Module: check_mk
Branch: master
Commit: a2ef8d00c53ec9cbd05c4ae2f09b50761130e7ce
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a2ef8d00c53ec9…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Mon May 26 10:38:16 2014 +0200

Fix security issue with mk-job on Linux

By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that
<tt>/var/lib/check_mk_agent/job</tt> was installed with the permissions
<tt>1777</tt>, just as <tt>/tmp</tt>. That way a normal user could have placed
a symlink to a file there that is only readable by <tt>root</tt>. The content
of that file would then appear in the agent output.

This has been fixed by no longer using <tt>/var/lib/check_mk_agent/job</tt>
directly, but by creating a separate subdirectory below that for each user.
This is done by a new version of <tt>/usr/bin/mk-job</tt>, so please make sure
that if you update the agent that you also update <tt>mk-job</tt>.

Also you now have to create job subdirectories for non-<tt>root</tt> jobs
manually. If you have a job running as user <tt>foo</tt>, then do:

C+:
RP:mkdir -p /var/lib/check_mk_agent/job
RP:chown foo.foo /var/lib/check_mk_agent/job
C-:
---
.werks/978 | 26 ++++++++++++++++++++++++++
ChangeLog | 2 ++
agents/check_mk_agent.linux | 16 +++++++++++++---
agents/mk-job | 10 ++++++++--
check_mk.spec | 2 +-
5 files changed, 50 insertions(+), 6 deletions(-)
diff --git a/.werks/978 b/.werks/978
new file mode 100644
index 0000000..cf1034a
--- /dev/null
+++ b/.werks/978
@@ -0,0 +1,26 @@
+Title: Fix security issue with mk-job on Linux
+Level: 2
+Component: checks
+Version: 1.2.5i3
+Date: 1401093260
+Class: incomp
+
+By use of symlinks or hardlinks normal users could inject files to be read
+with root permissions. This was due to the fact that
<tt>/var/lib/check_mk_agent/job</tt>
+was installed with the permissions <tt>1777</tt>, just as
<tt>/tmp</tt>. That way
+a normal user could have placed a symlink to a file there that is only readable
+by <tt>root</tt>. The content of that file would then appear in the agent
output.
+
+This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt>
directly,
+but by creating a separate subdirectory below that for each user. This is done by
+a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you
update
+the agent that you also update <tt>mk-job</tt>.
+
+Also you now have to create job subdirectories for non-<tt>root</tt> jobs
manually.
+If you have a job running as user <tt>foo</tt>, then do:
+
+C+:
+RP:mkdir -p /var/lib/check_mk_agent/job
+RP:chown foo.foo /var/lib/check_mk_agent/job
+C-:
+
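Review bot: The two example commands at the end of the werk, `RP:mkdir -p /var/lib/check_mk_agent/job` and `RP:chown foo.foo /var/lib/check_mk_agent/job`, act on the shared job directory itself rather than on a subdirectory for user foo. That contradicts the werk text above them ("a separate subdirectory below that for each user") and the `OUTPUT_PATH=/var/lib/check_mk_agent/job/$MYSELF` set in agents/mk-job. Followed literally, the chown hands the parent directory to foo, which gives that user write access to the directory the agent walks as root. Both paths should end in `/foo`.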
diff --git a/ChangeLog b/ChangeLog
index 0c9d45e..6ede67a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -56,6 +56,8 @@
NOTE: Please refer to the migration notes!
* 0920 blade_bays: now also detects if blade server is switched off
* 0977 check_traceroute: new active check for checking presence and absence of
routes...
+ * 0978 Fix security issue with mk-job on Linux...
+ NOTE: Please refer to the migration notes!
* 0777 FIX: special agent emcvnx: did not work with security file authentication...
* 0786 FIX: zfsget: fixed compatibility with older Solaris agents...
* 0809 FIX: brocade_fcport: Fixed recently introduced problem with port speed
detection
diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
index 1c9400a..15e416c 100755
--- a/agents/check_mk_agent.linux
+++ b/agents/check_mk_agent.linux
@@ -495,10 +495,20 @@ then
done
fi
-# Get statistics about monitored jobs
-if cd /var/lib/check_mk_agent/job; then
+# Get statistics about monitored jobs. Below the job directory there
+# is a sub directory per user that ran a job. That directory must be
+# owned by the user so that a symlink or hardlink attack for reading
+# arbitrary files can be avoided.
+if pushd /var/lib/check_mk_agent/job >/dev/null; then
echo '<<<job>>>'
- head -n -0 -v *
+ for username in *
+ do
+ if [ -d "$username" ] && cd "$username" ; then
+ su "$username" -c "head -n -0 -v *"
+ cd ..
+ fi
+ done
+ popd > /dev/null
fi
# Gather thermal information provided e.g. by acpi
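Review bot: The new comment states that each subdirectory "must be owned by the user", but the loop never checks this: `su "$username" -c "head -n -0 -v *"` takes the account name from the directory name alone. Compare the directory's owner with `$username` before calling su, and skip entries that are symlinks, since `[ -d "$username" ]` follows them. Without that check, entries left behind in a job directory that used to be mode 1777 are read under whatever identity their name claims. Names that do not correspond to an existing account should also be skipped rather than passed to su.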
diff --git a/agents/mk-job b/agents/mk-job
index e1df542..04da0c8 100755
--- a/agents/mk-job
+++ b/agents/mk-job
@@ -39,12 +39,18 @@ if [ $# -lt 2 ]; then
exit 1
fi
-OUTPUT_PATH=/var/lib/check_mk_agent/job
+MYSELF=$(id -nu)
+OUTPUT_PATH=/var/lib/check_mk_agent/job/$MYSELF
IDENT=$1
shift
if [ ! -d "$OUTPUT_PATH" ]; then
- mkdir -p "$OUTPUT_PATH"
+ if [ "$MYSELF" = root ] ; then
+ mkdir -p "$OUTPUT_PATH"
+ else
+ echo "ERROR: Missing output directory $OUTPUT_PATH for non-root user
'$MYSELF'." >&2
+ exit 1
+ fi
fi
if ! type $1 >/dev/null 2>&1; then
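Review bot: The `[ ! -d "$OUTPUT_PATH" ]` test only establishes that a directory exists at that path; it does not confirm that it is owned by `$MYSELF`, that it is not a symlink, or that it is writable. Add an ownership and writability check beside it and fail with the same kind of explicit error, so a directory created with the wrong owner is reported here instead of surfacing later as a failed write. In the root branch, `mkdir -p "$OUTPUT_PATH"` inherits the caller's umask; setting the mode explicitly would make the result predictable.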
diff --git a/check_mk.spec b/check_mk.spec
index 3d7a93f..ffcf34c 100644
--- a/check_mk.spec
+++ b/check_mk.spec
@@ -197,7 +197,7 @@ rm -rf $RPM_BUILD_ROOT
%dir /usr/lib/check_mk_agent/local
%dir /usr/lib/check_mk_agent/plugins
%dir /var/lib/check_mk_agent
-%dir %attr(1777,-,-)/var/lib/check_mk_agent/job
+%dir /var/lib/check_mk_agent/job
%files agent-scriptless
%config(noreplace) /etc/xinetd.d/check_mk
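Review bot: The replacement line `%dir /var/lib/check_mk_agent/job` drops `%attr` entirely, so the directory's mode and owner now depend on whatever defaults apply outside this hunk. State them explicitly, for example `%dir %attr(0755,root,root) /var/lib/check_mk_agent/job`, so the package guarantees a root-owned directory that is not world-writable. The hunk also does nothing about files or links already present in the directory on systems upgraded from the 1777 layout; a cleanup step or a migration note for those would close that gap.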