allow all types of groups when modifying supplementary groups (#1975327 )

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
- man: include lastlog file caveat (#951564 )
2021-08-16 09:53:32 +02:00 · 2021-04-26 14:57:45 +02:00 · 2020-11-16 09:48:24 +01:00 · 2020-11-16 09:45:32 +01:00
4 changed files with 98 additions and 317 deletions
--- a/shadow-4.8.1-check-local-groups.patch
+++ b/shadow-4.8.1-check-local-groups.patch
@ -1,314 +1,3 @@
-From 140510de9de4771feb3af1d859c09604043a4c9b Mon Sep 17 00:00:00 2001
-From: ikerexxe <ipedrosa@redhat.com>
-Date: Fri, 27 Mar 2020 14:23:02 +0100
-Subject: [PATCH 1/2] usermod: check only local groups with -G option
-
-Check only local groups when adding new supplementary groups to a user
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
---
- src/usermod.c | 220 ++++++++++++++++++++++++++++++++------------------
- 1 file changed, 143 insertions(+), 77 deletions(-)
-
-diff --git a/src/usermod.c b/src/usermod.c
-index 05b98715..ef430296 100644
--- a/src/usermod.c
-+++ b/src/usermod.c
-@@ -183,6 +183,7 @@ static bool sub_gid_locked = false;
- static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
-                          long int date);
- static int get_groups (char *);
-+static struct group * get_local_group (char * grp_name);
- static /*@noreturn@*/void usage (int status);
- static void new_pwent (struct passwd *);
- static void new_spent (struct spwd *);
-@@ -196,7 +197,9 @@ static void grp_update (void);
- 
- static void process_flags (int, char **);
- static void close_files (void);
-+static void close_group_files (void);
- static void open_files (void);
-+static void open_group_files (void);
- static void usr_update (void);
- static void move_home (void);
- static void update_lastlog (void);
-@@ -253,6 +256,11 @@ static int get_groups (char *list)
- 		return 0;
- 	}
- 
-+	/*
-+	 * Open the group files
-+	 */
-+	open_group_files ();
-+
- 	/*
- 	 * So long as there is some data to be converted, strip off each
- 	 * name and look it up. A mix of numerical and string values for
-@@ -272,7 +280,7 @@ static int get_groups (char *list)
- 		 * Names starting with digits are treated as numerical GID
- 		 * values, otherwise the string is looked up as is.
- 		 */
-		grp = prefix_getgr_nam_gid (list);
-+		grp = get_local_group (list);
- 
- 		/*
- 		 * There must be a match, either by GID value or by
-@@ -322,6 +330,8 @@ static int get_groups (char *list)
- 		gr_free ((struct group *)grp);
- 	} while (NULL != list);
- 
-+	close_group_files ();
-+
- 	user_groups[ngroups] = (char *) 0;
- 
- 	/*
-@@ -334,6 +344,44 @@ static int get_groups (char *list)
- 	return 0;
- }
- 
-+/*
-+ * get_local_group - checks if a given group name exists locally
-+ *
-+ *	get_local_group() checks if a given group name exists locally.
-+ *	If the name exists the group information is returned, otherwise NULL is
-+ *	returned.
-+ */
-+static struct group * get_local_group(char * grp_name)
-+{
-+	const struct group *grp;
-+	struct group *result_grp = NULL;
-+	long long int gid;
-+	char *endptr;
-+
-+	gid = strtoll (grp_name, &endptr, 10);
-+	if (   ('\0' != *grp_name)
-+		&& ('\0' == *endptr)
-+		&& (ERANGE != errno)
-+		&& (gid == (gid_t)gid)) {
-+		grp = gr_locate_gid ((gid_t) gid);
-+	}
-+	else {
-+		grp = gr_locate(grp_name);
-+	}
-+
-+	if (grp != NULL) {
-+		result_grp = __gr_dup (grp);
-+		if (NULL == result_grp) {
-+			fprintf (stderr,
-+					_("%s: Out of memory. Cannot find group '%s'.\n"),
-+					Prog, grp_name);
-+			fail_exit (E_GRP_UPDATE);
-+		}
-+	}
-+
-+	return result_grp;
-+}
-+
- #ifdef ENABLE_SUBIDS
- struct ulong_range
- {
-@@ -1447,50 +1495,7 @@ static void close_files (void)
- 	}
- 
- 	if (Gflg || lflg) {
-		if (gr_close () == 0) {
-			fprintf (stderr,
-			         _("%s: failure while writing changes to %s\n"),
-			         Prog, gr_dbname ());
