From b90717e25a5a7eebe52505e49525c937bebbcf8e Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" 
Date: Tue, 31 May 2022 22:33:07 -0400
Subject: [PATCH] Make ownership check consistent with cmk-agent 2.1

The new CheckMK agent uses UID 998 (dynamic) for itself. This causes ownership problems with the old logic of this check. Move instead to a range, where the UIDs from 200-599 are reserved for administrators, and check for this range explicitly. Also eliminates the exceptions for ceph and 2000 from previous iterations.
---
 .../files/usr/lib/check_mk_agent/plugins/ownership | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/roles/base/files/usr/lib/check_mk_agent/plugins/ownership b/roles/base/files/usr/lib/check_mk_agent/plugins/ownership
index eec3805..c041ec7 100755
--- a/roles/base/files/usr/lib/check_mk_agent/plugins/ownership
+++ b/roles/base/files/usr/lib/check_mk_agent/plugins/ownership
@@ -1,16 +1,18 @@
 #!/bin/bash
 # File ownership check for Check_MK
+# Ensures that no files outside of homedirs are owned by administrative users
 # Installed by PVC ansible
-UID_MAX=199
+ADMIN_UID_MIN=200
+ADMIN_UID_MAX=599
 # http://www.debian.org/doc/debian-policy/ch-opersys.html
 # 0-99: Globally allocated by the Debian project
-# 100-199: (PVC) Dynamically allocated system users and groups
+# 100-199: (PVC) Dynamically allocated system users
 # 200-299: (PVC) provisioning users
 # 300-499: (PVC) reserved
 # 500-599: (PVC) system administrators
-# 600-999: (PVC) reserved
+# 600-999: (PVC) Dynamically allocated service users
 # 64045: (PVC) ceph
 function is_element_of {
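Review bot: The two new constants `ADMIN_UID_MIN=200` and `ADMIN_UID_MAX=599` express fixed policy but are left as plain, mutable globals and do not say whether the bounds are inclusive, even though the UID table right below them lists inclusive ranges. Declaring them `readonly ADMIN_UID_MIN=200` and `readonly ADMIN_UID_MAX=599`, prefaced with `# Inclusive UID range reported as administrative (provisioning, reserved and sysadmin blocks in the table below)`, ties the values to the policy they are drawn from and prevents a later `source` or stray assignment from widening the check. The `is_element_of` function opened on the last hunk line continues outside the hunk.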
@@ -43,7 +45,7 @@ for FILESYSTEM in ${FILESYSTEMs[@]}; do
 fi
 fi
 FILEs+=($FILE)
- done < <( find ${FILESYSTEM} -xdev -uid +$UID_MAX -not -uid +64000 -not -uid 2000 \
+ done < <( find ${FILESYSTEM} -xdev -uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX} \
 -not \( -type d -a \( -path /media -o -path /mnt \) \) \
 -not \( -name '.*.swp' -a -mtime -3 \) \
 -not \( -path '*/.git' -o -path '*/.git/*' \) \
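Review bot: The rewritten `find` line is off by one at both ends of the range: `-uid +${ADMIN_UID_MIN}` matches only UIDs strictly greater than 200 and `-uid -${ADMIN_UID_MAX}` only UIDs strictly less than 599, so files owned by UID 200 or UID 599 — both inside the administrative range the header table describes — are never reported, whereas the old `-uid +$UID_MAX` with `UID_MAX=199` did catch UID 200. Use `-uid +$((ADMIN_UID_MIN - 1)) -uid -$((ADMIN_UID_MAX + 1))` so the constants keep their inclusive meaning. While touching the line, quote the mount point, `find "${FILESYSTEM}" -xdev …`, since an unquoted path word-splits and globs. The dropped `-not -uid +64000 -not -uid 2000` exclusions are redundant with a bounded range, so nothing is lost there; the enclosing `for` loop opens in the hunk context and the `find` command continues past the last hunk line.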