authorTodd C. Miller <millert@cvs.openbsd.org>2007-03-28 16:49:26 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2007-03-28 16:49:26 +0000
commit499d0f0cb7d5052e362242fc682568b9a82246fb (patch)
tree24c390fd37975fae7fa4f844e8fb406f584a0eb7
parent946ccfd38933cf83d2b208eab246f05292739668 (diff)
Since /etc/crontab is not edited via crontab(1) there's no good
reason to require its mode to be 0400 or to bail if the link count is != 1. The reason for such paranoia all has to do with crontab(1) and editing user crontab files. We now only require that /etc/crontab not be writable by anyone other than the owner. OK deraadt@ ajacoutot@ jmc@
-rw-r--r--usr.sbin/cron/cron.817
-rw-r--r--usr.sbin/cron/database.c13
2 files changed, 15 insertions, 15 deletions
diff --git a/usr.sbin/cron/cron.8 b/usr.sbin/cron/cron.8
index cf39eda89f5..2af248d47a4 100644
--- a/usr.sbin/cron/cron.8
+++ b/usr.sbin/cron/cron.8
@@ -17,7 +17,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $OpenBSD: cron.8,v 1.28 2007/02/18 23:59:03 jmc Exp $
+.\" $OpenBSD: cron.8,v 1.29 2007/03/28 16:49:25 millert Exp $
.\"
.Dd July 6, 2002
.Dt CRON 8
@@ -212,14 +212,11 @@ to check for crontab changes immediately
.Sh AUTHORS
.An Paul Vixie Aq vixie@isc.org
.Sh CAVEATS
-All
.Xr crontab 5
-files must not be readable or writable by any user other than their owner,
-including
-.Pa /etc/crontab .
-In practice this means they should be mode 0600.
-This restriction is enforced automatically by
-.Xr crontab 1
-but if
+files will be ignored if they do not have the proper file mode.
+For user crontab files created by
+.Xr crontab 1 ,
+the mode must be 0400 or 0600.
+If the system crontab file is used,
.Pa /etc/crontab
-is used, the mode must be set manually on that file.
+must not be writable by any user other than root.
diff --git a/usr.sbin/cron/database.c b/usr.sbin/cron/database.c
index c14132dfcf3..3a571adc0ec 100644
--- a/usr.sbin/cron/database.c
+++ b/usr.sbin/cron/database.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: database.c,v 1.16 2004/06/22 03:15:33 avsm Exp $ */
+/* $OpenBSD: database.c,v 1.17 2007/03/28 16:49:25 millert Exp $ */
/* Copyright 1988,1990,1993,1994 by Paul Vixie
* All rights reserved
@@ -22,7 +22,7 @@
*/
#if !defined(lint) && !defined(LINT)
-static char const rcsid[] = "$OpenBSD: database.c,v 1.16 2004/06/22 03:15:33 avsm Exp $";
+static char const rcsid[] = "$OpenBSD: database.c,v 1.17 2007/03/28 16:49:25 millert Exp $";
#endif
/* vix 26jan87 [RCS has the log]
@@ -209,15 +209,18 @@ process_crontab(const char *uname, const char *fname, const char *tabname,
goto next_crontab;
}
if ((statbuf->st_mode & 07577) != 0400) {
- log_it(fname, getpid(), "BAD FILE MODE", tabname);
- goto next_crontab;
+ /* Looser permissions on system crontab. */
+ if (pw != NULL || (statbuf->st_mode & 022) != 0) {
+ log_it(fname, getpid(), "BAD FILE MODE", tabname);
+ goto next_crontab;
+ }
}
if (statbuf->st_uid != ROOT_UID && (pw == NULL ||
statbuf->st_uid != pw->pw_uid || strcmp(uname, pw->pw_name) != 0)) {
log_it(fname, getpid(), "WRONG FILE OWNER", tabname);
goto next_crontab;
}
- if (statbuf->st_nlink != 1) {
+ if (pw != NULL && statbuf->st_nlink != 1) {
log_it(fname, getpid(), "BAD LINK COUNT", tabname);
goto next_crontab;
}
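Review bot: The relaxed branch at `if (pw != NULL || (statbuf->st_mode & 022) != 0)` relies on `pw == NULL` meaning "this is the system crontab" and on the owner check a few lines below to guarantee the file is root-owned, but the comment `/* Looser permissions on system crontab. */` states neither. I would spell the invariant out, e.g. `/* System crontab (pw == NULL): may be group/world readable but not group/world writable; root ownership is enforced by the owner check below. */`, and write the mask as `(S_IWGRP | S_IWOTH)` rather than `022` so the intent is readable without decoding octal. With `pw == NULL` the setuid/setgid/sticky bits and the link count are no longer constrained either, which looks harmless for a root-owned, non-writable file but deserves a word in the comment. process_crontab starts and ends outside this hunk, so whether statbuf comes from fstat() on an already-open descriptor cannot be confirmed from here.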