From f38d60a5627da28fad6eac553ebb62b6cfce27f7 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 6 Nov 2018 10:40:50 +0100 Subject: [PATCH] Use cap_setxid file capabilities for newxidmap instead of making them setuid Also: limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0 and the 0 is always used by root anyway manual page improvements --- shadow-4.3.1-manfix.patch | 18 +++++++++++++++++ shadow-4.5-goodname.patch | 32 +++++++++++++++++++++--------- shadow-4.6-sysugid-min-limit.patch | 32 ++++++++++++++++++++++++++++++ shadow-utils.spec | 14 ++++++++++--- 4 files changed, 84 insertions(+), 12 deletions(-) create mode 100644 shadow-4.6-sysugid-min-limit.patch diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch index cc62a86..d70f4cc 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -213,6 +213,15 @@ Index: shadow-4.5/man/shadow.5.xml =================================================================== --- shadow-4.5.orig/man/shadow.5.xml +++ shadow-4.5/man/shadow.5.xml +@@ -129,7 +129,7 @@ + + + The date of the last password change, expressed as the number +- of days since Jan 1, 1970. ++ of days since Jan 1, 1970 00:00 UTC. + + + The value 0 has a special meaning, which is that the user @@ -208,8 +208,8 @@ @@ -224,6 +233,15 @@ Index: shadow-4.5/man/shadow.5.xml An empty field means that there are no enforcement of an +@@ -224,7 +224,7 @@ + + + The date of expiration of the account, expressed as the number +- of days since Jan 1, 1970. ++ of days since Jan 1, 1970 00:00 UTC. + + + Note that an account expiration differs from a password Index: shadow-4.5/man/useradd.8.xml =================================================================== --- shadow-4.5.orig/man/useradd.8.xml diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch index 215f658..2f82828 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -64,7 +64,7 @@ Index: shadow-4.5/man/groupadd.8.xml =================================================================== --- shadow-4.5.orig/man/groupadd.8.xml +++ shadow-4.5/man/groupadd.8.xml -@@ -256,12 +256,6 @@ +@@ -256,10 +256,14 @@ CAVEATS @@ -72,16 +72,22 @@ Index: shadow-4.5/man/groupadd.8.xml - followed by lower case letters, digits, underscores, or dashes. - They can end with a dollar sign. - In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- -- - Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. ++ Groupnames may contain only lower and upper case letters, digits, ++ underscores, or dashes. They can end with a dollar sign. ++ ++ Dashes are not allowed at the beginning of the groupname. ++ Fully numeric groupnames and groupnames . or .. are ++ also disallowed. ++ ++ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. Index: shadow-4.5/man/useradd.8.xml =================================================================== --- shadow-4.5.orig/man/useradd.8.xml +++ shadow-4.5/man/useradd.8.xml -@@ -633,12 +633,6 @@ +@@ -633,10 +633,16 @@ @@ -89,8 +95,16 @@ Index: shadow-4.5/man/useradd.8.xml - followed by lower case letters, digits, underscores, or dashes. - They can end with a dollar sign. - In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- -- - Usernames may only be up to 32 characters long. ++ Usernames may contain only lower and upper case letters, digits, ++ underscores, or dashes. They can end with a dollar sign. ++ ++ Dashes are not allowed at the beginning of the username. ++ Fully numeric usernames and usernames . or .. are ++ also disallowed. It is not recommended to use usernames beginning ++ with . character as their home directories will be hidden in ++ the ls output. ++ ++ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? - + + Usernames may only be up to 32 characters long. diff --git a/shadow-4.6-sysugid-min-limit.patch b/shadow-4.6-sysugid-min-limit.patch new file mode 100644 index 0000000..c03adde --- /dev/null +++ b/shadow-4.6-sysugid-min-limit.patch @@ -0,0 +1,32 @@ +diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c +--- shadow-4.6/libmisc/find_new_gid.c.min-limit 2018-04-29 18:42:37.000000001 +0200 ++++ shadow-4.6/libmisc/find_new_gid.c 2018-11-06 10:07:14.567611067 +0100 +@@ -81,6 +81,12 @@ static int get_ranges (bool sys_group, g + getdef_ulong ("GID_MIN", 1000UL), + (unsigned long) *max_id); + return EINVAL; ++ /* ++ * Zero is reserved for root and the allocation algorithm does not ++ * work right with it. ++ */ ++ if (*min_id == 0) { ++ *min_id = (gid_t) 1; + } + } else { + /* Non-system groups */ +diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c +--- shadow-4.6/libmisc/find_new_uid.c.min-limit 2018-04-29 18:42:37.000000001 +0200 ++++ shadow-4.6/libmisc/find_new_uid.c 2018-11-06 10:07:34.392075491 +0100 +@@ -81,6 +81,12 @@ static int get_ranges (bool sys_user, ui + getdef_ulong ("UID_MIN", 1000UL), + (unsigned long) *max_id); + return EINVAL; ++ /* ++ * Zero is reserved for root and the allocation algorithm does not ++ * work right with it. ++ */ ++ if (*min_id == 0) { ++ *min_id = (uid_t) 1; + } + } else { + /* Non-system users */ diff --git a/shadow-utils.spec b/shadow-utils.spec index 8d924f6..223aaaf 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -32,6 +32,7 @@ Patch33: shadow-4.5-long-entry.patch Patch34: shadow-4.6-usermod-crash.patch Patch35: shadow-4.6-coverity.patch Patch36: shadow-4.6-sssd-flush.patch +Patch37: shadow-4.6-sysugid-min-limit.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -85,6 +86,7 @@ are used for managing group accounts. %patch34 -p1 -b .usermod-crash %patch35 -p1 -b .coverity %patch36 -p1 -b .sssd-flush +%patch37 -p1 -b .sysugid-min-limit iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -197,8 +199,8 @@ done %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp -%attr(4755,root,root) %{_bindir}/newgidmap -%attr(4755,root,root) %{_bindir}/newuidmap +%attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap +%attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/group* @@ -236,6 +238,12 @@ done %{_mandir}/man8/vigr.8* %changelog +* Tue Nov 6 2018 Tomáš Mráz - 2:4.6-4 +- use cap_setxid file capabilities for newxidmap instead of making them setuid +- limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0 + and the 0 is always used by root anyway +- manual page improvements + * Wed Oct 10 2018 Tomáš Mráz - 2:4.6-3 - fix some issues from Coverity scan - flush sssd caches - patch by Jakub Hrozek