Documentation task
Resolution: Unresolved
Major
7.0.12, 7.2.6, 7.4.0beta2
None
Support backlog
1
The current documentation states very clearly that running the agent under an account other than the default "zabbix" one, which is shared with a server/proxy running on the same machine, is a best practice. Ref: https://www.zabbix.com/documentation/7.2/en/manual/best_practices/security/access_control
The documentation then suggests how to make such a change, but the instructions given apply only to Zabbix Agent, not Zabbix Agent 2, and also lack vital steps needed for Zabbix Agent 2 to be able to run at all after the user is changed.
The proposal is to modify the documentation to add the steps necessary to correctly change the running user for Zabbix Agent 2.
1. Modify systemd service unit configuration: sudo systemctl edit zabbix-agent2.service:
    [Service]
    User=zabbix-agent2
    Group=zabbix-agent2
    PIDFile=/run/zabbix_agent/zabbix_agent2.pid
    RuntimeDirectory=zabbix_agent
    LogsDirectory=zabbix_agent
This will have the agent run with the zabbix-agent2 account and group identity and also instruct systemd to create a temporary directory under /run and a persistent one under /log (see the SANDBOXING chapter in systemd.exec(5) for details).
2. Amend the configuration in /etc/zabbix/zabbix_agent2.conf with the new paths:
    #PidFile=/run/zabbix/zabbix_agent2.pid
    PidFile=/run/zabbix_agent/zabbix_agent2.pid
    #LogFile=/var/log/zabbix/zabbix_agent2.log
    LogFile=/var/log/zabbix_agent/zabbix_agent2.log
    #PluginSocket=/run/zabbix/agent.plugin.sock
    PluginSocket=/run/zabbix_agent/agent.plugin.sock
    #ControlSocket=/run/zabbix/agent.sock
    ControlSocket=/run/zabbix_agent/agent.sock
Directories are created dynamically by systemd and destroyed when the unit stops.
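The two steps above only work if the unit drop-in and the agent configuration agree on every path. The following check is an added example, not part of the ticket or of Zabbix; the function names and the sample files it writes are constructed for illustration, and it assumes systemd's standard /run and /var/log prefixes for RuntimeDirectory= and LogsDirectory=.

```shell
#!/bin/sh
# Added example (not from the ticket): consistency check for the two steps above.

# Last uncommented KEY=VALUE in FILE. Usage: get_val FILE KEY
get_val() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print every mismatch; return non-zero if any. Usage: check_agent2_paths DROPIN CONF
check_agent2_paths() {
    local dropin conf rc user run logs key val
    dropin=$1; conf=$2; rc=0
    user=$(get_val "$dropin" User)
    # Assumption: systemd places RuntimeDirectory= under /run, LogsDirectory= under /var/log.
    run=/run/$(get_val "$dropin" RuntimeDirectory)
    logs=/var/log/$(get_val "$dropin" LogsDirectory)
    if [ -z "$user" ] || [ "$user" = zabbix ]; then
        echo "User is unset or still the shared 'zabbix' account"; rc=1
    fi
    if [ "$(get_val "$dropin" PIDFile)" != "$(get_val "$conf" PidFile)" ]; then
        echo "PIDFile (unit) and PidFile (agent config) differ"; rc=1
    fi
    for key in PidFile PluginSocket ControlSocket; do
        val=$(get_val "$conf" "$key")
        case $val in "$run"/*) ;; *) echo "$key=$val is not under $run"; rc=1 ;; esac
    done
    val=$(get_val "$conf" LogFile)
    case $val in "$logs"/*) ;; *) echo "LogFile=$val is not under $logs"; rc=1 ;; esac
    return $rc
}

# Constructed sample files using the values from the two steps above.
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '[Service]' 'User=zabbix-agent2' 'Group=zabbix-agent2' \
        'PIDFile=/run/zabbix_agent/zabbix_agent2.pid' \
        'RuntimeDirectory=zabbix_agent' 'LogsDirectory=zabbix_agent' > "$d/override.conf"
    printf '%s\n' '#PidFile=/run/zabbix/zabbix_agent2.pid' \
        'PidFile=/run/zabbix_agent/zabbix_agent2.pid' \
        'LogFile=/var/log/zabbix_agent/zabbix_agent2.log' \
        'PluginSocket=/run/zabbix_agent/agent.plugin.sock' \
        'ControlSocket=/run/zabbix_agent/agent.sock' > "$d/zabbix_agent2.conf"
    check_agent2_paths "$d/override.conf" "$d/zabbix_agent2.conf" && echo "consistent"
    rm -rf "$d"
}
demo
```

On a real host, pass the drop-in written by `systemctl edit` (normally /etc/systemd/system/zabbix-agent2.service.d/override.conf) and /etc/zabbix/zabbix_agent2.conf as the two arguments.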