rpms/shadow-utils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to version 4.14.0

Browse Source 
Resolves: #2229000

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This commit is contained in:
Iker Pedrosa 2023-08-16 10:55:53 +02:00
parent 5cab3439c8
commit 799aaaa508
9 changed files with 381 additions and 1007 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -22,3 +22,5 @@ shadow-4.1.4.2.tar.bz2
/shadow-4.12.3.tar.xz.asc
/shadow-4.13.tar.xz
/shadow-4.13.tar.xz.asc
/shadow-4.14.0.tar.xz
/shadow-4.14.0.tar.xz.asc

38
shadow-4.12.3-redhat.patch
View File

@ -1,38 +0,0 @@
diff -up shadow-4.12.3/src/useradd.c.redhat shadow-4.12.3/src/useradd.c
--- shadow-4.12.3/src/useradd.c.redhat 2022-08-06 18:22:45.000000000 +0200
+++ shadow-4.12.3/src/useradd.c 2022-08-22 15:57:19.034664441 +0200
@@ -82,7 +82,7 @@ const char *Prog;
static gid_t def_group = 1000;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "/bin/bash";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "yes";
static const char *def_log_init = "yes";
@@ -93,7 +93,7 @@ static const char *def_expire = "";
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
-static const char *user_pass = "!";
+static const char *user_pass = "!!";
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -1227,7 +1227,7 @@ static void process_flags (int argc, cha
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U"
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U"
#ifdef WITH_SELINUX
"Z:"
#endif /* WITH_SELINUX */
@@ -1395,6 +1395,7 @@ static void process_flags (int argc, cha
case 'M':
Mflg = true;
break;
+ case 'n':
case 'N':
Nflg = true;
break;

240
shadow-4.12.3-selinux-perms.patch
View File

@ -1,240 +0,0 @@
diff -up shadow-4.12.3/src/chgpasswd.c.selinux-perms shadow-4.12.3/src/chgpasswd.c
--- shadow-4.12.3/src/chgpasswd.c.selinux-perms 2022-06-19 16:16:48.000000000 +0200
+++ shadow-4.12.3/src/chgpasswd.c 2022-08-22 16:09:02.006970030 +0200
@@ -16,6 +16,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
@@ -61,6 +68,9 @@ static bool sgr_locked = false;
#endif
static bool gr_locked = false;
+/* The name of the caller */
+static char *myname = NULL;
+
/* local function prototypes */
static void fail_exit (int code);
static /*@noreturn@*/void usage (int status);
@@ -318,6 +328,63 @@ static void check_perms (void)
#endif /* ACCT_TOOLS_SETUID */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the group databases
*/
@@ -411,6 +478,7 @@ int main (int argc, char **argv)
const struct group *gr;
struct group newgr;
+ struct passwd *pw = NULL;
int errors = 0;
int line = 0;
@@ -422,12 +490,37 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
process_root_flag ("-R", argc, argv);
process_flags (argc, argv);
OPENLOG ("chgpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
+ /*
+ * Determine the name of the user that invoked this command. This
+ * is really hit or miss because there are so many ways that command
+ * can be executed and so many ways to trip up the routines that
+ * report the user name.
+ */
+ pw = get_my_pwent ();
+ if (NULL == pw) {
+ fprintf (stderr, _("%s: Cannot determine your user name.\n"),
+ Prog);
+ SYSLOG ((LOG_WARN,
+ "Cannot determine the user name of the caller (UID %lu)",
+ (unsigned long) getuid ()));
+ exit (E_NOPERM);
+ }
+ myname = xstrdup (pw->pw_name);
+
check_perms ();
#ifdef SHADOWGRP
diff -up shadow-4.12.3/src/chpasswd.c.selinux-perms shadow-4.12.3/src/chpasswd.c
--- shadow-4.12.3/src/chpasswd.c.selinux-perms 2022-06-19 16:16:48.000000000 +0200
+++ shadow-4.12.3/src/chpasswd.c 2022-08-22 16:10:56.702835681 +0200
@@ -16,6 +16,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
@@ -318,6 +325,63 @@ static void check_perms (void)
#endif /* USE_PAM */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the password databases
*/
@@ -450,6 +514,10 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
process_flags (argc, argv);
salt = get_salt();
@@ -463,6 +531,10 @@ int main (int argc, char **argv)
OPENLOG ("chpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
check_perms ();
#ifdef USE_PAM

35
shadow-4.13-default-range.patch
View File

@ -1,35 +0,0 @@
diff -up shadow-4.13/lib/semanage.c.default-range shadow-4.13/lib/semanage.c
--- shadow-4.13/lib/semanage.c.default-range 2022-11-09 09:37:11.955314964 +0100
+++ shadow-4.13/lib/semanage.c 2022-11-09 09:47:59.130645564 +0100
@@ -122,6 +122,7 @@ static int semanage_user_mod (semanage_h
goto done;
}
+#if 0
if (semanage_mls_enabled(handle)) {
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
@@ -131,6 +132,7 @@ static int semanage_user_mod (semanage_h
goto done;
}
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {
@@ -181,6 +183,7 @@ static int semanage_user_add (semanage_h
goto done;
}
+#if 0
if (semanage_mls_enabled(handle)) {
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
@@ -190,6 +193,7 @@ static int semanage_user_add (semanage_h
goto done;
}
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {

946
shadow-4.11.1-audit-update.patch → shadow-4.14.0-audit-update.patch
View File

File diff suppressed because it is too large Load Diff

2
shadow-4.9-manfix.patch → shadow-4.14.0-manfix.patch
View File

@ -19,7 +19,7 @@ diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xm
- <programlisting>
- $ groupadd -r groups
- $ chmod 2710 groupmems
- $ chown root.groups groupmems
- $ chown root:groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>

64
shadow-4.5-usermod-unlock.patch
View File

@ -1,64 +0,0 @@
Index: shadow-4.5/src/usermod.c
===================================================================
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
strcat (buf, pw_pass);
pw_pass = buf;
} else if (Uflg && pw_pass[0] == '!') {
- char *s;
+ char *s = pw_pass;
- if (pw_pass[1] == '\0') {
+ while ('!' == *s)
+ ++s;
+
+ if (*s == '\0') {
fprintf (stderr,
_("%s: unlocking the user's password would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user's password.\n"),
Prog);
- return pw_pass;
+ return NULL;
}
#ifdef WITH_AUDIT
@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
user_newname, (unsigned int) user_newid, 1);
#endif
SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
- s = pw_pass;
- while ('\0' != *s) {
- *s = *(s + 1);
- s++;
- }
+ memmove (pw_pass, s, strlen (s) + 1);
} else if (pflg) {
+ if (strchr (user_pass, ':') != NULL) {
+ fprintf (stderr,
+ _("%s: The password field cannot contain a colon character.\n"),
+ Prog);
+ return NULL;
+
+ }
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"updating-password",
@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
if ( (!is_shadow_pwd)
|| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
+ if (pwent->pw_passwd == NULL)
+ fail_exit (E_PW_UPDATE);
}
if (uflg) {
@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
* + aging has been requested
*/
spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
+ if (spent->sp_pwdp == NULL)
+ fail_exit(E_PW_UPDATE);
if (pflg) {
spent->sp_lstchg = (long) gettime () / SCALE;

33
shadow-utils.spec
View File

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.13
Release: 8%{?dist}
Version: 4.14.0
Release: 1%{?dist}
Epoch: 2
License: BSD-3-Clause AND GPL-2.0-or-later
URL: https://github.com/shadow-maint/shadow
@ -17,27 +17,12 @@ Source6: shadow-utils.HOME_MODE.xml
%global includesubiddir %{_includedir}/shadow
### Patches ###
# Misc small changes - most probably non-upstreamable
Patch0: shadow-4.12.3-redhat.patch
# SElinux related - upstreamability unknown
Patch1: shadow-4.13-default-range.patch
# Misc manual page changes - non-upstreamable
Patch2: shadow-4.9-manfix.patch
Patch0: shadow-4.14.0-manfix.patch
# Date parsing improvement - could be upstreamed
Patch3: shadow-4.2.1-date-parsing.patch
Patch1: shadow-4.2.1-date-parsing.patch
# Audit message changes - partially upstreamed
# https://github.com/shadow-maint/shadow/commit/37412f505ed0bc5c9e3f04b2266b40f8f6fc310f
Patch4: shadow-4.11.1-audit-update.patch
# Changes related to password unlocking - could be upstreamed
Patch5: shadow-4.5-usermod-unlock.patch
# Additional SElinux related changes - upstreamability unknown
Patch6: shadow-4.12.3-selinux-perms.patch
# https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef
Patch7: shadow-utils-configure-gshadow.patch
# https://github.com/shadow-maint/shadow/commit/6974df39a708abf8bafbdfa2b7827e0f70f874cb
# https://github.com/shadow-maint/shadow/commit/7ff33fae6f9cd79c0e012671c37a172e9a681d0b
# https://github.com/shadow-maint/shadow/commit/05e2adf509ba0e3779dae66a276b86927a8e1e0e
Patch8: shadow-4.13-newidmap-support-passing-pid-as-fd.patch
Patch2: shadow-4.14.0-audit-update.patch
### Dependencies ###
Requires: audit-libs >= 1.6.5
@ -129,10 +114,13 @@ autoreconf
--with-bcrypt \
--with-yescrypt \
--with-selinux \
--without-libbsd \
--without-libcrack \
--without-libpam \
--enable-shared \
--with-group-name-max-length=32
--with-group-name-max-length=32 \
--enable-lastlog \
--enable-logind=no
%make_build
%install
@ -273,6 +261,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
%{_libdir}/libsubid.so
%changelog
* Wed Aug 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-1
- Rebase to version 4.14.0. Resolves: #2229000
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (shadow-4.13.tar.xz) = 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e
SHA512 (shadow-4.13.tar.xz.asc) = f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648
SHA512 (shadow-4.14.0.tar.xz) = ff960481d576f9db5a9f10becc4e1a74c03de484ecfdcd7f1ea735fded683d7ba0f9cd895dc6a431b77e5a633752273178b1bcda4cefaa5adbf0f143c9a0c86f
SHA512 (shadow-4.14.0.tar.xz.asc) = d011a732d73b4b066ca8d204c0420303f925c87efc7655feb5c5f60b619d67da450e220ee44f6c86929ae79cbd4343136fe9c20d25b39fa0a228a48e57636309