This commit is contained in:
Peter Vrabec 2012-03-20 17:39:28 +01:00
parent c2e7e463a1
commit 4c8c528414
20 changed files with 137 additions and 1639 deletions

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
shadow-4.1.4.2.tar.bz2 shadow-4.1.4.2.tar.bz2
/shadow-4.1.4.3.tar.bz2 /shadow-4.1.4.3.tar.bz2
/shadow-4.1.5.tar.bz2

View file

@ -1,151 +0,0 @@
diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c
--- shadow-4.1.4.2/libmisc/copydir.c.acl 2011-02-09 17:35:23.455413575 +0100
+++ shadow-4.1.4.2/libmisc/copydir.c 2011-02-09 17:49:17.606330202 +0100
@@ -45,6 +45,9 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#endif
+#include <attr/error_context.h>
+#include <acl/libacl.h>
+
static /*@null@*/const char *src_orig;
static /*@null@*/const char *dst_orig;
@@ -70,7 +73,7 @@ static int copy_symlink (const char *src
#endif
static int copy_hardlink (const char *src, const char *dst,
struct link_name *lp);
-static int copy_special (const char *dst,
+static int copy_special (const char *src, const char *dst,
const struct stat *statp, const struct timeval mt[],
long int uid, long int gid);
static int copy_file (const char *src, const char *dst,
@@ -78,6 +81,28 @@ static int copy_file (const char *src, c
long int uid, long int gid);
#ifdef WITH_SELINUX
+
+void error (struct error_context *ctx, const char *fmt, ...)
+{
+ va_list ap;
+
+ /* ignore the case when destination does not support ACLs */
+ if(errno==EOPNOTSUPP)
+ return;
+
+ va_start (ap, fmt);
+ (void) fprintf (stderr, _("%s: "), Prog);
+ if (vfprintf (stderr, fmt, ap) != 0) {
+ (void) fputs (_(": "), stderr);
+ }
+ (void) fprintf (stderr, "%s\n", strerror (errno));
+ va_end (ap);
+}
+
+struct error_context ctx = {
+ error
+};
+
/*
* selinux_file_context - Set the security context before any file or
* directory creation.
@@ -369,7 +394,7 @@ static int copy_entry (const char *src,
*/
else if (!S_ISREG (sb.st_mode)) {
- err = copy_special (dst, &sb, mt, uid, gid);
+ err = copy_special (src, dst, &sb, mt, uid, gid);
}
/*
@@ -413,8 +438,20 @@ static int copy_dir (const char *src, co
|| (chown (dst,
(uid == - 1) ? statp->st_uid : (uid_t) uid,
(gid == - 1) ? statp->st_gid : (gid_t) gid) != 0)
- || (chmod (dst, statp->st_mode) != 0)
- || (copy_tree (src, dst, uid, gid) != 0)
+ || (chmod (dst, statp->st_mode) != 0)) {
+ err = -1;
+ return err;
+ }
+
+ /* ignore the case when destination does not support ACLs */
+ if (perm_copy_file (src, dst, &ctx) != 0) {
+ if (errno!=EOPNOTSUPP) {
+ err = -1;
+ return err;
+ }
+ }
+
+ if ((copy_tree (src, dst, uid, gid) != 0)
|| (utimes (dst, mt) != 0)) {
err = -1;
}
@@ -514,6 +551,13 @@ static int copy_symlink (const char *src
|| (lchown (dst,
(uid == -1) ? statp->st_uid : (uid_t) uid,
(gid == -1) ? statp->st_gid : (gid_t) gid) != 0)) {
+ /* FIXME: there are no modes on symlinks, right?
+ * ACL could be copied, but this would be much more
+ * complex than calling perm_copy_file.
+ * Ditto for Extended Attributes.
+ * We currently only document that ACL and Extended
+ * Attributes are not copied.
+ */
free (oldlink);
return -1;
}
@@ -542,7 +586,7 @@ static int copy_symlink (const char *src
static int copy_hardlink (const char *src, const char *dst,
struct link_name *lp)
{
- /* TODO: selinux needed? */
+ /* TODO: selinux, ACL, Extended Attributes needed? */
if (link (lp->ln_name, dst) != 0) {
return -1;
@@ -574,7 +618,7 @@ static int copy_hardlink (const char *sr
*
* Return 0 on success, -1 on error.
*/
-static int copy_special (const char *dst,
+static int copy_special (const char *src, const char *dst,
const struct stat *statp, const struct timeval mt[],
long int uid, long int gid)
{
@@ -628,11 +672,18 @@ static int copy_file (const char *src, c
|| (fchown (ofd,
(uid == -1) ? statp->st_uid : (uid_t) uid,
(gid == -1) ? statp->st_gid : (gid_t) gid) != 0)
- || (fchmod (ofd, statp->st_mode & 07777) != 0)) {
+ || (fchmod (ofd, statp->st_mode & 07777) != 0)) {
(void) close (ifd);
return -1;
}
+ if (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) {
+ if (errno!=EOPNOTSUPP) {
+ (void) close (ifd);
+ return -1;
+ }
+ }
+
while ((cnt = read (ifd, buf, sizeof buf)) > 0) {
if (write (ofd, buf, (size_t)cnt) != cnt) {
return -1;
diff -up shadow-4.1.4.2/src/Makefile.in.acl shadow-4.1.4.2/src/Makefile.in
--- shadow-4.1.4.2/src/Makefile.in.acl 2009-07-24 03:16:00.000000000 +0200
+++ shadow-4.1.4.2/src/Makefile.in 2011-02-09 17:35:23.470411800 +0100
@@ -430,9 +430,9 @@ su_SOURCES = \
su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
sulogin_LDADD = $(LDADD) $(LIBCRYPT)
-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
vipw_LDADD = $(LDADD) $(LIBSELINUX)
all: all-am

View file

@ -1,53 +0,0 @@
diff -up shadow-4.1.4.2/libmisc/cleanup.c.fixes shadow-4.1.4.2/libmisc/cleanup.c
--- shadow-4.1.4.2/libmisc/cleanup.c.fixes 2009-09-07 15:52:22.449035388 +0200
+++ shadow-4.1.4.2/libmisc/cleanup.c 2009-09-07 15:55:06.632033653 +0200
@@ -107,7 +107,7 @@ void del_cleanup (cleanup_function pcf)
assert (i<CLEANUP_FUNCTIONS);
/* Move the rest of the cleanup functions */
- for (; i<CLEANUP_FUNCTIONS; i++) {
+ for (; i<(CLEANUP_FUNCTIONS - 1); i++) {
/* Make sure the cleanup function was specified only once */
assert (cleanup_functions[i+1] != pcf);
diff -up shadow-4.1.4.2/libmisc/limits.c.fixes shadow-4.1.4.2/libmisc/limits.c
--- shadow-4.1.4.2/libmisc/limits.c.fixes 2009-09-07 15:55:38.734034494 +0200
+++ shadow-4.1.4.2/libmisc/limits.c 2009-09-07 15:56:10.545044166 +0200
@@ -167,7 +167,7 @@ static int check_logins (const char *nam
* includes the user who is currently trying to log in.
*/
if (count > limit) {
- SYSLOG ((LOG_WARN, "Too many logins (max %d) for %s\n",
+ SYSLOG ((LOG_WARN, "Too many logins (max %lu) for %s\n",
limit, name));
return LOGIN_ERROR_LOGIN;
}
diff -up shadow-4.1.4.2/libmisc/utmp.c.fixes shadow-4.1.4.2/libmisc/utmp.c
--- shadow-4.1.4.2/libmisc/utmp.c.fixes 2009-09-07 15:56:30.534033865 +0200
+++ shadow-4.1.4.2/libmisc/utmp.c 2009-09-07 16:11:23.049069289 +0200
@@ -56,7 +56,7 @@ static bool is_my_tty (const char *tty)
/* full_tty shall be at least sizeof utmp.ut_line + 5 */
char full_tty[200];
/* tmptty shall be bigger than full_tty */
- static char tmptty[sizeof (full_tty)+1];
+ static char tmptty[sizeof (full_tty)+1] = "";
if ('/' != *tty) {
(void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty);
@@ -71,7 +71,7 @@ static bool is_my_tty (const char *tty)
}
}
- if (NULL == tmptty) {
+ if ('\0' == tmptty[0]) {
(void) puts (_("Unable to determine your tty name."));
exit (EXIT_FAILURE);
} else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) {
@@ -200,7 +200,6 @@ static void updwtmpx (const char *filena
strcpy (hostname, host);
#ifdef HAVE_STRUCT_UTMP_UT_HOST
} else if ( (NULL != ut)
- && (NULL != ut->ut_host)
&& ('\0' != ut->ut_host[0])) {
hostname = (char *) xmalloc (sizeof (ut->ut_host) + 1);
strncpy (hostname, ut->ut_host, sizeof (ut->ut_host));

View file

@ -1,23 +0,0 @@
diff -up shadow-4.1.4.2/lib/gshadow.c.gshadow shadow-4.1.4.2/lib/gshadow.c
--- shadow-4.1.4.2/lib/gshadow.c.gshadow 2009-06-12 19:50:23.000000000 +0200
+++ shadow-4.1.4.2/lib/gshadow.c 2011-01-05 16:28:55.207685148 +0100
@@ -223,6 +223,7 @@ void endsgent (void)
if (NULL == buf) {
return NULL;
}
+ buflen = BUFSIZ;
}
if (NULL == fp) {
@@ -230,9 +231,9 @@ void endsgent (void)
}
#ifdef USE_NIS
- while (fgetsx (buf, (int) sizeof buf, fp) == buf)
+ while (fgetsx (buf, (int) buflen, fp) == buf)
#else
- if (fgetsx (buf, (int) sizeof buf, fp) == buf)
+ if (fgetsx (buf, (int) buflen, fp) == buf)
#endif
{
while ( ((cp = strrchr (buf, '\n')) == NULL)

View file

@ -1,108 +0,0 @@
diff -up shadow-4.1.4.2/lib/groupmem.c.leak shadow-4.1.4.2/lib/groupmem.c
--- shadow-4.1.4.2/lib/groupmem.c.leak 2009-04-23 19:43:27.000000000 +0200
+++ shadow-4.1.4.2/lib/groupmem.c 2009-09-07 15:43:23.314129427 +0200
@@ -51,10 +51,13 @@
*gr = *grent;
gr->gr_name = strdup (grent->gr_name);
if (NULL == gr->gr_name) {
+ free(gr);
return NULL;
}
gr->gr_passwd = strdup (grent->gr_passwd);
if (NULL == gr->gr_passwd) {
+ free(gr->gr_name);
+ free(gr);
return NULL;
}
@@ -62,11 +65,21 @@
gr->gr_mem = (char **) malloc ((i + 1) * sizeof (char *));
if (NULL == gr->gr_mem) {
+ free(gr->gr_passwd);
+ free(gr->gr_name);
+ free(gr);
return NULL;
}
for (i = 0; grent->gr_mem[i]; i++) {
gr->gr_mem[i] = strdup (grent->gr_mem[i]);
if (NULL == gr->gr_mem[i]) {
+ int j;
+ for (j=0; j<i; j++)
+ free(gr->gr_mem[j]);
+ free(gr->gr_mem);
+ free(gr->gr_passwd);
+ free(gr->gr_name);
+ free(gr);
return NULL;
}
}
diff -up shadow-4.1.4.2/libmisc/copydir.c.leak shadow-4.1.4.2/libmisc/copydir.c
--- shadow-4.1.4.2/libmisc/copydir.c.leak 2009-05-22 12:16:14.000000000 +0200
+++ shadow-4.1.4.2/libmisc/copydir.c 2009-09-07 15:41:49.217192095 +0200
@@ -443,6 +443,7 @@ static char *readlink_malloc (const char
nchars = readlink (filename, buffer, size);
if (nchars < 0) {
+ free(buffer);
return NULL;
}
diff -up shadow-4.1.4.2/lib/pwmem.c.leak shadow-4.1.4.2/lib/pwmem.c
--- shadow-4.1.4.2/lib/pwmem.c.leak 2009-04-23 19:43:27.000000000 +0200
+++ shadow-4.1.4.2/lib/pwmem.c 2009-09-07 15:41:49.218203063 +0200
@@ -51,22 +51,37 @@
*pw = *pwent;
pw->pw_name = strdup (pwent->pw_name);
if (NULL == pw->pw_name) {
+ free(pw);
return NULL;
}
pw->pw_passwd = strdup (pwent->pw_passwd);
if (NULL == pw->pw_passwd) {
+ free(pw->pw_name);
+ free(pw);
return NULL;
}
pw->pw_gecos = strdup (pwent->pw_gecos);
if (NULL == pw->pw_gecos) {
+ free(pw->pw_passwd);
+ free(pw->pw_name);
+ free(pw);
return NULL;
}
pw->pw_dir = strdup (pwent->pw_dir);
if (NULL == pw->pw_dir) {
+ free(pw->pw_gecos);
+ free(pw->pw_passwd);
+ free(pw->pw_name);
+ free(pw);
return NULL;
}
pw->pw_shell = strdup (pwent->pw_shell);
if (NULL == pw->pw_shell) {
+ free(pw->pw_dir);
+ free(pw->pw_gecos);
+ free(pw->pw_passwd);
+ free(pw->pw_name);
+ free(pw);
return NULL;
}
diff -up shadow-4.1.4.2/lib/shadowmem.c.leak shadow-4.1.4.2/lib/shadowmem.c
--- shadow-4.1.4.2/lib/shadowmem.c.leak 2009-04-23 19:43:27.000000000 +0200
+++ shadow-4.1.4.2/lib/shadowmem.c 2009-09-07 15:41:49.218203063 +0200
@@ -52,10 +52,13 @@
*sp = *spent;
sp->sp_namp = strdup (spent->sp_namp);
if (NULL == sp->sp_namp) {
+ free(sp);
return NULL;
}
sp->sp_pwdp = strdup (spent->sp_pwdp);
if (NULL == sp->sp_pwdp) {
+ free(sp->sp_namp);
+ free(sp);
return NULL;
}

View file

@ -1,53 +0,0 @@
diff -up shadow-4.1.4.2/man/useradd.8.redhat shadow-4.1.4.2/man/useradd.8
--- shadow-4.1.4.2/man/useradd.8.redhat 2009-07-24 03:16:44.000000000 +0200
+++ shadow-4.1.4.2/man/useradd.8 2011-02-09 11:04:24.851151246 +0100
@@ -211,7 +211,7 @@ Create the user\'s home directory if it
\fB\-k\fR
option) will be copied to the home directory\&.
.sp
-By default, no home directories are created\&.
+The home directories are created by default on RHEL/Fedora systems because of /etc/login.defs (\fBCREATE_HOME\fR) setting\&.
.RE
.PP
\fB\-M\fR
diff -up shadow-4.1.4.2/src/useradd.c.redhat shadow-4.1.4.2/src/useradd.c
--- shadow-4.1.4.2/src/useradd.c.redhat 2009-06-06 00:16:58.000000000 +0200
+++ shadow-4.1.4.2/src/useradd.c 2011-02-09 11:04:06.031036886 +0100
@@ -90,7 +90,7 @@ char *Prog;
static gid_t def_group = 100;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no";
@@ -102,7 +102,7 @@ static char def_file[] = USER_DEFAULTS_F
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
-static const char *user_pass = "!";
+static const char *user_pass = "!!";
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -989,9 +989,9 @@ static void process_flags (int argc, cha
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:",
+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:",
#else
- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U",
+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U",
#endif
long_options, NULL)) != -1) {
switch (c) {
@@ -1141,6 +1141,7 @@ static void process_flags (int argc, cha
case 'M':
Mflg = true;
break;
+ case 'n':
case 'N':
Nflg = true;
break;

View file

@ -1,58 +0,0 @@
diff -up shadow-4.1.4.3/src/faillog.c.underflow shadow-4.1.4.3/src/faillog.c
--- shadow-4.1.4.3/src/faillog.c.underflow 2011-02-13 12:58:16.000000000 -0500
+++ shadow-4.1.4.3/src/faillog.c 2011-05-30 17:48:55.000000000 -0400
@@ -106,8 +106,8 @@ static void print_one (/*@null@*/const s
return;
}
- offset = pw->pw_uid * sizeof (fl);
- if (offset <= (statbuf.st_size - sizeof (fl))) {
+ offset = (off_t) pw->pw_uid * sizeof (fl);
+ if (offset + sizeof (fl) <= statbuf.st_size) {
/* fseeko errors are not really relevant for us. */
int err = fseeko (fail, offset, SEEK_SET);
assert (0 == err);
@@ -206,8 +206,8 @@ static bool reset_one (uid_t uid)
off_t offset;
struct faillog fl;
- offset = uid * sizeof (fl);
- if (offset <= (statbuf.st_size - sizeof (fl))) {
+ offset = (off_t) uid * sizeof (fl);
+ if (offset + sizeof (fl) <= statbuf.st_size) {
/* fseeko errors are not really relevant for us. */
int err = fseeko (fail, offset, SEEK_SET);
assert (0 == err);
@@ -294,7 +294,7 @@ static bool setmax_one (uid_t uid, int m
struct faillog fl;
offset = (off_t) uid * sizeof (fl);
- if (offset <= (statbuf.st_size - sizeof (fl))) {
+ if (offset + sizeof (fl) <= statbuf.st_size) {
/* fseeko errors are not really relevant for us. */
int err = fseeko (fail, offset, SEEK_SET);
assert (0 == err);
@@ -385,7 +385,7 @@ static bool set_locktime_one (uid_t uid,
struct faillog fl;
offset = (off_t) uid * sizeof (fl);
- if (offset <= (statbuf.st_size - sizeof (fl))) {
+ if (offset + sizeof (fl) <= statbuf.st_size) {
/* fseeko errors are not really relevant for us. */
int err = fseeko (fail, offset, SEEK_SET);
assert (0 == err);
diff -up shadow-4.1.4.3/src/lastlog.c.underflow shadow-4.1.4.3/src/lastlog.c
--- shadow-4.1.4.3/src/lastlog.c.underflow 2011-05-31 03:52:25.000000000 -0400
+++ shadow-4.1.4.3/src/lastlog.c 2011-05-31 03:53:32.000000000 -0400
@@ -102,9 +102,8 @@ static void print_one (/*@null@*/const s
}
- offset = pw->pw_uid * sizeof (ll);
-
- if (offset <= (statbuf.st_size - sizeof (ll))) {
+ offset = (off_t) pw->pw_uid * sizeof (ll);
+ if (offset + sizeof (ll) <= statbuf.st_size) {
/* fseeko errors are not really relevant for us. */
int err = fseeko (lastlogfile, offset, SEEK_SET);
assert (0 == err);

View file

@ -1,115 +0,0 @@
diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.IDs shadow-4.1.4.3/libmisc/find_new_gid.c
--- shadow-4.1.4.3/libmisc/find_new_gid.c.IDs 2011-12-20 13:28:13.042668305 +0100
+++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-12-20 13:35:40.011817589 +0100
@@ -32,6 +32,7 @@
#include <assert.h>
#include <stdio.h>
+#include <errno.h>
#include "prototypes.h"
#include "groupio.h"
@@ -65,8 +66,6 @@ int find_new_gid (bool sys_group,
gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
}
- used_gids = alloca (sizeof (bool) * (gid_max +1));
- memset (used_gids, false, sizeof (bool) * (gid_max + 1));
if ( (NULL != preferred_gid)
&& (*preferred_gid >= gid_min)
@@ -80,6 +79,14 @@ int find_new_gid (bool sys_group,
return 0;
}
+ used_gids = malloc (sizeof (bool) * (gid_max +1));
+ if(used_gids==NULL) {
+ fprintf (stderr,
+ _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno));
+ return -1;
+ }
+ memset (used_gids, false, sizeof (bool) * (gid_max + 1));
+
/* if we did not find free preffered system gid, we start to look for
* one in the range assigned to dynamic system IDs */
if (sys_group)
@@ -162,6 +169,7 @@ int find_new_gid (bool sys_group,
Prog);
SYSLOG ((LOG_WARN,
"no more available GID on the system"));
+ free(used_gids);
return -1;
}
}
@@ -177,12 +185,14 @@ int find_new_gid (bool sys_group,
_("%s: Can't get unique GID (no more available GIDs)\n"),
Prog);
SYSLOG ((LOG_WARN, "no more available GID on the system"));
+ free(used_gids);
return -1;
}
}
}
*gid = group_id;
+ free(used_gids);
return 0;
}
diff -up shadow-4.1.4.3/libmisc/find_new_uid.c.IDs shadow-4.1.4.3/libmisc/find_new_uid.c
--- shadow-4.1.4.3/libmisc/find_new_uid.c.IDs 2011-02-13 18:58:11.000000000 +0100
+++ shadow-4.1.4.3/libmisc/find_new_uid.c 2011-12-20 13:37:27.415023688 +0100
@@ -32,6 +32,7 @@
#include <assert.h>
#include <stdio.h>
+#include <errno.h>
#include "prototypes.h"
#include "pwio.h"
@@ -65,8 +66,6 @@ int find_new_uid (bool sys_user,
uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max);
}
- used_uids = alloca (sizeof (bool) * (uid_max +1));
- memset (used_uids, false, sizeof (bool) * (uid_max + 1));
if ( (NULL != preferred_uid)
&& (*preferred_uid >= uid_min)
@@ -80,6 +79,13 @@ int find_new_uid (bool sys_user,
return 0;
}
+ used_uids = malloc (sizeof (bool) * (uid_max +1));
+ if(used_uids==NULL) {
+ fprintf (stderr,
+ _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno));
+ return -1;
+ }
+ memset (used_uids, false, sizeof (bool) * (uid_max + 1));
/*
* Search the entire password file,
@@ -158,6 +164,7 @@ int find_new_uid (bool sys_user,
Prog);
SYSLOG ((LOG_WARN,
"no more available UID on the system"));
+ free(used_uids);
return -1;
}
}
@@ -173,12 +180,14 @@ int find_new_uid (bool sys_user,
_("%s: Can't get unique UID (no more available UIDs)\n"),
Prog);
SYSLOG ((LOG_WARN, "no more available UID on the system"));
+ free(used_uids);
return -1;
}
}
}
*uid = user_id;
+ free(used_uids);
return 0;
}

View file

@ -1,640 +0,0 @@
diff -up shadow-4.1.4.3/lib/Makefile.in.libsemanage shadow-4.1.4.3/lib/Makefile.in
--- shadow-4.1.4.3/lib/Makefile.in.libsemanage 2011-02-15 23:18:15.000000000 +0100
+++ shadow-4.1.4.3/lib/Makefile.in 2011-11-09 14:11:26.455362101 +0100
@@ -52,7 +52,7 @@ am_libshadow_la_OBJECTS = commonio.lo en
groupio.lo groupmem.lo gshadow.lo lockpw.lo nscd.lo port.lo \
pwauth.lo pwio.lo pwmem.lo sgetgrent.lo sgetpwent.lo \
sgetspent.lo sgroupio.lo shadow.lo shadowio.lo shadowmem.lo \
- utent.lo
+ utent.lo selinux.lo
libshadow_la_OBJECTS = $(am_libshadow_la_OBJECTS)
libshadow_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -202,7 +202,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@@ -261,7 +260,8 @@ libshadow_la_SOURCES = \
shadowio.c \
shadowio.h \
shadowmem.c \
- utent.c
+ utent.c \
+ selinux.c
# These files are unneeded for some reason, listed in
@@ -349,6 +349,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadow.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowio.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowmem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/selinux.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utent.Plo@am__quote@
.c.o:
diff -up shadow-4.1.4.3/libmisc/Makefile.in.libsemanage shadow-4.1.4.3/libmisc/Makefile.in
--- shadow-4.1.4.3/libmisc/Makefile.in.libsemanage 2011-02-15 23:18:16.000000000 +0100
+++ shadow-4.1.4.3/libmisc/Makefile.in 2011-11-09 14:11:26.456362098 +0100
@@ -64,7 +64,7 @@ am_libmisc_a_OBJECTS = addgrps.$(OBJEXT)
pam_pass_non_interractive.$(OBJEXT) pwd2spwd.$(OBJEXT) \
pwdcheck.$(OBJEXT) pwd_init.$(OBJEXT) rlogin.$(OBJEXT) \
salt.$(OBJEXT) setugid.$(OBJEXT) setupenv.$(OBJEXT) \
- shell.$(OBJEXT) system.$(OBJEXT) strtoday.$(OBJEXT) \
+ shell.$(OBJEXT) strtoday.$(OBJEXT) \
sub.$(OBJEXT) sulog.$(OBJEXT) ttytype.$(OBJEXT) tz.$(OBJEXT) \
ulimit.$(OBJEXT) user_busy.$(OBJEXT) utmp.$(OBJEXT) \
valid.$(OBJEXT) xgetpwnam.$(OBJEXT) xgetpwuid.$(OBJEXT) \
@@ -284,7 +284,6 @@ libmisc_a_SOURCES = \
setugid.c \
setupenv.c \
shell.c \
- system.c \
strtoday.c \
sub.c \
sulog.c \
@@ -394,7 +393,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strtoday.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sub.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sulog.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttytype.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tz.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ulimit.Po@am__quote@
diff -up shadow-4.1.4.3/libmisc/system.c.libsemanage shadow-4.1.4.3/libmisc/system.c
--- shadow-4.1.4.3/libmisc/system.c.libsemanage 2011-02-13 18:58:11.000000000 +0100
+++ shadow-4.1.4.3/libmisc/system.c 2011-11-09 14:11:26.457362095 +0100
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 2009 , Dan Walsh <dwalsh@redhat.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the copyright holders or contributors may not be used to
- * endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include <config.h>
-
-#ident "$Id: system.c 2849 2009-04-30 21:08:49Z nekral-guest $"
-
-#include <stdio.h>
-#include <sys/wait.h>
-#include <fcntl.h>
-#include "prototypes.h"
-#include "defines.h"
-
-int safe_system (const char *command,
- const char *argv[],
- const char *env[],
- int ignore_stderr)
-{
- int status = -1;
- int fd;
- pid_t pid;
-
- pid = fork();
- if (pid < 0) {
- return -1;
- }
-
- if (pid) { /* Parent */
- if (waitpid (pid, &status, 0) > 0) {
- return status;
- } else {
- return -1;
- }
- }
-
- fd = open ("/dev/null", O_RDWR);
- /* Child */
- dup2 (fd, 0); // Close Stdin
- if (ignore_stderr) {
- dup2 (fd, 2); // Close Stderr
- }
-
- execve (command, (char *const *) argv, (char *const *) env);
- fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]);
- exit (EXIT_FAILURE);
-}
-
diff -up shadow-4.1.4.3/lib/prototypes.h.libsemanage shadow-4.1.4.3/lib/prototypes.h
--- shadow-4.1.4.3/lib/prototypes.h.libsemanage 2011-02-13 18:58:23.000000000 +0100
+++ shadow-4.1.4.3/lib/prototypes.h 2011-11-09 14:11:26.457362095 +0100
@@ -331,12 +331,6 @@ extern void spw_free (/*@out@*/ /*@only@
/* shell.c */
extern int shell (const char *file, /*@null@*/const char *arg, char *const envp[]);
-/* system.c */
-extern int safe_system (const char *command,
- const char *argv[],
- const char *env[],
- int ignore_stderr);
-
/* strtoday.c */
extern long strtoday (const char *);
@@ -403,4 +397,8 @@ extern /*@null@*/ /*@only@*/struct spwd
/* yesno.c */
extern bool yes_or_no (bool read_only);
+/* selinux.c */
+int set_seuser(const char *login_name, const char *seuser_name);
+int del_seuser(const char *login_name);
+
#endif /* _PROTOTYPES_H */
diff -up shadow-4.1.4.3/lib/selinux.c.libsemanage shadow-4.1.4.3/lib/selinux.c
--- shadow-4.1.4.3/lib/selinux.c.libsemanage 2011-11-09 14:11:26.458362092 +0100
+++ shadow-4.1.4.3/lib/selinux.c 2011-11-09 14:11:26.458362092 +0100
@@ -0,0 +1,341 @@
+/*
+ shadow-utils
+
+ su-selinux.c
+
+ Copyright (C) Jakub Hrozek <jhrozek@redhat.com> 2010
+ Copyright (C) Peter Vrabec <pvrabec@redhat.com> 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <config.h>
+
+#include "defines.h"
+
+#include <stdio.h>
+#include <selinux/selinux.h>
+#include <semanage/semanage.h>
+
+
+#ifndef DEFAULT_SERANGE
+#define DEFAULT_SERANGE "s0"
+#endif
+
+
+static void semanage_error_callback(void *varg,
+ semanage_handle_t *handle,
+ const char *fmt, ...)
+{
+ int ret;
+ char * message = NULL;
+ va_list ap;
+
+
+ va_start(ap, fmt);
+ ret = vasprintf(&message, fmt, ap);
+ va_end(ap);
+ if (ret < 0) {
+ /* ENOMEM */
+ return;
+ }
+
+ switch (semanage_msg_get_level(handle)) {
+ case SEMANAGE_MSG_ERR:
+ case SEMANAGE_MSG_WARN:
+ fprintf(stderr, "[libsemanage]: %s\n", message);
+ break;
+ case SEMANAGE_MSG_INFO:
+ /* nop */
+ break;
+ }
+
+ free(message);
+}
+
+
+static semanage_handle_t *semanage_init(void)
+{
+ int ret;
+ semanage_handle_t *handle = NULL;
+
+ handle = semanage_handle_create();
+ if (!handle) {
+ fprintf(stderr, _("Cannot create SELinux management handle\n"));
+ return NULL;
+ }
+
+ semanage_msg_set_callback(handle, semanage_error_callback, NULL);
+
+ ret = semanage_is_managed(handle);
+ if (ret != 1) {
+ fprintf(stderr, _("SELinux policy not managed\n"));
+ goto fail;
+ }
+
+ ret = semanage_access_check(handle);
+ if (ret < SEMANAGE_CAN_READ) {
+ fprintf(stderr, _("Cannot read SELinux policy store\n"));
+ goto fail;
+ }
+
+ ret = semanage_connect(handle);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot estabilish SELinux management connection\n"));
+ goto fail;
+ }
+
+ ret = semanage_begin_transaction(handle);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot begin SELinux transaction\n"));
+ goto fail;
+ }
+
+ return handle;
+fail:
+ semanage_handle_destroy(handle);
+ return NULL;
+}
+
+
+static int semanage_user_mod(semanage_handle_t *handle,
+ semanage_seuser_key_t *key,
+ const char *login_name,
+ const char *seuser_name)
+{
+ int ret;
+ semanage_seuser_t *seuser = NULL;
+
+ semanage_seuser_query(handle, key, &seuser);
+ if (seuser == NULL) {
+ fprintf(stderr, _("Could not query seuser for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set serange for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_sename(handle, seuser, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set sename for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_modify_local(handle, key, seuser);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not modify login mapping for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+done:
