NetBSD/usr.sbin/cron/crontab.c

698 lines
15 KiB
C

/* $NetBSD: crontab.c,v 1.30 2006/05/24 21:43:43 christos Exp $ */
/* Copyright 1988,1990,1993,1994 by Paul Vixie
* All rights reserved
*
* Distribute freely, except: don't remove my name from the source or
* documentation (don't take credit for my work), mark your changes (don't
* get me blamed for your possible bugs), don't alter or remove this
* notice. May be sold if buildable source is provided to buyer. No
* warrantee of any kind, express or implied, is included with this
* software; use at your own risk, responsibility for damages (if any) to
* anyone resulting from the use of this software rests entirely with the
* user.
*
* Send bug reports, bug fixes, enhancements, requests, flames, etc., and
* I'll try to keep a version up to date. I can be reached as follows:
* Paul Vixie <paul@vix.com> uunet!decwrl!vixie!paul
*/
#include <sys/cdefs.h>
#if !defined(lint) && !defined(LINT)
#if 0
static char rcsid[] = "Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp";
#else
__RCSID("$NetBSD: crontab.c,v 1.30 2006/05/24 21:43:43 christos Exp $");
#endif
#endif
/* crontab - install and manage per-user crontab files
* vix 02may87 [RCS has the rest of the log]
* vix 26jan87 [original]
*/
#define MAXCRONTABSIZE (1024*256) /* max crontab size == 256 KB */
#define MAIN_PROGRAM
#include "cron.h"
#include <errno.h>
#include <fcntl.h>
#include <err.h>
#include <sys/file.h>
#include <sys/stat.h>
#ifdef USE_UTIMES
# include <sys/time.h>
#else
# include <utime.h>
#endif
#if defined(POSIX)
# include <locale.h>
#endif
#include <time.h>
#include <signal.h>
#define NHEADER_LINES 3
enum opt_t { opt_unknown, opt_list, opt_delete, opt_edit, opt_replace };
#if DEBUGGING
static char *Options[] = { "???", "list", "delete", "edit", "replace" };
#endif
static PID_T Pid;
static char User[MAX_UNAME], RealUser[MAX_UNAME];
static char Filename[MAX_FNAME];
static FILE *NewCrontab;
static int CheckErrorCount;
static enum opt_t Option;
static struct passwd *pw;
static void list_cmd(void),
delete_cmd(void),
edit_cmd(void),
poke_daemon(void),
check_error(const char *),
parse_args(int c, char *v[]),
skip_header(int *, FILE *),
usage(char *);
static int replace_cmd(void);
static void
usage(char *msg)
{
fprintf(stderr, "%s: usage error: %s\n", getprogname(), msg);
fprintf(stderr, "usage:\t%s [-u user] file\n", getprogname());
fprintf(stderr, "\t%s [-u user] [ -e | -l | -r ]\n", getprogname());
fprintf(stderr, "\t\t(default operation is replace, per 1003.2)\n");
fprintf(stderr, "\t-e\t(edit user's crontab)\n");
fprintf(stderr, "\t-l\t(list user's crontab)\n");
fprintf(stderr, "\t-r\t(delete user's crontab)\n");
exit(ERROR_EXIT);
}
int
main(int argc, char **argv)
{
int exitstatus;
setprogname(argv[0]);
Pid = getpid();
#if defined(POSIX)
setlocale(LC_ALL, "");
#endif
#if defined(BSD)
setlinebuf(stderr);
#endif
parse_args(argc, argv); /* sets many globals, opens a file */
set_cron_uid();
set_cron_cwd();
if (!allowed(User)) {
fprintf(stderr,
"You (%s) are not allowed to use this program (%s)\n",
User, getprogname());
fprintf(stderr, "See crontab(1) for more information\n");
log_it(RealUser, Pid, "AUTH", "crontab command not allowed");
exit(ERROR_EXIT);
}
exitstatus = OK_EXIT;
switch (Option) {
case opt_list: list_cmd();
break;
case opt_delete: delete_cmd();
break;
case opt_edit: edit_cmd();
break;
case opt_replace: if (replace_cmd() < 0)
exitstatus = ERROR_EXIT;
break;
case opt_unknown:
usage("unrecognized option");
break;
}
exit(0);
/*NOTREACHED*/
}
static void
parse_args(int argc, char **argv)
{
int argch;
if (!(pw = getpwuid(getuid()))) {
warnx("your UID isn't in the passwd file. bailing out.");
exit(ERROR_EXIT);
}
strlcpy(User, pw->pw_name, sizeof(User));
strlcpy(RealUser, User, sizeof(RealUser));
Filename[0] = '\0';
Option = opt_unknown;
while (-1 != (argch = getopt(argc, argv, "u:lerx:"))) {
switch (argch) {
case 'x':
if (!set_debug_flags(optarg))
usage("bad debug option");
break;
case 'u':
if (getuid() != ROOT_UID)
{
warnx("must be privileged to use -u");
exit(ERROR_EXIT);
}
if (!(pw = getpwnam(optarg)))
{
warnx("user `%s' unknown", optarg);
exit(ERROR_EXIT);
}
(void) strlcpy(User, optarg, sizeof(User));
break;
case 'l':
if (Option != opt_unknown)
usage("only one operation permitted");
Option = opt_list;
break;
case 'r':
if (Option != opt_unknown)
usage("only one operation permitted");
Option = opt_delete;
break;
case 'e':
if (Option != opt_unknown)
usage("only one operation permitted");
Option = opt_edit;
break;
default:
usage("unrecognized option");
}
}
endpwent();
if (Option != opt_unknown) {
if (argv[optind] != NULL) {
usage("no arguments permitted after this option");
}
} else {
if (argv[optind] != NULL) {
Option = opt_replace;
(void) strlcpy(Filename, argv[optind],
sizeof(Filename));
} else {
usage("file name must be specified for replace");
}
}
if (Option == opt_replace) {
/* we have to open the file here because we're going to
* chdir(2) into /var/cron before we get around to
* reading the file.
