author | Ilya Mashchenko <ilya@netdata.cloud> | 2020-04-06 10:05:04 +0300 |
committer | GitHub <noreply@github.com> | 2020-04-06 10:05:04 +0300 |
commit | fe2273567a56d22a551c0becd3fef16696e87e8c (patch) | |
tree | 67c51c6f73fe6ed601529b712ccdbfcc8ff72751 | |
parent | 5e766c5ae16bcddd15e5656ac759784af03d9fdf (diff) |
charts.d/libreswan: fix sudo check (#8569)
If the libreswan_sudo parameter is set (which is the default), netdata executes ipsec with sudo without checking whether it has permission to do so. As a result, a user receives security notices on a daily basis:
user NOT in sudoers ; TTY=unknown ; PWD=/etc/netdata ; USER=root ; COMMAND=/usr/sbin/ipsec whack --trafficstatus
This PR adds the check.
-rw-r--r-- | collectors/charts.d.plugin/libreswan/libreswan.chart.sh | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/collectors/charts.d.plugin/libreswan/libreswan.chart.sh b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
index 3d0d3e3f7d..1320983a53 100644
--- a/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
+++ b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
@@ -37,6 +37,16 @@ declare -A libreswan_established_add_time=()
 # we need this to avoid converting tunnel names to chart IDs on every iteration
 declare -A libreswan_tunnel_charts=()
+is_able_sudo_ipsec() {
+ if ! sudo -n -l "${IPSEC_CMD}" whack --status > /dev/null 2>&1; then
+ return 1
+ fi
+ if ! sudo -n -l "${IPSEC_CMD}" whack --trafficstatus > /dev/null 2>&1; then
+ return 1
+ fi
+ return 0
+}
+
 # run the ipsec command
 libreswan_ipsec() {
 if [ ${libreswan_sudo} -ne 0 ]; then
@@ -92,6 +102,11 @@ libreswan_check() {
 return 1
 fi
+ if [ ${libreswan_sudo} -ne 0 ] && ! is_able_sudo_ipsec; then
+ error "not enough permissions to execute ipsec with sudo. Disabling Libreswan plugin."
+ return 1
+ fi
+
 # check that we can collect data
 libreswan_get || return 1 |
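Review bot: The new helper `is_able_sudo_ipsec` in the first hunk is the only function here without the `libreswan_` prefix that `libreswan_ipsec`, `libreswan_check` and `libreswan_get` carry; charts.d modules appear to be sourced into one shell namespace (which is presumably why the siblings are prefixed), so the unprefixed name invites a collision with another module's helper and should be renamed, e.g. `libreswan_can_sudo_ipsec`, at both the definition and the call in the second hunk. The two probes differ only in the `whack` argument, so a single loop such as `for sub in --status --trafficstatus; do sudo -n -l "${IPSEC_CMD}" whack "${sub}" >/dev/null 2>&1 || return 1; done` keeps the list of required subcommands in one place and is what a later `whack --listall` check would extend. The `error` line in `libreswan_check` would be more actionable if it named the command it probed, e.g. `error "sudo -n -l ${IPSEC_CMD} whack --status/--trafficstatus failed for user $(id -un). Disabling Libreswan plugin."`, so the operator knows which sudoers entry is missing. Since the commit's motivation is the daily sudoers notice, it is worth confirming that `sudo -n -l` itself produces no `NOT in sudoers` entry for a user entirely absent from sudoers; if it does, the check only moves the notice to startup rather than removing it. `libreswan_check` starts before the second hunk and its body continues past it.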