Copyright (C) 2004 Bruce Guenter

This document explains ...

1. Introduction

Name comes from: Busy/Bee/Bruce's/Better cron.

1.1 Problems With Other cron Systems

1.1.1 vixie-cron

• Too many bugs The last official release of vixie-cron was in December of 1993. Since then, many security holes and other bugs have been found, requiring every vendor to distribute a multiply-patched version of this system. Most vendors have a different set of patches, making this a bit of a moving target.

• Can't handle DST changes vixie-cron's mode of operations is to wake up every minute and determine, with no history, what jobs to run. When DST changes, this causes some jobs to be either skipped or run twice.

1.1.2 fcron

• Parsing issues If a job starts with a word (terminated by any non-word character, like /) that happens to also be a username, fcron interprets this word as the userid to run the job under, even for non-root users. This causes problems for jobs line bin/something when user bin exists.

• No support for `/etc/cron.d'

• No support for `/etc/crontab'

• Gratuitious incompatibilities with vixie-cron Jobs are run with the login shell for the user instead of `/bin/sh'. The default mode of execution prevents the same job from running multiple times (a good option, but bad default). MAILTO can only contain a username, not a full email address.

1.1.3 anacron

Anacron is only really useful for running jobs once a day or less frequently. From what I've seen, it's good at what it does, just not useful at much else.

1.1.4 dcron

• No support for `/etc/cron.d'

• No support for `/etc/crontab'

• No easy way of emulating support for system crontabs dcron's crontab format does not include a "username" column, and as such makes it nearly impossible to even emulate system crontabs.

• Unusual or broken handling of DST changes From reading the source, dcron only handles cases where the linear time jumps. When DST changes, linear time does not change, and so dcron effectively does not handle this situation.

1.2 Requirements

• Security

  I am choosing to make a number of relatively unorthodox choices in order to avoid many of the security issues that have plagued vixie-cron and other related systems.

• External compatability with vixie-cron

  In particular, the system must support:

  • crontabs in the same file format as vixie-cron
  • crontabs submitted via a command-line compatable `crontab' program
  • mail is sent to $MAILTO if the job produces any output (and possibly if the job exits non-zero)

• Support for system crontabs

  This means that the system MUST support:

  • System crontab entries in `/etc/crontab'
  • System crontab entries in `/etc/cron.d/*'
  System crontab entries are additionally differentiated from normal ones by having a "username" column immediately preceding the command.

• Intelligent handling of DST time changes

  One of the biggest frustrations I have had with dealing with vixie-cron is its complete inability to deal with time jumps in an intelligent manner. In particular, when DST changes happen, jobs will either get skipped (when time jumps forward) or executed twice (when time jumps backwards). This is unacceptable.

• Allow setting ulimits before executing commands

  In one of the target installations, we need to set up ulimits (limiting CPU time and memory) before executing commands. It would be easy enough to ulimit the entire daemon, but then the daemon itself would be vulnerable to getting killed when it has run for long enough. Our current setup is to run jobs through a global wrapper script, which can set any necessary limits (or anything else) and then execute the job.

1.3 Design Choices

Use local socket to submit files.

There are two basic methods of submitting crontab files:

1. Use a setuid program to write directly into spool files.
2. Set up a local socket to submit jobs to a daemon.

(1) Using a setuid submission agent was discarded to prevent the possibility of all the bugs that have plagued other setuid submission agents. The socket protocol is deliberately very simple, to make the submission agent foolproof.

Multiple process daemon.

By seperating job submission from job execution, exploiting the system to run arbitrary jobs as privileged users is made even harder. It also makes the design of those individual programs much simpler.

1.4 vixie-cron Patches

This section lists all the non-trivial patches found for vixie-cron, what problem they appear to address, and (if appropriate) how bcron will avoid the same problem. The patches listed come from multiple sources, including the latest RPM (Fedora Core IIRC).

0days.patch

This patch modifies the `crontab.5' man page to remove allowing `0' for day of month or month numbers.

badsig.patch

On some systems, signal handlers are single-shot. This patch modifies the SIGHUP handler to reactivate itself before it returns. bcron will use the bglibs signal functions, which use sigaction to create suitable handlers, where appropriate. bcron uses named pipe triggers instead of signals to deliver notifications, removing the need for most signal handlers.

buffer.patch

This patch increases the maximum username length from 20 to 32, and modifies calls to strcpy to use strncpy to ensure all string copies are length bounded. bcron uses dynamically allocated strings to eliminate the possibility of buffer overflows.

close_stdin.diff

This patch modifies the cron daemon to close stdin, stdout, and stderr on startup, and to reopen them as `/dev/null'. The bcron daemons run under supervise, and have no need of such handling.

crond.patch

Adds support for `/etc/cron.d'

cront_stdin.patch

Appears to modify `crontab''s command-line handling such that no argument is interpreted as to read the crontab from standard input.

crontab.5.diff

Documents several builtin macros to replace the first 5 fields. This macros consist of: `@reboot', `@yearly', `@annually', `@monthly', `@weekly', `@daily', `@midnight', and `@hourly'. bcron will not, at least initially, support these macros.

crontab.patch

Modifies crontab to use strncpy and snprintf when writing into length-bounded strings.

crontabloc.patch

Patches the crontab man page to reference `/etc/crontab'.

dst.patch

Patches the crontab man page to point out that DST may cause jobs to be skipped or repeated.

name.patch

Appears to modify how the cron daemon handles sending messages to syslog. bcron will log messages to stderr, avoiding syslog entirely.

nodot.patch

Adds `-i' to the list of arguments sent to sendmail (result is `-FCronDaemon -i -odi -oem'). Only useful for sendmail, but still needed.

root_-u-85879.patch

Sanity checks the use of `-u' against UID and/or root.

security2.patch

Does some sanity checking on mailto, and does a setuid before sending mail. bcron plays safe with mailto by putting it into a message header, and always drops root privileges before executing commands.

sigchld.patch

Return the SIGCHLD handler to its default state before executing commands.

sprintf.patch

More sprintf -> snprintf conversions.

time.patch

Sync all the crontabs before sleeping to handle changes in the system time.

timeaftertime.patch

The previous patch created double execution issues with small backwards adjustments in the clock time.