[Bug 786096] New: cron does not close file descriptors before invocation of commands
https://bugzilla.novell.com/show_bug.cgi?id=786096
https://bugzilla.novell.com/show_bug.cgi?id=786096#c0

           Summary: cron does not close file descriptors before invocation of commands
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Final
          Platform: All
        OS/Version: openSUSE 12.2
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: f+novell@congenio.de
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0

When I use lvm2 commands within a shell script that is being called from cron, I always get errors like these in the cron mails:

  File descriptor 5 (/var/spool/cron/tabs) leaked on lvcreate invocation. Parent PID 15139: /bin/sh
  File descriptor 6 (/etc/cron.d) leaked on lvcreate invocation. Parent PID 15139: /bin/sh
  File descriptor 7 (/etc/crontab) leaked on lvcreate invocation. Parent PID 15139: /bin/sh

It shows that lvm2 regards open file descriptors as a security hole, complains and then closes them.

This behaviour can be temporarily fixed by setting the undocumented environment variable LVM_SUPPRESS_FD_WARNINGS. However, it should be fixed in cron itself - there is a similar bug in Debian, so the bug could be fixed upstream (maybe it already is).

Reproducible: Always

Steps to Reproduce:
Use any lvm2 command in a cron script.

Actual Results:
Mail containing errors about leaked file descriptors that cron left open:

  File descriptor 5 (/var/spool/cron/tabs) leaked on lvcreate invocation. Parent PID 15139: /bin/sh
  File descriptor 6 (/etc/cron.d) leaked on lvcreate invocation. Parent PID 15139: /bin/sh
  File descriptor 7 (/etc/crontab) leaked on lvcreate invocation. Parent PID 15139: /bin/sh

Expected Results:
No error output.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
                 CC|                                          |security-team@suse.de,
                   |                                          |suse-beta@cboltz.de
         AssignedTo|bnc-team-screening@forge.provo.novell.com |vdziewiecki@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=786096#c1

Markus Zimmermann <markus.zimmermann@nethead.at> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markus.zimmermann@nethead.at

--- Comment #1 from Markus Zimmermann <markus.zimmermann@nethead.at> 2012-10-28 22:38:46 UTC ---

I have the same errors executing my backup scripts with cron. I am also wondering if this is a problem and how to fix it, as the messages are kind of annoying.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c2

--- Comment #2 from Sebastian Krahmer <krahmer@suse.com> 2012-10-29 12:37:28 UTC ---

I could confirm this on a 12.2. Checking...
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|cron does not close file    |VUL-1: cron does not close
                   |descriptors before          |file descriptors before
                   |invocation of commands      |invocation of commands
https://bugzilla.novell.com/show_bug.cgi?id=786096#c3

--- Comment #3 from Markus Zimmermann <markus.zimmermann@nethead.at> 2012-10-29 12:43:05 UTC ---

I forgot. I am using 12.2 too and this did not appear with 11.4.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c4

--- Comment #4 from Sebastian Krahmer <krahmer@suse.com> 2012-10-29 15:08:57 UTC ---

Created an attachment (id=511207)
 --> (http://bugzilla.novell.com/attachment.cgi?id=511207)
cronie-fdleak.diff

Vojtech, could you check whether this patch works? I hope it has no side effects, i.e. that cron scripts rely on opened fds other than 0,1,2.

It's not really a security issue; all files that are leaked are opened read-only and can be seen by users anyway.
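An added example, not code from this bug thread or from cronie, showing the leak the reporter describes and two remedies: closing every descriptor above 2 in the child before exec (what "opened fds other than 0,1,2" in the comment above points at) and, as an assumed alternative, marking the daemon's own handles FD_CLOEXEC. The two /dev/null handles are constructed stand-ins for /etc/crontab and /etc/cron.d; the exec'd /bin/sh performs the same kind of check that produces lvm2's "File descriptor N leaked" warning.

```c
/* Parent keeps read-only handles open, forks, execs /bin/sh; the child
 * reports how many descriptors >= 3 it inherited. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { FIX_NONE = 0, FIX_CLOEXEC = 1, FIX_CLOSE_ALL = 2 };

/* Remedy 1: close everything above stderr right before execve() of the
 * job command, as a cron daemon could do in the forked child. */
static void close_above_stderr(void) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;   /* keep the loop bounded */
    for (int fd = 3; fd < max; fd++) close(fd);
}

/* Remedy 2 (assumed alternative): mark a handle close-on-exec so the
 * kernel drops it at execve() without the child having to know about it. */
static int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Shell probe run in the child: '(: <&N)' succeeds only if fd N is open,
 * so the exit status is the number of inherited descriptors in 3..15. */
static const char *PROBE =
    "n=0; for fd in 3 4 5 6 7 8 9 10 11 12 13 14 15; do "
    "if (: <&$fd) 2>/dev/null; then n=$((n+1)); fi; done; exit $n";

/* Returns how many descriptors >= 3 the exec'd /bin/sh inherited, -1 on error. */
static int leaked_fds_after_exec(int fix) {
    int a = open("/dev/null", O_RDONLY);   /* stands in for /etc/crontab */
    int b = open("/dev/null", O_RDONLY);   /* stands in for /etc/cron.d  */
    if (a < 0 || b < 0) return -1;
    if (fix == FIX_CLOEXEC) { set_cloexec(a); set_cloexec(b); }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (fix == FIX_CLOSE_ALL) close_above_stderr();
        execl("/bin/sh", "sh", "-c", PROBE, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    close(a); close(b);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("no fix: %d leaked, FD_CLOEXEC: %d leaked, close-all: %d leaked\n",
           leaked_fds_after_exec(FIX_NONE), leaked_fds_after_exec(FIX_CLOEXEC),
           leaked_fds_after_exec(FIX_CLOSE_ALL));
    return 0;
}
```

The close-all variant is the blunt one and is what breaks a job that legitimately expects an inherited descriptor; FD_CLOEXEC on the daemon's own handles leaves anything else untouched.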
https://bugzilla.novell.com/show_bug.cgi?id=786096#c5

--- Comment #5 from Uwe Meyer-Gruhl <f+novell@congenio.de> 2012-10-29 17:35:54 UTC ---

Initially, I did not think about the security implication, but I believe that there actually is one: The open file and directory handles are not necessarily already readable by users - for example with a user-specific crontab. There may be credentials in those files which are readable by cron but not by other users.

So, IMO, there may be a privilege elevation issue, but those files can be seen only by the command that is being called, so the chance is slim.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c6

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P4 - Low

--- Comment #6 from Swamp Workflow Management <swamp@suse.de> 2012-10-29 23:00:17 UTC ---

bugbot adjusting priority
https://bugzilla.novell.com/show_bug.cgi?id=786096#c7

--- Comment #7 from Sebastian Krahmer <krahmer@suse.com> 2012-10-30 08:32:35 UTC ---

The only regular file that leaks a read-only fd is /etc/crontab, which is readable by users anyway. So there is not really a security issue; only bad coding style. A fix in Factory should suffice.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Matthias Weckbecker <mweckbecker@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|VUL-1: cron does not close  |VUL-1: cron: does not close
                   |file descriptors before     |file descriptors before
                   |invocation of commands      |invocation of commands
https://bugzilla.novell.com/show_bug.cgi?id=786096#c8

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> 2012-10-30 19:50:58 CET ---

(In reply to comment #7)
> The only regular file that leaks a read-only fd is /etc/crontab which is
> readable by users anyway. So there is not really a security issue; only bad
> coding style.

That depends ;-)

# grep /etc/crontab /etc/permissions*
/etc/permissions.easy:/etc/crontab root:root 644
/etc/permissions.paranoid:/etc/crontab root:root 600
/etc/permissions.secure:/etc/crontab root:root 600
https://bugzilla.novell.com/show_bug.cgi?id=786096#c9

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com

--- Comment #9 from Marcus Meissner <meissner@suse.com> 2012-11-02 13:52:38 UTC ---

Does this affect only the openSUSE version of cron, or also SLES versions?
https://bugzilla.novell.com/show_bug.cgi?id=786096#c10

Wojtek Dziewięcki <vdziewiecki@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #10 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2012-11-09 12:45:56 UTC ---

(In reply to comment #4)
> Vojtech, could you check whether this patch works?

Yes, I can confirm that the patch eliminates this behaviour.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c11

--- Comment #11 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2012-11-09 16:23:48 UTC ---

(In reply to comment #9)
> Does this affect only openSUSE version of cron, or also SLES versions?

Only openSUSE. I cannot reproduce it with the cron version taken from the SLE-11 repos.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c12

--- Comment #12 from Marcus Meissner <meissner@suse.com> 2012-11-12 14:21:33 UTC ---

Can you file a maintenance request for this issue for 12.2?
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |vdziewiecki@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=786096#c13

Wojtek Dziewięcki <vdziewiecki@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|vdziewiecki@suse.com        |

--- Comment #13 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2013-01-02 14:35:19 UTC ---

Maintenance request number is #146826.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c14

--- Comment #14 from Sebastian Krahmer <krahmer@suse.com> 2013-01-08 12:52:34 UTC ---

Hm, if we do updates for 12.2 we need a CVE. Requesting one...
https://bugzilla.novell.com/show_bug.cgi?id=786096#c15

--- Comment #15 from Sebastian Krahmer <krahmer@suse.com> 2013-01-09 08:17:03 UTC ---

CVE-2012-6097
https://bugzilla.novell.com/show_bug.cgi?id=786096#c16

--- Comment #16 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2013-01-09 11:44:16 UTC ---

Ok, now it's #146826 with the CVE in the changes.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |obs:running:1212:moderate
https://bugzilla.novell.com/show_bug.cgi?id=786096#c19

--- Comment #19 from Sebastian Krahmer <krahmer@suse.com> 2013-01-09 15:52:53 UTC ---

For the record, from Vincent Danen:

> Ok, so did some more digging based on some info from one of our developers
> that we had patched this in Fedora.
>
> Looks like this patch introduced the leak on 2011-04-28:
> http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=acdf4ae8456... +28f54582
>
> And this patch reverted it on 2011-06-29:
> http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=b19007ca9fd... +1d5e0419
>
> So it looks like only 1.4.8 was affected by this (which, judging by the patch
> in your bugzilla, is the same version you're seeing as affected). That might
> be a better patch to use than what you're using.
>
> Anyways, this only affects 1.4.8 (for any others using cronie and concerned
> as to whether or not they might be affected).
>
> This was also reported to our bugzilla here:
> https://bugzilla.redhat.com/show_bug.cgi?id=717505
https://bugzilla.novell.com/show_bug.cgi?id=786096#c20

--- Comment #20 from Wojtek Dziewięcki <vdziewiecki@suse.com> 2013-01-09 17:33:49 UTC ---

We might replace our patch with this one next time we release an update for cron.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|obs:running:1212:moderate   |obs:running:1212:moderate
                   |                            |obs:running:1244:moderate
https://bugzilla.novell.com/show_bug.cgi?id=786096#c21

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |coolo@suse.com

--- Comment #21 from Stephan Kulow <coolo@suse.com> 2013-02-07 12:19:03 CET ---

The patch is broken - crond will crash on every invocation of a cron script. Did we really release that as an update for 12.2?
https://bugzilla.novell.com/show_bug.cgi?id=786096#c22

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|FIXED                       |

--- Comment #22 from Stephan Kulow <coolo@suse.com> 2013-02-07 12:23:40 CET ---

Causing 802345 - please remove the patch from the online repos.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|obs:running:1212:moderate   |obs:running:1244:moderate
                   |obs:running:1244:moderate   |
https://bugzilla.novell.com/show_bug.cgi?id=786096#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|obs:running:1244:moderate   |
https://bugzilla.novell.com/show_bug.cgi?id=786096#c23

--- Comment #23 from Marcus Meissner <meissner@suse.com> 2013-02-07 12:17:56 UTC ---

We did _two_ releases, the second fixing the issue. I think 12.3 does not have the fixed patch...
https://bugzilla.novell.com/show_bug.cgi?id=786096#c24

--- Comment #24 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-02-07 14:00:16 CET ---

This is an autogenerated message for OBS integration:
This bug (786096) was mentioned in
https://build.opensuse.org/request/show/151578 Factory / cronie
https://bugzilla.novell.com/show_bug.cgi?id=786096#c25

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #25 from Marcus Meissner <meissner@suse.com> 2013-02-07 13:57:13 UTC ---

I submitted it for Factory ... please test.
https://bugzilla.novell.com/show_bug.cgi?id=786096#c26

--- Comment #26 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-02-08 15:00:22 CET ---

This is an autogenerated message for OBS integration:
This bug (786096) was mentioned in
https://build.opensuse.org/request/show/154915 Maintenance /