Index: Makefile.in =================================================================== --- Makefile.in.orig 2007-03-19 16:40:39.612098659 +0100 +++ Makefile.in 2007-03-19 16:41:20.522510161 +0100 @@ -28,6 +28,7 @@ YACC = @YACC@ LEX = @LEX@ LEXLIB = @LEXLIB@ SELINUXLIB = @SELINUXLIB@ +PAMLIB = @PAMLIB@ CC = @CC@ CFLAGS = @CFLAGS@ @@ -67,13 +68,13 @@ LIST = Filelist Filelist.asc all: at atd atrun at: $(ATOBJECTS) - $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) + $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) rm -f $(CLONES) $(LN_S) -f at atq $(LN_S) -f at atrm atd: $(RUNOBJECTS) - $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) + $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB) y.tab.c y.tab.h: parsetime.y $(YACC) -d parsetime.y Index: atd.c =================================================================== --- atd.c.orig 2007-03-19 16:40:39.612098659 +0100 +++ atd.c 2007-03-19 16:41:20.526510397 +0100 @@ -93,6 +93,20 @@ int selinux_enabled=0; #include #endif +#ifdef WITH_PAM +#include +static pam_handle_t *pamh = NULL; +static const struct pam_conv conv = { + NULL +}; +#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ + fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ + pam_close_session(pamh, PAM_SILENT); \ + pam_end(pamh, retcode); exit(1); \ + } +#endif + /* Local headers */ #include "privs.h" @@ -102,6 +116,10 @@ int selinux_enabled=0; #include "getloadavg.h" #endif +#ifndef LOG_ATD +#define LOG_ATD LOG_DAEMON +#endif + /* Macros */ #define BATCH_INTERVAL_DEFAULT 60 @@ -195,6 +213,19 @@ myfork() #define fork myfork #endif +#undef ATD_MAIL_PROGRAM +#undef ATD_MAIL_NAME +#if defined(SENDMAIL) +#define ATD_MAIL_PROGRAM SENDMAIL +#define ATD_MAIL_NAME "sendmail" +#elif defined(MAILC) +#define ATD_MAIL_PROGRAM MAILC +#define ATD_MAIL_NAME "mail" +#elif defined(MAILX) +#define ATD_MAIL_PROGRAM MAILX +#define ATD_MAIL_NAME "mailx" +#endif + static void run_file(const char *filename, uid_t uid, gid_t gid) { @@ -217,6 +248,9 @@ run_file(const char *filename, uid_t uid int ngid; char queue; unsigned long jobno; +#ifdef WITH_PAM + int retcode; +#endif sscanf(filename, "%c%5lx", &queue, &jobno); @@ -361,6 +395,23 @@ run_file(const char *filename, uid_t uid fstat(fd_out, &buf); size = buf.st_size; +#ifdef WITH_PAM + PRIV_START + retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); + PAM_FAIL_CHECK; + retcode = pam_set_item(pamh, PAM_TTY, "atd"); + PAM_FAIL_CHECK; + retcode = pam_acct_mgmt(pamh, PAM_SILENT); + PAM_FAIL_CHECK; + retcode = pam_open_session(pamh, PAM_SILENT); + PAM_FAIL_CHECK; + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); + PAM_FAIL_CHECK; + closelog(); + openlog("atd", LOG_PID, LOG_ATD); + PRIV_END +#endif + close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO); @@ -372,6 +423,16 @@ run_file(const char *filename, uid_t uid else if (pid == 0) { char *nul = NULL; char **nenvp = &nul; +#ifdef WITH_PAM + char **pam_envp=0L; +#endif + + PRIV_START +#ifdef WITH_PAM + pam_envp = pam_getenvlist(pamh); + if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) ) + nenvp = pam_envp; +#endif /* Set up things for the child; we want standard input from the * input file, and standard output and error sent to our output file. @@ -394,8 +455,6 @@ run_file(const char *filename, uid_t uid if (chdir(ATJOB_DIR) < 0) perr("Cannot chdir to " ATJOB_DIR); - PRIV_START - nice((tolower((int) queue) - 'a' + 1) * 2); if (initgroups(pentry->pw_name, pentry->pw_gid)) @@ -419,8 +478,8 @@ run_file(const char *filename, uid_t uid int retval=0; struct av_decision avd; - if (get_default_context(pentry->pw_name, NULL, &user_context)) - perr("execle: couldn't get security context