berngp / docker-zabbix

Docker Container running a Zabbix Server and Zabbix Web UI.

sudo still not working #15

Open JensErat opened 9 years ago

JensErat commented 9 years ago

Although sudo has been added to resolve some issues with "actions that require sudo", it still does not seem to work.

I guess that either it has to be linked somewhere Zabbix is looking for it, or at least the zabbix user has to be added to the sudoers group (however it is called in CentOS).

How to reproduce

Result of operation, probably by running nmap or similar tools.

Actual output

Error message:

sh: sudo: command not found

berngp commented 9 years ago

@JensErat to make this work I did the following:

$ yum install nmap

Then added the zabbix sudoer file at /etc/sudoers.d/zabbix

Defaults:zabbix !requiretty
zabbix    ALL = (ALL)         NOPASSWD: ALL

The above is too permissive but I just wanted to see it running. It should be changed to something like

zabbix    ALL = (root)        NOPASSWD: /usr/bin/nmap -O *

Let me know your thoughts and will push a feature branch.

JensErat commented 9 years ago

By the way, thinking deeper about Zabbix, sudo and nmap, I stumbled over a post, "Reminder of why we don't suid root binaries that read/write to the filesystem.", and I wouldn't be sure that this changed to a reasonable amount until today. I decided not to give Zabbix root privileges, neither general nor through nmap.

For a Zabbix developer setup, providing these might very well be fine, though.

berngp commented 9 years ago

@JensErat thanks for the link! So I'm thinking of two options:

  1. It needs to be documented and mentioned that the image should not be used for production.
  2. Remove zabbix sudo access and document why.

JensErat commented 9 years ago

You could also dump scripts somewhere for enabling such potentially insecure configurations, and document running this if somebody wants to use sudo and nmap.

berngp commented 9 years ago

@JensErat I can keep nmap and sudo but instead of enabling zabbix as sudoer by default I can create a file in /etc/sudoers.d/zabbix.disabled that serves as an example on how to do so. If someone wants to change it they can just rename the file.

berngp commented 9 years ago

Reopening the issue. Per the discussion above we will not enable the zabbix user as part of the sudoers. We will create the /etc/sudoers.d/zabbix.disabled file and if needed the user will have to explicitly call a flag through the ENTRYPOINT to enable it before starting Zabbix.
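
The opt-in flow described in this comment, sketched as an added shell example that is not part of the thread or the image's own code. The `ZABBIX_ENABLE_SUDO` variable and the `enable_zabbix_sudo` function are assumed names; the example relies on sudo skipping drop-ins in `/etc/sudoers.d` whose file name contains a `.`, which is why `zabbix.disabled` stays inert until it is copied to `zabbix`.

```shell
#!/bin/sh
# Added example: activate the zabbix sudoers drop-in only on explicit request.
# ZABBIX_ENABLE_SUDO and enable_zabbix_sudo are hypothetical names.

# enable_zabbix_sudo DIR
# Returns 0 if the rule was activated, 1 if left disabled, 2 if refused.
enable_zabbix_sudo() {
    dir=$1
    src="$dir/zabbix.disabled"   # ignored by sudo: the name contains a '.'
    dst="$dir/zabbix"

    # Default is "no sudo for zabbix" unless the operator opts in.
    [ "${ZABBIX_ENABLE_SUDO:-0}" = "1" ] || return 1
    [ -f "$src" ] || return 2

    # Refuse the blanket grant the thread calls too permissive.
    # This does not judge whether a narrower rule (e.g. nmap) is safe.
    if grep -Eq '^[[:space:]]*zabbix[[:space:]].*NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$src"; then
        echo "refusing: $src grants NOPASSWD: ALL" >&2
        return 2
    fi

    # Syntax-check when visudo is available; a broken drop-in breaks sudo.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$src" >/dev/null 2>&1 || return 2
    fi

    # Stage under a dotted name (still ignored), fix the mode, then rename.
    cp "$src" "$dst.tmp" && chmod 0440 "$dst.tmp" && mv "$dst.tmp" "$dst" \
        || return 2
}

# In an entrypoint, before starting Zabbix:
#   enable_zabbix_sudo /etc/sudoers.d || true
```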

Surf-Tracer commented 9 years ago

I have a similar problem (zabbix24-agent-2.4.4) after update: sudo: not found. But after /usr/local/etc/rc.d/zabbix_agentd restart everything works fine. When I restart my server, scripts do not work again.

berngp commented 9 years ago

@Surf-Tracer is that issue related to this image?

Surf-Tracer commented 9 years ago

@berngp Sorry I do not know. I think something yes