d83c6e
diff -up at-3.1.20/at.c.pam at-3.1.20/at.c
d83c6e
--- at-3.1.20/at.c.pam	2016-06-28 22:18:00.000000000 +0200
d83c6e
+++ at-3.1.20/at.c	2016-07-01 09:44:22.251683924 +0200
d83c6e
@@ -144,18 +144,13 @@ sigc(int signo)
d83c6e
 /* If the user presses ^C, remove the spool file and exit 
d83c6e
  */
d83c6e
     if (fcreated) {
d83c6e
-	/*
d83c6e
         PRIV_START
d83c6e
-
d83c6e
+        /*
d83c6e
         We need the unprivileged uid here since the file is owned by the real
d83c6e
         (not effective) uid.
d83c6e
         */
d83c6e
-        setregid(real_gid, effective_gid);
d83c6e
-	    unlink(atfile);
d83c6e
-        setregid(effective_gid, real_gid);
d83c6e
-        /*
d83c6e
+	unlink(atfile);
d83c6e
 	PRIV_END
d83c6e
-        */
d83c6e
     }
d83c6e
     exit(EXIT_FAILURE);
d83c6e
 }
d83c6e
@@ -315,26 +310,19 @@ writefile(time_t runtimer, char queue)
d83c6e
 	 * bit.  Yes, this is a kluge.
d83c6e
 	 */
d83c6e
 	cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR);
d83c6e
-        seteuid(real_uid);
d83c6e
+       if ((seteuid(effective_uid)) < 0)
d83c6e
+	    perr("Error in seteuid: %s", errno);
d83c6e
 	if ((fd = open(atfile, O_CREAT | O_EXCL | O_TRUNC | O_WRONLY, S_IRUSR)) == -1)
d83c6e
 	    perr("Cannot create atjob file %.500s", atfile);
d83c6e
-        seteuid(effective_uid);
d83c6e
 
d83c6e
 	if ((fd2 = dup(fd)) < 0)
d83c6e
 	    perr("Error in dup() of job file");
d83c6e
 
d83c6e
-        /*
d83c6e
 	if (fchown(fd2, real_uid, real_gid) != 0)
d83c6e
-	    perr("Cannot give away file");
d83c6e
-        */
d83c6e
+	    perr("Cannot give real_uid and real_gid the file");
d83c6e
 
d83c6e
     PRIV_END
d83c6e
 
d83c6e
-    /* We no longer need suid root; now we just need to be able to write
d83c6e
-     * to the directory, if necessary.
d83c6e
-     */
d83c6e
-
d83c6e
-    REDUCE_PRIV(daemon_uid, daemon_gid)
d83c6e
     /* We've successfully created the file; let's set the flag so it 
d83c6e
      * gets removed in case of an interrupt or error.
d83c6e
      */
d83c6e
@@ -673,7 +661,7 @@ process_jobs(int argc, char **argv, int
d83c6e
                     We need the unprivileged uid here since the file is owned by the real
d83c6e
                     (not effective) uid.
d83c6e
                     */
d83c6e
-                    setregid(real_gid, effective_gid);
d83c6e
+		    PRIV_START
d83c6e
 
d83c6e
 		    if (queue == '=') {
d83c6e
 			fprintf(stderr, "Warning: deleting running job\n");
d83c6e
@@ -682,8 +670,8 @@ process_jobs(int argc, char **argv, int
d83c6e
 			perr("Cannot unlink %.500s", dirent->d_name);
d83c6e
 			rc = EXIT_FAILURE;
d83c6e
 		    }
d83c6e
+		    PRIV_END
d83c6e
 
d83c6e
-                    setregid(effective_gid, real_gid);
d83c6e
 		    done = 1;
d83c6e
 
d83c6e
 		    break;
d83c6e
@@ -693,7 +681,7 @@ process_jobs(int argc, char **argv, int
d83c6e
 			FILE *fp;
d83c6e
 			int ch;
d83c6e
 
d83c6e
-			setregid(real_gid, effective_gid);
d83c6e
+			PRIV_START
d83c6e
 			fp = fopen(dirent->d_name, "r");
d83c6e
 
d83c6e
 			if (fp) {
d83c6e
@@ -706,7 +694,7 @@ process_jobs(int argc, char **argv, int
d83c6e
 			    perr("Cannot open %.500s", dirent->d_name);
d83c6e
 			    rc = EXIT_FAILURE;
d83c6e
 			}
d83c6e
-			setregid(effective_gid, real_gid);
d83c6e
+			PRIV_END
d83c6e
 		    }
d83c6e
 		    break;
d83c6e
 
