Compare commits
52 Commits
Author | SHA1 | Date |
---|---|---|
Iker Pedrosa | 97547bc00a | |
Fedora Release Engineering | 71c99ba5b1 | |
Iker Pedrosa | 5ba2bc90cc | |
Iker Pedrosa | a986f4a036 | |
Iker Pedrosa | 2b851f7e96 | |
Fedora Release Engineering | bfa562aaf2 | |
Iker Pedrosa | 77cc4a7c14 | |
Iker Pedrosa | 957f0eb09e | |
Iker Pedrosa | a2d5d3dbda | |
Iker Pedrosa | 4a03ec740c | |
Iker Pedrosa | 11164c2c0a | |
Iker Pedrosa | 981bd7a093 | |
Iker Pedrosa | fbc8eba072 | |
Iker Pedrosa | 3a32832856 | |
Iker Pedrosa | 94f04f9e71 | |
Fedora Release Engineering | 58090e11f1 | |
Björn Esser | 0d2b677f8f | |
Iker Pedrosa | fbe143d1bd | |
Björn Esser | 08a62b5fa3 | |
Björn Esser | 90349359e4 | |
Björn Esser | a4f9def9dd | |
Björn Esser | a6d57fc8a3 | |
Iker Pedrosa | 2b6f713524 | |
Björn Esser | bace2f8c6b | |
Björn Esser | 1b6e097b0e | |
Björn Esser | 2615b08c31 | |
Björn Esser | c0e594d3c5 | |
Iker Pedrosa | c5fd8d4a0a | |
Björn Esser | e967948ce8 | |
Björn Esser | 0946f2a3b0 | |
Björn Esser | cb2f54a2c1 | |
Iker Pedrosa | cbc60528c3 | |
Iker Pedrosa | 1ec5088225 | |
Iker Pedrosa | 5292920d9b | |
Iker Pedrosa | 3e39e1d4e3 | |
Fedora Release Engineering | 4e14ecca65 | |
Tom Stellard | cc27294138 | |
Robert Scheck | 7abff5646c | |
ipedrosa | 4f395dd42d | |
Petr Lautrbach | b7aa9ac8ec | |
Ludwig Nussel | 9f643a3011 | |
Fedora Release Engineering | a222f7e825 | |
ipedrosa | 59585bb370 | |
ikerexxe | a66f10a891 | |
ikerexxe | b926b118d9 | |
ikerexxe | 7309a53c2a | |
ikerexxe | f5a51331fe | |
Fedora Release Engineering | c44360b6f9 | |
Tomas Mraz | a1cd6a4b05 | |
Tomas Mraz | fd2aa2917b | |
Tomas Mraz | 88156a4067 | |
Tomas Mraz | b76250c68a |
|
@ -10,3 +10,11 @@ shadow-4.1.4.2.tar.bz2
|
|||
/shadow-4.5.tar.xz.asc
|
||||
/shadow-4.6.tar.xz
|
||||
/shadow-4.6.tar.xz.asc
|
||||
/shadow-4.8.tar.xz
|
||||
/shadow-4.8.tar.xz.asc
|
||||
/shadow-4.8.1.tar.xz
|
||||
/shadow-4.8.1.tar.xz.asc
|
||||
/shadow-4.9.tar.xz
|
||||
/shadow-4.9.tar.xz.asc
|
||||
/shadow-4.11.1.tar.xz
|
||||
/shadow-4.11.1.tar.xz.asc
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
Index: shadow-4.5/man/newusers.8.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/newusers.8.xml
|
||||
+++ shadow-4.5/man/newusers.8.xml
|
||||
@@ -218,7 +218,15 @@
|
||||
<para>
|
||||
If this field does not specify an existing directory, the
|
||||
specified directory is created, with ownership set to the
|
||||
- user being created or updated and its primary group.
|
||||
+ user being created or updated and its primary group. Note
|
||||
+ that newusers does not create parent directories of the new
|
||||
+ user's home directory. The newusers command will fail to
|
||||
+ create the home directory if the parent directories do not
|
||||
+ exist, and will send a message to stderr informing the user
|
||||
+ of the failure. The newusers command will not halt or return
|
||||
+ a failure to the calling shell if it fails to create the home
|
||||
+ directory, it will continue to process the batch of new users
|
||||
+ specified.
|
||||
</para>
|
||||
<para>
|
||||
If the home directory of an existing user is changed,
|
|
@ -1,13 +0,0 @@
|
|||
Index: shadow-4.5/src/useradd.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/useradd.c
|
||||
+++ shadow-4.5/src/useradd.c
|
||||
@@ -323,7 +323,7 @@ static void fail_exit (int code)
|
||||
user_name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
|
||||
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
|
||||
exit (code);
|
||||
}
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
Index: shadow-4.5/src/userdel.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/userdel.c
|
||||
+++ shadow-4.5/src/userdel.c
|
||||
@@ -143,8 +143,9 @@ static void usage (int status)
|
||||
"\n"
|
||||
"Options:\n"),
|
||||
Prog);
|
||||
- (void) fputs (_(" -f, --force force removal of files,\n"
|
||||
- " even if not owned by user\n"),
|
||||
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
|
||||
+ " e.g. removal of user still logged in\n"
|
||||
+ " or files, even if not owned by the user\n"),
|
||||
usageout);
|
||||
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
|
||||
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,22 @@
|
|||
diff -up shadow-4.11.1/src/chage.c.null-tm shadow-4.11.1/src/chage.c
|
||||
diff -up shadow-4.11.1/src/lastlog.c.null-tm shadow-4.11.1/src/lastlog.c
|
||||
--- shadow-4.11.1/src/lastlog.c.null-tm 2022-01-03 15:31:56.348555620 +0100
|
||||
+++ shadow-4.11.1/src/lastlog.c 2022-01-03 15:38:41.262229024 +0100
|
||||
@@ -151,9 +151,12 @@ static void print_one (/*@null@*/const s
|
||||
|
||||
ll_time = ll.ll_time;
|
||||
tm = localtime (&ll_time);
|
||||
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||
- cp = ptime;
|
||||
-
|
||||
+ if (tm == NULL) {
|
||||
+ cp = "(unknown)";
|
||||
+ } else {
|
||||
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||
+ cp = ptime;
|
||||
+ }
|
||||
if (ll.ll_time == (time_t) 0) {
|
||||
cp = _("**Never logged in**\0");
|
||||
}
|
||||
diff -up shadow-4.11.1/src/passwd.c.null-tm shadow-4.11.1/src/passwd.c
|
||||
diff -up shadow-4.11.1/src/usermod.c.null-tm shadow-4.11.1/src/usermod.c
|
|
@ -1,16 +1,16 @@
|
|||
diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200
|
||||
@@ -98,7 +98,7 @@ const char *Prog;
|
||||
static gid_t def_group = 100;
|
||||
diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
|
||||
--- shadow-4.11.1/src/useradd.c.redhat 2022-01-03 01:46:53.000000000 +0100
|
||||
+++ shadow-4.11.1/src/useradd.c 2022-01-03 14:53:12.988484829 +0100
|
||||
@@ -82,7 +82,7 @@ const char *Prog;
|
||||
static gid_t def_group = 1000;
|
||||
static const char *def_gname = "other";
|
||||
static const char *def_home = "/home";
|
||||
-static const char *def_shell = "";
|
||||
-static const char *def_shell = "/bin/bash";
|
||||
+static const char *def_shell = "/sbin/nologin";
|
||||
static const char *def_template = SKEL_DIR;
|
||||
static const char *def_create_mail_spool = "no";
|
||||
|
||||
@@ -108,7 +108,7 @@ static const char *def_expire = "";
|
||||
static const char *def_create_mail_spool = "yes";
|
||||
static const char *def_log_init = "yes";
|
||||
@@ -93,7 +93,7 @@ static const char *def_expire = "";
|
||||
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
||||
|
||||
static const char *user_name = "";
|
||||
|
@ -19,7 +19,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
|
|||
static uid_t user_id;
|
||||
static gid_t user_gid;
|
||||
static const char *user_comment = "";
|
||||
@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
|
||||
@@ -1219,9 +1219,9 @@ static void process_flags (int argc, cha
|
||||
};
|
||||
while ((c = getopt_long (argc, argv,
|
||||
#ifdef WITH_SELINUX
|
||||
|
@ -31,7 +31,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
|
|||
#endif /* !WITH_SELINUX */
|
||||
long_options, NULL)) != -1) {
|
||||
switch (c) {
|
||||
@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
|
||||
@@ -1378,6 +1378,7 @@ static void process_flags (int argc, cha
|
||||
case 'M':
|
||||
Mflg = true;
|
||||
break;
|
|
@ -0,0 +1,40 @@
|
|||
From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Tue, 4 Jan 2022 13:06:00 +0100
|
||||
Subject: [PATCH] useradd: modify check ID range for system users
|
||||
|
||||
useradd warns that a system user ID less than SYS_UID_MIN is outside the
|
||||
expected range, even though that ID has been specifically selected with
|
||||
the "-u" option.
|
||||
|
||||
In my opinion all the user ID's below SYS_UID_MAX are for the system,
|
||||
thus I change the condition to take that into account.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
src/useradd.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index 34376fa5..4c71c38a 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
|
||||
uid_t uid_min ;
|
||||
uid_t uid_max ;
|
||||
if (rflg) {
|
||||
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
|
||||
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
|
||||
- if (uid_min <= uid_max) {
|
||||
- if (user_id < uid_min || user_id >uid_max)
|
||||
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
|
||||
+ if (user_id > uid_max) {
|
||||
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
|
||||
}
|
||||
}else{
|
||||
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
|
||||
--
|
||||
2.37.1
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
Index: shadow-4.5/lib/commonio.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/lib/commonio.c
|
||||
+++ shadow-4.5/lib/commonio.c
|
||||
@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
|
||||
int retval;
|
||||
char buf[32];
|
||||
|
||||
- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
|
||||
+ /* We depend here on the fact, that the file name is pid-specific.
|
||||
+ * So no O_EXCL here and no DoS.
|
||||
+ */
|
||||
+ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
|
||||
if (-1 == fd) {
|
||||
if (log) {
|
||||
(void) fprintf (stderr,
|
|
@ -1,91 +0,0 @@
|
|||
Index: shadow-4.5/src/faillog.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/faillog.c
|
||||
+++ shadow-4.5/src/faillog.c
|
||||
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
|
||||
}
|
||||
|
||||
tm = localtime (&fl.fail_time);
|
||||
+ if (tm == NULL) {
|
||||
+ cp = "(unknown)";
|
||||
+ } else {
|
||||
#ifdef HAVE_STRFTIME
|
||||
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
|
||||
- cp = ptime;
|
||||
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
|
||||
+ cp = ptime;
|
||||
#endif
|
||||
+ }
|
||||
printf ("%-9s %5d %5d ",
|
||||
pw->pw_name, fl.fail_cnt, fl.fail_max);
|
||||
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
|
||||
Index: shadow-4.5/src/chage.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/chage.c
|
||||
+++ shadow-4.5/src/chage.c
|
||||
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
|
||||
struct tm *tp;
|
||||
|
||||
tp = gmtime (&date);
|
||||
+ if (tp == NULL) {
|
||||
+ (void) snprintf (buf, maxsize, "(unknown)");
|
||||
+ return;
|
||||
+ }
|
||||
#ifdef HAVE_STRFTIME
|
||||
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
|
||||
#else
|
||||
Index: shadow-4.5/src/lastlog.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/lastlog.c
|
||||
+++ shadow-4.5/src/lastlog.c
|
||||
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
|
||||
|
||||
ll_time = ll.ll_time;
|
||||
tm = localtime (&ll_time);
|
||||
+ if (tm == NULL) {
|
||||
+ cp = "(unknown)";
|
||||
+ } else {
|
||||
#ifdef HAVE_STRFTIME
|
||||
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||
- cp = ptime;
|
||||
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||
+ cp = ptime;
|
||||
#else
|
||||
- cp = asctime (tm);
|
||||
- cp[24] = '\0';
|
||||
+ cp = asctime (tm);
|
||||
+ cp[24] = '\0';
|
||||
#endif
|
||||
+ }
|
||||
|
||||
if (ll.ll_time == (time_t) 0) {
|
||||
cp = _("**Never logged in**\0");
|
||||
Index: shadow-4.5/src/passwd.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/passwd.c
|
||||
+++ shadow-4.5/src/passwd.c
|
||||
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
|
||||
struct tm *tm;
|
||||
|
||||
tm = gmtime (&t);
|
||||
+ if (tm == NULL) {
|
||||
+ return "(unknown)";
|
||||
+ }
|
||||
#ifdef HAVE_STRFTIME
|
||||
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
|
||||
#else /* !HAVE_STRFTIME */
|
||||
Index: shadow-4.5/src/usermod.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/usermod.c
|
||||
+++ shadow-4.5/src/usermod.c
|
||||
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
|
||||
} else {
|
||||
time_t t = (time_t) date;
|
||||
tp = gmtime (&t);
|
||||
+ if (tp == NULL) {
|
||||
+ strncpy (buf, "unknown", maxsize);
|
||||
+ return;
|
||||
+ }
|
||||
#ifdef HAVE_STRFTIME
|
||||
strftime (buf, maxsize, "%Y-%m-%d", tp);
|
||||
#else
|
|
@ -1,349 +0,0 @@
|
|||
Index: shadow-4.5/man/groupmems.8.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/groupmems.8.xml
|
||||
+++ shadow-4.5/man/groupmems.8.xml
|
||||
@@ -179,20 +179,10 @@
|
||||
<refsect1 id='setup'>
|
||||
<title>SETUP</title>
|
||||
<para>
|
||||
- The <command>groupmems</command> executable should be in mode
|
||||
- <literal>2770</literal> as user <emphasis>root</emphasis> and in group
|
||||
- <emphasis>groups</emphasis>. The system administrator can add users to
|
||||
- group <emphasis>groups</emphasis> to allow or disallow them using the
|
||||
- <command>groupmems</command> utility to manage their own group
|
||||
- membership list.
|
||||
+ In this operating system the <command>groupmems</command> executable
|
||||
+ is not setuid and regular users cannot use it to manipulate
|
||||
+ the membership of their own group.
