https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291025

            Bug ID: 291025
           Summary: periodic weekly/security runs scripts twice inside
                    jails (duplicate Security/daily security output)
           Product: Base System
           Version: 14.3-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: [email protected]
          Reporter: [email protected]

Environment:

/etc/rc.conf inside the jail:
cron_flags="-J 60"
hostname="qbittorrent.example.org"
# sendmail disabled, no custom periodic-related entries

/etc/periodic.conf inside the jail:
daily_status_network_enable="NO"
security_status_ipfwlimit_enable="NO"
security_status_ipfwdenied_enable="NO"
weekly_whatis_enable="NO"
weekly_locate_enable="NO"
security_status_neggrpperm_enable="NO"
daily_status_disks_enable="NO"
daily_status_uptime_enable="NO"
daily_ntpd_leapfile_enable="NO"
security_status_chksetuid_enable="NO"
security_status_chkuid0_enable="NO"
security_status_ipfdenied_enable="NO"
security_status_ipf6denied_enable="NO"
security_status_tcpwrap_enable="NO"



Description:

The effect is that the weekly and daily security outputs from the jail contain
the same blocks printed twice in the same message/run.

On the host system (outside jails), periodic daily/weekly behave normally; each
script is executed once and there are no duplicated blocks in the output.



How to reproduce (weekly in the jail):

1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly

Inside the jail, temporarily set:

weekly_output=/tmp/weekly.debug

in /etc/periodic.conf.

Run periodic weekly manually inside the jail.

Inspect the file /tmp/weekly.debug.

Actual result (weekly in the jail):

For example (simplified):

Security check:
(output mailed separately)

[...]

Security check:
(output mailed separately)

-- End of weekly output --

In other words, the Security check: (output mailed separately) block from the
weekly status-security script appears twice in a single periodic weekly run
inside the jail.



How to reproduce (daily security in the jail):

1. Use the same qbittorrent jail with /etc/periodic.conf as described in the
Environment section.
2. Let cron run normally inside the jail with the default periodic daily line
in /etc/crontab.
3. Observe the daily security run output mail from that jail (or redirect
daily_output to a file and run periodic security manually).

Actual result (daily security in the jail):

Checking for passwordless accounts:
root::0:0::0:0:Charlie &:/root:/bin/sh

Checking login.conf permissions:

qbittorrent.example.org login failures:

Checking for passwordless accounts:
root::0:0::0:0:Charlie &:/root:/bin/sh

Checking login.conf permissions:

qbittorrent.example.org login failures:

-- End of security output --

This is from a single daily security run, not from two separate mails.



Expected result:


One Security check: (output mailed separately) block per weekly run.

One set of daily security checks (passwordless accounts, login.conf
permissions, login failures, etc.) per daily security run.



Additional information:

/etc/crontab contains only the standard periodic lines.

crontab -l -u root is empty (no additional cron jobs for periodic).

/var/log/cron inside the jail shows exactly one (root) CMD (periodic daily) per
day and one (root) CMD (periodic weekly) per week.

ps aux inside the jail shows exactly one /usr/sbin/cron process.

The duplication happens even when periodic weekly or periodic security is run
manually inside the jail with weekly_output / daily_output pointed to a file,
confirming that it is not caused by cron running the jobs twice.

Jails are created and managed with BastilleBSD. The generated jail.conf for the
qbittorrent jail looks like:

qbittorrent {
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
[...]
}

There are no extra exec.start lines and no jexec ... periodic jobs on the host.

The basejail release directory /usr/local/bastille/releases/14.3-RELEASE
contains only the standard /etc/periodic/{daily,weekly,monthly,security}
directories and no custom periodic scripts; /usr/local/etc/periodic in the
release is empty.



Given that:

The host behaves normally.

All jails show duplicated weekly and daily security output for a single
periodic run.

Cron is not running these jobs twice.

this seems to indicate an issue with how periodic runs weekly/security classes
inside jails in this environment.

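A quick way to confirm the duplication in a captured periodic output file, as an added example that is not part of the original report: the hypothetical helper `dup_headers` counts section header lines and prints those that occur more than once in a single run. It assumes a header is any line ending in a colon; the sample input is constructed from the daily security output quoted in the report.

```sh
#!/bin/sh
# Added example: list section headers that repeat within one periodic(8) run.
# dup_headers is a hypothetical helper name, not part of FreeBSD.

# Read periodic output from the named files (or stdin) and print
# "<count> <header>" for every header line seen more than once.
# Assumption: a header is any line ending in a colon, which matches
# "Security check:" and the "Checking ...:" lines quoted in the report.
dup_headers() {
    awk '
        { sub(/[ \t\r]+$/, "") }      # ignore trailing whitespace and CR
        /:$/ { seen[$0]++ }           # count each distinct header line
        END {
            for (h in seen)
                if (seen[h] > 1)
                    printf "%d %s\n", seen[h], h
        }
    ' "$@" | sort
}

# Constructed sample, copied from the daily security output in the report.
sample_security_output() {
    cat <<'EOF'
Checking for passwordless accounts:
root::0:0::0:0:Charlie &:/root:/bin/sh

Checking login.conf permissions:

qbittorrent.example.org login failures:

Checking for passwordless accounts:
root::0:0::0:0:Charlie &:/root:/bin/sh

Checking login.conf permissions:

qbittorrent.example.org login failures:

-- End of security output --
EOF
}

# Stand-alone run: report the repeated headers in the sample.
sample_security_output | dup_headers
```

Against a real capture, run `dup_headers /tmp/weekly.debug` inside the jail; empty output means no header was repeated in that run.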