Bug 235792 - cron(8) does not respect login.conf environment vars
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 11.2-STABLE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2019-02-17 02:46 UTC by andrew
Modified: 2019-09-03 01:22 UTC
Description andrew 2019-02-17 02:46:12 UTC
cron source code says:

/* Set user's entire context, but skip the environment
 * as cron provides a separate interface for this

The fact that environment variables can be set in the crontab doesn't justify ignoring login.conf; it just introduces usability obstacles by requiring duplicate settings everywhere. cron should respect all parts of the user's login class, not pick and choose.
Comment 1 Bob Bishop 2019-02-17 20:46:30 UTC
Changing cron's treatment of the environment would be a POLA violation with possible security consequences. Please don't.
Comment 2 andrew 2019-02-17 22:56:55 UTC
(In reply to Bob Bishop from comment #1)

There's more to security than blowing away the environment everywhere; it's also important to allow necessary settings to be made in a centralized and trusted place.

Back in the day (I've been using Unix in one form or another for 30+ years and admining it for 25+, I'm not new at this) when environment variables were things you set in commands in your .profile, it was reasonable for cron to ignore that and start from scratch. But the existence of login.conf changes that logic.

My argument is that the POLA violation goes the other way: that any time that values in login.conf are *not* respected is surprising.
Comment 3 Bob Bishop 2019-02-18 12:04:47 UTC
(In reply to andrew from comment #2)

I've been around the block a few times also :-)

I'm content to disagree on this, let's see what other people think.
Comment 4 andrew 2019-09-01 01:10:50 UTC
My concrete proposal to address this is now up at https://reviews.freebsd.org/D21481