Assuming you're on Linux, just start the agent with a different user. There isn't anything special to run as a different user. Just make sure the the user can read the various config files for the agent.

Hi heaje,

I think what bircow wants to know is what are the steps to take in order to get zabbix-agent running under a different name than the one created by default i.e. zabbix.

I've installed zabbix server and agent from apt repos and they both run with the "zabbix" limited account by default.

As bircow stated out it is recommended in this configuration to get zabbix-agent to run under another account. Not being a linux guru I am to having issue understanding how this can be done.

I've created a "zabbix-agent" account with same home dir '/var/run/zabbix' and shell '/bin/false' than the originally created "zabbix". From my understanding this means that I cannot login or su the zabbix-agent in order to start it under this account.

Running it as root defaults to the "zabbix" account. Is this a hard-coded value? The idea (at least for me) is to start the zabbix-agent service as root and have run as zabbix-agent user account by default. Is this even possible?

Thanks in advance for all the linux noobs and sysadmin wanabees.
JS

Zabbix does not do any user switching on it's own. When you say "running it as root", do you mean when you use the init script to start the service it starts up as the "zabbix" user? Take a look in the init script. It will have something in there to cause it to start that way. Unless you have the "AllowRoot" parameter in the zabbix agent config file set to "1", it won't even allow you to start it using the root user. To test it out, don't use an init script, just try and run "zabbix_agentd -c <path_to_config_file>" as the root user.

You can run the Zabbix daemons as any user you want. You don't have to change any compile-time options or source code. If you're using an init script, just change the init script to run the command for the daemon as a different user (using 'sudo' or 'su' or some other method). If you want to test this out, create a user (as you already did), but temporarily set the shell to /bin/bash (or an equivalent). Then 'su' to the user and try to run "zabbix_agentd -c <path_to_config_file>". You'll see that it starts up just fine and that the process is running as that user.

I stand corrected. What I mentioned in my last post was how zabbix worked, but apparently that's not what it does now. I ran zabbix as an entirely different user before.

As you already mentioned, it is in fact changing to the zabbix user on it's own(it didn't do that before). I'll research this a bit and get back to you.

Hi Heaje,

Yeah... I looked everywhere really... The init script (and yes this is what I meant, starting the daemon with the init script), does not contain any ref to a particular user account group set except when it doesn't find the $DIR in which case it will create it and chown it as zabbix.zabbix.

As stated I don't compile from source but rather use dotdeb.org repos and am currently running Zabbix Agent (daemon) v2.0.9 (revision 39085) (08 October 2013).

Thanks in advance,
JS

k, I got it working as a different user again. If you try to start the daemon as root and have Allow_Root set to "0" in the config file, the daemon automatically tries to switch to the "zabbix" user. Without modifying source code, the trick is that the daemon command has to be run as the new user, so this would require you to do one of two things:

1. Change the init script to not just start the daemon, but start it as a specific user. I'm not terribly familiar with how Debian init scripts work (I use CentOS/RedHat/Gentoo), so unfortunately I can't give any pointers there.

2. Simply "su" to the user that should run the daemon and then manually start it up that way. Depending on your Linux distro, you may be able to just call the init script as that user and have it work.

Thanks for the heads up...

So I'll need to change the new user's shell to a valid one right (currently /bin/false) or will su still work in the current config, the idea being to give the agent least privileges /access to the system as possible.

I believe it would be a real handy feature to include this as a setting in the conf file?

Best,
JS

That depends on the route you take. Many distro init scripts use built-in functionality that allows you to start commands as different users. I don't believe you need a valid shell for that to work, but you'll need to test it out to be sure.

I 100% agree with you. There may be a feature request for it on support.zabbix.com already, so I'd search there. If one doesn't exist, create a feature request.

Hi Heaje,

Sorry for the late follow-up. Just to confirm you need to modify the init script to get it running under a different user:group pair but turned out to be more complicated than expected.

The following applies to hosts running debian wheezy and zabbix-agent bundled by dotdeb.org. The purpose is here to have zabbix_agentd start as zabbix-agent instead of default zabbix user.

• create a zabbix-agent user:group pair
  
  Code:

  useradd -M -d /var/run/zabbix-agent -s /bin/false -c "zabbix-agent account" zabbix-agent

• modify the zabbix-agent init script
  • modify the DIR path to match the one for zabbix-agent user
    
    Code:

    DIR=/var/run/zabbix-agent

  • make sure it will be chowned properly
    
    Code:

    chown -R zabbix-agent:zabbix-agent "$DIR"

  • force zabbix_agentd to start under the zabbix-agent user
    -> add
    
    Code:

    --chuid zabbix-agent:zabbix-agent

    -> everywhere there is a
    
    Code:

    start-stop-daemon

• update-rc.d
  
  Code:

  update-rc.d zabbix-agent defaults

• make sure zabbix-agent has the proper privs on log folder
  
  Code:

  chown -R zabbix-agent:zabbix-agent /var/log/zabbix-agent

• make sure logrotate will create new log files as zabbix-agent (in /etc/logrotate.d/zabbix-agent replace)
  
  Code:

  replace "create 0640 zabbix zabbix" with "create 0640 zabbix-agent zabbix-agent"

• and make sure it will target the proper pid file when executing the "postrotate" cmd (in /etc/logrotate.d/zabbix-agent replace)
  
  Code:

  "[ -e /var/run/zabbix/zabbix_agentd.pid ]" with "[ -e /var/run/zabbix-agent/zabbix_agentd.pid ]"

• make sure zabbix_agentd will create its PID file in the appropriate folder
  -> change the "PidFile" value in /etc/zabbix/zabbix_agentd.conf to
  
  Code:

  PidFile=/var/run/zabbix-agent/zabbix_agentd.pid

• restart zabbix-agent
  
  Code:

  service zabbix-agent restart

This worked for me and zabbix_agentd now starts under zabbix-agent user, creates a /var/run/zabbix-agent directory and its zabbix_agentd.pid file in it, and is able to write logs.

Hope this helps.
JayC

Are you sure its running as zabbix-agent? Did you check ps output? No matter what I could not make it run as zabbix-agent, its always file permission error to open log, if i change the path from /var/run/ to /tmp/zabbix-agent/ it will start but its still runs as zabbix user not zabbix-agent. have changed zabbix-agent.conf too

I wanted to start zabbix_agent from let's say zabbix_agent user from /opt/zabbix_agent (Yes i compilled sources with --prefix=/opt/zabbix_agent)
And
I've created zabbix_agent user and group. I've chown'ed that directory and managed 777 to log file and provide pid file in a directory with propper rights.
(zabbix_agentd.conf contains AllowRoot=0 and User=zabbix_agent)
So when I started the zabix_agent from zabbix_agent user I was getting an ERROR in log:
cannot recreate Zabbix semaphores for IPC key 0x7a000123 Semaphore ID 4294967541: [22] Invalid argument

And I wanted to write a question. But it's going to be an answer.

According to links bellow I solved that trouble. I should of reboot before that probably.

Hello, JayC

I have some questions about the steps described above

1) and make sure it will target the proper pid file when executing the "postrotate" cmd (in /etc/logrotate.d/zabbix-agent replace)
In the file /etc/logrotate.d/zabbix-agent I don't see the postrotate cmd. Where do I have to change this.

2) I am correct that there is one step missing in the procedure. I had to modify the service file located in (/lib/systemd/system/zabbix-agent.service) to point to the new PIDFile.
I had to change it to After this modification it worked properly for my system.