Compare commits
4 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
ad630e5c8e | ||
|
9725f21893 | ||
|
f527cc2a1b | ||
|
b01d32cfea |
4
.gitignore
vendored
4
.gitignore
vendored
@ -14,7 +14,3 @@ shadow-4.1.4.2.tar.bz2
|
|||||||
/shadow-4.8.tar.xz.asc
|
/shadow-4.8.tar.xz.asc
|
||||||
/shadow-4.8.1.tar.xz
|
/shadow-4.8.1.tar.xz
|
||||||
/shadow-4.8.1.tar.xz.asc
|
/shadow-4.8.1.tar.xz.asc
|
||||||
/shadow-4.9.tar.xz
|
|
||||||
/shadow-4.9.tar.xz.asc
|
|
||||||
/shadow-4.11.1.tar.xz
|
|
||||||
/shadow-4.11.1.tar.xz.asc
|
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
|
Index: shadow-4.5/lib/semanage.c
|
||||||
--- shadow-4.9/lib/semanage.c.default-range 2021-07-22 23:55:35.000000000 +0200
|
===================================================================
|
||||||
+++ shadow-4.9/lib/semanage.c 2021-08-02 12:43:16.822817392 +0200
|
--- shadow-4.5.orig/lib/semanage.c
|
||||||
|
+++ shadow-4.5/lib/semanage.c
|
||||||
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
|
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@ -8,7 +9,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
|
|||||||
+#if 0
|
+#if 0
|
||||||
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
fprintf (shadow_logfd,
|
fprintf (stderr,
|
||||||
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
|
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
|
||||||
ret = 1;
|
ret = 1;
|
||||||
goto done;
|
goto done;
|
||||||
@ -24,7 +25,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
|
|||||||
+#if 0
|
+#if 0
|
||||||
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
fprintf (shadow_logfd,
|
fprintf (stderr,
|
||||||
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
|
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
|
||||||
ret = 1;
|
ret = 1;
|
||||||
goto done;
|
goto done;
|
21
shadow-4.1.5.1-info-parent-dir.patch
Normal file
21
shadow-4.1.5.1-info-parent-dir.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
Index: shadow-4.5/man/newusers.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/man/newusers.8.xml
|
||||||
|
+++ shadow-4.5/man/newusers.8.xml
|
||||||
|
@@ -218,7 +218,15 @@
|
||||||
|
<para>
|
||||||
|
If this field does not specify an existing directory, the
|
||||||
|
specified directory is created, with ownership set to the
|
||||||
|
- user being created or updated and its primary group.
|
||||||
|
+ user being created or updated and its primary group. Note
|
||||||
|
+ that newusers does not create parent directories of the new
|
||||||
|
+ user's home directory. The newusers command will fail to
|
||||||
|
+ create the home directory if the parent directories do not
|
||||||
|
+ exist, and will send a message to stderr informing the user
|
||||||
|
+ of the failure. The newusers command will not halt or return
|
||||||
|
+ a failure to the calling shell if it fails to create the home
|
||||||
|
+ directory, it will continue to process the batch of new users
|
||||||
|
+ specified.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
If the home directory of an existing user is changed,
|
13
shadow-4.1.5.1-logmsg.patch
Normal file
13
shadow-4.1.5.1-logmsg.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
Index: shadow-4.5/src/useradd.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/useradd.c
|
||||||
|
+++ shadow-4.5/src/useradd.c
|
||||||
|
@@ -323,7 +323,7 @@ static void fail_exit (int code)
|
||||||
|
user_name, AUDIT_NO_ID,
|
||||||
|
SHADOW_AUDIT_FAILURE);
|
||||||
|
#endif
|
||||||
|
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
|
||||||
|
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
|
||||||
|
exit (code);
|
||||||
|
}
|
||||||
|
|
16
shadow-4.1.5.1-userdel-helpfix.patch
Normal file
16
shadow-4.1.5.1-userdel-helpfix.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
Index: shadow-4.5/src/userdel.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/userdel.c
|
||||||
|
+++ shadow-4.5/src/userdel.c
|
||||||
|
@@ -143,8 +143,9 @@ static void usage (int status)
|
||||||
|
"\n"
|
||||||
|
"Options:\n"),
|
||||||
|
Prog);
|
||||||
|
- (void) fputs (_(" -f, --force force removal of files,\n"
|
||||||
|
- " even if not owned by user\n"),
|
||||||
|
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
|
||||||
|
+ " e.g. removal of user still logged in\n"
|
||||||
|
+ " or files, even if not owned by the user\n"),
|
||||||
|
usageout);
|
||||||
|
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
|
||||||
|
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);
|
@ -1,22 +0,0 @@
|
|||||||
diff -up shadow-4.11.1/src/chage.c.null-tm shadow-4.11.1/src/chage.c
|
|
||||||
diff -up shadow-4.11.1/src/lastlog.c.null-tm shadow-4.11.1/src/lastlog.c
|
|
||||||
--- shadow-4.11.1/src/lastlog.c.null-tm 2022-01-03 15:31:56.348555620 +0100
|
|
||||||
+++ shadow-4.11.1/src/lastlog.c 2022-01-03 15:38:41.262229024 +0100
|
|
||||||
@@ -151,9 +151,12 @@ static void print_one (/*@null@*/const s
|
|
||||||
|
|
||||||
ll_time = ll.ll_time;
|
|
||||||
tm = localtime (&ll_time);
|
|
||||||
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
|
||||||
- cp = ptime;
|
|
||||||
-
|
|
||||||
+ if (tm == NULL) {
|
|
||||||
+ cp = "(unknown)";
|
|
||||||
+ } else {
|
|
||||||
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
|
||||||
+ cp = ptime;
|
|
||||||
+ }
|
|
||||||
if (ll.ll_time == (time_t) 0) {
|
|
||||||
cp = _("**Never logged in**\0");
|
|
||||||
}
|
|
||||||
diff -up shadow-4.11.1/src/passwd.c.null-tm shadow-4.11.1/src/passwd.c
|
|
||||||
diff -up shadow-4.11.1/src/usermod.c.null-tm shadow-4.11.1/src/usermod.c
|
|
@ -1,40 +0,0 @@
|
|||||||
From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
Date: Tue, 4 Jan 2022 13:06:00 +0100
|
|
||||||
Subject: [PATCH] useradd: modify check ID range for system users
|
|
||||||
|
|
||||||
useradd warns that a system user ID less than SYS_UID_MIN is outside the
|
|
||||||
expected range, even though that ID has been specifically selected with
|
|
||||||
the "-u" option.
|
|
||||||
|
|
||||||
In my opinion all the user ID's below SYS_UID_MAX are for the system,
|
|
||||||
thus I change the condition to take that into account.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
|
|
||||||
|
|
||||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
---
|
|
||||||
src/useradd.c | 6 ++----
|
|
||||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/useradd.c b/src/useradd.c
|
|
||||||
index 34376fa5..4c71c38a 100644
|
|
||||||
--- a/src/useradd.c
|
|
||||||
+++ b/src/useradd.c
|
|
||||||
@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
|
|
||||||
uid_t uid_min ;
|
|
||||||
uid_t uid_max ;
|
|
||||||
if (rflg) {
|
|
||||||
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
|
|
||||||
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
|
|
||||||
- if (uid_min <= uid_max) {
|
|
||||||
- if (user_id < uid_min || user_id >uid_max)
|
|
||||||
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
|
|
||||||
+ if (user_id > uid_max) {
|
|
||||||
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
|
|
||||||
}
|
|
||||||
}else{
|
|
||||||
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
|
|
||||||
--
|
|
||||||
2.37.1
|
|
||||||
|
|
91
shadow-4.2.1-null-tm.patch
Normal file
91
shadow-4.2.1-null-tm.patch
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
Index: shadow-4.5/src/faillog.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/faillog.c
|
||||||
|
+++ shadow-4.5/src/faillog.c
|
||||||
|
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
|
||||||
|
}
|
||||||
|
|
||||||
|
tm = localtime (&fl.fail_time);
|
||||||
|
+ if (tm == NULL) {
|
||||||
|
+ cp = "(unknown)";
|
||||||
|
+ } else {
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
|
||||||
|
- cp = ptime;
|
||||||
|
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
|
||||||
|
+ cp = ptime;
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
printf ("%-9s %5d %5d ",
|
||||||
|
pw->pw_name, fl.fail_cnt, fl.fail_max);
|
||||||
|
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
|
||||||
|
Index: shadow-4.5/src/chage.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/chage.c
|
||||||
|
+++ shadow-4.5/src/chage.c
|
||||||
|
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
|
||||||
|
struct tm *tp;
|
||||||
|
|
||||||
|
tp = gmtime (&date);
|
||||||
|
+ if (tp == NULL) {
|
||||||
|
+ (void) snprintf (buf, maxsize, "(unknown)");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
|
||||||
|
#else
|
||||||
|
Index: shadow-4.5/src/lastlog.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/lastlog.c
|
||||||
|
+++ shadow-4.5/src/lastlog.c
|
||||||
|
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
|
||||||
|
|
||||||
|
ll_time = ll.ll_time;
|
||||||
|
tm = localtime (&ll_time);
|
||||||
|
+ if (tm == NULL) {
|
||||||
|
+ cp = "(unknown)";
|
||||||
|
+ } else {
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||||
|
- cp = ptime;
|
||||||
|
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
|
||||||
|
+ cp = ptime;
|
||||||
|
#else
|
||||||
|
- cp = asctime (tm);
|
||||||
|
- cp[24] = '\0';
|
||||||
|
+ cp = asctime (tm);
|
||||||
|
+ cp[24] = '\0';
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (ll.ll_time == (time_t) 0) {
|
||||||
|
cp = _("**Never logged in**\0");
|
||||||
|
Index: shadow-4.5/src/passwd.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/passwd.c
|
||||||
|
+++ shadow-4.5/src/passwd.c
|
||||||
|
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
|
||||||
|
struct tm *tm;
|
||||||
|
|
||||||
|
tm = gmtime (&t);
|
||||||
|
+ if (tm == NULL) {
|
||||||
|
+ return "(unknown)";
|
||||||
|
+ }
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
|
||||||
|
#else /* !HAVE_STRFTIME */
|
||||||
|
Index: shadow-4.5/src/usermod.c
|
||||||
|
===================================================================
|
||||||
|
--- shadow-4.5.orig/src/usermod.c
|
||||||
|
+++ shadow-4.5/src/usermod.c
|
||||||
|
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
|
||||||
|
} else {
|
||||||
|
time_t t = (time_t) date;
|
||||||
|
tp = gmtime (&t);
|
||||||
|
+ if (tp == NULL) {
|
||||||
|
+ strncpy (buf, "unknown", maxsize);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
#ifdef HAVE_STRFTIME
|
||||||
|
strftime (buf, maxsize, "%Y-%m-%d", tp);
|
||||||
|
#else
|
21
shadow-4.6-getenforce.patch
Normal file
21
shadow-4.6-getenforce.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
|
||||||
|
--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
|
||||||
|
+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
|
||||||
|
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
error:
|
||||||
|
- if (security_getenforce () != 0) {
|
||||||
|
+ if (security_getenforce () > 0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
|
||||||
|
selinux_checked = true;
|
||||||
|
}
|
||||||
|
if (selinux_enabled) {
|
||||||
|
- if (setfscreatecon (NULL) != 0) {
|
||||||
|
+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
@ -1,16 +1,16 @@
|
|||||||
diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
|
diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
|
||||||
--- shadow-4.11.1/src/useradd.c.redhat 2022-01-03 01:46:53.000000000 +0100
|
--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200
|
||||||
+++ shadow-4.11.1/src/useradd.c 2022-01-03 14:53:12.988484829 +0100
|
+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200
|
||||||
@@ -82,7 +82,7 @@ const char *Prog;
|
@@ -98,7 +98,7 @@ const char *Prog;
|
||||||
static gid_t def_group = 1000;
|
static gid_t def_group = 100;
|
||||||
static const char *def_gname = "other";
|
static const char *def_gname = "other";
|
||||||
static const char *def_home = "/home";
|
static const char *def_home = "/home";
|
||||||
-static const char *def_shell = "/bin/bash";
|
-static const char *def_shell = "";
|
||||||
+static const char *def_shell = "/sbin/nologin";
|
+static const char *def_shell = "/sbin/nologin";
|
||||||
static const char *def_template = SKEL_DIR;
|
static const char *def_template = SKEL_DIR;
|
||||||
static const char *def_create_mail_spool = "yes";
|
static const char *def_create_mail_spool = "no";
|
||||||
static const char *def_log_init = "yes";
|
|
||||||
@@ -93,7 +93,7 @@ static const char *def_expire = "";
|
@@ -108,7 +108,7 @@ static const char *def_expire = "";
|
||||||
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
||||||
|
|
||||||
static const char *user_name = "";
|
static const char *user_name = "";
|
||||||
@ -19,7 +19,7 @@ diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
|
|||||||
static uid_t user_id;
|
static uid_t user_id;
|
||||||
static gid_t user_gid;
|
static gid_t user_gid;
|
||||||
static const char *user_comment = "";
|
static const char *user_comment = "";
|
||||||
@@ -1219,9 +1219,9 @@ static void process_flags (int argc, cha
|
@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
|
||||||
};
|
};
|
||||||
while ((c = getopt_long (argc, argv,
|
while ((c = getopt_long (argc, argv,
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
@ -31,7 +31,7 @@ diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
|
|||||||
#endif /* !WITH_SELINUX */
|
#endif /* !WITH_SELINUX */
|
||||||
long_options, NULL)) != -1) {
|
long_options, NULL)) != -1) {
|
||||||
switch (c) {
|
switch (c) {
|
||||||
@@ -1378,6 +1378,7 @@ static void process_flags (int argc, cha
|
@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
|
||||||
case 'M':
|
case 'M':
|
||||||
Mflg = true;
|
Mflg = true;
|
||||||
break;
|
break;
|
35
shadow-4.8-crypt_h.patch
Normal file
35
shadow-4.8-crypt_h.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
|
||||||
|
--- shadow-4.8/configure.ac.crypt_h 2020-01-13 10:26:17.400481712 +0100
|
||||||
|
+++ shadow-4.8/configure.ac 2020-01-13 10:29:11.563529093 +0100
|
||||||
|
@@ -32,7 +32,7 @@ AC_HEADER_STDC
|
||||||
|
AC_HEADER_SYS_WAIT
|
||||||
|
AC_HEADER_STDBOOL
|
||||||
|
|
||||||
|
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
|
||||||
|
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
|
||||||
|
utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
|
||||||
|
utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
|
||||||
|
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
|
||||||
|
diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
|
||||||
|
--- shadow-4.8/lib/defines.h.crypt_h 2019-07-23 17:26:08.000000000 +0200
|
||||||
|
+++ shadow-4.8/lib/defines.h 2020-01-13 10:26:17.400481712 +0100
|
||||||
|
@@ -4,6 +4,8 @@
|
||||||
|
#ifndef _DEFINES_H_
|
||||||
|
#define _DEFINES_H_
|
||||||
|
|
||||||
|
+#include "config.h"
|
||||||
|
+
|
||||||
|
#if HAVE_STDBOOL_H
|
||||||
|
# include <stdbool.h>
|
||||||
|
#else
|
||||||
|
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
|
||||||
|
# include <unistd.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#if HAVE_CRYPT_H
|
||||||
|
+# include <crypt.h> /* crypt(3) may be defined in here */
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#if TIME_WITH_SYS_TIME
|
||||||
|
# include <sys/time.h>
|
||||||
|
# include <time.h>
|
241
shadow-4.8-selinux.patch
Normal file
241
shadow-4.8-selinux.patch
Normal file
@ -0,0 +1,241 @@
|
|||||||
|
diff -up shadow-4.8/lib/commonio.c.selinux shadow-4.8/lib/commonio.c
|
||||||
|
--- shadow-4.8/lib/commonio.c.selinux 2019-07-23 17:26:08.000000000 +0200
|
||||||
|
+++ shadow-4.8/lib/commonio.c 2020-01-13 10:08:53.769101131 +0100
|
||||||
|
@@ -964,7 +964,7 @@ int commonio_close (struct commonio_db *
|
||||||
|
snprintf (buf, sizeof buf, "%s-", db->filename);
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (buf) != 0) {
|
||||||
|
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||||
|
errors++;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -997,7 +997,7 @@ int commonio_close (struct commonio_db *
|
||||||
|
snprintf (buf, sizeof buf, "%s+", db->filename);
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (buf) != 0) {
|
||||||
|
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
||||||
|
errors++;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
diff -up shadow-4.8/libmisc/copydir.c.selinux shadow-4.8/libmisc/copydir.c
|
||||||
|
--- shadow-4.8/libmisc/copydir.c.selinux 2019-07-23 17:26:08.000000000 +0200
|
||||||
|
+++ shadow-4.8/libmisc/copydir.c 2020-01-13 10:08:53.769101131 +0100
|
||||||
|
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
|
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
free (oldlink);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -684,7 +684,7 @@ static int copy_special (const char *src
|
||||||
|
int err = 0;
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
|
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (dst) != 0) {
|
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
|
diff -up shadow-4.8/lib/prototypes.h.selinux shadow-4.8/lib/prototypes.h
|
||||||
|
--- shadow-4.8/lib/prototypes.h.selinux 2020-01-13 10:08:53.769101131 +0100
|
||||||
|
+++ shadow-4.8/lib/prototypes.h 2020-01-13 10:11:20.914627399 +0100
|
||||||
|
@@ -334,7 +334,7 @@ extern /*@observer@*/const char *crypt_m
|
||||||
|
|
||||||
|
/* selinux.c */
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
-extern int set_selinux_file_context (const char *dst_name);
|
||||||
|
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
|
||||||
|
extern int reset_selinux_file_context (void);
|
||||||
|
extern int check_selinux_permit (const char *perm_name);
|
||||||
|
#endif
|
||||||
|
diff -up shadow-4.8/lib/selinux.c.selinux shadow-4.8/lib/selinux.c
|
||||||
|
--- shadow-4.8/lib/selinux.c.selinux 2019-11-12 01:18:25.000000000 +0100
|
||||||
|
+++ shadow-4.8/lib/selinux.c 2020-01-13 10:08:53.769101131 +0100
|
||||||
|
@@ -51,7 +51,7 @@ static bool selinux_enabled;
|
||||||
|
* Callers may have to Reset SELinux to create files with default
|
||||||
|
* contexts with reset_selinux_file_context
|
||||||
|
*/
|
||||||
|
-int set_selinux_file_context (const char *dst_name)
|
||||||
|
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
|
||||||
|
{
|
||||||
|
/*@null@*/security_context_t scontext = NULL;
|
||||||
|
|
||||||
|
@@ -63,19 +63,23 @@ int set_selinux_file_context (const char
|
||||||
|
if (selinux_enabled) {
|
||||||
|
/* Get the default security context for this file */
|
||||||
|
if (matchpathcon (dst_name, 0, &scontext) < 0) {
|
||||||
|
- if (security_getenforce () != 0) {
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
+ /* We could not get the default, copy the original */
|
||||||
|
+ if (orig_name == NULL)
|
||||||
|
+ goto error;
|
||||||
|
+ if (getfilecon (orig_name, &scontext) < 0)
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
/* Set the security context for the next created file */
|
||||||
|
- if (setfscreatecon (scontext) < 0) {
|
||||||
|
- if (security_getenforce () != 0) {
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ if (setfscreatecon (scontext) < 0)
|
||||||
|
+ goto error;
|
||||||
|
freecon (scontext);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
+ error:
|
||||||
|
+ if (security_getenforce () != 0) {
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff -up shadow-4.8/lib/semanage.c.selinux shadow-4.8/lib/semanage.c
|
||||||
|
--- shadow-4.8/lib/semanage.c.selinux 2019-07-23 17:26:08.000000000 +0200
|
||||||
|
+++ shadow-4.8/lib/semanage.c 2020-01-13 10:08:53.766101181 +0100
|
||||||
|
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
+ /* drop obsolete matchpathcon cache */
|
||||||
|
+ matchpathcon_fini();
|
||||||
|
+
|
||||||
|
done:
|
||||||
|
semanage_seuser_key_free (key);
|
||||||
|
semanage_handle_destroy (handle);
|
||||||
|
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
+
|
||||||
|
+ /* drop obsolete matchpathcon cache */
|
||||||
|
+ matchpathcon_fini();
|
||||||
|
+
|
||||||
|
done:
|
||||||
|
semanage_handle_destroy (handle);
|
||||||
|
return ret;
|
||||||
|
diff -up shadow-4.8/src/useradd.c.selinux shadow-4.8/src/useradd.c
|
||||||
|
--- shadow-4.8/src/useradd.c.selinux 2020-01-13 10:08:53.762101248 +0100
|
||||||
|
+++ shadow-4.8/src/useradd.c 2020-01-13 10:08:53.767101164 +0100
|
||||||
|
@@ -2078,7 +2078,7 @@ static void create_home (void)
|
||||||
|
++bhome;
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (set_selinux_file_context (prefix_user_home) != 0) {
|
||||||
|
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: cannot set SELinux context for home directory %s\n"),
|
||||||
|
Prog, user_home);
|
||||||
|
@@ -2232,6 +2232,7 @@ static void create_mail (void)
|
||||||
|
*/
|
||||||
|
int main (int argc, char **argv)
|
||||||
|
{
|
||||||
|
+ int rv = E_SUCCESS;
|
||||||
|
#ifdef ACCT_TOOLS_SETUID
|
||||||
|
#ifdef USE_PAM
|
||||||
|
pam_handle_t *pamh = NULL;
|
||||||
|
@@ -2454,27 +2455,12 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
usr_update ();
|
||||||
|
|
||||||
|
- if (mflg) {
|
||||||
|
- create_home ();
|
||||||
|
- if (home_added) {
|
||||||
|
- copy_tree (def_template, prefix_user_home, false, false,
|
||||||
|
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||||
|
- } else {
|
||||||
|
- fprintf (stderr,
|
||||||
|
- _("%s: warning: the home directory %s already exists.\n"
|
||||||
|
- "%s: Not copying any file from skel directory into it.\n"),
|
||||||
|
- Prog, user_home, Prog);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Do not create mail directory for system accounts */
|
||||||
|
- if (!rflg) {
|
||||||
|
- create_mail ();
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
close_files ();
|
||||||
|
|
||||||
|
+ nscd_flush_cache ("passwd");
|
||||||
|
+ nscd_flush_cache ("group");
|
||||||
|
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* tallylog_reset needs to be able to lookup
|
||||||
|
* a valid existing user name,
|
||||||
|
