Compare commits

..

47 Commits
f32 ... rawhide

Author SHA1 Message Date
Iker Pedrosa
97547bc00a useradd: modify check ID range for system users
Resolves: #2093692

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-08-01 11:13:56 +02:00
Fedora Release Engineering
71c99ba5b1 Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-23 08:29:04 +00:00
Iker Pedrosa
5ba2bc90cc Fix explicit subid requirement for subid-devel
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-02-10 17:46:56 +01:00
Iker Pedrosa
a986f4a036 Add forgotten sources
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-01-26 09:39:55 +01:00
Iker Pedrosa
2b851f7e96 - Rebase to version 4.11.1 (#2034038)
- Fix release sources
- Add explicit subid requirement for subid-devel

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-01-26 09:30:07 +01:00
Fedora Release Engineering
bfa562aaf2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-22 00:46:50 +00:00
Iker Pedrosa
77cc4a7c14 - nss: get shadow_logfd with log_get_logfd() (#2038811)
- lib: make shadow_logfd and Prog not extern
- lib: rename Prog to shadow_progname
- lib: provide default values for shadow_progname
- libsubid: use log_set_progname in subid_init

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-01-17 10:00:50 +01:00
Iker Pedrosa
957f0eb09e - getsubids: provide system binary and man page (#1980780)
- pwck: fix segfault when calling fprintf() (#2021339)
- newgrp: fix segmentation fault (#2019553)
- groupdel: fix SIGSEGV when passwd does not exist (#1986111)

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-11-19 09:44:08 +01:00
Iker Pedrosa
a2d5d3dbda useradd: change SELinux labels for home files (#2022658)
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-11-12 15:47:43 +01:00
Iker Pedrosa
4a03ec740c useradd: revert fix memleak of grp (#2018697)
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-11-04 12:47:10 +01:00
Iker Pedrosa
11164c2c0a useradd: generate home and mail directories with selinux user attribute
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-10-27 12:02:57 +02:00
Iker Pedrosa
981bd7a093 - login.defs: include HMAC_CRYPTO_ALGO key
- Clean spec file: organize dependencies and move License location

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-09-23 09:48:39 +02:00
Iker Pedrosa
fbc8eba072 libmisc: fix default value in SHA_get_salt_rounds()
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-08-17 09:49:01 +02:00
Iker Pedrosa
3a32832856 useradd: avoid generating an empty subid range (#1990653)
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-08-11 14:58:12 +02:00
Iker Pedrosa
94f04f9e71 Rebase to version 4.9
usermod: allow all group types with -G option (#1975327)
Clean spec file

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-08-04 10:14:14 +02:00
Fedora Release Engineering
58090e11f1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-23 17:27:44 +00:00
Björn Esser
0d2b677f8f
Add patch to fix 'fread returns element count, not element size'
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-07-14 16:52:12 +02:00
Iker Pedrosa
fbe143d1bd Fix regression issues detected in rhbz#667593 and rhbz#672510
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-07-14 11:30:55 +02:00
Björn Esser
08a62b5fa3
Enable bcrypt support, as libxcrypt supports it well
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-07-12 10:07:01 +02:00
Björn Esser
90349359e4
Fix release tag
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-07-05 12:08:36 +02:00
Björn Esser
a4f9def9dd
Update shadow-4.8-crypt_h.patch with the upstreamed version
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-07-05 12:00:59 +02:00
Björn Esser
a6d57fc8a3
Add a patch to obtain random bytes using getentropy()
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-07-04 13:04:39 +02:00
Iker Pedrosa
2b6f713524 useradd: free correct pointer (#1976809) 2021-06-29 08:53:22 +02:00
Björn Esser
bace2f8c6b
Add a patch to obtain random bytes from /dev/urandom
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-28 11:04:47 +02:00
Björn Esser
1b6e097b0e
Add a patch adding some clarifying comments in libmisc/salt.c
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-28 11:04:04 +02:00
Björn Esser
2615b08c31
Add a patch to cleanup the code in libmisc/salt.c
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-28 11:03:13 +02:00
Björn Esser
c0e594d3c5
Add a patch to fix the used prefix for the bcrypt hash method
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-28 11:02:08 +02:00
Iker Pedrosa
c5fd8d4a0a Covscan fixes 2021-06-28 10:53:45 +02:00
Björn Esser
e967948ce8
Reference actual upstream commit for Patch59 2021-06-22 21:59:30 +02:00
Björn Esser
0946f2a3b0
Add a patch to fix the parameter type of YESCRYPT_salt_cost()
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-21 14:49:14 +02:00
Björn Esser
cb2f54a2c1
Backport support for yescrypt hash method
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-21 14:41:28 +02:00
Iker Pedrosa
cbc60528c3 libsubid improvements
- libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory
- useradd: fix SUB_UID_COUNT=0
- libsubid: don't return owner in list_owner_ranges API call
- libsubid: libsubid_init don't print messages on error
- libsubid: fix newusers when nss provides subids
- man: clarify subid delegation
- libsubid: make shadow_logfd not extern
2021-06-21 13:24:36 +02:00
Iker Pedrosa
1ec5088225 - man: mention NSS in new[ug]idmap manpages
- libsubid: move development header to shadow folder
2021-05-06 11:41:05 +02:00
Iker Pedrosa
5292920d9b - libsubid: creation and nsswitch support
- Creation of subid and subid-devel subpackages
2021-04-23 17:13:51 +02:00
Iker Pedrosa
3e39e1d4e3 - man: include lastlog file caveat (#951564)
- Upstream links to several patches
- Spec file cleanup by Robert Scheck
- Add BuildRequires: make by Tom Stellard
2021-03-29 12:30:28 +02:00
Fedora Release Engineering
4e14ecca65 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-27 20:17:47 +00:00
Tom Stellard
cc27294138 Add BuildRequires: make
https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2021-01-08 21:26:08 +00:00
Robert Scheck
7abff5646c Spec file cleanup 2020-12-24 21:10:44 +00:00
ipedrosa
4f395dd42d commonio: force lock file sync (#1862056) 2020-11-09 10:53:20 +01:00
Petr Lautrbach
b7aa9ac8ec Rebuild with libsemanage.so.2 2020-11-03 16:14:35 +01:00
Ludwig Nussel
9f643a3011 Add Provides: shadow
The upstream source tarball is actually called 'shadow' rather than 'shadow-utils'.
Add a compat provides for the former.
2020-10-01 13:23:15 +00:00
Fedora Release Engineering
a222f7e825 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-29 10:37:48 +00:00
ipedrosa
59585bb370 check only local groups when adding new supplementary groups to a user 2020-05-14 14:28:59 +02:00
ikerexxe
a66f10a891 useradd: clarify the useradd -d parameter behavior in man page 2020-03-24 10:46:27 +01:00
ikerexxe
b926b118d9 Rebased to 4.8.1 2020-03-17 18:18:50 +01:00
ikerexxe
7309a53c2a Synchronized login.defs with upstream file (#1261099 and #1807957) 2020-03-17 12:17:29 +01:00
ikerexxe
f5a51331fe useradd: generate /var/spool/mail/$USER with the proper SELinux user identity
Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
2020-02-24 16:36:57 +01:00
22 changed files with 863 additions and 1309 deletions

4
.gitignore vendored
View File

@ -14,3 +14,7 @@ shadow-4.1.4.2.tar.bz2
/shadow-4.8.tar.xz.asc /shadow-4.8.tar.xz.asc
/shadow-4.8.1.tar.xz /shadow-4.8.1.tar.xz
/shadow-4.8.1.tar.xz.asc /shadow-4.8.1.tar.xz.asc
/shadow-4.9.tar.xz
/shadow-4.9.tar.xz.asc
/shadow-4.11.1.tar.xz
/shadow-4.11.1.tar.xz.asc

View File

@ -1,21 +0,0 @@
Index: shadow-4.5/man/newusers.8.xml
===================================================================
--- shadow-4.5.orig/man/newusers.8.xml
+++ shadow-4.5/man/newusers.8.xml
@@ -218,7 +218,15 @@
<para>
If this field does not specify an existing directory, the
specified directory is created, with ownership set to the
- user being created or updated and its primary group.
+ user being created or updated and its primary group. Note
+ that newusers does not create parent directories of the new
+ user's home directory. The newusers command will fail to
+ create the home directory if the parent directories do not
+ exist, and will send a message to stderr informing the user
+ of the failure. The newusers command will not halt or return
+ a failure to the calling shell if it fails to create the home
+ directory, it will continue to process the batch of new users
+ specified.
</para>
<para>
If the home directory of an existing user is changed,

View File

@ -1,13 +0,0 @@
Index: shadow-4.5/src/useradd.c
===================================================================
--- shadow-4.5.orig/src/useradd.c
+++ shadow-4.5/src/useradd.c
@@ -323,7 +323,7 @@ static void fail_exit (int code)
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_FAILURE);
#endif
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
exit (code);
}

View File

@ -1,16 +0,0 @@
Index: shadow-4.5/src/userdel.c
===================================================================
--- shadow-4.5.orig/src/userdel.c
+++ shadow-4.5/src/userdel.c
@@ -143,8 +143,9 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -f, --force force removal of files,\n"
- " even if not owned by user\n"),
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
+ " e.g. removal of user still logged in\n"
+ " or files, even if not owned by the user\n"),
usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);

View File

@ -0,0 +1,22 @@
diff -up shadow-4.11.1/src/chage.c.null-tm shadow-4.11.1/src/chage.c
diff -up shadow-4.11.1/src/lastlog.c.null-tm shadow-4.11.1/src/lastlog.c
--- shadow-4.11.1/src/lastlog.c.null-tm 2022-01-03 15:31:56.348555620 +0100
+++ shadow-4.11.1/src/lastlog.c 2022-01-03 15:38:41.262229024 +0100
@@ -151,9 +151,12 @@ static void print_one (/*@null@*/const s
ll_time = ll.ll_time;
tm = localtime (&ll_time);
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
- cp = ptime;
-
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+ cp = ptime;
+ }
if (ll.ll_time == (time_t) 0) {
cp = _("**Never logged in**\0");
}
diff -up shadow-4.11.1/src/passwd.c.null-tm shadow-4.11.1/src/passwd.c
diff -up shadow-4.11.1/src/usermod.c.null-tm shadow-4.11.1/src/usermod.c

View File

@ -1,16 +1,16 @@
diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200 --- shadow-4.11.1/src/useradd.c.redhat 2022-01-03 01:46:53.000000000 +0100
+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200 +++ shadow-4.11.1/src/useradd.c 2022-01-03 14:53:12.988484829 +0100
@@ -98,7 +98,7 @@ const char *Prog; @@ -82,7 +82,7 @@ const char *Prog;
static gid_t def_group = 100; static gid_t def_group = 1000;
static const char *def_gname = "other"; static const char *def_gname = "other";
static const char *def_home = "/home"; static const char *def_home = "/home";
-static const char *def_shell = ""; -static const char *def_shell = "/bin/bash";
+static const char *def_shell = "/sbin/nologin"; +static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR; static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no"; static const char *def_create_mail_spool = "yes";
static const char *def_log_init = "yes";
@@ -108,7 +108,7 @@ static const char *def_expire = ""; @@ -93,7 +93,7 @@ static const char *def_expire = "";
#define VALID(s) (strcspn (s, ":\n") == strlen (s)) #define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = ""; static const char *user_name = "";
@ -19,7 +19,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
static uid_t user_id; static uid_t user_id;
static gid_t user_gid; static gid_t user_gid;
static const char *user_comment = ""; static const char *user_comment = "";
@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha @@ -1219,9 +1219,9 @@ static void process_flags (int argc, cha
}; };
while ((c = getopt_long (argc, argv, while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
@ -31,7 +31,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
#endif /* !WITH_SELINUX */ #endif /* !WITH_SELINUX */
long_options, NULL)) != -1) { long_options, NULL)) != -1) {
switch (c) { switch (c) {
@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha @@ -1378,6 +1378,7 @@ static void process_flags (int argc, cha
case 'M': case 'M':
Mflg = true; Mflg = true;
break; break;

View File

@ -0,0 +1,40 @@
From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 4 Jan 2022 13:06:00 +0100
Subject: [PATCH] useradd: modify check ID range for system users
useradd warns that a system user ID less than SYS_UID_MIN is outside the
expected range, even though that ID has been specifically selected with
the "-u" option.
In my opinion all the user ID's below SYS_UID_MAX are for the system,
thus I change the condition to take that into account.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 34376fa5..4c71c38a 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
uid_t uid_min ;
uid_t uid_max ;
if (rflg) {
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
- if (uid_min <= uid_max) {
- if (user_id < uid_min || user_id >uid_max)
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
+ if (user_id > uid_max) {
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
}
}else{
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
--
2.37.1

