cron_pam_support.diff

schmidtm, 12/12/2007 11:50 AM


Makefile 12 Dec 2007 11:39:16 -0000
1
# $FreeBSD: src/usr.sbin/cron/cron/Makefile,v 1.12.2.1 2001/04/25 12:09:23 ru Exp $
1
# $FreeBSD: src/usr.sbin/cron/cron/Makefile,v 1.16 2007/06/17 17:25:53 yar Exp $
2 2
# $DragonFly: src/usr.sbin/cron/cron/Makefile,v 1.2 2003/06/17 04:29:53 dillon Exp $
3 3

  
4 4
PROG=	cron
5 5
SRCS=	cron.c database.c do_command.c job.c user.c popen.c
6
CFLAGS+=-DLOGIN_CAP
7
DPADD=	${LIBCRON} ${LIBUTIL}
8
LDADD=	${LIBCRON} -lutil
6
CFLAGS+=-DLOGIN_CAP -DPAM
7
DPADD=	${LIBCRON} ${LIBPAM} ${LIBUTIL}
8
LDADD=	${LIBCRON} -lpam -lutil
9 9
MAN=	cron.8
10 10

  
11 11
.include <bsd.prog.mk>
cron.8 12 Dec 2007 11:39:16 -0000
15 15
.\" * Paul Vixie          <paul@vix.com>          uunet!decwrl!vixie!paul
16 16
.\" */
17 17
.\"
18
.\" $FreeBSD: src/usr.sbin/cron/cron/cron.8,v 1.7.2.9 2003/03/11 21:13:48 trhodes Exp $
18
.\" $FreeBSD: src/usr.sbin/cron/cron/cron.8,v 1.25 2007/06/17 17:25:53 yar Exp $
19 19
.\" $DragonFly: src/usr.sbin/cron/cron/cron.8,v 1.3 2006/03/18 20:29:50 dillon Exp $
20 20
.\"
21
.Dd December 20, 1993
21
.Dd June 17, 2007
22 22
.Dt CRON 8
23 23
.Os
24 24
.Sh NAME
......
54 54
.Pa /etc/crontab
55 55
which is in a different format (see
56 56
.Xr crontab 5 ) .
57
.Pp
57 58
The
58 59
.Nm
59 60
utility
60 61
then wakes up every minute, examining all stored crontabs, checking each
61
command to see if it should be run in the current minute.  When executing
62
command to see if it should be run in the current minute.  
63
Before running a command from a per-account crontab file,
64
.Nm
65
checks the status of the account with
66
.Xr pam 3
67
and skips the command if the account is unavailable,
68
e.g., locked out or expired.
69
Commands from
70
.Pa /etc/crontab
71
bypass this check.
72
When executing
62 73
commands, any output is mailed to the owner of the crontab (or to the user
63 74
named in the
64 75
.Ev MAILTO
......
171 182
trace through the execution, but do not perform any actions
172 183
.El
173 184
.El
185
.Sh FILES
186
.Bl -tag -width /etc/pam.d/cron -compact
187
.It Pa /etc/crontab
188
System crontab file
189
.It Pa /etc/pam.d/cron
190
.Xr pam.conf 5
191
configuration file for
192
.Nm
193
.It Pa /var/cron/tabs
194
Directory for personal crontab files
195
.El
174 196
.Sh SEE ALSO
175 197
.Xr crontab 1 ,
176
.Xr crontab 5
198
.Xr pam 3 ,
199
.Xr crontab 5 ,
200
.Xr pam.conf 5
177 201
.Sh AUTHORS
178 202
.An Paul Vixie Aq paul@vix.com
cron.h 12 Dec 2007 11:39:16 -0000
17 17

  
18 18
/* cron.h - header for vixie's cron
19 19
 *
20
 * $FreeBSD: src/usr.sbin/cron/cron/cron.h,v 1.9.2.3 2001/05/28 23:37:26 babkin Exp $
20
 * $FreeBSD: src/usr.sbin/cron/cron/cron.h,v 1.17 2007/06/17 17:25:53 yar Exp $
21 21
 * $DragonFly: src/usr.sbin/cron/cron/cron.h,v 1.5 2006/03/18 20:29:50 dillon Exp $
22 22
 *
23 23
 * vix 14nov88 [rest of log is in RCS]
......
76 76
#define	MAX_UNAME	20	/* max length of username, should be overkill */
77 77
#define	ROOT_UID	0	/* don't change this, it really must be root */
78 78
#define	ROOT_USER	"root"	/* ditto */
79
#define	SYS_NAME	"*system*" /* magic owner name for system crontab */
79 80

  
80 81
				/* NOTE: these correspond to DebugFlagNames,
81 82
				 *	defined below.
database.c 12 Dec 2007 11:39:16 -0000
84 84
	new_db.head = new_db.tail = NULL;
85 85

  
86 86
	if (syscron_stat.st_mtime) {
87
		process_crontab("root", "*system*",
87
		process_crontab("root", SYS_NAME,
88 88
				SYSCRONTAB, &syscron_stat,
89 89
				&new_db, old_db);
90 90
	}
......
189 189
	int		crontab_fd = OK - 1;
190 190
	user		*u;
191 191

  
192
	if (strcmp(fname, "*system*") && !(pw = getpwnam(uname))) {
192
	if (strcmp(fname, SYS_NAME) && !(pw = getpwnam(uname))) {
193 193
		/* file doesn't have a user in passwd file.
194 194
		 */
195 195
		log_it(fname, getpid(), "ORPHAN", "no passwd entry");
do_command.c 12 Dec 2007 11:54:06 -0000
14 14
 * I'll try to keep a version up to date.  I can be reached as follows:
15 15
 * Paul Vixie          <paul@vix.com>          uunet!decwrl!vixie!paul
16 16
 *
17
 * $FreeBSD: src/usr.sbin/cron/cron/do_command.c,v 1.15.2.5 2001/05/04 00:59:40 peter Exp $
17
 * $FreeBSD: src/usr.sbin/cron/cron/do_command.c,v 1.27 2007/06/17 17:25:53 yar Exp $
18 18
 * $DragonFly: src/usr.sbin/cron/cron/do_command.c,v 1.7 2006/03/18 20:29:50 dillon Exp $
19 19
 */
20 20

  
......
29 29
#if defined(LOGIN_CAP)
30 30
# include <login_cap.h>
31 31
#endif
32

  
32
#ifdef PAM
33
# include <security/pam_appl.h>
34
# include <security/openpam.h>
35
#endif
33 36

  
34 37
static void		child_process(entry *, user *),
35 38
			do_univ(user *);
......
92 95
	usernm = env_get("LOGNAME", e->envp);
93 96
	mailto = env_get("MAILTO", e->envp);
94 97

  
98
#ifdef PAM
99
	/* use PAM to see if the user's account is available,
100
	 * i.e., not locked or expired or whatever.  skip this
101
	 * for system tasks from /etc/crontab -- they can run
102
	 * as any user.
103
	 */
104
	if (strcmp(u->name, SYS_NAME)) {	/* not equal */
105
		pam_handle_t *pamh = NULL;
106
		int pam_err;
107
		struct pam_conv pamc = {
108
			.conv = openpam_nullconv,
109
			.appdata_ptr = NULL
110
		};
111

  
112
		Debug(DPROC, ("[%d] checking account with PAM\n", getpid()))
113

  
114
		/* u->name keeps crontab owner name while LOGNAME is the name
115
		 * of user to run command on behalf of.  they should be the
116
		 * same for a task from a per-user crontab.
117
		 */
118
		if (strcmp(u->name, usernm)) {
119
			log_it(usernm, getpid(), "username ambiguity", u->name);
120
			exit(ERROR_EXIT);
121
		}
122

  
123
		pam_err = pam_start("cron", usernm, &pamc, &pamh);
124
		if (pam_err != PAM_SUCCESS) {
125
			log_it("CRON", getpid(), "error", "can't start PAM");
126
			exit(ERROR_EXIT);
127
		}
128

  
129
		pam_err = pam_acct_mgmt(pamh, PAM_SILENT);
130
		/* Expired password shouldn't prevent the job from running. */
131
		if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD) {
132
			log_it(usernm, getpid(), "USER", "account unavailable");
133
			exit(ERROR_EXIT);
134
		}
135

  
136
		pam_end(pamh, pam_err);
137
	}
138
#endif
139

  
95 140
#ifdef USE_SIGCHLD
96 141
	/* our parent is watching for our death by catching SIGCHLD.  we
97 142
	 * do not care to watch for our children's deaths this way -- we
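Review bot: The account-unavailable branch at new lines 131–134 exits without calling `pam_end`, and both PAM failure branches log a fixed string, so the cron log cannot distinguish a locked account from an expired one or from a broken `/etc/pam.d/cron` stack. I would record the PAM reason and release the handle before exiting: `log_it(usernm, getpid(), "USER", pam_strerror(pamh, pam_err));` then `pam_end(pamh, pam_err);` ahead of `exit(ERROR_EXIT);`. The `strcmp(u->name, usernm)` comparison at new line 118 also assumes `env_get("LOGNAME", e->envp)` never returns NULL. That is presumably guaranteed where the entry is loaded, but it is not visible here, and a one-line comment stating the invariant would help because this comparison now gates an access decision. The enclosing function (apparently `child_process`) begins and ends outside the hunk.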