--- Makefile.in.orig
+++ Makefile.in
@@ -28,6 +28,7 @@ YACC		= @YACC@
 LEX		= @LEX@
 LEXLIB		= @LEXLIB@
 SELINUXLIB	= @SELINUXLIB@
+PAMLIB	        = @PAMLIB@
 
 CC 		= @CC@
 CFLAGS 		= @CFLAGS@
@@ -73,7 +74,7 @@ at: $(ATOBJECTS)
 	$(LN_S) -f at atrm
 
 atd: $(RUNOBJECTS)
-	$(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB)
+	$(CC) $(CFLAGS) -o atd -pie $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) $(PAMLIB)
 
 y.tab.c y.tab.h: parsetime.y
 	$(YACC) -d parsetime.y
--- atd.c.orig
+++ atd.c
@@ -93,6 +93,17 @@ int selinux_enabled=0;
 #include <selinux/av_permissions.h>
 #endif
 
+#ifdef WITH_PAM
+#include <security/pam_appl.h>
+static pam_handle_t *pamh = NULL;
+#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
+	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+	pam_close_session(pamh, PAM_SILENT); \
+	pam_end(pamh, retcode); exit(1); \
+   }
+#endif
+
 /* Local headers */
 
 #include "privs.h"
@@ -102,6 +113,10 @@ int selinux_enabled=0;
 #include "getloadavg.h"
 #endif
 
+#ifndef LOG_ATD
+#define LOG_ATD	LOG_DAEMON
+#endif
+
 /* Macros */
 
 #define BATCH_INTERVAL_DEFAULT 60
@@ -195,6 +210,47 @@ myfork()
 #define fork myfork
 #endif
 
+#undef ATD_MAIL_PROGRAM
+#undef ATD_MAIL_NAME
+#if defined(SENDMAIL)
+#define ATD_MAIL_PROGRAM SENDMAIL
+#define ATD_MAIL_NAME    "sendmail"
+#elif  defined(MAILC)
+#define ATD_MAIL_PROGRAM MAILC
+#define ATD_MAIL_NAME    "mail"
+#elif  defined(MAILX)
+#define ATD_MAIL_PROGRAM MAILX
+#define ATD_MAIL_NAME    "mailx"
+#endif
+
+#ifdef WITH_PAM
+static int
+cron_conv(int num_msg, const struct pam_message **msgm,
+      struct pam_response **response, void *appdata_ptr)
+{
+    struct pam_message**m = msgm;
+    int i;
+
+    for (i = 0; i < num_msg; i++) {
+        switch (m[i]->msg_style) {
+        case PAM_ERROR_MSG:
+        case PAM_TEXT_INFO:
+            if (m[i]->msg != NULL) {
+                syslog (LOG_NOTICE, "%s", m[i]->msg);
+            }
+            break;
+        default:
+            break;
+        }
+    }
+    return (0);
+}
+
+static const struct pam_conv conv = {
+  cron_conv, NULL
+};
+#endif
+
 static void
 run_file(const char *filename, uid_t uid, gid_t gid)
 {
@@ -217,6 +273,9 @@ run_file(const char *filename, uid_t uid
     int ngid;
     char queue;
     unsigned long jobno;
+#ifdef WITH_PAM
+    int retcode;
+#endif
 
     sscanf(filename, "%c%5lx", &queue, &jobno);
 
@@ -361,6 +420,23 @@ run_file(const char *filename, uid_t uid
     fstat(fd_out, &buf);
     size = buf.st_size;
 
+#ifdef  WITH_PAM
+    PRIV_START
+    retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+    PAM_FAIL_CHECK;
+    retcode = pam_set_item(pamh, PAM_TTY, "atd");
+    PAM_FAIL_CHECK;
+    retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+    PAM_FAIL_CHECK;
+    retcode = pam_open_session(pamh, PAM_SILENT);
+    PAM_FAIL_CHECK;
+    retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+    PAM_FAIL_CHECK;
+    closelog();
+    openlog("atd", LOG_PID, LOG_ATD);
+    PRIV_END
+#endif
+
     close(STDIN_FILENO);
     close(STDOUT_FILENO);
     close(STDERR_FILENO);
@@ -372,6 +448,16 @@ run_file(const char *filename, uid_t uid
     else if (pid == 0) {
 	char *nul = NULL;
 	char **nenvp = &nul;
+#ifdef WITH_PAM
+        char **pam_envp=0L;
+#endif
+
+	PRIV_START
+#ifdef WITH_PAM
+	pam_envp = pam_getenvlist(pamh);
+	if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) )
+	    nenvp = pam_envp;
+#endif
 
