From bc3273cefd21970aaae9c57c341625a2aac0ca7e Mon Sep 17 00:00:00 2001
From: Marcela Mašláňová
Date: Oct 14 2009 12:21:18 +0000
Subject: Remove old patches.
---
diff --git a/at-3.1.10-PIE.patch b/at-3.1.10-PIE.patch
deleted file mode 100644
index 6a6615d..0000000
--- a/at-3.1.10-PIE.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff -up at-3.1.10/Makefile.in.PIE at-3.1.10/Makefile.in
---- at-3.1.10/Makefile.in.PIE 2008-01-08 09:53:24.000000000 +0100
-+++ at-3.1.10/Makefile.in 2008-01-08 09:53:53.000000000 +0100
-@@ -68,13 +68,13 @@ LIST = Filelist Filelist.asc
- all: at atd atrun
-
- at: $(ATOBJECTS)
-- $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
-+ $(CC) $(CFLAGS) -o at -PIE $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
- rm -f $(CLONES)
- $(LN_S) -f at atq
- $(LN_S) -f at atrm
-
- atd: $(RUNOBJECTS)
-- $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
-+ $(CC) $(CFLAGS) -o atd -PIE $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
-
- y.tab.c y.tab.h: parsetime.y
- $(YACC) -d parsetime.y
-@@ -86,7 +86,7 @@ atrun: atrun.in
- configure
-
- .c.o:
-- $(CC) -c $(CFLAGS) -fpie $(DEFS) $*.c
-+ $(CC) -c $(CFLAGS) -fPIE $(DEFS) $*.c
-
- install: all
- $(INSTALL) -m 755 -d $(IROOT)$(etcdir)
diff --git a/at-3.1.10-different_shell.patch b/at-3.1.10-different_shell.patch
deleted file mode 100644
index 00b9ceb..0000000
--- a/at-3.1.10-different_shell.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff -up at-3.1.10/at.c.fix at-3.1.10/at.c
---- at-3.1.10/at.c.fix 2009-03-18 10:49:06.000000000 +0100
-+++ at-3.1.10/at.c 2009-03-18 10:59:19.000000000 +0100
-@@ -61,12 +61,8 @@
- #include
- #include
- #include
--
--#ifdef TM_IN_SYS_TIME
--#include
--#else
- #include
--#endif
-+#include
-
- #ifdef HAVE_UNISTD_H
- #include
-@@ -244,6 +240,12 @@ writefile(time_t runtimer, char queue)
- int kill_errno;
- int rc;
- int mailsize = 128;
-+ struct timeval tv;
-+ struct timezone tz;
-+ long int i;
-+
-+ gettimeofday(&tv, &tz);
-+ srandom(getpid()+tv.tv_usec);
-
- /* Install the signal handler for SIGINT; terminate after removing the
- * spool file if necessary
-@@ -455,7 +457,8 @@ writefile(time_t runtimer, char queue)
- fprintf(fp, " || {\n\t echo 'Execution directory "
- "inaccessible' >&2\n\t exit 1\n}\n");
-
-- fprintf(fp, "${SHELL:-/bin/sh} << `(dd if=/dev/urandom count=200 bs=1 2>/dev/null|LC_ALL=C tr -d -c '[:alnum:]')`\n\n");
-+ i = random();
-+ fprintf(fp, "${SHELL:-/bin/sh} << marcinDELIMITER%08lx\n", i);
-
- istty = isatty(fileno(stdin));
- if (istty) {
-@@ -473,6 +476,7 @@ writefile(time_t runtimer, char queue)
- fprintf(stderr, "\n");
- }
- fprintf(fp, "\n");
-+ fprintf(fp, "marcinDELIMITER%08lx\n", i);
- if (ferror(fp))
- panic("Output error");
-
diff --git a/at-3.1.10-dont_fork.patch b/at-3.1.10-dont_fork.patch
deleted file mode 100644
index 4d56bf2..0000000
--- a/at-3.1.10-dont_fork.patch
+++ /dev/null
@@ -1,66 +0,0 @@
---- at-3.1.10/atd.8.in.fork 2005-08-29 10:08:51.000000000 +0200
-+++ at-3.1.10/atd.8.in 2007-07-03 14:04:05.000000000 +0200
-@@ -1,5 +1,5 @@
- .Id $Id$
--.TH ATD 8 "Mar 1997" local "Linux Programmer's Manual"
-+.TH ATD 3 "Jun 2007" at-3.1.10 "Linux Programmer's Manual"
- .SH NAME
- atd \- run jobs queued for later execution
- .SH SYNOPSIS
-@@ -10,6 +10,7 @@
- .IR batch_interval ]
- .RB [ -d ]
- .RB [ -s ]
-+.RB [ -n ]
- .SH DESCRIPTION
- .B atd
- runs jobs queued by
-@@ -46,6 +47,9 @@
- is installed as
- .B @prefix@/sbin/atrun
- for backward compatibility.
-+.TP 8
-+.B -n
-+Don't fork option.
- .SH WARNING
- .B atd
- won't work if its spool directory is mounted via NFS even if
---- at-3.1.10/daemon.h.fork 2005-08-05 05:16:01.000000000 +0200
-+++ at-3.1.10/daemon.h 2007-07-03 14:02:22.000000000 +0200
-@@ -14,3 +14,4 @@
- perr (const char *fmt, ...);
-
- extern int daemon_debug;
-+extern int daemon_nofork;
---- at-3.1.10/daemon.c.fork 2005-08-05 05:16:01.000000000 +0200
-+++ at-3.1.10/daemon.c 2007-07-03 14:01:51.000000000 +0200
-@@ -50,7 +50,8 @@
-
- static const char *svnid = "$Id$";
-
--int daemon_debug;
-+int daemon_debug = 0;
-+int daemon_nofork = 0;
-
- static int
- lock_fd(int fd)
-@@ -119,15 +120,18 @@
- (open("/dev/null", O_RDWR) != 2)) {
- perr("Error redirecting I/O");
- }
-+ }
-+ if (daemon_nofork) pid = getpid();
-+ else {
- pid = fork();
- if (pid == -1) {
- perr("Cannot fork");
- } else if (pid != 0) {
- exit(0);
- }
-+ (void) setsid();
- }
- old_umask = umask(S_IWGRP | S_IWOTH);
-- (void) setsid();
-
- PRIV_START
-
diff --git a/at-3.1.10-havepam.patch b/at-3.1.10-havepam.patch
deleted file mode 100644
index ae18a89..0000000
--- a/at-3.1.10-havepam.patch
+++ /dev/null
@@ -1,40 +0,0 @@
---- at-3.1.10/atd.c.havepam 2007-08-22 10:37:16.000000000 +0200
-+++ at-3.1.10/atd.c 2007-08-22 10:39:42.000000000 +0200
-@@ -121,7 +121,7 @@
-
- static volatile sig_atomic_t term_signal = 0;
-
--#ifdef HAVE_PAM
-+#ifdef WITH_PAM
- #include
-
- static pam_handle_t *pamh = NULL;
-@@ -139,7 +139,7 @@
- #define PAM_END { retcode = pam_close_session(pamh,0); \
- pam_end(pamh,retcode); }
-
--#endif /* HAVE_PAM */
-+#endif /* WITH_PAM */
-
- /* Signal handlers */
- RETSIGTYPE
-@@ -246,7 +246,7 @@
- char queue;
- char fmt[64];
- unsigned long jobno;
--#ifdef HAVE_PAM
-+#ifdef WITH_PAM
- int retcode;
- #endif
-
---- at-3.1.10/configure.in.havepam 2007-08-22 10:37:16.000000000 +0200
-+++ at-3.1.10/configure.in 2007-08-22 10:37:16.000000000 +0200
-@@ -80,7 +80,7 @@
- AC_FUNC_GETLOADAVG
- AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid)
- AC_CHECK_HEADERS(security/pam_appl.h, [PAMLIB="-lpam"
-- AC_DEFINE(HAVE_PAM)])
-+ AC_DEFINE(WITH_PAM)])
-
- dnl Checking for programs
-
diff --git a/at-3.1.10-makefile.patch b/at-3.1.10-makefile.patch
deleted file mode 100644
index 53379c8..0000000
--- a/at-3.1.10-makefile.patch
+++ /dev/null
