
Werk #0978: Fix security issue with mk-job on Linux

Component: Checks & Agents
Title: Fix security issue with mk-job on Linux
Date: 2014-05-26 10:34:20
Checkmk Edition: Checkmk Raw Edition (CRE)
Checkmk Version: 1.2.5i3
Level: Prominent Change
Class: Security Fix
Compatibility: Incompatible - Manual interaction might be required

By using symlinks or hardlinks, normal users could inject files to be read with root permissions. This was because /var/lib/check_mk_agent/job was installed with the permissions 1777, just like /tmp. A normal user could therefore have placed a symlink there that points to a file readable only by root. The content of that file would then appear in the agent output.

This has been fixed by no longer using /var/lib/check_mk_agent/job directly, but by creating a separate subdirectory below it for each user. This is done by a new version of /usr/bin/mk-job, so if you update the agent, please make sure that you also update mk-job.

Also you now have to create job subdirectories for non-root jobs manually. If you have a job running as user foo, then do:

root@linux# mkdir -p /var/lib/check_mk_agent/job/foo
root@linux# chown foo:foo /var/lib/check_mk_agent/job/foo

If you update the Check_MK Agent with an RPM/DEB package from the new agent bakery, or with an RPM/DEB package built from the source code with make rpm or make deb, then the permissions of /var/lib/check_mk_agent/job are fixed automatically.

If you have installed the agent manually then please make sure that the permissions of the job directory are set properly:

root@linux# chmod 755 /var/lib/check_mk_agent/job
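
To verify a host after the update, the following audit script checks the job directory for the conditions described above. It is an added example, not part of the original Werk or of Checkmk. It assumes GNU find (Linux) and that each per-user subdirectory is named after the user who owns it; the function names and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the mk-job directory layout described in this Werk.
# Assumptions: GNU find; per-user subdirectories are named after their owner.

# Print one line per finding below the given job directory.
job_dir_findings() {
    dir=$1
    # Old layout: mode 1777. The Werk asks for 755 (no group/other write).
    find "$dir" -maxdepth 0 -perm /022 \
        -printf 'WRITABLE %p has mode %m, expected 755\n'
    # Symlinks let the reader of the job files follow a path chosen
    # by whoever created the link.
    find "$dir" -mindepth 1 -type l -printf 'SYMLINK %p -> %l\n'
    # A job file with more than one link is also reachable under
    # another name, which is how the hardlink variant shows up.
    find "$dir" -mindepth 1 -type f -links +1 \
        -printf 'HARDLINK %p has %n links\n'
    # Each subdirectory must belong to the user it is named after.
    find "$dir" -mindepth 1 -maxdepth 1 -type d -printf '%f %u\n' |
    while read -r name owner; do
        [ "$name" = "$owner" ] ||
            echo "OWNER $dir/$name is owned by $owner, expected $name"
    done
}

# Return 0 if the directory is clean, 1 if there are findings,
# 2 if the directory does not exist.
audit_job_dir() {
    dir=${1:-/var/lib/check_mk_agent/job}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    out=$(job_dir_findings "$dir")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage (as root): audit_job_dir /var/lib/check_mk_agent/job
```

Any SYMLINK or HARDLINK finding should be checked before the agent runs again, because the agent output may already have included the linked file.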