[Bug 849720] New: "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c0

Summary: "at" command immediately exit with: Cannot create atjob file /var/spool/atjobs/...: Permission denied
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: i586
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: siftspam-dev@fpchico.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=566771)
 --> (http://bugzilla.novell.com/attachment.cgi?id=566771)
Excerpt of strace output showing open() system call failure

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0

Installed at-3.1.13-5.1.2.i586 rpm. Added user 'guest' to /etc/at.deny. Tried to execute an "at" command but it immediately exited with error "Cannot create atjob file /var/spool/atjobs/a0000a015ff720: Permission denied".

Ran the command again using strace:

sudo strace -u myuser -o /tmp/x.log /usr/bin/at 0000

The tail of the strace output shows that an open system call is failing with EACCES:

open("/var/spool/atjobs/a0000a015ff720", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0400) = -1 EACCES (Permission denied)

Related file permissions and /etc/at.deny contents:

#sudo ls -ld /usr/bin/at /var/spool/atjobs/
-rwsr-xr-x 1 root trusted 51156 Sep 27 17:22 /usr/bin/at
drwx------ 2 at at 4096 Nov 8 19:40 /var/spool/atjobs/

#sudo ls -l /etc/at.{allow,deny}
ls: cannot access /etc/at.allow: No such file or directory
-rw-r----- 1 root root 68 Nov 8 21:00 /etc/at.deny

#sudo cat /etc/at.{allow,deny}
cat: /etc/at.allow: No such file or directory
root
bin
daemon
lp
mail
news
uucp
games
man
wwwrun
ftp
nobody
guest

Reproducible: Always

Steps to Reproduce:
Execute the "at" command.
E.g.: at 0000

Actual Results:
warning: commands will be executed using /bin/sh
Cannot create atjob file /var/spool/atjobs/a0000a015ff720: Permission denied

Expected Results:
Accept commands for the job from standard input and schedule them for execution.

Installed RC2 from 32-bit Live DVD. Updates installed from default repos using Apper and Yast.

Also posted for forum: https://forums.opensuse.org/english/get-technical-help-here/pre-release-beta...

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c
Fred P
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c
Xiyuan Liu
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c1
Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c2
--- Comment #2 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c3
Michal Vyskocil
However then their logic is still weird, as then there don't need to be PRIV_START/PRIV_END.
I do see only one reason - to create files with the same user id, which belongs to caller of at command. However I've changed permissions such way and have added a debug patch listing uid/euid/gid/egid. But it did not work as I've expected

# ls -lh /usr/bin/at
-rwsr-sr-x 1 root trusted 52K Nov 11 15:39 /usr/bin/at
# ls -ld /var/spool/atjobs/
drw-rw---- 1 at trusted 8 Nov 11 15:40 /var/spool/atjobs/
# getent group | grep trusted
trusted:x:42:

$ at 0000
warning: commands will be executed using /bin/sh
DEBUG: uid:10112, euid:10112, gid:100, egid:42
Cannot create atjob file /var/spool/atjobs/a00004016005e4: Permission denied

but process with egid trusted should be able to write to trusted group writable directory, or have I overlooked something?
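Added example, not part of the bug report or of at's source: the listing in the comment above shows /var/spool/atjobs as drw-rw---- at:trusted, that is, write but no search (x) bit for the group class. This C sketch models the classic owner/group/other check for modifying a directory, using the ids from the DEBUG line. The numeric uid of "at" (25), the function names and the 0770 contrast mode are assumptions; root and capability overrides, ACLs and LSMs are ignored.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumption: numeric uid of the "at" account; the ls output shows only the name. */
#define AT_UID      25
#define TRUSTED_GID 42      /* from "getent group": trusted:x:42: */

/* Pick the single rwx triplet that applies. Classes are tried in the order
 * owner, group, other; the first match decides, with no fall-through. */
static unsigned class_bits(mode_t mode, uid_t d_uid, gid_t d_gid,
                           uid_t euid, gid_t egid,
                           const gid_t *groups, size_t ngroups)
{
    if (euid == d_uid)
        return (mode >> 6) & 7;
    if (egid == d_gid)
        return (mode >> 3) & 7;
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == d_gid)
            return (mode >> 3) & 7;
    return mode & 7;
}

/* open(O_CREAT) and unlink() both modify the directory itself, which needs
 * write (2) AND search (1) permission on it, not write alone. */
bool can_modify_dir(mode_t mode, uid_t d_uid, gid_t d_gid,
                    uid_t euid, gid_t egid,
                    const gid_t *groups, size_t ngroups)
{
    unsigned bits = class_bits(mode, d_uid, d_gid, euid, egid, groups, ngroups);
    return (bits & 2) && (bits & 1);
}

int main(void)
{
    /* Ids from the DEBUG line: euid 10112, egid 42; no supplementary groups modelled. */
    printf("drw-rw---- (0660): %s\n",
           can_modify_dir(0660, AT_UID, TRUSTED_GID, 10112, 42, NULL, 0) ? "allowed" : "EACCES");
    /* Constructed contrast: same owner and group, with the search bit set. */
    printf("drwxrwx--- (0770): %s\n",
           can_modify_dir(0770, AT_UID, TRUSTED_GID, 10112, 42, NULL, 0) ? "allowed" : "EACCES");
    return 0;
}
```

The model compares the effective ids; on Linux the kernel uses the filesystem uid/gid, which follow the effective ids unless changed explicitly.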
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c4
Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c5
--- Comment #5 from Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c6
--- Comment #6 from Michal Vyskocil
I also have trouble finding something like an "at" upstream git?
There is upstream ftp: ftp://ftp.debian.org/debian/pool/main/a/at/ Welcome to 90's ;-)
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c7
Michal Vyskocil
$ atrm 1
DEBUG: uid:25, euid:10112, gid:100, egid:25
Cannot unlink a000010160092c: Permission denied

This is weird, there is case ATRM: REDUCE_PRIV(daemon_uid, daemon_gid) which does

setreuid(10112, 0)
setregid(100, 42)
setregid(25, 100)
setreuid(25, 10112)

and with all *id munging afterward, we can't remove at job. In Debian this does work because they do have /usr/bin/at and /var/spool/cron/atjobs daemon:daemon, where SUSE's setup is very different. So it is obvious the code does expect very specific setup of at and jobs dir. The point is what to do now - to clone Debian's setup or to use another way?
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c8
Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c9
--- Comment #9 from Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c10
Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c11
--- Comment #11 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c12
Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c13
Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=849720
https://bugzilla.novell.com/show_bug.cgi?id=849720#c14
--- Comment #14 from Swamp Workflow Management