Ad Widget

Collapse

UserCommands executed with gid set to root?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

    UserCommands executed with gid set to root?

    hi,

    Given the fact wie have an agentd running with Uid and Gid set to
    "zabbix":

    [email protected]:~/deb/build-area/usr/bin$ ps -U zabbix -o user,group,pid
    USER GROUP PID
    zabbix zabbix 11245
    zabbix zabbix 11246
    [..]

    and one User command, executing /usr/bin/id (or /usr/bin/groups):

    UserParameter=id,/usr/bin/id

    now. zabbix_get -shost -kid returns the following output:

    [email protected]:~/deb/build-area/usr/bin$ ./zabbix_get -slocalhost -kid
    uid=107(zabbix) gid=110(zabbix) groups=0(root),102(lpadmin),1001(wheel)
    Last edited by abi; 25-11-2007, 17:14.

    #2
    hi again,

    i think this is due to the fact that the zabbix_agentd process only uses
    setuid/setgid to drop its privileges. Now i think on linux, if setuid is
    invoked from an user with uid 0, the old uid/gid is saved to the saved
    set-uid/gid.

    The agent uses popen in order to execute the UserCommands. I think popen just
    as exec* resets the gid to the saved-set-gid, which is then 0, thus the
    executed programm ends up with gid set to root.

    Is this wanted behavior?

    Comment


      #3
      hi again guys,

      so well, i think zabbix should call initgroups() in order to set
      the process group information right, here is the full bugreport
      and probably solution:

      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452682

      @devs: what do you think about this?

      Comment


        #4
        hi again,

        heres the patch:

        Code:
        --- /home/abi/zabbix-1.4.2/src/libs/zbxnix/daemon.c     2007-08-20 21:22:22.000000000 +0200
        +++ /tmp/zabbix-1.4.2/src/libs/zbxnix/daemon.c  2007-11-25 15:53:31.890046746 +0100
        @@ -90,20 +90,33 @@
                pid_t                   pid;
                struct passwd           *pwd;
                struct sigaction        phan;
        +       char user[7] = "zabbix";
         
                /* running as root ?*/
                if((0 == allow_root) && (0 == getuid() || 0 == getgid()))
                {
        -               pwd = getpwnam("zabbix");
        +               pwd = getpwnam(user);
                        if (NULL == pwd)
                        {
                                zbx_error("User zabbix does not exist.");
                                zbx_error("Cannot run as root !");
                                exit(FAIL);
                        }
        -               if( (setgid(pwd->pw_gid) ==-1) || (setuid(pwd->pw_uid) == -1) )
        +               if( (setgid(pwd->pw_gid) ==-1) )
                        {
        -                       zbx_error("Cannot setgid or setuid to zabbix [%s].", strerror(errno));
        +                       zbx_error("Cannot setgid to zabbix [%s].", strerror(errno));
        +                       exit(FAIL);
        +               }
        +
        +               if( (initgroups(user, pwd->pw_gid) == -1) ) 
        +               {
        +                       zbx_error("Cannot initgroups to zabbix [%s].", strerror(errno));
        +                       exit(FAIL);
        +               }
        +
        +               if( (setuid(pwd->pw_uid) ==-1) )
        +               {
        +                       zbx_error("Cannot setuid to zabbix [%s].", strerror(errno));
                                exit(FAIL);
                        }
        not sure if we should count this as security issue?

        Comment


          #5
          Yes, I think this is a security issue! I modified the patch sightly to compile under all platforms. It is already committed to 1.4.x and trunk. It means that the fix will be included in 1.4.3 which is about to be released.

          I appreciate the detailed description and the patch very much!

          The problem was logged as ZBX-189 for your reference.
          Alexei Vladishev
          Creator of Zabbix, Product manager
          New York | Tokyo | Riga
          My Twitter

          Comment

          Working...
          X