
Re: vixie-cron small patch



Stanislav Zaharov wrote:
> Hello everybody!
> I've added new environment support to vixie-cron which is used by default
> cron in Debian. This environment is adding opportunity to set mail subject
> for cron's report. It looks like this:
> MAILSUBJECT="CRON at the %hostname% (fqdn: %fqdn%): User %user% ran command
> %cmd% which was executed with status %status%. Cron fork status:
> %forkstatus%"
> * * * * * root echo test
> 
> It can be useful for many users. I've attached the patch for vixie cron.
> Could the patch be included in the Debian release?

Hi, Stan:

Have you tried getting your patch merged upstream?  (Just kidding, it
looks like Debian hasn't pulled a new upstream release of cron in about
22 years, and new upstream releases are... infrequent.)

More seriously, any C code that manipulates strings should be heavily
scrutinized, especially in a security sensitive daemon like cron, which
has had a history of security vulnerabilities, some of which were
introduced by later patches to the original code.

There are static analyzers that can help with this, e.g. Clang's
scan-build (free), and Coverity (non-free).

But, maybe it would be better to freeze the user-facing functionality of
a venerable tool like cron?  This seems like kind of a disruptive
change.

-- 
Robert Edmonds
edmonds@debian.org
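
The string-handling concern raised above, as an added example that is not code from the attached patch or from cron: a bounded expansion of `%name%` placeholders like those in the quoted `MAILSUBJECT` line. The names `expand_subject`, `struct subst` and `put` are hypothetical, and replacing control characters (CR and LF included) with spaces is this example's own choice, made so that a substituted value such as `%cmd%` cannot start a new mail header.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical name/value pair for one %name% placeholder. */
struct subst { const char *name; const char *value; };

/* Append one byte to out. Control characters (CR, LF included) are written
 * as spaces. Returns 0 when the buffer is full, always leaving room for NUL. */
static int put(char *out, size_t cap, size_t *len, char c)
{
    if (*len + 1 >= cap) return 0;
    out[(*len)++] = ((unsigned char)c < 0x20 || c == 0x7f) ? ' ' : c;
    return 1;
}

/* Expand %name% placeholders from tmpl into out[cap].
 * Returns 0 on success, -1 if the result did not fit; out is NUL-terminated
 * in both cases. Unknown or unterminated placeholders are copied literally. */
int expand_subject(char *out, size_t cap, const char *tmpl,
                   const struct subst *tab, size_t ntab)
{
    size_t len = 0;
    if (cap == 0) return -1;
    while (*tmpl) {
        /* A placeholder needs a closing '%'; otherwise '%' is literal. */
        const char *end = (*tmpl == '%') ? strchr(tmpl + 1, '%') : NULL;
        const char *val = NULL;
        if (end) {
            size_t n = (size_t)(end - tmpl - 1);   /* length of the name */
            for (size_t i = 0; i < ntab && !val; i++)
                if (strlen(tab[i].name) == n && !memcmp(tab[i].name, tmpl + 1, n))
                    val = tab[i].value;
        }
        if (val) {
            for (; *val; val++)
                if (!put(out, cap, &len, *val)) { out[len] = '\0'; return -1; }
            tmpl = end + 1;                        /* skip past closing '%' */
        } else if (!put(out, cap, &len, *tmpl++)) {
            out[len] = '\0';
            return -1;
        }
    }
    out[len] = '\0';
    return 0;
}
```

A caller should treat the -1 return as truncation and decide explicitly whether to send the shortened subject or fall back to a fixed one.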

