On Sat, 27 Feb 2016, Trevor Cordes wrote:
Here's the precise debug email I got from cron:
sh: line 69: warning: here-document at line 68 delimited by end-of-file (wanted `marcinDELIMITER04dba0c8') /bin/sh: 1marcinDELIMITER04dba0c8: ambiguous redirect
I thought I'd seen that here-doc delimiter before. It's standard for the at command. When entered at the command line the at command puts the user's input in a here-document for the atd to execute.
Once upon a time there was a bug https://bugzilla.redhat.com/show_bug.cgi?id=486844 that led me to remember what I've observed on the at job queue.
It spooks me a little bit as that's a funky here-doc string to look for, and WTF with the redirect? Doesn't look like anything I would have scripted (I rarely use heredocs).
I've seen some utilities that don't care for the vagaries of different cron daemons use an at command at the end of the current at job to schedule their next run. The first one is usually started by an init script or whatever equivalent in the distro in use.
The problem with requiring the caller of at to do something to log at commands is that that won't help track/log if someone manages to inject a malicious at command. The above evidence smells to me of some compromised program allowing someone to set a timed at job as my user. But it could just be me being paranoid...
-Daryl