+ semanage_seuser_free(seuser);
+ return ret;
+}
+
+
+static int semanage_user_add(semanage_handle_t *handle,
+ semanage_seuser_key_t *key,
+ const char *login_name,
+ const char *seuser_name)
+{
+ int ret;
+ semanage_seuser_t *seuser = NULL;
+
+ ret = semanage_seuser_create(handle, &seuser);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot create SELinux login mapping for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_name(handle, seuser, login_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set name for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set serange for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_sename(handle, seuser, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set SELinux user for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_modify_local(handle, key, seuser);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not add login mapping for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+done:
+ semanage_seuser_free(seuser);
+ return ret;
+}
+
+
+int set_seuser(const char *login_name, const char *seuser_name)
+{
+ semanage_handle_t *handle = NULL;
+ semanage_seuser_key_t *key = NULL;
+ int ret;
+ int seuser_exists = 0;
+
+ if (seuser_name == NULL) {
+ /* don't care, just let system pick the defaults */
+ return 0;
+ }
+
+ handle = semanage_init();
+ if (!handle) {
+ fprintf(stderr, _("Cannot init SELinux management\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_key_create(handle, login_name, &key);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot create SELinux user key\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_exists(handle, key, &seuser_exists);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot verify the SELinux user\n"));
+ ret = 1;
+ goto done;
+ }
+
+ if (seuser_exists) {
+ ret = semanage_user_mod(handle, key, login_name, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot modify SELinux user mapping\n"));
+ ret = 1;
+ goto done;
+ }
+ } else {
+ ret = semanage_user_add(handle, key, login_name, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot add SELinux user mapping\n"));
+ ret = 1;
+ goto done;
+ }
+ }
+
+ ret = semanage_commit(handle);
+ if (ret < 0) {
+ fprintf(stderr,_("Cannot commit SELinux transaction\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+
+done:
+ semanage_seuser_key_free(key);
+ semanage_handle_destroy(handle);
+ return ret;
+}
+
+
+
+
+
+int del_seuser(const char *login_name)
+{
+ semanage_handle_t *handle = NULL;
+ semanage_seuser_key_t *key = NULL;
+ int ret;
+ int exists = 0;
+
+ handle = semanage_init();
+ if (!handle) {
+ fprintf(stderr, _("Cannot init SELinux management\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_key_create(handle, login_name, &key);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot create SELinux user key\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_exists(handle, key, &exists);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot verify the SELinux user\n"));
+ ret = 1;
+ goto done;
+ }
+
+ if (!exists) {
+ fprintf(stderr, _("Login mapping for %s is not defined, OK if default mapping was used\n"),
+ login_name);
+ ret = 0; /* probably default mapping */
+ goto done;
+ }
+
+ ret = semanage_seuser_exists_local(handle, key, &exists);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot verify the SELinux user\n"));
+ ret = 1;
+ goto done;
+ }
+
+ if (!exists) {
+ fprintf(stderr, _("Login mapping for %s is defined in policy, cannot be deleted\n"),
+ login_name);
+ ret = 0; /* Login mapping defined in policy can't be deleted */
+ goto done;
+ }
+
+ ret = semanage_seuser_del_local(handle, key);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not delete login mapping for %s"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_commit(handle);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot commit SELinux transaction\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+done:
+ semanage_handle_destroy(handle);
+ return ret;
+}
+
diff -up shadow-4.1.4.3/man/userdel.8.libsemanage shadow-4.1.4.3/man/userdel.8
--- shadow-4.1.4.3/man/userdel.8.libsemanage 2011-11-09 14:19:27.772753117 +0100
+++ shadow-4.1.4.3/man/userdel.8 2011-11-09 14:21:13.947365740 +0100
@@ -243,6 +243,11 @@ can\*(Aqt update group file
.RS 4
can\*(Aqt remove home directory
.RE
+.PP
+\fI14\fR
+.RS 4
+can\*(Aqt update SELinux user mapping
+.PP
.SH "CAVEATS"
.PP
diff -up shadow-4.1.4.3/src/Makefile.in.libsemanage shadow-4.1.4.3/src/Makefile.in
--- shadow-4.1.4.3/src/Makefile.in.libsemanage 2011-11-09 14:11:26.431362175 +0100
+++ shadow-4.1.4.3/src/Makefile.in 2011-11-09 14:11:26.459362089 +0100
@@ -431,9 +431,9 @@ su_SOURCES = \
su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
sulogin_LDADD = $(LDADD) $(LIBCRYPT)
-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage
+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage
+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage
vipw_LDADD = $(LDADD) $(LIBSELINUX)
all: all-am
diff -up shadow-4.1.4.3/src/useradd.c.libsemanage shadow-4.1.4.3/src/useradd.c
--- shadow-4.1.4.3/src/useradd.c.libsemanage 2011-11-09 14:11:26.424362196 +0100
+++ shadow-4.1.4.3/src/useradd.c 2011-11-09 14:11:26.460362086 +0100
@@ -1999,16 +1999,7 @@ int main (int argc, char **argv)
#ifdef WITH_SELINUX
if (Zflg && *user_selinux) {
if (is_selinux_enabled () > 0) {
- const char *argv[7];
-
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-a";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 0)) {
+ if (set_seuser(user_name, user_selinux)) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
diff -up shadow-4.1.4.3/src/userdel.c.libsemanage shadow-4.1.4.3/src/userdel.c
--- shadow-4.1.4.3/src/userdel.c.libsemanage 2011-11-09 14:11:26.425362193 +0100
+++ shadow-4.1.4.3/src/userdel.c 2011-11-09 14:18:59.274855167 +0100
@@ -70,6 +70,7 @@
#define E_USER_BUSY 8 /* user currently logged in */
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't remove home directory */
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
/*
* Global variables
@@ -1002,13 +1003,17 @@ int main (int argc, char **argv)
#ifdef WITH_SELINUX
if (Zflg) {
if (is_selinux_enabled () > 0) {
- const char *args[5];
- args[0] = "/usr/sbin/semanage";
- args[1] = "login";
- args[2] = "-d";
- args[3] = user_name;
- args[4] = NULL;
- safe_system (args[0], args, NULL, 1);
+ if (del_seuser(user_name)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
+ Prog, user_name);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "removing SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
}
}
#endif
diff -up shadow-4.1.4.3/src/usermod.c.libsemanage shadow-4.1.4.3/src/usermod.c
--- shadow-4.1.4.3/src/usermod.c.libsemanage 2011-11-09 14:11:26.426362190 +0100
+++ shadow-4.1.4.3/src/usermod.c 2011-11-09 14:11:26.463362076 +0100
@@ -1787,28 +1787,16 @@ int main (int argc, char **argv)
#ifdef WITH_SELINUX
if (Zflg && *user_selinux) {
if (is_selinux_enabled () > 0) {
- const char *argv[7];
-
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-m";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 1)) {
- argv[2] = "-a";
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
+ if (set_seuser(user_name, user_selinux)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying User mapping ",
- user_name, (unsigned int) user_id, 0);
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
#endif
- fail_exit (E_SE_UPDATE);
- }
+ fail_exit (E_SE_UPDATE);
}
}
}

