Hello community,
here is the log from the commit of package at for openSUSE:Factory
checked in at Thu Jan 8 14:50:33 CET 2009.
--------
--- at/at.changes 2008-10-08 18:35:05.000000000 +0200
+++ /mounts/work_src_done/STABLE/at/at.changes 2009-01-08 10:39:31.000000000 +0100
@@ -1,0 +2,5 @@
+Thu Jan 8 10:38:35 CET 2009 - prusnak@suse.cz
+
+- corrected selinux.patch [bnc#463521]
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
at-3.1.8.dif
at-3.1.8-eal3-manpages.dif
at-3.1.8-formatbugs.dif
at-3.1.8_massive_batch.patch
at-3.1.8-pam.diff
at-documentation-dir.diff
at-selinux-20040909.patch
New:
----
at-3.1.8-documentation-dir.patch
at-3.1.8-eal3-manpages.patch
at-3.1.8-formatbugs.patch
at-3.1.8-massive_batch.patch
at-3.1.8-pam.patch
at-3.1.8.patch
at-3.1.8-selinux.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ at.spec ++++++
--- /var/tmp/diff_new_pack.I13681/_old 2009-01-08 14:50:05.000000000 +0100
+++ /var/tmp/diff_new_pack.I13681/_new 2009-01-08 14:50:05.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package at (Version 3.1.8)
#
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -26,24 +26,24 @@
Group: System/Daemons
AutoReqProv: on
Version: 3.1.8
-Release: 1068
+Release: 1069
Summary: A Job Manager
Source: at_3.1.8-11.tar.gz
Source1: atd.init
Source2: atd.pamd
Source3: sysconfig.atd
-Patch: at-%{version}.dif
-Patch1: at-%{version}-bison.patch
-Patch2: at-%{version}-delete_r.patch
-Patch3: at-%{version}-ttime.patch
-Patch4: at-%{version}-joblist.patch
-Patch6: at-selinux-20040909.patch
-Patch7: at-%{version}-pie.patch
-Patch8: at-%{version}-eal3-manpages.dif
-Patch9: at-%{version}-formatbugs.dif
-Patch10: at-3.1.8-pam.diff
-Patch11: at-3.1.8_massive_batch.patch
-Patch12: at-documentation-dir.diff
+Patch0: %{name}-%{version}.patch
+Patch1: %{name}-%{version}-bison.patch
+Patch2: %{name}-%{version}-delete_r.patch
+Patch3: %{name}-%{version}-ttime.patch
+Patch4: %{name}-%{version}-joblist.patch
+Patch5: %{name}-%{version}-selinux.patch
+Patch6: %{name}-%{version}-pie.patch
+Patch7: %{name}-%{version}-eal3-manpages.patch
+Patch8: %{name}-%{version}-formatbugs.patch
+Patch9: %{name}-%{version}-pam.patch
+Patch10: %{name}-%{version}-massive_batch.patch
+Patch11: %{name}-%{version}-documentation-dir.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: /usr/sbin/useradd /usr/sbin/groupadd %fillup_prereq %insserv_prereq
@@ -60,29 +60,30 @@
Siggy Brentrup
%prep
-%setup
-%patch
+%setup -q
+%patch0
%patch1
%patch2
%patch3
%patch4
-%patch6 -p1
-%patch7 -p1
+%patch5
+%patch6
+%patch7
%patch8
%patch9
%patch10
%patch11
-%patch12 -p1
%build
%{?suse_update_config:%{suse_update_config -f}}
rm -fv y.tab.c y.tab.h lex.yy.c lex.yy.o y.tab.o
autoconf
-export CFLAGS="$RPM_OPT_FLAGS"
export SENDMAIL=/usr/sbin/sendmail
-./configure --prefix=%{_prefix} --with-pam --with-selinux \
- --with-daemon_username=at --with-daemon_groupname=at \
- --mandir=%{_mandir}
+%configure \
+ --with-pam \
+ --with-selinux \
+ --with-daemon_username=at \
+ --with-daemon_groupname=at
make
%install
@@ -148,6 +149,8 @@
/var/adm/fillup-templates/sysconfig.atd
%changelog
+* Thu Jan 08 2009 prusnak@suse.cz
+- corrected selinux.patch [bnc#463521]
* Wed Oct 08 2008 bwalle@suse.de
- Fix documentation directory in at(1).
* Mon Sep 01 2008 puzel@suse.cz
@@ -225,7 +228,7 @@
- don't activate by default
* Mon May 19 2003 ro@suse.de
- fix filelist
-* Tue May 13 2003 ro@suse.de
+* Mon May 12 2003 ro@suse.de
- use defattr
* Tue Mar 11 2003 ro@suse.de
- fix postinstall for updates (appeared in #24653)
++++++ at-3.1.8-bison.patch ++++++
--- /var/tmp/diff_new_pack.I13681/_old 2009-01-08 14:50:05.000000000 +0100
+++ /var/tmp/diff_new_pack.I13681/_new 2009-01-08 14:50:05.000000000 +0100
@@ -1,5 +1,5 @@
---- parsetime.y Thu Nov 7 11:06:27 2002
-+++ parsetime.y Thu Nov 7 11:08:43 2002
+--- parsetime.y
++++ parsetime.y
@@ -63,6 +63,7 @@
time_or_not : time
++++++ at-3.1.8-documentation-dir.patch ++++++
--- at.1.in
+++ at.1.in
@@ -117,7 +117,7 @@
.B at 1am tomorrow.
.PP
The exact definition of the time specification can be found in
-.IR @prefix@/share/doc/at/timespec .
+.IR @prefix@/share/doc/packages/at/timespec .
.PP
For both
.BR at " and " batch ,
++++++ at-3.1.8-eal3-manpages.dif -> at-3.1.8-eal3-manpages.patch ++++++
--- at/at-3.1.8-eal3-manpages.dif 2006-01-13 00:16:45.000000000 +0100
+++ /mounts/work_src_done/STABLE/at/at-3.1.8-eal3-manpages.patch 2009-01-06 12:32:15.000000000 +0100
@@ -1,6 +1,5 @@
-diff -purN at-3.1.8.orig/at.allow.5 at-3.1.8/at.allow.5
---- at.allow.5 1970-01-01 01:00:00.000000000 +0100
-+++ at.allow.5 2003-11-24 12:25:51.000000000 +0100
+--- at.allow.5
++++ at.allow.5
@@ -0,0 +1,36 @@
+.Id $Id: at.allow.5,v 1.1 1997/09/28 20:00:28 ig25 Exp $
+.TH AT.ALLOW 5 "Sep 1997" "" "Linux Programmer's Manual"
@@ -38,9 +37,8 @@
+.BR cron (8),
+.BR crontab (1),
+.BR atd (8).
-diff -purN at-3.1.8.orig/at.deny.5 at-3.1.8/at.deny.5
---- at.deny.5 1970-01-01 01:00:00.000000000 +0100
-+++ at.deny.5 2003-11-24 12:25:51.000000000 +0100
+--- at.deny.5
++++ at.deny.5
@@ -0,0 +1,36 @@
+.Id $Id: at.allow.5,v 1.1 1997/09/28 20:00:28 ig25 Exp $
+.TH AT.ALLOW 5 "Sep 1997" "" "Linux Programmer's Manual"
++++++ at-3.1.8-formatbugs.dif -> at-3.1.8-formatbugs.patch ++++++
--- at/at-3.1.8-formatbugs.dif 2006-01-13 00:16:45.000000000 +0100
+++ /mounts/work_src_done/STABLE/at/at-3.1.8-formatbugs.patch 2009-01-06 12:32:16.000000000 +0100
@@ -1,19 +1,6 @@
---- panic.h.xx 2005-02-05 10:12:44.870410055 +0100
-+++ panic.h 2005-02-05 10:18:18.327308607 +0100
-@@ -26,7 +26,9 @@
- #ifdef HAVE_ATTRIBUTE_NORETURN
- __attribute__((noreturn))
- #endif
--perr(const char *a, ...);
-+perr(const char *a, ...)
-+__attribute__((__format__(printf,1,2)))
-+;
- void
- #ifdef HAVE_ATTRIBUTE_NORETURN
- __attribute__((noreturn))
---- atd.c.xx 2005-02-05 10:19:11.235056781 +0100
-+++ atd.c 2005-02-05 10:19:20.048518592 +0100
-@@ -330,7 +330,7 @@
+--- atd.c
++++ atd.c
+@@ -293,7 +293,7 @@
if (buf.st_nlink > 2) {
perr("Someboy is trying to run a linked script for job %8lu (%.500s)",
@@ -22,8 +9,8 @@
}
if ((fflags = fcntl(fd_in, F_GETFD)) < 0)
perr("Error in fcntl");
---- daemon.h.xx 2005-02-05 10:20:28.592475730 +0100
-+++ daemon.h 2005-02-05 10:20:19.283988448 +0100
+--- daemon.h
++++ daemon.h
@@ -5,12 +5,12 @@
#ifdef HAVE_ATTRIBUTE_NORETURN
__attribute__((noreturn))
@@ -39,3 +26,16 @@
+perr (const char *fmt, ...) __attribute__((__format__(printf,1,2)));
extern int daemon_debug;
+--- panic.h
++++ panic.h
+@@ -26,7 +26,9 @@
+ #ifdef HAVE_ATTRIBUTE_NORETURN
+ __attribute__((noreturn))
+ #endif
+-perr(const char *a, ...);
++perr(const char *a, ...)
++__attribute__((__format__(printf,1,2)))
++;
+ void
+ #ifdef HAVE_ATTRIBUTE_NORETURN
+ __attribute__((noreturn))
++++++ at-3.1.8-massive_batch.patch ++++++
--- atd.c
+++ atd.c
@@ -140,9 +140,10 @@
static double load_avg = LOADAVG_MX;
static time_t now;
static time_t last_chg;
-static int nothing_to_do;
+static int nothing_to_do = 0;
unsigned int batch_interval;
static int run_as_daemon = 0;
+static int hupped = 0;
static volatile sig_atomic_t term_signal = 0;
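Review bot: `hupped` is written from the SIGHUP handler (`set_hup`, later in this patch) and polled in the main loop, yet it is declared a plain `static int`, and the handler also clears `nothing_to_do`; only `term_signal` on the next line gets the `volatile sig_atomic_t` treatment. Without `volatile` the compiler is free to keep `hupped` in a register across the `sleep()` loop, and a write to a non-`sig_atomic_t` object from a handler is not guaranteed to be atomic. Declare it `static volatile sig_atomic_t hupped = 0;` and consider the same for `nothing_to_do`, whose remaining uses are outside this hunk.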
@@ -155,9 +156,10 @@
}
RETSIGTYPE
-sdummy(int dummy)
+set_hup(int dummy)
{
- /* Empty signal handler */
+ hupped = 1;
+ nothing_to_do = 0;
return;
}
@@ -765,6 +767,7 @@
return next_job;
last_chg = buf.st_mtime;
+ hupped = 0;
if ((spool = opendir(".")) == NULL)
perr("Cannot read " ATJOB_DIR);
@@ -989,7 +992,7 @@
*/
sigaction(SIGHUP, NULL, &act);
- act.sa_handler = sdummy;
+ act.sa_handler = set_hup;
sigaction(SIGHUP, &act, NULL);
sigaction(SIGTERM, NULL, &act);
@@ -1005,9 +1008,10 @@
do {
now = time(NULL);
next_invocation = run_loop();
- if (next_invocation > now) {
+ if ((next_invocation > now) && (!hupped)) {
sleep(next_invocation - now);
}
+ hupped = 0;
} while (!term_signal);
daemon_cleanup();
exit(EXIT_SUCCESS);
++++++ at-3.1.8-pam.patch ++++++
--- Makefile.in
+++ Makefile.in
@@ -28,6 +28,7 @@
LEX = @LEX@
LEXLIB = @LEXLIB@
SELINUXLIB = @SELINUXLIB@
+PAMLIB = @PAMLIB@
CC = @CC@
CFLAGS = @CFLAGS@
@@ -73,7 +74,7 @@
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB)
+ $(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
--- atd.c
+++ atd.c
@@ -93,6 +93,20 @@
#include
#endif
+#ifdef WITH_PAM
+#include
+static pam_handle_t *pamh = NULL;
+static const struct pam_conv conv = {
+ NULL
+};
+#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+ fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+ syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+ pam_close_session(pamh, PAM_SILENT); \
+ pam_end(pamh, retcode); exit(1); \
+ }
+#endif
+
/* Local headers */
#include "privs.h"
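Review bot: `conv` is initialised with a NULL conversation callback, but the same patch later calls `pam_acct_mgmt` and `pam_open_session` with it; an account or session module that wants to message the user (password-expiry warnings are the usual case) finds a NULL function pointer, and whether that becomes PAM_CONV_ERR or a crash depends on the module, so supply a stub that refuses prompts. `PAM_FAIL_CHECK` also calls `pam_close_session` on every failure, including a failed `pam_start` or `pam_acct_mgmt` where no session was opened, so session modules see a close without a matching open and `pamh` may not even be valid after a failed `pam_start`. The `fprintf(stderr, ...)` adds little once this function has closed its standard descriptors further down, so the syslog line should be the only report. Wrap the macro in `do { } while (0)`, track whether a session is open (set the flag after each successful `pam_open_session`, clear it at teardown), and close only then.
```c
/* atd has nobody to talk to: refuse any prompt instead of leaving a NULL callback */
static int atd_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    return PAM_CONV_ERR;
}
static const struct pam_conv conv = { atd_conv, NULL };
static int pam_session_open = 0;
#define PAM_FAIL_CHECK do { if (retcode != PAM_SUCCESS) { \
    syslog(LOG_ERR, "%s", pam_strerror(pamh, retcode)); \
    if (pam_session_open) pam_close_session(pamh, PAM_SILENT); \
    pam_end(pamh, retcode); exit(EXIT_FAILURE); \
    } } while (0)
```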
@@ -102,6 +116,10 @@
#include "getloadavg.h"
#endif
+#ifndef LOG_ATD
+#define LOG_ATD LOG_DAEMON
+#endif
+
/* Macros */
#define BATCH_INTERVAL_DEFAULT 60
@@ -195,6 +213,19 @@
#define fork myfork
#endif
+#undef ATD_MAIL_PROGRAM
+#undef ATD_MAIL_NAME
+#if defined(SENDMAIL)
+#define ATD_MAIL_PROGRAM SENDMAIL
+#define ATD_MAIL_NAME "sendmail"
+#elif defined(MAILC)
+#define ATD_MAIL_PROGRAM MAILC
+#define ATD_MAIL_NAME "mail"
+#elif defined(MAILX)
+#define ATD_MAIL_PROGRAM MAILX
+#define ATD_MAIL_NAME "mailx"
+#endif
+
static void
run_file(const char *filename, uid_t uid, gid_t gid)
{
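Review bot: `ATD_MAIL_PROGRAM` and `ATD_MAIL_NAME` are defined here but no hunk of this patch uses them; the mailer is still started with `execl(SENDMAIL, "sendmail", ...)` further down, inside the same `#if defined(SENDMAIL)` ladder this block duplicates. If the rest of atd.c does not reference them either, drop the block, or make the exec go through them so the MAILC/MAILX variants share one path: `execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);`.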
@@ -217,6 +248,9 @@
int ngid;
char queue;
unsigned long jobno;
+#ifdef WITH_PAM
+ int retcode;
+#endif
sscanf(filename, "%c%5lx", &queue, &jobno);
@@ -361,6 +395,23 @@
fstat(fd_out, &buf);
size = buf.st_size;
+#ifdef WITH_PAM
+ PRIV_START
+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item(pamh, PAM_TTY, "atd");
+ PAM_FAIL_CHECK;
+ retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_FAIL_CHECK;
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
+ PRIV_END
+#endif
+
close(STDIN_FILENO);
close(STDOUT_FILENO);
close(STDERR_FILENO);
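Review bot: `pam_setcred(PAM_ESTABLISH_CRED)` is called after `pam_open_session`; pam_setcred(3) documents that credentials are to be established after authentication and before the session is opened, which is the order login and cron use, and the teardown later in this patch mirrors this reversed order. Swap the two steps: `retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); PAM_FAIL_CHECK; retcode = pam_open_session(pamh, PAM_SILENT); PAM_FAIL_CHECK;`. A failing `pam_acct_mgmt` (expired or locked account) ends in `exit(1)` from the macro; given the `exit(EXIT_SUCCESS)` at the end of `run_file`, this appears to be the forked per-job process, so the job is dropped rather than the daemon, but that decision deserves a syslog line naming `pentry->pw_name`, which the macro currently omits.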
@@ -372,6 +423,16 @@
else if (pid == 0) {
char *nul = NULL;
char **nenvp = &nul;
+#ifdef WITH_PAM
+ char **pam_envp=0L;
+#endif
+
+ PRIV_START
+#ifdef WITH_PAM
+ pam_envp = pam_getenvlist(pamh);
+ if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) )
+ nenvp = pam_envp;
+#endif
/* Set up things for the child; we want standard input from the
* input file, and standard output and error sent to our output file.
@@ -394,8 +455,6 @@
if (chdir(ATJOB_DIR) < 0)
perr("Cannot chdir to " ATJOB_DIR);
- PRIV_START
-
nice((tolower((int) queue) - 'a' + 1) * 2);
if (initgroups(pentry->pw_name, pentry->pw_gid))
@@ -485,6 +544,24 @@
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
perr("Exec failed for /bin/sh");
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ if (setexeccon(NULL) < 0) {
+ perr("Could not resset exec context for user %s\n", pentry->pw_name);
+ }
+ }
+#endif
+
+#ifdef WITH_PAM
+ if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L))
+ {
+ for( nenvp = pam_envp; *nenvp != 0L; nenvp++)
+ free(*nenvp);
+ free( pam_envp );
+ nenvp = &nul;
+ pam_envp=0L;
+ }
+#endif
PRIV_END
}
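Review bot: everything after the `execle("/bin/sh", ...)` call in this hunk is unreachable: on success exec does not return, and on failure `perr()` is declared `noreturn` in this package's panic.h/daemon.h, so the SELinux `setexeccon(NULL)` reset and the loop freeing `pam_envp` never run. Freeing the environment is also pointless in a child about to exec, and the reset this replaces (the post-`waitpid` block the patch removes) ran in the parent, not here. Delete both blocks, or if the reset is meant for the parent, put it back after `waitpid`.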
/* We're the parent. Let's wait.
@@ -498,13 +575,6 @@
*/
waitpid(pid, (int *) NULL, 0);
-#ifdef WITH_SELINUX
- if (selinux_enabled>0) {
- if (setexeccon(NULL) < 0) {
- perr("Could not reset exec context for user %s\n", pentry->pw_name);
- }
- }
-#endif
/* Send mail. Unlink the output file after opening it, so it
* doesn't hang around after the run.
*/
@@ -514,6 +584,14 @@
unlink(filename);
+#ifdef WITH_PAM
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+ pam_close_session(pamh, PAM_SILENT);
+ pam_end(pamh, PAM_ABORT);
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
+#endif
+
/* The job is now finished. We can delete its input file.
*/
chdir(ATJOB_DIR);
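Review bot: the normal teardown passes `PAM_ABORT` to `pam_end`; per pam_end(3) that status is handed to the module cleanup callbacks and signals an abnormal termination, so modules may skip or alter their cleanup. Use `pam_end(pamh, PAM_SUCCESS);` on this path and keep `PAM_ABORT` for the failure macro. Set `pamh = NULL;` afterwards as well, since the same handle variable is reused for the mailer session further down.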
@@ -522,7 +600,31 @@
if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
+ int mail_pid = -1;
+
+#ifdef WITH_PAM
PRIV_START
+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item(pamh, PAM_TTY, "atd");
+ PAM_FAIL_CHECK;
+ retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_open_session(pamh, PAM_SILENT);
+ PAM_FAIL_CHECK;
+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ PAM_FAIL_CHECK;
+ /* PAM has now re-opened our log to auth.info ! */
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
+ PRIV_END
+#endif
+
+ mail_pid = fork();
+
+ if ( mail_pid == 0 )
+ {
+ PRIV_START
if (initgroups(pentry->pw_name, pentry->pw_gid))
perr("Cannot delete saved userids");
@@ -535,6 +637,47 @@
chdir ("/");
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ security_context_t user_context=NULL;
+ security_context_t file_context=NULL;
+ int retval=0;
+ struct av_decision avd;
+
+ if (get_default_context(pentry->pw_name, NULL, &user_context))
+ perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+ perr("fgetfilecon FAILED %s", filename);
+
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ if (security_getenforce()==1)
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ }
+
+ if (setexeccon(user_context) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ }
+ }
+ freecon(user_context);
+ }
+#endif
+
#if defined(SENDMAIL)
execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
#elif defined(MAILC)
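Review bot: the SELinux block in the mailer child still uses `get_default_context()` and a single entrypoint check, while the corrected at-3.1.8-selinux.patch in this same commit (bnc#463521) iterates `get_ordered_context_list_with_level()` for the job itself, so the two paths can disagree on which context a user gets. The entrypoint check here is made on `STDIN_FILENO`, which in this branch appears to be the job's output file being fed to the mailer rather than the job script, so an `entrypoint` denial on every output file looks likely in enforcing mode; confirm that is intended. The comment block is copied verbatim from crond and should describe atd: `/* The mailer runs in the user's context; verify the file on stdin may serve as an entrypoint for it, as crond does for crontabs. */`. Factoring both SELinux paths into one static helper would remove the divergence.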
@@ -546,7 +689,33 @@
#endif
perr("Exec failed for mail command");
- PRIV_END
+ exit (-1);
+
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ if (setexeccon(NULL) < 0) {
+ perr("Could not resset exec context for user %s\n", pentry->pw_name);
+ }
+ }
+#endif
+
+ PRIV_END;
+ } else if ( mail_pid == -1 )
+ {
+ perr("fork of mailer failed");
+ }
+ else
+ {
+ /* Parent */
+ waitpid(mail_pid, (int *) NULL, 0);
+ }
+#ifdef WITH_PAM
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+ pam_close_session(pamh, PAM_SILENT);
+ pam_end(pamh, PAM_ABORT);
+ closelog();
+ openlog("atd", LOG_PID, LOG_ATD);
+#endif
}
exit(EXIT_SUCCESS);
}
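Review bot: in the mailer child, `perr("Exec failed for mail command")` is `noreturn`, so the `exit (-1)`, the SELinux reset and the `PRIV_END;` after it never execute; `exit(-1)` would also surface as status 255, so `EXIT_FAILURE` is the right value if the line is kept. The parent waits for `mail_pid` but discards the status, so a mailer that dies leaves no trace beyond what the child managed to log; capture it: `int st; waitpid(mail_pid, &st, 0); if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) syslog(LOG_WARNING, "mailer for job %8lu failed", jobno);`.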
@@ -741,7 +910,7 @@
#ifdef WITH_SELINUX
selinux_enabled=is_selinux_enabled();
-#endif
+#endif
/* We don't need root privileges all the time; running under uid and gid
* daemon is fine.
*/
@@ -758,12 +927,7 @@
RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid)
-#ifndef LOG_CRON
-#define LOG_CRON LOG_DAEMON
-#endif
-
- openlog("atd", LOG_PID, LOG_CRON);
-
+ openlog("atd", LOG_PID, LOG_ATD);
opterr = 0;
errno = 0;
run_as_daemon = 1;
--- config.h.in
+++ config.h.in
@@ -187,3 +187,7 @@
/* Define if you are building with_selinux */
#undef WITH_SELINUX
+
+/* Define if you are building with_pam */
+#undef WITH_PAM
+
--- configure.in
+++ configure.in
@@ -323,4 +323,11 @@
AC_SUBST(SELINUXLIB)
AC_SUBST(WITH_SELINUX)
+AC_ARG_WITH(pam,
+[ --with-pam Define to enable pam support ],
+AC_DEFINE(WITH_PAM),
+)
+AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
+AC_SUBST(PAMLIB)
+
AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
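Review bot: `--with-pam` defines `WITH_PAM` unconditionally while `AC_CHECK_LIB` sets `PAMLIB` independently of the option, so a build with `--with-pam` and no libpam fails only at link time, and a build without the option still links `-lpam -lpam_misc` when they happen to exist. No `pam_misc` symbol is used anywhere in this patch (the conversation struct is NULL), so `-lpam_misc` is an unneeded dependency. Tie the define to the library check inside the option: `AC_ARG_WITH(pam, [ --with-pam Define to enable pam support ], [AC_CHECK_LIB(pam, pam_start, [PAMLIB=-lpam; AC_DEFINE(WITH_PAM)], [AC_MSG_ERROR([--with-pam requested but libpam not found])])])`.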
--- perm.c
+++ perm.c
@@ -109,14 +109,15 @@
int
check_permission()
{
- uid_t uid = geteuid();
+ uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid();
struct passwd *pentry;
int allow = 0, deny = 1;
+ int retcode=0;
- if (uid == 0)
+ if (euid == 0)
return 1;
- if ((pentry = getpwuid(uid)) == NULL) {
+ if ((pentry = getpwuid(euid)) == NULL) {
perror("Cannot access user database");
exit(EXIT_FAILURE);
}
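Review bot: the rewritten declaration introduces `uid`, `egid`, `gid` and `retcode`, but none of them is used in this hunk, and the rest of `check_permission` lies outside it; if they stay unused below, drop them rather than leave the reader guessing whether the real uid was meant to replace `euid` in the `getpwuid` lookup. The rename to `euid` itself changes nothing: `at` is installed setuid root per this package's Makefile, and presumably runs here with privileges relinquished, so `geteuid()` is the unprivileged id the check should see — worth confirming against privs.h.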
++++++ at-3.1.8_massive_batch.patch -> at-3.1.8.patch ++++++
--- at/at-3.1.8_massive_batch.patch 2008-04-08 17:35:15.000000000 +0200
+++ /mounts/work_src_done/STABLE/at/at-3.1.8.patch 2006-01-13 00:16:45.000000000 +0100
@@ -1,58 +1,225 @@
-Index: atd.c
-===================================================================
---- atd.c.orig 2008-04-08 17:29:40.000000000 +0200
-+++ atd.c 2008-04-08 17:30:39.611014070 +0200
-@@ -140,9 +140,10 @@ static char rcsid[] = "$Id: atd.c,v 1.28
- static double load_avg = LOADAVG_MX;
- static time_t now;
- static time_t last_chg;
--static int nothing_to_do;
-+static int nothing_to_do = 0;
- unsigned int batch_interval;
- static int run_as_daemon = 0;
-+static int hupped = 0;
-
+--- Makefile.in
++++ Makefile.in
+@@ -87,37 +87,35 @@
+ $(CC) -c $(CFLAGS) $(DEFS) $*.c
+
+ install: all
+- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(etcdir)
+- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(bindir)
+- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(sbindir)
+- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(docdir)
+- $(INSTALL) -g root -o root -m 755 -d $(IROOT)$(atdocdir)
++ $(INSTALL) -m 755 -d $(IROOT)$(etcdir)
++ $(INSTALL) -m 755 -d $(IROOT)$(bindir)
++ $(INSTALL) -m 755 -d $(IROOT)$(sbindir)
++ $(INSTALL) -m 755 -d $(IROOT)$(docdir)
++ $(INSTALL) -m 755 -d $(IROOT)$(atdocdir)
+ $(INSTALL) -m 755 -d $(IROOT)$(ATJOB_DIR)
+- $(INSTALL) -g $(DAEMON_GROUPNAME) -o $(DAEMON_USERNAME) -m 755 -d $(IROOT)$(ATSPOOL_DIR)
++ $(INSTALL) -m 755 -d $(IROOT)$(ATSPOOL_DIR)
+ chmod 700 $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR)
+- chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(ATJOB_DIR) $(IROOT)$(ATSPOOL_DIR)
+ touch $(IROOT)$(LFILE)
+ chmod 600 $(IROOT)$(LFILE)
+- chown $(DAEMON_USERNAME):$(DAEMON_GROUPNAME) $(IROOT)$(LFILE)
+- test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL) -o root -m 600 at.deny $(IROOT)$(etcdir)/
+- $(INSTALL) -g root -o root -m 4755 -s at $(IROOT)$(bindir)
++ test -f $(IROOT)$(etcdir)/at.allow || test -f $(IROOT)$(etcdir)/at.deny || $(INSTALL) -m 600 at.deny $(IROOT)$(etcdir)/
++ $(INSTALL) -m 4755 at $(IROOT)$(bindir)
+ $(LN_S) -f at $(IROOT)$(bindir)/atq
+ $(LN_S) -f at $(IROOT)$(bindir)/atrm
+- $(INSTALL) -g root -o root -m 755 batch $(IROOT)$(bindir)
+- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man1dir)
+- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man5dir)
+- $(INSTALL) -d -o root -g root -m 755 $(IROOT)$(man8dir)
+- $(INSTALL) -g root -o root -m 755 -s atd $(IROOT)$(sbindir)
+- $(INSTALL) -g root -o root -m 755 atrun $(IROOT)$(sbindir)
+- $(INSTALL) -g root -o root -m 644 at.1 $(IROOT)$(man1dir)/
++ $(INSTALL) -m 755 batch $(IROOT)$(bindir)
++ $(INSTALL) -d -m 755 $(IROOT)$(man1dir)
++ $(INSTALL) -d -m 755 $(IROOT)$(man5dir)
++ $(INSTALL) -d -m 755 $(IROOT)$(man8dir)
++ $(INSTALL) -m 755 atd $(IROOT)$(sbindir)
++ $(INSTALL) -m 755 atrun $(IROOT)$(sbindir)
++ $(INSTALL) -m 644 at.1 $(IROOT)$(man1dir)/
+ cd $(IROOT)$(man1dir) && $(LN_S) -f at.1 atq.1 && $(LN_S) -f at.1 batch.1 && $(LN_S) -f at.1 atrm.1
+- $(INSTALL) -g root -o root -m 644 atd.8 $(IROOT)$(man8dir)/
++ $(INSTALL) -m 644 atd.8 $(IROOT)$(man8dir)/
+ sed "s,\$${exec_prefix},$(exec_prefix),g" tmpman
+- $(INSTALL) -g root -o root -m 644 tmpman $(IROOT)$(man8dir)/atrun.8
++ $(INSTALL) -m 644 tmpman $(IROOT)$(man8dir)/atrun.8
+ rm -f tmpman
+- $(INSTALL) -g root -o root -m 644 at_allow.5 $(IROOT)$(man5dir)/
+- cd $(IROOT)$(man5dir) && $(LN_S) -f at_allow.5 at_deny.5
+- $(INSTALL) -g root -o root -m 644 $(DOCS) $(IROOT)$(atdocdir)
++ $(INSTALL) -m 644 at.allow.5 $(IROOT)$(man5dir)/
++ $(INSTALL) -m 644 at.deny.5 $(IROOT)$(man5dir)/
++ $(INSTALL) -m 644 $(DOCS) $(IROOT)$(atdocdir)
+ rm -f $(IROOT)$(mandir)/cat1/at.1* $(IROOT)$(mandir)/cat1/batch.1* \
+ $(IROOT)$(mandir)/cat1/atq.1*
+ rm -f $(IROOT)$(mandir)/cat1/atd.8*
+--- Problems
++++ Problems
+@@ -5,7 +5,7 @@
+
+ make -f Makefile.old install
+
+-- You may not have a user or group 'daemon' on your system.
++- You may not have a user or group 'at' on your system.
+
+ - If you find numerous 'try again' error messages in your syslog files,
+ you have too many processes running; recompile your kernel for a
+--- README
++++ README
+@@ -23,7 +23,7 @@
+
+ The old one is to put
+
+-* * * * 0,5,10,15,20,25,30,35,40,45,50,55 /usr/lib/atrun
++* * * * 0,5,10,15,20,25,30,35,40,45,50,55 /usr/sbin/atrun
+
+ into root's crontab file (or wherever you put the atrun binary;
+ don't forget to start up cron.)
+--- atd.c
++++ atd.c
+@@ -1,4 +1,4 @@
+-/*
++/*
+ * atd.c - run jobs queued by at; run with root privileges.
+ * Copyright (C) 1993, 1994, 1996 Thomas Koenig
+ *
+@@ -22,7 +22,7 @@
+ #include "config.h"
+ #endif
+
+-/*
++/*
+ * /usr/bin/mail aka /usr/bin/mailx require the subject to be
+ * specified on the command line instead of reading it from stdin like
+ * /usr/sbin/sendmail does. For now simply disable MAILC and MAILX,
+@@ -121,14 +121,14 @@
static volatile sig_atomic_t term_signal = 0;
-@@ -155,9 +156,10 @@ set_term(int dummy)
+ /* Signal handlers */
+-RETSIGTYPE
++RETSIGTYPE
+ set_term(int dummy)
+ {
+ term_signal = 1;
+ return;
}
- RETSIGTYPE
--sdummy(int dummy)
-+set_hup(int dummy)
+-RETSIGTYPE
++RETSIGTYPE
+ sdummy(int dummy)
{
-- /* Empty signal handler */
-+ hupped = 1;
-+ nothing_to_do = 0;
- return;
+ /* Empty signal handler */
+@@ -156,7 +156,7 @@
+ }
+ return;
}
+-
++
-@@ -737,6 +739,7 @@ run_loop()
- return next_job;
- last_chg = buf.st_mtime;
-
-+ hupped = 0;
- if ((spool = opendir(".")) == NULL)
- perr("Cannot read " ATJOB_DIR);
+ /* Local functions */
+
+@@ -196,7 +196,7 @@
+ */
+ pid_t pid;
+ int fd_out, fd_in;
+- char mailbuf[9], jobbuf[9];
++ char mailbuf[17], jobbuf[9];
+ char *mailname = NULL;
+ char *newname;
+ FILE *stream;
+@@ -290,7 +290,12 @@
+ if ((fflags = fcntl(fd_in, F_GETFD)) < 0)
+ perr("Error in fcntl");
+
+- fcntl(fd_in, F_SETFD, fflags & ~FD_CLOEXEC);
++ /*
++ ** fcntl(fd_in, F_SETFD, fflags & ~FD_CLOEXEC);
++ ** What's that? This fcntl() removes the CLOSE_ON_EXEC flag.
++ */
++ if(fcntl(fd_in, F_SETFD, fflags | FD_CLOEXEC) < 0)
++ perr("Error in fcntl");
+
+ /*
+ * If the spool directory is mounted via NFS `atd' isn't able to
+@@ -299,7 +304,7 @@
+ * NFS and works with local file systems. It's not clear where
+ * the bug is located. -Joey
+ */
+- if (fscanf(stream, "#!/bin/sh\n# atrun uid=%d gid=%d\n# mail %8s %d",
++ if (fscanf(stream, "#!/bin/sh\n# atrun uid=%d gid=%d\n# mail %16s %d",
+ &nuid, &ngid, mailbuf, &send_mail) != 4)
+ pabort("File %.500s is in wrong format - aborting",
+ filename);
+@@ -328,7 +333,7 @@
+ perr("Cannot chdir to " ATSPOOL_DIR);
+
+ /* Create a file to hold the output of the job we are about to run.
+- * Write the mail header. Complain in case
++ * Write the mail header. Complain in case
+ */
-@@ -961,7 +964,7 @@ main(int argc, char *argv[])
+ if (unlink(filename) != -1) {
+@@ -343,7 +348,7 @@
+ write_string(fd_out, "Subject: Output from your job ");
+ write_string(fd_out, jobbuf);
+ write_string(fd_out, "\nTo: ");
+- write_string(fd_out, mailname);
++ write_string(fd_out, mailname);
+ write_string(fd_out, "\n\n");
+ fstat(fd_out, &buf);
+ size = buf.st_size;
+@@ -394,6 +399,9 @@
+ if (setuid(uid) < 0)
+ perr("Cannot set user id");
+
++ if (SIG_ERR == signal(SIGCHLD, SIG_DFL))
++ perr("Cannot reset signal handler to default");
++
+ chdir("/");
+
+ if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
+@@ -408,7 +416,7 @@
+
+ /* We inherited the master's SIGCHLD handler, which does a
+ non-blocking waitpid. So this blocking one will eventually
+- return with an ECHILD error.
++ return with an ECHILD error.
*/
+ waitpid(pid, (int *) NULL, 0);
- sigaction(SIGHUP, NULL, &act);
-- act.sa_handler = sdummy;
-+ act.sa_handler = set_hup;
- sigaction(SIGHUP, &act, NULL);
-
- sigaction(SIGTERM, NULL, &act);
-@@ -977,9 +980,10 @@ main(int argc, char *argv[])
- do {
- now = time(NULL);
- next_invocation = run_loop();
-- if (next_invocation > now) {
-+ if ((next_invocation > now) && (!hupped)) {
- sleep(next_invocation - now);
- }
-+ hupped = 0;
- } while (!term_signal);
- daemon_cleanup();
- exit(EXIT_SUCCESS);
+@@ -557,7 +565,8 @@
+ /* Something went wrong the last time this was executed.
+ * Let's remove the lockfile and reschedule.
+ */
+- strncpy(lock_name, dirent->d_name, sizeof(lock_name));
++ strncpy(lock_name, dirent->d_name, sizeof(lock_name)-1);
++ lock_name[sizeof(lock_name)-1] = 0;
+ lock_name[0] = '=';
+ unlink(lock_name);
+ next_job = now;
+@@ -591,7 +600,8 @@
+ */
+ run_batch++;
+ if (strcmp(batch_name, dirent->d_name) > 0) {
+- strncpy(batch_name, dirent->d_name, sizeof(batch_name));
++ strncpy(batch_name, dirent->d_name, sizeof(batch_name)-1);
++ batch_name[sizeof(batch_name)-1] = 0;
+ batch_uid = buf.st_uid;
+ batch_gid = buf.st_gid;
+ batch_queue = queue;
+--- configure.in
++++ configure.in
+@@ -126,7 +126,7 @@
+ fi
+
+ AC_MSG_CHECKING(location of spool directory)
+-if test -d /var/spool/atjobs ; then
++if test -d /var/spool ; then
+ sp=/var/spool
+ AC_DEFINE(SPOOLDIR, "/var/spool")
+ AC_MSG_RESULT(Using existing /var/spool/at{jobs|run})
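Review bot: the widened `%16s` still truncates silently when a login name is longer than 16 characters (glibc permits up to `LOGIN_NAME_MAX`), and because the next directive is `%d`, a name whose remainder happens to be digits still satisfies all four conversions, with the job's output then addressed to the truncated prefix. Size the buffer to the system limit instead, `char mailbuf[LOGIN_NAME_MAX + 1];` with a matching literal width in the format, or check after the `fscanf` that the character following the name is whitespace. The commented-out `fcntl` line and the rhetorical comment above the `FD_CLOEXEC` call should become a why-comment: `/* Keep the job file from leaking into the job's shell; the child gets it via dup2() onto stdin. */`. The `run_file` body continues outside this hunk.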
++++++ at-3.1.8-pie.patch ++++++
--- /var/tmp/diff_new_pack.I13681/_old 2009-01-08 14:50:05.000000000 +0100
+++ /var/tmp/diff_new_pack.I13681/_new 2009-01-08 14:50:05.000000000 +0100
@@ -1,6 +1,6 @@
---- at-3.1.8/Makefile.in.pie 2004-05-12 11:11:07.690785433 +0200
-+++ at-3.1.8/Makefile.in 2004-05-12 11:23:10.367957697 +0200
-@@ -69,13 +69,13 @@
+--- Makefile.in
++++ Makefile.in
+@@ -67,13 +67,13 @@
all: at atd atrun
at: $(ATOBJECTS)
@@ -16,7 +16,7 @@
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
-@@ -87,7 +87,7 @@
+@@ -85,7 +85,7 @@
configure
.c.o:
++++++ at-3.1.8-selinux.patch ++++++
--- Makefile.in
+++ Makefile.in
@@ -27,6 +27,7 @@
YACC = @YACC@
LEX = @LEX@
LEXLIB = @LEXLIB@
+SELINUXLIB = @SELINUXLIB@
CC = @CC@
CFLAGS = @CFLAGS@
@@ -72,7 +73,7 @@
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS)
+ $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(SELINUXLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
--- atd.c
+++ atd.c
@@ -85,6 +85,14 @@
#include
#endif
+#ifdef WITH_SELINUX
+#include
+#include
+int selinux_enabled=0;
+#include
+#include
+#endif
+
/* Local headers */
#include "privs.h"
@@ -404,6 +412,76 @@
chdir("/");
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ security_context_t file_context=NULL;
+ security_context_t *context_list=NULL;
+ security_context_t current_con=NULL;
+ int retval=0, list_count=0, i;
+ struct av_decision avd;
+ char *seuser=NULL, *level=NULL;
+
+ if (getseuserbyname(pentry->pw_name, &seuser, &level))
+ perr("getseuserbyname FAILED for %s\n", pentry->pw_name);
+
+ if(getcon(¤t_con)) {
+ free(seuser);
+ free(level);
+ perr("Can't get current context");
+ }
+ list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list);
+ freecon(current_con);
+ free(seuser);
+ free(level);
+ if (list_count == -1) {
+ if (security_getenforce() > 0)
+ perr("Couldn't get security context for user %s\n", pentry->pw_name);
+ else
+ syslog(LOG_WARNING, "Couldn't get security context for user %s, but in permissive mode", pentry->pw_name);
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (list_count != -1) {
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
+ if (security_getenforce() > 0)
+ perr("fgetfilecon FAILED for user %s", pentry->pw_name);
+ }
+
+ for(i = 0; i < list_count; i++) {
+ retval = security_compute_av(context_list[i],
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ if (!retval && ((FILE__ENTRYPOINT & avd.allowed) == FILE__ENTRYPOINT))
+ break;
+ }
+ }
+ freecon(file_context);
+ if (list_count != -1 && (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))) {
+ if (security_getenforce()==1)
+ perr("Not allowed to set exec context for user %s\n", pentry->pw_name);
+ else
+ syslog(LOG_WARNING, "Not allowed to set exec context for user %s, but in permissive mode", pentry->pw_name);
+ }
+
+ if ((list_count != -1 || retval) && setexeccon(context_list[i]) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", context_list[i], pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", context_list[i], pentry->pw_name);
+ }
+ }
+ freeconary(context_list);
+ }
+#endif
+
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
perr("Exec failed for /bin/sh");
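Review bot: when no context in `context_list` passes the entrypoint check, the loop leaves `i == list_count`, so in permissive mode `setexeccon(context_list[i])` indexes the terminating NULL entry and the failure message formats it with `%s`; and when `get_ordered_context_list_with_level` returns 0 the loop never runs and `avd.allowed` is read uninitialised in the `list_count != -1` test. The `|| retval` in the final condition is dead as well, since `retval` is still 0 whenever `list_count == -1`. Track whether a context was found and call `setexeccon` only with that one; in permissive mode with no match the job then runs in atd's own context, which is what the current code reaches through the NULL. The dup2 of the job file onto stdin that `fgetfilecon(STDIN_FILENO)` relies on is outside this hunk.
```c
int found = 0;
/* … unchanged: seuser/level lookup, getcon(), get_ordered_context_list_with_level() … */
if (list_count > 0) {
    if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
        if (security_getenforce() > 0)
            perr("fgetfilecon FAILED for user %s", pentry->pw_name);
    }
    for (i = 0; i < list_count; i++) {
        retval = security_compute_av(context_list[i], file_context,
                                     SECCLASS_FILE, FILE__ENTRYPOINT, &avd);
        if (!retval && (avd.allowed & FILE__ENTRYPOINT) == FILE__ENTRYPOINT) {
            found = 1;
            break;
        }
    }
}
freecon(file_context);
if (list_count != -1 && !found) {
    if (security_getenforce() == 1)
        perr("Not allowed to set exec context for user %s\n", pentry->pw_name);
    else
        syslog(LOG_WARNING, "Not allowed to set exec context for user %s, but in permissive mode", pentry->pw_name);
}
if (found && setexeccon(context_list[i]) < 0) {
    /* … unchanged: enforcing/permissive error reporting … */
}
freeconary(context_list);
```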
@@ -420,6 +498,13 @@
*/
waitpid(pid, (int *) NULL, 0);
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ if (setexeccon(NULL) < 0) {
+ perr("Could not reset exec context for user %s\n", pentry->pw_name);
+ }
+ }
+#endif
/* Send mail. Unlink the output file after opening it, so it
* doesn't hang around after the run.
*/
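Review bot: this `setexeccon(NULL)` runs in the parent after `waitpid`, but the only `setexeccon` call in this patch sits in the forked child of the previous hunk, and the exec context is per-process, so unless atd sets one elsewhere before the fork the parent has nothing to reset and the block is a no-op that implies a state the parent never holds. Either drop it or mark it as defensive: `/* Defensive only: the child set its own exec context; the parent never did. */`. The PAM patch in this package removes the block again, which points the same way.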
@@ -654,6 +739,9 @@
struct passwd *pwe;
struct group *ge;
+#ifdef WITH_SELINUX
+ selinux_enabled=is_selinux_enabled();
+#endif
/* We don't need root privileges all the time; running under uid and gid
* daemon is fine.
*/
--- config.h.in
+++ config.h.in
@@ -184,3 +184,6 @@
#undef DEFAULT_BATCH_QUEUE
#undef HAVE_ATTRIBUTE_NORETURN
+
+/* Define if you are building with_selinux */
+#undef WITH_SELINUX
--- configure.in
+++ configure.in
@@ -315,4 +315,12 @@
)
AC_SUBST(DAEMON_GROUPNAME)
+AC_ARG_WITH(selinux,
+[ --with-selinux Define to run with selinux],
+AC_DEFINE(WITH_SELINUX),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
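Review bot: `AC_DEFINE(WITH_SELINUX)` fires on `--with-selinux` even when `AC_CHECK_LIB(selinux, ...)` finds nothing, so a misconfigured build fails only at link time, and `AC_SUBST(WITH_SELINUX)` substitutes a shell variable that nothing ever sets. Nest the define under the library check and drop the stray substitution: `AC_ARG_WITH(selinux, [ --with-selinux Define to run with selinux], [AC_CHECK_LIB(selinux, is_selinux_enabled, [SELINUXLIB=-lselinux; AC_DEFINE(WITH_SELINUX)], [AC_MSG_ERROR([--with-selinux requested but libselinux not found])])])`.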
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++