Use cap_setxid file capabilities for newxidmap instead of making them setuid
Also: limit the SYS_U/GID_MIN value to 1, as the algorithm does not work with 0 and 0 is always used by root anyway; manual page improvements.
parent
d80def3861
commit
f38d60a562
|
@ -213,6 +213,15 @@ Index: shadow-4.5/man/shadow.5.xml
|
||||||
===================================================================
|
===================================================================
|
||||||
--- shadow-4.5.orig/man/shadow.5.xml
|
--- shadow-4.5.orig/man/shadow.5.xml
|
||||||
+++ shadow-4.5/man/shadow.5.xml
|
+++ shadow-4.5/man/shadow.5.xml
|
||||||
|
@@ -129,7 +129,7 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The date of the last password change, expressed as the number
|
||||||
|
- of days since Jan 1, 1970.
|
||||||
|
+ of days since Jan 1, 1970 00:00 UTC.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
The value 0 has a special meaning, which is that the user
|
||||||
@@ -208,8 +208,8 @@
|
@@ -208,8 +208,8 @@
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
|
@ -224,6 +233,15 @@ Index: shadow-4.5/man/shadow.5.xml
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
An empty field means that there are no enforcement of an
|
An empty field means that there are no enforcement of an
|
||||||
|
@@ -224,7 +224,7 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The date of expiration of the account, expressed as the number
|
||||||
|
- of days since Jan 1, 1970.
|
||||||
|
+ of days since Jan 1, 1970 00:00 UTC.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Note that an account expiration differs from a password
|
||||||
Index: shadow-4.5/man/useradd.8.xml
|
Index: shadow-4.5/man/useradd.8.xml
|
||||||
===================================================================
|
===================================================================
|
||||||
--- shadow-4.5.orig/man/useradd.8.xml
|
--- shadow-4.5.orig/man/useradd.8.xml
|
||||||
|
|
|
@ -64,7 +64,7 @@ Index: shadow-4.5/man/groupadd.8.xml
|
||||||
===================================================================
|
===================================================================
|
||||||
--- shadow-4.5.orig/man/groupadd.8.xml
|
--- shadow-4.5.orig/man/groupadd.8.xml
|
||||||
+++ shadow-4.5/man/groupadd.8.xml
|
+++ shadow-4.5/man/groupadd.8.xml
|
||||||
@@ -256,12 +256,6 @@
|
@@ -256,10 +256,14 @@
|
||||||
<refsect1 id='caveats'>
|
<refsect1 id='caveats'>
|
||||||
<title>CAVEATS</title>
|
<title>CAVEATS</title>
|
||||||
<para>
|
<para>
|
||||||
|
@ -72,16 +72,22 @@ Index: shadow-4.5/man/groupadd.8.xml
|
||||||
- followed by lower case letters, digits, underscores, or dashes.
|
- followed by lower case letters, digits, underscores, or dashes.
|
||||||
- They can end with a dollar sign.
|
- They can end with a dollar sign.
|
||||||
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||||
- </para>
|
+ Groupnames may contain only lower and upper case letters, digits,
|
||||||
- <para>
|
+ underscores, or dashes. They can end with a dollar sign.
|
||||||
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
+
|
||||||
|
+ Dashes are not allowed at the beginning of the groupname.
|
||||||
|
+ Fully numeric groupnames and groupnames . or .. are
|
||||||
|
+ also disallowed.
|
||||||
|
+
|
||||||
|
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
|
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
||||||
Index: shadow-4.5/man/useradd.8.xml
|
Index: shadow-4.5/man/useradd.8.xml
|
||||||
===================================================================
|
===================================================================
|
||||||
--- shadow-4.5.orig/man/useradd.8.xml
|
--- shadow-4.5.orig/man/useradd.8.xml
|
||||||
+++ shadow-4.5/man/useradd.8.xml
|
+++ shadow-4.5/man/useradd.8.xml
|
||||||
@@ -633,12 +633,6 @@
|
@@ -633,10 +633,16 @@
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
|
@ -89,8 +95,16 @@ Index: shadow-4.5/man/useradd.8.xml
|
||||||
- followed by lower case letters, digits, underscores, or dashes.
|
- followed by lower case letters, digits, underscores, or dashes.
|
||||||
- They can end with a dollar sign.
|
- They can end with a dollar sign.
|
||||||
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||||
- </para>
|
+ Usernames may contain only lower and upper case letters, digits,
|
||||||
- <para>
|
+ underscores, or dashes. They can end with a dollar sign.
|
||||||
Usernames may only be up to 32 characters long.
|
+
|
||||||
|
+ Dashes are not allowed at the beginning of the username.
|
||||||
|
+ Fully numeric usernames and usernames . or .. are
|
||||||
|
+ also disallowed. It is not recommended to use usernames beginning
|
||||||
|
+ with . character as their home directories will be hidden in
|
||||||
|
+ the <command>ls</command> output.
|
||||||
|
+
|
||||||
|
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
|
||||||
</para>
|
</para>
|
||||||
</refsect1>
|
<para>
|
||||||
|
Usernames may only be up to 32 characters long.
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c
|
||||||
|
--- shadow-4.6/libmisc/find_new_gid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
|
||||||
|
+++ shadow-4.6/libmisc/find_new_gid.c 2018-11-06 10:07:14.567611067 +0100
|
||||||
|
@@ -81,6 +81,12 @@ static int get_ranges (bool sys_group, g
|
||||||
|
getdef_ulong ("GID_MIN", 1000UL),
|
||||||
|
(unsigned long) *max_id);
|
||||||
|
return EINVAL;
|
||||||
|
+ /*
|
||||||
|
+ * Zero is reserved for root and the allocation algorithm does not
|
||||||
|
+ * work right with it.
|
||||||
|
+ */
|
||||||
|
+ if (*min_id == 0) {
|
||||||
|
+ *min_id = (gid_t) 1;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
/* Non-system groups */
|
||||||
|
diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c
|
||||||
|
--- shadow-4.6/libmisc/find_new_uid.c.min-limit 2018-04-29 18:42:37.000000001 +0200
|
||||||
|
+++ shadow-4.6/libmisc/find_new_uid.c 2018-11-06 10:07:34.392075491 +0100
|
||||||
|
@@ -81,6 +81,12 @@ static int get_ranges (bool sys_user, ui
|
||||||
|
getdef_ulong ("UID_MIN", 1000UL),
|
||||||
|
(unsigned long) *max_id);
|
||||||
|
return EINVAL;
|
||||||
|
+ /*
|
||||||
|
+ * Zero is reserved for root and the allocation algorithm does not
|
||||||
|
+ * work right with it.
|
||||||
|
+ */
|
||||||
|
+ if (*min_id == 0) {
|
||||||
|
+ *min_id = (uid_t) 1;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
/* Non-system users */
|
|
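Review bot: As the hunk is printed here, the new `if (*min_id == 0)` clamp in get_ranges of find_new_gid.c is inserted between `return EINVAL;` and the `}` that closed the range check, so the clamp sits after an unconditional return, the existing `}` now closes the new block, and `} else {` becomes attached to the wrong `if` — the code would not compile, and on any valid configuration the clamp would never run. Unless the page dropped a line, the patch needs its own closing brace before the comment, i.e. `+		}` added directly after `return EINVAL;` (making the header `@@ -81,6 +81,13 @@`), so that the clamp executes whenever the range check passes. The find_new_uid.c hunk below has the identical shape and needs the same brace. The enclosing get_ranges function starts and ends outside both hunks.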
@ -1,7 +1,7 @@
|
||||||
Summary: Utilities for managing accounts and shadow password files
|
Summary: Utilities for managing accounts and shadow password files
|
||||||
Name: shadow-utils
|
Name: shadow-utils
|
||||||
Version: 4.6
|
Version: 4.6
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
URL: http://pkg-shadow.alioth.debian.org/
|
URL: http://pkg-shadow.alioth.debian.org/
|
||||||
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
||||||
|
@ -32,6 +32,7 @@ Patch33: shadow-4.5-long-entry.patch
|
||||||
Patch34: shadow-4.6-usermod-crash.patch
|
Patch34: shadow-4.6-usermod-crash.patch
|
||||||
Patch35: shadow-4.6-coverity.patch
|
Patch35: shadow-4.6-coverity.patch
|
||||||
Patch36: shadow-4.6-sssd-flush.patch
|
Patch36: shadow-4.6-sssd-flush.patch
|
||||||
|
Patch37: shadow-4.6-sysugid-min-limit.patch
|
||||||
|
|
||||||
License: BSD and GPLv2+
|
License: BSD and GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
|
@ -85,6 +86,7 @@ are used for managing group accounts.
|
||||||
%patch34 -p1 -b .usermod-crash
|
%patch34 -p1 -b .usermod-crash
|
||||||
%patch35 -p1 -b .coverity
|
%patch35 -p1 -b .coverity
|
||||||
%patch36 -p1 -b .sssd-flush
|
%patch36 -p1 -b .sssd-flush
|
||||||
|
%patch37 -p1 -b .sysugid-min-limit
|
||||||
|
|
||||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||||
|
@ -197,8 +199,8 @@ done
|
||||||
%attr(4755,root,root) %{_bindir}/gpasswd
|
%attr(4755,root,root) %{_bindir}/gpasswd
|
||||||
%{_bindir}/lastlog
|
%{_bindir}/lastlog
|
||||||
%attr(4755,root,root) %{_bindir}/newgrp
|
%attr(4755,root,root) %{_bindir}/newgrp
|
||||||
%attr(4755,root,root) %{_bindir}/newgidmap
|
%attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap
|
||||||
%attr(4755,root,root) %{_bindir}/newuidmap
|
%attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap
|
||||||
%{_sbindir}/adduser
|
%{_sbindir}/adduser
|
||||||
%attr(0755,root,root) %{_sbindir}/user*
|
%attr(0755,root,root) %{_sbindir}/user*
|
||||||
%attr(0755,root,root) %{_sbindir}/group*
|
%attr(0755,root,root) %{_sbindir}/group*
|
||||||
|
@ -236,6 +238,12 @@ done
|
||||||
%{_mandir}/man8/vigr.8*
|
%{_mandir}/man8/vigr.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 6 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
|
||||||
|
- use cap_setxid file capabilities for newxidmap instead of making them setuid
|
||||||
|
- limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0
|
||||||
|
and the 0 is always used by root anyway
|
||||||
|
- manual page improvements
|
||||||
|
|
||||||
* Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
|
* Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
|
||||||
- fix some issues from Coverity scan
|
- fix some issues from Coverity scan
|
||||||
- flush sssd caches - patch by Jakub Hrozek
|
- flush sssd caches - patch by Jakub Hrozek
|
||||||
|
|
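Review bot: Replacing `%attr(4755,root,root)` with `%attr(0755,root,root) %caps(cap_setuid=ep)` on newuidmap (and `cap_setgid` on newgidmap) is a genuine reduction from full setuid-root to a single capability, but file capabilities fail differently from setuid in ways the spec does not record: the kernel ignores them on a `nosuid` mount and they are lost whenever the binary is copied without its extended attributes, after which unprivileged user-namespace setup fails with a bare permission error rather than anything pointing at the file mode. A short comment above the two `%files` entries would spare the next maintainer that investigation, e.g. `# newuidmap/newgidmap carry CAP_SETUID/CAP_SETGID as file capabilities instead of setuid-root; they are dropped on nosuid mounts and by copies that do not preserve xattrs`. Note also that CAP_SETUID on its own still lets the process switch to uid 0, so the hardening is the absence of the other capabilities a setuid-root binary would hold, which is worth stating in the changelog entry so the change is not read as removing privilege entirely.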