Werk #978: Fix security issue with mk-job on Linux

Component Checks & agents
Title Fix security issue with mk-job on Linux
Date May 26, 2014
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 1.2.5i3
Level Prominent Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required

By placing symlinks or hardlinks, normal users could cause arbitrary files to be read with root permissions. The cause was that /var/lib/check_mk_agent/job was installed with the permissions 1777, just like /tmp. Any local user could therefore put a symlink (or a hardlink) there pointing to a file that is only readable by root; the agent, running as root, would read it as a job result and the file's content would appear in the agent output.

This has been fixed by no longer using /var/lib/check_mk_agent/job directly, but by creating a separate subdirectory below it for each user. This is done by a new version of /usr/bin/mk-job, so if you update the agent, make sure that you also update mk-job.

Also, you now have to create the per-user job subdirectories for non-root jobs manually. If you have a job running as user foo, then create its subdirectory below the job directory and hand it to that user:

root@linux:~# mkdir -p /var/lib/check_mk_agent/job/foo
root@linux:~# chown foo:foo /var/lib/check_mk_agent/job/foo

If you update the Check_MK Agent with RPM/DEB packages from the new agent bakery, or with an RPM/DEB created from the source code with make rpm or make deb, then the permissions of /var/lib/check_mk_agent/job are fixed automatically.

If you have installed the agent manually, then please make sure that the permissions of the job directory are set properly (0755, so that it is no longer world-writable and no longer carries the sticky bit):

root@linux:~# chmod 755 /var/lib/check_mk_agent/job
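The following script is an added example for checking and performing the migration described above; it is not part of the Checkmk agent or of mk-job. It assumes GNU coreutils (stat -c) and takes the job root as a parameter so it can be exercised against a scratch directory instead of the real /var/lib/check_mk_agent/job. It tightens the job root to 0755, creates the per-user subdirectory, and lists the symlinks and hardlinks in a job directory that the old agent would have followed as root.

```shell
#!/bin/sh
# Audit and migration helper for the mk-job directory layout of Werk #978.
# Added example, not Checkmk code. Assumptions: GNU stat (-c), and a job root
# passed explicitly (the real one is /var/lib/check_mk_agent/job).

# Print the octal permission bits of a path, e.g. 1777 or 755.
path_mode() {
    stat -c '%a' "$1"
}

# Return 0 if the job root has the fixed layout: a real directory with mode 0755
# (no sticky bit, not world-writable), as required since Werk #978.
job_root_ok() {
    root="$1"
    if [ ! -d "$root" ] || [ -L "$root" ]; then
        return 1
    fi
    [ "$(path_mode "$root")" = "755" ]
}

# Bring the job root to 0755, the step the werk gives for manually installed agents.
fix_job_root() {
    root="$1"
    mkdir -p "$root"
    chmod 755 "$root"
}

# Create the per-user subdirectory that the new mk-job expects for jobs run as $2
# (the werk's "mkdir -p .../job/foo; chown foo:foo .../job/foo"). The chown is only
# attempted if the account exists on this host; the group is taken from the account's
# primary group so the call also works when that group is not named like the user.
make_user_jobdir() {
    root="$1"
    user="$2"
    dir="$root/$user"
    mkdir -p "$dir"
    if id "$user" >/dev/null 2>&1; then
        chown "$user:$(id -gn "$user")" "$dir"
    fi
    chmod 755 "$dir"
}

# List entries directly inside a job directory that would have let the old,
# root-running agent read foreign files: symbolic links (printed with their target)
# and regular files with more than one hard link.
unsafe_job_entries() {
    dir="$1"
    for f in "$dir"/* "$dir"/.[!.]*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "symlink: $f -> $(readlink "$f")"
        elif [ -f "$f" ] && [ "$(stat -c '%h' "$f")" -gt 1 ]; then
            echo "hardlink: $f"
        fi
    done
}

# Usage: mkjob_audit.sh JOB_ROOT USER
# Fixes the root's permissions, creates the user's subdirectory and reports
# suspicious entries left in the old flat layout.
if [ "$#" -eq 2 ]; then
    fix_job_root "$1"
    make_user_jobdir "$1" "$2"
    unsafe_job_entries "$1"
fi
```

Run it as root on the monitored host with the real job directory and the job's user, then review any symlink or hardlink it reports before deleting it: each one is a file an unprivileged user planted to be read with root permissions.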
