openSUSE:Evergreen:11.1:kernel-2.6.32
cron
vixie-cron-4.1-pam.diff
File vixie-cron-4.1-pam.diff of Package cron
Index: vixie-cron-4.1/cron.8
===================================================================
--- vixie-cron-4.1.orig/cron.8
+++ vixie-cron-4.1/cron.8
@@ -76,6 +76,12 @@ jobs twice.
 .PP
 Time changes of more than 3 hours are considered to be corrections to the clock or timezone, and the new time is used immediately.
+.SS PAM Access Control
+On SUSE LINUX systems, crond now supports access control with PAM - see
+.IR pam (8) .
+A PAM configuration file for crond is installed in /etc/pam.d/crond .
+crond loads the PAM environment from the pam_env module, but these
+can be overriden by settings in the crontab file.
 .SH SIGNALS
 On receipt of a \s-2SIGHUP\s+2, the cron daemon will close and reopen its log file. This is useful in scripts which rotate and age log files.
@@ -90,7 +96,8 @@ No crontab files may be executable, or b
 other than their owner.
 .SH "SEE ALSO"
 .IR crontab (1),
-.IR crontab (5)
+.IR crontab (5),
+.IR pam (8)
 .SH AUTHOR
 .nf
 Paul Vixie <vixie@isc.org>
Index: vixie-cron-4.1/crond.pam
===================================================================
--- /dev/null
+++ vixie-cron-4.1/crond.pam
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the cron daemon
+#
+#
+auth sufficient pam_rootok.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
Index: vixie-cron-4.1/cron.h
===================================================================
--- vixie-cron-4.1.orig/cron.h
+++ vixie-cron-4.1/cron.h
@@ -31,6 +31,9 @@
 #define CRON_VERSION "V5.0"
 #include "config.h"
 #include "externs.h"
+#ifdef WITH_PAM
+ #include <security/pam_appl.h>
+#endif
 #include "pathnames.h"
 #include "macros.h"
 #include "structs.h"
Index: vixie-cron-4.1/do_command.c
===================================================================
--- vixie-cron-4.1.orig/do_command.c
+++ vixie-cron-4.1/do_command.c
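Review bot: In crond.pam the header comment does not say which stacks cron actually exercises, and the do_command.c hunks of this patch call only pam_acct_mgmt, pam_setcred and pam_open_session; there is no pam_authenticate or pam_chauthtok call. Access control for jobs therefore rests on the `account` stack, the `auth` lines are reached only through pam_setcred, and the `password include common-password` line looks unused. I would say so in the file, e.g. `# cron never authenticates: job access is decided by the account stack; auth is consulted only for pam_setcred`, so that an administrator does not harden the wrong stack.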
@@ -25,9 +25,47 @@ static char rcsid[] = "$Id: do_command.c
 #include "cron.h"
+#ifdef WITH_PAM
+static pam_handle_t *pamh = NULL;
+static const struct pam_conv conv = {
+ NULL
+};
+#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+ fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+ syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+ pam_end(pamh, retcode); exit(1); \
+ }
+#endif
+
 static void child_process(entry *, user *);
 static int safe_p(const char *, const char *);
+/* Build up the job environment from the PAM environment plus the
+ crontab environment */
+static char ** build_env(char **cronenv)
+{
+ char **jobenv = cronenv;
+#if defined(WITH_PAM)
+ char **pamenv = pam_getenvlist(pamh);
+ char *cronvar;
+ int count = 0;
+
+ jobenv = env_copy(pamenv);
+
+ /* Now add the cron environment variables. Since env_set()
+ overwrites existing variables, this will let cron's
+ environment settings override pam's */
+
+ while ((cronvar = cronenv[count++])) {
+ if (!(jobenv = env_set(jobenv, cronvar))) {
+ syslog(LOG_ERR, "Setting Cron environment variable %s failed", cronvar);
+ return NULL;
+ }
+ }
+#endif
+ return jobenv;
+}
+
 void
 do_command(entry *e, user *u) {
 Debug(DPROC, ("[%ld] do_command(%s, (%s,%ld,%ld))\n",
@@ -65,6 +103,10 @@ child_process(entry *e, user *u) {
 int stdin_pipe[2], stdout_pipe[2];
 char *input_data, *usernm, *mailto;
 int children = 0;
+#if defined(WITH_PAM)
+ int retcode = 0;
+#endif
+
 Debug(DPROC, ("[%ld] child_process('%s')\n", (long)getpid(), e->cmd))
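Review bot: build_env() in the first do_command.c hunk hands the result of pam_getenvlist() straight to env_copy() without a NULL check; pam_getenvlist() returns NULL on failure, and env_copy() (not shown here) receives that pointer as its only argument. A guard such as `if (pamenv == NULL) { syslog(LOG_ERR, "pam_getenvlist failed"); return NULL; }` before the copy would turn that into a logged failure. The list returned by pam_getenvlist() belongs to the caller and is never freed after it has been copied. None of the do_command.c hunks in this patch calls build_env(), so unless a caller is added elsewhere the PAM environment described in cron.8 never reaches the job.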
@@ -134,6 +176,19 @@ child_process(entry *e, user *u) {
 *p = '\0';
 }
+#if defined(WITH_PAM)
+ retcode = pam_start("crond", usernm, &conv, &pamh);
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item(pamh, PAM_TTY, "cron");
+ PAM_FAIL_CHECK;
+ retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+#endif
+
 /* fork again, this time so we can exec the user's command. */
 switch (fork()) {
@@ -514,6 +569,12 @@ child_process(entry *e, user *u) {
 Debug(DPROC, (", dumped core"))
 Debug(DPROC, ("\n"))
 }
+
+#if defined(WITH_PAM)
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ retcode = pam_close_session(pamh, PAM_SILENT);
+ pam_end(pamh, retcode);
+#endif
 }
 static int
Index: vixie-cron-4.1/Makefile
===================================================================
--- vixie-cron-4.1.orig/Makefile
+++ vixie-cron-4.1/Makefile
@@ -55,11 +55,12 @@ DESTROOT = $(DESTDIR)/usr
 DESTSBIN = $(DESTROOT)/sbin
 DESTBIN = $(DESTROOT)/bin
 DESTMAN = $(DESTROOT)/share/man
+DESTETC = $(DESTROOT)/../etc
 #<<need bitstring.h>>
 INCLUDE = -I.
 #INCLUDE =
 #<<need getopt()>>
-LIBS =
+LIBS = -lpam -lpam_misc
 #<<optimize or debug?>>
 #CDEBUG = -O
 CDEBUG = -O2 -pipe
@@ -68,7 +69,7 @@ LINTFLAGS = -hbxa $(INCLUDE) $(DEBUGGING
 #<<want to use a nonstandard CC?>>
 CC = gcc -Wall -Wno-unused -Wno-comment
 #<<manifest defines>>
-DEFS =
+DEFS = -DWITH_PAM
 #(SGI IRIX systems need this)
 #DEFS = -D_BSD_SIGNALS -Dconst=
 #<<the name of the BSD-like install program>>
@@ -114,6 +115,7 @@ install : all
 $(INSTALL) -c -m 4111 -o root crontab $(DESTBIN)/
 # $(INSTALL) -c -m 111 -o root -g crontab cron $(DESTSBIN)/
 # $(INSTALL) -c -m 2111 -o root -g crontab crontab $(DESTBIN)/
+ $(INSTALL) -c -m 0644 crond.pam $(DESTETC)/pam.d/crond
 install -m644 crontab.1 $(DESTMAN)/man1
 install -m644 cron.8 $(DESTMAN)/man8
 install -m644 crontab.5 $(DESTMAN)/man5
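Review bot: Every PAM_FAIL_CHECK after pam_start in the -134 hunk logs only `pam_strerror(pamh, retcode)`, so an account denied by pam_acct_mgmt leaves a syslog line that names neither the user nor the call that failed. Within this patch the macro (defined in the first do_command.c hunk) is expanded only here, where `usernm` is in scope, so its syslog line could read `syslog(LOG_ERR, "PAM failure for user %s: %s", usernm, pam_strerror(pamh, retcode));`. The failure path also goes straight to pam_end(): if pam_open_session fails after pam_setcred succeeded, the established credentials are not deleted first. child_process starts and ends outside these hunks.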
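Review bot: `LIBS = -lpam -lpam_misc` in the first Makefile hunk links libpam_misc, but the PAM calls visible in this patch (pam_start, pam_set_item, pam_acct_mgmt, pam_setcred, pam_open_session, pam_close_session, pam_getenvlist, pam_strerror, pam_end) all come from libpam, and the conversation struct is `{ NULL }` rather than misc_conv. Unless another source file needs it, `LIBS = -lpam` keeps an unused library out of a daemon that runs as root. The new install line for crond.pam in the last hunk sets `-m 0644` but no owner, unlike the neighbouring `-o root` lines.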