@@ -2485,8 +2471,9 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
- if (Zflg) {
|
||||||
|
- if (set_seuser (user_name, user_selinux) != 0) {
|
||||||
|
+ if (Zflg && *user_selinux) {
|
||||||
|
+ if (is_selinux_enabled () > 0) {
|
||||||
|
+ if (set_seuser (user_name, user_selinux) != 0) {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||||
|
Prog, user_name, user_selinux);
|
||||||
|
@@ -2495,15 +2482,31 @@ int main (int argc, char **argv)
|
||||||
|
"adding SELinux user mapping",
|
||||||
|
user_name, (unsigned int) user_id, 0);
|
||||||
|
#endif /* WITH_AUDIT */
|
||||||
|
- fail_exit (E_SE_UPDATE);
|
||||||
|
+ rv = E_SE_UPDATE;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
|
|
||||||
|
- nscd_flush_cache ("passwd");
|
||||||
|
- nscd_flush_cache ("group");
|
||||||
|
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
||||||
|
+ if (mflg) {
|
||||||
|
+ create_home ();
|
||||||
|
+ if (home_added) {
|
||||||
|
+ copy_tree (def_template, prefix_user_home, false, true,
|
||||||
|
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||||
|
+ } else {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: warning: the home directory %s already exists.\n"
|
||||||
|
+ "%s: Not copying any file from skel directory into it.\n"),
|
||||||
|
+ Prog, user_home, Prog);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Do not create mail directory for system accounts */
|
||||||
|
+ if (!rflg) {
|
||||||
|
+ create_mail ();
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- return E_SUCCESS;
|
||||||
|
+ return rv;
|
||||||
|
}
|
||||||
|
|
61
shadow-4.8-useradd-selinux-mail.patch
Normal file
61
shadow-4.8-useradd-selinux-mail.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
|
||||||
|
From: ikerexxe <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 5 Feb 2020 15:04:39 +0100
|
||||||
|
Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
|
||||||
|
proper SELinux user identity
|
||||||
|
|
||||||
|
Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
|
||||||
|
---
|
||||||
|
src/useradd.c | 20 ++++++++++++++++++++
|
||||||
|
1 file changed, 20 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/useradd.c b/src/useradd.c
|
||||||
|
index a679392d..645d4a40 100644
|
||||||
|
--- a/src/useradd.c
|
||||||
|
+++ b/src/useradd.c
|
||||||
|
@@ -190,6 +190,7 @@ static bool home_added = false;
|
||||||
|
#define E_NAME_IN_USE 9 /* username already in use */
|
||||||
|
#define E_GRP_UPDATE 10 /* can't update group file */
|
||||||
|
#define E_HOMEDIR 12 /* can't create home directory */
|
||||||
|
+#define E_MAILBOXFILE 13 /* can't create mailbox file */
|
||||||
|
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
|
||||||
|
@@ -2210,6 +2211,16 @@ static void create_mail (void)
|
||||||
|
sprintf (file, "%s/%s/%s", prefix, spool, user_name);
|
||||||
|
else
|
||||||
|
sprintf (file, "%s/%s", spool, user_name);
|
||||||
|
+
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ if (set_selinux_file_context (file, NULL) != 0) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: cannot set SELinux context for mailbox file %s\n"),
|
||||||
|
+ Prog, file);
|
||||||
|
+ fail_exit (E_MAILBOXFILE);
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
|
||||||
|
if (fd < 0) {
|
||||||
|
perror (_("Creating mailbox file"));
|
||||||
|
@@ -2234,6 +2245,15 @@ static void create_mail (void)
|
||||||
|
|
||||||
|
fsync (fd);
|
||||||
|
close (fd);
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ /* Reset SELinux to create files with default contexts */
|
||||||
|
+ if (reset_selinux_file_context () != 0) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: cannot reset SELinux file creation context\n"),
|
||||||
|
+ Prog);
|
||||||
|
+ fail_exit (E_MAILBOXFILE);
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.24.1
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
331
shadow-4.8.1-check-local-groups.patch
Normal file
331
shadow-4.8.1-check-local-groups.patch
Normal file
@ -0,0 +1,331 @@
|
|||||||
|
From 8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: ikerexxe <ipedrosa@redhat.com>
|
||||||
|
Date: Mon, 30 Mar 2020 09:08:23 +0200
|
||||||
|
Subject: [PATCH 2/2] useradd: check only local groups with -G option
|
||||||
|
|
||||||
|
Check only local groups when adding new supplementary groups to a user
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
|
||||||
|
---
|
||||||
|
src/useradd.c | 234 +++++++++++++++++++++++++++++++++-----------------
|
||||||
|
1 file changed, 157 insertions(+), 77 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/useradd.c b/src/useradd.c
|
||||||
|
index 645d4a40..90210233 100644
|
||||||
|
--- a/src/useradd.c
|
||||||
|
+++ b/src/useradd.c
|
||||||
|
@@ -211,6 +211,7 @@ static void get_defaults (void);
|
||||||
|
static void show_defaults (void);
|
||||||
|
static int set_defaults (void);
|
||||||
|
static int get_groups (char *);
|
||||||
|
+static struct group * get_local_group (char * grp_name);
|
||||||
|
static void usage (int status);
|
||||||
|
static void new_pwent (struct passwd *);
|
||||||
|
|
||||||
|
@@ -220,7 +221,10 @@ static void grp_update (void);
|
||||||
|
|
||||||
|
static void process_flags (int argc, char **argv);
|
||||||
|
static void close_files (void);
|
||||||
|
+static void close_group_files (void);
|
||||||
|
+static void unlock_group_files (void);
|
||||||
|
static void open_files (void);
|
||||||
|
+static void open_group_files (void);
|
||||||
|
static void open_shadow (void);
|
||||||
|
static void faillog_reset (uid_t);
|
||||||
|
static void lastlog_reset (uid_t);
|
||||||
|
@@ -731,6 +735,11 @@ static int get_groups (char *list)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Open the group files
|
||||||
|
+ */
|
||||||
|
+ open_group_files ();
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* So long as there is some data to be converted, strip off
|
||||||
|
* each name and look it up. A mix of numerical and string
|
||||||
|
@@ -749,7 +758,7 @@ static int get_groups (char *list)
|
||||||
|
* Names starting with digits are treated as numerical
|
||||||
|
* GID values, otherwise the string is looked up as is.
|
||||||
|
*/
|
||||||
|
- grp = prefix_getgr_nam_gid (list);
|
||||||
|
+ grp = get_local_group (list);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* There must be a match, either by GID value or by
|
||||||
|
@@ -799,6 +808,9 @@ static int get_groups (char *list)
|
||||||
|
user_groups[ngroups++] = xstrdup (grp->gr_name);
|
||||||
|
} while (NULL != list);
|
||||||
|
|
||||||
|
+ close_group_files ();
|
||||||
|
+ unlock_group_files ();
|
||||||
|
+
|
||||||
|
user_groups[ngroups] = (char *) 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -811,6 +823,44 @@ static int get_groups (char *list)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * get_local_group - checks if a given group name exists locally
|
||||||
|
+ *
|
||||||
|
+ * get_local_group() checks if a given group name exists locally.
|
||||||
|
+ * If the name exists the group information is returned, otherwise NULL is
|
||||||
|
+ * returned.
|
||||||
|
+ */
|
||||||
|
+static struct group * get_local_group(char * grp_name)
|
||||||
|
+{
|
||||||
|
+ const struct group *grp;
|
||||||
|
+ struct group *result_grp = NULL;
|
||||||
|
+ long long int gid;
|
||||||
|
+ char *endptr;
|
||||||
|
+
|
||||||
|
+ gid = strtoll (grp_name, &endptr, 10);
|
||||||
|
+ if ( ('\0' != *grp_name)
|
||||||
|
+ && ('\0' == *endptr)
|
||||||
|
+ && (ERANGE != errno)
|
||||||
|
+ && (gid == (gid_t)gid)) {
|
||||||
|
+ grp = gr_locate_gid ((gid_t) gid);
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ grp = gr_locate(grp_name);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (grp != NULL) {
|
||||||
|
+ result_grp = __gr_dup (grp);
|
||||||
|
+ if (NULL == result_grp) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: Out of memory. Cannot find group '%s'.\n"),
|
||||||
|
+ Prog, grp_name);
|
||||||
|
+ fail_exit (E_GRP_UPDATE);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return result_grp;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* usage - display usage message and exit
|
||||||
|
*/
|
||||||
|
@@ -1530,23 +1580,9 @@ static void close_files (void)
|
||||||
|
SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
|
||||||
|
fail_exit (E_PW_UPDATE);
|
||||||
|
}
|
||||||
|
- if (do_grp_update) {
|
||||||
|
- if (gr_close () == 0) {
|
||||||
|
- fprintf (stderr,
|
||||||
|
- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
|
||||||
|
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
|
||||||
|
- fail_exit (E_GRP_UPDATE);
|
||||||
|
- }
|
||||||
|
-#ifdef SHADOWGRP
|
||||||
|
- if (is_shadow_grp && (sgr_close () == 0)) {
|
||||||
|
- fprintf (stderr,
|
||||||
|
- _("%s: failure while writing changes to %s\n"),
|
||||||
|
- Prog, sgr_dbname ());
|
||||||
|
- SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
|
||||||
|
- fail_exit (E_GRP_UPDATE);
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
- }
|
||||||
|
+
|
||||||
|
+ close_group_files ();
|
||||||
|
+
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
if (is_sub_uid && (sub_uid_close () == 0)) {
|
||||||
|
fprintf (stderr,
|
||||||
|
@@ -1587,34 +1623,9 @@ static void close_files (void)
|
||||||
|
/* continue */
|
||||||
|
}
|
||||||
|
pw_locked = false;
|
||||||
|
- if (gr_unlock () == 0) {
|
||||||
|
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
|
||||||
|
- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
|
||||||
|
-#ifdef WITH_AUDIT
|
||||||
|
- audit_logger (AUDIT_ADD_USER, Prog,
|
||||||
|
- "unlocking-group-file",
|
||||||
|
- user_name, AUDIT_NO_ID,
|
||||||
|
- SHADOW_AUDIT_FAILURE);
|
||||||
|
-#endif
|
||||||
|
- /* continue */
|
||||||
|
- }
|
||||||
|
- gr_locked = false;
|
||||||
|
-#ifdef SHADOWGRP
|
||||||
|
- if (is_shadow_grp) {
|
||||||
|
- if (sgr_unlock () == 0) {
|
||||||
|
- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
|
||||||
|
- SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
|
||||||
|
-#ifdef WITH_AUDIT
|
||||||
|
- audit_logger (AUDIT_ADD_USER, Prog,
|
||||||
|
- "unlocking-gshadow-file",
|
||||||
|
- user_name, AUDIT_NO_ID,
|
||||||
|
- SHADOW_AUDIT_FAILURE);
|
||||||
|
-#endif
|
||||||
|
- /* continue */
|
||||||
|
- }
|
||||||
|
- sgr_locked = false;
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
+
|
||||||
|
+ unlock_group_files ();
|
||||||
|
+
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
if (is_sub_uid) {
|
||||||
|
if (sub_uid_unlock () == 0) {
|
||||||
|
@@ -1647,6 +1658,71 @@ static void close_files (void)
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * close_group_files - close all of the files that were opened
|
||||||
|
+ *
|
||||||
|
+ * close_group_files() closes all of the files that were opened related
|
||||||
|
+ * with groups. This causes any modified entries to be written out.
|
||||||
|
+ */
|
||||||
|
+static void close_group_files (void)
|
||||||
|
+{
|
||||||
|
+ if (do_grp_update) {
|
||||||
|
+ if (gr_close () == 0) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
|
||||||
|
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
|
||||||
|
+ fail_exit (E_GRP_UPDATE);
|
||||||
|
+ }
|
||||||
|
+#ifdef SHADOWGRP
|
||||||
|
+ if (is_shadow_grp && (sgr_close () == 0)) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: failure while writing changes to %s\n"),
|
||||||
|
+ Prog, sgr_dbname ());
|
||||||
|
+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
|
||||||
|
+ fail_exit (E_GRP_UPDATE);
|
||||||
|
+ }
|
||||||
|
+#endif /* SHADOWGRP */
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * unlock_group_files - unlock all of the files that were locked
|
||||||
|
+ *
|
||||||
|
+ * unlock_group_files() unlocks all of the files that were locked related
|
||||||
|
+ * with groups. This causes any modified entries to be written out.
|
||||||
|
+ */
|
||||||
|
+static void unlock_group_files (void)
|
||||||
|
+{
|
||||||
|
+ if (gr_unlock () == 0) {
|
||||||
|
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
|
||||||
|
+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_logger (AUDIT_ADD_USER, Prog,
|
||||||
|
+ "unlocking-group-file",
|
||||||
|
+ user_name, AUDIT_NO_ID,
|
||||||
|
+ SHADOW_AUDIT_FAILURE);
|
||||||
|
+#endif /* WITH_AUDIT */
|
||||||
|
+ /* continue */
|
||||||
|
+ }
|
||||||
|
+ gr_locked = false;
|
||||||
|
+#ifdef SHADOWGRP
|
||||||
|
+ if (is_shadow_grp) {
|
||||||
|
+ if (sgr_unlock () == 0) {
|
||||||
|
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
|
||||||
|
+ SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_logger (AUDIT_ADD_USER, Prog,
|
||||||
|
+ "unlocking-gshadow-file",
|
||||||
|
+ user_name, AUDIT_NO_ID,
|
||||||
|
+ SHADOW_AUDIT_FAILURE);
|
||||||
|
+#endif /* WITH_AUDIT */
|
||||||
|
+ /* continue */
|
||||||
|
+ }
|
||||||
|
+ sgr_locked = false;
|
||||||
|
+ }
|
||||||
|
+#endif /* SHADOWGRP */
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* open_files - lock and open the password files
|
||||||
|
*
|
||||||
|
@@ -1668,37 +1744,8 @@ static void open_files (void)
|
||||||
|
|
||||||
|
/* shadow file will be opened by open_shadow(); */
|
||||||
|
|
||||||
|
- /*
|
||||||
|
- * Lock and open the group file.
|
||||||
|
- */
|
||||||
|
- if (gr_lock () == 0) {
|
||||||
|
- fprintf (stderr,
|
||||||
|
- _("%s: cannot lock %s; try again later.\n"),
|
||||||
|
- Prog, gr_dbname ());
|
||||||
|
- fail_exit (E_GRP_UPDATE);
|
||||||
|
- }
|
||||||
|
- gr_locked = true;
|
||||||
|
- if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||||
|
- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
|
||||||
|
- fail_exit (E_GRP_UPDATE);
|
||||||
|
- }
|
||||||
|
-#ifdef SHADOWGRP
|
||||||
|
- if (is_shadow_grp) {
|
||||||
|
- if (sgr_lock () == 0) {
|
||||||
|
- fprintf (stderr,
|
||||||
|
- _("%s: cannot lock %s; try again later.\n"),
|
||||||
|
- Prog, sgr_dbname ());
|
||||||
|
- fail_exit (E_GRP_UPDATE);
|
||||||
|
- }
|
||||||
|
- sgr_locked = true;
|
||||||
|
- if (sgr_open (O_CREAT | O_RDWR) == 0) {
|
||||||
|
- fprintf (stderr,
|
||||||
|
- _("%s: cannot open %s\n"),
|
||||||
|
- Prog, sgr_dbname ());
|
||||||
|
- fail_exit (E_GRP_UPDATE);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
+ open_group_files ();
|
||||||
|
+
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
if (is_sub_uid) {
|
||||||
|
if (sub_uid_lock () == 0) {
|
||||||
|
@@ -1733,6 +1780,39 @@ static void open_files (void)
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void open_group_files (void)
|
||||||
|
+{
|
||||||
|
+ if (gr_lock () == 0) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: cannot lock %s; try again later.\n"),
|
||||||
|
+ Prog, gr_dbname ());
|
||||||
|
+ fail_exit (E_GRP_UPDATE);
|
||||||
|
+ }
|
||||||
|
+ gr_locked = true;
|
||||||
|
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
|
||||||
|
+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
|
||||||
|
+ fail_exit (E_GRP_UPDATE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef SHADOWGRP
|
||||||
|
+ if (is_shadow_grp) {
|
||||||
|
+ if (sgr_lock () == 0) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: cannot lock %s; try again later.\n"),
|
||||||
|
+ Prog, sgr_dbname ());
|
||||||
|
+ fail_exit (E_GRP_UPDATE);
|
||||||
|
+ }
|
||||||
|
+ sgr_locked = true;
|
||||||
|
+ if (sgr_open (O_CREAT | O_RDWR) == 0) {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ _("%s: cannot open %s\n"),
|
||||||
|
+ Prog, sgr_dbname ());
|
||||||
|
+ fail_exit (E_GRP_UPDATE);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+#endif /* SHADOWGRP */
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void open_shadow (void)
|
||||||
|
{
|
||||||
|
if (!is_shadow_pwd) {
|
||||||
|
--
|
||||||
|
2.25.4
|
||||||
|
|
39
shadow-4.8.1-commonio-force-lock-file-sync.patch
Normal file
39
shadow-4.8.1-commonio-force-lock-file-sync.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From fb0f702cbf958a5ee9097c1611212c9880b347ce Mon Sep 17 00:00:00 2001
|
||||||
|
From: ikerexxe <ipedrosa@redhat.com>
|
||||||
|
Date: Mon, 2 Nov 2020 17:08:55 +0100
|
||||||
|
Subject: [PATCH] commonio: force lock file sync
|
||||||
|
|
||||||
|
lib/commonio.c: after writing to the lock file, force a file sync to
|
||||||
|
the storage system.
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1862056
|
||||||
|
---
|
||||||
|
lib/commonio.c | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/commonio.c b/lib/commonio.c
|
||||||
|
index 16fa7e75..c5b3d104 100644
|
||||||
|
--- a/lib/commonio.c
|
||||||
|
+++ b/lib/commonio.c
|
||||||
|
@@ -157,7 +157,17 @@ static int do_lock_file (const char *file, const char *lock, bool log)
|
||||||
|
if (write (fd, buf, (size_t) len) != len) {
|
||||||
|
if (log) {
|
||||||
|
(void) fprintf (stderr,
|
||||||
|
- "%s: %s: %s\n",
|
||||||
|
+ "%s: %s file write error: %s\n",
|
||||||
|
+ Prog, file, strerror (errno));
|
||||||
|
+ }
|
||||||
|
+ (void) close (fd);
|
||||||
|
+ unlink (file);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ if (fdatasync (fd) == -1) {
|
||||||
|
+ if (log) {
|
||||||
|
+ (void) fprintf (stderr,
|
||||||
|
+ "%s: %s file sync error: %s\n",
|
||||||
|
Prog, file, strerror (errno));
|
||||||
|
}
|
||||||
|
(void) close (fd);
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
33
shadow-4.8.1-man-include-lastlog-file-caveat.patch
Normal file
33
shadow-4.8.1-man-include-lastlog-file-caveat.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From df6ec1d1693c8c80c323b40d6fc82bb549363db3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Mon, 29 Mar 2021 05:26:28 +0200
|
||||||
|
Subject: [PATCH] man: include lastlog file caveat (#313)
|
||||||
|
|
||||||
|
man/lastlog.8.xml: add another point to the caveats section regarding
|
||||||
|
the handling of the lastlog file by external tools.
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=951564
|
||||||
|
---
|
||||||
|
man/lastlog.8.xml | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/man/lastlog.8.xml b/man/lastlog.8.xml
|
||||||
|
index fc096c8f..7e68282f 100644
|
||||||
|
--- a/man/lastlog.8.xml
|
||||||
|
+++ b/man/lastlog.8.xml
|
||||||
|
@@ -233,5 +233,12 @@
|
||||||
|
is no entries for users with UID between 170 and 800 lastlog will appear
|
||||||
|
to hang as it processes entries with UIDs 171-799).
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ Having high UIDs can create problems when handling the <term><filename>
|
||||||
|
+ /var/log/lastlog</filename></term> with external tools. Although the
|
||||||
|
+ actual file is sparse and does not use too much space, certain
|
||||||
|
+ applications are not designed to identify sparse files by default and may
|
||||||
|
+ require a specific option to handle them.
|
||||||
|
+ </para>
|
||||||
|
</refsect1>
|
||||||
|
</refentry>
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
341
shadow-4.8.1-manfix.patch
Normal file
341
shadow-4.8.1-manfix.patch
Normal file
@ -0,0 +1,341 @@
|
|||||||
|
diff -up shadow-4.8.1/man/chage.1.xml.manfix shadow-4.8.1/man/chage.1.xml
|
||||||
|
--- shadow-4.8.1/man/chage.1.xml.manfix 2019-10-05 01:28:34.000000000 +0200
|
||||||
|
+++ shadow-4.8.1/man/chage.1.xml 2020-03-17 15:34:48.750414984 +0100
|
||||||
|
@@ -102,6 +102,9 @@
|
||||||
|
Set the number of days since January 1st, 1970 when the password
|
||||||
|
was last changed. The date may also be expressed in the format
|
||||||
|
YYYY-MM-DD (or the format more commonly used in your area).
|
||||||
|
+ If the <replaceable>LAST_DAY</replaceable> is set to
|
||||||
|
+ <emphasis>0</emphasis> the user is forced to change his password
|
||||||
|
+ on the next log on.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
@@ -119,6 +122,13 @@
|
||||||
|
system again.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
+ For example the following can be used to set an account to expire
|
||||||
|
+ in 180 days:
|
||||||
|
+ </para>
|
||||||
|
+ <programlisting>
|
||||||
|
+ chage -E $(date -d +180days +%Y-%m-%d)
|
||||||
|
+ </programlisting>
|
||||||
|
+ <para>
|
||||||
|
Passing the number <emphasis remap='I'>-1</emphasis> as the
|
||||||
|
<replaceable>EXPIRE_DATE</replaceable> will remove an account
|
||||||
|
expiration date.
|
||||||
|
@@ -239,6 +249,18 @@
|
||||||
|
The <command>chage</command> program requires a shadow password file to
|
||||||
|
be available.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ The chage program will report only the information from the shadow
|
||||||
|
+ password file. This implies that configuration from other sources
|
||||||
|
+ (e.g. LDAP or empty password hash field from the passwd file) that
|
||||||
|
+ affect the user's login will not be shown in the chage output.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ The <command>chage</command> program will also not report any
|
||||||
|
+ inconsistency between the shadow and passwd files (e.g. missing x in
|
||||||
|
+ the passwd file). The <command>pwck</command> can be used to check
|
||||||
|
+ for this kind of inconsistencies.
