[ZBX-6875] Users with no permissions to given hosts can create actions that run on those hosts
Created: 2013 Aug 09  Updated: 2019 Dec 10

Status: Open
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Frontend (F)
Affects Version/s: 2.0.6
Fix Version/s: None

Type: Incident report
Priority: Trivial
Reporter: Corey Shaw
Assignee: Unassigned
Resolution: Unresolved
Votes: 1
Labels: permissions, usability
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Users that have restricted read/write access to Zabbix can create actions that will run for servers that they do not have access to.

In my test I created an action that looked for a trigger with a name like "Disk" and had it run a "Remote Command" operation that simply put text in a file on the Zabbix server. My user had no access to a particular server, but when the trigger went off for it, the action fired and the text was put into the file.



 Comments   
Comment by richlv [ 2013 Aug 09 ]

this isn't so much a bug as a limitation of the implementation.
once an action is saved, we have no way of finding out who did that (and even then, who made which particular changes...)

there are lots of other scenarios involving application conditions that have similar effects.

no idea what to do about it

Comment by Marc [ 2014 Feb 12 ]

Messages are covered by users or rather user groups.
For commands, I could imagine enforcing that at least one host group is set as an action condition - except for users with the Zabbix-Super-Admin role.
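
The rule proposed in the comment above, sketched as a save-time check. This is an added example, not Zabbix code and not part of the original thread. The field names and numeric codes are assumptions modeled on the Zabbix API action object, and the check goes one step beyond the comment by also requiring that the host groups are ones the user can write to and that the condition is not OR-ed with others.

```python
# Added example: a save-time validator for the rule proposed in the comments.
# Field names and numeric codes are assumptions modeled on the Zabbix API
# action object; they are not taken from the Zabbix source.
OP_REMOTE_COMMAND = 1      # assumed operationtype for "remote command"
COND_HOST_GROUP = 0        # assumed conditiontype for "host group"
OPERATOR_EQUALS = 0        # assumed operator for "="
EVAL_OR = 2                # assumed evaltype for "OR" across all conditions
USER_TYPE_SUPER_ADMIN = 3  # assumed user type for Zabbix Super Admin


def validate_action(action, user_type, writable_groups):
    """Return a list of reasons to reject the action; empty means accept."""
    if user_type == USER_TYPE_SUPER_ADMIN:
        return []
    if not any(int(op["operationtype"]) == OP_REMOTE_COMMAND
               for op in action.get("operations", [])):
        return []  # message operations are already scoped by user groups
    conditions = action.get("conditions", [])
    scoped = [c for c in conditions
              if int(c["conditiontype"]) == COND_HOST_GROUP
              and int(c["operator"]) == OPERATOR_EQUALS]
    problems = []
    if not scoped:
        problems.append("remote command without a host group '=' condition")
    # With OR evaluation any other condition can match on its own, so the
    # host group condition no longer limits where the command runs.
    elif (int(action.get("evaltype", 0)) == EVAL_OR
          and len(scoped) != len(conditions)):
        problems.append("host group condition is OR-ed with other conditions")
    outside = sorted(str(c["value"]) for c in scoped
                     if str(c["value"]) not in writable_groups)
    if outside:
        problems.append("host groups not writable by user: " + ", ".join(outside))
    return problems


# Constructed sample data: the action from the report (trigger name like
# "Disk", remote command, no host scope) and a host-group-scoped variant.
REPORTED = {"evaltype": 0,
            "conditions": [{"conditiontype": 3, "operator": 2, "value": "Disk"}],
            "operations": [{"operationtype": 1}]}
SCOPED = {"evaltype": 0,
          "conditions": REPORTED["conditions"]
          + [{"conditiontype": 0, "operator": 0, "value": "12"}],
          "operations": [{"operationtype": 1}]}

if __name__ == "__main__":
    for name, act in (("reported", REPORTED), ("scoped", SCOPED)):
        print(name, validate_action(act, user_type=2, writable_groups={"12"}))
```
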
