From b76250c68afcfb22146f4f0053d82a0975e85252 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz
Date: Mon, 13 Jan 2020 11:46:38 +0100
Subject: [PATCH] update to current upstream release 4.8
---
 .gitignore | 2 +
 shadow-4.2.1-no-lock-dos.patch | 16 -
 shadow-4.5-crypt_h.patch | 41 --
 shadow-4.6-chgrp-guard.patch | 44 --
 shadow-4.6-coverity.patch | 223 ------
 shadow-4.6-ignore-login-prompt.patch | 11 -
 shadow-4.6-orig-context.patch | 128 ----
 shadow-4.6-selinux.patch | 115 ----
 shadow-4.6-sssd-flush.patch | 641 ------------------
 shadow-4.6-use-itstool.patch | 31 -
 shadow-4.6-use-lckpwdf.patch | 190 ------
 shadow-4.6-usermod-crash.patch | 42 --
 ...ate.patch => shadow-4.8-audit-update.patch | 538 +++++++--------
 shadow-4.8-crypt_h.patch | 35 +
 ...oodname.patch => shadow-4.8-goodname.patch | 38 +-
 shadow-4.8-ignore-login-prompt.patch | 11 +
 ...entry.patch => shadow-4.8-long-entry.patch | 36 +-
 ....1-manfix.patch => shadow-4.8-manfix.patch | 216 +++--
 ...ms.patch => shadow-4.8-selinux-perms.patch | 76 +-
 shadow-4.8-selinux.patch | 241 +++++++
 shadow-utils.spec | 58 +-
 sources | 4 +-
 22 files changed, 744 insertions(+), 1993 deletions(-)
 delete mode 100644 shadow-4.2.1-no-lock-dos.patch
 delete mode 100644 shadow-4.5-crypt_h.patch
 delete mode 100644 shadow-4.6-chgrp-guard.patch
 delete mode 100644 shadow-4.6-coverity.patch
 delete mode 100644 shadow-4.6-ignore-login-prompt.patch
 delete mode 100644 shadow-4.6-orig-context.patch
 delete mode 100644 shadow-4.6-selinux.patch
 delete mode 100644 shadow-4.6-sssd-flush.patch
 delete mode 100644 shadow-4.6-use-itstool.patch
 delete mode 100644 shadow-4.6-use-lckpwdf.patch
 delete mode 100644 shadow-4.6-usermod-crash.patch
 rename shadow-4.6-audit-update.patch => shadow-4.8-audit-update.patch (87%)
 create mode 100644 shadow-4.8-crypt_h.patch
 rename shadow-4.5-goodname.patch => shadow-4.8-goodname.patch (79%)
 create mode 100644 shadow-4.8-ignore-login-prompt.patch
 rename shadow-4.5-long-entry.patch => shadow-4.8-long-entry.patch (64%)
 rename shadow-4.3.1-manfix.patch => shadow-4.8-manfix.patch (74%)
 rename 
shadow-4.3.1-selinux-perms.patch => shadow-4.8-selinux-perms.patch (65%)
 create mode 100644 shadow-4.8-selinux.patch
diff --git a/.gitignore b/.gitignore
index 3b04b1e..9e9905a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,5 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.5.tar.xz.asc
 /shadow-4.6.tar.xz
 /shadow-4.6.tar.xz.asc
+/shadow-4.8.tar.xz
+/shadow-4.8.tar.xz.asc
diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch
deleted file mode 100644
index c6873e9..0000000
--- a/shadow-4.2.1-no-lock-dos.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: shadow-4.5/lib/commonio.c
-===================================================================
---- shadow-4.5.orig/lib/commonio.c
-+++ shadow-4.5/lib/commonio.c
-@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
- int retval;
- char buf[32];
- 
-- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
-+ /* We depend here on the fact, that the file name is pid-specific.
-+ * So no O_EXCL here and no DoS.
-+ */
-+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
- if (-1 == fd) {
- if (log) {
- (void) fprintf (stderr,
diff --git a/shadow-4.5-crypt_h.patch b/shadow-4.5-crypt_h.patch
deleted file mode 100644
index c8d19e4..0000000
--- a/shadow-4.5-crypt_h.patch
+++ /dev/null 
@@ -1,41 +0,0 @@ -Index: shadow-4.5/configure.ac -=================================================================== ---- shadow-4.5.orig/configure.ac -+++ shadow-4.5/configure.ac -@@ -32,9 +32,9 @@ AC_HEADER_STDC - AC_HEADER_SYS_WAIT - AC_HEADER_STDBOOL - --AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \ -- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \ -- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ -+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \ -+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \ -+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ - locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \ - attr/error_context.h) - -Index: shadow-4.5/lib/defines.h -=================================================================== ---- shadow-4.5.orig/lib/defines.h -+++ shadow-4.5/lib/defines.h -@@ -4,6 +4,8 @@ - #ifndef _DEFINES_H_ - #define _DEFINES_H_ - -+#include "config.h" -+ - #if HAVE_STDBOOL_H - # include - #else -@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok () - # include - #endif - -+#if HAVE_CRYPT_H -+# include /* crypt(3) may be defined in here */ -+#endif -+ - #if TIME_WITH_SYS_TIME - # include - # include diff --git a/shadow-4.6-chgrp-guard.patch b/shadow-4.6-chgrp-guard.patch deleted file mode 100644 index 2918684..0000000 --- a/shadow-4.6-chgrp-guard.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml ---- shadow-4.6/man/usermod.8.xml.chgrp-guard 2018-11-06 09:08:54.170095358 +0100 -+++ shadow-4.6/man/usermod.8.xml 2018-12-18 15:24:12.283181180 +0100 -@@ -195,6 +195,12 @@ - The group ownership of files outside of the user's home directory - must be fixed manually. - -+ -+ The change of the group ownership of files inside of the user's -+ home directory is also not done if the home dir owner uid is -+ different from the current or new user id. This is safety measure -+ for special home directories such as /. -+ - - - -@@ -372,6 +378,12 @@ - must be fixed manually. - - -+ The change of the user ownership of files inside of the user's -+ home directory is also not done if the home dir owner uid is -+ different from the current or new user id. This is safety measure -+ for special home directories such as /. -+ -+ - No checks will be performed with regard to the - , , - , or -diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c ---- shadow-4.6/src/usermod.c.chgrp-guard 2018-12-18 15:24:12.286181249 +0100 -+++ shadow-4.6/src/usermod.c 2018-12-18 15:26:51.227841435 +0100 -@@ -2336,7 +2336,10 @@ int main (int argc, char **argv) - } - - if (!mflg && (uflg || gflg)) { -- if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) { -+ struct stat sb; -+ -+ if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 && -+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) { - /* - * Change the UID on all of the files owned by - * `user_id' to `user_newid' in the user's home diff --git a/shadow-4.6-coverity.patch b/shadow-4.6-coverity.patch deleted file mode 100644 index 44533e2..0000000 --- a/shadow-4.6-coverity.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c ---- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200 -+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200 -@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni - char* lock = NULL; - size_t lock_file_len; - size_t file_len; -- int err; -+ int err = 0; - - if (db->locked) { - return 1; -@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni - lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */ - file = (char*)malloc(file_len); - if(file == NULL) { -- err = ENOMEM; - goto cleanup_ENOMEM; - } - lock = (char*)malloc(lock_file_len); - if(lock == NULL) { -- err = ENOMEM; - goto cleanup_ENOMEM; - } - snprintf (file, file_len, "%s.%lu", -diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c ---- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200 -@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin - static bool is_listed (const char *cfgin, const char *tty, bool def) - { - FILE *fp; -- char buf[200], *s; -+ char buf[1024], *s; - const char *cons; - - /* -@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin - - if (*cons != '/') { - char *pbuf; -- strcpy (buf, cons); -+ strncpy (buf, cons, sizeof (buf)); -+ buf[sizeof (buf) - 1] = '\0'; - pbuf = &buf[0]; - while ((s = strtok (pbuf, ":")) != NULL) { - if (strcmp (s, tty) == 0) { -diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c ---- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200 -+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200 -@@ -69,7 +69,7 @@ int run_command (const char *cmd, const - do { - wpid = waitpid (pid, status, 0); - } while ( ((pid_t)-1 == wpid && errno == EINTR) -- || (wpid != pid)); -+ || ((pid_t)-1 != wpid && wpid != pid)); - - if ((pid_t)-1 == wpid) { - fprintf (stderr, "%s: waitpid 
(status: %d): %s\n", -diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200 -+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200 -@@ -314,7 +314,7 @@ static void fail_exit (int code) - static void get_defaults (void) - { - FILE *fp; -- char* default_file = USER_DEFAULTS_FILE; -+ char *default_file = USER_DEFAULTS_FILE; - char buf[1024]; - char *cp; - -@@ -324,6 +324,8 @@ static void get_defaults (void) - - len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2; - default_file = malloc(len); -+ if (default_file == NULL) -+ return; - wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE); - assert (wlen == (int) len -1); - } -@@ -334,7 +336,7 @@ static void get_defaults (void) - - fp = fopen (default_file, "r"); - if (NULL == fp) { -- return; -+ goto getdef_err; - } - - /* -@@ -445,7 +447,7 @@ static void get_defaults (void) - } - } - (void) fclose (fp); -- -+ getdef_err: - if(prefix[0]) { - free(default_file); - } -@@ -480,8 +482,8 @@ static int set_defaults (void) - FILE *ifp; - FILE *ofp; - char buf[1024]; -- char* new_file = NEW_USER_FILE; -- char* default_file = USER_DEFAULTS_FILE; -+ char *new_file = NULL; -+ char *default_file = USER_DEFAULTS_FILE; - char *cp; - int ofd; - int wlen; -@@ -492,17 +494,30 @@ static int set_defaults (void) - bool out_shell = false; - bool out_skel = false; - bool out_create_mail_spool = false; -+ size_t len; -+ int ret = -1; - -- if(prefix[0]) { -- size_t len; - -- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2; -- new_file = malloc(len); -- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE); -- assert (wlen == (int) len -1); -+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2; -+ new_file = malloc(len); -+ if (new_file == NULL) { -+ fprintf (stderr, -+ _("%s: cannot create new defaults file: %s\n"), -+ Prog, strerror(errno)); -+ return -1; -+ } -+ wlen = snprintf(new_file, len, "%s%s%s", prefix, 
prefix[0]?"/":"", NEW_USER_FILE); -+ assert (wlen <= (int) len -1); - -+ if(prefix[0]) { - len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2; - default_file = malloc(len); -+ if (default_file == NULL) { -+ fprintf (stderr, -+ _("%s: cannot create new defaults file: %s\n"), -+ Prog, strerror(errno)); -+ goto setdef_err; -+ } - wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE); - assert (wlen == (int) len -1); - } -@@ -515,7 +530,7 @@ static int set_defaults (void) - fprintf (stderr, - _("%s: cannot create new defaults file\n"), - Prog); -- return -1; -+ goto setdef_err; - } - - ofp = fdopen (ofd, "w"); -@@ -523,7 +538,7 @@ static int set_defaults (void) - fprintf (stderr, - _("%s: cannot open new defaults file\n"), - Prog); -- return -1; -+ goto setdef_err; - } - - /* -@@ -550,7 +565,7 @@ static int set_defaults (void) - _("%s: line too long in %s: %s..."), - Prog, default_file, buf); - (void) fclose (ifp); -- return -1; -+ goto setdef_err; - } - } - -@@ -614,7 +629,7 @@ static int set_defaults (void) - || (fsync (fileno (ofp)) != 0) - || (fclose (ofp) != 0)) { - unlink (new_file); -- return -1; -+ goto setdef_err; - } - - /* -@@ -629,7 +644,7 @@ static int set_defaults (void) - _("%s: Cannot create backup file (%s): %s\n"), - Prog, buf, strerror (err)); - unlink (new_file); -- return -1; -+ goto setdef_err; - } - - /* -@@ -640,11 +655,11 @@ static int set_defaults (void) - fprintf (stderr, - _("%s: rename: %s: %s\n"), - Prog, new_file, strerror (err)); -- return -1; -+ goto setdef_err; - } - #ifdef WITH_AUDIT - audit_logger (AUDIT_USYS_CONFIG, Prog, -- "changing-useradd-defaults", -+ "changing useradd defaults", - NULL, AUDIT_NO_ID, - SHADOW_AUDIT_SUCCESS); - #endif -@@ -654,13 +669,14 @@ static int set_defaults (void) - (unsigned int) def_group, def_home, def_shell, - def_inactive, def_expire, def_template, - def_create_mail_spool)); -- -+ ret = 0; -+ setdef_err: -+ free(new_file); - if(prefix[0]) { -- free(new_file); - 
free(default_file); - } - -- return 0; -+ return ret; - } - - /* diff --git a/shadow-4.6-ignore-login-prompt.patch b/shadow-4.6-ignore-login-prompt.patch deleted file mode 100644 index faf50f7..0000000 --- a/shadow-4.6-ignore-login-prompt.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c ---- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100 -@@ -94,6 +94,7 @@ static struct itemdef def_table[] = { - {"KILLCHAR", NULL}, - {"LOGIN_RETRIES", NULL}, - {"LOGIN_TIMEOUT", NULL}, -+ {"LOGIN_PLAIN_PROMPT", NULL}, - {"LOG_OK_LOGINS", NULL}, - {"LOG_UNKFAIL_ENAB", NULL}, - {"MAIL_DIR", NULL}, diff --git a/shadow-4.6-orig-context.patch b/shadow-4.6-orig-context.patch deleted file mode 100644 index ea522e7..0000000 --- a/shadow-4.6-orig-context.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c ---- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200 -@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db * - snprintf (buf, sizeof buf, "%s-", db->filename); - - #ifdef WITH_SELINUX -- if (set_selinux_file_context (buf) != 0) { -+ if (set_selinux_file_context (buf, db->filename) != 0) { - errors++; - } - #endif -@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db * - snprintf (buf, sizeof buf, "%s+", db->filename); - - #ifdef WITH_SELINUX -- if (set_selinux_file_context (buf) != 0) { -+ if (set_selinux_file_context (buf, db->filename) != 0) { - errors++; - } - #endif -diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c ---- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200 -@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co - */ - - #ifdef WITH_SELINUX -- if (set_selinux_file_context (dst) != 0) { -+ if (set_selinux_file_context (dst, NULL) != 0) { - return -1; - } - #endif /* WITH_SELINUX */ -@@ -605,7 +605,7 @@ static int copy_symlink (const char *src - } - - #ifdef WITH_SELINUX -- if (set_selinux_file_context (dst) != 0) { -+ if (set_selinux_file_context (dst, NULL) != 0) { - free (oldlink); - return -1; - } -@@ -684,7 +684,7 @@ static int copy_special (const char *src - int err = 0; - - #ifdef WITH_SELINUX -- if (set_selinux_file_context (dst) != 0) { -+ if (set_selinux_file_context (dst, NULL) != 0) { - return -1; - } - #endif /* WITH_SELINUX */ -@@ -744,7 +744,7 @@ static int copy_file (const char *src, c - return -1; - } - #ifdef WITH_SELINUX -- if (set_selinux_file_context (dst) != 0) { -+ if (set_selinux_file_context (dst, NULL) != 0) { - return -1; - } - #endif /* WITH_SELINUX */ -diff -up 
shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h ---- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200 -@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m - - /* selinux.c */ - #ifdef WITH_SELINUX --extern int set_selinux_file_context (const char *dst_name); -+extern int set_selinux_file_context (const char *dst_name, const char *orig_name); - extern int reset_selinux_file_context (void); - #endif - -diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c ---- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200 -@@ -50,7 +50,7 @@ static bool selinux_enabled; - * Callers may have to Reset SELinux to create files with default - * contexts with reset_selinux_file_context - */ --int set_selinux_file_context (const char *dst_name) -+int set_selinux_file_context (const char *dst_name, const char *orig_name) - { - /*@null@*/security_context_t scontext = NULL; - -@@ -62,19 +62,23 @@ int set_selinux_file_context (const char - if (selinux_enabled) { - /* Get the default security context for this file */ - if (matchpathcon (dst_name, 0, &scontext) < 0) { -- if (security_getenforce () != 0) { -- return 1; -- } -+ /* We could not get the default, copy the original */ -+ if (orig_name == NULL) -+ goto error; -+ if (getfilecon (orig_name, &scontext) < 0) -+ goto error; - } - /* Set the security context for the next created file */ -- if (setfscreatecon (scontext) < 0) { -- if (security_getenforce () != 0) { -- return 1; -- } -- } -+ if (setfscreatecon (scontext) < 0) -+ goto error; - freecon (scontext); - } - return 0; -+ error: -+ if (security_getenforce () != 0) { -+ return 1; -+ } -+ return 0; - } - - /* -diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 
+0200 -+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200 -@@ -2020,7 +2020,7 @@ static void create_home (void) - { - if (access (prefix_user_home, F_OK) != 0) { - #ifdef WITH_SELINUX -- if (set_selinux_file_context (prefix_user_home) != 0) { -+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) { - fprintf (stderr, - _("%s: cannot set SELinux context for home directory %s\n"), - Prog, user_home); diff --git a/shadow-4.6-selinux.patch b/shadow-4.6-selinux.patch deleted file mode 100644 index dfd5140..0000000 --- a/shadow-4.6-selinux.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c ---- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200 -@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, - - ret = 0; - -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_seuser_key_free (key); - semanage_handle_destroy (handle); -@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) - } - - ret = 0; -+ -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_handle_destroy (handle); - return ret; -diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200 -+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200 -@@ -2120,6 +2120,7 @@ static void create_mail (void) - */ - int main (int argc, char **argv) - { -+ int rv = E_SUCCESS; - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -2342,27 +2343,11 @@ int main (int argc, char **argv) - - usr_update (); - -- if (mflg) { -- create_home (); -- if (home_added) { -- copy_tree (def_template, prefix_user_home, false, false, -- (uid_t)-1, user_id, (gid_t)-1, user_gid); -- } else { -- fprintf (stderr, -- _("%s: warning: the home directory already exists.\n" -- "Not copying any file from skel directory into it.\n"), -- Prog); -- } -- -- } -- -- /* Do not create mail directory for system accounts */ -- if (!rflg) { -- create_mail (); -- } -- - close_files (); - -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ - /* - * tallylog_reset needs to be able to lookup - * a valid existing user name, -@@ -2373,8 +2358,9 @@ int main (int argc, char **argv) - } - - #ifdef WITH_SELINUX -- if (Zflg) { -- if (set_seuser (user_name, user_selinux) != 0) { -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ if (set_seuser (user_name, 
user_selinux) != 0) { - fprintf (stderr, - _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), - Prog, user_name, user_selinux); -@@ -2383,14 +2369,31 @@ int main (int argc, char **argv) - "adding SELinux user mapping", - user_name, (unsigned int) user_id, 0); - #endif /* WITH_AUDIT */ -- fail_exit (E_SE_UPDATE); -+ rv = E_SE_UPDATE; -+ } - } - } --#endif /* WITH_SELINUX */ -+#endif - -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -+ if (mflg) { -+ create_home (); -+ if (home_added) { -+ copy_tree (def_template, prefix_user_home, false, true, -+ (uid_t)-1, user_id, (gid_t)-1, user_gid); -+ } else { -+ fprintf (stderr, -+ _("%s: warning: the home directory already exists.\n" -+ "Not copying any file from skel directory into it.\n"), -+ Prog); -+ } -+ -+ } -+ -+ /* Do not create mail directory for system accounts */ -+ if (!rflg) { -+ create_mail (); -+ } - -- return E_SUCCESS; -+ return rv; - } - diff --git a/shadow-4.6-sssd-flush.patch b/shadow-4.6-sssd-flush.patch deleted file mode 100644 index 025c1d3..0000000 --- a/shadow-4.6-sssd-flush.patch +++ /dev/null 
@@ -1,641 +0,0 @@ -From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 12 Sep 2018 14:22:11 +0200 -Subject: [PATCH] Flush sssd caches in addition to nscd caches - -Some distributions, notably Fedora, have the following order of nsswitch -modules by default: - passwd: sss files - group: sss files - -The advantage of serving local users through SSSD is that the nss_sss -module has a fast mmapped-cache that speeds up NSS lookups compared to -accessing the disk an opening the files on each NSS request. - -Traditionally, this has been done with the help of nscd, but using nscd -in parallel with sssd is cumbersome, as both SSSD and nscd use their own -independent caching, so using nscd in setups where sssd is also serving -users from some remote domain (LDAP, AD, ...) can result in a bit of -unpredictability. - -More details about why Fedora chose to use sss before files can be found -on e.g.: - https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers -or: - https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html - -Now, even though sssd watches the passwd and group files with the help -of inotify, there can still be a small window where someone requests a -user or a group, finds that it doesn't exist, adds the entry and checks -again. Without some support in shadow-utils that would explicitly drop -the sssd caches, the inotify watch can fire a little late, so a -combination of commands like this: - getent passwd user || useradd user; getent passwd user -can result in the second getent passwd not finding the newly added user -as the racy behaviour might still return the cached negative hit from -the first getent passwd. - -This patch more or less copies the already existing support that -shadow-utils had for dropping nscd caches, except using the "sss_cache" -tool that sssd ships. 
---- - configure.ac | 10 +++++++ - lib/Makefile.am | 2 ++ - lib/commonio.c | 2 ++ - lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ - lib/sssd.h | 17 +++++++++++ - src/chfn.c | 2 ++ - src/chgpasswd.c | 2 ++ - src/chpasswd.c | 2 ++ - src/chsh.c | 2 ++ - src/gpasswd.c | 2 ++ - src/groupadd.c | 2 ++ - src/groupdel.c | 2 ++ - src/groupmod.c | 2 ++ - src/grpck.c | 2 ++ - src/grpconv.c | 2 ++ - src/grpunconv.c | 2 ++ - src/newusers.c | 2 ++ - src/passwd.c | 2 ++ - src/pwck.c | 2 ++ - src/pwconv.c | 2 ++ - src/pwunconv.c | 2 ++ - src/useradd.c | 2 ++ - src/userdel.c | 2 ++ - src/usermod.c | 2 ++ - src/vipw.c | 2 ++ - 25 files changed, 146 insertions(+) - create mode 100644 lib/sssd.c - create mode 100644 lib/sssd.h - -diff --git a/configure.ac b/configure.ac -index 41068a5d..10ad70cf 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt, - AC_ARG_WITH(nscd, - [AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])], - [with_nscd=$withval], [with_nscd=yes]) -+AC_ARG_WITH(sssd, -+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])], -+ [with_sssd=$withval], [with_sssd=yes]) - AC_ARG_WITH(group-name-max-length, - [AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])], - [with_group_name_max_length=$withval], [with_group_name_max_length=yes]) -@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then - [AC_MSG_ERROR([posix_spawn is needed for nscd support])]) - fi - -+if test "$with_sssd" = "yes"; then -+ AC_CHECK_FUNC(posix_spawn, -+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])], -+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])]) -+fi -+ - dnl Check for some functions in libc first, only if not found check for - dnl other libraries. This should prevent linking libnsl if not really - dnl needed (Linux glibc, Irix), but still link it if needed (Solaris). 
-@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp" - echo " S/Key support: $with_skey" - echo " SHA passwords encryption: $with_sha_crypt" - echo " nscd support: $with_nscd" -+echo " sssd support: $with_sssd" - echo " subordinate IDs support: $enable_subids" - echo -diff --git a/lib/Makefile.am b/lib/Makefile.am -index 6db86cd6..fd634542 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \ - lockpw.c \ - nscd.c \ - nscd.h \ -+ sssd.c \ -+ sssd.h \ - pam_defs.h \ - port.c \ - port.h \ -diff --git a/lib/commonio.c b/lib/commonio.c -index d06b8e7d..96f2d5f7 100644 ---- a/lib/commonio.c -+++ b/lib/commonio.c -@@ -45,6 +45,7 @@ - #include - #include - #include "nscd.h" -+#include "sssd.h" - #ifdef WITH_TCB - #include - #endif /* WITH_TCB */ -@@ -485,6 +486,7 @@ static void dec_lock_count (void) - if (nscd_need_reload) { - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); - nscd_need_reload = false; - } - #ifdef HAVE_LCKPWDF -diff --git a/lib/sssd.c b/lib/sssd.c -new file mode 100644 -index 00000000..80e49e55 ---- /dev/null -+++ b/lib/sssd.c -@@ -0,0 +1,75 @@ -+/* Author: Peter Vrabec */ -+ -+#include -+#ifdef USE_SSSD -+ -+#include -+#include -+#include -+#include "exitcodes.h" -+#include "defines.h" -+#include "prototypes.h" -+#include "sssd.h" -+ -+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n" -+ -+int sssd_flush_cache (int dbflags) -+{ -+ int status, code, rv; -+ const char *cmd = "/usr/sbin/sss_cache"; -+ char *sss_cache_args = NULL; -+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL}; -+ const char *spawnedEnv[] = {NULL}; -+ int i = 0; -+ -+ sss_cache_args = malloc(4); -+ if (sss_cache_args == NULL) { -+ return -1; -+ } -+ -+ sss_cache_args[i++] = '-'; -+ if (dbflags & SSSD_DB_PASSWD) { -+ sss_cache_args[i++] = 'U'; -+ } -+ if (dbflags & SSSD_DB_GROUP) { -+ sss_cache_args[i++] = 'G'; -+ } -+ 
sss_cache_args[i++] = '\0'; -+ if (i == 2) { -+ /* Neither passwd nor group, nothing to do */ -+ free(sss_cache_args); -+ return 0; -+ } -+ spawnedArgs[1] = sss_cache_args; -+ -+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status); -+ free(sss_cache_args); -+ if (rv != 0) { -+ /* run_command writes its own more detailed message. */ -+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog); -+ return -1; -+ } -+ -+ code = WEXITSTATUS (status); -+ if (!WIFEXITED (status)) { -+ (void) fprintf (stderr, -+ _("%s: sss_cache did not terminate normally (signal %d)\n"), -+ Prog, WTERMSIG (status)); -+ return -1; -+ } else if (code == E_CMD_NOTFOUND) { -+ /* sss_cache is not installed, or it is installed but uses an -+ interpreter that is missing. Probably the former. */ -+ return 0; -+ } else if (code != 0) { -+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"), -+ Prog, code); -+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog); -+ return -1; -+ } -+ -+ return 0; -+} -+#else /* USE_SSSD */ -+extern int errno; /* warning: ANSI C forbids an empty source file */ -+#endif /* USE_SSSD */ -+ -diff --git a/lib/sssd.h b/lib/sssd.h -new file mode 100644 -index 00000000..00ff2a8a ---- /dev/null -+++ b/lib/sssd.h -@@ -0,0 +1,17 @@ -+#ifndef _SSSD_H_ -+#define _SSSD_H_ -+ -+#define SSSD_DB_PASSWD 0x001 -+#define SSSD_DB_GROUP 0x002 -+ -+/* -+ * sssd_flush_cache - flush specified service buffer in sssd cache -+ */ -+#ifdef USE_SSSD -+extern int sssd_flush_cache (int dbflags); -+#else -+#define sssd_flush_cache(service) (0) -+#endif -+ -+#endif -+ -diff --git a/src/chfn.c b/src/chfn.c -index 18aa3de7..0725e1c7 100644 ---- a/src/chfn.c -+++ b/src/chfn.c -@@ -47,6 +47,7 @@ - #include "defines.h" - #include "getdef.h" - #include "nscd.h" -+#include "sssd.h" - #ifdef USE_PAM - #include "pam_defs.h" - #endif -@@ -746,6 +747,7 @@ int main (int argc, char **argv) - SYSLOG ((LOG_INFO, "changed user '%s' information", user)); - - nscd_flush_cache 
("passwd"); -+ sssd_flush_cache (SSSD_DB_PASSWD); - - closelog (); - exit (E_SUCCESS); -diff --git a/src/chgpasswd.c b/src/chgpasswd.c -index 13203a46..e5f2eb7e 100644 ---- a/src/chgpasswd.c -+++ b/src/chgpasswd.c -@@ -46,6 +46,7 @@ - #endif /* ACCT_TOOLS_SETUID */ - #include "defines.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "groupio.h" - #ifdef SHADOWGRP -@@ -581,6 +582,7 @@ int main (int argc, char **argv) - close_files (); - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - return (0); - } -diff --git a/src/chpasswd.c b/src/chpasswd.c -index 918b27ee..49e79cdb 100644 ---- a/src/chpasswd.c -+++ b/src/chpasswd.c -@@ -44,6 +44,7 @@ - #endif /* USE_PAM */ - #include "defines.h" - #include "nscd.h" -+#include "sssd.h" - #include "getdef.h" - #include "prototypes.h" - #include "pwio.h" -@@ -624,6 +625,7 @@ int main (int argc, char **argv) - } - - nscd_flush_cache ("passwd"); -+ sssd_flush_cache (SSSD_DB_PASSWD); - - return (0); - } -diff --git a/src/chsh.c b/src/chsh.c -index c89708b9..910e3dd4 100644 ---- a/src/chsh.c -+++ b/src/chsh.c -@@ -46,6 +46,7 @@ - #include "defines.h" - #include "getdef.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "pwauth.h" - #include "pwio.h" -@@ -557,6 +558,7 @@ int main (int argc, char **argv) - SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh)); - - nscd_flush_cache ("passwd"); -+ sssd_flush_cache (SSSD_DB_PASSWD); - - closelog (); - exit (E_SUCCESS); -diff --git a/src/gpasswd.c b/src/gpasswd.c -index c4a492b1..4d75af96 100644 ---- a/src/gpasswd.c -+++ b/src/gpasswd.c -@@ -45,6 +45,7 @@ - #include "defines.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #ifdef SHADOWGRP - #include "sgroupio.h" -@@ -1201,6 +1202,7 @@ int main (int argc, char **argv) - close_files (); - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - exit (E_SUCCESS); - } -diff --git 
a/src/groupadd.c b/src/groupadd.c -index b57006c5..2dd8eec9 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -51,6 +51,7 @@ - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #ifdef SHADOWGRP - #include "sgroupio.h" -@@ -625,6 +626,7 @@ int main (int argc, char **argv) - close_files (); - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - return E_SUCCESS; - } -diff --git a/src/groupdel.c b/src/groupdel.c -index 70bed010..f941a84a 100644 ---- a/src/groupdel.c -+++ b/src/groupdel.c -@@ -49,6 +49,7 @@ - #include "defines.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #ifdef SHADOWGRP - #include "sgroupio.h" -@@ -492,6 +493,7 @@ int main (int argc, char **argv) - close_files (); - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - return E_SUCCESS; - } -diff --git a/src/groupmod.c b/src/groupmod.c -index b293b98f..1dca5fc9 100644 ---- a/src/groupmod.c -+++ b/src/groupmod.c -@@ -51,6 +51,7 @@ - #include "groupio.h" - #include "pwio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #ifdef SHADOWGRP - #include "sgroupio.h" -@@ -877,6 +878,7 @@ int main (int argc, char **argv) - close_files (); - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - return E_SUCCESS; - } -diff --git a/src/grpck.c b/src/grpck.c -index ea5d3b39..6140b10d 100644 ---- a/src/grpck.c -+++ b/src/grpck.c -@@ -45,6 +45,7 @@ - #include "defines.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - - #ifdef SHADOWGRP -@@ -870,6 +871,7 @@ int main (int argc, char **argv) - close_files (changed); - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - /* - * Tell the user what we did and exit. 
-diff --git a/src/grpconv.c b/src/grpconv.c -index f95f4960..5e5eaaca 100644 ---- a/src/grpconv.c -+++ b/src/grpconv.c -@@ -48,6 +48,7 @@ - #include - #include - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - /*@-exitarg@*/ - #include "exitcodes.h" -@@ -273,6 +274,7 @@ int main (int argc, char **argv) - } - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - return 0; - } -diff --git a/src/grpunconv.c b/src/grpunconv.c -index 253f06f5..e4105c26 100644 ---- a/src/grpunconv.c -+++ b/src/grpunconv.c -@@ -48,6 +48,7 @@ - #include - #include - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - /*@-exitarg@*/ - #include "exitcodes.h" -@@ -236,6 +237,7 @@ int main (int argc, char **argv) - } - - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_GROUP); - - return 0; - } -diff --git a/src/newusers.c b/src/newusers.c -index 8e4bef97..7c3bb1c2 100644 ---- a/src/newusers.c -+++ b/src/newusers.c -@@ -62,6 +62,7 @@ - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "pwio.h" - #include "sgroupio.h" - #include "shadowio.h" -@@ -1233,6 +1234,7 @@ int main (int argc, char **argv) - - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); - - #ifdef USE_PAM - unsigned int i; -diff --git a/src/passwd.c b/src/passwd.c -index 3af3e651..5bea2765 100644 ---- a/src/passwd.c -+++ b/src/passwd.c -@@ -51,6 +51,7 @@ - #include "defines.h" - #include "getdef.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "pwauth.h" - #include "pwio.h" -@@ -1150,6 +1151,7 @@ int main (int argc, char **argv) - - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); - - SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname)); - closelog (); -diff --git a/src/pwck.c b/src/pwck.c -index 05df68ec..0ffb711e 100644 ---- a/src/pwck.c -+++ b/src/pwck.c 
-@@ -48,6 +48,7 @@ - #include "shadowio.h" - #include "getdef.h" - #include "nscd.h" -+#include "sssd.h" - #ifdef WITH_TCB - #include "tcbfuncs.h" - #endif /* WITH_TCB */ -@@ -877,6 +878,7 @@ int main (int argc, char **argv) - close_files (changed); - - nscd_flush_cache ("passwd"); -+ sssd_flush_cache (SSSD_DB_PASSWD); - - /* - * Tell the user what we did and exit. -diff --git a/src/pwconv.c b/src/pwconv.c -index d6ee31a8..9c69fa13 100644 ---- a/src/pwconv.c -+++ b/src/pwconv.c -@@ -72,6 +72,7 @@ - #include "pwio.h" - #include "shadowio.h" - #include "nscd.h" -+#include "sssd.h" - - /* - * exit status values -@@ -328,6 +329,7 @@ int main (int argc, char **argv) - } - - nscd_flush_cache ("passwd"); -+ sssd_flush_cache (SSSD_DB_PASSWD); - - return E_SUCCESS; - } -diff --git a/src/pwunconv.c b/src/pwunconv.c -index fabf0237..e11ea494 100644 ---- a/src/pwunconv.c -+++ b/src/pwunconv.c -@@ -42,6 +42,7 @@ - #include - #include "defines.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "pwio.h" - #include "shadowio.h" -@@ -250,6 +251,7 @@ int main (int argc, char **argv) - } - - nscd_flush_cache ("passwd"); -+ sssd_flush_cache (SSSD_DB_PASSWD); - - return 0; - } -diff --git a/src/useradd.c b/src/useradd.c -index ca90f076..b0c2224d 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -60,6 +60,7 @@ - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "pwauth.h" - #include "pwio.h" -@@ -2425,6 +2426,7 @@ int main (int argc, char **argv) - - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); - - /* - * tallylog_reset needs to be able to lookup -diff --git a/src/userdel.c b/src/userdel.c -index c8de1d31..0715e4fe 100644 ---- a/src/userdel.c -+++ b/src/userdel.c -@@ -53,6 +53,7 @@ - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "pwauth.h" - 
#include "pwio.h" -@@ -1328,6 +1329,7 @@ int main (int argc, char **argv) - - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); - - return ((0 != errors) ? E_HOMEDIR : E_SUCCESS); - } -diff --git a/src/usermod.c b/src/usermod.c -index 7355ad31..fd9a98a6 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -57,6 +57,7 @@ - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "pwauth.h" - #include "pwio.h" -@@ -2255,6 +2256,7 @@ int main (int argc, char **argv) - - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); - - #ifdef WITH_SELINUX - if (Zflg) { -diff --git a/src/vipw.c b/src/vipw.c -index 6d730f65..2cfac6b4 100644 ---- a/src/vipw.c -+++ b/src/vipw.c -@@ -42,6 +42,7 @@ - #include "defines.h" - #include "groupio.h" - #include "nscd.h" -+#include "sssd.h" - #include "prototypes.h" - #include "pwio.h" - #include "sgroupio.h" -@@ -556,6 +557,7 @@ int main (int argc, char **argv) - - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); -+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); - - return E_SUCCESS; - } diff --git a/shadow-4.6-use-itstool.patch b/shadow-4.6-use-itstool.patch deleted file mode 100644 index 760b5b3..0000000 --- a/shadow-4.6-use-itstool.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak ---- shadow-4.6/man/generate_translations.mak.use-itstool 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/man/generate_translations.mak 2018-07-31 16:42:21.623990969 +0200 -@@ -5,8 +5,19 @@ config.xml: ../config.xml.in - $(MAKE) -C .. config.xml - cp ../config.xml $@ - --%.xml: ../%.xml ../po/$(LANG).po -- xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@ -+messages.mo: ../po/$(LANG).po -+ msgfmt ../po/$(LANG).po -o messages.mo -+ -+login.defs.d: -+ ln -sf ../login.defs.d login.defs.d -+ -+%.xml: ../%.xml messages.mo login.defs.d -+ if grep -q SHADOW-CONFIG-HERE $< ; then \ -+ sed -e 's/^/%config;/' $< > $@; \ -+ else \ -+ sed -e 's/^\(/\1 [%config;]>/' $< > $@; \ -+ fi -+ itstool -d -l $(LANG) -m messages.mo -o . $@ - sed -i 's:\(^:\1 lang="$(LANG)">:' $@ - - include ../generate_mans.mak -@@ -16,4 +27,4 @@ $(man_MANS): - @echo you need to run configure with --enable-man to generate man pages - endif - --CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml -+CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml diff --git a/shadow-4.6-use-lckpwdf.patch b/shadow-4.6-use-lckpwdf.patch deleted file mode 100644 index 363579a..0000000 --- a/shadow-4.6-use-lckpwdf.patch +++ /dev/null 
@@ -1,190 +0,0 @@ -commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0 -Author: Tomas Mraz -Date: Thu May 2 14:33:06 2019 +0200 - - Use the lckpwdf() again if prefix is not set - - The implementation of prefix option dropped the use of lckpwdf(). - However that is incorrect as other tools manipulating the shadow passwords - such as PAM use lckpwdf() and do not know anything about the - shadow's own locking mechanism. - - This reverts the implementation to use lckpwdf() if prefix option - is not used. - -diff --git a/lib/commonio.c b/lib/commonio.c -index 26e518f2..94dda779 100644 ---- a/lib/commonio.c -+++ b/lib/commonio.c -@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db) - int commonio_setname (struct commonio_db *db, const char *name) - { - snprintf (db->filename, sizeof (db->filename), "%s", name); -+ db->setname = true; - return 1; - } - -@@ -414,37 +415,39 @@ cleanup_ENOMEM: - - int commonio_lock (struct commonio_db *db) - { --/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/ --#if 0 -- /* -- * only if the system libc has a real lckpwdf() - the one from -- * lockpw.c calls us and would cause infinite recursion! -- */ -+ int i; - -+#ifdef HAVE_LCKPWDF - /* -- * Call lckpwdf() on the first lock. -- * If it succeeds, call *_lock() only once -- * (no retries, it should always succeed). -+ * Only if the system libc has a real lckpwdf() - the one from -+ * lockpw.c calls us and would cause infinite recursion! -+ * It is also not used with the prefix option. - */ -- if (0 == lock_count) { -- if (lckpwdf () == -1) { -- if (geteuid () != 0) { -- (void) fprintf (stderr, -- "%s: Permission denied.\n", -- Prog); -+ if (!db->setname) { -+ /* -+ * Call lckpwdf() on the first lock. -+ * If it succeeds, call *_lock() only once -+ * (no retries, it should always succeed). 
-+ */ -+ if (0 == lock_count) { -+ if (lckpwdf () == -1) { -+ if (geteuid () != 0) { -+ (void) fprintf (stderr, -+ "%s: Permission denied.\n", -+ Prog); -+ } -+ return 0; /* failure */ - } -- return 0; /* failure */ - } -- } - -- if (commonio_lock_nowait (db, true) != 0) { -- return 1; /* success */ -- } -+ if (commonio_lock_nowait (db, true) != 0) { -+ return 1; /* success */ -+ } - -- ulckpwdf (); -- return 0; /* failure */ --#else /* !HAVE_LCKPWDF */ -- int i; -+ ulckpwdf (); -+ return 0; /* failure */ -+ } -+#endif /* !HAVE_LCKPWDF */ - - /* - * lckpwdf() not used - do it the old way. -@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db) - } - } - return 0; /* failure */ --#endif /* !HAVE_LCKPWDF */ - } - - static void dec_lock_count (void) -diff --git a/lib/commonio.h b/lib/commonio.h -index 40e5708f..64e83073 100644 ---- a/lib/commonio.h -+++ b/lib/commonio.h -@@ -143,6 +143,7 @@ struct commonio_db { - bool isopen:1; - bool locked:1; - bool readonly:1; -+ bool setname:1; - }; - - extern int commonio_setname (struct commonio_db *, const char *); -diff --git a/lib/groupio.c b/lib/groupio.c -index ae2302b5..bffb06e0 100644 ---- a/lib/groupio.c -+++ b/lib/groupio.c -@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = { - false, /* changed */ - false, /* isopen */ - false, /* locked */ -- false /* readonly */ -+ false, /* readonly */ -+ false /* setname */ - }; - - int gr_setdbname (const char *filename) -diff --git a/lib/pwio.c b/lib/pwio.c -index 7ee85377..127719cb 100644 ---- a/lib/pwio.c -+++ b/lib/pwio.c -@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = { - false, /* changed */ - false, /* isopen */ - false, /* locked */ -- false /* readonly */ -+ false, /* readonly */ -+ false /* setname */ - }; - - int pw_setdbname (const char *filename) -diff --git a/lib/sgroupio.c b/lib/sgroupio.c -index 5423626a..ffbdb263 100644 ---- a/lib/sgroupio.c -+++ b/lib/sgroupio.c -@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = { - 
false, /* changed */ - false, /* isopen */ - false, /* locked */ -- false /* readonly */ -+ false, /* readonly */ -+ false /* setname */ - }; - - int sgr_setdbname (const char *filename) -diff --git a/lib/shadowio.c b/lib/shadowio.c -index 5fa3d312..676b1f1a 100644 ---- a/lib/shadowio.c -+++ b/lib/shadowio.c -@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = { - false, /* changed */ - false, /* isopen */ - false, /* locked */ -- false /* readonly */ -+ false, /* readonly */ -+ false /* setname */ - }; - - int spw_setdbname (const char *filename) -diff --git a/lib/subordinateio.c b/lib/subordinateio.c -index a662e67e..dd779c59 100644 ---- a/lib/subordinateio.c -+++ b/lib/subordinateio.c -@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = { - false, /* changed */ - false, /* isopen */ - false, /* locked */ -- false /* readonly */ -+ false, /* readonly */ -+ false /* setname */ - }; - - int sub_uid_setdbname (const char *filename) -@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = { - false, /* changed */ - false, /* isopen */ - false, /* locked */ -- false /* readonly */ -+ false, /* readonly */ -+ false /* setname */ - }; - - int sub_gid_setdbname (const char *filename) diff --git a/shadow-4.6-usermod-crash.patch b/shadow-4.6-usermod-crash.patch deleted file mode 100644 index d2861b3..0000000 --- a/shadow-4.6-usermod-crash.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c ---- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200 -@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi - { - long long int gid; - char *endptr; -+ struct group *g; - - if (NULL == grname) { - return NULL; -@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi - && (gid == (gid_t)gid)) { - return prefix_getgrgid ((gid_t) gid); - } -- return prefix_getgrnam (grname); -+ g = prefix_getgrnam (grname); -+ return g ? __gr_dup(g) : NULL; - } - else - return getgr_nam_gid(grname); -diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c ---- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200 -+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200 -@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha - prefix_user_home = xmalloc(len); - wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home); - assert (wlen == (int) len -1); -+ if (user_newhome) { -+ len = strlen(prefix) + strlen(user_newhome) + 2; -+ prefix_user_newhome = xmalloc(len); -+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); -+ assert (wlen == (int) len -1); -+ } - -- len = strlen(prefix) + strlen(user_newhome) + 2; -- prefix_user_newhome = xmalloc(len); -- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); -- assert (wlen == (int) len -1); - } - else { - prefix_user_home = user_home; diff --git a/shadow-4.6-audit-update.patch b/shadow-4.8-audit-update.patch similarity index 87% rename from shadow-4.6-audit-update.patch rename to shadow-4.8-audit-update.patch index 4237739..153adfe 100644 --- a/shadow-4.6-audit-update.patch +++ b/shadow-4.8-audit-update.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_help.c ---- shadow-4.6/libmisc/audit_help.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/audit_help.c 2018-05-28 15:01:09.913717564 +0200 +diff -up shadow-4.8/libmisc/audit_help.c.audit-update shadow-4.8/libmisc/audit_help.c +--- shadow-4.8/libmisc/audit_help.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/libmisc/audit_help.c 2020-01-13 10:15:51.802073378 +0100 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +50,9 @@ diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_h void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/cleanup_group.c ---- shadow-4.6/libmisc/cleanup_group.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/cleanup_group.c 2018-05-28 15:01:09.913717564 +0200 +diff -up shadow-4.8/libmisc/cleanup_group.c.audit-update shadow-4.8/libmisc/cleanup_group.c +--- shadow-4.8/libmisc/cleanup_group.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/libmisc/cleanup_group.c 2020-01-13 10:15:51.802073378 +0100 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); 
@@ -131,9 +131,9 @@ diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/clea SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/cleanup_user.c ---- shadow-4.6/libmisc/cleanup_user.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/cleanup_user.c 2018-05-28 15:01:09.913717564 +0200 +diff -up shadow-4.8/libmisc/cleanup_user.c.audit-update shadow-4.8/libmisc/cleanup_user.c +--- shadow-4.8/libmisc/cleanup_user.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/libmisc/cleanup_user.c 2020-01-13 10:15:51.802073378 +0100 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -181,10 +181,10 @@ diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/clean SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h ---- shadow-4.6/lib/prototypes.h.audit-update 2018-05-28 15:01:09.901717309 +0200 -+++ shadow-4.6/lib/prototypes.h 2018-05-28 15:01:09.913717564 +0200 -@@ -211,12 +211,21 @@ extern int audit_fd; +diff -up shadow-4.8/lib/prototypes.h.audit-update shadow-4.8/lib/prototypes.h +--- shadow-4.8/lib/prototypes.h.audit-update 2020-01-13 10:15:51.785073664 +0100 ++++ shadow-4.8/lib/prototypes.h 2020-01-13 10:15:51.803073362 +0100 +@@ -219,12 +219,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ #define AUDIT_NO_ID ((unsigned int) -1) 
@@ -206,10 +206,100 @@ diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c ---- shadow-4.6/src/gpasswd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/gpasswd.c 2018-05-28 15:01:09.914717585 +0200 -@@ -137,7 +137,7 @@ static void usage (int status) +diff -up shadow-4.8/src/chage.c.audit-update shadow-4.8/src/chage.c +--- shadow-4.8/src/chage.c.audit-update 2019-11-12 01:18:25.000000000 +0100 ++++ shadow-4.8/src/chage.c 2020-01-13 10:15:51.806073311 +0100 +@@ -123,9 +123,10 @@ static /*@noreturn@*/void fail_exit (int + + #ifdef WITH_AUDIT + if (E_SUCCESS != code) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change age", +- user_name, (unsigned int) user_uid, 0); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-age", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_FAILURE); + } + #endif + +@@ -883,11 +884,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: Permission denied.\n"), Prog); + fail_exit (E_NOPERM); + } +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "display aging info", +- user_name, (unsigned int) user_uid, 1); +-#endif ++ /* Displaying fields is not of interest to audit */ + list_fields (); + fail_exit (E_SUCCESS); + } +@@ -906,41 +903,43 @@ int main (int argc, char **argv) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change all aging information", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-all-aging-information", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + #endif + } else { + #ifdef WITH_AUDIT + if (Mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change max age", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-max-age", ++ user_name, 
(unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + if (mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change min age", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-min-age", + user_name, (unsigned int) user_uid, 1); + } + if (dflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change last change date", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-last-change-date", + user_name, (unsigned int) user_uid, 1); + } + if (Wflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd warning", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-warning", + user_name, (unsigned int) user_uid, 1); + } + if (Iflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change inactive days", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-inactive-days", + user_name, (unsigned int) user_uid, 1); + } + if (Eflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd expiration", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-expiration", + user_name, (unsigned int) user_uid, 1); + } + #endif +diff -up shadow-4.8/src/gpasswd.c.audit-update shadow-4.8/src/gpasswd.c +--- shadow-4.8/src/gpasswd.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/src/gpasswd.c 2020-01-13 10:15:51.803073362 +0100 +@@ -138,7 +138,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); (void) fputs (_(" -Q, --root CHROOT_DIR directory to chroot into\n"), usageout); 
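Review bot: The new chage.c section of this patch leaves the result argument inconsistent — the `mflg`, `dflg`, `Wflg`, `Iflg` and `Eflg` branches switch to `AUDIT_USER_MGMT` and the hyphenated message names but still pass the bare literal `1`, whereas the `Mflg` and `change-all-aging-information` calls in the same hunk, and the `fail_exit` path, pass `SHADOW_AUDIT_SUCCESS`/`SHADOW_AUDIT_FAILURE`. Since the result parameter is presumably the same `shadow_audit_result` enum that `audit_logger_message` takes in the prototypes.h hunk, the literal only works because the enum happens to be defined as 1 and a reader cannot tell from the call whether a failure or success record is being emitted; each of the five lines should read `user_name, (unsigned int) user_uid, SHADOW_AUDIT_SUCCESS);`. Separately, these success events appear to be logged at option-handling time next to the `new_fields()` check, i.e. before the shadow entry is actually written (that write, and the rest of `main` and `fail_exit`, lie outside the hunk), so a later write failure would leave both a success and a `change-age` failure record for the same operation — worth a comment such as `/* NOTE: success is audited before the entry is written; a later fail_exit() also logs a failure for the same change */` if that ordering is confirmed.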
@@ -218,7 +308,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); (void) fputs (_(" -M, --members USER,... set the list of members of GROUP\n"), usageout); #ifdef SHADOWGRP -@@ -396,21 +396,14 @@ static void open_files (void) +@@ -397,21 +397,14 @@ static void open_files (void) static void log_gpasswd_failure (const char *suffix) { @@ -243,7 +333,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (dflg) { -@@ -418,13 +411,9 @@ static void log_gpasswd_failure (const c +@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c "%s failed to remove user %s from group %s%s", myname, user, group, suffix)); #ifdef WITH_AUDIT @@ -260,7 +350,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (rflg) { -@@ -432,13 +421,9 @@ static void log_gpasswd_failure (const c +@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c "%s failed to remove password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -277,7 +367,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Rflg) { -@@ -446,13 +431,9 @@ static void log_gpasswd_failure (const c +@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c "%s failed to restrict access to group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -294,7 +384,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Aflg || Mflg) { -@@ -462,13 +443,9 @@ static void log_gpasswd_failure (const c +@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c "%s failed to set the administrators of group %s to %s%s", myname, group, admins, suffix)); #ifdef WITH_AUDIT 
@@ -311,7 +401,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -478,13 +455,9 @@ static void log_gpasswd_failure (const c +@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c "%s failed to set the members of group %s to %s%s", myname, group, members, suffix)); #ifdef WITH_AUDIT @@ -328,7 +418,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -493,13 +466,9 @@ static void log_gpasswd_failure (const c +@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c "%s failed to change password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -345,7 +435,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -530,21 +499,14 @@ static void log_gpasswd_failure_gshadow +@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow static void log_gpasswd_success (const char *suffix) { @@ -370,7 +460,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (dflg) { -@@ -552,13 +514,9 @@ static void log_gpasswd_success (const c +@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c "user %s removed by %s from group %s%s", user, myname, group, suffix)); #ifdef WITH_AUDIT @@ -387,7 +477,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (rflg) { -@@ -566,13 +524,9 @@ static void log_gpasswd_success (const c +@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c "password of group %s removed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT 
@@ -404,7 +494,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Rflg) { -@@ -580,13 +534,9 @@ static void log_gpasswd_success (const c +@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c "access to group %s restricted by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -421,7 +511,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Aflg || Mflg) { -@@ -596,13 +546,9 @@ static void log_gpasswd_success (const c +@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c "administrators of group %s set by %s to %s%s", group, myname, admins, suffix)); #ifdef WITH_AUDIT @@ -438,7 +528,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -612,13 +558,9 @@ static void log_gpasswd_success (const c +@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c "members of group %s set by %s to %s%s", group, myname, members, suffix)); #ifdef WITH_AUDIT @@ -455,7 +545,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -627,13 +569,9 @@ static void log_gpasswd_success (const c +@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c "password of group %s changed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT 
@@ -472,10 +562,10 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c ---- shadow-4.6/src/groupadd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/groupadd.c 2018-05-28 15:02:53.137910337 +0200 -@@ -130,6 +130,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.8/src/groupadd.c.audit-update shadow-4.8/src/groupadd.c +--- shadow-4.8/src/groupadd.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/src/groupadd.c 2020-01-13 10:15:51.804073345 +0100 +@@ -131,6 +131,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -491,7 +581,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c /* * new_grent - initialize the values in a group file entry * -@@ -213,7 +222,7 @@ static void grp_update (void) +@@ -214,7 +223,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); @@ -500,7 +590,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } #ifdef SHADOWGRP /* -@@ -223,7 +232,7 @@ static void grp_update (void) +@@ -224,7 +233,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); @@ -509,7 +599,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } #endif /* SHADOWGRP */ } -@@ -247,7 +256,7 @@ static void check_new_name (void) +@@ -248,7 +257,7 @@ static void check_new_name (void) fprintf (stderr, _("%s: '%s' is not a valid group name\n"), Prog, group_name); 
@@ -518,7 +608,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } /* -@@ -263,11 +272,11 @@ static void close_files (void) +@@ -264,11 +273,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -532,7 +622,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -285,11 +294,11 @@ static void close_files (void) +@@ -286,11 +295,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -547,7 +637,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -303,12 +312,6 @@ static void close_files (void) +@@ -304,12 +313,6 @@ static void close_files (void) #endif /* SHADOWGRP */ /* Report success at the system level */ @@ -560,7 +650,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); -@@ -326,7 +329,7 @@ static void open_files (void) +@@ -327,7 +330,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -569,7 +659,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } add_cleanup (cleanup_unlock_group, NULL); -@@ -336,7 +339,7 @@ static void open_files (void) +@@ -337,7 +340,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); 
@@ -578,7 +668,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -352,7 +355,7 @@ static void open_files (void) +@@ -353,7 +356,7 @@ static void open_files (void) if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -587,7 +677,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } #ifdef SHADOWGRP -@@ -362,7 +365,7 @@ static void open_files (void) +@@ -363,7 +366,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -596,7 +686,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } } #endif /* SHADOWGRP */ -@@ -495,7 +498,7 @@ static void check_flags (void) +@@ -496,7 +499,7 @@ static void check_flags (void) fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name); @@ -605,7 +695,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } if (gflg && (prefix_getgrgid (group_id) != NULL)) { -@@ -514,7 +517,7 @@ static void check_flags (void) +@@ -515,7 +518,7 @@ static void check_flags (void) fprintf (stderr, _("%s: GID '%lu' already exists\n"), Prog, (unsigned long int) group_id); @@ -614,7 +704,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } } } -@@ -542,7 +545,7 @@ static void check_perms (void) +@@ -543,7 +546,7 @@ static void check_perms (void) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -623,7 +713,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); -@@ -562,7 +565,7 @@ static void check_perms (void) +@@ -563,7 +566,7 @@ static void check_perms (void) if (NULL != pamh) { (void) pam_end (pamh, retval); } 
@@ -632,7 +722,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -595,7 +598,7 @@ int main (int argc, char **argv) +@@ -596,7 +599,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -641,7 +731,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } /* -@@ -617,7 +620,7 @@ int main (int argc, char **argv) +@@ -618,7 +621,7 @@ int main (int argc, char **argv) if (!gflg) { if (find_new_gid (rflg, &group_id, NULL) < 0) { @@ -650,10 +740,10 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } } -diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c ---- shadow-4.6/src/groupdel.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/groupdel.c 2018-05-28 15:01:09.914717585 +0200 -@@ -105,6 +105,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.8/src/groupdel.c.audit-update shadow-4.8/src/groupdel.c +--- shadow-4.8/src/groupdel.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/src/groupdel.c 2020-01-13 10:15:51.804073345 +0100 +@@ -106,6 +106,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -669,7 +759,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c /* * grp_update - update group file entries * -@@ -131,7 +140,7 @@ static void grp_update (void) +@@ -132,7 +141,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -678,7 +768,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } #ifdef SHADOWGRP -@@ -143,7 +152,7 @@ static void grp_update (void) +@@ -144,7 +153,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); 
@@ -687,7 +777,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -162,12 +171,12 @@ static void close_files (void) +@@ -163,12 +172,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -702,7 +792,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -187,12 +196,12 @@ static void close_files (void) +@@ -188,12 +197,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -718,7 +808,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -206,13 +215,6 @@ static void close_files (void) +@@ -207,13 +216,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ @@ -732,7 +822,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -229,7 +231,7 @@ static void open_files (void) +@@ -230,7 +232,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -741,7 +831,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -238,7 +240,7 @@ static void open_files (void) +@@ -239,7 +241,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); 
@@ -750,7 +840,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -256,7 +258,7 @@ static void open_files (void) +@@ -257,7 +259,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -759,7 +849,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -265,7 +267,7 @@ static void open_files (void) +@@ -266,7 +268,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -768,7 +858,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -306,7 +308,7 @@ static void group_busy (gid_t gid) +@@ -307,7 +309,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -777,7 +867,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } /* -@@ -391,7 +393,7 @@ int main (int argc, char **argv) +@@ -392,7 +394,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -786,7 +876,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } process_flags (argc, argv); -@@ -405,7 +407,7 @@ int main (int argc, char **argv) +@@ -406,7 +408,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -795,7 +885,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -426,7 +428,7 @@ int main (int argc, char **argv) +@@ -427,7 +429,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } 
@@ -804,7 +894,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -446,7 +448,7 @@ int main (int argc, char **argv) +@@ -447,7 +449,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); @@ -813,7 +903,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } group_id = grp->gr_gid; -@@ -470,7 +472,7 @@ int main (int argc, char **argv) +@@ -471,7 +473,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -822,10 +912,10 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } #endif -diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c ---- shadow-4.6/src/groupmod.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/groupmod.c 2018-05-28 15:01:09.915717607 +0200 -@@ -449,7 +449,7 @@ static void close_files (void) +diff -up shadow-4.8/src/groupmod.c.audit-update shadow-4.8/src/groupmod.c +--- shadow-4.8/src/groupmod.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/src/groupmod.c 2020-01-13 10:15:51.805073328 +0100 +@@ -450,7 +450,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -834,7 +924,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -472,7 +472,14 @@ static void close_files (void) +@@ -473,7 +473,14 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -850,7 +940,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -495,7 +502,7 @@ static void close_files (void) +@@ -496,7 +503,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT 
@@ -859,7 +949,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -510,8 +517,8 @@ static void close_files (void) +@@ -511,8 +518,8 @@ static void close_files (void) } #ifdef WITH_AUDIT @@ -870,7 +960,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -523,6 +530,8 @@ static void close_files (void) +@@ -524,6 +531,8 @@ static void close_files (void) */ static void prepare_failure_reports (void) { @@ -879,7 +969,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_group.name = group_name; #ifdef SHADOWGRP info_gshadow.name = group_name; -@@ -535,76 +544,109 @@ static void prepare_failure_reports (voi +@@ -536,76 +545,109 @@ static void prepare_failure_reports (voi #endif info_passwd.audit_msg = xmalloc (512); @@ -1016,7 +1106,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c "%lu", (unsigned long int) group_newid); } info_group.audit_msg[511] = '\0'; -@@ -612,6 +654,11 @@ static void prepare_failure_reports (voi +@@ -613,6 +655,11 @@ static void prepare_failure_reports (voi info_gshadow.audit_msg[511] = '\0'; #endif info_passwd.audit_msg[511] = '\0'; 
@@ -1028,99 +1118,9 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c ---- shadow-4.6/src/chage.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/chage.c 2018-05-28 15:01:09.915717607 +0200 -@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int - - #ifdef WITH_AUDIT - if (E_SUCCESS != code) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change age", -- user_name, (unsigned int) user_uid, 0); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_FAILURE); - } - #endif - -@@ -873,11 +874,7 @@ int main (int argc, char **argv) - fprintf (stderr, _("%s: Permission denied.\n"), Prog); - fail_exit (E_NOPERM); - } --#ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "display aging info", -- user_name, (unsigned int) user_uid, 1); --#endif -+ /* Displaying fields is not of interest to audit */ - list_fields (); - fail_exit (E_SUCCESS); - } -@@ -896,41 +893,43 @@ int main (int argc, char **argv) - } - #ifdef WITH_AUDIT - else { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change all aging information", -- user_name, (unsigned int) user_uid, 1); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-all-aging-information", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_SUCCESS); - } - #endif - } else { - #ifdef WITH_AUDIT - if (Mflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change max age", -- user_name, (unsigned int) user_uid, 1); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-max-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_SUCCESS); - } - if (mflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change min age", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-min-age", - user_name, (unsigned int) user_uid, 1); - } - if (dflg) { -- audit_logger 
(AUDIT_USER_CHAUTHTOK, Prog, -- "change last change date", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-last-change-date", - user_name, (unsigned int) user_uid, 1); - } - if (Wflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change passwd warning", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-passwd-warning", - user_name, (unsigned int) user_uid, 1); - } - if (Iflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change inactive days", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-inactive-days", - user_name, (unsigned int) user_uid, 1); - } - if (Eflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change passwd expiration", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-passwd-expiration", - user_name, (unsigned int) user_uid, 1); - } - #endif -diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c ---- shadow-4.6/src/newgrp.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/newgrp.c 2018-05-28 15:01:09.915717607 +0200 +diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c +--- shadow-4.8/src/newgrp.c.audit-update 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/src/newgrp.c 2020-01-13 10:15:51.806073311 +0100 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT 
@@ -1325,10 +1325,10 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.audit-update 2018-05-28 15:01:09.903717352 +0200 -+++ shadow-4.6/src/useradd.c 2018-05-28 15:06:36.824662074 +0200 -@@ -229,6 +229,8 @@ static void create_mail (void); +diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c +--- shadow-4.8/src/useradd.c.audit-update 2020-01-13 10:15:51.789073597 +0100 ++++ shadow-4.8/src/useradd.c 2020-01-13 10:17:30.929406913 +0100 +@@ -233,6 +233,8 @@ static void create_mail (void); */ static void fail_exit (int code) { @@ -1337,7 +1337,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c if (home_added) { if (rmdir (prefix_user_home) != 0) { fprintf (stderr, -@@ -242,12 +244,6 @@ static void fail_exit (int code) +@@ -246,12 +248,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1350,7 +1350,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -255,12 +251,6 @@ static void fail_exit (int code) +@@ -259,12 +255,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1363,7 +1363,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -268,12 +258,6 @@ static void fail_exit (int code) +@@ -272,12 +262,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); 
@@ -1376,7 +1376,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -282,12 +266,6 @@ static void fail_exit (int code) +@@ -286,12 +270,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1389,7 +1389,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -297,12 +275,6 @@ static void fail_exit (int code) +@@ -301,12 +279,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); @@ -1402,7 +1402,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -310,20 +282,19 @@ static void fail_exit (int code) +@@ -314,20 +286,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1430,7 +1430,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -673,7 +644,7 @@ static int set_defaults (void) +@@ -692,7 +663,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1439,7 +1439,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -950,12 +921,6 @@ static void grp_update (void) +@@ -974,12 +945,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); 
@@ -1452,7 +1452,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -969,18 +934,12 @@ static void grp_update (void) +@@ -993,18 +958,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1474,7 +1474,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1025,12 +984,6 @@ static void grp_update (void) +@@ -1049,12 +1008,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1487,7 +1487,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -1044,18 +997,13 @@ static void grp_update (void) +@@ -1068,18 +1021,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1510,7 +1510,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1407,7 +1355,7 @@ static void process_flags (int argc, cha +@@ -1445,7 +1393,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1519,7 +1519,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1522,7 +1470,7 @@ static void close_files (void) +@@ -1560,7 +1508,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1528,7 +1528,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1535,7 +1483,7 @@ static void close_files (void) +@@ -1573,7 +1521,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1537,7 +1537,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1547,7 +1495,7 @@ static void close_files (void) +@@ -1585,7 +1533,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1546,7 +1546,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1561,7 +1509,7 @@ static void close_files (void) +@@ -1599,7 +1547,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1555,7 +1555,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1577,7 +1525,7 @@ static void close_files (void) +@@ -1615,7 +1563,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1564,7 +1564,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1591,7 +1539,7 @@ static void close_files (void) +@@ -1629,7 +1577,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1573,7 +1573,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1783,7 +1731,7 @@ static void grp_add (void) +@@ -1821,7 +1769,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1582,7 +1582,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1799,7 +1747,7 @@ static void grp_add (void) +@@ -1837,7 +1785,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1591,7 +1591,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1809,7 +1757,7 @@ static void grp_add (void) +@@ -1847,7 +1795,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1600,7 +1600,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1970,12 +1918,6 @@ static void usr_update (void) +@@ -2015,12 +1963,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1613,7 +1613,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1996,9 +1938,14 @@ static void usr_update (void) +@@ -2041,9 +1983,14 @@ static void usr_update (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT 
@@ -1630,20 +1630,20 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif /* -@@ -2032,12 +1979,6 @@ static void create_home (void) +@@ -2130,12 +2077,6 @@ static void create_home (void) fprintf (stderr, - _("%s: cannot create directory %s\n"), - Prog, prefix_user_home); + _("%s: cannot create directory %s\n"), + Prog, path); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, -- "adding home directory", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); +- "adding home directory", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); -#endif fail_exit (E_HOMEDIR); } - (void) chown (prefix_user_home, user_id, user_gid); -@@ -2045,8 +1986,8 @@ static void create_home (void) + if (chown (path, 0, 0) < 0) { +@@ -2157,8 +2098,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1654,7 +1654,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2231,12 +2172,6 @@ int main (int argc, char **argv) +@@ -2343,12 +2284,6 @@ int main (int argc, char **argv) */ if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); @@ -1667,7 +1667,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2252,12 +2187,6 @@ int main (int argc, char **argv) +@@ -2364,12 +2299,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); 
@@ -1680,7 +1680,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2287,12 +2216,6 @@ int main (int argc, char **argv) +@@ -2399,12 +2328,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1693,7 +1693,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2365,9 +2283,10 @@ int main (int argc, char **argv) +@@ -2478,9 +2401,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1707,10 +1707,10 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c ---- shadow-4.6/src/userdel.c.audit-update 2018-05-28 15:01:09.909717479 +0200 -+++ shadow-4.6/src/userdel.c 2018-05-28 15:01:09.916717628 +0200 -@@ -219,9 +219,9 @@ static void update_groups (void) +diff -up shadow-4.8/src/userdel.c.audit-update shadow-4.8/src/userdel.c +--- shadow-4.8/src/userdel.c.audit-update 2020-01-13 10:15:51.797073462 +0100 ++++ shadow-4.8/src/userdel.c 2020-01-13 10:15:51.809073261 +0100 +@@ -222,9 +222,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT @@ -1723,7 +1723,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -281,9 +281,9 @@ static void update_groups (void) +@@ -284,9 +284,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT 
@@ -1736,7 +1736,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -360,9 +360,9 @@ static void remove_usergroup (void) +@@ -363,9 +363,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1749,7 +1749,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -378,9 +378,9 @@ static void remove_usergroup (void) +@@ -381,9 +381,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1762,7 +1762,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -542,7 +542,7 @@ static void fail_exit (int code) +@@ -545,7 +545,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1771,7 +1771,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -562,24 +562,12 @@ static void open_files (void) +@@ -565,24 +565,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); @@ -1796,7 +1796,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -587,12 +575,6 @@ static void open_files (void) +@@ -590,12 +578,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1809,7 +1809,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -600,12 +582,6 @@ static void open_files (void) +@@ -603,12 +585,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); 
@@ -1822,7 +1822,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -613,23 +589,11 @@ static void open_files (void) +@@ -616,23 +592,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1846,7 +1846,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -638,24 +602,12 @@ static void open_files (void) +@@ -641,24 +605,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -1871,7 +1871,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -666,24 +618,12 @@ static void open_files (void) +@@ -669,24 +621,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); @@ -1896,7 +1896,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } } -@@ -692,24 +632,12 @@ static void open_files (void) +@@ -695,24 +635,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); @@ -1921,7 +1921,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } } -@@ -754,7 +682,7 @@ static void update_user (void) +@@ -757,7 +685,7 @@ static void update_user (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1930,7 +1930,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -862,7 +790,7 @@ static int remove_mailbox (void) +@@ -865,7 +793,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1939,7 +1939,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -879,7 +807,7 @@ static int remove_mailbox (void) +@@ -882,7 +810,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1948,7 +1948,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -889,8 +817,8 @@ static int remove_mailbox (void) +@@ -892,8 +820,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1959,7 +1959,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -908,7 +836,7 @@ static int remove_mailbox (void) +@@ -911,7 +839,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1968,7 +1968,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -925,7 +853,7 @@ static int remove_mailbox (void) +@@ -928,7 +856,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1977,7 +1977,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -935,8 +863,8 @@ static int remove_mailbox (void) +@@ -938,8 +866,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1988,7 +1988,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1149,7 +1077,7 @@ int main (int argc, char **argv) +@@ -1152,7 +1080,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1997,7 +1997,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1205,7 +1133,7 @@ int main (int argc, char **argv) +@@ -1208,7 +1136,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -2006,7 +2006,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1282,8 +1210,8 @@ int main (int argc, char **argv) +@@ -1302,8 +1230,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -2017,7 +2017,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1292,7 +1220,7 @@ int main (int argc, char **argv) +@@ -1312,7 +1240,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, 
@@ -2026,7 +2026,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1305,8 +1233,8 @@ int main (int argc, char **argv) +@@ -1325,8 +1253,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2037,10 +2037,10 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c ---- shadow-4.6/src/usermod.c.audit-update 2018-05-28 15:01:09.912717543 +0200 -+++ shadow-4.6/src/usermod.c 2018-05-28 15:08:25.424969050 +0200 -@@ -453,8 +453,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.8/src/usermod.c.audit-update shadow-4.8/src/usermod.c +--- shadow-4.8/src/usermod.c.audit-update 2020-01-13 10:15:51.800073412 +0100 ++++ shadow-4.8/src/usermod.c 2020-01-13 10:15:51.812073210 +0100 +@@ -457,8 +457,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2051,7 +2051,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -473,8 +473,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -477,8 +477,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2062,7 +2062,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -485,7 +485,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -489,7 +489,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, 
@@ -2071,7 +2071,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -514,8 +514,8 @@ static void new_pwent (struct passwd *pw +@@ -518,8 +518,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -2082,7 +2082,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -535,8 +535,8 @@ static void new_pwent (struct passwd *pw +@@ -539,8 +539,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -2093,7 +2093,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -546,8 +546,8 @@ static void new_pwent (struct passwd *pw +@@ -550,8 +550,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -2104,7 +2104,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -557,8 +557,8 @@ static void new_pwent (struct passwd *pw +@@ -561,8 +561,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2115,7 +2115,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -566,8 +566,8 @@ static void new_pwent (struct passwd *pw +@@ -570,8 +570,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT @@ -2126,7 +2126,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -577,8 +577,8 @@ static void new_pwent (struct passwd *pw +@@ -581,8 +581,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT 
@@ -2137,7 +2137,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -608,8 +608,8 @@ static void new_spent (struct spwd *spen +@@ -612,8 +612,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2148,7 +2148,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -625,8 +625,8 @@ static void new_spent (struct spwd *spen +@@ -629,8 +629,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2159,7 +2159,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -709,9 +709,9 @@ static /*@noreturn@*/void fail_exit (int +@@ -713,9 +713,9 @@ static /*@noreturn@*/void fail_exit (int #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT @@ -2172,7 +2172,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif exit (code); } -@@ -765,9 +765,12 @@ static void update_group (void) +@@ -769,9 +769,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2188,7 +2188,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -781,9 +784,11 @@ static void update_group (void) +@@ -785,9 +788,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2203,7 +2203,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -796,9 +801,11 @@ static void update_group (void) +@@ -800,9 +805,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT 
@@ -2218,7 +2218,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -873,9 +880,10 @@ static void update_gshadow (void) +@@ -877,9 +884,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2232,7 +2232,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -895,9 +903,10 @@ static void update_gshadow (void) +@@ -899,9 +907,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2246,7 +2246,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -911,9 +920,10 @@ static void update_gshadow (void) +@@ -915,9 +924,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2260,7 +2260,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -926,9 +936,10 @@ static void update_gshadow (void) +@@ -930,9 +940,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2274,7 +2274,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1789,8 +1800,8 @@ static void move_home (void) +@@ -1799,8 +1810,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { 
@@ -2285,7 +2285,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1808,8 +1819,8 @@ static void move_home (void) +@@ -1818,8 +1829,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2296,7 +2296,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1828,9 +1839,9 @@ static void move_home (void) +@@ -1847,9 +1858,9 @@ static void move_home (void) Prog, prefix_user_home); } #ifdef WITH_AUDIT @@ -2308,7 +2308,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2045,8 +2056,8 @@ static void move_mailbox (void) +@@ -2071,8 +2082,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2319,7 +2319,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2072,8 +2083,8 @@ static void move_mailbox (void) +@@ -2098,8 +2109,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2330,7 +2330,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) +@@ -2294,8 +2305,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2341,7 +2341,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2280,8 +2291,8 @@ int main (int argc, char **argv) +@@ -2307,8 +2318,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT 
@@ -2352,7 +2352,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2319,8 +2330,8 @@ int main (int argc, char **argv) +@@ -2349,8 +2360,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.8-crypt_h.patch b/shadow-4.8-crypt_h.patch new file mode 100644 index 0000000..e2704e8 --- /dev/null +++ b/shadow-4.8-crypt_h.patch @@ -0,0 +1,35 @@ +diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac +--- shadow-4.8/configure.ac.crypt_h 2020-01-13 10:26:17.400481712 +0100 ++++ shadow-4.8/configure.ac 2020-01-13 10:29:11.563529093 +0100 +@@ -32,7 +32,7 @@ AC_HEADER_STDC + AC_HEADER_SYS_WAIT + AC_HEADER_STDBOOL + +-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \ ++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \ + utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \ + utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \ + locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \ +diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h +--- shadow-4.8/lib/defines.h.crypt_h 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/lib/defines.h 2020-01-13 10:26:17.400481712 +0100 +@@ -4,6 +4,8 @@ + #ifndef _DEFINES_H_ + #define _DEFINES_H_ + ++#include "config.h" ++ + #if HAVE_STDBOOL_H + # include + #else +@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok () + # include + #endif + ++#if HAVE_CRYPT_H ++# include /* crypt(3) may be defined in here */ ++#endif ++ + #if TIME_WITH_SYS_TIME + # include + # include diff --git a/shadow-4.5-goodname.patch b/shadow-4.8-goodname.patch similarity index 79% rename from shadow-4.5-goodname.patch rename to shadow-4.8-goodname.patch index b107e3f..f3c18d5 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.8-goodname.patch 
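Review bot: The new `#include "config.h"` at the top of lib/defines.h is what makes the later `#if HAVE_CRYPT_H` test meaningful, but nothing on the include says so, and a header pulling in config.h is unusual enough in this tree that a future rebase may drop it as noise. Suggest a comment on the added line, `#include "config.h"	/* HAVE_CRYPT_H and friends below are defined there */`. Autoconf's generated config.h typically has no include guard, so translation units that include config.h before defines.h will see its macros defined twice; that is harmless only because the definitions are identical, which is worth stating next to the include.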
@@ -1,18 +1,12 @@ -Index: shadow-4.5/libmisc/chkname.c -=================================================================== ---- shadow-4.5.orig/libmisc/chkname.c -+++ shadow-4.5/libmisc/chkname.c -@@ -47,27 +47,46 @@ - #include "chkname.h" +diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c +--- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100 ++++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100 +@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n + } - static bool is_valid_name (const char *name) --{ -+{ /* - * User/group names must match [a-z_][a-z0-9_-]*[$] - */ -- if (('\0' == *name) || -- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { + * User/group names must match gnu e-regex: + * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? + * @@ -22,7 +16,9 @@ Index: shadow-4.5/libmisc/chkname.c + * Also do not allow fully numeric names or just "." or "..". + */ + int numeric; -+ + +- if (('\0' == *name) || +- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { + if ('\0' == *name || + ('.' == *name && (('.' == name[1] && '\0' == name[2]) || + '\0' == name[1])) || @@ -60,11 +56,10 @@ Index: shadow-4.5/libmisc/chkname.c } bool is_valid_user_name (const char *name) -Index: shadow-4.5/man/groupadd.8.xml -=================================================================== ---- shadow-4.5.orig/man/groupadd.8.xml -+++ shadow-4.5/man/groupadd.8.xml -@@ -256,10 +256,12 @@ +diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml +--- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100 +@@ -273,10 +273,12 @@ CAVEATS 
@@ -81,11 +76,10 @@ Index: shadow-4.5/man/groupadd.8.xml Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -Index: shadow-4.5/man/useradd.8.xml -=================================================================== ---- shadow-4.5.orig/man/useradd.8.xml -+++ shadow-4.5/man/useradd.8.xml -@@ -633,10 +633,14 @@ +diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml +--- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200 ++++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100 +@@ -661,10 +661,14 @@ diff --git a/shadow-4.8-ignore-login-prompt.patch b/shadow-4.8-ignore-login-prompt.patch new file mode 100644 index 0000000..c93aae7 --- /dev/null +++ b/shadow-4.8-ignore-login-prompt.patch @@ -0,0 +1,11 @@ +diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c +--- shadow-4.8/lib/getdef.c.login-prompt 2020-01-13 10:38:44.852796681 +0100 ++++ shadow-4.8/lib/getdef.c 2020-01-13 10:39:54.472612511 +0100 +@@ -98,6 +98,7 @@ static struct itemdef def_table[] = { + {"LASTLOG_UID_MAX", NULL}, + {"LOGIN_RETRIES", NULL}, + {"LOGIN_TIMEOUT", NULL}, ++ {"LOGIN_PLAIN_PROMPT", NULL}, + {"LOG_OK_LOGINS", NULL}, + {"LOG_UNKFAIL_ENAB", NULL}, + {"MAIL_DIR", NULL}, diff --git a/shadow-4.5-long-entry.patch b/shadow-4.8-long-entry.patch similarity index 64% rename from shadow-4.5-long-entry.patch rename to shadow-4.8-long-entry.patch index 8670e75..64d9636 100644 --- a/shadow-4.5-long-entry.patch +++ b/shadow-4.8-long-entry.patch 
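Review bot: The new `{"LOGIN_PLAIN_PROMPT", NULL}` row in getdef.c's def_table is presumably there only so that getdef stops reporting an unknown login.defs item (the key belongs to util-linux login(1), not to anything in shadow), but the table entry gives no hint of that, and the next person auditing which login.defs keys shadow actually honours will assume it is consumed. Suggest a trailing comment on the added line, `{"LOGIN_PLAIN_PROMPT", NULL}, /* consumed by util-linux login(1); listed only so getdef does not warn about an unknown item */`. If some shadow code does read it, the comment should name which.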
@@ -1,17 +1,19 @@ -diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h ---- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200 -@@ -382,4 +382,7 @@ extern char *strerror (); +diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h +--- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100 ++++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100 +@@ -388,6 +388,9 @@ extern char *strerror (); # endif #endif +/* Maximum length of passwd entry */ +#define PASSWD_ENTRY_MAX_LENGTH 32768 + - #endif /* _DEFINES_H_ */ -diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c ---- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100 -+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200 + #ifdef HAVE_SECURE_GETENV + # define shadow_getenv(name) secure_getenv(name) + # else +diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c +--- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100 @@ -79,7 +79,10 @@ static int passwd_put (const void *ent, || (pw->pw_gid == (gid_t)-1) || (valid_field (pw->pw_gecos, ":\n") == -1) @@ -24,9 +26,9 @@ diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c return -1; } -diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c ---- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200 +diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c +--- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200 ++++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100 @@ -57,7 +57,7 @@ struct passwd *sgetpwent (const char *buf) { 
@@ -48,9 +50,9 @@ diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c strcpy (pwdbuf, buf); /* -diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c ---- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200 +diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c +--- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100 @@ -48,7 +48,7 @@ */ struct spwd *sgetspent (const char *string) @@ -68,9 +70,9 @@ diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c return 0; /* fail if too long */ } strcpy (spwbuf, string); -diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c ---- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100 -+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200 +diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c +--- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100 @@ -79,7 +79,9 @@ static int shadow_put (const void *ent, if ( (NULL == sp) diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.8-manfix.patch similarity index 74% rename from shadow-4.3.1-manfix.patch rename to shadow-4.8-manfix.patch index bd1577e..ecb99a4 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.8-manfix.patch 
@@ -1,35 +1,6 @@ -Index: shadow-4.5/man/groupmems.8.xml -=================================================================== ---- shadow-4.5.orig/man/groupmems.8.xml -+++ shadow-4.5/man/groupmems.8.xml -@@ -179,20 +179,10 @@ - - SETUP - -- The groupmems executable should be in mode -- 2770 as user root and in group -- groups. The system administrator can add users to -- group groups to allow or disallow them using the -- groupmems utility to manage their own group -- membership list. -+ In this operating system the groupmems executable -+ is not setuid and regular users cannot use it to manipulate -+ the membership of their own group. - -- -- -- $ groupadd -r groups -- $ chmod 2770 groupmems -- $ chown root.groups groupmems -- $ groupmems -g groups -a gk4 -- - - - -Index: shadow-4.5/man/chage.1.xml -=================================================================== ---- shadow-4.5.orig/man/chage.1.xml -+++ shadow-4.5/man/chage.1.xml +diff -up shadow-4.8/man/chage.1.xml.manfix shadow-4.8/man/chage.1.xml +--- shadow-4.8/man/chage.1.xml.manfix 2019-10-05 01:28:34.000000000 +0200 ++++ shadow-4.8/man/chage.1.xml 2020-01-13 10:12:48.445155882 +0100 @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -54,7 +25,7 @@ Index: shadow-4.5/man/chage.1.xml Passing the number -1 as the EXPIRE_DATE will remove an account expiration date. -@@ -233,6 +243,18 @@ +@@ -239,6 +249,18 @@ The chage program requires a shadow password file to be available. 
@@ -73,11 +44,56 @@ Index: shadow-4.5/man/chage.1.xml The chage command is restricted to the root user, except for the option, which may be used by an unprivileged user to determine when their password or account is due -Index: shadow-4.5/man/ja/man5/login.defs.5 -=================================================================== ---- shadow-4.5.orig/man/ja/man5/login.defs.5 -+++ shadow-4.5/man/ja/man5/login.defs.5 -@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ +diff -up shadow-4.8/man/groupadd.8.xml.manfix shadow-4.8/man/groupadd.8.xml +--- shadow-4.8/man/groupadd.8.xml.manfix 2020-01-13 10:12:48.432156100 +0100 ++++ shadow-4.8/man/groupadd.8.xml 2020-01-13 10:13:06.096859122 +0100 +@@ -320,13 +320,13 @@ + + 4 + +- GID not unique (when not used) ++ GID is already used (when called without ) + + + + 9 + +- group name not unique ++ group name is already used + + + +diff -up shadow-4.8/man/groupmems.8.xml.manfix shadow-4.8/man/groupmems.8.xml +--- shadow-4.8/man/groupmems.8.xml.manfix 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/man/groupmems.8.xml 2020-01-13 10:12:48.445155882 +0100 +@@ -179,20 +179,10 @@ + + SETUP + +- The groupmems executable should be in mode +- 2770 as user root and in group +- groups. The system administrator can add users to +- group groups to allow or disallow them using the +- groupmems utility to manage their own group +- membership list. ++ In this operating system the groupmems executable ++ is not setuid and regular users cannot use it to manipulate ++ the membership of their own group. 
+ +- +- +- $ groupadd -r groups +- $ chmod 2770 groupmems +- $ chown root.groups groupmems +- $ groupmems -g groups -a gk4 +- + + + +diff -up shadow-4.8/man/ja/man5/login.defs.5.manfix shadow-4.8/man/ja/man5/login.defs.5 +--- shadow-4.8/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/man/ja/man5/login.defs.5 2020-01-13 10:12:48.445155882 +0100 +@@ -147,10 +147,6 @@ 以下の参照表は、 shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 .na @@ -88,11 +104,10 @@ Index: shadow-4.5/man/ja/man5/login.defs.5 .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -Index: shadow-4.5/man/login.defs.5.xml -=================================================================== ---- shadow-4.5.orig/man/login.defs.5.xml -+++ shadow-4.5/man/login.defs.5.xml -@@ -162,6 +162,17 @@ +diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml +--- shadow-4.8/man/login.defs.5.xml.manfix 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/man/login.defs.5.xml 2020-01-13 10:14:10.491776547 +0100 +@@ -163,6 +163,17 @@ long numeric parameters is machine-dependent. @@ -110,7 +125,7 @@ Index: shadow-4.5/man/login.defs.5.xml The following configuration items are provided: -@@ -252,16 +263,6 @@ +@@ -254,16 +265,6 @@ @@ -127,7 +142,7 @@ Index: shadow-4.5/man/login.defs.5.xml chgpasswd -@@ -282,14 +283,6 @@ +@@ -284,14 +285,6 @@ @@ -142,10 +157,10 @@ Index: shadow-4.5/man/login.defs.5.xml -@@ -350,34 +343,6 @@ +@@ -357,34 +350,6 @@ + LASTLOG_UID_MAX + - - - - login - @@ -161,7 +176,7 @@ Index: shadow-4.5/man/login.defs.5.xml - HUSHLOGIN_FILE - ISSUE_FILE - KILLCHAR -- LASTLOG_ENAB +- LASTLOG_ENAB LASTLOG_UID_MAX - LOGIN_RETRIES - LOGIN_STRING - LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB @@ -177,7 +192,7 @@ Index: shadow-4.5/man/login.defs.5.xml newgrp / sg -@@ -405,17 +370,6 @@ +@@ -412,17 +377,6 @@ @@ -195,7 +210,7 @@ Index: shadow-4.5/man/login.defs.5.xml pwck -@@ -442,32 +396,6 @@ +@@ -449,32 +403,6 @@ 
@@ -228,10 +243,9 @@ Index: shadow-4.5/man/login.defs.5.xml useradd -Index: shadow-4.5/man/shadow.5.xml -=================================================================== ---- shadow-4.5.orig/man/shadow.5.xml -+++ shadow-4.5/man/shadow.5.xml +diff -up shadow-4.8/man/shadow.5.xml.manfix shadow-4.8/man/shadow.5.xml +--- shadow-4.8/man/shadow.5.xml.manfix 2019-12-01 17:52:32.000000000 +0100 ++++ shadow-4.8/man/shadow.5.xml 2020-01-13 10:12:48.446155865 +0100 @@ -129,7 +129,7 @@ @@ -261,11 +275,10 @@ Index: shadow-4.5/man/shadow.5.xml Note that an account expiration differs from a password -Index: shadow-4.5/man/useradd.8.xml -=================================================================== ---- shadow-4.5.orig/man/useradd.8.xml -+++ shadow-4.5/man/useradd.8.xml -@@ -347,6 +347,11 @@ +diff -up shadow-4.8/man/useradd.8.xml.manfix shadow-4.8/man/useradd.8.xml +--- shadow-4.8/man/useradd.8.xml.manfix 2020-01-13 10:12:48.432156100 +0100 ++++ shadow-4.8/man/useradd.8.xml 2020-01-13 10:12:48.446155865 +0100 +@@ -358,6 +358,11 @@ is not enabled, no home directories are created. @@ -277,11 +290,10 @@ Index: shadow-4.5/man/useradd.8.xml -Index: shadow-4.5/man/usermod.8.xml -=================================================================== ---- shadow-4.5.orig/man/usermod.8.xml -+++ shadow-4.5/man/usermod.8.xml -@@ -132,7 +132,8 @@ +diff -up shadow-4.8/man/usermod.8.xml.manfix shadow-4.8/man/usermod.8.xml +--- shadow-4.8/man/usermod.8.xml.manfix 2019-10-05 03:23:58.000000000 +0200 ++++ shadow-4.8/man/usermod.8.xml 2020-01-13 10:12:48.446155865 +0100 +@@ -153,7 +153,8 @@ If the option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does 
@@ -291,7 +303,20 @@ Index: shadow-4.5/man/usermod.8.xml -@@ -256,7 +257,8 @@ +@@ -215,6 +216,12 @@ + The group ownership of files outside of the user's home directory + must be fixed manually. + ++ ++ The change of the group ownership of files inside of the user's ++ home directory is also not done if the home dir owner uid is ++ different from the current or new user id. This is safety measure ++ for special home directories such as /. ++ + + + +@@ -277,7 +284,8 @@ Move the content of the user's home directory to the new 
@@ -301,49 +326,16 @@ Index: shadow-4.5/man/usermod.8.xml This option is only valid in combination with the -diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml -index 01ace007..93fe7421 100644 ---- a/man/login.defs.d/SUB_GID_COUNT.xml -+++ b/man/login.defs.d/SUB_GID_COUNT.xml -@@ -42,7 +42,7 @@ - - The default values for , - , -- are respectively 100000, 600100000 and 10000. -+ are respectively 100000, 600100000 and 65536. - - - -diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml -index 5ad812f7..516417b7 100644 ---- a/man/login.defs.d/SUB_UID_COUNT.xml -+++ b/man/login.defs.d/SUB_UID_COUNT.xml -@@ -42,7 +42,7 @@ - - The default values for , - , -- are respectively 100000, 600100000 and 10000. -+ are respectively 100000, 600100000 and 65536. - - - -diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml ---- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200 -+++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200 -@@ -320,13 +320,13 @@ - - 4 - -- GID not unique (when not used) -+ GID is already used (when called without ) - - - - 9 - -- group name not unique -+ group name is already used - - - - +@@ -391,6 +399,12 @@ + must be fixed manually. + + ++ The change of the user ownership of files inside of the user's ++ home directory is also not done if the home dir owner uid is ++ different from the current or new user id. This is safety measure ++ for special home directories such as /. ++ ++ + No checks will be performed with regard to the + , , + , or diff --git a/shadow-4.3.1-selinux-perms.patch b/shadow-4.8-selinux-perms.patch similarity index 65% rename from shadow-4.3.1-selinux-perms.patch rename to shadow-4.8-selinux-perms.patch index a08660f..dfb32ec 100644 --- a/shadow-4.3.1-selinux-perms.patch +++ b/shadow-4.8-selinux-perms.patch 
@@ -1,7 +1,6 @@ -Index: shadow-4.5/src/chgpasswd.c -=================================================================== ---- shadow-4.5.orig/src/chgpasswd.c -+++ shadow-4.5/src/chgpasswd.c +diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c +--- shadow-4.8/src/chgpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100 ++++ shadow-4.8/src/chgpasswd.c 2020-01-13 10:21:44.558107260 +0100 @@ -39,6 +39,13 @@ #include #include @@ -16,7 +15,7 @@ Index: shadow-4.5/src/chgpasswd.c #ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" -@@ -76,6 +83,9 @@ static bool sgr_locked = false; +@@ -80,6 +87,9 @@ static bool sgr_locked = false; #endif static bool gr_locked = false; @@ -26,7 +25,7 @@ Index: shadow-4.5/src/chgpasswd.c /* local function prototypes */ static void fail_exit (int code); static /*@noreturn@*/void usage (int status); -@@ -300,6 +310,63 @@ static void check_perms (void) +@@ -334,6 +344,63 @@ static void check_perms (void) #endif /* ACCT_TOOLS_SETUID */ } @@ -90,7 +89,7 @@ Index: shadow-4.5/src/chgpasswd.c /* * open_files - lock and open the group databases */ -@@ -393,6 +460,7 @@ int main (int argc, char **argv) +@@ -427,6 +494,7 @@ int main (int argc, char **argv) const struct group *gr; struct group newgr; @@ -98,7 +97,7 @@ Index: shadow-4.5/src/chgpasswd.c int errors = 0; int line = 0; -@@ -402,12 +470,37 @@ int main (int argc, char **argv) +@@ -436,12 +504,37 @@ int main (int argc, char **argv) (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); 
@@ -136,28 +135,9 @@ Index: shadow-4.5/src/chgpasswd.c check_perms (); #ifdef SHADOWGRP - is_shadow_grp = sgr_file_present (); - #endif -@@ -536,6 +629,15 @@ int main (int argc, char **argv) - newgr.gr_passwd = cp; - } - -+#ifdef WITH_AUDIT -+ { -+ -+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, -+ "change-password", -+ myname, AUDIT_NO_ID, gr->gr_name, -+ SHADOW_AUDIT_SUCCESS); -+ } -+#endif - /* - * The updated group file entry is then put back and will - * be written to the group file later, after all the -Index: shadow-4.5/src/chpasswd.c -=================================================================== ---- shadow-4.5.orig/src/chpasswd.c -+++ shadow-4.5/src/chpasswd.c +diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c +--- shadow-4.8/src/chpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100 ++++ shadow-4.8/src/chpasswd.c 2020-01-13 10:21:44.558107260 +0100 @@ -39,6 +39,13 @@ #include #include @@ -172,7 +152,7 @@ Index: shadow-4.5/src/chpasswd.c #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ -@@ -297,6 +304,63 @@ static void check_perms (void) +@@ -332,6 +339,63 @@ static void check_perms (void) #endif /* USE_PAM */ } @@ -236,7 +216,7 @@ Index: shadow-4.5/src/chpasswd.c /* * open_files - lock and open the password databases */ -@@ -393,6 +457,10 @@ int main (int argc, char **argv) +@@ -428,6 +492,10 @@ int main (int argc, char **argv) (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); @@ -247,7 +227,7 @@ Index: shadow-4.5/src/chpasswd.c process_root_flag ("-R", argc, argv); process_flags (argc, argv); -@@ -405,6 +473,10 @@ int main (int argc, char **argv) +@@ -440,6 +508,10 @@ int main (int argc, char **argv) OPENLOG ("chpasswd"); 
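Review bot: The rebased patch no longer adds the `audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, ...)` call to chgpasswd's main loop in this hunk, and the `@@ -258,33 +238,3 @@` hunk likewise drops the `AUDIT_USER_CHAUTHTOK` call from chpasswd together with the `$(LIBAUDIT)` additions in src/Makefile.am. If upstream 4.8 already carries equivalent audit records this is plain de-duplication, but if it does not, batch password changes through chpasswd/chgpasswd stop producing audit events on an audit-enabled host, which is exactly the kind of silent detection gap a rebase can introduce. The commit message only says "update to current upstream release 4.8"; a line in the patch header or the spec's %changelog stating that the audit hunks were dropped because they are upstream (with the upstream reference) would let a reviewer confirm it without diffing the tarball.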
@@ -258,33 +238,3 @@ Index: shadow-4.5/src/chpasswd.c check_perms (); #ifdef USE_PAM - if (!use_pam) - #endif /* USE_PAM */ -@@ -566,6 +638,11 @@ int main (int argc, char **argv) - newpw.pw_passwd = cp; - } - -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "updating-password", -+ pw->pw_name, (unsigned int) pw->pw_uid, 1); -+#endif - /* - * The updated password file entry is then put back and will - * be written to the password file later, after all the -Index: shadow-4.5/src/Makefile.am -=================================================================== ---- shadow-4.5.orig/src/Makefile.am -+++ shadow-4.5/src/Makefile.am -@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) - newuidmap_LDADD = $(LDADD) $(LIBSELINUX) - newgidmap_LDADD = $(LDADD) $(LIBSELINUX) - chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) --chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) -+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) - chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) --chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) -+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) - groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) - groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff --git a/shadow-4.8-selinux.patch b/shadow-4.8-selinux.patch new file mode 100644 index 0000000..7b2177b --- /dev/null +++ b/shadow-4.8-selinux.patch 
@@ -0,0 +1,241 @@ +diff -up shadow-4.8/lib/commonio.c.selinux shadow-4.8/lib/commonio.c +--- shadow-4.8/lib/commonio.c.selinux 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/lib/commonio.c 2020-01-13 10:08:53.769101131 +0100 +@@ -964,7 +964,7 @@ int commonio_close (struct commonio_db * + snprintf (buf, sizeof buf, "%s-", db->filename); + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (buf) != 0) { ++ if (set_selinux_file_context (buf, db->filename) != 0) { + errors++; + } + #endif +@@ -997,7 +997,7 @@ int commonio_close (struct commonio_db * + snprintf (buf, sizeof buf, "%s+", db->filename); + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (buf) != 0) { ++ if (set_selinux_file_context (buf, db->filename) != 0) { + errors++; + } + #endif +diff -up shadow-4.8/libmisc/copydir.c.selinux shadow-4.8/libmisc/copydir.c +--- shadow-4.8/libmisc/copydir.c.selinux 2019-07-23 17:26:08.000000000 +0200 ++++ shadow-4.8/libmisc/copydir.c 2020-01-13 10:08:53.769101131 +0100 +@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co + */ + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + return -1; + } + #endif /* WITH_SELINUX */ +@@ -605,7 +605,7 @@ static int copy_symlink (const char *src + } + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + free (oldlink); + return -1; + } +@@ -684,7 +684,7 @@ static int copy_special (const char *src + int err = 0; + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + return -1; + } + #endif /* WITH_SELINUX */ +@@ -744,7 +744,7 @@ static int copy_file (const char *src, c + return -1; + } + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + return -1; + } + #endif /* WITH_SELINUX */ +diff -up shadow-4.8/lib/prototypes.h.selinux 
shadow-4.8/lib/prototypes.h +--- shadow-4.8/lib/prototypes.h.selinux 2020-01-13 10:08:53.769101131 +0100 ++++ shadow-4.8/lib/prototypes.h 2020-01-13 10:11:20.914627399 +0100 +@@ -334,7 +334,7 @@ extern /*@observer@*/const char *crypt_m + + /* selinux.c */ + #ifdef WITH_SELINUX +-extern int set_selinux_file_context (const char *dst_name); ++extern int set_selinux_file_context (const char *dst_name, const char *orig_name); + extern int reset_selinux_file_context (void); + extern int check_selinux_permit (const char *perm_name); + #endif +diff -up shadow-4.8/lib/selinux.c.selinux shadow-4.8/lib/selinux.c +--- shadow-4.8/lib/selinux.c.selinux 2019-11-12 01:18:25.000000000 +0100 ++++ shadow-4.8/lib/selinux.c 2020-01-13 10:08:53.769101131 +0100 +@@ -51,7 +51,7 @@ static bool selinux_enabled; + * Callers may have to Reset SELinux to create files with default + * contexts with reset_selinux_file_context + */ +-int set_selinux_file_context (const char *dst_name) ++int set_selinux_file_context (const char *dst_name, const char *orig_name) + { + /*@null@*/security_context_t scontext = NULL; + +@@ -63,19 +63,23 @@ int set_selinux_file_context (const char + if (selinux_enabled) { + /* Get the default security context for this file */ + if (matchpathcon (dst_name, 0, &scontext) < 0) { +- if (security_getenforce () != 0) { +- return 1; +- } ++ /* We could not get the default, copy the original */ ++ if (orig_name == NULL) ++ goto error; ++ if (getfilecon (orig_name, &scontext) < 0) ++ goto error; + } + /* Set the security context for the next created file */ +- if (setfscreatecon (scontext) < 0) { +- if (security_getenforce () != 0) { +- return 1; +- } +- } ++ if (setfscreatecon (scontext) < 0) ++ goto error; + freecon (scontext); + } + return 0; ++ error: ++ if (security_getenforce () != 0) { ++ return 1; ++ } ++ return 0; + } + + /* +diff -up shadow-4.8/lib/semanage.c.selinux shadow-4.8/lib/semanage.c +--- shadow-4.8/lib/semanage.c.selinux 2019-07-23 17:26:08.000000000 +0200 
++++ shadow-4.8/lib/semanage.c 2020-01-13 10:08:53.766101181 +0100
+@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
+
+ ret = 0;
+
++ /* drop obsolete matchpathcon cache */
++ matchpathcon_fini();
++
+ done:
+ semanage_seuser_key_free (key);
+ semanage_handle_destroy (handle);
+@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
+ }
+
+ ret = 0;
++
++ /* drop obsolete matchpathcon cache */
++ matchpathcon_fini();
++
+ done:
+ semanage_handle_destroy (handle);
+ return ret;
+diff -up shadow-4.8/src/useradd.c.selinux shadow-4.8/src/useradd.c
+--- shadow-4.8/src/useradd.c.selinux 2020-01-13 10:08:53.762101248 +0100
++++ shadow-4.8/src/useradd.c 2020-01-13 10:08:53.767101164 +0100
+@@ -2078,7 +2078,7 @@ static void create_home (void)
+ ++bhome;
+
+ #ifdef WITH_SELINUX
+- if (set_selinux_file_context (prefix_user_home) != 0) {
++ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
+ fprintf (stderr,
+ _("%s: cannot set SELinux context for home directory %s\n"),
+ Prog, user_home);
+@@ -2232,6 +2232,7 @@ static void create_mail (void)
+ */
+ int main (int argc, char **argv)
+ {
++ int rv = E_SUCCESS;
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ pam_handle_t *pamh = NULL;
+@@ -2454,27 +2455,12 @@ int main (int argc, char **argv)
+
+ usr_update ();
+
+- if (mflg) {
+- create_home ();
+- if (home_added) {
+- copy_tree (def_template, prefix_user_home, false, false,
+- (uid_t)-1, user_id, (gid_t)-1, user_gid);
+- } else {
+- fprintf (stderr,
+- _("%s: warning: the home directory %s already exists.\n"
+- "%s: Not copying any file from skel directory into it.\n"),
+- Prog, user_home, Prog);
+- }
+-
+- }
+-
+- /* Do not create mail directory for system accounts */
+- if (!rflg) {
+- create_mail ();
+- }
+-
+ close_files ();
+
++ nscd_flush_cache ("passwd");
++ nscd_flush_cache ("group");
++ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
++
+ /*
+ * tallylog_reset needs to be able to lookup
+ * a valid existing user name,
+@@ -2485,8 +2471,9 @@ int main (int argc, char **argv)
+ }
+
+ #ifdef WITH_SELINUX
+- if (Zflg) {
+- if (set_seuser (user_name, user_selinux) != 0) {
++ if (Zflg && *user_selinux) {
++ if (is_selinux_enabled () > 0) {
++ if (set_seuser (user_name, user_selinux) != 0) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+@@ -2495,15 +2482,31 @@ int main (int argc, char **argv)
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+ #endif /* WITH_AUDIT */
+- fail_exit (E_SE_UPDATE);
++ rv = E_SE_UPDATE;
++ }
+ }
+ }
+ #endif /* WITH_SELINUX */
+
+- nscd_flush_cache ("passwd");
+- nscd_flush_cache ("group");
+- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
++ if (mflg) {
++ create_home ();
++ if (home_added) {
++ copy_tree (def_template, prefix_user_home, false, true,
++ (uid_t)-1, user_id, (gid_t)-1, user_gid);
++ } else {
++ fprintf (stderr,
++ _("%s: warning: the home directory %s already exists.\n"
++ "%s: Not copying any file from skel directory into it.\n"),
++ Prog, user_home, Prog);
++ }
++
++ }
++
++ /* Do not create mail directory for system accounts */
++ if (!rflg) {
++ create_mail ();
++ }
+
+- return E_SUCCESS;
++ return rv;
+ }
+
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 37dc958..0b0c13e 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.6
-Release: 16%{?dist}
+Version: 4.8
+Release: 1%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
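Review bot: When set_seuser() fails, the new code at `rv = E_SE_UPDATE;` no longer exits: close_files() has already been called in the earlier hunk and create_home()/create_mail() still run afterwards, so useradd returns non-zero with the account and home directory fully created, which the warning text does not tell the administrator. A comment such as `/* not fatal: the account is already committed; report the failed mapping via the exit status */` before that line, and a warning that says the user exists but the mapping is missing, would keep a non-zero exit from being read as "nothing was created". Moving create_home() after the set_seuser() block appears tied to the matchpathcon_fini() calls added in semanage.c, presumably so the home directory is labelled under the new user mapping; a one-line comment at `if (mflg) {` stating that ordering constraint would stop a later cleanup from moving it back. The flipped fourth argument in `copy_tree (def_template, prefix_user_home, false, true,` is a bare boolean whose meaning is not visible here (it looks like the reset-SELinux-context flag); a trailing comment naming it would make the change reviewable. main() begins outside this hunk.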
@@ -10,33 +10,44 @@ Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+# Misc small changes - most probably non-upstreamable
 Patch0: shadow-4.6-redhat.patch
-Patch1: shadow-4.5-goodname.patch
+# Be more lenient with acceptable user/group names - non upstreamable
+Patch1: shadow-4.8-goodname.patch
+# Docfix for newusers - could be upstreamed
 Patch2: shadow-4.1.5.1-info-parent-dir.patch
-Patch6: shadow-4.6-selinux.patch
-Patch10: shadow-4.6-orig-context.patch
+# Misc SElinux related changes - upstreamability unknown
+Patch6: shadow-4.8-selinux.patch
+# Syslog message change - could be upstreamed
 Patch11: shadow-4.1.5.1-logmsg.patch
+# SElinux related - upstreamability unknown
 Patch14: shadow-4.1.5.1-default-range.patch
-Patch15: shadow-4.3.1-manfix.patch
+# Misc manual page changes - only some of them could be upstreamed
+Patch15: shadow-4.8-manfix.patch
+# Userdel usage message change - could be upstreamed
 Patch17: shadow-4.1.5.1-userdel-helpfix.patch
+# Date parsing improvement - could be upstreamed
 Patch19: shadow-4.2.1-date-parsing.patch
+# Additional error message - could be upstreamed
 Patch21: shadow-4.6-move-home.patch
-Patch22: shadow-4.6-audit-update.patch
+# Audit message changes - upstreamability unknown
+Patch22: shadow-4.8-audit-update.patch
+# Changes related to password unlocking - could be upstreamed
 Patch23: shadow-4.5-usermod-unlock.patch
-Patch24: shadow-4.2.1-no-lock-dos.patch
-Patch28: shadow-4.3.1-selinux-perms.patch
+# Additional SElinux related changes - upstreamability unknown
+Patch28: shadow-4.8-selinux-perms.patch
+# Handle NULL return from *time funcs - could be upstreamed
 Patch29: shadow-4.2.1-null-tm.patch
+# SElinux related - upstreamability unknown
 Patch31: shadow-4.6-getenforce.patch
-Patch32: shadow-4.5-crypt_h.patch
-Patch33: shadow-4.5-long-entry.patch
-Patch34: shadow-4.6-usermod-crash.patch
-Patch35: shadow-4.6-coverity.patch
-Patch36: shadow-4.6-use-itstool.patch -Patch37: shadow-4.6-sssd-flush.patch +# Handle include of crypt.h - could be upstreamed +Patch32: shadow-4.8-crypt_h.patch +# Handle /etc/passwd corruption - could be upstreamed +Patch33: shadow-4.8-long-entry.patch +# Limit uid/gid allocation to non-zero - could be upstreamed Patch38: shadow-4.6-sysugid-min-limit.patch -Patch39: shadow-4.6-chgrp-guard.patch -Patch40: shadow-4.6-ignore-login-prompt.patch -Patch41: shadow-4.6-use-lckpwdf.patch +# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown +Patch40: shadow-4.8-ignore-login-prompt.patch License: BSD and GPLv2+ BuildRequires: gcc @@ -69,7 +80,6 @@ are used for managing group accounts. %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir %patch6 -p1 -b .selinux -%patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix @@ -78,20 +88,13 @@ are used for managing group accounts. %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock -%patch24 -p1 -b .no-lock-dos %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm %patch31 -p1 -b .getenforce %patch32 -p1 -b .crypt_h %patch33 -p1 -b .long-entry -%patch34 -p1 -b .usermod-crash -%patch35 -p1 -b .coverity -%patch36 -p1 -b .use-itstool -%patch37 -p1 -b .sssd-flush %patch38 -p1 -b .sysugid-min-limit -%patch39 -p1 -b .chgrp-guard %patch40 -p1 -b .login-prompt -%patch41 -p1 -b .use-lckpwdf iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -246,6 +249,9 @@ done %{_mandir}/man8/vigr.8* %changelog +* Mon Jan 13 2020 Tomáš Mráz - 2:4.8-1 +- update to current upstream release 4.8 + * Mon Sep 2 2019 Tomáš Mráz - 2:4.6-16 - fix SELinux related problem in chpasswd/chgpasswd when run with -R (patch by Petr Lautrbach) (#1747215) diff --git a/sources b/sources index 2093465..c9450ff 100644 --- a/sources +++ b/sources 
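Review bot: The changelog entry `- update to current upstream release 4.8` does not say what became of the eleven downstream patches dropped from the Patch list (shadow-4.2.1-no-lock-dos.patch, shadow-4.6-use-lckpwdf.patch, shadow-4.6-sssd-flush.patch, shadow-4.6-chgrp-guard.patch, shadow-4.6-usermod-crash.patch and the rest), so a reader cannot tell whether each was merged upstream in 4.8 or abandoned for another reason. A second changelog line naming the patches that are now upstream, with a note on any dropped for a different reason, would make the removals auditable; the per-patch upstreamability comments added above the remaining `PatchN:` lines are a good model for that. The `%patch` removals in the `@@ -69,7 +80,6 @@` and `@@ -78,20 +88,13 @@` hunks match the Patch list as far as this view shows.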
@@ -1,2 +1,2 @@
-SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631
-SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed
+SHA512 (shadow-4.8.tar.xz) = 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece
+SHA512 (shadow-4.8.tar.xz.asc) = 200f7793e55447cc5c0d11988ee26511167c5fe23e1f6622b6b0c8cb74498052f2df855f02e351fee0da16562f6a6510ad3954b4c5e13dd9a8da0d998f8dc5e6