ZABBIX Forums  
  #1  
25-11-2007, 13:35
abi
Member

UserCommands are executed with gid set to root - use initgroups()

hi,

Given the fact we have an agentd running with Uid and Gid set to
"zabbix":

foo@bar:~/deb/build-area/usr/bin$ ps -U zabbix -o user,group,pid
USER GROUP PID
zabbix zabbix 11245
zabbix zabbix 11246
[..]

and one User command, executing /usr/bin/id (or /usr/bin/groups):

UserParameter=id,/usr/bin/id

Now zabbix_get -shost -kid returns the following output:

foo@bar:~/deb/build-area/usr/bin$ ./zabbix_get -slocalhost -kid
uid=107(zabbix) gid=110(zabbix) groups=0(root),102(lpadmin),1001(wheel)
__________________
abi AT debian DOT org
http://packages.debian.org/src:zabbix

Last edited by abi; 25-11-2007 at 16:14.
  #2  
25-11-2007, 14:19
abi
Member

hi again,

I think this is due to the fact that the zabbix_agentd process only uses
setuid/setgid to drop its privileges. Now I think on Linux, if setuid is
invoked from a user with uid 0, the old uid/gid is saved to the saved
set-uid/gid.

The agent uses popen in order to execute the UserCommands. I think popen just
as exec* resets the gid to the saved-set-gid, which is then 0, thus the
executed program ends up with gid set to root.

Is this wanted behavior?
  #3  
25-11-2007, 15:36
abi
Member

hi again guys,

so well, I think zabbix should call initgroups() in order to set
the process group information right, here is the full bug report
and probable solution:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452682

@devs: what do you think about this?
  #4  
25-11-2007, 15:55
abi
Member

hi again,

here's the patch:

Code:
--- /home/abi/zabbix-1.4.2/src/libs/zbxnix/daemon.c     2007-08-20 21:22:22.000000000 +0200
+++ /tmp/zabbix-1.4.2/src/libs/zbxnix/daemon.c  2007-11-25 15:53:31.890046746 +0100
@@ -90,20 +90,33 @@
        pid_t                   pid;
        struct passwd           *pwd;
        struct sigaction        phan;
+       char user[7] = "zabbix";
 
        /* running as root ?*/
        if((0 == allow_root) && (0 == getuid() || 0 == getgid()))
        {
-               pwd = getpwnam("zabbix");
+               pwd = getpwnam(user);
                if (NULL == pwd)
                {
                        zbx_error("User zabbix does not exist.");
                        zbx_error("Cannot run as root !");
                        exit(FAIL);
                }
-               if( (setgid(pwd->pw_gid) ==-1) || (setuid(pwd->pw_uid) == -1) )
+               if( (setgid(pwd->pw_gid) ==-1) )
                {
-                       zbx_error("Cannot setgid or setuid to zabbix [%s].", strerror(errno));
+                       zbx_error("Cannot setgid to zabbix [%s].", strerror(errno));
+                       exit(FAIL);
+               }
+
+               if( (initgroups(user, pwd->pw_gid) == -1) ) 
+               {
+                       zbx_error("Cannot initgroups to zabbix [%s].", strerror(errno));
+                       exit(FAIL);
+               }
+
+               if( (setuid(pwd->pw_uid) ==-1) )
+               {
+                       zbx_error("Cannot setuid to zabbix [%s].", strerror(errno));
                        exit(FAIL);
                }
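Review bot: char user[7] = "zabbix"; at the top of the hunk ties the array size to the exact length of the literal, so a 7-character name would lose its terminating NUL and a longer one would not fit; static const char user[] = "zabbix"; (or a const char * pointer) removes that trap. The zbx_error() messages, both the unchanged "User zabbix does not exist." and the three new ones, still spell the name literally and should print user through %s so they cannot drift from the lookup. The setgid, initgroups, setuid order is the right one because the group calls need root. The patch consists of this single hunk, so confirm daemon.c already includes <grp.h> for the initgroups() declaration.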
Not sure if we should count this as a security issue?
  #5  
28-11-2007, 16:33
Alexei
Zabbix developer, product manager

Yes, I think this is a security issue! I modified the patch slightly to compile under all platforms. It is already committed to 1.4.x and trunk. It means that the fix will be included in 1.4.3 which is about to be released.

I appreciate the detailed description and the patch very much!

The problem was logged as ZBX-189 for your reference.
__________________
Alexei Vladishev
Author of Zabbix, Product manager
Riga, Latvia
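
An added example, not part of the thread and not Zabbix's own code: a drop from root in the order the patch in post #4 uses (setgid, initgroups, setuid), followed by a check that no inherited supplementary group is left before anything is executed. It assumes Linux with glibc; leftover_groups, drop_to_user and MAX_GROUPS are names made up for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: declare initgroups(), getgrouplist() */
#endif
#include <grp.h>
#include <pwd.h>
#include <unistd.h>

#define MAX_GROUPS 64       /* example limit; more groups than this fails closed */

/* Count gids in have[] that are absent from allowed[], i.e. groups kept
 * from the parent beyond what the account database grants the user. */
int leftover_groups(const gid_t *have, int nhave, const gid_t *allowed, int nallowed)
{
    int extra = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = 0;
        for (int j = 0; j < nallowed && !ok; j++)
            ok = (have[i] == allowed[j]);
        extra += !ok;
    }
    return extra;
}

/* Drop from root to `user` and verify the result; 0 on success, -1 otherwise. */
int drop_to_user(const char *user)
{
    gid_t allowed[MAX_GROUPS], have[MAX_GROUPS];
    int nallowed = MAX_GROUPS, nhave;
    struct passwd *pwd = getpwnam(user);
    if (pwd == NULL)
        return -1;
    /* Group changes need root, so setuid() must come last. */
    if (setgid(pwd->pw_gid) == -1 || initgroups(user, pwd->pw_gid) == -1 ||
        setuid(pwd->pw_uid) == -1)
        return -1;
    /* Verify: root must not be recoverable, no inherited group may remain. */
    if (pwd->pw_uid != 0 && setuid(0) != -1)
        return -1;
    if (getgrouplist(user, pwd->pw_gid, allowed, &nallowed) == -1 ||
        (nhave = getgroups(MAX_GROUPS, have)) == -1)
        return -1;
    return leftover_groups(have, nhave, allowed, nallowed) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (drop_to_user(argc > 1 ? argv[1] : "zabbix") == -1)
        return 1;           /* fail closed: never exec with leftover groups */
    return execl("/usr/bin/id", "id", (char *)NULL);
}
```

Started as root with a user name as its argument, the program prints the id output of the dropped process; started without root it exits 1 because the group calls are refused.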