Werk #15327: mk_oracle: Follow-up to privilege escalation fix

Component Checks & agents
Title mk_oracle: Follow-up to privilege escalation fix
Date Apr 4, 2024
Level Prominent Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.4.0b1 (not yet released) Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b6 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p25 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p42 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

You might be affected by this Werk if you use mk_oracle on a Unix system.

You might be affected by this Werk if you use an Oracle wallet to connect to your database.

You are definitely affected by this Werk if you use an Oracle wallet to connect to your database and followed the instructions in our official documentation to set up your configuration.

This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.3.0b4.

Since Werk #16232 we switch to an unprivileged user when executing Oracle binaries. This causes problems when using an Oracle wallet, as the unprivileged user might not be able to access the files defining the connection details and credentials.

We introduced an additional permission check to the -t "Just check the connection" option of mk_oracle. It should help you adjust the permissions so that you can continue using mk_oracle with an Oracle wallet.

You can execute it with the following command:

MK_CONFDIR=/etc/check_mk/ MK_VARDIR=/var/lib/check_mk_agent /usr/lib/check_mk_agent/plugins/mk_oracle --no-spool -t

If you execute mk_oracle asynchronously, the path to the plugin differs. For a 60 second interval the path would be /usr/lib/check_mk_agent/plugins/60/mk_oracle.

The script will test permissions of the files needed to connect to the database. It boils down to the following:

mk_oracle switches to the owner of $ORACLE_HOME/bin/sqlplus before executing sqlplus, so that user needs the following permissions:

  • read $TNS_ADMIN/sqlnet.ora
  • read $TNS_ADMIN/tnsnames.ora
  • execute (traverse) the wallet folder (/etc/check_mk/oracle_wallet if you followed the official documentation)
  • read the files inside the wallet folder (/etc/check_mk/oracle_wallet/* if you followed the official documentation)
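The permission requirements above can be pre-checked without actually dropping to the sqlplus owner. The following script is an added example and is not mk_oracle's own -t implementation; it evaluates the classic mode bits (owner/group/other) of each file against the target user and its groups, which is the conservative view for an unprivileged user (POSIX ACLs and the root override are deliberately ignored). It assumes GNU coreutils (stat -c, id -Gn) as found on a typical Linux host; the function names, the sqlplus_owner helper and the constructed paths in the usage section are the example's own.

```shell
#!/bin/sh
# Preflight check for the files an Oracle wallet connection needs, evaluated for
# the user mk_oracle will switch to (the owner of $ORACLE_HOME/bin/sqlplus).
# Added example, not part of mk_oracle. Mode bits only: no ACLs, no root override.
# Assumes GNU stat (-c) and id (-Gn).

# has_perm USER PATH BIT -> exit 0 if USER has BIT (4 = read, 1 = execute) on PATH
has_perm() {
    local user path want out owner group m cls g
    user=$1; path=$2; want=$3
    [ -e "$path" ] || return 1
    out=$(stat -c '%U %G %a' "$path") || return 1
    set -- $out
    owner=$1; group=$2; m=$3          # stat prints the mode unpadded, e.g. 600, 4755 or 0
    # Each octal class digit is 0..7, so decimal digit extraction is safe here.
    if [ "$owner" = "$user" ]; then
        cls=$(( m / 100 % 10 ))       # owner class
    else
        cls=$(( m % 10 ))             # other class, unless USER is in the file's group
        for g in $(id -Gn "$user" 2>/dev/null); do
            if [ "$g" = "$group" ]; then cls=$(( m / 10 % 10 )); break; fi
        done
    fi
    [ $(( cls & want )) -ne 0 ]
}

# sqlplus_owner -> prints the user mk_oracle switches to (owner of sqlplus)
sqlplus_owner() {
    stat -c '%U' "${ORACLE_HOME:?ORACLE_HOME not set}/bin/sqlplus"
}

# check_wallet_access USER TNS_ADMIN WALLET_DIR
# Prints one line per missing permission; returns 0 only if all checks pass.
check_wallet_access() {
    local user tns_admin wallet rc f
    user=$1; tns_admin=$2; wallet=$3; rc=0
    for f in "$tns_admin/sqlnet.ora" "$tns_admin/tnsnames.ora"; do
        has_perm "$user" "$f" 4 || { echo "MISSING read: $user cannot read $f"; rc=1; }
    done
    has_perm "$user" "$wallet" 1 || { echo "MISSING execute: $user cannot traverse $wallet"; rc=1; }
    for f in "$wallet"/*; do
        [ -e "$f" ] || continue       # empty directory leaves the glob unexpanded
        has_perm "$user" "$f" 4 || { echo "MISSING read: $user cannot read $f"; rc=1; }
    done
    return $rc
}

# Usage on a real host (paths from the official documentation, owner derived from sqlplus):
#   ORACLE_HOME=/u01/app/oracle/product/19c/dbhome_1 \
#   check_wallet_access "$(sqlplus_owner)" "$TNS_ADMIN" /etc/check_mk/oracle_wallet
```

A clean run prints nothing and exits 0; every other line names the user, the missing bit and the file, which is exactly the chown/chmod to apply. Because the check is arithmetic on stat output, it can be run as root without the kernel's root override masking a problem the unprivileged user would hit.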

Besides that, we also fixed some bash syntax errors we introduced with Werk #16232.

See the Troubleshooting mk_oracle for Windows and Linux article for more information on diagnosing this problem.
