By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that /var/lib/check_mk_agent/job
was installed with the permissions 1777, just as /tmp. That way
a normal user could have placed a symlink to a file there that is only readable
by root. The content of that file would then appear in the agent output.
This has been fixed by not longer using /var/lib/check_mk_agent/job directly,
but by creating a separate subdirectory below that for each user. This is done by
a new version of /usr/bin/mk-job, so please make sure that if you update
the agent that you also update mk-job.
Also you now have to create job subdirectories for non-root jobs manually.
If you have a job running as user foo, then do:
root@linux:~# mkdir -p /var/lib/check_mk_agent/job
root@linux:~# chown foo:foo /var/lib/check_mk_agent/job
If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by
an RPM/DEB created from the source code with make rpm or make deb
then the permissions of /var/lib/check_mk_agent/job are automatically
If you have installed the agent manually then please make sure that the permissions
of the job directory are set properly:
root@linux:~# chmod 755 /var/lib/check_mk_agent/job
To the list of all Werks