import shadow-utils-4.9-5.el9
This commit is contained in:
parent
7ef65e2851
commit
3b31c46d3e
108
SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
Normal file
108
SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
Normal file
@ -0,0 +1,108 @@
|
||||
From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Wed, 13 Jul 2022 09:55:14 +0200
|
||||
Subject: [PATCH] subordinateio: also compare the owner ID
|
||||
|
||||
IDs already populate /etc/subuid and /etc/subgid files so it's necessary
|
||||
not only to check for the owner name but also for the owner ID of a
|
||||
given range.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 50 insertions(+)
|
||||
|
||||
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
|
||||
index 9ca70b8b..6bc45283 100644
|
||||
--- a/lib/subordinateio.c
|
||||
+++ b/lib/subordinateio.c
|
||||
@@ -17,6 +17,8 @@
|
||||
#include <ctype.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
+#define ID_SIZE 31
|
||||
+
|
||||
/*
|
||||
* subordinate_dup: create a duplicate range
|
||||
*
|
||||
@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
|
||||
return start == ULONG_MAX ? (gid_t) -1 : start;
|
||||
}
|
||||
|
||||
+static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
|
||||
+{
|
||||
+ struct passwd *pw;
|
||||
+ struct group *gr;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ switch (id_type) {
|
||||
+ case ID_TYPE_UID:
|
||||
+ pw = getpwnam(owner);
|
||||
+ if (pw == NULL) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
|
||||
+ if (ret < 0 || ret >= ID_SIZE) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ break;
|
||||
+ case ID_TYPE_GID:
|
||||
+ gr = getgrnam(owner);
|
||||
+ if (gr == NULL) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
|
||||
+ if (ret < 0 || ret >= ID_SIZE) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
|
||||
*
|
||||
@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
enum subid_status status;
|
||||
int count = 0;
|
||||
struct subid_nss_ops *h;
|
||||
+ char id[ID_SIZE];
|
||||
+ bool have_owner_id;
|
||||
|
||||
*in_ranges = NULL;
|
||||
|
||||
@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ have_owner_id = get_owner_id(owner, id_type, id);
|
||||
+
|
||||
commonio_rewind(db);
|
||||
while ((range = commonio_next(db)) != NULL) {
|
||||
if (0 == strcmp(range->owner, owner)) {
|
||||
@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ // Let's also compare with the ID
|
||||
+ if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
|
||||
+ if (!append_range(&ranges, range, count++)) {
|
||||
+ free(ranges);
|
||||
+ ranges = NULL;
|
||||
+ count = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
out:
|
||||
--
|
||||
2.36.1
|
||||
|
@ -0,0 +1,19 @@
|
||||
diff -up shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users shadow-4.9/src/useradd.c
|
||||
--- shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users 2022-04-22 14:50:10.658371270 +0200
|
||||
+++ shadow-4.9/src/useradd.c 2022-04-22 14:54:34.810100549 +0200
|
||||
@@ -2319,12 +2319,10 @@ static void check_uid_range(int rflg, ui
|
||||
{
|
||||
uid_t uid_min ;
|
||||
uid_t uid_max ;
|
||||
- if(rflg){
|
||||
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
|
||||
+ if (rflg) {
|
||||
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
|
||||
- if(uid_min <= uid_max){
|
||||
- if(user_id < uid_min || user_id >uid_max)
|
||||
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
|
||||
+ if (user_id > uid_max) {
|
||||
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
|
||||
}
|
||||
}else{
|
||||
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
|
@ -1,12 +1,12 @@
|
||||
Summary: Utilities for managing accounts and shadow password files
|
||||
Name: shadow-utils
|
||||
Version: 4.9
|
||||
Release: 3%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Epoch: 2
|
||||
License: BSD and GPLv2+
|
||||
URL: https://github.com/shadow-maint/shadow
|
||||
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
||||
Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
|
||||
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
|
||||
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
|
||||
Source2: shadow-utils.useradd
|
||||
Source3: shadow-utils.login.defs
|
||||
Source4: shadow-bsd.txt
|
||||
@ -67,6 +67,10 @@ Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
|
||||
Patch23: shadow-4.9-getsubids.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
|
||||
Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
|
||||
Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
|
||||
Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch
|
||||
|
||||
### Dependencies ###
|
||||
Requires: audit-libs >= 1.6.5
|
||||
@ -120,6 +124,7 @@ Utility library that provides a way to manage subid ranges.
|
||||
%package subid-devel
|
||||
Summary: Development package for shadow-utils-subid
|
||||
License: BSD and GPLv2+
|
||||
Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description subid-devel
|
||||
Development files for shadow-utils-subid.
|
||||
@ -151,6 +156,8 @@ Development files for shadow-utils-subid.
|
||||
%patch22 -p1 -b .newgrp-fix-segmentation-fault
|
||||
%patch23 -p1 -b .getsubids
|
||||
%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
|
||||
%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users
|
||||
%patch26 -p1 -b .subordinateio-compare-owner-ID
|
||||
|
||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||
@ -321,6 +328,14 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
%{_libdir}/libsubid.so
|
||||
|
||||
%changelog
|
||||
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
|
||||
- subordinateio: also compare the owner ID. Resolves: #2109410
|
||||
|
||||
* Fri Apr 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
|
||||
- useradd: modify check ID range for system users. Resolves: #2004911
|
||||
- Fix release sources
|
||||
- Add subid requirement for subid-devel
|
||||
|
||||
* Thu Dec 2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
|
||||
- getsubids: provide system binary and man page. Resolves: #2013015
|
||||
- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081
|
||||
|
Loading…
Reference in New Issue
Block a user