d83c6e
diff -up at-3.1.20/atd.c.pam at-3.1.20/atd.c
d83c6e
--- at-3.1.20/atd.c.pam	2016-06-28 22:14:39.000000000 +0200
d83c6e
+++ at-3.1.20/atd.c	2016-07-01 09:44:22.251683924 +0200
d83c6e
@@ -91,6 +91,10 @@ int selinux_enabled = 0;
d83c6e
 
d83c6e
 /* Macros */
d83c6e
 
d83c6e
+#ifndef LOG_ATD
d83c6e
+#define LOG_ATD        LOG_DAEMON
d83c6e
+#endif
d83c6e
+
d83c6e
 #define BATCH_INTERVAL_DEFAULT 60
d83c6e
 #define CHECK_INTERVAL 3600
d83c6e
 
d83c6e
@@ -114,7 +118,7 @@ static int run_as_daemon = 0;
d83c6e
 
d83c6e
 static volatile sig_atomic_t term_signal = 0;
d83c6e
 
d83c6e
-#ifdef HAVE_PAM
d83c6e
+#ifdef WITH_PAM
d83c6e
 #include <security/pam_appl.h>
d83c6e
 
d83c6e
 static pam_handle_t *pamh = NULL;
d83c6e
@@ -123,15 +127,7 @@ static const struct pam_conv conv = {
d83c6e
 	NULL
d83c6e
 };
d83c6e
 
d83c6e
-#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
d83c6e
-	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
d83c6e
-	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
d83c6e
-	pam_end(pamh, retcode); exit(1); \
d83c6e
-    }
d83c6e
-#define PAM_END { retcode = pam_close_session(pamh,0); \
d83c6e
-		pam_end(pamh,retcode); }
d83c6e
-
d83c6e
-#endif /* HAVE_PAM */
d83c6e
+#endif /* WITH_PAM */
d83c6e
 
d83c6e
 /* Signal handlers */
d83c6e
 RETSIGTYPE 
d83c6e
@@ -292,7 +288,7 @@ run_file(const char *filename, uid_t uid
d83c6e
     char fmt[64];
d83c6e
     unsigned long jobno;
d83c6e
     int rc;
d83c6e
-#ifdef HAVE_PAM
d83c6e
+#ifdef WITH_PAM
d83c6e
     int retcode;
d83c6e
 #endif
d83c6e
 
d83c6e
@@ -449,17 +445,11 @@ run_file(const char *filename, uid_t uid
d83c6e
     fstat(fd_out, &buf;;
d83c6e
     size = buf.st_size;
d83c6e
 
d83c6e
-#ifdef HAVE_PAM
d83c6e
-    PRIV_START
d83c6e
-    retcode = pam_start("atd", pentry->pw_name, &conv, &pamh);
d83c6e
-    PAM_FAIL_CHECK;
d83c6e
-    retcode = pam_acct_mgmt(pamh, PAM_SILENT);
d83c6e
-    PAM_FAIL_CHECK;
d83c6e
-    retcode = pam_open_session(pamh, PAM_SILENT);
d83c6e
-    PAM_FAIL_CHECK;
d83c6e
-    retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
d83c6e
-    PAM_FAIL_CHECK;
d83c6e
-    PRIV_END
d83c6e
+#ifdef WITH_PAM
d83c6e
+    AT_START_PAM;
d83c6e
+    AT_OPEN_PAM_SESSION;
d83c6e
+    closelog(); 
d83c6e
+    openlog("atd", LOG_PID, LOG_ATD);
d83c6e
 #endif
d83c6e
 
d83c6e
     close(STDIN_FILENO);
d83c6e
@@ -473,7 +463,14 @@ run_file(const char *filename, uid_t uid
d83c6e
     else if (pid == 0) {
d83c6e
 	char *nul = NULL;
d83c6e
 	char **nenvp = &nul;
d83c6e
+	char **pam_envp=0L;
d83c6e
 
d83c6e
+	PRIV_START
d83c6e
+#ifdef WITH_PAM
d83c6e
+	pam_envp = pam_getenvlist(pamh);
d83c6e
+	if ( ( pam_envp != 0L ) && (pam_envp[0] != 0L) )
d83c6e
+		nenvp = pam_envp;
d83c6e
+#endif
d83c6e
 	/* Set up things for the child; we want standard input from the
d83c6e
 	 * input file, and standard output and error sent to our output file.
d83c6e
 	 */
d83c6e
@@ -492,8 +489,6 @@ run_file(const char *filename, uid_t uid
d83c6e
 	close(fd_in);
d83c6e
 	close(fd_out);
d83c6e
 
