
No commits in common. "c9" and "c8" have entirely different histories.
c9 ... c8

26 changed files with 15683 additions and 86529 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/libuser-0.63.tar.xz
SOURCES/libuser-0.62.tar.xz


@ -1 +1 @@
cd6b029165743afaaee58e7d80e767da7a868545 SOURCES/libuser-0.63.tar.xz
e0fe60dd38f3b5777d0a4ad664725eddd18ef310 SOURCES/libuser-0.62.tar.xz


@ -0,0 +1,52 @@
From 9317afc8bb7eec656444fc2eecfcd1ea3bfdda82 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 15 Mar 2017 12:43:03 -0400
Subject: [PATCH] Fix errors with -Werror=format-security
Recent versions of the Fedora build system treat format-security
warnings as errors, resulting in failure to build. This patch
ensures that appropriate format strings are present.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
modules/files.c | 2 +-
modules/ldap.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/files.c b/modules/files.c
index 4ef0a57be9f2aad99d82abfae5204009a93e5572..6a7787e28112ba07e0fc44f2887ce1d1540af29e 100644
--- a/modules/files.c
+++ b/modules/files.c
@@ -532,11 +532,11 @@ parse_field(const struct format_specifier *format, GValue *value,
err = NULL;
ret = lu_value_init_set_attr_from_string(value, format->attribute,
string, &err);
if (ret == FALSE) {
g_assert(err != NULL);
- g_warning(lu_strerror(err));
+ g_warning("%s", lu_strerror(err));
lu_error_free(&err);
}
return ret;
}
diff --git a/modules/ldap.c b/modules/ldap.c
index ad10f7394c5735f3180cbab5bc7314301fd83ffc..02e9eb6a0cf10595d730e3dc719f2e848a3491d4 100644
--- a/modules/ldap.c
+++ b/modules/ldap.c
@@ -670,11 +670,11 @@ lu_ldap_lookup(struct lu_module *module,
error = NULL;
ok = lu_value_init_set_attr_from_string
(&value, attr, val, &error);
if (ok == FALSE) {
g_assert(error != NULL);
- g_warning(lu_strerror(error));
+ g_warning("%s", lu_strerror(error));
lu_error_free(&error);
} else {
lu_ent_add_current(ent, attr,
&value);
g_value_unset(&value);
--
2.12.0


@ -0,0 +1,40 @@
From 68e2c532e610e1c91dd10ff176b673d6190adef4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Mon, 6 Aug 2018 21:43:53 +0200
Subject: [PATCH] Use 2048-bit keys in tests to avoid issues with modern
systems
---
tests/default_pw_test | 2 +-
tests/ldap_test | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/default_pw_test b/tests/default_pw_test
index 6da406cf3f67cee2084e730361d43c88df83b81c..733c85c090e07c87a9a7ef8b58c5396bf5f91197 100755
--- a/tests/default_pw_test
+++ b/tests/default_pw_test
@@ -30,7 +30,7 @@ rm -rf "$workdir"
mkdir "$workdir"
# Create a SSL key
-/usr/bin/openssl req -newkey rsa:1024 -keyout "$workdir"/key1 -nodes \
+/usr/bin/openssl req -newkey rsa:2048 -keyout "$workdir"/key1 -nodes \
-x509 -days 2 -out "$workdir"/key3 2>/dev/null <<EOF
.
.
diff --git a/tests/ldap_test b/tests/ldap_test
index f82c2795ef283e323f49c8a400d6c628b3a3e331..54609b14d54b2c5638445262e7fb25307ba6db4c 100755
--- a/tests/ldap_test
+++ b/tests/ldap_test
@@ -30,7 +30,7 @@ rm -rf "$workdir"
mkdir "$workdir"
# Create a SSL key
-/usr/bin/openssl req -newkey rsa:1024 -keyout "$workdir"/key1 -nodes \
+/usr/bin/openssl req -newkey rsa:2048 -keyout "$workdir"/key1 -nodes \
-x509 -days 2 -out "$workdir"/key3 2>/dev/null <<EOF
.
.
--
2.14.4

File diff suppressed because it is too large Load Diff


@ -0,0 +1,658 @@
From 72962208c42ea202f1e31f2f3ac1b523cd545b06 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Fri, 3 Aug 2018 11:33:05 +0200
Subject: [PATCH] Add audit events around user life cycle
---
Makefile.am | 18 ++++++-------
apps/lchage.c | 5 ++++
apps/lchsh.c | 7 +++++
apps/lgroupadd.c | 5 ++++
apps/lgroupdel.c | 6 +++++
apps/lgroupmod.c | 36 +++++++++++++++++++++++++
apps/luseradd.c | 16 +++++++++++
apps/luserdel.c | 17 ++++++++++++
apps/lusermod.c | 38 +++++++++++++++++++++++++-
configure.ac | 17 ++++++++++++
lib/common.c | 66 +++++++++++++++++++++++++++++++++++++++++++++-
lib/user_private.h | 15 +++++++++++
12 files changed, 235 insertions(+), 11 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 080f97e8cc81a77dd0413c3b6fe7fe8002499393..9f099bd71941a869274a502a3130802731d83c24 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -116,7 +116,7 @@ apps_libapputil_la_LDFLAGS = $(GOBJECT_LIBS) -lpam -lpam_misc $(SELINUX_LIBS)
apps_lchage_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lchage_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
apps_lchfn_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lchfn_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)
@@ -124,19 +124,19 @@ apps_lchfn_LDFLAGS = $(GMODULE_LIBS) -lpopt
apps_lchsh_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lchsh_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)
-apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
apps_lgroupadd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lgroupadd_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
apps_lgroupdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lgroupdel_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
apps_lgroupmod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lgroupmod_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
apps_lid_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lid_LDADD = lib/libuser.la $(LTLIBINTL)
@@ -152,15 +152,15 @@ apps_lpasswd_LDFLAGS = $(GMODULE_LIBS) -lpopt
apps_luseradd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_luseradd_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
apps_luserdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_luserdel_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
apps_lusermod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
apps_lusermod_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
lib_libuser_la_SOURCES = lib/common.c lib/config.c lib/entity.c lib/error.c \
lib/fs.c lib/getdate.y lib/internal.h lib/misc.c lib/modules.c \
@@ -170,7 +170,7 @@ lib_libuser_la_CPPFLAGS = $(GMODULE_CFLAGS) -Ilib $(LOCALEDIR_CPPFLAGS) \
-DMODULEDIR='"$(pkglibdir)"' -DNSCD='"$(NSCD)"' \
-DSYSCONFDIR='"$(sysconfdir)"'
lib_libuser_la_LDFLAGS = $(GMODULE_LIBS) $(CRYPT_LIBS) $(SELINUX_LIBS) \
- -version-info 6:2:5
+ $(AUDIT_LIBS) -version-info 6:2:5
lib_libuser_la_LIBADD = $(LTLIBINTL)
modules_libuser_files_la_SOURCES = modules/files.c
diff --git a/apps/lchage.c b/apps/lchage.c
index bad296ccf0755dd6781b1a2e6397dccb1f7dbd12..1a4f04883062cb11f15a2e34d37e127fef2a374e 100644
--- a/apps/lchage.c
+++ b/apps/lchage.c
@@ -29,6 +29,7 @@
#include <popt.h>
#include <glib.h>
#include "../lib/user.h"
+#include "../lib/user_private.h"
#include "apputil.h"
#define INVALID_LONG LONG_MIN
@@ -239,8 +240,12 @@ main(int argc, const char **argv)
fprintf(stderr,
_("Failed to modify aging information for %s: "
"%s\n"), user, lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,
+ AUDIT_NO_ID, 0);
return 3;
}
+ lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,
+ AUDIT_NO_ID, 1);
lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
}
diff --git a/apps/lchsh.c b/apps/lchsh.c
index 7c8a9246d4548a7f6fbacce91cdfdf4372799943..555ed2ea7b0d5a90bf37a7f23c398b382ac45a38 100644
--- a/apps/lchsh.c
+++ b/apps/lchsh.c
@@ -26,6 +26,7 @@
#include <string.h>
#include <unistd.h>
#include "../lib/user.h"
+#include "../lib/user_private.h"
#include "apputil.h"
int
@@ -120,6 +121,8 @@ main(int argc, const char **argv)
NULL, &error) == FALSE) {
fprintf(stderr, _("Shell not changed: %s\n"),
lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
+ AUDIT_NO_ID, 0);
return 1;
}
/* Modify the in-memory structure's shell attribute. */
@@ -132,9 +135,13 @@ main(int argc, const char **argv)
if (lu_user_modify(ctx, ent, &error)) {
g_print(_("Shell changed.\n"));
lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+ lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
+ AUDIT_NO_ID, 1);
} else {
fprintf(stderr, _("Shell not changed: %s\n"),
lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
+ AUDIT_NO_ID, 0);
return 1;
}
}
diff --git a/apps/lgroupadd.c b/apps/lgroupadd.c
index d73ee864adac9e5dbc7d98392190db225d116143..3fa2a1df5ac5838ef256541c07ae6028e4f6a80b 100644
--- a/apps/lgroupadd.c
+++ b/apps/lgroupadd.c
@@ -118,6 +118,8 @@ main(int argc, const char **argv)
if (lu_group_add(ctx, ent, &error) == FALSE) {
fprintf(stderr, _("Group creation failed: %s\n"),
lu_strerror(error));
+ lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+ AUDIT_NO_ID, 0);
return 2;
}
@@ -127,5 +129,8 @@ main(int argc, const char **argv)
lu_end(ctx);
+ lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+ AUDIT_NO_ID, 1);
+
return 0;
}
diff --git a/apps/lgroupdel.c b/apps/lgroupdel.c
index e0fd6c6d42f55eef82f0790f551721972c129b5f..c5ccbed95cb834719cd109a81e6f979bb737dc71 100644
--- a/apps/lgroupdel.c
+++ b/apps/lgroupdel.c
@@ -24,6 +24,7 @@
#include <locale.h>
#include <popt.h>
#include "../lib/user.h"
+#include "../lib/user_private.h"
#include "apputil.h"
int
@@ -90,6 +91,8 @@ main(int argc, const char **argv)
if (lu_group_delete(ctx, ent, &error) == FALSE) {
fprintf(stderr, _("Group %s could not be deleted: %s\n"),
group, lu_strerror(error));
+ lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,
+ AUDIT_NO_ID, 0);
return 3;
}
@@ -99,5 +102,8 @@ main(int argc, const char **argv)
lu_end(ctx);
+ lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,
+ AUDIT_NO_ID, 1);
+
return 0;
}
diff --git a/apps/lgroupmod.c b/apps/lgroupmod.c
index 21170e06f37370d7b2f2d936048ae7abf24fd181..0ad0ae4f39d32435b4668ef15ec678d8ea319e5c 100644
--- a/apps/lgroupmod.c
+++ b/apps/lgroupmod.c
@@ -138,8 +138,14 @@ main(int argc, const char **argv)
== FALSE) {
fprintf(stderr, _("Failed to set password for group "
"%s: %s\n"), group, lu_strerror(error));
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-passwd", group,
+ AUDIT_NO_ID, 0);
return 4;
}
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-passwd", group,
+ AUDIT_NO_ID, 1);
}
if (cryptedUserPassword) {
@@ -147,8 +153,14 @@ main(int argc, const char **argv)
&error) == FALSE) {
fprintf(stderr, _("Failed to set password for group "
"%s: %s\n"), group, lu_strerror(error));
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-passwd", group,
+ AUDIT_NO_ID, 0);
return 5;
}
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-passwd", group,
+ AUDIT_NO_ID, 1);
}
if (lock) {
@@ -156,8 +168,14 @@ main(int argc, const char **argv)
fprintf(stderr,
_("Group %s could not be locked: %s\n"), group,
lu_strerror(error));
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-lock", group,
+ AUDIT_NO_ID, 0);
return 6;
}
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-lock", group,
+ AUDIT_NO_ID, 1);
}
if (unlock) {
@@ -165,8 +183,14 @@ main(int argc, const char **argv)
fprintf(stderr,
_("Group %s could not be unlocked: %s\n"),
group, lu_strerror(error));
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-lock", group,
+ AUDIT_NO_ID, 0);
return 7;
}
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-lock", group,
+ AUDIT_NO_ID, 1);
}
change = gid || addAdmins || remAdmins || addMembers || remMembers;
@@ -241,8 +265,14 @@ main(int argc, const char **argv)
if (change && lu_group_modify(ctx, ent, &error) == FALSE) {
fprintf(stderr, _("Group %s could not be modified: %s\n"),
group, lu_strerror(error));
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-members", group,
+ AUDIT_NO_ID, 0);
return 8;
}
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-members", group,
+ AUDIT_NO_ID, 1);
if (gidNumber != LU_VALUE_INVALID_ID) {
users = lu_users_enumerate_by_group_full(ctx, gid, &error);
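Review bot: The success record added after the failure block is emitted unconditionally, while the modification it reports only runs when `change` is true (`if (change && lu_group_modify(...) == FALSE)`). An invocation that only sets a password or toggles the lock therefore still produces a successful "changing-group-members" audit event for a change that never happened, which adds misleading entries to the audit trail. Guarding the call would fix it: `if (change) lu_audit_logger(AUDIT_GRP_MGMT, "changing-group-members", group, AUDIT_NO_ID, 1);`. The "modify-account" success call in the apps/lusermod.c hunk at -274 follows the same pattern. main() starts and ends outside the hunk.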
@@ -256,8 +286,14 @@ main(int argc, const char **argv)
fprintf(stderr,
_("Group %s could not be modified: %s\n"),
group, lu_strerror(error));
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-id", group,
+ AUDIT_NO_ID, 0);
return 8;
}
+ lu_audit_logger(AUDIT_GRP_MGMT,
+ "changing-group-id", group,
+ AUDIT_NO_ID, 1);
}
lu_ent_free(ent);
diff --git a/apps/luseradd.c b/apps/luseradd.c
index 7839183c00f892ad50f77f5aed6ada07cd3c125b..9d7f4f10a9c6f849e551f017f05c2e67e4a56259 100644
--- a/apps/luseradd.c
+++ b/apps/luseradd.c
@@ -210,8 +210,12 @@ main(int argc, const char **argv)
lu_error_free(&error);
}
lu_end(ctx);
+ lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+ AUDIT_NO_ID, 0);
return 1;
}
+ lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+ AUDIT_NO_ID, 1);
}
/* Retrieve the group ID. */
@@ -259,9 +263,13 @@ main(int argc, const char **argv)
if (lu_user_add(ctx, ent, &error) == FALSE) {
fprintf(stderr, _("Account creation failed: %s.\n"),
lu_strerror(error));
+ lu_audit_logger(AUDIT_ADD_USER, "add-user", name,
+ AUDIT_NO_ID, 0);
+
return 3;
}
lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+ lu_audit_logger(AUDIT_ADD_USER, "add-user", name, AUDIT_NO_ID, 1);
/* If we don't have the the don't-create-home flag, create the user's
* home directory. */
@@ -282,8 +290,12 @@ main(int argc, const char **argv)
&error) == FALSE) {
fprintf(stderr, _("Error creating %s: %s.\n"),
homeDirectory, lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,
+ uidNumber, 0);
return 7;
}
+ lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,
+ uidNumber, 1);
/* Create a mail spool for the user. */
if (lu_mail_spool_create(ctx, ent, &error) != TRUE) {
@@ -311,8 +323,12 @@ main(int argc, const char **argv)
fprintf(stderr, _("Error setting password for user "
"%s: %s.\n"), name,
lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+ name, uidNumber, 0);
return 3;
}
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+ name, uidNumber, 1);
}
lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
diff --git a/apps/luserdel.c b/apps/luserdel.c
index 2f39a4ffb8ae47ac5dc3c84270b54a8ca68c7403..7e20fa7ea9bf4082967bc6931a8557936bfda0a2 100644
--- a/apps/luserdel.c
+++ b/apps/luserdel.c
@@ -26,6 +26,7 @@
#include <string.h>
#include <unistd.h>
#include "../lib/user.h"
+#include "../lib/user_private.h"
#include "apputil.h"
int
@@ -93,8 +94,12 @@ main(int argc, const char **argv)
if (lu_user_delete(ctx, ent, &error) == FALSE) {
fprintf(stderr, _("User %s could not be deleted: %s.\n"),
user, lu_strerror(error));
+ lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,
+ AUDIT_NO_ID, 0);
return 3;
}
+ lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,
+ AUDIT_NO_ID, 1);
lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
@@ -126,9 +131,15 @@ main(int argc, const char **argv)
fprintf(stderr, _("Group %s could not be "
"deleted: %s.\n"), tmp,
lu_strerror(error));
+ lu_audit_logger_with_group (AUDIT_DEL_GROUP,
+ "delete-group", user, AUDIT_NO_ID,
+ tmp, 0);
return 7;
}
}
+ lu_audit_logger_with_group (AUDIT_DEL_GROUP,
+ "delete-group", user,
+ AUDIT_NO_ID, tmp, 1);
lu_ent_free(group_ent);
lu_nscd_flush_cache(LU_NSCD_CACHE_GROUP);
}
@@ -138,8 +149,14 @@ main(int argc, const char **argv)
fprintf(stderr,
_("Error removing home directory: %s.\n"),
lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_MGMT,
+ "deleting-home-directory", user,
+ AUDIT_NO_ID, 0);
return 9;
}
+ lu_audit_logger(AUDIT_USER_MGMT, "deleting-home-directory", user,
+ AUDIT_NO_ID, 1);
+
/* Delete the user's mail spool. */
if (lu_mail_spool_remove(ctx, ent, &error) != TRUE) {
fprintf(stderr, _("Error removing mail spool: %s"),
diff --git a/apps/lusermod.c b/apps/lusermod.c
index afec147475736f0b814b5e1f30c77064f3915c20..143157f114c93960fb879d9e6e0c1fb914f3ffcb 100644
--- a/apps/lusermod.c
+++ b/apps/lusermod.c
@@ -179,8 +179,13 @@ main(int argc, const char **argv)
fprintf(stderr,
_("Failed to set password for user %s: %s.\n"),
user, lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK,
+ "updating-password", user,
+ uidNumber, 0);
return 5;
}
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+ user, uidNumber, 0);
}
/* If we need to change a user's crypted password, try to change it,
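Review bot: The call added after the failure block reports a successful password change with result `0`, and the comment on lu_audit_logger in lib/common.c states that 1 is success and 0 is failed, so every successful change is recorded in the audit trail as a failure. The same applies to the success-path calls in the hunks at -192 (the second "updating-password") and -202 ("locking-account" and "unlocking-account"); the later "modify-account" and "moving-home-dir" calls in this file already pass 1. The last argument on these paths should be 1, i.e. `user, uidNumber, 1);`. Lock and unlock are also logged as AUDIT_USER_CHAUTHTOK, which looks copied from the password case, so the intended record type is worth confirming. main() starts and ends outside the hunk.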
@@ -192,8 +197,13 @@ main(int argc, const char **argv)
fprintf(stderr,
_("Failed to set password for user %s: %s.\n"),
user, lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK,
+ "updating-password", user,
+ uidNumber, 0);
return 6;
}
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+ user, uidNumber, 0);
}
/* If we need to lock/unlock the user's account, do that. */
@@ -202,16 +212,26 @@ main(int argc, const char **argv)
fprintf(stderr,
_("User %s could not be locked: %s.\n"),
user, lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK,
+ "locking-account", user,
+ uidNumber, 0);
return 7;
}
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK, "locking-account",
+ user, uidNumber, 0);
}
if (unlock) {
if (lu_user_unlock(ctx, ent, &error) == FALSE) {
fprintf(stderr,
_("User %s could not be unlocked: %s.\n"),
user, lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK,
+ "unlocking-account", user,
+ uidNumber, 0);
return 8;
}
+ lu_audit_logger(AUDIT_USER_CHAUTHTOK, "unlocking-account",
+ user, uidNumber, 0);
}
/* Determine if we actually need to change anything. */
@@ -274,8 +294,13 @@ main(int argc, const char **argv)
if (change && (lu_user_modify(ctx, ent, &error) == FALSE)) {
fprintf(stderr, _("User %s could not be modified: %s.\n"),
user, lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_MGMT,
+ "modify-account", user,
+ uidNumber, 0);
return 9;
}
+ lu_audit_logger(AUDIT_USER_MGMT, "modify-account",
+ user, uidNumber, 1);
lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
/* If the user's name changed, we need to update supplemental
@@ -322,12 +347,19 @@ main(int argc, const char **argv)
}
}
/* Save the changes to the group. */
- if (lu_group_modify(ctx, group, &error) == FALSE)
+ if (lu_group_modify(ctx, group, &error) == FALSE) {
fprintf(stderr, _("Group %s could not be "
"modified: %s.\n"),
lu_ent_get_first_string(group,
LU_GROUPNAME),
lu_strerror(error));
+ lu_audit_logger_with_group(AUDIT_USER_MGMT,
+ "update-member-in-group", user, uidNumber,
+ lu_ent_get_first_string(group, LU_GROUPNAME),0);
+ } else
+ lu_audit_logger_with_group(AUDIT_USER_MGMT,
+ "update-member-in-group", user, uidNumber,
+ lu_ent_get_first_string(group, LU_GROUPNAME),1);
lu_ent_free(group);
}
g_ptr_array_free(groups, TRUE);
@@ -353,8 +385,12 @@ main(int argc, const char **argv)
fprintf(stderr, _("Error moving %s to %s: %s.\n"),
oldHomeDirectory, homeDirectory,
lu_strerror(error));
+ lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",
+ user, uidNumber, 0);
return 12;
}
+ lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",
+ user, uidNumber, 1);
}
g_free(oldHomeDirectory);
diff --git a/configure.ac b/configure.ac
index 3e68b16a1f65ff5e5e3e905c1ffce8993e562176..0bd4a67d4c77fa1b701d74dbeab908a192dbf4d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -118,6 +118,23 @@ if test "x$selinux" != xno ; then
fi
AC_SUBST(SELINUX_LIBS)
+AC_ARG_WITH(audit,
+AS_HELP_STRING([--with-audit],[log using Linux Audit in addition to syslog]),
+use_audit=$withval,
+use_audit=auto)
+if test x$use_audit != xno ; then
+ AC_SEARCH_LIBS([audit_open], [audit])
+ if test x$ac_cv_search_audit_open = xno ; then
+ if test x$use_audit != xauto ; then
+ AC_MSG_ERROR([requested Linux Audit, but libaudit was not found])
+ fi
+ else
+ AC_DEFINE(WITH_AUDIT,1,[Define if you want to use Linux Audit.])
+ AUDIT_LIBS=-laudit
+ fi
+fi
+AC_SUBST(AUDIT_LIBS)
+
AC_C_CONST
AC_TYPE_UID_T
AC_TYPE_MODE_T
diff --git a/lib/common.c b/lib/common.c
index fc5df7461111908ff3eae59608ce0a51d62e155e..dce7e570ec9c92b56b28f15ab503fb7a641b660e 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -16,9 +16,10 @@
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
-#include <config.h>
+#include "config.h"
#include <glib.h>
#include <string.h>
+#include <stdlib.h>
#include "internal.h"
#include "user_private.h"
@@ -111,3 +112,66 @@ lu_common_sgroup_default(struct lu_module *module,
g_return_val_if_fail(name != NULL, FALSE);
return lu_common_group_default(module, name, is_system, ent, error);
}
+
+#ifdef WITH_AUDIT
+static int audit_fd = 0;
+
+/* result - 1 is "success" and 0 is "failed" */
+void lu_audit_logger(int type, const char *op, const char *name,
+ unsigned int id, unsigned int result)
+{
+ if (audit_fd == 0) {
+ /* First time through */
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these only when the kernel doesn't have
+ * audit compiled in. */
+ if ( (errno == EINVAL)
+ || (errno == EPROTONOSUPPORT)
+ || (errno == EAFNOSUPPORT))
+ return;
+ fputs("Cannot open audit interface - aborting.\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+ }
+ if (audit_fd < 0)
+ return;
+ audit_log_acct_message(audit_fd, type, NULL, op, name, id,
+ NULL, NULL, NULL, (int) result);
+}
+
+/* result - 1 is "success" and 0 is "failed" */
+void lu_audit_logger_with_group (int type, const char *op, const char *name,
+ unsigned int id, const char *grp, unsigned int result)
+{
+ int len;
+ char enc_group[(LOGIN_NAME_MAX*2)+1], buf[1024];
+
+ if (audit_fd == 0) {
+ /* First time through */
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these only when the kernel doesn't have
+ * audit compiled in. */
+ if ( (errno == EINVAL)
+ || (errno == EPROTONOSUPPORT)
+ || (errno == EAFNOSUPPORT))
+ return;
+ fputs("Cannot open audit interface - aborting.\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+ }
+ if (audit_fd < 0)
+ return;
+ len = strnlen(grp, sizeof(enc_group)/2);
+ if (audit_value_needs_encoding(grp, len)) {
+ snprintf(buf, sizeof(buf), "%s grp=%s", op,
+ audit_encode_value(enc_group, grp, len));
+ } else {
+ snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp);
+ }
+ audit_log_acct_message(audit_fd, type, NULL, buf, name, id,
+ NULL, NULL, NULL, (int) result);
+}
+#endif
+
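Review bot: Both new loggers use `audit_fd == 0` to mean "not opened yet", but 0 is a valid descriptor when the tool is started with stdin closed; in that case every call would open another audit socket and leak the previous one. The open-and-classify-errno sequence is also duplicated verbatim in lu_audit_logger and lu_audit_logger_with_group, so a shared static helper with a separate "already tried" flag would remove both problems without changing behaviour. The return value of audit_log_acct_message is discarded in both functions, so a record that could not be written is lost silently; at least a warning on stderr would make that visible. lu_audit_logger_with_group also passes `grp` to strnlen without a NULL check, which relies on every caller supplying a group name.

```c
static int audit_fd = -1;
static gboolean audit_tried = FALSE;

/* Open the audit socket once; returns a negative value when the kernel
 * has no audit support. */
static int
lu_audit_get_fd(void)
{
	if (audit_tried)
		return audit_fd;
	audit_tried = TRUE;
	audit_fd = audit_open();
	if (audit_fd < 0
	    && errno != EINVAL
	    && errno != EPROTONOSUPPORT
	    && errno != EAFNOSUPPORT) {
		fputs("Cannot open audit interface - aborting.\n", stderr);
		exit(EXIT_FAILURE);
	}
	return audit_fd;
}

/* … unchanged: lu_audit_logger and lu_audit_logger_with_group, each now
 * starting with a call to lu_audit_get_fd() and returning when it is < 0 … */
```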
diff --git a/lib/user_private.h b/lib/user_private.h
index a4869c138d51519539b6939406cdb0fee23ab7f6..02b813c47ee359db774bb85a2aa7aa12e18d3067 100644
--- a/lib/user_private.h
+++ b/lib/user_private.h
@@ -34,6 +34,9 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
#include "user.h"
G_BEGIN_DECLS
@@ -357,6 +360,18 @@ id_t lu_get_first_unused_id(struct lu_context *ctx, enum lu_entity_type type,
/* Append a copy of VALUES to DEST */
void lu_util_append_values(GValueArray *dest, GValueArray *values);
+#ifdef WITH_AUDIT
+void lu_audit_logger(int type, const char *op, const char *name,
+ unsigned int id, unsigned int result);
+void lu_audit_logger_with_group(int type, const char *op, const char *name,
+ unsigned int id, const char *grp,
+ unsigned int result);
+#else
+#define lu_audit_logger(a, b, c, d, e)
+#define lu_audit_logger_with_group(a, b, c, d, e, f)
+#endif
+#define AUDIT_NO_ID ((unsigned int) -1)
+
G_END_DECLS
#endif
--
2.17.1

File diff suppressed because it is too large Load Diff


@ -0,0 +1,44 @@
From 11a7ff7eeefe763be9ade949e8f2a4a2d53f6129 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Mon, 24 Sep 2018 20:51:51 +0200
Subject: [PATCH 4/7] Check negative return of PyList_Size
Merges:
https://pagure.io/libuser/issue/28
In case of an error, PyList_Size can return a negative value. We should
check that case, also to avoid compiler warnings like:
Error: COMPILER_WARNING: [#def41] [warning: defect not occurring in libuser-0.60-9.el7]
libuser-0.62/python/misc.c: scope_hint: In function 'libuser_admin_prompt'
libuser-0.62/python/misc.c:160:12: warning: argument 1 range [9223372036854775808, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
/usr/include/glib-2.0/glib/glist.h:32: included_from: Included from here.
/usr/include/glib-2.0/glib/ghash.h:33: included_from: Included from here.
/usr/include/glib-2.0/glib.h:50: included_from: Included from here.
libuser-0.62/python/misc.c:25: included_from: Included from here.
/usr/include/glib-2.0/glib/gmem.h:96:10: note: in a call to allocation function 'g_malloc0_n' declared here
---
python/misc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/python/misc.c b/python/misc.c
index c4ce819bfaeb4296507b504c4647b7676377b631..fcb0ccfebae143fa7c7a43ad60d7e9b231ca8863 100644
--- a/python/misc.c
+++ b/python/misc.c
@@ -137,7 +137,12 @@ libuser_admin_prompt(struct libuser_admin *self, PyObject * args,
return NULL;
}
count = PyList_Size(list);
- if (count > INT_MAX) {
+ if (count < 0) {
+ PyErr_SetString(PyExc_TypeError,
+ "prompt_list has no size; probably not a list");
+ DEBUG_EXIT;
+ return NULL;
+ } else if (count > INT_MAX) {
PyErr_SetString(PyExc_ValueError, "too many prompts");
DEBUG_EXIT;
return NULL;
--
2.14.4


@ -0,0 +1,60 @@
From 7acf0fad0ca468f33f86084f36251df5baf3dc94 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed, 26 Sep 2018 21:01:59 +0200
Subject: [PATCH 5/7] files.c: Init char *name to NULL
Merges:
https://pagure.io/libuser/issue/27
This is mostly to silence coverity warnings. "enum lu_entity_type" has
three values and several places in the code follow logic as:
char *name;
if ent->type == user:
name = foo()
if ent->type == group
name = bar()
g_assert(name != NULL)
it shouldn't be possible for ent->type to be anything else but in the
odd case it is, initializing name to NULL will ensure that name will be
still NULL after the code falls through the conditions and at least the
behaviour is defined.
---
modules/files.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/files.c b/modules/files.c
index 6a7787e28112ba07e0fc44f2887ce1d1540af29e..8c2a282b6448bbfb313b5d4f5eeb28b8240bccd5 100644
--- a/modules/files.c
+++ b/modules/files.c
@@ -1501,7 +1501,7 @@ generic_lock(struct lu_module *module, const char *file_suffix, int field,
struct lu_ent *ent, enum lock_op op, struct lu_error **error)
{
struct editing *e;
- char *value, *new_value, *name;
+ char *value, *new_value, *name = NULL;
gboolean commit = FALSE, ret = FALSE;
/* Get the name which keys the entries of interest in the file. */
@@ -1561,7 +1561,7 @@ generic_is_locked(struct lu_module *module, const char *file_suffix,
int field, struct lu_ent *ent, struct lu_error **error)
{
char *filename;
- char *value, *name;
+ char *value, *name = NULL;
int fd;
gboolean ret = FALSE;
@@ -1752,7 +1752,7 @@ generic_setpass(struct lu_module *module, const char *file_suffix, int field,
struct lu_error **error)
{
struct editing *e;
- char *value, *name;
+ char *value, *name = NULL;
gboolean ret = FALSE;
/* Get the name of this account. */
--
2.14.4

File diff suppressed because it is too large Load Diff


@ -0,0 +1,56 @@
From 8da7fc83aa3e9fd868c6a8da9261b72dae7d29e7 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed, 26 Sep 2018 21:38:02 +0200
Subject: [PATCH 6/7] merge_ent_array_duplicates: Only use values if valid
Merges:
https://pagure.io/libuser/issue/22
Don't attempt to dereference a NULL pointer
---
lib/user.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/lib/user.c b/lib/user.c
index ad2bb099c7d12bd91188e69f188c64953b1d9748..2500565a544bb33a5e08d9807a794a42c819a2d2 100644
--- a/lib/user.c
+++ b/lib/user.c
@@ -691,10 +691,13 @@ merge_ent_array_duplicates(GPtrArray *array)
while (attributes != NULL) {
attr = (const char *)attributes->data;
values = lu_ent_get_current(current, attr);
- for (j = 0; j < values->n_values; j++) {
- value = g_value_array_get_nth(values,
- j);
- lu_ent_add_current(saved, attr, value);
+ if (values != NULL) {
+ for (j = 0; j < values->n_values; j++) {
+ value = g_value_array_get_nth(
+ values,
+ j);
+ lu_ent_add_current(saved, attr, value);
+ }
}
attributes = g_list_next(attributes);
}
@@ -705,10 +708,13 @@ merge_ent_array_duplicates(GPtrArray *array)
while (attributes != NULL) {
attr = (const char *)attributes->data;
values = lu_ent_get(current, attr);
- for (j = 0; j < values->n_values; j++) {
- value = g_value_array_get_nth(values,
- j);
- lu_ent_add(saved, attr, value);
+ if (values != NULL) {
+ for (j = 0; j < values->n_values; j++) {
+ value = g_value_array_get_nth(
+ values,
+ j);
+ lu_ent_add(saved, attr, value);
+ }
}
attributes = g_list_next(attributes);
}
--
2.14.4


@ -0,0 +1,33 @@
From e5536845298b6672a16e5866a823fcf6562c6cf3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed, 26 Sep 2018 21:15:38 +0200
Subject: [PATCH 7/7] editing_open: close fd after we've established its
validity
Merges:
https://pagure.io/libuser/issue/26
The code used to first close(fd) and only then check if it's != -1.
Reverse the logic so that the fd is only closed if valid.
---
modules/files.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/files.c b/modules/files.c
index 8c2a282b6448bbfb313b5d4f5eeb28b8240bccd5..b8bf8a60e5810c0b705bd91efbdf9e27e851cd2b 100644
--- a/modules/files.c
+++ b/modules/files.c
@@ -387,9 +387,9 @@ editing_open(struct lu_module *module, const char *file_suffix,
backup_name = g_strconcat(e->filename, "-", NULL);
fd = open_and_copy_file(e->filename, backup_name, FALSE, error);
g_free (backup_name);
- close(fd);
if (fd == -1)
goto err_fscreate;
+ close(fd);
e->new_filename = g_strconcat(e->filename, "+", NULL);
e->new_fd = open_and_copy_file(e->filename, e->new_filename, TRUE,
--
2.14.4


@ -0,0 +1,48 @@
From c6a4e9f596c976f71894269e3168567e6118236c Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 5 Jun 2019 22:16:51 +0200
Subject: [PATCH] lgroupmod: Emit AUDIT_GRP_CHAUTHTOK, not AUDIT_GRP_MGMT when
changing group password
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1670997
---
apps/lgroupmod.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/lgroupmod.c b/apps/lgroupmod.c
index 0ad0ae4..20be85f 100644
--- a/apps/lgroupmod.c
+++ b/apps/lgroupmod.c
@@ -138,12 +138,12 @@ main(int argc, const char **argv)
== FALSE) {
fprintf(stderr, _("Failed to set password for group "
"%s: %s\n"), group, lu_strerror(error));
- lu_audit_logger(AUDIT_GRP_MGMT,
+ lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
"changing-group-passwd", group,
AUDIT_NO_ID, 0);
return 4;
}
- lu_audit_logger(AUDIT_GRP_MGMT,
+ lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
"changing-group-passwd", group,
AUDIT_NO_ID, 1);
}
@@ -153,12 +153,12 @@ main(int argc, const char **argv)
&error) == FALSE) {
fprintf(stderr, _("Failed to set password for group "
"%s: %s\n"), group, lu_strerror(error));
- lu_audit_logger(AUDIT_GRP_MGMT,
+ lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
"changing-group-passwd", group,
AUDIT_NO_ID, 0);
return 5;
}
- lu_audit_logger(AUDIT_GRP_MGMT,
+ lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
"changing-group-passwd", group,
AUDIT_NO_ID, 1);
}
--
2.20.1


@ -1,21 +1,7 @@
commit 009d9238317d152f524ee46c4be1ad2f93c47732
Author: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed Sep 26 21:29:35 2018 +0200
lu_dispatch: Free tmp on failures
Merges:
https://pagure.io/libuser/issue/23
This makes the code slightly less compact with using an explicit
condition instead of the g_return_val_if_fail() shorthand, but freeing
tmp on failures.
diff --git a/lib/user.c b/lib/user.c
index ad2bb09..5709f41 100644
--- a/lib/user.c
+++ b/lib/user.c
@@ -980,7 +980,10 @@ lu_dispatch(struct lu_context *context,
diff -up libuser-0.62/lib/user.c.orig libuser-0.62/lib/user.c
--- libuser-0.62/lib/user.c.orig 2024-05-07 17:03:45.220514343 +0200
+++ libuser-0.62/lib/user.c 2024-05-07 17:05:17.855649386 +0200
@@ -986,7 +986,10 @@ lu_dispatch(struct lu_context *context,
case user_default:
case group_default:
/* Make sure we have both name and boolean here. */
@ -27,7 +13,7 @@ index ad2bb09..5709f41 100644
/* Run the checks and preps. */
if (run_list(context, context->create_module_names,
logic_and, id,
@@ -1059,7 +1062,10 @@ lu_dispatch(struct lu_context *context,
@@ -1065,7 +1068,10 @@ lu_dispatch(struct lu_context *context,
case user_setpass:
case group_setpass:
/* Make sure we have a valid password. */
@ -39,7 +25,7 @@ index ad2bb09..5709f41 100644
/* no break: fall through */
case user_removepass:
case group_removepass:
@@ -1088,7 +1094,10 @@ lu_dispatch(struct lu_context *context,
@@ -1094,7 +1100,10 @@ lu_dispatch(struct lu_context *context,
case users_enumerate_by_group:
case groups_enumerate_by_user:
/* Make sure we have both name and ID here. */

1465
SOURCES/libuser-0_62-de.po Normal file


1454
SOURCES/libuser-0_62-es.po Normal file


1464
SOURCES/libuser-0_62-fr.po Normal file


1450
SOURCES/libuser-0_62-it.po Normal file


1480
SOURCES/libuser-0_62-ja.po Normal file


1446
SOURCES/libuser-0_62-ko.po Normal file



1459
SOURCES/libuser-0_62-ru.po Normal file





@ -1,40 +1,48 @@
Name: libuser
Version: 0.63
Release: 15%{?dist}
Version: 0.62
Release: 26%{?dist}
Group: System Environment/Base
License: LGPLv2+
URL: https://pagure.io/libuser
Source: http://releases.pagure.org/libuser/libuser-%{version}.tar.xz
Patch0001: 0001-man-typo.patch
Patch0002: 0002-popt-memopy.patch
Patch0003: 0003-translation.patch
Patch0004: 0004-resource-leak.patch
Patch0005: 0005-translation-update.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1608321
Source1: libuser-0_62-ja.po
Source2: libuser-0_62-zh_CN.po
Source3: libuser-0_62-zh_TW.po
Source4: libuser-0_62-fr.po
Source5: libuser-0_62-it.po
Source6: libuser-0_62-de.po
Source7: libuser-0_62-ko.po
Source8: libuser-0_62-pt_BR.po
Source9: libuser-0_62-ru.po
Source10: libuser-0_62-es.po
BuildRequires: glib2-devel
BuildRequires: linuxdoc-tools
BuildRequires: pam-devel
BuildRequires: popt-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: libselinux-devel
BuildRequires: openldap-devel
BuildRequires: python3-devel
# Because we patch configure
BuildRequires: autoconf gettext-devel automake libtool
BuildRequires: glib2-devel, linuxdoc-tools, pam-devel, popt-devel
BuildRequires: cyrus-sasl-devel, libselinux-devel, openldap-devel, python3-devel
# To make sure the configure script can find it
BuildRequires: nscd
BuildRequires: gcc
# For %%check
BuildRequires: openldap-clients
# BuildRequires: openldap-servers
BuildRequires: openssl
BuildRequires: make
BuildRequires: bison
BuildRequires: libtool
BuildRequires: gettext-devel
BuildRequires: gtk-doc
# We support libaudit
BuildRequires: audit-libs-devel
# For %%check
BuildRequires: openldap-clients, openldap-servers, openssl
Summary: A user and group account administration library
%global __provides_exclude_from ^(%{_libdir}/%{name}|%{python3_sitearch})/.*$
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
# Patch to address format-security.
# Submitted upstream at https://pagure.io/libuser/pull-request/17
Patch1: 0001-Fix-errors-with-Werror-format-security.patch
Patch2: 0002-Use-2048-bit-keys-in-tests-to-avoid-issues-with-mode.patch
Patch3: 0003-Add-audit-events-around-user-life-cycle.patch
Patch4: 0004-Check-negative-return-of-PyList_Size.patch
Patch5: 0005-files.c-Init-char-name-to-NULL.patch
Patch6: 0006-merge_ent_array_duplicates-Only-use-values-if-valid.patch
Patch7: 0007-editing_open-close-fd-after-we-ve-established-its-va.patch
Patch8: 0008-lgroupmod-Emit-AUDIT_GRP_CHAUTHTOK-not-AUDIT_GRP_MGM.patch
Patch9: 0009-man-typo.patch
Patch10: 0010-resource-leak.patch
%description
The libuser library implements a standardized interface for manipulating
@ -45,6 +53,7 @@ Sample applications modeled after those included with the shadow password
suite are included.
%package devel
Group: Development/Libraries
Summary: Files needed for developing applications which use libuser
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: glib2-devel%{?_isa}
@ -54,11 +63,12 @@ The libuser-devel package contains header files, static libraries, and other
files useful for developing applications with libuser.
%package -n python3-libuser
%{?python_provide:%python_provide python2-libuser}
Summary: Python 3 bindings for the libuser library
Group: Development/Libraries
Requires: libuser%{?_isa} = %{version}-%{release}
Provides: python3-libuser = %{version}-%{release}
Provides: python3-libuser%{?_isa} = %{version}-%{release}
%{?python_provide:%python_provide python3-libuser}
Provides: libuser-python3 = %{version}-%{release}
Obsoletes: libuser-python3 < %{version}-%{release}
%description -n python3-libuser
The python3-libuser package contains the Python bindings for
@ -66,33 +76,70 @@ the libuser library, which provides a Python 3 API for manipulating and
administering user and group accounts.
%prep
%autosetup -n libuser-%{version} -p1
%setup -q -n libuser-%{version}
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%patch -P 4 -p1
%patch -P 5 -p1
%patch -P 6 -p1
%patch -P 7 -p1
%patch -P 8 -p1
%patch -P 9 -p1
%patch -P 10 -p1
cp %{SOURCE1} po/ja.po
cp %{SOURCE2} po/zh_CN.po
cp %{SOURCE3} po/zh_TW.po
cp %{SOURCE4} po/fr.po
cp %{SOURCE5} po/it.po
cp %{SOURCE6} po/de.po
cp %{SOURCE7} po/ko.po
cp %{SOURCE8} po/pt_BR.po
cp %{SOURCE9} po/ru.po
cp %{SOURCE10} po/es.po
%build
./autogen.sh
%configure --with-selinux --with-ldap --with-audit \
--enable-gtk-doc --with-html-dir=%{_datadir}/gtk-doc/html \
PYTHON=%{python3}
autoreconf -if
%configure --with-selinux \
--with-ldap \
--with-audit \
--with-html-dir=%{_datadir}/gtk-doc/html \
PYTHON=/usr/bin/python3
make
# (make all) only rebuilds .gmo files if the .pot file is updated, regardless of po/ja.po changes
make -C po ja.gmo
make -C po zh_CN.gmo
make -C po zh_TW.gmo
make -C po it.gmo
make -C po de.gmo
make -C po ko.gmo
make -C po pt_BR.gmo
make -C po ru.gmo
make -C po es.gmo
%install
%make_install
make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p'
%find_lang %{name}
#%check
#make check || { cat test-suite.log; false; }
#
## Verify that all python modules load, just in case.
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir}:${LD_LIBRARY_PATH}
#export LD_LIBRARY_PATH
#PYTHONPATH=$RPM_BUILD_ROOT%{python3_sitearch}
#export PYTHONPATH
#%{python3} -c "import libuser"
%check
LC_ALL=C.UTF-8 make check \
|| { cat test-suite.log; false; }
# Verify that all python modules load, just in case.
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir}:${LD_LIBRARY_PATH}
export LD_LIBRARY_PATH
cd $RPM_BUILD_ROOT/%{python3_sitearch}
# The Python 3 module only supports UTF-8
LC_ALL=C.UTF-8 python3 -c "import libuser"
%ldconfig_scriptlets
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files -f %{name}.lang
%{!?_licensedir:%global license %%doc}
@ -123,120 +170,50 @@ make
%{_datadir}/gtk-doc/html/*
%changelog
* Tue May 7 2024 Tomas Halman <thalman@redhat.com> - 0.63-15
- Update translations
Resolves: RHEL-12110
* Tue Jul 23 2024 Michal Hlavinka <mhlavink@redhat.com> - 0.62-26
- fix findings from static application security testing (#RHEL-35578)
- translation update (#RHEL-12111)
* Mon May 6 2024 Tomas Halman <thalman@redhat.com> - 0.63-14
- Fix findings from static application security testing
Resolves: RHEL-35693
* Tue Nov 29 2022 Tomas Halman <thalman@redhat.com> - 0.62-25
- Man-page update
- Resolves: rhbz#2070941 - small typo in lchage man page
* Tue Jul 11 2023 Tomas Halman <thalman@redhat.com> - 0.63-13
- Translation update
Resolves: rhbz#2139662
* Wed Jun 26 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.62-23
- Actually apply the patch from the previous build
- Resolves: rhbz#1670997 - Amend the user lifecycle auditing
* Thu Nov 10 2022 Tomas Halman <thalman@redhat.com> - 0.63-12
- correct popt memory handling
- Fix the manpage
Resolves: rhbz#2070943
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.62-22
- Resolves: rhbz#1670997 - Amend the user lifecycle auditing
* Fri Jul 15 2022 Tomas Halman <thalman@redhat.com> - 0.63-11
- remove build dependency for openldap-server
Resolves: rhbz#2102876
* Fri Nov 30 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-21
- Resolves: rhbz#1608321 - [libuser] RHEL 8.0 Tier 0 Localization
* Tue Aug 17 2021 Tomas Halman <thalman@redhat.com> - 0.63-10
- Update changelog according git history
Resolves: rhbz#1993633
* Fri Oct 12 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-20
- Resolves: rhbz#1637398 - libuser-python3 should be renamed to comply
with Packaging Guidelines
* Tue Aug 17 2021 Tomas Halman <thalman@redhat.com> - 0.63-9
- Fix broken changelog in rpm spec
Resolves: rhbz#1993633
* Wed Oct 3 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-19
- Resolves: rhbz#1602600 - Please review important issues found by covscan
in "libuser-0.62-14.el8+7" package
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.63-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Sep 28 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-18
- Resolves: rhbz#1608321 - [libuser] RHEL 8.0 Tier 0 Localization
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 0.63-6
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Mon Aug 13 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-17
- Resolves: rhbz#1558151 - libuser needs audit events around the account
lifecycle
* Thu May 20 2021 Tomas Halman <thalman@redhat.com> - 0.63-5
- Enable audit library in the build
- Resolves: rhbz#1923043 - libuser doesn't audit events around the account lifecycle
* Mon Aug 6 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-16
- Use 2048bit keys in tests
- Resolves: rhbz#1611729 - [RHEL8-S-BUILD] libuser Fails Scratch Build on rhel-8.0
* Tue May 11 2021 Tomas Halman <thalman@redhat.com> - 0.63-4
- Resolves: rhbz#1951601 - Remove fakeroot dependency
* Mon Jun 11 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-15
- Drop the fakeroot dependency
- Resolves: #1581448 - Remove fakeroot from libuser in RHEL8
* Tue May 11 2021 Tomas Halman <thalman@redhat.com> - 0.63-3
- Renaming python package according to the standard
- Resolves: rhbz#1951968
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.63-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Mar 1 2021 Tomas Halman <thalman@redhat.com> - 0.63-1
- Release new version 0.63
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-31
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Sep 09 2020 Tom Stellard <tstellar@redhat.com> - 0.62-30
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Sep 02 2020 Merlin Mathesius <mmathesi@redhat.com> - 0.62-29
- Pull in upstream patch that fixes FTBFS for Rawhide and ELN
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-28
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-27
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 3 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.62-26
- Temporarily disable tests, nothing changed since forever so this should be
safe and would unblock FTBFS
- Related: rhbz#1817666 - libuser fails to build with Python 3.9: FAIL: tests/fs_test
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.62-25
- Rebuilt for Python 3.9
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 26 2019 Miro Hrončok <mhroncok@redhat.com> - 0.62-23
- Subpackage python2-libuser has been removed
See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.62-22
- Rebuilt for Python 3.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 0.62-19
- Rebuilt for libcrypt.so.2 (#1666033)
* Fri Jul 20 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-19
- BuildRequires: gcc
- Related: rhbz#1604682 - libuser: FTBFS in Fedora rawhide
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 9 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-16
- Use python2 explicitly in tests of python2 bindings instead of just "python"
- Related: rhbz#1582899 - libuser: FTBFS in Fedora 28
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.62-15
- Rebuilt for Python 3.7
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sun Jun 10 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-14
- Do not build python2-libuser at all in RHEL-8
- Resolves: #1559103 - libuser: Drop Python 2 subpackage(s) from RHEL 8
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 0.62-13
- Rebuilt for switch to libxcrypt
@ -643,7 +620,7 @@ make
- Fix updating of groups after user renaming in lusermod
- Allow setting a shadow password even if the current shadow password is
invalid (#131180)
- Add lu_{user,group}_unlock_nonempty (#86414); module interface ABI has
- Add lu_{user,group}_unlock_nonempty (#86414); module interface ABI has
changed
- Miscellaneous bug and memory leak fixes
@ -718,7 +695,7 @@ make
- enable SELinux
* Mon Sep 08 2003 Dan Walsh <dwalsh@redhat.com> 0.51.7-5
- Turn off SELinux
- Turn off SELinux
* Wed Aug 06 2003 Dan Walsh <dwalsh@redhat.com> 0.51.7-3
- Add SELinux support
@ -945,7 +922,7 @@ make
- finish adding a sasldb module which manipulates a sasldb file
- add users_enumerate_by_group and groups_enumerate_by_users
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- luserdel: remove the user's primary group if it has the same name as
the user and has no members configured (-G disables)
- fixup some configure stuff to make libuser.conf get generated correctly
@ -999,7 +976,7 @@ make
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
- stub out the krb5 and ldap modules so that they'll at least compile again
* Tue Jul 10 2001 Nalin Dahyabhai <nalin@redhat.com>
- don't bail when writing empty fields to colon-delimited files
- use permissions of the original file when making backup files instead of 0600