- 528582 add noreplace option into files section

- rewrite pam2 patch - check return value, use "better" macro, etc.
- new version of at

.cvsignore

@@ -3,3 +3,4 @@ at_3.1.10.tar.gz
 atd.init
 atd.sysconf
 test.pl
+at_3.1.11.orig.tar.gz

at-3.1.11-dont_fork.patch

@@ -0,0 +1,92 @@
+diff -up at-3.1.11/atd.8.in.dont_fork at-3.1.11/atd.8.in
+--- at-3.1.11/atd.8.in.dont_fork	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/atd.8.in	2009-10-01 13:03:18.799878107 +0200
+@@ -1,4 +1,4 @@
+-.TH ATD 8 "Mar 1997" local "Linux Programmer's Manual"
++.TH ATD 8 "Sep 2009" at-3.1.11 "Linux Programmer's Manual"
+ .SH NAME
+ atd \- run jobs queued for later execution
+ .SH SYNOPSIS
+@@ -9,6 +9,7 @@ atd \- run jobs queued for later executi
+ .IR batch_interval ]
+ .RB [ -d ]
+ .RB [ -s ]
++.RB [ -n ]
+ .SH DESCRIPTION
+ .B atd
+ runs jobs queued by
+@@ -45,6 +46,9 @@ A script invoking
+ is installed as
+ .B @prefix@/sbin/atrun
+ for backward compatibility.
+++.TP 8
+++.B -n
+++Don't fork option.
+ .SH WARNING
+ .B atd
+ won't work if its spool directory is mounted via NFS even if
+diff -up at-3.1.11/atd.c.dont_fork at-3.1.11/atd.c
+--- at-3.1.11/atd.c.dont_fork	2009-10-01 13:03:18.000000000 +0200
++++ at-3.1.11/atd.c	2009-10-01 13:04:55.289631298 +0200
+@@ -729,7 +729,7 @@ main(int argc, char *argv[])
+     run_as_daemon = 1;
+     batch_interval = BATCH_INTERVAL_DEFAULT;
+ 
+-    while ((c = getopt(argc, argv, "sdl:b:")) != EOF) {
++    while ((c = getopt(argc, argv, "sdl:b:n")) != EOF) {
+ 	switch (c) {
+ 	case 'l':
+ 	    if (sscanf(optarg, "%lf", &load_avg) != 1)
+@@ -744,7 +744,10 @@ main(int argc, char *argv[])
+ 	    break;
+ 	case 'd':
+ 	    daemon_debug++;
+-	    break;
++        /* go through another option*/
++   case 'n':
++        daemon_nofork++;
++        break;
+ 
+ 	case 's':
+ 	    run_as_daemon = 0;
+diff -up at-3.1.11/daemon.c.dont_fork at-3.1.11/daemon.c
+--- at-3.1.11/daemon.c.dont_fork	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/daemon.c	2009-10-01 13:03:18.800878165 +0200
+@@ -48,7 +48,8 @@
+ #include "daemon.h"
+ #include "privs.h"
+ 
+-int daemon_debug;
++int daemon_debug = 0;
++int daemon_nofork = 0;
+ 
+ static int
+ lock_fd(int fd)
+@@ -117,15 +118,18 @@ daemon_setup()
+ 	    (open("/dev/null", O_RDWR) != 2)) {
+ 	    perr("Error redirecting I/O");
+ 	}
++    }
++    if (daemon_nofork) pid = getpid();
++    else {
+ 	pid = fork();
+ 	if (pid == -1) {
+ 	    perr("Cannot fork");
+ 	} else if (pid != 0) {
+ 	    exit(0);
+ 	}
++	(void) setsid();
+     }
+     old_umask = umask(S_IWGRP | S_IWOTH);
+-    (void) setsid();
+ 
+     PRIV_START
+ 
+diff -up at-3.1.11/daemon.h.dont_fork at-3.1.11/daemon.h
+--- at-3.1.11/daemon.h.dont_fork	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/daemon.h	2009-10-01 13:03:18.801877593 +0200
+@@ -14,3 +14,4 @@ __attribute__((noreturn))
+ perr (const char *fmt, ...);
+ 
+ extern int daemon_debug;
++extern int daemon_nofork;

at-3.1.11-log.patch

@@ -0,0 +1,48 @@
+diff -up at-3.1.11/at.c.log at-3.1.11/at.c
+diff -up at-3.1.11/atd.c.log at-3.1.11/atd.c
+--- at-3.1.11/atd.c.log	2009-10-01 13:05:17.000000000 +0200
++++ at-3.1.11/atd.c	2009-10-01 13:25:48.437638709 +0200
+@@ -83,6 +83,10 @@
+ #include "getloadavg.h"
+ #endif
+ 
++#ifndef LOG_ATD
++#define LOG_ATD        LOG_DAEMON
++#endif
++
+ /* Macros */
+ 
+ #define BATCH_INTERVAL_DEFAULT 60
+@@ -195,6 +199,19 @@ myfork()
+ #define fork myfork
+ #endif
+ 
++#undef ATD_MAIL_PROGRAM
++#undef ATD_MAIL_NAME
++#if defined(SENDMAIL)
++#define ATD_MAIL_PROGRAM SENDMAIL
++#define ATD_MAIL_NAME    "sendmail"
++#elif  defined(MAILC)
++#define ATD_MAIL_PROGRAM MAILC
++#define ATD_MAIL_NAME    "mail"
++#elif  defined(MAILX)
++#define ATD_MAIL_PROGRAM MAILX
++#define ATD_MAIL_NAME    "mailx"
++#endif
++
+ static void
+ run_file(const char *filename, uid_t uid, gid_t gid)
+ {
+@@ -718,11 +735,7 @@ main(int argc, char *argv[])
+ 
+     RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid)
+ 
+-#ifndef LOG_CRON
+-#define LOG_CRON	LOG_DAEMON
+-#endif
+-
+-    openlog("atd", LOG_PID, LOG_CRON);
++    openlog("atd", LOG_PID, LOG_ATD);
+ 
+     opterr = 0;
+     errno = 0;

