svn commit: trunk/busybox/miscutils

vda at busybox.net vda at busybox.net
Sat Feb 16 13:47:59 UTC 2008


Author: vda
Date: 2008-02-16 05:47:57 -0800 (Sat, 16 Feb 2008)
New Revision: 21040

Log:
crontab: clear env if run by non-root, so that we can use PATH now
crontab: make "-c /tmp/ -e" work



Modified:
   trunk/busybox/miscutils/crontab.c


Changeset:
Modified: trunk/busybox/miscutils/crontab.c
===================================================================
--- trunk/busybox/miscutils/crontab.c	2008-02-16 13:20:56 UTC (rev 21039)
+++ trunk/busybox/miscutils/crontab.c	2008-02-16 13:47:57 UTC (rev 21040)
@@ -15,9 +15,6 @@
 #ifndef CRONTABS
 #define CRONTABS        "/var/spool/cron/crontabs"
 #endif
-#ifndef TMPDIR
-#define TMPDIR          "/var/spool/cron"
-#endif
 #ifndef CRONUPDATE
 #define CRONUPDATE      "cron.update"
 #endif
@@ -37,7 +34,7 @@
 	if (chdir(pas->pw_dir) < 0) {
 		bb_perror_msg("chdir(%s) by %s failed",
 				pas->pw_dir, pas->pw_name);
-		xchdir(TMPDIR);
+		xchdir("/tmp");
 	}
 }
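Review bot: The new fallback in `xchdir("/tmp");` is a directory that is world-writable on typical systems, whereas the removed TMPDIR default was `/var/spool/cron`. Anything that later resolves relative paths, or a program that reads per-directory configuration from its working directory, would then work in a place other local users can populate; whether that matters depends on code outside the hunk, since the enclosing function starts before it. If the only requirement is a directory that always exists, `xchdir("/");` provides that without the shared-writable property. Otherwise a comment such as `/* home dir unusable: fall back to /tmp (world-writable, use no relative paths after this) */` would record the constraint.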
 
@@ -62,9 +59,7 @@
 			ptr = PATH_VI;
 	}
 
-	/* TODO: clean up the environment!!! */
-	/* not execlp - we won't use PATH */
-	execl(ptr, ptr, file, NULL);
+	BB_EXECLP(ptr, ptr, file, NULL);
 	bb_perror_msg_and_die("exec %s", ptr);
 }
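Review bot: The `BB_EXECLP(ptr, ptr, file, NULL);` line makes the editor lookup depend on PATH, and nothing at the call site now says why that is acceptable; the two removed comments were the only record of the concern. The safety rests on `sanitize_env_for_suid()` having run in the setuid case, which this commit adds in the option-parsing hunk of a different function, so I would put `/* PATH lookup is OK: env was sanitized at startup if we run setuid */` above the call. Where `ptr` comes from when it is not `PATH_VI` is outside the hunk, so it is worth confirming that the value is read after the sanitizing call rather than before it.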
 
@@ -136,9 +131,12 @@
 	opt_ler = getopt32(argv, "u:c:lerd", &user_name, &crontab_dir);
 	argv += optind;
 
-	if (opt_ler & (OPT_u|OPT_c))
-		if (my_uid != geteuid())
+	if (my_uid != geteuid()) { /* run by non-root? */
+		if (opt_ler & (OPT_u|OPT_c))
 			bb_error_msg_and_die("only root can use -c or -u");
+		/* Clear dangerous stuff, set PATH */
+		sanitize_env_for_suid();
+	}
 
 	if (opt_ler & OPT_u) {
 		pas = getpwnam(user_name);
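Review bot: `sanitize_env_for_suid()` runs only after `getopt32()` has already executed with the caller's environment, so any variable the option parser or libc consults during parsing is still caller-controlled in the setuid case. Calling it first, e.g. `if (my_uid != geteuid()) sanitize_env_for_suid();` ahead of the `getopt32` line while leaving the `-c`/`-u` check where it is, would close that window. The comment `/* run by non-root? */` is also looser than the test: the condition is that the real uid differs from the effective uid (`my_uid` is assigned outside the hunk, presumably from getuid()), so `/* running setuid: real uid != effective uid */` would describe it more exactly.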
@@ -194,7 +192,7 @@
 		}
 
 	case OPT_e: /* Edit */
-		tmp_fname = xasprintf(TMPDIR "/crontab.%u", (unsigned)getpid());
+		tmp_fname = xasprintf("%s.%u", crontab_dir, (unsigned)getpid());
 		fd = xopen3(tmp_fname, O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0600);
 		xmove_fd(fd, STDIN_FILENO);
 		fd = open(pas->pw_name, O_RDONLY);
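Review bot: The format `"%s.%u"` in the `xasprintf` line makes the temporary file's location depend on whether `crontab_dir` ends in a slash, which is not obvious from the line itself. With `-c /tmp/` the file is `/tmp/.PID` inside the directory, while a value without the trailing slash (presumably the CRONTABS default) gives a sibling `crontabs.PID` in the parent directory. A comment such as `/* temp file is "<crontab_dir>.<pid>": a sibling of the directory unless -c ended in '/' */` would document that. The `O_CREAT|O_EXCL` open with mode 0600 on the next line is what keeps the predictable pid-based name from being pre-created by another user, so it should stay if this line is reworked. The switch case continues outside the hunk.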



