/*	$OpenBSD: database.c,v 1.38 2019/06/28 13:32:47 deraadt Exp $	*/

/* Copyright 1988,1990,1993,1994 by Paul Vixie
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1997,2000 by Internet Software Consortium, Inc.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>

#include <bitstring.h>		/* for structs.h */
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <time.h>		/* for structs.h */
#include <unistd.h>

#include "pathnames.h"
#include "globals.h"
#include "macros.h"
#include "structs.h"
#include "funcs.h"

#define HASH(a,b) ((a)+(b))

static	void		process_crontab(int, const char *, const char *,
					struct stat *, cron_db *, cron_db *);

void
load_database(cron_db **db)
{
	struct stat statbuf, syscron_stat;
	cron_db *new_db, *old_db = *db;
	struct timespec mtime;
	struct dirent *dp;
	DIR *dir;
	user *u;

	/* before we start loading any data, do a stat on _PATH_CRON_SPOOL
	 * so that if anything changes as of this moment (i.e., before we've
	 * cached any of the database), we'll see the changes next time.
	 */
	if (stat(_PATH_CRON_SPOOL, &statbuf) == -1) {
		syslog(LOG_ERR, "(CRON) STAT FAILED (%s)", _PATH_CRON_SPOOL);
		return;
	}

	/* track system crontab file
	 */
	if (stat(_PATH_SYS_CRONTAB, &syscron_stat) == -1)
		timespecclear(&syscron_stat.st_mtim);

	/* hash mtime of system crontab file and crontab dir
	 */
	mtime.tv_sec =
	    HASH(statbuf.st_mtim.tv_sec, syscron_stat.st_mtim.tv_sec);
	mtime.tv_nsec =
	    HASH(statbuf.st_mtim.tv_nsec, syscron_stat.st_mtim.tv_nsec);

	/* if spooldir's mtime has not changed, we don't need to fiddle with
	 * the database.
	 */
	if (old_db != NULL && timespeccmp(&mtime, &old_db->mtime, ==))
		return;

	/* something's different.  make a new database, moving unchanged
	 * elements from the old database, reloading elements that have
	 * actually changed.  Whatever is left in the old database when
	 * we're done is chaff -- crontabs that disappeared.
	 */
	if ((new_db = malloc(sizeof(*new_db))) == NULL)
		return;
	new_db->mtime = mtime;
	TAILQ_INIT(&new_db->users);

	if (timespecisset(&syscron_stat.st_mtim)) {
		process_crontab(AT_FDCWD, "*system*", _PATH_SYS_CRONTAB,
				&syscron_stat, new_db, old_db);
	}

	/* we used to keep this dir open all the time, for the sake of
	 * efficiency.  however, we need to close it in every fork, and
	 * we fork a lot more often than the mtime of the dir changes.
	 */
	if (!(dir = opendir(_PATH_CRON_SPOOL))) {
		syslog(LOG_ERR, "(CRON) OPENDIR FAILED (%s)", _PATH_CRON_SPOOL);
		/* Restore system crontab entry as needed. */
		if (!TAILQ_EMPTY(&new_db->users) &&
		    (u = TAILQ_FIRST(&old_db->users))) {
			if (strcmp(u->name, "*system*") == 0) {
				TAILQ_REMOVE(&old_db->users, u, entries);
				free_user(u);
				TAILQ_INSERT_HEAD(&old_db->users,
				    TAILQ_FIRST(&new_db->users), entries);
			}
		}
		free(new_db);
		return;
	}

	while (NULL != (dp = readdir(dir))) {
		/* avoid file names beginning with ".".  this is good
		 * because we would otherwise waste two guaranteed calls
		 * to getpwnam() for . and .., and also because user names
		 * starting with a period are just too nasty to consider.
		 */
		if (dp->d_name[0] == '.')
			continue;

		process_crontab(dirfd(dir), dp->d_name, dp->d_name,
				&statbuf, new_db, old_db);
	}
	closedir(dir);

	/* if we don't do this, then when our children eventually call
	 * getpwnam() in do_command.c's child_process to verify MAILTO=,
	 * they will screw us up (and v-v).
	 */
	endpwent();

	/* whatever's left in the old database is now junk.
	 */
	if (old_db != NULL) {
		while ((u = TAILQ_FIRST(&old_db->users))) {
			TAILQ_REMOVE(&old_db->users, u, entries);
			free_user(u);
		}
		free(old_db);
	}

