diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch
new file mode 100644
index 0000000..8fcfd97
--- /dev/null
+++ b/shadow-4.1.5.1-newgrp-grouplist.patch
@@ -0,0 +1,70 @@
+diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c
+--- shadow-4.1.5.1/src/newgrp.c.grouplist 2016-06-28 10:23:46.686334213 +0200
++++ shadow-4.1.5.1/src/newgrp.c 2017-08-14 10:26:58.300757328 +0200
+@@ -382,6 +382,7 @@ int main (int argc, char **argv)
+ {
+ bool initflag = false;
+ int i;
++ bool is_member = false;
+ bool cflag = false;
+ int err = 0;
+ gid_t gid;
+@@ -631,22 +632,36 @@ int main (int argc, char **argv)
+ goto failure;
+ }
+
++#ifdef HAVE_SETGROUPS
++ /* when using pam_group, she will not be listed in the groups
++ * database. However getgroups() will return the group. So
++ * if she is listed there already it is ok to grant membership.
++ */
++ for (i = 0; i < ngroups; i++) {
++ if (grp->gr_gid == grouplist[i]) {
++ is_member = true;
++ break;
++ }
++ }
++#endif /* HAVE_SETGROUPS */
+ /*
+ * For splitted groups (due to limitations of NIS), check all
+ * groups of the same GID like the requested group for
+ * membership of the current user.
+ */
+- grp = find_matching_group (name, grp);
+- if (NULL == grp) {
+- /*
+- * No matching group found. As we already know that
+- * the group exists, this happens only in the case
+- * of a requested group where the user is not member.
+- *
+- * Re-read the group entry for further processing.
+- */
+- grp = xgetgrnam (group);
+- assert (NULL != grp);
++ if (!is_member) {
++ grp = find_matching_group (name, grp);
++ if (NULL == grp) {
++ /*
++ * No matching group found. As we already know that
++ * the group exists, this happens only in the case
++ * of a requested group where the user is not member.
++ *
++ * Re-read the group entry for further processing.
++ */
++ grp = xgetgrnam (group);
++ assert (NULL != grp);
++ }
+ }
+ #ifdef SHADOWGRP
+ sgrp = getsgnam (group);
+@@ -659,7 +674,9 @@ int main (int argc, char **argv)
+ /*
+ * Check if the user is allowed to access this group.
+ */
+- check_perms (grp, pwd, group);
++ if (!is_member) {
++ check_perms (grp, pwd, group);
++ }
+
+ /*
+ * all successful validations pass through this point. The group id
diff --git a/shadow-utils.spec b/shadow-utils.spec
index adf57c2..a8e6b48 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -28,6 +28,7 @@ Patch23: shadow-4.5-usermod-unlock.patch
 Patch24: shadow-4.2.1-no-lock-dos.patch
 Patch28: shadow-4.3.1-selinux-perms.patch
 Patch29: shadow-4.2.1-null-tm.patch
+Patch30: shadow-4.1.5.1-newgrp-grouplist.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -76,6 +77,7 @@ are used for managing group accounts.
 %patch24 -p1 -b .no-lock-dos
 %patch28 -p1 -b .selinux-perms
 %patch29 -p1 -b .null-tm
+%patch30 -p1 -b .grouplist
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -232,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4
+- allow switching to secondary group without checking the membership
+ explicitly (patch from upstream)
+
 * Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
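Review bot: In the nested src/newgrp.c patch, the `if (!is_member) { check_perms (grp, pwd, group); }` bypass makes the process's inherited supplementary group list, rather than the group database, the authority for skipping the permission check, and the added comment does not record that trust assumption. I would extend the comment above the `for (i = 0; i < ngroups; i++)` loop with something like `/* grouplist holds the supplementary GIDs this process already carries; a GID found there skips check_perms(), so removing the user from the group database only takes effect for new sessions. */`. Since `is_member` is set only by this loop and stays false for users who are members through the database, a name such as `in_grouplist` would describe it more accurately. `ngroups` and `grouplist` are filled outside the visible hunks (presumably from getgroups(), as the comment says), so it is worth confirming that a failed or short call there cannot leave stale entries that this loop would then treat as proof of membership; main's body starts and ends outside these hunks.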