Compare commits

...

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

87 changed files with 2957 additions and 10080 deletions

19
.gitignore vendored
View File

@ -1 +1,18 @@
SOURCES/shadow-4.6.tar.xz
shadow-4.1.4.2.tar.bz2
/shadow-4.1.4.3.tar.bz2
/shadow-4.1.5.tar.bz2
/shadow-4.1.5.1.tar.bz2
/shadow-4.1.5.1.tar.bz2.sig
/shadow-4.2.1.tar.xz
/shadow-4.2.1.tar.xz.sig
/shadow-4.3.1.tar.gz
/shadow-4.5.tar.xz
/shadow-4.5.tar.xz.asc
/shadow-4.6.tar.xz
/shadow-4.6.tar.xz.asc
/shadow-4.8.tar.xz
/shadow-4.8.tar.xz.asc
/shadow-4.8.1.tar.xz
/shadow-4.8.1.tar.xz.asc
/shadow-4.9.tar.xz
/shadow-4.9.tar.xz.asc

View File

@ -1 +0,0 @@
0b84eb1010fda5edca2a9d1733f9480200e02de6 SOURCES/shadow-4.6.tar.xz

View File

@ -1,21 +0,0 @@
Index: shadow-4.5/man/newusers.8.xml
===================================================================
--- shadow-4.5.orig/man/newusers.8.xml
+++ shadow-4.5/man/newusers.8.xml
@@ -218,7 +218,15 @@
<para>
If this field does not specify an existing directory, the
specified directory is created, with ownership set to the
- user being created or updated and its primary group.
+ user being created or updated and its primary group. Note
+ that newusers does not create parent directories of the new
+ user's home directory. The newusers command will fail to
+ create the home directory if the parent directories do not
+ exist, and will send a message to stderr informing the user
+ of the failure. The newusers command will not halt or return
+ a failure to the calling shell if it fails to create the home
+ directory, it will continue to process the batch of new users
+ specified.
</para>
<para>
If the home directory of an existing user is changed,

View File

@ -1,13 +0,0 @@
Index: shadow-4.5/src/useradd.c
===================================================================
--- shadow-4.5.orig/src/useradd.c
+++ shadow-4.5/src/useradd.c
@@ -323,7 +323,7 @@ static void fail_exit (int code)
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_FAILURE);
#endif
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
exit (code);
}

View File

@ -1,16 +0,0 @@
Index: shadow-4.5/src/userdel.c
===================================================================
--- shadow-4.5.orig/src/userdel.c
+++ shadow-4.5/src/userdel.c
@@ -143,8 +143,9 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -f, --force force removal of files,\n"
- " even if not owned by user\n"),
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
+ " e.g. removal of user still logged in\n"
+ " or files, even if not owned by the user\n"),
usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);

View File

@ -1,16 +0,0 @@
Index: shadow-4.5/lib/commonio.c
===================================================================
--- shadow-4.5.orig/lib/commonio.c
+++ shadow-4.5/lib/commonio.c
@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
int retval;
char buf[32];
- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
+ /* We depend here on the fact, that the file name is pid-specific.
+ * So no O_EXCL here and no DoS.
+ */
+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
if (-1 == fd) {
if (log) {
(void) fprintf (stderr,

View File

@ -1,41 +0,0 @@
Index: shadow-4.5/configure.ac
===================================================================
--- shadow-4.5.orig/configure.ac
+++ shadow-4.5/configure.ac
@@ -32,9 +32,9 @@ AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_HEADER_STDBOOL
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
attr/error_context.h)
Index: shadow-4.5/lib/defines.h
===================================================================
--- shadow-4.5.orig/lib/defines.h
+++ shadow-4.5/lib/defines.h
@@ -4,6 +4,8 @@
#ifndef _DEFINES_H_
#define _DEFINES_H_
+#include "config.h"
+
#if HAVE_STDBOOL_H
# include <stdbool.h>
#else
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
# include <unistd.h>
#endif
+#if HAVE_CRYPT_H
+# include <crypt.h> /* crypt(3) may be defined in here */
+#endif
+
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>

View File

@ -1,642 +0,0 @@
From 140510de9de4771feb3af1d859c09604043a4c9b Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Fri, 27 Mar 2020 14:23:02 +0100
Subject: [PATCH 1/2] usermod: check only local groups with -G option
Check only local groups when adding new supplementary groups to a user
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
---
src/usermod.c | 220 ++++++++++++++++++++++++++++++++------------------
1 file changed, 143 insertions(+), 77 deletions(-)
diff --git a/src/usermod.c b/src/usermod.c
index 05b98715..ef430296 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -183,6 +183,7 @@ static bool sub_gid_locked = false;
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
long int date);
static int get_groups (char *);
+static struct group * get_local_group (char * grp_name);
static /*@noreturn@*/void usage (int status);
static void new_pwent (struct passwd *);
static void new_spent (struct spwd *);
@@ -196,7 +197,9 @@ static void grp_update (void);
static void process_flags (int, char **);
static void close_files (void);
+static void close_group_files (void);
static void open_files (void);
+static void open_group_files (void);
static void usr_update (void);
static void move_home (void);
static void update_lastlog (void);
@@ -253,6 +256,11 @@ static int get_groups (char *list)
return 0;
}
+ /*
+ * Open the group files
+ */
+ open_group_files ();
+
/*
* So long as there is some data to be converted, strip off each
* name and look it up. A mix of numerical and string values for
@@ -272,7 +280,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical GID
* values, otherwise the string is looked up as is.
*/
- grp = prefix_getgr_nam_gid (list);
+ grp = get_local_group (list);
/*
* There must be a match, either by GID value or by
@@ -322,6 +330,8 @@ static int get_groups (char *list)
gr_free ((struct group *)grp);
} while (NULL != list);
+ close_group_files ();
+
user_groups[ngroups] = (char *) 0;
/*
@@ -334,6 +344,44 @@ static int get_groups (char *list)
return 0;
}
+/*
+ * get_local_group - checks if a given group name exists locally
+ *
+ * get_local_group() checks if a given group name exists locally.
+ * If the name exists the group information is returned, otherwise NULL is
+ * returned.
+ */
+static struct group * get_local_group(char * grp_name)
+{
+ const struct group *grp;
+ struct group *result_grp = NULL;
+ long long int gid;
+ char *endptr;
+
+ gid = strtoll (grp_name, &endptr, 10);
+ if ( ('\0' != *grp_name)
+ && ('\0' == *endptr)
+ && (ERANGE != errno)
+ && (gid == (gid_t)gid)) {
+ grp = gr_locate_gid ((gid_t) gid);
+ }
+ else {
+ grp = gr_locate(grp_name);
+ }
+
+ if (grp != NULL) {
+ result_grp = __gr_dup (grp);
+ if (NULL == result_grp) {
+ fprintf (stderr,
+ _("%s: Out of memory. Cannot find group '%s'.\n"),
+ Prog, grp_name);
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+
+ return result_grp;
+}
+
#ifdef ENABLE_SUBIDS
struct ulong_range
{
@@ -1447,50 +1495,7 @@ static void close_files (void)
}
if (Gflg || lflg) {
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- sgr_dbname ()));
- /* continue */
- }
- }
-#endif
- if (gr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- gr_dbname ()));
- /* continue */
- }
+ close_group_files ();
}
if (is_shadow_pwd) {
@@ -1559,6 +1564,60 @@ static void close_files (void)
#endif
}
+/*
+ * close_group_files - close all of the files that were opened
+ *
+ * close_group_files() closes all of the files that were opened related
+ * with groups. This causes any modified entries to be written out.
+ */
+static void close_group_files (void)
+{
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ sgr_dbname ()));
+ /* continue */
+ }
+ }
+#endif
+ if (gr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ gr_dbname ()));
+ /* continue */
+ }
+}
+
/*
* open_files - lock and open the password files
*
@@ -1594,38 +1653,7 @@ static void open_files (void)
}
if (Gflg || lflg) {
- /*
- * Lock and open the group file. This will load all of the
- * group entries.
- */
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_lock () == 0)) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#endif
+ open_group_files ();
}
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
@@ -1661,6 +1689,44 @@ static void open_files (void)
#endif /* ENABLE_SUBIDS */
}
+/*
+ * open_group_files - lock and open the group files
+ *
+ * open_group_files() loads all of the group entries.
+ */
+static void open_group_files (void)
+{
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_lock () == 0)) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif
+}
+
/*
* usr_update - create the user entries
*
--
2.25.4
From 8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Mon, 30 Mar 2020 09:08:23 +0200
Subject: [PATCH 2/2] useradd: check only local groups with -G option
Check only local groups when adding new supplementary groups to a user
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
---
src/useradd.c | 234 +++++++++++++++++++++++++++++++++-----------------
1 file changed, 157 insertions(+), 77 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 645d4a40..90210233 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -211,6 +211,7 @@ static void get_defaults (void);
static void show_defaults (void);
static int set_defaults (void);
static int get_groups (char *);
+static struct group * get_local_group (char * grp_name);
static void usage (int status);
static void new_pwent (struct passwd *);
@@ -220,7 +221,10 @@ static void grp_update (void);
static void process_flags (int argc, char **argv);
static void close_files (void);
+static void close_group_files (void);
+static void unlock_group_files (void);
static void open_files (void);
+static void open_group_files (void);
static void open_shadow (void);
static void faillog_reset (uid_t);
static void lastlog_reset (uid_t);
@@ -731,6 +735,11 @@ static int get_groups (char *list)
return 0;
}
+ /*
+ * Open the group files
+ */
+ open_group_files ();
+
/*
* So long as there is some data to be converted, strip off
* each name and look it up. A mix of numerical and string
@@ -749,7 +758,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical
* GID values, otherwise the string is looked up as is.
*/
- grp = prefix_getgr_nam_gid (list);
+ grp = get_local_group (list);
/*
* There must be a match, either by GID value or by
@@ -799,6 +808,9 @@ static int get_groups (char *list)
user_groups[ngroups++] = xstrdup (grp->gr_name);
} while (NULL != list);
+ close_group_files ();
+ unlock_group_files ();
+
user_groups[ngroups] = (char *) 0;
/*
@@ -811,6 +823,44 @@ static int get_groups (char *list)
return 0;
}
+/*
+ * get_local_group - checks if a given group name exists locally
+ *
+ * get_local_group() checks if a given group name exists locally.
+ * If the name exists the group information is returned, otherwise NULL is
+ * returned.
+ */
+static struct group * get_local_group(char * grp_name)
+{
+ const struct group *grp;
+ struct group *result_grp = NULL;
+ long long int gid;
+ char *endptr;
+
+ gid = strtoll (grp_name, &endptr, 10);
+ if ( ('\0' != *grp_name)
+ && ('\0' == *endptr)
+ && (ERANGE != errno)
+ && (gid == (gid_t)gid)) {
+ grp = gr_locate_gid ((gid_t) gid);
+ }
+ else {
+ grp = gr_locate(grp_name);
+ }
+
+ if (grp != NULL) {
+ result_grp = __gr_dup (grp);
+ if (NULL == result_grp) {
+ fprintf (stderr,
+ _("%s: Out of memory. Cannot find group '%s'.\n"),
+ Prog, grp_name);
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+
+ return result_grp;
+}
+
/*
* usage - display usage message and exit
*/
@@ -1530,23 +1580,9 @@ static void close_files (void)
SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
fail_exit (E_PW_UPDATE);
}
- if (do_grp_update) {
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_close () == 0)) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#endif
- }
+
+ close_group_files ();
+
#ifdef ENABLE_SUBIDS
if (is_sub_uid && (sub_uid_close () == 0)) {
fprintf (stderr,
@@ -1587,34 +1623,9 @@ static void close_files (void)
/* continue */
}
pw_locked = false;
- if (gr_unlock () == 0) {
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "unlocking-group-file",
- user_name, AUDIT_NO_ID,
- SHADOW_AUDIT_FAILURE);
-#endif
- /* continue */
- }
- gr_locked = false;
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "unlocking-gshadow-file",
- user_name, AUDIT_NO_ID,
- SHADOW_AUDIT_FAILURE);
-#endif
- /* continue */
- }
- sgr_locked = false;
- }
-#endif
+
+ unlock_group_files ();
+
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_unlock () == 0) {
@@ -1647,6 +1658,71 @@ static void close_files (void)
#endif /* ENABLE_SUBIDS */
}
+/*
+ * close_group_files - close all of the files that were opened
+ *
+ * close_group_files() closes all of the files that were opened related
+ * with groups. This causes any modified entries to be written out.
+ */
+static void close_group_files (void)
+{
+ if (do_grp_update) {
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_close () == 0)) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif /* SHADOWGRP */
+ }
+}
+
+/*
+ * unlock_group_files - unlock all of the files that were locked
+ *
+ * unlock_group_files() unlocks all of the files that were locked related
+ * with groups. This causes any modified entries to be written out.
+ */
+static void unlock_group_files (void)
+{
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "unlocking-group-file",
+ user_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_FAILURE);
+#endif /* WITH_AUDIT */
+ /* continue */
+ }
+ gr_locked = false;
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "unlocking-gshadow-file",
+ user_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_FAILURE);
+#endif /* WITH_AUDIT */
+ /* continue */
+ }
+ sgr_locked = false;
+ }
+#endif /* SHADOWGRP */
+}
+
/*
* open_files - lock and open the password files
*
@@ -1668,37 +1744,8 @@ static void open_files (void)
/* shadow file will be opened by open_shadow(); */
- /*
- * Lock and open the group file.
- */
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (sgr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
+ open_group_files ();
+
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
@@ -1733,6 +1780,39 @@ static void open_files (void)
#endif /* ENABLE_SUBIDS */
}
+static void open_group_files (void)
+{
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (sgr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif /* SHADOWGRP */
+}
+
static void open_shadow (void)
{
if (!is_shadow_pwd) {
--
2.25.4

View File

@ -1,44 +0,0 @@
diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
--- shadow-4.6/man/usermod.8.xml.chgrp-guard 2018-11-06 09:08:54.170095358 +0100
+++ shadow-4.6/man/usermod.8.xml 2018-12-18 15:24:12.283181180 +0100
@@ -195,6 +195,12 @@
The group ownership of files outside of the user's home directory
must be fixed manually.
</para>
+ <para>
+ The change of the group ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -372,6 +378,12 @@
must be fixed manually.
</para>
<para>
+ The change of the user ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
+ <para>
No checks will be performed with regard to the
<option>UID_MIN</option>, <option>UID_MAX</option>,
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.chgrp-guard 2018-12-18 15:24:12.286181249 +0100
+++ shadow-4.6/src/usermod.c 2018-12-18 15:26:51.227841435 +0100
@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
}
if (!mflg && (uflg || gflg)) {
- if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
+ struct stat sb;
+
+ if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
/*
* Change the UID on all of the files owned by
* `user_id' to `user_newid' in the user's home

View File

@ -1,223 +0,0 @@
diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200
+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200
@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
char* lock = NULL;
size_t lock_file_len;
size_t file_len;
- int err;
+ int err = 0;
if (db->locked) {
return 1;
@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
file = (char*)malloc(file_len);
if(file == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
lock = (char*)malloc(lock_file_len);
if(lock == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
snprintf (file, file_len, "%s.%lu",
diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200
@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
static bool is_listed (const char *cfgin, const char *tty, bool def)
{
FILE *fp;
- char buf[200], *s;
+ char buf[1024], *s;
const char *cons;
/*
@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
if (*cons != '/') {
char *pbuf;
- strcpy (buf, cons);
+ strncpy (buf, cons, sizeof (buf));
+ buf[sizeof (buf) - 1] = '\0';
pbuf = &buf[0];
while ((s = strtok (pbuf, ":")) != NULL) {
if (strcmp (s, tty) == 0) {
diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200
@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
do {
wpid = waitpid (pid, status, 0);
} while ( ((pid_t)-1 == wpid && errno == EINTR)
- || (wpid != pid));
+ || ((pid_t)-1 != wpid && wpid != pid));
if ((pid_t)-1 == wpid) {
fprintf (stderr, "%s: waitpid (status: %d): %s\n",
diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200
+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200
@@ -314,7 +314,7 @@ static void fail_exit (int code)
static void get_defaults (void)
{
FILE *fp;
- char* default_file = USER_DEFAULTS_FILE;
+ char *default_file = USER_DEFAULTS_FILE;
char buf[1024];
char *cp;
@@ -324,6 +324,8 @@ static void get_defaults (void)
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL)
+ return;
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -334,7 +336,7 @@ static void get_defaults (void)
fp = fopen (default_file, "r");
if (NULL == fp) {
- return;
+ goto getdef_err;
}
/*
@@ -445,7 +447,7 @@ static void get_defaults (void)
}
}
(void) fclose (fp);
-
+ getdef_err:
if(prefix[0]) {
free(default_file);
}
@@ -480,8 +482,8 @@ static int set_defaults (void)
FILE *ifp;
FILE *ofp;
char buf[1024];
- char* new_file = NEW_USER_FILE;
- char* default_file = USER_DEFAULTS_FILE;
+ char *new_file = NULL;
+ char *default_file = USER_DEFAULTS_FILE;
char *cp;
int ofd;
int wlen;
@@ -492,17 +494,30 @@ static int set_defaults (void)
bool out_shell = false;
bool out_skel = false;
bool out_create_mail_spool = false;
+ size_t len;
+ int ret = -1;
- if(prefix[0]) {
- size_t len;
- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
- new_file = malloc(len);
- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
- assert (wlen == (int) len -1);
+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
+ new_file = malloc(len);
+ if (new_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ return -1;
+ }
+ wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
+ assert (wlen <= (int) len -1);
+ if(prefix[0]) {
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ goto setdef_err;
+ }
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -515,7 +530,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot create new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
ofp = fdopen (ofd, "w");
@@ -523,7 +538,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot open new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
/*
@@ -550,7 +565,7 @@ static int set_defaults (void)
_("%s: line too long in %s: %s..."),
Prog, default_file, buf);
(void) fclose (ifp);
- return -1;
+ goto setdef_err;
}
}
@@ -614,7 +629,7 @@ static int set_defaults (void)
|| (fsync (fileno (ofp)) != 0)
|| (fclose (ofp) != 0)) {
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -629,7 +644,7 @@ static int set_defaults (void)
_("%s: Cannot create backup file (%s): %s\n"),
Prog, buf, strerror (err));
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -640,11 +655,11 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: rename: %s: %s\n"),
Prog, new_file, strerror (err));
- return -1;
+ goto setdef_err;
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USYS_CONFIG, Prog,
- "changing-useradd-defaults",
+ "changing useradd defaults",
NULL, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
@@ -654,13 +669,14 @@ static int set_defaults (void)
(unsigned int) def_group, def_home, def_shell,
def_inactive, def_expire, def_template,
def_create_mail_spool));
-
+ ret = 0;
+ setdef_err:
+ free(new_file);
if(prefix[0]) {
- free(new_file);
free(default_file);
}
- return 0;
+ return ret;
}
/*

View File

@ -1,21 +0,0 @@
diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
}
return 0;
error:
- if (security_getenforce () != 0) {
+ if (security_getenforce () > 0) {
return 1;
}
return 0;
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
selinux_checked = true;
}
if (selinux_enabled) {
- if (setfscreatecon (NULL) != 0) {
+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
return 1;
}
}

View File

@ -1,201 +0,0 @@
From a847899b521b0df0665e442845bcff23407d9ea0 Mon Sep 17 00:00:00 2001
From: Duncan Overbruck <mail@duncano.de>
Date: Sat, 11 Jan 2020 22:19:37 +0100
Subject: [PATCH] add new HOME_MODE login.defs(5) option
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.
There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.
A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
---
etc/login.defs | 7 ++++++-
lib/getdef.c | 1 +
man/login.defs.5.xml | 4 ++++
man/login.defs.d/UMASK.xml | 3 ++-
src/newusers.c | 6 +++---
src/useradd.c | 5 +++--
6 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/etc/login.defs b/etc/login.defs
index cd2597dc..a2f8cd50 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -195,12 +195,17 @@ KILLCHAR 025
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
+# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+HOME_MODE 0700
+
#
# Password aging controls:
#
diff --git a/lib/getdef.c b/lib/getdef.c
index bbb273f4..00f6abfe 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
+ {"HOME_MODE", NULL},
{"HUSHLOGIN_FILE", NULL},
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
index ebf60ba3..9e95da20 100644
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@@ -50,6 +50,7 @@
<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
@@ -185,6 +186,7 @@
&FAKE_SHELL;
&FTMP_FILE;
&GID_MAX; <!-- documents also GID_MIN -->
+ &HOME_MODE;
&HUSHLOGIN_FILE;
&ISSUE_FILE;
&KILLCHAR;
@@ -401,6 +403,7 @@
ENCRYPT_METHOD
GID_MAX GID_MIN
MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+ HOME_MODE
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
@@ -481,6 +484,7 @@
<para>
CREATE_HOME
GID_MAX GID_MIN
+ HOME_MODE
MAIL_DIR MAX_MEMBERS_PER_GROUP
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
new file mode 100644
index 00000000..21aa55f7
--- /dev/null
+++ b/man/login.defs.d/HOME_MODE.xml
@@ -0,0 +1,43 @@
+<!--
+ Copyright (c) 1991 - 1993, Julianne Frances Haugh
+ Copyright (c) 1991 - 1993, Chip Rosenthal
+ Copyright (c) 2007 - 2009, Nicolas François
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+ <term><option>HOME_MODE</option> (number)</term>
+ <listitem>
+ <para>
+ The mode for new home directories. If not specified,
+ the <option>UMASK</option> is used to create the mode.
+ </para>
+ <para>
+ <command>useradd</command> and <command>newusers</command> use this
+ to set the mode of the home directory they create.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/UMASK.xml b/man/login.defs.d/UMASK.xml
index d7b71a5e..0f061dbb 100644
--- a/man/login.defs.d/UMASK.xml
+++ b/man/login.defs.d/UMASK.xml
@@ -37,7 +37,8 @@
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
- mask to set the mode of the home directory they create
+ mask to set the mode of the home directory they create if
+ <option>HOME_MODE</option> is not set.
</para>
<para condition="no_pam">
It is also used by <command>login</command> to define users' initial
diff --git a/src/newusers.c b/src/newusers.c
index 99c69f78..e9fe0e27 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
if ( ('\0' != fields[5][0])
&& (access (newpw.pw_dir, F_OK) != 0)) {
/* FIXME: should check for directory */
- mode_t msk = 0777 & ~getdef_num ("UMASK",
- GETDEF_DEFAULT_UMASK);
- if (mkdir (newpw.pw_dir, msk) != 0) {
+ mode_t mode = getdef_num ("HOME_MODE",
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ if (mkdir (newpw.pw_dir, mode) != 0) {
fprintf (stderr,
_("%s: line %d: mkdir %s failed: %s\n"),
Prog, line, newpw.pw_dir,
diff --git a/src/useradd.c b/src/useradd.c
index 4af0f7c6..8b453e3c 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2152,8 +2152,9 @@ static void create_home (void)
fail_exit (E_HOMEDIR);
}
(void) chown (prefix_user_home, user_id, user_gid);
- chmod (prefix_user_home,
- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ mode_t mode = getdef_num ("HOME_MODE",
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ chmod (prefix_user_home, mode);
home_added = true;
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_MGMT, Prog,
--
2.25.2

View File

@ -1,11 +0,0 @@
diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
{"MAIL_DIR", NULL},

View File

@ -1,28 +0,0 @@
From 77e39de1e6cbd6925f16bb260abb7d216296886b Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Tue, 4 May 2021 09:21:11 -0500
Subject: [PATCH] Install subid.h
Now subid.h gets installed under /usr/include/shadow/subid.h
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index f543b5eb..189165b0 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -3,6 +3,8 @@ libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
libsubid_la_SOURCES = api.c
+pkginclude_HEADERS = subid.h
+
MISCLIBS = \
$(LIBAUDIT) \
$(LIBSELINUX) \
--
2.31.1

File diff suppressed because it is too large Load Diff

View File

@ -1,151 +0,0 @@
diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.772741048 +0200
+++ shadow-4.8.1/lib/nss.c 2021-05-25 09:37:14.782741188 +0200
@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
subid_nss = NULL;
goto done;
}
- subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
- if (!subid_nss->has_any_range) {
- fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
- dlclose(h);
- free(subid_nss);
- subid_nss = NULL;
- goto done;
- }
subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
if (!subid_nss->find_subid_owners) {
fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/prototypes.h 2021-05-25 09:37:14.782741188 +0200
@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
struct subid_nss_ops {
/*
- * nss_has_any_range: does a user own any subid range
- *
- * @owner: username
- * @idtype: subuid or subgid
- * @result: true if a subid allocation was found for @owner
- *
- * returns success if the module was able to determine an answer (true or false),
- * else an error status.
- */
- enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
-
- /*
* nss_has_range: does a user own a given subid range
*
* @owner: username
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-25 09:37:14.782741188 +0200
@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
return commonio_open (&subordinate_uid_db, mode);
}
-bool sub_uid_assigned(const char *owner)
+bool local_sub_uid_assigned(const char *owner)
{
- struct subid_nss_ops *h;
- bool found;
- enum subid_status status;
- h = get_subid_nss_handle();
- if (h) {
- status = h->has_any_range(owner, ID_TYPE_UID, &found);
- if (status == SUBID_STATUS_SUCCESS && found)
- return true;
- return false;
- }
-
return range_exists (&subordinate_uid_db, owner);
}
@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
return have_range(&subordinate_gid_db, owner, start, count);
}
-bool sub_gid_assigned(const char *owner)
+bool local_sub_gid_assigned(const char *owner)
{
- struct subid_nss_ops *h;
- bool found;
- enum subid_status status;
- h = get_subid_nss_handle();
- if (h) {
- status = h->has_any_range(owner, ID_TYPE_GID, &found);
- if (status == SUBID_STATUS_SUCCESS && found)
- return true;
- return false;
- }
return range_exists (&subordinate_gid_db, owner);
}
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-25 09:37:14.782741188 +0200
@@ -16,7 +16,7 @@
extern int sub_uid_close(void);
extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
extern bool sub_uid_file_present (void);
-extern bool sub_uid_assigned(const char *owner);
+extern bool local_sub_uid_assigned(const char *owner);
extern int sub_uid_lock (void);
extern int sub_uid_setdbname (const char *filename);
extern /*@observer@*/const char *sub_uid_dbname (void);
@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
extern int sub_gid_close(void);
extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
extern bool sub_gid_file_present (void);
-extern bool sub_gid_assigned(const char *owner);
+extern bool local_sub_gid_assigned(const char *owner);
extern int sub_gid_lock (void);
extern int sub_gid_setdbname (const char *filename);
extern /*@observer@*/const char *sub_gid_dbname (void);
diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.776741104 +0200
+++ shadow-4.8.1/src/newusers.c 2021-05-25 09:37:25.955897160 +0200
@@ -1021,6 +1021,24 @@ static void close_files (void)
#endif /* ENABLE_SUBIDS */
}
+static bool want_subuids(void)
+{
+ if (get_subid_nss_handle() != NULL)
+ return false;
+ if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
+ return false;
+ return true;
+}
+
+static bool want_subgids(void)
+{
+ if (get_subid_nss_handle() != NULL)
+ return false;
+ if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
+ return false;
+ return true;
+}
+
int main (int argc, char **argv)
{
char buf[BUFSIZ];
@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
/*
* Add subordinate uids if the user does not have them.
*/
- if (is_sub_uid && !sub_uid_assigned(fields[0])) {
+ if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
uid_t sub_uid_start = 0;
unsigned long sub_uid_count = 0;
if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
/*
* Add subordinate gids if the user does not have them.
*/
- if (is_sub_gid && !sub_gid_assigned(fields[0])) {
+ if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
gid_t sub_gid_start = 0;
unsigned long sub_gid_count = 0;
if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {

View File

@ -1,40 +0,0 @@
From b0e86b959fe5c086ffb5e7eaf3c1b1e9219411e9 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sun, 23 May 2021 08:03:10 -0500
Subject: [PATCH] libsubid_init: don't print messages on error
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/api.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index c4848142..b477b271 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -46,12 +46,10 @@ bool libsubid_init(const char *progname, FILE * logfd)
{
if (progname) {
progname = strdup(progname);
- if (progname) {
+ if (progname)
Prog = progname;
- } else {
- fprintf(stderr, "Out of memory");
+ else
return false;
- }
}
if (logfd) {
@@ -60,7 +58,6 @@ bool libsubid_init(const char *progname, FILE * logfd)
}
shadow_logfd = fopen("/dev/null", "w");
if (!shadow_logfd) {
- fprintf(stderr, "ERROR opening /dev/null for error messages. Using stderr.");
shadow_logfd = stderr;
return false;
}
--
2.30.2

View File

@ -1,37 +0,0 @@
From e34f49c1966fcaa9390a544a0136ec189a3c870e Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Mon, 17 May 2021 08:48:03 -0500
Subject: [PATCH] libsubid_init: return false if out of memory
The rest of the run isn't likely to get much better, is it?
Thanks to Alexey for pointing this out.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Cc: Alexey Tikhonov <atikhono@redhat.com>
---
libsubid/api.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index 8ca09859..8618e500 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -46,10 +46,12 @@ bool libsubid_init(const char *progname, FILE * logfd)
{
if (progname) {
progname = strdup(progname);
- if (progname)
+ if (progname) {
Prog = progname;
- else
+ } else {
fprintf(stderr, "Out of memory");
+ return false;
+ }
}
if (logfd) {
--
2.30.2

View File

@ -1,41 +0,0 @@
From 1d767fb779d7b203ad609540d1dc605cf62d1050 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Fri, 28 May 2021 22:02:16 -0500
Subject: [PATCH] libsubid/api.c: make shadow_logfd not extern
Closes #346
Also #include stdio.h
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
libsubid/api.c | 2 +-
libsubid/subid.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index b477b271..a7b904d0 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -40,7 +40,7 @@
#include "subid.h"
const char *Prog = "(libsubid)";
-extern FILE * shadow_logfd;
+FILE *shadow_logfd;
bool libsubid_init(const char *progname, FILE * logfd)
{
diff --git a/libsubid/subid.h b/libsubid/subid.h
index 5fef2572..eabafe4d 100644
--- a/libsubid/subid.h
+++ b/libsubid/subid.h
@@ -1,4 +1,5 @@
#include <sys/types.h>
+#include <stdio.h>
#include <stdbool.h>
#ifndef SUBID_RANGE_DEFINED
--
2.31.1