@@ -1,102 +0,0 @@ ---- at-3.1.10/Makefile.in.old 2005-08-29 10:08:28.000000000 +0200 -+++ at-3.1.10/Makefile.in 2007-07-02 15:38:48.000000000 +0200 -@@ -51,7 +51,7 @@ - privs.h - - OTHERS = parsetime.l parsetime.y -- -+TEST_VERBOSE = 0 - DOCS = Problems Copyright README ChangeLog timespec - - MISC = COPYING Makefile.in configure acconfig.h install-sh \ -@@ -67,13 +67,13 @@ - all: at atd atrun - - at: $(ATOBJECTS) -- $(CC) $(CFLAGS) -o at $(ATOBJECTS) $(LIBS) $(LEXLIB) -+ $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) - rm -f $(CLONES) - $(LN_S) -f at atq - $(LN_S) -f at atrm - - atd: $(RUNOBJECTS) -- $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB) -+ $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(PAMLIB) - - y.tab.c y.tab.h: parsetime.y - $(YACC) -d parsetime.y -@@ -85,38 +85,42 @@ - configure - - .c.o: -- $(CC) -c $(CFLAGS) $(DEFS) $*.c -+ $(CC) -c $(CFLAGS) -fpie $(DEFS) $*.c - - install: all -- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(etcdir) -- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(bindir) -- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(sbindir) -- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(docdir) -- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(atdocdir) -- $(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 755 -d $(IROOT)$(ATSPOOL_DIR) $(IROOT)$(ATJOB_DIR) -- chmod 1770 $(IROOT)$(ATSPOOL_DIR) $(IROOT)$(ATJOB_DIR) -+ $(INSTALL) -m 755 -d $(IROOT)$(etcdir) -+ $(INSTALL) -m 755 -d $(IROOT)$(bindir) -+ $(INSTALL) -m 755 -d $(IROOT)$(sbindir) -+ $(INSTALL) -m 755 -d $(IROOT)$(docdir) -+ $(INSTALL) -m 755 -d $(IROOT)$(atdocdir) -+ $(INSTALL) -m 755 -d $(IROOT)$(ATJOB_DIR) -+ $(INSTALL) -m 755 -d $(IROOT)$(etcdir)/pam.d -+ $(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 755 -d $(IROOT)$(ATSPOOL_DIR) -+ chmod 700 $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR) -+ chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR) - touch $(IROOT)$(LFILE) - chmod 600 $(IROOT)$(LFILE) - 
chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(LFILE) -- test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL) -o root -g $(DAEMON_GROUPNAME) -m 640 at.deny $(IROOT)$(etcdir)/ -- $(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 6755 -s at $(IROOT)$(bindir) -+ test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL) -m 600 at.deny $(IROOT)$(etcdir)/ -+ $(INSTALL) -o $(INSTALL_ROOT_USER) -g $(DAEMON_GROUPNAME) pam_atd $(IROOT)$(etcdir)/pam.d/atd -+ $(INSTALL) -m 4755 at $(IROOT)$(bindir) - $(LN_S) -f at $(IROOT)$(bindir)/atq - $(LN_S) -f at $(IROOT)$(bindir)/atrm -- $(INSTALL) -g root -o root -m 755 batch $(IROOT)$(bindir) -- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man1dir) -- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man5dir) -- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man8dir) -- $(INSTALL) -g root -o root -m 755 -s atd $(IROOT)$(sbindir) -- $(INSTALL) -g root -o root -m 755 atrun $(IROOT)$(sbindir) -- $(INSTALL) -g root -o root -m 644 at.1 $(IROOT)$(man1dir)/ -+ $(INSTALL) -m 755 batch $(IROOT)$(bindir) -+ $(INSTALL) -d -m 755 $(IROOT)$(man1dir) -+ $(INSTALL) -d -m 755 $(IROOT)$(man5dir) -+ $(INSTALL) -d -m 755 $(IROOT)$(man8dir) -+ $(INSTALL) -m 755 atd $(IROOT)$(sbindir) -+ $(INSTALL) -m 755 atrun $(IROOT)$(sbindir) -+ $(INSTALL) -m 644 at.1 $(IROOT)$(man1dir)/ - cd $(IROOT)$(man1dir) && $(LN_S) -f at.1 atq.1 && $(LN_S) -f at.1 batch.1 && $(LN_S) -f at.1 atrm.1 -- $(INSTALL) -g root -o root -m 644 atd.8 $(IROOT)$(man8dir)/ -+ $(INSTALL) -m 644 atd.8 $(IROOT)$(man8dir)/ - sed "s,\$${exec_prefix},$(exec_prefix),g" tmpman -- $(INSTALL) -g root -o root -m 644 tmpman $(IROOT)$(man8dir)/atrun.8 -+ $(INSTALL) -m 644 tmpman $(IROOT)$(man8dir)/atrun.8 - rm -f tmpman -- $(INSTALL) -g root -o root -m 644 at_allow.5 $(IROOT)$(man5dir)/ -- cd $(IROOT)$(man5dir) && $(LN_S) -f at_allow.5 at_deny.5 -- $(INSTALL) -g root -o root -m 644 $(DOCS) $(IROOT)$(atdocdir) -+ $(INSTALL) -m 644 
at_allow.5 $(IROOT)$(man5dir)/ -+ cd $(IROOT)$(man5dir) && $(LN_S) -f at_allow.5 at_deny.5 -+ $(INSTALL) -m 644 $(DOCS) $(IROOT)$(atdocdir) - rm -f $(IROOT)$(mandir)/cat1/at.1* $(IROOT)$(mandir)/cat1/batch.1* \ - $(IROOT)$(mandir)/cat1/atq.1* - rm -f $(IROOT)$(mandir)/cat1/atd.8* -@@ -150,6 +154,9 @@ - parsetest: lex.yy.c y.tab.c - $(CC) -o parsetest $(CFLAGS) $(DEFS) -DTEST_PARSER -DNEED_YYWRAP lex.yy.c y.tab.c - -+test: parsetest -+ PERL_DL_NONLAZY=1 perl -e 'use Test::Harness qw(&runtests $$verbose); $$verbose=$(TEST_VERBOSE); runtests @ARGV;' test.pl -+ - .depend: $(CSRCS) - gcc $(CFLAGS) $(DEFS) -MM $(CSRCS) > .depend - diff --git a/at-3.1.10-man-timespec-path.patch b/at-3.1.10-man-timespec-path.patch deleted file mode 100644 index 53b0425..0000000 --- a/at-3.1.10-man-timespec-path.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- at-3.1.10/at.1.in.path 2005-08-29 10:09:24.000000000 +0200 -+++ at-3.1.10/at.1.in 2006-09-07 11:07:21.000000000 +0200 -@@ -110,7 +110,7 @@ - .B at 1am tomorrow. - .PP - The exact definition of the time specification can be found in --.IR @prefix@/share/doc/at/timespec . -+.IR @prefix@/share/doc/at-@VERSION@/timespec. - .PP - For both - .BR at " and " batch , diff --git a/at-3.1.10-man_hyphen.patch b/at-3.1.10-man_hyphen.patch deleted file mode 100644 index 7fdeed2..0000000 --- a/at-3.1.10-man_hyphen.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up at-3.1.10/at.1.in.hyphen at-3.1.10/at.1.in ---- at-3.1.10/at.1.in.hyphen 2009-02-19 08:47:39.000000000 +0100 -+++ at-3.1.10/at.1.in 2009-02-19 08:48:19.000000000 +0100 -@@ -89,7 +89,9 @@ or giving a date of the form - or - .B MM/DD/YY - or --.B DD.MM.YY. -+.B DD.MM.YY -+or -+.B YYYY-MM-DD. - The specification of a date - .I must - follow the specification of the time of day. diff --git a/at-3.1.10-nonposix.patch b/at-3.1.10-nonposix.patch deleted file mode 100644 index ed6923d..0000000 --- a/at-3.1.10-nonposix.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-diff -up at-3.1.10/at.c.nonposix at-3.1.10/at.c
---- at-3.1.10/at.c.nonposix 2008-03-25 14:54:09.000000000 +0100
-+++ at-3.1.10/at.c 2008-03-25 14:57:46.000000000 +0100
-@@ -92,6 +92,7 @@
- #define SIZE 255
-
- #define TIMEFORMAT_POSIX "%a %b %e %T %Y"
-+#define TIMEFORMAT_ISO "%Y-%m-%d %H:%M"
- #define TIMESIZE 50
-
- enum {
-@@ -490,7 +491,15 @@ writefile(time_t runtimer, char queue)
-
- runtime = localtime(&runtimer);
-
-- strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
-+ /* We only use the sick POSIX time format if POSIXLY_CORRECT
-+ is set. Otherwise, we use ISO format.
