Ubuntu
cron package

@reboot jobs don't start for sssd users

Bug #1593317 reported by Ludwin Janvier on 2016-06-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	cron (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

How to reproduce:

* Have a sssd user with a @reboot task:
# crontab -lu sssd-user
@reboot date > /tmp/$LOGNAME-crontab
* reboot
* the task was not started. look at systemctl logs:
# systemctl status cron
● cron.service - Regular background program processing daemon
   Loaded: loaded (/lib/systemd/system/cron.service; enabled; vendor preset: enabled)
   Active: active (running) since jeu. 2016-06-16 17:58:15 CEST; 5min ago
     Docs: man:cron(8)
Main PID: 931 (cron)
   CGroup: /system.slice/cron.service
           └─931 /usr/sbin/cron -f

juin 16 17:58:15 hostname systemd[1]: Started Regular background program processing daemon.
juin 16 17:58:15 hostname cron[931]: (CRON) INFO (pidfile fd = 3)
juin 16 17:58:17 hostname cron[931]: (CRON) INFO (Running @reboot jobs)
juin 16 17:58:18 hostname CRON[1068]: pam_sss(cron:account): Request to sssd failed. Connexion refusée
juin 16 17:58:19 hostname cron[931]: Le service d'authentification n'a pas pu récupérer les informations d'authentification

# systemctl status sssd.service
* sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2016-06-16 17:58:29 CEST; 7min ago
  Process: 878 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 1167 (sssd)
   CGroup: /system.slice/sssd.service
           |-1167 /usr/sbin/sssd -D -f
           |-1168 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --debug-to-files
           |-1214 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           |-1215 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           `-1216 /usr/lib/x86_64-linux-gnu/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files

Jun 16 17:58:15 hostname systemd[1]: Starting System Security Services Daemon...
Jun 16 17:58:28 hostname sssd[1167]: Starting up
Jun 16 17:58:29 hostname sssd[be[1168]: Starting up
Jun 16 17:58:29 hostname systemd[1]: Started System Security Services Daemon.
Jun 16 17:58:29 hostname sssd[1216]: Starting up
Jun 16 17:58:29 hostname sssd[1215]: Starting up
Jun 16 17:58:29 hostname sssd[1214]: Starting up

As you can see, the @reboot jobs are started a few seconds before my sssd domain.

* How to fix it
Tell systemd to start cron after sssd.
File /lib/systemd/system/cron.service, section [unit], add
After=sssd.service

This patch seems to have no effect on systems with no sssd service

Tags:

CVE References

2017-9525

Ludwin Janvier (lud-janvier) on 2016-06-16

tags:

added: xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-04-28:

Download full text (6.9 KiB)

This bug was fixed in the package cron - 3.0pl1-133ubuntu1

---------------
cron (3.0pl1-133ubuntu1) eoan; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/control:
      + Move MTA to Suggests field.
    - d/cron.default: change to a deprecated message to make it clear
      that the file is no longer in use.
  * Dropped changes, no longer needed:
    - Drop upstart system jobs; transition completed as of 18.04.
    - Handle /etc/init.d/cron symlink→ real file transition; completed as of
      18.04.

cron (3.0pl1-133) unstable; urgency=medium

  * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
    If these files exist, then they must be readable by the user executing
    crontab(1). Users will now be denied by default if they aren't.
    (LP: #1813833)
  * SECURITY: Fix for possible DoS by use-after-free
    A user reported a use-after-free condition in the cron daemon, leading to a
    possible Denial-of-Service scenario by crashing the daemon.
    (Closes: #809167)
  * SECURITY: DoS: Fix unchecked return of calloc()
    Florian Weimer discovered that a missing check for the return value of
    calloc() could crash the daemon, which could be triggered by a very
    large crontab created by a user.
  * Enforce maximum crontab line count of 1000 to prevent a malicious user
    from creating an excessivly large crontab. The daemon will log a warning
    for existing files, and crontab(1) will refuse to create new ones.
  * Add d/NEWS altering to the new 1000 lines limit.
  * Move /var/run/crond.reboot to /run/crond.reboot.
  * crontab.5: Reverse the info on tilde expansion. When setting PATH, most
    shells will not expand a tilde. Thanks, Tim Landscheidt, for the analysis.
    (Closes: #801328)
  * Fixes for numerous man page issues. Remove trailing whitespace, use proper
    escapes, etc. Thanks, Bjarni Ingi Gislason! (Closes: #893575, #893579)
  * crontab.1: Drop duplicate DIAGNOSTICS header.
  * daemon: Only support the 'x' debug option in debug builds.

cron (3.0pl1-132) unstable; urgency=medium

  [ Christian Kastner ]
  * postinst: Properly test for regular file
    cron.postinst checked for a regular file by parsing the stat output,
    instead of simply relying on test(1)
  * Mark package cron as Multi-Arch: foreign (Closes: #878363)

[ Stéphane Blondon ]
* Add forgotten '\n' to a line in the crontab header (Closes: #898119)

cron (3.0pl1-131) unstable; urgency=medium

  [ Boyuan Yang ]
  * debian/control:
    - Merge duplicated build-dependency entry for debhelper
    - Update Vcs-* fields and use git repo under Salsa Debian group
      (Closes: #913484)
    - Add dependency to sensible-utils (Closes: #913483)
  * debian/rules: Do not explicitly invoke dpkg-architecture for architecture
    variables. Instead we are now using /usr/share/dpkg/architecture.mk to
    provide them

