packages/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 4.9 and modify check ID range for system users

Browse Source
This commit is contained in:
panxiaohe 2022-02-21 10:35:04 +08:00
parent 404eae4926
commit d168ce83f3
31 changed files with 1466 additions and 610 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch Normal file
View File

@ -0,0 +1,112 @@
From 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Fri, 23 Jul 2021 17:51:13 -0500
Subject: [PATCH] Fix out of tree builds with respect to libsubid includes
There's a better way to do this, and I hope to clean that up,
but this fixes out of tree builds for me right now.
Closes #386
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
lib/Makefile.am | 2 ++
libmisc/Makefile.am | 2 +-
libsubid/Makefile.am | 4 ++--
src/Makefile.am | 6 ++++++
4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/Makefile.am b/lib/Makefile.am
index ecf3ee2..5ac2e11 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
endif
+libshadow_la_CPPFLAGS += -I$(top_srcdir)
+
libshadow_la_SOURCES = \
commonio.c \
commonio.h \
diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
index 9766a7e..9f237e0 100644
--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
@@ -1,7 +1,7 @@
EXTRA_DIST = .indent.pro xgetXXbyYY.c
-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
noinst_LTLIBRARIES = libmisc.la
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index 8305156..99308c1 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -20,8 +20,8 @@ MISCLIBS = \
$(LIBPAM)
libsubid_la_LIBADD = \
- $(top_srcdir)/lib/libshadow.la \
- $(top_srcdir)/libmisc/libmisc.la \
+ $(top_builddir)/lib/libshadow.la \
+ $(top_builddir)/libmisc/libmisc.la \
$(MISCLIBS) -ldl
AM_CPPFLAGS = \
diff --git a/src/Makefile.am b/src/Makefile.am
index 3502701..7c1a349 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,6 +10,7 @@ sgidperms = 2755
AM_CPPFLAGS = \
-I${top_srcdir}/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-DLOCALEDIR=\"$(datadir)/locale\"
# XXX why are login and su in /bin anyway (other than for
@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \
list_subid_ranges_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
get_subid_owners_LDADD = \
@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \
get_subid_owners_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
new_subid_range_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
new_subid_range_LDADD = \
@@ -210,6 +214,7 @@ new_subid_range_LDADD = \
free_subid_range_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
free_subid_range_LDADD = \
@@ -220,6 +225,7 @@ free_subid_range_LDADD = \
check_subid_range_CPPFLAGS = \
-I$(top_srcdir)/lib \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libmisc
check_subid_range_LDADD = \
--
1.8.3.1

28
Fixes-the-linking-issues-when-libsubid-is-static-and.patch Normal file
View File

@ -0,0 +1,28 @@
From fc832e4648d6e80e95aaa762a158453ee43fe1cb Mon Sep 17 00:00:00 2001
From: "(GalaxyMaster)" <galaxy4public@users.noreply.github.com>
Date: Wed, 27 Oct 2021 20:14:42 +1100
Subject: [PATCH] Fixes the linking issues when libsubid is static and linked
to binaries that also define the Prog and shadow_logfd variables.
---
libsubid/api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index a7b904d..a51b4e0 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -39,8 +39,8 @@
#include "idmapping.h"
#include "subid.h"
-const char *Prog = "(libsubid)";
-FILE *shadow_logfd;
+static const char *Prog = "(libsubid)";
+static FILE *shadow_logfd;
bool libsubid_init(const char *progname, FILE * logfd)
{
--
1.8.3.1

32
Makefile-include-libeconf-dependency-in-new-idmap.patch Normal file
View File

@ -0,0 +1,32 @@
From c6847011e8b656adacd9a0d2a78418cad0de34cb Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 2 Aug 2021 15:54:20 +0200
Subject: [PATCH] Makefile: include libeconf dependency in new*idmap
new*idmap has a dependency with libeconf since commit
c464ec55709dc931ba2f24073b8b1a86d5209ab0. I'm just adding it to the
Makefile to be able to compile in distributions that include libeconf.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 7c1a349..6cc873b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
endif
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
-newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
-newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
+newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
+newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
--
1.8.3.1

45
Respect-enable-static-no-in-libsubid.patch Normal file
View File

@ -0,0 +1,45 @@
From fa986b1d73605ecca54a4f19249227aeab827bf6 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <shallyn@cisco.com>
Date: Sun, 25 Jul 2021 17:18:02 +0000
Subject: [PATCH] Respect --enable-static=no in libsubid
libsubid's Makefile.am was always setting enable-shared in its LDFLAGS.
Do that only if not building static.
Closes #387
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
---
configure.ac | 2 ++
libsubid/Makefile.am | 2 ++
2 files changed, 4 insertions(+)
diff --git a/configure.ac b/configure.ac
index 0f237cc..994836b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -321,6 +321,8 @@ if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
if test "$with_bcrypt" = "yes"; then
AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index 99308c1..8bba02a 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -1,6 +1,8 @@
lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
libsubid_la_SOURCES = api.c
pkginclude_HEADERS = subid.h
--
1.8.3.1

30
Revert-useradd.c-fix-memleaks-of-grp.patch Normal file
View File

@ -0,0 +1,30 @@
From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sat, 14 Aug 2021 19:37:24 -0500
Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
In some cases, the value which was being freed is not actually
safe to free.
Closes #394
This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
---
src/useradd.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index f90127c..0d3f390 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -413,7 +413,6 @@ static void get_defaults (void)
} else {
def_group = grp->gr_gid;
def_gname = xstrdup (grp->gr_name);
- gr_free(grp);
}
}
--
1.8.3.1

62
add-home_mode-xml-file.patch
View File

@ -1,62 +0,0 @@
From 56073640403f65193689d94a5024547181c8c4d8 Mon Sep 17 00:00:00 2001
From: guiyao <guiyao@huawei.com>
Date: Wed, 15 Apr 2020 19:15:53 -0400
Subject: [PATCH] add home_mode xml file
---
man/login.defs.d/HOME_MODE.xml | 43 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 man/login.defs.d/HOME_MODE.xml
diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
new file mode 100644
index 0000000..21aa55f
--- /dev/null
+++ b/man/login.defs.d/HOME_MODE.xml
@@ -0,0 +1,43 @@
+<!--
+ Copyright (c) 1991 - 1993, Julianne Frances Haugh
+ Copyright (c) 1991 - 1993, Chip Rosenthal
+ Copyright (c) 2007 - 2009, Nicolas François
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+ <term><option>HOME_MODE</option> (number)</term>
+ <listitem>
+ <para>
+ The mode for new home directories. If not specified,
+ the <option>UMASK</option> is used to create the mode.
+ </para>
+ <para>
+ <command>useradd</command> and <command>newusers</command> use this
+ to set the mode of the home directory they create.
+ </para>
+ </listitem>
+</varlistentry>
--
1.8.3.1

42
backport-useradd-modify-check-ID-range-for-system-users.patch Normal file
View File

@ -0,0 +1,42 @@
From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 4 Jan 2022 13:06:00 +0100
Subject: [PATCH] useradd: modify check ID range for system users
useradd warns that a system user ID less than SYS_UID_MIN is outside the
expected range, even though that ID has been specifically selected with
the "-u" option.
In my opinion all the user ID's below SYS_UID_MAX are for the system,
thus I change the condition to take that into account.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Conflict: context adaptation
---
src/useradd.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 34376fa..4c71c38 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
uid_t uid_min ;
uid_t uid_max ;
if(rflg){
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
- if(uid_min <= uid_max){
- if(user_id < uid_min || user_id >uid_max)
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
+ if (user_id > uid_max) {
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
}
}else{
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
--
1.8.3.1

13
fix-logmsg.patch
View File

@ -1,13 +0,0 @@
Index: shadow-4.5/src/useradd.c
===================================================================
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -329,7 +329,7 @@ static void fail_exit (int code)
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_FAILURE);
#endif
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
exit (code);
}

61
generate-mail-USER-with-the-proper-selinux-identity.patch
View File

@ -1,61 +0,0 @@
From 8a1e92aff17be6266d0dc89321082e062af05832 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 5 Feb 2020 15:04:39 +0100
Subject: [PATCH] useradd: generate /var/spool/mail/$USER with the proper
SELinux user identity
Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
---
src/useradd.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/useradd.c b/src/useradd.c
index a679392d..645d4a40 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -190,6 +190,7 @@ static bool home_added = false;
#define E_NAME_IN_USE 9 /* username already in use */
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
+#define E_MAILBOXFILE 13 /* can't create mailbox file */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
@@ -2210,6 +2211,16 @@ static void create_mail (void)
sprintf (file, "%s/%s/%s", prefix, spool, user_name);
else
sprintf (file, "%s/%s", spool, user_name);
+
+#ifdef WITH_SELINUX
+ if (set_selinux_file_context (file) != 0) {
+ fprintf (stderr,
+ _("%s: cannot set SELinux context for mailbox file %s\n"),
+ Prog, file);
+ fail_exit (E_MAILBOXFILE);
+ }
+#endif
+
fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
if (fd < 0) {
perror (_("Creating mailbox file"));
@@ -2234,6 +2245,15 @@ static void create_mail (void)
fsync (fd);
close (fd);
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ if (reset_selinux_file_context () != 0) {
+ fprintf (stderr,
+ _("%s: cannot reset SELinux file creation context\n"),
+ Prog);
+ fail_exit (E_MAILBOXFILE);
+ }
+#endif
}
}
--
2.24.1

32
groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch Normal file
View File

@ -0,0 +1,32 @@
From a757b458ffb4fb9a40bcbb4f7869449431c67f83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?= <frigo@amadeus.com>
Date: Mon, 1 Nov 2021 13:54:25 +0100
Subject: [PATCH] groupdel: fix SIGSEGV when passwd does not exist
When using groupdel with a prefix, groupdel will attempt to read a
passwd file to look for any user in the group. When the file does not
exist it cores with segmentation fault.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1986111
Conflict: context adaptation
---
libmisc/prefix_flag.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c
index cca553a..b6628ac 100644
--- a/libmisc/prefix_flag.c
+++ b/libmisc/prefix_flag.c
@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
if(!passwd_db_file) {
return getpwent();
}
+ if (!fp_pwent) {
+ return NULL;
+ }
return fgetpwent(fp_pwent);
}
extern void prefix_endpwent()
--
1.8.3.1

60
libmisc-fix-default-value-in-SHA_get_salt_rounds.patch Normal file
View File

@ -0,0 +1,60 @@
From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sat, 14 Aug 2021 13:24:34 -0400
Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
use SHA_ROUNDS_DEFAULT.
Previously, the code fell through, calling shadow_random(-1, -1). This
ultimately set rounds = (unsigned long) -1, which ends up being a very
large number! This then got capped to SHA_ROUNDS_MAX later in the
function.
The new behavior matches BCRYPT_get_salt_rounds().
Bug: https://bugs.gentoo.org/808195
Fixes: https://github.com/shadow-maint/shadow/issues/393
---
libmisc/salt.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/libmisc/salt.c b/libmisc/salt.c
index 91d528f..30eefb9 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
if ((-1 == min_rounds) && (-1 == max_rounds)) {
rounds = SHA_ROUNDS_DEFAULT;
}
+ else {
+ if (-1 == min_rounds) {
+ min_rounds = max_rounds;
+ }
- if (-1 == min_rounds) {
- min_rounds = max_rounds;
- }
+ if (-1 == max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (-1 == max_rounds) {
- max_rounds = min_rounds;
- }
+ if (min_rounds > max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (min_rounds > max_rounds) {
- max_rounds = min_rounds;
+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
}
-
- rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
} else if (0 == *prefered_rounds) {
rounds = SHA_ROUNDS_DEFAULT;
} else {
--
1.8.3.1

28
libsubid-link-to-PAM-libraries.patch Normal file
View File

@ -0,0 +1,28 @@
From f4a84efb468b8be21be124700ce35159c444e9d6 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@mengyan1223.wang>
Date: Fri, 23 Jul 2021 14:38:08 +0800
Subject: [PATCH] libsubid: link to PAM libraries
libsubid.so links to libmisc.a, which contains several routines referring to
PAM functions.
---
libsubid/Makefile.am | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index 189165b..8305156 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -16,7 +16,8 @@ MISCLIBS = \
$(LIBCRYPT) \
$(LIBACL) \
$(LIBATTR) \
- $(LIBTCB)
+ $(LIBTCB) \
+ $(LIBPAM)
libsubid_la_LIBADD = \
$(top_srcdir)/lib/libshadow.la \
--
1.8.3.1

93
man-zh_CN-fix-typo.patch
View File

@ -1,93 +0,0 @@
From 915cc6bb9cc8463576aea4b0262ad5f4f1700cd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=B0=AD=E4=B9=9D=E9=BC=8E?= <109224573@qq.com>
Date: Mon, 3 Feb 2020 22:02:16 +0800
Subject: [PATCH] =?UTF-8?q?man(zh=5FCN):=20fix=20typo=20=E7=8E=B0=E5=AE=9E?=
=?UTF-8?q?=20->=20=E6=98=BE=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Anakin Zhang <benjamin93@163.com>
---
man/po/zh_CN.po | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/man/po/zh_CN.po b/man/po/zh_CN.po
index 2537807..85d1243 100644
--- a/man/po/zh_CN.po
+++ b/man/po/zh_CN.po
@@ -334,7 +334,7 @@ msgstr "<option>-h</option>, <option>--help</option>"
#: expiry.1.xml:114(para) chsh.1.xml:103(para) chpasswd.8.xml:173(para)
#: chgpasswd.8.xml:133(para) chfn.1.xml:169(para) chage.1.xml:131(para)
msgid "Display help message and exit."
-msgstr "现实帮助信息并退出。"
+msgstr "显示帮助信息并退出。"
#: vipw.8.xml:126(term)
msgid "<option>-p</option>, <option>--passwd</option>"
@@ -3710,7 +3710,7 @@ msgstr "<option>MAIL_CHECK_ENAB</option> (boolean)"
#: su.1.xml:34(para) login.defs.5.xml:34(para) login.1.xml:34(para)
msgid "Enable checking and display of mailbox status upon login."
-msgstr "启用登录时检查和现实邮箱状态。"
+msgstr "启用登录时检查和显示邮箱状态。"
#: su.1.xml:37(para) login.defs.5.xml:37(para) login.1.xml:37(para)
msgid ""
@@ -6372,7 +6372,7 @@ msgstr "<option>ISSUE_FILE</option> (string)"
#: login.defs.5.xml:34(para) login.1.xml:34(para)
msgid "If defined, this file will be displayed before each login prompt."
-msgstr "如果定义了,此文件将在每次的登录提示之前现实。"
+msgstr "如果定义了,此文件将在每次的登录提示之前显示。"
#: login.defs.5.xml:32(term) login.1.xml:32(term)
msgid "<option>KILLCHAR</option> (number)"
@@ -7125,7 +7125,7 @@ msgstr "$HOME/.hushlogin"
#: login.1.xml:385(para)
msgid "Suppress printing of system messages."
-msgstr "阻止现实系统信息。"
+msgstr "阻止显示系统信息。"
#: login.1.xml:399(para)
msgid ""
@@ -7453,7 +7453,7 @@ msgstr ""
msgid ""
"Print the lastlog records more recent than <emphasis remap=\"I\">DAYS</"
"emphasis>."
-msgstr "只现实新于 <emphasis remap=\"I\">DAYS</emphasis> 的最近登录记录。"
+msgstr "只显示新于 <emphasis remap=\"I\">DAYS</emphasis> 的最近登录记录。"
#: lastlog.8.xml:161(term) faillog.8.xml:202(term)
msgid ""
@@ -7465,7 +7465,7 @@ msgstr ""
#: lastlog.8.xml:165(para)
msgid "Print the lastlog record of the specified user(s)."
-msgstr "现实指定用户的最近登录记录。"
+msgstr "显示指定用户的最近登录记录。"
#: lastlog.8.xml:168(para) faillog.8.xml:211(para)
msgid ""
@@ -7790,7 +7790,7 @@ msgstr "groups"
#: groups.1.xml:65(refpurpose)
msgid "display current group names"
-msgstr "现实当前组名"
+msgstr "显示当前组名"
#: groups.1.xml:72(replaceable)
msgid "user"
@@ -9396,7 +9396,7 @@ msgstr ""
#: chage.1.xml:164(para)
msgid "Show account aging information."
-msgstr "现实账户年龄信息。"
+msgstr "显示账户年龄信息。"
#: chage.1.xml:170(term)
msgid ""
--
2.23.0.windows.1

35
newgrp-fix-segmentation-fault.patch Normal file
View File

@ -0,0 +1,35 @@
From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Wed, 10 Nov 2021 12:02:04 +0100
Subject: [PATCH] newgrp: fix segmentation fault
Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
that is immediately freed.
The error was committed in
https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/newgrp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/newgrp.c b/src/newgrp.c
index 730f47e..566f1c8 100644
--- a/src/newgrp.c
+++ b/src/newgrp.c
@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
spwd = xgetspnam (pwd->pw_name);
if (NULL != spwd) {
pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
+ spw_free (spwd);
}
- spw_free (spwd);
if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
needspasswd = true;
--
1.8.3.1

