author | yar <yar@FreeBSD.org> | 2007-06-15 12:02:16 +0000 |
---|---|---|
committer | yar <yar@FreeBSD.org> | 2007-06-15 12:02:16 +0000 |
commit | 73c6fd823f55ad9b3332da2e2e97404fd7abb290 (patch) | |
tree | eaa06dc8dd3f1bc3b920d863b59ed4d58f1b1a11 /libexec | |
parent | c6862c6dc24ac7f67bd815e9862f013ec2c2d2ff (diff) | |
Add PAM support to atrun(8).
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/atrun/Makefile | 6 | ||||
-rw-r--r-- | libexec/atrun/atrun.c | 41 |
2 files changed, 36 insertions, 11 deletions
diff --git a/libexec/atrun/Makefile b/libexec/atrun/Makefile
index 40ebd06..c922dc5 100644
--- a/libexec/atrun/Makefile
+++ b/libexec/atrun/Makefile
@@ -12,11 +12,11 @@ BINDIR= ${ATLIB_DIR}
 CLEANFILES= ${MAN}
 CFLAGS+=-I${MAINSRC} -I${.CURDIR}
-CFLAGS+=-DLOGIN_CAP
+CFLAGS+=-DLOGIN_CAP -DPAM
 WFORMAT=0
-DPADD= ${LIBUTIL}
-LDADD= -lutil
+DPADD= ${LIBPAM} ${LIBUTIL}
+LDADD= -lpam -lutil
 atrun.8: atrun.man
 @${ECHO} Making ${.TARGET:T} from ${.ALLSRC:T}; \
diff --git a/libexec/atrun/atrun.c b/libexec/atrun/atrun.c
index 374c10b..a7cef87 100644
--- a/libexec/atrun/atrun.c
+++ b/libexec/atrun/atrun.c
@@ -58,6 +58,10 @@ static const char rcsid[] =
 #ifdef LOGIN_CAP
 #include <login_cap.h>
 #endif
+#ifdef PAM
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+#endif
 #if (MAXLOGNAME-1) > UT_NAMESIZE
 #define LOGNAMESIZE UT_NAMESIZE
@@ -87,6 +91,7 @@ static const char rcsid[] =
 /* File scope variables */
+static const char * const atrun = "atrun"; /* service name for syslog etc. */
 static int debug = 0;
 void perr(const char *fmt, ...);
@@ -135,7 +140,14 @@ run_file(const char *filename, uid_t uid, gid_t gid)
 int fflags;
 long nuid;
 long ngid;
-
+#ifdef PAM
+ pam_handle_t *pamh = NULL;
+ int pam_err;
+ struct pam_conv pamc = {
+ .conv = openpam_nullconv,
+ .appdata_ptr = NULL
+ };
+#endif
 PRIV_START
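Review bot: The `pamc` initializer added to run_file's declarations deserves a comment saying why `openpam_nullconv` is the right conversation function here. atrun has no terminal, so a module that tries to prompt gets a conversation error and the account check should then fail rather than hang. A line such as `/* No tty: any PAM prompt fails the conversation, so the job is refused. */` above `struct pam_conv pamc` would record that this is deliberate. run_file's body starts and ends outside this hunk.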
@@ -163,17 +175,30 @@ run_file(const char *filename, uid_t uid, gid_t gid)
 perrx("Userid %lu not found - aborting job %s",
 (unsigned long) uid, filename);
+#ifdef PAM
 PRIV_START
- stream=fopen(filename, "r");
+ pam_err = pam_start(atrun, pentry->pw_name, &pamc, &pamh);
+ if (pam_err != PAM_SUCCESS)
+ perrx("cannot start PAM: %s", pam_strerror(pamh, pam_err));
+
+ pam_err = pam_acct_mgmt(pamh, PAM_SILENT);
+ /* Expired password shouldn't prevent the job from running. */
+ if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD)
+ perrx("Account %s (userid %lu) unavailable for job %s: %s",
+ pentry->pw_name, (unsigned long)uid,
+ filename, pam_strerror(pamh, pam_err));
+
+ pam_end(pamh, pam_err);
 PRIV_END
+#endif /* PAM */
-#ifdef __FreeBSD__
- if (pentry->pw_expire && time(NULL) >= pentry->pw_expire)
- perrx("Userid %lu is expired - aborting job %s",
- (unsigned long) uid, filename);
-#endif
+ PRIV_START
+
+ stream=fopen(filename, "r");
+
+ PRIV_END
 if (stream == NULL)
 perr("cannot open input file");
@@ -444,7 +469,7 @@ main(int argc, char *argv[])
 RELINQUISH_PRIVS_ROOT(DAEMON_UID, DAEMON_GID)
- openlog("atrun", LOG_PID, LOG_CRON);
+ openlog(atrun, LOG_PID, LOG_CRON);
 opterr = 0;
 while((c=getopt(argc, argv, "dl:"))!= -1) |
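Review bot: In the run_file hunk the `pw_expire` check is removed unconditionally while its replacement, `pam_acct_mgmt()`, is compiled only under `#ifdef PAM`, so a build without `-DPAM` no longer checks account expiry at all. The Makefile in this commit always defines PAM, but the `#ifdef` implies a non-PAM build is still meant to work, and there an expired account's queued jobs would run. Keeping the old check as the `#else` branch makes both builds fail closed. Separately, it is worth confirming that a PAM policy for the `atrun` service is installed, since no such file is part of this diff. run_file's body starts and ends outside the hunk.

```c
#ifdef PAM
    /* … unchanged: pam_start / pam_acct_mgmt / pam_end under PRIV_START … */
#else /* !PAM */
#ifdef __FreeBSD__
    /* No PAM account module available: keep the passwd-based expiry check. */
    if (pentry->pw_expire && time(NULL) >= pentry->pw_expire)
	perrx("Userid %lu is expired - aborting job %s",
		(unsigned long) uid, filename);
#endif
#endif /* PAM */
```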