/etc/crontab is now writable only by root. No links on this file are allowed.

diff --git a/cron.8 b/cron.8
index 727f1284104bb8252b89d2f2f29a31ee017b6e0d..f41adee95f2b0d68cce64cb02e0b5a273159e2a0 100644 (file)
--- a/cron.8
+++ b/cron.8
@@ -90,8 +90,10 @@ Naturally this is not relevant if cron was built to use
 .SH CAVEATS
 In this version of
 .BR cron ,
-/etc/crontab must not be readable or writable by any user other than root.
-In other words, it should be mode 0600.
+/etc/crontab must not be writable by any user other than root.
+No crontab files may be links, or linked to by any other file.
+No crontab files may be executable, or be writable by any user
+other than their owner.
 .SH "SEE ALSO"
 .IR crontab (1),
 .IR crontab (5),

diff --git a/crontab.5 b/crontab.5
index 7085ecc922466391747a19161689e462e0bb0730..f103debe5a22e7ee03ebe5ff6d4eb1bcd51f85af 100644 (file)
--- a/crontab.5
+++ b/crontab.5
@@ -206,6 +206,13 @@ the 5 initial time and date fields, and are prefixed by the '@' character:
 @daily     :    Run once a day, ie.   "0 0 * * *".
 @hourly    :    Run once an hour, ie. "0 * * * *".
 .fi
+.SH CAVEATS
+In this version of
+.BR cron ,
+/etc/crontab must not be writable by any user other than root.
+No crontab files may be links, or linked to by any other file.
+No crontab files may be executable, or be writable by any user
+other than their owner.
 .SH AUTHOR
 .nf
 Paul Vixie <vixie@isc.org>

diff --git a/database.c b/database.c
index 7c4d73a345ae6dd38073f8f87fb2cf8c3d4d4d3c..f3e366ca5c246b603427629e1338e3b51061f547 100644 (file)
--- a/database.c
+++ b/database.c
@@ -261,7 +261,7 @@ process_crontab(const char *uname, const char *fname, const char *tabname,
                log_it(fname, getpid(), "NOT REGULAR", tabname);
                goto next_crontab;
        }
-       if ((statbuf->st_mode & 07777) != 0600) {
+       if ((statbuf->st_mode & 07733) != 0600) {
                log_it(fname, getpid(), "BAD FILE MODE", tabname);
                goto next_crontab;
        }