This change also puts back the search specifically for guile version 3.
Note that, if guild is not imminently available (usually part of guile-devel
package) then make will abort with an ugly and very non-descriptive error
message.
* configure.ac
I don't believe that anyone should be running system-wide cron processes these
days (the attack surface is rather large), but should use separate per-user or
per-service mcron daemon processes. But mcron is advertised as a drop-in
Vixie replacement, so we should do what we can to make it safe in this use
case.
I've performed a basic vetting of the changes against vandalism, but haven't
verified the correctness of the code or done any checking; the changes are
being accepted on the basis that almost anything is an improvement on what
currently exists.
The wrapper has two purposes:
1. Not being a script, thereby eliminating the issues with setuid scripts.
2. Purging the environment. crontab-access-real has no need for any
environment variables to do its work, so to prevent tampering with dynamic
linker, libc, or guile, we may as well just unset them all.
This wrapper does introduce a requirement for a C compiler. Ideally it would
be conditional based on whether the wrapper is even going to be built, but
autoconf doesn't like that one bit. Someone with more experience with
autotools should sort that out. In the meantime I guess anyone wanting to
build without a C compiler being present is going to have to edit configure.ac
and re-run bootstrap.
* src/crontab-access.in: renamed to src/crontab-access-real.in
* src/crontab-access.c.in: new file, wrapper for crontab-access-real.
* Makefile.am: inform about crontab-access.c.in and name change to
crontab-access-real. Put crontab-access-real in libexecdir.
If a user did somehow manage to install this crontab as functioning
setuid-root in its current state (despite linux ignoring the setuid bit when
executing scripts), it would be a very bad thing for them. It currently has
several glaring security holes. In approximate order from most to least
severe:
1. It blindly calls system() with the user-supplied value of VISUAL or
EDITOR, without dropping privileges. I can't fathom what the author was
thinking, considering (mcron scripts crontab) is littered with comments and
evidence that this is supposed to be a setuid-root program. An attacker
could simply run
EDITOR='sh #' crontab -e
and get a root shell. If you try this, you may find that it coincidentally
doesn't work because bash in particular always drops privileges on startup
if it detects differing real and effective ids. I don't know whether other
shells do this, but it actually doesn't matter as long as you're using
glibc, because its system() consults PATH looking for sh. One false entry
in there and an attacker is running arbitrary code as root. And crontab
doesn't do any sanitizing of *any* environment variables.
2. No attempt is made to sanitize any environment variables. Also, depending
on Guile's startup behavior, trying to sanitize them in guile may be too
late. A wrapper is needed, which would be needed anyway in order to use a
setuid script.
3. No attempt is made to ensure that the temporary file being edited is
newly-created, so an attacker could guess or deduce the filename to be
used, create it in advance, keep it open while crontab opens it, and
overwrite it right before it is copied, allowing them to execute arbitrary
code as any user that dared edit their crontab, including root.
4. Its replace mode accepts a filename. It does no validation whatsoever on
this, opens it, and copies it to the user's crontab as long as it's valid
vixie cron syntax. So for example,
crontab /var/cron/tabs/root && crontab --list
will let you freely read root's (and in a similar manner any other user's)
crontab. Vixie cron includes comments in its valid syntax, so any file that
consists entirely of comments can also be dumped. Also, any file for which
opening it and reading from it has side-effects can have those side-effects
triggered even if it isn't valid vixie cron syntax.
5. Crontabs created in /tmp for editing, as well as crontabs created in
/var/cron/tabs, are world-readable with typical inherited umask.
(1) and (4) are resolved by splitting crontab into two programs: crontab,
which is no longer setuid, and crontab-access, which is. The setuid program no
longer opens any files except for the user's crontab and the allow/deny files,
and it runs no external programs whatsoever. Crontab is run as the invoking
user, so the usual kernel-level permissions checks regarding which files can
be opened for reading apply. The editor is run from crontab, as the invoking
user, so sanitizing of the environment in the setuid helper has no effect on
the editor's environment.
(2) to be resolved shortly with a wrapper program.
(3) is resolved by using mkstemp. The inability to control the mode it is
created with, along with (5), are resolved by setting the umask properly.
* src/mcron/scripts/crontab-access.scm: new module.
* src/mcron/scripts/crontab.scm: move list, delete, and replace
implementation to crontab-access.
