#!/bin/sh
# ########################################################################
# This program is part of Percona Monitoring Plugins
# License: GPL License (see COPYING)
# Authors:
# Baron Schwartz
# ########################################################################
# ########################################################################
# Redirect STDERR to STDOUT; Nagios doesn't handle STDERR.
# ########################################################################
# Send stderr to stdout: Nagios only reads a plugin's stdout, so diagnostics
# from mysql/ps/find would otherwise be lost.
exec 2>&1
# ########################################################################
# Set up constants, etc.
# ########################################################################
# Nagios plugin exit codes.
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4
# Exit status reported by main(); defaults to UNKNOWN and is set again
# inside main() once the check has actually run.
EXITSTATUS=$STATE_UNKNOWN
# ########################################################################
# Run the program.
# ########################################################################
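main() {
  # Entry point: parse options, locate every MySQL data directory (asking the
  # server when connection options were given, otherwise reading mysqld
  # command lines from the process table), then report any file under those
  # directories not owned by OPT_UNIX_USER / OPT_UNIX_GROUP.
  # Globals:   STATE_* (read); EXITSTATUS, NOTE, OPT_* (written)
  # Arguments: the script's command line, see --help
  # Outputs:   one Nagios status line on stdout
  # Returns:   exits with the Nagios state
  #
  # The loop below visits every word of "$@" (the list is expanded once);
  # the shifts keep "$1" pointing at each option's value, and words that are
  # not options fall through the case unmatched. This is why options must be
  # given as "--option value" and why a value starting with '-' is rejected.
  local o
  for o; do
    case "${o}" in
      -c) shift; OPT_CRIT="${1}"; shift; ;;
      --defaults-file) shift; OPT_DEFT="${1}"; shift; ;;
      -g) shift; OPT_UNIX_GROUP="${1}"; shift; ;;
      -H) shift; OPT_HOST="${1}"; shift; ;;
      -l) shift; OPT_USER="${1}"; shift; ;;
      -p) shift; OPT_PASS="${1}"; shift; ;;
      -P) shift; OPT_PORT="${1}"; shift; ;;
      -S) shift; OPT_SOCK="${1}"; shift; ;;
      -u) shift; OPT_UNIX_USER="${1}"; shift; ;;
      -w) shift; OPT_WARN="${1}"; shift; ;;
      --version) grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;;
      --help) perl -00 -ne 'm/^ Usage:/ && print' "$0"; exit 0 ;;
      -*) printf 'Unknown option %s. Try --help.\n' "${o}"; exit 1 ;;
    esac
  done
  OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}"
  OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}"
  if [ -e '/etc/nagios/mysql.cnf' ]; then
    OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}"
  fi

  # Until at least one data directory has been examined, report UNKNOWN.
  EXITSTATUS=$STATE_UNKNOWN
  NOTE="UNK could not determine the datadir location."

  # Scratch files: raw process listings, and one data directory path per
  # line. Declaration and assignment are separate so that a failing mktemp
  # is not masked by 'local' always returning 0.
  local TEMP DATADIRS
  TEMP=$(mktemp "/tmp/${0##*/}.XXXXXX") || exit $?
  DATADIRS=$(mktemp "/tmp/${0##*/}.XXXXXX") || exit $?
  trap 'rm -f -- "${TEMP}" "${DATADIRS}" >/dev/null 2>&1' EXIT

  if [ "${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then
    # Connection options given: ask the server. If the login fails nothing
    # is written, the ownership loop never runs, and the UNK note stands.
    mysql_exec "SELECT IF(@@datadir LIKE '/%', @@datadir, CONCAT(@@basedir, @@datadir))" >> "${DATADIRS}"
  else
    # Otherwise inspect every running mysqld. The header is suppressed
    # ('pid=' / 'command=') so each line is "<pid> <command line>".
    # $(_pidof) is deliberately unquoted: it yields one pid per word.
    local pid command
    for pid in $(_pidof mysqld); do
      ps -p "${pid}" -o pid= -o command= >> "${TEMP}"
    done
    # Pull the --datadir option out of each command line, e.g.
    #   13822 /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \
    #     --basedir=/usr --datadir=/var/lib/mysql/data/ --socket=...
    # Both "--datadir=PATH" and "--datadir PATH" are recognised. Everything
    # after the path is dropped at the first " -", so the path must not
    # contain a space followed by a dash. A mysqld that takes its datadir
    # only from a config file is not found here (the note then stays UNK).
    # TODO: detect the user/group the process runs as instead of
    # defaulting to 'mysql'.
    while read -r pid command; do
      case "${command}" in
        *--datadir=*) command="${command##*--datadir=}" ;;
        *"--datadir "*) command="${command##*--datadir }" ;;
        *) continue ;;
      esac
      printf '%s\n' "${command%% -*}" >> "${DATADIRS}"
    done < "${TEMP}"
  fi

  # Check ownership under every data directory found: any path not owned
  # by both the expected user and the expected group is reported.
  local datadir FILES WRONG NOTE2
  WRONG=""
  NOTE2=""
  while IFS= read -r datadir; do
    [ "${datadir}" ] || continue
    # A failing find (missing or unreadable path) is not a threshold breach,
    # so report UNKNOWN rather than exiting with find's own status code.
    if ! FILES=$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}"); then
      printf '%s\n' "UNK could not examine ${datadir}."
      exit "${STATE_UNKNOWN}"
    fi
    if [ "${FILES}" ]; then
      WRONG=1
      # find lists one offender per line; Nagios reads a single status
      # line, so join them with spaces.
      NOTE2="${NOTE2:+${NOTE2} }$(printf '%s' "${FILES}" | tr '\n' ' ')"
    fi
    EXITSTATUS=$STATE_OK
    NOTE="OK all files/directories have correct ownership."
  done < "${DATADIRS}"

  if [ "${WRONG}" ]; then
    # -c is a flag, not a threshold: any value escalates WARNING to CRITICAL.
    if [ "${OPT_CRIT}" ]; then
      EXITSTATUS=$STATE_CRITICAL
      NOTE="CRIT files with wrong ownership: ${NOTE2}"
    else
      EXITSTATUS=$STATE_WARNING
      NOTE="WARN files with wrong ownership: ${NOTE2}"
    fi
  fi
  # printf rather than an unquoted echo: a file name containing '*' or '?'
  # must not be glob-expanded into the status line.
  printf '%s\n' "${NOTE}"
  exit "${EXITSTATUS}"
}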
# ########################################################################
# Execute a MySQL command.
# ########################################################################
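mysql_exec() {
  # Run one SQL statement through the mysql client, passing only the
  # connection options that were given. -ss prints the bare result, without
  # column headers or table borders.
  # Globals:   OPT_DEFT, OPT_HOST, OPT_USER, OPT_PASS, OPT_SOCK, OPT_PORT (read)
  # Arguments: $1 - the SQL statement to execute
  # Outputs:   the client's output on stdout
  # Returns:   the mysql client's exit status
  local query="$1"
  # Build the argument list in the positional parameters so every value
  # stays a single word even when it contains whitespace (the ${var:+...}
  # idiom relied on unquoted expansion for this).
  # --defaults-file must be the first option the client sees.
  set --
  [ "${OPT_DEFT:-}" ] && set -- "$@" --defaults-file="${OPT_DEFT}"
  [ "${OPT_HOST:-}" ] && set -- "$@" -h"${OPT_HOST}"
  [ "${OPT_USER:-}" ] && set -- "$@" -u"${OPT_USER}"
  # A password passed as -p is visible to every local user in the process
  # table for as long as the client runs; prefer --defaults-file (the
  # /etc/nagios/mysql.cnf default) for the password.
  [ "${OPT_PASS:-}" ] && set -- "$@" -p"${OPT_PASS}"
  [ "${OPT_SOCK:-}" ] && set -- "$@" -S"${OPT_SOCK}"
  [ "${OPT_PORT:-}" ] && set -- "$@" -P"${OPT_PORT}"
  mysql "$@" -ss -e "${query}"
}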
# ########################################################################
# A wrapper around pidof, which might not exist. The first argument is the
# command name to match.
# ########################################################################
_pidof() {
  # Print the pids of processes whose command name is $1.
  # Prefers pidof(1); when it is missing or reports nothing, scans the
  # process table by command name instead.
  # Arguments: $1 - command name to match
  # Outputs:   matching pids on stdout
  pidof "${1}" 2>/dev/null && return 0
  ps -eo pid,ucomm | awk -v comm="${1}" '$2 == comm { print $1 }'
}
# ########################################################################
# Execute the program if it was not included from another file.
# This makes it possible to include without executing, and thus test.
# ########################################################################
# Run main only when this file is the program being executed (the basename
# of $0 is the script's name), or when the basename of $0 is "bash" and $_
# equals $0.
# NOTE(review): $_ is the last argument of the previous command, so it is
# read only after the first test has already run — confirm which invocation
# the second test is meant to catch before restructuring this condition.
if [ "${0##*/}" = "pmp-check-mysql-file-privs" ] \
|| [ "${0##*/}" = "bash" -a "$_" = "$0" ]; then
main "$@"
fi
# ############################################################################
# Documentation
# ############################################################################
: <<'DOCUMENTATION'
=pod
=head1 NAME
pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong.
=head1 SYNOPSIS
Usage: pmp-check-mysql-file-privs [OPTIONS]
Options:
-c CRIT Critical threshold; makes wrong file ownership critical instead of a warning.
--defaults-file FILE Only read mysql options from the given file.
Defaults to /etc/nagios/mysql.cnf if it exists.
-g GROUP The Unix group who should own the files; default mysql.
-H HOST MySQL hostname.
-l USER MySQL username.
-p PASS MySQL password.
-P PORT MySQL port.
-S SOCKET MySQL socket file.
-u USER The Unix user who should own the files; default mysql.
-w WARN Warning threshold; ignored.
--help Print help and exit.
--version Print version and exit.
Options must be given as --option value, not --option=value or -Ovalue.
Use perldoc to read embedded documentation with more details.
=head1 DESCRIPTION
This Nagios plugin checks to make sure that the MySQL data directory, and its
contents, are owned by the correct Unix user and group. If the ownership is
incorrect, then the server might fail due to lack of permission to modify its
data. For example, suppose a system administrator enters a database directory
and creates a file that is owned by root. Now a database administrator issues a
DROP TABLE command, which fails because it is unable to remove the file and thus
the non-empty directory cannot be removed either.
The plugin accepts the -g and -u options to specify which Unix user and group
should own the data directory and its contents. This is usually the user account
under which MySQL runs, which is mysql by default on most systems. The plugin
assumes that user and group by default, too.
The plugin accepts the -w and -c options for compatibility with standard Nagios
plugin conventions, but they are not based on a threshold. Instead, the plugin
raises a warning by default, and if the -c option is given, it raises an error
instead, regardless of the option's value.
By default, this plugin will attempt to detect all running instances of MySQL,
and verify the data directory ownership for each one. It does this purely by
examining the Unix process table with the C<ps> tool. However, in some cases
the process's command line does not list the path to the data directory. If the
tool fails to detect the MySQL server process, or if you wish to limit the check
to a single instance in the event that there are multiple instances on a single
server, then you can specify MySQL authentication options. This will cause the
plugin to skip examining the Unix processlist, log into MySQL, and examine the
datadir variable from SHOW VARIABLES to find the location of the data directory.
=head1 PRIVILEGES
This plugin executes the following commands against MySQL:
=over
=item *
C<SELECT> the MySQL system variables C<@@datadir> and C<@@basedir>.
=back
This plugin executes the following UNIX commands that may need special privileges:
=over
=item *
ps
=item *
find C<datadir>
=back
=head1 COPYRIGHT, LICENSE, AND WARRANTY
This program is copyright 2012 Baron Schwartz, 2012 Percona Inc.
Feedback and improvements are welcome.
THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, version 2. You should have received a copy of the GNU General
Public License along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
=head1 VERSION
Percona Monitoring Plugins pmp-check-mysql-file-privs 0.9.0
=cut
DOCUMENTATION