Bug #881 » cron_pam_support.diff
Makefile 12 Dec 2007 11:39:16 -0000 | ||
---|---|---|
1 |
# $FreeBSD: src/usr.sbin/cron/cron/Makefile,v 1.12.2.1 2001/04/25 12:09:23 ru Exp $
|
|
1 |
# $FreeBSD: src/usr.sbin/cron/cron/Makefile,v 1.16 2007/06/17 17:25:53 yar Exp $
|
|
2 | 2 |
# $DragonFly: src/usr.sbin/cron/cron/Makefile,v 1.2 2003/06/17 04:29:53 dillon Exp $ |
3 | 3 | |
4 | 4 |
PROG= cron |
5 | 5 |
SRCS= cron.c database.c do_command.c job.c user.c popen.c |
6 |
CFLAGS+=-DLOGIN_CAP |
|
7 |
DPADD= ${LIBCRON} ${LIBUTIL} |
|
8 |
LDADD= ${LIBCRON} -lutil |
|
6 |
CFLAGS+=-DLOGIN_CAP -DPAM
|
|
7 |
DPADD= ${LIBCRON} ${LIBPAM} ${LIBUTIL}
|
|
8 |
LDADD= ${LIBCRON} -lpam -lutil
|
|
9 | 9 |
MAN= cron.8 |
10 | 10 | |
11 | 11 |
.include <bsd.prog.mk> |
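Review bot: With `-DPAM` and `-lpam` now unconditional in CFLAGS/LDADD, every per-user job depends on a PAM policy for the service name "cron", but nothing visible on this page installs `/etc/pam.d/cron`, which cron.8 now lists under FILES. The do_command.c section calls `pam_start("cron", ...)` and exits the job with "can't start PAM" when that fails, so a missing policy is an availability problem for all per-account crontabs. If the policy file is added elsewhere in the patch this is fine; otherwise the jobs are governed by whatever fallback policy the system has, or do not run at all. I would add a comment next to the flag, e.g. `# -DPAM: per-user jobs need a "cron" PAM policy (/etc/pam.d/cron)`.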
cron.8 12 Dec 2007 11:39:16 -0000 | ||
---|---|---|
15 | 15 |
.\" * Paul Vixie <paul@vix.com> uunet!decwrl!vixie!paul |
16 | 16 |
.\" */ |
17 | 17 |
.\" |
18 |
.\" $FreeBSD: src/usr.sbin/cron/cron/cron.8,v 1.7.2.9 2003/03/11 21:13:48 trhodes Exp $
|
|
18 |
.\" $FreeBSD: src/usr.sbin/cron/cron/cron.8,v 1.25 2007/06/17 17:25:53 yar Exp $
|
|
19 | 19 |
.\" $DragonFly: src/usr.sbin/cron/cron/cron.8,v 1.3 2006/03/18 20:29:50 dillon Exp $ |
20 | 20 |
.\" |
21 |
.Dd December 20, 1993
|
|
21 |
.Dd June 17, 2007
|
|
22 | 22 |
.Dt CRON 8 |
23 | 23 |
.Os |
24 | 24 |
.Sh NAME |
... | ... | |
54 | 54 |
.Pa /etc/crontab |
55 | 55 |
which is in a different format (see |
56 | 56 |
.Xr crontab 5 ) . |
57 |
.Pp |
|
57 | 58 |
The |
58 | 59 |
.Nm |
59 | 60 |
utility |
60 | 61 |
then wakes up every minute, examining all stored crontabs, checking each |
61 |
command to see if it should be run in the current minute. When executing |
|
62 |
command to see if it should be run in the current minute. |
|
63 |
Before running a command from a per-account crontab file, |
|
64 |
.Nm |
|
65 |
checks the status of the account with |
|
66 |
.Xr pam 3 |
|
67 |
and skips the command if the account is unavailable, |
|
68 |
e.g., locked out or expired. |
|
69 |
Commands from |
|
70 |
.Pa /etc/crontab |
|
71 |
bypass this check. |
|
72 |
When executing |
|
62 | 73 |
commands, any output is mailed to the owner of the crontab (or to the user |
63 | 74 |
named in the |
64 | 75 |
.Ev MAILTO |
... | ... | |
171 | 182 |
trace through the execution, but do not perform any actions |
172 | 183 |
.El |
173 | 184 |
.El |
185 |
.Sh FILES |
|
186 |
.Bl -tag -width /etc/pam.d/cron -compact |
|
187 |
.It Pa /etc/crontab |
|
188 |
System crontab file |
|
189 |
.It Pa /etc/pam.d/cron |
|
190 |
.Xr pam.conf 5 |
|
191 |
configuration file for |
|
192 |
.Nm |
|
193 |
.It Pa /var/cron/tabs |
|
194 |
Directory for personal crontab files |
|
195 |
.El |
|
174 | 196 |
.Sh SEE ALSO |
175 | 197 |
.Xr crontab 1 , |
176 |
.Xr crontab 5 |
|
198 |
.Xr pam 3 , |
|
199 |
.Xr crontab 5 , |
|
200 |
.Xr pam.conf 5 |
|
177 | 201 |
.Sh AUTHORS |
178 | 202 |
.An Paul Vixie Aq paul@vix.com |
cron.h 12 Dec 2007 11:39:16 -0000 | ||
---|---|---|
17 | 17 | |
18 | 18 |
/* cron.h - header for vixie's cron |
19 | 19 |
* |
20 |
* $FreeBSD: src/usr.sbin/cron/cron/cron.h,v 1.9.2.3 2001/05/28 23:37:26 babkin Exp $
|
|
20 |
* $FreeBSD: src/usr.sbin/cron/cron/cron.h,v 1.17 2007/06/17 17:25:53 yar Exp $
|
|
21 | 21 |
* $DragonFly: src/usr.sbin/cron/cron/cron.h,v 1.5 2006/03/18 20:29:50 dillon Exp $ |
22 | 22 |
* |
23 | 23 |
* vix 14nov88 [rest of log is in RCS] |
... | ... | |
76 | 76 |
#define MAX_UNAME 20 /* max length of username, should be overkill */ |
77 | 77 |
#define ROOT_UID 0 /* don't change this, it really must be root */ |
78 | 78 |
#define ROOT_USER "root" /* ditto */ |
79 |
#define SYS_NAME "*system*" /* magic owner name for system crontab */ |
|
79 | 80 | |
80 | 81 |
/* NOTE: these correspond to DebugFlagNames, |
81 | 82 |
* defined below. |
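Review bot: The comment on the new `SYS_NAME` define says only "magic owner name for system crontab", but on this page the same string now gates two checks. database.c skips the `getpwnam()` lookup when `fname` equals it, and do_command.c skips the PAM account check when `u->name` equals it. I would state that invariant on the define, e.g. `/* owner name of /etc/crontab; entries with this owner skip the passwd lookup and the PAM account check, so it must never match a login or a file in the tabs directory */`. Whether the per-user tabs loader can ever pass this name as `fname` is not visible here and is worth confirming before relying on the sentinel.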
database.c 12 Dec 2007 11:39:16 -0000 | ||
---|---|---|
84 | 84 |
new_db.head = new_db.tail = NULL; |
85 | 85 | |
86 | 86 |
if (syscron_stat.st_mtime) { |
87 |
process_crontab("root", "*system*",
|
|
87 |
process_crontab("root", SYS_NAME,
|
|
88 | 88 |
SYSCRONTAB, &syscron_stat, |
89 | 89 |
&new_db, old_db); |
90 | 90 |
} |
... | ... | |
189 | 189 |
int crontab_fd = OK - 1; |
190 | 190 |
user *u; |
191 | 191 | |
192 |
if (strcmp(fname, "*system*") && !(pw = getpwnam(uname))) {
|
|
192 |
if (strcmp(fname, SYS_NAME) && !(pw = getpwnam(uname))) {
|
|
193 | 193 |
/* file doesn't have a user in passwd file. |
194 | 194 |
*/ |
195 | 195 |
log_it(fname, getpid(), "ORPHAN", "no passwd entry"); |
do_command.c 12 Dec 2007 11:54:06 -0000 | ||
---|---|---|
14 | 14 |
* I'll try to keep a version up to date. I can be reached as follows: |
15 | 15 |
* Paul Vixie <paul@vix.com> uunet!decwrl!vixie!paul |
16 | 16 |
* |
17 |
* $FreeBSD: src/usr.sbin/cron/cron/do_command.c,v 1.15.2.5 2001/05/04 00:59:40 peter Exp $
|
|
17 |
* $FreeBSD: src/usr.sbin/cron/cron/do_command.c,v 1.27 2007/06/17 17:25:53 yar Exp $
|
|
18 | 18 |
* $DragonFly: src/usr.sbin/cron/cron/do_command.c,v 1.7 2006/03/18 20:29:50 dillon Exp $ |
19 | 19 |
*/ |
20 | 20 | |
... | ... | |
29 | 29 |
#if defined(LOGIN_CAP) |
30 | 30 |
# include <login_cap.h> |
31 | 31 |
#endif |
32 | ||
32 |
#ifdef PAM |
|
33 |
# include <security/pam_appl.h> |
|
34 |
# include <security/openpam.h> |
|
35 |
#endif |
|
33 | 36 | |
34 | 37 |
static void child_process(entry *, user *), |
35 | 38 |
do_univ(user *); |
... | ... | |
92 | 95 |
usernm = env_get("LOGNAME", e->envp); |
93 | 96 |
mailto = env_get("MAILTO", e->envp); |
94 | 97 | |
98 |
#ifdef PAM |
|
99 |
/* use PAM to see if the user's account is available, |
|
100 |
* i.e., not locked or expired or whatever. skip this |
|
101 |
* for system tasks from /etc/crontab -- they can run |
|
102 |
* as any user. |
|
103 |
*/ |
|
104 |
if (strcmp(u->name, SYS_NAME)) { /* not equal */ |
|
105 |
pam_handle_t *pamh = NULL; |
|
106 |
int pam_err; |
|
107 |
struct pam_conv pamc = { |
|
108 |
.conv = openpam_nullconv, |
|
109 |
.appdata_ptr = NULL |
|
110 |
}; |
|
111 | ||
112 |
Debug(DPROC, ("[%d] checking account with PAM\n", getpid())) |
|
113 | ||
114 |
/* u->name keeps crontab owner name while LOGNAME is the name |
|
115 |
* of user to run command on behalf of. they should be the |
|
116 |
* same for a task from a per-user crontab. |
|
117 |
*/ |
|
118 |
if (strcmp(u->name, usernm)) { |
|
119 |
log_it(usernm, getpid(), "username ambiguity", u->name); |
|
120 |
exit(ERROR_EXIT); |
|
121 |
} |
|
122 | ||
123 |
pam_err = pam_start("cron", usernm, &pamc, &pamh); |
|
124 |
if (pam_err != PAM_SUCCESS) { |
|
125 |
log_it("CRON", getpid(), "error", "can't start PAM"); |
|
126 |
exit(ERROR_EXIT); |
|
127 |
} |
|
128 | ||
129 |
pam_err = pam_acct_mgmt(pamh, PAM_SILENT); |
|
130 |
/* Expired password shouldn't prevent the job from running. */ |
|
131 |
if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD) { |
|
132 |
log_it(usernm, getpid(), "USER", "account unavailable"); |
|
133 |
exit(ERROR_EXIT); |
|
134 |
} |
|
135 | ||
136 |
pam_end(pamh, pam_err); |
|
137 |
} |
|
138 |
#endif |
|
139 | ||
95 | 140 |
#ifdef USE_SIGCHLD |
96 | 141 |
/* our parent is watching for our death by catching SIGCHLD. we |
97 | 142 |
* do not care to watch for our children's deaths this way -- we |