Bug#452682: zabbix - zabbix-agent: UserParameters are executed with gid 0

On Thursday 29 November 2007 10:21, Michael Ablassmeier wrote:
> well, it's not like random users have access to the zabbix frontend, that's
> right. So they indeed have a good level of trust (or should have). However,
> it's still possible for them to root remote machines, given the fact the
> zabbix admin gives them access to the item configuration and there is a
> flexible user parameter ..

This is CVE id CVE-2007-6210, please reference it in any changelogs and
announcements. Could you also ask upstream to put it into their changelog and
announcement?

The DSA is ready, except for some buildd issues.

Thijs
Bug#452682: zabbix - zabbix-agent: UserParameters are executed with gid 0

Hi Michael,

On Wed, November 28, 2007 17:48, Michael Ablassmeier wrote:
> to be a bit more specific about this: a privileged user (root) may configure
> a UserParameter like this one in /etc/zabbix/zabbix-agentd.conf (hard core
> example):
>
> UserParameter=cat[*],cat $1

Thank you for contacting us about it. It's definitely a bug which should be
fixed, but I'm trying to assess whether it's severe enough to warrant a DSA.

Zabbix is a monitoring tool. I would therefore assume that zabbix' users
already have quite a level of implied trust; it's not quite common that a
random user has access to zabbix and can execute commands, right? Or am I
missing something?

thanks,
Thijs
Bug#452682: zabbix - zabbix-agent: UserParameters are executed with gid 0

hi Thijs,

On Thu, Nov 29, 2007 at 10:02:18AM +0100, Thijs Kinkhorst wrote:
> On Wed, November 28, 2007 17:48, Michael Ablassmeier wrote:
> > to be a bit more specific about this: a privileged user (root) may
> > configure a UserParameter like this one in /etc/zabbix/zabbix-agentd.conf
> > (hard core example):
> >
> > UserParameter=cat[*],cat $1
>
> Thank you for contacting us about it. It's definitely a bug which should be
> fixed, but I'm trying to assess whether it's severe enough to warrant a DSA.

I'm not sure either ..

> Zabbix is a monitoring tool. I would therefore assume that zabbix' users
> already have quite a level of implied trust; it's not quite common that a
> random user has access to zabbix and can execute commands, right? Or am I
> missing something?

well, it's not like random users have access to the zabbix frontend, that's
right. So they indeed have a good level of trust (or should have). However,
it's still possible for them to root remote machines, given the fact the
zabbix admin gives them access to the item configuration and there is a
flexible user parameter ..

If you guys decide it's not worth a DSA, I'm going to upload a fixed version
to stable-proposed-updates - or something.

bye,
- michael
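As an added example (not code from this bug thread or from Zabbix), a small audit script for the situation Michael describes: it lists the flexible UserParameters (the `key[*]` form, whose arguments a frontend item editor chooses) in an agent config and checks whether a running agent still has gid 0. The sample config, the `zabbix_agentd` process name and GNU procps `ps -C` are assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug thread or from Zabbix. It audits an
# agent config for flexible UserParameters (the "key[*]" form, which hands
# frontend-chosen arguments to the command) and checks whether a running
# agent still has gid 0, the condition CVE-2007-6210 describes.
# Assumptions: key=value config syntax, the process name zabbix_agentd and
# GNU procps "ps -C". The config written below is a constructed sample.

SAMPLE_CONF="${TMPDIR:-/tmp}/zabbix_agentd.sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample in the layout of /etc/zabbix/zabbix-agentd.conf
Server=127.0.0.1
UserParameter=cat[*],cat $1
UserParameter=uptime,uptime
UserParameter=proc.count[*],ps -C $1 -o pid= | wc -l
EOF

# Print the key of every flexible UserParameter in the file given as $1.
# Only the text before the first comma is the key; the command part may
# itself contain commas, so split on the first comma only.
flexible_userparams() {
    sed -n 's/^[[:space:]]*UserParameter=//p' "$1" \
      | awk '{ key = $0; sub(/,.*$/, "", key); if (key ~ /\[\*\]$/) print key }'
}

# Return 0 if a running zabbix_agentd has gid 0, 1 if it has another gid,
# 2 if no such process is found (or this ps has no -C option).
agent_runs_as_gid0() {
    gid=$(ps -o gid= -C zabbix_agentd 2>/dev/null | head -n 1 | tr -d ' ')
    if [ -z "$gid" ]; then
        return 2
    fi
    [ "$gid" = "0" ]
}

# Stand-alone run: report the findings. Keys are read line by line so the
# "[*]" suffix is never subjected to shell globbing.
flexible_userparams "$SAMPLE_CONF" | while IFS= read -r key; do
    echo "flexible UserParameter: $key (arguments chosen by the item editor)"
done
agent_runs_as_gid0
case $? in
    0) echo "zabbix_agentd runs with gid 0: user parameters inherit the root group" ;;
    1) echo "zabbix_agentd runs with a non-root gid" ;;
    *) echo "no zabbix_agentd process found" ;;
esac
```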