d83c6e
-	PRIV_START
d83c6e
-
d83c6e
 	    nice((tolower((int) queue) - 'a' + 1) * 2);
d83c6e
 
d83c6e
 #ifdef WITH_SELINUX
d83c6e
@@ -514,9 +509,9 @@ run_file(const char *filename, uid_t uid
d83c6e
 
d83c6e
 	    chdir("/");
d83c6e
 
d83c6e
-	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
d83c6e
-		perr("Exec failed for /bin/sh");
d83c6e
-
d83c6e
+	    execle("/bin/sh", "sh", (char *) NULL, nenvp);
d83c6e
+	    perr("Exec failed for /bin/sh");
d83c6e
+            /* perr exits, the PRIV_END is just for nice form */
d83c6e
 	PRIV_END
d83c6e
     }
d83c6e
     /* We're the parent.  Let's wait.
d83c6e
@@ -529,14 +524,6 @@ run_file(const char *filename, uid_t uid
d83c6e
      */
d83c6e
     waitpid(pid, (int *) NULL, 0);
d83c6e
 
d83c6e
-#ifdef HAVE_PAM
d83c6e
-    PRIV_START
d83c6e
-	pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
d83c6e
-	retcode = pam_close_session(pamh, PAM_SILENT);
d83c6e
-	pam_end(pamh, retcode);
d83c6e
-    PRIV_END
d83c6e
-#endif
d83c6e
-
d83c6e
     /* Send mail.  Unlink the output file after opening it, so it
d83c6e
      * doesn't hang around after the run.
d83c6e
      */
d83c6e
@@ -567,8 +554,13 @@ run_file(const char *filename, uid_t uid
d83c6e
     unlink(newname);
d83c6e
     free(newname);
d83c6e
 
d83c6e
+#ifdef ATD_MAIL_PROGRAM
d83c6e
     if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) {
d83c6e
+       int mail_pid = -1;
d83c6e
 
d83c6e
+     mail_pid = fork();
d83c6e
+
d83c6e
+     if ( mail_pid == 0 ) {
d83c6e
 	PRIV_START
d83c6e
 
d83c6e
 	    if (initgroups(pentry->pw_name, pentry->pw_gid))
d83c6e
@@ -590,7 +582,20 @@ run_file(const char *filename, uid_t uid
d83c6e
 	    perr("Exec failed for mail command");
d83c6e
 
d83c6e
 	PRIV_END
d83c6e
+     }
d83c6e
+     else if ( mail_pid == -1 ) {
d83c6e
+           syslog(LOG_ERR, "fork of mailer failed: %m");
d83c6e
+     }
d83c6e
+     /* Parent */
d83c6e
+     waitpid(mail_pid, (int *) NULL, 0);
d83c6e
     }
d83c6e
+
d83c6e
+#ifdef WITH_PAM
d83c6e
+    AT_CLOSE_PAM;
d83c6e
+    closelog();
d83c6e
+    openlog("atd", LOG_PID, LOG_ATD);
d83c6e
+#endif
d83c6e
+#endif
d83c6e
     exit(EXIT_SUCCESS);
d83c6e
 }
d83c6e
 
d83c6e
diff -up at-3.1.20/config.h.in.pam at-3.1.20/config.h.in
d83c6e
--- at-3.1.20/config.h.in.pam	2015-12-18 21:29:24.000000000 +0100
d83c6e
+++ at-3.1.20/config.h.in	2016-07-01 09:44:22.251683924 +0200
d83c6e
@@ -68,8 +68,8 @@
d83c6e
 /* Define to 1 if you have the <nlist.h> header file. */
d83c6e
 #undef HAVE_NLIST_H
d83c6e
 
d83c6e
-/* Define to 1 for PAM support */
d83c6e
-#undef HAVE_PAM
d83c6e
+/* Define if you are building with_pam */
d83c6e
+#undef WITH_PAM
d83c6e
 
d83c6e
 /* Define to 1 if you have the `pstat_getdynamic' function. */
d83c6e
 #undef HAVE_PSTAT_GETDYNAMIC
d83c6e
diff -up at-3.1.20/configure.ac.pam at-3.1.20/configure.ac
d83c6e
--- at-3.1.20/configure.ac.pam	2016-06-28 22:55:52.000000000 +0200
d83c6e
+++ at-3.1.20/configure.ac	2016-07-01 09:45:23.268092527 +0200
d83c6e
@@ -78,7 +78,7 @@ AC_FUNC_GETLOADAVG
d83c6e
 AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid)
d83c6e
 AC_CHECK_HEADERS(security/pam_appl.h, [
d83c6e
   PAMLIB="-lpam"
d83c6e
-  AC_DEFINE(HAVE_PAM, 1, [Define to 1 for PAM support])
d83c6e
+  AC_DEFINE(WITH_PAM, 1, [Define to 1 for PAM support])
d83c6e
 ])
d83c6e
 
