Werk #19274: Agent updater runs under the agent controller user
| Component | Agent bakery |
| Title | Agent updater runs under the agent controller user |
| Date | Feb 11, 2026 |
| Level | Trivial Change |
| Class | New Feature |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
The agent updater (cmk-update-agent) now operates under the agent controller user (typically cmk-agent) instead of root when an agent controller is present.
This change came as a side effect of the unified agent controller/updater register command from Werk #19273, where the agent updater is called as a subprocess of the agent controller. We decided to take the opportunity to operate the agent updater with least privileges entirely.
What changed
Previously, the agent updater ran as root. It now switches to the agent controller user on startup. For operations that require installing an agent package, the updater temporarily elevates its effective user only when calling the system's package manager. For all other operations, the privilege drop to the agent controller user is permanent.
As part of this change, the agent updater's state and log files have moved to dedicated subfolders owned by the agent controller user:
- state file: $MK_VARDIR/cmk-update-agent/cmk-update-agent.state
- log file: $MK_VARDIR/log/cmk-update-agent/cmk-update-agent.log
(where $MK_VARDIR defaults to /var/lib/check_mk_agent in multi directory deployment and to /opt/checkmk/agent/default/runtime in single directory deployment)
Existing files are migrated automatically during agent update.
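
A post-update check for the file layout described above, as an added example that is not part of Checkmk or of this werk: it verifies that both subfolders and files exist under $MK_VARDIR and are owned by the agent controller user. The function names, the default user name `cmk-agent` (the werk says "typically"), and the symlink and write-permission checks are assumptions of this example.

```python
import os
import pwd
import stat

# Paths relative to $MK_VARDIR, as listed in this werk.
UPDATER_FILES = (
    "cmk-update-agent/cmk-update-agent.state",
    "log/cmk-update-agent/cmk-update-agent.log",
)


def resolve_uid(owner):
    """Accept a numeric uid or a user name such as 'cmk-agent'."""
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def audit_updater_files(vardir, owner="cmk-agent"):
    """Return a list of findings; an empty list means the layout looks right."""
    uid = resolve_uid(owner)
    findings = []
    for rel in UPDATER_FILES:
        path = os.path.join(vardir, rel)
        # Check the dedicated subfolder first, then the file inside it.
        for target in (os.path.dirname(path), path):
            try:
                st = os.lstat(target)  # lstat: do not follow symlinks
            except FileNotFoundError:
                findings.append(f"{target}: missing")
                continue
            if stat.S_ISLNK(st.st_mode):
                # Assumption of this example: a symlink here is unexpected.
                findings.append(f"{target}: is a symlink")
                continue
            if st.st_uid != uid:
                findings.append(f"{target}: owned by uid {st.st_uid}, expected {uid}")
            # Assumption of this example: nobody but the owner should write here.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{target}: group- or world-writable")
    return findings


if __name__ == "__main__":
    # Default for multi directory deployment, per the werk text.
    vardir = os.environ.get("MK_VARDIR", "/var/lib/check_mk_agent")
    for finding in audit_updater_files(vardir):
        print(finding)
```

For a single directory deployment, set `MK_VARDIR=/opt/checkmk/agent/default/runtime` before running it.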