-+ */
-+
-+ if (getenv("POSIXLY_CORRECT") != NULL) {
-+ strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
-+ } else {
-+ strftime(timestr, TIMESIZE, TIMEFORMAT_ISO, runtime);
-+ }
- fprintf(stderr, "job %ld at %s\n", jobno, timestr);
-
- /* Signal atd, if present. Usual precautions taken... */
-@@ -588,8 +597,11 @@ list_jobs(void)
- runtimer = 60 * (time_t) ctm;
- runtime = localtime(&runtimer);
-
-- strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
--
-+ if (getenv("POSIXLY_CORRECT") != NULL) {
-+ strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
-+ } else {
-+ strftime(timestr, TIMESIZE, TIMEFORMAT_ISO, runtime);
-+ }
- if ((pwd = getpwuid(buf.st_uid)))
- printf("%ld\t%s %c %s\n", jobno, timestr, queue, pwd->pw_name);
- else
diff --git a/at-3.1.10-opt_V.patch b/at-3.1.10-opt_V.patch
deleted file mode 100644
index f5f8250..0000000
--- a/at-3.1.10-opt_V.patch
+++ /dev/null
@@ -1,28 +0,0 @@
---- at-3.1.10/configure.in.opt_v 2007-07-04 17:05:33.000000000 +0200
-+++ at-3.1.10/configure.in 2007-07-09 09:23:24.000000000 +0200
-@@ -5,7 +5,7 @@
- AC_CONFIG_HEADER(config.h)
- AC_PREREQ(2.7)
-
--VERSION="3.1.9"
-+VERSION="3.1.10"
- if test "X$CFLAGS" = "X"; then
- CFLAGS="-O2 -g -Wall"
- fi
---- at-3.1.10/at.c.opt_v 2007-07-04 17:05:33.000000000 +0200
-+++ at-3.1.10/at.c 2007-07-09 09:34:34.000000000 +0200
-@@ -966,9 +966,11 @@
- /* end of options eating
- */
-
-- if (disp_version)
-- fprintf(stderr, "at version " VERSION "\n"
-- "Bug reports to: rmurray@debian.org (Ryan Murray)\n");
-+ if (disp_version) {
-+ fprintf(stderr, "at version " VERSION "\n");
-+ if (argc == 2)
-+ exit(EXIT_SUCCESS);
-+ }
-
- /* select our program
- */
diff --git a/at-3.1.10-pam.patch b/at-3.1.10-pam.patch
deleted file mode 100644
index 4ee7366..0000000
--- a/at-3.1.10-pam.patch
+++ /dev/null
@@ -1,543 +0,0 @@ ---- at-3.1.10/pam_atd.pam 2007-07-03 13:29:24.000000000 +0200 -+++ at-3.1.10/pam_atd 2007-07-03 13:29:24.000000000 +0200 -@@ -0,0 +1,9 @@ -+# The PAM configuration file for the at daemon -+# -+# -+auth required pam_env.so -+auth include password-auth -+account required pam_access.so -+account include password-auth -+session required pam_loginuid.so -+session include password-auth -diff -up at-3.1.10/atd.c.pam at-3.1.10/atd.c ---- at-3.1.10/atd.c.pam 2008-07-18 15:47:52.000000000 +0200 -+++ at-3.1.10/atd.c 2008-07-18 16:02:32.000000000 +0200 -@@ -74,6 +74,14 @@ - #include - #endif - -+#ifdef WITH_SELINUX -+#include -+#include -+int selinux_enabled=0; -+#include -+#include -+#endif -+ - /* Local headers */ - - #include "privs.h" -@@ -83,6 +91,10 @@ - #include "getloadavg.h" - #endif - -+#ifndef LOG_ATD -+#define LOG_ATD LOG_DAEMON -+#endif -+ - /* Macros */ - - #define BATCH_INTERVAL_DEFAULT 60 -@@ -121,6 +133,7 @@ static const struct pam_conv conv = { - #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ - fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ - syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ -+ pam_close_session(pamh, PAM_SILENT); \ - pam_end(pamh, retcode); exit(1); \ - } - #define PAM_END { retcode = pam_close_session(pamh,0); \ -@@ -196,6 +209,19 @@ myfork() - #define fork myfork - #endif - -+#undef ATD_MAIL_PROGRAM -+#undef ATD_MAIL_NAME -+#if defined(SENDMAIL) -+#define ATD_MAIL_PROGRAM SENDMAIL -+#define ATD_MAIL_NAME "sendmail" -+#elif defined(MAILC) -+#define ATD_MAIL_PROGRAM MAILC -+#define ATD_MAIL_NAME "mail" -+#elif defined(MAILX) -+#define ATD_MAIL_PROGRAM MAILX -+#define ATD_MAIL_NAME "mailx" -+#endif -+ - static void - run_file(const char *filename, uid_t uid, gid_t gid) - { -@@ -380,18 +406,22 @@ run_file(const char *filename, uid_t uid - fstat(fd_out, &buf); - size = buf.st_size; - --#ifdef HAVE_PAM -- PRIV_START -+//add for fedora, removed HAVE_PAM -+#ifdef WITH_PAM - retcode = pam_start("atd", 
pentry->pw_name, &conv, &pamh); - PAM_FAIL_CHECK; -+ retcode = pam_set_item(pamh, PAM_TTY, "atd"); -+ PAM_FAIL_CHECK; - retcode = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_FAIL_CHECK; - retcode = pam_open_session(pamh, PAM_SILENT); - PAM_FAIL_CHECK; - retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); - PAM_FAIL_CHECK; -- PRIV_END -+ closelog(); -+ openlog("atd", LOG_PID, LOG_ATD); - #endif -+//end - - close(STDIN_FILENO); - close(STDOUT_FILENO); -@@ -404,6 +434,14 @@ run_file(const char *filename, uid_t uid - else if (pid == 0) { - char *nul = NULL; - char **nenvp = &nul; -+ char **pam_envp=0L; -+ -+ PRIV_START -+#ifdef WITH_PAM -+ pam_envp = pam_getenvlist(pamh); -+ if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) ) -+ nenvp = pam_envp; -+#endif - - /* Set up things for the child; we want standard input from the - * input file, and standard output and error sent to our output file. -@@ -425,8 +463,6 @@ run_file(const char *filename, uid_t uid - if (chdir(ATJOB_DIR) < 0) - perr("Cannot chdir to " ATJOB_DIR); - -- PRIV_START -- - nice((tolower((int) queue) - 'a' + 1) * 2); - - if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -443,10 +479,91 @@ run_file(const char *filename, uid_t uid - - chdir("/"); - -+#ifdef WITH_SELINUX -+ if (selinux_enabled>0) { -+ security_context_t user_context=NULL; -+ security_context_t file_context=NULL; -+ int retval=0; -+ struct av_decision avd; -+ char *seuser=NULL; -+ char *level=NULL; -+ -+ if (getseuserbyname(pentry->pw_name, &seuser, &level) == 0) { -+ retval=get_default_context_with_level(seuser, level, NULL, &user_context); -+ free(seuser); -+ free(level); -+ if (retval) { -+ if (security_getenforce()==1) { -+ perr("execle: couldn't get security context for user %s\n", pentry->pw_name); -+ } else { -+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", pentry->pw_name); -+ goto out; -+ } -+ } -+ } -+ -+ /* -+ * Since crontab files are not directly executed, -+ * crond must ensure that the crontab file 
has -+ * a context that is appropriate for the context of -+ * the user cron job. It performs an entrypoint -+ * permission check for this purpose. -+ */ -+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) { -+ if (security_getenforce() > 0) { -+ perr("fgetfilecon FAILED %s", filename); -+ } else { -+ syslog(LOG_ERR, "fgetfilecon FAILED %s", filename); -+ goto out; -+ } -+ } -+ retval = security_compute_av(user_context, -+ file_context, -+ SECCLASS_FILE, -+ FILE__ENTRYPOINT, -+ &avd); -+ freecon(file_context); -+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { -+ if (security_getenforce()==1) -+ perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); -+ } -+ -+ if (setexeccon(user_context) < 0) { -+ if (security_getenforce()==1) { -+ perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); -+ } else { -+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); -+ } -+ } -+ freecon(user_context); -+ } -+#endif -+ - if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) - perr("Exec failed for /bin/sh"); - -+//add for fedora -+#ifdef WITH_SELINUX -+ if (selinux_enabled>0) -+ if (setexeccon(NULL) < 0) -+ if (security_getenforce()==1) -+ perr("Could not resset exec context for user %s\n", pentry->pw_name); -+ -+#endif -+//end -+//add for fedora -+#ifdef WITH_PAM -+ if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L)) -+ { -+ for( nenvp = pam_envp; *nenvp != 0L; nenvp++) -+ free(*nenvp); -+ free( pam_envp ); -+ nenvp = &nul; -+ pam_envp=0L; -+ } -+#endif - PRIV_END -+// end - } - /* We're the parent. Let's wait. 