d83c6e
 dnl Checking for programs
d83c6e
@@ -239,6 +239,13 @@ AC_ARG_WITH(daemon_username,
d83c6e
 )
d83c6e
 AC_SUBST(DAEMON_USERNAME)
d83c6e
 
d83c6e
+AC_ARG_WITH(pam,
d83c6e
+[ --with-pam            Define to enable pam support ],
d83c6e
+AC_DEFINE(WITH_PAM),
d83c6e
+)
d83c6e
+AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
d83c6e
+AC_SUBST(PAMLIB)
d83c6e
+
d83c6e
 AC_ARG_WITH(selinux,
d83c6e
 [ --with-selinux       Define to run with selinux (default=check)],
d83c6e
 [],
d83c6e
diff -up at-3.1.20/Makefile.in.pam at-3.1.20/Makefile.in
d83c6e
--- at-3.1.20/Makefile.in.pam	2016-07-01 09:44:22.250683901 +0200
d83c6e
+++ at-3.1.20/Makefile.in	2016-07-01 09:44:22.252683947 +0200
d83c6e
@@ -68,7 +68,7 @@ LIST = Filelist Filelist.asc
d83c6e
 all: at atd atd.service atrun
d83c6e
 
d83c6e
 at: $(ATOBJECTS)
d83c6e
-	$(CC) $(LDFLAGS) -pie -o at $(ATOBJECTS) $(LIBS) $(LEXLIB)
d83c6e
+	$(CC) $(LDFLAGS) -pie -o at $(ATOBJECTS) $(LIBS) $(LEXLIB) $(PAMLIB)
d83c6e
 	rm -f $(CLONES)
d83c6e
 	$(LN_S) -f at atq
d83c6e
 	$(LN_S) -f at atrm
d83c6e
diff -up at-3.1.20/perm.c.pam at-3.1.20/perm.c
d83c6e
--- at-3.1.20/perm.c.pam	2015-08-22 00:09:22.000000000 +0200
d83c6e
+++ at-3.1.20/perm.c	2016-07-01 09:44:22.252683947 +0200
d83c6e
@@ -51,6 +51,14 @@
d83c6e
 #define PRIV_END while(0)
d83c6e
 #endif
d83c6e
 
d83c6e
+#ifdef WITH_PAM
d83c6e
+#include <security/pam_appl.h>
d83c6e
+static pam_handle_t *pamh = NULL;
d83c6e
+static const struct pam_conv conv = {
d83c6e
+       NULL
d83c6e
+};
d83c6e
+#endif
d83c6e
+
d83c6e
 /* Structures and unions */
d83c6e
 
d83c6e
 
d83c6e
@@ -108,18 +116,45 @@ user_in_file(const char *path, const cha
d83c6e
 int
d83c6e
 check_permission()
d83c6e
 {
d83c6e
-  uid_t uid = geteuid();
d83c6e
+  uid_t euid = geteuid(), uid=getuid(), egid=getegid(), gid=getgid();
d83c6e
   struct passwd *pentry;
d83c6e
   int    allow = 0, deny = 1;
d83c6e
 
d83c6e
-  if (uid == 0)
d83c6e
+  int    retcode = 0;
d83c6e
+  if (euid == 0)
d83c6e
     return 1;
d83c6e
 
d83c6e
-  if ((pentry = getpwuid(uid)) == NULL) {
d83c6e
+  if ((pentry = getpwuid(euid)) == NULL) {
d83c6e
     perror("Cannot access user database");
d83c6e
     exit(EXIT_FAILURE);
d83c6e
   }
d83c6e
 
