| Commit message (Expand) | Author | Age | Files | Lines |
* | It is 2023.... * src/cron.in
* src/mcron.in
v1.2.3v1.2.2 | Dale Mellor | 2023-03-24 | 2 | -2/+2 |
* | Merge system-wide Vixie cron updates....I don't believe that anyone should be running system-wide cron processes these
days (the attack surface is rather large), but should use separate per-user or
per-service mcron daemon processes. But mcron is advertised as a drop-in
Vixie replacement, so we should do what we can to make it safe in this use
case.
I've performed a basic vetting of the changes against vandalism, but haven't
verified the correctness of the code or done any checking; the changes are
being accepted on the basis that almost anything is an improvement on what
currently exists.
| Dale Mellor | 2023-03-18 | 6 | -144/+290 |
|\ |
|
| * | crontab-access: replace with wrapper, rename to crontab-access-real....The wrapper has two purposes:
1. Not being a script, thereby eliminating the issues with setuid scripts.
2. Purging the environment. crontab-access-real has no need for any
environment variables to do its work, so to prevent tampering with dynamic
linker, libc, or guile, we may as well just unset them all.
This wrapper does introduce a requirement for a C compiler. Ideally it would
be conditional based on whether the wrapper is even going to be built, but
autoconf doesn't like that one bit. Someone with more experience with
autotools should sort that out. In the meantime I guess anyone wanting to
build without a C compiler being present is going to have to edit configure.ac
and re-run bootstrap.
* src/crontab-access.in: renamed to src/crontab-access-real.in
* src/crontab-access.c.in: new file, wrapper for crontab-access-real.
* Makefile.am: inform about crontab-access.c.in and name change to
crontab-access-real. Put crontab-access-real in libexecdir.
| ulfvonbelow | 2023-03-18 | 2 | -0/+10 |
| * | crontab: split into crontab and setuid helper crontab-access....If a user did somehow manage to install this crontab as functioning
setuid-root in its current state (despite linux ignoring the setuid bit when
executing scripts), it would be a very bad thing for them. It currently has
several glaring security holes. In approximate order from most to least
severe:
1. It blindly calls system() with the user-supplied value of VISUAL or
EDITOR, without dropping privileges. I can't fathom what the author was
thinking, considering (mcron scripts crontab) is littered with comments and
evidence that this is supposed to be a setuid-root program. An attacker
could simply run
EDITOR='sh #' crontab -e
and get a root shell. If you try this, you may find that it coincidentally
doesn't work because bash in particular always drops privileges on startup
if it detects differing real and effective ids. I don't know whether other
shells do this, but it actually doesn't matter as long as you're using
glibc, because its system() consults PATH looking for sh. One false entry
in there and an attacker is running arbitrary code as root. And crontab
doesn't do any sanitizing of *any* environment variables.
2. No attempt is made to sanitize any environment variables. Also, depending
on Guile's startup behavior, trying to sanitize them in guile may be too
late. A wrapper is needed, which would be needed anyway in order to use a
setuid script.
3. No attempt is made to ensure that the temporary file being edited is
newly-created, so an attacker could guess or deduce the filename to be
used, create it in advance, keep it open while crontab opens it, and
overwrite it right before it is copied, allowing them to execute arbitrary
code as any user that dared edit their crontab, including root.
4. Its replace mode accepts a filename. It does no validation whatsoever on
this, opens it, and copies it to the user's crontab as long as it's valid
vixie cron syntax. So for example,
crontab /var/cron/tabs/root && crontab --list
will let you freely read root's (and in a similar manner any other user's)
crontab. Vixie cron includes comments in its valid syntax, so any file that
consists entirely of comments can also be dumped. Also, any file for which
opening it and reading from it has side-effects can have those side-effects
triggered even if it isn't valid vixie cron syntax.
5. Crontabs created in /tmp for editing, as well as crontabs created in
/var/cron/tabs, are world-readable with typical inherited umask.
(1) and (4) are resolved by splitting crontab into two programs: crontab,
which is no longer setuid, and crontab-access, which is. The setuid program no
longer opens any files except for the user's crontab and the allow/deny files,
and it runs no external programs whatsoever. Crontab is run as the invoking
user, so the usual kernel-level permissions checks regarding which files can
be opened for reading apply. The editor is run from crontab, as the invoking
user, so sanitizing of the environment in the setuid helper has no effect on
the editor's environment.
(2) to be resolved shortly with a wrapper program.
(3) is resolved by using mkstemp. The inability to control the mode it is
created with, along with (5), are resolved by setting the umask properly.
* src/mcron/scripts/crontab-access.scm: new module.
* src/mcron/scripts/crontab.scm: move list, delete, and replace
implementation to crontab-access.
* src/crontab-access.in: new file to invoke main of crontab-access.
* Makefile.am: inform of crontab-access.in and crontab-access.scm.
| ulfvonbelow | 2023-03-18 | 3 | -143/+278 |
| * | config.scm.in: rename to config.scm.in.in, substitute from Makefile....* src/mcron/config.scm.in: renamed to config.scm.in.in.
(config-sbin-dir): new variable.
* Makefile.am: substitute in config.scm.in.
| ulfvonbelow | 2023-03-18 | 1 | -0/+1 |
| * | cron: use signal numbers instead of symbols....Did this ever work?
* src/mcron/scripts/cron.scm (main): install signal handlers using numbers
that symbols evaluate to instead of symbols.
| ulfvonbelow | 2023-03-18 | 1 | -1/+1 |
* | | The new options --log-format and --date-format must have arguments....* src/mcron.in: change the optionsʼ specification
| Dale Mellor | 2022-07-07 | 1 | -2/+2 |
|/ |
|
* | Incorporate and use command-line-processor proposed for Guile core...Since the elimination of the C wrapping around mcron and all the
executable scripts, a weakness in Guile's (ice-9 getopt-long) module
means that the command 'mcron -s crontab.scm' does not currently
work. A replacement for the getopt-long module, as well as a
higher-level 'command-line-processor' facility, have been pushed to
the Guile upstream developers and are awaiting approval and
incorporation. In the meantime, those modules are temporarily
incorporated here into the mcron package, and the code is modified
to use those local versions.
* Makefile.am: install two new Guile modules
* src/{cron,crontab,mcron}.in: use local command-line-processor module
* src/mcron/command-line-processor.scm: new module
* src/mcron/getopt-long.scm: new module
* tests/schedule{,-2}.sh: clarify tests of -s, --schedule options
| Dale Mellor | 2022-07-07 | 5 | -4/+1208 |
* | Trivial copyright change. | Dale Mellor | 2022-07-07 | 1 | -1/+1 |
* | cron doesnʼt need the --log-format and --date-format options....* src/cron.in: remove the options
* src/mcron/scripts/cron.scm: no need for extra processing
| Dale Mellor | 2022-07-07 | 2 | -9/+8 |
* | Using proposed new Guile command-line-processor....This is a pre-emptive delta which will make use of new facilities
in a future Guile for command-line option processing---a fuller
description will appear with later patches.
* src/{cron,crontab,mcron}.in: use new facility
* src/mcron/scripts/{cron,crontab,mcron}.scm: remove old option-scanning code
| Dale Mellor | 2022-07-07 | 6 | -206/+215 |
* | vixie-time: Remove calls to 'pk' debugging facility...* src/mcron/vixie-time.scm (parse-vixie-time): Remove pk usage
| Mathieu Lirzin | 2022-07-07 | 1 | -2/+2 |
* | Lose hope of running against guile 2.2 or earlier....We have previously allowed versions 2.0 and 2.2 to get past the configure
stage, but all versions of guile before 3.0 have in fact failed to compile the
code due to syntax errors for some time now.
* build-aux/guix.scm: package depends on guile@3
* configure.ac: only look for guile version 3
* src/mcron/base.scm: drop allowance for old-fashioned (version 2.0) select
| Dale Mellor | 2022-07-07 | 1 | -26/+12 |
* | Give mcron --log option to turn logging on....This makes the behaviour backwards compatible with all previous uses of mcron.
* src/mcron/base.scm: establish %do-logging parameter and act on it
* src/mcron/scripts/mcron.scm: set %do-logging according to command line
* tests/base.scm: some tests require %do-logging to be set
| Dale Mellor | 2022-07-07 | 2 | -6/+20 |
* | base: Annotate output with job information....Before this change, it was difficult to discern which job emitted which
output, as there was no information connecting the job to the output it
produced. This change rectifies that by annotating each line output by
cron/mcron with a prefix that contains a timestamp and the job name. It also
reports about when the job runs and whether it completed successfully or
failed. It was initially suggested here: <https://issues.guix.gnu.org/36510>.
Thanks to the fine people from the #guile libera.chat IRC channel for
providing ideas and help; this change would not have been possible without
them!
* src/mcron/base.scm (install-suspendable-ports!): Install suspendable ports.
(%date-format, %log-format): New parameters.
(validate-date-format, validate-log-format): New procedures.
(<job-data>): New record.
(run-job): Update doc. Redirect stdout and stderr to a pipe. Return a
<job-data> instance containing the input port and other information about the
job. Output job status messages.
