Module: check_mk
Branch: master
Commit: dde6e566e3c12e1a79b4cc399d99235c056c59b3
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=dde6e566e3c12e…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Fri May 30 11:44:03 2014 +0200
runas: new plugin script to include and execute mrpe, local and plugin scripts as
different user
With the new plugin <tt>runas</tt> you can configure additional include files
and
directories for mrpe, local and plugin scripts. You can also change the user context
of each of these scripts. It allows non-root users to add additional scripts which might
get executed with reduced permission.
---
.werks/928 | 39 +++++++++++++++++++++++++++
ChangeLog | 3 ++-
agents/plugins/mrpe_include | 4 +++
agents/plugins/runas | 61 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/.werks/928 b/.werks/928
new file mode 100644
index 0000000..76d7e0f
--- /dev/null
+++ b/.werks/928
@@ -0,0 +1,39 @@
+Title: runas: new plugin script to include and execute mrpe, local and plugin scripts as
different user
+Level: 2
+Component: checks
+Version: 1.2.5i3
+Date: 1401442173
+Class: feature
+
+With the new plugin <tt>runas</tt> you can configure additional include files
and
+directories for mrpe, local and plugin scripts. You can also change the user context
+of each of these scripts. It allows non-root users to add additional scripts which might
+get executed with reduced permission.
+
+This check is configured with the configuration file <tt>runas.cfg</tt>.
+In a default installation this file is located within the Check_MK config directory under
<tt>/etc/check_mk/runas.cfg</tt>.
+
+The <tt>runas.cfg</tt> configuration syntax is as follow
+[Script type] [User context] [File / Directory ]
+
+The <tt>Script type</tt> can be set to <tt>mrpe</tt>,
<tt>local</tt> and <tt>plugin</tt>.
+The <tt>User context</tt> represents the user. If you do not want to change
the context set this field to <tt>-</tt>
+Depending on the script type the third value points to a file or directory.
+The mrpe type requires a target file which contains the mrpe commands.
+Local and plugins types require are target folder, which contains the executable local
and plugin scripts.<br>
+
+Here is an example configuration:
+
+F+:/etc/check_mk/runas.cfg
+mrpe ab /home/ab/mrpe_commands.cfg
+mrpe lm /home/lm/mrpe_commands.cfg
+mrpe - /root/mrpe/extra_commands.cfg
+plugin ab /var/ab/plugins
+local ab /var/ab/local
+F-:
+
+<b>Note:</b>You need to set up the local and plugin scripts in different
folders, because the line
+<tt>plugin ab /var/ab/plugins</tt> indicates that all executable files within
this folder are treated as plugins.
+
+
+
diff --git a/ChangeLog b/ChangeLog
index ab94946..0bcc9df 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -64,8 +64,9 @@
* 0926 windows agent: local / plugin scripts now get the REMOTE_HOST as environment
variable
* 0163 kaspersky_av_quarantine,kaspersky_av_tasks,kaspersky_av_updates: New checks
for kaspersky anti virus on linux
* 0164 symantec_av_progstate,symantec_av_quarantine, symantec_av_updates: New checks
for Symantec Anti Virus on Linux
- * 0165 ups checks now supports also GE devices (Thanks to Andy Taylor)...
* 0927 windows agent: now able to evaluate logfiles written in unicode (2 bytes per
character)...
+ * 0165 ups checks now supports also GE devices (Thanks to Andy Taylor)...
+ * 0928 runas: new plugin script to include and execute mrpe, local and plugin scripts
as different user...
* 0777 FIX: special agent emcvnx: did not work with security file authentication...
* 0786 FIX: zfsget: fixed compatibility with older Solaris agents...
* 0809 FIX: brocade_fcport: Fixed recently introduced problem with port speed
detection
diff --git a/agents/plugins/mrpe_include b/agents/plugins/mrpe_include
index 3fcfb64..4691548 100755
--- a/agents/plugins/mrpe_include
+++ b/agents/plugins/mrpe_include
@@ -1,4 +1,8 @@
#!/bin/bash
+
+# Note: This script is deprecated and has been replaced by the script runas
+# which is able to handle mrpe, local and plugin scripts
+
echo '<<<mrpe>>>'
grep -Ev '^[[:space:]]*($|#)' "$MK_CONFDIR/mrpe_include.cfg" | \
while read user include
diff --git a/agents/plugins/runas b/agents/plugins/runas
new file mode 100755
index 0000000..ed514d6
--- /dev/null
+++ b/agents/plugins/runas
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# This plugin allows to execute mrpe, local and plugin skripts with a different user
context
+# It is configured with in the file $MK_CONFDIR/runas.cfg
+#
+# Syntax:
+# [Script type] [User context] [File / Directory]
+#
+# Example configuration
+# # Execute mrpe commands in given files under specific user
+# # A '-' means no user context switch
+# mrpe ab /home/ab/mrpe_commands.cfg
+# mrpe lm /home/lm/mrpe_commands.cfg
+# mrpe - /root/mrpe/extra_commands.cfg
+#
+# Excecute -executable- files in the target directories under specific user context
+# plugin ab /var/ab/plugins
+# local ab /var/ab/local
+#
+
+grep -Ev '^[[:space:]]*($|#)' "$MK_CONFDIR/runas.cfg" | \
+while read type user include
+do
+ if [ -d $include -o \( "$type" == "mrpe" -a -f $include \) ] ;
then
+ PREFIX=""
+ if [ "$user" != "-" ] ; then
+ PREFIX="su $user -c "
+ fi
+
+ # mrpe includes
+ if [ "$type" == "mrpe" ] ; then
+ echo "<<<mrpe>>>"
+ grep -Ev '^[[:space:]]*($|#)' "$include" | \
+ while read descr cmdline
+ do
+ PLUGIN=${cmdline%% *}
+ if [ -n "$PREFIX" ] ; then
+ cmdline="$PREFIX\"$cmdline\""
+ fi
+ OUTPUT=$(eval "$cmdline")
+ echo -n "(${PLUGIN##*/}) $descr $? $OUTPUT" | tr \\n \\1
+ echo
+ done
+ # local and plugin includes
+ elif [ "$type" == "local" -o "$type" ==
"plugin" ] ; then
+ if [ "$type" == "local" ] ; then
+ echo "<<<local>>>"
+ fi
+ find $include -executable -type f | \
+ while read filename
+ do
+ if [ -n "$PREFIX" ] ; then
+ cmdline="$PREFIX\"$filename\""
+ else
+ cmdline=$filename
+ fi
+ $cmdline
+ done
+ fi
+ fi
+done
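Review bot: In the mrpe branch, text read from the include file is spliced into `cmdline` between escaped quotes and then passed to `eval`, so the agent's own shell parses it before `su` runs. If the agent runs as root (presumably the usual setup) and the include file belongs to the unprivileged user named in runas.cfg, quote characters or shell expansions in that file are interpreted with the agent's privileges, not the target user's. Handing the command text to `su` as one quoted argument, without `eval`, keeps all parsing in the target user's shell. The local/plugin branch has a related weakness: `$cmdline` and `find $include` are expanded unquoted, so a file name containing whitespace changes the argument list given to `su`. The fence shows both loops with the user switch done directly and `PREFIX` no longer needed; the `[ -d $include ... ]` test should quote `$include` as well.

```shell
# … unchanged: outer loop over runas.cfg, type/path test, mrpe section header …
        while read descr cmdline
        do
            PLUGIN=${cmdline%% *}
            if [ "$user" != "-" ] ; then
                # command text reaches su as a single argument; only the
                # target user's shell parses it
                OUTPUT=$(su "$user" -c "$cmdline")
            else
                OUTPUT=$(eval "$cmdline")
            fi
            # … unchanged: output line using $? and $OUTPUT …
        done
# … unchanged: local/plugin section header …
        find "$include" -executable -type f | \
        while read -r filename
        do
            if [ "$user" != "-" ] ; then
                su "$user" -c "\"$filename\""
            else
                "$filename"
            fi
        done
```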