From 2f054d4660a136fcf5e6f70a56ed553128400634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= Date: Wed, 4 Dec 2013 11:56:53 +0100 Subject: [PATCH 1/5] 989201 PAM issue prevents atd sending mail. --- at-3.1.13-pam.patch | 81 +++++++++++++++++------------------------ at-3.1.13-selinux.patch | 51 ++++++++++---------------- at.spec | 5 ++- 3 files changed, 58 insertions(+), 79 deletions(-) diff --git a/at-3.1.13-pam.patch b/at-3.1.13-pam.patch index 0bb3116..052a723 100644 --- a/at-3.1.13-pam.patch +++ b/at-3.1.13-pam.patch @@ -1,6 +1,6 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c ---- at-3.1.13/at.c.pam 2012-04-19 16:50:57.491000001 +0200 -+++ at-3.1.13/at.c 2012-04-19 16:50:57.505000001 +0200 +--- at-3.1.13/at.c.pam 2013-12-03 16:42:16.582903011 +0100 ++++ at-3.1.13/at.c 2013-12-03 16:42:16.585903079 +0100 @@ -141,18 +141,13 @@ sigc(int signo) /* If the user presses ^C, remove the spool file and exit */ @@ -90,8 +90,8 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c break; diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c ---- at-3.1.13/atd.c.pam 2012-04-19 16:50:57.498000001 +0200 -+++ at-3.1.13/atd.c 2012-04-19 16:52:37.209000138 +0200 +--- at-3.1.13/atd.c.pam 2013-12-03 16:42:16.584903056 +0100 ++++ at-3.1.13/atd.c 2013-12-03 16:53:42.835351089 +0100 @@ -111,7 +111,7 @@ static int run_as_daemon = 0; static volatile sig_atomic_t term_signal = 0; 
@@ -174,25 +174,20 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c nice((tolower((int) queue) - 'a' + 1) * 2); if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -458,7 +449,16 @@ run_file(const char *filename, uid_t uid +@@ -456,9 +447,9 @@ run_file(const char *filename, uid_t uid - if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) - perr("Exec failed for /bin/sh"); + chdir("/"); + +- if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) +- perr("Exec failed for /bin/sh"); - -+#ifdef WITH_PAM -+ if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L)) -+ { -+ for( nenvp = pam_envp; *nenvp != 0L; nenvp++) -+ free(*nenvp); -+ free( pam_envp ); -+ nenvp = &nul; -+ pam_envp=0L; -+ } -+#endif ++ execle("/bin/sh", "sh", (char *) NULL, nenvp); ++ perr("Exec failed for /bin/sh"); ++ /* perr exits, the PRIV_END is just for nice form */ PRIV_END } /* We're the parent. Let's wait. -@@ -471,14 +471,6 @@ run_file(const char *filename, uid_t uid +@@ -471,14 +462,6 @@ run_file(const char *filename, uid_t uid */ waitpid(pid, (int *) NULL, 0); 
@@ -207,52 +202,44 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c /* Send mail. Unlink the output file after opening it, so it * doesn't hang around after the run. */ -@@ -509,8 +501,20 @@ run_file(const char *filename, uid_t uid +@@ -509,8 +492,13 @@ run_file(const char *filename, uid_t uid unlink(newname); free(newname); +#ifdef ATD_MAIL_PROGRAM if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) { + int mail_pid = -1; -+#ifdef WITH_PAM -+ AT_START_PAM; -+ AT_OPEN_PAM_SESSION; -+ closelog(); -+ openlog("atd", LOG_PID, LOG_ATD); -+#endif -+ -+ mail_pid = fork(); -+ if ( mail_pid == 0 ) -+ { ++ mail_pid = fork(); ++ ++ if ( mail_pid == 0 ) { PRIV_START if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -535,7 +539,21 @@ run_file(const char *filename, uid_t uid +@@ -535,7 +523,20 @@ run_file(const char *filename, uid_t uid perr("Exec failed for mail command"); PRIV_END -+ } -+ else if ( mail_pid == -1 ) { -+ perr("fork of mailer failed"); -+ } -+ else { -+ /* Parent */ -+ waitpid(mail_pid, (int *) NULL, 0); -+ } -+#ifdef WITH_PAM -+ AT_CLOSE_PAM; -+ closelog(); -+ openlog("atd", LOG_PID, LOG_ATD); -+#endif ++ } ++ else if ( mail_pid == -1 ) { ++ syslog(LOG_ERR, "fork of mailer failed: %m"); ++ } ++ /* Parent */ ++ waitpid(mail_pid, (int *) NULL, 0); } ++ ++#ifdef WITH_PAM ++ AT_CLOSE_PAM; ++ closelog(); ++ openlog("atd", LOG_PID, LOG_ATD); ++#endif +#endif exit(EXIT_SUCCESS); } diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in --- at-3.1.13/config.h.in.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/config.h.in 2012-04-19 16:50:57.506000001 +0200 ++++ at-3.1.13/config.h.in 2013-12-03 16:42:16.586903101 +0100 @@ -68,8 +68,8 @@ /* Define to 1 if you have the header file. */ #undef HAVE_NLIST_H 
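Review bot: In the reworked mail block of run_file in atd.c, `waitpid(mail_pid, (int *) NULL, 0);` now also runs when `fork()` failed, so it is called with -1 and waits for any child rather than the mailer. Keep it on the success path with `else { waitpid(mail_pid, (int *) NULL, 0); }`. The `#ifdef WITH_PAM` block holding `AT_CLOSE_PAM` is also nested inside the new `#ifdef ATD_MAIL_PROGRAM`, so a build without a mail program would skip the PAM close. If the session is opened unconditionally earlier in run_file (not visible in this hunk), the close belongs after the outer `#endif`. run_file starts outside the hunk.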
@@ -266,7 +253,7 @@ diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in #undef HAVE_PSTAT_GETDYNAMIC diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac --- at-3.1.13/configure.ac.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/configure.ac 2012-04-19 16:50:57.506000001 +0200 ++++ at-3.1.13/configure.ac 2013-12-03 16:42:16.586903101 +0100 @@ -84,7 +84,7 @@ AC_FUNC_GETLOADAVG AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid) AC_CHECK_HEADERS(security/pam_appl.h, [ @@ -292,7 +279,7 @@ diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ], diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c --- at-3.1.13/perm.c.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/perm.c 2012-04-19 16:53:09.192001742 +0200 ++++ at-3.1.13/perm.c 2013-12-03 16:42:16.586903101 +0100 @@ -51,6 +51,14 @@ #define PRIV_END while(0) #endif @@ -359,7 +346,7 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c return allow; diff -up at-3.1.13/privs.h.pam at-3.1.13/privs.h --- at-3.1.13/privs.h.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/privs.h 2012-04-19 16:53:46.296016675 +0200 ++++ at-3.1.13/privs.h 2013-12-03 16:42:16.586903101 +0100 @@ -144,3 +144,63 @@ extern gid_t real_gid, effective_gid, da #error "Cannot implement user ID swapping without setreuid or setresuid" #endif diff --git a/at-3.1.13-selinux.patch b/at-3.1.13-selinux.patch index 255fe2b..fc1b93c 100644 --- a/at-3.1.13-selinux.patch +++ b/at-3.1.13-selinux.patch @@ -1,6 +1,6 @@ diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c ---- at-3.1.13/atd.c.selinux 2012-11-01 15:11:21.368772308 +0100 -+++ at-3.1.13/atd.c 2012-11-01 15:13:16.809162818 +0100 +--- at-3.1.13/atd.c.selinux 2013-12-03 17:37:14.492141743 +0100 ++++ at-3.1.13/atd.c 2013-12-03 17:49:44.141017027 +0100 @@ -83,6 +83,14 @@ #include "getloadavg.h" #endif 
@@ -85,32 +85,21 @@ diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c static void run_file(const char *filename, uid_t uid, gid_t gid) { -@@ -446,9 +516,23 @@ run_file(const char *filename, uid_t uid - perr("Cannot reset signal handler to default"); +@@ -433,6 +503,13 @@ run_file(const char *filename, uid_t uid + + nice((tolower((int) queue) - 'a' + 1) * 2); - chdir("/"); -- +#ifdef WITH_SELINUX -+ if (selinux_enabled > 0) { -+ if (set_selinux_context(pentry->pw_name, filename) < 0) -+ perr("SELinux Failed to set context\n"); -+ } ++ if (selinux_enabled > 0) { ++ if (set_selinux_context(pentry->pw_name, filename) < 0) ++ perr("SELinux Failed to set context\n"); ++ } +#endif - if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) - perr("Exec failed for /bin/sh"); -+//add for fedora -+#ifdef WITH_SELINUX -+ if (selinux_enabled>0) -+ if (setexeccon(NULL) < 0) -+ if (security_getenforce()==1) -+ perr("Could not resset exec context for user %s\n", pentry->pw_name); -+#endif -+//end -+//add for fedora - #ifdef WITH_PAM - if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L)) - { -@@ -751,6 +835,10 @@ main(int argc, char *argv[]) ++ + if (initgroups(pentry->pw_name, pentry->pw_gid)) + perr("Cannot initialize the supplementary group access list"); + +@@ -734,6 +811,10 @@ main(int argc, char *argv[]) struct passwd *pwe; struct group *ge; @@ -122,8 +111,8 @@ diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c * daemon is fine. */ diff -up at-3.1.13/config.h.in.selinux at-3.1.13/config.h.in ---- at-3.1.13/config.h.in.selinux 2012-11-01 15:11:21.368772308 +0100 -+++ at-3.1.13/config.h.in 2012-11-01 15:11:21.371772392 +0100 +--- at-3.1.13/config.h.in.selinux 2013-12-03 17:37:14.492141743 +0100 ++++ at-3.1.13/config.h.in 2013-12-03 17:37:14.494141788 +0100 @@ -71,6 +71,9 @@ /* Define if you are building with_pam */ #undef WITH_PAM 
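Review bot: The relocated `set_selinux_context()` call in run_file has no comment saying why it now sits before `initgroups()` instead of next to `execle()`, although this ordering decides which context the job starts in. I would add a comment above the `#ifdef WITH_SELINUX`, something like `/* set the exec context before exec; perr() aborts the job if this fails */`. Whether set_selinux_context() itself treats permissive and enforcing mode differently cannot be seen from this hunk, so the comment should state which behaviour is intended. The string passed to perr() here ends in `\n`, unlike the neighbouring perr() calls.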
@@ -135,8 +124,8 @@ diff -up at-3.1.13/config.h.in.selinux at-3.1.13/config.h.in #undef HAVE_PSTAT_GETDYNAMIC diff -up at-3.1.13/configure.ac.selinux at-3.1.13/configure.ac ---- at-3.1.13/configure.ac.selinux 2012-11-01 15:11:21.369772335 +0100 -+++ at-3.1.13/configure.ac 2012-11-01 15:11:21.372772420 +0100 +--- at-3.1.13/configure.ac.selinux 2013-12-03 17:37:14.492141743 +0100 ++++ at-3.1.13/configure.ac 2013-12-03 17:37:14.494141788 +0100 @@ -266,5 +266,13 @@ AC_ARG_WITH(daemon_groupname, ) AC_SUBST(DAEMON_GROUPNAME) @@ -152,8 +141,8 @@ diff -up at-3.1.13/configure.ac.selinux at-3.1.13/configure.ac AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch) AC_OUTPUT diff -up at-3.1.13/Makefile.in.selinux at-3.1.13/Makefile.in ---- at-3.1.13/Makefile.in.selinux 2012-11-01 15:11:21.361772115 +0100 -+++ at-3.1.13/Makefile.in 2012-11-01 15:11:21.372772420 +0100 +--- at-3.1.13/Makefile.in.selinux 2013-12-03 17:37:14.486141608 +0100 ++++ at-3.1.13/Makefile.in 2013-12-03 17:37:14.494141788 +0100 @@ -39,6 +39,8 @@ LIBS = @LIBS@ LIBOBJS = @LIBOBJS@ INSTALL = @INSTALL@ diff --git a/at.spec b/at.spec index e1a2a3a..68694ab 100644 --- a/at.spec +++ b/at.spec @@ -3,7 +3,7 @@ Summary: Job spooling tools Name: at Version: 3.1.13 -Release: 12%{dist} +Release: 13%{dist} # http://packages.debian.org/changelogs/pool/main/a/at/current/copyright # + install-sh is MIT license with changes under Public Domain License: GPLv3+ and GPLv2+ and ISC and MIT and Public Domain @@ -187,6 +187,9 @@ chown daemon:daemon %{_localstatedir}/spool/at/.SEQ %attr(0755,root,root) %{_initrddir}/atd %changelog +* Wed Dec 4 2013 Marcela Mašláňová 3.1.13-13 +- 989201 PAM issue prevents atd sending mail + * Mon Feb 11 2013 Peter Robinson 3.1.13-12 - Fix patch to fix FTBFS with gcc 4.8 From 6059ae801116feec47fd08a8da046f439658bee7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= Date: Wed, 4 Dec 2013 11:59:19 +0100 Subject: [PATCH 2/5] Upload new source. --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 4d9f8d7..ca8821f 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ at_3.1.11.orig.tar.gz at_3.1.12.orig.tar.gz pam_atd /at_3.1.13.orig.tar.gz +/at_3.1.14.orig.tar.gz diff --git a/sources b/sources index 9877be7..c01c6e4 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ b117781fd68e393443b2a8e478c7c22f atd.init ac1471fe22f63f666dc7d31173f47ea0 atd.sysconf 000d2f30379d2bf8af09f51416e863ec pam_atd -1da61af6c29e323abaaf13ee1a8dad79 at_3.1.13.orig.tar.gz +d41cfd79033b6e49a8838add59a42ac6 at_3.1.14.orig.tar.gz From 3fff51d7be8c195a2d7b60e6a42be5a552aff24c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= Date: Wed, 4 Dec 2013 12:09:08 +0100 Subject: [PATCH 3/5] Revert "Upload new source." Mixed branches... This reverts commit 6059ae801116feec47fd08a8da046f439658bee7. --- .gitignore | 1 - sources | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index ca8821f..4d9f8d7 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,3 @@ at_3.1.11.orig.tar.gz at_3.1.12.orig.tar.gz pam_atd /at_3.1.13.orig.tar.gz -/at_3.1.14.orig.tar.gz diff --git a/sources b/sources index c01c6e4..9877be7 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ b117781fd68e393443b2a8e478c7c22f atd.init ac1471fe22f63f666dc7d31173f47ea0 atd.sysconf 000d2f30379d2bf8af09f51416e863ec pam_atd -d41cfd79033b6e49a8838add59a42ac6 at_3.1.14.orig.tar.gz +1da61af6c29e323abaaf13ee1a8dad79 at_3.1.13.orig.tar.gz From 66ca9b4f3e5aecc0db9ec50159265759e24e9f3b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= Date: Wed, 4 Dec 2013 15:15:41 +0100 Subject: [PATCH 4/5] 718422 File a0000f0149b7f3 is in wrong format. --- at-3.1.14-wrong_format.patch | 23 +++++++++++++++++++++++ at.spec | 3 +++ 2 files changed, 26 insertions(+) create mode 100644 at-3.1.14-wrong_format.patch diff --git a/at-3.1.14-wrong_format.patch b/at-3.1.14-wrong_format.patch new file mode 100644 index 0000000..b2a5ef4 --- /dev/null +++ b/at-3.1.14-wrong_format.patch @@ -0,0 +1,23 @@ +diff -up at-3.1.14/atd.c.seg at-3.1.14/atd.c +--- at-3.1.14/atd.c.seg 2013-12-02 14:33:48.650769756 +0100 ++++ at-3.1.14/atd.c 2013-12-02 14:52:49.057437721 +0100 +@@ -752,14 +752,17 @@ run_loop() + /* Is the file already locked? + */ + if (buf.st_nlink > 1) { +- if (run_time + CHECK_INTERVAL <= now) { +- ++ if (buf.st_mtime + CHECK_INTERVAL <= now) { + /* Something went wrong the last time this was executed. + * Let's remove the lockfile and reschedule. ++ * We also change the timestamp to avoid rerunning the job more ++ * than once every CHECK_INTERVAL. + */ + strncpy(lock_name, dirent->d_name, sizeof(lock_name)); + lock_name[sizeof(lock_name)-1] = '\0'; + lock_name[0] = '='; ++ if (utime(lock_name, 0) < 0) ++ syslog(LOG_ERR, "utime couldn't be set for lock file %s\n", lock_name); + unlink(lock_name); + next_job = now; + nothing_to_do = 0; diff --git a/at.spec b/at.spec index 68694ab..9701ae7 100644 --- a/at.spec +++ b/at.spec @@ -28,6 +28,7 @@ Patch8: at-3.1.12-fix_no_export.patch Patch9: at-3.1.13-mailwithhostname.patch Patch10: at-3.1.13-usePOSIXtimers.patch Patch11: at-3.1.13-help.patch +Patch12: at-3.1.14-wrong_format.patch BuildRequires: fileutils /etc/init.d BuildRequires: flex flex-static bison autoconf @@ -81,6 +82,7 @@ cp %{SOURCE1} . %patch9 -p1 -b .mail %patch10 -p1 -b .posix %patch11 -p1 -b .help +%patch12 -p1 -b .wrong %build # patch9 touches configure.in 
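Review bot: In the run_loop hunk of at-3.1.14-wrong_format.patch, `utime(lock_name, 0)` is followed at once by `unlink(lock_name)`, which reads as a no-op unless the reader knows the lock name and the job file share an inode (implied by the `st_nlink > 1` test, not stated). The comment should say so, e.g. `/* the lock is a hard link to the job file, so this bumps the job's mtime */`, assuming that is the layout. The failure message also drops errno; `syslog(LOG_ERR, "utime couldn't be set for lock file %s: %m", lock_name);` would match the `%m` used for the mailer fork failure in patch 1/5, and `NULL` is clearer than `0` for the times argument. run_loop starts and ends outside the hunk.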
@@ -189,6 +191,7 @@ chown daemon:daemon %{_localstatedir}/spool/at/.SEQ %changelog * Wed Dec 4 2013 Marcela Mašláňová 3.1.13-13 - 989201 PAM issue prevents atd sending mail +- 718422 File a0000f0149b7f3 is in wrong format * Mon Feb 11 2013 Peter Robinson 3.1.13-12 - Fix patch to fix FTBFS with gcc 4.8 From 427587fa5593bb3601aba6e8aee33bfc27f0e064 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Sat, 4 Oct 2014 09:06:49 +0200 Subject: [PATCH 5/5] filter environment variables not acceptable in bash input (#1147043) --- at-3.1.10-filter-environment.patch | 26 ++++++++++++++++++++++++++ at.spec | 9 +++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 at-3.1.10-filter-environment.patch diff --git a/at-3.1.10-filter-environment.patch b/at-3.1.10-filter-environment.patch new file mode 100644 index 0000000..55fc669 --- /dev/null +++ b/at-3.1.10-filter-environment.patch @@ -0,0 +1,26 @@ +diff -up at-3.1.10/at.c.filter-environment at-3.1.10/at.c +--- at-3.1.10/at.c.filter-environment 2014-10-02 10:21:01.684890331 +0200 ++++ at-3.1.10/at.c 2014-10-02 10:21:40.678770635 +0200 +@@ -388,6 +388,22 @@ writefile(time_t runtimer, char queue) + int export = 1; + char *eqp; + ++ /* Only accept alphanumerics and underscore in variable names. ++ * Also require the name to not start with a digit. ++ * Some shells don't like other variable names. ++ */ ++ { ++ char *p = *atenv; ++ if (isdigit(*p)) ++ export = 0; ++ for (; *p != '=' && *p != '\0'; ++p) { ++ if (!isalnum(*p) && *p != '_') { ++ export = 0; ++ break; ++ } ++ } ++ } ++ + eqp = strchr(*atenv, '='); + if (ap == NULL) + eqp = *atenv; diff --git a/at.spec b/at.spec index 9701ae7..32881ae 100644 --- a/at.spec +++ b/at.spec 
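Review bot: The name filter added to writefile passes plain `char` to `isdigit()` and `isalnum()`, which is undefined for negative values, and this check decides which variable names reach the generated job script. Use `if (isdigit((unsigned char)*p))` and `if (!isalnum((unsigned char)*p) && *p != '_')`; explicit ASCII range comparisons would also remove the locale dependence of these functions. An entry that begins with `=` (empty name) leaves `export` at 1 because the loop body never runs, so adding `|| *p == '='` to the first test would reject it. The comment could state that the filter protects the shell input being written, not only that some shells dislike such names. writefile continues outside the hunk.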
@@ -3,7 +3,7 @@ Summary: Job spooling tools Name: at Version: 3.1.13 -Release: 13%{dist} +Release: 15%{?dist} # http://packages.debian.org/changelogs/pool/main/a/at/current/copyright # + install-sh is MIT license with changes under Public Domain License: GPLv3+ and GPLv2+ and ISC and MIT and Public Domain @@ -29,6 +29,7 @@ Patch9: at-3.1.13-mailwithhostname.patch Patch10: at-3.1.13-usePOSIXtimers.patch Patch11: at-3.1.13-help.patch Patch12: at-3.1.14-wrong_format.patch +Patch13: at-3.1.10-filter-environment.patch BuildRequires: fileutils /etc/init.d BuildRequires: flex flex-static bison autoconf @@ -83,6 +84,7 @@ cp %{SOURCE1} . %patch10 -p1 -b .posix %patch11 -p1 -b .help %patch12 -p1 -b .wrong +%patch13 -p1 -b .filter-environment %build # patch9 touches configure.in @@ -98,7 +100,7 @@ rm -f lex.yy.* y.tab.* --with-pam %endif -make %{?_smp_mflags} V=1 +make V=1 %install make install \ @@ -189,6 +191,9 @@ chown daemon:daemon %{_localstatedir}/spool/at/.SEQ %attr(0755,root,root) %{_initrddir}/atd %changelog +* Sat Oct 4 2014 Tomáš Mráz - 3.1.13-15 +- filter environment variables not acceptable in bash input (#1147043) + * Wed Dec 4 2013 Marcela Mašláňová 3.1.13-13 - 989201 PAM issue prevents atd sending mail - 718422 File a0000f0149b7f3 is in wrong format
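Review bot: The change from `make %{?_smp_mflags} V=1` to `make V=1` turns off parallel builds but is not mentioned in the commit subject or in the new changelog entry, which only covers the environment filter. A spec comment above the `make` line, such as `# parallel make disabled: <reason>`, would record why and keep the security fix easy to audit on its own. The changelog also goes from 3.1.13-13 to 3.1.13-15 with no -14 entry visible in this hunk.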