rpms/at
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Remove old patches.

Browse Source
This commit is contained in:
Marcela Mašláňová 2009-10-14 12:21:18 +00:00
parent f2de853269
commit bc3273cefd
19 changed files with 0 additions and 1697 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
at-3.1.10-PIE.patch
View File

@ -1,28 +0,0 @@
diff -up at-3.1.10/Makefile.in.PIE at-3.1.10/Makefile.in
--- at-3.1.10/Makefile.in.PIE 2008-01-08 09:53:24.000000000 +0100
+++ at-3.1.10/Makefile.in 2008-01-08 09:53:53.000000000 +0100
@@ -68,13 +68,13 @@ LIST = Filelist Filelist.asc
all: at atd atrun
at: $(ATOBJECTS)
- $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
+ $(CC) $(CFLAGS) -o at -PIE $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
rm -f $(CLONES)
$(LN_S) -f at atq
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
+ $(CC) $(CFLAGS) -o atd -PIE $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
@@ -86,7 +86,7 @@ atrun: atrun.in
configure
.c.o:
- $(CC) -c $(CFLAGS) -fpie $(DEFS) $*.c
+ $(CC) -c $(CFLAGS) -fPIE $(DEFS) $*.c
install: all
$(INSTALL) -m 755 -d $(IROOT)$(etcdir)

48
at-3.1.10-different_shell.patch
View File

@ -1,48 +0,0 @@
diff -up at-3.1.10/at.c.fix at-3.1.10/at.c
--- at-3.1.10/at.c.fix 2009-03-18 10:49:06.000000000 +0100
+++ at-3.1.10/at.c 2009-03-18 10:59:19.000000000 +0100
@@ -61,12 +61,8 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-
-#ifdef TM_IN_SYS_TIME
-#include <sys/time.h>
-#else
#include <time.h>
-#endif
+#include <sys/time.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
@@ -244,6 +240,12 @@ writefile(time_t runtimer, char queue)
int kill_errno;
int rc;
int mailsize = 128;
+ struct timeval tv;
+ struct timezone tz;
+ long int i;
+
+ gettimeofday(&tv, &tz);
+ srandom(getpid()+tv.tv_usec);
/* Install the signal handler for SIGINT; terminate after removing the
* spool file if necessary
@@ -455,7 +457,8 @@ writefile(time_t runtimer, char queue)
fprintf(fp, " || {\n\t echo 'Execution directory "
"inaccessible' >&2\n\t exit 1\n}\n");
- fprintf(fp, "${SHELL:-/bin/sh} << `(dd if=/dev/urandom count=200 bs=1 2>/dev/null|LC_ALL=C tr -d -c '[:alnum:]')`\n\n");
+ i = random();
+ fprintf(fp, "${SHELL:-/bin/sh} << marcinDELIMITER%08lx\n", i);
istty = isatty(fileno(stdin));
if (istty) {
@@ -473,6 +476,7 @@ writefile(time_t runtimer, char queue)
fprintf(stderr, "<EOT>\n");
}
fprintf(fp, "\n");
+ fprintf(fp, "marcinDELIMITER%08lx\n", i);
if (ferror(fp))
panic("Output error");

66
at-3.1.10-dont_fork.patch
View File

@ -1,66 +0,0 @@
--- at-3.1.10/atd.8.in.fork 2005-08-29 10:08:51.000000000 +0200
+++ at-3.1.10/atd.8.in 2007-07-03 14:04:05.000000000 +0200
@@ -1,5 +1,5 @@
.Id $Id$
-.TH ATD 8 "Mar 1997" local "Linux Programmer's Manual"
+.TH ATD 3 "Jun 2007" at-3.1.10 "Linux Programmer's Manual"
.SH NAME
atd \- run jobs queued for later execution
.SH SYNOPSIS
@@ -10,6 +10,7 @@
.IR batch_interval ]
.RB [ -d ]
.RB [ -s ]
+.RB [ -n ]
.SH DESCRIPTION
.B atd
runs jobs queued by
@@ -46,6 +47,9 @@
is installed as
.B @prefix@/sbin/atrun
for backward compatibility.
+.TP 8
+.B -n
+Don't fork option.
.SH WARNING
.B atd
won't work if its spool directory is mounted via NFS even if
--- at-3.1.10/daemon.h.fork 2005-08-05 05:16:01.000000000 +0200
+++ at-3.1.10/daemon.h 2007-07-03 14:02:22.000000000 +0200
@@ -14,3 +14,4 @@
perr (const char *fmt, ...);
extern int daemon_debug;
+extern int daemon_nofork;
--- at-3.1.10/daemon.c.fork 2005-08-05 05:16:01.000000000 +0200
+++ at-3.1.10/daemon.c 2007-07-03 14:01:51.000000000 +0200
@@ -50,7 +50,8 @@
static const char *svnid = "$Id$";
-int daemon_debug;
+int daemon_debug = 0;
+int daemon_nofork = 0;
static int
lock_fd(int fd)
@@ -119,15 +120,18 @@
(open("/dev/null", O_RDWR) != 2)) {
perr("Error redirecting I/O");
}
+ }
+ if (daemon_nofork) pid = getpid();
+ else {
pid = fork();
if (pid == -1) {
perr("Cannot fork");
} else if (pid != 0) {
exit(0);
}
+ (void) setsid();
}
old_umask = umask(S_IWGRP | S_IWOTH);
- (void) setsid();
PRIV_START

40
at-3.1.10-havepam.patch
View File

@ -1,40 +0,0 @@
--- at-3.1.10/atd.c.havepam 2007-08-22 10:37:16.000000000 +0200
+++ at-3.1.10/atd.c 2007-08-22 10:39:42.000000000 +0200
@@ -121,7 +121,7 @@
static volatile sig_atomic_t term_signal = 0;
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
#include <security/pam_appl.h>
static pam_handle_t *pamh = NULL;
@@ -139,7 +139,7 @@
#define PAM_END { retcode = pam_close_session(pamh,0); \
pam_end(pamh,retcode); }
-#endif /* HAVE_PAM */
+#endif /* WITH_PAM */
/* Signal handlers */
RETSIGTYPE
@@ -246,7 +246,7 @@
char queue;
char fmt[64];
unsigned long jobno;
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
int retcode;
#endif
--- at-3.1.10/configure.in.havepam 2007-08-22 10:37:16.000000000 +0200
+++ at-3.1.10/configure.in 2007-08-22 10:37:16.000000000 +0200
@@ -80,7 +80,7 @@
AC_FUNC_GETLOADAVG
AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid)
AC_CHECK_HEADERS(security/pam_appl.h, [PAMLIB="-lpam"
- AC_DEFINE(HAVE_PAM)])
+ AC_DEFINE(WITH_PAM)])
dnl Checking for programs

102
at-3.1.10-makefile.patch
View File

@ -1,102 +0,0 @@
--- at-3.1.10/Makefile.in.old 2005-08-29 10:08:28.000000000 +0200
+++ at-3.1.10/Makefile.in 2007-07-02 15:38:48.000000000 +0200
@@ -51,7 +51,7 @@
privs.h
OTHERS = parsetime.l parsetime.y
-
+TEST_VERBOSE = 0
DOCS = Problems Copyright README ChangeLog timespec
MISC = COPYING Makefile.in configure acconfig.h install-sh \
@@ -67,13 +67,13 @@
all: at atd atrun
at: $(ATOBJECTS)
- $(CC) $(CFLAGS) -o at $(ATOBJECTS) $(LIBS) $(LEXLIB)
+ $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB)
rm -f $(CLONES)
$(LN_S) -f at atq
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB)
+ $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(PAMLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
@@ -85,38 +85,42 @@
configure
.c.o:
- $(CC) -c $(CFLAGS) $(DEFS) $*.c
+ $(CC) -c $(CFLAGS) -fpie $(DEFS) $*.c
install: all
- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(etcdir)
- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(bindir)
- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(sbindir)
- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(docdir)
- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(atdocdir)
- $(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 755 -d $(IROOT)$(ATSPOOL_DIR) $(IROOT)$(ATJOB_DIR)
- chmod 1770 $(IROOT)$(ATSPOOL_DIR) $(IROOT)$(ATJOB_DIR)
+ $(INSTALL) -m 755 -d $(IROOT)$(etcdir)
+ $(INSTALL) -m 755 -d $(IROOT)$(bindir)
+ $(INSTALL) -m 755 -d $(IROOT)$(sbindir)
+ $(INSTALL) -m 755 -d $(IROOT)$(docdir)
+ $(INSTALL) -m 755 -d $(IROOT)$(atdocdir)
+ $(INSTALL) -m 755 -d $(IROOT)$(ATJOB_DIR)
+ $(INSTALL) -m 755 -d $(IROOT)$(etcdir)/pam.d
+ $(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 755 -d $(IROOT)$(ATSPOOL_DIR)
+ chmod 700 $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR)
+ chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR)
touch $(IROOT)$(LFILE)
chmod 600 $(IROOT)$(LFILE)
chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(LFILE)
- test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL) -o root -g $(DAEMON_GROUPNAME) -m 640 at.deny $(IROOT)$(etcdir)/
- $(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 6755 -s at $(IROOT)$(bindir)
+ test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL) -m 600 at.deny $(IROOT)$(etcdir)/
+ $(INSTALL) -o $(INSTALL_ROOT_USER) -g $(DAEMON_GROUPNAME) pam_atd $(IROOT)$(etcdir)/pam.d/atd
+ $(INSTALL) -m 4755 at $(IROOT)$(bindir)
$(LN_S) -f at $(IROOT)$(bindir)/atq
$(LN_S) -f at $(IROOT)$(bindir)/atrm
- $(INSTALL) -g root -o root -m 755 batch $(IROOT)$(bindir)
- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man1dir)
- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man5dir)
- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man8dir)
- $(INSTALL) -g root -o root -m 755 -s atd $(IROOT)$(sbindir)
- $(INSTALL) -g root -o root -m 755 atrun $(IROOT)$(sbindir)
- $(INSTALL) -g root -o root -m 644 at.1 $(IROOT)$(man1dir)/
+ $(INSTALL) -m 755 batch $(IROOT)$(bindir)
+ $(INSTALL) -d -m 755 $(IROOT)$(man1dir)
+ $(INSTALL) -d -m 755 $(IROOT)$(man5dir)
+ $(INSTALL) -d -m 755 $(IROOT)$(man8dir)
+ $(INSTALL) -m 755 atd $(IROOT)$(sbindir)
+ $(INSTALL) -m 755 atrun $(IROOT)$(sbindir)
+ $(INSTALL) -m 644 at.1 $(IROOT)$(man1dir)/
cd $(IROOT)$(man1dir) && $(LN_S) -f at.1 atq.1 && $(LN_S) -f at.1 batch.1 && $(LN_S) -f at.1 atrm.1
- $(INSTALL) -g root -o root -m 644 atd.8 $(IROOT)$(man8dir)/
+ $(INSTALL) -m 644 atd.8 $(IROOT)$(man8dir)/
sed "s,\$${exec_prefix},$(exec_prefix),g" <atrun.8>tmpman
- $(INSTALL) -g root -o root -m 644 tmpman $(IROOT)$(man8dir)/atrun.8
+ $(INSTALL) -m 644 tmpman $(IROOT)$(man8dir)/atrun.8
rm -f tmpman
- $(INSTALL) -g root -o root -m 644 at_allow.5 $(IROOT)$(man5dir)/
- cd $(IROOT)$(man5dir) && $(LN_S) -f at_allow.5 at_deny.5
- $(INSTALL) -g root -o root -m 644 $(DOCS) $(IROOT)$(atdocdir)
+ $(INSTALL) -m 644 at_allow.5 $(IROOT)$(man5dir)/
+ cd $(IROOT)$(man5dir) && $(LN_S) -f at_allow.5 at_deny.5
+ $(INSTALL) -m 644 $(DOCS) $(IROOT)$(atdocdir)
rm -f $(IROOT)$(mandir)/cat1/at.1* $(IROOT)$(mandir)/cat1/batch.1* \
$(IROOT)$(mandir)/cat1/atq.1*
rm -f $(IROOT)$(mandir)/cat1/atd.8*
@@ -150,6 +154,9 @@
parsetest: lex.yy.c y.tab.c
$(CC) -o parsetest $(CFLAGS) $(DEFS) -DTEST_PARSER -DNEED_YYWRAP lex.yy.c y.tab.c
+test: parsetest
+ PERL_DL_NONLAZY=1 perl -e 'use Test::Harness qw(&runtests $$verbose); $$verbose=$(TEST_VERBOSE); runtests @ARGV;' test.pl
+
.depend: $(CSRCS)
gcc $(CFLAGS) $(DEFS) -MM $(CSRCS) > .depend

11
at-3.1.10-man-timespec-path.patch
View File

@ -1,11 +0,0 @@
--- at-3.1.10/at.1.in.path 2005-08-29 10:09:24.000000000 +0200
+++ at-3.1.10/at.1.in 2006-09-07 11:07:21.000000000 +0200
@@ -110,7 +110,7 @@
.B at 1am tomorrow.
.PP
The exact definition of the time specification can be found in
-.IR @prefix@/share/doc/at/timespec .
+.IR @prefix@/share/doc/at-@VERSION@/timespec.
.PP
For both
.BR at " and " batch ,

14
at-3.1.10-man_hyphen.patch
View File

@ -1,14 +0,0 @@
diff -up at-3.1.10/at.1.in.hyphen at-3.1.10/at.1.in
--- at-3.1.10/at.1.in.hyphen 2009-02-19 08:47:39.000000000 +0100
+++ at-3.1.10/at.1.in 2009-02-19 08:48:19.000000000 +0100
@@ -89,7 +89,9 @@ or giving a date of the form
or
.B MM/DD/YY
or
-.B DD.MM.YY.
+.B DD.MM.YY
+or
+.B YYYY-MM-DD.
The specification of a date
.I must
follow the specification of the time of day.