d83c6e
+#ifdef  WITH_PAM
d83c6e
+/*
d83c6e
+ *  We must check if the atd daemon userid will be allowed to gain the job owner user's
d83c6e
+ *  credentials with PAM . If not, the user has been denied at(1) usage, eg. with pam_access.
d83c6e
+ */
d83c6e
+  if (setreuid(daemon_uid, daemon_uid) != 0) {
d83c6e
+      fprintf(stderr, "cannot set egid: %s", strerror(errno));
d83c6e
+      exit(1);
d83c6e
+  }
d83c6e
+  if (setregid(daemon_gid, daemon_gid) != 0) {
d83c6e
+      fprintf(stderr, "cannot set euid: %s", strerror(errno));
d83c6e
+      exit(1);
d83c6e
+  }
d83c6e
+
d83c6e
+    AT_START_PAM;
d83c6e
+    AT_CLOSE_PAM;
d83c6e
+    if (setregid(gid,egid) != 0) {
d83c6e
+        fprintf(stderr, "cannot set egid: %s", strerror(errno));
d83c6e
+        exit(1);
d83c6e
+    }
d83c6e
+    if (setreuid(uid,euid) != 0) {
d83c6e
+        fprintf(stderr, "cannot set euid: %s", strerror(errno));
d83c6e
+        exit(1);
d83c6e
+    }
d83c6e
+#endif
d83c6e
+
d83c6e
   allow = user_in_file(ETCDIR "/at.allow", pentry->pw_name);
d83c6e
   if (allow==0 || allow==1)
d83c6e
     return allow;
d83c6e
diff -up at-3.1.20/privs.h.pam at-3.1.20/privs.h
d83c6e
--- at-3.1.20/privs.h.pam	2015-08-22 00:09:22.000000000 +0200
d83c6e
+++ at-3.1.20/privs.h	2016-07-01 09:44:22.252683947 +0200
d83c6e
@@ -144,3 +144,63 @@ extern gid_t real_gid, effective_gid, da
d83c6e
 #error "Cannot implement user ID swapping without setreuid or setresuid"
d83c6e
 #endif
d83c6e
 #endif
d83c6e
+
d83c6e
+#ifdef WITH_PAM
d83c6e
+/* PAM failed after session was open.  */
d83c6e
+#define PAM_SESSION_FAIL if (retcode != PAM_SUCCESS) \
d83c6e
+       pam_close_session(pamh,PAM_SILENT);
d83c6e
+
d83c6e
+/* syslog will be logging error messages */
d83c6e
+#ifdef HAVE_UNISTD_H
d83c6e
+#include <syslog.h>
d83c6e
+#endif
d83c6e
+
d83c6e
+/* PAM fail even before opening the session */
d83c6e
+#define PAM_FAIL_CHECK \
d83c6e
+       do { if (retcode != PAM_SUCCESS) { \
d83c6e
+               fprintf(stderr,"PAM failure: %s\n",pam_strerror(pamh, retcode)); \
d83c6e
+               syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
d83c6e
+               if (pamh) \
d83c6e
+                   pam_end(pamh, retcode); \
d83c6e
+               if (setregid(getgid(),getegid()) != 0) { \
d83c6e
+                   fprintf(stderr, "cannot set egid: %s", strerror(errno)); \
d83c6e
+                   exit(1); \
d83c6e
+               } \
d83c6e
+               if (setreuid(getuid(),geteuid()) != 0) { \
d83c6e
+                   fprintf(stderr, "cannot set euid: %s", strerror(errno)); \
d83c6e
+                   exit(1); \
d83c6e
+               } \
d83c6e
+               exit(1); \
d83c6e
+           } \
d83c6e
+       } while (0) \
d83c6e
+
d83c6e
+static int pam_session_opened = 0;      //global for open session
d83c6e
+
d83c6e
+#define AT_START_PAM { \
d83c6e
+        retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); \
d83c6e
+        PAM_FAIL_CHECK; \
d83c6e
+        retcode = pam_set_item(pamh, PAM_TTY, "atd"); \
d83c6e
+        PAM_FAIL_CHECK; \
d83c6e
+        retcode = pam_acct_mgmt(pamh, PAM_SILENT); \
d83c6e
+        PAM_FAIL_CHECK; \
d83c6e
+} 
d83c6e
+
d83c6e
+#define AT_OPEN_PAM_SESSION { \
d83c6e
+        retcode = pam_open_session(pamh, PAM_SILENT); \
d83c6e
+        PAM_FAIL_CHECK; \
d83c6e
+        retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); \
d83c6e
+        PAM_FAIL_CHECK; \
d83c6e
+        if (retcode == PAM_SUCCESS) \
d83c6e
+                pam_session_opened = 1; \
d83c6e
+}
d83c6e
+
d83c6e
+#define AT_CLOSE_PAM { \
d83c6e
+        if (pam_session_opened != 0) { \
d83c6e
+                pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); \
d83c6e
+                pam_close_session(pamh, PAM_SILENT); \
d83c6e
+        } \
d83c6e
+        pam_end(pamh, PAM_SUCCESS); \
d83c6e
+}
d83c6e
+
d83c6e
+#endif
d83c6e
+