Hi Thijs,

On Thu, Nov 29, 2007 at 10:02:18AM +0100, Thijs Kinkhorst wrote:
> On Wed, November 28, 2007 17:48, Michael Ablassmeier wrote:
> > to be a bit more specific about this:
> >
> > a privileged user (root) may configure a UserParameter like this one in
> > /etc/zabbix/zabbix-agentd.conf (hard core example):
> >
> >
> > UserParameter=cat[*],cat $1
>
> Thank you for contacting us about it. It's definitely a bug which should
> be fixed, but I'm trying to assess whether it's severe enough to warrant a
> DSA.

I'm not sure either ..

> Zabbix is a monitoring tool. I would therefore assume that zabbix' users
> already have quite a level of implied trust; it's not quite common that a
> random user has access to zabbix and can execute commands, right? Or am I
> missing something?

Well, it's not like random users have access to the zabbix frontend, that's right.
So they indeed have a good level of trust (or should have). However, it's still
possible for them to root remote machines, given the fact the zabbix admin
gives them access to the item configuration and there is a flexible user
parameter ..

If you guys decide it's not worth a DSA, I'm going to upload a fixed version to
stable-proposed-updates - or something.

bye,
- michael
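
An added example, not part of the original message and not Zabbix code: a small Python audit that lists flexible UserParameter entries (key ending in `[*]`) whose command embeds caller-supplied positional arguments, as the `cat[*]` entry quoted above does. The sample configuration is constructed, and treating `$$N` as an escaped literal `$N` is an assumption about the agent's parameter syntax.

```python
import re

# Constructed sample config; only the cat[*] line comes from the thread above.
SAMPLE_CONF = """\
# zabbix-agentd.conf (constructed sample)
Server=192.0.2.10
UserParameter=cat[*],cat $1
UserParameter=mysql.ping,mysqladmin ping | grep -c alive
UserParameter=disk.used[*],df -P "$1" | awk 'NR==2 {print $$3}'
# UserParameter=old[*],echo $1
"""

# $1..$9 references; a doubled dollar ($$3) is assumed to be an escaped literal.
POSITIONAL = re.compile(r"(?<!\$)\$([1-9])")


def audit_user_parameters(conf_text):
    """Return one finding per flexible UserParameter that passes
    caller-supplied arguments into its command line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition("=")
        if not sep or name.strip() != "UserParameter":
            continue  # some other directive
        key, comma, command = value.partition(",")
        key = key.strip()
        if not comma or not key.endswith("[*]"):
            continue  # malformed entry, or a fixed key that takes no arguments
        refs = sorted(set(POSITIONAL.findall(command)))
        if refs:
            findings.append({
                "line": lineno,
                "key": key,
                "command": command.strip(),
                "args": ["$" + r for r in refs],
            })
    return findings


if __name__ == "__main__":
    for f in audit_user_parameters(SAMPLE_CONF):
        print(f"line {f['line']}: {f['key']} passes {', '.join(f['args'])} "
              f"into: {f['command']}")
```

Each finding is an entry to review against who is allowed to edit item configuration in the frontend, since those users choose the argument values.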