#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_crontabs  - 06/14/93
#
# Ideas from Dan Farmer's 'cron.chk' from COPS 1.04.
# 
# check_crontabs  - 11/08/2007 - jfs Change message calls so that they can be
#                                    filtered (Debian bug #411534)
# check_crontabs  - 01/15/2004 - jfs Will only warn if neither cron.allow
#                                    nor cron.deny exists (Debian bug #226362)
# check_crontabs  - 11/19/2003 - jfs Introduce some more information on
#            allow/deny checks as suggested by unspawn.
# check_crontabs  - 08/19/2003 - jfs Renamed to check_crontabs
# check_crontabs  - 08/14/2003 - jfs Added OUTPUTMETHOD to dependancies 
#                            incorporated changes from ARSC tara version 3.0.3
# check_crontabs  - 08/13/2003 - jfs Fixed a call to grep and added lost changes
#                            made by ARSC
# check_crontabs  - 08/08/2003 - jfs Avoided race conditions in temporary file
#                            usage.
# check_crontabs  - 08/12/2002 - jfs Fixed to use CRONSPOOL
# check_crontabs  - 04/25/2002 - jfs Fixed dependancies
# check_crontabs  - 04/28/1999 Modified by Advanced Research Corp (R) to 
#                        correct errors
# check_crontabs  - 04/20/1999 Modified by Advanced Research Corp (R) to 
#                        correct errors
# check_crontabs  - 02/10/2018 - jfs - Clean up the cron output file befoe
#                        using as this might contain --ERROR-- or --WARN--
#                        messages from gen_cron which leads to interpretation
#                        problems (Debian bug #839635)
# 
#-----------------------------------------------------------------------------
#
TigerInstallDir='.'

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done

#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r "$basedir/config" ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. $basedir/config

. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds AWK BASENAME CAT GEN_CRON_FILES LS MV RM TR SED GREP OUTPUTMETHOD || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------
echo
echo "# Performing check of \`cron' entries..."

haveallcmds AWK BASENAME CAT GEN_CRON_FILES LS MV RM TR SED GREP OUTPUTMETHOD || exit 1
haveallfiles BASEDIR WORKDIR || exit 1


safe_temp "$WORKDIR/cron.in.$$"
trap 'delete $WORKDIR/cron.in.$$ ; exit 1' 1 2 3 15
 

realpath="$REALPATH -d"
[ ! -n "$REALPATH" -o ! $TESTEXEC "$REALPATH" ] && realpath=echo

lowner=

{
  $GEN_CRON_FILES $WORKDIR/cron.in.$$

  # Remove any warnings / errors that might have been generated by the gen_cron script 
  $CAT $WORKDIR/cron.in.$$ | $GREP -v -- "--" >$WORKDIR/cron.fix.$$ 
  $MV $WORKDIR/cron.fix.$$  $WORKDIR/cron.in.$$

  #
  # Be careful if you muck around in this loop.  Since we are reading
  # commands from these cron entries, they can have shell meta-characters
  # in them.  We try to eliminate some of them, but there is no guarantee.
  #                                                   dls
  #
  while read owner command
  do
    com="`echo \"$command\" | $SED -e 's/[0-9]*>//g' | $TR -d '()\;\`&!|'`"

    # Can't 'set' this because of shell meta-characters.
    cmd="`echo \"$com\" | $AWK '{print $1}'`"
  
    base=`$BASENAME -- "$cmd"`
    case "$base" in
      sh|csh|ksh|tcsh|zsh|bash|if|cd)
      [ "$2" != "-c" ] && cmd="`echo \"$com\" | $AWK '{print $2}'`";;
    esac

    [ -n "$TigerCheckEmbedded" -a -f "$cmd" -a "$owner" = 'root' ] && {
      echo "$cmd root.crontab" >> $TigerCheckEmbedded
    }
# This is removed from tara's version 3.0.3 
#    case "$cmd" in
#          |cd|echo|if|else|then) ;;
#          *)
#           if [ -z "`echo $cmd | $GREP \"^\/\"`" ] ; then
#             message WARN cron001w "command = $command" "cron entry for $owner does not use full pathname"
#          fi ;;
#    esac
# And subsituted by this:
    if [ -z "`echo $cmd | $GREP \"^[\/\[]\"`" -a "$cmd" != "umask" ]; then
        message WARN cron001w "" "cron entry for $owner does not use full pathname ($cmd):"
    fi



    [ "$owner" != "$lowner" ] && {
      curdir=/
      [ -n "$GETUSERHOME" ] && curdir=`$GETUSERHOME $owner`
      lowner=$owner
    }
    setcurdir=0
    for comp in $com
    do
      [ $setcurdir -eq 1 ] && {
	curdir="$comp"
	setcurdir=0
      }
      
      case "$comp" in
	*/*) {

	  case "$comp" in
	    /*) ;;
	    *) comp="$curdir/$comp";;
	  esac

	  [ ! -c "$comp" -a ! -b "$comp" ] && {
	    lgetpermit "$comp" |
	    pathmsg cron002 cron003 "$comp" $owner "cron entry for $owner uses" "$command"
	  }
	}
	;;
	cd) setcurdir=1;;
      esac
    done
  done < $WORKDIR/cron.in.$$
} |
$OUTPUTMETHOD

delete $WORKDIR/cron.in.$$


# Check for existence of root crontab
[ ! -r $CRONSPOOL/root ] &&
     message WARN cron004w "" "Root crontab does not exist"

# Check for existence of root cron.allow
[ -z "$CRONALLOW" ] && CRONALLOW=/etc/cron.allow
[ -z "$CRONDENY" ] && CRONDENY=/etc/cron.deny
if [ -f "$CRONALLOW" ]
then
   $CAT  $CRONALLOW |
   $GREP -v "^#" | 
   while read user
   do
        message WARN cron006w "" "User $user is allowed cron usage."
   done
fi
if [ -f "$CRONDENY" ]
then
   $CAT $CRONDENY |
   $GREP -v "^#" | 
   while read user
   do
        message INFO cron007i "" "User $user is denied cron usage."
   done
fi
if [ ! -f "$CRONALLOW" -a ! -f "$CRONDENY" ]
then
     message WARN cron005w "" "Use of cron is not restricted"
fi

exit 0
