This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2235247 - rsyslog omprog failed under some file permissions
Summary: rsyslog omprog failed under some file permissions
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rsyslog
Version: 9.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Attila Lakatos
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-28 06:54 UTC by tbsky
Modified: 2023-09-19 17:48 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-19 17:48:14 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github rsyslog rsyslog pull 5223 0 None open omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set 2023-09-12 10:45:09 UTC
Red Hat Issue Tracker   RHEL-5196 0 None Migrated None 2023-09-19 17:48:09 UTC
Red Hat Issue Tracker RHELPLAN-166659 0 None None None 2023-08-28 06:56:14 UTC
Red Hat Issue Tracker SECENGSP-5438 0 None None None 2023-09-04 09:17:05 UTC

Description tbsky 2023-08-28 06:54:10 UTC 
Hi:
  We have a rsyslog omprog script which is working fine under RHEL7/8. we tried it under RHEL 9.2/9.3 stream but it failed to load. we tried to figure why and found omprog is sensitive about script owner/permissions. my example rsyslog files are below:

============
>cat /etc/rsyslog.d/example.conf
module(load="omprog")
*.* action(type="omprog" binary="/usr/bin/a.sh")

>cat /usr/bin/a.sh
#!/usr/bin/bash
while true;do
        sleep 1
done

>ls -la /usr/bin/a.sh
-rwx------ 1 bin bin 45 Aug 26 23:36 /usr/bin/a.sh
============

The rsyslog error messages are below:

Aug 26 23:40:39 test.example.com rsyslogd[1691]: child process (pid 1695) exited with status 126 [v8.2102.0-117.el9]
Aug 26 23:40:39 test.example.com rsyslogd[1691]: omprog: program '/usr/bin/a.sh' (pid 1695) terminated; will be restarted [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2119 ]
Aug 26 23:40:39 test.example.com rsyslogd[1691]: action 'action-0-omprog' suspended (module 'omprog'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2007 ]
Aug 26 23:40:40 test.example.com postfix/smtpd[1707]: disconnect from unknown[95.214.26.184] ehlo=1 auth=0/1 quit=1 commands=2/3
Aug 26 23:40:40 test.example.com rsyslogd[1691]: action 'action-0-omprog' resumed (module 'omprog') [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2359 ]


The workaround is easy. if we "chown root.root a.sh" or "chmod 755 a.sh" then rsyslog is happy loading the script. we have tried rsyslog version "8.2102.0-113" and "8.2102.0-117" (comes from stream) under RHEL 9.2.
Comment 1 Attila Lakatos 2023-08-29 07:53:06 UTC 
Hello,

I think this is caused by the recent capability dropping feature.
I assume that rsyslog is running as root by default on your system. The /usr/bin/a.sh file has read/write/execute permission bits set for the owner of the file. However, when omprog creates a fork to be able to execute the program in the background, the capabilities are not inherited. Due to that the following happens:
1. /usr/bin/a.sh is owned by bin:bin
2. the file has no permission bits set for group/others
3. rsyslog is not the owner of the file
4. Results in not being able to execute the prog.

Imagine if user with ID of "bin" was compromised, it could easily modify the content of your prog, perform some malicious activity. I recommend to change the ownership of the a.sh prog or use the workaround that you suggested.
Comment 2 tbsky 2023-09-04 09:15:09 UTC 
Hi:
   Thanks a lot for your explanation. Indeed rsyslog is running as root by default under RHEL.I think I will change the owner of the program to root to solve the problem. Thanks again for your help!
Comment 3 tbsky 2023-09-05 16:34:05 UTC 
Hi
   After further testing, unfortunately the script can not work under current design. my script need to write analyze result to non-root files for non-root process to read. under current "capability dropping" design, the script has limit below:

1. the script must own by root or world executable (eg: permission 755)
2. the script can only write root-owner directory or world writable directory (eg: permission 777)

   It seems a very strange design and I don't know how to workaround it. I tried suid and sudo (which rsyslog refuse to run) but nothing works. the script seems running under user "root" but has no root privilege. 

   Finally I can only downgrade to RHEL 9.0 version (rsyslog-8.2102.0-101.el9_0.1) to restore the previous working behavior.

   My RHEL 9.2/Stream testing config like below:

======
>cat /etc/rsyslog.d/example.conf
module(load="omprog")
*.* action(type="omprog" binary="/usr/bin/a.sh" output="/tmp/result.log)

>cat /usr/bin/a.sh
#!/bin/bash
whoami
whoami >/tmp/test/me
while true;do
        sleep 1
done

>mkdir /tmp/test; chmod 700 /tmp/test; chown bin.bin /tmp/test; systemctl restart rsyslog

>cat /tmp/result.log
root
/usr/bin/a.sh: line 3: /tmp/test/me: Permission denied
Comment 4 Attila Lakatos 2023-09-06 07:09:14 UTC 
Hello,

I tried your reproducer and I got the same results for rhel8.9 as well, where the cap dropping feature is not available.

