diff --git a/.gitignore b/.gitignore
index 44cb6ed..422ed12 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,5 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.12.3.tar.xz.asc
 /shadow-4.13.tar.xz
 /shadow-4.13.tar.xz.asc
+/shadow-4.14.0.tar.xz
+/shadow-4.14.0.tar.xz.asc
diff --git a/shadow-4.12.3-redhat.patch b/shadow-4.12.3-redhat.patch
deleted file mode 100644
index 48c591d..0000000
--- a/shadow-4.12.3-redhat.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up shadow-4.12.3/src/useradd.c.redhat shadow-4.12.3/src/useradd.c
---- shadow-4.12.3/src/useradd.c.redhat 2022-08-06 18:22:45.000000000 +0200
-+++ shadow-4.12.3/src/useradd.c 2022-08-22 15:57:19.034664441 +0200
-@@ -82,7 +82,7 @@ const char *Prog;
- static gid_t def_group = 1000;
- static const char *def_gname = "other";
- static const char *def_home = "/home";
--static const char *def_shell = "/bin/bash";
-+static const char *def_shell = "/sbin/nologin";
- static const char *def_template = SKEL_DIR;
- static const char *def_create_mail_spool = "yes";
- static const char *def_log_init = "yes";
-@@ -93,7 +93,7 @@ static const char *def_expire = "";
- #define VALID(s) (strcspn (s, ":\n") == strlen (s))
- 
- static const char *user_name = "";
--static const char *user_pass = "!";
-+static const char *user_pass = "!!";
- static uid_t user_id;
- static gid_t user_gid;
- static const char *user_comment = "";
-@@ -1227,7 +1227,7 @@ static void process_flags (int argc, cha
- {NULL, 0, NULL, '\0'}
- };
- while ((c = getopt_long (argc, argv,
-- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U"
-+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U"
- #ifdef WITH_SELINUX
- "Z:"
- #endif /* WITH_SELINUX */
-@@ -1395,6 +1395,7 @@ static void process_flags (int argc, cha
- case 'M':
- Mflg = true;
- break;
-+ case 'n':
- case 'N':
- Nflg = true;
- break;
diff --git a/shadow-4.12.3-selinux-perms.patch b/shadow-4.12.3-selinux-perms.patch
deleted file mode 100644
index f396455..0000000
--- a/shadow-4.12.3-selinux-perms.patch
+++ /dev/null
@@ -1,240 +0,0 @@ -diff -up shadow-4.12.3/src/chgpasswd.c.selinux-perms shadow-4.12.3/src/chgpasswd.c ---- shadow-4.12.3/src/chgpasswd.c.selinux-perms 2022-06-19 16:16:48.000000000 +0200 -+++ shadow-4.12.3/src/chgpasswd.c 2022-08-22 16:09:02.006970030 +0200 -@@ -16,6 +16,13 @@ - #include - #include - #include -+#ifdef WITH_SELINUX -+#include -+#include -+#endif -+#ifdef WITH_LIBAUDIT -+#include -+#endif - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - #include "pam_defs.h" -@@ -61,6 +68,9 @@ static bool sgr_locked = false; - #endif - static bool gr_locked = false; - -+/* The name of the caller */ -+static char *myname = NULL; -+ - /* local function prototypes */ - static void fail_exit (int code); - static /*@noreturn@*/void usage (int status); -@@ -318,6 +328,63 @@ static void check_perms (void) - #endif /* ACCT_TOOLS_SETUID */ - } - -+#ifdef WITH_SELINUX -+static int -+log_callback (int type, const char *fmt, ...) -+{ -+ int audit_fd; -+ va_list ap; -+ -+ va_start(ap, fmt); -+#ifdef WITH_AUDIT -+ audit_fd = audit_open(); -+ -+ if (audit_fd >= 0) { -+ char *buf; -+ -+ if (vasprintf (&buf, fmt, ap) < 0) -+ goto ret; -+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, -+ NULL, 0); -+ audit_close(audit_fd); -+ free(buf); -+ goto ret; -+ } -+ -+#endif -+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); -+ret: -+ va_end(ap); -+ return 0; -+} -+ -+static void -+selinux_check_root (void) -+{ -+ int status = -1; -+ security_context_t user_context; -+ union selinux_callback old_callback; -+ -+ if (is_selinux_enabled() < 1) -+ return; -+ -+ old_callback = selinux_get_callback(SELINUX_CB_LOG); -+ /* setup callbacks */ -+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); -+ if ((status = getprevcon(&user_context)) < 0) { -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ exit(1); -+ } -+ -+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); -+ -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); 
-+ freecon(user_context); -+ if (status != 0 && security_getenforce() != 0) -+ exit(1); -+} -+#endif -+ - /* - * open_files - lock and open the group databases - */ -@@ -411,6 +478,7 @@ int main (int argc, char **argv) - - const struct group *gr; - struct group newgr; -+ struct passwd *pw = NULL; - int errors = 0; - int line = 0; - -@@ -422,12 +490,37 @@ int main (int argc, char **argv) - (void) bindtextdomain (PACKAGE, LOCALEDIR); - (void) textdomain (PACKAGE); - -+#ifdef WITH_SELINUX -+ selinux_check_root (); -+#endif -+ - process_root_flag ("-R", argc, argv); - - process_flags (argc, argv); - - OPENLOG ("chgpasswd"); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ -+ /* -+ * Determine the name of the user that invoked this command. This -+ * is really hit or miss because there are so many ways that command -+ * can be executed and so many ways to trip up the routines that -+ * report the user name. -+ */ -+ pw = get_my_pwent (); -+ if (NULL == pw) { -+ fprintf (stderr, _("%s: Cannot determine your user name.\n"), -+ Prog); -+ SYSLOG ((LOG_WARN, -+ "Cannot determine the user name of the caller (UID %lu)", -+ (unsigned long) getuid ())); -+ exit (E_NOPERM); -+ } -+ myname = xstrdup (pw->pw_name); -+ - check_perms (); - - #ifdef SHADOWGRP -diff -up shadow-4.12.3/src/chpasswd.c.selinux-perms shadow-4.12.3/src/chpasswd.c ---- shadow-4.12.3/src/chpasswd.c.selinux-perms 2022-06-19 16:16:48.000000000 +0200 -+++ shadow-4.12.3/src/chpasswd.c 2022-08-22 16:10:56.702835681 +0200 -@@ -16,6 +16,13 @@ - #include - #include - #include -+#ifdef WITH_SELINUX -+#include -+#include -+#endif -+#ifdef WITH_LIBAUDIT -+#include -+#endif - #ifdef USE_PAM - #include "pam_defs.h" - #endif /* USE_PAM */ -@@ -318,6 +325,63 @@ static void check_perms (void) - #endif /* USE_PAM */ - } - -+#ifdef WITH_SELINUX -+static int -+log_callback (int type, const char *fmt, ...) 
-+{ -+ int audit_fd; -+ va_list ap; -+ -+ va_start(ap, fmt); -+#ifdef WITH_AUDIT -+ audit_fd = audit_open(); -+ -+ if (audit_fd >= 0) { -+ char *buf; -+ -+ if (vasprintf (&buf, fmt, ap) < 0) -+ goto ret; -+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, -+ NULL, 0); -+ audit_close(audit_fd); -+ free(buf); -+ goto ret; -+ } -+ -+#endif -+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); -+ret: -+ va_end(ap); -+ return 0; -+} -+ -+static void -+selinux_check_root (void) -+{ -+ int status = -1; -+ security_context_t user_context; -+ union selinux_callback old_callback; -+ -+ if (is_selinux_enabled() < 1) -+ return; -+ -+ old_callback = selinux_get_callback(SELINUX_CB_LOG); -+ /* setup callbacks */ -+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); -+ if ((status = getprevcon(&user_context)) < 0) { -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ exit(1); -+ } -+ -+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); -+ -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ freecon(user_context); -+ if (status != 0 && security_getenforce() != 0) -+ exit(1); -+} -+#endif -+ - /* - * open_files - lock and open the password databases - */ -@@ -450,6 +514,10 @@ int main (int argc, char **argv) - (void) bindtextdomain (PACKAGE, LOCALEDIR); - (void) textdomain (PACKAGE); - -+#ifdef WITH_SELINUX -+ selinux_check_root (); -+#endif -+ - process_flags (argc, argv); - - salt = get_salt(); -@@ -463,6 +531,10 @@ int main (int argc, char **argv) - - OPENLOG ("chpasswd"); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ - check_perms (); - - #ifdef USE_PAM diff --git a/shadow-4.13-default-range.patch b/shadow-4.13-default-range.patch deleted file mode 100644 index f199b39..0000000 --- a/shadow-4.13-default-range.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-diff -up shadow-4.13/lib/semanage.c.default-range shadow-4.13/lib/semanage.c
---- shadow-4.13/lib/semanage.c.default-range 2022-11-09 09:37:11.955314964 +0100
-+++ shadow-4.13/lib/semanage.c 2022-11-09 09:47:59.130645564 +0100
-@@ -122,6 +122,7 @@ static int semanage_user_mod (semanage_h
- goto done;
- }
- 
-+#if 0
- if (semanage_mls_enabled(handle)) {
- ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
- if (ret != 0) {
-@@ -131,6 +132,7 @@ static int semanage_user_mod (semanage_h
- goto done;
- }
- }
-+#endif
- 
- ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
- if (ret != 0) {
-@@ -181,6 +183,7 @@ static int semanage_user_add (semanage_h
- goto done;
- }
- 
-+#if 0
- if (semanage_mls_enabled(handle)) {
- ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
- if (ret != 0) {
-@@ -190,6 +193,7 @@ static int semanage_user_add (semanage_h
- goto done;
- }
- }
-+#endif
- 
- ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
- if (ret != 0) {
diff --git a/shadow-4.11.1-audit-update.patch b/shadow-4.14.0-audit-update.patch
similarity index 66%
rename from shadow-4.11.1-audit-update.patch
rename to shadow-4.14.0-audit-update.patch
index 65acae0..0ff7dae 100644
--- a/shadow-4.11.1-audit-update.patch
+++ b/shadow-4.14.0-audit-update.patch
@@ -1,6 +1,6 @@
-diff -up shadow-4.11.1/libmisc/audit_help.c.audit-update shadow-4.11.1/libmisc/audit_help.c
---- shadow-4.11.1/libmisc/audit_help.c.audit-update 2022-01-03 01:46:53.000000000 +0100
-+++ shadow-4.11.1/libmisc/audit_help.c 2022-01-03 15:15:38.946046192 +0100
+diff -up shadow-4.14.0/libmisc/audit_help.c.audit-update shadow-4.14.0/libmisc/audit_help.c
+--- shadow-4.14.0/libmisc/audit_help.c.audit-update 2023-05-26 04:56:11.000000000 +0200
++++ shadow-4.14.0/libmisc/audit_help.c 2023-08-04 09:30:25.206963536 +0200
@@ -46,7 +46,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +50,9 @@ diff -up shadow-4.11.1/libmisc/audit_help.c.audit-update shadow-4.11.1/libmisc/a void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.11.1/libmisc/cleanup_group.c.audit-update shadow-4.11.1/libmisc/cleanup_group.c ---- shadow-4.11.1/libmisc/cleanup_group.c.audit-update 2022-01-03 14:57:01.777006776 +0100 -+++ shadow-4.11.1/libmisc/cleanup_group.c 2022-01-03 15:22:27.438770608 +0100 +diff -up shadow-4.14.0/libmisc/cleanup_group.c.audit-update shadow-4.14.0/libmisc/cleanup_group.c +--- shadow-4.14.0/libmisc/cleanup_group.c.audit-update 2023-05-26 04:56:11.000000000 +0200 ++++ shadow-4.14.0/libmisc/cleanup_group.c 2023-08-04 09:30:25.207963539 +0200 @@ -61,7 +61,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -131,9 +131,9 @@ diff -up shadow-4.11.1/libmisc/cleanup_group.c.audit-update shadow-4.11.1/libmis SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.11.1/libmisc/cleanup_user.c.audit-update shadow-4.11.1/libmisc/cleanup_user.c ---- shadow-4.11.1/libmisc/cleanup_user.c.audit-update 2022-01-03 14:57:01.777006776 +0100 -+++ shadow-4.11.1/libmisc/cleanup_user.c 2022-01-03 15:21:22.593338130 +0100 +diff -up shadow-4.14.0/libmisc/cleanup_user.c.audit-update shadow-4.14.0/libmisc/cleanup_user.c +--- shadow-4.14.0/libmisc/cleanup_user.c.audit-update 2023-05-26 04:56:11.000000000 +0200 ++++ shadow-4.14.0/libmisc/cleanup_user.c 2023-08-04 09:30:25.207963539 +0200 @@ -43,7 +43,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); 
@@ -181,10 +181,10 @@ diff -up shadow-4.11.1/libmisc/cleanup_user.c.audit-update shadow-4.11.1/libmisc SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.11.1/lib/prototypes.h.audit-update shadow-4.11.1/lib/prototypes.h ---- shadow-4.11.1/lib/prototypes.h.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/lib/prototypes.h 2022-01-03 14:57:01.777006776 +0100 -@@ -197,12 +197,21 @@ extern int audit_fd; +diff -up shadow-4.14.0/lib/prototypes.h.audit-update shadow-4.14.0/lib/prototypes.h +--- shadow-4.14.0/lib/prototypes.h.audit-update 2023-08-03 18:28:35.000000000 +0200 ++++ shadow-4.14.0/lib/prototypes.h 2023-08-04 09:30:25.207963539 +0200 +@@ -202,12 +202,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ #define AUDIT_NO_ID ((unsigned int) -1) 
@@ -206,100 +206,91 @@ diff -up shadow-4.11.1/lib/prototypes.h.audit-update shadow-4.11.1/lib/prototype void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.11.1/src/chage.c.audit-update shadow-4.11.1/src/chage.c ---- shadow-4.11.1/src/chage.c.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/src/chage.c 2022-01-03 14:57:01.777006776 +0100 -@@ -100,9 +100,10 @@ static /*@noreturn@*/void fail_exit (int +diff -up shadow-4.14.0/src/chage.c.audit-update shadow-4.14.0/src/chage.c +--- shadow-4.14.0/src/chage.c.audit-update 2023-08-04 09:30:25.207963539 +0200 ++++ shadow-4.14.0/src/chage.c 2023-08-04 09:31:12.237080212 +0200 +@@ -106,8 +106,8 @@ fail_exit (int code) #ifdef WITH_AUDIT if (E_SUCCESS != code) { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change age", -- user_name, (unsigned int) user_uid, 0); +- "change age", user_name, user_uid, 0); + audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_FAILURE); ++ "change-age", user_name, user_uid, SHADOW_AUDIT_FAILURE); } #endif -@@ -837,11 +838,7 @@ int main (int argc, char **argv) +@@ -841,10 +841,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Permission denied.\n"), Prog); fail_exit (E_NOPERM); } -#ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "display aging info", -- user_name, (unsigned int) user_uid, 1); +- "display aging info", user_name, user_uid, 1); -#endif + /* Displaying fields is not of interest to audit */ list_fields (); fail_exit (E_SUCCESS); } -@@ -860,41 +857,43 @@ int main (int argc, char **argv) +@@ -863,39 +860,39 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT else { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "change all aging information", -- user_name, (unsigned int) user_uid, 1); +- user_name, user_uid, 1); + audit_logger (AUDIT_USER_MGMT, Prog, + "change-all-aging-information", -+ user_name, (unsigned int) user_uid, -+ 
SHADOW_AUDIT_SUCCESS); ++ user_name, user_uid, SHADOW_AUDIT_SUCCESS); } #endif } else { #ifdef WITH_AUDIT if (Mflg) { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change max age", -- user_name, (unsigned int) user_uid, 1); +- "change max age", user_name, user_uid, 1); + audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-max-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_SUCCESS); ++ "change-max-age", user_name, user_uid, SHADOW_AUDIT_SUCCESS); } if (mflg) { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change min age", +- "change min age", user_name, user_uid, 1); + audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-min-age", - user_name, (unsigned int) user_uid, 1); ++ "change-min-age", user_name, user_uid, 1); } if (dflg) { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "change last change date", + audit_logger (AUDIT_USER_MGMT, Prog, + "change-last-change-date", - user_name, (unsigned int) user_uid, 1); + user_name, user_uid, 1); } if (Wflg) { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "change passwd warning", + audit_logger (AUDIT_USER_MGMT, Prog, + "change-passwd-warning", - user_name, (unsigned int) user_uid, 1); + user_name, user_uid, 1); } if (Iflg) { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "change inactive days", + audit_logger (AUDIT_USER_MGMT, Prog, + "change-inactive-days", - user_name, (unsigned int) user_uid, 1); + user_name, user_uid, 1); } if (Eflg) { - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "change passwd expiration", + audit_logger (AUDIT_USER_MGMT, Prog, + "change-passwd-expiration", - user_name, (unsigned int) user_uid, 1); + user_name, user_uid, 1); } #endif -diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c ---- shadow-4.11.1/src/gpasswd.c.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/src/gpasswd.c 2022-01-03 14:57:01.778006782 +0100 -@@ -116,7 +116,7 @@ static void usage (int status) +diff -up shadow-4.14.0/src/gpasswd.c.audit-update shadow-4.14.0/src/gpasswd.c +--- 
shadow-4.14.0/src/gpasswd.c.audit-update 2023-06-11 03:35:50.000000000 +0200 ++++ shadow-4.14.0/src/gpasswd.c 2023-08-04 09:30:25.207963539 +0200 +@@ -118,7 +118,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); (void) fputs (_(" -Q, --root CHROOT_DIR directory to chroot into\n"), usageout); @@ -308,7 +299,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); (void) fputs (_(" -M, --members USER,... set the list of members of GROUP\n"), usageout); #ifdef SHADOWGRP -@@ -375,21 +375,14 @@ static void open_files (void) +@@ -377,21 +377,14 @@ static void open_files (void) static void log_gpasswd_failure (const char *suffix) { @@ -333,7 +324,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (dflg) { -@@ -397,13 +390,9 @@ static void log_gpasswd_failure (const c +@@ -399,13 +392,9 @@ static void log_gpasswd_failure (const c "%s failed to remove user %s from group %s%s", myname, user, group, suffix)); #ifdef WITH_AUDIT @@ -350,7 +341,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (rflg) { -@@ -411,13 +400,9 @@ static void log_gpasswd_failure (const c +@@ -413,13 +402,9 @@ static void log_gpasswd_failure (const c "%s failed to remove password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -367,7 +358,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Rflg) { -@@ -425,13 +410,9 @@ static void log_gpasswd_failure (const c +@@ -427,13 +412,9 @@ static void log_gpasswd_failure (const c "%s failed to restrict access to group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT 
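Review bot: The refreshed chage.c hunk still passes the literal `1` as the result argument for the mflg, dflg, Wflg, Iflg and Eflg success paths, while the change-age, change-all-aging-information and change-max-age calls a few lines above were converted to `SHADOW_AUDIT_FAILURE`/`SHADOW_AUDIT_SUCCESS`; the 4.11.1 version of the patch had the same inconsistency and the regeneration carries it forward instead of fixing it. The line `"change-min-age", user_name, user_uid, 1);` should read `"change-min-age", user_name, user_uid, SHADOW_AUDIT_SUCCESS);`, and the same one-token change applies to the four calls that follow; the mixed form presumably only works because the enum's success value happens to be 1, which a later change to the shadow_audit_result enum in audit_help.c/prototypes.h would silently break. Separately, the `---` line for chage.c carries the 2023-08-04 timestamp of the patched outputs rather than the tarball's 2023-05-26/06-xx mtimes used for the other files, which suggests the pre-image was already modified by an earlier patch in the series and this patch now depends on that application order; worth confirming against the spec file, which is not in this diff. The enclosing chage.c main() starts and ends outside the hunk.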
@@ -384,7 +375,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Aflg || Mflg) { -@@ -441,13 +422,9 @@ static void log_gpasswd_failure (const c +@@ -443,13 +424,9 @@ static void log_gpasswd_failure (const c "%s failed to set the administrators of group %s to %s%s", myname, group, admins, suffix)); #ifdef WITH_AUDIT @@ -401,7 +392,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -457,13 +434,9 @@ static void log_gpasswd_failure (const c +@@ -459,13 +436,9 @@ static void log_gpasswd_failure (const c "%s failed to set the members of group %s to %s%s", myname, group, members, suffix)); #ifdef WITH_AUDIT @@ -418,7 +409,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -472,13 +445,9 @@ static void log_gpasswd_failure (const c +@@ -474,13 +447,9 @@ static void log_gpasswd_failure (const c "%s failed to change password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -435,7 +426,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -509,21 +478,14 @@ static void log_gpasswd_failure_gshadow +@@ -511,21 +480,14 @@ static void log_gpasswd_failure_gshadow static void log_gpasswd_success (const char *suffix) { @@ -460,7 +451,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (dflg) { -@@ -531,13 +493,9 @@ static void log_gpasswd_success (const c +@@ -533,13 +495,9 @@ static void log_gpasswd_success (const c "user %s removed by %s from group %s%s", user, myname, group, suffix)); #ifdef WITH_AUDIT 
@@ -477,7 +468,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (rflg) { -@@ -545,13 +503,9 @@ static void log_gpasswd_success (const c +@@ -547,13 +505,9 @@ static void log_gpasswd_success (const c "password of group %s removed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -494,7 +485,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Rflg) { -@@ -559,13 +513,9 @@ static void log_gpasswd_success (const c +@@ -561,13 +515,9 @@ static void log_gpasswd_success (const c "access to group %s restricted by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -511,7 +502,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Aflg || Mflg) { -@@ -575,13 +525,9 @@ static void log_gpasswd_success (const c +@@ -577,13 +527,9 @@ static void log_gpasswd_success (const c "administrators of group %s set by %s to %s%s", group, myname, admins, suffix)); #ifdef WITH_AUDIT @@ -528,7 +519,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -591,13 +537,9 @@ static void log_gpasswd_success (const c +@@ -593,13 +539,9 @@ static void log_gpasswd_success (const c "members of group %s set by %s to %s%s", group, myname, members, suffix)); #ifdef WITH_AUDIT @@ -545,7 +536,7 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -606,13 +548,9 @@ static void log_gpasswd_success (const c +@@ -608,13 +550,9 @@ static void log_gpasswd_success (const c "password of group %s changed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT 
@@ -562,10 +553,10 @@ diff -up shadow-4.11.1/src/gpasswd.c.audit-update shadow-4.11.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c ---- shadow-4.11.1/src/groupadd.c.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/src/groupadd.c 2022-01-03 14:57:01.778006782 +0100 -@@ -111,6 +111,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.14.0/src/groupadd.c.audit-update shadow-4.14.0/src/groupadd.c +--- shadow-4.14.0/src/groupadd.c.audit-update 2023-05-26 04:56:11.000000000 +0200 ++++ shadow-4.14.0/src/groupadd.c 2023-08-04 09:34:34.125581046 +0200 +@@ -114,6 +114,15 @@ usage (int status) exit (status); } @@ -581,7 +572,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c /* * new_grent - initialize the values in a group file entry * -@@ -207,7 +216,7 @@ static void grp_update (void) +@@ -210,7 +219,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); @@ -590,7 +581,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } #ifdef SHADOWGRP /* -@@ -217,7 +226,7 @@ static void grp_update (void) +@@ -220,7 +229,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); @@ -599,7 +590,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } #endif /* SHADOWGRP */ } -@@ -241,7 +250,7 @@ static void check_new_name (void) +@@ -244,7 +253,7 @@ static void check_new_name (void) fprintf (stderr, _("%s: '%s' is not a valid group name\n"), Prog, group_name); 
@@ -608,7 +599,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } /* -@@ -257,11 +266,11 @@ static void close_files (void) +@@ -260,11 +269,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -619,10 +610,10 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c audit_logger (AUDIT_ADD_GROUP, Prog, - "adding group to /etc/group", + "add-group", - group_name, (unsigned int) group_id, - SHADOW_AUDIT_SUCCESS); + group_name, group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -279,11 +288,11 @@ static void close_files (void) + SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u", +@@ -281,11 +290,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -634,23 +625,21 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c - "adding group to /etc/gshadow", + audit_logger (AUDIT_GRP_MGMT, Prog, + "add-shadow-group", - group_name, (unsigned int) group_id, - SHADOW_AUDIT_SUCCESS); + group_name, group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -297,12 +306,6 @@ static void close_files (void) + SYSLOG ((LOG_INFO, "group added to %s: name=%s", +@@ -298,10 +307,6 @@ static void close_files (void) #endif /* SHADOWGRP */ /* Report success at the system level */ -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_GROUP, Prog, -- "", -- group_name, (unsigned int) group_id, -- SHADOW_AUDIT_SUCCESS); +- "", group_name, group_id, SHADOW_AUDIT_SUCCESS); -#endif SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); -@@ -320,7 +323,7 @@ static void open_files (void) +@@ -319,7 +324,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); 
@@ -659,7 +648,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } add_cleanup (cleanup_unlock_group, NULL); -@@ -330,7 +333,7 @@ static void open_files (void) +@@ -329,7 +334,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -668,7 +657,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -346,7 +349,7 @@ static void open_files (void) +@@ -345,7 +350,7 @@ static void open_files (void) if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -677,7 +666,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } #ifdef SHADOWGRP -@@ -356,7 +359,7 @@ static void open_files (void) +@@ -355,7 +360,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -686,7 +675,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } } #endif /* SHADOWGRP */ -@@ -493,7 +496,7 @@ static void check_flags (void) +@@ -492,7 +497,7 @@ static void check_flags (void) fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name); @@ -695,7 +684,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } if (gflg && (prefix_getgrgid (group_id) != NULL)) { -@@ -512,7 +515,7 @@ static void check_flags (void) +@@ -511,7 +516,7 @@ static void check_flags (void) fprintf (stderr, _("%s: GID '%lu' already exists\n"), Prog, (unsigned long int) group_id); @@ -704,7 +693,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } } } -@@ -540,7 +543,7 @@ static void check_perms (void) +@@ -539,7 +544,7 @@ static void check_perms (void) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); 
@@ -713,7 +702,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); -@@ -560,7 +563,7 @@ static void check_perms (void) +@@ -559,7 +564,7 @@ static void check_perms (void) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -722,7 +711,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -595,7 +598,7 @@ int main (int argc, char **argv) +@@ -594,7 +599,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -731,7 +720,7 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } /* -@@ -617,7 +620,7 @@ int main (int argc, char **argv) +@@ -621,7 +626,7 @@ int main (int argc, char **argv) if (!gflg) { if (find_new_gid (rflg, &group_id, NULL) < 0) { @@ -740,10 +729,10 @@ diff -up shadow-4.11.1/src/groupadd.c.audit-update shadow-4.11.1/src/groupadd.c } } -diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c ---- shadow-4.11.1/src/groupdel.c.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/src/groupdel.c 2022-01-03 14:57:01.778006782 +0100 -@@ -84,6 +84,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.14.0/src/groupdel.c.audit-update shadow-4.14.0/src/groupdel.c +--- shadow-4.14.0/src/groupdel.c.audit-update 2023-05-26 04:56:11.000000000 +0200 ++++ shadow-4.14.0/src/groupdel.c 2023-08-04 09:36:42.778900250 +0200 +@@ -87,6 +87,15 @@ usage (int status) exit (status); } @@ -759,7 +748,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c /* * grp_update - update group file entries * -@@ -110,7 +119,7 @@ static void grp_update (void) +@@ -113,7 +122,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); 
@@ -768,7 +757,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } #ifdef SHADOWGRP -@@ -122,7 +131,7 @@ static void grp_update (void) +@@ -125,7 +134,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -777,7 +766,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -141,12 +150,12 @@ static void close_files (void) +@@ -144,12 +153,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -789,10 +778,10 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c audit_logger (AUDIT_DEL_GROUP, Prog, - "removing group from /etc/group", + "delete-group", - group_name, (unsigned int) group_id, - SHADOW_AUDIT_SUCCESS); + group_name, group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -166,12 +175,12 @@ static void close_files (void) + SYSLOG ((LOG_INFO, +@@ -168,12 +177,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); 
@@ -805,24 +794,22 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c - "removing group from /etc/gshadow", + audit_logger (AUDIT_GRP_MGMT, Prog, + "delete-shadow-group", - group_name, (unsigned int) group_id, - SHADOW_AUDIT_SUCCESS); + group_name, group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -185,13 +194,6 @@ static void close_files (void) + SYSLOG ((LOG_INFO, +@@ -186,11 +195,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ - /* Report success at the system level */ -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_GROUP, Prog, -- "", -- group_name, (unsigned int) group_id, -- SHADOW_AUDIT_SUCCESS); +- "", group_name, group_id, SHADOW_AUDIT_SUCCESS); -#endif SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -208,7 +210,7 @@ static void open_files (void) +@@ -207,7 +211,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -831,7 +818,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -217,7 +219,7 @@ static void open_files (void) +@@ -216,7 +220,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -840,7 +827,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -235,7 +237,7 @@ static void open_files (void) +@@ -234,7 +238,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); 
@@ -849,7 +836,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -244,7 +246,7 @@ static void open_files (void) +@@ -243,7 +247,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -858,7 +845,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -285,7 +287,7 @@ static void group_busy (gid_t gid) +@@ -284,7 +288,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -867,7 +854,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } /* -@@ -373,7 +375,7 @@ int main (int argc, char **argv) +@@ -372,7 +376,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -876,7 +863,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } process_flags (argc, argv); -@@ -387,7 +389,7 @@ int main (int argc, char **argv) +@@ -386,7 +390,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -885,7 +872,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -408,7 +410,7 @@ int main (int argc, char **argv) +@@ -407,7 +411,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -894,7 +881,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -428,7 +430,7 @@ int main (int argc, char **argv) +@@ -427,7 +431,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); 
@@ -903,7 +890,7 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } group_id = grp->gr_gid; -@@ -452,7 +454,7 @@ int main (int argc, char **argv) +@@ -451,7 +455,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -912,10 +899,10 @@ diff -up shadow-4.11.1/src/groupdel.c.audit-update shadow-4.11.1/src/groupdel.c } #endif -diff -up shadow-4.11.1/src/groupmod.c.audit-update shadow-4.11.1/src/groupmod.c ---- shadow-4.11.1/src/groupmod.c.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/src/groupmod.c 2022-01-03 14:57:01.778006782 +0100 -@@ -468,7 +468,7 @@ static void close_files (void) +diff -up shadow-4.14.0/src/groupmod.c.audit-update shadow-4.14.0/src/groupmod.c +--- shadow-4.14.0/src/groupmod.c.audit-update 2023-06-10 02:02:29.000000000 +0200 ++++ shadow-4.14.0/src/groupmod.c 2023-08-04 09:30:25.208963541 +0200 +@@ -473,7 +473,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -924,7 +911,7 @@ diff -up shadow-4.11.1/src/groupmod.c.audit-update shadow-4.11.1/src/groupmod.c info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -491,7 +491,14 @@ static void close_files (void) +@@ -496,7 +496,14 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -940,7 +927,7 @@ diff -up shadow-4.11.1/src/groupmod.c.audit-update shadow-4.11.1/src/groupmod.c info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -514,7 +521,7 @@ static void close_files (void) +@@ -519,7 +526,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -949,7 +936,7 @@ diff -up shadow-4.11.1/src/groupmod.c.audit-update shadow-4.11.1/src/groupmod.c info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -529,8 +536,8 @@ static void close_files (void) +@@ -534,8 +541,8 @@ static void close_files (void) } #ifdef WITH_AUDIT 
@@ -960,168 +947,10 @@ diff -up shadow-4.11.1/src/groupmod.c.audit-update shadow-4.11.1/src/groupmod.c group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -542,6 +549,8 @@ static void close_files (void) - */ - static void prepare_failure_reports (void) - { -+ char *nv_pair, nv[64]; -+ - info_group.name = group_name; - #ifdef SHADOWGRP - info_gshadow.name = group_name; -@@ -554,76 +563,109 @@ static void prepare_failure_reports (voi - #endif - info_passwd.audit_msg = xmalloc (512); - -- (void) snprintf (info_group.audit_msg, 511, -- "changing %s; ", gr_dbname ()); -+ info_group.action = xmalloc (512); - #ifdef SHADOWGRP -- (void) snprintf (info_gshadow.audit_msg, 511, -- "changing %s; ", sgr_dbname ()); -+ info_gshadow.action = xmalloc (512); - #endif -- (void) snprintf (info_passwd.audit_msg, 511, -- "changing %s; ", pw_dbname ()); -+ info_passwd.action = xmalloc (512); - -- info_group.action = info_group.audit_msg -- + strlen (info_group.audit_msg); -+ (void) snprintf (info_group.audit_msg, 511, -+ "changing-group"); - #ifdef SHADOWGRP -- info_gshadow.action = info_gshadow.audit_msg -- + strlen (info_gshadow.audit_msg); -+ (void) snprintf (info_gshadow.audit_msg, 511, -+ "changing-shadow-group"); - #endif -- info_passwd.action = info_passwd.audit_msg -- + strlen (info_passwd.audit_msg); -+ (void) snprintf (info_passwd.audit_msg, 511, -+ "changing-group-passwd"); - -+ nv_pair = audit_encode_nv_string(" grp", group_name, -+ strlen(group_name)); -+ if(nv_pair) { -+ strncat(info_group.audit_msg, nv_pair, -+ 511 - strlen(info_group.audit_msg)); -+#ifdef SHADOWGRP -+ strncat(info_gshadow.audit_msg, nv_pair, -+ 511 - strlen(info_gshadow.audit_msg)); -+#endif -+ strncat(info_passwd.audit_msg, nv_pair, -+ 511 - strlen(info_passwd.audit_msg)); -+ free(nv_pair); -+ } -+ snprintf(nv, sizeof(nv), " gid=%lu", (unsigned long)group_id); -+ strncat(info_group.audit_msg, nv, 511 - strlen(info_group.audit_msg)); -+ strncat(info_passwd.audit_msg, nv, 511 - 
strlen(info_passwd.audit_msg)); -+ - (void) snprintf (info_group.action, -- 511 - strlen (info_group.audit_msg), -+ 511, - "group %s/%lu", - group_name, (unsigned long int) group_id); - #ifdef SHADOWGRP - (void) snprintf (info_gshadow.action, -- 511 - strlen (info_group.audit_msg), -+ 511, - "group %s", group_name); - #endif - (void) snprintf (info_passwd.action, -- 511 - strlen (info_group.audit_msg), -+ 511, - "group %s/%lu", - group_name, (unsigned long int) group_id); - - if (nflg) { -+ nv_pair = audit_encode_nv_string(" new_group", group_newname, -+ strlen(group_newname)); -+ strncat(info_group.audit_msg, nv_pair, -+ 511 - strlen(info_group.audit_msg)); - strncat (info_group.action, ", new name: ", -- 511 - strlen (info_group.audit_msg)); -+ 511 - strlen (info_group.action)); - strncat (info_group.action, group_newname, -- 511 - strlen (info_group.audit_msg)); -+ 511 - strlen (info_group.action)); - - #ifdef SHADOWGRP -+ strncat(info_gshadow.audit_msg, nv_pair, -+ 511 - strlen(info_gshadow.audit_msg)); - strncat (info_gshadow.action, ", new name: ", -- 511 - strlen (info_gshadow.audit_msg)); -+ 511 - strlen (info_gshadow.action)); - strncat (info_gshadow.action, group_newname, -- 511 - strlen (info_gshadow.audit_msg)); -+ 511 - strlen (info_gshadow.action)); - #endif - -+ strncat(info_passwd.audit_msg, nv_pair, -+ 511 - strlen(info_passwd.audit_msg)); - strncat (info_passwd.action, ", new name: ", -- 511 - strlen (info_passwd.audit_msg)); -+ 511 - strlen (info_passwd.action)); - strncat (info_passwd.action, group_newname, -- 511 - strlen (info_passwd.audit_msg)); -+ 511 - strlen (info_passwd.action)); -+ free(nv_pair); - } - if (pflg) { -+ strncat(info_passwd.audit_msg, "op=change-password", -+ 511 - strlen (info_passwd.action)); -+ -+ /* Note: audit doesn't want this value recorded */ - strncat (info_group.action, ", new password", -- 511 - strlen (info_group.audit_msg)); -+ 511 - strlen (info_group.action)); - - #ifdef SHADOWGRP - strncat 
(info_gshadow.action, ", new password", -- 511 - strlen (info_gshadow.audit_msg)); -+ 511 - strlen (info_gshadow.action)); - #endif - } - if (gflg) { -+ snprintf(nv, sizeof(nv), " new_gid=%lu", (unsigned long)group_newid); -+ strncat(info_group.audit_msg, nv, -+ 511 - strlen(info_group.audit_msg)); -+ strncat(info_passwd.audit_msg, nv, -+ 511 - strlen(info_passwd.audit_msg)); -+ - strncat (info_group.action, ", new gid: ", -- 511 - strlen (info_group.audit_msg)); -+ 511 - strlen (info_group.action)); - (void) snprintf (info_group.action+strlen (info_group.action), -- 511 - strlen (info_group.audit_msg), -+ 511 - strlen (info_group.action), - "%lu", (unsigned long int) group_newid); - - strncat (info_passwd.action, ", new gid: ", -- 511 - strlen (info_passwd.audit_msg)); -+ 511 - strlen (info_passwd.action)); - (void) snprintf (info_passwd.action+strlen (info_passwd.action), -- 511 - strlen (info_passwd.audit_msg), -+ 511 - strlen (info_passwd.action), - "%lu", (unsigned long int) group_newid); - } - info_group.audit_msg[511] = '\0'; -@@ -631,6 +673,11 @@ static void prepare_failure_reports (voi - info_gshadow.audit_msg[511] = '\0'; - #endif - info_passwd.audit_msg[511] = '\0'; -+ info_group.action[511] = '\0'; -+#ifdef SHADOWGRP -+ info_gshadow.action[511] = '\0'; -+#endif -+ info_passwd.action[511] = '\0'; - - // FIXME: add a system cleanup - add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c ---- shadow-4.11.1/src/newgrp.c.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/src/newgrp.c 2022-01-03 15:25:39.407050922 +0100 -@@ -185,11 +185,12 @@ static void check_perms (const struct gr +diff -up shadow-4.14.0/src/newgrp.c.audit-update shadow-4.14.0/src/newgrp.c +--- shadow-4.14.0/src/newgrp.c.audit-update 2023-08-04 09:30:25.208963541 +0200 ++++ shadow-4.14.0/src/newgrp.c 2023-08-04 09:51:28.354208322 +0200 +@@ -186,10 +186,10 @@ static void check_perms (const struct gr 
strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1129,14 +958,12 @@ diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c + "authentication new_gid=%lu", (unsigned long) grp->gr_gid); audit_logger (AUDIT_GRP_AUTH, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), -+ SHADOW_AUDIT_FAILURE); +- audit_buf, NULL, getuid (), 0); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE); #endif SYSLOG ((LOG_INFO, "Invalid password for group '%s' from '%s'", -@@ -200,11 +201,12 @@ static void check_perms (const struct gr +@@ -200,10 +200,10 @@ static void check_perms (const struct gr } #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1144,14 +971,12 @@ diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c + "authentication new_gid=%lu", (unsigned long) grp->gr_gid); audit_logger (AUDIT_GRP_AUTH, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 1); -+ (unsigned int) getuid (), -+ SHADOW_AUDIT_SUCCESS); +- audit_buf, NULL, getuid (), 1); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_SUCCESS); #endif } -@@ -215,19 +217,6 @@ failure: +@@ -214,17 +214,6 @@ failure: * harm. -- JWP */ closelog (); @@ -1160,18 +985,16 @@ diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c - snprintf (audit_buf, sizeof(audit_buf), - "changing new-group=%s", groupname); - audit_logger (AUDIT_CHGRP_ID, Prog, -- audit_buf, NULL, -- (unsigned int) getuid (), 0); +- audit_buf, NULL, getuid (), 0); - } else { - audit_logger (AUDIT_CHGRP_ID, Prog, -- "changing", NULL, -- (unsigned int) getuid (), 0); +- "changing", NULL, getuid (), 0); - } -#endif exit (EXIT_FAILURE); } -@@ -299,15 +288,27 @@ static void syslog_sg (const char *name, +@@ -298,13 +287,23 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { 
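Review bot: Nothing in view shows whether the prepare_failure_reports() audit rewrite being dropped from the patch here (the ` grp=`/` gid=`/` new_gid=` name-value pairs appended to audit_msg, and the separately allocated `action` buffers) already exists in shadow 4.14.0; if it does not, groupmod failure records silently revert to the pre-patch `changing /etc/group; ` text and any consumer keyed on those fields loses them. If upstream did absorb that code, two spots in the dropped text are worth re-checking there: in the `if (nflg)` branch `nv_pair` from audit_encode_nv_string is handed to strncat without the NULL check the earlier ` grp` pair gets, and `strncat(info_passwd.audit_msg, "op=change-password", 511 - strlen (info_passwd.action))` bounds the copy by the wrong buffer's length, so it can exceed the room left in the 512-byte audit_msg. A line in the patch header or package changelog naming the upstream commit that made this hunk redundant would make the drop auditable.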
@@ -1190,29 +1013,25 @@ diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c + group); + } audit_logger (AUDIT_CHGRP_ID, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), -+ SHADOW_AUDIT_FAILURE); +- audit_buf, NULL, getuid (), 0); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE); } else { audit_logger (AUDIT_CHGRP_ID, Prog, - "changing", NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), -+ SHADOW_AUDIT_FAILURE); +- "changing", NULL, getuid (), 0); ++ "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE); } #endif exit (EXIT_FAILURE); -@@ -438,7 +439,7 @@ int main (int argc, char **argv) +@@ -440,7 +439,7 @@ int main (int argc, char **argv) + Prog); #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, - "changing", NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); +- "changing", NULL, getuid (), 0); ++ "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE); #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -554,15 +555,26 @@ int main (int argc, char **argv) +@@ -556,13 +555,22 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { 
@@ -1230,59 +1049,52 @@ diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c + "changing new_group=\"%s\"", group); + } audit_logger (AUDIT_CHGRP_ID, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), -+ SHADOW_AUDIT_FAILURE); +- audit_buf, NULL, getuid (), 0); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE); } else { audit_logger (AUDIT_CHGRP_ID, Prog, - "changing", NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), -+ SHADOW_AUDIT_FAILURE); +- "changing", NULL, getuid (), 0); ++ "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE); } #endif exit (EXIT_FAILURE); -@@ -719,10 +731,10 @@ int main (int argc, char **argv) +@@ -717,9 +725,9 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), - "changing new-gid=%lu", (unsigned long) gid); + "changing new_gid=%lu", (unsigned long) gid); audit_logger (AUDIT_CHGRP_ID, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); +- audit_buf, NULL, getuid (), 0); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE); #endif exit (EXIT_FAILURE); } -@@ -731,10 +743,10 @@ int main (int argc, char **argv) +@@ -728,9 +736,9 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), - "changing new-gid=%lu", (unsigned long) gid); + "changing new_gid=%lu", (unsigned long) gid); audit_logger (AUDIT_CHGRP_ID, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); +- audit_buf, NULL, getuid (), 0); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE); #endif exit (EXIT_FAILURE); } -@@ -748,10 +760,10 @@ int main (int argc, char **argv) - execl (SHELL, "sh", "-c", command, (char *) 0); +@@ -744,9 +752,9 @@ int main (int argc, char **argv) + execl (SHELL, "sh", "-c", command, (char *) NULL); #ifdef WITH_AUDIT snprintf (audit_buf, 
sizeof(audit_buf), - "changing new-gid=%lu", (unsigned long) gid); + "changing new_gid=%lu", (unsigned long) gid); audit_logger (AUDIT_CHGRP_ID, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); +- audit_buf, NULL, getuid (), 0); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE); #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -815,11 +827,11 @@ int main (int argc, char **argv) +@@ -810,10 +818,10 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1290,13 +1102,12 @@ diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c + snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%lu", (unsigned long) gid); audit_logger (AUDIT_CHGRP_ID, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 1); -+ (unsigned int) getuid (), SHADOW_AUDIT_SUCCESS); +- audit_buf, NULL, getuid (), 1); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_SUCCESS); #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -843,15 +855,24 @@ int main (int argc, char **argv) +@@ -837,13 +845,22 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { 
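Review bot: In the execl failure path of this hunk, errno from the failed `execl (SHELL, "sh", "-c", command, (char *) NULL)` is only read at `exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC)`, after the `audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE)` call the patch places in between and after `perror (SHELL)`; audit_logger presumably wraps libaudit socket I/O and can overwrite errno, so the E_CMD_NOTFOUND/E_CMD_NOEXEC distinction and the perror text can be wrong precisely when auditing is enabled. Save it first: `int saved_errno = errno;` immediately after the execl, then `errno = saved_errno;` before `perror (SHELL);`. The setgid/setuid blocks earlier in the hunk are not affected because they call perror before logging. The enclosing main() starts and ends outside the hunk.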
@@ -1314,112 +1125,91 @@ diff -up shadow-4.11.1/src/newgrp.c.audit-update shadow-4.11.1/src/newgrp.c + "changing new_group=\"%s\"", group); + } audit_logger (AUDIT_CHGRP_ID, Prog, - audit_buf, NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); +- audit_buf, NULL, getuid (), 0); ++ audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE); } else { audit_logger (AUDIT_CHGRP_ID, Prog, - "changing", NULL, -- (unsigned int) getuid (), 0); -+ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); +- "changing", NULL, getuid (), 0); ++ "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE); } #endif exit (EXIT_FAILURE); -diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c ---- shadow-4.11.1/src/useradd.c.audit-update 2022-01-03 14:57:01.772006744 +0100 -+++ shadow-4.11.1/src/useradd.c 2022-01-03 14:57:01.787006838 +0100 -@@ -222,6 +222,8 @@ static void check_uid_range(int rflg, ui +diff -up shadow-4.14.0/src/useradd.c.audit-update shadow-4.14.0/src/useradd.c +--- shadow-4.14.0/src/useradd.c.audit-update 2023-07-30 12:38:39.000000000 +0200 ++++ shadow-4.14.0/src/useradd.c 2023-08-04 10:02:18.851935396 +0200 +@@ -240,6 +240,8 @@ static void check_uid_range(int rflg, ui */ static void fail_exit (int code) { + int type; + - if (home_added) { - if (rmdir (prefix_user_home) != 0) { - fprintf (stderr, -@@ -235,12 +237,6 @@ static void fail_exit (int code) - if (spw_unlock () == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); + if (home_added && rmdir(prefix_user_home) != 0) { + fprintf(stderr, + _("%s: %s was created, but could not be removed\n"), +@@ -250,38 +252,22 @@ static void fail_exit (int code) + if (spw_locked && spw_unlock() == 0) { + fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname()); + SYSLOG((LOG_ERR, "failed to unlock %s", spw_dbname())); -#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "unlocking 
shadow file", -- user_name, AUDIT_NO_ID, -- SHADOW_AUDIT_FAILURE); +- audit_logger(AUDIT_ADD_USER, Prog, "unlocking shadow file", +- user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); -#endif - /* continue */ - } + /* continue */ } -@@ -248,12 +244,6 @@ static void fail_exit (int code) - if (pw_unlock () == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); + if (pw_locked && pw_unlock() == 0) { + fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname()); + SYSLOG((LOG_ERR, "failed to unlock %s", pw_dbname())); -#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "unlocking passwd file", -- user_name, AUDIT_NO_ID, -- SHADOW_AUDIT_FAILURE); +- audit_logger(AUDIT_ADD_USER, Prog, "unlocking passwd file", +- user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); -#endif - /* continue */ - } + /* continue */ } -@@ -261,12 +251,6 @@ static void fail_exit (int code) - if (gr_unlock () == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); + if (gr_locked && gr_unlock() == 0) { + fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname()); + SYSLOG((LOG_ERR, "failed to unlock %s", gr_dbname())); -#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "unlocking group file", -- user_name, AUDIT_NO_ID, -- SHADOW_AUDIT_FAILURE); +- audit_logger(AUDIT_ADD_USER, Prog, "unlocking group file", +- user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); -#endif - /* continue */ - } + /* continue */ } -@@ -275,12 +259,6 @@ static void fail_exit (int code) - if (sgr_unlock () == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "unlocking gshadow file", -- user_name, AUDIT_NO_ID, -- SHADOW_AUDIT_FAILURE); --#endif - /* continue */ - } + #ifdef SHADOWGRP + if 
(sgr_locked && sgr_unlock() == 0) { + fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname()); + SYSLOG((LOG_ERR, "failed to unlock %s", sgr_dbname())); +-# ifdef WITH_AUDIT +- audit_logger(AUDIT_ADD_USER, Prog, "unlocking gshadow file", +- user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); +-# endif + /* continue */ } -@@ -290,12 +268,6 @@ static void fail_exit (int code) - if (sub_uid_unlock () == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "unlocking subordinate user file", -- user_name, AUDIT_NO_ID, -- SHADOW_AUDIT_FAILURE); --#endif - /* continue */ - } + #endif +@@ -289,27 +275,23 @@ static void fail_exit (int code) + if (sub_uid_locked && sub_uid_unlock() == 0) { + fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname()); + SYSLOG((LOG_ERR, "failed to unlock %s", sub_uid_dbname())); +-# ifdef WITH_AUDIT +- audit_logger(AUDIT_ADD_USER, Prog, +- "unlocking subordinate user file", +- user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); +-# endif + /* continue */ } -@@ -303,20 +275,19 @@ static void fail_exit (int code) - if (sub_gid_unlock () == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "unlocking subordinate group file", -- user_name, AUDIT_NO_ID, -- SHADOW_AUDIT_FAILURE); --#endif - /* continue */ - } + if (sub_gid_locked && sub_gid_unlock() == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname()); + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname())); +-# ifdef WITH_AUDIT +- audit_logger(AUDIT_ADD_USER, Prog, +- "unlocking subordinate group file", +- user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); +-# endif + /* continue */ } - #endif /* ENABLE_SUBIDS */ + #endif /* ENABLE_SUBIDS */ 
#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding user", +- audit_logger(AUDIT_ADD_USER, Prog, "adding user", + if (code == E_PW_UPDATE || code >= E_GRP_UPDATE) + type = AUDIT_USER_MGMT; + else @@ -1427,10 +1217,10 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c + + audit_logger (type, Prog, + "add-user", - user_name, AUDIT_NO_ID, - SHADOW_AUDIT_FAILURE); + user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -719,7 +690,7 @@ static int set_defaults (void) + SYSLOG((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code)); +@@ -759,7 +741,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1439,7 +1229,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1050,12 +1021,6 @@ static void grp_update (void) +@@ -1096,12 +1078,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1452,7 +1242,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -1069,18 +1034,12 @@ static void grp_update (void) +@@ -1115,18 +1091,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1474,7 +1264,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1125,12 +1084,6 @@ static void grp_update (void) +@@ -1171,12 +1141,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); 
@@ -1487,7 +1277,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -1144,18 +1097,13 @@ static void grp_update (void) +@@ -1190,18 +1154,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1510,7 +1300,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1528,7 +1476,7 @@ static void process_flags (int argc, cha +@@ -1596,7 +1555,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1519,7 +1309,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1637,7 +1585,7 @@ static void close_files (void) +@@ -1705,7 +1664,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1528,7 +1318,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1650,7 +1598,7 @@ static void close_files (void) +@@ -1718,7 +1677,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1537,7 +1327,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1667,7 +1615,7 @@ static void close_files (void) +@@ -1735,7 +1694,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1546,7 +1336,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1681,7 +1629,7 @@ static void close_files (void) +@@ -1749,7 +1708,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1555,7 +1345,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1942,7 +1890,7 @@ static void grp_add (void) +@@ -2012,7 +1971,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1564,7 +1354,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1958,7 +1906,7 @@ static void grp_add (void) +@@ -2028,7 +1987,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1573,7 +1363,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1968,7 +1916,7 @@ static void grp_add (void) +@@ -2038,7 +1997,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, 
@@ -1582,61 +1372,48 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -2161,12 +2109,6 @@ static void usr_update (unsigned long su +@@ -2240,11 +2199,6 @@ static void usr_update (unsigned long su fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding shadow password", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -2187,9 +2129,14 @@ static void usr_update (unsigned long su - #endif /* ENABLE_SUBIDS */ - - #ifdef WITH_AUDIT -+ /* -+ * Even though we have the ID of the user, we won't send it now -+ * because its not written to disk yet. After close_files it is -+ * and we can use the real ID thereafter. -+ */ +@@ -2271,7 +2225,7 @@ static void usr_update (unsigned long su + * and we can use the real ID thereafter. 
+ */ audit_logger (AUDIT_ADD_USER, Prog, - "adding user", -- user_name, (unsigned int) user_id, + "add-user", -+ user_name, AUDIT_NO_ID, + user_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif - /* -@@ -2279,12 +2226,6 @@ static void create_home (void) - fprintf (stderr, - _("%s: cannot create directory %s\n"), - Prog, path); +@@ -2365,10 +2319,6 @@ static void create_home (void) + if (mkdir(path, 0) != 0) { + fprintf(stderr, _("%s: cannot create directory %s\n"), + Prog, path); -#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding home directory", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- audit_logger(AUDIT_ADD_USER, Prog, "adding home directory", +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif - fail_exit (E_HOMEDIR); + fail_exit(E_HOMEDIR); } - if (chown (path, 0, 0) < 0) { -@@ -2311,8 +2252,8 @@ static void create_home (void) - } - home_added = true; + if (chown(path, 0, 0) < 0) { +@@ -2393,7 +2343,7 @@ static void create_home (void) + } + home_added = true; #ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding home directory", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "add-home-dir", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_SUCCESS); +- audit_logger(AUDIT_ADD_USER, Prog, "adding home directory", ++ audit_logger(AUDIT_USER_MGMT, Prog, "add-home-dir", + user_name, user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2552,12 +2493,6 @@ int main (int argc, char **argv) + #ifdef WITH_SELINUX +@@ -2637,12 +2587,6 @@ int main (int argc, char **argv) */ if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); 
@@ -1649,7 +1426,7 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2573,12 +2508,6 @@ int main (int argc, char **argv) +@@ -2658,12 +2602,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); 
@@ -1662,62 +1439,61 @@ diff -up shadow-4.11.1/src/useradd.c.audit-update shadow-4.11.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2608,12 +2537,6 @@ int main (int argc, char **argv) +@@ -2693,12 +2631,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding user", -- user_name, (unsigned int) user_id, +- user_name, user_id, - SHADOW_AUDIT_FAILURE); -#endif fail_exit (E_UID_IN_USE); } } -@@ -2688,9 +2611,10 @@ int main (int argc, char **argv) +@@ -2773,9 +2705,9 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding SELinux user mapping", -- user_name, (unsigned int) user_id, 0); +- user_name, user_id, 0); + audit_logger (AUDIT_ROLE_ASSIGN, Prog, + "add-selinux-user-mapping", -+ user_name, (unsigned int) user_id, -+ SHADOW_AUDIT_FAILURE); ++ user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_SE_UPDATE); } -diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c ---- shadow-4.11.1/src/userdel.c.audit-update 2022-01-03 01:46:53.000000000 +0100 -+++ shadow-4.11.1/src/userdel.c 2022-01-03 14:57:01.787006838 +0100 -@@ -202,9 +202,9 @@ static void update_groups (void) +diff -up shadow-4.14.0/src/userdel.c.audit-update shadow-4.14.0/src/userdel.c +--- shadow-4.14.0/src/userdel.c.audit-update 2023-06-10 02:02:29.000000000 +0200 ++++ shadow-4.14.0/src/userdel.c 2023-08-04 10:26:18.225695416 +0200 +@@ -204,9 +204,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. 
*/ #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "deleting user from group", -- user_name, (unsigned int) user_id, +- user_name, user_id, SHADOW_AUDIT_SUCCESS); + audit_logger_with_group (AUDIT_USER_MGMT, Prog, + "deleting-user-from-group", -+ user_name, (unsigned int) user_id, ngrp->gr_name, - SHADOW_AUDIT_SUCCESS); ++ user_name, user_id, ngrp->gr_name, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -264,9 +264,9 @@ static void update_groups (void) + user_name, ngrp->gr_name)); +@@ -265,9 +265,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "deleting user from shadow group", -- user_name, (unsigned int) user_id, +- user_name, user_id, SHADOW_AUDIT_SUCCESS); + audit_logger_with_group (AUDIT_USER_MGMT, Prog, + "deleting-user-from-shadow-group", -+ user_name, (unsigned int) user_id, nsgrp->sg_name, - SHADOW_AUDIT_SUCCESS); ++ user_name, user_id, nsgrp->sg_name, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", + user_name, nsgrp->sg_name)); @@ -343,9 +343,9 @@ static void remove_usergroup (void) } @@ -1750,18 +1526,17 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c audit_logger (AUDIT_DEL_USER, Prog, - "deleting user", + "delete-user", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -545,24 +545,12 @@ static void open_files (void) + +@@ -544,22 +544,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "locking password file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } 
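Review bot: The two op strings introduced here, `deleting-user-from-group` and `deleting-user-from-shadow-group`, use a gerund while the other records in the same patch are imperative (`delete-user` a few lines below, `add-user`/`add-home-dir` in the useradd part), so a detection rule keyed on `op=` has to carry both spellings for what is one naming scheme. I would use `"delete-user-from-group"` and `"delete-user-from-shadow-group"` to match `delete-user`. The records also move from AUDIT_DEL_USER to AUDIT_USER_MGMT through a new `audit_logger_with_group` helper whose definition is not in this hunk; confirm it is added in the libmisc part of the patch (and declared in the header useradd/userdel include) so a WITH_AUDIT build still links. update_groups() begins before and continues after the hunk.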
@@ -1772,47 +1547,43 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "opening password file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -570,12 +558,6 @@ static void open_files (void) +@@ -567,11 +557,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "locking shadow password file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -583,12 +565,6 @@ static void open_files (void) +@@ -579,11 +564,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "opening shadow password file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } } -@@ -596,23 +572,11 @@ static void open_files (void) +@@ -591,21 +571,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "locking group file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } 
@@ -1822,21 +1593,19 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "opening group file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -621,24 +585,12 @@ static void open_files (void) +@@ -614,22 +584,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "locking shadow group file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } @@ -1847,21 +1616,19 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "opening shadow group file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } } -@@ -649,24 +601,12 @@ static void open_files (void) +@@ -640,22 +600,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "locking subordinate user file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_SUB_UID_UPDATE); } 
@@ -1872,21 +1639,19 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "opening subordinate user file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_SUB_UID_UPDATE); } } -@@ -675,24 +615,12 @@ static void open_files (void) +@@ -664,22 +614,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "locking subordinate group file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_SUB_GID_UPDATE); } 
@@ -1897,40 +1662,39 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, - "opening subordinate group file", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- user_name, user_id, SHADOW_AUDIT_FAILURE); -#endif /* WITH_AUDIT */ fail_exit (E_SUB_GID_UPDATE); } } -@@ -737,7 +665,7 @@ static void update_user (void) +@@ -724,7 +664,7 @@ static void update_user (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, - "deleting user entries", + "delete-user", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_SUCCESS); + user_name, user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -845,7 +773,7 @@ static int remove_mailbox (void) + SYSLOG ((LOG_INFO, "delete user '%s'\n", user_name)); +@@ -831,7 +771,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, - "deleting mail file", + "delete-mail-file", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -862,7 +790,7 @@ static int remove_mailbox (void) + free(mailfile); +@@ -847,7 +787,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, - "deleting mail file", + "delete-mail-file", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -872,8 +800,8 @@ static int remove_mailbox (void) + errors = 1; +@@ -856,8 +796,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { 
@@ -1938,28 +1702,28 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c - "deleting mail file", + audit_logger (AUDIT_USER_MGMT, Prog, + "delete-mail-file", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_SUCCESS); + user_name, user_id, SHADOW_AUDIT_SUCCESS); } -@@ -891,7 +819,7 @@ static int remove_mailbox (void) + #endif /* WITH_AUDIT */ +@@ -874,7 +814,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, - "deleting mail file", + "delete-mail-file", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -908,7 +836,7 @@ static int remove_mailbox (void) + free(mailfile); +@@ -890,7 +830,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, - "deleting mail file", + "delete-mail-file", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -918,8 +846,8 @@ static int remove_mailbox (void) + errors = 1; +@@ -899,8 +839,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1967,10 +1731,10 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c - "deleting mail file", + audit_logger (AUDIT_USER_MGMT, Prog, + "delete-mail-file", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_SUCCESS); + user_name, user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1138,7 +1066,7 @@ int main (int argc, char **argv) + #endif /* WITH_AUDIT */ +@@ -1118,7 +1058,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
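Review bot: Success and failure of the same mailbox removal now go out under different event types: the `delete-mail-file` failure records keep AUDIT_DEL_USER while the success record a few lines later is AUDIT_USER_MGMT, so `ausearch -m USER_MGMT` shows only the successes and an analyst has to know to look in DEL_USER for the failures. If that split is intentional (a failed mailbox removal being reported as a failed userdel) it deserves a one-line comment above the failure calls; otherwise use AUDIT_USER_MGMT for both. Separately, the lock/open failure paths of open_files() are left with only the fprintf() before fail_exit(), which is acceptable only if fail_exit() itself emits the generic `delete-user` failure record shown earlier in this patch — that function is not visible here, so please confirm every E_*_UPDATE exit reaches it and that a failed userdel never goes unaudited. open_files() and remove_mailbox() both start before this hunk.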
@@ -1979,7 +1743,7 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1194,7 +1122,7 @@ int main (int argc, char **argv) +@@ -1174,7 +1114,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1988,7 +1752,7 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1288,8 +1216,8 @@ int main (int argc, char **argv) +@@ -1268,8 +1208,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -1996,10 +1760,10 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c - "deleting home directory", + audit_logger (AUDIT_USER_MGMT, Prog, + "deleting-home-directory", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_SUCCESS); + user_name, user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1298,7 +1226,7 @@ int main (int argc, char **argv) + #endif /* WITH_AUDIT */ +@@ -1277,7 +1217,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, @@ -2008,7 +1772,7 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1311,8 +1239,8 @@ int main (int argc, char **argv) +@@ -1290,8 +1230,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT 
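Review bot: `deleting-home-directory` is the only op string in the patch that spells out `directory`; the useradd and usermod counterparts are `add-home-dir`, `moving-home-dir` and `changing-home-dir`, so anyone correlating home-directory events across the three tools has to match two spellings of the same noun. `"delete-home-dir"` keeps both the noun and the imperative verb consistent with `add-home-dir` and `delete-user`. The enclosing `else` block belongs to userdel's main(), which lies outside the hunk.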
@@ -2016,66 +1780,61 @@ diff -up shadow-4.11.1/src/userdel.c.audit-update shadow-4.11.1/src/userdel.c - "removing SELinux user mapping", + audit_logger (AUDIT_ROLE_REMOVE, Prog, + "delete-selinux-user-mapping", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c ---- shadow-4.11.1/src/usermod.c.audit-update 2022-01-03 14:57:01.776006769 +0100 -+++ shadow-4.11.1/src/usermod.c 2022-01-03 15:28:16.959101706 +0100 -@@ -417,8 +417,8 @@ static char *new_pw_passwd (char *pw_pas + fail_exit (E_SE_UPDATE); +diff -up shadow-4.14.0/src/usermod.c.audit-update shadow-4.14.0/src/usermod.c +--- shadow-4.14.0/src/usermod.c.audit-update 2023-07-30 12:38:39.000000000 +0200 ++++ shadow-4.14.0/src/usermod.c 2023-08-04 10:33:04.601749324 +0200 +@@ -427,7 +427,7 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "updating passwd", -- user_newname, (unsigned int) user_newid, 0); -+ "updating-password", -+ user_newname, (unsigned int) user_newid, 1); +- "updating passwd", user_newname, user_newid, 0); ++ "updating-passwd", user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -437,8 +437,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -444,14 +444,14 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "updating password", -- user_newname, (unsigned int) user_newid, 0); -+ "updating-password", -+ user_newname, (unsigned int) user_newid, 1); +- "updating password", user_newname, user_newid, 0); ++ "updating-password", user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); - s = pw_pass; -@@ -449,7 +449,7 @@ static char *new_pw_passwd (char *pw_pas + memmove(pw_pass, pw_pass + 1, strlen(pw_pass)); } else if (pflg) 
{ #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "changing password", -+ "updating-password", - user_newname, (unsigned int) user_newid, 1); +- "changing password", user_newname, user_newid, 1); ++ "updating-password", user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -478,8 +478,8 @@ static void new_pwent (struct passwd *pw + pw_pass = xstrdup (user_pass); +@@ -479,8 +479,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "changing name", +- "changing name", user_newname, user_newid, 1); + audit_logger (AUDIT_USER_MGMT, Prog, -+ "changing-name", - user_newname, (unsigned int) user_newid, 1); ++ "changing-name", user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, + "change user name '%s' to '%s'", @@ -499,8 +499,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "changing uid", +- "changing uid", user_newname, user_newid, 1); + audit_logger (AUDIT_USER_MGMT, Prog, -+ "changing-uid", - user_newname, (unsigned int) user_newid, 1); ++ "changing-uid", user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -510,8 +510,8 @@ static void new_pwent (struct passwd *pw + "change user '%s' UID from '%d' to '%d'", +@@ -509,8 +509,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT 
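Review bot: The lock branch of new_pw_passwd() now logs `updating-passwd` while the unlock and `-p` branches in the same function log `updating-password`, so the three records differ by a typo-sized spelling that nobody will search for and a rule matching `op=updating-password` silently misses every lock. Either use one key for all three, or — more useful for detection, since the three syslog messages in the same branches already distinguish lock, unlock and change — use `"locking-password"`, `"unlocking-password"` and `"updating-password"`. The change of the lock record's result from 0 to 1 is presumably intentional (the lock has succeeded at that point) but the old value looks like it was a bug fix worth one line in the patch description. new_pw_passwd() begins before the hunk.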
@@ -2083,21 +1842,20 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing primary group", + audit_logger (AUDIT_USER_MGMT, Prog, + "changing-primary-group", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -521,8 +521,8 @@ static void new_pwent (struct passwd *pw +@@ -520,16 +520,16 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "changing comment", +- "changing comment", user_newname, user_newid, 1); + audit_logger (AUDIT_USER_MGMT, Prog, -+ "changing-comment", - user_newname, (unsigned int) user_newid, 1); ++ "changing-comment", user_newname, user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -530,8 +530,8 @@ static void new_pwent (struct passwd *pw + } if (dflg) { #ifdef WITH_AUDIT @@ -2105,10 +1863,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing home directory", + audit_logger (AUDIT_USER_MGMT, Prog, + "changing-home-dir", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -547,8 +547,8 @@ static void new_pwent (struct passwd *pw +@@ -545,8 +545,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT @@ -2116,10 +1874,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing user shell", + audit_logger (AUDIT_USER_MGMT, Prog, + "changing-shell", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -578,8 +578,8 @@ static void new_spent (struct spwd *spen +@@ -576,8 +576,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT 
@@ -2127,10 +1885,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing inactive days", + audit_logger (AUDIT_USER_MGMT, Prog, + "changing-inactive-days", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -593,8 +593,8 @@ static void new_spent (struct spwd *spen +@@ -591,8 +591,8 @@ static void new_spent (struct spwd *spen date_to_str (sizeof(new_exp), new_exp, user_newexpire * DAY); date_to_str (sizeof(old_exp), old_exp, user_expire * DAY); #ifdef WITH_AUDIT @@ -2138,10 +1896,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing expiration date", + audit_logger (AUDIT_USER_MGMT, Prog, + "changing-expiration-date", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -677,9 +677,9 @@ static /*@noreturn@*/void fail_exit (int +@@ -677,9 +677,9 @@ fail_exit (int code) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT @@ -2256,7 +2014,7 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1817,8 +1828,8 @@ static void move_home (void) +@@ -1830,8 +1841,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2264,10 +2022,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing home directory owner", + audit_logger (AUDIT_USER_MGMT, Prog, + "updating-home-dir-owner", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); } #endif -@@ -1836,8 +1847,8 @@ static void move_home (void) +@@ -1849,8 +1860,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT 
@@ -2275,10 +2033,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "moving home directory", + audit_logger (AUDIT_USER_MGMT, Prog, + "moving-home-dir", - user_newname, (unsigned int) user_newid, - 1); + user_newname, user_newid, 1); #endif -@@ -1865,9 +1876,9 @@ static void move_home (void) + return; +@@ -1877,9 +1888,9 @@ static void move_home (void) Prog, prefix_user_home); } #ifdef WITH_AUDIT @@ -2288,9 +2046,9 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "moving home directory", + "moving-home-dir", user_newname, - (unsigned int) user_newid, + user_newid, 1); -@@ -2085,8 +2096,8 @@ static void move_mailbox (void) +@@ -2100,8 +2111,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2298,10 +2056,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing mail file owner", + audit_logger (AUDIT_USER_MGMT, Prog, + "updating-mail-file-owner", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); } #endif -@@ -2112,8 +2123,8 @@ static void move_mailbox (void) +@@ -2129,8 +2140,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2309,10 +2067,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing mail file name", + audit_logger (AUDIT_USER_MGMT, Prog, + "updating-mail-file-name", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); } - #endif -@@ -2310,8 +2321,8 @@ int main (int argc, char **argv) + +@@ -2331,8 +2342,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT 
@@ -2320,10 +2078,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "modifying User mapping ", + audit_logger (AUDIT_ROLE_ASSIGN, Prog, + "changing-selinux-user-mapping ", - user_name, (unsigned int) user_id, + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2323,8 +2334,8 @@ int main (int argc, char **argv) +@@ -2344,8 +2355,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2331,10 +2089,10 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "removing SELinux user mapping", + audit_logger (AUDIT_ROLE_REMOVE, Prog, + "delete-selinux-user-mapping", - user_name, (unsigned int) user_id, + user_name, user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2365,8 +2376,8 @@ int main (int argc, char **argv) +@@ -2388,8 +2399,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2342,6 +2100,6 @@ diff -up shadow-4.11.1/src/usermod.c.audit-update shadow-4.11.1/src/usermod.c - "changing home directory owner", + audit_logger (AUDIT_USER_MGMT, Prog, + "updating-home-dir-owner", - user_newname, (unsigned int) user_newid, 1); + user_newname, user_newid, 1); } #endif diff --git a/shadow-4.9-manfix.patch b/shadow-4.14.0-manfix.patch similarity index 99% rename from shadow-4.9-manfix.patch rename to shadow-4.14.0-manfix.patch index 46cba1a..70f030e 100644 --- a/shadow-4.9-manfix.patch +++ b/shadow-4.14.0-manfix.patch @@ -19,7 +19,7 @@ diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xm - - $ groupadd -r groups - $ chmod 2710 groupmems -- $ chown root.groups groupmems +- $ chown root:groups groupmems - $ groupmems -g groups -a gk4 - diff --git a/shadow-4.5-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch deleted file mode 100644 index e2d70b5..0000000 --- a/shadow-4.5-usermod-unlock.patch +++ /dev/null 
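Review bot: The new op string `"changing-selinux-user-mapping "` carries the trailing space over from the old `"modifying User mapping "`, so the value libaudit writes for `op=` ends in a blank (or a double space before the next field, depending on how the op field is formatted) and an exact match on `op=changing-selinux-user-mapping` fails. Drop the space: `"changing-selinux-user-mapping",`. The useradd and userdel counterparts in this patch, `add-selinux-user-mapping` and `delete-selinux-user-mapping`, have no such space, so this is also the one record of the three that does not match its siblings.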
@@ -1,64 +0,0 @@ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas - strcat (buf, pw_pass); - pw_pass = buf; - } else if (Uflg && pw_pass[0] == '!') { -- char *s; -+ char *s = pw_pass; - -- if (pw_pass[1] == '\0') { -+ while ('!' == *s) -+ ++s; -+ -+ if (*s == '\0') { - fprintf (stderr, - _("%s: unlocking the user's password would result in a passwordless account.\n" - "You should set a password with usermod -p to unlock this user's password.\n"), - Prog); -- return pw_pass; -+ return NULL; - } - - #ifdef WITH_AUDIT -@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas - user_newname, (unsigned int) user_newid, 1); - #endif - SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); -- s = pw_pass; -- while ('\0' != *s) { -- *s = *(s + 1); -- s++; -- } -+ memmove (pw_pass, s, strlen (s) + 1); - } else if (pflg) { -+ if (strchr (user_pass, ':') != NULL) { -+ fprintf (stderr, -+ _("%s: The password field cannot contain a colon character.\n"), -+ Prog); -+ return NULL; -+ -+ } - #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "updating-password", -@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw - if ( (!is_shadow_pwd) - || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) { - pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd); -+ if (pwent->pw_passwd == NULL) -+ fail_exit (E_PW_UPDATE); - } - - if (uflg) { -@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen - * + aging has been requested - */ - spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp); -+ if (spent->sp_pwdp == NULL) -+ fail_exit(E_PW_UPDATE); - - if (pflg) { - spent->sp_lstchg = (long) gettime () / SCALE; diff --git a/shadow-utils.spec b/shadow-utils.spec index 8ee19af..74f4ec6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.13 -Release: 8%{?dist} +Version: 4.14.0 +Release: 1%{?dist} Epoch: 2 License: BSD-3-Clause AND GPL-2.0-or-later URL: https://github.com/shadow-maint/shadow @@ -17,27 +17,12 @@ Source6: shadow-utils.HOME_MODE.xml %global includesubiddir %{_includedir}/shadow ### Patches ### -# Misc small changes - most probably non-upstreamable -Patch0: shadow-4.12.3-redhat.patch -# SElinux related - upstreamability unknown -Patch1: shadow-4.13-default-range.patch # Misc manual page changes - non-upstreamable -Patch2: shadow-4.9-manfix.patch +Patch0: shadow-4.14.0-manfix.patch # Date parsing improvement - could be upstreamed -Patch3: shadow-4.2.1-date-parsing.patch +Patch1: shadow-4.2.1-date-parsing.patch # Audit message changes - partially upstreamed -# https://github.com/shadow-maint/shadow/commit/37412f505ed0bc5c9e3f04b2266b40f8f6fc310f -Patch4: shadow-4.11.1-audit-update.patch -# Changes related to password unlocking - could be upstreamed -Patch5: shadow-4.5-usermod-unlock.patch -# Additional SElinux related changes - upstreamability unknown -Patch6: shadow-4.12.3-selinux-perms.patch -# https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef -Patch7: shadow-utils-configure-gshadow.patch -# https://github.com/shadow-maint/shadow/commit/6974df39a708abf8bafbdfa2b7827e0f70f874cb -# https://github.com/shadow-maint/shadow/commit/7ff33fae6f9cd79c0e012671c37a172e9a681d0b -# https://github.com/shadow-maint/shadow/commit/05e2adf509ba0e3779dae66a276b86927a8e1e0e -Patch8: shadow-4.13-newidmap-support-passing-pid-as-fd.patch +Patch2: shadow-4.14.0-audit-update.patch ### Dependencies ### Requires: audit-libs >= 1.6.5 
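Review bot: Four downstream patches are dropped without an upstream reference — redhat, default-range, usermod-unlock and selinux-perms — and the comments being removed say only "could be upstreamed" or "upstreamability unknown", so nothing in the spec records whether 4.14.0 actually carries them (Patch7 and Patch8 are different: their comments already cite the upstream commits). usermod-unlock is the security-relevant one: the deleted file shows it rejecting a `-p` value containing `:` (which would corrupt the colon-delimited shadow entry) and refusing `-U` when the field is nothing but `!` characters, and the 4.14.0 context visible in the audit patch (`memmove(pw_pass, pw_pass + 1, strlen(pw_pass));`) suggests at least the multi-`!` handling is not upstream. Please either rebase those patches onto 4.14.0 or replace each dropped entry with a comment citing the upstream commit that supersedes it, e.g. `# usermod-unlock: superseded upstream by <commit>`.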
@@ -129,10 +114,13 @@ autoreconf --with-bcrypt \ --with-yescrypt \ --with-selinux \ + --without-libbsd \ --without-libcrack \ --without-libpam \ --enable-shared \ - --with-group-name-max-length=32 + --with-group-name-max-length=32 \ + --enable-lastlog \ + --enable-logind=no %make_build %install @@ -273,6 +261,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a %{_libdir}/libsubid.so %changelog +* Wed Aug 16 2023 Iker Pedrosa - 2:4.14.0-1 +- Rebase to version 4.14.0. Resolves: #2229000 + * Sat Jul 22 2023 Fedora Release Engineering - 2:4.13-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/sources b/sources index 40bac31..1ec1caa 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (shadow-4.13.tar.xz) = 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e -SHA512 (shadow-4.13.tar.xz.asc) = f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648 +SHA512 (shadow-4.14.0.tar.xz) = ff960481d576f9db5a9f10becc4e1a74c03de484ecfdcd7f1ea735fded683d7ba0f9cd895dc6a431b77e5a633752273178b1bcda4cefaa5adbf0f143c9a0c86f +SHA512 (shadow-4.14.0.tar.xz.asc) = d011a732d73b4b066ca8d204c0420303f925c87efc7655feb5c5f60b619d67da450e220ee44f6c86929ae79cbd4343136fe9c20d25b39fa0a228a48e57636309
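Review bot: The changelog entry says only "Rebase to version 4.14.0" although the same commit removes four downstream patches without an upstream reference and changes the build configuration (`--without-libbsd`, `--enable-lastlog`, `--enable-logind=no`), so `rpm -q --changelog` gives an auditor no hint that behaviour of the installed tools may have changed. Add one line per dropped patch and one for the build options, e.g. `- Drop redhat, default-range, usermod-unlock and selinux-perms patches (<reason or upstream commit>)` and `- Build with --without-libbsd, --enable-lastlog and --enable-logind=no`. If I read the 4.14 configure options right, `--enable-logind=no` keeps lastlog rather than logind as the last-login source, which is a deliberate choice worth a comment next to the flag in the %build section.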