From: Daniel F. Dickinson Date: Thu, 15 Jan 2026 12:41:05 +0000 (-0500) Subject: zabbix: use separate users for agent and server X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=907e9c6b1ea4635275d8d640f5083b3656229ecc;p=feed%2Fpackages.git zabbix: use separate users for agent and server For security, per upstream recommendations, use a separate user for the agent daemon and the server daemon. Signed-off-by: Daniel F. Dickinson
---
diff --git a/admin/zabbix/Makefile b/admin/zabbix/Makefile
index c7b75caa3d..023ea1c46a 100644
--- a/admin/zabbix/Makefile
+++ b/admin/zabbix/Makefile
@@ -56,7 +56,6 @@ define Package/zabbix/Default
 SUBMENU:=Zabbix
 TITLE:=Zabbix
 URL:=https://www.zabbix.com/
- USERID:=zabbix=53:zabbix=53
 DEPENDS+=$(ICONV_DEPENDS) +libpcre2 +zlib
 endef
@@ -67,6 +66,7 @@ define Package/zabbix-agentd
 PROVIDES:=zabbix-agentd
 VARIANT:=nossl
 DEFAULT_VARIANT:=1
+ USERID:=zabbix-agent=53:zabbix-agent=53
 endef
 define Package/zabbix-agentd-openssl
@@ -75,6 +75,7 @@ define Package/zabbix-agentd-openssl
 DEPENDS+= +libevent2-pthreads +libopenssl
 PROVIDES:=zabbix-agentd
 VARIANT:=openssl
+ USERID:=zabbix-agent=53:zabbix-agent=53
 endef
 define Package/zabbix-agentd-gnutls
@@ -83,6 +84,7 @@ define Package/zabbix-agentd-gnutls
 DEPENDS+= +libevent2-pthreads +libgnutls
 PROVIDES:=zabbix-agentd
 VARIANT:=gnutls
+ USERID:=zabbix-agent=53:zabbix-agent=53
 endef
 define Package/zabbix-extra-mac80211
@@ -161,6 +163,7 @@ define Package/zabbix-server/Default
 +libevent2-pthreads \
 +libevent2-extra \
 +fping
+ USERID:=zabbix-server=70:zabbix-server=70
 endef
 define Package/zabbix-server
diff --git a/admin/zabbix/files/zabbix_agentd.init b/admin/zabbix/files/zabbix_agentd.init
index 2938caff4d..04bef3730d 100755
--- a/admin/zabbix/files/zabbix_agentd.init
+++ b/admin/zabbix/files/zabbix_agentd.init
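Review bot: The three agent variants take over uid/gid 53, the id the removed `USERID:=zabbix=53:zabbix=53` line gave to the shared `zabbix` account, so on a device upgraded from the old package anything still owned by uid 53 (including server-side state written while both daemons ran as `zabbix`) would now resolve to `zabbix-agent`. That weakens the separation this commit is after until those files are re-owned, and zabbix_server.defaults in this commit re-owns only /etc/zabbix_server.conf. Consider giving the agent an id that was never shared, or adding a migration step that re-owns persistent server files. It would also help to state what happens to the stale `zabbix` passwd/group entry, which presumably stays behind unless a package script removes it (not visible here). The enclosing `define` blocks start outside the hunks.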
@@ -13,8 +13,8 @@ start_service() {
 [ -f ${CONFIG} ] || return 1
- mkdir -p /var/run/zabbix
- chown zabbix:zabbix /var/run/zabbix
+ mkdir -p /var/run/zabbix-agent
+ chown zabbix-agent:zabbix-agent /var/run/zabbix-agent
 procd_open_instance
 procd_set_param command ${PROG} -c ${CONFIG} -f
diff --git a/admin/zabbix/files/zabbix_server.defaults b/admin/zabbix/files/zabbix_server.defaults
index 4b14067eeb..4a8638a9e8 100644
--- a/admin/zabbix/files/zabbix_server.defaults
+++ b/admin/zabbix/files/zabbix_server.defaults
@@ -1,3 +1,3 @@
 #!/bin/sh
-chown zabbix:zabbix /etc/zabbix_server.conf
+chown zabbix-server:zabbix-server /etc/zabbix_server.conf
diff --git a/admin/zabbix/files/zabbix_server.init b/admin/zabbix/files/zabbix_server.init
index a6b49460b4..bcbdb41cd7 100755
--- a/admin/zabbix/files/zabbix_server.init
+++ b/admin/zabbix/files/zabbix_server.init
@@ -27,12 +27,12 @@ start_service() {
 return 1
 fi
- mkdir -p /var/run/zabbix
- chown zabbix:zabbix /var/run/zabbix
+ mkdir -p /var/run/zabbix-server
+ chown zabbix-server:zabbix-server /var/run/zabbix-server
 procd_open_instance
 procd_set_param command ${PROG} -c ${CONFIG} -f
- procd_set_param user zabbix
+ procd_set_param user zabbix-server
 procd_set_param limits nofile="16384 100000"
 procd_set_param file ${CONFIG}
 procd_set_param respawn
diff --git a/admin/zabbix/patches/010-change-agentd-config.patch b/admin/zabbix/patches/010-change-agentd-config.patch
index 024b56e879..894b224119 100644
--- a/admin/zabbix/patches/010-change-agentd-config.patch
+++ b/admin/zabbix/patches/010-change-agentd-config.patch
@@ -31,7 +31,7 @@ Signed-off-by: Daniel F. Dickinson
 -# Default:
 -# PidFile=/tmp/zabbix_agentd.pid
 +# Zabbix always creates a PidFile. Make sure it is where we want it.
-+PidFile=/var/run/zabbix/zabbix_agentd.pid
++PidFile=/var/run/zabbix-agent/zabbix_agentd.pid
 +
 +# use syslog
 +LogType=system
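Review bot: Nothing visible in this hunk makes the agent actually run as `zabbix-agent`: the runtime directory is re-owned, but unlike zabbix_server.init there is no `procd_set_param user` line in the shown part of `start_service`. If the daemon is started as root and drops privileges itself, zabbix_agentd uses its built-in default account (`zabbix` upstream) unless the config sets `User=`, and the 010-change-agentd-config.patch hunk in this commit only touches `PidFile`. Please confirm that either `procd_set_param user zabbix-agent` follows further down or `User=zabbix-agent` is set in the patched config. `start_service` continues outside the hunk.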
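Review bot: Making the daemon account the owner of /etc/zabbix_server.conf lets a compromised server process rewrite its own configuration, and the script never sets a mode, so who else can read the file depends on how the package installed it. Since this file normally carries the database credentials, root ownership with group read is tighter: `chown root:zabbix-server /etc/zabbix_server.conf` followed by `chmod 0640 /etc/zabbix_server.conf`.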
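Review bot: `mkdir -p` leaves the mode of /var/run/zabbix-server to the init script's umask, so the directory is probably world-listable and the new `zabbix-agent` account can still look into the server's runtime directory. If nothing outside the daemon needs to read the PID file, add `chmod 0750 /var/run/zabbix-server` after the `chown`. The same applies to /var/run/zabbix-agent in zabbix_agentd.init. `start_service` begins and ends outside the hunk.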
diff --git a/admin/zabbix/patches/020-change-server-config.patch b/admin/zabbix/patches/020-change-server-config.patch
index 493638dae2..bdd6f1764d 100644
--- a/admin/zabbix/patches/020-change-server-config.patch
+++ b/admin/zabbix/patches/020-change-server-config.patch
@@ -45,7 +45,7 @@ Signed-off-by: Daniel F. Dickinson
 +# Although procd does not require a pid file, zabbix uses the pidfile to
 +# shut down correctly on receipt of a TERM or INT signal.
-+PidFile=/var/run/zabbix/zabbix_server.pid
++PidFile=/var/run/zabbix-server/zabbix_server.pid
 +
 ### Option: SocketDir
 # IPC socket directory.