import shadow-utils-4.6-16.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:14:48 -04:00 committed by Stepan Oksanichenko
parent 591e6b5663
commit ff2f2a785d
17 changed files with 6674 additions and 2 deletions

View File

@ -0,0 +1,244 @@
diff -up shadow-4.6/man/getsubids.1.xml.getsubids shadow-4.6/man/getsubids.1.xml
--- shadow-4.6/man/getsubids.1.xml.getsubids 2021-12-09 10:40:50.730275761 +0100
+++ shadow-4.6/man/getsubids.1.xml 2021-12-09 10:40:50.730275761 +0100
@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright (c) 2021 Iker Pedrosa
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- SHADOW-CONFIG-HERE -->
+]>
+
+<refentry id='getsubids.1'>
+ <refentryinfo>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Creation, 2021</contrib>
+ </author>
+ </refentryinfo>
+ <refmeta>
+ <refentrytitle>getsubids</refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
+ <refmiscinfo class="source">shadow-utils</refmiscinfo>
+ <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
+ </refmeta>
+ <refnamediv id='name'>
+ <refname>getsubids</refname>
+ <refpurpose>get the subordinate id ranges for a user</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>getsubids</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'>
+ <replaceable>USER</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The <command>getsubids</command> command lists the subordinate user ID
+ ranges for a given user. The subordinate group IDs can be listed using
+ the <option>-g</option> option.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <para>
+ The options which apply to the <command>getsubids</command> command are:
+ </para>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-g</option>
+ </term>
+ <listitem>
+ <para>
+ List the subordinate group ID ranges.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ For example, to obtain the subordinate UIDs of the testuser:
+ </para>
+ <para>
+<programlisting>
+$ getsubids testuser
+0: testuser 100000 65536
+</programlisting>
+ </para>
+ <para>
+ This command output provides (in order from left to right) the list
+ index, username, UID range start, and number of UIDs in range.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ <citerefentry>
+ <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ </para>
+ </refsect1>
+</refentry>
diff -up shadow-4.6/man/Makefile.am.getsubids shadow-4.6/man/Makefile.am
--- shadow-4.6/man/Makefile.am.getsubids 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/Makefile.am 2021-12-09 10:40:50.730275761 +0100
@@ -59,6 +59,7 @@ man_MANS += $(man_nopam)
endif
man_subids = \
+ man1/getsubids.1 \
man1/newgidmap.1 \
man1/newuidmap.1 \
man5/subgid.5 \
@@ -77,6 +78,7 @@ man_XMANS = \
expiry.1.xml \
faillog.5.xml \
faillog.8.xml \
+ getsubids.1.xml \
gpasswd.1.xml \
groupadd.8.xml \
groupdel.8.xml \
diff -up shadow-4.6/src/getsubids.c.getsubids shadow-4.6/src/getsubids.c
--- shadow-4.6/src/getsubids.c.getsubids 2021-12-09 10:40:50.730275761 +0100
+++ shadow-4.6/src/getsubids.c 2021-12-09 10:40:50.730275761 +0100
@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "subid.h"
+#include "prototypes.h"
+
+const char *Prog;
+FILE *shadow_logfd = NULL;
+
+void usage(void)
+{
+ fprintf(stderr, "Usage: %s [-g] user\n", Prog);
+ fprintf(stderr, " list subuid ranges for user\n");
+ fprintf(stderr, " pass -g to list subgid ranges\n");
+ exit(EXIT_FAILURE);
+}
+
+int main(int argc, char *argv[])
+{
+ int i, count=0;
+ struct subid_range *ranges;
+ const char *owner;
+
+ Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
+ if (argc < 2)
+ usage();
+ owner = argv[1];
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
+ owner = argv[2];
+ count = get_subgid_ranges(owner, &ranges);
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
+ usage();
+ } else {
+ count = get_subuid_ranges(owner, &ranges);
+ }
+ if (!ranges) {
+ fprintf(stderr, "Error fetching ranges\n");
+ exit(1);
+ }
+ for (i = 0; i < count; i++) {
+ printf("%d: %s %lu %lu\n", i, owner,
+ ranges[i].start, ranges[i].count);
+ }
+ return 0;
+}
diff -up shadow-4.6/src/Makefile.am.getsubids shadow-4.6/src/Makefile.am
--- shadow-4.6/src/Makefile.am.getsubids 2021-12-09 10:40:50.710275627 +0100
+++ shadow-4.6/src/Makefile.am 2021-12-09 10:45:04.465985510 +0100
@@ -140,8 +140,8 @@ if WITH_TCB
endif
if ENABLE_SUBIDS
-noinst_PROGRAMS += list_subid_ranges \
- get_subid_owners \
+bin_PROGRAMS += getsubids
+noinst_PROGRAMS += get_subid_owners \
new_subid_range \
free_subid_range \
check_subid_range
@@ -156,13 +156,13 @@ MISCLIBS = \
$(LIBCRYPT) \
$(LIBTCB)
-list_subid_ranges_LDADD = \
+getsubids_LDADD = \
$(top_builddir)/lib/libshadow.la \
$(top_builddir)/libmisc/libmisc.la \
$(top_builddir)/libsubid/libsubid.la \
$(MISCLIBS) -ldl
-list_subid_ranges_CPPFLAGS = \
+getsubids_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
-I$(top_srcdir)/libsubid

