Privilege Separation for ZABBIX agent

  • jfischer
    Junior Member
    • Jan 2010
    • 11

    #1

    Privilege Separation for ZABBIX agent

    Hi folks,

    I have implemented privilege separation for the ZABBIX agent which basically allows the agent to open log files which it usually has no permissions to (for log file monitoring via log[] items). It does so by forking a special process which will not drop privileges to user "zabbix" and accepts/answers certain requests from the unprivileged agent processes.

    The full description and the patch are available at https://support.zabbix.com/browse/ZBXNEXT-195

    The patch currently is against the 1.8 version as can be downloaded from zabbix.com. To recompile the agent with the patch you will need autotools (autoconf, automake, etc.) installed on your build machine. Build instructions are in the above ZBXNEXT-195 ticket.

    I'd be glad if some people try it out and report any flaws/bugs back to me.

    Thanks & regards,
    Jan
  • Firm
    Senior Member
    • Dec 2009
    • 342

    #2
    Successfully compiled and started on CentOS 5.3 x86

    Comment

    • simix
      Member
      • Jul 2006
      • 53

      #3
      I'd like to vote for this patch. I didn't try it yet but it seems to solve an issue I also have with the zabbix user not having enough permissions. I guess it will help but with system.run where the zabbix-agent should be able to read data which is only available to root. I have used sudo for this in the past but it seems this patch would make it easier.

      Comment

      • nelsonab
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Sep 2006
        • 1233

        #4
        I can see and agree with the usefulness of this script but with the current server-agent security model I would suggest some caution. While I haven't had the chance to dig in deep with what you are doing, just the ability to tell the Zabbix agent to look inside a file as a privileged user can have some bad consequences right now. Most of the bad consequences come from the ability to spoof a server connection to the agent which in turn can be used to dump config files as a privileged user, which in turn gives more information for someone to exploit your environment.

        Just some thoughts. I'll have to dig deeper but I like the idea overall.
        RHCE, author of zbxapi
        Ansible, the missing piece (Zabconf 2017): https://www.youtube.com/watch?v=R5T9NidjjDE
        Zabbix and SNMP on Linux (Zabconf 2015): https://www.youtube.com/watch?v=98PEHpLFVHM

        Comment

        • richlv
          Senior Member
          Zabbix Certified Trainer
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Oct 2005
          • 3112

          #5
          you can specify a whitelist of files that are allowed for access.
          so you just specify /var/log/{messages,syslog}, and your shadow still should be safe.
          Zabbix 3.0 Network Monitoring book

          Comment
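The file allowlist suggested in the reply above, sketched as an added example (not code from the ZBXNEXT-195 patch or from Zabbix): the privileged helper compares the resolved path, so an allowlisted name that has become a symlink to another file is refused. `open_if_allowed`, `run_constructed_cases` and the files created under `/tmp` are hypothetical names constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper-side check: read-only fd if the resolved path is listed, else -1. */
int open_if_allowed(const char *requested, const char *const *allow, size_t n)
{
    char resolved[PATH_MAX];
    size_t i;
    if (realpath(requested, resolved) == NULL)  /* resolves symlinks, "." and ".." */
        return -1;
    for (i = 0; i < n && strcmp(resolved, allow[i]) != 0; i++)
        ;
    if (i == n)
        return -1;                              /* resolved target is not allowlisted */
    /* O_NOFOLLOW: fail if the final component became a symlink after realpath(). */
    return open(resolved, O_RDONLY | O_NOFOLLOW);
}

/* Constructed scenario in a temp dir; bit k of the result is set if case k was granted. */
int run_constructed_cases(void)
{
    const char *names[4] = { "messages", "shadow", "link.log", "./messages" };
    char tmpl[] = "/tmp/privsepXXXXXX", dir[PATH_MAX], p[4][PATH_MAX + 16];
    const char *allow[2] = { p[0], p[2] };      /* link.log is allowlisted by name */
    int i, fd, granted = 0;
    if (mkdtemp(tmpl) == NULL || realpath(tmpl, dir) == NULL)
        return -1;
    for (i = 0; i < 4; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    close(open(p[0], O_CREAT | O_WRONLY, 0600));
    close(open(p[1], O_CREAT | O_WRONLY, 0600));
    if (symlink(p[1], p[2]) != 0)               /* link.log -> shadow */
        return -1;
    for (i = 0; i < 4; i++)
        if ((fd = open_if_allowed(p[i], allow, 2)) >= 0) {
            granted |= 1 << i;
            close(fd);
        }
    for (i = 0; i < 3; i++)
        unlink(p[i]);
    rmdir(dir);
    return granted;
}

int main(void) { printf("granted mask: %d\n", run_constructed_cases()); return 0; }
```

Only the two spellings of `messages` are granted; both the direct request for `shadow` and the request through the allowlisted `link.log` are denied. Allowlist entries must themselves be canonical paths for the comparison to work.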

          • chivo
            Junior Member
            • Mar 2009
            • 11

            #6
            Could or should this patch be modified to allow for privilege separation when running remote commands? It would be helpful if the zabbix agent could securely restart important processes should something go awry, such as cron, syslog, or even sshd.

            Comment

            • boy01
              Junior Member
              • Dec 2007
              • 24

              #7
              Originally posted by chivo
              Could or should this patch be modified to allow for privilege separation when running remote commands? It would be helpful if the zabbix agent could securely restart important processes should something go awry, such as cron, syslog, or even sshd.
              You can use sudo for this. I.e., give the zabbix user some sudo command rights
              with visudo command (edit /etc/sudoers):
              zabbix ALL = NOPASSWD: /path/crond restart, /path/syslog restart

              After that zabbix-user can execute (no passwd asked):
              sudo /path/crond restart

              Comment

              • jfischer
                Junior Member
                • Jan 2010
                • 11

                #8
                Originally posted by chivo
                Could or should this patch be modified to allow for privilege separation when running remote commands? It would be helpful if the zabbix agent could securely restart important processes should something go awry, such as cron, syslog, or even sshd.
                Theoretically it is possible to extend the functionality so that the agent can execute commands as a privileged user. Before this gets implemented, the way ZABBIX executes commands should be audited and fixed, though - this probably would be some massive amount of work (especially regarding argument parsing/interpretation etc.).

                Using sudo would of course work, too, but:

                - Not every system has sudo or has some security policies in place which forbid non-interactive or non-admin users to use it
                - You'd have another piece of (rather complex) configuration to maintain and roll-out on your systems

                I have thought about implementing privileged execution in the patch, but it requires a little bit more effort in the design. It should be as zero-config as possible but must ensure that it cannot be abused for malicious purposes (e.g. by being tricked to run something it shouldn't).

                Maybe people have input for this topic, so we could put up the design together and make it ready for implementation.

                Comment

                • chivo
                  Junior Member
                  • Mar 2009
                  • 11

                  #9
                  Originally posted by boy01
                  You can use sudo for this. I.e., give the zabbix user some sudo command rights
                  with visudo command (edit /etc/sudoers):
                  zabbix ALL = NOPASSWD: /path/crond restart, /path/syslog restart

                  After that zabbix-user can execute (no passwd asked):
                  sudo /path/crond restart
                  Unfortunately our security policies do not allow for passwordless SUDO. We have a rather dirty hack of a program that "securely" stores passwords that could be used for sudo, but it has not worked well with the zabbix agent.

                  Adding something like an SSL cert for authenticating the server would prevent anything from spoofing the proxy/server. As stated earlier regarding reading log files, a white list of approved commands could also limit the impact of any security issues.

                  Comment
