From fb4f0975355f7f15da521ffcf8558b3e25dc3b93 Mon Sep 17 00:00:00 2001 From: mmaslano Date: Fri, 24 Aug 2007 08:28:24 +0200 Subject: [PATCH] Pam authentication wasn't used wise. User's crontab didn't use pam and functions, which were for pam opening etc. were incorrect (wrong credetials). --- cron.h | 17 ++ crontab.c | 32 +--- do_command.c | 6 +- security.c | 458 +++++++++++++++++++-------------------------------- 4 files changed, 203 insertions(+), 310 deletions(-) diff --git a/cron.h b/cron.h index 4e78ed8..8fe52bc 100644 --- a/cron.h +++ b/cron.h @@ -47,3 +47,20 @@ #include "funcs.h" #include "globals.h" +#ifdef WITH_PAM +static pam_handle_t *pamh = NULL; +static int pam_session_opened = 0; //global for open session +static const struct pam_conv conv = { + NULL +}; + +#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ + fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ + if (pamh != NULL) { \ + if (pam_session_opened != 0) \ + pam_close_session(pamh, PAM_SILENT); \ + pam_end(pamh, retcode); \ + } \ + return(retcode); } +#endif + diff --git a/crontab.c b/crontab.c index 5f7bf66..8a81cd8 100644 --- a/crontab.c +++ b/crontab.c @@ -37,7 +37,6 @@ static char rcsid[] = "$Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp $"; #include #endif - #define NHEADER_LINES 0 enum opt_t { opt_unknown, opt_list, opt_delete, opt_edit, opt_replace }; @@ -118,7 +117,14 @@ main(int argc, char *argv[]) { fprintf(stderr, "See crontab(1) for more information\n"); log_it(RealUser, Pid, "AUTH", "crontab command not allowed"); exit(ERROR_EXIT); - } + } + if (cron_start_pam(pw) != PAM_SUCCESS) { + fprintf(stderr, + "You (%s) are not allowed to access to (%s) because of pam configuration.\n", + User, ProgramName); + exit(ERROR_EXIT); + }; + exitstatus = OK_EXIT; switch (Option) { case opt_unknown: @@ -140,6 +146,7 @@ main(int argc, char *argv[]) { default: abort(); } + cron_close_pam(); exit(exitstatus); /*NOTREACHED*/ } @@ -384,31 +391,14 @@ edit_cmd(void) { fprintf(stderr, "path too long\n"); goto fatal; } - //syslog(LOG_ERR,"%s%s",Filename,tmp_path()); - //syslog(LOG_ERR,"BEFORE MKSTEMP pid: %d uid: %d gid: %d",Pid,MY_UID(pw), MY_GID(pw));//uid, gid); uid = MY_UID(pw); setreuid(0, uid); - //syslog(LOG_ERR,"BEFORE MKSTEMP SETREUID pid: %d uid: %d gid: %d",Pid,MY_UID(pw), MY_GID(pw));//uid,gid); if (-1 == (t = mkstemp(Filename))) { perror(Filename); goto fatal; } -/* instead of chown we're using setreuid */ -/*#ifdef HAS_FCHOWN - if (fchown(t, MY_UID(pw), MY_GID(pw)) < 0) { - perror("fchown"); - goto fatal; - } -#else - if (chown(Filename, MY_UID(pw), MY_GID(pw)) < 0) { - perror("chown"); - goto fatal; - } -#endif*/ - setreuid(uid,0); - //syslog(LOG_ERR,"AFTER MKSTEMP pid: %d uid: %d gid: %d",Pid,uid, MY_GID(pw)); if (!(NewCrontab = fdopen(t, "r+"))) { perror("fdopen"); goto fatal; @@ -497,10 +487,6 @@ edit_cmd(void) { perror("setuid(getuid())"); exit(ERROR_EXIT); } -/* if (chdir(_PATH_TMP) < 0) { - perror(_PATH_TMP); - exit(ERROR_EXIT); - }*/ if (!glue_strings(q, sizeof q, editor, Filename, ' ')) { fprintf(stderr, "%s: editor command line too long\n", ProgramName); diff --git a/do_command.c b/do_command.c index 93191a6..bd0d061 100644 --- a/do_command.c +++ b/do_command.c @@ -71,7 +71,7 @@ child_process(entry *e, user *u) { */ if ( cron_set_job_security_context( e, u, &jobenv ) != 0 ) { - syslog(LOG_INFO, "CRON (%s) ERROR: cannot set security context", e->pwd->pw_name); + //syslog(LOG_INFO, "CRON (%s) ERROR: cannot set security context", e->pwd->pw_name); exit(ERROR_EXIT); } @@ -158,7 +158,7 @@ child_process(entry *e, user *u) { switch (fork()) { case -1: log_it("CRON", getpid(), "error", "can't fork"); - cron_close_security_session(); + cron_close_pam(); exit(ERROR_EXIT); /*NOTREACHED*/ case 0: @@ -523,7 +523,7 @@ child_process(entry *e, user *u) { Debug(DPROC, (", dumped core")) Debug(DPROC, ("\n")) } - cron_close_security_session(); + cron_close_pam(); env_free(jobenv); } diff --git a/security.c b/security.c index b6e1b58..19961c2 100644 --- a/security.c +++ b/security.c @@ -46,70 +46,55 @@ static int cron_get_job_range( user *u, security_context_t *ucontextp, char **jo int cron_restore_default_security_context() { setexeccon(NULL); } -int cron_set_job_security_context( entry *e, user *u, char ***jobenv ) -{ + +int cron_set_job_security_context(entry *e, user *u, char ***jobenv) { time_t minutely_time = 0; - if((e->flags & MIN_STAR)==MIN_STAR) - { - /* "minute-ly" job: Every minute for given hour/dow/month/dom. - * Ensure that these jobs never run in the same minute: - */ - minutely_time = time(0); - Debug(DSCH, ("Minute-ly job. Recording time %lu\n", minutely_time)) - } - if ( cron_open_security_session( e->pwd ) != 0 ) - { - syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s", - e->pwd->pw_name, strerror(errno) - ); - return -1; + if ((e->flags & MIN_STAR)==MIN_STAR) { + /* "minute-ly" job: Every minute for given hour/dow/month/dom. + * Ensure that these jobs never run in the same minute: + */ + minutely_time = time(0); + Debug(DSCH, ("Minute-ly job. Recording time %lu\n", minutely_time)) } + if (cron_start_pam(e->pwd) != 0) { + syslog(LOG_INFO, "CRON (%s): failed to open PAM security session: %s", e->pwd->pw_name, pam_strerror(pamh,cron_start_pam(e->pwd))); + return -1; + } *jobenv = build_env( e->envp ); #ifdef WITH_SELINUX - /* we must get the crontab context BEFORE changing user, else * we'll not be permitted to read the cron spool directory :-) */ - security_context_t ucontext=0; - if ( cron_get_job_range(u, &ucontext, *jobenv) < OK ) - { - syslog(LOG_ERR, "CRON (%s) ERROR: failed to get selinux context: %s", - e->pwd->pw_name, strerror(errno) - ); - return -1; + if (cron_get_job_range(u, &ucontext, *jobenv) < OK) { + syslog(LOG_ERR, "CRON (%s) ERROR: failed to get selinux context: %s", + e->pwd->pw_name, strerror(errno)); + return -1; } - if (cron_change_selinux_range(u, ucontext) != 0) - { + if (cron_change_selinux_range(u, ucontext) != 0) { syslog(LOG_INFO,"CRON (%s) ERROR: failed to change SELinux context", e->pwd->pw_name); - if ( ucontext ) - freecon(ucontext); - return -1; + if ( ucontext ) + freecon(ucontext); + return -1; } - if ( ucontext ) - freecon(ucontext); + if (ucontext) + freecon(ucontext); #endif - if ( cron_start_security_session( e->pwd ) != 0 ) - { - syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s", - e->pwd->pw_name, strerror(errno) - ); - return -1; +/* if (cron_open_pam_session(e->pwd) != 0) { + syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s", e->pwd->pw_name, strerror(errno)); + return -1; } - - if ( cron_change_user( e->pwd, env_get("HOME", *jobenv)) != 0 ) - { - syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s", - e->pwd->pw_name, strerror(errno) - ); - return -1; +*/ + if (cron_change_user(e->pwd, env_get("HOME", *jobenv)) != 0) { + syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s", e->pwd->pw_name, strerror(errno)); + return -1; } log_close(); @@ -117,40 +102,23 @@ int cron_set_job_security_context( entry *e, user *u, char ***jobenv ) time_t job_run_time = time(0L); - if( (minutely_time > 0) - &&((job_run_time / 60) != (minutely_time / 60)) - ) - {/* if a per-minute job is delayed into the next minute + if ((minutely_time > 0) &&((job_run_time / 