Just a side note, a new version of rsyslog will contain libcapng.default global directive, which turns off this feature, upstream: https://www.rsyslog.com/doc/master/rainerscript/global.html#libcapng-default
Comment 5 tbsky 2023-09-07 01:52:08 UTC 
Hi:
   Do you mean your rhel 8.9 get "Permission denied" result also?
   I have tried the versions below:

   8.2102.0-13.el8 (comes with RHEL 8.8) at RHEL 8.8 => script works fine
   8.2102.0-15.el8 (get from stream) at RHEL 8.8 => script works fine
   8.2102.0-105.el9 at RHEL 9.2 => script works fine
   8.2102.0-111.el9 at RHEL 9.2 => script broken and get "Permission denied"

   So look at the changelog between 8.2102.0-105.el9 and 8.2102.0-111.el9. indeed the changelog below seems the reason as you said:

* Mon Nov 21 2022 Attila Lakatos <alakatos> - 8.2102.0-107
- Drop capabilities to only the neccessary set with libcap-ng
  resolves: rhbz#2127404

  8.2102.0-107.el9 was removed from stream so I can not test it to make sure. is there place I can get the version?
Comment 6 Attila Lakatos 2023-09-12 10:45:10 UTC 
Hello,

Thanks for your patience. I did some testing and it turns out that the bounding set was not adjusted when capabilities were dropped.
I made some changes upstream and submitted a PR (I've attached it to this BZ) to fix this problem, feel free to check it out. In the description I've explained why this happens and what can be done to fix this. Thanks. We can backport it if upstream accepts the patch.

In the meantime, could you try the scratch-build out and test whether it works for you? I would appreciate that.
https://kojihub.stream.centos.org/koji/taskinfo?taskID=2813062
Comment 7 tbsky 2023-09-12 14:40:32 UTC 
Hi:
   Unfortunately the new build didn't work for me. the result is the same as previous 8.2102.0-111 and 8.2102.0-117. I tried several times to make sure. then I downgrade to 8.2102.0-105 to make sure the testing script works again.

   I was using this rpm: https://kojihub.stream.centos.org/kojifiles/work/tasks/3067/2813067/rsyslog-8.2102.0-117.el9.TESTINGONLY.x86_64.rpm

   Thanks for your kind help!
Comment 8 Attila Lakatos 2023-09-13 05:41:29 UTC 
May I ask you to post your reproducer again? Just to be sure. Thanks.
Comment 9 tbsky 2023-09-13 06:09:48 UTC 
Hi:
   ok. the testing environment is RHEL 9.2 under rsyslog >= 8.2102.0-107 with files below:

=========
>cat /etc/rsyslog.d/example.conf
module(load="omprog")
*.* action(type="omprog" binary="/usr/bin/a.sh" output="/tmp/result.log)

>cat /usr/bin/a.sh
#!/bin/bash
whoami
whoami >/tmp/test/me
while true;do
        sleep 1
done

>ls -la /usr/bin/a.sh
-rwx------ 1 root root 68 Sep  6 00:24 /usr/bin/a.sh


>rm -f /tmp/result.log; rm -rf /tmp/test; mkdir /tmp/test; chmod 700 /tmp/test; chown bin.bin /tmp/test; systemctl restart rsyslog

>cat /tmp/result.log
root
/usr/bin/a.sh: line 3: /tmp/test/me: Permission denied

>cat /tmp/test/me
cat: /tmp/test/me: No such file or directory
=========


when the script works correctly under 8.2102.0-105:
>cat /tmp/result.log
root

>cat /tmp/test/me
root
Comment 10 Attila Lakatos 2023-09-18 12:28:59 UTC 
I accidentally did not backport the entire patch from upstream PR. Now it should be fixed. Please try again with:
https://kojihub.stream.centos.org/koji/taskinfo?taskID=2837242

Let me know if you have selinux enabled. If yes, are there any AVCs?
Comment 11 tbsky 2023-09-19 14:30:58 UTC 
Hi:
   the new rpm is working fine. I don't have selinux enabled (selinux=0 as boot parameter).
   It works under the testing environment and our original script also works fine.
   thanks again for your kind help!
Comment 12 RHEL Program Management 2023-09-19 17:32:55 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 13 RHEL Program Management 2023-09-19 17:48:14 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Note You need to log in before you can comment on or make changes to this bug.