Package: nagios-plugins-contrib
Version: 20.20170118
Severity: normal
Tags: patch

Hello,

recent changes to check_running_kernel introduced a find on /boot, which
includes /boot/lost+found on ext2/3/4 partitions and in turn produces an
error message if the check is run by a non-root user:

# sudo -u nagios /usr/lib/nagios/plugins/check_running_kernel 
find: ‘/boot/lost+found’: Permission denied
WARNING: Running kernel does not match on-disk kernel image: [Linux version 
4.9.0-1-amd64 (debian-ker...@lists.debian.org) (gcc version 6.3.0 20161229 
(Debian 6.3.0-2) ) #1 SMP Debian 4.9.2-2 (2017-01-12) != Linux version 
4.9.0-1-amd64 (debian-ker...@lists.debian.org) (gcc version 6.3.0 20170124 
(Debian 6.3.0-5) ) #1 SMP Debian 4.9.6-3 (2017-01-28)]

This can easily be fixed by excluding /boot/lost+found in the find
command.

Instead of

$([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort)

do

$([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -not \( -path /boot/lost+found -prune \) -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort)

In my opinion, this would be a good thing as there's no need to run
check_running_kernel as user root. For security reasons, as few checks
as possible should be executed with root permissions.

Cheers,
 jonas

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- /usr/lib/nagios/plugins/check_running_kernel.orig   2017-01-18 
21:18:18.000000000 +0000
+++ /usr/lib/nagios/plugins/check_running_kernel        2017-02-17 
19:08:16.425332437 +0000
@@ -185,8 +185,8 @@
 
 searched=""
 for on_disk in \
-       $([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -name 'vmlinuz*' 
-and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer 
"/boot/vmlinuz-$(uname -r)" | sort) \
-       $([ -f "/boot/kfreebsd-$(uname -r).gz" ] && find /boot/ -name 
'kfreebsd*' -and -name "kfreebsd-$(uname -r).gz" -or -name 'kfreebsd*' -and 
-newer "/boot/kfreebsd-$(uname -r).gz" | sort); do
+       $([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -not \( -path 
/boot/lost+found -prune \) -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" 
-or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort) \
+       $([ -f "/boot/kfreebsd-$(uname -r).gz" ] && find /boot/ -not \( -path 
/boot/lost+found -prune \) -name 'kfreebsd*' -and -name "kfreebsd-$(uname 
-r).gz" -or -name 'kfreebsd*' -and -newer "/boot/kfreebsd-$(uname -r).gz" | 
sort); do
 
        if [ -e "$on_disk" ]; then
                if [ -z "$STRINGS" ]; then
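Review bot: in both added find commands the `-not \( -path /boot/lost+found -prune \)` term is ANDed only with the first alternative, because `-and` binds tighter than the `-or` that follows, so the second alternative (`-name ... -and -newer ...`) is not guarded by it. The result is still correct, since `-prune` stops the descent as a side effect when the first alternative is evaluated, but that dependency is easy to break in a later edit. Suggest making the grouping explicit, for example `find /boot/ -path /boot/lost+found -prune -o \( ... \) -print`. The exclusion also names only this one path, so any other directory under /boot that the nagios user cannot read would bring the "Permission denied" line back; a short comment above the loop saying why lost+found is skipped would help the next reader.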

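The pruning behaviour the report relies on, as an added example that is not part of the original report or of the plugin: it runs the original and the patched find expression over a constructed temporary tree standing in for /boot, and goes one step further by adding an explicitly grouped form for comparison. The helper names and the file names in the tree are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed stand-in for /boot; the real /boot is never touched.
# make_tree, find_original, find_patched and find_grouped are hypothetical helpers.

make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/lost+found"
    : > "$root/vmlinuz-4.9.0-1-amd64"        # plays the running kernel image
    : > "$root/vmlinuz-4.9.0-2-amd64"        # newer image on disk
    : > "$root/lost+found/vmlinuz-stray"     # shows whether find descended
    touch -t 201701180000 "$root/vmlinuz-4.9.0-1-amd64"   # make it the oldest
    printf '%s\n' "$root"
}

# $1 = tree root, $2 = kernel release (what `uname -r` supplies in the plugin)
find_original() {
    find "$1/" -name 'vmlinuz*' -and -name "vmlinuz-$2" \
        -or -name 'vmlinuz*' -and -newer "$1/vmlinuz-$2" | sort
}

# Expression from the report: the prune term sits in the first -and chain only.
find_patched() {
    find "$1/" -not \( -path "$1/lost+found" -prune \) \
        -name 'vmlinuz*' -and -name "vmlinuz-$2" \
        -or -name 'vmlinuz*' -and -newer "$1/vmlinuz-$2" | sort
}

# Same selection with the prune separated from the match by explicit grouping.
find_grouped() {
    find "$1/" -path "$1/lost+found" -prune -o \
        \( -name 'vmlinuz*' \( -name "vmlinuz-$2" -o -newer "$1/vmlinuz-$2" \) \) \
        -print | sort
}

tree=$(make_tree) || exit 1
for f in find_original find_patched find_grouped; do
    echo "== $f"
    "$f" "$tree" 4.9.0-1-amd64
done
rm -rf "$tree"
```

The original expression lists the stray file under lost+found because it descends into that directory; both pruned forms never enter it, which is why an unprivileged user no longer triggers the error.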