for user %s\n", pentry->pw_name); + if (get_default_context(pentry->pw_name, NULL, &user_context)) + perr("execle: couldn't get security context for user %s\n", pentry->pw_name); /* * Since crontab files are not directly executed, * crond must ensure that the crontab file has @@ -428,7 +487,7 @@ run_file(const char *filename, uid_t uid * the user cron job. It performs an entrypoint * permission check for this purpose. */ - if (fgetfilecon(STDIN_FILENO, &file_context) < 0) + if (fgetfilecon(STDIN_FILENO, &file_context) < 0) perr("fgetfilecon FAILED %s", filename); retval = security_compute_av(user_context, @@ -438,26 +497,45 @@ run_file(const char *filename, uid_t uid &avd); freecon(file_context); if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { - if (security_getenforce()==1) - perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); + if (security_getenforce()==1) + perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); } if (setexeccon(user_context) < 0) { if (security_getenforce()==1) { - perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); + perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); } else { - syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); + syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); } } freecon(user_context); } -#endif +#endif if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) perr("Exec failed for /bin/sh"); +#ifdef WITH_SELINUX + if (selinux_enabled>0) { + if (setexeccon(NULL) < 0) { + perr("Could not resset exec context for user %s\n", pentry->pw_name); + } + } +#endif + +#ifdef WITH_PAM + if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L)) + { + for( nenvp = pam_envp; *nenvp != 0L; nenvp++) + free(*nenvp); + free( pam_envp ); + nenvp = &nul; + pam_envp=0L; + } +#endif PRIV_END } + /* We're the parent. Let's wait. */ close(fd_in); @@ -469,13 +547,6 @@ run_file(const char *filename, uid_t uid */ waitpid(pid, (int *) NULL, 0); -#ifdef WITH_SELINUX - if (selinux_enabled>0) { - if (setexeccon(NULL) < 0) { - perr("Could not resset exec context for user %s\n", pentry->pw_name); - } - } -#endif /* Send mail. Unlink the output file after opening it, so it * doesn't hang around after the run. */ @@ -485,6 +556,14 @@ run_file(const char *filename, uid_t uid unlink(filename); +#ifdef WITH_PAM + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); + pam_close_session(pamh, PAM_SILENT); + pam_end(pamh, PAM_ABORT); + closelog(); + openlog("atd", LOG_PID, LOG_ATD); +#endif + /* The job is now finished. We can delete its input file. */ chdir(ATJOB_DIR); @@ -493,7 +572,31 @@ run_file(const char *filename, uid_t uid if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) { + int mail_pid = -1; + +#ifdef WITH_PAM PRIV_START + retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); + PAM_FAIL_CHECK; + retcode = pam_set_item(pamh, PAM_TTY, "atd"); + PAM_FAIL_CHECK; + retcode = pam_acct_mgmt(pamh, PAM_SILENT); + PAM_FAIL_CHECK; + retcode = pam_open_session(pamh, PAM_SILENT); + PAM_FAIL_CHECK; + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); + PAM_FAIL_CHECK; + /* PAM has now re-opened our log to auth.info ! */ + closelog(); + openlog("atd", LOG_PID, LOG_ATD); + PRIV_END +#endif + + mail_pid = fork(); + + if ( mail_pid == 0 ) + { + PRIV_START if (initgroups(pentry->pw_name, pentry->pw_gid)) perr("Cannot delete saved userids"); @@ -506,6 +609,47 @@ run_file(const char *filename, uid_t uid chdir ("/"); +#ifdef WITH_SELINUX + if (selinux_enabled>0) { + security_context_t user_context=NULL; + security_context_t file_context=NULL; + int retval=0; + struct av_decision avd; + + if (get_default_context(pentry->pw_name, NULL, &user_context)) + perr("execle: couldn't get security context for user %s\n", pentry->pw_name); + /* + * Since crontab files are not directly executed, + * crond must ensure that the crontab file has + * a context that is appropriate for the context of + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ + if (fgetfilecon(STDIN_FILENO, &file_context) < 0) + perr("fgetfilecon FAILED %s", filename); + + retval = security_compute_av(user_context, + file_context, + SECCLASS_FILE, + FILE__ENTRYPOINT, + &avd); + freecon(file_context); + if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { + if (security_getenforce()==1) + perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); + } + + if (setexeccon(user_context) < 0) { + if (security_getenforce()==1) { + perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); + } else { + syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); + } + } + freecon(user_context); + } +#endif + #if defined(SENDMAIL) execl(SENDMAIL, "sendmail", mailname, (char *) NULL); #elif defined(MAILC) @@ -517,7 +661,33 @@ run_file(const char *filename, uid_t uid #endif perr("Exec failed for mail command"); - PRIV_END + exit (-1); + +#ifdef WITH_SELINUX + if (selinux_enabled>0) { + if (setexeccon(NULL) < 0) { + perr("Could not resset exec context for user %s\n", pentry->pw_name); + } + } +#endif + + PRIV_END; + } else if ( mail_pid == -1 ) + { + perr("fork of mailer failed"); + } + else + { + /* Parent */ + waitpid(mail_pid, (int *) NULL, 0); + } +#ifdef WITH_PAM + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); + pam_close_session(pamh, PAM_SILENT); + pam_end(pamh, PAM_ABORT); + closelog(); + openlog("atd", LOG_PID, LOG_ATD); +#endif } exit(EXIT_SUCCESS); } @@ -712,7 +882,7 @@ main(int argc, char *argv[]) #ifdef WITH_SELINUX selinux_enabled=is_selinux_enabled(); -#endif +#endif /* We don't need root privileges all the time; running under uid and gid * daemon is fine. */ @@ -729,12 +899,7 @@ main(int argc, char *argv[]) RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid) -#ifndef LOG_CRON -#define LOG_CRON LOG_DAEMON -#endif - - openlog("atd", LOG_PID, LOG_CRON); - + openlog("atd", LOG_PID, LOG_ATD); opterr = 0; errno = 0; run_as_daemon = 1; Index: config.h.in =================================================================== --- config.h.in.orig 2007-03-19 16:40:39.612098659 +0100 +++ config.h.in 2007-03-19 16:41:20.550511811 +0100 @@ -187,3 +187,7 @@ /* Define if you are building with_selinux */ #undef WITH_SELINUX + +/* Define if you are building with_pam */ +#undef WITH_PAM + Index: configure.in =================================================================== --- configure.in.orig 2007-03-19 16:40:39.644100546 +0100 +++ configure.in 2007-03-19 16:41:20.566512755 +0100 @@ -323,4 +323,11 @@ AC_CHECK_LIB(selinux, is_selinux_enabled AC_SUBST(SELINUXLIB) AC_SUBST(WITH_SELINUX) +AC_ARG_WITH(pam, +[ --with-pam Define to enable pam support ], +AC_DEFINE(WITH_PAM), +) +AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc') +AC_SUBST(PAMLIB) + AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch) Index: perm.c =================================================================== --- perm.c.orig 2007-03-19 16:40:39.644100546 +0100 +++ perm.c 2007-03-19 16:41:35.667402890 +0100 @@ -109,14 +109,15 @@ user_in_file(const char *path, const cha int check_permission() { - uid_t uid = geteuid(); + uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid(); struct passwd *pentry; int allow = 0, deny = 1; + int retcode=0; - if (uid == 0) + if (euid == 0) return 1; - if ((pentry = getpwuid(uid)) == NULL) { + if ((pentry = getpwuid(euid)) == NULL) { perror("Cannot access user database"); exit(EXIT_FAILURE); }