60) != (minutely_time / 60))) { + /* if a per-minute job is delayed into the next minute * (eg. by network authentication method timeouts), skip it. */ - struct tm tmS, tmN; - localtime_r(&job_run_time, &tmN); - localtime_r(&minutely_time,&tmS); - syslog(LOG_ERR, + struct tm tmS, tmN; + localtime_r(&job_run_time, &tmN); + localtime_r(&minutely_time,&tmS); + syslog(LOG_ERR, "(%s) error: Job execution of per-minute job scheduled for " "%.2u:%.2u delayed into subsequent minute %.2u:%.2u. Skipping job run.", e->pwd->pw_name, tmS.tm_hour, tmS.tm_min, tmN.tm_hour, tmN.tm_min); - return -1; + return -1; } return 0; } -#ifdef WITH_PAM -static pam_handle_t *pamh = NULL; -static const struct pam_conv conv = { - NULL -}; -#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ - fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ - syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ - pam_close_session(pamh, PAM_SILENT); \ - pam_end(pamh, retcode); \ - return(retcode); \ - } -#endif - -int cron_open_security_session( struct passwd *pw ) -{ +int cron_start_pam(struct passwd *pw) { int retcode = 0; #if defined(WITH_PAM) @@ -161,12 +129,11 @@ int cron_open_security_session( struct passwd *pw ) retcode = pam_acct_mgmt(pamh, PAM_SILENT); PAM_FAIL_CHECK; #endif - + return retcode; } -int cron_start_security_session( struct passwd *pw ) -{ +int cron_open_pam_session(struct passwd *pw) { int retcode = 0; #if defined(WITH_PAM) @@ -174,66 +141,56 @@ int cron_start_security_session( struct passwd *pw ) PAM_FAIL_CHECK; retcode = pam_open_session(pamh, PAM_SILENT); PAM_FAIL_CHECK; - log_close(); /* PAM has now re-opened our log to auth.info ! */ - openlog(ProgramName, LOG_PID, LOG_CRON); + if (retcode == PAM_SUCCESS) + pam_session_opened = 1; #endif return retcode; } -void cron_close_security_session( void ) -{ +void cron_close_pam(void) { #if defined(WITH_PAM) - pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); - pam_close_session(pamh, PAM_SILENT); - pam_end(pamh, PAM_ABORT); + if (pam_session_opened != 0) { + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); + pam_close_session(pamh, PAM_SILENT); + } + pam_end(pamh, PAM_SUCCESS); #endif } -int cron_change_user( struct passwd *pw, char *homedir ) -{ +int cron_change_user(struct passwd *pw, char *homedir) { /* set our directory, uid and gid. Set gid first, since once * we set uid, we've lost root privledges. */ - if ( setgid( pw->pw_gid ) != 0 ) - { - log_it("CRON", getpid(), "setgid failed:", strerror(errno)); - return -1; + if (setgid(pw->pw_gid) != 0) { + log_it("CRON", getpid(), "setgid failed:", strerror(errno)); + return -1; } - if ( initgroups( pw->pw_name, pw->pw_gid ) != 0 ) - { - log_it("CRON", getpid(), "initgroups failed:", strerror(errno)); - return -1; + if (initgroups(pw->pw_name, pw->pw_gid) != 0) { + log_it("CRON", getpid(), "initgroups failed:", strerror(errno)); + return -1; } - if ( setuid( pw->pw_uid ) != 0 ) - { - log_it("CRON", getpid(), "setuid failed:", strerror(errno)); - return -1; + if (setuid( pw->pw_uid ) != 0) { + log_it("CRON", getpid(), "setuid failed:", strerror(errno)); + return -1; } - if ( chdir(homedir) == -1 ) - { - log_it("CRON", getpid(), "chdir(HOME) failed:", strerror(errno)); - log_it("CRON", getpid(), homedir, strerror(errno)); - return -1; + if (chdir(homedir) == -1) { + log_it("CRON", getpid(), "chdir(HOME) failed:", strerror(errno)); + log_it("CRON", getpid(), homedir, strerror(errno)); + return -1; } - return 0; } -static int -cron_authorize_context -( - security_context_t scontext, - security_context_t file_context -) -{ +static int cron_authorize_context +(security_context_t scontext,security_context_t file_context) { #ifdef WITH_SELINUX struct av_decision avd; int retval; - unsigned int bit = FILE__ENTRYPOINT; + unsigned int bit = FILE__ENTRYPOINT; /* * Since crontab files are not directly executed, * crond must ensure that the crontab file has @@ -243,24 +200,18 @@ cron_authorize_context */ retval = security_compute_av(scontext, file_context, SECCLASS_FILE, bit, &avd); - if (retval || ((bit & avd.allowed) != bit)) return 0; #endif return 1; } -static int -cron_authorize_range -( - security_context_t scontext, - security_context_t ucontext -) -{ +static int cron_authorize_range +(security_context_t scontext,security_context_t ucontext) { #ifdef WITH_SELINUX struct av_decision avd; int retval; - unsigned int bit = CONTEXT__CONTAINS; + unsigned int bit = CONTEXT__CONTAINS; /* * Since crontab files are not directly executed, * so crond must ensure that any user specified range @@ -275,46 +226,37 @@ cron_authorize_range return 1; } -int cron_get_job_context( user *u, void *scontextp, void *file_contextp, char **jobenv ) -{ +int cron_get_job_context(user *u, void *scontextp, void *file_contextp, char **jobenv) { #if WITH_SELINUX char *sroletype; - if ( is_selinux_enabled() <= 0 ) + if (is_selinux_enabled() <= 0) return 0; - if ( (file_contextp == 0) || (scontextp == 0L) ) + if ((file_contextp == 0) || (scontextp == 0L)) return -1; *((security_context_t*)scontextp) = u->scontext; *((void **)file_contextp) = 0L; - if ( (sroletype = env_get("SELINUX_ROLE_TYPE",jobenv)) != 0L ) - { - *((security_context_t*)scontextp) = (security_context_t) sroletype; + if ((sroletype = env_get("SELINUX_ROLE_TYPE",jobenv)) != 0L) { + *((security_context_t*)scontextp) = (security_context_t) sroletype; char crontab[MAX_FNAME]; - if ( strcmp(u->name,"*system*") == 0 ) + if (strcmp(u->name,"*system*") == 0) strncpy(crontab, u->tabname, MAX_FNAME); else snprintf(crontab, MAX_FNAME, "%s/%s", CRONDIR, u->tabname); - if ( getfilecon( crontab, file_contextp ) == -1 ) - { - if ( security_getenforce() > 0 ) - { - log_it(u->name, - getpid(), "getfilecon FAILED for SELINUX_ROLE_TYPE", - sroletype - ); + if (getfilecon( crontab, file_contextp ) == -1) { + if (security_getenforce() > 0) { + log_it(u->name, getpid(), "getfilecon FAILED for SELINUX_ROLE_TYPE", + sroletype); return -1; - } else - if ( access( crontab, F_OK ) == 0 ) - log_it(u->name, - getpid(), - "getfilecon FAILED but SELinux in permissive mode, continuing " - "- SELINUX_ROLE_TYPE=", sroletype - ); - } + } else if (access( crontab, F_OK ) == 0) + log_it(u->name, getpid(), + "getfilecon FAILED but SELinux in permissive mode, continuing " + "- SELINUX_ROLE_TYPE=", sroletype); + } } #endif return 0; @@ -323,132 +265,100 @@ int cron_get_job_context( user *u, void *scontextp, void *file_contextp, char ** #if WITH_SELINUX /* always uses u->scontext as the default process context, then changes the level, and retuns it in ucontextp (or NULL otherwise) */ -static int cron_get_job_range( user *u, security_context_t *ucontextp, - char **jobenv ) -{ +static int cron_get_job_range(user *u, security_context_t *ucontextp, char **jobenv) { char *range; - if ( is_selinux_enabled() <= 0 ) + if (is_selinux_enabled() <= 0) return 0; - if ( ucontextp == 0L ) + if (ucontextp == 0L) return -1; *ucontextp = 0L; - if ( (range = env_get("MLS_LEVEL",jobenv)) != 0L ) - { - context_t ccon; - - if (!(ccon = context_new(u->scontext))) - { - log_it(u->name, - getpid(), "context_new FAILED for MLS_LEVEL", - range); - return -1; - } - - if (context_range_set(ccon, range)) - { - log_it(u->name, - getpid(), "context_range_set FAILED for MLS_LEVEL", - range); - return -1; - } - - if (!(*ucontextp = context_str(ccon))) - { - log_it(u->name, - getpid(), "context_str FAILED for MLS_LEVEL", - range); - return -1; - } - - if (!(*ucontextp = strdup(*ucontextp))) - { - log_it(u->name, - getpid(), "strdup FAILED for MLS_LEVEL", - range); - return -1; - } - - context_free(ccon); - } - else if (!u->scontext) - { /* cron_change_selinux_range() deals with this */ - return 0; + if ((range = env_get("MLS_LEVEL",jobenv)) != 0L) { + context_t ccon; + if (!(ccon = context_new(u->scontext))) { + log_it(u->name, getpid(), "context_new FAILED for MLS_LEVEL", range); + return -1; + } + + if (context_range_set(ccon, range)) { + log_it(u->name, getpid(), "context_range_set FAILED for MLS_LEVEL", + range); + return -1; } - else if (!(*ucontextp = strdup(u->scontext))) - { - log_it(u->name, - getpid(), "strdup FAILED for MLS_LEVEL", - range); - return -1; + + if (!(*ucontextp = context_str(ccon))) { + log_it(u->name, getpid(), "context_str FAILED for MLS_LEVEL", + range); + return -1; } + if (!(*ucontextp = strdup(*ucontextp))) { + log_it(u->name, getpid(), "strdup FAILED for MLS_LEVEL", + range); + return -1; + } + context_free(ccon); + } + else if (!u->scontext) { + /* cron_change_selinux_range() deals with this */ + return 0; + } + else if (!(*ucontextp = strdup(u->scontext))) { + log_it(u->name, getpid(), "strdup FAILED for MLS_LEVEL", + range); + return -1; + } + return 0; } #endif -int cron_change_selinux_context( user *u, void *scontext, void *file_context ) -{ +int cron_change_selinux_context(user *u, void *scontext, void *file_context) { #ifdef WITH_SELINUX - if ( is_selinux_enabled() <= 0 ) + if (is_selinux_enabled() <= 0) return 0; - if ( scontext == 0L ) - { - if (security_getenforce() > 0) - { - log_it( u->name, getpid(), - "NULL security context for user", - "" - ); + if (scontext == 0L) { + if (security_getenforce() > 0) { + log_it( u->name, getpid(), "NULL security context for user", ""); return -1; - }else - { + } + else { log_it( u->name, getpid(), "NULL security context for user, " "but SELinux in permissive mode, continuing", - "" - ); + ""); return 0; } } - if ( file_context ) - { - if ( ! cron_authorize_context( scontext, file_context ) ) - { - if ( security_getenforce() > 0 ) - { + if (file_context) { + if (!cron_authorize_context( scontext, file_context)) { + if (security_getenforce() > 0) { syslog(LOG_ERR, "CRON (%s) ERROR:" "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user", - u->name, (char*)scontext - ); + u->name, (char*)scontext); return -1; - } else - { + } + else { syslog(LOG_INFO, "CRON (%s) WARNING:" "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user," " but SELinux in permissive mode, continuing", - u->name, (char*)scontext - ); + u->name, (char*)scontext); } } - } + } - if ( setexeccon(scontext) < 0 ) - { - if (security_getenforce() > 0) - { + if (setexeccon(scontext) < 0) { + if (security_getenforce() > 0) { syslog(LOG_ERR, "CRON (%s) ERROR:" "Could not set exec context to %s for user", - u->name, (char*)scontext - ); - + u->name, (char*)scontext); return -1; } } @@ -457,41 +367,34 @@ int cron_change_selinux_context( user *u, void *scontext, void *file_context ) } #ifdef WITH_SELINUX -static int cron_change_selinux_range( user *u, - security_context_t ucontext ) -{ - if ( is_selinux_enabled() <= 0 ) +static int cron_change_selinux_range(user *u,security_context_t ucontext) { + if (is_selinux_enabled() <= 0) return 0; - if ( u->scontext == 0L ) - { + if (u->scontext == 0L) { if (security_getenforce() > 0) { log_it( u->name, getpid(), "NULL security context