Debian Bug report logs - #333837
cron.daily/standard tries to backup shadow and gshadow which fails on SELinux


Package: cron; Maintainer for cron is Javier Fernández-Sanguino Peña <jfs@debian.org>; Source for cron is src:cron.

Reported by: Erich Schubert <erich@debian.org>

Date: Thu, 13 Oct 2005 23:03:04 UTC

Severity: wishlist

Tags: help

Found in version cron/3.0pl1-91

Fixed in version 3.0pl1-117

Done: Javier Fernández-Sanguino Peña <jfs@computer.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Message #3 received at submit@bugs.debian.org:

From: Erich Schubert <erich@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cron.daily/standard tries to backup shadow and gshadow which fails on SELinux
Date: Fri, 14 Oct 2005 00:51:30 +0200
Package: cron
Version: 3.0pl1-91
Severity: normal

Cron tries to backup shadow and gshadow, but cron doesn't have read
access to these files. On SELinux, this backup should be handled by a
special task (with special permissions), so cron.daily/standard should
not backup these files on an SELinux enabled system.

Example code fragment to test for SELinux:
if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled;
then
	# run only if SELinux enabled (sh needs a command here; ':' is the no-op)
	:
fi

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.13-rc4
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8)

Versions of packages cron depends on:
ii  adduser                       3.67.2     Add and remove users and groups
ii  debianutils                   2.14.3     Miscellaneous utilities specific t
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libpam0g                      0.79-3     Pluggable Authentication Modules l
ii  libselinux1                   1.26-1     SELinux shared libraries

Versions of packages cron recommends:
ii  postfix [mail-transport-agen 2.2.4-1.0.1 A high-performance mail transport 

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.

Message #8 received at 333837@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Erich Schubert <erich@debian.org>, 333837@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#333837: cron.daily/standard tries to backup shadow and gshadow which fails on SELinux
Date: Fri, 14 Oct 2005 09:00:10 +0200
severity 333837 wishlist
thanks

On Fri, Oct 14, 2005 at 12:51:30AM +0200, Erich Schubert wrote:
> Package: cron
> Version: 3.0pl1-91
> Severity: normal
> 
> Cron tries to backup shadow and gshadow, but cron doesn't have read
> access to these files. On SELinux, this backup should be handled by a
> special task (with special permissions), so cron.daily/standard should
> not backup these files on an SELinux enabled system.

Errr.. The cron.daily/standard tasks are run by root, as root runs cron. If
you don't want those tasks in your SELinux system then disable them; it's
that simple.

I'm not going to add this:

> Example code fragment to test for SELinux:
> if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled;
> then
> 	# run only if SELinux enabled
> fi

Because people with SELinux that have granted root access (and the cron
process) to those files (i.e. have a proper SELinux policy in place) will
disable the tasks even though they would execute fine.

What I *might* add is a check in the tasks so that it will only try to copy
the shadow/gshadow files if they are readable, i.e., change:

        if [ -f /etc/shadow ] ; then

to
        if [ -f /etc/shadow ] && [ -r /etc/shadow ] ; then

Regards

Javier


Severity set to `wishlist'. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.

Message #15 received at 333837@bugs.debian.org:

From: Erich Schubert <erich@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: russell@coker.com.au, Manoj Srivastava <srivasta@debian.org>, 333837@bugs.debian.org
Subject: Re: Bug#333837: cron.daily/standard tries to backup shadow and gshadow which fails on SELinux
Date: Fri, 14 Oct 2005 13:13:20 +0200
Hi Javier, Hello Manoj, Russell,
[... /etc/cron.daily/standard trying to backup shadow,gshadow which
doesn't work on SELinux due to permissions ...]
> Because people with SElinux that have granted root access (and to the cron
> process) to those files (i.e. have a proper SElinux policy in place) will
> disable the tasks even though they would execute fine.

People doing so are bypassing some important part of the security system
IMHO.
The proper SELinux-solution would be to move the backup parts into a
separate script, and assign a special role to that one.

I added manoj and rjc to the CC list, since their opinion about this is
probably "most authoritative", being the SELinux experts at Debian.

But you're welcome to clone this bug to selinux-policy-default so that it
makes this backup work. Until then I'd suggest using my approach to
remove one pitfall for people who want to try SELinux...

You can't transition security roles within a script, and the "can read
shadow" permission is probably a bit too much for /etc/cron.daily/standard,
which is to be considered a configuration file, not an application.

> What I *might* add is a check in the tasks so that it will only try to copy
> the shadow/gshadow files if they are readable, i.e., change:

I'm not sure if you are even allowed to getattr the file.
Even then this will only test for traditional unix permissions, and
since the cronjob runs as root it would expect it can read the file.

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
    Go away or i'll replace you with a very small shell script.     //\
    The beginning of all knowledge is wonder. --- Aristotle          V_/_
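The `-r` check Javier proposes, and Erich's objection that it only tests traditional Unix permissions that root always passes, point at a more robust pattern: attempt the read and act on its result. The script below is an added example written for this page, not code from the cron package or from either participant; the `backup_if_readable` and `run_backups` names and the `BACKUP_DIR` variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the cron package's own standard.daily: back up a
# sensitive file only if the copy actually succeeds, instead of trusting
# "[ -r file ]". Under SELinux a root process passes the DAC test (-r)
# and can still be denied read, or even getattr, by policy; the reliable
# check is to attempt the read and look at the exit status.
# Assumes POSIX sh with cp, mv, rm and mktemp available.

# backup_if_readable SRC DEST
#   0: DEST now holds a copy of SRC
#   1: SRC exists but could not be read (skipped; e.g. a policy denial)
#   2: SRC is absent, or stat() on it was denied (indistinguishable here)
backup_if_readable() {
    src=$1
    dest=$2
    [ -f "$src" ] 2>/dev/null || return 2
    # Create the target with restrictive permissions before any data lands in it.
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$dest.XXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    # The real test: try to read. A policy denial makes cp fail here
    # regardless of what -r reported.
    if cp -p "$src" "$tmp" 2>/dev/null; then
        mv -f "$tmp" "$dest" && return 0
    fi
    rm -f "$tmp"
    return 1
}

# What a daily task would do for the shadow files (BACKUP_DIR is this
# example's assumption). A skipped copy is reported, not treated as an error.
run_backups() {
    dir=${BACKUP_DIR:-/var/backups}
    for f in shadow gshadow; do
        backup_if_readable "/etc/$f" "$dir/$f.bak"
        case $? in
            0) echo "backed up /etc/$f" ;;
            1) echo "skipped /etc/$f: not readable (policy denial?)" ;;
            2) echo "skipped /etc/$f: absent or stat denied" ;;
        esac
    done
}

# Run the backups only when invoked as "sh backup-shadow.sh run".
if [ "${1-}" = run ]; then
    run_backups
fi
```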




Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.

Message #20 received at 333837@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Erich Schubert <erich@debian.org>, 333837@bugs.debian.org
Cc: russell@coker.com.au, Manoj Srivastava <srivasta@debian.org>
Subject: Re: Bug#333837: cron.daily/standard tries to backup shadow and gshadow which fails on SELinux
Date: Fri, 14 Oct 2005 15:45:02 +0200
On Fri, Oct 14, 2005 at 01:13:20PM +0200, Erich Schubert wrote:
> Hi Javier, Hello Manoj, Russel,
> [... /etc/cron.daily/standard trying to backup shadow,gshadow which
> doesn't
> work on SELinux due to permissions ...]
> > Because people with SElinux that have granted root access (and to the cron
> > process) to those files (i.e. have a proper SElinux policy in place) will
> > disable the tasks even though they would execute fine.
> 
> People doing so are bypassing some important part of the security system
> IMHO.
> The proper SELinux-solution would be to move the backup parts into a
> separate script, and assign a special role to that one.

BTW, that's what I intend to do in the short term, as I want to remove
the cron tasks from the package and provide a separate 'cron-standard'
package with the tasks. That way the cron package would not carry any task. I
will consider (when I do that) breaking up the standard daily task to
separate the backup and the lost+found stuff.

Regards

Javier

Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.

Message #25 received at 333837@bugs.debian.org:

From: Erich Schubert <erich@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 333837@bugs.debian.org, russell@coker.com.au, Manoj Srivastava <srivasta@debian.org>
Subject: Re: Bug#333837: cron.daily/standard tries to backup shadow and gshadow which fails on SELinux
Date: Fri, 14 Oct 2005 15:53:51 +0200
Hi,
> BTW, that's what I intend to do in the short term as I want to remove
> the cron tasks from the package and provide a, separate, 'cron-standard'
> package with the tasks. That way the cron package would not carry any task. I
> will consider (when I do that) breaking up the standard daily task to
> separate the backup and the lost+found stuff.

It's not so much about separating the backup and the lost+found stuff.
The latter might need special privileges, too, and these could be
joined.
I'm more unhappy with the nature of the program to backup shadow, passwd
and check for lost+found being in /etc instead of /usr/sbin or so.
IMHO it is more of a "coincidence" that you might want to run this
every day.
Maybe this should be a "backup-important-system-files" package instead.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
                 Friends are those who reach out for                 //\
                   your hand but touch your heart.                   V_/_
   The shortest connection between two people is a smile.




Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.

Message #30 received at 333837@bugs.debian.org:

From: Erich Schubert <erich@debian.org>
To: 333837@bugs.debian.org
Subject: cron, standard cronjobs and SELinux
Date: Wed, 13 Sep 2006 21:34:49 +0200
Hi,
Any plans on getting the cron package SELinux-compatible before the etch
release? SELinux is a pet release goal, you know...

What has happened to your plans of moving the standard cronjobs to a
different package, so we could provide an alternative package for that?
E.g. via "Depends: standard-cronjobs | system-cronjobs", which would
allow people to install "standard-selinux-cronjobs" instead.

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
          There are only 10 types of people in the world:           //\
          Those who understand binary and those who don't           V_/_
   Friends call themselves sincere; enemies are so: therefore one
     should use their criticism for self-knowledge, as
           a bitter medicine.  --- Arthur Schopenhauer




Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.

Message #35 received at 333837@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Erich Schubert <erich@debian.org>, 333837@bugs.debian.org
Subject: Re: Bug#333837: cron, standard cronjobs and SELinux
Date: Sun, 17 Sep 2006 22:36:32 +0200
On Wed, Sep 13, 2006 at 09:34:49PM +0200, Erich Schubert wrote:
> Hi,
> Any plans on getting the cron package SELinux-compatible before the etch
> release? SELinux is a pet release goal, you know...

Unfortunately, I have not had time to develop a conffile transition package
to move the cron tasks and, also, base is now supposed to be frozen. If
someone could develop and test the 'cron-jobs-standard' package transition
process it could certainly speed that up.

> What has happened to your plans of moving the standard cronjobs to a
> different package, so we could provide an alternative package for that?
> e.g. via "Depends: standard-cronjobs | system-cronjobs"
> that would allow people to install "standard-selinux-cronjobs" instead.

They are still that, plans.  I proposed such a move a while back [1] but did
not get any comments on the available packages at people.debian.org. 

Sorry :(

Regards

Javier


[1] Message-ID: <20050309142043.GB16617@dat.etsit.upm.es>


Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#333837; Package cron.

Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.

Message #40 received at 333837@bugs.debian.org:

From: Erich Schubert <erich@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 333837@bugs.debian.org, selinux-devel@lists.alioth.debian.org
Subject: Re: Bug#333837: cron, standard cronjobs and SELinux
Date: Mon, 18 Sep 2006 00:57:54 +0200
Hello Javier,
I don't really know how to do a conffile transition properly.
And I'm cutting back my SELinux work a lot.

> Unfortunately, I have not had time to develop a conffile transition package
> to move the cron tasks and, also, base is now supposed to be frozen. If

That base is frozen is definitely bad for us... I'd hope we could still
get it in somehow, because the cron jobs are somewhat of a problem with
SELinux.

> someone could develop and test the 'cron-jobs-standard' package transition
> process it could certainly speed that up.

I'll see if I can test them at least.

> They are still that, plans.  I proposed such a move a while back [1] but did
> not get any comments on the available packages at people.debian.org. 

Many DDs don't read debian-devel@l.d.o;
you should have used planet, I guess...

> [1] Message-ID: <20050309142043.GB16617@dat.etsit.upm.es>

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
 Nothing prevents happiness like the memory of happiness. --- A. Gide //\
   Whoever no longer spends time with real friends will soon lose      V_/_
           their balance. --- Michael Levine




Tags added: help. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. (Tue, 12 Feb 2008 01:18:03 GMT)

Reply sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
You have taken responsibility. (Tue, 03 Jul 2012 17:30:03 GMT)

Notification sent to Erich Schubert <erich@debian.org>:
Bug acknowledged by developer. (Tue, 03 Jul 2012 17:30:03 GMT)

Message #47 received at 333837-close@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 333837-close@bugs.debian.org
Subject: Fixed in version 3.0pl1-117
Date: Tue, 3 Jul 2012 19:26:45 +0200
Version: 3.0pl1-117

This bug was fixed in version 3.0pl1-117 of the cron package. The backup of
the passwords was moved over to a different package. From the changelog:

  * debian/standard.daily:
    - Backup of /etc/{passwd,group} is no longer performed by cron; the task
      was handed over to src:shadow (see #554170). In Squeeze, this task will
      be performed redundantly by both packages (as discussed on
      debian-release)


Regards

Javier


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Aug 2012 07:28:37 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:43:58 2014; Machine Name: beach.debian.org
