Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Spelling fixes for usr.sbin/

Fix empty mailto (-m "") handling: somehow I missed all checks but the first,
hence output would be written to the wrong filehandle.

Submitted by: reg
Approved by: yar (implicit)
MFC after: ASAP
Pointy hat to: marck

Add -m option to cron(8), overriding default mail recipient for cron mails,
unless explicitly provided by MAILTO= line in crontab. This feature can be
useful in massive hosting environment, where most users do not care about
autogenerated mails.

Setting recipient to null string disables default mails at all.

Approved by: yar
MFC after: 4 weeks

Cleanup of userland __P use

Add PAM support to cron(8). Now cron(8) will skip commands scheduled
by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.

In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.

The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs. E.g., imagine that you
provide a system with payed access, or better a cluster of such
systems with centralized account management via PAM. When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made. Then it'll be
enough to set the expire field in future for the commands to run
again. And so on.

Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.

X-Security: should benefit as users have access to cron(8) by default

o Finally learn how to spell "privileges".

English trainer: ceri

o Spell "privledges" correctly. Re-style comment.

o Better be safe than sorry: check return code from setuid(2),
setgid(2), setlogin(2) and initgroups(3). In theory they could
fail for root with some third party mac(4) policies.

Submitted by: Kostik Belousov
MFC after: 1 month

Use pidfile(3) in cron(8).

Note, that when cron(8) cannot create pidfile, it'll exit. I didn't
changed this behaviour, but its better to ignore errors other than
EEXIST, so daemon can be started on systems where /var/ file system
doesn't support locking (like NFS without rpc.lockd(8)).

Add two new options to cron(8), -J and -j. They allow to specify
the maximum amount of time jitter for root and other users, respectively.
Before starting a job, cron(8) will sleep a random number of seconds,
from 0 to the amount specified. This can help to smooth down load spikes
when a lot of jobs are to start at the beginning of a particular minute
(e.g., the first minute of an hour.)

PR: bin/66474
Submitted by: Dmitry Morozovsky <marck <@> rinet.ru>

Fix a coredump that would occur when fdopen was unable to
return a valid fd.

PR: 49096
Submitted by: demon
MFC after: 3 days

Stop cron from shouting in the syslog. Use setproctitle() instead, since
smashing argv[0] doesn't have the intended effect of changing the ps(1)
output these days.

PR: 25850

Call login_close() to prevent parent from memory leaking in some
cases due to vfork()

Prevent user from breaking his limits and restrictions or
abusing sendmail by any other way via MAILTO tag (since sendmail is running
from daemon). Now run sendmail from user, as any other cron user command.

Obtained from: Inspired by OpenBSD, but implementation is different

Enable SIGCHLD to stop childs complaining to SIG_IGN of it.
It helps perl f.e.

Obtained from: OpenBSD do_command.c v1.7

Catch and report fdopen failures.

$Id$ -> $FreeBSD$

Log run-time parsing errors now

Use getpwnam before getpwuid since two users with same uids can exists
(affects new login classes code only)

The same fixes as in inetd: by default run `system crontab things' with
daemon login class now, not restrict them to user class breaking
compatibility with old way (so-called nobody limits problem)

Implement user[:group][/login-class] syntax in system crontab
for more flexible control (the same as in inetd)

Use err(3). Rewrote man page in mdoc format.

Tone down the paranoia a bit in from the previous commit. setusercontext()
automatically Does The Right Thing when lc == NULL, which just happens to
be what the extra code in cron was trying to do. Simplify.

For some reason, the old login class code didn't seem to be working here.
I suspect it was because the child exec code's parent was doing the
initial lookups, then forking, then doing other things (possibly trashing
the static data in the getpw*() buffer), then attempting to dereference
*pwd and *lc. Also, no error checking appeared to be done - I've allowed
it to fall back to the old "become user" code on critical failure rather than
risk running a user's cron jobs as root.

Revert $FreeBSD$ to $Id$

Make cron login class savvy.
Use setusercontext() rather than setuid()/setgid()/setlogin()/initgroups()
which is all handled. Login environment is NOT set by this call as crontab
provides its own means of doing so.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Replace my "inane" usage of snprintf to copy strings with strncpy as
used by OpenBSD. (Quite frankly, I think it's perfectly reasonable to
use snprintf to copy strings, given that the semantics for strncpy()
are utterly idiotic and there is no POSIX sstrncpy().)

While I'm at it, incorporate some of OpenBSD's bugfixes to cron.

NOT for 2.2

Fix a bug that prevented %'s and \'s from being passed to the program
invoked.

Submitted by: fenner@parc.xerox.com (Bill Fenner)

Remove trailing whitespace.

Fix MAILTO hole by passing -t to sendmail
Submitted by: Mike Pritchard <pritc003@maroon.tc.umn.edu>

Really fix MAILTO hole by parsing spaces.
Remove local bitstring copy

Close MAILTO security hole

This commit was generated by cvs2svn to compensate for changes in r2311,
which included commits to RCS files with non-trunk default branches.

Paul Vixie's cron, version 3.0. Munged into bmake format. If this goes
well, expect our two seperate directories for cron and crontab to go away
shortly.
Submitted by: jkh