import shadow-utils-4.6-8.el8
This commit is contained in:
commit
b1318795b0
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/shadow-4.6.tar.xz
|
1
.shadow-utils.metadata
Normal file
1
.shadow-utils.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
0b84eb1010fda5edca2a9d1733f9480200e02de6 SOURCES/shadow-4.6.tar.xz
|
339
SOURCES/gpl-2.0.txt
Normal file
339
SOURCES/gpl-2.0.txt
Normal file
@ -0,0 +1,339 @@
|
|||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 2, June 1991
|
||||||
|
|
||||||
|
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||||
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The licenses for most software are designed to take away your
|
||||||
|
freedom to share and change it. By contrast, the GNU General Public
|
||||||
|
License is intended to guarantee your freedom to share and change free
|
||||||
|
software--to make sure the software is free for all its users. This
|
||||||
|
General Public License applies to most of the Free Software
|
||||||
|
Foundation's software and to any other program whose authors commit to
|
||||||
|
using it. (Some other Free Software Foundation software is covered by
|
||||||
|
the GNU Lesser General Public License instead.) You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
this service if you wish), that you receive source code or can get it
|
||||||
|
if you want it, that you can change the software or use pieces of it
|
||||||
|
in new free programs; and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to make restrictions that forbid
|
||||||
|
anyone to deny you these rights or to ask you to surrender the rights.
|
||||||
|
These restrictions translate to certain responsibilities for you if you
|
||||||
|
distribute copies of the software, or if you modify it.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must give the recipients all the rights that
|
||||||
|
you have. You must make sure that they, too, receive or can get the
|
||||||
|
source code. And you must show them these terms so they know their
|
||||||
|
rights.
|
||||||
|
|
||||||
|
We protect your rights with two steps: (1) copyright the software, and
|
||||||
|
(2) offer you this license which gives you legal permission to copy,
|
||||||
|
distribute and/or modify the software.
|
||||||
|
|
||||||
|
Also, for each author's protection and ours, we want to make certain
|
||||||
|
that everyone understands that there is no warranty for this free
|
||||||
|
software. If the software is modified by someone else and passed on, we
|
||||||
|
want its recipients to know that what they have is not the original, so
|
||||||
|
that any problems introduced by others will not reflect on the original
|
||||||
|
authors' reputations.
|
||||||
|
|
||||||
|
Finally, any free program is threatened constantly by software
|
||||||
|
patents. We wish to avoid the danger that redistributors of a free
|
||||||
|
program will individually obtain patent licenses, in effect making the
|
||||||
|
program proprietary. To prevent this, we have made it clear that any
|
||||||
|
patent must be licensed for everyone's free use or not licensed at all.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
|
0. This License applies to any program or other work which contains
|
||||||
|
a notice placed by the copyright holder saying it may be distributed
|
||||||
|
under the terms of this General Public License. The "Program", below,
|
||||||
|
refers to any such program or work, and a "work based on the Program"
|
||||||
|
means either the Program or any derivative work under copyright law:
|
||||||
|
that is to say, a work containing the Program or a portion of it,
|
||||||
|
either verbatim or with modifications and/or translated into another
|
||||||
|
language. (Hereinafter, translation is included without limitation in
|
||||||
|
the term "modification".) Each licensee is addressed as "you".
|
||||||
|
|
||||||
|
Activities other than copying, distribution and modification are not
|
||||||
|
covered by this License; they are outside its scope. The act of
|
||||||
|
running the Program is not restricted, and the output from the Program
|
||||||
|
is covered only if its contents constitute a work based on the
|
||||||
|
Program (independent of having been made by running the Program).
|
||||||
|
Whether that is true depends on what the Program does.
|
||||||
|
|
||||||
|
1. You may copy and distribute verbatim copies of the Program's
|
||||||
|
source code as you receive it, in any medium, provided that you
|
||||||
|
conspicuously and appropriately publish on each copy an appropriate
|
||||||
|
copyright notice and disclaimer of warranty; keep intact all the
|
||||||
|
notices that refer to this License and to the absence of any warranty;
|
||||||
|
and give any other recipients of the Program a copy of this License
|
||||||
|
along with the Program.
|
||||||
|
|
||||||
|
You may charge a fee for the physical act of transferring a copy, and
|
||||||
|
you may at your option offer warranty protection in exchange for a fee.
|
||||||
|
|
||||||
|
2. You may modify your copy or copies of the Program or any portion
|
||||||
|
of it, thus forming a work based on the Program, and copy and
|
||||||
|
distribute such modifications or work under the terms of Section 1
|
||||||
|
above, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) You must cause the modified files to carry prominent notices
|
||||||
|
stating that you changed the files and the date of any change.
|
||||||
|
|
||||||
|
b) You must cause any work that you distribute or publish, that in
|
||||||
|
whole or in part contains or is derived from the Program or any
|
||||||
|
part thereof, to be licensed as a whole at no charge to all third
|
||||||
|
parties under the terms of this License.
|
||||||
|
|
||||||
|
c) If the modified program normally reads commands interactively
|
||||||
|
when run, you must cause it, when started running for such
|
||||||
|
interactive use in the most ordinary way, to print or display an
|
||||||
|
announcement including an appropriate copyright notice and a
|
||||||
|
notice that there is no warranty (or else, saying that you provide
|
||||||
|
a warranty) and that users may redistribute the program under
|
||||||
|
these conditions, and telling the user how to view a copy of this
|
||||||
|
License. (Exception: if the Program itself is interactive but
|
||||||
|
does not normally print such an announcement, your work based on
|
||||||
|
the Program is not required to print an announcement.)
|
||||||
|
|
||||||
|
These requirements apply to the modified work as a whole. If
|
||||||
|
identifiable sections of that work are not derived from the Program,
|
||||||
|
and can be reasonably considered independent and separate works in
|
||||||
|
themselves, then this License, and its terms, do not apply to those
|
||||||
|
sections when you distribute them as separate works. But when you
|
||||||
|
distribute the same sections as part of a whole which is a work based
|
||||||
|
on the Program, the distribution of the whole must be on the terms of
|
||||||
|
this License, whose permissions for other licensees extend to the
|
||||||
|
entire whole, and thus to each and every part regardless of who wrote it.
|
||||||
|
|
||||||
|
Thus, it is not the intent of this section to claim rights or contest
|
||||||
|
your rights to work written entirely by you; rather, the intent is to
|
||||||
|
exercise the right to control the distribution of derivative or
|
||||||
|
collective works based on the Program.
|
||||||
|
|
||||||
|
In addition, mere aggregation of another work not based on the Program
|
||||||
|
with the Program (or with a work based on the Program) on a volume of
|
||||||
|
a storage or distribution medium does not bring the other work under
|
||||||
|
the scope of this License.
|
||||||
|
|
||||||
|
3. You may copy and distribute the Program (or a work based on it,
|
||||||
|
under Section 2) in object code or executable form under the terms of
|
||||||
|
Sections 1 and 2 above provided that you also do one of the following:
|
||||||
|
|
||||||
|
a) Accompany it with the complete corresponding machine-readable
|
||||||
|
source code, which must be distributed under the terms of Sections
|
||||||
|
1 and 2 above on a medium customarily used for software interchange; or,
|
||||||
|
|
||||||
|
b) Accompany it with a written offer, valid for at least three
|
||||||
|
years, to give any third party, for a charge no more than your
|
||||||
|
cost of physically performing source distribution, a complete
|
||||||
|
machine-readable copy of the corresponding source code, to be
|
||||||
|
distributed under the terms of Sections 1 and 2 above on a medium
|
||||||
|
customarily used for software interchange; or,
|
||||||
|
|
||||||
|
c) Accompany it with the information you received as to the offer
|
||||||
|
to distribute corresponding source code. (This alternative is
|
||||||
|
allowed only for noncommercial distribution and only if you
|
||||||
|
received the program in object code or executable form with such
|
||||||
|
an offer, in accord with Subsection b above.)
|
||||||
|
|
||||||
|
The source code for a work means the preferred form of the work for
|
||||||
|
making modifications to it. For an executable work, complete source
|
||||||
|
code means all the source code for all modules it contains, plus any
|
||||||
|
associated interface definition files, plus the scripts used to
|
||||||
|
control compilation and installation of the executable. However, as a
|
||||||
|
special exception, the source code distributed need not include
|
||||||
|
anything that is normally distributed (in either source or binary
|
||||||
|
form) with the major components (compiler, kernel, and so on) of the
|
||||||
|
operating system on which the executable runs, unless that component
|
||||||
|
itself accompanies the executable.
|
||||||
|
|
||||||
|
If distribution of executable or object code is made by offering
|
||||||
|
access to copy from a designated place, then offering equivalent
|
||||||
|
access to copy the source code from the same place counts as
|
||||||
|
distribution of the source code, even though third parties are not
|
||||||
|
compelled to copy the source along with the object code.
|
||||||
|
|
||||||
|
4. You may not copy, modify, sublicense, or distribute the Program
|
||||||
|
except as expressly provided under this License. Any attempt
|
||||||
|
otherwise to copy, modify, sublicense or distribute the Program is
|
||||||
|
void, and will automatically terminate your rights under this License.
|
||||||
|
However, parties who have received copies, or rights, from you under
|
||||||
|
this License will not have their licenses terminated so long as such
|
||||||
|
parties remain in full compliance.
|
||||||
|
|
||||||
|
5. You are not required to accept this License, since you have not
|
||||||
|
signed it. However, nothing else grants you permission to modify or
|
||||||
|
distribute the Program or its derivative works. These actions are
|
||||||
|
prohibited by law if you do not accept this License. Therefore, by
|
||||||
|
modifying or distributing the Program (or any work based on the
|
||||||
|
Program), you indicate your acceptance of this License to do so, and
|
||||||
|
all its terms and conditions for copying, distributing or modifying
|
||||||
|
the Program or works based on it.
|
||||||
|
|
||||||
|
6. Each time you redistribute the Program (or any work based on the
|
||||||
|
Program), the recipient automatically receives a license from the
|
||||||
|
original licensor to copy, distribute or modify the Program subject to
|
||||||
|
these terms and conditions. You may not impose any further
|
||||||
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
|
You are not responsible for enforcing compliance by third parties to
|
||||||
|
this License.
|
||||||
|
|
||||||
|
7. If, as a consequence of a court judgment or allegation of patent
|
||||||
|
infringement or for any other reason (not limited to patent issues),
|
||||||
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot
|
||||||
|
distribute so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you
|
||||||
|
may not distribute the Program at all. For example, if a patent
|
||||||
|
license would not permit royalty-free redistribution of the Program by
|
||||||
|
all those who receive copies directly or indirectly through you, then
|
||||||
|
the only way you could satisfy both it and this License would be to
|
||||||
|
refrain entirely from distribution of the Program.
|
||||||
|
|
||||||
|
If any portion of this section is held invalid or unenforceable under
|
||||||
|
any particular circumstance, the balance of the section is intended to
|
||||||
|
apply and the section as a whole is intended to apply in other
|
||||||
|
circumstances.
|
||||||
|
|
||||||
|
It is not the purpose of this section to induce you to infringe any
|
||||||
|
patents or other property right claims or to contest validity of any
|
||||||
|
such claims; this section has the sole purpose of protecting the
|
||||||
|
integrity of the free software distribution system, which is
|
||||||
|
implemented by public license practices. Many people have made
|
||||||
|
generous contributions to the wide range of software distributed
|
||||||
|
through that system in reliance on consistent application of that
|
||||||
|
system; it is up to the author/donor to decide if he or she is willing
|
||||||
|
to distribute software through any other system and a licensee cannot
|
||||||
|
impose that choice.
|
||||||
|
|
||||||
|
This section is intended to make thoroughly clear what is believed to
|
||||||
|
be a consequence of the rest of this License.
|
||||||
|
|
||||||
|
8. If the distribution and/or use of the Program is restricted in
|
||||||
|
certain countries either by patents or by copyrighted interfaces, the
|
||||||
|
original copyright holder who places the Program under this License
|
||||||
|
may add an explicit geographical distribution limitation excluding
|
||||||
|
those countries, so that distribution is permitted only in or among
|
||||||
|
countries not thus excluded. In such case, this License incorporates
|
||||||
|
the limitation as if written in the body of this License.
|
||||||
|
|
||||||
|
9. The Free Software Foundation may publish revised and/or new versions
|
||||||
|
of the General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the Program
|
||||||
|
specifies a version number of this License which applies to it and "any
|
||||||
|
later version", you have the option of following the terms and conditions
|
||||||
|
either of that version or of any later version published by the Free
|
||||||
|
Software Foundation. If the Program does not specify a version number of
|
||||||
|
this License, you may choose any version ever published by the Free Software
|
||||||
|
Foundation.
|
||||||
|
|
||||||
|
10. If you wish to incorporate parts of the Program into other free
|
||||||
|
programs whose distribution conditions are different, write to the author
|
||||||
|
to ask for permission. For software which is copyrighted by the Free
|
||||||
|
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||||
|
make exceptions for this. Our decision will be guided by the two goals
|
||||||
|
of preserving the free status of all derivatives of our free software and
|
||||||
|
of promoting the sharing and reuse of software generally.
|
||||||
|
|
||||||
|
NO WARRANTY
|
||||||
|
|
||||||
|
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||||
|
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||||
|
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||||
|
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||||
|
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||||
|
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||||
|
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||||
|
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||||
|
REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||||
|
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||||
|
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||||
|
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||||
|
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||||
|
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||||
|
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||||
|
POSSIBILITY OF SUCH DAMAGES.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
convey the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) <year> <name of author>
|
||||||
|
|
||||||
|
This program is free software; you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation; either version 2 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License along
|
||||||
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||||
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If the program is interactive, make it output a short notice like this
|
||||||
|
when it starts in an interactive mode:
|
||||||
|
|
||||||
|
Gnomovision version 69, Copyright (C) year name of author
|
||||||
|
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||||
|
This is free software, and you are welcome to redistribute it
|
||||||
|
under certain conditions; type `show c' for details.
|
||||||
|
|
||||||
|
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||||
|
parts of the General Public License. Of course, the commands you use may
|
||||||
|
be called something other than `show w' and `show c'; they could even be
|
||||||
|
mouse-clicks or menu items--whatever suits your program.
