SummaryRefsLogTreeCommitDiffStats
Commit message (Expand)AuthorAgeFilesLines
* crontab-access: replace with wrapper, rename to crontab-access-real....The wrapper has two purposes: 1. Not being a script, thereby eliminating the issues with setuid scripts. 2. Purging the environment. crontab-access-real has no need for any environment variables to do its work, so to prevent tampering with dynamic linker, libc, or guile, we may as well just unset them all. This wrapper does introduce a requirement for a C compiler. Ideally it would be conditional based on whether the wrapper is even going to be built, but autoconf doesn't like that one bit. Someone with more experience with autotools should sort that out. In the meantime I guess anyone wanting to build without a C compiler being present is going to have to edit configure.ac and re-run bootstrap. * src/crontab-access.in: renamed to src/crontab-access-real.in * src/crontab-access.c.in: new file, wrapper for crontab-access-real. * Makefile.am: inform about crontab-access.c.in and name change to crontab-access-real. Put crontab-access-real in libexecdir. ulfvonbelow2023-03-184-3/+34
* crontab: split into crontab and setuid helper crontab-access....If a user did somehow manage to install this crontab as functioning setuid-root in its current state (despite linux ignoring the setuid bit when executing scripts), it would be a very bad thing for them. It currently has several glaring security holes. In approximate order from most to least severe: 1. It blindly calls system() with the user-supplied value of VISUAL or EDITOR, without dropping privileges. I can't fathom what the author was thinking, considering (mcron scripts crontab) is littered with comments and evidence that this is supposed to be a setuid-root program. An attacker could simply run EDITOR='sh #' crontab -e and get a root shell. If you try this, you may find that it coincidentally doesn't work because bash in particular always drops privileges on startup if it detects differing real and effective ids. I don't know whether other shells do this, but it actually doesn't matter as long as you're using glibc, because its system() consults PATH looking for sh. One false entry in there and an attacker is running arbitrary code as root. And crontab doesn't do any sanitizing of *any* environment variables. 2. No attempt is made to sanitize any environment variables. Also, depending on Guile's startup behavior, trying to sanitize them in guile may be too late. A wrapper is needed, which would be needed anyway in order to use a setuid script. 3. No attempt is made to ensure that the temporary file being edited is newly-created, so an attacker could guess or deduce the filename to be used, create it in advance, keep it open while crontab opens it, and overwrite it right before it is copied, allowing them to execute arbitrary code as any user that dared edit their crontab, including root. 4. Its replace mode accepts a filename. It does no validation whatsoever on this, opens it, and copies it to the user's crontab as long as it's valid vixie cron syntax. So for example, crontab /var/cron/tabs/root && crontab --list will let you freely read root's (and in a similar manner any other user's) crontab. Vixie cron includes comments in its valid syntax, so any file that consists entirely of comments can also be dumped. Also, any file for which opening it and reading from it has side-effects can have those side-effects triggered even if it isn't valid vixie cron syntax. 5. Crontabs created in /tmp for editing, as well as crontabs created in /var/cron/tabs, are world-readable with typical inherited umask. (1) and (4) are resolved by splitting crontab into two programs: crontab, which is no longer setuid, and crontab-access, which is. The setuid program no longer opens any files except for the user's crontab and the allow/deny files, and it runs no external programs whatsoever. Crontab is run as the invoking user, so the usual kernel-level permissions checks regarding which files can be opened for reading apply. The editor is run from crontab, as the invoking user, so sanitizing of the environment in the setuid helper has no effect on the editor's environment. (2) to be resolved shortly with a wrapper program. (3) is resolved by using mkstemp. The inability to control the mode it is created with, along with (5), are resolved by setting the umask properly. * src/mcron/scripts/crontab-access.scm: new module. * src/mcron/scripts/crontab.scm: move list, delete, and replace implementation to crontab-access. * src/crontab-access.in: new file to invoke main of crontab-access. * Makefile.am: inform of crontab-access.in and crontab-access.scm. ulfvonbelow2023-03-184-150/+295
* config.scm.in: rename to config.scm.in.in, substitute from Makefile....* src/mcron/config.scm.in: renamed to config.scm.in.in. (config-sbin-dir): new variable. * Makefile.am: substitute in config.scm.in. ulfvonbelow2023-03-183-7/+11
* Makefile.am: don't install cron as setuid....Setuid scripts are disabled on most systems anyway. Also cron refuses to run if the real user id isn't 0, so there's no point in it being setuid anyway. Also also, no attempt at controlling the environment has been made, so even if the symlink race conditions that make setuid scripts vulnerable were resolved, it would still be unsafe. ulfvonbelow2023-03-181-2/+1
* cron: use signal numbers instead of symbols....Did this ever work? * src/mcron/scripts/cron.scm (main): install signal handlers using numbers that symbols evaluate to instead of symbols. ulfvonbelow2023-03-181-1/+1
* Make vixie cron mode actually work, and work safely...I suspect nobody has used the legacy cron mode in a long time, possibly ever. If you look at the changes I've made, you'll probably see why I suspect this. I happen to have tried to use it so that one of my users could use the format he was familiar with, and ended up making a lot of necessary fixes - some just to make it work, but many to achieve the most basic of security requirements. If anyone has mcron's crontab script installed setuid-root and is on a system that respects the setuid bit of scripts, or has manually created a setuid wrapper around the crontab script, they should apply these patches ASAP. ulfvonbelow (5): cron: use signal numbers instead of symbols. Makefile.am: don't install cron as setuid. config.scm.in: rename to config.scm.in.in, substitute from Makefile. crontab: split into crontab and setuid helper crontab-access. crontab-access: replace with wrapper, rename to crontab-access-real. Makefile.am | 53 +++- configure.ac | 10 +- src/crontab-access-real.in | 45 ++++ src/crontab-access.c.in | 10 + src/mcron/{config.scm.in => config.scm.in.in} | 1 + src/mcron/scripts/cron.scm | 2 +- src/mcron/scripts/crontab-access.scm | 121 +++++++++ src/mcron/scripts/crontab.scm | 255 ++++++++---------- 8 files changed, 338 insertions(+), 159 deletions(-) create mode 100644 src/crontab-access-real.in create mode 100644 src/crontab-access.c.in rename src/mcron/{config.scm.in => config.scm.in.in} (97%) create mode 100644 src/mcron/scripts/crontab-access.scm -- 2.38.1 ulfvonbelow2023-03-180-0/+0
* Incorporate and use command-line-processor proposed for Guile core...Since the elimination of the C wrapping around mcron and all the executable scripts, a weakness in Guile's (ice-9 getopt-long) module means that the command 'mcron -s crontab.scm' does not currently work. A replacement for the getopt-long module, as well as a higher-level 'command-line-processor' facility, have been pushed to the Guile upstream developers and are awaiting approval and incorporation. In the meantime, those modules are temporarily incorporated here into the mcron package, and the code is modified to use those local versions. * Makefile.am: install two new Guile modules * src/{cron,crontab,mcron}.in: use local command-line-processor module * src/mcron/command-line-processor.scm: new module * src/mcron/getopt-long.scm: new module * tests/schedule{,-2}.sh: clarify tests of -s, --schedule options Dale Mellor2022-07-078-8/+1212
* Trivial copyright change.Dale Mellor2022-07-071-1/+1
* cron doesnʼt need the --log-format and --date-format options....* src/cron.in: remove the options * src/mcron/scripts/cron.scm: no need for extra processing Dale Mellor2022-07-072-9/+8
* Using proposed new Guile command-line-processor....This is a pre-emptive delta which will make use of new facilities in a future Guile for command-line option processing---a fuller description will appear with later patches. * src/{cron,crontab,mcron}.in: use new facility * src/mcron/scripts/{cron,crontab,mcron}.scm: remove old option-scanning code Dale Mellor2022-07-076-206/+215
* tests: Check (mcron vixie-specification)...* tests/vixie-specification.scm: New file. * Makefile.am (TESTS): Register it. Mathieu Lirzin2022-07-072-0/+145
* vixie-time: Remove calls to 'pk' debugging facility...* src/mcron/vixie-time.scm (parse-vixie-time): Remove pk usage Mathieu Lirzin2022-07-071-2/+2
* Lose hope of running against guile 2.2 or earlier....We have previously allowed versions 2.0 and 2.2 to get past the configure stage, but all versions of guile before 3.0 have in fact failed to compile the code due to syntax errors for some time now. * build-aux/guix.scm: package depends on guile@3 * configure.ac: only look for guile version 3 * src/mcron/base.scm: drop allowance for old-fashioned (version 2.0) select Dale Mellor2022-07-073-28/+14
