Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Bug#647193: /usr/sbin/cron: (*system*) NUMBER OF HARD LINKS > 1 (/etc/crontab)

57 views
Skip to first unread message

xavier renaut

unread,
Oct 31, 2011, 11:20:01 AM10/31/11
to
Package: cron
Version: 3.0pl1-120
Severity: normal


I hard link /etc/crontab to track it under svn, but
to have the checkout somewhere else than /etc/

So /etc/crontab has 2 hardlinks,
and cron is now complaining about it :
Oct 3 09:35:01 natch /usr/sbin/cron[3878]: (*system*) NUMBER OF HARD LINKS > 1 (/etc/crontab)

I saw an old vulnerability where cron and hardlinks
are involved : http://xforce.iss.net/xforce/xfdb/34097,
but the actual flaw was wrong rights on a directory.


Is there something to do ? or the security gain is too high for this to be fixed ?

thanks



-- Package-specific info:
--- EDITOR:
not set

--- /usr/bin/editor:
/bin/nano

--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 34048 Sep 18 17:21 /usr/bin/crontab

--- /var/spool/cron:
drwxr-xr-x 5 root root 120 Dec 1 2008 /var/spool/cron

--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 96 Oct 18 22:21 /var/spool/cron/crontabs

--- /etc/cron.d:
drwxr-xr-x 2 root root 360 Oct 26 16:24 /etc/cron.d

--- /etc/cron.daily:
drwxr-xr-x 2 root root 840 Oct 3 09:28 /etc/cron.daily

--- /etc/cron.hourly:
drwxr-xr-x 2 root root 80 Oct 3 09:19 /etc/cron.hourly

--- /etc/cron.monthly:
drwxr-xr-x 2 root root 112 Oct 3 09:19 /etc/cron.monthly

--- /etc/cron.weekly:
drwxr-xr-x 2 root root 184 Oct 3 09:19 /etc/cron.weekly


-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (900, 'testing'), (600, 'unstable'), (550, 'stable'), (449, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35.4.2.6.35.4-3-ws.2010.09.14 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cron depends on:
ii adduser 3.112 add and remove users and groups
ii debianutils 3.4 Miscellaneous utilities specific t
ii dpkg 1.15.8.4 Debian package management system
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libpam-runtime 1.1.1-4 Runtime support for the PAM librar
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip

Versions of packages cron recommends:
ii exim4 4.72-1 metapackage to ease Exim MTA (v4)
ii exim4-daemon-heavy [mail-tran 4.72-1 Exim MTA (v4) daemon with extended

Versions of packages cron suggests:
pn anacron <none> (no description available)
pn checksecurity <none> (no description available)
ii logrotate 3.7.8-6 Log rotation utility

Versions of packages cron is related to:
pn libnss-ldap <none> (no description available)
pn libnss-ldapd <none> (no description available)
pn libpam-ldap <none> (no description available)
pn libpam-mount <none> (no description available)
ii nis 3.17-31 clients and daemons for the Networ
pn nscd <none> (no description available)

-- Configuration Files:
/etc/crontab changed:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 0 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts -v --report /etc/cron.daily 2>&1 | awk '{print "[" strftime() "] " $0;fflush()}' >> /var/log/cron.daily.log 2>&1 )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

/etc/default/cron changed:
READ_ENV="yes"
EXTRA_OPTS="-L 15"


-- no debconf information



--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Christian Kastner

unread,
Oct 31, 2011, 7:30:01 PM10/31/11
to
Hi,

On 2011-10-31 15:32, xavier renaut wrote:
> I hard link /etc/crontab to track it under svn, but
> to have the checkout somewhere else than /etc/
>
> So /etc/crontab has 2 hardlinks,
> and cron is now complaining about it :
> Oct 3 09:35:01 natch /usr/sbin/cron[3878]: (*system*) NUMBER OF HARD LINKS > 1 (/etc/crontab)
>
> Is there something to do ? or the security gain is too high for this to be fixed ?

I'm afraid it's the latter; we can't allow that for security reasons.

What you could do is make /etc/crontab a symlink to the file in svn. The
symlink owner must be root, see cron(8).

Christian

PS: Personally, I can highly recommend the use a configuration
management system such as puppet or cfengine. etckeeper might also be of
interest to you.


signature.asc

Georges Khaznadar

unread,
Aug 27, 2023, 2:30:04 PM8/27/23
to
Hello,

this bug report is now twelve years old.

As Christian Kastner proposed a reasonable workaround for xavier
renaut's use case, and as xavier renaut sent no reply for many years, I
close this bug report.

Best regards, Georges.

Christian Kastner a écrit :
--
Georges KHAZNADAR et Jocelyne FOURNIER
22 rue des mouettes, 59240 Dunkerque France.
Téléphone +33 (0)3 28 29 17 70

signature.asc
0 new messages