authorIlya Mashchenko <ilya@netdata.cloud>2020-04-06 10:05:04 +0300
committerGitHub <noreply@github.com>2020-04-06 10:05:04 +0300
commitfe2273567a56d22a551c0becd3fef16696e87e8c (patch)
tree67c51c6f73fe6ed601529b712ccdbfcc8ff72751 /collectors/charts.d.plugin
parent5e766c5ae16bcddd15e5656ac759784af03d9fdf (diff)
charts.d/libreswan: fix sudo check (#8569)
If the libreswan_sudo parameter is set (which is the default), netdata executes ipsec with sudo without checking whether it has permission to do so. As a result, a user receives security notices on a daily basis: user NOT in sudoers ; TTY=unknown ; PWD=/etc/netdata ; USER=root ; COMMAND=/usr/sbin/ipsec whack --trafficstatus This PR adds the check.
Diffstat (limited to 'collectors/charts.d.plugin')
-rw-r--r--collectors/charts.d.plugin/libreswan/libreswan.chart.sh15
1 files changed, 15 insertions, 0 deletions
diff --git a/collectors/charts.d.plugin/libreswan/libreswan.chart.sh b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
index 3d0d3e3f7d..1320983a53 100644
--- a/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
+++ b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
@@ -37,6 +37,16 @@ declare -A libreswan_established_add_time=()
# we need this to avoid converting tunnel names to chart IDs on every iteration
declare -A libreswan_tunnel_charts=()
+is_able_sudo_ipsec() {
+ if ! sudo -n -l "${IPSEC_CMD}" whack --status > /dev/null 2>&1; then
+ return 1
+ fi
+ if ! sudo -n -l "${IPSEC_CMD}" whack --trafficstatus > /dev/null 2>&1; then
+ return 1
+ fi
+ return 0
+}
+
# run the ipsec command
libreswan_ipsec() {
if [ ${libreswan_sudo} -ne 0 ]; then
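Review bot: `is_able_sudo_ipsec` is added without a header comment while its neighbour `libreswan_ipsec` has one, and because both `sudo -n -l` calls discard stderr the reader gets no hint of what is being tested; a line such as `# check, without prompting for a password (-n), that sudoers allows the current user to run the two "ipsec whack" commands the plugin needs; only the exit status matters` would state the contract. The two `if ! …; then return 1; fi` blocks can collapse into one chained command whose status becomes the function's result, `sudo -n -l "${IPSEC_CMD}" whack --status >/dev/null 2>&1 && sudo -n -l "${IPSEC_CMD}" whack --trafficstatus >/dev/null 2>&1`. Note that `sudo -l <command>` only reports whether the policy permits that exact command line, so the check is meaningful only if `IPSEC_CMD` already holds the resolved ipsec path when `libreswan_check` calls this function; that assignment lies outside the hunk and is worth confirming.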
@@ -92,6 +102,11 @@ libreswan_check() {
return 1
fi
+ if [ ${libreswan_sudo} -ne 0 ] && ! is_able_sudo_ipsec; then
+ error "not enough permissions to execute ipsec with sudo. Disabling Libreswan plugin."
+ return 1
+ fi
+
# check that we can collect data
libreswan_get || return 1