rpms/at
6
0
Fork 0
Code Issues Pull Requests Releases Activity

PAM support rewritten to work with new defaults

Browse Source 
The problem with pam is visible with systemd, which change some default. Now is
after pam_close_session closed all jobs, which will terminate all at jobs.

rhbz#812682
This commit is contained in:
Marcela Mašláňová 2012-04-19 17:30:08 +02:00
parent 53ff479aaa
commit 363b8ce826
2 changed files with 57 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
at-3.1.13-pam.patch
View File

@ -1,6 +1,6 @@
diff -up at-3.1.13/at.c.pam at-3.1.13/at.c diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
--- at-3.1.13/at.c.pam 2011-07-29 13:51:50.234127938 +0200 --- at-3.1.13/at.c.pam 2012-04-19 16:50:57.491000001 +0200
+++ at-3.1.13/at.c 2011-07-29 13:51:50.245127883 +0200 +++ at-3.1.13/at.c 2012-04-19 16:50:57.505000001 +0200
@@ -141,18 +141,13 @@ sigc(int signo) @@ -141,18 +141,13 @@ sigc(int signo)
/* If the user presses ^C, remove the spool file and exit /* If the user presses ^C, remove the spool file and exit
*/ */
@ -52,7 +52,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
/* We've successfully created the file; let's set the flag so it /* We've successfully created the file; let's set the flag so it
* gets removed in case of an interrupt or error. * gets removed in case of an interrupt or error.
*/ */
@@ -661,7 +649,7 @@ process_jobs(int argc, char **argv, int @@ -661,7 +649,7 @@ process_jobs(int argc, char **argv, int
We need the unprivileged uid here since the file is owned by the real We need the unprivileged uid here since the file is owned by the real
(not effective) uid. (not effective) uid.
*/ */
@ -61,7 +61,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
if (queue == '=') { if (queue == '=') {
fprintf(stderr, "Warning: deleting running job\n"); fprintf(stderr, "Warning: deleting running job\n");
@@ -670,8 +658,8 @@ process_jobs(int argc, char **argv, int @@ -670,8 +658,8 @@ process_jobs(int argc, char **argv, int
perr("Cannot unlink %.500s", dirent->d_name); perr("Cannot unlink %.500s", dirent->d_name);
rc = EXIT_FAILURE; rc = EXIT_FAILURE;
} }
@ -71,7 +71,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
done = 1; done = 1;
break; break;
@@ -681,7 +669,7 @@ process_jobs(int argc, char **argv, int @@ -681,7 +669,7 @@ process_jobs(int argc, char **argv, int
FILE *fp; FILE *fp;
int ch; int ch;
@ -80,7 +80,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
fp = fopen(dirent->d_name, "r"); fp = fopen(dirent->d_name, "r");
if (fp) { if (fp) {
@@ -694,7 +682,7 @@ process_jobs(int argc, char **argv, int @@ -694,7 +682,7 @@ process_jobs(int argc, char **argv, int
perr("Cannot open %.500s", dirent->d_name); perr("Cannot open %.500s", dirent->d_name);
rc = EXIT_FAILURE; rc = EXIT_FAILURE;
} }
@ -90,8 +90,8 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
break; break;
diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
--- at-3.1.13/atd.c.pam 2011-07-29 13:51:50.240127908 +0200 --- at-3.1.13/atd.c.pam 2012-04-19 16:50:57.498000001 +0200
+++ at-3.1.13/atd.c 2011-07-29 13:54:35.805384873 +0200 +++ at-3.1.13/atd.c 2012-04-19 16:52:37.209000138 +0200
@@ -111,7 +111,7 @@ static int run_as_daemon = 0; @@ -111,7 +111,7 @@ static int run_as_daemon = 0;
static volatile sig_atomic_t term_signal = 0; static volatile sig_atomic_t term_signal = 0;
@ -127,7 +127,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
int retcode; int retcode;
#endif #endif
@@ -395,17 +387,10 @@ run_file(const char *filename, uid_t uid @@ -395,17 +387,11 @@ run_file(const char *filename, uid_t uid
fstat(fd_out, &buf); fstat(fd_out, &buf);
size = buf.st_size; size = buf.st_size;
@ -143,13 +143,14 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
- PAM_FAIL_CHECK; - PAM_FAIL_CHECK;
- PRIV_END - PRIV_END
+#ifdef WITH_PAM +#ifdef WITH_PAM
+ PAM_HANDLING; + AT_START_PAM;
+ AT_OPEN_PAM_SESSION;
+ closelog(); + closelog();
+ openlog("atd", LOG_PID, LOG_ATD); + openlog("atd", LOG_PID, LOG_ATD);
#endif #endif
close(STDIN_FILENO); close(STDIN_FILENO);
@@ -419,7 +404,14 @@ run_file(const char *filename, uid_t uid @@ -419,7 +405,14 @@ run_file(const char *filename, uid_t uid
else if (pid == 0) { else if (pid == 0) {
char *nul = NULL; char *nul = NULL;
char **nenvp = &nul; char **nenvp = &nul;
@ -164,7 +165,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
/* Set up things for the child; we want standard input from the /* Set up things for the child; we want standard input from the
* input file, and standard output and error sent to our output file. * input file, and standard output and error sent to our output file.
*/ */
@@ -438,8 +430,6 @@ run_file(const char *filename, uid_t uid @@ -438,8 +431,6 @@ run_file(const char *filename, uid_t uid
close(fd_in); close(fd_in);
close(fd_out); close(fd_out);
@ -173,7 +174,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
nice((tolower((int) queue) - 'a' + 1) * 2); nice((tolower((int) queue) - 'a' + 1) * 2);
if (initgroups(pentry->pw_name, pentry->pw_gid)) if (initgroups(pentry->pw_name, pentry->pw_gid))
@@ -458,7 +448,16 @@ run_file(const char *filename, uid_t uid @@ -458,7 +449,16 @@ run_file(const char *filename, uid_t uid
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
perr("Exec failed for /bin/sh"); perr("Exec failed for /bin/sh");
@ -191,7 +192,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
PRIV_END PRIV_END
} }
/* We're the parent. Let's wait. /* We're the parent. Let's wait.
@@ -471,14 +470,6 @@ run_file(const char *filename, uid_t uid @@ -471,14 +471,6 @@ run_file(const char *filename, uid_t uid
*/ */
waitpid(pid, (int *) NULL, 0); waitpid(pid, (int *) NULL, 0);
@ -206,7 +207,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
/* Send mail. Unlink the output file after opening it, so it /* Send mail. Unlink the output file after opening it, so it
* doesn't hang around after the run. * doesn't hang around after the run.
*/ */
@@ -509,8 +500,19 @@ run_file(const char *filename, uid_t uid @@ -509,8 +501,20 @@ run_file(const char *filename, uid_t uid
unlink(newname); unlink(newname);
free(newname); free(newname);
@ -214,7 +215,8 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) { if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
+ int mail_pid = -1; + int mail_pid = -1;
+#ifdef WITH_PAM +#ifdef WITH_PAM
+ PAM_HANDLING; + AT_START_PAM;
+ AT_OPEN_PAM_SESSION;
+ closelog(); + closelog();
+ openlog("atd", LOG_PID, LOG_ATD); + openlog("atd", LOG_PID, LOG_ATD);
+#endif +#endif
@ -226,7 +228,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
PRIV_START PRIV_START
if (initgroups(pentry->pw_name, pentry->pw_gid)) if (initgroups(pentry->pw_name, pentry->pw_gid))
@@ -535,7 +537,23 @@ run_file(const char *filename, uid_t uid @@ -535,7 +539,21 @@ run_file(const char *filename, uid_t uid
perr("Exec failed for mail command"); perr("Exec failed for mail command");
PRIV_END PRIV_END
@ -239,9 +241,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
