authorulfvonbelow <striness@tilde.club>2023-02-02 19:29:52 +0000
committerDale Mellor <mcron-lsfnyl@rdmp.org>2023-03-18 14:00:26 +0000
commit4727c770c2a723d46b4162cff21ab8f0b75c3998 (patch)
tree5cdd3a6c110d60d96892032b05edb60f0a77271c
parent2ff4d0f44ec21332d13de8d8ab8c39c77450ff7d (diff)
crontab-access: replace with wrapper, rename to crontab-access-real.
The wrapper has two purposes: 1. Not being a script, thereby eliminating the issues with setuid scripts. 2. Purging the environment. crontab-access-real has no need for any environment variables to do its work, so to prevent tampering with dynamic linker, libc, or guile, we may as well just unset them all. This wrapper does introduce a requirement for a C compiler. Ideally it would be conditional based on whether the wrapper is even going to be built, but autoconf doesn't like that one bit. Someone with more experience with autotools should sort that out. In the meantime I guess anyone wanting to build without a C compiler being present is going to have to edit configure.ac and re-run bootstrap. * src/crontab-access.in: renamed to src/crontab-access-real.in * src/crontab-access.c.in: new file, wrapper for crontab-access-real. * Makefile.am: inform about crontab-access.c.in and name change to crontab-access-real. Put crontab-access-real in libexecdir.
-rwxr-xr-xMakefile.am19
-rw-r--r--configure.ac8
-rw-r--r--src/crontab-access-real.in (renamed from src/crontab-access.in)0
-rw-r--r--src/crontab-access.c.in10
4 files changed, 34 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am
index 4aff2ae..2a87d72 100755
--- a/Makefile.am
+++ b/Makefile.am
@@ -26,11 +26,18 @@ noinst_SCRIPTS =
if MULTI_USER
bin_SCRIPTS += bin/crontab
-sbin_SCRIPTS = bin/cron bin/crontab-access
+sbin_SCRIPTS = bin/cron
+libexec_SCRIPTS = bin/crontab-access-real
+sbin_PROGRAMS = bin/crontab-access
else
-noinst_SCRIPTS += bin/cron bin/crontab bin/crontab-access
+noinst_SCRIPTS += bin/cron bin/crontab bin/crontab-access-real
+noinst_PROGRAMS = bin/crontab-access
endif
+# The dynamic linker should detect that it's being run for a setuid program,
+# but we take no chances.
+bin_crontab_access_LDFLAGS = -static
+
# wrapper to be used in the build environment and for running tests.
noinst_SCRIPTS += pre-inst-env
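Review bot: `bin_crontab_access_LDFLAGS = -static` is applied unconditionally, but nothing visible in this commit makes configure verify that a static link works, so a host without a static libc would fail at link time rather than at configure time. A link test in configure.ac that sets the flag through a substituted variable would make that failure explicit and early. No `bin_crontab_access_SOURCES` (or `nodist_` variant) appears in the visible hunks either, so automake would presumably default to `bin/crontab-access.c`, while the rule added further down generates `src/crontab-access.c`. Naming the generated file explicitly, e.g. `nodist_bin_crontab_access_SOURCES = src/crontab-access.c`, would remove the ambiguity and keep the generated file out of the tarball.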
@@ -81,6 +88,8 @@ compiled_modules = \
CLEANFILES = $(compiled_modules) \
bin/crontab \
bin/crontab-access \
+ src/crontab-access.c \
+ bin/crontab-access-real \
bin/cron \
bin/mcron
DISTCLEANFILES = src/mcron/config.scm
@@ -123,6 +132,9 @@ do_subst = sed -e 's,%PREFIX%,${prefix},g' \
src/mcron/config.scm: src/mcron/config.scm.in Makefile
$(AM_V_GEN)$(do_subst) $< > $@
+src/crontab-access.c: src/crontab-access.c.in Makefile
+ $(AM_V_GEN)$(do_subst) $< > $@
+
bin/% : src/%.in Makefile
$(AM_V_GEN)$(MKDIR_P) bin ; \
$(do_subst) $< > $@ ; \
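Review bot: The new `src/crontab-access.c` rule depends on `do_subst` replacing `%libexecdir%`, yet only the `%PREFIX%` expression of `do_subst` is visible here and the commit does not touch that definition. If no `%libexecdir%` expression exists in the lines outside this hunk, the wrapper is compiled with the literal string, which `execve` would treat as a relative path resolved against the caller's working directory — not acceptable for a setuid binary. It is worth confirming that `-e 's,%libexecdir%,${libexecdir},g'` is present. A guard in the rule such as `! grep -q '%[A-Za-z]*%' $@` would fail the build when a placeholder is left unexpanded. The `bin/%` pattern rule below continues past the end of the hunk.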
@@ -163,7 +175,8 @@ EXTRA_DIST = \
HACKING \
src/cron.in \
src/crontab.in \
- src/crontab-access.in \
+ src/crontab-access-real.in \
+ src/crontab-access.c.in \
src/mcron.in \
tests/init.sh \
$(TESTS)
diff --git a/configure.ac b/configure.ac
index 7ea532f..b79e3c3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,14 @@ AC_ARG_ENABLE([multi-user],
[Don't Install legacy cron and crontab programs])],
[enable_multi_user="$enableval"],
[enable_multi_user="yes"])
+
+dnl Not possible to run this conditionally?
+AC_PROG_CC
+dnl AS_IF([test "x$enable_multi_user" = xyes],
+dnl [# Need a C compiler to compile setuid wrapper
+dnl AC_PROG_CC]
+dnl fi
+
AM_CONDITIONAL([MULTI_USER], [test "x$enable_multi_user" = xyes])
# Configure the various files that mcron uses at runtime.
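Review bot: The commented-out draft under `AC_PROG_CC` is not valid as written: it opens with `AS_IF(` but closes with `fi`, and the second argument has no closing parenthesis. Anyone who uncomments it to make the compiler check conditional will get a broken configure script. Since `AC_PROG_CC` is now called unconditionally, I would drop the dead `dnl` lines and keep one comment that states the reason, for example `dnl A C compiler is always required: the setuid wrapper for crontab-access is a C program.`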
diff --git a/src/crontab-access.in b/src/crontab-access-real.in
index 569d147..569d147 100644
--- a/src/crontab-access.in
+++ b/src/crontab-access-real.in
diff --git a/src/crontab-access.c.in b/src/crontab-access.c.in
new file mode 100644
index 0000000..652b9cc
--- /dev/null
+++ b/src/crontab-access.c.in
@@ -0,0 +1,10 @@
+#include <unistd.h>
+
+int main(int argc, char **argv)
+{
+ char *envp = NULL;
+ execve("%libexecdir%/crontab-access-real",
+ argv, &envp);
+ /* Should not get here! */
+ return 1;
+}
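Review bot: A failed `execve` in `main` is silent: the wrapper returns 1 with no diagnostic, so a missing or wrongly substituted `%libexecdir%` path cannot be told apart from any other failure. Adding `#include <stdio.h>` and `perror("execve");` before `return 1;` would make it visible. `argv` is also forwarded unchecked, including the case where the caller supplies an empty vector, so a guard such as `if (argc < 1 || argv[0] == NULL) return 1;` at the top is worth having. The empty `envp` only removes environment-based influence. Open file descriptors, the umask and resource limits are still inherited across `execve`, so a short comment above `envp` saying what the wrapper does and does not sanitise would help the next reader.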