Bug 143191

Summary: (*system*) BAD FILE MODE
Product: [Fedora] Fedora
Reporter: Jorge <jnovonj>
Component: crontabs
Assignee: Jason Vas Dias <jvdias>
Status: CLOSED CURRENTRELEASE
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 3
Hardware: All
OS: Linux
Fixed In Version: vixie-cron-4.1-20_EL3
Doc Type: Bug Fix
Last Closed: 2005-01-26 16:13:26 UTC

Description Jorge 2004-12-17 09:00:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54  [es-ES]

Description of problem:
When I reboot the machine, the cron daemon doesn't execute the files
in /etc/cron.d/*

The error is in /var/log/cron:

---------------------------
Dec 17 09:18:29 luquitas crond[2478]: (CRON) STARTUP (V5.0)
Dec 17 09:18:29 luquitas crond[2478]: (*system*) BAD FILE MODE (/etc/cron.d/mrtg)
Dec 17 09:18:31 luquitas anacron[2507]: Anacron 2.3 started on 2004-12-17
Dec 17 09:18:31 luquitas anacron[2507]: Normal exit (0 jobs run)
Dec 17 09:20:01 luquitas crond[3033]: (root) CMD (/usr/lib/sa/sa1 1 1)
Dec 17 09:30:01 luquitas crond[3117]: (root) CMD (/usr/lib/sa/sa1 1 1)
Dec 17 09:40:01 luquitas crond[3195]: (root) CMD (/usr/lib/sa/sa1 1 1)
Dec 17 09:40:28 luquitas crond[3215]: (CRON) STARTUP (V5.0)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/cron.d/sysstat)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/cron.d/mrtg)
---------------------------

But before reboot the crontab entry works fine:

---------------------------
Dec 17 09:01:01 luquitas crond[4188]: (root) CMD (run-parts /etc/cron.hourly)
Dec 17 09:05:01 luquitas crond[4205]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
Dec 17 09:10:01 luquitas crond[4233]: (root) CMD (/usr/lib/sa/sa1 1 1)
Dec 17 09:10:01 luquitas crond[4234]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
Dec 17 09:15:01 luquitas crond[4304]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)

************* shutdown -r now ********************

Dec 17 09:18:29 luquitas crond[2478]: (CRON) STARTUP (V5.0)
Dec 17 09:18:29 luquitas crond[2478]: (*system*) BAD FILE MODE (/etc/cron.d/mrtg)
Dec 17 09:18:31 luquitas anacron[2507]: Anacron 2.3 started on 2004-12-17
Dec 17 09:18:31 luquitas anacron[2507]: Normal exit (0 jobs run)
Dec 17 09:20:01 luquitas crond[3033]: (root) CMD (/usr/lib/sa/sa1 1 1)
Dec 17 09:30:01 luquitas crond[3117]: (root) CMD (/usr/lib/sa/sa1 1 1)
Dec 17 09:40:01 luquitas crond[3195]: (root) CMD (/usr/lib/sa/sa1 1 1)
Dec 17 09:40:28 luquitas crond[3215]: (CRON) STARTUP (V5.0)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/cron.d/sysstat)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/cron.d/mrtg)
---------------------------



Version-Release number of selected component (if applicable):
(CRON) STARTUP (V5.0)

How reproducible:
Always

Steps to Reproduce:
1. the machine is up
2. chmod 755 /etc/cron.d/mrtg
3. "works fine many times"
4. shutdown -r now
5. "After reboot it doesn't work"
6. chmod 755 /etc/cron.d/sysstat
7. the sysstat entry doesn't work either

Actual Results:  Nothing

Additional info:

SELinux is working in WARM mode

Comment 1 Jason Vas Dias 2004-12-17 16:28:12 UTC
By default, ISC cron 4.1 enforces that all crontab files MUST have
mode 0600, and cannot be links - otherwise, they are ignored.
This was a security feature to close known vulnerabilities in cron.
We relaxed this somewhat to allow group/other read access - 
group/other write access or any execute access is still not allowed.

So to fix this, do:
   # chmod a-x,og-w /etc/cron.d/* /var/spool/cron/*

In vixie-cron-4.1-21 for FC3, I'm going to add the '-m <mode>' option, 
where '<mode>' is a 'umask'-like mask of crontab file mode bits 
NOT TO ACCEPT - by default, this is now 07133 - i.e. any of
setuid/setgid/sticky, ugo-execute, or group/other write. 
With the '-m' option, you'll be able to disable all mode checking 
with '-m 0', which will also disable link checking.

 
    

Comment 2 Jason Vas Dias 2005-01-26 16:13:26 UTC
This bug has been fixed with vixie-cron-4.1-20_FC3 
(and now also with vixie-cron-4.1-21_FC3).

1. crond will now accept read-only crontab files by default

2. crond now has a '-p' option to turn off the default rejection
   of crontabs that have any of:
   - Write permission for group / other
   - any execute permission
   - more than one link
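
The default checks described in Comments 1 and 2, as an added Python example that is not part of this bug thread or of vixie-cron's code: it audits a directory for files whose mode hits the 07133 mask, that are symbolic links, or that have more than one hard link. The function names, bit labels and sample directory are constructed for illustration; the `mask` parameter mirrors the '-m' option as Comment 1 describes it, and treating both symlinks and extra hard links as "links" is an assumption.

```python
import os
import stat
import tempfile

REJECT_MASK = 0o7133  # default mask quoted in Comment 1: bits a crontab must not have

BIT_NAMES = [  # labels are this example's own wording
    (stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky"),
    (stat.S_IXUSR, "user execute"), (stat.S_IXGRP, "group execute"),
    (stat.S_IXOTH, "other execute"), (stat.S_IWGRP, "group write"),
    (stat.S_IWOTH, "other write"),
]

def check_crontab(path, mask=REJECT_MASK):
    """Return the reasons `path` would be rejected; an empty list means accepted."""
    if mask == 0:  # Comment 1: '-m 0' disables mode and link checking
        return []
    st = os.lstat(path)  # lstat so a symlink is inspected, not followed
    if stat.S_ISLNK(st.st_mode):
        return ["symbolic link"]
    reasons = [name for bit, name in BIT_NAMES if st.st_mode & mask & bit]
    if st.st_nlink > 1:
        reasons.append("more than one link")
    return reasons

def audit(directory, mask=REJECT_MASK):
    """Map each rejected file name in `directory` to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        reasons = check_crontab(os.path.join(directory, name), mask)
        if reasons:
            findings[name] = reasons
    return findings

def demo(mask=REJECT_MASK):
    """Audit a constructed directory that mirrors the modes in the report."""
    with tempfile.TemporaryDirectory() as d:
        modes = {"mrtg": 0o755, "sysstat": 0o755, "ok": 0o644, "ro": 0o444,
                 "shared": 0o664, "dup": 0o600}
        for name, mode in modes.items():
            with open(os.path.join(d, name), "w") as f:
                f.write("*/5 * * * * root /bin/true\n")
            os.chmod(os.path.join(d, name), mode)
        os.link(os.path.join(d, "dup"), os.path.join(d, "dup2"))
        os.symlink(os.path.join(d, "ok"), os.path.join(d, "link"))
        return audit(d, mask)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"BAD FILE MODE ({name}): {', '.join(reasons)}")
```

Running `audit("/etc/cron.d")` before a reboot lists the files crond would skip at its next startup, which is the situation in the original report where the chmod 755 only took effect after the restart.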