useradd: avoid generating an empty subid range (#1990653)

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-08-11 14:58:12 +02:00 · 2021-08-11 14:58:12 +02:00 · 3a32832856
parent 94f04f9e71
commit 3a32832856
2 changed files with 88 additions and 3 deletions
--- a/shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
+++ b/shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
@ -0,0 +1,79 @@
+diff --git a/src/useradd.c b/src/useradd.c
+index baeffb35..9abeea6e 100644
+--- a/src/useradd.c
+++ b/src/useradd.c
+@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
+ static bool sub_uid_locked = false;
+ static bool sub_gid_locked = false;
+ static uid_t sub_uid_start;	/* New subordinate uid range */
+-static unsigned long sub_uid_count;
+ static gid_t sub_gid_start;	/* New subordinate gid range */
+-static unsigned long sub_gid_count;
+ #endif				/* ENABLE_SUBIDS */
+ static bool pw_locked = false;
+ static bool gr_locked = false;
+@@ -234,7 +232,7 @@ static void open_shadow (void);
+ static void faillog_reset (uid_t);
+ static void lastlog_reset (uid_t);
+ static void tallylog_reset (const char *);
+-static void usr_update (void);
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
+ static void create_home (void);
+ static void create_mail (void);
+ static void check_uid_range(int rflg, uid_t user_id);
+@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
+  *	usr_update() creates the password file entries for this user
+  *	and will update the group entries if required.
+  */
+-static void usr_update (void)
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
+ {
+ 	struct passwd pwent;
+ 	struct spwd spent;
+@@ -2155,14 +2153,14 @@ static void usr_update (void)
+ 	}
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid &&
+-	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
+	    (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to prepare the new %s entry\n"),
+ 		         Prog, sub_uid_dbname ());
+ 		fail_exit (E_SUB_UID_UPDATE);
+ 	}
+ 	if (is_sub_gid &&
+-	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
+	    (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to prepare the new %s entry\n"),
+ 		         Prog, sub_uid_dbname ());
+@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
+ 	}
+ 
+ #ifdef ENABLE_SUBIDS
+-	if (is_sub_uid && sub_uid_count != 0) {
+-		if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
+	if (is_sub_uid && subuid_count != 0) {
+		if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
+ 			fprintf (stderr,
+ 			         _("%s: can't create subordinate user IDs\n"),
+ 			         Prog);
+ 			fail_exit(E_SUB_UID_UPDATE);
+ 		}
+ 	}
+-	if (is_sub_gid && sub_gid_count != 0) {
+-		if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
+	if (is_sub_gid && subgid_count != 0) {
+		if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
+ 			fprintf (stderr,
+ 			         _("%s: can't create subordinate group IDs\n"),
+ 			         Prog);
+@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
+ 	}
+ #endif				/* ENABLE_SUBIDS */
+ 
+-	usr_update ();
+	usr_update (subuid_count, subgid_count);
+ 
+ 	close_files ();
+ 
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 2
 URL: https://github.com/shadow-maint/shadow
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -44,10 +44,12 @@ Patch11: shadow-4.8-long-entry.patch
 Patch12: shadow-4.6-sysugid-min-limit.patch
 # Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
 Patch13: shadow-4.8-ignore-login-prompt.patch
-# https://github.com/shadow-maint/shadow/pull/395
+# https://github.com/shadow-maint/shadow/commit/c6847011e8b656adacd9a0d2a78418cad0de34cb
 Patch14: shadow-4.9-newuidmap-libeconf-dependency.patch
-# https://github.com/shadow-maint/shadow/pull/397
+# https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
 Patch15: shadow-4.9-usermod-allow-all-group-types.patch
+# https://github.com/shadow-maint/shadow/pull/399
+Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch

 License: BSD and GPLv2+
 BuildRequires: make
@ -111,6 +113,7 @@ Development files for shadow-utils-subid.
 %patch13 -p1 -b .login-prompt
 %patch14 -p1 -b .newuidmap-libeconf-dependency
 %patch15 -p1 -b .usermod-allow-all-group-types
+%patch16 -p1 -b .useradd-avoid-generating-empty-subid-range

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -281,6 +284,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so

 %changelog
+* Mon Aug  9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
+- useradd: avoid generating an empty subid range (#1990653)
+
 * Wed Aug  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
 - Rebase to version 4.9
 - usermod: allow all group types with -G option (#1975327)