Created attachment 492256
zabbix-server.init

The zabbix init scripts give ownership of their PID file directories to the "zabbix" user:

  start_pre() {
      checkpath -d -m 0775 -o zabbix:zabbix /run/zabbix
  }

This can be exploited by the "zabbix" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of that PID file (which "zabbix" controls). This can be used to e.g. reboot the system, or kill off your firewall.

The PID file setting for the server is contained in the configuration file, and is not overridable on the command-line, which makes things a little annoying. The simplest thing you can do is run zabbix in the foreground and let OpenRC background it and manage the PID file. I'm attaching an example init script that does that -- but beware, you will need to comment out the "PidFile" entry in the zabbix server config.

The other Zabbix services (agent, ...) can probably be handled similarly.
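An added example, not part of the bug report or of the Gentoo init scripts: a shell function that flags a PID-file directory such as /run/zabbix when an account other than root owns it or can write to it through group or world permission bits. The function name and its optional trusted uid/gid arguments are assumptions made for illustration, and it relies on `stat -c` as provided by GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example (not from the bug report): flag a PID-file directory that an
# account other than the trusted one can write to. Assumes GNU/busybox stat.

# audit_pid_dir DIR [TRUSTED_UID] [TRUSTED_GID]
# Prints one line per finding. Returns 0 if only the trusted uid/gid can
# write to DIR, 1 if someone else can, 2 if DIR is not a directory.
audit_pid_dir() {
    dir=$1 trusted_uid=${2:-0} trusted_gid=${3:-0} rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }

    uid=$(stat -c %u "$dir")
    gid=$(stat -c %g "$dir")
    mode=$(stat -c %a "$dir")          # octal, e.g. 775 or 1777

    # The last two octal digits are the group and other permission triplets.
    rest=${mode%?}
    other=${mode#"$rest"}
    group=${rest#"${rest%?}"}

    # Case from the report: checkpath -o zabbix:zabbix makes zabbix the owner.
    if [ "$uid" != "$trusted_uid" ]; then
        echo "$dir: owned by uid $uid, not $trusted_uid"
        rc=1
    fi
    # Mode 0775 also lets every member of the owning group replace the file.
    case $group in
        2|3|6|7)
            if [ "$gid" != "$trusted_gid" ]; then
                echo "$dir: writable by gid $gid (mode $mode)"
                rc=1
            fi ;;
    esac
    case $other in
        2|3|6|7) echo "$dir: world-writable (mode $mode)"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh audit_pid_dir.sh /run/zabbix /run/otherdaemon
for d in "$@"; do
    audit_pid_dir "$d"
done
```

With the defaults, a directory created by `checkpath -d -m 0775 -o zabbix:zabbix` is reported twice: once for its owner and once for the group write bit.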
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f27532b104c6463ee4a8897148afe5de949a333

commit 0f27532b104c6463ee4a8897148afe5de949a333
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-02-19 07:46:05 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-02-19 07:46:48 +0000

    package.mask: Mask net-analyzer/zabbix for vulnerabilities

    Bug: https://bugs.gentoo.org/629882
    Bug: https://bugs.gentoo.org/629884
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Created attachment 614602
zabbix-agent.init

Created an init script for zabbix-agent, based on https://bugs.gentoo.org/attachment.cgi?id=492256, doing essentially the same. It requires PidFile in /etc/zabbix/zabbix-agentd.conf to be set to an empty string, otherwise two pid files will be created, one still owned by zabbix:zabbix.
Tests have revealed that unfortunately the same does not work for zabbix-proxy, which requires its own pid file to work and setting PidFile to the empty string in zabbix-proxy.conf does not allow the process to successfully start.
I have to correct myself: Setting PidFile to an empty string in either the agent's or the proxy's configuration file does not actually work, as both components refuse to start in this case. For the agent it works with PidFile=/dev/null but that's not true for at least the proxy, which wants to lock its pid file. I haven't tested the server component but suspect it behaves the same way as the proxy.
Created attachment 615198
zabbix systemd units

FWIW, here are also better systemd units.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dd83ba9636be855abf97ac682cd55be731f0ce2

commit 9dd83ba9636be855abf97ac682cd55be731f0ce2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-02-28 15:01:10 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-02-28 15:02:00 +0000

    net-analyzer/zabbix: bumps + security fixes + rewritten + removed obsolete

    1) many changes and improvements
    2) config directory and files are not writeable by zabbix
    3) creation of pid file disabled in zabbix, using s-s-d instead

    Bug: https://bugs.gentoo.org/629882
    Bug: https://bugs.gentoo.org/709926
    Bug: https://bugs.gentoo.org/629884
    Closes: https://bugs.gentoo.org/665960
    Closes: https://bugs.gentoo.org/670652
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 net-analyzer/zabbix/Manifest | 10 +-
 net-analyzer/zabbix/files/2.2/init.d/zabbix-agentd | 28 -
 net-analyzer/zabbix/files/2.2/init.d/zabbix-proxy | 27 -
 net-analyzer/zabbix/files/2.2/init.d/zabbix-server | 26 -
 .../zabbix/files/2.2/patches/zbx7479.patch | 83 ---
 .../zabbix/files/2.2/patches/zbx8151.patch | 53 --
 net-analyzer/zabbix/files/2.2/zabbix_agent.conf | 81 ---
 net-analyzer/zabbix/files/2.2/zabbix_agentd.conf | 278 ---------
 net-analyzer/zabbix/files/2.2/zabbix_proxy.conf | 519 ----------------
 net-analyzer/zabbix/files/2.2/zabbix_server.conf | 546 -----------------
 net-analyzer/zabbix/files/3.0/init.d/zabbix-agentd | 28 -
 net-analyzer/zabbix/files/3.0/init.d/zabbix-proxy | 27 -
 net-analyzer/zabbix/files/3.0/init.d/zabbix-server | 26 -
 net-analyzer/zabbix/files/3.0/zabbix_agent.conf | 81 ---
 net-analyzer/zabbix/files/3.0/zabbix_agentd.conf | 390 ------------
 net-analyzer/zabbix/files/3.0/zabbix_proxy.conf | 674 ---------------------
 net-analyzer/zabbix/files/3.0/zabbix_server.conf | 635 -------------------
 .../zabbix/files/zabbix-3.0.30-mysql8.patch | 17 +
 .../zabbix-3.0.30-security-disable-PidFile.patch | 49 ++
 ...fix.patch => zabbix-4.0.18-modulepathfix.patch} | 0
 .../zabbix-4.0.18-security-disable-PidFile.patch | 49 ++
 net-analyzer/zabbix/files/zabbix-agentd.init | 20 +
 net-analyzer/zabbix/files/zabbix-agentd.service | 10 +-
 .../zabbix-jmx-proxy => zabbix-jmx-proxy.conf} | 0
 .../zabbix-jmx-proxy => zabbix-jmx-proxy.init} | 0
 net-analyzer/zabbix/files/zabbix-proxy.init | 20 +
 net-analyzer/zabbix/files/zabbix-proxy.service | 8 +-
 net-analyzer/zabbix/files/zabbix-server.init | 19 +
 net-analyzer/zabbix/files/zabbix-server.service | 11 +-
 net-analyzer/zabbix/zabbix-2.2.16-r1.ebuild | 340 -----------
 net-analyzer/zabbix/zabbix-3.0.28.ebuild | 330 ----------
 .../{zabbix-3.4.15.ebuild => zabbix-3.0.30.ebuild} | 204 ++++---
 net-analyzer/zabbix/zabbix-4.0.13.ebuild | 332 ----------
 .../{zabbix-4.2.7.ebuild => zabbix-4.0.18.ebuild} | 207 ++++---
 net-analyzer/zabbix/zabbix-4.4.0-r1.ebuild | 333 ----------
 .../{zabbix-4.4.5.ebuild => zabbix-4.4.6.ebuild} | 204 ++++---
 36 files changed, 523 insertions(+), 5142 deletions(-)
Please review whether the fix is sufficient. Keeping masked for now. I don't know how to add checkpath to systemd, so I'd appreciate either a patch or a direct fix by someone who knows how to do that.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c13d1a00d3372475df99db6c23a90ad0294a3252

commit c13d1a00d3372475df99db6c23a90ad0294a3252
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-03-20 10:08:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-03-20 10:09:02 +0000

    package.mask: unmasked net-analyzer/zabbix

    Bug: https://bugs.gentoo.org/629882
    Bug: https://bugs.gentoo.org/629884
    Bug: https://bugs.gentoo.org/709926
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/package.mask | 7 -------
 1 file changed, 7 deletions(-)
Resetting sanity check; package list is empty or all packages are done.
This issue was resolved and addressed in GLSA 202101-11 at https://security.gentoo.org/glsa/202101-11 by GLSA coordinator Aaron Bauman (b-man).