View file

@ -1,27 +0,0 @@
diff -up shadow-4.1.4.3/man/useradd.8.man shadow-4.1.4.3/man/useradd.8
--- shadow-4.1.4.3/man/useradd.8.man 2011-11-09 14:30:51.402072168 +0100
+++ shadow-4.1.4.3/man/useradd.8 2011-11-10 11:09:14.266810444 +0100
@@ -220,12 +220,12 @@ Create the user\*(Aqs home directory if
\fB\-k\fR
option) will be copied to the home directory\&.
.sp
-The home directories are created by default on RHEL/Fedora systems because of /etc/login.defs (\fBCREATE_HOME\fR) setting\&.
+useradd will create the home directory unless \fBCREATE_HOME\fR in /etc/login.defs is set to no\&.
.RE
.PP
\fB\-M\fR
.RS 4
-Do no create the user\*(Aqs home directory, even if the system wide setting from
+Do not create the user\*(Aqs home directory, even if the system wide setting from
/etc/login\&.defs
(\fBCREATE_HOME\fR) is set to
\fIyes\fR\&.
@@ -255,7 +255,7 @@ variable in
Allow the creation of a user account with a duplicate (non\-unique) UID\&.
.sp
This option is only valid in combination with the
-\fB\-o\fR
+\fB\-u\fR
option\&.
.RE
.PP

View file

@ -1,32 +0,0 @@
diff -up shadow-4.1.4.3/man/ru/Makefile.in.nopam shadow-4.1.4.3/man/ru/Makefile.in
--- shadow-4.1.4.3/man/ru/Makefile.in.nopam 2011-05-20 22:42:23.145018292 +0200
+++ shadow-4.1.4.3/man/ru/Makefile.in 2011-05-20 22:43:56.654017229 +0200
@@ -150,7 +150,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
POSUB = @POSUB@
@@ -222,13 +221,13 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-man_MANS = $(man_nopam) chage.1 chfn.1 chgpasswd.8 chpasswd.8 chsh.1 \
- expiry.1 faillog.5 faillog.8 getspnam.3 gpasswd.1 groupadd.8 \
- groupdel.8 groupmems.8 groupmod.8 groups.1 grpck.8 grpconv.8 \
- grpunconv.8 gshadow.5 lastlog.8 login.1 login.defs.5 logoutd.8 \
- newgrp.1 newusers.8 nologin.8 passwd.1 passwd.5 pwck.8 \
- pwconv.8 pwunconv.8 sg.1 shadow.3 shadow.5 su.1 suauth.5 \
- useradd.8 userdel.8 usermod.8 vigr.8 vipw.8 $(am__append_1)
+man_MANS = chage.1 chfn.1 chgpasswd.8 chpasswd.8 chsh.1 expiry.1 \
+ faillog.5 faillog.8 getspnam.3 gpasswd.1 groupadd.8 groupdel.8 \
+ groupmems.8 groupmod.8 groups.1 grpck.8 grpconv.8 grpunconv.8 \
+ gshadow.5 lastlog.8 login.1 login.defs.5 logoutd.8 newgrp.1 \
+ newusers.8 nologin.8 passwd.1 passwd.5 pwck.8 pwconv.8 \
+ pwunconv.8 sg.1 shadow.3 shadow.5 su.1 suauth.5 useradd.8 \
+ userdel.8 usermod.8 vigr.8 vipw.8 $(am__append_1)
man_nopam = \
limits.5 \
login.access.5 \

View file

@ -1,15 +0,0 @@
diff -up shadow-4.1.4.3/lib/commonio.c.selinux shadow-4.1.4.3/lib/commonio.c
--- shadow-4.1.4.3/lib/commonio.c.selinux 2011-02-13 18:58:23.000000000 +0100
+++ shadow-4.1.4.3/lib/commonio.c 2011-11-16 17:09:46.615837659 +0100
@@ -921,10 +921,10 @@ int commonio_close (struct commonio_db *
#ifdef WITH_SELINUX
if (db->scontext != NULL) {
- if (NULL != old_context) {
if (setfscreatecon (old_context) < 0) {
errors++;
}
+ if (NULL != old_context) {
freecon (old_context);
old_context = NULL;
}

