From 25899fefb05e983b4403720125a756665943cf13 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 27 Aug 2015 15:53:13 +0200
Subject: [PATCH] Multiple fixes.
- unlock also passwords locked with passwd -l
- prevent breaking user entry by entering a password containing colon
- fix possible DoS when locking the database files for update
- properly use login.defs from the chroot in useradd
---
shadow-4.2.1-defs-chroot.patch | 24 +++++++++++++++++++
shadow-4.2.1-no-lock-dos.patch | 15 ++++++++++++
shadow-4.2.1-usermod-unlock.patch | 39 +++++++++++++++++++++++++++++++
shadow-utils.spec | 14 ++++++++++-
4 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 shadow-4.2.1-defs-chroot.patch
create mode 100644 shadow-4.2.1-no-lock-dos.patch
create mode 100644 shadow-4.2.1-usermod-unlock.patch
diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.2.1-defs-chroot.patch
new file mode 100644
index 0000000..827ad40
--- /dev/null
+++ b/shadow-4.2.1-defs-chroot.patch
@@ -0,0 +1,24 @@
+diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c
+--- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100
++++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200
+@@ -1938,8 +1938,8 @@ int main (int argc, char **argv)
+ #endif /* ACCT_TOOLS_SETUID */
+
+ /* Needed for userns check */
+- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++ uid_t uid_min;
++ uid_t uid_max;
+
+ /*
+ * Get my name so that I can use it to report errors.
+@@ -1957,6 +1957,9 @@ int main (int argc, char **argv)
+ audit_help_open ();
+ #endif
+
++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++
+ sys_ngroups = sysconf (_SC_NGROUPS_MAX);
+ user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *));
+ /*
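Review bot: The assignments of `uid_min` and `uid_max` in `main` are now correct only because of where they sit relative to the chroot handling, and nothing in the code records that, so the split between the bare declarations and the assignments after `audit_help_open ()` looks arbitrary. A comment on the assignments such as `/* Read only after --root has been processed, so login.defs comes from the chroot. */` would stop a later cleanup from folding the initialisers back into the declarations. The call that performs the chroot is not visible in either hunk (it presumably sits between them), and `main` continues outside both, so the ordering should be confirmed against the full file.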
diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch
new file mode 100644
index 0000000..58fd605
--- /dev/null
+++ b/shadow-4.2.1-no-lock-dos.patch
@@ -0,0 +1,15 @@
+diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c
+--- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200
++++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200
+@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
+ int retval;
+ char buf[32];
+
+- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
++ /* We depend here on the fact, that the file name is pid-specific.
++ * So no O_EXCL here and no DoS.
++ */
++ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+ if (-1 == fd) {
+ if (log) {
+ (void) fprintf (stderr,
diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.2.1-usermod-unlock.patch
new file mode 100644
index 0000000..85403cd
--- /dev/null
+++ b/shadow-4.2.1-usermod-unlock.patch
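Review bot: Dropping `O_EXCL` in `do_lock_file` also drops the guarantee that this `open` creates the file itself: with `O_CREAT | O_TRUNC` an existing entry at that path is opened and truncated, a symbolic link is followed, and the `0600` mode is not applied to a file that already exists. The new comment relies on the name being pid-specific, which makes an accidental collision unlikely but does not cover a pre-existing entry if the directory is ever writable by anyone other than the caller (whether that can happen is not visible here). Adding `O_NOFOLLOW`, as in `fd = open (file, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0600);`, or removing a stale file first and keeping `O_EXCL`, would retain the DoS fix without that gap. The body of `do_lock_file` continues outside the hunk.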
@@ -0,0 +1,39 @@
+diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c
+--- shadow-4.2.1/src/usermod.c.unlock 2014-12-01 15:14:58.000000000 +0100
++++ shadow-4.2.1/src/usermod.c 2015-08-27 14:31:50.899712180 +0200
+@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas
+ strcat (buf, pw_pass);
+ pw_pass = buf;
+ } else if (Uflg && pw_pass[0] == '!') {
+- char *s;
++ char *s = pw_pass;
+
+- if (pw_pass[1] == '\0') {
++ while ('!' == *s)
++ ++s;
++
++ if (*s == '\0') {
+ fprintf (stderr,
+ _("%s: unlocking the user's password would result in a passwordless account.\n"
+ "You should set a password with usermod -p to unlock this user's password.\n"),
+@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
+ user_newname, (unsigned int) user_newid, 1);
+ #endif
+ SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
+- s = pw_pass;
+- while ('\0' != *s) {
+- *s = *(s + 1);
+- s++;
+- }
++ memmove (pw_pass, s, strlen (s) + 1);
+ } else if (pflg) {
++ if (strchr (user_pass, ':') != NULL) {
++ fprintf (stderr,
++ _("%s: The password field cannot contain a colon character.\n"),
++ Prog);
++ return pw_pass;
++
++ }
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "updating-password",
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 26569bb..48d0f8b 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.2.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
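Review bot: The new colon check in the `pflg` branch of `new_pw_passwd` prints an error and then does `return pw_pass;`, handing back the unchanged field, so unless the caller checks something else it cannot tell a rejected password from an accepted one and usermod may apply the other requested changes and exit successfully with the old password still in place. The check also covers only `:`; a newline in `user_pass` would presumably break the entry in the same way, so `if (strpbrk (user_pass, ":\n") != NULL) {` is worth considering if the field is not validated elsewhere. The stray blank line before the closing `}` of that block can be dropped. The function starts and ends outside both hunks, so how the caller treats the return value needs to be confirmed in the full file.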
@@ -30,6 +30,9 @@ Patch19: shadow-4.2.1-date-parsing.patch
 Patch20: shadow-4.1.5.1-ingroup.patch
 Patch21: shadow-4.1.5.1-move-home.patch
 Patch22: shadow-4.2.1-audit-update.patch
+Patch23: shadow-4.2.1-usermod-unlock.patch
+Patch24: shadow-4.2.1-no-lock-dos.patch
+Patch25: shadow-4.2.1-defs-chroot.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -80,6 +83,9 @@ are used for managing group accounts.
 %patch20 -p1 -b .ingroup
 %patch21 -p1 -b .move-home
 %patch22 -p1 -b .audit-update
+%patch23 -p1 -b .unlock
+%patch24 -p1 -b .no-lock-dos
+%patch25 -p1 -b .defs-chroot
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -246,6 +252,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Thu Aug 27 2015 Tomáš Mráz - 2:4.2.1-3
+- unlock also passwords locked with passwd -l
+- prevent breaking user entry by entering a password containing colon
+- fix possible DoS when locking the database files for update
+- properly use login.defs from the chroot in useradd
+
 * Fri Jun 19 2015 Fedora Release Engineering - 2:4.2.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild