Bugzilla – Bug 1150534
AUDIT-1: cacti: review of cron job file(s): /etc/cron.d/cacti
Last modified: 2020-02-28 12:07:04 UTC
+++ This bug was initially created as a clone of Bug #1150175 +++

As discussed in the proactive security team we want to restrict the installation of cron job files in the future. To achieve this we first need to cover the currently existing packages that do this. cacti installs a cron file in /etc/cron.d/cacti. It should be reviewed and subsequently whitelisted if all is well.
The cacti cron job runs /srv/www/cacti/poller.php as the 'wwwrun' user every five minutes. This PHP program is large and complex and thus a high risk candidate. It's difficult to completely review it. The plus side is that it only runs as the 'wwwrun' user, but still there might linger things like symlink attacks or local code execution in some way. The program works a lot with a local sqlite database but also spawns shell commands to some extent.
So I had a look today and yes, it's difficult to review. I have two concerns:

- A lot of data is taken from the cacti installation and used to influence how the jobs run. I couldn't find a direct way to exploit it in the time I spent on this, but most of the time was just me getting to grips with the codebase. I think this is kind of unavoidable with a program like this. When starting from scratch one could choose a design that has some well defined entry points that could be audited, but it is what it is.
- In poller.php, line 575, `$extra_args = api_plugin_hook_function('poller_command_args', $extra_args);` allows plugins to add arguments to the commands being executed. These arguments are not escaped, so it's left to the plugins to do this. I checked the default plugins and none of them are problematic. I'll talk to upstream if this is something that could be hardened without breaking existing plugins.

So with that I think we should whitelist the cron job since it's essential for cacti.
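The hardening idea raised in the comment above, as an added illustration that is not cacti's code and not part of the bug report: the plugin hook is modelled by a constructed stand-in (`api_plugin_hook_function_example`, a hypothetical name), `$extra_args` is assumed to be a whitespace-separated string, and `build_poller_command` is the assumed place where the caller escapes each token before the shell sees it.

```php
<?php
// Added example, not cacti's own code. Models the 'poller_command_args' hook
// described in the bug: plugins may append arguments that the caller does not escape.

// Constructed stand-in for the plugin registry and api_plugin_hook_function().
$plugin_hooks = [];

function api_plugin_hook_function_example(string $hook, string $extra_args): string
{
    global $plugin_hooks;
    // Each registered plugin callback receives the current value and returns it,
    // possibly extended; nothing here inspects what the plugin appended.
    foreach ($plugin_hooks[$hook] ?? [] as $callback) {
        $extra_args = $callback($extra_args);
    }
    return $extra_args;
}

// Unhardened shape: the hook result is appended to the shell command verbatim,
// so any shell metacharacter a plugin passes through reaches the shell.
function build_poller_command_raw(string $base_command, string $extra_args): string
{
    return $base_command . ' ' . $extra_args;
}

// Hardened shape: split the hook result into tokens and escape each one, so the
// shell only ever sees them as literal arguments of the poller binary.
function build_poller_command(string $base_command, string $extra_args): string
{
    $tokens = preg_split('/\s+/', trim($extra_args), -1, PREG_SPLIT_NO_EMPTY);
    return $base_command . ' ' . implode(' ', array_map('escapeshellarg', $tokens));
}

// Constructed plugin: well-behaved, but its value contains a ';' that a shell
// would treat as a command separator if passed through unescaped.
$plugin_hooks['poller_command_args'][] = function (string $args): string {
    return $args . ' --site=prod;status';
};

$extra = api_plugin_hook_function_example('poller_command_args', '--poller=1');

echo build_poller_command_raw('/usr/bin/php /srv/www/cacti/cmd.php', $extra), PHP_EOL;
// /usr/bin/php /srv/www/cacti/cmd.php --poller=1 --site=prod;status
echo build_poller_command('/usr/bin/php /srv/www/cacti/cmd.php', $extra), PHP_EOL;
// /usr/bin/php /srv/www/cacti/cmd.php '--poller=1' '--site=prod;status'
```

Splitting on whitespace is the compatibility caveat the comment alludes to: a plugin that relied on passing its own quoted or multi-word arguments would see them broken up, which is why the change has to be checked against existing plugins before upstreaming.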
Thank you Johannes for double-checking this package. I'll submit a whitelisting for the cron job. @aj@ajaissle.de: please care for bug 1160867.
The whitelisting will soon be submitted. I decoupled this audit bug from the hardening requested in bug 1160867. Therefore closing this bug here.