rpms
/
shadow-utils
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i9c
rpms:c9
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta
rpms:i8c
rpms:c8
...
pull from: rpms:c10-beta
Branches Tags
rpms:i9c
rpms:c9
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta
rpms:i8c
rpms:c8

No commits in common. 'c9' and 'c10-beta' have entirely different histories.
c9 ... c10-beta

42 changed files with 2767 additions and 3249 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/shadow-4.9.tar.xz SOURCES/shadow-4.15.0.tar.xz

2
.shadow-utils.metadata
Unescape View File

@ -1 +1 @@
fa2307ff6c85ab3863d9e24dba0935bbbb337f3f SOURCES/shadow-4.9.tar.xz cb918a7412f5b57d268e3b1964111c9cdb84bb56 SOURCES/shadow-4.15.0.tar.xz

5
SOURCES/passwd.pamd
Unescape View File

@ -0,0 +1,5 @@
#%PAM-1.0
# This tool only uses the password stack.
password substack system-auth
-password optional pam_gnome_keyring.so use_authtok
password substack postlogin

380
SOURCES/shadow-4.15.0-account-tools-setuid.patch
Unescape View File

@ -0,0 +1,380 @@
diff -up shadow-4.15.0/src/chpasswd.c.account-tools-setuid shadow-4.15.0/src/chpasswd.c
--- shadow-4.15.0/src/chpasswd.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
+++ shadow-4.15.0/src/chpasswd.c 2024-03-11 11:21:57.561150382 +0100
@@ -443,9 +443,11 @@ int main (int argc, char **argv)
char *cp;
const char *salt;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
bool use_pam = true;
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
int errors = 0;
int line = 0;
@@ -469,19 +471,23 @@ int main (int argc, char **argv)
process_root_flag ("-R", argc, argv);
prefix = process_prefix_flag ("-P", argc, argv);
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (md5flg || eflg || cflg || prefix[0]) {
use_pam = false;
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
OPENLOG (Prog);
check_perms ();
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
is_shadow_pwd = spw_file_present ();
@@ -543,6 +549,7 @@ int main (int argc, char **argv)
}
newpwd = cp;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (use_pam) {
if (do_pam_passwd_non_interactive (Prog, name, newpwd) != 0) {
@@ -553,6 +560,7 @@ int main (int argc, char **argv)
}
} else
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
const struct spwd *sp;
struct spwd newsp;
@@ -672,9 +680,11 @@ int main (int argc, char **argv)
* password database.
*/
if (0 != errors) {
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
fprintf (stderr,
_("%s: error detected, changes ignored\n"),
@@ -683,9 +693,11 @@ int main (int argc, char **argv)
fail_exit (1);
}
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
{
/* Save the changes */
close_files ();
diff -up shadow-4.15.0/src/groupmems.c.account-tools-setuid shadow-4.15.0/src/groupmems.c
--- shadow-4.15.0/src/groupmems.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
+++ shadow-4.15.0/src/groupmems.c 2024-03-11 11:16:18.365408572 +0100
@@ -14,9 +14,11 @@
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include <pwd.h>
#include "alloc.h"
@@ -430,6 +432,7 @@ static void process_flags (int argc, cha
static void check_perms (void)
{
if (!list) {
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
@@ -463,7 +466,8 @@ static void check_perms (void)
fail_exit (1);
}
(void) pam_end (pamh, retval);
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
}
}
diff -up shadow-4.15.0/src/newusers.c.account-tools-setuid shadow-4.15.0/src/newusers.c
--- shadow-4.15.0/src/newusers.c.account-tools-setuid 2024-03-08 22:27:04.000000000 +0100
+++ shadow-4.15.0/src/newusers.c 2024-03-11 11:20:07.198909046 +0100
@@ -59,6 +59,7 @@
static const char Prog[] = "newusers";
static bool rflg = false; /* create a system account */
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
static /*@null@*//*@observer@*/char *crypt_method = NULL;
#define cflg (NULL != crypt_method)
@@ -75,6 +76,7 @@ static long bcrypt_rounds = 13;
static long yescrypt_cost = 5;
#endif /* USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
static bool is_shadow;
#ifdef SHADOWGRP
@@ -97,9 +99,11 @@ NORETURN static void fail_exit (int);
static int add_group (const char *, const char *, gid_t *, gid_t);
static int get_user_id (const char *, uid_t *);
static int add_user (const char *, uid_t, gid_t);
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
static int update_passwd (struct passwd *, const char *);
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
static int add_passwd (struct passwd *, const char *);
static void process_flags (int argc, char **argv);
static void check_flags (void);
@@ -121,6 +125,7 @@ static void usage (int status)
"Options:\n"),
Prog);
(void) fputs (_(" -b, --badname allow bad names\n"), usageout);
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
(void) fprintf (usageout,
_(" -c, --crypt-method METHOD the crypt method (one of %s)\n"),
@@ -136,9 +141,11 @@ static void usage (int status)
#endif
);
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -r, --system create system accounts\n"), usageout);
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
(void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n"
@@ -146,6 +153,7 @@ static void usage (int status)
usageout);
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
(void) fputs ("\n", usageout);
exit (status);
@@ -405,6 +413,7 @@ static int add_user (const char *name, u
return (pw_update (&pwent) == 0) ? -1 : 0;
}
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
/*
* update_passwd - update the password in the passwd entry
@@ -457,6 +466,7 @@ static int update_passwd (struct passwd
return 0;
}
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
/*
* add_passwd - add or update the encrypted password
@@ -465,10 +475,13 @@ static int add_passwd (struct passwd *pw
{
const struct spwd *sp;
struct spwd spent;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
char *cp;
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
void *crypt_arg = NULL;
if (NULL != crypt_method) {
@@ -505,13 +518,14 @@ static int add_passwd (struct passwd *pw
return update_passwd (pwd, password);
}
#endif /* USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
/*
* Do the first and easiest shadow file case. The user already
* exists in the shadow password file.
*/
sp = spw_locate (pwd->pw_name);
-#ifndef USE_PAM
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
if (NULL != sp) {
spent = *sp;
if ( (NULL != crypt_method)
@@ -547,7 +561,7 @@ static int add_passwd (struct passwd *pw
if (strcmp (pwd->pw_passwd, "x") != 0) {
return update_passwd (pwd, password);
}
-#else /* USE_PAM */
+#else /* !ACCT_TOOLS_SETUID && !USE_PAM */
/*
* If there is already a shadow entry, do not touch it.
* If there is already a passwd entry with a password, do not
@@ -558,14 +572,14 @@ static int add_passwd (struct passwd *pw
|| (strcmp (pwd->pw_passwd, "x") != 0)) {
return 0;
}
-#endif /* USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID && !USE_PAM */
/*
* Now the really hard case - I need to create an entirely new
* shadow password file entry.
*/
spent.sp_namp = pwd->pw_name;
-#ifndef USE_PAM
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) {
spent.sp_pwdp = (char *)password;
} else {
@@ -610,35 +624,41 @@ static int add_passwd (struct passwd *pw
static void process_flags (int argc, char **argv)
{
int c;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
int bad_s;
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
static struct option long_options[] = {
{"badname", no_argument, NULL, 'b'},
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
{"crypt-method", required_argument, NULL, 'c'},
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
{"help", no_argument, NULL, 'h'},
{"system", no_argument, NULL, 'r'},
{"root", required_argument, NULL, 'R'},
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
{"sha-rounds", required_argument, NULL, 's'},
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
-#ifndef USE_PAM
+#if !defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
"c:bhrs:",
#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT */
"c:bhr",
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
-#else /* USE_PAM */
+#else /* !ACCT_TOOLS_SETUID && !USE_PAM */
"bhr",
#endif
long_options, NULL)) != -1) {
@@ -646,11 +666,13 @@ static void process_flags (int argc, cha
case 'b':
allow_bad_names = true;
break;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
case 'c':
crypt_method = optarg;
break;
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
case 'h':
usage (EXIT_SUCCESS);
break;
@@ -659,6 +681,7 @@ static void process_flags (int argc, cha
break;
case 'R': /* no-op, handled in process_root_flag () */
break;
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
case 's':
@@ -698,6 +721,7 @@ static void process_flags (int argc, cha
break;
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
default:
usage (EXIT_FAILURE);
break;
@@ -730,6 +754,7 @@ static void process_flags (int argc, cha
*/
static void check_flags (void)
{
+#ifndef ACCT_TOOLS_SETUID
#ifndef USE_PAM
#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
if (sflg && !cflg) {
@@ -762,6 +787,7 @@ static void check_flags (void)
}
}
#endif /* !USE_PAM */
+#endif /* !ACCT_TOOLS_SETUID */
}
/*
@@ -1052,12 +1078,14 @@ int main (int argc, char **argv)
int line = 0;
uid_t uid;
gid_t gid;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
int *lines = NULL;
char **usernames = NULL;
char **passwords = NULL;
unsigned int nusers = 0;
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
log_set_progname(Prog);
log_set_logfd(stderr);
@@ -1195,6 +1223,7 @@ int main (int argc, char **argv)
}
newpw = *pw;
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
/* keep the list of user/password for later update by PAM */
nusers++;
@@ -1211,6 +1240,7 @@ int main (int argc, char **argv)
usernames[nusers-1] = strdup (fields[0]);
passwords[nusers-1] = strdup (fields[1]);
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
if (add_passwd (&newpw, fields[1]) != 0) {
fprintf (stderr,
_("%s: line %d: can't update password\n"),
@@ -1327,6 +1357,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
unsigned int i;
/* Now update the passwords using PAM */
@@ -1339,6 +1370,7 @@ int main (int argc, char **argv)
}
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
exit (EXIT_SUCCESS);
}

1377
SOURCES/shadow-4.9-audit-update.patch → SOURCES/shadow-4.15.0-audit-update.patch
View File

File diff suppressed because it is too large Load Diff

6
SOURCES/shadow-4.2.1-date-parsing.patch → SOURCES/shadow-4.15.0-date-parsing.patch
Unescape View File

@ -1,7 +1,7 @@
Index: shadow-4.5/libmisc/getdate.y Index: shadow-4.5/lib/getdate.y
=================================================================== ===================================================================
--- shadow-4.5.orig/libmisc/getdate.y --- shadow-4.5.orig/lib/getdate.y
+++ shadow-4.5/libmisc/getdate.y +++ shadow-4.5/lib/getdate.y
@@ -152,6 +152,7 @@ static int yyHaveDay; @@ -152,6 +152,7 @@ static int yyHaveDay;
static int yyHaveRel; static int yyHaveRel;
static int yyHaveTime; static int yyHaveTime;

137
SOURCES/shadow-4.15.0-getdef-spurious-error.patch
Unescape View File

@ -0,0 +1,137 @@
From ead55e9ba8958504e23e29545f90c4dd925c7462 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Wed, 20 Mar 2024 17:39:46 -0500
Subject: [PATCH] getdef: avoid spurious error messages about unknown
configuration options
def_find can return NULL for unset, not just unknown, config options. So
move the decision of whether to log an error message about an unknown config
option back into def_find, which knows the difference. Only putdef_str()
will pass a char* srcfile to def_find, so only calls from putdef_str will
cause the message, which was the original intent of fa68441bc4be8.
closes #967
fixes: fa68441bc4be8 ("Improve the login.defs unknown item error message")
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
lib/getdef.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/lib/getdef.c b/lib/getdef.c
index 4d4d4e19..ef2ae1f0 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -176,7 +176,7 @@ static const char* def_fname = LOGINDEFS; /* login config defs file */
static bool def_loaded = false; /* are defs already loaded? */
/* local function prototypes */
-static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *);
+static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *, const char *);
static void def_load (void);
@@ -195,7 +195,7 @@ static void def_load (void);
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
return (NULL == d) ? NULL : d->value;
}
@@ -214,7 +214,7 @@ bool getdef_bool (const char *item)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return false;
}
@@ -240,7 +240,7 @@ int getdef_num (const char *item, int dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -275,7 +275,7 @@ unsigned int getdef_unum (const char *item, unsigned int dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -310,7 +310,7 @@ long getdef_long (const char *item, long dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -342,7 +342,7 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt)
def_load ();
}
- d = def_find (item);
+ d = def_find (item, NULL);
if ((NULL == d) || (NULL == d->value)) {
return dflt;
}
@@ -375,12 +375,9 @@ int putdef_str (const char *name, const char *value, const char *srcfile)
* Locate the slot to save the value. If this parameter
* is unknown then "def_find" will print an err message.
*/
- d = def_find (name);
- if (NULL == d) {
- if (NULL != srcfile)
- SYSLOG ((LOG_CRIT, "shadow: unknown configuration item '%s' in '%s'", name, srcfile));
+ d = def_find (name, srcfile);
+ if (NULL == d)
return -1;
- }
/*
* Save off the value.
@@ -404,9 +401,12 @@ int putdef_str (const char *name, const char *value, const char *srcfile)
*
* Search through a table of configurable items to locate the
* specified configuration option.
+ *
+ * If srcfile is not NULL, and the item is not found, then report an error saying
+ * the unknown item was used in this file.
*/
-static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
+static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name, const char *srcfile)
{
struct itemdef *ptr;
@@ -432,6 +432,8 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
fprintf (shadow_logfd,
_("configuration error - unknown item '%s' (notify administrator)\n"),
name);
+ if (srcfile != NULL)
+ SYSLOG ((LOG_CRIT, "shadow: unknown configuration item '%s' in '%s'", name, srcfile));
out:
return NULL;
@@ -610,7 +612,7 @@ int main (int argc, char **argv)
def_load ();
for (i = 0; i < NUMDEFS; ++i) {
- d = def_find (def_table[i].name);
+ d = def_find (def_table[i].name, NULL);
if (NULL == d) {
printf ("error - lookup '%s' failed\n",
def_table[i].name);
--
2.44.0

56
SOURCES/shadow-4.9-manfix.patch → SOURCES/shadow-4.15.0-manfix.patch
Unescape View File

@ -1,7 +1,7 @@
diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml diff -up shadow-4.15.0/man/groupmems.8.xml.manfix shadow-4.15.0/man/groupmems.8.xml
--- shadow-4.8.1/man/groupmems.8.xml.manfix 2020-03-17 15:34:48.750414984 +0100 --- shadow-4.15.0/man/groupmems.8.xml.manfix 2023-05-26 04:56:11.000000000 +0200
+++ shadow-4.8.1/man/groupmems.8.xml 2020-03-17 15:41:13.383588722 +0100 +++ shadow-4.15.0/man/groupmems.8.xml 2024-02-09 10:42:20.337036378 +0100
@@ -179,20 +179,10 @@ @@ -156,20 +156,10 @@
<refsect1 id='setup'> <refsect1 id='setup'>
<title>SETUP</title> <title>SETUP</title>
<para> <para>
@ -19,16 +19,16 @@ diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xm
- <programlisting> - <programlisting>
- $ groupadd -r groups - $ groupadd -r groups
- $ chmod 2710 groupmems - $ chmod 2710 groupmems
- $ chown root.groups groupmems - $ chown root:groups groupmems
- $ groupmems -g groups -a gk4 - $ groupmems -g groups -a gk4
- </programlisting> - </programlisting>
</refsect1> </refsect1>
<refsect1 id='configuration'> <refsect1 id='configuration'>
diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5 diff -up shadow-4.15.0/man/ja/man5/login.defs.5.manfix shadow-4.15.0/man/ja/man5/login.defs.5
--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200 --- shadow-4.15.0/man/ja/man5/login.defs.5.manfix 2023-03-13 21:58:56.000000000 +0100
+++ shadow-4.8.1/man/ja/man5/login.defs.5 2020-03-17 15:34:48.750414984 +0100 +++ shadow-4.15.0/man/ja/man5/login.defs.5 2024-02-09 10:42:20.337036378 +0100
@@ -147,10 +147,6 @@ 以下の参照表は、 @@ -123,10 +123,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。 どのパラメータを使用するかを示したものである。
.na .na
@ -39,10 +39,10 @@ diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/l
.IP groupadd 12 .IP groupadd 12
GID_MAX GID_MIN GID_MAX GID_MIN
.IP newusers 12 .IP newusers 12
diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml diff -up shadow-4.15.0/man/login.defs.5.xml.manfix shadow-4.15.0/man/login.defs.5.xml
--- shadow-4.8.1/man/login.defs.5.xml.manfix 2020-01-17 16:47:56.000000000 +0100 --- shadow-4.15.0/man/login.defs.5.xml.manfix 2024-01-22 22:36:43.000000000 +0100
+++ shadow-4.8.1/man/login.defs.5.xml 2020-03-17 15:34:48.750414984 +0100 +++ shadow-4.15.0/man/login.defs.5.xml 2024-02-09 10:45:49.014407259 +0100
@@ -164,6 +164,17 @@ @@ -144,6 +144,17 @@
long numeric parameters is machine-dependent. long numeric parameters is machine-dependent.
</para> </para>
@ -60,7 +60,7 @@ diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.
<para>The following configuration items are provided:</para> <para>The following configuration items are provided:</para>
<variablelist remap='IP'> <variablelist remap='IP'>
@@ -256,16 +267,6 @@ @@ -240,16 +251,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
@ -77,7 +77,7 @@ diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.
<term>chgpasswd</term> <term>chgpasswd</term>
<listitem> <listitem>
<para> <para>
@@ -286,14 +287,6 @@ @@ -276,14 +277,6 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -92,7 +92,7 @@ diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) --> <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables --> <!-- faillog: no variables -->
<varlistentry> <varlistentry>
@@ -359,34 +352,6 @@ @@ -352,34 +345,6 @@
<para>LASTLOG_UID_MAX</para> <para>LASTLOG_UID_MAX</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -127,25 +127,7 @@ diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.
<!-- logoutd: no variables --> <!-- logoutd: no variables -->
<varlistentry> <varlistentry>
<term>newgrp / sg</term> <term>newgrp / sg</term>
@@ -415,17 +380,6 @@ @@ -451,32 +416,6 @@
</listitem>
</varlistentry>
<!-- nologin: no variables -->
- <varlistentry condition="no_pam">
- <term>passwd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>pwck</term>
<listitem>
@@ -452,32 +406,6 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -166,12 +148,12 @@ diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.
- </para> - </para>
- </listitem> - </listitem>
- </varlistentry> - </varlistentry>
- <varlistentry> - <varlistentry condition="no_pam">
- <term>sulogin</term> - <term>sulogin</term>
- <listitem> - <listitem>
- <para> - <para>
- ENV_HZ - ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase> - ENV_TZ
- </para> - </para>
- </listitem> - </listitem>
- </varlistentry> - </varlistentry>

1413
SOURCES/shadow-4.15.0-sast-fixes.patch
View File

File diff suppressed because it is too large Load Diff

16
SOURCES/shadow-4.15.0.tar.xz.asc
Unescape View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEflbiwT+nfOMVWa3JfcJMNsM0HSAFAmXrjOcACgkQfcJMNsM0
HSC+Xg/8DIzBlPlkuvgmKSQbTV2AsRDrGxRSSks36hAsi/uBNhpIi5RI5OftN9S2
PuuY+nfja8K1zbOt8IyUx8dLmBFbN5U3u53mb0W0hI2RQFn3G18Pg4CurzBktA6P
tQ23wr2YnWfjbq6k7ed8keAKh0CTxe+hy7IYpYww+RImxAuYOYgSoRn7qBbcFMkI
WUbg5dku4ijy+2N1llxjOX7hIKaYN+BlKBIxAiku4IBmxdRyVrKi5njmiFEQh8PG
53ZLW6lIy8Q2GJxZA+A/xEm+sZnaMuVTIKlQJouHTEYwhQ882PPm1lnFBFvoMPsk
mAXoUj4otJcXWnJbMgkFYv0BFWKKUpMdhT61miwGywOY8d60D9V85AnUjwRk8EOD
7pSGiVECZGEQsSaFXWDboYhNZZ7VlvpTUkMEphNfj7xENnGbr7BlgQEEPNpFwkUL
zNwIV30bP1qLwZD/MowjKfB5uc9MYt8Q7dP5IZNwqJv+WIRBQjr9LA3iGLxc3YfH
DlYLP8pLjmd0+4HuHdtlc2b8QSY5kLQKYy12MnvGL77EGUq76bjGVtgrE9AWy9V4
PRlS91lAdRqCCqAvWQ5wQx5lJwAED5uxAl64GEdyvHzGTkbFaH5DqTJBLd6v7Jyj
UTP+RxIAVrV+lCYy5TWwemeSlZkO/F0T/Lkk2wU/9S4rSltOkT4=
=fkei
-----END PGP SIGNATURE-----

64
SOURCES/shadow-4.5-usermod-unlock.patch
Unescape View File

@ -1,64 +0,0 @@
Index: shadow-4.5/src/usermod.c
===================================================================
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
strcat (buf, pw_pass);
pw_pass = buf;
} else if (Uflg && pw_pass[0] == '!') {
- char *s;
+ char *s = pw_pass;
- if (pw_pass[1] == '\0') {
+ while ('!' == *s)
+ ++s;
+
+ if (*s == '\0') {
fprintf (stderr,
_("%s: unlocking the user's password would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user's password.\n"),
Prog);
- return pw_pass;
+ return NULL;
}
#ifdef WITH_AUDIT
@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
user_newname, (unsigned int) user_newid, 1);
#endif
SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
- s = pw_pass;
- while ('\0' != *s) {
- *s = *(s + 1);
- s++;
- }
+ memmove (pw_pass, s, strlen (s) + 1);
} else if (pflg) {
+ if (strchr (user_pass, ':') != NULL) {
+ fprintf (stderr,
+ _("%s: The password field cannot contain a colon character.\n"),
+ Prog);
+ return NULL;
+
+ }
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"updating-password",
@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
if ( (!is_shadow_pwd)
|| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
+ if (pwent->pw_passwd == NULL)
+ fail_exit (E_PW_UPDATE);
}
if (uflg) {
@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
* + aging has been requested
*/
spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
+ if (spent->sp_pwdp == NULL)
+ fail_exit(E_PW_UPDATE);
if (pflg) {
spent->sp_lstchg = (long) gettime () / SCALE;