View File

@ -1,91 +0,0 @@
Index: shadow-4.5/src/faillog.c
===================================================================
--- shadow-4.5.orig/src/faillog.c
+++ shadow-4.5/src/faillog.c
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
}
tm = localtime (&fl.fail_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+ cp = ptime;
#endif
+ }
printf ("%-9s %5d %5d ",
pw->pw_name, fl.fail_cnt, fl.fail_max);
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
Index: shadow-4.5/src/chage.c
===================================================================
--- shadow-4.5.orig/src/chage.c
+++ shadow-4.5/src/chage.c
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
struct tm *tp;
tp = gmtime (&date);
+ if (tp == NULL) {
+ (void) snprintf (buf, maxsize, "(unknown)");
+ return;
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
#else
Index: shadow-4.5/src/lastlog.c
===================================================================
--- shadow-4.5.orig/src/lastlog.c
+++ shadow-4.5/src/lastlog.c
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
ll_time = ll.ll_time;
tm = localtime (&ll_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+ cp = ptime;
#else
- cp = asctime (tm);
- cp[24] = '\0';
+ cp = asctime (tm);
+ cp[24] = '\0';
#endif
+ }
if (ll.ll_time == (time_t) 0) {
cp = _("**Never logged in**\0");
Index: shadow-4.5/src/passwd.c
===================================================================
--- shadow-4.5.orig/src/passwd.c
+++ shadow-4.5/src/passwd.c
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
struct tm *tm;
tm = gmtime (&t);
+ if (tm == NULL) {
+ return "(unknown)";
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
#else /* !HAVE_STRFTIME */
Index: shadow-4.5/src/usermod.c
===================================================================
--- shadow-4.5.orig/src/usermod.c
+++ shadow-4.5/src/usermod.c
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
} else {
time_t t = (time_t) date;
tp = gmtime (&t);
+ if (tp == NULL) {
+ strncpy (buf, "unknown", maxsize);
+ return;
+ }
#ifdef HAVE_STRFTIME
strftime (buf, maxsize, "%Y-%m-%d", tp);
#else

View File

@ -1,21 +0,0 @@
diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
}
return 0;
error:
- if (security_getenforce () != 0) {
+ if (security_getenforce () > 0) {
return 1;
}
return 0;
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
selinux_checked = true;
}
if (selinux_enabled) {
- if (setfscreatecon (NULL) != 0) {
+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
return 1;
}
}

View File

@ -1,35 +0,0 @@
diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
--- shadow-4.8/configure.ac.crypt_h 2020-01-13 10:26:17.400481712 +0100
+++ shadow-4.8/configure.ac 2020-01-13 10:29:11.563529093 +0100
@@ -32,7 +32,7 @@ AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_HEADER_STDBOOL
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
--- shadow-4.8/lib/defines.h.crypt_h 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/defines.h 2020-01-13 10:26:17.400481712 +0100
@@ -4,6 +4,8 @@
#ifndef _DEFINES_H_
#define _DEFINES_H_
+#include "config.h"
+
#if HAVE_STDBOOL_H
# include <stdbool.h>
#else
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
# include <unistd.h>
#endif
+#if HAVE_CRYPT_H
+# include <crypt.h> /* crypt(3) may be defined in here */
+#endif
+
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>

View File

@ -1,241 +0,0 @@
diff -up shadow-4.8/lib/commonio.c.selinux shadow-4.8/lib/commonio.c
--- shadow-4.8/lib/commonio.c.selinux 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/commonio.c 2020-01-13 10:08:53.769101131 +0100
@@ -964,7 +964,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s-", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
@@ -997,7 +997,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s+", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
diff -up shadow-4.8/libmisc/copydir.c.selinux shadow-4.8/libmisc/copydir.c
--- shadow-4.8/libmisc/copydir.c.selinux 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/libmisc/copydir.c 2020-01-13 10:08:53.769101131 +0100
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
*/
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
free (oldlink);
return -1;
}
@@ -684,7 +684,7 @@ static int copy_special (const char *src
int err = 0;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
return -1;
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
diff -up shadow-4.8/lib/prototypes.h.selinux shadow-4.8/lib/prototypes.h
--- shadow-4.8/lib/prototypes.h.selinux 2020-01-13 10:08:53.769101131 +0100
+++ shadow-4.8/lib/prototypes.h 2020-01-13 10:11:20.914627399 +0100
@@ -334,7 +334,7 @@ extern /*@observer@*/const char *crypt_m
/* selinux.c */
#ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
extern int reset_selinux_file_context (void);
extern int check_selinux_permit (const char *perm_name);
#endif
diff -up shadow-4.8/lib/selinux.c.selinux shadow-4.8/lib/selinux.c
--- shadow-4.8/lib/selinux.c.selinux 2019-11-12 01:18:25.000000000 +0100
+++ shadow-4.8/lib/selinux.c 2020-01-13 10:08:53.769101131 +0100
@@ -51,7 +51,7 @@ static bool selinux_enabled;
* Callers may have to Reset SELinux to create files with default
* contexts with reset_selinux_file_context
*/
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
{
/*@null@*/security_context_t scontext = NULL;
@@ -63,19 +63,23 @@ int set_selinux_file_context (const char
if (selinux_enabled) {
/* Get the default security context for this file */
if (matchpathcon (dst_name, 0, &scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
+ /* We could not get the default, copy the original */
+ if (orig_name == NULL)
+ goto error;
+ if (getfilecon (orig_name, &scontext) < 0)
+ goto error;
}
/* Set the security context for the next created file */
- if (setfscreatecon (scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
- }
+ if (setfscreatecon (scontext) < 0)
+ goto error;
freecon (scontext);
}
return 0;
+ error:
+ if (security_getenforce () != 0) {
+ return 1;
+ }
+ return 0;
}
/*
diff -up shadow-4.8/lib/semanage.c.selinux shadow-4.8/lib/semanage.c
--- shadow-4.8/lib/semanage.c.selinux 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/semanage.c 2020-01-13 10:08:53.766101181 +0100
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff -up shadow-4.8/src/useradd.c.selinux shadow-4.8/src/useradd.c
--- shadow-4.8/src/useradd.c.selinux 2020-01-13 10:08:53.762101248 +0100
+++ shadow-4.8/src/useradd.c 2020-01-13 10:08:53.767101164 +0100
@@ -2078,7 +2078,7 @@ static void create_home (void)
++bhome;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (prefix_user_home) != 0) {
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
fprintf (stderr,
_("%s: cannot set SELinux context for home directory %s\n"),
Prog, user_home);
@@ -2232,6 +2232,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2454,27 +2455,12 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2485,8 +2471,9 @@ int main (int argc, char **argv)
}
#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
@@ -2495,15 +2482,31 @@ int main (int argc, char **argv)
"adding SELinux user mapping",
user_name, (unsigned int) user_id, 0);
#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ rv = E_SE_UPDATE;
+ }
}
}
#endif /* WITH_SELINUX */
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory %s already exists.\n"
+ "%s: Not copying any file from skel directory into it.\n"),
+ Prog, user_home, Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
- return E_SUCCESS;
+ return rv;
}

View File

@ -1,61 +0,0 @@
From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 5 Feb 2020 15:04:39 +0100
Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
proper SELinux user identity
Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
---
src/useradd.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/useradd.c b/src/useradd.c
index a679392d..645d4a40 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -190,6 +190,7 @@ static bool home_added = false;
#define E_NAME_IN_USE 9 /* username already in use */
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
+#define E_MAILBOXFILE 13 /* can't create mailbox file */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
@@ -2210,6 +2211,16 @@ static void create_mail (void)
sprintf (file, "%s/%s/%s", prefix, spool, user_name);
else
sprintf (file, "%s/%s", spool, user_name);
+
+#ifdef WITH_SELINUX
+ if (set_selinux_file_context (file, NULL) != 0) {
+ fprintf (stderr,
+ _("%s: cannot set SELinux context for mailbox file %s\n"),
+ Prog, file);
+ fail_exit (E_MAILBOXFILE);
+ }
+#endif
+
fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
if (fd < 0) {
perror (_("Creating mailbox file"));
@@ -2234,6 +2245,15 @@ static void create_mail (void)
fsync (fd);
close (fd);
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ if (reset_selinux_file_context () != 0) {
+ fprintf (stderr,
+ _("%s: cannot reset SELinux file creation context\n"),
+ Prog);
+ fail_exit (E_MAILBOXFILE);
+ }
+#endif
}
}
--
2.24.1

View File

@ -1,39 +0,0 @@
From fb0f702cbf958a5ee9097c1611212c9880b347ce Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Mon, 2 Nov 2020 17:08:55 +0100
Subject: [PATCH] commonio: force lock file sync
lib/commonio.c: after writing to the lock file, force a file sync to
the storage system.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1862056
---
lib/commonio.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/commonio.c b/lib/commonio.c
index 16fa7e75..c5b3d104 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -157,7 +157,17 @@ static int do_lock_file (const char *file, const char *lock, bool log)
if (write (fd, buf, (size_t) len) != len) {
if (log) {
(void) fprintf (stderr,
- "%s: %s: %s\n",
+ "%s: %s file write error: %s\n",
+ Prog, file, strerror (errno));
+ }
+ (void) close (fd);
+ unlink (file);
+ return 0;
+ }
+ if (fdatasync (fd) == -1) {
+ if (log) {
+ (void) fprintf (stderr,
+ "%s: %s file sync error: %s\n",
Prog, file, strerror (errno));
}
(void) close (fd);
--
2.26.2

