update to current upstream release 4.8

This commit is contained in:
Tomas Mraz 2020-01-13 11:46:38 +01:00
parent 36709cd2d7
commit b76250c68a
22 changed files with 744 additions and 1993 deletions

2
.gitignore vendored
View File

@ -10,3 +10,5 @@ shadow-4.1.4.2.tar.bz2
/shadow-4.5.tar.xz.asc /shadow-4.5.tar.xz.asc
/shadow-4.6.tar.xz /shadow-4.6.tar.xz
/shadow-4.6.tar.xz.asc /shadow-4.6.tar.xz.asc
/shadow-4.8.tar.xz
/shadow-4.8.tar.xz.asc

View File

@ -1,16 +0,0 @@
Index: shadow-4.5/lib/commonio.c
===================================================================
--- shadow-4.5.orig/lib/commonio.c
+++ shadow-4.5/lib/commonio.c
@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
int retval;
char buf[32];
- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
+ /* We depend here on the fact, that the file name is pid-specific.
+ * So no O_EXCL here and no DoS.
+ */
+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
if (-1 == fd) {
if (log) {
(void) fprintf (stderr,

View File

@ -1,41 +0,0 @@
Index: shadow-4.5/configure.ac
===================================================================
--- shadow-4.5.orig/configure.ac
+++ shadow-4.5/configure.ac
@@ -32,9 +32,9 @@ AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_HEADER_STDBOOL
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
attr/error_context.h)
Index: shadow-4.5/lib/defines.h
===================================================================
--- shadow-4.5.orig/lib/defines.h
+++ shadow-4.5/lib/defines.h
@@ -4,6 +4,8 @@
#ifndef _DEFINES_H_
#define _DEFINES_H_
+#include "config.h"
+
#if HAVE_STDBOOL_H
# include <stdbool.h>
#else
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
# include <unistd.h>
#endif
+#if HAVE_CRYPT_H
+# include <crypt.h> /* crypt(3) may be defined in here */
+#endif
+
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>

View File

@ -1,44 +0,0 @@
diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
--- shadow-4.6/man/usermod.8.xml.chgrp-guard 2018-11-06 09:08:54.170095358 +0100
+++ shadow-4.6/man/usermod.8.xml 2018-12-18 15:24:12.283181180 +0100
@@ -195,6 +195,12 @@
The group ownership of files outside of the user's home directory
must be fixed manually.
</para>
+ <para>
+ The change of the group ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -372,6 +378,12 @@
must be fixed manually.
</para>
<para>
+ The change of the user ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
+ <para>
No checks will be performed with regard to the
<option>UID_MIN</option>, <option>UID_MAX</option>,
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.chgrp-guard 2018-12-18 15:24:12.286181249 +0100
+++ shadow-4.6/src/usermod.c 2018-12-18 15:26:51.227841435 +0100
@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
}
if (!mflg && (uflg || gflg)) {
- if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
+ struct stat sb;
+
+ if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
/*
* Change the UID on all of the files owned by
* `user_id' to `user_newid' in the user's home

View File

@ -1,223 +0,0 @@
diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200
+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200
@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
char* lock = NULL;
size_t lock_file_len;
size_t file_len;
- int err;
+ int err = 0;
if (db->locked) {
return 1;
@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
file = (char*)malloc(file_len);
if(file == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
lock = (char*)malloc(lock_file_len);
if(lock == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
snprintf (file, file_len, "%s.%lu",
diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200
@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
static bool is_listed (const char *cfgin, const char *tty, bool def)
{
FILE *fp;
- char buf[200], *s;
+ char buf[1024], *s;
const char *cons;
/*
@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
if (*cons != '/') {
char *pbuf;
- strcpy (buf, cons);
+ strncpy (buf, cons, sizeof (buf));
+ buf[sizeof (buf) - 1] = '\0';
pbuf = &buf[0];
while ((s = strtok (pbuf, ":")) != NULL) {
if (strcmp (s, tty) == 0) {
diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200
@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
do {
wpid = waitpid (pid, status, 0);
} while ( ((pid_t)-1 == wpid && errno == EINTR)
- || (wpid != pid));
+ || ((pid_t)-1 != wpid && wpid != pid));
if ((pid_t)-1 == wpid) {
fprintf (stderr, "%s: waitpid (status: %d): %s\n",
diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200
+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200
@@ -314,7 +314,7 @@ static void fail_exit (int code)
static void get_defaults (void)
{
FILE *fp;
- char* default_file = USER_DEFAULTS_FILE;
+ char *default_file = USER_DEFAULTS_FILE;
char buf[1024];
char *cp;
@@ -324,6 +324,8 @@ static void get_defaults (void)
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL)
+ return;
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -334,7 +336,7 @@ static void get_defaults (void)
fp = fopen (default_file, "r");
if (NULL == fp) {
- return;
+ goto getdef_err;
}
/*
@@ -445,7 +447,7 @@ static void get_defaults (void)
}
}
(void) fclose (fp);
-
+ getdef_err:
if(prefix[0]) {
free(default_file);
}
@@ -480,8 +482,8 @@ static int set_defaults (void)
FILE *ifp;
FILE *ofp;
char buf[1024];
- char* new_file = NEW_USER_FILE;
- char* default_file = USER_DEFAULTS_FILE;
+ char *new_file = NULL;
+ char *default_file = USER_DEFAULTS_FILE;
char *cp;
int ofd;
int wlen;
@@ -492,17 +494,30 @@ static int set_defaults (void)
bool out_shell = false;
bool out_skel = false;
bool out_create_mail_spool = false;
+ size_t len;
+ int ret = -1;
- if(prefix[0]) {
- size_t len;
- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
- new_file = malloc(len);
- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
- assert (wlen == (int) len -1);
+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
+ new_file = malloc(len);
+ if (new_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ return -1;
+ }
+ wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
+ assert (wlen <= (int) len -1);
+ if(prefix[0]) {
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ goto setdef_err;
+ }
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -515,7 +530,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot create new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
ofp = fdopen (ofd, "w");
@@ -523,7 +538,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot open new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
/*
@@ -550,7 +565,7 @@ static int set_defaults (void)
_("%s: line too long in %s: %s..."),
Prog, default_file, buf);
(void) fclose (ifp);
- return -1;
+ goto setdef_err;
}
}
@@ -614,7 +629,7 @@ static int set_defaults (void)
|| (fsync (fileno (ofp)) != 0)
|| (fclose (ofp) != 0)) {
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -629,7 +644,7 @@ static int set_defaults (void)
_("%s: Cannot create backup file (%s): %s\n"),
Prog, buf, strerror (err));
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -640,11 +655,11 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: rename: %s: %s\n"),
Prog, new_file, strerror (err));
- return -1;
+ goto setdef_err;
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USYS_CONFIG, Prog,
- "changing-useradd-defaults",
+ "changing useradd defaults",
NULL, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
@@ -654,13 +669,14 @@ static int set_defaults (void)
(unsigned int) def_group, def_home, def_shell,
def_inactive, def_expire, def_template,
def_create_mail_spool));
-
+ ret = 0;
+ setdef_err:
+ free(new_file);
if(prefix[0]) {
- free(new_file);
free(default_file);
}
- return 0;
+ return ret;
}
/*

