Debian Bug report logs - #210838
Fix to #18333 (?) locks users out of their crontabs


Package: cron; Maintainer for cron is Javier Fernández-Sanguino Peña <jfs@debian.org>; Source for cron is src:cron.

Reported by: Fabio Massimo Di Nitto <fabbione@fabbione.net>

Date: Sun, 14 Sep 2003 04:03:01 UTC

Severity: serious

Found in versions 3.0pl1-77, 3.0pl1-80

Fixed in versions cron/3.0pl1-78, cron/3.0pl1-81

Done: Steve Greenland <stevegr@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Steve Greenland <stevegr@debian.org>:
Bug#210838; Package cron.


Acknowledgement sent to Kenneth Pronovici <pronovic@debian.org>:
New Bug report received and forwarded. Copy sent to Steve Greenland <stevegr@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Kenneth Pronovici <pronovic@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Fix to #18333 (?) locks users out of their crontabs
Date: Sat, 13 Sep 2003 22:48:53 -0500
Package: cron
Version: 3.0pl1-77
Severity: serious

Apologies if this is a duplicate.  I've looked through all of the bugs
listed in the BTS, and it doesn't seem to be there.  I just can't
believe I'm the first person to see this...

It looks like the fix to #18333 (the setgid change) has locked my users
out of their crontabs.   I knew the change was coming, but I wasn't
expecting this to happen.

Immediately after I upgraded, my users started seeing:

   agamemnon:/home/pronovic> crontab -l
   crontabs/pronovic: Permission denied

I can fix the problem by either making /usr/bin/crontab setuid root
again:

    agamemnon:/root# ls -l /usr/bin/crontab
    -rwxr-sr-x    1 root     crontab     26872 2003-09-06 18:57 /usr/bin/crontab*

   agamemnon:/root# chown root:root /usr/bin/crontab

   agamemnon:/root# chmod 4755 /usr/bin/crontab

or by changing the crontab to be owned by the specific user (which does
seem like the "correct" fix):

   agamemnon:/root# ls -l /var/spool/cron/crontabs/
   total 4
   -rw-------    1 root     crontab      1300 Sep  8 20:13 pronovic

   agamemnon:/root# chown pronovic:crontab /var/spool/cron/crontabs/pronovic

I'll note that I was surprised to see the crontab file owned
root:crontab, since on my stable box, it's owned root:users (users is
the primary group for the pronovic user).  I assume that the group
changed from users to crontab during the upgrade, but I would have
expected the owner to change from root to pronovic at the same time.

Users who try to add a completely new crontab see a similar problem:

   bogus@agamemnon:/$ crontab -e
   no crontab for bogus - using an empty one
   crontab: installing new crontab
   crontabs/tmp.p7sApJ: Permission denied
   crontab: edits left in /tmp/crontab.M0mR3x/crontab

   bogus@agamemnon:/$ ls -l /tmp/crontab.M0mR3x/crontab
   -rw-------    1 bogus   crontab         6 Sep 13 22:30 /tmp/crontab.M0mR3x/crontab

Note that the temporary file *is* owned sensibly.  The problem is that
the file can't be written to the crontabs directory.  So, I can fix this
by changing permissions on the crontabs directory:

   agamemnon:/root# ls -l /var/spool/cron
   total 4
   drwxr-xr-x    2 root     crontab      4096 Sep  8 20:13 crontabs/

   agamemnon:/root# chmod 2775 /var/spool/cron/crontabs

Let me know if there's any other information I can get you.

Thanks,

KEN

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux agamemnon 2.4.18 #1 Sun Aug 17 17:40:33 CDT 2003 i686
Locale: LANG=en, LC_CTYPE=en_US (ignored: LC_ALL set to en_US)

Versions of packages cron depends on:
ii  adduser                       3.51       Add and remove users and groups
ii  debianutils                   2.5.5      Miscellaneous utilities specific t
ii  libc6                         2.3.2-7    GNU C Library: Shared libraries an
ii  libpam0g                      0.76-14    Pluggable Authentication Modules l

-- debconf information:
* cron/checksecurity: 

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Greenland <stevegr@debian.org>:
Bug#210838; Package cron.


Acknowledgement sent to Steve Greenland <steveg@moregruel.net>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.


Message #10 received at 210838@bugs.debian.org:

From: Steve Greenland <steveg@moregruel.net>
To: Kenneth Pronovici <pronovic@debian.org>, 210838@bugs.debian.org
Subject: Re: Bug#210838: Fix to #18333 (?) locks users out of their crontabs
Date: Sun, 14 Sep 2003 11:45:23 -0500
On 13-Sep-03, 22:48 (CDT), Kenneth Pronovici <pronovic@debian.org> wrote: 
> It looks like the fix to #18333 (the setgid change) has locked my users
> out of their crontabs.   I knew the change was coming, but I wasn't
> expecting this to happen.

Neither was I -- I didn't get my system back to the "pre-setgid" state
when I tested it. Sorry. For some reason, I got it in my head that the
old ones already had the userid set.

> or by changing the crontab to be owned by the specific user (which does
> seem like the "correct" fix):

Right. This is what it should be.

> I'll note that I was surprised to see the crontab file owned
> root:crontab, since on my stable box, it's owned root:users (users is
> the primary group for the pronovic user).  I assume that the group
> changed from users to crontab during the upgrade, but I would have
> expected the owner to change from root to pronovic at the same time.

It should have. In fact, if you'd gone through -75 and/or -76, they
would have, which is why more people haven't hit this.

> Users who try to add a completely new crontab see a similar problem:

Okay, that's new and unexpected.

> Note that the temporary file *is* owned sensibly.  The problem is that
> the file can't be written to the crontabs directory.  So, I can fix this
> by changing permissions on the crontabs directory:
> 
>    agamemnon:/root# ls -l /var/spool/cron
>    total 4
>    drwxr-xr-x    2 root     crontab      4096 Sep  8 20:13 crontabs/

That's wrong. It should be (with the setgid crontab) 

drwx-wx--T     2 root     crontab      4096 Sep  9 08:37 crontabs/

aka 'chmod 1730 crontabs'. The difference from '2775' is mostly about not
leaking info about other people's crontabs.

> Let me know if there's any other information I can get you.

Nope, excellent bug report - I wish all I got were so complete. I'll
get a fixed cron package out today. In the meantime, assuming all your
usernames have no spaces or other funny characters, doing this command
as root in /var/spool/cron/crontabs should fix it (assuming you haven't
already):

	for u in * ; do chown $u $u; done


Steve


-- 
Steve Greenland
    The irony is that Bill Gates claims to be making a stable operating
    system and Linus Torvalds claims to be trying to take over the
    world.       -- seen on the net



Reply sent to Steve Greenland <stevegr@debian.org>:
You have taken responsibility.


Notification sent to Kenneth Pronovici <pronovic@debian.org>:
Bug acknowledged by developer.


Message #15 received at 210838-close@bugs.debian.org:

From: Steve Greenland <stevegr@debian.org>
To: 210838-close@bugs.debian.org
Subject: Bug#210838: fixed in cron 3.0pl1-78
Date: Sun, 14 Sep 2003 18:17:20 -0400
Source: cron
Source-Version: 3.0pl1-78

We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive:

cron_3.0pl1-78.diff.gz
  to pool/main/c/cron/cron_3.0pl1-78.diff.gz
cron_3.0pl1-78.dsc
  to pool/main/c/cron/cron_3.0pl1-78.dsc
cron_3.0pl1-78_i386.deb
  to pool/main/c/cron/cron_3.0pl1-78_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 210838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Greenland <stevegr@debian.org> (supplier of updated cron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 14 Sep 2003 16:53:36 -0500
Source: cron
Binary: cron
Architecture: source i386
Version: 3.0pl1-78
Distribution: unstable
Urgency: low
Maintainer: Steve Greenland <stevegr@debian.org>
Changed-By: Steve Greenland <stevegr@debian.org>
Description: 
 cron       - management of regular background processing
Closes: 108492 203737 210838
Changes: 
 cron (3.0pl1-78) unstable; urgency=low
 .
   * Okay, I think the owner/group fixup in for setgid crontabs is finally
     as right as it's going to be. It will work for usernames with spaces,
     and if the user doesn't exist (e.g. old crontab for a deleted user),
     it will print an error message but not exit, which I think is okay. If
     you have a username with a newline in it, then you deserve to lose,
     and you will (closes: #210838).
   * Allow cron to run in foreground. Possibly useful for running it under
     monitoring tools like runit, monit, daemontools, etc. Thanks to Erich
     Schubert for the patch (closes: #108492)
   * Use the PAM environment settings, if so configured. (closes: #203737)
Files: 
 da19789f900370d5c00685bf39c04026 560 admin important cron_3.0pl1-78.dsc
 9060f6af14f421ca21ccb939476e5df9 42439 admin important cron_3.0pl1-78.diff.gz
 91c2d96c1fa3430639cfdf60494f7464 55722 admin important cron_3.0pl1-78_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/ZORpdiZsUPux21MRAmqxAJ9y0H+sMf/I3DXnCEIKzExoc1AbTgCfY88N
ajCHYye9LUYNwxC/UvR8MUg=
=p2RN
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Greenland <stevegr@debian.org>:
Bug#210838; Package cron.


Acknowledgement sent to Fabio Massimo Di Nitto <fabbione@fabbione.net>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.


Message #20 received at 210838@bugs.debian.org:

From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
To: control@bugs.debian.org
Cc: 210838@bugs.debian.org
Subject: still problems
Date: Sat, 20 Sep 2003 08:51:25 +0200 (CEST)
reopen 210838 !
stop
quit
thanks

Hi Steve,
	the bug is still there with -80 (upgrading from -77). It seems
that the incriminated lines are in cron.postinst:

# Fixup crontab binary, directory and files for new group 'crontab'.

if dpkg --compare-versions "$2" lt "3.0pl1-79" ; then
    if ! dpkg-statoverride --list /usr/bin/crontab > /dev/null ; then

one of these 2 checks for some reason fails and it doesn't execute the
rest of the script to fix permissions and so on. Executing them by hand
made crontab -e work again (as user of course).

Thanks a lot
Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html



Bug reopened, originator set to Fabio Massimo Di Nitto <fabbione@fabbione.net>. Request was from Fabio Massimo Di Nitto <fabbione@fabbione.net> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@acm.org>, Steve Greenland <stevegr@debian.org>:
Bug#210838; Package cron.


Acknowledgement sent to Manoj Srivastava <srivasta@golden-gryphon.com>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@acm.org>, Steve Greenland <stevegr@debian.org>.


Message #27 received at 210838@bugs.debian.org:

From: Manoj Srivastava <srivasta@golden-gryphon.com>
To: 210838@bugs.debian.org
Subject: cron: additional information: crontab problems
Date: Sat, 20 Sep 2003 12:13:11 -0500
Package: cron
Version: 3.0pl1-80

__> crontab ~/etc/crontab
crontabs/tmp.Odp0u4: Permission denied
__> crontab -l
crontabs/srivasta: Permission denied
__> ls -als /usr/bin/crontab 
  28 -rwxr-xr-x    1 root     root        26872 Sep 17 19:18 /usr/bin/crontab
__> ls -als /var/spool/cron/
total 20
   4 drwxr-xr-x    5 root     root         4096 Mar  6  2003 .
   4 drwxr-xr-x   19 root     root         4096 Sep 19 14:35 ..
   4 drwx------    2 daemon   daemon       4096 Mar  6  2003 atjobs
   4 drwx------    2 daemon   daemon       4096 Jan 18  2002 atspool
   4 drwx-wx--T    2 root     crontab      4096 May 27 15:31 crontabs

__> dpkg-statoverride --list /usr/bin/crontab
__> echo $?
1

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux glaurung 2.4.22-dm #1 SMP Fri Sep 19 23:58:22 CDT 2003 i686
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to C)

Versions of packages cron depends on:
ii  adduser                       3.51       Add and remove users and groups
ii  debianutils                   2.5.5      Miscellaneous utilities specific t
ii  libc6                         2.3.2-7    GNU C Library: Shared libraries an
ii  libpam0g                      0.76-14    Pluggable Authentication Modules l

-- 
It is either through the influence of narcotic potions, of which all
primitive peoples and races speak in hymns, or through the powerful
approach of spring, penetrating with joy all of nature, that those
Dionysian stirrings arise, which in their intensification lead the
individual to forget himself completely. . . .Not only does the bond
between man and man come to be forged once again by the magic of the
Dionysian rite, but alienated, hostile, or subjugated nature again
celebrates her reconciliation with her prodigal son, man. Fred
Nietzsche, The Birth of Tragedy
Manoj Srivastava     <srivasta@acm.org>    <http://www.golden-gryphon.com/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C



Information forwarded to debian-bugs-dist@lists.debian.org, Steve Greenland <stevegr@debian.org>:
Bug#210838; Package cron.


Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Greenland <stevegr@debian.org>.


Message #32 received at 210838@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: Steve Greenland <steveg@moregruel.net>
Cc: Kenneth Pronovici <pronovic@debian.org>, 210838@bugs.debian.org
Subject: Re: Bug#210838: Fix to #18333 (?) locks users out of their crontabs
Date: Sun, 21 Sep 2003 11:08:39 -0400
This one time, at band camp, Steve Greenland said:
> On 13-Sep-03, 22:48 (CDT), Kenneth Pronovici <pronovic@debian.org> wrote: 
> > Note that the temporary file *is* owned sensibly.  The problem is that
> > the file can't be written to the crontabs directory.  So, I can fix this
> > by changing permissions on the crontabs directory:
> > 
> >    agamemnon:/root# ls -l /var/spool/cron
> >    total 4
> >    drwxr-xr-x    2 root     crontab      4096 Sep  8 20:13 crontabs/
> 
> That's wrong. It should be (with the setgid crontab) 
> 
> drwx-wx--T     2 root     crontab      4096 Sep  9 08:37 crontabs/
> 
> > aka 'chmod 1730 crontabs'. The difference from '2775' is mostly about not
> > leaking info about other people's crontabs.

No, that's not right, at least not here:
steve:~$ ls -l /var/spool/cron/
total 12
drwx------    2 daemon   daemon       4096 2003-05-30 18:53 atjobs
drwx------    2 daemon   daemon       4096 2003-05-30 18:53 atspool
drwx-wx--T    2 root     crontab      4096 2003-09-03 08:03 crontabs
steve:~$ crontab -l
crontabs/steve: Permission denied
steve:~$ ls -l /usr/sbin/cron
-rwxr-xr-x    1 root     root        27480 2003-09-17 20:18 /usr/sbin/cron
steve:~$ ls -l /usr/bin/crontab
-rwxr-xr-x    1 root     root        26872 2003-09-17 20:18 /usr/bin/crontab
steve:~$ /usr/sbin/dpkg-statoverride --list /usr/bin/crontab
steve:~$ echo $?
1
steve:~$

cron isn't being installed setgid, and I haven't done anything to change
that, so it all falls apart.  Fortunately, this isn't a box with many
important cronjobs on it :)  It looks like the postinst didn't make the
changes it should have, perhaps because I upgrade pretty regularly.
Making the changes manually works fine, though.

HTH,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------

Reply sent to Steve Greenland <stevegr@debian.org>:
You have taken responsibility.


Notification sent to Fabio Massimo Di Nitto <fabbione@fabbione.net>:
Bug acknowledged by developer.


Message #37 received at 210838-close@bugs.debian.org:

From: Steve Greenland <stevegr@debian.org>
To: 210838-close@bugs.debian.org
Subject: Bug#210838: fixed in cron 3.0pl1-81
Date: Sun, 21 Sep 2003 18:02:12 -0400
Source: cron
Source-Version: 3.0pl1-81

We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive:

cron_3.0pl1-81.diff.gz
  to pool/main/c/cron/cron_3.0pl1-81.diff.gz
cron_3.0pl1-81.dsc
  to pool/main/c/cron/cron_3.0pl1-81.dsc
cron_3.0pl1-81_i386.deb
  to pool/main/c/cron/cron_3.0pl1-81_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 210838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Greenland <stevegr@debian.org> (supplier of updated cron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 21 Sep 2003 16:37:16 -0500
Source: cron
Binary: cron
Architecture: source i386
Version: 3.0pl1-81
Distribution: unstable
Urgency: low
Maintainer: Steve Greenland <stevegr@debian.org>
Changed-By: Steve Greenland <stevegr@debian.org>
Description: 
 cron       - management of regular background processing
Closes: 210838 211849
Changes: 
 cron (3.0pl1-81) unstable; urgency=low
 .
   * Only protect owner/group setting on individual user crontabs by
     version, the setgid setting of /usr/bin/crontab needs to happen every
     time (unless the admin has set something with
     dpkg-statoverride. (closes: #210838)
   * Change cron init script so that '/etc/init.d/cron {stop,restart}' only
     kill off the parent daemon, not currently running cron jobs. Much
     thanks to Dean Gaudet for the patch. (closes: #211849)
Files: 
 b62b8c1da0a3f5254c662b0dedc108bb 560 admin important cron_3.0pl1-81.dsc
 b92fcb084053b811ff2d4396915c7571 42940 admin important cron_3.0pl1-81.diff.gz
 db02d20f72c5a24cf4e639ed084cdd17 56556 admin important cron_3.0pl1-81_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/bh05diZsUPux21MRAlVeAJ9/upPhkLQ80SCEiWttiFpKwpwoGACdHPvJ
s9EcVPNb1tbAEXBGh68cHG0=
=0UrS
-----END PGP SIGNATURE-----
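
The end state this thread converges on (a setgid /usr/bin/crontab, a 1730 spool directory, and each crontab file owned by the user it is named after) can be checked with a small audit script. This is an added example, not code from the cron package or its postinst; the function names, the `--run` switch and the `CRONTAB_BIN`, `SPOOL_DIR` and `CRON_GROUP` variables are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit the ownership/mode state this thread says a setgid
# crontab needs. Paths default to the ones quoted in the thread.
CRONTAB_BIN=${CRONTAB_BIN:-/usr/bin/crontab}
SPOOL_DIR=${SPOOL_DIR:-/var/spool/cron/crontabs}
CRON_GROUP=${CRON_GROUP:-crontab}

# check_path PATH MODE OWNER GROUP
# Prints one line and returns 1 when PATH is missing or differs.
check_path() {
    path=$1
    want="$2 $3 $4"
    if ! got=$(stat -c '%a %U %G' -- "$path" 2>/dev/null); then
        echo "MISSING $path"
        return 1
    fi
    [ "$got" = "$want" ] && return 0
    echo "BAD $path: have [$got], want [$want]"
    return 1
}

audit_cron_perms() {
    rc=0
    # An admin override registered with dpkg-statoverride wins over the
    # packaged mode, so only judge the binary when none is listed.
    if command -v dpkg-statoverride >/dev/null 2>&1 &&
       dpkg-statoverride --list "$CRONTAB_BIN" >/dev/null 2>&1; then
        echo "SKIP $CRONTAB_BIN: dpkg-statoverride entry present"
    else
        # -rwxr-sr-x root crontab
        check_path "$CRONTAB_BIN" 2755 root "$CRON_GROUP" || rc=1
    fi
    # drwx-wx--T root crontab: the group may create entries, nobody may list
    check_path "$SPOOL_DIR" 1730 root "$CRON_GROUP" || rc=1
    # -rw------- <user> crontab: each file is named after its owner
    for f in "$SPOOL_DIR"/*; do
        [ -e "$f" ] || continue
        check_path "$f" 600 "${f##*/}" "$CRON_GROUP" || rc=1
    done
    return "$rc"
}

# Run as root (the spool directory is unreadable otherwise): sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_cron_perms
fi
```

A non-zero exit with a `BAD /usr/bin/crontab` line corresponds to the -80 reports above, where the binary was left `-rwxr-xr-x root root`.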





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 08:48:43 2018; Machine Name: beach