(process-output): New procedure.
(child-cleanup): Add docstring. Use positive logic. Call 'process-output'
one last time after a child process is collected.
(run-job-loop): Add a CHILDREN-DATA variable to the loop. Provide the open
file descriptors of the children ports to select*, and collect their output
when they trigger select.
* tests/base.scm ("run-job: basic"): Adjust and fix indentation.
(dummy-job/capture-output): New procedure.
("run-job, output"): New test.
("validate-date-format, valid", "validate-date-format, invalid")
("validate-log-format, valid", "validate-log-format, invalid")
("run-job, output with custom format", "run-job, failure")
("run-job, failure in shell action"): New tests.
* src/mcron/scripts/cron.scm (show-help): Document new options.
(%options) [log-format, date-format]: New options.
(main): Parameterize the main loop with the new parameter options (or their
default values when not provided); move exception handling elsewhere (see
below).
* src/mcron/scripts/mcron.scm: Likewise.
* src/cron.in: Install error handler here.
* src/mcron.in: Likewise.
* doc/mcron.texi: Document new cron and mcron options, as well as new
(mcron base) APIs.
* tests/basic.sh: Test the new options.
Suggested-by: Robert Vollmert <rob@vllmrt.net>
| Maxim Cournoyer | 2022-07-07 | 5 | -106/+327 |
* | Revert "Minor cosmetic simplification of case logic after previous patch."...This reverts commit 99a26e5de6d132056999074ce4f4f2cf24ec8c2f.
| Dale Mellor | 2022-01-10 | 1 | -25/+25 |
* | Minor cosmetic simplification of case logic after previous patch.... * src/mcron/base.scm: change around some /cond/s and /if/s.
| Dale Mellor | 2021-12-30 | 1 | -25/+25 |
* | base: Handle nonexistent user home directories....This is useful for running jobs as the "nobody" user, for example.
* src/mcron/base.scm (run-job): Catch the ENOENT (2, "No such file or
directory") error when attempting to change directory to the user home
directory.
| Maxim Cournoyer | 2021-12-30 | 1 | -1/+11 |
* | Clarify an error message...* src/mcron/scripts/mcron.scm: modified string literal
| Ahmed Khanzada | 2021-12-29 | 1 | -1/+2 |
* | small change to reflect GNU Mcron not just mcron | atsb | 2021-04-07 | 1 | -1/+1 |
* | Fix "mcron --help" to show --stdin does *not* apply to files.... * src/mcron/scripts/mcron.scm: modified string literal
| Dale Mellor | 2021-02-01 | 1 | -2/+2 |
* | scripts: Separate build/install directory context...This prevents installed modules to interfere with the ones from the
build directory.
* src/cron.in: Augment Guile load paths with install directories only
when MCRON_UNINSTALLED environment variable is not set.
* src/crontab.in: Likewise.
* src/mcron.in: Likewise.
| Mathieu Lirzin | 2020-05-17 | 3 | -8/+14 |
* | project: banish need for C compiler...This patch gets rid of the thin veneer that we currently have around the three
executables. This was done for historical reasons (circa 2003 Guile couldnʼt
deal with process signals and forks). In fact these problems were fixed many
moons ago, and there is now no need for it. The project becomes 100% Guile!
Many files are affected; interested coders should use the GIT repository to
understand the details of all the changes.
| Dale Mellor | 2020-04-20 | 13 | -425/+180 |
* | mcron: Look for local files in local directory....Previously were looking for files listed on the command line in
Guile's modules directory. This is a bug-fix; running
'make check' will reveal one less failure than before.
* src/mcron/scripts/mcron.scm (process-user-file): use read and eval
instead of load.
| Dale Mellor | 2020-04-20 | 1 | -2/+5 |
* | utils: It's 2020!...* src/mcron/utils.scm (show-version): Update copyright year.
| Ludovic Courtès | 2020-02-27 | 1 | -1/+1 |
* | base: Avoid 'call-with-current-continuation'....'call-with-current-continuation' is overkill and not quite what we
want. 'let/ec' is supported in Guile 2.0, 2.2, and 3.0.
* src/mcron/base.scm (run-job-loop): Use 'let/ec' instead of
'call-with-current-continuation'.
| Ludovic Courtès | 2020-02-27 | 1 | -22/+22 |
* | base: Call 'child-cleanup' when 'select' returns an empty set....Previously, on Guile >= 2.2, we'd lose this opportunity to call
'child-cleanup', possibly leaving zombies behind us.
