MFC r357714-r357715: cron(8): rip out some legacy bits

r357714: cron(8): convert vfork() usage to fork()

vfork() is error-prone, and the usage here definitely grew to not be
clearly OK given vfork-semantics; e.g. setusercontext(3) within the child.

Rip out vfork() and the rest of the references to it. fork is heavier, but
it's unclear that the difference will be all that obvious.

Reported by: Andrew Gierth and sigsys@gmail.com

r357715: cron(8): rip out do_univ

This was an old Dynix hack, the function is a NOP on FreeBSD. We have no
need to retain this; Dynix was discontinued long ago.

MFC r356103: cron(8): use proper variable to determine mailer process status

While the mailer is normally opened/set if the mailto is set, this is not
the case if the grandchild actually didn't produce any output. This change
corrects the situation to only attempt to kill/close the mail process if it
was actually opened in the first place.

The reporter initially stumbled on the -n (suppress mail on success) flag
leading to a SIGKILL of the process group, but simultaneously
discovered/reported the behavior with !-n jobs if MAILTO was set and no
output happened.

All of these places that are checking mailto should actually be checking
whether mail is set, so do that for consistency+correctness.

This set of bugs were introduced by r352668.

MFC r352668: cron: log suppression and mail suppression for successful runs

This commit adds two new extensions to crontab, ported from OpenBSD:
- -n: suppress mail on succesful run
- -q: suppress logging of command execution

The -q option appears decades old, but -n is relatively new. The
original proposal by Job Snijder can be found here [1], and gives very
convincing reasons for inclusion in base.

This patch is a nearly identical port of OpenBSD cron for -q and -n
features. It is written to follow existing conventions and style of the
existing codebase.

Example usage:

# should only send email, but won't show up in log
* * * * * -q date

# should not send email
* * * * * -n date

# should not send email or log
* * * * * -n -q date

# should send email because of ping failure
* * * * * -n -q ping -c 1 5.5.5.5

[1]: https://marc.info/?l=openbsd-tech&m=152874866117948&w=2

PR: 237538
Relnotes: yes

MFC r346252: cron(8): Add MAILFROM ability for crontabs

This changes the sender mail address in a similar fashion to how MAILTO may
change the recipient. The default from address remains unchanged.

PR: 140304

MFC r334817, r334910

r334817:
Add new functionality and syntax to cron(1) to allow to run jobs at a
given interval, which is counted in seconds since exit of the previous
invocation of the job. Example user crontab entry:

@25 sleep 10

The example will launch 'sleep 10' every 35 seconds. This is a rather
useless example above, but clearly explains the functionality.

The practical goal here is to avoid overlap of previous job invocation
to a new one, or to avoid too short interval(s) for jobs that last long
and doesn't have any point of immediate launch soon after previous run.

Another useful effect of interval jobs can be noticed when a cluster of
machines periodically communicates with a single node. Running the task
time based creates too much load on the node. Running interval based
spreads invocations across machines in cluster. Note that -j/-J won't
help in this case.

r334910:
Remove old, dead compat code.

We no longer need to od these things conditionally, and the fallbacks
are to 4.2BSD era defaults, which nobody uses anymore. Vixie cron has
diverged from upstream anyway in our tree, and it's not clear there's
actually a viable upstream anymore. Plus, we don't follow the
vendor-supplied code pattern here.

I'm doing this to reduce false positives from grep.

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

cron: use (char *)NULL instead of (char *)0 in execle.

Obtained from: OpenBSD (CVS Rev 1.25)

Undo change from r292607 that was not meant to be there

Pointyhat: me

cron: Check the return value of pipe(2)

Fix inspired by: OpenBSD (rev 1.56)
CID: 1009830

Check gethostname(2) return code - but even if it succeeds it may not
null terminate.

Temporarily use "From: $user@$hostname" rather than "From: $user".
The latter exposes incompatible behavior if using dma(8). sendmail(8)
(and other alternatives) canonify either form on submission (even
if masquerading), but dma will leak a non-compliant address to
the internet.

Spelling fixes for usr.sbin/

Fix empty mailto (-m "") handling: somehow I missed all checks but the first,
hence output would be written to the wrong filehandle.

Submitted by: reg
Approved by: yar (implicit)
MFC after: ASAP
Pointy hat to: marck

Add -m option to cron(8), overriding default mail recipient for cron mails,
unless explicitly provided by MAILTO= line in crontab. This feature can be
useful in massive hosting environment, where most users do not care about
autogenerated mails.

Setting recipient to null string disables default mails at all.

Approved by: yar
MFC after: 4 weeks

Cleanup of userland __P use

Add PAM support to cron(8). Now cron(8) will skip commands scheduled
by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.

In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.

The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs. E.g., imagine that you
provide a system with payed access, or better a cluster of such
systems with centralized account management via PAM. When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made. Then it'll be
enough to set the expire field in future for the commands to run
again. And so on.

Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.

X-Security: should benefit as users have access to cron(8) by default

o Finally learn how to spell "privileges".

English trainer: ceri

o Spell "privledges" correctly. Re-style comment.

o Better be safe than sorry: check return code from setuid(2),
setgid(2), setlogin(2) and initgroups(3). In theory they could
fail for root with some third party mac(4) policies.

Submitted by: Kostik Belousov
MFC after: 1 month

Use pidfile(3) in cron(8).

Note, that when cron(8) cannot create pidfile, it'll exit. I didn't
changed this behaviour, but its better to ignore errors other than
EEXIST, so daemon can be started on systems where /var/ file system
doesn't support locking (like NFS without rpc.lockd(8)).

Add two new options to cron(8), -J and -j. They allow to specify
the maximum amount of time jitter for root and other users, respectively.
Before starting a job, cron(8) will sleep a random number of seconds,
from 0 to the amount specified. This can help to smooth down load spikes
when a lot of jobs are to start at the beginning of a particular minute
(e.g., the first minute of an hour.)

PR: bin/66474
Submitted by: Dmitry Morozovsky <marck <@> rinet.ru>

Fix a coredump that would occur when fdopen was unable to
return a valid fd.

PR: 49096
Submitted by: demon
MFC after: 3 days

Stop cron from shouting in the syslog. Use setproctitle() instead, since
smashing argv[0] doesn't have the intended effect of changing the ps(1)
output these days.

PR: 25850

Call login_close() to prevent parent from memory leaking in some
cases due to vfork()

Prevent user from breaking his limits and restrictions or
abusing sendmail by any other way via MAILTO tag (since sendmail is running
from daemon). Now run sendmail from user, as any other cron user command.

Obtained from: Inspired by OpenBSD, but implementation is different

Enable SIGCHLD to stop childs complaining to SIG_IGN of it.
It helps perl f.e.

Obtained from: OpenBSD do_command.c v1.7

Catch and report fdopen failures.

$Id$ -> $FreeBSD$

Log run-time parsing errors now

Use getpwnam before getpwuid since two users with same uids can exists
(affects new login classes code only)

The same fixes as in inetd: by default run `system crontab things' with
daemon login class now, not restrict them to user class breaking
compatibility with old way (so-called nobody limits problem)

Implement user[:group][/login-class] syntax in system crontab
for more flexible control (the same as in inetd)

Use err(3). Rewrote man page in mdoc format.

Tone down the paranoia a bit in from the previous commit. setusercontext()
automatically Does The Right Thing when lc == NULL, which just happens to
be what the extra code in cron was trying to do. Simplify.

For some reason, the old login class code didn't seem to be working here.
I suspect it was because the child exec code's parent was doing the
initial lookups, then forking, then doing other things (possibly trashing
the static data in the getpw*() buffer), then attempting to dereference
*pwd and *lc. Also, no error checking appeared to be done - I've allowed
it to fall back to the old "become user" code on critical failure rather than
risk running a user's cron jobs as root.

Revert $FreeBSD$ to $Id$

Make cron login class savvy.
Use setusercontext() rather than setuid()/setgid()/setlogin()/initgroups()
which is all handled. Login environment is NOT set by this call as crontab
provides its own means of doing so.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Replace my "inane" usage of snprintf to copy strings with strncpy as
used by OpenBSD. (Quite frankly, I think it's perfectly reasonable to
use snprintf to copy strings, given that the semantics for strncpy()
are utterly idiotic and there is no POSIX sstrncpy().)

While I'm at it, incorporate some of OpenBSD's bugfixes to cron.

NOT for 2.2

Fix a bug that prevented %'s and \'s from being passed to the program
invoked.

Submitted by: fenner@parc.xerox.com (Bill Fenner)

Remove trailing whitespace.

Fix MAILTO hole by passing -t to sendmail
Submitted by: Mike Pritchard <pritc003@maroon.tc.umn.edu>

Really fix MAILTO hole by parsing spaces.
Remove local bitstring copy

Close MAILTO security hole

This commit was generated by cvs2svn to compensate for changes in r2311,
which included commits to RCS files with non-trunk default branches.

Paul Vixie's cron, version 3.0. Munged into bmake format. If this goes
well, expect our two seperate directories for cron and crontab to go away
shortly.
Submitted by: jkh