Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 May 2020 16:52:18 +0200
From: Solar Designer <>
Subject: vixie-cron lost allow_error fix


I recently learned that we inadvertently lost the fix for crontab's
checking of /etc/cron.{allow,deny} files.  The issue was recently
rediscovered and patched in Debian, and I went to check our code -
finding that we no longer have the fix.  I think we lost it here:

* Mon Mar 14 2005 Solar Designer <> 4.1.20040916-owl1
- Applied many assorted corrections and cleanups.

* Sun Feb 20 2005 Juan M. Bello Rivas <> 4.1.20040916-owl0.1
- Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with
modifications by Jarno Huuskonen and Dmitry V. Levin.

Looks like I wasn't careful enough in reviewing Juan's work here.
Not having this fix is a clear bug (not just missing hardening), because
the crontab(1) man page explicitly says:

"If crontab is unable to read the files, users will not be allowed to
use crontab."

which without that fix is false.

Dmitry, you might want to check ALT Linux's package and see if it needs
the fix.  While you're at it, feel free to get it into Owl as well.  You
even re-learned CVS recently for passwdqc 1.4.0, so may as well reuse
this skill while it's not forgotten again. ;-)

Looks like I had fixed this in Owl's package of Vixie Cron in 2000
(before we released Owl publicly) by denying access on errors other than
ENOENT, but we lost the fix in update to newer upstream (OpenBSD) code
in 2005.  Oops.;r2=1.2
(search for "allow_error").


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.