[ZBX-25174] Zabbix smartctl plugin sudo permissions Created: 2024 Sep 04 Updated: 2024 Sep 18 Resolved: 2024 Sep 17 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Documentation (D) |
Affects Version/s: | 5.0.43, 6.0.33, 7.0.3, 7.2.0alpha1 |
Fix Version/s: | 6.0.34rc1, 7.0.4rc1, 7.2.0alpha1 |
Type: | Documentation task | Priority: | Minor |
Reporter: | adnet | Assignee: | Marina Generalova |
Resolution: | Fixed | Votes: | 0 |
Labels: | SMART, agent2, configuration, permissions, smartctl, sudo | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Team: | |
Sprint: | Prev.Sprint, S24-W36/37 |
Story Points: | 1 |
Description |
See description in comments below. |
Comments |
Comment by adnet [ 2024 Sep 04 ] |
Hi, I recently changed to Zabbix agent2 to have the SMART plugin working. I tried to limit the sudoers because I don't want an issue in this plugin to mess with the disks. I am prevented from doing that because the plugin does not use a standard way to launch the smartctl command. For example, it can launch smartctl --scan ... smartctl -j .... The -j is a format option, so it should come after the real option like -scan --all or other. This way I can limit smartctl in sudoers to the read-only commands. If you use the format option in a random place, I cannot limit them. So my request here is to put the action parameter as the first one so I can limit sudo usage to a subset of reading probes and forbid options like -s, -B or -C etc. I don't know if this is possible to secure that. I used Zabbix 7.0.3.
ii zabbix-agent2 1:7.0.3-1+ubuntu22.04 amd64 Zabbix network monitoring solution - agent
Best regards, |
Comment by Alexander Vladishev [ 2024 Sep 04 ] |
To get the version of the "smartctl" utility, we need to run the command "smartctl -j -V". If the parameters are switched, the version will be returned in plain text format instead of JSON. Therefore, in this case, we cannot place the "-j" option at the end of the command. In other cases, the "-j" option is placed at the end of the command. |
Comment by adnet [ 2024 Sep 04 ] |
Oh, if this is the only one then we can make it work. Thanks, I will try this and come back.
regards, Ghislain. |
Comment by adnet [ 2024 Sep 04 ] |
so
# for Ubuntu
zabbix ALL=(root) NOPASSWD: /usr/sbin/smartctl -a *, /usr/sbin/smartctl --all *, \
/usr/sbin/smartctl -H *, /usr/sbin/smartctl --health *, \
/usr/sbin/smartctl -i *, /usr/sbin/smartctl --info *, \
/usr/sbin/smartctl -x *, /usr/sbin/smartctl --xall *, \
/usr/sbin/smartctl -c *, /usr/sbin/smartctl --capabilities *, \
/usr/sbin/smartctl --scan *, /usr/sbin/smartctl -s *, \
/usr/sbin/smartctl -l error *, /usr/sbin/smartctl --log=error * , \
/usr/sbin/smartctl -j -V
# for Debian
zabbix ALL=(root) NOPASSWD: /sbin/smartctl -a *, /sbin/smartctl --all *, \
/sbin/smartctl -H *, /sbin/smartctl --health *, \
/sbin/smartctl -i *, /sbin/smartctl --info *, \
/sbin/smartctl -x *, /sbin/smartctl --xall *, \
/sbin/smartctl -c *, /sbin/smartctl --capabilities *, \
/sbin/smartctl --scan *, /sbin/smartctl -s *, \
/sbin/smartctl -l error *, /sbin/smartctl --log=error *, \
/sbin/smartctl -j -V
should do it ? |
Comment by Alexander Vladishev [ 2024 Sep 04 ] |
Based on the code, the SMART plugin only uses these commands:
/usr/sbin/smartctl -a *
/usr/sbin/smartctl --scan *
/usr/sbin/smartctl -j -V |
Comment by adnet [ 2024 Sep 04 ] |
ok thanks a lot !
# for Ubuntu
zabbix ALL=(root) NOPASSWD: /usr/sbin/smartctl -a *, /usr/sbin/smartctl --all *, /usr/sbin/smartctl --scan *, /usr/sbin/smartctl -s *, /usr/sbin/smartctl -j -V
# for Debian
zabbix ALL=(root) NOPASSWD: /sbin/smartctl -a *, /sbin/smartctl --all *, /sbin/smartctl --scan *, /sbin/smartctl -s *, /sbin/smartctl -j -V
and we are good. |
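Added example, not part of the thread or of Zabbix's code: sudoers matches command arguments as one concatenated string, so a trailing `*` also matches spaces and any further options. The Python sketch below approximates that matching with `fnmatch` to audit the rule above against constructed command lines; `TIGHT_RULE`, its device pattern and the sample lines are assumptions.

```python
import fnmatch
import shlex

# Last Ubuntu rule posted in the thread, one sudoers command spec per entry.
THREAD_RULE = [
    "/usr/sbin/smartctl -a *",
    "/usr/sbin/smartctl --all *",
    "/usr/sbin/smartctl --scan *",
    "/usr/sbin/smartctl -s *",
    "/usr/sbin/smartctl -j -V",
]
# Hypothetical tighter variant (assumption): no trailing wildcard, one device
# naming scheme, "-j" last. Adjust to what the agent really runs on the host.
TIGHT_RULE = [
    "/usr/sbin/smartctl -a /dev/sd[a-z] -j",
    "/usr/sbin/smartctl --scan -j",
    "/usr/sbin/smartctl -j -V",
]
# Constructed command lines: the first three follow the forms named in the
# thread, the rest carry options the reporter wanted to keep out of sudo.
SAMPLES = [
    "/usr/sbin/smartctl -a /dev/sda -j",
    "/usr/sbin/smartctl --scan -j",
    "/usr/sbin/smartctl -j -V",
    "/usr/sbin/smartctl -a /dev/sda -s off",
    "/usr/sbin/smartctl -s off /dev/sda",
    "/usr/sbin/smartctl -C -a /dev/sda",
]

def permitted(rule, command_line):
    """Approximate sudoers matching: exact path, then the arguments joined
    into ONE string and globbed, so '*' also matches spaces and '/'."""
    path, *args = shlex.split(command_line)
    joined = " ".join(args)
    for spec in rule:
        spec_path, _, spec_args = spec.partition(" ")
        # A spec with no arguments would allow any arguments.
        if path == spec_path and (not spec_args
                                  or fnmatch.fnmatchcase(joined, spec_args)):
            return True
    return False

def audit(rule):
    """Map every sample command line to True (allowed) or False (denied)."""
    return {cmd: permitted(rule, cmd) for cmd in SAMPLES}

if __name__ == "__main__":
    for name, rule in (("thread", THREAD_RULE), ("tight", TIGHT_RULE)):
        for cmd, ok in audit(rule).items():
            print(f"{name:6} {'ALLOW' if ok else 'deny':5} {cmd}")
```

On the host itself, `sudo -l -U zabbix` lists the rules sudo actually loaded for the agent account.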
Comment by Edgar Akhmetshin [ 2024 Sep 05 ] |
Hello aqueos Thank you, confirmed. Regards, Edgar |
Comment by adnet [ 2024 Sep 05 ] |
FYI, I have a lot of Zabbix agent crashes and I wonder if the plugin here is a part of it: https://support.zabbix.com/browse/ZBX-25172 The symptom is RAM ballooning to 50 GB+ for the zabbix process. Each time, a lot of smartctl processes are in the wild waiting for sudo, perhaps asking for a password because of the rule I put. Are we sure that the plugin is not leaking RAM? Also, should sudo not be used with '-n'?
-n, --non-interactive Avoid prompting the user for input of any kind. If a password is required for the command to run, sudo will display an error message and exit.
Regards, Ghislain. |
Comment by Edgar Akhmetshin [ 2024 Sep 05 ] |
Please do not mix issues. This one is for enhancing sudo/permission example in the documentation. |
Comment by adnet [ 2024 Sep 05 ] |
Forget it, it already uses -n |
Comment by adnet [ 2024 Sep 05 ] |
ok sorry. |
Comment by dimir [ 2024 Sep 05 ] |
aqueos One thing. Please, next time you create a ticket do not hesitate to fill in the description. |
Comment by adnet [ 2024 Sep 05 ] |
Sorry, the interface is slow and buggy to me in FF. I have Ghostery and uBlock Origin deactivated and it should be better now. Best regards, Ghislain. |
Comment by Marina Generalova [ 2024 Sep 16 ] |
Documentation updated: |