 	/* Set up things for the child; we want standard input from the
 	 * input file, and standard output and error sent to our output file.
@@ -394,8 +480,6 @@ run_file(const char *filename, uid_t uid
 	if (chdir(ATJOB_DIR) < 0)
 	    perr("Cannot chdir to " ATJOB_DIR);
 
-	PRIV_START
-
 	    nice((tolower((int) queue) - 'a' + 1) * 2);
 
 	    if (initgroups(pentry->pw_name, pentry->pw_gid))
@@ -485,6 +569,24 @@ run_file(const char *filename, uid_t uid
 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
 		perr("Exec failed for /bin/sh");
 
+#ifdef WITH_SELINUX
+	if (selinux_enabled>0) {
+	    if (setexeccon(NULL) < 0) {
+		perr("Could not resset exec context for user %s\n", pentry->pw_name);
+	    }
+	}
+#endif
+
+#ifdef WITH_PAM
+	if ( ( nenvp != &nul ) && (pam_envp != 0L)  && (*pam_envp != 0L))
+	{
+	    for( nenvp = pam_envp; *nenvp != 0L; nenvp++)
+		free(*nenvp);
+	    free( pam_envp );
+	    nenvp = &nul;
+	    pam_envp=0L;
+	}
+#endif
 	PRIV_END
     }
     /* We're the parent.  Let's wait.
@@ -498,13 +600,6 @@ run_file(const char *filename, uid_t uid
      */
     waitpid(pid, (int *) NULL, 0);
 
-#ifdef WITH_SELINUX
-    if (selinux_enabled>0) {
-      if (setexeccon(NULL) < 0) {
-	perr("Could not reset exec context for user %s\n", pentry->pw_name); 
-      }
-    }
-#endif	
     /* Send mail.  Unlink the output file after opening it, so it
      * doesn't hang around after the run.
      */
@@ -514,6 +609,14 @@ run_file(const char *filename, uid_t uid
 
     unlink(filename);
 
+#ifdef  WITH_PAM
+    pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+    pam_close_session(pamh, PAM_SILENT);
+    pam_end(pamh, PAM_ABORT);
+    closelog();
+    openlog("atd", LOG_PID, LOG_ATD);
+#endif
+
     /* The job is now finished.  We can delete its input file.
      */
     chdir(ATJOB_DIR);
@@ -522,7 +625,31 @@ run_file(const char *filename, uid_t uid
 
     if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
 
+      int mail_pid = -1;
+
+#ifdef  WITH_PAM
 	PRIV_START
+	retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
+	PAM_FAIL_CHECK;
+	retcode = pam_set_item(pamh, PAM_TTY, "atd");
+	PAM_FAIL_CHECK;
+	retcode = pam_acct_mgmt(pamh, PAM_SILENT);
+	PAM_FAIL_CHECK;
+	retcode = pam_open_session(pamh, PAM_SILENT);
+	PAM_FAIL_CHECK;
+	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+	PAM_FAIL_CHECK;
+        /* PAM has now re-opened our log to auth.info ! */
+	closelog();
+	openlog("atd", LOG_PID, LOG_ATD);
+	PRIV_END
+#endif
+
+	mail_pid = fork();
+
+	if ( mail_pid == 0 )
+	{
+	    PRIV_START
 
 	    if (initgroups(pentry->pw_name, pentry->pw_gid))
 		perr("Cannot delete saved userids");
@@ -535,6 +662,47 @@ run_file(const char *filename, uid_t uid
 
 	    chdir ("/");
 