|
||||
</para>
|
||||
-
|
||||
- <programlisting>
|
||||
- $ groupadd -r groups
|
||||
- $ chmod 2770 groupmems
|
||||
- $ chown root.groups groupmems
|
||||
- $ groupmems -g groups -a gk4
|
||||
- </programlisting>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id='configuration'>
|
||||
Index: shadow-4.5/man/chage.1.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/chage.1.xml
|
||||
+++ shadow-4.5/man/chage.1.xml
|
||||
@@ -102,6 +102,9 @@
|
||||
Set the number of days since January 1st, 1970 when the password
|
||||
was last changed. The date may also be expressed in the format
|
||||
YYYY-MM-DD (or the format more commonly used in your area).
|
||||
+ If the <replaceable>LAST_DAY</replaceable> is set to
|
||||
+ <emphasis>0</emphasis> the user is forced to change his password
|
||||
+ on the next log on.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -119,6 +122,13 @@
|
||||
system again.
|
||||
</para>
|
||||
<para>
|
||||
+ For example the following can be used to set an account to expire
|
||||
+ in 180 days:
|
||||
+ </para>
|
||||
+ <programlisting>
|
||||
+ chage -E $(date -d +180days +%Y-%m-%d)
|
||||
+ </programlisting>
|
||||
+ <para>
|
||||
Passing the number <emphasis remap='I'>-1</emphasis> as the
|
||||
<replaceable>EXPIRE_DATE</replaceable> will remove an account
|
||||
expiration date.
|
||||
@@ -233,6 +243,18 @@
|
||||
The <command>chage</command> program requires a shadow password file to
|
||||
be available.
|
||||
</para>
|
||||
+ <para>
|
||||
+ The chage program will report only the information from the shadow
|
||||
+ password file. This implies that configuration from other sources
|
||||
+ (e.g. LDAP or empty password hash field from the passwd file) that
|
||||
+ affect the user's login will not be shown in the chage output.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The <command>chage</command> program will also not report any
|
||||
+ inconsistency between the shadow and passwd files (e.g. missing x in
|
||||
+ the passwd file). The <command>pwck</command> can be used to check
|
||||
+ for this kind of inconsistencies.
|
||||
+ </para>
|
||||
<para>The <command>chage</command> command is restricted to the root
|
||||
user, except for the <option>-l</option> option, which may be used by
|
||||
an unprivileged user to determine when their password or account is due
|
||||
Index: shadow-4.5/man/ja/man5/login.defs.5
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/ja/man5/login.defs.5
|
||||
+++ shadow-4.5/man/ja/man5/login.defs.5
|
||||
@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_
|
||||
shadow パスワード機能のどのプログラムが
|
||||
どのパラメータを使用するかを示したものである。
|
||||
.na
|
||||
-.IP chfn 12
|
||||
-CHFN_AUTH CHFN_RESTRICT
|
||||
-.IP chsh 12
|
||||
-CHFN_AUTH
|
||||
.IP groupadd 12
|
||||
GID_MAX GID_MIN
|
||||
.IP newusers 12
|
||||
Index: shadow-4.5/man/login.defs.5.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/login.defs.5.xml
|
||||
+++ shadow-4.5/man/login.defs.5.xml
|
||||
@@ -162,6 +162,17 @@
|
||||
long numeric parameters is machine-dependent.
|
||||
</para>
|
||||
|
||||
+ <para>
|
||||
+ Please note that the parameters in this configuration file control the
|
||||
+ behavior of the tools from the shadow-utils component. None of these
|
||||
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
||||
+ passwd command) should be configured elsewhere. The only values that
|
||||
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
|
||||
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
|
||||
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
|
||||
+ pam(8) for more information.
|
||||
+ </para>
|
||||
+
|
||||
<para>The following configuration items are provided:</para>
|
||||
|
||||
<variablelist remap='IP'>
|
||||
@@ -252,16 +263,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term>chfn</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CHFN_AUTH</phrase>
|
||||
- CHFN_RESTRICT
|
||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
- <varlistentry>
|
||||
<term>chgpasswd</term>
|
||||
<listitem>
|
||||
<para>
|
||||
@@ -282,14 +283,6 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry condition="no_pam">
|
||||
- <term>chsh</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- CHSH_AUTH LOGIN_STRING
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
|
||||
<!-- faillog: no variables -->
|
||||
<varlistentry>
|
||||
@@ -350,34 +343,6 @@
|
||||
</varlistentry>
|
||||
<!-- id: no variables -->
|
||||
<!-- lastlog: no variables -->
|
||||
- <varlistentry>
|
||||
- <term>login</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||
- CONSOLE_GROUPS DEFAULT_HOME
|
||||
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
|
||||
- ENV_TZ ENVIRON_FILE</phrase>
|
||||
- ERASECHAR FAIL_DELAY
|
||||
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
|
||||
- FAKE_SHELL
|
||||
- <phrase condition="no_pam">FTMP_FILE</phrase>
|
||||
- HUSHLOGIN_FILE
|
||||
- <phrase condition="no_pam">ISSUE_FILE</phrase>
|
||||
- KILLCHAR
|
||||
- <phrase condition="no_pam">LASTLOG_ENAB</phrase>
|
||||
- LOGIN_RETRIES
|
||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
|
||||
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
|
||||
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
|
||||
- QUOTAS_ENAB</phrase>
|
||||
- TTYGROUP TTYPERM TTYTYPE_FILE
|
||||
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
|
||||
- USERGROUPS_ENAB
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<!-- logoutd: no variables -->
|
||||
<varlistentry>
|
||||
<term>newgrp / sg</term>
|
||||
@@ -405,17 +370,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<!-- nologin: no variables -->
|
||||
- <varlistentry condition="no_pam">
|
||||
- <term>passwd</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
|
||||
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
|
||||
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
|
||||
- SHA_CRYPT_MIN_ROUNDS</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<varlistentry>
|
||||
<term>pwck</term>
|
||||
<listitem>
|
||||
@@ -442,32 +396,6 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry>
|
||||
- <term>su</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||
- CONSOLE_GROUPS DEFAULT_HOME
|
||||
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
|
||||
- ENV_PATH ENV_SUPATH
|
||||
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
|
||||
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
|
||||
- SULOG_FILE SU_NAME
|
||||
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
|
||||
- SYSLOG_SU_ENAB
|
||||
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
- <varlistentry>
|
||||
- <term>sulogin</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- ENV_HZ
|
||||
- <phrase condition="no_pam">ENV_TZ</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<varlistentry>
|
||||
<term>useradd</term>
|
||||
<listitem>
|
||||
Index: shadow-4.5/man/shadow.5.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/shadow.5.xml
|
||||
+++ shadow-4.5/man/shadow.5.xml
|
||||
@@ -129,7 +129,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
The date of the last password change, expressed as the number
|
||||
- of days since Jan 1, 1970.
|
||||
+ of days since Jan 1, 1970 00:00 UTC.
|
||||
</para>
|
||||
<para>
|
||||
The value 0 has a special meaning, which is that the user
|
||||
@@ -208,8 +208,8 @@
|
||||
</para>
|
||||
<para>
|
||||
After expiration of the password and this expiration period is
|
||||
- elapsed, no login is possible using the current user's
|
||||
- password. The user should contact her administrator.
|
||||
+ elapsed, no login is possible for the user.
|
||||
+ The user should contact her administrator.
|
||||
</para>
|
||||
<para>
|
||||
An empty field means that there are no enforcement of an
|
||||
@@ -224,7 +224,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
The date of expiration of the account, expressed as the number
|
||||
- of days since Jan 1, 1970.
|
||||
+ of days since Jan 1, 1970 00:00 UTC.
|
||||
</para>
|
||||
<para>
|
||||
Note that an account expiration differs from a password
|
||||
Index: shadow-4.5/man/useradd.8.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/useradd.8.xml
|
||||
+++ shadow-4.5/man/useradd.8.xml
|
||||
@@ -347,6 +347,11 @@
|
||||
<option>CREATE_HOME</option> is not enabled, no home
|
||||
directories are created.
|
||||
</para>
|
||||
+ <para>
|
||||
+ The directory where the user's home directory is created must
|
||||
+ exist and have proper SELinux context and permissions. Otherwise
|
||||
+ the user's home directory cannot be created or accessed.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
Index: shadow-4.5/man/usermod.8.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/usermod.8.xml
|
||||
+++ shadow-4.5/man/usermod.8.xml
|
||||
@@ -132,7 +132,8 @@
|
||||
If the <option>-m</option>
|
||||
option is given, the contents of the current home directory will
|
||||
be moved to the new home directory, which is created if it does
|
||||
- not already exist.
|
||||
+ not already exist. If the current home directory does not exist
|
||||
+ the new home directory will not be created.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -256,7 +257,8 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Move the content of the user's home directory to the new
|
||||
- location.
|
||||
+ location. If the current home directory does not exist
|
||||
+ the new home directory will not be created.
|
||||
</para>
|
||||
<para>
|
||||
This option is only valid in combination with the
|
||||
diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml
|
||||
index 01ace007..93fe7421 100644
|
||||
--- a/man/login.defs.d/SUB_GID_COUNT.xml
|
||||
+++ b/man/login.defs.d/SUB_GID_COUNT.xml
|
||||
@@ -42,7 +42,7 @@
|
||||
<para>
|
||||
The default values for <option>SUB_GID_MIN</option>,
|
||||
<option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
|
||||
- are respectively 100000, 600100000 and 10000.
|
||||
+ are respectively 100000, 600100000 and 65536.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
|
||||
index 5ad812f7..516417b7 100644
|
||||
--- a/man/login.defs.d/SUB_UID_COUNT.xml
|
||||
+++ b/man/login.defs.d/SUB_UID_COUNT.xml
|
||||
@@ -42,7 +42,7 @@
|
||||
<para>
|
||||
The default values for <option>SUB_UID_MIN</option>,
|
||||
<option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
|
||||
- are respectively 100000, 600100000 and 10000.
|
||||
+ are respectively 100000, 600100000 and 65536.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
|
||||
--- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200
|
||||
+++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200
|
||||
@@ -320,13 +320,13 @@
|
||||
<varlistentry>
|
||||
<term><replaceable>4</replaceable></term>
|
||||
<listitem>
|
||||
- <para>GID not unique (when <option>-o</option> not used)</para>
|
||||
+ <para>GID is already used (when called without <option>-o</option>)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><replaceable>9</replaceable></term>
|
||||
<listitem>
|
||||
- <para>group name not unique</para>
|
||||
+ <para>group name is already used</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
Index: shadow-4.5/configure.ac
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/configure.ac
|
||||
+++ shadow-4.5/configure.ac
|
||||
@@ -32,9 +32,9 @@ AC_HEADER_STDC
|
||||
AC_HEADER_SYS_WAIT
|
||||
AC_HEADER_STDBOOL
|
||||
|
||||
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
|
||||
- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
|
||||
- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
|
||||
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
|
||||
+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
|
||||
+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
|
||||
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
|
||||
attr/error_context.h)
|
||||
|
||||
Index: shadow-4.5/lib/defines.h
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/lib/defines.h
|
||||
+++ shadow-4.5/lib/defines.h
|
||||
@@ -4,6 +4,8 @@
|
||||
#ifndef _DEFINES_H_
|
||||
#define _DEFINES_H_
|
||||
|
||||
+#include "config.h"
|
||||
+
|
||||
#if HAVE_STDBOOL_H
|
||||
# include <stdbool.h>
|
||||
#else
|
||||
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
|
||||
# include <unistd.h>
|
||||
#endif
|
||||
|
||||
+#if HAVE_CRYPT_H
|
||||
+# include <crypt.h> /* crypt(3) may be defined in here */
|
||||
+#endif
|
||||
+
|
||||
#if TIME_WITH_SYS_TIME
|
||||
# include <sys/time.h>
|
||||
# include <time.h>
|
|
@ -1,44 +0,0 @@
|
|||
diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
|
||||
--- shadow-4.6/man/usermod.8.xml.chgrp-guard 2018-11-06 09:08:54.170095358 +0100
|
||||
+++ shadow-4.6/man/usermod.8.xml 2018-12-18 15:24:12.283181180 +0100
|
||||
@@ -195,6 +195,12 @@
|
||||
The group ownership of files outside of the user's home directory
|
||||
must be fixed manually.
|
||||
</para>
|
||||
+ <para>
|
||||
+ The change of the group ownership of files inside of the user's
|
||||
+ home directory is also not done if the home dir owner uid is
|
||||
+ different from the current or new user id. This is safety measure
|
||||
+ for special home directories such as <filename>/</filename>.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
@@ -372,6 +378,12 @@
|
||||
must be fixed manually.
|
||||
</para>
|
||||
<para>
|
||||
+ The change of the user ownership of files inside of the user's
|
||||
+ home directory is also not done if the home dir owner uid is
|
||||
+ different from the current or new user id. This is safety measure
|
||||
+ for special home directories such as <filename>/</filename>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
No checks will be performed with regard to the
|
||||
<option>UID_MIN</option>, <option>UID_MAX</option>,
|
||||
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
|
||||
diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
|
||||
--- shadow-4.6/src/usermod.c.chgrp-guard 2018-12-18 15:24:12.286181249 +0100
|
||||
+++ shadow-4.6/src/usermod.c 2018-12-18 15:26:51.227841435 +0100
|
||||
@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
if (!mflg && (uflg || gflg)) {
|
||||
- if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
|
||||
+ struct stat sb;
|
||||
+
|
||||
+ if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
|
||||
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
|
||||
/*
|
||||
* Change the UID on all of the files owned by
|
||||
* `user_id' to `user_newid' in the user's home
|
|
@ -1,223 +0,0 @@
|
|||
diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
|
||||
--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200
|
||||
+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200
|
||||
@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
|
||||
char* lock = NULL;
|
||||
size_t lock_file_len;
|
||||
size_t file_len;
|
||||
- int err;
|
||||
+ int err = 0;
|
||||
|
||||
if (db->locked) {
|
||||
return 1;
|
||||
@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
|
||||
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
|
||||
file = (char*)malloc(file_len);
|
||||
if(file == NULL) {
|
||||
- err = ENOMEM;
|
||||
goto cleanup_ENOMEM;
|
||||
}
|
||||
lock = (char*)malloc(lock_file_len);
|
||||
if(lock == NULL) {
|
||||
- err = ENOMEM;
|
||||
goto cleanup_ENOMEM;
|
||||
}
|
||||
snprintf (file, file_len, "%s.%lu",
|
||||
diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
|
||||
--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200
|
||||
@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
|
||||
static bool is_listed (const char *cfgin, const char *tty, bool def)
|
||||
{
|
||||
FILE *fp;
|
||||
- char buf[200], *s;
|
||||
+ char buf[1024], *s;
|
||||
const char *cons;
|
||||
|
||||
/*
|
||||
@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
|
||||
|
||||
if (*cons != '/') {
|
||||
char *pbuf;
|
||||
- strcpy (buf, cons);
|
||||
+ strncpy (buf, cons, sizeof (buf));
|
||||
+ buf[sizeof (buf) - 1] = '\0';
|
||||
pbuf = &buf[0];
|
||||
while ((s = strtok (pbuf, ":")) != NULL) {
|
||||
if (strcmp (s, tty) == 0) {
|
||||
diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
|
||||
--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200
|
||||
+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200
|
||||
@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
|
||||
do {
|
||||
wpid = waitpid (pid, status, 0);
|
||||
} while ( ((pid_t)-1 == wpid && errno == EINTR)
|
||||
- || (wpid != pid));
|
||||
+ || ((pid_t)-1 != wpid && wpid != pid));
|
||||
|
||||
if ((pid_t)-1 == wpid) {
|
||||
fprintf (stderr, "%s: waitpid (status: %d): %s\n",
|
||||
diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200
|
||||
@@ -314,7 +314,7 @@ static void fail_exit (int code)
|
||||
static void get_defaults (void)
|
||||
{
|
||||
FILE *fp;
|
||||
- char* default_file = USER_DEFAULTS_FILE;
|
||||
+ char *default_file = USER_DEFAULTS_FILE;
|
||||
char buf[1024];
|
||||
char *cp;
|
||||
|
||||
@@ -324,6 +324,8 @@ static void get_defaults (void)
|
||||
|
||||
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
|
||||
default_file = malloc(len);
|
||||
+ if (default_file == NULL)
|
||||
+ return;
|
||||
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
|
||||
assert (wlen == (int) len -1);
|
||||
}
|
||||
@@ -334,7 +336,7 @@ static void get_defaults (void)
|
||||
|
||||
fp = fopen (default_file, "r");
|
||||
if (NULL == fp) {
|
||||
- return;
|
||||
+ goto getdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -445,7 +447,7 @@ static void get_defaults (void)
|
||||
}
|
||||
}
|
||||
(void) fclose (fp);
|
||||
-
|
||||
+ getdef_err:
|
||||
if(prefix[0]) {
|
||||
free(default_file);
|
||||
}
|
||||
@@ -480,8 +482,8 @@ static int set_defaults (void)
|
||||
FILE *ifp;
|
||||
FILE *ofp;
|
||||
char buf[1024];
|
||||
- char* new_file = NEW_USER_FILE;
|
||||
- char* default_file = USER_DEFAULTS_FILE;
|
||||
+ char *new_file = NULL;
|
||||
+ char *default_file = USER_DEFAULTS_FILE;
|
||||
char *cp;
|
||||
int ofd;
|
||||
int wlen;
|
||||
@@ -492,17 +494,30 @@ static int set_defaults (void)
|
||||
bool out_shell = false;
|
||||
bool out_skel = false;
|
||||
bool out_create_mail_spool = false;
|
||||
+ size_t len;
|
||||
+ int ret = -1;
|
||||
|
||||
- if(prefix[0]) {
|
||||
- size_t len;
|
||||
|
||||
- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
|
||||
- new_file = malloc(len);
|
||||
- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
|
||||
- assert (wlen == (int) len -1);
|
||||
+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
|
||||
+ new_file = malloc(len);
|
||||
+ if (new_file == NULL) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot create new defaults file: %s\n"),
|
||||
+ Prog, strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
|
||||
+ assert (wlen <= (int) len -1);
|
||||
|
||||
+ if(prefix[0]) {
|
||||
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
|
||||
default_file = malloc(len);
|
||||
+ if (default_file == NULL) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: cannot create new defaults file: %s\n"),
|
||||
+ Prog, strerror(errno));
|
||||
+ goto setdef_err;
|
||||
+ }
|
||||
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
|
||||
assert (wlen == (int) len -1);
|
||||
}
|
||||
@@ -515,7 +530,7 @@ static int set_defaults (void)
|
||||
fprintf (stderr,
|
||||
_("%s: cannot create new defaults file\n"),
|
||||
Prog);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
ofp = fdopen (ofd, "w");
|
||||
@@ -523,7 +538,7 @@ static int set_defaults (void)
|
||||
fprintf (stderr,
|
||||
_("%s: cannot open new defaults file\n"),
|
||||
Prog);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -550,7 +565,7 @@ static int set_defaults (void)
|
||||
_("%s: line too long in %s: %s..."),
|
||||
Prog, default_file, buf);
|
||||
(void) fclose (ifp);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -614,7 +629,7 @@ static int set_defaults (void)
|
||||
|| (fsync (fileno (ofp)) != 0)
|
||||
|| (fclose (ofp) != 0)) {
|
||||
unlink (new_file);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -629,7 +644,7 @@ static int set_defaults (void)
|
||||
_("%s: Cannot create backup file (%s): %s\n"),
|
||||
Prog, buf, strerror (err));
|
||||
unlink (new_file);
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -640,11 +655,11 @@ static int set_defaults (void)
|
||||
fprintf (stderr,
|
||||
_("%s: rename: %s: %s\n"),
|
||||
Prog, new_file, strerror (err));
|
||||
- return -1;
|
||||
+ goto setdef_err;
|
||||
}
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_USYS_CONFIG, Prog,
|
||||
- "changing-useradd-defaults",
|
||||
+ "changing useradd defaults",
|
||||
NULL, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_SUCCESS);
|
||||
#endif
|
||||
@@ -654,13 +669,14 @@ static int set_defaults (void)
|
||||
(unsigned int) def_group, def_home, def_shell,
|
||||
def_inactive, def_expire, def_template,
|
||||
def_create_mail_spool));
|
||||
-
|
||||
+ ret = 0;
|
||||
+ setdef_err:
|
||||
+ free(new_file);
|
||||
if(prefix[0]) {
|
||||
- free(new_file);
|
||||
free(default_file);
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
/*
|
|
@ -1,21 +0,0 @@
|
|||
diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
|
||||
--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
|
||||
+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
|
||||
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
|
||||
}
|
||||
return 0;
|
||||
error:
|
||||
- if (security_getenforce () != 0) {
|
||||
+ if (security_getenforce () > 0) {
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
|
||||
selinux_checked = true;
|
||||
}
|
||||
if (selinux_enabled) {
|
||||
- if (setfscreatecon (NULL) != 0) {
|
||||
+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
|
||||
return 1;
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
|
||||
--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
|
||||
@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
|
||||
{"KILLCHAR", NULL},
|
||||
{"LOGIN_RETRIES", NULL},
|
||||
{"LOGIN_TIMEOUT", NULL},
|
||||
+ {"LOGIN_PLAIN_PROMPT", NULL},
|
||||
{"LOG_OK_LOGINS", NULL},
|
||||
{"LOG_UNKFAIL_ENAB", NULL},
|
||||
{"MAIL_DIR", NULL},
|
|
@ -1,128 +0,0 @@
|
|||
diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
|
||||
--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
|
||||
snprintf (buf, sizeof buf, "%s-", db->filename);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (buf) != 0) {
|
||||
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||
errors++;
|
||||
}
|
||||
#endif
|
||||
@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
|
||||
snprintf (buf, sizeof buf, "%s+", db->filename);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (buf) != 0) {
|
||||
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||
errors++;
|
||||
}
|
||||
#endif
|
||||
diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
|
||||
--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
|
||||
*/
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
|
||||
}
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
free (oldlink);
|
||||
return -1;
|
||||
}
|
||||
@@ -684,7 +684,7 @@ static int copy_special (const char *src
|
||||
int err = 0;
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
|
||||
return -1;
|
||||
}
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (dst) != 0) {
|
||||
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
|
||||
--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
|
||||
|
||||
/* selinux.c */
|
||||
#ifdef WITH_SELINUX
|
||||
-extern int set_selinux_file_context (const char *dst_name);
|
||||
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
|
||||
extern int reset_selinux_file_context (void);
|
||||
#endif
|
||||
|
||||
diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
|
||||
--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200
|
||||
@@ -50,7 +50,7 @@ static bool selinux_enabled;
|
||||
* Callers may have to Reset SELinux to create files with default
|
||||
* contexts with reset_selinux_file_context
|
||||
*/
|
||||
-int set_selinux_file_context (const char *dst_name)
|
||||
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
|
||||
{
|
||||
/*@null@*/security_context_t scontext = NULL;
|
||||
|
||||
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
|
||||
if (selinux_enabled) {
|
||||
/* Get the default security context for this file */
|
||||
if (matchpathcon (dst_name, 0, &scontext) < 0) {
|
||||
- if (security_getenforce () != 0) {
|
||||
- return 1;
|
||||
- }
|
||||
+ /* We could not get the default, copy the original */
|
||||
+ if (orig_name == NULL)
|
||||
+ goto error;
|
||||
+ if (getfilecon (orig_name, &scontext) < 0)
|
||||
+ goto error;
|
||||
}
|
||||
/* Set the security context for the next created file */
|
||||
- if (setfscreatecon (scontext) < 0) {
|
||||
- if (security_getenforce () != 0) {
|
||||
- return 1;
|
||||
- }
|
||||
- }
|
||||
+ if (setfscreatecon (scontext) < 0)
|
||||
+ goto error;
|
||||
freecon (scontext);
|
||||
}
|
||||
return 0;
|
||||
+ error:
|
||||
+ if (security_getenforce () != 0) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200
|
||||
@@ -2020,7 +2020,7 @@ static void create_home (void)
|
||||
{
|
||||
if (access (prefix_user_home, F_OK) != 0) {
|
||||
#ifdef WITH_SELINUX
|
||||
- if (set_selinux_file_context (prefix_user_home) != 0) {
|
||||
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: cannot set SELinux context for home directory %s\n"),
|
||||
Prog, user_home);
|
|
@ -1,115 +0,0 @@
|
|||
diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
|
||||
--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200
|
||||
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
|
||||
|
||||
ret = 0;
|
||||
|
||||
+ /* drop obsolete matchpathcon cache */
|
||||
+ matchpathcon_fini();
|
||||
+
|
||||
done:
|
||||
semanage_seuser_key_free (key);
|
||||
semanage_handle_destroy (handle);
|
||||
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
+
|
||||
+ /* drop obsolete matchpathcon cache */
|
||||
+ matchpathcon_fini();
|
||||
+
|
||||
done:
|
||||
semanage_handle_destroy (handle);
|
||||
return ret;
|
||||
diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
|
||||
--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200
|
||||
+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200
|
||||
@@ -2120,6 +2120,7 @@ static void create_mail (void)
|
||||
*/
|
||||
int main (int argc, char **argv)
|
||||
{
|
||||
+ int rv = E_SUCCESS;
|
||||
#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
pam_handle_t *pamh = NULL;
|
||||
@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
|
||||
|
||||
usr_update ();
|
||||
|
||||
- if (mflg) {
|
||||
- create_home ();
|
||||
- if (home_added) {
|
||||
- copy_tree (def_template, prefix_user_home, false, false,
|
||||
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||
- } else {
|
||||
- fprintf (stderr,
|
||||
- _("%s: warning: the home directory already exists.\n"
|
||||
- "Not copying any file from skel directory into it.\n"),
|
||||
- Prog);
|
||||
- }
|
||||
-
|
||||
- }
|
||||
-
|
||||
- /* Do not create mail directory for system accounts */
|
||||
- if (!rflg) {
|
||||
- create_mail ();
|
||||
- }
|
||||
-
|
||||
close_files ();
|
||||
|
||||
+ nscd_flush_cache ("passwd");
|
||||
+ nscd_flush_cache ("group");
|
||||
+
|
||||
/*
|
||||
* tallylog_reset needs to be able to lookup
|
||||
* a valid existing user name,
|
||||
@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (Zflg) {
|
||||
- if (set_seuser (user_name, user_selinux) != 0) {
|
||||
+ if (Zflg && *user_selinux) {
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ if (set_seuser (user_name, user_selinux) != 0) {
|
||||
fprintf (stderr,
|
||||
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||
Prog, user_name, user_selinux);
|
||||
@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
|
||||
"adding SELinux user mapping",
|
||||
user_name, (unsigned int) user_id, 0);
|
||||
#endif /* WITH_AUDIT */
|
||||
- fail_exit (E_SE_UPDATE);
|
||||
+ rv = E_SE_UPDATE;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
-#endif /* WITH_SELINUX */
|
||||
+#endif
|
||||
|
||||
- nscd_flush_cache ("passwd");
|
||||
- nscd_flush_cache ("group");
|
||||
+ if (mflg) {
|
||||
+ create_home ();
|
||||
+ if (home_added) {
|
||||
+ copy_tree (def_template, prefix_user_home, false, true,
|
||||
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||
+ } else {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: warning: the home directory already exists.\n"
|
||||
+ "Not copying any file from skel directory into it.\n"),
|
||||
+ Prog);
|
||||
+ }
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ /* Do not create mail directory for system accounts */
|
||||
+ if (!rflg) {
|
||||
+ create_mail ();
|
||||
+ }
|
||||
|
||||
- return E_SUCCESS;
|
||||
+ return rv;
|
||||
}
|
||||
|
|
@ -1,641 +0,0 @@
|
|||
From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jakub.hrozek@posteo.se>
|
||||
Date: Wed, 12 Sep 2018 14:22:11 +0200
|
||||
Subject: [PATCH] Flush sssd caches in addition to nscd caches
|
||||
|
||||
Some distributions, notably Fedora, have the following order of nsswitch
|
||||
modules by default:
|
||||
passwd: sss files
|
||||
group: sss files
|
||||
|
||||
The advantage of serving local users through SSSD is that the nss_sss
|
||||
module has a fast mmapped-cache that speeds up NSS lookups compared to
|
||||
accessing the disk an opening the files on each NSS request.
|
||||
|
||||
Traditionally, this has been done with the help of nscd, but using nscd
|
||||
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
|
||||
independent caching, so using nscd in setups where sssd is also serving
|
||||
users from some remote domain (LDAP, AD, ...) can result in a bit of
|
||||
unpredictability.
