locate cron script doesn't believe I'm root.
Describe the bug
Trying to locate a specific file results in the following interaction:
root@fwleb02:~ # locate blacklistd
locate: the locate database '/var/db/locate.database' is smaller than 256 bytes large.
To create a new database, please run the following command as root:
/etc/periodic/weekly/310.locate
root@fwleb02:~ # /etc/periodic/weekly/310.locate
Rebuilding locate database:
Must be root.
root@fwleb02:~ # whoami
root
I hope you can reproduce the issue.
Can you output this?
# sh -x /etc/periodic/weekly/310.locate
Cheers, Franco
Most certainly:
root@fwleb02:~ # sh -x /etc/periodic/weekly/310.locate
+ [ -r /etc/defaults/periodic.conf ]
+ . /etc/defaults/periodic.conf
+ periodic_conf_files='/etc/periodic.conf /etc/periodic.conf.local /etc/periodic.conf'
+ local_periodic=/etc/periodic
+ anticongestion_sleeptime=3600
+ daily_diff_flags='-b -U 0'
+ daily_output=root
+ daily_show_success=YES
+ daily_show_info=YES
+ daily_show_badconfig=NO
+ daily_clean_disks_enable=NO
+ daily_clean_disks_files='[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*'
+ daily_clean_disks_days=3
+ daily_clean_disks_verbose=YES
+ daily_clean_tmps_enable=NO
+ daily_clean_tmps_dirs=/tmp
+ daily_clean_tmps_days=3
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap .sujournal'
+ daily_clean_tmps_verbose=YES
+ daily_clean_preserve_enable=YES
+ daily_clean_preserve_days=7
+ daily_clean_preserve_verbose=YES
+ daily_clean_msgs_enable=YES
+ daily_clean_msgs_days=''
+ daily_clean_rwho_enable=YES
+ daily_clean_rwho_days=7
+ daily_clean_rwho_verbose=YES
+ daily_clean_hoststat_enable=YES
+ daily_backup_passwd_enable=YES
+ daily_backup_aliases_enable=YES
+ sysctl -n security.jail.jailed
+ [ 0 '=' 0 ]
+ daily_backup_gpart_enable=YES
+ daily_backup_gpart_verbose=NO
+ daily_backup_efi_enable=NO
+ daily_backup_gmirror_enable=NO
+ daily_backup_gmirror_verbose=NO
+ daily_backup_zfs_enable=NO
+ daily_backup_zfs_props_enable=NO
+ daily_backup_zfs_get_flags=all
+ daily_backup_zfs_list_flags=''
+ daily_backup_zpool_get_flags=all
+ daily_backup_zpool_list_flags=-v
+ daily_backup_zfs_verbose=NO
+ daily_calendar_enable=NO
+ daily_accounting_enable=YES
+ daily_accounting_compress=NO
+ daily_accounting_flags=-q
+ daily_accounting_save=3
+ daily_status_disks_enable=YES
+ daily_status_disks_df_flags='-l -h'
+ daily_status_graid_enable=NO
+ daily_status_zfs_enable=NO
+ daily_status_zfs_zpool_list_enable=YES
+ daily_status_gmirror_enable=NO
+ daily_status_graid3_enable=NO
+ daily_status_gstripe_enable=NO
+ daily_status_gconcat_enable=NO
+ daily_status_mfi_enable=NO
+ daily_status_network_enable=YES
+ daily_status_network_usedns=YES
+ daily_status_network_netstat_flags='-d -W'
+ daily_status_uptime_enable=YES
+ daily_status_mailq_enable=YES
+ daily_status_mailq_shorten=NO
+ daily_status_include_submit_mailq=YES
+ daily_status_security_enable=YES
+ daily_status_security_inline=NO
+ daily_status_security_output=root
+ daily_status_mail_rejects_enable=YES
+ daily_status_mail_rejects_logs=3
+ daily_status_mail_rejects_shorten=NO
+ daily_ntpd_leapfile_enable=YES
+ daily_status_ntpd_enable=NO
+ daily_queuerun_enable=YES
+ daily_submit_queuerun=YES
+ daily_status_world_kernel=YES
+ daily_scrub_zfs_enable=NO
+ daily_scrub_zfs_pools=''
+ daily_scrub_zfs_default_threshold=35
+ daily_trim_zfs_enable=NO
+ daily_trim_zfs_pools=''
+ daily_trim_zfs_flags=''
+ daily_local=/etc/daily.local
+ weekly_output=root
+ weekly_show_success=YES
+ weekly_show_info=YES
+ weekly_show_badconfig=NO
+ weekly_locate_enable=YES
+ weekly_whatis_enable=YES
+ weekly_noid_enable=NO
+ weekly_noid_dirs=/
+ weekly_status_security_enable=YES
+ weekly_status_security_inline=NO
+ weekly_status_security_output=root
+ weekly_local=/etc/weekly.local
+ monthly_output=root
+ monthly_show_success=YES
+ monthly_show_info=YES
+ monthly_show_badconfig=NO
+ monthly_accounting_enable=YES
+ monthly_status_security_enable=YES
+ monthly_status_security_inline=NO
+ monthly_status_security_output=root
+ monthly_local=/etc/monthly.local
+ security_show_success=YES
+ security_show_info=YES
+ security_show_badconfig=NO
+ security_status_logdir=/var/log
+ security_status_diff_flags='-b -U 0'
+ security_status_chksetuid_enable=YES
+ security_status_chksetuid_period=daily
+ security_status_neggrpperm_enable=YES
+ security_status_neggrpperm_period=daily
+ security_status_chkmounts_enable=YES
+ security_status_chkmounts_period=daily
+ security_status_noamd=NO
+ security_status_chkuid0_enable=YES
+ security_status_chkuid0_period=daily
+ security_status_passwdless_enable=YES
+ security_status_passwdless_period=daily
+ security_status_logincheck_enable=YES
+ security_status_logincheck_period=daily
+ security_status_ipfwdenied_enable=YES
+ security_status_ipfwdenied_period=daily
+ security_status_ipfdenied_enable=YES
+ security_status_ipfdenied_period=daily
+ security_status_pfdenied_enable=YES
+ security_status_pfdenied_period=daily
+ security_status_pfdenied_additionalanchors=''
+ security_status_ipfwlimit_enable=YES
+ security_status_ipfwlimit_period=daily
+ security_status_ipf6denied_enable=YES
+ security_status_ipf6denied_period=daily
+ security_status_kernelmsg_enable=YES
+ security_status_kernelmsg_period=daily
+ security_status_loginfail_enable=YES
+ security_status_loginfail_period=daily
+ security_status_tcpwrap_enable=YES
+ security_status_tcpwrap_period=daily
+ [ -z '' ]
+ source_periodic_confs_defined=yes
+ source_periodic_confs
+ local i sourced_files
+ sourced_files=:/etc/periodic.conf:
+ [ -r /etc/periodic.conf ]
+ sourced_files=:/etc/periodic.conf::/etc/periodic.conf.local:
+ [ -r /etc/periodic.conf.local ]
+ echo ''
+ echo 'Rebuilding locate database:'
Rebuilding locate database:
+ . /etc/locate.rc
+ : /var/db/locate.database
+ locdb=/var/db/locate.database
+ touch /var/db/locate.database
+ rc=0
+ chown nobody /var/db/locate.database
+ chmod 644 /var/db/locate.database
+ cd /
+ echo /usr/libexec/locate.updatedb
+ nice -n 5 su -fm nobody
Must be root.
+ rc=3
+ chmod 444 /var/db/locate.database
+ exit 3
If I had to guess it's hitting here:
https://github.com/opnsense/core/blob/10aa7878cf5e49c2125d8752c20ca6dea048c1de/src/sbin/opnsense-shell#L48-L53
But to be frank piping to su(1) doesn't seem very elegant to me:
https://github.com/opnsense/src/blob/a91e2fb9781e118d20ed07cb11c96641d56a196d/usr.sbin/periodic/etc/weekly/310.locate#L27
How does a shell expect to know it's supposed to execute a command from stdin? This doesn't appear to be documented in su(1) either, but it's also not new scripting.
The bigger issue here is that the root shell is set to "opnsense-shell" I believe, but we actually want that.
Cheers, Franco
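Added example, not code from this thread, OPNsense or FreeBSD: a POSIX `sh` started without operands reads its commands from standard input, which is what the piped form in 310.locate relies on. `fake_login_shell` is a constructed stand-in for a login shell that ignores stdin; its behaviour is an assumption for illustration, not a copy of opnsense-shell.

```shell
#!/bin/sh
# Constructed stand-in for a menu-style login shell (hypothetical behaviour):
# it runs "-c CMD" through sh, and refuses anything else without reading stdin.
fake_login_shell() {
    if [ "$1" = "-c" ]; then
        sh -c "$2"
        return $?
    fi
    echo "Must be root." >&2
    return 1
}

# Form used by 310.locate: the command arrives on the shell's stdin.
# $1 = shell to start, $2 = command text
run_via_stdin() {
    echo "$2" | "$1" 2>/dev/null
}

# Form used in the proposed diff: the command arrives as an argument to -c.
run_via_c() {
    "$1" -c "$2" 2>/dev/null
}

# Print which combinations actually execute the command.
report() {
    for shell in sh fake_login_shell; do
        for mode in run_via_stdin run_via_c; do
            if out=$("$mode" "$shell" 'echo indexed'); then
                echo "$mode $shell: ran ($out)"
            else
                echo "$mode $shell: refused"
            fi
        done
    done
}

report
```

Only the stdin form depends on the started shell being a command interpreter that reads standard input, so it is the one that breaks when the login shell is replaced.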
Ok I think this executes a root shell but then wants it to run with user "nobody". This is quite inconvenient. :)
I just tried running the script with this diff applied:
root@fwleb02:~ # diff -u /etc/periodic/weekly/310.locate 310.locate
--- /etc/periodic/weekly/310.locate 2024-08-07 18:11:22.000000000 +0200
+++ 310.locate 2024-08-12 21:02:09.924076000 +0200
@@ -24,7 +24,7 @@
chmod 644 $locdb || rc=3
cd /
- echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3
+ nice -n 5 su -fm nobody -c /usr/libexec/locate.updatedb || rc=3
chmod 444 $locdb || rc=3;;
*) rc=0;;
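Review bot: On the `+` line, nothing confirms that `/usr/libexec/locate.updatedb` still runs as `nobody` once it is passed with `-c`. With `-m`, su(1) starts the caller's login shell rather than `/bin/sh`, so the command is interpreted by whatever root's shell is and the outcome depends on how that shell handles `-c`. Before keeping this change, run `su -fm nobody -c id` from the same root session and check that it reports `nobody`, since the `chmod 644 $locdb` and `chmod 444 $locdb` lines around it assume the indexer is unprivileged.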
Now it works fine.
@hboetes - you have undone the upstream "security fix" which is done in order to not index and disclose top-secret files. Considering this totally pointless on environments such as OPNsense, use /usr/libexec/locate.updatedb directly, ignore its moaning about root and forget about the periodic script (which does not run periodically anyway since that is not desired on OPNsense either).
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=21535
Is that the reason for piping random commands to a shell hidden behind su to a user that doesn't maybe even have a shell? What is this?
It's been there for too long to trace the original commit, breaking various things on the way. Before 2000 for sure.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=17074