diff options
author | tjr <tjr@FreeBSD.org> | 2002-08-04 04:32:27 +0000 |
---|---|---|
committer | tjr <tjr@FreeBSD.org> | 2002-08-04 04:32:27 +0000 |
commit | 9cfc3cad4400c32e12ed50a0b389074811d51629 (patch) | |
tree | 5b311dc7662dad9203a32b0350c10313f8605401 /usr.sbin/cron | |
parent | c41f494e5b3e27a5991c0311ac9db9163ce9967a (diff) | |
download | FreeBSD-src-9cfc3cad4400c32e12ed50a0b389074811d51629.zip FreeBSD-src-9cfc3cad4400c32e12ed50a0b389074811d51629.tar.gz |
Never allow a user to use crontab if opening /var/cron/{allow,deny} fails
for any reason other than ENOENT (think resource limits). Close allow and
deny files before allowed() returns to stop the user's EDITOR being able to
read them.
Obtained from: OpenBSD (partially)
Diffstat (limited to 'usr.sbin/cron')
-rw-r--r-- | usr.sbin/cron/lib/misc.c | 39 |
1 files changed, 23 insertions, 16 deletions
diff --git a/usr.sbin/cron/lib/misc.c b/usr.sbin/cron/lib/misc.c index 195ff9c..89f15e4 100644 --- a/usr.sbin/cron/lib/misc.c +++ b/usr.sbin/cron/lib/misc.c @@ -410,31 +410,38 @@ int allowed(username) char *username; { - static int init = FALSE; - static FILE *allow, *deny; + FILE *allow, *deny; + int isallowed; + + isallowed = FALSE; - if (!init) { - init = TRUE; #if defined(ALLOW_FILE) && defined(DENY_FILE) - allow = fopen(ALLOW_FILE, "r"); - deny = fopen(DENY_FILE, "r"); - Debug(DMISC, ("allow/deny enabled, %d/%d\n", !!allow, !!deny)) + if ((allow = fopen(ALLOW_FILE, "r")) == NULL && errno != ENOENT) + goto out; + if ((deny = fopen(DENY_FILE, "r")) == NULL && errno != ENOENT) + goto out; + Debug(DMISC, ("allow/deny enabled, %d/%d\n", !!allow, !!deny)) #else - allow = NULL; - deny = NULL; + allow = NULL; + deny = NULL; #endif - } if (allow) - return (in_file(username, allow)); - if (deny) - return (!in_file(username, deny)); - + isallowed = in_file(username, allow); + else if (deny) + isallowed = !in_file(username, deny); + else { #if defined(ALLOW_ONLY_ROOT) - return (strcmp(username, ROOT_USER) == 0); + isallowed = (strcmp(username, ROOT_USER) == 0); #else - return TRUE; + isallowed = TRUE; #endif + } +out: if (allow) + fclose(allow); + if (deny) + fclose(deny); + return (isallowed); } |