Merge "Change file owner so that check_ceph_osd nrpe service can work on CIS hardened environments"

2020-11-03 12:58:30 +00:00 · 2020-11-03 12:58:30 +00:00 · 8b5cc65de5
commit 8b5cc65de5
parent 6abe0f8d3a 25b97b332f
1 changed files with 11 additions and 0 deletions
--- a/files/nagios/collect_ceph_osd_services.py
+++ b/files/nagios/collect_ceph_osd_services.py
@ -6,6 +6,7 @@

 import os
 import subprocess
+from pwd import getpwnam

 # fasteners only exists in Bionic, so this will fail on xenial and trusty
 try:
@ -71,6 +72,16 @@ def do_status():
    with open(_tmp_file, 'wt') as f:
        f.writelines(lines)

+    # In cis hardened environments check_ceph_osd_services cannot
+    # read _tmp_file due to restrained permissions (#LP1879667).
+    # Changing the owner of the file to nagios solves this problem.
+    # check_ceph_osd_services.py removes this file, so make
+    # sure that we change permissions on a file that exists.
+    nagios_uid = getpwnam('nagios').pw_uid
+    nagios_gid = getpwnam('nagios').pw_gid
+    if os.path.isfile(_tmp_file):
+        os.chown(_tmp_file, nagios_uid, nagios_gid)
+

 def run_main():
    # on bionic we can interprocess lock; we don't do it for older platforms