Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-17254

Debian init scripts insecure pidfile

XMLWordPrintable

    • Icon: Problem report Problem report
    • Resolution: Fixed
    • Icon: Trivial Trivial
    • 5.2 (plan)
    • None
    • Packages (C)
    • None
    • Debian 10.2 (up-to-date)
      Zabbix 4.4
      sysvinit (no systemd)
    • Sprint 60 (Jan 2020), Sprint 61 (Feb 2020), Sprint 62 (Mar 2020), Sprint 63 (Apr 2020), Sprint 64 (May 2020), Sprint 65 (Jun 2020), Sprint 66 (Jul 2020), Sprint 67 (Aug 2020), Sprint 68 (Sep 2020)
    • 0.5

      Steps to reproduce:

      /etc/init.d/zabbix-agent stop

      Result:

      [....] Stopping Zabbix agent: zabbix_agentdstart-stop-daemon: matching only on non-root pidfile /var/run/zabbix/zabbix_agentd.pid is insecure

      Same with server and probably with proxy too.

      Expected:

      [ ok ] zabbix_agentd stopping...done.

      Now it is not possible to stop agent/server/... or package update (there is stop action too). From dpkg manpage:

      Warning: using this match option with a world-writable pidfile or using it alone with a daemon that writes the pidfile as an unprivileged (non-root) user will be refused with an error (since version 1.19.3) as this is a security risk, because either any user can write to it, or if the daemon gets compromised, the contents of the pidfile cannot be trusted, and then a privileged runner (such as an init script executed as root) would end up acting on any system process. Using /dev/null is exempt from these checks.

      Fix: include "--user zabbix" in init script. Patch of agent init script:

      48c48
      <     start-stop-daemon --oknodo --stop --pidfile $PID --retry $RETRY

      >     start-stop-daemon --oknodo --stop --pidfile $PID --user zabbix --retry $RETRY

            yurii Jurijs Klopovskis
            jackc Jan Korbel
            Team I
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: