1 /*        $NetBSD: crontab.c,v 1.15 2018/03/06 21:21:27 htodd Exp $   */
2 
3 /* Copyright 1988,1990,1993,1994 by Paul Vixie
4  * All rights reserved
5  */
6 
7 /*
8  * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
9  * Copyright (c) 1997,2000 by Internet Software Consortium, Inc.
10  *
11  * Permission to use, copy, modify, and distribute this software for any
12  * purpose with or without fee is hereby granted, provided that the above
13  * copyright notice and this permission notice appear in all copies.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
16  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
17  * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
18  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
21  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22  */
23 #include <sys/cdefs.h>
24 #if !defined(lint) && !defined(LINT)
25 #if 0
26 static char rcsid[] = "Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp";
27 #else
28 __RCSID("$NetBSD: crontab.c,v 1.15 2018/03/06 21:21:27 htodd Exp $");
29 #endif
30 #endif
31 
32 /* crontab - install and manage per-user crontab files
33  * vix 02may87 [RCS has the rest of the log]
34  * vix 26jan87 [original]
35  */
36 
37 #define   MAIN_PROGRAM
38 
39 #include "cron.h"
40 
41 #define NHEADER_LINES 3
42 
43 enum opt_t          { opt_unknown, opt_list, opt_delete, opt_edit, opt_replace };
44 
45 #if DEBUGGING
46 static const char   *Options[] = {
47     "???", "list", "delete", "edit", "replace" };
48 static const char   *getoptargs = "u:lerx:";
49 #else
50 static const char   *getoptargs = "u:ler";
51 #endif
52 
53 static    PID_T               Pid;
54 static    char                User[MAX_UNAME], RealUser[MAX_UNAME];
55 static    char                Filename[MAX_FNAME], TempFilename[MAX_FNAME];
56 static    FILE                *NewCrontab;
57 static    int                 CheckErrorCount;
58 static    enum opt_t          Option;
59 static    struct passwd       *pw;
60 static    void                list_cmd(void),
61                               delete_cmd(void),
62                               edit_cmd(void),
63                               poke_daemon(void),
64                               check_error(const char *),
65                               parse_args(int c, char *v[]);
66 static    int                 replace_cmd(void);
67 static  int                   allowed(const char *, const char *, const char *);
68 static  int                   in_file(const char *, FILE *, int);
69 static  int                   relinquish_priv(void);
70 static  int                   regain_priv(void);
71 
72 static __dead void
usage(const char * msg)73 usage(const char *msg) {
74           (void)fprintf(stderr, "%s: usage error: %s\n", getprogname(), msg);
75           (void)fprintf(stderr, "usage:\t%s [-u user] file\n", getprogname());
76           (void)fprintf(stderr, "\t%s [-u user] [ -e | -l | -r ]\n", getprogname());
77           (void)fprintf(stderr, "\t\t(default operation is replace, per 1003.2)\n");
78           (void)fprintf(stderr, "\t-e\t(edit user's crontab)\n");
79           (void)fprintf(stderr, "\t-l\t(list user's crontab)\n");
80           (void)fprintf(stderr, "\t-r\t(delete user's crontab)\n");
81           exit(ERROR_EXIT);
82 }
83 
84 static uid_t euid, ruid;
85 static gid_t egid, rgid;
86 
87 int
main(int argc,char * argv[])88 main(int argc, char *argv[]) {
89           int exitstatus;
90 
91           setprogname(argv[0]);
92           Pid = getpid();
93           (void)setlocale(LC_ALL, "");
94 
95           euid = geteuid();
96           egid = getegid();
97           ruid = getuid();
98           rgid = getgid();
99 
100           if (euid == ruid && ruid != 0)
101                     errx(ERROR_EXIT, "Not installed setuid root");
102 
103           (void)setvbuf(stderr, NULL, _IOLBF, 0);
104           parse_args(argc, argv);                 /* sets many globals, opens a file */
105           set_cron_cwd();
106           if (!allowed(RealUser, CRON_ALLOW, CRON_DENY)) {
107                     (void)fprintf(stderr,
108                               "You `%s' are not allowed to use this program `%s'\n",
109                               User, getprogname());
110                     (void)fprintf(stderr, "See crontab(1) for more information\n");
111                     log_it(RealUser, Pid, "AUTH", "crontab command not allowed");
112                     exit(ERROR_EXIT);
113           }
114           exitstatus = OK_EXIT;
115           switch (Option) {
116           case opt_unknown:
117                     usage("unrecognized option");
118                     exitstatus = ERROR_EXIT;
119                     break;
120           case opt_list:
121                     list_cmd();
122                     break;
123           case opt_delete:
124                     delete_cmd();
125                     break;
126           case opt_edit:
127                     edit_cmd();
128                     break;
129           case opt_replace:
130                     if (replace_cmd() < 0)
131                               exitstatus = ERROR_EXIT;
132                     break;
133           default:
