ZBX-10741

User param mysql.size[], included in the sources, produces an error on some shells

    Details

      Description

      It has been added to "userparameter_mysql.conf" in ZBXNEXT-849
      Note - it is included in agent packages as well.

      When executing user parameters, the Zabbix agent executes the provided command using the /bin/sh path to the shell.
      On different distros this path is a symbolic link to different shells.
      For example, on CentOS and OpenSUSE it's "bash", where it works well.
      But on Debian (maybe Ubuntu too?) it's "dash", and the user parameter produces an error:

      # zabbix_get -s localhost -k mysql.size[]
      sh: 1: [[: not found
      sh: 1: : Permission denied
      sh: 1: [[: not found
      sh: 1: : Permission denied
      9154856857
      
      # zabbix_get -s localhost -k mysql.size[uname]
      sh: 1: [[: not found
      uname: extra operand ‘]]’
      Try 'uname --help' for more information.
      sh: 1: [[: not found
      sh: 1: : Permission denied
      9154856857
      
      # zabbix_get -s localhost -k mysql.size[,uname]
      sh: 1: [[: not found
      sh: 1: : Permission denied
      sh: 1: [[: not found
      uname: extra operand ‘]]’
      Try 'uname --help' for more information.
      9154856857
      

      Moreover - the 1st and 2nd key params will be executed as commands with "]]" as a command parameter, which may be considered a small vulnerability.
      Why small - because the "]]" parameter will most likely cause a syntax error for binary tools in the OS.

      To fix this issue for dash I suggest rewriting the user parameter a bit.
      Existing:

      UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N
      

      suggested one:

      UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([ "$1" = "all" ] || [ ! "$1" ] || echo " where table_schema='$1'")$([ "$2" = "all" ] || [ ! "$2" ] || echo " and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N
      

      (note - an additional space has been added for better SQL syntax)
      Basically the change is [[ true || true ]] to [ true ] || [ true ]
      It works well on bash and dash.

      I've tested the suggested change on other available shells (on Debian 8); results:

      • csh (version 20110502-2.1) and tcsh (version 6.18.01-3): both shells, for both styles (existing, suggested), produce:
        Illegal variable name.
        
      • zsh (version 5.0.7-5): for both styles:
        zsh:1: parse error near `""'
        zsh:1: parse error in command substitution
        
      • ksh (version 93u+20120801-1) works well for both styles

      As an idea, I've tried adding "bash" as a prefix for the complete command line.
      Of course it works with any mentioned shell (tested) linked to /bin/sh, but requires bash to be installed, which is not the case for any distro by default:

      UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo " and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
      

      (also - single quotes have been changed to double quotes and escaped)

      Need to decide which way we will go.
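
An added example, not part of the original report and not Zabbix project code: a POSIX sh lint that flags UserParameter lines using the bash-only `[[` test, together with the portable form of the condition from the suggested fix. The function names, the demo.* keys and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Zabbix project code. POSIX sh only, so it behaves the
# same whether /bin/sh points at dash or bash.

# Print "file:line:key" for every UserParameter whose command contains the
# bash-only "[[" test. Returns 0 if at least one was found, 1 otherwise.
lint_userparams() {
    found=1
    for conf in "$@"; do
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in
                UserParameter=*,*'[['*)
                    key=${line#UserParameter=}
                    key=${key%%,*}          # key ends at the first comma
                    printf '%s:%s:%s\n' "$conf" "$n" "$key"
                    found=0
                    ;;
            esac
        done < "$conf"
    done
    return "$found"
}

# The portable form of the condition from the suggested fix: print a WHERE
# fragment unless the argument is "all" or empty.
schema_filter() {
    [ "$1" = "all" ] || [ ! "$1" ] || echo " where table_schema='$1'"
}

# Constructed sample config: demo.old uses "[[", demo.new uses "[".
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real Zabbix file
UserParameter=demo.old[*],echo "t$([[ "$1" = "all" || ! "$1" ]] || echo " where s='$1'")"
UserParameter=demo.new[*],echo "t$([ "$1" = "all" ] || [ ! "$1" ] || echo " where s='$1'")"
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
lint_userparams "$tmp" || echo "no bash-only tests found"
rm -f "$tmp"
```

The match is purely textual, so a command that contains `[[` for another reason (for example a `[[:space:]]` character class) is also reported and needs a manual look.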

              Reporter:
              zalex_ua Oleksiy Zagorskyi