If I have a checkmk server with two sites A and B both running the same checkmk version 2.3.0p40 (for example).
What is now the exact problem that can occur?
The werk’s description says it is safe to run omd commands as user A (or user B).
The description also says it is unsafe to run omd commands as root. But if I’m already root, I can do whatever I want on that server, so what’s the point? I don’t get it.
What I read from the description is:
if I am root, I can modify the omd command in such a way that a site user can also become root. Well, that’s no surprise.
if I am site user A (or B), then I cannot do that. (“Calling omd inside the site context is safe, as there is no path for the site user to escalate to root from within it.”)
Yes, pretty much like Andreas explained. A Checkmk site user or cmkadmin (user A or user B in your example) can escalate privileges to root. Just to elaborate on that a little bit:
If, in your setup, root, user A, and cmkadmin are all the same person, then the privilege escalation doesn’t really get you anything.
OTOH, even if you don’t rely on the linux user separation directly, this also increases the impact in case some attacker gains access as cmkadmin via some other means, as now they can become root on the server.
Also note that, as the Werk states, “This escalation could also be triggered automatically by standard system operations such as post update triggers”, so you don’t necessarily have to wait for root to run the omd command.