* Give mcron --log option to turn logging on....This makes the behaviour backwards compatible with all previous uses of mcron. * src/mcron/base.scm: establish %do-logging parameter and act on it * src/mcron/scripts/mcron.scm: set %do-logging according to command line * tests/base.scm: some tests require %do-logging to be set Dale Mellor2022-07-073-14/+30
* base: Annotate output with job information....Before this change, it was difficult to discern which job emitted which output, as there was no information connecting the job to the output it produced. This change rectifies that by annotating each line output by cron/mcron with a prefix that contains a timestamp and the job name. It also reports about when the job runs and whether it completed successfully or failed. It was initially suggested here: <https://issues.guix.gnu.org/36510>. Thanks to the fine people from the #guile libera.chat IRC channel for providing ideas and help; this change would not have been possible without them! * src/mcron/base.scm (install-suspendable-ports!): Install suspendable ports. (%date-format, %log-format): New parameters. (validate-date-format, validate-log-format): New procedures. (<job-data>): New record. (run-job): Update doc. Redirect stdout and stderr to a pipe. Return a <job-data> instance containing the input port and other information about the job. Output job status messages. (process-output): New procedure. (child-cleanup): Add docstring. Use positive logic. Call 'process-output' one last time after a child process is collected. (run-job-loop): Add a CHILDREN-DATA variable to the loop. Provide the open file descriptors of the children ports to select*, and collect their output when they trigger select. * tests/base.scm ("run-job: basic"): Adjust and fix indentation. (dummy-job/capture-output): New procedure. ("run-job, output"): New test. ("validate-date-format, valid", "validate-date-format, invalid") ("validate-log-format, valid", "validate-log-format, invalid") ("run-job, output with custom format", "run-job, failure") ("run-job, failure in shell action"): New tests. * src/mcron/scripts/cron.scm (show-help): Document new options. (%options) [log-format, date-format]: New options. (main): Parameterize the main loop with the new parameter options (or their default values when not provided); move exception handling elsewhere (see below). * src/mcron/scripts/mcron.scm: Likewise. * src/cron.in: Install error handler here. * src/mcron.in: Likewise. * doc/mcron.texi: Document new cron and mcron options, as well as new (mcron base) APIs. * tests/basic.sh: Test the new options. Suggested-by: Robert Vollmert <rob@vllmrt.net> Maxim Cournoyer2022-07-078-120/+516
* Revert "Minor cosmetic simplification of case logic after previous patch."...This reverts commit 99a26e5de6d132056999074ce4f4f2cf24ec8c2f. Dale Mellor2022-01-101-25/+25
* documentation: extensive editing of info manual after a note from Paul Vixie....Paul has been in touch to say that the crontab format was not his invention, and that his program was based off of V7's cron's functionality, not later AT&T and Berkeley ones. Thus the mcron manual is edited extensively to emphasise more the POSIX standard crontab format, and to point out a more accurate history of cron developments. * doc/mcron.texi: small changes throughout the document. Dale Mellor2022-01-101-121/+136
* Minor cosmetic simplification of case logic after previous patch.... * src/mcron/base.scm: change around some /cond/s and /if/s. Dale Mellor2021-12-301-25/+25
* base: Handle nonexistent user home directories....This is useful for running jobs as the "nobody" user, for example. * src/mcron/base.scm (run-job): Catch the ENOENT (2, "No such file or directory") error when attempting to change directory to the user home directory. Maxim Cournoyer2021-12-301-1/+11
* Clarify an error message...* src/mcron/scripts/mcron.scm: modified string literal Ahmed Khanzada2021-12-291-1/+2
* documentation: Bug fix in a simple example....The second example under the manual heading Simple Examples does not work. The call to next-minute-from errs because the second argument must be a list. It can’t be the raw number 15. Thanks to Colton Lewis. * doc/mcron.texi: edited text. Dale Mellor2021-09-031-1/+1
* updating for next releasev1.2.1atsb2021-08-053-2/+9
* small change to reflect GNU Mcron not just mcronatsb2021-04-071-1/+1
* updates for latest autoconfatsb2021-04-071-15/+9
* Fix "mcron --help" to show --stdin does *not* apply to files.... * src/mcron/scripts/mcron.scm: modified string literal Dale Mellor2021-02-011-2/+2
* fixes for ubuntu 20.4v1.2.0atsb2020-08-131-0/+2
* build: Remove C specific Guile configuration step...* configure.ac: Remove unecessary PKG_CHECK_MODULES invocation. Mathieu Lirzin2020-05-171-5/+0