View File

@ -0,0 +1,13 @@
diff -up shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist shadow-4.9/libmisc/prefix_flag.c
--- shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist 2021-11-19 09:21:36.997091941 +0100
+++ shadow-4.9/libmisc/prefix_flag.c 2021-11-19 09:22:19.001341010 +0100
@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
if(!passwd_db_file) {
return getpwent();
}
+ if (!fp_pwent) {
+ return NULL;
+ }
return fgetpwent(fp_pwent);
}
extern void prefix_endpwent()

View File

@ -0,0 +1,28 @@
From 77e39de1e6cbd6925f16bb260abb7d216296886b Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Tue, 4 May 2021 09:21:11 -0500
Subject: [PATCH] Install subid.h
Now subid.h gets installed under /usr/include/shadow/subid.h
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index f543b5eb..189165b0 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -3,6 +3,8 @@ libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
libsubid_la_SOURCES = api.c
+pkginclude_HEADERS = subid.h
+
MISCLIBS = \
$(LIBAUDIT) \
$(LIBSELINUX) \
--
2.31.1

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,151 @@
diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.772741048 +0200
+++ shadow-4.8.1/lib/nss.c 2021-05-25 09:37:14.782741188 +0200
@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
subid_nss = NULL;
goto done;
}
- subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
- if (!subid_nss->has_any_range) {
- fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
- dlclose(h);
- free(subid_nss);
- subid_nss = NULL;
- goto done;
- }
subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
if (!subid_nss->find_subid_owners) {
fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/prototypes.h 2021-05-25 09:37:14.782741188 +0200
@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
struct subid_nss_ops {
/*
- * nss_has_any_range: does a user own any subid range
- *
- * @owner: username
- * @idtype: subuid or subgid
- * @result: true if a subid allocation was found for @owner
- *
- * returns success if the module was able to determine an answer (true or false),
- * else an error status.
- */
- enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
-
- /*
* nss_has_range: does a user own a given subid range
*
* @owner: username
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-25 09:37:14.782741188 +0200
@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
return commonio_open (&subordinate_uid_db, mode);
}
-bool sub_uid_assigned(const char *owner)
+bool local_sub_uid_assigned(const char *owner)
{
- struct subid_nss_ops *h;
- bool found;
- enum subid_status status;
- h = get_subid_nss_handle();
- if (h) {
- status = h->has_any_range(owner, ID_TYPE_UID, &found);
- if (status == SUBID_STATUS_SUCCESS && found)
- return true;
- return false;
- }
-
return range_exists (&subordinate_uid_db, owner);
}
@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
return have_range(&subordinate_gid_db, owner, start, count);
}
-bool sub_gid_assigned(const char *owner)
+bool local_sub_gid_assigned(const char *owner)
{
- struct subid_nss_ops *h;
- bool found;
- enum subid_status status;
- h = get_subid_nss_handle();
- if (h) {
- status = h->has_any_range(owner, ID_TYPE_GID, &found);
- if (status == SUBID_STATUS_SUCCESS && found)
- return true;
- return false;
- }
return range_exists (&subordinate_gid_db, owner);
}
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-25 09:37:14.782741188 +0200
@@ -16,7 +16,7 @@
extern int sub_uid_close(void);
extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
extern bool sub_uid_file_present (void);
-extern bool sub_uid_assigned(const char *owner);
+extern bool local_sub_uid_assigned(const char *owner);
extern int sub_uid_lock (void);
extern int sub_uid_setdbname (const char *filename);
extern /*@observer@*/const char *sub_uid_dbname (void);
@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
extern int sub_gid_close(void);
extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
extern bool sub_gid_file_present (void);
-extern bool sub_gid_assigned(const char *owner);
+extern bool local_sub_gid_assigned(const char *owner);
extern int sub_gid_lock (void);
extern int sub_gid_setdbname (const char *filename);
extern /*@observer@*/const char *sub_gid_dbname (void);
diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.776741104 +0200
+++ shadow-4.8.1/src/newusers.c 2021-05-25 09:37:25.955897160 +0200
@@ -1021,6 +1021,24 @@ static void close_files (void)
#endif /* ENABLE_SUBIDS */
}
+static bool want_subuids(void)
+{
+ if (get_subid_nss_handle() != NULL)
+ return false;
+ if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
+ return false;
+ return true;
+}
+
+static bool want_subgids(void)
+{
+ if (get_subid_nss_handle() != NULL)
+ return false;
+ if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
+ return false;
+ return true;
+}
+
int main (int argc, char **argv)
{
char buf[BUFSIZ];
@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
/*
* Add subordinate uids if the user does not have them.
*/
- if (is_sub_uid && !sub_uid_assigned(fields[0])) {
+ if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
uid_t sub_uid_start = 0;
unsigned long sub_uid_count = 0;
if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
/*
* Add subordinate gids if the user does not have them.
*/
- if (is_sub_gid && !sub_gid_assigned(fields[0])) {
+ if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
gid_t sub_gid_start = 0;
unsigned long sub_gid_count = 0;
if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {

View File

@ -0,0 +1,40 @@
From b0e86b959fe5c086ffb5e7eaf3c1b1e9219411e9 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sun, 23 May 2021 08:03:10 -0500
Subject: [PATCH] libsubid_init: don't print messages on error
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/api.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index c4848142..b477b271 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -46,12 +46,10 @@ bool libsubid_init(const char *progname, FILE * logfd)
{
if (progname) {
progname = strdup(progname);
- if (progname) {
+ if (progname)
Prog = progname;
- } else {
- fprintf(stderr, "Out of memory");
+ else
return false;
- }
}
if (logfd) {
@@ -60,7 +58,6 @@ bool libsubid_init(const char *progname, FILE * logfd)
}
shadow_logfd = fopen("/dev/null", "w");
if (!shadow_logfd) {
- fprintf(stderr, "ERROR opening /dev/null for error messages. Using stderr.");
shadow_logfd = stderr;
return false;
}
--
2.30.2

View File

@ -0,0 +1,37 @@
From e34f49c1966fcaa9390a544a0136ec189a3c870e Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Mon, 17 May 2021 08:48:03 -0500
Subject: [PATCH] libsubid_init: return false if out of memory
The rest of the run isn't likely to get much better, is it?
Thanks to Alexey for pointing this out.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Cc: Alexey Tikhonov <atikhono@redhat.com>
---
libsubid/api.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index 8ca09859..8618e500 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -46,10 +46,12 @@ bool libsubid_init(const char *progname, FILE * logfd)
{
if (progname) {
progname = strdup(progname);
- if (progname)
+ if (progname) {
Prog = progname;
- else
+ } else {
fprintf(stderr, "Out of memory");
+ return false;
+ }
}
if (logfd) {
--
2.30.2

View File

@ -0,0 +1,41 @@
From 1d767fb779d7b203ad609540d1dc605cf62d1050 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Fri, 28 May 2021 22:02:16 -0500
Subject: [PATCH] libsubid/api.c: make shadow_logfd not extern
Closes #346
Also #include stdio.h
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/api.c | 2 +-
libsubid/subid.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index b477b271..a7b904d0 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -40,7 +40,7 @@
#include "subid.h"
const char *Prog = "(libsubid)";
-extern FILE * shadow_logfd;
+FILE *shadow_logfd;
bool libsubid_init(const char *progname, FILE * logfd)
{
diff --git a/libsubid/subid.h b/libsubid/subid.h
index 5fef2572..eabafe4d 100644
--- a/libsubid/subid.h
+++ b/libsubid/subid.h
@@ -1,4 +1,5 @@
#include <sys/types.h>
+#include <stdio.h>
#include <stdbool.h>
#ifndef SUBID_RANGE_DEFINED
--
2.31.1