42
at-3.1.10-nonposix.patch
View File

@ -1,42 +0,0 @@
diff -up at-3.1.10/at.c.nonposix at-3.1.10/at.c
--- at-3.1.10/at.c.nonposix 2008-03-25 14:54:09.000000000 +0100
+++ at-3.1.10/at.c 2008-03-25 14:57:46.000000000 +0100
@@ -92,6 +92,7 @@
#define SIZE 255
#define TIMEFORMAT_POSIX "%a %b %e %T %Y"
+#define TIMEFORMAT_ISO "%Y-%m-%d %H:%M"
#define TIMESIZE 50
enum {
@@ -490,7 +491,15 @@ writefile(time_t runtimer, char queue)
runtime = localtime(&runtimer);
- strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
+ /* We only use the sick POSIX time format if POSIXLY_CORRECT
+ is set. Otherwise, we use ISO format.
+ */
+
+ if (getenv("POSIXLY_CORRECT") != NULL) {
+ strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
+ } else {
+ strftime(timestr, TIMESIZE, TIMEFORMAT_ISO, runtime);
+ }
fprintf(stderr, "job %ld at %s\n", jobno, timestr);
/* Signal atd, if present. Usual precautions taken... */
@@ -588,8 +597,11 @@ list_jobs(void)
runtimer = 60 * (time_t) ctm;
runtime = localtime(&runtimer);
- strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
-
+ if (getenv("POSIXLY_CORRECT") != NULL) {
+ strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
+ } else {
+ strftime(timestr, TIMESIZE, TIMEFORMAT_ISO, runtime);
+ }
if ((pwd = getpwuid(buf.st_uid)))
printf("%ld\t%s %c %s\n", jobno, timestr, queue, pwd->pw_name);
else

28
at-3.1.10-opt_V.patch
View File

@ -1,28 +0,0 @@
--- at-3.1.10/configure.in.opt_v 2007-07-04 17:05:33.000000000 +0200
+++ at-3.1.10/configure.in 2007-07-09 09:23:24.000000000 +0200
@@ -5,7 +5,7 @@
AC_CONFIG_HEADER(config.h)
AC_PREREQ(2.7)
-VERSION="3.1.9"
+VERSION="3.1.10"
if test "X$CFLAGS" = "X"; then
CFLAGS="-O2 -g -Wall"
fi
--- at-3.1.10/at.c.opt_v 2007-07-04 17:05:33.000000000 +0200
+++ at-3.1.10/at.c 2007-07-09 09:34:34.000000000 +0200
@@ -966,9 +966,11 @@
/* end of options eating
*/
- if (disp_version)
- fprintf(stderr, "at version " VERSION "\n"
- "Bug reports to: rmurray@debian.org (Ryan Murray)\n");
+ if (disp_version) {
+ fprintf(stderr, "at version " VERSION "\n");
+ if (argc == 2)
+ exit(EXIT_SUCCESS);
+ }
/* select our program
*/

543
at-3.1.10-pam.patch
View File

@ -1,543 +0,0 @@
--- at-3.1.10/pam_atd.pam 2007-07-03 13:29:24.000000000 +0200
+++ at-3.1.10/pam_atd 2007-07-03 13:29:24.000000000 +0200
@@ -0,0 +1,9 @@
+# The PAM configuration file for the at daemon
+#
+#
+auth required pam_env.so
+auth include password-auth
+account required pam_access.so
+account include password-auth
+session required pam_loginuid.so
+session include password-auth
diff -up at-3.1.10/atd.c.pam at-3.1.10/atd.c
--- at-3.1.10/atd.c.pam 2008-07-18 15:47:52.000000000 +0200
+++ at-3.1.10/atd.c 2008-07-18 16:02:32.000000000 +0200
@@ -74,6 +74,14 @@
#include <syslog.h>
#endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+int selinux_enabled=0;
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif
+
/* Local headers */
#include "privs.h"
@@ -83,6 +91,10 @@
#include "getloadavg.h"
#endif
+#ifndef LOG_ATD
+#define LOG_ATD LOG_DAEMON
+#endif
+
/* Macros */
#define BATCH_INTERVAL_DEFAULT 60
@@ -121,6 +133,7 @@ static const struct pam_conv conv = {
#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+ pam_close_session(pamh, PAM_SILENT); \
pam_end(pamh, retcode); exit(1); \
}
#define PAM_END { retcode = pam_close_session(pamh,0); \
@@ -196,6 +209,19 @@ myfork()
#define fork myfork
#endif
+#undef ATD_MAIL_PROGRAM
+#undef ATD_MAIL_NAME
+#if defined(SENDMAIL)
+#define ATD_MAIL_PROGRAM SENDMAIL
+#define ATD_MAIL_NAME "sendmail"
+#elif defined(MAILC)
+#define ATD_MAIL_PROGRAM MAILC
+#define ATD_MAIL_NAME "mail"
+#elif defined(MAILX)
+#define ATD_MAIL_PROGRAM MAILX
+#define ATD_MAIL_NAME "mailx"
+#endif
+
static void
run_file(const char *filename, uid_t uid, gid_t gid)
{
@@ -380,18 +406,22 @@ run_file(const char *filename, uid_t uid
fstat(fd_out, &buf);
size = buf.st_size;
-#ifdef HAVE_PAM
- PRIV_START
+//add for fedora, removed HAVE_PAM
+#ifdef WITH_PAM
retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
PAM_FAIL_CHECK;
+ retcode = pam_set_item(pamh, PAM_TTY, "atd");
+ PAM_FAIL_CHECK;
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
PAM_FAIL_CHECK;
- PRIV_END
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
#endif
+//end
close(STDIN_FILENO);
close(STDOUT_FILENO);
@@ -404,6 +434,14 @@ run_file(const char *filename, uid_t uid
else if (pid == 0) {
char *nul = NULL;
char **nenvp = &nul;
+ char **pam_envp=0L;
+
+ PRIV_START
+#ifdef WITH_PAM
+ pam_envp = pam_getenvlist(pamh);
+ if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) )
+ nenvp = pam_envp;
+#endif
/* Set up things for the child; we want standard input from the
* input file, and standard output and error sent to our output file.
@@ -425,8 +463,6 @@ run_file(const char *filename, uid_t uid
if (chdir(ATJOB_DIR) < 0)
perr("Cannot chdir to " ATJOB_DIR);
- PRIV_START
-
nice((tolower((int) queue) - 'a' + 1) * 2);
if (initgroups(pentry->pw_name, pentry->pw_gid))
@@ -443,10 +479,91 @@ run_file(const char *filename, uid_t uid
chdir("/");
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ security_context_t user_context=NULL;
+ security_context_t file_context=NULL;
+ int retval=0;
+ struct av_decision avd;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ if (getseuserbyname(pentry->pw_name, &seuser, &level) == 0) {
+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
+ free(seuser);
+ free(level);
+ if (retval) {
+ if (security_getenforce()==1) {
+ perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", pentry->pw_name);
+ goto out;
+ }
+ }
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
+ if (security_getenforce() > 0) {
+ perr("fgetfilecon FAILED %s", filename);
+ } else {
+ syslog(LOG_ERR, "fgetfilecon FAILED %s", filename);
+ goto out;
+ }
+ }
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ if (security_getenforce()==1)
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ }
+
+ if (setexeccon(user_context) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ }
+ }
+ freecon(user_context);
+ }
+#endif
+
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
perr("Exec failed for /bin/sh");
+//add for fedora
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0)
+ if (setexeccon(NULL) < 0)
+ if (security_getenforce()==1)
+ perr("Could not resset exec context for user %s\n", pentry->pw_name);
+
+#endif
+//end
+//add for fedora
+#ifdef WITH_PAM
+ if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L))
+ {
+ for( nenvp = pam_envp; *nenvp != 0L; nenvp++)
+ free(*nenvp);
+ free( pam_envp );
+ nenvp = &nul;
+ pam_envp=0L;
+ }
+#endif
PRIV_END
+// end
}
/* We're the parent. Let's wait.
*/
@@ -459,6 +576,7 @@ run_file(const char *filename, uid_t uid
*/
waitpid(pid, (int *) NULL, 0);
+/* remove because WITH_PAM
#ifdef HAVE_PAM
PRIV_START
pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
@@ -466,7 +584,7 @@ run_file(const char *filename, uid_t uid
pam_end(pamh, retcode);
PRIV_END
#endif
-
+*/
/* Send mail. Unlink the output file after opening it, so it
* doesn't hang around after the run.
*/
@@ -474,6 +592,13 @@ run_file(const char *filename, uid_t uid
if (open(filename, O_RDONLY) != STDIN_FILENO)
perr("Open of jobfile failed");
+#ifdef WITH_PAM
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+ pam_close_session(pamh, PAM_SILENT);
+ pam_end(pamh, PAM_ABORT);
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
+#endif
unlink(filename);
/* The job is now finished. We can delete its input file.
@@ -482,8 +607,30 @@ run_file(const char *filename, uid_t uid
unlink(newname);
free(newname);
+#ifdef ATD_MAIL_PROGRAM
if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
+ int mail_pid = -1;
+//add for fedora
+#ifdef WITH_PAM
+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item(pamh, PAM_TTY, "atd");
+ PAM_FAIL_CHECK;
+ retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_FAIL_CHECK;
+ /* PAM has now re-opened our log to auth.info ! */
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
+#endif
+//end
+ mail_pid = fork();
+ if ( mail_pid == 0 )
+ {
PRIV_START
if (initgroups(pentry->pw_name, pentry->pw_gid))
@@ -497,15 +644,80 @@ run_file(const char *filename, uid_t uid
chdir ("/");
-#if defined(SENDMAIL)
- execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
-#else
- perr("No mail command specified.");
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ security_context_t user_context=NULL;
+ security_context_t file_context=NULL;
+ int retval=0;
+ struct av_decision avd;
+
+ if (get_default_context(pentry->pw_name, NULL, &user_context))
+ perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+ perr("fgetfilecon FAILED %s", filename);
+
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ if (security_getenforce()==1) {
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ goto out;
+ }
+ }
+
+ if (setexeccon(user_context) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ }
+ }
+ out:
+ freecon(user_context);
+ }
+#endif
+ execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
+ perr("Exec faile for mail command");
+ exit(-1);
+
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0)
+ if (setexeccon(NULL) < 0)
+ if (security_getenforce()==1)
+ perr("Could not reset exec context for user %s\n", pentry->pw_name);
#endif
- perr("Exec failed for mail command");
PRIV_END
+ }
+ else if ( mail_pid == -1 ) {
+ perr("fork of mailer failed");
+ }
+ else {
+ /* Parent */
+ waitpid(mail_pid, (int *) NULL, 0);
+ }
+#ifdef WITH_PAM
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+ pam_close_session(pamh, PAM_SILENT);
+ pam_end(pamh, PAM_ABORT);
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
+#endif
}
+#endif
exit(EXIT_SUCCESS);
}
@@ -703,6 +915,10 @@ main(int argc, char *argv[])
struct passwd *pwe;
struct group *ge;
+#ifdef WITH_SELINUX
+ selinux_enabled=is_selinux_enabled();
+#endif
+
/* We don't need root privileges all the time; running under uid and gid
* daemon is fine.
*/
@@ -719,18 +935,14 @@ main(int argc, char *argv[])
RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid)
-#ifndef LOG_CRON
-#define LOG_CRON LOG_DAEMON
-#endif
-
- openlog("atd", LOG_PID, LOG_CRON);
+ openlog("atd", LOG_PID, LOG_ATD);
opterr = 0;
errno = 0;
run_as_daemon = 1;
batch_interval = BATCH_INTERVAL_DEFAULT;
- while ((c = getopt(argc, argv, "sdl:b:")) != EOF) {
+ while ((c = getopt(argc, argv, "sdl:b:n")) != EOF) {
switch (c) {
case 'l':
if (sscanf(optarg, "%lf", &load_avg) != 1)
@@ -745,7 +957,10 @@ main(int argc, char *argv[])
break;
case 'd':
daemon_debug++;
- break;
+ /* go through another option*/
+ case 'n':
+ daemon_nofork++;
+ break;
case 's':
run_as_daemon = 0;
diff -up at-3.1.10/config.h.in.pam at-3.1.10/config.h.in
--- at-3.1.10/config.h.in.pam 2008-07-18 16:04:41.000000000 +0200
+++ at-3.1.10/config.h.in 2008-07-18 16:05:13.000000000 +0200
@@ -181,3 +181,9 @@
#undef HAVE_ATTRIBUTE_NORETURN
#undef HAVE_PAM
+
+/* Define if you are building with_pam */
+#undef WITH_PAM
+
+/* Define if you are building with_selinux */
+#undef WITH_SELINUX
diff -up at-3.1.10/configure.in.pam at-3.1.10/configure.in
--- at-3.1.10/configure.in.pam 2008-07-18 16:05:28.000000000 +0200
+++ at-3.1.10/configure.in 2008-07-18 16:06:01.000000000 +0200
@@ -316,4 +316,19 @@ AC_ARG_WITH(daemon_groupname,
)
AC_SUBST(DAEMON_GROUPNAME)
+AC_ARG_WITH(selinux,
+[ --with-selinux Define to run with selinux],
+AC_DEFINE(WITH_SELINUX),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
+AC_ARG_WITH(pam,
+[ --with-pam Define to enable pam support ],
+AC_DEFINE(WITH_PAM),
+)
+AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
+AC_SUBST(PAMLIB)
+
AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
diff -up at-3.1.10/Makefile.in.pam at-3.1.10/Makefile.in
--- at-3.1.10/Makefile.in.pam 2008-07-18 15:47:52.000000000 +0200
+++ at-3.1.10/Makefile.in 2008-07-18 16:04:19.000000000 +0200
@@ -41,6 +41,7 @@ LIBS = @LIBS@
LIBOBJS = @LIBOBJS@
INSTALL = @INSTALL@
PAMLIB = @PAMLIB@
+SELINUXLIB = @SELINUXLIB@
CLONES = atq atrm
ATOBJECTS = at.o panic.o perm.o y.tab.o lex.yy.o
@@ -67,13 +68,13 @@ LIST = Filelist Filelist.asc
all: at atd atrun
at: $(ATOBJECTS)
- $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB)
+ $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
rm -f $(CLONES)
$(LN_S) -f at atq
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(PAMLIB)
+ $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
diff -up at-3.1.10/perm.c.pam at-3.1.10/perm.c
--- at-3.1.10/perm.c.pam 2008-07-18 16:06:14.000000000 +0200
+++ at-3.1.10/perm.c 2008-07-18 16:08:05.000000000 +0200
@@ -51,6 +51,14 @@
#define PRIV_END while(0)
#endif
+#ifdef WITH_PAM
+#include <security/pam_appl.h>
+static pam_handle_t *pamh = NULL;
+static const struct pam_conv conv = {
+ NULL
+};
+#endif
+
/* Structures and unions */
@@ -109,18 +117,55 @@ user_in_file(const char *path, const cha
int
check_permission()
{
- uid_t uid = geteuid();
+ uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid();
struct passwd *pentry;
int allow = 0, deny = 1;
- if (uid == 0)
+ int retcode = 0;
+ if (euid == 0)
return 1;
- if ((pentry = getpwuid(uid)) == NULL) {
+ if ((pentry = getpwuid(euid)) == NULL) {
perror("Cannot access user database");
exit(EXIT_FAILURE);
}
+#ifdef WITH_PAM
+/*
+ * We must check if the atd daemon userid will be allowed to gain the job owner user's
+ * credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
+ */
+ setreuid(daemon_uid, daemon_uid);
+ setregid(daemon_gid, daemon_gid);
+
+# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+ fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
+ pam_close_session(pamh,PAM_SILENT); \
+ pam_end(pamh, retcode); \
+ setregid(gid,egid); \
+ setreuid(uid,euid); \
+ return(0); \
+ }
+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item(pamh, PAM_TTY, "atd");
+ PAM_FAIL_CHECK;
+ retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_FAIL_CHECK;
+
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+ pam_close_session(pamh,PAM_SILENT);
+ pam_end(pamh, PAM_ABORT);
+
+ setregid(gid,egid);
+ setreuid(uid,euid);
+
+#endif
+
allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name);
if (allow==0 || allow==1)
return allow;

