by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.
In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.
The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs. E.g., imagine that you
provide a system with payed access, or better a cluster of such
systems with centralized account management via PAM. When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made. Then it'll be
enough to set the expire field in future for the commands to run
again. And so on.
Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.
X-Security: should benefit as users have access to cron(8) by default
as crontab(5) states it can be. This is supported by all vixie-cron derived
implementations; not sure why FreeBSD was any different.
PR: bin/106442
MFC after: 2 weeks
Note, that when cron(8) cannot create pidfile, it'll exit. I didn't
changed this behaviour, but its better to ignore errors other than
EEXIST, so daemon can be started on systems where /var/ file system
doesn't support locking (like NFS without rpc.lockd(8)).
entry having stepping value of zero can cause crontab to hang there,
and if the main crontab is being changed in this way, then cron(8)
will keep spining.
Obtained from: OpenBSD [src/usr.sbin/cron/entry.c,v 1.17]
PR: 68683 (my own, but forgot to commit it...)
MFC After: 1 week
assignment even if it is not quoted (as advertised by the man page).
This fixes a regression wrt RELENG_4 introduced in rev. 1.11.
Problem noted and patch tested by: CHOI Junho <cjh@kr.FreeBSD.org>
Reviewed by: roberto
for any reason other than ENOENT (think resource limits). Close allow and
deny files before allowed() returns to stop the user's EDITOR being able to
read them.
Obtained from: OpenBSD (partially)
line as an environment variable assignment, is broken
and not conformant to its description in the manual page.
I think it is worthwhile to have that fix in 4.6.
PR: bin/38374
Submitted by: Thomas Quinot <thomas@cuivre.fr.eu.org>
MFC after: 2 days
monthly and weekly, respectively. Also fix the @yearly shortcut so
that it doesn't execute daily during January. OpenBSD and NetBSD also
appear to have this bug.
PR: bin/21152
e->cmd. free_entry() now does the right thing with
partially-initialized structures.
load_entry(): Don't call env_free() on e->envp throughout the routine
before jumping to eof; the free_entry() call at that label will take
care of it. The previous behavior resulted in e->envp being free'd
twice (well, the second time would usually result in a crash, but
that's besides the point); once in load_entry(), and once in
free_entry() after the former called the latter. Also note that the
check added to free_entry() (above) doesn't help, since e->envp wasn't
reset to NULL after env_free().
Submitted by: Mark Peek <mark@whistle.com>
allocated memory was instead pointed to a static string. A later
free() on the value of the pointer was a possible source of reported
"warning: pointer to wrong page" messages from cron.
Use consistent types in sizeof when malloc'ing memory for the
environment.
PR: kern/12248, bin/11169, bin/9722
Fix setting of "hour" bitmap when @hourly keyword is specified.
MFC candidate after 4.0-RELEASE.
Problem-found-by: Sheldon Hearn <sheldonh@uunet.co.za>
Use getpwnam before getpwuid since two users with same uids can exists
(affects new login classes code only)
The same fixes as in inetd: by default run `system crontab things' with
daemon login class now, not restrict them to user class breaking
compatibility with old way (so-called nobody limits problem)
Implement user[:group][/login-class] syntax in system crontab
for more flexible control (the same as in inetd)
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
used by OpenBSD. (Quite frankly, I think it's perfectly reasonable to
use snprintf to copy strings, given that the semantics for strncpy()
are utterly idiotic and there is no POSIX sstrncpy().)
While I'm at it, incorporate some of OpenBSD's bugfixes to cron.
NOT for 2.2