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or your
|
||||||
|
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||||
|
necessary. Here is a sample; alter the names:
|
||||||
|
|
||||||
|
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||||
|
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||||
|
|
||||||
|
<signature of Ty Coon>, 1 April 1989
|
||||||
|
Ty Coon, President of Vice
|
||||||
|
|
||||||
|
This General Public License does not permit incorporating your program into
|
||||||
|
proprietary programs. If your program is a subroutine library, you may
|
||||||
|
consider it more useful to permit linking proprietary applications with the
|
||||||
|
library. If this is what you want to do, use the GNU Lesser General
|
||||||
|
Public License instead of this License.
|
36
SOURCES/shadow-4.1.5.1-default-range.patch
Normal file
36
SOURCES/shadow-4.1.5.1-default-range.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
Index: shadow-4.5/lib/semanage.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/lib/semanage.c
|
||||||
|
+++ shadow-4.5/lib/semanage.c
|
||||||
|
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
||||||
|
if (ret != 0) {
|
||||||
|
fprintf (stderr,
|
||||||
|
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
|
||||||
|
ret = 1;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
|
||||||
|
if (ret != 0) {
|
||||||
|
@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
||||||
|
if (ret != 0) {
|
||||||
|
fprintf (stderr,
|
||||||
|
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
|
||||||
|
ret = 1;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
|
||||||
|
if (ret != 0) {
|
21
SOURCES/shadow-4.1.5.1-info-parent-dir.patch
Normal file
21
SOURCES/shadow-4.1.5.1-info-parent-dir.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
Index: shadow-4.5/man/newusers.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/newusers.8.xml
|
||||||
|
+++ shadow-4.5/man/newusers.8.xml
|
||||||
|
@@ -218,7 +218,15 @@
|
||||||
|
<para>
|
||||||
|
If this field does not specify an existing directory, the
|
||||||
|
specified directory is created, with ownership set to the
|
||||||
|
- user being created or updated and its primary group.
|
||||||
|
+ user being created or updated and its primary group. Note
|
||||||
|
+ that newusers does not create parent directories of the new
|
||||||
|
+ user's home directory. The newusers command will fail to
|
||||||
|
+ create the home directory if the parent directories do not
|
||||||
|
+ exist, and will send a message to stderr informing the user
|
||||||
|
+ of the failure. The newusers command will not halt or return
|
||||||
|
+ a failure to the calling shell if it fails to create the home
|
||||||
|
+ directory, it will continue to process the batch of new users
|
||||||
|
+ specified.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
If the home directory of an existing user is changed,
|
13
SOURCES/shadow-4.1.5.1-logmsg.patch
Normal file
13
SOURCES/shadow-4.1.5.1-logmsg.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
Index: shadow-4.5/src/useradd.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/useradd.c
|
||||||
|
+++ shadow-4.5/src/useradd.c
|
||||||
|
@@ -323,7 +323,7 @@ static void fail_exit (int code)
|
||||||
|
user_name, AUDIT_NO_ID,
|
||||||
|
SHADOW_AUDIT_FAILURE);
|
||||||
|
#endif
|
||||||
|
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
|
||||||
|
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
|
||||||
|
exit (code);
|
||||||
|
}
|
||||||
|
|
16
SOURCES/shadow-4.1.5.1-userdel-helpfix.patch
Normal file
16
SOURCES/shadow-4.1.5.1-userdel-helpfix.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
Index: shadow-4.5/src/userdel.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/userdel.c
|
||||||
|
+++ shadow-4.5/src/userdel.c
|
||||||
|
@@ -143,8 +143,9 @@ static void usage (int status)
|
||||||
|
"\n"
|
||||||
|
"Options:\n"),
|
||||||
|
Prog);
|
||||||
|
- (void) fputs (_(" -f, --force force removal of files,\n"
|
||||||
|
- " even if not owned by user\n"),
|
||||||
|
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
|
||||||
|
+ " e.g. removal of user still logged in\n"
|
||||||
|
+ " or files, even if not owned by the user\n"),
|
||||||
|
usageout);
|
||||||
|
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
|
||||||
|
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);
|
69
SOURCES/shadow-4.2.1-date-parsing.patch
Normal file
69
SOURCES/shadow-4.2.1-date-parsing.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
Index: shadow-4.5/libmisc/getdate.y
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/libmisc/getdate.y
|
||||||
|
+++ shadow-4.5/libmisc/getdate.y
|
||||||
|
@@ -152,6 +152,7 @@ static int yyHaveDay;
|
||||||
|
static int yyHaveRel;
|
||||||
|
static int yyHaveTime;
|
||||||
|
static int yyHaveZone;
|
||||||
|
+static int yyHaveYear;
|
||||||
|
static int yyTimezone;
|
||||||
|
static int yyDay;
|
||||||
|
static int yyHour;
|
||||||
|
@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER {
|
||||||
|
yyDay = $3;
|
||||||
|
yyYear = $5;
|
||||||
|
}
|
||||||
|
+ yyHaveYear++;
|
||||||
|
}
|
||||||
|
| tUNUMBER tSNUMBER tSNUMBER {
|
||||||
|
/* ISO 8601 format. yyyy-mm-dd. */
|
||||||
|
yyYear = $1;
|
||||||
|
yyMonth = -$2;
|
||||||
|
yyDay = -$3;
|
||||||
|
+ yyHaveYear++;
|
||||||
|
}
|
||||||
|
| tUNUMBER tMONTH tSNUMBER {
|
||||||
|
/* e.g. 17-JUN-1992. */
|
||||||
|
yyDay = $1;
|
||||||
|
yyMonth = $2;
|
||||||
|
yyYear = -$3;
|
||||||
|
+ yyHaveYear++;
|
||||||
|
}
|
||||||
|
| tMONTH tUNUMBER {
|
||||||
|
yyMonth = $1;
|
||||||
|
@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER {
|
||||||
|
yyMonth = $1;
|
||||||
|
yyDay = $2;
|
||||||
|
yyYear = $4;
|
||||||
|
+ yyHaveYear++;
|
||||||
|
}
|
||||||
|
| tUNUMBER tMONTH {
|
||||||
|
yyMonth = $2;
|
||||||
|
@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER {
|
||||||
|
yyMonth = $2;
|
||||||
|
yyDay = $1;
|
||||||
|
yyYear = $3;
|
||||||
|
+ yyHaveYear++;
|
||||||
|
}
|
||||||
|
;
|
||||||
|
|
||||||
|
@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT {
|
||||||
|
|
||||||
|
number : tUNUMBER
|
||||||
|
{
|
||||||
|
- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0))
|
||||||
|
+ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear
|
||||||
|
+ && (yyHaveDate != 0) && (yyHaveRel == 0))
|
||||||
|
yyYear = $1;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
@@ -802,7 +809,7 @@ yylex (void)
|
||||||
|
return LookupWord (buff);
|
||||||
|
}
|
||||||
|
if (c != '(')
|
||||||
|
- return *yyInput++;
|
||||||
|
+ return (unsigned char)*yyInput++;
|
||||||
|
Count = 0;
|
||||||
|
do
|
||||||
|
{
|
16
SOURCES/shadow-4.2.1-no-lock-dos.patch
Normal file
16
SOURCES/shadow-4.2.1-no-lock-dos.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
Index: shadow-4.5/lib/commonio.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/lib/commonio.c
|
||||||
|
+++ shadow-4.5/lib/commonio.c
|
||||||
|
@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
|
||||||
|
int retval;
|
||||||
|
char buf[32];
|
||||||
|
|
||||||
|
- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
|
||||||
|
+ /* We depend here on the fact, that the file name is pid-specific.
|
||||||
|
+ * So no O_EXCL here and no DoS.
|
||||||
|
+ */
|
||||||
|
+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
|
||||||
|
if (-1 == fd) {
|
||||||
|
if (log) {
|
||||||
|
(void) fprintf (stderr,
|
91
SOURCES/shadow-4.2.1-null-tm.patch
Normal file
91
SOURCES/shadow-4.2.1-null-tm.patch
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
Index: shadow-4.5/src/faillog.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/faillog.c
|
||||||
|
+++ shadow-4.5/src/faillog.c
|
||||||
|
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
|
||||||
|
}
|
||||||
|
|
||||||
|
tm = localtime (&fl.fail_time);
|
||||||
|
+ if (tm == NULL) {
|
||||||
|
+ cp = "(unknown)";
|
||||||
|
+ } else {
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
|
||||||
|
- cp = ptime;
|
||||||
|
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
|
||||||
|
+ cp = ptime;
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
printf ("%-9s %5d %5d ",
|
||||||
|
pw->pw_name, fl.fail_cnt, fl.fail_max);
|
||||||
|
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
|
||||||
|
Index: shadow-4.5/src/chage.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/chage.c
|
||||||
|
+++ shadow-4.5/src/chage.c
|
||||||
|
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
|
||||||
|
struct tm *tp;
|
||||||
|
|
||||||
|
tp = gmtime (&date);
|
||||||
|
+ if (tp == NULL) {
|
||||||
|
+ (void) snprintf (buf, maxsize, "(unknown)");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
|
||||||
|
#else
|
||||||
|
Index: shadow-4.5/src/lastlog.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/lastlog.c
|
||||||
|
+++ shadow-4.5/src/lastlog.c
|
||||||
|
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
|
||||||
|
|
||||||
|
ll_time = ll.ll_time;
|
||||||
|
tm = localtime (&ll_time);
|
||||||
|
+ if (tm == NULL) {
|
||||||
|
+ cp = "(unknown)";
|
||||||
|
+ } else {
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||||
|
- cp = ptime;
|
||||||
|
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||||
|
+ cp = ptime;
|
||||||
|
#else
|
||||||
|
- cp = asctime (tm);
|
||||||
|
- cp[24] = '\0';
|
||||||
|
+ cp = asctime (tm);
|
||||||
|
+ cp[24] = '\0';
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (ll.ll_time == (time_t) 0) {
|
||||||
|
cp = _("**Never logged in**\0");
|
||||||
|
Index: shadow-4.5/src/passwd.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/passwd.c
|
||||||
|
+++ shadow-4.5/src/passwd.c
|
||||||
|
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
|
||||||
|
struct tm *tm;
|
||||||
|
|
||||||
|
tm = gmtime (&t);
|
||||||
|
+ if (tm == NULL) {
|
||||||
|
+ return "(unknown)";
|
||||||
|
+ }
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
|
||||||
|
#else /* !HAVE_STRFTIME */
|
||||||
|
Index: shadow-4.5/src/usermod.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/usermod.c
|
||||||
|
+++ shadow-4.5/src/usermod.c
|
||||||
|
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
|
||||||
|
} else {
|
||||||
|
time_t t = (time_t) date;
|
||||||
|
tp = gmtime (&t);
|
||||||
|
+ if (tp == NULL) {
|
||||||
|
+ strncpy (buf, "unknown", maxsize);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
strftime (buf, maxsize, "%Y-%m-%d", tp);
|
||||||
|
#else
|
349
SOURCES/shadow-4.3.1-manfix.patch
Normal file
349
SOURCES/shadow-4.3.1-manfix.patch
Normal file
@ -0,0 +1,349 @@
|
|||||||
|
Index: shadow-4.5/man/groupmems.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/groupmems.8.xml
|
||||||
|
+++ shadow-4.5/man/groupmems.8.xml
|
||||||
|
@@ -179,20 +179,10 @@
|
||||||
|
<refsect1 id='setup'>
|
||||||
|
<title>SETUP</title>
|
||||||
|
<para>
|
||||||
|
- The <command>groupmems</command> executable should be in mode
|
||||||
|
- <literal>2770</literal> as user <emphasis>root</emphasis> and in group
|
||||||
|
- <emphasis>groups</emphasis>. The system administrator can add users to
|
||||||
|
- group <emphasis>groups</emphasis> to allow or disallow them using the
|
||||||
|
- <command>groupmems</command> utility to manage their own group
|
||||||
|
- membership list.
|
||||||
|
+ In this operating system the <command>groupmems</command> executable
|
||||||
|
+ is not setuid and regular users cannot use it to manipulate
|
||||||
|
+ the membership of their own group.
|
||||||
|
</para>
|
||||||
|
-
|
||||||
|
- <programlisting>
|
||||||
|
- $ groupadd -r groups
|
||||||
|
- $ chmod 2770 groupmems
|
||||||
|
- $ chown root.groups groupmems
|
||||||
|
- $ groupmems -g groups -a gk4
|
||||||
|
- </programlisting>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1 id='configuration'>
|
||||||
|
Index: shadow-4.5/man/chage.1.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/chage.1.xml
|
||||||
|
+++ shadow-4.5/man/chage.1.xml
|
||||||
|
@@ -102,6 +102,9 @@
|
||||||
|
Set the number of days since January 1st, 1970 when the password
|
||||||
|
was last changed. The date may also be expressed in the format
|
||||||
|
YYYY-MM-DD (or the format more commonly used in your area).
|
||||||
|
+ If the <replaceable>LAST_DAY</replaceable> is set to
|
||||||
|
+ <emphasis>0</emphasis> the user is forced to change his password
|
||||||
|
+ on the next log on.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
@@ -119,6 +122,13 @@
|
||||||
|
system again.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
+ For example the following can be used to set an account to expire
|
||||||
|
+ in 180 days:
|
||||||
|
+ </para>
|
||||||
|
+ <programlisting>
|
||||||
|
+ chage -E $(date -d +180days +%Y-%m-%d)
|
||||||
|
+ </programlisting>
|
||||||
|
+ <para>
|
||||||
|
Passing the number <emphasis remap='I'>-1</emphasis> as the
|
||||||
|
<replaceable>EXPIRE_DATE</replaceable> will remove an account
|
||||||
|
expiration date.
|
||||||
|
@@ -233,6 +243,18 @@
|
||||||
|
The <command>chage</command> program requires a shadow password file to
|
||||||
|
be available.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ The chage program will report only the information from the shadow
|
||||||
|
+ password file. This implies that configuration from other sources
|
||||||
|
+ (e.g. LDAP or empty password hash field from the passwd file) that
|
||||||
|
+ affect the user's login will not be shown in the chage output.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ The <command>chage</command> program will also not report any
|
||||||
|
+ inconsistency between the shadow and passwd files (e.g. missing x in
|
||||||
|
+ the passwd file). The <command>pwck</command> can be used to check
|
||||||
|
+ for this kind of inconsistencies.
|
||||||
|
+ </para>
|
||||||
|
<para>The <command>chage</command> command is restricted to the root
|
||||||
|
user, except for the <option>-l</option> option, which may be used by
|
||||||
|
an unprivileged user to determine when their password or account is due
|
||||||
|
Index: shadow-4.5/man/ja/man5/login.defs.5
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/ja/man5/login.defs.5
|
||||||
|
+++ shadow-4.5/man/ja/man5/login.defs.5
|
||||||
|
@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_
|
||||||
|
shadow パスワード機能のどのプログラムが
|
||||||
|
どのパラメータを使用するかを示したものである。
|
||||||
|
.na
|
||||||
|
-.IP chfn 12
|
||||||
|
-CHFN_AUTH CHFN_RESTRICT
|
||||||
|
-.IP chsh 12
|
||||||
|
-CHFN_AUTH
|
||||||
|
.IP groupadd 12
|
||||||
|
GID_MAX GID_MIN
|
||||||
|
.IP newusers 12
|
||||||
|
Index: shadow-4.5/man/login.defs.5.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/login.defs.5.xml
|
||||||
|
+++ shadow-4.5/man/login.defs.5.xml
|
||||||
|
@@ -162,6 +162,17 @@
|
||||||
|
long numeric parameters is machine-dependent.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
+ <para>
|
||||||
|
+ Please note that the parameters in this configuration file control the
|
||||||
|
+ behavior of the tools from the shadow-utils component. None of these
|
||||||
|
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
||||||
|
+ passwd command) should be configured elsewhere. The only values that
|
||||||
|
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
|
||||||
|
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
|
||||||
|
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
|
||||||
|
+ pam(8) for more information.