View file

@ -1,294 +0,0 @@
diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
--- shadow-4.1.4.3/man/useradd.8.semange 2011-08-02 12:57:47.971838218 +0200
+++ shadow-4.1.4.3/man/useradd.8 2011-08-02 12:57:47.985838145 +0200
@@ -640,6 +640,11 @@ can\*(Aqt create home directory
.RS 4
can\*(Aqt create mail spool
.RE
+.PP
+\fI14\fR
+.RS 4
+can\'t update SELinux user mapping
+.RE
.SH "SEE ALSO"
.PP
diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
--- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100
+++ shadow-4.1.4.3/man/userdel.8 2011-08-02 12:57:47.985838145 +0200
@@ -76,6 +76,11 @@ variable in the
login\&.defs
file\&.
.RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR
+.RS 4
+Remove SELinux user assigned to the user´s login from SELinux login mapping.
+.RE
.SH "CONFIGURATION"
.PP
The following configuration variables in
diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
--- shadow-4.1.4.3/src/useradd.c.semange 2011-08-02 12:57:47.968838234 +0200
+++ shadow-4.1.4.3/src/useradd.c 2011-08-02 12:58:17.626684439 +0200
@@ -164,6 +164,7 @@ static bool home_added = false;
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
#define E_MAIL_SPOOL 13 /* can't create mail spool */
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#define DGROUP "GROUP="
#define HOME "HOME="
@@ -181,9 +182,6 @@ static int set_defaults (void);
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static long scale_age (long);
static void new_spent (struct spwd *);
@@ -1710,32 +1708,6 @@ static void usr_update (void)
}
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) { /* must be done after passwd write() */
- const char *argv[7];
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-a";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
-}
-#endif
/*
* create_home - create the user's home directory
*
@@ -2025,7 +1997,30 @@ int main (int argc, char **argv)
close_files ();
#ifdef WITH_SELINUX
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
#endif
nscd_flush_cache ("passwd");
diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
--- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/userdel.c 2011-08-02 12:57:47.988838130 +0200
@@ -82,6 +82,7 @@ static char *user_home;
static bool fflg = false;
static bool rflg = false;
+static bool Zflg = false;
static bool is_shadow_pwd;
@@ -120,6 +121,9 @@ static void usage (void)
" even if not owned by user\n"
" -h, --help display this help message and exit\n"
" -r, --remove remove home directory and mail spool\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -766,9 +770,17 @@ int main (int argc, char **argv)
{"force", no_argument, NULL, 'f'},
{"help", no_argument, NULL, 'h'},
{"remove", no_argument, NULL, 'r'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "fhr",
+ while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "fhrZ",
+#else
+ "fhr",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'f': /* force remove even if not owned by user */
@@ -777,6 +789,19 @@ int main (int argc, char **argv)
case 'r': /* remove home dir and mailbox */
rflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ Zflg = true;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
#endif
#ifdef WITH_SELINUX
- if (is_selinux_enabled () > 0) {
- const char *args[5];
- args[0] = "/usr/sbin/semanage";
- args[1] = "login";
- args[2] = "-d";
- args[3] = user_name;
- args[4] = NULL;
- safe_system (args[0], args, NULL, 1);
+ if (Zflg) {
+ if (is_selinux_enabled () > 0) {
+ const char *args[5];
+ args[0] = "/usr/sbin/semanage";
+ args[1] = "login";
+ args[2] = "-d";
+ args[3] = user_name;
+ args[4] = NULL;
+ safe_system (args[0], args, NULL, 1);
+ }
}
#endif
diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
--- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/usermod.c 2011-08-02 12:57:47.989838125 +0200
@@ -82,6 +82,9 @@
#define E_GRP_UPDATE 10 /* can't update group file */
/* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */
+#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
+
+
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
/*
* Global variables
@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static void new_spent (struct spwd *);
static void fail_exit (int);
@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
#ifdef WITH_SELINUX
- if (Zflg) {
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
}
#endif
@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
return E_SUCCESS;
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- const char *argv[7];
-
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) {
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-m";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 1)) {
- argv[2] = "-a";
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying User mapping ",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
- }
-}
-#endif
-

View file

@ -1,6 +1,6 @@
diff -up shadow-4.1.4.3/libmisc/chkname.c.goodname shadow-4.1.4.3/libmisc/chkname.c diff -up shadow-4.1.5/libmisc/chkname.c.goodname shadow-4.1.5/libmisc/chkname.c
--- shadow-4.1.4.3/libmisc/chkname.c.goodname 2011-02-13 18:58:11.000000000 +0100 --- shadow-4.1.5/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200
+++ shadow-4.1.4.3/libmisc/chkname.c 2011-05-18 20:38:50.639341048 +0200 +++ shadow-4.1.5/libmisc/chkname.c 2012-03-19 09:52:12.910605026 +0100
@@ -49,20 +49,28 @@ @@ -49,20 +49,28 @@
static bool is_valid_name (const char *name) static bool is_valid_name (const char *name)
{ {
@ -40,24 +40,24 @@ diff -up shadow-4.1.4.3/libmisc/chkname.c.goodname shadow-4.1.4.3/libmisc/chknam
return false; return false;
} }
} }
diff -up shadow-4.1.4.3/man/groupadd.8.goodname shadow-4.1.4.3/man/groupadd.8 diff -up shadow-4.1.5/man/groupadd.8.goodname shadow-4.1.5/man/groupadd.8
--- shadow-4.1.4.3/man/groupadd.8.goodname 2011-02-16 00:12:34.000000000 +0100 --- shadow-4.1.5/man/groupadd.8.goodname 2012-02-12 22:27:42.000000000 +0100
+++ shadow-4.1.4.3/man/groupadd.8 2011-05-18 20:42:53.204324534 +0200 +++ shadow-4.1.5/man/groupadd.8 2012-03-19 09:56:17.113723732 +0100
@@ -162,9 +162,7 @@ Shadow password suite configuration\&. @@ -181,9 +181,7 @@ Shadow password suite configuration\&.
.RE .RE
.SH "CAVEATS" .SH "CAVEATS"
.PP .PP
-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? -Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
-.PP -.PP
-Groupnames may only be up to characters long\&. -Groupnames may only be up to 16 characters long\&.
+Groupnames may only be up to 32 characters long\&. +Groupnames may only be up to 32 characters long\&.
.PP .PP
You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&.
.PP .PP
diff -up shadow-4.1.4.3/man/useradd.8.goodname shadow-4.1.4.3/man/useradd.8 diff -up shadow-4.1.5/man/useradd.8.goodname shadow-4.1.5/man/useradd.8
--- shadow-4.1.4.3/man/useradd.8.goodname 2011-05-18 20:38:50.635376546 +0200 --- shadow-4.1.5/man/useradd.8.goodname 2012-02-12 22:28:02.000000000 +0100
+++ shadow-4.1.4.3/man/useradd.8 2011-05-18 20:38:50.641332694 +0200 +++ shadow-4.1.5/man/useradd.8 2012-03-19 09:52:12.911605018 +0100
@@ -414,8 +414,6 @@ Similarly, if the username already exist @@ -421,8 +421,6 @@ Similarly, if the username already exist
\fBuseradd\fR \fBuseradd\fR
will deny the user account creation request\&. will deny the user account creation request\&.
.PP .PP

View file

@ -0,0 +1,45 @@
diff -up shadow-4.1.5/src/userdel.c.grremove shadow-4.1.5/src/userdel.c
--- shadow-4.1.5/src/userdel.c.grremove 2012-03-20 12:19:13.260854838 +0100
+++ shadow-4.1.5/src/userdel.c 2012-03-20 12:38:26.235622957 +0100
@@ -333,22 +333,22 @@ static void remove_usergroup (void)
* We can remove this group, it is not the primary
* group of any remaining user.
*/
- if (gr_remove (grp->gr_name) == 0) {
+ if (gr_remove (user_name) == 0) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
- Prog, grp->gr_name, gr_dbname ());
+ Prog, user_name, gr_dbname ());
fail_exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_GROUP, Prog,
"deleting group",
- grp->gr_name, AUDIT_NO_ID,
+ user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif /* WITH_AUDIT */
SYSLOG ((LOG_INFO,
"removed group '%s' owned by '%s'\n",
- grp->gr_name, user_name));
+ user_name, user_name));
#ifdef SHADOWGRP
if (sgr_locate (user_name) != NULL) {
@@ -361,12 +361,12 @@ static void remove_usergroup (void)
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_GROUP, Prog,
"deleting shadow group",
- grp->gr_name, AUDIT_NO_ID,
+ user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif /* WITH_AUDIT */
SYSLOG ((LOG_INFO,
"removed shadow group '%s' owned by '%s'\n",
- grp->gr_name, user_name));
+ user_name, user_name));
}
#endif /* SHADOWGRP */

