import shadow-utils-4.6-8.el8

This commit is contained in:
CentOS Sources 2019-11-05 16:27:37 -05:00 committed by Andrew Lukoshko
parent 7f2bbdec4c
commit 263a8e0ea1
5 changed files with 318 additions and 15 deletions

View File

@ -54,6 +54,25 @@ Index: shadow-4.5/man/chage.1.xml
Passing the number <emphasis remap='I'>-1</emphasis> as the
<replaceable>EXPIRE_DATE</replaceable> will remove an account
expiration date.
@@ -233,6 +243,18 @@
The <command>chage</command> program requires a shadow password file to
be available.
</para>
+ <para>
+ The chage program will report only the information from the shadow
+ password file. This implies that configuration from other sources
+ (e.g. LDAP or empty password hash field from the passwd file) that
+ affect the user's login will not be shown in the chage output.
+ </para>
+ <para>
+ The <command>chage</command> program will also not report any
+ inconsistency between the shadow and passwd files (e.g. missing x in
+ the passwd file). The <command>pwck</command> can be used to check
+ for this kind of inconsistencies.
+ </para>
<para>The <command>chage</command> command is restricted to the root
user, except for the <option>-l</option> option, which may be used by
an unprivileged user to determine when their password or account is due
Index: shadow-4.5/man/ja/man5/login.defs.5
===================================================================
--- shadow-4.5.orig/man/ja/man5/login.defs.5
@ -282,3 +301,49 @@ Index: shadow-4.5/man/usermod.8.xml
</para>
<para>
This option is only valid in combination with the
diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml
index 01ace007..93fe7421 100644
--- a/man/login.defs.d/SUB_GID_COUNT.xml
+++ b/man/login.defs.d/SUB_GID_COUNT.xml
@@ -42,7 +42,7 @@
<para>
The default values for <option>SUB_GID_MIN</option>,
<option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
- are respectively 100000, 600100000 and 10000.
+ are respectively 100000, 600100000 and 65536.
</para>
</listitem>
</varlistentry>
diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
index 5ad812f7..516417b7 100644
--- a/man/login.defs.d/SUB_UID_COUNT.xml
+++ b/man/login.defs.d/SUB_UID_COUNT.xml
@@ -42,7 +42,7 @@
<para>
The default values for <option>SUB_UID_MIN</option>,
<option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
- are respectively 100000, 600100000 and 10000.
+ are respectively 100000, 600100000 and 65536.
</para>
</listitem>
</varlistentry>
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
--- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200
+++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200
@@ -320,13 +320,13 @@
<varlistentry>
<term><replaceable>4</replaceable></term>
<listitem>
- <para>GID not unique (when <option>-o</option> not used)</para>
+ <para>GID is already used (when called without <option>-o</option>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>9</replaceable></term>
<listitem>
- <para>group name not unique</para>
+ <para>group name is already used</para>
</listitem>
</varlistentry>
<varlistentry>

