[ZBX-15955] Agent allows requests from any hosts if Server=localhost Created: 2019 Apr 06 Updated: 2024 Apr 10 Resolved: 2019 Apr 15 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G), Proxy (P), Server (S) |
Affects Version/s: | 4.0.6, 4.2.0, 4.4.0alpha1, 4.4 (plan) |
Fix Version/s: | 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan) |
Type: | Problem report | Priority: | Major |
Reporter: | Ivan Vanyushkin | Assignee: | Andris Mednis |
Resolution: | Fixed | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Ubuntu 16.04.6 LTS |
Issue Links: |
|
||||||||||||||||
Team: | Team A | ||||||||||||||||
Team: | Team A | ||||||||||||||||
Sprint: | Sprint 51 (Apr 2019) | ||||||||||||||||
Story Points: | 1 |
Description |
Steps to reproduce: # cat /etc/zabbix/zabbix_agentd.conf PidFile=/var/run/zabbix/zabbix_agentd.pid LogFile=/var/log/zabbix/zabbix_agentd.log Server=localhost Result:
user@any-other-host:~# zabbix_get -s _agent_ip_ -p 10050 -k "agent.ping"
1
Expected:
user@any-other-host:~# zabbix_get -s _agent_ip_ -p 10050 -k "agent.ping"
zabbix_get [14433]: Get value error: connection closed during read
zabbix_get [14433]: Check access restrictions in Zabbix agent configuration
Agent Environment: Log: 1005:20190406:000153.503 Starting Zabbix Agent [vm-agent]. Zabbix 4.2.0 (revision 91746). 1005:20190406:000153.503 **** Enabled features **** 1005:20190406:000153.503 IPv6 support: YES 1005:20190406:000153.503 TLS support: YES 1005:20190406:000153.503 ************************** 1005:20190406:000153.503 using configuration file: /etc/zabbix/zabbix_agentd.conf 1005:20190406:000153.505 agent #0 started [main process] 1017:20190406:000153.505 agent #1 started [collector] 1020:20190406:000153.507 agent #3 started [listener #2] 1018:20190406:000153.508 agent #2 started [listener #1] 1021:20190406:000153.511 agent #4 started [listener #3] # getent ahosts localhost ::1 STREAM localhost ::1 DGRAM ::1 RAW 127.0.0.1 STREAM 127.0.0.1 DGRAM 127.0.0.1 RAW # grep -i 'hosts' /etc/nsswitch.conf hosts: files dns # cat /etc/resolv.conf nameserver 8.8.8.8 # ss -ltupn | grep -i zabbix tcp LISTEN 0 128 *:10050 *:* users:(("zabbix_agentd",pid=1021,fd=5),("zabbix_agentd",pid=1020,fd=5),("zabbix_agentd",pid=1018,fd=5),("zabbix_agentd",pid=1017,fd=5),("zabbix_agentd",pid=1005,fd=5)) tcp LISTEN 0 128 :::10050 :::* users:(("zabbix_agentd",pid=1021,fd=6),("zabbix_agentd",pid=1020,fd=6),("zabbix_agentd",pid=1018,fd=6),("zabbix_agentd",pid=1017,fd=6),("zabbix_agentd",pid=1005,fd=6)) # ps auxww | grep -i zabbix zabbix 1005 0.0 0.1 104940 3460 ? S 00:01 0:00 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf zabbix 1017 0.0 0.1 104940 2904 ? S 00:01 0:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec] zabbix 1018 0.0 0.2 104940 4740 ? S 00:01 0:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection] zabbix 1020 0.0 0.2 104940 4740 ? S 00:01 0:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection] zabbix 1021 0.0 0.2 104940 4740 ? S 00:01 0:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection] |
Comments |
Comment by Ivan Vanyushkin [ 2019 Apr 09 ] |
Example of common misuse use-case: Server=zabbix.example.com,localhost Expected: allow connections from zabbix.example.com and from zabbix_get locally. |
Comment by Andris Mednis [ 2019 Apr 15 ] |
Fixed in versions:
|