recent update to sudo breaks bacula_jobs check with psql #94

@candlerb

There has been a recent change to sudo on Ubuntu:

sudo (1.9.15p5-3ubuntu5.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: Local Privilege Escalation via host option
    - debian/patches/CVE-2025-32462.patch: only allow specifying a host
      when listing privileges.
    - CVE-2025-32462
...
 -- Marc Deslauriers <[email protected]>  Wed, 25 Jun 2025 08:42:53 -0400

This breaks the bacula_jobs check:

# /usr/lib/check_mk_agent/plugins/bacula_jobs
<<<bacula_jobs:sep(9)>>>
sudo: a remote host may only be specified when listing privileges.
#

Analysis

The problem arises here:

if [ "$dbhost" ]; then
    DB_HOST_OPT="--host=$dbhost"
fi
...
    ... | sudo "$DB_HOST_OPT" -u "$dbuser" "$psql_bin" --tuples-only -AF $'\t'  "$dbname" "$dbuser"

I have dbhost=localhost, but sudo --host=localhost <anything> is no longer permitted (except sudo --host=localhost -l)

Setting dbhost to empty string doesn't work, because DB_HOST_OPT is quoted; sudo then tries to run the empty string as a command.

# /usr/lib/check_mk_agent/plugins/bacula_jobs
<<<bacula_jobs:sep(9)>>>
sudo: : command not found

Workaround

I am able to work around it like this in /etc/check_mk/bacula.cfg by providing a dummy argument in DB_HOST_OPT, and setting dbhost to empty string to avoid the script overwriting it:

##### This is a frig to work around sudo brokenness #####
dbhost=
DB_HOST_OPT="--prompt=dontcare"
##### End frig #####
backend_type=pgsql
dbname=bacula
dbuser=bacula

Proposed solution

I think the whole $DB_HOST_OPT needs to be removed from sudo psql.

--- bacula_jobs.orig    2021-08-03 22:24:22
+++ bacula_jobs 2025-07-01 11:09:15
@@ -31,7 +31,7 @@
         echo "psql executable cannot be found!" >&2
         exit 1
     fi
-    echo "Select JobId, Name, JobStatus, EndTime FROM Job WHERE EndTime BETWEEN NOW() - interval '30 days' AND NOW();" | sudo "$DB_HOST_OPT" -u "$dbuser" "$psql_bin" --tuples-only -AF $'\t'  "$dbname" "$dbuser"
+    echo "Select JobId, Name, JobStatus, EndTime FROM Job WHERE EndTime BETWEEN NOW() - interval '30 days' AND NOW();" | sudo -u "$dbuser" "$psql_bin" --tuples-only -AF $'\t'  "$dbname" "$dbuser"
 else
     # default: MySQL / MariaDB
     mysql_bin=$(which mysql)
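
Review bot: On the changed sudo -u "$dbuser" "$psql_bin" line, dropping "$DB_HOST_OPT" means a non-empty dbhost in bacula.cfg is now silently ignored when backend_type=pgsql, so an operator who set it gets a local Unix-socket connection with no indication that the setting had no effect. Consider printing a warning to stderr in the pgsql branch when dbhost is non-empty, and updating the plugin help text in the same change to state that dbhost only applies to the MySQL / MariaDB path.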

(and maybe the plugin help text should be updated)

Note: you can't move $DB_HOST_OPT to being a psql flag (like it is for mysql), because although --host=localhost is valid, that makes psql use a TCP/IP connection instead of a Unix socket, and prompts for a password:

# sudo -u postgres psql --host=localhost bacula
Password for user postgres:

(Perhaps it would be useful to have a feature to specify dbhost/dbuser/dbpassword for connecting to a remote postgres database, but that's additional functionality that doesn't exist today)
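
The quoting behaviour described under Analysis, shown as an added example (not code from the issue or from the plugin): a quoted empty variable still occupies one argument slot, which is why sudo tried to run the empty string as a command, while the `${VAR:+"$VAR"}` expansion omits the argument entirely when the variable is empty. `show_argv` is a hypothetical stand-in for sudo so the script runs without privileges; it only covers the quoting half of the problem, since sudo now rejects `--host` for anything but listing privileges.

```shell
#!/bin/sh
# Hypothetical stand-in for sudo: prints the argument count and the first
# argument, i.e. what sudo would parse as its first option or command.
show_argv() {
    printf '%s:[%s]\n' "$#" "${1-}"
}

# Pattern used by the plugin: the option variable is always passed, quoted.
# An empty value still becomes one (empty) argv element.
call_quoted() {
    DB_HOST_OPT=$1
    show_argv "$DB_HOST_OPT" -u bacula psql
}

# Guarded pattern: ${VAR:+word} expands to nothing when VAR is empty or
# unset, and to exactly one quoted word otherwise (no word splitting).
call_guarded() {
    DB_HOST_OPT=$1
    show_argv ${DB_HOST_OPT:+"$DB_HOST_OPT"} -u bacula psql
}

# Constructed sample inputs.
call_quoted ""                     # empty first argument is passed through
call_guarded ""                    # option dropped, first argument is -u
call_guarded "--prompt=dontcare"   # option kept as a single argument
call_guarded "--prompt=two words"  # still a single argument despite the space
```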