* src/mcron/base.scm (run-job-loop): Define 'select*'. Don't expect
'select*' to throw upon EINTR or EAGAIN.
| Ludovic Courtès | 2020-02-27 | 1 | -14/+26 |
* | Add missing #include directives....<libguile.h> in Guile 2.x used to include these, but this is no longer
the case with 3.0.
* src/cron.c, src/mcron.h: Include <string.h>.
* src/utils.c: Include <stdio.h>.
| Ludovic Courtès | 2020-02-27 | 3 | -0/+3 |
* | build: Add '--with-sendmail' configure option...This allows users to configure the Mail Transfert Agent (MTA) of their
choice.
* configure.ac: Add '--with-sendmail' option.
(SENDMAIL): Default to 'sendmail -t'.
* NEWS: Announce it.
* src/mcron/redirect.scm (with-mail-out): Assume the MTA is reading the
message for recipients.
* build-aux/guix.scm: Remove 'which' from the native-inputs.
| 宋文武 | 2018-10-07 | 1 | -4/+4 |
* | vixie-time: Refactor 'parse-vixie-time'...* src/mcron/vixie-time.scm (parse-vixie-time): Use 'match' to avoid
complex 'car' and 'cdr' usage.
| Mathieu Lirzin | 2018-04-08 | 1 | -68/+63 |
* | vixie-time: Refactor 'interpolate-weekdays'...* src/mcron/vixie-time.scm (interpolate-weekdays): Avoid mutation and
add 'range-wday' inner procedure.
| Mathieu Lirzin | 2018-04-08 | 1 | -18/+11 |
* | vixie-time: Adapt to '%find-best-next' possible infinite result...This is a follow up to commit ae6deb8ea23570c02a7b575a53bba37048aab59f.
* src/mcron/vixie-time.scm (increment-time-component): Check if
'%find-best-next' returns '+inf.0' not 9999.
| Mathieu Lirzin | 2018-04-01 | 1 | -10/+13 |
* | utils: Remove 'parse-args'...It seems that it is not useful to catch 'misc-error exception when
calling 'getopt-long'. Since 'parse-args' purpose was only to catch
this particular error, it can be deleted.
* src/mcron/utils.scm (parse-args): Remove.
| Mathieu Lirzin | 2018-03-27 | 3 | -13/+5 |
* | job-specifier: Box 'configuration-user' global variable...* src/mcron/job-specifier.scm (configuration-user): Box it using
SRFI-111 to be explicit about the mutability of this object.
(job): Adapt.
(set-configuration-user): Adapt and use 'get-user'.
* tests/job-specifier.scm ("set-configuration-user: passwd entry")
("set-configuration-user: invalid uid", "set-configuration-user: uid")
("set-configuration-user: invalid spec")
("set-configuration-user: name"): New tests.
| Mathieu Lirzin | 2018-03-27 | 1 | -6/+4 |
* | job-specifier: Fix typo "implement" => "implementation"...* src/mcron/job-specifier.scm (%find-best-next): Fix typo.
| Mathieu Lirzin | 2018-03-27 | 1 | -1/+2 |
* | job-specifier: Adapt 'bump-time' to 'next-...-from' procedures...This is a follow-up to commit 913e3c65e4f56476e8ac69f4892cf92c125751ec.
Since 'next-...-from' procedures now uses an '#:optional' argument
instead of a dotted optional arguments list, 'bump-time' doesn't need to
unwrap VALUE-LIST anymore.
* src/mcron/job-specifier.scm (bump-time): Pass VALUE-LIST directly to
'%find-best-next'.
* tests/job-specifier.scm ("next-hour-from"): New test.
* NEWS: Update.
Reported-by: Ludovic Courtès <ludo@gnu.org>
| Mathieu Lirzin | 2018-03-26 | 1 | -15/+9 |
* | job-specifier: Preserve '%find-best-next' arguments exactness...The behavior of the 'min' procedure which converts its parameters to
inexact numbers when at least one of them is inexact was causing
'%find-best-next' to always return real numbers.
* src/mcron/job-specifier.scm (%find-best-next): Preserve the exactness
of numbers in NEXT-LIST.
* tests/job-specifier.scm ("%find-best-next: exact"): New test.
Reported-by: Ludovic Courtès <ludo@gnu.org>
| Mathieu Lirzin | 2018-03-26 | 1 | -2/+6 |
* | utils: It's 2018!...* src/mcron/utils.scm (show-version): Update copyright.
| Mathieu Lirzin | 2018-03-25 | 1 | -1/+1 |
* | environment: Refactor configuration environment handling...* src/mcron/environment.scm (current-environment-mods): Rename to ...
