Multiple fixes.
- unlock also passwords locked with passwd -l
- prevent breaking user entry by entering a password containing colon
- fix possible DoS when locking the database files for update
- properly use login.defs from the chroot in useradd
This commit is contained in:
parent
283bf24723
commit
25899fefb0
4 changed files with 91 additions and 1 deletions
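--- a/shadow-4.2.1-defs-chroot.patch
+++ b/shadow-4.2.1-defs-chroot.patch
@@ -0,0 +1,24 @@
+diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c
+--- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100
++++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200
+@@ -1938,8 +1938,8 @@ int main (int argc, char **argv)
+#endif /* ACCT_TOOLS_SETUID */
+
+/* Needed for userns check */
+- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++ uid_t uid_min;
++ uid_t uid_max;
+
+/*
+ * Get my name so that I can use it to report errors.
+@@ -1957,6 +1957,9 @@ int main (int argc, char **argv)
+audit_help_open ();
+#endif
+
++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++
+sys_ngroups = sysconf (_SC_NGROUPS_MAX);
+user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *));
+/*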
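Review bot: The reason the two getdef_ulong () reads were pulled out of the declarations is not recorded anywhere in the hunk, so a later tidy-up that re-merges declaration and initialization would silently reintroduce the bug this patch fixes. The move only helps if the new position comes after the point where the --root chroot has been applied, which lies outside this hunk; presumably that is the case, but it should be stated next to the code. I would add above the two new assignments: `/* Read UID_MIN/UID_MAX only after the --root chroot has been entered, so login.defs comes from the target system rather than the host. */`. main () starts and ends outside the hunk.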
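--- a/shadow-4.2.1-no-lock-dos.patch
+++ b/shadow-4.2.1-no-lock-dos.patch
@@ -0,0 +1,15 @@
+diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c
+--- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200
++++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200
+@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
+int retval;
+char buf[32];
+
+- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
++ /* We depend here on the fact, that the file name is pid-specific.
++ * So no O_EXCL here and no DoS.
++ */
++ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+if (-1 == fd) {
+if (log) {
+(void) fprintf (stderr,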
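Review bot: Dropping O_EXCL means a path that already exists under the pid-specific name is now opened and truncated instead of rejected, so the call relies entirely on the directory holding the database being writable only by root; if a symlink or a leftover file from an earlier process with a recycled pid were present there, open () would write through it. Adding O_NOFOLLOW keeps the symlink case out at no cost: `fd = open (file, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0600);`. The comment should also state the assumption it rests on, e.g. `/* The name is pid-specific, so an existing file is ours or stale and may be truncated; O_EXCL would let a leftover file deny the lock. */`. do_lock_file () begins before the hunk and continues after it.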
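--- a/shadow-4.2.1-usermod-unlock.patch
+++ b/shadow-4.2.1-usermod-unlock.patch
@@ -0,0 +1,39 @@
+diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c
+--- shadow-4.2.1/src/usermod.c.unlock 2014-12-01 15:14:58.000000000 +0100
++++ shadow-4.2.1/src/usermod.c 2015-08-27 14:31:50.899712180 +0200
+@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas
+strcat (buf, pw_pass);
+pw_pass = buf;
+} else if (Uflg && pw_pass[0] == '!') {
+- char *s;
++ char *s = pw_pass;
+
+- if (pw_pass[1] == '\0') {
++ while ('!' == *s)
++ ++s;
++
++ if (*s == '\0') {
+fprintf (stderr,
+_("%s: unlocking the user's password would result in a passwordless account.\n"
+"You should set a password with usermod -p to unlock this user's password.\n"),
+@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
+user_newname, (unsigned int) user_newid, 1);
+#endif
+SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
+- s = pw_pass;
+- while ('\0' != *s) {
+- *s = *(s + 1);
+- s++;
+- }
++ memmove (pw_pass, s, strlen (s) + 1);
+} else if (pflg) {
++ if (strchr (user_pass, ':') != NULL) {
++ fprintf (stderr,
++ _("%s: The password field cannot contain a colon character.\n"),
++ Prog);
++ return pw_pass;
++
++ }
+#ifdef WITH_AUDIT
+audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+"updating-password",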
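Review bot: The new check in the pflg branch rejects ':' but not a newline, and the field is written into a line-oriented database, so a -p value containing '\n' would still split the entry; `if (strpbrk (user_pass, ":\n") != NULL) {` covers both, with the message widened to say the field cannot contain a colon or newline. The error path only prints and returns the unchanged pw_pass, so unless the caller checks something else the command presumably still exits successfully after rejecting the argument; failing with a bad-argument status would be the usual behaviour, but that decision lies in code outside the hunk. The stray blank line between `return pw_pass;` and the closing brace should go. new_pw_passwd () starts and ends outside both hunks.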
@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Name: shadow-utils
Version: 4.2.1
Version: 4.2.1
Release: 2%{?dist}
Release: 3%{?dist}
Epoch: 2
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
URL: http://pkg-shadow.alioth.debian.org/
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
@ -30,6 +30,9 @@ Patch19: shadow-4.2.1-date-parsing.patch
Patch20: shadow-4.1.5.1-ingroup.patch
Patch20: shadow-4.1.5.1-ingroup.patch
Patch21: shadow-4.1.5.1-move-home.patch
Patch21: shadow-4.1.5.1-move-home.patch
Patch22: shadow-4.2.1-audit-update.patch
Patch22: shadow-4.2.1-audit-update.patch
Patch23: shadow-4.2.1-usermod-unlock.patch
Patch24: shadow-4.2.1-no-lock-dos.patch
Patch25: shadow-4.2.1-defs-chroot.patch
License: BSD and GPLv2+
License: BSD and GPLv2+
Group: System Environment/Base
Group: System Environment/Base
@ -80,6 +83,9 @@ are used for managing group accounts.
%patch20 -p1 -b .ingroup
%patch20 -p1 -b .ingroup
%patch21 -p1 -b .move-home
%patch21 -p1 -b .move-home
%patch22 -p1 -b .audit-update
%patch22 -p1 -b .audit-update
%patch23 -p1 -b .unlock
%patch24 -p1 -b .no-lock-dos
%patch25 -p1 -b .defs-chroot
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
cp -f doc/HOWTO.utf8 doc/HOWTO
@ -246,6 +252,12 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8*
%{_mandir}/man8/vigr.8*
%changelog
%changelog
* Thu Aug 27 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-3
- unlock also passwords locked with passwd -l
- prevent breaking user entry by entering a password containing colon
- fix possible DoS when locking the database files for update
- properly use login.defs from the chroot in useradd
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:4.2.1-2
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:4.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild