diff -up at-3.1.12/at.c.pam at-3.1.12/at.c --- at-3.1.12/at.c.pam 2009-12-03 10:34:52.714284767 +0100 +++ at-3.1.12/at.c 2009-12-03 10:36:38.736257590 +0100 @@ -318,26 +318,19 @@ writefile(time_t runtimer, char queue) * bit. Yes, this is a kluge. */ cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR); - seteuid(real_uid); + if ((seteuid(effective_uid)) < 0) + perr("Error in seteuid: %s", errno); if ((fd = open(atfile, O_CREAT | O_EXCL | O_TRUNC | O_WRONLY, S_IRUSR)) == -1) perr("Cannot create atjob file %.500s", atfile); - seteuid(effective_uid); if ((fd2 = dup(fd)) < 0) perr("Error in dup() of job file"); - /* if (fchown(fd2, real_uid, real_gid) != 0) - perr("Cannot give away file"); - */ + perr("Cannot give real_uid and real_gid the file"); PRIV_END - /* We no longer need suid root; now we just need to be able to write - * to the directory, if necessary. - */ - - REDUCE_PRIV(daemon_uid, daemon_gid) /* We've successfully created the file; let's set the flag so it * gets removed in case of an interrupt or error. */ @@ -661,7 +654,7 @@ process_jobs(int argc, char **argv, int We need the unprivileged uid here since the file is owned by the real (not effective) uid. */ - setregid(real_gid, effective_gid); + PRIV_START if (queue == '=') { fprintf(stderr, "Warning: deleting running job\n"); @@ -670,8 +663,8 @@ process_jobs(int argc, char **argv, int perr("Cannot unlink %.500s", dirent->d_name); rc = EXIT_FAILURE; } + PRIV_END - setregid(effective_gid, real_gid); done = 1; break; @@ -681,7 +674,7 @@ process_jobs(int argc, char **argv, int FILE *fp; int ch; - setregid(real_gid, effective_gid); + PRIV_START fp = fopen(dirent->d_name, "r"); if (fp) { @@ -694,7 +687,7 @@ process_jobs(int argc, char **argv, int perr("Cannot open %.500s", dirent->d_name); rc = EXIT_FAILURE; } - setregid(effective_gid, real_gid); + PRIV_END } break; diff -up at-3.1.12/atd.c.pam at-3.1.12/atd.c --- at-3.1.12/atd.c.pam 2009-12-03 10:36:45.265284508 +0100 +++ at-3.1.12/atd.c 2009-12-03 10:38:52.276261175 +0100 @@ -111,7 +111,7 @@ static int run_as_daemon = 0; static volatile sig_atomic_t term_signal = 0; -#ifdef HAVE_PAM +#ifdef WITH_PAM #include static pam_handle_t *pamh = NULL; @@ -120,15 +120,7 @@ static const struct pam_conv conv = { NULL }; -#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ - fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \ - syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ - pam_end(pamh, retcode); exit(1); \ - } -#define PAM_END { retcode = pam_close_session(pamh,0); \ - pam_end(pamh,retcode); } - -#endif /* HAVE_PAM */ +#endif /* WITH_PAM */ /* Signal handlers */ RETSIGTYPE @@ -234,7 +226,7 @@ run_file(const char *filename, uid_t uid char queue; char fmt[64]; unsigned long jobno; -#ifdef HAVE_PAM +#ifdef WITH_PAM int retcode; #endif @@ -395,16 +387,11 @@ run_file(const char *filename, uid_t uid fstat(fd_out, &buf); size = buf.st_size; -#ifdef HAVE_PAM +#ifdef WITH_PAM PRIV_START - retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); - PAM_FAIL_CHECK; - retcode = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_FAIL_CHECK; - retcode = pam_open_session(pamh, PAM_SILENT); - PAM_FAIL_CHECK; - retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); - PAM_FAIL_CHECK; + PAM_HANDLING; + closelog(); + openlog("atd", LOG_PID, LOG_ATD); PRIV_END #endif @@ -419,7 +406,15 @@ run_file(const char *filename, uid_t uid else if (pid == 0) { char *nul = NULL; char **nenvp = &nul; + char **pam_envp=0L; + PRIV_START +#ifdef WITH_PAM + pam_envp = pam_getenvlist(pamh); + if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) ) + nenvp = pam_envp; +#endif + PRIV_END /* Set up things for the child; we want standard input from the * input file, and standard output and error sent to our output file. */ @@ -460,7 +455,16 @@ run_file(const char *filename, uid_t uid if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) perr("Exec failed for /bin/sh"); - +#ifdef WITH_PAM + if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L)) + { + for( nenvp = pam_envp; *nenvp != 0L; nenvp++) + free(*nenvp); + free( pam_envp ); + nenvp = &nul; + pam_envp=0L; + } +#endif PRIV_END } /* We're the parent. Let's wait. @@ -474,7 +478,7 @@ run_file(const char *filename, uid_t uid */ waitpid(pid, (int *) NULL, 0); -#ifdef HAVE_PAM +#ifdef WITH_PAM PRIV_START pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); retcode = pam_close_session(pamh, PAM_SILENT); @@ -503,6 +507,14 @@ run_file(const char *filename, uid_t uid if (fd_in != STDOUT_FILENO && fd_in != STDERR_FILENO) close(fd_in); +#ifdef WITH_PAM + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); + pam_close_session(pamh, PAM_SILENT); + pam_end(pamh, PAM_ABORT); + closelog(); + openlog("atd", LOG_PID, LOG_ATD); +#endif + unlink(filename); /* The job is now finished. We can delete its input file. @@ -511,8 +523,19 @@ run_file(const char *filename, uid_t uid unlink(newname); free(newname); +#ifdef ATD_MAIL_PROGRAM if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) { + int mail_pid = -1; +#ifdef WITH_PAM + PAM_HANDLING; + closelog(); + openlog("atd", LOG_PID, LOG_ATD); +#endif + + mail_pid = fork(); + if ( mail_pid == 0 ) + { PRIV_START if (initgroups(pentry->pw_name, pentry->pw_gid)) @@ -537,7 +560,23 @@ run_file(const char *filename, uid_t uid perr("Exec failed for mail command"); PRIV_END + } + else if ( mail_pid == -1 ) { + perr("fork of mailer failed"); + } + else { + /* Parent */ + waitpid(mail_pid, (int *) NULL, 0); + } +#ifdef WITH_PAM + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); + pam_close_session(pamh, PAM_SILENT); + pam_end(pamh, PAM_ABORT); + closelog(); + openlog("atd", LOG_PID, LOG_ATD); +#endif } +#endif exit(EXIT_SUCCESS); } diff -up at-3.1.12/config.h.in.pam at-3.1.12/config.h.in --- at-3.1.12/config.h.in.pam 2009-11-23 16:11:52.000000000 +0100 +++ at-3.1.12/config.h.in 2009-12-03 10:34:36.373265254 +0100 @@ -68,8 +68,8 @@ /* Define to 1 if you have the header file. */ #undef HAVE_NLIST_H -/* Define to 1 for PAM support */ -#undef HAVE_PAM +/* Define if you are building with_pam */ +#undef WITH_PAM /* Define to 1 if you have the `pstat_getdynamic' function. */ #undef HAVE_PSTAT_GETDYNAMIC diff -up at-3.1.12/configure.ac.pam at-3.1.12/configure.ac --- at-3.1.12/configure.ac.pam 2009-11-23 16:11:52.000000000 +0100 +++ at-3.1.12/configure.ac 2009-12-03 10:34:36.373265254 +0100 @@ -84,7 +84,7 @@ AC_FUNC_GETLOADAVG AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid) AC_CHECK_HEADERS(security/pam_appl.h, [ PAMLIB="-lpam" - AC_DEFINE(HAVE_PAM, 1, [Define to 1 for PAM support]) + AC_DEFINE(WITH_PAM, 1, [Define to 1 for PAM support]) ]) dnl Checking for programs @@ -238,6 +238,13 @@ AC_ARG_WITH(daemon_username, ) AC_SUBST(DAEMON_USERNAME) +AC_ARG_WITH(pam, +[ --with-pam Define to enable pam support ], +AC_DEFINE(WITH_PAM), +) +AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc') +AC_SUBST(PAMLIB) + AC_MSG_CHECKING(groupname to run under) AC_ARG_WITH(daemon_groupname, [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ], diff -up at-3.1.12/perm.c.pam at-3.1.12/perm.c --- at-3.1.12/perm.c.pam 