fichtner
commented
3 months ago Can you output this?
# sh -x /etc/periodic/weekly/310.locateCheers, Franco
Open Stricken1670 opened 3 months ago
fichtner
commented
3 months ago Can you output this?
# sh -x /etc/periodic/weekly/310.locateCheers, Franco
Stricken1670
commented
3 months ago Most certainly:
root@fwleb02:~ # sh -x /etc/periodic/weekly/310.locate
+ [ -r /etc/defaults/periodic.conf ]
+ . /etc/defaults/periodic.conf
+ periodic_conf_files='/etc/periodic.conf /etc/periodic.conf.local /etc/periodic.conf'
+ local_periodic=/etc/periodic
+ anticongestion_sleeptime=3600
+ daily_diff_flags='-b -U 0'
+ daily_output=root
+ daily_show_success=YES
+ daily_show_info=YES
+ daily_show_badconfig=NO
+ daily_clean_disks_enable=NO
+ daily_clean_disks_files='[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*'
+ daily_clean_disks_days=3
+ daily_clean_disks_verbose=YES
+ daily_clean_tmps_enable=NO
+ daily_clean_tmps_dirs=/tmp
+ daily_clean_tmps_days=3
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap .sujournal'
+ daily_clean_tmps_verbose=YES
+ daily_clean_preserve_enable=YES
+ daily_clean_preserve_days=7
+ daily_clean_preserve_verbose=YES
+ daily_clean_msgs_enable=YES
+ daily_clean_msgs_days=''
+ daily_clean_rwho_enable=YES
+ daily_clean_rwho_days=7
+ daily_clean_rwho_verbose=YES
+ daily_clean_hoststat_enable=YES
+ daily_backup_passwd_enable=YES
+ daily_backup_aliases_enable=YES
+ sysctl -n security.jail.jailed
+ [ 0 '=' 0 ]
+ daily_backup_gpart_enable=YES
+ daily_backup_gpart_verbose=NO
+ daily_backup_efi_enable=NO
+ daily_backup_gmirror_enable=NO
+ daily_backup_gmirror_verbose=NO
+ daily_backup_zfs_enable=NO
+ daily_backup_zfs_props_enable=NO
+ daily_backup_zfs_get_flags=all
+ daily_backup_zfs_list_flags=''
+ daily_backup_zpool_get_flags=all
+ daily_backup_zpool_list_flags=-v
+ daily_backup_zfs_verbose=NO
+ daily_calendar_enable=NO
+ daily_accounting_enable=YES
+ daily_accounting_compress=NO
+ daily_accounting_flags=-q
+ daily_accounting_save=3
+ daily_status_disks_enable=YES
+ daily_status_disks_df_flags='-l -h'
+ daily_status_graid_enable=NO
+ daily_status_zfs_enable=NO
+ daily_status_zfs_zpool_list_enable=YES
+ daily_status_gmirror_enable=NO
+ daily_status_graid3_enable=NO
+ daily_status_gstripe_enable=NO
+ daily_status_gconcat_enable=NO
+ daily_status_mfi_enable=NO
+ daily_status_network_enable=YES
+ daily_status_network_usedns=YES
+ daily_status_network_netstat_flags='-d -W'
+ daily_status_uptime_enable=YES
+ daily_status_mailq_enable=YES
+ daily_status_mailq_shorten=NO
+ daily_status_include_submit_mailq=YES
+ daily_status_security_enable=YES
+ daily_status_security_inline=NO
+ daily_status_security_output=root
+ daily_status_mail_rejects_enable=YES
+ daily_status_mail_rejects_logs=3
+ daily_status_mail_rejects_shorten=NO
+ daily_ntpd_leapfile_enable=YES
+ daily_status_ntpd_enable=NO
+ daily_queuerun_enable=YES
+ daily_submit_queuerun=YES
+ daily_status_world_kernel=YES
+ daily_scrub_zfs_enable=NO
+ daily_scrub_zfs_pools=''
+ daily_scrub_zfs_default_threshold=35
+ daily_trim_zfs_enable=NO
+ daily_trim_zfs_pools=''
+ daily_trim_zfs_flags=''
+ daily_local=/etc/daily.local
+ weekly_output=root
+ weekly_show_success=YES
+ weekly_show_info=YES
+ weekly_show_badconfig=NO
+ weekly_locate_enable=YES
+ weekly_whatis_enable=YES
+ weekly_noid_enable=NO
+ weekly_noid_dirs=/
+ weekly_status_security_enable=YES
+ weekly_status_security_inline=NO
+ weekly_status_security_output=root
+ weekly_local=/etc/weekly.local
+ monthly_output=root
+ monthly_show_success=YES
+ monthly_show_info=YES
+ monthly_show_badconfig=NO
+ monthly_accounting_enable=YES
+ monthly_status_security_enable=YES
+ monthly_status_security_inline=NO
+ monthly_status_security_output=root
+ monthly_local=/etc/monthly.local
+ security_show_success=YES
+ security_show_info=YES
+ security_show_badconfig=NO
+ security_status_logdir=/var/log
+ security_status_diff_flags='-b -U 0'
+ security_status_chksetuid_enable=YES
+ security_status_chksetuid_period=daily
+ security_status_neggrpperm_enable=YES
+ security_status_neggrpperm_period=daily
+ security_status_chkmounts_enable=YES
+ security_status_chkmounts_period=daily
+ security_status_noamd=NO
+ security_status_chkuid0_enable=YES
+ security_status_chkuid0_period=daily
+ security_status_passwdless_enable=YES
+ security_status_passwdless_period=daily
+ security_status_logincheck_enable=YES
+ security_status_logincheck_period=daily
+ security_status_ipfwdenied_enable=YES
+ security_status_ipfwdenied_period=daily
+ security_status_ipfdenied_enable=YES
+ security_status_ipfdenied_period=daily
+ security_status_pfdenied_enable=YES
+ security_status_pfdenied_period=daily
+ security_status_pfdenied_additionalanchors=''
+ security_status_ipfwlimit_enable=YES
+ security_status_ipfwlimit_period=daily
+ security_status_ipf6denied_enable=YES
+ security_status_ipf6denied_period=daily
+ security_status_kernelmsg_enable=YES
+ security_status_kernelmsg_period=daily
+ security_status_loginfail_enable=YES
+ security_status_loginfail_period=daily
+ security_status_tcpwrap_enable=YES
+ security_status_tcpwrap_period=daily
+ [ -z '' ]
+ source_periodic_confs_defined=yes
+ source_periodic_confs
+ local i sourced_files
+ sourced_files=:/etc/periodic.conf:
+ [ -r /etc/periodic.conf ]
+ sourced_files=:/etc/periodic.conf::/etc/periodic.conf.local:
+ [ -r /etc/periodic.conf.local ]
+ echo ''
+ echo 'Rebuilding locate database:'
Rebuilding locate database:
+ . /etc/locate.rc
+ : /var/db/locate.database
+ locdb=/var/db/locate.database
+ touch /var/db/locate.database
+ rc=0
+ chown nobody /var/db/locate.database
+ chmod 644 /var/db/locate.database
+ cd /
+ echo /usr/libexec/locate.updatedb
+ nice -n 5 su -fm nobody
Must be root.
+ rc=3
+ chmod 444 /var/db/locate.database
+ exit 3If I had to guess it's hitting here:
But to be frank piping to su(1) doesn't seem very elegant to me:
How does a shell expect to know it's supposed to execute a command from stdin? This doesn't appear to be documented in su(1) either, but it's also not new scripting.
The bigger issue here is that the root shell is set to "opnsense-shell" I believe, but we actually want that.
Cheers, Franco
fichtner
commented
3 months ago Ok I think this executes a root shell but then wants it to run with user "nobody". This is quite inconvenient. :)
hboetes
commented
3 months ago I just tried running the script with this diff applied:
root@fwleb02:~ # diff -u /etc/periodic/weekly/310.locate 310.locate
--- /etc/periodic/weekly/310.locate 2024-08-07 18:11:22.000000000 +0200
+++ 310.locate 2024-08-12 21:02:09.924076000 +0200
@@ -24,7 +24,7 @@
chmod 644 $locdb || rc=3
cd /
- echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3
+ nice -n 5 su -fm nobody -c /usr/libexec/locate.updatedb || rc=3
chmod 444 $locdb || rc=3;;
*) rc=0;;Now it works fine.
doktornotor
commented
3 months ago @hboetes - you have undone the upstream "security fix" which is done in order to not index and disclose top-secret files. Considering this totally pointless on environments such as OPNsense, use /usr/libexec/locate.updatedb directly, ignore its moaning about root and forget about the periodic script (which does not run periodically anyway since that is not desired on OPNsense either).
fichtner
commented
3 months ago Is that the reason for piping random commands to a shell hidden behind su to a user that doesn't maybe even have a shell? What is this?
doktornotor
commented
3 months ago It's been there for too long to trace the original commit, breaking various things on the way. Before 2000 for sure.
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug Trying to locate a specific file results in the following interaction:
I hope you can reproduce the issue.