Werk 16550 was adapted. The following is the new Werk; a diff is shown at the end of the
message.
Title: Linux remote alert handlers not running under non-root user
Class: fix
Compatible: compat
Component: agents
Date: 1710234878
Edition: cee
Level: 1
Version: 2.2.0p26

In the ruleset <em>Remote alert handlers (Linux)</em>, you have to specify
a user under which the remote alert handler will be executed on the agent side.
This user is set to <em>root</em> by default, but it's possible to choose
an arbitrary user.

However, when a non-root user was chosen, the alert handlers previously
failed to execute, because the handler files were deployed with root ownership
and were not readable by others.

To fix the problem, the ownership of the files now gets changed to the specified
user.

Security note:
In general, it's important that all internal files of the Checkmk
agent have root ownership, as they might be read/executed by the Checkmk agent
as root.
However, this is not the case for remote alert handlers, as they
always get executed under the specified user.
As an additional security measure, the dispatcher on the agent side
checks the ownership of installed remote alert handlers, and refuses to execute
non-root-owned handlers when called via SSH with root rights.
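
One way to express the ownership check described in the security note, as an added example (not Checkmk's own dispatcher code). The function names, the refusal of symlinks and the writable-bit check are assumptions that go beyond what the Werk states.

```python
import os
import stat
from typing import NamedTuple, Optional

ROOT_UID = 0


class Verdict(NamedTuple):
    allowed: bool
    reason: str


def decide(owner_uid: int, mode: int, caller_euid: int) -> Verdict:
    """Pure policy decision on a handler's lstat() data and the caller's euid."""
    # Assumption: only regular files qualify, so a symlink is never followed.
    if not stat.S_ISREG(mode):
        return Verdict(False, "not a regular file")
    # Rule from the Werk: with root rights, refuse handlers not owned by root.
    if caller_euid == ROOT_UID and owner_uid != ROOT_UID:
        return Verdict(False, f"owned by uid {owner_uid}, refusing to run as root")
    # Assumption (not in the Werk): a file that group or others can modify
    # gives no ownership guarantee, so it is refused as well.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return Verdict(False, "writable by group or others")
    return Verdict(True, "ok")


def check_handler(path: str, caller_euid: Optional[int] = None) -> Verdict:
    """Apply decide() to a handler file on disk."""
    if caller_euid is None:
        caller_euid = os.geteuid()
    try:
        st = os.lstat(path)  # lstat: judge the path itself, not a link target
    except OSError as exc:
        return Verdict(False, f"cannot stat handler: {exc.strerror}")
    return decide(st.st_uid, st.st_mode, caller_euid)


if __name__ == "__main__":
    import sys

    for handler in sys.argv[1:]:
        verdict = check_handler(handler)
        print(f"{handler}: {'run' if verdict.allowed else 'refuse'} ({verdict.reason})")
```

A check on a path is only as good as the directory above it: if a non-root user can write to the handler directory, the file can be replaced between the check and the execution, so the directory needs the same ownership check.
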
------------------------------------<diff>-------------------------------------------
Title: Linux remote alert handlers not running under non-root user
Class: fix
Compatible: compat
Component: agents
Date: 1710234878
Edition: cee
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
In the ruleset <em>Remote alert handlers (Linux)</em>, you have to specify
a user under that the remote alert handler will be executed on agent side.
This user is set to <em>root</em> by default, but it's possible to
choose
an arbitrary user.
But, when choosing a non-root user, the alert handlers previously
failed to execute, because the handler files got deployed with root-ownership
and were not readable by others.
To fix the problem, the ownership of the files now get changed to the specified
user.
Security note:
In general, it's important that all internal files of the Checkmk
agent have root ownership, as they might be read/executed by the Checkmk agent
under root.
However, this is not the case for remote alert handlers, as they
always get executed under the specified user.
As an additional security measure, the dispatcher on agent side
checks the ownership of installed remote alert handlers, and refuses to execute
non-root owned handlers when called via SSH with root rights.
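Review bot: in the unchanged body, the first paragraph's "a user under that the remote alert handler will be executed" should read "a user under which ...", and "the ownership of the files now get changed" should be "now gets changed"; since the werk is being touched anyway for the `Version:` bump (2.2.0p25 to 2.2.0p26), these could go in with it. The security note would also be clearer if it said how the refusal surfaces to the operator, for example whether the dispatcher logs it or returns an error over SSH, since the text only says it "refuses to execute".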