We use cookies to ensure that we give you the best experience on our website.  Visit our Privacy Policy to learn more. If you continue to use this site, we will assume that you are okay with it.

Your choices regarding cookies on this site.
Your preferences have been updated.
In order for the changes to take effect completely please clear your browser cookies and cache. Then reload the page.

Werk #0978: Fix security issue with mk-job on Linux

ComponentChecks & Agents
TitleFix security issue with mk-job on Linux
Date2014-05-26 10:34:20
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version1.2.5i3
LevelProminent Change
ClassSecurity Fix
CompatibilityIncompatible - Manual interaction might be required

By use of symlinks or hardlinks normal users could inject files to be read with root permissions. This was due to the fact that /var/lib/check_mk_agent/job was installed with the permissions 1777, just as /tmp. That way a normal user could have placed a symlink to a file there that is only readable by root. The content of that file would then appear in the agent output.

This has been fixed by not longer using /var/lib/check_mk_agent/job directly, but by creating a separate subdirectory below that for each user. This is done by a new version of /usr/bin/mk-job, so please make sure that if you update the agent that you also update mk-job.

Also you now have to create job subdirectories for non-root jobs manually. If you have a job running as user foo, then do:

root@linux# mkdir -p /var/lib/check_mk_agent/job
root@linux# chown foo.foo /var/lib/check_mk_agent/job

If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by an RPM/DEB created from the source code with make rpm or make deb then the permissions of /var/lib/check_mk_agent/job are automatically fixed.

If you have installed the agent manually then please make sure that the permissions of the job directory are set properly:

root@linux# chmod 755 /var/lib/check_mk_agent/job