Werk #15328: mk_oracle: Follow-up to privilege escalation fix: sqlnet.ora

Component Checks & agents
Title mk_oracle: Follow-up to privilege escalation fix: sqlnet.ora
Date Apr 5, 2024
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.4.0b1 (Not yet released) Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b6 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p25 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p42 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

You are affected by this Werk if you use the mk_oracle agent plugin on Unix.

mk_oracle only works if it can find a sqlnet.ora in your $TNS_ADMIN folder. In the past, mk_oracle executed all Oracle binaries as root, so sqlnet.ora was always readable. Since Werk #16232, the Oracle binaries are executed as a low-privileged user, so sqlnet.ora might not be readable by this user.

mk_oracle will exit early if it cannot read sqlnet.ora. The error message might look like:

/etc/check_mk/sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.

The error message will also be visible in the oracle_instance check.

If you use the agent bakery to roll out mk_oracle to Unix servers using .rpm, .deb or Solaris .pkg packages, you have to use the 'sqlnet.ora permission group' bakery rule to adapt the group of the sqlnet.ora file. Otherwise, your permission changes might be overwritten when the agent is updated.

Otherwise, it is sufficient to adapt the permissions.

If you install the agent on Unix using the tgz package, you will have to manually adjust the permissions of the sqlnet.ora file.
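
To find out before an agent update whether the low-privileged user will be able to read sqlnet.ora, the permission decision can be reproduced from the file's owner, group and mode. The shell functions below are an added example, not part of mk_oracle or Checkmk; the function names are hypothetical, GNU stat (Linux) is assumed, and ACLs and parent-directory permissions are not evaluated.

```shell
#!/bin/sh
# Added example, not part of the Checkmk agent. Assumes GNU stat (Linux);
# ACLs and permissions of the parent directories are not evaluated.

# read_class FILE_UID FILE_GID MODE USER_UID "USER_GIDS"
# POSIX applies exactly one permission class: owner, else group, else other.
# Prints the class that grants read access, or "denied:<class>" and returns 1.
read_class() {
    f_uid=$1 f_gid=$2 mode=$((0$3)) u_uid=$4 u_gids=$5
    if [ "$u_uid" -eq 0 ]; then echo root; return 0; fi
    if [ "$u_uid" -eq "$f_uid" ]; then
        class=owner bit=$((mode & 0400))
    else
        class=other bit=$((mode & 0004))
        for g in $u_gids; do
            if [ "$g" -eq "$f_gid" ]; then
                class=group bit=$((mode & 0040))
                break
            fi
        done
    fi
    if [ "$bit" -ne 0 ]; then echo "$class"; return 0; fi
    echo "denied:$class"; return 1
}

# check_sqlnet_ora FILE USER: evaluate a real file for a real account.
# Returns 0 if readable, 1 if not, 2 if the file or the user does not exist.
check_sqlnet_ora() {
    file=$1 user=$2
    [ -e "$file" ] || { echo "$file does not exist"; return 2; }
    u_uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user $user"; return 2; }
    if how=$(read_class "$(stat -c %u "$file")" "$(stat -c %g "$file")" \
            "$(stat -c %a "$file")" "$u_uid" "$(id -G "$user")"); then
        echo "OK: $user can read $file via $how permissions"
    else
        echo "FAIL: $user cannot read $file ($how);" \
             "file group is $(stat -c %G "$file"), mode $(stat -c %a "$file")"
        return 1
    fi
}

# Usage (run as root on the monitored host; "oracle" is the user from the
# error message above):
#   check_sqlnet_ora "${TNS_ADMIN}/sqlnet.ora" oracle
```

A result of "denied:owner" means the user owns the file but the owner bits lack read access; group or other bits do not help in that case.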
