locate cron script doesn't believe I'm root.

[Stricken1670]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug
Trying to locate a specific file results in the following interaction:

root@fwleb02:~ # locate blacklistd
locate: the locate database '/var/db/locate.database' is smaller than 256 bytes large.

To create a new database, please run the following command as root:

  /etc/periodic/weekly/310.locate

root@fwleb02:~ # /etc/periodic/weekly/310.locate

Rebuilding locate database:
Must be root.
root@fwleb02:~ # whoami
root

I hope you can reproduce the issue.

[fichtner]

Can you output this?

# sh -x /etc/periodic/weekly/310.locate

Cheers,
Franco

[Stricken1670]

Most certainly:

root@fwleb02:~ # sh -x /etc/periodic/weekly/310.locate
+ [ -r /etc/defaults/periodic.conf ]
+ . /etc/defaults/periodic.conf
+ periodic_conf_files='/etc/periodic.conf /etc/periodic.conf.local /etc/periodic.conf'
+ local_periodic=/etc/periodic
+ anticongestion_sleeptime=3600
+ daily_diff_flags='-b -U 0'
+ daily_output=root
+ daily_show_success=YES
+ daily_show_info=YES
+ daily_show_badconfig=NO
+ daily_clean_disks_enable=NO
+ daily_clean_disks_files='[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*'
+ daily_clean_disks_days=3
+ daily_clean_disks_verbose=YES
+ daily_clean_tmps_enable=NO
+ daily_clean_tmps_dirs=/tmp
+ daily_clean_tmps_days=3
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap'
+ daily_clean_tmps_ignore='.X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix quota.user quota.group .snap .sujournal'
+ daily_clean_tmps_verbose=YES
+ daily_clean_preserve_enable=YES
+ daily_clean_preserve_days=7
+ daily_clean_preserve_verbose=YES
+ daily_clean_msgs_enable=YES
+ daily_clean_msgs_days=''
+ daily_clean_rwho_enable=YES
+ daily_clean_rwho_days=7
+ daily_clean_rwho_verbose=YES
+ daily_clean_hoststat_enable=YES
+ daily_backup_passwd_enable=YES
+ daily_backup_aliases_enable=YES
+ sysctl -n security.jail.jailed
+ [ 0 '=' 0 ]
+ daily_backup_gpart_enable=YES
+ daily_backup_gpart_verbose=NO
+ daily_backup_efi_enable=NO
+ daily_backup_gmirror_enable=NO
+ daily_backup_gmirror_verbose=NO
+ daily_backup_zfs_enable=NO
+ daily_backup_zfs_props_enable=NO
+ daily_backup_zfs_get_flags=all
+ daily_backup_zfs_list_flags=''
+ daily_backup_zpool_get_flags=all
+ daily_backup_zpool_list_flags=-v
+ daily_backup_zfs_verbose=NO
+ daily_calendar_enable=NO
+ daily_accounting_enable=YES
+ daily_accounting_compress=NO
+ daily_accounting_flags=-q
+ daily_accounting_save=3
+ daily_status_disks_enable=YES
+ daily_status_disks_df_flags='-l -h'
+ daily_status_graid_enable=NO
+ daily_status_zfs_enable=NO
+ daily_status_zfs_zpool_list_enable=YES
+ daily_status_gmirror_enable=NO
+ daily_status_graid3_enable=NO
+ daily_status_gstripe_enable=NO
+ daily_status_gconcat_enable=NO
+ daily_status_mfi_enable=NO
+ daily_status_network_enable=YES
+ daily_status_network_usedns=YES
+ daily_status_network_netstat_flags='-d -W'
+ daily_status_uptime_enable=YES
+ daily_status_mailq_enable=YES
+ daily_status_mailq_shorten=NO
+ daily_status_include_submit_mailq=YES
+ daily_status_security_enable=YES
+ daily_status_security_inline=NO
+ daily_status_security_output=root
+ daily_status_mail_rejects_enable=YES
+ daily_status_mail_rejects_logs=3
+ daily_status_mail_rejects_shorten=NO
+ daily_ntpd_leapfile_enable=YES
+ daily_status_ntpd_enable=NO
+ daily_queuerun_enable=YES
+ daily_submit_queuerun=YES
+ daily_status_world_kernel=YES
+ daily_scrub_zfs_enable=NO
+ daily_scrub_zfs_pools=''
+ daily_scrub_zfs_default_threshold=35
+ daily_trim_zfs_enable=NO
+ daily_trim_zfs_pools=''
+ daily_trim_zfs_flags=''
+ daily_local=/etc/daily.local
+ weekly_output=root
+ weekly_show_success=YES
+ weekly_show_info=YES
+ weekly_show_badconfig=NO
+ weekly_locate_enable=YES
+ weekly_whatis_enable=YES
+ weekly_noid_enable=NO
+ weekly_noid_dirs=/
+ weekly_status_security_enable=YES
+ weekly_status_security_inline=NO
+ weekly_status_security_output=root
+ weekly_local=/etc/weekly.local
+ monthly_output=root
+ monthly_show_success=YES
+ monthly_show_info=YES
+ monthly_show_badconfig=NO
+ monthly_accounting_enable=YES
+ monthly_status_security_enable=YES
+ monthly_status_security_inline=NO
+ monthly_status_security_output=root
+ monthly_local=/etc/monthly.local
+ security_show_success=YES
+ security_show_info=YES
+ security_show_badconfig=NO
+ security_status_logdir=/var/log
+ security_status_diff_flags='-b -U 0'
+ security_status_chksetuid_enable=YES
+ security_status_chksetuid_period=daily
+ security_status_neggrpperm_enable=YES
+ security_status_neggrpperm_period=daily
+ security_status_chkmounts_enable=YES
+ security_status_chkmounts_period=daily
+ security_status_noamd=NO
+ security_status_chkuid0_enable=YES
+ security_status_chkuid0_period=daily
+ security_status_passwdless_enable=YES
+ security_status_passwdless_period=daily
+ security_status_logincheck_enable=YES
+ security_status_logincheck_period=daily
+ security_status_ipfwdenied_enable=YES
+ security_status_ipfwdenied_period=daily
+ security_status_ipfdenied_enable=YES
+ security_status_ipfdenied_period=daily
+ security_status_pfdenied_enable=YES
+ security_status_pfdenied_period=daily
+ security_status_pfdenied_additionalanchors=''
+ security_status_ipfwlimit_enable=YES
+ security_status_ipfwlimit_period=daily
+ security_status_ipf6denied_enable=YES
+ security_status_ipf6denied_period=daily
+ security_status_kernelmsg_enable=YES
+ security_status_kernelmsg_period=daily
+ security_status_loginfail_enable=YES
+ security_status_loginfail_period=daily
+ security_status_tcpwrap_enable=YES
+ security_status_tcpwrap_period=daily
+ [ -z '' ]
+ source_periodic_confs_defined=yes
+ source_periodic_confs
+ local i sourced_files
+ sourced_files=:/etc/periodic.conf:
+ [ -r /etc/periodic.conf ]
+ sourced_files=:/etc/periodic.conf::/etc/periodic.conf.local:
+ [ -r /etc/periodic.conf.local ]
+ echo ''

