Werk #978: Fix security issue with mk-job on Linux

Component: Checks & agents
Title: Fix security issue with mk-job on Linux
Date: May 26, 2014
Level: Prominent Change
Class: Security Fix
Compatibility: Incompatible - Manual interaction might be required
Checkmk versions & editions: 1.2.5i3 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

By using symlinks or hardlinks, normal users could inject files that would then be read with root permissions. This was because /var/lib/check_mk_agent/job was installed with permissions 1777, just like /tmp. A normal user could therefore place a symlink there pointing to a file that is readable only by root, and the content of that file would then appear in the agent output.

This has been fixed by no longer using /var/lib/check_mk_agent/job directly, but by creating a separate subdirectory below it for each user. This is done by a new version of /usr/bin/mk-job, so if you update the agent, make sure that you also update mk-job.

You now also have to create the job subdirectories for non-root jobs manually. If you have a job running as user foo, then run:

root@linux:~# mkdir -p /var/lib/check_mk_agent/job/foo
root@linux:~# chown foo:foo /var/lib/check_mk_agent/job/foo

If you update the Check_MK agent with RPM/DEB packages from the new agent bakery, or with an RPM/DEB built from the source code with make rpm or make deb, then the permissions of /var/lib/check_mk_agent/job are fixed automatically.

If you installed the agent manually, please make sure that the permissions of the job directory are set properly:

root@linux:~# chmod 755 /var/lib/check_mk_agent/job
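To verify the resulting layout on a host, here is an added audit script (not part of this werk or of the Checkmk agent). It assumes the layout described above: a root-owned 0755 parent directory and one subdirectory per user, owned by that user. The DIR and EXPECTED_PARENT_OWNER arguments are only there so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not Checkmk code: audit the mk-job spool layout.
# The parent must no longer be 1777 but 0755 owned by root, and each
# per-user subdirectory must be owned by the user it is named after and
# must not be writable by group or others, otherwise another user could
# plant a symlink or hardlink that the root-run agent would read.
# Uses GNU stat (Linux). Prints each finding; returns 0 when the layout
# is safe and 1 otherwise.
# Usage: check_job_dir [DIR] [EXPECTED_PARENT_OWNER]
check_job_dir() {
    dir="${1:-/var/lib/check_mk_agent/job}"
    want_owner="${2:-root}"
    status=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    if [ "$mode" != "755" ] || [ "$owner" != "$want_owner" ]; then
        echo "$dir is $owner mode $mode, expected $want_owner mode 755"
        status=1
    fi
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        sub="${sub%/}"
        name="${sub##*/}"
        owner=$(stat -c '%U' "$sub")
        mode=$(stat -c '%a' "$sub")
        if [ "$owner" != "$name" ]; then
            echo "$sub is owned by $owner, expected $name"
            status=1
        fi
        # 022 = group-write | other-write: either bit lets another
        # user drop entries into this user's spool directory.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$sub is writable by other users (mode $mode)"
            status=1
        fi
    done
    return $status
}
```

Run it as root on the agent host after updating mk-job; with no arguments it checks /var/lib/check_mk_agent/job against owner root.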
