Use cap_setxid file capabilities for newxidmap instead of making them setuid

Also: limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0 and the 0 is always used by root anyway manual page improvements
2018-11-06 10:40:50 +01:00 · 2018-11-06 10:40:50 +01:00 · f38d60a562
commit f38d60a562
parent d80def3861
4 changed files with 84 additions and 12 deletions
--- a/shadow-4.3.1-manfix.patch
+++ b/shadow-4.3.1-manfix.patch
@ -213,6 +213,15 @@ Index: shadow-4.5/man/shadow.5.xml
 ===================================================================
 --- shadow-4.5.orig/man/shadow.5.xml
 +++ shadow-4.5/man/shadow.5.xml
+@@ -129,7 +129,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of the last password change, expressed as the number
+-	    of days since Jan 1, 1970.
+	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    The value 0 has a special meaning, which is that the user
@@ -208,8 +208,8 @@
 	  </para>
 	  <para>
@ -224,6 +233,15 @@ Index: shadow-4.5/man/shadow.5.xml
 	  </para>
 	  <para>
 	    An empty field means that there are no enforcement of an
+@@ -224,7 +224,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of expiration of the account, expressed as the number
+-	    of days since Jan 1, 1970.
+	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    Note that an account expiration differs from a password
 Index: shadow-4.5/man/useradd.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/useradd.8.xml
--- a/shadow-4.5-goodname.patch
+++ b/shadow-4.5-goodname.patch
@ -64,7 +64,7 @@ Index: shadow-4.5/man/groupadd.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/groupadd.8.xml
 +++ shadow-4.5/man/groupadd.8.xml
-@@ -256,12 +256,6 @@
+@@ -256,10 +256,14 @@
    <refsect1 id='caveats'>
      <title>CAVEATS</title>
      <para>
@ -72,16 +72,22 @@ Index: shadow-4.5/man/groupadd.8.xml
 -       followed by lower case letters, digits, underscores, or dashes.
 -       They can end with a dollar sign.
 -       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-     </para>
-     <para>
-        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+       Groupnames may contain only lower and upper case letters, digits,
+       underscores, or dashes. They can end with a dollar sign.
+
+       Dashes are not allowed at the beginning of the groupname.
+       Fully numeric groupnames and groupnames . or .. are
+       also disallowed.
+
+       In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
      </para>
      <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
 Index: shadow-4.5/man/useradd.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/useradd.8.xml
 +++ shadow-4.5/man/useradd.8.xml
-@@ -633,12 +633,6 @@
+@@ -633,10 +633,16 @@
     </para>
 
     <para>
@ -89,8 +95,16 @@ Index: shadow-4.5/man/useradd.8.xml
 -      followed by lower case letters, digits, underscores, or dashes.
 -      They can end with a dollar sign.
 -      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-    </para>
-    <para>
-       Usernames may only be up to 32 characters long.
+      Usernames may contain only lower and upper case letters, digits,
+      underscores, or dashes. They can end with a dollar sign.
+
+      Dashes are not allowed at the beginning of the username.
+      Fully numeric usernames and usernames . or .. are
+      also disallowed. It is not recommended to use usernames beginning
+      with . character as their home directories will be hidden in
+      the <command>ls</command> output.
+
+      In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
     </para>
-   </refsect1>
+     <para>
+       Usernames may only be up to 32 characters long.
--- a/shadow-4.6-sysugid-min-limit.patch
+++ b/shadow-4.6-sysugid-min-limit.patch
@ -0,0 +1,32 @@
+diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c
+--- shadow-4.6/libmisc/find_new_gid.c.min-limit	2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/libmisc/find_new_gid.c	2018-11-06 10:07:14.567611067 +0100
+@@ -81,6 +81,12 @@ static int get_ranges (bool sys_group, g
+                             getdef_ulong ("GID_MIN", 1000UL),
+                             (unsigned long) *max_id);
+ 			return EINVAL;
+		/*
+		 * Zero is reserved for root and the allocation algorithm does not
+		 * work right with it.
+		 */
+		if (*min_id == 0) {
+			*min_id = (gid_t) 1;
+ 		}
+ 	} else {
+ 		/* Non-system groups */
+diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c
+--- shadow-4.6/libmisc/find_new_uid.c.min-limit	2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/libmisc/find_new_uid.c	2018-11-06 10:07:34.392075491 +0100
+@@ -81,6 +81,12 @@ static int get_ranges (bool sys_user, ui
+                             getdef_ulong ("UID_MIN", 1000UL),
+                             (unsigned long) *max_id);
+ 			return EINVAL;
+		/*
+		 * Zero is reserved for root and the allocation algorithm does not
+		 * work right with it.
+		 */
+		if (*min_id == 0) {
+			*min_id = (uid_t) 1;
+ 		}
+ 	} else {
+ 		/* Non-system users */
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -32,6 +32,7 @@ Patch33: shadow-4.5-long-entry.patch
 Patch34: shadow-4.6-usermod-crash.patch
 Patch35: shadow-4.6-coverity.patch
 Patch36: shadow-4.6-sssd-flush.patch
+Patch37: shadow-4.6-sysugid-min-limit.patch

 License: BSD and GPLv2+
 Group: System Environment/Base
@ -85,6 +86,7 @@ are used for managing group accounts.
 %patch34 -p1 -b .usermod-crash
 %patch35 -p1 -b .coverity
 %patch36 -p1 -b .sssd-flush
+%patch37 -p1 -b .sysugid-min-limit

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -197,8 +199,8 @@ done
 %attr(4755,root,root) %{_bindir}/gpasswd
 %{_bindir}/lastlog
 %attr(4755,root,root) %{_bindir}/newgrp
-%attr(4755,root,root) %{_bindir}/newgidmap
-%attr(4755,root,root) %{_bindir}/newuidmap
+%attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap
+%attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap
 %{_sbindir}/adduser
 %attr(0755,root,root)   %{_sbindir}/user*
 %attr(0755,root,root)   %{_sbindir}/group*
@ -236,6 +238,12 @@ done
 %{_mandir}/man8/vigr.8*

 %changelog
+* Tue Nov  6 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
+- use cap_setxid file capabilities for newxidmap instead of making them setuid
+- limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0
+  and the 0 is always used by root anyway
+- manual page improvements
+
 * Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
 - fix some issues from Coverity scan
 - flush sssd caches - patch by Jakub Hrozek