Multiple fixes.
- unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd
This commit is contained in:
parent
283bf24723
commit
25899fefb0
24
shadow-4.2.1-defs-chroot.patch
Normal file
24
shadow-4.2.1-defs-chroot.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c
|
||||
--- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100
|
||||
+++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200
|
||||
@@ -1938,8 +1938,8 @@ int main (int argc, char **argv)
|
||||
#endif /* ACCT_TOOLS_SETUID */
|
||||
|
||||
/* Needed for userns check */
|
||||
- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
|
||||
- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
|
||||
+ uid_t uid_min;
|
||||
+ uid_t uid_max;
|
||||
|
||||
/*
|
||||
* Get my name so that I can use it to report errors.
|
||||
@@ -1957,6 +1957,9 @@ int main (int argc, char **argv)
|
||||
audit_help_open ();
|
||||
#endif
|
||||
|
||||
+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
|
||||
+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
|
||||
+
|
||||
sys_ngroups = sysconf (_SC_NGROUPS_MAX);
|
||||
user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *));
|
||||
/*
|
15
shadow-4.2.1-no-lock-dos.patch
Normal file
15
shadow-4.2.1-no-lock-dos.patch
Normal file
@ -0,0 +1,15 @@
|
||||
diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c
|
||||
--- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200
|
||||
+++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200
|
||||
@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
|
||||
int retval;
|
||||
char buf[32];
|
||||
|
||||
- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
|
||||
+ /* We depend here on the fact, that the file name is pid-specific.
|
||||
+ * So no O_EXCL here and no DoS.
|
||||
+ */
|
||||
+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
|
||||
if (-1 == fd) {
|
||||
if (log) {
|
||||
(void) fprintf (stderr,
|
39
shadow-4.2.1-usermod-unlock.patch
Normal file
39
shadow-4.2.1-usermod-unlock.patch
Normal file
@ -0,0 +1,39 @@
|
||||
diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c
|
||||
--- shadow-4.2.1/src/usermod.c.unlock 2014-12-01 15:14:58.000000000 +0100
|
||||
+++ shadow-4.2.1/src/usermod.c 2015-08-27 14:31:50.899712180 +0200
|
||||
@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas
|
||||
strcat (buf, pw_pass);
|
||||
pw_pass = buf;
|
||||
} else if (Uflg && pw_pass[0] == '!') {
|
||||
- char *s;
|
||||
+ char *s = pw_pass;
|
||||
|
||||
- if (pw_pass[1] == '\0') {
|
||||
+ while ('!' == *s)
|
||||
+ ++s;
|
||||
+
|
||||
+ if (*s == '\0') {
|
||||
fprintf (stderr,
|
||||
_("%s: unlocking the user's password would result in a passwordless account.\n"
|
||||
"You should set a password with usermod -p to unlock this user's password.\n"),
|
||||
@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
|
||||
user_newname, (unsigned int) user_newid, 1);
|
||||
#endif
|
||||
SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
|
||||
- s = pw_pass;
|
||||
- while ('\0' != *s) {
|
||||
- *s = *(s + 1);
|
||||
- s++;
|
||||
- }
|
||||
+ memmove (pw_pass, s, strlen (s) + 1);
|
||||
} else if (pflg) {
|
||||
+ if (strchr (user_pass, ':') != NULL) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: The password field cannot contain a colon character.\n"),
|
||||
+ Prog);
|
||||
+ return pw_pass;
|
||||
+
|
||||
+ }
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||
"updating-password",
|
@ -1,7 +1,7 @@
|
||||
Summary: Utilities for managing accounts and shadow password files
|
||||
Name: shadow-utils
|
||||
Version: 4.2.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Epoch: 2
|
||||
URL: http://pkg-shadow.alioth.debian.org/
|
||||
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
|
||||
@ -30,6 +30,9 @@ Patch19: shadow-4.2.1-date-parsing.patch
|
||||
Patch20: shadow-4.1.5.1-ingroup.patch
|
||||
Patch21: shadow-4.1.5.1-move-home.patch
|
||||
Patch22: shadow-4.2.1-audit-update.patch
|
||||
Patch23: shadow-4.2.1-usermod-unlock.patch
|
||||
Patch24: shadow-4.2.1-no-lock-dos.patch
|
||||
Patch25: shadow-4.2.1-defs-chroot.patch
|
||||
|
||||
License: BSD and GPLv2+
|
||||
Group: System Environment/Base
|
||||
@ -80,6 +83,9 @@ are used for managing group accounts.
|
||||
%patch20 -p1 -b .ingroup
|
||||
%patch21 -p1 -b .move-home
|
||||
%patch22 -p1 -b .audit-update
|
||||
%patch23 -p1 -b .unlock
|
||||
%patch24 -p1 -b .no-lock-dos
|
||||
%patch25 -p1 -b .defs-chroot
|
||||
|
||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||
@ -246,6 +252,12 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/vigr.8*
|
||||
|
||||
%changelog
|
||||
* Thu Aug 27 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-3
|
||||
- unlock also passwords locked with passwd -l
|
||||
- prevent breaking user entry by entering a password containing colon
|
||||
- fix possible DoS when locking the database files for update
|
||||
- properly use login.defs from the chroot in useradd
|
||||
|
||||
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:4.2.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user