rpms/at/devel at-3.1.10-PIE.patch, NONE, 1.1 at-3.1.10-pamfix.patch, NONE, 1.1 at-3.1.10-setuids.patch, NONE, 1.1 at.spec, 1.61, 1.62

Marcela Mašláňová (mmaslano) fedora-extras-commits at redhat.com
Mon Jan 14 09:09:23 UTC 2008


Author: mmaslano

Update of /cvs/pkgs/rpms/at/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20555

Modified Files:
	at.spec 
Added Files:
	at-3.1.10-PIE.patch at-3.1.10-pamfix.patch 
	at-3.1.10-setuids.patch 
Log Message:
- used PIE instead of pie (with pie the build did not succeed on 64-bit)
- rewrite PAM fail check
- fix checking of settings setuid(s)



at-3.1.10-PIE.patch:

--- NEW FILE at-3.1.10-PIE.patch ---
diff -up at-3.1.10/Makefile.in.PIE at-3.1.10/Makefile.in
--- at-3.1.10/Makefile.in.PIE	2008-01-08 09:53:24.000000000 +0100
+++ at-3.1.10/Makefile.in	2008-01-08 09:53:53.000000000 +0100
@@ -68,13 +68,13 @@ LIST = Filelist Filelist.asc
 all: at atd atrun
 
 at: $(ATOBJECTS)
-	$(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
+	$(CC) $(CFLAGS) -o at -PIE $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
 	rm -f $(CLONES)
 	$(LN_S) -f at atq
 	$(LN_S) -f at atrm
 
 atd: $(RUNOBJECTS)
-	$(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
+	$(CC) $(CFLAGS) -o atd -PIE $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
 
 y.tab.c y.tab.h: parsetime.y
 	$(YACC) -d parsetime.y
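Review bot: The link lines for `at` and `atd` now pass `-PIE`, which is not a GCC driver option I know of; the link-time switch is `-pie`, and `-fPIE` (changed in the second hunk) is its compile-time counterpart. If the driver only warns about or drops the unknown option, both binaries link as fixed-address executables and lose load-address randomisation, which matters because the spec installs `at` with mode 4755 owned by root. I would keep `-pie` on both link lines, e.g. `$(CC) $(CFLAGS) -o at -pie $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)`, and confirm that `readelf -h` reports type DYN for the built `at` and `atd`.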
@@ -86,7 +86,7 @@ atrun: atrun.in
 	configure
 
 .c.o:
-	$(CC) -c $(CFLAGS) -fpie $(DEFS) $*.c
+	$(CC) -c $(CFLAGS) -fPIE $(DEFS) $*.c
 
 install: all
 	$(INSTALL) -m 755 -d $(IROOT)$(etcdir)

at-3.1.10-pamfix.patch:

--- NEW FILE at-3.1.10-pamfix.patch ---
diff -up at-3.1.10/atd.c.pamfix at-3.1.10/atd.c
--- at-3.1.10/atd.c.pamfix	2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/atd.c	2008-01-09 14:56:57.000000000 +0100
@@ -131,15 +131,17 @@ static const struct pam_conv conv = {
 };
 
 #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
-	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+	fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \
 	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
-	pam_close_session(pamh, PAM_SILENT); \
-	pam_end(pamh, retcode); exit(1); \
+    if (pamh) \
+        pam_end(pamh, retcode); \
+    exit(1); \
     }
-#define PAM_END { retcode = pam_close_session(pamh,0); \
-		pam_end(pamh,retcode); }
 
-#endif /* WITH_PAM */
+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+    pam_close_session(pamh, PAM_SILENT);
+
+#endif /* end WITH_PAM */
 
 /* Signal handlers */
 RETSIGTYPE 
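Review bot: `PAM_FAIL_CHECK` and the new `PAM_SESSION_FAIL` are bare `if` statements, and every call site writes `PAM_SESSION_FAIL;`, so each use expands to an `if` plus an empty statement; that works in straight-line code but misbinds as soon as a call sits inside an unbraced `if`/`else`. Wrapping both in `do { ... } while (0)` removes the hazard, e.g. `#define PAM_SESSION_FAIL do { if (retcode != PAM_SUCCESS) pam_close_session(pamh, PAM_SILENT); } while (0)`. The hunk also deletes `PAM_END`, so any remaining use outside the visible hunks would stop compiling and is worth a grep. perm.c redefines the same pair of macros with the same shape.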
@@ -408,6 +410,7 @@ run_file(const char *filename, uid_t uid
 
 //add for fedora, removed HAVE_PAM
 #ifdef  WITH_PAM
+    pamh = NULL;
     retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
     PAM_FAIL_CHECK;
     retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -415,8 +418,10 @@ run_file(const char *filename, uid_t uid
     retcode = pam_acct_mgmt(pamh, PAM_SILENT);
     PAM_FAIL_CHECK;
     retcode = pam_open_session(pamh, PAM_SILENT);
+    PAM_SESSION_FAIL;
     PAM_FAIL_CHECK;
     retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+    PAM_SESSION_FAIL;
     PAM_FAIL_CHECK;
     closelog();
     openlog("atd", LOG_PID, LOG_ATD);
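Review bot: The `PAM_SESSION_FAIL;` placed directly after `pam_open_session()` calls `pam_close_session()` on a session that has just failed to open; only the one after `pam_setcred()` has an open session to close. Session modules may not expect a close without a matching open, so I would drop the first `PAM_SESSION_FAIL;` and keep the second, with a comment such as `/* session is open here; close it before PAM_FAIL_CHECK exits */`. The same pairing recurs in the @@ -617 hunk of atd.c and in check_permission() in perm.c. run_file() begins and ends outside this hunk.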
@@ -610,6 +615,7 @@ run_file(const char *filename, uid_t uid
 	int mail_pid = -1;
 //add for fedora
 #ifdef  WITH_PAM
+       pamh = NULL;
        retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
        PAM_FAIL_CHECK;
        retcode = pam_set_item(pamh, PAM_TTY, "atd");
@@ -617,8 +623,10 @@ run_file(const char *filename, uid_t uid
        retcode = pam_acct_mgmt(pamh, PAM_SILENT);
        PAM_FAIL_CHECK;
        retcode = pam_open_session(pamh, PAM_SILENT);
+       PAM_SESSION_FAIL;
        PAM_FAIL_CHECK;
        retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+       PAM_SESSION_FAIL;
        PAM_FAIL_CHECK;
         /* PAM has now re-opened our log to auth.info ! */
        closelog();
diff -up at-3.1.10/perm.c.pamfix at-3.1.10/perm.c
--- at-3.1.10/perm.c.pamfix	2008-01-09 14:56:57.000000000 +0100
+++ at-3.1.10/perm.c	2008-01-09 15:58:54.000000000 +0100
@@ -134,17 +134,34 @@ check_permission()
  *  We must check if the atd daemon userid will be allowed to gain the job owner user's
  *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
  */
-  setreuid(daemon_uid, daemon_uid);
-  setregid(daemon_gid, daemon_gid);
+  if (setreuid(daemon_uid, daemon_uid) != 0) {
+      fprintf(stderr, "cannot set egid: %s", strerror(errno));
+      exit(1);
+  }
+  if (setregid(daemon_gid, daemon_gid) != 0) {
+      fprintf(stderr, "cannot set euid: %s", strerror(errno));
+      exit(1);
+  }
 
 # define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
-                              fprintf(stderr,"PAM authentication failure: %s\n",pam_strerror(pamh, retcode)); \
-			      pam_close_session(pamh,PAM_SILENT); \
-                              pam_end(pamh, retcode); \
-                               setregid(gid,egid); \
-                               setreuid(uid,euid); \
-                               return(0); \
-                           }
+     fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
+     if (pamh) \
+         pam_end(pamh, retcode); \
+     if (setregid(gid,egid) != 0) { \
+         fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     if (setreuid(uid,euid) != 0) { \
+         fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
+         exit(1); \
+     } \
+     return(0); \
+     }
+
+# define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
+      pam_close_session(pamh,PAM_SILENT);
+
+  pamh = NULL;
   retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
   PAM_FAIL_CHECK;
   retcode = pam_set_item(pamh, PAM_TTY, "atd");
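Review bot: The two error messages added at the top of this hunk are swapped: a failed `setreuid(daemon_uid, daemon_uid)` prints `cannot set egid` and a failed `setregid(daemon_gid, daemon_gid)` prints `cannot set euid`, which will mislead whoever triages the failure. These messages, and the matching ones inside `PAM_FAIL_CHECK`, also lack a trailing newline; the setreuid branch should read `fprintf(stderr, "cannot set euid: %s\n", strerror(errno));`. Because a failed call is now fatal, the order matters as well: the usual practice is to change group IDs before user IDs, since a process already running as daemon_uid may no longer be permitted to change its gid. check_permission() begins and ends outside this hunk, so whether daemon_uid is privileged at this point cannot be confirmed from the diff.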
@@ -152,16 +169,25 @@ check_permission()
   retcode = pam_acct_mgmt(pamh, PAM_SILENT);
   PAM_FAIL_CHECK;
   retcode = pam_open_session(pamh, PAM_SILENT);
+  PAM_SESSION_FAIL;
   PAM_FAIL_CHECK;
   retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+  PAM_SESSION_FAIL;
   PAM_FAIL_CHECK;
 
   pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
   pam_close_session(pamh,PAM_SILENT);
   pam_end(pamh, PAM_ABORT);
 
-  setregid(gid,egid);
-  setreuid(uid,euid);
+  if (setregid(gid,egid) != 0) {
+     fprintf(stderr, "cannot set egid: %s", strerror(errno));
+     exit(1);
+  }
+  if (setreuid(uid,euid) != 0) {
+     fprintf(stderr, "cannot set euid: %s", strerror(errno));
+     exit(1);
+  }
+
 
 #endif
 

at-3.1.10-setuids.patch:

--- NEW FILE at-3.1.10-setuids.patch ---


Index: at.spec
===================================================================
RCS file: /cvs/pkgs/rpms/at/devel/at.spec,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- at.spec	3 Dec 2007 07:58:16 -0000	1.61
+++ at.spec	14 Jan 2008 09:08:45 -0000	1.62
@@ -6,7 +6,7 @@
 Summary: Job spooling tools
 Name: at
 Version: 3.1.10
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://ftp.debian.org/debian/pool/main/a/at
@@ -29,6 +29,9 @@
 Patch12: at-3.1.10-session.patch
 Patch13: at-3.1.10-havepam.patch
 Patch14: at-3.1.10-pam_keyring.patch
+Patch15: at-3.1.10-PIE.patch
+Patch16: at-3.1.10-pamfix.patch
+Patch17: at-3.1.10-setuids.patch 
 
 BuildRequires: fileutils chkconfig /etc/init.d
 BuildRequires: flex bison autoconf
@@ -77,6 +80,9 @@
 %patch12 -p1 -b .session
 %patch13 -p1 -b .havepam
 %patch14 -p1 -b .pamkeyring
+%patch15 -p1 -b .PIE
+%patch16 -p1 -b .pamfix
+%patch17 -p1 -b .setuids
 
 %build
 # patch10 touches configure.in
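Review bot: `%patch17 -p1 -b .setuids` applies at-3.1.10-setuids.patch, which this commit adds with no content as far as the mail shows (its NEW FILE section is empty). Depending on the patch(1) version an empty input is either a no-op or an error, and in both cases the changelog line about setuid checking is not backed by that file; the setreuid/setregid return-value checks visible in this commit live in the pamfix patch. Either commit the intended content or drop `Patch17` and `%patch17` until it exists.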
@@ -179,6 +185,11 @@
 %attr(4755,root,root)	%{_bindir}/at
 
 %changelog
+* Tue Jan  8 2008 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-20
+- used PIE instead of pie (with pie wasn't build on 64b successful)
+- rewrite PAM fail check
+- fix checking of settings setuid(s)
+
 * Mon Dec  3 2007 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-19
 - another problem with permission
 



