Werk #15328: mk_oracle: Follow-up to privilege escalation fix: sqlnet.ora
Component | Checks & agents
Title | mk_oracle: Follow-up to privilege escalation fix: sqlnet.ora
Date | Apr 5, 2024
Level | Trivial Change
Class | Bug Fix
Compatibility | Incompatible - Manual interaction might be required
Checkmk versions & editions |
You are affected by this Werk if you use the mk_oracle agent plugin on Unix.
mk_oracle only works if it can find a sqlnet.ora in your $TNS_ADMIN folder. In the past, mk_oracle executed all Oracle binaries as root, so sqlnet.ora was always readable. With Werk #16232, the Oracle binaries are executed as a low-privileged user, so sqlnet.ora might not be readable by this user.
mk_oracle will exit early if it cannot read sqlnet.ora. The error message might look like:
/etc/check_mk/sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.
The error message will also be visible in the oracle_instance check.
If you use the agent bakery to roll out mk_oracle to Unix servers using .rpm, .deb or Solaris .pkg packages, you have to use the 'sqlnet.ora permission group' bakery rule to adapt the group of the sqlnet.ora file; otherwise, your permission changes might be overwritten when the agent is updated.
Otherwise, it is sufficient to adapt the permissions.
If you install the agent on Unix using the tgz package, you will have to manually adjust the permissions of the sqlnet.ora file.
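
For the manual (tgz) case, a pre-flight check and a narrow fix can look like the following. This is an added example, not code from Checkmk or mk_oracle. It assumes GNU stat (Linux) and plain mode bits only (no ACLs, no check of the parent directories); the function names and the group name oinstall are hypothetical.

```shell
#!/bin/sh
# Added example (not Checkmk code). Assumes GNU stat and group names without
# spaces. ACLs and directory search permissions are not evaluated.

# Pure decision: may USER (member of USER_GROUPS) read a file with this
# owner, group and octal mode? Same order as the kernel: owner, group, other.
mode_allows_read() {
    owner=$1 group=$2 mode=$3 user=$4 user_groups=$5
    bits=$((0$mode))                      # leading 0 makes it octal
    if [ "$user" = "$owner" ]; then
        [ $((bits & 0400)) -ne 0 ]; return
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            [ $((bits & 0040)) -ne 0 ]; return
        fi
    done
    [ $((bits & 0004)) -ne 0 ]
}

# Returns 0 = readable, 1 = not readable, 2 = file or user missing.
sqlnet_readable_by() {
    user=$1 file=$2
    [ -f "$file" ] || return 2
    user_groups=$(id -Gn "$user" 2>/dev/null) || return 2
    set -- $(stat -c '%U %G %a' "$file")
    mode_allows_read "$1" "$2" "$3" "$user" "$user_groups"
}

# Hand the file to GROUP and add group read only; "other" bits stay untouched,
# so the file is not opened to every local account.
grant_group_read() {
    group=$1 file=$2
    chgrp "$group" "$file" && chmod g+r "$file"
}

# Typical use on an agent host (user "oracle" as in the error message above,
# group "oinstall" is a placeholder for a group that user belongs to):
#   f="$TNS_ADMIN/sqlnet.ora"
#   sqlnet_readable_by oracle "$f" || grant_group_read oinstall "$f"
```

On hosts that receive baked .rpm, .deb or .pkg packages, use the check only and set the group through the 'sqlnet.ora permission group' bakery rule, since a manual change might be overwritten by the next agent update.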