diff --git a/shadow-4.6-coverity.patch b/shadow-4.6-coverity.patch
new file mode 100644
index 0000000..44533e2
--- /dev/null
+++ b/shadow-4.6-coverity.patch
@@ -0,0 +1,223 @@ +diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c +--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200 ++++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200 +@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni + char* lock = NULL; + size_t lock_file_len; + size_t file_len; +- int err; ++ int err = 0; + + if (db->locked) { + return 1; +@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni + lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */ + file = (char*)malloc(file_len); + if(file == NULL) { +- err = ENOMEM; + goto cleanup_ENOMEM; + } + lock = (char*)malloc(lock_file_len); + if(lock == NULL) { +- err = ENOMEM; + goto cleanup_ENOMEM; + } + snprintf (file, file_len, "%s.%lu", +diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c +--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200 +@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin + static bool is_listed (const char *cfgin, const char *tty, bool def) + { + FILE *fp; +- char buf[200], *s; ++ char buf[1024], *s; + const char *cons; + + /* +@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin + + if (*cons != '/') { + char *pbuf; +- strcpy (buf, cons); ++ strncpy (buf, cons, sizeof (buf)); ++ buf[sizeof (buf) - 1] = '\0'; + pbuf = &buf[0]; + while ((s = strtok (pbuf, ":")) != NULL) { + if (strcmp (s, tty) == 0) { +diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c +--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200 ++++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200 +@@ -69,7 +69,7 @@ int run_command (const char *cmd, const + do { + wpid = waitpid (pid, status, 0); + } while ( ((pid_t)-1 == wpid && errno == EINTR) +- || (wpid != pid)); ++ || ((pid_t)-1 != wpid && wpid != pid)); + + if ((pid_t)-1 == wpid) { + fprintf (stderr, "%s: waitpid 
(status: %d): %s\n", +diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200 ++++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200 +@@ -314,7 +314,7 @@ static void fail_exit (int code) + static void get_defaults (void) + { + FILE *fp; +- char* default_file = USER_DEFAULTS_FILE; ++ char *default_file = USER_DEFAULTS_FILE; + char buf[1024]; + char *cp; + +@@ -324,6 +324,8 @@ static void get_defaults (void) + + len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2; + default_file = malloc(len); ++ if (default_file == NULL) ++ return; + wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE); + assert (wlen == (int) len -1); + } +@@ -334,7 +336,7 @@ static void get_defaults (void) + + fp = fopen (default_file, "r"); + if (NULL == fp) { +- return; ++ goto getdef_err; + } + + /* +@@ -445,7 +447,7 @@ static void get_defaults (void) + } + } + (void) fclose (fp); +- ++ getdef_err: + if(prefix[0]) { + free(default_file); + } +@@ -480,8 +482,8 @@ static int set_defaults (void) + FILE *ifp; + FILE *ofp; + char buf[1024]; +- char* new_file = NEW_USER_FILE; +- char* default_file = USER_DEFAULTS_FILE; ++ char *new_file = NULL; ++ char *default_file = USER_DEFAULTS_FILE; + char *cp; + int ofd; + int wlen; +@@ -492,17 +494,30 @@ static int set_defaults (void) + bool out_shell = false; + bool out_skel = false; + bool out_create_mail_spool = false; ++ size_t len; ++ int ret = -1; + +- if(prefix[0]) { +- size_t len; + +- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2; +- new_file = malloc(len); +- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE); +- assert (wlen == (int) len -1); ++ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2; ++ new_file = malloc(len); ++ if (new_file == NULL) { ++ fprintf (stderr, ++ _("%s: cannot create new defaults file: %s\n"), ++ Prog, strerror(errno)); ++ return -1; ++ } ++ wlen = snprintf(new_file, len, "%s%s%s", prefix, 
prefix[0]?"/":"", NEW_USER_FILE); ++ assert (wlen <= (int) len -1); + ++ if(prefix[0]) { + len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2; + default_file = malloc(len); ++ if (default_file == NULL) { ++ fprintf (stderr, ++ _("%s: cannot create new defaults file: %s\n"), ++ Prog, strerror(errno)); ++ goto setdef_err; ++ } + wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE); + assert (wlen == (int) len -1); + } +@@ -515,7 +530,7 @@ static int set_defaults (void) + fprintf (stderr, + _("%s: cannot create new defaults file\n"), + Prog); +- return -1; ++ goto setdef_err; + } + + ofp = fdopen (ofd, "w"); +@@ -523,7 +538,7 @@ static int set_defaults (void) + fprintf (stderr, + _("%s: cannot open new defaults file\n"), + Prog); +- return -1; ++ goto setdef_err; + } + + /* +@@ -550,7 +565,7 @@ static int set_defaults (void) + _("%s: line too long in %s: %s..."), + Prog, default_file, buf); + (void) fclose (ifp); +- return -1; ++ goto setdef_err; + } + } + +@@ -614,7 +629,7 @@ static int set_defaults (void) + || (fsync (fileno (ofp)) != 0) + || (fclose (ofp) != 0)) { + unlink (new_file); +- return -1; ++ goto setdef_err; + } + + /* +@@ -629,7 +644,7 @@ static int set_defaults (void) + _("%s: Cannot create backup file (%s): %s\n"), + Prog, buf, strerror (err)); + unlink (new_file); +- return -1; ++ goto setdef_err; + } + + /* +@@ -640,11 +655,11 @@ static int set_defaults (void) + fprintf (stderr, + _("%s: rename: %s: %s\n"), + Prog, new_file, strerror (err)); +- return -1; ++ goto setdef_err; + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_USYS_CONFIG, Prog, +- "changing-useradd-defaults", ++ "changing useradd defaults", + NULL, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -654,13 +669,14 @@ static int set_defaults (void) + (unsigned int) def_group, def_home, def_shell, + def_inactive, def_expire, def_template, + def_create_mail_spool)); +- ++ ret = 0; ++ setdef_err: ++ free(new_file); + if(prefix[0]) { +- free(new_file); + 
free(default_file); + } + +- return 0; ++ return ret; + } + + /* diff --git a/shadow-4.6-sssd-flush.patch b/shadow-4.6-sssd-flush.patch new file mode 100644 index 0000000..025c1d3 --- /dev/null +++ b/shadow-4.6-sssd-flush.patch 
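Review bot: In shadow-4.6-coverity.patch, the `is_listed` change in libmisc/console.c silently cuts a configured list longer than 1023 bytes, because `strncpy (buf, cons, sizeof (buf));` plus the forced terminator reports nothing when truncation occurs. The last token handed to `strcmp (s, tty)` can then be a prefix of what the administrator wrote and may equal a different tty name. If this list gates where a login is accepted, as the file name suggests, an over-long value should be rejected before the copy, e.g. `if (strlen (cons) >= sizeof (buf)) { return false; }`, or whichever result the callers treat as a denial; the rest of the function is outside the hunk. Separately, the `set_defaults` hunk in src/useradd.c changes the audit operation string from "changing-useradd-defaults" to "changing useradd defaults", which is unrelated to the Coverity fixes and alters what audit consumers and matching rules see for this event, so it deserves its own changelog line or its own patch.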
@@ -0,0 +1,641 @@ +From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 12 Sep 2018 14:22:11 +0200 +Subject: [PATCH] Flush sssd caches in addition to nscd caches + +Some distributions, notably Fedora, have the following order of nsswitch +modules by default: + passwd: sss files + group: sss files + +The advantage of serving local users through SSSD is that the nss_sss +module has a fast mmapped-cache that speeds up NSS lookups compared to +accessing the disk an opening the files on each NSS request. + +Traditionally, this has been done with the help of nscd, but using nscd +in parallel with sssd is cumbersome, as both SSSD and nscd use their own +independent caching, so using nscd in setups where sssd is also serving +users from some remote domain (LDAP, AD, ...) can result in a bit of +unpredictability. + +More details about why Fedora chose to use sss before files can be found +on e.g.: + https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers +or: + https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html + +Now, even though sssd watches the passwd and group files with the help +of inotify, there can still be a small window where someone requests a +user or a group, finds that it doesn't exist, adds the entry and checks +again. Without some support in shadow-utils that would explicitly drop +the sssd caches, the inotify watch can fire a little late, so a +combination of commands like this: + getent passwd user || useradd user; getent passwd user +can result in the second getent passwd not finding the newly added user +as the racy behaviour might still return the cached negative hit from +the first getent passwd. + +This patch more or less copies the already existing support that +shadow-utils had for dropping nscd caches, except using the "sss_cache" +tool that sssd ships. 
+--- + configure.ac | 10 +++++++ + lib/Makefile.am | 2 ++ + lib/commonio.c | 2 ++ + lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ + lib/sssd.h | 17 +++++++++++ + src/chfn.c | 2 ++ + src/chgpasswd.c | 2 ++ + src/chpasswd.c | 2 ++ + src/chsh.c | 2 ++ + src/gpasswd.c | 2 ++ + src/groupadd.c | 2 ++ + src/groupdel.c | 2 ++ + src/groupmod.c | 2 ++ + src/grpck.c | 2 ++ + src/grpconv.c | 2 ++ + src/grpunconv.c | 2 ++ + src/newusers.c | 2 ++ + src/passwd.c | 2 ++ + src/pwck.c | 2 ++ + src/pwconv.c | 2 ++ + src/pwunconv.c | 2 ++ + src/useradd.c | 2 ++ + src/userdel.c | 2 ++ + src/usermod.c | 2 ++ + src/vipw.c | 2 ++ + 25 files changed, 146 insertions(+) + create mode 100644 lib/sssd.c + create mode 100644 lib/sssd.h + +diff --git a/configure.ac b/configure.ac +index 41068a5d..10ad70cf 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt, + AC_ARG_WITH(nscd, + [AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])], + [with_nscd=$withval], [with_nscd=yes]) ++AC_ARG_WITH(sssd, ++ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])], ++ [with_sssd=$withval], [with_sssd=yes]) + AC_ARG_WITH(group-name-max-length, + [AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])], + [with_group_name_max_length=$withval], [with_group_name_max_length=yes]) +@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then + [AC_MSG_ERROR([posix_spawn is needed for nscd support])]) + fi + ++if test "$with_sssd" = "yes"; then ++ AC_CHECK_FUNC(posix_spawn, ++ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])], ++ [AC_MSG_ERROR([posix_spawn is needed for sssd support])]) ++fi ++ + dnl Check for some functions in libc first, only if not found check for + dnl other libraries. This should prevent linking libnsl if not really + dnl needed (Linux glibc, Irix), but still link it if needed (Solaris). 
+@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp" + echo " S/Key support: $with_skey" + echo " SHA passwords encryption: $with_sha_crypt" + echo " nscd support: $with_nscd" ++echo " sssd support: $with_sssd" + echo " subordinate IDs support: $enable_subids" + echo +diff --git a/lib/Makefile.am b/lib/Makefile.am +index 6db86cd6..fd634542 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \ + lockpw.c \ + nscd.c \ + nscd.h \ ++ sssd.c \ ++ sssd.h \ + pam_defs.h \ + port.c \ + port.h \ +diff --git a/lib/commonio.c b/lib/commonio.c +index d06b8e7d..96f2d5f7 100644 +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -45,6 +45,7 @@ + #include + #include + #include "nscd.h" ++#include "sssd.h" + #ifdef WITH_TCB + #include + #endif /* WITH_TCB */ +@@ -485,6 +486,7 @@ static void dec_lock_count (void) + if (nscd_need_reload) { + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + nscd_need_reload = false; + } + #ifdef HAVE_LCKPWDF +diff --git a/lib/sssd.c b/lib/sssd.c +new file mode 100644 +index 00000000..80e49e55 +--- /dev/null ++++ b/lib/sssd.c +@@ -0,0 +1,75 @@ ++/* Author: Peter Vrabec */ ++ ++#include ++#ifdef USE_SSSD ++ ++#include ++#include ++#include ++#include "exitcodes.h" ++#include "defines.h" ++#include "prototypes.h" ++#include "sssd.h" ++ ++#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n" ++ ++int sssd_flush_cache (int dbflags) ++{ ++ int status, code, rv; ++ const char *cmd = "/usr/sbin/sss_cache"; ++ char *sss_cache_args = NULL; ++ const char *spawnedArgs[] = {"sss_cache", NULL, NULL}; ++ const char *spawnedEnv[] = {NULL}; ++ int i = 0; ++ ++ sss_cache_args = malloc(4); ++ if (sss_cache_args == NULL) { ++ return -1; ++ } ++ ++ sss_cache_args[i++] = '-'; ++ if (dbflags & SSSD_DB_PASSWD) { ++ sss_cache_args[i++] = 'U'; ++ } ++ if (dbflags & SSSD_DB_GROUP) { ++ sss_cache_args[i++] = 'G'; ++ } ++ 
sss_cache_args[i++] = '\0'; ++ if (i == 2) { ++ /* Neither passwd nor group, nothing to do */ ++ free(sss_cache_args); ++ return 0; ++ } ++ spawnedArgs[1] = sss_cache_args; ++ ++ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status); ++ free(sss_cache_args); ++ if (rv != 0) { ++ /* run_command writes its own more detailed message. */ ++ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog); ++ return -1; ++ } ++ ++ code = WEXITSTATUS (status); ++ if (!WIFEXITED (status)) { ++ (void) fprintf (stderr, ++ _("%s: sss_cache did not terminate normally (signal %d)\n"), ++ Prog, WTERMSIG (status)); ++ return -1; ++ } else if (code == E_CMD_NOTFOUND) { ++ /* sss_cache is not installed, or it is installed but uses an ++ interpreter that is missing. Probably the former. */ ++ return 0; ++ } else if (code != 0) { ++ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"), ++ Prog, code); ++ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog); ++ return -1; ++ } ++ ++ return 0; ++} ++#else /* USE_SSSD */ ++extern int errno; /* warning: ANSI C forbids an empty source file */ ++#endif /* USE_SSSD */ ++ +diff --git a/lib/sssd.h b/lib/sssd.h +new file mode 100644 +index 00000000..00ff2a8a +--- /dev/null ++++ b/lib/sssd.h +@@ -0,0 +1,17 @@ ++#ifndef _SSSD_H_ ++#define _SSSD_H_ ++ ++#define SSSD_DB_PASSWD 0x001 ++#define SSSD_DB_GROUP 0x002 ++ ++/* ++ * sssd_flush_cache - flush specified service buffer in sssd cache ++ */ ++#ifdef USE_SSSD ++extern int sssd_flush_cache (int dbflags); ++#else ++#define sssd_flush_cache(service) (0) ++#endif ++ ++#endif ++ +diff --git a/src/chfn.c b/src/chfn.c +index 18aa3de7..0725e1c7 100644 +--- a/src/chfn.c ++++ b/src/chfn.c +@@ -47,6 +47,7 @@ + #include "defines.h" + #include "getdef.h" + #include "nscd.h" ++#include "sssd.h" + #ifdef USE_PAM + #include "pam_defs.h" + #endif +@@ -746,6 +747,7 @@ int main (int argc, char **argv) + SYSLOG ((LOG_INFO, "changed user '%s' information", user)); + + nscd_flush_cache 
("passwd"); ++ sssd_flush_cache (SSSD_DB_PASSWD); + + closelog (); + exit (E_SUCCESS); +diff --git a/src/chgpasswd.c b/src/chgpasswd.c +index 13203a46..e5f2eb7e 100644 +--- a/src/chgpasswd.c ++++ b/src/chgpasswd.c +@@ -46,6 +46,7 @@ + #endif /* ACCT_TOOLS_SETUID */ + #include "defines.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "groupio.h" + #ifdef SHADOWGRP +@@ -581,6 +582,7 @@ int main (int argc, char **argv) + close_files (); + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + return (0); + } +diff --git a/src/chpasswd.c b/src/chpasswd.c +index 918b27ee..49e79cdb 100644 +--- a/src/chpasswd.c ++++ b/src/chpasswd.c +@@ -44,6 +44,7 @@ + #endif /* USE_PAM */ + #include "defines.h" + #include "nscd.h" ++#include "sssd.h" + #include "getdef.h" + #include "prototypes.h" + #include "pwio.h" +@@ -624,6 +625,7 @@ int main (int argc, char **argv) + } + + nscd_flush_cache ("passwd"); ++ sssd_flush_cache (SSSD_DB_PASSWD); + + return (0); + } +diff --git a/src/chsh.c b/src/chsh.c +index c89708b9..910e3dd4 100644 +--- a/src/chsh.c ++++ b/src/chsh.c +@@ -46,6 +46,7 @@ + #include "defines.h" + #include "getdef.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "pwauth.h" + #include "pwio.h" +@@ -557,6 +558,7 @@ int main (int argc, char **argv) + SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh)); + + nscd_flush_cache ("passwd"); ++ sssd_flush_cache (SSSD_DB_PASSWD); + + closelog (); + exit (E_SUCCESS); +diff --git a/src/gpasswd.c b/src/gpasswd.c +index c4a492b1..4d75af96 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -45,6 +45,7 @@ + #include "defines.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #ifdef SHADOWGRP + #include "sgroupio.h" +@@ -1201,6 +1202,7 @@ int main (int argc, char **argv) + close_files (); + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + exit (E_SUCCESS); + } +diff --git 
a/src/groupadd.c b/src/groupadd.c +index b57006c5..2dd8eec9 100644 +--- a/src/groupadd.c ++++ b/src/groupadd.c +@@ -51,6 +51,7 @@ + #include "getdef.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #ifdef SHADOWGRP + #include "sgroupio.h" +@@ -625,6 +626,7 @@ int main (int argc, char **argv) + close_files (); + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + return E_SUCCESS; + } +diff --git a/src/groupdel.c b/src/groupdel.c +index 70bed010..f941a84a 100644 +--- a/src/groupdel.c ++++ b/src/groupdel.c +@@ -49,6 +49,7 @@ + #include "defines.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #ifdef SHADOWGRP + #include "sgroupio.h" +@@ -492,6 +493,7 @@ int main (int argc, char **argv) + close_files (); + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + return E_SUCCESS; + } +diff --git a/src/groupmod.c b/src/groupmod.c +index b293b98f..1dca5fc9 100644 +--- a/src/groupmod.c ++++ b/src/groupmod.c +@@ -51,6 +51,7 @@ + #include "groupio.h" + #include "pwio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #ifdef SHADOWGRP + #include "sgroupio.h" +@@ -877,6 +878,7 @@ int main (int argc, char **argv) + close_files (); + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + return E_SUCCESS; + } +diff --git a/src/grpck.c b/src/grpck.c +index ea5d3b39..6140b10d 100644 +--- a/src/grpck.c ++++ b/src/grpck.c +@@ -45,6 +45,7 @@ + #include "defines.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + + #ifdef SHADOWGRP +@@ -870,6 +871,7 @@ int main (int argc, char **argv) + close_files (changed); + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + /* + * Tell the user what we did and exit. 
+diff --git a/src/grpconv.c b/src/grpconv.c +index f95f4960..5e5eaaca 100644 +--- a/src/grpconv.c ++++ b/src/grpconv.c +@@ -48,6 +48,7 @@ + #include + #include + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + /*@-exitarg@*/ + #include "exitcodes.h" +@@ -273,6 +274,7 @@ int main (int argc, char **argv) + } + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + return 0; + } +diff --git a/src/grpunconv.c b/src/grpunconv.c +index 253f06f5..e4105c26 100644 +--- a/src/grpunconv.c ++++ b/src/grpunconv.c +@@ -48,6 +48,7 @@ + #include + #include + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + /*@-exitarg@*/ + #include "exitcodes.h" +@@ -236,6 +237,7 @@ int main (int argc, char **argv) + } + + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_GROUP); + + return 0; + } +diff --git a/src/newusers.c b/src/newusers.c +index 8e4bef97..7c3bb1c2 100644 +--- a/src/newusers.c ++++ b/src/newusers.c +@@ -62,6 +62,7 @@ + #include "getdef.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "pwio.h" + #include "sgroupio.h" + #include "shadowio.h" +@@ -1233,6 +1234,7 @@ int main (int argc, char **argv) + + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + + #ifdef USE_PAM + unsigned int i; +diff --git a/src/passwd.c b/src/passwd.c +index 3af3e651..5bea2765 100644 +--- a/src/passwd.c ++++ b/src/passwd.c +@@ -51,6 +51,7 @@ + #include "defines.h" + #include "getdef.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "pwauth.h" + #include "pwio.h" +@@ -1150,6 +1151,7 @@ int main (int argc, char **argv) + + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + + SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname)); + closelog (); +diff --git a/src/pwck.c b/src/pwck.c +index 05df68ec..0ffb711e 100644 +--- a/src/pwck.c ++++ b/src/pwck.c 
+@@ -48,6 +48,7 @@ + #include "shadowio.h" + #include "getdef.h" + #include "nscd.h" ++#include "sssd.h" + #ifdef WITH_TCB + #include "tcbfuncs.h" + #endif /* WITH_TCB */ +@@ -877,6 +878,7 @@ int main (int argc, char **argv) + close_files (changed); + + nscd_flush_cache ("passwd"); ++ sssd_flush_cache (SSSD_DB_PASSWD); + + /* + * Tell the user what we did and exit. +diff --git a/src/pwconv.c b/src/pwconv.c +index d6ee31a8..9c69fa13 100644 +--- a/src/pwconv.c ++++ b/src/pwconv.c +@@ -72,6 +72,7 @@ + #include "pwio.h" + #include "shadowio.h" + #include "nscd.h" ++#include "sssd.h" + + /* + * exit status values +@@ -328,6 +329,7 @@ int main (int argc, char **argv) + } + + nscd_flush_cache ("passwd"); ++ sssd_flush_cache (SSSD_DB_PASSWD); + + return E_SUCCESS; + } +diff --git a/src/pwunconv.c b/src/pwunconv.c +index fabf0237..e11ea494 100644 +--- a/src/pwunconv.c ++++ b/src/pwunconv.c +@@ -42,6 +42,7 @@ + #include + #include "defines.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "pwio.h" + #include "shadowio.h" +@@ -250,6 +251,7 @@ int main (int argc, char **argv) + } + + nscd_flush_cache ("passwd"); ++ sssd_flush_cache (SSSD_DB_PASSWD); + + return 0; + } +diff --git a/src/useradd.c b/src/useradd.c +index ca90f076..b0c2224d 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -60,6 +60,7 @@ + #include "getdef.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "pwauth.h" + #include "pwio.h" +@@ -2425,6 +2426,7 @@ int main (int argc, char **argv) + + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + + /* + * tallylog_reset needs to be able to lookup +diff --git a/src/userdel.c b/src/userdel.c +index c8de1d31..0715e4fe 100644 +--- a/src/userdel.c ++++ b/src/userdel.c +@@ -53,6 +53,7 @@ + #include "getdef.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "pwauth.h" + 
#include "pwio.h" +@@ -1328,6 +1329,7 @@ int main (int argc, char **argv) + + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + + return ((0 != errors) ? E_HOMEDIR : E_SUCCESS); + } +diff --git a/src/usermod.c b/src/usermod.c +index 7355ad31..fd9a98a6 100644 +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -57,6 +57,7 @@ + #include "getdef.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "pwauth.h" + #include "pwio.h" +@@ -2255,6 +2256,7 @@ int main (int argc, char **argv) + + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + + #ifdef WITH_SELINUX + if (Zflg) { +diff --git a/src/vipw.c b/src/vipw.c +index 6d730f65..2cfac6b4 100644 +--- a/src/vipw.c ++++ b/src/vipw.c +@@ -42,6 +42,7 @@ + #include "defines.h" + #include "groupio.h" + #include "nscd.h" ++#include "sssd.h" + #include "prototypes.h" + #include "pwio.h" + #include "sgroupio.h" +@@ -556,6 +557,7 @@ int main (int argc, char **argv) + + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); ++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + + return E_SUCCESS; + } diff --git a/shadow-utils.spec b/shadow-utils.spec index 8587c71..8d924f6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -30,6 +30,8 @@ Patch31: shadow-4.6-getenforce.patch Patch32: shadow-4.5-crypt_h.patch Patch33: shadow-4.5-long-entry.patch Patch34: shadow-4.6-usermod-crash.patch +Patch35: shadow-4.6-coverity.patch +Patch36: shadow-4.6-sssd-flush.patch License: BSD and GPLv2+ Group: System Environment/Base 
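Review bot: In shadow-4.6-sssd-flush.patch, every call site added discards the result of `sssd_flush_cache`, so userdel, groupdel, gpasswd and the other tools still exit with success when the flush fails, leaving only the stderr line from lib/sssd.c as evidence. The commit message names stale cache answers as the problem being fixed, so a failed flush after a deletion or a membership removal is worth recording where the tool already logs through SYSLOG, e.g. `if (sssd_flush_cache (SSSD_DB_GROUP) != 0) { SYSLOG ((LOG_ERR, "sssd cache flush failed")); }`. Inside `sssd_flush_cache`, the 4-byte `malloc` adds a silent `return -1` path that a stack buffer `char sss_cache_args[4];` would remove, and `code = WEXITSTATUS (status);` belongs after the `WIFEXITED` check. The comment in lib/sssd.h should state that the argument is a bitmask of `SSSD_DB_PASSWD` and `SSSD_DB_GROUP`, not a service name, and that a return of 0 also covers the case where sss_cache is not installed.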
@@ -81,6 +83,8 @@ are used for managing group accounts. %patch32 -p1 -b .crypt_h %patch33 -p1 -b .long-entry %patch34 -p1 -b .usermod-crash +%patch35 -p1 -b .coverity +%patch36 -p1 -b .sssd-flush iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -232,6 +236,10 @@ done %{_mandir}/man8/vigr.8* %changelog +* Wed Oct 10 2018 Tomáš Mráz - 2:4.6-3 +- fix some issues from Coverity scan +- flush sssd caches - patch by Jakub Hrozek + * Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild