From e039d58020bddb3e25e47a5f8de24d0a78c45442 Mon Sep 17 00:00:00 2001 From: Ramon Novoa Date: Fri, 19 Nov 2010 14:18:34 +0000 Subject: [PATCH] 2010-11-19 Ramon Novoa * pandora_agent, AIX/pandora_agent.conf, pandora_agent_daemon, Linux/pandora_agent.conf, HP-UX/pandora_agent.conf, NT4/pandora_agent.conf, SunOS/pandora_agent.conf, FreeBSD/pandora_agent.conf: Added a new configuration option that lets the agent run as a different user by changing the process' EUID. * pandora_agent_installer: Several fixes. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3609 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_agents/unix/AIX/pandora_agent.conf | 3 + pandora_agents/unix/ChangeLog | 11 ++ .../unix/FreeBSD/pandora_agent.conf | 3 + pandora_agents/unix/HP-UX/pandora_agent.conf | 3 + pandora_agents/unix/Linux/pandora_agent.conf | 3 + pandora_agents/unix/NT4/pandora_agent.conf | 5 +- pandora_agents/unix/SunOS/pandora_agent.conf | 3 + pandora_agents/unix/pandora_agent | 15 ++ pandora_agents/unix/pandora_agent_daemon | 8 +- pandora_agents/unix/pandora_agent_installer | 145 +++++++++--------- 10 files changed, 118 insertions(+), 81 deletions(-) diff --git a/pandora_agents/unix/AIX/pandora_agent.conf b/pandora_agents/unix/AIX/pandora_agent.conf index b9d617faad..bf0476251e 100755 --- a/pandora_agents/unix/AIX/pandora_agent.conf +++ b/pandora_agents/unix/AIX/pandora_agent.conf @@ -82,6 +82,9 @@ transfer_mode tentacle # If set to 1 allows the agent to be configured via the web console (Only Enterprise version) # remote_config 1 +# User the agent will run as +#pandora_user root + # Secondary server configuration # ============================== diff --git a/pandora_agents/unix/ChangeLog b/pandora_agents/unix/ChangeLog index 53b58a62c3..8bec2b06f1 100644 --- a/pandora_agents/unix/ChangeLog +++ b/pandora_agents/unix/ChangeLog 
@@ -1,3 +1,14 @@ +2010-11-19 Ramon Novoa + + * pandora_agent, AIX/pandora_agent.conf, + pandora_agent_daemon, Linux/pandora_agent.conf, + HP-UX/pandora_agent.conf, NT4/pandora_agent.conf, + SunOS/pandora_agent.conf, FreeBSD/pandora_agent.conf: Added a new + configuration option that lets the agent run as a different user + by changing the process' EUID. + + * pandora_agent_installer: Several fixes. + 2010-11-15 Raúl Mateos * pandora_agent*, pandora_exec, plugins/pandora_update: Small changes: diff --git a/pandora_agents/unix/FreeBSD/pandora_agent.conf b/pandora_agents/unix/FreeBSD/pandora_agent.conf index d6620d0f40..e2cf6a4d35 100755 --- a/pandora_agents/unix/FreeBSD/pandora_agent.conf +++ b/pandora_agents/unix/FreeBSD/pandora_agent.conf @@ -88,6 +88,9 @@ transfer_mode tentacle # If set to 1 allows the agent to be configured via the web console (Only Enterprise version) # remote_config 1 +# User the agent will run as +#pandora_user root + # Secondary server configuration # ============================== diff --git a/pandora_agents/unix/HP-UX/pandora_agent.conf b/pandora_agents/unix/HP-UX/pandora_agent.conf index bb76f3abc6..7c768b816c 100755 --- a/pandora_agents/unix/HP-UX/pandora_agent.conf +++ b/pandora_agents/unix/HP-UX/pandora_agent.conf @@ -82,6 +82,9 @@ transfer_mode tentacle # If set to 1 allows the agent to be configured via the web console (Only Enterprise version) # remote_config 1 +# User the agent will run as +#pandora_user root + # Secondary server configuration # ============================== diff --git a/pandora_agents/unix/Linux/pandora_agent.conf b/pandora_agents/unix/Linux/pandora_agent.conf index 0d48912adc..fcc31cb0a7 100755 --- a/pandora_agents/unix/Linux/pandora_agent.conf +++ b/pandora_agents/unix/Linux/pandora_agent.conf 
@@ -100,6 +100,9 @@ transfer_mode tentacle # Number of threads to execute modules in parallel #agent_threads 1 +# User the agent will run as +pandora_user ramon + # Secondary server configuration # ============================== diff --git a/pandora_agents/unix/NT4/pandora_agent.conf b/pandora_agents/unix/NT4/pandora_agent.conf index d130ee39cd..c93ba642b7 100644 --- a/pandora_agents/unix/NT4/pandora_agent.conf +++ b/pandora_agents/unix/NT4/pandora_agent.conf @@ -100,6 +100,9 @@ remote_config 1 # Number of threads to execute modules in parallel #agent_threads 1 +# User the agent will run as +#pandora_user root + # Secondary server configuration # ============================== @@ -137,4 +140,4 @@ module_begin module_name Free_RAM module_type generic_data module_exec mem | grep "XMS" | gawk "{ print $1 }" -module_end \ No newline at end of file +module_end diff --git a/pandora_agents/unix/SunOS/pandora_agent.conf b/pandora_agents/unix/SunOS/pandora_agent.conf index 7ae88a9394..676bcd055a 100755 --- a/pandora_agents/unix/SunOS/pandora_agent.conf +++ b/pandora_agents/unix/SunOS/pandora_agent.conf @@ -82,6 +82,9 @@ transfer_mode tentacle # If set to 1 allows the agent to be configured via the web console (Only Enterprise version) # remote_config 1 +# User the agent will run as +#pandora_user root + # Secondary server configuration # ============================== diff --git a/pandora_agents/unix/pandora_agent b/pandora_agents/unix/pandora_agent index 13f79a1db9..f7ee0ce133 100755 --- a/pandora_agents/unix/pandora_agent +++ b/pandora_agents/unix/pandora_agent 
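Review bot: The Linux default ships `pandora_user ramon` uncommented, while every other platform file in this patch adds the commented `#pandora_user root`. On a host with no account named ramon, the startup check added to pandora_agent in this same patch would take its error () path. On a host that does have one, the agent would run under an unrelated personal account. This looks like a developer's local value that slipped in; the line should read `#pandora_user root` like the others.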
@@ -1293,6 +1293,20 @@ print_usage unless ($#ARGV == 0); $ConfDir = fix_directory ($ARGV[0]); error ("Directory '$ConfDir' does not exist.") unless (-d "$ConfDir"); +# Get user to run as +my $pandora_user = read_config ('pandora_user'); +if (defined ($pandora_user)) { + # Change the EUID + my $pandora_user_uid = getpwnam ($pandora_user); + if (!defined ($pandora_user_uid)) { + error ("Cannot get uid for user $pandora_user. Does the user exist and can we read /etc/passwd?"); + } + $> = $pandora_user_uid; + if ($> != $pandora_user_uid) { + error ("Cannot run as $pandora_user: Insufficient permissions."); + } +} + # Guess the OS version $OS_VERSION = guess_os_version ($OS); @@ -1301,6 +1315,7 @@ md5_init (); # Start logging start_log (); +log_message ('log', 'Running as user ' . getpwuid ($>)); # Read configuration file read_config (); diff --git a/pandora_agents/unix/pandora_agent_daemon b/pandora_agents/unix/pandora_agent_daemon index 966c81e30e..70b01c9b06 100755 --- a/pandora_agents/unix/pandora_agent_daemon +++ b/pandora_agents/unix/pandora_agent_daemon @@ -22,7 +22,6 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin PANDORA_PATH=/etc/pandora -PANDORA_USER=root DAEMON=/usr/bin/pandora_agent LOGFILE=/var/log/pandora/pandora_agent.log @@ -73,12 +72,7 @@ case "$1" in echo "Cannot launch again. Aborting." exit 1 fi - if [ "$PANDORA_USER" = "root" ] - then - nohup $DAEMON $PANDORA_PATH 2> $LOGFILE & - else - sudo -u $PANDORA_USER $DAEMON $PANDORA_PATH >/dev/null 2> $LOGFILE & - fi + nohup $DAEMON $PANDORA_PATH 2> $LOGFILE & rm nohup.out 2> /dev/null sleep 2 PANDORA_PID=`pidof_pandora` diff --git a/pandora_agents/unix/pandora_agent_installer b/pandora_agents/unix/pandora_agent_installer index 51a278b899..8bdf7c5d63 100755 --- a/pandora_agents/unix/pandora_agent_installer +++ b/pandora_agents/unix/pandora_agent_installer 
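Review bot: Assigning only `$>` in the first pandora_agent hunk leaves the real UID, the saved UID and every group ID at their original values, so the privilege drop is both incomplete and reversible. The pandora_agent_daemon hunk below removes the `sudo -u` branch, so the agent now always starts with the launcher's identity (normally root) and this block is the only drop left. Anything the agent later runs can set the effective UID back, and some shells reset the effective UID to the real one when the two differ, so module commands may still execute as root. Unless the agent needs to regain root later (not visible here), I would take the GID from the same getpwnam call, set the groups first and then the real and effective UID together, as sketched below. The added check should then verify `$<` as well as `$>`.

```perl
	my ($pandora_user_uid, $pandora_user_gid) = (getpwnam ($pandora_user))[2, 3];
	# … unchanged: error () when the user cannot be resolved …
	# Groups first (while still privileged), then real and effective UID together,
	# so the original identity cannot be restored later.
	$) = "$pandora_user_gid $pandora_user_gid";
	$( = $pandora_user_gid;
	($<, $>) = ($pandora_user_uid, $pandora_user_uid);
	if ($< != $pandora_user_uid || $> != $pandora_user_uid) {
		error ("Cannot run as $pandora_user: Insufficient permissions.");
	}
```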
@@ -26,7 +26,7 @@ TENTACLE=/usr/bin/tentacle_client PANDORA_MAN=/usr/share/man MODE=$1 -PANDORA_BASE=$2 +PANDORA_BASE=`echo $2 | sed -e 's/\/$//'` PANDORA_USER=$3 # Check for Perl 5.6.x or higher available 
@@ -170,19 +170,75 @@ install () { echo "Checking Pandora FMS Agent on $PANDORA_BASE$PANDORA_BIN...." fi - echo "Creating Pandora FMS Agent home directory at $PANDORA_BASE$PANDORA_HOME" - if [ ! -z "$PANDORA_BASE" ] + # Alter dynamically the daemon launcher and setup the new path + # if PANDORA_BASE is customized. + + if [ ! -z "$PANDORA_BASE" ] + then + if [ "$OS_NAME" = "FreeBSD" ] then - mkdir -p $PANDORA_BASE 2> /dev/null - mkdir -p $PANDORA_BASE/var/log 2> /dev/null - mkdir -p $PANDORA_BASE/$PANDORA_MAN/man1 2> /dev/null - if [ "$OS_NAME" = "FreeBSD" ] - then - mkdir -p $PANDORA_BASE/usr/local/bin 2> /dev/null - else - mkdir -p $PANDORA_BASE/usr/bin 2> /dev/null - fi + DAEMON_SCRIPT=FreeBSD/pandora_agent + DAEMON_TEMP=pandora_agent_daemon_temp + else + DAEMON_SCRIPT=pandora_agent_daemon + DAEMON_TEMP=pandora_agent_daemon_temp fi + + AGENT_CFG=$OS_NAME/pandora_agent.conf + AGENT_CFG_TEMP=$OS_NAME/pandora_agent.conf.temp + + echo $PANDORA_BASE > PANDORA_BASE.temp + sed 's/\//\\\//g' PANDORA_BASE.temp > PANDORA_BASE.temp2 + + PANDORA_BASE_DECODED=`cat PANDORA_BASE.temp2` + rm PANDORA_BASE.temp PANDORA_BASE.temp2 + + if [ "$OS_NAME" = "FreeBSD" ] + then + sed -e "s/^PATH\=[.]*/PATH\=$PANDORA_BASE_DECODED\/usr\/local\/bin\:/g" $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + + sed -e "s/^command\=[.]*/command\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + + sed -e 's/^command_args\=\"[.]*/command_args\=\"$PANDORA_BASE_DECODED/g' $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + + sed -e 's/^required_files\=\"[.]*/required_files\=\"$PANDORA_BASE_DECODED/g' $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + else + sed -e "s/^PATH\=[.]*/PATH\=$PANDORA_BASE_DECODED\/usr\/bin\:/g" $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + + sed -e "s/^PANDORA_PATH\=[.]*/PANDORA_PATH\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + + 
sed -e "s/^LOGFILE\=[.]*/LOGFILE\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + + sed -e "s/^DAEMON\=[.]*/DAEMON\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP + mv $DAEMON_TEMP $DAEMON_SCRIPT + fi + + sed -e "s/^temporal [.]*/temporal $PANDORA_BASE_DECODED/g" $AGENT_CFG > $AGENT_CFG_TEMP + mv $AGENT_CFG_TEMP $AGENT_CFG + + sed -e "s/^logfile [.]*/logfile $PANDORA_BASE_DECODED/g" $AGENT_CFG > $AGENT_CFG_TEMP + mv $AGENT_CFG_TEMP $AGENT_CFG + fi + echo "Creating Pandora FMS Agent home directory at $PANDORA_BASE$PANDORA_HOME" + if [ ! -z "$PANDORA_BASE" ] + then + mkdir -p $PANDORA_BASE 2> /dev/null + mkdir -p $PANDORA_BASE/var/log 2> /dev/null + mkdir -p $PANDORA_BASE/$PANDORA_MAN/man1 2> /dev/null + if [ "$OS_NAME" = "FreeBSD" ] + then + mkdir -p $PANDORA_BASE/usr/local/bin 2> /dev/null + else + mkdir -p $PANDORA_BASE/usr/bin 2> /dev/null + fi + fi mkdir -p $PANDORA_BASE$PANDORA_HOME 2> /dev/null @@ -196,10 +252,10 @@ install () { # Set the user the agent will run as if [ "$PANDORA_USER" != "" ] then - sed -e "s/^\s*PANDORA_USER=.*/PANDORA_USER=$PANDORA_USER/" pandora_agent_daemon > pandora_agent_daemon.tmp 2> /dev/null && \ - mv pandora_agent_daemon.tmp pandora_agent_daemon - rm -f pandora_agent_daemon.tmp 2> /dev/null + sed -e "s/.*pandora_user .*/pandora_user $PANDORA_USER/" $AGENT_CFG > $AGENT_CFG_TEMP 2> /dev/null && \ + mv $AGENT_CFG_TEMP $AGENT_CFG chmod 755 pandora_agent_daemon + chown -R $PANDORA_USER $PANDORA_BASE else PANDORA_USER="root" fi 
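Review bot: `$AGENT_CFG` and `$AGENT_CFG_TEMP`, used by the new `sed` line in the `@@ -196,10 +252,10 @@` hunk, are only assigned inside the `if [ ! -z "$PANDORA_BASE" ]` block that the previous hunk moved up. When a user is passed without a base path, the redirect target is empty, the `&&` chain fails with its error sent to `/dev/null`, and `pandora_user` is never written, so the requested account is silently not applied; moving the two `AGENT_CFG` assignments above the `PANDORA_BASE` test would fix this. `$PANDORA_USER` also comes straight from `$3` and is used unquoted in both the sed expression and `chown -R $PANDORA_USER $PANDORA_BASE`. Validating it first (for example `id "$PANDORA_USER" >/dev/null 2>&1 || exit 1`) and quoting both variables would stop a malformed argument from changing the sed program or the chown operands. `install ()` begins and ends outside this hunk.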
@@ -269,64 +325,7 @@ install () { chown root:root $PANDORA_BASE$PANDORA_LOG_DIR/$PANDORA_LOG fi - # Alter dynamically the daemon launcher and setup the new path - # if PANDORA_BASE is customized. - - if [ ! -z "$PANDORA_BASE" ] - then - if [ "$OS_NAME" = "FreeBSD" ] - then - DAEMON_SCRIPT=FreeBSD/pandora_agent - DAEMON_TEMP=pandora_agent_daemon_temp - else - DAEMON_SCRIPT=pandora_agent_daemon - DAEMON_TEMP=pandora_agent_daemon_temp - fi - - AGENT_CFG=$OS_NAME/pandora_agent.conf - AGENT_CFG_TEMP=$OS_NAME/pandora_agent.conf.temp - - echo $PANDORA_BASE > PANDORA_BASE.temp - sed 's/\//\\\//g' PANDORA_BASE.temp > PANDORA_BASE.temp2 - - PANDORA_BASE_DECODED=`cat PANDORA_BASE.temp2` - rm PANDORA_BASE.temp PANDORA_BASE.temp2 - - if [ "$OS_NAME" = "FreeBSD" ] - then - sed -e "s/^PATH\=[.]*/PATH\=$PANDORA_BASE_DECODED\/usr\/local\/bin\:/g" $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - - sed -e "s/^command\=[.]*/command\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - - sed -e 's/^command_args\=\"[.]*/command_args\=\"$PANDORA_BASE_DECODED/g' $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - - sed -e 's/^required_files\=\"[.]*/required_files\=\"$PANDORA_BASE_DECODED/g' $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - else - sed -e "s/^PATH\=[.]*/PATH\=$PANDORA_BASE_DECODED\/usr\/bin\:/g" $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - - sed -e "s/^PANDORA_PATH\=[.]*/PANDORA_PATH\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - - sed -e "s/^LOGFILE\=[.]*/LOGFILE\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - - sed -e "s/^DAEMON\=[.]*/DAEMON\=$PANDORA_BASE_DECODED/g" $DAEMON_SCRIPT > $DAEMON_TEMP - mv $DAEMON_TEMP $DAEMON_SCRIPT - fi - - sed -e "s/^temporal [.]*/temporal $PANDORA_BASE_DECODED/g" $AGENT_CFG > $AGENT_CFG_TEMP - mv $AGENT_CFG_TEMP $AGENT_CFG - - sed -e "s/^logfile 
[.]*/logfile $PANDORA_BASE_DECODED/g" $AGENT_CFG > $AGENT_CFG_TEMP - mv $AGENT_CFG_TEMP $AGENT_CFG - fi - - echo "Copying default agent configuration to $PANDORA_BASE$PANDORA_CFG/pandora_agent.conf" + echo "Copying default agent configuration to $PANDORA_BASE$PANDORA_CFG/pandora_agent.conf" cp $OS_NAME/pandora_agent.conf $PANDORA_BASE$PANDORA_CFG/pandora_agent.conf chmod 600 $PANDORA_BASE$PANDORA_CFG/pandora_agent.conf