Make ownership check consistent with cmk-agent 2.1

The new CheckMK agent uses UID 998 (dynamic) for itself. This causes
ownership problems with the old logic of this check. Move instead to a
range, where the UIDs from 200-599 are reserved for administrators, and
check for this range explicitly. Also eliminates the exceptions for ceph
and 2000 from previous iterations.
Joshua Boniface 2023-09-01 15:42:28 -04:00
parent 9e20e47903
commit cbea6e284c
1 changed file with 6 additions and 4 deletions


@ -1,16 +1,18 @@
#!/bin/bash #!/bin/bash
# File ownership check for Check_MK # File ownership check for Check_MK
# Ensures that no files outside of homedirs are owned by administrative users
# Installed by PVC ansible # Installed by PVC ansible
UID_MAX=199 ADMIN_UID_MIN=200
ADMIN_UID_MAX=599
# http://www.debian.org/doc/debian-policy/ch-opersys.html # http://www.debian.org/doc/debian-policy/ch-opersys.html
# 0-99: Globally allocated by the Debian project # 0-99: Globally allocated by the Debian project
# 100-199: (PVC) Dynamically allocated system users and groups # 100-199: (PVC) Dynamically allocated system users
# 200-299: (PVC) provisioning users # 200-299: (PVC) provisioning users
# 300-499: (PVC) reserved # 300-499: (PVC) reserved
# 500-599: (PVC) system administrators # 500-599: (PVC) system administrators
# 600-999: (PVC) reserved # 600-999: (PVC) Dynamically allocated service users
# 64045: (PVC) ceph # 64045: (PVC) ceph
function is_element_of { function is_element_of {
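Review bot: The new header comment ("owned by administrative users") does not match the range the variables define: ADMIN_UID_MIN=200 / ADMIN_UID_MAX=599 spans the 200-299 provisioning users and the 300-499 reserved band as well as the 500-599 system administrators listed in the policy comment directly below. Either state in the header that the whole 200-599 block is intentionally treated as administrative for this check, or set ADMIN_UID_MIN=500 if only administrators are meant; as written, a reader of the comment will expect a narrower scan than the variables produce. Since UID_MAX is deleted here, also confirm that no other line in the script (beyond the find call in the second hunk) still expands $UID_MAX, which would now be an empty string.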
@ -43,7 +45,7 @@ for FILESYSTEM in ${FILESYSTEMs[@]}; do
fi fi
fi fi
FILEs+=($FILE) FILEs+=($FILE)
done < <( find ${FILESYSTEM} -xdev -uid +$UID_MAX -not -uid +64000 -not -uid 2000 \ done < <( find ${FILESYSTEM} -xdev -uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX} \
-not \( -type d -a \( -path /media -o -path /mnt \) \) \ -not \( -type d -a \( -path /media -o -path /mnt \) \) \
-not \( -name '.*.swp' -a -mtime -3 \) \ -not \( -name '.*.swp' -a -mtime -3 \) \
-not \( -path '*/.git' -o -path '*/.git/*' \) \ -not \( -path '*/.git' -o -path '*/.git/*' \) \
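Review bot: The replacement predicates `-uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX}` use find's strict comparisons: `-uid +n` matches only UIDs greater than n and `-uid -n` only UIDs less than n, so with 200 and 599 this matches 201 through 598 and silently skips files owned by the boundary UIDs 200 and 599, which the MIN/MAX names imply should be included. Use `-uid +$((ADMIN_UID_MIN - 1)) -uid -$((ADMIN_UID_MAX + 1))` (or define the variables as the exclusive bounds and say so in the comment) so the scanned range is actually 200-599 inclusive.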