From: Tomas Mraz Date: Mon, 8 Apr 2019 14:00:54 +0000 (+0200) Subject: Move allowed() and related function to security.c X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d29548feb18fe869d416e6df02ce6a4f105b2264;p=cronie Move allowed() and related function to security.c It makes more sense to have it there and it also uses audit and is not called from cronnext. --- diff --git a/src/misc.c b/src/misc.c index 9129d1d..42153b8 100644 --- a/src/misc.c +++ b/src/misc.c @@ -460,76 +460,6 @@ int skip_comments(FILE * file) { return TRUE; } -/* int in_file(const char *string, FILE *file, int error) - * return TRUE if one of the lines in file matches string exactly, - * FALSE if no lines match, and error on error. - */ -static int in_file(const char *string, FILE * file, int error) { - char line[MAX_TEMPSTR]; - char *endp; - - if (fseek(file, 0L, SEEK_SET)) - return (error); - while (fgets(line, MAX_TEMPSTR, file)) { - if (line[0] != '\0') { - endp = &line[strlen(line) - 1]; - if (*endp != '\n') - return (error); - *endp = '\0'; - if (0 == strcmp(line, string)) - return (TRUE); - } - } - if (ferror(file)) - return (error); - return (FALSE); -} - -/* int allowed(const char *username, const char *allow_file, const char *deny_file) - * returns TRUE if (allow_file exists and user is listed) - * or (deny_file exists and user is NOT listed). - * root is always allowed. - */ -int allowed(const char *username, const char *allow_file, - const char *deny_file) { - FILE *fp; - int isallowed; - char buf[128]; - - if (getuid() == 0) - return TRUE; - isallowed = FALSE; - if ((fp = fopen(allow_file, "r")) != NULL) { - isallowed = in_file(username, fp, FALSE); - fclose(fp); - if ((getuid() == 0) && (!isallowed)) { - snprintf(buf, sizeof (buf), - "root used -u for user %s not in cron.allow", username); - log_it("crontab", getpid(), "warning", buf, 0); - isallowed = TRUE; - } - } - else if ((fp = fopen(deny_file, "r")) != NULL) { - isallowed = !in_file(username, fp, FALSE); - fclose(fp); - if ((getuid() == 0) && (!isallowed)) { - snprintf(buf, sizeof (buf), - "root used -u for user %s in cron.deny", username); - log_it("crontab", getpid(), "warning", buf, 0); - isallowed = TRUE; - } - } -#ifdef WITH_AUDIT - if (isallowed == FALSE) { - int audit_fd = audit_open(); - audit_log_user_message(audit_fd, AUDIT_USER_START, "cron deny", - NULL, NULL, NULL, 0); - close(audit_fd); - } -#endif - return (isallowed); -} - void log_it(const char *username, PID_T xpid, const char *event, const char *detail, int err) { #if defined(LOG_FILE) || DEBUGGING diff --git a/src/security.c b/src/security.c index 5213cf3..c3207e1 100644 --- a/src/security.c +++ b/src/security.c @@ -675,3 +675,74 @@ static char **build_env(char **cronenv) { return jobenv; #endif } + +/* int in_file(const char *string, FILE *file, int error) + * return TRUE if one of the lines in file matches string exactly, + * FALSE if no lines match, and error on error. + */ +static int in_file(const char *string, FILE * file, int error) { + char line[MAX_TEMPSTR]; + char *endp; + + if (fseek(file, 0L, SEEK_SET)) + return (error); + while (fgets(line, MAX_TEMPSTR, file)) { + if (line[0] != '\0') { + endp = &line[strlen(line) - 1]; + if (*endp != '\n') + return (error); + *endp = '\0'; + if (0 == strcmp(line, string)) + return (TRUE); + } + } + if (ferror(file)) + return (error); + return (FALSE); +} + +/* int allowed(const char *username, const char *allow_file, const char *deny_file) + * returns TRUE if (allow_file exists and user is listed) + * or (deny_file exists and user is NOT listed). + * root is always allowed. + */ +int allowed(const char *username, const char *allow_file, + const char *deny_file) { + FILE *fp; + int isallowed; + char buf[128]; + + if (getuid() == 0) + return TRUE; + isallowed = FALSE; + if ((fp = fopen(allow_file, "r")) != NULL) { + isallowed = in_file(username, fp, FALSE); + fclose(fp); + if ((getuid() == 0) && (!isallowed)) { + snprintf(buf, sizeof (buf), + "root used -u for user %s not in cron.allow", username); + log_it("crontab", getpid(), "warning", buf, 0); + isallowed = TRUE; + } + } + else if ((fp = fopen(deny_file, "r")) != NULL) { + isallowed = !in_file(username, fp, FALSE); + fclose(fp); + if ((getuid() == 0) && (!isallowed)) { + snprintf(buf, sizeof (buf), + "root used -u for user %s in cron.deny", username); + log_it("crontab", getpid(), "warning", buf, 0); + isallowed = TRUE; + } + } +#ifdef WITH_AUDIT + if (isallowed == FALSE) { + int audit_fd = audit_open(); + audit_log_user_message(audit_fd, AUDIT_USER_START, "cron deny", + NULL, NULL, NULL, 0); + close(audit_fd); + } +#endif + return (isallowed); +} +