Make ownership check consistent with cmk-agent 2.1
The new CheckMK agent uses UID 998 (dynamic) for itself. This causes ownership problems with the old logic of this check. Instead, move to a range where UIDs 200-599 are reserved for administrators, and check for this range explicitly. This also eliminates the exceptions for ceph and 2000 from previous iterations.
This commit is contained in:
parent
9e20e47903
commit
cbea6e284c
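--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,16 +1,18 @@
 #!/bin/bash
 
 # File ownership check for Check_MK
+# Ensures that no files outside of homedirs are owned by administrative users
 # Installed by PVC ansible
 
-UID_MAX=199
+ADMIN_UID_MIN=200
+ADMIN_UID_MAX=599
 # http://www.debian.org/doc/debian-policy/ch-opersys.html
 # 0-99: Globally allocated by the Debian project
-# 100-199: (PVC) Dynamically allocated system users and groups
+# 100-199: (PVC) Dynamically allocated system users
 # 200-299: (PVC) provisioning users
 # 300-499: (PVC) reserved
 # 500-599: (PVC) system administrators
-# 600-999: (PVC) reserved
+# 600-999: (PVC) Dynamically allocated service users
 # 64045: (PVC) ceph
 
 function is_element_of {
@@ -43,7 +45,7 @@ for FILESYSTEM in ${FILESYSTEMs[@]}; do
 fi
 fi
 FILEs+=($FILE)
-done < <( find ${FILESYSTEM} -xdev -uid +$UID_MAX -not -uid +64000 -not -uid 2000 \
+done < <( find ${FILESYSTEM} -xdev -uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX} \
 -not \( -type d -a \( -path /media -o -path /mnt \) \) \
 -not \( -name '.*.swp' -a -mtime -3 \) \
 -not \( -path '*/.git' -o -path '*/.git/*' \) \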
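Review bot: The new find predicate `-uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX}` in the second hunk excludes both boundary values, because find's `+n`/`-n` numeric forms mean strictly greater than / strictly less than n; with the constants set in the first hunk it matches UIDs 201-598, so files owned by UID 200 or 599 silently escape a check whose stated purpose is to cover 200-599 inclusive (the old `-uid +$UID_MAX` with 199 did include 200). Either change the predicate to `-uid +$((ADMIN_UID_MIN - 1)) -uid -$((ADMIN_UID_MAX + 1))`, or state the exclusive semantics in a comment next to the two constants so the range is not read as inclusive. The enclosing `for FILESYSTEM` loop starts outside the hunk; `${FILESYSTEM}` on the same changed line is also unquoted, which ShellCheck (SC2086) will flag, and the new constants would be better declared `readonly`.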