Skip to content
This repository has been archived by the owner on Sep 17, 2021. It is now read-only.

sudo still not working #15

Open
JensErat opened this issue Mar 6, 2015 · 9 comments
Open

sudo still not working #15

JensErat opened this issue Mar 6, 2015 · 9 comments

Comments

@JensErat
Copy link
Contributor

JensErat commented Mar 6, 2015

Although sudo has been added to resolve some issues with "actions that require sudo", it still does not seem to work.

I guess that either it has to be linked somewhere Zabbix is looking for it, or at least the zabbix user added to the sudoers group (however it is called in centos).

How to reproduce

  • Open trigger overview (Monitoring -> Triggers)
  • For any event, click the host name (in "Host" column)
  • Click "Detect operating system"

Expected output

Result of operation, probably by running nmap or similar tools.

Actual output

Error message:

sh: sudo: command not found
@berngp
Copy link
Owner

berngp commented Mar 9, 2015

@JensErat to make this work I did the following:

$yum install nmap

Then added the zabbix sudoer file at /etc/sudoers.d/zabbix

Defaults:zabbix !requiretty
zabbix    ALL = (ALL)         NOPASSWD: ALL

The above is too permissive but I just wanted to see it running. It should be changed to something like

zabbixs   ALL = (root)        NOPASSWD: /usr/bin/nmap -O *

Let me know your thoughts and will push a feature branch.

@berngp berngp closed this as completed in 4f77990 Mar 19, 2015
@JensErat
Copy link
Contributor Author

By the way, thinking deeper about Zabbix, sudo and nmap I stumbled over a post Reminder of why we don't suid root binaries that read/write to the filesystem., and I wouldn't be sure that this changed to a reasonable amount until today. I decided not to give Zabbix root privileges, neither general nor through nmap.

For a Zabbix _developer setup providing these might be very well fine, though.

@berngp
Copy link
Owner

berngp commented Mar 20, 2015

@JensErat thanks for the link! So I am i'm thinking of two options:

  1. it need to be documented and mentioned that the image should not be used for production.
  2. remove zabbix sudo access and document why.

@JensErat
Copy link
Contributor Author

You could also dump scripts somewhere for enabling such potentially insecure configurations, and document running this if somebody wants to use sudo and nmap.

@berngp
Copy link
Owner

berngp commented Mar 20, 2015

@JensErat I can keep nmap and sudo but instead of enabling zabbix as sudoer by default I can create a file in /etc/sudoers.d/zabbix.disabled that serves as an example on how to do so. If someone wants to change it they can just rename the file.

@berngp berngp reopened this Mar 26, 2015
@berngp
Copy link
Owner

berngp commented Mar 26, 2015

Reopening the issue. Per the discussion above we will not enable the zabbix user as part of the sudoers. We will create the /etc/sudoers.d/zabbix.disabled file and if needed the user will have to explicitly call a flag through the ENTRYPOINT to enable it before starting Zabbix.

@Surf-Tracer
Copy link

I have a similar problem (zabbix24-agent-2.4.4) after update
sudo: not found
But after
/usr/local/etc/rc.d/zabbix_agentd restart
everything works fine
When I do restart my server. Scripts do not work again.

@berngp
Copy link
Owner

berngp commented Jun 1, 2015

@Surf-Tracer is that issue related with this image?

@Surf-Tracer
Copy link

@berngp Sorry I do not know. I think something yes

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@berngp @JensErat @Surf-Tracer