141
at-3.1.10-pamfix.patch
View File

@ -1,141 +0,0 @@
diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c
--- at-3.1.10/atd.c.pamfix 2008-07-18 16:23:11.000000000 +0200
+++ at-3.1.10/atd.c 2008-07-18 16:23:11.000000000 +0200
@@ -131,15 +131,17 @@ static const struct pam_conv conv = {
};
#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
- fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+ fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \
syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
- pam_close_session(pamh, PAM_SILENT); \
- pam_end(pamh, retcode); exit(1); \
+ if (pamh) \
+ pam_end(pamh, retcode); \
+ exit(1); \
}
-#define PAM_END { retcode = pam_close_session(pamh,0); \
- pam_end(pamh,retcode); }
-#endif /* WITH_PAM */
+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+ pam_close_session(pamh, PAM_SILENT);
+
+#endif /* end WITH_PAM */
/* Signal handlers */
RETSIGTYPE
@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid
//add for fedora, removed HAVE_PAM
#ifdef WITH_PAM
+ pamh = NULL;
retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
PAM_FAIL_CHECK;
retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
closelog();
openlog("atd", LOG_PID, LOG_ATD);
@@ -612,6 +617,7 @@ run_file(const char *filename, uid_t uid
int mail_pid = -1;
//add for fedora
#ifdef WITH_PAM
+ pamh = NULL;
retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
PAM_FAIL_CHECK;
retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -619,8 +625,10 @@ run_file(const char *filename, uid_t uid
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
/* PAM has now re-opened our log to auth.info ! */
closelog();
diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c
--- at-3.1.10/perm.c.pamfix 2008-07-18 16:23:11.000000000 +0200
+++ at-3.1.10/perm.c 2008-07-18 16:26:16.000000000 +0200
@@ -135,34 +135,61 @@ check_permission()
* We must check if the atd daemon userid will be allowed to gain the job owner user's
* credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
*/
- setreuid(daemon_uid, daemon_uid);
- setregid(daemon_gid, daemon_gid);
+ if (setreuid(daemon_uid, daemon_uid) != 0) {
+ fprintf(stderr, "cannot set egid: %s", strerror(errno));
+ exit(1);
+ }
+ if (setregid(daemon_gid, daemon_gid) != 0) {
+ fprintf(stderr, "cannot set euid: %s", strerror(errno));
+ exit(1);
+ }
# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
- fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
- pam_close_session(pamh,PAM_SILENT); \
- pam_end(pamh, retcode); \
- setregid(gid,egid); \
- setreuid(uid,euid); \
- return(0); \
- }
+ fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
+ if (pamh) \
+ pam_end(pamh, retcode); \
+ if (setregid(gid,egid) != 0) { \
+ fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
+ exit(1); \
+ } \
+ if (setreuid(uid,euid) != 0) { \
+ fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
+ exit(1); \
+ } \
+ return(0); \
+ }
+
+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+ pam_close_session(pamh,PAM_SILENT);
+
+ pamh = NULL;
retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
PAM_FAIL_CHECK;
retcode = pam_set_item(pamh, PAM_TTY, "atd");
PAM_FAIL_CHECK;
retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_SESSION_FAIL;
PAM_FAIL_CHECK;
pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
pam_close_session(pamh,PAM_SILENT);
pam_end(pamh, PAM_ABORT);
- setregid(gid,egid);
- setreuid(uid,euid);
+ if (setregid(gid,egid) != 0) {
+ fprintf(stderr, "cannot set egid: %s", strerror(errno));
+ exit(1);
+ }
+ if (setreuid(uid,euid) != 0) {
+ fprintf(stderr, "cannot set euid: %s", strerror(errno));
+ exit(1);
+ }
+
#endif

