Skip to content
Permalink
Browse files

Fix security issue with mk-job on Linux

By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt>
was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way
a normal user could have placed a symlink to a file there that is only readable
by <tt>root</tt>. The content of that file would then appear in the agent output.

This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly,
but by creating a separate subdirectory below that for each user. This is done by
a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update
the agent that you also update <tt>mk-job</tt>.

Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually.
If you have a job running as user <tt>foo</tt>, then do:

C+:
RP:mkdir -p /var/lib/check_mk_agent/job
RP:chown foo.foo /var/lib/check_mk_agent/job
C-:
  • Loading branch information...
MathiasKettner committed May 26, 2014
1 parent a495387 commit a2ef8d00c53ec9cbd05c4ae2f09b50761130e7ce
Showing with 50 additions and 6 deletions.
  1. +26 −0 .werks/978
  2. +2 −0 ChangeLog
  3. +13 −3 agents/check_mk_agent.linux
  4. +8 −2 agents/mk-job
  5. +1 −1 check_mk.spec
@@ -0,0 +1,26 @@
Title: Fix security issue with mk-job on Linux
Level: 2
Component: checks
Version: 1.2.5i3
Date: 1401093260
Class: incomp

By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt>
was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way
a normal user could have placed a symlink to a file there that is only readable
by <tt>root</tt>. The content of that file would then appear in the agent output.

This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly,
but by creating a separate subdirectory below that for each user. This is done by
a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update
the agent that you also update <tt>mk-job</tt>.

Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually.
If you have a job running as user <tt>foo</tt>, then do:

C+:
RP:mkdir -p /var/lib/check_mk_agent/job
RP:chown foo.foo /var/lib/check_mk_agent/job
C-:

@@ -56,6 +56,8 @@
NOTE: Please refer to the migration notes!
* 0920 blade_bays: now also detects if blade server is switched off
* 0977 check_traceroute: new active check for checking presence and absence of routes...
* 0978 Fix security issue with mk-job on Linux...
NOTE: Please refer to the migration notes!
* 0777 FIX: special agent emcvnx: did not work with security file authentication...
* 0786 FIX: zfsget: fixed compatibility with older Solaris agents...
* 0809 FIX: brocade_fcport: Fixed recently introduced problem with port speed detection
@@ -495,10 +495,20 @@ then
done
fi

# Get statistics about monitored jobs
if cd /var/lib/check_mk_agent/job; then
# Get statistics about monitored jobs. Below the job directory there
# is a sub directory per user that ran a job. That directory must be
# owned by the user so that a symlink or hardlink attack for reading
# arbitrary files can be avoided.
if pushd /var/lib/check_mk_agent/job >/dev/null; then
echo '<<<job>>>'
head -n -0 -v *
for username in *
do
if [ -d "$username" ] && cd "$username" ; then
su "$username" -c "head -n -0 -v *"
cd ..
fi
done
popd > /dev/null
fi

# Gather thermal information provided e.g. by acpi
@@ -39,12 +39,18 @@ if [ $# -lt 2 ]; then
exit 1
fi

OUTPUT_PATH=/var/lib/check_mk_agent/job
MYSELF=$(id -nu)
OUTPUT_PATH=/var/lib/check_mk_agent/job/$MYSELF
IDENT=$1
shift

if [ ! -d "$OUTPUT_PATH" ]; then
mkdir -p "$OUTPUT_PATH"
if [ "$MYSELF" = root ] ; then
mkdir -p "$OUTPUT_PATH"
else
echo "ERROR: Missing output directory $OUTPUT_PATH for non-root user '$MYSELF'." >&2
exit 1
fi
fi

if ! type $1 >/dev/null 2>&1; then
@@ -197,7 +197,7 @@ rm -rf $RPM_BUILD_ROOT
%dir /usr/lib/check_mk_agent/local
%dir /usr/lib/check_mk_agent/plugins
%dir /var/lib/check_mk_agent
%dir %attr(1777,-,-)/var/lib/check_mk_agent/job
%dir /var/lib/check_mk_agent/job

%files agent-scriptless
%config(noreplace) /etc/xinetd.d/check_mk

0 comments on commit a2ef8d0

Please sign in to comment.
You can’t perform that action at this time.