1 /* Copyright 1988,1990,1993,1994 by Paul Vixie
4 * Distribute freely, except: don't remove my name from the source or
5 * documentation (don't take credit for my work), mark your changes (don't
6 * get me blamed for your possible bugs), don't alter or remove this
7 * notice. May be sold if buildable source is provided to buyer. No
8 * warrantee of any kind, express or implied, is included with this
9 * software; use at your own risk, responsibility for damages (if any) to
10 * anyone resulting from the use of this software rests entirely with the
13 * Send bug reports, bug fixes, enhancements, requests, flames, etc., and
14 * I'll try to keep a version up to date. I can be reached as follows:
15 * Paul Vixie <paul@vix.com> uunet!decwrl!vixie!paul
18 #if !defined(lint) && !defined(LINT)
19 static const char rcsid[] =
25 #include <sys/signal.h>
27 # include <sys/universe.h>
32 #if defined(LOGIN_CAP)
33 # include <login_cap.h>
36 # include <security/pam_appl.h>
37 # include <security/openpam.h>
41 static void child_process(entry *, user *),
52 Debug(DPROC, ("[%d] do_command(%s, (%s,%d,%d))\n",
53 getpid(), e->cmd, u->name, e->uid, e->gid))
55 /* fork to become asynchronous -- parent process is done immediately,
56 * and continues to run the normal cron code, which means return to
57 * tick(). the child and grandchild don't leave this function, alive.
59 * vfork() is unsuitable, since we have much to do, and the parent
60 * needs to be able to run off and fork other processes.
62 switch ((pid = fork())) {
64 log_it("CRON",getpid(),"error","can't fork");
65 if (e->flags & INTERVAL)
66 e->lastexit = time(NULL);
72 Debug(DPROC, ("[%d] child process done, exiting\n", getpid()))
77 Debug(DPROC, ("[%d] main process forked child #%d, "
78 "returning to work\n", getpid(), pid))
79 if (e->flags & INTERVAL) {
85 Debug(DPROC, ("[%d] main process returning to work\n", getpid()))
94 int stdin_pipe[2], stdout_pipe[2];
95 register char *input_data;
96 char *usernm, *mailto;
98 # if defined(LOGIN_CAP)
103 Debug(DPROC, ("[%d] child_process('%s')\n", getpid(), e->cmd))
105 /* mark ourselves as different to PS command watchers by upshifting
106 * our program name. This has no effect on some kernels.
108 setproctitle("running job");
110 /* discover some useful and important environment settings
112 usernm = env_get("LOGNAME", e->envp);
113 mailto = env_get("MAILTO", e->envp);
116 /* use PAM to see if the user's account is available,
117 * i.e., not locked or expired or whatever. skip this
118 * for system tasks from /etc/crontab -- they can run
121 if (strcmp(u->name, SYS_NAME)) { /* not equal */
122 pam_handle_t *pamh = NULL;
124 struct pam_conv pamc = {
125 .conv = openpam_nullconv,
129 Debug(DPROC, ("[%d] checking account with PAM\n", getpid()))
131 /* u->name keeps crontab owner name while LOGNAME is the name
132 * of user to run command on behalf of. they should be the
133 * same for a task from a per-user crontab.
135 if (strcmp(u->name, usernm)) {
136 log_it(usernm, getpid(), "username ambiguity", u->name);
140 pam_err = pam_start("cron", usernm, &pamc, &pamh);
141 if (pam_err != PAM_SUCCESS) {
142 log_it("CRON", getpid(), "error", "can't start PAM");
146 pam_err = pam_acct_mgmt(pamh, PAM_SILENT);
147 /* Expired password shouldn't prevent the job from running. */
148 if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD) {
149 log_it(usernm, getpid(), "USER", "account unavailable");
153 pam_end(pamh, pam_err);
158 /* our parent is watching for our death by catching SIGCHLD. we
159 * do not care to watch for our children's deaths this way -- we
160 * use wait() explicitly. so we have to disable the signal (which
161 * was inherited from the parent).
163 (void) signal(SIGCHLD, SIG_DFL);
165 /* on system-V systems, we are ignoring SIGCLD. we have to stop
166 * ignoring it now or the wait() in cron_pclose() won't work.
167 * because of this, we have to wait() for our children here, as well.
169 (void) signal(SIGCLD, SIG_DFL);
172 /* create some pipes to talk to our future child
174 if (pipe(stdin_pipe) != 0 || pipe(stdout_pipe) != 0) {
175 log_it("CRON", getpid(), "error", "can't pipe");
179 /* since we are a forked process, we can diddle the command string
180 * we were passed -- nobody else is going to use it again, right?
182 * if a % is present in the command, previous characters are the
183 * command, and subsequent characters are the additional input to
184 * the command. Subsequent %'s will be transformed into newlines,
185 * but that happens later.
187 * If there are escaped %'s, remove the escape character.
190 register int escaped = FALSE;
194 for (input_data = p = e->cmd; (ch = *input_data);
199 if (ch == '%' || ch == '\\')
209 *input_data++ = '\0';
216 /* fork again, this time so we can exec the user's command.
220 log_it("CRON",getpid(),"error","can't vfork");
224 Debug(DPROC, ("[%d] grandchild process Vfork()'ed\n",
227 if (e->uid == ROOT_UID)
231 sleep(random() % Jitter);
234 /* write a log message. we've waited this long to do it
235 * because it was not until now that we knew the PID that
236 * the actual user command shell was going to get and the
237 * PID is part of the log message.
240 char *x = mkprints((u_char *)e->cmd, strlen(e->cmd));
242 log_it(usernm, getpid(), "CMD", x);
246 /* that's the last thing we'll log. close the log files.
252 /* get new pgrp, void tty, etc.
256 /* close the pipe ends that we won't use. this doesn't affect
257 * the parent, who has to read and write them; it keeps the
258 * kernel from recording us as a potential client TWICE --
259 * which would keep it from sending SIGPIPE in otherwise
260 * appropriate circumstances.
262 close(stdin_pipe[WRITE_PIPE]);
263 close(stdout_pipe[READ_PIPE]);
265 /* grandchild process. make std{in,out} be the ends of
266 * pipes opened by our daddy; make stderr go to stdout.
268 close(STDIN); dup2(stdin_pipe[READ_PIPE], STDIN);
269 close(STDOUT); dup2(stdout_pipe[WRITE_PIPE], STDOUT);
270 close(STDERR); dup2(STDOUT, STDERR);
272 /* close the pipes we just dup'ed. The resources will remain.
274 close(stdin_pipe[READ_PIPE]);
275 close(stdout_pipe[WRITE_PIPE]);
277 /* set our login universe. Do this in the grandchild
278 * so that the child can invoke /usr/lib/sendmail
283 # if defined(LOGIN_CAP)
284 /* Set user's entire context, but skip the environment
285 * as cron provides a separate interface for this
287 if ((pwd = getpwnam(usernm)) == NULL)
288 pwd = getpwuid(e->uid);
291 pwd->pw_gid = e->gid;
292 if (e->class != NULL)
293 lc = login_getclass(e->class);
296 setusercontext(lc, pwd, e->uid,
297 LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETENV)) == 0)
300 /* fall back to the old method */
303 /* set our directory, uid and gid. Set gid first,
304 * since once we set uid, we've lost root privileges.
306 if (setgid(e->gid) != 0) {
307 log_it(usernm, getpid(),
308 "error", "setgid failed");
312 if (initgroups(usernm, e->gid) != 0) {
313 log_it(usernm, getpid(),
314 "error", "initgroups failed");
318 if (setlogin(usernm) != 0) {
319 log_it(usernm, getpid(),
320 "error", "setlogin failed");
323 if (setuid(e->uid) != 0) {
324 log_it(usernm, getpid(),
325 "error", "setuid failed");
328 /* we aren't root after this..*/
329 #if defined(LOGIN_CAP)
334 chdir(env_get("HOME", e->envp));
339 char *shell = env_get("SHELL", e->envp);
342 if (DebugFlags & DTEST) {
344 "debug DTEST is on, not exec'ing command.\n");
346 "\tcmd='%s' shell='%s'\n", e->cmd, shell);
349 # endif /*DEBUGGING*/
350 execle(shell, shell, "-c", e->cmd, (char *)NULL,
352 warn("execle: couldn't exec `%s'", shell);
363 /* middle process, child of original cron, parent of process running
364 * the user's command.
367 Debug(DPROC, ("[%d] child continues, closing pipes\n", getpid()))
369 /* close the ends of the pipe that will only be referenced in the
370 * grandchild process...
372 close(stdin_pipe[READ_PIPE]);
373 close(stdout_pipe[WRITE_PIPE]);
376 * write, to the pipe connected to child's stdin, any input specified
377 * after a % in the crontab entry. while we copy, convert any
378 * additional %'s to newlines. when done, if some characters were
379 * written and the last one wasn't a newline, write a newline.
381 * Note that if the input data won't fit into one pipe buffer (2K
382 * or 4K on most BSD systems), and the child doesn't read its stdin,
383 * we would block here. thus we must fork again.
386 if (*input_data && fork() == 0) {
387 register FILE *out = fdopen(stdin_pipe[WRITE_PIPE], "w");
388 register int need_newline = FALSE;
389 register int escaped = FALSE;
393 warn("fdopen failed in child2");
397 Debug(DPROC, ("[%d] child2 sending data to grandchild\n", getpid()))
399 /* close the pipe we don't use, since we inherited it and
400 * are part of its reference count now.