-			SYSLOG ((LOG_ERR,
-			         "failure while writing changes to %s",
-			         gr_dbname ()));
-			fail_exit (E_GRP_UPDATE);
-		}
-#ifdef SHADOWGRP
-		if (is_shadow_grp) {
-			if (sgr_close () == 0) {
-				fprintf (stderr,
-				         _("%s: failure while writing changes to %s\n"),
-				         Prog, sgr_dbname ());
-				SYSLOG ((LOG_ERR,
-				         "failure while writing changes to %s",
-				         sgr_dbname ()));
-				fail_exit (E_GRP_UPDATE);
-			}
-		}
-#endif
-#ifdef SHADOWGRP
-		if (is_shadow_grp) {
-			if (sgr_unlock () == 0) {
-				fprintf (stderr,
-				         _("%s: failed to unlock %s\n"),
-				         Prog, sgr_dbname ());
-				SYSLOG ((LOG_ERR,
-				         "failed to unlock %s",
-				         sgr_dbname ()));
-				/* continue */
-			}
-		}
-#endif
-		if (gr_unlock () == 0) {
-			fprintf (stderr,
-			         _("%s: failed to unlock %s\n"),
-			         Prog, gr_dbname ());
-			SYSLOG ((LOG_ERR,
-			         "failed to unlock %s",
-			         gr_dbname ()));
-			/* continue */
-		}
-+		close_group_files ();
- 	}
- 
- 	if (is_shadow_pwd) {
-@@ -1559,6 +1564,60 @@ static void close_files (void)
- #endif
- }
- 
-+/*
-+ * close_group_files - close all of the files that were opened
-+ *
-+ *	close_group_files() closes all of the files that were opened related
-+ *  with groups. This causes any modified entries to be written out.
-+ */
-+static void close_group_files (void)
-+{
-+	if (gr_close () == 0) {
-+		fprintf (stderr,
-+					_("%s: failure while writing changes to %s\n"),
-+					Prog, gr_dbname ());
-+		SYSLOG ((LOG_ERR,
-+					"failure while writing changes to %s",
-+					gr_dbname ()));
-+		fail_exit (E_GRP_UPDATE);
-+	}
-+#ifdef SHADOWGRP
-+	if (is_shadow_grp) {
-+		if (sgr_close () == 0) {
-+			fprintf (stderr,
-+						_("%s: failure while writing changes to %s\n"),
-+						Prog, sgr_dbname ());
-+			SYSLOG ((LOG_ERR,
-+						"failure while writing changes to %s",
-+						sgr_dbname ()));
-+			fail_exit (E_GRP_UPDATE);
-+		}
-+	}
-+#endif
-+#ifdef SHADOWGRP
-+	if (is_shadow_grp) {
-+		if (sgr_unlock () == 0) {
-+			fprintf (stderr,
-+						_("%s: failed to unlock %s\n"),
-+						Prog, sgr_dbname ());
-+			SYSLOG ((LOG_ERR,
-+						"failed to unlock %s",
-+						sgr_dbname ()));
-+			/* continue */
-+		}
-+	}
-+#endif
-+	if (gr_unlock () == 0) {
-+		fprintf (stderr,
-+					_("%s: failed to unlock %s\n"),
-+					Prog, gr_dbname ());
-+		SYSLOG ((LOG_ERR,
-+					"failed to unlock %s",
-+					gr_dbname ()));
-+		/* continue */
-+	}
-+}
-+
- /*
-  * open_files - lock and open the password files
-  *
-@@ -1594,38 +1653,7 @@ static void open_files (void)
- 	}
- 
- 	if (Gflg || lflg) {
-		/*
-		 * Lock and open the group file. This will load all of the
-		 * group entries.
-		 */
-		if (gr_lock () == 0) {
-			fprintf (stderr,
-			         _("%s: cannot lock %s; try again later.\n"),
-			         Prog, gr_dbname ());
-			fail_exit (E_GRP_UPDATE);
-		}
-		gr_locked = true;
-		if (gr_open (O_CREAT | O_RDWR) == 0) {
-			fprintf (stderr,
-			         _("%s: cannot open %s\n"),
-			         Prog, gr_dbname ());
-			fail_exit (E_GRP_UPDATE);
-		}
-#ifdef SHADOWGRP
-		if (is_shadow_grp && (sgr_lock () == 0)) {
-			fprintf (stderr,
-			         _("%s: cannot lock %s; try again later.\n"),
-			         Prog, sgr_dbname ());
-			fail_exit (E_GRP_UPDATE);
-		}
-		sgr_locked = true;
-		if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
-			fprintf (stderr,
-			         _("%s: cannot open %s\n"),
-			         Prog, sgr_dbname ());
-			fail_exit (E_GRP_UPDATE);
-		}
-#endif
-+		open_group_files ();
- 	}
- #ifdef ENABLE_SUBIDS
- 	if (vflg || Vflg) {
-@@ -1661,6 +1689,44 @@ static void open_files (void)
- #endif				/* ENABLE_SUBIDS */
- }
- 
-+/*
-+ * open_group_files - lock and open the group files
-+ *
-+ *	open_group_files() loads all of the group entries.
