Gentoo Forums
fcron, clamav: Could not chdir to HOME dir '/dev/null'
Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1771
Location: PB, Germany

Posted: Tue Mar 19, 2024 7:12 am    Post subject: fcron, clamav: Could not chdir to HOME dir '/dev/null'

Hi,

I have a (f)cron job for clamav:
Code:
# fcrontab -u clamav -l
2024-03-19 08:09:00  INFO listing clamav's fcrontab
%daily,first(45m)       * 05-10,14-17   fangfrisch -c /etc/fangfrisch.conf refresh

However in the logs I find a message about wrong HOME:
Code:
[fcron] Could not chdir to HOME dir '/dev/null'. Trying to chdir to '/'.: Not a directory
[fcron] Job 'fangfrisch -c /etc/fangfrisch.conf refresh' started for user clamav (pid 4977)

Indeed, HOME is set to /dev/null:
Code:
# grep clamav /etc/passwd
clamav:x:130:969:System user; clamav:/dev/null:/sbin/nologin

The cronjob seems to work anyway. Should I fix the HOME and file a bug report? Should fcron provide a bugfix?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
flexibeast
Guru
Joined: 04 Apr 2022
Posts: 324
Location: Naarm/Melbourne, Australia

Posted: Wed Mar 20, 2024 11:06 pm

Scanning the fcron manpages, i couldn't immediately see anything that might clarify the intended behaviour in this situation. It might be worth opening a new issue in the repo asking the dev about it.
Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1771
Location: PB, Germany

Posted: Thu Mar 21, 2024 9:15 am

So you mean, having a user with a /dev/null HOME is perfectly valid for cronjobs, and the issue is about fcron?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
flexibeast
Guru
Joined: 04 Apr 2022
Posts: 324
Location: Naarm/Melbourne, Australia

Posted: Thu Mar 21, 2024 10:31 am

As far as i can tell, POSIX doesn't specify any particular behaviour when HOME is "/dev/null". Having something like "/dev/null" or "/var/empty" as the value of HOME for certain 'system users', including services such as clamav, seems perfectly legitimate to me, for security reasons. So outside of any informal conventions that might exist, it would be up to specific implementations to decide how to handle such values.
Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1771
Location: PB, Germany

Posted: Thu Mar 21, 2024 10:34 am

As expected, the developer points to the invalid home being /dev/null:
https://github.com/yo8192/fcron/issues/25
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1771
Location: PB, Germany

Posted: Thu Mar 21, 2024 10:39 am

It seems clamav is not the only one doing that. Maybe it's up to the distribution to set this kind of home directory. Only nologin-accounts are affected, maybe for double-securing that this account can't be used for logins and is only used for background processes:
Code:
# grep null /etc/passwd
man:x:13:15:System user; man:/dev/null:/sbin/nologin
fcron:x:101:247:A user for sys-process/fcron:/dev/null:/sbin/nologin
messagebus:x:102:246:System user; messagebus:/dev/null:/sbin/nologin
distcc:x:240:240:User used to run distcc daemon:/dev/null:/sbin/nologin
ntp:x:123:123:user for ntp daemon:/dev/null:/sbin/nologin
mysql:x:60:60:MySQL program user; user account removed @ 2022-07-26:/dev/null:/sbin/nologin
gkrellmd:x:103:102:user for gkrellm daemon; user account removed @ 2023-01-31:/dev/null:/sbin/nologin
tcpdump:x:104:101:added by portage for tcpdump:/dev/null:/sbin/nologin
dnsmasq:x:106:997:User for net-dns/dnsmasq:/dev/null:/sbin/nologin
vnstat:x:109:993:User for vnstat network monitoring:/dev/null:/sbin/nologin
hsqldb:x:110:992:added by portage for hsqldb:/dev/null:/bin/sh
ddclient:x:112:990:added by portage for ddclient:/dev/null:/sbin/nologin
systemd-bus-proxy:x:115:984:added by portage for systemd:/dev/null:/sbin/nologin
systemd-network:x:116:983:added by portage for systemd:/dev/null:/sbin/nologin
systemd-resolve:x:117:982:added by portage for systemd:/dev/null:/sbin/nologin
systemd-timesync:x:118:981:added by portage for systemd:/dev/null:/sbin/nologin
nullmail:x:88:88:added by portage for nullmailer:/var/nullmailer:/sbin/nologin
saned:x:120:979:User for media-gfx/sane-backends:/dev/null:/sbin/nologin
dhcp:x:122:977:user for dhcp daemon; user account removed @ 2022-07-26:/dev/null:/sbin/nologin
sockd:x:125:214:A user for net-proxy/dante:/dev/null:/sbin/nologin
at:x:25:25:user for at daemon:/dev/null:/sbin/nologin
tss:x:126:973:Trusted Software Stack for TPMs user:/dev/null:/sbin/nologin
rtkit:x:127:972:User for the Realtime Policy and Watchdog Daemon; user account removed @ 2022-11-04:/dev/null:/sbin/nologin
clamav:x:130:969:System user; clamav:/dev/null:/sbin/nologin
davfs2:x:420:999:System user; davfs2:/dev/null:/sbin/nologin
openvpn:x:999:966:User for net-vpn/openvpn:/dev/null:/sbin/nologin
nm-openvpn:x:998:965:A user for net-vpn/networkmanager-openvpn:/dev/null:/sbin/nologin
pcap:x:377:377:User for capturing network traffic:/dev/null:/sbin/nologin
avahi:x:61:61:user for avahi:/dev/null:/sbin/nologin
svn:x:399:399:System user; svn:/dev/null:/sbin/nologin

_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
flexibeast
Guru
Joined: 04 Apr 2022
Posts: 324
Location: Naarm/Melbourne, Australia

Posted: Thu Mar 21, 2024 11:51 am

Quoting the dev in that thread:

Quote:
that's not even a dir!

Well, yeah. That's the point. :-) If a service that doesn't need to be writing to its home directory, is trying to write to its home directory, that might indicate something is amiss, including an attempted exploitation of a security vulnerability. Sending the attempted write to /dev/null disrupts any such attempt.

Setting HOME like this, and SHELL to something like "/sbin/nologin", as in the output you shared, is a common practice. The dev isn't obligated by POSIX to allow for this, and there might or might not be a convention in this regard that other cron implementations follow, but i personally wouldn't want to use any cron implementation that didn't allow for this.
grknight
Retired Dev
Joined: 20 Feb 2015
Posts: 1661

Posted: Thu Mar 21, 2024 1:17 pm

If a home directory is required for clamav on a system, one can set ACCT_USER_CLAMAV_HOME in make.conf to a valid directory then rebuild acct-user/clamav.
GDH-gentoo
Veteran
Joined: 20 Jul 2019
Posts: 1537
Location: South America

Posted: Thu Mar 21, 2024 4:39 pm

flexibeast wrote:
Quoting the dev in that thread:

Quote:
that's not even a dir!

Well, yeah. That's the point. :-) If a service that doesn't need to be writing to its home directory, [...]

Looking at the code (for version 3.3.1), the message comes from this fragment of function become_user():

job.c
Code:
    /* make sure HOME is defined and change dir to it */
    if (chdir(home) != 0) {
        error_e("Could not chdir to HOME dir '%s'. Trying to chdir to '/'.",
                home);
        if (chdir("/") < 0)
            die_e("Could not chdir to HOME dir /");
    }

This is called when the daemon needs to run something with a certain effective user, and can't a priori know if that something (such as an arbitrary cron job) wants to write to the working directory. The working directory has to be some directory, so the fcron author(s) seemingly thought it would be wise to use the user's home directory retrieved from the account database. However, if chdir() fails, error_e() is not fatal, and "/" is used instead. All one sees in that case is the message in the OP. Hence, the "it looks like fcron falls back to '/' so it all seems fine from fcron's point of view?" remark in the GitHub issue.

If the message is annoying, grknight's solution seems the best.
_________________
NeddySeagoon wrote:
I'm not a witch, I'm a retired electronics engineer :)
Ionen wrote:
As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though :)
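
The fallback discussed in the post above, as a stand-alone added example (not fcron's code and not written by any poster in this thread). The helper names `enter_workdir` and `try_write_under_home` are hypothetical; the block shows that chdir() to /dev/null fails with ENOTDIR, that the process then ends up in "/", and that creating a file below such a HOME fails the same way.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper with the same fallback order as the fragment quoted
 * above: try HOME first, then "/". Returns 0 if HOME was entered, 1 if the
 * fallback "/" was entered, -1 if both failed. *home_errno gets the errno
 * of the failed chdir(home), or 0 when it succeeded. */
int enter_workdir(const char *home, int *home_errno)
{
    *home_errno = 0;
    if (chdir(home) == 0)
        return 0;
    *home_errno = errno;
    return chdir("/") == 0 ? 1 : -1;
}

/* Hypothetical probe: create a file below `home`, as a job writing a
 * dotfile would. Returns 0 on success, else the errno from open(). */
int try_write_under_home(const char *home, const char *name)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return ENAMETOOLONG;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    const char *home = "/dev/null";  /* home field of the clamav passwd entry */
    char cwd[4096];
    int err;
    int rc = enter_workdir(home, &err);

    printf("chdir(%s): %s, fallback rc=%d\n", home, strerror(err), rc);
    if (getcwd(cwd, sizeof cwd) != NULL)
        printf("working directory: %s\n", cwd);
    printf("open(%s/.probe): %s\n", home,
           strerror(try_write_under_home(home, ".probe")));
    return rc < 0;
}
```

After the fallback the job runs with "/" as its working directory, so any relative path it opens resolves against the filesystem root and is subject to that directory's permissions.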
flexibeast
Guru
Joined: 04 Apr 2022
Posts: 324
Location: Naarm/Melbourne, Australia

Posted: Fri Mar 22, 2024 12:25 am

GDH-gentoo wrote:
This is called when the daemon needs to run something with a certain effective user, and can't a priori know if that something (such as an arbitrary cron job) wants to write to the working directory. The working directory has to be some directory, so the fcron author(s) seemingly thought it would be wise to use the user's home directory retrieved from the account database. However, if chdir() fails, error_e() is not fatal, and "/" is used instead. All one sees in that case is the message in the OP. Hence, the "it looks like fcron falls back to '/' so it all seems fine from fcron's point of view?" remark in the GitHub issue.

Good point. i stand corrected.