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,264 +0,0 @@
diff -up shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable shadow-4.8.1/configure.ac
--- shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.165917066 +0200
+++ shadow-4.8.1/configure.ac 2021-05-24 15:02:56.184917324 +0200
@@ -1,6 +1,6 @@
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ([2.69])
-m4_define([libsubid_abi_major], 2)
+m4_define([libsubid_abi_major], 3)
m4_define([libsubid_abi_minor], 0)
m4_define([libsubid_abi_micro], 0)
m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/prototypes.h
--- shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.184917324 +0200
+++ shadow-4.8.1/lib/prototypes.h 2021-05-24 16:38:57.610619467 +0200
@@ -309,16 +309,15 @@ struct subid_nss_ops {
*
* @owner - string representing username being queried
* @id_type - subuid or subgid
- * @ranges - pointer to an array of struct subordinate_range pointers, or
- * NULL. The returned array of struct subordinate_range and its
- * members must be freed by the caller.
+ * @ranges - pointer to an array of struct subid_range, or NULL. The
+ * returned array must be freed by the caller.
* @count - pointer to an integer into which the number of returned ranges
* is written.
* returns success if the module was able to determine an answer,
* else an error status.
*/
- enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
+ enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
/*
* nss_find_subid_owners: find uids who own a given subuid or subgid.
diff -up shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/api.c
--- shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
+++ shadow-4.8.1/libsubid/api.c 2021-05-24 16:42:32.091584531 +0200
@@ -68,26 +68,21 @@ bool libsubid_init(const char *progname,
}
static
-int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
+int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
{
return list_owner_ranges(owner, id_type, ranges);
}
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)
+int get_subuid_ranges(const char *owner, struct subid_range **ranges)
{
return get_subid_ranges(owner, ID_TYPE_UID, ranges);
}
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)
+int get_subgid_ranges(const char *owner, struct subid_range **ranges)
{
return get_subid_ranges(owner, ID_TYPE_GID, ranges);
}
-void subid_free_ranges(struct subordinate_range **ranges, int count)
-{
- return free_subordinate_ranges(ranges, count);
-}
-
static
int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
{
diff -up shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/subid.h
--- shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
+++ shadow-4.8.1/libsubid/subid.h 2021-05-24 16:43:49.697657383 +0200
@@ -3,6 +3,15 @@
#ifndef SUBID_RANGE_DEFINED
#define SUBID_RANGE_DEFINED 1
+
+/* subid_range is just a starting point and size of a range */
+struct subid_range {
+ unsigned long start;
+ unsigned long count;
+};
+
+/* subordinage_range is a subid_range plus an owner, representing
+ * a range in /etc/subuid or /etc/subgid */
struct subordinate_range {
const char *owner;
unsigned long start;
@@ -41,32 +50,27 @@ bool libsubid_init(const char *progname,
* get_subuid_ranges: return a list of UID ranges for a user
*
* @owner: username being queried
- * @ranges: a pointer to a subordinate range ** in which the result will be
- * returned.
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ * will be returned.
+ *
+ * The caller must free(ranges) when done.
*
* returns: number of ranges found, ir < 0 on error.
*/
-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);
+int get_subuid_ranges(const char *owner, struct subid_range **ranges);
/*
* get_subgid_ranges: return a list of GID ranges for a user
*
* @owner: username being queried
- * @ranges: a pointer to a subordinate range ** in which the result will be
- * returned.
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ * will be returned.
*
- * returns: number of ranges found, ir < 0 on error.
- */
-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);
-
-/*
- * subid_free_ranges: free an array of subordinate_ranges returned by either
- * get_subuid_ranges() or get_subgid_ranges().
+ * The caller must free(ranges) when done.
*
- * @ranges: the ranges to free
- * @count: the number of ranges in @ranges
+ * returns: number of ranges found, ir < 0 on error.
*/
-void subid_free_ranges(struct subordinate_range **ranges, int count);
+int get_subgid_ranges(const char *owner, struct subid_range **ranges);
/*
* get_subuid_owners: return a list of uids to which the given uid has been
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid-simplify shadow-4.8.1/lib/subordinateio.c
--- shadow-4.8.1/lib/subordinateio.c.libsubid-simplify 2021-05-24 17:27:38.721035241 +0200
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-24 17:28:06.481420946 +0200
@@ -11,6 +11,7 @@
#include <stdio.h>
#include "commonio.h"
#include "subordinateio.h"
+#include "../libsubid/subid.h"
#include <sys/types.h>
#include <pwd.h>
#include <ctype.h>
@@ -308,25 +309,21 @@ static bool have_range(struct commonio_d
return false;
}
-static bool append_range(struct subordinate_range ***ranges, const struct subordinate_range *new, int n)
+static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
{
- struct subordinate_range *tmp;
if (!*ranges) {
- *ranges = malloc(sizeof(struct subordinate_range *));
+ *ranges = malloc(sizeof(struct subid_range));
if (!*ranges)
return false;
} else {
- struct subordinate_range **new;
- new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));
- if (!new)
+ struct subid_range *alloced;
+ alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
+ if (!alloced)
return false;
- *ranges = new;
+ *ranges = alloced;
}
- (*ranges)[n] = NULL;
- tmp = subordinate_dup(new);
- if (!tmp)
- return false;
- (*ranges)[n] = tmp;
+ (*ranges)[n].start = new->start;
+ (*ranges)[n].count = new->count;
return true;
}
@@ -785,10 +782,10 @@ gid_t sub_gid_find_free_range(gid_t min,
*
* The caller must free the subordinate range list.
*/
-int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***in_ranges)
+int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
{
// TODO - need to handle owner being either uid or username
- struct subordinate_range **ranges = NULL;
+ struct subid_range *ranges = NULL;
const struct subordinate_range *range;
struct commonio_db *db;
enum subid_status status;
@@ -826,7 +823,7 @@ int list_owner_ranges(const char *owner,
while ((range = commonio_next(db)) != NULL) {
if (0 == strcmp(range->owner, owner)) {
if (!append_range(&ranges, range, count++)) {
- free_subordinate_ranges(ranges, count-1);
+ free(ranges);
ranges = NULL;
count = -1;
goto out;
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/subordinateio.h
--- shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.467989079 +0200
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-24 16:40:56.978269647 +0200
@@ -25,7 +25,7 @@ extern int sub_uid_unlock (void);
extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
-extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges);
+extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
diff -up shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable shadow-4.8.1/src/list_subid_ranges.c
--- shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable 2021-05-24 15:03:01.468989093 +0200
+++ shadow-4.8.1/src/list_subid_ranges.c 2021-05-24 16:45:10.884779740 +0200
@@ -17,27 +17,29 @@ void usage(void)
int main(int argc, char *argv[])
{
int i, count=0;
- struct subordinate_range **ranges;
+ struct subid_range *ranges;
+ const char *owner;
Prog = Basename (argv[0]);
shadow_logfd = stderr;
- if (argc < 2) {
+ if (argc < 2)
usage();
- }
- if (argc == 3 && strcmp(argv[1], "-g") == 0)
- count = get_subgid_ranges(argv[2], &ranges);
- else if (argc == 2 && strcmp(argv[1], "-h") == 0)
+ owner = argv[1];
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
+ owner = argv[2];
+ count = get_subgid_ranges(owner, &ranges);
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
usage();
- else
- count = get_subuid_ranges(argv[1], &ranges);
+ } else {
+ count = get_subuid_ranges(owner, &ranges);
+ }
if (!ranges) {
fprintf(stderr, "Error fetching ranges\n");
exit(1);
}
for (i = 0; i < count; i++) {
- printf("%d: %s %lu %lu\n", i, ranges[i]->owner,
- ranges[i]->start, ranges[i]->count);
+ printf("%d: %s %lu %lu\n", i, owner,
+ ranges[i].start, ranges[i].count);
}
- subid_free_ranges(ranges, count);
return 0;
}
diff -up shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c
--- shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable 2021-05-24 15:02:56.166917079 +0200
+++ shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c 2021-05-24 15:03:01.469989106 +0200
@@ -113,7 +113,7 @@ enum subid_status shadow_subid_list_owne
if (strcmp(owner, "conn") == 0)
return SUBID_STATUS_ERROR_CONN;
- *ranges = NULL;
+ *in_ranges = NULL;
if (strcmp(owner, "user1") != 0 && strcmp(owner, "ubuntu") != 0 &&
strcmp(owner, "group1") != 0)
return SUBID_STATUS_SUCCESS;

View File

@ -1,44 +0,0 @@
From 186b1b7ac1a68d0fcc618a22da1a99232b420911 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Tue, 4 May 2021 14:39:26 -0500
Subject: [PATCH] manpages: mention NSS in new[ug]idmap manpages
Closes #328
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
man/newgidmap.1.xml | 3 ++-
man/newuidmap.1.xml | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
index 71b03e56..76fc1e30 100644
--- a/man/newgidmap.1.xml
+++ b/man/newgidmap.1.xml
@@ -88,7 +88,8 @@
<title>DESCRIPTION</title>
<para>
The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed in <filename>/etc/subgid</filename>.
+ command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
+ through the configured NSS subid module).
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subgid</filename> entry.
</para>
diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
index a6f1f085..44eca50a 100644
--- a/man/newuidmap.1.xml
+++ b/man/newuidmap.1.xml
@@ -88,7 +88,8 @@
<title>DESCRIPTION</title>
<para>
The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed in <filename>/etc/subuid</filename>.
+ command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
+ through the configured NSS subid module).
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
--
2.30.2

View File

@ -1,166 +0,0 @@
diff -up shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newgidmap.1.xml
--- shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
+++ shadow-4.6/man/newgidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
@@ -80,10 +80,15 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
- command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
- through the configured NSS subid module).
- Note that the root user is not exempted from the requirement for a valid
+ The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
+ based on its command line arguments and the gids allowed. Subgid
+ delegation can either be managed via <filename>/etc/subgid</filename>
+ or through the configured NSS subid module. These options are mutually
+ exclusive.
+ </para>
+
+ <para>
+ Note that the root group is not exempted from the requirement for a valid
<filename>/etc/subgid</filename> entry.
</para>
diff -up shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newuidmap.1.xml
--- shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation 2021-11-03 09:58:34.176484342 +0100
+++ shadow-4.6/man/newuidmap.1.xml 2021-11-03 09:58:34.191484452 +0100
@@ -80,9 +80,14 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
- command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
- through the configured NSS subid module).
+ The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
+ based on its command line arguments and the uids allowed. Subuid
+ delegation can either be managed via <filename>/etc/subuid</filename> or
+ through the configured NSS subid module. These options are mutually
+ exclusive.
+ </para>
+
+ <para>
Note that the root user is not exempted from the requirement for a valid
<filename>/etc/subuid</filename> entry.
</para>
diff -up shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subgid.5.xml
--- shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/subgid.5.xml 2021-11-03 09:59:55.752084920 +0100
@@ -32,6 +32,18 @@
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subgid.5'>
+ <refentryinfo>
+ <author>
+ <firstname>Eric</firstname>
+ <surname>Biederman</surname>
+ <contrib>Creation, 2013</contrib>
+ </author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
+ </refentryinfo>
<refmeta>
<refentrytitle>subgid</refentrytitle>
<manvolnum>5</manvolnum>
@@ -41,12 +53,37 @@
</refmeta>
<refnamediv id='name'>
<refname>subgid</refname>
- <refpurpose>the subordinate gid file</refpurpose>
+ <refpurpose>the configuration for subordinate group ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ Subgid authorizes a group id to map ranges of group ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate gids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of gids to
+ <filename>/etc/subgid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate gid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>groupadd</command> will only create entries in
+ <filename>/etc/subgid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
+ <para>
Each line in <filename>/etc/subgid</filename> contains
a user name and a range of subordinate group ids that user
is allowed to use.
diff -up shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subuid.5.xml
--- shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/subuid.5.xml 2021-11-03 10:00:18.888255255 +0100
@@ -32,6 +32,18 @@
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='subuid.5'>
+ <refentryinfo>
+ <author>
+ <firstname>Eric</firstname>
+ <surname>Biederman</surname>
+ <contrib>Creation, 2013</contrib>
+ </author>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Developer, 2021</contrib>
+ </author>
+ </refentryinfo>
<refmeta>
<refentrytitle>subuid</refentrytitle>
<manvolnum>5</manvolnum>
@@ -41,12 +53,37 @@
</refmeta>
<refnamediv id='name'>
<refname>subuid</refname>
- <refpurpose>the subordinate uid file</refpurpose>
+ <refpurpose>the configuration for subordinate user ids</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ Subuid authorizes a user id to map ranges of user ids from its namespace
+ into child namespaces.
+ </para>
+ <para>
+ The delegation of the subordinate uids can be configured via the
+ <replaceable>subid</replaceable> field in
+ <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
+ as the delegation source. Setting this field to
+ <replaceable>files</replaceable> configures the delegation of uids to
+ <filename>/etc/subuid</filename>. Setting any other value treats
+ the delegation as a plugin following with a name of the form
+ <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
+ missing, then the subordinate uid delegation falls back to
+ <replaceable>files</replaceable>.
+ </para>
+ <para>
+ Note, that <command>useradd</command> will only create entries in
+ <filename>/etc/subuid</filename> if subid delegation is managed via subid
+ files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='local-subordinate-delegation'>
+ <title>LOCAL SUBORDINATE DELEGATION</title>
+ <para>
Each line in <filename>/etc/subuid</filename> contains
a user name and a range of subordinate user ids that user
is allowed to use.

View File

@ -1,349 +0,0 @@
diff -up shadow-4.6/man/groupmems.8.xml.manfix shadow-4.6/man/groupmems.8.xml
--- shadow-4.6/man/groupmems.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/groupmems.8.xml 2020-10-23 13:15:24.105387634 +0200
@@ -179,20 +179,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2770</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2770 groupmems
- $ chown root.groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.6/man/chage.1.xml.manfix shadow-4.6/man/chage.1.xml
--- shadow-4.6/man/chage.1.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/chage.1.xml 2020-10-23 13:15:24.105387634 +0200
@@ -102,6 +102,9 @@
Set the number of days since January 1st, 1970 when the password
was last changed. The date may also be expressed in the format
YYYY-MM-DD (or the format more commonly used in your area).
+ If the <replaceable>LAST_DAY</replaceable> is set to
+ <emphasis>0</emphasis> the user is forced to change his password
+ on the next log on.
</para>
</listitem>
</varlistentry>
@@ -119,6 +122,13 @@
system again.
</para>
<para>
+ For example the following can be used to set an account to expire
+ in 180 days:
+ </para>
+ <programlisting>
+ chage -E $(date -d +180days +%Y-%m-%d)
+ </programlisting>
+ <para>
Passing the number <emphasis remap='I'>-1</emphasis> as the
<replaceable>EXPIRE_DATE</replaceable> will remove an account
expiration date.
@@ -233,6 +243,18 @@
The <command>chage</command> program requires a shadow password file to
be available.
</para>
+ <para>
+ The chage program will report only the information from the shadow
+ password file. This implies that configuration from other sources
+ (e.g. LDAP or empty password hash field from the passwd file) that
+ affect the user's login will not be shown in the chage output.
+ </para>
+ <para>
+ The <command>chage</command> program will also not report any
+ inconsistency between the shadow and passwd files (e.g. missing x in
+ the passwd file). The <command>pwck</command> can be used to check
+ for this kind of inconsistencies.
+ </para>
<para>The <command>chage</command> command is restricted to the root
user, except for the <option>-l</option> option, which may be used by
an unprivileged user to determine when their password or account is due
diff -up shadow-4.6/man/ja/man5/login.defs.5.manfix shadow-4.6/man/ja/man5/login.defs.5
--- shadow-4.6/man/ja/man5/login.defs.5.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/ja/man5/login.defs.5 2020-10-23 13:15:24.106387639 +0200
@@ -147,10 +147,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。
.na
-.IP chfn 12
-CHFN_AUTH CHFN_RESTRICT
-.IP chsh 12
-CHFN_AUTH
.IP groupadd 12
GID_MAX GID_MIN
.IP newusers 12
diff -up shadow-4.6/man/login.defs.5.xml.manfix shadow-4.6/man/login.defs.5.xml
--- shadow-4.6/man/login.defs.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/login.defs.5.xml 2020-10-23 13:15:43.280475188 +0200
@@ -162,6 +162,27 @@
long numeric parameters is machine-dependent.
</para>
+ <para>
+ Please note that the parameters in this configuration file control the
+ behavior of the tools from the shadow-utils component. None of these
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
+ passwd command) should be configured elsewhere. The only values that
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
+ pam(8) for more information.
+ </para>
+
+ <para>
+ Please also take into account that this man page is generic and some of
+ the options may be unsupported by currently installed tools. In case of
+ doubt check <xref linkend="cross_references"/> and
+ <xref linkend="see_also"/>. For example see
+ <citerefentry><refentrytitle>login</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry> for login specific options such
+ as <emphasis>LOGIN_STRING</emphasis>.
+ </para>
+
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
@@ -252,16 +273,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>chfn</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
- CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>chgpasswd</term>
<listitem>
<para>
@@ -282,14 +293,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry condition="no_pam">
- <term>chsh</term>
- <listitem>
- <para>
- CHSH_AUTH LOGIN_STRING
- </para>
- </listitem>
- </varlistentry>
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables -->
<varlistentry>
@@ -350,34 +353,6 @@
</varlistentry>
<!-- id: no variables -->
<!-- lastlog: no variables -->
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
<!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
@@ -405,17 +380,6 @@
</listitem>
</varlistentry>
<!-- nologin: no variables -->
- <varlistentry condition="no_pam">
- <term>passwd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>pwck</term>
<listitem>
@@ -442,32 +406,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>
diff -up shadow-4.6/man/shadow.5.xml.manfix shadow-4.6/man/shadow.5.xml
--- shadow-4.6/man/shadow.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/shadow.5.xml 2020-10-23 13:15:24.106387639 +0200
@@ -129,7 +129,7 @@
<listitem>
<para>
The date of the last password change, expressed as the number
- of days since Jan 1, 1970.
+ of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
The value 0 has a special meaning, which is that the user
@@ -208,8 +208,8 @@
</para>
<para>
After expiration of the password and this expiration period is
- elapsed, no login is possible using the current user's
- password. The user should contact her administrator.
+ elapsed, no login is possible for the user.
+ The user should contact her administrator.
</para>
<para>
An empty field means that there are no enforcement of an
@@ -224,7 +224,7 @@
<listitem>
<para>
The date of expiration of the account, expressed as the number
- of days since Jan 1, 1970.
+ of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
Note that an account expiration differs from a password
diff -up shadow-4.6/man/useradd.8.xml.manfix shadow-4.6/man/useradd.8.xml
--- shadow-4.6/man/useradd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200
+++ shadow-4.6/man/useradd.8.xml 2020-10-23 13:15:24.106387639 +0200
@@ -347,6 +347,11 @@
<option>CREATE_HOME</option> is not enabled, no home
directories are created.
</para>
+ <para>
+ The directory where the user's home directory is created must
+ exist and have proper SELinux context and permissions. Otherwise
+ the user's home directory cannot be created or accessed.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
diff -up shadow-4.6/man/usermod.8.xml.manfix shadow-4.6/man/usermod.8.xml
--- shadow-4.6/man/usermod.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/usermod.8.xml 2020-10-23 13:15:24.106387639 +0200
@@ -132,7 +132,8 @@
If the <option>-m</option>
option is given, the contents of the current home directory will
be moved to the new home directory, which is created if it does
- not already exist.
+ not already exist. If the current home directory does not exist
+ the new home directory will not be created.
</para>
</listitem>
</varlistentry>
@@ -256,7 +257,8 @@
<listitem>
<para>
Move the content of the user's home directory to the new
- location.
+ location. If the current home directory does not exist
+ the new home directory will not be created.
</para>
<para>
This option is only valid in combination with the
diff -up shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml
--- shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200
@@ -42,7 +42,7 @@
<para>
The default values for <option>SUB_GID_MIN</option>,
<option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
- are respectively 100000, 600100000 and 10000.
+ are respectively 100000, 600100000 and 65536.
</para>
</listitem>
</varlistentry>
diff -up shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml
--- shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200
@@ -42,7 +42,7 @@
<para>
The default values for <option>SUB_UID_MIN</option>,
<option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
- are respectively 100000, 600100000 and 10000.
+ are respectively 100000, 600100000 and 65536.
</para>
</listitem>
</varlistentry>
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
--- shadow-4.6/man/groupadd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200
+++ shadow-4.6/man/groupadd.8.xml 2020-10-23 13:15:24.106387639 +0200
@@ -322,13 +322,13 @@
<varlistentry>
<term><replaceable>4</replaceable></term>
<listitem>
- <para>GID not unique (when <option>-o</option> not used)</para>
+ <para>GID is already used (when called without <option>-o</option>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>9</replaceable></term>
<listitem>
- <para>group name not unique</para>
+ <para>group name is already used</para>
</listitem>
</varlistentry>
<varlistentry>

View File

@ -1,128 +0,0 @@
diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200
@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s-", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s+", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
*/
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
free (oldlink);
return -1;
}
@@ -684,7 +684,7 @@ static int copy_special (const char *src
int err = 0;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
return -1;
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200
@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
/* selinux.c */
#ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
extern int reset_selinux_file_context (void);
#endif
diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200
@@ -50,7 +50,7 @@ static bool selinux_enabled;
* Callers may have to Reset SELinux to create files with default
* contexts with reset_selinux_file_context
*/
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
{
/*@null@*/security_context_t scontext = NULL;
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
if (selinux_enabled) {
/* Get the default security context for this file */
if (matchpathcon (dst_name, 0, &scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
+ /* We could not get the default, copy the original */
+ if (orig_name == NULL)
+ goto error;
+ if (getfilecon (orig_name, &scontext) < 0)
+ goto error;
}
/* Set the security context for the next created file */
- if (setfscreatecon (scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
- }
+ if (setfscreatecon (scontext) < 0)
+ goto error;
freecon (scontext);
}
return 0;
+ error:
+ if (security_getenforce () != 0) {
+ return 1;
+ }
+ return 0;
}
/*
diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200
@@ -2020,7 +2020,7 @@ static void create_home (void)
{
if (access (prefix_user_home, F_OK) != 0) {
#ifdef WITH_SELINUX
- if (set_selinux_file_context (prefix_user_home) != 0) {
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
fprintf (stderr,
_("%s: cannot set SELinux context for home directory %s\n"),
Prog, user_home);

View File

@ -1,108 +0,0 @@
From fd4405b763d26649339069532e79bd45013c8c38 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 20 Jan 2020 13:58:07 +0100
Subject: [PATCH] Do not mistake a regular user process for a namespaced one
In case there is a regular user with a process running on a system
with uid falling into a namespaced uid range of another user.
The user with the colliding namespaced uid range will not be
allowed to be deleted without forcing the action with -f.
The user_busy() is adjusted to check whether the suspected process
is really a namespaced process in a different namespace.
---
libmisc/user_busy.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c
index b0867568..324bb946 100644
--- a/libmisc/user_busy.c
+++ b/libmisc/user_busy.c
@@ -39,6 +39,7 @@
#include <sys/types.h>
#include <dirent.h>
#include <fcntl.h>
+#include <unistd.h>
#include "defines.h"
#include "prototypes.h"
#ifdef ENABLE_SUBIDS
@@ -106,6 +107,31 @@ static int user_busy_utmp (const char *name)
#endif /* !__linux__ */
#ifdef __linux__
+#ifdef ENABLE_SUBIDS
+#define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
+static int different_namespace (const char *sname)
+{
+ /* 41: /proc/xxxxxxxxxx/task/xxxxxxxxxx/ns/user + \0 */
+ char path[41];
+ char buf[512], buf2[512];
+ ssize_t llen1, llen2;
+
+ snprintf (path, 41, "/proc/%s/ns/user", sname);
+
+ if ((llen1 = readlink (path, buf, sizeof(buf))) == -1)
+ return 0;
+
+ if ((llen2 = readlink ("/proc/self/ns/user", buf2, sizeof(buf2))) == -1)
+ return 0;
+
+ if (llen1 == llen2 && memcmp (buf, buf2, llen1) == 0)
+ return 0; /* same namespace */
+
+ return 1;
+}
+#endif /* ENABLE_SUBIDS */
+
+
static int check_status (const char *name, const char *sname, uid_t uid)
{
/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
@@ -114,7 +140,6 @@ static int check_status (const char *name, const char *sname, uid_t uid)
FILE *sfile;
snprintf (status, 40, "/proc/%s/status", sname);
- status[39] = '\0';
sfile = fopen (status, "r");
if (NULL == sfile) {
@@ -123,26 +148,29 @@ static int check_status (const char *name, const char *sname, uid_t uid)
while (fgets (line, sizeof (line), sfile) == line) {
if (strncmp (line, "Uid:\t", 5) == 0) {
unsigned long ruid, euid, suid;
+
assert (uid == (unsigned long) uid);
+ (void) fclose (sfile);
if (sscanf (line,
"Uid:\t%lu\t%lu\t%lu\n",
&ruid, &euid, &suid) == 3) {
if ( (ruid == (unsigned long) uid)
|| (euid == (unsigned long) uid)
- || (suid == (unsigned long) uid)
+ || (suid == (unsigned long) uid) ) {
+ return 1;
+ }
#ifdef ENABLE_SUBIDS
- || have_sub_uids(name, ruid, 1)
- || have_sub_uids(name, euid, 1)
- || have_sub_uids(name, suid, 1)
-#endif /* ENABLE_SUBIDS */
+ if ( different_namespace (sname)
+ && ( have_sub_uids(name, ruid, 1)
+ || have_sub_uids(name, euid, 1)
+ || have_sub_uids(name, suid, 1))
) {
- (void) fclose (sfile);
return 1;
}
+#endif /* ENABLE_SUBIDS */
} else {
/* Ignore errors. This is just a best effort. */
}
- (void) fclose (sfile);
return 0;
}
}
--
2.25.2

View File

@ -1,19 +0,0 @@
diff -up shadow-4.6/man/login.defs.5.xml.remove_login_string_references shadow-4.6/man/login.defs.5.xml
--- shadow-4.6/man/login.defs.5.xml.remove_login_string_references 2021-04-27 13:01:49.428338258 +0200
+++ shadow-4.6/man/login.defs.5.xml 2021-04-27 13:01:49.433338329 +0200
@@ -58,7 +58,6 @@
<!ENTITY LOG_OK_LOGINS SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
<!ENTITY LOG_UNKFAIL_ENAB SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
<!ENTITY LOGIN_RETRIES SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
-<!ENTITY LOGIN_STRING SYSTEM "login.defs.d/LOGIN_STRING.xml">
<!ENTITY LOGIN_TIMEOUT SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
<!ENTITY MAIL_CHECK_ENAB SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
<!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
@@ -214,7 +213,6 @@
&LOG_OK_LOGINS;
&LOG_UNKFAIL_ENAB;
&LOGIN_RETRIES;
- &LOGIN_STRING;
&LOGIN_TIMEOUT;
&MAIL_CHECK_ENAB;
&MAIL_DIR;

View File

@ -1,24 +0,0 @@
diff -up shadow-4.6/configure.ac.respect_enable_static_no shadow-4.6/configure.ac
--- shadow-4.6/configure.ac.respect_enable_static_no 2021-11-03 12:09:39.852829632 +0100
+++ shadow-4.6/configure.ac 2021-11-03 12:10:32.447203434 +0100
@@ -311,6 +311,8 @@ if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
if test "$with_nscd" = "yes"; then
AC_CHECK_FUNC(posix_spawn,
[AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
diff -up shadow-4.6/libsubid/Makefile.am.respect_enable_static_no shadow-4.6/libsubid/Makefile.am
--- shadow-4.6/libsubid/Makefile.am.respect_enable_static_no 2021-11-03 12:09:39.851829625 +0100
+++ shadow-4.6/libsubid/Makefile.am 2021-11-03 12:09:39.852829632 +0100
@@ -1,6 +1,8 @@
lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
libsubid_la_SOURCES = api.c
pkginclude_HEADERS = subid.h

View File

@ -1,15 +0,0 @@
diff --git a/libmisc/salt.c b/libmisc/salt.c
index c72447ea..4940d76e 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -248,6 +248,10 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
result[0] = '\0';
}
+ if (strstr(result, "rounds=") != NULL) {
+ result[3] = '\0';
+ }
+
/*
* Concatenate a pseudo random salt.
*/

View File

@ -1,115 +0,0 @@
diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200
@@ -2120,6 +2120,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory already exists.\n"
- "Not copying any file from skel directory into it.\n"),
- Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
}
#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
"adding SELinux user mapping",
user_name, (unsigned int) user_id, 0);
#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ rv = E_SE_UPDATE;
+ }
}
}
-#endif /* WITH_SELINUX */
+#endif
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory already exists.\n"
+ "Not copying any file from skel directory into it.\n"),
+ Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
- return E_SUCCESS;
+ return rv;
}

View File

@ -1,641 +0,0 @@
From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed, 12 Sep 2018 14:22:11 +0200
Subject: [PATCH] Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
passwd: sss files
group: sss files
The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.
Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.
More details about why Fedora chose to use sss before files can be found
on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.
This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
---
configure.ac | 10 +++++++
lib/Makefile.am | 2 ++
lib/commonio.c | 2 ++
lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
lib/sssd.h | 17 +++++++++++
src/chfn.c | 2 ++
src/chgpasswd.c | 2 ++
src/chpasswd.c | 2 ++
src/chsh.c | 2 ++
src/gpasswd.c | 2 ++
src/groupadd.c | 2 ++
src/groupdel.c | 2 ++
src/groupmod.c | 2 ++
src/grpck.c | 2 ++
src/grpconv.c | 2 ++
src/grpunconv.c | 2 ++
src/newusers.c | 2 ++
src/passwd.c | 2 ++
src/pwck.c | 2 ++
src/pwconv.c | 2 ++
src/pwunconv.c | 2 ++
src/useradd.c | 2 ++
src/userdel.c | 2 ++
src/usermod.c | 2 ++
src/vipw.c | 2 ++
25 files changed, 146 insertions(+)
create mode 100644 lib/sssd.c
create mode 100644 lib/sssd.h
diff --git a/configure.ac b/configure.ac
index 41068a5d..10ad70cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
AC_ARG_WITH(nscd,
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
[with_nscd=$withval], [with_nscd=yes])
+AC_ARG_WITH(sssd,
+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
+ [with_sssd=$withval], [with_sssd=yes])
AC_ARG_WITH(group-name-max-length,
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
fi
+if test "$with_sssd" = "yes"; then
+ AC_CHECK_FUNC(posix_spawn,
+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
+fi
+
dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd"
+echo " sssd support: $with_sssd"
echo " subordinate IDs support: $enable_subids"
echo
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6db86cd6..fd634542 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
lockpw.c \
nscd.c \
nscd.h \
+ sssd.c \
+ sssd.h \
pam_defs.h \
port.c \
port.h \
diff --git a/lib/commonio.c b/lib/commonio.c
index d06b8e7d..96f2d5f7 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -45,6 +45,7 @@
#include <stdio.h>
#include <signal.h>
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include <tcb.h>
#endif /* WITH_TCB */
@@ -485,6 +486,7 @@ static void dec_lock_count (void)
if (nscd_need_reload) {
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
nscd_need_reload = false;
}
#ifdef HAVE_LCKPWDF
diff --git a/lib/sssd.c b/lib/sssd.c
new file mode 100644
index 00000000..80e49e55
--- /dev/null
+++ b/lib/sssd.c
@@ -0,0 +1,75 @@
+/* Author: Peter Vrabec <pvrabec@redhat.com> */
+
+#include <config.h>
+#ifdef USE_SSSD
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include "exitcodes.h"
+#include "defines.h"
+#include "prototypes.h"
+#include "sssd.h"
+
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
+
+int sssd_flush_cache (int dbflags)
+{
+ int status, code, rv;
+ const char *cmd = "/usr/sbin/sss_cache";
+ char *sss_cache_args = NULL;
+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
+ const char *spawnedEnv[] = {NULL};
+ int i = 0;
+
+ sss_cache_args = malloc(4);
+ if (sss_cache_args == NULL) {
+ return -1;
+ }
+
+ sss_cache_args[i++] = '-';
+ if (dbflags & SSSD_DB_PASSWD) {
+ sss_cache_args[i++] = 'U';
+ }
+ if (dbflags & SSSD_DB_GROUP) {
+ sss_cache_args[i++] = 'G';
+ }
+ sss_cache_args[i++] = '\0';
+ if (i == 2) {
+ /* Neither passwd nor group, nothing to do */
+ free(sss_cache_args);
+ return 0;
+ }
+ spawnedArgs[1] = sss_cache_args;
+
+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
+ free(sss_cache_args);
+ if (rv != 0) {
+ /* run_command writes its own more detailed message. */
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ code = WEXITSTATUS (status);
+ if (!WIFEXITED (status)) {
+ (void) fprintf (stderr,
+ _("%s: sss_cache did not terminate normally (signal %d)\n"),
+ Prog, WTERMSIG (status));
+ return -1;
+ } else if (code == E_CMD_NOTFOUND) {
+ /* sss_cache is not installed, or it is installed but uses an
+ interpreter that is missing. Probably the former. */
+ return 0;
+ } else if (code != 0) {
+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
+ Prog, code);
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ return 0;
+}
+#else /* USE_SSSD */
+extern int errno; /* warning: ANSI C forbids an empty source file */
+#endif /* USE_SSSD */
+
diff --git a/lib/sssd.h b/lib/sssd.h
new file mode 100644
index 00000000..00ff2a8a
--- /dev/null
+++ b/lib/sssd.h
@@ -0,0 +1,17 @@
+#ifndef _SSSD_H_
+#define _SSSD_H_
+
+#define SSSD_DB_PASSWD 0x001
+#define SSSD_DB_GROUP 0x002
+
+/*
+ * sssd_flush_cache - flush specified service buffer in sssd cache
+ */
+#ifdef USE_SSSD
+extern int sssd_flush_cache (int dbflags);
+#else
+#define sssd_flush_cache(service) (0)
+#endif
+
+#endif
+
diff --git a/src/chfn.c b/src/chfn.c
index 18aa3de7..0725e1c7 100644
--- a/src/chfn.c
+++ b/src/chfn.c
@@ -47,6 +47,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef USE_PAM
#include "pam_defs.h"
#endif
@@ -746,6 +747,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' information", user));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index 13203a46..e5f2eb7e 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -46,6 +46,7 @@
#endif /* ACCT_TOOLS_SETUID */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "groupio.h"
#ifdef SHADOWGRP
@@ -581,6 +582,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return (0);
}
diff --git a/src/chpasswd.c b/src/chpasswd.c
index 918b27ee..49e79cdb 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -44,6 +44,7 @@
#endif /* USE_PAM */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "getdef.h"
#include "prototypes.h"
#include "pwio.h"
@@ -624,6 +625,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return (0);
}
diff --git a/src/chsh.c b/src/chsh.c
index c89708b9..910e3dd4 100644
--- a/src/chsh.c
+++ b/src/chsh.c
@@ -46,6 +46,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -557,6 +558,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/gpasswd.c b/src/gpasswd.c
index c4a492b1..4d75af96 100644
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
exit (E_SUCCESS);
}
diff --git a/src/groupadd.c b/src/groupadd.c
index b57006c5..2dd8eec9 100644
--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -51,6 +51,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -625,6 +626,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupdel.c b/src/groupdel.c
index 70bed010..f941a84a 100644
--- a/src/groupdel.c
+++ b/src/groupdel.c
@@ -49,6 +49,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -492,6 +493,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupmod.c b/src/groupmod.c
index b293b98f..1dca5fc9 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -51,6 +51,7 @@
#include "groupio.h"
#include "pwio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/grpck.c b/src/grpck.c
index ea5d3b39..6140b10d 100644
--- a/src/grpck.c
+++ b/src/grpck.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
@@ -870,6 +871,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
/*
* Tell the user what we did and exit.
diff --git a/src/grpconv.c b/src/grpconv.c
index f95f4960..5e5eaaca 100644
--- a/src/grpconv.c
+++ b/src/grpconv.c
@@ -48,6 +48,7 @@
#include <unistd.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -273,6 +274,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/grpunconv.c b/src/grpunconv.c
index 253f06f5..e4105c26 100644
--- a/src/grpunconv.c
+++ b/src/grpunconv.c
@@ -48,6 +48,7 @@
#include <grp.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -236,6 +237,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/newusers.c b/src/newusers.c
index 8e4bef97..7c3bb1c2 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -62,6 +62,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "pwio.h"
#include "sgroupio.h"
#include "shadowio.h"
@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef USE_PAM
unsigned int i;
diff --git a/src/passwd.c b/src/passwd.c
index 3af3e651..5bea2765 100644
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -51,6 +51,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
closelog ();
diff --git a/src/pwck.c b/src/pwck.c
index 05df68ec..0ffb711e 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -48,6 +48,7 @@
#include "shadowio.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include "tcbfuncs.h"
#endif /* WITH_TCB */
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
/*
* Tell the user what we did and exit.
diff --git a/src/pwconv.c b/src/pwconv.c
index d6ee31a8..9c69fa13 100644
--- a/src/pwconv.c
+++ b/src/pwconv.c
@@ -72,6 +72,7 @@
#include "pwio.h"
#include "shadowio.h"
#include "nscd.h"
+#include "sssd.h"
/*
* exit status values
@@ -328,6 +329,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return E_SUCCESS;
}
diff --git a/src/pwunconv.c b/src/pwunconv.c
index fabf0237..e11ea494 100644
--- a/src/pwunconv.c
+++ b/src/pwunconv.c
@@ -42,6 +42,7 @@
#include <getopt.h>
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "shadowio.h"
@@ -250,6 +251,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return 0;
}
diff --git a/src/useradd.c b/src/useradd.c
index ca90f076..b0c2224d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -60,6 +60,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
/*
* tallylog_reset needs to be able to lookup
diff --git a/src/userdel.c b/src/userdel.c
index c8de1d31..0715e4fe 100644
--- a/src/userdel.c
+++ b/src/userdel.c
@@ -53,6 +53,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
}
diff --git a/src/usermod.c b/src/usermod.c
index 7355ad31..fd9a98a6 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -57,6 +57,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef WITH_SELINUX
if (Zflg) {
diff --git a/src/vipw.c b/src/vipw.c
index 6d730f65..2cfac6b4 100644
--- a/src/vipw.c
+++ b/src/vipw.c
@@ -42,6 +42,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "sgroupio.h"
@@ -556,6 +557,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return E_SUCCESS;
}

View File

@ -1,59 +0,0 @@
From 87257a49a1821d67870aa9760c71b6791583709c Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Fri, 2 Oct 2020 16:09:42 +0200
Subject: [PATCH] lib/sssd: redirect warning message to file
Instead of printing warning in stderr print it to file. This way the
user is not spammed with unnecessary messages when updating packages.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
---
lib/sssd.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/lib/sssd.c b/lib/sssd.c
index 80e49e55..f864ce68 100644
--- a/lib/sssd.c
+++ b/lib/sssd.c
@@ -11,7 +11,7 @@
#include "prototypes.h"
#include "sssd.h"
-#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache."
int sssd_flush_cache (int dbflags)
{
@@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags)
free(sss_cache_args);
if (rv != 0) {
/* run_command writes its own more detailed message. */
- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
return -1;
}
code = WEXITSTATUS (status);
if (!WIFEXITED (status)) {
- (void) fprintf (stderr,
- _("%s: sss_cache did not terminate normally (signal %d)\n"),
- Prog, WTERMSIG (status));
+ SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
+ Prog, WTERMSIG (status)));
return -1;
} else if (code == E_CMD_NOTFOUND) {
/* sss_cache is not installed, or it is installed but uses an
interpreter that is missing. Probably the former. */
return 0;
} else if (code != 0) {
- (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
- Prog, code);
- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
+ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
return -1;
}
--
2.26.2

View File

@ -1,31 +0,0 @@
diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
--- shadow-4.6/man/generate_translations.mak.use-itstool 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/generate_translations.mak 2018-07-31 16:42:21.623990969 +0200
@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
$(MAKE) -C .. config.xml
cp ../config.xml $@
-%.xml: ../%.xml ../po/$(LANG).po
- xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
+messages.mo: ../po/$(LANG).po
+ msgfmt ../po/$(LANG).po -o messages.mo
+
+login.defs.d:
+ ln -sf ../login.defs.d login.defs.d
+
+%.xml: ../%.xml messages.mo login.defs.d
+ if grep -q SHADOW-CONFIG-HERE $< ; then \
+ sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
+ else \
+ sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
+ fi
+ itstool -d -l $(LANG) -m messages.mo -o . $@
sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
include ../generate_mans.mak
@@ -16,4 +27,4 @@ $(man_MANS):
@echo you need to run configure with --enable-man to generate man pages
endif
-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
+CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml

View File

@ -1,190 +0,0 @@
commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu May 2 14:33:06 2019 +0200
Use the lckpwdf() again if prefix is not set
The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.
This reverts the implementation to use lckpwdf() if prefix option
is not used.
diff --git a/lib/commonio.c b/lib/commonio.c
index 26e518f2..94dda779 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
int commonio_setname (struct commonio_db *db, const char *name)
{
snprintf (db->filename, sizeof (db->filename), "%s", name);
+ db->setname = true;
return 1;
}
@@ -414,37 +415,39 @@ cleanup_ENOMEM:
int commonio_lock (struct commonio_db *db)
{
-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
-#if 0
- /*
- * only if the system libc has a real lckpwdf() - the one from
- * lockpw.c calls us and would cause infinite recursion!
- */
+ int i;
+#ifdef HAVE_LCKPWDF
/*
- * Call lckpwdf() on the first lock.
- * If it succeeds, call *_lock() only once
- * (no retries, it should always succeed).
+ * Only if the system libc has a real lckpwdf() - the one from
+ * lockpw.c calls us and would cause infinite recursion!
+ * It is also not used with the prefix option.
*/
- if (0 == lock_count) {
- if (lckpwdf () == -1) {
- if (geteuid () != 0) {
- (void) fprintf (stderr,
- "%s: Permission denied.\n",
- Prog);
+ if (!db->setname) {
+ /*
+ * Call lckpwdf() on the first lock.
+ * If it succeeds, call *_lock() only once
+ * (no retries, it should always succeed).
+ */
+ if (0 == lock_count) {
+ if (lckpwdf () == -1) {
+ if (geteuid () != 0) {
+ (void) fprintf (stderr,
+ "%s: Permission denied.\n",
+ Prog);
+ }
+ return 0; /* failure */
}
- return 0; /* failure */
}
- }
- if (commonio_lock_nowait (db, true) != 0) {
- return 1; /* success */
- }
+ if (commonio_lock_nowait (db, true) != 0) {
+ return 1; /* success */
+ }
- ulckpwdf ();
- return 0; /* failure */
-#else /* !HAVE_LCKPWDF */
- int i;
+ ulckpwdf ();
+ return 0; /* failure */
+ }
+#endif /* !HAVE_LCKPWDF */
/*
* lckpwdf() not used - do it the old way.
@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
}
}
return 0; /* failure */
-#endif /* !HAVE_LCKPWDF */
}
static void dec_lock_count (void)
diff --git a/lib/commonio.h b/lib/commonio.h
index 40e5708f..64e83073 100644
--- a/lib/commonio.h
+++ b/lib/commonio.h
@@ -143,6 +143,7 @@ struct commonio_db {
bool isopen:1;
bool locked:1;
bool readonly:1;
+ bool setname:1;
};
extern int commonio_setname (struct commonio_db *, const char *);
diff --git a/lib/groupio.c b/lib/groupio.c
index ae2302b5..bffb06e0 100644
--- a/lib/groupio.c
+++ b/lib/groupio.c
@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int gr_setdbname (const char *filename)
diff --git a/lib/pwio.c b/lib/pwio.c
index 7ee85377..127719cb 100644
--- a/lib/pwio.c
+++ b/lib/pwio.c
@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int pw_setdbname (const char *filename)
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
index 5423626a..ffbdb263 100644
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sgr_setdbname (const char *filename)
diff --git a/lib/shadowio.c b/lib/shadowio.c
index 5fa3d312..676b1f1a 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int spw_setdbname (const char *filename)
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
index a662e67e..dd779c59 100644
--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_uid_setdbname (const char *filename)
@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
false, /* changed */
false, /* isopen */
false, /* locked */
- false /* readonly */
+ false, /* readonly */
+ false /* setname */
};
int sub_gid_setdbname (const char *filename)

View File

@ -1,20 +0,0 @@
diff -up shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists 2023-05-17 10:39:41.457826153 +0200
+++ shadow-4.6/src/useradd.c 2023-05-17 10:41:30.937036772 +0200
@@ -2019,14 +2019,14 @@ static void usr_update (void)
fail_exit (E_PW_UPDATE);
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid &&
+ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
(sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
- if (is_sub_gid &&
+ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
(sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),

View File

@ -1,44 +0,0 @@
From 663824ef4ca927aa2b4319b69e0bfa68282ec719 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sat, 22 May 2021 11:42:02 -0500
Subject: [PATCH] Fix useradd with SUB_UID_COUNT=0
Closes #298
Fix useradd when SUB_UID_COUNT=0 in login.defs.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
src/useradd.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 06accb2f..9862ae55 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2386,6 +2386,8 @@ int main (int argc, char **argv)
#ifdef ENABLE_SUBIDS
uid_t uid_min;
uid_t uid_max;
+ unsigned long subuid_count;
+ unsigned long subgid_count;
#endif
/*
@@ -2427,9 +2429,11 @@ int main (int argc, char **argv)
#ifdef ENABLE_SUBIDS
uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
- is_sub_uid = sub_uid_file_present () && !rflg &&
+ subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536);
+ subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536);
+ is_sub_uid = subuid_count > 0 && sub_uid_file_present () && !rflg &&
(!user_id || (user_id <= uid_max && user_id >= uid_min));
- is_sub_gid = sub_gid_file_present () && !rflg &&
+ is_sub_gid = subgid_count > 0 && sub_gid_file_present () && !rflg &&
(!user_id || (user_id <= uid_max && user_id >= uid_min));
#endif /* ENABLE_SUBIDS */
--
2.30.2

View File

@ -1,21 +0,0 @@
diff -up shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids 2021-11-03 11:55:00.189562187 +0100
+++ shadow-4.6/src/useradd.c 2021-11-03 11:57:34.128658978 +0100
@@ -2350,7 +2350,7 @@ int main (int argc, char **argv)
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid) {
+ if (is_sub_uid && subuid_count != 0) {
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate user IDs\n"),
@@ -2358,7 +2358,7 @@ int main (int argc, char **argv)
fail_exit(E_SUB_UID_UPDATE);
}
}
- if (is_sub_gid) {
+ if (is_sub_gid && subgid_count != 0) {
if (find_new_sub_gids(user_name, &sub_gid_start, &sub_gid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate group IDs\n"),

View File

@ -1,42 +0,0 @@
diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200
@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
{
long long int gid;
char *endptr;
+ struct group *g;
if (NULL == grname) {
return NULL;
@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
&& (gid == (gid_t)gid)) {
return prefix_getgrgid ((gid_t) gid);
}
- return prefix_getgrnam (grname);
+ g = prefix_getgrnam (grname);
+ return g ? __gr_dup(g) : NULL;
}
else
return getgr_nam_gid(grname);
diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200
+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200
@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
prefix_user_home = xmalloc(len);
wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
assert (wlen == (int) len -1);
+ if (user_newhome) {
+ len = strlen(prefix) + strlen(user_newhome) + 2;
+ prefix_user_newhome = xmalloc(len);
+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
+ assert (wlen == (int) len -1);
+ }
- len = strlen(prefix) + strlen(user_newhome) + 2;
- prefix_user_newhome = xmalloc(len);
- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
- assert (wlen == (int) len -1);
}
else {
prefix_user_home = user_home;

View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAlrncOkACgkQ6f7qBqhe
P52UGAf/eOnoIYIZ52y72iMxeNfQMTMjYTZd1YrtjlK0RQKquK7FrCOg91MvOF2B
hLVKu2OU7mzuPTMSAraAxjXLkrM0E3vFjMtu1fHBGlGTMspAfik/9Gu9qoevAKXy
BRqgN5m5HMfoGPeEjzILzaGq8bnPKIOfJ0iAYVkjjIa73Vn20uTmNgNZIRqHqwfw
5GUFHn6cjQXFcQ3ngywgwQD7/h/65w8dBbGysF551sAqzPJRbneQL9Wtklcqi1ub
55NyF0ifT67RqMh+EyxhuhXP1Hi57PTEAeqaFMFxnPlQPb+8pQ8nszWBmI+vUN8D
FmhwCtSTnmKlj0jeAqevmkijJhGPQQ==
=fk/F
-----END PGP SIGNATURE-----

View File

@ -1,98 +0,0 @@
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
#
ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# The values must be within the 1000-999999999 range.
#
SHA_CRYPT_MAX_ROUNDS 5000

8
gating.yaml Normal file
View File

@ -0,0 +1,8 @@
# recipients: sssd-qe
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

View File

@ -1,14 +1,12 @@
diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c
--- shadow-4.6/libmisc/chkname.c.goodname 2020-10-23 12:50:47.202529031 +0200
+++ shadow-4.6/libmisc/chkname.c 2020-10-23 12:54:54.604692559 +0200
@@ -49,25 +49,44 @@
static bool is_valid_name (const char *name)
{
diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
--- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100
+++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100
@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
}
/*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ * User/group names must match gnu e-regex:
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+ *
@ -18,7 +16,9 @@ diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c
+ * Also do not allow fully numeric names or just "." or "..".
+ */
+ int numeric;
+
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ if ('\0' == *name ||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) ||
@ -56,10 +56,10 @@ diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c
}
bool is_valid_user_name (const char *name)
diff -up shadow-4.6/man/groupadd.8.xml.goodname shadow-4.6/man/groupadd.8.xml
--- shadow-4.6/man/groupadd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/groupadd.8.xml 2020-10-23 12:50:47.202529031 +0200
@@ -273,10 +273,14 @@
diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
--- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100
@@ -273,10 +273,12 @@
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
@ -67,21 +67,19 @@ diff -up shadow-4.6/man/groupadd.8.xml.goodname shadow-4.6/man/groupadd.8.xml
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Groupnames may begin with lower and upper case letters, digits,
+ underscores, or periods. They may continue with all the aforementioned
+ characters, or dashes. Finally, they can end with a dollar sign.
+ Groupnames may contain only lower and upper case letters, digits,
+ underscores, or dashes. They can end with a dollar sign.
+
+ Fully numeric groupnames and groupnames containing only . or .. are
+ disallowed.
+
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
+ Dashes are not allowed at the beginning of the groupname.
+ Fully numeric groupnames and groupnames . or .. are
+ also disallowed.
</para>
<para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
diff -up shadow-4.6/man/useradd.8.xml.goodname shadow-4.6/man/useradd.8.xml
--- shadow-4.6/man/useradd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/useradd.8.xml 2020-10-23 12:50:47.202529031 +0200
@@ -650,10 +650,16 @@
diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
--- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200
+++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100
@@ -661,10 +661,14 @@
</para>
<para>
@ -89,16 +87,14 @@ diff -up shadow-4.6/man/useradd.8.xml.goodname shadow-4.6/man/useradd.8.xml
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Usernames may begin with lower and upper case letters, digits,
+ underscores, or periods. They may continue with all the aforementioned
+ characters, or dashes. Finally, they can end with a dollar sign.
+ Usernames may contain only lower and upper case letters, digits,
+ underscores, or dashes. They can end with a dollar sign.
+
+ Fully numeric usernames and usernames containing only . or .. are
+ disallowed. It is not recommended to use usernames beginning
+ Dashes are not allowed at the beginning of the username.
+ Fully numeric usernames and usernames . or .. are
+ also disallowed. It is not recommended to use usernames beginning
+ with . character as their home directories will be hidden in
+ the <command>ls</command> output.
+
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
</para>
<para>
Usernames may only be up to 32 characters long.

View File

@ -0,0 +1,11 @@
diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c
--- shadow-4.8/lib/getdef.c.login-prompt 2020-01-13 10:38:44.852796681 +0100
+++ shadow-4.8/lib/getdef.c 2020-01-13 10:39:54.472612511 +0100
@@ -98,6 +98,7 @@ static struct itemdef def_table[] = {
{"LASTLOG_UID_MAX", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
{"MAIL_DIR", NULL},

View File

@ -1,17 +1,19 @@
diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200
+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200
@@ -382,4 +382,7 @@ extern char *strerror ();
diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
--- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100
+++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100
@@ -388,6 +388,9 @@ extern char *strerror ();
# endif
#endif
+/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768
+
#endif /* _DEFINES_H_ */
diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100
+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200
#ifdef HAVE_SECURE_GETENV
# define shadow_getenv(name) secure_getenv(name)
# else
diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
--- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|| (pw->pw_gid == (gid_t)-1)
|| (valid_field (pw->pw_gecos, ":\n") == -1)
@ -24,9 +26,9 @@ diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
return -1;
}
diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200
diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
--- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200
+++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100
@@ -57,7 +57,7 @@
struct passwd *sgetpwent (const char *buf)
{
@ -48,9 +50,9 @@ diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
strcpy (pwdbuf, buf);
/*
diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200
diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
--- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100
@@ -48,7 +48,7 @@
*/
struct spwd *sgetspent (const char *string)
@ -68,9 +70,9 @@ diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
return 0; /* fail if too long */
}
strcpy (spwbuf, string);
diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100
+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200
diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
--- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
if ( (NULL == sp)

View File

@ -135,22 +135,6 @@ diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
check_perms ();
#ifdef SHADOWGRP
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
newgr.gr_passwd = cp;
}
+#ifdef WITH_AUDIT
+ {
+
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+ "change-password",
+ myname, AUDIT_NO_ID, gr->gr_name,
+ SHADOW_AUDIT_SUCCESS);
+ }
+#endif
/*
* The updated group file entry is then put back and will
* be written to the group file later, after all the
diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
--- shadow-4.8/src/chpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
+++ shadow-4.8/src/chpasswd.c 2020-01-13 10:21:44.558107260 +0100
@ -254,31 +238,3 @@ diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
check_perms ();
#ifdef USE_PAM
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
newpw.pw_passwd = cp;
}
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "updating-password",
+ pw->pw_name, (unsigned int) pw->pw_uid, 1);
+#endif
/*
* The updated password file entry is then put back and will
* be written to the password file later, after all the
Index: shadow-4.5/src/Makefile.am
===================================================================
--- shadow-4.5.orig/src/Makefile.am
+++ shadow-4.5/src/Makefile.am
@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

View File

@ -0,0 +1,106 @@
diff -up shadow-4.9/man/usermod.8.xml.badname-special-characters shadow-4.9/man/usermod.8.xml
--- shadow-4.9/man/usermod.8.xml.badname-special-characters 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/man/usermod.8.xml 2022-09-26 16:32:46.214519257 +0200
@@ -110,7 +110,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>-b</option>, <option>--badnames</option>
+ <option>-b</option>, <option>--badname</option>
</term>
<listitem>
<para>
diff -up shadow-4.9/src/newusers.c.badname-special-characters shadow-4.9/src/newusers.c
--- shadow-4.9/src/newusers.c.badname-special-characters 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/src/newusers.c 2022-09-26 16:33:31.331869855 +0200
@@ -139,7 +139,7 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -b, --badnames allow bad names\n"), usageout);
+ (void) fputs (_(" -b, --badname allow bad names\n"), usageout);
#ifndef USE_PAM
(void) fprintf (usageout,
_(" -c, --crypt-method METHOD the crypt method (one of %s)\n"),
@@ -406,7 +406,7 @@ static int add_user (const char *name, u
/* Check if this is a valid user name */
if (!is_valid_user_name (name)) {
fprintf (stderr,
- _("%s: invalid user name '%s'\n"),
+ _("%s: invalid user name '%s': use --badname to ignore\n"),
Prog, name);
return -1;
}
@@ -634,7 +634,7 @@ static void process_flags (int argc, cha
int bad_s;
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
static struct option long_options[] = {
- {"badnames", no_argument, NULL, 'b'},
+ {"badname", no_argument, NULL, 'b'},
#ifndef USE_PAM
{"crypt-method", required_argument, NULL, 'c'},
#endif /* !USE_PAM */
diff -up shadow-4.9/src/pwck.c.badname-special-characters shadow-4.9/src/pwck.c
--- shadow-4.9/src/pwck.c.badname-special-characters 2022-09-26 16:32:46.208519211 +0200
+++ shadow-4.9/src/pwck.c 2022-09-26 16:32:46.214519257 +0200
@@ -151,7 +151,7 @@ static /*@noreturn@*/void usage (int sta
"Options:\n"),
Prog);
}
- (void) fputs (_(" -b, --badnames allow bad names\n"), usageout);
+ (void) fputs (_(" -b, --badname allow bad names\n"), usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -q, --quiet report errors only\n"), usageout);
(void) fputs (_(" -r, --read-only display errors and warnings\n"
@@ -176,7 +176,7 @@ static void process_flags (int argc, cha
{
int c;
static struct option long_options[] = {
- {"badnames", no_argument, NULL, 'b'},
+ {"badname", no_argument, NULL, 'b'},
{"help", no_argument, NULL, 'h'},
{"quiet", no_argument, NULL, 'q'},
{"read-only", no_argument, NULL, 'r'},
@@ -493,7 +493,8 @@ static void check_pw_file (int *errors,
*/
if (!is_valid_user_name (pwd->pw_name)) {
- printf (_("invalid user name '%s'\n"), pwd->pw_name);
+ printf (_("invalid user name '%s': use --badname to ignore\n"),
+ pwd->pw_name);
*errors += 1;
}
diff -up shadow-4.9/src/useradd.c.badname-special-characters shadow-4.9/src/useradd.c
--- shadow-4.9/src/useradd.c.badname-special-characters 2022-09-26 16:32:46.212519242 +0200
+++ shadow-4.9/src/useradd.c 2022-09-26 16:32:46.214519257 +0200
@@ -852,7 +852,7 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog, Prog, Prog);
- (void) fputs (_(" --badnames do not check for bad names\n"), usageout);
+ (void) fputs (_(" --badname do not check for bad names\n"), usageout);
(void) fputs (_(" -b, --base-dir BASE_DIR base directory for the home directory of the\n"
" new account\n"), usageout);
#ifdef WITH_BTRFS
@@ -1119,7 +1119,7 @@ static void process_flags (int argc, cha
#ifdef WITH_BTRFS
{"btrfs-subvolume-home", no_argument, NULL, 200},
#endif
- {"badnames", no_argument, NULL, 201},
+ {"badname", no_argument, NULL, 201},
{"comment", required_argument, NULL, 'c'},
{"home-dir", required_argument, NULL, 'd'},
{"defaults", no_argument, NULL, 'D'},
diff -up shadow-4.9/src/usermod.c.badname-special-characters shadow-4.9/src/usermod.c
--- shadow-4.9/src/usermod.c.badname-special-characters 2022-09-26 16:32:46.215519265 +0200
+++ shadow-4.9/src/usermod.c 2022-09-26 16:33:52.274032599 +0200
@@ -418,7 +418,7 @@ static /*@noreturn@*/void usage (int sta
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -b, --badnames allow bad names\n"), usageout);
+ (void) fputs (_(" -b, --badname allow bad names\n"), usageout);
(void) fputs (_(" -c, --comment COMMENT new value of the GECOS field\n"), usageout);
(void) fputs (_(" -d, --home HOME_DIR new home directory for the user account\n"), usageout);
(void) fputs (_(" -e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE\n"), usageout);

View File

@ -1,7 +1,6 @@
Index: shadow-4.5/lib/semanage.c
===================================================================
--- shadow-4.5.orig/lib/semanage.c
+++ shadow-4.5/lib/semanage.c
diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
--- shadow-4.9/lib/semanage.c.default-range 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/lib/semanage.c 2021-08-02 12:43:16.822817392 +0200
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
goto done;
}
@ -9,7 +8,7 @@ Index: shadow-4.5/lib/semanage.c
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (stderr,
fprintf (shadow_logfd,
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
ret = 1;
goto done;
@ -25,7 +24,7 @@ Index: shadow-4.5/lib/semanage.c
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (stderr,
fprintf (shadow_logfd,
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
ret = 1;
goto done;

View File

@ -0,0 +1,12 @@
diff -up shadow-4.9/lib/sssd.c.disable-sssd shadow-4.9/lib/sssd.c
--- shadow-4.9/lib/sssd.c.disable-sssd 2024-09-13 10:28:17.144473113 +0200
+++ shadow-4.9/lib/sssd.c 2024-09-13 10:29:07.135621104 +0200
@@ -16,7 +16,7 @@
int sssd_flush_cache (int dbflags)
{
int status, code, rv;
- const char *cmd = "/usr/sbin/sss_cache";
+ const char *cmd = "/usr/sbin/sss_cache_shadow_utils";
char *sss_cache_args = NULL;
const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
const char *spawnedEnv[] = {NULL};

View File

@ -1,6 +1,6 @@
diff -up shadow-4.6/man/getsubids.1.xml.getsubids shadow-4.6/man/getsubids.1.xml
--- shadow-4.6/man/getsubids.1.xml.getsubids 2021-12-09 10:40:50.730275761 +0100
+++ shadow-4.6/man/getsubids.1.xml 2021-12-09 10:40:50.730275761 +0100
diff -up shadow-4.9/man/getsubids.1.xml.getsubids shadow-4.9/man/getsubids.1.xml
--- shadow-4.9/man/getsubids.1.xml.getsubids 2021-11-18 16:27:33.951053120 +0100
+++ shadow-4.9/man/getsubids.1.xml 2021-11-18 16:27:33.951053120 +0100
@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
@ -143,10 +143,10 @@ diff -up shadow-4.6/man/getsubids.1.xml.getsubids shadow-4.6/man/getsubids.1.xml
+ </para>
+ </refsect1>
+</refentry>
diff -up shadow-4.6/man/Makefile.am.getsubids shadow-4.6/man/Makefile.am
--- shadow-4.6/man/Makefile.am.getsubids 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/man/Makefile.am 2021-12-09 10:40:50.730275761 +0100
@@ -59,6 +59,7 @@ man_MANS += $(man_nopam)
diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am
--- shadow-4.9/man/Makefile.am.getsubids 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/man/Makefile.am 2021-11-18 16:27:33.951053120 +0100
@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
endif
man_subids = \
@ -154,7 +154,7 @@ diff -up shadow-4.6/man/Makefile.am.getsubids shadow-4.6/man/Makefile.am
man1/newgidmap.1 \
man1/newuidmap.1 \
man5/subgid.5 \
@@ -77,6 +78,7 @@ man_XMANS = \
@@ -80,6 +81,7 @@ man_XMANS = \
expiry.1.xml \
faillog.5.xml \
faillog.8.xml \
@ -162,9 +162,9 @@ diff -up shadow-4.6/man/Makefile.am.getsubids shadow-4.6/man/Makefile.am
gpasswd.1.xml \
groupadd.8.xml \
groupdel.8.xml \
diff -up shadow-4.6/src/getsubids.c.getsubids shadow-4.6/src/getsubids.c
--- shadow-4.6/src/getsubids.c.getsubids 2021-12-09 10:40:50.730275761 +0100
+++ shadow-4.6/src/getsubids.c 2021-12-09 10:40:50.730275761 +0100
diff -up shadow-4.9/src/getsubids.c.getsubids shadow-4.9/src/getsubids.c
--- shadow-4.9/src/getsubids.c.getsubids 2021-11-18 16:27:33.951053120 +0100
+++ shadow-4.9/src/getsubids.c 2021-11-18 16:27:33.951053120 +0100
@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <string.h>
@ -212,13 +212,14 @@ diff -up shadow-4.6/src/getsubids.c.getsubids shadow-4.6/src/getsubids.c
+ }
+ return 0;
+}
diff -up shadow-4.6/src/Makefile.am.getsubids shadow-4.6/src/Makefile.am
--- shadow-4.6/src/Makefile.am.getsubids 2021-12-09 10:40:50.710275627 +0100
+++ shadow-4.6/src/Makefile.am 2021-12-09 10:45:04.465985510 +0100
@@ -140,8 +140,8 @@ if WITH_TCB
diff -up shadow-4.9/src/list_subid_ranges.c.getsubids shadow-4.9/src/list_subid_ranges.c
diff -up shadow-4.9/src/Makefile.am.getsubids shadow-4.9/src/Makefile.am
--- shadow-4.9/src/Makefile.am.getsubids 2021-11-18 16:27:33.943053061 +0100
+++ shadow-4.9/src/Makefile.am 2021-11-18 16:28:03.647272392 +0100
@@ -157,8 +157,8 @@ if FCAPS
setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
endif
if ENABLE_SUBIDS
-noinst_PROGRAMS += list_subid_ranges \
- get_subid_owners \
+bin_PROGRAMS += getsubids
@ -226,7 +227,7 @@ diff -up shadow-4.6/src/Makefile.am.getsubids shadow-4.6/src/Makefile.am
new_subid_range \
free_subid_range \
check_subid_range
@@ -156,13 +156,13 @@ MISCLIBS = \
@@ -174,13 +174,13 @@ MISCLIBS = \
$(LIBCRYPT) \
$(LIBTCB)

View File

@ -0,0 +1,60 @@
From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sat, 14 Aug 2021 13:24:34 -0400
Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
use SHA_ROUNDS_DEFAULT.
Previously, the code fell through, calling shadow_random(-1, -1). This
ultimately set rounds = (unsigned long) -1, which ends up being a very
large number! This then got capped to SHA_ROUNDS_MAX later in the
function.
The new behavior matches BCRYPT_get_salt_rounds().
Bug: https://bugs.gentoo.org/808195
Fixes: https://github.com/shadow-maint/shadow/issues/393
---
libmisc/salt.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/libmisc/salt.c b/libmisc/salt.c
index 91d528fd..30eefb9c 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
if ((-1 == min_rounds) && (-1 == max_rounds)) {
rounds = SHA_ROUNDS_DEFAULT;
}
+ else {
+ if (-1 == min_rounds) {
+ min_rounds = max_rounds;
+ }
- if (-1 == min_rounds) {
- min_rounds = max_rounds;
- }
+ if (-1 == max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (-1 == max_rounds) {
- max_rounds = min_rounds;
- }
+ if (min_rounds > max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (min_rounds > max_rounds) {
- max_rounds = min_rounds;
+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
}
-
- rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
} else if (0 == *prefered_rounds) {
rounds = SHA_ROUNDS_DEFAULT;
} else {
--
2.31.1

180
shadow-4.9-manfix.patch Normal file
View File

@ -0,0 +1,180 @@
diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
--- shadow-4.8.1/man/groupmems.8.xml.manfix 2020-03-17 15:34:48.750414984 +0100
+++ shadow-4.8.1/man/groupmems.8.xml 2020-03-17 15:41:13.383588722 +0100
@@ -179,20 +179,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2710 groupmems
- $ chown root.groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8.1/man/ja/man5/login.defs.5 2020-03-17 15:34:48.750414984 +0100
@@ -147,10 +147,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。
.na
-.IP chfn 12
-CHFN_AUTH CHFN_RESTRICT
-.IP chsh 12
-CHFN_AUTH
.IP groupadd 12
GID_MAX GID_MIN
.IP newusers 12
diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
--- shadow-4.8.1/man/login.defs.5.xml.manfix 2020-01-17 16:47:56.000000000 +0100
+++ shadow-4.8.1/man/login.defs.5.xml 2020-03-17 15:34:48.750414984 +0100
@@ -164,6 +164,17 @@
long numeric parameters is machine-dependent.
</para>
+ <para>
+ Please note that the parameters in this configuration file control the
+ behavior of the tools from the shadow-utils component. None of these
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
+ passwd command) should be configured elsewhere. The only values that
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
+ pam(8) for more information.
+ </para>
+
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
@@ -256,16 +267,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>chfn</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
- CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>chgpasswd</term>
<listitem>
<para>
@@ -286,14 +287,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry condition="no_pam">
- <term>chsh</term>
- <listitem>
- <para>
- CHSH_AUTH LOGIN_STRING
- </para>
- </listitem>
- </varlistentry>
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables -->
<varlistentry>
@@ -359,34 +352,6 @@
<para>LASTLOG_UID_MAX</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
<!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
@@ -415,17 +380,6 @@
</listitem>
</varlistentry>
<!-- nologin: no variables -->
- <varlistentry condition="no_pam">
- <term>passwd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>pwck</term>
<listitem>
@@ -452,32 +406,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>

View File

@ -0,0 +1,88 @@
From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:09:59 +0200
Subject: [PATCH] useradd: create directories after the SELinux user
Create the home and mail folders after the SELinux user has been set for
the added user. This will allow the folders to be created with the
SELinux user label.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 46 +++++++++++++++++++++++-----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 6269c01c..b463a170 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
}
#endif /* WITH_SELINUX */
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, false,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory %s already exists.\n"
+ "%s: Not copying any file from skel directory into it.\n"),
+ Prog, user_home, Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
+
if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
"useradd")) {
exit(1);
}
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-
return E_SUCCESS;
}
--
2.31.1

View File

@ -0,0 +1,35 @@
From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Wed, 10 Nov 2021 12:02:04 +0100
Subject: [PATCH] newgrp: fix segmentation fault
Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
that is immediately freed.
The error was committed in
https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/newgrp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/newgrp.c b/src/newgrp.c
index 730f47e8..566f1c89 100644
--- a/src/newgrp.c
+++ b/src/newgrp.c
@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
spwd = xgetspnam (pwd->pw_name);
if (NULL != spwd) {
pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
+ spw_free (spwd);
}
- spw_free (spwd);
if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
needspasswd = true;
--
2.31.1

View File

@ -0,0 +1,15 @@
diff --git a/src/Makefile.am b/src/Makefile.am
index 7c1a3491..6cc873be 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
endif
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
-newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
-newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
+newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
+newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)

View File

@ -1,24 +1,3 @@
Index: shadow-4.5/src/faillog.c
===================================================================
--- shadow-4.5.orig/src/faillog.c
+++ shadow-4.5/src/faillog.c
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
}
tm = localtime (&fl.fail_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+ cp = ptime;
#endif
+ }
printf ("%-9s %5d %5d ",
pw->pw_name, fl.fail_cnt, fl.fail_max);
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
Index: shadow-4.5/src/chage.c
===================================================================
--- shadow-4.5.orig/src/chage.c

View File

@ -0,0 +1,30 @@
From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 15 Nov 2021 12:40:15 +0100
Subject: [PATCH] pwck: fix segfault when calling fprintf()
As shadow_logfd variable is not set at the beginning of the program if
something fails and fprintf() is called a segmentation fault happens.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/pwck.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pwck.c b/src/pwck.c
index 4248944a..4ce86af2 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -857,6 +857,7 @@ int main (int argc, char **argv)
* Get my name so that I can use it to report errors.
*/
Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
--
2.31.1

