path: root/src
Commit message | Author | Age | Files | Lines
* crontab: split into crontab and setuid helper crontab-access. | ulfvonbelow | 2023-03-18 | 3 | -143/+278

  If a user did somehow manage to install this crontab as functioning setuid-root in its current state (despite linux ignoring the setuid bit when executing scripts), it would be a very bad thing for them. It currently has several glaring security holes. In approximate order from most to least severe:

  1. It blindly calls system() with the user-supplied value of VISUAL or EDITOR, without dropping privileges. I can't fathom what the author was thinking, considering (mcron scripts crontab) is littered with comments and evidence that this is supposed to be a setuid-root program. An attacker could simply run

         EDITOR='sh #' crontab -e

     and get a root shell. If you try this, you may find that it coincidentally doesn't work because bash in particular always drops privileges on startup if it detects differing real and effective ids. I don't know whether other shells do this, but it actually doesn't matter as long as you're using glibc, because its system() consults PATH looking for sh. One false entry in there and an attacker is running arbitrary code as root. And crontab doesn't do any sanitizing of *any* environment variables.

  2. No attempt is made to sanitize any environment variables. Also, depending on Guile's startup behavior, trying to sanitize them in guile may be too late. A wrapper is needed, which would be needed anyway in order to use a setuid script.

  3. No attempt is made to ensure that the temporary file being edited is newly-created, so an attacker could guess or deduce the filename to be used, create it in advance, keep it open while crontab opens it, and overwrite it right before it is copied, allowing them to execute arbitrary code as any user that dared edit their crontab, including root.

  4. Its replace mode accepts a filename. It does no validation whatsoever on this, opens it, and copies it to the user's crontab as long as it's valid vixie cron syntax. So for example,

         crontab /var/cron/tabs/root && crontab --list

     will let you freely read root's (and in a similar manner any other user's) crontab. Vixie cron includes comments in its valid syntax, so any file that consists entirely of comments can also be dumped. Also, any file for which opening it and reading from it has side-effects can have those side-effects triggered even if it isn't valid vixie cron syntax.

  5. Crontabs created in /tmp for editing, as well as crontabs created in /var/cron/tabs, are world-readable with typical inherited umask.

  (1) and (4) are resolved by splitting crontab into two programs: crontab, which is no longer setuid, and crontab-access, which is. The setuid program no longer opens any files except for the user's crontab and the allow/deny files, and it runs no external programs whatsoever. Crontab is run as the invoking user, so the usual kernel-level permissions checks regarding which files can be opened for reading apply. The editor is run from crontab, as the invoking user, so sanitizing of the environment in the setuid helper has no effect on the editor's environment.

  (2) to be resolved shortly with a wrapper program.

  (3) is resolved by using mkstemp. The inability to control the mode it is created with, along with (5), are resolved by setting the umask properly.

  * src/mcron/scripts/crontab-access.scm: new module.
  * src/mcron/scripts/crontab.scm: move list, delete, and replace implementation to crontab-access.
  * src/crontab-access.in: new file to invoke main of crontab-access.
  * Makefile.am: inform of crontab-access.in and crontab-access.scm.
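
Items 3 and 5 of the commit message above, and the mkstemp-plus-umask fix it describes, shown with the underlying POSIX calls in C. This is an added example, not code from mcron (which is written in Guile Scheme); the function names and the /tmp template are made up for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Item 3 pattern: open a guessable name. Without O_EXCL an existing file
   (possibly one another user created and still holds open) is reused.
   With O_EXCL the open fails with EEXIST instead. Returns fd or -1. */
int open_guessable(const char *path, int exclusive)
{
    int flags = O_RDWR | O_CREAT | (exclusive ? O_EXCL : 0);
    return open(path, flags, 0600);
}

/* Hardened pattern: tighten the umask, let mkstemp() pick the name and
   create it exclusively, then verify what was actually created.
   tmpl must end in "XXXXXX" and is overwritten with the chosen name.
   Returns fd or -1; *mode_out receives the permission bits. */
int open_scratch_private(char *tmpl, mode_t *mode_out)
{
    struct stat st;
    mode_t old = umask(077);          /* items 3 and 5: no group/other access */
    int fd = mkstemp(tmpl);
    int saved_errno = errno;
    umask(old);                       /* restore the caller's umask either way */
    if (fd < 0) { errno = saved_errno; return -1; }

    /* Regular file, owned by us, a single link, private permissions. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        (st.st_mode & 077) != 0) {
        close(fd);
        unlink(tmpl);
        errno = EPERM;
        return -1;
    }
    *mode_out = st.st_mode & 0777;
    return fd;
}

int main(void)
{
    char tmpl[] = "/tmp/crontab-example.XXXXXX";   /* constructed name */
    mode_t mode = 0;
    int fd = open_scratch_private(tmpl, &mode);
    if (fd < 0) { perror("open_scratch_private"); return 1; }
    printf("created %s mode %04o\n", tmpl, (unsigned)mode);

    /* The file now exists, so it stands in for a file created in advance. */
    int reused = open_guessable(tmpl, 0);
    int refused = open_guessable(tmpl, 1);
    printf("without O_EXCL: fd=%d (existing file reused)\n", reused);
    printf("with O_EXCL:    fd=%d (%s)\n", refused, refused < 0 ? "refused" : "opened");
    if (reused >= 0) close(reused);
    close(fd);
    unlink(tmpl);
    return 0;
}
```
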
* config.scm.in: rename to config.scm.in.in, substitute from Makefile. | ulfvonbelow | 2023-03-18 | 1 | -0/+1

  * src/mcron/config.scm.in: renamed to config.scm.in.in.
  (config-sbin-dir): new variable.
  * Makefile.am: substitute in config.scm.in.

* cron: use signal numbers instead of symbols. | ulfvonbelow | 2023-03-18 | 1 | -1/+1

  Did this ever work?

  * src/mcron/scripts/cron.scm (main): install signal handlers using numbers that symbols evaluate to instead of symbols.
* Incorporate and use command-line-processor proposed for Guile core | Dale Mellor | 2022-07-07 | 5 | -4/+1208

  Since the elimination of the C wrapping around mcron and all the executable scripts, a weakness in Guile's (ice-9 getopt-long) module means that the command 'mcron -s crontab.scm' does not currently work.

  A replacement for the getopt-long module, as well as a higher-level 'command-line-processor' facility, have been pushed to the Guile upstream developers and are awaiting approval and incorporation. In the meantime, those modules are temporarily incorporated here into the mcron package, and the code is modified to use those local versions.

  * Makefile.am: install two new Guile modules
  * src/{cron,crontab,mcron}.in: use local command-line-processor module
  * src/mcron/command-line-processor.scm: new module
  * src/mcron/getopt-long.scm: new module
  * tests/schedule{,-2}.sh: clarify tests of -s, --schedule options

* Trivial copyright change. | Dale Mellor | 2022-07-07 | 1 | -1/+1

* cron doesnʼt need the --log-format and --date-format options. | Dale Mellor | 2022-07-07 | 2 | -9/+8

  * src/cron.in: remove the options
  * src/mcron/scripts/cron.scm: no need for extra processing

* Using proposed new Guile command-line-processor. | Dale Mellor | 2022-07-07 | 6 | -206/+215

  This is a pre-emptive delta which will make use of new facilities in a future Guile for command-line option processing---a fuller description will appear with later patches.

  * src/{cron,crontab,mcron}.in: use new facility
  * src/mcron/scripts/{cron,crontab,mcron}.scm: remove old option-scanning code
* vixie-time: Remove calls to 'pk' debugging facility | Mathieu Lirzin | 2022-07-07 | 1 | -2/+2

  * src/mcron/vixie-time.scm (parse-vixie-time): Remove pk usage

* Lose hope of running against guile 2.2 or earlier. | Dale Mellor | 2022-07-07 | 1 | -26/+12

  We have previously allowed versions 2.0 and 2.2 to get past the configure stage, but all versions of guile before 3.0 have in fact failed to compile the code due to syntax errors for some time now.

  * build-aux/guix.scm: package depends on guile@3
  * configure.ac: only look for guile version 3
  * src/mcron/base.scm: drop allowance for old-fashioned (version 2.0) select

* Give mcron --log option to turn logging on. | Dale Mellor | 2022-07-07 | 2 | -6/+20

  This makes the behaviour backwards compatible with all previous uses of mcron.

  * src/mcron/base.scm: establish %do-logging parameter and act on it
  * src/mcron/scripts/mcron.scm: set %do-logging according to command line
  * tests/base.scm: some tests require %do-logging to be set
* base: Annotate output with job information. | Maxim Cournoyer | 2022-07-07 | 5 | -106/+327

  Before this change, it was difficult to discern which job emitted which output, as there was no information connecting the job to the output it produced. This change rectifies that by annotating each line output by cron/mcron with a prefix that contains a timestamp and the job name. It also reports about when the job runs and whether it completed successfully or failed.

  It was initially suggested here: <https://issues.guix.gnu.org/36510>.

  Thanks to the fine people from the #guile libera.chat IRC channel for providing ideas and help; this change would not have been possible without them!

  * src/mcron/base.scm (install-suspendable-ports!): Install suspendable ports.
  (%date-format, %log-format): New parameters.
  (validate-date-format, validate-log-format): New procedures.
  (<job-data>): New record.
  (run-job): Update doc. Redirect stdout and stderr to a pipe. Return a <job-data> instance containing the input port and other information about the job. Output job status messages.
  (process-output): New procedure.
  (child-cleanup): Add docstring. Use positive logic. Call 'process-output' one last time after a child process is collected.
  (run-job-loop): Add a CHILDREN-DATA variable to the loop. Provide the open file descriptors of the children ports to select*, and collect their output when they trigger select.
  * tests/base.scm ("run-job: basic"): Adjust and fix indentation.
  (dummy-job/capture-output): New procedure.
  ("run-job, output"): New test.
  ("validate-date-format, valid", "validate-date-format, invalid")
  ("validate-log-format, valid", "validate-log-format, invalid")
  ("run-job, output with custom format", "run-job, failure")
  ("run-job, failure in shell action"): New tests.
  * src/mcron/scripts/cron.scm (show-help): Document new options.
  (%options) [log-format, date-format]: New options.
  (main): Parameterize the main loop with the new parameter options (or their default values when not provided); move exception handling elsewhere (see below).
  * src/mcron/scripts/mcron.scm: Likewise.
  * src/cron.in: Install error handler here.
  * src/mcron.in: Likewise.
  * doc/mcron.texi: Document new cron and mcron options, as well as new (mcron base) APIs.
  * tests/basic.sh: Test the new options.

  Suggested-by: Robert Vollmert <rob@vllmrt.net>
* Revert "Minor cosmetic simplification of case logic after previous patch." | Dale Mellor | 2022-01-10 | 1 | -25/+25

  This reverts commit 99a26e5de6d132056999074ce4f4f2cf24ec8c2f.

* Minor cosmetic simplification of case logic after previous patch. | Dale Mellor | 2021-12-30 | 1 | -25/+25

  * src/mcron/base.scm: change around some /cond/s and /if/s.

* base: Handle nonexistent user home directories. | Maxim Cournoyer | 2021-12-30 | 1 | -1/+11

  This is useful for running jobs as the "nobody" user, for example.

  * src/mcron/base.scm (run-job): Catch the ENOENT (2, "No such file or directory") error when attempting to change directory to the user home directory.

* Clarify an error message | Ahmed Khanzada | 2021-12-29 | 1 | -1/+2

  * src/mcron/scripts/mcron.scm: modified string literal

* small change to reflect GNU Mcron not just mcron | atsb | 2021-04-07 | 1 | -1/+1

* Fix "mcron --help" to show --stdin does *not* apply to files. | Dale Mellor | 2021-02-01 | 1 | -2/+2

  * src/mcron/scripts/mcron.scm: modified string literal
* scripts: Separate build/install directory context | Mathieu Lirzin | 2020-05-17 | 3 | -8/+14

  This prevents installed modules from interfering with the ones from the build directory.

  * src/cron.in: Augment Guile load paths with install directories only when MCRON_UNINSTALLED environment variable is not set.
  * src/crontab.in: Likewise.
  * src/mcron.in: Likewise.

* project: banish need for C compiler | Dale Mellor | 2020-04-20 | 13 | -425/+180

  This patch gets rid of the thin veneer that we currently have around the three executables. This was done for historical reasons (circa 2003 Guile couldnʼt deal with process signals and forks). In fact these problems were fixed many moons ago, and there is now no need for it.

  The project becomes 100% Guile!

  Many files are affected; interested coders should use the GIT repository to understand the details of all the changes.

* mcron: Look for local files in local directory. | Dale Mellor | 2020-04-20 | 1 | -2/+5

  Previously we were looking for files listed on the command line in Guile's modules directory. This is a bug-fix; running 'make check' will reveal one less failure than before.

  * src/mcron/scripts/mcron.scm (process-user-file): use read and eval instead of load.
* utils: It's 2020! | Ludovic Courtès | 2020-02-27 | 1 | -1/+1

  * src/mcron/utils.scm (show-version): Update copyright year.

* base: Avoid 'call-with-current-continuation'. | Ludovic Courtès | 2020-02-27 | 1 | -22/+22

  'call-with-current-continuation' is overkill and not quite what we want. 'let/ec' is supported in Guile 2.0, 2.2, and 3.0.

  * src/mcron/base.scm (run-job-loop): Use 'let/ec' instead of 'call-with-current-continuation'.

* base: Call 'child-cleanup' when 'select' returns an empty set. | Ludovic Courtès | 2020-02-27 | 1 | -14/+26

  Previously, on Guile >= 2.2, we'd lose this opportunity to call 'child-cleanup', possibly leaving zombies behind us.

  * src/mcron/base.scm (run-job-loop): Define 'select*'. Don't expect 'select*' to throw upon EINTR or EAGAIN.

* Add missing #include directives. | Ludovic Courtès | 2020-02-27 | 3 | -0/+3

  <libguile.h> in Guile 2.x used to include these, but this is no longer the case with 3.0.

  * src/cron.c, src/mcron.h: Include <string.h>.
  * src/utils.c: Include <stdio.h>.
* build: Add '--with-sendmail' configure option | 宋文武 | 2018-10-07 | 1 | -4/+4

  This allows users to configure the Mail Transfer Agent (MTA) of their choice.

  * configure.ac: Add '--with-sendmail' option.
  (SENDMAIL): Default to 'sendmail -t'.
  * NEWS: Announce it.
  * src/mcron/redirect.scm (with-mail-out): Assume the MTA is reading the message for recipients.
  * build-aux/guix.scm: Remove 'which' from the native-inputs.
* vixie-time: Refactor 'parse-vixie-time' | Mathieu Lirzin | 2018-04-08 | 1 | -68/+63

  * src/mcron/vixie-time.scm (parse-vixie-time): Use 'match' to avoid complex 'car' and 'cdr' usage.

* vixie-time: Refactor 'interpolate-weekdays' | Mathieu Lirzin | 2018-04-08 | 1 | -18/+11

  * src/mcron/vixie-time.scm (interpolate-weekdays): Avoid mutation and add 'range-wday' inner procedure.

* vixie-time: Adapt to '%find-best-next' possible infinite result | Mathieu Lirzin | 2018-04-01 | 1 | -10/+13

  This is a follow up to commit ae6deb8ea23570c02a7b575a53bba37048aab59f.

  * src/mcron/vixie-time.scm (increment-time-component): Check if '%find-best-next' returns '+inf.0' not 9999.

* utils: Remove 'parse-args' | Mathieu Lirzin | 2018-03-27 | 3 | -13/+5

  It seems that it is not useful to catch 'misc-error exception when calling 'getopt-long'. Since 'parse-args' purpose was only to catch this particular error, it can be deleted.

  * src/mcron/utils.scm (parse-args): Remove.

* job-specifier: Box 'configuration-user' global variable | Mathieu Lirzin | 2018-03-27 | 1 | -6/+4

  * src/mcron/job-specifier.scm (configuration-user): Box it using SRFI-111 to be explicit about the mutability of this object.
  (job): Adapt.
  (set-configuration-user): Adapt and use 'get-user'.
  * tests/job-specifier.scm ("set-configuration-user: passwd entry")
  ("set-configuration-user: invalid uid", "set-configuration-user: uid")
  ("set-configuration-user: invalid spec")
  ("set-configuration-user: name"): New tests.

* job-specifier: Fix typo "implement" => "implementation" | Mathieu Lirzin | 2018-03-27 | 1 | -1/+2

  * src/mcron/job-specifier.scm (%find-best-next): Fix typo.
* job-specifier: Adapt 'bump-time' to 'next-...-from' procedures | Mathieu Lirzin | 2018-03-26 | 1 | -15/+9

  This is a follow-up to commit 913e3c65e4f56476e8ac69f4892cf92c125751ec.

  Since 'next-...-from' procedures now use an '#:optional' argument instead of a dotted optional arguments list, 'bump-time' doesn't need to unwrap VALUE-LIST anymore.

  * src/mcron/job-specifier.scm (bump-time): Pass VALUE-LIST directly to '%find-best-next'.
  * tests/job-specifier.scm ("next-hour-from"): New test.
  * NEWS: Update.

  Reported-by: Ludovic Courtès <ludo@gnu.org>
* job-specifier: Preserve '%find-best-next' arguments exactness | Mathieu Lirzin | 2018-03-26 | 1 | -2/+6

  The behavior of the 'min' procedure which converts its parameters to inexact numbers when at least one of them is inexact was causing '%find-best-next' to always return real numbers.

  * src/mcron/job-specifier.scm (%find-best-next): Preserve the exactness of numbers in NEXT-LIST.
  * tests/job-specifier.scm ("%find-best-next: exact"): New test.

  Reported-by: Ludovic Courtès <ludo@gnu.org>

* utils: It's 2018! | Mathieu Lirzin | 2018-03-25 | 1 | -1/+1

  * src/mcron/utils.scm (show-version): Update copyright.

* environment: Refactor configuration environment handling | Mathieu Lirzin | 2018-03-24 | 1 | -35/+38

  * src/mcron/environment.scm (current-environment-mods): Rename to ...
  (%current-environment-mods): ... this. Box it using SRFI-111 to be explicit about the mutability of this object.
  (get-current-environment-mods-copy, clear-environment-mods)
  (append-environment-mods): New '#:ENVIRON' argument.

* base: Box 'number-children' | Mathieu Lirzin | 2018-03-24 | 1 | -6/+15

  * src/mcron/base.scm (number-children): Box it using SRFI-111 to be explicit about the mutability of this object.
  (update-number-children!): New procedure.
  (run-job, child-cleanup): Use it.
  * tests/base.scm ("update-number-children!: 1+")
  ("number-children: init", "update-number-children!: 1-"): New tests.

* base: Rewrite 'child-cleanup' | Mathieu Lirzin | 2018-03-24 | 1 | -6/+6

  * src/mcron/base.scm (child-cleanup): Use recursion instead of 'do'.

* utils: Add 'get-user' | Mathieu Lirzin | 2018-03-24 | 3 | -8/+17

  * src/mcron/utils.scm (get-user): New procedure.
  * src/mcron/job-specifier.scm (job): Use it.
  * src/mcron/base.scm (remove-user-jobs): Likewise.

* base: Rewrite 'find-next-jobs' docstring. | Mathieu Lirzin | 2018-03-24 | 1 | -15/+4

  * src/mcron/base.scm (find-next-jobs): Don't explain the detail of implementation in the docstring.

* base: Add '<schedule>' record data type | Mathieu Lirzin | 2018-03-24 | 1 | -66/+77

  Reifying the notion of a schedule helps reasoning about the code. Passing a schedule as an argument to related procedures allows writing simpler unit tests.

  * src/mcron/base.scm (<schedule>): New record data type.
  (make-schedule, schedule-user, set-schedule-user!)
  (schedule-system, set-schedule-system!)
  (schedule-current, set-schedule-current!): New procedures.
  (system-job-list, user-job-list, configuration-source): Replace those global variables with ...
  (%global-schedule): ... this global <schedule> instance.
  * src/mcron/base.scm (use-system-job-list, use-user-job-list)
  (remove-user-jobs, clear-system-jobs, add-job, find-next-jobs)
  (display-schedule, run-job-loop): Add '#:SCHEDULE' keyword argument.
  * doc/mcron.texi (The base module): Update documentation.
* job-specifier: Use 'simple-format' | Mathieu Lirzin | 2018-03-23 | 1 | -4/+3

  * src/mcron/job-specifier.scm (job): Use 'simple-format' instead of 'with-output-to-string'.

* utils: Use 'scandir' instead of custom 'for-each-file' | Mathieu Lirzin | 2018-03-20 | 3 | -23/+11

  * src/mcron/utils.scm (for-each-file): Delete.
  * src/mcron/scripts/cron.scm (process-files-in-system-directory): Use 'scandir' which has the benefit of being deterministic.
  * src/mcron/scripts/mcron.scm (process-files-in-user-directory): Likewise.
  * tests/schedule.sh: Update expected output which is now more reliable.
  * NEWS: Update.

  Suggested-by: Ludovic Courtès <ludo@gnu.org>

* tests: Add 'schedule.sh' | Mathieu Lirzin | 2018-03-16 | 1 | -1/+4

  * tests/schedule.sh: New test.
  * Makefile.am (TESTS): Add it.
  * src/mcron/job-specifier.scm (configuration-time): Use SOURCE_DATE_EPOCH for reproducible tests.

* base: Add 'display-schedule' procedure | Mathieu Lirzin | 2018-03-16 | 4 | -30/+27

  This procedure is a more generic and less coupled version of 'get-schedule' which has been kept for backward compatibility and deprecated.

  * src/mcron/base.scm (display-schedule): New procedure.
  (get-schedule): Move to ...
  * src/mcron/core.scm: ... here.
  * src/mcron/scripts/cron.scm (main): Use 'display-schedule'.
  * src/mcron/scripts/mcron.scm (main): Likewise.
  * doc/mcron.texi (The base module): Document it.

* crontab: Extract procedures from 'main' | Mathieu Lirzin | 2018-03-16 | 1 | -35/+34

  * src/mcron/scripts/crontab.scm (in-access-file?)
  (hit-server): New procedures.

* utils: Add 'assq_symbol_set_x' function | Mathieu Lirzin | 2017-09-28 | 5 | -16/+18

  * src/utils.c (assq_symbol_set_x): New function.
  * src/mcron.c (parse_opt): Use it.

* mcron: Handle command line arguments in C with argp | Mathieu Lirzin | 2017-09-28 | 2 | -61/+108

  'argp' is a convenient and maintainable way to parse command line arguments. Guile doesn't offer an equivalent of this, so the command line handling has been moved to C.

  * src/mcron.c (parse_args, parse_opt): New functions.
  (inner_main): Call 'parse_args'.
  * src/mcron/scripts/mcron.scm (show-help, %options): Delete.
  (main): Remove command line handling.

* Replace generic C wrapper with individual programs | Mathieu Lirzin | 2017-09-28 | 3 | -21/+109

  * src/wrapper.c: Delete.
  * src/crontab.c: New file.
  * src/mcron.c: Likewise.
  * src/cron.c: Likewise.
  * configure.ac: Adapt 'AC_CONFIG_DIR' to use "src/mcron.c".
  * Makefile.am (bin_crontab_SOURCES, bin_cron_SOURCES)
  (bin_mcron_SOURCES): Use new files.
  (bin_cron_CPPFLAGS, bin_mcron_CPPFLAGS, bin_crontab_CPPFLAGS): Delete.

* wrapper: Move 'wrap_env_path' to a new 'utils' module. | Mathieu Lirzin | 2017-09-28 | 3 | -24/+72

  * src/wrapper.c: Move 'wrap_env_path' to ...
  * src/utils.h: ... here. New module.
  * src/utils.c: New file.
  * configure.ac: Use AC_PROG_RANLIB and AM_PROG_AR.
  * Makefile.am (noinst_LIBRARIES, src_libmcron_a_SOURCES): New variables.
  (LDADD): Add 'src/libmcron.a'.
* build: Remove "--enable-debug" configure option | Mathieu Lirzin | 2017-09-28 | 1 | -1/+8

  Unlike C code, where debugging imposes the "-g" compilation flags, this debugging option only affects Guile code, so using an environment variable works better since it doesn't impose recompiling Mcron or editing "config.scm".

  * configure.ac: Remove "--enable-debug" configure option.
  * src/mcron/config.scm.in (config-debug): Use MCRON_DEBUG environment variable to trigger the debug mode at runtime.