134                     abort();
135           }
136           exit(exitstatus);
137           /*NOTREACHED*/
138 }
139 
140 static void
get_time(const struct stat * st,struct timespec * ts)141 get_time(const struct stat *st, struct timespec *ts)
142 {
143           ts[0].tv_sec = st->st_atime;
144           ts[0].tv_nsec = st->st_atimensec;
145           ts[1].tv_sec = st->st_mtime;
146           ts[1].tv_nsec = st->st_mtimensec;
147 }
148 
149 static int
change_time(const char * name,const struct timespec * ts)150 change_time(const char *name, const struct timespec *ts)
151 {
152 #if defined(HAVE_UTIMENSAT)
153           return utimensat(AT_FDCWD, name, ts, 0);
154 #elif defined(HAVE_UTIMES)
155           struct timeval tv[2];
156           TIMESPEC_TO_TIMEVAL(&tv[0], &ts[0]);
157           TIMESPEC_TO_TIMEVAL(&tv[1], &ts[1]);
158           return utimes(name, tv);
159 #else
160           struct utimbuf ut;
161           ut.actime = ts[0].tv_sec;
162           ut.modtime = ts[1].tv_sec;
163           return utime(name, &ut);
164 #endif
165 }
166 
167 static int
compare_time(const struct stat * st,const struct timespec * ts2)168 compare_time(const struct stat *st, const struct timespec *ts2)
169 {
170           struct timespec ts1[2];
171           get_time(st, ts1);
172 
173           return ts1[1].tv_sec == ts2[1].tv_sec
174 #if defined(HAVE_UTIMENSAT)
175               && ts1[1].tv_nsec == ts2[1].tv_nsec
176 #elif defined(HAVE_UTIMES)
177               && ts1[1].tv_nsec / 1000 == ts2[1].tv_nsec / 1000
178 #endif
179           ;
180 }
181 
182 static void
parse_args(int argc,char * argv[])183 parse_args(int argc, char *argv[]) {
184           int argch;
185 
186           if (!(pw = getpwuid(getuid()))) {
187                     errx(ERROR_EXIT,
188                         "your UID isn't in the passwd file. bailingo out");
189           }
190           if (strlen(pw->pw_name) >= sizeof User) {
191                     errx(ERROR_EXIT, "username too long");
192           }
193           (void)strlcpy(User, pw->pw_name, sizeof(User));
194           (void)strlcpy(RealUser, User, sizeof(RealUser));
195           Filename[0] = '\0';
196           Option = opt_unknown;
197           while (-1 != (argch = getopt(argc, argv, getoptargs))) {
198                     switch (argch) {
199 #if DEBUGGING
200                     case 'x':
201                               if (!set_debug_flags(optarg))
202                                         usage("bad debug option");
203                               break;
204 #endif
205                     case 'u':
206                               if (MY_UID(pw) != ROOT_UID) {
207                                         errx(ERROR_EXIT,
208                                             "must be privileged to use -u");
209                               }
210                               if (!(pw = getpwnam(optarg))) {
211                                         errx(ERROR_EXIT, "user `%s' unknown", optarg);
212                               }
213                               if (strlen(optarg) >= sizeof User)
214                                         usage("username too long");
215                               (void) strlcpy(User, optarg, sizeof(User));
216                               break;
217                     case 'l':
218                               if (Option != opt_unknown)
219                                         usage("only one operation permitted");
220                               Option = opt_list;
221                               break;
222                     case 'r':
223                               if (Option != opt_unknown)
224                                         usage("only one operation permitted");
225                               Option = opt_delete;
226                               break;
227                     case 'e':
228                               if (Option != opt_unknown)
229                                         usage("only one operation permitted");
230                               Option = opt_edit;
231                               break;
232                     default:
233                               usage("unrecognized option");
234                     }
235           }
236 
237           endpwent();
238 
239           if (Option != opt_unknown) {
240                     if (argv[optind] != NULL)
241                               usage("no arguments permitted after this option");
242           } else {
243                     if (argv[optind] != NULL) {
244                               Option = opt_replace;
245                               if (strlen(argv[optind]) >= sizeof Filename)
246                                         usage("filename too long");
247                               (void)strlcpy(Filename, argv[optind], sizeof(Filename));
248                     } else
249                               usage("file name must be specified for replace");
250           }
251 
252           if (Option == opt_replace) {
253                     /* we have to open the file here because we're going to
254                      * chdir(2) into /var/cron before we get around to
255                      * reading the file.
