Package: nagios-plugins-contrib
Version: 20.20170118
Severity: normal
Tags: patch

Hello,

recent changes to check_running_kernel introduced a find on /boot, which includes /boot/lost+found on ext2/3/4 partitions and in turn produces an error message if the check is run by a non-root user:

    # sudo -u nagios /usr/lib/nagios/plugins/check_running_kernel
    find: ‘/boot/lost+found’: Permission denied
    WARNING: Running kernel does not match on-disk kernel image: [Linux version 4.9.0-1-amd64 (debian-ker...@lists.debian.org) (gcc version 6.3.0 20161229 (Debian 6.3.0-2) ) #1 SMP Debian 4.9.2-2 (2017-01-12) != Linux version 4.9.0-1-amd64 (debian-ker...@lists.debian.org) (gcc version 6.3.0 20170124 (Debian 6.3.0-5) ) #1 SMP Debian 4.9.6-3 (2017-01-28)]

This can easily be fixed by excluding /boot/lost+found in the find command. Instead of

    $([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort)

do

    $([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -not \( -path /boot/lost+found -prune \) -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort)

In my opinion, this would be a good thing as there's no need to run check_running_kernel as user root. For security reasons, as few checks as possible should be executed with root permissions.

Cheers,
jonas

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- /usr/lib/nagios/plugins/check_running_kernel.orig 2017-01-18 21:18:18.000000000 +0000 +++ /usr/lib/nagios/plugins/check_running_kernel 2017-02-17 19:08:16.425332437 +0000 @@ -185,8 +185,8 @@ searched="" for on_disk in \ - $([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort) \ - $([ -f "/boot/kfreebsd-$(uname -r).gz" ] && find /boot/ -name 'kfreebsd*' -and -name "kfreebsd-$(uname -r).gz" -or -name 'kfreebsd*' -and -newer "/boot/kfreebsd-$(uname -r).gz" | sort); do + $([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -not \( -path /boot/lost+found -prune \) -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort) \ + $([ -f "/boot/kfreebsd-$(uname -r).gz" ] && find /boot/ -not \( -path /boot/lost+found -prune \) -name 'kfreebsd*' -and -name "kfreebsd-$(uname -r).gz" -or -name 'kfreebsd*' -and -newer "/boot/kfreebsd-$(uname -r).gz" | sort); do if [ -e "$on_disk" ]; then if [ -z "$STRINGS" ]; then
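
Review bot: Both added lines exclude one hard-coded path, `-path /boot/lost+found`, so any other directory under /boot that the nagios user cannot read will still make find write "Permission denied" to stderr when the check runs unprivileged. If the kernel images are only expected directly in /boot, `-maxdepth 1` would stop find descending into any subdirectory and cover lost+found without naming it. Separately, the new `-not \( -path /boot/lost+found -prune \)` test is ANDed only into the first arm of the `-or`; it still prunes because find evaluates that arm first for every entry, but wrapping the two `-name` arms in `\( ... \)` would make the grouping explicit and keep it correct if the expression is reordered later.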