Cronjob

Biosko · 01-06-2013, 01:11 AM

Hello,
I am running mailserver and I installed logwatch into it. Normally when I executed logwatch via console or cronscript with root user everything works fine. But planned cronjob not working properly.

I am receiving emails like:

Code:

/etc/cron.daily/0logwatch:
sendmail: error while loading shared libraries: libcrypto.so.1.0.0: cannot enable executable stack as shared object requires: Permission denied

So I started with investigation:

1. library with name libcrypto exist on system and there are 2 samples of it:

Code:

openssl-1.0.0-25.el6_3.1.x86_64 : A general purpose cryptography library with
                                : TLS implementation
Repo        : installed
Matched from:
Filename    : /usr/lib64/libcrypto.so.1.0.0



zimbra-core-7.2.1_GA_2790.RHEL6_64-20120815212147.x86_64 : Zimbra Core
Repo        : installed
Matched from:
Filename    : /opt/zimbra/openssl-1.0.0j/lib/libcrypto.so.1.0.0

2. I tried to find out what permissions they have, looks like lib in /usr dir have w for root, but it should not be cause of problem I think

Code:

-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib64/libcrypto.so.1.0.0
-r-xr-xr-x. root root system_u:object_r:lib_t:s0       /opt/zimbra/openssl-1.0.0j/lib/libcrypto.so.1.0.0

3. Then I found out, its SELinux related and I found this in audit.log

Code:

type=AVC msg=audit(1357439119.411:13817): avc:  denied  { execstack } for  pid=22452 comm="sendmail" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1357439119.411:13817): arch=c000003e syscall=10 success=no exit=-13 a0=7fff604bf000 a1=1000 a2=1000007 a3=7fc0c2ffb000 items=0 ppid=22159 pid=22452 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=778 comm="sendmail" exe="/opt/zimbra/postfix-2.7.10.3z/sbin/sendmail" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

4. I found out that libraries have different GNU STACK
/usr/lib64/libcrypto.so.1.0.0

Code:

Elf file type is DYN (Shared object file)
Entry point 0x5ca00
There are 7 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000173324 0x0000000000173324  R E    200000
  LOAD           0x0000000000173cd0 0x0000000000373cd0 0x0000000000373cd0
                 0x0000000000021ad0 0x00000000000257b8  RW     200000
  DYNAMIC        0x000000000018b510 0x000000000038b510 0x000000000038b510
                 0x00000000000001c0 0x00000000000001c0  RW     8
  NOTE           0x00000000000001c8 0x00000000000001c8 0x00000000000001c8
                 0x0000000000000024 0x0000000000000024  R      4
  GNU_EH_FRAME   0x0000000000145654 0x0000000000145654 0x0000000000145654
                 0x00000000000085d4 0x00000000000085d4  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     8
  GNU_RELRO      0x0000000000173cd0 0x0000000000373cd0 0x0000000000373cd0
                 0x0000000000018330 0x0000000000018330  R      1

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
   01     .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02     .dynamic
   03     .note.gnu.build-id
   04     .eh_frame_hdr
   05    
   06     .ctors .dtors .jcr .data.rel.ro .dynamic .got

/opt/zimbra/openssl-1.0.0j/lib/libcrypto.so.1.0.0

Code:

Elf file type is DYN (Shared object file)
Entry point 0x60a40
There are 6 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000189f24 0x0000000000189f24  R E    200000
  LOAD           0x000000000018a000 0x000000000038a000 0x000000000038a000
                 0x0000000000022170 0x0000000000025c20  RW     200000
  DYNAMIC        0x00000000001a2070 0x00000000003a2070 0x00000000003a2070
                 0x00000000000001c0 0x00000000000001c0  RW     8
  NOTE           0x0000000000000190 0x0000000000000190 0x0000000000000190
                 0x0000000000000024 0x0000000000000024  R      4
  GNU_EH_FRAME   0x000000000015b46c 0x000000000015b46c 0x000000000015b46c
                 0x0000000000008804 0x0000000000008804  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    8

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
   01     .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02     .dynamic
   03     .note.gnu.build-id
   04     .eh_frame_hdr
   05

Ok the questions are now:
a) why it doesnt work if I can run logwatch succesfuly via console w/o errors but with crontab it cannot work?
b) which library is used when the task is executed from crontab of these 2? its from usr or zimbra dir? how to find it out?
c) how to solve this problem? any suggestions?

Thank you very much for your time

unSpawn · 01-06-2013, 07:42 AM

Quote:

Originally Posted by Biosko

why it doesnt work if I can run logwatch succesfuly via console w/o errors but with crontab it cannot work?

Context of the executing user at the console (as in 'secon --self') vs crond (as in '\ps --no-headers -Ccrond -olabel')?

Quote:

Originally Posted by Biosko

which library is used when the task is executed from crontab of these 2? its from usr or zimbra dir? how to find it out?

I'd say the Zimbra one as the other doesn't have execstack problems to begin with.

Quote:

Originally Posted by Biosko

how to solve this problem?

