[Bug 1593317] Re: @reboot jobs don't start for sssd users
Launchpad Bug Tracker
1593317 at bugs.launchpad.net
Sun Apr 28 06:43:32 UTC 2019
This bug was fixed in the package cron - 3.0pl1-133ubuntu1
---------------
cron (3.0pl1-133ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Move MTA to Suggests field.
- d/cron.default: change to a deprecated message to make it clear
that the file is no longer in use.
* Dropped changes, no longer needed:
- Drop upstart system jobs; transition completed as of 18.04.
- Handle /etc/init.d/cron symlink→ real file transition; completed as of
18.04.
cron (3.0pl1-133) unstable; urgency=medium
* SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
If these files exist, then they must be readable by the user executing
crontab(1). Users will now be denied by default if they aren't.
(LP: #1813833)
* SECURITY: Fix for possible DoS by use-after-free
A user reported a use-after-free condition in the cron daemon, leading to a
possible Denial-of-Service scenario by crashing the daemon.
(Closes: #809167)
* SECURITY: DoS: Fix unchecked return of calloc()
Florian Weimer discovered that a missing check for the return value of
calloc() could crash the daemon, which could be triggered by a very
large crontab created by a user.
* Enforce maximum crontab line count of 1000 to prevent a malicious user
from creating an excessively large crontab. The daemon will log a warning
for existing files, and crontab(1) will refuse to create new ones.
* Add d/NEWS altering to the new 1000 lines limit.
* Move /var/run/crond.reboot to /run/crond.reboot.
* crontab.5: Reverse the info on tilde expansion. When setting PATH, most
shells will not expand a tilde. Thanks, Tim Landscheidt, for the analysis.
(Closes: #801328)
* Fixes for numerous man page issues. Remove trailing whitespace, use proper
escapes, etc. Thanks, Bjarni Ingi Gislason! (Closes: #893575, #893579)
* crontab.1: Drop duplicate DIAGNOSTICS header.
* daemon: Only support the 'x' debug option in debug builds.
cron (3.0pl1-132) unstable; urgency=medium
[ Christian Kastner ]
* postinst: Properly test for regular file
cron.postinst checked for a regular file by parsing the stat output,
instead of simply relying on test(1)
* Mark package cron as Multi-Arch: foreign (Closes: #878363)
[ Stéphane Blondon ]
* Add forgotten '\n' to a line in the crontab header (Closes: #898119)
cron (3.0pl1-131) unstable; urgency=medium
[ Boyuan Yang ]
* debian/control:
- Merge duplicated build-dependency entry for debhelper
- Update Vcs-* fields and use git repo under Salsa Debian group
(Closes: #913484)
- Add dependency to sensible-utils (Closes: #913483)
* debian/rules: Do not explicitly invoke dpkg-architecture for architecture
variables. Instead we are now using /usr/share/dpkg/architecture.mk to
provide them
[ Bjarni Ingi Gislason ]
* crontab.1: Some format fixes in the manual. (Closes: #893576)
[ Christian Kastner ]
* d/control:
- Switch Build-Depends from debhelper to debhelper-compat
- Add Rules-Requires-Root: no
We don't need (fake)root for building the package
- Drop ancient dpkg Pre-Depends and Breaks
The versioned dependencies are older than oldoldstable
- Bump debhelper compatibility level to 12
- Switch to https in Homepage field
- Bump Standards-Version to 4.3.0
- binary package cron:
+ Add Pre-Depends: ${misc:Pre-Depends} for init-system-helpers
+ Switch cron MTA Recommends to default-mta | mail-transport-agent
Recommend these virtual packages rather than specific MTAs
+ Move unqualified debhelper control files from * to cron.*
* Remove now obsolete d/compat
* d/rules:
- systemd sequence has been removed in compatibility level 11
- Drop override_dh_compress
Examples are no longer compressed in compatibility level 12
* d/copyright:
- Switch URL to official MRCF 1.0 policy
- Ustream-Contact -> Upstream-Contact
* Remove ancient cruft from maintainer scripts
This cruft dealt with conffile tasks from before oldoldstable. As we don't
provide a direct upgrade path from older releases, this is just maintenance
overhead
* Drop empty preinst maintainer script, as a result of the cruft removal
* d/watch
- Update to format version 4
- Switch to https
* Remove trailing whitespace from changelog
* Remove trailing whitespace from debian/control
cron (3.0pl1-130) unstable; urgency=medium
* debian/postinst: Do not do check if /var/spool/cron/crontabs if empty
(Closes: 892720, 892721, 892724)
* debian/cron.service:
- Add dependency on nss-user-lookup.target in the definition which
properly fixes the issues when cron is started before centralised user
repositories are available (e.g. LDAP or Active Directory). This
should avoid errors in syslog similar to the following:
"crond[PID]: (CRON) bad username (/etc/cron.d/JOBNAME)"
(Closes: #767016, #801384, #783665) (LP: #1593317)
- Also remove Type=idle change added in previous upload, which was not
the correct fix to apply.
- Add automatic restart on failure (Closes: #834728)
* debian/cron.init: Revert previous change - instead of adding $all, add sssd
to the services that should be started/stopped before/after cron.
* crontab.5:
- Add improvements and fixes to manpage provided by Philip Hands
(Closes: #792572)
- Document that system wide defaults run from 6 am to 7 am.
(Closes: #757191)
- Document how asterisks are processed in dom and dow fields using
patch provided by Christian Pekeler (Closes: #840601)
Also see https://treats.wdt.io/cron-bug.html
* debian/crontab.main, crontab.5: Add documentation comments similarly as to
how Fedora / Red Hat Enterprise Linux documents (crontab package). This
makes the comments more descriptive and provides inexperienced users with a better
understanding of the syntax. (Closes: #705570)
cron (3.0pl1-129) unstable; urgency=medium
* Acknowledge NMU
* debian/cron.init, debian/cron.service: Make sure cron is started last and
stopped first, with patch provided by Harald Dunke
(Closes: #767016, #801384, #783665) (LP: #1593317)
* crontab.1: Document limitation due to account renaming as described in
Ubuntu's bug 73398
* crontab.5: Document the need to set the DISPLAY environment when running
scheduled tasks that interact with the user's desktop environment
(LP: #891869)
* cron.8: Fix typo (Closes: 819832)
* debian/control: Replace dh-systemd dependency with debhelper (lintian fix)
* debian/README.Debian: Update maintainer address
[ Christian Kastner ]
* debian/postinst: Fix for CVE-2017-9525: group crontab to root escalation via postinst
as described by Alexander Peslyak (Solar Designer) in
http://www.openwall.com/lists/oss-security/2017/06/08/3
(Closes: 864466)
-- Steve Langasek <steve.langasek at ubuntu.com>  Mon, 22 Apr 2019 16:08:45 -0700
** Changed in: cron (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9525
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cron in Ubuntu.
https://bugs.launchpad.net/bugs/1593317
Title:
@reboot jobs don't start for sssd users
Status in cron package in Ubuntu:
Fix Released
Bug description:
How to reproduce:
* Have a sssd user with a @reboot task:
# crontab -lu sssd-user
@reboot date > /tmp/$LOGNAME-crontab
* reboot
* the task was not started. look at systemctl logs:
# systemctl status cron
● cron.service - Regular background program processing daemon
Loaded: loaded (/lib/systemd/system/cron.service; enabled; vendor preset: enabled)
Active: active (running) since jeu. 2016-06-16 17:58:15 CEST; 5min ago
Docs: man:cron(8)
Main PID: 931 (cron)
CGroup: /system.slice/cron.service
└─931 /usr/sbin/cron -f
juin 16 17:58:15 hostname systemd[1]: Started Regular background program processing daemon.
juin 16 17:58:15 hostname cron[931]: (CRON) INFO (pidfile fd = 3)
juin 16 17:58:17 hostname cron[931]: (CRON) INFO (Running @reboot jobs)
juin 16 17:58:18 hostname CRON[1068]: pam_sss(cron:account): Request to sssd failed. Connexion refusée
juin 16 17:58:19 hostname cron[931]: Le service d'authentification n'a pas pu récupérer les informations d'authentification
# systemctl status sssd.service
* sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2016-06-16 17:58:29 CEST; 7min ago
Process: 878 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 1167 (sssd)
CGroup: /system.slice/sssd.service
|-1167 /usr/sbin/sssd -D -f
|-1168 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --debug-to-files
|-1214 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
|-1215 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
`-1216 /usr/lib/x86_64-linux-gnu/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
Jun 16 17:58:15 hostname systemd[1]: Starting System Security Services Daemon...
Jun 16 17:58:28 hostname sssd[1167]: Starting up
Jun 16 17:58:29 hostname sssd[be[1168]: Starting up
Jun 16 17:58:29 hostname systemd[1]: Started System Security Services Daemon.
Jun 16 17:58:29 hostname sssd[1216]: Starting up
Jun 16 17:58:29 hostname sssd[1215]: Starting up
Jun 16 17:58:29 hostname sssd[1214]: Starting up
As you can see, the @reboot jobs are started a few seconds before my
sssd domain.
* How to fix it
Tell systemd to start cron after sssd.
File /lib/systemd/system/cron.service, section [unit], add
After=sssd.service
This patch seems to have no effect on systems with no sssd service
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1593317/+subscriptions
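
Added example, not part of the bug report or the cron package: a shell check that a unit file's [Unit] section orders the service after nss-user-lookup.target (the ordering added in 3.0pl1-130) or sssd.service (the ordering proposed in the bug description). The function names and the sample unit files are constructed for illustration; the section name is matched exactly because systemd section names are case-sensitive.

```shell
#!/bin/sh
# Added example (not from the bug report or the cron package).
# Checks whether a unit file orders the service after user-lookup services,
# so @reboot jobs for SSSD/LDAP users are not run before lookups work.

# has_user_lookup_ordering FILE
# Exit 0 if an After= line in the [Unit] section names
# nss-user-lookup.target or sssd.service, else exit 1.
has_user_lookup_ordering() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/ {                           # section header
            in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/)   # case-sensitive match
            next
        }
        in_unit && /^[ \t]*After[ \t]*=/ {
            sub(/^[^=]*=/, "")                  # keep only the value
            n = split($0, units)                # whitespace-separated unit list
            for (i = 1; i <= n; i++)
                if (units[i] == "nss-user-lookup.target" ||
                    units[i] == "sssd.service") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_sample KIND FILE: constructed unit files for the demonstration.
write_sample() {
    case "$1" in
        unordered) printf '[Unit]\nDescription=cron\nAfter=remote-fs.target\n' ;;
        target)    printf '[Unit]\nAfter=remote-fs.target nss-user-lookup.target\n' ;;
        sssd)      printf '[Unit]\nAfter=sssd.service\n' ;;
        lowercase) printf '[unit]\nAfter=sssd.service\n' ;;
        wrongsect) printf '[Unit]\nDescription=cron\n[Service]\nAfter=sssd.service\n' ;;
    esac > "$2"
}

tmp=$(mktemp -d)
for kind in unordered target sssd lowercase wrongsect; do
    write_sample "$kind" "$tmp/$kind.service"
    if has_user_lookup_ordering "$tmp/$kind.service"; then
        echo "$kind: ordered after user lookup"
    else
        echo "$kind: NOT ordered after user lookup"
    fi
done
rm -rf "$tmp"
```

The lowercase and wrongsect samples fail the check: an After= line under a misspelled or different section does not order the unit.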