+ waitpid(mail_pid, (int *) NULL, 0); + waitpid(mail_pid, (int *) NULL, 0);
+ } + }
+#ifdef WITH_PAM +#ifdef WITH_PAM
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); + AT_CLOSE_PAM;
+ pam_close_session(pamh, PAM_SILENT);
+ pam_end(pamh, PAM_ABORT);
+ closelog(); + closelog();
+ openlog("atd", LOG_PID, LOG_ATD); + openlog("atd", LOG_PID, LOG_ATD);
+#endif +#endif
@ -252,7 +252,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in
--- at-3.1.13/config.h.in.pam 2011-06-25 14:43:14.000000000 +0200 --- at-3.1.13/config.h.in.pam 2011-06-25 14:43:14.000000000 +0200
+++ at-3.1.13/config.h.in 2011-07-29 13:51:50.246127878 +0200 +++ at-3.1.13/config.h.in 2012-04-19 16:50:57.506000001 +0200
@@ -68,8 +68,8 @@ @@ -68,8 +68,8 @@
/* Define to 1 if you have the <nlist.h> header file. */ /* Define to 1 if you have the <nlist.h> header file. */
#undef HAVE_NLIST_H #undef HAVE_NLIST_H
@ -266,7 +266,7 @@ diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in
#undef HAVE_PSTAT_GETDYNAMIC #undef HAVE_PSTAT_GETDYNAMIC
diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac
--- at-3.1.13/configure.ac.pam 2011-06-25 14:43:14.000000000 +0200 --- at-3.1.13/configure.ac.pam 2011-06-25 14:43:14.000000000 +0200
+++ at-3.1.13/configure.ac 2011-07-29 13:51:50.247127873 +0200 +++ at-3.1.13/configure.ac 2012-04-19 16:50:57.506000001 +0200
@@ -84,7 +84,7 @@ AC_FUNC_GETLOADAVG @@ -84,7 +84,7 @@ AC_FUNC_GETLOADAVG
AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid) AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid)
AC_CHECK_HEADERS(security/pam_appl.h, [ AC_CHECK_HEADERS(security/pam_appl.h, [
@ -292,7 +292,7 @@ diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac
[ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ], [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ],
diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c
--- at-3.1.13/perm.c.pam 2011-06-25 14:43:14.000000000 +0200 --- at-3.1.13/perm.c.pam 2011-06-25 14:43:14.000000000 +0200
+++ at-3.1.13/perm.c 2011-07-29 13:51:50.248127868 +0200 +++ at-3.1.13/perm.c 2012-04-19 16:53:09.192001742 +0200
@@ -51,6 +51,14 @@ @@ -51,6 +51,14 @@
#define PRIV_END while(0) #define PRIV_END while(0)
#endif #endif
@ -308,7 +308,7 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c
/* Structures and unions */ /* Structures and unions */
@@ -108,18 +116,51 @@ user_in_file(const char *path, const cha @@ -108,18 +116,45 @@ user_in_file(const char *path, const cha
int int
check_permission() check_permission()
{ {
@ -342,14 +342,8 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c
+ exit(1); + exit(1);
+ } + }
+ +
+ pam_close_session(pamh,PAM_SILENT); + AT_START_PAM;
+ + AT_CLOSE_PAM;
+ PAM_HANDLING;
+
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+ pam_close_session(pamh,PAM_SILENT);
+ pam_end(pamh, PAM_ABORT);
+
+ if (setregid(gid,egid) != 0) { + if (setregid(gid,egid) != 0) {
+ fprintf(stderr, "cannot set egid: %s", strerror(errno)); + fprintf(stderr, "cannot set egid: %s", strerror(errno));
+ exit(1); + exit(1);
@ -365,8 +359,8 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c
return allow; return allow;
diff -up at-3.1.13/privs.h.pam at-3.1.13/privs.h diff -up at-3.1.13/privs.h.pam at-3.1.13/privs.h
--- at-3.1.13/privs.h.pam 2011-06-25 14:43:14.000000000 +0200 --- at-3.1.13/privs.h.pam 2011-06-25 14:43:14.000000000 +0200
+++ at-3.1.13/privs.h 2011-07-29 13:51:50.248127868 +0200 +++ at-3.1.13/privs.h 2012-04-19 16:53:46.296016675 +0200
@@ -144,3 +144,61 @@ extern gid_t real_gid, effective_gid, da @@ -144,3 +144,63 @@ extern gid_t real_gid, effective_gid, da
#error "Cannot implement user ID swapping without setreuid or setresuid" #error "Cannot implement user ID swapping without setreuid or setresuid"
#endif #endif
#endif #endif
@ -400,31 +394,33 @@ diff -up at-3.1.13/privs.h.pam at-3.1.13/privs.h
+ } \ + } \
+ } while (0) \ + } while (0) \
+ +
+/* PAM - check after every operation whether they passed */ +static int pam_session_opened = 0; //global for open session
+#define PAM_HANDLING \
+ do { pamh = NULL; \
+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); \
+ PAM_FAIL_CHECK; \
+ retcode = pam_set_item(pamh, PAM_TTY, "atd"); \
+ PAM_FAIL_CHECK; \
+ retcode = pam_acct_mgmt(pamh, PAM_SILENT); \
+ PAM_FAIL_CHECK; \
+ retcode = pam_open_session(pamh, PAM_SILENT); \
+ PAM_FAIL_CHECK; \
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); \
+ PAM_SESSION_FAIL; \
+ PAM_FAIL_CHECK; \
+ } while (0)
+ +
+/* OLD FAIL_CHECK ONLY FOR perm.c +#define AT_START_PAM { \
+ * define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ + retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); \
+ * fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \ + PAM_FAIL_CHECK; \
+ * syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ + retcode = pam_set_item(pamh, PAM_TTY, "atd"); \
+ * if (pamh) \ + PAM_FAIL_CHECK; \
+ * pam_end(pamh, retcode); \ + retcode = pam_acct_mgmt(pamh, PAM_SILENT); \
+ * exit(1); \ + PAM_FAIL_CHECK; \
+ * } +}
+ */ +
+#define AT_OPEN_PAM_SESSION { \
+ retcode = pam_open_session(pamh, PAM_SILENT); \
+ PAM_FAIL_CHECK; \
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); \
+ PAM_FAIL_CHECK; \
+ if (retcode == PAM_SUCCESS) \
+ pam_session_opened = 1; \
+}
+
+#define AT_CLOSE_PAM { \
+ if (pam_session_opened != 0) { \
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); \
+ pam_close_session(pamh, PAM_SILENT); \
+ } \
+ pam_end(pamh, PAM_SUCCESS); \
+}
+ +
+#endif +#endif
+ +

5
at.spec
View File

@ -3,7 +3,7 @@
Summary: Job spooling tools Summary: Job spooling tools
Name: at Name: at
Version: 3.1.13 Version: 3.1.13
Release: 7%{dist} Release: 8%{dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://ftp.debian.org/debian/pool/main/a/at URL: http://ftp.debian.org/debian/pool/main/a/at
@ -189,13 +189,14 @@ fi
%attr(0755,root,root) %{_initrddir}/atd %attr(0755,root,root) %{_initrddir}/atd
%changelog %changelog
* Tue Apr 17 2012 Marcela Mašláňová <mmaslano@redhat.com> - 3.1.13-7 * Tue Apr 17 2012 Marcela Mašláňová <mmaslano@redhat.com> - 3.1.13-8
- at-3.1.13-mailwithhostname.patch in email mention also hostname address - at-3.1.13-mailwithhostname.patch in email mention also hostname address
- at-3.1.13-usePOSIXtimers.patch use POSIX timers, so we won't need - at-3.1.13-usePOSIXtimers.patch use POSIX timers, so we won't need
pm-utils hack anymore pm-utils hack anymore
- at-3.1.13-help.patch update usage - at-3.1.13-help.patch update usage
- systemd-user-sessions.service is used in unit file, so the atd should be - systemd-user-sessions.service is used in unit file, so the atd should be
started after almost all services are up and running started after almost all services are up and running
- 812682 pam support work with new systemd defaults
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1.13-7 * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1.13-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild