File vixie-cron-4.1-pam.diff of Package cron
Index: vixie-cron-4.1/cron.8
===================================================================
--- vixie-cron-4.1.orig/cron.8
+++ vixie-cron-4.1/cron.8
@@ -76,6 +76,12 @@ jobs twice.
.PP
Time changes of more than 3 hours are considered to be corrections to
the clock or timezone, and the new time is used immediately.
+.SS PAM Access Control
+On SUSE LINUX systems, crond now supports access control with PAM - see
+.IR pam (8) .
+A PAM configuration file for crond is installed in /etc/pam.d/crond .
+crond loads the PAM environment from the pam_env module, but these
+can be overriden by settings in the crontab file.
.SH SIGNALS
On receipt of a \s-2SIGHUP\s+2, the cron daemon will close and reopen its
log file. This is useful in scripts which rotate and age log files.
@@ -90,7 +96,8 @@ No crontab files may be executable, or b
other than their owner.
.SH "SEE ALSO"
.IR crontab (1),
-.IR crontab (5)
+.IR crontab (5),
+.IR pam (8)
.SH AUTHOR
.nf
Paul Vixie <vixie@isc.org>
Index: vixie-cron-4.1/crond.pam
===================================================================
--- /dev/null
+++ vixie-cron-4.1/crond.pam
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the cron daemon
+#
+#
+auth sufficient pam_rootok.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
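Review bot: The `auth` and `password` stacks in this file are never exercised by the daemon: the do_command.c changes in this patch call pam_acct_mgmt, pam_setcred and pam_open_session but never pam_authenticate or pam_chauthtok, so `auth sufficient pam_rootok.so`, `auth include common-auth` and `password include common-password` are dead configuration that suggests an authentication step which does not happen. I would drop them, or keep them with a comment such as `# crond only uses the account and session stacks; auth/password are unused`, so an administrator hardening this file knows which lines actually gate job execution. Also note that `session required pam_loginuid.so` makes every job depend on the audit subsystem being available; if the kernel or pam_loginuid build does not support it (I cannot tell from here), this line would stop all cron jobs, so `optional` may be the safer default unless audit is guaranteed.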
Index: vixie-cron-4.1/cron.h
===================================================================
--- vixie-cron-4.1.orig/cron.h
+++ vixie-cron-4.1/cron.h
@@ -31,6 +31,9 @@
#define CRON_VERSION "V5.0"
#include "config.h"
#include "externs.h"
+#ifdef WITH_PAM
+ #include <security/pam_appl.h>
+#endif
#include "pathnames.h"
#include "macros.h"
#include "structs.h"
Index: vixie-cron-4.1/do_command.c
===================================================================
--- vixie-cron-4.1.orig/do_command.c
+++ vixie-cron-4.1/do_command.c
@@ -25,9 +25,47 @@ static char rcsid[] = "$Id: do_command.c
#include "cron.h"
+#ifdef WITH_PAM
+static pam_handle_t *pamh = NULL;
+static const struct pam_conv conv = {
+ NULL
+};
+#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+ fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+ syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+ pam_end(pamh, retcode); exit(1); \
+ }
+#endif
+
static void child_process(entry *, user *);
static int safe_p(const char *, const char *);
+/* Build up the job environment from the PAM environment plus the
+ crontab environment */
+static char ** build_env(char **cronenv)
+{
+ char **jobenv = cronenv;
+#if defined(WITH_PAM)
+ char **pamenv = pam_getenvlist(pamh);
+ char *cronvar;
+ int count = 0;
+
+ jobenv = env_copy(pamenv);
+
+ /* Now add the cron environment variables. Since env_set()
+ overwrites existing variables, this will let cron's
+ environment settings override pam's */
+
+ while ((cronvar = cronenv[count++])) {
+ if (!(jobenv = env_set(jobenv, cronvar))) {
+ syslog(LOG_ERR, "Setting Cron environment variable %s failed", cronvar);
+ return NULL;
+ }
+ }
+#endif
+ return jobenv;
+}
+
void
do_command(entry *e, user *u) {
Debug(DPROC, ("[%ld] do_command(%s, (%s,%ld,%ld))\n",
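Review bot: build_env() passes the result of pam_getenvlist() straight to env_copy() without a NULL check, and then feeds env_copy()'s result to env_set() without checking it either; both calls can return NULL on allocation failure (pam_getenvlist also when the handle is bad), and vixie cron's env_copy()/env_set() walk the array without a NULL guard as far as I recall, so this would be a crash in the child rather than a logged failure like the env_set loop below it. I would guard both: `if (pamenv == NULL || !(jobenv = env_copy(pamenv))) { syslog(LOG_ERR, "Copying PAM environment failed"); return NULL; }`, which also matches the function's existing NULL-on-error contract. The malloc'd `pamenv` array is never freed after env_copy(); the child is about to exec so the leak is bounded, but a `free()` loop (or a comment saying why it is skipped) would make that intent explicit. The caller that consumes build_env()'s NULL return is outside this hunk, so I could not confirm it treats NULL as fatal; do_command() itself starts at the end of this hunk and continues beyond it.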
@@ -65,6 +103,10 @@ child_process(entry *e, user *u) {
int stdin_pipe[2], stdout_pipe[2];
char *input_data, *usernm, *mailto;
int children = 0;
+#if defined(WITH_PAM)
+ int retcode = 0;
+#endif
+
Debug(DPROC, ("[%ld] child_process('%s')\n", (long)getpid(), e->cmd))
@@ -134,6 +176,19 @@ child_process(entry *e, user *u) {
*p = '\0';
}
+#if defined(WITH_PAM)
+ retcode = pam_start("crond", usernm, &conv, &pamh);
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item(pamh, PAM_TTY, "cron");
+ PAM_FAIL_CHECK;
+ retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+#endif
+
/* fork again, this time so we can exec the user's command.
*/
switch (fork()) {
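Review bot: If pam_open_session() fails after pam_setcred(PAM_ESTABLISH_CRED) has succeeded, PAM_FAIL_CHECK calls pam_end() and exit(1) without ever issuing PAM_DELETE_CRED, so credentials a module established (tickets, tokens, whatever common-session/common-account set up) are left behind for the failed job. I would undo them on that path, e.g. `if (retcode != PAM_SUCCESS) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);` placed before the final PAM_FAIL_CHECK, or give the macro an argument indicating whether credentials are live. The error message written by PAM_FAIL_CHECK is only pam_strerror() text with no user or command, so an operator seeing "Permission denied" in syslog cannot tell which crontab was refused; logging `usernm` alongside it (via cron's own log_it() or the syslog call) would make the access-control decision auditable. child_process() continues outside this hunk, so I could not check whether the fork-failure branch below also skips pam_close_session()/pam_end().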
@@ -514,6 +569,12 @@ child_process(entry *e, user *u) {
Debug(DPROC, (", dumped core"))
Debug(DPROC, ("\n"))
}
+
+#if defined(WITH_PAM)
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ retcode = pam_close_session(pamh, PAM_SILENT);
+ pam_end(pamh, retcode);
+#endif
}
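Review bot: The cleanup ignores the return values of pam_setcred(PAM_DELETE_CRED) and, apart from forwarding it to pam_end(), of pam_close_session(), so a module that fails to tear down a session (or credentials) does so silently; a single `if (retcode != PAM_SUCCESS) syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, retcode));` before pam_end() would surface this the same way the setup errors are surfaced. This cleanup is also only reached on the normal path at the bottom of child_process(); any exit() between pam_open_session() and here (the PAM_FAIL_CHECK exits are visible, other error exits in child_process() are outside this hunk) leaves the session open from PAM's point of view. A comment such as `/* tear down the PAM session opened before the job fork; error exits above skip this */` would at least document the gap. child_process() begins outside this hunk.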
static int
Index: vixie-cron-4.1/Makefile
===================================================================
--- vixie-cron-4.1.orig/Makefile
+++ vixie-cron-4.1/Makefile
@@ -55,11 +55,12 @@ DESTROOT = $(DESTDIR)/usr
DESTSBIN = $(DESTROOT)/sbin
DESTBIN = $(DESTROOT)/bin
DESTMAN = $(DESTROOT)/share/man
+DESTETC = $(DESTROOT)/../etc
#<<need bitstring.h>>
INCLUDE = -I.
#INCLUDE =
#<<need getopt()>>
-LIBS =
+LIBS = -lpam -lpam_misc
#<<optimize or debug?>>
#CDEBUG = -O
CDEBUG = -O2 -pipe
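Review bot: `-lpam_misc` is linked but none of the new code in this patch uses a libpam_misc symbol (the conversation function is a NULL pointer rather than misc_conv), so it is an unneeded dependency; `LIBS = -lpam` is sufficient as far as the patch shows. Linking is also unconditional while the code is guarded by `-DWITH_PAM`, so a build that clears DEFS still pulls in libpam; tying the library to the define, e.g. `LIBS = $(if $(findstring WITH_PAM,$(DEFS)),-lpam)` or a comment noting that `DEFS` and `LIBS` must be changed together, would keep the two in step.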
@@ -68,7 +69,7 @@ LINTFLAGS = -hbxa $(INCLUDE) $(DEBUGGING
#<<want to use a nonstandard CC?>>
CC = gcc -Wall -Wno-unused -Wno-comment
#<<manifest defines>>
-DEFS =
+DEFS = -DWITH_PAM
#(SGI IRIX systems need this)
#DEFS = -D_BSD_SIGNALS -Dconst=
#<<the name of the BSD-like install program>>
@@ -114,6 +115,7 @@ install : all
$(INSTALL) -c -m 4111 -o root crontab $(DESTBIN)/
# $(INSTALL) -c -m 111 -o root -g crontab cron $(DESTSBIN)/
# $(INSTALL) -c -m 2111 -o root -g crontab crontab $(DESTBIN)/
+ $(INSTALL) -c -m 0644 crond.pam $(DESTETC)/pam.d/crond
install -m644 crontab.1 $(DESTMAN)/man1
install -m644 cron.8 $(DESTMAN)/man8
install -m644 crontab.5 $(DESTMAN)/man5
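Review bot: The new install line for the PAM configuration omits `-o root`, unlike the neighbouring `$(INSTALL)` lines for the binaries, so the file is owned by whoever runs `make install`; since this file decides which accounts may run jobs it should be `$(INSTALL) -c -m 0644 -o root crond.pam $(DESTETC)/pam.d/crond`. Nothing in this hunk creates `$(DESTETC)/pam.d`, and I cannot see whether the install target makes its directories elsewhere, so a `mkdir -p $(DESTETC)/pam.d` (or confirmation that it exists) is needed for a fresh DESTDIR. `DESTETC = $(DESTROOT)/../etc` works but resolves through `usr/..`; `$(DESTDIR)/etc` says the same thing directly.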