at/at-3.1.10-pamfix.patch

diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c
--- at-3.1.10/atd.c.pamfix	2008-07-18 16:23:11.000000000 +0200
+++ at-3.1.10/atd.c	2008-07-18 16:23:11.000000000 +0200
@@ -131,15 +131,17 @@ static const struct pam_conv conv = {
 };
 
 #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
-	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+	fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \
 	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
-	pam_close_session(pamh, PAM_SILENT); \
-	pam_end(pamh, retcode); exit(1); \
+    if (pamh) \
+        pam_end(pamh, retcode); \
+    exit(1); \
     }
-#define PAM_END { retcode = pam_close_session(pamh,0); \
-		pam_end(pamh,retcode); }
 
-#endif /* WITH_PAM */
+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+    pam_close_session(pamh, PAM_SILENT);
+
+#endif /* end WITH_PAM */
 
 /* Signal handlers */
 RETSIGTYPE 
@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid
 
 //add for fedora, removed HAVE_PAM
 #ifdef  WITH_PAM
+    pamh = NULL;
     retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
     PAM_FAIL_CHECK;
     retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid
     retcode = pam_acct_mgmt(pamh, PAM_SILENT);
     PAM_FAIL_CHECK;
     retcode = pam_open_session(pamh, PAM_SILENT);
+    PAM_SESSION_FAIL;
     PAM_FAIL_CHECK;
     retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+    PAM_SESSION_FAIL;
     PAM_FAIL_CHECK;
     closelog();
     openlog("atd", LOG_PID, LOG_ATD);
@@ -612,6 +617,7 @@ run_file(const char *filename, uid_t uid
    int mail_pid = -1;
 //add for fedora
 #ifdef  WITH_PAM
+       pamh = NULL;
        retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
        PAM_FAIL_CHECK;
        retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -619,8 +625,10 @@ run_file(const char *filename, uid_t uid
        retcode = pam_acct_mgmt(pamh, PAM_SILENT);
        PAM_FAIL_CHECK;
        retcode = pam_open_session(pamh, PAM_SILENT);
+       PAM_SESSION_FAIL;
        PAM_FAIL_CHECK;
        retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+       PAM_SESSION_FAIL;
        PAM_FAIL_CHECK;
         /* PAM has now re-opened our log to auth.info ! */
        closelog();
diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c
--- at-3.1.10/perm.c.pamfix	2008-07-18 16:23:11.000000000 +0200
+++ at-3.1.10/perm.c	2008-07-18 16:26:16.000000000 +0200
@@ -135,34 +135,61 @@ check_permission()
  *  We must check if the atd daemon userid will be allowed to gain the job owner user's
  *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
  */
-  setreuid(daemon_uid, daemon_uid);
-  setregid(daemon_gid, daemon_gid);
+  if (setreuid(daemon_uid, daemon_uid) != 0) {
+      fprintf(stderr, "cannot set egid: %s", strerror(errno));
+      exit(1);
+  }
+  if (setregid(daemon_gid, daemon_gid) != 0) {
+      fprintf(stderr, "cannot set euid: %s", strerror(errno));
+      exit(1);
+  }
 
 # define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
-                              fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
-                 pam_close_session(pamh,PAM_SILENT); \
-                              pam_end(pamh, retcode); \
-                               setregid(gid,egid); \
-                               setreuid(uid,euid); \
-                               return(0); \
-                           }
+     fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
+     if (pamh) \
+         pam_end(pamh, retcode); \
+     if (setregid(gid,egid) != 0) { \
+         fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     if (setreuid(uid,euid) != 0) { \
+         fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     return(0); \
+     }
+
+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+      pam_close_session(pamh,PAM_SILENT);
+
+  pamh = NULL;
   retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
   PAM_FAIL_CHECK;
   retcode = pam_set_item(pamh, PAM_TTY, "atd");
   PAM_FAIL_CHECK;
   retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+  PAM_SESSION_FAIL;
   PAM_FAIL_CHECK;
   retcode = pam_open_session(pamh, PAM_SILENT);
+  PAM_SESSION_FAIL;
   PAM_FAIL_CHECK;
   retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+  PAM_SESSION_FAIL;
   PAM_FAIL_CHECK;
 
   pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
   pam_close_session(pamh,PAM_SILENT);
   pam_end(pamh, PAM_ABORT);
 
-  setregid(gid,egid);
-  setreuid(uid,euid);
+  if (setregid(gid,egid) != 0) {
+     fprintf(stderr, "cannot set egid: %s", strerror(errno));
+     exit(1);
+  }
+  if (setreuid(uid,euid) != 0) {
+     fprintf(stderr, "cannot set euid: %s", strerror(errno));
+     exit(1);
+  }
+
 
 #endif
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c`
- 446004 hope adding \|\| into scriptlets fix removing old package after upgrade - fixes for fuzz=0 2008-07-18 14:34:48 +00:00			`--- at-3.1.10/atd.c.pamfix 2008-07-18 16:23:11.000000000 +0200`
			`+++ at-3.1.10/atd.c 2008-07-18 16:23:11.000000000 +0200`
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`@@ -131,15 +131,17 @@ static const struct pam_conv conv = {`
			`};`

			`#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \`
			`- fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \`
			`+ fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \`
			`syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \`
			`- pam_close_session(pamh, PAM_SILENT); \`
			`- pam_end(pamh, retcode); exit(1); \`
			`+ if (pamh) \`
			`+ pam_end(pamh, retcode); \`
			`+ exit(1); \`
			`}`
			`-#define PAM_END { retcode = pam_close_session(pamh,0); \`
			`- pam_end(pamh,retcode); }`

			`-#endif /* WITH_PAM */`
			`+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \`
			`+ pam_close_session(pamh, PAM_SILENT);`
			`+`
			`+#endif /* end WITH_PAM */`

			`/* Signal handlers */`
			`RETSIGTYPE`
			`@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid`

			`//add for fedora, removed HAVE_PAM`
			`#ifdef WITH_PAM`
			`+ pamh = NULL;`
			`retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);`
			`PAM_FAIL_CHECK;`
			`retcode = pam_set_item(pamh, PAM_TTY, "atd");`
			`@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid`
			`retcode = pam_acct_mgmt(pamh, PAM_SILENT);`
			`PAM_FAIL_CHECK;`
			`retcode = pam_open_session(pamh, PAM_SILENT);`
			`+ PAM_SESSION_FAIL;`
			`PAM_FAIL_CHECK;`
			`retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED \| PAM_SILENT);`
			`+ PAM_SESSION_FAIL;`
			`PAM_FAIL_CHECK;`
			`closelog();`
			`openlog("atd", LOG_PID, LOG_ATD);`
- 446004 hope adding \|\| into scriptlets fix removing old package after upgrade - fixes for fuzz=0 2008-07-18 14:34:48 +00:00			`@@ -612,6 +617,7 @@ run_file(const char *filename, uid_t uid`
			`int mail_pid = -1;`
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`//add for fedora`
			`#ifdef WITH_PAM`
			`+ pamh = NULL;`
			`retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);`
			`PAM_FAIL_CHECK;`
			`retcode = pam_set_item(pamh, PAM_TTY, "atd");`
- 446004 hope adding \|\| into scriptlets fix removing old package after upgrade - fixes for fuzz=0 2008-07-18 14:34:48 +00:00			`@@ -619,8 +625,10 @@ run_file(const char *filename, uid_t uid`
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`retcode = pam_acct_mgmt(pamh, PAM_SILENT);`
			`PAM_FAIL_CHECK;`
			`retcode = pam_open_session(pamh, PAM_SILENT);`
			`+ PAM_SESSION_FAIL;`
			`PAM_FAIL_CHECK;`
			`retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED \| PAM_SILENT);`
			`+ PAM_SESSION_FAIL;`
			`PAM_FAIL_CHECK;`
			`/* PAM has now re-opened our log to auth.info ! */`
			`closelog();`
			`diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c`
- 446004 hope adding \|\| into scriptlets fix removing old package after upgrade - fixes for fuzz=0 2008-07-18 14:34:48 +00:00			`--- at-3.1.10/perm.c.pamfix 2008-07-18 16:23:11.000000000 +0200`
			`+++ at-3.1.10/perm.c 2008-07-18 16:26:16.000000000 +0200`
			`@@ -135,34 +135,61 @@ check_permission()`
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`* We must check if the atd daemon userid will be allowed to gain the job owner user's`
			`* credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.`
			`*/`
			`- setreuid(daemon_uid, daemon_uid);`
			`- setregid(daemon_gid, daemon_gid);`
			`+ if (setreuid(daemon_uid, daemon_uid) != 0) {`
			`+ fprintf(stderr, "cannot set egid: %s", strerror(errno));`
			`+ exit(1);`
			`+ }`
			`+ if (setregid(daemon_gid, daemon_gid) != 0) {`
			`+ fprintf(stderr, "cannot set euid: %s", strerror(errno));`
			`+ exit(1);`
			`+ }`

			`# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \`
			`- fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \`
- 446004 hope adding \|\| into scriptlets fix removing old package after upgrade - fixes for fuzz=0 2008-07-18 14:34:48 +00:00			`- pam_close_session(pamh,PAM_SILENT); \`
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`- pam_end(pamh, retcode); \`
			`- setregid(gid,egid); \`
			`- setreuid(uid,euid); \`
			`- return(0); \`
			`- }`
			`+ fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \`
			`+ if (pamh) \`
			`+ pam_end(pamh, retcode); \`
			`+ if (setregid(gid,egid) != 0) { \`
			`+ fprintf(stderr, "cannot set egid: %s", strerror(errno)); \`
			`+ exit(1); \`
			`+ } \`
			`+ if (setreuid(uid,euid) != 0) { \`
			`+ fprintf(stderr, "cannot set euid: %s", strerror(errno)); \`
			`+ exit(1); \`
			`+ } \`
			`+ return(0); \`
			`+ }`
			`+`
			`+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \`
			`+ pam_close_session(pamh,PAM_SILENT);`
			`+`
			`+ pamh = NULL;`
			`retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);`
			`PAM_FAIL_CHECK;`
			`retcode = pam_set_item(pamh, PAM_TTY, "atd");`
- 446004 hope adding \|\| into scriptlets fix removing old package after upgrade - fixes for fuzz=0 2008-07-18 14:34:48 +00:00			`PAM_FAIL_CHECK;`
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`retcode = pam_acct_mgmt(pamh, PAM_SILENT);`
- 446004 hope adding \|\| into scriptlets fix removing old package after upgrade - fixes for fuzz=0 2008-07-18 14:34:48 +00:00			`+ PAM_SESSION_FAIL;`
- used PIE instead of pie (with pie wasn't build on 64b successful) - rewrite PAM fail check - fix checking of settings setuid(s) 2008-01-14 09:08:45 +00:00			`PAM_FAIL_CHECK;`
			`retcode = pam_open_session(pamh, PAM_SILENT);`
			`+ PAM_SESSION_FAIL;`
			`PAM_FAIL_CHECK;`
			`retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED \| PAM_SILENT);`
			`+ PAM_SESSION_FAIL;`
			`PAM_FAIL_CHECK;`

			`pam_setcred(pamh, PAM_DELETE_CRED \| PAM_SILENT );`
			`pam_close_session(pamh,PAM_SILENT);`
			`pam_end(pamh, PAM_ABORT);`

			`- setregid(gid,egid);`
			`- setreuid(uid,euid);`
			`+ if (setregid(gid,egid) != 0) {`
			`+ fprintf(stderr, "cannot set egid: %s", strerror(errno));`
			`+ exit(1);`
			`+ }`
			`+ if (setreuid(uid,euid) != 0) {`
			`+ fprintf(stderr, "cannot set euid: %s", strerror(errno));`
			`+ exit(1);`
			`+ }`
			`+`

			`#endif`