Bug #881 ยป cron_pam_support.diff
| Makefile 12 Dec 2007 11:39:16 -0000 | ||
|---|---|---|
| 1 |
# $FreeBSD: src/usr.sbin/cron/cron/Makefile,v 1.12.2.1 2001/04/25 12:09:23 ru Exp $
|
|
| 1 |
# $FreeBSD: src/usr.sbin/cron/cron/Makefile,v 1.16 2007/06/17 17:25:53 yar Exp $
|
|
| 2 | 2 |
# $DragonFly: src/usr.sbin/cron/cron/Makefile,v 1.2 2003/06/17 04:29:53 dillon Exp $ |
| 3 | 3 | |
| 4 | 4 |
PROG= cron |
| 5 | 5 |
SRCS= cron.c database.c do_command.c job.c user.c popen.c |
| 6 |
CFLAGS+=-DLOGIN_CAP |
|
| 7 |
DPADD= ${LIBCRON} ${LIBUTIL}
|
|
| 8 |
LDADD= ${LIBCRON} -lutil
|
|
| 6 |
CFLAGS+=-DLOGIN_CAP -DPAM
|
|
| 7 |
DPADD= ${LIBCRON} ${LIBPAM} ${LIBUTIL}
|
|
| 8 |
LDADD= ${LIBCRON} -lpam -lutil
|
|
| 9 | 9 |
MAN= cron.8 |
| 10 | 10 | |
| 11 | 11 |
.include <bsd.prog.mk> |
| cron.8 12 Dec 2007 11:39:16 -0000 | ||
|---|---|---|
| 15 | 15 |
.\" * Paul Vixie <paul@vix.com> uunet!decwrl!vixie!paul |
| 16 | 16 |
.\" */ |
| 17 | 17 |
.\" |
| 18 |
.\" $FreeBSD: src/usr.sbin/cron/cron/cron.8,v 1.7.2.9 2003/03/11 21:13:48 trhodes Exp $
|
|
| 18 |
.\" $FreeBSD: src/usr.sbin/cron/cron/cron.8,v 1.25 2007/06/17 17:25:53 yar Exp $
|
|
| 19 | 19 |
.\" $DragonFly: src/usr.sbin/cron/cron/cron.8,v 1.3 2006/03/18 20:29:50 dillon Exp $ |
| 20 | 20 |
.\" |
| 21 |
.Dd December 20, 1993
|
|
| 21 |
.Dd June 17, 2007
|
|
| 22 | 22 |
.Dt CRON 8 |
| 23 | 23 |
.Os |
| 24 | 24 |
.Sh NAME |
| ... | ... | |
| 54 | 54 |
.Pa /etc/crontab |
| 55 | 55 |
which is in a different format (see |
| 56 | 56 |
.Xr crontab 5 ) . |
| 57 |
.Pp |
|
| 57 | 58 |
The |
| 58 | 59 |
.Nm |
| 59 | 60 |
utility |
| 60 | 61 |
then wakes up every minute, examining all stored crontabs, checking each |
| 61 |
command to see if it should be run in the current minute. When executing |
|
| 62 |
command to see if it should be run in the current minute. |
|
| 63 |
Before running a command from a per-account crontab file, |
|
| 64 |
.Nm |
|
| 65 |
checks the status of the account with |
|
| 66 |
.Xr pam 3 |
|
| 67 |
and skips the command if the account is unavailable, |
|
| 68 |
e.g., locked out or expired. |
|
| 69 |
Commands from |
|
| 70 |
.Pa /etc/crontab |
|
| 71 |
bypass this check. |
|
| 72 |
When executing |
|
| 62 | 73 |
commands, any output is mailed to the owner of the crontab (or to the user |
| 63 | 74 |
named in the |
| 64 | 75 |
.Ev MAILTO |
| ... | ... | |
| 171 | 182 |
trace through the execution, but do not perform any actions |
| 172 | 183 |
.El |
| 173 | 184 |
.El |
| 185 |
.Sh FILES |
|
| 186 |
.Bl -tag -width /etc/pam.d/cron -compact |
|
| 187 |
.It Pa /etc/crontab |
|
| 188 |
System crontab file |
|
| 189 |
.It Pa /etc/pam.d/cron |
|
| 190 |
.Xr pam.conf 5 |
|
| 191 |
configuration file for |
|
| 192 |
.Nm |
|
| 193 |
.It Pa /var/cron/tabs |
|
| 194 |
Directory for personal crontab files |
|
| 195 |
.El |
|
| 174 | 196 |
.Sh SEE ALSO |
| 175 | 197 |
.Xr crontab 1 , |
| 176 |
.Xr crontab 5 |
|
| 198 |
.Xr pam 3 , |
|
| 199 |
.Xr crontab 5 , |
|
| 200 |
.Xr pam.conf 5 |
|
| 177 | 201 |
.Sh AUTHORS |
| 178 | 202 |
.An Paul Vixie Aq paul@vix.com |
| cron.h 12 Dec 2007 11:39:16 -0000 | ||
|---|---|---|
| 17 | 17 | |
| 18 | 18 |
/* cron.h - header for vixie's cron |
| 19 | 19 |
* |
| 20 |
* $FreeBSD: src/usr.sbin/cron/cron/cron.h,v 1.9.2.3 2001/05/28 23:37:26 babkin Exp $
|
|
| 20 |
* $FreeBSD: src/usr.sbin/cron/cron/cron.h,v 1.17 2007/06/17 17:25:53 yar Exp $
|
|
| 21 | 21 |
* $DragonFly: src/usr.sbin/cron/cron/cron.h,v 1.5 2006/03/18 20:29:50 dillon Exp $ |
| 22 | 22 |
* |
| 23 | 23 |
* vix 14nov88 [rest of log is in RCS] |
| ... | ... | |
| 76 | 76 |
#define MAX_UNAME 20 /* max length of username, should be overkill */ |
| 77 | 77 |
#define ROOT_UID 0 /* don't change this, it really must be root */ |
| 78 | 78 |
#define ROOT_USER "root" /* ditto */ |
| 79 |
#define SYS_NAME "*system*" /* magic owner name for system crontab */ |
|
| 79 | 80 | |
| 80 | 81 |
/* NOTE: these correspond to DebugFlagNames, |
| 81 | 82 |
* defined below. |
| database.c 12 Dec 2007 11:39:16 -0000 | ||
|---|---|---|
| 84 | 84 |
new_db.head = new_db.tail = NULL; |
| 85 | 85 | |
| 86 | 86 |
if (syscron_stat.st_mtime) {
|
| 87 |
process_crontab("root", "*system*",
|
|
| 87 |
process_crontab("root", SYS_NAME,
|
|
| 88 | 88 |
SYSCRONTAB, &syscron_stat, |
| 89 | 89 |
&new_db, old_db); |
| 90 | 90 |
} |
| ... | ... | |
| 189 | 189 |
int crontab_fd = OK - 1; |
| 190 | 190 |
user *u; |
| 191 | 191 | |
| 192 |
if (strcmp(fname, "*system*") && !(pw = getpwnam(uname))) {
|
|
| 192 |
if (strcmp(fname, SYS_NAME) && !(pw = getpwnam(uname))) {
|
|
| 193 | 193 |
/* file doesn't have a user in passwd file. |
| 194 | 194 |
*/ |
| 195 | 195 |
log_it(fname, getpid(), "ORPHAN", "no passwd entry"); |
| do_command.c 12 Dec 2007 11:54:06 -0000 | ||
|---|---|---|
| 14 | 14 |
* I'll try to keep a version up to date. I can be reached as follows: |
| 15 | 15 |
* Paul Vixie <paul@vix.com> uunet!decwrl!vixie!paul |
| 16 | 16 |
* |
| 17 |
* $FreeBSD: src/usr.sbin/cron/cron/do_command.c,v 1.15.2.5 2001/05/04 00:59:40 peter Exp $
|
|
| 17 |
* $FreeBSD: src/usr.sbin/cron/cron/do_command.c,v 1.27 2007/06/17 17:25:53 yar Exp $
|
|
| 18 | 18 |
* $DragonFly: src/usr.sbin/cron/cron/do_command.c,v 1.7 2006/03/18 20:29:50 dillon Exp $ |
| 19 | 19 |
*/ |
| 20 | 20 | |
| ... | ... | |
| 29 | 29 |
#if defined(LOGIN_CAP) |
| 30 | 30 |
# include <login_cap.h> |
| 31 | 31 |
#endif |
| 32 | ||
| 32 |
#ifdef PAM |
|
| 33 |
# include <security/pam_appl.h> |
|
| 34 |
# include <security/openpam.h> |
|
| 35 |
#endif |
|
| 33 | 36 | |
| 34 | 37 |
static void child_process(entry *, user *), |
| 35 | 38 |
do_univ(user *); |
| ... | ... | |
| 92 | 95 |
usernm = env_get("LOGNAME", e->envp);
|
| 93 | 96 |
mailto = env_get("MAILTO", e->envp);
|
| 94 | 97 | |
| 98 |
#ifdef PAM |
|
| 99 |
/* use PAM to see if the user's account is available, |
|
| 100 |
* i.e., not locked or expired or whatever. skip this |
|
| 101 |
* for system tasks from /etc/crontab -- they can run |
|
| 102 |
* as any user. |
|
| 103 |
*/ |
|
| 104 |
if (strcmp(u->name, SYS_NAME)) { /* not equal */
|
|
| 105 |
pam_handle_t *pamh = NULL; |
|
| 106 |
int pam_err; |
|
| 107 |
struct pam_conv pamc = {
|
|
| 108 |
.conv = openpam_nullconv, |
|
| 109 |
.appdata_ptr = NULL |
|
| 110 |
}; |
|
| 111 | ||
| 112 |
Debug(DPROC, ("[%d] checking account with PAM\n", getpid()))
|
|
| 113 | ||
| 114 |
/* u->name keeps crontab owner name while LOGNAME is the name |
|
| 115 |
* of user to run command on behalf of. they should be the |
|
| 116 |
* same for a task from a per-user crontab. |
|
| 117 |
*/ |
|
| 118 |
if (strcmp(u->name, usernm)) {
|
|
| 119 |
log_it(usernm, getpid(), "username ambiguity", u->name); |
|
| 120 |
exit(ERROR_EXIT); |
|
| 121 |
} |
|
| 122 | ||
| 123 |
pam_err = pam_start("cron", usernm, &pamc, &pamh);
|
|
| 124 |
if (pam_err != PAM_SUCCESS) {
|
|
| 125 |
log_it("CRON", getpid(), "error", "can't start PAM");
|
|
| 126 |
exit(ERROR_EXIT); |
|
| 127 |
} |
|
| 128 | ||
| 129 |
pam_err = pam_acct_mgmt(pamh, PAM_SILENT); |
|
| 130 |
/* Expired password shouldn't prevent the job from running. */ |
|
| 131 |
if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD) {
|
|
| 132 |
log_it(usernm, getpid(), "USER", "account unavailable"); |
|
| 133 |
exit(ERROR_EXIT); |
|
| 134 |
} |
|
| 135 | ||
| 136 |
pam_end(pamh, pam_err); |
|
| 137 |
} |
|
| 138 |
#endif |
|
| 139 | ||
| 95 | 140 |
#ifdef USE_SIGCHLD |
| 96 | 141 |
/* our parent is watching for our death by catching SIGCHLD. we |
| 97 | 142 |
* do not care to watch for our children's deaths this way -- we |