+ echo 'Rebuilding locate database:'
Rebuilding locate database:
+ . /etc/locate.rc
+ : /var/db/locate.database
+ locdb=/var/db/locate.database
+ touch /var/db/locate.database
+ rc=0
+ chown nobody /var/db/locate.database
+ chmod 644 /var/db/locate.database
+ cd /
+ echo /usr/libexec/locate.updatedb
+ nice -n 5 su -fm nobody
Must be root.
+ rc=3
+ chmod 444 /var/db/locate.database
+ exit 3

[fichtner]

If I had to guess it's hitting here:

https://github.com/opnsense/core/blob/10aa7878cf5e49c2125d8752c20ca6dea048c1de/src/sbin/opnsense-shell#L48-L53

But to be frank piping to su(1) doesn't seem very elegant to me:

src/usr.sbin/periodic/etc/weekly/310.locate

Line 27 in a91e2fb

echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

How does a shell expect to know it's supposed to execute a command from stdin? This doesn't appear to be documented in su(1) either, but it's also not new scripting.

The bigger issue here is that the root shell is set to "opnsense-shell" I believe, but we actually want that.

Cheers,
Franco

[fichtner]

Ok I think this executes a root shell but then wants it to run with user "nobody". This is quite inconvenient. :)

[hboetes]

I just tried running the script with this diff applied:

root@fwleb02:~ # diff -u /etc/periodic/weekly/310.locate 310.locate 
--- /etc/periodic/weekly/310.locate	2024-08-07 18:11:22.000000000 +0200
+++ 310.locate	2024-08-12 21:02:09.924076000 +0200
@@ -24,7 +24,7 @@
 	chmod 644 $locdb || rc=3
 
 	cd /
-	echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3
+	nice -n 5 su -fm nobody -c /usr/libexec/locate.updatedb || rc=3 
 	chmod 444 $locdb || rc=3;;
 
     *)  rc=0;;

Now it works fine.

[doktornotor]

@hboetes - you have undone the upstream "security fix" which is done in order to not index and disclose top-secret files. Considering this totally pointless on environments such as OPNsense, use /usr/libexec/locate.updatedb directly, ignore its moaning about root and forget about the periodic script (which does not run periodically anyway since that is not desired on OPNsense either).

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=21535

[fichtner]

Is that the reason for piping random commands to a shell hidden behind su to a user that doesn't maybe even have a shell? What is this?

[doktornotor]

It's been there for too long to trace the original commit, breaking various things on the way. Before 2000 for sure.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=17074