Bug 1150543 - AUDIT-1: froxlor: review of cron job file(s): /etc/cron.d/froxlor
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other
OS: Other
Importance: P5 - None, Normal
Target Milestone: ---
Assigned To: Johannes Segitz
Depends on:
Blocks: 1150175
Reported: 2019-09-12 11:54 UTC by Matthias Gerstner
Modified: 2020-03-04 16:51 UTC (History)
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Matthias Gerstner 2019-09-12 11:54:16 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

froxlor ships a cron file in /etc/cron.d/froxlor. It should be reviewed and be
whitelisted if all is well.
Comment 1 Matthias Gerstner 2019-11-06 10:53:43 UTC
So it looks like Froxlor is pretty much broken on current Tumbleweed. The cron
file contains this line:

*/1 * * * *     root    /usr/bin/nice -n 5 /usr/bin/php -q /srv/www/froxlor/scripts/froxlor_master_cronjob.php

But the installation is actually found in /srv/www/htdocs, so the script will
never be found resulting in errors from cron like this:

```
Could not open input file: /srv/www/froxlor/scripts/froxlor_master_cronjob.php
```

This error message pops up every minute, accumulating in my root's mailbox.

Trying to actually start apache2 with froxlor also fails, because the
configuration in /etc/apache2/conf.d/froxlor contains mods_auth directives
that are no longer compatible with the installed Apache it seems.

It's good that the cron job isn't found, though, because this is no secure
setup. The `froxlor_master_cronjob.php` is supposed to be run as root, but it
includes PHP files not owned by root. For example:

drwxr-xr-x 7 wwwrun root 4.0K  6. Nov 11:50 /srv/www/htdocs/froxlor/lib/

So this folder containing all PHP include files is owned by `wwwrun`, meaning
the `wwwrun` user can cause code execution as root every minute, should the
cron job actually be found.

In bug 958100 there's already the discussion about whether froxlor should be
dropped from Factory/Tumbleweed. I think the current situation of the package
points into this direction. I don't want to whitelist this cron job in its
current form.
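The two defects Matthias describes (a root cron job whose script path does not exist, and a code tree the job would include from that is owned by wwwrun) can be checked mechanically before a cron file is whitelisted. The script below is an added example written for this page; it is not part of froxlor or of the openSUSE packaging tooling. It assumes the reviewer names the directories the script loads code from (here /srv/www/htdocs/froxlor/lib, taken from the listing above), uses a heuristic list of wrapper binaries to locate the script on the cron command line, and runs here against a constructed ownership table rather than the real file system; `real_owner_of` and `real_list_tree` are the hooks for running it against a live system.

```python
"""Audit one /etc/cron.d job that runs as root: does the script it launches
exist, and is every file and directory in the code tree it loads owned by
root?  Ownership and directory listing are injectable so the same check runs
against a constructed table (below) or the real file system."""
import os
import pwd
import re

# Constructed copy of the job line quoted in the bug, plus a comment and an
# environment assignment that a cron.d parser must skip.
SAMPLE_CRON_D = """\
# /etc/cron.d/froxlor (constructed for this example)
MAILTO=root
*/1 * * * *     root    /usr/bin/nice -n 5 /usr/bin/php -q /srv/www/froxlor/scripts/froxlor_master_cronjob.php
"""

# Assumption: wrappers/interpreters that come before the real script on the
# command line; a heuristic, extend as needed.
WRAPPERS = {"nice", "php", "python3", "perl", "sh", "bash", "env", "flock"}


def parse_cron_d(text):
    """Return [(user, command)] for each job line of a /etc/cron.d file."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        # "@daily user cmd" has one schedule field, otherwise there are five.
        nfields = 2 if line.startswith("@") else 6
        fields = line.split(None, nfields)
        if len(fields) == nfields + 1:
            jobs.append((fields[-2], fields[-1]))
    return jobs


def script_path(command):
    """Heuristic: first absolute path on the command line that is not a wrapper."""
    for token in command.split():
        if token.startswith("/") and os.path.basename(token) not in WRAPPERS:
            return token
    return None


def real_owner_of(path):
    """Owner name of path on the real file system, or None if it is missing."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except FileNotFoundError:
        return None


def real_list_tree(root):
    """Every directory and file below root (inclusive) on the real file system."""
    out = []
    for dirpath, _dirnames, filenames in os.walk(root):
        out.append(dirpath)
        out.extend(os.path.join(dirpath, f) for f in filenames)
    return out


def audit_root_job(command, code_roots, owner_of=real_owner_of, list_tree=real_list_tree):
    """Findings for a root cron job: a missing script, or any non-root owner in
    the script's directory or in the code_roots it includes from.  A non-root
    owner of a directory counts too: that owner can replace its entries."""
    script = script_path(command)
    if script is None:
        return ["cannot determine script path from: " + command]
    findings = []
    if owner_of(script) is None:
        findings.append("missing: " + script)
    for root in [os.path.dirname(script)] + list(code_roots):
        for path in list_tree(root):
            owner = owner_of(path)
            if owner is not None and owner != "root":
                findings.append(f"not root-owned ({owner}): {path}")
    return findings


# Constructed ownership table mirroring the bug: the cron line points at
# /srv/www/froxlor, which does not exist, while the install lives under
# /srv/www/htdocs/froxlor with a wwwrun-owned lib/ directory.
FAKE_FS = {
    "/srv/www/htdocs/froxlor": "root",
    "/srv/www/htdocs/froxlor/scripts": "root",
    "/srv/www/htdocs/froxlor/scripts/froxlor_master_cronjob.php": "root",
    "/srv/www/htdocs/froxlor/lib": "wwwrun",
    "/srv/www/htdocs/froxlor/lib/functions.php": "wwwrun",
}


def fake_owner_of(path):
    return FAKE_FS.get(path.rstrip("/"))


def fake_list_tree(root):
    root = root.rstrip("/")
    return [p for p in FAKE_FS if p == root or p.startswith(root + "/")]


def demo(owner_of=fake_owner_of, list_tree=fake_list_tree):
    """Audit every root job in SAMPLE_CRON_D; returns {command: findings}."""
    return {
        command: audit_root_job(command, ["/srv/www/htdocs/froxlor/lib"], owner_of, list_tree)
        for user, command in parse_cron_d(SAMPLE_CRON_D)
        if user == "root"
    }


if __name__ == "__main__":
    for command, findings in demo().items():
        print(command)
        for f in findings:
            print("  " + f)
```

Against the constructed table the job yields three findings: the script path is missing, and both the lib directory and the file inside it are owned by wwwrun. Pointing the cron line at the htdocs path removes the first finding but not the ownership ones, which is exactly why a corrected path alone would not make the job safe to whitelist.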
Comment 2 Matthias Gerstner 2020-01-30 10:34:53 UTC
Thanks Johannes for taking another look at this package. As you can see in
comment 1 this package is generally in a bad state and if you don't find any
improvements here then I think we can close this as WONTFIX. The package will
then not build any more in Factory and a delete request is in order.
Comment 3 Johannes Segitz 2020-03-04 13:07:13 UTC
I'll start with this today
Comment 4 Johannes Segitz 2020-03-04 16:51:37 UTC
(In reply to Johannes Segitz from comment #3)
So I didn't read through the bug because I wanted to set it up first. After stumbling over the first few problems described by Matthias I read it through. I tried to look up if this issue is also upstream and found three new issues. So I think we should just drop it. I filed a drop request
https://build.opensuse.org/request/show/781586