rpms/shadow-utils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c9s
rpms:c10s
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c9/shadow-utils-4.9-10.el9_5
rpms:imports/c9/shadow-utils-4.9-9.el9
rpms:imports/c10s/shadow-utils-4.15.0-5.el10
rpms:imports/c10s/shadow-utils-4.15.0-4.el10
rpms:imports/c9-beta/shadow-utils-4.9-9.el9
rpms:imports/c10s/shadow-utils-4.15.0-3.el10
rpms:imports/c8/shadow-utils-4.6-22.el8
rpms:imports/c8/shadow-utils-4.6-19.el8
rpms:imports/c9/shadow-utils-4.9-8.el9
rpms:imports/c8-beta/shadow-utils-4.6-19.el8
rpms:imports/c9-beta/shadow-utils-4.9-8.el9
rpms:imports/c9/shadow-utils-4.9-6.el9
rpms:imports/c9-beta/shadow-utils-4.9-6.el9
rpms:imports/c9/shadow-utils-4.9-5.el9
rpms:imports/c8/shadow-utils-4.6-17.el8
rpms:imports/c9-beta/shadow-utils-4.9-5.el9
rpms:imports/c8-beta/shadow-utils-4.6-17.el8
rpms:imports/c8s/shadow-utils-4.6-17.el8
rpms:imports/c9/shadow-utils-4.9-3.el9
rpms:imports/c8/shadow-utils-4.6-16.el8
rpms:imports/c8-beta/shadow-utils-4.6-16.el8
rpms:imports/c9-beta/shadow-utils-4.9-3.el9
rpms:imports/c8s/shadow-utils-4.6-16.el8
rpms:imports/c9-beta/shadow-utils-4.9-2.el9
rpms:imports/c8/shadow-utils-4.6-14.el8
rpms:imports/c8s/shadow-utils-4.6-15.el8
rpms:imports/c8-beta/shadow-utils-4.6-14.el8
rpms:imports/c8-beta/shadow-utils-4.6-12.el8
rpms:imports/c8-beta/shadow-utils-4.6-10.el8
rpms:imports/c8-beta/shadow-utils-4.6-8.el8
rpms:imports/c8s/shadow-utils-4.6-14.el8
rpms:imports/c8s/shadow-utils-4.6-13.el8
rpms:imports/c8s/shadow-utils-4.6-12.el8
rpms:imports/c8s/shadow-utils-4.6-11.el8
rpms:imports/c8s/shadow-utils-4.6-10.el8
rpms:imports/c8/shadow-utils-4.6-12.el8
rpms:imports/c8/shadow-utils-4.6-11.el8
rpms:imports/c8/shadow-utils-4.6-8.el8
rpms:imports/c8/shadow-utils-4.6-7.el8
...
pull from: rpms:c10s
Branches Tags
rpms:c9
rpms:c9s
rpms:c10s
rpms:c9-beta
rpms:c8
rpms:c8-beta
rpms:c8s
rpms:imports/c9/shadow-utils-4.9-10.el9_5
rpms:imports/c9/shadow-utils-4.9-9.el9
rpms:imports/c10s/shadow-utils-4.15.0-5.el10
rpms:imports/c10s/shadow-utils-4.15.0-4.el10
rpms:imports/c9-beta/shadow-utils-4.9-9.el9
rpms:imports/c10s/shadow-utils-4.15.0-3.el10
rpms:imports/c8/shadow-utils-4.6-22.el8
rpms:imports/c8/shadow-utils-4.6-19.el8
rpms:imports/c9/shadow-utils-4.9-8.el9
rpms:imports/c8-beta/shadow-utils-4.6-19.el8
rpms:imports/c9-beta/shadow-utils-4.9-8.el9
rpms:imports/c9/shadow-utils-4.9-6.el9
rpms:imports/c9-beta/shadow-utils-4.9-6.el9
rpms:imports/c9/shadow-utils-4.9-5.el9
rpms:imports/c8/shadow-utils-4.6-17.el8
rpms:imports/c9-beta/shadow-utils-4.9-5.el9
rpms:imports/c8-beta/shadow-utils-4.6-17.el8
rpms:imports/c8s/shadow-utils-4.6-17.el8
rpms:imports/c9/shadow-utils-4.9-3.el9
rpms:imports/c8/shadow-utils-4.6-16.el8
rpms:imports/c8-beta/shadow-utils-4.6-16.el8
rpms:imports/c9-beta/shadow-utils-4.9-3.el9
rpms:imports/c8s/shadow-utils-4.6-16.el8
rpms:imports/c9-beta/shadow-utils-4.9-2.el9
rpms:imports/c8/shadow-utils-4.6-14.el8
rpms:imports/c8s/shadow-utils-4.6-15.el8
rpms:imports/c8-beta/shadow-utils-4.6-14.el8
rpms:imports/c8-beta/shadow-utils-4.6-12.el8
rpms:imports/c8-beta/shadow-utils-4.6-10.el8
rpms:imports/c8-beta/shadow-utils-4.6-8.el8
rpms:imports/c8s/shadow-utils-4.6-14.el8
rpms:imports/c8s/shadow-utils-4.6-13.el8
rpms:imports/c8s/shadow-utils-4.6-12.el8
rpms:imports/c8s/shadow-utils-4.6-11.el8
rpms:imports/c8s/shadow-utils-4.6-10.el8
rpms:imports/c8/shadow-utils-4.6-12.el8
rpms:imports/c8/shadow-utils-4.6-11.el8
rpms:imports/c8/shadow-utils-4.6-8.el8
rpms:imports/c8/shadow-utils-4.6-7.el8

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

81 changed files with 5693 additions and 12231 deletions
Show Stats Expand all files Collapse all files

29
.gitignore vendored
View File

@ -1 +1,28 @@
SOURCES/shadow-4.6.tar.xz
shadow-4.1.4.2.tar.bz2
/shadow-4.1.4.3.tar.bz2
/shadow-4.1.5.tar.bz2
/shadow-4.1.5.1.tar.bz2
/shadow-4.1.5.1.tar.bz2.sig
/shadow-4.2.1.tar.xz
/shadow-4.2.1.tar.xz.sig
/shadow-4.3.1.tar.gz
/shadow-4.5.tar.xz
/shadow-4.5.tar.xz.asc
/shadow-4.6.tar.xz
/shadow-4.6.tar.xz.asc
/shadow-4.8.tar.xz
/shadow-4.8.tar.xz.asc
/shadow-4.8.1.tar.xz
/shadow-4.8.1.tar.xz.asc
/shadow-4.9.tar.xz
/shadow-4.9.tar.xz.asc
/shadow-4.11.1.tar.xz
/shadow-4.11.1.tar.xz.asc
/shadow-4.12.3.tar.xz
/shadow-4.12.3.tar.xz.asc
/shadow-4.13.tar.xz
/shadow-4.13.tar.xz.asc
/shadow-4.14.0.tar.xz
/shadow-4.14.0.tar.xz.asc
/shadow-4.15.0.tar.xz
/shadow-4.15.0.tar.xz.asc

1
.shadow-utils.metadata
View File

@ -1 +0,0 @@
0b84eb1010fda5edca2a9d1733f9480200e02de6 SOURCES/shadow-4.6.tar.xz

36
SOURCES/shadow-4.1.5.1-default-range.patch
View File

@ -1,36 +0,0 @@
Index: shadow-4.5/lib/semanage.c
===================================================================
--- shadow-4.5.orig/lib/semanage.c
+++ shadow-4.5/lib/semanage.c
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
goto done;
}
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (stderr,
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
ret = 1;
goto done;
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {
@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
goto done;
}
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (stderr,
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
ret = 1;
goto done;
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {

21
SOURCES/shadow-4.1.5.1-info-parent-dir.patch
View File

@ -1,21 +0,0 @@
Index: shadow-4.5/man/newusers.8.xml
===================================================================
--- shadow-4.5.orig/man/newusers.8.xml
+++ shadow-4.5/man/newusers.8.xml
@@ -218,7 +218,15 @@
<para>
If this field does not specify an existing directory, the
specified directory is created, with ownership set to the
- user being created or updated and its primary group.
+ user being created or updated and its primary group. Note
+ that newusers does not create parent directories of the new
+ user's home directory. The newusers command will fail to
+ create the home directory if the parent directories do not
+ exist, and will send a message to stderr informing the user
+ of the failure. The newusers command will not halt or return
+ a failure to the calling shell if it fails to create the home
+ directory, it will continue to process the batch of new users
+ specified.
</para>
<para>
If the home directory of an existing user is changed,

13
SOURCES/shadow-4.1.5.1-logmsg.patch
View File

@ -1,13 +0,0 @@
Index: shadow-4.5/src/useradd.c
===================================================================
--- shadow-4.5.orig/src/useradd.c
+++ shadow-4.5/src/useradd.c
@@ -323,7 +323,7 @@ static void fail_exit (int code)
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_FAILURE);
#endif
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
exit (code);
}

16
SOURCES/shadow-4.1.5.1-userdel-helpfix.patch
View File

@ -1,16 +0,0 @@
Index: shadow-4.5/src/userdel.c
===================================================================
--- shadow-4.5.orig/src/userdel.c
+++ shadow-4.5/src/userdel.c
@@ -143,8 +143,9 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -f, --force force removal of files,\n"
- " even if not owned by user\n"),
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
+ " e.g. removal of user still logged in\n"
+ " or files, even if not owned by the user\n"),
usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);

16
SOURCES/shadow-4.2.1-no-lock-dos.patch
View File

@ -1,16 +0,0 @@
Index: shadow-4.5/lib/commonio.c
===================================================================
--- shadow-4.5.orig/lib/commonio.c
+++ shadow-4.5/lib/commonio.c
@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
int retval;
char buf[32];
- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
+ /* We depend here on the fact, that the file name is pid-specific.
+ * So no O_EXCL here and no DoS.
+ */
+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
if (-1 == fd) {
if (log) {
(void) fprintf (stderr,

91
SOURCES/shadow-4.2.1-null-tm.patch
View File

@ -1,91 +0,0 @@
Index: shadow-4.5/src/faillog.c
===================================================================
--- shadow-4.5.orig/src/faillog.c
+++ shadow-4.5/src/faillog.c
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
}
tm = localtime (&fl.fail_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+ cp = ptime;
#endif
+ }
printf ("%-9s %5d %5d ",
pw->pw_name, fl.fail_cnt, fl.fail_max);
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
Index: shadow-4.5/src/chage.c
===================================================================
--- shadow-4.5.orig/src/chage.c
+++ shadow-4.5/src/chage.c
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
struct tm *tp;
tp = gmtime (&date);
+ if (tp == NULL) {
+ (void) snprintf (buf, maxsize, "(unknown)");
+ return;
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
#else
Index: shadow-4.5/src/lastlog.c
===================================================================
--- shadow-4.5.orig/src/lastlog.c
+++ shadow-4.5/src/lastlog.c
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
ll_time = ll.ll_time;
tm = localtime (&ll_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+ cp = ptime;
#else
- cp = asctime (tm);
- cp[24] = '\0';
+ cp = asctime (tm);
+ cp[24] = '\0';
#endif
+ }
if (ll.ll_time == (time_t) 0) {
cp = _("**Never logged in**\0");
Index: shadow-4.5/src/passwd.c
===================================================================
--- shadow-4.5.orig/src/passwd.c
+++ shadow-4.5/src/passwd.c
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
struct tm *tm;
tm = gmtime (&t);
+ if (tm == NULL) {
+ return "(unknown)";
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
#else /* !HAVE_STRFTIME */
Index: shadow-4.5/src/usermod.c
===================================================================
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
} else {
time_t t = (time_t) date;
tp = gmtime (&t);
+ if (tp == NULL) {
+ strncpy (buf, "unknown", maxsize);
+ return;
+ }
#ifdef HAVE_STRFTIME
strftime (buf, maxsize, "%Y-%m-%d", tp);
#else

41
SOURCES/shadow-4.5-crypt_h.patch
View File

@ -1,41 +0,0 @@
Index: shadow-4.5/configure.ac
===================================================================
--- shadow-4.5.orig/configure.ac
+++ shadow-4.5/configure.ac
@@ -32,9 +32,9 @@ AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_HEADER_STDBOOL
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
attr/error_context.h)
Index: shadow-4.5/lib/defines.h
===================================================================
--- shadow-4.5.orig/lib/defines.h
+++ shadow-4.5/lib/defines.h
@@ -4,6 +4,8 @@
#ifndef _DEFINES_H_
#define _DEFINES_H_
+#include "config.h"
+
#if HAVE_STDBOOL_H
# include <stdbool.h>
#else
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
# include <unistd.h>
#endif
+#if HAVE_CRYPT_H
+# include <crypt.h> /* crypt(3) may be defined in here */
+#endif
+
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>

84
SOURCES/shadow-4.5-long-entry.patch
View File

@ -1,84 +0,0 @@
diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200
+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200
@@ -382,4 +382,7 @@ extern char *strerror ();
# endif
#endif
+/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768
+
#endif /* _DEFINES_H_ */
diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100
+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|| (pw->pw_gid == (gid_t)-1)
|| (valid_field (pw->pw_gecos, ":\n") == -1)
|| (valid_field (pw->pw_dir, ":\n") == -1)
- || (valid_field (pw->pw_shell, ":\n") == -1)) {
+ || (valid_field (pw->pw_shell, ":\n") == -1)
+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
return -1;
}
diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200
@@ -57,7 +57,7 @@
struct passwd *sgetpwent (const char *buf)
{
static struct passwd pwent;
- static char pwdbuf[1024];
+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
register int i;
register char *cp;
char *fields[NFIELDS];
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
* the password structure remain valid.
*/
- if (strlen (buf) >= sizeof pwdbuf)
+ if (strlen (buf) >= sizeof pwdbuf) {
+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
return 0; /* fail if too long */
+ }
strcpy (pwdbuf, buf);
/*
diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200
@@ -48,7 +48,7 @@
*/
struct spwd *sgetspent (const char *string)
{
- static char spwbuf[1024];
+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
static struct spwd spwd;
char *fields[FIELDS];
char *cp;
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
*/
if (strlen (string) >= sizeof spwbuf) {
+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
return 0; /* fail if too long */
}
strcpy (spwbuf, string);
diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100
+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
if ( (NULL == sp)
|| (valid_field (sp->sp_namp, ":\n") == -1)
- || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
+ || (valid_field (sp->sp_pwdp, ":\n") == -1)
+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) {
return -1;
}

64
SOURCES/shadow-4.5-usermod-unlock.patch
View File

@ -1,64 +0,0 @@
Index: shadow-4.5/src/usermod.c
===================================================================
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
strcat (buf, pw_pass);
pw_pass = buf;
} else if (Uflg && pw_pass[0] == '!') {
- char *s;
+ char *s = pw_pass;
- if (pw_pass[1] == '\0') {
+ while ('!' == *s)
+ ++s;
+
+ if (*s == '\0') {
fprintf (stderr,
_("%s: unlocking the user's password would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user's password.\n"),
Prog);
- return pw_pass;
+ return NULL;
}
#ifdef WITH_AUDIT
@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
user_newname, (unsigned int) user_newid, 1);
#endif
SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
- s = pw_pass;
- while ('\0' != *s) {
- *s = *(s + 1);
- s++;
- }
+ memmove (pw_pass, s, strlen (s) + 1);
} else if (pflg) {
+ if (strchr (user_pass, ':') != NULL) {
+ fprintf (stderr,
+ _("%s: The password field cannot contain a colon character.\n"),
+ Prog);
+ return NULL;
+
+ }
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"updating-password",
@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
if ( (!is_shadow_pwd)
|| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
+ if (pwent->pw_passwd == NULL)
+ fail_exit (E_PW_UPDATE);
}
if (uflg) {
@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
* + aging has been requested
*/
spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
+ if (spent->sp_pwdp == NULL)
+ fail_exit(E_PW_UPDATE);
if (pflg) {
spent->sp_lstchg = (long) gettime () / SCALE;

642
SOURCES/shadow-4.6-check-local-groups.patch
View File

@ -1,642 +0,0 @@
From 140510de9de4771feb3af1d859c09604043a4c9b Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Fri, 27 Mar 2020 14:23:02 +0100
Subject: [PATCH 1/2] usermod: check only local groups with -G option
Check only local groups when adding new supplementary groups to a user
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
---
src/usermod.c | 220 ++++++++++++++++++++++++++++++++------------------
1 file changed, 143 insertions(+), 77 deletions(-)
diff --git a/src/usermod.c b/src/usermod.c
index 05b98715..ef430296 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -183,6 +183,7 @@ static bool sub_gid_locked = false;
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
long int date);
static int get_groups (char *);
+static struct group * get_local_group (char * grp_name);
static /*@noreturn@*/void usage (int status);
static void new_pwent (struct passwd *);
static void new_spent (struct spwd *);
@@ -196,7 +197,9 @@ static void grp_update (void);
static void process_flags (int, char **);
static void close_files (void);
+static void close_group_files (void);
static void open_files (void);
+static void open_group_files (void);
static void usr_update (void);
static void move_home (void);
static void update_lastlog (void);
@@ -253,6 +256,11 @@ static int get_groups (char *list)
return 0;
}
+ /*
+ * Open the group files
+ */
+ open_group_files ();
+
/*
* So long as there is some data to be converted, strip off each
* name and look it up. A mix of numerical and string values for
@@ -272,7 +280,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical GID
* values, otherwise the string is looked up as is.
*/
- grp = prefix_getgr_nam_gid (list);
+ grp = get_local_group (list);
/*
* There must be a match, either by GID value or by
@@ -322,6 +330,8 @@ static int get_groups (char *list)
gr_free ((struct group *)grp);
} while (NULL != list);
+ close_group_files ();
+
user_groups[ngroups] = (char *) 0;
/*
@@ -334,6 +344,44 @@ static int get_groups (char *list)
return 0;
}
+/*
+ * get_local_group - checks if a given group name exists locally
+ *
+ * get_local_group() checks if a given group name exists locally.
+ * If the name exists the group information is returned, otherwise NULL is
+ * returned.
+ */
+static struct group * get_local_group(char * grp_name)
+{
+ const struct group *grp;
+ struct group *result_grp = NULL;
+ long long int gid;
+ char *endptr;
+
+ gid = strtoll (grp_name, &endptr, 10);
+ if ( ('\0' != *grp_name)
+ && ('\0' == *endptr)
+ && (ERANGE != errno)
+ && (gid == (gid_t)gid)) {
+ grp = gr_locate_gid ((gid_t) gid);
+ }
+ else {
+ grp = gr_locate(grp_name);
+ }
+
+ if (grp != NULL) {
+ result_grp = __gr_dup (grp);
+ if (NULL == result_grp) {
+ fprintf (stderr,
+ _("%s: Out of memory. Cannot find group '%s'.\n"),
+ Prog, grp_name);
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+
+ return result_grp;
+}
+
#ifdef ENABLE_SUBIDS
struct ulong_range
{
@@ -1447,50 +1495,7 @@ static void close_files (void)
}
if (Gflg || lflg) {
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- sgr_dbname ()));
- /* continue */
- }
- }
-#endif
- if (gr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- gr_dbname ()));
- /* continue */
- }
+ close_group_files ();
}
if (is_shadow_pwd) {
@@ -1559,6 +1564,60 @@ static void close_files (void)
#endif
}
+/*
+ * close_group_files - close all of the files that were opened
+ *
+ * close_group_files() closes all of the files that were opened related
+ * with groups. This causes any modified entries to be written out.
+ */
+static void close_group_files (void)
+{
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ sgr_dbname ()));
+ /* continue */
+ }
+ }
+#endif
+ if (gr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ gr_dbname ()));
+ /* continue */
+ }
+}
+
/*
* open_files - lock and open the password files
*
@@ -1594,38 +1653,7 @@ static void open_files (void)
}
if (Gflg || lflg) {
- /*
- * Lock and open the group file. This will load all of the
- * group entries.
- */
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_lock () == 0)) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#endif
+ open_group_files ();
}
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
@@ -1661,6 +1689,44 @@ static void open_files (void)
#endif /* ENABLE_SUBIDS */
}
+/*
+ * open_group_files - lock and open the group files
+ *
+ * open_group_files() loads all of the group entries.
+ */
+static void open_group_files (void)
+{
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_lock () == 0)) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif
+}
+
/*
* usr_update - create the user entries
*
--
2.25.4
From 8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Mon, 30 Mar 2020 09:08:23 +0200
Subject: [PATCH 2/2] useradd: check only local groups with -G option
Check only local groups when adding new supplementary groups to a user
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
---
src/useradd.c | 234 +++++++++++++++++++++++++++++++++-----------------
1 file changed, 157 insertions(+), 77 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 645d4a40..90210233 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -211,6 +211,7 @@ static void get_defaults (void);
static void show_defaults (void);
static int set_defaults (void);
static int get_groups (char *);
+static struct group * get_local_group (char * grp_name);
static void usage (int status);
static void new_pwent (struct passwd *);
@@ -220,7 +221,10 @@ static void grp_update (void);
static void process_flags (int argc, char **argv);
static void close_files (void);
+static void close_group_files (void);
+static void unlock_group_files (void);
static void open_files (void);
+static void open_group_files (void);
static void open_shadow (void);
static void faillog_reset (uid_t);
static void lastlog_reset (uid_t);
@@ -731,6 +735,11 @@ static int get_groups (char *list)
return 0;
}
+ /*
+ * Open the group files
+ */
+ open_group_files ();
+
/*
* So long as there is some data to be converted, strip off
* each name and look it up. A mix of numerical and string
@@ -749,7 +758,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical
* GID values, otherwise the string is looked up as is.
*/
- grp = prefix_getgr_nam_gid (list);
+ grp = get_local_group (list);
/*
* There must be a match, either by GID value or by
@@ -799,6 +808,9 @@ static int get_groups (char *list)
user_groups[ngroups++] = xstrdup (grp->gr_name);
} while (NULL != list);
+ close_group_files ();
+ unlock_group_files ();
+
user_groups[ngroups] = (char *) 0;
/*
@@ -811,6 +823,44 @@ static int get_groups (char *list)
return 0;
}
+/*
+ * get_local_group - checks if a given group name exists locally
+ *
+ * get_local_group() checks if a given group name exists locally.
+ * If the name exists the group information is returned, otherwise NULL is
+ * returned.
+ */
+static struct group * get_local_group(char * grp_name)
+{
+ const struct group *grp;
+ struct group *result_grp = NULL;
+ long long int gid;
+ char *endptr;
+
+ gid = strtoll (grp_name, &endptr, 10);
+ if ( ('\0' != *grp_name)
+ && ('\0' == *endptr)
+ && (ERANGE != errno)
+ && (gid == (gid_t)gid)) {
+ grp = gr_locate_gid ((gid_t) gid);
+ }
+ else {
+ grp = gr_locate(grp_name);
+ }
+
+ if (grp != NULL) {
+ result_grp = __gr_dup (grp);
+ if (NULL == result_grp) {
+ fprintf (stderr,
+ _("%s: Out of memory. Cannot find group '%s'.\n"),
+ Prog, grp_name);
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+
+ return result_grp;
+}
+
/*
* usage - display usage message and exit
*/
@@ -1530,23 +1580,9 @@ static void close_files (void)
SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
fail_exit (E_PW_UPDATE);
}
- if (do_grp_update) {
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_close () == 0)) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#endif
- }
+
+ close_group_files ();
+
#ifdef ENABLE_SUBIDS
if (is_sub_uid && (sub_uid_close () == 0)) {
fprintf (stderr,
@@ -1587,34 +1623,9 @@ static void close_files (void)
/* continue */
}
pw_locked = false;
- if (gr_unlock () == 0) {
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "unlocking-group-file",
- user_name, AUDIT_NO_ID,
- SHADOW_AUDIT_FAILURE);
-#endif
- /* continue */
- }
- gr_locked = false;
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "unlocking-gshadow-file",
- user_name, AUDIT_NO_ID,
- SHADOW_AUDIT_FAILURE);
-#endif
- /* continue */
- }
- sgr_locked = false;
- }
-#endif
+
+ unlock_group_files ();
+
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_unlock () == 0) {
@@ -1647,6 +1658,71 @@ static void close_files (void)
#endif /* ENABLE_SUBIDS */
}
+/*
+ * close_group_files - close all of the files that were opened
+ *
+ * close_group_files() closes all of the files that were opened related
+ * with groups. This causes any modified entries to be written out.
+ */
+static void close_group_files (void)
+{
+ if (do_grp_update) {
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_close () == 0)) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif /* SHADOWGRP */
+ }
+}
+
+/*
+ * unlock_group_files - unlock all of the files that were locked
+ *
+ * unlock_group_files() unlocks all of the files that were locked related
+ * with groups. This causes any modified entries to be written out.
+ */
+static void unlock_group_files (void)
+{
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "unlocking-group-file",
+ user_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_FAILURE);
+#endif /* WITH_AUDIT */
+ /* continue */
+ }
+ gr_locked = false;
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "unlocking-gshadow-file",
+ user_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_FAILURE);
+#endif /* WITH_AUDIT */
+ /* continue */
+ }
+ sgr_locked = false;
+ }
+#endif /* SHADOWGRP */
+}
+
/*
* open_files - lock and open the password files
*
@@ -1668,37 +1744,8 @@ static void open_files (void)
/* shadow file will be opened by open_shadow(); */
- /*
- * Lock and open the group file.
- */
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (sgr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
+ open_group_files ();
+
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
@@ -1733,6 +1780,39 @@ static void open_files (void)
#endif /* ENABLE_SUBIDS */
}
+static void open_group_files (void)
+{
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (sgr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif /* SHADOWGRP */
+}
+
static void open_shadow (void)
{
if (!is_shadow_pwd) {
--
2.25.4

44
SOURCES/shadow-4.6-chgrp-guard.patch
View File

@ -1,44 +0,0 @@
diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
--- shadow-4.6/man/usermod.8.xml.chgrp-guard 2018-11-06 09:08:54.170095358 +0100
+++ shadow-4.6/man/usermod.8.xml 2018-12-18 15:24:12.283181180 +0100
@@ -195,6 +195,12 @@
The group ownership of files outside of the user's home directory
must be fixed manually.
</para>
+ <para>
+ The change of the group ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -372,6 +378,12 @@
must be fixed manually.
</para>
<para>
+ The change of the user ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
+ <para>
No checks will be performed with regard to the
<option>UID_MIN</option>, <option>UID_MAX</option>,
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.chgrp-guard 2018-12-18 15:24:12.286181249 +0100
+++ shadow-4.6/src/usermod.c 2018-12-18 15:26:51.227841435 +0100
@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
}
if (!mflg && (uflg || gflg)) {
- if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
+ struct stat sb;
+
+ if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
/*
* Change the UID on all of the files owned by
* `user_id' to `user_newid' in the user's home

223
SOURCES/shadow-4.6-coverity.patch
View File

@ -1,223 +0,0 @@
diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200
+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200
@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
char* lock = NULL;
size_t lock_file_len;
size_t file_len;
- int err;
+ int err = 0;
if (db->locked) {
return 1;
@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
file = (char*)malloc(file_len);
if(file == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
lock = (char*)malloc(lock_file_len);
if(lock == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
snprintf (file, file_len, "%s.%lu",
diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200
@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
static bool is_listed (const char *cfgin, const char *tty, bool def)
{
FILE *fp;
- char buf[200], *s;
+ char buf[1024], *s;
const char *cons;
/*
@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
if (*cons != '/') {
char *pbuf;
- strcpy (buf, cons);
+ strncpy (buf, cons, sizeof (buf));
+ buf[sizeof (buf) - 1] = '\0';
pbuf = &buf[0];
while ((s = strtok (pbuf, ":")) != NULL) {
if (strcmp (s, tty) == 0) {
diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200
@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
do {
wpid = waitpid (pid, status, 0);
} while ( ((pid_t)-1 == wpid && errno == EINTR)
- || (wpid != pid));
+ || ((pid_t)-1 != wpid && wpid != pid));
if ((pid_t)-1 == wpid) {
fprintf (stderr, "%s: waitpid (status: %d): %s\n",
diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200
+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200
@@ -314,7 +314,7 @@ static void fail_exit (int code)
static void get_defaults (void)
{
FILE *fp;
- char* default_file = USER_DEFAULTS_FILE;
+ char *default_file = USER_DEFAULTS_FILE;
char buf[1024];
char *cp;
@@ -324,6 +324,8 @@ static void get_defaults (void)
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL)
+ return;
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -334,7 +336,7 @@ static void get_defaults (void)
fp = fopen (default_file, "r");
if (NULL == fp) {
- return;
+ goto getdef_err;
}
/*
@@ -445,7 +447,7 @@ static void get_defaults (void)
}
}
(void) fclose (fp);
-
+ getdef_err:
if(prefix[0]) {
free(default_file);
}
@@ -480,8 +482,8 @@ static int set_defaults (void)
FILE *ifp;
FILE *ofp;
char buf[1024];
- char* new_file = NEW_USER_FILE;
- char* default_file = USER_DEFAULTS_FILE;
+ char *new_file = NULL;
+ char *default_file = USER_DEFAULTS_FILE;
char *cp;
int ofd;
int wlen;
@@ -492,17 +494,30 @@ static int set_defaults (void)
bool out_shell = false;
bool out_skel = false;
bool out_create_mail_spool = false;
+ size_t len;
+ int ret = -1;
- if(prefix[0]) {
- size_t len;
- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
- new_file = malloc(len);
- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
- assert (wlen == (int) len -1);
+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
+ new_file = malloc(len);
+ if (new_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ return -1;
+ }
+ wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
+ assert (wlen <= (int) len -1);
+ if(prefix[0]) {
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ goto setdef_err;
+ }
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -515,7 +530,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot create new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
ofp = fdopen (ofd, "w");
@@ -523,7 +538,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot open new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
/*
@@ -550,7 +565,7 @@ static int set_defaults (void)
_("%s: line too long in %s: %s..."),
Prog, default_file, buf);
(void) fclose (ifp);
- return -1;
+ goto setdef_err;
}
}
@@ -614,7 +629,7 @@ static int set_defaults (void)
|| (fsync (fileno (ofp)) != 0)
|| (fclose (ofp) != 0)) {
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -629,7 +644,7 @@ static int set_defaults (void)
_("%s: Cannot create backup file (%s): %s\n"),
Prog, buf, strerror (err));
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -640,11 +655,11 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: rename: %s: %s\n"),
Prog, new_file, strerror (err));
- return -1;
+ goto setdef_err;
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USYS_CONFIG, Prog,
- "changing-useradd-defaults",
+ "changing useradd defaults",
NULL, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
@@ -654,13 +669,14 @@ static int set_defaults (void)
(unsigned int) def_group, def_home, def_shell,
def_inactive, def_expire, def_template,
def_create_mail_spool));
-
+ ret = 0;
+ setdef_err:
+ free(new_file);
if(prefix[0]) {
- free(new_file);
free(default_file);
}
- return 0;
+ return ret;
}
/*

21
SOURCES/shadow-4.6-getenforce.patch
View File

@ -1,21 +0,0 @@
diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
}
return 0;
error:
- if (security_getenforce () != 0) {
+ if (security_getenforce () > 0) {
return 1;
}
return 0;
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
selinux_checked = true;
}
if (selinux_enabled) {
- if (setfscreatecon (NULL) != 0) {
+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
return 1;
}
}

244
SOURCES/shadow-4.6-getsubids.patch
View File

@ -1,244 +0,0 @@
diff -up shadow-4.6/man/getsubids.1.xml.getsubids shadow-4.6/man/getsubids.1.xml
--- shadow-4.6/man/getsubids.1.xml.getsubids 2021-12-09 10:40:50.730275761 +0100
+++ shadow-4.6/man/getsubids.1.xml 2021-12-09 10:40:50.730275761 +0100
@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright (c) 2021 Iker Pedrosa
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- SHADOW-CONFIG-HERE -->
+]>
+
+<refentry id='getsubids.1'>
+ <refentryinfo>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Creation, 2021</contrib>
+ </author>
+ </refentryinfo>
+ <refmeta>
+ <refentrytitle>getsubids</refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
+ <refmiscinfo class="source">shadow-utils</refmiscinfo>
+ <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
+ </refmeta>
+ <refnamediv id='name'>
+ <refname>getsubids</refname>
+ <refpurpose>get the subordinate id ranges for a user</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>getsubids</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'>
+ <replaceable>USER</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The <command>getsubids</command> command lists the subordinate user ID
+ ranges for a given user. The subordinate group IDs can be listed using
+ the <option>-g</option> option.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <para>
+ The options which apply to the <command>getsubids</command> command are:
+ </para>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-g</option>
+ </term>
+ <listitem>
+ <para>
+ List the subordinate group ID ranges.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ For example, to obtain the subordinate UIDs of the testuser:
+ </para>
+ <para>
+<programlisting>
+$ getsubids testuser
+0: testuser 100000 65536
+</programlisting>
+ </para>
+ <para>
+ This command output provides (in order from left to right) the list
+ index, username, UID range start, and number of UIDs in range.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ <citerefentry>
+ <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ </para>
+ </refsect1>
+</refentry>
diff -up shadow-4.6/man/Makefile.am.getsubids shadow-4.6/man/Makefile.am
--- shadow-4.6/man/Makefile.am.getsubids 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/Makefile.am 2021-12-09 10:40:50.730275761 +0100
@@ -59,6 +59,7 @@ man_MANS += $(man_nopam)
endif
man_subids = \
+ man1/getsubids.1 \
man1/newgidmap.1 \
man1/newuidmap.1 \
man5/subgid.5 \
@@ -77,6 +78,7 @@ man_XMANS = \
expiry.1.xml \
faillog.5.xml \
faillog.8.xml \
+ getsubids.1.xml \
gpasswd.1.xml \
groupadd.8.xml \
groupdel.8.xml \
diff -up shadow-4.6/src/getsubids.c.getsubids shadow-4.6/src/getsubids.c
--- shadow-4.6/src/getsubids.c.getsubids 2021-12-09 10:40:50.730275761 +0100
+++ shadow-4.6/src/getsubids.c 2021-12-09 10:40:50.730275761 +0100
@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "subid.h"
+#include "prototypes.h"
+
+const char *Prog;
+FILE *shadow_logfd = NULL;
+
+void usage(void)
+{
+ fprintf(stderr, "Usage: %s [-g] user\n", Prog);
+ fprintf(stderr, " list subuid ranges for user\n");
+ fprintf(stderr, " pass -g to list subgid ranges\n");
+ exit(EXIT_FAILURE);
+}
+
+int main(int argc, char *argv[])
+{
+ int i, count=0;
+ struct subid_range *ranges;
+ const char *owner;
+
+ Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
+ if (argc < 2)
+ usage();
+ owner = argv[1];
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
+ owner = argv[2];
+ count = get_subgid_ranges(owner, &ranges);
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
+ usage();
+ } else {
+ count = get_subuid_ranges(owner, &ranges);
+ }
+ if (!ranges) {
+ fprintf(stderr, "Error fetching ranges\n");
+ exit(1);
+ }
+ for (i = 0; i < count; i++) {
+ printf("%d: %s %lu %lu\n", i, owner,
+ ranges[i].start, ranges[i].count);
+ }
+ return 0;
+}
diff -up shadow-4.6/src/Makefile.am.getsubids shadow-4.6/src/Makefile.am
--- shadow-4.6/src/Makefile.am.getsubids 2021-12-09 10:40:50.710275627 +0100
+++ shadow-4.6/src/Makefile.am 2021-12-09 10:45:04.465985510 +0100
@@ -140,8 +140,8 @@ if WITH_TCB
endif
if ENABLE_SUBIDS
-noinst_PROGRAMS += list_subid_ranges \
- get_subid_owners \
+bin_PROGRAMS += getsubids
+noinst_PROGRAMS += get_subid_owners \
new_subid_range \
free_subid_range \
check_subid_range
@@ -156,13 +156,13 @@ MISCLIBS = \
$(LIBCRYPT) \
$(LIBTCB)
-list_subid_ranges_LDADD = \
+getsubids_LDADD = \
$(top_builddir)/lib/libshadow.la \
$(top_builddir)/libmisc/libmisc.la \
$(top_builddir)/libsubid/libsubid.la \
$(MISCLIBS) -ldl
-list_subid_ranges_CPPFLAGS = \
+getsubids_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
-I$(top_srcdir)/libsubid

104
SOURCES/shadow-4.6-goodname.patch
View File

@ -1,104 +0,0 @@
diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c
--- shadow-4.6/libmisc/chkname.c.goodname 2020-10-23 12:50:47.202529031 +0200
+++ shadow-4.6/libmisc/chkname.c 2020-10-23 12:54:54.604692559 +0200
@@ -49,25 +49,44 @@
static bool is_valid_name (const char *name)
{
/*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ * User/group names must match gnu e-regex:
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+ *
+ * as a non-POSIX, extension, allow "$" as the last char for
+ * sake of Samba 3.x "add machine script"
+ *
+ * Also do not allow fully numeric names or just "." or "..".
+ */
+ int numeric;
+
+ if ('\0' == *name ||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) ||
+ !((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.')) {
return false;
}
+ numeric = isdigit(*name);
+
while ('\0' != *++name) {
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
- ( ('0' <= *name) && ('9' >= *name) ) ||
- ('_' == *name) ||
- ('-' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
+ if (!((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.' ||
+ *name == '-' ||
+ (*name == '$' && name[1] == '\0')
)) {
return false;
}
+ numeric &= isdigit(*name);
}
- return true;
+ return !numeric;
}
bool is_valid_user_name (const char *name)
diff -up shadow-4.6/man/groupadd.8.xml.goodname shadow-4.6/man/groupadd.8.xml
--- shadow-4.6/man/groupadd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/groupadd.8.xml 2020-10-23 12:50:47.202529031 +0200
@@ -273,10 +273,14 @@
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
- Groupnames must start with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Groupnames may begin with lower and upper case letters, digits,
+ underscores, or periods. They may continue with all the aforementioned
+ characters, or dashes. Finally, they can end with a dollar sign.
+
+ Fully numeric groupnames and groupnames containing only . or .. are
+ disallowed.
+
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
</para>
<para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
diff -up shadow-4.6/man/useradd.8.xml.goodname shadow-4.6/man/useradd.8.xml
--- shadow-4.6/man/useradd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/useradd.8.xml 2020-10-23 12:50:47.202529031 +0200
@@ -650,10 +650,16 @@
</para>
<para>
- Usernames must start with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Usernames may begin with lower and upper case letters, digits,
+ underscores, or periods. They may continue with all the aforementioned
+ characters, or dashes. Finally, they can end with a dollar sign.
+
+ Fully numeric usernames and usernames containing only . or .. are
+ disallowed. It is not recommended to use usernames beginning
+ with . character as their home directories will be hidden in
+ the <command>ls</command> output.
+
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
</para>
<para>
Usernames may only be up to 32 characters long.

11
SOURCES/shadow-4.6-gpasswd-fix-password-leak.patch
View File

@ -1,11 +0,0 @@
diff -up shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak shadow-4.9/src/gpasswd.c
--- shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak 2023-07-12 09:38:32.062546006 +0200
+++ shadow-4.9/src/gpasswd.c 2023-07-12 09:42:33.194154548 +0200
@@ -857,6 +857,7 @@ static void change_passwd (struct group
strzero (cp);
cp = getpass (_("Re-enter new password: "));
if (NULL == cp) {
+ memzero (pass, sizeof pass);
exit (1);
}

13
SOURCES/shadow-4.6-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
View File

@ -1,13 +0,0 @@
diff -up shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist shadow-4.9/libmisc/prefix_flag.c
--- shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist 2021-11-19 09:21:36.997091941 +0100
+++ shadow-4.9/libmisc/prefix_flag.c 2021-11-19 09:22:19.001341010 +0100
@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
if(!passwd_db_file) {
return getpwent();
}
+ if (!fp_pwent) {
+ return NULL;
+ }
return fgetpwent(fp_pwent);
}
extern void prefix_endpwent()

201
SOURCES/shadow-4.6-home_mode-directive.patch
View File

@ -1,201 +0,0 @@
From a847899b521b0df0665e442845bcff23407d9ea0 Mon Sep 17 00:00:00 2001
From: Duncan Overbruck <mail@duncano.de>
Date: Sat, 11 Jan 2020 22:19:37 +0100
Subject: [PATCH] add new HOME_MODE login.defs(5) option
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.
There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.
A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
---
etc/login.defs | 7 ++++++-
lib/getdef.c | 1 +
man/login.defs.5.xml | 4 ++++
man/login.defs.d/UMASK.xml | 3 ++-
src/newusers.c | 6 +++---
src/useradd.c | 5 +++--
6 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/etc/login.defs b/etc/login.defs
index cd2597dc..a2f8cd50 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -195,12 +195,17 @@ KILLCHAR 025
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
+# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+HOME_MODE 0700
+
#
# Password aging controls:
#
diff --git a/lib/getdef.c b/lib/getdef.c
index bbb273f4..00f6abfe 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
+ {"HOME_MODE", NULL},
{"HUSHLOGIN_FILE", NULL},
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
index ebf60ba3..9e95da20 100644
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@@ -50,6 +50,7 @@
<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
@@ -185,6 +186,7 @@
&FAKE_SHELL;
&FTMP_FILE;
&GID_MAX; <!-- documents also GID_MIN -->
+ &HOME_MODE;
&HUSHLOGIN_FILE;
&ISSUE_FILE;
&KILLCHAR;
@@ -401,6 +403,7 @@
ENCRYPT_METHOD
GID_MAX GID_MIN
MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+ HOME_MODE
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
@@ -481,6 +484,7 @@
<para>
CREATE_HOME
GID_MAX GID_MIN
+ HOME_MODE
MAIL_DIR MAX_MEMBERS_PER_GROUP
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
new file mode 100644
index 00000000..21aa55f7
--- /dev/null
+++ b/man/login.defs.d/HOME_MODE.xml
@@ -0,0 +1,43 @@
+<!--
+ Copyright (c) 1991 - 1993, Julianne Frances Haugh
+ Copyright (c) 1991 - 1993, Chip Rosenthal
+ Copyright (c) 2007 - 2009, Nicolas François
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+ <term><option>HOME_MODE</option> (number)</term>
+ <listitem>
+ <para>
+ The mode for new home directories. If not specified,
+ the <option>UMASK</option> is used to create the mode.
+ </para>
+ <para>
+ <command>useradd</command> and <command>newusers</command> use this
+ to set the mode of the home directory they create.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/UMASK.xml b/man/login.defs.d/UMASK.xml
index d7b71a5e..0f061dbb 100644
--- a/man/login.defs.d/UMASK.xml
+++ b/man/login.defs.d/UMASK.xml
@@ -37,7 +37,8 @@
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
- mask to set the mode of the home directory they create
+ mask to set the mode of the home directory they create if
+ <option>HOME_MODE</option> is not set.
</para>
<para condition="no_pam">
It is also used by <command>login</command> to define users' initial
diff --git a/src/newusers.c b/src/newusers.c
index 99c69f78..e9fe0e27 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
if ( ('\0' != fields[5][0])
&& (access (newpw.pw_dir, F_OK) != 0)) {
/* FIXME: should check for directory */
- mode_t msk = 0777 & ~getdef_num ("UMASK",
- GETDEF_DEFAULT_UMASK);
- if (mkdir (newpw.pw_dir, msk) != 0) {
+ mode_t mode = getdef_num ("HOME_MODE",
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ if (mkdir (newpw.pw_dir, mode) != 0) {
fprintf (stderr,
_("%s: line %d: mkdir %s failed: %s\n"),
Prog, line, newpw.pw_dir,
diff --git a/src/useradd.c b/src/useradd.c
index 4af0f7c6..8b453e3c 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2152,8 +2152,9 @@ static void create_home (void)
fail_exit (E_HOMEDIR);
}
(void) chown (prefix_user_home, user_id, user_gid);
- chmod (prefix_user_home,
- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ mode_t mode = getdef_num ("HOME_MODE",
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ chmod (prefix_user_home, mode);
home_added = true;
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_MGMT, Prog,
--
2.25.2

11
SOURCES/shadow-4.6-ignore-login-prompt.patch
View File

@ -1,11 +0,0 @@
diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
{"MAIL_DIR", NULL},

28
SOURCES/shadow-4.6-install_subid_h.patch
View File

@ -1,28 +0,0 @@
From 77e39de1e6cbd6925f16bb260abb7d216296886b Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Tue, 4 May 2021 09:21:11 -0500
Subject: [PATCH] Install subid.h
Now subid.h gets installed under /usr/include/shadow/subid.h
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index f543b5eb..189165b0 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -3,6 +3,8 @@ libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
libsubid_la_SOURCES = api.c
+pkginclude_HEADERS = subid.h
+
MISCLIBS = \
$(LIBAUDIT) \
$(LIBSELINUX) \
--
2.31.1

1306
SOURCES/shadow-4.6-libsubid_creation.patch
View File

File diff suppressed because it is too large Load Diff

151
SOURCES/shadow-4.6-libsubid_fix_newusers_nss_provides_subids.patch
View File

@ -1,151 +0,0 @@
diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.772741048 +0200
+++ shadow-4.8.1/lib/nss.c 2021-05-25 09:37:14.782741188 +0200
@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
subid_nss = NULL;
goto done;
}
- subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
- if (!subid_nss->has_any_range) {
- fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
- dlclose(h);
- free(subid_nss);
- subid_nss = NULL;
- goto done;
- }
subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
if (!subid_nss->find_subid_owners) {
fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/prototypes.h 2021-05-25 09:37:14.782741188 +0200
@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
struct subid_nss_ops {
/*
- * nss_has_any_range: does a user own any subid range
- *
- * @owner: username
- * @idtype: subuid or subgid
- * @result: true if a subid allocation was found for @owner
- *
- * returns success if the module was able to determine an answer (true or false),
- * else an error status.
- */
- enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
-
- /*
* nss_has_range: does a user own a given subid range
*
* @owner: username
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-25 09:37:14.782741188 +0200
@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
return commonio_open (&subordinate_uid_db, mode);
}
-bool sub_uid_assigned(const char *owner)
+bool local_sub_uid_assigned(const char *owner)
{
- struct subid_nss_ops *h;
- bool found;
- enum subid_status status;
- h = get_subid_nss_handle();
- if (h) {
- status = h->has_any_range(owner, ID_TYPE_UID, &found);
- if (status == SUBID_STATUS_SUCCESS && found)
- return true;
- return false;
- }
-
return range_exists (&subordinate_uid_db, owner);
}
@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
return have_range(&subordinate_gid_db, owner, start, count);
}
-bool sub_gid_assigned(const char *owner)
+bool local_sub_gid_assigned(const char *owner)
{
- struct subid_nss_ops *h;
- bool found;
- enum subid_status status;
- h = get_subid_nss_handle();
- if (h) {
- status = h->has_any_range(owner, ID_TYPE_GID, &found);
- if (status == SUBID_STATUS_SUCCESS && found)
- return true;
- return false;
- }
return range_exists (&subordinate_gid_db, owner);
}
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-25 09:37:14.782741188 +0200
@@ -16,7 +16,7 @@
extern int sub_uid_close(void);
extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
extern bool sub_uid_file_present (void);
-extern bool sub_uid_assigned(const char *owner);
+extern bool local_sub_uid_assigned(const char *owner);
extern int sub_uid_lock (void);
extern int sub_uid_setdbname (const char *filename);
extern /*@observer@*/const char *sub_uid_dbname (void);
@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
extern int sub_gid_close(void);
extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
extern bool sub_gid_file_present (void);
-extern bool sub_gid_assigned(const char *owner);
+extern bool local_sub_gid_assigned(const char *owner);
extern int sub_gid_lock (void);
extern int sub_gid_setdbname (const char *filename);
extern /*@observer@*/const char *sub_gid_dbname (void);
diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.776741104 +0200
+++ shadow-4.8.1/src/newusers.c 2021-05-25 09:37:25.955897160 +0200
@@ -1021,6 +1021,24 @@ static void close_files (void)
#endif /* ENABLE_SUBIDS */
}
+static bool want_subuids(void)
+{
+ if (get_subid_nss_handle() != NULL)
+ return false;
+ if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
+ return false;
+ return true;
+}
+
+static bool want_subgids(void)
+{
+ if (get_subid_nss_handle() != NULL)
+ return false;
+ if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
+ return false;
+ return true;
+}
+
int main (int argc, char **argv)
{
char buf[BUFSIZ];
@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
/*
* Add subordinate uids if the user does not have them.
*/
- if (is_sub_uid && !sub_uid_assigned(fields[0])) {
+ if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
uid_t sub_uid_start = 0;
unsigned long sub_uid_count = 0;
if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
/*
* Add subordinate gids if the user does not have them.
*/
- if (is_sub_gid && !sub_gid_assigned(fields[0])) {
+ if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
gid_t sub_gid_start = 0;
unsigned long sub_gid_count = 0;
if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {

40
SOURCES/shadow-4.6-libsubid_init_not_print_error_messages.patch
View File

@ -1,40 +0,0 @@
From b0e86b959fe5c086ffb5e7eaf3c1b1e9219411e9 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sun, 23 May 2021 08:03:10 -0500
Subject: [PATCH] libsubid_init: don't print messages on error
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/api.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index c4848142..b477b271 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -46,12 +46,10 @@ bool libsubid_init(const char *progname, FILE * logfd)
{
if (progname) {
progname = strdup(progname);
- if (progname) {
+ if (progname)
Prog = progname;
- } else {
- fprintf(stderr, "Out of memory");
+ else
return false;
- }
}
if (logfd) {
@@ -60,7 +58,6 @@ bool libsubid_init(const char *progname, FILE * logfd)
}
shadow_logfd = fopen("/dev/null", "w");
if (!shadow_logfd) {
- fprintf(stderr, "ERROR opening /dev/null for error messages. Using stderr.");
shadow_logfd = stderr;
return false;
}
--
2.30.2

37
SOURCES/shadow-4.6-libsubid_init_return_false.patch
View File

@ -1,37 +0,0 @@
From e34f49c1966fcaa9390a544a0136ec189a3c870e Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Mon, 17 May 2021 08:48:03 -0500
Subject: [PATCH] libsubid_init: return false if out of memory
The rest of the run isn't likely to get much better, is it?
Thanks to Alexey for pointing this out.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Cc: Alexey Tikhonov <atikhono@redhat.com>
---
libsubid/api.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index 8ca09859..8618e500 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -46,10 +46,12 @@ bool libsubid_init(const char *progname, FILE * logfd)
{
if (progname) {
progname = strdup(progname);
- if (progname)
+ if (progname) {
Prog = progname;
- else
+ } else {
fprintf(stderr, "Out of memory");
+ return false;
+ }
}
if (logfd) {
--
2.30.2

41
SOURCES/shadow-4.6-libsubid_make_logfd_not_extern.patch
View File

@ -1,41 +0,0 @@
From 1d767fb779d7b203ad609540d1dc605cf62d1050 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Fri, 28 May 2021 22:02:16 -0500
Subject: [PATCH] libsubid/api.c: make shadow_logfd not extern
Closes #346
Also #include stdio.h
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/api.c | 2 +-
libsubid/subid.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index b477b271..a7b904d0 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -40,7 +40,7 @@
#include "subid.h"
const char *Prog = "(libsubid)";
-extern FILE * shadow_logfd;
+FILE *shadow_logfd;
bool libsubid_init(const char *progname, FILE * logfd)
{
diff --git a/libsubid/subid.h b/libsubid/subid.h
index 5fef2572..eabafe4d 100644
--- a/libsubid/subid.h
+++ b/libsubid/subid.h
@@ -1,4 +1,5 @@
#include <sys/types.h>
+#include <stdio.h>
#include <stdbool.h>
#ifndef SUBID_RANGE_DEFINED
--
2.31.1

2382
SOURCES/shadow-4.6-libsubid_not_print_error_messages.patch
View File

File diff suppressed because it is too large Load Diff

1758
SOURCES/shadow-4.6-libsubid_nsswitch_support.patch
View File

File diff suppressed because it is too large Load Diff

264
SOURCES/shadow-4.6-libsubid_simplify_ranges_variable.patch
View File

@ -1,264 +0,0 @@
diff -up shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable shadow-4.8.1/configure.ac
--- shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.165917066 +0200
+++ shadow-4.8.1/configure.ac 2021-05-24 15:02:56.184917324 +0200
@@ -1,6 +1,6 @@
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ([2.69])
-m4_define([libsubid_abi_major], 2)
+m4_define([libsubid_abi_major], 3)
m4_define([libsubid_abi_minor], 0)
m4_define([libsubid_abi_micro], 0)
m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/prototypes.h
--- shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.184917324 +0200
+++ shadow-4.8.1/lib/prototypes.h 2021-05-24 16:38:57.610619467 +0200
@@ -309,16 +309,15 @@ struct subid_nss_ops {
*
* @owner - string representing username being queried
* @id_type - subuid or subgid
- * @ranges - pointer to an array of struct subordinate_range pointers, or
- * NULL. The returned array of struct subordinate_range and its
- * members must be freed by the caller.
+ * @ranges - pointer to an array of struct subid_range, or NULL. The
+ * returned array must be freed by the caller.
* @count - pointer to an integer into which the number of returned ranges
* is written.
* returns success if the module was able to determine an answer,
* else an error status.
*/
- enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
+ enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
/*
* nss_find_subid_owners: find uids who own a given subuid or subgid.
diff -up shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/api.c
--- shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
+++ shadow-4.8.1/libsubid/api.c 2021-05-24 16:42:32.091584531 +0200
@@ -68,26 +68,21 @@ bool libsubid_init(const char *progname,
}
static
-int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
+int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
{
return list_owner_ranges(owner, id_type, ranges);
}
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)
+int get_subuid_ranges(const char *owner, struct subid_range **ranges)
{
return get_subid_ranges(owner, ID_TYPE_UID, ranges);
}
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)
+int get_subgid_ranges(const char *owner, struct subid_range **ranges)
{
return get_subid_ranges(owner, ID_TYPE_GID, ranges);
}
-void subid_free_ranges(struct subordinate_range **ranges, int count)
-{
- return free_subordinate_ranges(ranges, count);
-}
-
static
int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
{
diff -up shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/subid.h
--- shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
+++ shadow-4.8.1/libsubid/subid.h 2021-05-24 16:43:49.697657383 +0200
@@ -3,6 +3,15 @@
#ifndef SUBID_RANGE_DEFINED
#define SUBID_RANGE_DEFINED 1
+
+/* subid_range is just a starting point and size of a range */
+struct subid_range {
+ unsigned long start;
+ unsigned long count;
+};
+
+/* subordinage_range is a subid_range plus an owner, representing
+ * a range in /etc/subuid or /etc/subgid */
struct subordinate_range {
const char *owner;
unsigned long start;
@@ -41,32 +50,27 @@ bool libsubid_init(const char *progname,
* get_subuid_ranges: return a list of UID ranges for a user
*
* @owner: username being queried
- * @ranges: a pointer to a subordinate range ** in which the result will be
- * returned.
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ * will be returned.
+ *
+ * The caller must free(ranges) when done.
*
* returns: number of ranges found, ir < 0 on error.
*/
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);
+int get_subuid_ranges(const char *owner, struct subid_range **ranges);
/*
* get_subgid_ranges: return a list of GID ranges for a user
*
* @owner: username being queried
- * @ranges: a pointer to a subordinate range ** in which the result will be
- * returned.
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ * will be returned.
*
- * returns: number of ranges found, ir < 0 on error.
- */
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);
-
-/*
- * subid_free_ranges: free an array of subordinate_ranges returned by either
- * get_subuid_ranges() or get_subgid_ranges().
+ * The caller must free(ranges) when done.
*
- * @ranges: the ranges to free
- * @count: the number of ranges in @ranges
+ * returns: number of ranges found, ir < 0 on error.
*/
-void subid_free_ranges(struct subordinate_range **ranges, int count);
+int get_subgid_ranges(const char *owner, struct subid_range **ranges);
/*
* get_subuid_owners: return a list of uids to which the given uid has been
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid-simplify shadow-4.8.1/lib/subordinateio.c
--- shadow-4.8.1/lib/subordinateio.c.libsubid-simplify 2021-05-24 17:27:38.721035241 +0200
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-24 17:28:06.481420946 +0200
@@ -11,6 +11,7 @@
#include <stdio.h>
#include "commonio.h"
#include "subordinateio.h"
+#include "../libsubid/subid.h"
#include <sys/types.h>
#include <pwd.h>
#include <ctype.h>
@@ -308,25 +309,21 @@ static bool have_range(struct commonio_d
return false;
}
-static bool append_range(struct subordinate_range ***ranges, const struct subordinate_range *new, int n)
+static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
{
- struct subordinate_range *tmp;
if (!*ranges) {
- *ranges = malloc(sizeof(struct subordinate_range *));
+ *ranges = malloc(sizeof(struct subid_range));
if (!*ranges)
return false;
} else {
- struct subordinate_range **new;
- new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));
- if (!new)
+ struct subid_range *alloced;
+ alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
+ if (!alloced)
return false;
- *ranges = new;
+ *ranges = alloced;
}
- (*ranges)[n] = NULL;
- tmp = subordinate_dup(new);
- if (!tmp)
- return false;
- (*ranges)[n] = tmp;
+ (*ranges)[n].start = new->start;
+ (*ranges)[n].count = new->count;
return true;
}
@@ -785,10 +782,10 @@ gid_t sub_gid_find_free_range(gid_t min,
*
* The caller must free the subordinate range list.
*/
-int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***in_ranges)
+int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
{
// TODO - need to handle owner being either uid or username
- struct subordinate_range **ranges = NULL;
+ struct subid_range *ranges = NULL;
const struct subordinate_range *range;
struct commonio_db *db;
enum subid_status status;
@@ -826,7 +823,7 @@ int list_owner_ranges(const char *owner,
while ((range = commonio_next(db)) != NULL) {
if (0 == strcmp(range->owner, owner)) {
if (!append_range(&ranges, range, count++)) {
- free_subordinate_ranges(ranges, count-1);
+ free(ranges);
ranges = NULL;
count = -1;
goto out;
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/subordinateio.h
--- shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-24 16:40:56.978269647 +0200
@@ -25,7 +25,7 @@ extern int sub_uid_unlock (void);
extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
-extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges);
+extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
diff -up shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable shadow-4.8.1/src/list_subid_ranges.c
--- shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
+++ shadow-4.8.1/src/list_subid_ranges.c 2021-05-24 16:45:10.884779740 +0200
@@ -17,27 +17,29 @@ void usage(void)
int main(int argc, char *argv[])
{
int i, count=0;
- struct subordinate_range **ranges;
+ struct subid_range *ranges;
+ const char *owner;
Prog = Basename (argv[0]);
shadow_logfd = stderr;
- if (argc < 2) {
+ if (argc < 2)
usage();
- }
- if (argc == 3 && strcmp(argv[1], "-g") == 0)
- count = get_subgid_ranges(argv[2], &ranges);
- else if (argc == 2 && strcmp(argv[1], "-h") == 0)
+ owner = argv[1];
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
+ owner = argv[2];
+ count = get_subgid_ranges(owner, &ranges);
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
usage();
- else
- count = get_subuid_ranges(argv[1], &ranges);
+ } else {
+ count = get_subuid_ranges(owner, &ranges);
+ }
if (!ranges) {
fprintf(stderr, "Error fetching ranges\n");
exit(1);
}
for (i = 0; i < count; i++) {
- printf("%d: %s %lu %lu\n", i, ranges[i]->owner,
- ranges[i]->start, ranges[i]->count);
+ printf("%d: %s %lu %lu\n", i, owner,
+ ranges[i].start, ranges[i].count);
}
- subid_free_ranges(ranges, count);
return 0;
}
diff -up shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c
--- shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.166917079 +0200
+++ shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c 2021-05-24 15:03:01.469989106 +0200
@@ -113,7 +113,7 @@ enum subid_status shadow_subid_list_owne
if (strcmp(owner, "conn") == 0)
return SUBID_STATUS_ERROR_CONN;
- *ranges = NULL;
+ *in_ranges = NULL;
if (strcmp(owner, "user1") != 0 && strcmp(owner, "ubuntu") != 0 &&
strcmp(owner, "group1") != 0)
return SUBID_STATUS_SUCCESS;

44
SOURCES/shadow-4.6-man-mention-nss-in-newuidmap.patch
View File

@ -1,44 +0,0 @@
From 186b1b7ac1a68d0fcc618a22da1a99232b420911 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Tue, 4 May 2021 14:39:26 -0500
Subject: [PATCH] manpages: mention NSS in new[ug]idmap manpages
Closes #328
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
man/newgidmap.1.xml | 3 ++-
man/newuidmap.1.xml | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index 71b03e56..76fc1e30 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -88,7 +88,8 @@
<title>DESCRIPTION</title>
<para>
The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed in <filename>/etc/subgid</filename>.
+ command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
+ through the configured NSS subid module).
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subgid</filename> entry.
</para>
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index a6f1f085..44eca50a 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -88,7 +88,8 @@
<title>DESCRIPTION</title>
<para>
The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed in <filename>/etc/subuid</filename>.
+ command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
+ through the configured NSS subid module).
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
--
2.30.2

166
SOURCES/shadow-4.6-man_clarify_subid_delegation.patch
View File

@ -1,166 +0,0 @@
diff -up shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newgidmap.1.xml
--- shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
+++ shadow-4.6/man/newgidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
@@ -80,10 +80,15 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
- through the configured NSS subid module).
- Note that the root user is not exempted from the requirement for a valid
+ The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
+ based on its command line arguments and the gids allowed. Subgid
+ delegation can either be managed via <filename>/etc/subgid</filename>
+ or through the configured NSS subid module. These options are mutually
+ exclusive.
+ </para>
+
+ <para>
+ Note that the root group is not exempted from the requirement for a valid
<filename>/etc/subgid</filename> entry.
</para>
diff -up shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newuidmap.1.xml
--- shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
+++ shadow-4.6/man/newuidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
@@ -80,9 +80,14 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
- through the configured NSS subid module).
+ The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
+ based on its command line arguments and the uids allowed. Subuid
+ delegation can either be managed via <filename>/etc/subuid</filename> or
+ through the configured NSS subid module. These options are mutually
+ exclusive.
+ </para>
+
+ <para>
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
diff -up shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subgid.5.xml
--- shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/subgid.5.xml 2021-11-03 09:59:55.752084920 +0100
@@ -32,6 +32,18 @@
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subgid.5'>
+ <refentryinfo>
+ <author>
+ <firstname>Eric</firstname>
+ <surname>Biederman</surname>
+ <contrib>Creation, 2013</contrib>
+ </author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
+ </refentryinfo>
<refmeta>
<refentrytitle>subgid</refentrytitle>
<manvolnum>5</manvolnum>
@@ -41,12 +53,37 @@
</refmeta>
<refnamediv id='name'>
<refname>subgid</refname>
- <refpurpose>the subordinate gid file</refpurpose>
+ <refpurpose>the configuration for subordinate group ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ Subgid authorizes a group id to map ranges of group ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate gids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of gids to
+ <filename>/etc/subgid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate gid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>groupadd</command> will only create entries in
+ <filename>/etc/subgid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
+ <para>
Each line in <filename>/etc/subgid</filename> contains
a user name and a range of subordinate group ids that user
is allowed to use.
diff -up shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subuid.5.xml
--- shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/subuid.5.xml 2021-11-03 10:00:18.888255255 +0100
@@ -32,6 +32,18 @@
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subuid.5'>
+ <refentryinfo>
+ <author>
+ <firstname>Eric</firstname>
+ <surname>Biederman</surname>
+ <contrib>Creation, 2013</contrib>
+ </author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
+ </refentryinfo>
<refmeta>
<refentrytitle>subuid</refentrytitle>
<manvolnum>5</manvolnum>
@@ -41,12 +53,37 @@
</refmeta>
<refnamediv id='name'>
<refname>subuid</refname>
- <refpurpose>the subordinate uid file</refpurpose>
+ <refpurpose>the configuration for subordinate user ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ Subuid authorizes a user id to map ranges of user ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate uids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of uids to
+ <filename>/etc/subuid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate uid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>useradd</command> will only create entries in
+ <filename>/etc/subuid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
+ <para>
Each line in <filename>/etc/subuid</filename> contains
a user name and a range of subordinate user ids that user
is allowed to use.

349
SOURCES/shadow-4.6-manfix.patch
View File

@ -1,349 +0,0 @@
diff -up shadow-4.6/man/groupmems.8.xml.manfix shadow-4.6/man/groupmems.8.xml
--- shadow-4.6/man/groupmems.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/groupmems.8.xml 2020-10-23 13:15:24.105387634 +0200
@@ -179,20 +179,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2770</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2770 groupmems
- $ chown root.groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.6/man/chage.1.xml.manfix shadow-4.6/man/chage.1.xml
--- shadow-4.6/man/chage.1.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/chage.1.xml 2020-10-23 13:15:24.105387634 +0200
@@ -102,6 +102,9 @@
Set the number of days since January 1st, 1970 when the password
was last changed. The date may also be expressed in the format
YYYY-MM-DD (or the format more commonly used in your area).
+ If the <replaceable>LAST_DAY</replaceable> is set to
+ <emphasis>0</emphasis> the user is forced to change his password
+ on the next log on.
</para>
</listitem>
</varlistentry>
@@ -119,6 +122,13 @@
system again.
</para>
<para>
+ For example the following can be used to set an account to expire
+ in 180 days:
+ </para>
+ <programlisting>
+ chage -E $(date -d +180days +%Y-%m-%d)
+ </programlisting>
+ <para>
Passing the number <emphasis remap='I'>-1</emphasis> as the
<replaceable>EXPIRE_DATE</replaceable> will remove an account
expiration date.
@@ -233,6 +243,18 @@
The <command>chage</command> program requires a shadow password file to
be available.
</para>
+ <para>
+ The chage program will report only the information from the shadow
+ password file. This implies that configuration from other sources
+ (e.g. LDAP or empty password hash field from the passwd file) that
+ affect the user's login will not be shown in the chage output.
+ </para>
+ <para>
+ The <command>chage</command> program will also not report any
+ inconsistency between the shadow and passwd files (e.g. missing x in
+ the passwd file). The <command>pwck</command> can be used to check
+ for this kind of inconsistencies.
+ </para>
<para>The <command>chage</command> command is restricted to the root
user, except for the <option>-l</option> option, which may be used by
an unprivileged user to determine when their password or account is due
diff -up shadow-4.6/man/ja/man5/login.defs.5.manfix shadow-4.6/man/ja/man5/login.defs.5
--- shadow-4.6/man/ja/man5/login.defs.5.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/ja/man5/login.defs.5 2020-10-23 13:15:24.106387639 +0200
@@ -147,10 +147,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。
.na
-.IP chfn 12
-CHFN_AUTH CHFN_RESTRICT
-.IP chsh 12
-CHFN_AUTH
.IP groupadd 12
GID_MAX GID_MIN
.IP newusers 12
diff -up shadow-4.6/man/login.defs.5.xml.manfix shadow-4.6/man/login.defs.5.xml
--- shadow-4.6/man/login.defs.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/login.defs.5.xml 2020-10-23 13:15:43.280475188 +0200
@@ -162,6 +162,27 @@
long numeric parameters is machine-dependent.
</para>
+ <para>
+ Please note that the parameters in this configuration file control the
+ behavior of the tools from the shadow-utils component. None of these
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
+ passwd command) should be configured elsewhere. The only values that
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
+ pam(8) for more information.
+ </para>
+
+ <para>
+ Please also take into account that this man page is generic and some of
+ the options may be unsupported by currently installed tools. In case of
+ doubt check <xref linkend="cross_references"/> and
+ <xref linkend="see_also"/>. For example see
+ <citerefentry><refentrytitle>login</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry> for login specific options such
+ as <emphasis>LOGIN_STRING</emphasis>.
+ </para>
+
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
@@ -252,16 +273,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>chfn</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
- CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>chgpasswd</term>
<listitem>
<para>
@@ -282,14 +293,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry condition="no_pam">
- <term>chsh</term>
- <listitem>
- <para>
- CHSH_AUTH LOGIN_STRING
- </para>
- </listitem>
- </varlistentry>
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables -->
<varlistentry>
@@ -350,34 +353,6 @@
</varlistentry>
<!-- id: no variables -->
<!-- lastlog: no variables -->
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
<!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
@@ -405,17 +380,6 @@
</listitem>
</varlistentry>
<!-- nologin: no variables -->
- <varlistentry condition="no_pam">
- <term>passwd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>pwck</term>
<listitem>
@@ -442,32 +406,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>
diff -up shadow-4.6/man/shadow.5.xml.manfix shadow-4.6/man/shadow.5.xml
--- shadow-4.6/man/shadow.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/shadow.5.xml 2020-10-23 13:15:24.106387639 +0200
@@ -129,7 +129,7 @@
<listitem>
<para>
The date of the last password change, expressed as the number
- of days since Jan 1, 1970.
+ of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
The value 0 has a special meaning, which is that the user
@@ -208,8 +208,8 @@
</para>
<para>
After expiration of the password and this expiration period is
- elapsed, no login is possible using the current user's
- password. The user should contact her administrator.
+ elapsed, no login is possible for the user.
+ The user should contact her administrator.
</para>
<para>
An empty field means that there are no enforcement of an
@@ -224,7 +224,7 @@
<listitem>
<para>
The date of expiration of the account, expressed as the number
- of days since Jan 1, 1970.
+ of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
Note that an account expiration differs from a password
diff -up shadow-4.6/man/useradd.8.xml.manfix shadow-4.6/man/useradd.8.xml
--- shadow-4.6/man/useradd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200
+++ shadow-4.6/man/useradd.8.xml 2020-10-23 13:15:24.106387639 +0200
@@ -347,6 +347,11 @@
<option>CREATE_HOME</option> is not enabled, no home
directories are created.
</para>
+ <para>
+ The directory where the user's home directory is created must
+ exist and have proper SELinux context and permissions. Otherwise
+ the user's home directory cannot be created or accessed.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
diff -up shadow-4.6/man/usermod.8.xml.manfix shadow-4.6/man/usermod.8.xml
--- shadow-4.6/man/usermod.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/usermod.8.xml 2020-10-23 13:15:24.106387639 +0200
@@ -132,7 +132,8 @@
If the <option>-m</option>
option is given, the contents of the current home directory will
be moved to the new home directory, which is created if it does
- not already exist.
+ not already exist. If the current home directory does not exist
+ the new home directory will not be created.
</para>
</listitem>
</varlistentry>
@@ -256,7 +257,8 @@
<listitem>
<para>
Move the content of the user's home directory to the new
- location.
+ location. If the current home directory does not exist
+ the new home directory will not be created.
</para>
<para>
This option is only valid in combination with the
diff -up shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml
--- shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200
@@ -42,7 +42,7 @@
<para>
The default values for <option>SUB_GID_MIN</option>,
<option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
- are respectively 100000, 600100000 and 10000.
+ are respectively 100000, 600100000 and 65536.
</para>
</listitem>
</varlistentry>
diff -up shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml
--- shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200
@@ -42,7 +42,7 @@
<para>
The default values for <option>SUB_UID_MIN</option>,
<option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
- are respectively 100000, 600100000 and 10000.
+ are respectively 100000, 600100000 and 65536.
</para>
</listitem>
</varlistentry>
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
--- shadow-4.6/man/groupadd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200
+++ shadow-4.6/man/groupadd.8.xml 2020-10-23 13:15:24.106387639 +0200
@@ -322,13 +322,13 @@
<varlistentry>
<term><replaceable>4</replaceable></term>
<listitem>
- <para>GID not unique (when <option>-o</option> not used)</para>
+ <para>GID is already used (when called without <option>-o</option>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>9</replaceable></term>
<listitem>
- <para>group name not unique</para>
+ <para>group name is already used</para>
</listitem>
</varlistentry>
<varlistentry>

15
SOURCES/shadow-4.6-move-home.patch
View File

@ -1,15 +0,0 @@
diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200
+++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200
@@ -1845,6 +1845,11 @@ static void move_home (void)
Prog, prefix_user_home, prefix_user_newhome);
fail_exit (E_HOMEDIR);
}
+ } else {
+ fprintf (stderr,
+ _("%s: The previous home directory (%s) does "
+ "not exist or is inaccessible. Move cannot be completed.\n"),
+ Prog, prefix_user_home);
}
}

128
SOURCES/shadow-4.6-orig-context.patch
View File

@ -1,128 +0,0 @@
diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200
@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s-", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s+", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
*/
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
free (oldlink);
return -1;
}
@@ -684,7 +684,7 @@ static int copy_special (const char *src
int err = 0;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
return -1;
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200
@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
/* selinux.c */
#ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
extern int reset_selinux_file_context (void);
#endif
diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200
@@ -50,7 +50,7 @@ static bool selinux_enabled;
* Callers may have to Reset SELinux to create files with default
* contexts with reset_selinux_file_context
*/
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
{
/*@null@*/security_context_t scontext = NULL;
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
if (selinux_enabled) {
/* Get the default security context for this file */
if (matchpathcon (dst_name, 0, &scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
+ /* We could not get the default, copy the original */
+ if (orig_name == NULL)
+ goto error;
+ if (getfilecon (orig_name, &scontext) < 0)
+ goto error;
}
/* Set the security context for the next created file */
- if (setfscreatecon (scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
- }
+ if (setfscreatecon (scontext) < 0)
+ goto error;
freecon (scontext);
}
return 0;
+ error:
+ if (security_getenforce () != 0) {
+ return 1;
+ }
+ return 0;
}
/*
diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200
@@ -2020,7 +2020,7 @@ static void create_home (void)
{
if (access (prefix_user_home, F_OK) != 0) {
#ifdef WITH_SELINUX
- if (set_selinux_file_context (prefix_user_home) != 0) {
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
fprintf (stderr,
_("%s: cannot set SELinux context for home directory %s\n"),
Prog, user_home);