(%current-environment-mods): ... this. Box it using SRFI-111 to be
explicit about the mutability of this object.
(get-current-environment-mods-copy, clear-environment-mods)
(append-environment-mods): New '#:ENVIRON' argument.
| Mathieu Lirzin | 2018-03-24 | 1 | -35/+38 |
* | base: Box 'number-children'...* src/mcron/base.scm (number-children): Box it using SRFI-111 to be
explicit about the mutability of this object.
(update-number-children!): New procedure.
(run-job, child-cleanup): Use it.
* tests/base.scm ("update-number-children!: 1+")
("number-children: init", "update-number-children!: 1-"): New tests.
| Mathieu Lirzin | 2018-03-24 | 1 | -6/+15 |
* | base: Rewrite 'child-cleanup'...* src/mcron/base.scm (child-cleanup): Use recursion instead of 'do'.
| Mathieu Lirzin | 2018-03-24 | 1 | -6/+6 |
* | utils: Add 'get-user'...* src/mcron/utils.scm (get-user): New procedure.
* src/mcron/job-specifier.scm (job): Use it.
* src/mcron/base.scm (remove-user-jobs): Likewise.
| Mathieu Lirzin | 2018-03-24 | 3 | -8/+17 |
* | base: Rewrite 'find-next-jobs' docstring....* src/mcron/base.scm (find-next-jobs): Don't explain the detail of
implementation in the docstring.
| Mathieu Lirzin | 2018-03-24 | 1 | -15/+4 |
* | base: Add '<schedule>' record data type...Reifying the notion of a schedule helps reasoning about the code.
Passing a schedule as an argument to related procedures allows writing
simpler unit tests.
* src/mcron/base.scm(<schedule>): New record data type.
(make-schedule, schedule-user, set-schedule-user!)
(schedule-system, set-schedule-system!)
(schedule-current, set-schedule-current!): New procedures.
(system-job-list, user-job-list, configuration-source): Replace those
global variables with ...
(%global-schedule): ... this global <schedule> instance.
* src/mcron/base.scm (use-system-job-list, use-user-job-list)
(remove-user-jobs, clear-system-jobs, add-job, find-next-jobs)
(display-schedule, run-job-loop): Add '#:SCHEDULE' keyword argument.
* doc/mcron.texi (The base module): Update documentation.
| Mathieu Lirzin | 2018-03-24 | 1 | -66/+77 |
* | job-specifier: Use 'simple-format'...* src/mcron/job-specifier.scm (job): Use 'simple-format' instead of
'with-output-to-string'.
| Mathieu Lirzin | 2018-03-23 | 1 | -4/+3 |
* | utils: Use 'scandir' instead of custom 'for-each-file'...* src/mcron/utils.scm (for-each-file): Delete.
* src/mcron/scripts/cron.scm (process-files-in-system-directory): Use
'scandir' which has the benefit of being deterministic.
* src/mcron/scripts/mcron.scm (process-files-in-user-directory):
Likewise.
* tests/schedule.sh: Update expected output which is now more reliable.
* NEWS: Update.
Suggested-by: Ludovic Courtès <ludo@gnu.org>
| Mathieu Lirzin | 2018-03-20 | 3 | -23/+11 |
* | tests: Add 'schedule.sh'...* tests/schedule.sh: New test.
* Makefile.am (TESTS): Add it.
* src/mcron/job-specifier.scm (configuration-time): Use
SOURCE_DATE_EPOCH for reproducible tests.
| Mathieu Lirzin | 2018-03-16 | 1 | -1/+4 |
* | base: Add 'display-schedule' procedure...This procedure is a more generic and less coupled version of
'get-schedule' which has been kept for backward compatibility and
deprecated.
* src/mcron/base.scm (display-schedule): New procedure.
(get-schedule): Move to ...
* src/mcron/core.scm: ... here.
* src/mcron/scripts/cron.scm (main): Use 'display-schedule'.
* src/mcron/scripts/mcron.scm (main): Likewise.
* doc/mcron.texi (The base module): Document it.
| Mathieu Lirzin | 2018-03-16 | 4 | -30/+27 |
* | crontab: Extract procedures from 'main'...* src/mcron/scripts/crontab.scm (in-access-file?)
(hit-server): New procedures.
| Mathieu Lirzin | 2018-03-16 | 1 | -35/+34 |
* | utils: Add 'assq_symbol_set_x' function...* src/utils.c (assq_symbol_set_x): New function.
* src/mcron.c (parse_opt): Use it.
| Mathieu Lirzin | 2017-09-28 | 5 | -16/+18 |