ID: 0978
Title: Fix security issue with mk-job on Linux
Component: Checks & Agents
Level: 2
Class: Incompatible Change
Version: 1.2.5i3
By using symlinks or hardlinks, normal users could inject files to be read
with root permissions. This was because <tt>/var/lib/check_mk_agent/job</tt>
was installed with the permissions <tt>1777</tt>, just like <tt>/tmp</tt>.
That way a normal user could place a symlink there pointing to a file that is
only readable by <tt>root</tt>. The content of that file would then appear in
the agent output.

This has been fixed by no longer using <tt>/var/lib/check_mk_agent/job</tt>
directly, but by creating a separate subdirectory below it for each user.
This is done by a new version of <tt>/usr/bin/mk-job</tt>, so if you update
the agent, please make sure that you also update <tt>mk-job</tt>.

You now also have to create job subdirectories for non-<tt>root</tt> jobs
manually.
If you have a job running as user <tt>foo</tt>, then do:
C+:
RP:mkdir -p /var/lib/check_mk_agent/job/foo
RP:chown foo.foo /var/lib/check_mk_agent/job/foo
C-:
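
To check a host after the update, the following added example (not part of the original werk or of the Check_MK code) audits the job directory for the conditions described above: a world-writable job directory, symlinks, hardlinked files, and per-user subdirectories with the wrong owner. The function name <tt>audit_job_dir</tt> is hypothetical, GNU <tt>find</tt> and <tt>stat</tt> are assumed, and the rule that each subdirectory is owned by the user it is named after is an assumption taken from the <tt>foo</tt> example.

```shell
#!/bin/sh
# Added example: audit a mk-job state directory for the conditions in this werk.
# Usage: audit_job_dir /var/lib/check_mk_agent/job
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_job_dir() {
    dir=$1
    out=$(
        # Pre-fix layout: the job directory itself is world-writable (mode 1777).
        find "$dir" -maxdepth 0 -perm -0002 -exec echo WORLD-WRITABLE {} \;
        # A symlink here can point at a file that only root may read.
        find "$dir" -type l -exec echo SYMLINK {} \;
        # A regular file with more than one link may be a hardlink to another file.
        find "$dir" -type f -links +1 -exec echo HARDLINK {} \;
        # Assumption: each per-user subdirectory is named after, and owned by, its user.
        for sub in "$dir"/*/; do
            [ -d "$sub" ] || continue
            sub=${sub%/}
            [ -L "$sub" ] && continue      # symlinks were already reported above
            owner=$(stat -c %U "$sub")
            [ "$owner" = "$(basename "$sub")" ] || echo "OWNER-MISMATCH $sub owner=$owner"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

A <tt>WORLD-WRITABLE</tt> finding on the job directory itself means the old <tt>1777</tt> layout is still in place.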