View File

@ -1,16 +1,16 @@
diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200
@@ -98,7 +98,7 @@ const char *Prog;
static gid_t def_group = 100;
diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
--- shadow-4.9/src/useradd.c.redhat 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/src/useradd.c 2021-08-02 11:45:11.942867250 +0200
@@ -104,7 +104,7 @@ FILE *shadow_logfd = NULL;
static gid_t def_group = 1000;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "";
-static const char *def_shell = "/bin/bash";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no";
static const char *def_create_mail_spool = "yes";
@@ -108,7 +108,7 @@ static const char *def_expire = "";
@@ -114,7 +114,7 @@ static const char *def_expire = "";
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
@ -19,7 +19,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
@@ -1204,9 +1204,9 @@ static void process_flags (int argc, cha
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
@ -31,7 +31,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) {
@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
@@ -1363,6 +1363,7 @@ static void process_flags (int argc, cha
case 'M':
Mflg = true;
break;

View File

@ -0,0 +1,30 @@
From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sat, 14 Aug 2021 19:37:24 -0500
Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
In some cases, the value which was being freed is not actually
safe to free.
Closes #394
This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
---
src/useradd.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index f90127cd..0d3f390d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -413,7 +413,6 @@ static void get_defaults (void)
} else {
def_group = grp->gr_gid;
def_gname = xstrdup (grp->gr_name);
- gr_free(grp);
}
}
--
2.31.1

View File

@ -0,0 +1,24 @@
diff --git a/libmisc/salt.c b/libmisc/salt.c
index efef4e59..823b093d 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -439,6 +439,19 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
exit (1);
}
+ char *pos = strstr(retval, "$rounds=");
+ if (pos != NULL) {
+ char str[128];
+ int len;
+ int ret;
+
+ ret = sprintf(str, "%lu", rounds);
+ if (ret > 0) {
+ len = strlen("$rounds=") + strlen(str);
+ memmove(pos, pos + len, strlen(pos + len) + 1);
+ }
+ }
+
return retval;
#else /* USE_XCRYPT_GENSALT */
/* Check if the result buffer is long enough. */

View File

@ -0,0 +1,61 @@
From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:13:13 +0200
Subject: [PATCH] semanage: close the selabel handle
Close the selabel handle to update the file_context. This means that the
file_context will be remmaped and used by selabel_lookup() to return
the appropriate context to label the home folder.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
lib/prototypes.h | 1 +
lib/selinux.c | 5 +++++
lib/semanage.c | 1 +
3 files changed, 7 insertions(+)
diff --git a/lib/prototypes.h b/lib/prototypes.h
index 1d1586d4..b697e0ec 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
/* selinux.c */
#ifdef WITH_SELINUX
extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
extern int reset_selinux_file_context (void);
extern int check_selinux_permit (const char *perm_name);
#endif
diff --git a/lib/selinux.c b/lib/selinux.c
index c83545f9..b075d4c0 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -50,6 +50,11 @@ static void cleanup(void)
}
}
+void reset_selinux_handle (void)
+{
+ cleanup();
+}
+
/*
* set_selinux_file_context - Set the security context before any file or
* directory creation.
diff --git a/lib/semanage.c b/lib/semanage.c
index 0d30456a..a5bf9218 100644
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
}
ret = 0;
+ reset_selinux_handle();
done:
semanage_seuser_key_free (key);
--
2.31.1

View File

@ -0,0 +1,79 @@
diff --git a/src/useradd.c b/src/useradd.c
index baeffb35..9abeea6e 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
static uid_t sub_uid_start; /* New subordinate uid range */
-static unsigned long sub_uid_count;
static gid_t sub_gid_start; /* New subordinate gid range */
-static unsigned long sub_gid_count;
#endif /* ENABLE_SUBIDS */
static bool pw_locked = false;
static bool gr_locked = false;
@@ -234,7 +232,7 @@ static void open_shadow (void);
static void faillog_reset (uid_t);
static void lastlog_reset (uid_t);
static void tallylog_reset (const char *);
-static void usr_update (void);
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
static void create_home (void);
static void create_mail (void);
static void check_uid_range(int rflg, uid_t user_id);
@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
* usr_update() creates the password file entries for this user
* and will update the group entries if required.
*/
-static void usr_update (void)
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
{
struct passwd pwent;
struct spwd spent;
@@ -2155,14 +2153,14 @@ static void usr_update (void)
}
#ifdef ENABLE_SUBIDS
if (is_sub_uid &&
- (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
if (is_sub_gid &&
- (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid && sub_uid_count != 0) {
- if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
+ if (is_sub_uid && subuid_count != 0) {
+ if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate user IDs\n"),
Prog);
fail_exit(E_SUB_UID_UPDATE);
}
}
- if (is_sub_gid && sub_gid_count != 0) {
- if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
+ if (is_sub_gid && subgid_count != 0) {
+ if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate group IDs\n"),
Prog);
@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
}
#endif /* ENABLE_SUBIDS */
- usr_update ();
+ usr_update (subuid_count, subgid_count);
close_files ();

View File

@ -0,0 +1,38 @@
From e0524e813a3bae2891b33a66f35876841c11cee7 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 24 Oct 2022 10:46:36 +0200
Subject: [PATCH] useradd: check if subid range exists for user
Check if a user already has a subid range before assigning one.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 7ea0a9c4..e784d602 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2188,14 +2188,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
fail_exit (E_PW_UPDATE);
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid &&
+ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
(sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
- if (is_sub_gid &&
+ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
(sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
--
2.40.1

View File

@ -0,0 +1,13 @@
diff --git a/src/useradd.c b/src/useradd.c
index b463a170..f7c97958 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
if (mflg) {
create_home ();
if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
+ copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid);
} else {
fprintf (stderr,

View File

@ -0,0 +1,19 @@
diff -up shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users shadow-4.9/src/useradd.c
--- shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users 2022-04-22 14:50:10.658371270 +0200
+++ shadow-4.9/src/useradd.c 2022-04-22 14:54:34.810100549 +0200
@@ -2319,12 +2319,10 @@ static void check_uid_range(int rflg, ui
{
uid_t uid_min ;
uid_t uid_max ;
- if(rflg){
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
+ if (rflg) {
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
- if(uid_min <= uid_max){
- if(user_id < uid_min || user_id >uid_max)
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
+ if (user_id > uid_max) {
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
}
}else{
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);

View File

@ -0,0 +1,43 @@
<!--
Copyright (c) 1991 - 1993, Julianne Frances Haugh
Copyright (c) 1991 - 1993, Chip Rosenthal
Copyright (c) 2007 - 2009, Nicolas François
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<varlistentry>
<term><option>HOME_MODE</option> (number)</term>
<listitem>
<para>
The mode for new home directories. If not specified,
the <option>UMASK</option> is used to create the mode.
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
to set the mode of the home directory they create.
</para>
</listitem>
</varlistentry>

278
shadow-utils.login.defs Normal file
View File

@ -0,0 +1,278 @@
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
#LOGIN_RETRIES 3
#
# Max time in seconds for login(1)
#
#LOGIN_TIMEOUT 60
# Currently PASS_CHANGE_TRIES is not supported
# Currently PASS_ALWAYS_WARN is not supported
# Currently PASS_MAX_LEN is not supported
# Currently CHFN_AUTH is not supported
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
#CHFN_RESTRICT rwh
# Currently LOGIN_STRING is not supported
# Currently MD5_CRYPT_ENAB is not supported
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
#
ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range.
#
SHA_CRYPT_MAX_ROUNDS 100000
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported
# Currently CONSOLE_GROUPS is not supported
#
# Should login be allowed if we can't cd to the home directory?
# Default is yes.
#
#DEFAULT_HOME yes
# Currently ENVIRON_FILE is not supported
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# Enables userdel(8) to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd(8) should create home directories for users by default (non
# system users only).
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
CREATE_HOME yes
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
#FORCE_SHADOW yes
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
#
# Note: It is recommended to check hmac(3) to see the possible algorithms
# that are available in your system.
#
HMAC_CRYPTO_ALGO SHA512

