Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

locate cron script doesn't believe I'm root. #213

Open
2 tasks done
Stricken1670 opened this issue Aug 12, 2024 · 8 comments
Open
2 tasks done

locate cron script doesn't believe I'm root. #213

Stricken1670 opened this issue Aug 12, 2024 · 8 comments
Labels
upstream Third party issue

Comments

@Stricken1670
Copy link

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
Trying to locate a specific file results in the following interaction:

root@fwleb02:~ # locate blacklistd
locate: the locate database '/var/db/locate.database' is smaller than 256 bytes large.

To create a new database, please run the following command as root:

  /etc/periodic/weekly/310.locate

root@fwleb02:~ # /etc/periodic/weekly/310.locate

Rebuilding locate database:
Must be root.
root@fwleb02:~ # whoami
root

I hope you can reproduce the issue.

@fichtner fichtner transferred this issue from opnsense/core Aug 12, 2024
@fichtner fichtner added the upstream Third party issue label Aug 12, 2024
@fichtner
Copy link
Member

fichtner commented Aug 12, 2024

Can you output this?

# sh -x /etc/periodic/weekly/310.locate

Cheers,
Franco

@Stricken1670
Copy link
Author

Most certainly:

root@fwleb02:~ # sh -x /etc/periodic/weekly/310.locate
+ [ -r /etc/defaults/periodic.conf ]
+ . /etc/defaults/periodic.conf
+ periodic_conf_files='/etc/periodic.conf /etc/periodic.conf.local /etc/periodic.conf'
+ local_periodic=/etc/periodic
+ anticongestion_sleeptime=3600
+ daily_diff_flags='-b -U 0'
+ daily_output=root
+ daily_show_success=YES
+ daily_show_info=YES
+ daily_show_badconfig=NO
+ daily_clean_disks_enable=NO
+ daily_clean_disks_files='[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*'
+ daily_clean_disks_days=3
+ daily_clean_disks_verbose=YES
+ daily_clean_tmps_enable=NO
+ daily_clean_tmps_dirs=/tmp
+ daily_clean_tmps_days=3
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap .sujournal'
+ daily_clean_tmps_verbose=YES
+ daily_clean_preserve_enable=YES
+ daily_clean_preserve_days=7
+ daily_clean_preserve_verbose=YES
+ daily_clean_msgs_enable=YES
+ daily_clean_msgs_days=''
+ daily_clean_rwho_enable=YES
+ daily_clean_rwho_days=7
+ daily_clean_rwho_verbose=YES
+ daily_clean_hoststat_enable=YES
+ daily_backup_passwd_enable=YES
+ daily_backup_aliases_enable=YES
+ sysctl -n security.jail.jailed
+ [ 0 '=' 0 ]
+ daily_backup_gpart_enable=YES
+ daily_backup_gpart_verbose=NO
+ daily_backup_efi_enable=NO
+ daily_backup_gmirror_enable=NO
+ daily_backup_gmirror_verbose=NO
+ daily_backup_zfs_enable=NO
+ daily_backup_zfs_props_enable=NO
+ daily_backup_zfs_get_flags=all
+ daily_backup_zfs_list_flags=''
+ daily_backup_zpool_get_flags=all
+ daily_backup_zpool_list_flags=-v
+ daily_backup_zfs_verbose=NO
+ daily_calendar_enable=NO
+ daily_accounting_enable=YES
+ daily_accounting_compress=NO
+ daily_accounting_flags=-q
+ daily_accounting_save=3
+ daily_status_disks_enable=YES
+ daily_status_disks_df_flags='-l -h'
+ daily_status_graid_enable=NO
+ daily_status_zfs_enable=NO
+ daily_status_zfs_zpool_list_enable=YES
+ daily_status_gmirror_enable=NO
+ daily_status_graid3_enable=NO
+ daily_status_gstripe_enable=NO
+ daily_status_gconcat_enable=NO
+ daily_status_mfi_enable=NO
+ daily_status_network_enable=YES
+ daily_status_network_usedns=YES
+ daily_status_network_netstat_flags='-d -W'
+ daily_status_uptime_enable=YES
+ daily_status_mailq_enable=YES
+ daily_status_mailq_shorten=NO
+ daily_status_include_submit_mailq=YES
+ daily_status_security_enable=YES
+ daily_status_security_inline=NO
+ daily_status_security_output=root
+ daily_status_mail_rejects_enable=YES
+ daily_status_mail_rejects_logs=3
+ daily_status_mail_rejects_shorten=NO
+ daily_ntpd_leapfile_enable=YES
+ daily_status_ntpd_enable=NO
+ daily_queuerun_enable=YES
+ daily_submit_queuerun=YES
+ daily_status_world_kernel=YES
+ daily_scrub_zfs_enable=NO
+ daily_scrub_zfs_pools=''
+ daily_scrub_zfs_default_threshold=35
+ daily_trim_zfs_enable=NO
+ daily_trim_zfs_pools=''
+ daily_trim_zfs_flags=''
+ daily_local=/etc/daily.local
+ weekly_output=root
+ weekly_show_success=YES
+ weekly_show_info=YES
+ weekly_show_badconfig=NO
+ weekly_locate_enable=YES
+ weekly_whatis_enable=YES
+ weekly_noid_enable=NO
+ weekly_noid_dirs=/
+ weekly_status_security_enable=YES
+ weekly_status_security_inline=NO
+ weekly_status_security_output=root
+ weekly_local=/etc/weekly.local
+ monthly_output=root
+ monthly_show_success=YES
+ monthly_show_info=YES
+ monthly_show_badconfig=NO
+ monthly_accounting_enable=YES
+ monthly_status_security_enable=YES
+ monthly_status_security_inline=NO
+ monthly_status_security_output=root
+ monthly_local=/etc/monthly.local
+ security_show_success=YES
+ security_show_info=YES
+ security_show_badconfig=NO
+ security_status_logdir=/var/log
+ security_status_diff_flags='-b -U 0'
+ security_status_chksetuid_enable=YES
+ security_status_chksetuid_period=daily
+ security_status_neggrpperm_enable=YES
+ security_status_neggrpperm_period=daily
+ security_status_chkmounts_enable=YES
+ security_status_chkmounts_period=daily
+ security_status_noamd=NO
+ security_status_chkuid0_enable=YES
+ security_status_chkuid0_period=daily
+ security_status_passwdless_enable=YES
+ security_status_passwdless_period=daily
+ security_status_logincheck_enable=YES
+ security_status_logincheck_period=daily
+ security_status_ipfwdenied_enable=YES
+ security_status_ipfwdenied_period=daily
+ security_status_ipfdenied_enable=YES
+ security_status_ipfdenied_period=daily
+ security_status_pfdenied_enable=YES
+ security_status_pfdenied_period=daily
+ security_status_pfdenied_additionalanchors=''
+ security_status_ipfwlimit_enable=YES
+ security_status_ipfwlimit_period=daily
+ security_status_ipf6denied_enable=YES
+ security_status_ipf6denied_period=daily
+ security_status_kernelmsg_enable=YES
+ security_status_kernelmsg_period=daily
+ security_status_loginfail_enable=YES
+ security_status_loginfail_period=daily
+ security_status_tcpwrap_enable=YES
+ security_status_tcpwrap_period=daily
+ [ -z '' ]
+ source_periodic_confs_defined=yes
+ source_periodic_confs
+ local i sourced_files
+ sourced_files=:/etc/periodic.conf:
+ [ -r /etc/periodic.conf ]
+ sourced_files=:/etc/periodic.conf::/etc/periodic.conf.local:
+ [ -r /etc/periodic.conf.local ]
+ echo ''

