- preserve ACL's on files in /etc/skel Resolves: #513055

2010-04-29 15:09:49 +00:00 · 2010-04-29 15:09:49 +00:00 · 4f86795e64
parent d787a9d254
commit 4f86795e64
3 changed files with 129 additions and 2 deletions
--- a/shadow-4.1.4.2-acl.patch
+++ b/shadow-4.1.4.2-acl.patch
@ -0,0 +1,121 @@
+diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c
+--- shadow-4.1.4.2/libmisc/copydir.c.acl	2010-04-29 15:55:26.949959971 +0200
+++ shadow-4.1.4.2/libmisc/copydir.c	2010-04-29 15:55:26.956960471 +0200
+@@ -45,6 +45,9 @@
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+ #endif
+#include <attr/error_context.h>
+#include <acl/libacl.h>
+
+ static /*@null@*/const char *src_orig;
+ static /*@null@*/const char *dst_orig;
+ 
+@@ -70,7 +73,7 @@ static int copy_symlink (const char *src
+ #endif
+ static int copy_hardlink (const char *src, const char *dst,
+                           struct link_name *lp);
+-static int copy_special (const char *dst,
+static int copy_special (const char *src, const char *dst,
+                          const struct stat *statp, const struct timeval mt[],
+                          long int uid, long int gid);
+ static int copy_file (const char *src, const char *dst,
+@@ -78,6 +81,24 @@ static int copy_file (const char *src, c
+                       long int uid, long int gid);
+ 
+ #ifdef WITH_SELINUX
+
+void error (struct error_context *ctx, const char *fmt, ...)
+{
+        va_list ap;
+ 
+        va_start (ap, fmt);
+        (void) fprintf (stderr, _("%s: "), Prog);
+        if (vfprintf (stderr, fmt, ap) != 0) {
+                (void) fputs (_(": "), stderr);
+        }
+        (void) fprintf (stderr, "%s\n", strerror (errno));
+        va_end (ap);
+}
+
+struct error_context ctx = {
+        error
+};
+
+ /*
+  * selinux_file_context - Set the security context before any file or
+  *                        directory creation.
+@@ -369,7 +390,7 @@ static int copy_entry (const char *src, 
+ 		 */
+ 
+ 		else if (!S_ISREG (sb.st_mode)) {
+-			err = copy_special (dst, &sb, mt, uid, gid);
+			err = copy_special (src, dst, &sb, mt, uid, gid);
+ 		}
+ 
+ 		/*
+@@ -413,6 +434,7 @@ static int copy_dir (const char *src, co
+ 	    || (chown (dst,
+ 	               (uid == - 1) ? statp->st_uid : (uid_t) uid,
+ 	               (gid == - 1) ? statp->st_gid : (gid_t) gid) != 0)
+	    || (perm_copy_file (src, dst, &ctx) != 0)
+ 	    || (chmod (dst, statp->st_mode) != 0)
+ 	    || (copy_tree (src, dst, uid, gid) != 0)
+ 	    || (utimes (dst, mt) != 0)) {
+@@ -514,6 +536,13 @@ static int copy_symlink (const char *src
+ 	    || (lchown (dst,
+ 	                (uid == -1) ? statp->st_uid : (uid_t) uid,
+ 	                (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)) {
+                /* FIXME: there are no modes on symlinks, right?
+                *        ACL could be copied, but this would be much more
+                *        complex than calling perm_copy_file.
+                *        Ditto for Extended Attributes.
+                *        We currently only document that ACL and Extended
+                *        Attributes are not copied.
+                */
+ 		free (oldlink);
+ 		return -1;
+ 	}
+@@ -542,7 +571,7 @@ static int copy_symlink (const char *src
+ static int copy_hardlink (const char *src, const char *dst,
+                           struct link_name *lp)
+ {
+-	/* TODO: selinux needed? */
+	/* TODO: selinux, ACL, Extended Attributes needed? */
+ 
+ 	if (link (lp->ln_name, dst) != 0) {
+ 		return -1;
+@@ -574,7 +603,7 @@ static int copy_hardlink (const char *sr
+  *
+  *	Return 0 on success, -1 on error.
+  */
+-static int copy_special (const char *dst,
+static int copy_special (const char *src, const char *dst,
+                          const struct stat *statp, const struct timeval mt[],
+                          long int uid, long int gid)
+ {
+@@ -628,7 +657,7 @@ static int copy_file (const char *src, c
+ 	    || (fchown (ofd,
+ 	                (uid == -1) ? statp->st_uid : (uid_t) uid,
+ 	                (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)
+-	    || (fchmod (ofd, statp->st_mode & 07777) != 0)) {
+	    || (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) ) {
+ 		(void) close (ifd);
+ 		return -1;
+ 	}
+diff -up shadow-4.1.4.2/src/Makefile.in.acl shadow-4.1.4.2/src/Makefile.in
+--- shadow-4.1.4.2/src/Makefile.in.acl	2009-07-24 03:16:00.000000000 +0200
+++ shadow-4.1.4.2/src/Makefile.in	2010-04-29 16:08:34.347960372 +0200
+@@ -430,9 +430,9 @@ su_SOURCES = \
+ 
+ su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ sulogin_LDADD = $(LDADD) $(LIBCRYPT)
+-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+ vipw_LDADD = $(LDADD) $(LIBSELINUX)
+ all: all-am
+ 
--- a/shadow-4.1.4.2-infoParentDir.patch
+++ b/shadow-4.1.4.2-infoParentDir.patch
@ -6,7 +6,7 @@ diff -up shadow-4.1.4.2/man/newusers.8.infoParentDir shadow-4.1.4.2/man/newusers
 This field is used to define the home directory of the user\&.
 .sp
 -If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&.
-+If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&.Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&.
+If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&.
 .sp
 If the home directory of an existing user is changed,
 \fBnewusers\fR
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.4.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@ -13,6 +13,7 @@ Patch2: shadow-4.1.4.2-leak.patch
 Patch3: shadow-4.1.4.2-fixes.patch
 Patch4: shadow-4.1.4.2-infoParentDir.patch
 Patch5: shadow-4.1.4.2-semange.patch
+Patch6: shadow-4.1.4.2-acl.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
@ -43,6 +44,7 @@ are used for managing group accounts.
 %patch3 -p1 -b .fixes
 %patch4 -p1 -b .infoParentDir
 %patch5 -p1 -b .semange
+%patch6 -p1 -b .acl

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -185,6 +187,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*

 %changelog
+* Thu Apr 29 2010 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.2-6
+- preserve ACL's on files in /etc/skel 
+  Resolves: #513055 
+
 * Wed Apr 28 2010 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.2-5
 - newusers man page more informative
 - userdel should not need to run semanage