Red Hat Bugzilla – Bug 697485
cronie doesn't drop privileges before popen
Last modified: 2015-09-27 22:04:51 EDT
Description of problem: When a cronjob is invoked from non-root crontab and produces output, postfix logs warning: Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: the Postfix sendmail command has set-uid root file permissions Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: or the command is run from a set-uid root process Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: the Postfix sendmail command must be installed without set-uid root file permissions May be as well problem in cronie package... Version-Release number of selected component (if applicable): [root@n2rhps76 ~]# uname -a Linux n2rhps76 2.6.32-71.el6.i686 #1 SMP Wed Sep 1 01:26:34 EDT 2010 i686 i686 i386 GNU/Linux [root@n2rhps76 ~]# rpm -q postfix postfix-2.6.6-2.el6.i686 [root@n2rhps76 ~]# rpm -qf /usr/sbin/crond cronie-1.4.4-2.el6.i686 How reproducible: always Steps to Reproduce: 1. create non-root cronjob which produces output 2. 3. Actual results: Expected results: Additional info:
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
Also observed in Red Hat 6.1 with postfix-2.6.6-2.2.el6_1.x86_64 In the mail log: postfix/sendmail[3196]: warning: the Postfix sendmail command has set-uid root file permissions postfix/sendmail[3196]: warning: or the command is run from a set-uid root process postfix/sendmail[3196]: warning: the Postfix sendmail command must be installed without set-uid root file permissions Others have this problem too: http://lists.opensuse.org/archive/opensuse-bugs/2011-04/msg04539.html This is a message by the "sendmail" program of postfix I took a look at the source: In sendmail.c of postfix 2.8 (i.e. a later release) /* * Some sites mistakenly install Postfix sendmail as set-uid root. Drop * set-uid privileges only when root, otherwise some systems will not * reset the saved set-userid, which would be a security vulnerability. */ if (geteuid() == 0 && getuid() != 0) { msg_warn("the Postfix sendmail command has set-uid root file permissions"); msg_warn("or the command is run from a set-uid root process"); msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions"); set_ugid(getuid(), getgid()); } I.e. this is triggered if we are not root (getuid() != 0) but our effective uid is root (geteuid() == 0), i.e. the process is privileged and could do a setuid(0). I can't imagine how that could be the case here :-( Turns out the thing that ran at the time the above went into the log is CROND[3189]: (root) CMD (/usr/lib64/sa/sa1 -S DISK 1 1) It may well drop permissions, confusing postfix. Oh well, minor annoyance. ---> SUGGESTING TO CHANGE BUG TITLE TO: "Postfix sendmail complains about set-uid root file permissions"
We are seeing this on RHEL 6.3 servers for cron jobs run as non-root users as well. Not a show stopper, but indeed annoying. Aug 3 01:20:01 postfix/sendmail[5263]: warning: the Postfix sendmail command has set-uid root file permissions Aug 3 01:20:01 postfix/sendmail[5263]: warning: or the command is run from a set-uid root process Aug 3 01:20:01 postfix/sendmail[5263]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
The issue is actually fixed in Cronie 1.4.6 (RHEL 6 ships with 1.4.4). http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;h=dd21409b93dafa427cf31f45c2a7c75bfb9ae9ec For more information see http://bugs.centos.org/view.php?id=5571 and https://bugzilla.novell.com/show_bug.cgi?id=690166
(In reply to comment #5) Thanks for info. > The issue is actually fixed in Cronie 1.4.6 (RHEL 6 ships with 1.4.4). > Confirmed. > http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff; > h=dd21409b93dafa427cf31f45c2a7c75bfb9ae9ec > It doesn't seem to be this commit.
Created attachment 653151 [details] Backported fix
Thanks for the patch.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1681.html
(In reply to errata-xmlrpc from comment #16) > Since the problem described in this bug report should be > resolved in a recent advisory, it has been closed with a > resolution of ERRATA. > > For information on the advisory, and where to find the updated > files, follow the link below. > > If the solution does not work for you, open a new bug report. > > http://rhn.redhat.com/errata/RHBA-2013-1681.html I have recently discovered that this change breaks cron for users with home directories which are stored in AFS. The code change in patch cronie-1.4.4-popen697485.patch which was applied in 1.4.4-9.el6 adds a call to the cron_change_user_permanently function to do the setreuid call to drop privileges. This is clearly necessary but there is a (probably unintended) side-effect which is that access is denied whenever the home directory in the passwd file is inaccessible (in our case due to a lack of Kerberos ticket and AFS tokens). We have always worked around this inaccessible home directory problem for AFS users by setting the HOME environment variable in the crontab, that strategy works fine with version 1.4.4-7.el6 which does not contain the patch. Could the patch be changed to do the setreuid call without the seemingly unnecessary chdir check? Regards, Stephen Quinney