Ad Widget

Collapse

Which user should be running zabbix_agentd

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • BG-Monitor
    Junior Member
    • Aug 2009
    • 8
    #1

    Which user should be running zabbix_agentd

    I've read that the zabbix_agentd process should only be run by the zabbix user - that appears to be the only reason this user is created during installation.

    However, I currently get zabbix_agentd to start automatically on system boot by adding the following line to /etc/rc.local :

    /usr/local/sbin/zabbix_agentd

    (I couldn't get it working by adding scripts to rc3.d)

    This is just going to get started by root isn't it.

    But I've rebooted my Agent machine many times to test this, and it works fine.

    I'll be grateful for any comments/suggestions
    Tags: None
    • krimson
      Member
      • Sep 2008
      • 49
      #2
      Running it as root is unsafe. If the agent were hacked somehow, the hacker would have instant root access on your server.

      It is better to run it using an unprivileged user (zabbix). You can use sudo if you need to run commands as root from the agent.

        Comment

        • BG-Monitor
          Junior Member
          • Aug 2009
          • 8
          #3
          OK, that makes sense - but how do I run the agent as non-root when using the /etc/rc.local startup script ? (or rc3.d for that matter)

            Comment

            • krimson
              Member
              • Sep 2008
              • 49
              #4
              Originally posted by BG-Monitor
              OK, that makes sense - but how do I run the agent as non-root when using the /etc/rc.local startup script ? (or rc3.d for that matter)
              There are a few initscripts that come with the Zabbix sources (in the misc subdirectory). Either copy one from there or make your own script with something like:

              su - zabbix -c /path/to/zabbix_agentd

              That will switch to user zabbix and fire up (-c) the zabbix_agentd binary.

                Comment

                • NOB
                  Senior Member
                  Zabbix Certified Specialist
                  • Mar 2007
                  • 469
                  #5
                  Hi BG-Monitor

                  Originally posted by BG-Monitor
                  OK, that makes sense - but how do I run the agent as non-root when using the /etc/rc.local startup script ? (or rc3.d for that matter)
                  Of course, you always start the zabbix_agentd as root from the init script !

                  The zabbix_agentd will detect it is started as root and will change
                  to the user zabbix (hard-coded in the source).

                  That's why the user zabbix is created.

                  If you don't want to create the user zabbix you can
                  use a different user but in that case you'll have to modify the
                  init script to use su to change to this user as mentioned in the previous post.

                  Knowing that a user zabbix exists on any monitored server is
                  not really a security hole. You can specify /bin/false as the
                  "shell" for this user making the user useless for attacks.

                  Regards

                  Norbert.

                    Comment

                    Previous template Next
                    Working...