Commit Graph

182 Commits

Author SHA1 Message Date
bdrewery
b619f0c747 Revert r267233 for now. PIE support needs to be reworked.
1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other
   build-only utility libraries.
2. Another 40% is fixed by generating _pic.a variants of various libraries.
3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR)
   where it never would work anyhow, such as csu or loader. This suggests
   there may be better ways of adding support to the tree. Many of these
   cases can be fixed such that -fPIE will work but there is really no
   reason to have it in those cases.
4. Some of the uses are working around hacks done to some Makefiles that are
   really building libraries but have been using bsd.prog.mk because the code
   is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have
   been needed.

We likely do want to enable PIE by default (opt-out) for non-tree consumers
(such as ports). For in-tree though we probably want to only enable PIE
(opt-in) for common attack targets such as remote service daemons and setuid
utilities. This is also a great performance compromise since ASLR is expected
to reduce performance. As such it does not make sense to enable it in all
utilities such as ls(1) that have little benefit to having it enabled.

Reported by:	kib
2014-08-19 15:04:32 +00:00
peter
b2635de275 Check gethostname(2) return code - but even if it succeeds it may not
null terminate.

Temporarily use "From: $user@$hostname" rather than "From: $user".
The latter exposes incompatible behavior if using dma(8).  sendmail(8)
(and other alternatives) canonify either form on submission (even
if masquerading), but dma will leak a non-compliant address to
the internet.
2014-08-05 01:32:09 +00:00
bapt
c0cd28f928 use .Mt to mark up email addresses consistently (part2)
PR:		191174
Submitted by:	Franco Fichtner  <franco@lastsummer.de>
2014-06-20 09:57:27 +00:00
bdrewery
989e2c6000 In preparation for ASLR [1] support add WITH_PIE to support building with -fPIE.
This is currently an opt-in build flag. Once ASLR support is ready and stable
it should be changed to opt-out and be enabled by default along with ASLR.

Each application Makefile uses opt-out to ensure that ASLR will be enabled by
default in new directories when the system is compiled with PIE/ASLR. [2]

Mark known build failures as NO_PIE for now.

The only known runtime failure was rtld.

[1] http://www.bsdcan.org/2014/schedule/events/452.en.html
Submitted by:		Shawn Webb <lattera@gmail.com>
Discussed between:	des@ and Shawn Webb [2]
2014-06-08 17:29:31 +00:00
ache
6c067c7c3d Bad timespec_subtract() calculations produce negative tv_nsec on i386,
which causes EINVAL to be returned from nanosleep(), which causes a loop in
cron_sleep(), making all cron jobs start about 30 seconds earlier
(which causes, e.g., logfile rotation by newsyslog to be delayed by 1 hour).

Use simple and proven calculations from kernel's timespecsub() instead.

MFC after:      3 days
2014-01-25 02:16:09 +00:00
sobomax
83b5dc03eb Second attempt to add @every_second keyword support. Due to multiple
requests, default to the previous 60-seconds scheduling method
unless there are any @every_second entries to conserve CPU cycles and
power.

This change also improves scheduling in the default mode by running
as close to the beginning of the minute as possible by replacing
sleep(3) with nanosleep(2). Previously, the tasks would run anywhere
within the first second of the minute and that offset drifted back
and forth each time cron(8) was engaged.

MFC after:	1 month
2012-10-25 22:54:29 +00:00
sobomax
325858cd57 Fully backout latest changes.
Pointy hat to:	sobomax
2012-10-18 06:27:03 +00:00
sobomax
18829e44fc Remove harmless, but superfluous local change that crept in along
with the r241649.
2012-10-17 21:26:35 +00:00
sobomax
53616179d3 Revert latest changes to cron, until better version is worked out (I hope).
Requested by:   few
2012-10-17 20:45:48 +00:00
sobomax
19f11b875b o Use nanosleep(2) to sleep exact amount of time till the next second,
not multiple of 1 second, which results in actual time to drift back
and forth every run within 1 second of the actual action has
been set for.

Suggested by:   Ian Lepore

o Schedule the first run in 1 second after starting up, not on the
boundary of the next minute, which results in the every_second jobs
not being run.
2012-10-17 00:44:34 +00:00
sobomax
7097039d8d Properly handle non-keyword case by setting e->second to 0.
2012-10-16 21:34:02 +00:00
sobomax
4e207a1656 Add per-second scheduling into the cron(8). Right now it's
only available via the new @every_second shortcut. ENOTIME to
implement crontab(5) format extensions to allow more flexible
scheduling.