at-3.1.11-makefile.patch

@@ -0,0 +1,102 @@
+diff -up at-3.1.11/Makefile.in.make at-3.1.11/Makefile.in
+--- at-3.1.11/Makefile.in.make	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/Makefile.in	2009-10-02 10:36:24.104162973 +0200
+@@ -50,6 +51,8 @@ HEADERS 	= at.h panic.h parsetime.h perm
+ 
+ OTHERS		= parsetime.l parsetime.y
+ 
++TEST_VERBOSE	= 0
++
+ DOCS =  Problems Copyright README ChangeLog timespec
+ 
+ MISC =  COPYING  Makefile.in configure acconfig.h install-sh \
+@@ -65,13 +68,13 @@ LIST = Filelist Filelist.asc
+ all: at atd atrun
+ 
+ at: $(ATOBJECTS)
+-	$(CC) $(CFLAGS) -o at $(ATOBJECTS) $(LIBS) $(LEXLIB)
++	$(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(SELINUXLIB) $(PAMLIB)
+ 	rm -f $(CLONES)
+ 	$(LN_S) -f at atq
+ 	$(LN_S) -f at atrm
+ 
+ atd: $(RUNOBJECTS)
+-	$(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB)
++	$(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
+ 
+ y.tab.c y.tab.h: parsetime.y
+ 	$(YACC) -d parsetime.y
+@@ -83,38 +86,42 @@ atrun: atrun.in
+ 	configure
+ 
+ .c.o:
+-	$(CC) -c $(CFLAGS) $(DEFS) $*.c
++	$(CC) -c $(CFLAGS) -fPIE $(DEFS) $*.c
+ 
+ install: all
+-	$(INSTALL) -g root -o root -m 755 -d $(IROOT)$(etcdir)
+-	$(INSTALL) -g root -o root -m 755 -d $(IROOT)$(bindir)
+-	$(INSTALL) -g root -o root -m 755 -d $(IROOT)$(sbindir)
+-	$(INSTALL) -g root -o root -m 755 -d $(IROOT)$(docdir)
+-	$(INSTALL) -g root -o root -m 755 -d $(IROOT)$(atdocdir)
+-	$(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 755 -d $(IROOT)$(ATSPOOL_DIR) $(IROOT)$(ATJOB_DIR)
+-	chmod 1770 $(IROOT)$(ATSPOOL_DIR) $(IROOT)$(ATJOB_DIR)
++	$(INSTALL) -m 755 -d $(IROOT)$(etcdir)
++	$(INSTALL) -m 755 -d $(IROOT)$(bindir)
++	$(INSTALL) -m 755 -d $(IROOT)$(sbindir)
++	$(INSTALL) -m 755 -d $(IROOT)$(docdir)
++	$(INSTALL) -m 755 -d $(IROOT)$(atdocdir)
++	$(INSTALL) -m 755 -d $(IROOT)$(ATJOB_DIR)
++	$(INSTALL) -m 755 -d $(IROOT)$(etcdir)/pam.d
++	$(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 755 -d $(IROOT)$(ATSPOOL_DIR)
++	chmod 700 $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR)
++	chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR)
+ 	touch $(IROOT)$(LFILE)
+ 	chmod 600 $(IROOT)$(LFILE)
+ 	chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(LFILE)
+-	test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL) -o root -g $(DAEMON_GROUPNAME) -m 640 at.deny $(IROOT)$(etcdir)/
+-	$(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 6755 -s at $(IROOT)$(bindir)
++	test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL)  -m 600 at.deny $(IROOT)$(etcdir)/
++	$(INSTALL) -o $(INSTALL_ROOT_USER) -g $(DAEMON_GROUPNAME) pam_atd $(IROOT)$(etcdir)/pam.d/atd
++	$(INSTALL) -m 4755 at $(IROOT)$(bindir)
+ 	$(LN_S) -f at $(IROOT)$(bindir)/atq
+ 	$(LN_S) -f at $(IROOT)$(bindir)/atrm
+-	$(INSTALL) -g root -o root -m 755 batch $(IROOT)$(bindir)
+-	$(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man1dir)
+-	$(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man5dir)
+-	$(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man8dir)
+-	$(INSTALL) -g root -o root -m 755 -s atd $(IROOT)$(sbindir)
+-	$(INSTALL) -g root -o root -m 755 atrun $(IROOT)$(sbindir)
+-	$(INSTALL) -g root -o root -m 644 at.1 $(IROOT)$(man1dir)/
++	$(INSTALL) -m 755 batch $(IROOT)$(bindir)
++	$(INSTALL) -d -m 755 $(IROOT)$(man1dir)
++	$(INSTALL) -d -m 755 $(IROOT)$(man5dir)
++	$(INSTALL) -d -m 755 $(IROOT)$(man8dir)
++	$(INSTALL) -m 755 atd $(IROOT)$(sbindir)
++	$(INSTALL) -m 755 atrun $(IROOT)$(sbindir)
++	$(INSTALL) -m 644 at.1 $(IROOT)$(man1dir)/
+ 	cd $(IROOT)$(man1dir) && $(LN_S) -f at.1 atq.1 && $(LN_S) -f at.1 batch.1 && $(LN_S) -f at.1 atrm.1
+-	$(INSTALL) -g root -o root -m 644 atd.8 $(IROOT)$(man8dir)/
++	$(INSTALL) -m 644 atd.8 $(IROOT)$(man8dir)/
+ 	sed "s,\$${exec_prefix},$(exec_prefix),g" <atrun.8>tmpman
+-	$(INSTALL) -g root -o root -m 644 tmpman $(IROOT)$(man8dir)/atrun.8
++	$(INSTALL) -m 644 tmpman $(IROOT)$(man8dir)/atrun.8
+ 	rm -f tmpman
+-	$(INSTALL) -g root -o root -m 644 at_allow.5 $(IROOT)$(man5dir)/
++	$(INSTALL) -m 644 at_allow.5 $(IROOT)$(man5dir)/
+ 	cd $(IROOT)$(man5dir) && $(LN_S) -f at_allow.5 at_deny.5 
+-	$(INSTALL) -g root -o root -m 644 $(DOCS) $(IROOT)$(atdocdir)
++	$(INSTALL) -m 644 $(DOCS) $(IROOT)$(atdocdir)
+ 	rm -f $(IROOT)$(mandir)/cat1/at.1* $(IROOT)$(mandir)/cat1/batch.1* \
+ 		$(IROOT)$(mandir)/cat1/atq.1*
+ 	rm -f $(IROOT)$(mandir)/cat1/atd.8*
+@@ -148,6 +155,9 @@ Filelist.asc: Filelist
+ parsetest: lex.yy.c y.tab.c
+ 	$(CC) -o parsetest $(CFLAGS) $(DEFS) -DTEST_PARSER -DNEED_YYWRAP lex.yy.c y.tab.c
+ 
++test: parsetest
++	PERL_DL_NONLAZY=1 perl -e 'use Test::Harness qw(&runtests $$verbose); $$verbose=$(TEST_VERBOSE); runtests @ARGV;' test.pl
++
+ .depend: $(CSRCS)
+ 	gcc $(CFLAGS) $(DEFS) -MM $(CSRCS) > .depend
+ 

at-3.1.11-nitpicks.patch

@@ -0,0 +1,86 @@
+diff -up at-3.1.11/at.1.in.typo at-3.1.11/at.1.in
+--- at-3.1.11/at.1.in.typo	2009-08-14 12:49:05.000000000 -0400
++++ at-3.1.11/at.1.in	2009-09-29 13:11:37.869869479 -0400
+@@ -89,7 +89,9 @@ or giving a date of the form
+ or
+ .B MM/DD/YY
+ or
+-.B DD.MM.YY.
++.B DD.MM.YY
++or
++.B YYYY-MM-DD.
+ The specification of a date
+ .I must
+ follow the specification of the time of day.
+@@ -119,7 +121,7 @@ and to run a job at 1am tomorrow, you wo
+ .B at 1am tomorrow.
+ .PP
+ The exact definition of the time specification can be found in
+-.IR @prefix@/share/doc/at/timespec .
++.IR @prefix@/share/doc/at-@VERSION@/timespec .
+ .PP
+ For both
+ .BR at " and " batch ,
+diff -up at-3.1.11/atd.c.typo at-3.1.11/atd.c
+--- at-3.1.11/atd.c.typo	2009-09-29 13:02:17.068860987 -0400
++++ at-3.1.11/atd.c	2009-09-29 13:02:17.099881137 -0400
+@@ -276,6 +276,8 @@ run_file(const char *filename, uid_t uid
+ 	free(newname);
+ 	return;
+     }
++    (void) setsid(); //own session for process
++
+     /* Let's see who we mail to.  Hopefully, we can read it from
+      * the command file; if not, send it to the owner, or, failing that,
+      * to root.
+@@ -497,7 +499,7 @@ run_file(const char *filename, uid_t uid
+ #if defined(SENDMAIL)
+ 	    execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
+ #else
+-#error      "No mail command specified."
++	    perr("No mail command specified.");
+ #endif
+ 	    perr("Exec failed for mail command");
+ 
+@@ -606,6 +608,7 @@ run_loop()
+ 		 * Let's remove the lockfile and reschedule.
+ 		 */
+ 		strncpy(lock_name, dirent->d_name, sizeof(lock_name));
++		lock_name[sizeof(lock_name)-1] = '\0';
+ 		lock_name[0] = '=';
+ 		unlink(lock_name);
+ 		next_job = now;
+@@ -640,6 +643,7 @@ run_loop()
+ 	    run_batch++;
+ 	    if (strcmp(batch_name, dirent->d_name) > 0) {
+ 		strncpy(batch_name, dirent->d_name, sizeof(batch_name));
++		batch_name[sizeof(batch_name)-1] = '\0';
+ 		batch_uid = buf.st_uid;
+ 		batch_gid = buf.st_gid;
+ 		batch_queue = queue;
+
+diff -up at-3.1.11/configure.ac.aaa at-3.1.11/configure.ac
+--- at-3.1.11/configure.ac.aaa	2009-08-14 12:49:05.000000000 -0400
++++ at-3.1.11/configure.ac	2009-09-29 13:35:59.230866054 -0400
+@@ -5,7 +5,7 @@ AC_CONFIG_SRCDIR(at.c)
+ 
+ AC_PREFIX_DEFAULT(/usr)
+ AC_CONFIG_HEADER(config.h)
+-AC_PREREQ([2.64])
++AC_PREREQ([2.63])
+ 
+ VERSION=AC_PACKAGE_VERSION
+ if test "X$CFLAGS" = "X"; then
+diff -up at-3.1.11/atd.c.seg at-3.1.11/atd.c
+--- at-3.1.11/atd.c.seg	2009-08-14 12:49:05.000000000 -0400
++++ at-3.1.11/atd.c	2009-09-29 12:15:55.200864618 -0400
+@@ -435,6 +435,9 @@ run_file(const char *filename, uid_t uid
+ 	    if (setuid(uid) < 0)
+ 		perr("Cannot set user id");
+ 
++	    if (SIG_ERR == signal(SIGCHLD, SIG_DFL))
++		perr("Cannot reset signal handler to default");
++
+ 	    chdir("/");
+ 
+ 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)

at-3.1.11-opt_V.patch

@@ -0,0 +1,17 @@
+diff -up at-3.1.11/at.c.opt_V at-3.1.11/at.c
+--- at-3.1.11/at.c.opt_V	2009-09-29 12:42:16.000000000 -0400
++++ at-3.1.11/at.c	2009-09-29 12:46:43.998865749 -0400
+@@ -857,10 +857,9 @@ main(int argc, char **argv)
+      */
+ 
+     if (disp_version) {
+-	fprintf(stderr, "at version " VERSION "\n"
+-	   "Please report bugs to the Debian bug tracking system (http://bugs.debian.org/)\n"
+-	   "or contact the maintainers (at@packages.debian.org).\n");
+-	exit(EXIT_SUCCESS);
++        fprintf(stderr, "at version " VERSION "\n");
++        if (argc == 2)
++            exit(EXIT_SUCCESS);
+     }
+ 
+     /* select our program

at-3.1.11-pam.patch

@@ -0,0 +1,12 @@
+--- at-3.1.10/pam_atd.pam   2007-07-03 13:29:24.000000000 +0200
++++ at-3.1.10/pam_atd   2007-07-03 13:29:24.000000000 +0200
+@@ -0,0 +1,9 @@
++# The PAM configuration file for the at daemon
++#
++#
++auth       required    pam_env.so
++auth       include     password-auth
++account    required    pam_access.so
++account    include     password-auth
++session    required    pam_loginuid.so
++session    include     password-auth

at-3.1.11-pam2.patch

@@ -0,0 +1,427 @@
+diff -up at-3.1.11/at.c.pam2 at-3.1.11/at.c
+--- at-3.1.11/at.c.pam2	2009-10-13 16:47:23.277378517 +0200
++++ at-3.1.11/at.c	2009-10-13 16:47:23.321377936 +0200
+@@ -315,26 +315,19 @@ writefile(time_t runtimer, char queue)
+ 	 * bit.  Yes, this is a kluge.
+ 	 */
+ 	cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR);
+-        seteuid(real_uid);
++       if ((seteuid(effective_uid)) < 0)
++	    perr("Error in seteuid: %s", errno);
+ 	if ((fd = open(atfile, O_CREAT | O_EXCL | O_TRUNC | O_WRONLY, S_IRUSR)) == -1)
+ 	    perr("Cannot create atjob file %.500s", atfile);
+-        seteuid(effective_uid);
+ 
+ 	if ((fd2 = dup(fd)) < 0)
+ 	    perr("Error in dup() of job file");
+ 
+-        /*
+ 	if (fchown(fd2, real_uid, real_gid) != 0)
+-	    perr("Cannot give away file");
+-        */
++	    perr("Cannot give real_uid and real_gid the file");
+ 
+     PRIV_END
+ 
+-    /* We no longer need suid root; now we just need to be able to write
+-     * to the directory, if necessary.
+-     */
+-
+-    REDUCE_PRIV(daemon_uid, daemon_gid)
+     /* We've successfully created the file; let's set the flag so it 
+      * gets removed in case of an interrupt or error.
+      */
+@@ -493,7 +486,7 @@ writefile(time_t runtimer, char queue)
+      */
+ 
+     if (fchmod(fd2, S_IRUSR | S_IWUSR | S_IXUSR) < 0)
+-	perr("Cannot give away file");
++	perr("Cannot change the mode of the file");
+ 
+     close(fd2);
+ 
+@@ -658,7 +651,7 @@ process_jobs(int argc, char **argv, int 
+                     We need the unprivileged uid here since the file is owned by the real
+                     (not effective) uid.
+                     */
+-                    setregid(real_gid, effective_gid);
++		    PRIV_START
+ 
+ 		    if (queue == '=') {
+ 			fprintf(stderr, "Warning: deleting running job\n");
+@@ -667,8 +660,8 @@ process_jobs(int argc, char **argv, int 
+ 			perr("Cannot unlink %.500s", dirent->d_name);
+ 			rc = EXIT_FAILURE;
+ 		    }
++		    PRIV_END
+ 
+-                    setregid(effective_gid, real_gid);
+ 		    done = 1;
+ 
+ 		    break;
+@@ -678,7 +671,7 @@ process_jobs(int argc, char **argv, int 
+ 			FILE *fp;
+ 			int ch;
+ 
+-			setregid(real_gid, effective_gid);
++			PRIV_START
+ 			fp = fopen(dirent->d_name, "r");
+ 
+ 			if (fp) {
+@@ -691,7 +684,7 @@ process_jobs(int argc, char **argv, int 
+ 			    perr("Cannot open %.500s", dirent->d_name);
+ 			    rc = EXIT_FAILURE;
+ 			}
+-			setregid(effective_gid, real_gid);
++			PRIV_END
+ 		    }
+ 		    break;
+ 
+diff -up at-3.1.11/atd.c.pam2 at-3.1.11/atd.c
+--- at-3.1.11/atd.c.pam2	2009-10-13 16:47:23.297368464 +0200
++++ at-3.1.11/atd.c	2009-10-13 16:48:21.696629698 +0200
+@@ -112,7 +112,7 @@ static int run_as_daemon = 0;
+ 
+ static volatile sig_atomic_t term_signal = 0;
+ 
+-#ifdef HAVE_PAM
++#ifdef WITH_PAM
+ #include <security/pam_appl.h>
+ 
+ static pam_handle_t *pamh = NULL;
+@@ -121,15 +121,7 @@ static const struct pam_conv conv = {
+ 	NULL
+ };
+ 
+-#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+-	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+-	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+-	pam_end(pamh, retcode); exit(1); \
+-    }
+-#define PAM_END { retcode = pam_close_session(pamh,0); \
+-		pam_end(pamh,retcode); }
+-
+-#endif /* HAVE_PAM */
++#endif /* WITH_PAM */
+ 
+ /* Signal handlers */
+ RETSIGTYPE 
+@@ -236,7 +228,7 @@ run_file(const char *filename, uid_t uid
+     char queue;
+     char fmt[64];
+     unsigned long jobno;
+-#ifdef HAVE_PAM
++#ifdef WITH_PAM
+     int retcode;
+ #endif
+ 
+@@ -396,16 +388,11 @@ run_file(const char *filename, uid_t uid
+     fstat(fd_out, &buf);
+     size = buf.st_size;
+ 
+-#ifdef HAVE_PAM
++#ifdef WITH_PAM
+     PRIV_START
+-    retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+-    PAM_FAIL_CHECK;
+-    retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+-    PAM_FAIL_CHECK;
+-    retcode = pam_open_session(pamh, PAM_SILENT);
+-    PAM_FAIL_CHECK;
+-    retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+-    PAM_FAIL_CHECK;
++    PAM_HANDLING;
++    closelog(); 
++    openlog("atd", LOG_PID, LOG_ATD);
+     PRIV_END
+ #endif
+ 
+@@ -420,7 +407,15 @@ run_file(const char *filename, uid_t uid
+     else if (pid == 0) {
+ 	char *nul = NULL;
+ 	char **nenvp = &nul;
++	char **pam_envp=0L;
+ 
++	PRIV_START
++#ifdef WITH_PAM
++	pam_envp = pam_getenvlist(pamh);
++	if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) )
++		nenvp = pam_envp;
++#endif
++	PRIV_END
+ 	/* Set up things for the child; we want standard input from the
+ 	 * input file, and standard output and error sent to our output file.
+ 	 */
+@@ -461,7 +456,16 @@ run_file(const char *filename, uid_t uid
+ 
+ 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
+ 		perr("Exec failed for /bin/sh");
+-
++#ifdef  WITH_PAM
++	    if ( ( nenvp != &nul ) && (pam_envp != 0L)  && (*pam_envp != 0L))
++	    {
++		for( nenvp = pam_envp; *nenvp != 0L; nenvp++)
++			free(*nenvp);
++		free( pam_envp );
++		nenvp = &nul;
++		pam_envp=0L;
++	    }
++#endif
+ 	PRIV_END
+     }
+     /* We're the parent.  Let's wait.
+@@ -475,7 +479,7 @@ run_file(const char *filename, uid_t uid
+      */
+     waitpid(pid, (int *) NULL, 0);
+ 
+-#ifdef HAVE_PAM
++#ifdef WITH_PAM
+     PRIV_START
+ 	pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ 	retcode = pam_close_session(pamh, PAM_SILENT);
+@@ -490,6 +494,13 @@ run_file(const char *filename, uid_t uid
+     if (open(filename, O_RDONLY) != STDIN_FILENO)
+ 	perr("Open of jobfile failed");
+ 
++#ifdef  WITH_PAM
++    pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
++    pam_close_session(pamh, PAM_SILENT);
++    pam_end(pamh, PAM_ABORT);
++    closelog();
++    openlog("atd", LOG_PID, LOG_ATD);
++#endif
+     unlink(filename);
+ 
+     /* The job is now finished.  We can delete its input file.
+@@ -498,8 +509,19 @@ run_file(const char *filename, uid_t uid
+     unlink(newname);
+     free(newname);
+ 
++#ifdef ATD_MAIL_PROGRAM
+     if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
++       int mail_pid = -1;
++#ifdef WITH_PAM
++       PAM_HANDLING;
++       closelog();
++       openlog("atd", LOG_PID, LOG_ATD);
++#endif
+ 
++   mail_pid = fork();
++
++   if ( mail_pid == 0 )
++   {
+ 	PRIV_START
+ 
+ 	    if (initgroups(pentry->pw_name, pentry->pw_gid))
+@@ -513,15 +535,28 @@ run_file(const char *filename, uid_t uid
+ 
+ 	    chdir ("/");
+ 
+-#if defined(SENDMAIL)
+-	    execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
+-#else
+-	    perr("No mail command specified.");
+-#endif
++           execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
+ 	    perr("Exec failed for mail command");
++	    exit(-1);
+ 
+ 	PRIV_END
++   }
++   else if ( mail_pid == -1 ) {
++           perr("fork of mailer failed");
++   }
++   else {
++           /* Parent */
++           waitpid(mail_pid, (int *) NULL, 0);
++   }
++#ifdef WITH_PAM
++   pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
++   pam_close_session(pamh, PAM_SILENT);
++   pam_end(pamh, PAM_ABORT);
++   closelog();
++   openlog("atd", LOG_PID, LOG_ATD);
++#endif
+     }
++#endif
+     exit(EXIT_SUCCESS);
+ }
+ 
+diff -up at-3.1.11/config.h.in.pam2 at-3.1.11/config.h.in
+--- at-3.1.11/config.h.in.pam2	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/config.h.in	2009-10-13 16:47:23.323393602 +0200
+@@ -74,8 +74,8 @@
+ /* Define to 1 if you have the <nlist.h> header file. */
+ #undef HAVE_NLIST_H
+ 
+-/* Define to 1 for PAM support */
+-#undef HAVE_PAM
++/* Define if you are building with_pam */
++#undef WITH_PAM
+ 
+ /* Define to 1 if you have the `pstat_getdynamic' function. */
+ #undef HAVE_PSTAT_GETDYNAMIC
+diff -up at-3.1.11/configure.ac.pam2 at-3.1.11/configure.ac
+--- at-3.1.11/configure.ac.pam2	2009-10-13 16:47:23.266377946 +0200
++++ at-3.1.11/configure.ac	2009-10-13 16:47:23.324393260 +0200
+@@ -84,7 +84,7 @@ AC_FUNC_GETLOADAVG
+ AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid)
+ AC_CHECK_HEADERS(security/pam_appl.h, [
+   PAMLIB="-lpam"
+-  AC_DEFINE(HAVE_PAM, 1, [Define to 1 for PAM support])
++  AC_DEFINE(WITH_PAM, 1, [Define to 1 for PAM support])
+ ])
+ 
+ dnl Checking for programs
+@@ -301,5 +301,12 @@ AC_ARG_WITH(daemon_groupname,
+ )
+ AC_SUBST(DAEMON_GROUPNAME)
+ 
++AC_ARG_WITH(pam,
++[ --with-pam            Define to enable pam support ],
++AC_DEFINE(WITH_PAM),
++)
++AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
++AC_SUBST(PAMLIB)
++
+ AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 batch)
+ AC_OUTPUT
+diff -up at-3.1.11/perm.c.pam2 at-3.1.11/perm.c
+--- at-3.1.11/perm.c.pam2	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/perm.c	2009-10-13 16:47:23.325392918 +0200
+@@ -51,6 +51,14 @@
+ #define PRIV_END while(0)
+ #endif
+ 
++#ifdef WITH_PAM
++#include <security/pam_appl.h>
++static pam_handle_t *pamh = NULL;
++static const struct pam_conv conv = {
++       NULL
++};
++#endif
++
+ /* Structures and unions */
+ 
+ 
+@@ -108,18 +116,53 @@ user_in_file(const char *path, const cha
+ int
+ check_permission()
+ {
+-  uid_t uid = geteuid();
++  uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid();
+   struct passwd *pentry;
+   int    allow = 0, deny = 1;
+ 
+-  if (uid == 0)
++  int    retcode = 0;
++  if (euid == 0)
+     return 1;
+ 
+-  if ((pentry = getpwuid(uid)) == NULL) {
++  if ((pentry = getpwuid(euid)) == NULL) {
+     perror("Cannot access user database");
+     exit(EXIT_FAILURE);
+   }
+ 
++#ifdef  WITH_PAM
++/*
++ *  We must check if the atd daemon userid will be allowed to gain the job owner user's
++ *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
++ */
++  if (setreuid(daemon_uid, daemon_uid) != 0) {
++      fprintf(stderr, "cannot set egid: %s", strerror(errno));
++      exit(1);
++  }
++  if (setregid(daemon_gid, daemon_gid) != 0) {
++      fprintf(stderr, "cannot set euid: %s", strerror(errno));
++      exit(1);
++  }
++
++    pam_close_session(pamh,PAM_SILENT);
++
++    PAM_HANDLING;
++
++    pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
++    pam_close_session(pamh,PAM_SILENT);
++    pam_end(pamh, PAM_ABORT);
++
++    if (setregid(gid,egid) != 0) {
++        fprintf(stderr, "cannot set egid: %s", strerror(errno));
++        exit(1);
++    }
++    if (setreuid(uid,euid) != 0) {
++        fprintf(stderr, "cannot set euid: %s", strerror(errno));
++        exit(1);
++    }
++
++
++#endif
++
+   allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name);
+   if (allow==0 || allow==1)
+     return allow;
+diff -up at-3.1.11/privs.h.pam2 at-3.1.11/privs.h
+--- at-3.1.11/privs.h.pam2	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/privs.h	2009-10-13 16:47:23.326393135 +0200
+@@ -144,3 +144,60 @@ extern gid_t real_gid, effective_gid, da
+ #error "Cannot implement user ID swapping without setreuid or setresuid"
+ #endif
+ #endif
++
++#ifdef WITH_PAM
++/* PAM failed after session was open.  */
++#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
++	pam_close_session(pamh,PAM_SILENT);
++
++/* syslog will be logging error messages */
++#ifdef HAVE_UNISTD_H
++#include <syslog.h>
++#endif
++
++/* PAM fail even before opening the session */
++#define PAM_FAIL_CHECK \
++	do { if (retcode != PAM_SUCCESS) { \
++		fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
++		syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
++		if (pamh) \
++		    pam_end(pamh, retcode); \
++		if (setregid(getgid(),getegid()) != 0) { \
++		    fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
++		    exit(1); \
++		} \
++		if (setreuid(getuid(),geteuid()) != 0) { \
++		    fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
++		    exit(1); \
++		} \
++		exit(1); \
++	    } \
++	} while (0) \
++
++/* PAM - check after every operation whether they passed */
++#define PAM_HANDLING \
++	do { pamh = NULL; \
++	retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); \
++	PAM_FAIL_CHECK; \
++	retcode = pam_set_item(pamh, PAM_TTY, "atd"); \
++	PAM_FAIL_CHECK; \
++	retcode = pam_acct_mgmt(pamh, PAM_SILENT); \
++	PAM_FAIL_CHECK; \
++	retcode = pam_open_session(pamh, PAM_SILENT); \
++	PAM_FAIL_CHECK; \
++	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); \
++	PAM_SESSION_FAIL; \
++	PAM_FAIL_CHECK; \
++	} while (0)
++
++/* OLD FAIL_CHECK ONLY FOR perm.c
++ * define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
++ *         fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \
++ *         syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
++ *         if (pamh) \
++ *               pam_end(pamh, retcode); \
++ *         exit(1); \
++ * }
++ */
++
++#endif

at-3.1.11-selinux.patch

@@ -0,0 +1,178 @@
+diff -up at-3.1.11/atd.c.selinux at-3.1.11/atd.c
+--- at-3.1.11/atd.c.selinux	2009-10-05 12:56:24.573344967 +0200
++++ at-3.1.11/atd.c	2009-10-05 13:01:55.991338568 +0200
+@@ -74,6 +74,14 @@
+ #include <syslog.h>
+ #endif
+ 
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/get_context_list.h>
++int selinux_enabled=0;
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
++#endif
++
+ /* Local headers */
+ 
+ #include "privs.h"
+@@ -204,6 +212,68 @@ myfork()
+ #define ATD_MAIL_NAME    "mailx"
+ #endif
+ 
++#ifdef WITH_SELINUX
++static int set_selinux_context(const char *name, const char *filename) {
++	security_context_t user_context=NULL;
++	security_context_t  file_context=NULL;
++	struct av_decision avd;
++	int retval=-1;
++	char *seuser=NULL;
++	char *level=NULL;
++
++	if (getseuserbyname(name, &seuser, &level) == 0) {
++		retval=get_default_context_with_level(seuser, level, NULL, &user_context);
++		free(seuser);
++		free(level);
++		if (retval) {
++			if (security_getenforce()==1) {
++				perr("execle: couldn't get security context for user %s\n", name);
++			} else {
++				syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
++				return -1;
++			}
++		}
++	}
++
++	/*
++	* Since crontab files are not directly executed,
++	* crond must ensure that the crontab file has
++	* a context that is appropriate for the context of
++	* the user cron job.  It performs an entrypoint
++	* permission check for this purpose.
++	*/
++	if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
++		perr("fgetfilecon FAILED %s", filename);
++
++	retval = security_compute_av(user_context,
++                                    file_context,
++                                    SECCLASS_FILE,
++                                    FILE__ENTRYPOINT,
++                                    &avd);
++	freecon(file_context);
++	if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
++		if (security_getenforce()==1) {
++			perr("Not allowed to set exec context to %s for user  %s\n", user_context,name);
++		} else {
++			syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,name);
++			retval = -1;
++			goto err;
++		}
++	}
++	if (setexeccon(user_context) < 0) {
++		if (security_getenforce()==1) {
++			perr("Could not set exec context to %s for user  %s\n", user_context,name);
++			retval = -1;
++		} else {
++			syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,name);
++		}
++	}
++  err:
++	freecon(user_context);
++	return 0;
++}
++#endif
++
+ static void
+ run_file(const char *filename, uid_t uid, gid_t gid)
+ {
+@@ -454,6 +524,13 @@ run_file(const char *filename, uid_t uid
+ 
+ 	    chdir("/");
+ 
++#ifdef WITH_SELINUX
++           if (selinux_enabled > 0) {
++               if (set_selinux_context(pentry->pw_name, filename) < 0)
++                       perr("SELinux Failed to set context\n");
++           }
++#endif
++
+ 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
+ 		perr("Exec failed for /bin/sh");
+ #ifdef  WITH_PAM
+@@ -535,10 +612,24 @@ run_file(const char *filename, uid_t uid
+ 
+ 	    chdir ("/");
+ 
++#ifdef WITH_SELINUX
++           if (selinux_enabled>0) {
++               if (set_selinux_context(pentry->pw_name, filename) < 0)
++                   perr("SELinux Failed to set context\n");
++           }
++#endif
++
+            execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
+ 	    perr("Exec failed for mail command");
+ 	    exit(-1);
+ 
++#ifdef WITH_SELINUX
++           if (selinux_enabled>0)
++               if (setexeccon(NULL) < 0)
++                   if (security_getenforce()==1)
++                       perr("Could not reset exec context for user %s\n", pentry->pw_name);
++#endif
++
+ 	PRIV_END
+    }
+    else if ( mail_pid == -1 ) {
+@@ -754,6 +845,10 @@ main(int argc, char *argv[])
+     struct passwd *pwe;
+     struct group *ge;
+ 
++#ifdef WITH_SELINUX
++    selinux_enabled=is_selinux_enabled();
++#endif
++
+ /* We don't need root privileges all the time; running under uid and gid
+  * daemon is fine.
+  */
+diff -up at-3.1.11/config.h.in.selinux at-3.1.11/config.h.in
+--- at-3.1.11/config.h.in.selinux	2009-10-05 12:56:24.573344967 +0200
++++ at-3.1.11/config.h.in	2009-10-05 12:56:24.590350404 +0200
+@@ -77,6 +77,9 @@
+ /* Define if you are building with_pam */
+ #undef WITH_PAM
+ 
++/* Define if you are building with_selinux  */
++#undef WITH_SELINUX
++
+ /* Define to 1 if you have the `pstat_getdynamic' function. */
+ #undef HAVE_PSTAT_GETDYNAMIC
+ 
+diff -up at-3.1.11/configure.ac.selinux at-3.1.11/configure.ac
+--- at-3.1.11/configure.ac.selinux	2009-10-05 12:56:24.574344835 +0200
++++ at-3.1.11/configure.ac	2009-10-05 12:56:24.591350062 +0200
+@@ -308,5 +308,13 @@ AC_DEFINE(WITH_PAM),
+ AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
+ AC_SUBST(PAMLIB)
+ 
++AC_ARG_WITH(selinux,
++[ --with-selinux       Define to run with selinux],
++AC_DEFINE(WITH_SELINUX),
++)
++AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
++AC_SUBST(SELINUXLIB)
++AC_SUBST(WITH_SELINUX)
++
+ AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 batch)
+ AC_OUTPUT
+diff -up at-3.1.11/Makefile.in.selinux at-3.1.11/Makefile.in
+--- at-3.1.11/Makefile.in.selinux	2009-10-05 12:56:24.509607000 +0200
++++ at-3.1.11/Makefile.in	2009-10-05 12:56:24.592345179 +0200
+@@ -39,6 +39,7 @@ LIBS		= @LIBS@
+ LIBOBJS		= @LIBOBJS@
+ INSTALL		= @INSTALL@
+ PAMLIB          = @PAMLIB@
++SELINUXLIB	= @SELINUXLIB@
+ 
+ CLONES		= atq atrm 
+ ATOBJECTS	= at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o

at-3.1.11-shell.patch

@@ -0,0 +1,55 @@
+diff -up at-3.1.11/at.c.shell at-3.1.11/at.c
+--- at-3.1.11/at.c.shell	2009-08-14 18:49:05.000000000 +0200
++++ at-3.1.11/at.c	2009-09-29 15:50:34.786919463 +0200
+@@ -62,11 +62,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
+-#ifdef TM_IN_SYS_TIME
+ #include <sys/time.h>
+-#else
+ #include <time.h>
+-#endif
+ 
+ #ifdef HAVE_UNISTD_H
+ #include <unistd.h>
+@@ -241,6 +238,12 @@ writefile(time_t runtimer, char queue)
+     int kill_errno;
+     int rc;
+     int mailsize = 128;
++    struct timeval tv;
++    struct timezone tz;
++    long int i;
++
++    gettimeofday(&tv, &tz);
++    srandom(getpid()+tv.tv_usec);
+ 
+ /* Install the signal handler for SIGINT; terminate after removing the
+  * spool file if necessary
+@@ -458,6 +461,9 @@ writefile(time_t runtimer, char queue)
+     fprintf(fp, " || {\n\t echo 'Execution directory "
+ 	    "inaccessible' >&2\n\t exit 1\n}\n");
+ 
++    i = random();
++    fprintf(fp, "${SHELL:-/bin/sh} << marcinDELIMITER%08lx\n", i);
++
+     istty = isatty(fileno(stdin));
+     if (istty) {
+ 	fprintf(stderr, "at> ");
+@@ -474,6 +480,7 @@ writefile(time_t runtimer, char queue)
+ 	fprintf(stderr, "<EOT>\n");
+     }
+     fprintf(fp, "\n");
++    fprintf(fp, "marcinDELIMITER%08lx\n", i);
+     if (ferror(fp))
+ 	panic("Output error");
+ 
+@@ -924,7 +931,7 @@ main(int argc, char **argv)
+ 	   It also alows a warning diagnostic to be printed.  Because of the
+ 	   possible variance, we always output the diagnostic. */
+ 
+-	fprintf(stderr, "warning: commands will be executed using /bin/sh\n");
++	//fprintf(stderr, "warning: commands will be executed using /bin/sh\n");
+ 
+ 	writefile(timer, queue);
+ 	break;

at.spec

@@ -1,42 +1,30 @@
-%define major_ver 3.1.10
+%define major_ver 3.1.11
 
 %if %{?WITH_PAM:0}%{!?WITH_PAM:1}
 %define WITH_PAM 1
 %endif
 Summary: Job spooling tools
 Name: at
-Version: 3.1.10
-Release: 38%{?dist}
+Version: %{major_ver}
+Release: 1%{dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://ftp.debian.org/debian/pool/main/a/at
-Source: http://ftp.debian.org/debian/pool/main/a/at/at_%{major_ver}.tar.gz
+Source: http://ftp.debian.org/debian/pool/main/a/at/at_%{major_ver}.orig.tar.gz
 Source1: test.pl
 Source2: atd.init
 Source3: atd.sysconf
 Source4: 56atd
-Patch0: at-3.1.7-lockfile.patch
-Patch1: at-3.1.10-makefile.patch
-Patch2: at-3.1.10-man-timespec-path.patch
-Patch3: at-3.1.7-sigchld.patch
-Patch4: at-3.1.10-typo.patch
-Patch5: at-3.1.8-perr.patch
-Patch6: at-3.1.10-shell.patch
-Patch7: at-3.1.8-t_option.patch
-Patch8: at-3.1.10-pam.patch
-Patch9: at-3.1.10-dont_fork.patch
-Patch10: at-3.1.10-perm.patch
-Patch11: at-3.1.10-opt_V.patch
-Patch12: at-3.1.10-session.patch
-Patch13: at-3.1.10-havepam.patch
-# included in another pam patch
-#Patch14: at-3.1.10-pam_keyring.patch
-Patch15: at-3.1.10-PIE.patch
-Patch16: at-3.1.10-pamfix.patch
-Patch17: at-3.1.10-nonposix.patch
-Patch18: at-3.1.10-selinux_mail.patch
-Patch19: at-3.1.10-man_hyphen.patch
-Patch20: at-3.1.10-different_shell.patch
+
+Patch1: at-3.1.11-makefile.patch
+Patch2: at-3.1.11-nitpicks.patch
+Patch3: at-3.1.11-shell.patch
+Patch4: at-3.1.11-opt_V.patch
+Patch5: at-3.1.11-dont_fork.patch
+Patch6: at-3.1.11-log.patch
+Patch7: at-3.1.11-pam.patch
+Patch8: at-3.1.11-pam2.patch
+Patch9: at-3.1.11-selinux.patch
 
 BuildRequires: fileutils chkconfig /etc/init.d
 BuildRequires: flex bison autoconf
@@ -54,48 +42,31 @@ Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 At and batch read commands from standard input or from a specified
 file. At allows you to specify that a command will be run at a
 particular time. Batch will execute commands when the system load
-levels drop to a particular level. Both commands use /bin/sh.
+levels drop to a particular level. Both commands use user's shell.
 
 You should install the at package if you need a utility for
 time-oriented job control. Note: If it is a recurring job that will
 need to be repeated at the same time every day/week, etc. you should
 use crontab instead.
 
-#%{?_without_check: %define _without_check 1}
-#%{!?_without_check: %define _without_check 1}
-#%{!?_without_check: %define _without_check 0}
-# FIX THIS!
-
 %prep
 %setup -q
 
 cp %{SOURCE1} .
-%patch0 -p1 -b .lockfile
 %patch1 -p1 -b .make
-%patch2 -p1 -b .paths
-%patch3 -p1 -b .sigchld
-%patch4 -p1 -b .typo
-%patch5 -p1 -b .perr
-%patch6 -p1 -b .shell
-%patch7 -p1 -b .t_option
-%patch8 -p1 -b .pam
-%patch9 -p1 -b .dont_fork
-%patch10 -p1 -b .perm
-%patch11 -p1 -b .opt_V
-%patch12 -p1 -b .session
-%patch13 -p1 -b .havepam
-##%patch14 -p1 -b .pamkeyring
-%patch15 -p1 -b .PIE
-%patch16 -p1 -b .pamfix
-%patch17 -p1 -b .nonposix
-%patch18 -p1 -b .mailselinux
-%patch19 -p1 -b .hyphen
-%patch20 -p1 -b .fix
+%patch2 -p1 -b .typo
+%patch3 -p1 -b .shell
+%patch4 -p1 -b .opt_V
+%patch5 -p1 -b .dont_fork
+%patch6 -p1 -b .log
+%patch7 -p1 -b .pam
+%patch8 -p1 -b .pam2
+%patch9 -p1 -b .selinux
 
 %build
-# patch10 touches configure.in
+# patch9 touches configure.in
 autoconf
-# for patch11
+# uselles files
 rm -f lex.yy.* y.tab.*
 %configure --with-atspool=%{_localstatedir}/spool/at/spool \
 	--with-jobdir=%{_localstatedir}/spool/at \
@@ -179,25 +150,27 @@ fi
 %files
 %defattr(-,root,root,-)
 %doc docs/*
-%config(noreplace) %{_sysconfdir}/at.deny
+%config(noreplace)		%{_sysconfdir}/at.deny
+%config(noreplace)		%{_sysconfdir}/sysconfig/atd
 %attr(0755,root,root)		%{_sysconfdir}/rc.d/init.d/atd
-%attr(0644,root,root)		%{_sysconfdir}/sysconfig/atd
 %attr(0700,daemon,daemon)	%dir %{_localstatedir}/spool/at
 %attr(0600,daemon,daemon)	%verify(not md5 size mtime) %ghost %{_localstatedir}/spool/at/.SEQ
 %attr(0700,daemon,daemon)	%dir %{_localstatedir}/spool/at/spool
-%attr(0640,root,daemon)	%config(noreplace) /etc/pam.d/atd
+%attr(0640,root,daemon)		%config(noreplace) /etc/pam.d/atd
 %{_sbindir}/atrun
-%attr(0755,root,root)	%{_sbindir}/atd
+%attr(0755,root,root)		%{_sbindir}/atd
 %{_mandir}/man*/*
 %{_bindir}/batch
 %{_bindir}/atrm
 %{_bindir}/atq
-%attr(4755,root,root)	%{_bindir}/at
-%attr(0755,root,root)	%{_libdir}/pm-utils/sleep.d/56atd
+%attr(4755,root,root)		%{_bindir}/at
+%attr(0755,root,root)		%{_libdir}/pm-utils/sleep.d/56atd
 
 %changelog
-* Tue Sep 29 2009 Tomas Mraz <tmraz@redhat.com> 3.1.10-38
-- authentication PAM modules have to be configured for pam_setcred()
+* Tue Oct 13 2009 Marcela Mašláňová <mmaslano@redhat.com> - 3.1.11-1
+- 528582 add noreplace option into files section
+- rewrite pam2 patch - check return value, use "better" macro, etc.
+- new version of at
 
 * Wed Sep 16 2009 Tomas Mraz <tmraz@redhat.com> 3.1.10-37
 - improve the PAM configuration, use password-auth common stack

sources

@@ -3,3 +3,4 @@
 b117781fd68e393443b2a8e478c7c22f  atd.init
 ac1471fe22f63f666dc7d31173f47ea0  atd.sysconf
 67aece5997fbe1f93072e0afd69e5280  test.pl
+d5832d9b770f41db78020b92f80966d3  at_3.1.11.orig.tar.gz