-+ */
-+static void open_group_files (void)
-+{
-+	if (gr_lock () == 0) {
-+		fprintf (stderr,
-+					_("%s: cannot lock %s; try again later.\n"),
-+					Prog, gr_dbname ());
-+		fail_exit (E_GRP_UPDATE);
-+	}
-+	gr_locked = true;
-+	if (gr_open (O_CREAT | O_RDWR) == 0) {
-+		fprintf (stderr,
-+					_("%s: cannot open %s\n"),
-+					Prog, gr_dbname ());
-+		fail_exit (E_GRP_UPDATE);
-+	}
-+
-+#ifdef SHADOWGRP
-+	if (is_shadow_grp && (sgr_lock () == 0)) {
-+		fprintf (stderr,
-+					_("%s: cannot lock %s; try again later.\n"),
-+					Prog, sgr_dbname ());
-+		fail_exit (E_GRP_UPDATE);
-+	}
-+	sgr_locked = true;
-+	if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
-+		fprintf (stderr,
-+					_("%s: cannot open %s\n"),
-+					Prog, sgr_dbname ());
-+		fail_exit (E_GRP_UPDATE);
-+	}
-+#endif
-+}
-+
- /*
-  * usr_update - create the user entries
-  *
-- 
-2.25.4
-
-
 From 8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9 Mon Sep 17 00:00:00 2001
 From: ikerexxe <ipedrosa@redhat.com>
 Date: Mon, 30 Mar 2020 09:08:23 +0200
--- a/shadow-4.8.1-commonio-force-lock-file-sync.patch
+++ b/shadow-4.8.1-commonio-force-lock-file-sync.patch
@ -0,0 +1,39 @@
+From fb0f702cbf958a5ee9097c1611212c9880b347ce Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Mon, 2 Nov 2020 17:08:55 +0100
+Subject: [PATCH] commonio: force lock file sync
+
+lib/commonio.c: after writing to the lock file, force a file sync to
+the storage system.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1862056
+---
+ lib/commonio.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 16fa7e75..c5b3d104 100644
+--- a/lib/commonio.c
+++ b/lib/commonio.c
+@@ -157,7 +157,17 @@ static int do_lock_file (const char *file, const char *lock, bool log)
+ 	if (write (fd, buf, (size_t) len) != len) {
+ 		if (log) {
+ 			(void) fprintf (stderr,
+-			                "%s: %s: %s\n",
+			                "%s: %s file write error: %s\n",
+			                Prog, file, strerror (errno));
+		}
+		(void) close (fd);
+		unlink (file);
+		return 0;
+	}
+	if (fdatasync (fd) == -1) {
+		if (log) {
+			(void) fprintf (stderr,
+			                "%s: %s file sync error: %s\n",
+ 			                Prog, file, strerror (errno));
+ 		}
+ 		(void) close (fd);
+-- 
+2.26.2
+
--- a/shadow-4.8.1-man-include-lastlog-file-caveat.patch
+++ b/shadow-4.8.1-man-include-lastlog-file-caveat.patch
@ -0,0 +1,33 @@
+From df6ec1d1693c8c80c323b40d6fc82bb549363db3 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 29 Mar 2021 05:26:28 +0200
+Subject: [PATCH] man: include lastlog file caveat (#313)
+
+man/lastlog.8.xml: add another point to the caveats section regarding
+the handling of the lastlog file by external tools.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=951564
+---
+ man/lastlog.8.xml | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/man/lastlog.8.xml b/man/lastlog.8.xml
+index fc096c8f..7e68282f 100644
+--- a/man/lastlog.8.xml
+++ b/man/lastlog.8.xml
+@@ -233,5 +233,12 @@
+       is no entries for users with UID between 170 and 800 lastlog will appear
+       to hang as it processes entries with UIDs 171-799).
+     </para>
+    <para>
+      Having high UIDs can create problems when handling the <term><filename>
+      /var/log/lastlog</filename></term> with external tools. Although the
+      actual file is sparse and does not use too much space, certain
+      applications are not designed to identify sparse files by default and may
+      require a specific option to handle them.