View File

@ -834,16 +834,23 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_group.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
@@ -472,7 +472,7 @@ static void close_files (void)
@@ -472,7 +472,14 @@ static void close_files (void)
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_ACCT, Prog,
+ /* If both happened, log password change as its more important */
+ if (pflg)
+ audit_logger (AUDIT_GRP_CHAUTHTOK, Prog,
+ info_gshadow.audit_msg,
+ group_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_SUCCESS);
+ else
+ audit_logger (AUDIT_GRP_MGMT, Prog,
info_gshadow.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
@@ -495,7 +495,7 @@ static void close_files (void)
@@ -495,7 +502,7 @@ static void close_files (void)
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
@ -852,7 +859,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_passwd.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
@@ -510,8 +510,8 @@ static void close_files (void)
@@ -510,8 +517,8 @@ static void close_files (void)
}
#ifdef WITH_AUDIT
@ -863,7 +870,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
@@ -523,6 +523,8 @@ static void close_files (void)
@@ -523,6 +530,8 @@ static void close_files (void)
*/
static void prepare_failure_reports (void)
{
@ -872,7 +879,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_group.name = group_name;
#ifdef SHADOWGRP
info_gshadow.name = group_name;
@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi
@@ -535,76 +544,109 @@ static void prepare_failure_reports (voi
#endif
info_passwd.audit_msg = xmalloc (512);
@ -971,6 +978,9 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
+ free(nv_pair);
}
if (pflg) {
+ strncat(info_passwd.audit_msg, "op=change-password",
+ 511 - strlen (info_passwd.action));
+
+ /* Note: audit doesn't want this value recorded */
strncat (info_group.action, ", new password",
- 511 - strlen (info_group.audit_msg));
@ -1006,7 +1016,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
"%lu", (unsigned long int) group_newid);
}
info_group.audit_msg[511] = '\0';
@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi
@@ -612,6 +654,11 @@ static void prepare_failure_reports (voi
info_gshadow.audit_msg[511] = '\0';
#endif
info_passwd.audit_msg[511] = '\0';
@ -1603,16 +1613,24 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_PW_UPDATE);
}
#ifdef ENABLE_SUBIDS
@@ -1997,7 +1939,7 @@ static void usr_update (void)
@@ -1996,9 +1938,14 @@ static void usr_update (void)
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
+ /*
+ * Even though we have the ID of the user, we won't send it now
+ * because its not written to disk yet. After close_files it is
+ * and we can use the real ID thereafter.
+ */
audit_logger (AUDIT_ADD_USER, Prog,
- "adding user",
- user_name, (unsigned int) user_id,
+ "add-user",
user_name, (unsigned int) user_id,
+ user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
@@ -2032,12 +1974,6 @@ static void create_home (void)
/*
@@ -2032,12 +1979,6 @@ static void create_home (void)
fprintf (stderr,
_("%s: cannot create directory %s\n"),
Prog, prefix_user_home);
@ -1625,7 +1643,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_HOMEDIR);
}
(void) chown (prefix_user_home, user_id, user_gid);
@@ -2045,8 +1981,8 @@ static void create_home (void)
@@ -2045,8 +1986,8 @@ static void create_home (void)
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
home_added = true;
#ifdef WITH_AUDIT
@ -1636,7 +1654,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
user_name, (unsigned int) user_id,
SHADOW_AUDIT_SUCCESS);
#endif
@@ -2231,12 +2167,6 @@ int main (int argc, char **argv)
@@ -2231,12 +2172,6 @@ int main (int argc, char **argv)
*/
if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */
fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name);
@ -1649,7 +1667,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_NAME_IN_USE);
}
@@ -2252,12 +2182,6 @@ int main (int argc, char **argv)
@@ -2252,12 +2187,6 @@ int main (int argc, char **argv)
fprintf (stderr,
_("%s: group %s exists - if you want to add this user to that group, use -g.\n"),
Prog, user_name);
@ -1662,7 +1680,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_NAME_IN_USE);
}
}
@@ -2287,12 +2211,6 @@ int main (int argc, char **argv)
@@ -2287,12 +2216,6 @@ int main (int argc, char **argv)
fprintf (stderr,
_("%s: UID %lu is not unique\n"),
Prog, (unsigned long) user_id);

View File

@ -0,0 +1,11 @@
diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
{"MAIL_DIR", NULL},

