import shadow-utils-4.9-5.el9
parent
3bc64657c9
commit
00503f62f4
108
SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
Normal file
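--- a/SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
+++ b/SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
@@ -0,0 +1,108 @@
+From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Wed, 13 Jul 2022 09:55:14 +0200
+Subject: [PATCH] subordinateio: also compare the owner ID
+
+IDs already populate /etc/subuid and /etc/subgid files so it's necessary
+not only to check for the owner name but also for the owner ID of a
+given range.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
+1 file changed, 50 insertions(+)
+
+diff --git a/lib/subordinateio.c b/lib/subordinateio.c
+index 9ca70b8b..6bc45283 100644
+--- a/lib/subordinateio.c
++++ b/lib/subordinateio.c
+@@ -17,6 +17,8 @@
+#include <ctype.h>
+#include <fcntl.h>
+
++#define ID_SIZE 31
++
+/*
+* subordinate_dup: create a duplicate range
+*
+@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
+return start == ULONG_MAX ? (gid_t) -1 : start;
+}
+
++static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
++{
++ struct passwd *pw;
++ struct group *gr;
++ int ret = 0;
++
++ switch (id_type) {
++ case ID_TYPE_UID:
++ pw = getpwnam(owner);
++ if (pw == NULL) {
++ return false;
++ }
++ ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
++ if (ret < 0 || ret >= ID_SIZE) {
++ return false;
++ }
++ break;
++ case ID_TYPE_GID:
++ gr = getgrnam(owner);
++ if (gr == NULL) {
++ return false;
++ }
++ ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
++ if (ret < 0 || ret >= ID_SIZE) {
++ return false;
++ }
++ break;
++ default:
++ return false;
++ }
++
++ return true;
++}
++
+/*
+* int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
+*
+@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
+enum subid_status status;
+int count = 0;
+struct subid_nss_ops *h;
++ char id[ID_SIZE];
++ bool have_owner_id;
+
+*in_ranges = NULL;
+
+@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
+return -1;
+}
+
++ have_owner_id = get_owner_id(owner, id_type, id);
++
+commonio_rewind(db);
+while ((range = commonio_next(db)) != NULL) {
+if (0 == strcmp(range->owner, owner)) {
+@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
+goto out;
+}
+}
++
++ // Let's also compare with the ID
++ if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
++ if (!append_range(&ranges, range, count++)) {
++ free(ranges);
++ ranges = NULL;
++ count = -1;
++ goto out;
++ }
++ }
+}
+
+out:
+--
+2.36.1
+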
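Review bot: The added ID comparison at the end of the loop in list_owner_ranges is a second, independent `if`, so a range is appended twice when the owner name is itself the decimal form of its ID, and the `append_range` failure path is now duplicated. Folding both tests into the existing condition avoids that: `if (0 == strcmp(range->owner, owner) || (have_owner_id && 0 == strcmp(range->owner, id))) {`. Matching on the decimal string also means an entry keyed by a number is attributed to whichever account currently resolves to that UID/GID, which is ambiguous if all-numeric account names are permitted (the name validation is not visible here), so a comment on get_owner_id stating that assumption would help. get_owner_id also writes into `id` with an implicit ID_SIZE bound; passing the buffer size as a parameter would keep the bound next to the buffer. The loop and its first `if` begin outside the last hunk.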
@ -0,0 +1,19 @@
|
|||||||
|
diff -up shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users shadow-4.9/src/useradd.c
|
||||||
|
--- shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users 2022-04-22 14:50:10.658371270 +0200
|
||||||
|
+++ shadow-4.9/src/useradd.c 2022-04-22 14:54:34.810100549 +0200
|
||||||
|
@@ -2319,12 +2319,10 @@ static void check_uid_range(int rflg, ui
|
||||||
|
{
|
||||||
|
uid_t uid_min ;
|
||||||
|
uid_t uid_max ;
|
||||||
|
- if(rflg){
|
||||||
|
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
|
||||||
|
+ if (rflg) {
|
||||||
|
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
|
||||||
|
- if(uid_min <= uid_max){
|
||||||
|
- if(user_id < uid_min || user_id >uid_max)
|
||||||
|
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
|
||||||
|
+ if (user_id > uid_max) {
|
||||||
|
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
|
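Review bot: The new warning in check_uid_range prints `user_id` and `uid_max` with `%d`, but `uid_max` is a `uid_t` (and `user_id` presumably is too; the signature is truncated in the hunk header), so IDs above INT_MAX would be shown as negative numbers. An unsigned conversion with a cast fixes that, e.g. `"%s warning: %s's uid %lu is greater than SYS_UID_MAX %lu\n"` with `(unsigned long) user_id, (unsigned long) uid_max`. The context line computing `uid_max` subtracts 1 from `getdef_ulong("UID_MIN",1000UL)` with no guard for a configured UID_MIN of 0, which would wrap before the cast; a check or a short comment there would make the intent explicit. The function body continues past the end of the hunk.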
@ -1,12 +1,12 @@
|
|||||||
Summary: Utilities for managing accounts and shadow password files
|
Summary: Utilities for managing accounts and shadow password files
|
||||||
Name: shadow-utils
|
Name: shadow-utils
|
||||||
Version: 4.9
|
Version: 4.9
|
||||||
Release: 3%{?dist}
|
Release: 5%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: BSD and GPLv2+
|
License: BSD and GPLv2+
|
||||||
URL: https://github.com/shadow-maint/shadow
|
URL: https://github.com/shadow-maint/shadow
|
||||||
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
|
||||||
Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
|
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
|
||||||
Source2: shadow-utils.useradd
|
Source2: shadow-utils.useradd
|
||||||
Source3: shadow-utils.login.defs
|
Source3: shadow-utils.login.defs
|
||||||
Source4: shadow-bsd.txt
|
Source4: shadow-bsd.txt
|
||||||
@ -67,6 +67,10 @@ Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
|
|||||||
Patch23: shadow-4.9-getsubids.patch
|
Patch23: shadow-4.9-getsubids.patch
|
||||||
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
|
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
|
||||||
Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
|
Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
|
||||||
|
Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
|
||||||
|
Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
Requires: audit-libs >= 1.6.5
|
Requires: audit-libs >= 1.6.5
|
||||||
@ -120,6 +124,7 @@ Utility library that provides a way to manage subid ranges.
|
|||||||
%package subid-devel
|
%package subid-devel
|
||||||
Summary: Development package for shadow-utils-subid
|
Summary: Development package for shadow-utils-subid
|
||||||
License: BSD and GPLv2+
|
License: BSD and GPLv2+
|
||||||
|
Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description subid-devel
|
%description subid-devel
|
||||||
Development files for shadow-utils-subid.
|
Development files for shadow-utils-subid.
|
||||||
@ -151,6 +156,8 @@ Development files for shadow-utils-subid.
|
|||||||
%patch22 -p1 -b .newgrp-fix-segmentation-fault
|
%patch22 -p1 -b .newgrp-fix-segmentation-fault
|
||||||
%patch23 -p1 -b .getsubids
|
%patch23 -p1 -b .getsubids
|
||||||
%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
|
%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
|
||||||
|
%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users
|
||||||
|
%patch26 -p1 -b .subordinateio-compare-owner-ID
|
||||||
|
|
||||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||||
@ -321,6 +328,14 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
|||||||
%{_libdir}/libsubid.so
|
%{_libdir}/libsubid.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
|
||||||
|
- subordinateio: also compare the owner ID. Resolves: #2109410
|
||||||
|
|
||||||
|
* Fri Apr 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
|
||||||
|
- useradd: modify check ID range for system users. Resolves: #2004911
|
||||||
|
- Fix release sources
|
||||||
|
- Add subid requirement for subid-devel
|
||||||
|
|
||||||
* Thu Dec 2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
|
* Thu Dec 2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
|
||||||
- getsubids: provide system binary and man page. Resolves: #2013015
|
- getsubids: provide system binary and man page. Resolves: #2013015
|
||||||
- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081
|
- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081
|
||||||
|