GNOME Bugzilla – Bug 332955
beagle-crawl-system fails when beagleindex user has no shell
Last modified: 2006-04-17 20:16:07 UTC
Upstreaming from: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183360

Description of problem:
beagle-0.2.1-12 includes a cron task intended to crawl contents from several system-wide locations, like documentation files and application shortcuts. This cron task is implemented by the /usr/libexec/beagle-crawl-system sh script. Since beagle refuses to run as root, this crawling task is run as user beagleindex, storing the indexes under /var/cache/beagle/indexes. The problem is that beagle-crawl-system runs as root and invokes beagle through su to impersonate the beagleindex user. However, since the beagleindex user has no shell, the invocation of beagle fails. I have attached a patch to impersonate the beagleindex user and invoke beagle using /bin/bash.

Version-Release number of selected component (if applicable):
beagle-0.2.1-12

How reproducible:
Always

Steps to Reproduce:
1. As root, launch /usr/libexec/beagle-crawl-system
2. Nothing will happen
Patch is attached as: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=125406
*** Bug 332956 has been marked as a duplicate of this bug. ***
Since the beagleindex user exists solely for running beagle-crawl, why not give the user a shell? Maybe make it explicit in the documentation that when creating the user, it should be given a shell. Will giving a shell to a user who has no other use create a security problem?
Probably. It's Fedora policy to set all system users to use the "nologin" shell. If nothing else, it helps determine who is a real user and who isn't.
Is using /bin/bash as the default shell a good idea for all distributions?
We already assume bash throughout the code, so it's safe to depend on.
It's not wise to give a system user a shell. The most obvious reason is that in the event the system user gets a password set, a remote user can login as that user. I understand that this is not always a common occurrence, but why even leave this attack vector open when it's possible to fix this. Without a real shell, there is also the advantage that commands such as 'ssh user@host command' don't work. The old saying "An ounce of prevention is worth a pound of cure." applies here.
I was talking about the shell script that is run; mandating that the beagleindex user has a shell isn't acceptable.
Makes sense. I will commit the change sometime today. I do have another concern. Mono requires a writable MONO_SHARED_DIR to run. By default MONO_SHARED_DIR points to $HOME/.wapi, which turned out to be a problem when I started beagle-crawl-system with a new beagleuser w/out shell or home directory. A common fix is to point MONO_SHARED_DIR to something like /tmp/.beagleuserwapi with permission 700 and delete it after crawling has been done. Is there any security risk in that?
That should be fine I think. But make sure the files below MONO_SHARED_DIR are 600.
Created attachment 63645 [details] [review] nologin and nohome patch
I am very bad at security. Someone please check the attached patch and let me know if it's secure enough. The patch removes the requirement of a shell and home directory for the beagle-crawl user.
All you should really do for a temporary directory is this command:
MONO_SHARED_DIR=`mktemp -dt beagleindexwapi.XXXXXXXXXX`
That will create a temporary directory which is unique and has secure permissions (700). All you will have to do is delete the directory when you're done. This will create a dependency on the mktemp program (which is not POSIX), but it's well worth it as it does all the messy safe temporary file creation bits for you.
mktemp is included by default in my distribution and probably the most common ones. But is it safe to assume it exists in (almost) all distributions? I am trying to find out what other gnome projects use.
Created attachment 63734 [details] [review] updated patch using mktemp
Any security races in this one? (I don't think I should check for mktemp in ./configure, it looks to be very common; should I?)
Comment on attachment 63734 [details] [review] updated patch using mktemp >+export TMPDIR=/tmp >+ >+# Mono requires a writable wapi directory >+MONO_SHARED_DIR=`mktemp -d -p /tmp .beagleindexwapi.XXXXXXXXXX`|| ( echo "Can't create wapi directory!" ; exit 1 ) Did you want to pass $TMPDIR to mktemp instead of literal /tmp ?
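Review bot: the failure branch `|| ( echo "Can't create wapi directory!" ; exit 1 )` runs in a subshell, so `exit 1` only leaves that subshell and the script carries on with MONO_SHARED_DIR empty; use a brace group, `|| { echo "Can't create wapi directory!" >&2; exit 1; }`, so the script actually stops. The literal `-p /tmp` also ignores the TMPDIR exported on the line just above it, so the two should agree.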
Crap :( I wanted to pass $TMPDIR instead of literal /tmp.
----------------------
export TMPDIR=/tmp
# Mono requires a writable wapi directory
MONO_SHARED_DIR=`mktemp -d -p "$TMPDIR" .beagleindexwapi.XXXXXXXXXX` || { echo "Can't create wapi directory!" >&2; exit 1; }
----------------------
Is that ok?
> chown $CRAWL_USER.$CRAWL_USER $MONO_SHARED_DIR That won't work on some distros, not all of them have a group of the crawl user. Just doing "chown $CRAWL_USER $MONO_SHARED_DIR" should be enough.
Hmmm.. I was thinking that having a directory with group set to root but beagleindex-writable might be insecure. On second thought, that shouldn't cause any security problem. I am committing the patch. Reopen if there are still any issues.
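A worked version of the pattern the thread settles on (a per-run mktemp directory for MONO_SHARED_DIR, handed to the crawl user, the indexer run through an explicit shell so the account can keep nologin, and the directory removed on every exit path), added here as an example and not the beagle project's own beagle-crawl-system script; CRAWL_USER and CRAWL_CMD are assumed names, and TMPDIR defaults to /tmp as in the patch above.

```shell
#!/bin/sh
# Added example, not the beagle project's beagle-crawl-system script.
# CRAWL_USER and CRAWL_CMD are assumed names; run_crawl expects to be root.

CRAWL_USER=${CRAWL_USER:-beagleindex}
CRAWL_CMD=${CRAWL_CMD:-beagle-build-index}
export TMPDIR=${TMPDIR:-/tmp}

# mktemp -d creates a fresh 0700 directory under $TMPDIR and fails rather
# than reusing a predictable path that someone else could have pre-created.
make_wapi_dir() {
    mktemp -d "$TMPDIR/.beagleindexwapi.XXXXXXXXXX"
}

# Check before handing the directory to the crawl user: it must be a real
# directory (not a symlink) and nobody but the owner may read or write it.
wapi_dir_ok() {
    [ -d "$1" ] && [ ! -L "$1" ] &&
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# The wapi files are per-run state only, so the whole directory goes.
cleanup_wapi_dir() {
    [ -z "$1" ] || rm -rf -- "$1"
}

# Run the crawl as CRAWL_USER. 'su -s' supplies the shell explicitly, which
# is what lets /etc/passwd keep /sbin/nologin for the account.
run_crawl() {
    wapi=$(make_wapi_dir) || { echo "Can't create wapi directory!" >&2; return 1; }
    # Remove the directory whether the crawl succeeds, fails or is interrupted.
    trap 'cleanup_wapi_dir "$wapi"' EXIT INT TERM
    wapi_dir_ok "$wapi" || { echo "Unsafe wapi directory: $wapi" >&2; return 1; }
    # Owner only; no group given, since not every distro has a matching group.
    chown "$CRAWL_USER" "$wapi" || return 1
    su -s /bin/sh "$CRAWL_USER" -c "MONO_SHARED_DIR='$wapi' exec $CRAWL_CMD"
}
```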