- used PIE instead of pie (with pie wasn't build on 64b successful)

- rewrite PAM fail check - fix checking of settings setuid(s)
2008-01-14 09:08:45 +00:00 · 2008-01-14 09:08:45 +00:00 · 8631931ced
commit 8631931ced
parent 0dbb2afee2
4 changed files with 180 additions and 1 deletions
--- a/at-3.1.10-PIE.patch
+++ b/at-3.1.10-PIE.patch
@ -0,0 +1,28 @@
+diff -up at-3.1.10/Makefile.in.PIE at-3.1.10/Makefile.in
+--- at-3.1.10/Makefile.in.PIE	2008-01-08 09:53:24.000000000 +0100
+++ at-3.1.10/Makefile.in	2008-01-08 09:53:53.000000000 +0100
+@@ -68,13 +68,13 @@ LIST = Filelist Filelist.asc
+ all: at atd atrun
+ 
+ at: $(ATOBJECTS)
+-	$(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
+	$(CC) $(CFLAGS) -o at -PIE $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
+ 	rm -f $(CLONES)
+ 	$(LN_S) -f at atq
+ 	$(LN_S) -f at atrm
+ 
+ atd: $(RUNOBJECTS)
+-	$(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
+	$(CC) $(CFLAGS) -o atd -PIE $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
+ 
+ y.tab.c y.tab.h: parsetime.y
+ 	$(YACC) -d parsetime.y
+@@ -86,7 +86,7 @@ atrun: atrun.in
+ 	configure
+ 
+ .c.o:
+-	$(CC) -c $(CFLAGS) -fpie $(DEFS) $*.c
+	$(CC) -c $(CFLAGS) -fPIE $(DEFS) $*.c
+ 
+ install: all
+ 	$(INSTALL) -m 755 -d $(IROOT)$(etcdir)
--- a/at-3.1.10-pamfix.patch
+++ b/at-3.1.10-pamfix.patch
@ -0,0 +1,140 @@
+diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c
+--- at-3.1.10/atd.c.pamfix	2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/atd.c	2008-01-09 14:56:57.000000000 +0100
+@@ -131,15 +131,17 @@ static const struct pam_conv conv = {
+ };
+ 
+ #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+-	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+	fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \
+ 	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+-	pam_close_session(pamh, PAM_SILENT); \
+-	pam_end(pamh, retcode); exit(1); \
+    if (pamh) \
+        pam_end(pamh, retcode); \
+    exit(1); \
+     }
+-#define PAM_END { retcode = pam_close_session(pamh,0); \
+-		pam_end(pamh,retcode); }
+ 
+-#endif /* WITH_PAM */
+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+    pam_close_session(pamh, PAM_SILENT);
+
+#endif /* end WITH_PAM */
+ 
+ /* Signal handlers */
+ RETSIGTYPE 
+@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid
+ 
+ //add for fedora, removed HAVE_PAM
+ #ifdef  WITH_PAM
+    pamh = NULL;
+     retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+     PAM_FAIL_CHECK;
+     retcode = pam_set_item(pamh, PAM_TTY, "atd");
+@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid
+     retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+     PAM_FAIL_CHECK;
+     retcode = pam_open_session(pamh, PAM_SILENT);
+    PAM_SESSION_FAIL;
+     PAM_FAIL_CHECK;
+     retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+    PAM_SESSION_FAIL;
+     PAM_FAIL_CHECK;
+     closelog();
+     openlog("atd", LOG_PID, LOG_ATD);
+@@ -610,6 +615,7 @@ run_file(const char *filename, uid_t uid
+ 	int mail_pid = -1;
+ //add for fedora
+ #ifdef  WITH_PAM
+       pamh = NULL;
+        retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+        PAM_FAIL_CHECK;
+        retcode = pam_set_item(pamh, PAM_TTY, "atd");
+@@ -617,8 +623,10 @@ run_file(const char *filename, uid_t uid
+        retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+        PAM_FAIL_CHECK;
+        retcode = pam_open_session(pamh, PAM_SILENT);
+       PAM_SESSION_FAIL;
+        PAM_FAIL_CHECK;
+        retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+       PAM_SESSION_FAIL;
+        PAM_FAIL_CHECK;
+         /* PAM has now re-opened our log to auth.info ! */
+        closelog();
+diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c
+--- at-3.1.10/perm.c.pamfix	2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/perm.c	2008-01-09 15:58:54.000000000 +0100
+@@ -134,17 +134,34 @@ check_permission()
+  *  We must check if the atd daemon userid will be allowed to gain the job owner user's
+  *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
+  */
+-  setreuid(daemon_uid, daemon_uid);
+-  setregid(daemon_gid, daemon_gid);
+  if (setreuid(daemon_uid, daemon_uid) != 0) {
+      fprintf(stderr, "cannot set egid: %s", strerror(errno));
+      exit(1);
+  }
+  if (setregid(daemon_gid, daemon_gid) != 0) {
+      fprintf(stderr, "cannot set euid: %s", strerror(errno));
+      exit(1);
+  }
+ 
+ # define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+-                              fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
+-			      pam_close_session(pamh,PAM_SILENT); \
+-                              pam_end(pamh, retcode); \
+-                               setregid(gid,egid); \
+-                               setreuid(uid,euid); \
+-                               return(0); \
+-                           }
+     fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
+     if (pamh) \
+         pam_end(pamh, retcode); \
+     if (setregid(gid,egid) != 0) { \
+         fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     if (setreuid(uid,euid) != 0) { \
+         fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     return(0); \
+     }
+
+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+      pam_close_session(pamh,PAM_SILENT);
+
+  pamh = NULL;
+   retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+   PAM_FAIL_CHECK;
+   retcode = pam_set_item(pamh, PAM_TTY, "atd");
+@@ -152,16 +169,25 @@ check_permission()
+   retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+   PAM_FAIL_CHECK;
+   retcode = pam_open_session(pamh, PAM_SILENT);
+  PAM_SESSION_FAIL;
+   PAM_FAIL_CHECK;
+   retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+  PAM_SESSION_FAIL;
+   PAM_FAIL_CHECK;
+ 
+   pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+   pam_close_session(pamh,PAM_SILENT);
+   pam_end(pamh, PAM_ABORT);
+ 
+-  setregid(gid,egid);
+-  setreuid(uid,euid);
+  if (setregid(gid,egid) != 0) {
+     fprintf(stderr, "cannot set egid: %s", strerror(errno));
+     exit(1);
+  }
+  if (setreuid(uid,euid) != 0) {
+     fprintf(stderr, "cannot set euid: %s", strerror(errno));
+     exit(1);
+  }
+
+ 
+ #endif
+ 
--- a/at-3.1.10-setuids.patch
+++ b/at-3.1.10-setuids.patch
--- a/at.spec
+++ b/at.spec
@ -6,7 +6,7 @@
 Summary: Job spooling tools
 Name: at
 Version: 3.1.10
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://ftp.debian.org/debian/pool/main/a/at
@ -29,6 +29,9 @@ Patch11: at-3.1.10-opt_V.patch
 Patch12: at-3.1.10-session.patch
 Patch13: at-3.1.10-havepam.patch
 Patch14: at-3.1.10-pam_keyring.patch
+Patch15: at-3.1.10-PIE.patch
+Patch16: at-3.1.10-pamfix.patch
+Patch17: at-3.1.10-setuids.patch 

 BuildRequires: fileutils chkconfig /etc/init.d
 BuildRequires: flex bison autoconf
@ -77,6 +80,9 @@ cp %{SOURCE1} .
 %patch12 -p1 -b .session
 %patch13 -p1 -b .havepam
 %patch14 -p1 -b .pamkeyring
+%patch15 -p1 -b .PIE
+%patch16 -p1 -b .pamfix
+%patch17 -p1 -b .setuids

 %build
 # patch10 touches configure.in
@ -179,6 +185,11 @@ fi
 %attr(4755,root,root)	%{_bindir}/at

 %changelog
+* Tue Jan  8 2008 Marcela Maslanova <mmaslano@redhat.com> - 3.1.10-20
+- used PIE instead of pie (with pie wasn't build on 64b successful)
+- rewrite PAM fail check
+- fix checking of settings setuid(s)
+
 * Mon Dec  3 2007 Marcela Maslanova <mmaslano@redhat.com> - 3.1.10-19
 - another problem with permission