View File

@ -1,341 +0,0 @@
diff -up shadow-4.8.1/man/chage.1.xml.manfix shadow-4.8.1/man/chage.1.xml
--- shadow-4.8.1/man/chage.1.xml.manfix 2019-10-05 01:28:34.000000000 +0200
+++ shadow-4.8.1/man/chage.1.xml 2020-03-17 15:34:48.750414984 +0100
@@ -102,6 +102,9 @@
Set the number of days since January 1st, 1970 when the password
was last changed. The date may also be expressed in the format
YYYY-MM-DD (or the format more commonly used in your area).
+ If the <replaceable>LAST_DAY</replaceable> is set to
+ <emphasis>0</emphasis> the user is forced to change his password
+ on the next log on.
</para>
</listitem>
</varlistentry>
@@ -119,6 +122,13 @@
system again.
</para>
<para>
+ For example the following can be used to set an account to expire
+ in 180 days:
+ </para>
+ <programlisting>
+ chage -E $(date -d +180days +%Y-%m-%d)
+ </programlisting>
+ <para>
Passing the number <emphasis remap='I'>-1</emphasis> as the
<replaceable>EXPIRE_DATE</replaceable> will remove an account
expiration date.
@@ -239,6 +249,18 @@
The <command>chage</command> program requires a shadow password file to
be available.
</para>
+ <para>
+ The chage program will report only the information from the shadow
+ password file. This implies that configuration from other sources
+ (e.g. LDAP or empty password hash field from the passwd file) that
+ affect the user's login will not be shown in the chage output.
+ </para>
+ <para>
+ The <command>chage</command> program will also not report any
+ inconsistency between the shadow and passwd files (e.g. missing x in
+ the passwd file). The <command>pwck</command> can be used to check
+ for this kind of inconsistencies.
+ </para>
<para>The <command>chage</command> command is restricted to the root
user, except for the <option>-l</option> option, which may be used by
an unprivileged user to determine when their password or account is due
diff -up shadow-4.8.1/man/groupadd.8.xml.manfix shadow-4.8.1/man/groupadd.8.xml
--- shadow-4.8.1/man/groupadd.8.xml.manfix 2020-03-17 15:34:48.745414917 +0100
+++ shadow-4.8.1/man/groupadd.8.xml 2020-03-17 15:34:48.750414984 +0100
@@ -320,13 +320,13 @@
<varlistentry>
<term><replaceable>4</replaceable></term>
<listitem>
- <para>GID not unique (when <option>-o</option> not used)</para>
+ <para>GID is already used (when called without <option>-o</option>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>9</replaceable></term>
<listitem>
- <para>group name not unique</para>
+ <para>group name is already used</para>
</listitem>
</varlistentry>
<varlistentry>
diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
--- shadow-4.8.1/man/groupmems.8.xml.manfix 2020-03-17 15:34:48.750414984 +0100
+++ shadow-4.8.1/man/groupmems.8.xml 2020-03-17 15:41:13.383588722 +0100
@@ -179,20 +179,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2710 groupmems
- $ chown root.groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8.1/man/ja/man5/login.defs.5 2020-03-17 15:34:48.750414984 +0100
@@ -147,10 +147,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。
.na
-.IP chfn 12
-CHFN_AUTH CHFN_RESTRICT
-.IP chsh 12
-CHFN_AUTH
.IP groupadd 12
GID_MAX GID_MIN
.IP newusers 12
diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
--- shadow-4.8.1/man/login.defs.5.xml.manfix 2020-01-17 16:47:56.000000000 +0100
+++ shadow-4.8.1/man/login.defs.5.xml 2020-03-17 15:34:48.750414984 +0100
@@ -164,6 +164,17 @@
long numeric parameters is machine-dependent.
</para>
+ <para>
+ Please note that the parameters in this configuration file control the
+ behavior of the tools from the shadow-utils component. None of these
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
+ passwd command) should be configured elsewhere. The only values that
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
+ pam(8) for more information.
+ </para>
+
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
@@ -256,16 +267,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>chfn</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
- CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>chgpasswd</term>
<listitem>
<para>
@@ -286,14 +287,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry condition="no_pam">
- <term>chsh</term>
- <listitem>
- <para>
- CHSH_AUTH LOGIN_STRING
- </para>
- </listitem>
- </varlistentry>
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables -->
<varlistentry>
@@ -359,34 +352,6 @@
<para>LASTLOG_UID_MAX</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
<!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
@@ -415,17 +380,6 @@
</listitem>
</varlistentry>
<!-- nologin: no variables -->
- <varlistentry condition="no_pam">
- <term>passwd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>pwck</term>
<listitem>
@@ -452,32 +406,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>
diff -up shadow-4.8.1/man/shadow.5.xml.manfix shadow-4.8.1/man/shadow.5.xml
--- shadow-4.8.1/man/shadow.5.xml.manfix 2019-12-01 17:52:32.000000000 +0100
+++ shadow-4.8.1/man/shadow.5.xml 2020-03-17 15:34:48.750414984 +0100
@@ -129,7 +129,7 @@
<listitem>
<para>
The date of the last password change, expressed as the number
- of days since Jan 1, 1970.
+ of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
The value 0 has a special meaning, which is that the user
@@ -208,8 +208,8 @@
</para>
<para>
After expiration of the password and this expiration period is
- elapsed, no login is possible using the current user's
- password. The user should contact her administrator.
+ elapsed, no login is possible for the user.
+ The user should contact her administrator.
</para>
<para>
An empty field means that there are no enforcement of an
@@ -224,7 +224,7 @@
<listitem>
<para>
The date of expiration of the account, expressed as the number
- of days since Jan 1, 1970.
+ of days since Jan 1, 1970 00:00 UTC.
</para>
<para>
Note that an account expiration differs from a password
diff -up shadow-4.8.1/man/useradd.8.xml.manfix shadow-4.8.1/man/useradd.8.xml
--- shadow-4.8.1/man/useradd.8.xml.manfix 2020-03-17 15:34:48.745414917 +0100
+++ shadow-4.8.1/man/useradd.8.xml 2020-03-17 15:34:48.751414997 +0100
@@ -359,6 +359,11 @@
<option>CREATE_HOME</option> is not enabled, no home
directories are created.
</para>
+ <para>
+ The directory where the user's home directory is created must
+ exist and have proper SELinux context and permissions. Otherwise
+ the user's home directory cannot be created or accessed.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
diff -up shadow-4.8.1/man/usermod.8.xml.manfix shadow-4.8.1/man/usermod.8.xml
--- shadow-4.8.1/man/usermod.8.xml.manfix 2019-12-20 06:58:23.000000000 +0100
+++ shadow-4.8.1/man/usermod.8.xml 2020-03-17 15:34:48.751414997 +0100
@@ -143,7 +143,8 @@
If the <option>-m</option>
option is given, the contents of the current home directory will
be moved to the new home directory, which is created if it does
- not already exist.
+ not already exist. If the current home directory does not exist
+ the new home directory will not be created.
</para>
</listitem>
</varlistentry>
@@ -205,6 +206,12 @@
The group ownership of files outside of the user's home directory
must be fixed manually.
</para>
+ <para>
+ The change of the group ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -267,7 +274,8 @@
<listitem>
<para>
Move the content of the user's home directory to the new
- location.
+ location. If the current home directory does not exist
+ the new home directory will not be created.
</para>
<para>
This option is only valid in combination with the
@@ -381,6 +389,12 @@
must be fixed manually.
</para>
<para>
+ The change of the user ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
+ <para>
No checks will be performed with regard to the
<option>UID_MIN</option>, <option>UID_MAX</option>,
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>

View File

@ -1,35 +0,0 @@
From 6543c600d841e4f7779269412d470e50eae25b13 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 4 Mar 2020 14:50:04 +0100
Subject: [PATCH] useradd: clarify the useradd -d parameter behavior in man
page
Explanation: clarify the useradd -d parameter as it does create directory HOME_DIR if it doesn't exit.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1677005
Changelog: [serge] minor tweak to the text
---
man/useradd.8.xml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 03612ce8..023c0d69 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -181,8 +181,10 @@
login directory. The default is to append the
<replaceable>LOGIN</replaceable> name to
<replaceable>BASE_DIR</replaceable> and use that as the login
- directory name. The directory <replaceable>HOME_DIR</replaceable>
- does not have to exist but will not be created if it is missing.
+ directory name. If the directory
+ <replaceable>HOME_DIR</replaceable> does not exist, then it
+ will be created unless the <option>-M</option> option is
+ specified.
</para>
</listitem>
</varlistentry>
--
2.25.1

View File

@ -1,7 +1,6 @@
Index: shadow-4.5/lib/semanage.c diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
=================================================================== --- shadow-4.9/lib/semanage.c.default-range 2021-07-22 23:55:35.000000000 +0200
--- shadow-4.5.orig/lib/semanage.c +++ shadow-4.9/lib/semanage.c 2021-08-02 12:43:16.822817392 +0200
+++ shadow-4.5/lib/semanage.c
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
goto done; goto done;
} }
@ -9,7 +8,7 @@ Index: shadow-4.5/lib/semanage.c
+#if 0 +#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) { if (ret != 0) {
fprintf (stderr, fprintf (shadow_logfd,
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h @@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
ret = 1; ret = 1;
goto done; goto done;
@ -25,7 +24,7 @@ Index: shadow-4.5/lib/semanage.c
+#if 0 +#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) { if (ret != 0) {
fprintf (stderr, fprintf (shadow_logfd,
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h @@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
ret = 1; ret = 1;
goto done; goto done;

180
shadow-4.9-manfix.patch Normal file
View File

@ -0,0 +1,180 @@
diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
--- shadow-4.8.1/man/groupmems.8.xml.manfix 2020-03-17 15:34:48.750414984 +0100
+++ shadow-4.8.1/man/groupmems.8.xml 2020-03-17 15:41:13.383588722 +0100
@@ -179,20 +179,10 @@
<refsect1 id='setup'>
<title>SETUP</title>
<para>
- The <command>groupmems</command> executable should be in mode
- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
- <emphasis>groups</emphasis>. The system administrator can add users to
- group <emphasis>groups</emphasis> to allow or disallow them using the
- <command>groupmems</command> utility to manage their own group
- membership list.
+ In this operating system the <command>groupmems</command> executable
+ is not setuid and regular users cannot use it to manipulate
+ the membership of their own group.
</para>
-
- <programlisting>
- $ groupadd -r groups
- $ chmod 2710 groupmems
- $ chown root.groups groupmems
- $ groupmems -g groups -a gk4
- </programlisting>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8.1/man/ja/man5/login.defs.5 2020-03-17 15:34:48.750414984 +0100
@@ -147,10 +147,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。
.na
-.IP chfn 12
-CHFN_AUTH CHFN_RESTRICT
-.IP chsh 12
-CHFN_AUTH
.IP groupadd 12
GID_MAX GID_MIN
.IP newusers 12
diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
--- shadow-4.8.1/man/login.defs.5.xml.manfix 2020-01-17 16:47:56.000000000 +0100
+++ shadow-4.8.1/man/login.defs.5.xml 2020-03-17 15:34:48.750414984 +0100
@@ -164,6 +164,17 @@
long numeric parameters is machine-dependent.
</para>
+ <para>
+ Please note that the parameters in this configuration file control the
+ behavior of the tools from the shadow-utils component. None of these
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
+ passwd command) should be configured elsewhere. The only values that
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
+ pam(8) for more information.
+ </para>
+
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
@@ -256,16 +267,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>chfn</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
- CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>chgpasswd</term>
<listitem>
<para>
@@ -286,14 +287,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry condition="no_pam">
- <term>chsh</term>
- <listitem>
- <para>
- CHSH_AUTH LOGIN_STRING
- </para>
- </listitem>
- </varlistentry>
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables -->
<varlistentry>
@@ -359,34 +352,6 @@
<para>LASTLOG_UID_MAX</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
<!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
@@ -415,17 +380,6 @@
</listitem>
</varlistentry>
<!-- nologin: no variables -->
- <varlistentry condition="no_pam">
- <term>passwd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>pwck</term>
<listitem>
@@ -452,32 +406,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>

View File

@ -0,0 +1,48 @@
From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 10 Jan 2022 15:30:28 +0100
Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
is NULL. In order to avoid that load the log file descriptor with the
log_get_logfd() helper function.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
lib/nss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/nss.c b/lib/nss.c
index 02742902..06fa48e5 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -9,6 +9,7 @@
#include "prototypes.h"
#include "../libsubid/subid.h"
#include "shadowlog_internal.h"
+#include "shadowlog.h"
#define NSSWITCH "/etc/nsswitch.conf"
@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
FILE *nssfp = NULL;
char *line = NULL, *p, *token, *saveptr;
size_t len = 0;
+ FILE *shadow_logfd = log_get_logfd();
if (atomic_flag_test_and_set(&nss_init_started)) {
// Another thread has started nss_init, wait for it to complete
@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
// subid: files
nssfp = fopen(nsswitch_path, "r");
if (!nssfp) {
- fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
+ fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
atomic_store(&nss_init_completed, true);
return;
}
--
2.34.1

View File

@ -198,10 +198,11 @@ SUB_GID_COUNT 65536
# If set to MD5, MD5-based algorithm will be used for encrypting password # If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default) # If set to DES, DES-based algorithm will be used for encrypting password (default)
# #
ENCRYPT_METHOD SHA512 ENCRYPT_METHOD YESCRYPT
# #
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@ -218,7 +219,33 @@ ENCRYPT_METHOD SHA512
# Currently SHA_CRYPT_MIN_ROUNDS is not supported # Currently SHA_CRYPT_MIN_ROUNDS is not supported
# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported #
# Only works if ENCRYPT_METHOD is set to BCRYPT.
#
# Define the number of BCRYPT rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, 13 rounds will be attempted.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
#BCRYPT_MIN_ROUNDS 13
#BCRYPT_MAX_ROUNDS 31
#
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
#
# Define the YESCRYPT cost factor.
# With a higher cost factor, it is more difficult to brute-force the password.
# However, more CPU time and more memory will be needed to authenticate users
# if this value is increased.
#
# If not specified, a cost factor of 5 will be used.
# The value must be within the 1-11 range.
#
#YESCRYPT_COST_FACTOR 5
# Currently CONSOLE_GROUPS is not supported # Currently CONSOLE_GROUPS is not supported
@ -266,3 +293,13 @@ CREATE_HOME yes
# missing. # missing.
# #
#FORCE_SHADOW yes #FORCE_SHADOW yes
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
#
# Note: It is recommended to check hmac(3) to see the possible algorithms
# that are available in your system.
#
HMAC_CRYPTO_ALGO SHA512

View File

@ -1,73 +1,78 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.8.1 Version: 4.11.1
Release: 3%{?dist} Release: 4%{?dist}
Epoch: 2 Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/ License: BSD and GPLv2+
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz URL: https://github.com/shadow-maint/shadow
Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
Source2: shadow-utils.useradd Source2: shadow-utils.useradd
Source3: shadow-utils.login.defs Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Source6: shadow-utils.HOME_MODE.xml Source6: shadow-utils.HOME_MODE.xml
### Globals ###
%global includesubiddir %{_includedir}/shadow
### Patches ###
# Misc small changes - most probably non-upstreamable # Misc small changes - most probably non-upstreamable
Patch0: shadow-4.6-redhat.patch Patch0: shadow-4.11.1-redhat.patch
# Be more lenient with acceptable user/group names - non upstreamable # Be more lenient with acceptable user/group names - non upstreamable
Patch1: shadow-4.8-goodname.patch Patch1: shadow-4.8-goodname.patch
# Docfix for newusers - could be upstreamed
Patch2: shadow-4.1.5.1-info-parent-dir.patch
# Misc SElinux related changes - upstreamability unknown
Patch6: shadow-4.8-selinux.patch
# Syslog message change - could be upstreamed
Patch11: shadow-4.1.5.1-logmsg.patch
# SElinux related - upstreamability unknown # SElinux related - upstreamability unknown
Patch14: shadow-4.1.5.1-default-range.patch Patch3: shadow-4.9-default-range.patch
# Misc manual page changes - only some of them could be upstreamed # Misc manual page changes - non-upstreamable
Patch15: shadow-4.8.1-manfix.patch Patch4: shadow-4.9-manfix.patch
# Userdel usage message change - could be upstreamed
Patch17: shadow-4.1.5.1-userdel-helpfix.patch
# Date parsing improvement - could be upstreamed # Date parsing improvement - could be upstreamed
Patch19: shadow-4.2.1-date-parsing.patch Patch5: shadow-4.2.1-date-parsing.patch
# Additional error message - could be upstreamed # Additional error message - could be upstreamed
Patch21: shadow-4.6-move-home.patch Patch6: shadow-4.6-move-home.patch
# Audit message changes - upstreamability unknown # Audit message changes - upstreamability unknown
Patch22: shadow-4.8.1-audit-update.patch Patch7: shadow-4.11.1-audit-update.patch
# Changes related to password unlocking - could be upstreamed # Changes related to password unlocking - could be upstreamed
Patch23: shadow-4.5-usermod-unlock.patch Patch8: shadow-4.5-usermod-unlock.patch
# Additional SElinux related changes - upstreamability unknown # Additional SElinux related changes - upstreamability unknown
Patch28: shadow-4.8-selinux-perms.patch Patch9: shadow-4.8-selinux-perms.patch
# Handle NULL return from *time funcs - could be upstreamed # Handle NULL return from *time funcs - upstreamable
Patch29: shadow-4.2.1-null-tm.patch Patch10: shadow-4.11.1-null-tm.patch
# SElinux related - upstreamability unknown
Patch31: shadow-4.6-getenforce.patch
# Handle include of crypt.h - could be upstreamed
Patch32: shadow-4.8-crypt_h.patch
# Handle /etc/passwd corruption - could be upstreamed # Handle /etc/passwd corruption - could be upstreamed
Patch33: shadow-4.8-long-entry.patch Patch11: shadow-4.8-long-entry.patch
# Limit uid/gid allocation to non-zero - could be upstreamed # Limit uid/gid allocation to non-zero - could be upstreamed
Patch38: shadow-4.6-sysugid-min-limit.patch Patch12: shadow-4.6-sysugid-min-limit.patch
# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown # Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
Patch40: shadow-4.8-ignore-login-prompt.patch Patch13: shadow-4.8-ignore-login-prompt.patch
# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed # https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
Patch42: shadow-4.8-useradd-selinux-mail.patch Patch14: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
# Clarify useradd man regarding "-d" parameter - already upstreamed # https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
Patch43: shadow-4.8.1-useradd-man-clarification.patch Patch15: shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch
# https://github.com/shadow-maint/shadow/commit/599cc003daf833bffdc9cbe0d33dc8b3e7ec74c8
Patch44: shadow-4.8.1-commonio-force-lock-file-sync.patch
License: BSD and GPLv2+ ### Dependencies ###
BuildRequires: gcc
BuildRequires: libselinux-devel >= 1.25.2-1
BuildRequires: audit-libs-devel >= 1.6.5
BuildRequires: libsemanage-devel
BuildRequires: libacl-devel, libattr-devel
BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
BuildRequires: autoconf, automake, libtool, gettext-devel
BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
Requires: libselinux >= 1.25.2-1
Requires: audit-libs >= 1.6.5 Requires: audit-libs >= 1.6.5
Requires: libselinux >= 1.25.2-1
Requires: setup Requires: setup
### Build Dependencies ###
BuildRequires: audit-libs-devel >= 1.6.5
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: flex
BuildRequires: gcc
BuildRequires: gettext-devel
BuildRequires: itstool
BuildRequires: libacl-devel
BuildRequires: libattr-devel
BuildRequires: libselinux-devel >= 1.25.2-1
BuildRequires: libsemanage-devel
BuildRequires: libtool
BuildRequires: libxslt
BuildRequires: make
### Provides ###
Provides: shadow = %{epoch}:%{version}-%{release} Provides: shadow = %{epoch}:%{version}-%{release}
%description %description
@ -82,30 +87,41 @@ for all users. The useradd, userdel, and usermod commands are used for
managing user accounts. The groupadd, groupdel, and groupmod commands managing user accounts. The groupadd, groupdel, and groupmod commands
are used for managing group accounts. are used for managing group accounts.
### Subpackages ###
%package subid
Summary: A library to manage subordinate uid and gid ranges
License: BSD and GPLv2+
%description subid
Utility library that provides a way to manage subid ranges.
%package subid-devel
Summary: Development package for shadow-utils-subid
License: BSD and GPLv2+
Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
%description subid-devel
Development files for shadow-utils-subid.
%prep %prep
%setup -q -n shadow-%{version} %setup -q -n shadow-%{version}
%patch0 -p1 -b .redhat %patch0 -p1 -b .redhat
%patch1 -p1 -b .goodname %patch1 -p1 -b .goodname
%patch2 -p1 -b .info-parent-dir %patch3 -p1 -b .default-range
%patch6 -p1 -b .selinux %patch4 -p1 -b .manfix
%patch11 -p1 -b .logmsg %patch5 -p1 -b .date-parsing
%patch14 -p1 -b .default-range %patch6 -p1 -b .move-home
%patch15 -p1 -b .manfix %patch7 -p1 -b .audit-update
%patch17 -p1 -b .userdel %patch8 -p1 -b .unlock
%patch19 -p1 -b .date-parsing %patch9 -p1 -b .selinux-perms
%patch21 -p1 -b .move-home %patch10 -p1 -b .null-tm
%patch22 -p1 -b .audit-update %patch11 -p1 -b .long-entry
%patch23 -p1 -b .unlock %patch12 -p1 -b .sysugid-min-limit
%patch28 -p1 -b .selinux-perms %patch13 -p1 -b .login-prompt
%patch29 -p1 -b .null-tm %patch14 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
%patch31 -p1 -b .getenforce %patch15 -p1 -b .useradd-modify-check-ID-range-for-system-users
%patch32 -p1 -b .crypt_h
%patch33 -p1 -b .long-entry
%patch38 -p1 -b .sysugid-min-limit
%patch40 -p1 -b .login-prompt
%patch42 -p1 -b .useradd-selinux-mail
%patch43 -p1 -b .useradd-man-clarification
%patch44 -p1 -b .commonio-force-lock-file-sync
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO cp -f doc/HOWTO.utf8 doc/HOWTO
@ -132,74 +148,75 @@ autoreconf
--enable-man \ --enable-man \
--with-audit \ --with-audit \
--with-sha-crypt \ --with-sha-crypt \
--with-bcrypt \
--with-yescrypt \
--with-selinux \ --with-selinux \
--without-libcrack \ --without-libcrack \
--without-libpam \ --without-libpam \
--disable-shared \ --enable-shared \
--with-group-name-max-length=32 --with-group-name-max-length=32
%make_build %make_build
%install %install
rm -rf $RPM_BUILD_ROOT %make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
done done
# Remove binaries we don't use. # Remove binaries we don't use.
rm $RPM_BUILD_ROOT/%{_bindir}/chfn rm $RPM_BUILD_ROOT%{_bindir}/chfn
rm $RPM_BUILD_ROOT/%{_bindir}/chsh rm $RPM_BUILD_ROOT%{_bindir}/chsh
rm $RPM_BUILD_ROOT/%{_bindir}/expiry rm $RPM_BUILD_ROOT%{_bindir}/expiry
rm $RPM_BUILD_ROOT/%{_bindir}/groups rm $RPM_BUILD_ROOT%{_bindir}/groups
rm $RPM_BUILD_ROOT/%{_bindir}/login rm $RPM_BUILD_ROOT%{_bindir}/login
rm $RPM_BUILD_ROOT/%{_bindir}/passwd rm $RPM_BUILD_ROOT%{_bindir}/passwd
rm $RPM_BUILD_ROOT/%{_bindir}/su rm $RPM_BUILD_ROOT%{_bindir}/su
rm $RPM_BUILD_ROOT/%{_bindir}/faillog rm $RPM_BUILD_ROOT%{_bindir}/faillog
rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
rm $RPM_BUILD_ROOT/%{_sbindir}/nologin rm $RPM_BUILD_ROOT%{_sbindir}/nologin
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.* rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.* rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.* rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.* rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.* rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.* rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.* rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.* rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.* rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.* rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.* rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.* rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.* rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.* rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.* rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.* rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.* rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.* rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
%find_lang shadow %find_lang shadow
@ -211,9 +228,17 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
echo "%%lang($lang) $dir/man*/*" >> shadow.lang echo "%%lang($lang) $dir/man*/*" >> shadow.lang
done done
# Move header files to its own folder
echo $(ls)
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
# Remove .la and .a files created by libsubid
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
%files -f shadow.lang %files -f shadow.lang
%doc NEWS doc/HOWTO README %doc NEWS doc/HOWTO README
%{!?_licensedir:%global license %%doc}
%license gpl-2.0.txt shadow-bsd.txt %license gpl-2.0.txt shadow-bsd.txt
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
@ -260,10 +285,141 @@ done
%{_mandir}/man8/vipw.8* %{_mandir}/man8/vipw.8*
%{_mandir}/man8/vigr.8* %{_mandir}/man8/vigr.8*
%files subid
%{_libdir}/libsubid.so.*
%{_bindir}/getsubids
%{_mandir}/man1/getsubids.1*
%files subid-devel
%{includesubiddir}/subid.h
%{_libdir}/libsubid.so
%changelog %changelog
* Mon Nov 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3 * Mon Aug 1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
- useradd: modify check ID range for system users. Resolves: #2093692
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
- Fix explicit subid requirement for subid-devel
* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
- Rebase to version 4.11.1 (#2034038)
- Fix release sources
- Add explicit subid requirement for subid-devel
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
- nss: get shadow_logfd with log_get_logfd() (#2038811)
- lib: make shadow_logfd and Prog not extern
- lib: rename Prog to shadow_progname
- lib: provide default values for shadow_progname
- libsubid: use log_set_progname in subid_init
* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
- getsubids: provide system binary and man page (#1980780)
- pwck: fix segfault when calling fprintf() (#2021339)
- newgrp: fix segmentation fault (#2019553)
- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
- useradd: change SELinux labels for home files (#2022658)
* Thu Nov 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
- useradd: revert fix memleak of grp (#2018697)
* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
- useradd: generate home and mail directories with selinux user attribute
* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
- login.defs: include HMAC_CRYPTO_ALGO key
- Clean spec file: organize dependencies and move License location
* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
- libmisc: fix default value in SHA_get_salt_rounds()
* Mon Aug 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
- useradd: avoid generating an empty subid range (#1990653)
* Wed Aug 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
- Rebase to version 4.9
- usermod: allow all group types with -G option (#1975327)
- Clean spec file
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
- Add patch to fix 'fread returns element count, not element size'
* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
- Fix regression issues detected in rhbz#667593 and rhbz#672510
* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
- Enable bcrypt support, as libxcrypt supports it well
* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
- Add a patch to obtain random bytes using getentropy()
- Update shadow-4.8-crypt_h.patch with the upstreamed version
- Add a patch to make use of crypt_gensalt() from libxcrypt
* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
- useradd: free correct pointer (#1976809)
* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
- Add a patch to fix the used prefix for the bcrypt hash method
- Add a patch to cleanup the code in libmisc/salt.c
- Add a patch adding some clarifying comments in libmisc/salt.c
- Add a patch to obtain random bytes from /dev/urandom
* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
- Covscan fixes
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
- Backport support for yescrypt hash method
- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
- libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory
- useradd: fix SUB_UID_COUNT=0
- libsubid: don't return owner in list_owner_ranges API call
- libsubid: libsubid_init don't print messages on error
- libsubid: fix newusers when nss provides subids
- man: clarify subid delegation
- libsubid: make shadow_logfd not extern
* Thu May 6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
- man: mention NSS in new[ug]idmap manpages
- libsubid: move development header to shadow folder
* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
- libsubid: creation and nsswitch support
- Creation of subid and subid-devel subpackages
* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
- man: include lastlog file caveat (#951564)
- Upstream links to several patches
- Spec file cleanup by Robert Scheck
- Add BuildRequires: make by Tom Stellard
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
- commonio: force lock file sync (#1862056) - commonio: force lock file sync (#1862056)
- spec: add Provides keyword
* Tue Nov 3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
- Rebuild with libsemanage.so.2
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
- check only local groups when adding new supplementary groups to a user (#1727236)
* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2 * Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
- useradd: clarify the useradd -d parameter behavior in man page - useradd: clarify the useradd -d parameter behavior in man page

View File

@ -1,2 +1,2 @@
SHA512 (shadow-4.8.1.tar.xz) = 780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b SHA512 (shadow-4.11.1.tar.xz) = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
SHA512 (shadow-4.8.1.tar.xz.asc) = ec7686263c81d3feb8ee4314c3323a9a3ada74aafaaf99f4f0d9af9b1341f8c5ff5477ecf98dd94dbb7d921f532d655b0b6a87d94c71893f35dc9bc54c84dd42 SHA512 (shadow-4.11.1.tar.xz.asc) = 4594189678cc9bcc8831f62a5d42c605b085be4a3b540429d7c800f4304e2e8fe04358547917eb90c1513646fade7c714611bfdc98af7dec5321a3dc3e65c4fd