From de7a44355a759b7751f0db4d62c76a5eb05f8a15 Mon Sep 17 00:00:00 2001
From: Peter Vrabec
Date: Thu, 29 Apr 2010 15:40:36 +0000
Subject: [PATCH] - preserve ACL's on files in /etc/skel
Resolves: #513055
---
 shadow-4.1.4.2-acl.patch | 121 +++++++++++++++++++++++++++++++++++++++
 shadow-utils.spec | 9 ++-
 2 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.1.4.2-acl.patch
diff --git a/shadow-4.1.4.2-acl.patch b/shadow-4.1.4.2-acl.patch
new file mode 100644
index 0000000..9af543c
--- /dev/null
+++ b/shadow-4.1.4.2-acl.patch
@@ -0,0 +1,121 @@
+diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c
+--- shadow-4.1.4.2/libmisc/copydir.c.acl 2010-04-29 15:55:26.949959971 +0200
++++ shadow-4.1.4.2/libmisc/copydir.c 2010-04-29 15:55:26.956960471 +0200
+@@ -45,6 +45,9 @@
+ #ifdef WITH_SELINUX
+ #include
+ #endif
++#include
++#include
++
+ static /*@null@*/const char *src_orig;
+ static /*@null@*/const char *dst_orig;
+ 
+@@ -70,7 +73,7 @@ static int copy_symlink (const char *src
+ #endif
+ static int copy_hardlink (const char *src, const char *dst,
+ struct link_name *lp);
+-static int copy_special (const char *dst,
++static int copy_special (const char *src, const char *dst,
+ const struct stat *statp, const struct timeval mt[],
+ long int uid, long int gid);
+ static int copy_file (const char *src, const char *dst,
+@@ -78,6 +81,24 @@ static int copy_file (const char *src, c
+ long int uid, long int gid);
+ 
+ #ifdef WITH_SELINUX
++
++void error (struct error_context *ctx, const char *fmt, ...)
++{
++ va_list ap;
++
++ va_start (ap, fmt);
++ (void) fprintf (stderr, _("%s: "), Prog);
++ if (vfprintf (stderr, fmt, ap) != 0) {
++ (void) fputs (_(": "), stderr);
++ }
++ (void) fprintf (stderr, "%s\n", strerror (errno));
++ va_end (ap);
++}
++
++struct error_context ctx = {
++ error
++};
++
+ /*
+ * selinux_file_context - Set the security context before any file or
+ * directory creation.
+@@ -369,7 +390,7 @@ static int copy_entry (const char *src,
+ */
+ 
+ else if (!S_ISREG (sb.st_mode)) {
+- err = copy_special (dst, &sb, mt, uid, gid);
++ err = copy_special (src, dst, &sb, mt, uid, gid);
+ }
+ 
+ /*
+@@ -413,6 +434,7 @@ static int copy_dir (const char *src, co
+ || (chown (dst,
+ (uid == - 1) ? statp->st_uid : (uid_t) uid,
+ (gid == - 1) ? statp->st_gid : (gid_t) gid) != 0)
++ || (perm_copy_file (src, dst, &ctx) != 0)
+ || (chmod (dst, statp->st_mode) != 0)
+ || (copy_tree (src, dst, uid, gid) != 0)
+ || (utimes (dst, mt) != 0)) {
+@@ -514,6 +536,13 @@ static int copy_symlink (const char *src
+ || (lchown (dst,
+ (uid == -1) ? statp->st_uid : (uid_t) uid,
+ (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)) {
++ /* FIXME: there are no modes on symlinks, right?
++ * ACL could be copied, but this would be much more
++ * complex than calling perm_copy_file.
++ * Ditto for Extended Attributes.
++ * We currently only document that ACL and Extended
++ * Attributes are not copied.
++ */
+ free (oldlink);
+ return -1;
+ }
+@@ -542,7 +571,7 @@ static int copy_symlink (const char *src
+ static int copy_hardlink (const char *src, const char *dst,
+ struct link_name *lp)
+ {
+- /* TODO: selinux needed? */
++ /* TODO: selinux, ACL, Extended Attributes needed? */
+ 
+ if (link (lp->ln_name, dst) != 0) {
+ return -1;
+@@ -574,7 +603,7 @@ static int copy_hardlink (const char *sr
+ *
+ * Return 0 on success, -1 on error.
+ */
+-static int copy_special (const char *dst,
++static int copy_special (const char *src, const char *dst,
+ const struct stat *statp, const struct timeval mt[],
+ long int uid, long int gid)
+ {
+@@ -628,7 +657,7 @@ static int copy_file (const char *src, c
+ || (fchown (ofd,
+ (uid == -1) ? statp->st_uid : (uid_t) uid,
+ (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)
+- || (fchmod (ofd, statp->st_mode & 07777) != 0)) {
++ || (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) ) {
+ (void) close (ifd);
+ return -1;
+ }
+diff -up shadow-4.1.4.2/src/Makefile.in.acl shadow-4.1.4.2/src/Makefile.in
+--- shadow-4.1.4.2/src/Makefile.in.acl 2009-07-24 03:16:00.000000000 +0200
++++ shadow-4.1.4.2/src/Makefile.in 2010-04-29 16:08:34.347960372 +0200
+@@ -430,9 +430,9 @@ su_SOURCES = \
+ 
+ su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ sulogin_LDADD = $(LDADD) $(LIBCRYPT)
+-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
++userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
++usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+ vipw_LDADD = $(LDADD) $(LIBSELINUX)
+ all: all-am
+ 
diff --git a/shadow-utils.spec b/shadow-utils.spec
index b40ed70..78bdef5 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.4.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@@ -13,10 +13,12 @@ Patch2: shadow-4.1.4.2-leak.patch
 Patch3: shadow-4.1.4.2-fixes.patch
 Patch4: shadow-4.1.4.2-infoParentDir.patch
 Patch5: shadow-4.1.4.2-semange.patch
+Patch6: shadow-4.1.4.2-acl.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
 BuildRequires: audit-libs-devel >= 1.6.5
+BuildRequires: libacl-devel libattr-devel
 #BuildRequires: autoconf, automake, libtool, gettext-devel
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
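Review bot: The new `error ()` callback and the `ctx` that holds it are added inside the `#ifdef WITH_SELINUX` block (the `@@ -78,6 +81,24 @@` hunk inserts them directly after that `#ifdef` context line), while the `perm_copy_file (src, dst, &ctx)` and `perm_copy_fd (src, ifd, dst, ofd, &ctx)` calls and the new includes are unconditional, so a build without SELinux would fail on an undefined `ctx`. Both symbols are also external: `error` collides with glibc's `error(3)`, which has a different signature, so any other code in the same link that calls the libc `error` would land here with mismatched arguments, and making both `static` under a distinct name avoids that. Inside the callback, `strerror (errno)` is evaluated after two `fprintf` calls that can themselves change `errno`, so the value should be captured on entry. Separately, the removed `fchmod (ofd, statp->st_mode & 07777)` in `copy_file` also carried the setuid/setgid/sticky bits, which an ACL does not encode; unless `perm_copy_fd` is verified to restore them from the source `st_mode`, keep `|| (fchmod (ofd, statp->st_mode & 07777) != 0)` after the ACL copy, as `copy_dir` still keeps its `chmod (dst, statp->st_mode)` after `perm_copy_file`. The enclosing functions all start and end outside these hunks; the rewritten definitions below replace the added `error`/`ctx` block.
```c
/* … unchanged: forward declarations of copy_*() … */

/* Error callback handed to libacl's perm_copy_file()/perm_copy_fd();
 * kept outside WITH_SELINUX because those calls are unconditional. */
static void acl_error (struct error_context *ectx, const char *fmt, ...)
{
	int saved_errno = errno;	/* fprintf() below may clobber errno */
	va_list ap;

	(void) ectx;
	va_start (ap, fmt);
	(void) fprintf (stderr, _("%s: "), Prog);
	if (vfprintf (stderr, fmt, ap) != 0) {
		(void) fputs (_(": "), stderr);
	}
	(void) fprintf (stderr, "%s\n", strerror (saved_errno));
	va_end (ap);
}

static struct error_context ctx = {
	acl_error
};

#ifdef WITH_SELINUX
/* … unchanged: selinux_file_context() … */
```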
@@ -43,6 +45,7 @@ are used for managing group accounts.
 %patch3 -p1 -b .fixes
 %patch4 -p1 -b .infoParentDir
 %patch5 -p1 -b .semange
+%patch6 -p1 -b .acl
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -185,6 +188,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Thu Apr 29 2010 Peter Vrabec - 2:4.1.4.2-6
+- preserve ACL's on files in /etc/skel
+ Resolves: #513055
+
 * Wed Apr 28 2010 Peter Vrabec - 2:4.1.4.2-5
 - newusers man page more informative
 - userdel should not need to run semanage