View File

@ -1,11 +0,0 @@
diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
{"MAIL_DIR", NULL},

View File

@ -1,128 +0,0 @@
diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200
@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s-", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s+", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
*/
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
free (oldlink);
return -1;
}
@@ -684,7 +684,7 @@ static int copy_special (const char *src
int err = 0;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
return -1;
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200
@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
/* selinux.c */
#ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
extern int reset_selinux_file_context (void);
#endif
diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200
@@ -50,7 +50,7 @@ static bool selinux_enabled;
* Callers may have to Reset SELinux to create files with default
* contexts with reset_selinux_file_context
*/
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
{
/*@null@*/security_context_t scontext = NULL;
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
if (selinux_enabled) {
/* Get the default security context for this file */
if (matchpathcon (dst_name, 0, &scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
+ /* We could not get the default, copy the original */
+ if (orig_name == NULL)
+ goto error;
+ if (getfilecon (orig_name, &scontext) < 0)
+ goto error;
}
/* Set the security context for the next created file */
- if (setfscreatecon (scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
- }
+ if (setfscreatecon (scontext) < 0)
+ goto error;
freecon (scontext);
}
return 0;
+ error:
+ if (security_getenforce () != 0) {
+ return 1;
+ }
+ return 0;
}
/*
diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200
@@ -2020,7 +2020,7 @@ static void create_home (void)
{
if (access (prefix_user_home, F_OK) != 0) {
#ifdef WITH_SELINUX
- if (set_selinux_file_context (prefix_user_home) != 0) {
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
fprintf (stderr,
_("%s: cannot set SELinux context for home directory %s\n"),
Prog, user_home);

View File

@ -1,115 +0,0 @@
diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200
@@ -2120,6 +2120,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory already exists.\n"
- "Not copying any file from skel directory into it.\n"),
- Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
}
#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
"adding SELinux user mapping",
user_name, (unsigned int) user_id, 0);
#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ rv = E_SE_UPDATE;
+ }
}
}
-#endif /* WITH_SELINUX */
+#endif
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory already exists.\n"
+ "Not copying any file from skel directory into it.\n"),
+ Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
- return E_SUCCESS;
+ return rv;
}