+#ifdef WITH_SELINUX
+	    if (selinux_enabled>0) {
+	      security_context_t user_context=NULL;
+	      security_context_t  file_context=NULL;
+	      int retval=0;
+	      struct av_decision avd;
+
+	      if (get_default_context(pentry->pw_name, NULL, &user_context))
+		perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
+	      /*
+	       * Since crontab files are not directly executed,
+	       * crond must ensure that the crontab file has
+	       * a context that is appropriate for the context of
+	       * the user cron job.  It performs an entrypoint
+	       * permission check for this purpose.
+	       */
+	      if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+		perr("fgetfilecon FAILED %s", filename);
+
+	      retval = security_compute_av(user_context,
+					   file_context,
+					   SECCLASS_FILE,
+					   FILE__ENTRYPOINT,
+					   &avd);
+	      freecon(file_context);
+	      if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+		if (security_getenforce()==1)
+		  perr("Not allowed to set exec context to %s for user  %s\n", user_context,pentry->pw_name);
+	      }
+
+	      if (setexeccon(user_context) < 0) {
+		if (security_getenforce()==1) {
+		  perr("Could not set exec context to %s for user  %s\n", user_context,pentry->pw_name);
+		} else {
+		  syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,pentry->pw_name);
+		}
+	      }
+	      freecon(user_context);
+	    }
+#endif
+
 #if defined(SENDMAIL)
 	    execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
 #elif  defined(MAILC)
@@ -546,7 +714,33 @@ run_file(const char *filename, uid_t uid
 #endif
 	    perr("Exec failed for mail command");
 
-	PRIV_END
+	    exit (-1);
+
+#ifdef WITH_SELINUX
+	    if (selinux_enabled>0) {
+	      if (setexeccon(NULL) < 0) {
+		perr("Could not resset exec context for user %s\n", pentry->pw_name);
+	      }
+	    }
+#endif
+
+	    PRIV_END;
+	} else if ( mail_pid == -1 )
+	  {
+	    perr("fork of mailer failed");
+	  }
+	else
+	  {
+	    /* Parent */
+	    waitpid(mail_pid, (int *) NULL, 0);
+	  }
+#ifdef WITH_PAM
+	pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT );
+	pam_close_session(pamh, PAM_SILENT);
+	pam_end(pamh, PAM_ABORT);
+	closelog();
+	openlog("atd", LOG_PID, LOG_ATD);
+#endif
     }
     exit(EXIT_SUCCESS);
 }
@@ -741,7 +935,7 @@ main(int argc, char *argv[])
 
 #ifdef WITH_SELINUX
     selinux_enabled=is_selinux_enabled();
-#endif	
+#endif
 /* We don't need root privileges all the time; running under uid and gid
  * daemon is fine.
  */
@@ -758,12 +952,7 @@ main(int argc, char *argv[])
 
     RELINQUISH_PRIVS_ROOT(daemon_uid, daemon_gid)
 
-#ifndef LOG_CRON
-#define LOG_CRON	LOG_DAEMON
-#endif
-
-    openlog("atd", LOG_PID, LOG_CRON);
-
+    openlog("atd", LOG_PID, LOG_ATD);
     opterr = 0;
     errno = 0;
     run_as_daemon = 1;
--- config.h.in.orig
+++ config.h.in
@@ -187,3 +187,7 @@
 
 /* Define if you are building with_selinux  */
 #undef WITH_SELINUX
+
+/* Define if you are building with_pam */
+#undef WITH_PAM
+
--- configure.in.orig
+++ configure.in
@@ -323,4 +323,11 @@ AC_CHECK_LIB(selinux, is_selinux_enabled
 AC_SUBST(SELINUXLIB)
 AC_SUBST(WITH_SELINUX)
 
+AC_ARG_WITH(pam,
+[ --with-pam            Define to enable pam support ],
+AC_DEFINE(WITH_PAM),
+)
+AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
+AC_SUBST(PAMLIB)
+
 AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
--- perm.c.orig
+++ perm.c
@@ -109,14 +109,15 @@ user_in_file(const char *path, const cha
 int
 check_permission()
 {
-  uid_t uid = geteuid();
+  uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid();
   struct passwd *pentry;
   int    allow = 0, deny = 1;
+  int    retcode=0;
 
-  if (uid == 0)
+  if (euid == 0)
     return 1;
 
-  if ((pentry = getpwuid(uid)) == NULL) {
+  if ((pentry = getpwuid(euid)) == NULL) {
     perror("Cannot access user database");
     exit(EXIT_FAILURE);
   }