*/
if (!strcmp(Filename, "-")) {
NewCrontab = stdin;
} else {
/* relinquish the setuid status of the binary during
* the open, lest nonroot users read files they should
* not be able to read. we can't use access() here
* since there's a race condition. thanks go out to
* Arnt Gulbrandsen <agulbra@pvv.unit.no> for spotting
* the race.
*/
if (swap_uids() < OK) {
warn("cannot swap uids");
exit(ERROR_EXIT);
}
if (!(NewCrontab = fopen(Filename, "r"))) {
warn("cannot open %s", Filename);
exit(ERROR_EXIT);
}
if (swap_uids() < OK) {
warn("cannot swap uids back");
exit(ERROR_EXIT);
}
}
}
Debug(DMISC, ("user=%s, file=%s, option=%s\n",
User, Filename, Options[(int)Option]))
}
static void
skip_header(int *pch, FILE *f)
{
int ch;
int x;
/* ignore the top few comments since we probably put them there.
*/
for (x = 0; x < NHEADER_LINES; x++) {
ch = get_char(f);
if (EOF == ch)
break;
if ('#' != ch)
break;
while (EOF != (ch = get_char(f)))
if (ch == '\n')
break;
if (EOF == ch)
break;
}
if (ch == '\n')
ch = get_char(f);
*pch = ch;
}
static void
list_cmd(void) {
char n[MAX_FNAME];
FILE *f;
int ch;
log_it(RealUser, Pid, "LIST", User);
(void) snprintf(n, sizeof(n), CRON_TAB(User));
if (!(f = fopen(n, "r"))) {
if (errno == ENOENT)
warnx("no crontab for %s", User);
else
warn("cannot open %s", n);
exit(ERROR_EXIT);
}
/* file is open. copy to stdout, close.
*/
Set_LineNum(1)
skip_header(&ch, f);
for (; EOF != ch; ch = get_char(f))
putchar(ch);
fclose(f);
}
static void
delete_cmd(void) {
char n[MAX_FNAME];
log_it(RealUser, Pid, "DELETE", User);
(void) snprintf(n, sizeof(n), CRON_TAB(User));
if (unlink(n)) {
if (errno == ENOENT)
warnx("no crontab for %s", User);
else
warn("cannot unlink %s", n);
exit(ERROR_EXIT);
}
poke_daemon();
}
static void
check_error(const char *msg)
{
CheckErrorCount++;
fprintf(stderr, "\"%s\":%d: %s\n", Filename, LineNumber-1, msg);
}
static void
edit_cmd(void) {
char n[MAX_FNAME], q[MAX_TEMPSTR];
const char *editor;
FILE *f;
int ch, t;
struct stat statbuf;
time_t mtime;
long mtimensec;
WAIT_T waiter;
PID_T pid, xpid;
sig_t oint, oabrt;
char *edit;
log_it(RealUser, Pid, "BEGIN EDIT", User);
(void) snprintf(n, sizeof(n), CRON_TAB(User));
if (!(f = fopen(n, "r"))) {
if (errno != ENOENT) {
warn("cannot open %s", n);
exit(ERROR_EXIT);
}
warnx("no crontab for %s - using an empty one", User);
if (!(f = fopen("/dev/null", "r"))) {
warn("cannot open /dev/null");
exit(ERROR_EXIT);
}
}
(void) snprintf(Filename, sizeof(Filename), "/tmp/crontab.%d", Pid);
if (-1 == (t = open(Filename, O_CREAT|O_EXCL|O_RDWR, 0600))) {
warn("cannot open %s", Filename);
goto fatal;
}
#ifdef HAS_FCHOWN
if (fchown(t, getuid(), getgid()) < 0) {
#else
if (chown(Filename, getuid(), getgid()) < 0) {
#endif
warn("cannot chown %s", Filename);
goto fatal;
}
if (fcntl(t, F_SETFD, FD_CLOEXEC) == -1) {
warn("cannot set close on exec");
goto fatal;
}
if (!(NewCrontab = fdopen(t, "r+"))) {
warn("cannot open fd");
goto fatal;
}
Set_LineNum(1)
skip_header(&ch, f);
/* copy the rest of the crontab (if any) to the temp file.
*/
for (; EOF != ch; ch = get_char(f))
putc(ch, NewCrontab);
fclose(f);
if (fflush(NewCrontab) < OK) {
warn("cannot flush output for %s", Filename);
exit(ERROR_EXIT);
}
again:
rewind(NewCrontab);
if (ferror(NewCrontab)) {
warn("error while writing new crontab to %s", Filename);
fatal: unlink(Filename);
exit(ERROR_EXIT);
}
if (fstat(t, &statbuf) < 0) {
warn("cannot stat %s", Filename);
goto fatal;
}
mtime = statbuf.st_mtime;
mtimensec = statbuf.st_mtimensec;
if ((!(editor = getenv("VISUAL")))
&& (!(editor = getenv("EDITOR")))
) {
editor = EDITOR;
}
/* we still have the file open. editors will generally rewrite the
* original file rather than renaming/unlinking it and starting a
* new one; even backup files are supposed to be made by copying
* rather than by renaming. if some editor does not support this,
* then don't use it. the security problems are more severe if we
* close and reopen the file around the edit.
*/
oint = signal(SIGINT, SIG_IGN);
oabrt = signal(SIGABRT, SIG_IGN);
switch (pid = fork()) {
case -1:
warn("cannot fork");
goto fatal;
case 0:
/* child */
if (setuid(getuid()) < 0) {
warn("cannot setuid(getuid())");
exit(ERROR_EXIT);
}
if (chdir("/tmp") < 0) {
warn("cannot chdir(/tmp)");
exit(ERROR_EXIT);
}
asprintf(&edit, "%s %s", editor, Filename);
if (system(edit) == -1) {
warn("Cannot run editor %s", editor);
exit(ERROR_EXIT);
} else
exit(OK_EXIT);
/*NOTREACHED*/
default:
/* parent */
break;
}
/* parent */
xpid = wait(&waiter);
if (xpid != pid) {
warnx("wrong PID (%d != %d) from \"%s\"", xpid, pid, editor);
goto fatal;
}
(void)signal(SIGINT, oint);
(void)signal(SIGABRT, oabrt);
if (WIFEXITED(waiter) && WEXITSTATUS(waiter)) {
warnx("\"%s\" exited with status %d",
editor, WEXITSTATUS(waiter));
goto fatal;
}
if (WIFSIGNALED(waiter)) {
warnx("\"%s\" killed; signal %d (%score dumped)",
editor, WTERMSIG(waiter), WCOREDUMP(waiter) ?"" :"no ");
goto fatal;
}
if (fstat(t, &statbuf) < 0) {
warn("cannot stat %s", Filename);
goto fatal;
}
if (mtime == statbuf.st_mtime && mtimensec == statbuf.st_mtimensec) {
warnx("no changes made to crontab");
goto remove;
}
warnx("installing new crontab");
switch (replace_cmd()) {
case 0:
break;
case -1:
for (;;) {
fpurge(stdin);
printf("Do you want to retry the same edit? ");
fflush(stdout);
q[0] = '\0';
(void) fgets(q, sizeof q, stdin);
switch (tolower((unsigned char)q[0])) {
case 'y':
goto again;
case 'n':
goto abandon;
default:
fprintf(stderr, "Enter Y or N\n");
}
}
/*NOTREACHED*/
case -2:
abandon:
warnx("edits left in %s", Filename);
goto done;
default:
warnx("panic: bad switch() in replace_cmd()");
goto fatal;
}
remove:
unlink(Filename);
done:
log_it(RealUser, Pid, "END EDIT", User);
}
/* returns 0 on success
* -1 on syntax error
* -2 on install error
*/
static int
replace_cmd(void) {
char n[MAX_FNAME], n2[MAX_FNAME], envstr[MAX_ENVSTR], tn[MAX_FNAME];
FILE *tmp, *fmaxtabsize;
int ch, eof, lastch;
entry *e;
time_t now = time(NULL);
char **envp = env_init(), *tnp = NULL;
size_t maxtabsize;
struct stat statbuf;
int val = -2;
(void) snprintf(n, sizeof(n), "tmp.%d", Pid);
(void) snprintf(tn, sizeof(tn), CRON_TAB(n));
if (!(tmp = fopen(tn, "w+"))) {
warn("Cannot open %s", tn);
goto out;
}
tnp = tn;
/* Make sure that the crontab is not an unreasonable size.
*
* XXX This is subject to a race condition--the user could
* add stuff to the file after we've checked the size but
* before we slurp it in and write it out. We can't just move
* the test to test the temp file we later create, because by
* that time we've already filled up the crontab disk. Probably
* the right thing to do is to do a bytecount in the copy loop
* rather than stating the file we're about to read.
*/
(void) snprintf(n2, sizeof(n), "%s/%s", CRONDIR, MAXTABSIZE_FILE);
if ((fmaxtabsize = fopen(n2, "r"))) {
if (fgets(n2, sizeof(n2), fmaxtabsize) == NULL) {
maxtabsize = 0;
} else {
maxtabsize = atoi(n2);
}
fclose(fmaxtabsize);
} else {
maxtabsize = MAXTABSIZE_DEFAULT;
}
if (fstat(fileno(NewCrontab), &statbuf)) {
warn("error stat'ing crontab input");
goto out;
}
if (statbuf.st_size > maxtabsize) {
warnx("%ld bytes is larger than the maximum size of %ld bytes",
(long) statbuf.st_size, (long) maxtabsize);
val = -1;
goto out;
}
/* write a signature at the top of the file.
*
* VERY IMPORTANT: make sure NHEADER_LINES agrees with this code.
*/
fprintf(tmp, "# DO NOT EDIT THIS FILE - edit the master and reinstall.\n");
fprintf(tmp, "# (%s installed on %-24.24s)\n", Filename, ctime(&now));
fprintf(tmp, "# (Cron version -- %s)\n",
"$NetBSD: crontab.c,v 1.30 2006/05/24 21:43:43 christos Exp $");
/* copy the crontab to the tmp
*/
rewind(NewCrontab);
Set_LineNum(1)
lastch = EOF;
while (EOF != (ch = get_char(NewCrontab))) {
putc(ch, tmp);
lastch = ch;
}
if (lastch != EOF && lastch != '\n') {
warnx("missing trailing newline in %s", Filename);
val = -1;
goto out;
}
if (ferror(NewCrontab)) {
warn("error while reading %s", Filename);
goto out;
}
ftruncate(fileno(tmp), ftell(tmp)); /* XXX this should be a NOOP - is */
fflush(tmp);
if (ferror(tmp)) {
warn("error while writing new crontab to %s", tn);
goto out;
}
rewind(tmp);
/* check the syntax of the file being installed.
*/
/* BUG: was reporting errors after the EOF if there were any errors
* in the file proper -- kludged it by stopping after first error.
* vix 31mar87
*/
Set_LineNum(1 - NHEADER_LINES)
CheckErrorCount = 0; eof = FALSE;
while (!CheckErrorCount && !eof) {
switch (load_env(envstr, tmp)) {
case ERR:
eof = TRUE;
break;
case FALSE:
e = load_entry(tmp, check_error, pw, envp);
if (e)
free(e);
break;
case TRUE:
break;
}
}
if (CheckErrorCount != 0) {
warnx("errors in crontab file, can't install");
val = -1;
goto out;
}
#ifdef HAS_FCHOWN
if (fchown(fileno(tmp), ROOT_UID, -1) < OK)
#else
if (chown(tn, ROOT_UID, -1) < OK)
#endif
{
warn("cannot chown %s", tn);
goto out;
}
#ifdef HAS_FCHMOD
if (fchmod(fileno(tmp), 0600) < OK)
#else
if (chmod(tn, 0600) < OK)
#endif
{
warn("cannot chmod %s", tn);
goto out;
}
if (fclose(tmp) == EOF) {
tmp = NULL;
warn("error closing file");
goto out;
}
tmp = NULL;
(void) snprintf(n, sizeof(n), CRON_TAB(User));
if (rename(tn, n)) {
warn("error renaming %s to %s", tn, n);
goto out;
}
log_it(RealUser, Pid, "REPLACE", User);
poke_daemon();
free(envp);
return (0);
out:
if (tmp)
fclose(tmp);
if (tnp)
unlink(tnp);
free(envp);
return val;
}
static void
poke_daemon(void) {
#ifdef USE_UTIMES
struct timeval tvs[2];
struct timezone tz;
(void) gettimeofday(&tvs[0], &tz);
tvs[1] = tvs[0];
if (utimes(SPOOL_DIR, tvs) < OK) {
warn("can't update mtime on spooldir %s", SPOOL_DIR);
return;
}
#else
if (utime(SPOOL_DIR, NULL) < OK) {
warn("can't update mtime on spooldir %s", SPOOL_DIR);
return;
}
#endif /*USE_UTIMES*/
}