Cron user jobs run as root when "Run" is pressed

  • Hi, I'm new here, this is my first post.


    I'd like to report a problem. In OMV4, but I haven't tested 5, I have some cron jobs that are supposed to run as a given user. They do, when started by cron. However, when I test them pressing "Run" in the cron UI, they're run as root. I think this is dangerous, not to mention the jobs basically behave differently than expected (different user id, different working dir).


    It's easy to test. Just create a new job, with command `whoami && pwd` and you'll find it out.

  • It works properly for me using your 'whoami && pwd' test case.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on ASRock Rack C2550D4I C0 Stepping - 16GB ECC - Silverstone DS380 + Silverstone DS380 DAS Box.

  • Is this the correct way of reporting bugs? Should I post/write somewhere else? Thanks.

    The code does sudo as the user you set the job to run as. Not sure why it isn't working on your system since it is working correctly on my and gderf's systems. https://github.com/openmediava…engined/rpc/cron.inc#L169

    omv 5.6.4 usul | 64 bit | 5.11 proxmox kernel | omvextrasorg 5.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • I tried and I was not able to replicate it, but I didn't dream it so I tried harder and I can replicate the problem now.


    If you try `whoami && pwd` you'll get `user` and `/`, but it should be `/home/user`. Indeed, if you try `pwd && whoami` you'll get `/` and `root`. It looks like `sudo` is applied only to the first part of the &&. This is because the resulting command is `sudo --user=user part1 && part2`, and the shell runs the 2nd part as root.


    There's the possibility of bypassing sudo for users able to define jobs, running arbitrary code as root.


    Last but not least, IMHO the working directory should be `$HOME` of user, not `/`.

  • I think the "Run" command should execute the job script that cron executes and that contains the actual command, not the command directly. It's more elegant and safe and it would support multiple commands if these are written in the cron job script.


    Even without this refactoring, the command should be at least properly escaped.

  • This is happening because only the first command (before the &&) is run as sudo. So, you are half correct that one of the commands is run as root. And why pwd doesn't give you what you are expecting when it is the first command is because it is sudo'ing as the user and not changing to the user's directory due to the non-interactive flag. If you were running scripts instead of multiple commands, it works correctly. If your script relies on the present working directory being the user's home directory, you should modify the script to go to home first.

    > I think the "Run" command should execute the job script that cron executes and that contains the actual command, not the command directly. It's more elegant and safe and it would support multiple commands if these are written in the cron job script.
    >
    > Even without this refactoring, the command should be at least properly escaped.

    It probably could execute the script it creates when creating the cron job but this seems easier to fix with the job you run in the cron job than changing the OMV code.


    And you mention safe but since you can run as root, it is your job to make sure your script doesn't do something bad.


    As for escaping, I guess the OMV code could convert && to ; but you could as well.


  • I can achieve what I need to do in various ways, but I still believe a fix should be implemented in OMV because escaping a sudo so easily and running commands as root when it should not be, in my case discovered just by chance, should be prevented.

  • > I can achieve what I need to do in various ways, but I still believe a fix should be implemented in OMV because escaping a sudo so easily and running commands as root when it should not be, in my case discovered just by chance, should be prevented.

    File an issue or a pull request then - https://github.com/OpenMediaVault/openmediavault


  • ragazzojp

    Added the Label resolved
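
The command splitting discussed in this thread, as an added example that is not part of the original posts and is not OpenMediaVault code. The `sudo` and `whoami_probe` stubs, the user `alice` and the job text are constructed assumptions so the script runs without privileges; it compares pasting the job text after the `sudo` prefix with handing it to `sudo` as a single argument.

```shell
#!/bin/sh
# Stubs (assumptions, not real tools): "sudo" only records the target user in
# RUNAS; "whoami_probe" prints RUNAS, or "root" when it was started directly.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/sudo" <<'EOF'
#!/bin/sh
# Stub: accepts --user=NAME and an optional "--", then runs the rest.
RUNAS=${1#--user=}; export RUNAS; shift
[ "$1" = "--" ] && shift
exec "$@"
EOF

cat > "$DEMO_DIR/whoami_probe" <<'EOF'
#!/bin/sh
echo "${RUNAS:-root}"
EOF

chmod +x "$DEMO_DIR/sudo" "$DEMO_DIR/whoami_probe"
PATH="$DEMO_DIR:$PATH"; export PATH
unset RUNAS

# Pattern described in the thread: the job text is pasted after the sudo
# prefix, so the invoking (root) shell parses "&&" itself and only the first
# command is handed to sudo.
run_concatenated() {
    sh -c "sudo --user=alice $1" | paste -s -d ' ' -
}

# Hardened form: the job text is ONE argument to a shell started by sudo,
# so the whole command list is parsed and run as the target user.
run_as_single_argument() {
    sudo --user=alice -- sh -c "$1" | paste -s -d ' ' -
}

JOB='whoami_probe && whoami_probe'      # constructed job command
echo "concatenated:    $(run_concatenated "$JOB")"
echo "single argument: $(run_as_single_argument "$JOB")"

# Any shell list operator behaves the same way when concatenated.
JOB2='whoami_probe; whoami_probe'       # constructed job command
echo "concatenated ';': $(run_concatenated "$JOB2")"
```

With a real `sudo`, the second form still starts in the caller's working directory, so a job that depends on the user's home directory has to change into it explicitly.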
