Date: Tue, 31 Jan 2012 13:13:34 -0700 From: Ian Lepore <freebsd@damnhippie.dyndns.org> To: John Baldwin <jhb@freebsd.org> Cc: current@freebsd.org Subject: Re: Race between cron and crontab Message-ID: <1328040814.1662.383.camel@revolution.hippie.lan> In-Reply-To: <201201311330.15480.jhb@freebsd.org> References: <201201311149.32760.jhb@freebsd.org> <1328032670.1662.333.camel@revolution.hippie.lan> <201201311330.15480.jhb@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 2012-01-31 at 13:30 -0500, John Baldwin wrote: > On Tuesday, January 31, 2012 12:57:50 pm Ian Lepore wrote: > > On Tue, 2012-01-31 at 11:49 -0500, John Baldwin wrote: > > > A co-worker ran into a race between updating a cron tab via crontab(8) and > > > cron(8) yesterday. Specifically, cron(8) failed to notice that a crontab was > > > updated. The problem is that 1) by default our filesystems only use second > > > granularity for timestamps and 2) cron only caches the seconds portion of a > > > file's timestamp when checking for changes anyway. This means that cron can > > > miss updates to a spool directory if multiple updates to the directory are > > > performed within a single second and cron wakes up to scan the spool directory > > > within the same second and scans it before all of the updates are complete. > > > > > > Specifically, when replacing a crontab, crontab(8) first creates a temporary > > > file in /var/cron/tabs and then uses a rename to install it followed by > > > touching the spool directory to update its modification time. However, the > > > creation of the temporary file already changes the modification time of the > > > directory, and cron may "miss" the rename if it scans the directory in between > > > the creation of the temporary file and the rename. > > > > > > The "fix" I am planning to use locally is to simply force crontab(8) to sleep > > > for a second before it touches the spool directory, thus ensuring that it the > > > touch of the spool directory will use a later modification time than the > > > creation of the temporary file. > > > > > > Note that crontab -r is not affected by this race as it only does one atomic > > > update to the directory (unlink()). > > > > > > Index: crontab.c > > > =================================================================== > > > --- crontab.c (revision 225431) > > > +++ crontab.c (working copy) > > > @@ -604,6 +604,15 @@ replace_cmd() { > > > > > > log_it(RealUser, Pid, "REPLACE", User); > > > > > > + /* > > > + * Creating the 'tn' temp file has already updated the > > > + * modification time of the spool directory. Sleep for a > > > + * second to ensure that poke_daemon() sets a later > > > + * modification time. Otherwise, this can race with the cron > > > + * daemon scanning for updated crontabs. > > > + */ > > > + sleep(1); > > > + > > > poke_daemon(); > > > > > > return (0); > > > > Maybe this is overly pedantic, but that solution still allows the > > possibility of the same sort of race if a user updates their crontab in > > the same second as an admin saves a new /etc/crontab, because cron takes > > the max timestamp of /etc/crontab and /var/cron/tabs and compares it > > against the database-rebuild timestamp. > > Hmm, I'm not sure I see the race in that case. If the /etc/crontab file > matches the timestamp of the spool directory before the utimes() call > after the one-second sleep, then it will still rescan it on the next > check when it notices a newer timestamp on the spool directory. If > it is the same timestamp as the second timestamp on the spool directory, > then the scan is guaranteed to have not started before that second began, > meaning that the crontab(8) process editing the user's crontab must have > passed the rename, so the scan will see the user's new crontab. > > > A possible solution on the daemon side of things might be something like > > the attached, but I should state (nay, shout) that I haven't looked > > beyond these few lines to see if there are any unintended side effects > > to such a change. > > I think this patch doesn't change anything at all actually. It is > certainly subject to the original race I described if you do not use > the patch in crontab(8) itself. > You're right about my patch not fixing anything; I didn't think hard enough before I started typing. But I think the problem I was trying to get at with /etc/crontab still exists with your patch; it would be triggered if a user updated their crontab and after the 1 second sleep the directory timestamp gets updated and cron rebuilds the database, and then right after that but still in the same second /etc/crontab gets written. (That's why I was trying, however feebly, to move the solution into the daemon.) Maybe the simple answer is for admins to be sure not to save changes to /etc/crontab during the xx:xx:00 second, or with your patch, :01. (I'm kidding, of course. The fact that cron likes to wake up at the top of minute is no g'tee that it actually does so every time.) Once you start thinking along the "no g'tee" lines you realize that two users can be updating their tabs concurrently, and one arrives in poke_daemon() and grabs the current time (let's say it's noon) then gets preempted for a long while before calling utimes(), the other user runs through poke_daemon() and updates the directory timestamp to 12:00:01, then the first process gets some cycles again and re-updates the timestamp to 12:00:00. Ooopsie, we've achieved a complex and annoying proof of the idea that timestamps alone aren't an adequate synchronization primitive. -- Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1328040814.1662.383.camel>