Werk #16550: Linux remote alert handlers not running under non-root user
| Component | Agent bakery |
| Title | Linux remote alert handlers not running under non-root user |
| Date | Mar 12, 2024 |
| Checkmk Edition | Checkmk Enterprise (CEE) |
| Checkmk Version | 2.2.0p26 2.3.0b3 2.4.0b1 |
| Level | Trivial Change |
| Class | Bug Fix |
| Compatibility | Compatible - no manual interaction needed |
In the ruleset Remote alert handlers (Linux), you have to specify a user under that the remote alert handler will be executed on agent side. This user is set to root by default, but it's possible to choose an arbitrary user.
But, when choosing a non-root user, the alert handlers previously failed to execute, because the handler files got deployed with root-ownership and were not readable by others. To fix the problem, the ownership of the files now get changed to the specified user.
Security note: In general, it's important that all internal files of the Checkmk agent have root ownership, as they might be read/executed by the Checkmk agent under root. However, this is not the case for remote alert handlers, as they always get executed under the specified user. As an additional security measure, the dispatcher on agent side checks the ownership of installed remote alert handlers, and refuses to execute non-root owned handlers when called via SSH with root rights.