41
SOURCES/shadow-4.6-redhat.patch
View File

@ -1,41 +0,0 @@
diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200
@@ -98,7 +98,7 @@ const char *Prog;
static gid_t def_group = 100;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no";
@@ -108,7 +108,7 @@ static const char *def_expire = "";
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
-static const char *user_pass = "!";
+static const char *user_pass = "!!";
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:",
#else /* !WITH_SELINUX */
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U",
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) {
@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
case 'M':
Mflg = true;
break;
+ case 'n':
case 'N':
Nflg = true;
break;

108
SOURCES/shadow-4.6-regular-user.patch
View File

@ -1,108 +0,0 @@
From fd4405b763d26649339069532e79bd45013c8c38 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 20 Jan 2020 13:58:07 +0100
Subject: [PATCH] Do not mistake a regular user process for a namespaced one
In case there is a regular user with a process running on a system
with uid falling into a namespaced uid range of another user.
The user with the colliding namespaced uid range will not be
allowed to be deleted without forcing the action with -f.
The user_busy() is adjusted to check whether the suspected process
is really a namespaced process in a different namespace.
---
libmisc/user_busy.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c
index b0867568..324bb946 100644
--- a/libmisc/user_busy.c
+++ b/libmisc/user_busy.c
@@ -39,6 +39,7 @@
#include <sys/types.h>
#include <dirent.h>
#include <fcntl.h>
+#include <unistd.h>
#include "defines.h"
#include "prototypes.h"
#ifdef ENABLE_SUBIDS
@@ -106,6 +107,31 @@ static int user_busy_utmp (const char *name)
#endif /* !__linux__ */
#ifdef __linux__
+#ifdef ENABLE_SUBIDS
+#define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
+static int different_namespace (const char *sname)
+{
+ /* 41: /proc/xxxxxxxxxx/task/xxxxxxxxxx/ns/user + \0 */
+ char path[41];
+ char buf[512], buf2[512];
+ ssize_t llen1, llen2;
+
+ snprintf (path, 41, "/proc/%s/ns/user", sname);
+
+ if ((llen1 = readlink (path, buf, sizeof(buf))) == -1)
+ return 0;
+
+ if ((llen2 = readlink ("/proc/self/ns/user", buf2, sizeof(buf2))) == -1)
+ return 0;
+
+ if (llen1 == llen2 && memcmp (buf, buf2, llen1) == 0)
+ return 0; /* same namespace */
+
+ return 1;
+}
+#endif /* ENABLE_SUBIDS */
+
+
static int check_status (const char *name, const char *sname, uid_t uid)
{
/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
@@ -114,7 +140,6 @@ static int check_status (const char *name, const char *sname, uid_t uid)
FILE *sfile;
snprintf (status, 40, "/proc/%s/status", sname);
- status[39] = '\0';
sfile = fopen (status, "r");
if (NULL == sfile) {
@@ -123,26 +148,29 @@ static int check_status (const char *name, const char *sname, uid_t uid)
while (fgets (line, sizeof (line), sfile) == line) {
if (strncmp (line, "Uid:\t", 5) == 0) {
unsigned long ruid, euid, suid;
+
assert (uid == (unsigned long) uid);
+ (void) fclose (sfile);
if (sscanf (line,
"Uid:\t%lu\t%lu\t%lu\n",
&ruid, &euid, &suid) == 3) {
if ( (ruid == (unsigned long) uid)
|| (euid == (unsigned long) uid)
- || (suid == (unsigned long) uid)
+ || (suid == (unsigned long) uid) ) {
+ return 1;
+ }
#ifdef ENABLE_SUBIDS
- || have_sub_uids(name, ruid, 1)
- || have_sub_uids(name, euid, 1)
- || have_sub_uids(name, suid, 1)
-#endif /* ENABLE_SUBIDS */
+ if ( different_namespace (sname)
+ && ( have_sub_uids(name, ruid, 1)
+ || have_sub_uids(name, euid, 1)
+ || have_sub_uids(name, suid, 1))
) {
- (void) fclose (sfile);
return 1;
}
+#endif /* ENABLE_SUBIDS */
} else {
/* Ignore errors. This is just a best effort. */
}
- (void) fclose (sfile);
return 0;
}
}
--
2.25.2

19
SOURCES/shadow-4.6-remove-login-string-references.patch
View File

@ -1,19 +0,0 @@
diff -up shadow-4.6/man/login.defs.5.xml.remove_login_string_references shadow-4.6/man/login.defs.5.xml
--- shadow-4.6/man/login.defs.5.xml.remove_login_string_references 2021-04-27 13:01:49.428338258 +0200
+++ shadow-4.6/man/login.defs.5.xml 2021-04-27 13:01:49.433338329 +0200
@@ -58,7 +58,6 @@
<!ENTITY LOG_OK_LOGINS SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
<!ENTITY LOG_UNKFAIL_ENAB SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
<!ENTITY LOGIN_RETRIES SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
-<!ENTITY LOGIN_STRING SYSTEM "login.defs.d/LOGIN_STRING.xml">
<!ENTITY LOGIN_TIMEOUT SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
<!ENTITY MAIL_CHECK_ENAB SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
<!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
@@ -214,7 +213,6 @@
&LOG_OK_LOGINS;
&LOG_UNKFAIL_ENAB;
&LOGIN_RETRIES;
- &LOGIN_STRING;
&LOGIN_TIMEOUT;
&MAIL_CHECK_ENAB;
&MAIL_DIR;

24
SOURCES/shadow-4.6-respect_enable_static_no.patch
View File

@ -1,24 +0,0 @@
diff -up shadow-4.6/configure.ac.respect_enable_static_no shadow-4.6/configure.ac
--- shadow-4.6/configure.ac.respect_enable_static_no 2021-11-03 12:09:39.852829632 +0100
+++ shadow-4.6/configure.ac 2021-11-03 12:10:32.447203434 +0100
@@ -311,6 +311,8 @@ if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
if test "$with_nscd" = "yes"; then
AC_CHECK_FUNC(posix_spawn,
[AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
diff -up shadow-4.6/libsubid/Makefile.am.respect_enable_static_no shadow-4.6/libsubid/Makefile.am
--- shadow-4.6/libsubid/Makefile.am.respect_enable_static_no 2021-11-03 12:09:39.851829625 +0100
+++ shadow-4.6/libsubid/Makefile.am 2021-11-03 12:09:39.852829632 +0100
@@ -1,6 +1,8 @@
lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
libsubid_la_SOURCES = api.c
pkginclude_HEADERS = subid.h

15
SOURCES/shadow-4.6-salt-remove-rounds.patch
View File

@ -1,15 +0,0 @@
diff --git a/libmisc/salt.c b/libmisc/salt.c
index c72447ea..4940d76e 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -248,6 +248,10 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
result[0] = '\0';
}
+ if (strstr(result, "rounds=") != NULL) {
+ result[3] = '\0';
+ }
+
/*
* Concatenate a pseudo random salt.
*/

284
SOURCES/shadow-4.6-selinux-perms.patch
View File

@ -1,284 +0,0 @@
diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
--- shadow-4.8/src/chgpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
+++ shadow-4.8/src/chgpasswd.c 2020-01-13 10:21:44.558107260 +0100
@@ -39,6 +39,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
@@ -80,6 +87,9 @@ static bool sgr_locked = false;
#endif
static bool gr_locked = false;
+/* The name of the caller */
+static char *myname = NULL;
+
/* local function prototypes */
static void fail_exit (int code);
static /*@noreturn@*/void usage (int status);
@@ -334,6 +344,63 @@ static void check_perms (void)
#endif /* ACCT_TOOLS_SETUID */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the group databases
*/
@@ -427,6 +494,7 @@ int main (int argc, char **argv)
const struct group *gr;
struct group newgr;
+ struct passwd *pw = NULL;
int errors = 0;
int line = 0;
@@ -436,12 +504,37 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
process_root_flag ("-R", argc, argv);
process_flags (argc, argv);
OPENLOG ("chgpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
+ /*
+ * Determine the name of the user that invoked this command. This
+ * is really hit or miss because there are so many ways that command
+ * can be executed and so many ways to trip up the routines that
+ * report the user name.
+ */
+ pw = get_my_pwent ();
+ if (NULL == pw) {
+ fprintf (stderr, _("%s: Cannot determine your user name.\n"),
+ Prog);
+ SYSLOG ((LOG_WARN,
+ "Cannot determine the user name of the caller (UID %lu)",
+ (unsigned long) getuid ()));
+ exit (E_NOPERM);
+ }
+ myname = xstrdup (pw->pw_name);
+
check_perms ();
#ifdef SHADOWGRP
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
newgr.gr_passwd = cp;
}
+#ifdef WITH_AUDIT
+ {
+
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+ "change-password",
+ myname, AUDIT_NO_ID, gr->gr_name,
+ SHADOW_AUDIT_SUCCESS);
+ }
+#endif
/*
* The updated group file entry is then put back and will
* be written to the group file later, after all the
diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
--- shadow-4.8/src/chpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
+++ shadow-4.8/src/chpasswd.c 2020-01-13 10:21:44.558107260 +0100
@@ -39,6 +39,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
@@ -332,6 +339,63 @@ static void check_perms (void)
#endif /* USE_PAM */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the password databases
*/
@@ -428,6 +492,10 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
process_root_flag ("-R", argc, argv);
process_flags (argc, argv);
@@ -440,6 +508,10 @@ int main (int argc, char **argv)
OPENLOG ("chpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
check_perms ();
#ifdef USE_PAM
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
newpw.pw_passwd = cp;
}
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "updating-password",
+ pw->pw_name, (unsigned int) pw->pw_uid, 1);
+#endif
/*
* The updated password file entry is then put back and will
* be written to the password file later, after all the
Index: shadow-4.5/src/Makefile.am
===================================================================
--- shadow-4.5.orig/src/Makefile.am
+++ shadow-4.5/src/Makefile.am
@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

115
SOURCES/shadow-4.6-selinux.patch
View File

@ -1,115 +0,0 @@
diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200
@@ -2120,6 +2120,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory already exists.\n"
- "Not copying any file from skel directory into it.\n"),
- Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
}
#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
"adding SELinux user mapping",
user_name, (unsigned int) user_id, 0);
#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ rv = E_SE_UPDATE;
+ }
}
}
-#endif /* WITH_SELINUX */
+#endif
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory already exists.\n"
+ "Not copying any file from skel directory into it.\n"),
+ Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
- return E_SUCCESS;
+ return rv;
}

214
SOURCES/shadow-4.6-skip-over-reserved-ids.patch
View File

@ -1,214 +0,0 @@
From baae5b4a06c905d9f52ed1f922a0d7d0625d11cf Mon Sep 17 00:00:00 2001
From: Martin Kletzander <nert.pinx@gmail.com>
Date: Wed, 1 Feb 2023 15:36:41 +0100
Subject: [PATCH] find_new_[gu]id(): Skip over IDs that are reserved for legacy
reasons
Some programs don't support `(uint16_t) -1` or `(uint32_t) -1` as user
or group IDs. This is because `-1` is used as an error code or as an
unspecified ID, e.g. in `chown(2)` parameters, and in the past, `gid_t`
and `uid_t` have changed width. For legacy reasons, those values have
been kept reserved in programs today (for example systemd does this; see
the documentation in the link below).
This should not be confused with catching overflow in the ID values,
since that is already caught by our ERANGE checks. This is about not
using reserved values that have been reserved for legacy reasons.
Link: <https://systemd.io/UIDS-GIDS/>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
libmisc/find_new_gid.c | 38 ++++++++++++++++++++++++++++----------
libmisc/find_new_uid.c | 38 ++++++++++++++++++++++++++++----------
2 files changed, 56 insertions(+), 20 deletions(-)
diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c
index 70ba95a2..da1d8d55 100644
--- a/libmisc/find_new_gid.c
+++ b/libmisc/find_new_gid.c
@@ -98,6 +98,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
*
* On success, return 0
* If the ID is in use, return EEXIST
+ * If the ID might clash with -1, return EINVAL
* If the ID is outside the range, return ERANGE
* In other cases, return errno from getgrgid()
*/
@@ -111,6 +112,11 @@ static int check_gid (const gid_t gid,
return ERANGE;
}
+ /* Check for compatibility with 16b and 32b gid_t error codes */
+ if (gid == UINT16_MAX || gid == UINT32_MAX) {
+ return EINVAL;
+ }
+
/*
* Check whether we already detected this GID
* using the gr_next() loop
@@ -182,10 +188,10 @@ int find_new_gid (bool sys_group,
* gr_locate_gid() found the GID in an as-yet uncommitted
* entry. We'll proceed below and auto-set a GID.
*/
- } else if (result == EEXIST || result == ERANGE) {
+ } else if (result == EEXIST || result == ERANGE || result == EINVAL) {
/*
* Continue on below. At this time, we won't
- * treat these two cases differently.
+ * treat these three cases differently.
*/
} else {
/*
@@ -296,8 +302,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -339,8 +348,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -399,8 +411,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -442,8 +457,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
diff --git a/libmisc/find_new_uid.c b/libmisc/find_new_uid.c
index 6b71dfe5..09885236 100644
--- a/libmisc/find_new_uid.c
+++ b/libmisc/find_new_uid.c
@@ -98,6 +98,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
*
* On success, return 0
* If the ID is in use, return EEXIST
+ * If the ID might clash with -1, return EINVAL
* If the ID is outside the range, return ERANGE
* In other cases, return errno from getpwuid()
*/
@@ -111,6 +112,11 @@ static int check_uid(const uid_t uid,
return ERANGE;
}
+ /* Check for compatibility with 16b and 32b uid_t error codes */
+ if (uid == UINT16_MAX || uid == UINT32_MAX) {
+ return EINVAL;
+ }
+
/*
* Check whether we already detected this UID
* using the pw_next() loop
@@ -182,10 +188,10 @@ int find_new_uid(bool sys_user,
* pw_locate_uid() found the UID in an as-yet uncommitted
* entry. We'll proceed below and auto-set an UID.
*/
- } else if (result == EEXIST || result == ERANGE) {
+ } else if (result == EEXIST || result == ERANGE || result == EINVAL) {
/*
* Continue on below. At this time, we won't
- * treat these two cases differently.
+ * treat these three cases differently.
*/
} else {
/*
@@ -296,8 +302,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -339,8 +348,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -399,8 +411,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -442,8 +457,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
--
2.40.1

641
SOURCES/shadow-4.6-sssd-flush.patch
View File

@ -1,641 +0,0 @@
From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed, 12 Sep 2018 14:22:11 +0200
Subject: [PATCH] Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
passwd: sss files
group: sss files
The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.
Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.
More details about why Fedora chose to use sss before files can be found
on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.
This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
---
configure.ac | 10 +++++++
lib/Makefile.am | 2 ++
lib/commonio.c | 2 ++
lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
lib/sssd.h | 17 +++++++++++
src/chfn.c | 2 ++
src/chgpasswd.c | 2 ++
src/chpasswd.c | 2 ++
src/chsh.c | 2 ++
src/gpasswd.c | 2 ++
src/groupadd.c | 2 ++
src/groupdel.c | 2 ++
src/groupmod.c | 2 ++
src/grpck.c | 2 ++
src/grpconv.c | 2 ++
src/grpunconv.c | 2 ++
src/newusers.c | 2 ++
src/passwd.c | 2 ++
src/pwck.c | 2 ++
src/pwconv.c | 2 ++
src/pwunconv.c | 2 ++
src/useradd.c | 2 ++
src/userdel.c | 2 ++
src/usermod.c | 2 ++
src/vipw.c | 2 ++
25 files changed, 146 insertions(+)
create mode 100644 lib/sssd.c
create mode 100644 lib/sssd.h
diff --git a/configure.ac b/configure.ac
index 41068a5d..10ad70cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
AC_ARG_WITH(nscd,
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
[with_nscd=$withval], [with_nscd=yes])
+AC_ARG_WITH(sssd,
+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
+ [with_sssd=$withval], [with_sssd=yes])
AC_ARG_WITH(group-name-max-length,
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
fi
+if test "$with_sssd" = "yes"; then
+ AC_CHECK_FUNC(posix_spawn,
+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
+fi
+
dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd"
+echo " sssd support: $with_sssd"
echo " subordinate IDs support: $enable_subids"
echo
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6db86cd6..fd634542 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
lockpw.c \
nscd.c \
nscd.h \
+ sssd.c \
+ sssd.h \
pam_defs.h \
port.c \
port.h \
diff --git a/lib/commonio.c b/lib/commonio.c
index d06b8e7d..96f2d5f7 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -45,6 +45,7 @@
#include <stdio.h>
#include <signal.h>
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include <tcb.h>
#endif /* WITH_TCB */
@@ -485,6 +486,7 @@ static void dec_lock_count (void)
if (nscd_need_reload) {
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
nscd_need_reload = false;
}
#ifdef HAVE_LCKPWDF
diff --git a/lib/sssd.c b/lib/sssd.c
new file mode 100644
index 00000000..80e49e55
--- /dev/null
+++ b/lib/sssd.c
@@ -0,0 +1,75 @@
+/* Author: Peter Vrabec <pvrabec@redhat.com> */
+
+#include <config.h>
+#ifdef USE_SSSD
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include "exitcodes.h"
+#include "defines.h"
+#include "prototypes.h"
+#include "sssd.h"
+
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
+
+int sssd_flush_cache (int dbflags)
+{
+ int status, code, rv;
+ const char *cmd = "/usr/sbin/sss_cache";
+ char *sss_cache_args = NULL;
+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
+ const char *spawnedEnv[] = {NULL};
+ int i = 0;
+
+ sss_cache_args = malloc(4);
+ if (sss_cache_args == NULL) {
+ return -1;
+ }
+
+ sss_cache_args[i++] = '-';
+ if (dbflags & SSSD_DB_PASSWD) {
+ sss_cache_args[i++] = 'U';
+ }
+ if (dbflags & SSSD_DB_GROUP) {
+ sss_cache_args[i++] = 'G';
+ }
+ sss_cache_args[i++] = '\0';
+ if (i == 2) {
+ /* Neither passwd nor group, nothing to do */
+ free(sss_cache_args);
+ return 0;
+ }
+ spawnedArgs[1] = sss_cache_args;
+
+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
+ free(sss_cache_args);
+ if (rv != 0) {
+ /* run_command writes its own more detailed message. */
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ code = WEXITSTATUS (status);
+ if (!WIFEXITED (status)) {
+ (void) fprintf (stderr,
+ _("%s: sss_cache did not terminate normally (signal %d)\n"),
+ Prog, WTERMSIG (status));
+ return -1;
+ } else if (code == E_CMD_NOTFOUND) {
+ /* sss_cache is not installed, or it is installed but uses an
+ interpreter that is missing. Probably the former. */
+ return 0;
+ } else if (code != 0) {
+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
+ Prog, code);
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ return 0;
+}
+#else /* USE_SSSD */
+extern int errno; /* warning: ANSI C forbids an empty source file */
+#endif /* USE_SSSD */
+
diff --git a/lib/sssd.h b/lib/sssd.h
new file mode 100644
index 00000000..00ff2a8a
--- /dev/null
+++ b/lib/sssd.h
@@ -0,0 +1,17 @@
+#ifndef _SSSD_H_
+#define _SSSD_H_
+
+#define SSSD_DB_PASSWD 0x001
+#define SSSD_DB_GROUP 0x002
+
+/*
+ * sssd_flush_cache - flush specified service buffer in sssd cache
+ */
+#ifdef USE_SSSD
+extern int sssd_flush_cache (int dbflags);
+#else
+#define sssd_flush_cache(service) (0)
+#endif
+
+#endif
+
diff --git a/src/chfn.c b/src/chfn.c
index 18aa3de7..0725e1c7 100644
--- a/src/chfn.c
+++ b/src/chfn.c
@@ -47,6 +47,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef USE_PAM
#include "pam_defs.h"
#endif
@@ -746,6 +747,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' information", user));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index 13203a46..e5f2eb7e 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -46,6 +46,7 @@
#endif /* ACCT_TOOLS_SETUID */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "groupio.h"
#ifdef SHADOWGRP
@@ -581,6 +582,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return (0);
}
diff --git a/src/chpasswd.c b/src/chpasswd.c
index 918b27ee..49e79cdb 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -44,6 +44,7 @@
#endif /* USE_PAM */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "getdef.h"
#include "prototypes.h"
#include "pwio.h"
@@ -624,6 +625,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return (0);
}
diff --git a/src/chsh.c b/src/chsh.c
index c89708b9..910e3dd4 100644
--- a/src/chsh.c
+++ b/src/chsh.c
@@ -46,6 +46,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -557,6 +558,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/gpasswd.c b/src/gpasswd.c
index c4a492b1..4d75af96 100644
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
exit (E_SUCCESS);
}
diff --git a/src/groupadd.c b/src/groupadd.c
index b57006c5..2dd8eec9 100644
--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -51,6 +51,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -625,6 +626,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupdel.c b/src/groupdel.c
index 70bed010..f941a84a 100644
--- a/src/groupdel.c
+++ b/src/groupdel.c
@@ -49,6 +49,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -492,6 +493,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupmod.c b/src/groupmod.c
index b293b98f..1dca5fc9 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -51,6 +51,7 @@
#include "groupio.h"
#include "pwio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/grpck.c b/src/grpck.c
index ea5d3b39..6140b10d 100644
--- a/src/grpck.c
+++ b/src/grpck.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
@@ -870,6 +871,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
/*
* Tell the user what we did and exit.
diff --git a/src/grpconv.c b/src/grpconv.c
index f95f4960..5e5eaaca 100644
--- a/src/grpconv.c
+++ b/src/grpconv.c
@@ -48,6 +48,7 @@
#include <unistd.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -273,6 +274,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/grpunconv.c b/src/grpunconv.c
index 253f06f5..e4105c26 100644
--- a/src/grpunconv.c
+++ b/src/grpunconv.c
@@ -48,6 +48,7 @@
#include <grp.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -236,6 +237,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/newusers.c b/src/newusers.c
index 8e4bef97..7c3bb1c2 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -62,6 +62,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "pwio.h"
#include "sgroupio.h"
#include "shadowio.h"
@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef USE_PAM
unsigned int i;
diff --git a/src/passwd.c b/src/passwd.c
index 3af3e651..5bea2765 100644
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -51,6 +51,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
closelog ();
diff --git a/src/pwck.c b/src/pwck.c
index 05df68ec..0ffb711e 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -48,6 +48,7 @@
#include "shadowio.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include "tcbfuncs.h"
#endif /* WITH_TCB */
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
/*
* Tell the user what we did and exit.
diff --git a/src/pwconv.c b/src/pwconv.c
index d6ee31a8..9c69fa13 100644
--- a/src/pwconv.c
+++ b/src/pwconv.c
@@ -72,6 +72,7 @@
#include "pwio.h"
#include "shadowio.h"
#include "nscd.h"
+#include "sssd.h"
/*
* exit status values
@@ -328,6 +329,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return E_SUCCESS;
}
diff --git a/src/pwunconv.c b/src/pwunconv.c
index fabf0237..e11ea494 100644
--- a/src/pwunconv.c
+++ b/src/pwunconv.c
@@ -42,6 +42,7 @@
#include <getopt.h>
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "shadowio.h"
@@ -250,6 +251,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return 0;
}
diff --git a/src/useradd.c b/src/useradd.c
index ca90f076..b0c2224d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -60,6 +60,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
/*
* tallylog_reset needs to be able to lookup
diff --git a/src/userdel.c b/src/userdel.c
index c8de1d31..0715e4fe 100644
--- a/src/userdel.c
+++ b/src/userdel.c
@@ -53,6 +53,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
}
diff --git a/src/usermod.c b/src/usermod.c
index 7355ad31..fd9a98a6 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -57,6 +57,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef WITH_SELINUX
if (Zflg) {
diff --git a/src/vipw.c b/src/vipw.c
index 6d730f65..2cfac6b4 100644
--- a/src/vipw.c
+++ b/src/vipw.c
@@ -42,6 +42,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "sgroupio.h"
@@ -556,6 +557,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return E_SUCCESS;
}