- */ -@@ -459,6 +576,7 @@ run_file(const char *filename, uid_t uid - */ - waitpid(pid, (int *) NULL, 0); - -+/* remove because WITH_PAM - #ifdef HAVE_PAM - PRIV_START - pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); -@@ -466,7 +584,7 @@ run_file(const char *filename, uid_t uid - pam_end(pamh, retcode); - PRIV_END - #endif -- -+*/ - /* Send mail. Unlink the output file after opening it, so it - * doesn't hang around after the run. - */ -@@ -474,6 +592,13 @@ run_file(const char *filename, uid_t uid - if (open(filename, O_RDONLY) != STDIN_FILENO) - perr("Open of jobfile failed"); - -+#ifdef WITH_PAM -+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); -+ pam_close_session(pamh, PAM_SILENT); -+ pam_end(pamh, PAM_ABORT); -+ closelog(); -+ openlog("atd", LOG_PID, LOG_ATD); -+#endif - unlink(filename); - - /* The job is now finished. We can delete its input file. -@@ -482,8 +607,30 @@ run_file(const char *filename, uid_t uid - unlink(newname); - free(newname); - -+#ifdef ATD_MAIL_PROGRAM - if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) { -+ int mail_pid = -1; -+//add for fedora -+#ifdef WITH_PAM -+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); -+ PAM_FAIL_CHECK; -+ retcode = pam_set_item(pamh, PAM_TTY, "atd"); -+ PAM_FAIL_CHECK; -+ retcode = pam_acct_mgmt(pamh, PAM_SILENT); -+ PAM_FAIL_CHECK; -+ retcode = pam_open_session(pamh, PAM_SILENT); -+ PAM_FAIL_CHECK; -+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); -+ PAM_FAIL_CHECK; -+ /* PAM has now re-opened our log to auth.info ! 
*/ -+ closelog(); -+ openlog("atd", LOG_PID, LOG_ATD); -+#endif -+//end -+ mail_pid = fork(); - -+ if ( mail_pid == 0 ) -+ { - PRIV_START - - if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -497,15 +644,80 @@ run_file(const char *filename, uid_t uid - - chdir ("/"); - --#if defined(SENDMAIL) -- execl(SENDMAIL, "sendmail", mailname, (char *) NULL); --#else -- perr("No mail command specified."); -+#ifdef WITH_SELINUX -+ if (selinux_enabled>0) { -+ security_context_t user_context=NULL; -+ security_context_t file_context=NULL; -+ int retval=0; -+ struct av_decision avd; -+ -+ if (get_default_context(pentry->pw_name, NULL, &user_context)) -+ perr("execle: couldn't get security context for user %s\n", pentry->pw_name); -+ /* -+ * Since crontab files are not directly executed, -+ * crond must ensure that the crontab file has -+ * a context that is appropriate for the context of -+ * the user cron job. It performs an entrypoint -+ * permission check for this purpose. -+ */ -+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) -+ perr("fgetfilecon FAILED %s", filename); -+ -+ retval = security_compute_av(user_context, -+ file_context, -+ SECCLASS_FILE, -+ FILE__ENTRYPOINT, -+ &avd); -+ freecon(file_context); -+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { -+ if (security_getenforce()==1) { -+ perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); -+ } else { -+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); -+ goto out; -+ } -+ } -+ -+ if (setexeccon(user_context) < 0) { -+ if (security_getenforce()==1) { -+ perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); -+ } else { -+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); -+ } -+ } -+ out: -+ freecon(user_context); -+ } -+#endif -+ execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL); -+ perr("Exec faile for mail 
command"); -+ exit(-1); -+ -+#ifdef WITH_SELINUX -+ if (selinux_enabled>0) -+ if (setexeccon(NULL) < 0) -+ if (security_getenforce()==1) -+ perr("Could not reset exec context for user %s\n", pentry->pw_name); - #endif -- perr("Exec failed for mail command"); - - PRIV_END -+ } -+ else if ( mail_pid == -1 ) { -+ perr("fork of mailer failed"); -+ } -+ else { -+ /* Parent */ -+ waitpid(mail_pid, (int *) NULL, 0); -+ } -+#ifdef WITH_PAM -+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); -+ pam_close_session(pamh, PAM_SILENT); -+ pam_end(pamh, PAM_ABORT); -+ closelog(); -+ openlog("atd", LOG_PID, LOG_ATD); -+#endif - } -+#endif - exit(EXIT_SUCCESS); - } - -@@ -703,6 +915,10 @@ main(int argc, char *argv[]) - struct passwd *pwe; - struct group *ge; - -+#ifdef WITH_SELINUX -+ selinux_enabled=is_selinux_enabled(); -+#endif -+ - /* We don't need root privileges all the time; running under uid and gid - * daemon is fine. - */ -@@ -719,18 +935,14 @@ main(int argc, char *argv[]) - - RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid) - --#ifndef LOG_CRON --#define LOG_CRON LOG_DAEMON --#endif -- -- openlog("atd", LOG_PID, LOG_CRON); -+ openlog("atd", LOG_PID, LOG_ATD); - - opterr = 0; - errno = 0; - run_as_daemon = 1; - batch_interval = BATCH_INTERVAL_DEFAULT; - -- while ((c = getopt(argc, argv, "sdl:b:")) != EOF) { -+ while ((c = getopt(argc, argv, "sdl:b:n")) != EOF) { - switch (c) { - case 'l': - if (sscanf(optarg, "%lf", &load_avg) != 1) -@@ -745,7 +957,10 @@ main(int argc, char *argv[]) - break; - case 'd': - daemon_debug++; -- break; -+ /* go through another option*/ -+ case 'n': -+ daemon_nofork++; -+ break; - - case 's': - run_as_daemon = 0; -diff -up at-3.1.10/config.h.in.pam at-3.1.10/config.h.in ---- at-3.1.10/config.h.in.pam 2008-07-18 16:04:41.000000000 +0200 -+++ at-3.1.10/config.h.in 2008-07-18 16:05:13.000000000 +0200 -@@ -181,3 +181,9 @@ - - #undef HAVE_ATTRIBUTE_NORETURN - #undef HAVE_PAM -+ -+/* Define if you are building with_pam */ -+#undef WITH_PAM -+ -+/* 
Define if you are building with_selinux */ -+#undef WITH_SELINUX -diff -up at-3.1.10/configure.in.pam at-3.1.10/configure.in ---- at-3.1.10/configure.in.pam 2008-07-18 16:05:28.000000000 +0200 -+++ at-3.1.10/configure.in 2008-07-18 16:06:01.000000000 +0200 -@@ -316,4 +316,19 @@ AC_ARG_WITH(daemon_groupname, - ) - AC_SUBST(DAEMON_GROUPNAME) - -+AC_ARG_WITH(selinux, -+[ --with-selinux Define to run with selinux], -+AC_DEFINE(WITH_SELINUX), -+) -+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux) -+AC_SUBST(SELINUXLIB) -+AC_SUBST(WITH_SELINUX) -+ -+AC_ARG_WITH(pam, -+[ --with-pam Define to enable pam support ], -+AC_DEFINE(WITH_PAM), -+) -+AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc') -+AC_SUBST(PAMLIB) -+ - AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch) -diff -up at-3.1.10/Makefile.in.pam at-3.1.10/Makefile.in ---- at-3.1.10/Makefile.in.pam 2008-07-18 15:47:52.000000000 +0200 -+++ at-3.1.10/Makefile.in 2008-07-18 16:04:19.000000000 +0200 -@@ -41,6 +41,7 @@ LIBS = @LIBS@ - LIBOBJS = @LIBOBJS@ - INSTALL = @INSTALL@ - PAMLIB = @PAMLIB@ -+SELINUXLIB = @SELINUXLIB@ - - CLONES = atq atrm - ATOBJECTS = at.o panic.o perm.o y.tab.o lex.yy.o -@@ -67,13 +68,13 @@ LIST = Filelist Filelist.asc - all: at atd atrun - - at: $(ATOBJECTS) -- $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) -+ $(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB) - rm -f $(CLONES) - $(LN_S) -f at atq - $(LN_S) -f at atrm - - atd: $(RUNOBJECTS) -- $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(PAMLIB) -+ $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB) - - y.tab.c y.tab.h: parsetime.y - $(YACC) -d parsetime.y -diff -up at-3.1.10/perm.c.pam at-3.1.10/perm.c ---- at-3.1.10/perm.c.pam 2008-07-18 16:06:14.000000000 +0200 -+++ at-3.1.10/perm.c 2008-07-18 16:08:05.000000000 +0200 -@@ -51,6 +51,14 @@ - #define PRIV_END while(0) - #endif - -+#ifdef WITH_PAM -+#include -+static pam_handle_t *pamh = NULL; -+static const struct 
pam_conv conv = { -+ NULL -+}; -+#endif -+ - /* Structures and unions */ - - -@@ -109,18 +117,55 @@ user_in_file(const char *path, const cha - int - check_permission() - { -- uid_t uid = geteuid(); -+ uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid(); - struct passwd *pentry; - int allow = 0, deny = 1; - -- if (uid == 0) -+ int retcode = 0; -+ if (euid == 0) - return 1; - -- if ((pentry = getpwuid(uid)) == NULL) { -+ if ((pentry = getpwuid(euid)) == NULL) { - perror("Cannot access user database"); - exit(EXIT_FAILURE); - } - -+#ifdef WITH_PAM -+/* -+ * We must check if the atd daemon userid will be allowed to gain the job owner user's -+ * credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access. -+ */ -+ setreuid(daemon_uid, daemon_uid); -+ setregid(daemon_gid, daemon_gid); -+ -+# define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ -+ fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \ -+ pam_close_session(pamh,PAM_SILENT); \ -+ pam_end(pamh, retcode); \ -+ setregid(gid,egid); \ -+ setreuid(uid,euid); \ -+ return(0); \ -+ } -+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); -+ PAM_FAIL_CHECK; -+ retcode = pam_set_item(pamh, PAM_TTY, "atd"); -+ PAM_FAIL_CHECK; -+ retcode = pam_acct_mgmt(pamh, PAM_SILENT); -+ PAM_FAIL_CHECK; -+ retcode = pam_open_session(pamh, PAM_SILENT); -+ PAM_FAIL_CHECK; -+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); -+ PAM_FAIL_CHECK; -+ -+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); -+ pam_close_session(pamh,PAM_SILENT); -+ pam_end(pamh, PAM_ABORT); -+ -+ setregid(gid,egid); -+ setreuid(uid,euid); -+ -+#endif -+ - allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name); - if (allow==0 || allow==1) - return allow; diff --git a/at-3.1.10-pamfix.patch b/at-3.1.10-pamfix.patch deleted file mode 100644 index 641e117..0000000 --- a/at-3.1.10-pamfix.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c ---- at-3.1.10/atd.c.pamfix 2008-07-18 16:23:11.000000000 +0200 -+++ at-3.1.10/atd.c 2008-07-18 16:23:11.000000000 +0200 -@@ -131,15 +131,17 @@ static const struct pam_conv conv = { - }; - - #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ -- fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ -+ fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \ - syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ -- pam_close_session(pamh, PAM_SILENT); \ -- pam_end(pamh, retcode); exit(1); \ -+ if (pamh) \ -+ pam_end(pamh, retcode); \ -+ exit(1); \ - } --#define PAM_END { retcode = pam_close_session(pamh,0); \ -- pam_end(pamh,retcode); } - --#endif /* WITH_PAM */ -+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \ -+ pam_close_session(pamh, PAM_SILENT); -+ -+#endif /* end WITH_PAM */ - - /* Signal handlers */ - RETSIGTYPE -@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid - - //add for fedora, removed HAVE_PAM - #ifdef WITH_PAM -+ pamh = NULL; - retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); - PAM_FAIL_CHECK; - retcode = pam_set_item(pamh, PAM_TTY, "atd"); -@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid - retcode = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_FAIL_CHECK; - retcode = pam_open_session(pamh, PAM_SILENT); -+ PAM_SESSION_FAIL; - PAM_FAIL_CHECK; - retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); -+ PAM_SESSION_FAIL; - PAM_FAIL_CHECK; - closelog(); - openlog("atd", LOG_PID, LOG_ATD); -@@ -612,6 +617,7 @@ run_file(const char *filename, uid_t uid - int mail_pid = -1; - //add for fedora - #ifdef WITH_PAM -+ pamh = NULL; - retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); - PAM_FAIL_CHECK; - retcode = pam_set_item(pamh, PAM_TTY, "atd"); -@@ -619,8 +625,10 @@ run_file(const char *filename, uid_t uid - retcode = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_FAIL_CHECK; - retcode = pam_open_session(pamh, PAM_SILENT); -+ 
PAM_SESSION_FAIL; - PAM_FAIL_CHECK; - retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); -+ PAM_SESSION_FAIL; - PAM_FAIL_CHECK; - /* PAM has now re-opened our log to auth.info ! */ - closelog(); -diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c ---- at-3.1.10/perm.c.pamfix 2008-07-18 16:23:11.000000000 +0200 -+++ at-3.1.10/perm.c 2008-07-18 16:26:16.000000000 +0200 -@@ -135,34 +135,61 @@ check_permission() - * We must check if the atd daemon userid will be allowed to gain the job owner user's - * credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access. - */ -- setreuid(daemon_uid, daemon_uid); -- setregid(daemon_gid, daemon_gid); -+ if (setreuid(daemon_uid, daemon_uid) != 0) { -+ fprintf(stderr, "cannot set egid: %s", strerror(errno)); -+ exit(1); -+ } -+ if (setregid(daemon_gid, daemon_gid) != 0) { -+ fprintf(stderr, "cannot set euid: %s", strerror(errno)); -+ exit(1); -+ } - - # define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ -- fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \ -- pam_close_session(pamh,PAM_SILENT); \ -- pam_end(pamh, retcode); \ -- setregid(gid,egid); \ -- setreuid(uid,euid); \ -- return(0); \ -- } -+ fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \ -+ if (pamh) \ -+ pam_end(pamh, retcode); \ -+ if (setregid(gid,egid) != 0) { \ -+ fprintf(stderr, "cannot set egid: %s", strerror(errno)); \ -+ exit(1); \ -+ } \ -+ if (setreuid(uid,euid) != 0) { \ -+ fprintf(stderr, "cannot set euid: %s", strerror(errno)); \ -+ exit(1); \ -+ } \ -+ return(0); \ -+ } -+ -+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \ -+ pam_close_session(pamh,PAM_SILENT); -+ -+ pamh = NULL; - retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); - PAM_FAIL_CHECK; - retcode = pam_set_item(pamh, PAM_TTY, "atd"); - PAM_FAIL_CHECK; - retcode = pam_acct_mgmt(pamh, PAM_SILENT); -+ PAM_SESSION_FAIL; - PAM_FAIL_CHECK; - retcode = pam_open_session(pamh, PAM_SILENT); -+ 
