Hi Brett,
Hopefully I can help answer some of this, though perhaps not as in-depth as you need. The Agent running as root should be, generally, the requested/recommended configuration from Automic/Broadcom:
https://docs.automic.com/documentation/webhelp/english/AA/12.3/DOCU/12.3/Automic%20Automation%20Guides/help.htm#Installation_Manual/InstallAgents/InstallAgentUNIX.htm?Highlight=unix%20agent
The agent for UNIX operating systems can be installed to either run as a privileged or an unprivileged process. It is recommended to install it as a privileged process because only in this mode, the agent can operate with full capabilities.
There are two methods to start the agent with root privileges:
-
Start the agent directly under the user root.
-
Define root as owner, assign the group where the start user has to be a member of, set the execute bit for the group and set the SetUID (s-bit) for the agent file owner.
Example
- chown root ucxjlx6
- chgrp admin ucxjlx6
- chmod 4550
--
This shouldn't allow the jobs themselves to run as root, however, unless you specify the root user/pw in a login object - the user in the Login Object is the user that should be executing the commands on the server the Agent resides on (generally one with much less permission/access than root).
In other words, as long as your user permissions are secure I don't think this should be a problem. They'll have whatever access they normally have when logging in with that user via login object/job in Automic.
------------------------------
[Sr. Systems Engineer]
[BECU]
------------------------------
Original Message:
Sent: 10-17-2019 02:25 PM
From: Brett Jenkins
Subject: Verify Agent setup
I have inherited an Automic environment that I believe is not set up corrrectly:
The client servers are Oracle Linux/RedHat linux. On each server there is an application running as a defined user, ie, wm, siadmin, ifwadmin, etc.
The current setup, all automic related files are under /opt/automic. The userid for that server's application owns all directories and files under /opt/automic. For some reason, the automic ServiceManager and Agent is being started by a configuration manager product called CFEngine. I was told that was the only way they could get this setup to work because the effective ID was always root while the real ID was the application ID, or vice-versa. So, they configured CFEngine to fork a shell under the application ID and then fork another shell to start the ServiceManager and Agent.
I have been advised to change all ownership to root:root, run the processes as root, and make sure any user running jobs has r/w/x to the Agent's temp directory. This obviously will work as root can do whatever it wants, but is that setup exploitable? Is there any way a user can execute a script to do nefarious things, or run a job that does something like reboot the server, delete OS files, change root password etc?