59
SOURCES/shadow-4.6-sssd-redirect-warning.patch
View File

@ -1,59 +0,0 @@
From 87257a49a1821d67870aa9760c71b6791583709c Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Fri, 2 Oct 2020 16:09:42 +0200
Subject: [PATCH] lib/sssd: redirect warning message to file
Instead of printing warning in stderr print it to file. This way the
user is not spammed with unnecessary messages when updating packages.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
---
lib/sssd.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/lib/sssd.c b/lib/sssd.c
index 80e49e55..f864ce68 100644
--- a/lib/sssd.c
+++ b/lib/sssd.c
@@ -11,7 +11,7 @@
#include "prototypes.h"
#include "sssd.h"
-#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache."
int sssd_flush_cache (int dbflags)
{
@@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags)
free(sss_cache_args);
if (rv != 0) {
/* run_command writes its own more detailed message. */
- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
return -1;
}
code = WEXITSTATUS (status);
if (!WIFEXITED (status)) {
- (void) fprintf (stderr,
- _("%s: sss_cache did not terminate normally (signal %d)\n"),
- Prog, WTERMSIG (status));
+ SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
+ Prog, WTERMSIG (status)));
return -1;
} else if (code == E_CMD_NOTFOUND) {
/* sss_cache is not installed, or it is installed but uses an
interpreter that is missing. Probably the former. */
return 0;
} else if (code != 0) {
- (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
- Prog, code);
- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
+ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
return -1;
}
--
2.26.2

34
SOURCES/shadow-4.6-sysugid-min-limit.patch
View File

@ -1,34 +0,0 @@
diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c
--- shadow-4.6/libmisc/find_new_gid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/libmisc/find_new_gid.c 2018-11-06 10:51:20.554963292 +0100
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_group, g
(unsigned long) *max_id);
return EINVAL;
}
+ /*
+ * Zero is reserved for root and the allocation algorithm does not
+ * work right with it.
+ */
+ if (*min_id == 0) {
+ *min_id = (gid_t) 1;
+ }
} else {
/* Non-system groups */
diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c
--- shadow-4.6/libmisc/find_new_uid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/libmisc/find_new_uid.c 2018-11-06 10:51:39.341399569 +0100
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_user, ui
(unsigned long) *max_id);
return EINVAL;
}
+ /*
+ * Zero is reserved for root and the allocation algorithm does not
+ * work right with it.
+ */
+ if (*min_id == 0) {
+ *min_id = (uid_t) 1;
+ }
} else {
/* Non-system users */

31
SOURCES/shadow-4.6-use-itstool.patch
View File

@ -1,31 +0,0 @@
diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
--- shadow-4.6/man/generate_translations.mak.use-itstool 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/generate_translations.mak 2018-07-31 16:42:21.623990969 +0200
@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
$(MAKE) -C .. config.xml
cp ../config.xml $@
-%.xml: ../%.xml ../po/$(LANG).po
- xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
+messages.mo: ../po/$(LANG).po
+ msgfmt ../po/$(LANG).po -o messages.mo
+
+login.defs.d:
+ ln -sf ../login.defs.d login.defs.d
+
+%.xml: ../%.xml messages.mo login.defs.d
+ if grep -q SHADOW-CONFIG-HERE $< ; then \
+ sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
+ else \
+ sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
+ fi
+ itstool -d -l $(LANG) -m messages.mo -o . $@
sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
include ../generate_mans.mak
@@ -16,4 +27,4 @@ $(man_MANS):
@echo you need to run configure with --enable-man to generate man pages
endif
-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
+CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml

190
SOURCES/shadow-4.6-use-lckpwdf.patch
View File

@ -1,190 +0,0 @@
commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu May 2 14:33:06 2019 +0200
Use the lckpwdf() again if prefix is not set
The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.
This reverts the implementation to use lckpwdf() if prefix option
is not used.
diff --git a/lib/commonio.c b/lib/commonio.c
index 26e518f2..94dda779 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
int commonio_setname (struct commonio_db *db, const char *name)
{
snprintf (db->filename, sizeof (db->filename), "%s", name);
+ db->setname = true;
return 1;
}
@@ -414,37 +415,39 @@ cleanup_ENOMEM:
int commonio_lock (struct commonio_db *db)
{
-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
-#if 0
- /*
- * only if the system libc has a real lckpwdf() - the one from
- * lockpw.c calls us and would cause infinite recursion!
- */
+ int i;
+#ifdef HAVE_LCKPWDF
/*
- * Call lckpwdf() on the first lock.
- * If it succeeds, call *_lock() only once
- * (no retries, it should always succeed).
+ * Only if the system libc has a real lckpwdf() - the one from
+ * lockpw.c calls us and would cause infinite recursion!
+ * It is also not used with the prefix option.
*/
- if (0 == lock_count) {
- if (lckpwdf () == -1) {
- if (geteuid () != 0) {
- (void) fprintf (stderr,
- "%s: Permission denied.\n",
- Prog);
+ if (!db->setname) {
+ /*
+ * Call lckpwdf() on the first lock.
+ * If it succeeds, call *_lock() only once
+ * (no retries, it should always succeed).
+ */
+ if (0 == lock_count) {
+ if (lckpwdf () == -1) {
+ if (geteuid () != 0) {
+ (void) fprintf (stderr,
+ "%s: Permission denied.\n",
+ Prog);
+ }
+ return 0; /* failure */
}
- return 0; /* failure */
}
- }
- if (commonio_lock_nowait (db, true) != 0) {
- return 1; /* success */
- }
+ if (commonio_lock_nowait (db, true) != 0) {
+ return 1; /* success */
+ }
- ulckpwdf ();
- return 0; /* failure */
-#else /* !HAVE_LCKPWDF */
- int i;
+ ulckpwdf ();
+ return 0; /* failure */
+ }
+#endif /* !HAVE_LCKPWDF */
/*
* lckpwdf() not used - do it the old way.
@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
}
}
return 0; /* failure */
-#endif /* !HAVE_LCKPWDF */
}
static void dec_lock_count (void)
diff --git a/lib/commonio.h b/lib/commonio.h
index 40e5708f..64e83073 100644
--- a/lib/commonio.h
+++ b/lib/commonio.h
@@ -143,6 +143,7 @@ struct commonio_db {
bool isopen:1;
bool locked:1;
bool readonly:1;
+ bool setname:1;
};
extern int commonio_setname (struct commonio_db *, const char *);
diff --git a/lib/groupio.c b/lib/groupio.c
index ae2302b5..bffb06e0 100644
--- a/lib/groupio.c
+++ b/lib/groupio.c
@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int gr_setdbname (const char *filename)
diff --git a/lib/pwio.c b/lib/pwio.c
index 7ee85377..127719cb 100644
--- a/lib/pwio.c
+++ b/lib/pwio.c
@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int pw_setdbname (const char *filename)
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
index 5423626a..ffbdb263 100644
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sgr_setdbname (const char *filename)
diff --git a/lib/shadowio.c b/lib/shadowio.c
index 5fa3d312..676b1f1a 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int spw_setdbname (const char *filename)
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
index a662e67e..dd779c59 100644
--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_uid_setdbname (const char *filename)
@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_gid_setdbname (const char *filename)

20
SOURCES/shadow-4.6-useradd-check-if-subid-range-exists.patch
View File

@ -1,20 +0,0 @@
diff -up shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists 2023-05-17 10:39:41.457826153 +0200
+++ shadow-4.6/src/useradd.c 2023-05-17 10:41:30.937036772 +0200
@@ -2019,14 +2019,14 @@ static void usr_update (void)
fail_exit (E_PW_UPDATE);
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid &&
+ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
(sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
- if (is_sub_gid &&
+ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
(sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),

44
SOURCES/shadow-4.6-useradd_SUB_UID_COUNT-0.patch
View File

@ -1,44 +0,0 @@
From 663824ef4ca927aa2b4319b69e0bfa68282ec719 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sat, 22 May 2021 11:42:02 -0500
Subject: [PATCH] Fix useradd with SUB_UID_COUNT=0
Closes #298
Fix useradd when SUB_UID_COUNT=0 in login.defs.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
src/useradd.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 06accb2f..9862ae55 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2386,6 +2386,8 @@ int main (int argc, char **argv)
#ifdef ENABLE_SUBIDS
uid_t uid_min;
uid_t uid_max;
+ unsigned long subuid_count;
+ unsigned long subgid_count;
#endif
/*
@@ -2427,9 +2429,11 @@ int main (int argc, char **argv)
#ifdef ENABLE_SUBIDS
uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
- is_sub_uid = sub_uid_file_present () && !rflg &&
+ subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536);
+ subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536);
+ is_sub_uid = subuid_count > 0 && sub_uid_file_present () && !rflg &&
(!user_id || (user_id <= uid_max && user_id >= uid_min));
- is_sub_gid = sub_gid_file_present () && !rflg &&
+ is_sub_gid = subgid_count > 0 && sub_gid_file_present () && !rflg &&
(!user_id || (user_id <= uid_max && user_id >= uid_min));
#endif /* ENABLE_SUBIDS */
--
2.30.2

21
SOURCES/shadow-4.6-useradd_dont_try_to_create_0_subuids.patch
View File

@ -1,21 +0,0 @@
diff -up shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids 2021-11-03 11:55:00.189562187 +0100
+++ shadow-4.6/src/useradd.c 2021-11-03 11:57:34.128658978 +0100
@@ -2350,7 +2350,7 @@ int main (int argc, char **argv)
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid) {
+ if (is_sub_uid && subuid_count != 0) {
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate user IDs\n"),
@@ -2358,7 +2358,7 @@ int main (int argc, char **argv)
fail_exit(E_SUB_UID_UPDATE);
}
}
- if (is_sub_gid) {
+ if (is_sub_gid && subgid_count != 0) {
if (find_new_sub_gids(user_name, &sub_gid_start, &sub_gid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate group IDs\n"),

322
SOURCES/shadow-4.6-usermod-allow-all-group-types.patch
View File

@ -1,322 +0,0 @@
From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 3 Aug 2021 08:57:20 +0200
Subject: [PATCH] usermod: allow all group types with -G option
The only way of removing a group from the supplementary list is to use
-G option, and list all groups that the user is a member of except for
the one that wants to be removed. The problem lies when there's a user
that contains both local and remote groups, and the group to be removed
is a local one. As we need to include the remote group with -G option
the command will fail.
This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
it would be possible to remove the remote groups from the supplementary
list.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
Resolves: https://github.com/shadow-maint/shadow/issues/338
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/usermod.c | 220 ++++++++++++++++++--------------------------------
1 file changed, 77 insertions(+), 143 deletions(-)
diff --git a/src/usermod.c b/src/usermod.c
index 03bb9b9d..a0c03afa 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
long int date);
static int get_groups (char *);
-static struct group * get_local_group (char * grp_name);
static /*@noreturn@*/void usage (int status);
static void new_pwent (struct passwd *);
static void new_spent (struct spwd *);
@@ -201,9 +200,7 @@ static void grp_update (void);
static void process_flags (int, char **);
static void close_files (void);
-static void close_group_files (void);
static void open_files (void);
-static void open_group_files (void);
static void usr_update (void);
static void move_home (void);
static void update_lastlog (void);
@@ -260,11 +257,6 @@ static int get_groups (char *list)
return 0;
}
- /*
- * Open the group files
- */
- open_group_files ();
-
/*
* So long as there is some data to be converted, strip off each
* name and look it up. A mix of numerical and string values for
@@ -284,7 +276,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical GID
* values, otherwise the string is looked up as is.
*/
- grp = get_local_group (list);
+ grp = prefix_getgr_nam_gid (list);
/*
* There must be a match, either by GID value or by
@@ -334,8 +326,6 @@ static int get_groups (char *list)
gr_free ((struct group *)grp);
} while (NULL != list);
- close_group_files ();
-
user_groups[ngroups] = (char *) 0;
/*
@@ -348,44 +338,6 @@ static int get_groups (char *list)
return 0;
}
-/*
- * get_local_group - checks if a given group name exists locally
- *
- * get_local_group() checks if a given group name exists locally.
- * If the name exists the group information is returned, otherwise NULL is
- * returned.
- */
-static struct group * get_local_group(char * grp_name)
-{
- const struct group *grp;
- struct group *result_grp = NULL;
- long long int gid;
- char *endptr;
-
- gid = strtoll (grp_name, &endptr, 10);
- if ( ('\0' != *grp_name)
- && ('\0' == *endptr)
- && (ERANGE != errno)
- && (gid == (gid_t)gid)) {
- grp = gr_locate_gid ((gid_t) gid);
- }
- else {
- grp = gr_locate(grp_name);
- }
-
- if (grp != NULL) {
- result_grp = __gr_dup (grp);
- if (NULL == result_grp) {
- fprintf (stderr,
- _("%s: Out of memory. Cannot find group '%s'.\n"),
- Prog, grp_name);
- fail_exit (E_GRP_UPDATE);
- }
- }
-
- return result_grp;
-}
-
#ifdef ENABLE_SUBIDS
struct ulong_range
{
@@ -1523,7 +1475,50 @@ static void close_files (void)
}
if (Gflg || lflg) {
- close_group_files ();
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ sgr_dbname ()));
+ /* continue */
+ }
+ }
+#endif
+ if (gr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ gr_dbname ()));
+ /* continue */
+ }
}
if (is_shadow_pwd) {
@@ -1592,60 +1587,6 @@ static void close_files (void)
#endif
}
-/*
- * close_group_files - close all of the files that were opened
- *
- * close_group_files() closes all of the files that were opened related
- * with groups. This causes any modified entries to be written out.
- */
-static void close_group_files (void)
-{
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- sgr_dbname ()));
- /* continue */
- }
- }
-#endif
- if (gr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- gr_dbname ()));
- /* continue */
- }
-}
-
/*
* open_files - lock and open the password files
*
@@ -1681,7 +1622,38 @@ static void open_files (void)
}
if (Gflg || lflg) {
- open_group_files ();
+ /*
+ * Lock and open the group file. This will load all of the
+ * group entries.
+ */
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_lock () == 0)) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif
}
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
@@ -1717,44 +1689,6 @@ static void open_files (void)
#endif /* ENABLE_SUBIDS */
}
-/*
- * open_group_files - lock and open the group files
- *
- * open_group_files() loads all of the group entries.
- */
-static void open_group_files (void)
-{
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_lock () == 0)) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#endif
-}
-
/*
* usr_update - create the user entries
*
--
2.31.1

42
SOURCES/shadow-4.6-usermod-crash.patch
View File

@ -1,42 +0,0 @@
diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200
@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
{
long long int gid;
char *endptr;
+ struct group *g;
if (NULL == grname) {
return NULL;
@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
&& (gid == (gid_t)gid)) {
return prefix_getgrgid ((gid_t) gid);
}
- return prefix_getgrnam (grname);
+ g = prefix_getgrnam (grname);
+ return g ? __gr_dup(g) : NULL;
}
else
return getgr_nam_gid(grname);
diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200
+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200
@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
prefix_user_home = xmalloc(len);
wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
assert (wlen == (int) len -1);
+ if (user_newhome) {
+ len = strlen(prefix) + strlen(user_newhome) + 2;
+ prefix_user_newhome = xmalloc(len);
+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
+ assert (wlen == (int) len -1);
+ }
- len = strlen(prefix) + strlen(user_newhome) + 2;
- prefix_user_newhome = xmalloc(len);
- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
- assert (wlen == (int) len -1);
}
else {
prefix_user_home = user_home;

11
SOURCES/shadow-4.6.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAlrncOkACgkQ6f7qBqhe
P52UGAf/eOnoIYIZ52y72iMxeNfQMTMjYTZd1YrtjlK0RQKquK7FrCOg91MvOF2B
hLVKu2OU7mzuPTMSAraAxjXLkrM0E3vFjMtu1fHBGlGTMspAfik/9Gu9qoevAKXy
BRqgN5m5HMfoGPeEjzILzaGq8bnPKIOfJ0iAYVkjjIa73Vn20uTmNgNZIRqHqwfw
5GUFHn6cjQXFcQ3ngywgwQD7/h/65w8dBbGysF551sAqzPJRbneQL9Wtklcqi1ub
55NyF0ifT67RqMh+EyxhuhXP1Hi57PTEAeqaFMFxnPlQPb+8pQ8nszWBmI+vUN8D
FmhwCtSTnmKlj0jeAqevmkijJhGPQQ==
=fk/F
-----END PGP SIGNATURE-----

108
SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
View File

@ -1,108 +0,0 @@
From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Wed, 13 Jul 2022 09:55:14 +0200
Subject: [PATCH] subordinateio: also compare the owner ID
IDs already populate /etc/subuid and /etc/subgid files so it's necessary
not only to check for the owner name but also for the owner ID of a
given range.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
index 9ca70b8b..6bc45283 100644
--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
@@ -17,6 +17,8 @@
#include <ctype.h>
#include <fcntl.h>
+#define ID_SIZE 31
+
/*
* subordinate_dup: create a duplicate range
*
@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
return start == ULONG_MAX ? (gid_t) -1 : start;
}
+static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
+{
+ struct passwd *pw;
+ struct group *gr;
+ int ret = 0;
+
+ switch (id_type) {
+ case ID_TYPE_UID:
+ pw = getpwnam(owner);
+ if (pw == NULL) {
+ return false;
+ }
+ ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
+ if (ret < 0 || ret >= ID_SIZE) {
+ return false;
+ }
+ break;
+ case ID_TYPE_GID:
+ gr = getgrnam(owner);
+ if (gr == NULL) {
+ return false;
+ }
+ ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
+ if (ret < 0 || ret >= ID_SIZE) {
+ return false;
+ }
+ break;
+ default:
+ return false;
+ }
+
+ return true;
+}
+
/*
* int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
*
@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
enum subid_status status;
int count = 0;
struct subid_nss_ops *h;
+ char id[ID_SIZE];
+ bool have_owner_id;
*in_ranges = NULL;
@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
return -1;
}
+ have_owner_id = get_owner_id(owner, id_type, id);
+
commonio_rewind(db);
while ((range = commonio_next(db)) != NULL) {
if (0 == strcmp(range->owner, owner)) {
@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
goto out;
}
}
+
+ // Let's also compare with the ID
+ if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
+ if (!append_range(&ranges, range, count++)) {
+ free(ranges);
+ ranges = NULL;
+ count = -1;
+ goto out;
+ }
+ }
}
out:
--
2.36.1

98
SOURCES/shadow-utils.login.defs
View File

@ -1,98 +0,0 @@
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
#
ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# The values must be within the 1000-999999999 range.
#
SHA_CRYPT_MAX_ROUNDS 5000

9
gating.yaml Normal file
View File

@ -0,0 +1,9 @@
# recipients: sssd-qe
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

0
SOURCES/gpl-2.0.txt → gpl-2.0.txt
View File

5
passwd.pamd Normal file
View File

@ -0,0 +1,5 @@
#%PAM-1.0
# This tool only uses the password stack.
password substack system-auth
-password optional pam_gnome_keyring.so use_authtok
password substack postlogin

441
shadow-4.13-newidmap-support-passing-pid-as-fd.patch Normal file
View File

@ -0,0 +1,441 @@
From 6974df39a708abf8bafbdfa2b7827e0f70f874cb Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Mon, 6 Feb 2023 22:49:42 -0600
Subject: [PATCH] newuidmap and newgidmap: support passing pid as fd
Closes #635
newuidmap and newgidmap currently take an integner pid as
the first argument, determining the process id on which to
act. Accept also "fd:N", where N must be an open file
descriptor to the /proc/pid directory for the process to
act upon. This way, if you
exec 10</proc/99
newuidmap fd:10 100000 0 65536
and pid 99 dies and a new process happens to take pid 99 before
newuidmap happens to do its work, then since newuidmap will use
openat() using fd 10, it won't change the mapping for the new
process.
Example:
// terminal 1:
serge@jerom ~/src/nsexec$ ./nsexec -W -s 0 -S 0 -U
about to unshare with 10000000
Press any key to exec (I am 129176)
// terminal 2:
serge@jerom ~/src/shadow$ exec 10</proc/129176
serge@jerom ~/src/shadow$ sudo chown root src/newuidmap src/newgidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newuidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newgidmap
serge@jerom ~/src/shadow$ ./src/newuidmap fd:10 0 100000 10
serge@jerom ~/src/shadow$ ./src/newgidmap fd:10 0 100000 10
// Terminal 1:
uid=0(root) gid=0(root) groups=0(root)
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
lib/get_pid.c | 51 +++++++++++++++++++++++++++++++++++++++++++++
lib/prototypes.h | 2 ++
man/newgidmap.1.xml | 11 ++++++++++
man/newuidmap.1.xml | 11 ++++++++++
src/newgidmap.c | 41 ++++++++++++++----------------------
src/newuidmap.c | 40 +++++++++++++----------------------
6 files changed, 106 insertions(+), 50 deletions(-)
diff --git a/lib/get_pid.c b/lib/get_pid.c
index 10184bf0..ab91d158 100644
--- a/lib/get_pid.c
+++ b/lib/get_pid.c
@@ -10,6 +10,9 @@
#include "prototypes.h"
#include "defines.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
int get_pid (const char *pidstr, pid_t *pid)
{
@@ -29,3 +32,51 @@ int get_pid (const char *pidstr, pid_t *pid)
return 1;
}
+/*
+ * If use passed in fd:4 as an argument, then return the
+ * value '4', the fd to use.
+ */
+int get_pidfd_from_fd(const char *pidfdstr)
+{
+ long long int val;
+ char *endptr;
+
+ errno = 0;
+ val = strtoll (pidfdstr, &endptr, 10);
+ if ( ('\0' == *pidfdstr)
+ || ('\0' != *endptr)
+ || (ERANGE == errno)
+ || (/*@+longintegral@*/val != (pid_t)val)/*@=longintegral@*/) {
+ return 0;
+ }
+
+ return (int)val;
+}
+
+int open_pidfd(const char *pidstr)
+{
+ int proc_dir_fd;
+ int written;
+ char proc_dir_name[32];
+ pid_t target;
+
+ if (get_pid(pidstr, &target) == 0)
+ return -ENOENT;
+
+ /* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
+ written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
+ target);
+ if ((written <= 0) || ((size_t)written >= sizeof(proc_dir_name))) {
+ fprintf(stderr, "snprintf of proc path failed for %u: %s\n",
+ target, strerror(errno));
+ return -EINVAL;
+ }
+
+ proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
+ if (proc_dir_fd < 0) {
+ fprintf(stderr, _("Could not open proc directory for target %u: %s\n"),
+ target, strerror(errno));
+ return -EINVAL;
+ }
+ return proc_dir_fd;
+}
diff --git a/lib/prototypes.h b/lib/prototypes.h
index 400d5b97..21df6f61 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -160,6 +160,8 @@ extern int getlong (const char *numstr, /*@out@*/long int *result);
/* get_pid.c */
extern int get_pid (const char *pidstr, pid_t *pid);
+extern int get_pidfd_from_fd(const char *pidfdstr);
+extern int open_pidfd(const char *pidstr);
/* getrange */
extern int getrange (const char *range,
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index e4ebc69e..9b7683eb 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -116,6 +116,17 @@
<para>
Note that newgidmap may be used only once for a given process.
</para>
+ <para>
+ Instead of an integer process id, the first argument may be
+ specified as <replaceable>fd:N</replaceable>, where the integer N
+ is the file descriptor number for the calling process's opened
+ file for <filename>/proc/[pid[</filename>. In this case,
+ <command>newgidmap</command> will use
+ <refentrytitle>openat</refentrytitle><manvolnum>2</manvolnum>
+ to open the <filename>gid_map</filename> file under that
+ directory, avoiding a TOCTTOU in case the process exits and
+ the pid is immediately reused.
+ </para>
</refsect1>
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index f5cb5b48..ca917a77 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -116,6 +116,17 @@
<para>
Note that newuidmap may be used only once for a given process.
</para>
+ <para>
+ Instead of an integer process id, the first argument may be
+ specified as <replaceable>fd:N</replaceable>, where the integer N
+ is the file descriptor number for the calling process's opened
+ file for <filename>/proc/[pid[</filename>. In this case,
+ <command>newuidmap</command> will use
+ <refentrytitle>openat</refentrytitle><manvolnum>2</manvolnum>
+ to open the <filename>uid_map</filename> file under that
+ directory, avoiding a TOCTTOU in case the process exits and
+ the pid is immediately reused.
+ </para>
</refsect1>
<refsect1 id='options'>
diff --git a/src/newgidmap.c b/src/newgidmap.c
index 01d0fe90..d6d29725 100644
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -69,7 +69,7 @@ static void verify_ranges(struct passwd *pw, int ranges,
static void usage(void)
{
- fprintf(stderr, _("usage: %s <pid> <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n"), Prog);
+ fprintf(stderr, _("usage: %s [<pid|fd:<pidfd>] <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n"), Prog);
exit(EXIT_FAILURE);
}
@@ -143,15 +143,12 @@ out:
*/
int main(int argc, char **argv)
{
- char proc_dir_name[32];
char *target_str;
- pid_t target;
int proc_dir_fd;
int ranges;
struct map_range *mappings;
struct stat st;
struct passwd *pw;
- int written;
bool allow_setgroups = false;
Prog = Basename (argv[0]);
@@ -168,25 +165,19 @@ int main(int argc, char **argv)
/* Find the process that needs its user namespace
* gid mapping set.
*/
- target_str = argv[1];
- if (!get_pid(target_str, &target))
- usage();
- /* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
- written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
- target);
- if ((written <= 0) || (written >= sizeof(proc_dir_name))) {
- fprintf(stderr, "%s: snprintf of proc path failed: %s\n",
- Prog, strerror(errno));
- }
-
- proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
- if (proc_dir_fd < 0) {
- fprintf(stderr, _("%s: Could not open proc directory for target %u\n"),
- Prog, target);
- return EXIT_FAILURE;
+ target_str = argv[1];
+ if (strlen(target_str) > 3 && strncmp(target_str, "fd:", 3) == 0) {
+ /* the user passed in a /proc/pid fd for the process */
+ target_str = &target_str[3];
+ proc_dir_fd = get_pidfd_from_fd(target_str);
+ if (proc_dir_fd < 0)
+ usage();
+ } else {
+ proc_dir_fd = open_pidfd(target_str);
+ if (proc_dir_fd < 0)
+ usage();
}
-
/* Who am i? */
pw = get_my_pwent ();
if (NULL == pw) {
@@ -200,8 +191,8 @@ int main(int argc, char **argv)
/* Get the effective uid and effective gid of the target process */
if (fstat(proc_dir_fd, &st) < 0) {
- fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
- Prog, target);
+ fprintf(stderr, _("%s: Could not stat directory for process\n"),
+ Prog);
return EXIT_FAILURE;
}
@@ -213,8 +204,8 @@ int main(int argc, char **argv)
(!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
(pw->pw_uid != st.st_uid) ||
(getgid() != st.st_gid)) {
- fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
- Prog, target,
+ fprintf(stderr, _( "%s: Target process is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
+ Prog,
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
return EXIT_FAILURE;
diff --git a/src/newuidmap.c b/src/newuidmap.c
index e8798409..e99655c9 100644
--- a/src/newuidmap.c
+++ b/src/newuidmap.c
@@ -64,7 +64,7 @@ static void verify_ranges(struct passwd *pw, int ranges,
static void usage(void)
{
- fprintf(stderr, _("usage: %s <pid> <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ... \n"), Prog);
+ fprintf(stderr, _("usage: %s [<pid>|fd:<pidfd>] <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ... \n"), Prog);
exit(EXIT_FAILURE);
}
@@ -73,15 +73,12 @@ static void usage(void)
*/
int main(int argc, char **argv)
{
- char proc_dir_name[32];
char *target_str;
- pid_t target;
int proc_dir_fd;
int ranges;
struct map_range *mappings;
struct stat st;
struct passwd *pw;
- int written;
Prog = Basename (argv[0]);
log_set_progname(Prog);
@@ -94,26 +91,20 @@ int main(int argc, char **argv)
if (argc < 2)
usage();
+ target_str = argv[1];
/* Find the process that needs its user namespace
* uid mapping set.
*/
- target_str = argv[1];
- if (!get_pid(target_str, &target))
- usage();
-
- /* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
- written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
- target);
- if ((written <= 0) || (written >= sizeof(proc_dir_name))) {
- fprintf(stderr, "%s: snprintf of proc path failed: %s\n",
- Prog, strerror(errno));
- }
-
- proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
- if (proc_dir_fd < 0) {
- fprintf(stderr, _("%s: Could not open proc directory for target %u\n"),
- Prog, target);
- return EXIT_FAILURE;
+ if (strlen(target_str) > 3 && strncmp(target_str, "fd:", 3) == 0) {
+ /* the user passed in a /proc/pid fd for the process */
+ target_str = &target_str[3];
+ proc_dir_fd = get_pidfd_from_fd(target_str);
+ if (proc_dir_fd < 0)
+ usage();
+ } else {
+ proc_dir_fd = open_pidfd(target_str);
+ if (proc_dir_fd < 0)
+ usage();
}
/* Who am i? */
@@ -129,8 +120,7 @@ int main(int argc, char **argv)
/* Get the effective uid and effective gid of the target process */
if (fstat(proc_dir_fd, &st) < 0) {
- fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
- Prog, target);
+ fprintf(stderr, _("%s: Could not stat directory for target process\n"), Prog);
return EXIT_FAILURE;
}
@@ -142,8 +132,8 @@ int main(int argc, char **argv)
(!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
(pw->pw_uid != st.st_uid) ||
(getgid() != st.st_gid)) {
- fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
- Prog, target,
+ fprintf(stderr, _( "%s: Target process is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
+ Prog,
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
return EXIT_FAILURE;
--
2.39.2
From 7ff33fae6f9cd79c0e012671c37a172e9a681d0b Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Fri, 24 Feb 2023 13:52:32 -0600
Subject: [PATCH] get_pidfd_from_fd: return -1 on error, not 0
Fixes: 6974df39a: newuidmap and newgidmap: support passing pid as fd
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
lib/get_pid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/get_pid.c b/lib/get_pid.c
index ab91d158..5b6d9da4 100644
--- a/lib/get_pid.c
+++ b/lib/get_pid.c
@@ -35,6 +35,7 @@ int get_pid (const char *pidstr, pid_t *pid)
/*
* If use passed in fd:4 as an argument, then return the
* value '4', the fd to use.
+ * On error, return -1.
*/
int get_pidfd_from_fd(const char *pidfdstr)
{
@@ -47,7 +48,7 @@ int get_pidfd_from_fd(const char *pidfdstr)
|| ('\0' != *endptr)
|| (ERANGE == errno)
|| (/*@+longintegral@*/val != (pid_t)val)/*@=longintegral@*/) {
- return 0;
+ return -1;
}
return (int)val;
--
2.39.2
From 05e2adf509ba0e3779dae66a276b86927a8e1e0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vin=C3=ADcius=20dos=20Santos=20Oliveira?=
<vini.ipsmaker@gmail.com>
Date: Fri, 24 Feb 2023 18:06:02 -0300
Subject: [PATCH] Validate fds created by the user
write_mapping() will do the following:
openat(proc_dir_fd, map_file, O_WRONLY);
An attacker could create a directory containing a symlink named
"uid_map" pointing to any file owned by root, and thus allow him to
overwrite any root-owned file.
---
lib/get_pid.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/lib/get_pid.c b/lib/get_pid.c
index 5b6d9da4..8e5e6014 100644
--- a/lib/get_pid.c
+++ b/lib/get_pid.c
@@ -41,6 +41,8 @@ int get_pidfd_from_fd(const char *pidfdstr)
{
long long int val;
char *endptr;
+ struct stat st;
+ dev_t proc_st_dev, proc_st_rdev;
errno = 0;
val = strtoll (pidfdstr, &endptr, 10);
@@ -51,6 +53,21 @@ int get_pidfd_from_fd(const char *pidfdstr)
return -1;
}
+ if (stat("/proc/self/uid_map", &st) < 0) {
+ return -1;
+ }
+
+ proc_st_dev = st.st_dev;
+ proc_st_rdev = st.st_rdev;
+
+ if (fstat(val, &st) < 0) {
+ return -1;
+ }
+
+ if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
+ return -1;
+ }
+
return (int)val;
}
--
2.39.2

288
shadow-4.14.0-passwd-stdin.patch Normal file
View File

@ -0,0 +1,288 @@
diff -up shadow-4.14.0/libmisc/agetpass.c.orig shadow-4.14.0/libmisc/agetpass.c
--- shadow-4.14.0/libmisc/agetpass.c.orig 2024-01-24 20:06:20.557577853 +0100
+++ shadow-4.14.0/libmisc/agetpass.c 2024-01-24 21:21:06.379445080 +0100
@@ -32,6 +32,7 @@
* SYNOPSIS
* [[gnu::malloc(erase_pass)]]
* char *agetpass(const char *prompt);
+ * char *agetpass_stdin();
*
* void erase_pass(char *pass);
*
@@ -64,6 +65,10 @@
* erased by calling erase_pass(), to avoid possibly leaking the
* password.
*
+ * agetpass_stdin()
+ * This function is the same as previous one (agetpass). Just the
+ * password is read from stdin and terminal is not required.
+ *
* erase_pass()
* This function first clears the password, by calling
* explicit_bzero(3) (or an equivalent call), and then frees the
@@ -92,8 +97,8 @@
*/
-char *
-agetpass(const char *prompt)
+static char *
+agetpass_internal(const char *prompt, int flags)
{
char *pass;
size_t len;
@@ -110,7 +115,7 @@ agetpass(const char *prompt)
if (pass == NULL)
return NULL;
- if (readpassphrase(prompt, pass, PASS_MAX + 2, RPP_REQUIRE_TTY) == NULL)
+ if (readpassphrase(prompt, pass, PASS_MAX + 2, flags) == NULL)
goto fail;
len = strlen(pass);
@@ -126,6 +131,17 @@ fail:
return NULL;
}
+char *
+agetpass(const char *prompt)
+{
+ return agetpass_internal(prompt, RPP_REQUIRE_TTY);
+}
+
+char *
+agetpass_stdin()
+{
+ return agetpass_internal(NULL, RPP_STDIN);
+}
void
erase_pass(char *pass)
diff -up shadow-4.14.0/lib/prototypes.h.orig shadow-4.14.0/lib/prototypes.h
--- shadow-4.14.0/lib/prototypes.h.orig 2024-01-24 22:06:18.786184942 +0100
+++ shadow-4.14.0/lib/prototypes.h 2024-01-24 20:19:45.299231059 +0100
@@ -47,6 +47,7 @@ extern int expire (const struct passwd *
extern void erase_pass(char *pass);
ATTR_MALLOC(erase_pass)
extern char *agetpass(const char *prompt);
+extern char *agetpass_stdin();
/* isexpired.c */
extern int isexpired (const struct passwd *, /*@null@*/const struct spwd *);
diff -up shadow-4.14.0/man/passwd.1.xml.orig shadow-4.14.0/man/passwd.1.xml
--- shadow-4.14.0/man/passwd.1.xml.orig 2024-01-24 20:33:31.438972506 +0100
+++ shadow-4.14.0/man/passwd.1.xml 2024-01-29 17:36:31.082495245 +0100
@@ -341,6 +341,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-s</option>, <option>--stdin</option>
+ </term>
+ <listitem>
+ <para>
+ This option is used to indicate that passwd should read the new password from standard
+ input, which can be a pipe.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff -up shadow-4.14.0/src/passwd.c.orig shadow-4.14.0/src/passwd.c
--- shadow-4.14.0/src/passwd.c.orig 2024-01-24 13:57:15.714549266 +0100
+++ shadow-4.14.0/src/passwd.c 2024-01-29 17:33:59.421508534 +0100
@@ -65,7 +65,8 @@ static bool
Sflg = false, /* -S - show password status */
uflg = false, /* -u - unlock the user's password */
wflg = false, /* -w - set warning days */
- xflg = false; /* -x - set maximum days */
+ xflg = false, /* -x - set maximum days */
+ sflg = false; /* -s - read passwd from stdin */
/*
* set to 1 if there are any flags which require root privileges,
@@ -156,6 +157,7 @@ usage (int status)
(void) fputs (_(" -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n"), usageout);
(void) fputs (_(" -x, --maxdays MAX_DAYS set maximum number of days before password\n"
" change to MAX_DAYS\n"), usageout);
+ (void) fputs (_(" -s, --stdin read new token from stdin\n"), usageout);
(void) fputs ("\n", usageout);
exit (status);
}
@@ -275,7 +277,7 @@ static int new_password (const struct pa
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
}
}
- if (!qflg) {
+ if (!qflg && !sflg) {
if (pass_max_len == -1) {
(void) printf (_(
"Enter the new password (minimum of %d characters)\n"
@@ -289,55 +291,67 @@ static int new_password (const struct pa
}
}
- warned = false;
- for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
- cp = agetpass (_("New password: "));
+ if (sflg) {
+ /*
+ * root is setting the passphrase from stdin
+ */
+ cp = agetpass_stdin ();
if (NULL == cp) {
- memzero (orig, sizeof orig);
- memzero (pass, sizeof pass);
return -1;
}
- if (warned && (strcmp (pass, cp) != 0)) {
- warned = false;
- }
STRFCPY (pass, cp);
erase_pass (cp);
+ } else {
+ warned = false;
+ for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
+ cp = agetpass (_("New password: "));
+ if (NULL == cp) {
+ memzero (orig, sizeof orig);
+ memzero (pass, sizeof pass);
+ return -1;
+ }
+ if (warned && (strcmp (pass, cp) != 0)) {
+ warned = false;
+ }
+ STRFCPY (pass, cp);
+ erase_pass (cp);
- if (!amroot && !obscure(orig, pass, pw)) {
- (void) puts (_("Try again."));
- continue;
- }
+ if (!amroot && !obscure(orig, pass, pw)) {
+ (void) puts (_("Try again."));
+ continue;
+ }
- /*
- * If enabled, warn about weak passwords even if you are
- * root (enter this password again to use it anyway).
- * --marekm
- */
- if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN")
- && !obscure(orig, pass, pw)) {
- (void) puts (_("\nWarning: weak password (enter it again to use it anyway)."));
- warned = true;
- continue;
+ /*
+ * If enabled, warn about weak passwords even if you are
+ * root (enter this password again to use it anyway).
+ * --marekm
+ */
+ if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN")
+ && !obscure(orig, pass, pw)) {
+ (void) puts (_("\nWarning: weak password (enter it again to use it anyway)."));
+ warned = true;
+ continue;
+ }
+ cp = agetpass (_("Re-enter new password: "));
+ if (NULL == cp) {
+ memzero (orig, sizeof orig);
+ memzero (pass, sizeof pass);
+ return -1;
+ }
+ if (strcmp (cp, pass) != 0) {
+ erase_pass (cp);
+ (void) fputs (_("They don't match; try again.\n"), stderr);
+ } else {
+ erase_pass (cp);
+ break;
+ }
}
- cp = agetpass (_("Re-enter new password: "));
- if (NULL == cp) {
- memzero (orig, sizeof orig);
+ memzero (orig, sizeof orig);
+
+ if (i == 0) {
memzero (pass, sizeof pass);
return -1;
}
- if (strcmp (cp, pass) != 0) {
- erase_pass (cp);
- (void) fputs (_("They don't match; try again.\n"), stderr);
- } else {
- erase_pass (cp);
- break;
- }
- }
- memzero (orig, sizeof orig);
-
- if (i == 0) {
- memzero (pass, sizeof pass);
- return -1;
}
/*
@@ -714,6 +728,7 @@ static void update_shadow (void)
* -u unlock the password of the named account (*)
* -w # set sp_warn to # days (*)
* -x # set sp_max to # days (*)
+ * -s read password from stdin
*
* (*) requires root permission to execute.
*
@@ -781,10 +796,11 @@ int main (int argc, char **argv)
{"unlock", no_argument, NULL, 'u'},
{"warndays", required_argument, NULL, 'w'},
{"maxdays", required_argument, NULL, 'x'},
+ {"stdin", no_argument, NULL, 's'},
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "adehi:kln:qr:R:P:Suw:x:",
+ while ((c = getopt_long (argc, argv, "adehi:kln:qr:R:P:Suw:x:s",
long_options, NULL)) != -1) {
switch (c) {
case 'a':
@@ -877,6 +893,15 @@ int main (int argc, char **argv)
xflg = true;
anyflag = true;
break;
+ case 's':
+ if (!amroot) {
+ (void) fprintf (stderr,
+ _("%s: only root can use --stdin/-s option\n"),
+ Prog);
+ usage (E_BAD_ARG);
+ }
+ sflg = true;
+ break;
default:
usage (E_BAD_ARG);
}
@@ -1068,7 +1093,16 @@ int main (int argc, char **argv)
* Don't set the real UID for PAM...
*/
if (!anyflag && use_pam) {
- do_pam_passwd (name, qflg, kflg);
+ if (sflg) {
+ cp = agetpass_stdin ();
+ if (cp == NULL) {
+ exit (E_FAILURE);
+ }
+ do_pam_passwd_non_interactive ("passwd", name, cp);
+ erase_pass (cp);
+ } else {
+ do_pam_passwd (name, qflg, kflg);
+ }
exit (E_SUCCESS);
}
#endif /* USE_PAM */
@@ -1102,4 +1136,3 @@ int main (int argc, char **argv)
return E_SUCCESS;
}
-

306
shadow-4.14.0-remove-libcrack.patch Normal file
View File

@ -0,0 +1,306 @@
From 43b4e5a6c41f5c43cad18810f9229e40e8c4a57e Mon Sep 17 00:00:00 2001
From: Alejandro Colomar <alx@kernel.org>
Date: Mon, 30 Oct 2023 12:53:37 +0100
Subject: [PATCH 1/2] Remove FascistHistory() and FascistHistoryPw() calls
These functions don't seem to exist anymore. I can't find them in
Debian, nor in a web search. They probably were functions from an
ancient implementation of cracklib that doesn't exist anymore.
$ git remote -v
origin git@github.com:cracklib/cracklib.git (fetch)
origin git@github.com:cracklib/cracklib.git (push)
$ grep -rni fascisthistory
$ git log --grep FascistHistory
$ git log -S FascistHistory
Closes: <https://codesearch.debian.net/search?q=FascistHistory&literal=1>
Cc: Mike Frysinger <vapier@gentoo.org>
Acked-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
configure.ac | 4 ----
libmisc/obscure.c | 8 --------
src/passwd.c | 33 ++-------------------------------
3 files changed, 2 insertions(+), 43 deletions(-)
diff --git a/configure.ac b/configure.ac
index 2c8cca3f..5c8c7764 100644
--- a/configure.ac
+++ b/configure.ac
@@ -526,10 +526,6 @@ if test "$with_libcrack" = "yes"; then
echo "checking cracklib flavour, don't be surprised by the results"
AC_CHECK_LIB(crack, FascistCheck,
[LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
- AC_CHECK_LIB(crack, FascistHistory,
- AC_DEFINE(HAVE_LIBCRACK_HIST, 1, [Defined if you have the ts&szs cracklib.]))
- AC_CHECK_LIB(crack, FascistHistoryPw,
- AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
fi
if test "$with_btrfs" != "no"; then
diff --git a/libmisc/obscure.c b/libmisc/obscure.c
index ccffb71d..4070d4e4 100644
--- a/libmisc/obscure.c
+++ b/libmisc/obscure.c
@@ -100,11 +100,7 @@ static /*@observer@*//*@null@*/const char *password_check (
#ifdef HAVE_LIBCRACK
char *dictpath;
-#ifdef HAVE_LIBCRACK_PW
- char *FascistCheckPw ();
-#else
char *FascistCheck ();
-#endif
#endif
if (strcmp (new, old) == 0) {
@@ -133,11 +129,7 @@ static /*@observer@*//*@null@*/const char *password_check (
dictpath = getdef_str ("CRACKLIB_DICTPATH");
if (NULL != dictpath) {
-#ifdef HAVE_LIBCRACK_PW
- msg = FascistCheckPw (new, dictpath, pwdp);
-#else
msg = FascistCheck (new, dictpath);
-#endif
}
#endif
}
diff --git a/src/passwd.c b/src/passwd.c
index 67608619..a4f49320 100644
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -114,7 +114,6 @@ static bool do_update_pwd = false;
/* local function prototypes */
NORETURN static void usage (int);
-static bool reuse (const char *, const struct passwd *);
static int new_password (const struct passwd *);
static void check_password (const struct passwd *, const struct spwd *);
@@ -163,27 +162,6 @@ usage (int status)
exit (status);
}
-static bool reuse (const char *pass, const struct passwd *pw)
-{
-#ifdef HAVE_LIBCRACK_HIST
- const char *reason;
-
-#ifdef HAVE_LIBCRACK_PW
- const char *FascistHistoryPw (const char *, const struct passwd *);
-
- reason = FascistHistory (pass, pw);
-#else /* !HAVE_LIBCRACK_PW */
- const char *FascistHistory (const char *, int);
-
- reason = FascistHistory (pass, pw->pw_uid);
-#endif /* !HAVE_LIBCRACK_PW */
- if (NULL != reason) {
- (void) printf (_("Bad password: %s. "), reason);
- return true;
- }
-#endif /* HAVE_LIBCRACK_HIST */
- return false;
-}
/*
* new_password - validate old password and replace with new (both old and
@@ -202,10 +180,6 @@ static int new_password (const struct passwd *pw)
int pass_max_len = -1;
const char *method;
-#ifdef HAVE_LIBCRACK_HIST
- int HistUpdate (const char *, const char *);
-#endif /* HAVE_LIBCRACK_HIST */
-
/*
* Authenticate the user. The user will be prompted for their own
* password.
@@ -306,7 +280,7 @@ static int new_password (const struct passwd *pw)
STRFCPY (pass, cp);
erase_pass (cp);
- if (!amroot && (!obscure (orig, pass, pw) || reuse (pass, pw))) {
+ if (!amroot && !obscure(orig, pass, pw)) {
(void) puts (_("Try again."));
continue;
}
@@ -317,7 +291,7 @@ static int new_password (const struct passwd *pw)
* --marekm
*/
if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN")
- && (!obscure (orig, pass, pw) || reuse (pass, pw))) {
+ && !obscure(orig, pass, pw)) {
(void) puts (_("\nWarning: weak password (enter it again to use it anyway)."));
warned = true;
continue;
@@ -357,9 +331,6 @@ static int new_password (const struct passwd *pw)
return -1;
}
-#ifdef HAVE_LIBCRACK_HIST
- HistUpdate (pw->pw_name, crypt_passwd);
-#endif /* HAVE_LIBCRACK_HIST */
STRFCPY (crypt_passwd, cp);
return 0;
}
--
2.43.0
From 45f34ee8c196a98397504cb7ed8576b6f1825cf9 Mon Sep 17 00:00:00 2001
From: Alejandro Colomar <alx@kernel.org>
Date: Mon, 30 Oct 2023 13:31:42 +0100
Subject: [PATCH 2/2] Remove libcrack support
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
configure.ac | 11 -----------
etc/login.defs | 5 -----
lib/getdef.c | 1 -
libmisc/obscure.c | 22 ----------------------
libsubid/Makefile.am | 1 -
src/Makefile.am | 2 +-
7 files changed, 2 insertions(+), 42 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5c8c7764..c2b0a1a5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -243,9 +243,6 @@ AC_ARG_WITH(skey,
AC_ARG_WITH(tcb,
[AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
[with_tcb=$withval], [with_tcb=maybe])
-AC_ARG_WITH(libcrack,
- [AS_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
- [with_libcrack=$withval], [with_libcrack=no])
AC_ARG_WITH(sha-crypt,
[AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
[with_sha_crypt=$withval], [with_sha_crypt=yes])
@@ -521,13 +518,6 @@ if test "$with_audit" != "no"; then
fi
fi
-AC_SUBST(LIBCRACK)
-if test "$with_libcrack" = "yes"; then
- echo "checking cracklib flavour, don't be surprised by the results"
- AC_CHECK_LIB(crack, FascistCheck,
- [LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
-fi
-
if test "$with_btrfs" != "no"; then
AC_CHECK_HEADERS([sys/statfs.h linux/magic.h linux/btrfs_tree.h], \
[btrfs_headers="yes"], [btrfs_headers="no"])
@@ -768,7 +758,6 @@ echo
echo "shadow will be compiled with the following features:"
echo
echo " auditing support: $with_audit"
-echo " CrackLib support: $with_libcrack"
echo " PAM support: $with_libpam"
if test "$with_libpam" = "yes"; then
echo " suid account management tools: $enable_acct_tools_setuid"
diff --git a/etc/login.defs b/etc/login.defs
index 114dbcd9..33622c29 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -227,11 +227,6 @@ PASS_WARN_AGE 7
#
SU_WHEEL_ONLY no
-#
-# If compiled with cracklib support, sets the path to the dictionaries
-#
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
-
#
# Min/max values for automatic uid selection in useradd(8)
#
diff --git a/lib/getdef.c b/lib/getdef.c
index 977660c2..d64e6343 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -39,7 +39,6 @@ struct itemdef {
#define PAMDEFS \
{"CHFN_AUTH", NULL}, \
{"CHSH_AUTH", NULL}, \
- {"CRACKLIB_DICTPATH", NULL}, \
{"ENV_HZ", NULL}, \
{"ENVIRON_FILE", NULL}, \
{"ENV_TZ", NULL}, \
diff --git a/libmisc/obscure.c b/libmisc/obscure.c
index 4070d4e4..2aece68b 100644
--- a/libmisc/obscure.c
+++ b/libmisc/obscure.c
@@ -12,11 +12,6 @@
#ident "$Id$"
-/*
- * This version of obscure.c contains modifications to support "cracklib"
- * by Alec Muffet (alec.muffett@uk.sun.com). You must obtain the Cracklib
- * library source code for this function to operate.
- */
#include <ctype.h>
#include <stdio.h>
@@ -97,12 +92,6 @@ static /*@observer@*//*@null@*/const char *password_check (
const char *msg = NULL;
char *oldmono, *newmono, *wrapped;
-#ifdef HAVE_LIBCRACK
- char *dictpath;
-
- char *FascistCheck ();
-#endif
-
if (strcmp (new, old) == 0) {
return _("no change");
}
@@ -121,17 +110,6 @@ static /*@observer@*//*@null@*/const char *password_check (
msg = _("too similar");
} else if (strstr (wrapped, newmono) != NULL) {
msg = _("rotated");
- } else {
-#ifdef HAVE_LIBCRACK
- /*
- * Invoke Alec Muffett's cracklib routines.
- */
-
- dictpath = getdef_str ("CRACKLIB_DICTPATH");
- if (NULL != dictpath) {
- msg = FascistCheck (new, dictpath);
- }
-#endif
}
strzero (newmono);
strzero (oldmono);
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index 5ba0ab35..b6488e77 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -8,7 +8,6 @@ MISCLIBS = \
$(LIBAUDIT) \
$(LIBSELINUX) \
$(LIBSEMANAGE) \
- $(LIBCRACK) \
$(LIBCRYPT_NOPAM) \
$(LIBSKEY) \
$(LIBMD) \
diff --git a/src/Makefile.am b/src/Makefile.am
index fcfee9d2..b6cb09ef 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -123,7 +123,7 @@ login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(L
newgrp_LDADD = $(LDADD) $(LIBAUDIT) $(LIBCRYPT) $(LIBECONF)
newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl
nologin_LDADD =
-passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBECONF) -ldl
+passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBECONF) -ldl
pwck_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
pwconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
pwunconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
--
2.43.0

