Werk #978: Fix security issue with mk-job on Linux
Component | Checks & agents |
Title | Fix security issue with mk-job on Linux |
Date | 26.05.2014 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 1.2.5i3 |
Level | Prominent change |
Class | Security fix |
Compatibility | Incompatible - Manual interaction might be required |
By use of symlinks or hardlinks normal users could inject files to be read with root permissions. This was due to the fact that /var/lib/check_mk_agent/job was installed with the permissions 1777, just as /tmp. That way a normal user could have placed a symlink to a file there that is only readable by root. The content of that file would then appear in the agent output.
This has been fixed by no longer using /var/lib/check_mk_agent/job directly, but by creating a separate subdirectory below that for each user. This is done by a new version of /usr/bin/mk-job, so if you update the agent, please make sure that you also update mk-job.
Also you now have to create job subdirectories for non-root jobs manually. If you have a job running as user foo, then do:
root@linux:~# mkdir -p /var/lib/check_mk_agent/job/foo
root@linux:~# chown foo:foo /var/lib/check_mk_agent/job/foo
If you update the Check_MK Agent with RPM/DEB packages from the new agent bakery, or with an RPM/DEB created from the source code with make rpm or make deb, then the permissions of /var/lib/check_mk_agent/job are fixed automatically.
If you have installed the agent manually then please make sure that the permissions of the job directory are set properly:
root@linux:~# chmod 755 /var/lib/check_mk_agent/job
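
To check a host for the conditions this Werk describes, the following added example (not part of the original Werk or of Checkmk) audits the job directory for group/world write permission and for symlinks or hardlinked files placed below it. The function name audit_job_dir and the output labels are assumptions; treating any hardlinked regular file as suspicious is a heuristic.

```sh
#!/bin/sh
# Added example: audit the mk-job state directory for the weaknesses
# described in Werk #978. Function name and output labels are assumptions.
#
# Prints one finding per line and returns 1 if anything was found,
# returns 0 with no output if the directory looks clean.
audit_job_dir() {
    job_dir=${1:-/var/lib/check_mk_agent/job}

    report=$(
        # Base directory writable by group or others (e.g. the old 1777 mode):
        # any local user can then create entries in it.
        find "$job_dir" -maxdepth 0 -type d \( -perm -0002 -o -perm -0020 \) \
            -exec echo WRITABLE_BY_OTHERS {} \;

        # Symlinks below the job directory: an agent running as root would
        # follow them and read the target.
        find "$job_dir" -mindepth 1 -type l \
            -exec echo SYMLINK {} \;

        # Regular files with more than one link (heuristic): may be a
        # hardlink to a file elsewhere on the same filesystem.
        find "$job_dir" -mindepth 1 -type f -links +1 \
            -exec echo HARDLINK {} \;
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (as root, on a host with the agent installed):
#   audit_job_dir /var/lib/check_mk_agent/job
```

A non-zero return on a host that was updated manually means the chmod 755 step above, or a cleanup of the reported entries, is still outstanding.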