From 4f86795e64d955151c33275dbfb7334e61c0f99d Mon Sep 17 00:00:00 2001
From: Peter Vrabec
Date: Thu, 29 Apr 2010 15:09:49 +0000
Subject: [PATCH] - preserve ACL's on files in /etc/skel
Resolves: #513055
---
 shadow-4.1.4.2-acl.patch | 121 +++++++++++++++++++++++++++++
 shadow-4.1.4.2-infoParentDir.patch | 2 +-
 shadow-utils.spec | 8 +-
 3 files changed, 129 insertions(+), 2 deletions(-)
 create mode 100644 shadow-4.1.4.2-acl.patch
diff --git a/shadow-4.1.4.2-acl.patch b/shadow-4.1.4.2-acl.patch
new file mode 100644
index 0000000..9af543c
--- /dev/null
+++ b/shadow-4.1.4.2-acl.patch
@@ -0,0 +1,121 @@
+diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c
+--- shadow-4.1.4.2/libmisc/copydir.c.acl 2010-04-29 15:55:26.949959971 +0200
++++ shadow-4.1.4.2/libmisc/copydir.c 2010-04-29 15:55:26.956960471 +0200
+@@ -45,6 +45,9 @@
+ #ifdef WITH_SELINUX
+ #include
+ #endif
++#include
++#include
++
+ static /*@null@*/const char *src_orig;
+ static /*@null@*/const char *dst_orig;
+ 
+@@ -70,7 +73,7 @@ static int copy_symlink (const char *src
+ #endif
+ static int copy_hardlink (const char *src, const char *dst,
+ struct link_name *lp);
+-static int copy_special (const char *dst,
++static int copy_special (const char *src, const char *dst,
+ const struct stat *statp, const struct timeval mt[],
+ long int uid, long int gid);
+ static int copy_file (const char *src, const char *dst,
+@@ -78,6 +81,24 @@ static int copy_file (const char *src, c
+ long int uid, long int gid);
+ 
+ #ifdef WITH_SELINUX
++
++void error (struct error_context *ctx, const char *fmt, ...)
++{
++ va_list ap;
++
++ va_start (ap, fmt);
++ (void) fprintf (stderr, _("%s: "), Prog);
++ if (vfprintf (stderr, fmt, ap) != 0) {
++ (void) fputs (_(": "), stderr);
++ }
++ (void) fprintf (stderr, "%s\n", strerror (errno));
++ va_end (ap);
++}
++
++struct error_context ctx = {
++ error
++};
++
+ /*
+ * selinux_file_context - Set the security context before any file or
+ * directory creation.
+@@ -369,7 +390,7 @@ static int copy_entry (const char *src,
+ */
+ 
+ else if (!S_ISREG (sb.st_mode)) {
+- err = copy_special (dst, &sb, mt, uid, gid);
++ err = copy_special (src, dst, &sb, mt, uid, gid);
+ }
+ 
+ /*
+@@ -413,6 +434,7 @@ static int copy_dir (const char *src, co
+ || (chown (dst,
+ (uid == - 1) ? statp->st_uid : (uid_t) uid,
+ (gid == - 1) ? statp->st_gid : (gid_t) gid) != 0)
++ || (perm_copy_file (src, dst, &ctx) != 0)
+ || (chmod (dst, statp->st_mode) != 0)
+ || (copy_tree (src, dst, uid, gid) != 0)
+ || (utimes (dst, mt) != 0)) {
+@@ -514,6 +536,13 @@ static int copy_symlink (const char *src
+ || (lchown (dst,
+ (uid == -1) ? statp->st_uid : (uid_t) uid,
+ (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)) {
++ /* FIXME: there are no modes on symlinks, right?
++ * ACL could be copied, but this would be much more
++ * complex than calling perm_copy_file.
++ * Ditto for Extended Attributes.
++ * We currently only document that ACL and Extended
++ * Attributes are not copied.
++ */
+ free (oldlink);
+ return -1;
+ }
+@@ -542,7 +571,7 @@ static int copy_symlink (const char *src
+ static int copy_hardlink (const char *src, const char *dst,
+ struct link_name *lp)
+ {
+- /* TODO: selinux needed? */
++ /* TODO: selinux, ACL, Extended Attributes needed? */
+ 
+ if (link (lp->ln_name, dst) != 0) {
+ return -1;
+@@ -574,7 +603,7 @@ static int copy_hardlink (const char *sr
+ *
+ * Return 0 on success, -1 on error.
+ */
+-static int copy_special (const char *dst,
++static int copy_special (const char *src, const char *dst,
+ const struct stat *statp, const struct timeval mt[],
+ long int uid, long int gid)
+ {
+@@ -628,7 +657,7 @@ static int copy_file (const char *src, c
+ || (fchown (ofd,
+ (uid == -1) ? statp->st_uid : (uid_t) uid,
+ (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)
+- || (fchmod (ofd, statp->st_mode & 07777) != 0)) {
++ || (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) ) {
+ (void) close (ifd);
+ return -1;
+ }
+diff -up shadow-4.1.4.2/src/Makefile.in.acl shadow-4.1.4.2/src/Makefile.in
+--- shadow-4.1.4.2/src/Makefile.in.acl 2009-07-24 03:16:00.000000000 +0200
++++ shadow-4.1.4.2/src/Makefile.in 2010-04-29 16:08:34.347960372 +0200
+@@ -430,9 +430,9 @@ su_SOURCES = \
+ 
+ su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ sulogin_LDADD = $(LDADD) $(LIBCRYPT)
+-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
++userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
++usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl
+ vipw_LDADD = $(LDADD) $(LIBSELINUX)
+ all: all-am
+ 
diff --git a/shadow-4.1.4.2-infoParentDir.patch b/shadow-4.1.4.2-infoParentDir.patch
index 5a83f6a..da260bf 100644
--- a/shadow-4.1.4.2-infoParentDir.patch
+++ b/shadow-4.1.4.2-infoParentDir.patch
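Review bot: The `error` callback and `struct error_context ctx` are added inside the existing `#ifdef WITH_SELINUX` block (the context line `+ #ifdef WITH_SELINUX` immediately precedes them and no `#endif` is added before the selinux_file_context comment that follows), but the new `perm_copy_file (src, dst, &ctx)` in copy_dir and `perm_copy_fd (src, ifd, dst, ofd, &ctx)` in copy_file are unconditional, so a build without SELinux fails with `ctx` undeclared. Close the SELinux block with `#endif` before `void error (...)` and reopen it with `#ifdef WITH_SELINUX` after `};`, or better put the ACL code under its own configure-driven feature macro, since the `-lacl` added to the three LDADD lines in Makefile.in is likewise unconditional and nothing checks that libacl is available. The callback should also be `static void error (...)`: as an external symbol with this name it interposes on the glibc `error(3)` function from `<error.h>` with an incompatible signature, so any other translation unit calling the libc one would dispatch into this function with the wrong arguments. Note too that the failure branch the new `perm_copy_fd` call joins in copy_file still only runs `(void) close (ifd)`, so an ACL-copy failure leaks `ofd` exactly as the pre-existing fchown failure path did; copy_file and copy_dir both begin outside the hunk.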
@@ -6,7 +6,7 @@ diff -up shadow-4.1.4.2/man/newusers.8.infoParentDir shadow-4.1.4.2/man/newusers
 This field is used to define the home directory of the user\&.
 .sp
 -If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&.
-+If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&.Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&.
++If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&.
 .sp
 If the home directory of an existing user is changed, \fBnewusers\fR
diff --git a/shadow-utils.spec b/shadow-utils.spec
index b40ed70..4b1c2c0 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.4.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@@ -13,6 +13,7 @@ Patch2: shadow-4.1.4.2-leak.patch
 Patch3: shadow-4.1.4.2-fixes.patch
 Patch4: shadow-4.1.4.2-infoParentDir.patch
 Patch5: shadow-4.1.4.2-semange.patch
+Patch6: shadow-4.1.4.2-acl.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
@@ -43,6 +44,7 @@ are used for managing group accounts.
 %patch3 -p1 -b .fixes
 %patch4 -p1 -b .infoParentDir
 %patch5 -p1 -b .semange
+%patch6 -p1 -b .acl
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -185,6 +187,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Thu Apr 29 2010 Peter Vrabec - 2:4.1.4.2-6
+- preserve ACL's on files in /etc/skel
+ Resolves: #513055
+
 * Wed Apr 28 2010 Peter Vrabec - 2:4.1.4.2-5
 - newusers man page more informative
 - userdel should not need to run semanage
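Review bot: The `@@ -13,6 +13,7 @@` hunk adds `Patch6: shadow-4.1.4.2-acl.patch` but no build dependency for what that patch pulls in: it links useradd/userdel/usermod with `-lacl` and calls `perm_copy_file`/`perm_copy_fd` with a `struct error_context`, yet the only BuildRequires visible in the hunk is `BuildRequires: libselinux-devel >= 1.25.2-1`. Add `BuildRequires: libacl-devel` alongside it (and `libattr-devel` if the error_context header is not already provided through libacl-devel — the two new `#include` lines in the patch lost their contents in extraction, so confirm which headers they name). Without the explicit dependency the package only builds on hosts that happen to have the headers installed and fails at compile or link time in a clean buildroot.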