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,264 @@
diff -up shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable shadow-4.8.1/configure.ac
--- shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.165917066 +0200
+++ shadow-4.8.1/configure.ac 2021-05-24 15:02:56.184917324 +0200
@@ -1,6 +1,6 @@
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ([2.69])
-m4_define([libsubid_abi_major], 2)
+m4_define([libsubid_abi_major], 3)
m4_define([libsubid_abi_minor], 0)
m4_define([libsubid_abi_micro], 0)
m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/prototypes.h
--- shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.184917324 +0200
+++ shadow-4.8.1/lib/prototypes.h 2021-05-24 16:38:57.610619467 +0200
@@ -309,16 +309,15 @@ struct subid_nss_ops {
*
* @owner - string representing username being queried
* @id_type - subuid or subgid
- * @ranges - pointer to an array of struct subordinate_range pointers, or
- * NULL. The returned array of struct subordinate_range and its
- * members must be freed by the caller.
+ * @ranges - pointer to an array of struct subid_range, or NULL. The
+ * returned array must be freed by the caller.
* @count - pointer to an integer into which the number of returned ranges
* is written.
* returns success if the module was able to determine an answer,
* else an error status.
*/
- enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
+ enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
/*
* nss_find_subid_owners: find uids who own a given subuid or subgid.
diff -up shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/api.c
--- shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
+++ shadow-4.8.1/libsubid/api.c 2021-05-24 16:42:32.091584531 +0200
@@ -68,26 +68,21 @@ bool libsubid_init(const char *progname,
}
static
-int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
+int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
{
return list_owner_ranges(owner, id_type, ranges);
}
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)
+int get_subuid_ranges(const char *owner, struct subid_range **ranges)
{
return get_subid_ranges(owner, ID_TYPE_UID, ranges);
}
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)
+int get_subgid_ranges(const char *owner, struct subid_range **ranges)
{
return get_subid_ranges(owner, ID_TYPE_GID, ranges);
}
-void subid_free_ranges(struct subordinate_range **ranges, int count)
-{
- return free_subordinate_ranges(ranges, count);
-}
-
static
int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
{
diff -up shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/subid.h
--- shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
+++ shadow-4.8.1/libsubid/subid.h 2021-05-24 16:43:49.697657383 +0200
@@ -3,6 +3,15 @@
#ifndef SUBID_RANGE_DEFINED
#define SUBID_RANGE_DEFINED 1
+
+/* subid_range is just a starting point and size of a range */
+struct subid_range {
+ unsigned long start;
+ unsigned long count;
+};
+
+/* subordinage_range is a subid_range plus an owner, representing
+ * a range in /etc/subuid or /etc/subgid */
struct subordinate_range {
const char *owner;
unsigned long start;
@@ -41,32 +50,27 @@ bool libsubid_init(const char *progname,
* get_subuid_ranges: return a list of UID ranges for a user
*
* @owner: username being queried
- * @ranges: a pointer to a subordinate range ** in which the result will be
- * returned.
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ * will be returned.
+ *
+ * The caller must free(ranges) when done.
*
* returns: number of ranges found, ir < 0 on error.
*/
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);
+int get_subuid_ranges(const char *owner, struct subid_range **ranges);
/*
* get_subgid_ranges: return a list of GID ranges for a user
*
* @owner: username being queried
- * @ranges: a pointer to a subordinate range ** in which the result will be
- * returned.
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ * will be returned.
*
- * returns: number of ranges found, ir < 0 on error.
- */
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);
-
-/*
- * subid_free_ranges: free an array of subordinate_ranges returned by either
- * get_subuid_ranges() or get_subgid_ranges().
+ * The caller must free(ranges) when done.
*
- * @ranges: the ranges to free
- * @count: the number of ranges in @ranges
+ * returns: number of ranges found, ir < 0 on error.
*/
-void subid_free_ranges(struct subordinate_range **ranges, int count);