|
||||||
|
+ </para>
|
||||||
|
<para>The <command>chage</command> command is restricted to the root
|
||||||
|
user, except for the <option>-l</option> option, which may be used by
|
||||||
|
an unprivileged user to determine when their password or account is due
|
||||||
|
diff -up shadow-4.8.1/man/groupadd.8.xml.manfix shadow-4.8.1/man/groupadd.8.xml
|
||||||
|
--- shadow-4.8.1/man/groupadd.8.xml.manfix 2020-03-17 15:34:48.745414917 +0100
|
||||||
|
+++ shadow-4.8.1/man/groupadd.8.xml 2020-03-17 15:34:48.750414984 +0100
|
||||||
|
@@ -320,13 +320,13 @@
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>4</replaceable></term>
|
||||||
|
<listitem>
|
||||||
|
- <para>GID not unique (when <option>-o</option> not used)</para>
|
||||||
|
+ <para>GID is already used (when called without <option>-o</option>)</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>9</replaceable></term>
|
||||||
|
<listitem>
|
||||||
|
- <para>group name not unique</para>
|
||||||
|
+ <para>group name is already used</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
|
||||||
|
--- shadow-4.8.1/man/groupmems.8.xml.manfix 2020-03-17 15:34:48.750414984 +0100
|
||||||
|
+++ shadow-4.8.1/man/groupmems.8.xml 2020-03-17 15:41:13.383588722 +0100
|
||||||
|
@@ -179,20 +179,10 @@
|
||||||
|
<refsect1 id='setup'>
|
||||||
|
<title>SETUP</title>
|
||||||
|
<para>
|
||||||
|
- The <command>groupmems</command> executable should be in mode
|
||||||
|
- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
|
||||||
|
- <emphasis>groups</emphasis>. The system administrator can add users to
|
||||||
|
- group <emphasis>groups</emphasis> to allow or disallow them using the
|
||||||
|
- <command>groupmems</command> utility to manage their own group
|
||||||
|
- membership list.
|
||||||
|
+ In this operating system the <command>groupmems</command> executable
|
||||||
|
+ is not setuid and regular users cannot use it to manipulate
|
||||||
|
+ the membership of their own group.
|
||||||
|
</para>
|
||||||
|
-
|
||||||
|
- <programlisting>
|
||||||
|
- $ groupadd -r groups
|
||||||
|
- $ chmod 2710 groupmems
|
||||||
|
- $ chown root.groups groupmems
|
||||||
|
- $ groupmems -g groups -a gk4
|
||||||
|
- </programlisting>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1 id='configuration'>
|
||||||
|
diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
|
||||||
|
--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200
|
||||||
|
+++ shadow-4.8.1/man/ja/man5/login.defs.5 2020-03-17 15:34:48.750414984 +0100
|
||||||
|
@@ -147,10 +147,6 @@ 以下の参照表は、
|
||||||
|
shadow パスワード機能のどのプログラムが
|
||||||
|
どのパラメータを使用するかを示したものである。
|
||||||
|
.na
|
||||||
|
-.IP chfn 12
|
||||||
|
-CHFN_AUTH CHFN_RESTRICT
|
||||||
|
-.IP chsh 12
|
||||||
|
-CHFN_AUTH
|
||||||
|
.IP groupadd 12
|
||||||
|
GID_MAX GID_MIN
|
||||||
|
.IP newusers 12
|
||||||
|
diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
|
||||||
|
--- shadow-4.8.1/man/login.defs.5.xml.manfix 2020-01-17 16:47:56.000000000 +0100
|
||||||
|
+++ shadow-4.8.1/man/login.defs.5.xml 2020-03-17 15:34:48.750414984 +0100
|
||||||
|
@@ -164,6 +164,17 @@
|
||||||
|
long numeric parameters is machine-dependent.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
+ <para>
|
||||||
|
+ Please note that the parameters in this configuration file control the
|
||||||
|
+ behavior of the tools from the shadow-utils component. None of these
|
||||||
|
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
||||||
|
+ passwd command) should be configured elsewhere. The only values that
|
||||||
|
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
|
||||||
|
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
|
||||||
|
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
|
||||||
|
+ pam(8) for more information.
|
||||||
|
+ </para>
|
||||||
|
+
|
||||||
|
<para>The following configuration items are provided:</para>
|
||||||
|
|
||||||
|
<variablelist remap='IP'>
|
||||||
|
@@ -256,16 +267,6 @@
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
- <term>chfn</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- <phrase condition="no_pam">CHFN_AUTH</phrase>
|
||||||
|
- CHFN_RESTRICT
|
||||||
|
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
- <varlistentry>
|
||||||
|
<term>chgpasswd</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
@@ -286,14 +287,6 @@
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
- <varlistentry condition="no_pam">
|
||||||
|
- <term>chsh</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- CHSH_AUTH LOGIN_STRING
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
|
||||||
|
<!-- faillog: no variables -->
|
||||||
|
<varlistentry>
|
||||||
|
@@ -359,34 +352,6 @@
|
||||||
|
<para>LASTLOG_UID_MAX</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
- <varlistentry>
|
||||||
|
- <term>login</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||||
|
- CONSOLE_GROUPS DEFAULT_HOME
|
||||||
|
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
|
||||||
|
- ENV_TZ ENVIRON_FILE</phrase>
|
||||||
|
- ERASECHAR FAIL_DELAY
|
||||||
|
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
|
||||||
|
- FAKE_SHELL
|
||||||
|
- <phrase condition="no_pam">FTMP_FILE</phrase>
|
||||||
|
- HUSHLOGIN_FILE
|
||||||
|
- <phrase condition="no_pam">ISSUE_FILE</phrase>
|
||||||
|
- KILLCHAR
|
||||||
|
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
|
||||||
|
- LOGIN_RETRIES
|
||||||
|
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
||||||
|
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
|
||||||
|
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
|
||||||
|
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
|
||||||
|
- QUOTAS_ENAB</phrase>
|
||||||
|
- TTYGROUP TTYPERM TTYTYPE_FILE
|
||||||
|
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
|
||||||
|
- USERGROUPS_ENAB
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<!-- logoutd: no variables -->
|
||||||
|
<varlistentry>
|
||||||
|
<term>newgrp / sg</term>
|
||||||
|
@@ -415,17 +380,6 @@
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<!-- nologin: no variables -->
|
||||||
|
- <varlistentry condition="no_pam">
|
||||||
|
- <term>passwd</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
|
||||||
|
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
|
||||||
|
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
|
||||||
|
- SHA_CRYPT_MIN_ROUNDS</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>pwck</term>
|
||||||
|
<listitem>
|
||||||
|
@@ -452,32 +406,6 @@
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
- <varlistentry>
|
||||||
|
- <term>su</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- <phrase condition="no_pam">CONSOLE</phrase>
|
||||||
|
- CONSOLE_GROUPS DEFAULT_HOME
|
||||||
|
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
|
||||||
|
- ENV_PATH ENV_SUPATH
|
||||||
|
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
|
||||||
|
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
|
||||||
|
- SULOG_FILE SU_NAME
|
||||||
|
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
|
||||||
|
- SYSLOG_SU_ENAB
|
||||||
|
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
- <varlistentry>
|
||||||
|
- <term>sulogin</term>
|
||||||
|
- <listitem>
|
||||||
|
- <para>
|
||||||
|
- ENV_HZ
|
||||||
|
- <phrase condition="no_pam">ENV_TZ</phrase>
|
||||||
|
- </para>
|
||||||
|
- </listitem>
|
||||||
|
- </varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>useradd</term>
|
||||||
|
<listitem>
|
||||||
|
diff -up shadow-4.8.1/man/shadow.5.xml.manfix shadow-4.8.1/man/shadow.5.xml
|
||||||
|
--- shadow-4.8.1/man/shadow.5.xml.manfix 2019-12-01 17:52:32.000000000 +0100
|
||||||
|
+++ shadow-4.8.1/man/shadow.5.xml 2020-03-17 15:34:48.750414984 +0100
|
||||||
|
@@ -129,7 +129,7 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The date of the last password change, expressed as the number
|
||||||
|
- of days since Jan 1, 1970.
|
||||||
|
+ of days since Jan 1, 1970 00:00 UTC.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
The value 0 has a special meaning, which is that the user
|
||||||
|
@@ -208,8 +208,8 @@
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
After expiration of the password and this expiration period is
|
||||||
|
- elapsed, no login is possible using the current user's
|
||||||
|
- password. The user should contact her administrator.
|
||||||
|
+ elapsed, no login is possible for the user.
|
||||||
|
+ The user should contact her administrator.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
An empty field means that there are no enforcement of an
|
||||||
|
@@ -224,7 +224,7 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The date of expiration of the account, expressed as the number
|
||||||
|
- of days since Jan 1, 1970.
|
||||||
|
+ of days since Jan 1, 1970 00:00 UTC.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Note that an account expiration differs from a password
|
||||||
|
diff -up shadow-4.8.1/man/useradd.8.xml.manfix shadow-4.8.1/man/useradd.8.xml
|
||||||
|
--- shadow-4.8.1/man/useradd.8.xml.manfix 2020-03-17 15:34:48.745414917 +0100
|
||||||
|
+++ shadow-4.8.1/man/useradd.8.xml 2020-03-17 15:34:48.751414997 +0100
|
||||||
|
@@ -359,6 +359,11 @@
|
||||||
|
<option>CREATE_HOME</option> is not enabled, no home
|
||||||
|
directories are created.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ The directory where the user's home directory is created must
|
||||||
|
+ exist and have proper SELinux context and permissions. Otherwise
|
||||||
|
+ the user's home directory cannot be created or accessed.
|
||||||
|
+ </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
diff -up shadow-4.8.1/man/usermod.8.xml.manfix shadow-4.8.1/man/usermod.8.xml
|
||||||
|
--- shadow-4.8.1/man/usermod.8.xml.manfix 2019-12-20 06:58:23.000000000 +0100
|
||||||
|
+++ shadow-4.8.1/man/usermod.8.xml 2020-03-17 15:34:48.751414997 +0100
|
||||||
|
@@ -143,7 +143,8 @@
|
||||||
|
If the <option>-m</option>
|
||||||
|
option is given, the contents of the current home directory will
|
||||||
|
be moved to the new home directory, which is created if it does
|
||||||
|
- not already exist.
|
||||||
|
+ not already exist. If the current home directory does not exist
|
||||||
|
+ the new home directory will not be created.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
@@ -205,6 +206,12 @@
|
||||||
|
The group ownership of files outside of the user's home directory
|
||||||
|
must be fixed manually.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ The change of the group ownership of files inside of the user's
|
||||||
|
+ home directory is also not done if the home dir owner uid is
|
||||||
|
+ different from the current or new user id. This is safety measure
|
||||||
|
+ for special home directories such as <filename>/</filename>.
|
||||||
|
+ </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
@@ -267,7 +274,8 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Move the content of the user's home directory to the new
|
||||||
|
- location.
|
||||||
|
+ location. If the current home directory does not exist
|
||||||
|
+ the new home directory will not be created.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
This option is only valid in combination with the
|
||||||
|
@@ -381,6 +389,12 @@
|
||||||
|
must be fixed manually.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
+ The change of the user ownership of files inside of the user's
|
||||||
|
+ home directory is also not done if the home dir owner uid is
|
||||||
|
+ different from the current or new user id. This is safety measure
|
||||||
|
+ for special home directories such as <filename>/</filename>.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
No checks will be performed with regard to the
|
||||||
|
<option>UID_MIN</option>, <option>UID_MAX</option>,
|
||||||
|
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
|
35
shadow-4.8.1-useradd-man-clarification.patch
Normal file
35
shadow-4.8.1-useradd-man-clarification.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From 6543c600d841e4f7779269412d470e50eae25b13 Mon Sep 17 00:00:00 2001
|
||||||
|
From: ikerexxe <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 4 Mar 2020 14:50:04 +0100
|
||||||
|
Subject: [PATCH] useradd: clarify the useradd -d parameter behavior in man
|
||||||
|
page
|
||||||
|
|
||||||
|
Explanation: clarify the useradd -d parameter as it does create directory HOME_DIR if it doesn't exit.