30
pwck-fix-segfault-when-calling-fprintf.patch Normal file
View File

@ -0,0 +1,30 @@
From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 15 Nov 2021 12:40:15 +0100
Subject: [PATCH] pwck: fix segfault when calling fprintf()
As shadow_logfd variable is not set at the beginning of the program if
something fails and fprintf() is called a segmentation fault happens.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/pwck.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pwck.c b/src/pwck.c
index 4248944..4ce86af 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -857,6 +857,7 @@ int main (int argc, char **argv)
* Get my name so that I can use it to report errors.
*/
Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
--
1.8.3.1

140
selinux-flag.patch
View File

@ -1,140 +0,0 @@
From 73e2af119d62d76cd7edcd2109a122a22e143e91 Mon Sep 17 00:00:00 2001
From: "guiyao" <guiyao@huawei.com>
Date: Wed, 15 Apr 2020 15:41:18 -0400
Subject: [PATCH] selinux-flag
backport selinux flag patch and modified for new code
---
lib/semanage.c | 7 ++++++
src/useradd.c | 69 ++++++++++++++++++++++++++++++----------------------------
2 files changed, 43 insertions(+), 33 deletions(-)
diff --git a/lib/semanage.c b/lib/semanage.c
index e983f5f..7ec8969 100644
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, const char *seuser_name)
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff --git a/src/useradd.c b/src/useradd.c
index b294439..47394a3 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2242,6 +2242,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2464,27 +2465,11 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2495,25 +2480,43 @@ int main (int argc, char **argv)
}
#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+#endif /* WITH_AUDIT */
+ rv = E_SE_UPDATE;
+ }
}
}
-#endif /* WITH_SELINUX */
+#endif
+
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory already exists.\n"
+ "Not copying any file from skel directory into it.\n"),
+ Prog);
+ }
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
- return E_SUCCESS;
+ return rv;
}
--
1.8.3.1

61
semanage-close-the-selabel-handle.patch Normal file
View File

@ -0,0 +1,61 @@
From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:13:13 +0200
Subject: [PATCH] semanage: close the selabel handle
Close the selabel handle to update the file_context. This means that the
file_context will be remmaped and used by selabel_lookup() to return
the appropriate context to label the home folder.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
lib/prototypes.h | 1 +
lib/selinux.c | 5 +++++
lib/semanage.c | 1 +
3 files changed, 7 insertions(+)
diff --git a/lib/prototypes.h b/lib/prototypes.h
index 1d1586d..b697e0e 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
/* selinux.c */
#ifdef WITH_SELINUX
extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
extern int reset_selinux_file_context (void);
extern int check_selinux_permit (const char *perm_name);
#endif
diff --git a/lib/selinux.c b/lib/selinux.c
index c83545f..b075d4c 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -50,6 +50,11 @@ static void cleanup(void)
}
}
+void reset_selinux_handle (void)
+{
+ cleanup();
+}
+
/*
* set_selinux_file_context - Set the security context before any file or
* directory creation.
diff --git a/lib/semanage.c b/lib/semanage.c
index 0d30456..a5bf921 100644
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
}
ret = 0;
+ reset_selinux_handle();
done:
semanage_seuser_key_free (key);
--
1.8.3.1

69
shadow-4.5-goodname.patch → shadow-4.8-goodname.patch
View File

@ -1,20 +1,7 @@
From a386a250712771e44e2020060e6a3ca690f72129 Mon Sep 17 00:00:00 2001
From: "guiyao" <guiyao@huawei.com>
Date: Wed, 15 Apr 2020 15:18:25 -0400
Subject: [PATCH] shadow: shadow-4.5-goodname
backport patch and do some modify for new code
---
libmisc/chkname.c | 40 +++++++++++++++++++++++++++++-----------
man/groupadd.8.xml | 10 ++++++----
man/useradd.8.xml | 12 ++++++++----
3 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/libmisc/chkname.c b/libmisc/chkname.c
index bdd1e72..957c966 100644
--- a/libmisc/chkname.c
+++ b/libmisc/chkname.c
@@ -55,26 +55,44 @@ static bool is_valid_name (const char *name)
diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
--- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100
+++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100
@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
}
/*
@ -33,13 +20,13 @@ index bdd1e72..957c966 100644
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ if ('\0' == *name ||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) ||
+ !((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.')) {
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) ||
+ !((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.')) {
return false;
}
@ -51,15 +38,14 @@ index bdd1e72..957c966 100644
- ('_' == *name) ||
- ('-' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
- )) {
+ if (!((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.' ||
+ *name == '-' ||
+ (*name == '$' && name[1] == '\0')
+ )) {
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.' ||
+ *name == '-' ||
+ (*name == '$' && name[1] == '\0')
)) {
return false;
}
+ numeric &= isdigit(*name);
@ -70,10 +56,9 @@ index bdd1e72..957c966 100644
}
bool is_valid_user_name (const char *name)
diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
index 1e58f09..47a4c95 100644
--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
--- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100
@@ -273,10 +273,12 @@
<refsect1 id='caveats'>
<title>CAVEATS</title>
@ -91,11 +76,10 @@ index 1e58f09..47a4c95 100644
</para>
<para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 03612ce..4e9e0dc 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -662,10 +662,14 @@
diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
--- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200
+++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100
@@ -661,10 +661,14 @@
</para>
<para>
@ -114,6 +98,3 @@ index 03612ce..4e9e0dc 100644
</para>
<para>
Usernames may only be up to 32 characters long.
--
1.8.3.1

