Werk #16550: Linux remote alert handlers not running under non-root user

Komponente Agent bakery
Titel Linux remote alert handlers not running under non-root user
Datum 12.03.2024
Level Kleine Änderung
Klasse Bugfix
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen
Checkmk versions & editions
2.4.0b1 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b3 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p26 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

In the ruleset Remote alert handlers (Linux), you have to specify a user under that the remote alert handler will be executed on agent side. This user is set to root by default, but it's possible to choose an arbitrary user.

But, when choosing a non-root user, the alert handlers previously failed to execute, because the handler files got deployed with root-ownership and were not readable by others. To fix the problem, the ownership of the files now get changed to the specified user.

Security note: In general, it's important that all internal files of the Checkmk agent have root ownership, as they might be read/executed by the Checkmk agent under root. However, this is not the case for remote alert handlers, as they always get executed under the specified user. As an additional security measure, the dispatcher on agent side checks the ownership of installed remote alert handlers, and refuses to execute non-root owned handlers when called via SSH with root rights.

Zur Liste aller Werks