15
SOURCES/shadow-4.6-move-home.patch
Unescape View File

@ -1,15 +0,0 @@
diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c
--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200
+++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200
@@ -1845,6 +1845,11 @@ static void move_home (void)
Prog, prefix_user_home, prefix_user_newhome);
fail_exit (E_HOMEDIR);
}
+ } else {
+ fprintf (stderr,
+ _("%s: The previous home directory (%s) does "
+ "not exist or is inaccessible. Move cannot be completed.\n"),
+ Prog, prefix_user_home);
}
}

34
SOURCES/shadow-4.6-sysugid-min-limit.patch
Unescape View File

@ -1,34 +0,0 @@
diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c
--- shadow-4.6/libmisc/find_new_gid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/libmisc/find_new_gid.c 2018-11-06 10:51:20.554963292 +0100
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_group, g
(unsigned long) *max_id);
return EINVAL;
}
+ /*
+ * Zero is reserved for root and the allocation algorithm does not
+ * work right with it.
+ */
+ if (*min_id == 0) {
+ *min_id = (gid_t) 1;
+ }
} else {
/* Non-system groups */
diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c
--- shadow-4.6/libmisc/find_new_uid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/libmisc/find_new_uid.c 2018-11-06 10:51:39.341399569 +0100
@@ -82,6 +82,13 @@ static int get_ranges (bool sys_user, ui
(unsigned long) *max_id);
return EINVAL;
}
+ /*
+ * Zero is reserved for root and the allocation algorithm does not
+ * work right with it.
+ */
+ if (*min_id == 0) {
+ *min_id = (uid_t) 1;
+ }
} else {
/* Non-system users */

100
SOURCES/shadow-4.8-goodname.patch
Unescape View File

@ -1,100 +0,0 @@
diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
--- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100
+++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100
@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
}
/*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
+ * User/group names must match gnu e-regex:
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+ *
+ * as a non-POSIX, extension, allow "$" as the last char for
+ * sake of Samba 3.x "add machine script"
+ *
+ * Also do not allow fully numeric names or just "." or "..".
+ */
+ int numeric;
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ if ('\0' == *name ||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) ||
+ !((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.')) {
return false;
}
+ numeric = isdigit(*name);
+
while ('\0' != *++name) {
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
- ( ('0' <= *name) && ('9' >= *name) ) ||
- ('_' == *name) ||
- ('-' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
+ if (!((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.' ||
+ *name == '-' ||
+ (*name == '$' && name[1] == '\0')
)) {
return false;
}
+ numeric &= isdigit(*name);
}
- return true;
+ return !numeric;
}
bool is_valid_user_name (const char *name)
diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
--- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100
@@ -273,10 +273,12 @@
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
- Groupnames must start with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Groupnames may contain only lower and upper case letters, digits,
+ underscores, or dashes. They can end with a dollar sign.
+
+ Dashes are not allowed at the beginning of the groupname.
+ Fully numeric groupnames and groupnames . or .. are
+ also disallowed.
</para>
<para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
--- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200
+++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100
@@ -661,10 +661,14 @@
</para>
<para>
- Usernames must start with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Usernames may contain only lower and upper case letters, digits,
+ underscores, or dashes. They can end with a dollar sign.
+
+ Dashes are not allowed at the beginning of the username.
+ Fully numeric usernames and usernames . or .. are
+ also disallowed. It is not recommended to use usernames beginning
+ with . character as their home directories will be hidden in
+ the <command>ls</command> output.
</para>
<para>
Usernames may only be up to 32 characters long.

11
SOURCES/shadow-4.8-ignore-login-prompt.patch
Unescape View File

@ -1,11 +0,0 @@
diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c
--- shadow-4.8/lib/getdef.c.login-prompt 2020-01-13 10:38:44.852796681 +0100
+++ shadow-4.8/lib/getdef.c 2020-01-13 10:39:54.472612511 +0100
@@ -98,6 +98,7 @@ static struct itemdef def_table[] = {
{"LASTLOG_UID_MAX", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
{"MAIL_DIR", NULL},

86
SOURCES/shadow-4.8-long-entry.patch
Unescape View File

@ -1,86 +0,0 @@
diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
--- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100
+++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100
@@ -388,6 +388,9 @@ extern char *strerror ();
# endif
#endif
+/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768
+
#ifdef HAVE_SECURE_GETENV
# define shadow_getenv(name) secure_getenv(name)
# else
diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
--- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|| (pw->pw_gid == (gid_t)-1)
|| (valid_field (pw->pw_gecos, ":\n") == -1)
|| (valid_field (pw->pw_dir, ":\n") == -1)
- || (valid_field (pw->pw_shell, ":\n") == -1)) {
+ || (valid_field (pw->pw_shell, ":\n") == -1)
+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
return -1;
}
diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
--- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200
+++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100
@@ -57,7 +57,7 @@
struct passwd *sgetpwent (const char *buf)
{
static struct passwd pwent;
- static char pwdbuf[1024];
+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
register int i;
register char *cp;
char *fields[NFIELDS];
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
* the password structure remain valid.
*/
- if (strlen (buf) >= sizeof pwdbuf)
+ if (strlen (buf) >= sizeof pwdbuf) {
+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
return 0; /* fail if too long */
+ }
strcpy (pwdbuf, buf);
/*
diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
--- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100
@@ -48,7 +48,7 @@
*/
struct spwd *sgetspent (const char *string)
{
- static char spwbuf[1024];
+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
static struct spwd spwd;
char *fields[FIELDS];
char *cp;
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
*/
if (strlen (string) >= sizeof spwbuf) {
+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
return 0; /* fail if too long */
}
strcpy (spwbuf, string);
diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
--- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
if ( (NULL == sp)
|| (valid_field (sp->sp_namp, ":\n") == -1)
- || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
+ || (valid_field (sp->sp_pwdp, ":\n") == -1)
+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) {
return -1;
}

240
SOURCES/shadow-4.8-selinux-perms.patch
Unescape View File

@ -1,240 +0,0 @@
diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
--- shadow-4.8/src/chgpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
+++ shadow-4.8/src/chgpasswd.c 2020-01-13 10:21:44.558107260 +0100
@@ -39,6 +39,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
@@ -80,6 +87,9 @@ static bool sgr_locked = false;
#endif
static bool gr_locked = false;
+/* The name of the caller */
+static char *myname = NULL;
+
/* local function prototypes */
static void fail_exit (int code);
static /*@noreturn@*/void usage (int status);
@@ -334,6 +344,63 @@ static void check_perms (void)
#endif /* ACCT_TOOLS_SETUID */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the group databases
*/
@@ -427,6 +494,7 @@ int main (int argc, char **argv)
const struct group *gr;
struct group newgr;
+ struct passwd *pw = NULL;
int errors = 0;
int line = 0;
@@ -436,12 +504,37 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
process_root_flag ("-R", argc, argv);
process_flags (argc, argv);
OPENLOG ("chgpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
+ /*
+ * Determine the name of the user that invoked this command. This
+ * is really hit or miss because there are so many ways that command
+ * can be executed and so many ways to trip up the routines that
+ * report the user name.
+ */
+ pw = get_my_pwent ();
+ if (NULL == pw) {
+ fprintf (stderr, _("%s: Cannot determine your user name.\n"),
+ Prog);
+ SYSLOG ((LOG_WARN,
+ "Cannot determine the user name of the caller (UID %lu)",
+ (unsigned long) getuid ()));
+ exit (E_NOPERM);
+ }
+ myname = xstrdup (pw->pw_name);
+
check_perms ();
#ifdef SHADOWGRP
diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
--- shadow-4.8/src/chpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
+++ shadow-4.8/src/chpasswd.c 2020-01-13 10:21:44.558107260 +0100
@@ -39,6 +39,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
@@ -332,6 +339,63 @@ static void check_perms (void)
#endif /* USE_PAM */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the password databases
*/
@@ -428,6 +492,10 @@ int main (int argc, char **argv)
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
process_root_flag ("-R", argc, argv);
process_flags (argc, argv);
@@ -440,6 +508,10 @@ int main (int argc, char **argv)
OPENLOG ("chpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
check_perms ();
#ifdef USE_PAM

106
SOURCES/shadow-4.9-badname-special-characters.patch
Unescape View File

@ -1,106 +0,0 @@
diff -up shadow-4.9/man/usermod.8.xml.badname-special-characters shadow-4.9/man/usermod.8.xml
--- shadow-4.9/man/usermod.8.xml.badname-special-characters 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/man/usermod.8.xml 2022-09-26 16:32:46.214519257 +0200
@@ -110,7 +110,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>-b</option>, <option>--badnames</option>
+ <option>-b</option>, <option>--badname</option>
</term>
<listitem>
<para>
diff -up shadow-4.9/src/newusers.c.badname-special-characters shadow-4.9/src/newusers.c
--- shadow-4.9/src/newusers.c.badname-special-characters 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/src/newusers.c 2022-09-26 16:33:31.331869855 +0200
@@ -139,7 +139,7 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -b, --badnames allow bad names\n"), usageout);
+ (void) fputs (_(" -b, --badname allow bad names\n"), usageout);
#ifndef USE_PAM
(void) fprintf (usageout,
_(" -c, --crypt-method METHOD the crypt method (one of %s)\n"),
@@ -406,7 +406,7 @@ static int add_user (const char *name, u
/* Check if this is a valid user name */
if (!is_valid_user_name (name)) {
fprintf (stderr,
- _("%s: invalid user name '%s'\n"),
+ _("%s: invalid user name '%s': use --badname to ignore\n"),
Prog, name);
return -1;
}
@@ -634,7 +634,7 @@ static void process_flags (int argc, cha
int bad_s;
#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
static struct option long_options[] = {
- {"badnames", no_argument, NULL, 'b'},
+ {"badname", no_argument, NULL, 'b'},
#ifndef USE_PAM
{"crypt-method", required_argument, NULL, 'c'},
#endif /* !USE_PAM */
diff -up shadow-4.9/src/pwck.c.badname-special-characters shadow-4.9/src/pwck.c
--- shadow-4.9/src/pwck.c.badname-special-characters 2022-09-26 16:32:46.208519211 +0200
+++ shadow-4.9/src/pwck.c 2022-09-26 16:32:46.214519257 +0200
@@ -151,7 +151,7 @@ static /*@noreturn@*/void usage (int sta
"Options:\n"),
Prog);
}
- (void) fputs (_(" -b, --badnames allow bad names\n"), usageout);
+ (void) fputs (_(" -b, --badname allow bad names\n"), usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -q, --quiet report errors only\n"), usageout);
(void) fputs (_(" -r, --read-only display errors and warnings\n"
@@ -176,7 +176,7 @@ static void process_flags (int argc, cha
{
int c;
static struct option long_options[] = {
- {"badnames", no_argument, NULL, 'b'},
+ {"badname", no_argument, NULL, 'b'},
{"help", no_argument, NULL, 'h'},
{"quiet", no_argument, NULL, 'q'},
{"read-only", no_argument, NULL, 'r'},
@@ -493,7 +493,8 @@ static void check_pw_file (int *errors,
*/
if (!is_valid_user_name (pwd->pw_name)) {
- printf (_("invalid user name '%s'\n"), pwd->pw_name);
+ printf (_("invalid user name '%s': use --badname to ignore\n"),
+ pwd->pw_name);
*errors += 1;
}
diff -up shadow-4.9/src/useradd.c.badname-special-characters shadow-4.9/src/useradd.c
--- shadow-4.9/src/useradd.c.badname-special-characters 2022-09-26 16:32:46.212519242 +0200
+++ shadow-4.9/src/useradd.c 2022-09-26 16:32:46.214519257 +0200
@@ -852,7 +852,7 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog, Prog, Prog);
- (void) fputs (_(" --badnames do not check for bad names\n"), usageout);
+ (void) fputs (_(" --badname do not check for bad names\n"), usageout);
(void) fputs (_(" -b, --base-dir BASE_DIR base directory for the home directory of the\n"
" new account\n"), usageout);
#ifdef WITH_BTRFS
@@ -1119,7 +1119,7 @@ static void process_flags (int argc, cha
#ifdef WITH_BTRFS
{"btrfs-subvolume-home", no_argument, NULL, 200},
#endif
- {"badnames", no_argument, NULL, 201},
+ {"badname", no_argument, NULL, 201},
{"comment", required_argument, NULL, 'c'},
{"home-dir", required_argument, NULL, 'd'},
{"defaults", no_argument, NULL, 'D'},
diff -up shadow-4.9/src/usermod.c.badname-special-characters shadow-4.9/src/usermod.c
--- shadow-4.9/src/usermod.c.badname-special-characters 2022-09-26 16:32:46.215519265 +0200
+++ shadow-4.9/src/usermod.c 2022-09-26 16:33:52.274032599 +0200
@@ -418,7 +418,7 @@ static /*@noreturn@*/void usage (int sta
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -b, --badnames allow bad names\n"), usageout);
+ (void) fputs (_(" -b, --badname allow bad names\n"), usageout);
(void) fputs (_(" -c, --comment COMMENT new value of the GECOS field\n"), usageout);
(void) fputs (_(" -d, --home HOME_DIR new home directory for the user account\n"), usageout);
(void) fputs (_(" -e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE\n"), usageout);

35
SOURCES/shadow-4.9-default-range.patch
Unescape View File

@ -1,35 +0,0 @@
diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
--- shadow-4.9/lib/semanage.c.default-range 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/lib/semanage.c 2021-08-02 12:43:16.822817392 +0200
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
goto done;
}
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (shadow_logfd,
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
ret = 1;
goto done;
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {
@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
goto done;
}
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (shadow_logfd,
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
ret = 1;
goto done;
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {

12
SOURCES/shadow-4.9-disable-sssd.patch
Unescape View File

@ -1,12 +0,0 @@
diff -up shadow-4.9/lib/sssd.c.disable-sssd shadow-4.9/lib/sssd.c
--- shadow-4.9/lib/sssd.c.disable-sssd 2024-09-13 10:28:17.144473113 +0200
+++ shadow-4.9/lib/sssd.c 2024-09-13 10:29:07.135621104 +0200
@@ -16,7 +16,7 @@
int sssd_flush_cache (int dbflags)
{
int status, code, rv;
- const char *cmd = "/usr/sbin/sss_cache";
+ const char *cmd = "/usr/sbin/sss_cache_shadow_utils";
char *sss_cache_args = NULL;
const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
const char *spawnedEnv[] = {NULL};

245
SOURCES/shadow-4.9-getsubids.patch
Unescape View File

@ -1,245 +0,0 @@
diff -up shadow-4.9/man/getsubids.1.xml.getsubids shadow-4.9/man/getsubids.1.xml
--- shadow-4.9/man/getsubids.1.xml.getsubids 2021-11-18 16:27:33.951053120 +0100
+++ shadow-4.9/man/getsubids.1.xml 2021-11-18 16:27:33.951053120 +0100
@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright (c) 2021 Iker Pedrosa
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- SHADOW-CONFIG-HERE -->
+]>
+
+<refentry id='getsubids.1'>
+ <refentryinfo>
+ <author>
+ <firstname>Iker</firstname>
+ <surname>Pedrosa</surname>
+ <contrib>Creation, 2021</contrib>
+ </author>
+ </refentryinfo>
+ <refmeta>
+ <refentrytitle>getsubids</refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
+ <refmiscinfo class="source">shadow-utils</refmiscinfo>
+ <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
+ </refmeta>
+ <refnamediv id='name'>
+ <refname>getsubids</refname>
+ <refpurpose>get the subordinate id ranges for a user</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>getsubids</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'>
+ <replaceable>USER</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The <command>getsubids</command> command lists the subordinate user ID
+ ranges for a given user. The subordinate group IDs can be listed using
+ the <option>-g</option> option.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <para>
+ The options which apply to the <command>getsubids</command> command are:
+ </para>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-g</option>
+ </term>
+ <listitem>
+ <para>
+ List the subordinate group ID ranges.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ For example, to obtain the subordinate UIDs of the testuser:
+ </para>
+ <para>
+<programlisting>
+$ getsubids testuser
+0: testuser 100000 65536
+</programlisting>
+ </para>
+ <para>
+ This command output provides (in order from left to right) the list
+ index, username, UID range start, and number of UIDs in range.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ <citerefentry>
+ <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ </para>
+ </refsect1>
+</refentry>
diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am
--- shadow-4.9/man/Makefile.am.getsubids 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/man/Makefile.am 2021-11-18 16:27:33.951053120 +0100
@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
endif
man_subids = \
+ man1/getsubids.1 \
man1/newgidmap.1 \
man1/newuidmap.1 \
man5/subgid.5 \
@@ -80,6 +81,7 @@ man_XMANS = \
expiry.1.xml \
faillog.5.xml \
faillog.8.xml \
+ getsubids.1.xml \
gpasswd.1.xml \
groupadd.8.xml \
groupdel.8.xml \
diff -up shadow-4.9/src/getsubids.c.getsubids shadow-4.9/src/getsubids.c
--- shadow-4.9/src/getsubids.c.getsubids 2021-11-18 16:27:33.951053120 +0100
+++ shadow-4.9/src/getsubids.c 2021-11-18 16:27:33.951053120 +0100
@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "subid.h"
+#include "prototypes.h"
+
+const char *Prog;
+FILE *shadow_logfd = NULL;
+
+void usage(void)
+{
+ fprintf(stderr, "Usage: %s [-g] user\n", Prog);
+ fprintf(stderr, " list subuid ranges for user\n");
+ fprintf(stderr, " pass -g to list subgid ranges\n");
+ exit(EXIT_FAILURE);
+}
+
+int main(int argc, char *argv[])
+{
+ int i, count=0;
+ struct subid_range *ranges;
+ const char *owner;
+
+ Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
+ if (argc < 2)
+ usage();
+ owner = argv[1];
+ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
+ owner = argv[2];
+ count = get_subgid_ranges(owner, &ranges);
+ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
+ usage();
+ } else {
+ count = get_subuid_ranges(owner, &ranges);
+ }
+ if (!ranges) {
+ fprintf(stderr, "Error fetching ranges\n");
+ exit(1);
+ }
+ for (i = 0; i < count; i++) {
+ printf("%d: %s %lu %lu\n", i, owner,
+ ranges[i].start, ranges[i].count);
+ }
+ return 0;
+}
diff -up shadow-4.9/src/list_subid_ranges.c.getsubids shadow-4.9/src/list_subid_ranges.c
diff -up shadow-4.9/src/Makefile.am.getsubids shadow-4.9/src/Makefile.am
--- shadow-4.9/src/Makefile.am.getsubids 2021-11-18 16:27:33.943053061 +0100
+++ shadow-4.9/src/Makefile.am 2021-11-18 16:28:03.647272392 +0100
@@ -157,8 +157,8 @@ if FCAPS
setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
endif
-noinst_PROGRAMS += list_subid_ranges \
- get_subid_owners \
+bin_PROGRAMS += getsubids
+noinst_PROGRAMS += get_subid_owners \
new_subid_range \
free_subid_range \
check_subid_range
@@ -174,13 +174,13 @@ MISCLIBS = \
$(LIBCRYPT) \
$(LIBTCB)
-list_subid_ranges_LDADD = \
+getsubids_LDADD = \
$(top_builddir)/lib/libshadow.la \
$(top_builddir)/libmisc/libmisc.la \
$(top_builddir)/libsubid/libsubid.la \
$(MISCLIBS) -ldl
-list_subid_ranges_CPPFLAGS = \
+getsubids_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
-I$(top_srcdir)/libsubid

11
SOURCES/shadow-4.9-gpasswd-fix-password-leak.patch
Unescape View File

@ -1,11 +0,0 @@
diff -up shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak shadow-4.9/src/gpasswd.c
--- shadow-4.9/src/gpasswd.c.gpasswd-fix-password-leak 2023-07-12 09:38:32.062546006 +0200
+++ shadow-4.9/src/gpasswd.c 2023-07-12 09:42:33.194154548 +0200
@@ -857,6 +857,7 @@ static void change_passwd (struct group
strzero (cp);
cp = getpass (_("Re-enter new password: "));
if (NULL == cp) {
+ memzero (pass, sizeof pass);
exit (1);
}

13
SOURCES/shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
Unescape View File

@ -1,13 +0,0 @@
diff -up shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist shadow-4.9/libmisc/prefix_flag.c
--- shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist 2021-11-19 09:21:36.997091941 +0100
+++ shadow-4.9/libmisc/prefix_flag.c 2021-11-19 09:22:19.001341010 +0100
@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
if(!passwd_db_file) {
return getpwent();
}
+ if (!fp_pwent) {
+ return NULL;
+ }
return fgetpwent(fp_pwent);
}
extern void prefix_endpwent()

60
SOURCES/shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
Unescape View File

@ -1,60 +0,0 @@
From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sat, 14 Aug 2021 13:24:34 -0400
Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
use SHA_ROUNDS_DEFAULT.
Previously, the code fell through, calling shadow_random(-1, -1). This
ultimately set rounds = (unsigned long) -1, which ends up being a very
large number! This then got capped to SHA_ROUNDS_MAX later in the
function.
The new behavior matches BCRYPT_get_salt_rounds().
Bug: https://bugs.gentoo.org/808195
Fixes: https://github.com/shadow-maint/shadow/issues/393
---
libmisc/salt.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/libmisc/salt.c b/libmisc/salt.c
index 91d528fd..30eefb9c 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
if ((-1 == min_rounds) && (-1 == max_rounds)) {
rounds = SHA_ROUNDS_DEFAULT;
}
+ else {
+ if (-1 == min_rounds) {
+ min_rounds = max_rounds;
+ }
- if (-1 == min_rounds) {
- min_rounds = max_rounds;
- }
+ if (-1 == max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (-1 == max_rounds) {
- max_rounds = min_rounds;
- }
+ if (min_rounds > max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (min_rounds > max_rounds) {
- max_rounds = min_rounds;
+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
}
-
- rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
} else if (0 == *prefered_rounds) {
rounds = SHA_ROUNDS_DEFAULT;
} else {
--
2.31.1

