From bc9aef5aa34825c225f1ec3ff6f66465b88ed430 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 2 Dec 2014 17:08:20 +0100 Subject: [PATCH] call PAM only for non-root user or non-system crontabs (#956157) - bypass the PAM check in crontab for root (#1169175) --- cronie-1.4.12-pam-no-root.patch | 81 +++++++++++++++++++++++++++++++ cronie-1.4.12-refresh-users.patch | 1 - cronie.spec | 8 ++- 3 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 cronie-1.4.12-pam-no-root.patch diff --git a/cronie-1.4.12-pam-no-root.patch b/cronie-1.4.12-pam-no-root.patch new file mode 100644 index 0000000..8a1c664 --- /dev/null +++ b/cronie-1.4.12-pam-no-root.patch @@ -0,0 +1,81 @@ +diff --git a/src/crontab.c b/src/crontab.c +index 22571ff..d165a06 100644 +--- a/src/crontab.c ++++ b/src/crontab.c +@@ -170,7 +170,7 @@ int main(int argc, char *argv[]) { + } + + #if defined(WITH_PAM) +- if (cron_start_pam(pw) != PAM_SUCCESS) { ++ if (getuid() != 0 && cron_start_pam(pw) != PAM_SUCCESS) { + fprintf(stderr, + "You (%s) are not allowed to access to (%s) because of pam configuration.\n", + User, ProgramName); +diff --git a/src/security.c b/src/security.c +index 4eee004..079ea2a 100644 +--- a/src/security.c ++++ b/src/security.c +@@ -88,6 +88,7 @@ static int cron_open_pam_session(struct passwd *pw); + if (pam_session_opened != 0) \ + pam_close_session(pamh, PAM_SILENT); \ + pam_end(pamh, retcode); \ ++ pamh = NULL; \ + } \ + return(retcode); } + #endif +@@ -122,7 +123,8 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED, + } + + #ifdef WITH_PAM +- if ((ret = cron_start_pam(e->pwd)) != 0) { ++ /* PAM is called only for non-root users or non-system crontab */ ++ if ((!u->system || e->pwd->pw_uid != 0) && (ret = cron_start_pam(e->pwd)) != 0) { + log_it(e->pwd->pw_name, getpid(), "FAILED to authorize user with PAM", + pam_strerror(pamh, ret), 0); + return -1; +@@ -152,7 +154,7 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED, + freecon(ucontext); + #endif + #ifdef WITH_PAM +- if ((ret = cron_open_pam_session(e->pwd)) != 0) { ++ if (pamh != NULL && (ret = cron_open_pam_session(e->pwd)) != 0) { + log_it(e->pwd->pw_name, getpid(), + "FAILED to open PAM security session", pam_strerror(pamh, ret), 0); + return -1; +@@ -223,7 +225,10 @@ void cron_close_pam(void) { + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); + pam_close_session(pamh, PAM_SILENT); + } +- pam_end(pamh, PAM_SUCCESS); ++ if (pamh != NULL) { ++ pam_end(pamh, PAM_SUCCESS); ++ pamh = NULL; ++ } + #endif + } + +diff --git a/src/structs.h b/src/structs.h +index 272777a..6d3c15b 100644 +--- a/src/structs.h ++++ b/src/structs.h +@@ -67,6 +67,7 @@ typedef struct _user { + time_t mtime; /* last modtime of crontab */ + entry *crontab; /* this person's crontab */ + security_context_t scontext; /* SELinux security context */ ++ int system; /* is it a system crontab */ + } user; + + typedef struct _orphan { +diff --git a/src/user.c b/src/user.c +index 20c0d96..e950db7 100644 +--- a/src/user.c ++++ b/src/user.c +@@ -89,6 +89,8 @@ load_user (int crontab_fd, struct passwd *pw, const char *uname, + goto done; + } + ++ u->system = pw == NULL; ++ + /* init environment. this will be copied/augmented for each entry. + */ + if ((envp = env_init()) == NULL) { diff --git a/cronie-1.4.12-refresh-users.patch b/cronie-1.4.12-refresh-users.patch index f278146..5e7dbb4 100644 --- a/cronie-1.4.12-refresh-users.patch +++ b/cronie-1.4.12-refresh-users.patch @@ -160,7 +160,6 @@ index 479e6cc..7cc5aed 100644 + + return envp; +} -\ No newline at end of file diff --git a/src/funcs.h b/src/funcs.h index 76376b9..ddf9e2a 100644 --- a/src/funcs.h diff --git a/cronie.spec b/cronie.spec index bbe3f53..73ea1fb 100644 --- a/cronie.spec +++ b/cronie.spec @@ -6,12 +6,13 @@ Summary: Cron daemon for executing programs at set times Name: cronie Version: 1.4.12 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT and BSD and ISC and GPLv2+ Group: System Environment/Base URL: https://fedorahosted.org/cronie Source0: https://fedorahosted.org/releases/c/r/cronie/%{name}-%{version}.tar.gz Patch1: cronie-1.4.12-refresh-users.patch +Patch2: cronie-1.4.12-pam-no-root.patch Requires: dailyjobs @@ -77,6 +78,7 @@ extra features. %prep %setup -q %patch1 -p1 -b .refresh +%patch2 -p1 -b .pam-no-root %build %configure \ @@ -203,6 +205,10 @@ exit 0 %attr(0644,root,root) %{_sysconfdir}/cron.d/dailyjobs %changelog +* Tue Dec 2 2014 Tomáš Mráz - 1.4.12-3 +- call PAM only for non-root user or non-system crontabs (#956157) +- bypass the PAM check in crontab for root (#1169175) + * Tue Nov 4 2014 Tomáš Mráz - 1.4.12-2 - refresh user entries when jobs are run