256                      */
257                     if (!strcmp(Filename, "-"))
258                               NewCrontab = stdin;
259                     else {
260                               /* relinquish the setuid status of the binary during
261                                * the open, lest nonroot users read files they should
262                                * not be able to read.  we can't use access() here
263                                * since there's a race condition.  thanks go out to
264                                * Arnt Gulbrandsen <agulbra@pvv.unit.no> for spotting
265                                * the race.
266                                */
267 
268                               if (relinquish_priv() < OK) {
269                                         err(ERROR_EXIT, "swapping uids");
270                               }
271                               if (!(NewCrontab = fopen(Filename, "r"))) {
272                                         err(ERROR_EXIT, "cannot open `%s'", Filename);
273                               }
274                               if (regain_priv() < OK) {
275                                         err(ERROR_EXIT, "swapping uids back");
276                               }
277                     }
278           }
279 
280           Debug(DMISC, ("user=%s, file=%s, option=%s\n",
281                           User, Filename, Options[(int)Option]));
282 }
283 
284 static void
skip_header(int * pch,FILE * f)285 skip_header(int *pch, FILE *f)
286 {
287           int ch;
288           int x;
289 
290           /* ignore the top few comments since we probably put them there.
291            */
292           for (x = 0;  x < NHEADER_LINES;  x++) {
293                     ch = get_char(f);
294                     if (EOF == ch)
295                               break;
296                     if ('#' != ch)
297                               break;
298                     while (EOF != (ch = get_char(f)))
299                               if (ch == '\n')
300                                         break;
301                     if (EOF == ch)
302                               break;
303           }
304           if (ch == '\n')
305                     ch = get_char(f);
306 
307           *pch = ch;
308 }
309 
310 static void
list_cmd(void)311 list_cmd(void) {
312           char n[MAX_FNAME];
313           FILE *f;
314           int ch;
315 
316           log_it(RealUser, Pid, "LIST", User);
317           if (!glue_strings(n, sizeof n, SPOOL_DIR, User, '/')) {
318                     errx(ERROR_EXIT, "path too long");
319           }
320           if (!(f = fopen(n, "r"))) {
321                     if (errno == ENOENT)
322                               errx(ERROR_EXIT, "no crontab for `%s'", User);
323                     else
324                               err(ERROR_EXIT, "Cannot open `%s'", n);
325           }
326 
327           /* file is open. copy to stdout, close.
