Wir nutzen Cookies, um Ihnen eine optimale Nutzung dieser Webseite zu ermöglichen. Mehr Informationen finden Sie im Datenschutzhinweis. Wir nehmen an, dass Sie damit einverstanden sind, falls Sie diese Webseite weiter besuchen.

Ihre Cookie-Einstellungen
Ihre Einstellungen wurden aktualisiert.
Damit die Änderungen wirksam werden, löschen Sie bitte Ihre Browser-Cookies und den Cache und laden dann die Seite neu.

Werk #7344: Changing all setuid root binaries to use linux capabilities

KomponenteCore & Setup
TitelChanging all setuid root binaries to use linux capabilities
Datum2019-05-03 08:02:39
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version1.6.0b1
LevelProminent Change
KlasseSecurity Fix
KompatibilitätKompatibel - benötigt kein manuelles Eingreifen

In Linux there is the option to give a binary a SETUID bit. This bit gives the processes created by the binary all privileges of the binary file owner. There is also a more advanced concept called "linux capabilities" which makes it possible to give these processes only a specific set of permissions.

In past versions Check_MK used SETUID root binaries in several places for different reasons.

  • check_dhcp / check_icmp: Active check plugins which need this permission to be able to open their raw sockets for sending and receiving their packets.
  • bin/mkeventd_open514: Open SNMP trap or sylog ports for receiving messages.
  • lib/cmc/icmpsender / lib/cmc/icmpreceiver: CEE/CME only: Open raw sockets for sending and receiving packets.

SETUID root binaries are problematic in terms of security, because they could be used for getting root privileges in case an attacker finds an attackable security flaw in them. Once exploited the attacker would gain full root access on the Check_MK system.

Because all of these binaries need the privilege for a very specific known reason, we have now removed the SETUID bit from these binaries and are now setting individual linux capabilities to them.

The capabilities have the advantage that they don't give full root access to the processes created with the binary. Instead they give only a defined set of permissions.