We use cookies to ensure that we give you the best experience on our website.  Visit our Privacy Policy to learn more. If you continue to use this site, we will assume that you are okay with it.

Your choices regarding cookies on this site.
Your preferences have been updated.
In order for the changes to take effect completely please clear your browser cookies and cache. Then reload the page.

Werk #7344: Changing all setuid root binaries to use linux capabilities

ComponentCore & Setup
TitleChanging all setuid root binaries to use linux capabilities
Date2019-05-03 08:02:39
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version1.6.0b1
LevelProminent Change
ClassSecurity Fix
CompatibilityCompatible - no manual interaction needed

In Linux there is the option to give a binary a SETUID bit. This bit gives the processes created by the binary all privileges of the binary file owner. There is also a more advanced concept called "linux capabilities" which makes it possible to give these processes only a specific set of permissions.

In past versions Check_MK used SETUID root binaries in several places for different reasons.

  • check_dhcp / check_icmp: Active check plugins which need this permission to be able to open their raw sockets for sending and receiving their packets.
  • bin/mkeventd_open514: Open SNMP trap or sylog ports for receiving messages.
  • lib/cmc/icmpsender / lib/cmc/icmpreceiver: CEE/CME only: Open raw sockets for sending and receiving packets.

SETUID root binaries are problematic in terms of security, because they could be used for getting root privileges in case an attacker finds an attackable security flaw in them. Once exploited the attacker would gain full root access on the Check_MK system.

Because all of these binaries need the privilege for a very specific known reason, we have now removed the SETUID bit from these binaries and are now setting individual linux capabilities to them.

The capabilities have the advantage that they don't give full root access to the processes created with the binary. Instead they give only a defined set of permissions.