328            */
329           Set_LineNum(1);
330           skip_header(&ch, f);
331           for (; EOF != ch;  ch = get_char(f))
332                     (void)putchar(ch);
333           (void)fclose(f);
334 }
335 
336 static void
delete_cmd(void)337 delete_cmd(void) {
338           char n[MAX_FNAME];
339 
340           log_it(RealUser, Pid, "DELETE", User);
341           if (!glue_strings(n, sizeof n, SPOOL_DIR, User, '/')) {
342                     errx(ERROR_EXIT, "path too long");
343           }
344           if (unlink(n) != 0) {
345                     if (errno == ENOENT)
346                               errx(ERROR_EXIT, "no crontab for `%s'", User);
347                     else
348                               err(ERROR_EXIT, "cannot unlink `%s'", n);
349           }
350           poke_daemon();
351 }
352 
353 static void
check_error(const char * msg)354 check_error(const char *msg) {
355           CheckErrorCount++;
356           (void)fprintf(stderr, "\"%s\":%d: %s\n", Filename, LineNumber-1, msg);
357 }
358 
359 static void
edit_cmd(void)360 edit_cmd(void) {
361           char n[MAX_FNAME], q[MAX_TEMPSTR];
362           const char *editor;
363           FILE *f;
364           int ch, t, x;
365           sig_t oint, oabrt, oquit, ohup;
366           struct stat statbuf;
367           WAIT_T waiter;
368           PID_T pid, xpid;
369           struct timespec ts[2];
370 
371           log_it(RealUser, Pid, "BEGIN EDIT", User);
372           if (!glue_strings(n, sizeof n, SPOOL_DIR, User, '/')) {
373                     errx(ERROR_EXIT, "path too long");
374           }
375           if (!(f = fopen(n, "r"))) {
376                     if (errno != ENOENT) {
377                               err(ERROR_EXIT, "cannot open `%s'", n);
378                     }
379                     warnx("no crontab for `%s' - using an empty one", User);
380                     if (!(f = fopen(_PATH_DEVNULL, "r"))) {
381                               err(ERROR_EXIT, "cannot open `%s'", _PATH_DEVNULL);
382                     }
383           }
384 
385           if (fstat(fileno(f), &statbuf) < 0) {
386                     warn("cannot stat crontab file");
387                     goto fatal;
388           }
389           get_time(&statbuf, ts);
390 
391           /* Turn off signals. */
392           ohup = signal(SIGHUP, SIG_IGN);
393           oint = signal(SIGINT, SIG_IGN);
394           oquit = signal(SIGQUIT, SIG_IGN);
395           oabrt = signal(SIGABRT, SIG_IGN);
396 
397           if (!glue_strings(Filename, sizeof Filename, _PATH_TMP,
398               "crontab.XXXXXXXXXX", '/')) {
399                     warnx("path too long");
400                     goto fatal;
401           }
402           if (-1 == (t = mkstemp(Filename))) {
403                     warn("cannot create `%s'", Filename);
404                     goto fatal;
405           }
406 #ifdef HAS_FCHOWN
407           x = fchown(t, MY_UID(pw), MY_GID(pw));
408 #else
409           x = chown(Filename, MY_UID(pw), MY_GID(pw));
410 #endif
411           if (x < 0) {
412                     warn("cannot chown `%s'", Filename);
413                     goto fatal;
414           }
415           if (!(NewCrontab = fdopen(t, "r+"))) {
416                     warn("cannot open fd");
417                     goto fatal;
418           }
419 
420           Set_LineNum(1);
421 
422           skip_header(&ch, f);
423 
424           /* copy the rest of the crontab (if any) to the temp file.
425            */
426           for (; EOF != ch; ch = get_char(f))
427                     (void)putc(ch, NewCrontab);
428           (void)fclose(f);
429           if (fflush(NewCrontab) < OK) {
430                     err(ERROR_EXIT, "cannot flush output for `%s'", Filename);
431           }
432 #ifdef HAVE_FUTIMENS
433           if (futimens(t, ts) == -1)
434 #else
435           if (change_time(Filename, ts) == -1)
436 #endif
437                     err(ERROR_EXIT, "cannot set time info for `%s'", Filename);
438  again:
439           rewind(NewCrontab);
440           if (ferror(NewCrontab)) {
441                     warn("error while writing new crontab to `%s'", Filename);
442  fatal:
443                     (void)unlink(Filename);
444                     exit(ERROR_EXIT);
445           }
446 
447           if (((editor = getenv("VISUAL")) == NULL || *editor == '\0') &&
448               ((editor = getenv("EDITOR")) == NULL || *editor == '\0')) {
449                     editor = EDITOR;
450           }
451 
452           /* we still have the file open.  editors will generally rewrite the
453            * original file rather than renaming/unlinking it and starting a
454            * new one; even backup files are supposed to be made by copying
455            * rather than by renaming.  if some editor does not support this,
456            * then don't use it.  the security problems are more severe if we
457            * close and reopen the file around the edit.
