From 00503f62f4a57ebf6915bd3d5ea530a7edb14798 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 27 Sep 2022 10:21:34 -0400 Subject: [PATCH] import shadow-utils-4.9-5.el9 --- ...w-4.9-subordinateio-compare-owner-ID.patch | 108 ++++++++++++++++++ ...dify-check-ID-range-for-system-users.patch | 19 +++ SPECS/shadow-utils.spec | 21 +++- 3 files changed, 145 insertions(+), 3 deletions(-) create mode 100644 SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch create mode 100644 SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch diff --git a/SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch b/SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch new file mode 100644 index 0000000..19ab7ec --- /dev/null +++ b/SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch @@ -0,0 +1,108 @@ +From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 13 Jul 2022 09:55:14 +0200 +Subject: [PATCH] subordinateio: also compare the owner ID + +IDs already populate /etc/subuid and /etc/subgid files so it's necessary +not only to check for the owner name but also for the owner ID of a +given range. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311 + +Signed-off-by: Iker Pedrosa +--- + lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 50 insertions(+) + +diff --git a/lib/subordinateio.c b/lib/subordinateio.c +index 9ca70b8b..6bc45283 100644 +--- a/lib/subordinateio.c ++++ b/lib/subordinateio.c +@@ -17,6 +17,8 @@ + #include + #include + ++#define ID_SIZE 31 ++ + /* + * subordinate_dup: create a duplicate range + * +@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count) + return start == ULONG_MAX ? (gid_t) -1 : start; + } + ++static bool get_owner_id(const char *owner, enum subid_type id_type, char *id) ++{ ++ struct passwd *pw; ++ struct group *gr; ++ int ret = 0; ++ ++ switch (id_type) { ++ case ID_TYPE_UID: ++ pw = getpwnam(owner); ++ if (pw == NULL) { ++ return false; ++ } ++ ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid); ++ if (ret < 0 || ret >= ID_SIZE) { ++ return false; ++ } ++ break; ++ case ID_TYPE_GID: ++ gr = getgrnam(owner); ++ if (gr == NULL) { ++ return false; ++ } ++ ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid); ++ if (ret < 0 || ret >= ID_SIZE) { ++ return false; ++ } ++ break; ++ default: ++ return false; ++ } ++ ++ return true; ++} ++ + /* + * int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges) + * +@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r + enum subid_status status; + int count = 0; + struct subid_nss_ops *h; ++ char id[ID_SIZE]; ++ bool have_owner_id; + + *in_ranges = NULL; + +@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r + return -1; + } + ++ have_owner_id = get_owner_id(owner, id_type, id); ++ + commonio_rewind(db); + while ((range = commonio_next(db)) != NULL) { + if (0 == strcmp(range->owner, owner)) { +@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r + goto out; + } + } ++ ++ // Let's also compare with the ID ++ if (have_owner_id == true && 0 == strcmp(range->owner, id)) { ++ if (!append_range(&ranges, range, count++)) { ++ free(ranges); ++ ranges = NULL; ++ count = -1; ++ goto out; ++ } ++ } + } + + out: +-- +2.36.1 + diff --git a/SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch b/SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch new file mode 100644 index 0000000..ce47bc1 --- /dev/null +++ b/SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch @@ -0,0 +1,19 @@ +diff -up shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users shadow-4.9/src/useradd.c +--- shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users 2022-04-22 14:50:10.658371270 +0200 ++++ shadow-4.9/src/useradd.c 2022-04-22 14:54:34.810100549 +0200 +@@ -2319,12 +2319,10 @@ static void check_uid_range(int rflg, ui + { + uid_t uid_min ; + uid_t uid_max ; +- if(rflg){ +- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL); ++ if (rflg) { + uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1); +- if(uid_min <= uid_max){ +- if(user_id < uid_min || user_id >uid_max) +- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max); ++ if (user_id > uid_max) { ++ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max); + } + }else{ + uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL); diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec index aa46a17..716efbd 100644 --- a/SPECS/shadow-utils.spec +++ b/SPECS/shadow-utils.spec @@ -1,12 +1,12 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.9 -Release: 3%{?dist} +Release: 5%{?dist} Epoch: 2 License: BSD and GPLv2+ URL: https://github.com/shadow-maint/shadow -Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz -Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc +Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz +Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc Source2: shadow-utils.useradd Source3: shadow-utils.login.defs Source4: shadow-bsd.txt @@ -67,6 +67,10 @@ Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch Patch23: shadow-4.9-getsubids.patch # https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83 Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch +# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 +Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch +# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 +Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch ### Dependencies ### Requires: audit-libs >= 1.6.5 @@ -120,6 +124,7 @@ Utility library that provides a way to manage subid ranges. %package subid-devel Summary: Development package for shadow-utils-subid License: BSD and GPLv2+ +Requires: shadow-utils-subid = %{epoch}:%{version}-%{release} %description subid-devel Development files for shadow-utils-subid. @@ -151,6 +156,8 @@ Development files for shadow-utils-subid. %patch22 -p1 -b .newgrp-fix-segmentation-fault %patch23 -p1 -b .getsubids %patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist +%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users +%patch26 -p1 -b .subordinateio-compare-owner-ID iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -321,6 +328,14 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_libdir}/libsubid.so %changelog +* Thu Jul 21 2022 Iker Pedrosa - 2:4.9-5 +- subordinateio: also compare the owner ID. Resolves: #2109410 + +* Fri Apr 22 2022 Iker Pedrosa - 2:4.9-4 +- useradd: modify check ID range for system users. Resolves: #2004911 +- Fix release sources +- Add subid requirement for subid-devel + * Thu Dec 2 2021 Iker Pedrosa - 2:4.9-3 - getsubids: provide system binary and man page. Resolves: #2013015 - useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081