|
||||||
|
+ </para>
|
||||||
|
+
|
||||||
|
<para>The following configuration items are provided:</para>
|
||||||
|
|
||||||
|
<variablelist remap='IP'>
|
||||||
|
@@ -252,16 +263,6 @@
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
- <term>chfn</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- <phrase condition="no_pam">CHFN_AUTH</phrase>
|
||||||
|
- CHFN_RESTRICT
|
||||||
|
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
- <varlistentry>
|
||||||
|
<term>chgpasswd</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
@@ -282,14 +283,6 @@
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
- <varlistentry condition="no_pam">
|
||||||
|
- <term>chsh</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- CHSH_AUTH LOGIN_STRING
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
|
||||||
|
<!-- faillog: no variables -->
|
||||||
|
<varlistentry>
|
||||||
|
@@ -350,34 +343,6 @@
|
||||||
|
</varlistentry>
|
||||||
|
<!-- id: no variables -->
|
||||||
|
<!-- lastlog: no variables -->
|
||||||
|
- <varlistentry>
|
||||||
|
- <term>login</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||||
|
- CONSOLE_GROUPS DEFAULT_HOME
|
||||||
|
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
|
||||||
|
- ENV_TZ ENVIRON_FILE</phrase>
|
||||||
|
- ERASECHAR FAIL_DELAY
|
||||||
|
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
|
||||||
|
- FAKE_SHELL
|
||||||
|
- <phrase condition="no_pam">FTMP_FILE</phrase>
|
||||||
|
- HUSHLOGIN_FILE
|
||||||
|
- <phrase condition="no_pam">ISSUE_FILE</phrase>
|
||||||
|
- KILLCHAR
|
||||||
|
- <phrase condition="no_pam">LASTLOG_ENAB</phrase>
|
||||||
|
- LOGIN_RETRIES
|
||||||
|
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||||
|
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
|
||||||
|
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
|
||||||
|
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
|
||||||
|
- QUOTAS_ENAB</phrase>
|
||||||
|
- TTYGROUP TTYPERM TTYTYPE_FILE
|
||||||
|
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
|
||||||
|
- USERGROUPS_ENAB
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<!-- logoutd: no variables -->
|
||||||
|
<varlistentry>
|
||||||
|
<term>newgrp / sg</term>
|
||||||
|
@@ -405,17 +370,6 @@
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<!-- nologin: no variables -->
|
||||||
|
- <varlistentry condition="no_pam">
|
||||||
|
- <term>passwd</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
|
||||||
|
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
|
||||||
|
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
|
||||||
|
- SHA_CRYPT_MIN_ROUNDS</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>pwck</term>
|
||||||
|
<listitem>
|
||||||
|
@@ -442,32 +396,6 @@
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
- <varlistentry>
|
||||||
|
- <term>su</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||||
|
- CONSOLE_GROUPS DEFAULT_HOME
|
||||||
|
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
|
||||||
|
- ENV_PATH ENV_SUPATH
|
||||||
|
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
|
||||||
|
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
|
||||||
|
- SULOG_FILE SU_NAME
|
||||||
|
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
|
||||||
|
- SYSLOG_SU_ENAB
|
||||||
|
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
- <varlistentry>
|
||||||
|
- <term>sulogin</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- ENV_HZ
|
||||||
|
- <phrase condition="no_pam">ENV_TZ</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>useradd</term>
|
||||||
|
<listitem>
|
||||||
|
Index: shadow-4.5/man/shadow.5.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/shadow.5.xml
|
||||||
|
+++ shadow-4.5/man/shadow.5.xml
|
||||||
|
@@ -129,7 +129,7 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The date of the last password change, expressed as the number
|
||||||
|
- of days since Jan 1, 1970.
|
||||||
|
+ of days since Jan 1, 1970 00:00 UTC.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
The value 0 has a special meaning, which is that the user
|
||||||
|
@@ -208,8 +208,8 @@
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
After expiration of the password and this expiration period is
|
||||||
|
- elapsed, no login is possible using the current user's
|
||||||
|
- password. The user should contact her administrator.
|
||||||
|
+ elapsed, no login is possible for the user.
|
||||||
|
+ The user should contact her administrator.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
An empty field means that there are no enforcement of an
|
||||||
|
@@ -224,7 +224,7 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The date of expiration of the account, expressed as the number
|
||||||
|
- of days since Jan 1, 1970.
|
||||||
|
+ of days since Jan 1, 1970 00:00 UTC.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Note that an account expiration differs from a password
|
||||||
|
Index: shadow-4.5/man/useradd.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/useradd.8.xml
|
||||||
|
+++ shadow-4.5/man/useradd.8.xml
|
||||||
|
@@ -347,6 +347,11 @@
|
||||||
|
<option>CREATE_HOME</option> is not enabled, no home
|
||||||
|
directories are created.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ The directory where the user's home directory is created must
|
||||||
|
+ exist and have proper SELinux context and permissions. Otherwise
|
||||||
|
+ the user's home directory cannot be created or accessed.
|
||||||
|
+ </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
Index: shadow-4.5/man/usermod.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/usermod.8.xml
|
||||||
|
+++ shadow-4.5/man/usermod.8.xml
|
||||||
|
@@ -132,7 +132,8 @@
|
||||||
|
If the <option>-m</option>
|
||||||
|
option is given, the contents of the current home directory will
|
||||||
|
be moved to the new home directory, which is created if it does
|
||||||
|
- not already exist.
|
||||||
|
+ not already exist. If the current home directory does not exist
|
||||||
|
+ the new home directory will not be created.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
@@ -256,7 +257,8 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Move the content of the user's home directory to the new
|
||||||
|
- location.
|
||||||
|
+ location. If the current home directory does not exist
|
||||||
|
+ the new home directory will not be created.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
This option is only valid in combination with the
|
||||||
|
diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml
|
||||||
|
index 01ace007..93fe7421 100644
|
||||||
|
--- a/man/login.defs.d/SUB_GID_COUNT.xml
|
||||||
|
+++ b/man/login.defs.d/SUB_GID_COUNT.xml
|
||||||
|
@@ -42,7 +42,7 @@
|
||||||
|
<para>
|
||||||
|
The default values for <option>SUB_GID_MIN</option>,
|
||||||
|
<option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
|
||||||
|
- are respectively 100000, 600100000 and 10000.
|
||||||
|
+ are respectively 100000, 600100000 and 65536.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
|
||||||
|
index 5ad812f7..516417b7 100644
|
||||||
|
--- a/man/login.defs.d/SUB_UID_COUNT.xml
|
||||||
|
+++ b/man/login.defs.d/SUB_UID_COUNT.xml
|
||||||
|
@@ -42,7 +42,7 @@
|
||||||
|
<para>
|
||||||
|
The default values for <option>SUB_UID_MIN</option>,
|
||||||
|
<option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
|
||||||
|
- are respectively 100000, 600100000 and 10000.
|
||||||
|
+ are respectively 100000, 600100000 and 65536.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
|
||||||
|
--- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200
|
||||||
|
+++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200
|
||||||
|
@@ -320,13 +320,13 @@
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>4</replaceable></term>
|
||||||
|
<listitem>
|
||||||
|
- <para>GID not unique (when <option>-o</option> not used)</para>
|
||||||
|
+ <para>GID is already used (when called without <option>-o</option>)</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>9</replaceable></term>
|
||||||
|
<listitem>
|
||||||
|
- <para>group name not unique</para>
|
||||||
|
+ <para>group name is already used</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
|
277
SOURCES/shadow-4.3.1-selinux-perms.patch
Normal file
277
SOURCES/shadow-4.3.1-selinux-perms.patch
Normal file
@ -0,0 +1,277 @@
|
|||||||
|
Index: shadow-4.5/src/chgpasswd.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/chgpasswd.c
|
||||||
|
+++ shadow-4.5/src/chgpasswd.c
|
||||||
|
@@ -39,6 +39,13 @@
|
||||||
|
#include <pwd.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+#include <selinux/selinux.h>
|
||||||
|
+#include <selinux/avc.h>
|
||||||
|
+#endif
|
||||||
|
+#ifdef WITH_LIBAUDIT
|
||||||
|
+#include <libaudit.h>
|
||||||
|
+#endif
|
||||||
|
#ifdef ACCT_TOOLS_SETUID
|
||||||
|
#ifdef USE_PAM
|
||||||
|
#include "pam_defs.h"
|
||||||
|
@@ -76,6 +83,9 @@ static bool sgr_locked = false;
|
||||||
|
#endif
|
||||||
|
static bool gr_locked = false;
|
||||||
|
|
||||||
|
+/* The name of the caller */
|
||||||
|
+static char *myname = NULL;
|
||||||
|
+
|
||||||
|
/* local function prototypes */
|
||||||
|
static void fail_exit (int code);
|
||||||
|
static /*@noreturn@*/void usage (int status);
|
||||||
|
@@ -300,6 +310,63 @@ static void check_perms (void)
|
||||||
|
#endif /* ACCT_TOOLS_SETUID */
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+static int
|
||||||
|
+log_callback (int type, const char *fmt, ...)
|
||||||
|
+{
|
||||||
|
+ int audit_fd;
|
||||||
|
+ va_list ap;
|
||||||
|
+
|
||||||
|
+ va_start(ap, fmt);
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_fd = audit_open();
|
||||||
|
+
|
||||||
|
+ if (audit_fd >= 0) {
|
||||||
|
+ char *buf;
|
||||||
|
+
|
||||||
|
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||||
|
+ goto ret;
|
||||||
|
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||||
|
+ NULL, 0);
|
||||||
|
+ audit_close(audit_fd);
|
||||||
|
+ free(buf);
|
||||||
|
+ goto ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||||
|
+ret:
|
||||||
|
+ va_end(ap);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+selinux_check_root (void)
|
||||||
|
+{
|
||||||
|
+ int status = -1;
|
||||||
|
+ security_context_t user_context;
|
||||||
|
+ union selinux_callback old_callback;
|
||||||
|
+
|
||||||
|
+ if (is_selinux_enabled() < 1)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
|
||||||
|
+ /* setup callbacks */
|
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
|
||||||
|
+ if ((status = getprevcon(&user_context)) < 0) {
|
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
|
||||||
|
+
|
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||||
|
+ freecon(user_context);
|
||||||
|
+ if (status != 0 && security_getenforce() != 0)
|
||||||
|
+ exit(1);
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* open_files - lock and open the group databases
|
||||||
|
*/
|
||||||
|
@@ -393,6 +460,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
const struct group *gr;
|
||||||
|
struct group newgr;
|
||||||
|
+ struct passwd *pw = NULL;
|
||||||
|
int errors = 0;
|
||||||
|
int line = 0;
|
||||||
|
|
||||||
|
@@ -408,8 +476,33 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
OPENLOG ("chgpasswd");
|
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_help_open ();
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Determine the name of the user that invoked this command. This
|
||||||
|
+ * is really hit or miss because there are so many ways that command
|
||||||
|
+ * can be executed and so many ways to trip up the routines that
|
||||||
|
+ * report the user name.
|
||||||
|
+ */
|
||||||
|
+ pw = get_my_pwent ();
|
||||||
|
+ if (NULL == pw) {
|
||||||
|
+ fprintf (stderr, _("%s: Cannot determine your user name.\n"),
|
||||||
|
+ Prog);
|
||||||
|
+ SYSLOG ((LOG_WARN,
|
||||||
|
+ "Cannot determine the user name of the caller (UID %lu)",
|
||||||
|
+ (unsigned long) getuid ()));
|
||||||
|
+ exit (E_NOPERM);
|
||||||
|
+ }
|
||||||
|
+ myname = xstrdup (pw->pw_name);
|
||||||
|
+
|
||||||
|
check_perms ();
|
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ selinux_check_root ();
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
is_shadow_grp = sgr_file_present ();
|
||||||
|
#endif
|
||||||
|
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
|
||||||
|
newgr.gr_passwd = cp;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ {
|
||||||
|
+
|
||||||
|
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
|
||||||
|
+ "change-password",
|
||||||
|
+ myname, AUDIT_NO_ID, gr->gr_name,
|
||||||
|
+ SHADOW_AUDIT_SUCCESS);
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
/*
|
||||||
|
* The updated group file entry is then put back and will
|
||||||
|
* be written to the group file later, after all the
|
||||||
|
Index: shadow-4.5/src/chpasswd.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/chpasswd.c
|
||||||
|
+++ shadow-4.5/src/chpasswd.c
|
||||||
|
@@ -39,6 +39,13 @@
|
||||||
|
#include <pwd.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+#include <selinux/selinux.h>
|
||||||
|
+#include <selinux/avc.h>
|
||||||
|
+#endif
|
||||||
|
+#ifdef WITH_LIBAUDIT
|
||||||
|
+#include <libaudit.h>
|
||||||
|
+#endif
|
||||||
|
#ifdef USE_PAM
|
||||||
|
#include "pam_defs.h"
|
||||||
|
#endif /* USE_PAM */
|
||||||
|
@@ -297,6 +304,63 @@ static void check_perms (void)
|
||||||
|
#endif /* USE_PAM */
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+static int
|
||||||
|
+log_callback (int type, const char *fmt, ...)
|
||||||
|
+{
|
||||||
|
+ int audit_fd;
|
||||||
|
+ va_list ap;
|
||||||
|
+
|
||||||
|
+ va_start(ap, fmt);
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_fd = audit_open();
|
||||||
|
+
|
||||||
|
+ if (audit_fd >= 0) {
|
||||||
|
+ char *buf;
|
||||||
|
+
|
||||||
|
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||||
|
+ goto ret;
|
||||||
|
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||||
|
+ NULL, 0);
|
||||||
|
+ audit_close(audit_fd);
|
||||||
|
+ free(buf);
|
||||||
|
+ goto ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||||
|
+ret:
|
||||||
|
+ va_end(ap);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+selinux_check_root (void)
|
||||||
|
+{
|
||||||
|
+ int status = -1;
|
||||||
|
+ security_context_t user_context;
|
||||||
|
+ union selinux_callback old_callback;
|
||||||
|
+
|
||||||
|
+ if (is_selinux_enabled() < 1)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
|
||||||
|
+ /* setup callbacks */
|
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
|
||||||
|
+ if ((status = getprevcon(&user_context)) < 0) {
|
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
|
||||||
|
+
|
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||||
|
+ freecon(user_context);
|
||||||
|
+ if (status != 0 && security_getenforce() != 0)
|
||||||
|
+ exit(1);
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* open_files - lock and open the password databases
|
||||||
|
*/
|
||||||
|
@@ -405,8 +469,16 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
OPENLOG ("chpasswd");
|
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_help_open ();
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
check_perms ();
|
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ selinux_check_root ();
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef USE_PAM
|
||||||
|
if (!use_pam)
|
||||||
|
#endif /* USE_PAM */
|
||||||
|
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
|
||||||
|
newpw.pw_passwd = cp;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||||
|
+ "updating-password",
|
||||||
|
+ pw->pw_name, (unsigned int) pw->pw_uid, 1);
|
||||||
|
+#endif
|
||||||
|
/*
|
||||||
|
* The updated password file entry is then put back and will
|
||||||
|
* be written to the password file later, after all the
|
||||||
|
Index: shadow-4.5/src/Makefile.am
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/Makefile.am
|
||||||
|
+++ shadow-4.5/src/Makefile.am
|
||||||
|
@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
|
||||||
|
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||||
|
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||||
|
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
||||||
|
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
|
||||||
|
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
|
||||||
|
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
||||||
|
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
|
||||||
|
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
|
||||||
|
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
|
||||||
|
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||||
|
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
41
SOURCES/shadow-4.5-crypt_h.patch
Normal file
41
SOURCES/shadow-4.5-crypt_h.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
Index: shadow-4.5/configure.ac
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/configure.ac
|
||||||
|
+++ shadow-4.5/configure.ac
|
||||||
|
@@ -32,9 +32,9 @@ AC_HEADER_STDC
|
||||||
|
AC_HEADER_SYS_WAIT
|
||||||
|
AC_HEADER_STDBOOL
|
||||||
|
|
||||||
|
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
|
||||||
|
- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
|
||||||
|
- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
|
||||||
|
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
|
||||||
|
+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
|
||||||
|
+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
|
||||||
|
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
|
||||||
|
attr/error_context.h)
|
||||||
|
|
||||||
|
Index: shadow-4.5/lib/defines.h
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/lib/defines.h
|
||||||
|
+++ shadow-4.5/lib/defines.h
|
||||||
|
@@ -4,6 +4,8 @@
|
||||||
|
#ifndef _DEFINES_H_
|
||||||
|
#define _DEFINES_H_
|
||||||
|
|
||||||
|
+#include "config.h"
|
||||||
|
+
|
||||||
|
#if HAVE_STDBOOL_H
|
||||||
|
# include <stdbool.h>
|
||||||
|
#else
|
||||||
|
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
|
||||||
|
# include <unistd.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#if HAVE_CRYPT_H
|
||||||
|
+# include <crypt.h> /* crypt(3) may be defined in here */
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#if TIME_WITH_SYS_TIME
|
||||||
|
# include <sys/time.h>
|
||||||
|
# include <time.h>
|
110
SOURCES/shadow-4.5-goodname.patch
Normal file
110
SOURCES/shadow-4.5-goodname.patch
Normal file
@ -0,0 +1,110 @@
|
|||||||
|
Index: shadow-4.5/libmisc/chkname.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/libmisc/chkname.c
|
||||||
|
+++ shadow-4.5/libmisc/chkname.c
|
||||||
|
@@ -47,27 +47,46 @@
|
||||||
|
#include "chkname.h"
|
||||||
|
|
||||||
|
static bool is_valid_name (const char *name)
|
||||||
|
-{
|
||||||
|
+{
|
||||||
|
/*
|
||||||
|
- * User/group names must match [a-z_][a-z0-9_-]*[$]
|
||||||
|
- */
|
||||||
|
- if (('\0' == *name) ||
|
||||||
|
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
|
||||||
|
+ * User/group names must match gnu e-regex:
|
||||||
|
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
|
||||||
|
+ *
|
||||||
|
+ * as a non-POSIX, extension, allow "$" as the last char for
|
||||||
|
+ * sake of Samba 3.x "add machine script"
|
||||||
|
+ *
|
||||||
|
+ * Also do not allow fully numeric names or just "." or "..".
|
||||||
|
+ */
|
||||||
|
+ int numeric;
|
||||||
|
+
|
||||||
|
+ if ('\0' == *name ||
|
||||||
|
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
|
||||||
|
+ '\0' == name[1])) ||
|
||||||
|
+ !((*name >= 'a' && *name <= 'z') ||
|
||||||
|
+ (*name >= 'A' && *name <= 'Z') ||
|
||||||
|
+ (*name >= '0' && *name <= '9') ||
|
||||||
|
+ *name == '_' ||
|
||||||
|
+ *name == '.')) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ numeric = isdigit(*name);
|
||||||
|
+
|
||||||
|
while ('\0' != *++name) {
|
||||||
|
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
|
||||||
|
- ( ('0' <= *name) && ('9' >= *name) ) ||
|
||||||
|
- ('_' == *name) ||
|
||||||
|
- ('-' == *name) ||
|
||||||
|
- ( ('$' == *name) && ('\0' == *(name + 1)) )
|
||||||
|
+ if (!((*name >= 'a' && *name <= 'z') ||
|
||||||
|
+ (*name >= 'A' && *name <= 'Z') ||
|
||||||
|
+ (*name >= '0' && *name <= '9') ||
|
||||||
|
+ *name == '_' ||
|
||||||
|
+ *name == '.' ||
|
||||||
|
+ *name == '-' ||
|
||||||
|
+ (*name == '$' && name[1] == '\0')
|
||||||
|
)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
+ numeric &= isdigit(*name);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return true;
|
||||||
|
+ return !numeric;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool is_valid_user_name (const char *name)
|
||||||
|
Index: shadow-4.5/man/groupadd.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/groupadd.8.xml
|
||||||
|
+++ shadow-4.5/man/groupadd.8.xml
|
||||||
|
@@ -256,10 +256,14 @@
|
||||||
|
<refsect1 id='caveats'>
|
||||||
|
<title>CAVEATS</title>
|
||||||
|
<para>
|
||||||
|
- Groupnames must start with a lower case letter or an underscore,
|
||||||
|
- followed by lower case letters, digits, underscores, or dashes.
|
||||||
|
- They can end with a dollar sign.
|
||||||
|
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||||
|
+ Groupnames may contain only lower and upper case letters, digits,
|
||||||
|
+ underscores, or dashes. They can end with a dollar sign.
|
||||||
|
+
|
||||||
|
+ Dashes are not allowed at the beginning of the groupname.
|
||||||
|
+ Fully numeric groupnames and groupnames . or .. are
|
||||||
|
+ also disallowed.
|
||||||
|
+
|
||||||
|
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
||||||
|
Index: shadow-4.5/man/useradd.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/useradd.8.xml
|
||||||
|
+++ shadow-4.5/man/useradd.8.xml
|
||||||
|
@@ -633,10 +633,16 @@
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
- Usernames must start with a lower case letter or an underscore,
|
||||||
|
- followed by lower case letters, digits, underscores, or dashes.
|
||||||
|
- They can end with a dollar sign.
|
||||||
|
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||||
|
+ Usernames may contain only lower and upper case letters, digits,
|
||||||
|
+ underscores, or dashes. They can end with a dollar sign.
|
||||||
|
+
|
||||||
|
+ Dashes are not allowed at the beginning of the username.
|
||||||
|
+ Fully numeric usernames and usernames . or .. are
|
||||||
|
+ also disallowed. It is not recommended to use usernames beginning
|
||||||
|
+ with . character as their home directories will be hidden in
|
||||||
|
+ the <command>ls</command> output.
|
||||||
|
+
|
||||||
|
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Usernames may only be up to 32 characters long.
|
84
SOURCES/shadow-4.5-long-entry.patch
Normal file
84
SOURCES/shadow-4.5-long-entry.patch
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
|
||||||
|
--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200
|
||||||
|
+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200
|
||||||
|
@@ -382,4 +382,7 @@ extern char *strerror ();
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+/* Maximum length of passwd entry */
|
||||||
|
+#define PASSWD_ENTRY_MAX_LENGTH 32768
|
||||||
|
+
|
||||||
|
#endif /* _DEFINES_H_ */
|
||||||
|
diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
|
||||||
|
--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100
|
||||||
|
+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200
|
||||||
|
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|
||||||
|
|| (pw->pw_gid == (gid_t)-1)
|
||||||
|
|| (valid_field (pw->pw_gecos, ":\n") == -1)
|
||||||
|
|| (valid_field (pw->pw_dir, ":\n") == -1)
|
||||||
|
- || (valid_field (pw->pw_shell, ":\n") == -1)) {
|
||||||
|
+ || (valid_field (pw->pw_shell, ":\n") == -1)
|
||||||
|
+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
|
||||||
|
+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
|
||||||
|
+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
|
||||||
|
--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
|
||||||
|
+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200
|
||||||
|
@@ -57,7 +57,7 @@
|
||||||
|
struct passwd *sgetpwent (const char *buf)
|
||||||
|
{
|
||||||
|
static struct passwd pwent;
|
||||||
|
- static char pwdbuf[1024];
|
||||||
|
+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
|
||||||
|
register int i;
|
||||||
|
register char *cp;
|
||||||
|
char *fields[NFIELDS];
|
||||||
|
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
|
||||||
|
* the password structure remain valid.
|
||||||
|
*/
|
||||||
|
|
||||||
|
- if (strlen (buf) >= sizeof pwdbuf)
|
||||||
|
+ if (strlen (buf) >= sizeof pwdbuf) {
|
||||||
|
+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
|
||||||
|
return 0; /* fail if too long */
|
||||||
|
+ }
|
||||||
|
strcpy (pwdbuf, buf);
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
|
||||||
|
--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
|
||||||
|
+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200
|
||||||
|
@@ -48,7 +48,7 @@
|
||||||
|
*/
|
||||||
|
struct spwd *sgetspent (const char *string)
|
||||||
|
{
|
||||||
|
- static char spwbuf[1024];
|
||||||
|
+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
|
||||||
|
static struct spwd spwd;
|
||||||
|
char *fields[FIELDS];
|
||||||
|
char *cp;
|
||||||
|
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (strlen (string) >= sizeof spwbuf) {
|
||||||
|
+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
|
||||||
|
return 0; /* fail if too long */
|
||||||
|
}
|
||||||
|
strcpy (spwbuf, string);
|
||||||
|
diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
|
||||||
|
--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100
|
||||||
|
+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200
|
||||||
|
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
|
||||||
|
|
||||||
|
if ( (NULL == sp)
|
||||||
|
|| (valid_field (sp->sp_namp, ":\n") == -1)
|
||||||
|
- || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
|
||||||
|
+ || (valid_field (sp->sp_pwdp, ":\n") == -1)
|
||||||
|
+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
|
||||||
|
+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
64
SOURCES/shadow-4.5-usermod-unlock.patch
Normal file
64
SOURCES/shadow-4.5-usermod-unlock.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
Index: shadow-4.5/src/usermod.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/usermod.c
|
||||||
|
+++ shadow-4.5/src/usermod.c
|
||||||
|
@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
|
||||||
|
strcat (buf, pw_pass);
|
||||||
|
pw_pass = buf;
|
||||||
|
} else if (Uflg && pw_pass[0] == '!') {
|
||||||
|
- char *s;
|
||||||
|
+ char *s = pw_pass;
|
||||||
|
|
||||||
|
- if (pw_pass[1] == '\0') {
|
||||||
|
+ while ('!' == *s)
|
||||||
|
+ ++s;
|
||||||
|
+
|
||||||
|
+ if (*s == '\0') {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: unlocking the user's password would result in a passwordless account.\n"
|
||||||
|
"You should set a password with usermod -p to unlock this user's password.\n"),
|
||||||
|
Prog);
|
||||||
|
- return pw_pass;
|
||||||
|
+ return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_AUDIT
|
||||||
|
@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
|
||||||
|
user_newname, (unsigned int) user_newid, 1);
|
||||||
|
#endif
|
||||||
|
SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
|
||||||
|
- s = pw_pass;
|
||||||
|
- while ('\0' != *s) {
|
||||||
|
- *s = *(s + 1);
|
||||||
|
- s++;
|
||||||
|
- }
|
||||||
|
+ memmove (pw_pass, s, strlen (s) + 1);
|
||||||
|
} else if (pflg) {
|
||||||
|
+ if (strchr (user_pass, ':') != NULL) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: The password field cannot contain a colon character.\n"),
|
||||||
|
+ Prog);
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
#ifdef WITH_AUDIT
|
||||||
|
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||||
|
"updating-password",
|
||||||
|
@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
|
||||||
|
if ( (!is_shadow_pwd)
|
||||||
|
|| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
|
||||||
|
pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
|
||||||
|
+ if (pwent->pw_passwd == NULL)
|
||||||
|
+ fail_exit (E_PW_UPDATE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (uflg) {
|
||||||
|
@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
|
||||||
|
* + aging has been requested
|
||||||
|
*/
|
||||||
|
spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
|
||||||
|
+ if (spent->sp_pwdp == NULL)
|
||||||
|
+ fail_exit(E_PW_UPDATE);
|
||||||
|
|
||||||
|
if (pflg) {
|
||||||
|
spent->sp_lstchg = (long) gettime () / SCALE;
|
2365
SOURCES/shadow-4.6-audit-update.patch
Normal file
2365
SOURCES/shadow-4.6-audit-update.patch
Normal file
File diff suppressed because it is too large
Load Diff
44
SOURCES/shadow-4.6-chgrp-guard.patch
Normal file
44
SOURCES/shadow-4.6-chgrp-guard.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
|
||||||
|
--- shadow-4.6/man/usermod.8.xml.chgrp-guard 2018-11-06 09:08:54.170095358 +0100
|
||||||
|
+++ shadow-4.6/man/usermod.8.xml 2018-12-18 15:24:12.283181180 +0100
|
||||||
|
@@ -195,6 +195,12 @@
|
||||||
|
The group ownership of files outside of the user's home directory
|
||||||
|
must be fixed manually.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ The change of the group ownership of files inside of the user's
|
||||||
|
+ home directory is also not done if the home dir owner uid is
|
||||||
|
+ different from the current or new user id. This is safety measure
|
||||||
|
+ for special home directories such as <filename>/</filename>.