12
shadow-4.1.5-man.patch Normal file
View file

@ -0,0 +1,12 @@
diff -up shadow-4.1.5/man/useradd.8.man shadow-4.1.5/man/useradd.8
--- shadow-4.1.5/man/useradd.8.man 2012-03-19 13:06:48.000000000 +0100
+++ shadow-4.1.5/man/useradd.8 2012-03-19 13:07:44.540169270 +0100
@@ -215,7 +215,7 @@ is not enabled, no home directories are
.PP
\fB\-M\fR
.RS 4
-Do no create the user\*(Aqs home directory, even if the system wide setting from
+Do not create the user\*(Aqs home directory, even if the system wide setting from
/etc/login\&.defs
(\fBCREATE_HOME\fR) is set to
\fIyes\fR\&.

42
shadow-4.1.5-redhat.patch Normal file
View file

@ -0,0 +1,42 @@
diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8
diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c
--- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100
+++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100
@@ -93,7 +93,7 @@ const char *Prog;
static gid_t def_group = 100;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no";
@@ -103,7 +103,7 @@ static const char *def_expire = "";
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
-static const char *user_pass = "!";
+static const char *user_pass = "!!";
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:",
#else /* !WITH_SELINUX */
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U",
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) {
@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha
case 'M':
Mflg = true;
break;
+ case 'n':
case 'N':
Nflg = true;
break;

View file

@ -1,16 +1,16 @@
diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.uflg shadow-4.1.4.3/libmisc/find_new_gid.c diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c
--- shadow-4.1.4.3/libmisc/find_new_gid.c.uflg 2011-05-20 21:18:24.474018778 +0200 --- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200
+++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-05-20 21:18:43.178018729 +0200 +++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100
@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, @@ -68,7 +68,7 @@ int find_new_gid (bool sys_group,
gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); return -1;
gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); }
} else { } else {
- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); - gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+ gid_min = (gid_t) 1; + gid_min = (gid_t) 1;
gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
} if (gid_max < gid_min) {
@@ -80,6 +80,10 @@ int find_new_gid (bool sys_group, @@ -100,6 +100,10 @@ int find_new_gid (bool sys_group,
return 0; return 0;
} }

View file

@ -1,29 +1,18 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.1.4.3 Version: 4.1.5
Release: 14%{?dist} Release: 1%{?dist}
Epoch: 2 Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/ URL: http://pkg-shadow.alioth.debian.org/
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
Source1: shadow-utils.login.defs Source1: shadow-utils.login.defs
Source2: shadow-utils.useradd Source2: shadow-utils.useradd
Patch0: shadow-4.1.4.2-redhat.patch Patch0: shadow-4.1.5-redhat.patch
Patch1: shadow-4.1.4.3-goodname.patch Patch1: shadow-4.1.5-goodname.patch
Patch2: shadow-4.1.4.2-leak.patch Patch2: shadow-4.1.4.2-infoParentDir.patch
Patch3: shadow-4.1.4.2-fixes.patch Patch3: shadow-4.1.5-uflg.patch
Patch4: shadow-4.1.4.2-infoParentDir.patch Patch4: shadow-4.1.5-man.patch
Patch5: shadow-4.1.4.3-semange.patch Patch5: shadow-4.1.5-grremove.patch
Patch6: shadow-4.1.4.2-acl.patch
Patch7: shadow-4.1.4.2-underflow.patch
Patch8: shadow-4.1.4.3-uflg.patch
Patch9: shadow-4.1.4.2-gshadow.patch
Patch10: shadow-4.1.4.3-nopam.patch
Patch11: shadow-4.1.4.3-IDs.patch
#696213 #674878 #739147
Patch12: shadow-4.1.4.3-man.patch
#749205
Patch13: shadow-4.1.4.3-libsemanage.patch
Patch14: shadow-4.1.4.3-selinux.patch
License: BSD and GPLv2+ License: BSD and GPLv2+
Group: System Environment/Base Group: System Environment/Base
BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: libselinux-devel >= 1.25.2-1
@ -54,19 +43,11 @@ are used for managing group accounts.
%setup -q -n shadow-%{version} %setup -q -n shadow-%{version}
%patch0 -p1 -b .redhat %patch0 -p1 -b .redhat
%patch1 -p1 -b .goodname %patch1 -p1 -b .goodname
%patch2 -p1 -b .leak %patch2 -p1 -b .infoParentDir
%patch3 -p1 -b .fixes %patch3 -p1 -b .uflg
%patch4 -p1 -b .infoParentDir %patch4 -p1 -b .man
%patch5 -p1 -b .semange %patch5 -p1 -b .grremove
%patch6 -p1 -b .acl
%patch7 -p1 -b .underflow
%patch8 -p1 -b .uflg
%patch9 -p1 -b .gshadow
%patch10 -p1 -b .nopam
%patch11 -p1 -b .IDs
%patch12 -p1 -b .man
%patch13 -p1 -b .libsemanage
%patch14 -p1 -b .selinux
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO cp -f doc/HOWTO.utf8 doc/HOWTO
@ -176,23 +157,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
echo "%%lang($lang) $dir/man*/*" >> shadow.lang echo "%%lang($lang) $dir/man*/*" >> shadow.lang
done done
# Make sure old configuration files specifying UID_MIN=500 are not overwritten
# on upgrades. Remove the scriptlets after upgrades from Fedora 15 are no
# longer supported.
%pre
if [ "$1" -gt 1 ]; then
hash=$(md5sum %{_sysconfdir}/login.defs | cut -d ' ' -f 1)
if [ "$hash" = 111354806cbbee33a73fa4d538055510 ]; then
cp -a %{_sysconfdir}/login.defs{,.rpm-saved-in-pre}
fi
fi
%post
if [ -e %{_sysconfdir}/login.defs.rpm-saved-in-pre ]; then
mv %{_sysconfdir}/login.defs{,.rpmnew}
mv %{_sysconfdir}/login.defs{.rpm-saved-in-pre,}
fi
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -238,6 +202,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8* %{_mandir}/man8/vigr.8*
%changelog %changelog
* Mon Mar 19 2012 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.5-1
- upgrade
* Tue Feb 07 2012 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-14 * Tue Feb 07 2012 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-14
- compile with PIE and RELRO flags (#784349) - compile with PIE and RELRO flags (#784349)

View file

@ -1 +1 @@
b8608d8294ac88974f27b20f991c0e79 shadow-4.1.4.3.tar.bz2 d5f7a588fadb79faeb4b08b1eee82e9a shadow-4.1.5.tar.bz2