opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

Zabbix plugin - root option available in UI but not enabled in code #2646

Closed greggitter closed 2 years ago

greggitter commented 2 years ago

Describe the bug

Marking "Enable sudo root permissions" on the Zabbix Agent in General does not enable root in config file /local/etc/zabbix_agentd.conf. Checking the script, the value appears to be hardcoded (i.e., AllowRoot=0). Manually editing the setting in the file and restarting the zabbix agent solves the issue.

To Reproduce

Steps to reproduce the behavior:

  1. Verify settings in the config file mentioned above.
  2. Mark Enable sudo root permissions on the UI form, save changes.
  3. Verify the config file again and note it has not changed.
  4. OR just look at the script that saves settings and note it's hardcoded instead of referring to the user's choice. I think it's here: /usr/local/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf (if not please advise)

Expected behavior

See above.

Screenshots

N/A

Relevant log files

N/A

Additional context

N/A

Environment

OPNsense 21.7.5 (amd64, OpenSSL) though this doesn't appear to be a new bug as the template hasn't changed for many months.

Thanks.

OPNsense-bot commented 2 years ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

fraenki commented 2 years ago

The option "Enable sudo root permissions" works as intended and its behaviour is documented in the help text:

> When enabled, a sudo rule is created to grant full root access to Zabbix Agent. This may be required for certain checks.

This enables the use of root privileges in User Parameters. So instead of adding a User Parameter with "Command" set to i.e. echo test, you can now set it to sudo echo test and Zabbix Agent will run this command as user root.

> Checking the script, the value appears to be hardcoded (i.e., AllowRoot=0).

This setting is hardcoded on purpose. We do not allow running the Zabbix Agent service as root for security reasons.
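
Added example, not part of the thread or of the plugin's code: a small audit of a zabbix_agentd.conf that reports whether the agent itself may run as root (AllowRoot) and which User Parameters reach root through sudo instead. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample, not copied from an OPNsense installation.
SAMPLE_CONF = """\
# Zabbix Agent configuration (constructed sample)
Server=192.0.2.10
AllowRoot=0
UserParameter=custom.echo,echo test
UserParameter=custom.root.echo,sudo echo test
UserParameter=custom.proc[*],sudo pgrep -x "$1"
"""


def parse_conf(text):
    """Yield (key, value) pairs from Key=Value lines, skipping comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip(), value.strip()


def audit(text):
    """Report how root privileges are reachable from this agent config."""
    allow_root = 0  # Zabbix default when AllowRoot is absent
    sudo_params = []
    findings = []
    for key, value in parse_conf(text):
        if key == "AllowRoot":
            allow_root = int(value)
        elif key == "UserParameter" and "," in value:
            item, command = value.split(",", 1)
            # sudo as a command word anywhere in the shell line
            if re.search(r"(^|[\s;&|(])sudo\s", command):
                sudo_params.append(item)
                # $1..$9 are filled from the item key's parameters
                if re.search(r"\$[1-9]", command):
                    findings.append(f"{item}: sudo command takes item key arguments")
    if allow_root == 1:
        findings.append("AllowRoot=1: the whole agent process runs as root")
    return {"allow_root": allow_root, "sudo_params": sudo_params,
            "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

With AllowRoot=0 the list of sudo-prefixed User Parameters is the complete set of commands the agent can run as root, which makes it the list to review.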

fraenki commented 2 years ago

I've updated the help text in https://github.com/opnsense/plugins/pull/2670/commits/18268e266bafa5b6b6296616c627b3bbe84dbbcc to be more clear on this.

greggitter commented 2 years ago

Well, I can tell you Zabbix is unable to check if processes are active WITHOUT setting the AllowRoot parameter to 1. OK, I'll take a look at the other side, not sure how to issue a sudo command from the server side. Thanks.

fraenki commented 2 years ago

You need to set two Tunables in System: Settings: Tunables so that Zabbix Agent can see other processes:

security.bsd.see_other_gids [1->0] | Unprivileged processes may see subjects/objects with different real gid
security.bsd.see_other_uids [1->0] | Unprivileged processes may see subjects/objects with different real uid

https://docs.opnsense.org/troubleshooting/hardening.html?highlight=see_other_uids#user-group-separation-security-bsd

greggitter commented 2 years ago

Excellent, thanks!