Debug(DPROC, ("[%ld] grandchild process fork()'ed\n",
(long)getpid()))
+ if (cron_change_user_permanently(e->pwd) < 0)
+ _exit(ERROR_EXIT);
+
/* write a log message. we've waited this long to do it
* because it was not until now that we knew the PID that
* the actual user command shell was going to get and the
* are part of its reference count now.
*/
close(stdout_pipe[READ_PIPE]);
-
+ if (cron_change_user_permanently(e->pwd) < 0)
+ _exit(ERROR_EXIT);
/* translation:
* \% -> %
* % -> \n
int cron_change_user( struct passwd *pw, char *homedir );
+int cron_change_user_permanently( struct passwd *pw );
+
int cron_get_job_context( user *u, void *scontextp, void *file_contextp, char **envp );
int get_security_context(const char *name,
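Review bot: The new prototype is declared without any comment saying that cron_change_user() and cron_change_user_permanently() now have to be used as a pair. Judging by the hunk that rewrites cron_change_user(), the first call only sets the real uid and leaves the effective uid alone, so a caller that forgets the second call would run the job with the effective uid it started with. A short comment above the declaration would document the contract, e.g. `/* cron_change_user() changes only the real uid; call cron_change_user_permanently() in the child before running any user command */`.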
return -1;
}
- if (setuid( pw->pw_uid ) != 0) {
- log_it("CRON", pid, "ERROR", "setuid failed", errno);
+ if (setreuid( pw->pw_uid, -1 ) != 0) {
+ log_it("CRON", pid, "ERROR", "setreuid failed", errno);
return -1;
}
return 0;
}
+int cron_change_user_permanently(struct passwd *pw) {
+ if (setreuid( pw->pw_uid, pw->pw_uid ) != 0) {
+ log_it("CRON", getpid(), "ERROR", "setreuid failed", errno);
+ return -1;
+ }
+ return 0;
+}
+
+
static int cron_authorize_context
(security_context_t scontext,security_context_t file_context) {
#ifdef WITH_SELINUX
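Review bot: cron_change_user_permanently() relies solely on the return value of `setreuid( pw->pw_uid, pw->pw_uid )` and never confirms that the privilege drop is irreversible. That matters more now that cron_change_user() deliberately keeps the effective uid by calling `setreuid( pw->pw_uid, -1 )`. How setreuid() treats the saved set-user-ID has differed between platforms, so a cheap post-check for non-root jobs would make the drop verifiable: `if (pw->pw_uid != 0 && setuid(0) == 0) return -1;`, preceded by a log_it() call in the same style as the existing one. The bare `-1` in cron_change_user() would also read more clearly as `(uid_t)-1`. The body of cron_change_user() starts outside this hunk, so the group handling that precedes the uid change cannot be checked from here.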