Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
29
.gitignore
vendored
@ -1 +1,28 @@
|
||||
SOURCES/shadow-4.6.tar.xz
|
||||
shadow-4.1.4.2.tar.bz2
|
||||
/shadow-4.1.4.3.tar.bz2
|
||||
/shadow-4.1.5.tar.bz2
|
||||
/shadow-4.1.5.1.tar.bz2
|
||||
/shadow-4.1.5.1.tar.bz2.sig
|
||||
/shadow-4.2.1.tar.xz
|
||||
/shadow-4.2.1.tar.xz.sig
|
||||
/shadow-4.3.1.tar.gz
|
||||
/shadow-4.5.tar.xz
|
||||
/shadow-4.5.tar.xz.asc
|
||||
/shadow-4.6.tar.xz
|
||||
/shadow-4.6.tar.xz.asc
|
||||
/shadow-4.8.tar.xz
|
||||
/shadow-4.8.tar.xz.asc
|
||||
/shadow-4.8.1.tar.xz
|
||||
/shadow-4.8.1.tar.xz.asc
|
||||
/shadow-4.9.tar.xz
|
||||
/shadow-4.9.tar.xz.asc
|
||||
/shadow-4.11.1.tar.xz
|
||||
/shadow-4.11.1.tar.xz.asc
|
||||
/shadow-4.12.3.tar.xz
|
||||
/shadow-4.12.3.tar.xz.asc
|
||||
/shadow-4.13.tar.xz
|
||||
/shadow-4.13.tar.xz.asc
|
||||
/shadow-4.14.0.tar.xz
|
||||
/shadow-4.14.0.tar.xz.asc
|
||||
/shadow-4.15.0.tar.xz
|
||||
/shadow-4.15.0.tar.xz.asc
|
||||
|
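--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1 +0,0 @@
-0b84eb1010fda5edca2a9d1733f9480200e02de6 SOURCES/shadow-4.6.tar.xz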
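--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: shadow-4.5/lib/semanage.c
-===================================================================
---- shadow-4.5.orig/lib/semanage.c
-+++ shadow-4.5/lib/semanage.c
-@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
-goto done;
-}
-
-+#if 0
-ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
-if (ret != 0) {
-fprintf (stderr,
-@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
-ret = 1;
-goto done;
-}
-+#endif
-
-ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
-if (ret != 0) {
-@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
-goto done;
-}
-
-+#if 0
-ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
-if (ret != 0) {
-fprintf (stderr,
-@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
-ret = 1;
-goto done;
-}
-+#endif
-
-ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
-if (ret != 0) {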
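--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: shadow-4.5/man/newusers.8.xml
-===================================================================
---- shadow-4.5.orig/man/newusers.8.xml
-+++ shadow-4.5/man/newusers.8.xml
-@@ -218,7 +218,15 @@
-<para>
-If this field does not specify an existing directory, the
-specified directory is created, with ownership set to the
-- user being created or updated and its primary group.
-+ user being created or updated and its primary group. Note
-+ that newusers does not create parent directories of the new
-+ user's home directory. The newusers command will fail to
-+ create the home directory if the parent directories do not
-+ exist, and will send a message to stderr informing the user
-+ of the failure. The newusers command will not halt or return
-+ a failure to the calling shell if it fails to create the home
-+ directory, it will continue to process the batch of new users
-+ specified.
-</para>
-<para>
-If the home directory of an existing user is changed,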
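--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: shadow-4.5/src/useradd.c
-===================================================================
---- shadow-4.5.orig/src/useradd.c
-+++ shadow-4.5/src/useradd.c
-@@ -323,7 +323,7 @@ static void fail_exit (int code)
-user_name, AUDIT_NO_ID,
-SHADOW_AUDIT_FAILURE);
-#endif
-- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
-+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
-exit (code);
-}
-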
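--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: shadow-4.5/src/userdel.c
-===================================================================
---- shadow-4.5.orig/src/userdel.c
-+++ shadow-4.5/src/userdel.c
-@@ -143,8 +143,9 @@ static void usage (int status)
-"\n"
-"Options:\n"),
-Prog);
-- (void) fputs (_(" -f, --force force removal of files,\n"
-- " even if not owned by user\n"),
-+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
-+ " e.g. removal of user still logged in\n"
-+ " or files, even if not owned by the user\n"),
-usageout);
-(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
-(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);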
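--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: shadow-4.5/lib/commonio.c
-===================================================================
---- shadow-4.5.orig/lib/commonio.c
-+++ shadow-4.5/lib/commonio.c
-@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
-int retval;
-char buf[32];
-
-- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
-+ /* We depend here on the fact, that the file name is pid-specific.
-+ * So no O_EXCL here and no DoS.
-+ */
-+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
-if (-1 == fd) {
-if (log) {
-(void) fprintf (stderr,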
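--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,91 +0,0 @@
-Index: shadow-4.5/src/faillog.c
-===================================================================
---- shadow-4.5.orig/src/faillog.c
-+++ shadow-4.5/src/faillog.c
-@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
-}
-
-tm = localtime (&fl.fail_time);
-+ if (tm == NULL) {
-+ cp = "(unknown)";
-+ } else {
-#ifdef HAVE_STRFTIME
-- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
-- cp = ptime;
-+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
-+ cp = ptime;
-#endif
-+ }
-printf ("%-9s %5d %5d ",
-pw->pw_name, fl.fail_cnt, fl.fail_max);
-/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
-Index: shadow-4.5/src/chage.c
-===================================================================
---- shadow-4.5.orig/src/chage.c
-+++ shadow-4.5/src/chage.c
-@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
-struct tm *tp;
-
-tp = gmtime (&date);
-+ if (tp == NULL) {
-+ (void) snprintf (buf, maxsize, "(unknown)");
-+ return;
-+ }
-#ifdef HAVE_STRFTIME
-(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
-#else
-Index: shadow-4.5/src/lastlog.c
-===================================================================
---- shadow-4.5.orig/src/lastlog.c
-+++ shadow-4.5/src/lastlog.c
-@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
-
-ll_time = ll.ll_time;
-tm = localtime (&ll_time);
-+ if (tm == NULL) {
-+ cp = "(unknown)";
-+ } else {
-#ifdef HAVE_STRFTIME
-- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-- cp = ptime;
-+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-+ cp = ptime;
-#else
-- cp = asctime (tm);
-- cp[24] = '\0';
-+ cp = asctime (tm);
-+ cp[24] = '\0';
-#endif
-+ }
-
-if (ll.ll_time == (time_t) 0) {
-cp = _("**Never logged in**\0");
-Index: shadow-4.5/src/passwd.c
-===================================================================
---- shadow-4.5.orig/src/passwd.c
-+++ shadow-4.5/src/passwd.c
-@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
-struct tm *tm;
-
-tm = gmtime (&t);
-+ if (tm == NULL) {
-+ return "(unknown)";
-+ }
-#ifdef HAVE_STRFTIME
-(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
-#else /* !HAVE_STRFTIME */
-Index: shadow-4.5/src/usermod.c
-===================================================================
---- shadow-4.5.orig/src/usermod.c
-+++ shadow-4.5/src/usermod.c
-@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
-} else {
-time_t t = (time_t) date;
-tp = gmtime (&t);
-+ if (tp == NULL) {
-+ strncpy (buf, "unknown", maxsize);
-+ return;
-+ }
-#ifdef HAVE_STRFTIME
-strftime (buf, maxsize, "%Y-%m-%d", tp);
-#else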
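--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,41 +0,0 @@
-Index: shadow-4.5/configure.ac
-===================================================================
---- shadow-4.5.orig/configure.ac
-+++ shadow-4.5/configure.ac
-@@ -32,9 +32,9 @@ AC_HEADER_STDC
-AC_HEADER_SYS_WAIT
-AC_HEADER_STDBOOL
-
--AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
-- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
-- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
-+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
-+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
-+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
-locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
-attr/error_context.h)
-
-Index: shadow-4.5/lib/defines.h
-===================================================================
---- shadow-4.5.orig/lib/defines.h
-+++ shadow-4.5/lib/defines.h
-@@ -4,6 +4,8 @@
-#ifndef _DEFINES_H_
-#define _DEFINES_H_
-
-+#include "config.h"
-+
-#if HAVE_STDBOOL_H
-# include <stdbool.h>
-#else
-@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
-# include <unistd.h>
-#endif
-
-+#if HAVE_CRYPT_H
-+# include <crypt.h> /* crypt(3) may be defined in here */
-+#endif
-+
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>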
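--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,84 +0,0 @@
-diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
---- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200
-+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200
-@@ -382,4 +382,7 @@ extern char *strerror ();
-# endif
-#endif
-
-+/* Maximum length of passwd entry */
-+#define PASSWD_ENTRY_MAX_LENGTH 32768
-+
-#endif /* _DEFINES_H_ */
-diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
---- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100
-+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200
-@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
-|| (pw->pw_gid == (gid_t)-1)
-|| (valid_field (pw->pw_gecos, ":\n") == -1)
-|| (valid_field (pw->pw_dir, ":\n") == -1)
-- || (valid_field (pw->pw_shell, ":\n") == -1)) {
-+ || (valid_field (pw->pw_shell, ":\n") == -1)
-+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
-+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
-+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
-return -1;
-}
-
-diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
---- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
-+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200
-@@ -57,7 +57,7 @@
-struct passwd *sgetpwent (const char *buf)
-{
-static struct passwd pwent;
-- static char pwdbuf[1024];
-+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
-register int i;
-register char *cp;
-char *fields[NFIELDS];
-@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
-* the password structure remain valid.
-*/
-
-- if (strlen (buf) >= sizeof pwdbuf)
-+ if (strlen (buf) >= sizeof pwdbuf) {
-+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
-return 0; /* fail if too long */
-+ }
-strcpy (pwdbuf, buf);
-
-/*
-diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
---- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
-+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200
-@@ -48,7 +48,7 @@
-*/
-struct spwd *sgetspent (const char *string)
-{
-- static char spwbuf[1024];
-+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
-static struct spwd spwd;
-char *fields[FIELDS];
-char *cp;
-@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
-*/
-
-if (strlen (string) >= sizeof spwbuf) {
-+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
-return 0; /* fail if too long */
-}
-strcpy (spwbuf, string);
-diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
---- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100
-+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200
-@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
-
-if ( (NULL == sp)
-|| (valid_field (sp->sp_namp, ":\n") == -1)
-- || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
-+ || (valid_field (sp->sp_pwdp, ":\n") == -1)
-+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
-+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) {
-return -1;
-}
-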
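--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,64 +0,0 @@
-Index: shadow-4.5/src/usermod.c
-===================================================================
---- shadow-4.5.orig/src/usermod.c
-+++ shadow-4.5/src/usermod.c
-@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
-strcat (buf, pw_pass);
-pw_pass = buf;
-} else if (Uflg && pw_pass[0] == '!') {
-- char *s;
-+ char *s = pw_pass;
-
-- if (pw_pass[1] == '\0') {
-+ while ('!' == *s)
-+ ++s;
-+
-+ if (*s == '\0') {
-fprintf (stderr,
-_("%s: unlocking the user's password would result in a passwordless account.\n"
-"You should set a password with usermod -p to unlock this user's password.\n"),
-Prog);
-- return pw_pass;
-+ return NULL;
-}
-
-#ifdef WITH_AUDIT
-@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
-user_newname, (unsigned int) user_newid, 1);
-#endif
-SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
-- s = pw_pass;
-- while ('\0' != *s) {
-- *s = *(s + 1);
-- s++;
-- }
-+ memmove (pw_pass, s, strlen (s) + 1);
-} else if (pflg) {
-+ if (strchr (user_pass, ':') != NULL) {
-+ fprintf (stderr,
-+ _("%s: The password field cannot contain a colon character.\n"),
-+ Prog);
-+ return NULL;
-+
-+ }
-#ifdef WITH_AUDIT
-audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-"updating-password",
-@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
-if ( (!is_shadow_pwd)
-|| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
-pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
-+ if (pwent->pw_passwd == NULL)
-+ fail_exit (E_PW_UPDATE);
-}
-
-if (uflg) {
-@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
-* + aging has been requested
-*/
-spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
-+ if (spent->sp_pwdp == NULL)
-+ fail_exit(E_PW_UPDATE);
-
-if (pflg) {
-spent->sp_lstchg = (long) gettime () / SCALE;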
@ -1,642 +0,0 @@
|
||||
From 140510de9de4771feb3af1d859c09604043a4c9b Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Fri, 27 Mar 2020 14:23:02 +0100
|
||||
Subject: [PATCH 1/2] usermod: check only local groups with -G option
|
||||
|
||||
Check only local groups when adding new supplementary groups to a user
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
|
||||
---
|
||||
src/usermod.c | 220 ++++++++++++++++++++++++++++++++------------------
|
||||
1 file changed, 143 insertions(+), 77 deletions(-)
|
||||
|
||||
diff --git a/src/usermod.c b/src/usermod.c
|
||||
index 05b98715..ef430296 100644
|
||||
--- a/src/usermod.c
|
||||
+++ b/src/usermod.c
|
||||
@@ -183,6 +183,7 @@ static bool sub_gid_locked = false;
|
||||
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
|
||||
long int date);
|
||||
static int get_groups (char *);
|
||||
+static struct group * get_local_group (char * grp_name);
|
||||
static /*@noreturn@*/void usage (int status);
|
||||
static void new_pwent (struct passwd *);
|
||||
static void new_spent (struct spwd *);
|
||||
@@ -196,7 +197,9 @@ static void grp_update (void);
|
||||
|
||||
static void process_flags (int, char **);
|
||||
static void close_files (void);
|
||||
+static void close_group_files (void);
|
||||
static void open_files (void);
|
||||
+static void open_group_files (void);
|
||||
static void usr_update (void);
|
||||
static void move_home (void);
|
||||
static void update_lastlog (void);
|
||||
@@ -253,6 +256,11 @@ static int get_groups (char *list)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Open the group files
|
||||
+ */
|
||||
+ open_group_files ();
|
||||
+
|
||||
/*
|
||||
* So long as there is some data to be converted, strip off each
|
||||
* name and look it up. A mix of numerical and string values for
|
||||
@@ -272,7 +280,7 @@ static int get_groups (char *list)
|
||||
* Names starting with digits are treated as numerical GID
|
||||
* values, otherwise the string is looked up as is.
|
||||
*/
|
||||
- grp = prefix_getgr_nam_gid (list);
|
||||
+ grp = get_local_group (list);
|
||||
|
||||
/*
|
||||
* There must be a match, either by GID value or by
|
||||
@@ -322,6 +330,8 @@ static int get_groups (char *list)
|
||||
gr_free ((struct group *)grp);
|
||||
} while (NULL != list);
|
||||
|
||||
+ close_group_files ();
|
||||
+
|
||||
user_groups[ngroups] = (char *) 0;
|
||||
|
||||
/*
|
||||
@@ -334,6 +344,44 @@ static int get_groups (char *list)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * get_local_group - checks if a given group name exists locally
|
||||
+ *
|
||||
+ * get_local_group() checks if a given group name exists locally.
|
||||
+ * If the name exists the group information is returned, otherwise NULL is
|
||||
+ * returned.
|
||||
+ */
|
||||
+static struct group * get_local_group(char * grp_name)
|
||||
+{
|
||||
+ const struct group *grp;
|
||||
+ struct group *result_grp = NULL;
|
||||
+ long long int gid;
|
||||
+ char *endptr;
|
||||
+
|
||||
+ gid = strtoll (grp_name, &endptr, 10);
|
||||
+ if ( ('\0' != *grp_name)
|
||||
+ && ('\0' == *endptr)
|
||||
+ && (ERANGE != errno)
|
||||
+ && (gid == (gid_t)gid)) {
|
||||
+ grp = gr_locate_gid ((gid_t) gid);
|
||||
+ }
|
||||
+ else {
|
||||
+ grp = gr_locate(grp_name);
|
||||
+ }
|
||||
+
|
||||
+ if (grp != NULL) {
|
||||
+ result_grp = __gr_dup (grp);
|
||||
+ if (NULL == result_grp) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: Out of memory. Cannot find group '%s'.\n"),
|
||||
+ Prog, grp_name);
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return result_grp;
|
||||
+}
|
||||
+
|
||||
#ifdef ENABLE_SUBIDS
|
||||
struct ulong_range
|
||||
{
|
||||
@@ -1447,50 +1495,7 @@ static void close_files (void)
|
||||
}
|
||||
|
||||
if (Gflg || lflg) {
|
||||
- if (gr_close () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failure while writing changes to %s\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failure while writing changes to %s",
|
||||
- gr_dbname ()));
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp) {
|
||||
- if (sgr_close () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failure while writing changes to %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failure while writing changes to %s",
|
||||
- sgr_dbname ()));
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp) {
|
||||
- if (sgr_unlock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failed to unlock %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failed to unlock %s",
|
||||
- sgr_dbname ()));
|
||||
- /* continue */
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
- if (gr_unlock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failed to unlock %s\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failed to unlock %s",
|
||||
- gr_dbname ()));
|
||||
- /* continue */
|
||||
- }
|
||||
+ close_group_files ();
|
||||
}
|
||||
|
||||
if (is_shadow_pwd) {
|
||||
@@ -1559,6 +1564,60 @@ static void close_files (void)
|
||||
#endif
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * close_group_files - close all of the files that were opened
|
||||
+ *
|
||||
+ * close_group_files() closes all of the files that were opened related
|
||||
+ * with groups. This causes any modified entries to be written out.
|
||||
+ */
|
||||
+static void close_group_files (void)
|
||||
+{
|
||||
+ if (gr_close () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failure while writing changes to %s\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failure while writing changes to %s",
|
||||
+ gr_dbname ()));
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp) {
|
||||
+ if (sgr_close () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failure while writing changes to %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failure while writing changes to %s",
|
||||
+ sgr_dbname ()));
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp) {
|
||||
+ if (sgr_unlock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failed to unlock %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failed to unlock %s",
|
||||
+ sgr_dbname ()));
|
||||
+ /* continue */
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+ if (gr_unlock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failed to unlock %s\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failed to unlock %s",
|
||||
+ gr_dbname ()));
|
||||
+ /* continue */
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* open_files - lock and open the password files
|
||||
*
|
||||
@@ -1594,38 +1653,7 @@ static void open_files (void)
|
||||
}
|
||||
|
||||
if (Gflg || lflg) {
|
||||
- /*
|
||||
- * Lock and open the group file. This will load all of the
|
||||
- * group entries.
|
||||
- */
|
||||
- if (gr_lock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot lock %s; try again later.\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- gr_locked = true;
|
||||
- if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot open %s\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp && (sgr_lock () == 0)) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot lock %s; try again later.\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- sgr_locked = true;
|
||||
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot open %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#endif
|
||||
+ open_group_files ();
|
||||
}
|
||||
#ifdef ENABLE_SUBIDS
|
||||
if (vflg || Vflg) {
|
||||
@@ -1661,6 +1689,44 @@ static void open_files (void)
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * open_group_files - lock and open the group files
|
||||
+ *
|
||||
+ * open_group_files() loads all of the group entries.
|
||||
+ */
|
||||
+static void open_group_files (void)
|
||||
+{
|
||||
+ if (gr_lock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot lock %s; try again later.\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ gr_locked = true;
|
||||
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot open %s\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp && (sgr_lock () == 0)) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot lock %s; try again later.\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ sgr_locked = true;
|
||||
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot open %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* usr_update - create the user entries
|
||||
*
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
||||
From 8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9 Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Mon, 30 Mar 2020 09:08:23 +0200
|
||||
Subject: [PATCH 2/2] useradd: check only local groups with -G option
|
||||
|
||||
Check only local groups when adding new supplementary groups to a user
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
|
||||
---
|
||||
src/useradd.c | 234 +++++++++++++++++++++++++++++++++-----------------
|
||||
1 file changed, 157 insertions(+), 77 deletions(-)
|
||||
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index 645d4a40..90210233 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -211,6 +211,7 @@ static void get_defaults (void);
|
||||
static void show_defaults (void);
|
||||
static int set_defaults (void);
|
||||
static int get_groups (char *);
|
||||
+static struct group * get_local_group (char * grp_name);
|
||||
static void usage (int status);
|
||||
static void new_pwent (struct passwd *);
|
||||
|
||||
@@ -220,7 +221,10 @@ static void grp_update (void);
|
||||
|
||||
static void process_flags (int argc, char **argv);
|
||||
static void close_files (void);
|
||||
+static void close_group_files (void);
|
||||
+static void unlock_group_files (void);
|
||||
static void open_files (void);
|
||||
+static void open_group_files (void);
|
||||
static void open_shadow (void);
|
||||
static void faillog_reset (uid_t);
|
||||
static void lastlog_reset (uid_t);
|
||||
@@ -731,6 +735,11 @@ static int get_groups (char *list)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Open the group files
|
||||
+ */
|
||||
+ open_group_files ();
|
||||
+
|
||||
/*
|
||||
* So long as there is some data to be converted, strip off
|
||||
* each name and look it up. A mix of numerical and string
|
||||
@@ -749,7 +758,7 @@ static int get_groups (char *list)
|
||||
* Names starting with digits are treated as numerical
|
||||
* GID values, otherwise the string is looked up as is.
|
||||
*/
|
||||
- grp = prefix_getgr_nam_gid (list);
|
||||
+ grp = get_local_group (list);
|
||||
|
||||
/*
|
||||
* There must be a match, either by GID value or by
|
||||
@@ -799,6 +808,9 @@ static int get_groups (char *list)
|
||||
user_groups[ngroups++] = xstrdup (grp->gr_name);
|
||||
} while (NULL != list);
|
||||
|
||||
+ close_group_files ();
|
||||
+ unlock_group_files ();
|
||||
+
|
||||
user_groups[ngroups] = (char *) 0;
|
||||
|
||||
/*
|
||||
@@ -811,6 +823,44 @@ static int get_groups (char *list)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * get_local_group - checks if a given group name exists locally
|
||||
+ *
|
||||
+ * get_local_group() checks if a given group name exists locally.
|
||||
+ * If the name exists the group information is returned, otherwise NULL is
|
||||
+ * returned.
|
||||
+ */
|
||||
+static struct group * get_local_group(char * grp_name)
|
||||
+{
|
||||
+ const struct group *grp;
|
||||
+ struct group *result_grp = NULL;
|
||||
+ long long int gid;
|
||||
+ char *endptr;
|
||||
+
|
||||
+ gid = strtoll (grp_name, &endptr, 10);
|
||||
+ if ( ('\0' != *grp_name)
|
||||
+ && ('\0' == *endptr)
|
||||
+ && (ERANGE != errno)
|
||||
+ && (gid == (gid_t)gid)) {
|
||||
+ grp = gr_locate_gid ((gid_t) gid);
|
||||
+ }
|
||||
+ else {
|
||||
+ grp = gr_locate(grp_name);
|
||||
+ }
|
||||
+
|
||||
+ if (grp != NULL) {
|
||||
+ result_grp = __gr_dup (grp);
|
||||
+ if (NULL == result_grp) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: Out of memory. Cannot find group '%s'.\n"),
|
||||
+ Prog, grp_name);
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return result_grp;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* usage - display usage message and exit
|
||||
*/
|
||||
@@ -1530,23 +1580,9 @@ static void close_files (void)
|
||||
SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
|
||||
fail_exit (E_PW_UPDATE);
|
||||
}
|
||||
- if (do_grp_update) {
|
||||
- if (gr_close () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
|
||||
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp && (sgr_close () == 0)) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failure while writing changes to %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#endif
|
||||
- }
|
||||
+
|
||||
+ close_group_files ();
|
||||
+
|
||||
#ifdef ENABLE_SUBIDS
|
||||
if (is_sub_uid && (sub_uid_close () == 0)) {
|
||||
fprintf (stderr,
|
||||
@@ -1587,34 +1623,9 @@ static void close_files (void)
|
||||
/* continue */
|
||||
}
|
||||
pw_locked = false;
|
||||
- if (gr_unlock () == 0) {
|
||||
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
|
||||
- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
|
||||
-#ifdef WITH_AUDIT
|
||||
- audit_logger (AUDIT_ADD_USER, Prog,
|
||||
- "unlocking-group-file",
|
||||
- user_name, AUDIT_NO_ID,
|
||||
- SHADOW_AUDIT_FAILURE);
|
||||
-#endif
|
||||
- /* continue */
|
||||
- }
|
||||
- gr_locked = false;
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp) {
|
||||
- if (sgr_unlock () == 0) {
|
||||
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
|
||||
- SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
|
||||
-#ifdef WITH_AUDIT
|
||||
- audit_logger (AUDIT_ADD_USER, Prog,
|
||||
- "unlocking-gshadow-file",
|
||||
- user_name, AUDIT_NO_ID,
|
||||
- SHADOW_AUDIT_FAILURE);
|
||||
-#endif
|
||||
- /* continue */
|
||||
- }
|
||||
- sgr_locked = false;
|
||||
- }
|
||||
-#endif
|
||||
+
|
||||
+ unlock_group_files ();
|
||||
+
|
||||
#ifdef ENABLE_SUBIDS
|
||||
if (is_sub_uid) {
|
||||
if (sub_uid_unlock () == 0) {
|
||||
@@ -1647,6 +1658,71 @@ static void close_files (void)
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * close_group_files - close all of the files that were opened
|
||||
+ *
|
||||
+ * close_group_files() closes all of the files that were opened related
|
||||
+ * with groups. This causes any modified entries to be written out.
|
||||
+ */
|
||||
+static void close_group_files (void)
|
||||
+{
|
||||
+ if (do_grp_update) {
|
||||
+ if (gr_close () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp && (sgr_close () == 0)) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failure while writing changes to %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+#endif /* SHADOWGRP */
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * unlock_group_files - unlock all of the files that were locked
|
||||
+ *
|
||||
+ * unlock_group_files() unlocks all of the files that were locked related
|
||||
+ * with groups. This causes any modified entries to be written out.
|
||||
+ */
|
||||
+static void unlock_group_files (void)
|
||||
+{
|
||||
+ if (gr_unlock () == 0) {
|
||||
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_logger (AUDIT_ADD_USER, Prog,
|
||||
+ "unlocking-group-file",
|
||||
+ user_name, AUDIT_NO_ID,
|
||||
+ SHADOW_AUDIT_FAILURE);
|
||||
+#endif /* WITH_AUDIT */
|
||||
+ /* continue */
|
||||
+ }
|
||||
+ gr_locked = false;
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp) {
|
||||
+ if (sgr_unlock () == 0) {
|
||||
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_logger (AUDIT_ADD_USER, Prog,
|
||||
+ "unlocking-gshadow-file",
|
||||
+ user_name, AUDIT_NO_ID,
|
||||
+ SHADOW_AUDIT_FAILURE);
|
||||
+#endif /* WITH_AUDIT */
|
||||
+ /* continue */
|
||||
+ }
|
||||
+ sgr_locked = false;
|
||||
+ }
|
||||
+#endif /* SHADOWGRP */
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* open_files - lock and open the password files
|
||||
*
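Review bot: The header comment on `unlock_group_files` is a copy of the one on `close_group_files` and its last sentence is wrong: unlocking writes nothing, the writes happen in `gr_close ()`/`sgr_close ()` inside `close_group_files`. I would replace the second paragraph with `unlock_group_files() releases the locks on the group file and, when is_shadow_grp is set, the gshadow file; a failed unlock is reported on stderr, syslog and audit but is not fatal, and gr_locked/sgr_locked are cleared either way.` That also makes the asymmetry explicit for a reader: `close_group_files` exits with E_GRP_UPDATE on failure while the unlock path only logs and continues.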
|
||||
@@ -1668,37 +1744,8 @@ static void open_files (void)
|
||||
|
||||
/* shadow file will be opened by open_shadow(); */
|
||||
|
||||
- /*
|
||||
- * Lock and open the group file.
|
||||
- */
|
||||
- if (gr_lock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot lock %s; try again later.\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- gr_locked = true;
|
||||
- if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||
- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp) {
|
||||
- if (sgr_lock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot lock %s; try again later.\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- sgr_locked = true;
|
||||
- if (sgr_open (O_CREAT | O_RDWR) == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot open %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
+ open_group_files ();
|
||||
+
|
||||
#ifdef ENABLE_SUBIDS
|
||||
if (is_sub_uid) {
|
||||
if (sub_uid_lock () == 0) {
|
||||
@@ -1733,6 +1780,39 @@ static void open_files (void)
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
}
|
||||
|
||||
+static void open_group_files (void)
|
||||
+{
|
||||
+ if (gr_lock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot lock %s; try again later.\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ gr_locked = true;
|
||||
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||
+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp) {
|
||||
+ if (sgr_lock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot lock %s; try again later.\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ sgr_locked = true;
|
||||
+ if (sgr_open (O_CREAT | O_RDWR) == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot open %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* SHADOWGRP */
|
||||
+}
|
||||
+
|
||||
static void open_shadow (void)
|
||||
{
|
||||
if (!is_shadow_pwd) {
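Review bot: `open_group_files` is the only one of the three new helpers without a header comment, and it is defined after its call site in `open_files`, so it depends on a forward declaration that is not in this hunk — worth confirming it was added. I would put `/* open_group_files - lock and open the group file and, if is_shadow_grp, the gshadow file; gr_locked/sgr_locked are set as soon as each lock is taken and any failure calls fail_exit (E_GRP_UPDATE). */` above the definition. Saying that the locked flags are set before the open succeeds is the useful part: presumably that is what lets fail_exit release the locks on the open-failure paths.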
|
||||
--
|
||||
2.25.4
|
||||
|
@ -1,44 +0,0 @@
|
||||
diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
|
||||
--- shadow-4.6/man/usermod.8.xml.chgrp-guard 2018-11-06 09:08:54.170095358 +0100
|
||||
+++ shadow-4.6/man/usermod.8.xml 2018-12-18 15:24:12.283181180 +0100
|
||||
@@ -195,6 +195,12 @@
|
||||
The group ownership of files outside of the user's home directory
|
||||
must be fixed manually.
|
||||
</para>
|
||||
+ <para>
|
||||
+ The change of the group ownership of files inside of the user's
|
||||
+ home directory is also not done if the home dir owner uid is
|
||||
+ different from the current or new user id. This is safety measure
|
||||
+ for special home directories such as <filename>/</filename>.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
@@ -372,6 +378,12 @@
|
||||
must be fixed manually.
|
||||
</para>
|
||||
<para>
|
||||
+ The change of the user ownership of files inside of the user's
|
||||
+ home directory is also not done if the home dir owner uid is
|
||||
+ different from the current or new user id. This is safety measure
|
||||
+ for special home directories such as <filename>/</filename>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
No checks will be performed with regard to the
|
||||
<option>UID_MIN</option>, <option>UID_MAX</option>,
|
||||
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
|
||||
diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
|
||||
--- shadow-4.6/src/usermod.c.chgrp-guard 2018-12-18 15:24:12.286181249 +0100
|
||||
+++ shadow-4.6/src/usermod.c 2018-12-18 15:26:51.227841435 +0100
|
||||
@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
if (!mflg && (uflg || gflg)) {
|
||||
- if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
|
||||
+ struct stat sb;
|
||||
+
|
||||
+ if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
|
||||
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
|
||||
/*
|
||||
* Change the UID on all of the files owned by
|
||||
* `user_id' to `user_newid' in the user's home
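Review bot: The new guard decides with `stat ()`, which follows symlinks, so a home directory that is a symlink is judged by the owner of its target rather than of the link; whether the ownership walk that follows (outside this hunk) resolves the path the same way is worth confirming, since the guard exists precisely to keep that walk off the wrong tree. The comparison against `user_newid` is also made only when `uflg` is set, which the usermod.8 wording in this same patch ("current or new user id") does not say. I would add a one-line comment above the condition: `/* only re-own the home tree if it is owned by the user being modified; guards special homes such as "/" (see usermod.8) */`.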
|
@ -1,223 +0,0 @@
|
||||
diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
|
||||
--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200
|
||||
+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200
|
||||
@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
|
||||
char* lock = NULL;
|
||||
size_t lock_file_len;
|
||||
size_t file_len;
|
||||
- int err;
|
||||
+ int err = 0;
|
||||
|
||||
if (db->locked) {
|
||||
return 1;
|
||||
@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
|
||||
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
|
||||
file = (char*)malloc(file_len);
|
||||
if(file == NULL) {
|
||||
- err = ENOMEM;
|
||||
goto cleanup_ENOMEM;
|
||||
}
|
||||
lock = (char*)malloc(lock_file_len);
|
||||
if(lock == NULL) {
|
||||
- err = ENOMEM;
|
||||
goto cleanup_ENOMEM;
|
||||
}
|
||||
snprintf (file, file_len, "%s.%lu",
|
||||
diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
|
||||
--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200
|
||||
@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
|
||||
static bool is_listed (const char *cfgin, const char *tty, bool def)
|
||||
{
|
||||
FILE *fp;
|
||||
- char buf[200], *s;
|
||||
+ char buf[1024], *s;
|
||||
const char *cons;
|
||||
|
||||
/*
|
||||
@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
|
||||
|
||||
if (*cons != '/') {
|
||||
char *pbuf;
|
||||
- strcpy (buf, cons);
|
||||
+ strncpy (buf, cons, sizeof (buf));
|
||||
+ buf[sizeof (buf) - 1] = '\0';
|
||||
pbuf = &buf[0];
|
||||
while ((s = strtok (pbuf, ":")) != NULL) {
|
||||
if (strcmp (s, tty) == 0) {
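Review bot: The bounded copy on the new `strncpy`/`buf[sizeof (buf) - 1]` lines is no longer an overflow, but it silently truncates a CONSOLE list longer than 1023 bytes, and every tty after the cut is then reported as not listed — judging by the function's name and its `def` fallback, that is a console-access decision changed by a configuration error with no trace. Since the list is tokenized with `strtok` anyway, a heap copy removes the limit: `char *copy = strdup (cons); if (copy == NULL) return def;`, tokenize `copy` instead of `buf` and `free (copy)` before each return. If the fixed buffer is kept, at least warn when `strlen (cons) >= sizeof (buf)`.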
|
||||
diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
|
||||
--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200
|
||||
+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200
|
||||
@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
|
||||
do {
|
||||
wpid = waitpid (pid, status, 0);
|
||||
} while ( ((pid_t)-1 == wpid && errno == EINTR)
|
||||
- || (wpid != pid));
|
||||
+ || ((pid_t)-1 != wpid && wpid != pid));
|
||||
|
||||
if ((pid_t)-1 == wpid) {
|
||||
fprintf (stderr, "%s: waitpid (status: %d): %s\n",
|
||||
diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200
|
||||
@@ -314,7 +314,7 @@ static void fail_exit (int code)
|
||||
static void get_defaults (void)
|
||||
{
|
||||
FILE *fp;
|
||||
- char* default_file = USER_DEFAULTS_FILE;
|
||||
+ char *default_file = USER_DEFAULTS_FILE;
|
||||
char buf[1024];
|
||||
char *cp;
|
||||
|
||||
@@ -324,6 +324,8 @@ static void get_defaults (void)
|
||||
|
||||
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
|
||||
default_file = malloc(len);
|
||||
+ if (default_file == NULL)
|
||||
+ return;
|
||||
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
|
||||
assert (wlen == (int) len -1);
|
||||
}
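Review bot: The new `if (default_file == NULL) return;` leaves `get_defaults` silently, so an allocation failure means the caller continues with the compiled-in defaults and no diagnostic, whereas the matching check added to `set_defaults` in this same patch prints a message. I would report it the same way before returning: `fprintf (stderr, _("%s: cannot read defaults file: %s\n"), Prog, strerror (errno));`. The rest of the function's body is outside the hunk.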
|
||||
@@ -334,7 +336,7 @@ static void get_defaults (void)
|
||||
|
||||
fp = fopen (default_file, "r");
|
||||
if (NULL == fp) {
|
||||
- return;
|
||||
+ goto getdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -445,7 +447,7 @@ static void get_defaults (void)
|
||||
}
|
||||
}
|
||||
(void) fclose (fp);
|
||||
-
|
||||
+ getdef_err:
|
||||
if(prefix[0]) {
|
||||
free(default_file);
|
||||
}
|
||||
@@ -480,8 +482,8 @@ static int set_defaults (void)
|
||||
FILE *ifp;
|
||||
FILE *ofp;
|
||||
char buf[1024];
|
||||
- char* new_file = NEW_USER_FILE;
|
||||
- char* default_file = USER_DEFAULTS_FILE;
|
||||
+ char *new_file = NULL;
|
||||
+ char *default_file = USER_DEFAULTS_FILE;
|
||||
char *cp;
|
||||
int ofd;
|
||||
int wlen;
|
||||
@@ -492,17 +494,30 @@ static int set_defaults (void)
|
||||
bool out_shell = false;
|
||||
bool out_skel = false;
|
||||
bool out_create_mail_spool = false;
|
||||
+ size_t len;
|
||||
+ int ret = -1;
|
||||
|
||||
- if(prefix[0]) {
|
||||
- size_t len;
|
||||
|
||||
- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
|
||||
- new_file = malloc(len);
|
||||
- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
|
||||
- assert (wlen == (int) len -1);
|
||||
+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
|
||||
+ new_file = malloc(len);
|
||||
+ if (new_file == NULL) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot create new defaults file: %s\n"),
|
||||
+ Prog, strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
|
||||
+ assert (wlen <= (int) len -1);
|
||||
|
||||
+ if(prefix[0]) {
|
||||
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
|
||||
default_file = malloc(len);
|
||||
+ if (default_file == NULL) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot create new defaults file: %s\n"),
|
||||
+ Prog, strerror(errno));
|
||||
+ goto setdef_err;
|
||||
+ }
|
||||
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
|
||||
assert (wlen == (int) len -1);
|
||||
}
|
||||
@@ -515,7 +530,7 @@ static int set_defaults (void)
|
||||
fprintf (stderr,
|
||||
_("%s: cannot create new defaults file\n"),
|
||||
Prog);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
ofp = fdopen (ofd, "w");
|
||||
@@ -523,7 +538,7 @@ static int set_defaults (void)
|
||||
fprintf (stderr,
|
||||
_("%s: cannot open new defaults file\n"),
|
||||
Prog);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -550,7 +565,7 @@ static int set_defaults (void)
|
||||
_("%s: line too long in %s: %s..."),
|
||||
Prog, default_file, buf);
|
||||
(void) fclose (ifp);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -614,7 +629,7 @@ static int set_defaults (void)
|
||||
|| (fsync (fileno (ofp)) != 0)
|
||||
|| (fclose (ofp) != 0)) {
|
||||
unlink (new_file);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -629,7 +644,7 @@ static int set_defaults (void)
|
||||
_("%s: Cannot create backup file (%s): %s\n"),
|
||||
Prog, buf, strerror (err));
|
||||
unlink (new_file);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -640,11 +655,11 @@ static int set_defaults (void)
|
||||
fprintf (stderr,
|
||||
_("%s: rename: %s: %s\n"),
|
||||
Prog, new_file, strerror (err));
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_USYS_CONFIG, Prog,
|
||||
- "changing-useradd-defaults",
|
||||
+ "changing useradd defaults",
|
||||
NULL, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_SUCCESS);
|
||||
#endif
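Review bot: The audit op string is changed from `"changing-useradd-defaults"` to `"changing useradd defaults"`, which is inconsistent with every other `audit_logger` op visible on this page (`"unlocking-group-file"`, `"unlocking-gshadow-file"`) and, if `audit_logger` emits it as the `op=` field of the record, puts unquoted spaces into a key=value field that ausearch-style parsers and SIEM rules split on whitespace. Existing detection rules keyed on the old op name would also stop matching. Nothing in the hunk explains the rename; I would keep `"changing-useradd-defaults"`.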
|
||||
@@ -654,13 +669,14 @@ static int set_defaults (void)
|
||||
(unsigned int) def_group, def_home, def_shell,
|
||||
def_inactive, def_expire, def_template,
|
||||
def_create_mail_spool));
|
||||
-
|
||||
+ ret = 0;
|
||||
+ setdef_err:
|
||||
+ free(new_file);
|
||||
if(prefix[0]) {
|
||||
- free(new_file);
|
||||
free(default_file);
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
/*
|
@ -1,21 +0,0 @@
|
||||
diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
|
||||
--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
|
||||
+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
|
||||
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
|
||||
}
|
||||
return 0;
|
||||
error:
|
||||
- if (security_getenforce () != 0) {
|
||||
+ if (security_getenforce () > 0) {
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
|
||||
selinux_checked = true;
|
||||
}
|
||||
if (selinux_enabled) {
|
||||
- if (setfscreatecon (NULL) != 0) {
|
||||
+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
|
||||
return 1;
|
||||
}
|
||||
}
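Review bot: Changing both tests to `security_getenforce () > 0` makes a failed query (the call is documented to return -1 when the mode cannot be read, e.g. no selinuxfs inside a chroot) look like permissive mode, so an error from `setfscreatecon (NULL)` or from the context lookup above it is now reported as success — a fail-open that is probably intended for container builds but is stated nowhere. I would document it on the changed line: `/* -1 (mode unknown, e.g. no selinuxfs) is treated like permissive: report success */` and consider a SYSLOG warning so the silent fallback shows up in logs. The first hunk of this patch makes the same change and deserves the same comment.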
|
@ -1,244 +0,0 @@
|
||||
diff -up shadow-4.6/man/getsubids.1.xml.getsubids shadow-4.6/man/getsubids.1.xml
|
||||
--- shadow-4.6/man/getsubids.1.xml.getsubids 2021-12-09 10:40:50.730275761 +0100
|
||||
+++ shadow-4.6/man/getsubids.1.xml 2021-12-09 10:40:50.730275761 +0100
|
||||
@@ -0,0 +1,141 @@
|
||||
+<?xml version="1.0" encoding="UTF-8"?>
|
||||
+<!--
|
||||
+ Copyright (c) 2021 Iker Pedrosa
|
||||
+ All rights reserved.
|
||||
+
|
||||
+ Redistribution and use in source and binary forms, with or without
|
||||
+ modification, are permitted provided that the following conditions
|
||||
+ are met:
|
||||
+ 1. Redistributions of source code must retain the above copyright
|
||||
+ notice, this list of conditions and the following disclaimer.
|
||||
+ 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ notice, this list of conditions and the following disclaimer in the
|
||||
+ documentation and/or other materials provided with the distribution.
|
||||
+ 3. The name of the copyright holders or contributors may not be used to
|
||||
+ endorse or promote products derived from this software without
|
||||
+ specific prior written permission.
|
||||
+
|
||||
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+-->
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
||||
+<!-- SHADOW-CONFIG-HERE -->
|
||||
+]>
|
||||
+
|
||||
+<refentry id='getsubids.1'>
|
||||
+ <refentryinfo>
|
||||
+ <author>
|
||||
+ <firstname>Iker</firstname>
|
||||
+ <surname>Pedrosa</surname>
|
||||
+ <contrib>Creation, 2021</contrib>
|
||||
+ </author>
|
||||
+ </refentryinfo>
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>getsubids</refentrytitle>
|
||||
+ <manvolnum>1</manvolnum>
|
||||
+ <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
|
||||
+ <refmiscinfo class="source">shadow-utils</refmiscinfo>
|
||||
+ <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+ <refnamediv id='name'>
|
||||
+ <refname>getsubids</refname>
|
||||
+ <refpurpose>get the subordinate id ranges for a user</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+ <refsynopsisdiv id='synopsis'>
|
||||
+ <cmdsynopsis>
|
||||
+ <command>getsubids</command>
|
||||
+ <arg choice='opt'>
|
||||
+ <replaceable>options</replaceable>
|
||||
+ </arg>
|
||||
+ <arg choice='plain'>
|
||||
+ <replaceable>USER</replaceable>
|
||||
+ </arg>
|
||||
+ </cmdsynopsis>
|
||||
+ </refsynopsisdiv>
|
||||
+
|
||||
+ <refsect1 id='description'>
|
||||
+ <title>DESCRIPTION</title>
|
||||
+ <para>
|
||||
+ The <command>getsubids</command> command lists the subordinate user ID
|
||||
+ ranges for a given user. The subordinate group IDs can be listed using
|
||||
+ the <option>-g</option> option.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='options'>
|
||||
+ <title>OPTIONS</title>
|
||||
+ <para>
|
||||
+ The options which apply to the <command>getsubids</command> command are:
|
||||
+ </para>
|
||||
+ <variablelist remap='IP'>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>-g</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ List the subordinate group ID ranges.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='example'>
|
||||
+ <title>EXAMPLE</title>
|
||||
+ <para>
|
||||
+ For example, to obtain the subordinate UIDs of the testuser:
|
||||
+ </para>
|
||||
+ <para>
|
||||
+<programlisting>
|
||||
+$ getsubids testuser
|
||||
+0: testuser 100000 65536
|
||||
+</programlisting>
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ This command output provides (in order from left to right) the list
|
||||
+ index, username, UID range start, and number of UIDs in range.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='see_also'>
|
||||
+ <title>SEE ALSO</title>
|
||||
+ <para>
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>.
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+</refentry>
|
||||
diff -up shadow-4.6/man/Makefile.am.getsubids shadow-4.6/man/Makefile.am
|
||||
--- shadow-4.6/man/Makefile.am.getsubids 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/Makefile.am 2021-12-09 10:40:50.730275761 +0100
|
||||
@@ -59,6 +59,7 @@ man_MANS += $(man_nopam)
|
||||
endif
|
||||
|
||||
man_subids = \
|
||||
+ man1/getsubids.1 \
|
||||
man1/newgidmap.1 \
|
||||
man1/newuidmap.1 \
|
||||
man5/subgid.5 \
|
||||
@@ -77,6 +78,7 @@ man_XMANS = \
|
||||
expiry.1.xml \
|
||||
faillog.5.xml \
|
||||
faillog.8.xml \
|
||||
+ getsubids.1.xml \
|
||||
gpasswd.1.xml \
|
||||
groupadd.8.xml \
|
||||
groupdel.8.xml \
|
||||
diff -up shadow-4.6/src/getsubids.c.getsubids shadow-4.6/src/getsubids.c
|
||||
--- shadow-4.6/src/getsubids.c.getsubids 2021-12-09 10:40:50.730275761 +0100
|
||||
+++ shadow-4.6/src/getsubids.c 2021-12-09 10:40:50.730275761 +0100
|
||||
@@ -0,0 +1,46 @@
|
||||
+#include <stdio.h>
|
||||
+#include <string.h>
|
||||
+#include <stdlib.h>
|
||||
+#include "subid.h"
|
||||
+#include "prototypes.h"
|
||||
+
|
||||
+const char *Prog;
|
||||
+FILE *shadow_logfd = NULL;
|
||||
+
|
||||
+void usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "Usage: %s [-g] user\n", Prog);
|
||||
+ fprintf(stderr, " list subuid ranges for user\n");
|
||||
+ fprintf(stderr, " pass -g to list subgid ranges\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+}
|
||||
+
|
||||
+int main(int argc, char *argv[])
|
||||
+{
|
||||
+ int i, count=0;
|
||||
+ struct subid_range *ranges;
|
||||
+ const char *owner;
|
||||
+
|
||||
+ Prog = Basename (argv[0]);
|
||||
+ shadow_logfd = stderr;
|
||||
+ if (argc < 2)
|
||||
+ usage();
|
||||
+ owner = argv[1];
|
||||
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
|
||||
+ owner = argv[2];
|
||||
+ count = get_subgid_ranges(owner, &ranges);
|
||||
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
|
||||
+ usage();
|
||||
+ } else {
|
||||
+ count = get_subuid_ranges(owner, &ranges);
|
||||
+ }
|
||||
+ if (!ranges) {
|
||||
+ fprintf(stderr, "Error fetching ranges\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ for (i = 0; i < count; i++) {
|
||||
+ printf("%d: %s %lu %lu\n", i, owner,
|
||||
+ ranges[i].start, ranges[i].count);
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
diff -up shadow-4.6/src/Makefile.am.getsubids shadow-4.6/src/Makefile.am
|
||||
--- shadow-4.6/src/Makefile.am.getsubids 2021-12-09 10:40:50.710275627 +0100
|
||||
+++ shadow-4.6/src/Makefile.am 2021-12-09 10:45:04.465985510 +0100
|
||||
@@ -140,8 +140,8 @@ if WITH_TCB
|
||||
endif
|
||||
|
||||
if ENABLE_SUBIDS
|
||||
-noinst_PROGRAMS += list_subid_ranges \
|
||||
- get_subid_owners \
|
||||
+bin_PROGRAMS += getsubids
|
||||
+noinst_PROGRAMS += get_subid_owners \
|
||||
new_subid_range \
|
||||
free_subid_range \
|
||||
check_subid_range
|
||||
@@ -156,13 +156,13 @@ MISCLIBS = \
|
||||
$(LIBCRYPT) \
|
||||
$(LIBTCB)
|
||||
|
||||
-list_subid_ranges_LDADD = \
|
||||
+getsubids_LDADD = \
|
||||
$(top_builddir)/lib/libshadow.la \
|
||||
$(top_builddir)/libmisc/libmisc.la \
|
||||
$(top_builddir)/libsubid/libsubid.la \
|
||||
$(MISCLIBS) -ldl
|
||||
|
||||
-list_subid_ranges_CPPFLAGS = \
|
||||
+getsubids_CPPFLAGS = \
|
||||
-I$(top_srcdir)/lib \
|
||||
-I$(top_srcdir)/libmisc \
|
||||
-I$(top_srcdir)/libsubid
|
@ -1,104 +0,0 @@
|
||||
diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c
|
||||
--- shadow-4.6/libmisc/chkname.c.goodname 2020-10-23 12:50:47.202529031 +0200
|
||||
+++ shadow-4.6/libmisc/chkname.c 2020-10-23 12:54:54.604692559 +0200
|
||||
@@ -49,25 +49,44 @@
|
||||
static bool is_valid_name (const char *name)
|
||||
{
|
||||
/*
|
||||
- * User/group names must match [a-z_][a-z0-9_-]*[$]
|
||||
- */
|
||||
- if (('\0' == *name) ||
|
||||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
|
||||
+ * User/group names must match gnu e-regex:
|
||||
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
|
||||
+ *
|
||||
+ * as a non-POSIX, extension, allow "$" as the last char for
|
||||
+ * sake of Samba 3.x "add machine script"
|
||||
+ *
|
||||
+ * Also do not allow fully numeric names or just "." or "..".
|
||||
+ */
|
||||
+ int numeric;
|
||||
+
|
||||
+ if ('\0' == *name ||
|
||||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
|
||||
+ '\0' == name[1])) ||
|
||||
+ !((*name >= 'a' && *name <= 'z') ||
|
||||
+ (*name >= 'A' && *name <= 'Z') ||
|
||||
+ (*name >= '0' && *name <= '9') ||
|
||||
+ *name == '_' ||
|
||||
+ *name == '.')) {
|
||||
return false;
|
||||
}
|
||||
|
||||
+ numeric = isdigit(*name);
|
||||
+
|
||||
while ('\0' != *++name) {
|
||||
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
|
||||
- ( ('0' <= *name) && ('9' >= *name) ) ||
|
||||
- ('_' == *name) ||
|
||||
- ('-' == *name) ||
|
||||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
|
||||
+ if (!((*name >= 'a' && *name <= 'z') ||
|
||||
+ (*name >= 'A' && *name <= 'Z') ||
|
||||
+ (*name >= '0' && *name <= '9') ||
|
||||
+ *name == '_' ||
|
||||
+ *name == '.' ||
|
||||
+ *name == '-' ||
|
||||
+ (*name == '$' && name[1] == '\0')
|
||||
)) {
|
||||
return false;
|
||||
}
|
||||
+ numeric &= isdigit(*name);
|
||||
}
|
||||
|
||||
- return true;
|
||||
+ return !numeric;
|
||||
}
|
||||
|
||||
bool is_valid_user_name (const char *name)
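Review bot: The new header comment promises a `{0,30}` length bound, but `is_valid_name` checks no length at all — and the man page hunks in this same patch say `*` and separately cap names at 32 characters — so either state that the length limit is enforced by the callers or drop the quantifier from the comment. The `isdigit` calls are safe only because the preceding character tests already restrict `*name` to ASCII; a why-comment such as `/* *name is known ASCII here, so isdigit() is safe on a possibly signed char */` stops the next reader from "fixing" it, and `<ctype.h>` must be included, which is not visible in the hunk.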
|
||||
diff -up shadow-4.6/man/groupadd.8.xml.goodname shadow-4.6/man/groupadd.8.xml
|
||||
--- shadow-4.6/man/groupadd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/groupadd.8.xml 2020-10-23 12:50:47.202529031 +0200
|
||||
@@ -273,10 +273,14 @@
|
||||
<refsect1 id='caveats'>
|
||||
<title>CAVEATS</title>
|
||||
<para>
|
||||
- Groupnames must start with a lower case letter or an underscore,
|
||||
- followed by lower case letters, digits, underscores, or dashes.
|
||||
- They can end with a dollar sign.
|
||||
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||
+ Groupnames may begin with lower and upper case letters, digits,
|
||||
+ underscores, or periods. They may continue with all the aforementioned
|
||||
+ characters, or dashes. Finally, they can end with a dollar sign.
|
||||
+
|
||||
+ Fully numeric groupnames and groupnames containing only . or .. are
|
||||
+ disallowed.
|
||||
+
|
||||
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
|
||||
</para>
|
||||
<para>
|
||||
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
||||
diff -up shadow-4.6/man/useradd.8.xml.goodname shadow-4.6/man/useradd.8.xml
|
||||
--- shadow-4.6/man/useradd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/useradd.8.xml 2020-10-23 12:50:47.202529031 +0200
|
||||
@@ -650,10 +650,16 @@
|
||||
</para>
|
||||
|
||||
<para>
|
||||
- Usernames must start with a lower case letter or an underscore,
|
||||
- followed by lower case letters, digits, underscores, or dashes.
|
||||
- They can end with a dollar sign.
|
||||
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||
+ Usernames may begin with lower and upper case letters, digits,
|
||||
+ underscores, or periods. They may continue with all the aforementioned
|
||||
+ characters, or dashes. Finally, they can end with a dollar sign.
|
||||
+
|
||||
+ Fully numeric usernames and usernames containing only . or .. are
|
||||
+ disallowed. It is not recommended to use usernames beginning
|
||||
+ with . character as their home directories will be hidden in
|
||||
+ the <command>ls</command> output.
|
||||
+
|
||||
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
|
||||
</para>
|
||||
<para>
|
||||
Usernames may only be up to 32 characters long.
|
@ -1,11 +0,0 @@
|
||||
diff -up shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak shadow-4.9/src/gpasswd.c
|
||||
--- shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak 2023-07-12 09:38:32.062546006 +0200
|
||||
+++ shadow-4.9/src/gpasswd.c 2023-07-12 09:42:33.194154548 +0200
|
||||
@@ -857,6 +857,7 @@ static void change_passwd (struct group
|
||||
strzero (cp);
|
||||
cp = getpass (_("Re-enter new password: "));
|
||||
if (NULL == cp) {
|
||||
+ memzero (pass, sizeof pass);
|
||||
exit (1);
|
||||
}
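Review bot: Wiping `pass` before `exit (1)` is right, but it only holds if `memzero` is not a plain `memset` wrapper — a store immediately followed by process exit is exactly the dead store compilers elide, so confirm it uses a volatile loop, `explicit_bzero` or an equivalent. The first `getpass` call in this function is outside the hunk; if it has the same `NULL` path it needs the same wipe.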
|
||||
|
@ -1,13 +0,0 @@
|
||||
diff -up shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist shadow-4.9/libmisc/prefix_flag.c
|
||||
--- shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist 2021-11-19 09:21:36.997091941 +0100
|
||||
+++ shadow-4.9/libmisc/prefix_flag.c 2021-11-19 09:22:19.001341010 +0100
|
||||
@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
|
||||
if(!passwd_db_file) {
|
||||
return getpwent();
|
||||
}
|
||||
+ if (!fp_pwent) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
return fgetpwent(fp_pwent);
|
||||
}
|
||||
extern void prefix_endpwent()
|
@ -1,201 +0,0 @@
|
||||
From a847899b521b0df0665e442845bcff23407d9ea0 Mon Sep 17 00:00:00 2001
|
||||
From: Duncan Overbruck <mail@duncano.de>
|
||||
Date: Sat, 11 Jan 2020 22:19:37 +0100
|
||||
Subject: [PATCH] add new HOME_MODE login.defs(5) option
|
||||
|
||||
This option can be used to set a separate mode for useradd(8) and
|
||||
newusers(8) to create the home directories with.
|
||||
If this option is not set, the current behavior of using UMASK
|
||||
or the default umask is preserved.
|
||||
|
||||
There are many distributions that set UMASK to 077 by default just
|
||||
to create home directories not readable by others and use things like
|
||||
/etc/profile, bashrc or sudo configuration files to set a less
|
||||
restrictive
|
||||
umask. This has always resulted in bug reports because it is hard
|
||||
to follow as users tend to change files like bashrc and are not about
|
||||
setting the umask to counteract the umask set in /etc/login.defs.
|
||||
|
||||
A recent change in sudo has also resulted in many bug reports about
|
||||
this. sudo now tries to respect the umask set by pam modules and on
|
||||
systems where pam does not set a umask, the login.defs UMASK value is
|
||||
used.
|
||||
---
|
||||
etc/login.defs | 7 ++++++-
|
||||
lib/getdef.c | 1 +
|
||||
man/login.defs.5.xml | 4 ++++
|
||||
man/login.defs.d/UMASK.xml | 3 ++-
|
||||
src/newusers.c | 6 +++---
|
||||
src/useradd.c | 5 +++--
|
||||
6 files changed, 19 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/etc/login.defs b/etc/login.defs
|
||||
index cd2597dc..a2f8cd50 100644
|
||||
--- a/etc/login.defs
|
||||
+++ b/etc/login.defs
|
||||
@@ -195,12 +195,17 @@ KILLCHAR 025
|
||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||
-# home directories.
|
||||
+# home directories if HOME_MODE is not set.
|
||||
# 022 is the default value, but 027, or even 077, could be considered
|
||||
# for increased privacy. There is no One True Answer here: each sysadmin
|
||||
# must make up their mind.
|
||||
UMASK 022
|
||||
|
||||
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
+# home directories.
|
||||
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
||||
+HOME_MODE 0700
|
||||
+
|
||||
#
|
||||
# Password aging controls:
|
||||
#
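Review bot: The new block ships `HOME_MODE 0700` as an active setting, so the effective default for new home directories changes from the UMASK-derived 0755 to 0700, even though the commit message says behaviour is preserved only when the option is unset; the comment should say so for administrators who read this file alone. I would extend it: `# HOME_MODE is an absolute mode, not a mask; when set it overrides UMASK for home directories only. The 0700 below makes new home directories private by default.` Whether the value is applied as an absolute mode lives in useradd.c/newusers.c outside this hunk — confirm before wording the comment.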
|
||||
diff --git a/lib/getdef.c b/lib/getdef.c
|
||||
index bbb273f4..00f6abfe 100644
|
||||
--- a/lib/getdef.c
|
||||
+++ b/lib/getdef.c
|
||||
@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
|
||||
{"FAKE_SHELL", NULL},
|
||||
{"GID_MAX", NULL},
|
||||
{"GID_MIN", NULL},
|
||||
+ {"HOME_MODE", NULL},
|
||||
{"HUSHLOGIN_FILE", NULL},
|
||||
{"KILLCHAR", NULL},
|
||||
{"LOGIN_RETRIES", NULL},
|
||||
diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
|
||||
index ebf60ba3..9e95da20 100644
|
||||
--- a/man/login.defs.5.xml
|
||||
+++ b/man/login.defs.5.xml
|
||||
@@ -50,6 +50,7 @@
|
||||
<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
|
||||
<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
|
||||
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
|
||||
+<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
|
||||
<!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
|
||||
<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
|
||||
<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
|
||||
@@ -185,6 +186,7 @@
|
||||
&FAKE_SHELL;
|
||||
&FTMP_FILE;
|
||||
&GID_MAX; <!-- documents also GID_MIN -->
|
||||
+ &HOME_MODE;
|
||||
&HUSHLOGIN_FILE;
|
||||
&ISSUE_FILE;
|
||||
&KILLCHAR;
|
||||
@@ -401,6 +403,7 @@
|
||||
ENCRYPT_METHOD
|
||||
GID_MAX GID_MIN
|
||||
MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
|
||||
+ HOME_MODE
|
||||
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
|
||||
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
|
||||
SHA_CRYPT_MIN_ROUNDS</phrase>
|
||||
@@ -481,6 +484,7 @@
|
||||
<para>
|
||||
CREATE_HOME
|
||||
GID_MAX GID_MIN
|
||||
+ HOME_MODE
|
||||
MAIL_DIR MAX_MEMBERS_PER_GROUP
|
||||
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
|
||||
SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
|
||||
diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
|
||||
new file mode 100644
|
||||
index 00000000..21aa55f7
|
||||
--- /dev/null
|
||||
+++ b/man/login.defs.d/HOME_MODE.xml
|
||||
@@ -0,0 +1,43 @@
|
||||
+<!--
|
||||
+ Copyright (c) 1991 - 1993, Julianne Frances Haugh
|
||||
+ Copyright (c) 1991 - 1993, Chip Rosenthal
|
||||
+ Copyright (c) 2007 - 2009, Nicolas François
|
||||
+ All rights reserved.
|
||||
+
|
||||
+ Redistribution and use in source and binary forms, with or without
|
||||
+ modification, are permitted provided that the following conditions
|
||||
+ are met:
|
||||
+ 1. Redistributions of source code must retain the above copyright
|
||||
+ notice, this list of conditions and the following disclaimer.
|
||||
+ 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ notice, this list of conditions and the following disclaimer in the
|
||||
+ documentation and/or other materials provided with the distribution.
|
||||
+ 3. The name of the copyright holders or contributors may not be used to
|
||||
+ endorse or promote products derived from this software without
|
||||
+ specific prior written permission.
|
||||
+
|
||||
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+-->
|
||||
+<varlistentry>
|
||||
+ <term><option>HOME_MODE</option> (number)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The mode for new home directories. If not specified,
|
||||
+ the <option>UMASK</option> is used to create the mode.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ <command>useradd</command> and <command>newusers</command> use this
|
||||
+ to set the mode of the home directory they create.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+</varlistentry>
|
||||
diff --git a/man/login.defs.d/UMASK.xml b/man/login.defs.d/UMASK.xml
|
||||
index d7b71a5e..0f061dbb 100644
|
||||
--- a/man/login.defs.d/UMASK.xml
|
||||
+++ b/man/login.defs.d/UMASK.xml
|
||||
@@ -37,7 +37,8 @@
|
||||
</para>
|
||||
<para>
|
||||
<command>useradd</command> and <command>newusers</command> use this
|
||||
- mask to set the mode of the home directory they create
|
||||
+ mask to set the mode of the home directory they create if
|
||||
+ <option>HOME_MODE</option> is not set.
|
||||
</para>
|
||||
<para condition="no_pam">
|
||||
It is also used by <command>login</command> to define users' initial
|
||||
diff --git a/src/newusers.c b/src/newusers.c
|
||||
index 99c69f78..e9fe0e27 100644
|
||||
--- a/src/newusers.c
|
||||
+++ b/src/newusers.c
|
||||
@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
|
||||
if ( ('\0' != fields[5][0])
|
||||
&& (access (newpw.pw_dir, F_OK) != 0)) {
|
||||
/* FIXME: should check for directory */
|
||||
- mode_t msk = 0777 & ~getdef_num ("UMASK",
|
||||
- GETDEF_DEFAULT_UMASK);
|
||||
- if (mkdir (newpw.pw_dir, msk) != 0) {
|
||||
+ mode_t mode = getdef_num ("HOME_MODE",
|
||||
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
|
||||
+ if (mkdir (newpw.pw_dir, mode) != 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: line %d: mkdir %s failed: %s\n"),
|
||||
Prog, line, newpw.pw_dir,
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index 4af0f7c6..8b453e3c 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -2152,8 +2152,9 @@ static void create_home (void)
|
||||
fail_exit (E_HOMEDIR);
|
||||
}
|
||||
(void) chown (prefix_user_home, user_id, user_gid);
|
||||
- chmod (prefix_user_home,
|
||||
- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
|
||||
+ mode_t mode = getdef_num ("HOME_MODE",
|
||||
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
|
||||
+ chmod (prefix_user_home, mode);
|
||||
home_added = true;
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_USER_MGMT, Prog,
|
||||
--
|
||||
2.25.2
|
||||
|
@ -1,11 +0,0 @@
|
||||
diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
|
||||
--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
|
||||
@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
|
||||
{"KILLCHAR", NULL},
|
||||
{"LOGIN_RETRIES", NULL},
|
||||
{"LOGIN_TIMEOUT", NULL},
|
||||
+ {"LOGIN_PLAIN_PROMPT", NULL},
|
||||
{"LOG_OK_LOGINS", NULL},
|
||||
{"LOG_UNKFAIL_ENAB", NULL},
|
||||
{"MAIL_DIR", NULL},
|
@ -1,28 +0,0 @@
|
||||
From 77e39de1e6cbd6925f16bb260abb7d216296886b Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Tue, 4 May 2021 09:21:11 -0500
|
||||
Subject: [PATCH] Install subid.h
|
||||
|
||||
Now subid.h gets installed under /usr/include/shadow/subid.h
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
---
|
||||
libsubid/Makefile.am | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
|
||||
index f543b5eb..189165b0 100644
|
||||
--- a/libsubid/Makefile.am
|
||||
+++ b/libsubid/Makefile.am
|
||||
@@ -3,6 +3,8 @@ libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
|
||||
-shared -version-info @LIBSUBID_ABI_MAJOR@
|
||||
libsubid_la_SOURCES = api.c
|
||||
|
||||
+pkginclude_HEADERS = subid.h
|
||||
+
|
||||
MISCLIBS = \
|
||||
$(LIBAUDIT) \
|
||||
$(LIBSELINUX) \
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,151 +0,0 @@
|
||||
diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
|
||||
--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.772741048 +0200
|
||||
+++ shadow-4.8.1/lib/nss.c 2021-05-25 09:37:14.782741188 +0200
|
||||
@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
|
||||
subid_nss = NULL;
|
||||
goto done;
|
||||
}
|
||||
- subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
|
||||
- if (!subid_nss->has_any_range) {
|
||||
- fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
|
||||
- dlclose(h);
|
||||
- free(subid_nss);
|
||||
- subid_nss = NULL;
|
||||
- goto done;
|
||||
- }
|
||||
subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
|
||||
if (!subid_nss->find_subid_owners) {
|
||||
fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
|
||||
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
|
||||
--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
|
||||
+++ shadow-4.8.1/lib/prototypes.h 2021-05-25 09:37:14.782741188 +0200
|
||||
@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
|
||||
|
||||
struct subid_nss_ops {
|
||||
/*
|
||||
- * nss_has_any_range: does a user own any subid range
|
||||
- *
|
||||
- * @owner: username
|
||||
- * @idtype: subuid or subgid
|
||||
- * @result: true if a subid allocation was found for @owner
|
||||
- *
|
||||
- * returns success if the module was able to determine an answer (true or false),
|
||||
- * else an error status.
|
||||
- */
|
||||
- enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
|
||||
-
|
||||
- /*
|
||||
* nss_has_range: does a user own a given subid range
|
||||
*
|
||||
* @owner: username
|
||||
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
|
||||
--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
|
||||
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-25 09:37:14.782741188 +0200
|
||||
@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
|
||||
return commonio_open (&subordinate_uid_db, mode);
|
||||
}
|
||||
|
||||
-bool sub_uid_assigned(const char *owner)
|
||||
+bool local_sub_uid_assigned(const char *owner)
|
||||
{
|
||||
- struct subid_nss_ops *h;
|
||||
- bool found;
|
||||
- enum subid_status status;
|
||||
- h = get_subid_nss_handle();
|
||||
- if (h) {
|
||||
- status = h->has_any_range(owner, ID_TYPE_UID, &found);
|
||||
- if (status == SUBID_STATUS_SUCCESS && found)
|
||||
- return true;
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
return range_exists (&subordinate_uid_db, owner);
|
||||
}
|
||||
|
||||
@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
|
||||
return have_range(&subordinate_gid_db, owner, start, count);
|
||||
}
|
||||
|
||||
-bool sub_gid_assigned(const char *owner)
|
||||
+bool local_sub_gid_assigned(const char *owner)
|
||||
{
|
||||
- struct subid_nss_ops *h;
|
||||
- bool found;
|
||||
- enum subid_status status;
|
||||
- h = get_subid_nss_handle();
|
||||
- if (h) {
|
||||
- status = h->has_any_range(owner, ID_TYPE_GID, &found);
|
||||
- if (status == SUBID_STATUS_SUCCESS && found)
|
||||
- return true;
|
||||
- return false;
|
||||
- }
|
||||
return range_exists (&subordinate_gid_db, owner);
|
||||
}
|
||||
|
||||
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
|
||||
--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
|
||||
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-25 09:37:14.782741188 +0200
|
||||
@@ -16,7 +16,7 @@
|
||||
extern int sub_uid_close(void);
|
||||
extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
|
||||
extern bool sub_uid_file_present (void);
|
||||
-extern bool sub_uid_assigned(const char *owner);
|
||||
+extern bool local_sub_uid_assigned(const char *owner);
|
||||
extern int sub_uid_lock (void);
|
||||
extern int sub_uid_setdbname (const char *filename);
|
||||
extern /*@observer@*/const char *sub_uid_dbname (void);
|
||||
@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
|
||||
extern int sub_gid_close(void);
|
||||
extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
|
||||
extern bool sub_gid_file_present (void);
|
||||
-extern bool sub_gid_assigned(const char *owner);
|
||||
+extern bool local_sub_gid_assigned(const char *owner);
|
||||
extern int sub_gid_lock (void);
|
||||
extern int sub_gid_setdbname (const char *filename);
|
||||
extern /*@observer@*/const char *sub_gid_dbname (void);
|
||||
diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
|
||||
--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.776741104 +0200
|
||||
+++ shadow-4.8.1/src/newusers.c 2021-05-25 09:37:25.955897160 +0200
|
||||
@@ -1021,6 +1021,24 @@ static void close_files (void)
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
}
|
||||
|
||||
+static bool want_subuids(void)
|
||||
+{
|
||||
+ if (get_subid_nss_handle() != NULL)
|
||||
+ return false;
|
||||
+ if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
|
||||
+ return false;
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+static bool want_subgids(void)
|
||||
+{
|
||||
+ if (get_subid_nss_handle() != NULL)
|
||||
+ return false;
|
||||
+ if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
|
||||
+ return false;
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
int main (int argc, char **argv)
|
||||
{
|
||||
char buf[BUFSIZ];
|
||||
@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
|
||||
/*
|
||||
* Add subordinate uids if the user does not have them.
|
||||
*/
|
||||
- if (is_sub_uid && !sub_uid_assigned(fields[0])) {
|
||||
+ if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
|
||||
uid_t sub_uid_start = 0;
|
||||
unsigned long sub_uid_count = 0;
|
||||
if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
|
||||
@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
|
||||
/*
|
||||
* Add subordinate gids if the user does not have them.
|
||||
*/
|
||||
- if (is_sub_gid && !sub_gid_assigned(fields[0])) {
|
||||
+ if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
|
||||
gid_t sub_gid_start = 0;
|
||||
unsigned long sub_gid_count = 0;
|
||||
if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {
|
@ -1,40 +0,0 @@
|
||||
From b0e86b959fe5c086ffb5e7eaf3c1b1e9219411e9 Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Sun, 23 May 2021 08:03:10 -0500
|
||||
Subject: [PATCH] libsubid_init: don't print messages on error
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
---
|
||||
libsubid/api.c | 7 ++-----
|
||||
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/libsubid/api.c b/libsubid/api.c
|
||||
index c4848142..b477b271 100644
|
||||
--- a/libsubid/api.c
|
||||
+++ b/libsubid/api.c
|
||||
@@ -46,12 +46,10 @@ bool libsubid_init(const char *progname, FILE * logfd)
|
||||
{
|
||||
if (progname) {
|
||||
progname = strdup(progname);
|
||||
- if (progname) {
|
||||
+ if (progname)
|
||||
Prog = progname;
|
||||
- } else {
|
||||
- fprintf(stderr, "Out of memory");
|
||||
+ else
|
||||
return false;
|
||||
- }
|
||||
}
|
||||
|
||||
if (logfd) {
|
||||
@@ -60,7 +58,6 @@ bool libsubid_init(const char *progname, FILE * logfd)
|
||||
}
|
||||
shadow_logfd = fopen("/dev/null", "w");
|
||||
if (!shadow_logfd) {
|
||||
- fprintf(stderr, "ERROR opening /dev/null for error messages. Using stderr.");
|
||||
shadow_logfd = stderr;
|
||||
return false;
|
||||
}
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,37 +0,0 @@
|
||||
From e34f49c1966fcaa9390a544a0136ec189a3c870e Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Mon, 17 May 2021 08:48:03 -0500
|
||||
Subject: [PATCH] libsubid_init: return false if out of memory
|
||||
|
||||
The rest of the run isn't likely to get much better, is it?
|
||||
|
||||
Thanks to Alexey for pointing this out.
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
Cc: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
libsubid/api.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libsubid/api.c b/libsubid/api.c
|
||||
index 8ca09859..8618e500 100644
|
||||
--- a/libsubid/api.c
|
||||
+++ b/libsubid/api.c
|
||||
@@ -46,10 +46,12 @@ bool libsubid_init(const char *progname, FILE * logfd)
|
||||
{
|
||||
if (progname) {
|
||||
progname = strdup(progname);
|
||||
- if (progname)
|
||||
+ if (progname) {
|
||||
Prog = progname;
|
||||
- else
|
||||
+ } else {
|
||||
fprintf(stderr, "Out of memory");
|
||||
+ return false;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (logfd) {
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 1d767fb779d7b203ad609540d1dc605cf62d1050 Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Fri, 28 May 2021 22:02:16 -0500
|
||||
Subject: [PATCH] libsubid/api.c: make shadow_logfd not extern
|
||||
|
||||
Closes #346
|
||||
|
||||
Also #include stdio.h
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
---
|
||||
libsubid/api.c | 2 +-
|
||||
libsubid/subid.h | 1 +
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libsubid/api.c b/libsubid/api.c
|
||||
index b477b271..a7b904d0 100644
|
||||
--- a/libsubid/api.c
|
||||
+++ b/libsubid/api.c
|
||||
@@ -40,7 +40,7 @@
|
||||
#include "subid.h"
|
||||
|
||||
const char *Prog = "(libsubid)";
|
||||
-extern FILE * shadow_logfd;
|
||||
+FILE *shadow_logfd;
|
||||
|
||||
bool libsubid_init(const char *progname, FILE * logfd)
|
||||
{
|
||||
diff --git a/libsubid/subid.h b/libsubid/subid.h
|
||||
index 5fef2572..eabafe4d 100644
|
||||
--- a/libsubid/subid.h
|
||||
+++ b/libsubid/subid.h
|
||||
@@ -1,4 +1,5 @@
|
||||
#include <sys/types.h>
|
||||
+#include <stdio.h>
|
||||
#include <stdbool.h>
|
||||
|
||||
#ifndef SUBID_RANGE_DEFINED
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,264 +0,0 @@
|
||||
diff -up shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable shadow-4.8.1/configure.ac
|
||||
--- shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.165917066 +0200
|
||||
+++ shadow-4.8.1/configure.ac 2021-05-24 15:02:56.184917324 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
dnl Process this file with autoconf to produce a configure script.
|
||||
AC_PREREQ([2.69])
|
||||
-m4_define([libsubid_abi_major], 2)
|
||||
+m4_define([libsubid_abi_major], 3)
|
||||
m4_define([libsubid_abi_minor], 0)
|
||||
m4_define([libsubid_abi_micro], 0)
|
||||
m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
|
||||
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/prototypes.h
|
||||
--- shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.184917324 +0200
|
||||
+++ shadow-4.8.1/lib/prototypes.h 2021-05-24 16:38:57.610619467 +0200
|
||||
@@ -309,16 +309,15 @@ struct subid_nss_ops {
|
||||
*
|
||||
* @owner - string representing username being queried
|
||||
* @id_type - subuid or subgid
|
||||
- * @ranges - pointer to an array of struct subordinate_range pointers, or
|
||||
- * NULL. The returned array of struct subordinate_range and its
|
||||
- * members must be freed by the caller.
|
||||
+ * @ranges - pointer to an array of struct subid_range, or NULL. The
|
||||
+ * returned array must be freed by the caller.
|
||||
* @count - pointer to an integer into which the number of returned ranges
|
||||
* is written.
|
||||
|
||||
* returns success if the module was able to determine an answer,
|
||||
* else an error status.
|
||||
*/
|
||||
- enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
|
||||
+ enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
|
||||
|
||||
/*
|
||||
* nss_find_subid_owners: find uids who own a given subuid or subgid.
|
||||
diff -up shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/api.c
|
||||
--- shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
|
||||
+++ shadow-4.8.1/libsubid/api.c 2021-05-24 16:42:32.091584531 +0200
|
||||
@@ -68,26 +68,21 @@ bool libsubid_init(const char *progname,
|
||||
}
|
||||
|
||||
static
|
||||
-int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
|
||||
+int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
|
||||
{
|
||||
return list_owner_ranges(owner, id_type, ranges);
|
||||
}
|
||||
|
||||
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)
|
||||
+int get_subuid_ranges(const char *owner, struct subid_range **ranges)
|
||||
{
|
||||
return get_subid_ranges(owner, ID_TYPE_UID, ranges);
|
||||
}
|
||||
|
||||
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)
|
||||
+int get_subgid_ranges(const char *owner, struct subid_range **ranges)
|
||||
{
|
||||
return get_subid_ranges(owner, ID_TYPE_GID, ranges);
|
||||
}
|
||||
|
||||
-void subid_free_ranges(struct subordinate_range **ranges, int count)
|
||||
-{
|
||||
- return free_subordinate_ranges(ranges, count);
|
||||
-}
|
||||
-
|
||||
static
|
||||
int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
|
||||
{
|
||||
diff -up shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/subid.h
|
||||
--- shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
|
||||
+++ shadow-4.8.1/libsubid/subid.h 2021-05-24 16:43:49.697657383 +0200
|
||||
@@ -3,6 +3,15 @@
|
||||
|
||||
#ifndef SUBID_RANGE_DEFINED
|
||||
#define SUBID_RANGE_DEFINED 1
|
||||
+
|
||||
+/* subid_range is just a starting point and size of a range */
|
||||
+struct subid_range {
|
||||
+ unsigned long start;
|
||||
+ unsigned long count;
|
||||
+};
|
||||
+
|
||||
+/* subordinage_range is a subid_range plus an owner, representing
|
||||
+ * a range in /etc/subuid or /etc/subgid */
|
||||
struct subordinate_range {
|
||||
const char *owner;
|
||||
unsigned long start;
|
||||
@@ -41,32 +50,27 @@ bool libsubid_init(const char *progname,
|
||||
* get_subuid_ranges: return a list of UID ranges for a user
|
||||
*
|
||||
* @owner: username being queried
|
||||
- * @ranges: a pointer to a subordinate range ** in which the result will be
|
||||
- * returned.
|
||||
+ * @ranges: a pointer to an array of subid_range structs in which the result
|
||||
+ * will be returned.
|
||||
+ *
|
||||
+ * The caller must free(ranges) when done.
|
||||
*
|
||||
* returns: number of ranges found, ir < 0 on error.
|
||||
*/
|
||||
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);
|
||||
+int get_subuid_ranges(const char *owner, struct subid_range **ranges);
|
||||
|
||||
/*
|
||||
* get_subgid_ranges: return a list of GID ranges for a user
|
||||
*
|
||||
* @owner: username being queried
|
||||
- * @ranges: a pointer to a subordinate range ** in which the result will be
|
||||
- * returned.
|
||||
+ * @ranges: a pointer to an array of subid_range structs in which the result
|
||||
+ * will be returned.
|
||||
*
|
||||
- * returns: number of ranges found, ir < 0 on error.
|
||||
- */
|
||||
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);
|
||||
-
|
||||
-/*
|
||||
- * subid_free_ranges: free an array of subordinate_ranges returned by either
|
||||
- * get_subuid_ranges() or get_subgid_ranges().
|
||||
+ * The caller must free(ranges) when done.
|
||||
*
|
||||
- * @ranges: the ranges to free
|
||||
- * @count: the number of ranges in @ranges
|
||||
+ * returns: number of ranges found, ir < 0 on error.
|
||||
*/
|
||||
-void subid_free_ranges(struct subordinate_range **ranges, int count);
|
||||
+int get_subgid_ranges(const char *owner, struct subid_range **ranges);
|
||||
|
||||
/*
|
||||
* get_subuid_owners: return a list of uids to which the given uid has been
|
||||
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid-simplify shadow-4.8.1/lib/subordinateio.c
|
||||
--- shadow-4.8.1/lib/subordinateio.c.libsubid-simplify 2021-05-24 17:27:38.721035241 +0200
|
||||
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-24 17:28:06.481420946 +0200
|
||||
@@ -11,6 +11,7 @@
|
||||
#include <stdio.h>
|
||||
#include "commonio.h"
|
||||
#include "subordinateio.h"
|
||||
+#include "../libsubid/subid.h"
|
||||
#include <sys/types.h>
|
||||
#include <pwd.h>
|
||||
#include <ctype.h>
|
||||
@@ -308,25 +309,21 @@ static bool have_range(struct commonio_d
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool append_range(struct subordinate_range ***ranges, const struct subordinate_range *new, int n)
|
||||
+static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
|
||||
{
|
||||
- struct subordinate_range *tmp;
|
||||
if (!*ranges) {
|
||||
- *ranges = malloc(sizeof(struct subordinate_range *));
|
||||
+ *ranges = malloc(sizeof(struct subid_range));
|
||||
if (!*ranges)
|
||||
return false;
|
||||
} else {
|
||||
- struct subordinate_range **new;
|
||||
- new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));
|
||||
- if (!new)
|
||||
+ struct subid_range *alloced;
|
||||
+ alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
|
||||
+ if (!alloced)
|
||||
return false;
|
||||
- *ranges = new;
|
||||
+ *ranges = alloced;
|
||||
}
|
||||
- (*ranges)[n] = NULL;
|
||||
- tmp = subordinate_dup(new);
|
||||
- if (!tmp)
|
||||
- return false;
|
||||
- (*ranges)[n] = tmp;
|
||||
+ (*ranges)[n].start = new->start;
|
||||
+ (*ranges)[n].count = new->count;
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -785,10 +782,10 @@ gid_t sub_gid_find_free_range(gid_t min,
|
||||
*
|
||||
* The caller must free the subordinate range list.
|
||||
*/
|
||||
-int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***in_ranges)
|
||||
+int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
|
||||
{
|
||||
// TODO - need to handle owner being either uid or username
|
||||
- struct subordinate_range **ranges = NULL;
|
||||
+ struct subid_range *ranges = NULL;
|
||||
const struct subordinate_range *range;
|
||||
struct commonio_db *db;
|
||||
enum subid_status status;
|
||||
@@ -826,7 +823,7 @@ int list_owner_ranges(const char *owner,
|
||||
while ((range = commonio_next(db)) != NULL) {
|
||||
if (0 == strcmp(range->owner, owner)) {
|
||||
if (!append_range(&ranges, range, count++)) {
|
||||
- free_subordinate_ranges(ranges, count-1);
|
||||
+ free(ranges);
|
||||
ranges = NULL;
|
||||
count = -1;
|
||||
goto out;
|
||||
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/subordinateio.h
|
||||
--- shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
|
||||
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-24 16:40:56.978269647 +0200
|
||||
@@ -25,7 +25,7 @@ extern int sub_uid_unlock (void);
|
||||
extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
|
||||
extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
|
||||
extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
|
||||
-extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges);
|
||||
+extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
|
||||
extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
|
||||
extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
|
||||
extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
|
||||
diff -up shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable shadow-4.8.1/src/list_subid_ranges.c
|
||||
--- shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
|
||||
+++ shadow-4.8.1/src/list_subid_ranges.c 2021-05-24 16:45:10.884779740 +0200
|
||||
@@ -17,27 +17,29 @@ void usage(void)
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int i, count=0;
|
||||
- struct subordinate_range **ranges;
|
||||
+ struct subid_range *ranges;
|
||||
+ const char *owner;
|
||||
|
||||
Prog = Basename (argv[0]);
|
||||
shadow_logfd = stderr;
|
||||
- if (argc < 2) {
|
||||
+ if (argc < 2)
|
||||
usage();
|
||||
- }
|
||||
- if (argc == 3 && strcmp(argv[1], "-g") == 0)
|
||||
- count = get_subgid_ranges(argv[2], &ranges);
|
||||
- else if (argc == 2 && strcmp(argv[1], "-h") == 0)
|
||||
+ owner = argv[1];
|
||||
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
|
||||
+ owner = argv[2];
|
||||
+ count = get_subgid_ranges(owner, &ranges);
|
||||
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
|
||||
usage();
|
||||
- else
|
||||
- count = get_subuid_ranges(argv[1], &ranges);
|
||||
+ } else {
|
||||
+ count = get_subuid_ranges(owner, &ranges);
|
||||
+ }
|
||||
if (!ranges) {
|
||||
fprintf(stderr, "Error fetching ranges\n");
|
||||
exit(1);
|
||||
}
|
||||
for (i = 0; i < count; i++) {
|
||||
- printf("%d: %s %lu %lu\n", i, ranges[i]->owner,
|
||||
- ranges[i]->start, ranges[i]->count);
|
||||
+ printf("%d: %s %lu %lu\n", i, owner,
|
||||
+ ranges[i].start, ranges[i].count);
|
||||
}
|
||||
- subid_free_ranges(ranges, count);
|
||||
return 0;
|
||||
}
|
||||
diff -up shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c
|
||||
--- shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.166917079 +0200
|
||||
+++ shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c 2021-05-24 15:03:01.469989106 +0200
|
||||
@@ -113,7 +113,7 @@ enum subid_status shadow_subid_list_owne
|
||||
if (strcmp(owner, "conn") == 0)
|
||||
return SUBID_STATUS_ERROR_CONN;
|
||||
|
||||
- *ranges = NULL;
|
||||
+ *in_ranges = NULL;
|
||||
if (strcmp(owner, "user1") != 0 && strcmp(owner, "ubuntu") != 0 &&
|
||||
strcmp(owner, "group1") != 0)
|
||||
return SUBID_STATUS_SUCCESS;
|
@ -1,44 +0,0 @@
|
||||
From 186b1b7ac1a68d0fcc618a22da1a99232b420911 Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Tue, 4 May 2021 14:39:26 -0500
|
||||
Subject: [PATCH] manpages: mention NSS in new[ug]idmap manpages
|
||||
|
||||
Closes #328
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
---
|
||||
man/newgidmap.1.xml | 3 ++-
|
||||
man/newuidmap.1.xml | 3 ++-
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
|
||||
index 71b03e56..76fc1e30 100644
|
||||
--- a/man/newgidmap.1.xml
|
||||
+++ b/man/newgidmap.1.xml
|
||||
@@ -88,7 +88,8 @@
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
|
||||
- command line arguments and the gids allowed in <filename>/etc/subgid</filename>.
|
||||
+ command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
|
||||
+ through the configured NSS subid module).
|
||||
Note that the root user is not exempted from the requirement for a valid
|
||||
<filename>/etc/subgid</filename> entry.
|
||||
</para>
|
||||
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
|
||||
index a6f1f085..44eca50a 100644
|
||||
--- a/man/newuidmap.1.xml
|
||||
+++ b/man/newuidmap.1.xml
|
||||
@@ -88,7 +88,8 @@
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
|
||||
- command line arguments and the uids allowed in <filename>/etc/subuid</filename>.
|
||||
+ command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
|
||||
+ through the configured NSS subid module).
|
||||
Note that the root user is not exempted from the requirement for a valid
|
||||
<filename>/etc/subuid</filename> entry.
|
||||
</para>
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,166 +0,0 @@
|
||||
diff -up shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newgidmap.1.xml
|
||||
--- shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
|
||||
+++ shadow-4.6/man/newgidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
|
||||
@@ -80,10 +80,15 @@
|
||||
<refsect1 id='description'>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
- The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
|
||||
- command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
|
||||
- through the configured NSS subid module).
|
||||
- Note that the root user is not exempted from the requirement for a valid
|
||||
+ The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
|
||||
+ based on its command line arguments and the gids allowed. Subgid
|
||||
+ delegation can either be managed via <filename>/etc/subgid</filename>
|
||||
+ or through the configured NSS subid module. These options are mutually
|
||||
+ exclusive.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ Note that the root group is not exempted from the requirement for a valid
|
||||
<filename>/etc/subgid</filename> entry.
|
||||
</para>
|
||||
|
||||
diff -up shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newuidmap.1.xml
|
||||
--- shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
|
||||
+++ shadow-4.6/man/newuidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
|
||||
@@ -80,9 +80,14 @@
|
||||
<refsect1 id='description'>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
- The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
|
||||
- command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
|
||||
- through the configured NSS subid module).
|
||||
+ The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
|
||||
+ based on its command line arguments and the uids allowed. Subuid
|
||||
+ delegation can either be managed via <filename>/etc/subuid</filename> or
|
||||
+ through the configured NSS subid module. These options are mutually
|
||||
+ exclusive.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
Note that the root user is not exempted from the requirement for a valid
|
||||
<filename>/etc/subuid</filename> entry.
|
||||
</para>
|
||||
diff -up shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subgid.5.xml
|
||||
--- shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/subgid.5.xml 2021-11-03 09:59:55.752084920 +0100
|
||||
@@ -32,6 +32,18 @@
|
||||
<!-- SHADOW-CONFIG-HERE -->
|
||||
]>
|
||||
<refentry id='subgid.5'>
|
||||
+ <refentryinfo>
|
||||
+ <author>
|
||||
+ <firstname>Eric</firstname>
|
||||
+ <surname>Biederman</surname>
|
||||
+ <contrib>Creation, 2013</contrib>
|
||||
+ </author>
|
||||
+ <author>
|
||||
+ <firstname>Iker</firstname>
|
||||
+ <surname>Pedrosa</surname>
|
||||
+ <contrib>Developer, 2021</contrib>
|
||||
+ </author>
|
||||
+ </refentryinfo>
|
||||
<refmeta>
|
||||
<refentrytitle>subgid</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
@@ -41,12 +53,37 @@
|
||||
</refmeta>
|
||||
<refnamediv id='name'>
|
||||
<refname>subgid</refname>
|
||||
- <refpurpose>the subordinate gid file</refpurpose>
|
||||
+ <refpurpose>the configuration for subordinate group ids</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsect1 id='description'>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
+ Subgid authorizes a group id to map ranges of group ids from its namespace
|
||||
+ into child namespaces.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The delegation of the subordinate gids can be configured via the
|
||||
+ <replaceable>subid</replaceable> field in
|
||||
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
|
||||
+ as the delegation source. Setting this field to
|
||||
+ <replaceable>files</replaceable> configures the delegation of gids to
|
||||
+ <filename>/etc/subgid</filename>. Setting any other value treats
|
||||
+ the delegation as a plugin following with a name of the form
|
||||
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
|
||||
+ missing, then the subordinate gid delegation falls back to
|
||||
+ <replaceable>files</replaceable>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Note, that <command>groupadd</command> will only create entries in
|
||||
+ <filename>/etc/subgid</filename> if subid delegation is managed via subid
|
||||
+ files.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='local-subordinate-delegation'>
|
||||
+ <title>LOCAL SUBORDINATE DELEGATION</title>
|
||||
+ <para>
|
||||
Each line in <filename>/etc/subgid</filename> contains
|
||||
a user name and a range of subordinate group ids that user
|
||||
is allowed to use.
|
||||
diff -up shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subuid.5.xml
|
||||
--- shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/subuid.5.xml 2021-11-03 10:00:18.888255255 +0100
|
||||
@@ -32,6 +32,18 @@
|
||||
<!-- SHADOW-CONFIG-HERE -->
|
||||
]>
|
||||
<refentry id='subuid.5'>
|
||||
+ <refentryinfo>
|
||||
+ <author>
|
||||
+ <firstname>Eric</firstname>
|
||||
+ <surname>Biederman</surname>
|
||||
+ <contrib>Creation, 2013</contrib>
|
||||
+ </author>
|
||||
+ <author>
|
||||
+ <firstname>Iker</firstname>
|
||||
+ <surname>Pedrosa</surname>
|
||||
+ <contrib>Developer, 2021</contrib>
|
||||
+ </author>
|
||||
+ </refentryinfo>
|
||||
<refmeta>
|
||||
<refentrytitle>subuid</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
@@ -41,12 +53,37 @@
|
||||
</refmeta>
|
||||
<refnamediv id='name'>
|
||||
<refname>subuid</refname>
|
||||
- <refpurpose>the subordinate uid file</refpurpose>
|
||||
+ <refpurpose>the configuration for subordinate user ids</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsect1 id='description'>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
+ Subuid authorizes a user id to map ranges of user ids from its namespace
|
||||
+ into child namespaces.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The delegation of the subordinate uids can be configured via the
|
||||
+ <replaceable>subid</replaceable> field in
|
||||
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
|
||||
+ as the delegation source. Setting this field to
|
||||
+ <replaceable>files</replaceable> configures the delegation of uids to
|
||||
+ <filename>/etc/subuid</filename>. Setting any other value treats
|
||||
+ the delegation as a plugin following with a name of the form
|
||||
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
|
||||
+ missing, then the subordinate uid delegation falls back to
|
||||
+ <replaceable>files</replaceable>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Note, that <command>useradd</command> will only create entries in
|
||||
+ <filename>/etc/subuid</filename> if subid delegation is managed via subid
|
||||
+ files.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='local-subordinate-delegation'>
|
||||
+ <title>LOCAL SUBORDINATE DELEGATION</title>
|
||||
+ <para>
|
||||
Each line in <filename>/etc/subuid</filename> contains
|
||||
a user name and a range of subordinate user ids that user
|
||||
is allowed to use.
|
@ -1,349 +0,0 @@
|
||||
diff -up shadow-4.6/man/groupmems.8.xml.manfix shadow-4.6/man/groupmems.8.xml
|
||||
--- shadow-4.6/man/groupmems.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/groupmems.8.xml 2020-10-23 13:15:24.105387634 +0200
|
||||
@@ -179,20 +179,10 @@
|
||||
<refsect1 id='setup'>
|
||||
<title>SETUP</title>
|
||||
<para>
|
||||
- The <command>groupmems</command> executable should be in mode
|
||||
- <literal>2770</literal> as user <emphasis>root</emphasis> and in group
|
||||
- <emphasis>groups</emphasis>. The system administrator can add users to
|
||||
- group <emphasis>groups</emphasis> to allow or disallow them using the
|
||||
- <command>groupmems</command> utility to manage their own group
|
||||
- membership list.
|
||||
+ In this operating system the <command>groupmems</command> executable
|
||||
+ is not setuid and regular users cannot use it to manipulate
|
||||
+ the membership of their own group.
|
||||
</para>
|
||||
-
|
||||
- <programlisting>
|
||||
- $ groupadd -r groups
|
||||
- $ chmod 2770 groupmems
|
||||
- $ chown root.groups groupmems
|
||||
- $ groupmems -g groups -a gk4
|
||||
- </programlisting>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id='configuration'>
|
||||
diff -up shadow-4.6/man/chage.1.xml.manfix shadow-4.6/man/chage.1.xml
|
||||
--- shadow-4.6/man/chage.1.xml.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/chage.1.xml 2020-10-23 13:15:24.105387634 +0200
|
||||
@@ -102,6 +102,9 @@
|
||||
Set the number of days since January 1st, 1970 when the password
|
||||
was last changed. The date may also be expressed in the format
|
||||
YYYY-MM-DD (or the format more commonly used in your area).
|
||||
+ If the <replaceable>LAST_DAY</replaceable> is set to
|
||||
+ <emphasis>0</emphasis> the user is forced to change his password
|
||||
+ on the next log on.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -119,6 +122,13 @@
|
||||
system again.
|
||||
</para>
|
||||
<para>
|
||||
+ For example the following can be used to set an account to expire
|
||||
+ in 180 days:
|
||||
+ </para>
|
||||
+ <programlisting>
|
||||
+ chage -E $(date -d +180days +%Y-%m-%d)
|
||||
+ </programlisting>
|
||||
+ <para>
|
||||
Passing the number <emphasis remap='I'>-1</emphasis> as the
|
||||
<replaceable>EXPIRE_DATE</replaceable> will remove an account
|
||||
expiration date.
|
||||
@@ -233,6 +243,18 @@
|
||||
The <command>chage</command> program requires a shadow password file to
|
||||
be available.
|
||||
</para>
|
||||
+ <para>
|
||||
+ The chage program will report only the information from the shadow
|
||||
+ password file. This implies that configuration from other sources
|
||||
+ (e.g. LDAP or empty password hash field from the passwd file) that
|
||||
+ affect the user's login will not be shown in the chage output.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The <command>chage</command> program will also not report any
|
||||
+ inconsistency between the shadow and passwd files (e.g. missing x in
|
||||
+ the passwd file). The <command>pwck</command> can be used to check
|
||||
+ for this kind of inconsistencies.
|
||||
+ </para>
|
||||
<para>The <command>chage</command> command is restricted to the root
|
||||
user, except for the <option>-l</option> option, which may be used by
|
||||
an unprivileged user to determine when their password or account is due
|
||||
diff -up shadow-4.6/man/ja/man5/login.defs.5.manfix shadow-4.6/man/ja/man5/login.defs.5
|
||||
--- shadow-4.6/man/ja/man5/login.defs.5.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/ja/man5/login.defs.5 2020-10-23 13:15:24.106387639 +0200
|
||||
@@ -147,10 +147,6 @@ 以下の参照表は、
|
||||
shadow パスワード機能のどのプログラムが
|
||||
どのパラメータを使用するかを示したものである。
|
||||
.na
|
||||
-.IP chfn 12
|
||||
-CHFN_AUTH CHFN_RESTRICT
|
||||
-.IP chsh 12
|
||||
-CHFN_AUTH
|
||||
.IP groupadd 12
|
||||
GID_MAX GID_MIN
|
||||
.IP newusers 12
|
||||
diff -up shadow-4.6/man/login.defs.5.xml.manfix shadow-4.6/man/login.defs.5.xml
|
||||
--- shadow-4.6/man/login.defs.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/login.defs.5.xml 2020-10-23 13:15:43.280475188 +0200
|
||||
@@ -162,6 +162,27 @@
|
||||
long numeric parameters is machine-dependent.
|
||||
</para>
|
||||
|
||||
+ <para>
|
||||
+ Please note that the parameters in this configuration file control the
|
||||
+ behavior of the tools from the shadow-utils component. None of these
|
||||
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
||||
+ passwd command) should be configured elsewhere. The only values that
|
||||
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
|
||||
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
|
||||
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
|
||||
+ pam(8) for more information.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ Please also take into account that this man page is generic and some of
|
||||
+ the options may be unsupported by currently installed tools. In case of
|
||||
+ doubt check <xref linkend="cross_references"/> and
|
||||
+ <xref linkend="see_also"/>. For example see
|
||||
+ <citerefentry><refentrytitle>login</refentrytitle>
|
||||
+ <manvolnum>1</manvolnum></citerefentry> for login specific options such
|
||||
+ as <emphasis>LOGIN_STRING</emphasis>.
|
||||
+ </para>
|
||||
+
|
||||
<para>The following configuration items are provided:</para>
|
||||
|
||||
<variablelist remap='IP'>
|
||||
@@ -252,16 +273,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term>chfn</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CHFN_AUTH</phrase>
|
||||
- CHFN_RESTRICT
|
||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
- <varlistentry>
|
||||
<term>chgpasswd</term>
|
||||
<listitem>
|
||||
<para>
|
||||
@@ -282,14 +293,6 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry condition="no_pam">
|
||||
- <term>chsh</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- CHSH_AUTH LOGIN_STRING
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
|
||||
<!-- faillog: no variables -->
|
||||
<varlistentry>
|
||||
@@ -350,34 +353,6 @@
|
||||
</varlistentry>
|
||||
<!-- id: no variables -->
|
||||
<!-- lastlog: no variables -->
|
||||
- <varlistentry>
|
||||
- <term>login</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||
- CONSOLE_GROUPS DEFAULT_HOME
|
||||
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
|
||||
- ENV_TZ ENVIRON_FILE</phrase>
|
||||
- ERASECHAR FAIL_DELAY
|
||||
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
|
||||
- FAKE_SHELL
|
||||
- <phrase condition="no_pam">FTMP_FILE</phrase>
|
||||
- HUSHLOGIN_FILE
|
||||
- <phrase condition="no_pam">ISSUE_FILE</phrase>
|
||||
- KILLCHAR
|
||||
- <phrase condition="no_pam">LASTLOG_ENAB</phrase>
|
||||
- LOGIN_RETRIES
|
||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
|
||||
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
|
||||
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
|
||||
- QUOTAS_ENAB</phrase>
|
||||
- TTYGROUP TTYPERM TTYTYPE_FILE
|
||||
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
|
||||
- USERGROUPS_ENAB
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<!-- logoutd: no variables -->
|
||||
<varlistentry>
|
||||
<term>newgrp / sg</term>
|
||||
@@ -405,17 +380,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<!-- nologin: no variables -->
|
||||
- <varlistentry condition="no_pam">
|
||||
- <term>passwd</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
|
||||
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
|
||||
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
|
||||
- SHA_CRYPT_MIN_ROUNDS</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<varlistentry>
|
||||
<term>pwck</term>
|
||||
<listitem>
|
||||
@@ -442,32 +406,6 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry>
|
||||
- <term>su</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||
- CONSOLE_GROUPS DEFAULT_HOME
|
||||
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
|
||||
- ENV_PATH ENV_SUPATH
|
||||
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
|
||||
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
|
||||
- SULOG_FILE SU_NAME
|
||||
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
|
||||
- SYSLOG_SU_ENAB
|
||||
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
- <varlistentry>
|
||||
- <term>sulogin</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- ENV_HZ
|
||||
- <phrase condition="no_pam">ENV_TZ</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<varlistentry>
|
||||
<term>useradd</term>
|
||||
<listitem>
|
||||
diff -up shadow-4.6/man/shadow.5.xml.manfix shadow-4.6/man/shadow.5.xml
|
||||
--- shadow-4.6/man/shadow.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/shadow.5.xml 2020-10-23 13:15:24.106387639 +0200
|
||||
@@ -129,7 +129,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
The date of the last password change, expressed as the number
|
||||
- of days since Jan 1, 1970.
|
||||
+ of days since Jan 1, 1970 00:00 UTC.
|
||||
</para>
|
||||
<para>
|
||||
The value 0 has a special meaning, which is that the user
|
||||
@@ -208,8 +208,8 @@
|
||||
</para>
|
||||
<para>
|
||||
After expiration of the password and this expiration period is
|
||||
- elapsed, no login is possible using the current user's
|
||||
- password. The user should contact her administrator.
|
||||
+ elapsed, no login is possible for the user.
|
||||
+ The user should contact her administrator.
|
||||
</para>
|
||||
<para>
|
||||
An empty field means that there are no enforcement of an
|
||||
@@ -224,7 +224,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
The date of expiration of the account, expressed as the number
|
||||
- of days since Jan 1, 1970.
|
||||
+ of days since Jan 1, 1970 00:00 UTC.
|
||||
</para>
|
||||
<para>
|
||||
Note that an account expiration differs from a password
|
||||
diff -up shadow-4.6/man/useradd.8.xml.manfix shadow-4.6/man/useradd.8.xml
|
||||
--- shadow-4.6/man/useradd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200
|
||||
+++ shadow-4.6/man/useradd.8.xml 2020-10-23 13:15:24.106387639 +0200
|
||||
@@ -347,6 +347,11 @@
|
||||
<option>CREATE_HOME</option> is not enabled, no home
|
||||
directories are created.
|
||||
</para>
|
||||
+ <para>
|
||||
+ The directory where the user's home directory is created must
|
||||
+ exist and have proper SELinux context and permissions. Otherwise
|
||||
+ the user's home directory cannot be created or accessed.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
diff -up shadow-4.6/man/usermod.8.xml.manfix shadow-4.6/man/usermod.8.xml
|
||||
--- shadow-4.6/man/usermod.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/usermod.8.xml 2020-10-23 13:15:24.106387639 +0200
|
||||
@@ -132,7 +132,8 @@
|
||||
If the <option>-m</option>
|
||||
option is given, the contents of the current home directory will
|
||||
be moved to the new home directory, which is created if it does
|
||||
- not already exist.
|
||||
+ not already exist. If the current home directory does not exist
|
||||
+ the new home directory will not be created.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -256,7 +257,8 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Move the content of the user's home directory to the new
|
||||
- location.
|
||||
+ location. If the current home directory does not exist
|
||||
+ the new home directory will not be created.
|
||||
</para>
|
||||
<para>
|
||||
This option is only valid in combination with the
|
||||
diff -up shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml
|
||||
--- shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200
|
||||
@@ -42,7 +42,7 @@
|
||||
<para>
|
||||
The default values for <option>SUB_GID_MIN</option>,
|
||||
<option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
|
||||
- are respectively 100000, 600100000 and 10000.
|
||||
+ are respectively 100000, 600100000 and 65536.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -up shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml
|
||||
--- shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200
|
||||
@@ -42,7 +42,7 @@
|
||||
<para>
|
||||
The default values for <option>SUB_UID_MIN</option>,
|
||||
<option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
|
||||
- are respectively 100000, 600100000 and 10000.
|
||||
+ are respectively 100000, 600100000 and 65536.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
|
||||
--- shadow-4.6/man/groupadd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200
|
||||
+++ shadow-4.6/man/groupadd.8.xml 2020-10-23 13:15:24.106387639 +0200
|
||||
@@ -322,13 +322,13 @@
|
||||
<varlistentry>
|
||||
<term><replaceable>4</replaceable></term>
|
||||
<listitem>
|
||||
- <para>GID not unique (when <option>-o</option> not used)</para>
|
||||
+ <para>GID is already used (when called without <option>-o</option>)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><replaceable>9</replaceable></term>
|
||||
<listitem>
|
||||
- <para>group name not unique</para>
|
||||
+ <para>group name is already used</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
@ -1,15 +0,0 @@
|
||||
diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c
|
||||
--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200
|
||||
+++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200
|
||||
@@ -1845,6 +1845,11 @@ static void move_home (void)
|
||||
Prog, prefix_user_home, prefix_user_newhome);
|
||||
fail_exit (E_HOMEDIR);
|
||||
}
|
||||
+ } else {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: The previous home directory (%s) does "
|
||||
+ "not exist or is inaccessible. Move cannot be completed.\n"),
|
||||
+ Prog, prefix_user_home);
|
||||
}
|
||||
}
|
||||
|
@ -1,128 +0,0 @@
|
||||
diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
|
||||
--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
|
||||
snprintf (buf, sizeof buf, "%s-", db->filename);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (buf) != 0) {
|
||||
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||
errors++;
|
||||
}
|
||||
#endif
|
||||
@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
|
||||
snprintf (buf, sizeof buf, "%s+", db->filename);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (buf) != 0) {
|
||||
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||
errors++;
|
||||
}
|
||||
#endif
|
||||
diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
|
||||
--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
|
||||
*/
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
|
||||
}
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
free (oldlink);
|
||||
return -1;
|
||||
}
|
||||
@@ -684,7 +684,7 @@ static int copy_special (const char *src
|
||||
int err = 0;
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
|
||||
return -1;
|
||||
}
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
|
||||
--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
|
||||
|
||||
/* selinux.c */
|
||||
#ifdef WITH_SELINUX
|
||||
-extern int set_selinux_file_context (const char *dst_name);
|
||||
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
|
||||
extern int reset_selinux_file_context (void);
|
||||
#endif
|
||||
|
||||
diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
|
||||
--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -50,7 +50,7 @@ static bool selinux_enabled;
|
||||
* Callers may have to Reset SELinux to create files with default
|
||||
* contexts with reset_selinux_file_context
|
||||
*/
|
||||
-int set_selinux_file_context (const char *dst_name)
|
||||
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
|
||||
{
|
||||
/*@null@*/security_context_t scontext = NULL;
|
||||
|
||||
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
|
||||
if (selinux_enabled) {
|
||||
/* Get the default security context for this file */
|
||||
if (matchpathcon (dst_name, 0, &scontext) < 0) {
|
||||
- if (security_getenforce () != 0) {
|
||||
- return 1;
|
||||
- }
|
||||
+ /* We could not get the default, copy the original */
|
||||
+ if (orig_name == NULL)
|
||||
+ goto error;
|
||||
+ if (getfilecon (orig_name, &scontext) < 0)
|
||||
+ goto error;
|
||||
}
|
||||
/* Set the security context for the next created file */
|
||||
- if (setfscreatecon (scontext) < 0) {
|
||||
- if (security_getenforce () != 0) {
|
||||
- return 1;
|
||||
- }
|
||||
- }
|
||||
+ if (setfscreatecon (scontext) < 0)
|
||||
+ goto error;
|
||||
freecon (scontext);
|
||||
}
|
||||
return 0;
|
||||
+ error:
|
||||
+ if (security_getenforce () != 0) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200
|
||||
@@ -2020,7 +2020,7 @@ static void create_home (void)
|
||||
{
|
||||
if (access (prefix_user_home, F_OK) != 0) {
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (prefix_user_home) != 0) {
|
||||
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: cannot set SELinux context for home directory %s\n"),
|
||||
Prog, user_home);
|
@ -1,41 +0,0 @@
|
||||
diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200
|
||||
@@ -98,7 +98,7 @@ const char *Prog;
|
||||
static gid_t def_group = 100;
|
||||
static const char *def_gname = "other";
|
||||
static const char *def_home = "/home";
|
||||
-static const char *def_shell = "";
|
||||
+static const char *def_shell = "/sbin/nologin";
|
||||
static const char *def_template = SKEL_DIR;
|
||||
static const char *def_create_mail_spool = "no";
|
||||
|
||||
@@ -108,7 +108,7 @@ static const char *def_expire = "";
|
||||
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
||||
|
||||
static const char *user_name = "";
|
||||
-static const char *user_pass = "!";
|
||||
+static const char *user_pass = "!!";
|
||||
static uid_t user_id;
|
||||
static gid_t user_gid;
|
||||
static const char *user_comment = "";
|
||||
@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
|
||||
};
|
||||
while ((c = getopt_long (argc, argv,
|
||||
#ifdef WITH_SELINUX
|
||||
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
|
||||
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:",
|
||||
#else /* !WITH_SELINUX */
|
||||
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
|
||||
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U",
|
||||
#endif /* !WITH_SELINUX */
|
||||
long_options, NULL)) != -1) {
|
||||
switch (c) {
|
||||
@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
|
||||
case 'M':
|
||||
Mflg = true;
|
||||
break;
|
||||
+ case 'n':
|
||||
case 'N':
|
||||
Nflg = true;
|
||||
break;
|
@ -1,108 +0,0 @@
|
||||
From fd4405b763d26649339069532e79bd45013c8c38 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Mon, 20 Jan 2020 13:58:07 +0100
|
||||
Subject: [PATCH] Do not mistake a regular user process for a namespaced one
|
||||
|
||||
In case there is a regular user with a process running on a system
|
||||
with uid falling into a namespaced uid range of another user.
|
||||
The user with the colliding namespaced uid range will not be
|
||||
allowed to be deleted without forcing the action with -f.
|
||||
|
||||
The user_busy() is adjusted to check whether the suspected process
|
||||
is really a namespaced process in a different namespace.
|
||||
---
|
||||
libmisc/user_busy.c | 44 ++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 36 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c
|
||||
index b0867568..324bb946 100644
|
||||
--- a/libmisc/user_busy.c
|
||||
+++ b/libmisc/user_busy.c
|
||||
@@ -39,6 +39,7 @@
|
||||
#include <sys/types.h>
|
||||
#include <dirent.h>
|
||||
#include <fcntl.h>
|
||||
+#include <unistd.h>
|
||||
#include "defines.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef ENABLE_SUBIDS
|
||||
@@ -106,6 +107,31 @@ static int user_busy_utmp (const char *name)
|
||||
#endif /* !__linux__ */
|
||||
|
||||
#ifdef __linux__
|
||||
+#ifdef ENABLE_SUBIDS
|
||||
+#define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
|
||||
+static int different_namespace (const char *sname)
|
||||
+{
|
||||
+ /* 41: /proc/xxxxxxxxxx/task/xxxxxxxxxx/ns/user + \0 */
|
||||
+ char path[41];
|
||||
+ char buf[512], buf2[512];
|
||||
+ ssize_t llen1, llen2;
|
||||
+
|
||||
+ snprintf (path, 41, "/proc/%s/ns/user", sname);
|
||||
+
|
||||
+ if ((llen1 = readlink (path, buf, sizeof(buf))) == -1)
|
||||
+ return 0;
|
||||
+
|
||||
+ if ((llen2 = readlink ("/proc/self/ns/user", buf2, sizeof(buf2))) == -1)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (llen1 == llen2 && memcmp (buf, buf2, llen1) == 0)
|
||||
+ return 0; /* same namespace */
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif /* ENABLE_SUBIDS */
|
||||
+
|
||||
+
|
||||
static int check_status (const char *name, const char *sname, uid_t uid)
|
||||
{
|
||||
/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
|
||||
@@ -114,7 +140,6 @@ static int check_status (const char *name, const char *sname, uid_t uid)
|
||||
FILE *sfile;
|
||||
|
||||
snprintf (status, 40, "/proc/%s/status", sname);
|
||||
- status[39] = '\0';
|
||||
|
||||
sfile = fopen (status, "r");
|
||||
if (NULL == sfile) {
|
||||
@@ -123,26 +148,29 @@ static int check_status (const char *name, const char *sname, uid_t uid)
|
||||
while (fgets (line, sizeof (line), sfile) == line) {
|
||||
if (strncmp (line, "Uid:\t", 5) == 0) {
|
||||
unsigned long ruid, euid, suid;
|
||||
+
|
||||
assert (uid == (unsigned long) uid);
|
||||
+ (void) fclose (sfile);
|
||||
if (sscanf (line,
|
||||
"Uid:\t%lu\t%lu\t%lu\n",
|
||||
&ruid, &euid, &suid) == 3) {
|
||||
if ( (ruid == (unsigned long) uid)
|
||||
|| (euid == (unsigned long) uid)
|
||||
- || (suid == (unsigned long) uid)
|
||||
+ || (suid == (unsigned long) uid) ) {
|
||||
+ return 1;
|
||||
+ }
|
||||
#ifdef ENABLE_SUBIDS
|
||||
- || have_sub_uids(name, ruid, 1)
|
||||
- || have_sub_uids(name, euid, 1)
|
||||
- || have_sub_uids(name, suid, 1)
|
||||
-#endif /* ENABLE_SUBIDS */
|
||||
+ if ( different_namespace (sname)
|
||||
+ && ( have_sub_uids(name, ruid, 1)
|
||||
+ || have_sub_uids(name, euid, 1)
|
||||
+ || have_sub_uids(name, suid, 1))
|
||||
) {
|
||||
- (void) fclose (sfile);
|
||||
return 1;
|
||||
}
|
||||
+#endif /* ENABLE_SUBIDS */
|
||||
} else {
|
||||
/* Ignore errors. This is just a best effort. */
|
||||
}
|
||||
- (void) fclose (sfile);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.25.2
|
||||
|
@ -1,19 +0,0 @@
|
||||
diff -up shadow-4.6/man/login.defs.5.xml.remove_login_string_references shadow-4.6/man/login.defs.5.xml
|
||||
--- shadow-4.6/man/login.defs.5.xml.remove_login_string_references 2021-04-27 13:01:49.428338258 +0200
|
||||
+++ shadow-4.6/man/login.defs.5.xml 2021-04-27 13:01:49.433338329 +0200
|
||||
@@ -58,7 +58,6 @@
|
||||
<!ENTITY LOG_OK_LOGINS SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
|
||||
<!ENTITY LOG_UNKFAIL_ENAB SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
|
||||
<!ENTITY LOGIN_RETRIES SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
|
||||
-<!ENTITY LOGIN_STRING SYSTEM "login.defs.d/LOGIN_STRING.xml">
|
||||
<!ENTITY LOGIN_TIMEOUT SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
|
||||
<!ENTITY MAIL_CHECK_ENAB SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
|
||||
<!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
|
||||
@@ -214,7 +213,6 @@
|
||||
&LOG_OK_LOGINS;
|
||||
&LOG_UNKFAIL_ENAB;
|
||||
&LOGIN_RETRIES;
|
||||
- &LOGIN_STRING;
|
||||
&LOGIN_TIMEOUT;
|
||||
&MAIL_CHECK_ENAB;
|
||||
&MAIL_DIR;
|
@ -1,24 +0,0 @@
|
||||
diff -up shadow-4.6/configure.ac.respect_enable_static_no shadow-4.6/configure.ac
|
||||
--- shadow-4.6/configure.ac.respect_enable_static_no 2021-11-03 12:09:39.852829632 +0100
|
||||
+++ shadow-4.6/configure.ac 2021-11-03 12:10:32.447203434 +0100
|
||||
@@ -311,6 +311,8 @@ if test "$with_sha_crypt" = "yes"; then
|
||||
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
|
||||
fi
|
||||
|
||||
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
|
||||
+
|
||||
if test "$with_nscd" = "yes"; then
|
||||
AC_CHECK_FUNC(posix_spawn,
|
||||
[AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
|
||||
diff -up shadow-4.6/libsubid/Makefile.am.respect_enable_static_no shadow-4.6/libsubid/Makefile.am
|
||||
--- shadow-4.6/libsubid/Makefile.am.respect_enable_static_no 2021-11-03 12:09:39.851829625 +0100
|
||||
+++ shadow-4.6/libsubid/Makefile.am 2021-11-03 12:09:39.852829632 +0100
|
||||
@@ -1,6 +1,8 @@
|
||||
lib_LTLIBRARIES = libsubid.la
|
||||
+if ENABLE_SHARED
|
||||
libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
|
||||
-shared -version-info @LIBSUBID_ABI_MAJOR@
|
||||
+endif
|
||||
libsubid_la_SOURCES = api.c
|
||||
|
||||
pkginclude_HEADERS = subid.h
|
@ -1,15 +0,0 @@
|
||||
diff --git a/libmisc/salt.c b/libmisc/salt.c
|
||||
index c72447ea..4940d76e 100644
|
||||
--- a/libmisc/salt.c
|
||||
+++ b/libmisc/salt.c
|
||||
@@ -248,6 +248,10 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
|
||||
result[0] = '\0';
|
||||
}
|
||||
|
||||
+ if (strstr(result, "rounds=") != NULL) {
|
||||
+ result[3] = '\0';
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Concatenate a pseudo random salt.
|
||||
*/
|
@ -1,284 +0,0 @@
|
||||
diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
|
||||
--- shadow-4.8/src/chgpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
|
||||
+++ shadow-4.8/src/chgpasswd.c 2020-01-13 10:21:44.558107260 +0100
|
||||
@@ -39,6 +39,13 @@
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/avc.h>
|
||||
+#endif
|
||||
+#ifdef WITH_LIBAUDIT
|
||||
+#include <libaudit.h>
|
||||
+#endif
|
||||
#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
@@ -80,6 +87,9 @@ static bool sgr_locked = false;
|
||||
#endif
|
||||
static bool gr_locked = false;
|
||||
|
||||
+/* The name of the caller */
|
||||
+static char *myname = NULL;
|
||||
+
|
||||
/* local function prototypes */
|
||||
static void fail_exit (int code);
|
||||
static /*@noreturn@*/void usage (int status);
|
||||
@@ -334,6 +344,63 @@ static void check_perms (void)
|
||||
#endif /* ACCT_TOOLS_SETUID */
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+static int
|
||||
+log_callback (int type, const char *fmt, ...)
|
||||
+{
|
||||
+ int audit_fd;
|
||||
+ va_list ap;
|
||||
+
|
||||
+ va_start(ap, fmt);
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_fd = audit_open();
|
||||
+
|
||||
+ if (audit_fd >= 0) {
|
||||
+ char *buf;
|
||||
+
|
||||
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||
+ goto ret;
|
||||
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||
+ NULL, 0);
|
||||
+ audit_close(audit_fd);
|
||||
+ free(buf);
|
||||
+ goto ret;
|
||||
+ }
|
||||
+
|
||||
+#endif
|
||||
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||
+ret:
|
||||
+ va_end(ap);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+selinux_check_root (void)
|
||||
+{
|
||||
+ int status = -1;
|
||||
+ security_context_t user_context;
|
||||
+ union selinux_callback old_callback;
|
||||
+
|
||||
+ if (is_selinux_enabled() < 1)
|
||||
+ return;
|
||||
+
|
||||
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
|
||||
+ /* setup callbacks */
|
||||
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
|
||||
+ if ((status = getprevcon(&user_context)) < 0) {
|
||||
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
|
||||
+
|
||||
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||
+ freecon(user_context);
|
||||
+ if (status != 0 && security_getenforce() != 0)
|
||||
+ exit(1);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* open_files - lock and open the group databases
|
||||
*/
|
||||
@@ -427,6 +494,7 @@ int main (int argc, char **argv)
|
||||
|
||||
const struct group *gr;
|
||||
struct group newgr;
|
||||
+ struct passwd *pw = NULL;
|
||||
int errors = 0;
|
||||
int line = 0;
|
||||
|
||||
@@ -436,12 +504,37 @@ int main (int argc, char **argv)
|
||||
(void) bindtextdomain (PACKAGE, LOCALEDIR);
|
||||
(void) textdomain (PACKAGE);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ selinux_check_root ();
|
||||
+#endif
|
||||
+
|
||||
process_root_flag ("-R", argc, argv);
|
||||
|
||||
process_flags (argc, argv);
|
||||
|
||||
OPENLOG ("chgpasswd");
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_help_open ();
|
||||
+#endif
|
||||
+
|
||||
+ /*
|
||||
+ * Determine the name of the user that invoked this command. This
|
||||
+ * is really hit or miss because there are so many ways that command
|
||||
+ * can be executed and so many ways to trip up the routines that
|
||||
+ * report the user name.
|
||||
+ */
|
||||
+ pw = get_my_pwent ();
|
||||
+ if (NULL == pw) {
|
||||
+ fprintf (stderr, _("%s: Cannot determine your user name.\n"),
|
||||
+ Prog);
|
||||
+ SYSLOG ((LOG_WARN,
|
||||
+ "Cannot determine the user name of the caller (UID %lu)",
|
||||
+ (unsigned long) getuid ()));
|
||||
+ exit (E_NOPERM);
|
||||
+ }
|
||||
+ myname = xstrdup (pw->pw_name);
|
||||
+
|
||||
check_perms ();
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
|
||||
newgr.gr_passwd = cp;
|
||||
}
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ {
|
||||
+
|
||||
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
|
||||
+ "change-password",
|
||||
+ myname, AUDIT_NO_ID, gr->gr_name,
|
||||
+ SHADOW_AUDIT_SUCCESS);
|
||||
+ }
|
||||
+#endif
|
||||
/*
|
||||
* The updated group file entry is then put back and will
|
||||
* be written to the group file later, after all the
|
||||
diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
|
||||
--- shadow-4.8/src/chpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
|
||||
+++ shadow-4.8/src/chpasswd.c 2020-01-13 10:21:44.558107260 +0100
|
||||
@@ -39,6 +39,13 @@
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/avc.h>
|
||||
+#endif
|
||||
+#ifdef WITH_LIBAUDIT
|
||||
+#include <libaudit.h>
|
||||
+#endif
|
||||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
#endif /* USE_PAM */
|
||||
@@ -332,6 +339,63 @@ static void check_perms (void)
|
||||
#endif /* USE_PAM */
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+static int
|
||||
+log_callback (int type, const char *fmt, ...)
|
||||
+{
|
||||
+ int audit_fd;
|
||||
+ va_list ap;
|
||||
+
|
||||
+ va_start(ap, fmt);
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_fd = audit_open();
|
||||
+
|
||||
+ if (audit_fd >= 0) {
|
||||
+ char *buf;
|
||||
+
|
||||
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||
+ goto ret;
|
||||
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||
+ NULL, 0);
|
||||
+ audit_close(audit_fd);
|
||||
+ free(buf);
|
||||
+ goto ret;
|
||||
+ }
|
||||
+
|
||||
+#endif
|
||||
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||
+ret:
|
||||
+ va_end(ap);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+selinux_check_root (void)
|
||||
+{
|
||||
+ int status = -1;
|
||||
+ security_context_t user_context;
|
||||
+ union selinux_callback old_callback;
|
||||
+
|
||||
+ if (is_selinux_enabled() < 1)
|
||||
+ return;
|
||||
+
|
||||
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
|
||||
+ /* setup callbacks */
|
||||
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
|
||||
+ if ((status = getprevcon(&user_context)) < 0) {
|
||||
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
|
||||
+
|
||||
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
|
||||
+ freecon(user_context);
|
||||
+ if (status != 0 && security_getenforce() != 0)
|
||||
+ exit(1);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* open_files - lock and open the password databases
|
||||
*/
|
||||
@@ -428,6 +492,10 @@ int main (int argc, char **argv)
|
||||
(void) bindtextdomain (PACKAGE, LOCALEDIR);
|
||||
(void) textdomain (PACKAGE);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ selinux_check_root ();
|
||||
+#endif
|
||||
+
|
||||
process_root_flag ("-R", argc, argv);
|
||||
|
||||
process_flags (argc, argv);
|
||||
@@ -440,6 +508,10 @@ int main (int argc, char **argv)
|
||||
|
||||
OPENLOG ("chpasswd");
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_help_open ();
|
||||
+#endif
|
||||
+
|
||||
check_perms ();
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
|
||||
newpw.pw_passwd = cp;
|
||||
}
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||
+ "updating-password",
|
||||
+ pw->pw_name, (unsigned int) pw->pw_uid, 1);
|
||||
+#endif
|
||||
/*
|
||||
* The updated password file entry is then put back and will
|
||||
* be written to the password file later, after all the
|
||||
Index: shadow-4.5/src/Makefile.am
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/Makefile.am
|
||||
+++ shadow-4.5/src/Makefile.am
|
||||
@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
|
||||
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
||||
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
|
||||
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
|
||||
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
||||
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
|
||||
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
|
||||
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
|
||||
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
@ -1,115 +0,0 @@
|
||||
diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
|
||||
--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200
|
||||
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
|
||||
|
||||
ret = 0;
|
||||
|
||||
+ /* drop obsolete matchpathcon cache */
|
||||
+ matchpathcon_fini();
|
||||
+
|
||||
done:
|
||||
semanage_seuser_key_free (key);
|
||||
semanage_handle_destroy (handle);
|
||||
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
+
|
||||
+ /* drop obsolete matchpathcon cache */
|
||||
+ matchpathcon_fini();
|
||||
+
|
||||
done:
|
||||
semanage_handle_destroy (handle);
|
||||
return ret;
|
||||
diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200
|
||||
@@ -2120,6 +2120,7 @@ static void create_mail (void)
|
||||
*/
|
||||
int main (int argc, char **argv)
|
||||
{
|
||||
+ int rv = E_SUCCESS;
|
||||
#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
pam_handle_t *pamh = NULL;
|
||||
@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
|
||||
|
||||
usr_update ();
|
||||
|
||||
- if (mflg) {
|
||||
- create_home ();
|
||||
- if (home_added) {
|
||||
- copy_tree (def_template, prefix_user_home, false, false,
|
||||
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||
- } else {
|
||||
- fprintf (stderr,
|
||||
- _("%s: warning: the home directory already exists.\n"
|
||||
- "Not copying any file from skel directory into it.\n"),
|
||||
- Prog);
|
||||
- }
|
||||
-
|
||||
- }
|
||||
-
|
||||
- /* Do not create mail directory for system accounts */
|
||||
- if (!rflg) {
|
||||
- create_mail ();
|
||||
- }
|
||||
-
|
||||
close_files ();
|
||||
|
||||
+ nscd_flush_cache ("passwd");
|
||||
+ nscd_flush_cache ("group");
|
||||
+
|
||||
/*
|
||||
* tallylog_reset needs to be able to lookup
|
||||
* a valid existing user name,
|
||||
@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (Zflg) {
|
||||
- if (set_seuser (user_name, user_selinux) != 0) {
|
||||
+ if (Zflg && *user_selinux) {
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ if (set_seuser (user_name, user_selinux) != 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||
Prog, user_name, user_selinux);
|
||||
@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
|
||||
"adding SELinux user mapping",
|
||||
user_name, (unsigned int) user_id, 0);
|
||||
#endif /* WITH_AUDIT */
|
||||
- fail_exit (E_SE_UPDATE);
|
||||
+ rv = E_SE_UPDATE;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
-#endif /* WITH_SELINUX */
|
||||
+#endif
|
||||
|
||||
- nscd_flush_cache ("passwd");
|
||||
- nscd_flush_cache ("group");
|
||||
+ if (mflg) {
|
||||
+ create_home ();
|
||||
+ if (home_added) {
|
||||
+ copy_tree (def_template, prefix_user_home, false, true,
|
||||
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||
+ } else {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: warning: the home directory already exists.\n"
|
||||
+ "Not copying any file from skel directory into it.\n"),
|
||||
+ Prog);
|
||||
+ }
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ /* Do not create mail directory for system accounts */
|
||||
+ if (!rflg) {
|
||||
+ create_mail ();
|
||||
+ }
|
||||
|
||||
- return E_SUCCESS;
|
||||
+ return rv;
|
||||
}
|
||||
|
@ -1,214 +0,0 @@
|
||||
From baae5b4a06c905d9f52ed1f922a0d7d0625d11cf Mon Sep 17 00:00:00 2001
|
||||
From: Martin Kletzander <nert.pinx@gmail.com>
|
||||
Date: Wed, 1 Feb 2023 15:36:41 +0100
|
||||
Subject: [PATCH] find_new_[gu]id(): Skip over IDs that are reserved for legacy
|
||||
reasons
|
||||
|
||||
Some programs don't support `(uint16_t) -1` or `(uint32_t) -1` as user
|
||||
or group IDs. This is because `-1` is used as an error code or as an
|
||||
unspecified ID, e.g. in `chown(2)` parameters, and in the past, `gid_t`
|
||||
and `uid_t` have changed width. For legacy reasons, those values have
|
||||
been kept reserved in programs today (for example systemd does this; see
|
||||
the documentation in the link below).
|
||||
|
||||
This should not be confused with catching overflow in the ID values,
|
||||
since that is already caught by our ERANGE checks. This is about not
|
||||
using reserved values that have been reserved for legacy reasons.
|
||||
|
||||
Link: <https://systemd.io/UIDS-GIDS/>
|
||||
Reviewed-by: Alejandro Colomar <alx@kernel.org>
|
||||
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
|
||||
---
|
||||
libmisc/find_new_gid.c | 38 ++++++++++++++++++++++++++++----------
|
||||
libmisc/find_new_uid.c | 38 ++++++++++++++++++++++++++++----------
|
||||
2 files changed, 56 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c
|
||||
index 70ba95a2..da1d8d55 100644
|
||||
--- a/libmisc/find_new_gid.c
|
||||
+++ b/libmisc/find_new_gid.c
|
||||
@@ -98,6 +98,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
|
||||
*
|
||||
* On success, return 0
|
||||
* If the ID is in use, return EEXIST
|
||||
+ * If the ID might clash with -1, return EINVAL
|
||||
* If the ID is outside the range, return ERANGE
|
||||
* In other cases, return errno from getgrgid()
|
||||
*/
|
||||
@@ -111,6 +112,11 @@ static int check_gid (const gid_t gid,
|
||||
return ERANGE;
|
||||
}
|
||||
|
||||
+ /* Check for compatibility with 16b and 32b gid_t error codes */
|
||||
+ if (gid == UINT16_MAX || gid == UINT32_MAX) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Check whether we already detected this GID
|
||||
* using the gr_next() loop
|
||||
@@ -182,10 +188,10 @@ int find_new_gid (bool sys_group,
|
||||
* gr_locate_gid() found the GID in an as-yet uncommitted
|
||||
* entry. We'll proceed below and auto-set a GID.
|
||||
*/
|
||||
- } else if (result == EEXIST || result == ERANGE) {
|
||||
+ } else if (result == EEXIST || result == ERANGE || result == EINVAL) {
|
||||
/*
|
||||
* Continue on below. At this time, we won't
|
||||
- * treat these two cases differently.
|
||||
+ * treat these three cases differently.
|
||||
*/
|
||||
} else {
|
||||
/*
|
||||
@@ -296,8 +302,11 @@ int find_new_gid (bool sys_group,
|
||||
*gid = id;
|
||||
free (used_gids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This GID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
@@ -339,8 +348,11 @@ int find_new_gid (bool sys_group,
|
||||
*gid = id;
|
||||
free (used_gids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This GID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
@@ -399,8 +411,11 @@ int find_new_gid (bool sys_group,
|
||||
*gid = id;
|
||||
free (used_gids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This GID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
@@ -442,8 +457,11 @@ int find_new_gid (bool sys_group,
|
||||
*gid = id;
|
||||
free (used_gids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This GID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
diff --git a/libmisc/find_new_uid.c b/libmisc/find_new_uid.c
|
||||
index 6b71dfe5..09885236 100644
|
||||
--- a/libmisc/find_new_uid.c
|
||||
+++ b/libmisc/find_new_uid.c
|
||||
@@ -98,6 +98,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
|
||||
*
|
||||
* On success, return 0
|
||||
* If the ID is in use, return EEXIST
|
||||
+ * If the ID might clash with -1, return EINVAL
|
||||
* If the ID is outside the range, return ERANGE
|
||||
* In other cases, return errno from getpwuid()
|
||||
*/
|
||||
@@ -111,6 +112,11 @@ static int check_uid(const uid_t uid,
|
||||
return ERANGE;
|
||||
}
|
||||
|
||||
+ /* Check for compatibility with 16b and 32b uid_t error codes */
|
||||
+ if (uid == UINT16_MAX || uid == UINT32_MAX) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Check whether we already detected this UID
|
||||
* using the pw_next() loop
|
||||
@@ -182,10 +188,10 @@ int find_new_uid(bool sys_user,
|
||||
* pw_locate_uid() found the UID in an as-yet uncommitted
|
||||
* entry. We'll proceed below and auto-set an UID.
|
||||
*/
|
||||
- } else if (result == EEXIST || result == ERANGE) {
|
||||
+ } else if (result == EEXIST || result == ERANGE || result == EINVAL) {
|
||||
/*
|
||||
* Continue on below. At this time, we won't
|
||||
- * treat these two cases differently.
|
||||
+ * treat these three cases differently.
|
||||
*/
|
||||
} else {
|
||||
/*
|
||||
@@ -296,8 +302,11 @@ int find_new_uid(bool sys_user,
|
||||
*uid = id;
|
||||
free (used_uids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This UID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
@@ -339,8 +348,11 @@ int find_new_uid(bool sys_user,
|
||||
*uid = id;
|
||||
free (used_uids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This UID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
@@ -399,8 +411,11 @@ int find_new_uid(bool sys_user,
|
||||
*uid = id;
|
||||
free (used_uids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This UID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
@@ -442,8 +457,11 @@ int find_new_uid(bool sys_user,
|
||||
*uid = id;
|
||||
free (used_uids);
|
||||
return 0;
|
||||
- } else if (result == EEXIST) {
|
||||
- /* This UID is in use, we'll continue to the next */
|
||||
+ } else if (result == EEXIST || result == EINVAL) {
|
||||
+ /*
|
||||
+ * This GID is in use or unusable, we'll
|
||||
+ * continue to the next.
|
||||
+ */
|
||||
} else {
|
||||
/*
|
||||
* An unexpected error occurred.
|
||||
--
|
||||
2.40.1
|
||||
|
@ -1,641 +0,0 @@
|
||||
From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jakub.hrozek@posteo.se>
|
||||
Date: Wed, 12 Sep 2018 14:22:11 +0200
|
||||
Subject: [PATCH] Flush sssd caches in addition to nscd caches
|
||||
|
||||
Some distributions, notably Fedora, have the following order of nsswitch
|
||||
modules by default:
|
||||
passwd: sss files
|
||||
group: sss files
|
||||
|
||||
The advantage of serving local users through SSSD is that the nss_sss
|
||||
module has a fast mmapped-cache that speeds up NSS lookups compared to
|
||||
accessing the disk an opening the files on each NSS request.
|
||||
|
||||
Traditionally, this has been done with the help of nscd, but using nscd
|
||||
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
|
||||
independent caching, so using nscd in setups where sssd is also serving
|
||||
users from some remote domain (LDAP, AD, ...) can result in a bit of
|
||||
unpredictability.
|
||||
|
||||
More details about why Fedora chose to use sss before files can be found
|
||||
on e.g.:
|
||||
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
|
||||
or:
|
||||
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
|
||||
|
||||
Now, even though sssd watches the passwd and group files with the help
|
||||
of inotify, there can still be a small window where someone requests a
|
||||
user or a group, finds that it doesn't exist, adds the entry and checks
|
||||
again. Without some support in shadow-utils that would explicitly drop
|
||||
the sssd caches, the inotify watch can fire a little late, so a
|
||||
combination of commands like this:
|
||||
getent passwd user || useradd user; getent passwd user
|
||||
can result in the second getent passwd not finding the newly added user
|
||||
as the racy behaviour might still return the cached negative hit from
|
||||
the first getent passwd.
|
||||
|
||||
This patch more or less copies the already existing support that
|
||||
shadow-utils had for dropping nscd caches, except using the "sss_cache"
|
||||
tool that sssd ships.
|
||||
---
|
||||
configure.ac | 10 +++++++
|
||||
lib/Makefile.am | 2 ++
|
||||
lib/commonio.c | 2 ++
|
||||
lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
lib/sssd.h | 17 +++++++++++
|
||||
src/chfn.c | 2 ++
|
||||
src/chgpasswd.c | 2 ++
|
||||
src/chpasswd.c | 2 ++
|
||||
src/chsh.c | 2 ++
|
||||
src/gpasswd.c | 2 ++
|
||||
src/groupadd.c | 2 ++
|
||||
src/groupdel.c | 2 ++
|
||||
src/groupmod.c | 2 ++
|
||||
src/grpck.c | 2 ++
|
||||
src/grpconv.c | 2 ++
|
||||
src/grpunconv.c | 2 ++
|
||||
src/newusers.c | 2 ++
|
||||
src/passwd.c | 2 ++
|
||||
src/pwck.c | 2 ++
|
||||
src/pwconv.c | 2 ++
|
||||
src/pwunconv.c | 2 ++
|
||||
src/useradd.c | 2 ++
|
||||
src/userdel.c | 2 ++
|
||||
src/usermod.c | 2 ++
|
||||
src/vipw.c | 2 ++
|
||||
25 files changed, 146 insertions(+)
|
||||
create mode 100644 lib/sssd.c
|
||||
create mode 100644 lib/sssd.h
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 41068a5d..10ad70cf 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
|
||||
AC_ARG_WITH(nscd,
|
||||
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
|
||||
[with_nscd=$withval], [with_nscd=yes])
|
||||
+AC_ARG_WITH(sssd,
|
||||
+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
|
||||
+ [with_sssd=$withval], [with_sssd=yes])
|
||||
AC_ARG_WITH(group-name-max-length,
|
||||
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
|
||||
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
|
||||
@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
|
||||
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
|
||||
fi
|
||||
|
||||
+if test "$with_sssd" = "yes"; then
|
||||
+ AC_CHECK_FUNC(posix_spawn,
|
||||
+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
|
||||
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
|
||||
+fi
|
||||
+
|
||||
dnl Check for some functions in libc first, only if not found check for
|
||||
dnl other libraries. This should prevent linking libnsl if not really
|
||||
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
|
||||
@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp"
|
||||
echo " S/Key support: $with_skey"
|
||||
echo " SHA passwords encryption: $with_sha_crypt"
|
||||
echo " nscd support: $with_nscd"
|
||||
+echo " sssd support: $with_sssd"
|
||||
echo " subordinate IDs support: $enable_subids"
|
||||
echo
|
||||
diff --git a/lib/Makefile.am b/lib/Makefile.am
|
||||
index 6db86cd6..fd634542 100644
|
||||
--- a/lib/Makefile.am
|
||||
+++ b/lib/Makefile.am
|
||||
@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
|
||||
lockpw.c \
|
||||
nscd.c \
|
||||
nscd.h \
|
||||
+ sssd.c \
|
||||
+ sssd.h \
|
||||
pam_defs.h \
|
||||
port.c \
|
||||
port.h \
|
||||
diff --git a/lib/commonio.c b/lib/commonio.c
|
||||
index d06b8e7d..96f2d5f7 100644
|
||||
--- a/lib/commonio.c
|
||||
+++ b/lib/commonio.c
|
||||
@@ -45,6 +45,7 @@
|
||||
#include <stdio.h>
|
||||
#include <signal.h>
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#ifdef WITH_TCB
|
||||
#include <tcb.h>
|
||||
#endif /* WITH_TCB */
|
||||
@@ -485,6 +486,7 @@ static void dec_lock_count (void)
|
||||
if (nscd_need_reload) {
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
nscd_need_reload = false;
|
||||
}
|
||||
#ifdef HAVE_LCKPWDF
|
||||
diff --git a/lib/sssd.c b/lib/sssd.c
|
||||
new file mode 100644
|
||||
index 00000000..80e49e55
|
||||
--- /dev/null
|
||||
+++ b/lib/sssd.c
|
||||
@@ -0,0 +1,75 @@
|
||||
+/* Author: Peter Vrabec <pvrabec@redhat.com> */
|
||||
+
|
||||
+#include <config.h>
|
||||
+#ifdef USE_SSSD
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <sys/wait.h>
|
||||
+#include <sys/types.h>
|
||||
+#include "exitcodes.h"
|
||||
+#include "defines.h"
|
||||
+#include "prototypes.h"
|
||||
+#include "sssd.h"
|
||||
+
|
||||
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
|
||||
+
|
||||
+int sssd_flush_cache (int dbflags)
|
||||
+{
|
||||
+ int status, code, rv;
|
||||
+ const char *cmd = "/usr/sbin/sss_cache";
|
||||
+ char *sss_cache_args = NULL;
|
||||
+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
|
||||
+ const char *spawnedEnv[] = {NULL};
|
||||
+ int i = 0;
|
||||
+
|
||||
+ sss_cache_args = malloc(4);
|
||||
+ if (sss_cache_args == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ sss_cache_args[i++] = '-';
|
||||
+ if (dbflags & SSSD_DB_PASSWD) {
|
||||
+ sss_cache_args[i++] = 'U';
|
||||
+ }
|
||||
+ if (dbflags & SSSD_DB_GROUP) {
|
||||
+ sss_cache_args[i++] = 'G';
|
||||
+ }
|
||||
+ sss_cache_args[i++] = '\0';
|
||||
+ if (i == 2) {
|
||||
+ /* Neither passwd nor group, nothing to do */
|
||||
+ free(sss_cache_args);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ spawnedArgs[1] = sss_cache_args;
|
||||
+
|
||||
+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
|
||||
+ free(sss_cache_args);
|
||||
+ if (rv != 0) {
|
||||
+ /* run_command writes its own more detailed message. */
|
||||
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ code = WEXITSTATUS (status);
|
||||
+ if (!WIFEXITED (status)) {
|
||||
+ (void) fprintf (stderr,
|
||||
+ _("%s: sss_cache did not terminate normally (signal %d)\n"),
|
||||
+ Prog, WTERMSIG (status));
|
||||
+ return -1;
|
||||
+ } else if (code == E_CMD_NOTFOUND) {
|
||||
+ /* sss_cache is not installed, or it is installed but uses an
|
||||
+ interpreter that is missing. Probably the former. */
|
||||
+ return 0;
|
||||
+ } else if (code != 0) {
|
||||
+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
|
||||
+ Prog, code);
|
||||
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+#else /* USE_SSSD */
|
||||
+extern int errno; /* warning: ANSI C forbids an empty source file */
|
||||
+#endif /* USE_SSSD */
|
||||
+
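Review bot: `code = WEXITSTATUS (status)` is evaluated before the `WIFEXITED (status)` test, so on the signal path an exit status is decoded from a wait status that has none; the assignment belongs after the `!WIFEXITED` branch. The `malloc(4)` buffer only ever holds `-`, at most `U` and `G`, and the terminator, so a fixed `char sss_cache_args[4]` removes the allocation-failure return and both `free` calls. In the `#else` branch, `extern int errno;` is a fragile way to keep the translation unit non-empty — on libcs where `errno` is a macro it breaks as soon as a header pulling in <errno.h> is added above it; `typedef int sssd_dummy_t;` has no such hazard. The absolute `/usr/sbin/sss_cache` path and the empty `spawnedEnv` are the right choice given that setuid callers such as chfn and chsh reach this function.
```c
int sssd_flush_cache (int dbflags)
{
	int status, code, rv;
	const char *cmd = "/usr/sbin/sss_cache";
	char sss_cache_args[4]; /* longest value is "-UG" plus the terminator */
	const char *spawnedArgs[] = {"sss_cache", sss_cache_args, NULL};
	const char *spawnedEnv[] = {NULL};
	int i = 0;

	sss_cache_args[i++] = '-';
	/* … unchanged: append 'U' and/or 'G' according to dbflags … */
	sss_cache_args[i++] = '\0';
	if (i == 2) {
		/* Neither passwd nor group, nothing to do */
		return 0;
	}

	rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
	if (rv != 0) {
		/* … unchanged: run_command failure message … */
		return -1;
	}

	if (!WIFEXITED (status)) {
		/* … unchanged: abnormal-termination message … */
		return -1;
	}
	code = WEXITSTATUS (status);
	/* … unchanged: E_CMD_NOTFOUND and non-zero exit handling … */
```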
|
||||
diff --git a/lib/sssd.h b/lib/sssd.h
|
||||
new file mode 100644
|
||||
index 00000000..00ff2a8a
|
||||
--- /dev/null
|
||||
+++ b/lib/sssd.h
|
||||
@@ -0,0 +1,17 @@
|
||||
+#ifndef _SSSD_H_
|
||||
+#define _SSSD_H_
|
||||
+
|
||||
+#define SSSD_DB_PASSWD 0x001
|
||||
+#define SSSD_DB_GROUP 0x002
|
||||
+
|
||||
+/*
|
||||
+ * sssd_flush_cache - flush specified service buffer in sssd cache
|
||||
+ */
|
||||
+#ifdef USE_SSSD
|
||||
+extern int sssd_flush_cache (int dbflags);
|
||||
+#else
|
||||
+#define sssd_flush_cache(service) (0)
|
||||
+#endif
|
||||
+
|
||||
+#endif
|
||||
+
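Review bot: `_SSSD_H_` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation); the guard should be `SSSD_H` or `SHADOW_SSSD_H`. The fallback `#define sssd_flush_cache(service) (0)` names its parameter `service` while the real function takes `dbflags`; `#define sssd_flush_cache(dbflags) (0)` keeps the two signatures recognisably the same. The header comment could also state the contract the .c file implements: `/* dbflags: bitwise OR of SSSD_DB_PASSWD and SSSD_DB_GROUP; returns 0 on success or when sss_cache is not installed, -1 on failure */`.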
|
||||
diff --git a/src/chfn.c b/src/chfn.c
|
||||
index 18aa3de7..0725e1c7 100644
|
||||
--- a/src/chfn.c
|
||||
+++ b/src/chfn.c
|
||||
@@ -47,6 +47,7 @@
|
||||
#include "defines.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
#endif
|
||||
@@ -746,6 +747,7 @@ int main (int argc, char **argv)
|
||||
SYSLOG ((LOG_INFO, "changed user '%s' information", user));
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
closelog ();
|
||||
exit (E_SUCCESS);
|
||||
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
|
||||
index 13203a46..e5f2eb7e 100644
|
||||
--- a/src/chgpasswd.c
|
||||
+++ b/src/chgpasswd.c
|
||||
@@ -46,6 +46,7 @@
|
||||
#endif /* ACCT_TOOLS_SETUID */
|
||||
#include "defines.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "groupio.h"
|
||||
#ifdef SHADOWGRP
|
||||
@@ -581,6 +582,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return (0);
|
||||
}
|
||||
diff --git a/src/chpasswd.c b/src/chpasswd.c
|
||||
index 918b27ee..49e79cdb 100644
|
||||
--- a/src/chpasswd.c
|
||||
+++ b/src/chpasswd.c
|
||||
@@ -44,6 +44,7 @@
|
||||
#endif /* USE_PAM */
|
||||
#include "defines.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "getdef.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwio.h"
|
||||
@@ -624,6 +625,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
return (0);
|
||||
}
|
||||
diff --git a/src/chsh.c b/src/chsh.c
|
||||
index c89708b9..910e3dd4 100644
|
||||
--- a/src/chsh.c
|
||||
+++ b/src/chsh.c
|
||||
@@ -46,6 +46,7 @@
|
||||
#include "defines.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -557,6 +558,7 @@ int main (int argc, char **argv)
|
||||
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
closelog ();
|
||||
exit (E_SUCCESS);
|
||||
diff --git a/src/gpasswd.c b/src/gpasswd.c
|
||||
index c4a492b1..4d75af96 100644
|
||||
--- a/src/gpasswd.c
|
||||
+++ b/src/gpasswd.c
|
||||
@@ -45,6 +45,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
exit (E_SUCCESS);
|
||||
}
|
||||
diff --git a/src/groupadd.c b/src/groupadd.c
|
||||
index b57006c5..2dd8eec9 100644
|
||||
--- a/src/groupadd.c
|
||||
+++ b/src/groupadd.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -625,6 +626,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/groupdel.c b/src/groupdel.c
|
||||
index 70bed010..f941a84a 100644
|
||||
--- a/src/groupdel.c
|
||||
+++ b/src/groupdel.c
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -492,6 +493,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/groupmod.c b/src/groupmod.c
|
||||
index b293b98f..1dca5fc9 100644
|
||||
--- a/src/groupmod.c
|
||||
+++ b/src/groupmod.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include "groupio.h"
|
||||
#include "pwio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/grpck.c b/src/grpck.c
|
||||
index ea5d3b39..6140b10d 100644
|
||||
--- a/src/grpck.c
|
||||
+++ b/src/grpck.c
|
||||
@@ -45,6 +45,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
@@ -870,6 +871,7 @@ int main (int argc, char **argv)
|
||||
close_files (changed);
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
/*
|
||||
* Tell the user what we did and exit.
|
||||
diff --git a/src/grpconv.c b/src/grpconv.c
|
||||
index f95f4960..5e5eaaca 100644
|
||||
--- a/src/grpconv.c
|
||||
+++ b/src/grpconv.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include <unistd.h>
|
||||
#include <getopt.h>
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
/*@-exitarg@*/
|
||||
#include "exitcodes.h"
|
||||
@@ -273,6 +274,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/grpunconv.c b/src/grpunconv.c
|
||||
index 253f06f5..e4105c26 100644
|
||||
--- a/src/grpunconv.c
|
||||
+++ b/src/grpunconv.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include <grp.h>
|
||||
#include <getopt.h>
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
/*@-exitarg@*/
|
||||
#include "exitcodes.h"
|
||||
@@ -236,6 +237,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/newusers.c b/src/newusers.c
|
||||
index 8e4bef97..7c3bb1c2 100644
|
||||
--- a/src/newusers.c
|
||||
+++ b/src/newusers.c
|
||||
@@ -62,6 +62,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "pwio.h"
|
||||
#include "sgroupio.h"
|
||||
#include "shadowio.h"
|
||||
@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
#ifdef USE_PAM
|
||||
unsigned int i;
|
||||
diff --git a/src/passwd.c b/src/passwd.c
|
||||
index 3af3e651..5bea2765 100644
|
||||
--- a/src/passwd.c
|
||||
+++ b/src/passwd.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include "defines.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
|
||||
closelog ();
|
||||
diff --git a/src/pwck.c b/src/pwck.c
|
||||
index 05df68ec..0ffb711e 100644
|
||||
--- a/src/pwck.c
|
||||
+++ b/src/pwck.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include "shadowio.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#ifdef WITH_TCB
|
||||
#include "tcbfuncs.h"
|
||||
#endif /* WITH_TCB */
|
||||
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
|
||||
close_files (changed);
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
/*
|
||||
* Tell the user what we did and exit.
|
||||
diff --git a/src/pwconv.c b/src/pwconv.c
|
||||
index d6ee31a8..9c69fa13 100644
|
||||
--- a/src/pwconv.c
|
||||
+++ b/src/pwconv.c
|
||||
@@ -72,6 +72,7 @@
|
||||
#include "pwio.h"
|
||||
#include "shadowio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
|
||||
/*
|
||||
* exit status values
|
||||
@@ -328,6 +329,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/pwunconv.c b/src/pwunconv.c
|
||||
index fabf0237..e11ea494 100644
|
||||
--- a/src/pwunconv.c
|
||||
+++ b/src/pwunconv.c
|
||||
@@ -42,6 +42,7 @@
|
||||
#include <getopt.h>
|
||||
#include "defines.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwio.h"
|
||||
#include "shadowio.h"
|
||||
@@ -250,6 +251,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index ca90f076..b0c2224d 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -60,6 +60,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
/*
|
||||
* tallylog_reset needs to be able to lookup
|
||||
diff --git a/src/userdel.c b/src/userdel.c
|
||||
index c8de1d31..0715e4fe 100644
|
||||
--- a/src/userdel.c
|
||||
+++ b/src/userdel.c
|
||||
@@ -53,6 +53,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
|
||||
}
|
||||
diff --git a/src/usermod.c b/src/usermod.c
|
||||
index 7355ad31..fd9a98a6 100644
|
||||
--- a/src/usermod.c
|
||||
+++ b/src/usermod.c
|
||||
@@ -57,6 +57,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
if (Zflg) {
|
||||
diff --git a/src/vipw.c b/src/vipw.c
|
||||
index 6d730f65..2cfac6b4 100644
|
||||
--- a/src/vipw.c
|
||||
+++ b/src/vipw.c
|
||||
@@ -42,6 +42,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwio.h"
|
||||
#include "sgroupio.h"
|
||||
@@ -556,6 +557,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
@ -1,59 +0,0 @@
|
||||
From 87257a49a1821d67870aa9760c71b6791583709c Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Fri, 2 Oct 2020 16:09:42 +0200
|
||||
Subject: [PATCH] lib/sssd: redirect warning message to file
|
||||
|
||||
Instead of printing warning in stderr print it to file. This way the
|
||||
user is not spammed with unnecessary messages when updating packages.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
|
||||
---
|
||||
lib/sssd.c | 14 ++++++--------
|
||||
1 file changed, 6 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/lib/sssd.c b/lib/sssd.c
|
||||
index 80e49e55..f864ce68 100644
|
||||
--- a/lib/sssd.c
|
||||
+++ b/lib/sssd.c
|
||||
@@ -11,7 +11,7 @@
|
||||
#include "prototypes.h"
|
||||
#include "sssd.h"
|
||||
|
||||
-#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
|
||||
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache."
|
||||
|
||||
int sssd_flush_cache (int dbflags)
|
||||
{
|
||||
@@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags)
|
||||
free(sss_cache_args);
|
||||
if (rv != 0) {
|
||||
/* run_command writes its own more detailed message. */
|
||||
- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||
+ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
|
||||
return -1;
|
||||
}
|
||||
|
||||
code = WEXITSTATUS (status);
|
||||
if (!WIFEXITED (status)) {
|
||||
- (void) fprintf (stderr,
|
||||
- _("%s: sss_cache did not terminate normally (signal %d)\n"),
|
||||
- Prog, WTERMSIG (status));
|
||||
+ SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
|
||||
+ Prog, WTERMSIG (status)));
|
||||
return -1;
|
||||
} else if (code == E_CMD_NOTFOUND) {
|
||||
/* sss_cache is not installed, or it is installed but uses an
|
||||
interpreter that is missing. Probably the former. */
|
||||
return 0;
|
||||
} else if (code != 0) {
|
||||
- (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
|
||||
- Prog, code);
|
||||
- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||
+ SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
|
||||
+ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
|
||||
return -1;
|
||||
}
|
||||
|
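Review bot: `LOG_WARN` at the new SYSLOG calls is not a level defined by <syslog.h> (the standard name is `LOG_WARNING`); it presumably relies on a compatibility define in shadow's own headers included above the hunk, so confirm that define is visible in lib/sssd.c. On the non-zero-exit path two LOG_WARN records are now written for one failure (`sss_cache exited with status %d` followed by MSG_SSSD_FLUSH_CACHE_FAILED); a single `SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED " (sss_cache exited with status %d)", Prog, code));` keeps the detail without the duplicate. Dropping the `_()` wrapper is consistent with the other SYSLOG calls on this page, but leaves the old translated strings as dead entries in the po files.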
||||
--
|
||||
2.26.2
|
||||
|
@ -1,34 +0,0 @@
|
||||
diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c
|
||||
--- shadow-4.6/libmisc/find_new_gid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
|
||||
+++ shadow-4.6/libmisc/find_new_gid.c 2018-11-06 10:51:20.554963292 +0100
|
||||
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_group, g
|
||||
(unsigned long) *max_id);
|
||||
return EINVAL;
|
||||
}
|
||||
+ /*
|
||||
+ * Zero is reserved for root and the allocation algorithm does not
|
||||
+ * work right with it.
|
||||
+ */
|
||||
+ if (*min_id == 0) {
|
||||
+ *min_id = (gid_t) 1;
|
||||
+ }
|
||||
} else {
|
||||
/* Non-system groups */
|
||||
|
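Review bot: The clamp of `*min_id` to 1 runs after the range validation that precedes it in `get_ranges`, so a configuration with both the system minimum and maximum set to 0 passes that check and then leaves `*min_id` (1) above `*max_id` (0); moving the `if (*min_id == 0)` block above the check, or re-validating after it, closes that gap. The same ordering applies to the find_new_uid.c hunk below. `get_ranges` starts outside the hunk, so the exact condition of the preceding check is inferred from the `return EINVAL` that remains visible.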
||||
diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c
|
||||
--- shadow-4.6/libmisc/find_new_uid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
|
||||
+++ shadow-4.6/libmisc/find_new_uid.c 2018-11-06 10:51:39.341399569 +0100
|
||||
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_user, ui
|
||||
(unsigned long) *max_id);
|
||||
return EINVAL;
|
||||
}
|
||||
+ /*
|
||||
+ * Zero is reserved for root and the allocation algorithm does not
|
||||
+ * work right with it.
|
||||
+ */
|
||||
+ if (*min_id == 0) {
|
||||
+ *min_id = (uid_t) 1;
|
||||
+ }
|
||||
} else {
|
||||
/* Non-system users */
|
||||
|
@ -1,31 +0,0 @@
|
||||
diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
|
||||
--- shadow-4.6/man/generate_translations.mak.use-itstool 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/generate_translations.mak 2018-07-31 16:42:21.623990969 +0200
|
||||
@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
|
||||
$(MAKE) -C .. config.xml
|
||||
cp ../config.xml $@
|
||||
|
||||
-%.xml: ../%.xml ../po/$(LANG).po
|
||||
- xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
|
||||
+messages.mo: ../po/$(LANG).po
|
||||
+ msgfmt ../po/$(LANG).po -o messages.mo
|
||||
+
|
||||
+login.defs.d:
|
||||
+ ln -sf ../login.defs.d login.defs.d
|
||||
+
|
||||
+%.xml: ../%.xml messages.mo login.defs.d
|
||||
+ if grep -q SHADOW-CONFIG-HERE $< ; then \
|
||||
+ sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
|
||||
+ else \
|
||||
+ sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
|
||||
+ fi
|
||||
+ itstool -d -l $(LANG) -m messages.mo -o . $@
|
||||
sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
|
||||
|
||||
include ../generate_mans.mak
|
||||
@@ -16,4 +27,4 @@ $(man_MANS):
|
||||
@echo you need to run configure with --enable-man to generate man pages
|
||||
endif
|
||||
|
||||
-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
|
||||
+CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
|
@ -1,190 +0,0 @@
|
||||
commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
|
||||
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu May 2 14:33:06 2019 +0200
|
||||
|
||||
Use the lckpwdf() again if prefix is not set
|
||||
|
||||
The implementation of prefix option dropped the use of lckpwdf().
|
||||
However that is incorrect as other tools manipulating the shadow passwords
|
||||
such as PAM use lckpwdf() and do not know anything about the
|
||||
shadow's own locking mechanism.
|
||||
|
||||
This reverts the implementation to use lckpwdf() if prefix option
|
||||
is not used.
|
||||
|
||||
diff --git a/lib/commonio.c b/lib/commonio.c
|
||||
index 26e518f2..94dda779 100644
|
||||
--- a/lib/commonio.c
|
||||
+++ b/lib/commonio.c
|
||||
@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
|
||||
int commonio_setname (struct commonio_db *db, const char *name)
|
||||
{
|
||||
snprintf (db->filename, sizeof (db->filename), "%s", name);
|
||||
+ db->setname = true;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -414,37 +415,39 @@ cleanup_ENOMEM:
|
||||
|
||||
int commonio_lock (struct commonio_db *db)
|
||||
{
|
||||
-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
|
||||
-#if 0
|
||||
- /*
|
||||
- * only if the system libc has a real lckpwdf() - the one from
|
||||
- * lockpw.c calls us and would cause infinite recursion!
|
||||
- */
|
||||
+ int i;
|
||||
|
||||
+#ifdef HAVE_LCKPWDF
|
||||
/*
|
||||
- * Call lckpwdf() on the first lock.
|
||||
- * If it succeeds, call *_lock() only once
|
||||
- * (no retries, it should always succeed).
|
||||
+ * Only if the system libc has a real lckpwdf() - the one from
|
||||
+ * lockpw.c calls us and would cause infinite recursion!
|
||||
+ * It is also not used with the prefix option.
|
||||
*/
|
||||
- if (0 == lock_count) {
|
||||
- if (lckpwdf () == -1) {
|
||||
- if (geteuid () != 0) {
|
||||
- (void) fprintf (stderr,
|
||||
- "%s: Permission denied.\n",
|
||||
- Prog);
|
||||
+ if (!db->setname) {
|
||||
+ /*
|
||||
+ * Call lckpwdf() on the first lock.
|
||||
+ * If it succeeds, call *_lock() only once
|
||||
+ * (no retries, it should always succeed).
|
||||
+ */
|
||||
+ if (0 == lock_count) {
|
||||
+ if (lckpwdf () == -1) {
|
||||
+ if (geteuid () != 0) {
|
||||
+ (void) fprintf (stderr,
|
||||
+ "%s: Permission denied.\n",
|
||||
+ Prog);
|
||||
+ }
|
||||
+ return 0; /* failure */
|
||||
}
|
||||
- return 0; /* failure */
|
||||
}
|
||||
- }
|
||||
|
||||
- if (commonio_lock_nowait (db, true) != 0) {
|
||||
- return 1; /* success */
|
||||
- }
|
||||
+ if (commonio_lock_nowait (db, true) != 0) {
|
||||
+ return 1; /* success */
|
||||
+ }
|
||||
|
||||
- ulckpwdf ();
|
||||
- return 0; /* failure */
|
||||
-#else /* !HAVE_LCKPWDF */
|
||||
- int i;
|
||||
+ ulckpwdf ();
|
||||
+ return 0; /* failure */
|
||||
+ }
|
||||
+#endif /* !HAVE_LCKPWDF */
|
||||
|
||||
/*
|
||||
* lckpwdf() not used - do it the old way.
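Review bot: The `#endif /* !HAVE_LCKPWDF */` comment closes `#ifdef HAVE_LCKPWDF`, so it should read `#endif /* HAVE_LCKPWDF */`; the negated form was only right for the old `#else` branch it was copied from. The restored failure path calls `ulckpwdf ()` whether or not this call was the one that took the lckpwdf lock (a non-zero `lock_count` means an earlier lock still holds it), which is pre-existing behaviour but worth a comment now that the code is live again for the non-prefix case. With `db->setname` set, the prefix path falls through to shadow's own lock files only, as the commit message says.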
|
||||
@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
|
||||
}
|
||||
}
|
||||
return 0; /* failure */
|
||||
-#endif /* !HAVE_LCKPWDF */
|
||||
}
|
||||
|
||||
static void dec_lock_count (void)
|
||||
diff --git a/lib/commonio.h b/lib/commonio.h
|
||||
index 40e5708f..64e83073 100644
|
||||
--- a/lib/commonio.h
|
||||
+++ b/lib/commonio.h
|
||||
@@ -143,6 +143,7 @@ struct commonio_db {
|
||||
bool isopen:1;
|
||||
bool locked:1;
|
||||
bool readonly:1;
|
||||
+ bool setname:1;
|
||||
};
|
||||
|
||||
extern int commonio_setname (struct commonio_db *, const char *);
|
||||
diff --git a/lib/groupio.c b/lib/groupio.c
|
||||
index ae2302b5..bffb06e0 100644
|
||||
--- a/lib/groupio.c
|
||||
+++ b/lib/groupio.c
|
||||
@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int gr_setdbname (const char *filename)
|
||||
diff --git a/lib/pwio.c b/lib/pwio.c
|
||||
index 7ee85377..127719cb 100644
|
||||
--- a/lib/pwio.c
|
||||
+++ b/lib/pwio.c
|
||||
@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int pw_setdbname (const char *filename)
|
||||
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
|
||||
index 5423626a..ffbdb263 100644
|
||||
--- a/lib/sgroupio.c
|
||||
+++ b/lib/sgroupio.c
|
||||
@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int sgr_setdbname (const char *filename)
|
||||
diff --git a/lib/shadowio.c b/lib/shadowio.c
|
||||
index 5fa3d312..676b1f1a 100644
|
||||
--- a/lib/shadowio.c
|
||||
+++ b/lib/shadowio.c
|
||||
@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int spw_setdbname (const char *filename)
|
||||
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
|
||||
index a662e67e..dd779c59 100644
|
||||
--- a/lib/subordinateio.c
|
||||
+++ b/lib/subordinateio.c
|
||||
@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int sub_uid_setdbname (const char *filename)
|
||||
@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int sub_gid_setdbname (const char *filename)
|
@ -1,20 +0,0 @@
|
||||
diff -up shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists 2023-05-17 10:39:41.457826153 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2023-05-17 10:41:30.937036772 +0200
|
||||
@@ -2019,14 +2019,14 @@ static void usr_update (void)
|
||||
fail_exit (E_PW_UPDATE);
|
||||
}
|
||||
#ifdef ENABLE_SUBIDS
|
||||
- if (is_sub_uid &&
|
||||
+ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
|
||||
(sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
|
||||
fprintf (stderr,
|
||||
_("%s: failed to prepare the new %s entry\n"),
|
||||
Prog, sub_uid_dbname ());
|
||||
fail_exit (E_SUB_UID_UPDATE);
|
||||
}
|
||||
- if (is_sub_gid &&
|
||||
+ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
|
||||
(sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
|
||||
fprintf (stderr,
|
||||
_("%s: failed to prepare the new %s entry\n"),
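Review bot: When `local_sub_uid_assigned(user_name)` is true the `sub_uid_add` call is skipped without any message, so an administrator who requested a range (or the range presumably found by find_new_sub_uids earlier in main) gets no indication that the existing assignment was kept; a short comment above the `if`, `/* keep an existing local range rather than adding a second one */`, or a debug-level log would make the choice explicit. `local_sub_uid_assigned` and `local_sub_gid_assigned` are not declared in this patch; confirm their prototypes are visible to useradd.c. `usr_update` starts outside the hunk.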
|
@ -1,44 +0,0 @@
|
||||
From 663824ef4ca927aa2b4319b69e0bfa68282ec719 Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Sat, 22 May 2021 11:42:02 -0500
|
||||
Subject: [PATCH] Fix useradd with SUB_UID_COUNT=0
|
||||
|
||||
Closes #298
|
||||
|
||||
Fix useradd when SUB_UID_COUNT=0 in login.defs.
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
---
|
||||
src/useradd.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index 06accb2f..9862ae55 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -2386,6 +2386,8 @@ int main (int argc, char **argv)
|
||||
#ifdef ENABLE_SUBIDS
|
||||
uid_t uid_min;
|
||||
uid_t uid_max;
|
||||
+ unsigned long subuid_count;
|
||||
+ unsigned long subgid_count;
|
||||
#endif
|
||||
|
||||
/*
|
||||
@@ -2427,9 +2429,11 @@ int main (int argc, char **argv)
|
||||
#ifdef ENABLE_SUBIDS
|
||||
uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
|
||||
uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
|
||||
- is_sub_uid = sub_uid_file_present () && !rflg &&
|
||||
+ subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536);
|
||||
+ subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536);
|
||||
+ is_sub_uid = subuid_count > 0 && sub_uid_file_present () && !rflg &&
|
||||
(!user_id || (user_id <= uid_max && user_id >= uid_min));
|
||||
- is_sub_gid = sub_gid_file_present () && !rflg &&
|
||||
+ is_sub_gid = subgid_count > 0 && sub_gid_file_present () && !rflg &&
|
||||
(!user_id || (user_id <= uid_max && user_id >= uid_min));
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
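Review bot: The defaults at the new `getdef_ulong` calls are bare `65536` where the neighbouring calls write their defaults as `1000UL`/`60000UL`; `65536UL` matches the parameter type and the file's style. `subuid_count` and `subgid_count` are declared in the earlier hunk only under `#ifdef ENABLE_SUBIDS`, which matches the guard here.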
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,21 +0,0 @@
|
||||
diff -up shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids 2021-11-03 11:55:00.189562187 +0100
|
||||
+++ shadow-4.6/src/useradd.c 2021-11-03 11:57:34.128658978 +0100
|
||||
@@ -2350,7 +2350,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
#ifdef ENABLE_SUBIDS
|
||||
- if (is_sub_uid) {
|
||||
+ if (is_sub_uid && subuid_count != 0) {
|
||||
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: can't create subordinate user IDs\n"),
|
||||
@@ -2358,7 +2358,7 @@ int main (int argc, char **argv)
|
||||
fail_exit(E_SUB_UID_UPDATE);
|
||||
}
|
||||
}
|
||||
- if (is_sub_gid) {
|
||||
+ if (is_sub_gid && subgid_count != 0) {
|
||||
if (find_new_sub_gids(user_name, &sub_gid_start, &sub_gid_count) < 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: can't create subordinate group IDs\n"),
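Review bot: The `subuid_count != 0` test at the changed line is redundant if `is_sub_uid` is computed as in the SUB_UID_COUNT=0 patch shown earlier on this page (`is_sub_uid = subuid_count > 0 && …`); keeping both means two places must agree on the same rule, so either drop the extra test or note which one is authoritative, e.g. `/* subuid_count is already folded into is_sub_uid; kept as belt and braces */`. The same applies to `subgid_count != 0` in the second hunk. Whether both patches are applied to the same tree is not visible here.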
|
@ -1,322 +0,0 @@
|
||||
From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Tue, 3 Aug 2021 08:57:20 +0200
|
||||
Subject: [PATCH] usermod: allow all group types with -G option
|
||||
|
||||
The only way of removing a group from the supplementary list is to use
|
||||
-G option, and list all groups that the user is a member of except for
|
||||
the one that wants to be removed. The problem lies when there's a user
|
||||
that contains both local and remote groups, and the group to be removed
|
||||
is a local one. As we need to include the remote group with -G option
|
||||
the command will fail.
|
||||
|
||||
This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
|
||||
it would be possible to remove the remote groups from the supplementary
|
||||
list.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
|
||||
Resolves: https://github.com/shadow-maint/shadow/issues/338
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
src/usermod.c | 220 ++++++++++++++++++--------------------------------
|
||||
1 file changed, 77 insertions(+), 143 deletions(-)
|
||||
|
||||
diff --git a/src/usermod.c b/src/usermod.c
|
||||
index 03bb9b9d..a0c03afa 100644
|
||||
--- a/src/usermod.c
|
||||
+++ b/src/usermod.c
|
||||
@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
|
||||
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
|
||||
long int date);
|
||||
static int get_groups (char *);
|
||||
-static struct group * get_local_group (char * grp_name);
|
||||
static /*@noreturn@*/void usage (int status);
|
||||
static void new_pwent (struct passwd *);
|
||||
static void new_spent (struct spwd *);
|
||||
@@ -201,9 +200,7 @@ static void grp_update (void);
|
||||
|
||||
static void process_flags (int, char **);
|
||||
static void close_files (void);
|
||||
-static void close_group_files (void);
|
||||
static void open_files (void);
|
||||
-static void open_group_files (void);
|
||||
static void usr_update (void);
|
||||
static void move_home (void);
|
||||
static void update_lastlog (void);
|
||||
@@ -260,11 +257,6 @@ static int get_groups (char *list)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Open the group files
|
||||
- */
|
||||
- open_group_files ();
|
||||
-
|
||||
/*
|
||||
* So long as there is some data to be converted, strip off each
|
||||
* name and look it up. A mix of numerical and string values for
|
||||
@@ -284,7 +276,7 @@ static int get_groups (char *list)
|
||||
* Names starting with digits are treated as numerical GID
|
||||
* values, otherwise the string is looked up as is.
|
||||
*/
|
||||
- grp = get_local_group (list);
|
||||
+ grp = prefix_getgr_nam_gid (list);
|
||||
|
||||
/*
|
||||
* There must be a match, either by GID value or by
|
||||
@@ -334,8 +326,6 @@ static int get_groups (char *list)
|
||||
gr_free ((struct group *)grp);
|
||||
} while (NULL != list);
|
||||
|
||||
- close_group_files ();
|
||||
-
|
||||
user_groups[ngroups] = (char *) 0;
|
||||
|
||||
/*
|
||||
@@ -348,44 +338,6 @@ static int get_groups (char *list)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * get_local_group - checks if a given group name exists locally
|
||||
- *
|
||||
- * get_local_group() checks if a given group name exists locally.
|
||||
- * If the name exists the group information is returned, otherwise NULL is
|
||||
- * returned.
|
||||
- */
|
||||
-static struct group * get_local_group(char * grp_name)
|
||||
-{
|
||||
- const struct group *grp;
|
||||
- struct group *result_grp = NULL;
|
||||
- long long int gid;
|
||||
- char *endptr;
|
||||
-
|
||||
- gid = strtoll (grp_name, &endptr, 10);
|
||||
- if ( ('\0' != *grp_name)
|
||||
- && ('\0' == *endptr)
|
||||
- && (ERANGE != errno)
|
||||
- && (gid == (gid_t)gid)) {
|
||||
- grp = gr_locate_gid ((gid_t) gid);
|
||||
- }
|
||||
- else {
|
||||
- grp = gr_locate(grp_name);
|
||||
- }
|
||||
-
|
||||
- if (grp != NULL) {
|
||||
- result_grp = __gr_dup (grp);
|
||||
- if (NULL == result_grp) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: Out of memory. Cannot find group '%s'.\n"),
|
||||
- Prog, grp_name);
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- return result_grp;
|
||||
-}
|
||||
-
|
||||
#ifdef ENABLE_SUBIDS
|
||||
struct ulong_range
|
||||
{
|
||||
@@ -1523,7 +1475,50 @@ static void close_files (void)
|
||||
}
|
||||
|
||||
if (Gflg || lflg) {
|
||||
- close_group_files ();
|
||||
+ if (gr_close () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failure while writing changes to %s\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failure while writing changes to %s",
|
||||
+ gr_dbname ()));
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp) {
|
||||
+ if (sgr_close () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failure while writing changes to %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failure while writing changes to %s",
|
||||
+ sgr_dbname ()));
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp) {
|
||||
+ if (sgr_unlock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failed to unlock %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failed to unlock %s",
|
||||
+ sgr_dbname ()));
|
||||
+ /* continue */
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+ if (gr_unlock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: failed to unlock %s\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ SYSLOG ((LOG_ERR,
|
||||
+ "failed to unlock %s",
|
||||
+ gr_dbname ()));
|
||||
+ /* continue */
|
||||
+ }
|
||||
}
|
||||
|
||||
if (is_shadow_pwd) {
|
||||
@@ -1592,60 +1587,6 @@ static void close_files (void)
|
||||
#endif
|
||||
}
|
||||
|
||||
-/*
|
||||
- * close_group_files - close all of the files that were opened
|
||||
- *
|
||||
- * close_group_files() closes all of the files that were opened related
|
||||
- * with groups. This causes any modified entries to be written out.
|
||||
- */
|
||||
-static void close_group_files (void)
|
||||
-{
|
||||
- if (gr_close () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failure while writing changes to %s\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failure while writing changes to %s",
|
||||
- gr_dbname ()));
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp) {
|
||||
- if (sgr_close () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failure while writing changes to %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failure while writing changes to %s",
|
||||
- sgr_dbname ()));
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp) {
|
||||
- if (sgr_unlock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failed to unlock %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failed to unlock %s",
|
||||
- sgr_dbname ()));
|
||||
- /* continue */
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
- if (gr_unlock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: failed to unlock %s\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- SYSLOG ((LOG_ERR,
|
||||
- "failed to unlock %s",
|
||||
- gr_dbname ()));
|
||||
- /* continue */
|
||||
- }
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* open_files - lock and open the password files
|
||||
*
|
||||
@@ -1681,7 +1622,38 @@ static void open_files (void)
|
||||
}
|
||||
|
||||
if (Gflg || lflg) {
|
||||
- open_group_files ();
|
||||
+ /*
|
||||
+ * Lock and open the group file. This will load all of the
|
||||
+ * group entries.
|
||||
+ */
|
||||
+ if (gr_lock () == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot lock %s; try again later.\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ gr_locked = true;
|
||||
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot open %s\n"),
|
||||
+ Prog, gr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (is_shadow_grp && (sgr_lock () == 0)) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot lock %s; try again later.\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+ sgr_locked = true;
|
||||
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot open %s\n"),
|
||||
+ Prog, sgr_dbname ());
|
||||
+ fail_exit (E_GRP_UPDATE);
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
#ifdef ENABLE_SUBIDS
|
||||
if (vflg || Vflg) {
|
||||
@@ -1717,44 +1689,6 @@ static void open_files (void)
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
}
|
||||
|
||||
-/*
|
||||
- * open_group_files - lock and open the group files
|
||||
- *
|
||||
- * open_group_files() loads all of the group entries.
|
||||
- */
|
||||
-static void open_group_files (void)
|
||||
-{
|
||||
- if (gr_lock () == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot lock %s; try again later.\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- gr_locked = true;
|
||||
- if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot open %s\n"),
|
||||
- Prog, gr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-
|
||||
-#ifdef SHADOWGRP
|
||||
- if (is_shadow_grp && (sgr_lock () == 0)) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot lock %s; try again later.\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
- sgr_locked = true;
|
||||
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: cannot open %s\n"),
|
||||
- Prog, sgr_dbname ());
|
||||
- fail_exit (E_GRP_UPDATE);
|
||||
- }
|
||||
-#endif
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* usr_update - create the user entries
|
||||
*
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,42 +0,0 @@
|
||||
diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
|
||||
--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200
|
||||
@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
|
||||
{
|
||||
long long int gid;
|
||||
char *endptr;
|
||||
+ struct group *g;
|
||||
|
||||
if (NULL == grname) {
|
||||
return NULL;
|
||||
@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
|
||||
&& (gid == (gid_t)gid)) {
|
||||
return prefix_getgrgid ((gid_t) gid);
|
||||
}
|
||||
- return prefix_getgrnam (grname);
|
||||
+ g = prefix_getgrnam (grname);
|
||||
+ return g ? __gr_dup(g) : NULL;
|
||||
}
|
||||
else
|
||||
return getgr_nam_gid(grname);
|
||||
diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
|
||||
--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200
|
||||
+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200
|
||||
@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
|
||||
prefix_user_home = xmalloc(len);
|
||||
wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
|
||||
assert (wlen == (int) len -1);
|
||||
+ if (user_newhome) {
|
||||
+ len = strlen(prefix) + strlen(user_newhome) + 2;
|
||||
+ prefix_user_newhome = xmalloc(len);
|
||||
+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
|
||||
+ assert (wlen == (int) len -1);
|
||||
+ }
|
||||
|
||||
- len = strlen(prefix) + strlen(user_newhome) + 2;
|
||||
- prefix_user_newhome = xmalloc(len);
|
||||
- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
|
||||
- assert (wlen == (int) len -1);
|
||||
}
|
||||
else {
|
||||
prefix_user_home = user_home;
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAlrncOkACgkQ6f7qBqhe
|
||||
P52UGAf/eOnoIYIZ52y72iMxeNfQMTMjYTZd1YrtjlK0RQKquK7FrCOg91MvOF2B
|
||||
hLVKu2OU7mzuPTMSAraAxjXLkrM0E3vFjMtu1fHBGlGTMspAfik/9Gu9qoevAKXy
|
||||
BRqgN5m5HMfoGPeEjzILzaGq8bnPKIOfJ0iAYVkjjIa73Vn20uTmNgNZIRqHqwfw
|
||||
5GUFHn6cjQXFcQ3ngywgwQD7/h/65w8dBbGysF551sAqzPJRbneQL9Wtklcqi1ub
|
||||
55NyF0ifT67RqMh+EyxhuhXP1Hi57PTEAeqaFMFxnPlQPb+8pQ8nszWBmI+vUN8D
|
||||
FmhwCtSTnmKlj0jeAqevmkijJhGPQQ==
|
||||
=fk/F
|
||||
-----END PGP SIGNATURE-----
|
@ -1,108 +0,0 @@
|
||||
From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Wed, 13 Jul 2022 09:55:14 +0200
|
||||
Subject: [PATCH] subordinateio: also compare the owner ID
|
||||
|
||||
IDs already populate /etc/subuid and /etc/subgid files so it's necessary
|
||||
not only to check for the owner name but also for the owner ID of a
|
||||
given range.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 50 insertions(+)
|
||||
|
||||
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
|
||||
index 9ca70b8b..6bc45283 100644
|
||||
--- a/lib/subordinateio.c
|
||||
+++ b/lib/subordinateio.c
|
||||
@@ -17,6 +17,8 @@
|
||||
#include <ctype.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
+#define ID_SIZE 31
|
||||
+
|
||||
/*
|
||||
* subordinate_dup: create a duplicate range
|
||||
*
|
||||
@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
|
||||
return start == ULONG_MAX ? (gid_t) -1 : start;
|
||||
}
|
||||
|
||||
+static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
|
||||
+{
|
||||
+ struct passwd *pw;
|
||||
+ struct group *gr;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ switch (id_type) {
|
||||
+ case ID_TYPE_UID:
|
||||
+ pw = getpwnam(owner);
|
||||
+ if (pw == NULL) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
|
||||
+ if (ret < 0 || ret >= ID_SIZE) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ break;
|
||||
+ case ID_TYPE_GID:
|
||||
+ gr = getgrnam(owner);
|
||||
+ if (gr == NULL) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
|
||||
+ if (ret < 0 || ret >= ID_SIZE) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
|
||||
*
|
||||
@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
enum subid_status status;
|
||||
int count = 0;
|
||||
struct subid_nss_ops *h;
|
||||
+ char id[ID_SIZE];
|
||||
+ bool have_owner_id;
|
||||
|
||||
*in_ranges = NULL;
|
||||
|
||||
@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ have_owner_id = get_owner_id(owner, id_type, id);
|
||||
+
|
||||
commonio_rewind(db);
|
||||
while ((range = commonio_next(db)) != NULL) {
|
||||
if (0 == strcmp(range->owner, owner)) {
|
||||
@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ // Let's also compare with the ID
|
||||
+ if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
|
||||
+ if (!append_range(&ranges, range, count++)) {
|
||||
+ free(ranges);
|
||||
+ ranges = NULL;
|
||||
+ count = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
out:
|
||||
--
|
||||
2.36.1
|
||||
|
@ -1,98 +0,0 @@
|
||||
#
|
||||
# Please note that the parameters in this configuration file control the
|
||||
# behavior of the tools from the shadow-utils component. None of these
|
||||
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
||||
# passwd command) should therefore be configured elsewhere. Refer to
|
||||
# /etc/pam.d/system-auth for more information.
|
||||
#
|
||||
|
||||
# *REQUIRED*
|
||||
# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
|
||||
# QMAIL_DIR is for Qmail
|
||||
#
|
||||
#QMAIL_DIR Maildir
|
||||
MAIL_DIR /var/spool/mail
|
||||
#MAIL_FILE .mail
|
||||
|
||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories if HOME_MODE is not set.
|
||||
# 022 is the default value, but 027, or even 077, could be considered
|
||||
# for increased privacy. There is no One True Answer here: each sysadmin
|
||||
# must make up their mind.
|
||||
UMASK 022
|
||||
|
||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories.
|
||||
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
||||
HOME_MODE 0700
|
||||
|
||||
# Password aging controls:
|
||||
#
|
||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
||||
# PASS_MIN_LEN Minimum acceptable password length.
|
||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||
#
|
||||
PASS_MAX_DAYS 99999
|
||||
PASS_MIN_DAYS 0
|
||||
PASS_MIN_LEN 5
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
#
|
||||
# Min/max values for automatic uid selection in useradd
|
||||
#
|
||||
UID_MIN 1000
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
SYS_UID_MIN 201
|
||||
SYS_UID_MAX 999
|
||||
|
||||
#
|
||||
# Min/max values for automatic gid selection in groupadd
|
||||
#
|
||||
GID_MIN 1000
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
SYS_GID_MIN 201
|
||||
SYS_GID_MAX 999
|
||||
|
||||
#
|
||||
# If defined, this command is run when removing a user.
|
||||
# It should remove any at/cron/print jobs etc. owned by
|
||||
# the user to be removed (passed as the first argument).
|
||||
#
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
# If useradd should create home directories for users by default
|
||||
# On RH systems, we do. This option is overridden with the -m flag on
|
||||
# useradd command line.
|
||||
#
|
||||
CREATE_HOME yes
|
||||
|
||||
# This enables userdel to remove user groups if no members exist.
|
||||
#
|
||||
USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
|
||||
#
|
||||
ENCRYPT_METHOD SHA512
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
#
|
||||
# Define the number of SHA rounds.
|
||||
# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
# However, more CPU resources will be needed to authenticate users if
|
||||
# this value is increased.
|
||||
#
|
||||
# The values must be within the 1000-999999999 range.
|
||||
#
|
||||
SHA_CRYPT_MAX_ROUNDS 5000
|
||||
|
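--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,9 @@
+# recipients: sssd-qe
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+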
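--- /dev/null
+++ b/passwd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+# This tool only uses the password stack.
+password substack system-auth
+-password optional pam_gnome_keyring.so use_authtok
+password substack postlogin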
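Review bot: The leading `-` on `-password optional pam_gnome_keyring.so use_authtok` is PAM configuration syntax (pam.conf(5): do not log an error if the module cannot be loaded), not a diff deletion marker, yet in this rendering it reads exactly like one and the new file carries no comment explaining it. I would add above that line `# leading '-': skip silently if pam_gnome_keyring.so is not installed`. Because the entry is `optional` and sits between two substacks, a keyring failure presumably cannot fail the password change either way, so the prefix only controls whether a missing module is logged; stating that in the comment would save the next reader the same question.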
441
shadow-4.13-newidmap-support-passing-pid-as-fd.patch
Normal file
441
shadow-4.13-newidmap-support-passing-pid-as-fd.patch
Normal file
@ -0,0 +1,441 @@
|
||||
From 6974df39a708abf8bafbdfa2b7827e0f70f874cb Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Mon, 6 Feb 2023 22:49:42 -0600
|
||||
Subject: [PATCH] newuidmap and newgidmap: support passing pid as fd
|
||||
|
||||
Closes #635
|
||||
|
||||
newuidmap and newgidmap currently take an integer pid as
|
||||
the first argument, determining the process id on which to
|
||||
act. Accept also "fd:N", where N must be an open file
|
||||
descriptor to the /proc/pid directory for the process to
|
||||
act upon. This way, if you
|
||||
|
||||
exec 10</proc/99
|
||||
newuidmap fd:10 100000 0 65536
|
||||
|
||||
and pid 99 dies and a new process happens to take pid 99 before
|
||||
newuidmap happens to do its work, then since newuidmap will use
|
||||
openat() using fd 10, it won't change the mapping for the new
|
||||
process.
|
||||
|
||||
Example:
|
||||
|
||||
// terminal 1:
|
||||
serge@jerom ~/src/nsexec$ ./nsexec -W -s 0 -S 0 -U
|
||||
about to unshare with 10000000
|
||||
Press any key to exec (I am 129176)
|
||||
|
||||
// terminal 2:
|
||||
serge@jerom ~/src/shadow$ exec 10</proc/129176
|
||||
serge@jerom ~/src/shadow$ sudo chown root src/newuidmap src/newgidmap
|
||||
serge@jerom ~/src/shadow$ sudo chmod u+s src/newuidmap
|
||||
serge@jerom ~/src/shadow$ sudo chmod u+s src/newgidmap
|
||||
serge@jerom ~/src/shadow$ ./src/newuidmap fd:10 0 100000 10
|
||||
serge@jerom ~/src/shadow$ ./src/newgidmap fd:10 0 100000 10
|
||||
|
||||
// Terminal 1:
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
---
|
||||
lib/get_pid.c | 51 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
lib/prototypes.h | 2 ++
|
||||
man/newgidmap.1.xml | 11 ++++++++++
|
||||
man/newuidmap.1.xml | 11 ++++++++++
|
||||
src/newgidmap.c | 41 ++++++++++++++----------------------
|
||||
src/newuidmap.c | 40 +++++++++++++----------------------
|
||||
6 files changed, 106 insertions(+), 50 deletions(-)
|
||||
|
||||
diff --git a/lib/get_pid.c b/lib/get_pid.c
|
||||
index 10184bf0..ab91d158 100644
|
||||
--- a/lib/get_pid.c
|
||||
+++ b/lib/get_pid.c
|
||||
@@ -10,6 +10,9 @@
|
||||
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <fcntl.h>
|
||||
|
||||
int get_pid (const char *pidstr, pid_t *pid)
|
||||
{
|
||||
@@ -29,3 +32,51 @@ int get_pid (const char *pidstr, pid_t *pid)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * If use passed in fd:4 as an argument, then return the
|
||||
+ * value '4', the fd to use.
|
||||
+ */
|
||||
+int get_pidfd_from_fd(const char *pidfdstr)
|
||||
+{
|
||||
+ long long int val;
|
||||
+ char *endptr;
|
||||
+
|
||||
+ errno = 0;
|
||||
+ val = strtoll (pidfdstr, &endptr, 10);
|
||||
+ if ( ('\0' == *pidfdstr)
|
||||
+ || ('\0' != *endptr)
|
||||
+ || (ERANGE == errno)
|
||||
+ || (/*@+longintegral@*/val != (pid_t)val)/*@=longintegral@*/) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return (int)val;
|
||||
+}
|
||||
+
|
||||
+int open_pidfd(const char *pidstr)
|
||||
+{
|
||||
+ int proc_dir_fd;
|
||||
+ int written;
|
||||
+ char proc_dir_name[32];
|
||||
+ pid_t target;
|
||||
+
|
||||
+ if (get_pid(pidstr, &target) == 0)
|
||||
+ return -ENOENT;
|
||||
+
|
||||
+ /* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
|
||||
+ written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
|
||||
+ target);
|
||||
+ if ((written <= 0) || ((size_t)written >= sizeof(proc_dir_name))) {
|
||||
+ fprintf(stderr, "snprintf of proc path failed for %u: %s\n",
|
||||
+ target, strerror(errno));
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
|
||||
+ if (proc_dir_fd < 0) {
|
||||
+ fprintf(stderr, _("Could not open proc directory for target %u: %s\n"),
|
||||
+ target, strerror(errno));
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+ return proc_dir_fd;
|
||||
+}
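Review bot: The new failure message in open_pidfd, `"snprintf of proc path failed for %u: %s\n", target, strerror(errno)`, passes a signed `pid_t` to `%u` and reports `errno` after a call that does not set it on truncation, so the text can show a stale error from an earlier call. This patch already prints ids as `(unsigned long int)` with `%lu` in the ownership message of newgidmap.c and newuidmap.c, so `"snprintf of proc path failed for %lu\n", (unsigned long int) target` keeps the style and drops the misleading strerror. The `open(proc_dir_name, O_DIRECTORY)` at the end of the function could also take `O_RDONLY | O_CLOEXEC`; nothing in this hunk execs, so that is hardening rather than a defect.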
|
||||
diff --git a/lib/prototypes.h b/lib/prototypes.h
|
||||
index 400d5b97..21df6f61 100644
|
||||
--- a/lib/prototypes.h
|
||||
+++ b/lib/prototypes.h
|
||||
@@ -160,6 +160,8 @@ extern int getlong (const char *numstr, /*@out@*/long int *result);
|
||||
|
||||
/* get_pid.c */
|
||||
extern int get_pid (const char *pidstr, pid_t *pid);
|
||||
+extern int get_pidfd_from_fd(const char *pidfdstr);
|
||||
+extern int open_pidfd(const char *pidstr);
|
||||
|
||||
/* getrange */
|
||||
extern int getrange (const char *range,
|
||||
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
|
||||
index e4ebc69e..9b7683eb 100644
|
||||
--- a/man/newgidmap.1.xml
|
||||
+++ b/man/newgidmap.1.xml
|
||||
@@ -116,6 +116,17 @@
|
||||
<para>
|
||||
Note that newgidmap may be used only once for a given process.
|
||||
</para>
|
||||
+ <para>
|
||||
+ Instead of an integer process id, the first argument may be
|
||||
+ specified as <replaceable>fd:N</replaceable>, where the integer N
|
||||
+ is the file descriptor number for the calling process's opened
|
||||
+ file for <filename>/proc/[pid[</filename>. In this case,
|
||||
+ <command>newgidmap</command> will use
|
||||
+ <refentrytitle>openat</refentrytitle><manvolnum>2</manvolnum>
|
||||
+ to open the <filename>gid_map</filename> file under that
|
||||
+ directory, avoiding a TOCTTOU in case the process exits and
|
||||
+ the pid is immediately reused.
|
||||
+ </para>
|
||||
|
||||
</refsect1>
|
||||
|
||||
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
|
||||
index f5cb5b48..ca917a77 100644
|
||||
--- a/man/newuidmap.1.xml
|
||||
+++ b/man/newuidmap.1.xml
|
||||
@@ -116,6 +116,17 @@
|
||||
<para>
|
||||
Note that newuidmap may be used only once for a given process.
|
||||
</para>
|
||||
+ <para>
|
||||
+ Instead of an integer process id, the first argument may be
|
||||
+ specified as <replaceable>fd:N</replaceable>, where the integer N
|
||||
+ is the file descriptor number for the calling process's opened
|
||||
+ file for <filename>/proc/[pid[</filename>. In this case,
|
||||
+ <command>newuidmap</command> will use
|
||||
+ <refentrytitle>openat</refentrytitle><manvolnum>2</manvolnum>
|
||||
+ to open the <filename>uid_map</filename> file under that
|
||||
+ directory, avoiding a TOCTTOU in case the process exits and
|
||||
+ the pid is immediately reused.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id='options'>
|
||||
diff --git a/src/newgidmap.c b/src/newgidmap.c
|
||||
index 01d0fe90..d6d29725 100644
|
||||
--- a/src/newgidmap.c
|
||||
+++ b/src/newgidmap.c
|
||||
@@ -69,7 +69,7 @@ static void verify_ranges(struct passwd *pw, int ranges,
|
||||
|
||||
static void usage(void)
|
||||
{
|
||||
- fprintf(stderr, _("usage: %s <pid> <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n"), Prog);
|
||||
+ fprintf(stderr, _("usage: %s [<pid|fd:<pidfd>] <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n"), Prog);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
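Review bot: The new usage string `usage: %s [<pid|fd:<pidfd>] <gid> <lowergid> <count> ...` has an unclosed `<pid` and wraps the mandatory first argument in `[...]`, which conventionally marks it optional; newuidmap's version in the same patch reads `[<pid>|fd:<pidfd>]`, so the two tools also disagree. I would write `usage: %s <pid>|fd:<N> <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n` in both. `pidfd` is a misleading name here as well: per the man page text in this patch, N is a descriptor for the `/proc/<pid>` directory, not a pidfd_open(2) pidfd, and that man page text spells the path `/proc/[pid[` where `/proc/[pid]` is meant.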
||||
@@ -143,15 +143,12 @@ out:
|
||||
*/
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
- char proc_dir_name[32];
|
||||
char *target_str;
|
||||
- pid_t target;
|
||||
int proc_dir_fd;
|
||||
int ranges;
|
||||
struct map_range *mappings;
|
||||
struct stat st;
|
||||
struct passwd *pw;
|
||||
- int written;
|
||||
bool allow_setgroups = false;
|
||||
|
||||
Prog = Basename (argv[0]);
|
||||
@@ -168,25 +165,19 @@ int main(int argc, char **argv)
|
||||
/* Find the process that needs its user namespace
|
||||
* gid mapping set.
|
||||
*/
|
||||
- target_str = argv[1];
|
||||
- if (!get_pid(target_str, &target))
|
||||
- usage();
|
||||
|
||||
- /* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
|
||||
- written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
|
||||
- target);
|
||||
- if ((written <= 0) || (written >= sizeof(proc_dir_name))) {
|
||||
- fprintf(stderr, "%s: snprintf of proc path failed: %s\n",
|
||||
- Prog, strerror(errno));
|
||||
- }
|
||||
-
|
||||
- proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
|
||||
- if (proc_dir_fd < 0) {
|
||||
- fprintf(stderr, _("%s: Could not open proc directory for target %u\n"),
|
||||
- Prog, target);
|
||||
- return EXIT_FAILURE;
|
||||
+ target_str = argv[1];
|
||||
+ if (strlen(target_str) > 3 && strncmp(target_str, "fd:", 3) == 0) {
|
||||
+ /* the user passed in a /proc/pid fd for the process */
|
||||
+ target_str = &target_str[3];
|
||||
+ proc_dir_fd = get_pidfd_from_fd(target_str);
|
||||
+ if (proc_dir_fd < 0)
|
||||
+ usage();
|
||||
+ } else {
|
||||
+ proc_dir_fd = open_pidfd(target_str);
|
||||
+ if (proc_dir_fd < 0)
|
||||
+ usage();
|
||||
}
|
||||
-
|
||||
/* Who am i? */
|
||||
pw = get_my_pwent ();
|
||||
if (NULL == pw) {
|
||||
@@ -200,8 +191,8 @@ int main(int argc, char **argv)
|
||||
|
||||
/* Get the effective uid and effective gid of the target process */
|
||||
if (fstat(proc_dir_fd, &st) < 0) {
|
||||
- fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
|
||||
- Prog, target);
|
||||
+ fprintf(stderr, _("%s: Could not stat directory for process\n"),
|
||||
+ Prog);
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
@@ -213,8 +204,8 @@ int main(int argc, char **argv)
|
||||
(!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
|
||||
(pw->pw_uid != st.st_uid) ||
|
||||
(getgid() != st.st_gid)) {
|
||||
- fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
|
||||
- Prog, target,
|
||||
+ fprintf(stderr, _( "%s: Target process is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
|
||||
+ Prog,
|
||||
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
|
||||
(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
|
||||
return EXIT_FAILURE;
|
||||
diff --git a/src/newuidmap.c b/src/newuidmap.c
|
||||
index e8798409..e99655c9 100644
|
||||
--- a/src/newuidmap.c
|
||||
+++ b/src/newuidmap.c
|
||||
@@ -64,7 +64,7 @@ static void verify_ranges(struct passwd *pw, int ranges,
|
||||
|
||||
static void usage(void)
|
||||
{
|
||||
- fprintf(stderr, _("usage: %s <pid> <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ... \n"), Prog);
|
||||
+ fprintf(stderr, _("usage: %s [<pid>|fd:<pidfd>] <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ... \n"), Prog);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
@@ -73,15 +73,12 @@ static void usage(void)
|
||||
*/
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
- char proc_dir_name[32];
|
||||
char *target_str;
|
||||
- pid_t target;
|
||||
int proc_dir_fd;
|
||||
int ranges;
|
||||
struct map_range *mappings;
|
||||
struct stat st;
|
||||
struct passwd *pw;
|
||||
- int written;
|
||||
|
||||
Prog = Basename (argv[0]);
|
||||
log_set_progname(Prog);
|
||||
@@ -94,26 +91,20 @@ int main(int argc, char **argv)
|
||||
if (argc < 2)
|
||||
usage();
|
||||
|
||||
+ target_str = argv[1];
|
||||
/* Find the process that needs its user namespace
|
||||
* uid mapping set.
|
||||
*/
|
||||
- target_str = argv[1];
|
||||
- if (!get_pid(target_str, &target))
|
||||
- usage();
|
||||
-
|
||||
- /* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
|
||||
- written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
|
||||
- target);
|
||||
- if ((written <= 0) || (written >= sizeof(proc_dir_name))) {
|
||||
- fprintf(stderr, "%s: snprintf of proc path failed: %s\n",
|
||||
- Prog, strerror(errno));
|
||||
- }
|
||||
-
|
||||
- proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
|
||||
- if (proc_dir_fd < 0) {
|
||||
- fprintf(stderr, _("%s: Could not open proc directory for target %u\n"),
|
||||
- Prog, target);
|
||||
- return EXIT_FAILURE;
|
||||
+ if (strlen(target_str) > 3 && strncmp(target_str, "fd:", 3) == 0) {
|
||||
+ /* the user passed in a /proc/pid fd for the process */
|
||||
+ target_str = &target_str[3];
|
||||
+ proc_dir_fd = get_pidfd_from_fd(target_str);
|
||||
+ if (proc_dir_fd < 0)
|
||||
+ usage();
|
||||
+ } else {
|
||||
+ proc_dir_fd = open_pidfd(target_str);
|
||||
+ if (proc_dir_fd < 0)
|
||||
+ usage();
|
||||
}
|
||||
|
||||
/* Who am i? */
|
||||
@@ -129,8 +120,7 @@ int main(int argc, char **argv)
|
||||
|
||||
/* Get the effective uid and effective gid of the target process */
|
||||
if (fstat(proc_dir_fd, &st) < 0) {
|
||||
- fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
|
||||
- Prog, target);
|
||||
+ fprintf(stderr, _("%s: Could not stat directory for target process\n"), Prog);
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
@@ -142,8 +132,8 @@ int main(int argc, char **argv)
|
||||
(!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
|
||||
(pw->pw_uid != st.st_uid) ||
|
||||
(getgid() != st.st_gid)) {
|
||||
- fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
|
||||
- Prog, target,
|
||||
+ fprintf(stderr, _( "%s: Target process is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
|
||||
+ Prog,
|
||||
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
|
||||
(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
|
||||
return EXIT_FAILURE;
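Review bot: The rewritten message `Target process is owned by a different user: ...` no longer says which process was targeted, because the `target` variable went away with the pid-only path; for a setuid helper this is the one refusal an administrator will grep for, so the identifier is worth keeping. The original `argv[1]` (`<pid>` or `fd:N`) is still intact, since only the local `target_str` was advanced past the prefix, so a `%s` in the format with `Prog, argv[1],` restores the diagnostic without reintroducing the pid variable. The same applies to the `Could not stat directory for target process` message earlier in this function and to the matching messages in newgidmap.c; main() itself starts outside this hunk.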
|
||||
--
|
||||
2.39.2
|
||||
|
||||
From 7ff33fae6f9cd79c0e012671c37a172e9a681d0b Mon Sep 17 00:00:00 2001
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Fri, 24 Feb 2023 13:52:32 -0600
|
||||
Subject: [PATCH] get_pidfd_from_fd: return -1 on error, not 0
|
||||
|
||||
Fixes: 6974df39a: newuidmap and newgidmap: support passing pid as fd
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
---
|
||||
lib/get_pid.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/get_pid.c b/lib/get_pid.c
|
||||
index ab91d158..5b6d9da4 100644
|
||||
--- a/lib/get_pid.c
|
||||
+++ b/lib/get_pid.c
|
||||
@@ -35,6 +35,7 @@ int get_pid (const char *pidstr, pid_t *pid)
|
||||
/*
|
||||
* If use passed in fd:4 as an argument, then return the
|
||||
* value '4', the fd to use.
|
||||
+ * On error, return -1.
|
||||
*/
|
||||
int get_pidfd_from_fd(const char *pidfdstr)
|
||||
{
|
||||
@@ -47,7 +48,7 @@ int get_pidfd_from_fd(const char *pidfdstr)
|
||||
|| ('\0' != *endptr)
|
||||
|| (ERANGE == errno)
|
||||
|| (/*@+longintegral@*/val != (pid_t)val)/*@=longintegral@*/) {
|
||||
- return 0;
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
return (int)val;
|
||||
--
|
||||
2.39.2
|
||||
|
||||
From 05e2adf509ba0e3779dae66a276b86927a8e1e0e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Vin=C3=ADcius=20dos=20Santos=20Oliveira?=
|
||||
<vini.ipsmaker@gmail.com>
|
||||
Date: Fri, 24 Feb 2023 18:06:02 -0300
|
||||
Subject: [PATCH] Validate fds created by the user
|
||||
|
||||
write_mapping() will do the following:
|
||||
|
||||
openat(proc_dir_fd, map_file, O_WRONLY);
|
||||
|
||||
An attacker could create a directory containing a symlink named
|
||||
"uid_map" pointing to any file owned by root, and thus allow him to
|
||||
overwrite any root-owned file.
|
||||
---
|
||||
lib/get_pid.c | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/lib/get_pid.c b/lib/get_pid.c
|
||||
index 5b6d9da4..8e5e6014 100644
|
||||
--- a/lib/get_pid.c
|
||||
+++ b/lib/get_pid.c
|
||||
@@ -41,6 +41,8 @@ int get_pidfd_from_fd(const char *pidfdstr)
|
||||
{
|
||||
long long int val;
|
||||
char *endptr;
|
||||
+ struct stat st;
|
||||
+ dev_t proc_st_dev, proc_st_rdev;
|
||||
|
||||
errno = 0;
|
||||
val = strtoll (pidfdstr, &endptr, 10);
|
||||
@@ -51,6 +53,21 @@ int get_pidfd_from_fd(const char *pidfdstr)
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (stat("/proc/self/uid_map", &st) < 0) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ proc_st_dev = st.st_dev;
|
||||
+ proc_st_rdev = st.st_rdev;
|
||||
+
|
||||
+ if (fstat(val, &st) < 0) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
return (int)val;
|
||||
}
|
||||
|
||||
--
|
||||
2.39.2
|
||||
|
288
shadow-4.14.0-passwd-stdin.patch
Normal file
@ -0,0 +1,288 @@
|
||||
diff -up shadow-4.14.0/libmisc/agetpass.c.orig shadow-4.14.0/libmisc/agetpass.c
|
||||
--- shadow-4.14.0/libmisc/agetpass.c.orig 2024-01-24 20:06:20.557577853 +0100
|
||||
+++ shadow-4.14.0/libmisc/agetpass.c 2024-01-24 21:21:06.379445080 +0100
|
||||
@@ -32,6 +32,7 @@
|
||||
* SYNOPSIS
|
||||
* [[gnu::malloc(erase_pass)]]
|
||||
* char *agetpass(const char *prompt);
|
||||
+ * char *agetpass_stdin();
|
||||
*
|
||||
* void erase_pass(char *pass);
|
||||
*
|
||||
@@ -64,6 +65,10 @@
|
||||
* erased by calling erase_pass(), to avoid possibly leaking the
|
||||
* password.
|
||||
*
|
||||
+ * agetpass_stdin()
|
||||
+ * This function is the same as previous one (agetpass). Just the
|
||||
+ * password is read from stdin and terminal is not required.
|
||||
+ *
|
||||
* erase_pass()
|
||||
* This function first clears the password, by calling
|
||||
* explicit_bzero(3) (or an equivalent call), and then frees the
|
||||
@@ -92,8 +97,8 @@
|
||||
*/
|
||||
|
||||
|
||||
-char *
|
||||
-agetpass(const char *prompt)
|
||||
+static char *
|
||||
+agetpass_internal(const char *prompt, int flags)
|
||||
{
|
||||
char *pass;
|
||||
size_t len;
|
||||
@@ -110,7 +115,7 @@ agetpass(const char *prompt)
|
||||
if (pass == NULL)
|
||||
return NULL;
|
||||
|
||||
- if (readpassphrase(prompt, pass, PASS_MAX + 2, RPP_REQUIRE_TTY) == NULL)
|
||||
+ if (readpassphrase(prompt, pass, PASS_MAX + 2, flags) == NULL)
|
||||
goto fail;
|
||||
|
||||
len = strlen(pass);
|
||||
@@ -126,6 +131,17 @@ fail:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+char *
|
||||
+agetpass(const char *prompt)
|
||||
+{
|
||||
+ return agetpass_internal(prompt, RPP_REQUIRE_TTY);
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+agetpass_stdin()
|
||||
+{
|
||||
+ return agetpass_internal(NULL, RPP_STDIN);
|
||||
+}
|
||||
|
||||
void
|
||||
erase_pass(char *pass)
|
||||
diff -up shadow-4.14.0/lib/prototypes.h.orig shadow-4.14.0/lib/prototypes.h
|
||||
--- shadow-4.14.0/lib/prototypes.h.orig 2024-01-24 22:06:18.786184942 +0100
|
||||
+++ shadow-4.14.0/lib/prototypes.h 2024-01-24 20:19:45.299231059 +0100
|
||||
@@ -47,6 +47,7 @@ extern int expire (const struct passwd *
|
||||
extern void erase_pass(char *pass);
|
||||
ATTR_MALLOC(erase_pass)
|
||||
extern char *agetpass(const char *prompt);
|
||||
+extern char *agetpass_stdin();
|
||||
|
||||
/* isexpired.c */
|
||||
extern int isexpired (const struct passwd *, /*@null@*/const struct spwd *);
|
||||
diff -up shadow-4.14.0/man/passwd.1.xml.orig shadow-4.14.0/man/passwd.1.xml
|
||||
--- shadow-4.14.0/man/passwd.1.xml.orig 2024-01-24 20:33:31.438972506 +0100
|
||||
+++ shadow-4.14.0/man/passwd.1.xml 2024-01-29 17:36:31.082495245 +0100
|
||||
@@ -341,6 +341,17 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>-s</option>, <option>--stdin</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ This option is used to indicate that passwd should read the new password from standard
|
||||
+ input, which can be a pipe.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
diff -up shadow-4.14.0/src/passwd.c.orig shadow-4.14.0/src/passwd.c
|
||||
--- shadow-4.14.0/src/passwd.c.orig 2024-01-24 13:57:15.714549266 +0100
|
||||
+++ shadow-4.14.0/src/passwd.c 2024-01-29 17:33:59.421508534 +0100
|
||||
@@ -65,7 +65,8 @@ static bool
|
||||
Sflg = false, /* -S - show password status */
|
||||
uflg = false, /* -u - unlock the user's password */
|
||||
wflg = false, /* -w - set warning days */
|
||||
- xflg = false; /* -x - set maximum days */
|
||||
+ xflg = false, /* -x - set maximum days */
|
||||
+ sflg = false; /* -s - read passwd from stdin */
|
||||
|
||||
/*
|
||||
* set to 1 if there are any flags which require root privileges,
|
||||
@@ -156,6 +157,7 @@ usage (int status)
|
||||
(void) fputs (_(" -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n"), usageout);
|
||||
(void) fputs (_(" -x, --maxdays MAX_DAYS set maximum number of days before password\n"
|
||||
" change to MAX_DAYS\n"), usageout);
|
||||
+ (void) fputs (_(" -s, --stdin read new token from stdin\n"), usageout);
|
||||
(void) fputs ("\n", usageout);
|
||||
exit (status);
|
||||
}
|
||||
@@ -275,7 +277,7 @@ static int new_password (const struct pa
|
||||
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
|
||||
}
|
||||
}
|
||||
- if (!qflg) {
|
||||
+ if (!qflg && !sflg) {
|
||||
if (pass_max_len == -1) {
|
||||
(void) printf (_(
|
||||
"Enter the new password (minimum of %d characters)\n"
|
||||
@@ -289,55 +291,67 @@ static int new_password (const struct pa
|
||||
}
|
||||
}
|
||||
|
||||
- warned = false;
|
||||
- for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
|
||||
- cp = agetpass (_("New password: "));
|
||||
+ if (sflg) {
|
||||
+ /*
|
||||
+ * root is setting the passphrase from stdin
|
||||
+ */
|
||||
+ cp = agetpass_stdin ();
|
||||
if (NULL == cp) {
|
||||
- memzero (orig, sizeof orig);
|
||||
- memzero (pass, sizeof pass);
|
||||
return -1;
|
||||
}
|
||||
- if (warned && (strcmp (pass, cp) != 0)) {
|
||||
- warned = false;
|
||||
- }
|
||||
STRFCPY (pass, cp);
|
||||
erase_pass (cp);
|
||||
+ } else {
|
||||
+ warned = false;
|
||||
+ for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
|
||||
+ cp = agetpass (_("New password: "));
|
||||
+ if (NULL == cp) {
|
||||
+ memzero (orig, sizeof orig);
|
||||
+ memzero (pass, sizeof pass);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (warned && (strcmp (pass, cp) != 0)) {
|
||||
+ warned = false;
|
||||
+ }
|
||||
+ STRFCPY (pass, cp);
|
||||
+ erase_pass (cp);
|
||||
|
||||
- if (!amroot && !obscure(orig, pass, pw)) {
|
||||
- (void) puts (_("Try again."));
|
||||
- continue;
|
||||
- }
|
||||
+ if (!amroot && !obscure(orig, pass, pw)) {
|
||||
+ (void) puts (_("Try again."));
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
- /*
|
||||
- * If enabled, warn about weak passwords even if you are
|
||||
- * root (enter this password again to use it anyway).
|
||||
- * --marekm
|
||||
- */
|
||||
- if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN")
|
||||
- && !obscure(orig, pass, pw)) {
|
||||
- (void) puts (_("\nWarning: weak password (enter it again to use it anyway)."));
|
||||
- warned = true;
|
||||
- continue;
|
||||
+ /*
|
||||
+ * If enabled, warn about weak passwords even if you are
|
||||
+ * root (enter this password again to use it anyway).
|
||||
+ * --marekm
|
||||
+ */
|
||||
+ if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN")
|
||||
+ && !obscure(orig, pass, pw)) {
|
||||
+ (void) puts (_("\nWarning: weak password (enter it again to use it anyway)."));
|
||||
+ warned = true;
|
||||
+ continue;
|
||||
+ }
|
||||
+ cp = agetpass (_("Re-enter new password: "));
|
||||
+ if (NULL == cp) {
|
||||
+ memzero (orig, sizeof orig);
|
||||
+ memzero (pass, sizeof pass);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (strcmp (cp, pass) != 0) {
|
||||
+ erase_pass (cp);
|
||||
+ (void) fputs (_("They don't match; try again.\n"), stderr);
|
||||
+ } else {
|
||||
+ erase_pass (cp);
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
- cp = agetpass (_("Re-enter new password: "));
|
||||
- if (NULL == cp) {
|
||||
- memzero (orig, sizeof orig);
|
||||
+ memzero (orig, sizeof orig);
|
||||
+
|
||||
+ if (i == 0) {
|
||||
memzero (pass, sizeof pass);
|
||||
return -1;
|
||||
}
|
||||
- if (strcmp (cp, pass) != 0) {
|
||||
- erase_pass (cp);
|
||||
- (void) fputs (_("They don't match; try again.\n"), stderr);
|
||||
- } else {
|
||||
- erase_pass (cp);
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- memzero (orig, sizeof orig);
|
||||
-
|
||||
- if (i == 0) {
|
||||
- memzero (pass, sizeof pass);
|
||||
- return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -714,6 +728,7 @@ static void update_shadow (void)
|
||||
* -u unlock the password of the named account (*)
|
||||
* -w # set sp_warn to # days (*)
|
||||
* -x # set sp_max to # days (*)
|
||||
+ * -s read password from stdin
|
||||
*
|
||||
* (*) requires root permission to execute.
|
||||
*
|
||||
@@ -781,10 +796,11 @@ int main (int argc, char **argv)
|
||||
{"unlock", no_argument, NULL, 'u'},
|
||||
{"warndays", required_argument, NULL, 'w'},
|
||||
{"maxdays", required_argument, NULL, 'x'},
|
||||
+ {"stdin", no_argument, NULL, 's'},
|
||||
{NULL, 0, NULL, '\0'}
|
||||
};
|
||||
|
||||
- while ((c = getopt_long (argc, argv, "adehi:kln:qr:R:P:Suw:x:",
|
||||
+ while ((c = getopt_long (argc, argv, "adehi:kln:qr:R:P:Suw:x:s",
|
||||
long_options, NULL)) != -1) {
|
||||
switch (c) {
|
||||
case 'a':
|
||||
@@ -877,6 +893,15 @@ int main (int argc, char **argv)
|
||||
xflg = true;
|
||||
anyflag = true;
|
||||
break;
|
||||
+ case 's':
|
||||
+ if (!amroot) {
|
||||
+ (void) fprintf (stderr,
|
||||
+ _("%s: only root can use --stdin/-s option\n"),
|
||||
+ Prog);
|
||||
+ usage (E_BAD_ARG);
|
||||
+ }
|
||||
+ sflg = true;
|
||||
+ break;
|
||||
default:
|
||||
usage (E_BAD_ARG);
|
||||
}
|
||||
@@ -1068,7 +1093,16 @@ int main (int argc, char **argv)
|
||||
* Don't set the real UID for PAM...
|
||||
*/
|
||||
if (!anyflag && use_pam) {
|
||||
- do_pam_passwd (name, qflg, kflg);
|
||||
+ if (sflg) {
|
||||
+ cp = agetpass_stdin ();
|
||||
+ if (cp == NULL) {
|
||||
+ exit (E_FAILURE);
|
||||
+ }
|
||||
+ do_pam_passwd_non_interactive ("passwd", name, cp);
|
||||
+ erase_pass (cp);
|
||||
+ } else {
|
||||
+ do_pam_passwd (name, qflg, kflg);
|
||||
+ }
|
||||
exit (E_SUCCESS);
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
@@ -1102,4 +1136,3 @@ int main (int argc, char **argv)
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
-
|
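Review bot: In the `-s` PAM branch added to main() in src/passwd.c, the return value of `do_pam_passwd_non_interactive ("passwd", name, cp)` is discarded and control falls through to the existing `exit (E_SUCCESS)`, so a password change that PAM rejects (pwquality failure, module error) is reported as success to the script feeding stdin — the chpasswd hunk elsewhere in this series checks that same call with `!= 0`. Change it to `if (do_pam_passwd_non_interactive (Prog, name, cp) != 0) { erase_pass (cp); exit (E_FAILURE); }` before the existing `erase_pass (cp);`, using `Prog` like chpasswd does instead of the literal. In new_password(), the new `sflg` branch returns without the `memzero (orig, sizeof orig)` the interactive branch performs after its loop, and does not clear `pass` on a NULL read; add both for symmetry since `orig` may hold the authenticated current password. The added prototype `extern char *agetpass_stdin();` is unprototyped in C and lacks the `ATTR_MALLOC(erase_pass)` that `agetpass` carries on the line above; declare it `agetpass_stdin(void)` with the same attribute. `agetpass_internal(NULL, RPP_STDIN)` is only safe if the bundled readpassphrase never writes the prompt under RPP_STDIN — presumably it does not, but passing `""` costs nothing and removes the dependency on that detail; main() and new_password() both extend beyond the hunks shown.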
306
shadow-4.14.0-remove-libcrack.patch
Normal file
@ -0,0 +1,306 @@
|
||||
From 43b4e5a6c41f5c43cad18810f9229e40e8c4a57e Mon Sep 17 00:00:00 2001
|
||||
From: Alejandro Colomar <alx@kernel.org>
|
||||
Date: Mon, 30 Oct 2023 12:53:37 +0100
|
||||
Subject: [PATCH 1/2] Remove FascistHistory() and FascistHistoryPw() calls
|
||||
|
||||
These functions don't seem to exist anymore. I can't find them in
|
||||
Debian, nor in a web search. They probably were functions from an
|
||||
ancient implementation of cracklib that doesn't exist anymore.
|
||||
|
||||
$ git remote -v
|
||||
origin git@github.com:cracklib/cracklib.git (fetch)
|
||||
origin git@github.com:cracklib/cracklib.git (push)
|
||||
$ grep -rni fascisthistory
|
||||
$ git log --grep FascistHistory
|
||||
$ git log -S FascistHistory
|
||||
|
||||
Closes: <https://codesearch.debian.net/search?q=FascistHistory&literal=1>
|
||||
Cc: Mike Frysinger <vapier@gentoo.org>
|
||||
Acked-by: Michael Vetter <jubalh@iodoru.org>
|
||||
Signed-off-by: Alejandro Colomar <alx@kernel.org>
|
||||
---
|
||||
configure.ac | 4 ----
|
||||
libmisc/obscure.c | 8 --------
|
||||
src/passwd.c | 33 ++-------------------------------
|
||||
3 files changed, 2 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 2c8cca3f..5c8c7764 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -526,10 +526,6 @@ if test "$with_libcrack" = "yes"; then
|
||||
echo "checking cracklib flavour, don't be surprised by the results"
|
||||
AC_CHECK_LIB(crack, FascistCheck,
|
||||
[LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
|
||||
- AC_CHECK_LIB(crack, FascistHistory,
|
||||
- AC_DEFINE(HAVE_LIBCRACK_HIST, 1, [Defined if you have the ts&szs cracklib.]))
|
||||
- AC_CHECK_LIB(crack, FascistHistoryPw,
|
||||
- AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
|
||||
fi
|
||||
|
||||
if test "$with_btrfs" != "no"; then
|
||||
diff --git a/libmisc/obscure.c b/libmisc/obscure.c
|
||||
index ccffb71d..4070d4e4 100644
|
||||
--- a/libmisc/obscure.c
|
||||
+++ b/libmisc/obscure.c
|
||||
@@ -100,11 +100,7 @@ static /*@observer@*//*@null@*/const char *password_check (
|
||||
#ifdef HAVE_LIBCRACK
|
||||
char *dictpath;
|
||||
|
||||
-#ifdef HAVE_LIBCRACK_PW
|
||||
- char *FascistCheckPw ();
|
||||
-#else
|
||||
char *FascistCheck ();
|
||||
-#endif
|
||||
#endif
|
||||
|
||||
if (strcmp (new, old) == 0) {
|
||||
@@ -133,11 +129,7 @@ static /*@observer@*//*@null@*/const char *password_check (
|
||||
|
||||
dictpath = getdef_str ("CRACKLIB_DICTPATH");
|
||||
if (NULL != dictpath) {
|
||||
-#ifdef HAVE_LIBCRACK_PW
|
||||
- msg = FascistCheckPw (new, dictpath, pwdp);
|
||||
-#else
|
||||
msg = FascistCheck (new, dictpath);
|
||||
-#endif
|
||||
}
|
||||
#endif
|
||||
}
|
||||
diff --git a/src/passwd.c b/src/passwd.c
|
||||
index 67608619..a4f49320 100644
|
||||
--- a/src/passwd.c
|
||||
+++ b/src/passwd.c
|
||||
@@ -114,7 +114,6 @@ static bool do_update_pwd = false;
|
||||
/* local function prototypes */
|
||||
NORETURN static void usage (int);
|
||||
|
||||
-static bool reuse (const char *, const struct passwd *);
|
||||
static int new_password (const struct passwd *);
|
||||
|
||||
static void check_password (const struct passwd *, const struct spwd *);
|
||||
@@ -163,27 +162,6 @@ usage (int status)
|
||||
exit (status);
|
||||
}
|
||||
|
||||
-static bool reuse (const char *pass, const struct passwd *pw)
|
||||
-{
|
||||
-#ifdef HAVE_LIBCRACK_HIST
|
||||
- const char *reason;
|
||||
-
|
||||
-#ifdef HAVE_LIBCRACK_PW
|
||||
- const char *FascistHistoryPw (const char *, const struct passwd *);
|
||||
-
|
||||
- reason = FascistHistory (pass, pw);
|
||||
-#else /* !HAVE_LIBCRACK_PW */
|
||||
- const char *FascistHistory (const char *, int);
|
||||
-
|
||||
- reason = FascistHistory (pass, pw->pw_uid);
|
||||
-#endif /* !HAVE_LIBCRACK_PW */
|
||||
- if (NULL != reason) {
|
||||
- (void) printf (_("Bad password: %s. "), reason);
|
||||
- return true;
|
||||
- }
|
||||
-#endif /* HAVE_LIBCRACK_HIST */
|
||||
- return false;
|
||||
-}
|
||||
|
||||
/*
|
||||
* new_password - validate old password and replace with new (both old and
|
||||
@@ -202,10 +180,6 @@ static int new_password (const struct passwd *pw)
|
||||
int pass_max_len = -1;
|
||||
const char *method;
|
||||
|
||||
-#ifdef HAVE_LIBCRACK_HIST
|
||||
- int HistUpdate (const char *, const char *);
|
||||
-#endif /* HAVE_LIBCRACK_HIST */
|
||||
-
|
||||
/*
|
||||
* Authenticate the user. The user will be prompted for their own
|
||||
* password.
|
||||
@@ -306,7 +280,7 @@ static int new_password (const struct passwd *pw)
|
||||
STRFCPY (pass, cp);
|
||||
erase_pass (cp);
|
||||
|
||||
- if (!amroot && (!obscure (orig, pass, pw) || reuse (pass, pw))) {
|
||||
+ if (!amroot && !obscure(orig, pass, pw)) {
|
||||
(void) puts (_("Try again."));
|
||||
continue;
|
||||
}
|
||||
@@ -317,7 +291,7 @@ static int new_password (const struct passwd *pw)
|
||||
* --marekm
|
||||
*/
|
||||
if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN")
|
||||
- && (!obscure (orig, pass, pw) || reuse (pass, pw))) {
|
||||
+ && !obscure(orig, pass, pw)) {
|
||||
(void) puts (_("\nWarning: weak password (enter it again to use it anyway)."));
|
||||
warned = true;
|
||||
continue;
|
||||
@@ -357,9 +331,6 @@ static int new_password (const struct passwd *pw)
|
||||
return -1;
|
||||
}
|
||||
|
||||
-#ifdef HAVE_LIBCRACK_HIST
|
||||
- HistUpdate (pw->pw_name, crypt_passwd);
|
||||
-#endif /* HAVE_LIBCRACK_HIST */
|
||||
STRFCPY (crypt_passwd, cp);
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
||||
From 45f34ee8c196a98397504cb7ed8576b6f1825cf9 Mon Sep 17 00:00:00 2001
|
||||
From: Alejandro Colomar <alx@kernel.org>
|
||||
Date: Mon, 30 Oct 2023 13:31:42 +0100
|
||||
Subject: [PATCH 2/2] Remove libcrack support
|
||||
|
||||
Signed-off-by: Alejandro Colomar <alx@kernel.org>
|
||||
---
|
||||
configure.ac | 11 -----------
|
||||
etc/login.defs | 5 -----
|
||||
lib/getdef.c | 1 -
|
||||
libmisc/obscure.c | 22 ----------------------
|
||||
libsubid/Makefile.am | 1 -
|
||||
src/Makefile.am | 2 +-
|
||||
7 files changed, 2 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 5c8c7764..c2b0a1a5 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -243,9 +243,6 @@ AC_ARG_WITH(skey,
|
||||
AC_ARG_WITH(tcb,
|
||||
[AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
|
||||
[with_tcb=$withval], [with_tcb=maybe])
|
||||
-AC_ARG_WITH(libcrack,
|
||||
- [AS_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
|
||||
- [with_libcrack=$withval], [with_libcrack=no])
|
||||
AC_ARG_WITH(sha-crypt,
|
||||
[AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
|
||||
[with_sha_crypt=$withval], [with_sha_crypt=yes])
|
||||
@@ -521,13 +518,6 @@ if test "$with_audit" != "no"; then
|
||||
fi
|
||||
fi
|
||||
|
||||
-AC_SUBST(LIBCRACK)
|
||||
-if test "$with_libcrack" = "yes"; then
|
||||
- echo "checking cracklib flavour, don't be surprised by the results"
|
||||
- AC_CHECK_LIB(crack, FascistCheck,
|
||||
- [LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
|
||||
-fi
|
||||
-
|
||||
if test "$with_btrfs" != "no"; then
|
||||
AC_CHECK_HEADERS([sys/statfs.h linux/magic.h linux/btrfs_tree.h], \
|
||||
[btrfs_headers="yes"], [btrfs_headers="no"])
|
||||
@@ -768,7 +758,6 @@ echo
|
||||
echo "shadow will be compiled with the following features:"
|
||||
echo
|
||||
echo " auditing support: $with_audit"
|
||||
-echo " CrackLib support: $with_libcrack"
|
||||
echo " PAM support: $with_libpam"
|
||||
if test "$with_libpam" = "yes"; then
|
||||
echo " suid account management tools: $enable_acct_tools_setuid"
|
||||
diff --git a/etc/login.defs b/etc/login.defs
|
||||
index 114dbcd9..33622c29 100644
|
||||
--- a/etc/login.defs
|
||||
+++ b/etc/login.defs
|
||||
@@ -227,11 +227,6 @@ PASS_WARN_AGE 7
|
||||
#
|
||||
SU_WHEEL_ONLY no
|
||||
|
||||
-#
|
||||
-# If compiled with cracklib support, sets the path to the dictionaries
|
||||
-#
|
||||
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
|
||||
-
|
||||
#
|
||||
# Min/max values for automatic uid selection in useradd(8)
|
||||
#
|
||||
diff --git a/lib/getdef.c b/lib/getdef.c
|
||||
index 977660c2..d64e6343 100644
|
||||
--- a/lib/getdef.c
|
||||
+++ b/lib/getdef.c
|
||||
@@ -39,7 +39,6 @@ struct itemdef {
|
||||
#define PAMDEFS \
|
||||
{"CHFN_AUTH", NULL}, \
|
||||
{"CHSH_AUTH", NULL}, \
|
||||
- {"CRACKLIB_DICTPATH", NULL}, \
|
||||
{"ENV_HZ", NULL}, \
|
||||
{"ENVIRON_FILE", NULL}, \
|
||||
{"ENV_TZ", NULL}, \
|
||||
diff --git a/libmisc/obscure.c b/libmisc/obscure.c
|
||||
index 4070d4e4..2aece68b 100644
|
||||
--- a/libmisc/obscure.c
|
||||
+++ b/libmisc/obscure.c
|
||||
@@ -12,11 +12,6 @@
|
||||
#ident "$Id$"
|
||||
|
||||
|
||||
-/*
|
||||
- * This version of obscure.c contains modifications to support "cracklib"
|
||||
- * by Alec Muffet (alec.muffett@uk.sun.com). You must obtain the Cracklib
|
||||
- * library source code for this function to operate.
|
||||
- */
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
|
||||
@@ -97,12 +92,6 @@ static /*@observer@*//*@null@*/const char *password_check (
|
||||
const char *msg = NULL;
|
||||
char *oldmono, *newmono, *wrapped;
|
||||
|
||||
-#ifdef HAVE_LIBCRACK
|
||||
- char *dictpath;
|
||||
-
|
||||
- char *FascistCheck ();
|
||||
-#endif
|
||||
-
|
||||
if (strcmp (new, old) == 0) {
|
||||
return _("no change");
|
||||
}
|
||||
@@ -121,17 +110,6 @@ static /*@observer@*//*@null@*/const char *password_check (
|
||||
msg = _("too similar");
|
||||
} else if (strstr (wrapped, newmono) != NULL) {
|
||||
msg = _("rotated");
|
||||
- } else {
|
||||
-#ifdef HAVE_LIBCRACK
|
||||
- /*
|
||||
- * Invoke Alec Muffett's cracklib routines.
|
||||
- */
|
||||
-
|
||||
- dictpath = getdef_str ("CRACKLIB_DICTPATH");
|
||||
- if (NULL != dictpath) {
|
||||
- msg = FascistCheck (new, dictpath);
|
||||
- }
|
||||
-#endif
|
||||
}
|
||||
strzero (newmono);
|
||||
strzero (oldmono);
|
||||
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
|
||||
index 5ba0ab35..b6488e77 100644
|
||||
--- a/libsubid/Makefile.am
|
||||
+++ b/libsubid/Makefile.am
|
||||
@@ -8,7 +8,6 @@ MISCLIBS = \
|
||||
$(LIBAUDIT) \
|
||||
$(LIBSELINUX) \
|
||||
$(LIBSEMANAGE) \
|
||||
- $(LIBCRACK) \
|
||||
$(LIBCRYPT_NOPAM) \
|
||||
$(LIBSKEY) \
|
||||
$(LIBMD) \
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index fcfee9d2..b6cb09ef 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -123,7 +123,7 @@ login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(L
|
||||
newgrp_LDADD = $(LDADD) $(LIBAUDIT) $(LIBCRYPT) $(LIBECONF)
|
||||
newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl
|
||||
nologin_LDADD =
|
||||
-passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBECONF) -ldl
|
||||
+passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBECONF) -ldl
|
||||
pwck_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
|
||||
pwconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
|
||||
pwunconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
|
||||
--
|
||||
2.43.0
|
||||
|
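Review bot: Dropping `{"CRACKLIB_DICTPATH", NULL}` from the PAMDEFS table in lib/getdef.c makes that key unrecognised, so a deployed login.defs that still carries the line from the old default will, if getdef keeps its usual handling of unknown items, produce a configuration warning on every invocation of the shadow tools after the upgrade; consider keeping the entry as accepted-but-ignored for one release, or noting the removal in the package changelog so administrators clean up the file. With the `else` branch removed from password_check() in libmisc/obscure.c, a non-PAM build keeps only the "too similar"/"rotated" style tests and loses dictionary checking entirely, which is acceptable on the PAM build (pam_pwquality covers it) but should be stated where the option used to be documented, since the login.defs(5) entry for CRACKLIB_DICTPATH is not touched by this patch.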
380
shadow-4.15.0-account-tools-setuid.patch
Normal file
@ -0,0 +1,380 @@
|
||||
diff -up shadow-4.15.0/src/chpasswd.c.account-tools-setuid shadow-4.15.0/src/chpasswd.c
|
||||
--- shadow-4.15.0/src/chpasswd.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
|
||||
+++ shadow-4.15.0/src/chpasswd.c 2024-03-11 11:21:57.561150382 +0100
|
||||
@@ -443,9 +443,11 @@ int main (int argc, char **argv)
|
||||
char *cp;
|
||||
const char *salt;
|
||||
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
bool use_pam = true;
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
|
||||
int errors = 0;
|
||||
int line = 0;
|
||||
@@ -469,19 +471,23 @@ int main (int argc, char **argv)
|
||||
process_root_flag ("-R", argc, argv);
|
||||
prefix = process_prefix_flag ("-P", argc, argv);
|
||||
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
if (md5flg || eflg || cflg || prefix[0]) {
|
||||
use_pam = false;
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
|
||||
OPENLOG (Prog);
|
||||
|
||||
check_perms ();
|
||||
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
if (!use_pam)
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
{
|
||||
is_shadow_pwd = spw_file_present ();
|
||||
|
||||
@@ -543,6 +549,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
newpwd = cp;
|
||||
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
if (use_pam) {
|
||||
if (do_pam_passwd_non_interactive (Prog, name, newpwd) != 0) {
|
||||
@@ -553,6 +560,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
} else
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
{
|
||||
const struct spwd *sp;
|
||||
struct spwd newsp;
|
||||
@@ -672,9 +680,11 @@ int main (int argc, char **argv)
|
||||
* password database.
|
||||
*/
|
||||
if (0 != errors) {
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
if (!use_pam)
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
{
|
||||
fprintf (stderr,
|
||||
_("%s: error detected, changes ignored\n"),
|
||||
@@ -683,9 +693,11 @@ int main (int argc, char **argv)
|
||||
fail_exit (1);
|
||||
}
|
||||
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
if (!use_pam)
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
{
|
||||
/* Save the changes */
|
||||
close_files ();
|
||||
diff -up shadow-4.15.0/src/groupmems.c.account-tools-setuid shadow-4.15.0/src/groupmems.c
|
||||
--- shadow-4.15.0/src/groupmems.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
|
||||
+++ shadow-4.15.0/src/groupmems.c 2024-03-11 11:16:18.365408572 +0100
|
||||
@@ -14,9 +14,11 @@
|
||||
#include <grp.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
#include <pwd.h>
|
||||
|
||||
#include "alloc.h"
|
||||
@@ -430,6 +432,7 @@ static void process_flags (int argc, cha
|
||||
static void check_perms (void)
|
||||
{
|
||||
if (!list) {
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
pam_handle_t *pamh = NULL;
|
||||
int retval;
|
||||
@@ -463,7 +466,8 @@ static void check_perms (void)
|
||||
fail_exit (1);
|
||||
}
|
||||
(void) pam_end (pamh, retval);
|
||||
-#endif
|
||||
+#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
}
|
||||
}
|
||||
|
||||
diff -up shadow-4.15.0/src/newusers.c.account-tools-setuid shadow-4.15.0/src/newusers.c
|
||||
--- shadow-4.15.0/src/newusers.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
|
||||
+++ shadow-4.15.0/src/newusers.c 2024-03-11 11:20:07.198909046 +0100
|
||||
@@ -59,6 +59,7 @@
|
||||
static const char Prog[] = "newusers";
|
||||
|
||||
static bool rflg = false; /* create a system account */
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
static /*@null@*//*@observer@*/char *crypt_method = NULL;
|
||||
#define cflg (NULL != crypt_method)
|
||||
@@ -75,6 +76,7 @@ static long bcrypt_rounds = 13;
|
||||
static long yescrypt_cost = 5;
|
||||
#endif /* USE_YESCRYPT */
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
|
||||
static bool is_shadow;
|
||||
#ifdef SHADOWGRP
|
||||
@@ -97,9 +99,11 @@ NORETURN static void fail_exit (int);
|
||||
static int add_group (const char *, const char *, gid_t *, gid_t);
|
||||
static int get_user_id (const char *, uid_t *);
|
||||
static int add_user (const char *, uid_t, gid_t);
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
static int update_passwd (struct passwd *, const char *);
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
static int add_passwd (struct passwd *, const char *);
|
||||
static void process_flags (int argc, char **argv);
|
||||
static void check_flags (void);
|
||||
@@ -121,6 +125,7 @@ static void usage (int status)
|
||||
"Options:\n"),
|
||||
Prog);
|
||||
(void) fputs (_(" -b, --badname allow bad names\n"), usageout);
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
(void) fprintf (usageout,
|
||||
_(" -c, --crypt-method METHOD the crypt method (one of %s)\n"),
|
||||
@@ -136,9 +141,11 @@ static void usage (int status)
|
||||
#endif
|
||||
);
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
|
||||
(void) fputs (_(" -r, --system create system accounts\n"), usageout);
|
||||
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
|
||||
(void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n"
|
||||
@@ -146,6 +153,7 @@ static void usage (int status)
|
||||
usageout);
|
||||
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
(void) fputs ("\n", usageout);
|
||||
|
||||
exit (status);
|
||||
@@ -405,6 +413,7 @@ static int add_user (const char *name, u
|
||||
return (pw_update (&pwent) == 0) ? -1 : 0;
|
||||
}
|
||||
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
/*
|
||||
* update_passwd - update the password in the passwd entry
|
||||
@@ -457,6 +466,7 @@ static int update_passwd (struct passwd
|
||||
return 0;
|
||||
}
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
|
||||
/*
|
||||
* add_passwd - add or update the encrypted password
|
||||
@@ -465,10 +475,13 @@ static int add_passwd (struct passwd *pw
|
||||
{
|
||||
const struct spwd *sp;
|
||||
struct spwd spent;
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
char *cp;
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
void *crypt_arg = NULL;
|
||||
if (NULL != crypt_method) {
|
||||
@@ -505,13 +518,14 @@ static int add_passwd (struct passwd *pw
|
||||
return update_passwd (pwd, password);
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
|
||||
/*
|
||||
* Do the first and easiest shadow file case. The user already
|
||||
* exists in the shadow password file.
|
||||
*/
|
||||
sp = spw_locate (pwd->pw_name);
|
||||
-#ifndef USE_PAM
|
||||
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
|
||||
if (NULL != sp) {
|
||||
spent = *sp;
|
||||
if ( (NULL != crypt_method)
|
||||
@@ -547,7 +561,7 @@ static int add_passwd (struct passwd *pw
|
||||
if (strcmp (pwd->pw_passwd, "x") != 0) {
|
||||
return update_passwd (pwd, password);
|
||||
}
|
||||
-#else /* USE_PAM */
|
||||
+#else /* !ACCT_TOOLS_SETUID && !USE_PAM */
|
||||
/*
|
||||
* If there is already a shadow entry, do not touch it.
|
||||
* If there is already a passwd entry with a password, do not
|
||||
@@ -558,14 +572,14 @@ static int add_passwd (struct passwd *pw
|
||||
|| (strcmp (pwd->pw_passwd, "x") != 0)) {
|
||||
return 0;
|
||||
}
|
||||
-#endif /* USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID && !USE_PAM */
|
||||
|
||||
/*
|
||||
* Now the really hard case - I need to create an entirely new
|
||||
* shadow password file entry.
|
||||
*/
|
||||
spent.sp_namp = pwd->pw_name;
|
||||
-#ifndef USE_PAM
|
||||
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
|
||||
if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) {
|
||||
spent.sp_pwdp = (char *)password;
|
||||
} else {
|
||||
@@ -610,35 +624,41 @@ static int add_passwd (struct passwd *pw
|
||||
static void process_flags (int argc, char **argv)
|
||||
{
|
||||
int c;
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
|
||||
int bad_s;
|
||||
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
static struct option long_options[] = {
|
||||
{"badname", no_argument, NULL, 'b'},
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
{"crypt-method", required_argument, NULL, 'c'},
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
{"help", no_argument, NULL, 'h'},
|
||||
{"system", no_argument, NULL, 'r'},
|
||||
{"root", required_argument, NULL, 'R'},
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
|
||||
{"sha-rounds", required_argument, NULL, 's'},
|
||||
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
{NULL, 0, NULL, '\0'}
|
||||
};
|
||||
|
||||
while ((c = getopt_long (argc, argv,
|
||||
-#ifndef USE_PAM
|
||||
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
|
||||
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
|
||||
"c:bhrs:",
|
||||
#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT */
|
||||
"c:bhr",
|
||||
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
|
||||
-#else /* USE_PAM */
|
||||
+#else /* !ACCT_TOOLS_SETUID && !USE_PAM */
|
||||
"bhr",
|
||||
#endif
|
||||
long_options, NULL)) != -1) {
|
||||
@@ -646,11 +666,13 @@ static void process_flags (int argc, cha
|
||||
case 'b':
|
||||
allow_bad_names = true;
|
||||
break;
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
case 'c':
|
||||
crypt_method = optarg;
|
||||
break;
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
case 'h':
|
||||
usage (EXIT_SUCCESS);
|
||||
break;
|
||||
@@ -659,6 +681,7 @@ static void process_flags (int argc, cha
|
||||
break;
|
||||
case 'R': /* no-op, handled in process_root_flag () */
|
||||
break;
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
|
||||
case 's':
|
||||
@@ -698,6 +721,7 @@ static void process_flags (int argc, cha
|
||||
break;
|
||||
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
default:
|
||||
usage (EXIT_FAILURE);
|
||||
break;
|
||||
@@ -730,6 +754,7 @@ static void process_flags (int argc, cha
|
||||
*/
|
||||
static void check_flags (void)
|
||||
{
|
||||
+#ifndef ACCT_TOOLS_SETUID
|
||||
#ifndef USE_PAM
|
||||
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
|
||||
if (sflg && !cflg) {
|
||||
@@ -762,6 +787,7 @@ static void check_flags (void)
|
||||
}
|
||||
}
|
||||
#endif /* !USE_PAM */
|
||||
+#endif /* !ACCT_TOOLS_SETUID */
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1052,12 +1078,14 @@ int main (int argc, char **argv)
|
||||
int line = 0;
|
||||
uid_t uid;
|
||||
gid_t gid;
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
int *lines = NULL;
|
||||
char **usernames = NULL;
|
||||
char **passwords = NULL;
|
||||
unsigned int nusers = 0;
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
|
||||
log_set_progname(Prog);
|
||||
log_set_logfd(stderr);
|
||||
@@ -1195,6 +1223,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
newpw = *pw;
|
||||
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
/* keep the list of user/password for later update by PAM */
|
||||
nusers++;
|
||||
@@ -1211,6 +1240,7 @@ int main (int argc, char **argv)
|
||||
usernames[nusers-1] = strdup (fields[0]);
|
||||
passwords[nusers-1] = strdup (fields[1]);
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
if (add_passwd (&newpw, fields[1]) != 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: line %d: can't update password\n"),
|
||||
@@ -1327,6 +1357,7 @@ int main (int argc, char **argv)
|
||||
nscd_flush_cache ("group");
|
||||
sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
+#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
unsigned int i;
|
||||
/* Now update the passwords using PAM */
|
||||
@@ -1339,6 +1370,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
+#endif /* ACCT_TOOLS_SETUID */
|
||||
|
||||
exit (EXIT_SUCCESS);
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
Index: shadow-4.5/libmisc/getdate.y
|
||||
Index: shadow-4.5/lib/getdate.y
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/libmisc/getdate.y
|
||||
+++ shadow-4.5/libmisc/getdate.y
|
||||
--- shadow-4.5.orig/lib/getdate.y
|
||||
+++ shadow-4.5/lib/getdate.y
|
||||
@@ -152,6 +152,7 @@ static int yyHaveDay;
|
||||
static int yyHaveRel;
|
||||
static int yyHaveTime;
|
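--- a/shadow-4.15.0-getdef-spurious-error.patch
+++ b/shadow-4.15.0-getdef-spurious-error.patch
@@ -0,0 +1,137 @@
+From ead55e9ba8958504e23e29545f90c4dd925c7462 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Wed, 20 Mar 2024 17:39:46 -0500
+Subject: [PATCH] getdef: avoid spurious error messages about unknown
+configuration options
+
+def_find can return NULL for unset, not just unknown, config options. So
+move the decision of whether to log an error message about an unknown config
+option back into def_find, which knows the difference. Only putdef_str()
+will pass a char* srcfile to def_find, so only calls from putdef_str will
+cause the message, which was the original intent of fa68441bc4be8.
+
+closes #967
+
+fixes: fa68441bc4be8 ("Improve the login.defs unknown item error message")
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+lib/getdef.c | 30 ++++++++++++++++--------------
+1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/lib/getdef.c b/lib/getdef.c
+index 4d4d4e19..ef2ae1f0 100644
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -176,7 +176,7 @@ static const char* def_fname = LOGINDEFS; /* login config defs file */
+static bool def_loaded = false; /* are defs already loaded? */
+
+/* local function prototypes */
+-static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *);
++static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *, const char *);
+static void def_load (void);
+
+
+@@ -195,7 +195,7 @@ static void def_load (void);
+def_load ();
+}
+
+- d = def_find (item);
++ d = def_find (item, NULL);
+return (NULL == d) ? NULL : d->value;
+}
+
+@@ -214,7 +214,7 @@ bool getdef_bool (const char *item)
+def_load ();
+}
+
+- d = def_find (item);
++ d = def_find (item, NULL);
+if ((NULL == d) || (NULL == d->value)) {
+return false;
+}
+@@ -240,7 +240,7 @@ int getdef_num (const char *item, int dflt)
+def_load ();
+}
+
+- d = def_find (item);
++ d = def_find (item, NULL);
+if ((NULL == d) || (NULL == d->value)) {
+return dflt;
+}
+@@ -275,7 +275,7 @@ unsigned int getdef_unum (const char *item, unsigned int dflt)
+def_load ();
+}
+
+- d = def_find (item);
++ d = def_find (item, NULL);
+if ((NULL == d) || (NULL == d->value)) {
+return dflt;
+}
+@@ -310,7 +310,7 @@ long getdef_long (const char *item, long dflt)
+def_load ();
+}
+
+- d = def_find (item);
++ d = def_find (item, NULL);
+if ((NULL == d) || (NULL == d->value)) {
+return dflt;
+}
+@@ -342,7 +342,7 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt)
+def_load ();
+}
+
+- d = def_find (item);
++ d = def_find (item, NULL);
+if ((NULL == d) || (NULL == d->value)) {
+return dflt;
+}
+@@ -375,12 +375,9 @@ int putdef_str (const char *name, const char *value, const char *srcfile)
+* Locate the slot to save the value. If this parameter
+* is unknown then "def_find" will print an err message.
+*/
+- d = def_find (name);
+- if (NULL == d) {
+- if (NULL != srcfile)
+- SYSLOG ((LOG_CRIT, "shadow: unknown configuration item '%s' in '%s'", name, srcfile));
++ d = def_find (name, srcfile);
++ if (NULL == d)
+return -1;
+- }
+
+/*
+* Save off the value.
+@@ -404,9 +401,12 @@ int putdef_str (const char *name, const char *value, const char *srcfile)
+*
+* Search through a table of configurable items to locate the
+* specified configuration option.
++ *
++ * If srcfile is not NULL, and the item is not found, then report an error saying
++ * the unknown item was used in this file.
+*/
+
+-static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
++static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name, const char *srcfile)
+{
+struct itemdef *ptr;
+
+@@ -432,6 +432,8 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
+fprintf (shadow_logfd,
+_("configuration error - unknown item '%s' (notify administrator)\n"),
+name);
++ if (srcfile != NULL)
++ SYSLOG ((LOG_CRIT, "shadow: unknown configuration item '%s' in '%s'", name, srcfile));
+
+out:
+return NULL;
+@@ -610,7 +612,7 @@ int main (int argc, char **argv)
+def_load ();
+
+for (i = 0; i < NUMDEFS; ++i) {
+- d = def_find (def_table[i].name);
++ d = def_find (def_table[i].name, NULL);
+if (NULL == d) {
+printf ("error - lookup '%s' failed\n",
+def_table[i].name);
+--
+2.44.0
+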
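Review bot: In the `@@ -432,6 +432,8 @@` hunk only the SYSLOG call is gated on `srcfile != NULL`; the `fprintf (shadow_logfd, ...)` directly above it is context and remains unconditional, so a getdef_* lookup that passes NULL and reaches this path still prints the "configuration error" line for an unknown name. If that split (log fd always, syslog only while parsing login.defs) is intended, the new def_find comment should state it, e.g. `* If srcfile is not NULL and the item is unknown, the error is additionally sent to syslog naming srcfile.`; if not, the fprintf belongs inside the same `if`. Most of def_find's body, including the path that distinguishes unset from unknown, lies outside the hunk, so that distinction cannot be confirmed from this diff. As a style point, the new `if (NULL == d)` in putdef_str and `if (srcfile != NULL)` in def_find drop the braces the removed code had, while the surrounding context braces every single-statement body.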
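--- a/shadow-4.15.0-manfix.patch
+++ b/shadow-4.15.0-manfix.patch
@@ -0,0 +1,162 @@
+diff -up shadow-4.15.0/man/groupmems.8.xml.manfix shadow-4.15.0/man/groupmems.8.xml
+--- shadow-4.15.0/man/groupmems.8.xml.manfix 2023-05-26 04:56:11.000000000 +0200
++++ shadow-4.15.0/man/groupmems.8.xml 2024-02-09 10:42:20.337036378 +0100
+@@ -156,20 +156,10 @@
+<refsect1 id='setup'>
+<title>SETUP</title>
+<para>
+- The <command>groupmems</command> executable should be in mode
+- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
+- <emphasis>groups</emphasis>. The system administrator can add users to
+- group <emphasis>groups</emphasis> to allow or disallow them using the
+- <command>groupmems</command> utility to manage their own group
+- membership list.
++ In this operating system the <command>groupmems</command> executable
++ is not setuid and regular users cannot use it to manipulate
++ the membership of their own group.
+</para>
+-
+- <programlisting>
+- $ groupadd -r groups
+- $ chmod 2710 groupmems
+- $ chown root:groups groupmems
+- $ groupmems -g groups -a gk4
+- </programlisting>
+</refsect1>
+
+<refsect1 id='configuration'>
+diff -up shadow-4.15.0/man/ja/man5/login.defs.5.manfix shadow-4.15.0/man/ja/man5/login.defs.5
+--- shadow-4.15.0/man/ja/man5/login.defs.5.manfix 2023-03-13 21:58:56.000000000 +0100
++++ shadow-4.15.0/man/ja/man5/login.defs.5 2024-02-09 10:42:20.337036378 +0100
+@@ -123,10 +123,6 @@ 以下の参照表は、
+shadow パスワード機能のどのプログラムが
+どのパラメータを使用するかを示したものである。
+.na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+.IP groupadd 12
+GID_MAX GID_MIN
+.IP newusers 12
+diff -up shadow-4.15.0/man/login.defs.5.xml.manfix shadow-4.15.0/man/login.defs.5.xml
+--- shadow-4.15.0/man/login.defs.5.xml.manfix 2024-01-22 22:36:43.000000000 +0100
++++ shadow-4.15.0/man/login.defs.5.xml 2024-02-09 10:45:49.014407259 +0100
+@@ -144,6 +144,17 @@
+long numeric parameters is machine-dependent.
+</para>
+
++ <para>
++ Please note that the parameters in this configuration file control the
++ behavior of the tools from the shadow-utils component. None of these
++ tools uses the PAM mechanism, and the utilities that use PAM (such as the
++ passwd command) should be configured elsewhere. The only values that
++ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++ pam(8) for more information.
++ </para>
++
+<para>The following configuration items are provided:</para>
+
+<variablelist remap='IP'>
+@@ -240,16 +251,6 @@
+</listitem>
+</varlistentry>
+<varlistentry>
+- <term>chfn</term>
+- <listitem>
+- <para>
+- <phrase condition="no_pam">CHFN_AUTH</phrase>
+- CHFN_RESTRICT
+- <phrase condition="no_pam">LOGIN_STRING</phrase>
+- </para>
+- </listitem>
+- </varlistentry>
+- <varlistentry>
+<term>chgpasswd</term>
+<listitem>
+<para>
+@@ -276,14 +277,6 @@
+</para>
+</listitem>
+</varlistentry>
+- <varlistentry condition="no_pam">
+- <term>chsh</term>
+- <listitem>
+- <para>
+- CHSH_AUTH LOGIN_STRING
+- </para>
+- </listitem>
+- </varlistentry>
+<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+<!-- faillog: no variables -->
+<varlistentry>
+@@ -352,34 +345,6 @@
+<para>LASTLOG_UID_MAX</para>
+</listitem>
+</varlistentry>
+- <varlistentry>
+- <term>login</term>
+- <listitem>
+- <para>
+- <phrase condition="no_pam">CONSOLE</phrase>
+- CONSOLE_GROUPS DEFAULT_HOME
+- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+- ENV_TZ ENVIRON_FILE</phrase>
+- ERASECHAR FAIL_DELAY
+- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+- FAKE_SHELL
+- <phrase condition="no_pam">FTMP_FILE</phrase>
+- HUSHLOGIN_FILE
+- <phrase condition="no_pam">ISSUE_FILE</phrase>
+- KILLCHAR
+- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
+- LOGIN_RETRIES
+- <phrase condition="no_pam">LOGIN_STRING</phrase>
+- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+- QUOTAS_ENAB</phrase>
+- TTYGROUP TTYPERM TTYTYPE_FILE
+- <phrase condition="no_pam">ULIMIT UMASK</phrase>
+- USERGROUPS_ENAB
+- </para>
+- </listitem>
+- </varlistentry>
+<!-- logoutd: no variables -->
+<varlistentry>
+<term>newgrp / sg</term>
+@@ -451,32 +416,6 @@
+</para>
+</listitem>
+</varlistentry>
+- <varlistentry>
+- <term>su</term>
+- <listitem>
+- <para>
+- <phrase condition="no_pam">CONSOLE</phrase>
+- CONSOLE_GROUPS DEFAULT_HOME
+- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+- ENV_PATH ENV_SUPATH
+- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+- SULOG_FILE SU_NAME
+- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+- SYSLOG_SU_ENAB
+- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+- </para>
+- </listitem>
+- </varlistentry>
+- <varlistentry condition="no_pam">
+- <term>sulogin</term>
+- <listitem>
+- <para>
+- ENV_HZ
+- ENV_TZ
+- </para>
+- </listitem>
+- </varlistentry>
+<varlistentry>
+<term>useradd</term>
+<listitem>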
1413
shadow-4.15.0-sast-fixes.patch
Normal file
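--- a/shadow-4.15.0-useradd-fix-write-full-return.patch
+++ b/shadow-4.15.0-useradd-fix-write-full-return.patch
@@ -0,0 +1,34 @@
+From 8903b94c86c978e8abef623358fd3e4629c06967 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 9 Sep 2024 10:36:17 +0200
+Subject: [PATCH] useradd: fix write_full() return value
+
+write_full() returns -1 on error and useradd was checking another value.
+
+Closes: https://github.com/shadow-maint/shadow/issues/1072
+Fixes: f45498a6c286 ("libmisc/write_full.c: Improve write_full()")
+
+Reported-by: <https://github.com/brown-midas>
+Suggested-by: <https://github.com/brown-midas>
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+src/useradd.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 02c500d0..d64fd892 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2042,7 +2042,7 @@ static void lastlog_reset (uid_t uid)
+return;
+}
+if ( (lseek (fd, offset_uid, SEEK_SET) != offset_uid)
+- || (write_full (fd, &ll, sizeof (ll)) != (ssize_t) sizeof (ll))
++ || (write_full (fd, &ll, sizeof (ll)) == -1)
+|| (fsync (fd) != 0)) {
+fprintf (stderr,
+_("%s: failed to reset the lastlog entry of UID %lu: %s\n"),
+--
+2.46.0
+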
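--- a/shadow-utils-configure-gshadow.patch
+++ b/shadow-utils-configure-gshadow.patch
@@ -0,0 +1,20 @@
+The missing #include <gshadow.h> causes the configure check to fail
+spuriously, resulting in HAVE_SHADOWGRP not being defined.
+
+Submitted upstream: <https://github.com/shadow-maint/shadow/pull/595>
+
+diff --git a/configure.ac b/configure.ac
+index 924254a0c8171802..6c7d9839979e037d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,6 +116,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
+ac_cv_libc_shadowgrp,
+AC_RUN_IFELSE([AC_LANG_SOURCE([
+#include <shadow.h>
++ #ifdef HAVE_GSHADOW_H
++ #include <gshadow.h>
++ #endif
++ int
+main()
+{
+struct sgrp *sg = sgetsgent("test:x::");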
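Review bot: The added `#ifdef HAVE_GSHADOW_H` only takes effect if an `AC_CHECK_HEADERS([gshadow.h])` has already run and written that define into confdefs.h before this AC_RUN_IFELSE; the hunk begins at line 116 inside the shadow.h branch and does not show such a check, so that ordering should be confirmed. The added `int` before `main()` also turns an implicit-int definition into a proper one, which newer compilers reject as an error; it is an independent cause of the spurious failure and deserves a sentence in the patch header, e.g. `Also declare main() with an explicit return type, since implicit int is rejected by current compilers.` The test program continues past the end of the hunk.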
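--- a/shadow-utils.HOME_MODE.xml
+++ b/shadow-utils.HOME_MODE.xml
@@ -0,0 +1,43 @@
+<!--
+Copyright (c) 1991 - 1993, Julianne Frances Haugh
+Copyright (c) 1991 - 1993, Chip Rosenthal
+Copyright (c) 2007 - 2009, Nicolas François
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+3. The name of the copyright holders or contributors may not be used to
+endorse or promote products derived from this software without
+specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+<term><option>HOME_MODE</option> (number)</term>
+<listitem>
+<para>
+The mode for new home directories. If not specified,
+the <option>UMASK</option> is used to create the mode.
+</para>
+<para>
+<command>useradd</command> and <command>newusers</command> use this
+to set the mode of the home directory they create.
+</para>
+</listitem>
+</varlistentry>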
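--- a/shadow-utils.login.defs
+++ b/shadow-utils.login.defs
@@ -0,0 +1,315 @@
+#
+# Please note that the parameters in this configuration file control the
+# behavior of the tools from the shadow-utils component. None of these
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# pam_unix(8) enforces a 2s delay)
+#
+#FAIL_DELAY 3
+
+# Currently FAILLOG_ENAB is not supported
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+#LOG_UNKFAIL_ENAB no
+
+# Currently LOG_OK_LOGINS is not supported
+
+# Currently LASTLOG_ENAB is not supported
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+# Currently MAIL_CHECK_ENAB is not supported
+
+# Currently OBSCURE_CHECKS_ENAB is not supported
+
+# Currently PORTTIME_CHECKS_ENAB is not supported
+
+# Currently QUOTAS_ENAB is not supported
+
+# Currently SYSLOG_SU_ENAB is not supported
+
+#
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
+#
+#SYSLOG_SG_ENAB yes
+
+# Currently CONSOLE is not supported
+
+# Currently SULOG_FILE is not supported
+
+# Currently MOTD_FILE is not supported
+
+# Currently ISSUE_FILE is not supported
+
+# Currently TTYTYPE_FILE is not supported
+
+# Currently FTMP_FILE is not supported
+
+# Currently NOLOGINS_FILE is not supported
+
+# Currently SU_NAME is not supported
+
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+#HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+# Currently ENV_TZ is not supported
+
+# Currently ENV_HZ is not supported
+
+#
+# The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+#TTYGROUP tty
+#TTYPERM 0600
+
+# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK 022
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+HOME_MODE 0700
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 8
+PASS_WARN_AGE 7
+
+# Currently SU_WHEEL_ONLY is not supported
+
+# Currently CRACKLIB_DICTPATH is not supported
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 201
+SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 524288
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 201
+SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 524288
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+#LOGIN_RETRIES 3
+
+#
+# Max time in seconds for login(1)
+#
+#LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN 8
+
+# Currently CHFN_AUTH is not supported
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+#CHFN_RESTRICT rwh
+
+# Currently LOGIN_STRING is not supported
+
+# Currently MD5_CRYPT_ENAB is not supported
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be within the 1000-999999999 range.
+#
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+# Currently SHA_CRYPT_MIN_ROUNDS is not supported
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 31
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
+# Currently CONSOLE_GROUPS is not supported
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is yes.
+#
+#DEFAULT_HOME yes
+
+# Currently ENVIRON_FILE is not supported
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enables userdel(8) to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+CREATE_HOME yes
+
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW yes
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+HMAC_CRYPTO_ALGO SHA512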
@ -1,123 +1,70 @@
|
||||
Summary: Utilities for managing accounts and shadow password files
|
||||
Name: shadow-utils
|
||||
Version: 4.6
|
||||
Release: 22%{?dist}
|
||||
Version: 4.15.0
|
||||
Release: 5%{?dist}
|
||||
Epoch: 2
|
||||
URL: http://pkg-shadow.alioth.debian.org/
|
||||
License: BSD-3-Clause AND GPL-2.0-or-later
|
||||
URL: https://github.com/shadow-maint/shadow
|
||||
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
|
||||
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
|
||||
Source2: shadow-utils.useradd
|
||||
Source3: shadow-utils.login.defs
|
||||
Source4: shadow-bsd.txt
|
||||
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||
Source6: shadow-utils.HOME_MODE.xml
|
||||
Source7: passwd.pamd
|
||||
|
||||
### Globals ###
|
||||
%global includesubiddir %{_includedir}/shadow
|
||||
|
||||
### Patches ###
|
||||
Patch0: shadow-4.6-redhat.patch
|
||||
Patch1: shadow-4.6-goodname.patch
|
||||
Patch2: shadow-4.1.5.1-info-parent-dir.patch
|
||||
Patch6: shadow-4.6-selinux.patch
|
||||
Patch10: shadow-4.6-orig-context.patch
|
||||
Patch11: shadow-4.1.5.1-logmsg.patch
|
||||
Patch14: shadow-4.1.5.1-default-range.patch
|
||||
Patch15: shadow-4.6-manfix.patch
|
||||
Patch17: shadow-4.1.5.1-userdel-helpfix.patch
|
||||
Patch19: shadow-4.2.1-date-parsing.patch
|
||||
Patch21: shadow-4.6-move-home.patch
|
||||
Patch22: shadow-4.6-audit-update.patch
|
||||
Patch23: shadow-4.5-usermod-unlock.patch
|
||||
Patch24: shadow-4.2.1-no-lock-dos.patch
|
||||
Patch28: shadow-4.6-selinux-perms.patch
|
||||
Patch29: shadow-4.2.1-null-tm.patch
|
||||
Patch31: shadow-4.6-getenforce.patch
|
||||
Patch32: shadow-4.5-crypt_h.patch
|
||||
Patch33: shadow-4.5-long-entry.patch
|
||||
Patch34: shadow-4.6-usermod-crash.patch
|
||||
Patch35: shadow-4.6-coverity.patch
|
||||
Patch36: shadow-4.6-use-itstool.patch
|
||||
Patch37: shadow-4.6-sssd-flush.patch
|
||||
Patch38: shadow-4.6-sysugid-min-limit.patch
|
||||
Patch39: shadow-4.6-chgrp-guard.patch
|
||||
Patch40: shadow-4.6-ignore-login-prompt.patch
|
||||
Patch41: shadow-4.6-use-lckpwdf.patch
|
||||
# Upstreamed
|
||||
Patch42: shadow-4.6-regular-user.patch
|
||||
# Upstreamed
|
||||
Patch43: shadow-4.6-home_mode-directive.patch
|
||||
# Upstreamed
|
||||
Patch44: shadow-4.6-check-local-groups.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/e84df9e163e133eb11a2728024ff3e3440592cf8
|
||||
Patch45: shadow-4.6-sssd-redirect-warning.patch
|
||||
# Unused option in Fedora/RHEL - non upstreamable
|
||||
Patch46: shadow-4.6-remove-login-string-references.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
|
||||
Patch47: shadow-4.6-usermod-allow-all-group-types.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a052b988b01a71933b67296e68
|
||||
# https://github.com/shadow-maint/shadow/commit/607f1dd549cf9abc87af1cf29275f0d2d11eea29
|
||||
# https://github.com/shadow-maint/shadow/commit/b5fb1b38eea2fb0489ed088c82daf6700e72363e
|
||||
# https://github.com/shadow-maint/shadow/commit/43a917cce54019799a8de037fd63780a2b640afc
|
||||
Patch48: shadow-4.6-libsubid_creation.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/514c1328b6c90d817ae0a9f7addfb3c9a11a275a
|
||||
# https://github.com/shadow-maint/shadow/commit/8492dee6632e340dee76eee895c3e30877bebf45
|
||||
# https://github.com/shadow-maint/shadow/commit/0f4347d1483191b2142546416a9eefe0c9459600
|
||||
Patch49: shadow-4.6-libsubid_nsswitch_support.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/186b1b7ac1a68d0fcc618a22da1a99232b420911
|
||||
Patch50: shadow-4.6-man-mention-nss-in-newuidmap.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/f9831a4a1a20b0e8fe47cc72ec20018ec04dbb90
|
||||
Patch51: shadow-4.6-libsubid_not_print_error_messages.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/c6cab4a7bafa18d9d65a333cac1261e7b5e32bc9
|
||||
Patch52: shadow-4.6-libsubid_init_return_false.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/2f1f45d64fc7c10e7a3cbe00e89f63714343e526
|
||||
Patch53: shadow-4.6-useradd_SUB_UID_COUNT-0.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/ea7af4e1543c63590d4107ae075fea385028997d
|
||||
Patch54: shadow-4.6-libsubid_simplify_ranges_variable.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/0fe42f571c69f0105d31305f995c9887aeb9525e
|
||||
Patch55: shadow-4.6-libsubid_init_not_print_error_messages.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/ec1951c181faed188464396b2cfdd2efb726c7f3
|
||||
Patch56: shadow-4.6-libsubid_fix_newusers_nss_provides_subids.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/087112244327be50abc24f9ec8afbf60ae8b2dec
|
||||
# https://github.com/shadow-maint/shadow/pull/353
|
||||
Patch57: shadow-4.6-man_clarify_subid_delegation.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/bd920ab36a6c641e4a8769f8c7f8ca738ec61820
|
||||
Patch58: shadow-4.6-libsubid_make_logfd_not_extern.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/0dffc7c61200f492eeac03c29fa7e93b62d3cead
|
||||
Patch59: shadow-4.6-useradd_dont_try_to_create_0_subuids.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/77e39de1e6cbd6925f16bb260abb7d216296886b
|
||||
Patch60: shadow-4.6-install_subid_h.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/fa986b1d73605ecca54a4f19249227aeab827bf6
|
||||
Patch61: shadow-4.6-respect_enable_static_no.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
|
||||
Patch62: shadow-4.6-getsubids.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
|
||||
Patch63: shadow-4.6-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
|
||||
Patch64: shadow-4.9-subordinateio-compare-owner-ID.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/e0524e813a3bae2891b33a66f35876841c11cee7
|
||||
Patch65: shadow-4.6-useradd-check-if-subid-range-exists.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/baae5b4a06c905d9f52ed1f922a0d7d0625d11cf
|
||||
Patch66: shadow-4.6-skip-over-reserved-ids.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
|
||||
Patch67: shadow-4.6-gpasswd-fix-password-leak.patch
|
||||
Patch68: shadow-4.6-salt-remove-rounds.patch
|
||||
# Misc manual page changes - non-upstreamable
|
||||
Patch0: shadow-4.15.0-manfix.patch
|
||||
# Date parsing improvement - could be upstreamed
|
||||
Patch1: shadow-4.15.0-date-parsing.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/d8e6a8b99b4d844328d875287babf6e13860d464
|
||||
Patch2: shadow-4.15.0-sast-fixes.patch
|
||||
# Audit message changes - partially upstreamed
|
||||
Patch3: shadow-4.15.0-audit-update.patch
|
||||
# Probably non-upstreamable
|
||||
Patch4: shadow-4.15.0-account-tools-setuid.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/ead55e9ba8958504e23e29545f90c4dd925c7462
|
||||
Patch5: shadow-4.15.0-getdef-spurious-error.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/903593249630054ab5df327481f7386f718088cc
|
||||
Patch6: shadow-4.15.0-useradd-fix-write-full-return.patch
|
||||
|
||||
License: BSD and GPLv2+
|
||||
Group: System Environment/Base
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libselinux-devel >= 1.25.2-1
|
||||
BuildRequires: audit-libs-devel >= 1.6.5
|
||||
BuildRequires: libsemanage-devel
|
||||
BuildRequires: libacl-devel, libattr-devel
|
||||
BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
|
||||
BuildRequires: autoconf, automake, libtool, gettext-devel
|
||||
BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
|
||||
Requires: libselinux >= 1.25.2-1
|
||||
### Dependencies ###
|
||||
Requires: audit-libs >= 1.6.5
|
||||
Requires: libselinux >= 1.25.2-1
|
||||
Requires: pam-libs
|
||||
Requires: setup
|
||||
Requires(pre): coreutils
|
||||
Requires(post): coreutils
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
### Build Dependencies ###
|
||||
BuildRequires: audit-libs-devel >= 1.6.5
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: bison
|
||||
BuildRequires: docbook-dtds
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: git
|
||||
BuildRequires: itstool
|
||||
BuildRequires: libacl-devel
|
||||
BuildRequires: libattr-devel
|
||||
BuildRequires: libeconf-devel
|
||||
BuildRequires: libselinux-devel >= 1.25.2-1
|
||||
BuildRequires: libsemanage-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: make
|
||||
BuildRequires: pam-devel
|
||||
|
||||
### Provides ###
|
||||
Provides: shadow = %{epoch}:%{version}-%{release}
|
||||
Provides: passwd = 0.80-18
|
||||
Obsoletes: passwd <= 0.80-19
|
||||
|
||||
%description
|
||||
The shadow-utils package includes the necessary programs for
|
||||
@ -150,69 +97,16 @@ Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
|
||||
Development files for shadow-utils-subid.
|
||||
|
||||
%prep
|
||||
%setup -q -n shadow-%{version}
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch1 -p1 -b .goodname
|
||||
%patch2 -p1 -b .info-parent-dir
|
||||
%patch6 -p1 -b .selinux
|
||||
%patch10 -p1 -b .orig-context
|
||||
%patch11 -p1 -b .logmsg
|
||||
%patch14 -p1 -b .default-range
|
||||
%patch15 -p1 -b .manfix
|
||||
%patch17 -p1 -b .userdel
|
||||
%patch19 -p1 -b .date-parsing
|
||||
%patch21 -p1 -b .move-home
|
||||
%patch22 -p1 -b .audit-update
|
||||
%patch23 -p1 -b .unlock
|
||||
%patch24 -p1 -b .no-lock-dos
|
||||
%patch28 -p1 -b .selinux-perms
|
||||
%patch29 -p1 -b .null-tm
|
||||
%patch31 -p1 -b .getenforce
|
||||
%patch32 -p1 -b .crypt_h
|
||||
%patch33 -p1 -b .long-entry
|
||||
%patch34 -p1 -b .usermod-crash
|
||||
%patch35 -p1 -b .coverity
|
||||
%patch36 -p1 -b .use-itstool
|
||||
%patch37 -p1 -b .sssd-flush
|
||||
%patch38 -p1 -b .sysugid-min-limit
|
||||
%patch39 -p1 -b .chgrp-guard
|
||||
%patch40 -p1 -b .login-prompt
|
||||
%patch41 -p1 -b .use-lckpwdf
|
||||
%patch42 -p1 -b .regular-user
|
||||
%patch43 -p1 -b .home_mode-directive
|
||||
%patch44 -p1 -b .check-local-groups
|
||||
%patch45 -p1 -b .sssd-redirect-warning
|
||||
%patch46 -p1 -b .remove-login-string-references
|
||||
%patch47 -p1 -b .usermod-allow-all-group-types
|
||||
%patch48 -p1 -b .libsubid_creation
|
||||
%patch49 -p1 -b .libsubid_nsswitch_support
|
||||
%patch50 -p1 -b .man-mention-nss-in-newuidmap
|
||||
%patch51 -p1 -b .libsubid_not_print_error_messages
|
||||
%patch52 -p1 -b .libsubid_init_return_false
|
||||
%patch53 -p1 -b .useradd_SUB_UID_COUNT-0
|
||||
%patch54 -p1 -b .libsubid_simplify_ranges_variable
|
||||
%patch55 -p1 -b .libsubid_init_not_print_error_messages
|
||||
%patch56 -p1 -b .libsubid_fix_newusers_nss_provides_subids
|
||||
%patch57 -p1 -b .man_clarify_subid_delegation
|
||||
%patch58 -p1 -b .libsubid_make_logfd_not_extern
|
||||
%patch59 -p1 -b .useradd_dont_try_to_create_0_subuids
|
||||
%patch60 -p1 -b .install_subid_h
|
||||
%patch61 -p1 -b .respect_enable_static_no
|
||||
%patch62 -p1 -b .getsubids
|
||||
%patch63 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
|
||||
%patch64 -p1 -b .subordinateio-compare-owner-ID
|
||||
%patch65 -p1 -b .useradd-check-if-subid-range-exists
|
||||
%patch66 -p1 -b .skip-over-reserved-ids
|
||||
%patch67 -p1 -b .gpasswd-fix-password-leak
|
||||
%patch68 -p1 -b .salt-remove-rounds
|
||||
%autosetup -p 1 -S git -n shadow-%{version}
|
||||
|
||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||
|
||||
cp -a %{SOURCE4} %{SOURCE5} .
|
||||
cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
|
||||
|
||||
# Force regeneration of getdate.c
|
||||
rm libmisc/getdate.c
|
||||
rm lib/getdate.c
|
||||
|
||||
%build
|
||||
%ifarch sparc64
|
||||
@ -229,75 +123,82 @@ autoreconf
|
||||
--enable-shadowgrp \
|
||||
--enable-man \
|
||||
--with-audit \
|
||||
--with-libpam \
|
||||
--with-sha-crypt \
|
||||
--with-bcrypt \
|
||||
--with-yescrypt \
|
||||
--with-selinux \
|
||||
--without-libbsd \
|
||||
--without-libcrack \
|
||||
--without-libpam \
|
||||
--without-nscd \
|
||||
--without-sssd \
|
||||
--enable-shared \
|
||||
--with-group-name-max-length=32
|
||||
--with-group-name-max-length=32 \
|
||||
--enable-lastlog \
|
||||
--enable-logind=no \
|
||||
--disable-account-tools-setuid
|
||||
%make_build
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
|
||||
install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
|
||||
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
|
||||
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
|
||||
%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
|
||||
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
|
||||
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
|
||||
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
|
||||
install -d -m 755 $RPM_BUILD_ROOT%{_pam_confdir}
|
||||
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pam_confdir}/passwd
|
||||
|
||||
|
||||
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
|
||||
ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
|
||||
for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
|
||||
ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
|
||||
for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
|
||||
test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
|
||||
done
|
||||
|
||||
# Remove binaries we don't use.
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/chfn
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/chsh
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/expiry
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/groups
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/login
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/passwd
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/su
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/faillog
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
|
||||
rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
|
||||
rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/chfn
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/chsh
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/expiry
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/groups
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/login
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/su
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/faillog
|
||||
rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
|
||||
rm $RPM_BUILD_ROOT%{_sbindir}/nologin
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
|
||||
|
||||
# Remove PAM service files we don't use.
|
||||
rm $RPM_BUILD_ROOT%{_pam_confdir}/chfn
|
||||
rm $RPM_BUILD_ROOT%{_pam_confdir}/chpasswd
|
||||
rm $RPM_BUILD_ROOT%{_pam_confdir}/chsh
|
||||
rm $RPM_BUILD_ROOT%{_pam_confdir}/groupmems
|
||||
rm $RPM_BUILD_ROOT%{_pam_confdir}/login
|
||||
rm $RPM_BUILD_ROOT%{_pam_confdir}/newusers
|
||||
rm $RPM_BUILD_ROOT%{_pam_confdir}/su
|
||||
|
||||
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
|
||||
%find_lang shadow
|
||||
@ -310,18 +211,20 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
|
||||
done
|
||||
|
||||
# Move header files to its own folder
|
||||
echo $(ls)
|
||||
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
|
||||
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
|
||||
|
||||
# Remove .la files created by libsubid
|
||||
# Remove .la and .a files created by libsubid
|
||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
|
||||
|
||||
%files -f shadow.lang
|
||||
%doc NEWS doc/HOWTO README
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license gpl-2.0.txt shadow-bsd.txt
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
|
||||
%config(noreplace) %{_pam_confdir}/passwd
|
||||
%{_bindir}/sg
|
||||
%attr(4755,root,root) %{_bindir}/chage
|
||||
%attr(4755,root,root) %{_bindir}/gpasswd
|
||||
@ -329,6 +232,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
%attr(4755,root,root) %{_bindir}/newgrp
|
||||
%attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap
|
||||
%attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap
|
||||
%attr(4755,root,root) %{_bindir}/passwd
|
||||
%{_sbindir}/adduser
|
||||
%attr(0755,root,root) %{_sbindir}/user*
|
||||
%attr(0755,root,root) %{_sbindir}/group*
|
||||
@ -346,6 +250,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
%{_mandir}/man1/newgrp.1*
|
||||
%{_mandir}/man1/newgidmap.1*
|
||||
%{_mandir}/man1/newuidmap.1*
|
||||
%{_mandir}/man1/passwd.*
|
||||
%{_mandir}/man3/shadow.3*
|
||||
%{_mandir}/man5/shadow.5*
|
||||
%{_mandir}/man5/login.defs.5*
|
||||
@ -375,97 +280,285 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
%{_libdir}/libsubid.so
|
||||
|
||||
%changelog
|
||||
* Tue Nov 21 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-22
|
||||
- salt: remove rounds from salt string. Resolves: RHEL-16668
|
||||
* Mon Nov 4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-5
|
||||
- Disable nscd. Resolves: RHEL-56355
|
||||
- useradd: fix write_full() return value
|
||||
|
||||
* Thu Nov 2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-21
|
||||
- login.defs: include SHA_CRYPT_MAX_ROUNDS. Resolves: RHEL-15024
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2:4.15.0-4
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
||||
* Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-19
|
||||
- gpasswd: fix password leak. Resolves: #2215947
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2:4.15.0-3
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Wed May 17 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-18
|
||||
- Update patch to close label to reset libselinux state. Resolves: #1984740
|
||||
- useradd: check if subid range exists for user. Resolves: #2012929
|
||||
- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #1994269
|
||||
* Tue Jun 18 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-2
|
||||
- Fix static analyzer detected issues. Resolves: RHEL-35383
|
||||
|
||||
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-17
|
||||
- subordinateio: also compare the owner ID. Resolves: #2093311
|
||||
* Wed Apr 3 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-1
|
||||
- Rebase to version 4.15.0
|
||||
- getdef: avoid spurious error messages about unknown configuration options
|
||||
|
||||
* Mon Feb 12 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-6
|
||||
- Build linking `libpam`
|
||||
|
||||
* Thu Feb 1 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-5
|
||||
- passwd: Provide binary from this package. Enable libpam and
|
||||
disable account-tools-setuid. Provide passwd PAM service file.
|
||||
Resolves: #2233275
|
||||
- passwd: provide --stdin option
|
||||
|
||||
* Mon Jan 29 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-4
|
||||
- Disable SSSD support. Resolves: #2253182
|
||||
|
||||
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.14.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Tue Oct 3 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-2
|
||||
- useradd: Set proper SELinux labels for def_usrtemplate
|
||||
|
||||
* Wed Aug 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-1
|
||||
- Rebase to version 4.14.0. Resolves: #2229000
|
||||
|
||||
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Tue Jun 06 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 2:4.13-7
|
||||
- Remove unused libbsd-devel dependency
|
||||
|
||||
* Mon Mar 6 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-6
|
||||
- Add libbsd-devel and libeconf-devel as build dependencies
|
||||
|
||||
* Thu Mar 2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-5
|
||||
- newuidmap and newgidmap: support passing pid as fd. Resolves: #2174752
|
||||
|
||||
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Wed Nov 23 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-3
|
||||
- Change SUB_UID_MIN and SUB_GID_MIN to 524288. Resolves: #2144558
|
||||
|
||||
* Mon Nov 21 2022 Florian Weimer <fweimer@redhat.com> - 2:4.13-2
|
||||
- Fix gshadow configure check (switching to glibc implementation)
|
||||
|
||||
* Wed Nov 9 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-1
|
||||
- Rebase to version 4.13
|
||||
- SPDX license migration
|
||||
|
||||
* Wed Oct 5 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-3
|
||||
- chage: Fix regression in print_date. Resolves: #2129336
|
||||
|
||||
* Fri Sep 9 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-2
|
||||
- useradd: Do not reset non-existent data in {last,fail}log
|
||||
|
||||
* Mon Aug 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-1
|
||||
- Rebase to version 4.12.3. Resolves: #2117809
|
||||
|
||||
* Mon Aug 1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
|
||||
- useradd: modify check ID range for system users. Resolves: #2093692
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
|
||||
- Fix explicit subid requirement for subid-devel
|
||||
|
||||
* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
|
||||
- Rebase to version 4.11.1 (#2034038)
|
||||
- Fix release sources
|
||||
- Add subid requirement for subid-devel
|
||||
- Add explicit subid requirement for subid-devel
|
||||
|
||||
* Thu Dec 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-16
|
||||
- getsubids: provide system binary and man page. Resolves: #2013016
|
||||
- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #1986782
|
||||
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Tue Oct 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-15
|
||||
- Creation of subid and subid-devel subpackages (#2013009)
|
||||
- libsubid: creation and nsswitch support
|
||||
* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
|
||||
- nss: get shadow_logfd with log_get_logfd() (#2038811)
|
||||
- lib: make shadow_logfd and Prog not extern
|
||||
- lib: rename Prog to shadow_progname
|
||||
- lib: provide default values for shadow_progname
|
||||
- libsubid: use log_set_progname in subid_init
|
||||
|
||||
* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
|
||||
- getsubids: provide system binary and man page (#1980780)
|
||||
- pwck: fix segfault when calling fprintf() (#2021339)
|
||||
- newgrp: fix segmentation fault (#2019553)
|
||||
- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
|
||||
|
||||
* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
|
||||
- useradd: change SELinux labels for home files (#2022658)
|
||||
|
||||
* Thu Nov 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
|
||||
- useradd: revert fix memleak of grp (#2018697)
|
||||
|
||||
* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
|
||||
- useradd: generate home and mail directories with selinux user attribute
|
||||
|
||||
* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
|
||||
- login.defs: include HMAC_CRYPTO_ALGO key
|
||||
- Clean spec file: organize dependencies and move License location
|
||||
|
||||
* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
|
||||
- libmisc: fix default value in SHA_get_salt_rounds()
|
||||
|
||||
* Mon Aug 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
|
||||
- useradd: avoid generating an empty subid range (#1990653)
|
||||
|
||||
* Wed Aug 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
|
||||
- Rebase to version 4.9
|
||||
- usermod: allow all group types with -G option (#1975327)
|
||||
- Clean spec file
|
||||
|
||||
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
|
||||
- Add patch to fix 'fread returns element count, not element size'
|
||||
|
||||
* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
|
||||
- Fix regression issues detected in rhbz#667593 and rhbz#672510
|
||||
|
||||
* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
|
||||
- Enable bcrypt support, as libxcrypt supports it well
|
||||
|
||||
* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
|
||||
- Add a patch to obtain random bytes using getentropy()
|
||||
- Update shadow-4.8-crypt_h.patch with the upstreamed version
|
||||
- Add a patch to make use of crypt_gensalt() from libxcrypt
|
||||
|
||||
* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
|
||||
- useradd: free correct pointer (#1976809)
|
||||
|
||||
* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
|
||||
- Add a patch to fix the used prefix for the bcrypt hash method
|
||||
- Add a patch to cleanup the code in libmisc/salt.c
|
||||
- Add a patch adding some clarifying comments in libmisc/salt.c
|
||||
- Add a patch to obtain random bytes from /dev/urandom
|
||||
|
||||
* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
|
||||
- Covscan fixes
|
||||
|
||||
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
|
||||
- Backport support for yescrypt hash method
|
||||
- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
|
||||
|
||||
* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
|
||||
- libsubid: don't print error messages on stderr by default
|
||||
- libsubid: libsubid_init return false if out of memory
|
||||
- useradd: fix SUB_UID_COUNT=0
|
||||
- libsubid: don't return owner in list_owner_ranges API call
|
||||
- libsubid: libsubid_init don't print messages on error
|
||||
- libsubid: fix newusers when nss provides subids
|
||||
- libsubid: make shadow_logfd not extern
|
||||
- useradd: fix SUB_UID_COUNT=0
|
||||
- man: mention NSS in new[ug]idmap manpages
|
||||
- man: clarify subid delegation
|
||||
- libsubid: make shadow_logfd not extern
|
||||
|
||||
* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-14
|
||||
- usermod: allow all group types with -G option (#1967641)
|
||||
* Thu May 6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
|
||||
- man: mention NSS in new[ug]idmap manpages
|
||||
- libsubid: move development header to shadow folder
|
||||
|
||||
* Mon May 3 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-13
|
||||
- man: Remove references to LOGIN_STRING in login.defs (#1884702)
|
||||
* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
|
||||
- libsubid: creation and nsswitch support
|
||||
- Creation of subid and subid-devel subpackages
|
||||
|
||||
* Fri Oct 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-12
|
||||
- lib/sssd: redirect warning message to file (#1749001)
|
||||
- useradd: clarify valid usernames/groupnames (#1869432)
|
||||
- login.defs: link login specific information to its own package (#1804766)
|
||||
* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
|
||||
- man: include lastlog file caveat (#951564)
|
||||
- Upstream links to several patches
|
||||
- Spec file cleanup by Robert Scheck
|
||||
- Add BuildRequires: make by Tom Stellard
|
||||
|
||||
* Fri Aug 7 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-11
|
||||
- change UMASK value and add HOME_MODE in login.defs (#1777718)
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Tue May 5 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-10
|
||||
- check only local groups when adding new supplementary groups to a user
|
||||
* Mon Nov 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
|
||||
- commonio: force lock file sync (#1862056)
|
||||
|
||||
* Fri Apr 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-9
|
||||
- do not mistake a regular user process for a namespaced one (#1788696)
|
||||
- add HOME_MODE support in login.defs (#1777718)
|
||||
* Tue Nov 3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
|
||||
- Rebuild with libsemanage.so.2
|
||||
|
||||
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-8
|
||||
- properly audit group password change
|
||||
- do not add uid of a new (not yet added) user to the audit message
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
|
||||
- check only local groups when adding new supplementary groups to a user (#1727236)
|
||||
|
||||
* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
|
||||
- useradd: clarify the useradd -d parameter behavior in man page
|
||||
|
||||
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-1
|
||||
- updated upstream to 4.8.1
|
||||
|
||||
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-5
|
||||
- synchronized login.defs with upstream file (#1261099 and #1807957)
|
||||
|
||||
* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
|
||||
- fix useradd: doesn't generate spool mail with the proper SELinux user identity
|
||||
(#1690527)
|
||||
|
||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jan 16 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-2
|
||||
- make the invalid shell check into warning
|
||||
|
||||
* Mon Jan 13 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-1
|
||||
- update to current upstream release 4.8
|
||||
|
||||
* Mon Sep 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16
|
||||
- fix SELinux related problem in chpasswd/chgpasswd when run with -R
|
||||
(patch by Petr Lautrbach) (#1747215)
|
||||
|
||||
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-15
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-14
|
||||
- minor auditing fixes
|
||||
|
||||
* Fri May 3 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-13
|
||||
- use lckpwdf() again to disable concurrent edits of databases by
|
||||
other applications
|
||||
- clarify chage manual page in regards to shadow and passwd
|
||||
inconsistency
|
||||
- fix minor issues in groupadd and login.defs manual pages
|
||||
- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
|
||||
|
||||
* Tue Apr 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-12
|
||||
- force regeneration of getdate.c otherwise the date parsing fix
|
||||
is not applied
|
||||
|
||||
* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-7
|
||||
* Fri Mar 22 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-11
|
||||
- clarify chage manual page in regards to shadow and passwd
|
||||
inconsistency (#1686440)
|
||||
|
||||
* Thu Mar 21 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-10
|
||||
- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
|
||||
|
||||
* Thu Mar 7 2019 Tim Landscheidt <tim@tim-landscheidt.de> - 2:4.6-9
|
||||
- Remove obsolete requirements for post/pre scriptlets
|
||||
|
||||
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2:4.6-7
|
||||
- Rebuilt for libcrypt.so.2 (#1666033)
|
||||
|
||||
* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
|
||||
- usermod: guard against unsafe change of ownership of
|
||||
special home directories
|
||||
|
||||
* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
|
||||
- drop trailing space from login.defs ENCRYPT_METHOD setting
|
||||
|
||||
* Mon Nov 19 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-5
|
||||
- use itstool instead of xml2po
|
||||
|
||||
* Tue Nov 6 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
|
||||
- use cap_setxid file capabilities for newxidmap instead of making them setuid
|
||||
- limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0
|
||||
and the 0 is always used by root anyway
|
||||
- manual page improvements
|
||||
|
||||
* Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
|
||||
- fix some issues from Coverity scan
|
||||
- flush sssd caches - patch by Jakub Hrozek
|
||||
|
||||
* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
|
||||
- fix some issues from Coverity scan
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-2
|
||||
- use itstool instead of xml2po
|
||||
* Mon May 28 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
|
||||
- update to current upstream release 4.6
|
||||
|
||||
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
|
||||
- Update to current upstream release 4.6
|
||||
* Fri Apr 20 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-10
|
||||
- Raise limit for passwd and shadow entry length but also prevent
|
||||
writing longer entries (#1422497)
|
||||
|
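--- a/sources
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (shadow-4.15.0.tar.xz) = 88d72fb706f6792b460c14a9b1b42fe0b5962834ec3793f296cbc138807736b5ad73d3f802cda74db740a71545eb1c8ec47447c2250299eb730ed2b2674e2249
+SHA512 (shadow-4.15.0.tar.xz.asc) = 0a39d6a45b7d8df12aade89ed9fc9d481c91297dbd34e85fe831426c1d0051cbcf8478759306b8871cd6b1835604c5836decf398d0165c50ac52fee365561446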
77
tests/sanity/Makefile
Normal file
77
tests/sanity/Makefile
Normal file
@ -0,0 +1,77 @@
|
||||
# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material
|
||||
# is made available to anyone wishing to use, modify, copy, or
|
||||
# redistribute it subject to the terms and conditions of the GNU General
|
||||
# Public License v.2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
# PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# Author: Jakub Hrozek
|
||||
|
||||
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
|
||||
# Example Makefile for RHTS #
|
||||
# This example is geared towards a test for a specific package #
|
||||
# It does most of the work for you, but may require further coding #
|
||||
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
|
||||
|
||||
# The toplevel namespace within which the test lives.
|
||||
TOPLEVEL_NAMESPACE=CoreOS
|
||||
|
||||
# The name of the package under test:
|
||||
PACKAGE_NAME=shadow-utils
|
||||
|
||||
# The path of the test below the package:
|
||||
RELATIVE_PATH=sanity
|
||||
|
||||
# Version of the Test. Used with make tag.
|
||||
export TESTVERSION=1.1
|
||||
|
||||
# The combined namespace of the test.
|
||||
export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
|
||||
|
||||
# A phony target is one that is not really the name of a file.
|
||||
# It is just a name for some commands to be executed when you
|
||||
# make an explicit request. There are two reasons to use a
|
||||
# phony target: to avoid a conflict with a file of the same
|
||||
# name, and to improve performance.
|
||||
.PHONY: all install download clean
|
||||
|
||||
# Executables to be built should be added here, they will be generated on the system under test.
|
||||
BUILT_FILES=
|
||||
|
||||
# Data files, .c files, scripts anything needed to either compile the test and/or run it.
|
||||
FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x ./sanity_test.py
|
||||
chmod a+x ./runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ *.rpm $(BUILT_FILES)
|
||||
|
||||
# Include Common Makefile
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
# Generate the testinfo.desc here:
|
||||
$(METADATA): Makefile
|
||||
@touch $(METADATA)
|
||||
@echo "Owner: Jakub Hrozek <jhrozek@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "License: GNU GPL" >> $(METADATA)
|
||||
@echo "Description: Basic sanity test for shadow-utils" >> $(METADATA)
|
||||
@echo "TestTime: 5m" >> $(METADATA)
|
||||
@echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA)
|
||||
@echo "Requires: $(PACKAGE_NAME)" >> $(METADATA)
|
||||
@echo "Requires: python" >> $(METADATA)
|
||||
rhts-lint $(METADATA)
|
||||
|
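Review bot: `.PHONY: all install download clean` declares three targets this Makefile never defines while leaving out the two it does define, `run` and `build`; a stray file named `run` or `build` in the test directory would make those targets look up to date and silently skip `./runtest.sh` and the `chmod` steps. Change the line to `.PHONY: run build clean` (keep `all install download` only if `/usr/share/rhts/lib/rhts-make.include`, which is not visible here, defines them). The recipe lines (`./runtest.sh`, the `chmod` and `rm` commands, the `@echo` block) must be tab-indented to be valid make syntax; this rendering drops leading whitespace, so it cannot be confirmed from the page.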
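--- a/tests/sanity/PURPOSE
+++ b/tests/sanity/PURPOSE
@@ -0,0 +1,10 @@
+This is a basic sanity test for the shadow-utils package. It is implemented
+in python on top of the unittesting.py module.
+
+Its purpose is to ensure that the binaries in the shadow-utils package behave
+as expected and its switches/options work correctly.
+
+For the most part, every binary in the shadow-utils package is represented by
+a single class named Test<BinaryName>, i.e. TestUsermod etc. There are some
+exceptions, like TestUseraddWeirdNameTest though.
+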
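--- a/tests/sanity/runtest.sh
+++ b/tests/sanity/runtest.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlFileBackup --clean /etc/default/useradd- /etc/default/useradd
+setenforce 0
+python sanity_test.py -v
+setenforce 1
+rlFileRestore
+
+EXIT=$?
+if [[ $EXIT -eq 0 ]]; then
+RESULT="PASS"
+else
+RESULT="FAIL"
+fi
+
+
+rlJournalEnd
+
+echo "Result: $RESULT"
+echo "Exit: $EXIT"
+report_result $TEST $RESULT $EXIT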
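Review bot: `EXIT=$?` captures the status of `rlFileRestore`, the command immediately before it, not of `python sanity_test.py -v`, so `RESULT` and the exit code passed to `report_result` say whether the backup was restored rather than whether the sanity test passed. Capture the status right after the test runs, before `setenforce 1`: `python sanity_test.py -v` followed on the next line by `EXIT=$?`. The `setenforce 0` / `setenforce 1` pair also assumes the host was enforcing beforehand; saving `MODE=$(getenforce)` first and restoring that value at the end leaves the host's SELinux state as it was found, including when the test itself fails. Quoting the expansions in `report_result "$TEST" "$RESULT" "$EXIT"` avoids word splitting if any of them is empty.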
1013
tests/sanity/sanity_test.py
Executable file
1013
tests/sanity/sanity_test.py
Executable file
File diff suppressed because it is too large
13
tests/tests.yml
Normal file
13
tests/tests.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
# This first play always runs on the local staging system
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- classic
|
||||
- atomic
|
||||
tests:
|
||||
- sanity
|
||||
required_packages:
|
||||
- shadow-utils # sanity test needs shadow-utils
|
||||
- python # sanity test needs python
|
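Review bot: `required_packages` lists the unversioned `python` package, and `runtest.sh` in the same commit invokes `python sanity_test.py -v`; on hosts where only a `python3` package and interpreter exist, the role fails to install the requirement before the test starts. If the sanity test has been ported to Python 3, change the entry to `- python3 # sanity test needs python` and the interpreter in `runtest.sh` to match; if it has not, that port is the prerequisite. Whether the target release still ships an unversioned `python` is not visible from this page, so please confirm against the branch being compared.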