380
shadow-4.15.0-account-tools-setuid.patch Normal file
View File

@ -0,0 +1,380 @@
diff -up shadow-4.15.0/src/chpasswd.c.account-tools-setuid shadow-4.15.0/src/chpasswd.c
--- shadow-4.15.0/src/chpasswd.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
+++ shadow-4.15.0/src/chpasswd.c 2024-03-11 11:21:57.561150382 +0100
@@ -443,9 +443,11 @@ int main (int argc, char **argv)
char *cp;
const char *salt;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
bool use_pam = true;
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
int errors = 0;
int line = 0;
@@ -469,19 +471,23 @@ int main (int argc, char **argv)
process_root_flag ("-R", argc, argv);
prefix = process_prefix_flag ("-P", argc, argv);
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (md5flg || eflg || cflg || prefix[0]) {
use_pam = false;
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
OPENLOG (Prog);
check_perms ();
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
is_shadow_pwd = spw_file_present ();
@@ -543,6 +549,7 @@ int main (int argc, char **argv)
}
newpwd = cp;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (use_pam) {
if (do_pam_passwd_non_interactive (Prog, name, newpwd) != 0) {
@@ -553,6 +560,7 @@ int main (int argc, char **argv)
}
} else
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
const struct spwd *sp;
struct spwd newsp;
@@ -672,9 +680,11 @@ int main (int argc, char **argv)
* password database.
*/
if (0 != errors) {
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
fprintf (stderr,
_("%s: error detected, changes ignored\n"),
@@ -683,9 +693,11 @@ int main (int argc, char **argv)
fail_exit (1);
}
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
/* Save the changes */
close_files ();
diff -up shadow-4.15.0/src/groupmems.c.account-tools-setuid shadow-4.15.0/src/groupmems.c
--- shadow-4.15.0/src/groupmems.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
+++ shadow-4.15.0/src/groupmems.c 2024-03-11 11:16:18.365408572 +0100
@@ -14,9 +14,11 @@
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include <pwd.h>
#include "alloc.h"
@@ -430,6 +432,7 @@ static void process_flags (int argc, cha
static void check_perms (void)
{
if (!list) {
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
@@ -463,7 +466,8 @@ static void check_perms (void)
fail_exit (1);
}
(void) pam_end (pamh, retval);
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
}
}
diff -up shadow-4.15.0/src/newusers.c.account-tools-setuid shadow-4.15.0/src/newusers.c
--- shadow-4.15.0/src/newusers.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
+++ shadow-4.15.0/src/newusers.c 2024-03-11 11:20:07.198909046 +0100
@@ -59,6 +59,7 @@
static const char Prog[] = "newusers";
static bool rflg = false; /* create a system account */
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
static /*@null@*//*@observer@*/char *crypt_method = NULL;
#define cflg (NULL != crypt_method)
@@ -75,6 +76,7 @@ static long bcrypt_rounds = 13;
static long yescrypt_cost = 5;
#endif /* USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
static bool is_shadow;
#ifdef SHADOWGRP
@@ -97,9 +99,11 @@ NORETURN static void fail_exit (int);
static int add_group (const char *, const char *, gid_t *, gid_t);
static int get_user_id (const char *, uid_t *);
static int add_user (const char *, uid_t, gid_t);
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
static int update_passwd (struct passwd *, const char *);
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
static int add_passwd (struct passwd *, const char *);
static void process_flags (int argc, char **argv);
static void check_flags (void);
@@ -121,6 +125,7 @@ static void usage (int status)
"Options:\n"),
Prog);
(void) fputs (_(" -b, --badname allow bad names\n"), usageout);
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
(void) fprintf (usageout,
_(" -c, --crypt-method METHOD the crypt method (one of %s)\n"),
@@ -136,9 +141,11 @@ static void usage (int status)
#endif
);
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -r, --system create system accounts\n"), usageout);
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
(void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n"
@@ -146,6 +153,7 @@ static void usage (int status)
usageout);
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
(void) fputs ("\n", usageout);
exit (status);
@@ -405,6 +413,7 @@ static int add_user (const char *name, u
return (pw_update (&pwent) == 0) ? -1 : 0;
}
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
/*
* update_passwd - update the password in the passwd entry
@@ -457,6 +466,7 @@ static int update_passwd (struct passwd
return 0;
}
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
/*
* add_passwd - add or update the encrypted password
@@ -465,10 +475,13 @@ static int add_passwd (struct passwd *pw
{
const struct spwd *sp;
struct spwd spent;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
char *cp;
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
void *crypt_arg = NULL;
if (NULL != crypt_method) {
@@ -505,13 +518,14 @@ static int add_passwd (struct passwd *pw
return update_passwd (pwd, password);
}
#endif /* USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
/*
* Do the first and easiest shadow file case. The user already
* exists in the shadow password file.
*/
sp = spw_locate (pwd->pw_name);
-#ifndef USE_PAM
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
if (NULL != sp) {
spent = *sp;
if ( (NULL != crypt_method)
@@ -547,7 +561,7 @@ static int add_passwd (struct passwd *pw
if (strcmp (pwd->pw_passwd, "x") != 0) {
return update_passwd (pwd, password);
}
-#else /* USE_PAM */
+#else /* !ACCT_TOOLS_SETUID && !USE_PAM */
/*
* If there is already a shadow entry, do not touch it.
* If there is already a passwd entry with a password, do not
@@ -558,14 +572,14 @@ static int add_passwd (struct passwd *pw
|| (strcmp (pwd->pw_passwd, "x") != 0)) {
return 0;
}
-#endif /* USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID && !USE_PAM */
/*
* Now the really hard case - I need to create an entirely new
* shadow password file entry.
*/
spent.sp_namp = pwd->pw_name;
-#ifndef USE_PAM
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) {
spent.sp_pwdp = (char *)password;
} else {
@@ -610,35 +624,41 @@ static int add_passwd (struct passwd *pw
static void process_flags (int argc, char **argv)
{
int c;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
int bad_s;
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
static struct option long_options[] = {
{"badname", no_argument, NULL, 'b'},
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
{"crypt-method", required_argument, NULL, 'c'},
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
{"help", no_argument, NULL, 'h'},
{"system", no_argument, NULL, 'r'},
{"root", required_argument, NULL, 'R'},
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
{"sha-rounds", required_argument, NULL, 's'},
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
-#ifndef USE_PAM
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
"c:bhrs:",
#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT */
"c:bhr",
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
-#else /* USE_PAM */
+#else /* !ACCT_TOOLS_SETUID && !USE_PAM */
"bhr",
#endif
long_options, NULL)) != -1) {
@@ -646,11 +666,13 @@ static void process_flags (int argc, cha
case 'b':
allow_bad_names = true;
break;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
case 'c':
crypt_method = optarg;
break;
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
case 'h':
usage (EXIT_SUCCESS);
break;
@@ -659,6 +681,7 @@ static void process_flags (int argc, cha
break;
case 'R': /* no-op, handled in process_root_flag () */
break;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
case 's':
@@ -698,6 +721,7 @@ static void process_flags (int argc, cha
break;
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
default:
usage (EXIT_FAILURE);
break;
@@ -730,6 +754,7 @@ static void process_flags (int argc, cha
*/
static void check_flags (void)
{
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
if (sflg && !cflg) {
@@ -762,6 +787,7 @@ static void check_flags (void)
}
}
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
}
/*
@@ -1052,12 +1078,14 @@ int main (int argc, char **argv)
int line = 0;
uid_t uid;
gid_t gid;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
int *lines = NULL;
char **usernames = NULL;
char **passwords = NULL;
unsigned int nusers = 0;
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
log_set_progname(Prog);
log_set_logfd(stderr);
@@ -1195,6 +1223,7 @@ int main (int argc, char **argv)
}
newpw = *pw;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
/* keep the list of user/password for later update by PAM */
nusers++;
@@ -1211,6 +1240,7 @@ int main (int argc, char **argv)
usernames[nusers-1] = strdup (fields[0]);
passwords[nusers-1] = strdup (fields[1]);
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
if (add_passwd (&newpw, fields[1]) != 0) {
fprintf (stderr,
_("%s: line %d: can't update password\n"),
@@ -1327,6 +1357,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
unsigned int i;
/* Now update the passwords using PAM */
@@ -1339,6 +1370,7 @@ int main (int argc, char **argv)
}
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
exit (EXIT_SUCCESS);
}

1515
SOURCES/shadow-4.6-audit-update.patch → shadow-4.15.0-audit-update.patch
View File

File diff suppressed because it is too large Load Diff

6
SOURCES/shadow-4.2.1-date-parsing.patch → shadow-4.15.0-date-parsing.patch
View File

@ -1,7 +1,7 @@
Index: shadow-4.5/libmisc/getdate.y
Index: shadow-4.5/lib/getdate.y
===================================================================
--- shadow-4.5.orig/libmisc/getdate.y
+++ shadow-4.5/libmisc/getdate.y
--- shadow-4.5.orig/lib/getdate.y
+++ shadow-4.5/lib/getdate.y
@@ -152,6 +152,7 @@ static int yyHaveDay;
static int yyHaveRel;
static int yyHaveTime;

137
shadow-4.15.0-getdef-spurious-error.patch Normal file
View File

@ -0,0 +1,137 @@
From ead55e9ba8958504e23e29545f90c4dd925c7462 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Wed, 20 Mar 2024 17:39:46 -0500
Subject: [PATCH] getdef: avoid spurious error messages about unknown
configuration options
def_find can return NULL for unset, not just unknown, config options. So
move the decision of whether to log an error message about an unknown config
option back into def_find, which knows the difference. Only putdef_str()
will pass a char* srcfile to def_find, so only calls from putdef_str will
cause the message, which was the original intent of fa68441bc4be8.
closes #967
fixes: fa68441bc4be8 ("Improve the login.defs unknown item error message")
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
lib/getdef.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/lib/getdef.c b/lib/getdef.c
index 4d4d4e19..ef2ae1f0 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -176,7 +176,7 @@ static const char* def_fname = LOGINDEFS; /* login config defs file */
static bool def_loaded = false; /* are defs already loaded? */
/* local function prototypes */
-static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *);
+static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *, const char *);
static void def_load (void);
@@ -195,7 +195,7 @@ static void def_load (void);
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
return (NULL == d) ? NULL : d->value;
}
@@ -214,7 +214,7 @@ bool getdef_bool (const char *item)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return false;
}
@@ -240,7 +240,7 @@ int getdef_num (const char *item, int dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -275,7 +275,7 @@ unsigned int getdef_unum (const char *item, unsigned int dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -310,7 +310,7 @@ long getdef_long (const char *item, long dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -342,7 +342,7 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -375,12 +375,9 @@ int putdef_str (const char *name, const char *value, const char *srcfile)
* Locate the slot to save the value. If this parameter
* is unknown then "def_find" will print an err message.
*/
- d = def_find (name);
- if (NULL == d) {
- if (NULL != srcfile)
- SYSLOG ((LOG_CRIT, "shadow: unknown configuration item '%s' in '%s'", name, srcfile));
+ d = def_find (name, srcfile);
+ if (NULL == d)
return -1;
- }
/*
* Save off the value.
@@ -404,9 +401,12 @@ int putdef_str (const char *name, const char *value, const char *srcfile)
*
* Search through a table of configurable items to locate the
* specified configuration option.
+ *
+ * If srcfile is not NULL, and the item is not found, then report an error saying
+ * the unknown item was used in this file.
*/
-static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
+static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name, const char *srcfile)
{
struct itemdef *ptr;
@@ -432,6 +432,8 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
fprintf (shadow_logfd,
_("configuration error - unknown item '%s' (notify administrator)\n"),
name);
+ if (srcfile != NULL)
+ SYSLOG ((LOG_CRIT, "shadow: unknown configuration item '%s' in '%s'", name, srcfile));
out:
return NULL;
@@ -610,7 +612,7 @@ int main (int argc, char **argv)
def_load ();
for (i = 0; i < NUMDEFS; ++i) {
- d = def_find (def_table[i].name);
+ d = def_find (def_table[i].name, NULL);
if (NULL == d) {
printf ("error - lookup '%s' failed\n",
def_table[i].name);
--
2.44.0

162
shadow-4.15.0-manfix.patch Normal file
View File

@ -0,0 +1,162 @@
diff -up shadow-4.15.0/man/groupmems.8.xml.manfix shadow-4.15.0/man/groupmems.8.xml
--- shadow-4.15.0/man/groupmems.8.xml.manfix 2023-05-26 04:56:11.000000000 +0200
+++ shadow-4.15.0/man/groupmems.8.xml 2024-02-09 10:42:20.337036378 +0100
@@ -156,20 +156,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2710 groupmems
- $ chown root:groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.15.0/man/ja/man5/login.defs.5.manfix shadow-4.15.0/man/ja/man5/login.defs.5
--- shadow-4.15.0/man/ja/man5/login.defs.5.manfix 2023-03-13 21:58:56.000000000 +0100
+++ shadow-4.15.0/man/ja/man5/login.defs.5 2024-02-09 10:42:20.337036378 +0100
@@ -123,10 +123,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。
.na
-.IP chfn 12
-CHFN_AUTH CHFN_RESTRICT
-.IP chsh 12
-CHFN_AUTH
.IP groupadd 12
GID_MAX GID_MIN
.IP newusers 12
diff -up shadow-4.15.0/man/login.defs.5.xml.manfix shadow-4.15.0/man/login.defs.5.xml
--- shadow-4.15.0/man/login.defs.5.xml.manfix 2024-01-22 22:36:43.000000000 +0100
+++ shadow-4.15.0/man/login.defs.5.xml 2024-02-09 10:45:49.014407259 +0100
@@ -144,6 +144,17 @@
long numeric parameters is machine-dependent.
</para>
+ <para>
+ Please note that the parameters in this configuration file control the
+ behavior of the tools from the shadow-utils component. None of these
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
+ passwd command) should be configured elsewhere. The only values that
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
+ pam(8) for more information.
+ </para>
+
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
@@ -240,16 +251,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>chfn</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
- CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>chgpasswd</term>
<listitem>
<para>
@@ -276,14 +277,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry condition="no_pam">
- <term>chsh</term>
- <listitem>
- <para>
- CHSH_AUTH LOGIN_STRING
- </para>
- </listitem>
- </varlistentry>
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables -->
<varlistentry>
@@ -352,34 +345,6 @@
<para>LASTLOG_UID_MAX</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
<!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
@@ -451,32 +416,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry condition="no_pam">
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- ENV_TZ
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>

1413
shadow-4.15.0-sast-fixes.patch Normal file
View File

File diff suppressed because it is too large Load Diff

34
shadow-4.15.0-useradd-fix-write-full-return.patch Normal file
View File

@ -0,0 +1,34 @@
From 8903b94c86c978e8abef623358fd3e4629c06967 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 9 Sep 2024 10:36:17 +0200
Subject: [PATCH] useradd: fix write_full() return value
write_full() returns -1 on error and useradd was checking another value.
Closes: https://github.com/shadow-maint/shadow/issues/1072
Fixes: f45498a6c286 ("libmisc/write_full.c: Improve write_full()")
Reported-by: <https://github.com/brown-midas>
Suggested-by: <https://github.com/brown-midas>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index 02c500d0..d64fd892 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2042,7 +2042,7 @@ static void lastlog_reset (uid_t uid)
return;
}
if ( (lseek (fd, offset_uid, SEEK_SET) != offset_uid)
- || (write_full (fd, &ll, sizeof (ll)) != (ssize_t) sizeof (ll))
+ || (write_full (fd, &ll, sizeof (ll)) == -1)
|| (fsync (fd) != 0)) {
fprintf (stderr,
_("%s: failed to reset the lastlog entry of UID %lu: %s\n"),
--
2.46.0

0
SOURCES/shadow-bsd.txt → shadow-bsd.txt
View File

20
shadow-utils-configure-gshadow.patch Normal file
View File

@ -0,0 +1,20 @@
The missing #include <gshadow.h> causes the configure check to fail
spuriously, resulting in HAVE_SHADOWGRP not being defined.
Submitted upstream: <https://github.com/shadow-maint/shadow/pull/595>
diff --git a/configure.ac b/configure.ac
index 924254a0c8171802..6c7d9839979e037d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -116,6 +116,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
ac_cv_libc_shadowgrp,
AC_RUN_IFELSE([AC_LANG_SOURCE([
#include <shadow.h>
+ #ifdef HAVE_GSHADOW_H
+ #include <gshadow.h>
+ #endif
+ int
main()
{
struct sgrp *sg = sgetsgent("test:x::");

43
shadow-utils.HOME_MODE.xml Normal file
View File

@ -0,0 +1,43 @@
<!--
Copyright (c) 1991 - 1993, Julianne Frances Haugh
Copyright (c) 1991 - 1993, Chip Rosenthal
Copyright (c) 2007 - 2009, Nicolas François
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<varlistentry>
<term><option>HOME_MODE</option> (number)</term>
<listitem>
<para>
The mode for new home directories. If not specified,
the <option>UMASK</option> is used to create the mode.
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
to set the mode of the home directory they create.
</para>
</listitem>
</varlistentry>

315
shadow-utils.login.defs Normal file
View File

@ -0,0 +1,315 @@
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 524288
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 524288
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
#LOGIN_RETRIES 3
#
# Max time in seconds for login(1)
#
#LOGIN_TIMEOUT 60
#
# Maximum number of attempts to change password if rejected (too easy)
#
PASS_CHANGE_TRIES 5
#
# Warn about weak passwords (but still allow them) if you are root.
#
PASS_ALWAYS_WARN yes
#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8
# Currently CHFN_AUTH is not supported
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
#CHFN_RESTRICT rwh
# Currently LOGIN_STRING is not supported
# Currently MD5_CRYPT_ENAB is not supported
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
#
ENCRYPT_METHOD YESCRYPT
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range.
#
#SHA_CRYPT_MAX_ROUNDS 5000
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
#
# Only works if ENCRYPT_METHOD is set to BCRYPT.
#
# Define the number of BCRYPT rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, 13 rounds will be attempted.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
#BCRYPT_MIN_ROUNDS 13
#BCRYPT_MAX_ROUNDS 31
#
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
#
# Define the YESCRYPT cost factor.
# With a higher cost factor, it is more difficult to brute-force the password.
# However, more CPU time and more memory will be needed to authenticate users
# if this value is increased.
#
# If not specified, a cost factor of 5 will be used.
# The value must be within the 1-11 range.
#
#YESCRYPT_COST_FACTOR 5
# Currently CONSOLE_GROUPS is not supported
#
# Should login be allowed if we can't cd to the home directory?
# Default is yes.
#
#DEFAULT_HOME yes
# Currently ENVIRON_FILE is not supported
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# Enables userdel(8) to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd(8) should create home directories for users by default (non
# system users only).
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
CREATE_HOME yes
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
#FORCE_SHADOW yes
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
#
# Note: It is recommended to check hmac(3) to see the possible algorithms
# that are available in your system.
#
HMAC_CRYPTO_ALGO SHA512

