[Pkg-nagios-devel] Bug#855416: check_running_kernel: don't search /boot/lost+found

Jonas Meurer jonas at freesources.org
Fri Feb 17 19:09:44 UTC 2017


Package: nagios-plugins-contrib
Version: 20.20170118
Severity: normal
Tags: patch

Hello,

recent changes to check_running_kernel introduced a find on /boot, which
includes /boot/lost+found on ext2/3/4 partitions and in turn produces an
error message if the check is run by a non-root user:

# sudo -u nagios /usr/lib/nagios/plugins/check_running_kernel 
find: ‘/boot/lost+found’: Permission denied
WARNING: Running kernel does not match on-disk kernel image: [Linux version 4.9.0-1-amd64 (debian-kernel at lists.debian.org) (gcc version 6.3.0 20161229 (Debian 6.3.0-2) ) #1 SMP Debian 4.9.2-2 (2017-01-12) != Linux version 4.9.0-1-amd64 (debian-kernel at lists.debian.org) (gcc version 6.3.0 20170124 (Debian 6.3.0-5) ) #1 SMP Debian 4.9.6-3 (2017-01-28)]

This can easily be fixed by excluding /boot/lost+found in the find
command.

Instead of

$([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort)

do

$([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -not \( -path /boot/lost+found -prune \) -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort)

In my opinion, this would be a good thing as there's no need to run
check_running_kernel as user root. For security reasons, as few checks
as possible should be executed with root permissions.

Cheers,
 jonas

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
--- /usr/lib/nagios/plugins/check_running_kernel.orig	2017-01-18 21:18:18.000000000 +0000
+++ /usr/lib/nagios/plugins/check_running_kernel	2017-02-17 19:08:16.425332437 +0000
@@ -185,8 +185,8 @@
 
 searched=""
 for on_disk in \
-	$([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort) \
-	$([ -f "/boot/kfreebsd-$(uname -r).gz" ] && find /boot/ -name 'kfreebsd*' -and -name "kfreebsd-$(uname -r).gz" -or -name 'kfreebsd*' -and -newer "/boot/kfreebsd-$(uname -r).gz" | sort); do
+	$([ -f "/boot/vmlinuz-$(uname -r)" ] && find /boot/ -not \( -path /boot/lost+found -prune \) -name 'vmlinuz*' -and -name "vmlinuz-$(uname -r)" -or -name 'vmlinuz*' -and -newer "/boot/vmlinuz-$(uname -r)" | sort) \
+	$([ -f "/boot/kfreebsd-$(uname -r).gz" ] && find /boot/ -not \( -path /boot/lost+found -prune \) -name 'kfreebsd*' -and -name "kfreebsd-$(uname -r).gz" -or -name 'kfreebsd*' -and -newer "/boot/kfreebsd-$(uname -r).gz" | sort); do
 
 	if [ -e "$on_disk" ]; then
 		if [ -z "$STRINGS" ]; then
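Review bot: In both added `find` lines the `-not \( -path /boot/lost+found -prune \)` test is joined only to the first `-name ... -and -name ...` pair, because the implicit AND binds tighter than `-or`; the `-or -name ... -and -newer ...` branch is not guarded by it. The directory is still skipped in practice, since the prune is evaluated before the `-or` branch is tried, but that relies on evaluation order rather than on the structure of the expression. Consider putting the prune first and grouping the name tests, for example `find /boot/ -path /boot/lost+found -prune -o \( ... \) -print`, so the exclusion visibly applies to both branches. The excluded path is also hard-coded, so any other directory under /boot that the unprivileged user cannot read would still put a "Permission denied" line on stderr.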


