docker-zabbix

sudo still not working

Open JensErat opened this issue 9 years ago • 9 comments

Although sudo has been added to resolve some issues with "actions that require sudo", it still does not seem to work.

I guess that either it has to be linked somewhere Zabbix is looking for it, or at least the zabbix user has to be added to the sudoers group (whatever it is called in CentOS).

How to reproduce

  • Open trigger overview (Monitoring -> Triggers)
  • For any event, click the host name (in "Host" column)
  • Click "Detect operating system"

Expected output

Result of operation, probably by running nmap or similar tools.

Actual output

Error message:

sh: sudo: command not found

JensErat, Mar 06 '15 22:03

@JensErat to make this work I did the following:

$ yum install nmap

Then added the zabbix sudoer file at /etc/sudoers.d/zabbix

Defaults:zabbix !requiretty
zabbix    ALL = (ALL)         NOPASSWD: ALL

The above is too permissive but I just wanted to see it running. It should be changed to something like:

zabbix    ALL = (root)        NOPASSWD: /usr/bin/nmap -O *

Let me know your thoughts and I will push a feature branch.

berngp, Mar 09 '15 08:03
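The difference between the two sudoers rules quoted above can be checked mechanically. The following is an added example, not part of the original thread or of the docker-zabbix project: a small Python linter whose function name and finding labels are hypothetical, and which assumes single-line user specifications without aliases or line continuations.

```python
import re

# Constructed sample built from the sudoers lines quoted in this thread.
SAMPLE = """\
Defaults:zabbix !requiretty
zabbix    ALL = (ALL)         NOPASSWD: ALL
zabbix    ALL = (root)        NOPASSWD: /usr/bin/nmap -O *
"""

# user  host = (runas)  [TAG:] command[, command...]
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def audit_sudoers(text):
    """Return [(line_no, finding)] for single-line user specifications.

    Assumption: no aliases, no line continuations, no commas inside arguments.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group(3)
        if runas is not None and "ALL" in re.split(r"[\s,:]+", runas):
            findings.append((no, "runas-any"))
        for cmd in m.group(4).split(","):
            path, _, args = TAGS.sub("", cmd.strip()).partition(" ")
            args = args.strip()
            if path == "ALL":
                findings.append((no, "any-command"))
            elif not args:
                # sudoers: a command listed without arguments accepts any arguments
                findings.append((no, "any-args"))
            elif re.search(r"[*?\[]", args):
                # sudoers: argument wildcards also match whitespace, so they span words
                findings.append((no, "arg-wildcard"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_sudoers(SAMPLE):
        print(f"line {no}: {finding}")
```

The narrower rule is still reported: in sudoers a `*` in the argument list matches across word boundaries, so it does not pin the command to a single argument.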

By the way, thinking deeper about Zabbix, sudo and nmap, I stumbled over a post, "Reminder of why we don't suid root binaries that read/write to the filesystem", and I wouldn't be sure that this changed to a reasonable amount until today. I decided not to give Zabbix root privileges, neither general nor through nmap.

For a Zabbix _developer_ setup, providing these might very well be fine, though.

JensErat, Mar 20 '15 14:03

@JensErat thanks for the link! So I'm thinking of two options:

  1. It needs to be documented and mentioned that the image should not be used for production.
  2. Remove zabbix sudo access and document why.

berngp, Mar 20 '15 21:03

You could also dump scripts somewhere for enabling such potentially insecure configurations, and document running this if somebody wants to use sudo and nmap.

JensErat, Mar 20 '15 22:03

@JensErat I can keep nmap and sudo but instead of enabling zabbix as sudoer by default I can create a file in /etc/sudoers.d/zabbix.disabled that serves as an example on how to do so. If someone wants to change it they can just rename the file.

berngp, Mar 20 '15 22:03

Reopening the issue. Per the discussion above we will not enable the zabbix user as part of the sudoers. We will create the /etc/sudoers.d/zabbix.disabled file and if needed the user will have to explicitly call a flag through the ENTRYPOINT to enable it before starting Zabbix.

berngp, Mar 26 '15 17:03

I have a similar problem (zabbix24-agent-2.4.4) after update: "sudo: not found". But after /usr/local/etc/rc.d/zabbix_agentd restart everything works fine. When I do restart my server, scripts do not work again.

Surf-Tracer, May 16 '15 12:05

@Surf-Tracer is that issue related to this image?

berngp, Jun 01 '15 21:06

@berngp Sorry I do not know. I think something yes

Surf-Tracer, Jul 26 '15 10:07