[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Katrin Fischer changed:
  Status:     UNCONFIRMED -> RESOLVED
  Resolution: ---         -> FIXED

--- Comment #71 from Katrin Fischer ---
Hi Nitesh, this bug has been fixed in 17.05 and later. 16.11 is no longer maintained and won't receive any updates. Please consider updating. If that's not an option, asking on the mailing list on how to make this change locally would be better.

-- 
You are receiving this mail because: You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Nitesh Kumar Verma changed:
  Resolution:     FIXED  -> ---
  Ever confirmed: 1      -> 0
  Status:         CLOSED -> UNCONFIRMED
  CC:                    -> verman...@gmail.com

--- Comment #70 from Nitesh Kumar Verma ---
Facing the same problem in my KOHA version 16.11. While trying to apply the said patch, I am not able to find the file 'koha-foreach.xml'. Guide me to find the file koha-foreach.xml so that I may apply the patch.

Regards,
Dr. Nitesh Kumar Verma
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #69 from Katrin Fischer ---
*** Bug 20786 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Martin Renvoize changed:
  Resolution: ---              -> FIXED
  Status:     Pushed to Stable -> RESOLVED
  CC:                          -> martin.renvoize@ptfs-europe.com
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Fridolin SOMERS changed:
  CC: -> fridolin.som...@biblibre.com

--- Comment #68 from Fridolin SOMERS ---
Pushed to 17.05.x for v17.05.11
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Nick Clemens changed:
  Status: Pushed to Master -> Pushed to Stable

--- Comment #67 from Nick Clemens ---
Awesome work all, backported to stable for 17.11.05
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Jonathan Druart changed:
  Keywords: rel_18_05_candidate -> (removed)
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Nick Clemens changed:
  CC:               -> n...@bywatersolutions.com
  Status: Passed QA -> Pushed to Master

--- Comment #66 from Nick Clemens ---
Pushed to master for 18.05, thanks to all for your hard work.
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Marcel de Rooy changed:
  QA Contact: testo...@bugs.koha-community.org -> m.de.r...@rijksmuseum.nl
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Marcel de Rooy changed:
  Attachment #72373 is obsolete: 0 -> 1

--- Comment #64 from Marcel de Rooy ---
Created attachment 72412
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72412&action=edit
Bug 17717: Make cronjobs using koha-foreach use --chdir

In order to patch production sites we need to adjust the shipped cronjobs so they are called with the --chdir option switch.

Signed-off-by: Kyle M Hall
Signed-off-by: Marcel de Rooy
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #65 from Marcel de Rooy ---
Created attachment 72413
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72413&action=edit
Bug 17717: (QA follow-up) Fix typo chdir

This test does obviously not achieve the desired result:

    [ "chdir" != "no" ]

Trivial fix. Adding the same quotes around starting_dir (just as for Bug 19546).

Signed-off-by: Marcel de Rooy
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Marcel de Rooy changed:
  Attachment #72372 is obsolete: 0 -> 1

--- Comment #63 from Marcel de Rooy ---
Created attachment 72411
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72411&action=edit
Bug 17717: Add a --chdir option switch for koha-foreach

Until Perl 5.26, the current directory is added to @INC when running a Perl script [1]. Having the current directory in @INC means it can be tried to be traversed when performing a lib lookup. Since version 5.18, Perl dies when it finds an unreadable directory (permissions) in @INC that needs to be traversed. This behaviour won't change because Perl devs consider it an enhancement to security. [2]

Because of this, we need to make sure our scripts are run **from** a directory in which they have read permissions.

This patch adds a --chdir option switch to the **koha-foreach** wrapper script, that makes the inner shells/scripts run within the Koha instance's user home directory.

The change is trivial and should be QAed easily.

I tested this on a prod server:

- Create a /tmp/test.pl file containing:

    use Modern::Perl;
    use Cwd;
    my $dir = getcwd;
    warn $dir;
    1;

A) then create a cronjob entry to run it using koha-foreach (in /etc/cron.d/test):

    1/* * * * * root koha-foreach perl /tmp/test.pl

- Once I noticed the cronjob ran, I used mutt to read the emails in the root user.

=> FAIL:

    ...
    Subject: Cron koha-foreach --enabled perl /tmp/test.pl
    "/root"
    "/root"
    "/root"
    "/root"
    "/root"
    ...

B) I then used the patched koha-foreach with different results:

=> SUCCESS:

    ...
    Subject: Cron /root/koha-foreach --chdir --enabled perl /tmp/test.pl
    "/var/lib/koha/acaderc"
    "/var/lib/koha/agro"
    "/var/lib/koha/anc"
    "/var/lib/koha/arico"
    "/var/lib/koha/artes"
    ...

So this patch's approach works. But...

C) master's koha-foreach seems to work just the same... I think it is because of my previous attempt to fix this by using sudo in koha-shell. So I think environmental conditions affect the behaviour (which shell is configured for cron, sudo configuration, etc).

In conclusion, I think we should go ahead with this patch as it will solve people's issues, and it is a right solution (option #5 on the list) to this Perl behaviour change. It doesn't cover other commands, but followup patches could do.

I avoided /tmp as it is writable by any user... so it is an easy path for both exploiting by replacing some lib, and also because the existence of an unreadable dir that the interpreter could try to traverse (unreadable /tmp/Authen or /tmp/Koha will trigger the same error, and I assume people know what they are putting on the instance's dir, at least it will be easier to track).

A followup patch takes care of making the cronjobs use --chdir when calling koha-foreach

[1] https://lists.debian.org/debian-devel-announce/2016/08/msg00013.html
[2] https://rt.perl.org/Public/Bug/Display.html?id=123795

Signed-off-by: Kyle M Hall
Signed-off-by: Marcel de Rooy
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Marcel de Rooy changed:
  Status:           BLOCKED -> Passed QA
  Patch complexity: ---     -> Small patch
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Marcel de Rooy changed:
  See Also: -> https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19546
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Marcel de Rooy changed:
  Status: Signed Off -> BLOCKED

--- Comment #62 from Marcel de Rooy ---
Looking here. Something wrong still
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #61 from Marco Moreno ---
Fair enough - trust your judgment.
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #60 from Tomás Cohen Arazi ---
(In reply to Marco Moreno from comment #59)
> Couldn't it be done once in a common library that is used everywhere,
> like /usr/share/koha/bin/kohalib.pl?
>
> Sorry, I really don't know much about Koha's architecture and I trust you've
> studied this more than I have.

I understand the kohalib.pl approach, but I think it is too hacky and I don't think we should use it at all. So I wouldn't agree with a solution there. Also, not all CLI scripts written in perl use it...
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #59 from Marco Moreno ---
Couldn't it be done once in a common library that is used everywhere, like /usr/share/koha/bin/kohalib.pl?

Sorry, I really don't know much about Koha's architecture and I trust you've studied this more than I have.
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #58 from Tomás Cohen Arazi ---
(In reply to Marco Moreno from comment #57)
> Hmmm...I'm now reconsidering this and wonder if option #3 is really the best
> solution by removing '.' from @INC.
>
> You made a good point about /tmp being a concern. This, plus the fact that
> they have removed '.' from @INC in recent versions of Perl, has convinced me
> that having '.' in @INC is generally a very bad idea and a major security
> concern.
>
> Therefore, I want to propose revisiting comment #40 which removes '.' from
> @INC in a common library early in the bootstrapping process. This
> effectively undoes the "feature" added in Perl 5.18 and removed in Perl
> 5.26. Additionally, this prevents exploits that attempt to insert '.' via
> PERL5LIB.

I considered that option. But we would need to do it on every script, and we would also be changing the current behaviour. Someone might be using their own lib (or version of some lib) on purpose and we'd be breaking them. So, for the general user base, we should stick with the cleaner solution IMHO.
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #57 from Marco Moreno ---
Hmmm...I'm now reconsidering this and wonder if option #3 is really the best solution by removing '.' from @INC.

You made a good point about /tmp being a concern. This, plus the fact that they have removed '.' from @INC in recent versions of Perl, has convinced me that having '.' in @INC is generally a very bad idea and a major security concern.

Therefore, I want to propose revisiting comment #40 which removes '.' from @INC in a common library early in the bootstrapping process. This effectively undoes the "feature" added in Perl 5.18 and removed in Perl 5.26. Additionally, this prevents exploits that attempt to insert '.' via PERL5LIB.

It is a single line of code, does nothing if '.' doesn't exist in @INC, and doesn't require modifying crons.
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Kyle M Hall changed:
  Attachment #72368 is obsolete: 0 -> 1
  Attachment #72369 is obsolete: 0 -> 1

--- Comment #55 from Kyle M Hall ---
Created attachment 72372
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72372&action=edit
Bug 17717: Add a --chdir option switch for koha-foreach

Until Perl 5.26, the current directory is added to @INC when running a Perl script [1]. Having the current directory in @INC means it can be tried to be traversed when performing a lib lookup. Since version 5.18, Perl dies when it finds an unreadable directory (permissions) in @INC that needs to be traversed. This behaviour won't change because Perl devs consider it an enhancement to security. [2]

Because of this, we need to make sure our scripts are run **from** a directory in which they have read permissions.

This patch adds a --chdir option switch to the **koha-foreach** wrapper script, that makes the inner shells/scripts run within the Koha instance's user home directory.

The change is trivial and should be QAed easily.

I tested this on a prod server:

- Create a /tmp/test.pl file containing:

    use Modern::Perl;
    use Cwd;
    my $dir = getcwd;
    warn $dir;
    1;

A) then create a cronjob entry to run it using koha-foreach (in /etc/cron.d/test):

    1/* * * * * root koha-foreach perl /tmp/test.pl

- Once I noticed the cronjob ran, I used mutt to read the emails in the root user.

=> FAIL:

    ...
    Subject: Cron koha-foreach --enabled perl /tmp/test.pl
    "/root"
    "/root"
    "/root"
    "/root"
    "/root"
    ...

B) I then used the patched koha-foreach with different results:

=> SUCCESS:

    ...
    Subject: Cron /root/koha-foreach --chdir --enabled perl /tmp/test.pl
    "/var/lib/koha/acaderc"
    "/var/lib/koha/agro"
    "/var/lib/koha/anc"
    "/var/lib/koha/arico"
    "/var/lib/koha/artes"
    ...

So this patch's approach works. But...

C) master's koha-foreach seems to work just the same... I think it is because of my previous attempt to fix this by using sudo in koha-shell. So I think environmental conditions affect the behaviour (which shell is configured for cron, sudo configuration, etc).

In conclusion, I think we should go ahead with this patch as it will solve people's issues, and it is a right solution (option #5 on the list) to this Perl behaviour change. It doesn't cover other commands, but followup patches could do.

I avoided /tmp as it is writable by any user... so it is an easy path for both exploiting by replacing some lib, and also because the existence of an unreadable dir that the interpreter could try to traverse (unreadable /tmp/Authen or /tmp/Koha will trigger the same error, and I assume people know what they are putting on the instance's dir, at least it will be easier to track).

A followup patch takes care of making the cronjobs use --chdir when calling koha-foreach

[1] https://lists.debian.org/debian-devel-announce/2016/08/msg00013.html
[2] https://rt.perl.org/Public/Bug/Display.html?id=123795

Signed-off-by: Kyle M Hall
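The --chdir approach described in the commit message above (comments #55 and #63), the corrected option test from the QA follow-up in comment #65 ([ "$chdir" != "no" ]), and the PERL5LIB concern raised in comment #57, as one added example in POSIX sh. This is not Koha's koha-foreach script and is not part of the bug thread: the function names, the INSTANCE_HOMES variable and the instance home directories are constructed for the demonstration. It shows why a cron job that runs from /root fails for instance users while one run from the instance home does not, and adds the pre-flight check an administrator can run as the cron job's user before trusting a lib path.

```shell
#!/bin/sh
# Added example, not Koha's koha-foreach: a minimal wrapper showing the
# --chdir behaviour discussed in bug 17717, plus two defensive checks.
# Instance homes, INSTANCE_HOMES and all function names are constructed.

# Run a command from inside DIR. The subshell keeps the caller's cwd
# untouched; a missing or unreadable DIR yields exit status 97.
run_in_dir() {
    dir=$1
    shift
    ( cd "$dir" 2>/dev/null || exit 97; "$@" )
}

# koha-foreach-like loop: run CMD once per instance home listed in
# INSTANCE_HOMES (colon-separated, no spaces in paths). With --chdir the
# command runs from the instance home, so Perl's '.' in @INC points at a
# directory the instance user can read; without it, from the caller's cwd
# (for a cron job typically /root, which is what the FAIL output shows).
# The option test is the corrected form from the QA follow-up: compare
# the variable "$chdir", not the literal word "chdir".
foreach_instance() {
    chdir=no
    if [ "$1" = "--chdir" ]; then
        chdir=yes
        shift
    fi
    for home in $(printf '%s' "$INSTANCE_HOMES" | tr ':' ' '); do
        if [ "$chdir" != "no" ]; then
            run_in_dir "$home" "$@"
        else
            "$@"
        fi
    done
}

# Pre-flight check: print every directory in a colon-separated lib path
# (PERL5LIB, or a reconstructed @INC) that exists but is not readable by
# the current user. '.' and empty entries mean the cwd, which is the case
# that broke the cron jobs in this bug. Note that root passes -r on any
# directory, so run this as the user the cron job will actually run as.
unreadable_lib_dirs() {
    [ -n "$1" ] || return 0
    rest=$1:
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        case $d in ''|.) d=$PWD ;; esac
        if [ -d "$d" ] && [ ! -r "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Environment hygiene for the PERL5LIB concern raised in the thread: drop
# '.' and empty entries (both mean "current directory") from a lib path
# before handing it to a cron command. Prints the cleaned path.
strip_cwd_entries() {
    rest=$1:
    out=""
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        case $d in ''|.) continue ;; esac
        out=${out:+$out:}$d
    done
    printf '%s\n' "$out"
}

# Stand-alone demo on constructed instance homes under a temp directory.
demo=$(mktemp -d)
mkdir "$demo/acaderc" "$demo/agro"
INSTANCE_HOMES="$demo/acaderc:$demo/agro"
echo "without --chdir:"
foreach_instance pwd
echo "with --chdir:"
foreach_instance --chdir pwd
echo "cleaned PERL5LIB: $(strip_cwd_entries "/usr/share/koha/lib:.::/opt/koha/lib")"
rm -r "$demo"
```

Running the demo as root prints the caller's directory twice without --chdir and the two constructed instance homes with it, which is the difference between the FAIL and SUCCESS mail subjects in the commit message. The check functions are deliberately pure string and test-builtin work so they behave the same under dash and bash.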
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Kyle M Hall changed:
  Status: Needs Signoff -> Signed Off
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #56 from Kyle M Hall ---
Created attachment 72373
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72373&action=edit
Bug 17717: Make cronjobs using koha-foreach use --chdir

In order to patch production sites we need to adjust the shipped cronjobs so they are called with the --chdir option switch.

Signed-off-by: Kyle M Hall
[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

Tomás Cohen Arazi changed:
  Summary: "process_message_queue.pl: Can't locate Authen/CAS/Client/Response/Failure.pm" -> "Fix broken cronjobs due to permissions of the current directory"