In order to address some concerns expressed by Terry Lambert
while discussing the topic a few years ago, about per-second cron
possibly causing some bad effects on /etc/crontab by stat()ing
it every second instead of every minute now (i.e. atime update),
only check that database needs to be reloaded on every 60-th
loop run. This should be close enough to the current behaviour.

Add "@every_minute" shortcut while I am here.

MFC after:	1 month
2012-10-15 08:21:49 +00:00
pluknet
6e937acf71 Fix build with LOG_FILE undefined and DEBUGGING disabled.
2012-10-02 09:23:16 +00:00
pluknet
ed9eade0ad Fix build with DEBUGGING disabled.
2012-10-02 09:19:28 +00:00
ed
02dcf28b58 Rework all non-contributed files that use `struct timezone'.
This structure is not part of POSIX. According to POSIX, gettimeofday()
has the following prototype:

	int gettimeofday(struct timeval *restrict tp, void *restrict tzp);

Also, POSIX states that gettimeofday() shall return 0 (as long as tzp is
not used). Remove dead error handling code. Also use NULL for a
nul-pointer instead of integer 0.

While there, change all pieces of code that only use tv_sec to use
time(3), as this provides less overhead.
2012-09-01 14:45:15 +00:00
jhb
49f8db31d3 Add a one second sleep before touching the spool directory. If the touch
occurs in the same second as the earlier operations to create the temporary
file and the cron(8) daemon rescans the spool directory during that
second, then the daemon may miss a cron edit and not properly update its
internal database.

MFC after:	1 month
2012-07-02 20:27:37 +00:00
gjb
f26417e87c As cron(8) is started with '-s' by default, timezones that observe
DST should not need to worry about scheduling jobs when the DST time
changes.

Rather than removing the BUGS section in crontab(5) regarding this,
note that disabling '-s' may still cause jobs to be executed twice or
not at all.

PR:		166318
Submitted by:	Florian k Unglaub (f.unglaub%googlemail!com)
MFC After:	1 week
2012-04-28 22:48:00 +00:00
delphij
2d737c5364 Drop setuid status while doing file operations to prevent potential
information leak.  This changeset is intended to be a minimal one
to make backports easier.

Reviewed by:	kevlo, remko
MFC after:	1 week
2012-02-27 05:49:00 +00:00
scf
8b7604c610 Since April 2, 2006, Indiana has observed DST.
MFC after:	5 days
2012-01-28 21:06:45 +00:00
uqs
415a3a9b96 Spelling fixes for usr.sbin/
2011-12-30 10:58:14 +00:00
wblock
8483c39233 Point out that @reboot runs at every cron startup, not just system
startup.

Discussed on:	hackers@

Approved by:	gjb (mentor)
MFC after:	1 week
2011-11-25 17:41:12 +00:00
brueffer
c50c381ddc List /var/cron/tabs in FILES and add descriptions for the other entries.
PR:		145912
Submitted by:	Julian H. Stacey <jhs@berklix.com>
Obtained from:	OpenBSD
MFC after:	1 week
2010-05-14 01:25:30 +00:00
ed
073cafdd42 The last big commit: let usr.sbin/ use WARNS=6 by default.
2010-01-02 11:07:44 +00:00
attilio
99524169bf Avoid sshd, cron, syslogd and inetd being killed under high-pressure swap
environments.
Please note that this can't be done while such processes run in jails.

Note: in future it would be interesting to find a way to do that
selectively for any desired process (chosen by the user himself), probably
via a ptrace interface or whatever.

Obtained from:	Sandvine Incorporated
Reviewed by:	emaste, arch@
Sponsored by:	Sandvine Incorporated
MFC:		1 month
2009-11-25 15:12:24 +00:00
skv
7457414ec0 Fix typo.
Approved by:	ru
2008-12-01 17:39:34 +00:00
matteo
38559fc6d5 remove a pointless prototype and static-fy the corresponding function
MFC after:	3 days
2008-11-18 01:19:25 +00:00
matteo
f2820241b0 use WARNS?= instead of WARNS=
MFC after:	3 days
2008-11-18 00:59:26 +00:00
matteo
3c521d56fa Be more precise and use sizeof(tn)
Pointed out by: glewis@

MFC after:	3 days
2008-11-18 00:39:50 +00:00
matteo
d4072625e6 Use WARNS?= instead of WARNS=
MFC after:	3 days
2008-11-18 00:12:15 +00:00
matteo
79b0ca8da7 Make usr.sbin/cron/crontab and usr.sbin/cron/lib WARNS=3 clean
Tested with: make universe

MFC after:	3 days
2008-11-10 06:35:30 +00:00
matteo
43e6672f4c Revert to previous revision.
I should not commit anything at 3.50 AM.
In addition to danfe's comments, I got others.
I'll work on a better version of the patch.
2008-11-09 09:01:09 +00:00
matteo
21b9f8808f Don't leave files in /var/cront/tabs when interrupted
PR:		17363
MFC after:	3 days
2008-11-09 07:34:11 +00:00
matteo
d820425919 Be paranoid and use snprintf
PR:		bin/122137
Submitted by:	Steven Kreuzer <skreuzer@exit2shell.com>
MFC after:	3 days
2008-11-09 06:44:53 +00:00
matteo
f1225346f4 Be paranoid and zero out passwd
PR:	122070
Submitted by:	Steven Kreuzer <skreuzer@exit2shell.com>
Reminded by:    gnn@
MFC after:	3 days
2008-11-06 04:53:02 +00:00
marck
fb63e4aaab Fix empty mailto (-m "") handling: somehow I missed all checks but the first,
hence output would be written to the wrong filehandle.

Submitted by:	reg
Approved by:	yar (implicit)
MFC after:	ASAP
Pointy hat to:	marck
2008-08-01 08:01:33 +00:00
marck
d97ee39b60 Add -m option to cron(8), overriding default mail recipient for cron mails,
unless explicitly provided by MAILTO= line in crontab.  This feature can be
useful in a massive hosting environment, where most users do not care about
autogenerated mails.

Setting recipient to null string disables default mails at all.

Approved by:	yar
MFC after:	4 weeks
2008-06-29 16:56:18 +00:00
kevlo
fa3791e1a7 Cleanup of userland __P use
2007-11-07 10:53:41 +00:00
ru
62d48a1604 Fixed static linkage (build with -DNO_SHARED).
Approved by:	re (kensmith)
2007-10-01 18:17:24 +00:00
yar
333d04678d Add PAM support to cron(8). Now cron(8) will skip commands scheduled
by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.

In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.

The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs.  E.g., imagine that you
provide a system with paid access, or better a cluster of such
systems with centralized account management via PAM.  When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made.  Then it'll be
enough to set the expire field in future for the commands to run
again.  And so on.

Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.

X-Security: should benefit as users have access to cron(8) by default
2007-06-17 17:25:53 +00:00
will
03b6c30cc0 Fix a bug where HOME was not allowed to be overridden by a user's crontab
as crontab(5) states it can be.  This is supported by all vixie-cron derived
implementations; not sure why FreeBSD was any different.

PR:		bin/106442
MFC after:	2 weeks
2007-03-08 07:00:42 +00:00
brian
5a857cb91f Behave as documented when reading fields saying "X/Y" where X != *
rather than mis-parsing them as "X".

MFC after: 1 day
2006-09-26 18:06:09 +00:00
ru
27ee15c183 Use a #define to refer to /etc/crontab.
2006-09-03 17:52:19 +00:00
stefanf
372c92d219 Don't use "implicit int". Move the opening { of the functions to the next
line while there.
2006-07-20 09:11:08 +00:00
maxim
2ee476dd47 o Finally learn how to spell "privileges".
English trainer:	ceri
2006-06-11 21:13:49 +00:00
maxim
5ec37c2386 o Spell "privledges" correctly. Re-style comment.
2006-06-11 20:17:18 +00:00
maxim
e66637299e o Better be safe than sorry: check return code from setuid(2),
setgid(2), setlogin(2) and initgroups(3).  In theory they could
fail for root with some third party mac(4) policies.

Submitted by:	Kostik Belousov
MFC after:	1 month
2006-06-01 15:03:06 +00:00
brooks
81ed190221 /etc/crontab is similar enough to parse as correct if you run
"crontab /etc/crontab", but not the same format due to the who field.
Add some limited anti-foot-shooting support and refuse to load
/etc/crontab as someone's crontab.  Users wishing to shoot their foot in
this manner may copy /etc/crontab elsewhere. :)

MFC After:	1 week
2006-01-10 05:56:32 +00:00
pjd
c71407b589 Pidfiles should be created with permission preventing users from opening
them for reading. When a user can open a file for reading, he can also
flock(2) it, which can lead to confusion.

Pointed out by:	green
2005-09-16 11:24:28 +00:00
pjd
45a889ae7c Use pidfile(3) in cron(8).
Note that when cron(8) cannot create the pidfile, it'll exit. I didn't
change this behaviour, but it's better to ignore errors other than
EEXIST, so daemon can be started on systems where /var/ file system
doesn't support locking (like NFS without rpc.lockd(8)).
2005-08-24 17:51:36 +00:00
brueffer
a4887954f7 Mention the default value of PATH and that it may be overridden.
Submitted by:	Roman Divacky
MFC after:	3 days
2005-07-31 13:41:23 +00:00