458            */
459 
460           switch (pid = fork()) {
461           case -1:
462                     warn("cannot fork");
463                     goto fatal;
464           case 0:
465                     /* child */
466                     if (setgid(MY_GID(pw)) < 0) {
467                               err(ERROR_EXIT, "cannot setgid(getgid())");
468                     }
469                     if (setuid(MY_UID(pw)) < 0) {
470                               err(ERROR_EXIT, "cannot setuid(getuid())");
471                     }
472                     if (close_all(3)) {
473                               err(ERROR_EXIT, "cannot close files");
474                     }
475                     if (chdir(_PATH_TMP) < 0) {
476                               err(ERROR_EXIT, "cannot chdir to `%s'", _PATH_TMP);
477                     }
478                     if (!glue_strings(q, sizeof q, editor, Filename, ' ')) {
479                               errx(ERROR_EXIT, "editor command line too long");
480                     }
481                     (void)execlp(_PATH_BSHELL, _PATH_BSHELL, "-c", q, (char *)0);
482                     err(ERROR_EXIT, "cannot start `%s'", editor);
483                     /*NOTREACHED*/
484           default:
485                     /* parent */
486                     break;
487           }
488 
489           /* parent */
490           for (;;) {
491                     xpid = waitpid(pid, &waiter, WUNTRACED);
492                     if (xpid == -1) {
493                               if (errno != EINTR)
494                                         warn("waitpid() failed waiting for PID %ld "
495                                             "from `%s'", (long)pid, editor);
496                     } else if (xpid != pid) {
497                               warnx("wrong PID (%ld != %ld) from `%s'",
498                                   (long)xpid, (long)pid, editor);
499                               goto fatal;
500                     } else if (WIFSTOPPED(waiter)) {
501                               (void)kill(getpid(), WSTOPSIG(waiter));
502                     } else if (WIFEXITED(waiter) && WEXITSTATUS(waiter)) {
503                               warnx("`%s' exited with status %d\n",
504                                   editor, WEXITSTATUS(waiter));
505                               goto fatal;
506                     } else if (WIFSIGNALED(waiter)) {
507                               warnx("`%s' killed; signal %d (%score dumped)",
508                                   editor, WTERMSIG(waiter),
509                                   WCOREDUMP(waiter) ? "" : "no ");
510                               goto fatal;
511                     } else
512                               break;
513           }
514           (void)signal(SIGHUP, ohup);
515           (void)signal(SIGINT, oint);
516           (void)signal(SIGQUIT, oquit);
517           (void)signal(SIGABRT, oabrt);
518 
519           if (fstat(t, &statbuf) < 0) {
520                     warn("cannot stat `%s'", Filename);
521                     goto fatal;
522           }
523           if (compare_time(&statbuf, ts)) {
524                     warnx("no changes made to crontab");
525                     goto remove;
526           }
527           warnx("installing new crontab");
528           switch (replace_cmd()) {
529           case 0:
530                     break;
531           case -1:
532                     for (;;) {
533                               (void)fpurge(stdin);
534                               (void)printf("Do you want to retry the same edit? ");
535                               (void)fflush(stdout);
536                               q[0] = '\0';
537                               (void) fgets(q, (int)sizeof(q), stdin);
538                               switch (q[0]) {
539                               case 'y':
540                               case 'Y':
541                                         goto again;
542                               case 'n':
543                               case 'N':
544                                         goto abandon;
545                               default:
546                                         (void)printf("Enter Y or N\n");
547                               }
548                     }
549                     /*NOTREACHED*/
550           case -2:
551           abandon:
552                     warnx("edits left in `%s'", Filename);
553                     goto done;
554           default:
555                     warnx("panic: bad switch() in replace_cmd()");
556                     goto fatal;
557           }
558  remove:
559           (void)unlink(Filename);
560  done:
561           log_it(RealUser, Pid, "END EDIT", User);
562 }
563 
564 static size_t
getmaxtabsize(void)565 getmaxtabsize(void)
566 {
567           char n2[MAX_FNAME];
568           FILE *fmaxtabsize;
569           size_t maxtabsize;
570 
571           /* Make sure that the crontab is not an unreasonable size.
