Bug 143191 - (*system*) BAD FILE MODE
(*system*) BAD FILE MODE
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: crontabs (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jason Vas Dias
Brock Organ
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-17 04:00 EST by Jorge
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version: vixie-cron-4.1-20_EL3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-01-26 11:13:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jorge 2004-12-17 04:00:15 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 
7.54  [es-ES]

Description of problem:
When i reboot the machine the cron daemnon don't executed the files 
in /etc/cron.d/*

The error is in /var/log/cron:

---------------------------
Dec 17 09:18:29 luquitas crond[2478]: (CRON) STARTUP (V5.0)
Dec 17 09:18:29 luquitas crond[2478]: (*system*) BAD FILE MODE (/etc/
cron.d/mrtg)
Dec 17 09:18:31 luquitas anacron[2507]: Anacron 2.3 started on 2004-
12-17
Dec 17 09:18:31 luquitas anacron[2507]: Normal exit (0 jobs run)
Dec 17 09:20:01 luquitas crond[3033]: (root) CMD (/usr/lib/sa/sa1 1 
1)
Dec 17 09:30:01 luquitas crond[3117]: (root) CMD (/usr/lib/sa/sa1 1 
1)
Dec 17 09:40:01 luquitas crond[3195]: (root) CMD (/usr/lib/sa/sa1 1 
1)
Dec 17 09:40:28 luquitas crond[3215]: (CRON) STARTUP (V5.0)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/
cron.d/sysstat)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/
cron.d/mrtg)
---------------------------

But before reboot the crontab entry works fine:

---------------------------
Dec 17 09:01:01 luquitas crond[4188]: (root) CMD (run-parts /etc/
cron.hourly)
Dec 17 09:05:01 luquitas crond[4205]: (root) CMD (/usr/bin/mrtg /etc/
mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /
var/lib/mrtg/mrtg.ok)
Dec 17 09:10:01 luquitas crond[4233]: (root) CMD (/usr/lib/sa/sa1 1 
1)
Dec 17 09:10:01 luquitas crond[4234]: (root) CMD (/usr/bin/mrtg /etc/
mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /
var/lib/mrtg/mrtg.ok)
Dec 17 09:15:01 luquitas crond[4304]: (root) CMD (/usr/bin/mrtg /etc/
mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /
var/lib/mrtg/mrtg.ok)

************* shutdown -r now ********************

Dec 17 09:18:29 luquitas crond[2478]: (CRON) STARTUP (V5.0)
Dec 17 09:18:29 luquitas crond[2478]: (*system*) BAD FILE MODE (/etc/
cron.d/mrtg)
Dec 17 09:18:31 luquitas anacron[2507]: Anacron 2.3 started on 2004-
12-17
Dec 17 09:18:31 luquitas anacron[2507]: Normal exit (0 jobs run)
Dec 17 09:20:01 luquitas crond[3033]: (root) CMD (/usr/lib/sa/sa1 1 
1)
Dec 17 09:30:01 luquitas crond[3117]: (root) CMD (/usr/lib/sa/sa1 1 
1)
Dec 17 09:40:01 luquitas crond[3195]: (root) CMD (/usr/lib/sa/sa1 1 
1)
Dec 17 09:40:28 luquitas crond[3215]: (CRON) STARTUP (V5.0)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/
cron.d/sysstat)
Dec 17 09:40:28 luquitas crond[3215]: (*system*) BAD FILE MODE (/etc/
cron.d/mrtg)
---------------------------



Version-Release number of selected component (if applicable):
(CRON) STARTUP (V5.0)

How reproducible:
Always

Steps to Reproduce:
1. the machine is up
2. chmod 755 /etc/cron.d/mrtg
3. "works fine many times"
4. shutdown -r now
5. "After reboot don't work"
6. chmod 755 /etc/cron.d/sysstat
7. sysstat entry don't work also    

Actual Results:  Nothing

Additional info:

The SELinux it's work in WARM mode
Comment 1 Jason Vas Dias 2004-12-17 11:28:12 EST
By default, ISC cron 4.1 enforces that all crontab files MUST have
mode 0600, and cannot be links - otherwise, they are ignored.
This was a security feature to close known vulnerabilities in cron.
We relaxed this somewhat to allow group/other read access - 
group/other write access or any execute access is still not allowed.

So to fix this, do :
   # chmod a-x,og-w /etc/cron.d/* /var/spool/cron/*

In vixie-cron-4.1-21 for FC3, I'm going to add the '-m <mode>' option, 
where '<mode>' is a 'umask'-like mask of crontab file mode bits 
NOT TO ACCEPT - by default, this is now 07133 - ie. any of
setuid/setgid/sticky, ugo-execute, or group/other write. 
With the '-m' option, you'll be able to disable all mode checking 
with '-m 0', which will also disable link checking .

 
    
Comment 2 Jason Vas Dias 2005-01-26 11:13:26 EST
This bug has been fixed with vixie-cron-4.1-20_FC3 
(and now also with vixie-cron-4.1-21_FC3) .

1. crond will now accept read-only crontab files by default

2. crond now has a '-p' option to turn off the default rejection
   of crontabs that have any of:
   - Write permission for group / other
   - any execute permission
   - more than one link

Note You need to log in before you can comment on or make changes to this bug.