panic-on-oops started every 10s

When browsing journalctl in a whonix-workstation-17-based qube, I noticed there is panic-on-oops called via sudo every 10 seconds. I haven’t figured out what calls it. Is that intentional?

2 Likes

Confirmed bug.

No, that should only be run once after boot.

File:

/etc/profile.d/30_security-misc.sh

Symlinks to it:

/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh
/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc

The rationale for starting it through that mechanism was: There might be kernel oops during boot which might be hardware issues we can do nothing about. But once that stage is reached, there should be no more and any kernel oops then could be security issues (exploitation attempts).

This is probably happening due to sdwdate-gui qrexec calls. Qubes qrexec calls result in processing /etc/profile.d and/or /etc/X11/Xsession.d. Related: output by `/etc/profile.d` (or `/etc/X11/Xsession.d`?) scripts breaks Qubes UpdatesProxy · Issue #8610 · QubesOS/qubes-issues · GitHub

There you said:

Shell startup scripts should never output anything, exactly because it breaks machine-readable output. This is a well-known fact, and includes for example things like scp, rsync. I don’t think qubes.UpdatesProxy needs to be any special here.

So it seems that’s a bug in security-misc to use that mechanism to run a script which then has a sudoers exception.

I guess a systemd unit file would be more suitable for this.

1 Like

It doesn’t output anything on terminal, it outputs to system journal. But yes, a systemd unit with proper ordering would be more suitable.

2 Likes
1 Like
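The systemd approach suggested above, as an added example that is not part of the thread and not security-misc's own unit file. The unit name and install path are hypothetical, and it assumes the effect of panic-on-oops is to set the `kernel.panic_on_oops` sysctl; a oneshot unit ordered after the boot target runs once per boot, regardless of how many login shells, X sessions or qrexec calls source `/etc/profile.d`.

```ini
# /etc/systemd/system/panic-on-oops.service
# Hypothetical unit name and path (added example, not the project's file).

[Unit]
Description=Panic on kernel oops once boot has completed
# Ordering: start only after the normal boot target has been reached, so an
# oops during early boot (possibly a hardware issue) does not panic the
# machine, while any later oops does.
After=multi-user.target

[Service]
# oneshot + RemainAfterExit: the command runs a single time per boot and the
# unit then stays "active", so repeated start requests do not re-run it.
Type=oneshot
RemainAfterExit=yes
# Assumption: the script's effect is this sysctl. Runs as root under systemd,
# so neither sudo nor a sudoers exception is involved.
ExecStart=/usr/sbin/sysctl -w kernel.panic_on_oops=1

[Install]
WantedBy=multi-user.target
```

After enabling the unit, `journalctl -b -u panic-on-oops.service` should show one start per boot, and `sysctl kernel.panic_on_oops` should report `1`.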

This is now in the testers repository.

1 Like