bc9aef5aa3
- bypass the PAM check in crontab for root (#1169175)
82 lines
2.5 KiB
Diff
82 lines
2.5 KiB
Diff
diff --git a/src/crontab.c b/src/crontab.c
|
|
index 22571ff..d165a06 100644
|
|
--- a/src/crontab.c
|
|
+++ b/src/crontab.c
|
|
@@ -170,7 +170,7 @@ int main(int argc, char *argv[]) {
|
|
}
|
|
|
|
#if defined(WITH_PAM)
|
|
- if (cron_start_pam(pw) != PAM_SUCCESS) {
|
|
+ if (getuid() != 0 && cron_start_pam(pw) != PAM_SUCCESS) {
|
|
fprintf(stderr,
|
|
"You (%s) are not allowed to access to (%s) because of pam configuration.\n",
|
|
User, ProgramName);
|
|
diff --git a/src/security.c b/src/security.c
|
|
index 4eee004..079ea2a 100644
|
|
--- a/src/security.c
|
|
+++ b/src/security.c
|
|
@@ -88,6 +88,7 @@ static int cron_open_pam_session(struct passwd *pw);
|
|
if (pam_session_opened != 0) \
|
|
pam_close_session(pamh, PAM_SILENT); \
|
|
pam_end(pamh, retcode); \
|
|
+ pamh = NULL; \
|
|
} \
|
|
return(retcode); }
|
|
#endif
|
|
@@ -122,7 +123,8 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED,
|
|
}
|
|
|
|
#ifdef WITH_PAM
|
|
- if ((ret = cron_start_pam(e->pwd)) != 0) {
|
|
+ /* PAM is called only for non-root users or non-system crontab */
|
|
+ if ((!u->system || e->pwd->pw_uid != 0) && (ret = cron_start_pam(e->pwd)) != 0) {
|
|
log_it(e->pwd->pw_name, getpid(), "FAILED to authorize user with PAM",
|
|
pam_strerror(pamh, ret), 0);
|
|
return -1;
|
|
@@ -152,7 +154,7 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED,
|
|
freecon(ucontext);
|
|
#endif
|
|
#ifdef WITH_PAM
|
|
- if ((ret = cron_open_pam_session(e->pwd)) != 0) {
|
|
+ if (pamh != NULL && (ret = cron_open_pam_session(e->pwd)) != 0) {
|
|
log_it(e->pwd->pw_name, getpid(),
|
|
"FAILED to open PAM security session", pam_strerror(pamh, ret), 0);
|
|
return -1;
|
|
@@ -223,7 +225,10 @@ void cron_close_pam(void) {
|
|
pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
|
|
pam_close_session(pamh, PAM_SILENT);
|
|
}
|
|
- pam_end(pamh, PAM_SUCCESS);
|
|
+ if (pamh != NULL) {
|
|
+ pam_end(pamh, PAM_SUCCESS);
|
|
+ pamh = NULL;
|
|
+ }
|
|
#endif
|
|
}
|
|
|
|
diff --git a/src/structs.h b/src/structs.h
|
|
index 272777a..6d3c15b 100644
|
|
--- a/src/structs.h
|
|
+++ b/src/structs.h
|
|
@@ -67,6 +67,7 @@ typedef struct _user {
|
|
time_t mtime; /* last modtime of crontab */
|
|
entry *crontab; /* this person's crontab */
|
|
security_context_t scontext; /* SELinux security context */
|
|
+ int system; /* is it a system crontab */
|
|
} user;
|
|
|
|
typedef struct _orphan {
|
|
diff --git a/src/user.c b/src/user.c
|
|
index 20c0d96..e950db7 100644
|
|
--- a/src/user.c
|
|
+++ b/src/user.c
|
|
@@ -89,6 +89,8 @@ load_user (int crontab_fd, struct passwd *pw, const char *uname,
|
|
goto done;
|
|
}
|
|
|
|
+ u->system = pw == NULL;
|
|
+
|
|
/* init environment. this will be copied/augmented for each entry.
|
|
*/
|
|
if ((envp = env_init()) == NULL) {
|