This is bcron, a new cron system designed with secure operations in mind. To do this, the system is divided into several seperate programs, each responsible for a seperate task, with strictly controlled communications between them. The user interface is a drop-in replacement for similar systems (such as vixie-cron), but the internals differ greatly.

As of writing of this bcron can not be found in the FreeBSD 7.0 ports system. Fortunately its installation is fairly straightforward.  Yet the included documentation is rather spartan so I provide a more complete outline below.

1. Install latest bglibs if not yet installed** bglibs is best to install from a downloaded tarball rather than from the ports (while the ports version installs the libs in a more logical location at /usr/local/lib/bglibs/ the programs that utilize the library (bcron, ucspi-unix, etc.) have difficulty locating it.

   ** few symlinks are required (these refer to the locations bglibs installs itself when compiled from the tarball rather than from the ports):

   /usr/local/bglibs -> /usr/local/lib/bglibs
   /usr/local/bglibs/lib/libbg-sysdeps.so.2 -> /usr/local/lib/libbg-sysdeps.so.2
   /usr/local/bglibs/lib/libbg.so.2 -> /usr/local/lib/libbg.so.2

2. Install ucspi-unix if not yet installed as bcron components communicate via UNIX sockets. This requires bglibs and also compiles and installs well using a downloaded tarball (it’s also available in ports at /usr/ports/sysutils/ucspi-unix, but I prefer to compile it from the downloaded tarball).
3. Make sure /var has been moved off the root to /usr/var before proceeding. See an older post for details.
4. Make sure daemontools (and hence supervise) has been installed and is operational as bcron will be started with it.
5. Create a system user “cron” (for example by using vipw command) and group “cron” (by editing /etc/group). This user/group will own all the crontab files (though not /etc/crontab as it’s system crontab and needs to be owned by root:wheel).
   
   user:
   cron:*:50:50::0:0:BCron Sandbox:/nonexistent:/usr/sbin/nologin

   group:
   cron:*:50:

6. Create the spool & tmp directories:
   mkdir -p /var/spool/cron/crontabs /var/spool/cron/tmp
   mkfifo /var/spool/cron/trigger
   sh
   for i in crontabs tmp trigger; do
   chown cron:cron /var/spool/cron/$i
   chmod go-rwx /var/spool/cron/$i
   done
7. Create the configuration directory /usr/local/etc/bcron:mkdir -p /usr/local/etc/bcron** You can put any common configuration settings into this directory (it is an “ENVDIR”), like alternate spool directories in BCRON_SPOOL.
8. Create the bcron service directories (there are three services) and add the scripts below it:

   mkdir -p /var/bcron/supervise/bcron-sched/log
   mkdir /var/bcron/supervise/bcron-spool
   mkdir /var/bcron/supervise/bcron-update

   Set their permissions to 1750 for security purposes (no world access, sticky bit):

   chmod 1750 /var/bcron/supervise/bcron-sched
   chmod 1750 /var/bcron/supervise/bcron-spool
   chmod 1750 /var/bcron/supervise/bcron-update

   Make all the run and log/run scripts executable by root, readable by group:

   chmod 740 /var/bcron/supervise/bcron-sched/run
   chmod 740 /var/bcron/supervise/bcron-sched/log/run
   chmod 740 /var/bcron/supervise/bcron-spool/run
   chmod 740 /var/bcron/supervise/bcron-update/run

   and make log bcron-sched subdir accessible by root, group:

   chmod 750 /var/bcron/supervise/bcron-sched/log

   RUN SCRIPTS:
   /var/bcron/supervise/bcron-sched/run:

   #!/bin/sh
   exec 2>&1
   exec envdir /usr/local/etc/bcron bcron-start | multilog t /var/log/bcron

   /var/bcron/supervise/bcron-sched/log/run:

   #!/bin/sh
   exec >/dev/null 2>&1
   exec \
   multilog t /var/log/bcron

   /var/bcron/supervise/bcron-spool/run:

   #!/bin/sh
   exec >/dev/null 2>&1
   exec \
   envdir /usr/local/etc/bcron \
   envuidgid cron \
   sh -c ‘
   exec \
   unixserver -U ${BCRON_SOCKET:-/var/run/bcron-spool} \
   bcron-spool
   ‘

   /var/bcron/supervise/bcron-update/run:

   #!/bin/sh
   exec >/dev/null 2>&1
   exec \
   bcron-update /etc/crontab

9. Kill the deafult cron daemon and add the following to rc.conf so it won’t restart on reboot:

   #disable default cron; bcron is used instead (started by supervise)
   cron_enable=”NO”

10. Symlink bcron services’ primary supervise directories to under /var/service to start bcron services (you can also use svc-add command if you have installed supervise-scripts):
    ln -s /var/bcron/supervise/bcron-sched /var/service/bcron-sched
    ln -s /var/bcron/supervise/bcron-spool /var/service/bcron-spool
    ln -s /var/bcron/supervise/bcron-update /var/service/bcron-update
11. Set /etc/crontab permissions to 600, and make sure it’s owned by the root.
    chmod 600 /etc/crontab
    chown root:wheel /etc/crontab

    ** For other users the owner of the crontab file in their respective home folders would be cron:cron.

12. Edit /etc/crontab and test that it gets updated. Note that there is a brief delay, perhaps one minute or so, after you save the crontab until the change becomes effective. Also note that the default shell for the crontab is /bin/sh. You might want to change it to something more powerful like c-shell (/bin/csh) or bash (/bin/bash) that you’re familiar with. You may also want to augment the default path, for example, by including /usr/local/bin for user-installed commands.

1. Copy /usr/ports/sysutils/daemontools/work/svscan.sh.sample to
   /usr/local/etc/rc.d/svscan.sh and give it owner execute privileges with
   chmod 700 /usr/local/etc/rc.d/svscan.sh
2. Create /var/service and create a symlink to it from /service
   mkdir /var/service
   ln -s /var/service /service
3. Add following to /etc/rc.conf:
   #start /var/service scanning
   svscan_enable=”YES”
4. Reboot the system (svscan will *not* start on a BSD system before the system is rebooted)
   

Optionally you can also install Bruce Guenter’s supervise-scripts that make life a whole lot easier with daemontools’ supervise.

1. Install latest bglibs if not yet installed
   ** bglibs is best to install from a downloaded tarball rather than from the ports (while the ports version installs the libs in a more logical location at /usr/local/lib/bglibs/ the programs that utilize the library (bcron, ucspi-unix, etc.) have difficulty locating it.** few symlinks are required (these refer to the locations bglibs installs itself when compiled from the tarball rather than from the ports):
   /usr/local/bglibs -> /usr/local/lib/bglibs
   /usr/local/bglibs/lib/libbg-sysdeps.so.2 -> /usr/local/lib/libbg-sysdeps.so.2
   /usr/local/bglibs/lib/libbg.so.2 -> /usr/local/lib/libbg.so.2
2. Download, compile, and install supervise-scripts. Once installed, you’ll find new commands svc-start, svc-stop, svc-restart, svc-add, svc-remove, svc-isdown, svc-isup, svc-waitdown, svc-waitup, and svc-status in /usr/local/bin. These make scripting and managing services much easier.

When switching programs to be svscan-started and svscan-managed, remember to make sure they’re not being started either as default services by the system, or that a prior startup setting doesn’t exist in  /etc/rc.conf. Disable them (depending on the service) by commenting out the startup in /etc/rc.conf, by adding a “NO” clause in /etc/rc.conf (such as cron_enable=”NO”), or by disabling the corresponding startup script in /usr/local/etc/rc.d.

If you mess up a service initialization, uninstall the failed service (i.e. unlink the service’s primary service directory from /var/service), delete the “supervise” subfolders (and “down” file if present) from the service’s primary service directory (there’s one also in the “log” subfolder). Then reboot the system, and reinstall the service either by using the supervise-scripts command svc-add, or by simply symlinking the service’s primary service directory to /var/service (for example ln -s /var/db/mysql-supervise /var/service/mysql).