Vixie Cron

Aaron Toponce

Jan 1, 2010, 9:43:12 AM
to oa...@googlegroups.com
So, I was asked an interesting question yesterday that I didn't have an answer for. After what I feel has been a great amount of research, I feel I'm part way there with the answer, but I'm still falling short. So, I'm turning to the community for help on this one.

On RHEL, if both the /etc/cron.allow and /etc/cron.deny files are missing, then only the root user can use crontab(1). Even according to the man page:
   

    If the cron.allow file exists, then you must be listed therein in order
    to be allowed to use this command.  If the  cron.allow  file  does  not
    exist but the cron.deny file does exist, then you must not be listed in
    the cron.deny file in order to use this command.  If neither  of  these
    files  exists, only the super user will be allowed to use this command.

On Debian, however, this is very different. If both those files are missing, then anyone on the system can take advantage of crontab(1). According to the Debian man page:

    If the /etc/cron.allow file exists, then you must be listed therein  in
    order  to  be allowed to use this command.  If the /etc/cron.allow file
    does not exist but the /etc/cron.deny file does exist,  then  you  must
    not  be listed in the /etc/cron.deny file in order to use this command.
    If neither of these files exists, then depending on site-dependent con-
    figuration  parameters, only the super user will be allowed to use this
    command, or all users will be able to use this  command.  For  standard
    Debian systems, all users may use this command.

Now, both RHEL and Debian are running the cron developed by Paul Vixie. That much is clear. So, why the extreme difference between the two? Who is going against the grain, and who is sticking with the standard vanilla behavior? Curious, I did some research on Vixie cron, and it turns out that Paul Vixie developed it for BSD 4.3. Further, it's been taken up by the ISC (BIND, DHCP, etc) for future development. Now, I don't have BSD 4.3, but I do have FreeBSD, OpenBSD and NetBSD. Logging into each of those systems, I find that they are also running Vixie cron. So, curious, I pull up their crontab(1) man page:

     If the allow file exists, then you must be listed therein in order to be
     allowed to use this command.  If the allow file does not exist but the
     deny file does exist, then you must not be listed in the deny file in
     order to use this command.  If neither of these files exists, then
     depending on site-dependent configuration parameters, only the super user
     will be allowed to use this command, or all users will be able to use
     this command.  The format of these files is one username per line, with
     no leading or trailing whitespace.  Lines of other formats will be
     ignored, and so can be used for comments.

Their man page is very similar to Debian's. Both state that if the /etc/cron.allow and /etc/cron.deny files are missing, then depending on site-wide configuration, either only the super-user can install cron jobs or all users on the system can. The RHEL page is the only one "out of place", if you will, by saying that if both are missing, only the super-user can install cron jobs.

So, the question comes up, where is this site-wide config? On Debian, I would expect it to be /etc/default/cron. Sure enough, that file exists, but it doesn't appear to have any variables that configure the behavior we're seeking. Digging a bit, I find that PAM can also control who gets to use crontab(1). So, I pull up /etc/pam.d/cron, but I'm not sure if what I'm seeing controls this behavior as well. Then, there's /etc/security/access.conf, which is a configuration for pam_access.so. That entire file is nothing but comments, as is the case on RHEL.

The only file that shows promise is /etc/pam.d/cron, as they are different between Debian and RHEL. But, I can't seem to find any line in the config that says only root can install cron jobs on RHEL and everyone can on Debian, however. To be honest, I would be quite shocked if Debian was deviating from the standard vanilla install. That's not like Debian to do so. Sure, it has done so on occasion, but usually produces a good benefit to the system or administrator (Apache comes to mind). I'm tending to believe that Red Hat is deviating from the norm, as the BSDs and Debian agree on the base install of Vixie cron (man page agrees and both /etc/cron.allow and /etc/cron.deny files missing). My experience has shown that Red Hat deviates from standard quite a bit, where Debian does not.

But, that's not the point. The point is, where is this elusive site-wide configuration file that determines if only root can install cron jobs or all users can with the two cron.allow and cron.deny files missing??? If anyone has some ideas, it would be greatly appreciated.

Thanks,
-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O

Aaron Toponce

Jan 1, 2010, 10:49:34 AM
to oa...@googlegroups.com
Aaron Toponce wrote:
The only file that shows promise is /etc/pam.d/cron, as they are different between Debian and RHEL. But, I can't seem to find any line in the config that says only root can install cron jobs on RHEL and everyone can on Debian, however. To be honest, I would be quite shocked if Debian was deviating from the standard vanilla install. That's not like Debian to do so. Sure, it has done so on occasion, but usually produces a good benefit to the system or administrator (Apache comes to mind). I'm tending to believe that Red Hat is deviating from the norm, as the BSDs and Debian agree on the base install of Vixie cron (man page agrees and both /etc/cron.allow and /etc/cron.deny files missing). My experience has shown that Red Hat deviates from standard quite a bit, where Debian does not.
  

So, after looking at the source, I think I found my answer. There is no site-wide config that I can find that controls this behavior. It seems to be a compile time option. The upstream source shows that if both files are missing, then everyone on the system can install cron jobs. Red Hat is publishing a slew of patches, on the man page as well as a number of source files. One of the patches they push is changing the behavior of crontab(1), so if both cron.allow and cron.deny files are missing, then only root can install cron jobs. As I expected, Debian is staying as close to upstream source as possible, while RHEL/Fedora is deviating.

Further, it appears that Fedora has abandoned Vixie cron for a new cron system called 'cronie', which appears to be in-house developed by Red Hat (https://admin.fedoraproject.org/pkgdb/packages/name/cronie). This started sometime around Fedora 9, which means it's not in RHEL 5 or earlier, but might be in RHEL 6.

It also appears that Debian might be abandoning Vixie cron for bcron (Bruce's cron), which seems to have security more in mind, and more up-to-date features. This switch hasn't happened yet, but it is available for install on Sid, should anyone want to try it.

If you're curious about the source files, you can get them here, and check them to make sure I'm interpreting the patch and source files correctly. After all, I'm not a C programmer:

http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/8/Fedora/source/SRPMS/vixie-cron-4.2-3.fc8.src.rpm
http://ftp.de.debian.org/debian/pool/main/c/cron/cron_3.0pl1.orig.tar.gz
http://ftp.de.debian.org/debian/pool/main/c/cron/cron_3.0pl1-105.diff.gz
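
The access decision quoted from the man pages in the first message, with the "neither file exists" case from this message made an explicit parameter, as an added example that is not part of the original posts and is not code from Vixie cron or either distribution. The function names, the `root-only`/`all-users` labels and the sample usernames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the crontab(1) access decision as the quoted man pages
# describe it. policy_source and crontab_allowed are hypothetical helpers.

# Report which rule decides access under ETC_DIR ($1).
policy_source() {
    if [ -f "$1/cron.allow" ]; then echo allow-list
    elif [ -f "$1/cron.deny" ]; then echo deny-list
    else echo compile-time-default
    fi
}

# crontab_allowed USER ETC_DIR FALLBACK
# FALLBACK models the build-time choice used when neither file exists:
# "root-only" (RHEL man page wording) or "all-users" (Debian wording).
# Exit status 0 means allowed. The man-page text is followed literally,
# so root gets no special treatment when cron.allow exists.
crontab_allowed() {
    case "$(policy_source "$2")" in
        # -x -F: the whole line must equal the username, so lines with
        # extra whitespace or comments never match, as the BSD page says.
        allow-list) grep -qxF -- "$1" "$2/cron.allow" ;;
        deny-list)  if grep -qxF -- "$1" "$2/cron.deny"; then return 1; fi ;;
        *)          [ "$3" = all-users ] || [ "$1" = root ] ;;
    esac
}

# Constructed sample trees: one with no files, one with only cron.deny.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/empty" "$tmp/deny"
    printf 'mallory\n# alice \n' > "$tmp/deny/cron.deny"
    for tree in empty deny; do
        for fb in root-only all-users; do
            for u in root alice mallory; do
                if crontab_allowed "$u" "$tmp/$tree" "$fb"; then r=allowed; else r=denied; fi
                echo "$tree/$fb ($(policy_source "$tmp/$tree")): $u $r"
            done
        done
    done
    rm -rf "$tmp"
}
demo
```

Pointing `policy_source` at a real `/etc` shows whether a host is relying on the compile-time default; creating an explicit `cron.allow` or `cron.deny` removes the dependence on how the package was built.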

Aaron Toponce

Jan 1, 2010, 11:38:21 AM
to oa...@googlegroups.com
One final note about cron, in case anyone is curious. Upstart, developed
by Canonical (the parent company of Ubuntu), will be designed to replace
cron eventually. Upstart has been the default init system in Ubuntu
since 6.06, Fedora since Fedora 9 and it will be in the next Debian
stable release, aliased "Squeeze". It's in the Palm webOS, Google Chrome
OS and Maemo 5 OS for Nokia tablets.

More info here:
http://upstart.ubuntu.com/faq.html#replace-cron
http://fedoraproject.org/wiki/Features/Upstart
http://lists.debian.org/debian-devel-announce/2009/09/msg00003.html
http://mjg59.livejournal.com/111453.html
http://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/security-overview
http://wiki.maemo.org/Task:Maemo_roadmap/Fremantle
