ZABBIX BUGS AND ISSUES / ZBX-17254

Debian init scripts insecure pidfile


    • Problem report
    • Resolution: Fixed
    • Trivial
    • 5.2 (plan)
    • None
    • Packages (C)
    • None
    • Debian 10.2 (up-to-date)
      Zabbix 4.4
      sysvinit (no systemd)
    • Team I
    • Sprint 60 (Jan 2020), Sprint 61 (Feb 2020), Sprint 62 (Mar 2020), Sprint 63 (Apr 2020), Sprint 64 (May 2020), Sprint 65 (Jun 2020), Sprint 66 (Jul 2020), Sprint 67 (Aug 2020), Sprint 68 (Sep 2020)
    • 0.5

      Steps to reproduce:

      /etc/init.d/zabbix-agent stop

      Result:

      [....] Stopping Zabbix agent: zabbix_agentdstart-stop-daemon: matching only on non-root pidfile /var/run/zabbix/zabbix_agentd.pid is insecure

      Same with server and probably with proxy too.

      Expected:

      [ ok ] zabbix_agentd stopping...done.

      Now it is not possible to stop the agent/server/... or to update the package (there is a stop action too). From the dpkg manpage:

      Warning: using this match option with a world-writable pidfile or using it alone with a daemon that writes the pidfile as an unprivileged (non-root) user will be refused with an error (since version 1.19.3) as this is a security risk, because either any user can write to it, or if the daemon gets compromised, the contents of the pidfile cannot be trusted, and then a privileged runner (such as an init script executed as root) would end up acting on any system process. Using /dev/null is exempt from these checks.

      Fix: include "--user zabbix" in the init script. Patch for the agent init script:

      48c48
      <     start-stop-daemon --oknodo --stop --pidfile $PID --retry $RETRY

      >     start-stop-daemon --oknodo --stop --pidfile $PID --user zabbix --retry $RETRY
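
Review bot: on the changed line 48, `--user zabbix` hard-codes the account name while the pidfile and retry values come from `$PID` and `$RETRY`. If the daemon ever runs under another account, the stop will match no process and, because of `--oknodo`, still exit successfully. Consider taking the user from a variable defined next to `$PID`, and carry the same change into the server and proxy init scripts, which the report says fail the same way.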

            yurii Jurijs Klopovskis
            jackc Jan Korbel
            Team I
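
The refusal quoted from the manpage above, worked through as an added shell example (not code from the report, Zabbix, or dpkg): a hypothetical `pidfile_verdict` helper decides whether a root-run script may act on a pidfile, first on the pidfile alone and then with the process owner as a second match criterion. It assumes Linux `/proc` and a numeric uid; the verdict strings are made up for this illustration.

```shell
#!/bin/sh
# Added illustration (hypothetical helper, not start-stop-daemon's own code).
# Usage: pidfile_verdict PIDFILE [EXPECTED_UID]   -> prints one verdict word
# Assumes Linux: the /proc/PID directory is owned by the process's effective uid.
pidfile_verdict() {
    pidfile=$1 want_uid=${2:-}
    # Only a regular file, never a symlink, is read as a pidfile.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || { echo "refuse:not-regular-file"; return 0; }
    set -- $(ls -ldn "$pidfile"); mode=$1 owner=$3
    # Any local user could have written a world-writable pidfile.
    case $mode in ????????w*) echo "refuse:world-writable"; return 0 ;; esac
    # Non-root pidfile and nothing else to match on: the case in this report.
    if [ "$owner" != 0 ] && [ -z "$want_uid" ]; then
        echo "refuse:non-root-pidfile-only"; return 0
    fi
    # The content is untrusted input: accept decimal digits only.
    read -r pid < "$pidfile" || true
    case $pid in ''|*[!0-9]*) echo "refuse:bad-pid"; return 0 ;; esac
    [ -d "/proc/$pid" ] || { echo "stale"; return 0; }
    # Second criterion (what --user adds): the process must run as that uid.
    if [ -n "$want_uid" ]; then
        set -- $(ls -ldn "/proc/$pid")
        [ "$3" = "$want_uid" ] || { echo "refuse:uid-mismatch"; return 0; }
    fi
    echo "ok"
}

# Constructed demo: a pidfile written by this shell, pointing at this shell.
demo=$(mktemp) && echo "$$" > "$demo"
echo "pidfile only:  $(pidfile_verdict "$demo")"
echo "pidfile + uid: $(pidfile_verdict "$demo" "$(id -u)")"
rm -f "$demo"
```

Run as an unprivileged user, the first demo line is refused and the second is accepted, which is the same distinction the `--user` match makes for a pidfile written by the zabbix account.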