402 close(stdout_pipe[READ_PIPE]);
407 * \x -> \x for all x != %
409 while ((ch = *input_data++)) {
418 if (!(escaped = (ch == '\\'))) {
420 need_newline = (ch != '\n');
428 /* close the pipe, causing an EOF condition. fclose causes
429 * stdin_pipe[WRITE_PIPE] to be closed, too.
433 Debug(DPROC, ("[%d] child2 done sending to grandchild\n", getpid()))
437 /* close the pipe to the grandkiddie's stdin, since its wicked uncle
438 * ernie back there has it open and will close it when he's done.
440 close(stdin_pipe[WRITE_PIPE]);
445 * read output from the grandchild. it's stderr has been redirected to
446 * it's stdout, which has been redirected to our pipe. if there is any
447 * output, we'll be mailing it to the user whose crontab this is...
448 * when the grandchild exits, we'll get EOF.
451 Debug(DPROC, ("[%d] child reading output from grandchild\n", getpid()))
454 register FILE *in = fdopen(stdout_pipe[READ_PIPE], "r");
458 warn("fdopen failed in child");
465 register int bytes = 1;
469 ("[%d] got data (%x:%c) from grandchild\n",
472 /* get name of recipient. this is MAILTO if set to a
473 * valid local username; USER otherwise.
475 if (mailto == NULL) {
476 /* MAILTO not present, set to USER,
477 * unless globally overriden.
484 if (mailto && *mailto == '\0')
487 /* if we are supposed to be mailing, MAILTO will
488 * be non-NULL. only in this case should we set
489 * up the mail command and subjects and stuff...
494 auto char mailcmd[MAX_COMMAND];
495 auto char hostname[MAXHOSTNAMELEN];
497 if (gethostname(hostname, MAXHOSTNAMELEN) == -1)
499 hostname[sizeof(hostname) - 1] = '\0';
500 (void) snprintf(mailcmd, sizeof(mailcmd),
502 if (!(mail = cron_popen(mailcmd, "w", e))) {
504 (void) _exit(ERROR_EXIT);
506 fprintf(mail, "From: Cron Daemon <%s@%s>\n",
508 fprintf(mail, "To: %s\n", mailto);
509 fprintf(mail, "Subject: Cron <%s@%s> %s\n",
510 usernm, first_word(hostname, "."),
512 # if defined(MAIL_DATE)
513 fprintf(mail, "Date: %s\n",
514 arpadate(&TargetTime));
515 # endif /* MAIL_DATE */
516 for (env = e->envp; *env; env++)
517 fprintf(mail, "X-Cron-Env: <%s>\n",
521 /* this was the first char from the pipe
526 /* we have to read the input pipe no matter whether
527 * we mail or not, but obviously we only write to
528 * mail pipe if we ARE mailing.
531 while (EOF != (ch = getc(in))) {
537 /* only close pipe if we opened it -- i.e., we're
542 Debug(DPROC, ("[%d] closing pipe to mail\n",
544 /* Note: the pclose will probably see
545 * the termination of the grandchild
546 * in addition to the mail process, since
547 * it (the grandchild) is likely to exit
548 * after closing its stdout.
550 status = cron_pclose(mail);
553 /* if there was output and we could not mail it,
554 * log the facts so the poor user can figure out
557 if (mailto && status) {
558 char buf[MAX_TEMPSTR];
560 snprintf(buf, sizeof(buf),
561 "mailed %d byte%s of output but got status 0x%04x\n",
562 bytes, (bytes==1)?"":"s",
564 log_it(usernm, getpid(), "MAIL", buf);
567 } /*if data from grandchild*/
569 Debug(DPROC, ("[%d] got EOF from grandchild\n", getpid()))
571 fclose(in); /* also closes stdout_pipe[READ_PIPE] */
574 /* wait for children to die.
576 for (; children > 0; children--)
581 Debug(DPROC, ("[%d] waiting for grandchild #%d to finish\n",
585 Debug(DPROC, ("[%d] no more grandchildren--mail written?\n",
589 Debug(DPROC, ("[%d] grandchild #%d finished, status=%04x",
590 getpid(), pid, WEXITSTATUS(waiter)))
591 if (WIFSIGNALED(waiter) && WCOREDUMP(waiter))
592 Debug(DPROC, (", dumped core"))
603 /* Dynix (Sequent) hack to put the user associated with
604 * the passed user structure into the ATT universe if
605 * necessary. We have to dig the gecos info out of
606 * the user's password entry to see if the magic
607 * "universe(att)" string is present.
614 p = getpwuid(u->uid);
622 for (i = 0; i < 4; i++)
624 if ((s = strchr(s, ',')) == NULL)
628 if (strcmp(s, "universe(att)"))
631 (void) universe(U_ATT);