|
||||||
|
+ </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
@@ -372,6 +378,12 @@
|
||||||
|
must be fixed manually.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
+ The change of the user ownership of files inside of the user's
|
||||||
|
+ home directory is also not done if the home dir owner uid is
|
||||||
|
+ different from the current or new user id. This is safety measure
|
||||||
|
+ for special home directories such as <filename>/</filename>.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
No checks will be performed with regard to the
|
||||||
|
<option>UID_MIN</option>, <option>UID_MAX</option>,
|
||||||
|
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
|
||||||
|
diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
|
||||||
|
--- shadow-4.6/src/usermod.c.chgrp-guard 2018-12-18 15:24:12.286181249 +0100
|
||||||
|
+++ shadow-4.6/src/usermod.c 2018-12-18 15:26:51.227841435 +0100
|
||||||
|
@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!mflg && (uflg || gflg)) {
|
||||||
|
- if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
|
||||||
|
+ struct stat sb;
|
||||||
|
+
|
||||||
|
+ if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
|
||||||
|
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
|
||||||
|
/*
|
||||||
|
* Change the UID on all of the files owned by
|
||||||
|
* `user_id' to `user_newid' in the user's home
|
223
SOURCES/shadow-4.6-coverity.patch
Normal file
223
SOURCES/shadow-4.6-coverity.patch
Normal file
@ -0,0 +1,223 @@
|
|||||||
|
diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
|
||||||
|
--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200
|
||||||
|
+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200
|
||||||
|
@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
|
||||||
|
char* lock = NULL;
|
||||||
|
size_t lock_file_len;
|
||||||
|
size_t file_len;
|
||||||
|
- int err;
|
||||||
|
+ int err = 0;
|
||||||
|
|
||||||
|
if (db->locked) {
|
||||||
|
return 1;
|
||||||
|
@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
|
||||||
|
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
|
||||||
|
file = (char*)malloc(file_len);
|
||||||
|
if(file == NULL) {
|
||||||
|
- err = ENOMEM;
|
||||||
|
goto cleanup_ENOMEM;
|
||||||
|
}
|
||||||
|
lock = (char*)malloc(lock_file_len);
|
||||||
|
if(lock == NULL) {
|
||||||
|
- err = ENOMEM;
|
||||||
|
goto cleanup_ENOMEM;
|
||||||
|
}
|
||||||
|
snprintf (file, file_len, "%s.%lu",
|
||||||
|
diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
|
||||||
|
--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200
|
||||||
|
@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
|
||||||
|
static bool is_listed (const char *cfgin, const char *tty, bool def)
|
||||||
|
{
|
||||||
|
FILE *fp;
|
||||||
|
- char buf[200], *s;
|
||||||
|
+ char buf[1024], *s;
|
||||||
|
const char *cons;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
|
||||||
|
|
||||||
|
if (*cons != '/') {
|
||||||
|
char *pbuf;
|
||||||
|
- strcpy (buf, cons);
|
||||||
|
+ strncpy (buf, cons, sizeof (buf));
|
||||||
|
+ buf[sizeof (buf) - 1] = '\0';
|
||||||
|
pbuf = &buf[0];
|
||||||
|
while ((s = strtok (pbuf, ":")) != NULL) {
|
||||||
|
if (strcmp (s, tty) == 0) {
|
||||||
|
diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
|
||||||
|
--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200
|
||||||
|
+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200
|
||||||
|
@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
|
||||||
|
do {
|
||||||
|
wpid = waitpid (pid, status, 0);
|
||||||
|
} while ( ((pid_t)-1 == wpid && errno == EINTR)
|
||||||
|
- || (wpid != pid));
|
||||||
|
+ || ((pid_t)-1 != wpid && wpid != pid));
|
||||||
|
|
||||||
|
if ((pid_t)-1 == wpid) {
|
||||||
|
fprintf (stderr, "%s: waitpid (status: %d): %s\n",
|
||||||
|
diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
|
||||||
|
--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200
|
||||||
|
+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200
|
||||||
|
@@ -314,7 +314,7 @@ static void fail_exit (int code)
|
||||||
|
static void get_defaults (void)
|
||||||
|
{
|
||||||
|
FILE *fp;
|
||||||
|
- char* default_file = USER_DEFAULTS_FILE;
|
||||||
|
+ char *default_file = USER_DEFAULTS_FILE;
|
||||||
|
char buf[1024];
|
||||||
|
char *cp;
|
||||||
|
|
||||||
|
@@ -324,6 +324,8 @@ static void get_defaults (void)
|
||||||
|
|
||||||
|
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
|
||||||
|
default_file = malloc(len);
|
||||||
|
+ if (default_file == NULL)
|
||||||
|
+ return;
|
||||||
|
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
|
||||||
|
assert (wlen == (int) len -1);
|
||||||
|
}
|
||||||
|
@@ -334,7 +336,7 @@ static void get_defaults (void)
|
||||||
|
|
||||||
|
fp = fopen (default_file, "r");
|
||||||
|
if (NULL == fp) {
|
||||||
|
- return;
|
||||||
|
+ goto getdef_err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -445,7 +447,7 @@ static void get_defaults (void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
(void) fclose (fp);
|
||||||
|
-
|
||||||
|
+ getdef_err:
|
||||||
|
if(prefix[0]) {
|
||||||
|
free(default_file);
|
||||||
|
}
|
||||||
|
@@ -480,8 +482,8 @@ static int set_defaults (void)
|
||||||
|
FILE *ifp;
|
||||||
|
FILE *ofp;
|
||||||
|
char buf[1024];
|
||||||
|
- char* new_file = NEW_USER_FILE;
|
||||||
|
- char* default_file = USER_DEFAULTS_FILE;
|
||||||
|
+ char *new_file = NULL;
|
||||||
|
+ char *default_file = USER_DEFAULTS_FILE;
|
||||||
|
char *cp;
|
||||||
|
int ofd;
|
||||||
|
int wlen;
|
||||||
|
@@ -492,17 +494,30 @@ static int set_defaults (void)
|
||||||
|
bool out_shell = false;
|
||||||
|
bool out_skel = false;
|
||||||
|
bool out_create_mail_spool = false;
|
||||||
|
+ size_t len;
|
||||||
|
+ int ret = -1;
|
||||||
|
|
||||||
|
- if(prefix[0]) {
|
||||||
|
- size_t len;
|
||||||
|
|
||||||
|
- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
|
||||||
|
- new_file = malloc(len);
|
||||||
|
- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
|
||||||
|
- assert (wlen == (int) len -1);
|
||||||
|
+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
|
||||||
|
+ new_file = malloc(len);
|
||||||
|
+ if (new_file == NULL) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: cannot create new defaults file: %s\n"),
|
||||||
|
+ Prog, strerror(errno));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
|
||||||
|
+ assert (wlen <= (int) len -1);
|
||||||
|
|
||||||
|
+ if(prefix[0]) {
|
||||||
|
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
|
||||||
|
default_file = malloc(len);
|
||||||
|
+ if (default_file == NULL) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: cannot create new defaults file: %s\n"),
|
||||||
|
+ Prog, strerror(errno));
|
||||||
|
+ goto setdef_err;
|
||||||
|
+ }
|
||||||
|
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
|
||||||
|
assert (wlen == (int) len -1);
|
||||||
|
}
|
||||||
|
@@ -515,7 +530,7 @@ static int set_defaults (void)
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: cannot create new defaults file\n"),
|
||||||
|
Prog);
|
||||||
|
- return -1;
|
||||||
|
+ goto setdef_err;
|
||||||
|
}
|
||||||
|
|
||||||
|
ofp = fdopen (ofd, "w");
|
||||||
|
@@ -523,7 +538,7 @@ static int set_defaults (void)
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: cannot open new defaults file\n"),
|
||||||
|
Prog);
|
||||||
|
- return -1;
|
||||||
|
+ goto setdef_err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -550,7 +565,7 @@ static int set_defaults (void)
|
||||||
|
_("%s: line too long in %s: %s..."),
|
||||||
|
Prog, default_file, buf);
|
||||||
|
(void) fclose (ifp);
|
||||||
|
- return -1;
|
||||||
|
+ goto setdef_err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -614,7 +629,7 @@ static int set_defaults (void)
|
||||||
|
|| (fsync (fileno (ofp)) != 0)
|
||||||
|
|| (fclose (ofp) != 0)) {
|
||||||
|
unlink (new_file);
|
||||||
|
- return -1;
|
||||||
|
+ goto setdef_err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -629,7 +644,7 @@ static int set_defaults (void)
|
||||||
|
_("%s: Cannot create backup file (%s): %s\n"),
|
||||||
|
Prog, buf, strerror (err));
|
||||||
|
unlink (new_file);
|
||||||
|
- return -1;
|
||||||
|
+ goto setdef_err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -640,11 +655,11 @@ static int set_defaults (void)
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: rename: %s: %s\n"),
|
||||||
|
Prog, new_file, strerror (err));
|
||||||
|
- return -1;
|
||||||
|
+ goto setdef_err;
|
||||||
|
}
|
||||||
|
#ifdef WITH_AUDIT
|
||||||
|
audit_logger (AUDIT_USYS_CONFIG, Prog,
|
||||||
|
- "changing-useradd-defaults",
|
||||||
|
+ "changing useradd defaults",
|
||||||
|
NULL, AUDIT_NO_ID,
|
||||||
|
SHADOW_AUDIT_SUCCESS);
|
||||||
|
#endif
|
||||||
|
@@ -654,13 +669,14 @@ static int set_defaults (void)
|
||||||
|
(unsigned int) def_group, def_home, def_shell,
|
||||||
|
def_inactive, def_expire, def_template,
|
||||||
|
def_create_mail_spool));
|
||||||
|
-
|
||||||
|
+ ret = 0;
|
||||||
|
+ setdef_err:
|
||||||
|
+ free(new_file);
|
||||||
|
if(prefix[0]) {
|
||||||
|
- free(new_file);
|
||||||
|
free(default_file);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return 0;
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
21
SOURCES/shadow-4.6-getenforce.patch
Normal file
21
SOURCES/shadow-4.6-getenforce.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
|
||||||
|
--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
|
||||||
|
+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
|
||||||
|
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
error:
|
||||||
|
- if (security_getenforce () != 0) {
|
||||||
|
+ if (security_getenforce () > 0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
|
||||||
|
selinux_checked = true;
|
||||||
|
}
|
||||||
|
if (selinux_enabled) {
|
||||||
|
- if (setfscreatecon (NULL) != 0) {
|
||||||
|
+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
11
SOURCES/shadow-4.6-ignore-login-prompt.patch
Normal file
11
SOURCES/shadow-4.6-ignore-login-prompt.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
|
||||||
|
--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
|
||||||
|
@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
|
||||||
|
{"KILLCHAR", NULL},
|
||||||
|
{"LOGIN_RETRIES", NULL},
|
||||||
|
{"LOGIN_TIMEOUT", NULL},
|
||||||
|
+ {"LOGIN_PLAIN_PROMPT", NULL},
|
||||||
|
{"LOG_OK_LOGINS", NULL},
|
||||||
|
{"LOG_UNKFAIL_ENAB", NULL},
|
||||||
|
{"MAIL_DIR", NULL},
|
15
SOURCES/shadow-4.6-move-home.patch
Normal file
15
SOURCES/shadow-4.6-move-home.patch
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c
|
||||||
|
--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200
|
||||||
|
+++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200
|
||||||
|
@@ -1845,6 +1845,11 @@ static void move_home (void)
|
||||||
|
Prog, prefix_user_home, prefix_user_newhome);
|
||||||
|
fail_exit (E_HOMEDIR);
|
||||||
|
}
|
||||||
|
+ } else {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: The previous home directory (%s) does "
|
||||||
|
+ "not exist or is inaccessible. Move cannot be completed.\n"),
|
||||||
|
+ Prog, prefix_user_home);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
128
SOURCES/shadow-4.6-orig-context.patch
Normal file
128
SOURCES/shadow-4.6-orig-context.patch
Normal file
@ -0,0 +1,128 @@
|
|||||||
|
diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
|
||||||
|
--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200
|
||||||
|
@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
|
||||||
|
snprintf (buf, sizeof buf, "%s-", db->filename);
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (buf) != 0) {
|
||||||
|
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||||
|
errors++;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
|
||||||
|
snprintf (buf, sizeof buf, "%s+", db->filename);
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (buf) != 0) {
|
||||||
|
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||||
|
errors++;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
|
||||||
|
--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200
|
||||||
|
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
|
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
free (oldlink);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -684,7 +684,7 @@ static int copy_special (const char *src
|
||||||
|
int err = 0;
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
|
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
|
diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
|
||||||
|
--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200
|
||||||
|
@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
|
||||||
|
|
||||||
|
/* selinux.c */
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
-extern int set_selinux_file_context (const char *dst_name);
|
||||||
|
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
|
||||||
|
extern int reset_selinux_file_context (void);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
|
||||||
|
--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200
|
||||||
|
@@ -50,7 +50,7 @@ static bool selinux_enabled;
|
||||||
|
* Callers may have to Reset SELinux to create files with default
|
||||||
|
* contexts with reset_selinux_file_context
|
||||||
|
*/
|
||||||
|
-int set_selinux_file_context (const char *dst_name)
|
||||||
|
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
|
||||||
|
{
|
||||||
|
/*@null@*/security_context_t scontext = NULL;
|
||||||
|
|
||||||
|
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
|
||||||
|
if (selinux_enabled) {
|
||||||
|
/* Get the default security context for this file */
|
||||||
|
if (matchpathcon (dst_name, 0, &scontext) < 0) {
|
||||||
|
- if (security_getenforce () != 0) {
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
+ /* We could not get the default, copy the original */
|
||||||
|
+ if (orig_name == NULL)
|
||||||
|
+ goto error;
|
||||||
|
+ if (getfilecon (orig_name, &scontext) < 0)
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
/* Set the security context for the next created file */
|
||||||
|
- if (setfscreatecon (scontext) < 0) {
|
||||||
|
- if (security_getenforce () != 0) {
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ if (setfscreatecon (scontext) < 0)
|
||||||
|
+ goto error;
|
||||||
|
freecon (scontext);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
+ error:
|
||||||
|
+ if (security_getenforce () != 0) {
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
|
||||||
|
--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200
|
||||||
|
+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200
|
||||||
|
@@ -2020,7 +2020,7 @@ static void create_home (void)
|
||||||
|
{
|
||||||
|
if (access (prefix_user_home, F_OK) != 0) {
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (prefix_user_home) != 0) {
|
||||||
|
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: cannot set SELinux context for home directory %s\n"),
|
||||||
|
Prog, user_home);
|
41
SOURCES/shadow-4.6-redhat.patch
Normal file
41
SOURCES/shadow-4.6-redhat.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
|
||||||
|
--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200
|
||||||
|
@@ -98,7 +98,7 @@ const char *Prog;
|
||||||
|
static gid_t def_group = 100;
|
||||||
|
static const char *def_gname = "other";
|
||||||
|
static const char *def_home = "/home";
|
||||||
|
-static const char *def_shell = "";
|
||||||
|
+static const char *def_shell = "/sbin/nologin";
|
||||||
|
static const char *def_template = SKEL_DIR;
|
||||||
|
static const char *def_create_mail_spool = "no";
|
||||||
|
|
||||||
|
@@ -108,7 +108,7 @@ static const char *def_expire = "";
|
||||||
|
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
||||||
|
|
||||||
|
static const char *user_name = "";
|
||||||
|
-static const char *user_pass = "!";
|
||||||
|
+static const char *user_pass = "!!";
|
||||||
|
static uid_t user_id;
|
||||||
|
static gid_t user_gid;
|
||||||
|
static const char *user_comment = "";
|
||||||
|
@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
|
||||||
|
};
|
||||||
|
while ((c = getopt_long (argc, argv,
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
|
||||||
|
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:",
|
||||||
|
#else /* !WITH_SELINUX */
|
||||||
|
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
|
||||||
|
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U",
|
||||||
|
#endif /* !WITH_SELINUX */
|
||||||
|
long_options, NULL)) != -1) {
|
||||||
|
switch (c) {
|
||||||
|
@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
|
||||||
|
case 'M':
|
||||||
|
Mflg = true;
|
||||||
|
break;
|
||||||
|
+ case 'n':
|
||||||
|
case 'N':
|
||||||
|
Nflg = true;
|
||||||
|
break;
|
115
SOURCES/shadow-4.6-selinux.patch
Normal file
115
SOURCES/shadow-4.6-selinux.patch
Normal file
@ -0,0 +1,115 @@
|
|||||||
|
diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
|
||||||
|
--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200
|
||||||
|
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
+ /* drop obsolete matchpathcon cache */
|
||||||
|
+ matchpathcon_fini();
|
||||||
|
+
|
||||||
|
done:
|
||||||
|
semanage_seuser_key_free (key);
|
||||||
|
semanage_handle_destroy (handle);
|
||||||
|
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
+
|
||||||
|
+ /* drop obsolete matchpathcon cache */
|
||||||
|
+ matchpathcon_fini();
|
||||||
|
+
|
||||||
|
done:
|
||||||
|
semanage_handle_destroy (handle);
|
||||||
|
return ret;
|
||||||
|
diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
|
||||||
|
--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200
|
||||||
|
+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200
|
||||||
|
@@ -2120,6 +2120,7 @@ static void create_mail (void)
|
||||||
|
*/
|
||||||
|
int main (int argc, char **argv)
|
||||||
|
{
|
||||||
|
+ int rv = E_SUCCESS;
|
||||||
|
#ifdef ACCT_TOOLS_SETUID
|
||||||
|
#ifdef USE_PAM
|
||||||
|
pam_handle_t *pamh = NULL;
|
||||||
|
@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
usr_update ();
|
||||||
|
|
||||||
|
- if (mflg) {
|
||||||
|
- create_home ();
|
||||||
|
- if (home_added) {
|
||||||
|
- copy_tree (def_template, prefix_user_home, false, false,
|
||||||
|
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||||
|
- } else {
|
||||||
|
- fprintf (stderr,
|
||||||
|
- _("%s: warning: the home directory already exists.\n"
|
||||||
|
- "Not copying any file from skel directory into it.\n"),
|
||||||
|
- Prog);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Do not create mail directory for system accounts */
|
||||||
|
- if (!rflg) {
|
||||||
|
- create_mail ();
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
close_files ();
|
||||||
|
|
||||||
|
+ nscd_flush_cache ("passwd");
|
||||||
|
+ nscd_flush_cache ("group");
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* tallylog_reset needs to be able to lookup
|
||||||
|
* a valid existing user name,
|
||||||
|
@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (Zflg) {
|
||||||
|
- if (set_seuser (user_name, user_selinux) != 0) {
|
||||||
|
+ if (Zflg && *user_selinux) {
|
||||||
|
+ if (is_selinux_enabled () > 0) {
|
||||||
|
+ if (set_seuser (user_name, user_selinux) != 0) {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||||
|
Prog, user_name, user_selinux);
|
||||||
|
@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
|
||||||
|
"adding SELinux user mapping",
|
||||||
|
user_name, (unsigned int) user_id, 0);
|
||||||
|
#endif /* WITH_AUDIT */
|
||||||
|
- fail_exit (E_SE_UPDATE);
|
||||||
|
+ rv = E_SE_UPDATE;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-#endif /* WITH_SELINUX */
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
- nscd_flush_cache ("passwd");
|
||||||
|
- nscd_flush_cache ("group");
|
||||||
|
+ if (mflg) {
|
||||||
|
+ create_home ();
|
||||||
|
+ if (home_added) {
|
||||||
|
+ copy_tree (def_template, prefix_user_home, false, true,
|
||||||
|
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||||
|
+ } else {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: warning: the home directory already exists.\n"
|
||||||
|
+ "Not copying any file from skel directory into it.\n"),
|
||||||
|
+ Prog);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Do not create mail directory for system accounts */
|
||||||
|
+ if (!rflg) {
|
||||||
|
+ create_mail ();
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- return E_SUCCESS;
|
||||||
|
+ return rv;
|
||||||
|
}
|
||||||
|
|
641
SOURCES/shadow-4.6-sssd-flush.patch
Normal file
641
SOURCES/shadow-4.6-sssd-flush.patch
Normal file
@ -0,0 +1,641 @@
|
|||||||
|
From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jakub.hrozek@posteo.se>
|
||||||
|
Date: Wed, 12 Sep 2018 14:22:11 +0200
|
||||||
|
Subject: [PATCH] Flush sssd caches in addition to nscd caches
|
||||||
|
|
||||||
|
Some distributions, notably Fedora, have the following order of nsswitch
|
||||||
|
modules by default:
|
||||||
|
passwd: sss files
|
||||||
|
group: sss files
|
||||||
|
|
||||||
|
The advantage of serving local users through SSSD is that the nss_sss
|
||||||
|
module has a fast mmapped-cache that speeds up NSS lookups compared to
|
||||||
|
accessing the disk an opening the files on each NSS request.
|
||||||
|
|
||||||
|
Traditionally, this has been done with the help of nscd, but using nscd
|
||||||
|
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
|
||||||
|
independent caching, so using nscd in setups where sssd is also serving
|
||||||
|
users from some remote domain (LDAP, AD, ...) can result in a bit of
|
||||||
|
unpredictability.
|
||||||
|
|
||||||
|
More details about why Fedora chose to use sss before files can be found
|
||||||
|
on e.g.:
|
||||||
|
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
|
||||||
|
or:
|
||||||
|
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
|
||||||
|
|
||||||
|
Now, even though sssd watches the passwd and group files with the help
|
||||||
|
of inotify, there can still be a small window where someone requests a
|
||||||
|
user or a group, finds that it doesn't exist, adds the entry and checks
|
||||||
|
again. Without some support in shadow-utils that would explicitly drop
|
||||||
|
the sssd caches, the inotify watch can fire a little late, so a
|
||||||
|
combination of commands like this:
|
||||||
|
getent passwd user || useradd user; getent passwd user
|
||||||
|
can result in the second getent passwd not finding the newly added user
|
||||||
|
as the racy behaviour might still return the cached negative hit from
|
||||||
|
the first getent passwd.
|
||||||
|
|
||||||
|
This patch more or less copies the already existing support that
|
||||||
|
shadow-utils had for dropping nscd caches, except using the "sss_cache"
|
||||||
|
tool that sssd ships.
|
||||||
|
---
|
||||||
|
configure.ac | 10 +++++++
|
||||||
|
lib/Makefile.am | 2 ++
|
||||||
|
lib/commonio.c | 2 ++
|
||||||
|
lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
lib/sssd.h | 17 +++++++++++
|
||||||
|
src/chfn.c | 2 ++
|
||||||
|
src/chgpasswd.c | 2 ++
|
||||||
|
src/chpasswd.c | 2 ++
|
||||||
|
src/chsh.c | 2 ++
|
||||||
|
src/gpasswd.c | 2 ++
|
||||||
|
src/groupadd.c | 2 ++
|
||||||
|
src/groupdel.c | 2 ++
|
||||||
|
src/groupmod.c | 2 ++
|
||||||
|
src/grpck.c | 2 ++
|
||||||
|
src/grpconv.c | 2 ++
|
||||||
|
src/grpunconv.c | 2 ++
|
||||||
|
src/newusers.c | 2 ++
|
||||||
|
src/passwd.c | 2 ++
|
||||||
|
src/pwck.c | 2 ++
|
||||||
|
src/pwconv.c | 2 ++
|
||||||
|
src/pwunconv.c | 2 ++
|
||||||
|
src/useradd.c | 2 ++
|
||||||
|
src/userdel.c | 2 ++
|
||||||
|
src/usermod.c | 2 ++
|
||||||
|
src/vipw.c | 2 ++
|
||||||
|
25 files changed, 146 insertions(+)
|
||||||
|
create mode 100644 lib/sssd.c
|
||||||
|
create mode 100644 lib/sssd.h
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 41068a5d..10ad70cf 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
|
||||||
|
AC_ARG_WITH(nscd,
|
||||||
|
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
|
||||||
|
[with_nscd=$withval], [with_nscd=yes])
|
||||||
|
+AC_ARG_WITH(sssd,
|
||||||
|
+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
|
||||||
|
+ [with_sssd=$withval], [with_sssd=yes])
|
||||||
|
AC_ARG_WITH(group-name-max-length,
|
||||||
|
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
|
||||||
|
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
|
||||||
|
@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
|
||||||
|
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
|
||||||
|
fi
|
||||||
|
|
||||||
|
+if test "$with_sssd" = "yes"; then
|
||||||
|
+ AC_CHECK_FUNC(posix_spawn,
|
||||||
|
+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
|
||||||
|
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
dnl Check for some functions in libc first, only if not found check for
|
||||||
|
dnl other libraries. This should prevent linking libnsl if not really
|
||||||
|
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
|
||||||
|
@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp"
|
||||||
|
echo " S/Key support: $with_skey"
|
||||||
|
echo " SHA passwords encryption: $with_sha_crypt"
|
||||||
|
echo " nscd support: $with_nscd"
|
||||||
|
+echo " sssd support: $with_sssd"
|
||||||
|
echo " subordinate IDs support: $enable_subids"
|
||||||
|
echo
|
||||||
|
diff --git a/lib/Makefile.am b/lib/Makefile.am
|
||||||
|
index 6db86cd6..fd634542 100644
|
||||||
|
--- a/lib/Makefile.am
|
||||||
|
+++ b/lib/Makefile.am
|
||||||
|
@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
|
||||||
|
lockpw.c \
|
||||||
|
nscd.c \
|
||||||
|
nscd.h \
|
||||||
|
+ sssd.c \
|
||||||
|
+ sssd.h \
|
||||||
|
pam_defs.h \
|
||||||
|
port.c \
|
||||||
|
port.h \
|
||||||
|
diff --git a/lib/commonio.c b/lib/commonio.c
|
||||||
|
index d06b8e7d..96f2d5f7 100644
|
||||||
|
--- a/lib/commonio.c
|
||||||
|
+++ b/lib/commonio.c
|
||||||
|
@@ -45,6 +45,7 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <signal.h>
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#ifdef WITH_TCB
|
||||||
|
#include <tcb.h>
|
||||||
|
#endif /* WITH_TCB */
|
||||||
|
@@ -485,6 +486,7 @@ static void dec_lock_count (void)
|
||||||
|
if (nscd_need_reload) {
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
nscd_need_reload = false;
|
||||||
|
}
|
||||||
|
#ifdef HAVE_LCKPWDF
|
||||||
|
diff --git a/lib/sssd.c b/lib/sssd.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..80e49e55
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/lib/sssd.c
|
||||||
|
@@ -0,0 +1,75 @@
|
||||||
|
+/* Author: Peter Vrabec <pvrabec@redhat.com> */
|
||||||
|
+
|
||||||
|
+#include <config.h>
|
||||||
|
+#ifdef USE_SSSD
|
||||||
|
+
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <sys/wait.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include "exitcodes.h"
|
||||||
|
+#include "defines.h"
|
||||||
|
+#include "prototypes.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
+
|
||||||
|
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
|
||||||
|
+
|
||||||
|
+int sssd_flush_cache (int dbflags)
|
||||||
|
+{
|
||||||
|
+ int status, code, rv;
|
||||||
|
+ const char *cmd = "/usr/sbin/sss_cache";
|
||||||
|
+ char *sss_cache_args = NULL;
|
||||||
|
+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
|
||||||
|
+ const char *spawnedEnv[] = {NULL};
|
||||||
|
+ int i = 0;
|
||||||
|
+
|
||||||
|
+ sss_cache_args = malloc(4);
|
||||||
|
+ if (sss_cache_args == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ sss_cache_args[i++] = '-';
|
||||||
|
+ if (dbflags & SSSD_DB_PASSWD) {
|
||||||
|
+ sss_cache_args[i++] = 'U';
|
||||||
|
+ }
|
||||||
|
+ if (dbflags & SSSD_DB_GROUP) {
|
||||||
|
+ sss_cache_args[i++] = 'G';
|
||||||
|
+ }
|
||||||
|
+ sss_cache_args[i++] = '\0';
|
||||||
|
+ if (i == 2) {
|
||||||
|
+ /* Neither passwd nor group, nothing to do */
|
||||||
|
+ free(sss_cache_args);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ spawnedArgs[1] = sss_cache_args;
|
||||||
|
+
|
||||||
|
+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
|
||||||
|
+ free(sss_cache_args);
|
||||||
|
+ if (rv != 0) {
|
||||||
|
+ /* run_command writes its own more detailed message. */
