Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Tue Mar 19, 2024 7:12 am Post subject: fcron, clamav: Could not chdir to HOME dir '/dev/null' |
|
|
Hi,
I have a (f)cron job for clamav:
Code: | # fcrontab -u clamav -l
2024-03-19 08:09:00 INFO listing clamav's fcrontab
%daily,first(45m) * 05-10,14-17 fangfrisch -c /etc/fangfrisch.conf refresh |
However in the logs I find a message about wrong HOME:
Code: | [fcron] Could not chdir to HOME dir '/dev/null'. Trying to chdir to '/'.: Not a directory
[fcron] Job 'fangfrisch -c /etc/fangfrisch.conf refresh' started for user clamav (pid 4977) |
Indeed, HOME is set to /dev/null:
Code: | # grep clamav /etc/passwd
clamav:x:130:969:System user; clamav:/dev/null:/sbin/nologin |
The cronjob seems to work anyway. Should I fix the HOME and file a bug report? Should fcron provide a bugfix? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 432 Location: Naarm/Melbourne, Australia
|
Posted: Wed Mar 20, 2024 11:06 pm Post subject: |
|
|
Scanning the fcron manpages, i couldn't immediately see anything that might clarify the intended behaviour in this situation. It might be worth opening a new issue in the repo asking the dev about it. |
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Thu Mar 21, 2024 9:15 am Post subject: |
|
|
So you mean, having a user with a /dev/null HOME is perfectly valid for cronjobs, and the issue is about fcron? |
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 432 Location: Naarm/Melbourne, Australia
|
Posted: Thu Mar 21, 2024 10:31 am Post subject: |
|
|
As far as i can tell, POSIX doesn't specify any particular behaviour when HOME is "/dev/null". Having something like "/dev/null" or "/var/empty" as the value of HOME for certain 'system users', including services such as clamav, seems perfectly legitimate to me, for security reasons. So outside of any informal conventions that might exist, it would be up to specific implementations to decide how to handle such values. |
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Thu Mar 21, 2024 10:34 am Post subject: |
|
|
As expected, the developer points to the invalid home being /dev/null:
https://github.com/yo8192/fcron/issues/25 |
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Thu Mar 21, 2024 10:39 am Post subject: |
|
|
It seems, clamav is not the only one doing that. Maybe it's up to the distribution setting this kind of home directories. Only nologin-accounts are affected, maybe for double-securing that this account can't be used for logins and is only used for background processes:
Code: | # grep null /etc/passwd
man:x:13:15:System user; man:/dev/null:/sbin/nologin
fcron:x:101:247:A user for sys-process/fcron:/dev/null:/sbin/nologin
messagebus:x:102:246:System user; messagebus:/dev/null:/sbin/nologin
distcc:x:240:240:User used to run distcc daemon:/dev/null:/sbin/nologin
ntp:x:123:123:user for ntp daemon:/dev/null:/sbin/nologin
mysql:x:60:60:MySQL program user; user account removed @ 2022-07-26:/dev/null:/sbin/nologin
gkrellmd:x:103:102:user for gkrellm daemon; user account removed @ 2023-01-31:/dev/null:/sbin/nologin
tcpdump:x:104:101:added by portage for tcpdump:/dev/null:/sbin/nologin
dnsmasq:x:106:997:User for net-dns/dnsmasq:/dev/null:/sbin/nologin
vnstat:x:109:993:User for vnstat network monitoring:/dev/null:/sbin/nologin
hsqldb:x:110:992:added by portage for hsqldb:/dev/null:/bin/sh
ddclient:x:112:990:added by portage for ddclient:/dev/null:/sbin/nologin
systemd-bus-proxy:x:115:984:added by portage for systemd:/dev/null:/sbin/nologin
systemd-network:x:116:983:added by portage for systemd:/dev/null:/sbin/nologin
systemd-resolve:x:117:982:added by portage for systemd:/dev/null:/sbin/nologin
systemd-timesync:x:118:981:added by portage for systemd:/dev/null:/sbin/nologin
nullmail:x:88:88:added by portage for nullmailer:/var/nullmailer:/sbin/nologin
saned:x:120:979:User for media-gfx/sane-backends:/dev/null:/sbin/nologin
dhcp:x:122:977:user for dhcp daemon; user account removed @ 2022-07-26:/dev/null:/sbin/nologin
sockd:x:125:214:A user for net-proxy/dante:/dev/null:/sbin/nologin
at:x:25:25:user for at daemon:/dev/null:/sbin/nologin
tss:x:126:973:Trusted Software Stack for TPMs user:/dev/null:/sbin/nologin
rtkit:x:127:972:User for the Realtime Policy and Watchdog Daemon; user account removed @ 2022-11-04:/dev/null:/sbin/nologin
clamav:x:130:969:System user; clamav:/dev/null:/sbin/nologin
davfs2:x:420:999:System user; davfs2:/dev/null:/sbin/nologin
openvpn:x:999:966:User for net-vpn/openvpn:/dev/null:/sbin/nologin
nm-openvpn:x:998:965:A user for net-vpn/networkmanager-openvpn:/dev/null:/sbin/nologin
pcap:x:377:377:User for capturing network traffic:/dev/null:/sbin/nologin
avahi:x:61:61:user for avahi:/dev/null:/sbin/nologin
svn:x:399:399:System user; svn:/dev/null:/sbin/nologin |
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 432 Location: Naarm/Melbourne, Australia
|
Posted: Thu Mar 21, 2024 11:51 am Post subject: |
|
|
Quoting the dev in that thread:
Quote: | that's not even a dir! |
Well, yeah. That's the point. If a service that doesn't need to be writing to its home directory, is trying to write to its home directory, that might indicate something is amiss, including an attempted exploitation of a security vulnerability. Sending the attempted write to /dev/null disrupts any such attempt.
Setting HOME like this, and SHELL to something like "/sbin/nologin", as in the output you shared, is a common practice. The dev isn't obligated by POSIX to allow for this, and there might or might not be a convention in this regard that other cron implementations follow, but i personally wouldn't want to use any cron implementation that didn't allow for this. |
|
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1902
|
Posted: Thu Mar 21, 2024 1:17 pm Post subject: |
|
|
If a home directory is required for clamav on a system, one can set ACCT_USER_CLAMAV_HOME in make.conf to a valid directory then rebuild acct-user/clamav. |
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1677 Location: South America
|
Posted: Thu Mar 21, 2024 4:39 pm Post subject: |
|
|
flexibeast wrote: | Quoting the dev in that thread:
Quote: | that's not even a dir! |
Well, yeah. That's the point. If a service that doesn't need to be writing to its home directory, [...] |
Looking at the code (for version 3.3.1), the message comes from this fragment of function become_user():
job.c
Code: | /* make sure HOME is defined and change dir to it */
if (chdir(home) != 0) {
    error_e("Could not chdir to HOME dir '%s'. Trying to chdir to '/'.",
            home);
    if (chdir("/") < 0)
        die_e("Could not chdir to HOME dir /");
} |
This is called when the daemon needs to run something with a certain effective user, and can't a priori know if that something (such as an arbitrary cron job) wants to write to the working directory. The working directory has to be some directory, so the fcron author(s) seemingly thought it would be wise to use the user's home directory retrieved from the account database. However, if chdir() fails, error_e() is not fatal, and "/" is used instead. All one sees in that case is the message in the OP. Hence, the "it looks like fcron falls back to '/' so it all seems fine from fcron's point of view?" remark in the GitHub issue.
If the message is annoying, grknight's solution seems the best. _________________
NeddySeagoon wrote: | I'm not a witch, I'm a retired electronics engineer |
Ionen wrote: | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
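An added example, not part of the thread or of fcron's source: it reproduces the chdir-then-"/" fallback from the fragment quoted above and also shows what happens to a write under a `/dev/null` home. `probe_home` and `struct home_probe` are hypothetical names chosen for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct home_probe {
    int chdir_errno;   /* 0 if chdir(home) succeeded */
    int fell_back;     /* 1 if "/" was used instead, as in the fcron fragment */
    int create_errno;  /* 0 if a file could be created under home */
};

/* Hypothetical helper: try chdir(home), fall back to "/", then try to
 * create home/<name> the way a job writing a dotfile under $HOME would. */
static struct home_probe probe_home(const char *home, const char *name)
{
    struct home_probe r = {0, 0, 0};
    char path[4096];
    int fd;

    if (chdir(home) != 0) {
        r.chdir_errno = errno;          /* ENOTDIR for /dev/null */
        if (chdir("/") == 0)
            r.fell_back = 1;
    }

    snprintf(path, sizeof path, "%s/%s", home, name);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        r.create_errno = errno;         /* path resolution fails, even for root */
    } else {
        close(fd);
        unlink(path);                   /* leave nothing behind */
    }
    return r;
}

int main(void)
{
    struct home_probe r = probe_home("/dev/null", ".probe");
    printf("chdir: %s, fell back to /: %d, create: %s\n",
           r.chdir_errno ? strerror(r.chdir_errno) : "ok", r.fell_back,
           r.create_errno ? strerror(r.create_errno) : "ok");
    return 0;
}
```

With `/dev/null` as home, both the chdir and the file creation fail with "Not a directory", while the working directory ends up as "/", so relative paths used by the job resolve against the root directory.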
flexibeast Guru
Joined: 04 Apr 2022 Posts: 432 Location: Naarm/Melbourne, Australia
|
Posted: Fri Mar 22, 2024 12:25 am Post subject: |
|
|
GDH-gentoo wrote: | This is called when the daemon needs to run something with a certain effective user, and can't a priori know if that something (such as an arbitrary cron job) wants to write to the working directory. The working directory has to be some directory, so the fcron author(s) seemingly thought it would be wise to use the user's home directory retrieved from the account database. However, if chdir() fails, error_e() is not fatal, and "/" is used instead. All one sees in that case is the message in the OP. Hence, the "it looks like fcron falls back to '/' so it all seems fine from fcron's point of view?" remark in the GitHub issue. |
Good point. i stand corrected. |
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Wed Jun 19, 2024 12:55 pm Post subject: |
|
|
Hi, do we have any official reference that setting a user's home to /dev/null is a valid setting? It seems that this home is set for accounts that are only needed for process environments while disallowing interactive logins. Is Gentoo the only distribution doing that?
At least in the upstream bug I was not able to convince the developer that home being /dev/null is a valid situation. |
|
RumpletonBongworth n00b
Joined: 17 Jun 2024 Posts: 74
|
Posted: Wed Jun 19, 2024 4:04 pm Post subject: |
|
|
Massimo B. wrote: | Hi, do we have any official reference that setting a user's home to /dev/null is a valid setting? It seems that this home is set for accounts that are only needed for process environments while disallowing interactive logins. Is Gentoo the only distribution doing that?
At least in the upstream bug I was not able to convince the developer that home being /dev/null is a valid situation. |
Gentoo is probably not the only distribution that has ever done this but I doubt that you'll find anything that credibly validates it as a practice. I agree with the developer. The consequence of setting /dev/null as a home directory is that chdir(2) syscalls will fail where given its path. But what particular reason is there to want for that as an outcome? It doesn't provide any concrete security guarantees; a given application can still respond to the failure in any way it pleases. The application is certainly not obligated to drop what it is doing and abort. It doesn't even necessarily disable interactive logins! For login(1) and sshd(8) at least, specifying /sbin/nologin as a 'shell' is rather more useful.
All in all, it just seems to be an effective way of achieving broadly undefinable behaviour. I'd probably just specify /var/empty for unprivileged accounts that have no reasonably definable home directory because:
- one need not guess at how a given application is going to handle chdir(2) otherwise failing
- without CAP_DAC_OVERRIDE, a non-root EUID can't modify anything there anyway
- subsequent syscalls involving relative paths not leading outside of /var/empty will always fail since it is empty (they might as well)
|
|
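An added example, not part of the thread: a small audit of passwd(5) lines that reports, separately, whether the home field is `/dev/null` and whether the shell field still names something other than a `nologin`/`false` stub. The sample lines are copied from the `/etc/passwd` listing earlier in the thread; `passwd_field`, `audit_entry` and the flag names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define HOME_NOT_DIR  1  /* home field is /dev/null */
#define SHELL_ALLOWED 2  /* shell is not a nologin/false stub */

/* Copy colon-separated field idx (0-based) of a passwd line into out.
 * Returns 0 on success, -1 if the field is missing or too long. */
static int passwd_field(const char *line, int idx, char *out, size_t n)
{
    const char *p = line;
    while (idx-- > 0) {
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    size_t len = strcspn(p, ":\n");
    if (len >= n)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Returns a bitmask of the flags above, or -1 for a malformed line. */
static int audit_entry(const char *line)
{
    char home[256], shell[256];
    int flags = 0;

    if (passwd_field(line, 5, home, sizeof home) != 0 ||
        passwd_field(line, 6, shell, sizeof shell) != 0)
        return -1;
    if (strcmp(home, "/dev/null") == 0)
        flags |= HOME_NOT_DIR;
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;   /* an empty shell field means a default shell */
    if (strcmp(base, "nologin") != 0 && strcmp(base, "false") != 0)
        flags |= SHELL_ALLOWED;
    return flags;
}

int main(void)
{
    const char *sample[] = {  /* lines taken from the listing in the thread */
        "clamav:x:130:969:System user; clamav:/dev/null:/sbin/nologin",
        "hsqldb:x:110:992:added by portage for hsqldb:/dev/null:/bin/sh",
        "nullmail:x:88:88:added by portage for nullmailer:/var/nullmailer:/sbin/nologin",
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("flags=%d  %s\n", audit_entry(sample[i]), sample[i]);
    return 0;
}
```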
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Mon Jun 24, 2024 3:26 pm Post subject: |
|
|
RumpletonBongworth wrote: | All in all, it just seems to be an effective way of achieving broadly undefinable behaviour. |
Does that mean, you would recommend a change request for Gentoo to change that? Anybody else? Afterwards I could file a bug report for that, if I'm sure there is some stronger opinion about that here. |
|
RumpletonBongworth n00b
Joined: 17 Jun 2024 Posts: 74
|
Posted: Mon Jun 24, 2024 3:44 pm Post subject: |
|
|
Massimo B. wrote: | Does that mean, you would recommend a change request for Gentoo to change that? |
Yes, I would. As far as I can gather, the practice amounts only to a nuisance at best. At the very least, the answer to the question, why do this, ought to be a better one than to say that we always have. |
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1677 Location: South America
|
Posted: Mon Jun 24, 2024 9:24 pm Post subject: |
|
|
Massimo B. wrote: | Anybody else? |
I recommend doing nothing, since fcron (still talking about it, right?) handles this gracefully, as explained, or doing what grknight said if the logged message is considered annoying. |
|
|