[at/f19] 989201 PAM issue prevents atd sending mail.

Marcela Mašláňová mmaslano at fedoraproject.org
Wed Dec 4 10:57:40 UTC 2013


commit 2f054d4660a136fcf5e6f70a56ed553128400634
Author: Marcela Mašláňová <mmaslano at redhat.com>
Date:   Wed Dec 4 11:56:53 2013 +0100

    989201 PAM issue prevents atd sending mail.

 at-3.1.13-pam.patch     |   79 +++++++++++++++++++---------------------------
 at-3.1.13-selinux.patch |   51 ++++++++++++------------------
 at.spec                 |    5 ++-
 3 files changed, 57 insertions(+), 78 deletions(-)
---
diff --git a/at-3.1.13-pam.patch b/at-3.1.13-pam.patch
index 0bb3116..052a723 100644
--- a/at-3.1.13-pam.patch
+++ b/at-3.1.13-pam.patch
@@ -1,6 +1,6 @@
 diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
---- at-3.1.13/at.c.pam	2012-04-19 16:50:57.491000001 +0200
-+++ at-3.1.13/at.c	2012-04-19 16:50:57.505000001 +0200
+--- at-3.1.13/at.c.pam	2013-12-03 16:42:16.582903011 +0100
++++ at-3.1.13/at.c	2013-12-03 16:42:16.585903079 +0100
 @@ -141,18 +141,13 @@ sigc(int signo)
  /* If the user presses ^C, remove the spool file and exit 
   */
@@ -90,8 +90,8 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c
  		    break;
  
 diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
---- at-3.1.13/atd.c.pam	2012-04-19 16:50:57.498000001 +0200
-+++ at-3.1.13/atd.c	2012-04-19 16:52:37.209000138 +0200
+--- at-3.1.13/atd.c.pam	2013-12-03 16:42:16.584903056 +0100
++++ at-3.1.13/atd.c	2013-12-03 16:53:42.835351089 +0100
 @@ -111,7 +111,7 @@ static int run_as_daemon = 0;
  
  static volatile sig_atomic_t term_signal = 0;
@@ -174,25 +174,20 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
  	    nice((tolower((int) queue) - 'a' + 1) * 2);
  
  	    if (initgroups(pentry->pw_name, pentry->pw_gid))
-@@ -458,7 +449,16 @@ run_file(const char *filename, uid_t uid
+@@ -456,9 +447,9 @@ run_file(const char *filename, uid_t uid
  
- 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
- 		perr("Exec failed for /bin/sh");
+ 	    chdir("/");
+ 
+-	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
+-		perr("Exec failed for /bin/sh");
 -
-+#ifdef  WITH_PAM
-+	    if ( ( nenvp != &nul ) && (pam_envp != 0L)  && (*pam_envp != 0L))
-+	    {
-+		for( nenvp = pam_envp; *nenvp != 0L; nenvp++)
-+			free(*nenvp);
-+		free( pam_envp );
-+		nenvp = &nul;
-+		pam_envp=0L;
-+	    }
-+#endif
++	    execle("/bin/sh", "sh", (char *) NULL, nenvp);
++	    perr("Exec failed for /bin/sh");
++            /* perr exits, the PRIV_END is just for nice form */
  	PRIV_END
      }
      /* We're the parent.  Let's wait.
-@@ -471,14 +471,6 @@ run_file(const char *filename, uid_t uid
+@@ -471,14 +462,6 @@ run_file(const char *filename, uid_t uid
       */
      waitpid(pid, (int *) NULL, 0);
  
@@ -207,52 +202,44 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c
      /* Send mail.  Unlink the output file after opening it, so it
       * doesn't hang around after the run.
       */
-@@ -509,8 +501,20 @@ run_file(const char *filename, uid_t uid
+@@ -509,8 +492,13 @@ run_file(const char *filename, uid_t uid
      unlink(newname);
      free(newname);
  
 +#ifdef ATD_MAIL_PROGRAM
      if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
 +       int mail_pid = -1;
-+#ifdef WITH_PAM
-+       AT_START_PAM;
-+       AT_OPEN_PAM_SESSION;
-+       closelog();
-+       openlog("atd", LOG_PID, LOG_ATD);
-+#endif
-+
-+   mail_pid = fork();
  
-+   if ( mail_pid == 0 )
-+   {
++     mail_pid = fork();
++
++     if ( mail_pid == 0 ) {
  	PRIV_START
  
  	    if (initgroups(pentry->pw_name, pentry->pw_gid))
-@@ -535,7 +539,21 @@ run_file(const char *filename, uid_t uid
+@@ -535,7 +523,20 @@ run_file(const char *filename, uid_t uid
  	    perr("Exec failed for mail command");
  
  	PRIV_END
-+   }
-+   else if ( mail_pid == -1 ) {
-+           perr("fork of mailer failed");
-+   }
-+   else {
-+           /* Parent */
-+           waitpid(mail_pid, (int *) NULL, 0);
-+   }
++     }
++     else if ( mail_pid == -1 ) {
++           syslog(LOG_ERR, "fork of mailer failed: %m");
++     }
++     /* Parent */
++     waitpid(mail_pid, (int *) NULL, 0);
+     }
++
 +#ifdef WITH_PAM
-+   AT_CLOSE_PAM;
-+   closelog();
-+   openlog("atd", LOG_PID, LOG_ATD);
++    AT_CLOSE_PAM;
++    closelog();
++    openlog("atd", LOG_PID, LOG_ATD);
 +#endif
-     }
 +#endif
      exit(EXIT_SUCCESS);
  }
  
 diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in
 --- at-3.1.13/config.h.in.pam	2011-06-25 14:43:14.000000000 +0200
-+++ at-3.1.13/config.h.in	2012-04-19 16:50:57.506000001 +0200
++++ at-3.1.13/config.h.in	2013-12-03 16:42:16.586903101 +0100
 @@ -68,8 +68,8 @@
  /* Define to 1 if you have the <nlist.h> header file. */
  #undef HAVE_NLIST_H
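Review bot: In the mailer block of run_file(), the new `waitpid(mail_pid, (int *) NULL, 0);` sits after the if/else chain, so it also runs when `fork()` failed and `mail_pid` is -1, which asks waitpid() to wait for any child rather than for the mailer. Moving the wait into a final `else { waitpid(mail_pid, (int *) NULL, 0); }` leaves the failure path with the syslog() call only, and declaring `pid_t mail_pid = -1;` instead of `int` matches what fork() returns. Separately, the `#ifdef WITH_PAM` block holding `AT_CLOSE_PAM` is now nested inside `#ifdef ATD_MAIL_PROGRAM`, so a build without a mail program would compile the close out. The matching session open is not visible in this hunk, so that needs checking against the rest of run_file(), whose body starts outside the hunk.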
@@ -266,7 +253,7 @@ diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in
  #undef HAVE_PSTAT_GETDYNAMIC
 diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac
 --- at-3.1.13/configure.ac.pam	2011-06-25 14:43:14.000000000 +0200
-+++ at-3.1.13/configure.ac	2012-04-19 16:50:57.506000001 +0200
++++ at-3.1.13/configure.ac	2013-12-03 16:42:16.586903101 +0100
 @@ -84,7 +84,7 @@ AC_FUNC_GETLOADAVG
  AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid)
  AC_CHECK_HEADERS(security/pam_appl.h, [
@@ -292,7 +279,7 @@ diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac
  [ --with-daemon_groupname=DAEMON_GROUPNAME	Groupname to run under (default daemon) ],
 diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c
 --- at-3.1.13/perm.c.pam	2011-06-25 14:43:14.000000000 +0200
-+++ at-3.1.13/perm.c	2012-04-19 16:53:09.192001742 +0200
++++ at-3.1.13/perm.c	2013-12-03 16:42:16.586903101 +0100
 @@ -51,6 +51,14 @@
  #define PRIV_END while(0)
  #endif
@@ -359,7 +346,7 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c
      return allow;
 diff -up at-3.1.13/privs.h.pam at-3.1.13/privs.h
 --- at-3.1.13/privs.h.pam	2011-06-25 14:43:14.000000000 +0200
-+++ at-3.1.13/privs.h	2012-04-19 16:53:46.296016675 +0200
++++ at-3.1.13/privs.h	2013-12-03 16:42:16.586903101 +0100
 @@ -144,3 +144,63 @@ extern gid_t real_gid, effective_gid, da
  #error "Cannot implement user ID swapping without setreuid or setresuid"
  #endif
diff --git a/at-3.1.13-selinux.patch b/at-3.1.13-selinux.patch
index 255fe2b..fc1b93c 100644
--- a/at-3.1.13-selinux.patch
+++ b/at-3.1.13-selinux.patch
@@ -1,6 +1,6 @@
 diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c
---- at-3.1.13/atd.c.selinux	2012-11-01 15:11:21.368772308 +0100
-+++ at-3.1.13/atd.c	2012-11-01 15:13:16.809162818 +0100
+--- at-3.1.13/atd.c.selinux	2013-12-03 17:37:14.492141743 +0100
++++ at-3.1.13/atd.c	2013-12-03 17:49:44.141017027 +0100
 @@ -83,6 +83,14 @@
  #include "getloadavg.h"
  #endif
@@ -85,32 +85,21 @@ diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c
  static void
  run_file(const char *filename, uid_t uid, gid_t gid)
  {
-@@ -446,9 +516,23 @@ run_file(const char *filename, uid_t uid
- 		perr("Cannot reset signal handler to default");
+@@ -433,6 +503,13 @@ run_file(const char *filename, uid_t uid
+ 
+ 	    nice((tolower((int) queue) - 'a' + 1) * 2);
  
- 	    chdir("/");
--
-+#ifdef WITH_SELINUX
-+            if (selinux_enabled > 0) {
-+                if (set_selinux_context(pentry->pw_name, filename) < 0)
-+                       perr("SELinux Failed to set context\n");
-+            }
-+#endif
- 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
- 		perr("Exec failed for /bin/sh");
-+//add for fedora
 +#ifdef WITH_SELINUX
-+               if (selinux_enabled>0)
-+                       if (setexeccon(NULL) < 0)
-+                               if (security_getenforce()==1)
-+                                       perr("Could not resset exec context for user %s\n", pentry->pw_name);
++	    if (selinux_enabled > 0) {
++	        if (set_selinux_context(pentry->pw_name, filename) < 0)
++	               perr("SELinux Failed to set context\n");
++	    }
 +#endif
-+//end
-+//add for fedora
- #ifdef  WITH_PAM
- 	    if ( ( nenvp != &nul ) && (pam_envp != 0L)  && (*pam_envp != 0L))
- 	    {
-@@ -751,6 +835,10 @@ main(int argc, char *argv[])
++
+ 	    if (initgroups(pentry->pw_name, pentry->pw_gid))
+ 		perr("Cannot initialize the supplementary group access list");
+ 
+@@ -734,6 +811,10 @@ main(int argc, char *argv[])
      struct passwd *pwe;
      struct group *ge;
  
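Review bot: The relocated `set_selinux_context()` call in run_file() has no comment saying why it now runs right after `nice()` and before `initgroups()` rather than immediately before `execle()`, although that ordering is what this hunk changes. A short comment such as `/* SELinux exec context is set here, before initgroups(), not right before execle() */`, extended by the author with the actual reason, would keep a later cleanup from moving it back; set_selinux_context() itself is not visible here, so the reason cannot be stated from this hunk. The message `"SELinux Failed to set context\n"` also ends in a newline that the neighbouring `perr("Cannot initialize the supplementary group access list")` does not have, which is worth dropping for consistent log lines. run_file()'s body continues outside the hunk on both sides.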
@@ -122,8 +111,8 @@ diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c
   * daemon is fine.
   */
 diff -up at-3.1.13/config.h.in.selinux at-3.1.13/config.h.in
---- at-3.1.13/config.h.in.selinux	2012-11-01 15:11:21.368772308 +0100
-+++ at-3.1.13/config.h.in	2012-11-01 15:11:21.371772392 +0100
+--- at-3.1.13/config.h.in.selinux	2013-12-03 17:37:14.492141743 +0100
++++ at-3.1.13/config.h.in	2013-12-03 17:37:14.494141788 +0100
 @@ -71,6 +71,9 @@
  /* Define if you are building with_pam */
  #undef WITH_PAM
@@ -135,8 +124,8 @@ diff -up at-3.1.13/config.h.in.selinux at-3.1.13/config.h.in
  #undef HAVE_PSTAT_GETDYNAMIC
  
 diff -up at-3.1.13/configure.ac.selinux at-3.1.13/configure.ac
---- at-3.1.13/configure.ac.selinux	2012-11-01 15:11:21.369772335 +0100
-+++ at-3.1.13/configure.ac	2012-11-01 15:11:21.372772420 +0100
+--- at-3.1.13/configure.ac.selinux	2013-12-03 17:37:14.492141743 +0100
++++ at-3.1.13/configure.ac	2013-12-03 17:37:14.494141788 +0100
 @@ -266,5 +266,13 @@ AC_ARG_WITH(daemon_groupname,
  )
  AC_SUBST(DAEMON_GROUPNAME)
@@ -152,8 +141,8 @@ diff -up at-3.1.13/configure.ac.selinux at-3.1.13/configure.ac
  AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch)
  AC_OUTPUT
 diff -up at-3.1.13/Makefile.in.selinux at-3.1.13/Makefile.in
---- at-3.1.13/Makefile.in.selinux	2012-11-01 15:11:21.361772115 +0100
-+++ at-3.1.13/Makefile.in	2012-11-01 15:11:21.372772420 +0100
+--- at-3.1.13/Makefile.in.selinux	2013-12-03 17:37:14.486141608 +0100
++++ at-3.1.13/Makefile.in	2013-12-03 17:37:14.494141788 +0100
 @@ -39,6 +39,8 @@ LIBS		= @LIBS@
  LIBOBJS		= @LIBOBJS@
  INSTALL		= @INSTALL@
diff --git a/at.spec b/at.spec
index e1a2a3a..68694ab 100644
--- a/at.spec
+++ b/at.spec
@@ -3,7 +3,7 @@
 Summary:	Job spooling tools
 Name:		at
 Version:	3.1.13
-Release:	12%{dist}
+Release:	13%{dist}
 # http://packages.debian.org/changelogs/pool/main/a/at/current/copyright
 # + install-sh is MIT license with changes under Public Domain
 License:	GPLv3+ and GPLv2+ and ISC and MIT and Public Domain
@@ -187,6 +187,9 @@ chown daemon:daemon %{_localstatedir}/spool/at/.SEQ
 %attr(0755,root,root)		%{_initrddir}/atd
 
 %changelog
+* Wed Dec  4 2013 Marcela Mašláňová <mmaslano at redhat.com> 3.1.13-13
+- 989201 PAM issue prevents atd sending mail
+
 * Mon Feb 11 2013 Peter Robinson <pbrobinson at fedoraproject.org> 3.1.13-12
 - Fix patch to fix FTBFS with gcc 4.8
 

