import shadow-utils-4.9-5.el9

2022-11-15 02:06:17 -05:00 · 2022-11-15 02:06:17 -05:00 · 3b31c46d3e
parent 7ef65e2851
commit 3b31c46d3e
3 changed files with 145 additions and 3 deletions
--- a/SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
+++ b/SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
@ -0,0 +1,108 @@
+From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Wed, 13 Jul 2022 09:55:14 +0200
+Subject: [PATCH] subordinateio: also compare the owner ID
+
+IDs already populate /etc/subuid and /etc/subgid files so it's necessary
+not only to check for the owner name but also for the owner ID of a
+given range.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/lib/subordinateio.c b/lib/subordinateio.c
+index 9ca70b8b..6bc45283 100644
+--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
+@@ -17,6 +17,8 @@
+ #include <ctype.h>
+ #include <fcntl.h>
+ 
+#define ID_SIZE 31
+
+ /*
+  * subordinate_dup: create a duplicate range
+  *
+@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
+ 	return start == ULONG_MAX ? (gid_t) -1 : start;
+ }
+ 
+static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
+{
+	struct passwd *pw;
+	struct group *gr;
+	int ret = 0;
+
+	switch (id_type) {
+	case ID_TYPE_UID:
+		pw = getpwnam(owner);
+		if (pw == NULL) {
+			return false;
+		}
+		ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
+		if (ret < 0 || ret >= ID_SIZE) {
+			return false;
+		}
+		break;
+	case ID_TYPE_GID:
+		gr = getgrnam(owner);
+		if (gr == NULL) {
+			return false;
+		}
+		ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
+		if (ret < 0 || ret >= ID_SIZE) {
+			return false;
+		}
+		break;
+	default:
+		return false;
+	}
+
+	return true;
+}
+
+ /*
+  * int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
+  *
+@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
+ 	enum subid_status status;
+ 	int count = 0;
+ 	struct subid_nss_ops *h;
+	char id[ID_SIZE];
+	bool have_owner_id;
+ 
+ 	*in_ranges = NULL;
+ 
+@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
+ 		return -1;
+ 	}
+ 
+	have_owner_id = get_owner_id(owner, id_type, id);
+
+ 	commonio_rewind(db);
+ 	while ((range = commonio_next(db)) != NULL) {
+ 		if (0 == strcmp(range->owner, owner)) {
+@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
+ 				goto out;
+ 			}
+ 		}
+
+		// Let's also compare with the ID
+		if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
+			if (!append_range(&ranges, range, count++)) {
+				free(ranges);
+				ranges = NULL;
+				count = -1;
+				goto out;
+			}
+		}
+ 	}
+ 
+ out:
+-- 
+2.36.1
+
--- a/SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
+++ b/SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
@ -0,0 +1,19 @@
+diff -up shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users shadow-4.9/src/useradd.c
+--- shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users	2022-04-22 14:50:10.658371270 +0200
+++ shadow-4.9/src/useradd.c	2022-04-22 14:54:34.810100549 +0200
+@@ -2319,12 +2319,10 @@ static void check_uid_range(int rflg, ui
+ {
+ 	uid_t uid_min ;
+ 	uid_t uid_max ;
+-	if(rflg){
+-		uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
+	if (rflg) {
+ 		uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
+-		if(uid_min <= uid_max){
+-			if(user_id < uid_min || user_id >uid_max)
+-				fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
+		if (user_id > uid_max) {
+			fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
+ 		}
+ 	}else{
+ 		uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
--- a/SPECS/shadow-utils.spec
+++ b/SPECS/shadow-utils.spec
@ -1,12 +1,12 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.9
-Release: 3%{?dist}
+Release: 5%{?dist}
 Epoch: 2
 License: BSD and GPLv2+
 URL: https://github.com/shadow-maint/shadow
-Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
-Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
+Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
@ -67,6 +67,10 @@ Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
 Patch23: shadow-4.9-getsubids.patch
 # https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
 Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
+# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
+Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
+# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
+Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch

 ### Dependencies ###
 Requires: audit-libs >= 1.6.5
@ -120,6 +124,7 @@ Utility library that provides a way to manage subid ranges.
 %package subid-devel
 Summary: Development package for shadow-utils-subid
 License: BSD and GPLv2+
+Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}

 %description subid-devel
 Development files for shadow-utils-subid.
@ -151,6 +156,8 @@ Development files for shadow-utils-subid.
 %patch22 -p1 -b .newgrp-fix-segmentation-fault
 %patch23 -p1 -b .getsubids
 %patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
+%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users
+%patch26 -p1 -b .subordinateio-compare-owner-ID

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -321,6 +328,14 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so

 %changelog
+* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
+- subordinateio: also compare the owner ID. Resolves: #2109410
+
+* Fri Apr 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
+- useradd: modify check ID range for system users. Resolves: #2004911
+- Fix release sources
+- Add subid requirement for subid-devel
+
 * Thu Dec  2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
 - getsubids: provide system binary and man page. Resolves: #2013015
 - useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081