88
SOURCES/shadow-4.9-move-create-home.patch
Unescape View File

@ -1,88 +0,0 @@
From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:09:59 +0200
Subject: [PATCH] useradd: create directories after the SELinux user
Create the home and mail folders after the SELinux user has been set for
the added user. This will allow the folders to be created with the
SELinux user label.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 46 +++++++++++++++++++++++-----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 6269c01c..b463a170 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
}
#endif /* WITH_SELINUX */
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, false,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory %s already exists.\n"
+ "%s: Not copying any file from skel directory into it.\n"),
+ Prog, user_home, Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
+
if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
"useradd")) {
exit(1);
}
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-
return E_SUCCESS;
}
--
2.31.1

35
SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch
Unescape View File

@ -1,35 +0,0 @@
From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Wed, 10 Nov 2021 12:02:04 +0100
Subject: [PATCH] newgrp: fix segmentation fault
Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
that is immediately freed.
The error was committed in
https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/newgrp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/newgrp.c b/src/newgrp.c
index 730f47e8..566f1c89 100644
--- a/src/newgrp.c
+++ b/src/newgrp.c
@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
spwd = xgetspnam (pwd->pw_name);
if (NULL != spwd) {
pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
+ spw_free (spwd);
}
- spw_free (spwd);
if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
needspasswd = true;
--
2.31.1

15
SOURCES/shadow-4.9-newuidmap-libeconf-dependency.patch
Unescape View File

@ -1,15 +0,0 @@
diff --git a/src/Makefile.am b/src/Makefile.am
index 7c1a3491..6cc873be 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
endif
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
-newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
-newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
+newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
+newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)

70
SOURCES/shadow-4.9-null-tm.patch
Unescape View File

@ -1,70 +0,0 @@
Index: shadow-4.5/src/chage.c
===================================================================
--- shadow-4.5.orig/src/chage.c
+++ shadow-4.5/src/chage.c
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
struct tm *tp;
tp = gmtime (&date);
+ if (tp == NULL) {
+ (void) snprintf (buf, maxsize, "(unknown)");
+ return;
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
#else
Index: shadow-4.5/src/lastlog.c
===================================================================
--- shadow-4.5.orig/src/lastlog.c
+++ shadow-4.5/src/lastlog.c
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
ll_time = ll.ll_time;
tm = localtime (&ll_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+ cp = ptime;
#else
- cp = asctime (tm);
- cp[24] = '\0';
+ cp = asctime (tm);
+ cp[24] = '\0';
#endif
+ }
if (ll.ll_time == (time_t) 0) {
cp = _("**Never logged in**\0");
Index: shadow-4.5/src/passwd.c
===================================================================
--- shadow-4.5.orig/src/passwd.c
+++ shadow-4.5/src/passwd.c
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
struct tm *tm;
tm = gmtime (&t);
+ if (tm == NULL) {
+ return "(unknown)";
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
#else /* !HAVE_STRFTIME */
Index: shadow-4.5/src/usermod.c
===================================================================
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
} else {
time_t t = (time_t) date;
tp = gmtime (&t);
+ if (tp == NULL) {
+ strncpy (buf, "unknown", maxsize);
+ return;
+ }
#ifdef HAVE_STRFTIME
strftime (buf, maxsize, "%Y-%m-%d", tp);
#else

30
SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
Unescape View File

@ -1,30 +0,0 @@
From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 15 Nov 2021 12:40:15 +0100
Subject: [PATCH] pwck: fix segfault when calling fprintf()
As shadow_logfd variable is not set at the beginning of the program if
something fails and fprintf() is called a segmentation fault happens.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/pwck.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pwck.c b/src/pwck.c
index 4248944a..4ce86af2 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -857,6 +857,7 @@ int main (int argc, char **argv)
* Get my name so that I can use it to report errors.
*/
Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
--
2.31.1

41
SOURCES/shadow-4.9-redhat.patch
Unescape View File

@ -1,41 +0,0 @@
diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
--- shadow-4.9/src/useradd.c.redhat 2021-07-22 23:55:35.000000000 +0200
+++ shadow-4.9/src/useradd.c 2021-08-02 11:45:11.942867250 +0200
@@ -104,7 +104,7 @@ FILE *shadow_logfd = NULL;
static gid_t def_group = 1000;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "/bin/bash";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "yes";
@@ -114,7 +114,7 @@ static const char *def_expire = "";
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
-static const char *user_pass = "!";
+static const char *user_pass = "!!";
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -1204,9 +1204,9 @@ static void process_flags (int argc, cha
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:",
#else /* !WITH_SELINUX */
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U",
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) {
@@ -1363,6 +1363,7 @@ static void process_flags (int argc, cha
case 'M':
Mflg = true;
break;
+ case 'n':
case 'N':
Nflg = true;
break;

30
SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch
Unescape View File

@ -1,30 +0,0 @@
From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sat, 14 Aug 2021 19:37:24 -0500
Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
In some cases, the value which was being freed is not actually
safe to free.
Closes #394
This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
---
src/useradd.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index f90127cd..0d3f390d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -413,7 +413,6 @@ static void get_defaults (void)
} else {
def_group = grp->gr_gid;
def_gname = xstrdup (grp->gr_name);
- gr_free(grp);
}
}
--
2.31.1

61
SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch
Unescape View File

@ -1,61 +0,0 @@
From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:13:13 +0200
Subject: [PATCH] semanage: close the selabel handle
Close the selabel handle to update the file_context. This means that the
file_context will be remmaped and used by selabel_lookup() to return
the appropriate context to label the home folder.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
lib/prototypes.h | 1 +
lib/selinux.c | 5 +++++
lib/semanage.c | 1 +
3 files changed, 7 insertions(+)
diff --git a/lib/prototypes.h b/lib/prototypes.h
index 1d1586d4..b697e0ec 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
/* selinux.c */
#ifdef WITH_SELINUX
extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
extern int reset_selinux_file_context (void);
extern int check_selinux_permit (const char *perm_name);
#endif
diff --git a/lib/selinux.c b/lib/selinux.c
index c83545f9..b075d4c0 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -50,6 +50,11 @@ static void cleanup(void)
}
}
+void reset_selinux_handle (void)
+{
+ cleanup();
+}
+
/*
* set_selinux_file_context - Set the security context before any file or
* directory creation.
diff --git a/lib/semanage.c b/lib/semanage.c
index 0d30456a..a5bf9218 100644
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
}
ret = 0;
+ reset_selinux_handle();
done:
semanage_seuser_key_free (key);
--
2.31.1

214
SOURCES/shadow-4.9-skip-over-reserved-ids.patch
Unescape View File

@ -1,214 +0,0 @@
From baae5b4a06c905d9f52ed1f922a0d7d0625d11cf Mon Sep 17 00:00:00 2001
From: Martin Kletzander <nert.pinx@gmail.com>
Date: Wed, 1 Feb 2023 15:36:41 +0100
Subject: [PATCH] find_new_[gu]id(): Skip over IDs that are reserved for legacy
reasons
Some programs don't support `(uint16_t) -1` or `(uint32_t) -1` as user
or group IDs. This is because `-1` is used as an error code or as an
unspecified ID, e.g. in `chown(2)` parameters, and in the past, `gid_t`
and `uid_t` have changed width. For legacy reasons, those values have
been kept reserved in programs today (for example systemd does this; see
the documentation in the link below).
This should not be confused with catching overflow in the ID values,
since that is already caught by our ERANGE checks. This is about not
using reserved values that have been reserved for legacy reasons.
Link: <https://systemd.io/UIDS-GIDS/>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
libmisc/find_new_gid.c | 38 ++++++++++++++++++++++++++++----------
libmisc/find_new_uid.c | 38 ++++++++++++++++++++++++++++----------
2 files changed, 56 insertions(+), 20 deletions(-)
diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c
index 70ba95a2..da1d8d55 100644
--- a/libmisc/find_new_gid.c
+++ b/libmisc/find_new_gid.c
@@ -98,6 +98,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
*
* On success, return 0
* If the ID is in use, return EEXIST
+ * If the ID might clash with -1, return EINVAL
* If the ID is outside the range, return ERANGE
* In other cases, return errno from getgrgid()
*/
@@ -111,6 +112,11 @@ static int check_gid (const gid_t gid,
return ERANGE;
}
+ /* Check for compatibility with 16b and 32b gid_t error codes */
+ if (gid == UINT16_MAX || gid == UINT32_MAX) {
+ return EINVAL;
+ }
+
/*
* Check whether we already detected this GID
* using the gr_next() loop
@@ -182,10 +188,10 @@ int find_new_gid (bool sys_group,
* gr_locate_gid() found the GID in an as-yet uncommitted
* entry. We'll proceed below and auto-set a GID.
*/
- } else if (result == EEXIST || result == ERANGE) {
+ } else if (result == EEXIST || result == ERANGE || result == EINVAL) {
/*
* Continue on below. At this time, we won't
- * treat these two cases differently.
+ * treat these three cases differently.
*/
} else {
/*
@@ -296,8 +302,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -339,8 +348,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -399,8 +411,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -442,8 +457,11 @@ int find_new_gid (bool sys_group,
*gid = id;
free (used_gids);
return 0;
- } else if (result == EEXIST) {
- /* This GID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
diff --git a/libmisc/find_new_uid.c b/libmisc/find_new_uid.c
index 6b71dfe5..09885236 100644
--- a/libmisc/find_new_uid.c
+++ b/libmisc/find_new_uid.c
@@ -98,6 +98,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
*
* On success, return 0
* If the ID is in use, return EEXIST
+ * If the ID might clash with -1, return EINVAL
* If the ID is outside the range, return ERANGE
* In other cases, return errno from getpwuid()
*/
@@ -111,6 +112,11 @@ static int check_uid(const uid_t uid,
return ERANGE;
}
+ /* Check for compatibility with 16b and 32b uid_t error codes */
+ if (uid == UINT16_MAX || uid == UINT32_MAX) {
+ return EINVAL;
+ }
+
/*
* Check whether we already detected this UID
* using the pw_next() loop
@@ -182,10 +188,10 @@ int find_new_uid(bool sys_user,
* pw_locate_uid() found the UID in an as-yet uncommitted
* entry. We'll proceed below and auto-set an UID.
*/
- } else if (result == EEXIST || result == ERANGE) {
+ } else if (result == EEXIST || result == ERANGE || result == EINVAL) {
/*
* Continue on below. At this time, we won't
- * treat these two cases differently.
+ * treat these three cases differently.
*/
} else {
/*
@@ -296,8 +302,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -339,8 +348,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -399,8 +411,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
@@ -442,8 +457,11 @@ int find_new_uid(bool sys_user,
*uid = id;
free (used_uids);
return 0;
- } else if (result == EEXIST) {
- /* This UID is in use, we'll continue to the next */
+ } else if (result == EEXIST || result == EINVAL) {
+ /*
+ * This GID is in use or unusable, we'll
+ * continue to the next.
+ */
} else {
/*
* An unexpected error occurred.
--
2.40.1

108
SOURCES/shadow-4.9-subordinateio-compare-owner-ID.patch
Unescape View File

@ -1,108 +0,0 @@
From 3ec32f9975f262073f8fbdecd2bfaee4a1d3db48 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Wed, 13 Jul 2022 09:55:14 +0200
Subject: [PATCH] subordinateio: also compare the owner ID
IDs already populate /etc/subuid and /etc/subgid files so it's necessary
not only to check for the owner name but also for the owner ID of a
given range.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2093311
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
lib/subordinateio.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
index 9ca70b8b..6bc45283 100644
--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
@@ -17,6 +17,8 @@
#include <ctype.h>
#include <fcntl.h>
+#define ID_SIZE 31
+
/*
* subordinate_dup: create a duplicate range
*
@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
return start == ULONG_MAX ? (gid_t) -1 : start;
}
+static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
+{
+ struct passwd *pw;
+ struct group *gr;
+ int ret = 0;
+
+ switch (id_type) {
+ case ID_TYPE_UID:
+ pw = getpwnam(owner);
+ if (pw == NULL) {
+ return false;
+ }
+ ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
+ if (ret < 0 || ret >= ID_SIZE) {
+ return false;
+ }
+ break;
+ case ID_TYPE_GID:
+ gr = getgrnam(owner);
+ if (gr == NULL) {
+ return false;
+ }
+ ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
+ if (ret < 0 || ret >= ID_SIZE) {
+ return false;
+ }
+ break;
+ default:
+ return false;
+ }
+
+ return true;
+}
+
/*
* int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
*
@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
enum subid_status status;
int count = 0;
struct subid_nss_ops *h;
+ char id[ID_SIZE];
+ bool have_owner_id;
*in_ranges = NULL;
@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
return -1;
}
+ have_owner_id = get_owner_id(owner, id_type, id);
+
commonio_rewind(db);
while ((range = commonio_next(db)) != NULL) {
if (0 == strcmp(range->owner, owner)) {
@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
goto out;
}
}
+
+ // Let's also compare with the ID
+ if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
+ if (!append_range(&ranges, range, count++)) {
+ free(ranges);
+ ranges = NULL;
+ count = -1;
+ goto out;
+ }
+ }
}
out:
--
2.36.1

79
SOURCES/shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
Unescape View File

@ -1,79 +0,0 @@
diff --git a/src/useradd.c b/src/useradd.c
index baeffb35..9abeea6e 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
static uid_t sub_uid_start; /* New subordinate uid range */
-static unsigned long sub_uid_count;
static gid_t sub_gid_start; /* New subordinate gid range */
-static unsigned long sub_gid_count;
#endif /* ENABLE_SUBIDS */
static bool pw_locked = false;
static bool gr_locked = false;
@@ -234,7 +232,7 @@ static void open_shadow (void);
static void faillog_reset (uid_t);
static void lastlog_reset (uid_t);
static void tallylog_reset (const char *);
-static void usr_update (void);
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
static void create_home (void);
static void create_mail (void);
static void check_uid_range(int rflg, uid_t user_id);
@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
* usr_update() creates the password file entries for this user
* and will update the group entries if required.
*/
-static void usr_update (void)
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
{
struct passwd pwent;
struct spwd spent;
@@ -2155,14 +2153,14 @@ static void usr_update (void)
}
#ifdef ENABLE_SUBIDS
if (is_sub_uid &&
- (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
if (is_sub_gid &&
- (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid && sub_uid_count != 0) {
- if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
+ if (is_sub_uid && subuid_count != 0) {
+ if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate user IDs\n"),
Prog);
fail_exit(E_SUB_UID_UPDATE);
}
}
- if (is_sub_gid && sub_gid_count != 0) {
- if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
+ if (is_sub_gid && subgid_count != 0) {
+ if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate group IDs\n"),
Prog);
@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
}
#endif /* ENABLE_SUBIDS */
- usr_update ();
+ usr_update (subuid_count, subgid_count);
close_files ();

38
SOURCES/shadow-4.9-useradd-check-if-subid-range-exists.patch
Unescape View File

@ -1,38 +0,0 @@
From e0524e813a3bae2891b33a66f35876841c11cee7 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 24 Oct 2022 10:46:36 +0200
Subject: [PATCH] useradd: check if subid range exists for user
Check if a user already has a subid range before assigning one.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 7ea0a9c4..e784d602 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2188,14 +2188,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
fail_exit (E_PW_UPDATE);
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid &&
+ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
(sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
- if (is_sub_gid &&
+ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
(sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
--
2.40.1

13
SOURCES/shadow-4.9-useradd-copy-tree-argument.patch
Unescape View File

@ -1,13 +0,0 @@
diff --git a/src/useradd.c b/src/useradd.c
index b463a170..f7c97958 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
if (mflg) {
create_home ();
if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
+ copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid);
} else {
fprintf (stderr,

19
SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
Unescape View File

@ -1,19 +0,0 @@
diff -up shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users shadow-4.9/src/useradd.c
--- shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users 2022-04-22 14:50:10.658371270 +0200
+++ shadow-4.9/src/useradd.c 2022-04-22 14:54:34.810100549 +0200
@@ -2319,12 +2319,10 @@ static void check_uid_range(int rflg, ui
{
uid_t uid_min ;
uid_t uid_max ;
- if(rflg){
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
+ if (rflg) {
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
- if(uid_min <= uid_max){
- if(user_id < uid_min || user_id >uid_max)
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
+ if (user_id > uid_max) {
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
}
}else{
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);

322
SOURCES/shadow-4.9-usermod-allow-all-group-types.patch
Unescape View File

@ -1,322 +0,0 @@
From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 3 Aug 2021 08:57:20 +0200
Subject: [PATCH] usermod: allow all group types with -G option
The only way of removing a group from the supplementary list is to use
-G option, and list all groups that the user is a member of except for
the one that wants to be removed. The problem lies when there's a user
that contains both local and remote groups, and the group to be removed
is a local one. As we need to include the remote group with -G option
the command will fail.
This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
it would be possible to remove the remote groups from the supplementary
list.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
Resolves: https://github.com/shadow-maint/shadow/issues/338
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/usermod.c | 220 ++++++++++++++++++--------------------------------
1 file changed, 77 insertions(+), 143 deletions(-)
diff --git a/src/usermod.c b/src/usermod.c
index 03bb9b9d..a0c03afa 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
long int date);
static int get_groups (char *);
-static struct group * get_local_group (char * grp_name);
static /*@noreturn@*/void usage (int status);
static void new_pwent (struct passwd *);
static void new_spent (struct spwd *);
@@ -201,9 +200,7 @@ static void grp_update (void);
static void process_flags (int, char **);
static void close_files (void);
-static void close_group_files (void);
static void open_files (void);
-static void open_group_files (void);
static void usr_update (void);
static void move_home (void);
static void update_lastlog (void);
@@ -260,11 +257,6 @@ static int get_groups (char *list)
return 0;
}
- /*
- * Open the group files
- */
- open_group_files ();
-
/*
* So long as there is some data to be converted, strip off each
* name and look it up. A mix of numerical and string values for
@@ -284,7 +276,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical GID
* values, otherwise the string is looked up as is.
*/
- grp = get_local_group (list);
+ grp = prefix_getgr_nam_gid (list);
/*
* There must be a match, either by GID value or by
@@ -334,8 +326,6 @@ static int get_groups (char *list)
gr_free ((struct group *)grp);
} while (NULL != list);
- close_group_files ();
-
user_groups[ngroups] = (char *) 0;
/*
@@ -348,44 +338,6 @@ static int get_groups (char *list)
return 0;
}
-/*
- * get_local_group - checks if a given group name exists locally
- *
- * get_local_group() checks if a given group name exists locally.
- * If the name exists the group information is returned, otherwise NULL is
- * returned.
- */
-static struct group * get_local_group(char * grp_name)
-{
- const struct group *grp;
- struct group *result_grp = NULL;
- long long int gid;
- char *endptr;
-
- gid = strtoll (grp_name, &endptr, 10);
- if ( ('\0' != *grp_name)
- && ('\0' == *endptr)
- && (ERANGE != errno)
- && (gid == (gid_t)gid)) {
- grp = gr_locate_gid ((gid_t) gid);
- }
- else {
- grp = gr_locate(grp_name);
- }
-
- if (grp != NULL) {
- result_grp = __gr_dup (grp);
- if (NULL == result_grp) {
- fprintf (stderr,
- _("%s: Out of memory. Cannot find group '%s'.\n"),
- Prog, grp_name);
- fail_exit (E_GRP_UPDATE);
- }
- }
-
- return result_grp;
-}
-
#ifdef ENABLE_SUBIDS
struct ulong_range
{
@@ -1523,7 +1475,50 @@ static void close_files (void)
}
if (Gflg || lflg) {
- close_group_files ();
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ sgr_dbname ()));
+ /* continue */
+ }
+ }
+#endif
+ if (gr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ gr_dbname ()));
+ /* continue */
+ }
}
if (is_shadow_pwd) {
@@ -1592,60 +1587,6 @@ static void close_files (void)
#endif
}
-/*
- * close_group_files - close all of the files that were opened
- *
- * close_group_files() closes all of the files that were opened related
- * with groups. This causes any modified entries to be written out.
- */
-static void close_group_files (void)
-{
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- sgr_dbname ()));
- /* continue */
- }
- }
-#endif
- if (gr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- gr_dbname ()));
- /* continue */
- }
-}
-
/*
* open_files - lock and open the password files
*
@@ -1681,7 +1622,38 @@ static void open_files (void)
}
if (Gflg || lflg) {
- open_group_files ();
+ /*
+ * Lock and open the group file. This will load all of the
+ * group entries.
+ */
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_lock () == 0)) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif
}
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
@@ -1717,44 +1689,6 @@ static void open_files (void)
#endif /* ENABLE_SUBIDS */
}
-/*
- * open_group_files - lock and open the group files
- *
- * open_group_files() loads all of the group entries.
- */
-static void open_group_files (void)
-{
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_lock () == 0)) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#endif
-}
-
/*
* usr_update - create the user entries
*
--
2.31.1

11
SOURCES/shadow-4.9.tar.xz.asc
Unescape View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAmD5+dkACgkQ6f7qBqhe
P53Qywf/ShkcKvecTDRIrKUNJUTIlP8iywZ1NXypfdDKG/J63awMAGrKMZwOkLUS
AnImsvyoW3+XDIhdkeJd1Kv+8JDEt3oJ0ifHjfpXl4FzOervb1ZKtRPUcoJzzpnJ
Szt/7f3Sd0VfbItgf5F6jgMi7iDA/ZIqJTXeI0kEfVVL7DT681jVRjpnoURlrEq1
6SmIyAul50VmZjLXq1xJ35uktr7VclnaRu17acax95e+oekP4sdNMaV5E5DSeq2N
db7kKCu80+lPvtQpj22vOO2w15ActH6f5Ec3P7OG8jL125q3yZNebVoh8FKxmFsh
PssfXu0TL50qH/p7qNEeihDLpwoI7g==
=6MLu
-----END PGP SIGNATURE-----