|
||||
|
||||
More details about why Fedora chose to use sss before files can be found
|
||||
on e.g.:
|
||||
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
|
||||
or:
|
||||
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
|
||||
|
||||
Now, even though sssd watches the passwd and group files with the help
|
||||
of inotify, there can still be a small window where someone requests a
|
||||
user or a group, finds that it doesn't exist, adds the entry and checks
|
||||
again. Without some support in shadow-utils that would explicitly drop
|
||||
the sssd caches, the inotify watch can fire a little late, so a
|
||||
combination of commands like this:
|
||||
getent passwd user || useradd user; getent passwd user
|
||||
can result in the second getent passwd not finding the newly added user
|
||||
as the racy behaviour might still return the cached negative hit from
|
||||
the first getent passwd.
|
||||
|
||||
This patch more or less copies the already existing support that
|
||||
shadow-utils had for dropping nscd caches, except using the "sss_cache"
|
||||
tool that sssd ships.
|
||||
---
|
||||
configure.ac | 10 +++++++
|
||||
lib/Makefile.am | 2 ++
|
||||
lib/commonio.c | 2 ++
|
||||
lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
lib/sssd.h | 17 +++++++++++
|
||||
src/chfn.c | 2 ++
|
||||
src/chgpasswd.c | 2 ++
|
||||
src/chpasswd.c | 2 ++
|
||||
src/chsh.c | 2 ++
|
||||
src/gpasswd.c | 2 ++
|
||||
src/groupadd.c | 2 ++
|
||||
src/groupdel.c | 2 ++
|
||||
src/groupmod.c | 2 ++
|
||||
src/grpck.c | 2 ++
|
||||
src/grpconv.c | 2 ++
|
||||
src/grpunconv.c | 2 ++
|
||||
src/newusers.c | 2 ++
|
||||
src/passwd.c | 2 ++
|
||||
src/pwck.c | 2 ++
|
||||
src/pwconv.c | 2 ++
|
||||
src/pwunconv.c | 2 ++
|
||||
src/useradd.c | 2 ++
|
||||
src/userdel.c | 2 ++
|
||||
src/usermod.c | 2 ++
|
||||
src/vipw.c | 2 ++
|
||||
25 files changed, 146 insertions(+)
|
||||
create mode 100644 lib/sssd.c
|
||||
create mode 100644 lib/sssd.h
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 41068a5d..10ad70cf 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
|
||||
AC_ARG_WITH(nscd,
|
||||
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
|
||||
[with_nscd=$withval], [with_nscd=yes])
|
||||
+AC_ARG_WITH(sssd,
|
||||
+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
|
||||
+ [with_sssd=$withval], [with_sssd=yes])
|
||||
AC_ARG_WITH(group-name-max-length,
|
||||
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
|
||||
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
|
||||
@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
|
||||
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
|
||||
fi
|
||||
|
||||
+if test "$with_sssd" = "yes"; then
|
||||
+ AC_CHECK_FUNC(posix_spawn,
|
||||
+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
|
||||
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
|
||||
+fi
|
||||
+
|
||||
dnl Check for some functions in libc first, only if not found check for
|
||||
dnl other libraries. This should prevent linking libnsl if not really
|
||||
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
|
||||
@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp"
|
||||
echo " S/Key support: $with_skey"
|
||||
echo " SHA passwords encryption: $with_sha_crypt"
|
||||
echo " nscd support: $with_nscd"
|
||||
+echo " sssd support: $with_sssd"
|
||||
echo " subordinate IDs support: $enable_subids"
|
||||
echo
|
||||
diff --git a/lib/Makefile.am b/lib/Makefile.am
|
||||
index 6db86cd6..fd634542 100644
|
||||
--- a/lib/Makefile.am
|
||||
+++ b/lib/Makefile.am
|
||||
@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
|
||||
lockpw.c \
|
||||
nscd.c \
|
||||
nscd.h \
|
||||
+ sssd.c \
|
||||
+ sssd.h \
|
||||
pam_defs.h \
|
||||
port.c \
|
||||
port.h \
|
||||
diff --git a/lib/commonio.c b/lib/commonio.c
|
||||
index d06b8e7d..96f2d5f7 100644
|
||||
--- a/lib/commonio.c
|
||||
+++ b/lib/commonio.c
|
||||
@@ -45,6 +45,7 @@
|
||||
#include <stdio.h>
|
||||
#include <signal.h>
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#ifdef WITH_TCB
|
||||
#include <tcb.h>
|
||||
#endif /* WITH_TCB */
|
||||
@@ -485,6 +486,7 @@ static void dec_lock_count (void)
|
||||
if (nscd_need_reload) {
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
nscd_need_reload = false;
|
||||
}
|
||||
#ifdef HAVE_LCKPWDF
|
||||
diff --git a/lib/sssd.c b/lib/sssd.c
|
||||
new file mode 100644
|
||||
index 00000000..80e49e55
|
||||
--- /dev/null
|
||||
+++ b/lib/sssd.c
|
||||
@@ -0,0 +1,75 @@
|
||||
+/* Author: Peter Vrabec <pvrabec@redhat.com> */
|
||||
+
|
||||
+#include <config.h>
|
||||
+#ifdef USE_SSSD
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <sys/wait.h>
|
||||
+#include <sys/types.h>
|
||||
+#include "exitcodes.h"
|
||||
+#include "defines.h"
|
||||
+#include "prototypes.h"
|
||||
+#include "sssd.h"
|
||||
+
|
||||
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
|
||||
+
|
||||
+int sssd_flush_cache (int dbflags)
|
||||
+{
|
||||
+ int status, code, rv;
|
||||
+ const char *cmd = "/usr/sbin/sss_cache";
|
||||
+ char *sss_cache_args = NULL;
|
||||
+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
|
||||
+ const char *spawnedEnv[] = {NULL};
|
||||
+ int i = 0;
|
||||
+
|
||||
+ sss_cache_args = malloc(4);
|
||||
+ if (sss_cache_args == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ sss_cache_args[i++] = '-';
|
||||
+ if (dbflags & SSSD_DB_PASSWD) {
|
||||
+ sss_cache_args[i++] = 'U';
|
||||
+ }
|
||||
+ if (dbflags & SSSD_DB_GROUP) {
|
||||
+ sss_cache_args[i++] = 'G';
|
||||
+ }
|
||||
+ sss_cache_args[i++] = '\0';
|
||||
+ if (i == 2) {
|
||||
+ /* Neither passwd nor group, nothing to do */
|
||||
+ free(sss_cache_args);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ spawnedArgs[1] = sss_cache_args;
|
||||
+
|
||||
+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
|
||||
+ free(sss_cache_args);
|
||||
+ if (rv != 0) {
|
||||
+ /* run_command writes its own more detailed message. */
|
||||
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ code = WEXITSTATUS (status);
|
||||
+ if (!WIFEXITED (status)) {
|
||||
+ (void) fprintf (stderr,
|
||||
+ _("%s: sss_cache did not terminate normally (signal %d)\n"),
|
||||
+ Prog, WTERMSIG (status));
|
||||
+ return -1;
|
||||
+ } else if (code == E_CMD_NOTFOUND) {
|
||||
+ /* sss_cache is not installed, or it is installed but uses an
|
||||
+ interpreter that is missing. Probably the former. */
|
||||
+ return 0;
|
||||
+ } else if (code != 0) {
|
||||
+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
|
||||
+ Prog, code);
|
||||
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+#else /* USE_SSSD */
|
||||
+extern int errno; /* warning: ANSI C forbids an empty source file */
|
||||
+#endif /* USE_SSSD */
|
||||
+
|
||||
diff --git a/lib/sssd.h b/lib/sssd.h
|
||||
new file mode 100644
|
||||
index 00000000..00ff2a8a
|
||||
--- /dev/null
|
||||
+++ b/lib/sssd.h
|
||||
@@ -0,0 +1,17 @@
|
||||
+#ifndef _SSSD_H_
|
||||
+#define _SSSD_H_
|
||||
+
|
||||
+#define SSSD_DB_PASSWD 0x001
|
||||
+#define SSSD_DB_GROUP 0x002
|
||||
+
|
||||
+/*
|
||||
+ * sssd_flush_cache - flush specified service buffer in sssd cache
|
||||
+ */
|
||||
+#ifdef USE_SSSD
|
||||
+extern int sssd_flush_cache (int dbflags);
|
||||
+#else
|
||||
+#define sssd_flush_cache(service) (0)
|
||||
+#endif
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/src/chfn.c b/src/chfn.c
|
||||
index 18aa3de7..0725e1c7 100644
|
||||
--- a/src/chfn.c
|
||||
+++ b/src/chfn.c
|
||||
@@ -47,6 +47,7 @@
|
||||
#include "defines.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
#endif
|
||||
@@ -746,6 +747,7 @@ int main (int argc, char **argv)
|
||||
SYSLOG ((LOG_INFO, "changed user '%s' information", user));
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
closelog ();
|
||||
exit (E_SUCCESS);
|
||||
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
|
||||
index 13203a46..e5f2eb7e 100644
|
||||
--- a/src/chgpasswd.c
|
||||
+++ b/src/chgpasswd.c
|
||||
@@ -46,6 +46,7 @@
|
||||
#endif /* ACCT_TOOLS_SETUID */
|
||||
#include "defines.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "groupio.h"
|
||||
#ifdef SHADOWGRP
|
||||
@@ -581,6 +582,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return (0);
|
||||
}
|
||||
diff --git a/src/chpasswd.c b/src/chpasswd.c
|
||||
index 918b27ee..49e79cdb 100644
|
||||
--- a/src/chpasswd.c
|
||||
+++ b/src/chpasswd.c
|
||||
@@ -44,6 +44,7 @@
|
||||
#endif /* USE_PAM */
|
||||
#include "defines.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "getdef.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwio.h"
|
||||
@@ -624,6 +625,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
return (0);
|
||||
}
|
||||
diff --git a/src/chsh.c b/src/chsh.c
|
||||
index c89708b9..910e3dd4 100644
|
||||
--- a/src/chsh.c
|
||||
+++ b/src/chsh.c
|
||||
@@ -46,6 +46,7 @@
|
||||
#include "defines.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -557,6 +558,7 @@ int main (int argc, char **argv)
|
||||
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
closelog ();
|
||||
exit (E_SUCCESS);
|
||||
diff --git a/src/gpasswd.c b/src/gpasswd.c
|
||||
index c4a492b1..4d75af96 100644
|
||||
--- a/src/gpasswd.c
|
||||
+++ b/src/gpasswd.c
|
||||
@@ -45,6 +45,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
exit (E_SUCCESS);
|
||||
}
|
||||
diff --git a/src/groupadd.c b/src/groupadd.c
|
||||
index b57006c5..2dd8eec9 100644
|
||||
--- a/src/groupadd.c
|
||||
+++ b/src/groupadd.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -625,6 +626,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/groupdel.c b/src/groupdel.c
|
||||
index 70bed010..f941a84a 100644
|
||||
--- a/src/groupdel.c
|
||||
+++ b/src/groupdel.c
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -492,6 +493,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/groupmod.c b/src/groupmod.c
|
||||
index b293b98f..1dca5fc9 100644
|
||||
--- a/src/groupmod.c
|
||||
+++ b/src/groupmod.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include "groupio.h"
|
||||
#include "pwio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#ifdef SHADOWGRP
|
||||
#include "sgroupio.h"
|
||||
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
|
||||
close_files ();
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/grpck.c b/src/grpck.c
|
||||
index ea5d3b39..6140b10d 100644
|
||||
--- a/src/grpck.c
|
||||
+++ b/src/grpck.c
|
||||
@@ -45,6 +45,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
@@ -870,6 +871,7 @@ int main (int argc, char **argv)
|
||||
close_files (changed);
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
/*
|
||||
* Tell the user what we did and exit.
|
||||
diff --git a/src/grpconv.c b/src/grpconv.c
|
||||
index f95f4960..5e5eaaca 100644
|
||||
--- a/src/grpconv.c
|
||||
+++ b/src/grpconv.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include <unistd.h>
|
||||
#include <getopt.h>
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
/*@-exitarg@*/
|
||||
#include "exitcodes.h"
|
||||
@@ -273,6 +274,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/grpunconv.c b/src/grpunconv.c
|
||||
index 253f06f5..e4105c26 100644
|
||||
--- a/src/grpunconv.c
|
||||
+++ b/src/grpunconv.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include <grp.h>
|
||||
#include <getopt.h>
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
/*@-exitarg@*/
|
||||
#include "exitcodes.h"
|
||||
@@ -236,6 +237,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_GROUP);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/newusers.c b/src/newusers.c
|
||||
index 8e4bef97..7c3bb1c2 100644
|
||||
--- a/src/newusers.c
|
||||
+++ b/src/newusers.c
|
||||
@@ -62,6 +62,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "pwio.h"
|
||||
#include "sgroupio.h"
|
||||
#include "shadowio.h"
|
||||
@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
#ifdef USE_PAM
|
||||
unsigned int i;
|
||||
diff --git a/src/passwd.c b/src/passwd.c
|
||||
index 3af3e651..5bea2765 100644
|
||||
--- a/src/passwd.c
|
||||
+++ b/src/passwd.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include "defines.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
|
||||
closelog ();
|
||||
diff --git a/src/pwck.c b/src/pwck.c
|
||||
index 05df68ec..0ffb711e 100644
|
||||
--- a/src/pwck.c
|
||||
+++ b/src/pwck.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include "shadowio.h"
|
||||
#include "getdef.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#ifdef WITH_TCB
|
||||
#include "tcbfuncs.h"
|
||||
#endif /* WITH_TCB */
|
||||
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
|
||||
close_files (changed);
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
/*
|
||||
* Tell the user what we did and exit.
|
||||
diff --git a/src/pwconv.c b/src/pwconv.c
|
||||
index d6ee31a8..9c69fa13 100644
|
||||
--- a/src/pwconv.c
|
||||
+++ b/src/pwconv.c
|
||||
@@ -72,6 +72,7 @@
|
||||
#include "pwio.h"
|
||||
#include "shadowio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
|
||||
/*
|
||||
* exit status values
|
||||
@@ -328,6 +329,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
||||
diff --git a/src/pwunconv.c b/src/pwunconv.c
|
||||
index fabf0237..e11ea494 100644
|
||||
--- a/src/pwunconv.c
|
||||
+++ b/src/pwunconv.c
|
||||
@@ -42,6 +42,7 @@
|
||||
#include <getopt.h>
|
||||
#include "defines.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwio.h"
|
||||
#include "shadowio.h"
|
||||
@@ -250,6 +251,7 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index ca90f076..b0c2224d 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -60,6 +60,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
/*
|
||||
* tallylog_reset needs to be able to lookup
|
||||
diff --git a/src/userdel.c b/src/userdel.c
|
||||
index c8de1d31..0715e4fe 100644
|
||||
--- a/src/userdel.c
|
||||
+++ b/src/userdel.c
|
||||
@@ -53,6 +53,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
|
||||
}
|
||||
diff --git a/src/usermod.c b/src/usermod.c
|
||||
index 7355ad31..fd9a98a6 100644
|
||||
--- a/src/usermod.c
|
||||
+++ b/src/usermod.c
|
||||
@@ -57,6 +57,7 @@
|
||||
#include "getdef.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwauth.h"
|
||||
#include "pwio.h"
|
||||
@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
if (Zflg) {
|
||||
diff --git a/src/vipw.c b/src/vipw.c
|
||||
index 6d730f65..2cfac6b4 100644
|
||||
--- a/src/vipw.c
|
||||
+++ b/src/vipw.c
|
||||
@@ -42,6 +42,7 @@
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "nscd.h"
|
||||
+#include "sssd.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwio.h"
|
||||
#include "sgroupio.h"
|
||||
@@ -556,6 +557,7 @@ int main (int argc, char **argv)
|
||||
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||
|
||||
return E_SUCCESS;
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
|
||||
--- shadow-4.6/man/generate_translations.mak.use-itstool 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/man/generate_translations.mak 2018-07-31 16:42:21.623990969 +0200
|
||||
@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
|
||||
$(MAKE) -C .. config.xml
|
||||
cp ../config.xml $@
|
||||
|
||||
-%.xml: ../%.xml ../po/$(LANG).po
|
||||
- xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
|
||||
+messages.mo: ../po/$(LANG).po
|
||||
+ msgfmt ../po/$(LANG).po -o messages.mo
|
||||
+
|
||||
+login.defs.d:
|
||||
+ ln -sf ../login.defs.d login.defs.d
|
||||
+
|
||||
+%.xml: ../%.xml messages.mo login.defs.d
|
||||
+ if grep -q SHADOW-CONFIG-HERE $< ; then \
|
||||
+ sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
|
||||
+ else \
|
||||
+ sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
|
||||
+ fi
|
||||
+ itstool -d -l $(LANG) -m messages.mo -o . $@
|
||||
sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
|
||||
|
||||
include ../generate_mans.mak
|
||||
@@ -16,4 +27,4 @@ $(man_MANS):
|
||||
@echo you need to run configure with --enable-man to generate man pages
|
||||
endif
|
||||
|
||||
-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
|
||||
+CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
|
|
@ -1,190 +0,0 @@
|
|||
commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
|
||||
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu May 2 14:33:06 2019 +0200
|
||||
|
||||
Use the lckpwdf() again if prefix is not set
|
||||
|
||||
The implementation of prefix option dropped the use of lckpwdf().
|
||||
However that is incorrect as other tools manipulating the shadow passwords
|
||||
such as PAM use lckpwdf() and do not know anything about the
|
||||
shadow's own locking mechanism.
|
||||
|
||||
This reverts the implementation to use lckpwdf() if prefix option
|
||||
is not used.
|
||||
|
||||
diff --git a/lib/commonio.c b/lib/commonio.c
|
||||
index 26e518f2..94dda779 100644
|
||||
--- a/lib/commonio.c
|
||||
+++ b/lib/commonio.c
|
||||
@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
|
||||
int commonio_setname (struct commonio_db *db, const char *name)
|
||||
{
|
||||
snprintf (db->filename, sizeof (db->filename), "%s", name);
|
||||
+ db->setname = true;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -414,37 +415,39 @@ cleanup_ENOMEM:
|
||||
|
||||
int commonio_lock (struct commonio_db *db)
|
||||
{
|
||||
-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
|
||||
-#if 0
|
||||
- /*
|
||||
- * only if the system libc has a real lckpwdf() - the one from
|
||||
- * lockpw.c calls us and would cause infinite recursion!
|
||||
- */
|
||||
+ int i;
|
||||
|
||||
+#ifdef HAVE_LCKPWDF
|
||||
/*
|
||||
- * Call lckpwdf() on the first lock.
|
||||
- * If it succeeds, call *_lock() only once
|
||||
- * (no retries, it should always succeed).
|
||||
+ * Only if the system libc has a real lckpwdf() - the one from
|
||||
+ * lockpw.c calls us and would cause infinite recursion!
|
||||
+ * It is also not used with the prefix option.
|
||||
*/
|
||||
- if (0 == lock_count) {
|
||||
- if (lckpwdf () == -1) {
|
||||
- if (geteuid () != 0) {
|
||||
- (void) fprintf (stderr,
|
||||
- "%s: Permission denied.\n",
|
||||
- Prog);
|
||||
+ if (!db->setname) {
|
||||
+ /*
|
||||
+ * Call lckpwdf() on the first lock.
|
||||
+ * If it succeeds, call *_lock() only once
|
||||
+ * (no retries, it should always succeed).
|
||||
+ */
|
||||
+ if (0 == lock_count) {
|
||||
+ if (lckpwdf () == -1) {
|
||||
+ if (geteuid () != 0) {
|
||||
+ (void) fprintf (stderr,
|
||||
+ "%s: Permission denied.\n",
|
||||
+ Prog);
|
||||
+ }
|
||||
+ return 0; /* failure */
|
||||
}
|
||||
- return 0; /* failure */
|
||||
}
|
||||
- }
|
||||
|
||||
- if (commonio_lock_nowait (db, true) != 0) {
|
||||
- return 1; /* success */
|
||||
- }
|
||||
+ if (commonio_lock_nowait (db, true) != 0) {
|
||||
+ return 1; /* success */
|
||||
+ }
|
||||
|
||||
- ulckpwdf ();
|
||||
- return 0; /* failure */
|
||||
-#else /* !HAVE_LCKPWDF */
|
||||
- int i;
|
||||
+ ulckpwdf ();
|
||||
+ return 0; /* failure */
|
||||
+ }
|
||||
+#endif /* !HAVE_LCKPWDF */
|
||||
|
||||
/*
|
||||
* lckpwdf() not used - do it the old way.
|
||||
@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
|
||||
}
|
||||
}
|
||||
return 0; /* failure */
|
||||
-#endif /* !HAVE_LCKPWDF */
|
||||
}
|
||||
|
||||
static void dec_lock_count (void)
|
||||
diff --git a/lib/commonio.h b/lib/commonio.h
|
||||
index 40e5708f..64e83073 100644
|
||||
--- a/lib/commonio.h
|
||||
+++ b/lib/commonio.h
|
||||
@@ -143,6 +143,7 @@ struct commonio_db {
|
||||
bool isopen:1;
|
||||
bool locked:1;
|
||||
bool readonly:1;
|
||||
+ bool setname:1;
|
||||
};
|
||||
|
||||
extern int commonio_setname (struct commonio_db *, const char *);
|
||||
diff --git a/lib/groupio.c b/lib/groupio.c
|
||||
index ae2302b5..bffb06e0 100644
|
||||
--- a/lib/groupio.c
|
||||
+++ b/lib/groupio.c
|
||||
@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int gr_setdbname (const char *filename)
|
||||
diff --git a/lib/pwio.c b/lib/pwio.c
|
||||
index 7ee85377..127719cb 100644
|
||||
--- a/lib/pwio.c
|
||||
+++ b/lib/pwio.c
|
||||
@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int pw_setdbname (const char *filename)
|
||||
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
|
||||
index 5423626a..ffbdb263 100644
|
||||
--- a/lib/sgroupio.c
|
||||
+++ b/lib/sgroupio.c
|
||||
@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int sgr_setdbname (const char *filename)
|
||||
diff --git a/lib/shadowio.c b/lib/shadowio.c
|
||||
index 5fa3d312..676b1f1a 100644
|
||||
--- a/lib/shadowio.c
|
||||
+++ b/lib/shadowio.c
|
||||
@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int spw_setdbname (const char *filename)
|
||||
diff --git a/lib/subordinateio.c b/lib/subordinateio.c
|
||||
index a662e67e..dd779c59 100644
|
||||
--- a/lib/subordinateio.c
|
||||
+++ b/lib/subordinateio.c
|
||||
@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int sub_uid_setdbname (const char *filename)
|
||||
@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
|
||||
false, /* changed */
|
||||
false, /* isopen */
|
||||
false, /* locked */
|
||||
- false /* readonly */
|
||||
+ false, /* readonly */
|
||||
+ false /* setname */
|
||||
};
|
||||
|
||||
int sub_gid_setdbname (const char *filename)
|
|
@ -1,42 +0,0 @@
|
|||
diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
|
||||
--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200
|
||||
+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200
|
||||
@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
|
||||
{
|
||||
long long int gid;
|
||||
char *endptr;
|
||||
+ struct group *g;
|
||||
|
||||
if (NULL == grname) {
|
||||
return NULL;
|
||||
@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
|
||||
&& (gid == (gid_t)gid)) {
|
||||
return prefix_getgrgid ((gid_t) gid);
|
||||
}
|
||||
- return prefix_getgrnam (grname);
|
||||
+ g = prefix_getgrnam (grname);
|
||||
+ return g ? __gr_dup(g) : NULL;
|
||||
}
|
||||
else
|
||||
return getgr_nam_gid(grname);
|
||||
diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
|
||||
--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200
|
||||
+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200
|
||||
@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
|
||||
prefix_user_home = xmalloc(len);
|
||||
wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
|
||||
assert (wlen == (int) len -1);
|
||||
+ if (user_newhome) {
|
||||
+ len = strlen(prefix) + strlen(user_newhome) + 2;
|
||||
+ prefix_user_newhome = xmalloc(len);
|
||||
+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
|
||||
+ assert (wlen == (int) len -1);
|
||||
+ }
|
||||
|
||||
- len = strlen(prefix) + strlen(user_newhome) + 2;
|
||||
- prefix_user_newhome = xmalloc(len);
|
||||
- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
|
||||
- assert (wlen == (int) len -1);
|
||||
}
|
||||
else {
|
||||
prefix_user_home = user_home;
|
|
@ -1,18 +1,12 @@
|
|||
Index: shadow-4.5/libmisc/chkname.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/libmisc/chkname.c
|
||||
+++ shadow-4.5/libmisc/chkname.c
|
||||
@@ -47,27 +47,46 @@
|
||||
#include "chkname.h"
|
||||
diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
|
||||
--- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100
|
||||
+++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100
|
||||
@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
|
||||
}
|
||||
|
||||
static bool is_valid_name (const char *name)
|
||||
-{
|
||||
+{
|
||||
/*
|
||||
- * User/group names must match [a-z_][a-z0-9_-]*[$]
|
||||
- */
|
||||
- if (('\0' == *name) ||
|
||||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
|
||||
+ * User/group names must match gnu e-regex:
|
||||
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
|
||||
+ *
|
||||
|
@ -22,7 +16,9 @@ Index: shadow-4.5/libmisc/chkname.c
|
|||
+ * Also do not allow fully numeric names or just "." or "..".
