Werk #18570: Inotify: do not override permissions in agent plugin

Component: Checks & agents
Title: Inotify: do not override permissions in agent plugin
Date: Sep 12, 2025
Level: Trivial Change
Class: Security Fix
Compatibility: Incompatible - Manual interaction might be required

Checkmk versions & editions:
2.5.0b1 (Not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0p16: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p41 (Not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Because the agent plugin overrode the process umask, the files it wrote to /var/lib/check_mk_agent/mk_inotify.* were created with overly permissive mode bits (-rw-rw-rw-), giving any local user write access:

-rw-rw-rw- 1 root root   34 Nov  3 12:32 mk_inotify.configured
-rw-rw-rw- 1 root root    6 Nov  3 12:32 mk_inotify.pid
-rw-rw-rw- 1 root root  238 Nov  3 12:31 mk_inotify.stats.*

With this change, the files are now written with the host system's default permissions (usually umask 0022):

-rw-rw-r-- 1 root root   34 Nov  3 12:32 mk_inotify.configured
-rw-rw-r-- 1 root root    6 Nov  3 12:32 mk_inotify.pid
-rw-rw-r-- 1 root root  238 Nov  3 12:31 mk_inotify.stats.*

To apply this fix, you need an agent installed that contains the updated mk_inotify.py plugin. The change is flagged as incompatible because you may also have to re-trigger the plugin manually so that its long-running process is restarted.

With the new process running, you should see new files written out with the host's default file permissions.

Who's Affected:

Anyone who has deployed the inotify agent plugin in the past may be affected. You can see if you are affected by running the following command:

ls -al /var/lib/check_mk_agent/mk_inotify.*

If there are any file matches, then you are affected.

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0
  • <=2.1.0 (EOL)

Mitigations:

You can mitigate this issue either by baking an agent that contains the fix and deploying it, or by manually adapting the already deployed agent: remove line 125 of /usr/lib/check_mk_agent/plugins/mk_inotify.py, which reads:

os.umask(0)

Once updated, you will want to restart the inotify agent:

MK_CONFDIR=/etc/check_mk python3 /usr/lib/check_mk_agent/plugins/mk_inotify.py

Indicators of Compromise:

Inspect the file permissions of the log files by running:

ls -al /var/lib/check_mk_agent/mk_inotify.*

If any of these files have -rw-rw-rw- permissions, consider redeploying the agent with the fix.
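The following Python script is an added example, not part of the Werk or of the Checkmk agent: it reproduces the effect of the removed os.umask(0) call against the host's default umask and implements the permission check from the Mitigations and Indicators of Compromise sections. The state directory and file pattern are the ones named above; the file content is a constructed placeholder.

```python
import glob
import os
import stat
import tempfile
from typing import List, Optional

# Directory and file pattern named in the advisory.
STATE_DIR = "/var/lib/check_mk_agent"
PATTERN = "mk_inotify.*"


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set, i.e. the -rw-rw-rw- case."""
    return bool(mode & stat.S_IWOTH)


def find_affected_files(directory: str = STATE_DIR) -> List[str]:
    """Return the mk_inotify.* files in `directory` that any user may write to."""
    affected = []
    for path in sorted(glob.glob(os.path.join(directory, PATTERN))):
        if is_world_writable(os.stat(path).st_mode):
            affected.append(path)
    return affected


def write_state_file(path: str, umask: Optional[int]) -> int:
    """Create `path` the way the plugin does and return its permission bits.

    umask=0 reproduces the removed os.umask(0) call; umask=None keeps the
    process umask, which is what the fixed plugin relies on.
    """
    old = os.umask(umask) if umask is not None else None
    try:
        with open(path, "w") as f:
            f.write("constructed sample state\n")  # not real plugin output
    finally:
        if old is not None:
            os.umask(old)  # never leave the process with a changed umask
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Compare both behaviours in a throwaway directory under umask 0022."""
    with tempfile.TemporaryDirectory() as d:
        old = os.umask(0o022)
        try:
            bad = write_state_file(os.path.join(d, "mk_inotify.pid"), 0)
            good = write_state_file(os.path.join(d, "mk_inotify.configured"), None)
            affected = [os.path.basename(p) for p in find_affected_files(d)]
        finally:
            os.umask(old)
    return {"umask_0": bad, "default_umask": good, "affected": affected}
```

Run find_affected_files() with no arguments on a host to get the same answer as the ls command above, as a list that is empty when the host is not affected.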

Vulnerability Management:

We have rated the issue with a CVSS Score of 4.8 Medium (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N) and assigned CVE-2025-64996.
