrpe includes + if [ "$type" == "mrpe" ] ; then + echo "<<<mrpe>>>" + grep -Ev '^[[:space:]]*($|#)' "$include" | \ + while read descr cmdline + do + PLUGIN=${cmdline%% *} + if [ -n "$PREFIX" ] ; then + cmdline="$PREFIX\"$cmdline\"" + fi + OUTPUT=$(eval "$cmdline") + echo -n "(${PLUGIN##*/}) $descr $? $OUTPUT" | tr \\n \\1 + echo + done + # local and plugin includes + elif [ "$type" == "local" -o "$type" == "plugin" ] ; then + if [ "$type" == "local" ] ; then + echo "<<<local>>>" + fi + find $include -executable -type f | \ + while read filename + do + if [ -n "$PREFIX" ] ; then + cmdline="$PREFIX\"$filename\"" + else + cmdline=$filename + fi + $cmdline + done + fi + fi +done