document that groupmems is not setuid root

- document that expiration of the password after inactivity period locks the user account completely
2015-11-06 14:34:35 +01:00 · 2015-11-06 14:34:35 +01:00 · c2f1a1c502
commit c2f1a1c502
parent 25899fefb0
2 changed files with 47 additions and 1 deletions
--- a/shadow-4.2.1-manfix.patch
+++ b/shadow-4.2.1-manfix.patch
@ -1,3 +1,30 @@
+diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml
+--- shadow-4.2.1/man/groupmems.8.xml.manfix	2014-03-01 19:59:51.000000000 +0100
+++ shadow-4.2.1/man/groupmems.8.xml	2015-11-06 14:21:03.013060324 +0100
+@@ -179,20 +179,10 @@
+   <refsect1 id='setup'>
+     <title>SETUP</title>
+     <para>
+-      The <command>groupmems</command> executable should be in mode
+-      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+-      <emphasis>groups</emphasis>. The system administrator can add users to
+-      group <emphasis>groups</emphasis> to allow or disallow them using the
+-      <command>groupmems</command> utility to manage their own group
+-      membership list.
+      In this operating system the <command>groupmems</command> executable
+      is not setuid and regular users cannot use it to manipulate
+      the membership of their own group.
+     </para>
+-
+-    <programlisting>
+-	$ groupadd -r groups
+-	$ chmod 2770 groupmems
+-	$ chown root.groups groupmems
+-	$ groupmems -g groups -a gk4
+-    </programlisting>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
 diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml
 --- shadow-4.2.1/man/chage.1.xml.manfix	2014-03-01 19:59:51.000000000 +0100
 +++ shadow-4.2.1/man/chage.1.xml	2014-11-26 15:34:51.256978960 +0100
@ -32,6 +59,20 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.
     <para>The following configuration items are provided:</para>
 
     <variablelist remap='IP'>
+diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml
+--- shadow-4.2.1/man/shadow.5.xml.manfix	2014-03-01 19:59:51.000000000 +0100
+++ shadow-4.2.1/man/shadow.5.xml	2015-10-27 16:54:29.304231353 +0100
+@@ -208,8 +208,8 @@
+ 	  </para>
+ 	  <para>
+ 	    After expiration of the password and this expiration period is
+-	    elapsed, no login is possible using the current user's
+-	    password.  The user should contact her administrator.
+	    elapsed, no login is possible for the user.
+	    The user should contact her administrator.
+ 	  </para>
+ 	  <para>
+ 	    An empty field means that there are no enforcement of an
 diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml
 --- shadow-4.2.1/man/useradd.8.xml.manfix	2014-11-26 15:34:51.234978891 +0100
 +++ shadow-4.2.1/man/useradd.8.xml	2014-11-26 15:34:51.257978963 +0100
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.2.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
@ -252,6 +252,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*

 %changelog
+* Fri Nov  6 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-4
+- document that groupmems is not setuid root
+- document that expiration of the password after inactivity period
+  locks the user account completely
+
 * Thu Aug 27 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-3
 - unlock also passwords locked with passwd -l
 - prevent breaking user entry by entering a password containing colon