[Bug 849720] New: "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

newer
[Bug 849436] New: logrotate syslog...

bugzilla_noreply＠novell.com

9 Nov 2013 9 Nov '13

12:36

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c0 Summary: "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied Classification: openSUSE Product: openSUSE 13.1 Version: Final Platform: i586 OS/Version: Other Status: NEW Severity: Critical Priority: P5 - None Component: Basesystem AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: siftspam-dev@fpchico.com QAContact: qa-bugs@suse.de Found By: --- Blocker: --- Created an attachment (id=566771) --> (http://bugzilla.novell.com/attachment.cgi?id=566771) Excerpt of strace output showing open() system call failure User-Agent: Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 Installed at-3.1.13-5.1.2.i586 rpm. Added user 'guest' to /etc/at.deny. Tried to execute an "at" command but it immediately exited with error "Cannot create atjob file /var/spool/atjobs/a0000a015ff720: Permission denied". Ran the command again using strace: sudo strace -u myuser -o /tmp/x.log /usr/bin/at 0000 The tail of the strace output shows that an open system call is failing with EACCES: open("/var/spool/atjobs/a0000a015ff720", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0400) = -1 EACCES (Permission denied) Related file permissions and /etc/at.deny contents: #sudo ls -ld /usr/bin/at /var/spool/atjobs/ -rwsr-xr-x 1 root trusted 51156 Sep 27 17:22 /usr/bin/at drwx------ 2 at at 4096 Nov 8 19:40 /var/spool/atjobs/ #sudo ls -l /etc/at.{allow,deny} ls: cannot access /etc/at.allow: No such file or directory -rw-r----- 1 root root 68 Nov 8 21:00 /etc/at.deny #sudo cat /etc/at.{allow,deny} cat: /etc/at.allow: No such file or directory root bin daemon lp mail news uucp games man wwwrun ftp nobody guest Reproducible: Always Steps to Reproduce: Execute the "at" command. E.g.: at 0000 Actual Results: warning: commands will be executed using /bin/sh Cannot create atjob file /var/spool/atjobs/a0000a015ff720: Permission denied Expected Results: Accept commands for the job from standard input and schedule them for execution. Installed RC2 from 32-bit Live DVD. Updates installed from default repo's using Apper and Yast. Also posted for forum: https://forums.opensuse.org/english/get-technical-help-here/pre-release-beta... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

9 Nov 9 Nov

12:38

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c Fred P changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #566771|application/octet-stream |text/plain mime type| | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Nov 11 Nov

03:27

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c Xiyuan Liu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |xyliu@suse.com AssignedTo|bnc-team-screening@forge.pr |mvyskocil@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:22

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c1 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P1 - Urgent Status|NEW |ASSIGNED CC| |meissner@suse.com, | |security-team@suse.de --- Comment #1 from Michal Vyskocil 2013-11-11 12:22:06 UTC --- Following like looks suspicious setresuid32(-1, 1008, -1) = 0 This changes the effective user id back from root. Comparing to 12.2, the at.c has been changed this way @@ -296,14 +325,18 @@ * bit. yes, this is a kluge. */ cmask = umask(s_irusr | s_iwusr | s_ixusr); + seteuid(real_uid); if ((fd = open(atfile, o_creat | o_excl | o_trunc | o_wronly, s_irusr)) == -1) perr("cannot create atjob file %.500s", atfile); + seteuid(effective_uid); so it seems that code now assumes at least group writable /var/spool/atjobs/? But as it does not seem to preserve egid, chmod g+w did not worked. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:00

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c2 --- Comment #2 from Sebastian Krahmer 2013-11-11 14:00:54 UTC --- Indeed, their logic seems wrong. The whole writefile() code is surrounded by PRIV_START/PRIV_END, so the creation of lockfile succeeds. This however is in the same directory, so the creation of the spoolfile should also require the same privs. But for some reason they reduce/restore the privs for the open(atfile...) *inside* their guarded PRIV_START/PRIV_END. I think they might assume /usr/bin/at to be setgid "trusted", e.g. mode 06755. and /var/spool/atjobs to be trusted+w. However then their logic is still weird, as then there dont need to be PRIV_START/PRIV_END. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:17

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c3 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |krahmer@suse.com --- Comment #3 from Michal Vyskocil 2013-11-11 15:17:52 UTC --- (In reply to comment #2)

...

However then their logic is still weird, as then there dont need to be PRIV_START/PRIV_END.

