ZABBIX BUGS AND ISSUES

Every "Zabbix Administrator" can discover the database password

Details

  • Zabbix ID:
    NA

Description

Every "Zabbix Administrator" can discover the database password, given there's a Zabbix agent on the server machine. Since agent and server are usually run by the same system user, they can access the same files. Therefore the agent can read the server configuration file. Any suitable item can hence report the password. While it can be avoided, it's probably true for most installations, including SUSE and Fedora/EPEL.

- Be a Zabbix Admin
- Add a new host if you don't have permissions for the server host
- Add an agent item like vfs.file.regexp[/etc/zabbix/zabbix_server.conf,^DBPassword] to that host
- Receive the password

Please change the documentation to suggest two different users for agent and server.

Sadly, this will cause packagers a lot of headache, because it jeopardizes working installations. Files formerly accessible by agents might no longer be accessible and the other way around.

I think creating a new user for the server causes the least harm, because it hardly affects monitored machines. It can nevertheless cause issues with at least media scripts and external checks.

SELinux might help to ease the situation, but I think it should not be the primary protection.
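As an added defender-side check, not part of this report or of Zabbix itself, the POSIX shell audit below answers the question the report raises on a given host: could the agent's account read zabbix_server.conf at all? It applies ordinary Unix owner/group/other read semantics and assumes GNU `stat`/`id`, that the agent runs as `zabbix`, and that the separate server account is named `zabbixsrv` (the name the Fedora/EPEL packages use, as a later comment notes).

```shell
#!/bin/sh
# Added audit helper, not Zabbix code. Answers: can the agent's account read the
# server configuration (and therefore its DBPassword line) on this host?
# Assumptions: GNU stat/id; the agent runs as "zabbix"; the separate server
# account is named "zabbixsrv" (as in the Fedora/EPEL packages).

# readable_by OWNER GROUP MODE USER "GROUP1 GROUP2 ..."
# Returns 0 if USER could read a file with that owner, group and octal mode,
# following Unix rules: owner bits if USER owns it, otherwise group bits if
# USER is in the file's group, otherwise the "other" bits. root reads anything.
readable_by() {
    owner=$1 group=$2 mode=$3 user=$4 groups=$5
    mode=${mode#"${mode%???}"}      # keep the last three octal digits (drop setuid/setgid/sticky)
    u=${mode%??} o=${mode#??}       # owner digit, other digit
    g=${mode#?}; g=${g%?}           # group digit
    [ "$user" = root ] && return 0
    [ "$user" = "$owner" ] && return $(( (u & 4) == 0 ))
    for grp in $groups; do
        [ "$grp" = "$group" ] && return $(( (g & 4) == 0 ))
    done
    return $(( (o & 4) == 0 ))
}

# audit_file FILE USER: 0 if USER could read FILE on this host, 2 if FILE is unreadable/missing
audit_file() {
    info=$(stat -c '%U %G %a' "$1" 2>/dev/null) || return 2
    set -- "$1" "$2" $info          # $3=owner $4=group $5=mode
    readable_by "$3" "$4" "$5" "$2" "$(id -Gn "$2" 2>/dev/null)"
}

# main [CONFIG] [AGENT_USER]: report whether the agent account can read the server config
main() {
    conf=${1:-/etc/zabbix/zabbix_server.conf}
    agent=${2:-zabbix}
    if audit_file "$conf" "$agent"; then
        echo "EXPOSED: $agent can read $conf; run zabbix_server as zabbixsrv and restrict the file to that account"
        return 1
    fi
    echo "OK: $agent cannot read $conf (or it does not exist here)"
}

# Run the report only when invoked with arguments, e.g.:
#   sh audit.sh /etc/zabbix/zabbix_server.conf zabbix
if [ $# -gt 0 ]; then main "$@"; fi
```

The pure decision function can also be fed values taken from another host's `stat` output, so the check does not have to run on the server itself.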

Activity

richlv added a comment -

huge thanks for figuring this one out. seems simple, but wasn't brought up till now, as far as i recall.

essentially, our docs should highly suggest running server & agent on the same system with different usernames, and explain why

Martins Valkovskis added a comment - edited

Documented at:
http://www.zabbix.com/documentation/2.0/manual/installation/install?&#create_user_account
http://www.zabbix.com/documentation/2.0/manual/concepts/server?&#process_user
http://www.zabbix.com/documentation/1.8/manual/installation/installation_from_source?&#step_1

Should be reviewed.

<richlv> looks good to me, but maybe we should use "database password" instead of "DBPassword" ?

<martins-v> yes, done so now.

<richlv> CLOSED

Oleksiy Zagorskyi added a comment -

Implementation of ZBXNEXT-1085 could help to avoid such security risks.

Oleksiy Zagorskyi added a comment -

And should we expect some changes on the server (proxy?) daemon side?
Currently the server started from root will switch to a 'zabbix' user account. So this task (use a separate account for zabbix_server) should be solved at the init script level?

richlv added a comment -

i don't see anything we could/should do on the daemon level at this time, but we can consult the devs as well

Volker Fröhlich added a comment -

Is there any news on this topic?

Shall we change the distribution packages? Can you even start the daemons as a different user, as they are now?

richlv added a comment -

you can start daemons as a different user if they are started as a non-root user. so this would probably have to be handled in the initscripts

Alexei Vladishev added a comment -

Discussed with Rich and decided to close it.

richlv added a comment -

to clarify, it was added to the docs, which could be considered fixing it

Volker Fröhlich added a comment -

Zabbix packages in Fedora 18 and zabbix20 in EPEL 6 solve the issue by running proxy and server as zabbixsrv.

zabbixsrv is still a member of the group zabbix. The idea behind that was to create the least possible hassle when updating.