59
SOURCES/shadow-utils.login.defs
Unescape View File

@ -130,10 +130,9 @@ HOME_MODE 0700
# #
PASS_MAX_DAYS 99999 PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0 PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7 PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported # Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported # Currently CRACKLIB_DICTPATH is not supported
@ -147,7 +146,7 @@ UID_MAX 60000
SYS_UID_MIN 201 SYS_UID_MIN 201
SYS_UID_MAX 999 SYS_UID_MAX 999
# Extra per user uids # Extra per user uids
SUB_UID_MIN 100000 SUB_UID_MIN 524288
SUB_UID_MAX 600100000 SUB_UID_MAX 600100000
SUB_UID_COUNT 65536 SUB_UID_COUNT 65536
@ -160,7 +159,7 @@ GID_MAX 60000
SYS_GID_MIN 201 SYS_GID_MIN 201
SYS_GID_MAX 999 SYS_GID_MAX 999
# Extra per user group ids # Extra per user group ids
SUB_GID_MIN 100000 SUB_GID_MIN 524288
SUB_GID_MAX 600100000 SUB_GID_MAX 600100000
SUB_GID_COUNT 65536 SUB_GID_COUNT 65536
@ -174,11 +173,22 @@ SUB_GID_COUNT 65536
# #
#LOGIN_TIMEOUT 60 #LOGIN_TIMEOUT 60
# Currently PASS_CHANGE_TRIES is not supported #
# Maximum number of attempts to change password if rejected (too easy)
#
PASS_CHANGE_TRIES 5
# Currently PASS_ALWAYS_WARN is not supported #
# Warn about weak passwords (but still allow them) if you are root.
#
PASS_ALWAYS_WARN yes
# Currently PASS_MAX_LEN is not supported #
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8
# Currently CHFN_AUTH is not supported # Currently CHFN_AUTH is not supported
@ -198,10 +208,11 @@ SUB_GID_COUNT 65536
# If set to MD5, MD5-based algorithm will be used for encrypting password # If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default) # If set to DES, DES-based algorithm will be used for encrypting password (default)
# #
ENCRYPT_METHOD SHA512 ENCRYPT_METHOD YESCRYPT
# #
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@ -214,11 +225,37 @@ ENCRYPT_METHOD SHA512
# If not specified, the libc will choose the default number of rounds (5000). # If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range. # The values must be within the 1000-999999999 range.
# #
SHA_CRYPT_MAX_ROUNDS 100000 #SHA_CRYPT_MAX_ROUNDS 5000
# Currently SHA_CRYPT_MIN_ROUNDS is not supported # Currently SHA_CRYPT_MIN_ROUNDS is not supported
# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported #
# Only works if ENCRYPT_METHOD is set to BCRYPT.
#
# Define the number of BCRYPT rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, 13 rounds will be attempted.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
#BCRYPT_MIN_ROUNDS 13
#BCRYPT_MAX_ROUNDS 31
#
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
#
# Define the YESCRYPT cost factor.
# With a higher cost factor, it is more difficult to brute-force the password.
# However, more CPU time and more memory will be needed to authenticate users
# if this value is increased.
#
# If not specified, a cost factor of 5 will be used.
# The value must be within the 1-11 range.
#
#YESCRYPT_COST_FACTOR 5
# Currently CONSOLE_GROUPS is not supported # Currently CONSOLE_GROUPS is not supported

357
SPECS/shadow-utils.spec
Unescape View File

@ -1,9 +1,9 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.9 Version: 4.15.0
Release: 10%{?dist} Release: 3%{?dist}
Epoch: 2 Epoch: 2
License: BSD and GPLv2+ License: BSD-3-Clause AND GPL-2.0-or-later
URL: https://github.com/shadow-maint/shadow URL: https://github.com/shadow-maint/shadow
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
@ -12,80 +12,29 @@ Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Source6: shadow-utils.HOME_MODE.xml Source6: shadow-utils.HOME_MODE.xml
Source7: passwd.pamd
### Globals ### ### Globals ###
%global includesubiddir %{_includedir}/shadow %global includesubiddir %{_includedir}/shadow
### Patches ### ### Patches ###
# Misc small changes - most probably non-upstreamable
Patch0: shadow-4.9-redhat.patch
# Be more lenient with acceptable user/group names - non upstreamable
Patch1: shadow-4.8-goodname.patch
# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15
Patch2: shadow-4.9-move-create-home.patch
# SElinux related - upstreamability unknown
Patch3: shadow-4.9-default-range.patch
# Misc manual page changes - non-upstreamable # Misc manual page changes - non-upstreamable
Patch4: shadow-4.9-manfix.patch Patch0: shadow-4.15.0-manfix.patch
# Date parsing improvement - could be upstreamed # Date parsing improvement - could be upstreamed
Patch5: shadow-4.2.1-date-parsing.patch Patch1: shadow-4.15.0-date-parsing.patch
# Additional error message - could be upstreamed # https://github.com/shadow-maint/shadow/commit/d8e6a8b99b4d844328d875287babf6e13860d464
Patch6: shadow-4.6-move-home.patch Patch2: shadow-4.15.0-sast-fixes.patch
# Audit message changes - upstreamability unknown # Audit message changes - partially upstreamed
Patch7: shadow-4.9-audit-update.patch Patch3: shadow-4.15.0-audit-update.patch
# Changes related to password unlocking - could be upstreamed # Probably non-upstreamable
Patch8: shadow-4.5-usermod-unlock.patch Patch4: shadow-4.15.0-account-tools-setuid.patch
# Additional SElinux related changes - upstreamability unknown # https://github.com/shadow-maint/shadow/commit/ead55e9ba8958504e23e29545f90c4dd925c7462
Patch9: shadow-4.8-selinux-perms.patch Patch5: shadow-4.15.0-getdef-spurious-error.patch
# Handle NULL return from *time funcs - could be upstreamed
Patch10: shadow-4.9-null-tm.patch
# Handle /etc/passwd corruption - could be upstreamed
Patch11: shadow-4.8-long-entry.patch
# Limit uid/gid allocation to non-zero - could be upstreamed
Patch12: shadow-4.6-sysugid-min-limit.patch
# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
Patch13: shadow-4.8-ignore-login-prompt.patch
# https://github.com/shadow-maint/shadow/commit/c6847011e8b656adacd9a0d2a78418cad0de34cb
Patch14: shadow-4.9-newuidmap-libeconf-dependency.patch
# https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
Patch15: shadow-4.9-usermod-allow-all-group-types.patch
# https://github.com/shadow-maint/shadow/commit/9dd720a28578eef5be8171697aae0906e4c53249
Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
# https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545
Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch
# https://github.com/shadow-maint/shadow/commit/4624e9fca1b02b64e25e8b2280a0186182ab73ba
Patch19: shadow-4.9-revert-useradd-fix-memleak.patch
# https://github.com/shadow-maint/shadow/commit/06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2
Patch20: shadow-4.9-useradd-copy-tree-argument.patch
# https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f
Patch21: shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
# https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948
Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
Patch23: shadow-4.9-getsubids.patch
# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
# https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch
# https://github.com/shadow-maint/shadow/commit/0593b330d8413e9694b5d6783bb90974c9b141c5
# https://github.com/shadow-maint/shadow/commit/45d674621918664c8736f94f862e86bddf4c3fd4
Patch27: shadow-4.9-badname-special-characters.patch
# https://github.com/shadow-maint/shadow/commit/e0524e813a3bae2891b33a66f35876841c11cee7
Patch28: shadow-4.9-useradd-check-if-subid-range-exists.patch
# https://github.com/shadow-maint/shadow/commit/baae5b4a06c905d9f52ed1f922a0d7d0625d11cf
Patch29: shadow-4.9-skip-over-reserved-ids.patch
# https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
Patch30: shadow-4.9-gpasswd-fix-password-leak.patch
# Downstream only patch
Patch31: shadow-4.9-disable-sssd.patch
### Dependencies ### ### Dependencies ###
Requires: audit-libs >= 1.6.5 Requires: audit-libs >= 1.6.5
Requires: libselinux >= 1.25.2-1 Requires: libselinux >= 1.25.2-1
Requires: pam-libs
Requires: setup Requires: setup
### Build Dependencies ### ### Build Dependencies ###
@ -98,17 +47,22 @@ BuildRequires: docbook-style-xsl
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gettext-devel BuildRequires: gettext-devel
BuildRequires: git
BuildRequires: itstool BuildRequires: itstool
BuildRequires: libacl-devel BuildRequires: libacl-devel
BuildRequires: libattr-devel BuildRequires: libattr-devel
BuildRequires: libeconf-devel
BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: libselinux-devel >= 1.25.2-1
BuildRequires: libsemanage-devel BuildRequires: libsemanage-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: make BuildRequires: make
BuildRequires: pam-devel
### Provides ### ### Provides ###
Provides: shadow = %{epoch}:%{version}-%{release} Provides: shadow = %{epoch}:%{version}-%{release}
Provides: passwd = 0.80-18
Obsoletes: passwd <= 0.80-19
%description %description
The shadow-utils package includes the necessary programs for The shadow-utils package includes the necessary programs for
@ -141,39 +95,7 @@ Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
Development files for shadow-utils-subid. Development files for shadow-utils-subid.
%prep %prep
%setup -q -n shadow-%{version} %autosetup -p 1 -S git -n shadow-%{version}
%patch0 -p1 -b .redhat
%patch1 -p1 -b .goodname
%patch2 -p1 -b .move-create-home
%patch3 -p1 -b .default-range
%patch4 -p1 -b .manfix
%patch5 -p1 -b .date-parsing
%patch6 -p1 -b .move-home
%patch7 -p1 -b .audit-update
%patch8 -p1 -b .unlock
%patch9 -p1 -b .selinux-perms
%patch10 -p1 -b .null-tm
%patch11 -p1 -b .long-entry
%patch12 -p1 -b .sysugid-min-limit
%patch13 -p1 -b .login-prompt
%patch14 -p1 -b .newuidmap-libeconf-dependency
%patch15 -p1 -b .usermod-allow-all-group-types
%patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
%patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
%patch18 -p1 -b .semanage-close-the-selabel-handle
%patch19 -p1 -b .revert-useradd-fix-memleak
%patch20 -p1 -b .useradd-copy-tree-argument
%patch21 -p1 -b .pwck-fix-segfault-when-calling-fprintf
%patch22 -p1 -b .newgrp-fix-segmentation-fault
%patch23 -p1 -b .getsubids
%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users
%patch26 -p1 -b .subordinateio-compare-owner-ID
%patch27 -p1 -b .badname-special-characters
%patch28 -p1 -b .useradd-check-if-subid-range-exists
%patch29 -p1 -b .skip-over-reserved-ids
%patch30 -p1 -b .gpasswd-fix-password-leak
%patch31 -p1 -b .disable-sssd
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO cp -f doc/HOWTO.utf8 doc/HOWTO
@ -182,7 +104,7 @@ cp -a %{SOURCE4} %{SOURCE5} .
cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
# Force regeneration of getdate.c # Force regeneration of getdate.c
rm libmisc/getdate.c rm lib/getdate.c
%build %build
%ifarch sparc64 %ifarch sparc64
@ -199,12 +121,19 @@ autoreconf
--enable-shadowgrp \ --enable-shadowgrp \
--enable-man \ --enable-man \
--with-audit \ --with-audit \
--with-libpam \
--with-sha-crypt \ --with-sha-crypt \
--with-bcrypt \
--with-yescrypt \
--with-selinux \ --with-selinux \
--without-libbsd \
--without-libcrack \ --without-libcrack \
--without-libpam \ --without-sssd \
--enable-shared \ --enable-shared \
--with-group-name-max-length=32 --with-group-name-max-length=32 \
--enable-lastlog \
--enable-logind=no \
--disable-account-tools-setuid
%make_build %make_build
%install %install
@ -212,6 +141,8 @@ autoreconf
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
install -d -m 755 $RPM_BUILD_ROOT%{_pam_confdir}
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pam_confdir}/passwd
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
@ -226,11 +157,8 @@ rm $RPM_BUILD_ROOT%{_bindir}/chsh
rm $RPM_BUILD_ROOT%{_bindir}/expiry rm $RPM_BUILD_ROOT%{_bindir}/expiry
rm $RPM_BUILD_ROOT%{_bindir}/groups rm $RPM_BUILD_ROOT%{_bindir}/groups
rm $RPM_BUILD_ROOT%{_bindir}/login rm $RPM_BUILD_ROOT%{_bindir}/login
rm $RPM_BUILD_ROOT%{_bindir}/passwd
rm $RPM_BUILD_ROOT%{_bindir}/su rm $RPM_BUILD_ROOT%{_bindir}/su
rm $RPM_BUILD_ROOT%{_bindir}/faillog rm $RPM_BUILD_ROOT%{_bindir}/faillog
rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
rm $RPM_BUILD_ROOT%{_sbindir}/logoutd rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
rm $RPM_BUILD_ROOT%{_sbindir}/nologin rm $RPM_BUILD_ROOT%{_sbindir}/nologin
rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.* rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
@ -243,18 +171,10 @@ rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/login.* rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/man1/su.* rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.* rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.* rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
@ -268,6 +188,15 @@ rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.* rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.* rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
# Remove PAM service files we don't use.
rm $RPM_BUILD_ROOT%{_pam_confdir}/chfn
rm $RPM_BUILD_ROOT%{_pam_confdir}/chpasswd
rm $RPM_BUILD_ROOT%{_pam_confdir}/chsh
rm $RPM_BUILD_ROOT%{_pam_confdir}/groupmems
rm $RPM_BUILD_ROOT%{_pam_confdir}/login
rm $RPM_BUILD_ROOT%{_pam_confdir}/newusers
rm $RPM_BUILD_ROOT%{_pam_confdir}/su
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
%find_lang shadow %find_lang shadow
for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
@ -283,14 +212,16 @@ echo $(ls)
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir} mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/ install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
# Remove .la files created by libsubid # Remove .la and .a files created by libsubid
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
%files -f shadow.lang %files -f shadow.lang
%doc NEWS doc/HOWTO README %doc NEWS doc/HOWTO README
%license gpl-2.0.txt shadow-bsd.txt %license gpl-2.0.txt shadow-bsd.txt
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
%config(noreplace) %{_pam_confdir}/passwd
%{_bindir}/sg %{_bindir}/sg
%attr(4755,root,root) %{_bindir}/chage %attr(4755,root,root) %{_bindir}/chage
%attr(4755,root,root) %{_bindir}/gpasswd %attr(4755,root,root) %{_bindir}/gpasswd
@ -298,6 +229,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%attr(4755,root,root) %{_bindir}/newgrp %attr(4755,root,root) %{_bindir}/newgrp
%attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap %attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap
%attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap %attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap
%attr(4755,root,root) %{_bindir}/passwd
%{_sbindir}/adduser %{_sbindir}/adduser
%attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/user*
%attr(0755,root,root) %{_sbindir}/group* %attr(0755,root,root) %{_sbindir}/group*
@ -315,6 +247,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%{_mandir}/man1/newgrp.1* %{_mandir}/man1/newgrp.1*
%{_mandir}/man1/newgidmap.1* %{_mandir}/man1/newgidmap.1*
%{_mandir}/man1/newuidmap.1* %{_mandir}/man1/newuidmap.1*
%{_mandir}/man1/passwd.*
%{_mandir}/man3/shadow.3* %{_mandir}/man3/shadow.3*
%{_mandir}/man5/shadow.5* %{_mandir}/man5/shadow.5*
%{_mandir}/man5/login.defs.5* %{_mandir}/man5/login.defs.5*
@ -344,63 +277,159 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%{_libdir}/libsubid.so %{_libdir}/libsubid.so
%changelog %changelog
* Fri Sep 13 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-10 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2:4.15.0-3
- Disable sssd integration by default. Resolves: RHEL-56352 - Bump release for June 2024 mass rebuild
* Tue Jun 18 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-2
- Fix static analyzer detected issues. Resolves: RHEL-35383
* Wed Apr 3 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-1
- Rebase to version 4.15.0
- getdef: avoid spurious error messages about unknown configuration options
* Mon Feb 12 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-6
- Build linking `libpam`
* Thu Feb 1 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-5
- passwd: Provide binary from this package. Enable libpam and
disable account-tools-setuid. Provide passwd PAM service file.
Resolves: #2233275
- passwd: provide --stdin option
* Mon Jan 29 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-4
- Disable SSSD support. Resolves: #2253182
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.14.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Oct 3 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-2
- useradd: Set proper SELinux labels for def_usrtemplate
* Wed Aug 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.14.0-1
- Rebase to version 4.14.0. Resolves: #2229000
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jul 3 2024 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9 * Tue Jun 06 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 2:4.13-7
- login.defs: Update SHA_CRYPT_MAX_ROUNDS from 5000 to 100000. Resolves: RHEL-40195 - Remove unused libbsd-devel dependency
* Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8 * Mon Mar 6 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-6
- gpasswd: fix password leak. Resolves: #2215948 - Add libbsd-devel and libeconf-devel as build dependencies
* Tue May 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7 * Thu Mar 2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-5
- useradd: check if subid range exists for user. Resolves: #2179987 - newuidmap and newgidmap: support passing pid as fd. Resolves: #2174752
- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #2179988
* Wed Sep 28 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6 * Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13-4
- Change "badnames" to "badname" as this is the accepted option name. Resolves: #2076819 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5 * Wed Nov 23 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-3
- subordinateio: also compare the owner ID. Resolves: #2109410 - Change SUB_UID_MIN and SUB_GID_MIN to 524288. Resolves: #2144558
* Fri Apr 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4 * Mon Nov 21 2022 Florian Weimer <fweimer@redhat.com> - 2:4.13-2
- useradd: modify check ID range for system users. Resolves: #2004911 - Fix gshadow configure check (switching to glibc implementation)
* Wed Nov 9 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.13-1
- Rebase to version 4.13
- SPDX license migration
* Wed Oct 5 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-3
- chage: Fix regression in print_date. Resolves: #2129336
* Fri Sep 9 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-2
- useradd: Do not reset non-existent data in {last,fail}log
* Mon Aug 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.12.3-1
- Rebase to version 4.12.3. Resolves: #2117809
* Mon Aug 1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
- useradd: modify check ID range for system users. Resolves: #2093692
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
- Fix explicit subid requirement for subid-devel
* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
- Rebase to version 4.11.1 (#2034038)
- Fix release sources - Fix release sources
- Add subid requirement for subid-devel - Add explicit subid requirement for subid-devel
* Thu Dec 2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3 * Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
- getsubids: provide system binary and man page. Resolves: #2013015 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081
- useradd: revert fix memleak of grp. Resolves: #2020238 * Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #2024834 - nss: get shadow_logfd with log_get_logfd() (#2038811)
- pwck: fix segfault when calling fprintf() - lib: make shadow_logfd and Prog not extern
- newgrp: fix segmentation fault - lib: rename Prog to shadow_progname
- lib: provide default values for shadow_progname
- libsubid: use log_set_progname in subid_init
* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
- getsubids: provide system binary and man page (#1980780)
- pwck: fix segfault when calling fprintf() (#2021339)
- newgrp: fix segmentation fault (#2019553)
- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
- useradd: change SELinux labels for home files (#2022658)
* Thu Nov 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
- useradd: revert fix memleak of grp (#2018697)
* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
- useradd: generate home and mail directories with selinux user attribute
* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
- login.defs: include HMAC_CRYPTO_ALGO key
- Clean spec file: organize dependencies and move License location - Clean spec file: organize dependencies and move License location
* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2 * Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
- libmisc: fix default value in SHA_get_salt_rounds(). Resolves: #1993919 - libmisc: fix default value in SHA_get_salt_rounds()
* Mon Aug 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
- useradd: avoid generating an empty subid range (#1990653)
* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1 * Wed Aug 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
- Rebase to version 4.9. Resolves: #1989556 - Rebase to version 4.9
- usermod: allow all group types with -G option. Resolves: #1975329 - usermod: allow all group types with -G option (#1975327)
- useradd: avoid generating an empty subid range
- Clean spec file - Clean spec file
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:4.8.1-12 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Related: rhbz#1991688
* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11 * Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
- Fix regression issues detected in rhbz#667593 and rhbz#672510. Resolves: #1938871 - Add patch to fix 'fread returns element count, not element size'
* Tue Jul 13 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10 * Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
- Covscan fixes. Resolves: #1938871 - Fix regression issues detected in rhbz#667593 and rhbz#672510
* Fri Jun 25 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9 * Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
- libsubid: creation and nsswitch support. Resolves: #1859252 - Enable bcrypt support, as libxcrypt supports it well
- Creation of subid and subid-devel subpackages
- man: mention NSS in new[ug]idmap manpages * Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
- libsubid: move development header to shadow folder - Add a patch to obtain random bytes using getentropy()
- Update shadow-4.8-crypt_h.patch with the upstreamed version
- Add a patch to make use of crypt_gensalt() from libxcrypt
* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
- useradd: free correct pointer (#1976809)
* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
- Add a patch to fix the used prefix for the bcrypt hash method
- Add a patch to cleanup the code in libmisc/salt.c
- Add a patch adding some clarifying comments in libmisc/salt.c
- Add a patch to obtain random bytes from /dev/urandom
* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
- Covscan fixes
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
- Backport support for yescrypt hash method
- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
- libsubid: don't print error messages on stderr by default - libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory - libsubid: libsubid_init return false if out of memory
- useradd: fix SUB_UID_COUNT=0 - useradd: fix SUB_UID_COUNT=0
@ -409,10 +438,20 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
- libsubid: fix newusers when nss provides subids - libsubid: fix newusers when nss provides subids
- man: clarify subid delegation - man: clarify subid delegation
- libsubid: make shadow_logfd not extern - libsubid: make shadow_logfd not extern
- login.defs: include HMAC_CRYPTO_ALGO key
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:4.8.1-8 * Thu May 6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - man: mention NSS in new[ug]idmap manpages
- libsubid: move development header to shadow folder
* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
- libsubid: creation and nsswitch support
- Creation of subid and subid-devel subpackages
* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
- man: include lastlog file caveat (#951564)
- Upstream links to several patches
- Spec file cleanup by Robert Scheck
- Add BuildRequires: make by Tom Stellard
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Write Preview
Loading…
Cancel
Save