78
at-3.1.10-perm.patch
View File

@ -1,78 +0,0 @@
--- at-3.1.10/at.c.perm 2007-07-04 09:43:19.000000000 +0200
+++ at-3.1.10/at.c 2007-07-04 10:04:47.000000000 +0200
@@ -314,26 +314,19 @@
* bit. Yes, this is a kluge.
*/
cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR);
- seteuid(real_uid);
+ seteuid(effective_uid);
if ((fd = open(atfile, O_CREAT | O_EXCL | O_TRUNC | O_WRONLY, S_IRUSR)) == -1)
perr("Cannot create atjob file %.500s", atfile);
- seteuid(effective_uid);
+ //seteuid(effective_uid);
if ((fd2 = dup(fd)) < 0)
perr("Error in dup() of job file");
- /*
if (fchown(fd2, real_uid, real_gid) != 0)
- perr("Cannot give away file");
- */
+ perr("Cannot give real_uid and real_gid the file");
PRIV_END
- /* We no longer need suid root; now we just need to be able to write
- * to the directory, if necessary.
- */
-
- REDUCE_PRIV(daemon_uid, daemon_gid)
/* We've successfully created the file; let's set the flag so it
* gets removed in case of an interrupt or error.
*/
@@ -491,7 +484,7 @@
*/
if (fchmod(fd2, S_IRUSR | S_IWUSR | S_IXUSR) < 0)
- perr("Cannot give away file");
+ perr("Cannot change the mode of the file");
close(fd2);
@@ -656,7 +649,7 @@
We need the unprivileged uid here since the file is owned by the real
(not effective) uid.
*/
- setregid(real_gid, effective_gid);
+ PRIV_START
if (queue == '=') {
fprintf(stderr, "Warning: deleting running job\n");
@@ -665,8 +658,8 @@
perr("Cannot unlink %.500s", dirent->d_name);
rc = EXIT_FAILURE;
}
+ PRIV_END
- setregid(effective_gid, real_gid);
done = 1;
break;
@@ -676,7 +669,7 @@
FILE *fp;
int ch;
- setregid(real_gid, effective_gid);
+ PRIV_START
fp = fopen(dirent->d_name, "r");
if (fp) {
@@ -689,7 +682,7 @@
perr("Cannot open %.500s", dirent->d_name);
rc = EXIT_FAILURE;
}
- setregid(effective_gid, real_gid);
+ PRIV_END
}
break;

187
at-3.1.10-selinux_mail.patch
View File

@ -1,187 +0,0 @@
diff -up at-3.1.10/atd.c.mailselinux at-3.1.10/atd.c
--- at-3.1.10/atd.c.mailselinux 2008-09-17 10:45:38.000000000 +0200
+++ at-3.1.10/atd.c 2008-09-17 10:49:48.000000000 +0200
@@ -224,6 +224,69 @@ myfork()
#define ATD_MAIL_NAME "mailx"
#endif
+#ifdef WITH_SELINUX
+static int set_selinux_context(const char *name, const char *filename) {
+ security_context_t user_context=NULL;
+ security_context_t file_context=NULL;
+ struct av_decision avd;
+ int retval=-1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ if (getseuserbyname(name, &seuser, &level) == 0) {
+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
+ free(seuser);
+ free(level);
+ if (retval) {
+ if (security_getenforce()==1) {
+ perr("execle: couldn't get security context for user %s\n", name);
+ } else {
+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
+ return -1;
+ }
+ }
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+ perr("fgetfilecon FAILED %s", filename);
+
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ if (security_getenforce()==1) {
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
+ } else {
+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
+ retval = -1;
+ goto err;
+ }
+ }
+ if (setexeccon(user_context) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", user_context,name);
+ retval = -1;
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
+ }
+ }
+ err:
+ freecon(user_context);
+ return 0;
+}
+#endif
+
+
static void
run_file(const char *filename, uid_t uid, gid_t gid)
{
@@ -486,61 +549,8 @@ run_file(const char *filename, uid_t uid
#ifdef WITH_SELINUX
if (selinux_enabled>0) {
- security_context_t user_context=NULL;
- security_context_t file_context=NULL;
- int retval=0;
- struct av_decision avd;
- char *seuser=NULL;
- char *level=NULL;
-
- if (getseuserbyname(pentry->pw_name, &seuser, &level) == 0) {
- retval=get_default_context_with_level(seuser, level, NULL, &user_context);
- free(seuser);
- free(level);
- if (retval) {
- if (security_getenforce()==1) {
- perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
- } else {
- syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", pentry->pw_name);
- goto out;
- }
- }
- }
-
- /*
- * Since crontab files are not directly executed,
- * crond must ensure that the crontab file has
- * a context that is appropriate for the context of
- * the user cron job. It performs an entrypoint
- * permission check for this purpose.
- */
- if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
- if (security_getenforce() > 0) {
- perr("fgetfilecon FAILED %s", filename);
- } else {
- syslog(LOG_ERR, "fgetfilecon FAILED %s", filename);
- goto out;
- }
- }
- retval = security_compute_av(user_context,
- file_context,
- SECCLASS_FILE,
- FILE__ENTRYPOINT,
- &avd);
- freecon(file_context);
- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
- if (security_getenforce()==1)
- perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
- }
-
- if (setexeccon(user_context) < 0) {
- if (security_getenforce()==1) {
- perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
- } else {
- syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
- }
- }
- freecon(user_context);
+ if (set_selinux_context(pentry->pw_name, filename) < 0)
+ perr("SELinux Failed to set context\n");
}
#endif
@@ -654,47 +664,8 @@ run_file(const char *filename, uid_t uid
#ifdef WITH_SELINUX
if (selinux_enabled>0) {
- security_context_t user_context=NULL;
- security_context_t file_context=NULL;
- int retval=0;
- struct av_decision avd;
-
- if (get_default_context(pentry->pw_name, NULL, &user_context))
- perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
- /*
- * Since crontab files are not directly executed,
- * crond must ensure that the crontab file has
- * a context that is appropriate for the context of
- * the user cron job. It performs an entrypoint
- * permission check for this purpose.
- */
- if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
- perr("fgetfilecon FAILED %s", filename);
-
- retval = security_compute_av(user_context,
- file_context,
- SECCLASS_FILE,
- FILE__ENTRYPOINT,
- &avd);
- freecon(file_context);
- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
- if (security_getenforce()==1) {
- perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
- } else {
- syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
- goto out;
- }
- }
-
- if (setexeccon(user_context) < 0) {
- if (security_getenforce()==1) {
- perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
- } else {
- syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
- }
- }
- out:
- freecon(user_context);
+ if (set_selinux_context(pentry->pw_name, filename) < 0)
+ perr("SELinux Failed to set context\n");
}
#endif
execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);

