subordinateio: also compare the owner ID
Resolves: #2109410 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This commit is contained in:
Iker Pedrosa
parent
1fa6b1e5d5
commit
90daf3ba00
108
shadow-4.9-subordinateio-compare-owner-ID.patch
Normal file
108
shadow-4.9-subordinateio-compare-owner-ID.patch
Normal file
@ -0,0 +1,108 @@
|
||||
From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Wed, 13 Jul 2022 09:55:14 +0200
|
||||
Subject: [PATCH] subordinateio: also compare the owner ID
|
||||
|
||||
IDs already populate /etc/subuid and /etc/subgid files so it's necessary
|
||||
not only to check for the owner name but also for the owner ID of a
|
||||
given range.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 50 insertions(+)
|
||||
|
||||
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
|
||||
index 9ca70b8b..6bc45283 100644
|
||||
--- a/lib/subordinateio.c
|
||||
+++ b/lib/subordinateio.c
|
||||
@@ -17,6 +17,8 @@
|
||||
#include <ctype.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
+#define ID_SIZE 31
|
||||
+
|
||||
/*
|
||||
* subordinate_dup: create a duplicate range
|
||||
*
|
||||
@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
|
||||
return start == ULONG_MAX ? (gid_t) -1 : start;
|
||||
}
|
||||
|
||||
+static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
|
||||
+{
|
||||
+ struct passwd *pw;
|
||||
+ struct group *gr;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ switch (id_type) {
|
||||
+ case ID_TYPE_UID:
|
||||
+ pw = getpwnam(owner);
|
||||
+ if (pw == NULL) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
|
||||
+ if (ret < 0 || ret >= ID_SIZE) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ break;
|
||||
+ case ID_TYPE_GID:
|
||||
+ gr = getgrnam(owner);
|
||||
+ if (gr == NULL) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
|
||||
+ if (ret < 0 || ret >= ID_SIZE) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
|
||||
*
|
||||
@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
enum subid_status status;
|
||||
int count = 0;
|
||||
struct subid_nss_ops *h;
|
||||
+ char id[ID_SIZE];
|
||||
+ bool have_owner_id;
|
||||
|
||||
*in_ranges = NULL;
|
||||
|
||||
@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ have_owner_id = get_owner_id(owner, id_type, id);
|
||||
+
|
||||
commonio_rewind(db);
|
||||
while ((range = commonio_next(db)) != NULL) {
|
||||
if (0 == strcmp(range->owner, owner)) {
|
||||
@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ // Let's also compare with the ID
|
||||
+ if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
|
||||
+ if (!append_range(&ranges, range, count++)) {
|
||||
+ free(ranges);
|
||||
+ ranges = NULL;
|
||||
+ count = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
out:
|
||||
--
|
||||
2.36.1
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: Utilities for managing accounts and shadow password files
|
||||
Name: shadow-utils
|
||||
Version: 4.9
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Epoch: 2
|
||||
License: BSD and GPLv2+
|
||||
URL: https://github.com/shadow-maint/shadow
|
||||
@ -69,6 +69,8 @@ Patch23: shadow-4.9-getsubids.patch
|
||||
Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
|
||||
Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
|
||||
Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch
|
||||
|
||||
### Dependencies ###
|
||||
Requires: audit-libs >= 1.6.5
|
||||
@ -155,6 +157,7 @@ Development files for shadow-utils-subid.
|
||||
%patch23 -p1 -b .getsubids
|
||||
%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
|
||||
%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users
|
||||
%patch26 -p1 -b .subordinateio-compare-owner-ID
|
||||
|
||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||
@ -325,6 +328,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
%{_libdir}/libsubid.so
|
||||
|
||||
%changelog
|
||||
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
|
||||
- subordinateio: also compare the owner ID. Resolves: #2109410
|
||||
|
||||
* Fri Apr 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
|
||||
- useradd: modify check ID range for system users. Resolves: #2004911
|
||||
- Fix release sources
|
||||
|
||||
Loading…
Reference in New Issue
Block a user