+int get_subgid_ranges(const char *owner, struct subid_range **ranges);
/*
* get_subuid_owners: return a list of uids to which the given uid has been
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid-simplify shadow-4.8.1/lib/subordinateio.c
--- shadow-4.8.1/lib/subordinateio.c.libsubid-simplify 2021-05-24 17:27:38.721035241 +0200
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-24 17:28:06.481420946 +0200
@@ -11,6 +11,7 @@
#include <stdio.h>
#include "commonio.h"
#include "subordinateio.h"
+#include "../libsubid/subid.h"
#include <sys/types.h>
#include <pwd.h>
#include <ctype.h>
@@ -308,25 +309,21 @@ static bool have_range(struct commonio_d
return false;
}
-static bool append_range(struct subordinate_range ***ranges, const struct subordinate_range *new, int n)
+static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
{
- struct subordinate_range *tmp;
if (!*ranges) {
- *ranges = malloc(sizeof(struct subordinate_range *));
+ *ranges = malloc(sizeof(struct subid_range));
if (!*ranges)
return false;
} else {
- struct subordinate_range **new;
- new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));
- if (!new)
+ struct subid_range *alloced;
+ alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
+ if (!alloced)
return false;
- *ranges = new;
+ *ranges = alloced;
}
- (*ranges)[n] = NULL;
- tmp = subordinate_dup(new);
- if (!tmp)
- return false;
- (*ranges)[n] = tmp;
+ (*ranges)[n].start = new->start;
+ (*ranges)[n].count = new->count;
return true;
}
@@ -785,10 +782,10 @@ gid_t sub_gid_find_free_range(gid_t min,
*
* The caller must free the subordinate range list.
*/
-int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***in_ranges)
+int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
{
// TODO - need to handle owner being either uid or username
- struct subordinate_range **ranges = NULL;
+ struct subid_range *ranges = NULL;
const struct subordinate_range *range;
struct commonio_db *db;
enum subid_status status;
@@ -826,7 +823,7 @@ int list_owner_ranges(const char *owner,
while ((range = commonio_next(db)) != NULL) {
if (0 == strcmp(range->owner, owner)) {
if (!append_range(&ranges, range, count++)) {
- free_subordinate_ranges(ranges, count-1);
+ free(ranges);
ranges = NULL;
count = -1;
goto out;
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/subordinateio.h
--- shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-24 16:40:56.978269647 +0200
@@ -25,7 +25,7 @@ extern int sub_uid_unlock (void);
extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
-extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges);
+extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
diff -up shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable shadow-4.8.1/src/list_subid_ranges.c
--- shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
+++ shadow-4.8.1/src/list_subid_ranges.c 2021-05-24 16:45:10.884779740 +0200
@@ -17,27 +17,29 @@ void usage(void)
int main(int argc, char *argv[])
{
int i, count=0;
- struct subordinate_range **ranges;
+ struct subid_range *ranges;
+ const char *owner;
Prog = Basename (argv[0]);
shadow_logfd = stderr;
- if (argc < 2) {
+ if (argc < 2)
usage();
- }
- if (argc == 3 && strcmp(argv[1], "-g") == 0)
- count = get_subgid_ranges(argv[2], &ranges);
- else if (argc == 2 && strcmp(argv[1], "-h") == 0)
+ owner = argv[1];
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
+ owner = argv[2];
+ count = get_subgid_ranges(owner, &ranges);
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
usage();
- else
- count = get_subuid_ranges(argv[1], &ranges);
+ } else {
+ count = get_subuid_ranges(owner, &ranges);
+ }
if (!ranges) {
fprintf(stderr, "Error fetching ranges\n");
exit(1);
}
for (i = 0; i < count; i++) {
- printf("%d: %s %lu %lu\n", i, ranges[i]->owner,
- ranges[i]->start, ranges[i]->count);
+ printf("%d: %s %lu %lu\n", i, owner,
+ ranges[i].start, ranges[i].count);
}
- subid_free_ranges(ranges, count);
return 0;
}
diff -up shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c
--- shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.166917079 +0200
+++ shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c 2021-05-24 15:03:01.469989106 +0200
@@ -113,7 +113,7 @@ enum subid_status shadow_subid_list_owne
if (strcmp(owner, "conn") == 0)
return SUBID_STATUS_ERROR_CONN;
- *ranges = NULL;
+ *in_ranges = NULL;
if (strcmp(owner, "user1") != 0 && strcmp(owner, "ubuntu") != 0 &&
strcmp(owner, "group1") != 0)
return SUBID_STATUS_SUCCESS;

View File

@ -0,0 +1,44 @@
From 186b1b7ac1a68d0fcc618a22da1a99232b420911 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Tue, 4 May 2021 14:39:26 -0500
Subject: [PATCH] manpages: mention NSS in new[ug]idmap manpages
Closes #328
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
man/newgidmap.1.xml | 3 ++-
man/newuidmap.1.xml | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index 71b03e56..76fc1e30 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -88,7 +88,8 @@
<title>DESCRIPTION</title>
<para>
The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed in <filename>/etc/subgid</filename>.
+ command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
+ through the configured NSS subid module).
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subgid</filename> entry.
</para>
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index a6f1f085..44eca50a 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -88,7 +88,8 @@
<title>DESCRIPTION</title>
<para>
The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed in <filename>/etc/subuid</filename>.
+ command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
+ through the configured NSS subid module).
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
--
2.30.2

View File

@ -0,0 +1,166 @@
diff -up shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newgidmap.1.xml
--- shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
+++ shadow-4.6/man/newgidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
@@ -80,10 +80,15 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
- through the configured NSS subid module).
- Note that the root user is not exempted from the requirement for a valid
+ The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
+ based on its command line arguments and the gids allowed. Subgid
+ delegation can either be managed via <filename>/etc/subgid</filename>
+ or through the configured NSS subid module. These options are mutually
+ exclusive.
+ </para>
+
+ <para>
+ Note that the root group is not exempted from the requirement for a valid
<filename>/etc/subgid</filename> entry.
</para>
diff -up shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newuidmap.1.xml
--- shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
+++ shadow-4.6/man/newuidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
@@ -80,9 +80,14 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
- through the configured NSS subid module).
+ The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
+ based on its command line arguments and the uids allowed. Subuid
+ delegation can either be managed via <filename>/etc/subuid</filename> or
+ through the configured NSS subid module. These options are mutually
+ exclusive.
+ </para>
+
+ <para>
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
diff -up shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subgid.5.xml
--- shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/subgid.5.xml 2021-11-03 09:59:55.752084920 +0100
@@ -32,6 +32,18 @@
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subgid.5'>
+ <refentryinfo>
+ <author>
+ <firstname>Eric</firstname>
+ <surname>Biederman</surname>
+ <contrib>Creation, 2013</contrib>
+ </author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
+ </refentryinfo>
<refmeta>
<refentrytitle>subgid</refentrytitle>
<manvolnum>5</manvolnum>
@@ -41,12 +53,37 @@
</refmeta>
<refnamediv id='name'>
<refname>subgid</refname>
- <refpurpose>the subordinate gid file</refpurpose>
+ <refpurpose>the configuration for subordinate group ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ Subgid authorizes a group id to map ranges of group ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate gids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of gids to
+ <filename>/etc/subgid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate gid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>groupadd</command> will only create entries in
+ <filename>/etc/subgid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
+ <para>
Each line in <filename>/etc/subgid</filename> contains
a user name and a range of subordinate group ids that user
is allowed to use.
diff -up shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subuid.5.xml
--- shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/subuid.5.xml 2021-11-03 10:00:18.888255255 +0100
@@ -32,6 +32,18 @@
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subuid.5'>
+ <refentryinfo>
+ <author>
+ <firstname>Eric</firstname>
+ <surname>Biederman</surname>
+ <contrib>Creation, 2013</contrib>
+ </author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
+ </refentryinfo>
<refmeta>
<refentrytitle>subuid</refentrytitle>
<manvolnum>5</manvolnum>
@@ -41,12 +53,37 @@
</refmeta>
<refnamediv id='name'>
<refname>subuid</refname>
- <refpurpose>the subordinate uid file</refpurpose>
+ <refpurpose>the configuration for subordinate user ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ Subuid authorizes a user id to map ranges of user ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate uids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of uids to
+ <filename>/etc/subuid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate uid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>useradd</command> will only create entries in
+ <filename>/etc/subuid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
+ <para>
Each line in <filename>/etc/subuid</filename> contains
a user name and a range of subordinate user ids that user
is allowed to use.

View File

@ -0,0 +1,24 @@
diff -up shadow-4.6/configure.ac.respect_enable_static_no shadow-4.6/configure.ac
--- shadow-4.6/configure.ac.respect_enable_static_no 2021-11-03 12:09:39.852829632 +0100
+++ shadow-4.6/configure.ac 2021-11-03 12:10:32.447203434 +0100
@@ -311,6 +311,8 @@ if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
if test "$with_nscd" = "yes"; then
AC_CHECK_FUNC(posix_spawn,
[AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
diff -up shadow-4.6/libsubid/Makefile.am.respect_enable_static_no shadow-4.6/libsubid/Makefile.am
--- shadow-4.6/libsubid/Makefile.am.respect_enable_static_no 2021-11-03 12:09:39.851829625 +0100
+++ shadow-4.6/libsubid/Makefile.am 2021-11-03 12:09:39.852829632 +0100
@@ -1,6 +1,8 @@
lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
libsubid_la_SOURCES = api.c
pkginclude_HEADERS = subid.h

View File

@ -0,0 +1,44 @@
From 663824ef4ca927aa2b4319b69e0bfa68282ec719 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sat, 22 May 2021 11:42:02 -0500
Subject: [PATCH] Fix useradd with SUB_UID_COUNT=0
Closes #298
Fix useradd when SUB_UID_COUNT=0 in login.defs.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
src/useradd.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 06accb2f..9862ae55 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2386,6 +2386,8 @@ int main (int argc, char **argv)
#ifdef ENABLE_SUBIDS
uid_t uid_min;
uid_t uid_max;
+ unsigned long subuid_count;
+ unsigned long subgid_count;
#endif
/*
@@ -2427,9 +2429,11 @@ int main (int argc, char **argv)
#ifdef ENABLE_SUBIDS
uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
- is_sub_uid = sub_uid_file_present () && !rflg &&
+ subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536);
+ subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536);
+ is_sub_uid = subuid_count > 0 && sub_uid_file_present () && !rflg &&
(!user_id || (user_id <= uid_max && user_id >= uid_min));
- is_sub_gid = sub_gid_file_present () && !rflg &&
+ is_sub_gid = subgid_count > 0 && sub_gid_file_present () && !rflg &&
(!user_id || (user_id <= uid_max && user_id >= uid_min));
#endif /* ENABLE_SUBIDS */
--
2.30.2

