Every "Zabbix Administrator" can discover the database password, given there's a Zabbix agent on the server machine. Since agent and server are usually run by the same system user, they can access the same files. Therefore the agent can read the server configuration file. Any suitable item can hence report the password. While it can be avoided, it's probably true for most installations, including SUSE and Fedora/EPEL.

• Be a Zabbix Admin
• Add a new host if you don't have permissions for the server host
• Add an agent item like vfs.file.regexp[/etc/zabbix/zabbix_server.conf,^DBPassword] to that host
• Receive the password

Please change the documentation to suggest two different users for agent and server.

Sadly, this will cause packagers a lot of headache, because it jeopardizes working installations. Files formerly accessible by agents might no longer be accessible and the other way around.

I think creating a new user for the server causes fewest harm, because it hardly affects monitored machines. It can nevertheless cause issues with at least media scripts and external checks.

SELinux might help to ease the situation, but I think it should not be the primary protection.