for user", - "" - ); + ""); return -1; - }else - { + } + else { log_it( u->name, getpid(), "NULL security context for user, " "but SELinux in permissive mode, continuing", - "" - ); + ""); return 0; } } - if ( strcmp(u->scontext, ucontext) ) - { - if ( ! cron_authorize_range( u->scontext, ucontext )) - { - if ( security_getenforce() > 0 ) - { + if (strcmp(u->scontext, ucontext)) { + if (!cron_authorize_range( u->scontext, ucontext)) { + if (security_getenforce() > 0) { #ifdef WITH_AUDIT char *msg = NULL; - if (asprintf(&msg, "cron: Unauthorized MLS range acct=%s new_scontext=%s old_scontext=%s", u->name, (char*)ucontext, u->scontext) >= 0) { + if (asprintf(&msg, "cron: Unauthorized MLS range acct=%s new_scontext=%s old_scontext=%s", + u->name, (char*)ucontext, u->scontext) >= 0) { int audit_fd = audit_open(); audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, msg, NULL, NULL, NULL, 0); close(audit_fd); @@ -501,40 +404,33 @@ static int cron_change_selinux_range( user *u, syslog(LOG_ERR, "CRON (%s) ERROR:" "Unauthorized range %s in MLS_LEVEL for user %s ", - u->name, (char*)ucontext, u->scontext - ); + u->name, (char*)ucontext, u->scontext); return -1; - } else - { + } + else { syslog(LOG_INFO, "CRON (%s) WARNING:" "Unauthorized range %s in MLS_LEVEL for user %s," " but SELinux in permissive mode, continuing", - u->name, (char*)ucontext, u->scontext - ); + u->name, (char*)ucontext, u->scontext); } } - } + } - if ( setexeccon(ucontext) < 0 ) - { - if (security_getenforce() > 0) - { + if (setexeccon(ucontext) < 0) { + if (security_getenforce() > 0) { syslog(LOG_ERR, "CRON (%s) ERROR:" "Could not set exec context to %s for user", - u->name, (char*)ucontext - ); - + u->name, (char*)ucontext); return -1; - } else - { + } + else { syslog(LOG_ERR, "CRON (%s) ERROR:" "Could not set exec context to %s for user, " " but SELinux in permissive mode, continuing", - u->name, (char*)ucontext - ); + u->name, (char*)ucontext); return 0; } @@ -589,19 +485,17 @@ int get_security_context( const char *name, } } - if ( ! cron_authorize_context( scontext, file_context ) ) - { + if (!cron_authorize_context( scontext, file_context)) { freecon(scontext); freecon(file_context); if (security_getenforce() > 0) { log_it(name, getpid(), "Unauthorized SELinux context", tabname); return -1; - } else - { + } + else { log_it(name, getpid(), "Unauthorized SELinux context, but SELinux in permissive mode, continuing", - tabname - ); + tabname); return 0; } } @@ -612,19 +506,16 @@ int get_security_context( const char *name, return 0; } -void free_security_context( security_context_t *scontext ) -{ +void free_security_context(security_context_t *scontext) { #ifdef WITH_SELINUX - if( *scontext != NULL ) - { - freecon(*scontext); - *scontext=0L; - } + if (*scontext != NULL) { + freecon(*scontext); + *scontext=0L; + } #endif } -int crontab_security_access(void) -{ +int crontab_security_access(void) { #ifdef WITH_SELINUX if (is_selinux_enabled() > 0) if (selinux_check_passwd_access(PASSWD__CRONTAB)!=0) @@ -644,16 +535,15 @@ static char ** build_env(char **cronenv) int count = 0; jobenv = env_copy(pamenv); - /* Now add the cron environment variables. Since env_set() overwrites existing variables, this will let cron's environment settings override pam's */ while ((cronvar = cronenv[count++])) { - if (!(jobenv = env_set(jobenv, cronvar))) { - syslog(LOG_ERR, "Setting Cron environment variable %s failed", cronvar); - return NULL; - } + if (!(jobenv = env_set(jobenv, cronvar))) { + syslog(LOG_ERR, "Setting Cron environment variable %s failed", cronvar); + return NULL; + } } return jobenv; #else -- 2.40.0