File: PAM-support-for-jobs.patch

cron 3.0pl1-202
From: Christian Kastner <ckk@kvr.at>
Date: Thu, 7 Jan 2016 23:02:33 +0100
Subject: PAM support for jobs

Add support for PAM for job execution.

Contributed by Topi Miettinen <Topi.Miettinen@nic.fi>.

Bug-Debian: https://bugs.debian.org/68366
Bug-Debian: https://bugs.debian.org/67586
Forwarded: no
Last-Update: 2016-01-07
---
 Makefile     |  4 ++--
 cron.8       |  2 ++
 do_command.c | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 5f74507..c8dd2f4 100644
--- a/Makefile
+++ b/Makefile
@@ -55,7 +55,7 @@ DESTMAN		=	$(DESTROOT)/share/man
 INCLUDE		=	-I.
 #INCLUDE	=
 #<<need getopt()>>
-LIBS		=
+LIBS		= $(PAM_LIBS)
 #<<optimize or debug?>>
 #OPTIM		=	-O
 OPTIM		=	-g
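Review bot: `PAM_LIBS` on this line and `PAM_DEFS` in the `DEFS` hunk below are referenced without a default or a comment, so a build that does not pass them yields a cron without `USE_PAM` and without any warning; presumably the packaging supplies both. Because the account and session checks added in do_command.c disappear silently in that case, a comment above the line would help, e.g. `# PAM_LIBS / PAM_DEFS come from the caller (e.g. PAM_DEFS=-DUSE_PAM PAM_LIBS=-lpam); if unset, cron is built without PAM`.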
@@ -73,7 +73,7 @@ LINTFLAGS	=	-hbxa $(INCLUDE) $(COMPAT) $(DEBUGGING)
 #<<manifest defines>>
 # Allow override from command line
 DEBUG_DEFS	?= -DDEBUGGING=0
-DEFS		= $(DEBUG_DEFS)
+DEFS		= $(DEBUG_DEFS) $(PAM_DEFS)
 #(SGI IRIX systems need this)
 #DEFS		=	-D_BSD_SIGNALS -Dconst=
 #<<the name of the BSD-like install program>>
diff --git a/cron.8 b/cron.8
index 54b1ef5..9b2c01d 100644
--- a/cron.8
+++ b/cron.8
@@ -116,6 +116,8 @@ changes introduced are:
 .IP \(em
 Support for /etc/cron.{hourly,daily,weekly,monthly} via /etc/crontab,
 .IP \(em
+PAM support,
+.IP \(em
 Debian-specific file locations and commands,
 .IP \(em
 Debian-specific configuration (/etc/default/cron),
diff --git a/do_command.c b/do_command.c
index f3c37f8..1a75ed4 100644
--- a/do_command.c
+++ b/do_command.c
@@ -29,6 +29,18 @@ static char rcsid[] = "$Id: do_command.c,v 2.12 1994/01/15 20:43:43 vixie Exp $"
 #if defined(SYSLOG)
 # include <syslog.h>
 #endif
+#if defined(USE_PAM)
+#include <security/pam_appl.h>
+static pam_handle_t *pamh = NULL;
+static const struct pam_conv conv = {
+	NULL
+};
+#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+	pam_end(pamh, retcode); exit(1); \
+	}
+#endif
 
 
 static void		child_process __P((entry *, user *)),
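Review bot: `PAM_FAIL_CHECK` expands to a bare `if (...) { ... }`, so every `PAM_FAIL_CHECK;` leaves a stray empty statement and would capture a following `else`; wrapping it as `#define PAM_FAIL_CHECK do { if (retcode != PAM_SUCCESS) { ... } } while (0)` keeps the body unchanged and makes it a single statement. The macro also calls `syslog()`, while `<syslog.h>` is included only under `#if defined(SYSLOG)` just above, so a build with USE_PAM but without SYSLOG would use an undeclared function; including the header inside the USE_PAM block as well removes that dependency. The macro relies on a local `retcode` and the file-static `pamh`, which deserves a comment above the definition such as `/* Fail closed: log the PAM error, release the handle and exit; expects 'retcode' in scope. */`. The conversation struct carries a NULL callback, so a module in the cron stack that tries to prompt presumably gets an error instead of a reply; a one-line comment saying this is intentional for a non-interactive service would make that explicit.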
@@ -78,6 +90,9 @@ child_process(e, u)
 	register char	*input_data;
 	char		*usernm, *mailto;
 	int		children = 0;
+#if defined(USE_PAM)
+	int		retcode = 0;
+#endif
 
 	Debug(DPROC, ("[%d] child_process('%s')\n", getpid(), e->cmd))
 
@@ -153,6 +168,19 @@ child_process(e, u)
 		*p = '\0';
 	}
 
+#if defined(USE_PAM)
+	retcode = pam_start("cron", usernm, &conv, &pamh);
+	PAM_FAIL_CHECK;
+	retcode = pam_set_item(pamh, PAM_TTY, "cron");
+	PAM_FAIL_CHECK;
+	retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+	PAM_FAIL_CHECK;
+	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+	PAM_FAIL_CHECK;
+	retcode = pam_open_session(pamh, PAM_SILENT);
+	PAM_FAIL_CHECK;
+#endif
+
 	/* fork again, this time so we can exec the user's command.
 	 */
 	switch (fork()) {
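Review bot: The failure path after `pam_setcred` does not undo what the earlier calls established: if `pam_open_session` fails, `PAM_FAIL_CHECK` only calls `pam_end` and exits, leaving whatever `PAM_ESTABLISH_CRED` set up in place, whereas the normal path at the end of child_process does issue `PAM_DELETE_CRED`. Adding `if (retcode != PAM_SUCCESS) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);` between the `pam_open_session` call and its `PAM_FAIL_CHECK` would keep the two paths symmetric. The message logged on any of these failures is only the PAM error string, so a job refused by `pam_acct_mgmt` (for example an expired or locked account) cannot be attributed from the log alone; logging `usernm` and the failing step next to `pam_strerror(pamh, retcode)` would make such refusals traceable. child_process starts and ends outside this hunk.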
@@ -495,6 +523,11 @@ child_process(e, u)
 			Debug(DPROC, (", dumped core"))
 		Debug(DPROC, ("\n"))
 	}
+#if defined(USE_PAM)
+	pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+	retcode = pam_close_session(pamh, PAM_SILENT);
+	pam_end(pamh, retcode);
+#endif
 }