-
Defect (Security)
-
Resolution: Fixed
-
Blocker
-
2.0.17, 2.2.12, 3.0.2
It has been added to "userparameter_mysql.conf" in ZBXNEXT-849
Note - it included to agent packages as well.
When executing user parameters, zabbix agent execute provided command using /bin/sh path to shell.
On different distros this path is a symbolic link to different shells.
For example on CentOS, OpenSUSE it's "bash", where it works well.
But on Debian (maybe Ubuntu too?) it's "dash", and the user parameter produces error:
# zabbix_get -s localhost -k mysql.size[] sh: 1: [[: not found sh: 1: : Permission denied sh: 1: [[: not found sh: 1: : Permission denied 9154856857 # zabbix_get -s localhost -k mysql.size[uname] sh: 1: [[: not found uname: extra operand ‘]]’ Try 'uname --help' for more information. sh: 1: [[: not found sh: 1: : Permission denied 9154856857 # zabbix_get -s localhost -k mysql.size[,uname] sh: 1: [[: not found sh: 1: : Permission denied sh: 1: [[: not found uname: extra operand ‘]]’ Try 'uname --help' for more information. 9154856857
Moreover - 1st and 2nd key params will be executed as commands with "]]" as command parameter, which may be considered as a small vulnerability.
Why small - because the "]]" parameter most likely will cause syntax error for binary tools in OS.
To fix this issue for dash I suggest to rewrite the user parameter a bit.
Existing:
UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N
suggested one:
UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([ "$1" = "all" ] || [ ! "$1" ] || echo " where table_schema='$1'")$([ "$2" = "all" ] || [ ! "$2" ] || echo " and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N
(note - an additional space added for better SQL syntax)
Basically change is [[ true || true ]] to [ true ] || [ true ]
On bash and dash woks well.
I've tested suggested change on other available shells (on Debian 8), results:
- csh (version 20110502-2.1) and tcsh (version 6.18.01-3) both shell for both styles (existing, suggested) produce:
Illegal variable name.
- zsh (version 5.0.7-5): for both styles:
zsh:1: parse error near `""' zsh:1: parse error in command substitution
- ksh (version 93u+20120801-1) works well for both styles
As an idea, I've tried to add "bash" as a prefix for the complete command line.
Of course it works with any mentioned shell (tested) link to /bin/sh, but requires bash installed, which is not the case for any distro by default:
UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo " and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
(also - single quotes have been changed to double quotes and escaped)
Need to decide which way we will go.