[ Bjarni Ingi Gislason ]
* crontab.1: Some format fixes in the manual. (Closes: #893576)

This bug was fixed in the package cron - 3.0pl1-133ubuntu1

---------------
cron (3.0pl1-133ubuntu1) eoan; urgency=low

* Merge from Debian unstable.  Remaining changes:
    - debian/control:
      + Move MTA to Suggests field.
    - d/cron.default: change to a deprecated message to make it clear
      that the file is no longer in use.
  * Dropped changes, no longer needed:
    - Drop upstart system jobs; transition completed as of 18.04.
    - Handle /etc/init.d/cron symlink→ real file transition; completed as of
      18.04.

cron (3.0pl1-133) unstable; urgency=medium

cron (3.0pl1-132) unstable; urgency=medium

[ Stéphane Blondon ]
  * Add forgotten '\n' to a line in the crontab header (Closes: #898119)

cron (3.0pl1-131) unstable; urgency=medium

[ Bjarni Ingi Gislason ]
  * crontab.1: Some format fixes in the manual. (Closes: #893576)

[ Christian Kastner ]
  * d/control:
    - Switch Build-Depends from debhelper to debhelper-compat
    - Add Rules-Requires-Root: no
      We don't need (fake)root for building the package
    - Drop ancient dpkg Pre-Depends and Breaks
      The versioned dependencies are older than oldoldstable
    - Bump debhelper compatibility level to 12
    - Switch to https in Homepage field
    - Bump Standards-Version to 4.3.0
    - binary package cron:
      + Add Pre-Depends: ${misc:Pre-Depends} for init-system-helpers
      + Switch cron MTA Recommends to default-mta | mail-transport-agent
        Recommend these virtual packages rather than specific MTAs
      + Move unqualified debhelper control files to from * to cron.*
  * Remove now obsolete d/compat
  * d/rules:
    - systemd sequence has been removed in compatibility level 11
    - Drop override_dh_compress
      Examples are no longer compressed in compatibility level 12
  * d/copyright:
    - Switch URL to official MRCF 1.0 policy
    - Ustream-Contact -> Upstream-Contact
  * Remove ancient cruft from maintainer scripts
    This cruft dealt with conffile tasks from before oldoldstable. As we don't
    provide a direct upgrade path from older releases, this is just maintenance
    overhead
  * Drop empty preinst maintainer script, as a result of the cruft removal
  * d/watch
    - Update to format version 4
    - Switch to https
  * Remove trailing whitespace from changelog
  * Remove trailing whitespace from debian/control

cron (3.0pl1-130) unstable; urgency=medium

* debian/postinst: Do not do check if /var/spool/cron/crontabs if empty
    (Closes: 892720, 892721, 892724)
  * debian/cron.service:
      - Add dependency on nss-user-lookup.target in the definition which
        properly fixes the issues when cron is started before centralised user
        repositories are available (e.g. LDAP or Active Directory). This
        should avoid errors in syslog similar to the following:
        "crond[PID]: (CRON) bad username (/etc/cron.d/JOBNAME)"
        (Closes: #767016, #801384, #783665) (LP: #1593317)
      - Also remove Type=idle change added in previous upload, which was not
        the correct fix to apply.
      - Add automatic restart on failure (Closes: #834728)
  * debian/cron.init: Revert previous change - instead of adding $all, add sssd
    to the services that should be started/stopped before/after cron.
  * crontab.5:
     - Add improvements and fixes to manpage provided by Philip Hands
      (Closes: #792572)
     - Document that system wide defaults run from 6 am to 7 am.
      (Closes: #757191)
     - Document how asterisks are processed in dom and dow fields using
       patch provided by Christian Pekeler (Closes: #840601)
       Also see https://treats.wdt.io/cron-bug.html
  * debian/crontab.main, crontab.5: Add documentation comments similarly as to
    how Fedora / Red Hat Enterprise Linux documents (crontab package). This
    comments more descriptive and provides inexperienced users with a better
    understanding of the syntax.  (Closes: #705570)

cron (3.0pl1-129) unstable; urgency=medium

* Acknowledge NMU
  * debian/cron.init, debian/cron.service: Make sure cron is started last and
    stopped first, with patch provided by Harald Dunke
    (Closes: #767016, #801384, #783665) (LP: #1593317)
  * crontab.1: Document limitation due to account renaming as described in
    Ubuntu's bug 73398
  * crontab.5: Document the need to set the DISPLAY environment when running
    scheduled tasks that interact with the user's desktop environment
    (LP: #891869)
  * cron.8: Fix typo (Closes: 819832)
  * debian/control: Replace dh-systemd dependency with debhelper (lintian fix)
  * debian/README.Debian: Update maintainer address

[ Christian Kastner ]
  * debian/postinst: Fix for CVE-2017-9525: group crontab to root escalation via postinst
  as described by Alexander Peslyak (Solar Designer) in
  http://www.openwall.com/lists/oss-security/2017/06/08/3
  (Closes: 864466)

-- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 22 Apr 2019 16:08:45 -0700

Changed in cron (Ubuntu):
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntucron package