at/at-3.1.10-pamfix.patch

diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c
--- at-3.1.10/atd.c.pamfix	2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/atd.c	2008-01-09 14:56:57.000000000 +0100
@@ -131,15 +131,17 @@ static const struct pam_conv conv = {
 };
 
 #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
-	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+	fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \
 	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
-	pam_close_session(pamh, PAM_SILENT); \
-	pam_end(pamh, retcode); exit(1); \
+    if (pamh) \
+        pam_end(pamh, retcode); \
+    exit(1); \
     }
-#define PAM_END { retcode = pam_close_session(pamh,0); \
-		pam_end(pamh,retcode); }
 
-#endif /* WITH_PAM */
+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+    pam_close_session(pamh, PAM_SILENT);
+
+#endif /* end WITH_PAM */
 
 /* Signal handlers */
 RETSIGTYPE 
@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid
 
 //add for fedora, removed HAVE_PAM
 #ifdef  WITH_PAM
+    pamh = NULL;
     retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
     PAM_FAIL_CHECK;
     retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid
     retcode = pam_acct_mgmt(pamh, PAM_SILENT);
     PAM_FAIL_CHECK;
     retcode = pam_open_session(pamh, PAM_SILENT);
+    PAM_SESSION_FAIL;
     PAM_FAIL_CHECK;
     retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+    PAM_SESSION_FAIL;
     PAM_FAIL_CHECK;
     closelog();
     openlog("atd", LOG_PID, LOG_ATD);
@@ -610,6 +615,7 @@ run_file(const char *filename, uid_t uid
 	int mail_pid = -1;
 //add for fedora
 #ifdef  WITH_PAM
+       pamh = NULL;
        retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
        PAM_FAIL_CHECK;
        retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -617,8 +623,10 @@ run_file(const char *filename, uid_t uid
        retcode = pam_acct_mgmt(pamh, PAM_SILENT);
        PAM_FAIL_CHECK;
        retcode = pam_open_session(pamh, PAM_SILENT);
+       PAM_SESSION_FAIL;
        PAM_FAIL_CHECK;
        retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+       PAM_SESSION_FAIL;
        PAM_FAIL_CHECK;
         /* PAM has now re-opened our log to auth.info ! */
        closelog();
diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c
--- at-3.1.10/perm.c.pamfix	2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/perm.c	2008-01-09 15:58:54.000000000 +0100
@@ -134,17 +134,34 @@ check_permission()
  *  We must check if the atd daemon userid will be allowed to gain the job owner user's
  *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
  */
-  setreuid(daemon_uid, daemon_uid);
-  setregid(daemon_gid, daemon_gid);
+  if (setreuid(daemon_uid, daemon_uid) != 0) {
+      fprintf(stderr, "cannot set egid: %s", strerror(errno));
+      exit(1);
+  }
+  if (setregid(daemon_gid, daemon_gid) != 0) {
+      fprintf(stderr, "cannot set euid: %s", strerror(errno));
+      exit(1);
+  }
 
 # define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
-                              fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
-			      pam_close_session(pamh,PAM_SILENT); \
-                              pam_end(pamh, retcode); \
-                               setregid(gid,egid); \
-                               setreuid(uid,euid); \
-                               return(0); \
-                           }
+     fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
+     if (pamh) \
+         pam_end(pamh, retcode); \
+     if (setregid(gid,egid) != 0) { \
+         fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     if (setreuid(uid,euid) != 0) { \
+         fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     return(0); \
+     }
+
+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+      pam_close_session(pamh,PAM_SILENT);
+
+  pamh = NULL;
   retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
   PAM_FAIL_CHECK;
   retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -152,16 +169,25 @@ check_permission()
   retcode = pam_acct_mgmt(pamh, PAM_SILENT);
   PAM_FAIL_CHECK;
   retcode = pam_open_session(pamh, PAM_SILENT);
+  PAM_SESSION_FAIL;
   PAM_FAIL_CHECK;
   retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+  PAM_SESSION_FAIL;
   PAM_FAIL_CHECK;
 
   pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
   pam_close_session(pamh,PAM_SILENT);
   pam_end(pamh, PAM_ABORT);
 
-  setregid(gid,egid);
-  setreuid(uid,euid);
+  if (setregid(gid,egid) != 0) {
+     fprintf(stderr, "cannot set egid: %s", strerror(errno));
+     exit(1);
+  }
+  if (setreuid(uid,euid) != 0) {
+     fprintf(stderr, "cannot set euid: %s", strerror(errno));
+     exit(1);
+  }
+
 
 #endif