635
SPECS/shadow-utils.spec → shadow-utils.spec
View File

@ -1,123 +1,70 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.6
Release: 22%{?dist}
Version: 4.15.0
Release: 5%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
License: BSD-3-Clause AND GPL-2.0-or-later
URL: https://github.com/shadow-maint/shadow
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
Source2: shadow-utils.useradd
Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Source6: shadow-utils.HOME_MODE.xml
Source7: passwd.pamd
### Globals ###
%global includesubiddir %{_includedir}/shadow
%global includesubiddir %{_includedir}/shadow
### Patches ###
Patch0: shadow-4.6-redhat.patch
Patch1: shadow-4.6-goodname.patch
Patch2: shadow-4.1.5.1-info-parent-dir.patch
Patch6: shadow-4.6-selinux.patch
Patch10: shadow-4.6-orig-context.patch
Patch11: shadow-4.1.5.1-logmsg.patch
Patch14: shadow-4.1.5.1-default-range.patch
Patch15: shadow-4.6-manfix.patch
Patch17: shadow-4.1.5.1-userdel-helpfix.patch
Patch19: shadow-4.2.1-date-parsing.patch
Patch21: shadow-4.6-move-home.patch
Patch22: shadow-4.6-audit-update.patch
Patch23: shadow-4.5-usermod-unlock.patch
Patch24: shadow-4.2.1-no-lock-dos.patch
Patch28: shadow-4.6-selinux-perms.patch
Patch29: shadow-4.2.1-null-tm.patch
Patch31: shadow-4.6-getenforce.patch
Patch32: shadow-4.5-crypt_h.patch
Patch33: shadow-4.5-long-entry.patch
Patch34: shadow-4.6-usermod-crash.patch
Patch35: shadow-4.6-coverity.patch
Patch36: shadow-4.6-use-itstool.patch
Patch37: shadow-4.6-sssd-flush.patch
Patch38: shadow-4.6-sysugid-min-limit.patch
Patch39: shadow-4.6-chgrp-guard.patch
Patch40: shadow-4.6-ignore-login-prompt.patch
Patch41: shadow-4.6-use-lckpwdf.patch
# Upstreamed
Patch42: shadow-4.6-regular-user.patch
# Upstreamed
Patch43: shadow-4.6-home_mode-directive.patch
# Upstreamed
Patch44: shadow-4.6-check-local-groups.patch
# https://github.com/shadow-maint/shadow/commit/e84df9e163e133eb11a2728024ff3e3440592cf8
Patch45: shadow-4.6-sssd-redirect-warning.patch
# Unused option in Fedora/RHEL - non upstreamable
Patch46: shadow-4.6-remove-login-string-references.patch
# https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
Patch47: shadow-4.6-usermod-allow-all-group-types.patch
# https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a052b988b01a71933b67296e68
# https://github.com/shadow-maint/shadow/commit/607f1dd549cf9abc87af1cf29275f0d2d11eea29
# https://github.com/shadow-maint/shadow/commit/b5fb1b38eea2fb0489ed088c82daf6700e72363e
# https://github.com/shadow-maint/shadow/commit/43a917cce54019799a8de037fd63780a2b640afc
Patch48: shadow-4.6-libsubid_creation.patch
# https://github.com/shadow-maint/shadow/commit/514c1328b6c90d817ae0a9f7addfb3c9a11a275a
# https://github.com/shadow-maint/shadow/commit/8492dee6632e340dee76eee895c3e30877bebf45
# https://github.com/shadow-maint/shadow/commit/0f4347d1483191b2142546416a9eefe0c9459600
Patch49: shadow-4.6-libsubid_nsswitch_support.patch
# https://github.com/shadow-maint/shadow/commit/186b1b7ac1a68d0fcc618a22da1a99232b420911
Patch50: shadow-4.6-man-mention-nss-in-newuidmap.patch
# https://github.com/shadow-maint/shadow/commit/f9831a4a1a20b0e8fe47cc72ec20018ec04dbb90
Patch51: shadow-4.6-libsubid_not_print_error_messages.patch
# https://github.com/shadow-maint/shadow/commit/c6cab4a7bafa18d9d65a333cac1261e7b5e32bc9
Patch52: shadow-4.6-libsubid_init_return_false.patch
# https://github.com/shadow-maint/shadow/commit/2f1f45d64fc7c10e7a3cbe00e89f63714343e526
Patch53: shadow-4.6-useradd_SUB_UID_COUNT-0.patch
# https://github.com/shadow-maint/shadow/commit/ea7af4e1543c63590d4107ae075fea385028997d
Patch54: shadow-4.6-libsubid_simplify_ranges_variable.patch
# https://github.com/shadow-maint/shadow/commit/0fe42f571c69f0105d31305f995c9887aeb9525e
Patch55: shadow-4.6-libsubid_init_not_print_error_messages.patch
# https://github.com/shadow-maint/shadow/commit/ec1951c181faed188464396b2cfdd2efb726c7f3
Patch56: shadow-4.6-libsubid_fix_newusers_nss_provides_subids.patch
# https://github.com/shadow-maint/shadow/commit/087112244327be50abc24f9ec8afbf60ae8b2dec
# https://github.com/shadow-maint/shadow/pull/353
Patch57: shadow-4.6-man_clarify_subid_delegation.patch
# https://github.com/shadow-maint/shadow/commit/bd920ab36a6c641e4a8769f8c7f8ca738ec61820
Patch58: shadow-4.6-libsubid_make_logfd_not_extern.patch
# https://github.com/shadow-maint/shadow/commit/0dffc7c61200f492eeac03c29fa7e93b62d3cead
Patch59: shadow-4.6-useradd_dont_try_to_create_0_subuids.patch
# https://github.com/shadow-maint/shadow/commit/77e39de1e6cbd6925f16bb260abb7d216296886b
Patch60: shadow-4.6-install_subid_h.patch
# https://github.com/shadow-maint/shadow/commit/fa986b1d73605ecca54a4f19249227aeab827bf6
Patch61: shadow-4.6-respect_enable_static_no.patch
# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
Patch62: shadow-4.6-getsubids.patch
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
Patch63: shadow-4.6-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
Patch64: shadow-4.9-subordinateio-compare-owner-ID.patch
# https://github.com/shadow-maint/shadow/commit/e0524e813a3bae2891b33a66f35876841c11cee7
Patch65: shadow-4.6-useradd-check-if-subid-range-exists.patch
# https://github.com/shadow-maint/shadow/commit/baae5b4a06c905d9f52ed1f922a0d7d0625d11cf
Patch66: shadow-4.6-skip-over-reserved-ids.patch
# https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
Patch67: shadow-4.6-gpasswd-fix-password-leak.patch
Patch68: shadow-4.6-salt-remove-rounds.patch
# Misc manual page changes - non-upstreamable
Patch0: shadow-4.15.0-manfix.patch
# Date parsing improvement - could be upstreamed
Patch1: shadow-4.15.0-date-parsing.patch
# https://github.com/shadow-maint/shadow/commit/d8e6a8b99b4d844328d875287babf6e13860d464
Patch2: shadow-4.15.0-sast-fixes.patch
# Audit message changes - partially upstreamed
Patch3: shadow-4.15.0-audit-update.patch
# Probably non-upstreamable
Patch4: shadow-4.15.0-account-tools-setuid.patch
# https://github.com/shadow-maint/shadow/commit/ead55e9ba8958504e23e29545f90c4dd925c7462
Patch5: shadow-4.15.0-getdef-spurious-error.patch
# https://github.com/shadow-maint/shadow/commit/903593249630054ab5df327481f7386f718088cc
Patch6: shadow-4.15.0-useradd-fix-write-full-return.patch
License: BSD and GPLv2+
Group: System Environment/Base
BuildRequires: gcc
BuildRequires: libselinux-devel >= 1.25.2-1
BuildRequires: audit-libs-devel >= 1.6.5
BuildRequires: libsemanage-devel
BuildRequires: libacl-devel, libattr-devel
BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
BuildRequires: autoconf, automake, libtool, gettext-devel
BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
Requires: libselinux >= 1.25.2-1
### Dependencies ###
Requires: audit-libs >= 1.6.5
Requires: libselinux >= 1.25.2-1
Requires: pam-libs
Requires: setup
Requires(pre): coreutils
Requires(post): coreutils
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
### Build Dependencies ###
BuildRequires: audit-libs-devel >= 1.6.5
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: flex
BuildRequires: gcc
BuildRequires: gettext-devel
BuildRequires: git
BuildRequires: itstool
BuildRequires: libacl-devel
BuildRequires: libattr-devel
BuildRequires: libeconf-devel
BuildRequires: libselinux-devel >= 1.25.2-1
BuildRequires: libsemanage-devel
BuildRequires: libtool
BuildRequires: libxslt
BuildRequires: make
BuildRequires: pam-devel
### Provides ###
Provides: shadow = %{epoch}:%{version}-%{release}
Provides: passwd = 0.80-18
Obsoletes: passwd <= 0.80-19
%description
The shadow-utils package includes the necessary programs for
@ -150,69 +97,16 @@ Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
Development files for shadow-utils-subid.
%prep
%setup -q -n shadow-%{version}
%patch0 -p1 -b .redhat
%patch1 -p1 -b .goodname
%patch2 -p1 -b .info-parent-dir
%patch6 -p1 -b .selinux
%patch10 -p1 -b .orig-context
%patch11 -p1 -b .logmsg
%patch14 -p1 -b .default-range
%patch15 -p1 -b .manfix
%patch17 -p1 -b .userdel
%patch19 -p1 -b .date-parsing
%patch21 -p1 -b .move-home
%patch22 -p1 -b .audit-update
%patch23 -p1 -b .unlock
%patch24 -p1 -b .no-lock-dos
%patch28 -p1 -b .selinux-perms
%patch29 -p1 -b .null-tm
%patch31 -p1 -b .getenforce
%patch32 -p1 -b .crypt_h
%patch33 -p1 -b .long-entry
%patch34 -p1 -b .usermod-crash
%patch35 -p1 -b .coverity
%patch36 -p1 -b .use-itstool
%patch37 -p1 -b .sssd-flush
%patch38 -p1 -b .sysugid-min-limit
%patch39 -p1 -b .chgrp-guard
%patch40 -p1 -b .login-prompt
%patch41 -p1 -b .use-lckpwdf
%patch42 -p1 -b .regular-user
%patch43 -p1 -b .home_mode-directive
%patch44 -p1 -b .check-local-groups
%patch45 -p1 -b .sssd-redirect-warning
%patch46 -p1 -b .remove-login-string-references
%patch47 -p1 -b .usermod-allow-all-group-types
%patch48 -p1 -b .libsubid_creation
%patch49 -p1 -b .libsubid_nsswitch_support
%patch50 -p1 -b .man-mention-nss-in-newuidmap
%patch51 -p1 -b .libsubid_not_print_error_messages
%patch52 -p1 -b .libsubid_init_return_false
%patch53 -p1 -b .useradd_SUB_UID_COUNT-0
%patch54 -p1 -b .libsubid_simplify_ranges_variable
%patch55 -p1 -b .libsubid_init_not_print_error_messages
%patch56 -p1 -b .libsubid_fix_newusers_nss_provides_subids
%patch57 -p1 -b .man_clarify_subid_delegation
%patch58 -p1 -b .libsubid_make_logfd_not_extern
%patch59 -p1 -b .useradd_dont_try_to_create_0_subuids
%patch60 -p1 -b .install_subid_h
%patch61 -p1 -b .respect_enable_static_no
%patch62 -p1 -b .getsubids
%patch63 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
%patch64 -p1 -b .subordinateio-compare-owner-ID
%patch65 -p1 -b .useradd-check-if-subid-range-exists
%patch66 -p1 -b .skip-over-reserved-ids
%patch67 -p1 -b .gpasswd-fix-password-leak
%patch68 -p1 -b .salt-remove-rounds
%autosetup -p 1 -S git -n shadow-%{version}
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
cp -a %{SOURCE4} %{SOURCE5} .
cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
# Force regeneration of getdate.c
rm libmisc/getdate.c
rm lib/getdate.c
%build
%ifarch sparc64
@ -229,75 +123,82 @@ autoreconf
--enable-shadowgrp \
--enable-man \
--with-audit \
--with-libpam \
--with-sha-crypt \
--with-bcrypt \
--with-yescrypt \
--with-selinux \
--without-libbsd \
--without-libcrack \
--without-libpam \
--without-nscd \
--without-sssd \
--enable-shared \
--with-group-name-max-length=32
--with-group-name-max-length=32 \
--enable-lastlog \
--enable-logind=no \
--disable-account-tools-setuid
%make_build
%install
rm -rf $RPM_BUILD_ROOT
%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
install -d -m 755 $RPM_BUILD_ROOT%{_pam_confdir}
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pam_confdir}/passwd
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
done
# Remove binaries we don't use.
rm $RPM_BUILD_ROOT/%{_bindir}/chfn
rm $RPM_BUILD_ROOT/%{_bindir}/chsh
rm $RPM_BUILD_ROOT/%{_bindir}/expiry
rm $RPM_BUILD_ROOT/%{_bindir}/groups
rm $RPM_BUILD_ROOT/%{_bindir}/login
rm $RPM_BUILD_ROOT/%{_bindir}/passwd
rm $RPM_BUILD_ROOT/%{_bindir}/su
rm $RPM_BUILD_ROOT/%{_bindir}/faillog
rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
rm $RPM_BUILD_ROOT%{_bindir}/chfn
rm $RPM_BUILD_ROOT%{_bindir}/chsh
rm $RPM_BUILD_ROOT%{_bindir}/expiry
rm $RPM_BUILD_ROOT%{_bindir}/groups
rm $RPM_BUILD_ROOT%{_bindir}/login
rm $RPM_BUILD_ROOT%{_bindir}/su
rm $RPM_BUILD_ROOT%{_bindir}/faillog
rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
rm $RPM_BUILD_ROOT%{_sbindir}/nologin
rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
# Remove PAM service files we don't use.
rm $RPM_BUILD_ROOT%{_pam_confdir}/chfn
rm $RPM_BUILD_ROOT%{_pam_confdir}/chpasswd
rm $RPM_BUILD_ROOT%{_pam_confdir}/chsh
rm $RPM_BUILD_ROOT%{_pam_confdir}/groupmems
rm $RPM_BUILD_ROOT%{_pam_confdir}/login
rm $RPM_BUILD_ROOT%{_pam_confdir}/newusers
rm $RPM_BUILD_ROOT%{_pam_confdir}/su
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
%find_lang shadow
@ -310,18 +211,20 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
done
# Move header files to its own folder
echo $(ls)
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
# Remove .la files created by libsubid
# Remove .la and .a files created by libsubid
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
%files -f shadow.lang
%doc NEWS doc/HOWTO README
%{!?_licensedir:%global license %%doc}
%license gpl-2.0.txt shadow-bsd.txt
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
%config(noreplace) %{_pam_confdir}/passwd
%{_bindir}/sg
%attr(4755,root,root) %{_bindir}/chage
%attr(4755,root,root) %{_bindir}/gpasswd
@ -329,6 +232,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%attr(4755,root,root) %{_bindir}/newgrp
%attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap
%attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap
%attr(4755,root,root) %{_bindir}/passwd
%{_sbindir}/adduser
%attr(0755,root,root) %{_sbindir}/user*
%attr(0755,root,root) %{_sbindir}/group*
@ -346,6 +250,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%{_mandir}/man1/newgrp.1*
%{_mandir}/man1/newgidmap.1*
%{_mandir}/man1/newuidmap.1*
%{_mandir}/man1/passwd.*
%{_mandir}/man3/shadow.3*
%{_mandir}/man5/shadow.5*
%{_mandir}/man5/login.defs.5*
@ -375,97 +280,285 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%{_libdir}/libsubid.so
%changelog
* Tue Nov 21 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-22
- salt: remove rounds from salt string. Resolves: RHEL-16668
* Mon Nov 4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-5
- Disable nscd. Resolves: RHEL-56355
- useradd: fix write_full() return value
* Thu Nov 2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-21
- login.defs: include SHA_CRYPT_MAX_ROUNDS. Resolves: RHEL-15024
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2:4.15.0-4
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-19
- gpasswd: fix password leak. Resolves: #2215947
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2:4.15.0-3
- Bump release for June 2024 mass rebuild
* Wed May 17 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-18
- Update patch to close label to reset libselinux state. Resolves: #1984740
- useradd: check if subid range exists for user. Resolves: #2012929
- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #1994269
* Tue Jun 18 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-2
- Fix static analyzer detected issues. Resolves: RHEL-35383
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-17
- subordinateio: also compare the owner ID. Resolves: #2093311
* Wed Apr 3 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-1
- Rebase to version 4.15.0
- getdef: avoid spurious error messages about unknown configuration options
* Mon Feb 12 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-6
- Build linking `libpam`
* Thu Feb 1 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-5
- passwd: Provide binary from this package. Enable libpam and
disable account-tools-setuid. Provide passwd PAM service file.
Resolves: #2233275
- passwd: provide --stdin option
* Mon Jan 29 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-4
- Disable SSSD support. Resolves: #2253182
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.14.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Oct 3 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-2
- useradd: Set proper SELinux labels for def_usrtemplate
* Wed Aug 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-1
- Rebase to version 4.14.0. Resolves: #2229000
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 06 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 2:4.13-7
- Remove unused libbsd-devel dependency
* Mon Mar 6 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-6
- Add libbsd-devel and libeconf-devel as build dependencies
* Thu Mar 2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-5
- newuidmap and newgidmap: support passing pid as fd. Resolves: #2174752
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Nov 23 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-3
- Change SUB_UID_MIN and SUB_GID_MIN to 524288. Resolves: #2144558
* Mon Nov 21 2022 Florian Weimer <fweimer@redhat.com> - 2:4.13-2
- Fix gshadow configure check (switching to glibc implementation)
* Wed Nov 9 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-1
- Rebase to version 4.13
- SPDX license migration
* Wed Oct 5 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-3
- chage: Fix regression in print_date. Resolves: #2129336
* Fri Sep 9 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-2
- useradd: Do not reset non-existent data in {last,fail}log
* Mon Aug 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-1
- Rebase to version 4.12.3. Resolves: #2117809
* Mon Aug 1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
- useradd: modify check ID range for system users. Resolves: #2093692
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
- Fix explicit subid requirement for subid-devel
* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
- Rebase to version 4.11.1 (#2034038)
- Fix release sources
- Add subid requirement for subid-devel
- Add explicit subid requirement for subid-devel
* Thu Dec 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-16
- getsubids: provide system binary and man page. Resolves: #2013016
- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #1986782
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Oct 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-15
- Creation of subid and subid-devel subpackages (#2013009)
- libsubid: creation and nsswitch support
* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
- nss: get shadow_logfd with log_get_logfd() (#2038811)
- lib: make shadow_logfd and Prog not extern
- lib: rename Prog to shadow_progname
- lib: provide default values for shadow_progname
- libsubid: use log_set_progname in subid_init
* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
- getsubids: provide system binary and man page (#1980780)
- pwck: fix segfault when calling fprintf() (#2021339)
- newgrp: fix segmentation fault (#2019553)
- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
- useradd: change SELinux labels for home files (#2022658)
* Thu Nov 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
- useradd: revert fix memleak of grp (#2018697)
* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
- useradd: generate home and mail directories with selinux user attribute
* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
- login.defs: include HMAC_CRYPTO_ALGO key
- Clean spec file: organize dependencies and move License location
* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
- libmisc: fix default value in SHA_get_salt_rounds()
* Mon Aug 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
- useradd: avoid generating an empty subid range (#1990653)
* Wed Aug 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
- Rebase to version 4.9
- usermod: allow all group types with -G option (#1975327)
- Clean spec file
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
- Add patch to fix 'fread returns element count, not element size'
* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
- Fix regression issues detected in rhbz#667593 and rhbz#672510
* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
- Enable bcrypt support, as libxcrypt supports it well
* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
- Add a patch to obtain random bytes using getentropy()
- Update shadow-4.8-crypt_h.patch with the upstreamed version
- Add a patch to make use of crypt_gensalt() from libxcrypt
* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
- useradd: free correct pointer (#1976809)
* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
- Add a patch to fix the used prefix for the bcrypt hash method
- Add a patch to cleanup the code in libmisc/salt.c
- Add a patch adding some clarifying comments in libmisc/salt.c
- Add a patch to obtain random bytes from /dev/urandom
* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
- Covscan fixes
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
- Backport support for yescrypt hash method
- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
- libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory
- useradd: fix SUB_UID_COUNT=0
- libsubid: don't return owner in list_owner_ranges API call
- libsubid: libsubid_init don't print messages on error
- libsubid: fix newusers when nss provides subids
- libsubid: make shadow_logfd not extern
- useradd: fix SUB_UID_COUNT=0
- man: mention NSS in new[ug]idmap manpages
- man: clarify subid delegation
- libsubid: make shadow_logfd not extern
* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-14
- usermod: allow all group types with -G option (#1967641)
* Thu May 6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
- man: mention NSS in new[ug]idmap manpages
- libsubid: move development header to shadow folder
* Mon May 3 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-13
- man: Remove references to LOGIN_STRING in login.defs (#1884702)
* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
- libsubid: creation and nsswitch support
- Creation of subid and subid-devel subpackages
* Fri Oct 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-12
- lib/sssd: redirect warning message to file (#1749001)
- useradd: clarify valid usernames/groupnames (#1869432)
- login.defs: link login specific information to its own package (#1804766)
* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
- man: include lastlog file caveat (#951564)
- Upstream links to several patches
- Spec file cleanup by Robert Scheck
- Add BuildRequires: make by Tom Stellard
* Fri Aug 7 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-11
- change UMASK value and add HOME_MODE in login.defs (#1777718)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue May 5 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-10
- check only local groups when adding new supplementary groups to a user
* Mon Nov 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
- commonio: force lock file sync (#1862056)
* Fri Apr 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-9
- do not mistake a regular user process for a namespaced one (#1788696)
- add HOME_MODE support in login.defs (#1777718)
* Tue Nov 3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
- Rebuild with libsemanage.so.2
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-8
- properly audit group password change
- do not add uid of a new (not yet added) user to the audit message
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
- check only local groups when adding new supplementary groups to a user (#1727236)
* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
- useradd: clarify the useradd -d parameter behavior in man page
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-1
- updated upstream to 4.8.1
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-5
- synchronized login.defs with upstream file (#1261099 and #1807957)
* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
- fix useradd: doesn't generate spool mail with the proper SELinux user identity
(#1690527)
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 16 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-2
- make the invalid shell check into warning
* Mon Jan 13 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-1
- update to current upstream release 4.8
* Mon Sep 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16
- fix SELinux related problem in chpasswd/chgpasswd when run with -R
(patch by Petr Lautrbach) (#1747215)
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-14
- minor auditing fixes
* Fri May 3 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-13
- use lckpwdf() again to disable concurrent edits of databases by
other applications
- clarify chage manual page in regards to shadow and passwd
inconsistency
- fix minor issues in groupadd and login.defs manual pages
- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
* Tue Apr 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-12
- force regeneration of getdate.c otherwise the date parsing fix
is not applied
* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-7
* Fri Mar 22 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-11
- clarify chage manual page in regards to shadow and passwd
inconsistency (#1686440)
* Thu Mar 21 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-10
- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
* Thu Mar 7 2019 Tim Landscheidt <tim@tim-landscheidt.de> - 2:4.6-9
- Remove obsolete requirements for post/pre scriptlets
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2:4.6-7
- Rebuilt for libcrypt.so.2 (#1666033)
* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
- usermod: guard against unsafe change of ownership of
special home directories
* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
- drop trailing space from login.defs ENCRYPT_METHOD setting
* Mon Nov 19 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-5
- use itstool instead of xml2po
* Tue Nov 6 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
- use cap_setxid file capabilities for newxidmap instead of making them setuid
- limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0
and the 0 is always used by root anyway
- manual page improvements
* Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
- fix some issues from Coverity scan
- flush sssd caches - patch by Jakub Hrozek
* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
- fix some issues from Coverity scan
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-2
- use itstool instead of xml2po
* Mon May 28 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
- update to current upstream release 4.6
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
- Update to current upstream release 4.6
* Fri Apr 20 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-10
- Raise limit for passwd and shadow entry length but also prevent
writing longer entries (#1422497)

0
SOURCES/shadow-utils.useradd → shadow-utils.useradd
View File

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (shadow-4.15.0.tar.xz) = 88d72fb706f6792b460c14a9b1b42fe0b5962834ec3793f296cbc138807736b5ad73d3f802cda74db740a71545eb1c8ec47447c2250299eb730ed2b2674e2249
SHA512 (shadow-4.15.0.tar.xz.asc) = 0a39d6a45b7d8df12aade89ed9fc9d481c91297dbd34e85fe831426c1d0051cbcf8478759306b8871cd6b1835604c5836decf398d0165c50ac52fee365561446

77
tests/sanity/Makefile Normal file
View File

@ -0,0 +1,77 @@
# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material
# is made available to anyone wishing to use, modify, copy, or
# redistribute it subject to the terms and conditions of the GNU General
# Public License v.2.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# Author: Jakub Hrozek
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Example Makefile for RHTS #
# This example is geared towards a test for a specific package #
# It does most of the work for you, but may require further coding #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# The toplevel namespace within which the test lives.
TOPLEVEL_NAMESPACE=CoreOS
# The name of the package under test:
PACKAGE_NAME=shadow-utils
# The path of the test below the package:
RELATIVE_PATH=sanity
# Version of the Test. Used with make tag.
export TESTVERSION=1.1
# The combined namespace of the test.
export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
# A phony target is one that is not really the name of a file.
# It is just a name for some commands to be executed when you
# make an explicit request. There are two reasons to use a
# phony target: to avoid a conflict with a file of the same
# name, and to improve performance.
.PHONY: all install download clean
# Executables to be built should be added here, they will be generated on the system under test.
BUILT_FILES=
# Data files, .c files, scripts anything needed to either compile the test and/or run it.
FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
chmod a+x ./sanity_test.py
chmod a+x ./runtest.sh
clean:
rm -f *~ *.rpm $(BUILT_FILES)
# Include Common Makefile
include /usr/share/rhts/lib/rhts-make.include
# Generate the testinfo.desc here:
$(METADATA): Makefile
@touch $(METADATA)
@echo "Owner: Jakub Hrozek <jhrozek@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "License: GNU GPL" >> $(METADATA)
@echo "Description: Basic sanity test for shadow-utils" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA)
@echo "Requires: $(PACKAGE_NAME)" >> $(METADATA)
@echo "Requires: python" >> $(METADATA)
rhts-lint $(METADATA)

10
tests/sanity/PURPOSE Normal file
View File

@ -0,0 +1,10 @@
This is a basic sanity test for the shadow-utils package. It is implemented
in python on top of the unittesting.py module.
Its purpose is to ensure that the binaries in the shadow-utils package behave
as expected and its switches/options work correctly.
For the most part, every binary in the shadow-utils package is represented by
a single class named Test<BinaryName>, i.e. TestUsermod etc. There are some
exceptions, like TestUseraddWeirdNameTest though.

24
tests/sanity/runtest.sh Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh || exit 1
rlJournalStart
rlFileBackup --clean /etc/default/useradd- /etc/default/useradd
setenforce 0
python sanity_test.py -v
setenforce 1
rlFileRestore
EXIT=$?
if [[ $EXIT -eq 0 ]]; then
RESULT="PASS"
else
RESULT="FAIL"
fi
rlJournalEnd
echo "Result: $RESULT"
echo "Exit: $EXIT"
report_result $TEST $RESULT $EXIT

1013
tests/sanity/sanity_test.py Executable file
View File

File diff suppressed because it is too large Load Diff

13
tests/tests.yml Normal file
View File

@ -0,0 +1,13 @@
---
# This first play always runs on the local staging system
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
- atomic
tests:
- sanity
required_packages:
- shadow-utils # sanity test needs shadow-utils
- python # sanity test needs python