From 8c824a0b041cf9bb6846774392bf9869bcc9bfa2 Mon Sep 17 00:00:00 2001
From: Peter Vrabec
Date: Fri, 17 Jul 2009 14:04:27 +0000
Subject: [PATCH] - fix a list of owned directories (#510366) - reduce the reuse of system IDs - speed up sys users look up on LDAP boxes (#511813) - upgrade
---
.cvsignore | 4 +-
shadow-4.0.17-login.defs | 58 ++++
shadow-4.0.18.1-useradd | 9 +
shadow-4.1.3-redhat.patch | 75 -----
shadow-4.1.3-selinux.patch | 54 ----
shadow-4.1.4-redhat.patch | 75 +++++
...ame.patch => shadow-4.1.4.1-goodname.patch | 28 +-
shadow-4.1.4.1-largeGroup.patch | 230 ++++++++++++++
shadow-4.1.4.1-ldap.patch | 85 +++++
shadow-4.1.4.1-sysacc.patch | 300 ++++++++++++++++++
shadow-utils.spec | 41 ++-
sources | 4 +-
12 files changed, 807 insertions(+), 156 deletions(-)
create mode 100644 shadow-4.0.17-login.defs
create mode 100644 shadow-4.0.18.1-useradd
delete mode 100644 shadow-4.1.3-redhat.patch
delete mode 100644 shadow-4.1.3-selinux.patch
create mode 100644 shadow-4.1.4-redhat.patch
rename shadow-4.1.3-goodname.patch => shadow-4.1.4.1-goodname.patch (57%)
create mode 100644 shadow-4.1.4.1-largeGroup.patch
create mode 100644 shadow-4.1.4.1-ldap.patch
create mode 100644 shadow-4.1.4.1-sysacc.patch
diff --git a/.cvsignore b/.cvsignore
index 5e650b5..0fb2454 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1 @@
-shadow-4.0.17-login.defs
-shadow-4.0.18.1-useradd
-shadow-4.1.3.tar.bz2
+shadow-4.1.4.1.tar.bz2
diff --git a/shadow-4.0.17-login.defs b/shadow-4.0.17-login.defs
new file mode 100644
index 0000000..18733bf
--- /dev/null
+++ b/shadow-4.0.17-login.defs
@@ -0,0 +1,58 @@
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+# QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR Maildir
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 500
+UID_MAX 60000
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 500
+GID_MAX 60000
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME yes
+
+# The permission mask is initialized to this value. If not specified,
+# the permission mask will be initialized to 022.
+UMASK 077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
+MD5_CRYPT_ENAB yes
+
diff --git a/shadow-4.0.18.1-useradd b/shadow-4.0.18.1-useradd
new file mode 100644
index 0000000..4e81146
--- /dev/null
+++ b/shadow-4.0.18.1-useradd
@@ -0,0 +1,9 @@
+# useradd defaults file
+GROUP=100
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=yes
+
diff --git a/shadow-4.1.3-redhat.patch b/shadow-4.1.3-redhat.patch
deleted file mode 100644
index 92ea691..0000000
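Review bot: In shadow-4.0.17-login.defs, `MD5_CRYPT_ENAB yes` keeps MD5-crypt as the hash the shadow tools use when they set a password, and `PASS_MIN_LEN 5` is a very short minimum length. login.defs(5) also provides `ENCRYPT_METHOD`, which overrides MD5_CRYPT_ENAB; if the packaged 4.1.4.1 build has SHA crypt support, I would add `ENCRYPT_METHOD SHA512` and reword the "Use MD5 or DES" comment to match. Whether PAM overrides these values on this distribution is not visible from the hunk, so the comment should also say which tools actually read them.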
--- a/shadow-4.1.3-redhat.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -diff -up shadow-4.1.3/libmisc/find_new_gid.c.redhat shadow-4.1.3/libmisc/find_new_gid.c ---- shadow-4.1.3/libmisc/find_new_gid.c.redhat 2009-04-11 17:55:13.000000000 +0200 -+++ shadow-4.1.3/libmisc/find_new_gid.c 2009-04-14 14:49:34.000000000 +0200 -@@ -56,11 +56,11 @@ int find_new_gid (bool sys_group, gid_t - assert (gid != NULL); - - if (!sys_group) { -- gid_min = getdef_ulong ("GID_MIN", 1000L); -+ gid_min = getdef_ulong ("GID_MIN", 500L); - gid_max = getdef_ulong ("GID_MAX", 60000L); - } else { - gid_min = getdef_ulong ("SYS_GID_MIN", 1L); -- gid_max = getdef_ulong ("GID_MIN", 1000L) - 1; -+ gid_max = getdef_ulong ("GID_MIN", 500L) - 1; - gid_max = getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - } - used_gids = alloca (sizeof (char) * gid_max +1); -diff -up shadow-4.1.3/libmisc/find_new_uid.c.redhat shadow-4.1.3/libmisc/find_new_uid.c ---- shadow-4.1.3/libmisc/find_new_uid.c.redhat 2009-04-11 17:53:19.000000000 +0200 -+++ shadow-4.1.3/libmisc/find_new_uid.c 2009-04-14 14:49:34.000000000 +0200 -@@ -56,11 +56,11 @@ int find_new_uid (bool sys_user, uid_t * - assert (uid != NULL); - - if (!sys_user) { -- uid_min = getdef_ulong ("UID_MIN", 1000L); -+ uid_min = getdef_ulong ("UID_MIN", 500L); - uid_max = getdef_ulong ("UID_MAX", 60000L); - } else { - uid_min = getdef_ulong ("SYS_UID_MIN", 1L); -- uid_max = getdef_ulong ("UID_MIN", 1000L) - 1; -+ uid_max = getdef_ulong ("UID_MIN", 500L) - 1; - uid_max = getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); - } - used_uids = alloca (sizeof (char) * uid_max +1); -diff -up shadow-4.1.3/src/useradd.c.redhat shadow-4.1.3/src/useradd.c ---- shadow-4.1.3/src/useradd.c.redhat 2009-04-11 20:39:52.000000000 +0200 -+++ shadow-4.1.3/src/useradd.c 2009-04-14 14:58:17.000000000 +0200 -@@ -89,7 +89,7 @@ char *Prog; - static gid_t def_group = 100; - static const char *def_gname = "other"; - static const char *def_home = "/home"; --static const char *def_shell = ""; -+static const char *def_shell = 
"/sbin/nologin"; - static const char *def_template = SKEL_DIR; - static const char *def_create_mail_spool = "no"; - -@@ -101,7 +101,7 @@ static char def_file[] = USER_DEFAULTS_F - #define VALID(s) (strcspn (s, ":\n") == strlen (s)) - - static const char *user_name = ""; --static const char *user_pass = "!"; -+static const char *user_pass = "!!"; - static uid_t user_id; - static gid_t user_gid; - static const char *user_comment = ""; -@@ -978,9 +978,9 @@ static void process_flags (int argc, cha - }; - while ((c = getopt_long (argc, argv, - #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:", -+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", - #else -- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", -+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", - #endif - long_options, NULL)) != -1) { - switch (c) { -@@ -1130,6 +1130,7 @@ static void process_flags (int argc, cha - case 'M': - Mflg = true; - break; -+ case 'n': - case 'N': - Nflg = true; - break; diff --git a/shadow-4.1.3-selinux.patch b/shadow-4.1.3-selinux.patch deleted file mode 100644 index 97dc317..0000000 --- a/shadow-4.1.3-selinux.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -diff -up shadow-4.1.3/src/useradd.c.selinux shadow-4.1.3/src/useradd.c ---- shadow-4.1.3/src/useradd.c.selinux 2009-04-14 15:55:44.000000000 +0200 -+++ shadow-4.1.3/src/useradd.c 2009-04-14 15:55:44.000000000 +0200 -@@ -2011,9 +2011,7 @@ int main (int argc, char **argv) - close_files (); - - #ifdef WITH_SELINUX -- if (Zflg) { -- selinux_update_mapping (); -- } -+ selinux_update_mapping (); - #endif - - nscd_flush_cache ("passwd"); -diff -up shadow-4.1.3/src/userdel.c.selinux shadow-4.1.3/src/userdel.c ---- shadow-4.1.3/src/userdel.c.selinux 2009-04-11 18:52:42.000000000 +0200 -+++ shadow-4.1.3/src/userdel.c 2009-04-14 16:01:10.000000000 +0200 -@@ -797,17 +797,6 @@ int main (int argc, char **argv) - audit_help_open (); - #endif - --#ifdef WITH_SELINUX -- if (is_selinux_enabled () > 0) { -- const char *args[5]; -- args[0] = "/usr/sbin/semanage"; -- args[1] = "login"; -- args[2] = "-d"; -- args[3] = user_name; -- args[4] = NULL; -- safe_system (args[0], args, NULL, 1); -- } --#endif - /* - * Get my name so that I can use it to report errors. - */ -@@ -1010,6 +999,18 @@ int main (int argc, char **argv) - } - #endif - -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled () > 0) { -+ const char *args[5]; -+ args[0] = "/usr/sbin/semanage"; -+ args[1] = "login"; -+ args[2] = "-d"; -+ args[3] = user_name; -+ args[4] = NULL; -+ safe_system (args[0], args, NULL, 1); -+ } -+#endif -+ - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. diff --git a/shadow-4.1.4-redhat.patch b/shadow-4.1.4-redhat.patch new file mode 100644 index 0000000..3143c21 --- /dev/null +++ b/shadow-4.1.4-redhat.patch 
@@ -0,0 +1,75 @@ +diff -up shadow-4.1.4/libmisc/find_new_gid.c.redhat shadow-4.1.4/libmisc/find_new_gid.c +--- shadow-4.1.4/libmisc/find_new_gid.c.redhat 2009-04-23 19:36:42.000000000 +0200 ++++ shadow-4.1.4/libmisc/find_new_gid.c 2009-05-15 12:01:18.000000000 +0200 +@@ -58,11 +58,11 @@ int find_new_gid (bool sys_group, + assert (gid != NULL); + + if (!sys_group) { +- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); ++ gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); + gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); + } else { + gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); +- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; ++ gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } + used_gids = alloca (sizeof (bool) * (gid_max +1)); +diff -up shadow-4.1.4/libmisc/find_new_uid.c.redhat shadow-4.1.4/libmisc/find_new_uid.c +--- shadow-4.1.4/libmisc/find_new_uid.c.redhat 2009-04-23 19:37:12.000000000 +0200 ++++ shadow-4.1.4/libmisc/find_new_uid.c 2009-05-15 12:01:39.000000000 +0200 +@@ -58,11 +58,11 @@ int find_new_uid (bool sys_user, + assert (uid != NULL); + + if (!sys_user) { +- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); + uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + } else { + uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL); +- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; ++ uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; + uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); + } + used_uids = alloca (sizeof (bool) * (uid_max +1)); +diff -up shadow-4.1.4/src/useradd.c.redhat shadow-4.1.4/src/useradd.c +--- shadow-4.1.4/src/useradd.c.redhat 2009-05-10 20:26:35.000000000 +0200 ++++ shadow-4.1.4/src/useradd.c 2009-05-15 11:59:40.000000000 +0200 +@@ -90,7 +90,7 @@ char *Prog; + static gid_t def_group = 100; + static const char *def_gname = "other"; + 
static const char *def_home = "/home"; +-static const char *def_shell = ""; ++static const char *def_shell = "/sbin/nologin"; + static const char *def_template = SKEL_DIR; + static const char *def_create_mail_spool = "no"; + +@@ -102,7 +102,7 @@ static char def_file[] = USER_DEFAULTS_F + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + + static const char *user_name = ""; +-static const char *user_pass = "!"; ++static const char *user_pass = "!!"; + static uid_t user_id; + static gid_t user_gid; + static const char *user_comment = ""; +@@ -996,9 +996,9 @@ static void process_flags (int argc, cha + }; + while ((c = getopt_long (argc, argv, + #ifdef WITH_SELINUX +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", + #else +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", + #endif + long_options, NULL)) != -1) { + switch (c) { +@@ -1148,6 +1148,7 @@ static void process_flags (int argc, cha + case 'M': + Mflg = true; + break; ++ case 'n': + case 'N': + Nflg = true; + break; diff --git a/shadow-4.1.3-goodname.patch b/shadow-4.1.4.1-goodname.patch similarity index 57% rename from shadow-4.1.3-goodname.patch rename to shadow-4.1.4.1-goodname.patch index 43b933f..7ba4c2c 100644 --- a/shadow-4.1.3-goodname.patch +++ b/shadow-4.1.4.1-goodname.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.1.3/libmisc/chkname.c.goodname shadow-4.1.3/libmisc/chkname.c ---- shadow-4.1.3/libmisc/chkname.c.goodname 2008-12-23 23:42:21.000000000 +0100 -+++ shadow-4.1.3/libmisc/chkname.c 2009-04-14 11:46:21.000000000 +0200 -@@ -54,20 +54,28 @@ +diff -up shadow-4.1.4.1/libmisc/chkname.c.goodname shadow-4.1.4.1/libmisc/chkname.c +--- shadow-4.1.4.1/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/chkname.c 2009-06-16 13:47:08.000000000 +0200 +@@ -49,20 +49,28 @@ static bool is_valid_name (const char *name) { /* 
@@ -40,28 +40,28 @@ diff -up shadow-4.1.3/libmisc/chkname.c.goodname shadow-4.1.3/libmisc/chkname.c return false; } } -diff -up shadow-4.1.3/man/groupadd.8.goodname shadow-4.1.3/man/groupadd.8 ---- shadow-4.1.3/man/groupadd.8.goodname 2009-04-12 04:46:15.000000000 +0200 -+++ shadow-4.1.3/man/groupadd.8 2009-04-14 11:45:13.000000000 +0200 -@@ -139,9 +139,7 @@ Shadow password suite configuration\&. +diff -up shadow-4.1.4.1/man/groupadd.8.goodname shadow-4.1.4.1/man/groupadd.8 +--- shadow-4.1.4.1/man/groupadd.8.goodname 2009-05-22 15:56:08.000000000 +0200 ++++ shadow-4.1.4.1/man/groupadd.8 2009-06-16 13:50:41.000000000 +0200 +@@ -153,9 +153,7 @@ Shadow password suite configuration\&. .RE .SH "CAVEATS" .PP --Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? -.PP -Groupnames may only be up to 16 characters long\&. +Groupnames may only be up to 32 characters long\&. .PP You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. .PP -diff -up shadow-4.1.3/man/useradd.8.goodname shadow-4.1.3/man/useradd.8 ---- shadow-4.1.3/man/useradd.8.goodname 2009-04-12 04:46:35.000000000 +0200 -+++ shadow-4.1.3/man/useradd.8 2009-04-14 11:45:13.000000000 +0200 -@@ -385,8 +385,6 @@ Similarly, if the username already exist +diff -up shadow-4.1.4.1/man/useradd.8.goodname shadow-4.1.4.1/man/useradd.8 +--- shadow-4.1.4.1/man/useradd.8.goodname 2009-05-22 15:56:28.000000000 +0200 ++++ shadow-4.1.4.1/man/useradd.8 2009-06-16 13:51:17.000000000 +0200 +@@ -405,8 +405,6 @@ Similarly, if the username already exist \fBuseradd\fR will deny the user account creation request\&. 
.PP --Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? -.PP Usernames may only be up to 32 characters long\&. .SH "CONFIGURATION" diff --git a/shadow-4.1.4.1-largeGroup.patch b/shadow-4.1.4.1-largeGroup.patch new file mode 100644 index 0000000..8777e24 --- /dev/null +++ b/shadow-4.1.4.1-largeGroup.patch 
@@ -0,0 +1,230 @@ +diff -U0 shadow-4.1.4.1/ChangeLog.large_group shadow-4.1.4.1/ChangeLog +diff -up shadow-4.1.4.1/lib/gshadow.c.large_group shadow-4.1.4.1/lib/gshadow.c +--- shadow-4.1.4.1/lib/gshadow.c.large_group 2009-04-23 13:53:56.000000000 +0200 ++++ shadow-4.1.4.1/lib/gshadow.c 2009-06-16 14:47:08.000000000 +0200 +@@ -2,7 +2,7 @@ + * Copyright (c) 1990 - 1994, Julianne Frances Haugh + * Copyright (c) 1996 - 1998, Marek Michałkiewicz + * Copyright (c) 2005 , Tomasz Kłoczko +- * Copyright (c) 2008 , Nicolas François ++ * Copyright (c) 2008 - 2009, Nicolas François + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -41,7 +41,6 @@ + #include "prototypes.h" + #include "defines.h" + static /*@null@*/FILE *shadow; +-static char sgrbuf[BUFSIZ * 4]; + static /*@null@*//*@only@*/char **members = NULL; + static size_t nmembers = 0; + static /*@null@*//*@only@*/char **admins = NULL; +@@ -131,12 +130,25 @@ void endsgent (void) + + /*@observer@*//*@null@*/struct sgrp *sgetsgent (const char *string) + { ++ static char *sgrbuf = NULL; ++ static size_t sgrbuflen = 0; ++ + char *fields[FIELDS]; + char *cp; + int i; ++ size_t len = strlen (string) + 1; ++ ++ if (len > sgrbuflen) { ++ char *buf = (char *) realloc (sgrbuf, sizeof (char) * len); ++ if (NULL == buf) { ++ return NULL; ++ } ++ sgrbuf = buf; ++ sgrbuflen = len; ++ } + +- strncpy (sgrbuf, string, sizeof sgrbuf - 1); +- sgrbuf[sizeof sgrbuf - 1] = '\0'; ++ strncpy (sgrbuf, string, len); ++ sgrbuf[len-1] = '\0'; + + cp = strrchr (sgrbuf, '\n'); + if (NULL != cp) { +@@ -161,7 +173,7 @@ void endsgent (void) + * the line is invalid. 
+ */ + +- if ((NULL != cp) || (i != FIELDS)) ++ if ((NULL != cp) || (i != FIELDS)) { + #ifdef USE_NIS + if (!IS_NISCHAR (fields[0][0])) { + return 0; +@@ -171,6 +183,7 @@ void endsgent (void) + #else + return 0; + #endif ++ } + + sgroup.sg_name = fields[0]; + sgroup.sg_passwd = fields[1]; +@@ -199,20 +212,48 @@ void endsgent (void) + + /*@observer@*//*@null@*/struct sgrp *fgetsgent (/*@null@*/FILE * fp) + { +- char buf[sizeof sgrbuf]; ++ static size_t buflen = 0; ++ static char *buf = NULL; ++ + char *cp; ++ struct sgrp *ret; ++ ++ if (0 == buflen) { ++ buf = (char *) malloc (BUFSIZ); ++ if (NULL == buf) { ++ return NULL; ++ } ++ } + + if (NULL == fp) { +- return (0); ++ return NULL; + } + + #ifdef USE_NIS +- while (fgetsx (buf, (int) sizeof buf, fp) != (char *) 0) ++ while (fgetsx (buf, (int) sizeof buf, fp) == buf) + #else +- if (fgetsx (buf, (int) sizeof buf, fp) != (char *) 0) ++ if (fgetsx (buf, (int) sizeof buf, fp) == buf) + #endif + { +- cp = strchr (buf, '\n'); ++ while ( ((cp = strrchr (buf, '\n')) == NULL) ++ && (feof (fp) == 0)) { ++ size_t len; ++ ++ cp = (char *) realloc (buf, buflen*2); ++ if (NULL == cp) { ++ return NULL; ++ } ++ buf = cp; ++ buflen *= 2; ++ ++ len = strlen (buf); ++ if (fgetsx (&buf[len], ++ (int) (buflen - len), ++ fp) != &buf[len]) { ++ return NULL; ++ } ++ } ++ cp = strrchr (buf, '\n'); + if (NULL != cp) { + *cp = '\0'; + } +@@ -223,7 +264,7 @@ void endsgent (void) + #endif + return (sgetsgent (buf)); + } +- return 0; ++ return NULL; + } + + /* +@@ -235,7 +276,6 @@ void endsgent (void) + #ifdef USE_NIS + bool nis_1_group = false; + struct sgrp *val; +- char buf[BUFSIZ]; + #endif + if (NULL == shadow) { + setsgent (); +@@ -334,7 +374,6 @@ void endsgent (void) + struct sgrp *sgrp; + + #ifdef USE_NIS +- char buf[BUFSIZ]; + static char save_name[16]; + int nis_disabled = 0; + #endif +diff -up shadow-4.1.4.1/libmisc/xgetgrgid.c.large_group shadow-4.1.4.1/libmisc/xgetgrgid.c +--- shadow-4.1.4.1/libmisc/xgetgrgid.c.large_group 
2008-09-06 16:56:51.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetgrgid.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE gid_t + #define ARG_NAME gid + #define DUP_FUNCTION __gr_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETGRGID_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetgrnam.c.large_group shadow-4.1.4.1/libmisc/xgetgrnam.c +--- shadow-4.1.4.1/libmisc/xgetgrnam.c.large_group 2008-09-06 16:56:57.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetgrnam.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE const char * + #define ARG_NAME name + #define DUP_FUNCTION __gr_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETGRNAM_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetpwnam.c.large_group shadow-4.1.4.1/libmisc/xgetpwnam.c +--- shadow-4.1.4.1/libmisc/xgetpwnam.c.large_group 2008-09-06 16:57:05.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetpwnam.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE const char * + #define ARG_NAME name + #define DUP_FUNCTION __pw_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETPWNAM_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetpwuid.c.large_group shadow-4.1.4.1/libmisc/xgetpwuid.c +--- shadow-4.1.4.1/libmisc/xgetpwuid.c.large_group 2008-09-06 16:57:11.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetpwuid.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE uid_t + #define ARG_NAME uid + #define DUP_FUNCTION __pw_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETPWUID_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetspnam.c.large_group shadow-4.1.4.1/libmisc/xgetspnam.c +--- shadow-4.1.4.1/libmisc/xgetspnam.c.large_group 2008-09-06 16:57:17.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetspnam.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ 
+ #define ARG_TYPE const char * + #define ARG_NAME name + #define DUP_FUNCTION __spw_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETSPNAM_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetXXbyYY.c.large_group shadow-4.1.4.1/libmisc/xgetXXbyYY.c +--- shadow-4.1.4.1/libmisc/xgetXXbyYY.c.large_group 2009-04-23 11:15:53.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetXXbyYY.c 2009-06-16 14:15:08.000000000 +0200 +@@ -79,7 +79,7 @@ + exit (13); + } + +- do { ++ while (true) { + int status; + LOOKUP_TYPE *resbuf = NULL; + buffer = (char *)realloc (buffer, length); +@@ -106,8 +106,14 @@ + return NULL; + } + +- length *= 4; +- } while (length < MAX_LENGTH); ++ if (length <= ((size_t)-1 / 4)) { ++ length *= 4; ++ } else if (length == (size_t) -1) { ++ break; ++ } else { ++ length = (size_t) -1; ++ } ++ } + + free(buffer); + free(result); +diff -up shadow-4.1.4.1/NEWS.large_group shadow-4.1.4.1/NEWS diff --git a/shadow-4.1.4.1-ldap.patch b/shadow-4.1.4.1-ldap.patch new file mode 100644 index 0000000..9d97188 --- /dev/null +++ b/shadow-4.1.4.1-ldap.patch 
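Review bot: In the lib/gshadow.c part of shadow-4.1.4.1-largeGroup.patch, fgetsgent() turns `buf` into a heap pointer but never assigns `buflen` after the malloc and still passes `(int) sizeof buf` to fgetsx(). `sizeof buf` is now the size of a pointer, so the first read is capped at a few bytes, and with `buflen` still 0 the grow path calls `realloc (buf, buflen*2)` with size 0 and then hands `(int) (buflen - len)`, a wrapped value, to the next fgetsx() as the buffer size; every later call also mallocs a fresh BUFSIZ block over the old pointer. I would add `buflen = BUFSIZ;` right after the NULL check and use `fgetsx (buf, (int) buflen, fp) == buf` in both the USE_NIS and non-NIS branches. The rest of fgetsgent() lies outside the inner hunk, so this is judged on the visible lines only. Separately, the xgetXXbyYY.c loop drops MAX_LENGTH and lets `length` grow to `(size_t) -1`; a comment stating that the only remaining bound is realloc failure would help the next reader.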
@@ -0,0 +1,85 @@ +diff -up shadow-4.1.4.1/libmisc/find_new_gid.c.ldap shadow-4.1.4.1/libmisc/find_new_gid.c +--- shadow-4.1.4.1/libmisc/find_new_gid.c.ldap 2009-07-16 10:37:41.653798746 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_gid.c 2009-07-16 10:44:14.482808945 +0200 +@@ -90,17 +90,26 @@ int find_new_gid (bool sys_group, + * but we also check the local database (gr_rewind/gr_next) in case + * some groups were created but the changes were not committed yet. + */ +- setgrent (); +- while ((grp = getgrent ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; ++ if (sys_group ) { ++ for(group_id = gid_min; group_id<=gid_max; group_id++) { ++ grp = getgrgid(group_id); ++ if(grp) ++ used_gids[grp->gr_gid] = true; + } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ } ++ else { ++ setgrent (); ++ while ((grp = getgrent ()) != NULL) { ++ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { ++ group_id = grp->gr_gid + 1; ++ } ++ /* create index of used GIDs */ ++ if (grp->gr_gid <= gid_max) { ++ used_gids[grp->gr_gid] = true; ++ } + } ++ endgrent (); + } +- endgrent (); + gr_rewind (); + while ((grp = gr_next ()) != NULL) { + if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +diff -up shadow-4.1.4.1/libmisc/find_new_uid.c.ldap shadow-4.1.4.1/libmisc/find_new_uid.c +--- shadow-4.1.4.1/libmisc/find_new_uid.c.ldap 2009-07-16 10:37:41.653798746 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_uid.c 2009-07-16 10:37:41.668798323 +0200 +@@ -91,17 +91,27 @@ int find_new_uid (bool sys_user, + * but we also check the local database (pw_rewind/pw_next) in case + * some users were created but the changes were not committed yet. 
+ */ +- setpwent (); +- while ((pwd = getpwent ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; ++ /* speed up sys users look up on LDAP boxes */ ++ if (sys_user) { ++ for (user_id = uid_min; user_id<=uid_max; user_id++) { ++ pwd = getpwuid(user_id); ++ if(pwd) ++ used_uids[user_id] = true; + } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ } ++ else { ++ setpwent (); ++ while ((pwd = getpwent ()) != NULL) { ++ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { ++ user_id = pwd->pw_uid + 1; ++ } ++ /* create index of used UIDs */ ++ if (pwd->pw_uid <= uid_max) { ++ used_uids[pwd->pw_uid] = true; ++ } + } ++ endpwent (); + } +- endpwent (); + pw_rewind (); + while ((pwd = pw_next ()) != NULL) { + if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +@@ -113,6 +123,7 @@ int find_new_uid (bool sys_user, + } + } + ++ + /* find free system account in reverse order */ + if (sys_user) { + for (user_id = uid_max; user_id >= uid_min; user_id--) { diff --git a/shadow-4.1.4.1-sysacc.patch b/shadow-4.1.4.1-sysacc.patch new file mode 100644 index 0000000..3e204bd --- /dev/null +++ b/shadow-4.1.4.1-sysacc.patch 
@@ -0,0 +1,300 @@ +diff -up shadow-4.1.4.1/libmisc/find_new_gid.c.sysacc shadow-4.1.4.1/libmisc/find_new_gid.c +--- shadow-4.1.4.1/libmisc/find_new_gid.c.sysacc 2009-07-16 11:51:34.807860808 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_gid.c 2009-07-16 14:19:08.678798578 +0200 +@@ -52,7 +52,7 @@ int find_new_gid (bool sys_group, + /*@null@*/gid_t const *preferred_gid) + { + const struct group *grp; +- gid_t gid_min, gid_max, group_id; ++ gid_t gid_min, gid_max, group_id, id; + bool *used_gids; + + assert (gid != NULL); +@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, + gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); + gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); + } else { +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); + gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } +@@ -80,7 +80,6 @@ int find_new_gid (bool sys_group, + return 0; + } + +- group_id = gid_min; + + /* + * Search the entire group file, +@@ -91,13 +90,28 @@ int find_new_gid (bool sys_group, + * some groups were created but the changes were not committed yet. 
+ */ + if (sys_group ) { +- for(group_id = gid_min; group_id<=gid_max; group_id++) { +- grp = getgrgid(group_id); +- if(grp) ++ group_id = gid_max; ++ for(id = gid_max; id>=gid_min; id--) { ++ grp = getgrgid(id); ++ if(grp) { ++ group_id = id - 1; + used_gids[grp->gr_gid] = true; ++ } ++ } ++ ++ gr_rewind (); ++ while ((grp = gr_next ()) != NULL) { ++ if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { ++ group_id = grp->gr_gid - 1; ++ } ++ /* create index of used GIDs */ ++ if (grp->gr_gid <= gid_max) { ++ used_gids[grp->gr_gid] = true; ++ } + } + } + else { ++ group_id = gid_min; + setgrent (); + while ((grp = getgrent ()) != NULL) { + if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +@@ -109,32 +123,16 @@ int find_new_gid (bool sys_group, + } + } + endgrent (); +- } +- gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; +- } +- } + +- /* find free system account in reverse order */ +- if (sys_group) { +- for (group_id = gid_max; group_id >= gid_min; group_id--) { +- if (false == used_gids[group_id]) { +- break; ++ gr_rewind (); ++ while ((grp = gr_next ()) != NULL) { ++ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { ++ group_id = grp->gr_gid + 1; ++ } ++ /* create index of used GIDs */ ++ if (grp->gr_gid <= gid_max) { ++ used_gids[grp->gr_gid] = true; + } +- } +- if ( group_id < gid_min ) { +- fprintf (stderr, +- _("%s: Can't get unique GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available GID on the system")); +- return -1; + } + } + +@@ -143,16 +141,35 @@ int find_new_gid (bool sys_group, + * will give us GID_MAX+1 even if not unique. Search for the first + * free GID starting with GID_MIN. 
+ */ +- if (group_id == gid_max + 1) { +- for (group_id = gid_min; group_id < gid_max; group_id++) { +- if (false == used_gids[group_id]) { +- break; ++ if (sys_group) { ++ if (group_id == gid_min - 1) { ++ for (group_id = gid_max; group_id >= gid_min; group_id--) { ++ if (false == used_gids[group_id]) { ++ break; ++ } ++ } ++ if ( group_id < gid_min ) { ++ fprintf (stderr, ++ _("%s: Can't get unique GID (no more available GIDs)\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "no more available GID on the system")); ++ return -1; + } + } +- if (group_id == gid_max) { +- fprintf (stderr, _("%s: Can't get unique GID (no more available GIDs)\n"), Prog); +- SYSLOG ((LOG_WARN, "no more available GID on the system")); +- return -1; ++ } ++ else { ++ if (group_id == gid_max + 1) { ++ for (group_id = gid_min; group_id < gid_max; group_id++) { ++ if (false == used_gids[group_id]) { ++ break; ++ } ++ } ++ if (group_id == gid_max) { ++ fprintf (stderr, _("%s: Can't get unique GID (no more available GIDs)\n"), Prog); ++ SYSLOG ((LOG_WARN, "no more available GID on the system")); ++ return -1; ++ } + } + } + +diff -up shadow-4.1.4.1/libmisc/find_new_uid.c.sysacc shadow-4.1.4.1/libmisc/find_new_uid.c +--- shadow-4.1.4.1/libmisc/find_new_uid.c.sysacc 2009-07-16 11:51:34.807860808 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_uid.c 2009-07-16 14:13:38.120798526 +0200 +@@ -52,7 +52,7 @@ int find_new_uid (bool sys_user, + /*@null@*/uid_t const *preferred_uid) + { + const struct passwd *pwd; +- uid_t uid_min, uid_max, user_id; ++ uid_t uid_min, uid_max, user_id, id; + bool *used_uids; + + assert (uid != NULL); +@@ -61,7 +61,7 @@ int find_new_uid (bool sys_user, + uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); + uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + } else { +- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL); ++ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); + uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; + uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", 
(unsigned long) uid_max); + } +@@ -81,8 +81,6 @@ int find_new_uid (bool sys_user, + } + + +- user_id = uid_min; +- + /* + * Search the entire password file, + * looking for the largest unused value. +@@ -91,15 +89,30 @@ int find_new_uid (bool sys_user, + * but we also check the local database (pw_rewind/pw_next) in case + * some users were created but the changes were not committed yet. + */ +- /* speed up sys users look up on LDAP boxes */ + if (sys_user) { +- for (user_id = uid_min; user_id<=uid_max; user_id++) { +- pwd = getpwuid(user_id); +- if(pwd) ++ user_id = uid_max; ++ for (id = uid_max; id>=uid_min; id--) { ++ pwd = getpwuid(id); ++ if(pwd) { ++ user_id = id - 1; + used_uids[user_id] = true; ++ } + } ++ ++ pw_rewind (); ++ while ((pwd = pw_next ()) != NULL) { ++ if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { ++ user_id = pwd->pw_uid - 1; ++ } ++ /* create index of used UIDs */ ++ if (pwd->pw_uid <= uid_max) { ++ used_uids[pwd->pw_uid] = true; ++ } ++ } ++ + } + else { ++ user_id = uid_min; + setpwent (); + while ((pwd = getpwent ()) != NULL) { + if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +@@ -111,51 +124,55 @@ int find_new_uid (bool sys_user, + } + } + endpwent (); +- } +- pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; +- } +- } +- + +- /* find free system account in reverse order */ +- if (sys_user) { +- for (user_id = uid_max; user_id >= uid_min; user_id--) { +- if (false == used_uids[user_id]) { +- break; ++ pw_rewind (); ++ while ((pwd = pw_next ()) != NULL) { ++ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { ++ user_id = pwd->pw_uid + 1; ++ } ++ /* create index of used UIDs */ ++ if (pwd->pw_uid <= uid_max) { ++ used_uids[pwd->pw_uid] = true; + } +- } +- if (user_id < uid_min ) { +- fprintf (stderr, +- 
_("%s: Can't get unique system UID (no more available UIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available UID on the system")); +- return -1; + } + } + ++ + /* + * If a user with UID equal to UID_MAX exists, the above algorithm + * will give us UID_MAX+1 even if not unique. Search for the first + * free UID starting with UID_MIN. + */ +- if (user_id == uid_max + 1) { +- for (user_id = uid_min; user_id < uid_max; user_id++) { +- if (false == used_uids[user_id]) { +- break; ++ if (sys_user) { ++ if (user_id == uid_min - 1) { ++ for (user_id = uid_max; user_id >= uid_min; user_id--) { ++ if (false == used_uids[user_id]) { ++ break; ++ } ++ } ++ if (user_id < uid_min ) { ++ fprintf (stderr, ++ _("%s: Can't get unique system UID (no more available UIDs)\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "no more available UID on the system")); ++ return -1; + } + } +- if (user_id == uid_max) { +- fprintf (stderr, _("%s: Can't get unique UID (no more available UIDs)\n"), Prog); +- SYSLOG ((LOG_WARN, "no more available UID on the system")); +- return -1; ++ } ++ else { ++ if (user_id == uid_max + 1) { ++ for (user_id = uid_min; user_id < uid_max; user_id++) { ++ if (false == used_uids[user_id]) { ++ break; ++ } ++ } ++ if (user_id == uid_max) { ++ fprintf (stderr, _("%s: Can't get unique UID (no more available UIDs)\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, "no more available UID on the system")); ++ return -1; ++ } + } + } + diff --git a/shadow-utils.spec b/shadow-utils.spec index f3a6a7c..ffd2846 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
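Review bot: In the find_new_uid.c part of shadow-4.1.4.1-sysacc.patch, the system-account scan sets `user_id = id - 1;` and then `used_uids[user_id] = true;`, so it marks the slot below the account that getpwuid() found and leaves the found UID itself unmarked; the find_new_gid.c counterpart marks `used_gids[grp->gr_gid]`. The later fallback search over used_uids could then hand out a UID that is already taken. I would write `used_uids[pwd->pw_uid] = true;` there. Both new loops of the form `for (id = uid_max; id>=uid_min; id--)` also assume the lower bound is above 0: where uid_t and gid_t are unsigned, a SYS_UID_MIN or SYS_GID_MIN of 0 in login.defs would make the condition always true and `id - 1` wrap, so the configured range should be validated before the scan or the assumption stated in a comment.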
@@ -1,15 +1,17 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.3 -Release: 2%{?dist} +Version: 4.1.4.1 +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd -Patch0: shadow-4.1.3-redhat.patch -Patch1: shadow-4.1.3-goodname.patch -Patch2: shadow-4.1.3-selinux.patch +Patch0: shadow-4.1.4-redhat.patch +Patch1: shadow-4.1.4.1-goodname.patch +Patch2: shadow-4.1.4.1-largeGroup.patch +Patch3: shadow-4.1.4.1-ldap.patch +Patch4: shadow-4.1.4.1-sysacc.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -36,7 +38,9 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname -%patch2 -p1 -b .selinux +%patch2 -p1 -b .largeGroup +%patch3 -p1 -b .ldap +%patch4 -p1 -b .sysacc iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -125,7 +129,9 @@ find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do dir=$(echo $dir | sed -e "s|^$RPM_BUILD_ROOT||") lang=$(basename $dir) - echo "%%lang($lang) $dir/man*/*" >> shadow.lang + echo "%%lang($lang) $dir" >> shadow.lang + echo "%%lang($lang) $dir/man*" >> shadow.lang +# echo "%%lang($lang) $dir/man*/*" >> shadow.lang done %clean 
@@ -176,6 +182,27 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 16 2009 Peter Vrabec 2:4.1.4.1-4 +- fix a list of owned directories (#510366) + +* Thu Jul 16 2009 Peter Vrabec 2:4.1.4.1-3 +- reduce the reuse of system IDs + +* Wed Jul 15 2009 Peter Vrabec 2:4.1.4.1-2 +- speed up sys users look up on LDAP boxes (#511813) + +* Tue Jun 16 2009 Peter Vrabec 2:4.1.4.1-1 +- upgrade + +* Fri May 15 2009 Peter Vrabec 2:4.1.4-1 +- upgrade + +* Wed Apr 22 2009 Peter Vrabec 2:4.1.3.1-2 +- lastlog fix + +* Fri Apr 17 2009 Peter Vrabec 2:4.1.3.1-1 +- upgrade + * Tue Apr 14 2009 Peter Vrabec 2:4.1.3-2 - get "-n" option back - fix selinux issues diff --git a/sources b/sources index beeb25f..13714cc 100644 --- a/sources +++ b/sources @@ -1,3 +1 @@ -e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs -ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd -d222bd50f64d52a32882c82ab1e85f28 shadow-4.1.3.tar.bz2 +62f7dae4cb54fa84e478c4602d58cbe8 shadow-4.1.4.1.tar.bz2