Werk #16550: Linux remote alert handlers not running under non-root user

Component Agent bakery
Title Linux remote alert handlers not running under non-root user
Date Mar 12, 2024
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b3 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p26 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

In the ruleset Remote alert handlers (Linux), you have to specify a user under that the remote alert handler will be executed on agent side. This user is set to root by default, but it's possible to choose an arbitrary user.

But, when choosing a non-root user, the alert handlers previously failed to execute, because the handler files got deployed with root-ownership and were not readable by others. To fix the problem, the ownership of the files now get changed to the specified user.

Security note: In general, it's important that all internal files of the Checkmk agent have root ownership, as they might be read/executed by the Checkmk agent under root. However, this is not the case for remote alert handlers, as they always get executed under the specified user. As an additional security measure, the dispatcher on agent side checks the ownership of installed remote alert handlers, and refuses to execute non-root owned handlers when called via SSH with root rights.

To the list of all Werks