View File

@ -1,641 +0,0 @@
From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed, 12 Sep 2018 14:22:11 +0200
Subject: [PATCH] Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
passwd: sss files
group: sss files
The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.
Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.
More details about why Fedora chose to use sss before files can be found
on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.
This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
---
configure.ac | 10 +++++++
lib/Makefile.am | 2 ++
lib/commonio.c | 2 ++
lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
lib/sssd.h | 17 +++++++++++
src/chfn.c | 2 ++
src/chgpasswd.c | 2 ++
src/chpasswd.c | 2 ++
src/chsh.c | 2 ++
src/gpasswd.c | 2 ++
src/groupadd.c | 2 ++
src/groupdel.c | 2 ++
src/groupmod.c | 2 ++
src/grpck.c | 2 ++
src/grpconv.c | 2 ++
src/grpunconv.c | 2 ++
src/newusers.c | 2 ++
src/passwd.c | 2 ++
src/pwck.c | 2 ++
src/pwconv.c | 2 ++
src/pwunconv.c | 2 ++
src/useradd.c | 2 ++
src/userdel.c | 2 ++
src/usermod.c | 2 ++
src/vipw.c | 2 ++
25 files changed, 146 insertions(+)
create mode 100644 lib/sssd.c
create mode 100644 lib/sssd.h
diff --git a/configure.ac b/configure.ac
index 41068a5d..10ad70cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
AC_ARG_WITH(nscd,
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
[with_nscd=$withval], [with_nscd=yes])
+AC_ARG_WITH(sssd,
+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
+ [with_sssd=$withval], [with_sssd=yes])
AC_ARG_WITH(group-name-max-length,
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
fi
+if test "$with_sssd" = "yes"; then
+ AC_CHECK_FUNC(posix_spawn,
+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
+fi
+
dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd"
+echo " sssd support: $with_sssd"
echo " subordinate IDs support: $enable_subids"
echo
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6db86cd6..fd634542 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
lockpw.c \
nscd.c \
nscd.h \
+ sssd.c \
+ sssd.h \
pam_defs.h \
port.c \
port.h \
diff --git a/lib/commonio.c b/lib/commonio.c
index d06b8e7d..96f2d5f7 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -45,6 +45,7 @@
#include <stdio.h>
#include <signal.h>
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include <tcb.h>
#endif /* WITH_TCB */
@@ -485,6 +486,7 @@ static void dec_lock_count (void)
if (nscd_need_reload) {
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
nscd_need_reload = false;
}
#ifdef HAVE_LCKPWDF
diff --git a/lib/sssd.c b/lib/sssd.c
new file mode 100644
index 00000000..80e49e55
--- /dev/null
+++ b/lib/sssd.c
@@ -0,0 +1,75 @@
+/* Author: Peter Vrabec <pvrabec@redhat.com> */
+
+#include <config.h>
+#ifdef USE_SSSD
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include "exitcodes.h"
+#include "defines.h"
+#include "prototypes.h"
+#include "sssd.h"
+
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
+
+int sssd_flush_cache (int dbflags)
+{
+ int status, code, rv;
+ const char *cmd = "/usr/sbin/sss_cache";
+ char *sss_cache_args = NULL;
+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
+ const char *spawnedEnv[] = {NULL};
+ int i = 0;
+
+ sss_cache_args = malloc(4);
+ if (sss_cache_args == NULL) {
+ return -1;
+ }
+
+ sss_cache_args[i++] = '-';
+ if (dbflags & SSSD_DB_PASSWD) {
+ sss_cache_args[i++] = 'U';
+ }
+ if (dbflags & SSSD_DB_GROUP) {
+ sss_cache_args[i++] = 'G';
+ }
+ sss_cache_args[i++] = '\0';
+ if (i == 2) {
+ /* Neither passwd nor group, nothing to do */
+ free(sss_cache_args);
+ return 0;
+ }
+ spawnedArgs[1] = sss_cache_args;
+
+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
+ free(sss_cache_args);
+ if (rv != 0) {
+ /* run_command writes its own more detailed message. */
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ code = WEXITSTATUS (status);
+ if (!WIFEXITED (status)) {
+ (void) fprintf (stderr,
+ _("%s: sss_cache did not terminate normally (signal %d)\n"),
+ Prog, WTERMSIG (status));
+ return -1;
+ } else if (code == E_CMD_NOTFOUND) {
+ /* sss_cache is not installed, or it is installed but uses an
+ interpreter that is missing. Probably the former. */
+ return 0;
+ } else if (code != 0) {
+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
+ Prog, code);
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ return 0;
+}
+#else /* USE_SSSD */
+extern int errno; /* warning: ANSI C forbids an empty source file */
+#endif /* USE_SSSD */
+
diff --git a/lib/sssd.h b/lib/sssd.h
new file mode 100644
index 00000000..00ff2a8a
--- /dev/null
+++ b/lib/sssd.h
@@ -0,0 +1,17 @@
+#ifndef _SSSD_H_
+#define _SSSD_H_
+
+#define SSSD_DB_PASSWD 0x001
+#define SSSD_DB_GROUP 0x002
+
+/*
+ * sssd_flush_cache - flush specified service buffer in sssd cache
+ */
+#ifdef USE_SSSD
+extern int sssd_flush_cache (int dbflags);
+#else
+#define sssd_flush_cache(service) (0)
+#endif
+
+#endif
+
diff --git a/src/chfn.c b/src/chfn.c
index 18aa3de7..0725e1c7 100644
--- a/src/chfn.c
+++ b/src/chfn.c
@@ -47,6 +47,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef USE_PAM
#include "pam_defs.h"
#endif
@@ -746,6 +747,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' information", user));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index 13203a46..e5f2eb7e 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -46,6 +46,7 @@
#endif /* ACCT_TOOLS_SETUID */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "groupio.h"
#ifdef SHADOWGRP
@@ -581,6 +582,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return (0);
}
diff --git a/src/chpasswd.c b/src/chpasswd.c
index 918b27ee..49e79cdb 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -44,6 +44,7 @@
#endif /* USE_PAM */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "getdef.h"
#include "prototypes.h"
#include "pwio.h"
@@ -624,6 +625,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return (0);
}
diff --git a/src/chsh.c b/src/chsh.c
index c89708b9..910e3dd4 100644
--- a/src/chsh.c
+++ b/src/chsh.c
@@ -46,6 +46,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -557,6 +558,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/gpasswd.c b/src/gpasswd.c
index c4a492b1..4d75af96 100644
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
exit (E_SUCCESS);
}
diff --git a/src/groupadd.c b/src/groupadd.c
index b57006c5..2dd8eec9 100644
--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -51,6 +51,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -625,6 +626,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupdel.c b/src/groupdel.c
index 70bed010..f941a84a 100644
--- a/src/groupdel.c
+++ b/src/groupdel.c
@@ -49,6 +49,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -492,6 +493,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupmod.c b/src/groupmod.c
index b293b98f..1dca5fc9 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -51,6 +51,7 @@
#include "groupio.h"
#include "pwio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/grpck.c b/src/grpck.c
index ea5d3b39..6140b10d 100644
--- a/src/grpck.c
+++ b/src/grpck.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
@@ -870,6 +871,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
/*
* Tell the user what we did and exit.
diff --git a/src/grpconv.c b/src/grpconv.c
index f95f4960..5e5eaaca 100644
--- a/src/grpconv.c
+++ b/src/grpconv.c
@@ -48,6 +48,7 @@
#include <unistd.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -273,6 +274,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/grpunconv.c b/src/grpunconv.c
index 253f06f5..e4105c26 100644
--- a/src/grpunconv.c
+++ b/src/grpunconv.c
@@ -48,6 +48,7 @@
#include <grp.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -236,6 +237,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/newusers.c b/src/newusers.c
index 8e4bef97..7c3bb1c2 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -62,6 +62,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "pwio.h"
#include "sgroupio.h"
#include "shadowio.h"
@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef USE_PAM
unsigned int i;
diff --git a/src/passwd.c b/src/passwd.c
index 3af3e651..5bea2765 100644
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -51,6 +51,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
closelog ();
diff --git a/src/pwck.c b/src/pwck.c
index 05df68ec..0ffb711e 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -48,6 +48,7 @@
#include "shadowio.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include "tcbfuncs.h"
#endif /* WITH_TCB */
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
/*
* Tell the user what we did and exit.
diff --git a/src/pwconv.c b/src/pwconv.c
index d6ee31a8..9c69fa13 100644
--- a/src/pwconv.c
+++ b/src/pwconv.c
@@ -72,6 +72,7 @@
#include "pwio.h"
#include "shadowio.h"
#include "nscd.h"
+#include "sssd.h"
/*
* exit status values
@@ -328,6 +329,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return E_SUCCESS;
}
diff --git a/src/pwunconv.c b/src/pwunconv.c
index fabf0237..e11ea494 100644
--- a/src/pwunconv.c
+++ b/src/pwunconv.c
@@ -42,6 +42,7 @@
#include <getopt.h>
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "shadowio.h"
@@ -250,6 +251,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return 0;
}
diff --git a/src/useradd.c b/src/useradd.c
index ca90f076..b0c2224d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -60,6 +60,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
/*
* tallylog_reset needs to be able to lookup
diff --git a/src/userdel.c b/src/userdel.c
index c8de1d31..0715e4fe 100644
--- a/src/userdel.c
+++ b/src/userdel.c
@@ -53,6 +53,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
}
diff --git a/src/usermod.c b/src/usermod.c
index 7355ad31..fd9a98a6 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -57,6 +57,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef WITH_SELINUX
if (Zflg) {
diff --git a/src/vipw.c b/src/vipw.c
index 6d730f65..2cfac6b4 100644
--- a/src/vipw.c
+++ b/src/vipw.c
@@ -42,6 +42,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "sgroupio.h"
@@ -556,6 +557,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return E_SUCCESS;
}

View File

@ -1,31 +0,0 @@
diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
--- shadow-4.6/man/generate_translations.mak.use-itstool 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/generate_translations.mak 2018-07-31 16:42:21.623990969 +0200
@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
$(MAKE) -C .. config.xml
cp ../config.xml $@
-%.xml: ../%.xml ../po/$(LANG).po
- xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
+messages.mo: ../po/$(LANG).po
+ msgfmt ../po/$(LANG).po -o messages.mo
+
+login.defs.d:
+ ln -sf ../login.defs.d login.defs.d
+
+%.xml: ../%.xml messages.mo login.defs.d
+ if grep -q SHADOW-CONFIG-HERE $< ; then \
+ sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
+ else \
+ sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
+ fi
+ itstool -d -l $(LANG) -m messages.mo -o . $@
sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
include ../generate_mans.mak
@@ -16,4 +27,4 @@ $(man_MANS):
@echo you need to run configure with --enable-man to generate man pages
endif
-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
+CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml

View File

@ -1,190 +0,0 @@
commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu May 2 14:33:06 2019 +0200
Use the lckpwdf() again if prefix is not set
The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.
This reverts the implementation to use lckpwdf() if prefix option
is not used.
diff --git a/lib/commonio.c b/lib/commonio.c
index 26e518f2..94dda779 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
int commonio_setname (struct commonio_db *db, const char *name)
{
snprintf (db->filename, sizeof (db->filename), "%s", name);
+ db->setname = true;
return 1;
}
@@ -414,37 +415,39 @@ cleanup_ENOMEM:
int commonio_lock (struct commonio_db *db)
{
-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
-#if 0
- /*
- * only if the system libc has a real lckpwdf() - the one from
- * lockpw.c calls us and would cause infinite recursion!
- */
+ int i;
+#ifdef HAVE_LCKPWDF
/*
- * Call lckpwdf() on the first lock.
- * If it succeeds, call *_lock() only once
- * (no retries, it should always succeed).
+ * Only if the system libc has a real lckpwdf() - the one from
+ * lockpw.c calls us and would cause infinite recursion!
+ * It is also not used with the prefix option.
*/
- if (0 == lock_count) {
- if (lckpwdf () == -1) {
- if (geteuid () != 0) {
- (void) fprintf (stderr,
- "%s: Permission denied.\n",
- Prog);
+ if (!db->setname) {
+ /*
+ * Call lckpwdf() on the first lock.
+ * If it succeeds, call *_lock() only once
+ * (no retries, it should always succeed).
+ */
+ if (0 == lock_count) {
+ if (lckpwdf () == -1) {
+ if (geteuid () != 0) {
+ (void) fprintf (stderr,
+ "%s: Permission denied.\n",
+ Prog);
+ }
+ return 0; /* failure */
}
- return 0; /* failure */
}
- }
- if (commonio_lock_nowait (db, true) != 0) {
- return 1; /* success */
- }
+ if (commonio_lock_nowait (db, true) != 0) {
+ return 1; /* success */
+ }
- ulckpwdf ();
- return 0; /* failure */
-#else /* !HAVE_LCKPWDF */
- int i;
+ ulckpwdf ();
+ return 0; /* failure */
+ }
+#endif /* !HAVE_LCKPWDF */
/*
* lckpwdf() not used - do it the old way.
@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
}
}
return 0; /* failure */
-#endif /* !HAVE_LCKPWDF */
}
static void dec_lock_count (void)
diff --git a/lib/commonio.h b/lib/commonio.h
index 40e5708f..64e83073 100644
--- a/lib/commonio.h
+++ b/lib/commonio.h
@@ -143,6 +143,7 @@ struct commonio_db {
bool isopen:1;
bool locked:1;
bool readonly:1;
+ bool setname:1;
};
extern int commonio_setname (struct commonio_db *, const char *);
diff --git a/lib/groupio.c b/lib/groupio.c
index ae2302b5..bffb06e0 100644
--- a/lib/groupio.c
+++ b/lib/groupio.c
@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int gr_setdbname (const char *filename)
diff --git a/lib/pwio.c b/lib/pwio.c
index 7ee85377..127719cb 100644
--- a/lib/pwio.c
+++ b/lib/pwio.c
@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int pw_setdbname (const char *filename)
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
index 5423626a..ffbdb263 100644
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sgr_setdbname (const char *filename)
diff --git a/lib/shadowio.c b/lib/shadowio.c
index 5fa3d312..676b1f1a 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int spw_setdbname (const char *filename)
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
index a662e67e..dd779c59 100644
--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_uid_setdbname (const char *filename)
@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_gid_setdbname (const char *filename)

View File

@ -1,42 +0,0 @@
diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200
@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
{
long long int gid;
char *endptr;
+ struct group *g;
if (NULL == grname) {
return NULL;
@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
&& (gid == (gid_t)gid)) {
return prefix_getgrgid ((gid_t) gid);
}
- return prefix_getgrnam (grname);
+ g = prefix_getgrnam (grname);
+ return g ? __gr_dup(g) : NULL;
}
else
return getgr_nam_gid(grname);
diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200
+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200
@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
prefix_user_home = xmalloc(len);
wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
assert (wlen == (int) len -1);
+ if (user_newhome) {
+ len = strlen(prefix) + strlen(user_newhome) + 2;
+ prefix_user_newhome = xmalloc(len);
+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
+ assert (wlen == (int) len -1);
+ }
- len = strlen(prefix) + strlen(user_newhome) + 2;
- prefix_user_newhome = xmalloc(len);
- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
- assert (wlen == (int) len -1);
}
else {
prefix_user_home = user_home;

35
shadow-4.8-crypt_h.patch Normal file
View File

@ -0,0 +1,35 @@
diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
--- shadow-4.8/configure.ac.crypt_h 2020-01-13 10:26:17.400481712 +0100
+++ shadow-4.8/configure.ac 2020-01-13 10:29:11.563529093 +0100
@@ -32,7 +32,7 @@ AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_HEADER_STDBOOL
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
--- shadow-4.8/lib/defines.h.crypt_h 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/defines.h 2020-01-13 10:26:17.400481712 +0100
@@ -4,6 +4,8 @@
#ifndef _DEFINES_H_
#define _DEFINES_H_
+#include "config.h"
+
#if HAVE_STDBOOL_H
# include <stdbool.h>
#else
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
# include <unistd.h>
#endif
+#if HAVE_CRYPT_H
+# include <crypt.h> /* crypt(3) may be defined in here */
+#endif
+
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>

View File

@ -1,18 +1,12 @@
Index: shadow-4.5/libmisc/chkname.c diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
=================================================================== --- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100
--- shadow-4.5.orig/libmisc/chkname.c +++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100
+++ shadow-4.5/libmisc/chkname.c @@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
@@ -47,27 +47,46 @@ }
#include "chkname.h"
static bool is_valid_name (const char *name)
-{
+{
/* /*
- * User/group names must match [a-z_][a-z0-9_-]*[$] - * User/group names must match [a-z_][a-z0-9_-]*[$]
- */ - */
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ * User/group names must match gnu e-regex: + * User/group names must match gnu e-regex:
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? + * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+ * + *
@ -22,7 +16,9 @@ Index: shadow-4.5/libmisc/chkname.c
+ * Also do not allow fully numeric names or just "." or "..". + * Also do not allow fully numeric names or just "." or "..".
+ */ + */
+ int numeric; + int numeric;
+
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ if ('\0' == *name || + if ('\0' == *name ||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || + ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) || + '\0' == name[1])) ||
@ -60,11 +56,10 @@ Index: shadow-4.5/libmisc/chkname.c
} }
bool is_valid_user_name (const char *name) bool is_valid_user_name (const char *name)
Index: shadow-4.5/man/groupadd.8.xml diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
=================================================================== --- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200
--- shadow-4.5.orig/man/groupadd.8.xml +++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100
+++ shadow-4.5/man/groupadd.8.xml @@ -273,10 +273,12 @@
@@ -256,10 +256,12 @@
<refsect1 id='caveats'> <refsect1 id='caveats'>
<title>CAVEATS</title> <title>CAVEATS</title>
<para> <para>
@ -81,11 +76,10 @@ Index: shadow-4.5/man/groupadd.8.xml
</para> </para>
<para> <para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
Index: shadow-4.5/man/useradd.8.xml diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
=================================================================== --- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200
--- shadow-4.5.orig/man/useradd.8.xml +++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100
+++ shadow-4.5/man/useradd.8.xml @@ -661,10 +661,14 @@
@@ -633,10 +633,14 @@
</para> </para>
<para> <para>

View File

@ -0,0 +1,11 @@
diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c
--- shadow-4.8/lib/getdef.c.login-prompt 2020-01-13 10:38:44.852796681 +0100
+++ shadow-4.8/lib/getdef.c 2020-01-13 10:39:54.472612511 +0100
@@ -98,6 +98,7 @@ static struct itemdef def_table[] = {
{"LASTLOG_UID_MAX", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
{"MAIL_DIR", NULL},

