Bug 697485

Summary: cronie doesn't drop privileges before popen
Product: Red Hat Enterprise Linux 6 Reporter: Pavel Urban <fc-bugzilla>
Component: cronieAssignee: Marcela Mašláňová <mmaslano>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: high    
Version: 6.0CC: azelinka, bkurt, bughunt, jprokes, jwest, mpoole, squinney, sradvan, urkle
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cronie-1.4.4-9.el6 Doc Type: Bug Fix
Doc Text:
Cause: Cronie should drop user priviledges before calling system function popen. Consequence: In /var/log/crond can be seen warnings about changing privilidges. Fix: Privilidges are droped before calling popen. Result: No warnings, properly droped privilidges.
 Story Points: ---
Clone Of:
: 1890158 (view as bug list) Environment:
Last Closed: 2013-11-21 22:22:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 835616, 960054, 1890158    
Attachments:
Description Flags
Backported fix none

Description Pavel Urban 2011-04-18 12:42:16 UTC 
Description of problem:

When a cronjob is invoked from non-root crontab and produces output, postfix logs warning:
Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: the Postfix sendmail command has set-uid root file permissions
Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: or the command is run from a set-uid root process
Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: the Postfix sendmail command must be installed without set-uid root file permissions

May be as well problem in cronie package...

Version-Release number of selected component (if applicable):
[root@n2rhps76 ~]# uname -a
Linux n2rhps76 2.6.32-71.el6.i686 #1 SMP Wed Sep 1 01:26:34 EDT 2010 i686 i686 i386 GNU/Linux
[root@n2rhps76 ~]# rpm -q postfix
postfix-2.6.6-2.el6.i686
[root@n2rhps76 ~]# rpm -qf /usr/sbin/crond
cronie-1.4.4-2.el6.i686


How reproducible:
always

Steps to Reproduce:
1. create non-root cronjob which produces output
2. 
3.
  
Actual results:


Expected results:


Additional info:
Comment 2 RHEL Program Management 2011-04-18 13:17:58 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 3 David Tonhofer 2011-09-20 09:31:20 UTC 
Also observed in Red Hat 6.1 with postfix-2.6.6-2.2.el6_1.x86_64

In the mail log:

postfix/sendmail[3196]: warning: the Postfix sendmail command has set-uid root file permissions
postfix/sendmail[3196]: warning: or the command is run from a set-uid root process
postfix/sendmail[3196]: warning: the Postfix sendmail command must be installed without set-uid root file permissions

Others have this problem too:

http://lists.opensuse.org/archive/opensuse-bugs/2011-04/msg04539.html

This is a message by the "sendmail" program of postfix

I took a look at the source:

In sendmail.c of postfix 2.8 (i.e. a later release)

/*
 * Some sites mistakenly install Postfix sendmail as set-uid root. Drop
 * set-uid privileges only when root, otherwise some systems will not
 * reset the saved set-userid, which would be a security vulnerability.
 */

if (geteuid() == 0 && getuid() != 0) {
 msg_warn("the Postfix sendmail command has set-uid root file permissions");
 msg_warn("or the command is run from a set-uid root process");
 msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
 set_ugid(getuid(), getgid());
}

I.e. this is triggered if we are not root (getuid() != 0) but our effective uid is root (geteuid() == 0), i.e. the process is privileged and could do a setuid(0).

I can't imagine how that could be the case here :-(

Turns out the thing that ran at the time the above went into the log is

CROND[3189]: (root) CMD (/usr/lib64/sa/sa1 -S DISK 1 1)

It may well drop permissions, confusing postfix.

Oh well, minor annoyance.

---> SUGGESTING TO CHANGE BUG TITLE TO:

     "Postfix sendmail complains about set-uid root file permissions"
Comment 4 Kurt Bechstein 2012-08-03 15:51:34 UTC 
We are seeing this on RHEL 6.3 servers for cron jobs run as non-root users as well.  Not a show stopper, but indeed annoying.


Aug  3 01:20:01 postfix/sendmail[5263]: warning: the Postfix sendmail command has set-uid root file permissions
Aug  3 01:20:01 postfix/sendmail[5263]: warning: or the command is run from a set-uid root process
Aug  3 01:20:01 postfix/sendmail[5263]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
Comment 5 Edward Rudd 2012-11-26 23:30:28 UTC 
The issue is actually fixed in Cronie 1.4.6 (RHEL 6 ships with 1.4.4).

http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;h=dd21409b93dafa427cf31f45c2a7c75bfb9ae9ec

For more information see http://bugs.centos.org/view.php?id=5571 and https://bugzilla.novell.com/show_bug.cgi?id=690166
Comment 6 Jaroslav Škarvada 2012-11-27 21:57:07 UTC 
(In reply to comment #5)
Thanks for info.

> The issue is actually fixed in Cronie 1.4.6 (RHEL 6 ships with 1.4.4).
> 
Confirmed.

> http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;
> h=dd21409b93dafa427cf31f45c2a7c75bfb9ae9ec
> 
It doesn't seem to be this commit.
Comment 7 Jaroslav Škarvada 2012-11-27 21:58:40 UTC 
Created attachment 653151 [details]
Backported fix
Comment 8 Marcela Mašláňová 2012-11-28 12:56:03 UTC 
Thanks for the patch.
Comment 16 errata-xmlrpc 2013-11-21 22:22:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1681.html
Comment 17 Stephen Quinney 2014-12-12 16:59:13 UTC 
(In reply to errata-xmlrpc from comment #16)
> Since the problem described in this bug report should be
> resolved in a recent advisory, it has been closed with a
> resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated
> files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> http://rhn.redhat.com/errata/RHBA-2013-1681.html

I have recently discovered that this change breaks cron for users with home directories which are stored in AFS.

The code change in patch cronie-1.4.4-popen697485.patch which was applied in 1.4.4-9.el6 adds a call to the cron_change_user_permanently function to do the setreuid call to drop privileges. This is clearly necessary but there is a (probably unintended) side-effect which is that access is denied whenever the home directory in the passwd file is inaccessible (in our case due to a lack of Kerberos ticket and AFS tokens). We have always worked around this inaccessible home directory problem for AFS users by setting the HOME environment variable in the crontab, that strategy works fine with version 1.4.4-7.el6 which does not contain the patch. Could the patch be changed to do the setreuid call without the seemingly unnecessary chdir check?

Regards,

Stephen Quinney