|
||||
+ */
|
||||
+ int numeric;
|
||||
+
|
||||
|
||||
- if (('\0' == *name) ||
|
||||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
|
||||
+ if ('\0' == *name ||
|
||||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
|
||||
+ '\0' == name[1])) ||
|
||||
|
@ -60,11 +56,10 @@ Index: shadow-4.5/libmisc/chkname.c
|
|||
}
|
||||
|
||||
bool is_valid_user_name (const char *name)
|
||||
Index: shadow-4.5/man/groupadd.8.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/groupadd.8.xml
|
||||
+++ shadow-4.5/man/groupadd.8.xml
|
||||
@@ -256,10 +256,12 @@
|
||||
diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
|
||||
--- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200
|
||||
+++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100
|
||||
@@ -273,10 +273,12 @@
|
||||
<refsect1 id='caveats'>
|
||||
<title>CAVEATS</title>
|
||||
<para>
|
||||
|
@ -81,11 +76,10 @@ Index: shadow-4.5/man/groupadd.8.xml
|
|||
</para>
|
||||
<para>
|
||||
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
||||
Index: shadow-4.5/man/useradd.8.xml
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/man/useradd.8.xml
|
||||
+++ shadow-4.5/man/useradd.8.xml
|
||||
@@ -633,10 +633,14 @@
|
||||
diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
|
||||
--- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200
|
||||
+++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100
|
||||
@@ -661,10 +661,14 @@
|
||||
</para>
|
||||
|
||||
<para>
|
|
@ -0,0 +1,11 @@
|
|||
diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c
|
||||
--- shadow-4.8/lib/getdef.c.login-prompt 2020-01-13 10:38:44.852796681 +0100
|
||||
+++ shadow-4.8/lib/getdef.c 2020-01-13 10:39:54.472612511 +0100
|
||||
@@ -98,6 +98,7 @@ static struct itemdef def_table[] = {
|
||||
{"LASTLOG_UID_MAX", NULL},
|
||||
{"LOGIN_RETRIES", NULL},
|
||||
{"LOGIN_TIMEOUT", NULL},
|
||||
+ {"LOGIN_PLAIN_PROMPT", NULL},
|
||||
{"LOG_OK_LOGINS", NULL},
|
||||
{"LOG_UNKFAIL_ENAB", NULL},
|
||||
{"MAIL_DIR", NULL},
|
|
@ -1,17 +1,19 @@
|
|||
diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
|
||||
--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200
|
||||
+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200
|
||||
@@ -382,4 +382,7 @@ extern char *strerror ();
|
||||
diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
|
||||
--- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100
|
||||
+++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100
|
||||
@@ -388,6 +388,9 @@ extern char *strerror ();
|
||||
# endif
|
||||
#endif
|
||||
|
||||
+/* Maximum length of passwd entry */
|
||||
+#define PASSWD_ENTRY_MAX_LENGTH 32768
|
||||
+
|
||||
#endif /* _DEFINES_H_ */
|
||||
diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
|
||||
--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100
|
||||
+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200
|
||||
#ifdef HAVE_SECURE_GETENV
|
||||
# define shadow_getenv(name) secure_getenv(name)
|
||||
# else
|
||||
diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
|
||||
--- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
|
||||
+++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100
|
||||
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|
||||
|| (pw->pw_gid == (gid_t)-1)
|
||||
|| (valid_field (pw->pw_gecos, ":\n") == -1)
|
||||
|
@ -24,9 +26,9 @@ diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
|
|||
return -1;
|
||||
}
|
||||
|
||||
diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
|
||||
--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
|
||||
+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200
|
||||
diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
|
||||
--- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200
|
||||
+++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100
|
||||
@@ -57,7 +57,7 @@
|
||||
struct passwd *sgetpwent (const char *buf)
|
||||
{
|
||||
|
@ -48,9 +50,9 @@ diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
|
|||
strcpy (pwdbuf, buf);
|
||||
|
||||
/*
|
||||
diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
|
||||
--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
|
||||
+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200
|
||||
diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
|
||||
--- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200
|
||||
+++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100
|
||||
@@ -48,7 +48,7 @@
|
||||
*/
|
||||
struct spwd *sgetspent (const char *string)
|
||||
|
@ -68,9 +70,9 @@ diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
|
|||
return 0; /* fail if too long */
|
||||
}
|
||||
strcpy (spwbuf, string);
|
||||
diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
|
||||
--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100
|
||||
+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200
|
||||
diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
|
||||
--- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
|
||||
+++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100
|
||||
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
|
||||
|
||||
if ( (NULL == sp)
|
|
@ -1,7 +1,6 @@
|
|||
Index: shadow-4.5/src/chgpasswd.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/chgpasswd.c
|
||||
+++ shadow-4.5/src/chgpasswd.c
|
||||
diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
|
||||
--- shadow-4.8/src/chgpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
|
||||
+++ shadow-4.8/src/chgpasswd.c 2020-01-13 10:21:44.558107260 +0100
|
||||
@@ -39,6 +39,13 @@
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
|
@ -16,7 +15,7 @@ Index: shadow-4.5/src/chgpasswd.c
|
|||
#ifdef ACCT_TOOLS_SETUID
|
||||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
@@ -76,6 +83,9 @@ static bool sgr_locked = false;
|
||||
@@ -80,6 +87,9 @@ static bool sgr_locked = false;
|
||||
#endif
|
||||
static bool gr_locked = false;
|
||||
|
||||
|
@ -26,7 +25,7 @@ Index: shadow-4.5/src/chgpasswd.c
|
|||
/* local function prototypes */
|
||||
static void fail_exit (int code);
|
||||
static /*@noreturn@*/void usage (int status);
|
||||
@@ -300,6 +310,63 @@ static void check_perms (void)
|
||||
@@ -334,6 +344,63 @@ static void check_perms (void)
|
||||
#endif /* ACCT_TOOLS_SETUID */
|
||||
}
|
||||
|
||||
|
@ -90,7 +89,7 @@ Index: shadow-4.5/src/chgpasswd.c
|
|||
/*
|
||||
* open_files - lock and open the group databases
|
||||
*/
|
||||
@@ -393,6 +460,7 @@ int main (int argc, char **argv)
|
||||
@@ -427,6 +494,7 @@ int main (int argc, char **argv)
|
||||
|
||||
const struct group *gr;
|
||||
struct group newgr;
|
||||
|
@ -98,7 +97,7 @@ Index: shadow-4.5/src/chgpasswd.c
|
|||
int errors = 0;
|
||||
int line = 0;
|
||||
|
||||
@@ -402,12 +470,37 @@ int main (int argc, char **argv)
|
||||
@@ -436,12 +504,37 @@ int main (int argc, char **argv)
|
||||
(void) bindtextdomain (PACKAGE, LOCALEDIR);
|
||||
(void) textdomain (PACKAGE);
|
||||
|
||||
|
@ -136,28 +135,9 @@ Index: shadow-4.5/src/chgpasswd.c
|
|||
check_perms ();
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
is_shadow_grp = sgr_file_present ();
|
||||
#endif
|
||||
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
|
||||
newgr.gr_passwd = cp;
|
||||
}
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ {
|
||||
+
|
||||
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
|
||||
+ "change-password",
|
||||
+ myname, AUDIT_NO_ID, gr->gr_name,
|
||||
+ SHADOW_AUDIT_SUCCESS);
|
||||
+ }
|
||||
+#endif
|
||||
/*
|
||||
* The updated group file entry is then put back and will
|
||||
* be written to the group file later, after all the
|
||||
Index: shadow-4.5/src/chpasswd.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/chpasswd.c
|
||||
+++ shadow-4.5/src/chpasswd.c
|
||||
diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
|
||||
--- shadow-4.8/src/chpasswd.c.selinux-perms 2019-12-01 18:02:43.000000000 +0100
|
||||
+++ shadow-4.8/src/chpasswd.c 2020-01-13 10:21:44.558107260 +0100
|
||||
@@ -39,6 +39,13 @@
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
|
@ -172,7 +152,7 @@ Index: shadow-4.5/src/chpasswd.c
|
|||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
#endif /* USE_PAM */
|
||||
@@ -297,6 +304,63 @@ static void check_perms (void)
|
||||
@@ -332,6 +339,63 @@ static void check_perms (void)
|
||||
#endif /* USE_PAM */
|
||||
}
|
||||
|
||||
|
@ -236,7 +216,7 @@ Index: shadow-4.5/src/chpasswd.c
|
|||
/*
|
||||
* open_files - lock and open the password databases
|
||||
*/
|
||||
@@ -393,6 +457,10 @@ int main (int argc, char **argv)
|
||||
@@ -428,6 +492,10 @@ int main (int argc, char **argv)
|
||||
(void) bindtextdomain (PACKAGE, LOCALEDIR);
|
||||
(void) textdomain (PACKAGE);
|
||||
|
||||
|
@ -247,7 +227,7 @@ Index: shadow-4.5/src/chpasswd.c
|
|||
process_root_flag ("-R", argc, argv);
|
||||
|
||||
process_flags (argc, argv);
|
||||
@@ -405,6 +473,10 @@ int main (int argc, char **argv)
|
||||
@@ -440,6 +508,10 @@ int main (int argc, char **argv)
|
||||
|
||||
OPENLOG ("chpasswd");
|
||||
|
||||
|
@ -258,33 +238,3 @@ Index: shadow-4.5/src/chpasswd.c
|
|||
check_perms ();
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (!use_pam)
|
||||
#endif /* USE_PAM */
|
||||
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
|
||||
newpw.pw_passwd = cp;
|
||||
}
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||
+ "updating-password",
|
||||
+ pw->pw_name, (unsigned int) pw->pw_uid, 1);
|
||||
+#endif
|
||||
/*
|
||||
* The updated password file entry is then put back and will
|
||||
* be written to the password file later, after all the
|
||||
Index: shadow-4.5/src/Makefile.am
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/src/Makefile.am
|
||||
+++ shadow-4.5/src/Makefile.am
|
||||
@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
|
||||
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
||||
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
|
||||
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
|
||||
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
||||
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
|
||||
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
|
||||
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
|
||||
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
|
@ -1,7 +1,6 @@
|
|||
Index: shadow-4.5/lib/semanage.c
|
||||
===================================================================
|
||||
--- shadow-4.5.orig/lib/semanage.c
|
||||
+++ shadow-4.5/lib/semanage.c
|
||||
diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
|
||||
--- shadow-4.9/lib/semanage.c.default-range 2021-07-22 23:55:35.000000000 +0200
|
||||
+++ shadow-4.9/lib/semanage.c 2021-08-02 12:43:16.822817392 +0200
|
||||
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
|
||||
goto done;
|
||||
}
|
||||
|
@ -9,7 +8,7 @@ Index: shadow-4.5/lib/semanage.c
|
|||
+#if 0
|
||||
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
||||
if (ret != 0) {
|
||||
fprintf (stderr,
|
||||
fprintf (shadow_logfd,
|
||||
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
|
||||
ret = 1;
|
||||
goto done;
|
||||
|
@ -25,7 +24,7 @@ Index: shadow-4.5/lib/semanage.c
|
|||
+#if 0
|
||||
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
||||
if (ret != 0) {
|
||||
fprintf (stderr,
|
||||
fprintf (shadow_logfd,
|
||||
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
|
||||
ret = 1;
|
||||
goto done;
|
|
@ -0,0 +1,180 @@
|
|||
diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
|
||||
--- shadow-4.8.1/man/groupmems.8.xml.manfix 2020-03-17 15:34:48.750414984 +0100
|
||||
+++ shadow-4.8.1/man/groupmems.8.xml 2020-03-17 15:41:13.383588722 +0100
|
||||
@@ -179,20 +179,10 @@
|
||||
<refsect1 id='setup'>
|
||||
<title>SETUP</title>
|
||||
<para>
|
||||
- The <command>groupmems</command> executable should be in mode
|
||||
- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
|
||||
- <emphasis>groups</emphasis>. The system administrator can add users to
|
||||
- group <emphasis>groups</emphasis> to allow or disallow them using the
|
||||
- <command>groupmems</command> utility to manage their own group
|
||||
- membership list.
|
||||
+ In this operating system the <command>groupmems</command> executable
|
||||
+ is not setuid and regular users cannot use it to manipulate
|
||||
+ the membership of their own group.
|
||||
</para>
|
||||
-
|
||||
- <programlisting>
|
||||
- $ groupadd -r groups
|
||||
- $ chmod 2710 groupmems
|
||||
- $ chown root.groups groupmems
|
||||
- $ groupmems -g groups -a gk4
|
||||
- </programlisting>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id='configuration'>
|
||||
diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
|
||||
--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200
|
||||
+++ shadow-4.8.1/man/ja/man5/login.defs.5 2020-03-17 15:34:48.750414984 +0100
|
||||
@@ -147,10 +147,6 @@ 以下の参照表は、
|
||||
shadow パスワード機能のどのプログラムが
|
||||
どのパラメータを使用するかを示したものである。
|
||||
.na
|
||||
-.IP chfn 12
|
||||
-CHFN_AUTH CHFN_RESTRICT
|
||||
-.IP chsh 12
|
||||
-CHFN_AUTH
|
||||
.IP groupadd 12
|
||||
GID_MAX GID_MIN
|
||||
.IP newusers 12
|
||||
diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
|
||||
--- shadow-4.8.1/man/login.defs.5.xml.manfix 2020-01-17 16:47:56.000000000 +0100
|
||||
+++ shadow-4.8.1/man/login.defs.5.xml 2020-03-17 15:34:48.750414984 +0100
|
||||
@@ -164,6 +164,17 @@
|
||||
long numeric parameters is machine-dependent.
|
||||
</para>
|
||||
|
||||
+ <para>
|
||||
+ Please note that the parameters in this configuration file control the
|
||||
+ behavior of the tools from the shadow-utils component. None of these
|
||||
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
||||
+ passwd command) should be configured elsewhere. The only values that
|
||||
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
|
||||
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
|
||||
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
|
||||
+ pam(8) for more information.
|
||||
+ </para>
|
||||
+
|
||||
<para>The following configuration items are provided:</para>
|
||||
|
||||
<variablelist remap='IP'>
|
||||
@@ -256,16 +267,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term>chfn</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CHFN_AUTH</phrase>
|
||||
- CHFN_RESTRICT
|
||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
- <varlistentry>
|
||||
<term>chgpasswd</term>
|
||||
<listitem>
|
||||
<para>
|
||||
@@ -286,14 +287,6 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry condition="no_pam">
|
||||
- <term>chsh</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- CHSH_AUTH LOGIN_STRING
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
|
||||
<!-- faillog: no variables -->
|
||||
<varlistentry>
|
||||
@@ -359,34 +352,6 @@
|
||||
<para>LASTLOG_UID_MAX</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry>
|
||||
- <term>login</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||
- CONSOLE_GROUPS DEFAULT_HOME
|
||||
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
|
||||
- ENV_TZ ENVIRON_FILE</phrase>
|
||||
- ERASECHAR FAIL_DELAY
|
||||
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
|
||||
- FAKE_SHELL
|
||||
- <phrase condition="no_pam">FTMP_FILE</phrase>
|
||||
- HUSHLOGIN_FILE
|
||||
- <phrase condition="no_pam">ISSUE_FILE</phrase>
|
||||
- KILLCHAR
|
||||
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
|
||||
- LOGIN_RETRIES
|
||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
|
||||
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
|
||||
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
|
||||
- QUOTAS_ENAB</phrase>
|
||||
- TTYGROUP TTYPERM TTYTYPE_FILE
|
||||
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
|
||||
- USERGROUPS_ENAB
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<!-- logoutd: no variables -->
|
||||
<varlistentry>
|
||||
<term>newgrp / sg</term>
|
||||
@@ -415,17 +380,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<!-- nologin: no variables -->
|
||||
- <varlistentry condition="no_pam">
|
||||
- <term>passwd</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
|
||||
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
|
||||
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
|
||||
- SHA_CRYPT_MIN_ROUNDS</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<varlistentry>
|
||||
<term>pwck</term>
|
||||
<listitem>
|
||||
@@ -452,32 +406,6 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry>
|
||||
- <term>su</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||
- CONSOLE_GROUPS DEFAULT_HOME
|
||||
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
|
||||
- ENV_PATH ENV_SUPATH
|
||||
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
|
||||
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
|
||||
- SULOG_FILE SU_NAME
|
||||
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
|
||||
- SYSLOG_SU_ENAB
|
||||
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
- <varlistentry>
|
||||
- <term>sulogin</term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- ENV_HZ
|
||||
- <phrase condition="no_pam">ENV_TZ</phrase>
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
<varlistentry>
|
||||
<term>useradd</term>
|
||||
<listitem>
|
|
@ -0,0 +1,48 @@
|
|||
From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Mon, 10 Jan 2022 15:30:28 +0100
|
||||
Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
|
||||
|
||||
If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
|
||||
is NULL. In order to avoid that load the log file descriptor with the
|
||||
log_get_logfd() helper function.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
lib/nss.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/nss.c b/lib/nss.c
|
||||
index 02742902..06fa48e5 100644
|
||||
--- a/lib/nss.c
|
||||
+++ b/lib/nss.c
|
||||
@@ -9,6 +9,7 @@
|
||||
#include "prototypes.h"
|
||||
#include "../libsubid/subid.h"
|
||||
#include "shadowlog_internal.h"
|
||||
+#include "shadowlog.h"
|
||||
|
||||
#define NSSWITCH "/etc/nsswitch.conf"
|
||||
|
||||
@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
|
||||
FILE *nssfp = NULL;
|
||||
char *line = NULL, *p, *token, *saveptr;
|
||||
size_t len = 0;
|
||||
+ FILE *shadow_logfd = log_get_logfd();
|
||||
|
||||
if (atomic_flag_test_and_set(&nss_init_started)) {
|
||||
// Another thread has started nss_init, wait for it to complete
|
||||
@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
|
||||
// subid: files
|
||||
nssfp = fopen(nsswitch_path, "r");
|
||||
if (!nssfp) {
|
||||
- fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
|
||||
+ fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
|
||||
atomic_store(&nss_init_completed, true);
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
<!--
|
||||
Copyright (c) 1991 - 1993, Julianne Frances Haugh
|
||||
Copyright (c) 1991 - 1993, Chip Rosenthal
|
||||
Copyright (c) 2007 - 2009, Nicolas François
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions
|
||||
are met:
|
||||
1. Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
2. Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
3. The name of the copyright holders or contributors may not be used to
|
||||
endorse or promote products derived from this software without
|
||||
specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
-->
|
||||
<varlistentry>
|
||||
<term><option>HOME_MODE</option> (number)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The mode for new home directories. If not specified,
|
||||
the <option>UMASK</option> is used to create the mode.
|
||||
</para>
|
||||
<para>
|
||||
<command>useradd</command> and <command>newusers</command> use this
|
||||
to set the mode of the home directory they create.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
|
@ -6,15 +6,121 @@
|
|||
# /etc/pam.d/system-auth for more information.
|
||||
#
|
||||
|
||||
#
|
||||
# Delay in seconds before being allowed another attempt after a login failure
|
||||
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
|
||||
# pam_unix(8) enforces a 2s delay)
|
||||
#
|
||||
#FAIL_DELAY 3
|
||||
|
||||
# Currently FAILLOG_ENAB is not supported
|
||||
|
||||
#
|
||||
# Enable display of unknown usernames when login(1) failures are recorded.
|
||||
#
|
||||
#LOG_UNKFAIL_ENAB no
|
||||
|
||||
# Currently LOG_OK_LOGINS is not supported
|
||||
|
||||
# Currently LASTLOG_ENAB is not supported
|
||||
|
||||
#
|
||||
# Limit the highest user ID number for which the lastlog entries should
|
||||
# be updated.
|
||||
#
|
||||
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
|
||||
# lastlog entries.
|
||||
#
|
||||
#LASTLOG_UID_MAX
|
||||
|
||||
# Currently MAIL_CHECK_ENAB is not supported
|
||||
|
||||
# Currently OBSCURE_CHECKS_ENAB is not supported
|
||||
|
||||
# Currently PORTTIME_CHECKS_ENAB is not supported
|
||||
|
||||
# Currently QUOTAS_ENAB is not supported
|
||||
|
||||
# Currently SYSLOG_SU_ENAB is not supported
|
||||
|
||||
#
|
||||
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
|
||||
#
|
||||
#SYSLOG_SG_ENAB yes
|
||||
|
||||
# Currently CONSOLE is not supported
|
||||
|
||||
# Currently SULOG_FILE is not supported
|
||||
|
||||
# Currently MOTD_FILE is not supported
|
||||
|
||||
# Currently ISSUE_FILE is not supported
|
||||
|
||||
# Currently TTYTYPE_FILE is not supported
|
||||
|
||||
# Currently FTMP_FILE is not supported
|
||||
|
||||
# Currently NOLOGINS_FILE is not supported
|
||||
|
||||
# Currently SU_NAME is not supported
|
||||
|
||||
# *REQUIRED*
|
||||
# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
|
||||
# QMAIL_DIR is for Qmail
|
||||
#
|
||||
#QMAIL_DIR Maildir
|
||||
MAIL_DIR /var/spool/mail
|
||||
#MAIL_FILE .mail
|
||||
|
||||
#
|
||||
# If defined, file which inhibits all the usual chatter during the login
|
||||
# sequence. If a full pathname, then hushed mode will be enabled if the
|
||||
# user's name or shell are found in the file. If not a full pathname, then
|
||||
# hushed mode will be enabled if the file exists in the user's home directory.
|
||||
#
|
||||
#HUSHLOGIN_FILE .hushlogin
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
|
||||
# Currently ENV_TZ is not supported
|
||||
|
||||
# Currently ENV_HZ is not supported
|
||||
|
||||
#
|
||||
# The default PATH settings, for superuser and normal users.
|
||||
#
|
||||
# (they are minimal, add the rest in the shell startup files)
|
||||
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
#ENV_PATH PATH=/bin:/usr/bin
|
||||
|
||||
#
|
||||
# Terminal permissions
|
||||
#
|
||||
# TTYGROUP Login tty will be assigned this group ownership.
|
||||
# TTYPERM Login tty will be set to this permission.
|
||||
#
|
||||
# If you have a write(1) program which is "setgid" to a special group
|
||||
# which owns the terminals, define TTYGROUP as the number of such group
|
||||
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
|
||||
# set TTYPERM to either 622 or 600.
|
||||
#
|
||||
#TTYGROUP tty
|
||||
#TTYPERM 0600
|
||||
|
||||
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
|
||||
|
||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories if HOME_MODE is not set.
|
||||
# 022 is the default value, but 027, or even 077, could be considered
|
||||
# for increased privacy. There is no One True Answer here: each sysadmin
|
||||
# must make up their mind.
|
||||
UMASK 022
|
||||
|
||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories.
|
||||
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
||||
HOME_MODE 0700
|
||||
|
||||
# Password aging controls:
|
||||
#
|
||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||
|
@ -24,26 +130,132 @@ MAIL_DIR /var/spool/mail
|
|||
#
|
||||
PASS_MAX_DAYS 99999
|
||||
PASS_MIN_DAYS 0
|
||||
PASS_MIN_LEN 5
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
# Currently PASS_MIN_LEN is not supported
|
||||
|
||||
# Currently SU_WHEEL_ONLY is not supported
|
||||
|
||||
# Currently CRACKLIB_DICTPATH is not supported
|
||||
|
||||
#
|
||||
# Min/max values for automatic uid selection in useradd
|
||||
# Min/max values for automatic uid selection in useradd(8)
|
||||
#
|
||||
UID_MIN 1000
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
SYS_UID_MIN 201
|
||||
SYS_UID_MAX 999
|
||||
# Extra per user uids
|
||||
SUB_UID_MIN 100000
|
||||
SUB_UID_MAX 600100000
|
||||
SUB_UID_COUNT 65536
|
||||
|
||||
#
|
||||
# Min/max values for automatic gid selection in groupadd
|
||||
# Min/max values for automatic gid selection in groupadd(8)
|
||||
#
|
||||
GID_MIN 1000
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
SYS_GID_MIN 201
|
||||
SYS_GID_MAX 999
|
||||
# Extra per user group ids
|
||||
SUB_GID_MIN 100000
|
||||
SUB_GID_MAX 600100000
|
||||
SUB_GID_COUNT 65536
|
||||
|
||||
#
|
||||
# Max number of login(1) retries if password is bad
|
||||
#
|
||||
#LOGIN_RETRIES 3
|
||||
|
||||
#
|
||||
# Max time in seconds for login(1)
|
||||
#
|
||||
#LOGIN_TIMEOUT 60
|
||||
|
||||
# Currently PASS_CHANGE_TRIES is not supported
|
||||
|
||||
# Currently PASS_ALWAYS_WARN is not supported
|
||||
|
||||
# Currently PASS_MAX_LEN is not supported
|
||||
|
||||
# Currently CHFN_AUTH is not supported
|
||||
|
||||
#
|
||||
# Which fields may be changed by regular users using chfn(1) - use
|
||||
# any combination of letters "frwh" (full name, room number, work
|
||||
# phone, home phone). If not defined, no changes are allowed.
|
||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
#
|
||||
#CHFN_RESTRICT rwh
|
||||
|
||||
# Currently LOGIN_STRING is not supported
|
||||
|
||||
# Currently MD5_CRYPT_ENAB is not supported
|
||||
|
||||
#
|
||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
|
||||
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
|
||||
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||
#
|
||||
ENCRYPT_METHOD YESCRYPT
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
#
|
||||
# Define the number of SHA rounds.
|
||||
# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
# However, more CPU resources will be needed to authenticate users if
|
||||
# this value is increased.
|
||||
#
|
||||
# If not specified, the libc will choose the default number of rounds (5000).
|
||||
# The values must be within the 1000-999999999 range.
|
||||
#
|
||||
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
|
||||
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to BCRYPT.