11
at-3.1.10-session.patch
View File

@ -1,11 +0,0 @@
--- at-3.1.10/atd.c.old 2007-07-12 11:12:36.000000000 +0200
+++ at-3.1.10/atd.c 2007-07-12 11:20:40.000000000 +0200
@@ -303,6 +303,8 @@
free(newname);
return;
}
+ (void) setsid(); //own session for process
+
/* Let's see who we mail to. Hopefully, we can read it from
* the command file; if not, send it to the owner, or, failing that,
* to root.

56
at-3.1.10-typo.patch
View File

@ -1,56 +0,0 @@
--- at-3.1.10/atrun.8.in.typo 2005-08-29 10:08:41.000000000 +0200
+++ at-3.1.10/atrun.8.in 2006-09-12 10:00:57.000000000 +0200
@@ -11,7 +11,7 @@
.B atrun
runs jobs queued by
.BR at(1) .
-It is a shell script containing invoking
+It is a shell script invoking
.B @sbindir@/atd
with the
.I -s
--- at-3.1.10/atd.c.typo 2006-09-12 10:00:57.000000000 +0200
+++ at-3.1.10/atd.c 2006-09-12 10:07:19.000000000 +0200
@@ -316,7 +316,7 @@
"aborting", jobno, filename);
if (buf.st_nlink > 2) {
- perr("Someboy is trying to run a linked script for job %8lu (%.500s)",
+ perr("Somebody is trying to run a linked script for job %8lu (%.500s)",
jobno, filename);
}
if ((fflags = fcntl(fd_in, F_GETFD)) < 0)
@@ -607,6 +607,7 @@
* Let's remove the lockfile and reschedule.
*/
strncpy(lock_name, dirent->d_name, sizeof(lock_name));
+ lock_name[sizeof(lock_name)-1] = '\0';
lock_name[0] = '=';
unlink(lock_name);
next_job = now;
@@ -623,7 +624,7 @@
nothing_to_do = 0;
/* There's a job for later. Note its execution time if it's
- * the earlierst so far.
+ * the earliest so far.
*/
if (run_time > now) {
if (next_job > run_time) {
@@ -641,6 +642,7 @@
run_batch++;
if (strcmp(batch_name, dirent->d_name) > 0) {
strncpy(batch_name, dirent->d_name, sizeof(batch_name));
+ batch_name[sizeof(batch_name)-1] = '\0';
batch_uid = buf.st_uid;
batch_gid = buf.st_gid;
batch_queue = queue;
@@ -683,7 +685,7 @@
int
main(int argc, char *argv[])
{
-/* Browse through ATJOB_DIR, checking all the jobfiles wether they should
+/* Browse through ATJOB_DIR, checking all the jobfiles whether they should
* be executed and or deleted. The queue is coded into the first byte of
* the job filename, the date (in minutes since Eon) as a hex number in the
* following eight bytes, followed by a dot and a serial number. A file

11
at-3.1.7-lockfile.patch
View File

@ -1,11 +0,0 @@
--- at-3.1.7/at.c.lockfile Wed Oct 22 17:56:22 1997
+++ at-3.1.7/at.c Wed Oct 22 17:56:40 1997
@@ -199,7 +199,7 @@
fscanf(fid, "%5lx", &jobno);
rewind(fid);
} else {
- fid = fopen(ATJOB_DIR "/.SEQ", "w");
+ fid = fopen(LFILE, "w");
if (fid == NULL)
return EOF;
}

12
at-3.1.7-sigchld.patch
View File

@ -1,12 +0,0 @@
--- at-3.1.7/atd.c.sigchld Mon May 24 16:56:41 1999
+++ at-3.1.7/atd.c Mon May 24 16:58:57 1999
@@ -348,6 +348,9 @@
if (setuid(uid) < 0)
perr("Cannot set user id");
+ if (SIG_ERR == signal(SIGCHLD, SIG_DFL))
+ perr("Cannot reset signal handler to default");
+
chdir("/");
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)

12
at-3.1.8-perr.patch
View File

@ -1,12 +0,0 @@
diff -up at-3.1.10/atd.c.bla at-3.1.10/atd.c
--- at-3.1.10/atd.c.bla 2008-07-18 15:18:35.000000000 +0200
+++ at-3.1.10/atd.c 2008-07-18 15:19:41.000000000 +0200
@@ -643,7 +643,7 @@ run_file(const char *filename, uid_t uid
#if defined(SENDMAIL)
execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
#else
-#error "No mail command specified."
+ perr("No mail command specified.");
#endif
perr("Exec failed for mail command");

267
at-3.1.8-t_option.patch
View File

@ -1,267 +0,0 @@
--- at-3.1.10/at.c.t_option 2007-07-04 11:12:10.000000000 +0200
+++ at-3.1.10/at.c 2007-07-04 11:13:19.000000000 +0200
@@ -396,8 +396,9 @@
unsigned int i;
for (i = 0; i < sizeof(no_export) / sizeof(no_export[0]); i++) {
export = export
- && (strncmp(*atenv, no_export[i],
- (size_t) (eqp - *atenv)) != 0);
+ && ( (((size_t) (eqp - *atenv)) != strlen(no_export[i]))
+ ||(strncmp(*atenv, no_export[i],(size_t) (eqp - *atenv)) != 0)
+ );
}
eqp++;
}
@@ -752,6 +753,102 @@
return p;
}
+/* Handle POSIX.2 '-t' option :
+ * Parses time string in "touch(1)" format:
+ * [[CC]YY]MMDDhhmm[.ss]
+ * and returns time_t .
+ */
+time_t
+t_option(char *s)
+{
+ time_t t=time(0L);
+ struct tm tm, tm_now=*localtime(&t);
+ int l;
+
+ if((s == 0L) || (*s == '\0'))
+ {
+ return 0L;
+ };
+ memset(&tm,'\0',sizeof(tm));
+ l = strnlen(s,15);
+ switch(l)
+ {
+ case 15:
+ /* CCYYMMDDhhmm.ss */
+ sscanf(s, "%4d%2d%2d%2d%2d.%2d",
+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec
+ );
+ if(tm.tm_year)
+ tm.tm_year -= 1900 ;
+
+ break;
+
+ case 13:
+ /* YYMMDDhhmm.ss */
+ sscanf(s, "%2d%2d%2d%2d%2d.%2d",
+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec
+ );
+ if(tm.tm_year)
+ tm.tm_year += 100 ; /* Y2.1K+ bug! */
+
+ break;
+
+ case 11:
+ /* MMDDhhmm.ss */
+ sscanf(s, "%2d%2d%2d%2d.%2d",
+ &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec
+ );
+
+ tm.tm_year = tm_now.tm_year;
+
+ if(tm.tm_mon)
+ tm.tm_mon -= 1;
+ break;
+
+ case 12:
+ /* CCYYMMDDhhmm */
+ sscanf(s, "%4d%2d%2d%2d%2d",
+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min
+ );
+ if(tm.tm_year)
+ tm.tm_year -= 1900 ;
+ break;
+
+ case 10:
+ /* YYMMDDhhmm */
+ sscanf(s, "%2d%2d%2d%2d%2d",
+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min
+ );
+ if(tm.tm_year)
+ tm.tm_year += 100 ; /* Y2.1K+ bug! */
+ break;
+
+ case 8:
+ /* MMDDhhmm */
+ sscanf(s, "%2d%2d%2d%2d",
+ &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min
+ );
+ if( tm.tm_mday )
+ tm.tm_year = tm_now.tm_year;
+ break;
+ default:
+ break;
+ }
+
+ if( tm.tm_mon )
+ tm.tm_mon -= 1;
+
+ if( tm.tm_mday )
+ {
+ tm.tm_isdst = -1;
+ t = mktime(&tm);
+ return t;
+ } else
+ return 0L;
+}
+
+
+
int
main(int argc, char **argv)
{
@@ -761,9 +858,9 @@
char *pgm;
int program = AT; /* our default program */
- char *options = "q:f:MmvldhVc"; /* default options for at */
+ char *options = "q:f:MmvldhVct:"; /* default options for at */
int disp_version = 0;
- time_t timer;
+ time_t timer=0L;
struct passwd *pwe;
struct group *ge;
@@ -866,7 +963,9 @@
program = CAT;
options = "";
break;
-
+ case 't':
+ timer = t_option(optarg);
+ break;
default:
usage();
break;
@@ -923,10 +1022,12 @@
break;
case AT:
- if (argc > optind) {
- timer = parsetime(argc - optind, argv + optind);
- } else {
- timer = 0;
+ if (timer == 0) {
+ if (argc > optind) {
+ timer = parsetime(argc - optind, argv + optind);
+ } else {
+ timer = 0;
+ }
}
if (timer == 0) {
@@ -955,10 +1056,12 @@
else
queue = DEFAULT_BATCH_QUEUE;
- if (argc > optind)
- timer = parsetime(argc, argv);
- else
- timer = time(NULL);
+ if( timer == 0L ) {
+ if (argc > optind)
+ timer = parsetime(argc, argv);
+ else
+ timer = time(NULL);
+ }
if (atverify) {
struct tm *tm = localtime(&timer);
--- at-3.1.10/at.1.in.t_option 2007-07-04 11:12:10.000000000 +0200
+++ at-3.1.10/at.1.in 2007-07-04 11:12:10.000000000 +0200
@@ -12,6 +12,16 @@
.RB [ -mldbv ]
.B TIME
.br
+.B at
+.RB [ -V ]
+.RB [ -q
+.IR queue ]
+.RB [ -f
+.IR file ]
+.RB [ -mldbv ]
+.RB -t
+.IR time_arg
+.br
.B "at -c"
.I job
.RI [ job... ]
@@ -32,8 +42,7 @@
and
.B batch
read commands from standard input or a specified file which are to
-be executed at a later time, using
-.BR /bin/sh .
+be executed at a later time.
.TP 8
.BR at
executes commands at a specified time.
@@ -227,6 +236,63 @@
.B
\-c
cats the jobs listed on the command line to standard output.
+.TP
+.BI \-t " time_arg"
+Submit the job to be run at the time specified by the
+.BI time_arg
+option argument, which must have the same format as specified for the
+.BR touch(1)
+utility's
+.B \-t
+time option argument ([[CC]YY]MMDDhhmm).
+.SH ENVIRONMENT
+.P
+.TP 8
+.B SHELL
+The value of the SHELL environment variable at the time of
+.B at
+invocation will determine which shell is used to execute the
+.B at
+job commands. If SHELL is unset when
+.B at
+is invoked, the user's login shell will be used; otherwise,
+if SHELL is set when
+.B at
+is invoked, it must contain the path of a shell interpreter
+executable that will be used to run the commands at the specified time.
+.P
+.B at
+will record the values of
+environment variables present at time of
+.B at
+invocation. When the commands are run at the specified time,
+.B at
+will restore these variables to their recorded values .
+These variables are excluded from this processing and are never
+set by
+.B at
+when the commands are run :
+.br
+.BI TERM,
+.BI DISPLAY,
+.BI SHELLOPTS,
+.BI _,
+.BI PPID,
+.BI BASH_VERSINFO,
+.BI EUID,
+.BI UID,
+.BI GROUPS.
+.br
+If the user submitting the
+.B at
+job is not the super-user, variables that alter the behaviour of the
+loader
+.BR ld.so(8),
+such as
+.B LD_LIBRARY_PATH
+, cannot be recorded and restored by
+.B at .
+.P
.SH FILES
.I @ATJBD@
.br