PAM_SESSION_FAIL; - PAM_FAIL_CHECK; - retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); -+ PAM_SESSION_FAIL; - PAM_FAIL_CHECK; - - pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); - pam_close_session(pamh,PAM_SILENT); - pam_end(pamh, PAM_ABORT); - -- setregid(gid,egid); -- setreuid(uid,euid); -+ if (setregid(gid,egid) != 0) { -+ fprintf(stderr, "cannot set egid: %s", strerror(errno)); -+ exit(1); -+ } -+ if (setreuid(uid,euid) != 0) { -+ fprintf(stderr, "cannot set euid: %s", strerror(errno)); -+ exit(1); -+ } -+ - - #endif - diff --git a/at-3.1.10-perm.patch b/at-3.1.10-perm.patch deleted file mode 100644 index 0df57f5..0000000 --- a/at-3.1.10-perm.patch +++ /dev/null 
@@ -1,78 +0,0 @@
---- at-3.1.10/at.c.perm 2007-07-04 09:43:19.000000000 +0200
-+++ at-3.1.10/at.c 2007-07-04 10:04:47.000000000 +0200
-@@ -314,26 +314,19 @@
- * bit. Yes, this is a kluge.
- */
- cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR);
-- seteuid(real_uid);
-+ seteuid(effective_uid);
- if ((fd = open(atfile, O_CREAT | O_EXCL | O_TRUNC | O_WRONLY, S_IRUSR)) == -1)
- perr("Cannot create atjob file %.500s", atfile);
-- seteuid(effective_uid);
-+ //seteuid(effective_uid);
-
- if ((fd2 = dup(fd)) < 0)
- perr("Error in dup() of job file");
-
-- /*
- if (fchown(fd2, real_uid, real_gid) != 0)
-- perr("Cannot give away file");
-- */
-+ perr("Cannot give real_uid and real_gid the file");
-
- PRIV_END
-
-- /* We no longer need suid root; now we just need to be able to write
-- * to the directory, if necessary.
-- */
--
-- REDUCE_PRIV(daemon_uid, daemon_gid)
- /* We've successfully created the file; let's set the flag so it
- * gets removed in case of an interrupt or error.
- */
-@@ -491,7 +484,7 @@
- */
-
- if (fchmod(fd2, S_IRUSR | S_IWUSR | S_IXUSR) < 0)
-- perr("Cannot give away file");
-+ perr("Cannot change the mode of the file");
-
- close(fd2);
-
-@@ -656,7 +649,7 @@
- We need the unprivileged uid here since the file is owned by the real
- (not effective) uid.
- */
-- setregid(real_gid, effective_gid);
-+ PRIV_START
-
- if (queue == '=') {
- fprintf(stderr, "Warning: deleting running job\n");
-@@ -665,8 +658,8 @@
- perr("Cannot unlink %.500s", dirent->d_name);
- rc = EXIT_FAILURE;
- }
-+ PRIV_END
-
-- setregid(effective_gid, real_gid);
- done = 1;
-
- break;
-@@ -676,7 +669,7 @@
- FILE *fp;
- int ch;
-
-- setregid(real_gid, effective_gid);
-+ PRIV_START
- fp = fopen(dirent->d_name, "r");
-
- if (fp) {
-@@ -689,7 +682,7 @@
- perr("Cannot open %.500s", dirent->d_name);
- rc = EXIT_FAILURE;
- }
-- setregid(effective_gid, real_gid);
-+ PRIV_END
- }
- break;
-
diff --git a/at-3.1.10-selinux_mail.patch b/at-3.1.10-selinux_mail.patch
deleted file mode 100644
index cd2af80..0000000
--- a/at-3.1.10-selinux_mail.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-diff -up at-3.1.10/atd.c.mailselinux at-3.1.10/atd.c
---- at-3.1.10/atd.c.mailselinux 2008-09-17 10:45:38.000000000 +0200
-+++ at-3.1.10/atd.c 2008-09-17 10:49:48.000000000 +0200
-@@ -224,6 +224,69 @@ myfork()
- #define ATD_MAIL_NAME "mailx"
- #endif
-
-+#ifdef WITH_SELINUX
-+static int set_selinux_context(const char *name, const char *filename) {
-+ security_context_t user_context=NULL;
-+ security_context_t file_context=NULL;
-+ struct av_decision avd;
-+ int retval=-1;
-+ char *seuser=NULL;
-+ char *level=NULL;
-+
-+ if (getseuserbyname(name, &seuser, &level) == 0) {
-+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
-+ free(seuser);
-+ free(level);
-+ if (retval) {
-+ if (security_getenforce()==1) {
-+ perr("execle: couldn't get security context for user %s\n", name);
-+ } else {
-+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
-+ return -1;
-+ }
-+ }
-+ }
-+
-+ /*
-+ * Since crontab files are not directly executed,
-+ * crond must ensure that the crontab file has
-+ * a context that is appropriate for the context of
-+ * the user cron job. It performs an entrypoint
-+ * permission check for this purpose.
-+ */
-+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
-+ perr("fgetfilecon FAILED %s", filename);
-+
-+ retval = security_compute_av(user_context,
-+ file_context,
-+ SECCLASS_FILE,
-+ FILE__ENTRYPOINT,
-+ &avd);
-+ freecon(file_context);
-+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-+ if (security_getenforce()==1) {
-+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
-+ } else {
-+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
-+ retval = -1;
-+ goto err;
-+ }
-+ }
-+ if (setexeccon(user_context) < 0) {
-+ if (security_getenforce()==1) {
-+ perr("Could not set exec context to %s for user %s\n", user_context,name);
-+ retval = -1;
-+ } else {
-+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
-+ }
-+ }
-+ err:
-+ freecon(user_context);
-+ return 0;
-+}
-+#endif
-+
-+
- static void
- run_file(const char *filename, uid_t uid, gid_t gid)
- {
-@@ -486,61 +549,8 @@ run_file(const char *filename, uid_t uid
-
- #ifdef WITH_SELINUX
- if (selinux_enabled>0) {
-- security_context_t user_context=NULL;
-- security_context_t file_context=NULL;
-- int retval=0;
-- struct av_decision avd;
-- char *seuser=NULL;
-- char *level=NULL;
--
-- if (getseuserbyname(pentry->pw_name, &seuser, &level) == 0) {
-- retval=get_default_context_with_level(seuser, level, NULL, &user_context);
-- free(seuser);
-- free(level);
-- if (retval) {
-- if (security_getenforce()==1) {
-- perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
-- } else {
-- syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", pentry->pw_name);
-- goto out;
-- }
-- }
-- }
--
-- /*
-- * Since crontab files are not directly executed,
-- * crond must ensure that the crontab file has
-- * a context that is appropriate for the context of
-- * the user cron job. It performs an entrypoint
-- * permission check for this purpose.
