ZABBIX Forums  
  #1  
Old 04-12-2017, 17:31
fcatto
Junior Member
 
Join Date: Oct 2017
Posts: 2
How to use user zabbix instead of root to get hardware info

Is there another way to use the system.hw.chassis key without enabling the root user for the zabbix agent?

I know that enabling AllowRoot=1 in zabbix-agent.conf works, but I want to keep the default zabbix user running.
  #2  
Old 04-12-2017, 22:07
kloczek
Senior Member
 
Join Date: Jun 2006
Location: UK/London
Posts: 872

Quote:
Originally Posted by fcatto
Is there another way to use the system.hw.chassis key without enabling the root user for the zabbix agent?

I know that enabling AllowRoot=1 in zabbix-agent.conf works, but I want to keep the default zabbix user running.
The zabbix agent system.hw.chassis key accesses /sys/firmware/dmi/tables/DMI, and part of the DMI interface allows talking with the CPU MI engine (Management Interface), which has its own small Minix-based operating system in the CPU.
As this part of the HW interface is very sensitive from a security point of view, I would be very careful. Probably the best way of reading DMI data would be to modify Linux sysfs to expose, somewhere under /sys/firmware/dmi, a separate entry with the hw description in RO mode. As, for example, /proc/cpuinfo is readable by everyone, there is probably no reason why at least some parts of the DMI table data should not be accessible in RO mode as well.
  #3  
Old 04-12-2017, 22:39
kloczek
Senior Member
 
Join Date: Jun 2006
Location: UK/London
Posts: 872

Seems it is somehow possible. Just did a small test on my laptop

Code:
[tkloczko@domek ~]$ /usr/sbin/zabbix_agentd -t system.hw.chassis
system.hw.chassis                             [m|ZBX_NOTSUPPORTED] [Cannot obtain hardware information.]
[tkloczko@domek ~]$ sudo getcap /usr/sbin/zabbix_agentd
[tkloczko@domek ~]$ sudo setcap cap_dac_read_search+ep /usr/sbin/zabbix_agentd
[tkloczko@domek ~]$ /usr/sbin/zabbix_agentd -t system.hw.chassis
system.hw.chassis                             [s|Sony Corporation VPCSB2M9E 27547484-5001800 Notebook]
[tkloczko@domek ~]$ sudo getcap /usr/sbin/zabbix_agentd
/usr/sbin/zabbix_agentd = cap_dac_read_search+ep
Disabling read DAC gives the ability to read any file in the system, and as it is still quite a heavy axe you still need to be careful about using this.
Nevertheless, at least it has a way lower impact than executing the agent as a root process, because with the agent started as a root process it will have RW access to everything.
BTW: it seems disabling read DAC may be useful for the log monitoring keys when the zabbix user has no R access to the monitored logs.

Maybe there is another capability which would allow giving less power to the zabbix agent (?) ..

I'm not sure if it would be possible to give the zabbix_agent binary read access only to /sys/firmware/dmi/tables/DMI over SELinux.
Nevertheless, I still think that the best way to sort this out would be to rewrite the kernel DMI interface a bit to expose the HW type over a regular sysfs file with 444 mode, like it is for /proc/cpuinfo.

Last edited by kloczek; 04-12-2017 at 23:08.
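The posts above compare two ways of letting the agent read the DMI table: AllowRoot=1 (full root) versus a file capability (cap_dac_read_search, read bypass only). The following audit helpers are an added example, not code from this thread or from Zabbix: they parse getcap output, rate how broad a capability set is from a least-privilege viewpoint, and report whether an agent config still has AllowRoot=1. The two getcap output formats ("path = caps" and "path caps") are assumed from libcap behaviour, cap_dac_override and cap_sys_admin are used as examples of broader capabilities, and all sample lines are constructed.

```shell
#!/bin/sh
# Added audit helpers (example code, not from the thread or from Zabbix).
# All sample data used with these functions is constructed.

# getcap prints either "path = capset" (older libcap) or "path capset"
# (newer libcap); a file with no capabilities yields no capset at all.
# Echoes only the capset (empty string when none is present).
parse_getcap_line() {
  line=$1
  case "$line" in
    *" = "*) echo "${line#* = }" ;;
    *" "*)   echo "${line##* }" ;;
    *)       echo "" ;;
  esac
}

# Rates a file-capability set for a monitoring agent:
#   NONE        - no file capabilities; the agent sees what the zabbix user sees
#   READ-BYPASS - cap_dac_read_search alone: bypasses read/search DAC checks,
#                 the grant kloczek tested; read-only but still system-wide
#   BROAD       - cap_dac_override (write bypass), cap_sys_admin, "all" or a
#                 bare "=ep": close to running as root
#   OTHER       - anything else, or read bypass mixed with more; review by hand
rate_capset() {
  caps=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if [ -z "$caps" ]; then
    echo NONE
    return
  fi
  # Drop the flag suffixes (+ep, =eip, ...) so only capability names remain.
  names=$(printf '%s' "$caps" | sed 's/[+=][eip]*//g')
  case ",$names," in
    ",,"|*,all,*)                       echo BROAD ;;
    *cap_dac_override*|*cap_sys_admin*) echo BROAD ;;
    ",cap_dac_read_search,")            echo READ-BYPASS ;;
    *)                                  echo OTHER ;;
  esac
}

# Reports "root" if the agent config enables AllowRoot=1 (the setting fcatto
# wants to avoid) and "user" otherwise. Commented-out lines are ignored.
agent_allowroot() {
  conf=$1
  if grep -Eq '^[[:space:]]*AllowRoot[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf"; then
    echo root
  else
    echo user
  fi
}

# Live check of an installed agent binary; path defaults to the one in the
# thread. Prints a note instead of a rating when getcap is not installed.
audit_agent_binary() {
  bin=${1:-/usr/sbin/zabbix_agentd}
  if ! command -v getcap >/dev/null 2>&1; then
    echo "getcap not available"
    return 0
  fi
  rate_capset "$(parse_getcap_line "$(getcap "$bin" 2>/dev/null)")"
}
```

Typical use on a host is `audit_agent_binary` followed by `agent_allowroot /etc/zabbix/zabbix_agentd.conf` (that path is an assumption; use whatever the installed package ships). A result of READ-BYPASS plus "user" matches the setup kloczek ended with; BROAD or "root" means the agent holds more than a read-only hardware key needs.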