As you noted the CentOS library doesn't require the executable stack flag to be set. That is good (see http://people.redhat.com/drepper/selinux-mem.html for the explanation). Before setting the Zimbra SSL library to unconfined_execmem_exec_t I'd make a backup, symlink it to the stock CentOS one and see if you can get away with that.

Quote:

Originally Posted by Biosko

Thank you very much for your time

And thank you for a verbose post. It's always nice to see people post the details that should be listed to begin with.

Biosko · 01-07-2013, 08:36 PM

Thank you for your reply unSpawn.

What I tested:

1. When the command logwatch was ran by anacron -> I am receiving permission denied error I mentioned in first post.

2. When the command logwatch was ran by root via console(manually) -> Everything is OK. I am receiving log.

3. When the command logwatch was ran by crontab(is defined in crontab, no anacron script) ->

Code:

Can't exec "sendmail": No such file or directory at /usr/sbin/logwatch line 1040, <TESTFILE> line 2.
Can't execute sendmail -t: No such file or directory

I thought that its problem that I have not linked alternatives, but I have. So acctually /usr/sbin/sendmail is link to /etc/alternatives/mta which is link to /opt/zimbra/postfix/sbin/sendmail.

Problem must be somewhere in execution.
So I opened logwatch.conf and changed sendmail -t into /opt/zimbra/postfix/sbin/sendmail -t.
Now I am receiving emails from logwatch by crontab.

I like anacron more but its also acceptable solution for me to receive this logs via crontab, because this server is always on and no interruptions.

In the end its working but I am still confused.

a) I dont understand why is crontab able to execute command logwatch which is in /usr/sbin directory but not able to execute sendmail command which is in the same directory.
b) I am facing like 3 different environments. 1. manually via console as root, 2. root crontab, 3. anacron
In every of these cases the situation is different. I thought that every of these use root environment but it looks like I was wrong. And I still dont know what is the difference between these 3 when executing command. In case 1 it works even it is only sendmail -t in logwatch.conf in case 2 it only works with absolute path in logwatch.conf in case 3 its not working at all.

unSpawn · 01-08-2013, 08:40 AM

Quote:

Originally Posted by Biosko

When the command logwatch was ran by crontab(is defined in crontab, no anacron script) ->

Code:

Can't exec "sendmail": No such file or directory at /usr/sbin/logwatch line 1040, <TESTFILE> line 2.
Can't execute sendmail -t: No such file or directory

Run a cron job just accessing '/usr/bin/env' to see if "/usr/sbin" is in its PATH. If not you could just prefix the path as /usr/sbin/sendmail already symlinks to /opt/zimbra/postfix/sbin/sendmail.

Quote:

Originally Posted by Biosko

I dont understand why is crontab able to execute command logwatch which is in /usr/sbin directory but not able to execute sendmail command which is in the same directory.

If you would have posted /etc/cron.daily/*logwatch* it would have been easier to determine but generally speaking on installation Logwatch will either drop a symlink in /etc/cron.daily/ to the Perl scripts actual location or may create a cronjob file. The latter may include the full path to the Perl scripts actual location.

Quote:

Originally Posted by Biosko

I am facing like 3 different environments. 1. manually via console as root, 2. root crontab, 3. anacron
In every of these cases the situation is different. I thought that every of these use root environment but it looks like I was wrong. And I still dont know what is the difference between these 3 when executing command. In case 1 it works even it is only sendmail -t in logwatch.conf in case 2 it only works with absolute path in logwatch.conf in case 3 its not working at all.

In addition to what I wrote above you can gather information from inside the actual process and see for yourself:

Code:

#!/bin/bash --
/usr/bin/env
secon --self
\ps --no-headers -C`basename $(readlink /proc/$$/exe)` -olabel
exit 0

Biosko · 01-09-2013, 07:13 AM

Thank you for reply.

Here are outputs:
From user root

Code:

HOSTNAME=xxxx
SHELL=/bin/bash
TERM=linux
HISTSIZE=1000
USER=root
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
MAIL=/var/spool/mail/root
_=/usr/bin/env
PWD=/root
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
HOME=/root
SHLVL=2
LOGNAME=root
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Crontab

Code:

SHELL=/bin/sh
USER=root
PATH=/usr/bin:/bin
_=/usr/bin/env
PWD=/root
HOME=/root
SHLVL=2
LOGNAME=root
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Anacron

Code:

SHELL=/bin/bash
MAILTO=xxxx
USER=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin
_=/usr/bin/env
PWD=/
HOME=/
SHLVL=4
LOGNAME=root
user: system_u
role: system_r
type: system_cronjob_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

So probably this explain, why I received command not found error from crontab.
Because it looks like there was no path defined to /usr/sbin.
Also it looks like on crontab vs anacron they have different user, role, type and maybe that is cause of that avc executable stack problem.

unSpawn · 01-09-2013, 09:13 AM

Quote:

Originally Posted by Biosko

So probably this explain, why I received command not found error from crontab.
Because it looks like there was no path defined to /usr/sbin.

Looks like it, yes.

Quote:

Originally Posted by Biosko

Also it looks like on crontab vs anacron they have different user, role, type and maybe that is cause of that avc executable stack problem.

No, the execstack problem is specific to the binary or library not the user.