View File

@ -1,17 +1,19 @@
diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200 --- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100
+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200 +++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100
@@ -382,4 +382,7 @@ extern char *strerror (); @@ -388,6 +388,9 @@ extern char *strerror ();
# endif # endif
#endif #endif
+/* Maximum length of passwd entry */ +/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768 +#define PASSWD_ENTRY_MAX_LENGTH 32768
+ +
#endif /* _DEFINES_H_ */ #ifdef HAVE_SECURE_GETENV
diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c # define shadow_getenv(name) secure_getenv(name)
--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100 # else
+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200 diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
--- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, @@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|| (pw->pw_gid == (gid_t)-1) || (pw->pw_gid == (gid_t)-1)
|| (valid_field (pw->pw_gecos, ":\n") == -1) || (valid_field (pw->pw_gecos, ":\n") == -1)
@ -24,9 +26,9 @@ diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
return -1; return -1;
} }
diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 --- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200
+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200 +++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100
@@ -57,7 +57,7 @@ @@ -57,7 +57,7 @@
struct passwd *sgetpwent (const char *buf) struct passwd *sgetpwent (const char *buf)
{ {
@ -48,9 +50,9 @@ diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
strcpy (pwdbuf, buf); strcpy (pwdbuf, buf);
/* /*
diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 --- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200 +++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100
@@ -48,7 +48,7 @@ @@ -48,7 +48,7 @@
*/ */
struct spwd *sgetspent (const char *string) struct spwd *sgetspent (const char *string)
@ -68,9 +70,9 @@ diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
return 0; /* fail if too long */ return 0; /* fail if too long */
} }
strcpy (spwbuf, string); strcpy (spwbuf, string);
diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100 --- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200 +++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent, @@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
if ( (NULL == sp) if ( (NULL == sp)

View File

@ -1,35 +1,6 @@
Index: shadow-4.5/man/groupmems.8.xml diff -up shadow-4.8/man/chage.1.xml.manfix shadow-4.8/man/chage.1.xml
=================================================================== --- shadow-4.8/man/chage.1.xml.manfix 2019-10-05 01:28:34.000000000 +0200
--- shadow-4.5.orig/man/groupmems.8.xml +++ shadow-4.8/man/chage.1.xml 2020-01-13 10:12:48.445155882 +0100
+++ shadow-4.5/man/groupmems.8.xml
@@ -179,20 +179,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2770</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2770 groupmems
- $ chown root.groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
Index: shadow-4.5/man/chage.1.xml
===================================================================
--- shadow-4.5.orig/man/chage.1.xml
+++ shadow-4.5/man/chage.1.xml
@@ -102,6 +102,9 @@ @@ -102,6 +102,9 @@
Set the number of days since January 1st, 1970 when the password Set the number of days since January 1st, 1970 when the password
was last changed. The date may also be expressed in the format was last changed. The date may also be expressed in the format
@ -54,7 +25,7 @@ Index: shadow-4.5/man/chage.1.xml
Passing the number <emphasis remap='I'>-1</emphasis> as the Passing the number <emphasis remap='I'>-1</emphasis> as the
<replaceable>EXPIRE_DATE</replaceable> will remove an account <replaceable>EXPIRE_DATE</replaceable> will remove an account
expiration date. expiration date.
@@ -233,6 +243,18 @@ @@ -239,6 +249,18 @@
The <command>chage</command> program requires a shadow password file to The <command>chage</command> program requires a shadow password file to
be available. be available.
</para> </para>
@ -73,11 +44,56 @@ Index: shadow-4.5/man/chage.1.xml
<para>The <command>chage</command> command is restricted to the root <para>The <command>chage</command> command is restricted to the root
user, except for the <option>-l</option> option, which may be used by user, except for the <option>-l</option> option, which may be used by
an unprivileged user to determine when their password or account is due an unprivileged user to determine when their password or account is due
Index: shadow-4.5/man/ja/man5/login.defs.5 diff -up shadow-4.8/man/groupadd.8.xml.manfix shadow-4.8/man/groupadd.8.xml
=================================================================== --- shadow-4.8/man/groupadd.8.xml.manfix 2020-01-13 10:12:48.432156100 +0100
--- shadow-4.5.orig/man/ja/man5/login.defs.5 +++ shadow-4.8/man/groupadd.8.xml 2020-01-13 10:13:06.096859122 +0100
+++ shadow-4.5/man/ja/man5/login.defs.5 @@ -320,13 +320,13 @@
@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ <varlistentry>
<term><replaceable>4</replaceable></term>
<listitem>
- <para>GID not unique (when <option>-o</option> not used)</para>
+ <para>GID is already used (when called without <option>-o</option>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>9</replaceable></term>
<listitem>
- <para>group name not unique</para>
+ <para>group name is already used</para>
</listitem>
</varlistentry>
<varlistentry>
diff -up shadow-4.8/man/groupmems.8.xml.manfix shadow-4.8/man/groupmems.8.xml
--- shadow-4.8/man/groupmems.8.xml.manfix 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/man/groupmems.8.xml 2020-01-13 10:12:48.445155882 +0100
@@ -179,20 +179,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2770</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2770 groupmems
- $ chown root.groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.8/man/ja/man5/login.defs.5.manfix shadow-4.8/man/ja/man5/login.defs.5
--- shadow-4.8/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/man/ja/man5/login.defs.5 2020-01-13 10:12:48.445155882 +0100
@@ -147,10 +147,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。 どのパラメータを使用するかを示したものである。
.na .na
@ -88,11 +104,10 @@ Index: shadow-4.5/man/ja/man5/login.defs.5
.IP groupadd 12 .IP groupadd 12
GID_MAX GID_MIN GID_MAX GID_MIN
.IP newusers 12 .IP newusers 12
Index: shadow-4.5/man/login.defs.5.xml diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
=================================================================== --- shadow-4.8/man/login.defs.5.xml.manfix 2019-07-23 17:26:08.000000000 +0200
--- shadow-4.5.orig/man/login.defs.5.xml +++ shadow-4.8/man/login.defs.5.xml 2020-01-13 10:14:10.491776547 +0100
+++ shadow-4.5/man/login.defs.5.xml @@ -163,6 +163,17 @@
@@ -162,6 +162,17 @@
long numeric parameters is machine-dependent. long numeric parameters is machine-dependent.
</para> </para>
@ -110,7 +125,7 @@ Index: shadow-4.5/man/login.defs.5.xml
<para>The following configuration items are provided:</para> <para>The following configuration items are provided:</para>
<variablelist remap='IP'> <variablelist remap='IP'>
@@ -252,16 +263,6 @@ @@ -254,16 +265,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
@ -127,7 +142,7 @@ Index: shadow-4.5/man/login.defs.5.xml
<term>chgpasswd</term> <term>chgpasswd</term>
<listitem> <listitem>
<para> <para>
@@ -282,14 +283,6 @@ @@ -284,14 +285,6 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -142,10 +157,10 @@ Index: shadow-4.5/man/login.defs.5.xml
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) --> <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables --> <!-- faillog: no variables -->
<varlistentry> <varlistentry>
@@ -350,34 +343,6 @@ @@ -357,34 +350,6 @@
<para>LASTLOG_UID_MAX</para>
</listitem>
</varlistentry> </varlistentry>
<!-- id: no variables -->
<!-- lastlog: no variables -->
- <varlistentry> - <varlistentry>
- <term>login</term> - <term>login</term>
- <listitem> - <listitem>
@ -161,7 +176,7 @@ Index: shadow-4.5/man/login.defs.5.xml
- HUSHLOGIN_FILE - HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase> - <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR - KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB</phrase> - <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
- LOGIN_RETRIES - LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase> - <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB - LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
@ -177,7 +192,7 @@ Index: shadow-4.5/man/login.defs.5.xml
<!-- logoutd: no variables --> <!-- logoutd: no variables -->
<varlistentry> <varlistentry>
<term>newgrp / sg</term> <term>newgrp / sg</term>
@@ -405,17 +370,6 @@ @@ -412,17 +377,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<!-- nologin: no variables --> <!-- nologin: no variables -->
@ -195,7 +210,7 @@ Index: shadow-4.5/man/login.defs.5.xml
<varlistentry> <varlistentry>
<term>pwck</term> <term>pwck</term>
<listitem> <listitem>
@@ -442,32 +396,6 @@ @@ -449,32 +403,6 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -228,10 +243,9 @@ Index: shadow-4.5/man/login.defs.5.xml
<varlistentry> <varlistentry>
<term>useradd</term> <term>useradd</term>
<listitem> <listitem>
Index: shadow-4.5/man/shadow.5.xml diff -up shadow-4.8/man/shadow.5.xml.manfix shadow-4.8/man/shadow.5.xml
=================================================================== --- shadow-4.8/man/shadow.5.xml.manfix 2019-12-01 17:52:32.000000000 +0100
--- shadow-4.5.orig/man/shadow.5.xml +++ shadow-4.8/man/shadow.5.xml 2020-01-13 10:12:48.446155865 +0100
+++ shadow-4.5/man/shadow.5.xml
@@ -129,7 +129,7 @@ @@ -129,7 +129,7 @@
<listitem> <listitem>
<para> <para>
@ -261,11 +275,10 @@ Index: shadow-4.5/man/shadow.5.xml
</para> </para>
<para> <para>
Note that an account expiration differs from a password Note that an account expiration differs from a password
Index: shadow-4.5/man/useradd.8.xml diff -up shadow-4.8/man/useradd.8.xml.manfix shadow-4.8/man/useradd.8.xml
=================================================================== --- shadow-4.8/man/useradd.8.xml.manfix 2020-01-13 10:12:48.432156100 +0100
--- shadow-4.5.orig/man/useradd.8.xml +++ shadow-4.8/man/useradd.8.xml 2020-01-13 10:12:48.446155865 +0100
+++ shadow-4.5/man/useradd.8.xml @@ -358,6 +358,11 @@
@@ -347,6 +347,11 @@
<option>CREATE_HOME</option> is not enabled, no home <option>CREATE_HOME</option> is not enabled, no home
directories are created. directories are created.
</para> </para>
@ -277,11 +290,10 @@ Index: shadow-4.5/man/useradd.8.xml
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
Index: shadow-4.5/man/usermod.8.xml diff -up shadow-4.8/man/usermod.8.xml.manfix shadow-4.8/man/usermod.8.xml
=================================================================== --- shadow-4.8/man/usermod.8.xml.manfix 2019-10-05 03:23:58.000000000 +0200
--- shadow-4.5.orig/man/usermod.8.xml +++ shadow-4.8/man/usermod.8.xml 2020-01-13 10:12:48.446155865 +0100
+++ shadow-4.5/man/usermod.8.xml @@ -153,7 +153,8 @@
@@ -132,7 +132,8 @@
If the <option>-m</option> If the <option>-m</option>
option is given, the contents of the current home directory will option is given, the contents of the current home directory will
be moved to the new home directory, which is created if it does be moved to the new home directory, which is created if it does
@ -291,7 +303,20 @@ Index: shadow-4.5/man/usermod.8.xml
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -256,7 +257,8 @@ @@ -215,6 +216,12 @@
The group ownership of files outside of the user's home directory
must be fixed manually.
</para>
+ <para>
+ The change of the group ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -277,7 +284,8 @@
<listitem> <listitem>
<para> <para>
Move the content of the user's home directory to the new Move the content of the user's home directory to the new
@ -301,49 +326,16 @@ Index: shadow-4.5/man/usermod.8.xml
</para> </para>
<para> <para>
This option is only valid in combination with the This option is only valid in combination with the
diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml @@ -391,6 +399,12 @@
index 01ace007..93fe7421 100644 must be fixed manually.
--- a/man/login.defs.d/SUB_GID_COUNT.xml
+++ b/man/login.defs.d/SUB_GID_COUNT.xml
@@ -42,7 +42,7 @@
<para>
The default values for <option>SUB_GID_MIN</option>,
<option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
- are respectively 100000, 600100000 and 10000.
+ are respectively 100000, 600100000 and 65536.
</para> </para>
</listitem>
</varlistentry>
diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
index 5ad812f7..516417b7 100644
--- a/man/login.defs.d/SUB_UID_COUNT.xml
+++ b/man/login.defs.d/SUB_UID_COUNT.xml
@@ -42,7 +42,7 @@
<para> <para>
The default values for <option>SUB_UID_MIN</option>, + The change of the user ownership of files inside of the user's
<option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option> + home directory is also not done if the home dir owner uid is
- are respectively 100000, 600100000 and 10000. + different from the current or new user id. This is safety measure
+ are respectively 100000, 600100000 and 65536. + for special home directories such as <filename>/</filename>.
</para> + </para>
</listitem> + <para>
</varlistentry> No checks will be performed with regard to the
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml <option>UID_MIN</option>, <option>UID_MAX</option>,
--- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200 <option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
+++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200
@@ -320,13 +320,13 @@
<varlistentry>
<term><replaceable>4</replaceable></term>
<listitem>
- <para>GID not unique (when <option>-o</option> not used)</para>
+ <para>GID is already used (when called without <option>-o</option>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>9</replaceable></term>
<listitem>
- <para>group name not unique</para>
+ <para>group name is already used</para>
</listitem>
</varlistentry>
<varlistentry>

View File

@ -1,7 +1,6 @@
Index: shadow-4.5/src/chgpasswd.c diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
=================================================================== --- shadow-4.8/src/chgpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
--- shadow-4.5.orig/src/chgpasswd.c +++ shadow-4.8/src/chgpasswd.c 2020-01-13 10:21:44.558107260 +0100
+++ shadow-4.5/src/chgpasswd.c
@@ -39,6 +39,13 @@ @@ -39,6 +39,13 @@
#include <pwd.h> #include <pwd.h>
#include <stdio.h> #include <stdio.h>
@ -16,7 +15,7 @@ Index: shadow-4.5/src/chgpasswd.c
#ifdef ACCT_TOOLS_SETUID #ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM #ifdef USE_PAM
#include "pam_defs.h" #include "pam_defs.h"
@@ -76,6 +83,9 @@ static bool sgr_locked = false; @@ -80,6 +87,9 @@ static bool sgr_locked = false;
#endif #endif
static bool gr_locked = false; static bool gr_locked = false;
@ -26,7 +25,7 @@ Index: shadow-4.5/src/chgpasswd.c
/* local function prototypes */ /* local function prototypes */
static void fail_exit (int code); static void fail_exit (int code);
static /*@noreturn@*/void usage (int status); static /*@noreturn@*/void usage (int status);
@@ -300,6 +310,63 @@ static void check_perms (void) @@ -334,6 +344,63 @@ static void check_perms (void)
#endif /* ACCT_TOOLS_SETUID */ #endif /* ACCT_TOOLS_SETUID */
} }
@ -90,7 +89,7 @@ Index: shadow-4.5/src/chgpasswd.c
/* /*
* open_files - lock and open the group databases * open_files - lock and open the group databases
*/ */
@@ -393,6 +460,7 @@ int main (int argc, char **argv) @@ -427,6 +494,7 @@ int main (int argc, char **argv)
const struct group *gr; const struct group *gr;
struct group newgr; struct group newgr;
@ -98,7 +97,7 @@ Index: shadow-4.5/src/chgpasswd.c
int errors = 0; int errors = 0;
int line = 0; int line = 0;
@@ -402,12 +470,37 @@ int main (int argc, char **argv) @@ -436,12 +504,37 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR); (void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE); (void) textdomain (PACKAGE);
@ -136,28 +135,9 @@ Index: shadow-4.5/src/chgpasswd.c
check_perms (); check_perms ();
#ifdef SHADOWGRP #ifdef SHADOWGRP
is_shadow_grp = sgr_file_present (); diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
#endif --- shadow-4.8/src/chpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
@@ -536,6 +629,15 @@ int main (int argc, char **argv) +++ shadow-4.8/src/chpasswd.c 2020-01-13 10:21:44.558107260 +0100
newgr.gr_passwd = cp;
}
+#ifdef WITH_AUDIT
+ {
+
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+ "change-password",
+ myname, AUDIT_NO_ID, gr->gr_name,
+ SHADOW_AUDIT_SUCCESS);
+ }
+#endif
/*
* The updated group file entry is then put back and will
* be written to the group file later, after all the
Index: shadow-4.5/src/chpasswd.c
===================================================================
--- shadow-4.5.orig/src/chpasswd.c
+++ shadow-4.5/src/chpasswd.c
@@ -39,6 +39,13 @@ @@ -39,6 +39,13 @@
#include <pwd.h> #include <pwd.h>
#include <stdio.h> #include <stdio.h>
@ -172,7 +152,7 @@ Index: shadow-4.5/src/chpasswd.c
#ifdef USE_PAM #ifdef USE_PAM
#include "pam_defs.h" #include "pam_defs.h"
#endif /* USE_PAM */ #endif /* USE_PAM */
@@ -297,6 +304,63 @@ static void check_perms (void) @@ -332,6 +339,63 @@ static void check_perms (void)
#endif /* USE_PAM */ #endif /* USE_PAM */
} }
@ -236,7 +216,7 @@ Index: shadow-4.5/src/chpasswd.c
/* /*
* open_files - lock and open the password databases * open_files - lock and open the password databases
*/ */
@@ -393,6 +457,10 @@ int main (int argc, char **argv) @@ -428,6 +492,10 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR); (void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE); (void) textdomain (PACKAGE);
@ -247,7 +227,7 @@ Index: shadow-4.5/src/chpasswd.c
process_root_flag ("-R", argc, argv); process_root_flag ("-R", argc, argv);
process_flags (argc, argv); process_flags (argc, argv);
@@ -405,6 +473,10 @@ int main (int argc, char **argv) @@ -440,6 +508,10 @@ int main (int argc, char **argv)
OPENLOG ("chpasswd"); OPENLOG ("chpasswd");
@ -258,33 +238,3 @@ Index: shadow-4.5/src/chpasswd.c
check_perms (); check_perms ();
#ifdef USE_PAM #ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
newpw.pw_passwd = cp;
}
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "updating-password",
+ pw->pw_name, (unsigned int) pw->pw_uid, 1);
+#endif
/*
* The updated password file entry is then put back and will
* be written to the password file later, after all the
Index: shadow-4.5/src/Makefile.am
===================================================================
--- shadow-4.5.orig/src/Makefile.am
+++ shadow-4.5/src/Makefile.am
@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

241
shadow-4.8-selinux.patch Normal file
View File

@ -0,0 +1,241 @@
diff -up shadow-4.8/lib/commonio.c.selinux shadow-4.8/lib/commonio.c
--- shadow-4.8/lib/commonio.c.selinux 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/commonio.c 2020-01-13 10:08:53.769101131 +0100
@@ -964,7 +964,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s-", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
@@ -997,7 +997,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s+", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
diff -up shadow-4.8/libmisc/copydir.c.selinux shadow-4.8/libmisc/copydir.c
--- shadow-4.8/libmisc/copydir.c.selinux 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/libmisc/copydir.c 2020-01-13 10:08:53.769101131 +0100
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
*/
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
free (oldlink);
return -1;
}
@@ -684,7 +684,7 @@ static int copy_special (const char *src
int err = 0;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
return -1;
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
diff -up shadow-4.8/lib/prototypes.h.selinux shadow-4.8/lib/prototypes.h
--- shadow-4.8/lib/prototypes.h.selinux 2020-01-13 10:08:53.769101131 +0100
+++ shadow-4.8/lib/prototypes.h 2020-01-13 10:11:20.914627399 +0100
@@ -334,7 +334,7 @@ extern /*@observer@*/const char *crypt_m
/* selinux.c */
#ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
extern int reset_selinux_file_context (void);
extern int check_selinux_permit (const char *perm_name);
#endif
diff -up shadow-4.8/lib/selinux.c.selinux shadow-4.8/lib/selinux.c
--- shadow-4.8/lib/selinux.c.selinux 2019-11-12 01:18:25.000000000 +0100
+++ shadow-4.8/lib/selinux.c 2020-01-13 10:08:53.769101131 +0100
@@ -51,7 +51,7 @@ static bool selinux_enabled;
* Callers may have to Reset SELinux to create files with default
* contexts with reset_selinux_file_context
*/
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
{
/*@null@*/security_context_t scontext = NULL;
@@ -63,19 +63,23 @@ int set_selinux_file_context (const char
if (selinux_enabled) {
/* Get the default security context for this file */
if (matchpathcon (dst_name, 0, &scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
+ /* We could not get the default, copy the original */
+ if (orig_name == NULL)
+ goto error;
+ if (getfilecon (orig_name, &scontext) < 0)
+ goto error;
}
/* Set the security context for the next created file */
- if (setfscreatecon (scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
- }
+ if (setfscreatecon (scontext) < 0)
+ goto error;
freecon (scontext);
}
return 0;
+ error:
+ if (security_getenforce () != 0) {
+ return 1;
+ }
+ return 0;
}
/*
diff -up shadow-4.8/lib/semanage.c.selinux shadow-4.8/lib/semanage.c
--- shadow-4.8/lib/semanage.c.selinux 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/semanage.c 2020-01-13 10:08:53.766101181 +0100
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff -up shadow-4.8/src/useradd.c.selinux shadow-4.8/src/useradd.c
--- shadow-4.8/src/useradd.c.selinux 2020-01-13 10:08:53.762101248 +0100
+++ shadow-4.8/src/useradd.c 2020-01-13 10:08:53.767101164 +0100
@@ -2078,7 +2078,7 @@ static void create_home (void)
++bhome;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (prefix_user_home) != 0) {
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
fprintf (stderr,
_("%s: cannot set SELinux context for home directory %s\n"),
Prog, user_home);
@@ -2232,6 +2232,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2454,27 +2455,12 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2485,8 +2471,9 @@ int main (int argc, char **argv)
}
#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
@@ -2495,15 +2482,31 @@ int main (int argc, char **argv)
"adding SELinux user mapping",
user_name, (unsigned int) user_id, 0);
#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ rv = E_SE_UPDATE;
+ }
}
}
#endif /* WITH_SELINUX */
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory %s already exists.\n"
+ "%s: Not copying any file from skel directory into it.\n"),
+ Prog, user_home, Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
- return E_SUCCESS;
+ return rv;
}

View File

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.6 Version: 4.8
Release: 16%{?dist} Release: 1%{?dist}
Epoch: 2 Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/ URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -10,33 +10,44 @@ Source2: shadow-utils.useradd
Source3: shadow-utils.login.defs Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
# Misc small changes - most probably non-upstreamable
Patch0: shadow-4.6-redhat.patch Patch0: shadow-4.6-redhat.patch
Patch1: shadow-4.5-goodname.patch # Be more lenient with acceptable user/group names - non upstreamable
Patch1: shadow-4.8-goodname.patch
# Docfix for newusers - could be upstreamed
Patch2: shadow-4.1.5.1-info-parent-dir.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch
Patch6: shadow-4.6-selinux.patch # Misc SElinux related changes - upstreamability unknown
Patch10: shadow-4.6-orig-context.patch Patch6: shadow-4.8-selinux.patch
# Syslog message change - could be upstreamed
Patch11: shadow-4.1.5.1-logmsg.patch Patch11: shadow-4.1.5.1-logmsg.patch
# SElinux related - upstreamability unknown
Patch14: shadow-4.1.5.1-default-range.patch Patch14: shadow-4.1.5.1-default-range.patch
Patch15: shadow-4.3.1-manfix.patch # Misc manual page changes - only some of them could be upstreamed
Patch15: shadow-4.8-manfix.patch
# Userdel usage message change - could be upstreamed
Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch
# Date parsing improvement - could be upstreamed
Patch19: shadow-4.2.1-date-parsing.patch Patch19: shadow-4.2.1-date-parsing.patch
# Additional error message - could be upstreamed
Patch21: shadow-4.6-move-home.patch Patch21: shadow-4.6-move-home.patch
Patch22: shadow-4.6-audit-update.patch # Audit message changes - upstreamability unknown
Patch22: shadow-4.8-audit-update.patch
# Changes related to password unlocking - could be upstreamed
Patch23: shadow-4.5-usermod-unlock.patch Patch23: shadow-4.5-usermod-unlock.patch
Patch24: shadow-4.2.1-no-lock-dos.patch # Additional SElinux related changes - upstreamability unknown
Patch28: shadow-4.3.1-selinux-perms.patch Patch28: shadow-4.8-selinux-perms.patch
# Handle NULL return from *time funcs - could be upstreamed
Patch29: shadow-4.2.1-null-tm.patch Patch29: shadow-4.2.1-null-tm.patch
# SElinux related - upstreamability unknown
Patch31: shadow-4.6-getenforce.patch Patch31: shadow-4.6-getenforce.patch
Patch32: shadow-4.5-crypt_h.patch # Handle include of crypt.h - could be upstreamed
Patch33: shadow-4.5-long-entry.patch Patch32: shadow-4.8-crypt_h.patch
Patch34: shadow-4.6-usermod-crash.patch # Handle /etc/passwd corruption - could be upstreamed
Patch35: shadow-4.6-coverity.patch Patch33: shadow-4.8-long-entry.patch
Patch36: shadow-4.6-use-itstool.patch # Limit uid/gid allocation to non-zero - could be upstreamed
Patch37: shadow-4.6-sssd-flush.patch
Patch38: shadow-4.6-sysugid-min-limit.patch Patch38: shadow-4.6-sysugid-min-limit.patch
Patch39: shadow-4.6-chgrp-guard.patch # Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
Patch40: shadow-4.6-ignore-login-prompt.patch Patch40: shadow-4.8-ignore-login-prompt.patch
Patch41: shadow-4.6-use-lckpwdf.patch
License: BSD and GPLv2+ License: BSD and GPLv2+
BuildRequires: gcc BuildRequires: gcc
@ -69,7 +80,6 @@ are used for managing group accounts.
%patch1 -p1 -b .goodname %patch1 -p1 -b .goodname
%patch2 -p1 -b .info-parent-dir %patch2 -p1 -b .info-parent-dir
%patch6 -p1 -b .selinux %patch6 -p1 -b .selinux
%patch10 -p1 -b .orig-context
%patch11 -p1 -b .logmsg %patch11 -p1 -b .logmsg
%patch14 -p1 -b .default-range %patch14 -p1 -b .default-range
%patch15 -p1 -b .manfix %patch15 -p1 -b .manfix
@ -78,20 +88,13 @@ are used for managing group accounts.
%patch21 -p1 -b .move-home %patch21 -p1 -b .move-home
%patch22 -p1 -b .audit-update %patch22 -p1 -b .audit-update
%patch23 -p1 -b .unlock %patch23 -p1 -b .unlock
%patch24 -p1 -b .no-lock-dos
%patch28 -p1 -b .selinux-perms %patch28 -p1 -b .selinux-perms
%patch29 -p1 -b .null-tm %patch29 -p1 -b .null-tm
%patch31 -p1 -b .getenforce %patch31 -p1 -b .getenforce
%patch32 -p1 -b .crypt_h %patch32 -p1 -b .crypt_h
%patch33 -p1 -b .long-entry %patch33 -p1 -b .long-entry
%patch34 -p1 -b .usermod-crash
%patch35 -p1 -b .coverity
%patch36 -p1 -b .use-itstool
%patch37 -p1 -b .sssd-flush
%patch38 -p1 -b .sysugid-min-limit %patch38 -p1 -b .sysugid-min-limit
%patch39 -p1 -b .chgrp-guard
%patch40 -p1 -b .login-prompt %patch40 -p1 -b .login-prompt
%patch41 -p1 -b .use-lckpwdf
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO cp -f doc/HOWTO.utf8 doc/HOWTO
@ -246,6 +249,9 @@ done
%{_mandir}/man8/vigr.8* %{_mandir}/man8/vigr.8*
%changelog %changelog
* Mon Jan 13 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-1
- update to current upstream release 4.8
* Mon Sep 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16 * Mon Sep 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16
- fix SELinux related problem in chpasswd/chgpasswd when run with -R - fix SELinux related problem in chpasswd/chgpasswd when run with -R
(patch by Petr Lautrbach) (#1747215) (patch by Petr Lautrbach) (#1747215)

View File

@ -1,2 +1,2 @@
SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631 SHA512 (shadow-4.8.tar.xz) = 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece
SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed SHA512 (shadow-4.8.tar.xz.asc) = 200f7793e55447cc5c0d11988ee26511167c5fe23e1f6622b6b0c8cb74498052f2df855f02e351fee0da16562f6a6510ad3954b4c5e13dd9a8da0d998f8dc5e6