rpms/at
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- used PIE instead of pie (with pie wasn't build on 64b successful)

Browse Source 
- rewrite PAM fail check
- fix checking of settings setuid(s)
This commit is contained in:
Marcela Mašláňová 2008-01-14 09:08:45 +00:00
parent 0dbb2afee2
commit 8631931ced
4 changed files with 180 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
at-3.1.10-PIE.patch Normal file
View File

@ -0,0 +1,28 @@
diff -up at-3.1.10/Makefile.in.PIE at-3.1.10/Makefile.in
--- at-3.1.10/Makefile.in.PIE 2008-01-08 09:53:24.000000000 +0100
+++ at-3.1.10/Makefile.in 2008-01-08 09:53:53.000000000 +0100
@@ -68,13 +68,13 @@ LIST = Filelist Filelist.asc
all: at atd atrun
at: $(ATOBJECTS)
- $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
+ $(CC) $(CFLAGS) -o at -PIE $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
rm -f $(CLONES)
$(LN_S) -f at atq
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
+ $(CC) $(CFLAGS) -o atd -PIE $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
@@ -86,7 +86,7 @@ atrun: atrun.in
configure
.c.o:
- $(CC) -c $(CFLAGS) -fpie $(DEFS) $*.c
+ $(CC) -c $(CFLAGS) -fPIE $(DEFS) $*.c
install: all
$(INSTALL) -m 755 -d $(IROOT)$(etcdir)

140
at-3.1.10-pamfix.patch Normal file
View File

@ -0,0 +1,140 @@
diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c
--- at-3.1.10/atd.c.pamfix 2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/atd.c 2008-01-09 14:56:57.000000000 +0100
@@ -131,15 +131,17 @@ static const struct pam_conv conv = {
};
#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
- fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+ fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \
syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
- pam_close_session(pamh, PAM_SILENT); \
- pam_end(pamh, retcode); exit(1); \
+ if (pamh) \
+ pam_end(pamh, retcode); \
+ exit(1); \
}
-#define PAM_END { retcode = pam_close_session(pamh,0); \
- pam_end(pamh,retcode); }
-#endif /* WITH_PAM */
+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+ pam_close_session(pamh, PAM_SILENT);
+
+#endif /* end WITH_PAM */
/* Signal handlers */
RETSIGTYPE
@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid
//add for fedora, removed HAVE_PAM
#ifdef WITH_PAM
+ pamh = NULL;
retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
PAM_FAIL_CHECK;
retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
closelog();
openlog("atd", LOG_PID, LOG_ATD);
@@ -610,6 +615,7 @@ run_file(const char *filename, uid_t uid
int mail_pid = -1;
//add for fedora
#ifdef WITH_PAM
+ pamh = NULL;
retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
PAM_FAIL_CHECK;
retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -617,8 +623,10 @@ run_file(const char *filename, uid_t uid
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
/* PAM has now re-opened our log to auth.info ! */
closelog();
diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c
--- at-3.1.10/perm.c.pamfix 2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/perm.c 2008-01-09 15:58:54.000000000 +0100
@@ -134,17 +134,34 @@ check_permission()
* We must check if the atd daemon userid will be allowed to gain the job owner user's
* credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
*/
- setreuid(daemon_uid, daemon_uid);
- setregid(daemon_gid, daemon_gid);
+ if (setreuid(daemon_uid, daemon_uid) != 0) {
+ fprintf(stderr, "cannot set egid: %s", strerror(errno));
+ exit(1);
+ }
+ if (setregid(daemon_gid, daemon_gid) != 0) {
+ fprintf(stderr, "cannot set euid: %s", strerror(errno));
+ exit(1);
+ }
# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
- fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
- pam_close_session(pamh,PAM_SILENT); \
- pam_end(pamh, retcode); \
- setregid(gid,egid); \
- setreuid(uid,euid); \
- return(0); \
- }
+ fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
+ if (pamh) \
+ pam_end(pamh, retcode); \
+ if (setregid(gid,egid) != 0) { \
+ fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
+ exit(1); \
+ } \
+ if (setreuid(uid,euid) != 0) { \
+ fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
+ exit(1); \
+ } \
+ return(0); \
+ }
+
+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+ pam_close_session(pamh,PAM_SILENT);
+
+ pamh = NULL;
retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
PAM_FAIL_CHECK;
retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -152,16 +169,25 @@ check_permission()
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
pam_close_session(pamh,PAM_SILENT);
pam_end(pamh, PAM_ABORT);
- setregid(gid,egid);
- setreuid(uid,euid);
+ if (setregid(gid,egid) != 0) {
+ fprintf(stderr, "cannot set egid: %s", strerror(errno));
+ exit(1);
+ }
+ if (setreuid(uid,euid) != 0) {
+ fprintf(stderr, "cannot set euid: %s", strerror(errno));
+ exit(1);
+ }
+
#endif

0
at-3.1.10-setuids.patch Normal file
View File

13
at.spec
View File

@ -6,7 +6,7 @@
Summary: Job spooling tools Summary: Job spooling tools
Name: at Name: at
Version: 3.1.10 Version: 3.1.10
Release: 19%{?dist} Release: 20%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://ftp.debian.org/debian/pool/main/a/at URL: http://ftp.debian.org/debian/pool/main/a/at
@ -29,6 +29,9 @@ Patch11: at-3.1.10-opt_V.patch
Patch12: at-3.1.10-session.patch Patch12: at-3.1.10-session.patch
Patch13: at-3.1.10-havepam.patch Patch13: at-3.1.10-havepam.patch
Patch14: at-3.1.10-pam_keyring.patch Patch14: at-3.1.10-pam_keyring.patch
Patch15: at-3.1.10-PIE.patch
Patch16: at-3.1.10-pamfix.patch
Patch17: at-3.1.10-setuids.patch
BuildRequires: fileutils chkconfig /etc/init.d BuildRequires: fileutils chkconfig /etc/init.d
BuildRequires: flex bison autoconf BuildRequires: flex bison autoconf
@ -77,6 +80,9 @@ cp %{SOURCE1} .
%patch12 -p1 -b .session %patch12 -p1 -b .session
%patch13 -p1 -b .havepam %patch13 -p1 -b .havepam
%patch14 -p1 -b .pamkeyring %patch14 -p1 -b .pamkeyring
%patch15 -p1 -b .PIE
%patch16 -p1 -b .pamfix
%patch17 -p1 -b .setuids
%build %build
# patch10 touches configure.in # patch10 touches configure.in
@ -179,6 +185,11 @@ fi
%attr(4755,root,root) %{_bindir}/at %attr(4755,root,root) %{_bindir}/at
%changelog %changelog
* Tue Jan 8 2008 Marcela Maslanova <mmaslano@redhat.com> - 3.1.10-20
- used PIE instead of pie (with pie wasn't build on 64b successful)
- rewrite PAM fail check
- fix checking of settings setuid(s)
* Mon Dec 3 2007 Marcela Maslanova <mmaslano@redhat.com> - 3.1.10-19 * Mon Dec 3 2007 Marcela Maslanova <mmaslano@redhat.com> - 3.1.10-19
- another problem with permission - another problem with permission