bcron is a better cron (though the “b” in the name probably comes from the first name of its writer, Bruce Guenter). It was created with security in mind, and is especially well suited for multi-user systems where the individual users need to be given access to their respective crontabs. With bcron this can be accomplished without compromising the system security. Here’s a quote from the bcron page:
This is bcron, a new cron system designed with secure operations in mind. To do this, the system is divided into several seperate programs, each responsible for a seperate task, with strictly controlled communications between them. The user interface is a drop-in replacement for similar systems (such as vixie-cron), but the internals differ greatly.
As of writing of this bcron can not be found in the FreeBSD 7.0 ports system. Fortunately its installation is fairly straightforward. Yet the included documentation is rather spartan so I provide a more complete outline below.
- Install latest bglibs if not yet installed** bglibs is best to install from a downloaded tarball rather than from the ports (while the ports version installs the libs in a more logical location at /usr/local/lib/bglibs/ the programs that utilize the library (bcron, ucspi-unix, etc.) have difficulty locating it.
** few symlinks are required (these refer to the locations bglibs installs itself when compiled from the tarball rather than from the ports):
/usr/local/bglibs -> /usr/local/lib/bglibs
/usr/local/bglibs/lib/libbg-sysdeps.so.2 -> /usr/local/lib/libbg-sysdeps.so.2
/usr/local/bglibs/lib/libbg.so.2 -> /usr/local/lib/libbg.so.2 - Install ucspi-unix if not yet installed as bcron components communicate via UNIX sockets. This requires bglibs and also compiles and installs well using a downloaded tarball (it’s also available in ports at /usr/ports/sysutils/ucspi-unix, but I prefer to compile it from the downloaded tarball).
- Make sure /var has been moved off the root to /usr/var before proceeding. See an older post for details.
- Make sure daemontools (and hence supervise) has been installed and is operational as bcron will be started with it.
- Create a system user “cron” (for example by using vipw command) and group “cron” (by editing /etc/group). This user/group will own all the crontab files (though not /etc/crontab as it’s system crontab and needs to be owned by root:wheel).
user:
cron:*:50:50::0:0:BCron Sandbox:/nonexistent:/usr/sbin/nologingroup:
cron:*:50: - Create the spool & tmp directories:
mkdir -p /var/spool/cron/crontabs /var/spool/cron/tmp
mkfifo /var/spool/cron/trigger
sh
for i in crontabs tmp trigger; do
chown cron:cron /var/spool/cron/$i
chmod go-rwx /var/spool/cron/$i
done - Create the configuration directory /usr/local/etc/bcron:mkdir -p /usr/local/etc/bcron** You can put any common configuration settings into this directory (it is an “ENVDIR”), like alternate spool directories in BCRON_SPOOL.
- Create the bcron service directories (there are three services) and add the scripts below it:
mkdir -p /var/bcron/supervise/bcron-sched/log
mkdir /var/bcron/supervise/bcron-spool
mkdir /var/bcron/supervise/bcron-updateSet their permissions to 1750 for security purposes (no world access, sticky bit):
chmod 1750 /var/bcron/supervise/bcron-sched
chmod 1750 /var/bcron/supervise/bcron-spool
chmod 1750 /var/bcron/supervise/bcron-updateMake all the run and log/run scripts executable by root, readable by group:
chmod 740 /var/bcron/supervise/bcron-sched/run
chmod 740 /var/bcron/supervise/bcron-sched/log/run
chmod 740 /var/bcron/supervise/bcron-spool/run
chmod 740 /var/bcron/supervise/bcron-update/runand make log bcron-sched subdir accessible by root, group:
chmod 750 /var/bcron/supervise/bcron-sched/log
RUN SCRIPTS:
/var/bcron/supervise/bcron-sched/run:#!/bin/sh
exec 2>&1
exec envdir /usr/local/etc/bcron bcron-start | multilog t /var/log/bcron/var/bcron/supervise/bcron-sched/log/run:
#!/bin/sh
exec >/dev/null 2>&1
exec
multilog t /var/log/bcron/var/bcron/supervise/bcron-spool/run:
#!/bin/sh
exec >/dev/null 2>&1
exec
envdir /usr/local/etc/bcron
envuidgid cron
sh -c ‘
exec
unixserver -U ${BCRON_SOCKET:-/var/run/bcron-spool}
bcron-spool
‘/var/bcron/supervise/bcron-update/run:
#!/bin/sh
exec >/dev/null 2>&1
exec
bcron-update /etc/crontab - Kill the deafult cron daemon and add the following to rc.conf so it won’t restart on reboot:
#disable default cron; bcron is used instead (started by supervise)
cron_enable=”NO” - Symlink bcron services’ primary supervise directories to under /var/service to start bcron services (you can also use svc-add command if you have installed supervise-scripts):
ln -s /var/bcron/supervise/bcron-sched /var/service/bcron-sched
ln -s /var/bcron/supervise/bcron-spool /var/service/bcron-spool
ln -s /var/bcron/supervise/bcron-update /var/service/bcron-update - Set /etc/crontab permissions to 600, and make sure it’s owned by the root.
chmod 600 /etc/crontab
chown root:wheel /etc/crontab** For other users the owner of the crontab file in their respective home folders would be cron:cron.
- Edit /etc/crontab and test that it gets updated. Note that there is a brief delay, perhaps one minute or so, after you save the crontab until the change becomes effective. Also note that the default shell for the crontab is /bin/sh. You might want to change it to something more powerful like c-shell (/bin/csh) or bash (/bin/bash) that you’re familiar with. You may also want to augment the default path, for example, by including /usr/local/bin for user-installed commands.