572            *
573            * XXX This is subject to a race condition--the user could
574            * add stuff to the file after we've checked the size but
575            * before we slurp it in and write it out. We can't just move
576            * the test to test the temp file we later create, because by
577            * that time we've already filled up the crontab disk. Probably
578            * the right thing to do is to do a bytecount in the copy loop
579            * rather than stating the file we're about to read.
580            */
581           (void)snprintf(n2, sizeof(n2), "%s/%s", CRONDIR, MAXTABSIZE_FILE);
582           if ((fmaxtabsize = fopen(n2, "r")) != NULL)  {
583                     if (fgets(n2, (int)sizeof(n2), fmaxtabsize) == NULL)  {
584                               maxtabsize = 0;
585                     } else {
586                               maxtabsize = (size_t)atoi(n2);
587                     }
588                     (void)fclose(fmaxtabsize);
589           } else {
590                     maxtabsize = MAXTABSIZE_DEFAULT;
591           }
592           return maxtabsize;
593 }
594 
595 static int
checkmaxtabsize(FILE * fp,size_t maxtabsize)596 checkmaxtabsize(FILE *fp, size_t maxtabsize)
597 {
598           struct    stat statbuf;
599 
600           if (fstat(fileno(fp), &statbuf))  {
601                     warn("error stat'ing crontab input");
602                     return 0;
603           }
604           if ((uintmax_t)statbuf.st_size > (uintmax_t)maxtabsize)  {
605                     warnx("%ju bytes is larger than the maximum size of %ju bytes",
606                         (uintmax_t)statbuf.st_size, (uintmax_t)maxtabsize);
607                     return 0;
608           }
609           return 1;
610 }
611 
612 static void
cleanTempFile(void)613 cleanTempFile(void)
614 {
615 
616           if (TempFilename[0]) {
617                     (void) unlink(TempFilename);
618                     TempFilename[0] = '\0';
619           }
620 }
621 
622 static __dead void
bail(int signo)623 bail(int signo)
624 {
625 
626           cleanTempFile();
627           errx(ERROR_EXIT, "Exiting on signal %d", signo);
628 }
629 
630 /* returns          0         on success
631  *                  -1        on syntax error
632  *                  -2        on install error
633  */
634 static int
replace_cmd(void)635 replace_cmd(void) {
636           char n[MAX_FNAME], envstr[MAX_ENVSTR];
637           int lastch;
638           FILE *tmp = NULL;
639           int ch, eof, fd;
640           int error = 0;
641           entry *e;
642           sig_t oint, oabrt, oquit, ohup;
643           uid_t file_owner;
644           time_t now = time(NULL);
645           char **envp = env_init();
646           size_t i, maxtabsize;
647 
648           if (envp == NULL) {
649                     warn("Cannot allocate memory.");
650                     return (-2);
651           }
652 
653           if (!glue_strings(TempFilename, sizeof TempFilename, SPOOL_DIR,
654               "tmp.XXXXXXXXXX", '/')) {
655                     TempFilename[0] = '\0';
656                     warnx("path too long");
657                     return (-2);
658           }
659 
660           /* Interruptible while doing I/O */
661           ohup = signal(SIGHUP, bail);
662           oint = signal(SIGINT, bail);
663           oquit = signal(SIGQUIT, bail);
664           oabrt = signal(SIGABRT, bail);
665 
666           if ((fd = mkstemp(TempFilename)) == -1 || !(tmp = fdopen(fd, "w+"))) {
667                     warn("cannot create `%s'", TempFilename);
668                     if (fd != -1)
669                               (void)close(fd);
670                     error = -2;
671                     goto done;
672           }
673 
674           maxtabsize = getmaxtabsize();
675 
676           /* This does not work for stdin, so we'll also check later */
677           if (!checkmaxtabsize(NewCrontab, maxtabsize)) {
678                     error = -2;
679                     goto done;
680           }
681 
682           /* write a signature at the top of the file.
683            *
684            * VERY IMPORTANT: make sure NHEADER_LINES agrees with this code.
685            */
686           (void)fprintf(tmp,
687               "# DO NOT EDIT THIS FILE - edit the master and reinstall.\n");
688           (void)fprintf(tmp,
689               "# (%s installed on %-24.24s)\n", Filename, ctime(&now));
690           (void)fprintf(tmp,
691               "# (Cron version %s -- %s)\n", CRON_VERSION,
692               "$NetBSD: crontab.c,v 1.15 2018/03/06 21:21:27 htodd Exp $");
693 
694           /* copy the crontab to the tmp
695            */
696           (void)rewind(NewCrontab);
697           Set_LineNum(1);
698           lastch = EOF;
699           for (i = 0; i < maxtabsize && EOF != (ch = get_char(NewCrontab)); i++)
700                     (void)putc(lastch = (char)ch, tmp);
701 
702           /* Non-Interruptible while installing */
703           (void)signal(SIGHUP, SIG_IGN);
704           (void)signal(SIGINT, SIG_IGN);
705           (void)signal(SIGQUIT, SIG_IGN);
706           (void)signal(SIGABRT, SIG_IGN);
707 
708           if (i == maxtabsize) {
709                     warnx("is larger than the maximum size of %ju bytes",
710                         (uintmax_t)maxtabsize);
711                     error = -2;
712                     goto done;
713           }
714 
715           if (lastch != EOF && lastch != '\n') {
716                     warnx("missing trailing newline in `%s'", Filename);
717                     error = -1;
718                     goto done;
719           }
720 
721           if (ferror(NewCrontab)) {
722                     warn("error while reading `%s'", Filename);
723                     error = -2;
724                     goto done;
725           }
726 
727           (void)ftruncate(fileno(tmp), ftell(tmp));
728           /* XXX this should be a NOOP - is */
729           (void)fflush(tmp);
730 
731           if (ferror(tmp)) {
732                     warn("error while writing new crontab to `%s'", TempFilename);
733                     error = -2;
734                     goto done;
735           }
736 
737           /* check the syntax of the file being installed.
738            */
739 
740           /* BUG: was reporting errors after the EOF if there were any errors
741            * in the file proper -- kludged it by stopping after first error.
742            *                  vix 31mar87
743            */
744           Set_LineNum(1 - NHEADER_LINES);
745           CheckErrorCount = 0;  eof = FALSE;
746           rewind(tmp);
747           while (!CheckErrorCount && !eof) {
748                     switch (load_env(envstr, tmp)) {
749                     case ERR:
750                               /* check for data before the EOF */
751                               if (envstr[0] != '\0') {
752                                         Set_LineNum(LineNumber + 1);
753                                         check_error("premature EOF");
754                               }
755                               eof = TRUE;
756                               break;
757                     case FALSE:
758                               e = load_entry(tmp, check_error, pw, envp);
759                               if (e)
760                                         free(e);
761                               break;
762                     case TRUE:
763                               break;
764                     }
765           }
766 
767           if (CheckErrorCount != 0) {
768                     warnx("errors in crontab file, can't install.");
769                     error = -1;
770                     goto done;
771           }
772 
773           file_owner = (getgid() == getegid()) ? ROOT_UID : pw->pw_uid;
774 
775 #ifdef HAVE_FCHOWN
776           error = fchown(fileno(tmp), file_owner, (uid_t)-1);
777 #else
778           error = chown(TempFilename, file_owner, (gid_t)-1);
779 #endif
780 
781           if (fclose(tmp) == EOF) {
782                     warn("error closing file");
783                     error = -2;
784                     tmp = NULL;
785                     goto done;
786           }
787           tmp = NULL;
788 
789           if (error < OK) {