|
||||
#
|
||||
# Define the number of BCRYPT rounds.
|
||||
# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
# However, more CPU resources will be needed to authenticate users if
|
||||
# this value is increased.
|
||||
#
|
||||
# If not specified, 13 rounds will be attempted.
|
||||
# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
# If MIN > MAX, the highest value will be used.
|
||||
#
|
||||
#BCRYPT_MIN_ROUNDS 13
|
||||
#BCRYPT_MAX_ROUNDS 31
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
|
||||
#
|
||||
# Define the YESCRYPT cost factor.
|
||||
# With a higher cost factor, it is more difficult to brute-force the password.
|
||||
# However, more CPU time and more memory will be needed to authenticate users
|
||||
# if this value is increased.
|
||||
#
|
||||
# If not specified, a cost factor of 5 will be used.
|
||||
# The value must be within the 1-11 range.
|
||||
#
|
||||
#YESCRYPT_COST_FACTOR 5
|
||||
|
||||
# Currently CONSOLE_GROUPS is not supported
|
||||
|
||||
#
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
# Default is yes.
|
||||
#
|
||||
#DEFAULT_HOME yes
|
||||
|
||||
# Currently ENVIRON_FILE is not supported
|
||||
|
||||
#
|
||||
# If defined, this command is run when removing a user.
|
||||
|
@ -53,20 +265,41 @@ SYS_GID_MAX 999
|
|||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
# If useradd should create home directories for users by default
|
||||
# On RH systems, we do. This option is overridden with the -m flag on
|
||||
# useradd command line.
|
||||
#
|
||||
CREATE_HOME yes
|
||||
|
||||
# The permission mask is initialized to this value. If not specified,
|
||||
# the permission mask will be initialized to 022.
|
||||
UMASK 077
|
||||
|
||||
# This enables userdel to remove user groups if no members exist.
|
||||
# Enables userdel(8) to remove user groups if no members exist.
|
||||
#
|
||||
USERGROUPS_ENAB yes
|
||||
|
||||
# Use SHA512 to encrypt password.
|
||||
ENCRYPT_METHOD SHA512
|
||||
#
|
||||
# If set to a non-zero number, the shadow utilities will make sure that
|
||||
# groups never have more than this number of users on one line.
|
||||
# This permits to support split groups (groups split into multiple lines,
|
||||
# with the same group ID, to avoid limitation of the line length in the
|
||||
# group file).
|
||||
#
|
||||
# 0 is the default value and disables this feature.
|
||||
#
|
||||
#MAX_MEMBERS_PER_GROUP 0
|
||||
|
||||
#
|
||||
# If useradd(8) should create home directories for users by default (non
|
||||
# system users only).
|
||||
# This option is overridden with the -M or -m flags on the useradd(8)
|
||||
# command-line.
|
||||
#
|
||||
CREATE_HOME yes
|
||||
|
||||
#
|
||||
# Force use shadow, even if shadow passwd & shadow group files are
|
||||
# missing.
|
||||
#
|
||||
#FORCE_SHADOW yes
|
||||
|
||||
#
|
||||
# Select the HMAC cryptography algorithm.
|
||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||
# authentication code.
|
||||
#
|
||||
# Note: It is recommended to check hmac(3) to see the possible algorithms
|
||||
# that are available in your system.
|
||||
#
|
||||
HMAC_CRYPTO_ALGO SHA512
|
||||
|
|
|
@ -1,56 +1,80 @@
|
|||
Summary: Utilities for managing accounts and shadow password files
|
||||
Name: shadow-utils
|
||||
Version: 4.6
|
||||
Release: 16%{?dist}
|
||||
Version: 4.11.1
|
||||
Release: 4%{?dist}
|
||||
Epoch: 2
|
||||
URL: http://pkg-shadow.alioth.debian.org/
|
||||
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
||||
Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
|
||||
License: BSD and GPLv2+
|
||||
URL: https://github.com/shadow-maint/shadow
|
||||
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
|
||||
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
|
||||
Source2: shadow-utils.useradd
|
||||
Source3: shadow-utils.login.defs
|
||||
Source4: shadow-bsd.txt
|
||||
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||
Patch0: shadow-4.6-redhat.patch
|
||||
Patch1: shadow-4.5-goodname.patch
|
||||
Patch2: shadow-4.1.5.1-info-parent-dir.patch
|
||||
Patch6: shadow-4.6-selinux.patch
|
||||
Patch10: shadow-4.6-orig-context.patch
|
||||
Patch11: shadow-4.1.5.1-logmsg.patch
|
||||
Patch14: shadow-4.1.5.1-default-range.patch
|
||||
Patch15: shadow-4.3.1-manfix.patch
|
||||
Patch17: shadow-4.1.5.1-userdel-helpfix.patch
|
||||
Patch19: shadow-4.2.1-date-parsing.patch
|
||||
Patch21: shadow-4.6-move-home.patch
|
||||
Patch22: shadow-4.6-audit-update.patch
|
||||
Patch23: shadow-4.5-usermod-unlock.patch
|
||||
Patch24: shadow-4.2.1-no-lock-dos.patch
|
||||
Patch28: shadow-4.3.1-selinux-perms.patch
|
||||
Patch29: shadow-4.2.1-null-tm.patch
|
||||
Patch31: shadow-4.6-getenforce.patch
|
||||
Patch32: shadow-4.5-crypt_h.patch
|
||||
Patch33: shadow-4.5-long-entry.patch
|
||||
Patch34: shadow-4.6-usermod-crash.patch
|
||||
Patch35: shadow-4.6-coverity.patch
|
||||
Patch36: shadow-4.6-use-itstool.patch
|
||||
Patch37: shadow-4.6-sssd-flush.patch
|
||||
Patch38: shadow-4.6-sysugid-min-limit.patch
|
||||
Patch39: shadow-4.6-chgrp-guard.patch
|
||||
Patch40: shadow-4.6-ignore-login-prompt.patch
|
||||
Patch41: shadow-4.6-use-lckpwdf.patch
|
||||
Source6: shadow-utils.HOME_MODE.xml
|
||||
|
||||
License: BSD and GPLv2+
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libselinux-devel >= 1.25.2-1
|
||||
BuildRequires: audit-libs-devel >= 1.6.5
|
||||
BuildRequires: libsemanage-devel
|
||||
BuildRequires: libacl-devel, libattr-devel
|
||||
BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
|
||||
BuildRequires: autoconf, automake, libtool, gettext-devel
|
||||
BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
|
||||
Requires: libselinux >= 1.25.2-1
|
||||
### Globals ###
|
||||
%global includesubiddir %{_includedir}/shadow
|
||||
|
||||
### Patches ###
|
||||
# Misc small changes - most probably non-upstreamable
|
||||
Patch0: shadow-4.11.1-redhat.patch
|
||||
# Be more lenient with acceptable user/group names - non upstreamable
|
||||
Patch1: shadow-4.8-goodname.patch
|
||||
# SElinux related - upstreamability unknown
|
||||
Patch3: shadow-4.9-default-range.patch
|
||||
# Misc manual page changes - non-upstreamable
|
||||
Patch4: shadow-4.9-manfix.patch
|
||||
# Date parsing improvement - could be upstreamed
|
||||
Patch5: shadow-4.2.1-date-parsing.patch
|
||||
# Additional error message - could be upstreamed
|
||||
Patch6: shadow-4.6-move-home.patch
|
||||
# Audit message changes - upstreamability unknown
|
||||
Patch7: shadow-4.11.1-audit-update.patch
|
||||
# Changes related to password unlocking - could be upstreamed
|
||||
Patch8: shadow-4.5-usermod-unlock.patch
|
||||
# Additional SElinux related changes - upstreamability unknown
|
||||
Patch9: shadow-4.8-selinux-perms.patch
|
||||
# Handle NULL return from *time funcs - upstreamable
|
||||
Patch10: shadow-4.11.1-null-tm.patch
|
||||
# Handle /etc/passwd corruption - could be upstreamed
|
||||
Patch11: shadow-4.8-long-entry.patch
|
||||
# Limit uid/gid allocation to non-zero - could be upstreamed
|
||||
Patch12: shadow-4.6-sysugid-min-limit.patch
|
||||
# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
|
||||
Patch13: shadow-4.8-ignore-login-prompt.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
|
||||
Patch14: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
|
||||
# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
|
||||
Patch15: shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch
|
||||
|
||||
### Dependencies ###
|
||||
Requires: audit-libs >= 1.6.5
|
||||
Requires: libselinux >= 1.25.2-1
|
||||
Requires: setup
|
||||
|
||||
### Build Dependencies ###
|
||||
BuildRequires: audit-libs-devel >= 1.6.5
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: bison
|
||||
BuildRequires: docbook-dtds
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: itstool
|
||||
BuildRequires: libacl-devel
|
||||
BuildRequires: libattr-devel
|
||||
BuildRequires: libselinux-devel >= 1.25.2-1
|
||||
BuildRequires: libsemanage-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: make
|
||||
|
||||
### Provides ###
|
||||
Provides: shadow = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description
|
||||
The shadow-utils package includes the necessary programs for
|
||||
converting UNIX password files to the shadow password format, plus
|
||||
|
@ -63,40 +87,47 @@ for all users. The useradd, userdel, and usermod commands are used for
|
|||
managing user accounts. The groupadd, groupdel, and groupmod commands
|
||||
are used for managing group accounts.
|
||||
|
||||
|
||||
### Subpackages ###
|
||||
%package subid
|
||||
Summary: A library to manage subordinate uid and gid ranges
|
||||
License: BSD and GPLv2+
|
||||
|
||||
%description subid
|
||||
Utility library that provides a way to manage subid ranges.
|
||||
|
||||
|
||||
%package subid-devel
|
||||
Summary: Development package for shadow-utils-subid
|
||||
License: BSD and GPLv2+
|
||||
Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description subid-devel
|
||||
Development files for shadow-utils-subid.
|
||||
|
||||
%prep
|
||||
%setup -q -n shadow-%{version}
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch1 -p1 -b .goodname
|
||||
%patch2 -p1 -b .info-parent-dir
|
||||
%patch6 -p1 -b .selinux
|
||||
%patch10 -p1 -b .orig-context
|
||||
%patch11 -p1 -b .logmsg
|
||||
%patch14 -p1 -b .default-range
|
||||
%patch15 -p1 -b .manfix
|
||||
%patch17 -p1 -b .userdel
|
||||
%patch19 -p1 -b .date-parsing
|
||||
%patch21 -p1 -b .move-home
|
||||
%patch22 -p1 -b .audit-update
|
||||
%patch23 -p1 -b .unlock
|
||||
%patch24 -p1 -b .no-lock-dos
|
||||
%patch28 -p1 -b .selinux-perms
|
||||
%patch29 -p1 -b .null-tm
|
||||
%patch31 -p1 -b .getenforce
|
||||
%patch32 -p1 -b .crypt_h
|
||||
%patch33 -p1 -b .long-entry
|
||||
%patch34 -p1 -b .usermod-crash
|
||||
%patch35 -p1 -b .coverity
|
||||
%patch36 -p1 -b .use-itstool
|
||||
%patch37 -p1 -b .sssd-flush
|
||||
%patch38 -p1 -b .sysugid-min-limit
|
||||
%patch39 -p1 -b .chgrp-guard
|
||||
%patch40 -p1 -b .login-prompt
|
||||
%patch41 -p1 -b .use-lckpwdf
|
||||
%patch3 -p1 -b .default-range
|
||||
%patch4 -p1 -b .manfix
|
||||
%patch5 -p1 -b .date-parsing
|
||||
%patch6 -p1 -b .move-home
|
||||
%patch7 -p1 -b .audit-update
|
||||
%patch8 -p1 -b .unlock
|
||||
%patch9 -p1 -b .selinux-perms
|
||||
%patch10 -p1 -b .null-tm
|
||||
%patch11 -p1 -b .long-entry
|
||||
%patch12 -p1 -b .sysugid-min-limit
|
||||
%patch13 -p1 -b .login-prompt
|
||||
%patch14 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
|
||||
%patch15 -p1 -b .useradd-modify-check-ID-range-for-system-users
|
||||
|
||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||
|
||||
cp -a %{SOURCE4} %{SOURCE5} .
|
||||
cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
|
||||
|
||||
# Force regeneration of getdate.c
|
||||
rm libmisc/getdate.c
|
||||
|
@ -117,74 +148,75 @@ autoreconf
|
|||
--enable-man \
|
||||
--with-audit \
|
||||
--with-sha-crypt \
|
||||
--with-bcrypt \
|
||||
--with-yescrypt \
|
||||
--with-selinux \
|
||||
--without-libcrack \
|
||||
--without-libpam \
|
||||
--disable-shared \
|
||||
--enable-shared \
|
||||
--with-group-name-max-length=32
|
||||
%make_build
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
|
||||
install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
|
||||
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
|
||||
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
|
||||
%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
|
||||
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
|
||||
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
|
||||
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
|
||||
|
||||
|
||||
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
|
||||
ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
|
||||
for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
|
||||
ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
|
||||
for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
|
||||
test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
|
||||
done
|
||||
|
||||
# Remove binaries we don't use.
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/chfn
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/chsh
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/expiry
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/groups
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/login
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/passwd
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/su
|
||||
rm $RPM_BUILD_ROOT/%{_bindir}/faillog
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
|
||||
rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
|
||||
rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
|
||||
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/chfn
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/chsh
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/expiry
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/groups
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/login
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/passwd
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/su
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/faillog
|
||||
rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
|
||||
rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
|
||||
rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
|
||||
rm $RPM_BUILD_ROOT%{_sbindir}/nologin
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
|
||||
|
||||
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
|
||||
%find_lang shadow
|
||||
|
@ -196,9 +228,17 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
|
|||
echo "%%lang($lang) $dir/man*/*" >> shadow.lang
|
||||
done
|
||||
|
||||
# Move header files to its own folder
|
||||
echo $(ls)
|
||||
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
|
||||
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
|
||||
|
||||
# Remove .la and .a files created by libsubid
|
||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
|
||||
|
||||
%files -f shadow.lang
|
||||
%doc NEWS doc/HOWTO README
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license gpl-2.0.txt shadow-bsd.txt
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
|
||||
|
@ -245,7 +285,164 @@ done
|
|||
%{_mandir}/man8/vipw.8*
|
||||
%{_mandir}/man8/vigr.8*
|
||||
|
||||
%files subid
|
||||
%{_libdir}/libsubid.so.*
|
||||
%{_bindir}/getsubids
|
||||
%{_mandir}/man1/getsubids.1*
|
||||
|
||||
%files subid-devel
|
||||
%{includesubiddir}/subid.h
|
||||
%{_libdir}/libsubid.so
|
||||
|
||||
%changelog
|
||||
* Mon Aug 1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
|
||||
- useradd: modify check ID range for system users. Resolves: #2093692
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
|
||||
- Fix explicit subid requirement for subid-devel
|
||||
|
||||
* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
|
||||
- Rebase to version 4.11.1 (#2034038)
|
||||
- Fix release sources
|
||||
- Add explicit subid requirement for subid-devel
|
||||
|
||||
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
|
||||
- nss: get shadow_logfd with log_get_logfd() (#2038811)
|
||||
- lib: make shadow_logfd and Prog not extern
|
||||
- lib: rename Prog to shadow_progname
|
||||
- lib: provide default values for shadow_progname
|
||||
- libsubid: use log_set_progname in subid_init
|
||||
|
||||
* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
|
||||
- getsubids: provide system binary and man page (#1980780)
|
||||
- pwck: fix segfault when calling fprintf() (#2021339)
|
||||
- newgrp: fix segmentation fault (#2019553)
|
||||
- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
|
||||
|
||||
* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
|
||||
- useradd: change SELinux labels for home files (#2022658)
|
||||
|
||||
* Thu Nov 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
|
||||
- useradd: revert fix memleak of grp (#2018697)
|
||||
|
||||
* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
|
||||
- useradd: generate home and mail directories with selinux user attribute
|
||||
|
||||
* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
|
||||
- login.defs: include HMAC_CRYPTO_ALGO key
|
||||
- Clean spec file: organize dependencies and move License location
|
||||
|
||||
* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
|
||||
- libmisc: fix default value in SHA_get_salt_rounds()
|
||||
|
||||
* Mon Aug 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
|
||||
- useradd: avoid generating an empty subid range (#1990653)
|
||||
|
||||
* Wed Aug 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
|
||||
- Rebase to version 4.9
|
||||
- usermod: allow all group types with -G option (#1975327)
|
||||
- Clean spec file
|
||||
|
||||
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
|
||||
- Add patch to fix 'fread returns element count, not element size'
|
||||
|
||||
* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
|
||||
- Fix regression issues detected in rhbz#667593 and rhbz#672510
|
||||
|
||||
* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
|
||||
- Enable bcrypt support, as libxcrypt supports it well
|
||||
|
||||
* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
|
||||
- Add a patch to obtain random bytes using getentropy()
|
||||
- Update shadow-4.8-crypt_h.patch with the upstreamed version
|
||||
- Add a patch to make use of crypt_gensalt() from libxcrypt
|
||||
|
||||
* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
|
||||
- useradd: free correct pointer (#1976809)
|
||||
|
||||
* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
|
||||
- Add a patch to fix the used prefix for the bcrypt hash method
|
||||
- Add a patch to cleanup the code in libmisc/salt.c
|
||||
- Add a patch adding some clarifying comments in libmisc/salt.c
|
||||
- Add a patch to obtain random bytes from /dev/urandom
|
||||
|
||||
* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
|
||||
- Covscan fixes
|
||||
|
||||
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
|
||||
- Backport support for yescrypt hash method
|
||||
- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
|
||||
|
||||
* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
|
||||
- libsubid: don't print error messages on stderr by default
|
||||
- libsubid: libsubid_init return false if out of memory
|
||||
- useradd: fix SUB_UID_COUNT=0
|
||||
- libsubid: don't return owner in list_owner_ranges API call
|
||||
- libsubid: libsubid_init don't print messages on error
|
||||
- libsubid: fix newusers when nss provides subids
|
||||
- man: clarify subid delegation
|
||||
- libsubid: make shadow_logfd not extern
|
||||
|
||||
* Thu May 6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
|
||||
- man: mention NSS in new[ug]idmap manpages
|
||||
- libsubid: move development header to shadow folder
|
||||
|
||||
* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
|
||||
- libsubid: creation and nsswitch support
|
||||
- Creation of subid and subid-devel subpackages
|
||||
|
||||
* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
|
||||
- man: include lastlog file caveat (#951564)
|
||||
- Upstream links to several patches
|
||||
- Spec file cleanup by Robert Scheck
|
||||
- Add BuildRequires: make by Tom Stellard
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Nov 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
|
||||
- commonio: force lock file sync (#1862056)
|
||||
|
||||
* Tue Nov 3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
|
||||
- Rebuild with libsemanage.so.2
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
|
||||
- check only local groups when adding new supplementary groups to a user (#1727236)
|
||||
|
||||
* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
|
||||
- useradd: clarify the useradd -d parameter behavior in man page
|
||||
|
||||
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-1
|
||||
- updated upstream to 4.8.1
|
||||
|
||||
* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-5
|
||||
- synchronized login.defs with upstream file (#1261099 and #1807957)
|
||||
|
||||
* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
|
||||
- fix useradd: doesn't generate spool mail with the proper SELinux user identity
|
||||
(#1690527)
|
||||
|
||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jan 16 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-2
|
||||
- make the invalid shell check into warning
|
||||
|
||||
* Mon Jan 13 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-1
|
||||
- update to current upstream release 4.8
|
||||
|
||||
* Mon Sep 2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16
|
||||
- fix SELinux related problem in chpasswd/chgpasswd when run with -R
|
||||
(patch by Petr Lautrbach) (#1747215)
|
||||
|
|
4
sources
4
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631
|
||||
SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed
|
||||
SHA512 (shadow-4.11.1.tar.xz) = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
|
||||
SHA512 (shadow-4.11.1.tar.xz.asc) = 4594189678cc9bcc8831f62a5d42c605b085be4a3b540429d7c800f4304e2e8fe04358547917eb90c1513646fade7c714611bfdc98af7dec5321a3dc3e65c4fd
|
||||
|
|
Loading…
Reference in New Issue