46
long-password-entry.patch → shadow-4.8-long-entry.patch
View File

@ -1,18 +1,20 @@
diff --git a/lib/defines.h b/lib/defines.h
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -388,4 +388,7 @@ extern char *strerror ();
# define shadow_getenv(name) getenv(name)
diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
--- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100
+++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100
@@ -388,6 +388,9 @@ extern char *strerror ();
# endif
#endif
+/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768
+
#endif /* _DEFINES_H_ */
diff --git a/lib/pwio.c b/lib/pwio.c
--- a/lib/pwio.c
+++ b/lib/pwio.c
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, FILE * file)
#ifdef HAVE_SECURE_GETENV
# define shadow_getenv(name) secure_getenv(name)
# else
diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
--- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|| (pw->pw_gid == (gid_t)-1)
|| (valid_field (pw->pw_gecos, ":\n") == -1)
|| (valid_field (pw->pw_dir, ":\n") == -1)
@ -24,9 +26,9 @@ diff --git a/lib/pwio.c b/lib/pwio.c
return -1;
}
diff --git a/lib/sgetpwent.c b/lib/sgetpwent.c
--- a/lib/sgetpwent.c
+++ b/lib/sgetpwent.c
diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
--- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200
+++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100
@@ -57,7 +57,7 @@
struct passwd *sgetpwent (const char *buf)
{
@ -36,7 +38,7 @@ diff --git a/lib/sgetpwent.c b/lib/sgetpwent.c
register int i;
register char *cp;
char *fields[NFIELDS];
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *buf)
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
* the password structure remain valid.
*/
@ -48,9 +50,9 @@ diff --git a/lib/sgetpwent.c b/lib/sgetpwent.c
strcpy (pwdbuf, buf);
/*
diff --git a/lib/sgetspent.c b/lib/sgetspent.c
--- a/lib/sgetspent.c
+++ b/lib/sgetspent.c
diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
--- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100
@@ -48,7 +48,7 @@
*/
struct spwd *sgetspent (const char *string)
@ -60,7 +62,7 @@ diff --git a/lib/sgetspent.c b/lib/sgetspent.c
static struct spwd spwd;
char *fields[FIELDS];
char *cp;
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *string)
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
*/
if (strlen (string) >= sizeof spwbuf) {
@ -68,10 +70,10 @@ diff --git a/lib/sgetspent.c b/lib/sgetspent.c
return 0; /* fail if too long */
}
strcpy (spwbuf, string);
diff --git a/lib/shadowio.c b/lib/shadowio.c
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent, FILE * file)
diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
--- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
if ( (NULL == sp)
|| (valid_field (sp->sp_namp, ":\n") == -1)

BIN
shadow-4.8.1.tar.xz
View File

Binary file not shown.

48
null-time.patch → shadow-4.9-null-tm.patch
View File

@ -1,8 +1,8 @@
Index: shadow-4.5/src/chage.c
===================================================================
--- a/src/chage.c
+++ b/src/chage.c
@@ -167,6 +167,10 @@ static void date_to_str (char *buf, size_t maxsize, time_t date)
--- shadow-4.5.orig/src/chage.c
+++ shadow-4.5/src/chage.c
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
struct tm *tp;
tp = gmtime (&date);
@ -13,32 +13,11 @@ Index: shadow-4.5/src/chage.c
#ifdef HAVE_STRFTIME
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
#else
Index: shadow-4.5/src/faillog.c
===================================================================
--- a/src/faillog.c
+++ b/src/faillog.c
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const struct passwd *pw, bool force)
}
tm = localtime (&fl.fail_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+ cp = ptime;
#endif
+ }
printf ("%-9s %5d %5d ",
pw->pw_name, fl.fail_cnt, fl.fail_max);
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
Index: shadow-4.5/src/lastlog.c
===================================================================
--- a/src/lastlog.c
+++ b/src/lastlog.c
@@ -159,13 +159,17 @@ static void print_one (/*@null@*/const struct passwd *pw)
--- shadow-4.5.orig/src/lastlog.c
+++ shadow-4.5/src/lastlog.c
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
ll_time = ll.ll_time;
tm = localtime (&ll_time);
@ -62,9 +41,9 @@ Index: shadow-4.5/src/lastlog.c
cp = _("**Never logged in**\0");
Index: shadow-4.5/src/passwd.c
===================================================================
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -456,6 +456,9 @@ static /*@observer@*/const char *date_to_str (time_t t)
--- shadow-4.5.orig/src/passwd.c
+++ shadow-4.5/src/passwd.c
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
struct tm *tm;
tm = gmtime (&t);
@ -76,9 +55,9 @@ Index: shadow-4.5/src/passwd.c
#else /* !HAVE_STRFTIME */
Index: shadow-4.5/src/usermod.c
===================================================================
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -216,6 +216,10 @@ static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
} else {
time_t t = (time_t) date;
tp = gmtime (&t);
@ -89,6 +68,3 @@ Index: shadow-4.5/src/usermod.c
#ifdef HAVE_STRFTIME
strftime (buf, maxsize, "%Y-%m-%d", tp);
#else
--
2.19.1

BIN
shadow-4.9.tar.xz Normal file
View File

Binary file not shown.

278
shadow-utils.login.defs
View File

@ -1,12 +1,126 @@
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 077
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
@ -19,38 +133,174 @@ PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
# Max number of login(1) retries if password is bad
#
CREATE_HOME yes
#LOGIN_RETRIES 3
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
#
# Max time in seconds for login(1)
#
#LOGIN_TIMEOUT 60
# This enables userdel to remove user groups if no members exist.
# Currently PASS_CHANGE_TRIES is not supported
# Currently PASS_ALWAYS_WARN is not supported
# Currently PASS_MAX_LEN is not supported
# Currently CHFN_AUTH is not supported
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
#CHFN_RESTRICT rwh
# Currently LOGIN_STRING is not supported
# Currently MD5_CRYPT_ENAB is not supported
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password (default)
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password
#
ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range.
#
#SHA_CRYPT_MAX_ROUNDS 5000
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
#
# Only works if ENCRYPT_METHOD is set to BCRYPT.
#
# Define the number of BCRYPT rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, 13 rounds will be attempted.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
#BCRYPT_MIN_ROUNDS 13
#BCRYPT_MAX_ROUNDS 31
#
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
#
# Define the YESCRYPT cost factor.
# With a higher cost factor, it is more difficult to brute-force the password.
# However, more CPU time and more memory will be needed to authenticate users
# if this value is increased.
#
# If not specified, a cost factor of 5 will be used.
# The value must be within the 1-11 range.
#
#YESCRYPT_COST_FACTOR 5
# Currently CONSOLE_GROUPS is not supported
#
# Should login be allowed if we can't cd to the home directory?
# Default is yes.
#
#DEFAULT_HOME yes
# Currently ENVIRON_FILE is not supported
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# Enables userdel(8) to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
#
# If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd(8) should create home directories for users by default (non
# system users only).
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
CREATE_HOME yes
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
#FORCE_SHADOW yes
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
#
# Note: It is recommended to check hmac(3) to see the possible algorithms
# that are available in your system.
#
#HMAC_CRYPTO_ALGO SHA512

72
shadow.spec
View File

@ -1,32 +1,43 @@
Name: shadow
Version: 4.8.1
Release: 7
Version: 4.9
Release: 1
Epoch: 2
License: BSD and GPLv2+
Summary: Tools for managing accounts and shadow password files
URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
Source2: shadow-utils.useradd
Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Source6: chpasswd
Source7: newusers
%global includesubiddir %{_includedir}/shadow
# fix unknown item 'LASTLOG_MAX_UID'
Patch0: shadow-4.5-goodname.patch
Patch1: fix-logmsg.patch
Patch2: null-time.patch
Patch3: long-password-entry.patch
Patch4: usermod-unlock.patch
Patch5: selinux-flag.patch
Patch6: add-home_mode-xml-file.patch
Patch7: shadow-4.1.5.1-var-lock.patch
Patch8: shadow-utils-fix-lock-file-residue.patch
Patch9: generate-mail-USER-with-the-proper-selinux-identity.patch
Patch10: man-zh_CN-fix-typo.patch
Patch11: useradd-free-grp-to-avoid-leak.patch
Patch12: useradd.c-fix-memleaks-of-grp.patch
Patch13: useradd.c-fix-memleak-in-get_groups.patch
Patch0: shadow-4.8-goodname.patch
Patch1: shadow-4.9-null-tm.patch
Patch2: shadow-4.8-long-entry.patch
Patch3: usermod-unlock.patch
Patch4: useradd-create-directories-after-the-SELinux-user.patch
Patch5: shadow-4.1.5.1-var-lock.patch
Patch6: shadow-utils-fix-lock-file-residue.patch
Patch7: Makefile-include-libeconf-dependency-in-new-idmap.patch
Patch8: usermod-allow-all-group-types-with-G-option.patch
Patch9: useradd-avoid-generating-an-empty-subid-range.patch
Patch10: libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
Patch11: semanage-close-the-selabel-handle.patch
Patch12: Revert-useradd.c-fix-memleaks-of-grp.patch
Patch13: useradd-change-SELinux-labels-for-home-files.patch
Patch14: libsubid-link-to-PAM-libraries.patch
Patch15: Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
Patch16: Respect-enable-static-no-in-libsubid.patch
Patch17: Fixes-the-linking-issues-when-libsubid-is-static-and.patch
Patch18: pwck-fix-segfault-when-calling-fprintf.patch
Patch19: newgrp-fix-segmentation-fault.patch
Patch20: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
Patch21: backport-useradd-modify-check-ID-range-for-system-users.patch
BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
BuildRequires: libacl-devel, libattr-devel
@ -47,6 +58,13 @@ This package includes the necessary programs for converting plain
password files to the shadow password format and to manage user and
group accounts.
%package subid-devel
Summary: Development package for shadow-utils-subid
License: BSD and GPLv2+
%description subid-devel
Development files for shadow-utils-subid.
%package_help
%prep
@ -70,7 +88,7 @@ autoreconf -fiv
--with-selinux \
--without-libcrack \
--with-libpam \
--disable-shared \
--enable-shared \
--with-group-name-max-length=32
%make_build
@ -141,6 +159,14 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
lang=$(basename $dir)
done
# Move subid.h to its own folder
echo $(ls)
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
# Remove .la files created by libsubid
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%files -f shadow.lang
%doc NEWS doc/HOWTO README
%{!?_licensedir:%global license %%doc}
@ -169,10 +195,20 @@ done
%{_sysconfdir}/pam.d/groupmems
%{_sysconfdir}/pam.d/newusers
%files subid-devel
%{_libdir}/libsubid.so.*
%{includesubiddir}/subid.h
%{_libdir}/libsubid.so
%files help
%{_mandir}/*/*
%changelog
* Mon Feb 21 2022 panxiaohe <panxh.life@foxmail.com> - 2:4.9-1
- update to 4.9
- synchronized login.defs with upstream file
- useradd: modify check ID range for system users
* Thu Sep 30 2021 steven Y.Gui <steven_ygui@163.com> - 2:4.8.1-7
- backport some patches to fix memory leak

107
useradd-avoid-generating-an-empty-subid-range.patch Normal file
View File

@ -0,0 +1,107 @@
From 9dd720a28578eef5be8171697aae0906e4c53249 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 10 Aug 2021 09:07:03 +0200
Subject: [PATCH] useradd: avoid generating an empty subid range
useradd generates an empty subid range when adding a new user. This is
caused because there are two variables, one local and the other one
global, that have a very similar name and they are used indistinctly in
the code. The local variable loads the SUB_*ID_COUNT configuration from
the login.defs file, while the global variable, which holds a value of
0, is used to generate the subid range. Causing the empty subid range
problem.
I've merged the two variables in the local one and removed the global
variable. I prefer to do it this way to reduce the scope of it but I'm
open to doing it the other way round.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1990653
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Conflict: context adaptation
---
src/useradd.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index baeffb3..9abeea6 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
static uid_t sub_uid_start; /* New subordinate uid range */
-static unsigned long sub_uid_count;
static gid_t sub_gid_start; /* New subordinate gid range */
-static unsigned long sub_gid_count;
#endif /* ENABLE_SUBIDS */
static bool pw_locked = false;
static bool gr_locked = false;
@@ -234,7 +232,7 @@ static void open_shadow (void);
static void faillog_reset (uid_t);
static void lastlog_reset (uid_t);
static void tallylog_reset (const char *);
-static void usr_update (void);
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
static void create_home (void);
static void create_mail (void);
static void check_uid_range(int rflg, uid_t user_id);
@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
* usr_update() creates the password file entries for this user
* and will update the group entries if required.
*/
-static void usr_update (void)
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
{
struct passwd pwent;
struct spwd spent;
@@ -2155,14 +2153,14 @@ static void usr_update (void)
}
#ifdef ENABLE_SUBIDS
if (is_sub_uid &&
- (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
if (is_sub_gid &&
- (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid && sub_uid_count != 0) {
- if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
+ if (is_sub_uid && subuid_count != 0) {
+ if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate user IDs\n"),
Prog);
fail_exit(E_SUB_UID_UPDATE);
}
}
- if (is_sub_gid && sub_gid_count != 0) {
- if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
+ if (is_sub_gid && subgid_count != 0) {
+ if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate group IDs\n"),
Prog);
@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
}
#endif /* ENABLE_SUBIDS */
- usr_update ();
+ usr_update (subuid_count, subgid_count);
close_files ();
--
1.8.3.1

34
useradd-change-SELinux-labels-for-home-files.patch Normal file
View File

@ -0,0 +1,34 @@
From 06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 12 Nov 2021 15:23:30 +0100
Subject: [PATCH] useradd: change SELinux labels for home files
Change SELinux labels for files copied from the skeleton directory to
the home directory.
This could cause gnome's graphical user adding to fail without copying
the full skeleton files.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2022658
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index b463a17..f7c9795 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
if (mflg) {
create_home ();
if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
+ copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid);
} else {
fprintf (stderr,
--
1.8.3.1

89
useradd-create-directories-after-the-SELinux-user.patch Normal file
View File

@ -0,0 +1,89 @@
From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:09:59 +0200
Subject: [PATCH] useradd: create directories after the SELinux user
Create the home and mail folders after the SELinux user has been set for
the added user. This will allow the folders to be created with the
SELinux user label.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Conflict: context adaptation
---
src/useradd.c | 46 +++++++++++++++++++++++-----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 6269c01..b463a17 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
}
#endif /* WITH_SELINUX */
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, false,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory %s already exists.\n"
+ "%s: Not copying any file from skel directory into it.\n"),
+ Prog, user_home, Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
+
if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
"useradd")) {
exit(1);
}
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-
return E_SUCCESS;
}
--
1.8.3.1

42
useradd-free-grp-to-avoid-leak.patch
View File

@ -1,42 +0,0 @@
From 569bd1d54f4be070d4ac88042586d9334343702d Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 27 Oct 2020 11:35:53 +0100
Subject: [PATCH] useradd: free grp to avoid leak
covscan issue:
Error: RESOURCE_LEAK (CWE-772): [#def39] [important]
src/useradd.c:728: alloc_fn: Storage is returned from allocation function "get_local_group".
src/useradd.c:728: var_assign: Assigning: "grp" = storage returned from "get_local_group(list)".
src/useradd.c:728: overwrite_var: Overwriting "grp" in "grp = get_local_group(list)" leaks the storage that "grp" points to.
726| * GID values, otherwise the string is looked up as is.
727| */
728|-> grp = get_local_group (list);
729|
730| /*
---
src/useradd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index 3544acd0..107e65f8 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -729,7 +729,7 @@ static int set_defaults (void)
static int get_groups (char *list)
{
char *cp;
- const struct group *grp;
+ struct group *grp;
int errors = 0;
int ngroups = 0;
@@ -808,6 +808,7 @@ static int get_groups (char *list)
* Add the group name to the user's list of groups.
*/
user_groups[ngroups++] = xstrdup (grp->gr_name);
+ free (grp);
} while (NULL != list);
user_groups[ngroups] = (char *) 0;
--

41
useradd.c-fix-memleak-in-get_groups.patch
View File

@ -1,41 +0,0 @@
From fd9d79a1a3438ba7703939cfcd45fc266782c64e Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 17 Dec 2020 03:27:15 -0500
Subject: [PATCH] useradd.c:fix memleak in get_groups
Signed-off-by: whzhe <wanghongzhe@huawei.com>
---
src/useradd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index 107e65f8..822b67f5 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -793,6 +793,7 @@ static int get_groups (char *list)
fprintf (stderr,
_("%s: group '%s' is a NIS group.\n"),
Prog, grp->gr_name);
+ gr_free(grp);
continue;
}
#endif
@@ -801,6 +802,7 @@ static int get_groups (char *list)
fprintf (stderr,
_("%s: too many groups specified (max %d).\n"),
Prog, ngroups);
+ gr_free(grp);
break;
}
@@ -808,7 +810,7 @@ static int get_groups (char *list)
* Add the group name to the user's list of groups.
*/
user_groups[ngroups++] = xstrdup (grp->gr_name);
- free (grp);
+ gr_free (grp);
} while (NULL != list);
user_groups[ngroups] = (char *) 0;
--

