Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 656290

Summary: sys-process/cronie-1.5.2 does not respect/require cron group
Product: Gentoo Linux Reporter: rypervenche <contact>
Component: Current packagesAssignee: Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Status: RESOLVED INVALID    
Severity: normal CC: cron-bugs+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description rypervenche 2018-05-22 16:59:04 UTC 
With default installation of cronie 1.52 (have not tested other versions), all users are allowed to create crontabs. According to the wiki page https://wiki.gentoo.org/wiki/Cron#Giving_trusted_users_access_to_cron and from what the files in cronie seem to indicate, only users in the cron group should be able to create/edit crontabs.

Reproducible: Always

Steps to Reproduce:
1. useradd -m test
2. su - test
3. crontab -e
Actual Results:  
Opens crontab for editing and allows saving.

Expected Results:  
You (test) are not allowed to use this program (crontab)
See crontab(1) for more information

[ebuild   R    ] sys-process/cronie-1.5.2::gentoo  USE="anacron inotify pam (-selinux)" 0 KiB
Comment 1 Georgy Yakovlev archtester gentoo-dev 2018-05-23 00:57:59 UTC 
group membership is not used for cronie.
but it does create crontab group (not cron) for other purposes.

wiki describes other cron implementation.

from man crontab:

If the /etc/cron.allow file exists, a user must be listed in it to be allowed to use cron.
If the cron.allow file does not exist but the cron.deny file does exist, then a user must not be listed in the cron.deny file  in  order  to use  cron.  

If  neither  of  these  files  exists,  only the super user is allowed to use cron.

gentoo ships /etc/cron.deny by default (via sys-process/cronie)
Comment 2 rypervenche 2018-05-24 01:39:40 UTC 
Ahh, thank you. I was going off of the line "No matter which cron package has been chosen, to allow a user to use crontab he will first have to be in the cron group". I'll look into updating that wiki page.
Comment 3 rypervenche 2018-05-24 01:45:18 UTC 
Oh, my apologies. It seems my /var/spool/cron had incorrect permissions, so the cron group is indeed required. Looks as though cronbase sets this up.

Sorry for taking up your time.
Comment 4 Georgy Yakovlev archtester gentoo-dev 2018-05-28 01:25:20 UTC 
no problem, I also learned something wile digging it =)
thanks for reporting bugs, it helps.