View File

@ -0,0 +1,21 @@
diff -up shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids 2021-11-03 11:55:00.189562187 +0100
+++ shadow-4.6/src/useradd.c 2021-11-03 11:57:34.128658978 +0100
@@ -2350,7 +2350,7 @@ int main (int argc, char **argv)
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid) {
+ if (is_sub_uid && subuid_count != 0) {
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate user IDs\n"),
@@ -2358,7 +2358,7 @@ int main (int argc, char **argv)
fail_exit(E_SUB_UID_UPDATE);
}
}
- if (is_sub_gid) {
+ if (is_sub_gid && subgid_count != 0) {
if (find_new_sub_gids(user_name, &sub_gid_start, &sub_gid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate group IDs\n"),

View File

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.6 Version: 4.6
Release: 14%{?dist} Release: 16%{?dist}
Epoch: 2 Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/ URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -10,6 +10,11 @@ Source2: shadow-utils.useradd
Source3: shadow-utils.login.defs Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
### Globals ###
%global includesubiddir %{_includedir}/shadow
### Patches ###
Patch0: shadow-4.6-redhat.patch Patch0: shadow-4.6-redhat.patch
Patch1: shadow-4.6-goodname.patch Patch1: shadow-4.6-goodname.patch
Patch2: shadow-4.1.5.1-info-parent-dir.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch
@ -49,6 +54,44 @@ Patch45: shadow-4.6-sssd-redirect-warning.patch
Patch46: shadow-4.6-remove-login-string-references.patch Patch46: shadow-4.6-remove-login-string-references.patch
# https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991 # https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
Patch47: shadow-4.6-usermod-allow-all-group-types.patch Patch47: shadow-4.6-usermod-allow-all-group-types.patch
# https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a052b988b01a71933b67296e68
# https://github.com/shadow-maint/shadow/commit/607f1dd549cf9abc87af1cf29275f0d2d11eea29
# https://github.com/shadow-maint/shadow/commit/b5fb1b38eea2fb0489ed088c82daf6700e72363e
# https://github.com/shadow-maint/shadow/commit/43a917cce54019799a8de037fd63780a2b640afc
Patch48: shadow-4.6-libsubid_creation.patch
# https://github.com/shadow-maint/shadow/commit/514c1328b6c90d817ae0a9f7addfb3c9a11a275a
# https://github.com/shadow-maint/shadow/commit/8492dee6632e340dee76eee895c3e30877bebf45
# https://github.com/shadow-maint/shadow/commit/0f4347d1483191b2142546416a9eefe0c9459600
Patch49: shadow-4.6-libsubid_nsswitch_support.patch
# https://github.com/shadow-maint/shadow/commit/186b1b7ac1a68d0fcc618a22da1a99232b420911
Patch50: shadow-4.6-man-mention-nss-in-newuidmap.patch
# https://github.com/shadow-maint/shadow/commit/f9831a4a1a20b0e8fe47cc72ec20018ec04dbb90
Patch51: shadow-4.6-libsubid_not_print_error_messages.patch
# https://github.com/shadow-maint/shadow/commit/c6cab4a7bafa18d9d65a333cac1261e7b5e32bc9
Patch52: shadow-4.6-libsubid_init_return_false.patch
# https://github.com/shadow-maint/shadow/commit/2f1f45d64fc7c10e7a3cbe00e89f63714343e526
Patch53: shadow-4.6-useradd_SUB_UID_COUNT-0.patch
# https://github.com/shadow-maint/shadow/commit/ea7af4e1543c63590d4107ae075fea385028997d
Patch54: shadow-4.6-libsubid_simplify_ranges_variable.patch
# https://github.com/shadow-maint/shadow/commit/0fe42f571c69f0105d31305f995c9887aeb9525e
Patch55: shadow-4.6-libsubid_init_not_print_error_messages.patch
# https://github.com/shadow-maint/shadow/commit/ec1951c181faed188464396b2cfdd2efb726c7f3
Patch56: shadow-4.6-libsubid_fix_newusers_nss_provides_subids.patch
# https://github.com/shadow-maint/shadow/commit/087112244327be50abc24f9ec8afbf60ae8b2dec
# https://github.com/shadow-maint/shadow/pull/353
Patch57: shadow-4.6-man_clarify_subid_delegation.patch
# https://github.com/shadow-maint/shadow/commit/bd920ab36a6c641e4a8769f8c7f8ca738ec61820
Patch58: shadow-4.6-libsubid_make_logfd_not_extern.patch
# https://github.com/shadow-maint/shadow/commit/0dffc7c61200f492eeac03c29fa7e93b62d3cead
Patch59: shadow-4.6-useradd_dont_try_to_create_0_subuids.patch
# https://github.com/shadow-maint/shadow/commit/77e39de1e6cbd6925f16bb260abb7d216296886b
Patch60: shadow-4.6-install_subid_h.patch
# https://github.com/shadow-maint/shadow/commit/fa986b1d73605ecca54a4f19249227aeab827bf6
Patch61: shadow-4.6-respect_enable_static_no.patch
# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
Patch62: shadow-4.6-getsubids.patch
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
Patch63: shadow-4.6-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
License: BSD and GPLv2+ License: BSD and GPLv2+
Group: System Environment/Base Group: System Environment/Base
@ -79,6 +122,23 @@ for all users. The useradd, userdel, and usermod commands are used for
managing user accounts. The groupadd, groupdel, and groupmod commands managing user accounts. The groupadd, groupdel, and groupmod commands
are used for managing group accounts. are used for managing group accounts.
### Subpackages ###
%package subid
Summary: A library to manage subordinate uid and gid ranges
License: BSD and GPLv2+
%description subid
Utility library that provides a way to manage subid ranges.
%package subid-devel
Summary: Development package for shadow-utils-subid
License: BSD and GPLv2+
%description subid-devel
Development files for shadow-utils-subid.
%prep %prep
%setup -q -n shadow-%{version} %setup -q -n shadow-%{version}
%patch0 -p1 -b .redhat %patch0 -p1 -b .redhat
@ -114,6 +174,22 @@ are used for managing group accounts.
%patch45 -p1 -b .sssd-redirect-warning %patch45 -p1 -b .sssd-redirect-warning
%patch46 -p1 -b .remove-login-string-references %patch46 -p1 -b .remove-login-string-references
%patch47 -p1 -b .usermod-allow-all-group-types %patch47 -p1 -b .usermod-allow-all-group-types
%patch48 -p1 -b .libsubid_creation
%patch49 -p1 -b .libsubid_nsswitch_support
%patch50 -p1 -b .man-mention-nss-in-newuidmap
%patch51 -p1 -b .libsubid_not_print_error_messages
%patch52 -p1 -b .libsubid_init_return_false
%patch53 -p1 -b .useradd_SUB_UID_COUNT-0
%patch54 -p1 -b .libsubid_simplify_ranges_variable
%patch55 -p1 -b .libsubid_init_not_print_error_messages
%patch56 -p1 -b .libsubid_fix_newusers_nss_provides_subids
%patch57 -p1 -b .man_clarify_subid_delegation
%patch58 -p1 -b .libsubid_make_logfd_not_extern
%patch59 -p1 -b .useradd_dont_try_to_create_0_subuids
%patch60 -p1 -b .install_subid_h
%patch61 -p1 -b .respect_enable_static_no
%patch62 -p1 -b .getsubids
%patch63 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO cp -f doc/HOWTO.utf8 doc/HOWTO
@ -142,7 +218,7 @@ autoreconf
--with-selinux \ --with-selinux \
--without-libcrack \ --without-libcrack \
--without-libpam \ --without-libpam \
--disable-shared \ --enable-shared \
--with-group-name-max-length=32 --with-group-name-max-length=32
%make_build %make_build
@ -218,6 +294,13 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
echo "%%lang($lang) $dir/man*/*" >> shadow.lang echo "%%lang($lang) $dir/man*/*" >> shadow.lang
done done
# Move header files to its own folder
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
# Remove .la files created by libsubid
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%files -f shadow.lang %files -f shadow.lang
%doc NEWS doc/HOWTO README %doc NEWS doc/HOWTO README
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
@ -267,7 +350,33 @@ done
%{_mandir}/man8/vipw.8* %{_mandir}/man8/vipw.8*
%{_mandir}/man8/vigr.8* %{_mandir}/man8/vigr.8*
%files subid
%{_libdir}/libsubid.so.*
%{_bindir}/getsubids
%{_mandir}/man1/getsubids.1*
%files subid-devel
%{includesubiddir}/subid.h
%{_libdir}/libsubid.so
%changelog %changelog
* Thu Dec 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-16
- getsubids: provide system binary and man page. Resolves: #2013016
- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #1986782
* Tue Oct 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-15
- Creation of subid and subid-devel subpackages (#2013009)
- libsubid: creation and nsswitch support
- libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory
- libsubid: don't return owner in list_owner_ranges API call
- libsubid: libsubid_init don't print messages on error
- libsubid: fix newusers when nss provides subids
- libsubid: make shadow_logfd not extern
- useradd: fix SUB_UID_COUNT=0
- man: mention NSS in new[ug]idmap manpages
- man: clarify subid delegation
* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-14 * Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-14
- usermod: allow all group types with -G option (#1967641) - usermod: allow all group types with -G option (#1967641)