[2.2.0] Checkmk Werk 15327 created: mk_oracle: Follow-up to privilege escalation fix

Title: mk_oracle: Follow-up to privilege escalation fix Class: fix Compatible: incomp Component: checks Date: 1712217578 Edition: cre Level: 2 Version: 2.2.0p25 You might be affected by this Werk if you use <tt>mk_oracle</tt> on a unix system. You might be affected by this Werk if you use oracle wallet to connect to your database. You are definitively affected by this Werk if you use oracle wallet to connect to your database and used the instructions of our official documentation to setup your configuration. This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.3.0b4. Since <a href="https://checkmk.com/werk/16232">Werk #16232</a> we switch to a unprivileged user when executing oracle binaries. This causes problems when using an oracle wallet as the unprivileged user might not be able to access files defining the connection details and credentials. We introduced an additional permission check to the <code>-t</code> "Just check the connection" option of <code>mk_oracle</code>. It should help you modifying the permissions to continue using <code>mk_oracle</code> with oracle wallet. You can execute it with the following command: <pre> MK_CONFDIR=/etc/check_mk/ MK_VARDIR=/var/lib/check_mk_agent /usr/lib/check_mk_agent/plugins/mk_oracle --no-spool -t </pre> The path to mk_oracle might be different if you execute it asynchronously. For a 60 second interval the path would be <code>/usr/lib/check_mk_agent/plugins/60/mk_oracle</code> The script will test permissions of the files needed to connect to the database. It boils down to the following: <code>mk_oracle</code> will switch to the owner of <code>$ORACLE_HOME/bin/sqlplus</code> before executing <code>sqlplus</code>. So this user has to have the following permissions: <ul> <li>read <code>$TNS_ADMIN/sqlnet.ora</code></li> <li>read <code>$TNS_ADMIN/tnsnames.ora</code></li> <li>execute the wallet folder (<code>/etc/check_mk/oracle_wallet</code> if followed the official documentation)</li> <li>read files inside the wallet folder (<code>/etc/check_mk/oracle_wallet/*</code> if followed the official documentation)</li> </ul> Beside that we also fixed some bash syntax errors we introduced with <a href="https://checkmk.com/werk/16232">Werk #16232</a>. See <a href="https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Trou… mk_oracle for Windows and Linux</a> for more information about troubleshooting this problem.