Accepting request 207613 from Base:System

Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/207613 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/at?expand=0&rev=58
2013-11-20 09:23:25 +00:00 · 2013-11-20 09:23:25 +00:00 · f763d68deb
commit f763d68deb
parent 995498d0aa e70bb1ac82
3 changed files with 136 additions and 8 deletions
--- a/at-backport-old-privs.patch
+++ b/at-backport-old-privs.patch
@ -0,0 +1,107 @@
+From: Michal Vyskocil <mvyskocil@suse.com>
+Subject: Backport old privs
+
+at since 3.10 have substantially changed the priviledge model, which is tied to
+Debian setup of at. As SUSE does use a different layout, this patch introduces
+back the PRIV_START/PRIV_END + fchown where needed.
+
+References: https://bugzilla.novell.com/show_bug.cgi?id=849720
+
+---
+ at.c |   12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+Index: at-3.1.13/at.c
+===================================================================
+--- at-3.1.13.orig/at.c
+++ at-3.1.13/at.c
+@@ -154,18 +154,11 @@ sigc(int signo)
+ /* If the user presses ^C, remove the spool file and exit 
+  */
+     if (fcreated) {
+-	/*
+         PRIV_START
+ 
+-        We need the unprivileged uid here since the file is owned by the real
+-        (not effective) uid.
+-        */
+-        setregid(real_gid, effective_gid);
+ 	    unlink(atfile);
+-        setregid(effective_gid, real_gid);
+-        /*
+
+ 	PRIV_END
+-        */
+     }
+     exit(EXIT_FAILURE);
+ }
+@@ -325,18 +318,14 @@ writefile(time_t runtimer, char queue)
+ 	 * bit.  Yes, this is a kluge.
+ 	 */
+ 	cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR);
+-        seteuid(real_uid);
+ 	if ((fd = open(atfile, O_CREAT | O_EXCL | O_TRUNC | O_WRONLY, S_IRUSR)) == -1)
+ 	    perr("Cannot create atjob file %.500s", atfile);
+-        seteuid(effective_uid);
+ 
+ 	if ((fd2 = dup(fd)) < 0)
+ 	    perr("Error in dup() of job file");
+ 
+-        /*
+ 	if (fchown(fd2, real_uid, real_gid) != 0)
+ 	    perr("Cannot give away file");
+-        */
+ 
+     PRIV_END
+ 
+@@ -679,11 +668,7 @@ process_jobs(int argc, char **argv, int
+ 		switch (what) {
+ 		case ATRM:
+ 
+-                    /*
+-                    We need the unprivileged uid here since the file is owned by the real
+-                    (not effective) uid.
+-                    */
+-                    setregid(real_gid, effective_gid);
+                    PRIV_START
+ 
+ 		    if (queue == '=') {
+ 			fprintf(stderr, "Warning: deleting running job\n");
+@@ -693,7 +678,7 @@ process_jobs(int argc, char **argv, int
+ 			rc = EXIT_FAILURE;
+ 		    }
+ 
+-                    setregid(effective_gid, real_gid);
+                    PRIV_END
+ 		    done = 1;
+ 
+ 		    break;
+@@ -703,21 +688,25 @@ process_jobs(int argc, char **argv, int
+ 			FILE *fp;
+ 			int ch;
+ 
+-			setregid(real_gid, effective_gid);
+-			fp = fopen(dirent->d_name, "r");
+			PRIV_START
+
+			    fp = fopen(dirent->d_name, "r");
+
+			PRIV_END
+ 
+ 			if (fp) {
+ 			    while ((ch = getc(fp)) != EOF) {
+ 				putchar(ch);
+ 			    }
+ 			    done = 1;
+                            PRIV_START
+ 			    fclose(fp);
+                            PRIV_END
+ 			}
+ 			else {
+ 			    perr("Cannot open %.500s", dirent->d_name);
+ 			    rc = EXIT_FAILURE;
+ 			}
+-			setregid(effective_gid, real_gid);
+ 		    }
+ 		    break;
+ 
--- a/at.changes
+++ b/at.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Nov 12 15:37:29 UTC 2013 - mvyskocil@suse.com
+
+- use old privs model (fixes bnc#849720)
+  * at-backport-old-privs.patch
+- do not install sysvinit script and service file together
+- add sticky bit to atjobs
+
 -------------------------------------------------------------------
 Tue Oct 22 06:38:25 UTC 2013 - meissner@suse.com

--- a/at.spec
+++ b/at.spec
@ -62,6 +62,8 @@ Patch21:        at-makefile-deps.patch
 #PATCH-FIX-OPENSUSE Set pid dir to /run not /var/run
 Patch22:        at-piddir.patch
 Patch23:        at-secure_getenv.patch
+#PATCH-FIX-OPENSUSE backport privs from 3.1.8 (bnc#849720)
+Patch24:        at-backport-old-privs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         %{_sbindir}/useradd %{_sbindir}/groupadd %fillup_prereq %insserv_prereq
 PreReq:         permissions
@ -98,6 +100,8 @@ This program allows you to run jobs at specified times.
 %patch21 -p1
 %patch22
 %patch23 -p1
+%patch24 -p1
+
 %build
 rm -fv y.tab.c y.tab.h lex.yy.c lex.yy.o y.tab.o
 autoreconf -fiv
@ -107,10 +111,11 @@ export SENDMAIL=%{_sbindir}/sendmail
  --with-selinux \
  --with-daemon_username=at \
  --with-daemon_groupname=at
+
 make %{?_smp_mflags}

 %install
-mkdir -p $RPM_BUILD_ROOT/etc/{init.d,pam.d}
+mkdir -p $RPM_BUILD_ROOT/etc/pam.d
 mkdir -p $RPM_BUILD_ROOT/usr/{bin,sbin,share/man/man{1,5,8}}
 mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
 export CFLAGS="$RPM_OPT_FLAGS"
@ -119,15 +124,20 @@ make install IROOT=$RPM_BUILD_ROOT
 # Don't install docs here in this way
 mkdir docs
 mv $RPM_BUILD_ROOT/%{_prefix}/doc/at/* docs/
+
+%if ! %{has_systemd}
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
 install %SOURCE1 $RPM_BUILD_ROOT/etc/init.d/atd
 ln -sf ../../etc/init.d/atd $RPM_BUILD_ROOT%{_sbindir}/rcatd
-install -m644 %SOURCE2 $RPM_BUILD_ROOT/etc/pam.d/atd
-install -m644 %SOURCE3 $RPM_BUILD_ROOT/var/adm/fillup-templates
-%if 0%{?has_systemd}
+%else
 install -D -m 0644 %{S:5} %{buildroot}%{_unitdir}/atd.service
 %{__install} -D -m 0755 %{S:4} %{buildroot}%{_prefix}/lib/systemd/system-sleep/atd.sh
+ln -sf ../../%{_sbindir}/service $RPM_BUILD_ROOT%{_sbindir}/rcatd
 %endif

+install -m644 %SOURCE2 $RPM_BUILD_ROOT/etc/pam.d/atd
+install -m644 %SOURCE3 $RPM_BUILD_ROOT/var/adm/fillup-templates
+
 %pre
 %{_sbindir}/groupadd -g 25 -o -r at 2> /dev/null || :
 %{_sbindir}/useradd -r -o -g at -u 25 -s /bin/bash -c "Batch jobs daemon" -d /var/spool/atjobs at 2> /dev/null || :
@ -148,20 +158,22 @@ if [ -f etc/init.d/at ] ; then
 rm -f etc/init.d/at
 %{insserv_cleanup}
 fi
-%{fillup_and_insserv -n atd atd }
 %set_permissions /usr/bin/at
 %if 0%{?has_systemd}
 %service_add_post atd.service
+%else
+%{fillup_and_insserv -n atd atd }
 %endif

 %verifyscript
 %verify_permissions -e /usr/bin/at

 %postun
-%restart_on_update atd
 %insserv_cleanup
 %if 0%{?has_systemd}
 %service_del_postun atd.service
+%else
+%restart_on_update atd
 %endif

 %files
@ -169,7 +181,6 @@ fi
 %doc Problems Copyright COPYING README ChangeLog timespec
 %config(noreplace) /etc/at.deny
 %{_sbindir}/rcatd
-%config /etc/init.d/atd
 %config %attr(644,root,root) /etc/pam.d/atd
 %verify(not mode) %attr(4750,root,trusted) %{_bindir}/at
 %{_bindir}/atq
@ -179,12 +190,14 @@ fi
 %{_sbindir}/atd
 %{_sbindir}/atrun
 %attr(700,at,at) %dir /var/spool/atspool
-%attr(700,at,at) %dir /var/spool/atjobs
+%attr(1770,at,at) %dir /var/spool/atjobs
 %attr(600,at,at) /var/spool/atjobs/.SEQ
 /var/adm/fillup-templates/sysconfig.atd
 %if 0%{?has_systemd}
 %{_unitdir}/atd.service
 %{_prefix}/lib/systemd/system-sleep/atd.sh
+%else
+%config /etc/init.d/atd
 %endif

 %changelog