* src/crontab-access.in: new file to invoke main of crontab-access.
* Makefile.am: inform of crontab-access.in and crontab-access.scm.
Setuid scripts are disabled on most systems anyway. Also cron refuses to run
if the real user id isn't 0, so there's no point in it being setuid
anyway. Also also, no attempt at controlling the environment has been made, so
even if the symlink race conditions that make setuid scripts vulnerable were
resolved, it would still be unsafe.
I suspect nobody has used the legacy cron mode in a long time, possibly
ever. If you look at the changes I've made, you'll probably see why I suspect
this. I happen to have tried to use it so that one of my users could use the
format he was familiar with, and ended up making a lot of necessary fixes -
some just to make it work, but many to achieve the most basic of security
requirements.
If anyone has mcron's crontab script installed setuid-root and is on a system
that respects the setuid bit of scripts, or has manually created a setuid
wrapper around the crontab script, they should apply these patches
ASAP.
ulfvonbelow (5):
cron: use signal numbers instead of symbols.
Makefile.am: don't install cron as setuid.
config.scm.in: rename to config.scm.in.in, substitute from Makefile.
crontab: split into crontab and setuid helper crontab-access.
crontab-access: replace with wrapper, rename to crontab-access-real.
Makefile.am | 53 +++-
configure.ac | 10 +-
src/crontab-access-real.in | 45 ++++
src/crontab-access.c.in | 10 +
src/mcron/{config.scm.in => config.scm.in.in} | 1 +
src/mcron/scripts/cron.scm | 2 +-
src/mcron/scripts/crontab-access.scm | 121 +++++++++
src/mcron/scripts/crontab.scm | 255 ++++++++----------
8 files changed, 338 insertions(+), 159 deletions(-)
create mode 100644 src/crontab-access-real.in
create mode 100644 src/crontab-access.c.in
rename src/mcron/{config.scm.in => config.scm.in.in} (97%)
create mode 100644 src/mcron/scripts/crontab-access.scm
--
2.38.1
It has been decided not to implement the (next-week) procedure in the program,
so we need to remove the references to it in the manual.
The reason for the omission is discussed in a new extended example section,
and code is provided to illustrate how the functionality can be implemented if
needed.
The change also makes some alteration to the flow of sections in the document,
and implicitly fixes some problems in the flow that the previous document had,
with regards to linking the GNU Free Documentation License in the document
structure.
* doc/mcron.texi: modifications as described.
Since the elimination of the C wrapping around mcron and all the
executable scripts, a weakness in Guile's (ice-9 getopt-long) module
means that the command 'mcron -s crontab.scm' does not currently
work. A replacement for the getopt-long module, as well as a
higher-level 'command-line-processor' facility, have been pushed to
the Guile upstream developers and are awaiting approval and
incorporation. In the meantime, those modules are temporarily
incorporated here into the mcron package, and the code is modified
to use those local versions.
* Makefile.am: install two new Guile modules
* src/{cron,crontab,mcron}.in: use local command-line-processor module
* src/mcron/command-line-processor.scm: new module
* src/mcron/getopt-long.scm: new module
* tests/schedule{,-2}.sh: clarify tests of -s, --schedule options
This is a pre-emptive delta which will make use of new facilities
in a future Guile for command-line option processing---a fuller
description will appear with later patches.
* src/{cron,crontab,mcron}.in: use new facility
* src/mcron/scripts/{cron,crontab,mcron}.scm: remove old option-scanning code
We have previously allowed versions 2.0 and 2.2 to get past the configure
stage, but all versions of guile before 3.0 have in fact failed to compile the
code due to syntax errors for some time now.
* build-aux/guix.scm: package depends on guile@3
* configure.ac: only look for guile version 3
* src/mcron/base.scm: drop allowance for old-fashioned (version 2.0) select
This makes the behaviour backwards compatible with all previous uses of mcron.
* src/mcron/base.scm: establish %do-logging parameter and act on it
* src/mcron/scripts/mcron.scm: set %do-logging according to command line
* tests/base.scm: some tests require %do-logging to be set
Before this change, it was difficult to discern which job emitted which
output, as there was no information connecting the job to the output it
produced. This change rectifies that by annotating each line output by
cron/mcron with a prefix that contains a timestamp and the job name. It also
reports about when the job runs and whether it completed successfully or
failed. It was initially suggested here: <https://issues.guix.gnu.org/36510>.
