ZABBIX FEATURE REQUESTS: ZBXNEXT-2122

User type "Zabbix User" can't modify media in their own profile

      Description

      I have many users in my environment that are of type "Zabbix User". These users cannot even manage media in their own profile. We have lots of cases where teams in our company have one or two "Zabbix Admin" users to enable all their monitoring, but thanks to this very weird quirk in Zabbix, everyone else on their team can't even add their own media to be able to receive emails from actions. The only people who can add media for the "Zabbix User" users are "Zabbix Super Admin" users. This is painful at best. The only workaround I've found is to make these "Zabbix User" users be of type "Zabbix Admin". The unfortunate side to that is that they then see the "Configuration" tab. Yes, I have them in their own read-only group so that they can't make changes, but it's tacky.

      Attachments

      1. user-media-change.patch (7 kB, Michal Humpula)
      2. user-media-fix-2.4.4.patch (7 kB, Raul)
      3. zabbix-2.2.5-0001-ZBXNEXT-2122-Allow-regular-users-to-change-their-own.patch (7 kB, Volker Fröhlich)
      4. zabbix-2.2.5-ZBNXEXT-2122-1.patch (8 kB, Volker Fröhlich)
      5. ZBXNEXT-2122-2.4.2.patch (7 kB, Corey Shaw)
      6. ZBXNEXT-2122-fixed.patch (7 kB, Corey Shaw)

          Activity

          Corey Shaw added a comment (edited):

          Attached ZBXNEXT-2122.patch. This is for Zabbix 2.2.1. It removes the permissions checks around adding/deleting/updating media types in CUser.php. It also enables the Media tab for all users.

          Edit: Patch has been removed due to the security hole it widened. A fixed patch will be posted shortly.

          Corey Shaw added a comment (edited):

          Well, this patch of mine revealed a security hole in Zabbix. With the patch, any Zabbix user can modify the media for any other Zabbix user by using the API. That got me thinking that the only thing I did was remove the check that makes sure that the currently logged in user was at least of type "Zabbix Admin". Based on the UI, I would assume (and hope) that only Zabbix Super Admins could modify the media for any user. I reverted my patch and did a quick check. A "Zabbix Admin" user can modify the media for any user in the Zabbix system!

          In summary, there is a security hole in Zabbix where users of type "Zabbix Admin" can modify the media for any user by going through the API. My patch just made the original hole a little wider.

          Corey Shaw added a comment:

          Added ZBXNEXT-2122-fixed.patch. This patch incorporates the changes from the patch attached to ZBX-7693. The security hole is fixed in this patch and it allows the "Zabbix User" type to modify their own media both in the API and in the Web UI.

          azurIt added a comment:

          Is this going to be integrated into Zabbix?

          Arjen van Tol added a comment:

          Issue still exists in Zabbix 2.2. This issue is still unassigned; when will this be fixed?

          Volker Fröhlich added a comment:

          Corey, this implementation involves a little risk:

          • Users may add media they should not:

          For instance, you may be running a somewhat global media type, like syslog or an IRC bot. I'm actually running a media type that manipulates routing. This could be implemented as a remote command, but people may still do it like this. These media types are not intended to be run more often than once at a time. If a user can add such a media, this can break things or even pose a security breach.

          • Users may receive messages not intended for them by adding a media:

          Imagine an operation notifying a group the user is part of. Media type is set to "SMS" there. Some users are known not to have SMS configured and thus don't receive notifications – on purpose. If the user can now add an SMS media, he is suddenly notified of something that may be none of his business. Furthermore, SMS messages usually cost money.

          I would generally want to see that as a user group option, whether a user is allowed to manipulate these settings or not. One could also limit it per media type. I'm afraid it could get fairly complex to meet all conceivable needs.

          Arjen van Tol added a comment:

          Another perspective would be the ability of making each specific media type available to one or more usergroups.

          This way, a usergroup 'E-mail users' includes users which can enable/configure the e-mail media type.

          Much simpler in my eyes.

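The permission rules argued over in this thread (Corey's finding that a "Zabbix Admin" could edit anyone's media through the API, the ownership rule his fixed patch describes, and the per-user-group media-type idea from Volker and Arjen), written out as an added Python model so the three decision rules can be compared side by side. This is not code from Zabbix or from any patch attached to this issue; the Zabbix frontend is PHP. The numeric values of the user-type constants are assumed, and the per-group allow-list in `group_scoped_check` is a hypothetical design, not an implemented Zabbix feature.

```python
"""Model of the media-permission decisions discussed in ZBXNEXT-2122.

Added example, not code from Zabbix or from any patch on this issue.
User-type constant values are assumed; the actors and the per-group
allow-list below are constructed for illustration.
"""
from dataclasses import dataclass

# Zabbix user types (assumed numbering; higher is more privileged)
USER_TYPE_ZABBIX_USER = 1
USER_TYPE_ZABBIX_ADMIN = 2
USER_TYPE_SUPER_ADMIN = 3


@dataclass(frozen=True)
class Session:
    """The authenticated caller of the user.addmedia/updatemedia style call."""
    userid: int
    user_type: int
    groups: frozenset = frozenset()


def original_check(actor: Session, target_userid: int) -> bool:
    """Behaviour the thread reports for the stock code: anyone of type
    Zabbix Admin or above may edit *any* user's media, while a plain
    Zabbix User may edit nobody's media, not even their own."""
    return actor.user_type >= USER_TYPE_ZABBIX_ADMIN


def first_patch_check(actor: Session, target_userid: int) -> bool:
    """The first attached patch simply dropped the type check, so every
    user could edit every other user's media through the API."""
    return True


def fixed_check(actor: Session, target_userid: int) -> bool:
    """Ownership rule the fixed patch describes: Super Admins may edit
    anyone's media; everybody else only their own."""
    if actor.user_type == USER_TYPE_SUPER_ADMIN:
        return True
    return actor.userid == target_userid


def group_scoped_check(actor: Session, target_userid: int, mediatype: str,
                       allowed_by_group: dict) -> bool:
    """Hypothetical extension in the direction Volker and Arjen suggest:
    ownership as in fixed_check, plus the media type must be enabled for
    self-service in at least one of the actor's user groups. Super Admins
    are not subject to the allow-list."""
    if actor.user_type == USER_TYPE_SUPER_ADMIN:
        return True
    if actor.userid != target_userid:
        return False
    return any(mediatype in allowed_by_group.get(g, frozenset())
               for g in actor.groups)


def decision_matrix(check, actors, target_userid: int) -> dict:
    """Map each actor's userid to whether `check` lets it edit the target."""
    return {a.userid: check(a, target_userid) for a in actors}


if __name__ == "__main__":
    # Constructed actors: a plain user, an admin and a super admin.
    user = Session(1, USER_TYPE_ZABBIX_USER, frozenset({"team-a"}))
    admin = Session(2, USER_TYPE_ZABBIX_ADMIN)
    boss = Session(3, USER_TYPE_SUPER_ADMIN)
    # Target 4 is some unrelated user; the matrix shows who may touch it.
    for name, check in (("original", original_check),
                        ("first patch", first_patch_check),
                        ("fixed", fixed_check)):
        print(f"{name:12s} -> {decision_matrix(check, [user, admin, boss], 4)}")
    allowed = {"team-a": frozenset({"Email"})}
    print("self-service Email:", group_scoped_check(user, 1, "Email", allowed))
    print("self-service SMS:  ", group_scoped_check(user, 1, "SMS", allowed))
```

The matrix for target 4 makes the hole visible in one glance: under `original_check` the admin gets `True` for a user who is not them, under `first_patch_check` everyone does, and only `fixed_check` restricts non-super-admins to their own record. Note that the fixed rule alone still lets a user attach any media type to themselves, which is exactly the cost and unintended-notification risk Volker raises; that is what the per-group allow-list addresses.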
          Marc added a comment:

          Arjen van Tol, you mean something like this: ZBXNEXT-1670?

          Volker Fröhlich added a comment:

          New patch to fit 2.2.5.

          Volker Fröhlich added a comment:

          Correction to the previous one.

          Corey Shaw added a comment:

          Ported to 2.4.2.

          This patch still includes the potential security issues that Volker mentioned previously. Whether or not those are a problem depends on the environment.

          Raul added a comment:

          Ported to 2.4.4.

          Antti Hurme added a comment (edited):

          Will this patch be ported to 3.0.1?

          Volker Fröhlich added a comment:

          I tried, but failed on my first attempt.

          Michal Humpula added a comment:

          My iteration for user change (Zabbix 3.0.4 based). Only the users with admin privileges can change their media.


            People

            • Assignee: Unassigned
            • Reporter: Corey Shaw
            • Votes: 9
            • Watchers: 12