|
||||||
|
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ code = WEXITSTATUS (status);
|
||||||
|
+ if (!WIFEXITED (status)) {
|
||||||
|
+ (void) fprintf (stderr,
|
||||||
|
+ _("%s: sss_cache did not terminate normally (signal %d)\n"),
|
||||||
|
+ Prog, WTERMSIG (status));
|
||||||
|
+ return -1;
|
||||||
|
+ } else if (code == E_CMD_NOTFOUND) {
|
||||||
|
+ /* sss_cache is not installed, or it is installed but uses an
|
||||||
|
+ interpreter that is missing. Probably the former. */
|
||||||
|
+ return 0;
|
||||||
|
+ } else if (code != 0) {
|
||||||
|
+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
|
||||||
|
+ Prog, code);
|
||||||
|
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+#else /* USE_SSSD */
|
||||||
|
+extern int errno; /* warning: ANSI C forbids an empty source file */
|
||||||
|
+#endif /* USE_SSSD */
|
||||||
|
+
|
||||||
|
diff --git a/lib/sssd.h b/lib/sssd.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..00ff2a8a
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/lib/sssd.h
|
||||||
|
@@ -0,0 +1,17 @@
|
||||||
|
+#ifndef _SSSD_H_
|
||||||
|
+#define _SSSD_H_
|
||||||
|
+
|
||||||
|
+#define SSSD_DB_PASSWD 0x001
|
||||||
|
+#define SSSD_DB_GROUP 0x002
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * sssd_flush_cache - flush specified service buffer in sssd cache
|
||||||
|
+ */
|
||||||
|
+#ifdef USE_SSSD
|
||||||
|
+extern int sssd_flush_cache (int dbflags);
|
||||||
|
+#else
|
||||||
|
+#define sssd_flush_cache(service) (0)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
diff --git a/src/chfn.c b/src/chfn.c
|
||||||
|
index 18aa3de7..0725e1c7 100644
|
||||||
|
--- a/src/chfn.c
|
||||||
|
+++ b/src/chfn.c
|
||||||
|
@@ -47,6 +47,7 @@
|
||||||
|
#include "defines.h"
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#ifdef USE_PAM
|
||||||
|
#include "pam_defs.h"
|
||||||
|
#endif
|
||||||
|
@@ -746,6 +747,7 @@ int main (int argc, char **argv)
|
||||||
|
SYSLOG ((LOG_INFO, "changed user '%s' information", user));
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||||
|
|
||||||
|
closelog ();
|
||||||
|
exit (E_SUCCESS);
|
||||||
|
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
|
||||||
|
index 13203a46..e5f2eb7e 100644
|
||||||
|
--- a/src/chgpasswd.c
|
||||||
|
+++ b/src/chgpasswd.c
|
||||||
|
@@ -46,6 +46,7 @@
|
||||||
|
#endif /* ACCT_TOOLS_SETUID */
|
||||||
|
#include "defines.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
@@ -581,6 +582,7 @@ int main (int argc, char **argv)
|
||||||
|
close_files ();
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
diff --git a/src/chpasswd.c b/src/chpasswd.c
|
||||||
|
index 918b27ee..49e79cdb 100644
|
||||||
|
--- a/src/chpasswd.c
|
||||||
|
+++ b/src/chpasswd.c
|
||||||
|
@@ -44,6 +44,7 @@
|
||||||
|
#endif /* USE_PAM */
|
||||||
|
#include "defines.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
@@ -624,6 +625,7 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||||
|
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
diff --git a/src/chsh.c b/src/chsh.c
|
||||||
|
index c89708b9..910e3dd4 100644
|
||||||
|
--- a/src/chsh.c
|
||||||
|
+++ b/src/chsh.c
|
||||||
|
@@ -46,6 +46,7 @@
|
||||||
|
#include "defines.h"
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwauth.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
@@ -557,6 +558,7 @@ int main (int argc, char **argv)
|
||||||
|
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||||
|
|
||||||
|
closelog ();
|
||||||
|
exit (E_SUCCESS);
|
||||||
|
diff --git a/src/gpasswd.c b/src/gpasswd.c
|
||||||
|
index c4a492b1..4d75af96 100644
|
||||||
|
--- a/src/gpasswd.c
|
||||||
|
+++ b/src/gpasswd.c
|
||||||
|
@@ -45,6 +45,7 @@
|
||||||
|
#include "defines.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
#include "sgroupio.h"
|
||||||
|
@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
|
||||||
|
close_files ();
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
exit (E_SUCCESS);
|
||||||
|
}
|
||||||
|
diff --git a/src/groupadd.c b/src/groupadd.c
|
||||||
|
index b57006c5..2dd8eec9 100644
|
||||||
|
--- a/src/groupadd.c
|
||||||
|
+++ b/src/groupadd.c
|
||||||
|
@@ -51,6 +51,7 @@
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
#include "sgroupio.h"
|
||||||
|
@@ -625,6 +626,7 @@ int main (int argc, char **argv)
|
||||||
|
close_files ();
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return E_SUCCESS;
|
||||||
|
}
|
||||||
|
diff --git a/src/groupdel.c b/src/groupdel.c
|
||||||
|
index 70bed010..f941a84a 100644
|
||||||
|
--- a/src/groupdel.c
|
||||||
|
+++ b/src/groupdel.c
|
||||||
|
@@ -49,6 +49,7 @@
|
||||||
|
#include "defines.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
#include "sgroupio.h"
|
||||||
|
@@ -492,6 +493,7 @@ int main (int argc, char **argv)
|
||||||
|
close_files ();
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return E_SUCCESS;
|
||||||
|
}
|
||||||
|
diff --git a/src/groupmod.c b/src/groupmod.c
|
||||||
|
index b293b98f..1dca5fc9 100644
|
||||||
|
--- a/src/groupmod.c
|
||||||
|
+++ b/src/groupmod.c
|
||||||
|
@@ -51,6 +51,7 @@
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
#include "sgroupio.h"
|
||||||
|
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
|
||||||
|
close_files ();
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return E_SUCCESS;
|
||||||
|
}
|
||||||
|
diff --git a/src/grpck.c b/src/grpck.c
|
||||||
|
index ea5d3b39..6140b10d 100644
|
||||||
|
--- a/src/grpck.c
|
||||||
|
+++ b/src/grpck.c
|
||||||
|
@@ -45,6 +45,7 @@
|
||||||
|
#include "defines.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
@@ -870,6 +871,7 @@ int main (int argc, char **argv)
|
||||||
|
close_files (changed);
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Tell the user what we did and exit.
|
||||||
|
diff --git a/src/grpconv.c b/src/grpconv.c
|
||||||
|
index f95f4960..5e5eaaca 100644
|
||||||
|
--- a/src/grpconv.c
|
||||||
|
+++ b/src/grpconv.c
|
||||||
|
@@ -48,6 +48,7 @@
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <getopt.h>
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
/*@-exitarg@*/
|
||||||
|
#include "exitcodes.h"
|
||||||
|
@@ -273,6 +274,7 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff --git a/src/grpunconv.c b/src/grpunconv.c
|
||||||
|
index 253f06f5..e4105c26 100644
|
||||||
|
--- a/src/grpunconv.c
|
||||||
|
+++ b/src/grpunconv.c
|
||||||
|
@@ -48,6 +48,7 @@
|
||||||
|
#include <grp.h>
|
||||||
|
#include <getopt.h>
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
/*@-exitarg@*/
|
||||||
|
#include "exitcodes.h"
|
||||||
|
@@ -236,6 +237,7 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff --git a/src/newusers.c b/src/newusers.c
|
||||||
|
index 8e4bef97..7c3bb1c2 100644
|
||||||
|
--- a/src/newusers.c
|
||||||
|
+++ b/src/newusers.c
|
||||||
|
@@ -62,6 +62,7 @@
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
#include "sgroupio.h"
|
||||||
|
#include "shadowio.h"
|
||||||
|
@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
#ifdef USE_PAM
|
||||||
|
unsigned int i;
|
||||||
|
diff --git a/src/passwd.c b/src/passwd.c
|
||||||
|
index 3af3e651..5bea2765 100644
|
||||||
|
--- a/src/passwd.c
|
||||||
|
+++ b/src/passwd.c
|
||||||
|
@@ -51,6 +51,7 @@
|
||||||
|
#include "defines.h"
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwauth.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
|
||||||
|
closelog ();
|
||||||
|
diff --git a/src/pwck.c b/src/pwck.c
|
||||||
|
index 05df68ec..0ffb711e 100644
|
||||||
|
--- a/src/pwck.c
|
||||||
|
+++ b/src/pwck.c
|
||||||
|
@@ -48,6 +48,7 @@
|
||||||
|
#include "shadowio.h"
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#ifdef WITH_TCB
|
||||||
|
#include "tcbfuncs.h"
|
||||||
|
#endif /* WITH_TCB */
|
||||||
|
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
|
||||||
|
close_files (changed);
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Tell the user what we did and exit.
|
||||||
|
diff --git a/src/pwconv.c b/src/pwconv.c
|
||||||
|
index d6ee31a8..9c69fa13 100644
|
||||||
|
--- a/src/pwconv.c
|
||||||
|
+++ b/src/pwconv.c
|
||||||
|
@@ -72,6 +72,7 @@
|
||||||
|
#include "pwio.h"
|
||||||
|
#include "shadowio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* exit status values
|
||||||
|
@@ -328,6 +329,7 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||||
|
|
||||||
|
return E_SUCCESS;
|
||||||
|
}
|
||||||
|
diff --git a/src/pwunconv.c b/src/pwunconv.c
|
||||||
|
index fabf0237..e11ea494 100644
|
||||||
|
--- a/src/pwunconv.c
|
||||||
|
+++ b/src/pwunconv.c
|
||||||
|
@@ -42,6 +42,7 @@
|
||||||
|
#include <getopt.h>
|
||||||
|
#include "defines.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
#include "shadowio.h"
|
||||||
|
@@ -250,6 +251,7 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff --git a/src/useradd.c b/src/useradd.c
|
||||||
|
index ca90f076..b0c2224d 100644
|
||||||
|
--- a/src/useradd.c
|
||||||
|
+++ b/src/useradd.c
|
||||||
|
@@ -60,6 +60,7 @@
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwauth.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* tallylog_reset needs to be able to lookup
|
||||||
|
diff --git a/src/userdel.c b/src/userdel.c
|
||||||
|
index c8de1d31..0715e4fe 100644
|
||||||
|
--- a/src/userdel.c
|
||||||
|
+++ b/src/userdel.c
|
||||||
|
@@ -53,6 +53,7 @@
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwauth.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
|
||||||
|
}
|
||||||
|
diff --git a/src/usermod.c b/src/usermod.c
|
||||||
|
index 7355ad31..fd9a98a6 100644
|
||||||
|
--- a/src/usermod.c
|
||||||
|
+++ b/src/usermod.c
|
||||||
|
@@ -57,6 +57,7 @@
|
||||||
|
#include "getdef.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwauth.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
if (Zflg) {
|
||||||
|
diff --git a/src/vipw.c b/src/vipw.c
|
||||||
|
index 6d730f65..2cfac6b4 100644
|
||||||
|
--- a/src/vipw.c
|
||||||
|
+++ b/src/vipw.c
|
||||||
|
@@ -42,6 +42,7 @@
|
||||||
|
#include "defines.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "nscd.h"
|
||||||
|
+#include "sssd.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
#include "sgroupio.h"
|
||||||
|
@@ -556,6 +557,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
nscd_flush_cache ("passwd");
|
||||||
|
nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
|
||||||
|
return E_SUCCESS;
|
||||||
|
}
|
34
SOURCES/shadow-4.6-sysugid-min-limit.patch
Normal file
34
SOURCES/shadow-4.6-sysugid-min-limit.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c
|
||||||
|
--- shadow-4.6/libmisc/find_new_gid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
|
||||||
|
+++ shadow-4.6/libmisc/find_new_gid.c 2018-11-06 10:51:20.554963292 +0100
|
||||||
|
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_group, g
|
||||||
|
(unsigned long) *max_id);
|
||||||
|
return EINVAL;
|
||||||
|
}
|
||||||
|
+ /*
|
||||||
|
+ * Zero is reserved for root and the allocation algorithm does not
|
||||||
|
+ * work right with it.
|
||||||
|
+ */
|
||||||
|
+ if (*min_id == 0) {
|
||||||
|
+ *min_id = (gid_t) 1;
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
/* Non-system groups */
|
||||||
|
|
||||||
|
diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c
|
||||||
|
--- shadow-4.6/libmisc/find_new_uid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
|
||||||
|
+++ shadow-4.6/libmisc/find_new_uid.c 2018-11-06 10:51:39.341399569 +0100
|
||||||
|
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_user, ui
|
||||||
|
(unsigned long) *max_id);
|
||||||
|
return EINVAL;
|
||||||
|
}
|
||||||
|
+ /*
|
||||||
|
+ * Zero is reserved for root and the allocation algorithm does not
|
||||||
|
+ * work right with it.
|
||||||
|
+ */
|
||||||
|
+ if (*min_id == 0) {
|
||||||
|
+ *min_id = (uid_t) 1;
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
/* Non-system users */
|
||||||
|
|
31
SOURCES/shadow-4.6-use-itstool.patch
Normal file
31
SOURCES/shadow-4.6-use-itstool.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
|
||||||
|
--- shadow-4.6/man/generate_translations.mak.use-itstool 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/man/generate_translations.mak 2018-07-31 16:42:21.623990969 +0200
|
||||||
|
@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
|
||||||
|
$(MAKE) -C .. config.xml
|
||||||
|
cp ../config.xml $@
|
||||||
|
|
||||||
|
-%.xml: ../%.xml ../po/$(LANG).po
|
||||||
|
- xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
|
||||||
|
+messages.mo: ../po/$(LANG).po
|
||||||
|
+ msgfmt ../po/$(LANG).po -o messages.mo
|
||||||
|
+
|
||||||
|
+login.defs.d:
|
||||||
|
+ ln -sf ../login.defs.d login.defs.d
|
||||||
|
+
|
||||||
|
+%.xml: ../%.xml messages.mo login.defs.d
|
||||||
|
+ if grep -q SHADOW-CONFIG-HERE $< ; then \
|
||||||
|
+ sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
|
||||||
|
+ else \
|
||||||
|
+ sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
|
||||||
|
+ fi
|
||||||
|
+ itstool -d -l $(LANG) -m messages.mo -o . $@
|
||||||
|
sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
|
||||||
|
|
||||||
|
include ../generate_mans.mak
|
||||||
|
@@ -16,4 +27,4 @@ $(man_MANS):
|
||||||
|
@echo you need to run configure with --enable-man to generate man pages
|
||||||
|
endif
|
||||||
|
|
||||||
|
-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
|
||||||
|
+CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
|
190
SOURCES/shadow-4.6-use-lckpwdf.patch
Normal file
190
SOURCES/shadow-4.6-use-lckpwdf.patch
Normal file
@ -0,0 +1,190 @@
|
|||||||
|
commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
|
||||||
|
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu May 2 14:33:06 2019 +0200
|
||||||
|
|
||||||
|
Use the lckpwdf() again if prefix is not set
|
||||||
|
|
||||||
|
The implementation of prefix option dropped the use of lckpwdf().
|
||||||
|
However that is incorrect as other tools manipulating the shadow passwords
|
||||||
|
such as PAM use lckpwdf() and do not know anything about the
|
||||||
|
shadow's own locking mechanism.
|
||||||
|
|
||||||
|
This reverts the implementation to use lckpwdf() if prefix option
|
||||||
|
is not used.
|
||||||
|
|
||||||
|
diff --git a/lib/commonio.c b/lib/commonio.c
|
||||||
|
index 26e518f2..94dda779 100644
|
||||||
|
--- a/lib/commonio.c
|
||||||
|
+++ b/lib/commonio.c
|
||||||
|
@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
|
||||||
|
int commonio_setname (struct commonio_db *db, const char *name)
|
||||||
|
{
|
||||||
|
snprintf (db->filename, sizeof (db->filename), "%s", name);
|
||||||
|
+ db->setname = true;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -414,37 +415,39 @@ cleanup_ENOMEM:
|
||||||
|
|
||||||
|
int commonio_lock (struct commonio_db *db)
|
||||||
|
{
|
||||||
|
-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
|
||||||
|
-#if 0
|
||||||
|
- /*
|
||||||
|
- * only if the system libc has a real lckpwdf() - the one from
|
||||||
|
- * lockpw.c calls us and would cause infinite recursion!
|
||||||
|
- */
|
||||||
|
+ int i;
|
||||||
|
|
||||||
|
+#ifdef HAVE_LCKPWDF
|
||||||
|
/*
|
||||||
|
- * Call lckpwdf() on the first lock.
|
||||||
|
- * If it succeeds, call *_lock() only once
|
||||||
|
- * (no retries, it should always succeed).
|
||||||
|
+ * Only if the system libc has a real lckpwdf() - the one from
|
||||||
|
+ * lockpw.c calls us and would cause infinite recursion!
|
||||||
|
+ * It is also not used with the prefix option.
|
||||||
|
*/
|
||||||
|
- if (0 == lock_count) {
|
||||||
|
- if (lckpwdf () == -1) {
|
||||||
|
- if (geteuid () != 0) {
|
||||||
|
- (void) fprintf (stderr,
|
||||||
|
- "%s: Permission denied.\n",
|
||||||
|
- Prog);
|
||||||
|
+ if (!db->setname) {
|
||||||
|
+ /*
|
||||||
|
+ * Call lckpwdf() on the first lock.
|
||||||
|
+ * If it succeeds, call *_lock() only once
|
||||||
|
+ * (no retries, it should always succeed).
|
||||||
|
+ */
|
||||||
|
+ if (0 == lock_count) {
|
||||||
|
+ if (lckpwdf () == -1) {
|
||||||
|
+ if (geteuid () != 0) {
|
||||||
|
+ (void) fprintf (stderr,
|
||||||
|
+ "%s: Permission denied.\n",
|
||||||
|
+ Prog);
|
||||||
|
+ }
|
||||||
|
+ return 0; /* failure */
|
||||||
|
}
|
||||||
|
- return 0; /* failure */
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
|
||||||
|
- if (commonio_lock_nowait (db, true) != 0) {
|
||||||
|
- return 1; /* success */
|
||||||
|
- }
|
||||||
|
+ if (commonio_lock_nowait (db, true) != 0) {
|
||||||
|
+ return 1; /* success */
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- ulckpwdf ();
|
||||||
|
- return 0; /* failure */
|
||||||
|
-#else /* !HAVE_LCKPWDF */
|
||||||
|
- int i;
|
||||||
|
+ ulckpwdf ();
|
||||||
|
+ return 0; /* failure */
|
||||||
|
+ }
|
||||||
|
+#endif /* !HAVE_LCKPWDF */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* lckpwdf() not used - do it the old way.
|
||||||
|
@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0; /* failure */
|
||||||
|
-#endif /* !HAVE_LCKPWDF */
|
||||||
|
}
|
||||||
|
|
||||||
|
static void dec_lock_count (void)
|
||||||
|
diff --git a/lib/commonio.h b/lib/commonio.h
|
||||||
|
index 40e5708f..64e83073 100644
|
||||||
|
--- a/lib/commonio.h
|
||||||
|
+++ b/lib/commonio.h
|
||||||
|
@@ -143,6 +143,7 @@ struct commonio_db {
|
||||||
|
bool isopen:1;
|
||||||
|
bool locked:1;
|
||||||
|
bool readonly:1;
|
||||||
|
+ bool setname:1;
|
||||||
|
};
|
||||||
|
|
||||||
|
extern int commonio_setname (struct commonio_db *, const char *);
|
||||||
|
diff --git a/lib/groupio.c b/lib/groupio.c
|
||||||
|
index ae2302b5..bffb06e0 100644
|
||||||
|
--- a/lib/groupio.c
|
||||||
|
+++ b/lib/groupio.c
|
||||||
|
@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
|
||||||
|
false, /* changed */
|
||||||
|
false, /* isopen */
|
||||||
|
false, /* locked */
|
||||||
|
- false /* readonly */
|
||||||
|
+ false, /* readonly */
|
||||||
|
+ false /* setname */
|
||||||
|
};
|
||||||
|
|
||||||
|
int gr_setdbname (const char *filename)
|
||||||
|
diff --git a/lib/pwio.c b/lib/pwio.c
|
||||||
|
index 7ee85377..127719cb 100644
|
||||||
|
--- a/lib/pwio.c
|
||||||
|
+++ b/lib/pwio.c
|
||||||
|
@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
|
||||||
|
false, /* changed */
|
||||||
|
false, /* isopen */
|
||||||
|
false, /* locked */
|
||||||
|
- false /* readonly */
|
||||||
|
+ false, /* readonly */
|
||||||
|
+ false /* setname */
|
||||||
|
};
|
||||||
|
|
||||||
|
int pw_setdbname (const char *filename)
|
||||||
|
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
|
||||||
|
index 5423626a..ffbdb263 100644
|
||||||
|
--- a/lib/sgroupio.c
|
||||||
|
+++ b/lib/sgroupio.c
|
||||||
|
@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
|
||||||
|
false, /* changed */
|
||||||
|
false, /* isopen */
|
||||||
|
false, /* locked */
|
||||||
|
- false /* readonly */
|
||||||
|
+ false, /* readonly */
|
||||||
|
+ false /* setname */
|
||||||
|
};
|
||||||
|
|
||||||
|
int sgr_setdbname (const char *filename)
|
||||||
|
diff --git a/lib/shadowio.c b/lib/shadowio.c
|
||||||
|
index 5fa3d312..676b1f1a 100644
|
||||||
|
--- a/lib/shadowio.c
|
||||||
|
+++ b/lib/shadowio.c
|
||||||
|
@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
|
||||||
|
false, /* changed */
|
||||||
|
false, /* isopen */
|
||||||
|
false, /* locked */
|
||||||
|
- false /* readonly */
|
||||||
|
+ false, /* readonly */
|
||||||
|
+ false /* setname */
|
||||||
|
};
|
||||||
|
|
||||||
|
int spw_setdbname (const char *filename)
|
||||||
|
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
|
||||||
|
index a662e67e..dd779c59 100644
|
||||||
|
--- a/lib/subordinateio.c
|
||||||
|
+++ b/lib/subordinateio.c
|
||||||
|
@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
|
||||||
|
false, /* changed */
|
||||||
|
false, /* isopen */
|
||||||
|
false, /* locked */
|
||||||
|
- false /* readonly */
|
||||||
|
+ false, /* readonly */
|
||||||
|
+ false /* setname */
|
||||||
|
};
|
||||||
|
|
||||||
|
int sub_uid_setdbname (const char *filename)
|
||||||
|
@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
|
||||||
|
false, /* changed */
|
||||||
|
false, /* isopen */
|
||||||
|
false, /* locked */
|
||||||
|
- false /* readonly */
|
||||||
|
+ false, /* readonly */
|
||||||
|
+ false /* setname */
|
||||||
|
};
|
||||||
|
|
||||||
|
int sub_gid_setdbname (const char *filename)
|
42
SOURCES/shadow-4.6-usermod-crash.patch
Normal file
42
SOURCES/shadow-4.6-usermod-crash.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
|
||||||
|
--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200
|
||||||
|
+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200
|
||||||
|
@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
|
||||||
|
{
|
||||||
|
long long int gid;
|
||||||
|
char *endptr;
|
||||||
|
+ struct group *g;
|
||||||
|
|
||||||
|
if (NULL == grname) {
|
||||||
|
return NULL;
|
||||||
|
@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
|
||||||
|
&& (gid == (gid_t)gid)) {
|
||||||
|
return prefix_getgrgid ((gid_t) gid);
|
||||||
|
}
|
||||||
|
- return prefix_getgrnam (grname);
|
||||||
|
+ g = prefix_getgrnam (grname);
|
||||||
|
+ return g ? __gr_dup(g) : NULL;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
return getgr_nam_gid(grname);
|
||||||
|
diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
|
||||||
|
--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200
|
||||||
|
+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200
|
||||||
|
@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
|
||||||
|
prefix_user_home = xmalloc(len);
|
||||||
|
wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
|
||||||
|
assert (wlen == (int) len -1);
|
||||||
|
+ if (user_newhome) {
|
||||||
|
+ len = strlen(prefix) + strlen(user_newhome) + 2;
|
||||||
|
+ prefix_user_newhome = xmalloc(len);
|
||||||
|
+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
|
||||||
|
+ assert (wlen == (int) len -1);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- len = strlen(prefix) + strlen(user_newhome) + 2;
|
||||||
|
- prefix_user_newhome = xmalloc(len);
|
||||||
|
- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
|
||||||
|
- assert (wlen == (int) len -1);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
prefix_user_home = user_home;
|
11
SOURCES/shadow-4.6.tar.xz.asc
Normal file
11
SOURCES/shadow-4.6.tar.xz.asc
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAlrncOkACgkQ6f7qBqhe
|
||||||
|
P52UGAf/eOnoIYIZ52y72iMxeNfQMTMjYTZd1YrtjlK0RQKquK7FrCOg91MvOF2B
|
||||||
|
hLVKu2OU7mzuPTMSAraAxjXLkrM0E3vFjMtu1fHBGlGTMspAfik/9Gu9qoevAKXy
|
||||||
|
BRqgN5m5HMfoGPeEjzILzaGq8bnPKIOfJ0iAYVkjjIa73Vn20uTmNgNZIRqHqwfw
|
||||||
|
5GUFHn6cjQXFcQ3ngywgwQD7/h/65w8dBbGysF551sAqzPJRbneQL9Wtklcqi1ub
|
||||||
|
55NyF0ifT67RqMh+EyxhuhXP1Hi57PTEAeqaFMFxnPlQPb+8pQ8nszWBmI+vUN8D
|
||||||
|
FmhwCtSTnmKlj0jeAqevmkijJhGPQQ==
|
||||||
|
=fk/F
|
||||||
|
-----END PGP SIGNATURE-----
|
32
SOURCES/shadow-bsd.txt
Normal file
32
SOURCES/shadow-bsd.txt
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 1990 - 1994, Julianne Frances Haugh
|
||||||
|
* Copyright (c) 1996 - 2000, Marek Michałkiewicz
|
||||||
|
* Copyright (c) 2000 - 2006, Tomasz Kłoczko
|
||||||
|
* Copyright (c) 2007 - 2011, Nicolas François
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
* 3. The name of the copyright holders or contributors may not be used to
|
||||||
|
* endorse or promote products derived from this software without
|
||||||
|
* specific prior written permission.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||||
|
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
* HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
72
SOURCES/shadow-utils.login.defs
Normal file
72
SOURCES/shadow-utils.login.defs
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
#
|
||||||
|
# Please note that the parameters in this configuration file control the
|
||||||
|
# behavior of the tools from the shadow-utils component. None of these
|
||||||
|
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
||||||
|
# passwd command) should therefore be configured elsewhere. Refer to
|
||||||
|
# /etc/pam.d/system-auth for more information.
|
||||||
|
#
|
||||||
|
|
||||||
|
# *REQUIRED*
|
||||||
|
# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||||
|
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
|
||||||
|
# QMAIL_DIR is for Qmail
|
||||||
|
#
|
||||||
|
#QMAIL_DIR Maildir
|
||||||
|
MAIL_DIR /var/spool/mail
|
||||||
|
#MAIL_FILE .mail
|
||||||
|
|
||||||
|
# Password aging controls:
|
||||||
|
#
|
||||||
|
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||||
|
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
||||||
|
# PASS_MIN_LEN Minimum acceptable password length.
|
||||||
|
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||||
|
#
|
||||||
|
PASS_MAX_DAYS 99999
|
||||||
|
PASS_MIN_DAYS 0
|
||||||
|
PASS_MIN_LEN 5
|
||||||
|
PASS_WARN_AGE 7
|
||||||
|
|
||||||
|
#
|
||||||
|
# Min/max values for automatic uid selection in useradd
|
||||||
|
#
|
||||||
|
UID_MIN 1000
|
||||||
|
UID_MAX 60000
|
||||||
|
# System accounts
|
||||||
|
SYS_UID_MIN 201
|
||||||
|
SYS_UID_MAX 999
|
||||||
|
|
||||||
|
#
|
||||||
|
# Min/max values for automatic gid selection in groupadd
|
||||||
|
#
|
||||||
|
GID_MIN 1000
|
||||||
|
GID_MAX 60000
|
||||||
|
# System accounts
|
||||||
|
SYS_GID_MIN 201
|
||||||
|
SYS_GID_MAX 999
|
||||||
|
|
||||||
|
#
|
||||||
|
# If defined, this command is run when removing a user.
|
||||||
|
# It should remove any at/cron/print jobs etc. owned by
|
||||||
|
# the user to be removed (passed as the first argument).
|
||||||
|
#
|
||||||
|
#USERDEL_CMD /usr/sbin/userdel_local
|
||||||
|
|
||||||
|
#
|
||||||
|
# If useradd should create home directories for users by default
|
||||||
|
# On RH systems, we do. This option is overridden with the -m flag on
|
||||||
|
# useradd command line.
|
||||||
|
#
|
||||||
|
CREATE_HOME yes
|
||||||
|
|
||||||
|
# The permission mask is initialized to this value. If not specified,
|
||||||
|
# the permission mask will be initialized to 022.
|
||||||
|
UMASK 077
|
||||||
|
|
||||||
|
# This enables userdel to remove user groups if no members exist.
|
||||||
|
#
|
||||||
|
USERGROUPS_ENAB yes
|
||||||
|
|
||||||
|
# Use SHA512 to encrypt password.
|
||||||
|
ENCRYPT_METHOD SHA512
|
||||||
|
|
9
SOURCES/shadow-utils.useradd
Normal file
9
SOURCES/shadow-utils.useradd
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
# useradd defaults file
|
||||||
|
GROUP=100
|
||||||
|
HOME=/home
|
||||||
|
INACTIVE=-1
|
||||||
|
EXPIRE=
|
||||||
|
SHELL=/bin/bash
|
||||||
|
SKEL=/etc/skel
|
||||||
|
CREATE_MAIL_SPOOL=yes
|
||||||
|
|
1193
SPECS/shadow-utils.spec
Normal file
1193
SPECS/shadow-utils.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user