Thanks to the fine people from the #guile libera.chat IRC channel for
providing ideas and help; this change would not have been possible without
them!
* src/mcron/base.scm (install-suspendable-ports!): Install suspendable ports.
(%date-format, %log-format): New parameters.
(validate-date-format, validate-log-format): New procedures.
(<job-data>): New record.
(run-job): Update doc. Redirect stdout and stderr to a pipe. Return a
<job-data> instance containing the input port and other information about the
job. Output job status messages.
(process-output): New procedure.
(child-cleanup): Add docstring. Use positive logic. Call 'process-output'
one last time after a child process is collected.
(run-job-loop): Add a CHILDREN-DATA variable to the loop. Provide the open
file descriptors of the children ports to select*, and collect their output
when they trigger select.
* tests/base.scm ("run-job: basic"): Adjust and fix indentation.
(dummy-job/capture-output): New procedure.
("run-job, output"): New test.
("validate-date-format, valid", "validate-date-format, invalid")
("validate-log-format, valid", "validate-log-format, invalid")
("run-job, output with custom format", "run-job, failure")
("run-job, failure in shell action"): New tests.
* src/mcron/scripts/cron.scm (show-help): Document new options.
(%options) [log-format, date-format]: New options.
(main): Parameterize the main loop with the new parameter options (or their
default values when not provided); move exception handling elsewhere (see
below).
* src/mcron/scripts/mcron.scm: Likewise.
* src/cron.in: Install error handler here.
* src/mcron.in: Likewise.
* doc/mcron.texi: Document new cron and mcron options, as well as new
(mcron base) APIs.
* tests/basic.sh: Test the new options.
Suggested-by: Robert Vollmert <rob@vllmrt.net>
Paul has been in touch to say that the crontab format was not his invention,
and that his program was based off of V7's cron's functionality, not later
AT&T and Berkeley ones.
Thus the mcron manual is edited extensively to emphasise more the POSIX
standard crontab format, and to point out a more accurate history of cron
developments.
* doc/mcron.texi: small changes throughout the document.
This is useful for running jobs as the "nobody" user, for example.
* src/mcron/base.scm (run-job): Catch the ENOENT (2, "No such file or
directory") error when attempting to change directory to the user home
directory.
The second example under the manual heading Simple Examples does not work.
The call to next-minute-from errs because the second argument must be a
list. It can’t be the raw number 15.
Thanks to Colton Lewis.
* doc/mcron.texi: edited text.
This ensures that the absence of 'pkg-config' or 'guile' M4 macros
expansion do not pass the bootstrap step.
* configure.ac: Allow or forbid some M4 macros patterns in the generated
'configure' script.
This prevents installed modules to interfere with the ones from the
build directory.
* src/cron.in: Augment Guile load paths with install directories only
when MCRON_UNINSTALLED environment variable is not set.
* src/crontab.in: Likewise.
* src/mcron.in: Likewise.
This patch gets rid of the thin veneer that we currently have around the three
executables. This was done for historical reasons (circa 2003 Guile couldnʼt
deal with process signals and forks). In fact these problems were fixed many
moons ago, and there is now no need for it. The project becomes 100% Guile!
Many files are affected; interested coders should use the GIT repository to
understand the details of all the changes.
The option is supposed to be able to take an optional argument, but if the
argument is not supplied (should default to 8) then the test, rather than
failing, is skipped with a friendly message in the log file. The proper fix
will come with an upstream patch to GNU Guile, and a future version of Mcron.
* tests/schedule-2.sh: new test, new file
* Makefile.am: make sure to run the new test file
Previously were looking for files listed on the command line in
Guile's modules directory. This is a bug-fix; running
'make check' will reveal one less failure than before.
* src/mcron/scripts/mcron.scm (process-user-file): use read and eval
instead of load.
The mcron program goes looking for files specified on the command
line in Guile's module path, inevitably resulting in failure to load
said file. Running 'make check' will show at least one failure.
* tests/basic.sh: Added new test.
Some of the date tests depend both on the particular time of day and year at
which the test is run, and also on the state of daylight-savings adjustments.
(At the present time on my system there are four failing tests, but YMMV.)
This patch puts all the tests to UTC time in the C locale, making the results
consistent. *All* items in the test suite should be passing once again.
* tests/job-schedule.scm: Fix up the environment before running the tests.
