zabbix: use separate users for agent and server

For security, per upstream recommendations, use a separate user for the agent daemon and the server daemon. Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-04-15 10:51:55 +00:00 · 2026-01-15 07:41:05 -05:00
parent 1f3251545d
commit 907e9c6b1e
6 changed files with 12 additions and 9 deletions
--- a/admin/zabbix/Makefile
+++ b/admin/zabbix/Makefile
@@ -56,7 +56,6 @@ define Package/zabbix/Default
  SUBMENU:=Zabbix
  TITLE:=Zabbix
  URL:=https://www.zabbix.com/
-  USERID:=zabbix=53:zabbix=53
  DEPENDS+=$(ICONV_DEPENDS) +libpcre2 +zlib
 endef

@@ -67,6 +66,7 @@ define Package/zabbix-agentd
  PROVIDES:=zabbix-agentd
  VARIANT:=nossl
  DEFAULT_VARIANT:=1
+  USERID:=zabbix-agent=53:zabbix-agent=53
 endef

 define Package/zabbix-agentd-openssl
@@ -75,6 +75,7 @@ define Package/zabbix-agentd-openssl
  DEPENDS+= +libevent2-pthreads +libopenssl
  PROVIDES:=zabbix-agentd
  VARIANT:=openssl
+  USERID:=zabbix-agent=53:zabbix-agent=53
 endef

 define Package/zabbix-agentd-gnutls
@@ -83,6 +84,7 @@ define Package/zabbix-agentd-gnutls
  DEPENDS+= +libevent2-pthreads +libgnutls
  PROVIDES:=zabbix-agentd
  VARIANT:=gnutls
+  USERID:=zabbix-agent=53:zabbix-agent=53
 endef

 define Package/zabbix-extra-mac80211
@@ -161,6 +163,7 @@ define Package/zabbix-server/Default
    +libevent2-pthreads \
    +libevent2-extra \
    +fping
+  USERID:=zabbix-server=70:zabbix-server=70
 endef

 define Package/zabbix-server
--- a/admin/zabbix/files/zabbix_agentd.init
+++ b/admin/zabbix/files/zabbix_agentd.init
@@ -13,8 +13,8 @@ start_service() {

 	[ -f ${CONFIG} ] || return 1

-	mkdir -p /var/run/zabbix
-	chown zabbix:zabbix /var/run/zabbix
+	mkdir -p /var/run/zabbix-agent
+	chown zabbix-agent:zabbix-agent /var/run/zabbix-agent

 	procd_open_instance
 	procd_set_param command ${PROG} -c ${CONFIG} -f
--- a/admin/zabbix/files/zabbix_server.defaults
+++ b/admin/zabbix/files/zabbix_server.defaults
@@ -1,3 +1,3 @@
 #!/bin/sh

-chown zabbix:zabbix /etc/zabbix_server.conf
+chown zabbix-server:zabbix-server /etc/zabbix_server.conf
--- a/admin/zabbix/files/zabbix_server.init
+++ b/admin/zabbix/files/zabbix_server.init
@@ -27,12 +27,12 @@ start_service() {
 		return 1
 	fi

-	mkdir -p /var/run/zabbix
-	chown zabbix:zabbix /var/run/zabbix
+	mkdir -p /var/run/zabbix-server
+	chown zabbix-server:zabbix-server /var/run/zabbix-server

 	procd_open_instance
 	procd_set_param command ${PROG} -c ${CONFIG} -f
-	procd_set_param user zabbix
+	procd_set_param user zabbix-server
 	procd_set_param limits nofile="16384 100000"
 	procd_set_param file ${CONFIG}
 	procd_set_param respawn
--- a/admin/zabbix/patches/010-change-agentd-config.patch
+++ b/admin/zabbix/patches/010-change-agentd-config.patch
@@ -31,7 +31,7 @@ Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
 -# Default:
 -# PidFile=/tmp/zabbix_agentd.pid
 +# Zabbix always creates a PidFile. Make sure it is where we want it.
-+PidFile=/var/run/zabbix/zabbix_agentd.pid
+PidFile=/var/run/zabbix-agent/zabbix_agentd.pid
 +
 +# use syslog
 +LogType=system
--- a/admin/zabbix/patches/020-change-server-config.patch
+++ b/admin/zabbix/patches/020-change-server-config.patch
@@ -45,7 +45,7 @@ Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
 
 +# Although procd does not require a pid file, zabbix uses the pidfile to
 +# shut down correctly on receipt of a TERM or INT signal.
-+PidFile=/var/run/zabbix/zabbix_server.pid
+PidFile=/var/run/zabbix-server/zabbix_server.pid
 +
 ### Option: SocketDir
 #	IPC socket directory.