	/* overwrite the database control block with the new one.
	 */
	*db = new_db;
}

user *
find_user(cron_db *db, const char *name)
{
	user *u = NULL;

	if (db != NULL) {
		TAILQ_FOREACH(u, &db->users, entries) {
			if (strcmp(u->name, name) == 0)
				break;
		}
	}
	return (u);
}

static void
process_crontab(int dfd, const char *uname, const char *fname,
		struct stat *statbuf, cron_db *new_db, cron_db *old_db)
{
	struct passwd *pw = NULL;
	FILE *crontab_fp = NULL;
	user *u, *new_u;
	mode_t tabmask, tabperm;
	int fd;

	/* Note: pw must remain NULL for system crontab (see below). */
	if (fname[0] != '/' && (pw = getpwnam(uname)) == NULL) {
		/* file doesn't have a user in passwd file.
		 */
		syslog(LOG_WARNING, "(%s) ORPHAN (no passwd entry)", uname);
		goto next_crontab;
	}

	fd = openat(dfd, fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC);
	if (fd == -1) {
		/* crontab not accessible?
		 */
		syslog(LOG_ERR, "(%s) CAN'T OPEN (%s)", uname, fname);
		goto next_crontab;
	}
	if (!(crontab_fp = fdopen(fd, "r"))) {
		syslog(LOG_ERR, "(%s) FDOPEN (%m)", fname);
		close(fd);
		goto next_crontab;
	}

	if (fstat(fileno(crontab_fp), statbuf) == -1) {
		syslog(LOG_ERR, "(%s) FSTAT FAILED (%s)", uname, fname);
		goto next_crontab;
	}
	if (!S_ISREG(statbuf->st_mode)) {
		syslog(LOG_WARNING, "(%s) NOT REGULAR (%s)", uname, fname);
		goto next_crontab;
	}
	/* Looser permissions on system crontab. */
	tabmask = pw ? ALLPERMS : (ALLPERMS & ~(S_IWUSR|S_IRGRP|S_IROTH));
	tabperm = pw ? (S_IRUSR|S_IWUSR) : S_IRUSR;
	if ((statbuf->st_mode & tabmask) != tabperm) {
		syslog(LOG_WARNING, "(%s) BAD FILE MODE (%s)", uname, fname);
		goto next_crontab;
	}
	if (statbuf->st_uid != 0 && (pw == NULL ||
	    statbuf->st_uid != pw->pw_uid || strcmp(uname, pw->pw_name) != 0)) {
		syslog(LOG_WARNING, "(%s) WRONG FILE OWNER (%s)", uname, fname);
		goto next_crontab;
	}
	if (pw != NULL && statbuf->st_gid != cron_gid) {
		syslog(LOG_WARNING, "(%s) WRONG FILE GROUP (%s)", uname, fname);
		goto next_crontab;
	}
	if (pw != NULL && statbuf->st_nlink != 1) {
		syslog(LOG_WARNING, "(%s) BAD LINK COUNT (%s)", uname, fname);
		goto next_crontab;
	}

	u = find_user(old_db, fname);
	if (u != NULL) {
		/* if crontab has not changed since we last read it
		 * in, then we can just use our existing entry.
		 */
		if (timespeccmp(&u->mtime, &statbuf->st_mtim, ==)) {
			TAILQ_REMOVE(&old_db->users, u, entries);
			TAILQ_INSERT_TAIL(&new_db->users, u, entries);
			goto next_crontab;
		}
		syslog(LOG_INFO, "(%s) RELOAD (%s)", uname, fname);
	}

	new_u = load_user(crontab_fp, pw, fname);
	if (new_u != NULL) {
		/* Insert user into the new database and remove from old. */
		new_u->mtime = statbuf->st_mtim;
		TAILQ_INSERT_TAIL(&new_db->users, new_u, entries);
		if (u != NULL) {
			TAILQ_REMOVE(&old_db->users, u, entries);
			free_user(u);
		}
	} else if (u != NULL) {
		/* New user crontab failed to load, preserve the old one. */
		TAILQ_REMOVE(&old_db->users, u, entries);
		TAILQ_INSERT_TAIL(&new_db->users, u, entries);
	}

 next_crontab:
	if (crontab_fp != NULL) {
		fclose(crontab_fp);
	}
}