2009-11-23 16:11:52.000000000 +0100 +++ at-3.1.12/perm.c 2009-12-03 10:34:36.373265254 +0100 @@ -51,6 +51,14 @@ #define PRIV_END while(0) #endif +#ifdef WITH_PAM +#include +static pam_handle_t *pamh = NULL; +static const struct pam_conv conv = { + NULL +}; +#endif + /* Structures and unions */ @@ -108,18 +116,51 @@ user_in_file(const char *path, const cha int check_permission() { - uid_t uid = geteuid(); + uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid(); struct passwd *pentry; int allow = 0, deny = 1; - if (uid == 0) + int retcode = 0; + if (euid == 0) return 1; - if ((pentry = getpwuid(uid)) == NULL) { + if ((pentry = getpwuid(euid)) == NULL) { perror("Cannot access user database"); exit(EXIT_FAILURE); } +#ifdef WITH_PAM +/* + * We must check if the atd daemon userid will be allowed to gain the job owner user's + * credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access. + */ + if (setreuid(daemon_uid, daemon_uid) != 0) { + fprintf(stderr, "cannot set egid: %s", strerror(errno)); + exit(1); + } + if (setregid(daemon_gid, daemon_gid) != 0) { + fprintf(stderr, "cannot set euid: %s", strerror(errno)); + exit(1); + } + + pam_close_session(pamh,PAM_SILENT); + + PAM_HANDLING; + + pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); + pam_close_session(pamh,PAM_SILENT); + pam_end(pamh, PAM_ABORT); + + if (setregid(gid,egid) != 0) { + fprintf(stderr, "cannot set egid: %s", strerror(errno)); + exit(1); + } + if (setreuid(uid,euid) != 0) { + fprintf(stderr, "cannot set euid: %s", strerror(errno)); + exit(1); + } +#endif + allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name); if (allow==0 || allow==1) return allow; diff -up at-3.1.12/privs.h.pam at-3.1.12/privs.h --- at-3.1.12/privs.h.pam 2009-11-23 16:11:52.000000000 +0100 +++ at-3.1.12/privs.h 2009-12-03 10:34:36.374266484 +0100 @@ -144,3 +144,61 @@ extern gid_t real_gid, effective_gid, da #error "Cannot implement user ID swapping without setreuid or setresuid" #endif #endif + +#ifdef WITH_PAM +/* PAM failed after session was open. */ +#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \ + pam_close_session(pamh,PAM_SILENT); + +/* syslog will be logging error messages */ +#ifdef HAVE_UNISTD_H +#include +#endif + +/* PAM fail even before opening the session */ +#define PAM_FAIL_CHECK \ + do { if (retcode != PAM_SUCCESS) { \ + fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ + if (pamh) \ + pam_end(pamh, retcode); \ + if (setregid(getgid(),getegid()) != 0) { \ + fprintf(stderr, "cannot set egid: %s", strerror(errno)); \ + exit(1); \ + } \ + if (setreuid(getuid(),geteuid()) != 0) { \ + fprintf(stderr, "cannot set euid: %s", strerror(errno)); \ + exit(1); \ + } \ + exit(1); \ + } \ + } while (0) \ + +/* PAM - check after every operation whether they passed */ +#define PAM_HANDLING \ + do { pamh = NULL; \ + retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); \ + PAM_FAIL_CHECK; \ + retcode = pam_set_item(pamh, PAM_TTY, "atd"); \ + PAM_FAIL_CHECK; \ + retcode = pam_acct_mgmt(pamh, PAM_SILENT); \ + PAM_FAIL_CHECK; \ + retcode = pam_open_session(pamh, PAM_SILENT); \ + PAM_FAIL_CHECK; \ + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); \ + PAM_SESSION_FAIL; \ + PAM_FAIL_CHECK; \ + } while (0) + +/* OLD FAIL_CHECK ONLY FOR perm.c + * define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ + * fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \ + * syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ + * if (pamh) \ + * pam_end(pamh, retcode); \ + * exit(1); \ + * } + */ + +#endif +