[Bug 910500] New: mdcheck @ cron errors: /var/lib/mdcheck/.md-check-8965: line 5: none: No such file or directory
http://bugzilla.opensuse.org/show_bug.cgi?id=910500

Bug ID: 910500
Summary: mdcheck @ cron errors: /var/lib/mdcheck/.md-check-8965: line 5: none: No such file or directory
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: x86-64
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: grantksupport@operamail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

on

    uname -a
    Linux lab010.DOMAIN.net 3.18.0-2.g99a9f76-xen #1 SMP Sun Dec 14 10:25:49 UTC 2014 (99a9f76) x86_64 x86_64 x86_64 GNU/Linux

    lsb_release -rd
    Description: openSUSE 13.2 (Harlequin) (x86_64)
    Release: 13.2

    mdadm --version
    mdadm - v3.3.1 - 5th June 2014

i am getting these email notices from system cron every couple of days

    ...
    From: "(Cron Daemon)" <cron-admin=lab010.DOMAIN.net@DOMAIN.net>
    To: cron-admin=lab010.DOMAIN.net@DOMAIN.net
    Subject: Cron <root@server> source /etc/sysconfig/mdadm; [ -n "$MDADM_CHECK_DURATION" -a -x /usr/share/mdadm/mdcheck ] && /usr/share/mdadm/mdcheck --continue --duration "$MDADM_CHECK_DURATION"
    Content-Type: text/plain; charset=UTF-8
    Auto-Submitted: auto-generated
    Precedence: bulk
    X-Cron-Env: <XDG_SESSION_ID=569>
    X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
    X-Cron-Env: <LANG=POSIX>
    X-Cron-Env: <LC_CTYPE=en_US.UTF-8>
    X-Cron-Env: <PATH=/sbin:/usr/sbin:/bin:/usr/bin>
    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <HOME=/root>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>
    ...
    /var/lib/mdcheck/.md-check-8965: line 5: none: No such file or directory
    /var/lib/mdcheck/.md-check-8965: line 5: none: No such file or directory
    /usr/share/mdadm/mdcheck: line 109: echo: write error: Invalid argument

they originate from

    grep -rlni mdcheck /etc/cron*
    /etc/cron.d/mdadm

    cat /etc/cron.d/mdadm
    #
    # cron.d/mdadm - regular redundancy checks
    #
    # Start checking each month early in the morning.
    # Continue each day until all done
    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    0 1 * * 0 root source /etc/sysconfig/mdadm; [ -n "$MDADM_CHECK_DURATION" -a -x /usr/share/mdadm/mdcheck -a $(date +\%d) -le 7 ] && /usr/share/mdadm/mdcheck --duration "$MDADM_CHECK_DURATION"
    0 1 * * 1-6 root source /etc/sysconfig/mdadm; [ -n "$MDADM_CHECK_DURATION" -a -x /usr/share/mdadm/mdcheck ] && /usr/share/mdadm/mdcheck --continue --duration "$MDADM_CHECK_DURATION"

checking

    cat /usr/share/mdadm/mdcheck
    ...
    # To support '--continue', arrays are identified by UUID and the 'sync_completed'
    # value is stored in /var/lib/mdcheck/$UUID
    ...
    sysname() {
        set `ls -lLd $1`
        maj=${5%,}
        min=$6
        readlink -f /sys/dev/block/$maj:$min
    }
    ..
    for dev in /dev/md?*
    do
        [ -e "$dev" ] || continue
        sys=`sysname $dev`
        ...
        echo $start > $fl
    109 echo $start > $sys/md/sync_min
        echo check > $sys/md/sync_action
        ...

on my system

    ls -al /var/lib/mdcheck/
    total 16K
    drwxr-xr-x 2 root root 4.0K Dec 17 01:56 ./
    drwxr-xr-x 78 root root 4.0K Dec 15 13:59 ../
    -rw-r--r-- 1 root root 319 Dec 13 01:00 .md-check-13566
    -rw-r--r-- 1 root root 319 Dec 15 01:00 .md-check-17179

and

    cat /proc/mdstat | grep md
    md0 : active raid1 sdb1[1] sda1[0]
    md1 : active raid1 sda2[0] sdb2[2]
    md2 : active raid10 sdd1[1] sde1[4] sdc1[0] sdf1[3]

    ls -al /sys/dev/block/ | egrep "md0|md1|md2"
    lrwxrwxrwx 1 root root 0 Dec 17 05:56 9:0 -> ../../devices/virtual/block/md0/
    lrwxrwxrwx 1 root root 0 Dec 17 05:56 9:1 -> ../../devices/virtual/block/md1/
    lrwxrwxrwx 1 root root 0 Dec 17 05:56 9:2 -> ../../devices/virtual/block/md2/

    ls -al /sys/dev/block/9:{0,1,2}/md/sync_min
    -rw-r--r-- 1 root root 4.0K Dec 17 06:00 /sys/dev/block/9:0/md/sync_min
    -rw-r--r-- 1 root root 4.0K Dec 17 06:00 /sys/dev/block/9:1/md/sync_min
    -rw-r--r-- 1 root root 4.0K Dec 17 01:00 /sys/dev/block/9:2/md/sync_min

    cat /etc/sysconfig/mdadm
    MDADM_DELAY=60
    MDADM_MAIL="gk@DOMAIN.com"
    MDADM_PROGRAM=""
    MDADM_RAIDDEVICES="/dev/md0 /dev/md1 /dev/md2"
    MDADM_SCAN=yes
    MDADM_CONFIG="/etc/mdadm.conf"
    MDADM_SEND_MAIL_ON_START=yes
    BOOT_MD_USE_MDADM_CONFIG=yes
    MDADM_DEVICE_TIMEOUT="60"
    MDADM_CHECK_DURATION="12 hours"

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

grant k <grantksupport@operamail.com> changed:

What            |Removed                     |Added
----------------------------------------------------------------------------
Found By        |---                         |Community User
Assignee        |bnc-team-screening@forge.pr |nfbrown@suse.com
                |ovo.novell.com              |
Target Milestone|---                         |13.2

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

Neil Brown <nfbrown@suse.com> changed:

What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |grantksupport@operamail.com
Flags           |                            |needinfo?(grantksupport@ope
                |                            |ramail.com)

--- Comment #1 from Neil Brown <nfbrown@suse.com> ---
Hi

What version of the mdadm package do you have installed?

    rpm -q mdadm

what is the content of the .md-check files in /var/lib/mdcheck ??

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

grant k <grantksupport@operamail.com> changed:

What            |Removed                     |Added
----------------------------------------------------------------------------
Flags           |needinfo?(grantksupport@ope |
                |ramail.com)                 |

--- Comment #2 from grant k <grantksupport@operamail.com> ---
(In reply to Neil Brown from comment #1)
> Hi
> What version of the mdadm package do you have installed?
> rpm -q mdadm

    rpm -q mdadm
    mdadm-3.3.1-5.10.1.x86_64

> what is the content of the .md-check files in /var/lib/mdcheck ??

    cat /var/lib/mdcheck/.md-check-13566
    MD_LEVEL=raid10
    MD_DEVICES=4
    MD_METADATA=1.2
    MD_UUID=b1c263cd:1c42565b:f3f1926d:db1811d3
    MD_NAME=<none>:nas03
    MD_DEVICE_sdc1_ROLE=0
    MD_DEVICE_sdc1_DEV=/dev/sdc1
    MD_DEVICE_sdd1_ROLE=1
    MD_DEVICE_sdd1_DEV=/dev/sdd1
    MD_DEVICE_sde1_ROLE=2
    MD_DEVICE_sde1_DEV=/dev/sde1
    MD_DEVICE_sdf1_ROLE=3
    MD_DEVICE_sdf1_DEV=/dev/sdf1

    cat /var/lib/mdcheck/.md-check-17179
    MD_LEVEL=raid10
    MD_DEVICES=4
    MD_METADATA=1.2
    MD_UUID=b1c263cd:1c42565b:f3f1926d:db1811d3
    MD_NAME=<none>:nas03
    MD_DEVICE_sdc1_ROLE=0
    MD_DEVICE_sdc1_DEV=/dev/sdc1
    MD_DEVICE_sdd1_ROLE=1
    MD_DEVICE_sdd1_DEV=/dev/sdd1
    MD_DEVICE_sde1_ROLE=2
    MD_DEVICE_sde1_DEV=/dev/sde1
    MD_DEVICE_sdf1_ROLE=3
    MD_DEVICE_sdf1_DEV=/dev/sdf1

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

--- Comment #3 from grant k <grantksupport@operamail.com> ---
this morning, it's:

    /var/lib/mdcheck/.md-check-22591: line 5: none: No such file or directory
    /var/lib/mdcheck/.md-check-22591: line 5: none: No such file or directory

where, still

    ls -al /var/lib/mdcheck/
    total 16K
    drwxr-xr-x 2 root root 4.0K Dec 18 01:00 ./
    drwxr-xr-x 78 root root 4.0K Dec 15 13:59 ../
    -rw-r--r-- 1 root root 319 Dec 13 01:00 .md-check-13566
    -rw-r--r-- 1 root root 319 Dec 15 01:00 .md-check-17179

those 'old' files, I suspect, are not involved ...

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

tosiara tosiara <tosiara@gmail.com> changed:

What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |tosiara@gmail.com

--- Comment #4 from tosiara tosiara <tosiara@gmail.com> ---
I also got 3 emails since I have upgraded to 13.2

    Cron <root@server> source /etc/sysconfig/mdadm; [ -n "$MDADM_CHECK_DURATION" -a -x /usr/share/mdadm/mdcheck ] && /usr/share/mdadm/mdcheck --continue --duration "$MDADM_CHECK_DURATION"

    /usr/share/mdadm/mdcheck: line 109: echo: write error: Invalid argument

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

Shad Sterling <me@shadsterling.com> changed:

What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |NEW                         |CONFIRMED
CC              |                            |me@shadsterling.com,
                |                            |nfbrown@suse.com
Flags           |                            |needinfo?(nfbrown@suse.com)
Severity        |Normal                      |Critical

--- Comment #5 from Shad Sterling <me@shadsterling.com> ---
I think I'm having the same problem, with a different error message:

    /var/lib/mdcheck/.md-check-29228: line 5: syntax error near unexpected token `('
    /var/lib/mdcheck/.md-check-29228: line 5: `MD_NAME=adumbrate:Backups (mirror set)'

In my case, the problem is that mdadm --detail --export does not shell-escape its output.

The error is triggered by lines 90 and 91 of /usr/share/mdadm/mdcheck :

    mdadm --detail --export "$dev" > $tmp || continue
    source $tmp

Where "$tmp" in this case was set to "/var/lib/mdcheck/.md-check-29228" on line 68.

The value of MD_NAME includes characters that must be escaped to appear in a string. In my case, it syntax errors on the parenthesis; in grant's case it tries to redirect stdin from a nonexistent file (it may also have created a file named ":nas03").

It looks like this bug makes it possible to execute arbitrary shell commands as root by including them in an MD_NAME, for example

    MD_NAME=; rm -rf /

tosiara's error looks like a different problem.

I have mdadm-3.3.1-5.3.1.x86_64 on openSUSE 13.2 (Harlequin) (x86_64)

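Added example, not part of the thread and not the mdadm project's code: one way to read a single key from `mdadm --detail --export`-style output as data rather than sourcing the file, which is the failure comment #5 describes. The function names, the constructed sample input and the UUID shape check (four groups of eight hex digits, matching the value shown in comment #2) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: values are read as data, so MD_NAME can never run as shell code.

# Constructed samples modelled on the output quoted in this thread.
sample_export() {
cat <<'EOF'
MD_LEVEL=raid10
MD_UUID=b1c263cd:1c42565b:f3f1926d:db1811d3
MD_NAME=<none>:nas03
MD_DEVICE_sdc1_ROLE=0
EOF
}
sample_export_parens() {
cat <<'EOF'
MD_LEVEL=raid1
MD_UUID=00000000:11111111:22222222:33333333
MD_NAME=adumbrate:Backups (mirror set)
EOF
}

# export_value KEY: print KEY's value from stdin verbatim (hypothetical helper).
export_value() {
    key=$1
    while IFS= read -r line; do
        case $line in
            "$key="*) printf '%s\n' "${line#"$key="}"; return 0 ;;
        esac
    done
    return 1
}

# valid_md_uuid VALUE: assumed shape, four colon-separated groups of 8 hex digits.
valid_md_uuid() {
    case $1 in
        ''|*[!0-9a-fA-F:]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(:[0-9a-fA-F]{8}){3}$'
}

# safe_md_uuid: read export output on stdin; print the UUID only if well formed.
safe_md_uuid() {
    uuid=$(export_value MD_UUID) || return 1
    valid_md_uuid "$uuid" || return 1
    printf '%s\n' "$uuid"
}

# Demo on the constructed samples.
sample_export | safe_md_uuid
sample_export_parens | export_value MD_NAME
```

Both MD_NAME values that broke the sourced file in this thread come back as plain strings here, and a malformed MD_UUID is rejected instead of being used to build a path under /var/lib/mdcheck.
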
http://bugzilla.opensuse.org/show_bug.cgi?id=910500

grant k <grantksupport@operamail.com> changed:

What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |security-team@suse.de
Flags           |needinfo?(nfbrown@suse.com) |needinfo?

--- Comment #6 from grant k <grantksupport@operamail.com> ---
> It looks like this bug makes it possible to execute arbitrary shell commands as
> root by including them in an MD_NAME, for example
> MD_NAME=; rm -rf /

if true, cc'ing security-team

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

--- Comment #7 from Shad Sterling <me@shadsterling.com> ---
As a temporary workaround to get the cronjob to work until mdadm is patched, it should be enough to change the MD_NAME to something that doesn't need escaping.

Unfortunately, searching for ways to rename an md device only turns up ways to change the device node /dev/mdXXX.

Is there a way to change the MD_NAME?

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

--- Comment #8 from Neil Brown <nfbrown@suse.com> ---
> Is there a way to change the MD_NAME?

Stop the array (if it is running), then assemble with --update=name --name=NewName

http://bugzilla.opensuse.org/show_bug.cgi?id=910500

Neil Brown <nfbrown@suse.com> changed:

What            |Removed                     |Added
----------------------------------------------------------------------------
Flags           |                            |needinfo?(security-team@sus
                |                            |e.de)

--- Comment #10 from Neil Brown <nfbrown@suse.com> ---
Thanks for the report.

I have submitted an update for 13.2 and Factory which makes this change:

+- mdadm --detail --export "$dev" > $tmp || continue
++ mdadm --detail --export "$dev" | grep '^MD_UUID=' > $tmp || continue

to the mdcheck script. You could easily do that by hand rather than wait for the update.

Comment #6 is correct that this could be a security issue. If a USB device with carefully crafted metadata were plugged into an openSUSE host, the array would be automatically assembled. If it was still there at 1am when the mdcheck script is run by cron, then shell code from the array name would be executed.

Security-team: is there anything else I should do w.r.t. the security aspect?
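
Review bot: the `++` line still writes mdadm output into $tmp, and if the `source $tmp` on the following line (quoted in comment #5) stays, the script keeps evaluating that output as shell code, so the fix holds only as long as the MD_UUID value can never contain shell metacharacters. It would be sturdier to assign the value directly, for example `MD_UUID=$(mdadm --detail --export "$dev" | sed -n 's/^MD_UUID=//p')`, check that it is non-empty and has the expected form, and drop the `source`. Two smaller points on the same line: `|| continue` now tests the exit status of grep rather than mdadm unless pipefail is set, and `$tmp` is unquoted in the redirection.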