+ echo 'Rebuilding locate database:'
Rebuilding locate database:
+ . /etc/locate.rc
+ : /var/db/locate.database
+ locdb=/var/db/locate.database
+ touch /var/db/locate.database
+ rc=0
+ chown nobody /var/db/locate.database
+ chmod 644 /var/db/locate.database
+ cd /
+ echo /usr/libexec/locate.updatedb
+ nice -n 5 su -fm nobody
Must be root.
+ rc=3
+ chmod 444 /var/db/locate.database
+ exit 3

@fichtner
Copy link
Member

If I had to guess it's hitting here:

https://github.com/opnsense/core/blob/10aa7878cf5e49c2125d8752c20ca6dea048c1de/src/sbin/opnsense-shell#L48-L53

But to be frank piping to su(1) doesn't seem very elegant to me:

echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

How does a shell expect to know it's supposed to execute a command from stdin? This doesn't appear to be documented in su(1) either, but it's also not new scripting.

The bigger issue here is that the root shell is set to "opnsense-shell" I believe, but we actually want that.

Cheers,
Franco

@fichtner
Copy link
Member

Ok I think this executes a root shell but then wants it to run with user "nobody". This is quite inconvenient. :)

@hboetes
Copy link

hboetes commented Aug 12, 2024

I just tried running the script with this diff applied:

root@fwleb02:~ # diff -u /etc/periodic/weekly/310.locate 310.locate 
--- /etc/periodic/weekly/310.locate	2024-08-07 18:11:22.000000000 +0200
+++ 310.locate	2024-08-12 21:02:09.924076000 +0200
@@ -24,7 +24,7 @@
 	chmod 644 $locdb || rc=3
 
 	cd /
-	echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3
+	nice -n 5 su -fm nobody -c /usr/libexec/locate.updatedb || rc=3 
 	chmod 444 $locdb || rc=3;;
 
     *)  rc=0;;

Now it works fine.

@doktornotor
Copy link

doktornotor commented Aug 23, 2024

@hboetes - you have undone the upstream "security fix" which is done in order to not index and disclose top-secret files. Considering this totally pointless on environments such as OPNsense, use /usr/libexec/locate.updatedb directly, ignore its moaning about root and forget about the periodic script (which does not run periodically anyway since that is not desired on OPNsense either).

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=21535

@fichtner
Copy link
Member

Is that the reason for piping random commands to a shell hidden behind su to a user that doesn't maybe even have a shell? What is this?

@doktornotor
Copy link

It's been there for too long to trace the original commit, breaking various things on the way. Before 2000 for sure.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=17074

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
upstream Third party issue
Development

No branches or pull requests

4 participants