hi Bas,

On Sun, Nov 25, 2007 at 12:21:17PM +0100, Bas van Schaik wrote:
> I'm sorry, I should have been a little bit more clear about this. The
> zabbix_agentd process runs as zabbix:zabbix indeed, but the so called
> "UserParameter" scripts run with user:group zabbix:root. Or at least,
> this is the output of such a script calling `id`:
> > uid=110(zabbix) gid=111(zabbix) groups=0(root)
> Where is the 'root' group coming from? The user 'zabbix' certainly is
> _not_ in the group 'root' on my servers!

i think this is due to the fact that the zabbix_agentd process only uses
setuid/setgid to drop its privileges. Now i think on linux, if setuid is
invoked from an user with uid 0, the old uid/gid is saved to the saved
set-uid/gid.

The agent uses popen in order to execute the UserCommands. I think popen just
as exec* resets the gid to the saved-set-gid, which is then 0, thus the
executed programm ends up with gid set to root.

Not sure if this is actually wanted by the zabbix devs, im going to have a talk
about this with upstream.

bye,
        - michael



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to