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1677005
|
||||||
|
|
||||||
|
Changelog: [serge] minor tweak to the text
|
||||||
|
---
|
||||||
|
man/useradd.8.xml | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
|
||||||
|
index 03612ce8..023c0d69 100644
|
||||||
|
--- a/man/useradd.8.xml
|
||||||
|
+++ b/man/useradd.8.xml
|
||||||
|
@@ -181,8 +181,10 @@
|
||||||
|
login directory. The default is to append the
|
||||||
|
<replaceable>LOGIN</replaceable> name to
|
||||||
|
<replaceable>BASE_DIR</replaceable> and use that as the login
|
||||||
|
- directory name. The directory <replaceable>HOME_DIR</replaceable>
|
||||||
|
- does not have to exist but will not be created if it is missing.
|
||||||
|
+ directory name. If the directory
|
||||||
|
+ <replaceable>HOME_DIR</replaceable> does not exist, then it
|
||||||
|
+ will be created unless the <option>-M</option> option is
|
||||||
|
+ specified.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
@ -1,180 +0,0 @@
|
|||||||
diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
|
|
||||||
--- shadow-4.8.1/man/groupmems.8.xml.manfix 2020-03-17 15:34:48.750414984 +0100
|
|
||||||
+++ shadow-4.8.1/man/groupmems.8.xml 2020-03-17 15:41:13.383588722 +0100
|
|
||||||
@@ -179,20 +179,10 @@
|
|
||||||
<refsect1 id='setup'>
|
|
||||||
<title>SETUP</title>
|
|
||||||
<para>
|
|
||||||
- The <command>groupmems</command> executable should be in mode
|
|
||||||
- <literal>2710</literal> as user <emphasis>root</emphasis> and in group
|
|
||||||
- <emphasis>groups</emphasis>. The system administrator can add users to
|
|
||||||
- group <emphasis>groups</emphasis> to allow or disallow them using the
|
|
||||||
- <command>groupmems</command> utility to manage their own group
|
|
||||||
- membership list.
|
|
||||||
+ In this operating system the <command>groupmems</command> executable
|
|
||||||
+ is not setuid and regular users cannot use it to manipulate
|
|
||||||
+ the membership of their own group.
|
|
||||||
</para>
|
|
||||||
-
|
|
||||||
- <programlisting>
|
|
||||||
- $ groupadd -r groups
|
|
||||||
- $ chmod 2710 groupmems
|
|
||||||
- $ chown root.groups groupmems
|
|
||||||
- $ groupmems -g groups -a gk4
|
|
||||||
- </programlisting>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1 id='configuration'>
|
|
||||||
diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
|
|
||||||
--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix 2019-07-23 17:26:08.000000000 +0200
|
|
||||||
+++ shadow-4.8.1/man/ja/man5/login.defs.5 2020-03-17 15:34:48.750414984 +0100
|
|
||||||
@@ -147,10 +147,6 @@ 以下の参照表は、
|
|
||||||
shadow パスワード機能のどのプログラムが
|
|
||||||
どのパラメータを使用するかを示したものである。
|
|
||||||
.na
|
|
||||||
-.IP chfn 12
|
|
||||||
-CHFN_AUTH CHFN_RESTRICT
|
|
||||||
-.IP chsh 12
|
|
||||||
-CHFN_AUTH
|
|
||||||
.IP groupadd 12
|
|
||||||
GID_MAX GID_MIN
|
|
||||||
.IP newusers 12
|
|
||||||
diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
|
|
||||||
--- shadow-4.8.1/man/login.defs.5.xml.manfix 2020-01-17 16:47:56.000000000 +0100
|
|
||||||
+++ shadow-4.8.1/man/login.defs.5.xml 2020-03-17 15:34:48.750414984 +0100
|
|
||||||
@@ -164,6 +164,17 @@
|
|
||||||
long numeric parameters is machine-dependent.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
+ <para>
|
|
||||||
+ Please note that the parameters in this configuration file control the
|
|
||||||
+ behavior of the tools from the shadow-utils component. None of these
|
|
||||||
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
|
|
||||||
+ passwd command) should be configured elsewhere. The only values that
|
|
||||||
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
|
|
||||||
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
|
|
||||||
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
|
|
||||||
+ pam(8) for more information.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
<para>The following configuration items are provided:</para>
|
|
||||||
|
|
||||||
<variablelist remap='IP'>
|
|
||||||
@@ -256,16 +267,6 @@
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
- <term>chfn</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- <phrase condition="no_pam">CHFN_AUTH</phrase>
|
|
||||||
- CHFN_RESTRICT
|
|
||||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
- <varlistentry>
|
|
||||||
<term>chgpasswd</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
@@ -286,14 +287,6 @@
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
- <varlistentry condition="no_pam">
|
|
||||||
- <term>chsh</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- CHSH_AUTH LOGIN_STRING
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
|
|
||||||
<!-- faillog: no variables -->
|
|
||||||
<varlistentry>
|
|
||||||
@@ -359,34 +352,6 @@
|
|
||||||
<para>LASTLOG_UID_MAX</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
- <varlistentry>
|
|
||||||
- <term>login</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
|
||||||
- CONSOLE_GROUPS DEFAULT_HOME
|
|
||||||
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
|
|
||||||
- ENV_TZ ENVIRON_FILE</phrase>
|
|
||||||
- ERASECHAR FAIL_DELAY
|
|
||||||
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
|
|
||||||
- FAKE_SHELL
|
|
||||||
- <phrase condition="no_pam">FTMP_FILE</phrase>
|
|
||||||
- HUSHLOGIN_FILE
|
|
||||||
- <phrase condition="no_pam">ISSUE_FILE</phrase>
|
|
||||||
- KILLCHAR
|
|
||||||
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
|
|
||||||
- LOGIN_RETRIES
|
|
||||||
- <phrase condition="no_pam">LOGIN_STRING</phrase>
|
|
||||||
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
|
|
||||||
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
|
|
||||||
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
|
|
||||||
- QUOTAS_ENAB</phrase>
|
|
||||||
- TTYGROUP TTYPERM TTYTYPE_FILE
|
|
||||||
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
|
|
||||||
- USERGROUPS_ENAB
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
<!-- logoutd: no variables -->
|
|
||||||
<varlistentry>
|
|
||||||
<term>newgrp / sg</term>
|
|
||||||
@@ -415,17 +380,6 @@
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<!-- nologin: no variables -->
|
|
||||||
- <varlistentry condition="no_pam">
|
|
||||||
- <term>passwd</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
|
|
||||||
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
|
|
||||||
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
|
|
||||||
- SHA_CRYPT_MIN_ROUNDS</phrase>
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
<term>pwck</term>
|
|
||||||
<listitem>
|
|
||||||
@@ -452,32 +406,6 @@
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
- <varlistentry>
|
|
||||||
- <term>su</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- <phrase condition="no_pam">CONSOLE</phrase>
|
|
||||||
- CONSOLE_GROUPS DEFAULT_HOME
|
|
||||||
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
|
|
||||||
- ENV_PATH ENV_SUPATH
|
|
||||||
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
|
|
||||||
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
|
|
||||||
- SULOG_FILE SU_NAME
|
|
||||||
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
|
|
||||||
- SYSLOG_SU_ENAB
|
|
||||||
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
- <varlistentry>
|
|
||||||
- <term>sulogin</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- ENV_HZ
|
|
||||||
- <phrase condition="no_pam">ENV_TZ</phrase>
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
<term>useradd</term>
|
|
||||||
<listitem>
|
|
@ -1,48 +0,0 @@
|
|||||||
From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
Date: Mon, 10 Jan 2022 15:30:28 +0100
|
|
||||||
Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
|
|
||||||
|
|
||||||
If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
|
|
||||||
is NULL. In order to avoid that load the log file descriptor with the
|
|
||||||
log_get_logfd() helper function.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
|
|
||||||
|
|
||||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
---
|
|
||||||
lib/nss.c | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/lib/nss.c b/lib/nss.c
|
|
||||||
index 02742902..06fa48e5 100644
|
|
||||||
--- a/lib/nss.c
|
|
||||||
+++ b/lib/nss.c
|
|
||||||
@@ -9,6 +9,7 @@
|
|
||||||
#include "prototypes.h"
|
|
||||||
#include "../libsubid/subid.h"
|
|
||||||
#include "shadowlog_internal.h"
|
|
||||||
+#include "shadowlog.h"
|
|
||||||
|
|
||||||
#define NSSWITCH "/etc/nsswitch.conf"
|
|
||||||
|
|
||||||
@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
|
|
||||||
FILE *nssfp = NULL;
|
|
||||||
char *line = NULL, *p, *token, *saveptr;
|
|
||||||
size_t len = 0;
|
|
||||||
+ FILE *shadow_logfd = log_get_logfd();
|
|
||||||
|
|
||||||
if (atomic_flag_test_and_set(&nss_init_started)) {
|
|
||||||
// Another thread has started nss_init, wait for it to complete
|
|
||||||
@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
|
|
||||||
// subid: files
|
|
||||||
nssfp = fopen(nsswitch_path, "r");
|
|
||||||
if (!nssfp) {
|
|
||||||
- fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
|
|
||||||
+ fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
|
|
||||||
atomic_store(&nss_init_completed, true);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