790                     warn("cannot chown `%s'", TempFilename);
791                     error = -2;
792                     goto done;
793           }
794 
795           if (!glue_strings(n, sizeof n, SPOOL_DIR, User, '/')) {
796                     warnx("path too long");
797                     error = -2;
798                     goto done;
799           }
800           if (rename(TempFilename, n)) {
801                     warn("error renaming `%s' to `%s'", TempFilename, n);
802                     error = -2;
803                     goto done;
804           }
805           TempFilename[0] = '\0';
806           log_it(RealUser, Pid, "REPLACE", User);
807 
808           poke_daemon();
809 
810 done:
811           (void)signal(SIGHUP, ohup);
812           (void)signal(SIGINT, oint);
813           (void)signal(SIGQUIT, oquit);
814           (void)signal(SIGABRT, oabrt);
815           if (tmp != NULL)
816                     (void)fclose(tmp);
817           cleanTempFile();
818           return (error);
819 }
820 
821 static void
poke_daemon(void)822 poke_daemon(void) {
823           struct timespec ts[2];
824           (void) clock_gettime(CLOCK_REALTIME, ts);
825           ts[1] = ts[0];
826           if (change_time(SPOOL_DIR, ts) == -1)
827                     warn("can't update times on spooldir %s", SPOOL_DIR);
828 }
829 
830 /* int allowed(const char *username, const char *allow_file, const char *deny_file)
831  *        returns TRUE if (allow_file exists and user is listed)
832  *        or (deny_file exists and user is NOT listed).
833  *        root is always allowed.
834  */
835 static int
allowed(const char * username,const char * allow_file,const char * deny_file)836 allowed(const char *username, const char *allow_file, const char *deny_file) {
837           FILE      *fp;
838           int       isallowed;
839 
840           if (strcmp(username, ROOT_USER) == 0)
841                     return (TRUE);
842 #ifdef ALLOW_ONLY_ROOT
843           isallowed = FALSE;
844 #else
845           isallowed = TRUE;
846 #endif
847           if ((fp = fopen(allow_file, "r")) != NULL) {
848                     isallowed = in_file(username, fp, FALSE);
849                     (void)fclose(fp);
850           } else if ((fp = fopen(deny_file, "r")) != NULL) {
851                     isallowed = !in_file(username, fp, FALSE);
852                     (void)fclose(fp);
853           }
854           return (isallowed);
855 }
856 /* int in_file(const char *string, FILE *file, int error)
857  *        return TRUE if one of the lines in file matches string exactly,
858  *        FALSE if no lines match, and error on error.
859  */
860 static int
in_file(const char * string,FILE * file,int error)861 in_file(const char *string, FILE *file, int error)
862 {
863           char line[MAX_TEMPSTR];
864           char *endp;
865 
866           if (fseek(file, 0L, SEEK_SET))
867                     return (error);
868           while (fgets(line, MAX_TEMPSTR, file)) {
869                     if (line[0] != '\0') {
870                               endp = &line[strlen(line) - 1];
871                               if (*endp != '\n')
872                                         return (error);
873                               *endp = '\0';
874                               if (0 == strcmp(line, string))
875                                         return (TRUE);
876                     }
877           }
878           if (ferror(file))
879                     return (error);
880           return (FALSE);
881 }
882 
883 #ifdef HAVE_SAVED_UIDS
884 
relinquish_priv(void)885 static int relinquish_priv(void) {
886           return (setegid(rgid) || seteuid(ruid)) ? -1 : 0;
887 }
888 
regain_priv(void)889 static int regain_priv(void) {
890           return (setegid(egid) || seteuid(euid)) ? -1 : 0;
891 }
892 
893 #else /*HAVE_SAVED_UIDS*/
894 
relinquish_priv(void)895 static int relinquish_priv(void) {
896           return (setregid(egid, rgid) || setreuid(euid, ruid)) ? -1 : 0;
897 }
898 
regain_priv(void)899 static int regain_priv(void) {
900           return (setregid(rgid, egid) || setreuid(ruid, euid)) ? -1 : 0;
901 }
902 #endif /*HAVE_SAVED_UIDS*/
903