I would like if you separated out the portions of the agent into a new process. (E.g. zabbix_exec, zabbix_agent_execd, or something..) This process would perform the following actions:
- Run scripts requested from server
- Process userparameters
- Remote execution
- SSH agent commands
- Basically anything else where the agent executes something provided by a custom command
This would gain large configuration flexibility and security benefits such as "Now being able to...":
- Filter access by host for this process (Firewall) <--- Critical!
- Change the listen port for these more dangerous types of agent commands
- Configure a different set of trusted IP's listed in the config to be allowed to run these more dangerous commands.
- Configure the daemon user separately for zabbix_agent and zabbix_exec
- Code greatly simplified in both the zabbix_agent and zabbix_sshd
- Configure separate sudo, apparmor, SElinux, etc for this process.
- Separate logging
- Tunnel this functionality over SSH/SSL very easily
As we don't have agent ssl or auth, this is IMO a critical security issue as well.
Splitting this code out to it's own daemon might even make it easier for you or someone else to implement server<->agent authentication and encryption.
Thanks for your time guys!