shadow: Remove encrypted passwd for useradd-groupadd-groupmod-usermod

Remove encrypted passwd for useradd/groupadd/groupmod/usermod In groupadd/useradd, p parameter does not meet password complexity checks. Do not satisfy security requirements. use CONFIG_SHADOW_REMOVE_POPTION Signed-off-by: xiongshenglan <xiongshenglan@huawei.com>
2023-08-11 10:45:41 +08:00 · 2023-08-11 10:45:41 +08:00 · e024307bdc
commit e024307bdc
parent 0812d37b6c
2 changed files with 138 additions and 1 deletions
--- a/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch
+++ b/backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch
@ -0,0 +1,133 @@
+From 280a8474ad87f44f9620eeac75cbf8a34b5edc2f Mon Sep 17 00:00:00 2001
+From: xiongshenglan <xiongshenglan@huawei.com>
+Date: Thu, 27 Jul 2023 09:30:16 +0800
+Subject: [PATCH] shadow: Remove encrypted passwd for
+ useradd-groupadd-groupmod-usermod
+
+Remove encrypted passwd for useradd/groupadd/groupmod/usermod
+In groupadd/useradd, p parameter does not meet password complexity checks. Do
+not satisfy security requirements.
+
+Signed-off-by: xiongshenglan <xiongshenglan@huawei.com>
+---
+ src/groupadd.c | 4 ++++
+ src/groupmod.c | 4 ++++
+ src/useradd.c  | 4 ++++
+ src/usermod.c  | 4 ++++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/src/groupadd.c b/src/groupadd.c
+index d7f68b1..9b7a521 100644
+--- a/src/groupadd.c
+++ b/src/groupadd.c
+@@ -125,7 +125,9 @@ static /*@noreturn@*/void usage (int status)
+ 	(void) fputs (_("  -K, --key KEY=VALUE           override /etc/login.defs defaults\n"), usageout);
+ 	(void) fputs (_("  -o, --non-unique              allow to create groups with duplicate\n"
+ 	                "                                (non-unique) GID\n"), usageout);
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 	(void) fputs (_("  -p, --password PASSWORD       use this encrypted password for the new group\n"), usageout);
+#endif
+ 	(void) fputs (_("  -r, --system                  create a system account\n"), usageout);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -P, --prefix PREFIX_DI        directory prefix\n"), usageout);
+@@ -459,10 +461,12 @@ static void process_flags (int argc, char **argv)
+ 		case 'o':
+ 			oflg = true;
+ 			break;
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 		case 'p':
+ 			pflg = true;
+ 			group_passwd = optarg;
+ 			break;
+#endif
+ 		case 'r':
+ 			rflg = true;
+ 			break;
+diff --git a/src/groupmod.c b/src/groupmod.c
+index acd6f35..f9dcabd 100644
+--- a/src/groupmod.c
+++ b/src/groupmod.c
+@@ -139,8 +139,10 @@ static void usage (int status)
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -n, --new-name NEW_GROUP      change the name to NEW_GROUP\n"), usageout);
+ 	(void) fputs (_("  -o, --non-unique              allow to use a duplicate (non-unique) GID\n"), usageout);
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 	(void) fputs (_("  -p, --password PASSWORD       change the password to this (encrypted)\n"
+ 	                "                                PASSWORD\n"), usageout);
+#endif
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files\n"), usageout);
+ 	(void) fputs (_("  -U, --users USERS             list of user members of this group\n"), usageout);
+@@ -449,10 +451,12 @@ static void process_flags (int argc, char **argv)
+ 		case 'o':
+ 			oflg = true;
+ 			break;
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 		case 'p':
+ 			group_passwd = optarg;
+ 			pflg = true;
+ 			break;
+#endif
+ 		case 'R': /* no-op, handled in process_root_flag () */
+ 			break;
+ 		case 'P': /* no-op, handled in process_prefix_flag () */
+diff --git a/src/useradd.c b/src/useradd.c
+index 89abd5e..e5ba3dd 100644
+--- a/src/useradd.c
+++ b/src/useradd.c
+@@ -907,7 +907,9 @@ static void usage (int status)
+ 	                "                                the user\n"), usageout);
+ 	(void) fputs (_("  -o, --non-unique              allow to create users with duplicate\n"
+ 	                "                                (non-unique) UID\n"), usageout);
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 	(void) fputs (_("  -p, --password PASSWORD       encrypted password of the new account\n"), usageout);
+#endif
+ 	(void) fputs (_("  -r, --system                  create a system account\n"), usageout);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files\n"), usageout);
+@@ -1366,6 +1368,7 @@ static void process_flags (int argc, char **argv)
+ 			case 'o':
+ 				oflg = true;
+ 				break;
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 			case 'p':	/* set encrypted password */
+ 				if (!VALID (optarg)) {
+ 					fprintf (stderr,
+@@ -1375,6 +1378,7 @@ static void process_flags (int argc, char **argv)
+ 				}
+ 				user_pass = optarg;
+ 				break;
+#endif
+ 			case 'r':
+ 				rflg = true;
+ 				break;
+diff --git a/src/usermod.c b/src/usermod.c
+index ca8db92..509a50b 100644
+--- a/src/usermod.c
+++ b/src/usermod.c
+@@ -435,7 +435,9 @@ static /*@noreturn@*/void usage (int status)
+ 	(void) fputs (_("  -m, --move-home               move contents of the home directory to the\n"
+ 	                "                                new location (use only with -d)\n"), usageout);
+ 	(void) fputs (_("  -o, --non-unique              allow using duplicate (non-unique) UID\n"), usageout);
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 	(void) fputs (_("  -p, --password PASSWORD       use encrypted password for the new password\n"), usageout);
+#endif
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files\n"), usageout);
+ 	(void) fputs (_("  -s, --shell SHELL             new login shell for the user account\n"), usageout);
+@@ -1152,10 +1154,12 @@ static void process_flags (int argc, char **argv)
+ 			case 'o':
+ 				oflg = true;
+ 				break;
+#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ 			case 'p':
+ 				user_pass = optarg;
+ 				pflg = true;
+ 				break;
+#endif
+ 			case 'R': /* no-op, handled in process_root_flag () */
+ 				break;
+ 			case 'P': /* no-op, handled in process_prefix_flag () */
+-- 
+2.12.3
+
--- a/shadow.spec
+++ b/shadow.spec
@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.13
-Release: 5
+Release: 6
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@ -30,6 +30,7 @@ Patch10: backport-Read-whole-line-in-yes_or_no.patch
 Patch11: backport-commonio-free-removed-database-entries.patch
 Patch12: backport-semanage-disconnect-to-free-libsemanage-internals.patch
 Patch13: backport-run_parts-for-groupadd-and-groupdel.patch
+Patch14: backport-shadow-Remove-encrypted-passwd-for-useradd-gr.patch

 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@ -197,6 +198,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a}
 %{_mandir}/*/*

 %changelog
+* Fri Aug 11 2023 xiongshenglan<xiongshenglan@huawei.com> - 2:4.13-6
+- backport Remove encrypted passwd for useradd-groupadd-groupmod-usermod 
+
 * Mon Jun 19 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-5
 - backport patches from upstream