diff options
-rw-r--r-- | usr.sbin/cron/cron.8 | 17 | ||||
-rw-r--r-- | usr.sbin/cron/database.c | 13 |
2 files changed, 15 insertions, 15 deletions
diff --git a/usr.sbin/cron/cron.8 b/usr.sbin/cron/cron.8 index cf39eda89f5..2af248d47a4 100644 --- a/usr.sbin/cron/cron.8 +++ b/usr.sbin/cron/cron.8 @@ -17,7 +17,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $OpenBSD: cron.8,v 1.28 2007/02/18 23:59:03 jmc Exp $ +.\" $OpenBSD: cron.8,v 1.29 2007/03/28 16:49:25 millert Exp $ .\" .Dd July 6, 2002 .Dt CRON 8 @@ -212,14 +212,11 @@ to check for crontab changes immediately .Sh AUTHORS .An Paul Vixie Aq vixie@isc.org .Sh CAVEATS -All .Xr crontab 5 -files must not be readable or writable by any user other than their owner, -including -.Pa /etc/crontab . -In practice this means they should be mode 0600. -This restriction is enforced automatically by -.Xr crontab 1 -but if +files will be ignored if they do not have the proper file mode. +For user crontab files created by +.Xr crontab 1 , +the mode must be 0400 or 0600. +If the system crontab file is used, .Pa /etc/crontab -is used, the mode must be set manually on that file. +must not be writable by any user other than root. diff --git a/usr.sbin/cron/database.c b/usr.sbin/cron/database.c index c14132dfcf3..3a571adc0ec 100644 --- a/usr.sbin/cron/database.c +++ b/usr.sbin/cron/database.c @@ -1,4 +1,4 @@ -/* $OpenBSD: database.c,v 1.16 2004/06/22 03:15:33 avsm Exp $ */ +/* $OpenBSD: database.c,v 1.17 2007/03/28 16:49:25 millert Exp $ */ /* Copyright 1988,1990,1993,1994 by Paul Vixie * All rights reserved @@ -22,7 +22,7 @@ */ #if !defined(lint) && !defined(LINT) -static char const rcsid[] = "$OpenBSD: database.c,v 1.16 2004/06/22 03:15:33 avsm Exp $"; +static char const rcsid[] = "$OpenBSD: database.c,v 1.17 2007/03/28 16:49:25 millert Exp $"; #endif /* vix 26jan87 [RCS has the log] @@ -209,15 +209,18 @@ process_crontab(const char *uname, const char *fname, const char *tabname, goto next_crontab; } if ((statbuf->st_mode & 07577) != 0400) { - log_it(fname, getpid(), "BAD FILE MODE", tabname); - goto next_crontab; + /* Looser permissions on system crontab. */ + if (pw != NULL || (statbuf->st_mode & 022) != 0) { + log_it(fname, getpid(), "BAD FILE MODE", tabname); + goto next_crontab; + } } if (statbuf->st_uid != ROOT_UID && (pw == NULL || statbuf->st_uid != pw->pw_uid || strcmp(uname, pw->pw_name) != 0)) { log_it(fname, getpid(), "WRONG FILE OWNER", tabname); goto next_crontab; } - if (statbuf->st_nlink != 1) { + if (pw != NULL && statbuf->st_nlink != 1) { log_it(fname, getpid(), "BAD LINK COUNT", tabname); goto next_crontab; } |