-- */
-- if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
-- if (security_getenforce() > 0) {
-- perr("fgetfilecon FAILED %s", filename);
-- } else {
-- syslog(LOG_ERR, "fgetfilecon FAILED %s", filename);
-- goto out;
-- }
-- }
-- retval = security_compute_av(user_context,
-- file_context,
-- SECCLASS_FILE,
-- FILE__ENTRYPOINT,
-- &avd);
-- freecon(file_context);
-- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-- if (security_getenforce()==1)
-- perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
-- }
--
-- if (setexeccon(user_context) < 0) {
-- if (security_getenforce()==1) {
-- perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
-- } else {
-- syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
-- }
-- }
-- freecon(user_context);
-+ if (set_selinux_context(pentry->pw_name, filename) < 0)
-+ perr("SELinux Failed to set context\n");
- }
- #endif
-
-@@ -654,47 +664,8 @@ run_file(const char *filename, uid_t uid
-
- #ifdef WITH_SELINUX
- if (selinux_enabled>0) {
-- security_context_t user_context=NULL;
-- security_context_t file_context=NULL;
-- int retval=0;
-- struct av_decision avd;
--
-- if (get_default_context(pentry->pw_name, NULL, &user_context))
-- perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
-- /*
-- * Since crontab files are not directly executed,
-- * crond must ensure that the crontab file has
-- * a context that is appropriate for the context of
-- * the user cron job. It performs an entrypoint
-- * permission check for this purpose.
-- */
-- if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
-- perr("fgetfilecon FAILED %s", filename);
--
-- retval = security_compute_av(user_context,
-- file_context,
-- SECCLASS_FILE,
-- FILE__ENTRYPOINT,
-- &avd);
-- freecon(file_context);
-- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-- if (security_getenforce()==1) {
-- perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
-- } else {
-- syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
-- goto out;
-- }
-- }
--
-- if (setexeccon(user_context) < 0) {
-- if (security_getenforce()==1) {
-- perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
-- } else {
-- syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
-- }
-- }
-- out:
-- freecon(user_context);
-+ if (set_selinux_context(pentry->pw_name, filename) < 0)
-+ perr("SELinux Failed to set context\n");
- }
- #endif
- execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
diff --git a/at-3.1.10-session.patch b/at-3.1.10-session.patch
deleted file mode 100644
index 79414b8..0000000
--- a/at-3.1.10-session.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- at-3.1.10/atd.c.old 2007-07-12 11:12:36.000000000 +0200
-+++ at-3.1.10/atd.c 2007-07-12 11:20:40.000000000 +0200
-@@ -303,6 +303,8 @@
- free(newname);
- return;
- }
-+ (void) setsid(); //own session for process
-+
- /* Let's see who we mail to. Hopefully, we can read it from
- * the command file; if not, send it to the owner, or, failing that,
- * to root.
diff --git a/at-3.1.10-typo.patch b/at-3.1.10-typo.patch
deleted file mode 100644
index 79d171e..0000000
--- a/at-3.1.10-typo.patch
+++ /dev/null
@@ -1,56 +0,0 @@
---- at-3.1.10/atrun.8.in.typo 2005-08-29 10:08:41.000000000 +0200
-+++ at-3.1.10/atrun.8.in 2006-09-12 10:00:57.000000000 +0200
-@@ -11,7 +11,7 @@
- .B atrun
- runs jobs queued by
- .BR at(1) .
--It is a shell script containing invoking
-+It is a shell script invoking
- .B @sbindir@/atd
- with the
- .I -s
---- at-3.1.10/atd.c.typo 2006-09-12 10:00:57.000000000 +0200
-+++ at-3.1.10/atd.c 2006-09-12 10:07:19.000000000 +0200
-@@ -316,7 +316,7 @@
- "aborting", jobno, filename);
-
- if (buf.st_nlink > 2) {
-- perr("Someboy is trying to run a linked script for job %8lu (%.500s)",
-+ perr("Somebody is trying to run a linked script for job %8lu (%.500s)",
- jobno, filename);
- }
- if ((fflags = fcntl(fd_in, F_GETFD)) < 0)
-@@ -607,6 +607,7 @@
- * Let's remove the lockfile and reschedule.
- */
- strncpy(lock_name, dirent->d_name, sizeof(lock_name));
-+ lock_name[sizeof(lock_name)-1] = '\0';
- lock_name[0] = '=';
- unlink(lock_name);
- next_job = now;
-@@ -623,7 +624,7 @@
- nothing_to_do = 0;
-
- /* There's a job for later. Note its execution time if it's
-- * the earlierst so far.
-+ * the earliest so far.
- */
- if (run_time > now) {
- if (next_job > run_time) {
-@@ -641,6 +642,7 @@
- run_batch++;
- if (strcmp(batch_name, dirent->d_name) > 0) {
- strncpy(batch_name, dirent->d_name, sizeof(batch_name));
-+ batch_name[sizeof(batch_name)-1] = '\0';
- batch_uid = buf.st_uid;
- batch_gid = buf.st_gid;
- batch_queue = queue;
-@@ -683,7 +685,7 @@
- int
- main(int argc, char *argv[])
- {
--/* Browse through ATJOB_DIR, checking all the jobfiles wether they should
-+/* Browse through ATJOB_DIR, checking all the jobfiles whether they should
- * be executed and or deleted. The queue is coded into the first byte of
- * the job filename, the date (in minutes since Eon) as a hex number in the
- * following eight bytes, followed by a dot and a serial number. A file
diff --git a/at-3.1.7-lockfile.patch b/at-3.1.7-lockfile.patch
deleted file mode 100644
index 8788a1a..0000000
--- a/at-3.1.7-lockfile.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- at-3.1.7/at.c.lockfile Wed Oct 22 17:56:22 1997
-+++ at-3.1.7/at.c Wed Oct 22 17:56:40 1997
-@@ -199,7 +199,7 @@
- fscanf(fid, "%5lx", &jobno);
- rewind(fid);
- } else {
-- fid = fopen(ATJOB_DIR "/.SEQ", "w");
-+ fid = fopen(LFILE, "w");
- if (fid == NULL)
- return EOF;
- }
diff --git a/at-3.1.7-sigchld.patch b/at-3.1.7-sigchld.patch
deleted file mode 100644
index 5a5c0b5..0000000
--- a/at-3.1.7-sigchld.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- at-3.1.7/atd.c.sigchld Mon May 24 16:56:41 1999
-+++ at-3.1.7/atd.c Mon May 24 16:58:57 1999
-@@ -348,6 +348,9 @@
- if (setuid(uid) < 0)
- perr("Cannot set user id");
-
-+ if (SIG_ERR == signal(SIGCHLD, SIG_DFL))
-+ perr("Cannot reset signal handler to default");
-+
- chdir("/");
-
- if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
diff --git a/at-3.1.8-perr.patch b/at-3.1.8-perr.patch
deleted file mode 100644
index 5ab284f..0000000
--- a/at-3.1.8-perr.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up at-3.1.10/atd.c.bla at-3.1.10/atd.c
---- at-3.1.10/atd.c.bla 2008-07-18 15:18:35.000000000 +0200
-+++ at-3.1.10/atd.c 2008-07-18 15:19:41.000000000 +0200
-@@ -643,7 +643,7 @@ run_file(const char *filename, uid_t uid
- #if defined(SENDMAIL)
- execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
- #else
--#error "No mail command specified."
