From c1bcbeddb1e41b87bebc27262551bb8b22434fac Mon Sep 17 00:00:00 2001
From: Marcela Mašláňová
Date: Jul 18 2008 14:34:48 +0000
Subject: - 446004 hope adding || into scriptlets fix removing old package after upgrade - fixes for fuzz=0
---
diff --git a/at-3.1.10-pam.patch b/at-3.1.10-pam.patch
index 9cc8b26..9c06637 100644
--- a/at-3.1.10-pam.patch
+++ b/at-3.1.10-pam.patch
@@ -1,116 +1,22 @@ ---- at-3.1.10/perm.c.pam 2005-08-05 05:16:01.000000000 +0200 -+++ at-3.1.10/perm.c 2007-07-03 13:29:24.000000000 +0200 -@@ -51,6 +51,14 @@ - #define PRIV_END while(0) - #endif - -+#ifdef WITH_PAM -+#include -+static pam_handle_t *pamh = NULL; -+static const struct pam_conv conv = { -+ NULL -+}; -+#endif -+ - /* Structures and unions */ - - -@@ -109,18 +117,54 @@ - int - check_permission() - { -- uid_t uid = geteuid(); -+ uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid(); - struct passwd *pentry; - int allow = 0, deny = 1; -- -- if (uid == 0) -+ int retcode = 0; -+ if (euid == 0) - return 1; - -- if ((pentry = getpwuid(uid)) == NULL) { -+ if ((pentry = getpwuid(euid)) == NULL) { - perror("Cannot access user database"); - exit(EXIT_FAILURE); - } - -+#ifdef WITH_PAM -+/* -+ * We must check if the atd daemon userid will be allowed to gain the job owner user's -+ * credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access. -+ */ -+ setreuid(daemon_uid, daemon_uid); -+ setregid(daemon_gid, daemon_gid); -+ -+# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ -+ fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \ -+ pam_close_session(pamh,PAM_SILENT); \ -+ pam_end(pamh, retcode); \ -+ setregid(gid,egid); \ -+ setreuid(uid,euid); \ -+ return(0); \ -+ } -+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); -+ PAM_FAIL_CHECK; -+ retcode = pam_set_item(pamh, PAM_TTY, "atd"); -+ PAM_FAIL_CHECK; -+ retcode = pam_acct_mgmt(pamh, PAM_SILENT); -+ PAM_FAIL_CHECK; -+ retcode = pam_open_session(pamh, PAM_SILENT); -+ PAM_FAIL_CHECK; -+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); -+ PAM_FAIL_CHECK; -+ -+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); -+ pam_close_session(pamh,PAM_SILENT); -+ pam_end(pamh, PAM_ABORT); -+ -+ setregid(gid,egid); -+ setreuid(uid,euid); -+ -+#endif -+ - allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name); - if (allow==0 || 
allow==1) - return allow; ---- at-3.1.10/config.h.in.pam 2005-08-05 05:16:02.000000000 +0200 -+++ at-3.1.10/config.h.in 2007-07-03 13:29:24.000000000 +0200 -@@ -181,3 +181,10 @@ - - #undef HAVE_ATTRIBUTE_NORETURN - #undef HAVE_PAM -+ -+/* Define if you are building with_pam */ -+#undef WITH_PAM -+ -+/* Define if you are building with_selinux */ -+#undef WITH_SELINUX -+ ---- at-3.1.10/configure.in.pam 2005-08-05 05:16:02.000000000 +0200 -+++ at-3.1.10/configure.in 2007-07-03 13:29:24.000000000 +0200 -@@ -316,4 +316,19 @@ - ) - AC_SUBST(DAEMON_GROUPNAME) - -+AC_ARG_WITH(selinux, -+[ --with-selinux Define to run with selinux], -+AC_DEFINE(WITH_SELINUX), -+) -+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux) -+AC_SUBST(SELINUXLIB) -+AC_SUBST(WITH_SELINUX) -+ -+AC_ARG_WITH(pam, -+[ --with-pam Define to enable pam support ], -+AC_DEFINE(WITH_PAM), -+) -+AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc') -+AC_SUBST(PAMLIB) -+ - AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch) ---- at-3.1.10/atd.c.pam 2007-07-03 13:29:24.000000000 +0200 -+++ at-3.1.10/atd.c 2007-07-03 13:52:38.000000000 +0200 +--- at-3.1.10/pam_atd.pam 2007-07-03 13:29:24.000000000 +0200 ++++ at-3.1.10/pam_atd 2007-07-03 13:29:24.000000000 +0200 +@@ -0,0 +1,13 @@ ++# The PAM configuration file for the at daemon ++# ++# ++auth sufficient pam_rootok.so ++auth include system-auth ++auth required pam_env.so ++account include system-auth ++session required pam_loginuid.so ++session include system-auth ++# Sets up user limits, please uncomment and read /etc/security/limits.conf ++# to enable this functionality. ++# session required pam_limits.so ++# +diff -up at-3.1.10/atd.c.pam at-3.1.10/atd.c +--- at-3.1.10/atd.c.pam 2008-07-18 15:47:52.000000000 +0200 ++++ at-3.1.10/atd.c 2008-07-18 16:02:32.000000000 +0200 @@ -74,6 +74,14 @@ #include #endif 
@@ -137,7 +43,7 @@ /* Macros */ #define BATCH_INTERVAL_DEFAULT 60 -@@ -121,6 +133,7 @@ +@@ -121,6 +133,7 @@ static const struct pam_conv conv = { #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ @@ -145,7 +51,7 @@ pam_end(pamh, retcode); exit(1); \ } #define PAM_END { retcode = pam_close_session(pamh,0); \ -@@ -196,6 +209,19 @@ +@@ -196,6 +209,19 @@ myfork() #define fork myfork #endif @@ -165,7 +71,7 @@ static void run_file(const char *filename, uid_t uid, gid_t gid) { -@@ -378,18 +404,22 @@ +@@ -380,18 +406,22 @@ run_file(const char *filename, uid_t uid fstat(fd_out, &buf); size = buf.st_size; @@ -191,22 +97,22 @@ close(STDIN_FILENO); close(STDOUT_FILENO); -@@ -402,6 +432,14 @@ +@@ -404,6 +434,14 @@ run_file(const char *filename, uid_t uid else if (pid == 0) { char *nul = NULL; char **nenvp = &nul; + char **pam_envp=0L; + -+ PRIV_START ++ PRIV_START +#ifdef WITH_PAM -+ pam_envp = pam_getenvlist(pamh); -+ if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) ) -+ nenvp = pam_envp; ++ pam_envp = pam_getenvlist(pamh); ++ if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) ) ++ nenvp = pam_envp; +#endif /* Set up things for the child; we want standard input from the * input file, and standard output and error sent to our output file. -@@ -423,8 +461,6 @@ +@@ -425,8 +463,6 @@ run_file(const char *filename, uid_t uid if (chdir(ATJOB_DIR) < 0) perr("Cannot chdir to " ATJOB_DIR); @@ -215,13 +121,13 @@ nice((tolower((int) queue) - 'a' + 1) * 2); if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -441,10 +477,90 @@ +@@ -443,10 +479,91 @@ run_file(const char *filename, uid_t uid chdir("/"); +#ifdef WITH_SELINUX + if (selinux_enabled>0) { -+ security_context_t user_context=NULL; ++ security_context_t user_context=NULL; + security_context_t file_context=NULL; + int retval=0; + struct av_decision avd; 
@@ -249,7 +155,7 @@ + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ -+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) { ++ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) { + if (security_getenforce() > 0) { + perr("fgetfilecon FAILED %s", filename); + } else { @@ -281,13 +187,13 @@ + if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) perr("Exec failed for /bin/sh"); -- + +//add for fedora +#ifdef WITH_SELINUX -+ if (selinux_enabled>0) -+ if (setexeccon(NULL) < 0) -+ if (security_getenforce()==1) -+ perr("Could not resset exec context for user %s\n", pentry->pw_name); ++ if (selinux_enabled>0) ++ if (setexeccon(NULL) < 0) ++ if (security_getenforce()==1) ++ perr("Could not resset exec context for user %s\n", pentry->pw_name); + +#endif +//end @@ -303,20 +209,19 @@ + } +#endif PRIV_END -+//end ++// end } /* We're the parent. Let's wait. */ -@@ -456,7 +572,7 @@ - return with an ECHILD error. +@@ -459,6 +576,7 @@ run_file(const char *filename, uid_t uid */ waitpid(pid, (int *) NULL, 0); -- -+/* remove because WITH_PAM + ++/* remove because WITH_PAM #ifdef HAVE_PAM PRIV_START pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); -@@ -464,7 +580,7 @@ +@@ -466,7 +584,7 @@ run_file(const char *filename, uid_t uid pam_end(pamh, retcode); PRIV_END #endif @@ -325,7 +230,7 @@ /* Send mail. Unlink the output file after opening it, so it * doesn't hang around after the run. */ -@@ -472,6 +588,13 @@ +@@ -474,6 +592,13 @@ run_file(const char *filename, uid_t uid if (open(filename, O_RDONLY) != STDIN_FILENO) perr("Open of jobfile failed"); 
@@ -339,13 +244,13 @@ unlink(filename); /* The job is now finished. We can delete its input file. -@@ -480,8 +603,30 @@ +@@ -482,8 +607,30 @@ run_file(const char *filename, uid_t uid unlink(newname); free(newname); +#ifdef ATD_MAIL_PROGRAM if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) { -+ int mail_pid = -1; ++ int mail_pid = -1; +//add for fedora +#ifdef WITH_PAM + retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); @@ -363,22 +268,21 @@ + openlog("atd", LOG_PID, LOG_ATD); +#endif +//end -+ mail_pid = fork(); ++ mail_pid = fork(); -+ if ( mail_pid == 0 ) -+ { ++ if ( mail_pid == 0 ) ++ { PRIV_START if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -495,16 +640,80 @@ +@@ -497,15 +644,80 @@ run_file(const char *filename, uid_t uid chdir ("/"); -#if defined(SENDMAIL) - execl(SENDMAIL, "sendmail", mailname, (char *) NULL); -#else --/*#error "No mail command specified."*/ -- perr("No mail command specified."); +- perr("No mail command specified."); +#ifdef WITH_SELINUX + if (selinux_enabled>0) { + security_context_t user_context=NULL; @@ -405,13 +309,13 @@ + &avd); + freecon(file_context); + if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { -+ if (security_getenforce()==1) { ++ if (security_getenforce()==1) { + perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); + } else { + syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); + goto out; + } -+ } ++ } + + if (setexeccon(user_context) < 0) { + if (security_getenforce()==1) { 
@@ -420,34 +324,34 @@ + syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); + } + } -+ out: -+ freecon(user_context); ++ out: ++ freecon(user_context); + } +#endif + execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL); -+ perr("Exec faile for mail command"); -+ exit(-1); ++ perr("Exec faile for mail command"); ++ exit(-1); + +#ifdef WITH_SELINUX -+ if (selinux_enabled>0) -+ if (setexeccon(NULL) < 0) -+ if (security_getenforce()==1) -+ perr("Could not resset exec context for user %s\n", pentry->pw_name); ++ if (selinux_enabled>0) ++ if (setexeccon(NULL) < 0) ++ if (security_getenforce()==1) ++ perr("Could not resset exec context for user %s\n", pentry->pw_name); #endif - perr("Exec failed for mail command"); PRIV_END -+ } -+ else if ( mail_pid == -1 ) { ++ } ++ else if ( mail_pid == -1 ) { + perr("fork of mailer failed"); + } -+ else { ++ else { + /* Parent */ + waitpid(mail_pid, (int *) NULL, 0); -+ } ++ } +#ifdef WITH_PAM -+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); -+ pam_close_session(pamh, PAM_SILENT); ++ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); ++ pam_close_session(pamh, PAM_SILENT); + pam_end(pamh, PAM_ABORT); + closelog(); + openlog("atd", LOG_PID, LOG_ATD); @@ -457,7 +361,7 @@ exit(EXIT_SUCCESS); } -@@ -702,6 +911,10 @@ +@@ -703,6 +915,10 @@ main(int argc, char *argv[]) struct passwd *pwe; struct group *ge; @@ -468,7 +372,7 @@ /* We don't need root privileges all the time; running under uid and gid * daemon is fine. */ -@@ -718,18 +931,13 @@ +@@ -719,18 +935,14 @@ main(int argc, char *argv[]) RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid) 
@@ -477,46 +381,78 @@ -#endif - - openlog("atd", LOG_PID, LOG_CRON); -- + openlog("atd", LOG_PID, LOG_ATD); + opterr = 0; errno = 0; run_as_daemon = 1; batch_interval = BATCH_INTERVAL_DEFAULT; - while ((c = getopt(argc, argv, "sdl:b:")) != EOF) { -+ while ((c = getopt(argc, argv, "sdl:b:n:")) != EOF) { ++ while ((c = getopt(argc, argv, "sdl:b:n")) != EOF) { switch (c) { case 'l': if (sscanf(optarg, "%lf", &load_avg) != 1) -@@ -742,10 +950,15 @@ - if (sscanf(optarg, "%ud", &batch_interval) != 1) - pabort("garbled option -b"); +@@ -745,7 +957,10 @@ main(int argc, char *argv[]) break; -+ case 'd': daemon_debug++; -+ /* go through another option*/ -+ -+ case 'n': -+ daemon_nofork++; - break; -- -+ +- break; ++ /* go through another option*/ ++ case 'n': ++ daemon_nofork++; ++ break; + case 's': run_as_daemon = 0; - break; ---- at-3.1.10/Makefile.in.pam 2007-07-03 13:29:24.000000000 +0200 -+++ at-3.1.10/Makefile.in 2007-07-03 13:29:24.000000000 +0200 -@@ -41,6 +41,7 @@ +diff -up at-3.1.10/config.h.in.pam at-3.1.10/config.h.in +--- at-3.1.10/config.h.in.pam 2008-07-18 16:04:41.000000000 +0200 ++++ at-3.1.10/config.h.in 2008-07-18 16:05:13.000000000 +0200 +@@ -181,3 +181,9 @@ + + #undef HAVE_ATTRIBUTE_NORETURN + #undef HAVE_PAM ++ ++/* Define if you are building with_pam */ ++#undef WITH_PAM ++ ++/* Define if you are building with_selinux */ ++#undef WITH_SELINUX +diff -up at-3.1.10/configure.in.pam at-3.1.10/configure.in +--- at-3.1.10/configure.in.pam 2008-07-18 16:05:28.000000000 +0200 ++++ at-3.1.10/configure.in 2008-07-18 16:06:01.000000000 +0200 +@@ -316,4 +316,19 @@ AC_ARG_WITH(daemon_groupname, + ) + AC_SUBST(DAEMON_GROUPNAME) + ++AC_ARG_WITH(selinux, ++[ --with-selinux Define to run with selinux], ++AC_DEFINE(WITH_SELINUX), ++) ++AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux) ++AC_SUBST(SELINUXLIB) ++AC_SUBST(WITH_SELINUX) ++ ++AC_ARG_WITH(pam, ++[ --with-pam Define to enable pam support ], ++AC_DEFINE(WITH_PAM), ++) ++AC_CHECK_LIB(pam, 
pam_start, PAMLIB='-lpam -lpam_misc') ++AC_SUBST(PAMLIB) ++ + AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch) +diff -up at-3.1.10/Makefile.in.pam at-3.1.10/Makefile.in +--- at-3.1.10/Makefile.in.pam 2008-07-18 15:47:52.000000000 +0200 ++++ at-3.1.10/Makefile.in 2008-07-18 16:04:19.000000000 +0200 +@@ -41,6 +41,7 @@ LIBS = @LIBS@ LIBOBJS = @LIBOBJS@ INSTALL = @INSTALL@ PAMLIB = @PAMLIB@ -+SELINUXLIB = @SELINUXLIB@ ++SELINUXLIB = @SELINUXLIB@ CLONES = atq atrm ATOBJECTS = at.o panic.o perm.o y.tab.o lex.yy.o -@@ -67,13 +68,13 @@ +@@ -67,13 +68,13 @@ LIST = Filelist Filelist.asc all: at atd atrun at: $(ATOBJECTS) 
@@ -532,19 +468,80 @@ y.tab.c y.tab.h: parsetime.y $(YACC) -d parsetime.y ---- at-3.1.10/pam_atd.pam 2007-07-03 13:29:24.000000000 +0200 -+++ at-3.1.10/pam_atd 2007-07-03 13:29:24.000000000 +0200 -@@ -0,0 +1,13 @@ -+# The PAM configuration file for the at daemon -+# -+# -+auth sufficient pam_rootok.so -+auth include system-auth -+auth required pam_env.so -+account include system-auth -+session required pam_loginuid.so -+session include system-auth -+# Sets up user limits, please uncomment and read /etc/security/limits.conf -+# to enable this functionality. -+# session required pam_limits.so -+# +diff -up at-3.1.10/perm.c.pam at-3.1.10/perm.c +--- at-3.1.10/perm.c.pam 2008-07-18 16:06:14.000000000 +0200 ++++ at-3.1.10/perm.c 2008-07-18 16:08:05.000000000 +0200 +@@ -51,6 +51,14 @@ + #define PRIV_END while(0) + #endif + ++#ifdef WITH_PAM ++#include ++static pam_handle_t *pamh = NULL; ++static const struct pam_conv conv = { ++ NULL ++}; ++#endif ++ + /* Structures and unions */ + + +@@ -109,18 +117,55 @@ user_in_file(const char *path, const cha + int + check_permission() + { +- uid_t uid = geteuid(); ++ uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid(); + struct passwd *pentry; + int allow = 0, deny = 1; + +- if (uid == 0) ++ int retcode = 0; ++ if (euid == 0) + return 1; + +- if ((pentry = getpwuid(uid)) == NULL) { ++ if ((pentry = getpwuid(euid)) == NULL) { + perror("Cannot access user database"); + exit(EXIT_FAILURE); + } + ++#ifdef WITH_PAM ++/* ++ * We must check if the atd daemon userid will be allowed to gain the job owner user's ++ * credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access. 
++ */ ++ setreuid(daemon_uid, daemon_uid); ++ setregid(daemon_gid, daemon_gid); ++ ++# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ ++ fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \ ++ pam_close_session(pamh,PAM_SILENT); \ ++ pam_end(pamh, retcode); \ ++ setregid(gid,egid); \ ++ setreuid(uid,euid); \ ++ return(0); \ ++ } ++ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); ++ PAM_FAIL_CHECK; ++ retcode = pam_set_item(pamh, PAM_TTY, "atd"); ++ PAM_FAIL_CHECK; ++ retcode = pam_acct_mgmt(pamh, PAM_SILENT); ++ PAM_FAIL_CHECK; ++ retcode = pam_open_session(pamh, PAM_SILENT); ++ PAM_FAIL_CHECK; ++ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); ++ PAM_FAIL_CHECK; ++ ++ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); ++ pam_close_session(pamh,PAM_SILENT); ++ pam_end(pamh, PAM_ABORT); ++ ++ setregid(gid,egid); ++ setreuid(uid,euid); ++ ++#endif ++ + allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name); + if (allow==0 || allow==1) + return allow; diff --git a/at-3.1.10-pam_keyring.patch b/at-3.1.10-pam_keyring.patch index db7a23a..2e00fa4 100644 --- a/at-3.1.10-pam_keyring.patch +++ b/at-3.1.10-pam_keyring.patch @@ -1,13 +1,13 @@ -diff -up at-3.1.10/pam_atd.old at-3.1.10/pam_atd ---- at-3.1.10/pam_atd.old 2007-10-05 13:32:16.000000000 +0200 -+++ at-3.1.10/pam_atd 2007-10-05 13:35:31.000000000 +0200 +diff -up at-3.1.10/pam_atd.pamkeyring at-3.1.10/pam_atd +--- at-3.1.10/pam_atd.pamkeyring 2008-07-18 16:15:07.000000000 +0200 ++++ at-3.1.10/pam_atd 2008-07-18 16:16:48.000000000 +0200 
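Review bot: check_permission() in the perm.c part of at-3.1.10-pam.patch ignores the return values of `setreuid(daemon_uid, daemon_uid);` and `setregid(daemon_gid, daemon_gid);` and of the later restore pair `setregid(gid,egid); setreuid(uid,euid);`, so a failed switch lets the PAM account check run under an identity other than the daemon's, and a failed restore leaves at(1) running with the daemon ids. Each call should be checked and the function should fail closed, e.g. `if (setregid(daemon_gid, daemon_gid) < 0 || setreuid(daemon_uid, daemon_uid) < 0) { perror("Cannot switch to daemon ids"); exit(EXIT_FAILURE); }`; changing the gid before the uid is the usual order, since the uid change may remove the privilege the gid change needs. The same unchecked restore pair sits inside the `PAM_FAIL_CHECK` macro defined in this hunk. at-3.1.10-pamfix.patch rewrites part of this region later in the series, but those lines are elided on this page, so whether it adds the checks cannot be confirmed from here.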
@@ -2,8 +2,8 @@ # # - auth sufficient pam_rootok.so -+auth required pam_env.so - auth include system-auth --auth required pam_env.so - account include system-auth - session required pam_loginuid.so - session include system-auth + auth sufficient pam_rootok.so +-auth include system-auth + auth required pam_env.so ++auth include system-auth + account include system-auth + session required pam_loginuid.so + session include system-auth diff --git a/at-3.1.10-pamfix.patch b/at-3.1.10-pamfix.patch index 7446ad1..641e117 100644 --- a/at-3.1.10-pamfix.patch +++ b/at-3.1.10-pamfix.patch @@ -1,6 +1,6 @@ diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c ---- at-3.1.10/atd.c.pamfix 2008-01-09 14:56:57.000000000 +0100 -+++ at-3.1.10/atd.c 2008-01-09 14:56:57.000000000 +0100 +--- at-3.1.10/atd.c.pamfix 2008-07-18 16:23:11.000000000 +0200 ++++ at-3.1.10/atd.c 2008-07-18 16:23:11.000000000 +0200 @@ -131,15 +131,17 @@ static const struct pam_conv conv = { }; @@ -44,15 +44,15 @@ diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c PAM_FAIL_CHECK; closelog(); openlog("atd", LOG_PID, LOG_ATD); -@@ -610,6 +615,7 @@ run_file(const char *filename, uid_t uid - int mail_pid = -1; +@@ -612,6 +617,7 @@ run_file(const char *filename, uid_t uid + int mail_pid = -1; //add for fedora #ifdef WITH_PAM + pamh = NULL; retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); PAM_FAIL_CHECK; retcode = pam_set_item(pamh, PAM_TTY, "atd"); -@@ -617,8 +623,10 @@ run_file(const char *filename, uid_t uid +@@ -619,8 +625,10 @@ run_file(const char *filename, uid_t uid retcode = pam_acct_mgmt(pamh, PAM_SILENT); PAM_FAIL_CHECK; retcode = pam_open_session(pamh, PAM_SILENT); 
@@ -64,9 +64,9 @@ diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c /* PAM has now re-opened our log to auth.info ! */ closelog(); diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c ---- at-3.1.10/perm.c.pamfix 2008-01-09 14:56:57.000000000 +0100 -+++ at-3.1.10/perm.c 2008-01-09 15:58:54.000000000 +0100 -@@ -134,17 +134,34 @@ check_permission() +--- at-3.1.10/perm.c.pamfix 2008-07-18 16:23:11.000000000 +0200 ++++ at-3.1.10/perm.c 2008-07-18 16:26:16.000000000 +0200 +@@ -135,34 +135,61 @@ check_permission() * We must check if the atd daemon userid will be allowed to gain the job owner user's * credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access. */ @@ -83,7 +83,7 @@ diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c # define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ - fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \ -- pam_close_session(pamh,PAM_SILENT); \ +- pam_close_session(pamh,PAM_SILENT); \ - pam_end(pamh, retcode); \ - setregid(gid,egid); \ - setreuid(uid,euid); \ @@ -110,8 +110,9 @@ diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); PAM_FAIL_CHECK; retcode = pam_set_item(pamh, PAM_TTY, "atd"); -@@ -152,16 +169,25 @@ check_permission() + PAM_FAIL_CHECK; retcode = pam_acct_mgmt(pamh, PAM_SILENT); ++ PAM_SESSION_FAIL; PAM_FAIL_CHECK; retcode = pam_open_session(pamh, PAM_SILENT); + PAM_SESSION_FAIL; diff --git a/at-3.1.10-setuids.patch b/at-3.1.10-setuids.patch deleted file mode 100644 index e69de29..0000000 --- a/at-3.1.10-setuids.patch +++ /dev/null diff --git a/at-3.1.8-perr.patch b/at-3.1.8-perr.patch index 3ef7e23..5ab284f 100644 --- a/at-3.1.8-perr.patch +++ b/at-3.1.8-perr.patch 
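Review bot: The added `PAM_SESSION_FAIL;` directly after `retcode = pam_acct_mgmt(pamh, PAM_SILENT);` in the perm.c section of at-3.1.10-pamfix.patch runs before `pam_open_session()` has been called, so on an account-check failure it would act on a session that was never opened. The macro's definition is in a part of the patch that is elided here; if it calls `pam_close_session()`, as its name and its other use after `pam_open_session` suggest, the line should be dropped so that only `PAM_FAIL_CHECK;` follows `pam_acct_mgmt`. The line appears exactly where the old `@@ -152,16 +169,25 @@` inner hunk header was folded into the preceding hunk, so it may be a regeneration slip rather than an intended change. The inner patch to check_permission() continues beyond what this hunk shows.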
@@ -1,12 +1,12 @@ ---- at-3.1.8/atd.c.org 2002-07-19 16:20:24.000000000 +0900 -+++ at-3.1.8/atd.c 2002-07-19 16:22:30.000000000 +0900 -@@ -453,7 +453,8 @@ - #elif defined(MAILX) - execl(MAILX, "mailx", mailname, (char *) NULL); +diff -up at-3.1.10/atd.c.bla at-3.1.10/atd.c +--- at-3.1.10/atd.c.bla 2008-07-18 15:18:35.000000000 +0200 ++++ at-3.1.10/atd.c 2008-07-18 15:19:41.000000000 +0200 +@@ -643,7 +643,7 @@ run_file(const char *filename, uid_t uid + #if defined(SENDMAIL) + execl(SENDMAIL, "sendmail", mailname, (char *) NULL); #else -#error "No mail command specified." -+/*#error "No mail command specified."*/ -+ perr("No mail command specified."); ++ perr("No mail command specified."); #endif perr("Exec failed for mail command"); diff --git a/at.spec b/at.spec index b85e5ff..a8ae164 100644 --- a/at.spec +++ b/at.spec @@ -31,8 +31,7 @@ Patch13: at-3.1.10-havepam.patch Patch14: at-3.1.10-pam_keyring.patch Patch15: at-3.1.10-PIE.patch Patch16: at-3.1.10-pamfix.patch -Patch17: at-3.1.10-setuids.patch -Patch18: nonposix.patch +Patch17: nonposix.patch BuildRequires: fileutils chkconfig /etc/init.d BuildRequires: flex bison autoconf @@ -83,8 +82,7 @@ cp %{SOURCE1} . %patch14 -p1 -b .pamkeyring %patch15 -p1 -b .PIE %patch16 -p1 -b .pamfix -%patch17 -p1 -b .setuids -%patch18 -p1 -b .nonposix +%patch17 -p1 -b .nonposix %build # patch10 touches configure.in @@ -189,6 +187,7 @@ fi %changelog * Fri Jul 18 2008 Marcela Maslanova - 3.1.10-24 - 446004 hope adding || into scriptlets fix removing old package after upgrade +- fixes for fuzz=0 * Tue Mar 25 2008 Marcela Maslanova - 3.1.10-23 - 436952 use local instead of posix output date/time format.