View File

@ -1,123 +1,116 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.6
Release: 22%{?dist}
Version: 4.9
Release: 12%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
License: BSD and GPLv2+
URL: https://github.com/shadow-maint/shadow
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
Source2: shadow-utils.useradd
Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Source6: shadow-utils.HOME_MODE.xml
### Globals ###
%global includesubiddir %{_includedir}/shadow
%global includesubiddir %{_includedir}/shadow
### Patches ###
Patch0: shadow-4.6-redhat.patch
Patch1: shadow-4.6-goodname.patch
Patch2: shadow-4.1.5.1-info-parent-dir.patch
Patch6: shadow-4.6-selinux.patch
Patch10: shadow-4.6-orig-context.patch
Patch11: shadow-4.1.5.1-logmsg.patch
Patch14: shadow-4.1.5.1-default-range.patch
Patch15: shadow-4.6-manfix.patch
Patch17: shadow-4.1.5.1-userdel-helpfix.patch
Patch19: shadow-4.2.1-date-parsing.patch
Patch21: shadow-4.6-move-home.patch
Patch22: shadow-4.6-audit-update.patch
Patch23: shadow-4.5-usermod-unlock.patch
Patch24: shadow-4.2.1-no-lock-dos.patch
Patch28: shadow-4.6-selinux-perms.patch
Patch29: shadow-4.2.1-null-tm.patch
Patch31: shadow-4.6-getenforce.patch
Patch32: shadow-4.5-crypt_h.patch
Patch33: shadow-4.5-long-entry.patch
Patch34: shadow-4.6-usermod-crash.patch
Patch35: shadow-4.6-coverity.patch
Patch36: shadow-4.6-use-itstool.patch
Patch37: shadow-4.6-sssd-flush.patch
Patch38: shadow-4.6-sysugid-min-limit.patch
Patch39: shadow-4.6-chgrp-guard.patch
Patch40: shadow-4.6-ignore-login-prompt.patch
Patch41: shadow-4.6-use-lckpwdf.patch
# Upstreamed
Patch42: shadow-4.6-regular-user.patch
# Upstreamed
Patch43: shadow-4.6-home_mode-directive.patch
# Upstreamed
Patch44: shadow-4.6-check-local-groups.patch
# https://github.com/shadow-maint/shadow/commit/e84df9e163e133eb11a2728024ff3e3440592cf8
Patch45: shadow-4.6-sssd-redirect-warning.patch
# Unused option in Fedora/RHEL - non upstreamable
Patch46: shadow-4.6-remove-login-string-references.patch
# Misc small changes - most probably non-upstreamable
Patch0: shadow-4.9-redhat.patch
# Be more lenient with acceptable user/group names - non upstreamable
Patch1: shadow-4.8-goodname.patch
# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15
Patch2: shadow-4.9-move-create-home.patch
# SElinux related - upstreamability unknown
Patch3: shadow-4.9-default-range.patch
# Misc manual page changes - non-upstreamable
Patch4: shadow-4.9-manfix.patch
# Date parsing improvement - could be upstreamed
Patch5: shadow-4.2.1-date-parsing.patch
# Additional error message - could be upstreamed
Patch6: shadow-4.6-move-home.patch
# Audit message changes - upstreamability unknown
Patch7: shadow-4.9-audit-update.patch
# Changes related to password unlocking - could be upstreamed
Patch8: shadow-4.5-usermod-unlock.patch
# Additional SElinux related changes - upstreamability unknown
Patch9: shadow-4.8-selinux-perms.patch
# Handle NULL return from *time funcs - could be upstreamed
Patch10: shadow-4.9-null-tm.patch
# Handle /etc/passwd corruption - could be upstreamed
Patch11: shadow-4.8-long-entry.patch
# Limit uid/gid allocation to non-zero - could be upstreamed
Patch12: shadow-4.6-sysugid-min-limit.patch
# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
Patch13: shadow-4.8-ignore-login-prompt.patch
# https://github.com/shadow-maint/shadow/commit/c6847011e8b656adacd9a0d2a78418cad0de34cb
Patch14: shadow-4.9-newuidmap-libeconf-dependency.patch
# https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
Patch47: shadow-4.6-usermod-allow-all-group-types.patch
# https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a052b988b01a71933b67296e68
# https://github.com/shadow-maint/shadow/commit/607f1dd549cf9abc87af1cf29275f0d2d11eea29
# https://github.com/shadow-maint/shadow/commit/b5fb1b38eea2fb0489ed088c82daf6700e72363e
# https://github.com/shadow-maint/shadow/commit/43a917cce54019799a8de037fd63780a2b640afc
Patch48: shadow-4.6-libsubid_creation.patch
# https://github.com/shadow-maint/shadow/commit/514c1328b6c90d817ae0a9f7addfb3c9a11a275a
# https://github.com/shadow-maint/shadow/commit/8492dee6632e340dee76eee895c3e30877bebf45
# https://github.com/shadow-maint/shadow/commit/0f4347d1483191b2142546416a9eefe0c9459600
Patch49: shadow-4.6-libsubid_nsswitch_support.patch
# https://github.com/shadow-maint/shadow/commit/186b1b7ac1a68d0fcc618a22da1a99232b420911
Patch50: shadow-4.6-man-mention-nss-in-newuidmap.patch
# https://github.com/shadow-maint/shadow/commit/f9831a4a1a20b0e8fe47cc72ec20018ec04dbb90
Patch51: shadow-4.6-libsubid_not_print_error_messages.patch
# https://github.com/shadow-maint/shadow/commit/c6cab4a7bafa18d9d65a333cac1261e7b5e32bc9
Patch52: shadow-4.6-libsubid_init_return_false.patch
# https://github.com/shadow-maint/shadow/commit/2f1f45d64fc7c10e7a3cbe00e89f63714343e526
Patch53: shadow-4.6-useradd_SUB_UID_COUNT-0.patch
# https://github.com/shadow-maint/shadow/commit/ea7af4e1543c63590d4107ae075fea385028997d
Patch54: shadow-4.6-libsubid_simplify_ranges_variable.patch
# https://github.com/shadow-maint/shadow/commit/0fe42f571c69f0105d31305f995c9887aeb9525e
Patch55: shadow-4.6-libsubid_init_not_print_error_messages.patch
# https://github.com/shadow-maint/shadow/commit/ec1951c181faed188464396b2cfdd2efb726c7f3
Patch56: shadow-4.6-libsubid_fix_newusers_nss_provides_subids.patch
# https://github.com/shadow-maint/shadow/commit/087112244327be50abc24f9ec8afbf60ae8b2dec
# https://github.com/shadow-maint/shadow/pull/353
Patch57: shadow-4.6-man_clarify_subid_delegation.patch
# https://github.com/shadow-maint/shadow/commit/bd920ab36a6c641e4a8769f8c7f8ca738ec61820
Patch58: shadow-4.6-libsubid_make_logfd_not_extern.patch
# https://github.com/shadow-maint/shadow/commit/0dffc7c61200f492eeac03c29fa7e93b62d3cead
Patch59: shadow-4.6-useradd_dont_try_to_create_0_subuids.patch
# https://github.com/shadow-maint/shadow/commit/77e39de1e6cbd6925f16bb260abb7d216296886b
Patch60: shadow-4.6-install_subid_h.patch
# https://github.com/shadow-maint/shadow/commit/fa986b1d73605ecca54a4f19249227aeab827bf6
Patch61: shadow-4.6-respect_enable_static_no.patch
Patch15: shadow-4.9-usermod-allow-all-group-types.patch
# https://github.com/shadow-maint/shadow/commit/9dd720a28578eef5be8171697aae0906e4c53249
Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
# https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545
Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch
# https://github.com/shadow-maint/shadow/commit/4624e9fca1b02b64e25e8b2280a0186182ab73ba
Patch19: shadow-4.9-revert-useradd-fix-memleak.patch
# https://github.com/shadow-maint/shadow/commit/06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2
Patch20: shadow-4.9-useradd-copy-tree-argument.patch
# https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f
Patch21: shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
# https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948
Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
Patch62: shadow-4.6-getsubids.patch
Patch23: shadow-4.9-getsubids.patch
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
Patch63: shadow-4.6-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
Patch64: shadow-4.9-subordinateio-compare-owner-ID.patch
Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch
# https://github.com/shadow-maint/shadow/commit/0593b330d8413e9694b5d6783bb90974c9b141c5
# https://github.com/shadow-maint/shadow/commit/45d674621918664c8736f94f862e86bddf4c3fd4
Patch27: shadow-4.9-badname-special-characters.patch
# https://github.com/shadow-maint/shadow/commit/e0524e813a3bae2891b33a66f35876841c11cee7
Patch65: shadow-4.6-useradd-check-if-subid-range-exists.patch
Patch28: shadow-4.9-useradd-check-if-subid-range-exists.patch
# https://github.com/shadow-maint/shadow/commit/baae5b4a06c905d9f52ed1f922a0d7d0625d11cf
Patch66: shadow-4.6-skip-over-reserved-ids.patch
Patch29: shadow-4.9-skip-over-reserved-ids.patch
# https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
Patch67: shadow-4.6-gpasswd-fix-password-leak.patch
Patch68: shadow-4.6-salt-remove-rounds.patch
Patch30: shadow-4.9-gpasswd-fix-password-leak.patch
# Downstream only patch
Patch31: shadow-4.9-disable-sssd.patch
# Downstream only patch
Patch32: shadow-4.9-salt-remove-rounds.patch
License: BSD and GPLv2+
Group: System Environment/Base
BuildRequires: gcc
BuildRequires: libselinux-devel >= 1.25.2-1
BuildRequires: audit-libs-devel >= 1.6.5
BuildRequires: libsemanage-devel
BuildRequires: libacl-devel, libattr-devel
BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
BuildRequires: autoconf, automake, libtool, gettext-devel
BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
Requires: libselinux >= 1.25.2-1
### Dependencies ###
Requires: audit-libs >= 1.6.5
Requires: libselinux >= 1.25.2-1
Requires: setup
Requires(pre): coreutils
Requires(post): coreutils
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
### Build Dependencies ###
BuildRequires: audit-libs-devel >= 1.6.5
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: flex
BuildRequires: gcc
BuildRequires: gettext-devel
BuildRequires: itstool
BuildRequires: libacl-devel
BuildRequires: libattr-devel
BuildRequires: libselinux-devel >= 1.25.2-1
BuildRequires: libsemanage-devel
BuildRequires: libtool
BuildRequires: libxslt
BuildRequires: make
### Provides ###
Provides: shadow = %{epoch}:%{version}-%{release}
%description
The shadow-utils package includes the necessary programs for
@ -153,63 +146,43 @@ Development files for shadow-utils-subid.
%setup -q -n shadow-%{version}
%patch0 -p1 -b .redhat
%patch1 -p1 -b .goodname
%patch2 -p1 -b .info-parent-dir
%patch6 -p1 -b .selinux
%patch10 -p1 -b .orig-context
%patch11 -p1 -b .logmsg
%patch14 -p1 -b .default-range
%patch15 -p1 -b .manfix
%patch17 -p1 -b .userdel
%patch19 -p1 -b .date-parsing
%patch21 -p1 -b .move-home
%patch22 -p1 -b .audit-update
%patch23 -p1 -b .unlock
%patch24 -p1 -b .no-lock-dos
%patch28 -p1 -b .selinux-perms
%patch29 -p1 -b .null-tm
%patch31 -p1 -b .getenforce
%patch32 -p1 -b .crypt_h
%patch33 -p1 -b .long-entry
%patch34 -p1 -b .usermod-crash
%patch35 -p1 -b .coverity
%patch36 -p1 -b .use-itstool
%patch37 -p1 -b .sssd-flush
%patch38 -p1 -b .sysugid-min-limit
%patch39 -p1 -b .chgrp-guard
%patch40 -p1 -b .login-prompt
%patch41 -p1 -b .use-lckpwdf
%patch42 -p1 -b .regular-user
%patch43 -p1 -b .home_mode-directive
%patch44 -p1 -b .check-local-groups
%patch45 -p1 -b .sssd-redirect-warning
%patch46 -p1 -b .remove-login-string-references
%patch47 -p1 -b .usermod-allow-all-group-types
%patch48 -p1 -b .libsubid_creation
%patch49 -p1 -b .libsubid_nsswitch_support
%patch50 -p1 -b .man-mention-nss-in-newuidmap
%patch51 -p1 -b .libsubid_not_print_error_messages
%patch52 -p1 -b .libsubid_init_return_false
%patch53 -p1 -b .useradd_SUB_UID_COUNT-0
%patch54 -p1 -b .libsubid_simplify_ranges_variable
%patch55 -p1 -b .libsubid_init_not_print_error_messages
%patch56 -p1 -b .libsubid_fix_newusers_nss_provides_subids
%patch57 -p1 -b .man_clarify_subid_delegation
%patch58 -p1 -b .libsubid_make_logfd_not_extern
%patch59 -p1 -b .useradd_dont_try_to_create_0_subuids
%patch60 -p1 -b .install_subid_h
%patch61 -p1 -b .respect_enable_static_no
%patch62 -p1 -b .getsubids
%patch63 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
%patch64 -p1 -b .subordinateio-compare-owner-ID
%patch65 -p1 -b .useradd-check-if-subid-range-exists
%patch66 -p1 -b .skip-over-reserved-ids
%patch67 -p1 -b .gpasswd-fix-password-leak
%patch68 -p1 -b .salt-remove-rounds
%patch2 -p1 -b .move-create-home
%patch3 -p1 -b .default-range
%patch4 -p1 -b .manfix
%patch5 -p1 -b .date-parsing
%patch6 -p1 -b .move-home
%patch7 -p1 -b .audit-update
%patch8 -p1 -b .unlock
%patch9 -p1 -b .selinux-perms
%patch10 -p1 -b .null-tm
%patch11 -p1 -b .long-entry
%patch12 -p1 -b .sysugid-min-limit
%patch13 -p1 -b .login-prompt
%patch14 -p1 -b .newuidmap-libeconf-dependency
%patch15 -p1 -b .usermod-allow-all-group-types
%patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
%patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
%patch18 -p1 -b .semanage-close-the-selabel-handle
%patch19 -p1 -b .revert-useradd-fix-memleak
%patch20 -p1 -b .useradd-copy-tree-argument
%patch21 -p1 -b .pwck-fix-segfault-when-calling-fprintf
%patch22 -p1 -b .newgrp-fix-segmentation-fault
%patch23 -p1 -b .getsubids
%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users
%patch26 -p1 -b .subordinateio-compare-owner-ID
%patch27 -p1 -b .badname-special-characters
%patch28 -p1 -b .useradd-check-if-subid-range-exists
%patch29 -p1 -b .skip-over-reserved-ids
%patch30 -p1 -b .gpasswd-fix-password-leak
%patch31 -p1 -b .disable-sssd
%patch32 -p1 -b .salt-remove-rounds
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
cp -a %{SOURCE4} %{SOURCE5} .
cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
# Force regeneration of getdate.c
rm libmisc/getdate.c
@ -238,66 +211,65 @@ autoreconf
%make_build
%install
rm -rf $RPM_BUILD_ROOT
%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
done
# Remove binaries we don't use.
rm $RPM_BUILD_ROOT/%{_bindir}/chfn
rm $RPM_BUILD_ROOT/%{_bindir}/chsh
rm $RPM_BUILD_ROOT/%{_bindir}/expiry
rm $RPM_BUILD_ROOT/%{_bindir}/groups
rm $RPM_BUILD_ROOT/%{_bindir}/login
rm $RPM_BUILD_ROOT/%{_bindir}/passwd
rm $RPM_BUILD_ROOT/%{_bindir}/su
rm $RPM_BUILD_ROOT/%{_bindir}/faillog
rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
rm $RPM_BUILD_ROOT%{_bindir}/chfn
rm $RPM_BUILD_ROOT%{_bindir}/chsh
rm $RPM_BUILD_ROOT%{_bindir}/expiry
rm $RPM_BUILD_ROOT%{_bindir}/groups
rm $RPM_BUILD_ROOT%{_bindir}/login
rm $RPM_BUILD_ROOT%{_bindir}/passwd
rm $RPM_BUILD_ROOT%{_bindir}/su
rm $RPM_BUILD_ROOT%{_bindir}/faillog
rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
rm $RPM_BUILD_ROOT%{_sbindir}/nologin
rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
%find_lang shadow
@ -310,6 +282,7 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
done
# Move header files to its own folder
echo $(ls)
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
@ -318,7 +291,6 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%files -f shadow.lang
%doc NEWS doc/HOWTO README
%{!?_licensedir:%global license %%doc}
%license gpl-2.0.txt shadow-bsd.txt
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
@ -375,97 +347,174 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%{_libdir}/libsubid.so
%changelog
* Tue Nov 21 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-22
- salt: remove rounds from salt string. Resolves: RHEL-16668
* Mon Nov 4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-12
- salt: remove rounds from salt string. Resolves: RHEL-58978
* Thu Nov 2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-21
- login.defs: include SHA_CRYPT_MAX_ROUNDS. Resolves: RHEL-15024
* Fri Sep 13 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-10
- Disable sssd integration by default. Resolves: RHEL-56352
* Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-19
- gpasswd: fix password leak. Resolves: #2215947
* Wed Jul 3 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
- login.defs: Update SHA_CRYPT_MAX_ROUNDS from 5000 to 100000. Resolves: RHEL-40195
* Wed May 17 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-18
- Update patch to close label to reset libselinux state. Resolves: #1984740
- useradd: check if subid range exists for user. Resolves: #2012929
- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #1994269
* Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
- gpasswd: fix password leak. Resolves: #2215948
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-17
- subordinateio: also compare the owner ID. Resolves: #2093311
* Tue May 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
- useradd: check if subid range exists for user. Resolves: #2179987
- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #2179988
* Wed Sep 28 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
- Change "badnames" to "badname" as this is the accepted option name. Resolves: #2076819
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
- subordinateio: also compare the owner ID. Resolves: #2109410
* Fri Apr 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
- useradd: modify check ID range for system users. Resolves: #2004911
- Fix release sources
- Add subid requirement for subid-devel
* Thu Dec 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-16
- getsubids: provide system binary and man page. Resolves: #2013016
- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #1986782
* Thu Dec 2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
- getsubids: provide system binary and man page. Resolves: #2013015
- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081
- useradd: revert fix memleak of grp. Resolves: #2020238
- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #2024834
- pwck: fix segfault when calling fprintf()
- newgrp: fix segmentation fault
- Clean spec file: organize dependencies and move License location
* Tue Oct 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-15
- Creation of subid and subid-devel subpackages (#2013009)
- libsubid: creation and nsswitch support
* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
- libmisc: fix default value in SHA_get_salt_rounds(). Resolves: #1993919
* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
- Rebase to version 4.9. Resolves: #1989556
- usermod: allow all group types with -G option. Resolves: #1975329
- useradd: avoid generating an empty subid range
- Clean spec file
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:4.8.1-12
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
- Fix regression issues detected in rhbz#667593 and rhbz#672510. Resolves: #1938871
* Tue Jul 13 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
- Covscan fixes. Resolves: #1938871
* Fri Jun 25 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
- libsubid: creation and nsswitch support. Resolves: #1859252
- Creation of subid and subid-devel subpackages
- man: mention NSS in new[ug]idmap manpages
- libsubid: move development header to shadow folder
- libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory
- useradd: fix SUB_UID_COUNT=0
- libsubid: don't return owner in list_owner_ranges API call
- libsubid: libsubid_init don't print messages on error
- libsubid: fix newusers when nss provides subids
- libsubid: make shadow_logfd not extern
- useradd: fix SUB_UID_COUNT=0
- man: mention NSS in new[ug]idmap manpages
- man: clarify subid delegation
- libsubid: make shadow_logfd not extern
- login.defs: include HMAC_CRYPTO_ALGO key
* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-14
- usermod: allow all group types with -G option (#1967641)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:4.8.1-8
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon May 3 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-13
- man: Remove references to LOGIN_STRING in login.defs (#1884702)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Oct 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-12
- lib/sssd: redirect warning message to file (#1749001)
- useradd: clarify valid usernames/groupnames (#1869432)
- login.defs: link login specific information to its own package (#1804766)
* Mon Nov 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
- commonio: force lock file sync (#1862056)
* Fri Aug 7 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-11
- change UMASK value and add HOME_MODE in login.defs (#1777718)
* Tue Nov 3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
- Rebuild with libsemanage.so.2
* Tue May 5 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-10
- check only local groups when adding new supplementary groups to a user
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Apr 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-9
- do not mistake a regular user process for a namespaced one (#1788696)
- add HOME_MODE support in login.defs (#1777718)
* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
- check only local groups when adding new supplementary groups to a user (#1727236)
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-8
- properly audit group password change
- do not add uid of a new (not yet added) user to the audit message
* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
- useradd: clarify the useradd -d parameter behavior in man page
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-1
- updated upstream to 4.8.1
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-5
- synchronized login.defs with upstream file (#1261099 and #1807957)
* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
- fix useradd: doesn't generate spool mail with the proper SELinux user identity
(#1690527)
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 16 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-2
- make the invalid shell check into warning
* Mon Jan 13 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-1
- update to current upstream release 4.8
* Mon Sep 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16
- fix SELinux related problem in chpasswd/chgpasswd when run with -R
(patch by Petr Lautrbach) (#1747215)
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-14
- minor auditing fixes
* Fri May 3 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-13
- use lckpwdf() again to disable concurrent edits of databases by
other applications
- clarify chage manual page in regards to shadow and passwd
inconsistency
- fix minor issues in groupadd and login.defs manual pages
- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
* Tue Apr 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-12
- force regeneration of getdate.c otherwise the date parsing fix
is not applied
* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-7
* Fri Mar 22 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-11
- clarify chage manual page in regards to shadow and passwd
inconsistency (#1686440)
* Thu Mar 21 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-10
- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
* Thu Mar 7 2019 Tim Landscheidt <tim@tim-landscheidt.de> - 2:4.6-9
- Remove obsolete requirements for post/pre scriptlets
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2:4.6-7
- Rebuilt for libcrypt.so.2 (#1666033)
* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
- usermod: guard against unsafe change of ownership of
special home directories
* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
- drop trailing space from login.defs ENCRYPT_METHOD setting
* Mon Nov 19 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-5
- use itstool instead of xml2po
* Tue Nov 6 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
- use cap_setxid file capabilities for newxidmap instead of making them setuid
- limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0
and the 0 is always used by root anyway
- manual page improvements
* Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
- fix some issues from Coverity scan
- flush sssd caches - patch by Jakub Hrozek
* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
- fix some issues from Coverity scan
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-2
- use itstool instead of xml2po
* Mon May 28 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
- update to current upstream release 4.6
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
- Update to current upstream release 4.6
* Fri Apr 20 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-10
- Raise limit for passwd and shadow entry length but also prevent
writing longer entries (#1422497)

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (shadow-4.9.tar.xz) = 254cda49bb14505a7604821e7fa898bf4bf317d648e9ddc881ab80a6860d52053dfffacad6feab87c7d16608c35ed6b6cee99e7757eac930da3a7b31cdcd4b95
SHA512 (shadow-4.9.tar.xz.asc) = 16c0ff7be263c9d471b05656c9a1d14da8ec9b17544910323ca6ab854126d1a03ece221e0caf610e65a9b1d080b4cd1b8b46973f20e3ae45ea0e5581ce6c90d9

77
tests/sanity/Makefile Normal file
View File

@ -0,0 +1,77 @@
# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material
# is made available to anyone wishing to use, modify, copy, or
# redistribute it subject to the terms and conditions of the GNU General
# Public License v.2.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# Author: Jakub Hrozek
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Example Makefile for RHTS #
# This example is geared towards a test for a specific package #
# It does most of the work for you, but may require further coding #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# The toplevel namespace within which the test lives.
TOPLEVEL_NAMESPACE=CoreOS
# The name of the package under test:
PACKAGE_NAME=shadow-utils
# The path of the test below the package:
RELATIVE_PATH=sanity
# Version of the Test. Used with make tag.
export TESTVERSION=1.1
# The combined namespace of the test.
export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
# A phony target is one that is not really the name of a file.
# It is just a name for some commands to be executed when you
# make an explicit request. There are two reasons to use a
# phony target: to avoid a conflict with a file of the same
# name, and to improve performance.
.PHONY: all install download clean
# Executables to be built should be added here, they will be generated on the system under test.
BUILT_FILES=
# Data files, .c files, scripts anything needed to either compile the test and/or run it.
FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
chmod a+x ./sanity_test.py
chmod a+x ./runtest.sh
clean:
rm -f *~ *.rpm $(BUILT_FILES)
# Include Common Makefile
include /usr/share/rhts/lib/rhts-make.include
# Generate the testinfo.desc here:
$(METADATA): Makefile
@touch $(METADATA)
@echo "Owner: Jakub Hrozek <jhrozek@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "License: GNU GPL" >> $(METADATA)
@echo "Description: Basic sanity test for shadow-utils" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA)
@echo "Requires: $(PACKAGE_NAME)" >> $(METADATA)
@echo "Requires: python3-devel" >> $(METADATA)
rhts-lint $(METADATA)

10
tests/sanity/PURPOSE Normal file
View File

@ -0,0 +1,10 @@
This is a basic sanity test for the shadow-utils package. It is implemented
in python on top of the unittesting.py module.
Its purpose is to ensure that the binaries in the shadow-utils package behave
as expected and its switches/options work correctly.
For the most part, every binary in the shadow-utils package is represented by
a single class named Test<BinaryName>, i.e. TestUsermod etc. There are some
exceptions, like TestUseraddWeirdNameTest though.

28
tests/sanity/runtest.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/bash
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh || exit 1
rlJournalStart
rlFileBackup --clean /etc/default/useradd- /etc/default/useradd /etc/nsswitch.conf
setenforce 0
# We do not want sssd to interfere
for i in passwd group shadow ; do
sed -i "s/^$i:.*/$i: files/" /etc/nsswitch.conf
done
python3 sanity_test.py -v
setenforce 1
rlFileRestore
EXIT=$?
if [[ $EXIT -eq 0 ]]; then
RESULT="PASS"
else
RESULT="FAIL"
fi
rlJournalEnd
echo "Result: $RESULT"
echo "Exit: $EXIT"
report_result $TEST $RESULT $EXIT

1018
tests/sanity/sanity_test.py Executable file

File diff suppressed because it is too large Load Diff

13
tests/tests.yml Normal file
View File

@ -0,0 +1,13 @@
---
# This first play always runs on the local staging system
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
- atomic
tests:
- sanity
required_packages:
- shadow-utils # sanity test needs shadow-utils
- python3-devel # sanity test needs python3