FS#60113 - [zabbix-server] cannot execute fping due to NoNewPrivs
Attached to Project: Arch Linux
Opened by Michal Svoboda (pht) - Tuesday, 18 September 2018, 17:24 GMT
Last edited by Florian Pritz (bluewind) - Tuesday, 06 November 2018, 09:23 GMT
Details
Hello,
Description:
After [some] recent upgrade zabbix couldn't test reachability of network devices via icmp ping, which is quite an important feature. The error in logs was:

fping failed: /usr/sbin/fping: can't create socket (must run as root?)

Despite fping having the necessary privileges (either via suid or filecap).

I tracked down the problem to the fact that the zabbix server is running with the NoNewPrivs flag set to true (see http://man7.org/linux/man-pages/man2/prctl.2.html), which prevents the pinger process and its children from gaining extra privileges even though fping is suid and/or has fcaps.

This flag is set by systemd, as documented in https://www.freedesktop.org/software/systemd/man/systemd.exec.html
This is due to 1) the unit file contains PrivateDevices=yes and 2) as documented, NoNewPrivileges=yes is implied.

To quick fix the issue I've edited the unit file to have PrivateDevices=no and the problem disappeared. Perhaps a better fix could be PrivateDevices=yes and NoNewPrivileges=no if supported by systemd, or something else entirely (possibly upstream escalation). As mentioned, device reachability monitoring in zabbix is quite an important feature to keep available.

Thanks
Michal

Additional info:
* package version(s)
extra/zabbix-server 3.4.13-1

Another user references the same issue in bbs https://bbs.archlinux.org/viewtopic.php?id=239631

Steps to reproduce:
Run zabbix server with newest packages installed.
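A diagnostic sketch for the condition described in the report above, added here as an example and not part of the original report or of the Arch package: it reads the NoNewPrivs field from a /proc/<pid>/status file (exported since Linux 4.10) and checks whether the helper binary depends on the setuid bit or on file capabilities. The function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not from zabbix or systemd.

# Print the NoNewPrivs value (0 or 1) from a file in /proc/<pid>/status format.
# Fails if the field is absent (kernels older than 4.10 do not export it).
nnp_from_status() {
    awk '$1 == "NoNewPrivs:" { print $2; found = 1 } END { exit !found }' "$1"
}

# Print how a binary would gain privileges at exec time: setuid, filecaps or none.
# Returns 0 when it depends on such a gain, 1 otherwise.
exec_priv_source() {
    bin=$1
    [ -u "$bin" ] && { echo setuid; return 0; }
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null) || caps=
        [ -n "$caps" ] && { echo filecaps; return 0; }
    fi
    echo none
    return 1
}

# Combine both checks. Exit status: 0 = fine, 1 = helper will be denied its
# privileges, 2 = NoNewPrivs state could not be determined.
diagnose() {
    status_file=$1
    bin=$2
    nnp=$(nnp_from_status "$status_file") || {
        echo "unknown: no NoNewPrivs field in $status_file"
        return 2
    }
    src=$(exec_priv_source "$bin") || true
    if [ "$nnp" = 1 ] && [ "$src" != none ]; then
        echo "blocked: NoNewPrivs=1, so the $src privileges of $bin are ignored on exec"
        return 1
    fi
    echo "ok: NoNewPrivs=$nnp, privilege source of $bin: $src"
}

# Example call (the PID is whatever the running zabbix_server process has):
#   diagnose "/proc/<pid>/status" /usr/sbin/fping
```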
Comment by Florian Pritz (bluewind) - Thursday, 27 September 2018, 09:38 GMT
Comment by Florian Pritz (bluewind) - Tuesday, 23 October 2018, 21:17 GMT
Please try updating to fping 4.0-2 and zabbix-server/zabbix-proxy
3.4.14-3 and check if that fixes your issue.
Status?