FS#59307 - [zabbix-server] permission problem with 3.4.11

Attached to Project: Arch Linux
Opened by vince (wins) - Thursday, 12 July 2018, 06:14 GMT
Last edited by Florian Pritz (bluewind) - Thursday, 25 October 2018, 08:01 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Florian Pritz (bluewind)
Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The extra/zabbix-server 3.4.11-1 package has some problems:
can't use fping, can't use snmp traps:
Jul 12 08:49:08 zabbix zabbix_server[1165]: cannot stat SNMP trapper file "/tmp/zabbix_traps.tmp": [2] No such file or directory
ls -la /tmp/zabbix_traps.tmp
-rw-r--r-- 1 root root 1721 Jul 12 08:47 /tmp/zabbix_traps.tmp
Jul 12 09:13:18 catbox zabbix_server[8854]: ping: socket: Operation not permitted

Here is the solution:
Set the directives PrivateDevices=yes and PrivateTmp=yes in the systemd startup file to
PrivateDevices=no
PrivateTmp=no


Closed by  Florian Pritz (bluewind)
Thursday, 25 October 2018, 08:01 GMT
Reason for closing:  Fixed
Comment by Stephen Cox (stephencox) - Thursday, 12 July 2018, 13:47 GMT
Can confirm bug, suggested solution working
Comment by Florian Pritz (bluewind) - Thursday, 19 July 2018, 16:14 GMT
I suggest that you reconfigure the trap file path to something outside /tmp and with proper permissions. Putting files with known names into /tmp is a security risk since you are vulnerable to a symlink race. I'm not quite sure how SNMP works in zabbix, but after reading some docs, it seems that snmptrapd from net-snmp is used. Do you have to configure that manually or does it ship with a config?

As for ping failing, this is due to PrivateDevices=yes, which forces NoNewPrivileges=yes. Sadly this can't be turned off again, so the only choice is to either use something else or remove the option. Bartłomiej?
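Added example, not part of the original thread and not Zabbix or Arch packaging code: a check for the symlink-race exposure described in the comment above, plus an open that refuses to follow a symlink at the trap file's final path component. The function names `audit_trap_file` and `open_for_append` and the trusted-UID set are assumptions made for illustration.

```python
import os
import stat


def audit_trap_file(path, trusted_uids):
    """Return findings that make `path` unsafe as a daemon's trap file."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH:
        # Any local user can create entries here (as in /tmp), so a known
        # file name can be pre-created as a symlink before the daemon uses it.
        findings.append("parent-world-writable")
    elif pst.st_uid not in trusted_uids:
        findings.append("parent-untrusted-owner")
    try:
        st = os.lstat(path)  # lstat inspects the link itself, not its target
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        findings.append("is-symlink")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    elif st.st_mode & stat.S_IWOTH:
        findings.append("file-world-writable")
    if st.st_uid not in trusted_uids:
        findings.append("file-untrusted-owner")
    return findings


def open_for_append(path, mode=0o640):
    """Open the trap file for appending; fail if the last component is a symlink."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)  # raises OSError(ELOOP) on a symlink
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError("not a regular file, or has extra hard links: " + path)
    return fd


if __name__ == "__main__":
    # Constructed example: the path from the report, trusting only root.
    print(audit_trap_file("/tmp/zabbix_traps.tmp", trusted_uids={0}))
```

O_NOFOLLOW only protects the final path component, so the parent directory still has to be one that untrusted users cannot write to.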
Comment by vince (wins) - Tuesday, 24 July 2018, 07:41 GMT
cat /etc/snmp/snmptrapd.conf
authCommunity execute <community>
perl do "/usr/bin/zabbix_trap_receiver.pl";
--
The script "zabbix_trap_receiver.pl" is provided in the original zabbix package. It generates the trap file in a zabbix-readable format.
Comment by Florian Pritz (bluewind) - Tuesday, 24 July 2018, 07:56 GMT
In that case I suggest that you change the SNMPTrapperFile setting in the zabbix server config as well as the script.
Comment by vince (wins) - Tuesday, 24 July 2018, 09:05 GMT
I can change the SNMPTrapperFile location to the zabbix-server homedir. Is that correct?
Comment by Florian Pritz (bluewind) - Tuesday, 24 July 2018, 09:06 GMT
If the trap receiver has permissions to write to that file, that should be fine, yes.
Comment by vince (wins) - Tuesday, 24 July 2018, 09:39 GMT
Comment by vince (wins) - Wednesday, 25 July 2018, 04:34 GMT
I think that the best way to do this is to redefine TmpDir= in the zabbix-server config to the zabbix homedir.
Comment by Florian Pritz (bluewind) - Sunday, 05 August 2018, 16:36 GMT
Can you check if pinging works if you add the following line to the service?
CapabilityBoundingSet=CAP_NET_RAW
Comment by Florian Pritz (bluewind) - Tuesday, 23 October 2018, 21:18 GMT
This should be fixed with the 4.0 package. Can you check?
Comment by vince (wins) - Thursday, 25 October 2018, 08:00 GMT
Hi!
I changed the location of the snmp-trapper file from /tmp to ~zabbix-server.
Everything is ok ;)