@ -198,11 +198,10 @@ SUB_GID_COUNT 65536
|
|||||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||||
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
|
# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password
|
||||||
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
|
|
||||||
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||||
#
|
#
|
||||||
ENCRYPT_METHOD YESCRYPT
|
ENCRYPT_METHOD SHA512
|
||||||
|
|
||||||
#
|
#
|
||||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||||
@ -219,33 +218,7 @@ ENCRYPT_METHOD YESCRYPT
|
|||||||
|
|
||||||
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
|
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
|
||||||
|
|
||||||
#
|
# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported
|
||||||
# Only works if ENCRYPT_METHOD is set to BCRYPT.
|
|
||||||
#
|
|
||||||
# Define the number of BCRYPT rounds.
|
|
||||||
# With a lot of rounds, it is more difficult to brute-force the password.
|
|
||||||
# However, more CPU resources will be needed to authenticate users if
|
|
||||||
# this value is increased.
|
|
||||||
#
|
|
||||||
# If not specified, 13 rounds will be attempted.
|
|
||||||
# If only one of the MIN or MAX values is set, then this value will be used.
|
|
||||||
# If MIN > MAX, the highest value will be used.
|
|
||||||
#
|
|
||||||
#BCRYPT_MIN_ROUNDS 13
|
|
||||||
#BCRYPT_MAX_ROUNDS 31
|
|
||||||
|
|
||||||
#
|
|
||||||
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
|
|
||||||
#
|
|
||||||
# Define the YESCRYPT cost factor.
|
|
||||||
# With a higher cost factor, it is more difficult to brute-force the password.
|
|
||||||
# However, more CPU time and more memory will be needed to authenticate users
|
|
||||||
# if this value is increased.
|
|
||||||
#
|
|
||||||
# If not specified, a cost factor of 5 will be used.
|
|
||||||
# The value must be within the 1-11 range.
|
|
||||||
#
|
|
||||||
#YESCRYPT_COST_FACTOR 5
|
|
||||||
|
|
||||||
# Currently CONSOLE_GROUPS is not supported
|
# Currently CONSOLE_GROUPS is not supported
|
||||||
|
|
||||||
@ -293,13 +266,3 @@ CREATE_HOME yes
|
|||||||
# missing.
|
# missing.
|
||||||
#
|
#
|
||||||
#FORCE_SHADOW yes
|
#FORCE_SHADOW yes
|
||||||
|
|
||||||
#
|
|
||||||
# Select the HMAC cryptography algorithm.
|
|
||||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
|
||||||
# authentication code.
|
|
||||||
#
|
|
||||||
# Note: It is recommended to check hmac(3) to see the possible algorithms
|
|
||||||
# that are available in your system.
|
|
||||||
#
|
|
||||||
HMAC_CRYPTO_ALGO SHA512
|
|
||||||
|
@ -1,78 +1,79 @@
|
|||||||
Summary: Utilities for managing accounts and shadow password files
|
Summary: Utilities for managing accounts and shadow password files
|
||||||
Name: shadow-utils
|
Name: shadow-utils
|
||||||
Version: 4.11.1
|
Version: 4.8.1
|
||||||
Release: 4%{?dist}
|
Release: 7%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: BSD and GPLv2+
|
URL: http://pkg-shadow.alioth.debian.org/
|
||||||
URL: https://github.com/shadow-maint/shadow
|
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
||||||
Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
|
Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
|
||||||
Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
|
|
||||||
Source2: shadow-utils.useradd
|
Source2: shadow-utils.useradd
|
||||||
Source3: shadow-utils.login.defs
|
Source3: shadow-utils.login.defs
|
||||||
Source4: shadow-bsd.txt
|
Source4: shadow-bsd.txt
|
||||||
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||||
Source6: shadow-utils.HOME_MODE.xml
|
Source6: shadow-utils.HOME_MODE.xml
|
||||||
|
|
||||||
### Globals ###
|
|
||||||
%global includesubiddir %{_includedir}/shadow
|
|
||||||
|
|
||||||
### Patches ###
|
|
||||||
# Misc small changes - most probably non-upstreamable
|
# Misc small changes - most probably non-upstreamable
|
||||||
Patch0: shadow-4.11.1-redhat.patch
|
Patch0: shadow-4.6-redhat.patch
|
||||||
# Be more lenient with acceptable user/group names - non upstreamable
|
# Be more lenient with acceptable user/group names - non upstreamable
|
||||||
Patch1: shadow-4.8-goodname.patch
|
Patch1: shadow-4.8-goodname.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/7384865775b0203b9cf5337a047744f0a4555868
|
||||||
|
Patch2: shadow-4.1.5.1-info-parent-dir.patch
|
||||||
|
# Misc SElinux related changes - upstreamability unknown
|
||||||
|
Patch6: shadow-4.8-selinux.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/a8361e741040cd926c9c93aac89820052531b1a3
|
||||||
|
Patch11: shadow-4.1.5.1-logmsg.patch
|
||||||
# SElinux related - upstreamability unknown
|
# SElinux related - upstreamability unknown
|
||||||
Patch3: shadow-4.9-default-range.patch
|
Patch14: shadow-4.1.5.1-default-range.patch
|
||||||
# Misc manual page changes - non-upstreamable
|
# Misc manual page changes
|
||||||
Patch4: shadow-4.9-manfix.patch
|
# https://github.com/shadow-maint/shadow/commit/c0818ab01d1896784245eedec9495e1e6e0260af
|
||||||
|
# Changes in man/groupmems.8.xml, man/ja/man5/login.defs.5 and man/login.defs.5.xml not upstreamed
|
||||||
|
Patch15: shadow-4.8.1-manfix.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/f4cbf38ad7801bab6fae50e9b5a2effc3c48a1ea
|
||||||
|
Patch17: shadow-4.1.5.1-userdel-helpfix.patch
|
||||||
# Date parsing improvement - could be upstreamed
|
# Date parsing improvement - could be upstreamed
|
||||||
Patch5: shadow-4.2.1-date-parsing.patch
|
Patch19: shadow-4.2.1-date-parsing.patch
|
||||||
# Additional error message - could be upstreamed
|
# Additional error message - could be upstreamed
|
||||||
Patch6: shadow-4.6-move-home.patch
|
Patch21: shadow-4.6-move-home.patch
|
||||||
# Audit message changes - upstreamability unknown
|
# Audit message changes - upstreamability unknown
|
||||||
Patch7: shadow-4.11.1-audit-update.patch
|
Patch22: shadow-4.8.1-audit-update.patch
|
||||||
# Changes related to password unlocking - could be upstreamed
|
# Changes related to password unlocking - could be upstreamed
|
||||||
Patch8: shadow-4.5-usermod-unlock.patch
|
Patch23: shadow-4.5-usermod-unlock.patch
|
||||||
# Additional SElinux related changes - upstreamability unknown
|
# Additional SElinux related changes - upstreamability unknown
|
||||||
Patch9: shadow-4.8-selinux-perms.patch
|
Patch28: shadow-4.8-selinux-perms.patch
|
||||||
# Handle NULL return from *time funcs - upstreamable
|
# Handle NULL return from *time funcs - could be upstreamed
|
||||||
Patch10: shadow-4.11.1-null-tm.patch
|
Patch29: shadow-4.2.1-null-tm.patch
|
||||||
|
# SElinux related - upstreamability unknown
|
||||||
|
Patch31: shadow-4.6-getenforce.patch
|
||||||
|
# Handle include of crypt.h - could be upstreamed
|
||||||
|
Patch32: shadow-4.8-crypt_h.patch
|
||||||
# Handle /etc/passwd corruption - could be upstreamed
|
# Handle /etc/passwd corruption - could be upstreamed
|
||||||
Patch11: shadow-4.8-long-entry.patch
|
Patch33: shadow-4.8-long-entry.patch
|
||||||
# Limit uid/gid allocation to non-zero - could be upstreamed
|
# Limit uid/gid allocation to non-zero - could be upstreamed
|
||||||
Patch12: shadow-4.6-sysugid-min-limit.patch
|
Patch38: shadow-4.6-sysugid-min-limit.patch
|
||||||
# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
|
# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
|
||||||
Patch13: shadow-4.8-ignore-login-prompt.patch
|
Patch40: shadow-4.8-ignore-login-prompt.patch
|
||||||
# https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
|
# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed
|
||||||
Patch14: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
|
Patch42: shadow-4.8-useradd-selinux-mail.patch
|
||||||
# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
|
# Clarify useradd man regarding "-d" parameter - already upstreamed
|
||||||
Patch15: shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch
|
Patch43: shadow-4.8.1-useradd-man-clarification.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9
|
||||||
|
Patch44: shadow-4.8.1-check-local-groups.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/599cc003daf833bffdc9cbe0d33dc8b3e7ec74c8
|
||||||
|
Patch45: shadow-4.8.1-commonio-force-lock-file-sync.patch
|
||||||
|
# https://github.com/shadow-maint/shadow/commit/df6ec1d1693c8c80c323b40d6fc82bb549363db3
|
||||||
|
Patch46: shadow-4.8.1-man-include-lastlog-file-caveat.patch
|
||||||
|
|
||||||
### Dependencies ###
|
License: BSD and GPLv2+
|
||||||
Requires: audit-libs >= 1.6.5
|
|
||||||
Requires: libselinux >= 1.25.2-1
|
|
||||||
Requires: setup
|
|
||||||
|
|
||||||
### Build Dependencies ###
|
|
||||||
BuildRequires: audit-libs-devel >= 1.6.5
|
|
||||||
BuildRequires: autoconf
|
|
||||||
BuildRequires: automake
|
|
||||||
BuildRequires: bison
|
|
||||||
BuildRequires: docbook-dtds
|
|
||||||
BuildRequires: docbook-style-xsl
|
|
||||||
BuildRequires: flex
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gettext-devel
|
|
||||||
BuildRequires: itstool
|
|
||||||
BuildRequires: libacl-devel
|
|
||||||
BuildRequires: libattr-devel
|
|
||||||
BuildRequires: libselinux-devel >= 1.25.2-1
|
BuildRequires: libselinux-devel >= 1.25.2-1
|
||||||
|
BuildRequires: audit-libs-devel >= 1.6.5
|
||||||
BuildRequires: libsemanage-devel
|
BuildRequires: libsemanage-devel
|
||||||
BuildRequires: libtool
|
BuildRequires: libacl-devel, libattr-devel
|
||||||
BuildRequires: libxslt
|
BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
|
||||||
BuildRequires: make
|
BuildRequires: autoconf, automake, libtool, gettext-devel
|
||||||
|
BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
|
||||||
### Provides ###
|
Requires: libselinux >= 1.25.2-1
|
||||||
|
Requires: audit-libs >= 1.6.5
|
||||||
|
Requires: setup
|
||||||
Provides: shadow = %{epoch}:%{version}-%{release}
|
Provides: shadow = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -87,41 +88,32 @@ for all users. The useradd, userdel, and usermod commands are used for
|
|||||||
managing user accounts. The groupadd, groupdel, and groupmod commands
|
managing user accounts. The groupadd, groupdel, and groupmod commands
|
||||||
are used for managing group accounts.
|
are used for managing group accounts.
|
||||||
|
|
||||||
|
|
||||||
### Subpackages ###
|
|
||||||
%package subid
|
|
||||||
Summary: A library to manage subordinate uid and gid ranges
|
|
||||||
License: BSD and GPLv2+
|
|
||||||
|
|
||||||
%description subid
|
|
||||||
Utility library that provides a way to manage subid ranges.
|
|
||||||
|
|
||||||
|
|
||||||
%package subid-devel
|
|
||||||
Summary: Development package for shadow-utils-subid
|
|
||||||
License: BSD and GPLv2+
|
|
||||||
Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
|
|
||||||
|
|
||||||
%description subid-devel
|
|
||||||
Development files for shadow-utils-subid.
