[ZBX-17254] Debian init scripts insecure pidfile Created: 2020 Jan 31  Updated: 2024 Apr 10  Resolved: 2020 Oct 09

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Packages (C)
Affects Version/s: None
Fix Version/s: 5.2 (plan)

Type: Problem report Priority: Trivial
Reporter: Jan Korbel Assignee: Jurijs Klopovskis
Resolution: Fixed Votes: 1
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified
Environment:

Debian 10.2 (up-to-date)
Zabbix 4.4
sysvinit (no systemd)


Sub-Tasks:
Key       | Summary                     | Type     | Status    | Assignee
ZBX-18824 | Fix for Zabbix 5.0, please? | Sub-task | Confirmed | Jurijs Klopovskis
Team: Team I
Sprint: Sprint 60 (Jan 2020), Sprint 61 (Feb 2020), Sprint 62 (Mar 2020), Sprint 63 (Apr 2020), Sprint 64 (May 2020), Sprint 65 (Jun 2020), Sprint 66 (Jul 2020), Sprint 67 (Aug 2020), Sprint 68 (Sep 2020)
Story Points: 0.5

 Description   

Steps to reproduce:

/etc/init.d/zabbix-agent stop

Result:

[....] Stopping Zabbix agent: zabbix_agentdstart-stop-daemon: matching only on non-root pidfile /var/run/zabbix/zabbix_agentd.pid is insecure

Same with server and probably with proxy too.

Expected:

[ ok ] zabbix_agentd stopping...done.

Now it is not possible to stop the agent/server/..., or to update the package (that runs the stop action too). From the dpkg manpage:

Warning: using this match option with a world-writable pidfile or using it alone with a daemon that writes the pidfile as an unprivileged (non-root) user will be refused with an error (since version 1.19.3) as this is a security risk, because either any user can write to it, or if the daemon gets compromised, the contents of the pidfile cannot be trusted, and then a privileged runner (such as an init script executed as root) would end up acting on any system process. Using /dev/null is exempt from these checks.

Fix: include "--user zabbix" in the init script. Patch for the agent init script:

48c48
<     start-stop-daemon --oknodo --stop --pidfile $PID --retry $RETRY

>     start-stop-daemon --oknodo --stop --pidfile $PID --user zabbix --retry $RETRY
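Review bot: the `>` line hard-codes `--user zabbix`, and because the same line keeps `--oknodo` a mismatch would not fail loudly: if the daemon runs as any other account, start-stop-daemon finds no process matching both the pidfile and the user, takes no action, and the stop still exits 0 while the daemon keeps running (and the package upgrade that calls it proceeds as if it had stopped). If the script has a variable for the account the start action runs the daemon as, use that same value here instead of a literal so start and stop cannot drift, and apply the identical change to the server and proxy scripts, which the report says hit the same refusal.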



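What `--user` actually buys is worth seeing outside of start-stop-daemon. The following is an added example, not code from the Zabbix packaging or from dpkg: a pair of hypothetical POSIX sh helpers (`check_pidfile_owner`, `stop_daemon_safely`, names chosen here) that implement the check the dpkg warning above describes. A pidfile written by an unprivileged daemon is attacker-controlled data once that daemon is compromised, so a root-run stop action must refuse a world-writable pidfile and must only signal a PID whose owner is the expected service account, never "whatever number the file says".

```sh
#!/bin/sh
# Added example (not from the Zabbix packaging or dpkg): a pidfile-based stop
# that does not trust the pidfile. Helper names are hypothetical.

# Usage: pid_from_file PIDFILE
# Prints the PID on the first line of PIDFILE; fails on empty or non-numeric content.
pid_from_file() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "pidfile $1 does not contain a PID" >&2; return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Usage: check_pidfile_owner PIDFILE USER
# Returns 0 only if PIDFILE is not world-writable, holds a numeric PID, and that
# PID is a live process whose real UID equals USER's UID (what --user enforces).
check_pidfile_owner() {
    pidfile=$1
    expected_user=$2
    [ -f "$pidfile" ] || { echo "no pidfile $pidfile" >&2; return 1; }

    # Mode check: GNU stat first, BSD stat as fallback. A last octal digit of
    # 2, 3, 6 or 7 means "others" can write, so anyone could have forged the PID.
    mode=$(stat -c %a "$pidfile" 2>/dev/null || stat -f %Lp "$pidfile")
    case $mode in
        *[2367]) echo "$pidfile is world-writable, refusing" >&2; return 1 ;;
    esac

    pid=$(pid_from_file "$pidfile") || return 1

    expected_uid=$(id -u "$expected_user" 2>/dev/null) \
        || { echo "unknown user $expected_user" >&2; return 1; }

    # Real UID of the running process: /proc on Linux, ps elsewhere.
    # Either yields an empty string when no such process exists.
    if [ -d "/proc/$pid" ]; then
        actual_uid=$(stat -c %u "/proc/$pid" 2>/dev/null)
    else
        actual_uid=$(ps -o uid= -p "$pid" 2>/dev/null | tr -d ' ')
    fi
    [ -n "$actual_uid" ] || { echo "no process with PID $pid" >&2; return 1; }
    [ "$actual_uid" = "$expected_uid" ] \
        || { echo "PID $pid is owned by uid $actual_uid, not $expected_user" >&2; return 1; }
}

# Usage: stop_daemon_safely PIDFILE USER
# Sends SIGTERM only after the ownership check passes. The insecure form,
# kill "$(cat "$pidfile")" run as root, would signal PID 1 if the file said so.
stop_daemon_safely() {
    check_pidfile_owner "$1" "$2" || return 1
    kill -TERM "$(pid_from_file "$1")"
}
```

The remaining gap is the window between the ownership check and the signal, during which the PID could in principle be reused; start-stop-daemon has the same window, and the point of matching on the user is that a stale or forged PID can then at worst hit another process of the service account, not an arbitrary root process.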
 Comments   
Comment by Harri [ 2020 Jun 07 ]

I verified the suggested fix using zabbix-agent version 1:4.4.9-1+buster.

Comment by Jurijs Klopovskis [ 2020 Sep 25 ]

Fixed on pre 5.2.0beta1.

Added explicit user setting into init files and systemd services files for agent, server & proxy on deb-based distros.

Generated at Sun May 25 07:20:15 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.