rpms/vixie-cron/F-7 vixie-cron-4.1-fixs.patch, NONE, 1.1 vixie-cron-4.1-pam_crontab.patch, NONE, 1.1 vixie-cron-4.1-tmp.patch, NONE, 1.1 vixie-cron.init, 1.4, 1.5 vixie-cron.spec, 1.98, 1.99
Marcela Mašláňová (mmaslano)
fedora-extras-commits at redhat.com
Mon Jul 30 15:13:56 UTC 2007
Author: mmaslano
Update of /cvs/pkgs/rpms/vixie-cron/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9208
Modified Files:
vixie-cron.init vixie-cron.spec
Added Files:
vixie-cron-4.1-fixs.patch vixie-cron-4.1-pam_crontab.patch
vixie-cron-4.1-tmp.patch
Log Message:
Add patches to update cron.
vixie-cron-4.1-fixs.patch:
--- NEW FILE vixie-cron-4.1-fixs.patch ---
--- vixie-cron-4.1/security.c.bug 2007-07-02 12:11:56.000000000 +0200
+++ vixie-cron-4.1/security.c 2007-07-02 12:20:25.000000000 +0200
@@ -201,13 +201,6 @@
return -1;
}
- if ( chdir(homedir) == -1 )
- {
- log_it("CRON", getpid(), "chdir(HOME) failed:", strerror(errno));
- log_it("CRON", getpid(), homedir, strerror(errno));
- return -1;
- }
-
if ( initgroups( pw->pw_name, pw->pw_gid ) != 0 )
{
log_it("CRON", getpid(), "initgroups failed:", strerror(errno));
@@ -219,7 +212,14 @@
log_it("CRON", getpid(), "setuid failed:", strerror(errno));
return -1;
}
-
+
+ if ( chdir(homedir) == -1 )
+ {
+ log_it("CRON", getpid(), "chdir(HOME) failed:", strerror(errno));
+ log_it("CRON", getpid(), homedir, strerror(errno));
+ return -1;
+ }
+
return 0;
}
--- vixie-cron-4.1/crontab.1.bug 2007-07-02 12:11:56.000000000 +0200
+++ vixie-cron-4.1/crontab.1 2007-07-02 12:20:55.000000000 +0200
@@ -19,7 +19,7 @@
.\"
.\" $Id: crontab.1,v 1.7 2004/01/23 19:03:32 vixie Exp $
.\"
-.TH CRONTAB 1 "16 Januar 2007"
+.TH CRONTAB 1 "16 January 2007"
.UC 4
.SH NAME
crontab \- maintain crontab files for individual users (ISC Cron V4.1)
vixie-cron-4.1-pam_crontab.patch:
--- NEW FILE vixie-cron-4.1-pam_crontab.patch ---
--- vixie-cron-4.1/cron.h.old 2007-07-30 16:34:07.000000000 +0200
+++ vixie-cron-4.1/cron.h 2007-07-26 15:14:19.000000000 +0200
@@ -47,3 +47,20 @@
#include "funcs.h"
#include "globals.h"
+#ifdef WITH_PAM
+static pam_handle_t *pamh = NULL;
+static int pam_session_opened = 0; //global for open session
+static const struct pam_conv conv = {
+ NULL
+};
+
+#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+ fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+ if (pamh != NULL) { \
+ if (pam_session_opened != 0) \
+ pam_close_session(pamh, PAM_SILENT); \
+ pam_end(pamh, retcode); \
+ } \
+ return(retcode); }
+#endif
+
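Review bot: `pamh` and `pam_session_opened` are defined `static` in cron.h, so every source file that includes the header gets its own private copy and the `//global for open session` comment does not hold. They are better defined once in security.c, where this commit removes the previous definitions, with the macro next to them. PAM_FAIL_CHECK also leaves `pamh` pointing at the handle it has just given to `pam_end()`, so a later `cron_close_pam()` would pass the same handle to `pam_end()` again; adding `pamh = NULL; pam_session_opened = 0;` after the `pam_end(pamh, retcode);` line avoids that. Unlike the macro removed from security.c, this one no longer writes the PAM error to syslog, and it hides a `return` without being wrapped in `do { ... } while (0)`; a comment on the macro should say both.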
--- vixie-cron-4.1/do_command.c.old 2007-07-30 16:34:08.000000000 +0200
+++ vixie-cron-4.1/do_command.c 2007-07-26 16:56:11.000000000 +0200
@@ -71,7 +71,7 @@
*/
if ( cron_set_job_security_context( e, u, &jobenv ) != 0 )
{
- syslog(LOG_INFO, "CRON (%s) ERROR: cannot set security context", e->pwd->pw_name);
+ //syslog(LOG_INFO, "CRON (%s) ERROR: cannot set security context", e->pwd->pw_name);
exit(ERROR_EXIT);
}
@@ -158,7 +158,7 @@
switch (fork()) {
case -1:
log_it("CRON", getpid(), "error", "can't fork");
- cron_close_security_session();
+ cron_close_pam();
exit(ERROR_EXIT);
/*NOTREACHED*/
case 0:
@@ -523,7 +523,7 @@
Debug(DPROC, (", dumped core"))
Debug(DPROC, ("\n"))
}
- cron_close_security_session();
+ cron_close_pam();
env_free(jobenv);
}
--- vixie-cron-4.1/crontab.c.old 2007-07-30 16:34:09.000000000 +0200
+++ vixie-cron-4.1/crontab.c 2007-07-30 10:49:09.000000000 +0200
@@ -37,7 +37,6 @@
#include <selinux/av_permissions.h>
#endif
-
#define NHEADER_LINES 0
enum opt_t { opt_unknown, opt_list, opt_delete, opt_edit, opt_replace };
@@ -118,7 +117,14 @@
fprintf(stderr, "See crontab(1) for more information\n");
log_it(RealUser, Pid, "AUTH", "crontab command not allowed");
exit(ERROR_EXIT);
- }
+ }
+ if (cron_start_pam(pw) != PAM_SUCCESS) {
+ fprintf(stderr,
+ "You (%s) are not allowed to access to (%s) because of pam configuration.\n",
+ User, ProgramName);
+ exit(ERROR_EXIT);
+ };
+
exitstatus = OK_EXIT;
switch (Option) {
case opt_unknown:
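Review bot: A PAM refusal exits here with only a message on stderr, while the `allowed()` refusal directly above also records the event with `log_it(RealUser, Pid, "AUTH", ...)`. Adding a matching line before the `exit`, for example `log_it(RealUser, Pid, "AUTH", "crontab command denied by PAM");`, keeps denied attempts visible in the log. The test uses `PAM_SUCCESS` outside any `#ifdef WITH_PAM`, and cron.h adds its PAM declarations only under that guard, so a build without PAM may not compile; comparing against `0`, as `cron_set_job_security_context()` does, avoids that. The `};` closing the block has a stray semicolon. The enclosing function starts before the hunk and continues after it.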
@@ -140,6 +146,7 @@
default:
abort();
}
+ cron_close_pam();
exit(exitstatus);
/*NOTREACHED*/
}
@@ -384,31 +391,14 @@
fprintf(stderr, "path too long\n");
goto fatal;
}
- //syslog(LOG_ERR,"%s%s",Filename,tmp_path());
- //syslog(LOG_ERR,"BEFORE MKSTEMP pid: %d uid: %d gid: %d",Pid,MY_UID(pw), MY_GID(pw));//uid, gid);
uid = MY_UID(pw);
setreuid(0, uid);
- //syslog(LOG_ERR,"BEFORE MKSTEMP SETREUID pid: %d uid: %d gid: %d",Pid,MY_UID(pw), MY_GID(pw));//uid,gid);
if (-1 == (t = mkstemp(Filename))) {
perror(Filename);
goto fatal;
}
-/* instead of chown we're using setreuid */
-/*#ifdef HAS_FCHOWN
- if (fchown(t, MY_UID(pw), MY_GID(pw)) < 0) {
- perror("fchown");
- goto fatal;
- }
-#else
- if (chown(Filename, MY_UID(pw), MY_GID(pw)) < 0) {
- perror("chown");
- goto fatal;
- }
-#endif*/
-
setreuid(uid,0);
- //syslog(LOG_ERR,"AFTER MKSTEMP pid: %d uid: %d gid: %d",Pid,uid, MY_GID(pw));
if (!(NewCrontab = fdopen(t, "r+"))) {
perror("fdopen");
goto fatal;
@@ -497,10 +487,6 @@
perror("setuid(getuid())");
exit(ERROR_EXIT);
}
-/* if (chdir(_PATH_TMP) < 0) {
- perror(_PATH_TMP);
- exit(ERROR_EXIT);
- }*/
if (!glue_strings(q, sizeof q, editor, Filename, ' ')) {
fprintf(stderr, "%s: editor command line too long\n",
ProgramName);
--- vixie-cron-4.1/security.c.old 2007-07-30 16:34:09.000000000 +0200
+++ vixie-cron-4.1/security.c 2007-07-30 16:30:52.000000000 +0200
@@ -46,70 +46,55 @@
int cron_restore_default_security_context() {
setexeccon(NULL);
}
-int cron_set_job_security_context( entry *e, user *u, char ***jobenv )
-{
+
+int cron_set_job_security_context(entry *e, user *u, char ***jobenv) {
time_t minutely_time = 0;
- if((e->flags & MIN_STAR)==MIN_STAR)
- {
- /* "minute-ly" job: Every minute for given hour/dow/month/dom.
- * Ensure that these jobs never run in the same minute:
- */
- minutely_time = time(0);
- Debug(DSCH, ("Minute-ly job. Recording time %lu\n", minutely_time))
- }
- if ( cron_open_security_session( e->pwd ) != 0 )
- {
- syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
- e->pwd->pw_name, strerror(errno)
- );
- return -1;
+ if ((e->flags & MIN_STAR)==MIN_STAR) {
+ /* "minute-ly" job: Every minute for given hour/dow/month/dom.
+ * Ensure that these jobs never run in the same minute:
+ */
+ minutely_time = time(0);
+ Debug(DSCH, ("Minute-ly job. Recording time %lu\n", minutely_time))
}
+ if (cron_start_pam(e->pwd) != 0) {
+ syslog(LOG_INFO, "CRON (%s): failed to open PAM security session: %s", e->pwd->pw_name, pam_strerror(pamh,cron_start_pam(e->pwd)));
+ return -1;
+ }
*jobenv = build_env( e->envp );
#ifdef WITH_SELINUX
-
/* we must get the crontab context BEFORE changing user, else
* we'll not be permitted to read the cron spool directory :-)
*/
-
security_context_t ucontext=0;
- if ( cron_get_job_range(u, &ucontext, *jobenv) < OK )
- {
- syslog(LOG_ERR, "CRON (%s) ERROR: failed to get selinux context: %s",
- e->pwd->pw_name, strerror(errno)
- );
- return -1;
+ if (cron_get_job_range(u, &ucontext, *jobenv) < OK) {
+ syslog(LOG_ERR, "CRON (%s) ERROR: failed to get selinux context: %s",
+ e->pwd->pw_name, strerror(errno));
+ return -1;
}
- if (cron_change_selinux_range(u, ucontext) != 0)
- {
+ if (cron_change_selinux_range(u, ucontext) != 0) {
syslog(LOG_INFO,"CRON (%s) ERROR: failed to change SELinux context",
e->pwd->pw_name);
- if ( ucontext )
- freecon(ucontext);
- return -1;
+ if ( ucontext )
+ freecon(ucontext);
+ return -1;
}
- if ( ucontext )
- freecon(ucontext);
+ if (ucontext)
+ freecon(ucontext);
#endif
- if ( cron_start_security_session( e->pwd ) != 0 )
- {
- syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
- e->pwd->pw_name, strerror(errno)
- );
- return -1;
- }
-
- if ( cron_change_user( e->pwd, env_get("HOME", *jobenv)) != 0 )
- {
- syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
- e->pwd->pw_name, strerror(errno)
- );
- return -1;
+/* if (cron_open_pam_session(e->pwd) != 0) {
+ syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s", e->pwd->pw_name, strerror(errno));
+ return -1;
+ }
+*/
+ if (cron_change_user(e->pwd, env_get("HOME", *jobenv)) != 0) {
+ syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s", e->pwd->pw_name, strerror(errno));
+ return -1;
}
log_close();
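Review bot: `cron_start_pam(e->pwd)` is called twice on the failure path, once in the `if` and again inside the `syslog()` arguments just to get a code for `pam_strerror()`, so a failed PAM setup is repeated and the logged reason may not be the one that caused the rejection. Store the result once, `int rc = cron_start_pam(e->pwd);`, test `rc != 0` and pass `rc` to `pam_strerror(pamh, rc)`. The call to `cron_open_pam_session()` is left commented out, so nothing visible on this path calls `pam_open_session()` for the job any more and `pam_session_opened` stays 0; if that is intended it needs a comment saying why, otherwise the call should be restored rather than parked in a comment. The `cron_change_user()` failure still logs "failed to open PAM security session", which will mislead whoever reads the log.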
@@ -117,40 +102,23 @@
time_t job_run_time = time(0L);
- if( (minutely_time > 0)
- &&((job_run_time / 60) != (minutely_time / 60))
- )
- {/* if a per-minute job is delayed into the next minute
+ if ((minutely_time > 0) &&((job_run_time / 60) != (minutely_time / 60))) {
+ /* if a per-minute job is delayed into the next minute
* (eg. by network authentication method timeouts), skip it.
*/
- struct tm tmS, tmN;
- localtime_r(&job_run_time, &tmN);
- localtime_r(&minutely_time,&tmS);
- syslog(LOG_ERR,
+ struct tm tmS, tmN;
+ localtime_r(&job_run_time, &tmN);
+ localtime_r(&minutely_time,&tmS);
+ syslog(LOG_ERR,
"(%s) error: Job execution of per-minute job scheduled for "
"%.2u:%.2u delayed into subsequent minute %.2u:%.2u. Skipping job run.",
e->pwd->pw_name, tmS.tm_hour, tmS.tm_min, tmN.tm_hour, tmN.tm_min);
- return -1;
+ return -1;
}
return 0;
}
-#ifdef WITH_PAM
-static pam_handle_t *pamh = NULL;
-static const struct pam_conv conv = {
- NULL
-};
-#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
- fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
- syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
- pam_close_session(pamh, PAM_SILENT); \
- pam_end(pamh, retcode); \
- return(retcode); \
- }
-#endif
-
-int cron_open_security_session( struct passwd *pw )
-{
+int cron_start_pam(struct passwd *pw) {
int retcode = 0;
#if defined(WITH_PAM)
@@ -161,12 +129,11 @@
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
#endif
-
+
return retcode;
}
-int cron_start_security_session( struct passwd *pw )
-{
+int cron_open_pam_session(struct passwd *pw) {
int retcode = 0;
#if defined(WITH_PAM)
@@ -174,66 +141,57 @@
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
- log_close(); /* PAM has now re-opened our log to auth.info ! */
- openlog(ProgramName, LOG_PID, LOG_CRON);
+ if (retcode == PAM_SUCCESS)
+ pam_session_opened = 1;
#endif
return retcode;
}
-void cron_close_security_session( void )
-{
+void cron_close_pam(void) {
#if defined(WITH_PAM)
- pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
- pam_close_session(pamh, PAM_SILENT);
- pam_end(pamh, PAM_ABORT);
+ if (pam_session_opened != 0) {
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ pam_close_session(pamh, PAM_SILENT);
+ }
+ pam_end(pamh, PAM_SUCCESS);
#endif
}
-int cron_change_user( struct passwd *pw, char *homedir )
-{
+int cron_change_user(struct passwd *pw, char *homedir) {
/* set our directory, uid and gid. Set gid first, since once
* we set uid, we've lost root privledges.
*/
- if ( setgid( pw->pw_gid ) != 0 )
- {
- log_it("CRON", getpid(), "setgid failed:", strerror(errno));
- return -1;
+ if (setgid(pw->pw_gid) != 0) {
+ log_it("CRON", getpid(), "setgid failed:", strerror(errno));
+ return -1;
}
- if ( initgroups( pw->pw_name, pw->pw_gid ) != 0 )
- {
- log_it("CRON", getpid(), "initgroups failed:", strerror(errno));
- return -1;
+ if (chdir(homedir) == -1) {
+ log_it("CRON", getpid(), "chdir(HOME) failed:", strerror(errno));
+ log_it("CRON", getpid(), homedir, strerror(errno));
+ return -1;
}
- if ( setuid( pw->pw_uid ) != 0 )
- {
- log_it("CRON", getpid(), "setuid failed:", strerror(errno));
- return -1;
+ if (initgroups(pw->pw_name, pw->pw_gid) != 0) {
+ log_it("CRON", getpid(), "initgroups failed:", strerror(errno));
+ return -1;
}
- if ( chdir(homedir) == -1 )
- {
- log_it("CRON", getpid(), "chdir(HOME) failed:", strerror(errno));
- log_it("CRON", getpid(), homedir, strerror(errno));
- return -1;
+ if (setuid( pw->pw_uid ) != 0) {
+ log_it("CRON", getpid(), "setuid failed:", strerror(errno));
+ return -1;
}
-
+
return 0;
}
-static int
-cron_authorize_context
-(
- security_context_t scontext,
- security_context_t file_context
-)
-{
+static int cron_authorize_context
+(security_context_t scontext,security_context_t file_context) {
#ifdef WITH_SELINUX
struct av_decision avd;
int retval;
- unsigned int bit = FILE__ENTRYPOINT;
+ unsigned int bit = FILE__ENTRYPOINT;
/*
* Since crontab files are not directly executed,
* crond must ensure that the crontab file has
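Review bot: The new `cron_change_user()` runs `chdir(homedir)` directly after `setgid()` and before `initgroups()` and `setuid()`, which restores the ordering that vixie-cron-4.1-fixs.patch in this same commit removes (the spec applies that patch as Patch70 and this one after it as Patch71). The directory is then entered before the uid has been changed, and `homedir` is the job's `HOME` value passed in from `cron_set_job_security_context()`, so the permission check on it is not made as the job's user. Keep the `chdir` block after the `setuid( pw->pw_uid )` check, as the fixs patch has it. The function's opening comment ("set our directory, uid and gid") could then state that the directory is set last and why.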
@@ -243,24 +201,18 @@
*/
retval = security_compute_av(scontext, file_context,
SECCLASS_FILE, bit, &avd);
-
if (retval || ((bit & avd.allowed) != bit))
return 0;
#endif
return 1;
}
-static int
-cron_authorize_range
-(
- security_context_t scontext,
- security_context_t ucontext
-)
-{
+static int cron_authorize_range
+(security_context_t scontext,security_context_t ucontext) {
#ifdef WITH_SELINUX
struct av_decision avd;
int retval;
- unsigned int bit = CONTEXT__CONTAINS;
+ unsigned int bit = CONTEXT__CONTAINS;
/*
* Since crontab files are not directly executed,
* so crond must ensure that any user specified range
@@ -275,46 +227,37 @@
return 1;
}
-int cron_get_job_context( user *u, void *scontextp, void *file_contextp, char **jobenv )
-{
+int cron_get_job_context(user *u, void *scontextp, void *file_contextp, char **jobenv) {
#if WITH_SELINUX
char *sroletype;
- if ( is_selinux_enabled() <= 0 )
+ if (is_selinux_enabled() <= 0)
return 0;
- if ( (file_contextp == 0) || (scontextp == 0L) )
+ if ((file_contextp == 0) || (scontextp == 0L))
return -1;
*((security_context_t*)scontextp) = u->scontext;
*((void **)file_contextp) = 0L;
- if ( (sroletype = env_get("SELINUX_ROLE_TYPE",jobenv)) != 0L )
- {
- *((security_context_t*)scontextp) = (security_context_t) sroletype;
+ if ((sroletype = env_get("SELINUX_ROLE_TYPE",jobenv)) != 0L) {
+ *((security_context_t*)scontextp) = (security_context_t) sroletype;
char crontab[MAX_FNAME];
- if ( strcmp(u->name,"*system*") == 0 )
+ if (strcmp(u->name,"*system*") == 0)
strncpy(crontab, u->tabname, MAX_FNAME);
else
snprintf(crontab, MAX_FNAME, "%s/%s", CRONDIR, u->tabname);
- if ( getfilecon( crontab, file_contextp ) == -1 )
- {
- if ( security_getenforce() > 0 )
- {
- log_it(u->name,
- getpid(), "getfilecon FAILED for SELINUX_ROLE_TYPE",
- sroletype
- );
+ if (getfilecon( crontab, file_contextp ) == -1) {
+ if (security_getenforce() > 0) {
+ log_it(u->name, getpid(), "getfilecon FAILED for SELINUX_ROLE_TYPE",
+ sroletype);
return -1;
- } else
- if ( access( crontab, F_OK ) == 0 )
- log_it(u->name,
- getpid(),
- "getfilecon FAILED but SELinux in permissive mode, continuing "
- "- SELINUX_ROLE_TYPE=", sroletype
- );
- }
+ } else if (access( crontab, F_OK ) == 0)
+ log_it(u->name, getpid(),
+ "getfilecon FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype);
+ }
}
#endif
return 0;
@@ -323,132 +266,100 @@
#if WITH_SELINUX
/* always uses u->scontext as the default process context, then changes the
level, and retuns it in ucontextp (or NULL otherwise) */
-static int cron_get_job_range( user *u, security_context_t *ucontextp,
- char **jobenv )
-{
+static int cron_get_job_range(user *u, security_context_t *ucontextp, char **jobenv) {
char *range;
- if ( is_selinux_enabled() <= 0 )
+ if (is_selinux_enabled() <= 0)
return 0;
- if ( ucontextp == 0L )
+ if (ucontextp == 0L)
return -1;
*ucontextp = 0L;
- if ( (range = env_get("MLS_LEVEL",jobenv)) != 0L )
- {
- context_t ccon;
-
- if (!(ccon = context_new(u->scontext)))
- {
- log_it(u->name,
- getpid(), "context_new FAILED for MLS_LEVEL",
- range);
- return -1;
- }
-
- if (context_range_set(ccon, range))
- {
- log_it(u->name,
- getpid(), "context_range_set FAILED for MLS_LEVEL",
- range);
- return -1;
- }
-
- if (!(*ucontextp = context_str(ccon)))
- {
- log_it(u->name,
- getpid(), "context_str FAILED for MLS_LEVEL",
- range);
- return -1;
- }
-
- if (!(*ucontextp = strdup(*ucontextp)))
- {
- log_it(u->name,
- getpid(), "strdup FAILED for MLS_LEVEL",
- range);
- return -1;
- }
-
- context_free(ccon);
- }
- else if (!u->scontext)
- { /* cron_change_selinux_range() deals with this */
- return 0;
+ if ((range = env_get("MLS_LEVEL",jobenv)) != 0L) {
+ context_t ccon;
+ if (!(ccon = context_new(u->scontext))) {
+ log_it(u->name, getpid(), "context_new FAILED for MLS_LEVEL", range);
+ return -1;
+ }
+
+ if (context_range_set(ccon, range)) {
+ log_it(u->name, getpid(), "context_range_set FAILED for MLS_LEVEL",
+ range);
+ return -1;
+ }
+
+ if (!(*ucontextp = context_str(ccon))) {
+ log_it(u->name, getpid(), "context_str FAILED for MLS_LEVEL",
+ range);
+ return -1;
}
- else if (!(*ucontextp = strdup(u->scontext)))
- {
- log_it(u->name,
- getpid(), "strdup FAILED for MLS_LEVEL",
- range);
- return -1;
+
+ if (!(*ucontextp = strdup(*ucontextp))) {
+ log_it(u->name, getpid(), "strdup FAILED for MLS_LEVEL",
+ range);
+ return -1;
}
+ context_free(ccon);
+ }
+ else if (!u->scontext) {
+ /* cron_change_selinux_range() deals with this */
+ return 0;
+ }
+ else if (!(*ucontextp = strdup(u->scontext))) {
+ log_it(u->name, getpid(), "strdup FAILED for MLS_LEVEL",
+ range);
+ return -1;
+ }
return 0;
}
#endif
-int cron_change_selinux_context( user *u, void *scontext, void *file_context )
-{
+int cron_change_selinux_context(user *u, void *scontext, void *file_context) {
#ifdef WITH_SELINUX
- if ( is_selinux_enabled() <= 0 )
+ if (is_selinux_enabled() <= 0)
return 0;
- if ( scontext == 0L )
- {
- if (security_getenforce() > 0)
- {
- log_it( u->name, getpid(),
- "NULL security context for user",
- ""
- );
+ if (scontext == 0L) {
+ if (security_getenforce() > 0) {
+ log_it( u->name, getpid(), "NULL security context for user", "");
return -1;
- }else
- {
+ }
+ else {
log_it( u->name, getpid(),
"NULL security context for user, "
"but SELinux in permissive mode, continuing",
- ""
- );
+ "");
return 0;
}
}
- if ( file_context )
- {
- if ( ! cron_authorize_context( scontext, file_context ) )
- {
- if ( security_getenforce() > 0 )
- {
+ if (file_context) {
+ if (!cron_authorize_context( scontext, file_context)) {
+ if (security_getenforce() > 0) {
syslog(LOG_ERR,
"CRON (%s) ERROR:"
"Unauthorized exec context to SELINUX_ROLE_TYPE %s for user",
- u->name, (char*)scontext
- );
+ u->name, (char*)scontext);
return -1;
- } else
- {
+ }
+ else {
syslog(LOG_INFO,
"CRON (%s) WARNING:"
"Unauthorized exec context to SELINUX_ROLE_TYPE %s for user,"
" but SELinux in permissive mode, continuing",
- u->name, (char*)scontext
- );
+ u->name, (char*)scontext);
}
}
- }
+ }
- if ( setexeccon(scontext) < 0 )
- {
- if (security_getenforce() > 0)
- {
+ if (setexeccon(scontext) < 0) {
+ if (security_getenforce() > 0) {
syslog(LOG_ERR,
"CRON (%s) ERROR:"
"Could not set exec context to %s for user",
- u->name, (char*)scontext
- );
-
+ u->name, (char*)scontext);
return -1;
}
}
@@ -457,41 +368,34 @@
}
#ifdef WITH_SELINUX
-static int cron_change_selinux_range( user *u,
- security_context_t ucontext )
-{
- if ( is_selinux_enabled() <= 0 )
+static int cron_change_selinux_range(user *u,security_context_t ucontext) {
+ if (is_selinux_enabled() <= 0)
return 0;
- if ( u->scontext == 0L )
- {
+ if (u->scontext == 0L) {
if (security_getenforce() > 0)
{
log_it( u->name, getpid(),
"NULL security context for user",
- ""
- );
+ "");
return -1;
- }else
- {
+ }
+ else {
log_it( u->name, getpid(),
"NULL security context for user, "
"but SELinux in permissive mode, continuing",
- ""
- );
+ "");
return 0;
}
}
- if ( strcmp(u->scontext, ucontext) )
- {
- if ( ! cron_authorize_range( u->scontext, ucontext ))
- {
- if ( security_getenforce() > 0 )
- {
+ if (strcmp(u->scontext, ucontext)) {
+ if (!cron_authorize_range( u->scontext, ucontext)) {
+ if (security_getenforce() > 0) {
#ifdef WITH_AUDIT
char *msg = NULL;
- if (asprintf(&msg, "cron: Unauthorized MLS range acct=%s new_scontext=%s old_scontext=%s", u->name, (char*)ucontext, u->scontext) >= 0) {
+ if (asprintf(&msg, "cron: Unauthorized MLS range acct=%s new_scontext=%s old_scontext=%s",
+ u->name, (char*)ucontext, u->scontext) >= 0) {
int audit_fd = audit_open();
audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, msg, NULL, NULL, NULL, 0);
close(audit_fd);
@@ -501,40 +405,33 @@
syslog(LOG_ERR,
"CRON (%s) ERROR:"
"Unauthorized range %s in MLS_LEVEL for user %s ",
- u->name, (char*)ucontext, u->scontext
- );
+ u->name, (char*)ucontext, u->scontext);
return -1;
- } else
- {
+ }
+ else {
syslog(LOG_INFO,
"CRON (%s) WARNING:"
"Unauthorized range %s in MLS_LEVEL for user %s,"
" but SELinux in permissive mode, continuing",
- u->name, (char*)ucontext, u->scontext
- );
+ u->name, (char*)ucontext, u->scontext);
}
}
- }
+ }
- if ( setexeccon(ucontext) < 0 )
- {
- if (security_getenforce() > 0)
- {
+ if (setexeccon(ucontext) < 0) {
+ if (security_getenforce() > 0) {
syslog(LOG_ERR,
"CRON (%s) ERROR:"
"Could not set exec context to %s for user",
- u->name, (char*)ucontext
- );
-
+ u->name, (char*)ucontext);
return -1;
- } else
- {
+ }
+ else {
syslog(LOG_ERR,
"CRON (%s) ERROR:"
"Could not set exec context to %s for user, "
" but SELinux in permissive mode, continuing",
- u->name, (char*)ucontext
- );
+ u->name, (char*)ucontext);
return 0;
}
@@ -589,19 +486,17 @@
}
}
- if ( ! cron_authorize_context( scontext, file_context ) )
- {
+ if (!cron_authorize_context( scontext, file_context)) {
freecon(scontext);
freecon(file_context);
if (security_getenforce() > 0) {
log_it(name, getpid(), "Unauthorized SELinux context", tabname);
return -1;
- } else
- {
+ }
+ else {
log_it(name, getpid(),
"Unauthorized SELinux context, but SELinux in permissive mode, continuing",
- tabname
- );
+ tabname);
return 0;
}
}
@@ -612,19 +507,16 @@
return 0;
}
-void free_security_context( security_context_t *scontext )
-{
+void free_security_context(security_context_t *scontext) {
#ifdef WITH_SELINUX
- if( *scontext != NULL )
- {
- freecon(*scontext);
- *scontext=0L;
- }
+ if (*scontext != NULL) {
+ freecon(*scontext);
+ *scontext=0L;
+ }
#endif
}
-int crontab_security_access(void)
-{
+int crontab_security_access(void) {
#ifdef WITH_SELINUX
if (is_selinux_enabled() > 0)
if (selinux_check_passwd_access(PASSWD__CRONTAB)!=0)
@@ -644,16 +536,15 @@
int count = 0;
jobenv = env_copy(pamenv);
-
/* Now add the cron environment variables. Since env_set()
overwrites existing variables, this will let cron's
environment settings override pam's */
while ((cronvar = cronenv[count++])) {
- if (!(jobenv = env_set(jobenv, cronvar))) {
- syslog(LOG_ERR, "Setting Cron environment variable %s failed", cronvar);
- return NULL;
- }
+ if (!(jobenv = env_set(jobenv, cronvar))) {
+ syslog(LOG_ERR, "Setting Cron environment variable %s failed", cronvar);
+ return NULL;
+ }
}
return jobenv;
#else
vixie-cron-4.1-tmp.patch:
--- NEW FILE vixie-cron-4.1-tmp.patch ---
--- vixie-cron-4.1/crontab.c.tmp 2007-05-18 21:17:02.000000000 +0200
+++ vixie-cron-4.1/crontab.c 2007-05-18 21:17:02.000000000 +0200
@@ -74,6 +74,7 @@
parse_args(int c, char *v[]),
die(int);
static int replace_cmd(void);
+static char *tmp_path(void);
static void
usage(const char *msg) {
@@ -336,6 +337,14 @@
fprintf(stderr, "\"%s\":%d: %s\n", Filename, LineNumber-1, msg);
}
+static char *
+tmp_path() {
+ char *tmpdir;
+
+ tmpdir = getenv("TMPDIR");
+ return tmpdir ? tmpdir : "/tmp";
+}
+
static void
edit_cmd(void) {
char n[MAX_FNAME], q[MAX_TEMPSTR], *editor;
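Review bot: `tmp_path()` returns the `TMPDIR` environment value unchecked, and that value becomes the directory of the `mkstemp()` template in `edit_cmd()`, in a program that the `setreuid(0, uid)` call in the next hunk shows to be running with root privileges available. An empty or relative value is accepted as is; requiring an absolute path, for example `return (tmpdir != NULL && tmpdir[0] == '/') ? tmpdir : "/tmp";`, keeps the fallback for everything else. The function returns either a string literal or environment storage, so `static const char *tmp_path(void)` describes it better than `char *`, and the definition should spell `(void)` like its prototype. A one-line comment that the value is caller-controlled and may only be used while the effective uid is the user's would help the next reader.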
@@ -345,7 +354,8 @@
struct utimbuf utimebuf;
WAIT_T waiter;
PID_T pid, xpid;
-
+ int uid;
+
log_it(RealUser, Pid, "BEGIN EDIT", User);
if (!glue_strings(n, sizeof n, SPOOL_DIR, User, '/')) {
fprintf(stderr, "path too long\n");
@@ -376,16 +386,23 @@
(void)signal(SIGINT, SIG_IGN);
(void)signal(SIGQUIT, SIG_IGN);
- if (!glue_strings(Filename, sizeof Filename, _PATH_TMP,
+ if (!glue_strings(Filename, sizeof Filename, tmp_path(),
"crontab.XXXXXXXXXX", '/')) {
fprintf(stderr, "path too long\n");
goto fatal;
}
+ //syslog(LOG_ERR,"%s%s",Filename,tmp_path());
+ //syslog(LOG_ERR,"BEFORE MKSTEMP pid: %d uid: %d gid: %d",Pid,MY_UID(pw), MY_GID(pw));//uid, gid);
+ uid = MY_UID(pw);
+ setreuid(0, uid);
+ //syslog(LOG_ERR,"BEFORE MKSTEMP SETREUID pid: %d uid: %d gid: %d",Pid,MY_UID(pw), MY_GID(pw));//uid,gid);
if (-1 == (t = mkstemp(Filename))) {
perror(Filename);
goto fatal;
}
-#ifdef HAS_FCHOWN
+
+/* instead of chown we're using setreuid */
+/*#ifdef HAS_FCHOWN
if (fchown(t, MY_UID(pw), MY_GID(pw)) < 0) {
perror("fchown");
goto fatal;
@@ -395,7 +412,10 @@
perror("chown");
goto fatal;
}
-#endif
+#endif*/
+
+ setreuid(uid,0);
+ //syslog(LOG_ERR,"AFTER MKSTEMP pid: %d uid: %d gid: %d",Pid,uid, MY_GID(pw));
if (!(NewCrontab = fdopen(t, "r+"))) {
perror("fdopen");
goto fatal;
@@ -481,10 +501,10 @@
perror("setuid(getuid())");
exit(ERROR_EXIT);
}
- if (chdir(_PATH_TMP) < 0) {
+/* if (chdir(_PATH_TMP) < 0) {
perror(_PATH_TMP);
exit(ERROR_EXIT);
- }
+ }*/
if (!glue_strings(q, sizeof q, editor, Filename, ' ')) {
fprintf(stderr, "%s: editor command line too long\n",
ProgramName);
Index: vixie-cron.init
===================================================================
RCS file: /cvs/pkgs/rpms/vixie-cron/F-7/vixie-cron.init,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- vixie-cron.init 25 Feb 2005 18:41:15 -0000 1.4
+++ vixie-cron.init 30 Jul 2007 15:13:24 -0000 1.5
@@ -11,63 +11,54 @@
# config: /etc/crontab
# pidfile: /var/run/crond.pid
+RETVAL=0
+prog="crond"
+CROND=/usr/sbin/crond
+LOCK_FILE=/var/lock/subsys/crond
+
# Source function library.
. /etc/init.d/functions
-. /etc/sysconfig/crond
+
+# set sysconfig settings
+[ -f /etc/sysconfig/crond ] && . /etc/sysconfig/crond
+
+[ -f /etc/sysconfig/crond ] || exit 6
+
+# validate mail
t=${CRON_VALIDATE_MAILRCPTS:-UNSET}
[ "$t" != "UNSET" ] && export CRON_VALIDATE_MAILRCPTS="$t"
-# See how we were called.
-
prog="crond"
start() {
- echo -n $"Starting $prog: "
- if [ -e /var/lock/subsys/crond ]; then
- if [ -e /var/run/crond.pid ] && [ -e /proc/`cat /var/run/crond.pid` ]; then
- echo -n $"cannot start crond: crond is already running.";
- failure $"cannot start crond: crond already running.";
- echo
- return 1
- fi
- fi
- daemon crond $CRONDARGS
+ echo -n $"Starting $prog: "
+ daemon $prog $OPTIONS && success || failure
RETVAL=$?
+ [ "$RETVAL" = 0 ] && touch $LOCK_FILE
echo
- [ $RETVAL -eq 0 ] && touch /var/lock/subsys/crond;
- return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
- if [ ! -e /var/lock/subsys/crond ]; then
- echo -n $"cannot stop crond: crond is not running."
- failure $"cannot stop crond: crond is not running."
- echo
- return 1;
+ if [ -n "`pidfileofproc $CROND`" ]; then
+ killproc $CROND
+ else
+ failure $"Stopping $prog"
fi
- killproc crond
RETVAL=$?
+ [ "$RETVAL" = 0 ] && rm -f $LOCK_FILE
echo
- [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/crond;
- return $RETVAL
-}
-
-rhstatus() {
- status crond
-}
-
-restart() {
- stop
- start
}
reload() {
- echo -n $"Reloading cron daemon configuration: "
- killproc crond -HUP
+ echo -n $"Reloading $prog: "
+ if [ -n "`pidfileofproc $CROND`" ]; then
+ killproc $CROND -HUP
+ else
+ failure $"Reloading $prog"
+ fi
RETVAL=$?
echo
- return $RETVAL
}
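Review bot: In `start()`, `RETVAL=$?` now follows `daemon $prog $OPTIONS && success || failure`, so it records the status of `success` or `failure` rather than that of `daemon`; take the status first, `daemon $prog $OPTIONS; RETVAL=$?`, and report from `$RETVAL`. The arguments changed from `$CRONDARGS` to `$OPTIONS`; if existing /etc/sysconfig/crond files set `CRONDARGS` (not visible here), those settings would be silently ignored after the update. `stop()` and `reload()` have the same issue in their `else` branch, where `RETVAL` is whatever `failure` returns. `prog="crond"` is now assigned twice, and `$LOCK_FILE` and `$CROND` are expanded unquoted.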
case "$1" in
@@ -78,18 +69,27 @@
stop
;;
restart)
- restart
+ stop
+ start
;;
reload)
reload
;;
status)
- rhstatus
+ status $CROND
;;
condrestart)
- [ -f /var/lock/subsys/crond ] && restart || :
- ;;
+ if [ -f $LOCK_FILE ]; then
+ if [ "$RETVAL" = 0 ]; then
+ stop
+ sleep 3
+ start
+ fi
+ fi
+ ;;
*)
echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
- exit 1
+ RETVAL=3
esac
+exit $RETVAL
+
Index: vixie-cron.spec
===================================================================
RCS file: /cvs/pkgs/rpms/vixie-cron/F-7/vixie-cron.spec,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -r1.98 -r1.99
--- vixie-cron.spec 12 Apr 2007 16:47:46 -0000 1.98
+++ vixie-cron.spec 30 Jul 2007 15:13:24 -0000 1.99
@@ -10,7 +10,7 @@
Summary: The Vixie cron daemon for executing specified programs at set times
Name: vixie-cron
Version: 4.1
-Release: 82%{?dist}
+Release: 83%{?dist}
Epoch: 4
License: BSD
Group: System Environment/Base
@@ -86,6 +86,9 @@
Patch66: vixie-cron-4.1-bz220376.patch
Patch67: vixie-cron-4.1-hardlink.patch
Patch68: vixie-cron-4.1-mancrond.patch
+Patch69: vixie-cron-4.1-tmp.patch
+Patch70: vixie-cron-4.1-fixs.patch
+Patch71: vixie-cron-4.1-pam_crontab.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: syslog, bash >= 2.0
@@ -195,6 +198,9 @@
#%patch66 -p1 -b .bz220376
%patch67 -p1 -b .hardlink
%patch68 -p1 -b .mancrond
+%patch69 -p1 -b .tmp
+%patch70 -p1 -b .fix
+%patch71 -p1 -b .pamcrontab
%build
# RPM_OPT_FLAGS are better here, because we don't have configure for set up variables ;-)
@@ -266,6 +272,10 @@
%config(noreplace) /etc/sysconfig/crond
%changelog
+* Mon Jul 31 2007 Marcela Maslanova <mmaslano at redhat.com> - 4:4.1-83
+- update from devel
+- add pam to crontab, add variable tmpdir, fix man again
+
* Thu Apr 12 2007 Marcela Maslanova <mmaslano at redhat.com> - 4:4.1-82
- removed bz220376.patch
- change in manual - using jobs in cron.d