|Component||Checks & Agents|
|Title||Fix security issue with mk-job on Linux|
|Checkmk Edition||Checkmk Raw Edition (CRE)|
|Compatibility||Incompatible - Manual interaction might be required|
By use of symlinks or hardlinks normal users could inject files to be read with root permissions. This was due to the fact that /var/lib/check_mk_agent/job was installed with the permissions 1777, just as /tmp. That way a normal user could have placed a symlink to a file there that is only readable by root. The content of that file would then appear in the agent output.
This has been fixed by not longer using /var/lib/check_mk_agent/job directly, but by creating a separate subdirectory below that for each user. This is done by a new version of /usr/bin/mk-job, so please make sure that if you update the agent that you also update mk-job.
Also you now have to create job subdirectories for non-root jobs manually. If you have a job running as user foo, then do:
root@linux# mkdir -p /var/lib/check_mk_agent/job root@linux# chown foo.foo /var/lib/check_mk_agent/job
If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by an RPM/DEB created from the source code with make rpm or make deb then the permissions of /var/lib/check_mk_agent/job are automatically fixed.
If you have installed the agent manually then please make sure that the permissions of the job directory are set properly:
root@linux# chmod 755 /var/lib/check_mk_agent/job