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n shadow-%{version}
|
%setup -q -n shadow-%{version}
|
||||||
%patch0 -p1 -b .redhat
|
%patch0 -p1 -b .redhat
|
||||||
%patch1 -p1 -b .goodname
|
%patch1 -p1 -b .goodname
|
||||||
%patch3 -p1 -b .default-range
|
%patch2 -p1 -b .info-parent-dir
|
||||||
%patch4 -p1 -b .manfix
|
%patch6 -p1 -b .selinux
|
||||||
%patch5 -p1 -b .date-parsing
|
%patch11 -p1 -b .logmsg
|
||||||
%patch6 -p1 -b .move-home
|
%patch14 -p1 -b .default-range
|
||||||
%patch7 -p1 -b .audit-update
|
%patch15 -p1 -b .manfix
|
||||||
%patch8 -p1 -b .unlock
|
%patch17 -p1 -b .userdel
|
||||||
%patch9 -p1 -b .selinux-perms
|
%patch19 -p1 -b .date-parsing
|
||||||
%patch10 -p1 -b .null-tm
|
%patch21 -p1 -b .move-home
|
||||||
%patch11 -p1 -b .long-entry
|
%patch22 -p1 -b .audit-update
|
||||||
%patch12 -p1 -b .sysugid-min-limit
|
%patch23 -p1 -b .unlock
|
||||||
%patch13 -p1 -b .login-prompt
|
%patch28 -p1 -b .selinux-perms
|
||||||
%patch14 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
|
%patch29 -p1 -b .null-tm
|
||||||
%patch15 -p1 -b .useradd-modify-check-ID-range-for-system-users
|
%patch31 -p1 -b .getenforce
|
||||||
|
%patch32 -p1 -b .crypt_h
|
||||||
|
%patch33 -p1 -b .long-entry
|
||||||
|
%patch38 -p1 -b .sysugid-min-limit
|
||||||
|
%patch40 -p1 -b .login-prompt
|
||||||
|
%patch42 -p1 -b .useradd-selinux-mail
|
||||||
|
%patch43 -p1 -b .useradd-man-clarification
|
||||||
|
%patch44 -p1 -b .check-local-groups
|
||||||
|
%patch45 -p1 -b .commonio-force-lock-file-sync
|
||||||
|
%patch46 -p1 -b .man-include-lastlog-file-caveat
|
||||||
|
|
||||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||||
@ -148,75 +140,74 @@ autoreconf
|
|||||||
--enable-man \
|
--enable-man \
|
||||||
--with-audit \
|
--with-audit \
|
||||||
--with-sha-crypt \
|
--with-sha-crypt \
|
||||||
--with-bcrypt \
|
|
||||||
--with-yescrypt \
|
|
||||||
--with-selinux \
|
--with-selinux \
|
||||||
--without-libcrack \
|
--without-libcrack \
|
||||||
--without-libpam \
|
--without-libpam \
|
||||||
--enable-shared \
|
--disable-shared \
|
||||||
--with-group-name-max-length=32
|
--with-group-name-max-length=32
|
||||||
%make_build
|
%make_build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
|
rm -rf $RPM_BUILD_ROOT
|
||||||
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
|
%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
|
||||||
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
|
install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
|
||||||
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
|
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
|
||||||
|
install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
|
||||||
|
|
||||||
|
|
||||||
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
|
ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
|
||||||
ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
|
ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
|
||||||
for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
|
for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
|
||||||
test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
|
test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
|
||||||
done
|
done
|
||||||
|
|
||||||
# Remove binaries we don't use.
|
# Remove binaries we don't use.
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/chfn
|
rm $RPM_BUILD_ROOT/%{_bindir}/chfn
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/chsh
|
rm $RPM_BUILD_ROOT/%{_bindir}/chsh
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/expiry
|
rm $RPM_BUILD_ROOT/%{_bindir}/expiry
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/groups
|
rm $RPM_BUILD_ROOT/%{_bindir}/groups
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/login
|
rm $RPM_BUILD_ROOT/%{_bindir}/login
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/passwd
|
rm $RPM_BUILD_ROOT/%{_bindir}/passwd
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/su
|
rm $RPM_BUILD_ROOT/%{_bindir}/su
|
||||||
rm $RPM_BUILD_ROOT%{_bindir}/faillog
|
rm $RPM_BUILD_ROOT/%{_bindir}/faillog
|
||||||
rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
|
rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
|
||||||
rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
|
rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
|
||||||
rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
|
rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
|
||||||
rm $RPM_BUILD_ROOT%{_sbindir}/nologin
|
rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
|
||||||
rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
|
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
|
||||||
|
|
||||||
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
|
find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
|
||||||
%find_lang shadow
|
%find_lang shadow
|
||||||
@ -228,17 +219,9 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
|
|||||||
echo "%%lang($lang) $dir/man*/*" >> shadow.lang
|
echo "%%lang($lang) $dir/man*/*" >> shadow.lang
|
||||||
done
|
done
|
||||||
|
|
||||||
# Move header files to its own folder
|
|
||||||
echo $(ls)
|
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
|
|
||||||
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
|
|
||||||
|
|
||||||
# Remove .la and .a files created by libsubid
|
|
||||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
|
|
||||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
|
|
||||||
|
|
||||||
%files -f shadow.lang
|
%files -f shadow.lang
|
||||||
%doc NEWS doc/HOWTO README
|
%doc NEWS doc/HOWTO README
|
||||||
|
%{!?_licensedir:%global license %%doc}
|
||||||
%license gpl-2.0.txt shadow-bsd.txt
|
%license gpl-2.0.txt shadow-bsd.txt
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
|
||||||
@ -285,135 +268,17 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
|
|||||||
%{_mandir}/man8/vipw.8*
|
%{_mandir}/man8/vipw.8*
|
||||||
%{_mandir}/man8/vigr.8*
|
%{_mandir}/man8/vigr.8*
|
||||||
|
|
||||||
%files subid
|
|
||||||
%{_libdir}/libsubid.so.*
|
|
||||||
%{_bindir}/getsubids
|
|
||||||
%{_mandir}/man1/getsubids.1*
|
|
||||||
|
|
||||||
%files subid-devel
|
|
||||||
%{includesubiddir}/subid.h
|
|
||||||
%{_libdir}/libsubid.so
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Aug 1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
|
* Mon Aug 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-7
|
||||||
- useradd: modify check ID range for system users. Resolves: #2093692
|
- allow all types of groups when modifying supplementary groups (#1975327)
|
||||||
|
|
||||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
|
* Mon Apr 26 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
|
|
||||||
- Fix explicit subid requirement for subid-devel
|
|
||||||
|
|
||||||
* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
|
|
||||||
- Rebase to version 4.11.1 (#2034038)
|
|
||||||
- Fix release sources
|
|
||||||
- Add explicit subid requirement for subid-devel
|
|
||||||
|
|
||||||
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
|
|
||||||
- nss: get shadow_logfd with log_get_logfd() (#2038811)
|
|
||||||
- lib: make shadow_logfd and Prog not extern
|
|
||||||
- lib: rename Prog to shadow_progname
|
|
||||||
- lib: provide default values for shadow_progname
|
|
||||||
- libsubid: use log_set_progname in subid_init
|
|
||||||
|
|
||||||
* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
|
|
||||||
- getsubids: provide system binary and man page (#1980780)
|
|
||||||
- pwck: fix segfault when calling fprintf() (#2021339)
|
|
||||||
- newgrp: fix segmentation fault (#2019553)
|
|
||||||
- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
|
|
||||||
|
|
||||||
* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
|
|
||||||
- useradd: change SELinux labels for home files (#2022658)
|
|
||||||
|
|
||||||
* Thu Nov 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
|
|
||||||
- useradd: revert fix memleak of grp (#2018697)
|
|
||||||
|
|
||||||
* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
|
|
||||||
- useradd: generate home and mail directories with selinux user attribute
|
|
||||||
|
|
||||||
* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
|
|
||||||
- login.defs: include HMAC_CRYPTO_ALGO key
|
|
||||||
- Clean spec file: organize dependencies and move License location
|
|
||||||
|
|
||||||
* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
|
|
||||||
- libmisc: fix default value in SHA_get_salt_rounds()
|
|
||||||
|
|
||||||
* Mon Aug 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
|
|
||||||
- useradd: avoid generating an empty subid range (#1990653)
|
|
||||||
|
|
||||||
* Wed Aug 4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
|
|
||||||
- Rebase to version 4.9
|
|
||||||
- usermod: allow all group types with -G option (#1975327)
|
|
||||||
- Clean spec file
|
|
||||||
|
|
||||||
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
|
|
||||||
- Add patch to fix 'fread returns element count, not element size'
|
|
||||||
|
|
||||||
* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
|
|
||||||
- Fix regression issues detected in rhbz#667593 and rhbz#672510
|
|
||||||
|
|
||||||
* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
|
|
||||||
- Enable bcrypt support, as libxcrypt supports it well
|
|
||||||
|
|
||||||
* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
|
|
||||||
- Add a patch to obtain random bytes using getentropy()
|
|
||||||
- Update shadow-4.8-crypt_h.patch with the upstreamed version
|
|
||||||
- Add a patch to make use of crypt_gensalt() from libxcrypt
|
|
||||||
|
|
||||||
* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
|
|
||||||
- useradd: free correct pointer (#1976809)
|
|
||||||
|
|
||||||
* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
|
|
||||||
- Add a patch to fix the used prefix for the bcrypt hash method
|
|
||||||
- Add a patch to cleanup the code in libmisc/salt.c
|
|
||||||
- Add a patch adding some clarifying comments in libmisc/salt.c
|
|
||||||
- Add a patch to obtain random bytes from /dev/urandom
|
|
||||||
|
|
||||||
* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
|
|
||||||
- Covscan fixes
|
|
||||||
|
|
||||||
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
|
|
||||||
- Backport support for yescrypt hash method
|
|
||||||
- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
|
|
||||||
|
|
||||||
* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
|
|
||||||
- libsubid: don't print error messages on stderr by default
|
|
||||||
- libsubid: libsubid_init return false if out of memory
|
|
||||||
- useradd: fix SUB_UID_COUNT=0
|
|
||||||
- libsubid: don't return owner in list_owner_ranges API call
|
|
||||||
- libsubid: libsubid_init don't print messages on error
|
|
||||||
- libsubid: fix newusers when nss provides subids
|
|
||||||
- man: clarify subid delegation
|
|
||||||
- libsubid: make shadow_logfd not extern
|
|
||||||
|
|
||||||
* Thu May 6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
|
|
||||||
- man: mention NSS in new[ug]idmap manpages
|
|
||||||
- libsubid: move development header to shadow folder
|
|
||||||
|
|
||||||
* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
|
|
||||||
- libsubid: creation and nsswitch support
|
|
||||||
- Creation of subid and subid-devel subpackages
|
|
||||||
|
|
||||||
* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
|
|
||||||
- man: include lastlog file caveat (#951564)
|
- man: include lastlog file caveat (#951564)
|
||||||
- Upstream links to several patches
|
- Upstream links to several patches
|
||||||
- Spec file cleanup by Robert Scheck
|
|
||||||
- Add BuildRequires: make by Tom Stellard
|
|
||||||
|
|
||||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
|
* Mon Nov 16 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-5
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Nov 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
|
|
||||||
- commonio: force lock file sync (#1862056)
|
- commonio: force lock file sync (#1862056)
|
||||||
|
- spec: add Provides keyword
|
||||||
* Tue Nov 3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
|
|
||||||
- Rebuild with libsemanage.so.2
|
|
||||||
|
|
||||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
|
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (shadow-4.11.1.tar.xz) = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
|
SHA512 (shadow-4.8.1.tar.xz) = 780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b
|
||||||
SHA512 (shadow-4.11.1.tar.xz.asc) = 4594189678cc9bcc8831f62a5d42c605b085be4a3b540429d7c800f4304e2e8fe04358547917eb90c1513646fade7c714611bfdc98af7dec5321a3dc3e65c4fd
|
SHA512 (shadow-4.8.1.tar.xz.asc) = ec7686263c81d3feb8ee4314c3323a9a3ada74aafaaf99f4f0d9af9b1341f8c5ff5477ecf98dd94dbb7d921f532d655b0b6a87d94c71893f35dc9bc54c84dd42
|
||||||
|
Loading…
Reference in New Issue
Block a user