Report forwarded to debian-bugs-dist@lists.debian.org, Steve Greenland <stevegr@debian.org>: Bug#210467; Package cron.
Acknowledgement sent to Melkor <morgoth@free.fr>:
New Bug report received and forwarded. Copy sent to Steve Greenland <stevegr@debian.org>.
Subject: CRON: Does not work with symlinks anymore
Date: Thu, 11 Sep 2003 20:29:23 +0200
Package: cron
Version: 3.0pl1-77
Severity: normal
I faced a somewhat very annoying bug recently with cron. I use a centralised
configuration system and for compatibility I symlink the config files I change
in /etc. This way, with a simple ls -l I can differentiate the default config
files from those I changed myself. It also allows simpler backup of
configuration files as all modified files are in the same place.
Here is an example: ls -l /etc
......
crontab -> /opt/Repository/Configs/crontab
......
hostname
hosts -> /opt/Repository/Configs/hosts
hosts.allow
hosts.deny
......
inittab -> /opt/Repository/Configs/inittab
inputrc -> /opt/Repository/Configs/inputrc
issue
......
And it worked for a long time until a new version of cron came. The syslog
kept saying at every launch of the cron service:
/usr/sbin/cron[20175]: (CRON) INFO (pidfile fd = 3)
/usr/sbin/cron[20176]: (CRON) STARTUP (fork ok)
/usr/sbin/cron[20176]: (*system*) CAN'T OPEN (/etc/crontab)
/usr/sbin/cron[20176]: (*system*AWStats) CAN'T OPEN (/etc/cron.d/AWStats)
/usr/sbin/cron[20176]: (*system*FetchMail) CAN'T OPEN (/etc/cron.d/FetchMail)
/usr/sbin/cron[20176]: (*system*RSyncBackup) CAN'T OPEN (/etc/cron.d/RSyncBackup)
And, of course, all these files are symlinks to my real files stored in the
repository (which is just a directory within the same FS, nothing particular
about it). When I remove the symlinks and copy the real files at the same
place, the syslog becomes:
/usr/sbin/cron[20284]: (CRON) INFO (pidfile fd = 3)
/usr/sbin/cron[20285]: (CRON) STARTUP (fork ok)
This is very annoying as I lose all the benefit of my centralised repository.
It worked for years without any trouble and now it's broken. I've searched the
changelogs (cron and debian) but I haven't seen anything relevant about the
disruption of support for symlinks for the cron files.
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux hades 2.4.21 #1 Tue Sep 9 17:20:59 CEST 2003 i686 GNU/Linux
Locale: LANG=POSIX, LC_CTYPE="POSIX"
Versions of packages cron depends on:
ii adduser 3.51 Add and remove users and groups
ii debianutils 2.5.4 Miscellaneous utilities specific to Debian
ii libc6 2.3.2-5 GNU C Library: Shared libraries and Timezone
ii libpam0g 0.76-14 Pluggable Authentication Modules library
--
Melkor <morgoth@free.fr>
Acknowledgement sent to Steve Greenland <steveg@moregruel.net>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.
To: Melkor <morgoth@free.fr>, 210467@bugs.debian.org
Subject: Re: Bug#210467: CRON: Does not work with symlinks anymore
Date: Thu, 11 Sep 2003 14:43:20 -0500
On 11-Sep-03, 13:29 (CDT), Melkor <morgoth@free.fr> wrote:
> It worked for years without any trouble and now it's broken. I've searched the
> changelogs (cron and debian) but I haven't seen anything relevant about the
> disruption of support for symlinks for the cron files.
It was part of the recent changes to make crontab "setgid" rather than
setuid "root". I added some checks to the reading of the crontabs,
requiring that they be real files (rather than symlinks, pipes, etc.). For
the user crontabs in /var/spool/cron/crontabs, this is a requirement.
However, I'm not sure that it's required for the system crontabs
(/etc/crontab and /etc/cron.d/*), since if someone can create symlinks
there, you're already screwed.
Does someone who knows more about this want to comment on advisability
of letting the system crontabs be symlinks?
Steve
--
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating
system and Linus Torvalds claims to be trying to take over the
world. -- seen on the net
Acknowledgement sent to Melkor <morgoth@free.fr>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.
Subject: Re: Bug#210467: CRON: Does not work with symlinks anymore
Date: Thu, 11 Sep 2003 22:35:12 +0200
-11.09.2003 21:43:20-, « Steve Greenland (steveg@moregruel.net) »
wrote about « Re: Bug#210467: CRON: Does not work with symlinks anymore »
SG> It was part of the recent changes to make crontab "setgid" rather than
SG> setuid "root". I added some checks to the reading of the crontabs,
SG> requiring that they be real files (rather than symlinks, pipes, etc.). For
SG> the user crontabs in /var/spool/cron/crontabs, this is a requirement.
That seems fair and a good solution to prevent security issues.
SG> However, I'm not sure that it's required for the system crontabs
SG> (/etc/crontab and /etc/cron.d/*), since if someone can create symlinks
SG> there, you're already screwed.
Right. If someone is able to create symlinks, he can create files so the
system is already badly compromised.
SG> Does someone who knows more about this want to comment on advisability
SG> of letting the system crontabs be symlinks?
Maybe one solution would be a la Apache. The directive Options has an
argument "SymLinksIfOwnerMatch". Why not do the same to tighten the security a
bit? If the owner of the symlink is the same as the pointed file then cron
will assume that symlink is legitimate and follow it.
That's just a suggestion.
Thanks for the quick reply!
--
Melkor <morgoth@free.fr>
Acknowledgement sent to Steve Greenland <steveg@moregruel.net>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.
Subject: Re: Bug#210467: CRON: Does not work with symlinks anymore
Date: Thu, 11 Sep 2003 16:28:38 -0500
On 11-Sep-03, 15:35 (CDT), Melkor <morgoth@free.fr> wrote:
> If the owner of the symlink is the same as the pointed file then cron
> will assume that symlink is legitimate and follow it.
That's a reasonable approach, although subject to races, since you can't
check the ownership of both atomically - checking link, then file, and
then restat()ing the link is probably sufficient. I'd probably also
require that it be symlink->file, not symlink->symlink->file, if I can
do that without too much pain. I think I'm going to bounce this off of
Matt Zimmerman and Solar Designer as well.
Steve
--
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating
system and Linus Torvalds claims to be trying to take over the
world. -- seen on the net
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.
To: Steve Greenland <steveg@moregruel.net>, 210467@bugs.debian.org
Subject: Re: Bug#210467: CRON: Does not work with symlinks anymore
Date: Thu, 11 Sep 2003 18:00:27 -0400
On Thu, Sep 11, 2003 at 04:28:38PM -0500, Steve Greenland wrote:
> On 11-Sep-03, 15:35 (CDT), Melkor <morgoth@free.fr> wrote:
> > If the owner of the symlink is the same as the pointed file then cron
> > will assume that symlink is legitimate and follow it.
>
> That's a reasonable approach, although subject to races, since you can't
> check the ownership of both atomically - checking link, then file, and
> then restat()ing the link is probably sufficient. I'd probably also
> require that it be symlink->file, not symlink->symlink->file, if I can
> do that without too much pain. I think I'm going to bounce this off of
> Matt Zimmerman and Solar Designer as well.
I assume it's too hairy to have different checks for /etc than for
/var/spool/cron, right? That would be ideal. The crontabs in /etc are
purely root's territory and can be treated with less suspicion.
Failing that, symlinks owned by root should be OK. Since the crontabs dir
is +t, there should be relatively few pitfalls when checking ownership.
--
- mdz
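The checks discussed in this thread, as an added example that is not part of the bug report or of cron's source: a hypothetical open_crontab() applies the strict regular-file rule for spool crontabs and, for system crontabs, the owner-match rule using the lstat, open, fstat, restat sequence described above. It does not enforce the single-hop (symlink->file) restriction.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not cron's source). Returns a read-only fd or -1.
 * strict != 0: spool policy, the path itself must be a regular file.
 * strict == 0: system policy, a symlink is accepted when link and target
 *              have the same owner (the SymLinksIfOwnerMatch idea). */
int open_crontab(const char *path, int strict)
{
    struct stat before, after, target;
    int is_link, fd;

    if (lstat(path, &before) != 0)
        return -1;
    is_link = S_ISLNK(before.st_mode);
    if (!S_ISREG(before.st_mode) && (strict || !is_link))
        return -1;                      /* FIFO, device, dir, or link in strict mode */

    /* O_NOFOLLOW: fail if a link replaced the file after lstat().
     * O_NONBLOCK: a FIFO swapped in or linked to cannot hang the open. */
    fd = open(path, O_RDONLY | O_NONBLOCK | (is_link ? 0 : O_NOFOLLOW));
    if (fd < 0)
        return -1;

    /* Judge the object actually opened, not the name. */
    if (fstat(fd, &target) != 0 || !S_ISREG(target.st_mode))
        goto reject;
    if (is_link) {
        /* Owner match, then restat the link: it must be the link first seen. */
        if (target.st_uid != before.st_uid || lstat(path, &after) != 0 ||
            after.st_dev != before.st_dev || after.st_ino != before.st_ino)
            goto reject;
    } else if (target.st_dev != before.st_dev || target.st_ino != before.st_ino) {
        goto reject;                    /* file was swapped between lstat and open */
    }
    return fd;
reject:
    close(fd);
    return -1;
}

int main(int argc, char **argv)
{
    /* usage: ./a.out PATH [strict] */
    int fd = argc > 1 ? open_crontab(argv[1], argc > 2) : -1;
    printf("%s\n", fd >= 0 ? "accepted" : "rejected");
    return 0;
}
```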
Acknowledgement sent to Steve Greenland <steveg@moregruel.net>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.
Subject: Re: Bug#210467: CRON: Does not work with symlinks anymore
Date: Fri, 12 Sep 2003 07:43:58 -0500
On 11-Sep-03, 17:00 (CDT), Matt Zimmerman <mdz@debian.org> wrote:
> I assume it's too hairy to have different checks for /etc than for
> /var/spool/cron, right? That would be ideal. The crontabs in /etc are
> purely root's territory and can be treated with less suspicion.
No, that's actually what I was considering. I just wanted to make sure I
wasn't missing something.
Thanks,
Steve
--
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating
system and Linus Torvalds claims to be trying to take over the
world. -- seen on the net
Reply sent to Steve Greenland <stevegr@debian.org>:
You have taken responsibility.
Notification sent to Melkor <morgoth@free.fr>:
Bug acknowledged by developer.
Source: cron
Source-Version: 3.0pl1-80
We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive:
cron_3.0pl1-80.diff.gz
to pool/main/c/cron/cron_3.0pl1-80.diff.gz
cron_3.0pl1-80.dsc
to pool/main/c/cron/cron_3.0pl1-80.dsc
cron_3.0pl1-80_i386.deb
to pool/main/c/cron/cron_3.0pl1-80_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 210467@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Greenland <stevegr@debian.org> (supplier of updated cron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 17 Sep 2003 19:15:55 -0500
Source: cron
Binary: cron
Architecture: source i386
Version: 3.0pl1-80
Distribution: unstable
Urgency: low
Maintainer: Steve Greenland <stevegr@debian.org>
Changed-By: Steve Greenland <stevegr@debian.org>
Description:
cron - management of regular background processing
Closes: 210467 211117 211245
Changes:
cron (3.0pl1-80) unstable; urgency=low
.
* Kill one last spurious syslog() (closes: #211117, #211245)
* Allow system crontabs to be symlinks (closes: #210467)
Files:
2138c9e4b441a2831b0d53addaf165c9 560 admin important cron_3.0pl1-80.dsc
16bb1b684cfa74b58f1816bb6fe009d7 42886 admin important cron_3.0pl1-80.diff.gz
a8b01c1a4e2b4b543f4f3d3b032b554b 56362 admin important cron_3.0pl1-80_i386.deb