call PAM only for non-root user or non-system crontabs (#956157)

- bypass the PAM check in crontab for root (#1169175)

cronie-1.4.12-pam-no-root.patch

@@ -0,0 +1,81 @@
+diff --git a/src/crontab.c b/src/crontab.c
+index 22571ff..d165a06 100644
+--- a/src/crontab.c
++++ b/src/crontab.c
+@@ -170,7 +170,7 @@ int main(int argc, char *argv[]) {
+ 	}
+ 
+ #if defined(WITH_PAM)
+-	if (cron_start_pam(pw) != PAM_SUCCESS) {
++	if (getuid() != 0 && cron_start_pam(pw) != PAM_SUCCESS) {
+ 		fprintf(stderr,
+ 			"You (%s) are not allowed to access to (%s) because of pam configuration.\n",
+ 			User, ProgramName);
+diff --git a/src/security.c b/src/security.c
+index 4eee004..079ea2a 100644
+--- a/src/security.c
++++ b/src/security.c
+@@ -88,6 +88,7 @@ static int cron_open_pam_session(struct passwd *pw);
+ 		if (pam_session_opened != 0) \
+ 			pam_close_session(pamh, PAM_SILENT); \
+ 		pam_end(pamh, retcode); \
++		pamh = NULL; \
+ 	} \
+ return(retcode); }
+ #endif
+@@ -122,7 +123,8 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED,
+ 	}
+ 
+ #ifdef WITH_PAM
+-	if ((ret = cron_start_pam(e->pwd)) != 0) {
++	/* PAM is called only for non-root users or non-system crontab */
++	if ((!u->system || e->pwd->pw_uid != 0) && (ret = cron_start_pam(e->pwd)) != 0) {
+ 		log_it(e->pwd->pw_name, getpid(), "FAILED to authorize user with PAM",
+ 			pam_strerror(pamh, ret), 0);
+ 		return -1;
+@@ -152,7 +154,7 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED,
+ 		freecon(ucontext);
+ #endif
+ #ifdef WITH_PAM
+-	if ((ret = cron_open_pam_session(e->pwd)) != 0) {
++	if (pamh != NULL && (ret = cron_open_pam_session(e->pwd)) != 0) {
+ 		log_it(e->pwd->pw_name, getpid(),
+ 			"FAILED to open PAM security session", pam_strerror(pamh, ret), 0);
+ 		return -1;
+@@ -223,7 +225,10 @@ void cron_close_pam(void) {
+ 		pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ 		pam_close_session(pamh, PAM_SILENT);
+ 	}
+-	pam_end(pamh, PAM_SUCCESS);
++	if (pamh != NULL) {
++		pam_end(pamh, PAM_SUCCESS);
++		pamh = NULL;
++	}
+ #endif
+ }
+ 
+diff --git a/src/structs.h b/src/structs.h
+index 272777a..6d3c15b 100644
+--- a/src/structs.h
++++ b/src/structs.h
+@@ -67,6 +67,7 @@ typedef	struct _user {
+ 	time_t		mtime;		/* last modtime of crontab */
+ 	entry		*crontab;	/* this person's crontab */
+ 	security_context_t	scontext;    /* SELinux security context */
++	int		system;		/* is it a system crontab */
+ } user;
+ 
+ typedef	struct _orphan {
+diff --git a/src/user.c b/src/user.c
+index 20c0d96..e950db7 100644
+--- a/src/user.c
++++ b/src/user.c
+@@ -89,6 +89,8 @@ load_user (int crontab_fd, struct passwd *pw, const char *uname,
+ 		goto done;
+ 	}
+ 
++	u->system = pw == NULL;
++
+ 	/* init environment.  this will be copied/augmented for each entry.
+ 	*/
+ 	if ((envp = env_init()) == NULL) {

cronie-1.4.12-refresh-users.patch

@@ -160,7 +160,6 @@ index 479e6cc..7cc5aed 100644
 +
 +	return envp;
 +}
-\ No newline at end of file
 diff --git a/src/funcs.h b/src/funcs.h
 index 76376b9..ddf9e2a 100644
 --- a/src/funcs.h

cronie.spec

@@ -6,12 +6,13 @@
 Summary:   Cron daemon for executing programs at set times
 Name:      cronie
 Version:   1.4.12
-Release:   2%{?dist}
+Release:   3%{?dist}
 License:   MIT and BSD and ISC and GPLv2+
 Group:     System Environment/Base
 URL:       https://fedorahosted.org/cronie
 Source0:   https://fedorahosted.org/releases/c/r/cronie/%{name}-%{version}.tar.gz
 Patch1:    cronie-1.4.12-refresh-users.patch
+Patch2:    cronie-1.4.12-pam-no-root.patch
 
 Requires:  dailyjobs
 
@@ -77,6 +78,7 @@ extra features.
 %prep
 %setup -q
 %patch1 -p1 -b .refresh
+%patch2 -p1 -b .pam-no-root
 
 %build
 %configure \
@@ -203,6 +205,10 @@ exit 0
 %attr(0644,root,root) %{_sysconfdir}/cron.d/dailyjobs
 
 %changelog
+* Tue Dec  2 2014 Tomáš Mráz <tmraz@redhat.com> - 1.4.12-3
+- call PAM only for non-root user or non-system crontabs (#956157)
+- bypass the PAM check in crontab for root (#1169175)
+
 * Tue Nov  4 2014 Tomáš Mráz <tmraz@redhat.com> - 1.4.12-2
 - refresh user entries when jobs are run