View File

@ -0,0 +1,190 @@
commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu May 2 14:33:06 2019 +0200
Use the lckpwdf() again if prefix is not set
The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.
This reverts the implementation to use lckpwdf() if prefix option
is not used.
diff --git a/lib/commonio.c b/lib/commonio.c
index 26e518f2..94dda779 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
int commonio_setname (struct commonio_db *db, const char *name)
{
snprintf (db->filename, sizeof (db->filename), "%s", name);
+ db->setname = true;
return 1;
}
@@ -414,37 +415,39 @@ cleanup_ENOMEM:
int commonio_lock (struct commonio_db *db)
{
-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
-#if 0
- /*
- * only if the system libc has a real lckpwdf() - the one from
- * lockpw.c calls us and would cause infinite recursion!
- */
+ int i;
+#ifdef HAVE_LCKPWDF
/*
- * Call lckpwdf() on the first lock.
- * If it succeeds, call *_lock() only once
- * (no retries, it should always succeed).
+ * Only if the system libc has a real lckpwdf() - the one from
+ * lockpw.c calls us and would cause infinite recursion!
+ * It is also not used with the prefix option.
*/
- if (0 == lock_count) {
- if (lckpwdf () == -1) {
- if (geteuid () != 0) {
- (void) fprintf (stderr,
- "%s: Permission denied.\n",
- Prog);
+ if (!db->setname) {
+ /*
+ * Call lckpwdf() on the first lock.
+ * If it succeeds, call *_lock() only once
+ * (no retries, it should always succeed).
+ */
+ if (0 == lock_count) {
+ if (lckpwdf () == -1) {
+ if (geteuid () != 0) {
+ (void) fprintf (stderr,
+ "%s: Permission denied.\n",
+ Prog);
+ }
+ return 0; /* failure */
}
- return 0; /* failure */
}
- }
- if (commonio_lock_nowait (db, true) != 0) {
- return 1; /* success */
- }
+ if (commonio_lock_nowait (db, true) != 0) {
+ return 1; /* success */
+ }
- ulckpwdf ();
- return 0; /* failure */
-#else /* !HAVE_LCKPWDF */
- int i;
+ ulckpwdf ();
+ return 0; /* failure */
+ }
+#endif /* !HAVE_LCKPWDF */
/*
* lckpwdf() not used - do it the old way.
@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
}
}
return 0; /* failure */
-#endif /* !HAVE_LCKPWDF */
}
static void dec_lock_count (void)
diff --git a/lib/commonio.h b/lib/commonio.h
index 40e5708f..64e83073 100644
--- a/lib/commonio.h
+++ b/lib/commonio.h
@@ -143,6 +143,7 @@ struct commonio_db {
bool isopen:1;
bool locked:1;
bool readonly:1;
+ bool setname:1;
};
extern int commonio_setname (struct commonio_db *, const char *);
diff --git a/lib/groupio.c b/lib/groupio.c
index ae2302b5..bffb06e0 100644
--- a/lib/groupio.c
+++ b/lib/groupio.c
@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int gr_setdbname (const char *filename)
diff --git a/lib/pwio.c b/lib/pwio.c
index 7ee85377..127719cb 100644
--- a/lib/pwio.c
+++ b/lib/pwio.c
@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int pw_setdbname (const char *filename)
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
index 5423626a..ffbdb263 100644
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sgr_setdbname (const char *filename)
diff --git a/lib/shadowio.c b/lib/shadowio.c
index 5fa3d312..676b1f1a 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int spw_setdbname (const char *filename)
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
index a662e67e..dd779c59 100644
--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_uid_setdbname (const char *filename)
@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_gid_setdbname (const char *filename)

View File

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.6
Release: 7%{?dist}
Release: 8%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -35,6 +35,8 @@ Patch36: shadow-4.6-use-itstool.patch
Patch37: shadow-4.6-sssd-flush.patch
Patch38: shadow-4.6-sysugid-min-limit.patch
Patch39: shadow-4.6-chgrp-guard.patch
Patch40: shadow-4.6-ignore-login-prompt.patch
Patch41: shadow-4.6-use-lckpwdf.patch
License: BSD and GPLv2+
Group: System Environment/Base
@ -92,12 +94,17 @@ are used for managing group accounts.
%patch37 -p1 -b .sssd-flush
%patch38 -p1 -b .sysugid-min-limit
%patch39 -p1 -b .chgrp-guard
%patch40 -p1 -b .login-prompt
%patch41 -p1 -b .use-lckpwdf
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
cp -a %{SOURCE4} %{SOURCE5} .
# Force regeneration of getdate.c
rm libmisc/getdate.c
%build
%ifarch sparc64
#sparc64 need big PIE
@ -243,6 +250,18 @@ done
%{_mandir}/man8/vigr.8*
%changelog
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-8
- properly audit group password change
- do not add uid of a new (not yet added) user to the audit message
- use lckpwdf() again to disable concurrent edits of databases by
other applications
- clarify chage manual page in regards to shadow and passwd
inconsistency
- fix minor issues in groupadd and login.defs manual pages
- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
- force regeneration of getdate.c otherwise the date parsing fix
is not applied
* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-7
- usermod: guard against unsafe change of ownership of
special home directories