int deny = 0;
/* check if user is in passwd file */
- if ( getpwnam(user) == NULL )
- return 0;
+ if ( getpwnam(user) != NULL ) {
- /* check if user is in fcron.allow and/or in fcron.deny files */
- allow = in_file(user, fcronallow);
- deny = in_file(user, fcrondeny);
+ /* check if user is in fcron.allow and/or in fcron.deny files */
+ allow = in_file(user, fcronallow);
+ deny = in_file(user, fcrondeny);
- if ( allow == -1 && deny == -1 )
- /* neither fcron.allow nor fcron.deny exist :
- * we consider that user is allowed */
- return 1;
+ /* in_file() returns:
+ * -1 if file doesn't exist
+ * 0 if string is not in file,
+ * 1 if it is in file
+ * and 2 if file contains "all" string */
- if ( allow == -1 && deny == 0 )
- return 1;
+ if ( allow == -1 && deny == -1 )
+ /* neither fcron.allow nor fcron.deny exist :
+ * we consider that user is allowed */
+ return 1;
+
+ if ( allow == -1 && deny == 0 )
+ return 1;
- if ( deny == -1 && allow == 1 )
- return 1;
+ if ( deny == -1 && allow == 1 )
+ return 1;
- if ( allow == 1 )
- if ( deny != 1 )
- return 1;
- if ( allow == 2 )
- if ( deny <= 0 )
- return 1;
+ if ( allow == 1 && deny != 1 )
+ return 1;
+ if ( allow == 2 && deny <= 0 )
+ return 1;
+
+ }
/* if we gets here, user is not allowed */
+
+#ifdef WITH_AUDIT
+ {
+ int audit_fd = audit_open();
+ audit_log_user_message(audit_fd, AUDIT_USER_START, "fcron deny",
+ NULL, NULL, NULL, 0);
+ close(audit_fd);
+ }
+#endif
+
return 0;
}
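Review bot: The WITH_AUDIT block uses the descriptor returned by `audit_open()` without checking it, so when the audit socket cannot be opened the deny event is silently lost and `close()` is called on a negative descriptor. Guard the block with `if ( audit_fd >= 0 ) {`, close with `audit_close(audit_fd);`, and send a failed open or a negative return from `audit_log_user_message()` to the project's usual error logging, so a missing audit record is at least visible. The record text is the fixed string "fcron deny" and does not name the `user` that was refused; if the name is added to the message, it should be encoded first so an unusual account name cannot break the record's field layout. The function's signature and the declaration of `allow` are outside this hunk, so how `user` reaches this code is not visible here.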
#ifdef WITH_SELINUX
/*
- * Since crontab files are not directly executed,
- * crond must ensure that the crontab file has
+ * Since fcrontab files are not directly executed,
+ * fcrond must ensure that the fcrontab file has
* a context that is appropriate for the context of
- * the user cron job. It performs an entrypoint
+ * the user fcron job. It performs an entrypoint
* permission check for this purpose.
*/
#ifdef SYSFCRONTAB
/* Define if you have the <grp.h> header file. */
#undef HAVE_GRP_H
+/* Define if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
/* Define if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
/* Define if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
+/* Define if you have the audit library (-laudit). */
+#undef HAVE_LIBAUDIT
+
/* Define if you have the dgc library (-ldgc). */
#undef HAVE_LIBDGC
/* Define if you have the pam library (-lpam). */
#undef HAVE_LIBPAM
+/* Have audit trails (libaudit) support */
+#undef WITH_AUDIT
+
/* Have SE Linux support */
#undef WITH_SELINUX
AC_CHECK_HEADERS(termios.h)
AC_CHECK_HEADERS(strings.h)
AC_CHECK_HEADERS(sys/types.h sys/socket.h sys/un.h)
-AC_CHECK_HEADERS(security/pam_appl.h pam/pam_appl.h crypt.h shadow.h)
+AC_CHECK_HEADERS(security/pam_appl.h pam/pam_appl.h crypt.h shadow.h libaudit.h)
AC_CHECK_HEADERS(sys/resource.h)
AC_CHECK_HEADERS(grp.h)
AC_FUNC_WAIT3
AC_CHECK_LIB(xnet, shutdown)
AC_CHECK_LIB(selinux, getcon, [selinuxavail=1], [selinuxavail=0])
+AC_CHECK_LIB(audit, audit_open, [auditavail=1], [auditavail=0])
AC_CHECK_FUNC(getloadavg, [getloadavg=1], [getloadavg=0])
AC_CHECK_LIB(kstat, kstat_open, [kstat=1], [kstat=0])
if test $getloadavg -eq 1; then
fcrondyn=0
usepam=0
useselinux=0
+ useaudit=0
;;
*)
AC_MSG_ERROR(Invalid argument : please use 'yes' or 'no'.)
AC_SUBST(ANSWERALL)
+AC_MSG_CHECKING(if audit trails should be enabled if available)
+AC_ARG_WITH(audit,
+[ --with-audit=[yes|no] Enable (or not) audit trails if available (default: yes).],
+[ case "$withval" in
+ no)
+ useaudit=0
+ ;;
+ yes)
+ useaudit=1
+ ;;
+ *)
+ AC_MSG_ERROR(Must be set to either "yes" or "no".)
+ ;;
+ esac ]
+)
+if test useaudit = "0"; then
+ AC_MSG_RESULT(no)
+elif test "$useaudit" = "1" && test "$auditavail" != 1; then
+ useaudit=0
+ AC_MSG_RESULT(not available)
+ AC_MSG_ERROR([
+ You requested audit trails to be enabled, but libaudit was not found.
+])
+elif test "$auditavail" = 1; then
+ useaudit=1
+ AC_MSG_RESULT(yes)
+ LIBS="$LIBS -laudit"
+ AC_DEFINE(WITH_AUDIT)
+else
+ useaudit=0
+ AC_MSG_RESULT(no)
+fi
+
+
if test "$usepam" = ""; then
usepam=1
fi
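Review bot: `if test useaudit = "0"; then` compares the literal word `useaudit` with `0`, so the branch is never taken. An explicit `--with-audit=no` (and, it appears, the `useaudit=0` added in the earlier case block) therefore falls through to the `"$auditavail" = 1` branch, which still defines WITH_AUDIT and links `-laudit`. The line should read `if test "$useaudit" = "0"; then`. Separately, the decision relies only on the `AC_CHECK_LIB(audit, audit_open, ...)` result, while the C code includes `<libaudit.h>` under WITH_AUDIT, so a host with the library but no header passes configure and fails at compile time. The enabling branch could also require the header, e.g. `test "$ac_cv_header_libaudit_h" = yes`.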
echo "no"
fi
+echo -n "Audit trails : "
+if test "$useaudit" -eq 1; then
+ echo "yes"
+else
+ echo "no"
+fi
+
echo -n "PAM : "
if test "$usepam" -eq 1; then
echo "yes"
fi
echo -n "Load average support : "
-if test "$getloadavg" -eq 1 -o ! -z "$proc"; then
+if test "$getloadavg" -eq 1 -o -n "$proc"; then
echo "yes"
else
echo "no"
<title>High priority</title>
<itemizedlist>
<listitem>
- <para>add audit (libaudit)</para>
+ <para>add audit (libaudit) + TEST</para>
</listitem>
<listitem>
<para>Use directory notifications (FAM) / inotify, and support a fcrontab
#include <sys/ucred.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
+
#ifdef HAVE_LIBPAM
#include "pam.h"
#endif