-+ perr("No mail command specified.");
- #endif
- perr("Exec failed for mail command");
-
diff --git a/at-3.1.8-t_option.patch b/at-3.1.8-t_option.patch
deleted file mode 100644
index 89e604e..0000000
--- a/at-3.1.8-t_option.patch
+++ /dev/null
@@ -1,267 +0,0 @@
---- at-3.1.10/at.c.t_option 2007-07-04 11:12:10.000000000 +0200
-+++ at-3.1.10/at.c 2007-07-04 11:13:19.000000000 +0200
-@@ -396,8 +396,9 @@
- unsigned int i;
- for (i = 0; i < sizeof(no_export) / sizeof(no_export[0]); i++) {
- export = export
-- && (strncmp(*atenv, no_export[i],
-- (size_t) (eqp - *atenv)) != 0);
-+ && ( (((size_t) (eqp - *atenv)) != strlen(no_export[i]))
-+ ||(strncmp(*atenv, no_export[i],(size_t) (eqp - *atenv)) != 0)
-+ );
- }
- eqp++;
- }
-@@ -752,6 +753,102 @@
- return p;
- }
-
-+/* Handle POSIX.2 '-t' option :
-+ * Parses time string in "touch(1)" format:
-+ * [[CC]YY]MMDDhhmm[.ss]
-+ * and returns time_t .
-+ */
-+time_t
-+t_option(char *s)
-+{
-+ time_t t=time(0L);
-+ struct tm tm, tm_now=*localtime(&t);
-+ int l;
-+
-+ if((s == 0L) || (*s == '\0'))
-+ {
-+ return 0L;
-+ };
-+ memset(&tm,'\0',sizeof(tm));
-+ l = strnlen(s,15);
-+ switch(l)
-+ {
-+ case 15:
-+ /* CCYYMMDDhhmm.ss */
-+ sscanf(s, "%4d%2d%2d%2d%2d.%2d",
-+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec
-+ );
-+ if(tm.tm_year)
-+ tm.tm_year -= 1900 ;
-+
-+ break;
-+
-+ case 13:
-+ /* YYMMDDhhmm.ss */
-+ sscanf(s, "%2d%2d%2d%2d%2d.%2d",
-+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec
-+ );
-+ if(tm.tm_year)
-+ tm.tm_year += 100 ; /* Y2.1K+ bug! */
-+
-+ break;
-+
-+ case 11:
-+ /* MMDDhhmm.ss */
-+ sscanf(s, "%2d%2d%2d%2d.%2d",
-+ &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec
-+ );
-+
-+ tm.tm_year = tm_now.tm_year;
-+
-+ if(tm.tm_mon)
-+ tm.tm_mon -= 1;
-+ break;
-+
-+ case 12:
-+ /* CCYYMMDDhhmm */
-+ sscanf(s, "%4d%2d%2d%2d%2d",
-+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min
-+ );
-+ if(tm.tm_year)
-+ tm.tm_year -= 1900 ;
-+ break;
-+
-+ case 10:
-+ /* YYMMDDhhmm */
-+ sscanf(s, "%2d%2d%2d%2d%2d",
-+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min
-+ );
-+ if(tm.tm_year)
-+ tm.tm_year += 100 ; /* Y2.1K+ bug! */
-+ break;
-+
-+ case 8:
-+ /* MMDDhhmm */
-+ sscanf(s, "%2d%2d%2d%2d",
-+ &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min
-+ );
-+ if( tm.tm_mday )
-+ tm.tm_year = tm_now.tm_year;
-+ break;
-+ default:
-+ break;
-+ }
-+
-+ if( tm.tm_mon )
-+ tm.tm_mon -= 1;
-+
-+ if( tm.tm_mday )
-+ {
-+ tm.tm_isdst = -1;
-+ t = mktime(&tm);
-+ return t;
-+ } else
-+ return 0L;
-+}
-+
-+
-+
- int
- main(int argc, char **argv)
- {
-@@ -761,9 +858,9 @@
- char *pgm;
-
- int program = AT; /* our default program */
-- char *options = "q:f:MmvldhVc"; /* default options for at */
-+ char *options = "q:f:MmvldhVct:"; /* default options for at */
- int disp_version = 0;
-- time_t timer;
-+ time_t timer=0L;
- struct passwd *pwe;
- struct group *ge;
-
-@@ -866,7 +963,9 @@
- program = CAT;
- options = "";
- break;
--
-+ case 't':
-+ timer = t_option(optarg);
-+ break;
- default:
- usage();
- break;
-@@ -923,10 +1022,12 @@
- break;
-
- case AT:
-- if (argc > optind) {
-- timer = parsetime(argc - optind, argv + optind);
-- } else {
-- timer = 0;
-+ if (timer == 0) {
-+ if (argc > optind) {
-+ timer = parsetime(argc - optind, argv + optind);
-+ } else {
-+ timer = 0;
-+ }
- }
-
- if (timer == 0) {
-@@ -955,10 +1056,12 @@
- else
- queue = DEFAULT_BATCH_QUEUE;
-
-- if (argc > optind)
-- timer = parsetime(argc, argv);
-- else
-- timer = time(NULL);
-+ if( timer == 0L ) {
-+ if (argc > optind)
-+ timer = parsetime(argc, argv);
-+ else
-+ timer = time(NULL);
-+ }
-
- if (atverify) {
- struct tm *tm = localtime(&timer);
---- at-3.1.10/at.1.in.t_option 2007-07-04 11:12:10.000000000 +0200
-+++ at-3.1.10/at.1.in 2007-07-04 11:12:10.000000000 +0200
-@@ -12,6 +12,16 @@
- .RB [ -mldbv ]
- .B TIME
- .br
-+.B at
-+.RB [ -V ]
-+.RB [ -q
-+.IR queue ]
-+.RB [ -f
-+.IR file ]
-+.RB [ -mldbv ]
-+.RB -t
-+.IR time_arg
-+.br
- .B "at -c"
- .I job
- .RI [ job... ]
-@@ -32,8 +42,7 @@
- and
- .B batch
- read commands from standard input or a specified file which are to
--be executed at a later time, using
--.BR /bin/sh .
-+be executed at a later time.
- .TP 8
- .BR at
- executes commands at a specified time.
-@@ -227,6 +236,63 @@
- .B
- \-c
- cats the jobs listed on the command line to standard output.
-+.TP
-+.BI \-t " time_arg"
-+Submit the job to be run at the time specified by the
-+.BI time_arg
-+option argument, which must have the same format as specified for the
-+.BR touch(1)
-+utility's
-+.B \-t
-+time option argument ([[CC]YY]MMDDhhmm).
-+.SH ENVIRONMENT
-+.P
-+.TP 8
-+.B SHELL
-+The value of the SHELL environment variable at the time of
-+.B at
-+invocation will determine which shell is used to execute the
-+.B at
-+job commands. If SHELL is unset when
-+.B at
-+is invoked, the user's login shell will be used; otherwise,
-+if SHELL is set when
-+.B at
-+is invoked, it must contain the path of a shell interpreter
-+executable that will be used to run the commands at the specified time.
-+.P
-+.B at
-+will record the values of
-+environment variables present at time of
-+.B at
-+invocation. When the commands are run at the specified time,
-+.B at
-+will restore these variables to their recorded values .
-+These variables are excluded from this processing and are never
-+set by
-+.B at
-+when the commands are run :
-+.br
-+.BI TERM,
-+.BI DISPLAY,
-+.BI SHELLOPTS,
-+.BI _,
-+.BI PPID,
-+.BI BASH_VERSINFO,
-+.BI EUID,
-+.BI UID,
-+.BI GROUPS.
-+.br
-+If the user submitting the
-+.B at
-+job is not the super-user, variables that alter the behaviour of the
-+loader
-+.BR ld.so(8),
-+such as
-+.B LD_LIBRARY_PATH
-+, cannot be recorded and restored by
-+.B at .
-+.P
- .SH FILES
- .I @ATJBD@
- .br