authorTodd C. Miller <millert@cvs.openbsd.org>2003-02-20 19:12:17 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2003-02-20 19:12:17 +0000
commitc3f1354768fb5072b1fba813214b323d1012f0d2 (patch)
tree745b830897ba7c2111fd9c8dd1a495cce876a99f
parente47b6ab851f6e6441127e868ccce245e5c8da609 (diff)
If there is no cron.allow or cron.deny file, only the superuser may run
the crontab command; for POSIX compliance. Create an empty cron.deny file to allow any user to run crontab: install -c -o root -g crontab -m 660 /dev/null /var/cron/cron.deny
-rw-r--r--usr.sbin/cron/config.h8
-rw-r--r--usr.sbin/cron/crontab.18
-rw-r--r--usr.sbin/cron/crontab.c6
-rw-r--r--usr.sbin/cron/funcs.h4
-rw-r--r--usr.sbin/cron/misc.c55
5 files changed, 25 insertions, 56 deletions
diff --git a/usr.sbin/cron/config.h b/usr.sbin/cron/config.h
index 1a1639c553e..33944a2ed24 100644
--- a/usr.sbin/cron/config.h
+++ b/usr.sbin/cron/config.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.h,v 1.13 2002/07/15 19:13:29 millert Exp $ */
+/* $OpenBSD: config.h,v 1.14 2003/02/20 19:12:16 millert Exp $ */
/* Copyright 1988,1990,1993,1994 by Paul Vixie
* All rights reserved
@@ -65,12 +65,6 @@
* generate the Date: header.
*/
- /* if ALLOW_FILE and DENY_FILE are not defined or are
- * defined but neither exists, should crontab(1) be
- * usable only by root?
- */
-/*#define ALLOW_ONLY_ROOT -*/
-
/* if you want to use syslog(3) instead of appending
* to CRONDIR/LOG_FILE (/var/cron/log, e.g.), define
* SYSLOG here. Note that quite a bit of logging
diff --git a/usr.sbin/cron/crontab.1 b/usr.sbin/cron/crontab.1
index 0eddd4603de..50b3616f262 100644
--- a/usr.sbin/cron/crontab.1
+++ b/usr.sbin/cron/crontab.1
@@ -15,7 +15,7 @@
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
.\" SOFTWARE.
.\"
-.\" $OpenBSD: crontab.1,v 1.17 2003/02/20 17:28:29 millert Exp $
+.\" $OpenBSD: crontab.1,v 1.18 2003/02/20 19:12:16 millert Exp $
.\"
.Dd June 8, 1999
.Dt CRONTAB 1
@@ -65,11 +65,9 @@ be listed in the
.Pa /var/cron/cron.deny
file in order to use
.Nm crontab .
-If neither of these files exists, then
-depending on site-dependent configuration parameters, only the super user
+If neither of these files exists then only the super user
will be allowed to use
-.Nm crontab ,
-or all users will be able to use it.
+.Nm crontab .
.Em NOTE :
if they exist,
.Pa /var/cron/cron.allow
diff --git a/usr.sbin/cron/crontab.c b/usr.sbin/cron/crontab.c
index 05ca44003a3..9accc8d24d9 100644
--- a/usr.sbin/cron/crontab.c
+++ b/usr.sbin/cron/crontab.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crontab.c,v 1.38 2003/02/18 02:25:39 millert Exp $ */
+/* $OpenBSD: crontab.c,v 1.39 2003/02/20 19:12:16 millert Exp $ */
/* Copyright 1988,1990,1993,1994 by Paul Vixie
* All rights reserved
*/
@@ -21,7 +21,7 @@
*/
#if !defined(lint) && !defined(LINT)
-static char const rcsid[] = "$OpenBSD: crontab.c,v 1.38 2003/02/18 02:25:39 millert Exp $";
+static char const rcsid[] = "$OpenBSD: crontab.c,v 1.39 2003/02/20 19:12:16 millert Exp $";
#endif
/* crontab - install and manage per-user crontab files
@@ -88,7 +88,7 @@ main(int argc, char *argv[]) {
#endif
parse_args(argc, argv); /* sets many globals, opens a file */
set_cron_cwd();
- if (!allowed(User)) {
+ if (!allowed(RealUser, ALLOW_FILE, DENY_FILE)) {
fprintf(stderr,
"You (%s) are not allowed to use this program (%s)\n",
User, ProgramName);
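Review bot: The denial message still prints `User` while the check now tests `RealUser`, so whenever the two differ the message names an account other than the one that was refused; passing `RealUser, ProgramName);` to the fprintf would keep the message consistent with the decision. The call also uses `ALLOW_FILE` and `DENY_FILE` unconditionally, whereas the code removed from misc.c guarded them with `#if defined(ALLOW_FILE) && defined(DENY_FILE)`, so a configuration that leaves either undefined would presumably no longer build. If `RealUser` is the invoking account, as its name suggests, a short comment such as `/* access is decided on the real (invoking) user */` above the call would record why it replaced `User`. main() starts and ends outside this hunk.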
diff --git a/usr.sbin/cron/funcs.h b/usr.sbin/cron/funcs.h
index 84a2bf67260..e7dc347d500 100644
--- a/usr.sbin/cron/funcs.h
+++ b/usr.sbin/cron/funcs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: funcs.h,v 1.8 2002/07/15 19:13:29 millert Exp $ */
+/* $OpenBSD: funcs.h,v 1.9 2003/02/20 19:12:16 millert Exp $ */
/*
* Copyright (c) 1997,2000 by Internet Software Consortium, Inc.
@@ -51,7 +51,7 @@ int job_runqueue(void),
cron_pclose(FILE *),
glue_strings(char *, size_t, const char *, const char *, char),
strcmp_until(const char *, const char *, char),
- allowed(const char *),
+ allowed(const char *, const char *, const char *),
strdtb(char *),
open_socket(void),
safe_p(const char *, const char *),
diff --git a/usr.sbin/cron/misc.c b/usr.sbin/cron/misc.c
index 8ea94593f0c..b234f1cabeb 100644
--- a/usr.sbin/cron/misc.c
+++ b/usr.sbin/cron/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.24 2003/02/18 02:25:39 millert Exp $ */
+/* $OpenBSD: misc.c,v 1.25 2003/02/20 19:12:16 millert Exp $ */
/* Copyright 1988,1990,1993,1994 by Paul Vixie
* All rights reserved
*/
@@ -21,7 +21,7 @@
*/
#if !defined(lint) && !defined(LINT)
-static char const rcsid[] = "$OpenBSD: misc.c,v 1.24 2003/02/18 02:25:39 millert Exp $";
+static char const rcsid[] = "$OpenBSD: misc.c,v 1.25 2003/02/20 19:12:16 millert Exp $";
#endif
/* vix 26jan87 [RCS has the rest of the log]
@@ -432,49 +432,26 @@ in_file(const char *string, FILE *file, int error)
return (FALSE);
}
-/* int allowed(const char *username)
- * returns TRUE if (ALLOW_FILE exists and user is listed)
- * or (DENY_FILE exists and user is NOT listed)
- * or (neither file exists but user=="root" so it's okay)
+/* int allowed(const char *username, const char *allow_file, const char *deny_file)
+ * returns TRUE if (allow_file exists and user is listed)
+ * or (deny_file exists and user is NOT listed).
+ * root is always allowed.
*/
int
-allowed(const char *username) {
- FILE *allow = NULL;
- FILE *deny = NULL;
+allowed(const char *username, const char *allow_file, const char *deny_file) {
+ FILE *fp;
int isallowed;
-#if defined(ALLOW_FILE) && defined(DENY_FILE)
+ if (strcmp(username, ROOT_USER) == 0)
+ return (TRUE);
isallowed = FALSE;
- allow = fopen(ALLOW_FILE, "r");
- if (allow == NULL && errno != ENOENT)
- goto out;
- deny = fopen(DENY_FILE, "r");
- if (deny == NULL && errno != ENOENT)
- goto out;
- Debug(DMISC, ("allow/deny enabled, %d/%d\n", !!allow, !!deny))
-
- if (allow) {
- isallowed = in_file(username, allow, FALSE);
- goto out;
+ if ((fp = fopen(allow_file, "r")) != NULL) {
+ isallowed = in_file(username, fp, FALSE);
+ fclose(fp);
+ } else if ((fp = fopen(deny_file, "r")) != NULL) {
+ isallowed = !in_file(username, fp, FALSE);
+ fclose(fp);
}
- if (deny) {
- isallowed = !in_file(username, deny, TRUE);
- goto out;
- }
-#endif
-
-#if defined(ALLOW_ONLY_ROOT)
- isallowed = strcmp(username, ROOT_USER) == 0;
-#else
- isallowed = TRUE;
-#endif
-
-out:
- if (allow)
- fclose(allow);
- if (deny)
- fclose(deny);
-
return (isallowed);
}
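Review bot: The rewritten `allowed()` fails open where the removed code failed closed. Any failure of `fopen(allow_file, "r")`, not only a missing file, now falls through to the deny-file branch, so an allow list that exists but cannot be opened is silently replaced by deny-list semantics. The removed code returned FALSE when `errno != ENOENT`; adding `} else if (errno != ENOENT) { return (FALSE);` ahead of the deny-file branch would keep that. The deny lookup also now passes `FALSE` as in_file()'s third argument where the old call passed `TRUE`. in_file()'s body is outside this hunk, but if that argument is the value returned on a read error, a read failure now reports the user as not denied, and `isallowed = !in_file(username, fp, TRUE);` would restore the old result.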