From checkmk-werks-lvl1@lists.checkmk.com Thu Apr 18 12:53:39 2024
From: Checkmk werks level 1 <checkmk-werks-lvl1@lists.checkmk.com>
To: checkmk-werks-lvl1@lists.checkmk.com
Subject: [2.2.0] Checkmk Werk 15327 created: mk_oracle: Follow-up to privilege
 escalation fix
Date: Thu, 18 Apr 2024 12:53:37 +0000
Message-ID: <1713444817.650590.725.nullmailer@localhost>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7188792124590693315=="

--===============7188792124590693315==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Title: mk_oracle: Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712217578
Edition: cre
Level: 2
Version: 2.2.0p25

You might be affected by this Werk if you use <tt>mk_oracle</tt> on a unix
system.

You might be affected by this Werk if you use oracle wallet to connect to your
database.

You are definitively affected by this Werk if you use oracle wallet to connec=
t to your
database and used the instructions of our official documentation to setup your
configuration.

This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.=
3.0b4.


Since <a href=3D"https://checkmk.com/werk/16232">Werk #16232</a> we switch to=
 a
unprivileged user when executing oracle binaries. This causes problems when
using an oracle wallet as the unprivileged user might not be able to access
files defining the connection details and credentials.

We introduced an additional permission check to the <code>-t</code> "Just che=
ck
the connection" option of <code>mk_oracle</code>. It should help you modifying
the permissions to continue using <code>mk_oracle</code> with oracle wallet.

You can execute it with the following command:

<pre>
MK_CONFDIR=3D/etc/check_mk/ MK_VARDIR=3D/var/lib/check_mk_agent /usr/lib/chec=
k_mk_agent/plugins/mk_oracle --no-spool -t
</pre>

The path to mk_oracle might be different if you execute it asynchronously. Fo=
r a
60 second interval the path would be <code>/usr/lib/check_mk_agent/plugins/60=
/mk_oracle</code>

The script will test permissions of the files needed to connect to the databa=
se. It boils down to the following:

<code>mk_oracle</code> will switch to the owner of
<code>$ORACLE_HOME/bin/sqlplus</code> before executing <code>sqlplus</code>. =
So
this user has to have the following permissions:

<ul>
<li>read <code>$TNS_ADMIN/sqlnet.ora</code></li>
<li>read <code>$TNS_ADMIN/tnsnames.ora</code></li>
<li>execute the wallet folder (<code>/etc/check_mk/oracle_wallet</code> if fo=
llowed the official documentation)</li>
<li>read files inside the wallet folder (<code>/etc/check_mk/oracle_wallet/*<=
/code> if followed the official documentation)</li>
</ul>

Beside that we also fixed some bash syntax errors we introduced with
<a href=3D"https://checkmk.com/werk/16232">Werk #16232</a>.

See <a href=3D"https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Tr=
oubleshooting+mk+oracle+for+Windows+and+Linux">Troubleshooting mk_oracle for =
Windows and Linux</a>
for more information about troubleshooting this problem.



--===============7188792124590693315==--