From e024307bdca431c533ef304519976564d022490e Mon Sep 17 00:00:00 2001 From: xiongshenglan Date: Fri, 11 Aug 2023 10:45:41 +0800 Subject: [PATCH 1/3] shadow: Remove encrypted passwd for useradd-groupadd-groupmod-usermod Remove encrypted passwd for useradd/groupadd/groupmod/usermod In groupadd/useradd, p parameter does not meet password complexity checks. Do not satisfy security requirements. use CONFIG_SHADOW_REMOVE_POPTION Signed-off-by: xiongshenglan --- ...move-encrypted-passwd-for-useradd-gr.patch | 133 ++++++++++++++++++ shadow.spec | 6 +- 2 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch diff --git a/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch b/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch new file mode 100644 index 0000000..80cc838 --- /dev/null +++ b/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch @@ -0,0 +1,133 @@ +From 280a8474ad87f44f9620eeac75cbf8a34b5edc2f Mon Sep 17 00:00:00 2001 +From: xiongshenglan +Date: Thu, 27 Jul 2023 09:30:16 +0800 +Subject: [PATCH] shadow: Remove encrypted passwd for + useradd-groupadd-groupmod-usermod + +Remove encrypted passwd for useradd/groupadd/groupmod/usermod +In groupadd/useradd, p parameter does not meet password complexity checks. Do +not satisfy security requirements. + +Signed-off-by: xiongshenglan +--- + src/groupadd.c | 4 ++++ + src/groupmod.c | 4 ++++ + src/useradd.c | 4 ++++ + src/usermod.c | 4 ++++ + 4 files changed, 16 insertions(+) + +diff --git a/src/groupadd.c b/src/groupadd.c +index d7f68b1..9b7a521 100644 +--- a/src/groupadd.c ++++ b/src/groupadd.c +@@ -125,7 +125,9 @@ static /*@noreturn@*/void usage (int status) + (void) fputs (_(" -K, --key KEY=VALUE override /etc/login.defs defaults\n"), usageout); + (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" + " (non-unique) GID\n"), usageout); ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); ++#endif + (void) fputs (_(" -r, --system create a system account\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs (_(" -P, --prefix PREFIX_DI directory prefix\n"), usageout); +@@ -459,10 +461,12 @@ static void process_flags (int argc, char **argv) + case 'o': + oflg = true; + break; ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + case 'p': + pflg = true; + group_passwd = optarg; + break; ++#endif + case 'r': + rflg = true; + break; +diff --git a/src/groupmod.c b/src/groupmod.c +index acd6f35..f9dcabd 100644 +--- a/src/groupmod.c ++++ b/src/groupmod.c +@@ -139,8 +139,10 @@ static void usage (int status) + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -n, --new-name NEW_GROUP change the name to NEW_GROUP\n"), usageout); + (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" + " PASSWORD\n"), usageout); ++#endif + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); + (void) fputs (_(" -U, --users USERS list of user members of this group\n"), usageout); +@@ -449,10 +451,12 @@ static void process_flags (int argc, char **argv) + case 'o': + oflg = true; + break; ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + case 'p': + group_passwd = optarg; + pflg = true; + break; ++#endif + case 'R': /* no-op, handled in process_root_flag () */ + break; + case 'P': /* no-op, handled in process_prefix_flag () */ +diff --git a/src/useradd.c b/src/useradd.c +index 89abd5e..e5ba3dd 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -907,7 +907,9 @@ static void usage (int status) + " the user\n"), usageout); + (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" + " (non-unique) UID\n"), usageout); ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); ++#endif + (void) fputs (_(" -r, --system create a system account\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); +@@ -1366,6 +1368,7 @@ static void process_flags (int argc, char **argv) + case 'o': + oflg = true; + break; ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + case 'p': /* set encrypted password */ + if (!VALID (optarg)) { + fprintf (stderr, +@@ -1375,6 +1378,7 @@ static void process_flags (int argc, char **argv) + } + user_pass = optarg; + break; ++#endif + case 'r': + rflg = true; + break; +diff --git a/src/usermod.c b/src/usermod.c +index ca8db92..509a50b 100644 +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -435,7 +435,9 @@ static /*@noreturn@*/void usage (int status) + (void) fputs (_(" -m, --move-home move contents of the home directory to the\n" + " new location (use only with -d)\n"), usageout); + (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); ++#endif + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); + (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); +@@ -1152,10 +1154,12 @@ static void process_flags (int argc, char **argv) + case 'o': + oflg = true; + break; ++#ifndef CONFIG_SHADOW_REMOVE_POPTION + case 'p': + user_pass = optarg; + pflg = true; + break; ++#endif + case 'R': /* no-op, handled in process_root_flag () */ + break; + case 'P': /* no-op, handled in process_prefix_flag () */ +-- +2.12.3 + diff --git a/shadow.spec b/shadow.spec index 5a952d0..90b9dff 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.13 -Release: 5 +Release: 6 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -30,6 +30,7 @@ Patch10: backport-Read-whole-line-in-yes_or_no.patch Patch11: backport-commonio-free-removed-database-entries.patch Patch12: backport-semanage-disconnect-to-free-libsemanage-internals.patch Patch13: backport-run_parts-for-groupadd-and-groupdel.patch +Patch14: backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -197,6 +198,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Fri Aug 11 2023 xiongshenglan - 2:4.13-6 +- backport Remove encrypted passwd for useradd-groupadd-groupmod-usermod + * Mon Jun 19 2023 yunjia_w - 2:4.13-5 - backport patches from upstream From 2cf1b7d0f3a3acce607f59720d5be98782558879 Mon Sep 17 00:00:00 2001 From: xiongshenglan Date: Fri, 11 Aug 2023 15:13:31 +0800 Subject: [PATCH 2/3] shadow: Remove encrypted passwd for useradd-groupadd-groupmod-usermod Remove encrypted passwd for useradd/groupadd/groupmod/usermod In groupadd/useradd, p parameter does not meet password complexity checks. Do not satisfy security requirements. Signed-off-by: xiongshenglan --- ...adow-Remove-encrypted-passwd-for-useradd-gr.patch | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch b/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch index 80cc838..07b29c1 100644 --- a/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch +++ b/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch @@ -105,17 +105,17 @@ diff --git a/src/usermod.c b/src/usermod.c index ca8db92..509a50b 100644 --- a/src/usermod.c +++ b/src/usermod.c -@@ -435,7 +435,9 @@ static /*@noreturn@*/void usage (int status) +@@ -384,7 +384,9 @@ static /*@noreturn@*/void usage (int status) (void) fputs (_(" -m, --move-home move contents of the home directory to the\n" " new location (use only with -d)\n"), usageout); (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); +#ifndef CONFIG_SHADOW_REMOVE_POPTION (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); +#endif - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); -@@ -1152,10 +1154,12 @@ static void process_flags (int argc, char **argv) + (void) fputs (_(" -r, --remove remove the user from only the supplemental GROUPS\n" + " mentioned by the -G option without removing\n" +@@ -1121,10 +1123,12 @@ static void process_flags (int argc, char **argv) case 'o': oflg = true; break; @@ -125,9 +125,9 @@ index ca8db92..509a50b 100644 pflg = true; break; +#endif - case 'R': /* no-op, handled in process_root_flag () */ + case 'r': + rflg = true; break; - case 'P': /* no-op, handled in process_prefix_flag () */ -- 2.12.3 From 321b447d607b81ed4e1832cd8bf901ffa66748ff Mon Sep 17 00:00:00 2001 From: xiongshenglan Date: Fri, 11 Aug 2023 15:13:31 +0800 Subject: [PATCH 3/3] shadow: Remove encrypted passwd for useradd-groupadd-groupmod-usermod Remove encrypted passwd for useradd/groupadd/groupmod/usermod In groupadd/useradd, p parameter does not meet password complexity checks. Do not satisfy security requirements. Signed-off-by: xiongshenglan --- ...adow-Remove-encrypted-passwd-for-useradd-gr.patch | 12 ++++++------ shadow.spec | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) rename backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch => shadow-Remove-encrypted-passwd-for-useradd-gr.patch (92%) diff --git a/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch b/shadow-Remove-encrypted-passwd-for-useradd-gr.patch similarity index 92% rename from backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch rename to shadow-Remove-encrypted-passwd-for-useradd-gr.patch index 80cc838..07b29c1 100644 --- a/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch +++ b/shadow-Remove-encrypted-passwd-for-useradd-gr.patch @@ -105,17 +105,17 @@ diff --git a/src/usermod.c b/src/usermod.c index ca8db92..509a50b 100644 --- a/src/usermod.c +++ b/src/usermod.c -@@ -435,7 +435,9 @@ static /*@noreturn@*/void usage (int status) +@@ -384,7 +384,9 @@ static /*@noreturn@*/void usage (int status) (void) fputs (_(" -m, --move-home move contents of the home directory to the\n" " new location (use only with -d)\n"), usageout); (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); +#ifndef CONFIG_SHADOW_REMOVE_POPTION (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); +#endif - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); -@@ -1152,10 +1154,12 @@ static void process_flags (int argc, char **argv) + (void) fputs (_(" -r, --remove remove the user from only the supplemental GROUPS\n" + " mentioned by the -G option without removing\n" +@@ -1121,10 +1123,12 @@ static void process_flags (int argc, char **argv) case 'o': oflg = true; break; @@ -125,9 +125,9 @@ index ca8db92..509a50b 100644 pflg = true; break; +#endif - case 'R': /* no-op, handled in process_root_flag () */ + case 'r': + rflg = true; break; - case 'P': /* no-op, handled in process_prefix_flag () */ -- 2.12.3 diff --git a/shadow.spec b/shadow.spec index 90b9dff..6bda4fe 100644 --- a/shadow.spec +++ b/shadow.spec @@ -30,7 +30,7 @@ Patch10: backport-Read-whole-line-in-yes_or_no.patch Patch11: backport-commonio-free-removed-database-entries.patch Patch12: backport-semanage-disconnect-to-free-libsemanage-internals.patch Patch13: backport-run_parts-for-groupadd-and-groupdel.patch -Patch14: backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch +Patch14: shadow-Remove-encrypted-passwd-for-useradd-gr.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -199,7 +199,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %changelog * Fri Aug 11 2023 xiongshenglan - 2:4.13-6 -- backport Remove encrypted passwd for useradd-groupadd-groupmod-usermod +- Remove encrypted passwd for useradd-groupadd-groupmod-usermod * Mon Jun 19 2023 yunjia_w - 2:4.13-5 - backport patches from upstream