+    </para>
+   </refsect1>
+ </refentry>
+-- 
+2.30.2
+
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.8.1
-Release: 4%{?dist}
+Release: 7%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -15,17 +15,19 @@ Source6: shadow-utils.HOME_MODE.xml
 Patch0: shadow-4.6-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
 Patch1: shadow-4.8-goodname.patch
-# Docfix for newusers - could be upstreamed
+# https://github.com/shadow-maint/shadow/commit/7384865775b0203b9cf5337a047744f0a4555868
 Patch2: shadow-4.1.5.1-info-parent-dir.patch
 # Misc SElinux related changes - upstreamability unknown
 Patch6: shadow-4.8-selinux.patch
-# Syslog message change - could be upstreamed
+# https://github.com/shadow-maint/shadow/commit/a8361e741040cd926c9c93aac89820052531b1a3
 Patch11: shadow-4.1.5.1-logmsg.patch
 # SElinux related - upstreamability unknown
 Patch14: shadow-4.1.5.1-default-range.patch
-# Misc manual page changes - only some of them could be upstreamed
+# Misc manual page changes
+# https://github.com/shadow-maint/shadow/commit/c0818ab01d1896784245eedec9495e1e6e0260af
+# Changes in man/groupmems.8.xml, man/ja/man5/login.defs.5 and man/login.defs.5.xml not upstreamed
 Patch15: shadow-4.8.1-manfix.patch
-# Userdel usage message change - could be upstreamed
+# https://github.com/shadow-maint/shadow/commit/f4cbf38ad7801bab6fae50e9b5a2effc3c48a1ea
 Patch17: shadow-4.1.5.1-userdel-helpfix.patch
 # Date parsing improvement - could be upstreamed
 Patch19: shadow-4.2.1-date-parsing.patch
@ -53,8 +55,12 @@ Patch40: shadow-4.8-ignore-login-prompt.patch
 Patch42: shadow-4.8-useradd-selinux-mail.patch
 # Clarify useradd man regarding "-d" parameter - already upstreamed
 Patch43: shadow-4.8.1-useradd-man-clarification.patch
-# Upstreamed
+# https://github.com/shadow-maint/shadow/commit/8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9
 Patch44: shadow-4.8.1-check-local-groups.patch
+# https://github.com/shadow-maint/shadow/commit/599cc003daf833bffdc9cbe0d33dc8b3e7ec74c8
+Patch45: shadow-4.8.1-commonio-force-lock-file-sync.patch
+# https://github.com/shadow-maint/shadow/commit/df6ec1d1693c8c80c323b40d6fc82bb549363db3
+Patch46: shadow-4.8.1-man-include-lastlog-file-caveat.patch

 License: BSD and GPLv2+
 BuildRequires: gcc
@ -68,6 +74,7 @@ BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
 Requires: setup
+Provides: shadow = %{epoch}:%{version}-%{release}

 %description
 The shadow-utils package includes the necessary programs for
@ -105,6 +112,8 @@ are used for managing group accounts.
 %patch42 -p1 -b .useradd-selinux-mail
 %patch43 -p1 -b .useradd-man-clarification
 %patch44 -p1 -b .check-local-groups
+%patch45 -p1 -b .commonio-force-lock-file-sync
+%patch46 -p1 -b .man-include-lastlog-file-caveat

 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@ -260,6 +269,17 @@ done
 %{_mandir}/man8/vigr.8*

 %changelog
+* Mon Aug 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-7
+- allow all types of groups when modifying supplementary groups (#1975327)
+
+* Mon Apr 26 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
+- man: include lastlog file caveat (#951564)
+- Upstream links to several patches
+
+* Mon Nov 16 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-5
+- commonio: force lock file sync (#1862056)
+- spec: add Provides keyword
+
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Author	SHA1	Message	Date
Iker Pedrosa	ad630e5c8e	allow all types of groups when modifying supplementary groups (#1975327 ) Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>	2021-08-16 09:53:32 +02:00
Iker Pedrosa	9725f21893	- man: include lastlog file caveat (#951564 ) - Upstream links to several patches	2021-04-26 14:57:45 +02:00
ipedrosa	f527cc2a1b	commonio: force lock file sync (#1862056 )	2020-11-16 09:48:24 +01:00
Ludwig Nussel	b01d32cfea	Add Provides: shadow The upstream source tarball is actually called 'shadow' rather than 'shadow-utils'. Add a compat provides for the former.	2020-11-16 09:45:32 +01:00