The wrapper has two purposes:
1. Not being a script, thereby eliminating the issues with setuid scripts.
2. Purging the environment. crontab-access-real has no need for any
environment variables to do its work, so to prevent tampering with dynamic
linker, libc, or guile, we may as well just unset them all.
This wrapper does introduce a requirement for a C compiler. Ideally it would
be conditional based on whether the wrapper is even going to be built, but
autoconf doesn't like that one bit. Someone with more experience with
autotools should sort that out. In the meantime I guess anyone wanting to
build without a C compiler being present is going to have to edit configure.ac
and re-run bootstrap.
* src/crontab-access.in: renamed to src/crontab-access-real.in
* src/crontab-access.c.in: new file, wrapper for crontab-access-real.
* Makefile.am: inform about crontab-access.c.in and name change to
crontab-access-real. Put crontab-access-real in libexecdir.
If a user did somehow manage to install this crontab as functioning
setuid-root in its current state (despite linux ignoring the setuid bit when
executing scripts), it would be a very bad thing for them. It currently has
several glaring security holes. In approximate order from most to least
severe:
1. It blindly calls system() with the user-supplied value of VISUAL or
EDITOR, without dropping privileges. I can't fathom what the author was
thinking, considering (mcron scripts crontab) is littered with comments and
evidence that this is supposed to be a setuid-root program. An attacker
could simply run
EDITOR='sh #' crontab -e
and get a root shell. If you try this, you may find that it coincidentally
doesn't work because bash in particular always drops privileges on startup
if it detects differing real and effective ids. I don't know whether other
shells do this, but it actually doesn't matter as long as you're using
glibc, because its system() consults PATH looking for sh. One false entry
in there and an attacker is running arbitrary code as root. And crontab
doesn't do any sanitizing of *any* environment variables.
2. No attempt is made to sanitize any environment variables. Also, depending
on Guile's startup behavior, trying to sanitize them in guile may be too
late. A wrapper is needed, which would be needed anyway in order to use a
setuid script.
3. No attempt is made to ensure that the temporary file being edited is
newly-created, so an attacker could guess or deduce the filename to be
used, create it in advance, keep it open while crontab opens it, and
overwrite it right before it is copied, allowing them to execute arbitrary
code as any user that dared edit their crontab, including root.
4. Its replace mode accepts a filename. It does no validation whatsoever on
this, opens it, and copies it to the user's crontab as long as it's valid
vixie cron syntax. So for example,
crontab /var/cron/tabs/root && crontab --list
will let you freely read root's (and in a similar manner any other user's)
crontab. Vixie cron includes comments in its valid syntax, so any file that
consists entirely of comments can also be dumped. Also, any file for which
opening it and reading from it has side-effects can have those side-effects
triggered even if it isn't valid vixie cron syntax.
5. Crontabs created in /tmp for editing, as well as crontabs created in
/var/cron/tabs, are world-readable with typical inherited umask.
(1) and (4) are resolved by splitting crontab into two programs: crontab,
which is no longer setuid, and crontab-access, which is. The setuid program no
longer opens any files except for the user's crontab and the allow/deny files,
and it runs no external programs whatsoever. Crontab is run as the invoking
user, so the usual kernel-level permissions checks regarding which files can
be opened for reading apply. The editor is run from crontab, as the invoking
user, so sanitizing of the environment in the setuid helper has no effect on
the editor's environment.
(2) to be resolved shortly with a wrapper program.
(3) is resolved by using mkstemp. The inability to control the mode it is
created with, along with (5), are resolved by setting the umask properly.
* src/mcron/scripts/crontab-access.scm: new module.
* src/mcron/scripts/crontab.scm: move list, delete, and replace
implementation to crontab-access.
* src/crontab-access.in: new file to invoke main of crontab-access.
* Makefile.am: inform of crontab-access.in and crontab-access.scm.
Setuid scripts are disabled on most systems anyway. Also cron refuses to run
if the real user id isn't 0, so there's no point in it being setuid
anyway. Also also, no attempt at controlling the environment has been made, so
even if the symlink race conditions that make setuid scripts vulnerable were
resolved, it would still be unsafe.
Since the elimination of the C wrapping around mcron and all the
executable scripts, a weakness in Guile's (ice-9 getopt-long) module
means that the command 'mcron -s crontab.scm' does not currently
work. A replacement for the getopt-long module, as well as a
higher-level 'command-line-processor' facility, have been pushed to
the Guile upstream developers and are awaiting approval and
incorporation. In the meantime, those modules are temporarily
incorporated here into the mcron package, and the code is modified
to use those local versions.
* Makefile.am: install two new Guile modules
* src/{cron,crontab,mcron}.in: use local command-line-processor module
* src/mcron/command-line-processor.scm: new module
* src/mcron/getopt-long.scm: new module
* tests/schedule{,-2}.sh: clarify tests of -s, --schedule options
This patch gets rid of the thin veneer that we currently have around the three
executables. This was done for historical reasons (circa 2003 Guile couldnʼt
deal with process signals and forks). In fact these problems were fixed many
moons ago, and there is now no need for it. The project becomes 100% Guile!
Many files are affected; interested coders should use the GIT repository to
understand the details of all the changes.
The option is supposed to be able to take an optional argument, but if the
argument is not supplied (should default to 8) then the test, rather than
failing, is skipped with a friendly message in the log file. The proper fix
will come with an upstream patch to GNU Guile, and a future version of Mcron.
* tests/schedule-2.sh: new test, new file
* Makefile.am: make sure to run the new test file
* configure.ac: Pass 'std-options' to AM_INIT_AUTOMAKE to check that the
"--help" and "--version" options can be passed to installed programs.
* Makefile.am (installcheck-local): New rule which checks the programs
presence and configuration.
This fixes an issue where the installed Guile load paths were set by the
undefined 'moduledir' Make macro.
* Makefile.am (AM_CPPFLAGS): Define PACKAGE_LOAD_PATH with
'guilesitedir' macro and PACKAGE_LOAD_COMPILED_PATH with
'guilesitegodir'.
* NEWS: Update.
Previously only prepending a prefix was handled when installing 'crontab'.
Using the 'transform' Make macro allows the installation process to support
generic transformations as defined by the '--program-suffix' and
'--program-transform-name' configure options.
* configure.ac: Don't substitue '@real_program_prefix@'.
* Makefile.am (fpp): Remove.
(transform_exe): New macro.
[MULTI_USER] (install-exec-hook): Use it when installing 'crontab'.
Before that change, it was possible for 'make' to try linking programs
before 'src/libmcron.a' was built.
* Makefile.am (bin_mcron_DEPENDENCIES, bin_cron_DEPENDENCIES)
(bin_crontab_DEPENDENCIES): Add '$(noinst_LIBRARIES)'.
* tests/schedule.sh: New test.
* Makefile.am (TESTS): Add it.
* src/mcron/job-specifier.scm (configuration-time): Use
SOURCE_DATE_EPOCH for reproducible tests.
* tests/init.sh: New test framework from Gnulib.
* tests/basic.sh: New test.
* Makefile.am (TESTS): Add it.
(TEST_EXTENSIONS): Add '.sh'.
(SH_LOG_COMPILER): Use 'pre-inst-env'.
(EXTRA_DIST): Add 'tests/init.sh'.
* build-aux/pre-inst-env.in: export $srcdir for shell tests.
* configure.ac: Define "--disable-multi-user" option instead of
"--enable-no-vixie-clobber".
* Makefile.am (install-exec-hook) [MULTI_USER]: Only set crontab setuid bit.
(bin_PROGRAMS): Keep only 'mcron' by default.
(bin_PROGRAMS) [MULTI_USER]: Add 'crontab'
(sbin_PROGRAMS) [MULTI_USER]: Add 'cron'.
(noinst_PROGRAMS) [!MULTI_USER]: Add 'cron' and 'crontab'.
(dist_man_MANS): Move 'crontab.1' and 'cron.8' ...
(extra_mans): here. New variable.
(dist_man_MANS) [MULTI_USER]: Add it.
(all-local) [!MULTI_USER]: New target. Depend on it.
(EXTRA_DIST) [!MULTI_USER]: Distribute it.
(MAINTAINERCLEANFILES): Clean it.
* src/wrapper.c (wrap_env_path): New function.
(main): Use it.
(inner_main): Let 'wrap_env_path' set the environment variables.
Don't use 'scm_c_eval_string' when calling 'main' procedure.
* Makefile.am (AM_CPPFLAGS): Define _GNU_SOURCE for 'asprintf'.
* build-aux/git-version-gen: New script.
* configure.ac (AC_INIT): Use it.
(AC_REQUIRE_AUX_FILE): Distribute it.
* Makefile.am (.version): New target.
(BUILT_SOURCES, EXTRA_DIST): Add it.
(dist-hook): Generate ".tarball-version".
* .gitignore: Update.
Previously PACKAGE_LOAD_PATH was set in config header which wasn't correctly
expanded due to the presence of ${prefix} in ${moduledir}. Let 'make' handle
the expansion.
* Makefile.am (AM_CPPFLAGS): New variable.
(cron_CPPFLAGS, crontab_CPPFLAGS, mcron_CPPFLAGS): Use it.
* configure.ac (PACKAGE_LOAD_PATH): Undefine it.
(AC_CONFIG_HEADER): Remove macro.
* src/mcron.c: Adapt to it.
* configure.ac (AM_INIT_AUTOMAKE): Add more warnings.
* Makefile.am (AM_V_GUILEC, AM_V_GUILEC_, AM_V_GUILEC_0): Rename to ...
(guilec_verbose, guilec_verbose_, guilec_verbose_0): ... these. Make them
more portable. This follows an example from Automake manual.
* Makefile.am (dist_man_MANS): Add 'cron' and 'crontab' man page.
Generate man pages in $(srcdir).
(MAINTAINERCLEANFILES, gen_man): New variables.
(AM_V_HELP2MAN, AM_V_HELP2MAN_, AM_V_HELP2MAN_0): Delete unneeded variables.
($(srcdir)/doc/crontab.1, $(srcdir)/doc/cron.8): New targets.
(doc/mcron.1): Rename to ...
($(srcdir)/doc/mcron.1)): ... this.
This improves readability and complies with the GNU Coding Standards by
making the behavior of the programs independent of the name used to
invoke them.
* src/mcron/scripts/cron.scm: New file.
* src/mcron/scripts/crontab.scm: Likewise.
* src/mcron/scripts/mcron.scm: Likewise.
* Makefile.am (dist_mcronmodule_DATA): Remove 'src/mcron/crontab.scm'.
(bin_PROGRAMS): Add 'crontab'.
(sbin_PROGRAMS): Add 'cron'.
(mcron_CFLAGS, mcron_LDADD): Rename to ...
(AM_CFLAGS, LDADD): ... these.
(cron_SOURCES, cron_CPPFLAGS, cron_DEPENDENCIES)
(crontab_SOURCES, crontab_CPPFLAGS, crontab_DEPENDENCIES)
(mcron_CPPFLAGS, mcronscriptdir, dist_mcronscript_DATA): New variables.
(modules): Redefine it in terms of other '_DATA' variables.
* src/mcron/crontab.scm: Remove file.
* src/mcron/main.scm (parse-args): New procedure.
(command-name, command-type, options): Remove.
(show-version): Adapt.
(show-help, process-files-in-system-directory, cron-file-descriptors)
(main, process-user-file, process-files-in-user-directory): Move
procedures in the new files.
* src/mcron.c (inner_main): Define the current module at compile time.
* TODO: Update.
* .gitignore: Likewise.
