From: Christian Kastner Date: Thu, 7 Jan 2016 23:02:33 +0100 Subject: PAM support for jobs Add support for PAM for job execution. Contributed by Topi Miettinen . Bug-Debian: https://bugs.debian.org/68366 Bug-Debian: https://bugs.debian.org/67586 Forwarded: no Last-Update: 2016-01-07 --- Makefile | 4 ++-- cron.8 | 2 ++ do_command.c | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 5f74507..c8dd2f4 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,7 @@ DESTMAN = $(DESTROOT)/share/man INCLUDE = -I. #INCLUDE = #<> -LIBS = +LIBS = $(PAM_LIBS) #<> #OPTIM = -O OPTIM = -g @@ -73,7 +73,7 @@ LINTFLAGS = -hbxa $(INCLUDE) $(COMPAT) $(DEBUGGING) #<> # Allow override from command line DEBUG_DEFS ?= -DDEBUGGING=0 -DEFS = $(DEBUG_DEFS) +DEFS = $(DEBUG_DEFS) $(PAM_DEFS) #(SGI IRIX systems need this) #DEFS = -D_BSD_SIGNALS -Dconst= #<> diff --git a/cron.8 b/cron.8 index 54b1ef5..9b2c01d 100644 --- a/cron.8 +++ b/cron.8 @@ -116,6 +116,8 @@ changes introduced are: .IP \(em Support for /etc/cron.{hourly,daily,weekly,monthly} via /etc/crontab, .IP \(em +PAM support, +.IP \(em Debian-specific file locations and commands, .IP \(em Debian-specific configuration (/etc/default/cron), diff --git a/do_command.c b/do_command.c index f3c37f8..1a75ed4 100644 --- a/do_command.c +++ b/do_command.c @@ -29,6 +29,18 @@ static char rcsid[] = "$Id: do_command.c,v 2.12 1994/01/15 20:43:43 vixie Exp $" #if defined(SYSLOG) # include #endif +#if defined(USE_PAM) +#include +static pam_handle_t *pamh = NULL; +static const struct pam_conv conv = { + NULL +}; +#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ + fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ + pam_end(pamh, retcode); exit(1); \ + } +#endif static void child_process __P((entry *, user *)), @@ -78,6 +90,9 @@ child_process(e, u) register char *input_data; char *usernm, *mailto; int children = 0; +#if defined(USE_PAM) + int retcode = 0; +#endif Debug(DPROC, ("[%d] child_process('%s')\n", getpid(), e->cmd)) @@ -153,6 +168,19 @@ child_process(e, u) *p = '\0'; } +#if defined(USE_PAM) + retcode = pam_start("cron", usernm, &conv, &pamh); + PAM_FAIL_CHECK; + retcode = pam_set_item(pamh, PAM_TTY, "cron"); + PAM_FAIL_CHECK; + retcode = pam_acct_mgmt(pamh, PAM_SILENT); + PAM_FAIL_CHECK; + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); + PAM_FAIL_CHECK; + retcode = pam_open_session(pamh, PAM_SILENT); + PAM_FAIL_CHECK; +#endif + /* fork again, this time so we can exec the user's command. */ switch (fork()) { @@ -495,6 +523,11 @@ child_process(e, u) Debug(DPROC, (", dumped core")) Debug(DPROC, ("\n")) } +#if defined(USE_PAM) + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); + retcode = pam_close_session(pamh, PAM_SILENT); + pam_end(pamh, retcode); +#endif }