* build: Detect guile M4 macro expansion errors...This ensures that the absence of 'pkg-config' or 'guile' M4 macros expansion do not pass the bootstrap step. * configure.ac: Allow or forbid some M4 macros patterns in the generated 'configure' script. Mathieu Lirzin2020-05-171-1/+8
* scripts: Separate build/install directory context...This prevents installed modules to interfere with the ones from the build directory. * src/cron.in: Augment Guile load paths with install directories only when MCRON_UNINSTALLED environment variable is not set. * src/crontab.in: Likewise. * src/mcron.in: Likewise. Mathieu Lirzin2020-05-173-8/+14
* build: Distribute script source files...This allows 'make distcheck' to succeed. * Makefile.am (EXTRA_DIST): Add script source files. Mathieu Lirzin2020-05-081-0/+3
* build: Handle missing "bin" directory...This fixes the generation of scripts when "bin" directory does not exist. * Makefile.am (bin/%): Invoke $(MKDIR_P) first. Mathieu Lirzin2020-05-081-4/+5
* prepare version 1.2.0atsb2020-04-222-2/+2
* push new NEWS fileatsb2020-04-221-0/+9
* merge from dm-v1.2.0 part 1atsb2020-04-2221-525/+358
|\
| * project: banish need for C compiler...This patch gets rid of the thin veneer that we currently have around the three executables. This was done for historical reasons (circa 2003 Guile couldnʼt deal with process signals and forks). In fact these problems were fixed many moons ago, and there is now no need for it. The project becomes 100% Guile! Many files are affected; interested coders should use the GIT repository to understand the details of all the changes. Dale Mellor2020-04-2017-505/+251
| * test: demonstrate incorrect -s option on mcron program...The option is supposed to be able to take an optional argument, but if the argument is not supplied (should default to 8) then the test, rather than failing, is skipped with a friendly message in the log file. The proper fix will come with an upstream patch to GNU Guile, and a future version of Mcron. * tests/schedule-2.sh: new test, new file * Makefile.am: make sure to run the new test file Dale Mellor2020-04-202-0/+83
| * mcron: Look for local files in local directory....Previously were looking for files listed on the command line in Guile's modules directory. This is a bug-fix; running 'make check' will reveal one less failure than before. * src/mcron/scripts/mcron.scm (process-user-file): use read and eval instead of load. Dale Mellor2020-04-201-2/+5
| * test: Demonstration of failure to open local file....The mcron program goes looking for files specified on the command line in Guile's module path, inevitably resulting in failure to load said file. Running 'make check' will show at least one failure. * tests/basic.sh: Added new test. Dale Mellor2020-04-201-0/+3
| * doc/mcron.texi: Make the manual gender-neutral....Replace his/hers with theirs, etc. *doc/mcron.text: light edits only. Dale Mellor2020-04-201-6/+6
| * test: make date tests reliable, i.e. independent of current time...Some of the date tests depend both on the particular time of day and year at which the test is run, and also on the state of daylight-savings adjustments. (At the present time on my system there are four failing tests, but YMMV.) This patch puts all the tests to UTC time in the C locale, making the results consistent. *All* items in the test suite should be passing once again. * tests/job-schedule.scm: Fix up the environment before running the tests. Dale Mellor2020-04-202-18/+17
* | small fix for older gcc versionsatsb2020-04-141-1/+2
|/
* preparing 1.1.4v1.1.4atsb2020-04-123-2/+12
* Updated my e-mail address.Dale Mellor2020-02-271-1/+1
* utils: It's 2020!...* src/mcron/utils.scm (show-version): Update copyright year. Ludovic Courtès2020-02-271-1/+1
* base: Avoid 'call-with-current-continuation'....'call-with-current-continuation' is overkill and not quite what we want. 'let/ec' is supported in Guile 2.0, 2.2, and 3.0. * src/mcron/base.scm (run-job-loop): Use 'let/ec' instead of 'call-with-current-continuation'. Ludovic Courtès2020-02-271-22/+22
* base: Call 'child-cleanup' when 'select' returns an empty set....Previously, on Guile >= 2.2, we'd lose this opportunity to call 'child-cleanup', possibly leaving zombies behind us. * src/mcron/base.scm (run-job-loop): Define 'select*'. Don't expect 'select*' to throw upon EINTR or EAGAIN. Ludovic Courtès2020-02-271-14/+26
* build: Support Guile 3.0....* configure.ac: Add "3.0" to 'GUILE_PKG'. Ludovic Courtès2020-02-271-2/+2
* Add missing #include directives....<libguile.h> in Guile 2.x used to include these, but this is no longer the case with 3.0. * src/cron.c, src/mcron.h: Include <string.h>. * src/utils.c: Include <stdio.h>. Ludovic Courtès2020-02-273-0/+3
* prepared files for 1.1.3v1.1.3atsb2019-11-173-2/+10
* maint: Add Efraim Flashner to the authors...* AUTHORS: Add Efraim Flashner. Mathieu Lirzin2019-04-071-0/+1