I do see only one reason - to create files with the same user id, which belongs to caller of at command. However I've changed permissions such way and have added a debug patch listing uid/euid/gid/egid. But it did not work as I've expected # ls -lh /usr/bin/at -rwsr-sr-x 1 root trusted 52K Nov 11 15:39 /usr/bin/at # ls -ld /var/spool/atjobs/ drw-rw---- 1 at trusted 8 Nov 11 15:40 /var/spool/atjobs/ # getent group | grep trusted trusted:x:42: $ at 0000 warning: commands will be executed using /bin/sh DEBUG: uid:10112, euid:10112, gid:100, egid:42 Cannot create atjob file /var/spool/atjobs/a00004016005e4: Permission denied but process with egid trusted should be able to write to trusted group writable directory, or have I overlooked something? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:31

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c4 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|krahmer@suse.com | --- Comment #4 from Sebastian Krahmer 2013-11-11 15:31:32 UTC --- Thats weird indeed. Sure there is no SELinux policy in place or so that forbids that? Removing the surrounding seteuid calls should be no problem, if the former fchown(fd2, real_uid, real_gid) afterwards is introduced again. I dont know why they changed that. Unfortunally I dont have a 13.1 in place for testing right now. I also have trouble finding something like an "at" upstream git? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Nov 12 Nov

12:40

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c5 --- Comment #5 from Michal Vyskocil 2013-11-12 12:40:44 UTC --- Well, now at does work with -%verify(not mode) %attr(4750,root,trusted) %{_bindir}/at +%verify(not mode) %attr(6755,root,trusted) %{_bindir}/at -%attr(700,at,at) %dir /var/spool/atjobs +%attr(1770,at,trusted) %dir /var/spool/atjobs so the permissions package would need to be adapted as well. What does not work is atrm $ atrm 1 DEBUG: uid:25, euid:10112, gid:100, egid:25 Cannot unlink a000010160092c: Permission denied -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:41

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c6 --- Comment #6 from Michal Vyskocil 2013-11-12 12:41:40 UTC --- (In reply to comment #4)

...

I also have trouble finding something like an "at" upstream git?

There is upstream ftp: ftp://ftp.debian.org/debian/pool/main/a/at/ Welcome to 90's ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:02

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c7 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |krahmer@suse.com --- Comment #7 from Michal Vyskocil 2013-11-12 13:02:02 UTC --- (In reply to comment #5)

...

$ atrm 1 DEBUG: uid:25, euid:10112, gid:100, egid:25 Cannot unlink a000010160092c: Permission denied

This is weird, there is case ATRM: REDUCE_PRIV(daemon_uid, daemon_gid) whis does setreuid(10112, 0) setregid(100, 42) setregid(25, 100) setreuid(25, 10112) and with all *id munging afterward, we can't remove at job. In Debian this does work because they do have /usr/bin/at and /var/spool/cron/atjobs daemon:daemon, where SUSE's setup is very different. So it is obvious the code does expect very specific setup of at and jobs dir. The point is what to do know - to clone Debian's setup or to use an another way? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:52

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c8 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|krahmer@suse.com | --- Comment #8 from Sebastian Krahmer 2013-11-12 13:52:49 UTC --- IMHO, we should just revert the change from comment#1, and re-introduce the fchown(), as apparently their fixes are not suitable for our setup. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:48

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c9 --- Comment #9 from Michal Vyskocil 2013-11-12 15:48:10 UTC --- OK, implemented in https://build.opensuse.org/package/rdiff/Base:System/at?linkrev=base&rev=72 @fred: fixed at can be downloaded from http://download.opensuse.org/repositories/home:/mvyskocil:/branches:/Base:/S... feel free to test -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13 Nov 13 Nov

09:49

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c10 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |maintenance@opensuse.org --- Comment #10 from Michal Vyskocil 2013-11-13 09:49:19 UTC --- Hi maintenance, submitted at to 13.1-update via 206726 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:00

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c11 --- Comment #11 from Bernhard Wiedemann 2013-11-13 11:00:10 CET --- This is an autogenerated message for OBS integration: This bug (849720) was mentioned in https://build.opensuse.org/request/show/206726 13.1 / at -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:08

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c12 Benjamin Brunner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|maintenance@opensuse.org | --- Comment #12 from Benjamin Brunner 2013-11-13 11:08:32 CET --- Thanks Michal, I've started an update. See openSUSE:Maintenance:2232. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:17

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c13 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #13 from Michal Vyskocil 2013-11-13 10:17:28 UTC --- closing the bug then -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 Nov 25 Nov

10:05

New subject: [Bug 849720] "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

https://bugzilla.novell.com/show_bug.cgi?id=849720 https://bugzilla.novell.com/show_bug.cgi?id=849720#c14 --- Comment #14 from Swamp Workflow Management 2013-11-25 10:05:04 UTC --- openSUSE-RU-2013:1756-1: An update that has one recommended fix can now be installed. Category: recommended (low) Bug References: 849720 CVE References: Sources used: openSUSE 13.1 (src): at-3.1.13-5.4.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

3815

Age (days ago)

3831

Last active (days ago)

List overview

Download

16 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 849720] New: "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied

tags

participants (1)