From ec6a023c6634777da138f6237aab98b2f40ed4c2 Mon Sep 17 00:00:00 2001 From: ulfvonbelow Date: Thu, 2 Feb 2023 19:29:50 +0000 Subject: config.scm.in: rename to config.scm.in.in, substitute from Makefile. * src/mcron/config.scm.in: renamed to config.scm.in.in. (config-sbin-dir): new variable. * Makefile.am: substitute in config.scm.in. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 451777d..7ea532f 100644 --- a/configure.ac +++ b/configure.ac @@ -127,5 +127,5 @@ AC_CONFIG_FILES([pre-inst-env:build-aux/pre-inst-env.in], [chmod +x pre-inst-env]) AC_CONFIG_FILES([doc/config.texi Makefile - src/mcron/config.scm]) + src/mcron/config.scm.in]) AC_OUTPUT -- cgit v1.2.3 From 4727c770c2a723d46b4162cff21ab8f0b75c3998 Mon Sep 17 00:00:00 2001 
From: ulfvonbelow Date: Thu, 2 Feb 2023 19:29:52 +0000 Subject: crontab-access: replace with wrapper, rename to crontab-access-real. The wrapper has two purposes: 1. Not being a script, thereby eliminating the issues with setuid scripts. 2. Purging the environment. crontab-access-real has no need for any environment variables to do its work, so to prevent tampering with dynamic linker, libc, or guile, we may as well just unset them all. This wrapper does introduce a requirement for a C compiler. Ideally it would be conditional based on whether the wrapper is even going to be built, but autoconf doesn't like that one bit. Someone with more experience with autotools should sort that out. In the meantime I guess anyone wanting to build without a C compiler being present is going to have to edit configure.ac and re-run bootstrap. * src/crontab-access.in: renamed to src/crontab-access-real.in * src/crontab-access.c.in: new file, wrapper for crontab-access-real. * Makefile.am: inform about crontab-access.c.in and name change to crontab-access-real. Put crontab-access-real in libexecdir. --- Makefile.am | 19 ++++++++++++++++--- configure.ac | 8 ++++++++ src/crontab-access-real.in | 45 +++++++++++++++++++++++++++++++++++++++++++++ src/crontab-access.c.in | 10 ++++++++++ src/crontab-access.in | 45 --------------------------------------------- 5 files changed, 79 insertions(+), 48 deletions(-) create mode 100644 src/crontab-access-real.in create mode 100644 src/crontab-access.c.in delete mode 100644 src/crontab-access.in (limited to 'configure.ac') diff --git a/Makefile.am b/Makefile.am index 4aff2ae..2a87d72 100755 --- a/Makefile.am +++ b/Makefile.am 
@@ -26,11 +26,18 @@ noinst_SCRIPTS = if MULTI_USER bin_SCRIPTS += bin/crontab -sbin_SCRIPTS = bin/cron bin/crontab-access +sbin_SCRIPTS = bin/cron +libexec_SCRIPTS = bin/crontab-access-real +sbin_PROGRAMS = bin/crontab-access else -noinst_SCRIPTS += bin/cron bin/crontab bin/crontab-access +noinst_SCRIPTS += bin/cron bin/crontab bin/crontab-access-real +noinst_PROGRAMS = bin/crontab-access endif +# The dynamic linker should detect that it's being run for a setuid program, +# but we take no chances. +bin_crontab_access_LDFLAGS = -static + # wrapper to be used in the build environment and for running tests. noinst_SCRIPTS += pre-inst-env @@ -81,6 +88,8 @@ compiled_modules = \ CLEANFILES = $(compiled_modules) \ bin/crontab \ bin/crontab-access \ + src/crontab-access.c \ + bin/crontab-access-real \ bin/cron \ bin/mcron DISTCLEANFILES = src/mcron/config.scm @@ -123,6 +132,9 @@ do_subst = sed -e 's,%PREFIX%,${prefix},g' \ src/mcron/config.scm: src/mcron/config.scm.in Makefile $(AM_V_GEN)$(do_subst) $< > $@ +src/crontab-access.c: src/crontab-access.c.in Makefile + $(AM_V_GEN)$(do_subst) $< > $@ + bin/% : src/%.in Makefile $(AM_V_GEN)$(MKDIR_P) bin ; \ $(do_subst) $< > $@ ; \ @@ -163,7 +175,8 @@ EXTRA_DIST = \ HACKING \ src/cron.in \ src/crontab.in \ - src/crontab-access.in \ + src/crontab-access-real.in \ + src/crontab-access.c.in \ src/mcron.in \ tests/init.sh \ $(TESTS) diff --git a/configure.ac b/configure.ac index 7ea532f..b79e3c3 100644 --- a/configure.ac +++ b/configure.ac @@ -65,6 +65,14 @@ AC_ARG_ENABLE([multi-user], [Don't Install legacy cron and crontab programs])], [enable_multi_user="$enableval"], [enable_multi_user="yes"]) + +dnl Not possible to run this conditionally? +AC_PROG_CC +dnl AS_IF([test "x$enable_multi_user" = xyes], +dnl [# Need a C compiler to compile setuid wrapper +dnl AC_PROG_CC] +dnl fi + AM_CONDITIONAL([MULTI_USER], [test "x$enable_multi_user" = xyes]) # Configure the various files that mcron uses at runtime. 
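Review bot: `bin_crontab_access_LDFLAGS = -static` is unconditional, so the build now fails on hosts that ship no static libc, and it also applies to the `noinst_PROGRAMS` build, where presumably nothing is installed setuid. The comment above it would help more if it named what the flag guards against, e.g. `# Link statically so no dynamic-linker code runs with elevated privileges before the wrapper has cleared the environment.` The rule that sets the setuid bit is not visible in this hunk. It should now target the compiled `crontab-access` only, and `crontab-access-real` in libexecdir should be installed without the bit and writable by root only.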
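Review bot: The new `src/crontab-access.c` rule (hunk at -123,6 +132,9) relies on `do_subst` replacing `%libexecdir%`, but no hunk in this commit adds that expression to the sed command. If an earlier commit in the series did not add it, the wrapper is compiled with the literal placeholder as its execve path and fails at run time, so it is worth confirming that `-e 's,%libexecdir%,${libexecdir},g'` is present. The value is pasted inside a C string literal, so a comment such as `# libexecdir ends up inside a C string literal; it must not contain quotes or backslashes.` would record the assumption. The `do_subst` definition starts outside the hunk.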
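Review bot: The commented-out `AS_IF` block in the configure.ac hunk is dead code and is not valid as written: it ends in a shell `fi` and never closes the macro call, so uncommenting it later would break configure. Since the commit message says the conditional form does not work, I would drop the block and keep one explanatory line, e.g. `dnl AC_PROG_CC is called unconditionally; only the setuid wrapper built for multi-user installs needs a C compiler.` That also records for packagers why `--disable-multi-user` builds still require a compiler.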
diff --git a/src/crontab-access-real.in b/src/crontab-access-real.in
new file mode 100644
index 0000000..569d147
--- /dev/null
+++ b/src/crontab-access-real.in
@@ -0,0 +1,45 @@
+#!%GUILE% --no-auto-compile
+-*- scheme -*-
+!#
+
+;;;; crontab -- run jobs at scheduled times
+;;; Copyright © 2003, 2020 Dale Mellor
+;;; Copyright © 2015, 2016, 2018 Mathieu Lirzin
+;;;
+;;; This file is part of GNU Mcron.
+;;;
+;;; GNU Mcron is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; GNU Mcron is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Mcron. If not, see .
+
+
+(unless (getenv "MCRON_UNINSTALLED")
+ (set! %load-path (cons "%modsrcdir%" %load-path))
+ (set! %load-compiled-path (cons "%modbuilddir%" %load-compiled-path)))
+
+(use-modules (mcron scripts crontab)
+ (mcron command-line-processor))
+
+(process-command-line (command-line)
+ application "crontab"
+ version "%VERSION%"
+ usage "[-u user] { -R | -l | -r }"
+ help-preamble "the default operation is to list."
+ option (--user= -u "the user whose files are to be manipulated")
+ option (--replace -R "replace this userʼs crontab via stdin")
+ option (--list -l "list this userʼs crontab")
+ option (--remove -r "delete the userʼs crontab")
+ bug-address "%PACKAGE_BUGREPORT%"
+ copyright "2003, 2016, 2020 Free Software Foundation, Inc."
+ license GPLv3)
+
+((@ (mcron scripts crontab-access) main) --user --replace --list --remove)
diff --git a/src/crontab-access.c.in b/src/crontab-access.c.in
new file mode 100644
index 0000000..652b9cc
--- /dev/null
+++ b/src/crontab-access.c.in
@@ -0,0 +1,10 @@
+#include
+
+int main(int argc, char **argv)
+{
+ char *envp = NULL;
+ execve("%libexecdir%/crontab-access-real",
+ argv, &envp);
+ /* Should not get here! */
+ return 1;
+}
diff --git a/src/crontab-access.in b/src/crontab-access.in
deleted file mode 100644
index 569d147..0000000
--- a/src/crontab-access.in
+++ /dev/null
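Review bot: `argv` is forwarded untouched in `main`, so an empty argument vector (`argc` of 0, `argv[0]` NULL) reaches the privileged interpreter, and when `execve` fails the wrapper exits 1 without saying why. I would reject `argc < 1` up front and call `perror` on the failure path (this needs `<stdio.h>`). Clearing the environment does not reset other inherited process state, such as closed standard descriptors or the umask; whether crontab-access-real copes with that is not visible here. With no variables set the interpreter presumably also starts in the C locale, which may matter for the non-ASCII characters in the help strings.

```c
int main(int argc, char **argv)
{
    /* … unchanged: empty envp declaration … */

    /* An empty argument vector leaves argv[0] NULL; refuse it rather than
       hand it on to the interpreter. */
    if (argc < 1 || argv[0] == NULL)
        return 1;

    execve("%libexecdir%/crontab-access-real", argv, &envp);
    /* execve only returns on failure: report the reason before exiting. */
    perror("%libexecdir%/crontab-access-real");
    return 1;
}
```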
@@ -1,45 +0,0 @@
-#!%GUILE% --no-auto-compile
--*- scheme -*-
-!#
-
-;;;; crontab -- run jobs at scheduled times
-;;; Copyright © 2003, 2020 Dale Mellor
-;;; Copyright © 2015, 2016, 2018 Mathieu Lirzin
-;;;
-;;; This file is part of GNU Mcron.
-;;;
-;;; GNU Mcron is free software: you can redistribute it and/or modify
-;;; it under the terms of the GNU General Public License as published by
-;;; the Free Software Foundation, either version 3 of the License, or
-;;; (at your option) any later version.
-;;;
-;;; GNU Mcron is distributed in the hope that it will be useful,
-;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
-;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-;;; GNU General Public License for more details.
-;;;
-;;; You should have received a copy of the GNU General Public License
-;;; along with GNU Mcron. If not, see .
-
-
-(unless (getenv "MCRON_UNINSTALLED")
- (set! %load-path (cons "%modsrcdir%" %load-path))
- (set! %load-compiled-path (cons "%modbuilddir%" %load-compiled-path)))
-
-(use-modules (mcron scripts crontab)
- (mcron command-line-processor))
-
-(process-command-line (command-line)
- application "crontab"
- version "%VERSION%"
- usage "[-u user] { -R | -l | -r }"
- help-preamble "the default operation is to list."
- option (--user= -u "the user whose files are to be manipulated")
- option (--replace -R "replace this userʼs crontab via stdin")
- option (--list -l "list this userʼs crontab")
- option (--remove -r "delete the userʼs crontab")
- bug-address "%PACKAGE_BUGREPORT%"
- copyright "2003, 2016, 2020 Free Software Foundation, Inc."
- license GPLv3)
-
-((@ (mcron scripts crontab-access) main) --user --replace --list --remove)
-- cgit v1.2.3