rpms/at/devel at-3.1.10-pam.patch, 1.3, 1.4 at-3.1.10-pam_keyring.patch, 1.1, 1.2 at-3.1.10-pamfix.patch, 1.1, 1.2 at-3.1.8-perr.patch, 1.1, 1.2 at.spec, 1.66, 1.67 at-3.1.10-setuids.patch, 1.1, NONE

Marcela Mašláňová (mmaslano) fedora-extras-commits at redhat.com
Fri Jul 18 14:35:38 UTC 2008


Author: mmaslano

Update of /cvs/pkgs/rpms/at/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6453

Modified Files:
	at-3.1.10-pam.patch at-3.1.10-pam_keyring.patch 
	at-3.1.10-pamfix.patch at-3.1.8-perr.patch at.spec 
Removed Files:
	at-3.1.10-setuids.patch 
Log Message:
* Fri Jul 18 2008 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-24
- 446004 hope adding || into scriptlets fix removing old package after upgrade
- fixes for fuzz=0


at-3.1.10-pam.patch:

Index: at-3.1.10-pam.patch
===================================================================
RCS file: /cvs/pkgs/rpms/at/devel/at-3.1.10-pam.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- at-3.1.10-pam.patch	3 Jul 2007 14:24:48 -0000	1.3
+++ at-3.1.10-pam.patch	18 Jul 2008 14:34:48 -0000	1.4
@@ -1,116 +1,22 @@
---- at-3.1.10/perm.c.pam	2005-08-05 05:16:01.000000000 +0200
-+++ at-3.1.10/perm.c	2007-07-03 13:29:24.000000000 +0200
-@@ -51,6 +51,14 @@
- #define PRIV_END while(0)
- #endif
- 
-+#ifdef WITH_PAM
-+#include <security/pam_appl.h>
-+static pam_handle_t *pamh = NULL;
-+static const struct pam_conv conv = {
-+       NULL
-+};
-+#endif
-+
- /* Structures and unions */
- 
- 
-@@ -109,18 +117,54 @@
- int
- check_permission()
- {
--  uid_t uid = geteuid();
-+  uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid();
-   struct passwd *pentry;
-   int    allow = 0, deny = 1;
--
--  if (uid == 0)
-+  int	 retcode = 0;
-+  if (euid == 0)
-     return 1;
- 
--  if ((pentry = getpwuid(uid)) == NULL) {
-+  if ((pentry = getpwuid(euid)) == NULL) {
-     perror("Cannot access user database");
-     exit(EXIT_FAILURE);
-   }
- 
-+#ifdef  WITH_PAM
-+/*
-+ *  We must check if the atd daemon userid will be allowed to gain the job owner user's
-+ *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
-+ */
-+  setreuid(daemon_uid, daemon_uid);
-+  setregid(daemon_gid, daemon_gid);
-+
-+# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
-+                              fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
-+			      pam_close_session(pamh,PAM_SILENT); \
-+                              pam_end(pamh, retcode); \
-+                               setregid(gid,egid); \
-+                               setreuid(uid,euid); \
-+                               return(0); \
-+                           }
-+  retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
-+  PAM_FAIL_CHECK;
-+  retcode = pam_set_item(pamh, PAM_TTY, "atd");
-+  PAM_FAIL_CHECK;
-+  retcode = pam_acct_mgmt(pamh, PAM_SILENT);
-+  PAM_FAIL_CHECK;
-+  retcode = pam_open_session(pamh, PAM_SILENT);
-+  PAM_FAIL_CHECK;
-+  retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
-+  PAM_FAIL_CHECK;
-+
-+  pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
-+  pam_close_session(pamh,PAM_SILENT);
-+  pam_end(pamh, PAM_ABORT);
-+
-+  setregid(gid,egid);
-+  setreuid(uid,euid);
-+
-+#endif
-+
-   allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name);
-   if (allow==0 || allow==1)
-     return allow;
---- at-3.1.10/config.h.in.pam	2005-08-05 05:16:02.000000000 +0200
-+++ at-3.1.10/config.h.in	2007-07-03 13:29:24.000000000 +0200
-@@ -181,3 +181,10 @@
- 
- #undef HAVE_ATTRIBUTE_NORETURN
- #undef HAVE_PAM
-+
-+/* Define if you are building with_pam */
-+#undef WITH_PAM
-+
-+/* Define if you are building with_selinux  */
-+#undef WITH_SELINUX
-+
---- at-3.1.10/configure.in.pam	2005-08-05 05:16:02.000000000 +0200
-+++ at-3.1.10/configure.in	2007-07-03 13:29:24.000000000 +0200
-@@ -316,4 +316,19 @@
- )
- AC_SUBST(DAEMON_GROUPNAME)
- 
-+AC_ARG_WITH(selinux,
-+[ --with-selinux       Define to run with selinux],
-+AC_DEFINE(WITH_SELINUX),
-+)
-+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
-+AC_SUBST(SELINUXLIB)
-+AC_SUBST(WITH_SELINUX)
-+
-+AC_ARG_WITH(pam,
-+[ --with-pam            Define to enable pam support ],
-+AC_DEFINE(WITH_PAM),
-+)
-+AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
-+AC_SUBST(PAMLIB)
-+
- AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
---- at-3.1.10/atd.c.pam	2007-07-03 13:29:24.000000000 +0200
-+++ at-3.1.10/atd.c	2007-07-03 13:52:38.000000000 +0200
+--- at-3.1.10/pam_atd.pam   2007-07-03 13:29:24.000000000 +0200
++++ at-3.1.10/pam_atd   2007-07-03 13:29:24.000000000 +0200
+@@ -0,0 +1,13 @@
++# The PAM configuration file for the at daemon
++#
++#
++auth       sufficient  pam_rootok.so
++auth       include     system-auth
++auth       required    pam_env.so
++account        include     system-auth
++session        required    pam_loginuid.so
++session        include     system-auth
++# Sets up user limits, please uncomment and read /etc/security/limits.conf
++# to enable this functionality.
++# session    required   pam_limits.so
++#
+diff -up at-3.1.10/atd.c.pam at-3.1.10/atd.c
+--- at-3.1.10/atd.c.pam	2008-07-18 15:47:52.000000000 +0200
++++ at-3.1.10/atd.c	2008-07-18 16:02:32.000000000 +0200
 @@ -74,6 +74,14 @@
  #include <syslog.h>
  #endif
@@ -137,7 +43,7 @@
  /* Macros */
  
  #define BATCH_INTERVAL_DEFAULT 60
-@@ -121,6 +133,7 @@
+@@ -121,6 +133,7 @@ static const struct pam_conv conv = {
  #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
  	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
  	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
@@ -145,7 +51,7 @@
  	pam_end(pamh, retcode); exit(1); \
      }
  #define PAM_END { retcode = pam_close_session(pamh,0); \
-@@ -196,6 +209,19 @@
+@@ -196,6 +209,19 @@ myfork()
  #define fork myfork
  #endif
  
@@ -165,7 +71,7 @@
  static void
  run_file(const char *filename, uid_t uid, gid_t gid)
  {
-@@ -378,18 +404,22 @@
+@@ -380,18 +406,22 @@ run_file(const char *filename, uid_t uid
      fstat(fd_out, &buf);
      size = buf.st_size;
  
@@ -191,22 +97,22 @@
  
      close(STDIN_FILENO);
      close(STDOUT_FILENO);
-@@ -402,6 +432,14 @@
+@@ -404,6 +434,14 @@ run_file(const char *filename, uid_t uid
      else if (pid == 0) {
  	char *nul = NULL;
  	char **nenvp = &nul;
 +	char **pam_envp=0L;
 +
-+        PRIV_START
++	PRIV_START
 +#ifdef WITH_PAM
-+        pam_envp = pam_getenvlist(pamh);
-+        if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) )
-+            nenvp = pam_envp;
++	pam_envp = pam_getenvlist(pamh);
++	if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) )
++		nenvp = pam_envp;
 +#endif
  
  	/* Set up things for the child; we want standard input from the
  	 * input file, and standard output and error sent to our output file.
-@@ -423,8 +461,6 @@
+@@ -425,8 +463,6 @@ run_file(const char *filename, uid_t uid
  	if (chdir(ATJOB_DIR) < 0)
  	    perr("Cannot chdir to " ATJOB_DIR);
  
@@ -215,13 +121,13 @@
  	    nice((tolower((int) queue) - 'a' + 1) * 2);
  
  	    if (initgroups(pentry->pw_name, pentry->pw_gid))
-@@ -441,10 +477,90 @@
+@@ -443,10 +479,91 @@ run_file(const char *filename, uid_t uid
  
  	    chdir("/");
  
 +#ifdef WITH_SELINUX
 +           if (selinux_enabled>0) {
-+	       security_context_t user_context=NULL;
++          security_context_t user_context=NULL;
 +               security_context_t  file_context=NULL;
 +               int retval=0;
 +               struct av_decision avd;
@@ -249,7 +155,7 @@
 +              * the user cron job.  It performs an entrypoint
 +              * permission check for this purpose.
 +              */
-+	     if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
++        if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
 +                     if (security_getenforce() > 0) {
 +                         perr("fgetfilecon FAILED %s", filename);
 +                     } else {
@@ -281,13 +187,13 @@
 +
  	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
  		perr("Exec failed for /bin/sh");
--
+ 
 +//add for fedora
 +#ifdef WITH_SELINUX
-+	if (selinux_enabled>0)
-+        	if (setexeccon(NULL) < 0)
-+        		if (security_getenforce()==1)
-+				perr("Could not resset exec context for user %s\n", pentry->pw_name);
++   if (selinux_enabled>0)
++           if (setexeccon(NULL) < 0)
++               if (security_getenforce()==1)
++               perr("Could not resset exec context for user %s\n", pentry->pw_name);
 +
 +#endif
 +//end
@@ -303,20 +209,19 @@
 +       }
 +#endif
  	PRIV_END
-+//end
++// end
      }
      /* We're the parent.  Let's wait.
       */
-@@ -456,7 +572,7 @@
-        return with an ECHILD error. 
+@@ -459,6 +576,7 @@ run_file(const char *filename, uid_t uid
       */
      waitpid(pid, (int *) NULL, 0);
--
-+/* remove because WITH_PAM 
+ 
++/* remove because WITH_PAM
  #ifdef HAVE_PAM
      PRIV_START
  	pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
-@@ -464,7 +580,7 @@
+@@ -466,7 +584,7 @@ run_file(const char *filename, uid_t uid
  	pam_end(pamh, retcode);
      PRIV_END
  #endif
@@ -325,7 +230,7 @@
      /* Send mail.  Unlink the output file after opening it, so it
       * doesn't hang around after the run.
       */
-@@ -472,6 +588,13 @@
+@@ -474,6 +592,13 @@ run_file(const char *filename, uid_t uid
      if (open(filename, O_RDONLY) != STDIN_FILENO)
  	perr("Open of jobfile failed");
  
@@ -339,13 +244,13 @@
      unlink(filename);
  
      /* The job is now finished.  We can delete its input file.
-@@ -480,8 +603,30 @@
+@@ -482,8 +607,30 @@ run_file(const char *filename, uid_t uid
      unlink(newname);
      free(newname);
  
 +#ifdef ATD_MAIL_PROGRAM
      if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
-+	int mail_pid = -1;
++   int mail_pid = -1;
 +//add for fedora
 +#ifdef  WITH_PAM
 +       retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
@@ -363,22 +268,21 @@
 +       openlog("atd", LOG_PID, LOG_ATD);
 +#endif
 +//end
-+	mail_pid = fork();
++   mail_pid = fork();
  
-+	if ( mail_pid == 0 )
-+	{
++   if ( mail_pid == 0 )
++   {
  	PRIV_START
  
  	    if (initgroups(pentry->pw_name, pentry->pw_gid))
-@@ -495,16 +640,80 @@
+@@ -497,15 +644,80 @@ run_file(const char *filename, uid_t uid
  
  	    chdir ("/");
  
 -#if defined(SENDMAIL)
 -	    execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
 -#else
--/*#error      "No mail command specified."*/
--	perr("No mail command specified.");
+-		perr("No mail command specified.");
 +#ifdef WITH_SELINUX
 +           if (selinux_enabled>0) {
 +             security_context_t user_context=NULL;
@@ -405,13 +309,13 @@
 +                                          &avd);
 +             freecon(file_context);
 +             if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-+	     	if (security_getenforce()==1) {
++           if (security_getenforce()==1) {
 +                    perr("Not allowed to set exec context to %s for user  %s\n", user_context,pentry->pw_name);
 +                } else {
 +                    syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,pentry->pw_name);
 +                    goto out;
 +                }
-+	     }
++        }
 +
 +             if (setexeccon(user_context) < 0) {
 +               if (security_getenforce()==1) {
@@ -420,34 +324,34 @@
 +                 syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,pentry->pw_name);
 +               }
 +             }
-+	     out:
-+	             freecon(user_context);
++        out:
++                freecon(user_context);
 +           }
 +#endif
 +            execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
-+	    perr("Exec faile for mail command");
-+	    exit(-1);
++       perr("Exec faile for mail command");
++       exit(-1);
 +
 +#ifdef WITH_SELINUX
-+	if (selinux_enabled>0)
-+        	if (setexeccon(NULL) < 0)
-+                	if (security_getenforce()==1)
-+                        	perr("Could not resset exec context for user %s\n", pentry->pw_name);
++   if (selinux_enabled>0)
++           if (setexeccon(NULL) < 0)
++                   if (security_getenforce()==1)
++                           perr("Could not resset exec context for user %s\n", pentry->pw_name);
  #endif
 -	    perr("Exec failed for mail command");
  
  	PRIV_END
-+	}
-+	else if ( mail_pid == -1 ) {
++   }
++   else if ( mail_pid == -1 ) {
 +           perr("fork of mailer failed");
 +        }
-+	else {
++   else {
 +           /* Parent */
 +           waitpid(mail_pid, (int *) NULL, 0);
-+	}
++   }
 +#ifdef WITH_PAM
-+	pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
-+	pam_close_session(pamh, PAM_SILENT);
++   pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
++   pam_close_session(pamh, PAM_SILENT);
 +        pam_end(pamh, PAM_ABORT);
 +        closelog();
 +        openlog("atd", LOG_PID, LOG_ATD);
@@ -457,7 +361,7 @@
      exit(EXIT_SUCCESS);
  }
  
-@@ -702,6 +911,10 @@
+@@ -703,6 +915,10 @@ main(int argc, char *argv[])
      struct passwd *pwe;
      struct group *ge;
  
@@ -468,7 +372,7 @@
  /* We don't need root privileges all the time; running under uid and gid
   * daemon is fine.
   */
-@@ -718,18 +931,13 @@
+@@ -719,18 +935,14 @@ main(int argc, char *argv[])
  
      RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid)
  
@@ -477,46 +381,78 @@
 -#endif
 -
 -    openlog("atd", LOG_PID, LOG_CRON);
--
 +    openlog("atd", LOG_PID, LOG_ATD);
+ 
      opterr = 0;
      errno = 0;
      run_as_daemon = 1;
      batch_interval = BATCH_INTERVAL_DEFAULT;
  
 -    while ((c = getopt(argc, argv, "sdl:b:")) != EOF) {
-+    while ((c = getopt(argc, argv, "sdl:b:n:")) != EOF) {
++    while ((c = getopt(argc, argv, "sdl:b:n")) != EOF) {
  	switch (c) {
  	case 'l':
  	    if (sscanf(optarg, "%lf", &load_avg) != 1)
-@@ -742,10 +950,15 @@
- 	    if (sscanf(optarg, "%ud", &batch_interval) != 1)
- 		pabort("garbled option -b");
+@@ -745,7 +957,10 @@ main(int argc, char *argv[])
  	    break;
-+	    
  	case 'd':
  	    daemon_debug++;
-+	    /* go through another option*/
-+	
-+	case 'n':
-+	    daemon_nofork++;
- 	    break;
--
-+	    
+-	    break;
++        /* go through another option*/
++   case 'n':
++        daemon_nofork++;
++        break;
+ 
  	case 's':
  	    run_as_daemon = 0;
- 	    break;
---- at-3.1.10/Makefile.in.pam	2007-07-03 13:29:24.000000000 +0200
-+++ at-3.1.10/Makefile.in	2007-07-03 13:29:24.000000000 +0200
-@@ -41,6 +41,7 @@
+diff -up at-3.1.10/config.h.in.pam at-3.1.10/config.h.in
+--- at-3.1.10/config.h.in.pam	2008-07-18 16:04:41.000000000 +0200
++++ at-3.1.10/config.h.in	2008-07-18 16:05:13.000000000 +0200
+@@ -181,3 +181,9 @@
+ 
+ #undef HAVE_ATTRIBUTE_NORETURN
+ #undef HAVE_PAM
++
++/* Define if you are building with_pam */
++#undef WITH_PAM
++
++/* Define if you are building with_selinux  */
++#undef WITH_SELINUX
+diff -up at-3.1.10/configure.in.pam at-3.1.10/configure.in
+--- at-3.1.10/configure.in.pam	2008-07-18 16:05:28.000000000 +0200
++++ at-3.1.10/configure.in	2008-07-18 16:06:01.000000000 +0200
+@@ -316,4 +316,19 @@ AC_ARG_WITH(daemon_groupname,
+ )
+ AC_SUBST(DAEMON_GROUPNAME)
+ 
++AC_ARG_WITH(selinux,
++[ --with-selinux       Define to run with selinux],
++AC_DEFINE(WITH_SELINUX),
++)
++AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
++AC_SUBST(SELINUXLIB)
++AC_SUBST(WITH_SELINUX)
++
++AC_ARG_WITH(pam,
++[ --with-pam            Define to enable pam support ],
++AC_DEFINE(WITH_PAM),
++)
++AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
++AC_SUBST(PAMLIB)
++
+ AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
+diff -up at-3.1.10/Makefile.in.pam at-3.1.10/Makefile.in
+--- at-3.1.10/Makefile.in.pam	2008-07-18 15:47:52.000000000 +0200
++++ at-3.1.10/Makefile.in	2008-07-18 16:04:19.000000000 +0200
+@@ -41,6 +41,7 @@ LIBS		= @LIBS@
  LIBOBJS		= @LIBOBJS@
  INSTALL		= @INSTALL@
  PAMLIB          = @PAMLIB@
-+SELINUXLIB	= @SELINUXLIB@
++SELINUXLIB = @SELINUXLIB@
  
  CLONES		= atq atrm 
  ATOBJECTS	= at.o panic.o perm.o y.tab.o lex.yy.o
-@@ -67,13 +68,13 @@
+@@ -67,13 +68,13 @@ LIST = Filelist Filelist.asc
  all: at atd atrun
  
  at: $(ATOBJECTS)
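Review bot: In the configure.in part of this hunk, `AC_ARG_WITH(pam, ..., AC_DEFINE(WITH_PAM),)` passes the define as the action-if-given, and autoconf runs that action for `--without-pam` and `--with-pam=no` as well, so an explicit opt-out still compiles the PAM code path; the `selinux` block has the same shape. Testing the value keeps the switch honest: `[if test "x$withval" != xno; then AC_DEFINE(WITH_PAM) fi]`. `AC_CHECK_LIB` also fills `PAMLIB` independently of the switch, so `--with-pam` on a host without libpam would define `WITH_PAM` with an empty `PAMLIB` and fail only at compile or link time rather than in configure.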
@@ -532,19 +468,80 @@
  
  y.tab.c y.tab.h: parsetime.y
  	$(YACC) -d parsetime.y
---- at-3.1.10/pam_atd.pam	2007-07-03 13:29:24.000000000 +0200
-+++ at-3.1.10/pam_atd	2007-07-03 13:29:24.000000000 +0200
-@@ -0,0 +1,13 @@
-+# The PAM configuration file for the at daemon
-+#
-+#
-+auth		sufficient	pam_rootok.so
-+auth		include		system-auth
-+auth		required	pam_env.so
-+account		include		system-auth
-+session		required	pam_loginuid.so 
-+session		include		system-auth
-+# Sets up user limits, please uncomment and read /etc/security/limits.conf
-+# to enable this functionality.
-+# session    required   pam_limits.so
-+#
+diff -up at-3.1.10/perm.c.pam at-3.1.10/perm.c
+--- at-3.1.10/perm.c.pam	2008-07-18 16:06:14.000000000 +0200
++++ at-3.1.10/perm.c	2008-07-18 16:08:05.000000000 +0200
+@@ -51,6 +51,14 @@
+ #define PRIV_END while(0)
+ #endif
+ 
++#ifdef WITH_PAM
++#include <security/pam_appl.h>
++static pam_handle_t *pamh = NULL;
++static const struct pam_conv conv = {
++       NULL
++};
++#endif
++
+ /* Structures and unions */
+ 
+ 
+@@ -109,18 +117,55 @@ user_in_file(const char *path, const cha
+ int
+ check_permission()
+ {
+-  uid_t uid = geteuid();
++  uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid();
+   struct passwd *pentry;
+   int    allow = 0, deny = 1;
+ 
+-  if (uid == 0)
++  int   retcode = 0;
++  if (euid == 0)
+     return 1;
+ 
+-  if ((pentry = getpwuid(uid)) == NULL) {
++  if ((pentry = getpwuid(euid)) == NULL) {
+     perror("Cannot access user database");
+     exit(EXIT_FAILURE);
+   }
+ 
++#ifdef  WITH_PAM
++/*
++ *  We must check if the atd daemon userid will be allowed to gain the job owner user's
++ *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
++ */
++  setreuid(daemon_uid, daemon_uid);
++  setregid(daemon_gid, daemon_gid);
++
++# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
++                              fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
++                 pam_close_session(pamh,PAM_SILENT); \
++                              pam_end(pamh, retcode); \
++                               setregid(gid,egid); \
++                               setreuid(uid,euid); \
++                               return(0); \
++                           }
++  retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
++  PAM_FAIL_CHECK;
++  retcode = pam_set_item(pamh, PAM_TTY, "atd");
++  PAM_FAIL_CHECK;
++  retcode = pam_acct_mgmt(pamh, PAM_SILENT);
++  PAM_FAIL_CHECK;
++  retcode = pam_open_session(pamh, PAM_SILENT);
++  PAM_FAIL_CHECK;
++  retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
++  PAM_FAIL_CHECK;
++
++  pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
++  pam_close_session(pamh,PAM_SILENT);
++  pam_end(pamh, PAM_ABORT);
++
++  setregid(gid,egid);
++  setreuid(uid,euid);
++
++#endif
++
+   allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name);
+   if (allow==0 || allow==1)
+     return allow;
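Review bot: In the perm.c section, `check_permission()` switches IDs with `setreuid(daemon_uid, daemon_uid); setregid(daemon_gid, daemon_gid);` and restores them with `setregid(gid,egid); setreuid(uid,euid);`, and none of these return values is checked, either in the straight-line path or inside `PAM_FAIL_CHECK`. If a switch or a restore fails, the function carries on and returns to its caller under IDs other than the ones the rest of the program assumes, which in what appears to be a set-id binary is a privilege-handling defect rather than a cosmetic one. Each call should be tested and treated as fatal, for example `if (setregid(gid, egid) < 0 || setreuid(uid, euid) < 0) { perror("Cannot restore ids"); exit(EXIT_FAILURE); }`, and the drop should change the gid before the uid so the gid call cannot lose the privilege it needs. `egid` and `gid` are also declared as `uid_t` where `gid_t` is meant. A later patch in the series may alter these lines, and the function body continues past the end of the hunk.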

at-3.1.10-pam_keyring.patch:

Index: at-3.1.10-pam_keyring.patch
===================================================================
RCS file: /cvs/pkgs/rpms/at/devel/at-3.1.10-pam_keyring.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- at-3.1.10-pam_keyring.patch	5 Oct 2007 11:58:14 -0000	1.1
+++ at-3.1.10-pam_keyring.patch	18 Jul 2008 14:34:48 -0000	1.2
@@ -1,13 +1,13 @@
-diff -up at-3.1.10/pam_atd.old at-3.1.10/pam_atd
---- at-3.1.10/pam_atd.old	2007-10-05 13:32:16.000000000 +0200
-+++ at-3.1.10/pam_atd	2007-10-05 13:35:31.000000000 +0200
+diff -up at-3.1.10/pam_atd.pamkeyring at-3.1.10/pam_atd
+--- at-3.1.10/pam_atd.pamkeyring	2008-07-18 16:15:07.000000000 +0200
++++ at-3.1.10/pam_atd	2008-07-18 16:16:48.000000000 +0200
 @@ -2,8 +2,8 @@
  #
  #
- auth		sufficient	pam_rootok.so
-+auth            required        pam_env.so
- auth		include		system-auth
--auth		required	pam_env.so
- account		include		system-auth
- session		required	pam_loginuid.so 
- session		include		system-auth
+ auth       sufficient  pam_rootok.so
+-auth       include     system-auth
+ auth       required    pam_env.so
++auth       include     system-auth
+ account        include     system-auth
+ session        required    pam_loginuid.so
+ session        include     system-auth

at-3.1.10-pamfix.patch:

Index: at-3.1.10-pamfix.patch
===================================================================
RCS file: /cvs/pkgs/rpms/at/devel/at-3.1.10-pamfix.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- at-3.1.10-pamfix.patch	14 Jan 2008 09:08:45 -0000	1.1
+++ at-3.1.10-pamfix.patch	18 Jul 2008 14:34:48 -0000	1.2
@@ -1,6 +1,6 @@
 diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c
---- at-3.1.10/atd.c.pamfix	2008-01-09 14:56:57.000000000 +0100
-+++ at-3.1.10/atd.c	2008-01-09 14:56:57.000000000 +0100
+--- at-3.1.10/atd.c.pamfix	2008-07-18 16:23:11.000000000 +0200
++++ at-3.1.10/atd.c	2008-07-18 16:23:11.000000000 +0200
 @@ -131,15 +131,17 @@ static const struct pam_conv conv = {
  };
  
@@ -44,15 +44,15 @@
      PAM_FAIL_CHECK;
      closelog();
      openlog("atd", LOG_PID, LOG_ATD);
-@@ -610,6 +615,7 @@ run_file(const char *filename, uid_t uid
- 	int mail_pid = -1;
+@@ -612,6 +617,7 @@ run_file(const char *filename, uid_t uid
+    int mail_pid = -1;
  //add for fedora
  #ifdef  WITH_PAM
 +       pamh = NULL;
         retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
         PAM_FAIL_CHECK;
         retcode = pam_set_item(pamh, PAM_TTY, "atd");
-@@ -617,8 +623,10 @@ run_file(const char *filename, uid_t uid
+@@ -619,8 +625,10 @@ run_file(const char *filename, uid_t uid
         retcode = pam_acct_mgmt(pamh, PAM_SILENT);
         PAM_FAIL_CHECK;
         retcode = pam_open_session(pamh, PAM_SILENT);
@@ -64,9 +64,9 @@
          /* PAM has now re-opened our log to auth.info ! */
         closelog();
 diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c
---- at-3.1.10/perm.c.pamfix	2008-01-09 14:56:57.000000000 +0100
-+++ at-3.1.10/perm.c	2008-01-09 15:58:54.000000000 +0100
-@@ -134,17 +134,34 @@ check_permission()
+--- at-3.1.10/perm.c.pamfix	2008-07-18 16:23:11.000000000 +0200
++++ at-3.1.10/perm.c	2008-07-18 16:26:16.000000000 +0200
+@@ -135,34 +135,61 @@ check_permission()
   *  We must check if the atd daemon userid will be allowed to gain the job owner user's
   *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
   */
@@ -83,7 +83,7 @@
  
  # define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
 -                              fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
--			      pam_close_session(pamh,PAM_SILENT); \
+-                 pam_close_session(pamh,PAM_SILENT); \
 -                              pam_end(pamh, retcode); \
 -                               setregid(gid,egid); \
 -                               setreuid(uid,euid); \
@@ -110,8 +110,9 @@
    retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
    PAM_FAIL_CHECK;
    retcode = pam_set_item(pamh, PAM_TTY, "atd");
-@@ -152,16 +169,25 @@ check_permission()
+   PAM_FAIL_CHECK;
    retcode = pam_acct_mgmt(pamh, PAM_SILENT);
++  PAM_SESSION_FAIL;
    PAM_FAIL_CHECK;
    retcode = pam_open_session(pamh, PAM_SILENT);
 +  PAM_SESSION_FAIL;
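Review bot: The regenerated perm.c hunk now adds `PAM_SESSION_FAIL;` after `pam_acct_mgmt()` as well as after `pam_open_session()`, which revision 1.1 of this patch did not do and which the log message ("fixes for fuzz=0") does not mention. The macro is defined outside the visible lines; if, as its name and its other use suggest, it closes the PAM session when `retcode` is not `PAM_SUCCESS`, then an account-check failure would call the close before any session has been opened. Unless that is intended, the added line should be dropped so the sequence stays `retcode = pam_acct_mgmt(pamh, PAM_SILENT);` followed directly by `PAM_FAIL_CHECK;`.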

at-3.1.8-perr.patch:

Index: at-3.1.8-perr.patch
===================================================================
RCS file: /cvs/pkgs/rpms/at/devel/at-3.1.8-perr.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- at-3.1.8-perr.patch	9 Sep 2004 03:15:31 -0000	1.1
+++ at-3.1.8-perr.patch	18 Jul 2008 14:34:48 -0000	1.2
@@ -1,12 +1,12 @@
---- at-3.1.8/atd.c.org	2002-07-19 16:20:24.000000000 +0900
-+++ at-3.1.8/atd.c	2002-07-19 16:22:30.000000000 +0900
-@@ -453,7 +453,8 @@
- #elif  defined(MAILX)
- 	    execl(MAILX, "mailx", mailname, (char *) NULL);
+diff -up at-3.1.10/atd.c.bla at-3.1.10/atd.c
+--- at-3.1.10/atd.c.bla	2008-07-18 15:18:35.000000000 +0200
++++ at-3.1.10/atd.c	2008-07-18 15:19:41.000000000 +0200
+@@ -643,7 +643,7 @@ run_file(const char *filename, uid_t uid
+ #if defined(SENDMAIL)
+ 	    execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
  #else
 -#error      "No mail command specified."
-+/*#error      "No mail command specified."*/
-+	perr("No mail command specified.");
++		perr("No mail command specified.");
  #endif
  	    perr("Exec failed for mail command");
  


Index: at.spec
===================================================================
RCS file: /cvs/pkgs/rpms/at/devel/at.spec,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -r1.66 -r1.67
--- at.spec	18 Jul 2008 12:55:00 -0000	1.66
+++ at.spec	18 Jul 2008 14:34:48 -0000	1.67
@@ -31,8 +31,7 @@
 Patch14: at-3.1.10-pam_keyring.patch
 Patch15: at-3.1.10-PIE.patch
 Patch16: at-3.1.10-pamfix.patch
-Patch17: at-3.1.10-setuids.patch 
-Patch18: nonposix.patch
+Patch17: nonposix.patch
 
 BuildRequires: fileutils chkconfig /etc/init.d
 BuildRequires: flex bison autoconf
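Review bot: `Patch17: at-3.1.10-setuids.patch` is removed here, and its `%patch17 -p1 -b .setuids` line in the next hunk, without the changelog or the log message saying why; the only entry added is "fixes for fuzz=0". The patch's contents are not shown, but its name suggests it touched set*uid handling, which is the kind of change a packager should be able to trace later. A changelog line such as `- drop at-3.1.10-setuids.patch (<reason: merged into another patch / no longer needed>)` would record whether its changes were folded elsewhere or deliberately abandoned.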
@@ -83,8 +82,7 @@
 %patch14 -p1 -b .pamkeyring
 %patch15 -p1 -b .PIE
 %patch16 -p1 -b .pamfix
-%patch17 -p1 -b .setuids
-%patch18 -p1 -b .nonposix
+%patch17 -p1 -b .nonposix
 
 %build
 # patch10 touches configure.in
@@ -189,6 +187,7 @@
 %changelog
 * Fri Jul 18 2008 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-24
 - 446004 hope adding || into scriptlets fix removing old package after upgrade
+- fixes for fuzz=0
 
 * Tue Mar 25 2008 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-23
 - 436952 use local instead of posix output date/time format.


--- at-3.1.10-setuids.patch DELETED ---



