RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 697485 - cronie doesn't drop privileges before popen
Summary: cronie doesn't drop privileges before popen
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cronie
Version: 6.0
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Marcela Mašláňová
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 835616 960054 1890158
TreeView+ depends on / blocked
 
Reported: 2011-04-18 12:42 UTC by Pavel Urban
Modified: 2020-10-21 14:35 UTC (History)
9 users (show)

Fixed In Version: cronie-1.4.4-9.el6
Doc Type: Bug Fix
Doc Text:
Cause: Cronie should drop user priviledges before calling system function popen. Consequence: In /var/log/crond can be seen warnings about changing privilidges. Fix: Privilidges are droped before calling popen. Result: No warnings, properly droped privilidges.
Clone Of:
: 1890158 (view as bug list)
Environment:
Last Closed: 2013-11-21 22:22:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Backported fix (434 bytes, patch)
2012-11-27 21:58 UTC, Jaroslav Škarvada 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1681 0 normal SHIPPED_LIVE cronie bug fix and enhancement update 2013-11-20 21:52:35 UTC

Description Pavel Urban 2011-04-18 12:42:16 UTC 
Description of problem:

When a cronjob is invoked from non-root crontab and produces output, postfix logs warning:
Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: the Postfix sendmail command has set-uid root file permissions
Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: or the command is run from a set-uid root process
Apr 17 03:21:01 n2rhps76 postfix/sendmail[5002]: warning: the Postfix sendmail command must be installed without set-uid root file permissions

May be as well problem in cronie package...

Version-Release number of selected component (if applicable):
[root@n2rhps76 ~]# uname -a
Linux n2rhps76 2.6.32-71.el6.i686 #1 SMP Wed Sep 1 01:26:34 EDT 2010 i686 i686 i386 GNU/Linux
[root@n2rhps76 ~]# rpm -q postfix
postfix-2.6.6-2.el6.i686
[root@n2rhps76 ~]# rpm -qf /usr/sbin/crond
cronie-1.4.4-2.el6.i686


How reproducible:
always

Steps to Reproduce:
1. create non-root cronjob which produces output
2. 
3.
  
Actual results:


Expected results:


Additional info:
Comment 2 RHEL Program Management 2011-04-18 13:17:58 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 3 David Tonhofer 2011-09-20 09:31:20 UTC 
Also observed in Red Hat 6.1 with postfix-2.6.6-2.2.el6_1.x86_64

In the mail log:

postfix/sendmail[3196]: warning: the Postfix sendmail command has set-uid root file permissions
postfix/sendmail[3196]: warning: or the command is run from a set-uid root process
postfix/sendmail[3196]: warning: the Postfix sendmail command must be installed without set-uid root file permissions

Others have this problem too:

http://lists.opensuse.org/archive/opensuse-bugs/2011-04/msg04539.html

This is a message by the "sendmail" program of postfix

I took a look at the source:

In sendmail.c of postfix 2.8 (i.e. a later release)

/*
 * Some sites mistakenly install Postfix sendmail as set-uid root. Drop
 * set-uid privileges only when root, otherwise some systems will not
 * reset the saved set-userid, which would be a security vulnerability.
 */

if (geteuid() == 0 && getuid() != 0) {
 msg_warn("the Postfix sendmail command has set-uid root file permissions");
 msg_warn("or the command is run from a set-uid root process");
 msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
 set_ugid(getuid(), getgid());
}

I.e. this is triggered if we are not root (getuid() != 0) but our effective uid is root (geteuid() == 0), i.e. the process is privileged and could do a setuid(0).

I can't imagine how that could be the case here :-(

Turns out the thing that ran at the time the above went into the log is

CROND[3189]: (root) CMD (/usr/lib64/sa/sa1 -S DISK 1 1)

It may well drop permissions, confusing postfix.

Oh well, minor annoyance.

---> SUGGESTING TO CHANGE BUG TITLE TO:

     "Postfix sendmail complains about set-uid root file permissions"
Comment 4 Kurt Bechstein 2012-08-03 15:51:34 UTC 
We are seeing this on RHEL 6.3 servers for cron jobs run as non-root users as well.  Not a show stopper, but indeed annoying.


Aug  3 01:20:01 postfix/sendmail[5263]: warning: the Postfix sendmail command has set-uid root file permissions
Aug  3 01:20:01 postfix/sendmail[5263]: warning: or the command is run from a set-uid root process
Aug  3 01:20:01 postfix/sendmail[5263]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
Comment 5 Edward Rudd 2012-11-26 23:30:28 UTC 
The issue is actually fixed in Cronie 1.4.6 (RHEL 6 ships with 1.4.4).

http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;h=dd21409b93dafa427cf31f45c2a7c75bfb9ae9ec

For more information see http://bugs.centos.org/view.php?id=5571 and https://bugzilla.novell.com/show_bug.cgi?id=690166
Comment 6 Jaroslav Škarvada 2012-11-27 21:57:07 UTC 
(In reply to comment #5)
Thanks for info.

> The issue is actually fixed in Cronie 1.4.6 (RHEL 6 ships with 1.4.4).
> 
Confirmed.

> http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;
> h=dd21409b93dafa427cf31f45c2a7c75bfb9ae9ec
> 
It doesn't seem to be this commit.
Comment 7 Jaroslav Škarvada 2012-11-27 21:58:40 UTC 
Created attachment 653151 [details]
Backported fix
Comment 8 Marcela Mašláňová 2012-11-28 12:56:03 UTC 
Thanks for the patch.
Comment 16 errata-xmlrpc 2013-11-21 22:22:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1681.html
Comment 17 Stephen Quinney 2014-12-12 16:59:13 UTC 
(In reply to errata-xmlrpc from comment #16)
> Since the problem described in this bug report should be
> resolved in a recent advisory, it has been closed with a
> resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated
> files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> http://rhn.redhat.com/errata/RHBA-2013-1681.html

I have recently discovered that this change breaks cron for users with home directories which are stored in AFS.

The code change in patch cronie-1.4.4-popen697485.patch which was applied in 1.4.4-9.el6 adds a call to the cron_change_user_permanently function to do the setreuid call to drop privileges. This is clearly necessary but there is a (probably unintended) side-effect which is that access is denied whenever the home directory in the passwd file is inaccessible (in our case due to a lack of Kerberos ticket and AFS tokens). We have always worked around this inaccessible home directory problem for AFS users by setting the HOME environment variable in the crontab, that strategy works fine with version 1.4.4-7.el6 which does not contain the patch. Could the patch be changed to do the setreuid call without the seemingly unnecessary chdir check?

Regards,

Stephen Quinney
Note You need to log in before you can comment on or make changes to this bug.