24
useradd.c-fix-memleaks-of-grp.patch
View File

@ -1,24 +0,0 @@
From c44b71cec25d60efc51aec9de3abce1f6efbfcf5 Mon Sep 17 00:00:00 2001
From: whzhe51 <whzhe51@126.com>
Date: Sat, 19 Dec 2020 04:29:06 -0500
Subject: [PATCH] useradd.c:fix memleaks of grp Signed-off-by: whzhe51
<wanghongzhe@huawei.com>
---
src/useradd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/useradd.c b/src/useradd.c
index 107e65f8..29c54e44 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -411,6 +411,7 @@ static void get_defaults (void)
} else {
def_group = grp->gr_gid;
def_gname = xstrdup (grp->gr_name);
+ gr_free(grp);
}
}
--

322
usermod-allow-all-group-types-with-G-option.patch Normal file
View File

@ -0,0 +1,322 @@
From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 3 Aug 2021 08:57:20 +0200
Subject: [PATCH] usermod: allow all group types with -G option
The only way of removing a group from the supplementary list is to use
-G option, and list all groups that the user is a member of except for
the one that wants to be removed. The problem lies when there's a user
that contains both local and remote groups, and the group to be removed
is a local one. As we need to include the remote group with -G option
the command will fail.
This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
it would be possible to remove the remote groups from the supplementary
list.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
Resolves: https://github.com/shadow-maint/shadow/issues/338
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/usermod.c | 220 ++++++++++++++++++++--------------------------------------
1 file changed, 77 insertions(+), 143 deletions(-)
diff --git a/src/usermod.c b/src/usermod.c
index 03bb9b9..a0c03af 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
long int date);
static int get_groups (char *);
-static struct group * get_local_group (char * grp_name);
static /*@noreturn@*/void usage (int status);
static void new_pwent (struct passwd *);
static void new_spent (struct spwd *);
@@ -201,9 +200,7 @@ static void grp_update (void);
static void process_flags (int, char **);
static void close_files (void);
-static void close_group_files (void);
static void open_files (void);
-static void open_group_files (void);
static void usr_update (void);
static void move_home (void);
static void update_lastlog (void);
@@ -261,11 +258,6 @@ static int get_groups (char *list)
}
/*
- * Open the group files
- */
- open_group_files ();
-
- /*
* So long as there is some data to be converted, strip off each
* name and look it up. A mix of numerical and string values for
* group identifiers is permitted.
@@ -284,7 +276,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical GID
* values, otherwise the string is looked up as is.
*/
- grp = get_local_group (list);
+ grp = prefix_getgr_nam_gid (list);
/*
* There must be a match, either by GID value or by
@@ -334,8 +326,6 @@ static int get_groups (char *list)
gr_free ((struct group *)grp);
} while (NULL != list);
- close_group_files ();
-
user_groups[ngroups] = (char *) 0;
/*
@@ -348,44 +338,6 @@ static int get_groups (char *list)
return 0;
}
-/*
- * get_local_group - checks if a given group name exists locally
- *
- * get_local_group() checks if a given group name exists locally.
- * If the name exists the group information is returned, otherwise NULL is
- * returned.
- */
-static struct group * get_local_group(char * grp_name)
-{
- const struct group *grp;
- struct group *result_grp = NULL;
- long long int gid;
- char *endptr;
-
- gid = strtoll (grp_name, &endptr, 10);
- if ( ('\0' != *grp_name)
- && ('\0' == *endptr)
- && (ERANGE != errno)
- && (gid == (gid_t)gid)) {
- grp = gr_locate_gid ((gid_t) gid);
- }
- else {
- grp = gr_locate(grp_name);
- }
-
- if (grp != NULL) {
- result_grp = __gr_dup (grp);
- if (NULL == result_grp) {
- fprintf (stderr,
- _("%s: Out of memory. Cannot find group '%s'.\n"),
- Prog, grp_name);
- fail_exit (E_GRP_UPDATE);
- }
- }
-
- return result_grp;
-}
-
#ifdef ENABLE_SUBIDS
struct ulong_range
{
@@ -1523,7 +1475,50 @@ static void close_files (void)
}
if (Gflg || lflg) {
- close_group_files ();
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ sgr_dbname ()));
+ /* continue */
+ }
+ }
+#endif
+ if (gr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ gr_dbname ()));
+ /* continue */
+ }
}
if (is_shadow_pwd) {
@@ -1593,60 +1588,6 @@ static void close_files (void)
}
/*
- * close_group_files - close all of the files that were opened
- *
- * close_group_files() closes all of the files that were opened related
- * with groups. This causes any modified entries to be written out.
- */
-static void close_group_files (void)
-{
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- sgr_dbname ()));
- /* continue */
- }
- }
-#endif
- if (gr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- gr_dbname ()));
- /* continue */
- }
-}
-
-/*
* open_files - lock and open the password files
*
* open_files() opens the two password files.
@@ -1681,7 +1622,38 @@ static void open_files (void)
}
if (Gflg || lflg) {
- open_group_files ();
+ /*
+ * Lock and open the group file. This will load all of the
+ * group entries.
+ */
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_lock () == 0)) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif
}
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
@@ -1718,44 +1690,6 @@ static void open_files (void)
}
/*
- * open_group_files - lock and open the group files
- *
- * open_group_files() loads all of the group entries.
- */
-static void open_group_files (void)
-{
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_lock () == 0)) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#endif
-}
-
-/*
* usr_update - create the user entries
*
* usr_update() creates the password file entries for this user and
--
1.8.3.1