[ZBXNEXT-2122] User type "Zabbix User" can't modify media in their own profile Created: 2014 Jan 23  Updated: 2018 Nov 22

Status: Open
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F)
Affects Version/s: 2.2.1
Fix Version/s: None

Type: Change Request Priority: Minor
Reporter: Corey Shaw Assignee: Unassigned
Resolution: Unresolved Votes: 14
Labels: patch, permissions, usermedia
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments:
  • ZBXNEXT-2122-2.4.2.patch
  • ZBXNEXT-2122-fixed.patch
  • user-media-change.patch
  • user-media-fix-2.4.4.patch
  • zabbix-2.2.5-0001-ZBXNEXT-2122-Allow-regular-users-to-change-their-own.patch
  • zabbix-2.2.5-ZBNXEXT-2122-1.patch
Issue Links:
Duplicate
is duplicated by ZBXNEXT-2821 Non-Admin users need to edit own Medi... Closed

Description

I have many users in my environment that are of type "Zabbix User". These users cannot even manage media in their own profile. We have lots of cases where teams in our company have one or two "Zabbix Admin" users to enable all their monitoring, but thanks to this very weird quirk in Zabbix, everyone else on their team can't even add their own media to be able to receive emails from actions. The only people who can add media for the "Zabbix User" users are "Zabbix Super Admin" users. This is painful at best. The only workaround I've found is to make these "Zabbix User" users be of type "Zabbix Admin". The unfortunate side to that is that they then see the "Configuration" tab. Yes, I have them in their own read-only group so that they can't make changes, but it's tacky.



Comments
Comment by Corey Shaw [ 2014 Jan 23 ]

Attached ZBXNEXT-2122.patch. This is for Zabbix 2.2.1. It removes the permissions checks around adding/deleting/updating media types in CUser.php. It also enables the Media tab for all users.

Edit: Patch has been removed due to the security hole it widened. A fixed patch will be posted shortly.

Comment by Corey Shaw [ 2014 Jan 23 ]

Well, this patch of mine revealed a security hole in Zabbix. With the patch, any Zabbix user can modify the media for any other Zabbix user by using the API. That got me thinking that the only thing I did was remove the check that makes sure that the currently logged in user was at least of type "Zabbix Admin". Based on the UI, I would assume (and hope) that only Zabbix Super Admins could modify the media for any user. I reverted my patch and did a quick check. A "Zabbix Admin" user can modify the media for any users in the Zabbix system!

In summary, there is a security hole in Zabbix where users of type "Zabbix Admin" can modify the media for any user by going through the API. My patch just made the original hole a little wider.

Comment by Corey Shaw [ 2014 Jan 23 ]

Added ZBXNEXT-2122-fixed.patch. This patch incorporates the changes from the patch attached to ZBX-7693. The security hole is fixed in this patch and it allows the "Zabbix User" type to modify their own media both in the API and in the Web UI.

Comment by azurIt [ 2014 Mar 17 ]

Is this going to be integrated into Zabbix?

Comment by Arjen van Tol [ 2014 Jun 12 ]

Issue still exists in Zabbix 2.2. This action is still unassigned, when will this be fixed?

Comment by Volker Fröhlich [ 2014 Jul 03 ]

Corey, this implementation involves a little risk:

  • Users may add media they should not:

For instance, you may be running a somewhat global media type, like syslog or an IRC bot. I'm actually running a media type that manipulates routing. This could be implemented as a remote command, but people may still do it like this. These media types are not intended to be run more often than once at a time. If a user can add such a media, this can break things or even pose a security breach.

  • Users may receive messages not intended for them by adding a media:

Imagine an operation notifying a group the user is part of. Media type is set to "SMS" there. Some users are known not to have SMS configured and thus don't receive notifications – on purpose. If the user can now add an SMS media, he suddenly is notified of something that may not be of his business. Furthermore, SMS usually costs money.

I would generally want to see that as a user group option, whether a user is allowed to manipulate these settings or not. One could also limit it per media type. I'm afraid it could get fairly complex to meet all conceivable needs.

Comment by Arjen van Tol [ 2014 Jul 03 ]

Another perspective would be the ability of making each specific media type available to one or more usergroups.

This way, a usergroup 'E-mail users' includes users which can enable/configure the e-mail media type.

Much simpler in my eyes.
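A model of the authorization rule this thread argues about, added here as an example and not code from Zabbix or from any of the attached patches: the caller-type-only check Corey describes (which lets any Zabbix Admin edit anyone's media through the API) beside an assumed hardened check that also carries Volker's per-user-group option and Arjen's per-media-type user group restriction. The User and MediaType types, the group sets and the policy itself are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Zabbix user types, least to most privileged (the names used in this thread).
ZABBIX_USER, ZABBIX_ADMIN, ZABBIX_SUPER_ADMIN = 1, 2, 3


@dataclass(frozen=True)
class User:                       # assumed model, not Zabbix's own user object
    userid: int
    type: int
    groups: FrozenSet[str]        # names of the user groups the user belongs to


@dataclass(frozen=True)
class MediaType:                  # assumed model, not Zabbix's own media type
    name: str
    # Assumed per-media-type option (Arjen's idea): user groups allowed to use it;
    # None means the media type is open to everyone.
    allowed_groups: Optional[FrozenSet[str]] = None


def can_modify_media_before_fix(actor: User, target: User) -> bool:
    """The check as Corey describes it: only the caller's type is tested, never
    whose media is being edited, so any Zabbix Admin may edit any user's media."""
    return actor.type >= ZABBIX_ADMIN


def can_modify_media(actor: User, target: User, mtype: MediaType,
                     groups_may_edit_media: FrozenSet[str]) -> bool:
    """Assumed hardened policy: Super Admins may edit anyone's media; everyone
    else may edit only their own, only if one of their user groups carries the
    'may edit own media' option (Volker's idea), and only for media types that
    are open to one of their groups."""
    if actor.type == ZABBIX_SUPER_ADMIN:
        return True
    if actor.userid != target.userid:      # the object-level check that was missing
        return False
    if not (actor.groups & groups_may_edit_media):
        return False
    if mtype.allowed_groups is not None and not (actor.groups & mtype.allowed_groups):
        return False
    return True
```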

Comment by Marc [ 2014 Aug 02 ]

Arjen, you mean something like this: ZBXNEXT-1670?

Comment by Volker Fröhlich [ 2014 Aug 27 ]

New patch to fit 2.2.5

Comment by Volker Fröhlich [ 2014 Sep 03 ]

Correction to the previous

Comment by Corey Shaw [ 2014 Nov 11 ]

Ported to 2.4.2.

This patch still includes the potential security issues that Volker mentioned previously. Whether or not those are a problem depends on the environment.

Comment by Raul [ 2015 Mar 03 ]

Ported to 2.4.4

Comment by Antti Hurme [ 2016 Apr 01 ]

Will this patch be ported to 3.0.1?

Comment by Volker Fröhlich [ 2016 Apr 01 ]

I tried, but failed on my first attempt.

Comment by Michal Humpula [ 2016 Aug 31 ]

My iteration for user change (zabbix 3.0.4 based). Only the users with admin privileges can change their media.

Comment by Christoph Haas [ 2018 Nov 22 ]

What happened to the original idea that users can change their own media settings? They still can't. So why is this issue closed?

Generated at Sat Apr 27 07:26:48 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.