From 4eaf9cda612ae39fbf137e516f0c39ae690cd184 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 19 Jul 2013 07:44:18 +0200 Subject: [PATCH 01/64] fix useradd man page bugs --- shadow-utils.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index a7b86c6..f3f054b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -21,6 +21,7 @@ Patch11: shadow-4.1.5.1-logmsg.patch Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch +Patch15: shadow-4.1.5.1-manfix.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -63,6 +64,7 @@ are used for managing group accounts. %patch12 -p1 -b .errmsg %patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range +%patch15 -p1 -b .manfix iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -216,6 +218,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jul 19 2013 Tomas Mraz - 2:4.1.5.1-7 +- fix useradd man page bugs + * Fri Jun 14 2013 Tomas Mraz - 2:4.1.5.1-6 - report error to stdout when SELinux context for home directory cannot be determined (#973647) From 047af921d9c464a0ffa3195d0a7e45201e14382a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 19 Jul 2013 08:08:10 +0200 Subject: [PATCH 02/64] fix useradd man page bugs --- shadow-4.1.5.1-manfix.patch | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 shadow-4.1.5.1-manfix.patch diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch new file mode 100644 index 0000000..ef023dc --- /dev/null +++ b/shadow-4.1.5.1-manfix.patch 
@@ -0,0 +1,21 @@ +diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-06-14 15:25:44.000000000 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2013-07-19 07:33:53.768619759 +0200 +@@ -161,7 +161,7 @@ + + + +- , ++ , + HOME_DIR + + +@@ -362,7 +362,7 @@ + + + +- ++ , + + + From a451dc3d55537561abfedfd482249e18324b3d52 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 25 Jul 2013 13:26:18 +0200 Subject: [PATCH 03/64] slightly more meaningful error messages if crypt() returns NULL (#988184) - explicit suid permissions --- shadow-4.1.5.1-crypt-null.patch | 195 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 14 ++- 2 files changed, 205 insertions(+), 4 deletions(-) create mode 100644 shadow-4.1.5.1-crypt-null.patch diff --git a/shadow-4.1.5.1-crypt-null.patch b/shadow-4.1.5.1-crypt-null.patch new file mode 100644 index 0000000..fba72e7 --- /dev/null +++ b/shadow-4.1.5.1-crypt-null.patch 
@@ -0,0 +1,195 @@ +diff -up shadow-4.1.5.1/lib/encrypt.c.crypt-null shadow-4.1.5.1/lib/encrypt.c +--- shadow-4.1.5.1/lib/encrypt.c.crypt-null 2010-08-22 15:05:02.000000000 +0200 ++++ shadow-4.1.5.1/lib/encrypt.c 2013-07-25 12:27:30.438355782 +0200 +@@ -49,11 +49,10 @@ + if (!cp) { + /* + * Single Unix Spec: crypt() may return a null pointer, +- * and set errno to indicate an error. The caller doesn't +- * expect us to return NULL, so... ++ * and set errno to indicate an error. In this case return ++ * the NULL so the caller can handle appropriately. + */ +- perror ("crypt"); +- exit (EXIT_FAILURE); ++ return cp; + } + + /* The GNU crypt does not return NULL if the algorithm is not +diff -up shadow-4.1.5.1/libmisc/valid.c.crypt-null shadow-4.1.5.1/libmisc/valid.c +--- shadow-4.1.5.1/libmisc/valid.c.crypt-null 2010-08-22 21:14:41.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/valid.c 2013-07-25 12:27:30.440355847 +0200 +@@ -95,6 +95,7 @@ bool valid (const char *password, const + */ + + if ( (NULL != ent->pw_name) ++ && (NULL != encrypted) + && (strcmp (encrypted, ent->pw_passwd) == 0)) { + return true; + } else { +diff -up shadow-4.1.5.1/lib/pwauth.c.crypt-null shadow-4.1.5.1/lib/pwauth.c +--- shadow-4.1.5.1/lib/pwauth.c.crypt-null 2009-07-13 00:24:48.000000000 +0200 ++++ shadow-4.1.5.1/lib/pwauth.c 2013-07-25 12:27:30.438355782 +0200 +@@ -73,6 +73,7 @@ int pw_auth (const char *cipher, + char prompt[1024]; + char *clear = NULL; + const char *cp; ++ const char *encrypted; + int retval; + + #ifdef SKEY +@@ -177,7 +178,11 @@ int pw_auth (const char *cipher, + * the results there as well. 
+ */ + +- retval = strcmp (pw_encrypt (input, cipher), cipher); ++ encrypted = pw_encrypt (input, cipher); ++ if (encrypted!=NULL) ++ retval = strcmp (encrypted, cipher); ++ else ++ retval = -1; + + #ifdef SKEY + /* +diff -up shadow-4.1.5.1/src/chgpasswd.c.crypt-null shadow-4.1.5.1/src/chgpasswd.c +--- shadow-4.1.5.1/src/chgpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 ++++ shadow-4.1.5.1/src/chgpasswd.c 2013-07-25 12:27:30.440355847 +0200 +@@ -469,6 +469,10 @@ int main (int argc, char **argv) + #endif + cp = pw_encrypt (newpwd, + crypt_make_salt (crypt_method, arg)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + } + + /* +diff -up shadow-4.1.5.1/src/chpasswd.c.crypt-null shadow-4.1.5.1/src/chpasswd.c +--- shadow-4.1.5.1/src/chpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 ++++ shadow-4.1.5.1/src/chpasswd.c 2013-07-25 12:27:30.440355847 +0200 +@@ -492,6 +492,10 @@ int main (int argc, char **argv) + #endif + cp = pw_encrypt (newpwd, + crypt_make_salt(crypt_method, arg)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + } + + /* +diff -up shadow-4.1.5.1/src/gpasswd.c.crypt-null shadow-4.1.5.1/src/gpasswd.c +--- shadow-4.1.5.1/src/gpasswd.c.crypt-null 2011-11-19 23:55:04.000000000 +0100 ++++ shadow-4.1.5.1/src/gpasswd.c 2013-07-25 12:27:30.441355866 +0200 +@@ -939,6 +939,10 @@ static void change_passwd (struct group + } + + cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); ++ if (cp==NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + memzero (pass, sizeof pass); + #ifdef SHADOWGRP + if (is_shadowgrp) { +diff -up shadow-4.1.5.1/src/newgrp.c.crypt-null shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1/src/newgrp.c.crypt-null 2011-07-30 03:50:01.000000000 +0200 ++++ shadow-4.1.5.1/src/newgrp.c 2013-07-25 12:27:30.442355881 +0200 +@@ -184,7 +184,8 @@ static void check_perms (const struct gr + cpasswd = pw_encrypt (cp, grp->gr_passwd); + strzero (cp); + +- if (grp->gr_passwd[0] == '\0' || ++ 
if (cpasswd == NULL || ++ grp->gr_passwd[0] == '\0' || + strcmp (cpasswd, grp->gr_passwd) != 0) { + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +diff -up shadow-4.1.5.1/src/newusers.c.crypt-null shadow-4.1.5.1/src/newusers.c +--- shadow-4.1.5.1/src/newusers.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 ++++ shadow-4.1.5.1/src/newusers.c 2013-07-25 12:27:30.442355881 +0200 +@@ -387,6 +387,7 @@ static int add_user (const char *name, u + static void update_passwd (struct passwd *pwd, const char *password) + { + void *crypt_arg = NULL; ++ char *cp; + if (crypt_method != NULL) { + #ifdef USE_SHA_CRYPT + if (sflg) { +@@ -398,9 +399,13 @@ static void update_passwd (struct passwd + if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) { + pwd->pw_passwd = (char *)password; + } else { +- pwd->pw_passwd = pw_encrypt (password, +- crypt_make_salt (crypt_method, +- crypt_arg)); ++ cp=pw_encrypt (password, crypt_make_salt (crypt_method, ++ crypt_arg)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } ++ pwd->pw_passwd = cp; + } + } + #endif /* !USE_PAM */ +@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pw + { + const struct spwd *sp; + struct spwd spent; ++ char *cp; + + #ifndef USE_PAM + void *crypt_arg = NULL; +@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pw + } else { + const char *salt = crypt_make_salt (crypt_method, + crypt_arg); +- spent.sp_pwdp = pw_encrypt (password, salt); ++ cp = pw_encrypt (password, salt); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } ++ spent.sp_pwdp = cp; + } + spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE; + if (0 == spent.sp_lstchg) { +@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pw + spent.sp_pwdp = (char *)password; + } else { + const char *salt = crypt_make_salt (crypt_method, crypt_arg); +- spent.sp_pwdp = pw_encrypt (password, salt); ++ cp = pw_encrypt (password, salt); ++ if (cp == NULL) { ++ perror ("crypt"); ++ 
exit (EXIT_FAILURE); ++ } ++ spent.sp_pwdp = cp; + } + #else + /* +diff -up shadow-4.1.5.1/src/passwd.c.crypt-null shadow-4.1.5.1/src/passwd.c +--- shadow-4.1.5.1/src/passwd.c.crypt-null 2012-02-13 21:32:01.000000000 +0100 ++++ shadow-4.1.5.1/src/passwd.c 2013-07-25 12:27:30.443355896 +0200 +@@ -242,7 +242,7 @@ static int new_password (const struct pa + } + + cipher = pw_encrypt (clear, crypt_passwd); +- if (strcmp (cipher, crypt_passwd) != 0) { ++ if ((cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)) { + strzero (clear); + strzero (cipher); + SYSLOG ((LOG_WARN, "incorrect password for %s", +@@ -349,6 +349,10 @@ static int new_password (const struct pa + * Encrypt the password, then wipe the cleartext password. + */ + cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + memzero (pass, sizeof pass); + + #ifdef HAVE_LIBCRACK_HIST diff --git a/shadow-utils.spec b/shadow-utils.spec index f3f054b..56f8a3f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -22,6 +22,7 @@ Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.1.5.1-manfix.patch +Patch16: shadow-4.1.5.1-crypt-null.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -65,6 +66,7 @@ are used for managing group accounts. %patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix +%patch16 -p1 -b .crypt-null iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
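Review bot: In the passwd.c hunk (new_password), the new `cipher == NULL` branch falls straight into `strzero (cipher);`, and if strzero is the usual strlen-based wipe that is a NULL dereference, so the failure path this commit introduces crashes passwd instead of reporting the crypt() error. Guard the wipe, e.g. `strzero (clear);` then `if (cipher != NULL) { strzero (cipher); }`, or test for NULL before the comparison and log a distinct message. In the gpasswd.c hunk and the second passwd.c hunk the added `exit (EXIT_FAILURE)` runs before the `memzero (pass, sizeof pass)` that follows it, so the cleartext password is left in memory on the error path; wiping `pass` before exiting keeps the hygiene the surrounding code already has. Since pw_encrypt in lib/encrypt.c now returns NULL instead of exiting, its header comment should state that every caller must check the result for NULL (chgpasswd, chpasswd and newusers do so here). Minor style: `encrypted!=NULL`, `cp==NULL` and `cp=pw_encrypt (...)` differ from the `cp == NULL` spacing used in the rest of the hunk.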
@@ -183,10 +185,10 @@ rm -rf $RPM_BUILD_ROOT %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %{_bindir}/sg -%{_bindir}/chage -%{_bindir}/gpasswd +%attr(4755,root,root) %{_bindir}/chage +%attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog -%{_bindir}/newgrp +%attr(4755,root,root) %{_bindir}/newgrp %{_sbindir}/adduser %attr(0750,root,root) %{_sbindir}/user* %attr(0750,root,root) %{_sbindir}/group* @@ -218,6 +220,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 25 2013 Tomas Mraz - 2:4.1.5.1-8 +- slightly more meaningful error messages if crypt() returns NULL (#988184) +- explicit suid permissions + * Fri Jul 19 2013 Tomas Mraz - 2:4.1.5.1-7 - fix useradd man page bugs From 462b4b2f45f6da8d7737a19b1f3cff55e74f2492 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 25 Jul 2013 14:30:32 +0200 Subject: [PATCH 04/64] Fix bogus dates in changelog --- shadow-utils.spec | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 56f8a3f..1d4ff2e 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -258,7 +258,7 @@ rm -rf $RPM_BUILD_ROOT * Mon Jun 18 2012 Peter Vrabec - 2:4.1.5-3 - pwconv/grpconv skipped 2nd of consecutive failures (#832995) -* Wed Mar 22 2012 Peter Vrabec - 2:4.1.5-2 +* Thu Mar 22 2012 Peter Vrabec - 2:4.1.5-2 - fix selinux context handling - reset selinux context on files copied from skel 
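Review bot: The three new `%attr(4755,root,root)` entries make the setuid-root bit on chage, gpasswd and newgrp an explicit part of the package's security boundary, but the %files section records only that they are setuid, not why, and the changelog line "explicit suid permissions" does not say either. A one-line comment above the entries would keep a future packager from dropping the bit or extending it to neighbouring binaries by analogy, e.g. `# setuid root on purpose: these tools must access the shadow databases on behalf of an unprivileged caller`. Keeping the three entries adjacent, as the hunk already does for chage and gpasswd, also makes the privileged set easy to audit.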
@@ -471,11 +471,11 @@ rm -rf $RPM_BUILD_ROOT * Tue Jun 26 2007 Peter Vrabec 2:4.0.18.1-16 - fix "CAVEATS" section of groupadd man page (#245590) -* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-15 +* Wed Jun 06 2007 Peter Vrabec 2:4.0.18.1-15 - fix infinitive loop if there are duplicate entries in /etc/group (#240915) -* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 +* Wed Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 - do not run find_new_uid() twice and use getpwuid() to check UID uniqueness (#236871) @@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT - fix memory leak, and CPU spinning when grp_update() and duplicate group entries in /etc/group (#151484) -* Mon Mar 29 2005 Peter Vrabec 2:4.0.7-4 +* Tue Mar 29 2005 Peter Vrabec 2:4.0.7-4 - use newgrp binary - newgrp don't ask for password if user's default GID = group ID, ask for password if there is some in /etc/gshadow @@ -756,7 +756,7 @@ rm -rf $RPM_BUILD_ROOT * Thu Sep 4 2003 Dan Walsh 4.0.3-11.sel - build with SELinux support -* Fri Jul 28 2003 Dan Walsh 4.0.3-10 +* Mon Jul 28 2003 Dan Walsh 4.0.3-10 - Add SELinux support * Wed Jun 04 2003 Elliot Lee @@ -980,7 +980,7 @@ rm -rf $RPM_BUILD_ROOT * Thu Nov 06 1997 Cristian Gafton - added forgot lastlog command to the spec file -* Mon Oct 26 1997 Cristian Gafton +* Mon Oct 27 1997 Cristian Gafton - obsoletes adduser * Thu Oct 23 1997 Cristian Gafton From 317fc748b31cde3da89a9191d39f8c422ddd750c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 18 Oct 2013 16:33:21 +0200 Subject: [PATCH 05/64] document that the directory where user's home is created must exist --- shadow-4.1.5.1-manfix.patch | 42 ++++++++++++++++++++++++++++++++++--- shadow-utils.spec | 7 +++++-- 2 files changed, 44 insertions(+), 5 deletions(-) diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch index ef023dc..c66d7c9 100644 --- a/shadow-4.1.5.1-manfix.patch +++ b/shadow-4.1.5.1-manfix.patch 
@@ -1,6 +1,33 @@ +diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 +--- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-07-25 10:39:00.000000000 +0200 ++++ shadow-4.1.5.1/man/man8/useradd.8 2013-10-18 16:29:41.003281715 +0200 +@@ -85,7 +85,7 @@ by default\&. + Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. + .RE + .PP +-\fB\-d\fR, \fB\-\-home\fR \fIHOME_DIR\fR ++\fB\-d\fR, \fB\-\-home\-dir\fR \fIHOME_DIR\fR + .RS 4 + The new user will be created using + \fIHOME_DIR\fR +@@ -220,9 +220,13 @@ option) will be copied to the home direc + By default, if this option is not specified and + \fBCREATE_HOME\fR + is not enabled, no home directories are created\&. ++.sp ++The directory where the user\*(Aqs home directory is created must ++exist and have proper SELinux context and permissions\&. Otherwise ++the user\*(Aqs home directory cannot be created or accessed\&. + .RE + .PP +-\fB\-M\fR ++\fB\-M\fR, \fB\-\-no\-create\-home\fR + .RS 4 + Do not create the user\*(Aqs home directory, even if the system wide setting from + /etc/login\&.defs diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-06-14 15:25:44.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-07-19 07:33:53.768619759 +0200 +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-07-25 10:39:00.115637664 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2013-10-18 16:22:13.151437562 +0200 @@ -161,7 +161,7 @@ @@ -10,7 +37,16 @@ diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xm HOME_DIR -@@ -362,7 +362,7 @@ +@@ -358,11 +358,16 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. ++ + 
diff --git a/shadow-utils.spec b/shadow-utils.spec index 1d4ff2e..cf80b64 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -97,7 +97,7 @@ export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --without-libcrack \ --without-libpam \ --disable-shared \ - --with-group-name-max-length=32 + --with-group-name-max-length=32 make %install @@ -220,6 +220,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Oct 18 2013 Tomas Mraz - 2:4.1.5.1-9 +- document that the directory where user's home is created must exist + * Thu Jul 25 2013 Tomas Mraz - 2:4.1.5.1-8 - slightly more meaningful error messages if crypt() returns NULL (#988184) - explicit suid permissions From 8d1ef4078b086d9a417f102c8cb6f94e08b363d5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 12 Feb 2014 11:43:04 +0100 Subject: [PATCH 06/64] clean up login.defs manpage - properly document userdel -f behavior --- shadow-4.1.5.1-manfix.patch | 150 ++++++++++++++++++++++++++- shadow-4.1.5.1-userdel-helpfix.patch | 15 +++ shadow-utils.spec | 8 +- 3 files changed, 168 insertions(+), 5 deletions(-) create mode 100644 shadow-4.1.5.1-userdel-helpfix.patch diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch index c66d7c9..00b792f 100644 --- a/shadow-4.1.5.1-manfix.patch +++ b/shadow-4.1.5.1-manfix.patch 
@@ -1,6 +1,148 @@ +diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml +--- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200 ++++ shadow-4.1.5.1/man/login.defs.5.xml 2014-02-12 11:18:36.126334872 +0100 +@@ -160,6 +160,17 @@ + long numeric parameters is machine-dependent. + + ++ ++ Please note that the parameters in this configuration file control the ++ behavior of the tools from the shadow-utils component. None of these ++ tools uses the PAM mechanism, and the utilities that use PAM (such as the ++ passwd command) should be configured elsewhere. The only values that ++ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS ++ for pam_unix module, FAIL_DELAY for pam_faildelay module, ++ and UMASK for pam_umask module. Refer to ++ pam(8) for more information. ++ ++ + The following configuration items are provided: + + +diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/login.defs.5 +--- shadow-4.1.5.1/man/man5/login.defs.5.manfix 2012-05-25 13:59:03.000000000 +0200 ++++ shadow-4.1.5.1/man/man5/login.defs.5 2014-02-12 11:26:27.159851843 +0100 +@@ -46,6 +46,14 @@ value\&. Numbers (both regular and long) + \fI0\fR) or hexadecimal values (precede the value with + \fI0x\fR)\&. The maximum value of the regular and long numeric parameters is machine\-dependent\&. + .PP ++Please note that the parameters in this configuration file control the ++behavior of the tools from the shadow-utils component\&. None of these ++tools uses the PAM mechanism, and the utilities that use PAM (such as the ++passwd command) should be configured elsewhere\&. The only values that ++affect PAM modules are \fBENCRYPT_METHOD\fR and \fBSHA_CRYPT_MAX_ROUNDS\fR for pam_unix module, ++\fBFAIL_DELAY\fR for pam_faildelay module, and \fBUMASK\fR for pam_umask module\&. Refer to ++pam(8) for more information\&. 
++.PP + The following configuration items are provided: + .PP + \fBCHFN_AUTH\fR (boolean) +@@ -625,20 +633,6 @@ will create by default a group with the + .PP + The following cross references show which programs in the shadow password suite use which parameters\&. + .PP +-chfn +-.RS 4 +- +-CHFN_AUTH +-CHFN_RESTRICT +-LOGIN_STRING +-.RE +-.PP +-chgpasswd +-.RS 4 +-ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB +-SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS +-.RE +-.PP + chpasswd + .RS 4 + +@@ -646,11 +640,6 @@ ENCRYPT_METHOD MD5_CRYPT_ENAB + SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS + .RE + .PP +-chsh +-.RS 4 +-CHSH_AUTH LOGIN_STRING +-.RE +-.PP + gpasswd + .RS 4 + ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB +@@ -692,29 +681,6 @@ grpunconv + MAX_MEMBERS_PER_GROUP + .RE + .PP +-login +-.RS 4 +- +-CONSOLE +-CONSOLE_GROUPS DEFAULT_HOME +-ENV_HZ ENV_PATH ENV_SUPATH ENV_TZ ENVIRON_FILE +-ERASECHAR FAIL_DELAY +-FAILLOG_ENAB +-FAKE_SHELL +-FTMP_FILE +-HUSHLOGIN_FILE +-ISSUE_FILE +-KILLCHAR +-LASTLOG_ENAB +-LOGIN_RETRIES +-LOGIN_STRING +-LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +-MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB +-TTYGROUP TTYPERM TTYTYPE_FILE +-ULIMIT UMASK +-USERGROUPS_ENAB +-.RE +-.PP + newgrp / sg + .RS 4 + SYSLOG_SG_ENAB +@@ -727,12 +693,6 @@ SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUND + SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK + .RE + .PP +-passwd +-.RS 4 +-ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN +-SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS +-.RE +-.PP + pwck + .RS 4 + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE +@@ -743,26 +703,6 @@ pwconv + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE + .RE + .PP +-su +-.RS 4 +- +-CONSOLE +-CONSOLE_GROUPS DEFAULT_HOME +-ENV_HZ ENVIRON_FILE +-ENV_PATH ENV_SUPATH +-ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE QUOTAS_ENAB +-SULOG_FILE SU_NAME +-SU_WHEEL_ONLY 
+-SYSLOG_SU_ENAB +-USERGROUPS_ENAB +-.RE +-.PP +-sulogin +-.RS 4 +-ENV_HZ +-ENV_TZ +-.RE +-.PP + useradd + .RS 4 + CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 ---- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-07-25 10:39:00.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/useradd.8 2013-10-18 16:29:41.003281715 +0200 +--- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-11-27 10:25:34.740049650 +0100 ++++ shadow-4.1.5.1/man/man8/useradd.8 2013-11-27 10:25:34.758050045 +0100 @@ -85,7 +85,7 @@ by default\&. Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. .RE @@ -26,8 +168,8 @@ diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/userad Do not create the user\*(Aqs home directory, even if the system wide setting from /etc/login\&.defs diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-07-25 10:39:00.115637664 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-10-18 16:22:13.151437562 +0200 +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-11-27 10:25:34.740049650 +0100 ++++ shadow-4.1.5.1/man/useradd.8.xml 2013-11-27 10:25:34.759050067 +0100 @@ -161,7 +161,7 @@ diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch new file mode 100644 index 0000000..03f53bc --- /dev/null +++ b/shadow-4.1.5.1-userdel-helpfix.patch 
@@ -0,0 +1,15 @@ +diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c +--- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 ++++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 +@@ -130,8 +130,9 @@ static void usage (int status) + "\n" + "Options:\n"), + Prog); +- (void) fputs (_(" -f, --force force removal of files,\n" +- " even if not owned by user\n"), ++ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n" ++ " e.g. removal of user still logged in\n ++ " or files, even if not owned by the user\n"), + usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout); diff --git a/shadow-utils.spec b/shadow-utils.spec index cf80b64..9f0e00d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -23,6 +23,7 @@ Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch +Patch17: shadow-4.1.5.1-userdel-helpfix.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -67,6 +68,7 @@ are used for managing group accounts. %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch16 -p1 -b .crypt-null +%patch17 -p1 -b .userdel iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
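Review bot: The new `--force` help text in userdel's usage() is an unterminated string literal: the line `" e.g. removal of user still logged in\n` has no closing `"`, so this commit does not compile as recorded. The following commit in the series (a8136ba) adds the missing quote; squashing the two would keep the history buildable at every step. The enclosing usage() function begins before the hunk.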
@@ -220,6 +222,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 12 2014 Tomas Mraz - 2:4.1.5.1-10 +- clean up login.defs manpage +- properly document userdel -f behavior + * Fri Oct 18 2013 Tomas Mraz - 2:4.1.5.1-9 - document that the directory where user's home is created must exist From a8136ba211aacf1e845a61dbbd6982cac5f548ac Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 12 Feb 2014 11:50:55 +0100 Subject: [PATCH 07/64] clean up login.defs manpage - properly document userdel -f behavior --- shadow-4.1.5.1-userdel-helpfix.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch index 03f53bc..b79baee 100644 --- a/shadow-4.1.5.1-userdel-helpfix.patch +++ b/shadow-4.1.5.1-userdel-helpfix.patch @@ -8,7 +8,7 @@ diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c - (void) fputs (_(" -f, --force force removal of files,\n" - " even if not owned by user\n"), + (void) fputs (_(" -f, --force force some actions that would fail otherwise\n" -+ " e.g. removal of user still logged in\n ++ " e.g. removal of user still logged in\n" + " or files, even if not owned by the user\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); From c509d20844f05c92752b3f42efc5080d38b7d729 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sun, 8 Jun 2014 01:14:33 -0500 Subject: [PATCH 08/64] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 9f0e00d..1585a51 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -222,6 +222,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sun Jun 08 2014 Fedora Release Engineering - 2:4.1.5.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + * Wed Feb 12 2014 Tomas Mraz - 2:4.1.5.1-10 - clean up login.defs manpage - properly document userdel -f behavior From dad42cc2f595d9a4d02d832e9f1c70be64b97393 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 Jun 2014 15:22:33 +0200 Subject: [PATCH 09/64] improve group allocation algorithm - patch by Stephen Gallager (#1089738) --- shadow-4.1.5.1-group-alloc.patch | 642 +++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 648 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-group-alloc.patch diff --git a/shadow-4.1.5.1-group-alloc.patch b/shadow-4.1.5.1-group-alloc.patch new file mode 100644 index 0000000..892ae7d --- /dev/null +++ b/shadow-4.1.5.1-group-alloc.patch 
@@ -0,0 +1,642 @@ +From e551be23be24508ecf5c8afdf74fd69b88832ecd Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Mon, 9 Jun 2014 10:34:02 -0400 +Subject: [PATCH] Redesign automatic GID allocation + +Previously, this allocation was optimized for an outdated +deployment style (that of /etc/group alongside nss_db). The issue +here is that this results in extremely poor performance when using +SSSD, Winbind or nss_ldap. + +There were actually three serious bugs here that have been addressed: + +1) Running getgrent() loops won't work in most SSSD or Winbind +environments, as full group enumeration is disabled by default. +This could easily result in auto-allocating a group that was +already in use. (This might result in a security issue as well, if +the shared GID is a privileged group). + +2) For system groups, the loop was always iterating through the +complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this +means hundreds of round-trips to LDAP (unless the GIDs were +specifically configured to be ignored by the SSSD or winbindd). +To a user with a slow connection to their LDAP server, this would +appear as if groupadd -r was hung. (Though it would eventually +complete). + +3) This patch also adds better error-handling for errno from +getgrgid(), since if this function returns an unexpected error, we +should not be treating it as "ID is available". This could result +in assigning a GID that was already in use, with all the same +issues as 1) above. + +This patch changes the algorithm to be more favorable for LDAP +environments, at the expense of some performance when using nss_db. +Given that the DB is a local service, this should have a negligible +effect from a user's perspective. + +With the new algorithm, we simply first iterate through all entries +in the local database with gr_next(), recording the IDs that are in +use. We then start from the highest presumed-available entry and +call getgrgid() to see if it is available. 
We continue this until +we come to the first unused GID. We then select that and return it. + +If we make it through all the remaining IDs without finding a free +one, we start over from the beginning of the range and try to find +room in one of the gaps in the range. +--- + libmisc/find_new_gid.c | 533 +++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 407 insertions(+), 126 deletions(-) + +diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c +index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b814763a16 100644 +--- a/libmisc/find_new_gid.c ++++ b/libmisc/find_new_gid.c +@@ -39,6 +39,118 @@ + #include "getdef.h" + + /* ++ * get_ranges - Get the minimum and maximum ID ranges for the search ++ * ++ * This function will return the minimum and maximum ranges for IDs ++ * ++ * 0: The function completed successfully ++ * EINVAL: The provided ranges are impossible (such as maximum < minimum) ++ * ++ * preferred_min: The special-case minimum value for a specifically- ++ * requested ID, which may be lower than the standard min_id ++ */ ++static int get_ranges(bool sys_group, gid_t *min_id, gid_t *max_id, ++ gid_t *preferred_min) ++{ ++ gid_t gid_def_max = 0; ++ ++ if (sys_group) { ++ /* System groups */ ++ ++ /* A requested ID is allowed to be below the autoselect range */ ++ *preferred_min = (gid_t) 1; ++ ++ /* Get the minimum ID range from login.defs or default to 101 */ ++ *min_id = (gid_t) getdef_ulong("SYS_GID_MIN", 101UL); ++ ++ /* ++ * If SYS_GID_MAX is unspecified, we should assume it to be one ++ * less than the GID_MIN (which is reserved for non-system accounts) ++ */ ++ gid_def_max = (gid_t) getdef_ulong("GID_MIN", 1000UL) - 1; ++ *max_id = (gid_t) getdef_ulong("SYS_GID_MAX", ++ (unsigned long) gid_def_max); ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf (stderr, ++ _("%s: Invalid configuration: SYS_GID_MIN (%lu), " ++ "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), ++ Prog, 
(unsigned long) *min_id, ++ getdef_ulong ("GID_MIN", 1000UL), ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } else { ++ /* Non-system groups */ ++ ++ /* Get the values from login.defs or use reasonable defaults */ ++ *min_id = (gid_t) getdef_ulong("GID_MIN", 1000UL); ++ *max_id = (gid_t) getdef_ulong("GID_MAX", 60000UL); ++ ++ /* ++ * The preferred minimum should match the standard ID minimum ++ * for non-system groups. ++ */ ++ *preferred_min = *min_id; ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf(stderr, ++ _("%s: Invalid configuration: GID_MIN (%lu), " ++ "GID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } ++ ++ return 0; ++} ++ ++/* ++ * check_gid - See if the requested GID is available ++ * ++ * On success, return 0 ++ * If the ID is in use, return EEXIST ++ * If the ID is outside the range, return ERANGE ++ * In other cases, return errno from getgrgid() ++ */ ++static int check_gid(const gid_t gid, ++ const gid_t gid_min, ++ const gid_t gid_max, ++ bool *used_gids) ++{ ++ /* First test that the preferred ID is in the range */ ++ if (gid < gid_min || gid > gid_max) { ++ return ERANGE; ++ } ++ ++ /* ++ * Check whether we already detected this GID ++ * using the gr_next() loop ++ */ ++ if (used_gids != NULL && used_gids[gid]) { ++ return EEXIST; ++ } ++ /* Check if the GID exists according to NSS */ ++ errno = 0; ++ if (getgrgid(gid) != NULL) { ++ return EEXIST; ++ } else { ++ /* getgrgid() was NULL, check whether this was ++ * due to an error, so we can report it. ++ */ ++ if (errno != 0) { ++ return errno; ++ } ++ } ++ ++ /* If we've made it here, the GID must be available */ ++ return 0; ++} ++ ++/* + * find_new_gid - Find a new unused GID. + * + * If successful, find_new_gid provides an unused group ID in the +@@ -48,166 +160,339 @@ + * + * Return 0 on success, -1 if no unused GIDs are available. 
+ */ +-int find_new_gid (bool sys_group, +- gid_t *gid, +- /*@null@*/gid_t const *preferred_gid) ++int find_new_gid(bool sys_group, ++ gid_t *gid, ++ /*@null@*/gid_t const *preferred_gid) + { +- const struct group *grp; +- gid_t gid_min, gid_max, group_id; + bool *used_gids; ++ const struct group *grp; ++ gid_t gid_min, gid_max, preferred_min; ++ gid_t group_id, id; ++ gid_t lowest_found, highest_found; ++ int result; ++ int nospam = 0; + +- assert (gid != NULL); ++ assert(gid != NULL); + +- if (!sys_group) { +- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); +- gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); +- if (gid_max < gid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"), +- Prog, (unsigned long) gid_min, (unsigned long) gid_max); +- return -1; +- } +- } else { +- gid_min = (gid_t) 1; +- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; +- gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); +- if (gid_max < gid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), +- Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max); ++ /* ++ * First, figure out what ID range is appropriate for ++ * automatic assignment ++ */ ++ result = get_ranges(sys_group, &gid_min, &gid_max, &preferred_min); ++ if (result == EINVAL) { ++ return -1; ++ } ++ ++ /* Check if the preferred GID is available */ ++ if (preferred_gid) { ++ result = check_gid(*preferred_gid, preferred_min, gid_max, NULL); ++ if (result == 0) { ++ /* ++ * Make sure the GID isn't queued for use already ++ */ ++ if (gr_locate_gid (preferred_gid) == NULL) { ++ *gid = *preferred_gid; ++ return 0; ++ } ++ /* ++ * gr_locate_gid() found the GID in an as-yet uncommitted ++ * entry. We'll proceed below and auto-set a GID. ++ */ ++ } else if (result == EEXIST || result == ERANGE) { ++ /* ++ * Continue on below. 
At this time, we won't ++ * treat these two cases differently. ++ */ ++ } else { ++ /* ++ * An unexpected error occurred. We should report ++ * this and fail the group creation. ++ * This differs from the automatic creation ++ * behavior below, since if a specific GID was ++ * requested and generated an error, the user is ++ * more likely to want to stop and address the ++ * issue. ++ */ ++ fprintf(stderr, ++ _("%s: Encountered error attempting to use " ++ "preferred GID: %s\n"), ++ Prog, strerror(result)); + return -1; + } + } ++ ++ /* ++ * Search the entire group file, ++ * looking for the next unused value. ++ * ++ * We first check the local database with gr_rewind/gr_next to find ++ * all local values that are in use. ++ * ++ * We then compare the next free value to all databases (local and ++ * remote) and iterate until we find a free one. If there are free ++ * values beyond the lowest (system groups) or highest (non-system ++ * groups), we will prefer those and avoid potentially reclaiming a ++ * deleted group (which can be a security issue, since it may grant ++ * access to files belonging to that former group). ++ * ++ * If there are no GIDs available at the end of the search, we will ++ * have no choice but to iterate through the range looking for gaps. 
++ * ++ */ ++ ++ /* Create an array to hold all of the discovered GIDs */ + used_gids = malloc (sizeof (bool) * (gid_max +1)); + if (NULL == used_gids) { + fprintf (stderr, +- _("%s: failed to allocate memory: %s\n"), +- Prog, strerror (errno)); ++ _("%s: failed to allocate memory: %s\n"), ++ Prog, strerror (errno)); + return -1; + } + memset (used_gids, false, sizeof (bool) * (gid_max + 1)); + +- if ( (NULL != preferred_gid) +- && (*preferred_gid >= gid_min) +- && (*preferred_gid <= gid_max) +- /* Check if the user exists according to NSS */ +- && (getgrgid (*preferred_gid) == NULL) +- /* Check also the local database in case of uncommitted +- * changes */ +- && (gr_locate_gid (*preferred_gid) == NULL)) { +- *gid = *preferred_gid; +- free (used_gids); +- return 0; +- } ++ /* First look for the lowest and highest value in the local database */ ++ (void) gr_rewind (); ++ highest_found = gid_min; ++ lowest_found = gid_max; ++ while ((grp = gr_next ()) != NULL) { ++ /* ++ * Does this entry have a lower GID than the lowest we've found ++ * so far? ++ */ ++ if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) { ++ lowest_found = grp->gr_gid - 1; ++ } ++ ++ /* ++ * Does this entry have a higher GID than the highest we've found ++ * so far? ++ */ ++ if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) { ++ highest_found = grp->gr_gid + 1; ++ } ++ ++ /* create index of used GIDs */ ++ if (grp->gr_gid >= gid_min ++ && grp->gr_gid <= gid_max) { + +- /* if we did not find free preffered system gid, we start to look for +- * one in the range assigned to dynamic system IDs */ +- if (sys_group) +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ used_gids[grp->gr_gid] = true; ++ } ++ } + +- /* +- * Search the entire group file, +- * looking for the largest unused value. 
+- * +- * We check the list of groups according to NSS (setgrent/getgrent), +- * but we also check the local database (gr_rewind/gr_next) in case +- * some groups were created but the changes were not committed yet. +- */ + if (sys_group) { +- gid_t id; +- /* setgrent / getgrent / endgrent can be very slow with +- * LDAP configurations (and many accounts). +- * Since there is a limited amount of IDs to be tested +- * for system accounts, we just check the existence +- * of IDs with getgrgid. ++ /* ++ * For system groups, we want to start from the ++ * top of the range and work downwards. + */ +- group_id = gid_max; +- for (id = gid_max; id >= gid_min; id--) { +- if (getgrgid (id) != NULL) { +- group_id = id - 1; +- used_gids[id] = true; +- } ++ ++ /* ++ * At the conclusion of the gr_next() search, we will either ++ * have a presumed-free GID or we will be at GID_MIN - 1. ++ */ ++ if (lowest_found < gid_min) { ++ /* ++ * In this case, a GID is in use at GID_MIN. ++ * ++ * We will reset the search to GID_MAX and proceed down ++ * through all the GIDs (skipping those we detected with ++ * used_gids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted GID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign GIDs ++ * explicitly). ++ */ ++ lowest_found = gid_max; + } + +- (void) gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { +- group_id = grp->gr_gid - 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ /* Search through all of the IDs in the range */ ++ for (id = lowest_found; id >= gid_min; id--) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. 
*/ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- } else { +- group_id = gid_min; +- setgrent (); +- while ((grp = getgrent ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ ++ /* ++ * If we get all the way through the loop, try again from GID_MAX, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) ++ * cycles *again* if we fall into this case with lowest_found as ++ * GID_MAX - 1, all groups in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (lowest_found != gid_max) { ++ for (id = gid_max; id >= gid_min; id--) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system GID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ ++ } + } + } +- endgrent (); ++ } else { /* !sys_group */ ++ /* ++ * For non-system groups, we want to start from the ++ * bottom of the range and work upwards. ++ */ + +- (void) gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; +- } ++ /* ++ * At the conclusion of the gr_next() search, we will either ++ * have a presumed-free GID or we will be at GID_MAX + 1. ++ */ ++ if (highest_found > gid_max) { ++ /* ++ * In this case, a GID is in use at GID_MAX. ++ * ++ * We will reset the search to GID_MIN and proceed up ++ * through all the GIDs (skipping those we detected with ++ * used_gids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted GID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign GIDs ++ * explicitly). ++ */ ++ highest_found = gid_min; + } +- } + +- /* +- * If a group (resp. system group) with GID equal to GID_MAX (resp. +- * GID_MIN) exists, the above algorithm will give us GID_MAX+1 +- * (resp. GID_MIN-1) even if not unique. Search for the first free +- * GID starting with GID_MIN (resp. GID_MAX). +- */ +- if (sys_group) { +- if (group_id < gid_min) { +- for (group_id = gid_max; group_id >= gid_min; group_id--) { +- if (false == used_gids[group_id]) { +- break; ++ /* Search through all of the IDs in the range */ ++ for (id = highest_found; id <= gid_max; id++) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. 
*/ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; + } +- } +- if (group_id < gid_min) { +- fprintf (stderr, +- _("%s: Can't get unique system GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available GID on the system")); +- free (used_gids); +- return -1; ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- } else { +- if (group_id > gid_max) { +- for (group_id = gid_min; group_id <= gid_max; group_id++) { +- if (false == used_gids[group_id]) { +- break; ++ ++ /* ++ * If we get all the way through the loop, try again from GID_MIN, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) ++ * cycles *again* if we fall into this case with highest_found as ++ * GID_MIN + 1, all groups in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (highest_found != gid_min) { ++ for (id = gid_min; id <= gid_max; id++) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique GID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- if (group_id > gid_max) { +- fprintf (stderr, +- _("%s: Can't get unique GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, "no more available GID on the system")); +- free (used_gids); +- return -1; +- } + } + } + +- free (used_gids); +- *gid = group_id; +- return 0; ++ /* The code reached here and found no available IDs in the range */ ++ fprintf(stderr, ++ _("%s: Can't get unique GID (no more available GIDs)\n"), ++ Prog); ++ SYSLOG((LOG_WARN, "no more available GIDs on the system")); ++ free(used_gids); ++ return -1; + } + +-- +1.9.3 + diff --git a/shadow-utils.spec b/shadow-utils.spec index 1585a51..138872f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 11%{?dist} +Release: 12%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -24,6 +24,7 @@ Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch +Patch18: shadow-4.1.5.1-group-alloc.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -69,6 +70,7 @@ are used for managing group accounts. %patch15 -p1 -b .manfix %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel +%patch18 -p1 -b .group-alloc iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
@@ -222,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-12 +- improve group allocation algorithm - patch by Stephen Gallager (#1089738) + * Sun Jun 08 2014 Fedora Release Engineering - 2:4.1.5.1-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild From efff9fe79f2cd8ca2d6336c29b71a7f7432079b2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 2 Jul 2014 13:30:31 +0200 Subject: [PATCH 10/64] ignore getgrgid() errors for now --- shadow-4.1.5.1-group-alloc.patch | 6 +++--- shadow-utils.spec | 5 ++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/shadow-4.1.5.1-group-alloc.patch b/shadow-4.1.5.1-group-alloc.patch index 892ae7d..0ac336b 100644 --- a/shadow-4.1.5.1-group-alloc.patch +++ b/shadow-4.1.5.1-group-alloc.patch @@ -158,9 +158,9 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + /* getgrgid() was NULL, check whether this was + * due to an error, so we can report it. + */ -+ if (errno != 0) { ++ /* ignore errors for now * if (errno != 0) { + return errno; -+ } ++ } */ + } + + /* If we've made it here, the GID must be available */ @@ -228,7 +228,7 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + /* + * Make sure the GID isn't queued for use already + */ -+ if (gr_locate_gid (preferred_gid) == NULL) { ++ if (gr_locate_gid (*preferred_gid) == NULL) { + *gid = *preferred_gid; + return 0; + } diff --git a/shadow-utils.spec b/shadow-utils.spec index 138872f..0d186a4 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 12%{?dist} +Release: 13%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 
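Review bot: Commenting out the `if (errno != 0) return errno;` branch in check_gid() makes every failed getgrgid() lookup look like a free GID, which is exactly the case the original patch's third bullet warns about (an LDAP timeout or ENOMEM during the probe now hands out a GID that may already exist on the directory server, with the privileged-group consequence named there), and it leaves the "unexpected error" branches in find_new_gid() unreachable. If the check was disabled because some NSS modules set errno for a plain not-found result, filter those values rather than all errors: the getgrnam(3) manual lists 0, ENOENT, ESRCH, EBADF and EPERM for "not found", so `if (errno != 0 && errno != ENOENT && errno != ESRCH && errno != EBADF && errno != EPERM) return errno;` keeps the fail-closed behaviour for EAGAIN, ENOMEM, EIO and the like. Whatever the decision, delete the dead code instead of fencing it in a `/* ... */` block and record the reason (which backends return which errno) in a comment next to the remaining check.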
@@ -224,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-13 +- ignore getgrgid() errors for now + * Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-12 - improve group allocation algorithm - patch by Stephen Gallager (#1089738) From 6a7e42e7e913612c911bf2baf286e1db763cf173 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 10 Jul 2014 17:06:38 +0200 Subject: [PATCH 11/64] put system users and groups into /usr/lib/{passwd,group} if the files exist and SHADOW_USE_USRLIB environment variable is set Patch by Colin Walters --- shadow-4.1.5.1-usr-lib.patch | 706 +++++++++++++++++++++++++++++++++++ shadow-utils.spec | 11 +- 2 files changed, 716 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-usr-lib.patch diff --git a/shadow-4.1.5.1-usr-lib.patch b/shadow-4.1.5.1-usr-lib.patch new file mode 100644 index 0000000..b9c7af0 --- /dev/null +++ b/shadow-4.1.5.1-usr-lib.patch 
@@ -0,0 +1,706 @@ +From 43f9ae51f2629b7c42a5a0e664cf62907b1f1276 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Tue, 17 Dec 2013 18:48:48 -0500 +Subject: [PATCH] Use /usr/lib/passwd for system users (if it exists, and + SHADOW_USE_USRLIB) + +See https://sourceware.org/bugzilla/show_bug.cgi?id=16142 + +This allows OSTree/Atomic to write usernames to /usr/lib/passwd (and +/usr/lib/group). +--- + lib/defines.h | 8 +++++ + lib/groupio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- + lib/groupio.h | 7 +++++ + lib/pwio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- + lib/pwio.h | 7 +++++ + libmisc/cleanup_group.c | 2 +- + src/groupadd.c | 24 +++++++-------- + src/newusers.c | 18 +++++------ + src/useradd.c | 68 ++++++++++++++++++++--------------------- + 9 files changed, 230 insertions(+), 66 deletions(-) + +diff --git a/lib/defines.h b/lib/defines.h +index c5d84a8..27ad429 100644 +--- a/lib/defines.h ++++ b/lib/defines.h +@@ -302,10 +302,18 @@ char *strchr (), *strrchr (), *strtok (); + #define PASSWD_FILE "/etc/passwd" + #endif + ++#ifndef USRLIB_PASSWD_FILE ++#define USRLIB_PASSWD_FILE "/usr/lib/passwd" ++#endif ++ + #ifndef GROUP_FILE + #define GROUP_FILE "/etc/group" + #endif + ++#ifndef USRLIB_GROUP_FILE ++#define USRLIB_GROUP_FILE "/usr/lib/group" ++#endif ++ + #ifndef SHADOW_FILE + #define SHADOW_FILE "/etc/shadow" + #endif +diff --git a/lib/groupio.c b/lib/groupio.c +index e0bb030..d9c01c1 100644 +--- a/lib/groupio.c ++++ b/lib/groupio.c +@@ -139,6 +139,42 @@ static /*@owned@*/struct commonio_db group_db = { + false /* readonly */ + }; + ++static struct commonio_db usrlib_group_db = { ++ USRLIB_GROUP_FILE, /* filename */ ++ &group_ops, /* ops */ ++ NULL, /* fp */ ++#ifdef WITH_SELINUX ++ NULL, /* scontext */ ++#endif ++ NULL, /* head */ ++ NULL, /* tail */ ++ NULL, /* cursor */ ++ false, /* changed */ ++ false, /* isopen */ ++ false, /* locked */ ++ false /* readonly */ ++}; ++ ++static struct commonio_db * ++get_db (int usrlib) ++{ ++ 
static int checked_usrlib; ++ static int have_usrlib; ++ ++ if (!usrlib) ++ return &group_db; ++ ++ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { ++ struct stat stbuf; ++ checked_usrlib = 1; ++ have_usrlib = lstat (usrlib_group_db.filename, &stbuf) == 0; ++ } ++ ++ if (have_usrlib) ++ return &usrlib_group_db; ++ return &group_db; ++} ++ + int gr_setdbname (const char *filename) + { + return commonio_setname (&group_db, filename); +@@ -149,14 +185,29 @@ int gr_setdbname (const char *filename) + return group_db.filename; + } + ++/*@observer@*/const char *gr_dbname_extended (int usrlib) ++{ ++ return get_db (usrlib)->filename; ++} ++ + int gr_lock (void) + { +- return commonio_lock (&group_db); ++ return gr_lock_extended (0); ++} ++ ++int gr_lock_extended (int usrlib) ++{ ++ return commonio_lock (get_db (usrlib)); + } + + int gr_open (int mode) + { +- return commonio_open (&group_db, mode); ++ return gr_open_extended (0, mode); ++} ++ ++int gr_open_extended (int usrlib, int mode) ++{ ++ return commonio_open (get_db (usrlib), mode); + } + + /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name) +@@ -178,7 +229,12 @@ int gr_open (int mode) + + int gr_update (const struct group *gr) + { +- return commonio_update (&group_db, (const void *) gr); ++ return gr_update_extended (0, gr); ++} ++ ++int gr_update_extended (int usrlib, const struct group *gr) ++{ ++ return commonio_update (get_db (usrlib), (const void *) gr); + } + + int gr_remove (const char *name) +@@ -186,6 +242,11 @@ int gr_remove (const char *name) + return commonio_remove (&group_db, name); + } + ++int gr_remove_extended (int usrlib, const char *name) ++{ ++ return commonio_remove (get_db (usrlib), name); ++} ++ + int gr_rewind (void) + { + return commonio_rewind (&group_db); +@@ -198,12 +259,22 @@ int gr_rewind (void) + + int gr_close (void) + { +- return commonio_close (&group_db); ++ return gr_close_extended (0); ++} ++ ++int gr_close_extended (int usrlib) ++{ ++ return 
commonio_close (get_db (usrlib)); + } + + int gr_unlock (void) + { +- return commonio_unlock (&group_db); ++ return gr_unlock_extended (0); ++} ++ ++int gr_unlock_extended (int usrlib) ++{ ++ return commonio_unlock (get_db (usrlib)); + } + + void __gr_set_changed (void) +diff --git a/lib/groupio.h b/lib/groupio.h +index 6440523..01f66d5 100644 +--- a/lib/groupio.h ++++ b/lib/groupio.h +@@ -39,17 +39,24 @@ + #include + + extern int gr_close (void); ++extern int gr_close_extended (int usrlib); + extern /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name); + extern /*@observer@*/ /*@null@*/const struct group *gr_locate_gid (gid_t gid); + extern int gr_lock (void); ++extern int gr_lock_extended (int usrlib); + extern int gr_setdbname (const char *filename); + extern /*@observer@*/const char *gr_dbname (void); ++extern /*@observer@*/const char *gr_dbname_extended (int rflg); + extern /*@observer@*/ /*@null@*/const struct group *gr_next (void); + extern int gr_open (int mode); ++extern int gr_open_extended (int usrlib, int mode); + extern int gr_remove (const char *name); ++extern int gr_remove_extended (int usrlib, const char *name); + extern int gr_rewind (void); + extern int gr_unlock (void); ++extern int gr_unlock_extended (int usrlib); + extern int gr_update (const struct group *gr); ++extern int gr_update_extended (int usrlib, const struct group *gr); + extern int gr_sort (void); + + #endif +diff --git a/lib/pwio.c b/lib/pwio.c +index d63d15d..1ce005f 100644 +--- a/lib/pwio.c ++++ b/lib/pwio.c +@@ -114,6 +114,42 @@ static struct commonio_db passwd_db = { + false /* readonly */ + }; + ++static struct commonio_db usrlib_passwd_db = { ++ USRLIB_PASSWD_FILE, /* filename */ ++ &passwd_ops, /* ops */ ++ NULL, /* fp */ ++#ifdef WITH_SELINUX ++ NULL, /* scontext */ ++#endif ++ NULL, /* head */ ++ NULL, /* tail */ ++ NULL, /* cursor */ ++ false, /* changed */ ++ false, /* isopen */ ++ false, /* locked */ ++ false /* readonly */ ++}; ++ ++static struct 
commonio_db * ++get_db (int usrlib) ++{ ++ static int checked_usrlib; ++ static int have_usrlib; ++ ++ if (!usrlib) ++ return &passwd_db; ++ ++ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { ++ struct stat stbuf; ++ checked_usrlib = 1; ++ have_usrlib = lstat (usrlib_passwd_db.filename, &stbuf) == 0; ++ } ++ ++ if (have_usrlib) ++ return &usrlib_passwd_db; ++ return &passwd_db; ++} ++ + int pw_setdbname (const char *filename) + { + return commonio_setname (&passwd_db, filename); +@@ -124,9 +160,19 @@ int pw_setdbname (const char *filename) + return passwd_db.filename; + } + ++/*@observer@*/const char *pw_dbname_extended (int usrlib) ++{ ++ return get_db (usrlib)->filename; ++} ++ + int pw_lock (void) + { +- return commonio_lock (&passwd_db); ++ return pw_lock_extended (0); ++} ++ ++int pw_lock_extended (int usrlib) ++{ ++ return commonio_lock (get_db (usrlib)); + } + + int pw_open (int mode) +@@ -134,6 +180,11 @@ int pw_open (int mode) + return commonio_open (&passwd_db, mode); + } + ++int pw_open_extended (int usrlib, int mode) ++{ ++ return commonio_open (get_db (usrlib), mode); ++} ++ + /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name) + { + return commonio_locate (&passwd_db, name); +@@ -153,12 +204,22 @@ int pw_open (int mode) + + int pw_update (const struct passwd *pw) + { +- return commonio_update (&passwd_db, (const void *) pw); ++ return pw_update_extended (0, pw); ++} ++ ++int pw_update_extended (int usrlib, const struct passwd *pw) ++{ ++ return commonio_update (get_db (usrlib), (const void *) pw); + } + + int pw_remove (const char *name) + { +- return commonio_remove (&passwd_db, name); ++ return pw_remove_extended (0, name); ++} ++ ++int pw_remove_extended (int usrlib, const char *name) ++{ ++ return commonio_remove (get_db (usrlib), name); + } + + int pw_rewind (void) +@@ -173,12 +234,22 @@ int pw_rewind (void) + + int pw_close (void) + { +- return commonio_close (&passwd_db); ++ return pw_close_extended (0); ++} ++ 
++int pw_close_extended (int usrlib) ++{ ++ return commonio_close (get_db (usrlib)); + } + + int pw_unlock (void) + { +- return commonio_unlock (&passwd_db); ++ return pw_unlock_extended (0); ++} ++ ++int pw_unlock_extended (int usrlib) ++{ ++ return commonio_unlock (get_db (usrlib)); + } + + /*@null@*/struct commonio_entry *__pw_get_head (void) +diff --git a/lib/pwio.h b/lib/pwio.h +index 0ee961d..ca73361 100644 +--- a/lib/pwio.h ++++ b/lib/pwio.h +@@ -39,17 +39,24 @@ + #include + + extern int pw_close (void); ++extern int pw_close_extended (int usrlib); + extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name); + extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate_uid (uid_t uid); + extern int pw_lock (void); ++extern int pw_lock_extended (int usrlib); + extern int pw_setdbname (const char *filename); + extern /*@observer@*/const char *pw_dbname (void); ++extern /*@observer@*/const char *pw_dbname_extended (int rflg); + extern /*@observer@*/ /*@null@*/const struct passwd *pw_next (void); + extern int pw_open (int mode); ++extern int pw_open_extended (int usrlib, int mode); + extern int pw_remove (const char *name); ++extern int pw_remove_extended (int usrlib, const char *name); + extern int pw_rewind (void); + extern int pw_unlock (void); ++extern int pw_unlock_extended (int usrlib); + extern int pw_update (const struct passwd *pw); ++extern int pw_update_extended (int usrlib, const struct passwd *pw); + extern int pw_sort (void); + + #endif +diff --git a/libmisc/cleanup_group.c b/libmisc/cleanup_group.c +index d07adc7..cbfc2c6 100644 +--- a/libmisc/cleanup_group.c ++++ b/libmisc/cleanup_group.c +@@ -202,7 +202,7 @@ void cleanup_report_del_group_gshadow (void *group_name) + */ + void cleanup_unlock_group (unused void *arg) + { +- if (gr_unlock () == 0) { ++ if (gr_unlock_extended ((intptr_t)arg) == 0) { + fprintf (stderr, + _("%s: failed to unlock %s\n"), + Prog, gr_dbname ()); +diff --git a/src/groupadd.c b/src/groupadd.c 
+index 84ff55e..f6079aa 100644 +--- a/src/groupadd.c ++++ b/src/groupadd.c +@@ -206,10 +206,10 @@ static void grp_update (void) + /* + * Write out the new group file entry. + */ +- if (gr_update (&grp) == 0) { ++ if (gr_update_extended (rflg, &grp) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, gr_dbname (), grp.gr_name); ++ Prog, gr_dbname_extended (rflg), grp.gr_name); + exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -256,10 +256,10 @@ static void check_new_name (void) + static void close_files (void) + { + /* First, write the changes in the regular group database */ +- if (gr_close () == 0) { ++ if (gr_close_extended (rflg) == 0) { + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), +- Prog, gr_dbname ()); ++ Prog, gr_dbname_extended (rflg)); + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +@@ -269,10 +269,10 @@ static void close_files (void) + SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u", +- gr_dbname (), group_name, (unsigned int) group_id)); ++ gr_dbname_extended (rflg), group_name, (unsigned int) group_id)); + del_cleanup (cleanup_report_add_group_group); + +- cleanup_unlock_group (NULL); ++ cleanup_unlock_group ((void*)rflg); + del_cleanup (cleanup_unlock_group); + + /* Now, write the changes in the shadow database */ +@@ -319,13 +319,13 @@ static void close_files (void) + static void open_files (void) + { + /* First, lock the databases */ +- if (gr_lock () == 0) { ++ if (gr_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), +- Prog, gr_dbname ()); ++ Prog, gr_dbname_extended (rflg)); + exit (E_GRP_UPDATE); + } +- add_cleanup (cleanup_unlock_group, NULL); ++ add_cleanup (cleanup_unlock_group, (void*)rflg); + + #ifdef SHADOWGRP + if (is_shadow_grp) { +@@ -346,9 +346,9 @@ static void open_files (void) + add_cleanup (cleanup_report_add_group, group_name); + + /* And now open the databases */ +- if (gr_open 
(O_RDWR) == 0) { +- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); ++ if (gr_open_extended (rflg, O_RDWR) == 0) { ++ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname_extended (rflg))); + exit (E_GRP_UPDATE); + } + +diff --git a/src/newusers.c b/src/newusers.c +index ac6f538..136926b 100644 +--- a/src/newusers.c ++++ b/src/newusers.c +@@ -380,7 +380,7 @@ static int add_user (const char *name, uid_t uid, gid_t gid) + pwent.pw_dir = ""; /* XXX warning: const */ + pwent.pw_shell = ""; /* XXX warning: const */ + +- return (pw_update (&pwent) == 0) ? -1 : 0; ++ return (pw_update_extended (rflg, &pwent) == 0) ? -1 : 0; + } + + #ifndef USE_PAM +@@ -714,7 +714,7 @@ static void open_files (void) + * modified, or new entries added. The password file is the key - if + * it gets locked, assume the others can be locked right away. + */ +- if (pw_lock () == 0) { ++ if (pw_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, pw_dbname ()); +@@ -730,7 +730,7 @@ static void open_files (void) + } + spw_locked = true; + } +- if (gr_lock () == 0) { ++ if (gr_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +@@ -749,7 +749,7 @@ static void open_files (void) + } + #endif + +- if (pw_open (O_RDWR) == 0) { ++ if (pw_open_extended (rflg, O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); + fail_exit (EXIT_FAILURE); + } +@@ -757,7 +757,7 @@ static void open_files (void) + fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); + fail_exit (EXIT_FAILURE); + } +- if (gr_open (O_RDWR) == 0) { ++ if (gr_open_extended (rflg, O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); + fail_exit (EXIT_FAILURE); + } +@@ -774,12 +774,12 @@ static void open_files 
(void) + */ + static void close_files (void) + { +- if (pw_close () == 0) { ++ if (pw_close_extended (rflg) == 0) { + fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); + fail_exit (EXIT_FAILURE); + } +- if (pw_unlock () == 0) { ++ if (pw_unlock_extended (rflg) == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); + /* continue */ +@@ -804,14 +804,14 @@ static void close_files (void) + spw_locked = false; + } + +- if (gr_close () == 0) { ++ if (gr_close_extended (rflg) == 0) { + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); + fail_exit (EXIT_FAILURE); + } +- if (gr_unlock () == 0) { ++ if (gr_unlock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: failed to unlock %s\n"), + Prog, gr_dbname ()); +diff --git a/src/useradd.c b/src/useradd.c +index b686f14..78979ab 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -228,9 +228,9 @@ static void fail_exit (int code) + } + } + if (pw_locked) { +- if (pw_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); ++ if (pw_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking passwd file", +@@ -241,9 +241,9 @@ static void fail_exit (int code) + } + } + if (gr_locked) { +- if (gr_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); ++ if (gr_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), 
Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking group file", +@@ -847,7 +847,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: Out of memory. Cannot update %s.\n"), + Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); ++ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "adding user to group", +@@ -862,11 +862,11 @@ static void grp_update (void) + * update the group entry to reflect the change. + */ + ngrp->gr_mem = add_list (ngrp->gr_mem, user_name); +- if (gr_update (ngrp) == 0) { ++ if (gr_update_extended (rflg, ngrp) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, gr_dbname (), ngrp->gr_name); +- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); ++ Prog, gr_dbname_extended (rflg), ngrp->gr_name); ++ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "adding user to group", +@@ -1351,9 +1351,9 @@ static void process_flags (int argc, char **argv) + */ + static void close_files (void) + { +- if (pw_close () == 0) { +- fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); +- SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); ++ if (pw_close_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname_extended (rflg))); + fail_exit (E_PW_UPDATE); + } + if (is_shadow_pwd && (spw_close () == 0)) { +@@ -1363,10 +1363,10 @@ static void close_files (void) + fail_exit (E_PW_UPDATE); + } + if 
(do_grp_update) { +- if (gr_close () == 0) { ++ if (gr_close_extended (rflg) == 0) { + fprintf (stderr, +- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); ++ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname_extended (rflg))); + fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -1393,9 +1393,9 @@ static void close_files (void) + } + spw_locked = false; + } +- if (pw_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); ++ if (pw_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking passwd file", +@@ -1405,9 +1405,9 @@ static void close_files (void) + /* continue */ + } + pw_locked = false; +- if (gr_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); ++ if (gr_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking group file", +@@ -1442,15 +1442,15 @@ static void close_files (void) + */ + static void open_files (void) + { +- if (pw_lock () == 0) { ++ if (pw_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), +- Prog, pw_dbname ()); ++ Prog, pw_dbname_extended (rflg)); + exit (E_PW_UPDATE); + } + pw_locked = true; +- if (pw_open (O_RDWR) == 0) { +- fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); ++ if 
(pw_open_extended (rflg, O_RDWR) == 0) { ++ fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname_extended (rflg)); + fail_exit (E_PW_UPDATE); + } + +@@ -1459,15 +1459,15 @@ static void open_files (void) + /* + * Lock and open the group file. + */ +- if (gr_lock () == 0) { ++ if (gr_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), +- Prog, gr_dbname ()); ++ Prog, gr_dbname_extended (rflg)); + fail_exit (E_GRP_UPDATE); + } + gr_locked = true; +- if (gr_open (O_RDWR) == 0) { +- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); ++ if (gr_open_extended (rflg, O_RDWR) == 0) { ++ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); + fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -1578,10 +1578,10 @@ static void grp_add (void) + /* + * Write out the new group file entry. + */ +- if (gr_update (&grp) == 0) { ++ if (gr_update_extended (rflg, &grp) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, gr_dbname (), grp.gr_name); ++ Prog, gr_dbname_extended (rflg), grp.gr_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, + "adding group", +@@ -1711,10 +1711,10 @@ static void usr_update (void) + /* + * Put the new (struct passwd) in the table. + */ +- if (pw_update (&pwent) == 0) { ++ if (pw_update_extended (rflg, &pwent) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, pw_dbname (), pwent.pw_name); ++ Prog, pw_dbname_extended (rflg), pwent.pw_name); + fail_exit (E_PW_UPDATE); + } + +-- +1.8.3.1 + diff --git a/shadow-utils.spec b/shadow-utils.spec index 0d186a4..729c255 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 13%{?dist} +Release: 14%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -25,6 +25,9 @@ Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-group-alloc.patch +# This is needed for Fedora Atomic project and might be dropped if less +# hackish way to create system users and groups is designed. +Patch19: shadow-4.1.5.1-usr-lib.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -71,6 +74,7 @@ are used for managing group accounts. %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .group-alloc +%patch19 -p1 -b .usr-lib iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -224,6 +228,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 10 2014 Tomas Mraz - 2:4.1.5.1-14 +- put system users and groups into /usr/lib/{passwd,group} if + the files exist and SHADOW_USE_USRLIB environment variable is set + Patch by Colin Walters + * Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-13 - ignore getgrgid() errors for now From fd2973e24f58f8dbd0f65b25a117a105b6f2290f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 14 Jul 2014 10:34:08 +0200 Subject: [PATCH 12/64] revert the last change as it is not really needed --- shadow-4.1.5.1-usr-lib.patch | 706 ----------------------------------- shadow-utils.spec | 9 +- 2 files changed, 4 insertions(+), 711 deletions(-) delete mode 100644 shadow-4.1.5.1-usr-lib.patch diff --git a/shadow-4.1.5.1-usr-lib.patch b/shadow-4.1.5.1-usr-lib.patch deleted file mode 100644 index b9c7af0..0000000 --- a/shadow-4.1.5.1-usr-lib.patch +++ /dev/null 
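Review bot: The comment added above `Patch19:` says why the patch exists but not what it changes at runtime, which is what a packager reading this spec needs: the patch body visible earlier in this series selects `/usr/lib/passwd` and `/usr/lib/group` instead of the `/etc` files whenever `getenv ("SHADOW_USE_USRLIB")` is set and an `lstat()` of the `/usr/lib` file succeeds, and it is applied on the `rflg` code paths of useradd, groupadd and newusers (presumably the `-r`/system-account flag). Since these tools run as root, letting an environment variable redirect which account database is locked, written and unlocked is a security-relevant behaviour change that should be stated next to the patch line rather than only in the changelog. I would extend the comment to `# Patch19: with SHADOW_USE_USRLIB set and /usr/lib/{passwd,group} present, useradd/groupadd/newusers -r write system accounts there instead of /etc.` Note also that `lstat()` succeeds for a dangling symlink, so "present" is a weaker check than the changelog's "if the files exist" suggests.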
@@ -1,706 +0,0 @@ -From 43f9ae51f2629b7c42a5a0e664cf62907b1f1276 Mon Sep 17 00:00:00 2001 -From: Colin Walters -Date: Tue, 17 Dec 2013 18:48:48 -0500 -Subject: [PATCH] Use /usr/lib/passwd for system users (if it exists, and - SHADOW_USE_USRLIB) - -See https://sourceware.org/bugzilla/show_bug.cgi?id=16142 - -This allows OSTree/Atomic to write usernames to /usr/lib/passwd (and -/usr/lib/group). ---- - lib/defines.h | 8 +++++ - lib/groupio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- - lib/groupio.h | 7 +++++ - lib/pwio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- - lib/pwio.h | 7 +++++ - libmisc/cleanup_group.c | 2 +- - src/groupadd.c | 24 +++++++-------- - src/newusers.c | 18 +++++------ - src/useradd.c | 68 ++++++++++++++++++++--------------------- - 9 files changed, 230 insertions(+), 66 deletions(-) - -diff --git a/lib/defines.h b/lib/defines.h -index c5d84a8..27ad429 100644 ---- a/lib/defines.h -+++ b/lib/defines.h -@@ -302,10 +302,18 @@ char *strchr (), *strrchr (), *strtok (); - #define PASSWD_FILE "/etc/passwd" - #endif - -+#ifndef USRLIB_PASSWD_FILE -+#define USRLIB_PASSWD_FILE "/usr/lib/passwd" -+#endif -+ - #ifndef GROUP_FILE - #define GROUP_FILE "/etc/group" - #endif - -+#ifndef USRLIB_GROUP_FILE -+#define USRLIB_GROUP_FILE "/usr/lib/group" -+#endif -+ - #ifndef SHADOW_FILE - #define SHADOW_FILE "/etc/shadow" - #endif -diff --git a/lib/groupio.c b/lib/groupio.c -index e0bb030..d9c01c1 100644 ---- a/lib/groupio.c -+++ b/lib/groupio.c -@@ -139,6 +139,42 @@ static /*@owned@*/struct commonio_db group_db = { - false /* readonly */ - }; - -+static struct commonio_db usrlib_group_db = { -+ USRLIB_GROUP_FILE, /* filename */ -+ &group_ops, /* ops */ -+ NULL, /* fp */ -+#ifdef WITH_SELINUX -+ NULL, /* scontext */ -+#endif -+ NULL, /* head */ -+ NULL, /* tail */ -+ NULL, /* cursor */ -+ false, /* changed */ -+ false, /* isopen */ -+ false, /* locked */ -+ false /* readonly */ -+}; -+ -+static struct commonio_db * -+get_db (int usrlib) -+{ -+ 
static int checked_usrlib; -+ static int have_usrlib; -+ -+ if (!usrlib) -+ return &group_db; -+ -+ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { -+ struct stat stbuf; -+ checked_usrlib = 1; -+ have_usrlib = lstat (usrlib_group_db.filename, &stbuf) == 0; -+ } -+ -+ if (have_usrlib) -+ return &usrlib_group_db; -+ return &group_db; -+} -+ - int gr_setdbname (const char *filename) - { - return commonio_setname (&group_db, filename); -@@ -149,14 +185,29 @@ int gr_setdbname (const char *filename) - return group_db.filename; - } - -+/*@observer@*/const char *gr_dbname_extended (int usrlib) -+{ -+ return get_db (usrlib)->filename; -+} -+ - int gr_lock (void) - { -- return commonio_lock (&group_db); -+ return gr_lock_extended (0); -+} -+ -+int gr_lock_extended (int usrlib) -+{ -+ return commonio_lock (get_db (usrlib)); - } - - int gr_open (int mode) - { -- return commonio_open (&group_db, mode); -+ return gr_open_extended (0, mode); -+} -+ -+int gr_open_extended (int usrlib, int mode) -+{ -+ return commonio_open (get_db (usrlib), mode); - } - - /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name) -@@ -178,7 +229,12 @@ int gr_open (int mode) - - int gr_update (const struct group *gr) - { -- return commonio_update (&group_db, (const void *) gr); -+ return gr_update_extended (0, gr); -+} -+ -+int gr_update_extended (int usrlib, const struct group *gr) -+{ -+ return commonio_update (get_db (usrlib), (const void *) gr); - } - - int gr_remove (const char *name) -@@ -186,6 +242,11 @@ int gr_remove (const char *name) - return commonio_remove (&group_db, name); - } - -+int gr_remove_extended (int usrlib, const char *name) -+{ -+ return commonio_remove (get_db (usrlib), name); -+} -+ - int gr_rewind (void) - { - return commonio_rewind (&group_db); -@@ -198,12 +259,22 @@ int gr_rewind (void) - - int gr_close (void) - { -- return commonio_close (&group_db); -+ return gr_close_extended (0); -+} -+ -+int gr_close_extended (int usrlib) -+{ -+ return 
commonio_close (get_db (usrlib)); - } - - int gr_unlock (void) - { -- return commonio_unlock (&group_db); -+ return gr_unlock_extended (0); -+} -+ -+int gr_unlock_extended (int usrlib) -+{ -+ return commonio_unlock (get_db (usrlib)); - } - - void __gr_set_changed (void) -diff --git a/lib/groupio.h b/lib/groupio.h -index 6440523..01f66d5 100644 ---- a/lib/groupio.h -+++ b/lib/groupio.h -@@ -39,17 +39,24 @@ - #include - - extern int gr_close (void); -+extern int gr_close_extended (int usrlib); - extern /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name); - extern /*@observer@*/ /*@null@*/const struct group *gr_locate_gid (gid_t gid); - extern int gr_lock (void); -+extern int gr_lock_extended (int usrlib); - extern int gr_setdbname (const char *filename); - extern /*@observer@*/const char *gr_dbname (void); -+extern /*@observer@*/const char *gr_dbname_extended (int rflg); - extern /*@observer@*/ /*@null@*/const struct group *gr_next (void); - extern int gr_open (int mode); -+extern int gr_open_extended (int usrlib, int mode); - extern int gr_remove (const char *name); -+extern int gr_remove_extended (int usrlib, const char *name); - extern int gr_rewind (void); - extern int gr_unlock (void); -+extern int gr_unlock_extended (int usrlib); - extern int gr_update (const struct group *gr); -+extern int gr_update_extended (int usrlib, const struct group *gr); - extern int gr_sort (void); - - #endif -diff --git a/lib/pwio.c b/lib/pwio.c -index d63d15d..1ce005f 100644 ---- a/lib/pwio.c -+++ b/lib/pwio.c -@@ -114,6 +114,42 @@ static struct commonio_db passwd_db = { - false /* readonly */ - }; - -+static struct commonio_db usrlib_passwd_db = { -+ USRLIB_PASSWD_FILE, /* filename */ -+ &passwd_ops, /* ops */ -+ NULL, /* fp */ -+#ifdef WITH_SELINUX -+ NULL, /* scontext */ -+#endif -+ NULL, /* head */ -+ NULL, /* tail */ -+ NULL, /* cursor */ -+ false, /* changed */ -+ false, /* isopen */ -+ false, /* locked */ -+ false /* readonly */ -+}; -+ -+static struct 
commonio_db * -+get_db (int usrlib) -+{ -+ static int checked_usrlib; -+ static int have_usrlib; -+ -+ if (!usrlib) -+ return &passwd_db; -+ -+ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { -+ struct stat stbuf; -+ checked_usrlib = 1; -+ have_usrlib = lstat (usrlib_passwd_db.filename, &stbuf) == 0; -+ } -+ -+ if (have_usrlib) -+ return &usrlib_passwd_db; -+ return &passwd_db; -+} -+ - int pw_setdbname (const char *filename) - { - return commonio_setname (&passwd_db, filename); -@@ -124,9 +160,19 @@ int pw_setdbname (const char *filename) - return passwd_db.filename; - } - -+/*@observer@*/const char *pw_dbname_extended (int usrlib) -+{ -+ return get_db (usrlib)->filename; -+} -+ - int pw_lock (void) - { -- return commonio_lock (&passwd_db); -+ return pw_lock_extended (0); -+} -+ -+int pw_lock_extended (int usrlib) -+{ -+ return commonio_lock (get_db (usrlib)); - } - - int pw_open (int mode) -@@ -134,6 +180,11 @@ int pw_open (int mode) - return commonio_open (&passwd_db, mode); - } - -+int pw_open_extended (int usrlib, int mode) -+{ -+ return commonio_open (get_db (usrlib), mode); -+} -+ - /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name) - { - return commonio_locate (&passwd_db, name); -@@ -153,12 +204,22 @@ int pw_open (int mode) - - int pw_update (const struct passwd *pw) - { -- return commonio_update (&passwd_db, (const void *) pw); -+ return pw_update_extended (0, pw); -+} -+ -+int pw_update_extended (int usrlib, const struct passwd *pw) -+{ -+ return commonio_update (get_db (usrlib), (const void *) pw); - } - - int pw_remove (const char *name) - { -- return commonio_remove (&passwd_db, name); -+ return pw_remove_extended (0, name); -+} -+ -+int pw_remove_extended (int usrlib, const char *name) -+{ -+ return commonio_remove (get_db (usrlib), name); - } - - int pw_rewind (void) -@@ -173,12 +234,22 @@ int pw_rewind (void) - - int pw_close (void) - { -- return commonio_close (&passwd_db); -+ return pw_close_extended (0); -+} -+ 
-+int pw_close_extended (int usrlib) -+{ -+ return commonio_close (get_db (usrlib)); - } - - int pw_unlock (void) - { -- return commonio_unlock (&passwd_db); -+ return pw_unlock_extended (0); -+} -+ -+int pw_unlock_extended (int usrlib) -+{ -+ return commonio_unlock (get_db (usrlib)); - } - - /*@null@*/struct commonio_entry *__pw_get_head (void) -diff --git a/lib/pwio.h b/lib/pwio.h -index 0ee961d..ca73361 100644 ---- a/lib/pwio.h -+++ b/lib/pwio.h -@@ -39,17 +39,24 @@ - #include - - extern int pw_close (void); -+extern int pw_close_extended (int usrlib); - extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name); - extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate_uid (uid_t uid); - extern int pw_lock (void); -+extern int pw_lock_extended (int usrlib); - extern int pw_setdbname (const char *filename); - extern /*@observer@*/const char *pw_dbname (void); -+extern /*@observer@*/const char *pw_dbname_extended (int rflg); - extern /*@observer@*/ /*@null@*/const struct passwd *pw_next (void); - extern int pw_open (int mode); -+extern int pw_open_extended (int usrlib, int mode); - extern int pw_remove (const char *name); -+extern int pw_remove_extended (int usrlib, const char *name); - extern int pw_rewind (void); - extern int pw_unlock (void); -+extern int pw_unlock_extended (int usrlib); - extern int pw_update (const struct passwd *pw); -+extern int pw_update_extended (int usrlib, const struct passwd *pw); - extern int pw_sort (void); - - #endif -diff --git a/libmisc/cleanup_group.c b/libmisc/cleanup_group.c -index d07adc7..cbfc2c6 100644 ---- a/libmisc/cleanup_group.c -+++ b/libmisc/cleanup_group.c -@@ -202,7 +202,7 @@ void cleanup_report_del_group_gshadow (void *group_name) - */ - void cleanup_unlock_group (unused void *arg) - { -- if (gr_unlock () == 0) { -+ if (gr_unlock_extended ((intptr_t)arg) == 0) { - fprintf (stderr, - _("%s: failed to unlock %s\n"), - Prog, gr_dbname ()); -diff --git a/src/groupadd.c b/src/groupadd.c 
-index 84ff55e..f6079aa 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -206,10 +206,10 @@ static void grp_update (void) - /* - * Write out the new group file entry. - */ -- if (gr_update (&grp) == 0) { -+ if (gr_update_extended (rflg, &grp) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, gr_dbname (), grp.gr_name); -+ Prog, gr_dbname_extended (rflg), grp.gr_name); - exit (E_GRP_UPDATE); - } - #ifdef SHADOWGRP -@@ -256,10 +256,10 @@ static void check_new_name (void) - static void close_files (void) - { - /* First, write the changes in the regular group database */ -- if (gr_close () == 0) { -+ if (gr_close_extended (rflg) == 0) { - fprintf (stderr, - _("%s: failure while writing changes to %s\n"), -- Prog, gr_dbname ()); -+ Prog, gr_dbname_extended (rflg)); - exit (E_GRP_UPDATE); - } - #ifdef WITH_AUDIT -@@ -269,10 +269,10 @@ static void close_files (void) - SHADOW_AUDIT_SUCCESS); - #endif - SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u", -- gr_dbname (), group_name, (unsigned int) group_id)); -+ gr_dbname_extended (rflg), group_name, (unsigned int) group_id)); - del_cleanup (cleanup_report_add_group_group); - -- cleanup_unlock_group (NULL); -+ cleanup_unlock_group ((void*)rflg); - del_cleanup (cleanup_unlock_group); - - /* Now, write the changes in the shadow database */ -@@ -319,13 +319,13 @@ static void close_files (void) - static void open_files (void) - { - /* First, lock the databases */ -- if (gr_lock () == 0) { -+ if (gr_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), -- Prog, gr_dbname ()); -+ Prog, gr_dbname_extended (rflg)); - exit (E_GRP_UPDATE); - } -- add_cleanup (cleanup_unlock_group, NULL); -+ add_cleanup (cleanup_unlock_group, (void*)rflg); - - #ifdef SHADOWGRP - if (is_shadow_grp) { -@@ -346,9 +346,9 @@ static void open_files (void) - add_cleanup (cleanup_report_add_group, group_name); - - /* And now open the databases */ -- if (gr_open 
(O_RDWR) == 0) { -- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); -+ if (gr_open_extended (rflg, O_RDWR) == 0) { -+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname_extended (rflg))); - exit (E_GRP_UPDATE); - } - -diff --git a/src/newusers.c b/src/newusers.c -index ac6f538..136926b 100644 ---- a/src/newusers.c -+++ b/src/newusers.c -@@ -380,7 +380,7 @@ static int add_user (const char *name, uid_t uid, gid_t gid) - pwent.pw_dir = ""; /* XXX warning: const */ - pwent.pw_shell = ""; /* XXX warning: const */ - -- return (pw_update (&pwent) == 0) ? -1 : 0; -+ return (pw_update_extended (rflg, &pwent) == 0) ? -1 : 0; - } - - #ifndef USE_PAM -@@ -714,7 +714,7 @@ static void open_files (void) - * modified, or new entries added. The password file is the key - if - * it gets locked, assume the others can be locked right away. - */ -- if (pw_lock () == 0) { -+ if (pw_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), - Prog, pw_dbname ()); -@@ -730,7 +730,7 @@ static void open_files (void) - } - spw_locked = true; - } -- if (gr_lock () == 0) { -+ if (gr_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), - Prog, gr_dbname ()); -@@ -749,7 +749,7 @@ static void open_files (void) - } - #endif - -- if (pw_open (O_RDWR) == 0) { -+ if (pw_open_extended (rflg, O_RDWR) == 0) { - fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); - fail_exit (EXIT_FAILURE); - } -@@ -757,7 +757,7 @@ static void open_files (void) - fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); - fail_exit (EXIT_FAILURE); - } -- if (gr_open (O_RDWR) == 0) { -+ if (gr_open_extended (rflg, O_RDWR) == 0) { - fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); - fail_exit (EXIT_FAILURE); - } -@@ -774,12 +774,12 @@ static void open_files 
(void) - */ - static void close_files (void) - { -- if (pw_close () == 0) { -+ if (pw_close_extended (rflg) == 0) { - fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); - SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); - fail_exit (EXIT_FAILURE); - } -- if (pw_unlock () == 0) { -+ if (pw_unlock_extended (rflg) == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); - /* continue */ -@@ -804,14 +804,14 @@ static void close_files (void) - spw_locked = false; - } - -- if (gr_close () == 0) { -+ if (gr_close_extended (rflg) == 0) { - fprintf (stderr, - _("%s: failure while writing changes to %s\n"), - Prog, gr_dbname ()); - SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); - fail_exit (EXIT_FAILURE); - } -- if (gr_unlock () == 0) { -+ if (gr_unlock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: failed to unlock %s\n"), - Prog, gr_dbname ()); -diff --git a/src/useradd.c b/src/useradd.c -index b686f14..78979ab 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -228,9 +228,9 @@ static void fail_exit (int code) - } - } - if (pw_locked) { -- if (pw_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); -+ if (pw_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking passwd file", -@@ -241,9 +241,9 @@ static void fail_exit (int code) - } - } - if (gr_locked) { -- if (gr_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); -+ if (gr_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), 
Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking group file", -@@ -847,7 +847,7 @@ static void grp_update (void) - fprintf (stderr, - _("%s: Out of memory. Cannot update %s.\n"), - Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); -+ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding user to group", -@@ -862,11 +862,11 @@ static void grp_update (void) - * update the group entry to reflect the change. - */ - ngrp->gr_mem = add_list (ngrp->gr_mem, user_name); -- if (gr_update (ngrp) == 0) { -+ if (gr_update_extended (rflg, ngrp) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, gr_dbname (), ngrp->gr_name); -- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); -+ Prog, gr_dbname_extended (rflg), ngrp->gr_name); -+ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding user to group", -@@ -1351,9 +1351,9 @@ static void process_flags (int argc, char **argv) - */ - static void close_files (void) - { -- if (pw_close () == 0) { -- fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); -- SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); -+ if (pw_close_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname_extended (rflg))); - fail_exit (E_PW_UPDATE); - } - if (is_shadow_pwd && (spw_close () == 0)) { -@@ -1363,10 +1363,10 @@ static void close_files (void) - fail_exit (E_PW_UPDATE); - } - if 
(do_grp_update) { -- if (gr_close () == 0) { -+ if (gr_close_extended (rflg) == 0) { - fprintf (stderr, -- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); -+ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname_extended (rflg))); - fail_exit (E_GRP_UPDATE); - } - #ifdef SHADOWGRP -@@ -1393,9 +1393,9 @@ static void close_files (void) - } - spw_locked = false; - } -- if (pw_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); -+ if (pw_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking passwd file", -@@ -1405,9 +1405,9 @@ static void close_files (void) - /* continue */ - } - pw_locked = false; -- if (gr_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); -+ if (gr_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking group file", -@@ -1442,15 +1442,15 @@ static void close_files (void) - */ - static void open_files (void) - { -- if (pw_lock () == 0) { -+ if (pw_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), -- Prog, pw_dbname ()); -+ Prog, pw_dbname_extended (rflg)); - exit (E_PW_UPDATE); - } - pw_locked = true; -- if (pw_open (O_RDWR) == 0) { -- fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); -+ if 
(pw_open_extended (rflg, O_RDWR) == 0) { -+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname_extended (rflg)); - fail_exit (E_PW_UPDATE); - } - -@@ -1459,15 +1459,15 @@ static void open_files (void) - /* - * Lock and open the group file. - */ -- if (gr_lock () == 0) { -+ if (gr_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), -- Prog, gr_dbname ()); -+ Prog, gr_dbname_extended (rflg)); - fail_exit (E_GRP_UPDATE); - } - gr_locked = true; -- if (gr_open (O_RDWR) == 0) { -- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -+ if (gr_open_extended (rflg, O_RDWR) == 0) { -+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); - fail_exit (E_GRP_UPDATE); - } - #ifdef SHADOWGRP -@@ -1578,10 +1578,10 @@ static void grp_add (void) - /* - * Write out the new group file entry. - */ -- if (gr_update (&grp) == 0) { -+ if (gr_update_extended (rflg, &grp) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, gr_dbname (), grp.gr_name); -+ Prog, gr_dbname_extended (rflg), grp.gr_name); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_GROUP, Prog, - "adding group", -@@ -1711,10 +1711,10 @@ static void usr_update (void) - /* - * Put the new (struct passwd) in the table. - */ -- if (pw_update (&pwent) == 0) { -+ if (pw_update_extended (rflg, &pwent) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, pw_dbname (), pwent.pw_name); -+ Prog, pw_dbname_extended (rflg), pwent.pw_name); - fail_exit (E_PW_UPDATE); - } - --- -1.8.3.1 - diff --git a/shadow-utils.spec b/shadow-utils.spec index 729c255..bab180f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 14%{?dist} +Release: 15%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -25,9 +25,6 @@ Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-group-alloc.patch -# This is needed for Fedora Atomic project and might be dropped if less -# hackish way to create system users and groups is designed. -Patch19: shadow-4.1.5.1-usr-lib.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -74,7 +71,6 @@ are used for managing group accounts. %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .group-alloc -%patch19 -p1 -b .usr-lib iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -228,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jul 14 2014 Tomas Mraz - 2:4.1.5.1-15 +- revert the last change as it is not really needed + * Thu Jul 10 2014 Tomas Mraz - 2:4.1.5.1-14 - put system users and groups into /usr/lib/{passwd,group} if the files exist and SHADOW_USE_USRLIB environment variable is set From 1e95b5b47956cb3a09a51920b0eb60d7c5de3bfd Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 08:55:45 -0400 Subject: [PATCH 13/64] fix license handling --- gpl-2.0.txt | 339 ++++++++++++++++++++++++++++++++++++++++++++++ shadow-bsd.txt | 32 +++++ shadow-utils.spec | 9 ++ 3 files changed, 380 insertions(+) create mode 100644 gpl-2.0.txt create mode 100644 shadow-bsd.txt diff --git a/gpl-2.0.txt b/gpl-2.0.txt new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/gpl-2.0.txt 
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/shadow-bsd.txt b/shadow-bsd.txt new file mode 100644 index 0000000..a2c1609 --- /dev/null +++ b/shadow-bsd.txt @@ -0,0 +1,32 @@ +/* + * Copyright (c) 1990 - 1994, Julianne Frances Haugh + * Copyright (c) 1996 - 2000, Marek Michałkiewicz + * Copyright (c) 2000 - 2006, Tomasz Kłoczko + * Copyright (c) 2007 - 2011, Nicolas François + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the copyright holders or contributors may not be used to + * endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + diff --git a/shadow-utils.spec b/shadow-utils.spec index bab180f..fce3bd3 100644 --- a/shadow-utils.spec 
+++ b/shadow-utils.spec
@@ -8,6 +8,8 @@ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
 Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2.sig
 Source1: shadow-utils.login.defs
 Source2: shadow-utils.useradd
+Source3: shadow-bsd.txt
+Source4: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch0: shadow-4.1.5-redhat.patch
 Patch1: shadow-4.1.5.1-goodname.patch
 Patch2: shadow-4.1.5.1-info-parent-dir.patch
@@ -75,6 +77,8 @@ are used for managing group accounts.
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
+cp -a %{SOURCE3} %{SOURCE4}
+
 #rm po/*.gmo
 #rm po/stamp-po
 #aclocal
@@ -186,6 +190,8 @@ rm -rf $RPM_BUILD_ROOT
 %files -f shadow.lang
 %defattr(-,root,root)
 %doc NEWS doc/HOWTO README
+%{!?_licensedir:%global license %%doc}
+%license gpl-2.0.txt shadow-bsd.txt
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
 %{_bindir}/sg
@@ -224,6 +230,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Tue Aug 5 2014 Tom Callaway - 2:4.1.5.1-16
+- fix license handling
+
 * Mon Jul 14 2014 Tomas Mraz - 2:4.1.5.1-15
 - revert the last change as it is not really needed
From 5ac7a63576eeb7c6e05eaf37d15d9b2e7f8ed45a Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 08:57:03 -0400 Subject: [PATCH 14/64] fix license handling
---
 shadow-utils.spec | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index fce3bd3..f536ff6 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
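Review bot: The added `Source3: shadow-bsd.txt` reuses a tag that the context line two above already binds to the tarball signature, and `cp -a %{SOURCE3} %{SOURCE4}` has no destination operand, so with two file arguments cp copies the first over the second instead of placing either license file in the build directory where the new `%license gpl-2.0.txt shadow-bsd.txt` line expects them. Whether rpmbuild rejects a duplicate SourceN or silently keeps one of the two, the %prep copy cannot produce what the changelog entry describes. The two commits that follow in this series (PATCH 14/64 and 16/64) renumber the tags and add the destination; folding them into this commit would keep it buildable on its own: `Source4: shadow-bsd.txt`, `Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt`, `cp -a %{SOURCE4} %{SOURCE5} .`.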
@@ -8,8 +8,8 @@ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
 Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2.sig
 Source1: shadow-utils.login.defs
 Source2: shadow-utils.useradd
-Source3: shadow-bsd.txt
-Source4: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+Source4: shadow-bsd.txt
+Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch0: shadow-4.1.5-redhat.patch
 Patch1: shadow-4.1.5.1-goodname.patch
 Patch2: shadow-4.1.5.1-info-parent-dir.patch
@@ -77,7 +77,7 @@ are used for managing group accounts.
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
-cp -a %{SOURCE3} %{SOURCE4}
+cp -a %{SOURCE4} %{SOURCE5}
 #rm po/*.gmo
 #rm po/stamp-po
From 9120a44c3f50d85dc6f2ffe1a7c5046f758b706f Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 08:57:58 -0400 Subject: [PATCH 15/64] fix license handling
---
 shadow-utils.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index f536ff6..8b00f66 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 15%{?dist}
+Release: 16%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
From 972907741deb9f6f02a7e8c3ddffad976fc1539b Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 10:56:28 -0400 Subject: [PATCH 16/64] fix license handling
---
 shadow-utils.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 8b00f66..07548d6 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -77,7 +77,7 @@ are used for managing group accounts.
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
-cp -a %{SOURCE4} %{SOURCE5}
+cp -a %{SOURCE4} %{SOURCE5} .
 #rm po/*.gmo
 #rm po/stamp-po
From 183c8697037ecc82934fff0e1e9ce2d5886e9476 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 18 Aug 2014 02:08:56 +0000 Subject: [PATCH 17/64] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
---
 shadow-utils.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 07548d6..98a549b 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
@@ -230,6 +230,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Mon Aug 18 2014 Fedora Release Engineering - 2:4.1.5.1-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
 * Tue Aug 5 2014 Tom Callaway - 2:4.1.5.1-16
 - fix license handling
From 4c1ef1cd215d36e73ea9eb4e5acd826e50c8b8a5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz Date: Fri, 29 Aug 2014 14:28:48 +0200 Subject: [PATCH 18/64] Multiple fixes - label the newly created home dir correctly (#1077809) - mention that chage -d 0 forces password change (#1135010) - improve date parsing and error detecting in chage - avoid full group database scanning in newgrp in most common case - report error if usermod asked for moving homedir and it does not exist --- shadow-4.1.5.1-date-parsing.patch | 138 ++++++++++++++++++++++++++++++ shadow-4.1.5.1-ingroup.patch | 63 ++++++++++++++ shadow-4.1.5.1-manfix.patch | 85 ++++++++++++++++-- shadow-4.1.5.1-move-home.patch | 15 ++++ shadow-4.1.5.1-selinux.patch | 69 ++++++++++++++- shadow-utils.spec | 15 +++- 6 files changed, 375 insertions(+), 10 deletions(-) create mode 100644 shadow-4.1.5.1-date-parsing.patch create mode 100644 shadow-4.1.5.1-ingroup.patch create mode 100644 shadow-4.1.5.1-move-home.patch diff --git a/shadow-4.1.5.1-date-parsing.patch b/shadow-4.1.5.1-date-parsing.patch new file mode 100644 index 0000000..38ec091 --- /dev/null +++ b/shadow-4.1.5.1-date-parsing.patch 
@@ -0,0 +1,138 @@ +diff -up shadow-4.1.5.1/libmisc/getdate.c.date-parsing shadow-4.1.5.1/libmisc/getdate.c +--- shadow-4.1.5.1/libmisc/getdate.c.date-parsing 2008-06-14 00:07:51.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/getdate.c 2014-08-29 13:41:22.553267506 +0200 +@@ -261,6 +261,7 @@ static int yyHaveDay; + static int yyHaveRel; + static int yyHaveTime; + static int yyHaveZone; ++static int yyHaveYear; + static int yyTimezone; + static int yyDay; + static int yyHour; +@@ -1730,6 +1731,7 @@ yyreduce: + yyDay = (yyvsp[(3) - (5)].Number); + yyYear = (yyvsp[(5) - (5)].Number); + } ++ yyHaveYear++; + } + break; + +@@ -1740,6 +1742,7 @@ yyreduce: + yyYear = (yyvsp[(1) - (3)].Number); + yyMonth = -(yyvsp[(2) - (3)].Number); + yyDay = -(yyvsp[(3) - (3)].Number); ++ yyHaveYear++; + } + break; + +@@ -1750,6 +1753,7 @@ yyreduce: + yyDay = (yyvsp[(1) - (3)].Number); + yyMonth = (yyvsp[(2) - (3)].Number); + yyYear = -(yyvsp[(3) - (3)].Number); ++ yyHaveYear++; + } + break; + +@@ -1767,6 +1771,7 @@ yyreduce: + yyMonth = (yyvsp[(1) - (4)].Number); + yyDay = (yyvsp[(2) - (4)].Number); + yyYear = (yyvsp[(4) - (4)].Number); ++ yyHaveYear++; + } + break; + +@@ -1784,6 +1789,7 @@ yyreduce: + yyMonth = (yyvsp[(2) - (3)].Number); + yyDay = (yyvsp[(1) - (3)].Number); + yyYear = (yyvsp[(3) - (3)].Number); ++ yyHaveYear++; + } + break; + +@@ -1928,7 +1934,8 @@ yyreduce: + case 49: + #line 397 "getdate.y" + { +- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) ++ if ((yyHaveTime != 0 || (yyvsp[(1) - (1)].Number) >= 100) && !yyHaveYear ++ && (yyHaveDate != 0) && (yyHaveRel == 0)) + yyYear = (yyvsp[(1) - (1)].Number); + else + { +@@ -2556,7 +2563,7 @@ yylex (void) + return LookupWord (buff); + } + if (c != '(') +- return *yyInput++; ++ return (unsigned char)*yyInput++; + Count = 0; + do + { +diff -up shadow-4.1.5.1/libmisc/getdate.y.date-parsing shadow-4.1.5.1/libmisc/getdate.y +--- shadow-4.1.5.1/libmisc/getdate.y.date-parsing 2008-05-26 10:57:51.000000000 +0200 ++++ 
shadow-4.1.5.1/libmisc/getdate.y 2014-08-29 13:40:37.502229879 +0200 +@@ -152,6 +152,7 @@ static int yyHaveDay; + static int yyHaveRel; + static int yyHaveTime; + static int yyHaveZone; ++static int yyHaveYear; + static int yyTimezone; + static int yyDay; + static int yyHour; +@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER { + yyDay = $3; + yyYear = $5; + } ++ yyHaveYear++; + } + | tUNUMBER tSNUMBER tSNUMBER { + /* ISO 8601 format. yyyy-mm-dd. */ + yyYear = $1; + yyMonth = -$2; + yyDay = -$3; ++ yyHaveYear++; + } + | tUNUMBER tMONTH tSNUMBER { + /* e.g. 17-JUN-1992. */ + yyDay = $1; + yyMonth = $2; + yyYear = -$3; ++ yyHaveYear++; + } + | tMONTH tUNUMBER { + yyMonth = $1; +@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $1; + yyDay = $2; + yyYear = $4; ++ yyHaveYear++; + } + | tUNUMBER tMONTH { + yyMonth = $2; +@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $2; + yyDay = $1; + yyYear = $3; ++ yyHaveYear++; + } + ; + +@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT { + + number : tUNUMBER + { +- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) ++ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear ++ && (yyHaveDate != 0) && (yyHaveRel == 0)) + yyYear = $1; + else + { +@@ -802,7 +809,7 @@ yylex (void) + return LookupWord (buff); + } + if (c != '(') +- return *yyInput++; ++ return (unsigned char)*yyInput++; + Count = 0; + do + { diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch new file mode 100644 index 0000000..e440431 --- /dev/null +++ b/shadow-4.1.5.1-ingroup.patch 
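Review bot: `yyHaveYear` is added as a file-static counter and bumped in five date productions, but no hunk in this 138-line patch ever zeroes it, while get_date() in getdate.y resets the other yyHave* counters (yyHaveDate, yyHaveTime, yyHaveZone, ...) before each yyparse() call — that reset block is not in the patch, so this is inferred from how the existing flags are handled. Once any call has set a year, `!yyHaveYear` in the `number : tUNUMBER` rule stays false for every later get_date() in the same process, so a program that parses two dates (chage given both -d and -E, for instance) would treat a trailing number in the second argument differently from the first. Add `yyHaveYear = 0;` beside `yyHaveZone = 0;` in get_date(), and mirror it in the pre-generated getdate.c, which this patch edits in parallel. The `(unsigned char)` cast on `*yyInput++` in yylex() is a correct fix: with a signed `char`, a high-bit input byte was returned as a negative token value.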
@@ -0,0 +1,63 @@ +diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1/src/newgrp.c.ingroup 2014-08-29 13:31:38.000000000 +0200 ++++ shadow-4.1.5.1/src/newgrp.c 2014-08-29 14:04:57.183849650 +0200 +@@ -83,15 +83,29 @@ static void usage (void) + } + } + ++static bool ingroup(const char *name, struct group *gr) ++{ ++ char **look; ++ bool notfound = true; ++ ++ look = gr->gr_mem; ++ while (*look && notfound) ++ notfound = strcmp (*look++, name); ++ ++ return !notfound; ++} ++ + /* +- * find_matching_group - search all groups of a given group id for ++ * find_matching_group - search all groups of a gr's group id for + * membership of a given username ++ * but check gr itself first + */ +-static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid) ++static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr) + { +- struct group *gr; +- char **look; +- bool notfound = true; ++ gid_t gid = gr->gr_gid; ++ ++ if (ingroup(name, gr)) ++ return gr; + + setgrent (); + while ((gr = getgrent ()) != NULL) { +@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc + * A group with matching GID was found. + * Test for membership of 'name'. + */ +- look = gr->gr_mem; +- while ((NULL != *look) && notfound) { +- notfound = (strcmp (*look, name) != 0); +- look++; +- } +- if (!notfound) { ++ if (ingroup(name, gr)) + break; +- } + } + endgrent (); + return gr; +@@ -616,7 +624,7 @@ int main (int argc, char **argv) + * groups of the same GID like the requested group for + * membership of the current user. + */ +- grp = find_matching_group (name, grp->gr_gid); ++ grp = find_matching_group (name, grp); + if (NULL == grp) { + /* + * No matching group found. As we already know that diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch index 00b792f..2963c98 100644 --- a/shadow-4.1.5.1-manfix.patch +++ b/shadow-4.1.5.1-manfix.patch 
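Review bot: The new `ingroup()` helper drops the defensive form of the loop it replaces: the `while` body is unbraced, the loop condition carries a side effect (`*look++`), and `notfound` is a bool assigned the raw int result of strcmp(), which reads as though it held a comparison outcome. A membership test over a NUL-terminated `char **` is what libmisc's `is_on_list()` already provides, so if newgrp.c sees that prototype the body can become `return is_on_list (gr->gr_mem, name);`, and the parameter can be `const struct group *gr` since the group is only read. The rewritten comment above find_matching_group() reads awkwardly; `search all groups sharing gr's GID for membership of the given user name, checking gr itself first` says the same thing. The caller in main() continues outside the hunk.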
@@ -1,6 +1,19 @@ +diff -up shadow-4.1.5.1/man/chage.1.xml.manfix shadow-4.1.5.1/man/chage.1.xml +--- shadow-4.1.5.1/man/chage.1.xml.manfix 2012-05-25 13:45:27.000000000 +0200 ++++ shadow-4.1.5.1/man/chage.1.xml 2014-08-29 13:36:57.713167654 +0200 +@@ -102,6 +102,9 @@ + Set the number of days since January 1st, 1970 when the password + was last changed. The date may also be expressed in the format + YYYY-MM-DD (or the format more commonly used in your area). ++ If the LAST_DAY is set to ++ 0 the user is forced to change his password ++ on the next log on. + + + diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml --- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/login.defs.5.xml 2014-02-12 11:18:36.126334872 +0100 ++++ shadow-4.1.5.1/man/login.defs.5.xml 2014-08-29 13:31:38.364812323 +0200 @@ -160,6 +160,17 @@ long numeric parameters is machine-dependent. 
@@ -19,9 +32,25 @@ diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.def The following configuration items are provided: +diff -up shadow-4.1.5.1/man/man1/chage.1.manfix shadow-4.1.5.1/man/man1/chage.1 +--- shadow-4.1.5.1/man/man1/chage.1.manfix 2012-05-25 13:58:18.000000000 +0200 ++++ shadow-4.1.5.1/man/man1/chage.1 2014-08-29 13:36:31.303559366 +0200 +@@ -45,7 +45,11 @@ command are: + .PP + \fB\-d\fR, \fB\-\-lastday\fR \fILAST_DAY\fR + .RS 4 +-Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. ++Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. If the ++\fILAST_DAY\fR ++is set to ++\fB0\fR ++the user is forced to change his password on the next log on\&. + .RE + .PP + \fB\-E\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/login.defs.5 --- shadow-4.1.5.1/man/man5/login.defs.5.manfix 2012-05-25 13:59:03.000000000 +0200 -+++ shadow-4.1.5.1/man/man5/login.defs.5 2014-02-12 11:26:27.159851843 +0100 ++++ shadow-4.1.5.1/man/man5/login.defs.5 2014-08-29 13:31:38.364812323 +0200 @@ -46,6 +46,14 @@ value\&. Numbers (both regular and long) \fI0\fR) or hexadecimal values (precede the value with \fI0x\fR)\&. The maximum value of the regular and long numeric parameters is machine\-dependent\&. 
@@ -141,8 +170,8 @@ diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/log .RS 4 CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 ---- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-11-27 10:25:34.740049650 +0100 -+++ shadow-4.1.5.1/man/man8/useradd.8 2013-11-27 10:25:34.758050045 +0100 +--- shadow-4.1.5.1/man/man8/useradd.8.manfix 2014-08-29 13:31:38.347811932 +0200 ++++ shadow-4.1.5.1/man/man8/useradd.8 2014-08-29 13:31:38.364812323 +0200 @@ -85,7 +85,7 @@ by default\&. Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. .RE 
@@ -167,9 +196,30 @@ diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/userad .RS 4 Do not create the user\*(Aqs home directory, even if the system wide setting from /etc/login\&.defs +diff -up shadow-4.1.5.1/man/man8/usermod.8.manfix shadow-4.1.5.1/man/man8/usermod.8 +--- shadow-4.1.5.1/man/man8/usermod.8.manfix 2012-05-25 13:59:33.000000000 +0200 ++++ shadow-4.1.5.1/man/man8/usermod.8 2014-08-29 13:35:27.343086211 +0200 +@@ -63,7 +63,7 @@ The user\*(Aqs new login directory\&. + .sp + If the + \fB\-m\fR +-option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. ++option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. If the current home directory does not exist the new home directory will not be created\&. + .RE + .PP + \fB\-e\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR +@@ -143,7 +143,7 @@ Move the content of the user\*(Aqs home + This option is only valid in combination with the + \fB\-d\fR + (or +-\fB\-\-home\fR) option\&. ++\fB\-\-home\fR) option\&. If the current home directory does not exist the new home directory will not be created\&. + .sp + + \fBusermod\fR diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-11-27 10:25:34.740049650 +0100 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-11-27 10:25:34.759050067 +0100 +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2014-08-29 13:31:38.347811932 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2014-08-29 13:31:38.364812323 +0200 @@ -161,7 +161,7 @@ 
@@ -197,3 +247,26 @@ diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xm +diff -up shadow-4.1.5.1/man/usermod.8.xml.manfix shadow-4.1.5.1/man/usermod.8.xml +--- shadow-4.1.5.1/man/usermod.8.xml.manfix 2012-05-25 13:45:29.000000000 +0200 ++++ shadow-4.1.5.1/man/usermod.8.xml 2014-08-29 13:33:40.814632618 +0200 +@@ -132,7 +132,8 @@ + If the + option is given, the contents of the current home directory will + be moved to the new home directory, which is created if it does +- not already exist. ++ not already exist. If the current home directory does not exist ++ the new home directory will not be created. + + + +@@ -261,7 +262,8 @@ + + + Move the content of the user's home directory to the new +- location. ++ location. If the current home directory does not exist ++ the new home directory will not be created. + + + This option is only valid in combination with the diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch new file mode 100644 index 0000000..c87e232 --- /dev/null +++ b/shadow-4.1.5.1-move-home.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c +--- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 ++++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 +@@ -1571,6 +1571,11 @@ static void move_home (void) + Prog, user_home, user_newhome); + fail_exit (E_HOMEDIR); + } ++ } else { ++ fprintf (stderr, ++ _("%s: The previous home directory (%s) does " ++ "not exist or is inaccessible. Move cannot be completed.\n"), ++ Prog, user_home); + } + } + diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch index 773fd60..adedf0f 100644 --- a/shadow-4.1.5.1-selinux.patch +++ b/shadow-4.1.5.1-selinux.patch 
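Review bot: The new `else` branch in `move_home()` (the move-home patch in this hunk) prints "Move cannot be completed." but then falls through, so `usermod` continues and its exit status does not reflect the skipped move, whereas the sibling failure path just above calls `fail_exit (E_HOMEDIR)`; the start of `move_home()` and the condition selecting this branch are outside the hunk. If continuing is intended — the man page text added in the same commit says the new home directory is simply not created — state it in a comment such as `/* Non-fatal: the directory is neither moved nor created, the rest of the update proceeds */`; otherwise call `fail_exit (E_HOMEDIR)` so scripts can detect the condition from the exit code rather than by parsing stderr.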
@@ -1,7 +1,41 @@ diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.selinux 2012-09-19 18:28:37.662060468 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2012-09-19 18:28:37.672060688 +0200 -@@ -2040,7 +2040,7 @@ int main (int argc, char **argv) +--- shadow-4.1.5.1/src/useradd.c.selinux 2014-08-28 16:36:09.889422103 +0200 ++++ shadow-4.1.5.1/src/useradd.c 2014-08-28 17:28:04.828166192 +0200 +@@ -1850,6 +1850,7 @@ static void create_mail (void) + */ + int main (int argc, char **argv) + { ++ int rv = E_SUCCESS; + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + pam_handle_t *pamh = NULL; +@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) + + usr_update (); + ++ close_files (); ++ ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ ++#ifdef WITH_SELINUX ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ if (set_seuser (user_name, user_selinux) != 0) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_USER, Prog, ++ "adding SELinux user mapping", ++ user_name, (unsigned int) user_id, 0); ++#endif /* WITH_AUDIT */ ++ rv = E_SE_UPDATE; ++ } ++ } ++ } ++#endif ++ if (mflg) { create_home (); if (home_added) { 
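Review bot: The relocated SELinux block in `main()` passes a bare `0` as the last argument of `audit_logger (AUDIT_ADD_USER, ...)`, where the parameter is a `shadow_audit_result`; use the named value `SHADOW_AUDIT_FAILURE` so the record's meaning is visible at the call site. The behaviour also changes: the old code (removed in the next hunk) aborted with `fail_exit (E_SE_UPDATE)` before any home directory was created, while the new code prints a "warning", remembers `rv = E_SE_UPDATE` and still goes on to `create_home ()` and the mail spool, so a mapping failure now yields a fully created account with a non-zero exit status at the end. That trade-off should be documented where the block now sits, for instance `/* Set the SELinux user mapping before create_home() so the new directory is labelled for that user; a failure is reported via the exit status (E_SE_UPDATE) but no longer aborts the account creation */`, which matches the changelog entry about labelling the home directory correctly. `main()` begins in the first inner hunk but the remainder of its body is outside this hunk.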
@@ -10,3 +44,32 @@ diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c (uid_t)-1, user_id, (gid_t)-1, user_gid); } else { fprintf (stderr, +@@ -2056,27 +2080,6 @@ int main (int argc, char **argv) + create_mail (); + } + +- close_files (); +- +-#ifdef WITH_SELINUX +- if (Zflg) { +- if (set_seuser (user_name, user_selinux) != 0) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding SELinux user mapping", +- user_name, (unsigned int) user_id, 0); +-#endif /* WITH_AUDIT */ +- fail_exit (E_SE_UPDATE); +- } +- } +-#endif /* WITH_SELINUX */ +- +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); +- +- return E_SUCCESS; ++ return rv; + } + diff --git a/shadow-utils.spec b/shadow-utils.spec index 98a549b..a546b6d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 17%{?dist} +Release: 18%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -27,6 +27,9 @@ Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-group-alloc.patch +Patch19: shadow-4.1.5.1-date-parsing.patch +Patch20: shadow-4.1.5.1-ingroup.patch +Patch21: shadow-4.1.5.1-move-home.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -73,6 +76,9 @@ are used for managing group accounts. %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .group-alloc +%patch19 -p1 -b .date-parsing +%patch20 -p1 -b .ingroup +%patch21 -p1 -b .move-home iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
@@ -230,6 +236,13 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Aug 29 2014 Tomas Mraz - 2:4.1.5.1-18 +- label the newly created home dir correctly (#1077809) +- mention that chage -d 0 forces password change (#1135010) +- improve date parsing and error detecting in chage +- avoid full group database scanning in newgrp in most common case +- report error if usermod asked for moving homedir and it does not exist + * Mon Aug 18 2014 Fedora Release Engineering - 2:4.1.5.1-17 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild From d29b2a8defd58dfbc0015704d97432db33fcd201 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 9 Sep 2014 17:39:08 +0200 Subject: [PATCH 19/64] disallow all-numeric user and group names (#1139318) --- shadow-4.1.5.1-goodname.patch | 30 +++++++++++++++++++++++------- shadow-utils.spec | 5 ++++- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.1.5.1-goodname.patch index 1fdd84f..06c0de6 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.1.5.1-goodname.patch @@ -1,9 +1,12 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c --- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/chkname.c 2012-09-19 18:43:53.492160653 +0200 -@@ -49,20 +49,28 @@ ++++ shadow-4.1.5.1/libmisc/chkname.c 2014-09-09 17:35:17.207303124 +0200 +@@ -47,27 +47,42 @@ + #include "chkname.h" + static bool is_valid_name (const char *name) - { +-{ ++{ /* - * User/group names must match [a-z_][a-z0-9_-]*[$] - */ @@ -14,7 +17,11 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + * + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" ++ * ++ * Also do not allow fully numeric names. + */ ++ int numeric; ++ + if ( ('\0' == *name) || + !((*name >= 'a' && *name <= 'z') || + (*name >= 'A' && *name <= 'Z') || 
@@ -24,6 +31,8 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam return false; } ++ numeric = isdigit(*name); ++ while ('\0' != *++name) { - if (!(( ('a' <= *name) && ('z' >= *name) ) || - ( ('0' <= *name) && ('9' >= *name) ) || @@ -39,10 +48,17 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + )) { return false; } ++ numeric &= isdigit(*name); } + +- return true; ++ return !numeric; + } + + bool is_valid_user_name (const char *name) diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml --- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/groupadd.8.xml 2012-09-19 18:43:53.492160653 +0200 ++++ shadow-4.1.5.1/man/groupadd.8.xml 2014-09-09 17:28:46.330300342 +0200 @@ -259,12 +259,6 @@ CAVEATS @@ -58,7 +74,7 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd. diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/groupadd.8 --- shadow-4.1.5.1/man/man8/groupadd.8.goodname 2012-05-25 13:58:40.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/groupadd.8 2012-09-19 18:44:42.175123079 +0200 ++++ shadow-4.1.5.1/man/man8/groupadd.8 2014-09-09 17:28:46.330300342 +0200 @@ -190,9 +190,7 @@ Shadow password suite configuration\&. .RE .SH "CAVEATS" @@ -72,7 +88,7 @@ diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/gro .PP diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/useradd.8 --- shadow-4.1.5.1/man/man8/useradd.8.goodname 2012-05-25 13:59:28.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/useradd.8 2012-09-19 18:46:09.249033949 +0200 ++++ shadow-4.1.5.1/man/man8/useradd.8 2014-09-09 17:28:46.330300342 +0200 @@ -224,7 +224,7 @@ is not enabled, no home directories are .PP \fB\-M\fR 
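Review bot: `numeric &= isdigit(*name);` in `is_valid_name()` combines successive `isdigit()` results with a bitwise AND, but the standard only guarantees a nonzero return for a digit, not the same nonzero value on every call, so a conforming libc could leave `numeric` zero for an all-digit name and accept it (glibc returns a fixed class bit, which is why this works there). Use the logical form, `numeric = numeric && isdigit((unsigned char) *name);`, and `numeric = isdigit((unsigned char) *name) != 0;` for the initial assignment in the hunk above; the `unsigned char` cast is the usual `<ctype.h>` precaution even though the preceding range checks appear to confine `*name` to ASCII here. Declaring `numeric` as `bool` (the function already returns `bool`) would make the intent clearer; that declaration is in the previous hunk and the function's opening condition is split between the two.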
@@ -93,7 +109,7 @@ diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/user .PP diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml --- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2012-09-19 18:43:53.493160675 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 @@ -366,7 +366,7 @@ diff --git a/shadow-utils.spec b/shadow-utils.spec index a546b6d..97923b7 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 18%{?dist} +Release: 19%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -236,6 +236,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Sep 9 2014 Tomas Mraz - 2:4.1.5.1-19 +- disallow all-numeric user and group names (#1139318) + * Fri Aug 29 2014 Tomas Mraz - 2:4.1.5.1-18 - label the newly created home dir correctly (#1077809) - mention that chage -d 0 forces password change (#1135010) From af13db915f24164d6326927f9b7a3a50599f6079 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 10 Sep 2014 10:28:53 +0200 Subject: [PATCH 20/64] discard obsolete matchpathcon cache after semanage_commit() --- shadow-4.1.5.1-selinux.patch | 28 ++++++++++++++++++++++++++-- shadow-utils.spec | 5 ++++- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch index adedf0f..4ac32d2 100644 --- a/shadow-4.1.5.1-selinux.patch +++ b/shadow-4.1.5.1-selinux.patch 
@@ -1,6 +1,30 @@ +diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c +--- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100 ++++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200 +@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, + + ret = 0; + ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_seuser_key_free (key); + semanage_handle_destroy (handle); +@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) + } + + ret = 0; ++ ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_handle_destroy (handle); + return ret; diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.selinux 2014-08-28 16:36:09.889422103 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2014-08-28 17:28:04.828166192 +0200 +--- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200 ++++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200 @@ -1850,6 +1850,7 @@ static void create_mail (void) */ int main (int argc, char **argv) diff --git a/shadow-utils.spec b/shadow-utils.spec index 97923b7..e3d6b90 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 19%{?dist} +Release: 20%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -236,6 +236,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Sep 10 2014 Tomas Mraz - 2:4.1.5.1-20 +- discard obsolete matchpathcon cache after semanage_commit() + * Tue Sep 9 2014 Tomas Mraz - 2:4.1.5.1-19 - disallow all-numeric user and group names (#1139318) From e1ce821d4521d7ede777a6cd51f4cbcfeb1b5d9a Mon Sep 17 00:00:00 2001 
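Review bot: The two new `matchpathcon_fini();` calls in `set_seuser()` and `del_seuser()` carry a comment that says the cache is obsolete but not why, which is the part a maintainer needs; suggest `/* The semanage commit above may have changed the file-context configuration; drop the matchpathcon cache so later label lookups in this process see the new mappings */` (the commit call itself is outside both inner hunks, so the placement after `ret = 0` is inferred to be the success path). The cache is deliberately left untouched on the error paths that jump to `done:`, which is consistent. `matchpathcon_fini()` is declared in libselinux's `<selinux/selinux.h>`; confirm lib/semanage.c already includes it, as the include block is not part of this hunk.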
From: Tomas Mraz Date: Fri, 17 Oct 2014 17:03:29 +0200 Subject: [PATCH 21/64] update auditing to cover more events and fix some incorrect audit records (auditing patch by Steve Grubb (#1151580)) - apply the same new allocation algorithm to uids as for gids --- shadow-4.1.5.1-audit-update.patch | 2250 +++++++++++++++++ ...loc.patch => shadow-4.1.5.1-id-alloc.patch | 625 ++++- shadow-utils.spec | 13 +- 3 files changed, 2861 insertions(+), 27 deletions(-) create mode 100644 shadow-4.1.5.1-audit-update.patch rename shadow-4.1.5.1-group-alloc.patch => shadow-4.1.5.1-id-alloc.patch (52%) diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.1.5.1-audit-update.patch new file mode 100644 index 0000000..c25db61 --- /dev/null +++ b/shadow-4.1.5.1-audit-update.patch 
@@ -0,0 +1,2250 @@ +diff -urp shadow-4.1.5.1.orig/lib/prototypes.h shadow-4.1.5.1/lib/prototypes.h +--- shadow-4.1.5.1.orig/lib/prototypes.h 2014-09-13 15:45:54.953829562 -0400 ++++ shadow-4.1.5.1/lib/prototypes.h 2014-10-14 08:39:23.785884075 -0400 +@@ -195,12 +195,21 @@ extern int audit_fd; + extern void audit_help_open (void); + /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ + #define AUDIT_NO_ID ((unsigned int) -1) ++#ifndef AUDIT_GRP_MGMT ++#define AUDIT_GRP_MGMT 1132 /* Group account was modified */ ++#endif ++#ifndef AUDIT_GRP_CHAUTHTOK ++#define AUDIT_GRP_CHAUTHTOK 1133 /* Group account password was changed */ ++#endif + typedef enum { + SHADOW_AUDIT_FAILURE = 0, + SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result; + extern void audit_logger (int type, const char *pgname, const char *op, + const char *name, unsigned int id, + shadow_audit_result result); ++void audit_logger_with_group (int type, unused const char *pgname, ++ const char *op, const char *name, unsigned int id, ++ const char *grp, shadow_audit_result result); + void audit_logger_message (const char *message, shadow_audit_result result); + #endif + +diff -urp shadow-4.1.5.1.orig/libmisc/audit_help.c shadow-4.1.5.1/libmisc/audit_help.c +--- shadow-4.1.5.1.orig/libmisc/audit_help.c 2010-08-21 07:41:28.000000000 -0400 ++++ shadow-4.1.5.1/libmisc/audit_help.c 2014-10-14 08:39:23.785884075 -0400 +@@ -68,7 +68,7 @@ void audit_help_open (void) + * This function will log a message to the audit system using a predefined + * message format. Parameter usage is as follows: + * +- * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account ++ * type - type of message: AUDIT_USER_MGMT for changing any account + * attributes. + * pgname - program's name + * op - operation. 
"adding user", "changing finger info", "deleting group" +@@ -88,6 +88,39 @@ void audit_logger (int type, unused cons + } + } + ++/* ++ * This function will log a message to the audit system using a predefined ++ * message format. Parameter usage is as follows: ++ * ++ * type - type of message: AUDIT_USER_MGMT for changing any account ++ * attributes. ++ * pgname - program's name ++ * op - operation. "adding user", "changing finger info", "deleting group" ++ * name - user's account or group name. If not available use NULL. ++ * id - uid or gid that the operation is being performed on. This is used ++ * only when user is NULL. ++ * grp - group name associated with event ++ */ ++void audit_logger_with_group (int type, unused const char *pgname, ++ const char *op, const char *name, unsigned int id, ++ const char *grp, shadow_audit_result result) ++{ ++ int len; ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1], buf[1024]; ++ if (audit_fd < 0) { ++ return; ++ } ++ len = strnlen(grp, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(grp, len)) { ++ snprintf(buf, sizeof(buf), "%s grp=%s", op, ++ audit_encode_value(enc_group, grp, len)); ++ } else { ++ snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp); ++ } ++ audit_log_acct_message (audit_fd, type, NULL, buf, name, id, ++ NULL, NULL, NULL, (int) result); ++} ++ + void audit_logger_message (const char *message, shadow_audit_result result) + { + if (audit_fd < 0) { +diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_group.c shadow-4.1.5.1/libmisc/cleanup_group.c +--- shadow-4.1.5.1.orig/libmisc/cleanup_group.c 2008-12-23 17:45:18.000000000 -0500 ++++ shadow-4.1.5.1/libmisc/cleanup_group.c 2014-10-14 09:00:33.594753105 -0400 +@@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle + gr_dbname (), + info->action)); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info->audit_msg, + info->name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); +@@ -101,7 +101,7 @@ void 
cleanup_report_mod_gshadow (void *c + sgr_dbname (), + info->action)); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info->audit_msg, + info->name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); +@@ -122,7 +122,7 @@ void cleanup_report_add_group_group (voi + SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/group", ++ "adding-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -141,8 +141,8 @@ void cleanup_report_add_group_gshadow (v + + SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "adding-shadow-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -164,8 +164,8 @@ void cleanup_report_del_group_group (voi + "failed to remove group %s from %s", + name, gr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "removing group from /etc/group", ++ audit_logger (AUDIT_DEL_GROUP, Prog, ++ "removing-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -187,8 +187,8 @@ void cleanup_report_del_group_gshadow (v + "failed to remove group %s from %s", + name, sgr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "removing group from /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "removing-shadow-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -208,7 +208,7 @@ void cleanup_unlock_group (unused void * + Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking group file", ++ audit_logger_message ("unlocking-group", + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -228,7 +228,7 @@ void cleanup_unlock_gshadow (unused void + Prog, sgr_dbname ()); + SYSLOG ((LOG_ERR, "failed to 
unlock %s", sgr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking gshadow file", ++ audit_logger_message ("unlocking-gshadow", + SHADOW_AUDIT_FAILURE); + #endif + } +diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_user.c shadow-4.1.5.1/libmisc/cleanup_user.c +--- shadow-4.1.5.1.orig/libmisc/cleanup_user.c 2008-12-23 17:45:18.000000000 -0500 ++++ shadow-4.1.5.1/libmisc/cleanup_user.c 2014-10-14 09:01:51.878745031 -0400 +@@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl + pw_dbname (), + info->action)); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_USER_MGMT, Prog, + info->audit_msg, + info->name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); +@@ -86,7 +86,7 @@ void cleanup_report_add_user_passwd (voi + SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to /etc/passwd", ++ "adding-user", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -105,8 +105,8 @@ void cleanup_report_add_user_shadow (voi + + SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to /etc/shadow", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "adding-shadow-user", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -125,7 +125,7 @@ void cleanup_unlock_passwd (unused void + Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking passwd file", ++ audit_logger_message ("unlocking-passwd", + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -144,7 +144,7 @@ void cleanup_unlock_shadow (unused void + Prog, spw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking shadow file", ++ audit_logger_message ("unlocking-shadow", + SHADOW_AUDIT_FAILURE); + #endif + } +diff -urp shadow-4.1.5.1.orig/src/chage.c 
shadow-4.1.5.1/src/chage.c +--- shadow-4.1.5.1.orig/src/chage.c 2011-11-19 17:54:47.000000000 -0500 ++++ shadow-4.1.5.1/src/chage.c 2014-10-14 08:39:23.787884075 -0400 +@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int + + #ifdef WITH_AUDIT + if (E_SUCCESS != code) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change age", +- user_name, (unsigned int) user_uid, 0); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-age", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_FAILURE); + } + #endif + +@@ -873,11 +874,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: Permission denied.\n"), Prog); + fail_exit (E_NOPERM); + } +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "display aging info", +- user_name, (unsigned int) user_uid, 1); +-#endif ++ /* Displaying fields is not of interest to audit */ + list_fields (); + fail_exit (E_SUCCESS); + } +@@ -896,41 +893,43 @@ int main (int argc, char **argv) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change all aging information", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-all-aging-information", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + #endif + } else { + #ifdef WITH_AUDIT + if (Mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change max age", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-max-age", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + if (mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change min age", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-min-age", + user_name, (unsigned int) user_uid, 1); + } + if (dflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change last change date", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-last-change-date", + user_name, (unsigned int) user_uid, 1); + } + if (Wflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, 
Prog, +- "change passwd warning", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-warning", + user_name, (unsigned int) user_uid, 1); + } + if (Iflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change inactive days", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-inactive-days", + user_name, (unsigned int) user_uid, 1); + } + if (Eflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd expiration", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-expiration", + user_name, (unsigned int) user_uid, 1); + } + #endif +diff -urp shadow-4.1.5.1.orig/src/gpasswd.c shadow-4.1.5.1/src/gpasswd.c +--- shadow-4.1.5.1.orig/src/gpasswd.c 2014-09-13 15:45:54.989829559 -0400 ++++ shadow-4.1.5.1/src/gpasswd.c 2014-10-14 08:43:07.393861012 -0400 +@@ -137,7 +137,7 @@ static void usage (int status) + (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -Q, --root CHROOT_DIR directory to chroot into\n"), usageout); +- (void) fputs (_(" -r, --remove-password remove the GROUP's password\n"), usageout); ++ (void) fputs (_(" -r, --delete-password remove the GROUP's password\n"), usageout); + (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); + (void) fputs (_(" -M, --members USER,... 
set the list of members of GROUP\n"), usageout); + #ifdef SHADOWGRP +@@ -397,21 +397,14 @@ static void open_files (void) + + static void log_gpasswd_failure (const char *suffix) + { +-#ifdef WITH_AUDIT +- char buf[1024]; +-#endif + if (aflg) { + SYSLOG ((LOG_ERR, + "%s failed to add user %s to group %s%s", + myname, user, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to add user %s to group %s%s", +- myname, user, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (dflg) { +@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c + "%s failed to remove user %s from group %s%s", + myname, user, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to remove user %s from group %s%s", +- myname, user, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (rflg) { +@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c + "%s failed to remove password of group %s%s", + myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to remove password of group %s%s", +- myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "delete-group-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (Rflg) { +@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c + "%s failed to restrict access to group %s%s", + myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to restrict access to group %s%s", +- 
myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "restrict-group", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (Aflg || Mflg) { +@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c + "%s failed to set the administrators of group %s to %s%s", + myname, group, admins, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to set the administrators of group %s to %s%s", +- myname, group, admins, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "set-admins-of-group", ++ admins, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c + "%s failed to set the members of group %s to %s%s", + myname, group, members, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to set the members of group %s to %s%s", +- myname, group, members, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-users-to-group", ++ members, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c + "%s failed to change password of group %s%s", + myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to change password of group %s%s", +- myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow + + static void log_gpasswd_success (const char *suffix) + { +-#ifdef WITH_AUDIT +- 
char buf[1024]; +-#endif + if (aflg) { + SYSLOG ((LOG_INFO, + "user %s added by %s to group %s%s", + user, myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "user %s added by %s to group %s%s", +- user, myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } else if (dflg) { +@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c + "user %s removed by %s from group %s%s", + user, myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "user %s removed by %s from group %s%s", +- user, myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } else if (rflg) { +@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c + "password of group %s removed by %s%s", + group, myname, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "password of group %s removed by %s%s", +- group, myname, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "delete-group-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } else if (Rflg) { +@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c + "access to group %s restricted by %s%s", + group, myname, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "access to group %s restricted by %s%s", +- group, myname, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "restrict-group", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); 
+ #endif + } else if (Aflg || Mflg) { +@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c + "administrators of group %s set by %s to %s%s", + group, myname, admins, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "administrators of group %s set by %s to %s%s", +- group, myname, admins, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "set-admins-of-group", ++ admins, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } +@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c + "members of group %s set by %s to %s%s", + group, myname, members, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "members of group %s set by %s to %s%s", +- group, myname, members, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-users-to-group", ++ members, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } +@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c + "password of group %s changed by %s%s", + group, myname, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "password of group %s changed by %s%s", +- group, myname, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } +diff -urp shadow-4.1.5.1.orig/src/groupadd.c shadow-4.1.5.1/src/groupadd.c +--- shadow-4.1.5.1.orig/src/groupadd.c 2011-11-18 16:23:30.000000000 -0500 ++++ shadow-4.1.5.1/src/groupadd.c 2014-10-14 08:39:23.800884073 -0400 +@@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta + exit (status); + } + ++static void fail_exit(int status) ++{ ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_ADD_GROUP, Prog, "add-group", group_name, ++ AUDIT_NO_ID, 
SHADOW_AUDIT_FAILURE); ++#endif ++ exit (status); ++} ++ + /* + * new_grent - initialize the values in a group file entry + * +@@ -210,7 +219,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, gr_dbname (), grp.gr_name); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP + /* +@@ -220,7 +229,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, sgr_dbname (), sgrp.sg_name); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #endif /* SHADOWGRP */ + } +@@ -244,7 +253,7 @@ static void check_new_name (void) + fprintf (stderr, _("%s: '%s' is not a valid group name\n"), + Prog, group_name); + +- exit (E_BAD_ARG); ++ fail_exit (E_BAD_ARG); + } + + /* +@@ -260,11 +269,11 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/group", ++ "add-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -282,11 +291,11 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "add-shadow-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -300,12 +309,6 @@ static void close_files (void) + #endif /* SHADOWGRP */ + + /* Report success at the system level */ +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "", +- group_name, (unsigned int) group_id, +- SHADOW_AUDIT_SUCCESS); +-#endif + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", + group_name, (unsigned int) group_id)); + 
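Review bot: The new groupadd fail_exit passes `group_name` to audit_logger unconditionally, yet main now calls `fail_exit (1)` when the cleanup service cannot be set up, and the groupdel twin in this patch shows that call preceding `process_flags`; at that point group_name is presumably still unset, so either confirm audit_logger tolerates a NULL account name or guard the call with `if (NULL != group_name)`. The helper also lacks the `/*@noreturn@*/` annotation that `usage` directly above it carries, `static /*@noreturn@*/void fail_exit (int status)`, and a one-line header such as `/* Record the failed add-group attempt in the audit trail, then exit. */` would match the surrounding style. Note too that every failure here is typed AUDIT_ADD_GROUP, whereas the useradd fail_exit in this same patch picks AUDIT_USER_MGMT or AUDIT_ADD_USER by exit code; a short comment saying the single type is intentional would stop a reader from treating the difference as an oversight. The groupdel fail_exit added in the `@@ -100,6 +100,15 @@` hunk has the same three points.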
del_cleanup (cleanup_report_add_group); +@@ -323,7 +326,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_group, NULL); + +@@ -333,7 +336,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_gshadow, NULL); + } +@@ -349,7 +352,7 @@ static void open_files (void) + if (gr_open (O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef SHADOWGRP +@@ -359,7 +362,7 @@ static void open_files (void) + _("%s: cannot open %s\n"), + Prog, sgr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + } + #endif /* SHADOWGRP */ +@@ -489,7 +492,7 @@ static void check_flags (void) + fprintf (stderr, + _("%s: group '%s' already exists\n"), + Prog, group_name); +- exit (E_NAME_IN_USE); ++ fail_exit (E_NAME_IN_USE); + } + + if (gflg && (getgrgid (group_id) != NULL)) { +@@ -508,7 +511,7 @@ static void check_flags (void) + fprintf (stderr, + _("%s: GID '%lu' already exists\n"), + Prog, (unsigned long int) group_id); +- exit (E_GID_IN_USE); ++ fail_exit (E_GID_IN_USE); + } + } + } +@@ -536,7 +539,7 @@ static void check_perms (void) + fprintf (stderr, + _("%s: Cannot determine your user name.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); +@@ -556,7 +559,7 @@ static void check_perms (void) + if (NULL != pamh) { + (void) pam_end (pamh, retval); + } +- exit (1); ++ fail_exit (1); + } + (void) pam_end (pamh, retval); + #endif /* USE_PAM */ +@@ -588,7 +591,7 @@ int main (int argc, char **argv) + 
fprintf (stderr, + _("%s: Cannot setup cleanup service.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + /* +@@ -610,7 +613,7 @@ int main (int argc, char **argv) + + if (!gflg) { + if (find_new_gid (rflg, &group_id, NULL) < 0) { +- exit (E_GID_IN_USE); ++ fail_exit (E_GID_IN_USE); + } + } + +diff -urp shadow-4.1.5.1.orig/src/groupdel.c shadow-4.1.5.1/src/groupdel.c +--- shadow-4.1.5.1.orig/src/groupdel.c 2011-11-18 16:23:30.000000000 -0500 ++++ shadow-4.1.5.1/src/groupdel.c 2014-10-14 08:39:23.801884073 -0400 +@@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta + exit (status); + } + ++static void fail_exit(int status) ++{ ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_GRP_MGMT, Prog, "delete-group", group_name, ++ AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); ++#endif ++ exit (status); ++} ++ + /* + * grp_update - update group file entries + * +@@ -126,7 +135,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: cannot remove entry '%s' from %s\n"), + Prog, group_name, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef SHADOWGRP +@@ -138,7 +147,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: cannot remove entry '%s' from %s\n"), + Prog, group_name, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + } + #endif /* SHADOWGRP */ +@@ -157,12 +166,12 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_GROUP, Prog, +- "removing group from /etc/group", ++ "delete-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -182,12 +191,12 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "removing 
group from /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "delete-shadow-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -201,13 +210,6 @@ static void close_files (void) + } + #endif /* SHADOWGRP */ + +- /* Report success at the system level */ +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "", +- group_name, (unsigned int) group_id, +- SHADOW_AUDIT_SUCCESS); +-#endif + SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); + del_cleanup (cleanup_report_del_group); + } +@@ -224,7 +226,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_group, NULL); + #ifdef SHADOWGRP +@@ -233,7 +235,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_gshadow, NULL); + } +@@ -251,7 +253,7 @@ static void open_files (void) + _("%s: cannot open %s\n"), + Prog, gr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP + if (is_shadow_grp) { +@@ -260,7 +262,7 @@ static void open_files (void) + _("%s: cannot open %s\n"), + Prog, sgr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + } + #endif /* SHADOWGRP */ +@@ -301,7 +303,7 @@ static void group_busy (gid_t gid) + fprintf (stderr, + _("%s: cannot remove the primary group of user '%s'\n"), + Prog, pwd->pw_name); +- exit (E_GROUP_BUSY); ++ fail_exit (E_GROUP_BUSY); + } + + /* +@@ -379,7 +381,7 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: Cannot setup cleanup service.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + process_flags (argc, argv); +@@ -393,7 +395,7 @@ int main (int 
argc, char **argv) + fprintf (stderr, + _("%s: Cannot determine your user name.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); +@@ -414,7 +416,7 @@ int main (int argc, char **argv) + if (NULL != pamh) { + (void) pam_end (pamh, retval); + } +- exit (1); ++ fail_exit (1); + } + (void) pam_end (pamh, retval); + #endif /* USE_PAM */ +@@ -434,7 +436,7 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: group '%s' does not exist\n"), + Prog, group_name); +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + + group_id = grp->gr_gid; +@@ -458,7 +460,7 @@ int main (int argc, char **argv) + _("%s: %s is the NIS master\n"), + Prog, nis_master); + } +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif + +diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c +--- shadow-4.1.5.1.orig/src/groupmod.c 2011-11-18 16:23:30.000000000 -0500 ++++ shadow-4.1.5.1/src/groupmod.c 2014-10-14 08:49:28.517821702 -0400 +@@ -438,7 +438,7 @@ static void close_files (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info_group.audit_msg, + group_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); +@@ -461,7 +461,7 @@ static void close_files (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info_gshadow.audit_msg, + group_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); +@@ -484,7 +484,7 @@ static void close_files (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info_passwd.audit_msg, + group_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); +@@ -499,8 +499,8 @@ static void close_files (void) + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, +- "modifying group", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "modify-group", + group_name, 
AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -512,6 +512,8 @@ static void close_files (void) + */ + static void prepare_failure_reports (void) + { ++ char *nv_pair, nv[64]; ++ + info_group.name = group_name; + #ifdef SHADOWGRP + info_gshadow.name = group_name; +@@ -524,76 +526,106 @@ static void prepare_failure_reports (voi + #endif + info_passwd.audit_msg = xmalloc (512); + +- (void) snprintf (info_group.audit_msg, 511, +- "changing %s; ", gr_dbname ()); ++ info_group.action = xmalloc (512); + #ifdef SHADOWGRP +- (void) snprintf (info_gshadow.audit_msg, 511, +- "changing %s; ", sgr_dbname ()); ++ info_gshadow.action = xmalloc (512); + #endif +- (void) snprintf (info_passwd.audit_msg, 511, +- "changing %s; ", pw_dbname ()); ++ info_passwd.action = xmalloc (512); + +- info_group.action = info_group.audit_msg +- + strlen (info_group.audit_msg); ++ (void) snprintf (info_group.audit_msg, 511, ++ "changing-group"); + #ifdef SHADOWGRP +- info_gshadow.action = info_gshadow.audit_msg +- + strlen (info_gshadow.audit_msg); ++ (void) snprintf (info_gshadow.audit_msg, 511, ++ "changing-shadow-group"); + #endif +- info_passwd.action = info_passwd.audit_msg +- + strlen (info_passwd.audit_msg); ++ (void) snprintf (info_passwd.audit_msg, 511, ++ "changing-group-passwd"); + ++ nv_pair = audit_encode_nv_string(" grp", group_name, ++ strlen(group_name)); ++ if(nv_pair) { ++ strncat(info_group.audit_msg, nv_pair, ++ 511 - strlen(info_group.audit_msg)); ++#ifdef SHADOWGRP ++ strncat(info_gshadow.audit_msg, nv_pair, ++ 511 - strlen(info_gshadow.audit_msg)); ++#endif ++ strncat(info_passwd.audit_msg, nv_pair, ++ 511 - strlen(info_passwd.audit_msg)); ++ free(nv_pair); ++ } ++ snprintf(nv, sizeof(nv), " gid=%lu", group_id); ++ strncat(info_group.audit_msg, nv, 511 - strlen(info_group.audit_msg)); ++ strncat(info_passwd.audit_msg, nv, 511 - strlen(info_passwd.audit_msg)); ++ + (void) snprintf (info_group.action, +- 511 - strlen (info_group.audit_msg), ++ 511, + "group %s/%lu", + 
group_name, (unsigned long int) group_id); + #ifdef SHADOWGRP + (void) snprintf (info_gshadow.action, +- 511 - strlen (info_group.audit_msg), ++ 511, + "group %s", group_name); + #endif + (void) snprintf (info_passwd.action, +- 511 - strlen (info_group.audit_msg), ++ 511, + "group %s/%lu", + group_name, (unsigned long int) group_id); + + if (nflg) { ++ nv_pair = audit_encode_nv_string(" new_group", group_newname, ++ strlen(group_newname)); ++ strncat(info_group.audit_msg, nv_pair, ++ 511 - strlen(info_group.audit_msg)); + strncat (info_group.action, ", new name: ", +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + strncat (info_group.action, group_newname, +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + + #ifdef SHADOWGRP ++ strncat(info_gshadow.audit_msg, nv_pair, ++ 511 - strlen(info_gshadow.audit_msg)); + strncat (info_gshadow.action, ", new name: ", +- 511 - strlen (info_gshadow.audit_msg)); ++ 511 - strlen (info_gshadow.action)); + strncat (info_gshadow.action, group_newname, +- 511 - strlen (info_gshadow.audit_msg)); ++ 511 - strlen (info_gshadow.action)); + #endif + ++ strncat(info_passwd.audit_msg, nv_pair, ++ 511 - strlen(info_passwd.audit_msg)); + strncat (info_passwd.action, ", new name: ", +- 511 - strlen (info_passwd.audit_msg)); ++ 511 - strlen (info_passwd.action)); + strncat (info_passwd.action, group_newname, +- 511 - strlen (info_passwd.audit_msg)); ++ 511 - strlen (info_passwd.action)); ++ free(nv_pair); + } + if (pflg) { ++ /* Note: audit doesn't want this value recorded */ + strncat (info_group.action, ", new password", +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + + #ifdef SHADOWGRP + strncat (info_gshadow.action, ", new password", +- 511 - strlen (info_gshadow.audit_msg)); ++ 511 - strlen (info_gshadow.action)); + #endif + } + if (gflg) { ++ snprintf(nv, sizeof(nv), " new_gid=%lu", group_newid); ++ strncat(info_group.audit_msg, nv, ++ 511 - 
strlen(info_group.audit_msg)); ++ strncat(info_passwd.audit_msg, nv, ++ 511 - strlen(info_passwd.audit_msg)); ++ + strncat (info_group.action, ", new gid: ", +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + (void) snprintf (info_group.action+strlen (info_group.action), +- 511 - strlen (info_group.audit_msg), ++ 511 - strlen (info_group.action), + "%lu", (unsigned long int) group_newid); + + strncat (info_passwd.action, ", new gid: ", +- 511 - strlen (info_passwd.audit_msg)); ++ 511 - strlen (info_passwd.action)); + (void) snprintf (info_passwd.action+strlen (info_passwd.action), +- 511 - strlen (info_passwd.audit_msg), ++ 511 - strlen (info_passwd.action), + "%lu", (unsigned long int) group_newid); + } + info_group.audit_msg[511] = '\0'; +@@ -601,6 +633,11 @@ static void prepare_failure_reports (voi + info_gshadow.audit_msg[511] = '\0'; + #endif + info_passwd.audit_msg[511] = '\0'; ++ info_group.action[511] = '\0'; ++#ifdef SHADOWGRP ++ info_gshadow.action[511] = '\0'; ++#endif ++ info_passwd.action[511] = '\0'; + + // FIXME: add a system cleanup + add_cleanup (cleanup_report_mod_group, &info_group); +diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1.orig/src/newgrp.c 2014-09-13 15:45:55.010829557 -0400 ++++ shadow-4.1.5.1/src/newgrp.c 2014-10-14 08:39:23.802884073 -0400 +@@ -197,11 +197,12 @@ static void check_perms (const struct gr + strcmp (cpasswd, grp->gr_passwd) != 0) { + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "authentication new-gid=%lu", ++ "authentication new_gid=%lu", + (unsigned long) grp->gr_gid); + audit_logger (AUDIT_GRP_AUTH, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + #endif + SYSLOG ((LOG_INFO, + "Invalid password for group '%s' from '%s'", +@@ -212,11 +213,12 @@ static void check_perms (const struct gr + } + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- 
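Review bot: The `nflg` block of prepare_failure_reports passes `nv_pair` straight to strncat, while the `" grp"` encoding a few lines earlier checks `if(nv_pair)` first; audit_encode_nv_string allocates its result and returns NULL on failure, so the new-name path dereferences NULL exactly when the process is already short of memory. Wrap the three strncat calls and the `free(nv_pair)` in the same `if (nv_pair)` guard the first site uses. Separately, `snprintf(nv, sizeof(nv), " gid=%lu", group_id);` and the `" new_gid=%lu"` line in the `gflg` block pass gid_t values without the `(unsigned long int)` cast that the rest of this function applies to the same variables; a format/argument type mismatch is undefined behaviour, so cast both.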
"authentication new-gid=%lu", ++ "authentication new_gid=%lu", + (unsigned long) grp->gr_gid); + audit_logger (AUDIT_GRP_AUTH, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 1); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_SUCCESS); + #endif + } + +@@ -227,19 +229,6 @@ failure: + * harm. -- JWP + */ + closelog (); +-#ifdef WITH_AUDIT +- if (groupname) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", groupname); +- audit_logger (AUDIT_CHGRP_ID, Prog, +- audit_buf, NULL, +- (unsigned int) getuid (), 0); +- } else { +- audit_logger (AUDIT_CHGRP_ID, Prog, +- "changing", NULL, +- (unsigned int) getuid (), 0); +- } +-#endif + exit (EXIT_FAILURE); + } + +@@ -308,15 +297,27 @@ static void syslog_sg (const char *name, + is_newgrp ? "newgrp" : "sg", strerror (errno)); + #ifdef WITH_AUDIT + if (group) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", group); ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1]; ++ int len = strnlen(group, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(group, len)) { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", ++ audit_encode_value(enc_group, ++ group, len)); ++ } else { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=\"%s\"", ++ group); ++ } + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } else { + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } + #endif + exit (EXIT_FAILURE); +@@ -442,7 +443,7 @@ int main (int argc, char **argv) + #ifdef WITH_AUDIT + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", + (unsigned long) getuid ())); +@@ -558,15 +559,26 @@ int main (int 
argc, char **argv) + perror ("getgroups"); + #ifdef WITH_AUDIT + if (group) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", group); ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1]; ++ int len = strnlen(group, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(group, len)) { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", ++ audit_encode_value(enc_group, ++ group, len)); ++ } else { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=\"%s\"", group); ++ } + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } else { + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } + #endif + exit (EXIT_FAILURE); +@@ -707,10 +719,10 @@ int main (int argc, char **argv) + perror ("setgid"); + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "changing new-gid=%lu", (unsigned long) gid); ++ "changing new_gid=%lu", (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + exit (EXIT_FAILURE); + } +@@ -719,10 +731,10 @@ int main (int argc, char **argv) + perror ("setuid"); + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "changing new-gid=%lu", (unsigned long) gid); ++ "changing new_gid=%lu", (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + exit (EXIT_FAILURE); + } +@@ -736,10 +748,10 @@ int main (int argc, char **argv) + execl (SHELL, "sh", "-c", command, (char *) 0); + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "changing new-gid=%lu", (unsigned long) gid); ++ "changing new_gid=%lu", (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + 
audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + perror (SHELL); + exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); +@@ -803,11 +815,11 @@ int main (int argc, char **argv) + } + + #ifdef WITH_AUDIT +- snprintf (audit_buf, sizeof(audit_buf), "changing new-gid=%lu", ++ snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%lu", + (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 1); ++ (unsigned int) getuid (), SHADOW_AUDIT_SUCCESS); + #endif + /* + * Exec the login shell and go away. We are trying to get back to +@@ -831,15 +843,24 @@ int main (int argc, char **argv) + closelog (); + #ifdef WITH_AUDIT + if (NULL != group) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", group); ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1]; ++ int len = strnlen(group, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(group, len)) { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", ++ audit_encode_value(enc_group, ++ group, len)); ++ } else { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=\"%s\"", group); ++ } + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + } else { + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + } + #endif + exit (EXIT_FAILURE); +diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1.orig/src/useradd.c 2014-09-13 15:45:54.957829561 -0400 ++++ shadow-4.1.5.1/src/useradd.c 2014-10-14 08:52:53.066800605 -0400 +@@ -205,6 +205,8 @@ static void create_mail (void); + */ + static void fail_exit (int code) + { ++ int type; ++ + if (home_added) { + if (rmdir (user_home) != 0) { + fprintf (stderr, +@@ -218,12 +220,6 @@ static void fail_exit (int 
code) + if (spw_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking shadow file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -231,12 +227,6 @@ static void fail_exit (int code) + if (pw_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking passwd file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -244,12 +234,6 @@ static void fail_exit (int code) + if (gr_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking group file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -258,20 +242,19 @@ static void fail_exit (int code) + if (sgr_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking gshadow file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", ++ if (code == E_PW_UPDATE || code >= E_GRP_UPDATE) ++ type = AUDIT_USER_MGMT; ++ else ++ type = AUDIT_ADD_USER; ++ ++ audit_logger (type, Prog, ++ "add-user", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -578,7 +561,7 @@ static int set_defaults (void) + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_USYS_CONFIG, Prog, +- "changing useradd defaults", ++ "changing-useradd-defaults", + 
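Review bot: The `int type;` added to useradd's fail_exit in the `@@ -205,6 +205,8 @@` hunk is assigned and read only inside the `#ifdef WITH_AUDIT` block at the end of this hunk, so a build without WITH_AUDIT gets an unused-variable warning; declare it inside that block instead. The selection `if (code == E_PW_UPDATE || code >= E_GRP_UPDATE)` relies on the numeric ordering of the E_* exit codes, which the hunk does not show and a later reader cannot check at a glance, so a comment stating the intent — e.g. `/* failures after the account databases were touched are USER_MGMT; argument and lookup failures stay ADD_USER */`, adjusted to what the codes really mean — would make the heuristic reviewable. The function begins in the earlier hunk and its `exit` lies outside this one.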
NULL, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -848,12 +831,6 @@ static void grp_update (void) + _("%s: Out of memory. Cannot update %s.\n"), + Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_GRP_UPDATE); /* XXX */ + } + +@@ -867,18 +844,12 @@ static void grp_update (void) + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, gr_dbname (), ngrp->gr_name); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user_name, AUDIT_NO_ID, ngrp->gr_name, + SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, +@@ -923,12 +894,6 @@ static void grp_update (void) + _("%s: Out of memory. 
Cannot update %s.\n"), + Prog, sgr_dbname ()); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to shadow group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_GRP_UPDATE); /* XXX */ + } + +@@ -942,18 +907,13 @@ static void grp_update (void) + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, sgr_dbname (), nsgrp->sg_name); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to shadow group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif ++ + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to shadow group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-to-shadow-group", ++ user_name, AUDIT_NO_ID, nsgrp->sg_name, + SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, +@@ -1296,7 +1256,7 @@ static void process_flags (int argc, cha + Prog, user_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", ++ "add-user", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1385,7 +1345,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking shadow file", ++ "unlocking-shadow-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1398,7 +1358,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking passwd file", ++ "unlocking-passwd-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1410,7 +1370,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); + #ifdef 
WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking group file", ++ "unlocking-group-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1424,7 +1384,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking gshadow file", ++ "unlocking-gshadow-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1584,7 +1544,7 @@ static void grp_add (void) + Prog, gr_dbname (), grp.gr_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group", ++ "add-group", + grp.gr_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1600,7 +1560,7 @@ static void grp_add (void) + Prog, sgr_dbname (), sgrp.sg_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group", ++ "add-group", + grp.gr_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1610,7 +1570,7 @@ static void grp_add (void) + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group", ++ "add-group", + grp.gr_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -1725,17 +1685,11 @@ static void usr_update (void) + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, spw_dbname (), spent.sp_namp); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding shadow password", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_PW_UPDATE); + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", ++ "add-user", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -1771,12 +1725,6 @@ static void create_home (void) + fprintf (stderr, + _("%s: cannot create directory %s\n"), + Prog, user_home); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding home directory", +- user_name, (unsigned int) user_id, 
+- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_HOMEDIR); + } + chown (user_home, user_id, user_gid); +@@ -1784,8 +1732,8 @@ static void create_home (void) + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); + home_added = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "add-home-dir", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -1951,12 +1899,6 @@ int main (int argc, char **argv) + */ + if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ + fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_NAME_IN_USE); + } + +@@ -1972,12 +1914,6 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), + Prog, user_name); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_NAME_IN_USE); + } + } +@@ -2007,12 +1943,6 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: UID %lu is not unique\n"), + Prog, (unsigned long) user_id); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_UID_IN_USE); + } + } +@@ -2057,9 +1987,10 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding SELinux user mapping", +- user_name, (unsigned int) user_id, 0); ++ audit_logger (AUDIT_ROLE_ASSIGN, Prog, ++ "add-selinux-user-mapping", ++ user_name, (unsigned int) user_id, ++ SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ + rv = 
E_SE_UPDATE; + } +diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c +--- shadow-4.1.5.1.orig/src/userdel.c 2014-09-13 15:45:55.001829558 -0400 ++++ shadow-4.1.5.1/src/userdel.c 2014-10-14 08:44:52.714850149 -0400 +@@ -201,9 +201,9 @@ static void update_groups (void) + * Update the DBM group file with the new entry as well. + */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user from group", +- user_name, (unsigned int) user_id, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "deleting-user-from-group", ++ user_name, (unsigned int) user_id, ngrp->gr_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", +@@ -263,9 +263,9 @@ static void update_groups (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user from shadow group", +- user_name, (unsigned int) user_id, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "deleting-user-from-shadow-group", ++ user_name, (unsigned int) user_id, nsgrp->sg_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", +@@ -342,9 +342,9 @@ static void remove_usergroup (void) + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "deleting group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_DEL_GROUP, Prog, ++ "delete-group", ++ user_name, AUDIT_NO_ID, user_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, +@@ -360,9 +360,9 @@ static void remove_usergroup (void) + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "deleting shadow group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "delete-shadow-group", ++ user_name, AUDIT_NO_ID, user_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, +@@ -478,7 +478,7 @@ static void fail_exit (int code) + + #ifdef 
WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user", ++ "delete-user", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -498,24 +498,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, pw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + pw_locked = true; + if (pw_open (O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), Prog, pw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + if (is_shadow_pwd) { +@@ -523,12 +511,6 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, spw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking shadow password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + spw_locked = true; +@@ -536,12 +518,6 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot open %s\n"), + Prog, spw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening shadow password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + } +@@ -549,23 +525,11 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + gr_locked = true; + if (gr_open (O_RDWR) == 0) { + 
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -574,24 +538,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sgr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking shadow group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + sgr_locked= true; + if (sgr_open (O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), + Prog, sgr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening shadow group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + } +@@ -622,7 +574,7 @@ static void update_user (void) + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user entries", ++ "delete-user", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ +@@ -716,7 +668,7 @@ static int remove_mailbox (void) + SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -732,7 +684,7 @@ static int remove_mailbox (void) + SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -742,8 +694,8 @@ static int remove_mailbox (void) + #ifdef WITH_AUDIT + else + { +- audit_logger (AUDIT_DEL_USER, 
Prog, +- "deleting mail file", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + } +@@ -760,7 +712,7 @@ static int remove_mailbox (void) + mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -775,7 +727,7 @@ static int remove_mailbox (void) + SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -785,8 +737,8 @@ static int remove_mailbox (void) + #ifdef WITH_AUDIT + else + { +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + } +@@ -980,7 +932,7 @@ int main (int argc, char **argv) + Prog, user_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user not found", ++ "deleting-user-not-found", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1024,7 +976,7 @@ int main (int argc, char **argv) + if (!fflg) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user logged in", ++ "deleting-user-logged-in", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1101,8 +1053,8 @@ int main (int argc, char **argv) + #ifdef WITH_AUDIT + else + { +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "deleting-home-directory", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + } +@@ -1111,7 +1063,7 @@ int main (int argc, char **argv) + #ifdef WITH_AUDIT + if (0 != errors) { + audit_logger (AUDIT_DEL_USER, 
Prog, +- "deleting home directory", ++ "deleting-home-directory", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + } +@@ -1124,8 +1076,8 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "removing SELinux user mapping", ++ audit_logger (AUDIT_ROLE_REMOVE, Prog, ++ "delete-selinux-user-mapping", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c +--- shadow-4.1.5.1.orig/src/usermod.c 2014-09-13 15:45:55.013829557 -0400 ++++ shadow-4.1.5.1/src/usermod.c 2014-10-14 08:50:05.817817855 -0400 +@@ -352,8 +352,8 @@ static char *new_pw_passwd (char *pw_pas + + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "updating passwd", +- user_newname, (unsigned int) user_newid, 0); ++ "updating-password", ++ user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); + strcpy (buf, "!"); +@@ -372,8 +372,8 @@ static char *new_pw_passwd (char *pw_pas + + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "updating password", +- user_newname, (unsigned int) user_newid, 0); ++ "updating-password", ++ user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); + s = pw_pass; +@@ -384,7 +384,7 @@ static char *new_pw_passwd (char *pw_pas + } else if (pflg) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing password", ++ "updating-password", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); +@@ -413,8 +413,8 @@ static void new_pwent (struct passwd *pw + fail_exit (E_NAME_IN_USE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing name", ++ audit_logger 
(AUDIT_USER_MGMT, Prog, ++ "changing-name", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -434,8 +434,8 @@ static void new_pwent (struct passwd *pw + + if (uflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing uid", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-uid", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -445,8 +445,8 @@ static void new_pwent (struct passwd *pw + } + if (gflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing primary group", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-primary-group", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -456,8 +456,8 @@ static void new_pwent (struct passwd *pw + } + if (cflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing comment", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-comment", + user_newname, (unsigned int) user_newid, 1); + #endif + pwent->pw_gecos = user_newcomment; +@@ -465,8 +465,8 @@ static void new_pwent (struct passwd *pw + + if (dflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-home-dir", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -476,8 +476,8 @@ static void new_pwent (struct passwd *pw + } + if (sflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing user shell", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-shell", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -507,8 +507,8 @@ static void new_spent (struct spwd *spen + + if (fflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing inactive days", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-inactive-days", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG 
((LOG_INFO, +@@ -524,8 +524,8 @@ static void new_spent (struct spwd *spen + date_to_str (old_exp, sizeof(old_exp), + user_expire * DAY); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing expiration date", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-expiration-date", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -592,9 +592,9 @@ static /*@noreturn@*/void fail_exit (int + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "modifying account", +- user_name, AUDIT_NO_ID, 0); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "modify-account", ++ user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); + #endif + exit (code); + } +@@ -648,9 +648,12 @@ static void update_group (void) + user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing group member", +- user_newname, AUDIT_NO_ID, 1); ++ audit_logger_with_group ( ++ AUDIT_USER_MGMT, Prog, ++ "update-member-in-group", ++ user_newname, AUDIT_NO_ID, ++ ngrp->gr_name, ++ SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, + "change '%s' to '%s' in group '%s'", +@@ -664,9 +667,11 @@ static void update_group (void) + ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "removing group member", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user_name, AUDIT_NO_ID, ++ ngrp->gr_name, ++ SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, + "delete '%s' from group '%s'", +@@ -679,9 +684,11 @@ static void update_group (void) + ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user_name, AUDIT_NO_ID, ++ ngrp->gr_name, ++ 
SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, "add '%s' to group '%s'", + user_newname, ngrp->gr_name)); +@@ -756,9 +763,10 @@ static void update_gshadow (void) + nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing admin name in shadow group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "update-admin-name-in-group", ++ user_name, AUDIT_NO_ID, nsgrp->sg_name, ++ SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, + "change admin '%s' to '%s' in shadow group '%s'", +@@ -778,9 +786,10 @@ static void update_gshadow (void) + user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing member in shadow group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "update-member-in-group", ++ user_name, AUDIT_NO_ID, ++ nsgrp->sg_name, 1); + #endif + SYSLOG ((LOG_INFO, + "change '%s' to '%s' in shadow group '%s'", +@@ -794,9 +803,10 @@ static void update_gshadow (void) + nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "removing user from shadow group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user_name, AUDIT_NO_ID, ++ nsgrp->sg_name, 1); + #endif + SYSLOG ((LOG_INFO, + "delete '%s' from shadow group '%s'", +@@ -809,9 +819,10 @@ static void update_gshadow (void) + nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "adding user to shadow group", +- user_newname, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user_newname, AUDIT_NO_ID, ++ nsgrp->sg_name, 1); + #endif + SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", + user_newname, nsgrp->sg_name)); 
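Review bot: The three audit_logger_with_group() calls added in update_gshadow (the hunks at -778, -794 and -809) pass a bare `1` as the result argument, while the sibling calls in the -756 hunk of the same function and in every update_group hunk pass `SHADOW_AUDIT_SUCCESS`. Mixing the literal and the named constant for the same field invites a later copy-paste of `1` into a failure path, and the new audit_logger_with_group() signature makes the positional meaning even less obvious. I would change each of the three to `nsgrp->sg_name, SHADOW_AUDIT_SUCCESS);`, matching the -756 hunk. update_gshadow starts and ends outside these hunks.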
+@@ -1515,8 +1526,8 @@ static void move_home (void) + + #ifdef WITH_AUDIT + if (uflg || gflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing home directory owner", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-home-dir-owner", + user_newname, (unsigned int) user_newid, 1); + } + #endif +@@ -1534,8 +1545,8 @@ static void move_home (void) + fail_exit (E_HOMEDIR); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "moving home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "moving-home-dir", + user_newname, (unsigned int) user_newid, + 1); + #endif +@@ -1554,9 +1565,9 @@ static void move_home (void) + Prog, user_home); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, ++ audit_logger (AUDIT_USER_MGMT, + Prog, +- "moving home directory", ++ "moving-home-dir", + user_newname, + (unsigned int) user_newid, + 1); +@@ -1760,8 +1771,8 @@ static void move_mailbox (void) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing mail file owner", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-mail-file-owner", + user_newname, (unsigned int) user_newid, 1); + } + #endif +@@ -1779,8 +1790,8 @@ static void move_mailbox (void) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing mail file name", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-mail-file-name", + user_newname, (unsigned int) user_newid, 1); + } + #endif +@@ -1910,8 +1921,8 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "modifying User mapping ", ++ audit_logger (AUDIT_ROLE_ASSIGN, Prog, ++ "changing-selinux-user-mapping ", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1923,8 +1934,8 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to SELinux 
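Review bot: The new operation string in the usermod main() hunk at -1910 keeps a trailing space, `"changing-selinux-user-mapping ",`, inherited from the old `"modifying User mapping "`. Every other renamed op in this patch is a bare hyphenated token, and audit consumers that match on the exact op value (ausearch filters, SIEM rules) will not match this one unless they also include the space. I would drop it: `"changing-selinux-user-mapping",`. The enclosing main() starts and ends outside the hunk.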
user mapping removal failed.\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "removing SELinux user mapping", ++ audit_logger (AUDIT_ROLE_REMOVE, Prog, ++ "delete-selinux-user-mapping", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1962,8 +1973,8 @@ int main (int argc, char **argv) + */ + #ifdef WITH_AUDIT + if (uflg || gflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing home directory owner", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-home-dir-owner", + user_newname, (unsigned int) user_newid, 1); + } + #endif diff --git a/shadow-4.1.5.1-group-alloc.patch b/shadow-4.1.5.1-id-alloc.patch similarity index 52% rename from shadow-4.1.5.1-group-alloc.patch rename to shadow-4.1.5.1-id-alloc.patch index 0ac336b..df6f89f 100644 --- a/shadow-4.1.5.1-group-alloc.patch +++ b/shadow-4.1.5.1-id-alloc.patch @@ -1,8 +1,3 @@ -From e551be23be24508ecf5c8afdf74fd69b88832ecd Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Mon, 9 Jun 2014 10:34:02 -0400 -Subject: [PATCH] Redesign automatic GID allocation - Previously, this allocation was optimized for an outdated deployment style (that of /etc/group alongside nss_db). The issue here is that this results in extremely poor performance when using 
@@ -44,14 +39,13 @@ we come to the first unused GID. We then select that and return it. If we make it through all the remaining IDs without finding a free one, we start over from the beginning of the range and try to find room in one of the gaps in the range. ---- - libmisc/find_new_gid.c | 533 +++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 407 insertions(+), 126 deletions(-) -diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c -index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b814763a16 100644 ---- a/libmisc/find_new_gid.c -+++ b/libmisc/find_new_gid.c +The patch was originally written by Stephen Gallagher and applied +identically also to the user allocation by Tomáš Mráz. + +diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c +--- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200 ++++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200 @@ -39,6 +39,118 @@ #include "getdef.h" @@ -302,6 +296,11 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 - free (used_gids); - return 0; - } +- +- /* if we did not find free preffered system gid, we start to look for +- * one in the range assigned to dynamic system IDs */ +- if (sys_group) +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); + /* First look for the lowest and highest value in the local database */ + (void) gr_rewind (); + highest_found = gid_min; @@ -326,11 +325,7 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + /* create index of used GIDs */ + if (grp->gr_gid >= gid_min + && grp->gr_gid <= gid_max) { - -- /* if we did not find free preffered system gid, we start to look for -- * one in the range assigned to dynamic system IDs */ -- if (sys_group) -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ + used_gids[grp->gr_gid] = true; + } + } 
@@ -350,16 +345,17 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 - * Since there is a limited amount of IDs to be tested - * for system accounts, we just check the existence - * of IDs with getgrgid. -+ /* -+ * For system groups, we want to start from the -+ * top of the range and work downwards. - */ +- */ - group_id = gid_max; - for (id = gid_max; id >= gid_min; id--) { - if (getgrgid (id) != NULL) { - group_id = id - 1; - used_gids[id] = true; - } ++ /* ++ * For system groups, we want to start from the ++ * top of the range and work downwards. ++ */ + + /* + * At the conclusion of the gr_next() search, we will either 
@@ -637,6 +633,587 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + return -1; } --- -1.9.3 - +diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c +--- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200 +@@ -39,6 +39,118 @@ + #include "getdef.h" + + /* ++ * get_ranges - Get the minimum and maximum ID ranges for the search ++ * ++ * This function will return the minimum and maximum ranges for IDs ++ * ++ * 0: The function completed successfully ++ * EINVAL: The provided ranges are impossible (such as maximum < minimum) ++ * ++ * preferred_min: The special-case minimum value for a specifically- ++ * requested ID, which may be lower than the standard min_id ++ */ ++static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id, ++ uid_t *preferred_min) ++{ ++ uid_t uid_def_max = 0; ++ ++ if (sys_user) { ++ /* System users */ ++ ++ /* A requested ID is allowed to be below the autoselect range */ ++ *preferred_min = (uid_t) 1; ++ ++ /* Get the minimum ID range from login.defs or default to 101 */ ++ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL); ++ ++ /* ++ * If SYS_UID_MAX is unspecified, we should assume it to be one ++ * less than the UID_MIN (which is reserved for non-system accounts) ++ */ ++ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1; ++ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX", ++ (unsigned long) uid_def_max); ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf (stderr, ++ _("%s: Invalid configuration: SYS_UID_MIN (%lu), " ++ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ getdef_ulong ("UID_MIN", 1000UL), ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } else { ++ /* Non-system users */ ++ ++ /* Get the values from login.defs or use reasonable defaults */ ++ *min_id = 
(uid_t) getdef_ulong("UID_MIN", 1000UL); ++ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL); ++ ++ /* ++ * The preferred minimum should match the standard ID minimum ++ * for non-system users. ++ */ ++ *preferred_min = *min_id; ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf(stderr, ++ _("%s: Invalid configuration: UID_MIN (%lu), " ++ "UID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } ++ ++ return 0; ++} ++ ++/* ++ * check_uid - See if the requested UID is available ++ * ++ * On success, return 0 ++ * If the ID is in use, return EEXIST ++ * If the ID is outside the range, return ERANGE ++ * In other cases, return errno from getpwuid() ++ */ ++static int check_uid(const uid_t uid, ++ const uid_t uid_min, ++ const uid_t uid_max, ++ bool *used_uids) ++{ ++ /* First test that the preferred ID is in the range */ ++ if (uid < uid_min || uid > uid_max) { ++ return ERANGE; ++ } ++ ++ /* ++ * Check whether we already detected this UID ++ * using the pw_next() loop ++ */ ++ if (used_uids != NULL && used_uids[uid]) { ++ return EEXIST; ++ } ++ /* Check if the UID exists according to NSS */ ++ errno = 0; ++ if (getpwuid(uid) != NULL) { ++ return EEXIST; ++ } else { ++ /* getpwuid() was NULL, check whether this was ++ * due to an error, so we can report it. ++ */ ++ /* ignore errors for now * if (errno != 0) { ++ return errno; ++ } */ ++ } ++ ++ /* If we've made it here, the UID must be available */ ++ return 0; ++} ++ ++/* + * find_new_uid - Find a new unused UID. + * + * If successful, find_new_uid provides an unused user ID in the +@@ -48,162 +160,339 @@ + * + * Return 0 on success, -1 if no unused UIDs are available. 
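Review bot: check_uid() in the find_new_uid.c hunk at -39 documents "In other cases, return errno from getpwuid()", but the only code that could do that is commented out (`/* ignore errors for now * if (errno != 0) { return errno; } */`), so the function can only ever return 0, EEXIST or ERANGE and the "unexpected error" branches in the caller are unreachable. More importantly, a getpwuid() that fails for a transient reason (an unreachable NSS backend) is indistinguishable from "UID free", so the allocator can hand out an ID that belongs to an existing remote account — the same ID-reuse risk the patch's own comments warn about for deleted users. Either restore the check, `if (errno != 0) { return errno; }`, so the caller's existing error path becomes live, or delete the commented-out code and fix the header comment to list only 0, EEXIST and ERANGE. Since `used_uids` is only read here, the parameter could also be `const bool *used_uids`.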
+ */ +-int find_new_uid (bool sys_user, +- uid_t *uid, +- /*@null@*/uid_t const *preferred_uid) ++int find_new_uid(bool sys_user, ++ uid_t *uid, ++ /*@null@*/uid_t const *preferred_uid) + { +- const struct passwd *pwd; +- uid_t uid_min, uid_max, user_id; + bool *used_uids; ++ const struct passwd *pwd; ++ uid_t uid_min, uid_max, preferred_min; ++ uid_t user_id, id; ++ uid_t lowest_found, highest_found; ++ int result; ++ int nospam = 0; + + assert (uid != NULL); + +- if (!sys_user) { +- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); +- if (uid_max < uid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"), +- Prog, (unsigned long) uid_min, (unsigned long) uid_max); +- return -1; +- } +- } else { +- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); +- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; +- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); +- if (uid_max < uid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), +- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max); ++ /* ++ * First, figure out what ID range is appropriate for ++ * automatic assignment ++ */ ++ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min); ++ if (result == EINVAL) { ++ return -1; ++ } ++ ++ /* Check if the preferred UID is available */ ++ if (preferred_uid) { ++ result = check_uid(*preferred_uid, preferred_min, uid_max, NULL); ++ if (result == 0) { ++ /* ++ * Make sure the UID isn't queued for use already ++ */ ++ if (pw_locate_uid (*preferred_uid) == NULL) { ++ *uid = *preferred_uid; ++ return 0; ++ } ++ /* ++ * pw_locate_uid() found the UID in an as-yet uncommitted ++ * entry. We'll proceed below and auto-set an UID. ++ */ ++ } else if (result == EEXIST || result == ERANGE) { ++ /* ++ * Continue on below. 
At this time, we won't ++ * treat these two cases differently. ++ */ ++ } else { ++ /* ++ * An unexpected error occurred. We should report ++ * this and fail the user creation. ++ * This differs from the automatic creation ++ * behavior below, since if a specific UID was ++ * requested and generated an error, the user is ++ * more likely to want to stop and address the ++ * issue. ++ */ ++ fprintf(stderr, ++ _("%s: Encountered error attempting to use " ++ "preferred UID: %s\n"), ++ Prog, strerror(result)); + return -1; + } + } ++ ++ /* ++ * Search the entire passwd file, ++ * looking for the next unused value. ++ * ++ * We first check the local database with pw_rewind/pw_next to find ++ * all local values that are in use. ++ * ++ * We then compare the next free value to all databases (local and ++ * remote) and iterate until we find a free one. If there are free ++ * values beyond the lowest (system users) or highest (non-system ++ * users), we will prefer those and avoid potentially reclaiming a ++ * deleted user (which can be a security issue, since it may grant ++ * access to files belonging to that former user). ++ * ++ * If there are no UIDs available at the end of the search, we will ++ * have no choice but to iterate through the range looking for gaps. 
++ * ++ */ ++ ++ /* Create an array to hold all of the discovered UIDs */ + used_uids = malloc (sizeof (bool) * (uid_max +1)); + if (NULL == used_uids) { + fprintf (stderr, +- _("%s: failed to allocate memory: %s\n"), +- Prog, strerror (errno)); ++ _("%s: failed to allocate memory: %s\n"), ++ Prog, strerror (errno)); + return -1; + } + memset (used_uids, false, sizeof (bool) * (uid_max + 1)); + +- if ( (NULL != preferred_uid) +- && (*preferred_uid >= uid_min) +- && (*preferred_uid <= uid_max) +- /* Check if the user exists according to NSS */ +- && (getpwuid (*preferred_uid) == NULL) +- /* Check also the local database in case of uncommitted +- * changes */ +- && (pw_locate_uid (*preferred_uid) == NULL)) { +- *uid = *preferred_uid; +- free (used_uids); +- return 0; +- } ++ /* First look for the lowest and highest value in the local database */ ++ (void) pw_rewind (); ++ highest_found = uid_min; ++ lowest_found = uid_max; ++ while ((pwd = pw_next ()) != NULL) { ++ /* ++ * Does this entry have a lower UID than the lowest we've found ++ * so far? ++ */ ++ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) { ++ lowest_found = pwd->pw_uid - 1; ++ } + ++ /* ++ * Does this entry have a higher UID than the highest we've found ++ * so far? ++ */ ++ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) { ++ highest_found = pwd->pw_uid + 1; ++ } ++ ++ /* create index of used UIDs */ ++ if (pwd->pw_uid >= uid_min ++ && pwd->pw_uid <= uid_max) { ++ ++ used_uids[pwd->pw_uid] = true; ++ } ++ } + +- /* +- * Search the entire password file, +- * looking for the largest unused value. +- * +- * We check the list of users according to NSS (setpwent/getpwent), +- * but we also check the local database (pw_rewind/pw_next) in case +- * some users were created but the changes were not committed yet. +- */ + if (sys_user) { +- uid_t id; +- /* setpwent / getpwent / endpwent can be very slow with +- * LDAP configurations (and many accounts). 
+- * Since there is a limited amount of IDs to be tested +- * for system accounts, we just check the existence +- * of IDs with getpwuid. +- */ +- user_id = uid_max; +- for (id = uid_max; id >= uid_min; id--) { +- if (getpwuid (id) != NULL) { +- user_id = id - 1; +- used_uids[id] = true; +- } ++ /* ++ * For system users, we want to start from the ++ * top of the range and work downwards. ++ */ ++ ++ /* ++ * At the conclusion of the pw_next() search, we will either ++ * have a presumed-free UID or we will be at UID_MIN - 1. ++ */ ++ if (lowest_found < uid_min) { ++ /* ++ * In this case, an UID is in use at UID_MIN. ++ * ++ * We will reset the search to UID_MAX and proceed down ++ * through all the UIDs (skipping those we detected with ++ * used_uids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted UID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign UIDs ++ * explicitly). ++ */ ++ lowest_found = uid_max; + } + +- (void) pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { +- user_id = pwd->pw_uid - 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ /* Search through all of the IDs in the range */ ++ for (id = lowest_found; id >= uid_min; id--) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system UID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ + } + } +- } else { +- user_id = uid_min; +- setpwent (); +- while ((pwd = getpwent ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ ++ /* ++ * If we get all the way through the loop, try again from UID_MAX, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) ++ * cycles *again* if we fall into this case with lowest_found as ++ * UID_MAX - 1, all users in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (lowest_found != uid_max) { ++ for (id = uid_max; id >= uid_min; id--) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ ++ } + } + } +- endpwent (); ++ } else { /* !sys_user */ ++ /* ++ * For non-system users, we want to start from the ++ * bottom of the range and work upwards. 
++ */ + +- (void) pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; +- } ++ /* ++ * At the conclusion of the pw_next() search, we will either ++ * have a presumed-free UID or we will be at UID_MAX + 1. ++ */ ++ if (highest_found > uid_max) { ++ /* ++ * In this case, a UID is in use at UID_MAX. ++ * ++ * We will reset the search to UID_MIN and proceed up ++ * through all the UIDs (skipping those we detected with ++ * used_uids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted UID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign UIDs ++ * explicitly). ++ */ ++ highest_found = uid_min; + } +- } + +- /* +- * If a user (resp. system user) with UID equal to UID_MAX (resp. +- * UID_MIN) exists, the above algorithm will give us UID_MAX+1 +- * (resp. UID_MIN-1) even if not unique. Search for the first free +- * UID starting with UID_MIN (resp. UID_MAX). +- */ +- if (sys_user) { +- if (user_id < uid_min) { +- for (user_id = uid_max; user_id >= uid_min; user_id--) { +- if (false == used_uids[user_id]) { +- break; ++ /* Search through all of the IDs in the range */ ++ for (id = highest_found; id <= uid_max; id++) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique UID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; + } +- } +- if (user_id < uid_min ) { +- fprintf (stderr, +- _("%s: Can't get unique system UID (no more available UIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available UID on the system")); +- free (used_uids); +- return -1; ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ + } + } +- } else { +- if (user_id > uid_max) { +- for (user_id = uid_min; user_id <= uid_max; user_id++) { +- if (false == used_uids[user_id]) { +- break; ++ ++ /* ++ * If we get all the way through the loop, try again from UID_MIN, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) ++ * cycles *again* if we fall into this case with highest_found as ++ * UID_MIN + 1, all users in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (highest_found != uid_min) { ++ for (id = uid_min; id <= uid_max; id++) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. 
++ */
+ }
+ }
+- if (user_id > uid_max) {
+- fprintf (stderr,
+- _("%s: Can't get unique UID (no more available UIDs)\n"),
+- Prog);
+- SYSLOG ((LOG_WARN, "no more available UID on the system"));
+- free (used_uids);
+- return -1;
+- }
+ }
+ }
+
+- free (used_uids);
+- *uid = user_id;
+- return 0;
++ /* The code reached here and found no available IDs in the range */
++ fprintf(stderr,
++ _("%s: Can't get unique UID (no more available UIDs)\n"),
++ Prog);
++ SYSLOG((LOG_WARN, "no more available UIDs on the system"));
++ free(used_uids);
++ return -1;
+ }
+
diff --git a/shadow-utils.spec b/shadow-utils.spec
index e3d6b90..f1edde1 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 20%{?dist}
+Release: 21%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
@@ -26,10 +26,11 @@ Patch14: shadow-4.1.5.1-default-range.patch
 Patch15: shadow-4.1.5.1-manfix.patch
 Patch16: shadow-4.1.5.1-crypt-null.patch
 Patch17: shadow-4.1.5.1-userdel-helpfix.patch
-Patch18: shadow-4.1.5.1-group-alloc.patch
+Patch18: shadow-4.1.5.1-id-alloc.patch
 Patch19: shadow-4.1.5.1-date-parsing.patch
 Patch20: shadow-4.1.5.1-ingroup.patch
 Patch21: shadow-4.1.5.1-move-home.patch
+Patch22: shadow-4.1.5.1-audit-update.patch
 
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -75,10 +76,11 @@ are used for managing group accounts.
 %patch15 -p1 -b .manfix
 %patch16 -p1 -b .crypt-null
 %patch17 -p1 -b .userdel
-%patch18 -p1 -b .group-alloc
+%patch18 -p1 -b .id-alloc
 %patch19 -p1 -b .date-parsing
 %patch20 -p1 -b .ingroup
 %patch21 -p1 -b .move-home
+%patch22 -p1 -b .audit-update
 
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -236,6 +238,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Fri Oct 17 2014 Tomáš Mráz - 2:4.1.5.1-21
+- update auditing to cover more events and fix some incorrect audit
+ records - patch by Steve Grubb (#1151580)
+- apply the same new allocation algorithm to uids as for gids
+
 * Wed Sep 10 2014 Tomas Mraz - 2:4.1.5.1-20
 - discard obsolete matchpathcon cache after semanage_commit()

From e77fc2805ecf0c47db1b8dd4b4ce797d57fec20d Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 20 Oct 2014 13:49:44 +0200
Subject: [PATCH 22/64] Cast gid_t to unsigned long when printing.

---
 shadow-4.1.5.1-audit-update.patch | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.1.5.1-audit-update.patch
index c25db61..75964de 100644
--- a/shadow-4.1.5.1-audit-update.patch
+++ b/shadow-4.1.5.1-audit-update.patch
@@ -1006,7 +1006,7 @@ diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c
 + 511 - strlen(info_passwd.audit_msg));
 + free(nv_pair);
 + }
-+ snprintf(nv, sizeof(nv), " gid=%lu", group_id);
++ snprintf(nv, sizeof(nv), " gid=%lu", (unsigned long)group_id);
 + strncat(info_group.audit_msg, nv, 511 - strlen(info_group.audit_msg));
 + strncat(info_passwd.audit_msg, nv, 511 - strlen(info_passwd.audit_msg));
 +
@@ -1073,7 +1073,7 @@ diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c
  #endif
  }
  if (gflg) {
-+ snprintf(nv, sizeof(nv), " new_gid=%lu", group_newid);
++ snprintf(nv, sizeof(nv), " new_gid=%lu", (unsigned long)group_newid);
 + strncat(info_group.audit_msg, nv,
 + 511 - strlen(info_group.audit_msg));
 + strncat(info_passwd.audit_msg, nv,

From 04260e2340ced2cf2fbda7a1234707d8cee549eb Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 25 Nov 2014 11:58:16 +0100
Subject: [PATCH 23/64] small adjustments to the audit patch

---
 shadow-4.1.5.1-audit-update.patch | 8 ++++----
 shadow-utils.spec | 5 ++++-
 2 files changed, 8 insertions(+), 5 deletions(-)
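Review bot: The strncat bound `511 - strlen(info_group.audit_msg)` on the lines right after the corrected snprintf (and again in the `@@ -1073` hunk) hard-codes the buffer's remaining capacity; it is only right if audit_msg is exactly 512 bytes, which is declared outside this hunk, and since both operands are size_t the subtraction wraps to a huge count should strlen ever exceed 511, turning the "bounded" append into an overflow. Prefer deriving the limit from the array, `strncat(info_group.audit_msg, nv, sizeof(info_group.audit_msg) - strlen(info_group.audit_msg) - 1);`, or assemble the record with one `snprintf` and check its return value for truncation. The `(unsigned long)` casts themselves are the right fix: on LP64 targets gid_t is narrower than `unsigned long`, so `%lu` without the cast read past the argument and produced garbage gid fields in the audit record. The enclosing groupmod.c function starts and ends outside the hunk.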
diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.1.5.1-audit-update.patch
index 75964de..17930bf 100644
--- a/shadow-4.1.5.1-audit-update.patch
+++ b/shadow-4.1.5.1-audit-update.patch
@@ -2111,7 +2111,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c
 - "changing admin name in shadow group",
 - user_name, AUDIT_NO_ID, 1);
 + audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
-+ "update-admin-name-in-group",
++ "update-admin-name-in-shadow-group",
 + user_name, AUDIT_NO_ID, nsgrp->sg_name,
 + SHADOW_AUDIT_SUCCESS);
  #endif
@@ -2125,7 +2125,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c
 - "changing member in shadow group",
 - user_name, AUDIT_NO_ID, 1);
 + audit_logger_with_group (AUDIT_USER_MGMT, Prog,
-+ "update-member-in-group",
++ "update-member-in-shadow-group",
 + user_name, AUDIT_NO_ID,
 + nsgrp->sg_name, 1);
  #endif
@@ -2139,7 +2139,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c
 - "removing user from shadow group",
 - user_name, AUDIT_NO_ID, 1);
 + audit_logger_with_group (AUDIT_USER_MGMT, Prog,
-+ "delete-user-from-group",
++ "delete-user-from-shadow-group",
 + user_name, AUDIT_NO_ID,
 + nsgrp->sg_name, 1);
  #endif
@@ -2153,7 +2153,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c
 - "adding user to shadow group",
 - user_newname, AUDIT_NO_ID, 1);
 + audit_logger_with_group (AUDIT_USER_MGMT, Prog,
-+ "add-user-to-group",
++ "add-user-to-shadow-group",
 + user_newname, AUDIT_NO_ID,
 + nsgrp->sg_name, 1);
  #endif
diff --git a/shadow-utils.spec b/shadow-utils.spec
index f1edde1..faf9749 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 21%{?dist}
+Release: 22%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
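Review bot: The result argument of audit_logger_with_group is inconsistent across these hunks: the `@@ -2111` hunk passes `SHADOW_AUDIT_SUCCESS`, while the `@@ -2125`, `@@ -2139` and `@@ -2153` hunks keep the bare literal `1` carried over from the old calls. The success flag is what audit rules and SIEM parsers key on, so the three membership sites should use the named constant as well, `nsgrp->sg_name, SHADOW_AUDIT_SUCCESS);` (presumably equal to 1, but it is declared outside this hunk). The renamed operation strings ending in `-in-shadow-group` become part of the log schema consumed by audit tooling; they deserve a comment next to the helper listing the operation names in use, and must stay stable once the package ships. The enclosing usermod.c function starts and ends outside the hunk.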
@@ -238,6 +238,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Tue Nov 25 2014 Tomáš Mráz - 2:4.1.5.1-22
+- small adjustments to the audit patch
+
 * Fri Oct 17 2014 Tomáš Mráz - 2:4.1.5.1-21
 - update auditing to cover more events and fix some incorrect audit
  records - patch by Steve Grubb (#1151580)

From 8b4e03b99440f35550118f0d102b3ffc1622586f Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 26 Nov 2014 15:58:28 +0100
Subject: [PATCH 24/64] new upstream release with support for subordinate uids and gids

---
 .gitignore | 2 +
 shadow-4.1.5.1-crypt-null.patch | 195 ------
 shadow-4.1.5.1-date-parsing.patch | 138 -----
 shadow-4.1.5.1-goodname.patch | 35 --
 shadow-4.1.5.1-info-parent-dir.patch | 12 -
 shadow-4.1.5.1-manfix.patch | 272 ---------
 shadow-4.1.5.1-merge-group.patch | 27 -
 ...e.patch => shadow-4.2.1-audit-update.patch | 563 ++++++++++--------
 shadow-4.2.1-date-parsing.patch | 68 +++
 shadow-4.2.1-manfix.patch | 78 +++
 shadow-4.2.1-merge-group.patch | 13 +
 shadow-utils.spec | 31 +-
 sources | 4 +-
 13 files changed, 514 insertions(+), 924 deletions(-)
 delete mode 100644 shadow-4.1.5.1-crypt-null.patch
 delete mode 100644 shadow-4.1.5.1-date-parsing.patch
 delete mode 100644 shadow-4.1.5.1-manfix.patch
 delete mode 100644 shadow-4.1.5.1-merge-group.patch
 rename shadow-4.1.5.1-audit-update.patch => shadow-4.2.1-audit-update.patch (86%)
 create mode 100644 shadow-4.2.1-date-parsing.patch
 create mode 100644 shadow-4.2.1-manfix.patch
 create mode 100644 shadow-4.2.1-merge-group.patch

diff --git a/.gitignore b/.gitignore
index f5997c1..e78a553 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.1.5.tar.bz2
 /shadow-4.1.5.1.tar.bz2
 /shadow-4.1.5.1.tar.bz2.sig
+/shadow-4.2.1.tar.xz
+/shadow-4.2.1.tar.xz.sig
diff --git a/shadow-4.1.5.1-crypt-null.patch b/shadow-4.1.5.1-crypt-null.patch
deleted file mode 100644
index fba72e7..0000000
--- a/shadow-4.1.5.1-crypt-null.patch
+++ /dev/null
@@ -1,195 +0,0 @@ -diff -up shadow-4.1.5.1/lib/encrypt.c.crypt-null shadow-4.1.5.1/lib/encrypt.c ---- shadow-4.1.5.1/lib/encrypt.c.crypt-null 2010-08-22 15:05:02.000000000 +0200 -+++ shadow-4.1.5.1/lib/encrypt.c 2013-07-25 12:27:30.438355782 +0200 -@@ -49,11 +49,10 @@ - if (!cp) { - /* - * Single Unix Spec: crypt() may return a null pointer, -- * and set errno to indicate an error. The caller doesn't -- * expect us to return NULL, so... -+ * and set errno to indicate an error. In this case return -+ * the NULL so the caller can handle appropriately. - */ -- perror ("crypt"); -- exit (EXIT_FAILURE); -+ return cp; - } - - /* The GNU crypt does not return NULL if the algorithm is not -diff -up shadow-4.1.5.1/libmisc/valid.c.crypt-null shadow-4.1.5.1/libmisc/valid.c ---- shadow-4.1.5.1/libmisc/valid.c.crypt-null 2010-08-22 21:14:41.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/valid.c 2013-07-25 12:27:30.440355847 +0200 -@@ -95,6 +95,7 @@ bool valid (const char *password, const - */ - - if ( (NULL != ent->pw_name) -+ && (NULL != encrypted) - && (strcmp (encrypted, ent->pw_passwd) == 0)) { - return true; - } else { -diff -up shadow-4.1.5.1/lib/pwauth.c.crypt-null shadow-4.1.5.1/lib/pwauth.c ---- shadow-4.1.5.1/lib/pwauth.c.crypt-null 2009-07-13 00:24:48.000000000 +0200 -+++ shadow-4.1.5.1/lib/pwauth.c 2013-07-25 12:27:30.438355782 +0200 -@@ -73,6 +73,7 @@ int pw_auth (const char *cipher, - char prompt[1024]; - char *clear = NULL; - const char *cp; -+ const char *encrypted; - int retval; - - #ifdef SKEY -@@ -177,7 +178,11 @@ int pw_auth (const char *cipher, - * the results there as well. 
- */ - -- retval = strcmp (pw_encrypt (input, cipher), cipher); -+ encrypted = pw_encrypt (input, cipher); -+ if (encrypted!=NULL) -+ retval = strcmp (encrypted, cipher); -+ else -+ retval = -1; - - #ifdef SKEY - /* -diff -up shadow-4.1.5.1/src/chgpasswd.c.crypt-null shadow-4.1.5.1/src/chgpasswd.c ---- shadow-4.1.5.1/src/chgpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 -+++ shadow-4.1.5.1/src/chgpasswd.c 2013-07-25 12:27:30.440355847 +0200 -@@ -469,6 +469,10 @@ int main (int argc, char **argv) - #endif - cp = pw_encrypt (newpwd, - crypt_make_salt (crypt_method, arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - } - - /* -diff -up shadow-4.1.5.1/src/chpasswd.c.crypt-null shadow-4.1.5.1/src/chpasswd.c ---- shadow-4.1.5.1/src/chpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 -+++ shadow-4.1.5.1/src/chpasswd.c 2013-07-25 12:27:30.440355847 +0200 -@@ -492,6 +492,10 @@ int main (int argc, char **argv) - #endif - cp = pw_encrypt (newpwd, - crypt_make_salt(crypt_method, arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - } - - /* -diff -up shadow-4.1.5.1/src/gpasswd.c.crypt-null shadow-4.1.5.1/src/gpasswd.c ---- shadow-4.1.5.1/src/gpasswd.c.crypt-null 2011-11-19 23:55:04.000000000 +0100 -+++ shadow-4.1.5.1/src/gpasswd.c 2013-07-25 12:27:30.441355866 +0200 -@@ -939,6 +939,10 @@ static void change_passwd (struct group - } - - cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); -+ if (cp==NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - memzero (pass, sizeof pass); - #ifdef SHADOWGRP - if (is_shadowgrp) { -diff -up shadow-4.1.5.1/src/newgrp.c.crypt-null shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.crypt-null 2011-07-30 03:50:01.000000000 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2013-07-25 12:27:30.442355881 +0200 -@@ -184,7 +184,8 @@ static void check_perms (const struct gr - cpasswd = pw_encrypt (cp, grp->gr_passwd); - strzero (cp); - -- if (grp->gr_passwd[0] == '\0' || -+ 
if (cpasswd == NULL || -+ grp->gr_passwd[0] == '\0' || - strcmp (cpasswd, grp->gr_passwd) != 0) { - #ifdef WITH_AUDIT - snprintf (audit_buf, sizeof(audit_buf), -diff -up shadow-4.1.5.1/src/newusers.c.crypt-null shadow-4.1.5.1/src/newusers.c ---- shadow-4.1.5.1/src/newusers.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 -+++ shadow-4.1.5.1/src/newusers.c 2013-07-25 12:27:30.442355881 +0200 -@@ -387,6 +387,7 @@ static int add_user (const char *name, u - static void update_passwd (struct passwd *pwd, const char *password) - { - void *crypt_arg = NULL; -+ char *cp; - if (crypt_method != NULL) { - #ifdef USE_SHA_CRYPT - if (sflg) { -@@ -398,9 +399,13 @@ static void update_passwd (struct passwd - if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) { - pwd->pw_passwd = (char *)password; - } else { -- pwd->pw_passwd = pw_encrypt (password, -- crypt_make_salt (crypt_method, -- crypt_arg)); -+ cp=pw_encrypt (password, crypt_make_salt (crypt_method, -+ crypt_arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } -+ pwd->pw_passwd = cp; - } - } - #endif /* !USE_PAM */ -@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pw - { - const struct spwd *sp; - struct spwd spent; -+ char *cp; - - #ifndef USE_PAM - void *crypt_arg = NULL; -@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pw - } else { - const char *salt = crypt_make_salt (crypt_method, - crypt_arg); -- spent.sp_pwdp = pw_encrypt (password, salt); -+ cp = pw_encrypt (password, salt); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } -+ spent.sp_pwdp = cp; - } - spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE; - if (0 == spent.sp_lstchg) { -@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pw - spent.sp_pwdp = (char *)password; - } else { - const char *salt = crypt_make_salt (crypt_method, crypt_arg); -- spent.sp_pwdp = pw_encrypt (password, salt); -+ cp = pw_encrypt (password, salt); -+ if (cp == NULL) { -+ perror ("crypt"); -+ 
exit (EXIT_FAILURE); -+ } -+ spent.sp_pwdp = cp; - } - #else - /* -diff -up shadow-4.1.5.1/src/passwd.c.crypt-null shadow-4.1.5.1/src/passwd.c ---- shadow-4.1.5.1/src/passwd.c.crypt-null 2012-02-13 21:32:01.000000000 +0100 -+++ shadow-4.1.5.1/src/passwd.c 2013-07-25 12:27:30.443355896 +0200 -@@ -242,7 +242,7 @@ static int new_password (const struct pa - } - - cipher = pw_encrypt (clear, crypt_passwd); -- if (strcmp (cipher, crypt_passwd) != 0) { -+ if ((cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)) { - strzero (clear); - strzero (cipher); - SYSLOG ((LOG_WARN, "incorrect password for %s", -@@ -349,6 +349,10 @@ static int new_password (const struct pa - * Encrypt the password, then wipe the cleartext password. - */ - cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - memzero (pass, sizeof pass); - - #ifdef HAVE_LIBCRACK_HIST diff --git a/shadow-4.1.5.1-date-parsing.patch b/shadow-4.1.5.1-date-parsing.patch deleted file mode 100644 index 38ec091..0000000 --- a/shadow-4.1.5.1-date-parsing.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -diff -up shadow-4.1.5.1/libmisc/getdate.c.date-parsing shadow-4.1.5.1/libmisc/getdate.c ---- shadow-4.1.5.1/libmisc/getdate.c.date-parsing 2008-06-14 00:07:51.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/getdate.c 2014-08-29 13:41:22.553267506 +0200 -@@ -261,6 +261,7 @@ static int yyHaveDay; - static int yyHaveRel; - static int yyHaveTime; - static int yyHaveZone; -+static int yyHaveYear; - static int yyTimezone; - static int yyDay; - static int yyHour; -@@ -1730,6 +1731,7 @@ yyreduce: - yyDay = (yyvsp[(3) - (5)].Number); - yyYear = (yyvsp[(5) - (5)].Number); - } -+ yyHaveYear++; - } - break; - -@@ -1740,6 +1742,7 @@ yyreduce: - yyYear = (yyvsp[(1) - (3)].Number); - yyMonth = -(yyvsp[(2) - (3)].Number); - yyDay = -(yyvsp[(3) - (3)].Number); -+ yyHaveYear++; - } - break; - -@@ -1750,6 +1753,7 @@ yyreduce: - yyDay = (yyvsp[(1) - (3)].Number); - yyMonth = (yyvsp[(2) - (3)].Number); - yyYear = -(yyvsp[(3) - (3)].Number); -+ yyHaveYear++; - } - break; - -@@ -1767,6 +1771,7 @@ yyreduce: - yyMonth = (yyvsp[(1) - (4)].Number); - yyDay = (yyvsp[(2) - (4)].Number); - yyYear = (yyvsp[(4) - (4)].Number); -+ yyHaveYear++; - } - break; - -@@ -1784,6 +1789,7 @@ yyreduce: - yyMonth = (yyvsp[(2) - (3)].Number); - yyDay = (yyvsp[(1) - (3)].Number); - yyYear = (yyvsp[(3) - (3)].Number); -+ yyHaveYear++; - } - break; - -@@ -1928,7 +1934,8 @@ yyreduce: - case 49: - #line 397 "getdate.y" - { -- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) -+ if ((yyHaveTime != 0 || (yyvsp[(1) - (1)].Number) >= 100) && !yyHaveYear -+ && (yyHaveDate != 0) && (yyHaveRel == 0)) - yyYear = (yyvsp[(1) - (1)].Number); - else - { -@@ -2556,7 +2563,7 @@ yylex (void) - return LookupWord (buff); - } - if (c != '(') -- return *yyInput++; -+ return (unsigned char)*yyInput++; - Count = 0; - do - { -diff -up shadow-4.1.5.1/libmisc/getdate.y.date-parsing shadow-4.1.5.1/libmisc/getdate.y ---- shadow-4.1.5.1/libmisc/getdate.y.date-parsing 2008-05-26 10:57:51.000000000 +0200 -+++ 
shadow-4.1.5.1/libmisc/getdate.y 2014-08-29 13:40:37.502229879 +0200 -@@ -152,6 +152,7 @@ static int yyHaveDay; - static int yyHaveRel; - static int yyHaveTime; - static int yyHaveZone; -+static int yyHaveYear; - static int yyTimezone; - static int yyDay; - static int yyHour; -@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER { - yyDay = $3; - yyYear = $5; - } -+ yyHaveYear++; - } - | tUNUMBER tSNUMBER tSNUMBER { - /* ISO 8601 format. yyyy-mm-dd. */ - yyYear = $1; - yyMonth = -$2; - yyDay = -$3; -+ yyHaveYear++; - } - | tUNUMBER tMONTH tSNUMBER { - /* e.g. 17-JUN-1992. */ - yyDay = $1; - yyMonth = $2; - yyYear = -$3; -+ yyHaveYear++; - } - | tMONTH tUNUMBER { - yyMonth = $1; -@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER { - yyMonth = $1; - yyDay = $2; - yyYear = $4; -+ yyHaveYear++; - } - | tUNUMBER tMONTH { - yyMonth = $2; -@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER { - yyMonth = $2; - yyDay = $1; - yyYear = $3; -+ yyHaveYear++; - } - ; - -@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT { - - number : tUNUMBER - { -- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) -+ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear -+ && (yyHaveDate != 0) && (yyHaveRel == 0)) - yyYear = $1; - else - { -@@ -802,7 +809,7 @@ yylex (void) - return LookupWord (buff); - } - if (c != '(') -- return *yyInput++; -+ return (unsigned char)*yyInput++; - Count = 0; - do - { diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.1.5.1-goodname.patch index 06c0de6..15c98a7 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.1.5.1-goodname.patch 
@@ -72,41 +72,6 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.
 Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
-diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/groupadd.8
---- shadow-4.1.5.1/man/man8/groupadd.8.goodname 2012-05-25 13:58:40.000000000 +0200
-+++ shadow-4.1.5.1/man/man8/groupadd.8 2014-09-09 17:28:46.330300342 +0200
-@@ -190,9 +190,7 @@ Shadow password suite configuration\&.
- .RE
- .SH "CAVEATS"
- .PP
--Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
--.PP
--Groupnames may only be up to 16 characters long\&.
-+Groupnames may only be up to 32 characters long\&.
- .PP
- You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&.
- .PP
-diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/useradd.8
---- shadow-4.1.5.1/man/man8/useradd.8.goodname 2012-05-25 13:59:28.000000000 +0200
-+++ shadow-4.1.5.1/man/man8/useradd.8 2014-09-09 17:28:46.330300342 +0200
-@@ -224,7 +224,7 @@ is not enabled, no home directories are
- .PP
- \fB\-M\fR
- .RS 4
--Do no create the user\*(Aqs home directory, even if the system wide setting from
-+Do not create the user\*(Aqs home directory, even if the system wide setting from
- /etc/login\&.defs
- (\fBCREATE_HOME\fR) is set to
- \fIyes\fR\&.
-@@ -430,8 +430,6 @@ Similarly, if the username already exist
- \fBuseradd\fR
- will deny the user account creation request\&.
- .PP
--Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
--.PP
- Usernames may only be up to 32 characters long\&.
- .SH "CONFIGURATION"
- .PP
 diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml
 --- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200
 +++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200
diff --git a/shadow-4.1.5.1-info-parent-dir.patch b/shadow-4.1.5.1-info-parent-dir.patch
index d2bc009..b05e5bb 100644
--- a/shadow-4.1.5.1-info-parent-dir.patch
+++ b/shadow-4.1.5.1-info-parent-dir.patch
@@ -1,15 +1,3 @@
-diff -up shadow-4.1.5.1/man/man8/newusers.8.info-parent-dir shadow-4.1.5.1/man/man8/newusers.8
---- shadow-4.1.5.1/man/man8/newusers.8.info-parent-dir 2012-05-25 13:59:09.000000000 +0200
-+++ shadow-4.1.5.1/man/man8/newusers.8 2012-09-19 18:47:17.203525237 +0200
-@@ -99,7 +99,7 @@ This field is copied in the GECOS field
- .RS 4
- This field is used to define the home directory of the user\&.
- .sp
--If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&.
-+If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&.
- .sp
- If the home directory of an existing user is changed,
- \fBnewusers\fR
 diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml
 --- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200
 +++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200
diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch
deleted file mode 100644
index 2963c98..0000000
--- a/shadow-4.1.5.1-manfix.patch
+++ /dev/null
@@ -1,272 +0,0 @@ -diff -up shadow-4.1.5.1/man/chage.1.xml.manfix shadow-4.1.5.1/man/chage.1.xml ---- shadow-4.1.5.1/man/chage.1.xml.manfix 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/chage.1.xml 2014-08-29 13:36:57.713167654 +0200 -@@ -102,6 +102,9 @@ - Set the number of days since January 1st, 1970 when the password - was last changed. The date may also be expressed in the format - YYYY-MM-DD (or the format more commonly used in your area). -+ If the LAST_DAY is set to -+ 0 the user is forced to change his password -+ on the next log on. - - - -diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml ---- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/login.defs.5.xml 2014-08-29 13:31:38.364812323 +0200 -@@ -160,6 +160,17 @@ - long numeric parameters is machine-dependent. - - -+ -+ Please note that the parameters in this configuration file control the -+ behavior of the tools from the shadow-utils component. None of these -+ tools uses the PAM mechanism, and the utilities that use PAM (such as the -+ passwd command) should be configured elsewhere. The only values that -+ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS -+ for pam_unix module, FAIL_DELAY for pam_faildelay module, -+ and UMASK for pam_umask module. Refer to -+ pam(8) for more information. -+ -+ - The following configuration items are provided: - - -diff -up shadow-4.1.5.1/man/man1/chage.1.manfix shadow-4.1.5.1/man/man1/chage.1 ---- shadow-4.1.5.1/man/man1/chage.1.manfix 2012-05-25 13:58:18.000000000 +0200 -+++ shadow-4.1.5.1/man/man1/chage.1 2014-08-29 13:36:31.303559366 +0200 -@@ -45,7 +45,11 @@ command are: - .PP - \fB\-d\fR, \fB\-\-lastday\fR \fILAST_DAY\fR - .RS 4 --Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. 
-+Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. If the -+\fILAST_DAY\fR -+is set to -+\fB0\fR -+the user is forced to change his password on the next log on\&. - .RE - .PP - \fB\-E\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR -diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/login.defs.5 ---- shadow-4.1.5.1/man/man5/login.defs.5.manfix 2012-05-25 13:59:03.000000000 +0200 -+++ shadow-4.1.5.1/man/man5/login.defs.5 2014-08-29 13:31:38.364812323 +0200 -@@ -46,6 +46,14 @@ value\&. Numbers (both regular and long) - \fI0\fR) or hexadecimal values (precede the value with - \fI0x\fR)\&. The maximum value of the regular and long numeric parameters is machine\-dependent\&. - .PP -+Please note that the parameters in this configuration file control the -+behavior of the tools from the shadow-utils component\&. None of these -+tools uses the PAM mechanism, and the utilities that use PAM (such as the -+passwd command) should be configured elsewhere\&. The only values that -+affect PAM modules are \fBENCRYPT_METHOD\fR and \fBSHA_CRYPT_MAX_ROUNDS\fR for pam_unix module, -+\fBFAIL_DELAY\fR for pam_faildelay module, and \fBUMASK\fR for pam_umask module\&. Refer to -+pam(8) for more information\&. -+.PP - The following configuration items are provided: - .PP - \fBCHFN_AUTH\fR (boolean) -@@ -625,20 +633,6 @@ will create by default a group with the - .PP - The following cross references show which programs in the shadow password suite use which parameters\&. 
- .PP --chfn --.RS 4 -- --CHFN_AUTH --CHFN_RESTRICT --LOGIN_STRING --.RE --.PP --chgpasswd --.RS 4 --ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB --SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS --.RE --.PP - chpasswd - .RS 4 - -@@ -646,11 +640,6 @@ ENCRYPT_METHOD MD5_CRYPT_ENAB - SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS - .RE - .PP --chsh --.RS 4 --CHSH_AUTH LOGIN_STRING --.RE --.PP - gpasswd - .RS 4 - ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB -@@ -692,29 +681,6 @@ grpunconv - MAX_MEMBERS_PER_GROUP - .RE - .PP --login --.RS 4 -- --CONSOLE --CONSOLE_GROUPS DEFAULT_HOME --ENV_HZ ENV_PATH ENV_SUPATH ENV_TZ ENVIRON_FILE --ERASECHAR FAIL_DELAY --FAILLOG_ENAB --FAKE_SHELL --FTMP_FILE --HUSHLOGIN_FILE --ISSUE_FILE --KILLCHAR --LASTLOG_ENAB --LOGIN_RETRIES --LOGIN_STRING --LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB --MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB --TTYGROUP TTYPERM TTYTYPE_FILE --ULIMIT UMASK --USERGROUPS_ENAB --.RE --.PP - newgrp / sg - .RS 4 - SYSLOG_SG_ENAB -@@ -727,12 +693,6 @@ SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUND - SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK - .RE - .PP --passwd --.RS 4 --ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN --SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS --.RE --.PP - pwck - .RS 4 - PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE -@@ -743,26 +703,6 @@ pwconv - PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE - .RE - .PP --su --.RS 4 -- --CONSOLE --CONSOLE_GROUPS DEFAULT_HOME --ENV_HZ ENVIRON_FILE --ENV_PATH ENV_SUPATH --ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE QUOTAS_ENAB --SULOG_FILE SU_NAME --SU_WHEEL_ONLY --SYSLOG_SU_ENAB --USERGROUPS_ENAB --.RE --.PP --sulogin --.RS 4 --ENV_HZ --ENV_TZ --.RE --.PP - useradd - .RS 4 - CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX 
UID_MIN UMASK -diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 ---- shadow-4.1.5.1/man/man8/useradd.8.manfix 2014-08-29 13:31:38.347811932 +0200 -+++ shadow-4.1.5.1/man/man8/useradd.8 2014-08-29 13:31:38.364812323 +0200 -@@ -85,7 +85,7 @@ by default\&. - Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. - .RE - .PP --\fB\-d\fR, \fB\-\-home\fR \fIHOME_DIR\fR -+\fB\-d\fR, \fB\-\-home\-dir\fR \fIHOME_DIR\fR - .RS 4 - The new user will be created using - \fIHOME_DIR\fR -@@ -220,9 +220,13 @@ option) will be copied to the home direc - By default, if this option is not specified and - \fBCREATE_HOME\fR - is not enabled, no home directories are created\&. -+.sp -+The directory where the user\*(Aqs home directory is created must -+exist and have proper SELinux context and permissions\&. Otherwise -+the user\*(Aqs home directory cannot be created or accessed\&. - .RE - .PP --\fB\-M\fR -+\fB\-M\fR, \fB\-\-no\-create\-home\fR - .RS 4 - Do not create the user\*(Aqs home directory, even if the system wide setting from - /etc/login\&.defs -diff -up shadow-4.1.5.1/man/man8/usermod.8.manfix shadow-4.1.5.1/man/man8/usermod.8 ---- shadow-4.1.5.1/man/man8/usermod.8.manfix 2012-05-25 13:59:33.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/usermod.8 2014-08-29 13:35:27.343086211 +0200 -@@ -63,7 +63,7 @@ The user\*(Aqs new login directory\&. - .sp - If the - \fB\-m\fR --option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. -+option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. If the current home directory does not exist the new home directory will not be created\&. 
- .RE - .PP - \fB\-e\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR -@@ -143,7 +143,7 @@ Move the content of the user\*(Aqs home - This option is only valid in combination with the - \fB\-d\fR - (or --\fB\-\-home\fR) option\&. -+\fB\-\-home\fR) option\&. If the current home directory does not exist the new home directory will not be created\&. - .sp - - \fBusermod\fR -diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2014-08-29 13:31:38.347811932 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2014-08-29 13:31:38.364812323 +0200 -@@ -161,7 +161,7 @@ - - - -- , -+ , - HOME_DIR - - -@@ -358,11 +358,16 @@ - is not enabled, no home - directories are created. - -+ -+ The directory where the user's home directory is created must -+ exist and have proper SELinux context and permissions. Otherwise -+ the user's home directory cannot be created or accessed. -+ - - - - -- -+ , - - - -diff -up shadow-4.1.5.1/man/usermod.8.xml.manfix shadow-4.1.5.1/man/usermod.8.xml ---- shadow-4.1.5.1/man/usermod.8.xml.manfix 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/usermod.8.xml 2014-08-29 13:33:40.814632618 +0200 -@@ -132,7 +132,8 @@ - If the - option is given, the contents of the current home directory will - be moved to the new home directory, which is created if it does -- not already exist. -+ not already exist. If the current home directory does not exist -+ the new home directory will not be created. - - - -@@ -261,7 +262,8 @@ - - - Move the content of the user's home directory to the new -- location. -+ location. If the current home directory does not exist -+ the new home directory will not be created. - - - This option is only valid in combination with the diff --git a/shadow-4.1.5.1-merge-group.patch b/shadow-4.1.5.1-merge-group.patch deleted file mode 100644 index f5cea10..0000000 --- a/shadow-4.1.5.1-merge-group.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -diff -up shadow-4.1.5.1/lib/groupio.c.merge-group shadow-4.1.5.1/lib/groupio.c ---- shadow-4.1.5.1/lib/groupio.c.merge-group 2011-02-16 21:32:24.000000000 +0100 -+++ shadow-4.1.5.1/lib/groupio.c 2013-01-29 13:56:43.049275513 +0100 -@@ -330,12 +330,12 @@ static /*@null@*/struct commonio_entry * - - /* Concatenate the 2 lines */ - new_line_len = strlen (gr1->line) + strlen (gr2->line) +1; -- new_line = (char *)malloc ((new_line_len + 1) * sizeof(char*)); -+ new_line = (char *)malloc (new_line_len + 1); - if (NULL == new_line) { - errno = ENOMEM; - return NULL; - } -- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); -+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); - new_line[new_line_len] = '\0'; - - /* Concatenate the 2 list of members */ -@@ -353,7 +353,7 @@ static /*@null@*/struct commonio_entry * - members++; - } - } -- new_members = (char **)malloc ( (members+1) * sizeof(char*) ); -+ new_members = (char **)calloc (members+1, sizeof(char*)); - if (NULL == new_members) { - free (new_line); - errno = ENOMEM; diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.2.1-audit-update.patch similarity index 86% rename from shadow-4.1.5.1-audit-update.patch rename to shadow-4.2.1-audit-update.patch index 17930bf..8f2edf8 100644 --- a/shadow-4.1.5.1-audit-update.patch +++ b/shadow-4.2.1-audit-update.patch 
@@ -1,31 +1,6 @@ -diff -urp shadow-4.1.5.1.orig/lib/prototypes.h shadow-4.1.5.1/lib/prototypes.h ---- shadow-4.1.5.1.orig/lib/prototypes.h 2014-09-13 15:45:54.953829562 -0400 -+++ shadow-4.1.5.1/lib/prototypes.h 2014-10-14 08:39:23.785884075 -0400 -@@ -195,12 +195,21 @@ extern int audit_fd; - extern void audit_help_open (void); - /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ - #define AUDIT_NO_ID ((unsigned int) -1) -+#ifndef AUDIT_GRP_MGMT -+#define AUDIT_GRP_MGMT 1132 /* Group account was modified */ -+#endif -+#ifndef AUDIT_GRP_CHAUTHTOK -+#define AUDIT_GRP_CHAUTHTOK 1133 /* Group account password was changed */ -+#endif - typedef enum { - SHADOW_AUDIT_FAILURE = 0, - SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result; - extern void audit_logger (int type, const char *pgname, const char *op, - const char *name, unsigned int id, - shadow_audit_result result); -+void audit_logger_with_group (int type, unused const char *pgname, -+ const char *op, const char *name, unsigned int id, -+ const char *grp, shadow_audit_result result); - void audit_logger_message (const char *message, shadow_audit_result result); - #endif - -diff -urp shadow-4.1.5.1.orig/libmisc/audit_help.c shadow-4.1.5.1/libmisc/audit_help.c ---- shadow-4.1.5.1.orig/libmisc/audit_help.c 2010-08-21 07:41:28.000000000 -0400 -+++ shadow-4.1.5.1/libmisc/audit_help.c 2014-10-14 08:39:23.785884075 -0400 +diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/audit_help.c +--- shadow-4.2.1/libmisc/audit_help.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/audit_help.c 2014-11-26 15:06:24.663660558 +0100 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: 
@@ -75,9 +50,9 @@ diff -urp shadow-4.1.5.1.orig/libmisc/audit_help.c shadow-4.1.5.1/libmisc/audit_ void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_group.c shadow-4.1.5.1/libmisc/cleanup_group.c ---- shadow-4.1.5.1.orig/libmisc/cleanup_group.c 2008-12-23 17:45:18.000000000 -0500 -+++ shadow-4.1.5.1/libmisc/cleanup_group.c 2014-10-14 09:00:33.594753105 -0400 +diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/cleanup_group.c +--- shadow-4.2.1/libmisc/cleanup_group.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/cleanup_group.c 2014-11-26 15:06:24.663660558 +0100 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -156,9 +131,9 @@ diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_group.c shadow-4.1.5.1/libmisc/cle SHADOW_AUDIT_FAILURE); #endif } -diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_user.c shadow-4.1.5.1/libmisc/cleanup_user.c ---- shadow-4.1.5.1.orig/libmisc/cleanup_user.c 2008-12-23 17:45:18.000000000 -0500 -+++ shadow-4.1.5.1/libmisc/cleanup_user.c 2014-10-14 09:01:51.878745031 -0400 +diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/cleanup_user.c +--- shadow-4.2.1/libmisc/cleanup_user.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/cleanup_user.c 2014-11-26 15:06:24.663660558 +0100 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); 
@@ -206,99 +181,34 @@ diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_user.c shadow-4.1.5.1/libmisc/clea SHADOW_AUDIT_FAILURE); #endif } -diff -urp shadow-4.1.5.1.orig/src/chage.c shadow-4.1.5.1/src/chage.c ---- shadow-4.1.5.1.orig/src/chage.c 2011-11-19 17:54:47.000000000 -0500 -+++ shadow-4.1.5.1/src/chage.c 2014-10-14 08:39:23.787884075 -0400 -@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int - - #ifdef WITH_AUDIT - if (E_SUCCESS != code) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change age", -- user_name, (unsigned int) user_uid, 0); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_FAILURE); - } +diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes.h +--- shadow-4.2.1/lib/prototypes.h.audit-update 2014-11-26 15:06:24.644660498 +0100 ++++ shadow-4.2.1/lib/prototypes.h 2014-11-26 15:06:24.663660558 +0100 +@@ -208,12 +208,21 @@ extern int audit_fd; + extern void audit_help_open (void); + /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ + #define AUDIT_NO_ID ((unsigned int) -1) ++#ifndef AUDIT_GRP_MGMT ++#define AUDIT_GRP_MGMT 1132 /* Group account was modified */ ++#endif ++#ifndef AUDIT_GRP_CHAUTHTOK ++#define AUDIT_GRP_CHAUTHTOK 1133 /* Group account password was changed */ ++#endif + typedef enum { + SHADOW_AUDIT_FAILURE = 0, + SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result; + extern void audit_logger (int type, const char *pgname, const char *op, + const char *name, unsigned int id, + shadow_audit_result result); ++void audit_logger_with_group (int type, unused const char *pgname, ++ const char *op, const char *name, unsigned int id, ++ const char *grp, shadow_audit_result result); + void audit_logger_message (const char *message, shadow_audit_result result); #endif -@@ -873,11 +874,7 @@ int main (int argc, char **argv) - fprintf (stderr, _("%s: Permission denied.\n"), Prog); - fail_exit (E_NOPERM); - } --#ifdef WITH_AUDIT 
-- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "display aging info", -- user_name, (unsigned int) user_uid, 1); --#endif -+ /* Displaying fields is not of interest to audit */ - list_fields (); - fail_exit (E_SUCCESS); - } -@@ -896,41 +893,43 @@ int main (int argc, char **argv) - } - #ifdef WITH_AUDIT - else { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change all aging information", -- user_name, (unsigned int) user_uid, 1); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-all-aging-information", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_SUCCESS); - } - #endif - } else { - #ifdef WITH_AUDIT - if (Mflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change max age", -- user_name, (unsigned int) user_uid, 1); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-max-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_SUCCESS); - } - if (mflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change min age", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-min-age", - user_name, (unsigned int) user_uid, 1); - } - if (dflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change last change date", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-last-change-date", - user_name, (unsigned int) user_uid, 1); - } - if (Wflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change passwd warning", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-passwd-warning", - user_name, (unsigned int) user_uid, 1); - } - if (Iflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change inactive days", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-inactive-days", - user_name, (unsigned int) user_uid, 1); - } - if (Eflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change passwd expiration", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-passwd-expiration", - user_name, (unsigned int) user_uid, 1); - } - #endif -diff -urp shadow-4.1.5.1.orig/src/gpasswd.c shadow-4.1.5.1/src/gpasswd.c ---- shadow-4.1.5.1.orig/src/gpasswd.c 
2014-09-13 15:45:54.989829559 -0400 -+++ shadow-4.1.5.1/src/gpasswd.c 2014-10-14 08:43:07.393861012 -0400 +diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c +--- shadow-4.2.1/src/gpasswd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/gpasswd.c 2014-11-26 15:06:24.664660561 +0100 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -562,9 +472,9 @@ diff -urp shadow-4.1.5.1.orig/src/gpasswd.c shadow-4.1.5.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -urp shadow-4.1.5.1.orig/src/groupadd.c shadow-4.1.5.1/src/groupadd.c ---- shadow-4.1.5.1.orig/src/groupadd.c 2011-11-18 16:23:30.000000000 -0500 -+++ shadow-4.1.5.1/src/groupadd.c 2014-10-14 08:39:23.800884073 -0400 +diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c +--- shadow-4.2.1/src/groupadd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupadd.c 2014-11-26 15:06:24.664660561 +0100 @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -740,9 +650,9 @@ diff -urp shadow-4.1.5.1.orig/src/groupadd.c shadow-4.1.5.1/src/groupadd.c } } -diff -urp shadow-4.1.5.1.orig/src/groupdel.c shadow-4.1.5.1/src/groupdel.c ---- shadow-4.1.5.1.orig/src/groupdel.c 2011-11-18 16:23:30.000000000 -0500 -+++ shadow-4.1.5.1/src/groupdel.c 2014-10-14 08:39:23.801884073 -0400 +diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c +--- shadow-4.2.1/src/groupdel.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupdel.c 2014-11-26 15:06:24.665660564 +0100 @@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } 
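Review bot: The `audit_logger_with_group` prototype the rebased patch adds to lib/prototypes.h carries `unused` on `pgname`, which makes the header depend on whatever macro defines `unused` being visible before prototypes.h is included, and the neighbouring `audit_logger` declaration does not do this. Dropping the attribute from the declaration — `void audit_logger_with_group (int type, const char *pgname,` — and keeping it, if wanted, on the definition in audit_help.c removes that ordering dependency; prefixing the declaration with `extern` like its siblings would also be consistent. The fallback `#ifndef AUDIT_GRP_MGMT` / `#ifndef AUDIT_GRP_CHAUTHTOK` definitions presumably cover libaudit headers that predate those event types; a comment stating that 1132 and 1133 are the kernel's audit record type numbers and must stay in sync with `linux/audit.h` would tell the next maintainer these are ABI values that audit consumers key on, not free constants. The definition of `audit_logger_with_group` is not visible in this hunk, so whether the `unused` marking is mirrored there cannot be checked here.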
@@ -912,9 +822,9 @@ diff -urp shadow-4.1.5.1.orig/src/groupdel.c shadow-4.1.5.1/src/groupdel.c } #endif -diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c ---- shadow-4.1.5.1.orig/src/groupmod.c 2011-11-18 16:23:30.000000000 -0500 -+++ shadow-4.1.5.1/src/groupmod.c 2014-10-14 08:49:28.517821702 -0400 +diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c +--- shadow-4.2.1/src/groupmod.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupmod.c 2014-11-26 15:06:24.665660564 +0100 @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } 
@@ -1108,10 +1018,100 @@ diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1.orig/src/newgrp.c 2014-09-13 15:45:55.010829557 -0400 -+++ shadow-4.1.5.1/src/newgrp.c 2014-10-14 08:39:23.802884073 -0400 -@@ -197,11 +197,12 @@ static void check_perms (const struct gr +diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c +--- shadow-4.2.1/src/chage.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chage.c 2014-11-26 15:06:24.663660558 +0100 +@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int + + #ifdef WITH_AUDIT + if (E_SUCCESS != code) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change age", +- user_name, (unsigned int) user_uid, 0); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-age", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_FAILURE); + } + #endif + +@@ -873,11 +874,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: Permission denied.\n"), Prog); + fail_exit (E_NOPERM); + } +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "display aging info", +- user_name, (unsigned int) user_uid, 1); +-#endif ++ /* Displaying fields is not of interest to audit */ + list_fields (); + fail_exit (E_SUCCESS); + } +@@ -896,41 +893,43 @@ int main (int argc, char **argv) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change all aging information", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-all-aging-information", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + #endif + } else { + #ifdef WITH_AUDIT + if (Mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change max age", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-max-age", 
++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + if (mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change min age", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-min-age", + user_name, (unsigned int) user_uid, 1); + } + if (dflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change last change date", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-last-change-date", + user_name, (unsigned int) user_uid, 1); + } + if (Wflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd warning", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-warning", + user_name, (unsigned int) user_uid, 1); + } + if (Iflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change inactive days", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-inactive-days", + user_name, (unsigned int) user_uid, 1); + } + if (Eflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd expiration", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-expiration", + user_name, (unsigned int) user_uid, 1); + } + #endif +diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c +--- shadow-4.2.1/src/newgrp.c.audit-update 2014-11-26 15:06:24.660660548 +0100 ++++ shadow-4.2.1/src/newgrp.c 2014-11-26 15:06:24.666660567 +0100 +@@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1126,7 +1126,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif SYSLOG ((LOG_INFO, "Invalid password for group '%s' from '%s'", -@@ -212,11 +213,12 @@ static void check_perms (const struct gr +@@ -221,11 +222,12 @@ static void check_perms (const struct gr } #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), 
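Review bot: In the chage.c section that the new side moves below groupmod.c, the rewritten `audit_logger` calls are inconsistent about the result argument: the `else` and `Mflg` branches pass `SHADOW_AUDIT_SUCCESS`, while the `mflg`, `dflg`, `Wflg`, `Iflg` and `Eflg` branches still pass the bare literal `1`. Because the `shadow_audit_result` enum in this same patch defines `SHADOW_AUDIT_SUCCESS = 1`, the emitted records are identical today, but the literal defeats the purpose of the enum and would silently produce wrong success/failure flags in the audit trail if its values were ever reordered. Replacing `user_name, (unsigned int) user_uid, 1);` with `user_name, (unsigned int) user_uid,` / `SHADOW_AUDIT_SUCCESS);` in those five branches brings them in line with the rest of the patch. The enclosing chage.c `main` starts and ends outside the hunk.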
@@ -1141,7 +1141,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif } -@@ -227,19 +229,6 @@ failure: +@@ -236,19 +238,6 @@ failure: * harm. -- JWP */ closelog (); @@ -1161,7 +1161,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c exit (EXIT_FAILURE); } -@@ -308,15 +297,27 @@ static void syslog_sg (const char *name, +@@ -317,15 +306,27 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { @@ -1193,7 +1193,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -442,7 +443,7 @@ int main (int argc, char **argv) +@@ -451,7 +452,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1202,7 +1202,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -558,15 +559,26 @@ int main (int argc, char **argv) +@@ -567,15 +568,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1233,7 +1233,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -707,10 +719,10 @@ int main (int argc, char **argv) +@@ -716,10 +728,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1246,7 +1246,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -719,10 +731,10 @@ int main (int argc, char **argv) +@@ -728,10 +740,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), 
@@ -1259,7 +1259,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -736,10 +748,10 @@ int main (int argc, char **argv) +@@ -745,10 +757,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1272,7 +1272,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -803,11 +815,11 @@ int main (int argc, char **argv) +@@ -812,11 +824,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1286,7 +1286,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -831,15 +843,24 @@ int main (int argc, char **argv) +@@ -840,15 +852,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1315,10 +1315,10 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1.orig/src/useradd.c 2014-09-13 15:45:54.957829561 -0400 -+++ shadow-4.1.5.1/src/useradd.c 2014-10-14 08:52:53.066800605 -0400 -@@ -205,6 +205,8 @@ static void create_mail (void); +diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c +--- shadow-4.2.1/src/useradd.c.audit-update 2014-11-26 15:06:24.648660511 +0100 ++++ shadow-4.2.1/src/useradd.c 2014-11-26 15:14:02.446087183 +0100 +@@ -222,6 +222,8 @@ static void create_mail (void); */ static void fail_exit (int code) { 
@@ -1327,7 +1327,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c if (home_added) { if (rmdir (user_home) != 0) { fprintf (stderr, -@@ -218,12 +220,6 @@ static void fail_exit (int code) +@@ -235,12 +237,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1340,7 +1340,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } -@@ -231,12 +227,6 @@ static void fail_exit (int code) +@@ -248,12 +244,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1353,7 +1353,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } -@@ -244,12 +234,6 @@ static void fail_exit (int code) +@@ -261,12 +251,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1366,7 +1366,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } -@@ -258,20 +242,19 @@ static void fail_exit (int code) +@@ -275,12 +259,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); 
@@ -1379,7 +1379,33 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } - #endif +@@ -290,12 +268,6 @@ static void fail_exit (int code) + if (sub_uid_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate user file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -303,20 +275,19 @@ static void fail_exit (int code) + if (sub_gid_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate group file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } + #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, @@ -1394,7 +1420,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -578,7 +561,7 @@ static int set_defaults (void) +@@ -623,7 +594,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1403,7 +1429,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -848,12 +831,6 @@ static void grp_update (void) +@@ -893,12 +864,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); 
@@ -1416,7 +1442,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -867,18 +844,12 @@ static void grp_update (void) +@@ -912,18 +877,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1438,7 +1464,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -923,12 +894,6 @@ static void grp_update (void) +@@ -968,12 +927,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1451,7 +1477,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -942,18 +907,13 @@ static void grp_update (void) +@@ -987,18 +940,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1474,7 +1500,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1296,7 +1256,7 @@ static void process_flags (int argc, cha +@@ -1341,7 +1289,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1483,7 +1509,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1385,7 +1345,7 @@ static void close_files (void) +@@ -1444,7 +1392,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1492,7 +1518,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1398,7 +1358,7 @@ static void close_files (void) +@@ -1457,7 +1405,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1501,7 +1527,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1410,7 +1370,7 @@ static void close_files (void) +@@ -1469,7 +1417,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1510,7 +1536,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1424,7 +1384,7 @@ static void close_files (void) +@@ -1483,7 +1431,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1519,7 +1545,25 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1584,7 +1544,7 @@ static void grp_add (void) +@@ -1499,7 +1447,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate user file", ++ "unlocking-subordinate-user-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1513,7 +1461,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate group file", ++ "unlocking-subordinate-group-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1705,7 +1653,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1528,7 +1572,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1600,7 +1560,7 @@ static void grp_add (void) +@@ -1721,7 +1669,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1537,7 +1581,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1610,7 +1570,7 @@ static void grp_add (void) +@@ -1731,7 +1679,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, 
@@ -1546,7 +1590,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1725,17 +1685,11 @@ static void usr_update (void) +@@ -1846,12 +1794,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1558,6 +1602,9 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c -#endif fail_exit (E_PW_UPDATE); } + #ifdef ENABLE_SUBIDS +@@ -1873,7 +1815,7 @@ static void usr_update (void) + #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, - "adding user", @@ -1565,7 +1612,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1771,12 +1725,6 @@ static void create_home (void) +@@ -1908,12 +1850,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), Prog, user_home); @@ -1578,7 +1625,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_HOMEDIR); } chown (user_home, user_id, user_gid); -@@ -1784,8 +1732,8 @@ static void create_home (void) +@@ -1921,8 +1857,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1589,7 +1636,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1951,12 +1899,6 @@ int main (int argc, char **argv) +@@ -2098,12 +2034,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); 
@@ -1602,7 +1649,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -1972,12 +1914,6 @@ int main (int argc, char **argv) +@@ -2119,12 +2049,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1615,7 +1662,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2007,12 +1943,6 @@ int main (int argc, char **argv) +@@ -2154,12 +2078,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1628,7 +1675,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2057,9 +1987,10 @@ int main (int argc, char **argv) +@@ -2223,9 +2141,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1642,10 +1689,10 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c ---- shadow-4.1.5.1.orig/src/userdel.c 2014-09-13 15:45:55.001829558 -0400 -+++ shadow-4.1.5.1/src/userdel.c 2014-10-14 08:44:52.714850149 -0400 -@@ -201,9 +201,9 @@ static void update_groups (void) +diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c +--- shadow-4.2.1/src/userdel.c.audit-update 2014-11-26 15:06:24.655660533 +0100 ++++ shadow-4.2.1/src/userdel.c 2014-11-26 15:16:01.892459425 +0100 +@@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT 
@@ -1658,7 +1705,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -263,9 +263,9 @@ static void update_groups (void) +@@ -276,9 +276,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1671,7 +1718,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -342,9 +342,9 @@ static void remove_usergroup (void) +@@ -355,9 +355,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1684,7 +1731,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -360,9 +360,9 @@ static void remove_usergroup (void) +@@ -373,9 +373,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1697,7 +1744,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -478,7 +478,7 @@ static void fail_exit (int code) +@@ -537,7 +537,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1706,7 +1753,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -498,24 +498,12 @@ static void open_files (void) +@@ -557,24 +557,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); 
@@ -1731,7 +1778,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -523,12 +511,6 @@ static void open_files (void) +@@ -582,12 +570,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1744,7 +1791,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -536,12 +518,6 @@ static void open_files (void) +@@ -595,12 +577,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -1757,7 +1804,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -549,23 +525,11 @@ static void open_files (void) +@@ -608,23 +584,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1781,7 +1828,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -574,24 +538,12 @@ static void open_files (void) +@@ -633,24 +597,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); 
@@ -1806,8 +1853,58 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -622,7 +574,7 @@ static void update_user (void) +@@ -661,24 +613,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sub_uid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking subordinate user file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_UID_UPDATE); + } + sub_uid_locked = true; + if (sub_uid_open (O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening subordinate user file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_UID_UPDATE); + } } +@@ -687,24 +627,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sub_gid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking subordinate group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_GID_UPDATE); + } + sub_gid_locked = true; + if (sub_gid_open (O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening subordinate group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_GID_UPDATE); + } + } +@@ -749,7 +677,7 @@ static void update_user (void) + #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, - "deleting user entries", 
@@ -1815,7 +1912,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -716,7 +668,7 @@ static int remove_mailbox (void) +@@ -843,7 +771,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1824,7 +1921,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -732,7 +684,7 @@ static int remove_mailbox (void) +@@ -859,7 +787,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1833,7 +1930,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -742,8 +694,8 @@ static int remove_mailbox (void) +@@ -869,8 +797,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1844,7 +1941,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -760,7 +712,7 @@ static int remove_mailbox (void) +@@ -887,7 +815,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1853,7 +1950,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -775,7 +727,7 @@ static int remove_mailbox (void) +@@ -902,7 +830,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1862,7 +1959,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -785,8 +737,8 @@ static int remove_mailbox (void) +@@ -912,8 +840,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1873,7 +1970,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -980,7 +932,7 @@ int main (int argc, char **argv) +@@ -1111,7 +1039,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1882,7 +1979,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1024,7 +976,7 @@ int main (int argc, char **argv) +@@ -1155,7 +1083,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1891,7 +1988,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1101,8 +1053,8 @@ int main (int argc, char **argv) +@@ -1232,8 +1160,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -1902,7 +1999,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1111,7 +1063,7 @@ int main (int argc, char **argv) +@@ -1242,7 +1170,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1911,7 +2008,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1124,8 +1076,8 @@ int main (int argc, char **argv) +@@ -1255,8 +1183,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -1922,10 +2019,10 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1.orig/src/usermod.c 2014-09-13 15:45:55.013829557 -0400 -+++ shadow-4.1.5.1/src/usermod.c 2014-10-14 08:50:05.817817855 -0400 -@@ -352,8 +352,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.audit-update 2014-11-26 15:06:24.661660551 +0100 ++++ shadow-4.2.1/src/usermod.c 2014-11-26 15:17:38.580760741 +0100 +@@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -1936,7 +2033,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -372,8 +372,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -467,8 +467,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -1947,7 +2044,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -384,7 +384,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -479,7 +479,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, 
@@ -1956,7 +2053,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -413,8 +413,8 @@ static void new_pwent (struct passwd *pw +@@ -508,8 +508,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -1967,7 +2064,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -434,8 +434,8 @@ static void new_pwent (struct passwd *pw +@@ -529,8 +529,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -1978,7 +2075,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -445,8 +445,8 @@ static void new_pwent (struct passwd *pw +@@ -540,8 +540,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -1989,7 +2086,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -456,8 +456,8 @@ static void new_pwent (struct passwd *pw +@@ -551,8 +551,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2000,7 +2097,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -465,8 +465,8 @@ static void new_pwent (struct passwd *pw +@@ -560,8 +560,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT 
@@ -2011,7 +2108,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -476,8 +476,8 @@ static void new_pwent (struct passwd *pw +@@ -571,8 +571,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT @@ -2022,7 +2119,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -507,8 +507,8 @@ static void new_spent (struct spwd *spen +@@ -602,8 +602,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2033,7 +2130,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -524,8 +524,8 @@ static void new_spent (struct spwd *spen +@@ -619,8 +619,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2044,8 +2141,8 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -592,9 +592,9 @@ static /*@noreturn@*/void fail_exit (int - } +@@ -703,9 +703,9 @@ static /*@noreturn@*/void fail_exit (int + #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2057,7 +2154,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif exit (code); } -@@ -648,9 +648,12 @@ static void update_group (void) +@@ -759,9 +759,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT 
@@ -2073,7 +2170,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -664,9 +667,11 @@ static void update_group (void) +@@ -775,9 +778,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2088,7 +2185,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -679,9 +684,11 @@ static void update_group (void) +@@ -790,9 +795,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2103,7 +2200,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -756,9 +763,10 @@ static void update_gshadow (void) +@@ -867,9 +874,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2117,7 +2214,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -778,9 +786,10 @@ static void update_gshadow (void) +@@ -889,9 +897,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2131,7 +2228,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -794,9 +803,10 @@ static void update_gshadow (void) +@@ -905,9 +914,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT 
@@ -2145,7 +2242,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -809,9 +819,10 @@ static void update_gshadow (void) +@@ -920,9 +930,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2159,7 +2256,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1515,8 +1526,8 @@ static void move_home (void) +@@ -1810,8 +1821,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2170,7 +2267,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1534,8 +1545,8 @@ static void move_home (void) +@@ -1829,8 +1840,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2181,7 +2278,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1554,9 +1565,9 @@ static void move_home (void) +@@ -1849,9 +1860,9 @@ static void move_home (void) Prog, user_home); } #ifdef WITH_AUDIT @@ -2193,7 +2290,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -1760,8 +1771,8 @@ static void move_mailbox (void) +@@ -2055,8 +2066,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2204,7 +2301,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1779,8 +1790,8 @@ static void move_mailbox (void) +@@ -2074,8 +2085,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { 
@@ -2215,7 +2312,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1910,8 +1921,8 @@ int main (int argc, char **argv) +@@ -2217,8 +2228,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2226,7 +2323,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1923,8 +1934,8 @@ int main (int argc, char **argv) +@@ -2230,8 +2241,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2237,7 +2334,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1962,8 +1973,8 @@ int main (int argc, char **argv) +@@ -2269,8 +2280,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.2.1-date-parsing.patch b/shadow-4.2.1-date-parsing.patch new file mode 100644 index 0000000..91a85ac --- /dev/null +++ b/shadow-4.2.1-date-parsing.patch 
@@ -0,0 +1,68 @@ +diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y +--- shadow-4.2.1/libmisc/getdate.y.date-parsing 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/getdate.y 2014-11-26 14:58:21.208153924 +0100 +@@ -152,6 +152,7 @@ static int yyHaveDay; + static int yyHaveRel; + static int yyHaveTime; + static int yyHaveZone; ++static int yyHaveYear; + static int yyTimezone; + static int yyDay; + static int yyHour; +@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER { + yyDay = $3; + yyYear = $5; + } ++ yyHaveYear++; + } + | tUNUMBER tSNUMBER tSNUMBER { + /* ISO 8601 format. yyyy-mm-dd. */ + yyYear = $1; + yyMonth = -$2; + yyDay = -$3; ++ yyHaveYear++; + } + | tUNUMBER tMONTH tSNUMBER { + /* e.g. 17-JUN-1992. */ + yyDay = $1; + yyMonth = $2; + yyYear = -$3; ++ yyHaveYear++; + } + | tMONTH tUNUMBER { + yyMonth = $1; +@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $1; + yyDay = $2; + yyYear = $4; ++ yyHaveYear++; + } + | tUNUMBER tMONTH { + yyMonth = $2; +@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $2; + yyDay = $1; + yyYear = $3; ++ yyHaveYear++; + } + ; + +@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT { + + number : tUNUMBER + { +- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) ++ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear ++ && (yyHaveDate != 0) && (yyHaveRel == 0)) + yyYear = $1; + else + { +@@ -802,7 +809,7 @@ yylex (void) + return LookupWord (buff); + } + if (c != '(') +- return *yyInput++; ++ return (unsigned char)*yyInput++; + Count = 0; + do + { diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch new file mode 100644 index 0000000..4c6520e --- /dev/null +++ b/shadow-4.2.1-manfix.patch 
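Review bot: `yyHaveYear` is introduced as a new static counter and incremented in five `date` alternatives, but none of the hunks in this file reset it where get_date() zeroes the other `yyHave*` counters; that code lies outside the shown hunks, so the reset may already exist. If it does not and get_date() is called more than once in a process, a year seen by the first call keeps `!yyHaveYear` false in the new `number` rule during the second call, and a bare number is then no longer taken as the year. Add `yyHaveYear = 0;` next to the other resets unless it is already there. The `(unsigned char)` cast on `*yyInput++` in yylex is a good catch, since returning a negative `char` as a token value is wrong wherever char is signed.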
@@ -0,0 +1,78 @@ +diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml +--- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 +@@ -102,6 +102,9 @@ + Set the number of days since January 1st, 1970 when the password + was last changed. The date may also be expressed in the format + YYYY-MM-DD (or the format more commonly used in your area). ++ If the LAST_DAY is set to ++ 0 the user is forced to change his password ++ on the next log on. + + + +diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml +--- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 ++++ shadow-4.2.1/man/login.defs.5.xml 2014-11-26 15:34:51.257978963 +0100 +@@ -162,6 +162,17 @@ + long numeric parameters is machine-dependent. + + ++ ++ Please note that the parameters in this configuration file control the ++ behavior of the tools from the shadow-utils component. None of these ++ tools uses the PAM mechanism, and the utilities that use PAM (such as the ++ passwd command) should be configured elsewhere. The only values that ++ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS ++ for pam_unix module, FAIL_DELAY for pam_faildelay module, ++ and UMASK for pam_umask module. Refer to ++ pam(8) for more information. ++ ++ + The following configuration items are provided: + + +diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml +--- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 ++++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 +@@ -347,11 +347,16 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. 
++ + + + + +- ++ , + + + +diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml +--- shadow-4.2.1/man/usermod.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/usermod.8.xml 2014-11-26 15:34:51.257978963 +0100 +@@ -132,7 +132,8 @@ + If the + option is given, the contents of the current home directory will + be moved to the new home directory, which is created if it does +- not already exist. ++ not already exist. If the current home directory does not exist ++ the new home directory will not be created. + + + +@@ -256,7 +257,8 @@ + + + Move the content of the user's home directory to the new +- location. ++ location. If the current home directory does not exist ++ the new home directory will not be created. + + + This option is only valid in combination with the diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch new file mode 100644 index 0000000..1adcabd --- /dev/null +++ b/shadow-4.2.1-merge-group.patch @@ -0,0 +1,13 @@ +diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c +--- shadow-4.2.1/lib/groupio.c.merge-group 2014-11-26 14:33:54.039581662 +0100 ++++ shadow-4.2.1/lib/groupio.c 2014-11-26 14:46:02.841852886 +0100 +@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry * + errno = ENOMEM; + return NULL; + } +- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); +- new_line[new_line_len] = '\0'; ++ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); + + /* Concatenate the 2 list of members */ + for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-utils.spec b/shadow-utils.spec index faf9749..0e04237 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
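Review bot: The single `snprintf(new_line, new_line_len + 1, ...)` in the groupio.c `@@ -335,8 +335,7 @@` hunk is only correct if the allocation above the hunk reserved `new_line_len + 1` bytes; that malloc is not visible here, though the old code's explicit `new_line[new_line_len] = '\0'` suggests the buffer is indeed one byte longer than new_line_len, in which case the change fixes the one-character truncation of the old call. The return value is still unchecked, so if the two sizes ever disagree the merged group line is silently truncated rather than rejected; comparing the result against the expected length and failing the merge on mismatch would turn that into a detectable error. At minimum tie the two sites together with a comment on the call, `/* new_line holds new_line_len + 1 bytes, see the malloc above */`. The enclosing merge function starts before this hunk.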
@@ -1,11 +1,11 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.5.1 -Release: 22%{?dist} +Version: 4.2.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 -Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2.sig +Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz +Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Source4: shadow-bsd.txt @@ -17,20 +17,19 @@ Patch3: shadow-4.1.5-uflg.patch Patch6: shadow-4.1.5.1-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch Patch8: shadow-4.1.5.1-backup-mode.patch -Patch9: shadow-4.1.5.1-merge-group.patch +Patch9: shadow-4.2.1-merge-group.patch Patch10: shadow-4.1.5.1-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.1.5.1-manfix.patch -Patch16: shadow-4.1.5.1-crypt-null.patch +Patch15: shadow-4.2.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-id-alloc.patch -Patch19: shadow-4.1.5.1-date-parsing.patch +Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.1.5.1-audit-update.patch +Patch22: shadow-4.2.1-audit-update.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -38,6 +37,7 @@ BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel BuildRequires: libacl-devel libattr-devel +BuildRequires: bison flex gnome-doc-utils #BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 
@@ -74,7 +74,6 @@ are used for managing group accounts. %patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix -%patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing @@ -87,6 +86,8 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . +rm libmisc/getdate.c + #rm po/*.gmo #rm po/stamp-po #aclocal @@ -107,6 +108,7 @@ export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %configure \ --enable-shadowgrp \ + --enable-man \ --with-audit \ --with-sha-crypt \ --with-selinux \ @@ -207,6 +209,8 @@ rm -rf $RPM_BUILD_ROOT %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp +%attr(4755,root,root) %{_bindir}/newgidmap +%attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0750,root,root) %{_sbindir}/user* %attr(0750,root,root) %{_sbindir}/group* @@ -221,10 +225,14 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* %{_mandir}/man3/shadow.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* %{_mandir}/man5/gshadow.5* +%{_mandir}/man5/subuid.5* +%{_mandir}/man5/subgid.5* %{_mandir}/man8/adduser.8* %{_mandir}/man8/group*.8* %{_mandir}/man8/user*.8* @@ -238,6 +246,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Nov 26 2014 Tomáš Mráz - 2:4.2.1-1 +- new upstream release with support for subordinate uids and gids + * Tue Nov 25 2014 Tomáš Mráz - 2:4.1.5.1-22 - small adjustments to the audit patch diff --git a/sources b/sources index 888eac7..9a96021 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -a00449aa439c69287b6d472191dc2247 shadow-4.1.5.1.tar.bz2 -f16f31f6f5a607b1ffb1aa1aac4c37f2 shadow-4.1.5.1.tar.bz2.sig +2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz +6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig From 283bf24723e0f61dbe631e3997d030fd6802353d Mon Sep 17 00:00:00 2001 
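Review bot: The `%files` hunk installs `newuidmap` and `newgidmap` setuid root (`%attr(4755,root,root)`), adding two root-privileged binaries that every local user can execute, while the same hunk lists only their man pages and shows no `%config(noreplace)` entries for `/etc/subuid` and `/etc/subgid`, the files these helpers consult before writing a mapping. If those files are not packaged elsewhere in `%files`, the package ships the setuid helpers without the configuration that constrains them; worth confirming. A comment on the two `%attr` lines such as `# setuid root on purpose: writes uid/gid maps for unprivileged user namespaces, bounded by /etc/subuid and /etc/subgid` would record why these, unlike the `%{_sbindir}` tools, get 4755.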
From: Dennis Gilmore Date: Fri, 19 Jun 2015 00:44:03 +0000 Subject: [PATCH 25/64] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 0e04237..26569bb 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -246,6 +246,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jun 19 2015 Fedora Release Engineering - 2:4.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + * Wed Nov 26 2014 Tomáš Mráz - 2:4.2.1-1 - new upstream release with support for subordinate uids and gids From 25899fefb05e983b4403720125a756665943cf13 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 27 Aug 2015 15:53:13 +0200 Subject: [PATCH 26/64] Multiple fixes. - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd --- shadow-4.2.1-defs-chroot.patch | 24 +++++++++++++++++++ shadow-4.2.1-no-lock-dos.patch | 15 ++++++++++++ shadow-4.2.1-usermod-unlock.patch | 39 +++++++++++++++++++++++++++++++ shadow-utils.spec | 14 ++++++++++- 4 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-defs-chroot.patch create mode 100644 shadow-4.2.1-no-lock-dos.patch create mode 100644 shadow-4.2.1-usermod-unlock.patch diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.2.1-defs-chroot.patch new file mode 100644 index 0000000..827ad40 --- /dev/null +++ b/shadow-4.2.1-defs-chroot.patch 
@@ -0,0 +1,24 @@ +diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c +--- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100 ++++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200 +@@ -1938,8 +1938,8 @@ int main (int argc, char **argv) + #endif /* ACCT_TOOLS_SETUID */ + + /* Needed for userns check */ +- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ uid_t uid_min; ++ uid_t uid_max; + + /* + * Get my name so that I can use it to report errors. +@@ -1957,6 +1957,9 @@ int main (int argc, char **argv) + audit_help_open (); + #endif + ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ + sys_ngroups = sysconf (_SC_NGROUPS_MAX); + user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); + /* diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch new file mode 100644 index 0000000..58fd605 --- /dev/null +++ b/shadow-4.2.1-no-lock-dos.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c +--- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200 ++++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200 +@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil + int retval; + char buf[32]; + +- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600); ++ /* We depend here on the fact, that the file name is pid-specific. ++ * So no O_EXCL here and no DoS. ++ */ ++ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600); + if (-1 == fd) { + if (log) { + (void) fprintf (stderr, diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.2.1-usermod-unlock.patch new file mode 100644 index 0000000..85403cd --- /dev/null +++ b/shadow-4.2.1-usermod-unlock.patch 
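Review bot: The two `getdef_ulong ("UID_MIN"/"UID_MAX")` calls in useradd.c are moved from the declarations to a point after `audit_help_open ()` with no comment explaining why, and the reason — the chroot requested with `-R` has to happen before login.defs is read, so the limits come from the target root rather than the host — is only recoverable from the commit message, since the call that performs the chroot presumably sits between the two hunks and is not visible here. A comment above the new assignments, `/* Read after process_root_flag () so the chroot's login.defs is used, not the host's. */`, would keep a later cleanup from hoisting them back to the declarations and silently reintroducing the bug. `main` starts and ends outside the hunk.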
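Review bot: Replacing `O_EXCL` with `O_TRUNC` in the `open` call of `do_lock_file` in commonio.c means an existing object at `file` is now opened and truncated instead of rejected, and because `open` follows symlinks a stale or planted symlink carrying that pid-specific name would be followed to its target and truncated. The directory holding these lock files is normally root-owned, so abuse needs write access there, but the new comment should state that assumption, and `fd = open (file, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0600);` keeps the old protection against a leftover symlink without reintroducing the exclusive-create failure the patch removes. `do_lock_file` starts and ends outside the hunk.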
@@ -0,0 +1,39 @@ +diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.unlock 2014-12-01 15:14:58.000000000 +0100 ++++ shadow-4.2.1/src/usermod.c 2015-08-27 14:31:50.899712180 +0200 +@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas + strcat (buf, pw_pass); + pw_pass = buf; + } else if (Uflg && pw_pass[0] == '!') { +- char *s; ++ char *s = pw_pass; + +- if (pw_pass[1] == '\0') { ++ while ('!' == *s) ++ ++s; ++ ++ if (*s == '\0') { + fprintf (stderr, + _("%s: unlocking the user's password would result in a passwordless account.\n" + "You should set a password with usermod -p to unlock this user's password.\n"), +@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); +- s = pw_pass; +- while ('\0' != *s) { +- *s = *(s + 1); +- s++; +- } ++ memmove (pw_pass, s, strlen (s) + 1); + } else if (pflg) { ++ if (strchr (user_pass, ':') != NULL) { ++ fprintf (stderr, ++ _("%s: The password field cannot contain a colon character.\n"), ++ Prog); ++ return pw_pass; ++ ++ } + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "updating-password", diff --git a/shadow-utils.spec b/shadow-utils.spec index 26569bb..48d0f8b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz 
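Review bot: The new check in the `pflg` branch of `new_pw_passwd` in usermod.c rejects only `':'`, but a `'\n'` in `user_pass` corrupts the passwd/shadow line just as badly by splitting the entry into two records; `if (strpbrk (user_pass, ":\n") != NULL) {` covers both with the same error path (the message would then need to name both characters). That error path also hands back the unchanged `pw_pass`, so the caller cannot tell a rejected password from an untouched one and the command still exits successfully after printing the error; a distinct return value is needed for the failure to propagate. The unlock rewrite (`while ('!' == *s) ++s;` followed by `memmove (pw_pass, s, strlen (s) + 1);`) correctly strips any number of leading `!` characters, including the double `!!` form. `new_pw_passwd` starts and ends outside the hunk.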
@@ -30,6 +30,9 @@ Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch Patch22: shadow-4.2.1-audit-update.patch +Patch23: shadow-4.2.1-usermod-unlock.patch +Patch24: shadow-4.2.1-no-lock-dos.patch +Patch25: shadow-4.2.1-defs-chroot.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -80,6 +83,9 @@ are used for managing group accounts. %patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update +%patch23 -p1 -b .unlock +%patch24 -p1 -b .no-lock-dos +%patch25 -p1 -b .defs-chroot iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -246,6 +252,12 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Aug 27 2015 Tomáš Mráz - 2:4.2.1-3 +- unlock also passwords locked with passwd -l +- prevent breaking user entry by entering a password containing colon +- fix possible DoS when locking the database files for update +- properly use login.defs from the chroot in useradd + * Fri Jun 19 2015 Fedora Release Engineering - 2:4.2.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild From c2f1a1c502a09dc27d80637e6c730ab7f0ef525d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 6 Nov 2015 14:34:35 +0100 Subject: [PATCH 27/64] document that groupmems is not setuid root - document that expiration of the password after inactivity period locks the user account completely --- shadow-4.2.1-manfix.patch | 41 +++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch index 4c6520e..0a26db8 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch 
@@ -1,3 +1,30 @@ +diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml +--- shadow-4.2.1/man/groupmems.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/groupmems.8.xml 2015-11-06 14:21:03.013060324 +0100 +@@ -179,20 +179,10 @@ + + SETUP + +- The groupmems executable should be in mode +- 2770 as user root and in group +- groups. The system administrator can add users to +- group groups to allow or disallow them using the +- groupmems utility to manage their own group +- membership list. ++ In this operating system the groupmems executable ++ is not setuid and regular users cannot use it to manipulate ++ the membership of their own group. + +- +- +- $ groupadd -r groups +- $ chmod 2770 groupmems +- $ chown root.groups groupmems +- $ groupmems -g groups -a gk4 +- + + + diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml --- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 +++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 
@@ -32,6 +59,20 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: +diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml +--- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 +@@ -208,8 +208,8 @@ + + + After expiration of the password and this expiration period is +- elapsed, no login is possible using the current user's +- password. The user should contact her administrator. ++ elapsed, no login is possible for the user. ++ The user should contact her administrator. + + + An empty field means that there are no enforcement of an diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml --- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 +++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 diff --git a/shadow-utils.spec b/shadow-utils.spec index 48d0f8b..691f414 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -252,6 +252,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Nov 6 2015 Tomáš Mráz - 2:4.2.1-4 +- document that groupmems is not setuid root +- document that expiration of the password after inactivity period + locks the user account completely + * Thu Aug 27 2015 Tomáš Mráz - 2:4.2.1-3 - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon From 4e08f5dd0a44e73017bc6753aacfb0c3ab4ca124 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 14 Dec 2015 17:57:58 +0100 Subject: [PATCH 28/64] Remove obsolete patch. --- shadow-4.1.5-grremove.patch | 45 ------------------------------------- 1 file changed, 45 deletions(-) delete mode 100644 shadow-4.1.5-grremove.patch diff --git a/shadow-4.1.5-grremove.patch b/shadow-4.1.5-grremove.patch deleted file mode 100644 index 09e673a..0000000 --- a/shadow-4.1.5-grremove.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff -up shadow-4.1.5/src/userdel.c.grremove shadow-4.1.5/src/userdel.c ---- shadow-4.1.5/src/userdel.c.grremove 2012-03-20 12:19:13.260854838 +0100 -+++ shadow-4.1.5/src/userdel.c 2012-03-20 12:38:26.235622957 +0100 -@@ -333,22 +333,22 @@ static void remove_usergroup (void) - * We can remove this group, it is not the primary - * group of any remaining user. - */ -- if (gr_remove (grp->gr_name) == 0) { -+ if (gr_remove (user_name) == 0) { - fprintf (stderr, - _("%s: cannot remove entry '%s' from %s\n"), -- Prog, grp->gr_name, gr_dbname ()); -+ Prog, user_name, gr_dbname ()); - fail_exit (E_GRP_UPDATE); - } - - #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_GROUP, Prog, - "deleting group", -- grp->gr_name, AUDIT_NO_ID, -+ user_name, AUDIT_NO_ID, - SHADOW_AUDIT_SUCCESS); - #endif /* WITH_AUDIT */ - SYSLOG ((LOG_INFO, - "removed group '%s' owned by '%s'\n", -- grp->gr_name, user_name)); -+ user_name, user_name)); - - #ifdef SHADOWGRP - if (sgr_locate (user_name) != NULL) { -@@ -361,12 +361,12 @@ static void remove_usergroup (void) - #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_GROUP, Prog, - "deleting shadow group", -- grp->gr_name, AUDIT_NO_ID, -+ user_name, AUDIT_NO_ID, - SHADOW_AUDIT_SUCCESS); - #endif /* WITH_AUDIT */ - SYSLOG ((LOG_INFO, - "removed shadow group '%s' owned by '%s'\n", -- grp->gr_name, user_name)); -+ user_name, user_name)); - - } - #endif /* SHADOWGRP */ From 904910f545376a3d17ae736976623aa1af764f09 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 8 Jan 2016 10:02:12 +0100 Subject: [PATCH 29/64] do not use obscure permissions for binaries - remove unused commands from login.defs(5) cross-reference --- shadow-4.2.1-manfix.patch | 144 +++++++++++++++++++++++++++++++++++++- shadow-utils.spec | 10 ++- 2 files changed, 150 insertions(+), 4 deletions(-) diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch index 0a26db8..04fcb4a 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch @@ -38,9 +38,23 @@ diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml +diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/login.defs.5 +--- shadow-4.2.1/man/ja/man5/login.defs.5.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/ja/man5/login.defs.5 2016-01-08 09:58:29.591702354 +0100 +@@ -147,10 +147,6 @@ 以下の参照表は、 + shadow パスワード機能のどのプログラムが + どのパラメータを使用するかを示したものである。 + .na +-.IP chfn 12 +-CHFN_AUTH CHFN_RESTRICT +-.IP chsh 12 +-CHFN_AUTH + .IP groupadd 12 + GID_MAX GID_MIN + .IP newusers 12 diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml --- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 -+++ shadow-4.2.1/man/login.defs.5.xml 2014-11-26 15:34:51.257978963 +0100 ++++ shadow-4.2.1/man/login.defs.5.xml 2016-01-08 09:59:35.854169787 +0100 @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. 
@@ -59,6 +73,134 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: +@@ -252,26 +263,6 @@ + + + +- chfn +- +- +- CHFN_AUTH +- CHFN_RESTRICT +- LOGIN_STRING +- +- +- +- +- chgpasswd +- +- +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB +- SHA_CRYPT_MAX_ROUNDS +- SHA_CRYPT_MIN_ROUNDS +- +- +- +- + chpasswd + + +@@ -282,14 +273,6 @@ + + + +- +- chsh +- +- +- CHSH_AUTH LOGIN_STRING +- +- +- + + + +@@ -350,34 +333,6 @@ + + + +- +- login +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE +- ERASECHAR FAIL_DELAY +- FAILLOG_ENAB +- FAKE_SHELL +- FTMP_FILE +- HUSHLOGIN_FILE +- ISSUE_FILE +- KILLCHAR +- LASTLOG_ENAB +- LOGIN_RETRIES +- LOGIN_STRING +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB +- TTYGROUP TTYPERM TTYTYPE_FILE +- ULIMIT UMASK +- USERGROUPS_ENAB +- +- +- + + + newgrp / sg +@@ -405,17 +360,6 @@ + + + +- +- passwd +- +- +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN +- SHA_CRYPT_MAX_ROUNDS +- SHA_CRYPT_MIN_ROUNDS +- +- +- + + pwck + +@@ -442,32 +386,6 @@ + + + +- +- su +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENVIRON_FILE +- ENV_PATH ENV_SUPATH +- ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB +- SULOG_FILE SU_NAME +- SU_WHEEL_ONLY +- SYSLOG_SU_ENAB +- USERGROUPS_ENAB +- +- +- +- +- sulogin +- +- +- ENV_HZ +- ENV_TZ +- +- +- + + useradd + diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml --- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 +++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 diff --git a/shadow-utils.spec b/shadow-utils.spec index 691f414..a10460b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -218,8 +218,8 @@ rm -rf $RPM_BUILD_ROOT %attr(4755,root,root) %{_bindir}/newgidmap %attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser -%attr(0750,root,root) %{_sbindir}/user* -%attr(0750,root,root) %{_sbindir}/group* +%attr(0755,root,root) %{_sbindir}/user* +%attr(0755,root,root) %{_sbindir}/group* %{_sbindir}/grpck %{_sbindir}/pwck %{_sbindir}/*conv @@ -252,6 +252,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jan 8 2015 Tomáš Mráz - 2:4.2.1-5 +- do not use obscure permissions for binaries +- remove unused commands from login.defs(5) cross-reference + * Fri Nov 6 2015 Tomáš Mráz - 2:4.2.1-4 - document that groupmems is not setuid root - document that expiration of the password after inactivity period From 05ccc5cb0bc2d9987857c647eda1267315e8cfcf Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 8 Jan 2016 10:02:44 +0100 Subject: [PATCH 30/64] Correct changelog date. --- shadow-utils.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index a10460b..21eb936 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -252,7 +252,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog -* Fri Jan 8 2015 Tomáš Mráz - 2:4.2.1-5 +* Fri Jan 8 2016 Tomáš Mráz - 2:4.2.1-5 - do not use obscure permissions for binaries - remove unused commands from login.defs(5) cross-reference From b1dccbc445d9c9d8db3ae105b3f835a493be7da9 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Wed, 3 Feb 2016 14:01:19 +0100 Subject: [PATCH 31/64] add possibility to clear or set lastlog record for user via lastlog --- shadow-4.2.1-lastlog-unexpire.patch | 249 ++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 255 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-lastlog-unexpire.patch diff --git a/shadow-4.2.1-lastlog-unexpire.patch b/shadow-4.2.1-lastlog-unexpire.patch new file mode 100644 index 0000000..2596820 --- /dev/null +++ b/shadow-4.2.1-lastlog-unexpire.patch 
@@ -0,0 +1,249 @@ +diff -up shadow-4.2.1/man/lastlog.8.xml.unexpire shadow-4.2.1/man/lastlog.8.xml +--- shadow-4.2.1/man/lastlog.8.xml.unexpire 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/lastlog.8.xml 2016-02-03 11:50:20.481293785 +0100 +@@ -105,6 +105,17 @@ + + + ++ , ++ ++ ++ ++ Clear lastlog record of an user. This option can be used only together ++ with ()). ++ ++ ++ ++ ++ + , + + +@@ -123,6 +134,17 @@ + + + ++ ++ ++ , ++ ++ ++ ++ Set lastlog record of an user to the current time. This option can be ++ used only together with ()). ++ ++ ++ + + + ,  DAYS +diff -up shadow-4.2.1/src/lastlog.c.unexpire shadow-4.2.1/src/lastlog.c +--- shadow-4.2.1/src/lastlog.c.unexpire 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/lastlog.c 2016-02-03 11:35:26.971273603 +0100 +@@ -71,6 +71,8 @@ static struct stat statbuf; /* fstat buf + static bool uflg = false; /* print only an user of range of users */ + static bool tflg = false; /* print is restricted to most recent days */ + static bool bflg = false; /* print excludes most recent days */ ++static bool Cflg = false; /* clear record for user */ ++static bool Sflg = false; /* set record for user */ + + #define NOW (time ((time_t *) 0)) + +@@ -83,8 +85,10 @@ static /*@noreturn@*/void usage (int sta + "Options:\n"), + Prog); + (void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); ++ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); ++ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); + (void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); + (void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); + (void) fputs ("\n", 
usageout); +@@ -194,6 +198,80 @@ static void print (void) + } + } + ++static void update_one (/*@null@*/const struct passwd *pw) ++{ ++ off_t offset; ++ struct lastlog ll; ++ int err; ++ ++ if (NULL == pw) { ++ return; ++ } ++ ++ offset = (off_t) pw->pw_uid * sizeof (ll); ++ /* fseeko errors are not really relevant for us. */ ++ err = fseeko (lastlogfile, offset, SEEK_SET); ++ assert (0 == err); ++ ++ memzero (&ll, sizeof (ll)); ++ ++ if (Sflg) { ++ ll.ll_time = NOW; ++#ifdef HAVE_LL_HOST ++ strcpy (ll.ll_host, "localhost"); ++#endif ++ strcpy (ll.ll_line, "lastlog"); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ACCT_UNLOCK, Prog, ++ "clearing-lastlog", ++ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); ++#endif ++ } ++#ifdef WITH_AUDIT ++ else { ++ audit_logger (AUDIT_ACCT_UNLOCK, Prog, ++ "refreshing-lastlog", ++ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); ++ } ++#endif ++ ++ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { ++ fprintf (stderr, ++ _("%s: Failed to update the entry for UID %lu\n"), ++ Prog, (unsigned long int)pw->pw_uid); ++ exit (EXIT_FAILURE); ++ } ++} ++ ++static void update (void) ++{ ++ const struct passwd *pwent; ++ ++ if (!uflg) /* safety measure */ ++ return; ++ ++ if (has_umin && has_umax && (umin == umax)) { ++ update_one (getpwuid ((uid_t)umin)); ++ } else { ++ setpwent (); ++ while ( (pwent = getpwent ()) != NULL ) { ++ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) ++ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { ++ continue; ++ } ++ update_one (pwent); ++ } ++ endpwent (); ++ } ++ ++ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { ++ fprintf (stderr, ++ _("%s: Failed to update the lastlog file\n"), ++ Prog); ++ exit (EXIT_FAILURE); ++ } ++} ++ + int main (int argc, char **argv) + { + /* +@@ -208,18 +286,24 @@ int main (int argc, char **argv) + + process_root_flag ("-R", argc, argv); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + { + int c; + static struct 
option const longopts[] = { + {"before", required_argument, NULL, 'b'}, ++ {"clear", no_argument, NULL, 'C'}, + {"help", no_argument, NULL, 'h'}, + {"root", required_argument, NULL, 'R'}, ++ {"set", no_argument, NULL, 'S'}, + {"time", required_argument, NULL, 't'}, + {"user", required_argument, NULL, 'u'}, + {NULL, 0, NULL, '\0'} + }; + +- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, ++ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, + NULL)) != -1) { + switch (c) { + case 'b': +@@ -235,11 +319,21 @@ int main (int argc, char **argv) + bflg = true; + break; + } ++ case 'C': ++ { ++ Cflg = true; ++ break; ++ } + case 'h': + usage (EXIT_SUCCESS); + /*@notreached@*/break; + case 'R': /* no-op, handled in process_root_flag () */ + break; ++ case 'S': ++ { ++ Sflg = true; ++ break; ++ } + case 't': + { + unsigned long days; +@@ -294,9 +388,21 @@ int main (int argc, char **argv) + Prog, argv[optind]); + usage (EXIT_FAILURE); + } ++ if (Cflg && Sflg) { ++ fprintf (stderr, ++ _("%s: Option -C cannot be used together with option -S\n"), ++ Prog); ++ usage (EXIT_FAILURE); ++ } ++ if ((Cflg || Sflg) && !uflg) { ++ fprintf (stderr, ++ _("%s: Options -C and -S require option -u to specify the user\n"), ++ Prog); ++ usage (EXIT_FAILURE); ++ } + } + +- lastlogfile = fopen (LASTLOG_FILE, "r"); ++ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); + if (NULL == lastlogfile) { + perror (LASTLOG_FILE); + exit (EXIT_FAILURE); +@@ -310,7 +416,10 @@ int main (int argc, char **argv) + exit (EXIT_FAILURE); + } + +- print (); ++ if (Cflg || Sflg) ++ update (); ++ else ++ print (); + + (void) fclose (lastlogfile); + +diff -up shadow-4.2.1/src/Makefile.am.unexpire shadow-4.2.1/src/Makefile.am +--- shadow-4.2.1/src/Makefile.am.unexpire 2014-05-08 10:43:11.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-02-03 11:35:26.971273603 +0100 +@@ -95,6 +95,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) + grpck_LDADD = $(LDADD) $(LIBSELINUX) + grpconv_LDADD = 
$(LDADD) $(LIBSELINUX) + grpunconv_LDADD = $(LDADD) $(LIBSELINUX) ++lastlog_LDADD = $(LDADD) $(LIBAUDIT) + login_SOURCES = \ + login.c \ + login_nopam.c +diff -up shadow-4.2.1/src/Makefile.in.unexpire shadow-4.2.1/src/Makefile.in +--- shadow-4.2.1/src/Makefile.in.unexpire 2014-05-09 18:49:48.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-02-03 11:35:26.972273609 +0100 +@@ -197,7 +197,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) + $(top_builddir)/lib/libshadow.la + lastlog_SOURCES = lastlog.c + lastlog_OBJECTS = lastlog.$(OBJEXT) +-lastlog_LDADD = $(LDADD) ++lastlog_LDADD = $(LDADD) $(LIBAUDIT) + lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(top_builddir)/libmisc/libmisc.a \ + $(top_builddir)/lib/libshadow.la diff --git a/shadow-utils.spec b/shadow-utils.spec index 21eb936..404d754 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -33,6 +33,7 @@ Patch22: shadow-4.2.1-audit-update.patch Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.2.1-defs-chroot.patch +Patch26: shadow-4.2.1-lastlog-unexpire.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -86,6 +87,7 @@ are used for managing group accounts. %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch25 -p1 -b .defs-chroot +%patch26 -p1 -b .unexpire iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
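Review bot: The audit labels in `update_one` in lastlog.c are swapped: the `Sflg` branch, which sets `ll.ll_time = NOW`, logs `"clearing-lastlog"`, while the `else` branch taken for `-C` (the record stays zeroed) logs `"refreshing-lastlog"`, so the audit trail records the opposite of what was done to the account; exchange the two strings. The `fseeko` result is checked only by `assert (0 == err)`, which compiles away under `NDEBUG` and would let the following `fwrite` land at whatever the current file offset is, overwriting another uid's record; an explicit check that reports and exits, `if (0 != err) { perror ("fseeko"); exit (EXIT_FAILURE); }`, is safer than the assert and the comment calling such errors irrelevant. `update` also applies `-C`/`-S` to every account in a `-u` range, which the usage text ("of an user") does not make clear.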
@@ -252,6 +254,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 3 2016 Tomáš Mráz - 2:4.2.1-6 +- add possibility to clear or set lastlog record for user via lastlog + * Fri Jan 8 2016 Tomáš Mráz - 2:4.2.1-5 - do not use obscure permissions for binaries - remove unused commands from login.defs(5) cross-reference From 1bf254df986df2ead06c2739e7c47ac89e3f0537 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 9 Feb 2016 11:54:02 +0100 Subject: [PATCH 32/64] usermod: properly return error during password manipulation --- shadow-4.2.1-usermod-unlock.patch | 32 +++++++++++++++++++++++++++---- shadow-utils.spec | 5 ++++- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.2.1-usermod-unlock.patch index 85403cd..19feecb 100644 --- a/shadow-4.2.1-usermod-unlock.patch +++ b/shadow-4.2.1-usermod-unlock.patch @@ -1,7 +1,7 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.unlock 2014-12-01 15:14:58.000000000 +0100 -+++ shadow-4.2.1/src/usermod.c 2015-08-27 14:31:50.899712180 +0200 -@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas +--- shadow-4.2.1/src/usermod.c.unlock 2016-02-03 11:54:14.977664838 +0100 ++++ shadow-4.2.1/src/usermod.c 2016-02-09 11:52:08.244957222 +0100 +@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; } else if (Uflg && pw_pass[0] == '!') { @@ -16,6 +16,12 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c fprintf (stderr, _("%s: unlocking the user's password would result in a passwordless account.\n" "You should set a password with usermod -p to unlock this user's password.\n"), + Prog); +- return pw_pass; ++ return NULL; + } + + #ifdef WITH_AUDIT @@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas user_newname, (unsigned int) user_newid, 1); #endif 
@@ -31,9 +37,27 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c + fprintf (stderr, + _("%s: The password field cannot contain a colon character.\n"), + Prog); -+ return pw_pass; ++ return NULL; + + } #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating-password", +@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw + if ( (!is_shadow_pwd) + || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) { + pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd); ++ if (pwent->pw_passwd == NULL) ++ fail_exit (E_PW_UPDATE); + } + + if (uflg) { +@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen + * + aging has been requested + */ + spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp); ++ if (spent->sp_pwdp == NULL) ++ fail_exit(E_PW_UPDATE); + + if (pflg) { + spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; diff --git a/shadow-utils.spec b/shadow-utils.spec index 404d754..786443e 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -254,6 +254,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 9 2016 Tomáš Mráz - 2:4.2.1-7 +- usermod: properly return error during password manipulation + * Wed Feb 3 2016 Tomáš Mráz - 2:4.2.1-6 - add possibility to clear or set lastlog record for user via lastlog From a359c84a6ee4a0c9e75b406ff868c1efac7ceeaa Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 17 Mar 2016 17:40:43 +0100 Subject: [PATCH 33/64] userdel: fix userdel -f with /etc/subuid present (#1316168) --- shadow-4.2.1-user-busy.patch | 48 ++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-user-busy.patch 
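Review bot: The two new NULL checks in `new_pwent` and `new_spent` assign the result to `pwent->pw_passwd` / `spent->sp_pwdp` before testing it, so when `new_pw_passwd` fails the entry already holds a NULL password pointer at the moment `fail_exit (E_PW_UPDATE)` runs; whether `fail_exit` writes or logs the entry on its way out is not visible here, so this may or may not be a NULL dereference. Testing into a local first, `char *np = new_pw_passwd (pwent->pw_passwd); if (np == NULL) fail_exit (E_PW_UPDATE); pwent->pw_passwd = np;`, removes the question in both places. The second check is written `fail_exit(E_PW_UPDATE)` while every other call in these hunks keeps the file's `name (args)` spacing. Both functions start and end outside the hunk.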
diff --git a/shadow-4.2.1-user-busy.patch b/shadow-4.2.1-user-busy.patch new file mode 100644 index 0000000..ee7e41a --- /dev/null +++ b/shadow-4.2.1-user-busy.patch @@ -0,0 +1,48 @@ +From d2fa8c5d4b0b19445562daf78d3a62421fe8d6b8 Mon Sep 17 00:00:00 2001 +From: Bastian Blank +Date: Tue, 17 Nov 2015 10:52:24 -0600 +Subject: [PATCH] Fix user busy errors at userdel + +From: Bastian Blank +Acked-by: Serge Hallyn +--- + libmisc/user_busy.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c +index db7174a..0db32c3 100644 +--- a/libmisc/user_busy.c ++++ b/libmisc/user_busy.c +@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) + if (stat ("/", &sbroot) != 0) { + perror ("stat (\"/\")"); + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + return 0; + } + +@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) + + if (check_status (name, tmp_d_name, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); +@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) + } + if (check_status (name, task_path+6, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); +-- +2.5.0 + diff --git a/shadow-utils.spec b/shadow-utils.spec index 786443e..b47ae15 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz 
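Review bot: The added `sub_uid_close()` calls cover three early returns in `user_busy_processes`, but the matching `sub_uid_open()` and the function's remaining exits (the normal return and any earlier failure paths) are outside the hunk, so it is not visible whether every path now closes exactly once; a second `sub_uid_close()` on a path that already closed would be as much a defect as the leak the patch fixes. Worth checking against the whole function, and a comment at the first `#ifdef ENABLE_SUBIDS` block, `/* keep paired with the sub_uid_open () at function entry */`, would make the pairing explicit. `user_busy_processes` starts and ends outside the hunk.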
@@ -34,6 +34,7 @@ Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch +Patch27: shadow-4.2.1-user-busy.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -88,6 +89,7 @@ are used for managing group accounts. %patch24 -p1 -b .no-lock-dos %patch25 -p1 -b .defs-chroot %patch26 -p1 -b .unexpire +%patch27 -p1 -b .user-busy iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -254,6 +256,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Mar 17 2016 Tomáš Mráz - 2:4.2.1-8 +- userdel: fix userdel -f with /etc/subuid present (#1316168) + * Tue Feb 9 2016 Tomáš Mráz - 2:4.2.1-7 - usermod: properly return error during password manipulation From f884cd4c94710f3944e87f05073c65daba8fb890 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 26 May 2016 21:05:16 +0200 Subject: [PATCH 34/64] chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902) --- shadow-4.2.1-manfix.patch | 22 +-- shadow-4.2.1-selinux-perms.patch | 277 +++++++++++++++++++++++++++++++ shadow-utils.spec | 13 +- 3 files changed, 292 insertions(+), 20 deletions(-) create mode 100644 shadow-4.2.1-selinux-perms.patch diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch index 04fcb4a..2ca84b3 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch @@ -73,7 +73,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: -@@ -252,26 +263,6 @@ +@@ -252,16 +263,6 @@ @@ -87,20 +87,10 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. - - - -- chgpasswd -- -- -- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB -- SHA_CRYPT_MAX_ROUNDS -- SHA_CRYPT_MIN_ROUNDS -- -- -- -- - chpasswd + chgpasswd -@@ -282,14 +273,6 @@ +@@ -282,14 +283,6 @@ 
@@ -115,7 +105,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. -@@ -350,34 +333,6 @@ +@@ -350,34 +342,6 @@ @@ -150,7 +140,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. newgrp / sg -@@ -405,17 +360,6 @@ +@@ -405,17 +370,6 @@ @@ -168,7 +158,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. pwck -@@ -442,32 +386,6 @@ +@@ -442,32 +396,6 @@ diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.2.1-selinux-perms.patch new file mode 100644 index 0000000..eb18aeb --- /dev/null +++ b/shadow-4.2.1-selinux-perms.patch 
@@ -0,0 +1,277 @@ +diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c +--- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + #include "pam_defs.h" +@@ -76,6 +83,9 @@ static bool sgr_locked = false; + #endif + static bool gr_locked = false; + ++/* The name of the caller */ ++static char *myname = NULL; ++ + /* local function prototypes */ + static void fail_exit (int code); + static /*@noreturn@*/void usage (int status); +@@ -300,6 +310,62 @@ static void check_perms (void) + #endif /* ACCT_TOOLS_SETUID */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ return 0; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ return 0; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ 
freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the group databases + */ +@@ -393,6 +459,7 @@ int main (int argc, char **argv) + + const struct group *gr; + struct group newgr; ++ struct passwd *pw = NULL; + int errors = 0; + int line = 0; + +@@ -408,8 +475,29 @@ int main (int argc, char **argv) + + OPENLOG ("chgpasswd"); + ++ /* ++ * Determine the name of the user that invoked this command. This ++ * is really hit or miss because there are so many ways that command ++ * can be executed and so many ways to trip up the routines that ++ * report the user name. ++ */ ++ pw = get_my_pwent (); ++ if (NULL == pw) { ++ fprintf (stderr, _("%s: Cannot determine your user name.\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "Cannot determine the user name of the caller (UID %lu)", ++ (unsigned long) getuid ())); ++ exit (E_NOPERM); ++ } ++ myname = xstrdup (pw->pw_name); ++ + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef SHADOWGRP + is_shadow_grp = sgr_file_present (); + #endif +@@ -536,6 +624,15 @@ int main (int argc, char **argv) + newgr.gr_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ { ++ ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, gr->gr_name, ++ SHADOW_AUDIT_SUCCESS); ++ } ++#endif + /* + * The updated group file entry is then put back and will + * be written to the group file later, after all the +diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c +--- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef USE_PAM + #include "pam_defs.h" + #endif /* USE_PAM */ +@@ -297,6 +304,62 @@ static void check_perms (void) + #endif 
/* USE_PAM */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ return 0; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ return 0; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the password databases + */ +@@ -407,6 +470,10 @@ int main (int argc, char **argv) + + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef USE_PAM + if (!use_pam) + #endif /* USE_PAM */ +@@ -566,6 +633,11 @@ int main (int argc, char **argv) + newpw.pw_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "updating-password", ++ pw->pw_name, (unsigned int) pw->pw_uid, 1); ++#endif + /* + * The updated password file entry is then put back and will + * be written to the password file later, after all the +diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am +--- 
shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) + newuidmap_LDADD = $(LDADD) $(LIBSELINUX) + newgidmap_LDADD = $(LDADD) $(LIBSELINUX) + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) ++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in +--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( + newuidmap_LDADD = $(LDADD) $(LIBSELINUX) + newgidmap_LDADD = $(LDADD) $(LIBSELINUX) + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) ++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) 
$(LIBSELINUX) diff --git a/shadow-utils.spec b/shadow-utils.spec index b47ae15..f8fb4aa 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -35,6 +35,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch Patch27: shadow-4.2.1-user-busy.patch +Patch28: shadow-4.2.1-selinux-perms.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -90,6 +91,7 @@ are used for managing group accounts. %patch25 -p1 -b .defs-chroot %patch26 -p1 -b .unexpire %patch27 -p1 -b .user-busy +%patch28 -p1 -b .selinux-perms iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -156,7 +158,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd rm $RPM_BUILD_ROOT/%{_sbindir}/nologin -rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.* @@ -185,8 +186,6 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* -rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* -rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.* @@ -228,6 +227,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/pwck %{_sbindir}/*conv %{_sbindir}/chpasswd +%{_sbindir}/chgpasswd %{_sbindir}/newusers %{_sbindir}/vipw %{_sbindir}/vigr 
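Review bot: The audit records added inside the per-line loops claim success before anything is written: chpasswd's `audit_logger (AUDIT_USER_CHAUTHTOK, …, 1)` and chgpasswd's `audit_logger_with_group (…, SHADOW_AUDIT_SUCCESS)` sit directly above the comment saying the entry "will be written to the password file later", so a failure in the later database update or close leaves a successful password change in the audit trail for every line processed. I would either emit the success record after the databases are committed or keep the per-entry record and add a failure record when the write fails; chpasswd should also use `SHADOW_AUDIT_SUCCESS` rather than the bare `1` its sibling uses. Separately, selinux_check_root calls `exit (1)` with nothing on stderr when getprevcon fails or the access check is denied, so a caller in an unprivileged domain sees only a silent non-zero exit; `fprintf (stderr, _("%s: Permission denied.\n"), Prog);` before the exit, with E_NOPERM as the status, would match how the tools report their other refusals. main() in both tools is only partially shown by the inner hunks.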
@@ -249,6 +249,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/pwck.8* %{_mandir}/man8/grpck.8* %{_mandir}/man8/chpasswd.8* +%{_mandir}/man8/chgpasswd.8* %{_mandir}/man8/newusers.8* %{_mandir}/man8/*conv.8* %{_mandir}/man8/lastlog.8* @@ -256,6 +257,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 +- chgpasswd: do not remove it +- chpasswd, chgpasswd: add selinux_check_access call (#1336902) + * Thu Mar 17 2016 Tomáš Mráz - 2:4.2.1-8 - userdel: fix userdel -f with /etc/subuid present (#1316168) From abed79ee4e1d44d64b636bc8e906e50eede4d901 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 May 2016 11:59:54 +0200 Subject: [PATCH 35/64] chpasswd, chgpasswd: open audit when starting --- shadow-4.2.1-selinux-perms.patch | 46 ++++++++++++++++++++------------ shadow-utils.spec | 5 +++- 2 files changed, 33 insertions(+), 18 deletions(-) diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.2.1-selinux-perms.patch index eb18aeb..7e7f70e 100644 --- a/shadow-4.2.1-selinux-perms.patch +++ b/shadow-4.2.1-selinux-perms.patch @@ -1,6 +1,6 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c --- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 ++++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200 @@ -39,6 +39,13 @@ #include #include @@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* local function prototypes */ static void fail_exit (int code); static /*@noreturn@*/void usage (int status); -@@ -300,6 +310,62 @@ static void check_perms (void) +@@ -300,6 +310,63 @@ static void check_perms (void) #endif /* ACCT_TOOLS_SETUID */ } 
@@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} @@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* * open_files - lock and open the group databases */ -@@ -393,6 +459,7 @@ int main (int argc, char **argv) +@@ -393,6 +460,7 @@ int main (int argc, char **argv) const struct group *gr; struct group newgr; @@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c int errors = 0; int line = 0; -@@ -408,8 +475,29 @@ int main (int argc, char **argv) +@@ -408,8 +476,33 @@ int main (int argc, char **argv) OPENLOG ("chgpasswd"); ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + /* + * Determine the name of the user that invoked this command. This + * is really hit or miss because there are so many ways that command @@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); #endif -@@ -536,6 +624,15 @@ int main (int argc, char **argv) +@@ -536,6 +629,15 @@ int main (int argc, char **argv) newgr.gr_passwd = cp; } @@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c * be written to the group file later, after all the diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c --- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 ++++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200 @@ -39,6 +39,13 @@ #include #include 
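Review bot: The new `goto ret` on the vasprintf failure path still jumps over `audit_close(audit_fd)`, so the descriptor from the `audit_open()` call a few lines above leaks each time formatting fails, and the chpasswd.c copy of log_callback changed in the later hunk has the same gap. Since the label is introduced precisely to unify the exits, closing the fd there keeps both paths consistent: `if (vasprintf (&buf, fmt, ap) < 0) { audit_close (audit_fd); goto ret; }`. log_callback's opening lines are outside this hunk.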
@@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ -@@ -297,6 +304,62 @@ static void check_perms (void) +@@ -297,6 +304,63 @@ static void check_perms (void) #endif /* USE_PAM */ } @@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} @@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c /* * open_files - lock and open the password databases */ -@@ -407,6 +470,10 @@ int main (int argc, char **argv) +@@ -405,8 +469,16 @@ int main (int argc, char **argv) + OPENLOG ("chpasswd"); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ check_perms (); +#ifdef WITH_SELINUX @@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM if (!use_pam) #endif /* USE_PAM */ -@@ -566,6 +633,11 @@ int main (int argc, char **argv) +@@ -566,6 +638,11 @@ int main (int argc, char **argv) newpw.pw_passwd = cp; } @@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c * The updated password file entry is then put back and will * be written to the password file later, after all the diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200 
@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) @@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200 @@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) diff --git a/shadow-utils.spec b/shadow-utils.spec index f8fb4aa..3444f5b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 +- chpasswd, chgpasswd: open audit when starting + * Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 - chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902) From c50e17082d12c2ee8735024567cbbf0ad07acb1f Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Tue, 14 Jun 2016 11:34:10 +0200 Subject: [PATCH 36/64] guard for localtime() and gmtime() failure --- shadow-4.2.1-null-tm.patch | 86 ++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +++- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-null-tm.patch diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch new file mode 100644 index 0000000..15b7720 --- /dev/null +++ b/shadow-4.2.1-null-tm.patch 
@@ -0,0 +1,86 @@ +diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c +--- shadow-4.2.1/src/faillog.c.null-tm 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/faillog.c 2016-06-14 11:30:00.066890251 +0200 +@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s + } + + tm = localtime (&fl.fail_time); ++ if (tm == NULL) { ++ cp = "(unknown)"; ++ } else { + #ifdef HAVE_STRFTIME +- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); +- cp = ptime; ++ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); ++ cp = ptime; + #endif ++ } + printf ("%-9s %5d %5d ", + pw->pw_name, fl.fail_cnt, fl.fail_max); + /* FIXME: cp is not defined ifndef HAVE_STRFTIME */ +diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c +--- shadow-4.2.1/src/chage.c.null-tm 2016-05-27 16:04:00.000000000 +0200 ++++ shadow-4.2.1/src/chage.c 2016-06-14 11:18:25.299366908 +0200 +@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size + struct tm *tp; + + tp = gmtime (&date); ++ if (tp == NULL) { ++ (void) snprintf (buf, maxsize, "(unknown)"); ++ return; ++ } + #ifdef HAVE_STRFTIME + (void) strftime (buf, maxsize, "%Y-%m-%d", tp); + #else +diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c +--- shadow-4.2.1/src/lastlog.c.null-tm 2016-05-27 16:04:00.000000000 +0200 ++++ shadow-4.2.1/src/lastlog.c 2016-06-14 11:29:39.210423264 +0200 +@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s + + ll_time = ll.ll_time; + tm = localtime (&ll_time); ++ if (tm == NULL) { ++ cp = "(unknown)"; ++ } else { + #ifdef HAVE_STRFTIME +- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); +- cp = ptime; ++ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); ++ cp = ptime; + #else +- cp = asctime (tm); +- cp[24] = '\0'; ++ cp = asctime (tm); ++ cp[24] = '\0'; + #endif ++ } + + if (ll.ll_time == (time_t) 0) { + cp = _("**Never logged in**\0"); +diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c 
+--- shadow-4.2.1/src/passwd.c.null-tm 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/passwd.c 2016-06-14 11:23:21.028969028 +0200 +@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to + struct tm *tm; + + tm = gmtime (&t); ++ if (tm == NULL) { ++ return "(unknown)"; ++ } + #ifdef HAVE_STRFTIME + (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); + #else /* !HAVE_STRFTIME */ +diff -up shadow-4.2.1/src/usermod.c.null-tm shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.null-tm 2016-05-27 16:04:00.000000000 +0200 ++++ shadow-4.2.1/src/usermod.c 2016-06-14 11:24:50.974977059 +0200 +@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ + } else { + time_t t = (time_t) date; + tp = gmtime (&t); ++ if (tp == NULL) { ++ strncpy (buf, "unknown", maxsize); ++ return; ++ } + #ifdef HAVE_STRFTIME + strftime (buf, maxsize, "%Y-%m-%d", tp); + #else diff --git a/shadow-utils.spec b/shadow-utils.spec index 3444f5b..70f0b52 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -36,6 +36,7 @@ Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch Patch27: shadow-4.2.1-user-busy.patch Patch28: shadow-4.2.1-selinux-perms.patch +Patch29: shadow-4.2.1-null-tm.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -92,6 +93,7 @@ are used for managing group accounts. %patch26 -p1 -b .unexpire %patch27 -p1 -b .user-busy %patch28 -p1 -b .selinux-perms +%patch29 -p1 -b .null-tm iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
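Review bot: The usermod.c fallback uses `strncpy (buf, "unknown", maxsize)`, which leaves buf without a terminator whenever maxsize is smaller than 8 and also differs from the "(unknown)" text the chage.c, passwd.c, faillog.c and lastlog.c hunks use; `(void) snprintf (buf, maxsize, "(unknown)");`, as already written in the chage.c hunk, fixes both. In faillog.c the new else-branch assigns cp only under HAVE_STRFTIME, so the pre-existing FIXME about cp being undefined without strftime still applies to the non-NULL path, though that is not made worse here. date_to_str in usermod.c starts before and ends after the hunk.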
@@ -257,6 +259,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 +- guard for localtime() and gmtime() failure + * Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 - chpasswd, chgpasswd: open audit when starting From f8ab516d30fa7314792b8f993b439cebecdcb0c2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:03:52 +0200 Subject: [PATCH 37/64] new upstream release fixing low impact security issue --- .gitignore | 1 + shadow-utils.spec | 33 ++++++++++++--------------------- sources | 3 +-- 3 files changed, 14 insertions(+), 23 deletions(-) diff --git a/.gitignore b/.gitignore index e78a553..09b6c9b 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.5.1.tar.bz2.sig /shadow-4.2.1.tar.xz /shadow-4.2.1.tar.xz.sig +/shadow-4.3.1.tar.gz diff --git a/shadow-utils.spec b/shadow-utils.spec index 70f0b52..e799786 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,11 +1,10 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.2.1 -Release: 11%{?dist} +Version: 4.3.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz -Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig +Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Source4: shadow-bsd.txt 
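Review bot: Source0 now points at GitHub's auto-generated `archive/%{version}.tar.gz` and the detached `.tar.xz.sig` that was Source3 is dropped, so nothing in the package any longer ties the tarball to an upstream signature, and the `sources` file updated in this commit records only an md5 of the new archive. GitHub archive tarballs are regenerated on demand and their checksum is not guaranteed stable, which makes even that md5 a weak anchor. If upstream publishes a signed release tarball for this version I would prefer restoring a `Source3:` signature line and verifying it in %prep where the buildsystem supports that; otherwise a comment on Source0 such as `# GitHub archive: no upstream signature available; pin and verify the checksum in sources` would document the weaker provenance. The changelog entry refers to a "low impact security issue" without naming it; if an identifier exists, adding it helps downstream triage.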
@@ -23,19 +22,17 @@ Patch11: shadow-4.1.5.1-logmsg.patch Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.2.1-manfix.patch +Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.2.1-audit-update.patch +Patch22: shadow-4.3.1-audit-update.patch Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch25: shadow-4.2.1-defs-chroot.patch -Patch26: shadow-4.2.1-lastlog-unexpire.patch -Patch27: shadow-4.2.1-user-busy.patch -Patch28: shadow-4.2.1-selinux-perms.patch +Patch25: shadow-4.3.1-defs-chroot.patch +Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch License: BSD and GPLv2+ @@ -90,8 +87,6 @@ are used for managing group accounts. %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch25 -p1 -b .defs-chroot -%patch26 -p1 -b .unexpire -%patch27 -p1 -b .user-busy %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm @@ -100,17 +95,10 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . -rm libmisc/getdate.c - -#rm po/*.gmo -#rm po/stamp-po -#aclocal -#libtoolize --force -#automake -a -#autoconf - %build +./autogen.sh + %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -259,6 +247,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1 +- new upstream release fixing low impact security issue + * Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 - guard for localtime() and gmtime() failure diff --git a/sources b/sources index 9a96021..899422e 100644 --- a/sources +++ b/sources 
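Review bot: `./autogen.sh` is now run at the start of %build, presumably because the GitHub archive tarball ships no generated configure script, but this hunk adds no matching BuildRequires; unless autoconf, automake, libtool and gettext-devel are already listed elsewhere in the spec, the build will fail in a clean buildroot. A comment above the call, `# GitHub archive has no pre-generated configure; regenerate (needs autoconf/automake/libtool)`, would record why this step exists for this source form. The rest of %prep and %build runs outside the hunk.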
@@ -1,2 +1 @@ -2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz -6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig +b6b48ef1af4eb088937c8cc47e317009 shadow-4.3.1.tar.gz From 6c18d5356b64b72ec7c47962d3d06d70a9b6338d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:06:06 +0200 Subject: [PATCH 38/64] Update patches for rebase --- shadow-4.2.1-lastlog-unexpire.patch | 249 ------------------ shadow-4.2.1-user-busy.patch | 48 ---- ...e.patch => shadow-4.3.1-audit-update.patch | 190 ++++++------- ...ot.patch => shadow-4.3.1-defs-chroot.patch | 12 +- ...-manfix.patch => shadow-4.3.1-manfix.patch | 52 ++-- ....patch => shadow-4.3.1-selinux-perms.patch | 35 +-- 6 files changed, 134 insertions(+), 452 deletions(-) delete mode 100644 shadow-4.2.1-lastlog-unexpire.patch delete mode 100644 shadow-4.2.1-user-busy.patch rename shadow-4.2.1-audit-update.patch => shadow-4.3.1-audit-update.patch (92%) rename shadow-4.2.1-defs-chroot.patch => shadow-4.3.1-defs-chroot.patch (60%) rename shadow-4.2.1-manfix.patch => shadow-4.3.1-manfix.patch (81%) rename shadow-4.2.1-selinux-perms.patch => shadow-4.3.1-selinux-perms.patch (79%) diff --git a/shadow-4.2.1-lastlog-unexpire.patch b/shadow-4.2.1-lastlog-unexpire.patch deleted file mode 100644 index 2596820..0000000 --- a/shadow-4.2.1-lastlog-unexpire.patch +++ /dev/null 
@@ -1,249 +0,0 @@ -diff -up shadow-4.2.1/man/lastlog.8.xml.unexpire shadow-4.2.1/man/lastlog.8.xml ---- shadow-4.2.1/man/lastlog.8.xml.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/lastlog.8.xml 2016-02-03 11:50:20.481293785 +0100 -@@ -105,6 +105,17 @@ - - - -+ , -+ -+ -+ -+ Clear lastlog record of an user. This option can be used only together -+ with ()). -+ -+ -+ -+ -+ - , - - -@@ -123,6 +134,17 @@ - - - -+ -+ -+ , -+ -+ -+ -+ Set lastlog record of an user to the current time. This option can be -+ used only together with ()). -+ -+ -+ - - - ,  DAYS -diff -up shadow-4.2.1/src/lastlog.c.unexpire shadow-4.2.1/src/lastlog.c ---- shadow-4.2.1/src/lastlog.c.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/lastlog.c 2016-02-03 11:35:26.971273603 +0100 -@@ -71,6 +71,8 @@ static struct stat statbuf; /* fstat buf - static bool uflg = false; /* print only an user of range of users */ - static bool tflg = false; /* print is restricted to most recent days */ - static bool bflg = false; /* print excludes most recent days */ -+static bool Cflg = false; /* clear record for user */ -+static bool Sflg = false; /* set record for user */ - - #define NOW (time ((time_t *) 0)) - -@@ -83,8 +85,10 @@ static /*@noreturn@*/void usage (int sta - "Options:\n"), - Prog); - (void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); -+ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); - (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -+ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); - (void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); - (void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); - (void) fputs ("\n", 
usageout); -@@ -194,6 +198,80 @@ static void print (void) - } - } - -+static void update_one (/*@null@*/const struct passwd *pw) -+{ -+ off_t offset; -+ struct lastlog ll; -+ int err; -+ -+ if (NULL == pw) { -+ return; -+ } -+ -+ offset = (off_t) pw->pw_uid * sizeof (ll); -+ /* fseeko errors are not really relevant for us. */ -+ err = fseeko (lastlogfile, offset, SEEK_SET); -+ assert (0 == err); -+ -+ memzero (&ll, sizeof (ll)); -+ -+ if (Sflg) { -+ ll.ll_time = NOW; -+#ifdef HAVE_LL_HOST -+ strcpy (ll.ll_host, "localhost"); -+#endif -+ strcpy (ll.ll_line, "lastlog"); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "clearing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+#endif -+ } -+#ifdef WITH_AUDIT -+ else { -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "refreshing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+ } -+#endif -+ -+ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { -+ fprintf (stderr, -+ _("%s: Failed to update the entry for UID %lu\n"), -+ Prog, (unsigned long int)pw->pw_uid); -+ exit (EXIT_FAILURE); -+ } -+} -+ -+static void update (void) -+{ -+ const struct passwd *pwent; -+ -+ if (!uflg) /* safety measure */ -+ return; -+ -+ if (has_umin && has_umax && (umin == umax)) { -+ update_one (getpwuid ((uid_t)umin)); -+ } else { -+ setpwent (); -+ while ( (pwent = getpwent ()) != NULL ) { -+ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) -+ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { -+ continue; -+ } -+ update_one (pwent); -+ } -+ endpwent (); -+ } -+ -+ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { -+ fprintf (stderr, -+ _("%s: Failed to update the lastlog file\n"), -+ Prog); -+ exit (EXIT_FAILURE); -+ } -+} -+ - int main (int argc, char **argv) - { - /* -@@ -208,18 +286,24 @@ int main (int argc, char **argv) - - process_root_flag ("-R", argc, argv); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ - { - int c; - static struct 
option const longopts[] = { - {"before", required_argument, NULL, 'b'}, -+ {"clear", no_argument, NULL, 'C'}, - {"help", no_argument, NULL, 'h'}, - {"root", required_argument, NULL, 'R'}, -+ {"set", no_argument, NULL, 'S'}, - {"time", required_argument, NULL, 't'}, - {"user", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - -- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, -+ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, - NULL)) != -1) { - switch (c) { - case 'b': -@@ -235,11 +319,21 @@ int main (int argc, char **argv) - bflg = true; - break; - } -+ case 'C': -+ { -+ Cflg = true; -+ break; -+ } - case 'h': - usage (EXIT_SUCCESS); - /*@notreached@*/break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -+ case 'S': -+ { -+ Sflg = true; -+ break; -+ } - case 't': - { - unsigned long days; -@@ -294,9 +388,21 @@ int main (int argc, char **argv) - Prog, argv[optind]); - usage (EXIT_FAILURE); - } -+ if (Cflg && Sflg) { -+ fprintf (stderr, -+ _("%s: Option -C cannot be used together with option -S\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } -+ if ((Cflg || Sflg) && !uflg) { -+ fprintf (stderr, -+ _("%s: Options -C and -S require option -u to specify the user\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } - } - -- lastlogfile = fopen (LASTLOG_FILE, "r"); -+ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); - if (NULL == lastlogfile) { - perror (LASTLOG_FILE); - exit (EXIT_FAILURE); -@@ -310,7 +416,10 @@ int main (int argc, char **argv) - exit (EXIT_FAILURE); - } - -- print (); -+ if (Cflg || Sflg) -+ update (); -+ else -+ print (); - - (void) fclose (lastlogfile); - -diff -up shadow-4.2.1/src/Makefile.am.unexpire shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.unexpire 2014-05-08 10:43:11.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-02-03 11:35:26.971273603 +0100 -@@ -95,6 +95,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) - grpck_LDADD = $(LDADD) $(LIBSELINUX) - grpconv_LDADD = 
$(LDADD) $(LIBSELINUX) - grpunconv_LDADD = $(LDADD) $(LIBSELINUX) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - login_SOURCES = \ - login.c \ - login_nopam.c -diff -up shadow-4.2.1/src/Makefile.in.unexpire shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.unexpire 2014-05-09 18:49:48.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-02-03 11:35:26.972273609 +0100 -@@ -197,7 +197,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) - $(top_builddir)/lib/libshadow.la - lastlog_SOURCES = lastlog.c - lastlog_OBJECTS = lastlog.$(OBJEXT) --lastlog_LDADD = $(LDADD) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(top_builddir)/libmisc/libmisc.a \ - $(top_builddir)/lib/libshadow.la diff --git a/shadow-4.2.1-user-busy.patch b/shadow-4.2.1-user-busy.patch deleted file mode 100644 index ee7e41a..0000000 --- a/shadow-4.2.1-user-busy.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From d2fa8c5d4b0b19445562daf78d3a62421fe8d6b8 Mon Sep 17 00:00:00 2001 -From: Bastian Blank -Date: Tue, 17 Nov 2015 10:52:24 -0600 -Subject: [PATCH] Fix user busy errors at userdel - -From: Bastian Blank -Acked-by: Serge Hallyn ---- - libmisc/user_busy.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c -index db7174a..0db32c3 100644 ---- a/libmisc/user_busy.c -+++ b/libmisc/user_busy.c -@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) - if (stat ("/", &sbroot) != 0) { - perror ("stat (\"/\")"); - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - return 0; - } - -@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) - - if (check_status (name, tmp_d_name, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); -@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) - } - if (check_status (name, task_path+6, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); --- -2.5.0 - diff --git a/shadow-4.2.1-audit-update.patch b/shadow-4.3.1-audit-update.patch similarity index 92% rename from shadow-4.2.1-audit-update.patch rename to shadow-4.3.1-audit-update.patch index 8f2edf8..e708f75 100644 --- a/shadow-4.2.1-audit-update.patch +++ b/shadow-4.3.1-audit-update.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/audit_help.c ---- shadow-4.2.1/libmisc/audit_help.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/audit_help.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/audit_help.c +--- shadow-4.3.1/libmisc/audit_help.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/audit_help.c 2016-08-22 17:21:15.442291139 +0200 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +50,9 @@ diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/aud void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/cleanup_group.c ---- shadow-4.2.1/libmisc/cleanup_group.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_group.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/cleanup_group.c +--- shadow-4.3.1/libmisc/cleanup_group.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/cleanup_group.c 2016-08-22 17:21:15.443291142 +0200 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); 
@@ -131,9 +131,9 @@ diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/ SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/cleanup_user.c ---- shadow-4.2.1/libmisc/cleanup_user.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_user.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/cleanup_user.c +--- shadow-4.3.1/libmisc/cleanup_user.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/cleanup_user.c 2016-08-22 17:21:15.443291142 +0200 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -181,9 +181,9 @@ diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/c SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes.h ---- shadow-4.2.1/lib/prototypes.h.audit-update 2014-11-26 15:06:24.644660498 +0100 -+++ shadow-4.2.1/lib/prototypes.h 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes.h +--- shadow-4.3.1/lib/prototypes.h.audit-update 2016-08-22 17:21:15.406291044 +0200 ++++ shadow-4.3.1/lib/prototypes.h 2016-08-22 17:21:15.443291142 +0200 @@ -208,12 +208,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ 
@@ -206,9 +206,9 @@ diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes. void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c ---- shadow-4.2.1/src/gpasswd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/gpasswd.c 2014-11-26 15:06:24.664660561 +0100 +diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c +--- shadow-4.3.1/src/gpasswd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/gpasswd.c 2016-08-22 17:21:15.444291144 +0200 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -218,7 +218,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); (void) fputs (_(" -M, --members USER,... set the list of members of GROUP\n"), usageout); #ifdef SHADOWGRP -@@ -397,21 +397,14 @@ static void open_files (void) +@@ -396,21 +396,14 @@ static void open_files (void) static void log_gpasswd_failure (const char *suffix) { @@ -243,7 +243,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (dflg) { -@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c +@@ -418,13 +411,9 @@ static void log_gpasswd_failure (const c "%s failed to remove user %s from group %s%s", myname, user, group, suffix)); #ifdef WITH_AUDIT 
@@ -260,7 +260,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (rflg) { -@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c +@@ -432,13 +421,9 @@ static void log_gpasswd_failure (const c "%s failed to remove password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -277,7 +277,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Rflg) { -@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c +@@ -446,13 +431,9 @@ static void log_gpasswd_failure (const c "%s failed to restrict access to group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -294,7 +294,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Aflg || Mflg) { -@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c +@@ -462,13 +443,9 @@ static void log_gpasswd_failure (const c "%s failed to set the administrators of group %s to %s%s", myname, group, admins, suffix)); #ifdef WITH_AUDIT @@ -311,7 +311,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c +@@ -478,13 +455,9 @@ static void log_gpasswd_failure (const c "%s failed to set the members of group %s to %s%s", myname, group, members, suffix)); #ifdef WITH_AUDIT @@ -328,7 +328,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c +@@ -493,13 +466,9 @@ static void log_gpasswd_failure (const c "%s failed to change password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT 
@@ -345,7 +345,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow +@@ -530,21 +499,14 @@ static void log_gpasswd_failure_gshadow static void log_gpasswd_success (const char *suffix) { @@ -370,7 +370,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (dflg) { -@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c +@@ -552,13 +514,9 @@ static void log_gpasswd_success (const c "user %s removed by %s from group %s%s", user, myname, group, suffix)); #ifdef WITH_AUDIT @@ -387,7 +387,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (rflg) { -@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c +@@ -566,13 +524,9 @@ static void log_gpasswd_success (const c "password of group %s removed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -404,7 +404,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Rflg) { -@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c +@@ -580,13 +534,9 @@ static void log_gpasswd_success (const c "access to group %s restricted by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -421,7 +421,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Aflg || Mflg) { -@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c +@@ -596,13 +546,9 @@ static void log_gpasswd_success (const c "administrators of group %s set by %s to %s%s", group, myname, admins, suffix)); #ifdef WITH_AUDIT 
@@ -438,7 +438,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c +@@ -612,13 +558,9 @@ static void log_gpasswd_success (const c "members of group %s set by %s to %s%s", group, myname, members, suffix)); #ifdef WITH_AUDIT @@ -455,7 +455,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c +@@ -627,13 +569,9 @@ static void log_gpasswd_success (const c "password of group %s changed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -472,9 +472,9 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c ---- shadow-4.2.1/src/groupadd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupadd.c 2014-11-26 15:06:24.664660561 +0100 +diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c +--- shadow-4.3.1/src/groupadd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupadd.c 2016-08-22 17:21:15.444291144 +0200 @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -579,7 +579,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c add_cleanup (cleanup_unlock_gshadow, NULL); } @@ -349,7 +352,7 @@ static void open_files (void) - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); - exit (E_GRP_UPDATE); 
@@ -650,10 +650,10 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } } -diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c ---- shadow-4.2.1/src/groupdel.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupdel.c 2014-11-26 15:06:24.665660564 +0100 -@@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c +--- shadow-4.3.1/src/groupdel.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupdel.c 2016-08-22 17:21:15.445291147 +0200 +@@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -669,7 +669,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c /* * grp_update - update group file entries * -@@ -126,7 +135,7 @@ static void grp_update (void) +@@ -128,7 +137,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -678,7 +678,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP -@@ -138,7 +147,7 @@ static void grp_update (void) +@@ -140,7 +149,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -687,7 +687,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -157,12 +166,12 @@ static void close_files (void) +@@ -159,12 +168,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); 
@@ -702,7 +702,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -182,12 +191,12 @@ static void close_files (void) +@@ -184,12 +193,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -718,7 +718,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -201,13 +210,6 @@ static void close_files (void) +@@ -203,13 +212,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ @@ -732,7 +732,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -224,7 +226,7 @@ static void open_files (void) +@@ -226,7 +228,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -741,7 +741,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -233,7 +235,7 @@ static void open_files (void) +@@ -235,7 +237,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -750,7 +750,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -251,7 +253,7 @@ static void open_files (void) +@@ -253,7 +255,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); 
@@ -759,7 +759,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -260,7 +262,7 @@ static void open_files (void) +@@ -262,7 +264,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -768,7 +768,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -301,7 +303,7 @@ static void group_busy (gid_t gid) +@@ -303,7 +305,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -777,7 +777,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } /* -@@ -379,7 +381,7 @@ int main (int argc, char **argv) +@@ -384,7 +386,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -786,7 +786,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } process_flags (argc, argv); -@@ -393,7 +395,7 @@ int main (int argc, char **argv) +@@ -398,7 +400,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -795,7 +795,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -414,7 +416,7 @@ int main (int argc, char **argv) +@@ -419,7 +421,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -804,7 +804,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -434,7 +436,7 @@ int main (int argc, char **argv) +@@ -439,7 +441,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); 
@@ -813,7 +813,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } group_id = grp->gr_gid; -@@ -458,7 +460,7 @@ int main (int argc, char **argv) +@@ -463,7 +465,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -822,9 +822,9 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #endif -diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c ---- shadow-4.2.1/src/groupmod.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupmod.c 2014-11-26 15:06:24.665660564 +0100 +diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c +--- shadow-4.3.1/src/groupmod.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupmod.c 2016-08-22 17:21:15.445291147 +0200 @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } @@ -1018,9 +1018,9 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c ---- shadow-4.2.1/src/chage.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chage.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c +--- shadow-4.3.1/src/chage.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chage.c 2016-08-22 17:21:15.446291149 +0200 @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT 
@@ -1108,9 +1108,9 @@ diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c ---- shadow-4.2.1/src/newgrp.c.audit-update 2014-11-26 15:06:24.660660548 +0100 -+++ shadow-4.2.1/src/newgrp.c 2014-11-26 15:06:24.666660567 +0100 +diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c +--- shadow-4.3.1/src/newgrp.c.audit-update 2016-08-22 17:21:15.439291131 +0200 ++++ shadow-4.3.1/src/newgrp.c 2016-08-22 17:21:15.446291149 +0200 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1161,7 +1161,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c exit (EXIT_FAILURE); } -@@ -317,15 +306,27 @@ static void syslog_sg (const char *name, +@@ -320,15 +309,27 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { @@ -1193,7 +1193,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -451,7 +452,7 @@ int main (int argc, char **argv) +@@ -456,7 +457,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1202,7 +1202,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -567,15 +568,26 @@ int main (int argc, char **argv) +@@ -572,15 +573,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { 
@@ -1233,7 +1233,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -716,10 +728,10 @@ int main (int argc, char **argv) +@@ -721,10 +733,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1246,7 +1246,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -728,10 +740,10 @@ int main (int argc, char **argv) +@@ -733,10 +745,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1259,7 +1259,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -745,10 +757,10 @@ int main (int argc, char **argv) +@@ -750,10 +762,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1272,7 +1272,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -812,11 +824,11 @@ int main (int argc, char **argv) +@@ -817,11 +829,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1286,7 +1286,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -840,15 +852,24 @@ int main (int argc, char **argv) +@@ -845,15 +857,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { 
@@ -1315,9 +1315,9 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.audit-update 2014-11-26 15:06:24.648660511 +0100 -+++ shadow-4.2.1/src/useradd.c 2014-11-26 15:14:02.446087183 +0100 +diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.audit-update 2016-08-22 17:21:15.410291055 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-22 17:21:15.447291152 +0200 @@ -222,6 +222,8 @@ static void create_mail (void); */ static void fail_exit (int code) @@ -1636,7 +1636,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2098,12 +2034,6 @@ int main (int argc, char **argv) +@@ -2100,12 +2036,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); @@ -1649,7 +1649,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2119,12 +2049,6 @@ int main (int argc, char **argv) +@@ -2121,12 +2051,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1662,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2154,12 +2078,6 @@ int main (int argc, char **argv) +@@ -2156,12 +2080,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); 
@@ -1675,7 +1675,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2223,9 +2141,10 @@ int main (int argc, char **argv) +@@ -2225,9 +2143,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1689,9 +1689,9 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c ---- shadow-4.2.1/src/userdel.c.audit-update 2014-11-26 15:06:24.655660533 +0100 -+++ shadow-4.2.1/src/userdel.c 2014-11-26 15:16:01.892459425 +0100 +diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c +--- shadow-4.3.1/src/userdel.c.audit-update 2016-08-22 17:21:15.418291076 +0200 ++++ shadow-4.3.1/src/userdel.c 2016-08-22 17:21:15.447291152 +0200 @@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ @@ -1766,7 +1766,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); -#ifdef WITH_AUDIT @@ -1817,7 +1817,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1841,7 +1841,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } sgr_locked= true; - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); -#ifdef WITH_AUDIT @@ -1866,7 +1866,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); -#ifdef WITH_AUDIT @@ -1891,7 +1891,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); -#ifdef WITH_AUDIT @@ -2019,9 +2019,9 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.audit-update 2014-11-26 15:06:24.661660551 +0100 -+++ shadow-4.2.1/src/usermod.c 2014-11-26 15:17:38.580760741 +0100 +diff -up shadow-4.3.1/src/usermod.c.audit-update shadow-4.3.1/src/usermod.c +--- shadow-4.3.1/src/usermod.c.audit-update 2016-08-22 17:21:15.441291136 +0200 ++++ shadow-4.3.1/src/usermod.c 2016-08-22 17:21:15.448291155 +0200 @@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT @@ -2256,7 +2256,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1810,8 +1821,8 @@ static void move_home (void) +@@ -1758,8 +1769,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { 
@@ -2267,7 +2267,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1829,8 +1840,8 @@ static void move_home (void) +@@ -1777,8 +1788,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2278,7 +2278,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1849,9 +1860,9 @@ static void move_home (void) +@@ -1797,9 +1808,9 @@ static void move_home (void) Prog, user_home); } #ifdef WITH_AUDIT @@ -2290,7 +2290,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2055,8 +2066,8 @@ static void move_mailbox (void) +@@ -2003,8 +2014,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2301,7 +2301,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2074,8 +2085,8 @@ static void move_mailbox (void) +@@ -2022,8 +2033,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2312,7 +2312,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2217,8 +2228,8 @@ int main (int argc, char **argv) +@@ -2215,8 +2226,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2323,7 +2323,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2230,8 +2241,8 @@ int main (int argc, char **argv) +@@ -2228,8 +2239,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT 
@@ -2334,7 +2334,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2269,8 +2280,8 @@ int main (int argc, char **argv) +@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.3.1-defs-chroot.patch similarity index 60% rename from shadow-4.2.1-defs-chroot.patch rename to shadow-4.3.1-defs-chroot.patch index 827ad40..e57fac8 100644 --- a/shadow-4.2.1-defs-chroot.patch +++ b/shadow-4.3.1-defs-chroot.patch @@ -1,18 +1,18 @@ -diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100 -+++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200 +diff -up shadow-4.3.1/src/useradd.c.defs-chroot shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.defs-chroot 2016-08-22 17:13:29.420068883 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-22 17:15:14.040343275 +0200 @@ -1938,8 +1938,8 @@ int main (int argc, char **argv) #endif /* ACCT_TOOLS_SETUID */ - /* Needed for userns check */ + #ifdef ENABLE_SUBIDS - uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); - uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + uid_t uid_min; + uid_t uid_max; + #endif /* - * Get my name so that I can use it to report errors. -@@ -1957,6 +1957,9 @@ int main (int argc, char **argv) +@@ -1958,6 +1958,9 @@ int main (int argc, char **argv) audit_help_open (); #endif diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.3.1-manfix.patch similarity index 81% rename from shadow-4.2.1-manfix.patch rename to shadow-4.3.1-manfix.patch index 2ca84b3..2aeb0a8 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml ---- shadow-4.2.1/man/groupmems.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/groupmems.8.xml 2015-11-06 14:21:03.013060324 +0100 +diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xml +--- shadow-4.3.1/man/groupmems.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/groupmems.8.xml 2016-08-22 17:08:48.486332066 +0200 @@ -179,20 +179,10 @@ SETUP @@ -25,9 +25,9 @@ diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xm -diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml ---- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 +diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml +--- shadow-4.3.1/man/chage.1.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/chage.1.xml 2016-08-22 17:08:48.486332066 +0200 @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -38,9 +38,9 @@ diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml -diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/login.defs.5 ---- shadow-4.2.1/man/ja/man5/login.defs.5.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/ja/man5/login.defs.5 2016-01-08 09:58:29.591702354 +0100 +diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 +--- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 @@ -147,10 +147,6 @@ 以下の参照表は、 shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 
@@ -52,9 +52,9 @@ diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/l .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml ---- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 -+++ shadow-4.2.1/man/login.defs.5.xml 2016-01-08 09:59:35.854169787 +0100 +diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5.xml +--- shadow-4.3.1/man/login.defs.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/login.defs.5.xml 2016-08-22 17:08:48.487332069 +0200 @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -105,7 +105,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. -@@ -350,34 +342,6 @@ +@@ -350,34 +343,6 @@ @@ -191,9 +191,9 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. useradd -diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml ---- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 +diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml +--- shadow-4.3.1/man/shadow.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/shadow.5.xml 2016-08-22 17:08:48.487332069 +0200 @@ -208,8 +208,8 @@ 
@@ -205,10 +205,10 @@ diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml An empty field means that there are no enforcement of an -diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml ---- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 -+++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 -@@ -347,11 +347,16 @@ +diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml +--- shadow-4.3.1/man/useradd.8.xml.manfix 2016-08-22 17:08:48.446331961 +0200 ++++ shadow-4.3.1/man/useradd.8.xml 2016-08-22 17:08:48.487332069 +0200 +@@ -347,6 +347,11 @@ is not enabled, no home directories are created. @@ -220,15 +220,9 @@ diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml - -- -+ , - - - -diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml ---- shadow-4.2.1/man/usermod.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/usermod.8.xml 2014-11-26 15:34:51.257978963 +0100 +diff -up shadow-4.3.1/man/usermod.8.xml.manfix shadow-4.3.1/man/usermod.8.xml +--- shadow-4.3.1/man/usermod.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/usermod.8.xml 2016-08-22 17:08:48.487332069 +0200 @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch similarity index 79% rename from shadow-4.2.1-selinux-perms.patch rename to shadow-4.3.1-selinux-perms.patch index 7e7f70e..9469a7e 100644 --- a/shadow-4.2.1-selinux-perms.patch +++ b/shadow-4.3.1-selinux-perms.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c ---- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200 +diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c +--- shadow-4.3.1/src/chgpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chgpasswd.c 2016-08-22 17:25:46.825011776 +0200 @@ -39,6 +39,13 @@ #include #include @@ -147,9 +147,9 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* * The updated group file entry is then put back and will * be written to the group file later, after all the -diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c ---- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200 +diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c +--- shadow-4.3.1/src/chpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chpasswd.c 2016-08-22 17:25:46.825011776 +0200 @@ -39,6 +39,13 @@ #include #include 
@@ -257,10 +257,10 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c /* * The updated password file entry is then put back and will * be written to the password file later, after all the -diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200 -@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) +diff -up shadow-4.3.1/src/Makefile.am.selinux-perms shadow-4.3.1/src/Makefile.am +--- shadow-4.3.1/src/Makefile.am.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/Makefile.am 2016-08-22 17:25:46.825011776 +0200 +@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) 
@@ -272,18 +272,3 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
 gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
 groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in
---- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200
-+++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200
-@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(
- newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
- newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
- chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
--chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
-+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
- chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
--chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
-+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
- gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
- groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
- groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
From 86cbf7e19d07d19e68d992aa94dc844a05d4f57f Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 23 Aug 2016 16:30:57 +0200
Subject: [PATCH 39/64] Add proper buildrequires for autotools.
---
 shadow-utils.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index e799786..fffefc9 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -42,7 +42,7 @@ BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
 BuildRequires: libacl-devel libattr-devel
 BuildRequires: bison flex gnome-doc-utils
-#BuildRequires: autoconf, automake, libtool, gettext-devel
+BuildRequires: autoconf, automake, libtool, gettext-devel
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
 Requires: setup
From 457acab6b41318deb60951e7c687b372e8aba07a Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 23 Aug 2016 16:51:22 +0200
Subject: [PATCH 40/64] Add buildrequires for docbook.
---
 shadow-utils.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index fffefc9..a42dc34 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -40,8 +40,8 @@ Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
 BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
-BuildRequires: libacl-devel libattr-devel
-BuildRequires: bison flex gnome-doc-utils
+BuildRequires: libacl-devel, libattr-devel
+BuildRequires: bison, flex, gnome-doc-utils, docbook-style-xsl, docbook-dtds
 BuildRequires: autoconf, automake, libtool, gettext-devel
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
From bb62fd7837348eb8b277051626ad4af0db7f3741 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 25 Aug 2016 11:24:38 +0200
Subject: [PATCH 41/64] fix regression in useradd - not processing defaults properly (#1369979)
---
 shadow-4.3.1-process-defaults.patch | 21 +++++++++++++++++++++
 shadow-utils.spec | 7 ++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.3.1-process-defaults.patch
diff --git a/shadow-4.3.1-process-defaults.patch b/shadow-4.3.1-process-defaults.patch
new file mode 100644
index 0000000..b337376
--- /dev/null
+++ b/shadow-4.3.1-process-defaults.patch
@@ -0,0 +1,21 @@
+diff -up shadow-4.3.1/src/useradd.c.process-defaults shadow-4.3.1/src/useradd.c
+--- shadow-4.3.1/src/useradd.c.process-defaults 2016-08-22 17:30:01.000000000 +0200
++++ shadow-4.3.1/src/useradd.c 2016-08-25 09:49:51.454720951 +0200
+@@ -1974,6 +1974,8 @@ int main (int argc, char **argv)
+ is_shadow_grp = sgr_file_present ();
+ #endif
+
++ get_defaults ();
++
+ process_flags (argc, argv);
+
+ #ifdef ENABLE_SUBIDS
+@@ -1983,8 +1985,6 @@ int main (int argc, char **argv)
+ (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif /* ENABLE_SUBIDS */
+
+- get_defaults ();
+-
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ {
diff --git a/shadow-utils.spec b/shadow-utils.spec
index a42dc34..d748e24 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.3.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz
@@ -34,6 +34,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch
 Patch25: shadow-4.3.1-defs-chroot.patch
 Patch28: shadow-4.3.1-selinux-perms.patch
 Patch29: shadow-4.2.1-null-tm.patch
+Patch30: shadow-4.3.1-process-defaults.patch

 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -89,6 +90,7 @@ are used for managing group accounts.
 %patch25 -p1 -b .defs-chroot
 %patch28 -p1 -b .selinux-perms
 %patch29 -p1 -b .null-tm
+%patch30 -p1 -b .process-defaults

 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -247,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*

 %changelog
+* Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2
+- fix regression in useradd - not processing defaults properly (#1369979)
+
 * Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1
 - new upstream release fixing low impact security issue

From ba9340caf5a3f86043659dd5dc83d9280cd38185 Mon Sep 17 00:00:00 2001
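Review bot: The new patch file carries no header explaining why `get_defaults ()` must now run before `process_flags ()`; the only rationale is the one-line spec changelog entry, which does not travel with the patch when it is rebased onto the next upstream release. A short comment above the `diff -up` line, along the lines of `useradd: call get_defaults() before process_flags() so the loaded defaults are in place when command-line options are processed (#1369979)`, would let the next rebase confirm whether the ordering is still required. That wording is inferred from the commit subject rather than from the hunk; the body of `main` in useradd.c, including what `process_flags ()` reads, lies outside both inner hunks.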
From: Fedora Release Engineering
Date: Sat, 11 Feb 2017 13:21:56 +0000
Subject: [PATCH 42/64] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
---
 shadow-utils.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index d748e24..5d536e6 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz
@@ -249,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*

 %changelog
+* Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
 * Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2
 - fix regression in useradd - not processing defaults properly (#1369979)

From ec99eade4e4fc141e2c55581ecc913cde348296c Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 21 Jul 2017 14:04:11 +0200
Subject: [PATCH 43/64] update to current upstream release 4.5
---
 .gitignore | 2 +
 shadow-4.1.5-uflg.patch | 23 -
 shadow-4.1.5.1-audit-owner.patch | 32 -
 shadow-4.1.5.1-backup-mode.patch | 20 -
 shadow-4.1.5.1-errmsg.patch | 23 -
 shadow-4.1.5.1-id-alloc.patch | 1219 -----------------
 shadow-4.1.5.1-selinux.patch | 99 --
 shadow-4.2.1-merge-group.patch | 13 -
 shadow-4.3.1-defs-chroot.patch | 24 -
 shadow-4.3.1-process-defaults.patch | 21 -
 ...ext.patch => shadow-4.5-orig-context.patch | 42 +-
 shadow-4.5-selinux.patch | 115 ++
 ...k.patch => shadow-4.5-usermod-unlock.patch | 8 +-
 shadow-utils.spec | 40 +-
 sources | 3 +-
 15 files changed, 157 insertions(+), 1527 deletions(-)
 delete mode 100644 shadow-4.1.5-uflg.patch
 delete mode 100644 shadow-4.1.5.1-audit-owner.patch
 delete mode 100644 shadow-4.1.5.1-backup-mode.patch
 delete mode 100644 shadow-4.1.5.1-errmsg.patch
 delete mode 100644 shadow-4.1.5.1-id-alloc.patch
 delete mode 100644 shadow-4.1.5.1-selinux.patch
 delete mode 100644 shadow-4.2.1-merge-group.patch
 delete mode 100644 shadow-4.3.1-defs-chroot.patch
 delete mode 100644 shadow-4.3.1-process-defaults.patch
 rename shadow-4.1.5.1-orig-context.patch => shadow-4.5-orig-context.patch (67%)
 create mode 100644 shadow-4.5-selinux.patch
 rename shadow-4.2.1-usermod-unlock.patch => shadow-4.5-usermod-unlock.patch (86%)
diff --git a/.gitignore b/.gitignore
index 09b6c9b..d1e7d76 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,5 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.2.1.tar.xz
 /shadow-4.2.1.tar.xz.sig
 /shadow-4.3.1.tar.gz
+/shadow-4.5.tar.xz
+/shadow-4.5.tar.xz.asc
diff --git a/shadow-4.1.5-uflg.patch b/shadow-4.1.5-uflg.patch
deleted file mode 100644
index f72bca3..0000000
--- a/shadow-4.1.5-uflg.patch
+++ /dev/null
@@ -1,23 +0,0 @@ -diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c ---- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200 -+++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100 -@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group, - return -1; - } - } else { -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ gid_min = (gid_t) 1; - gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - if (gid_max < gid_min) { -@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group, - return 0; - } - -+ /* if we did not find free preffered system gid, we start to look for -+ * one in the range assigned to dynamic system IDs */ -+ if (sys_group) -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); - - /* - * Search the entire group file, diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch deleted file mode 100644 index 6fbbdbf..0000000 --- a/shadow-4.1.5.1-audit-owner.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100 -+++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200 -@@ -1513,6 +1513,14 @@ static void move_home (void) - fail_exit (E_HOMEDIR); - } - -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif -+ - if (rename (user_home, user_newhome) == 0) { - /* FIXME: rename above may have broken symlinks - * pointing to the user's home directory -@@ -1947,6 +1955,13 @@ int main (int argc, char **argv) - * ownership. - * - */ -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif - if (chown_tree (dflg ? user_newhome : user_home, - user_id, - uflg ? user_newid : (uid_t)-1, diff --git a/shadow-4.1.5.1-backup-mode.patch b/shadow-4.1.5.1-backup-mode.patch deleted file mode 100644 index 7366b86..0000000 --- a/shadow-4.1.5.1-backup-mode.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 -@@ -301,15 +301,12 @@ static int create_backup (const char *ba - struct utimbuf ub; - FILE *bkfp; - int c; -- mode_t mask; - - if (fstat (fileno (fp), &sb) != 0) { - return -1; - } - -- mask = umask (077); -- bkfp = fopen (backup, "w"); -- (void) umask (mask); -+ bkfp = fopen_set_perms (backup, "w", &sb); - if (NULL == bkfp) { - return -1; - } diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch deleted file mode 100644 index 6f3a1d2..0000000 --- a/shadow-4.1.5.1-errmsg.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200 -@@ -1760,6 +1760,9 @@ static void create_home (void) - if (access (user_home, F_OK) != 0) { - #ifdef WITH_SELINUX - if (set_selinux_file_context (user_home, NULL) != 0) { -+ fprintf (stderr, -+ _("%s: cannot set SELinux context for home directory %s\n"), -+ Prog, user_home); - fail_exit (E_HOMEDIR); - } - #endif -@@ -1789,6 +1792,9 @@ static void create_home (void) - #ifdef WITH_SELINUX - /* Reset SELinux to create files with default contexts */ - if (reset_selinux_file_context () != 0) { -+ fprintf (stderr, -+ _("%s: cannot reset SELinux file creation context\n"), -+ Prog); - fail_exit (E_HOMEDIR); - } - #endif diff --git a/shadow-4.1.5.1-id-alloc.patch b/shadow-4.1.5.1-id-alloc.patch deleted file mode 100644 index df6f89f..0000000 --- a/shadow-4.1.5.1-id-alloc.patch +++ /dev/null 
@@ -1,1219 +0,0 @@ -Previously, this allocation was optimized for an outdated -deployment style (that of /etc/group alongside nss_db). The issue -here is that this results in extremely poor performance when using -SSSD, Winbind or nss_ldap. - -There were actually three serious bugs here that have been addressed: - -1) Running getgrent() loops won't work in most SSSD or Winbind -environments, as full group enumeration is disabled by default. -This could easily result in auto-allocating a group that was -already in use. (This might result in a security issue as well, if -the shared GID is a privileged group). - -2) For system groups, the loop was always iterating through the -complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this -means hundreds of round-trips to LDAP (unless the GIDs were -specifically configured to be ignored by the SSSD or winbindd). -To a user with a slow connection to their LDAP server, this would -appear as if groupadd -r was hung. (Though it would eventually -complete). - -3) This patch also adds better error-handling for errno from -getgrgid(), since if this function returns an unexpected error, we -should not be treating it as "ID is available". This could result -in assigning a GID that was already in use, with all the same -issues as 1) above. - -This patch changes the algorithm to be more favorable for LDAP -environments, at the expense of some performance when using nss_db. -Given that the DB is a local service, this should have a negligible -effect from a user's perspective. - -With the new algorithm, we simply first iterate through all entries -in the local database with gr_next(), recording the IDs that are in -use. We then start from the highest presumed-available entry and -call getgrgid() to see if it is available. We continue this until -we come to the first unused GID. We then select that and return it. 
- -If we make it through all the remaining IDs without finding a free -one, we start over from the beginning of the range and try to find -room in one of the gaps in the range. - -The patch was originally written by Stephen Gallagher and applied -identically also to the user allocation by Tomáš Mráz. - -diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c ---- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_group, gid_t *min_id, gid_t *max_id, -+ gid_t *preferred_min) -+{ -+ gid_t gid_def_max = 0; -+ -+ if (sys_group) { -+ /* System groups */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (gid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (gid_t) getdef_ulong("SYS_GID_MIN", 101UL); -+ -+ /* -+ * If SYS_GID_MAX is unspecified, we should assume it to be one -+ * less than the GID_MIN (which is reserved for non-system accounts) -+ */ -+ gid_def_max = (gid_t) getdef_ulong("GID_MIN", 1000UL) - 1; -+ *max_id = (gid_t) getdef_ulong("SYS_GID_MAX", -+ (unsigned long) gid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_GID_MIN (%lu), " -+ "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("GID_MIN", 1000UL), -+ 
(unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system groups */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (gid_t) getdef_ulong("GID_MIN", 1000UL); -+ *max_id = (gid_t) getdef_ulong("GID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system groups. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: GID_MIN (%lu), " -+ "GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_gid - See if the requested GID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getgrgid() -+ */ -+static int check_gid(const gid_t gid, -+ const gid_t gid_min, -+ const gid_t gid_max, -+ bool *used_gids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (gid < gid_min || gid > gid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this GID -+ * using the gr_next() loop -+ */ -+ if (used_gids != NULL && used_gids[gid]) { -+ return EEXIST; -+ } -+ /* Check if the GID exists according to NSS */ -+ errno = 0; -+ if (getgrgid(gid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getgrgid() was NULL, check whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the GID must be available */ -+ return 0; -+} -+ -+/* - * find_new_gid - Find a new unused GID. - * - * If successful, find_new_gid provides an unused group ID in the -@@ -48,166 +160,339 @@ - * - * Return 0 on success, -1 if no unused GIDs are available. 
- */ --int find_new_gid (bool sys_group, -- gid_t *gid, -- /*@null@*/gid_t const *preferred_gid) -+int find_new_gid(bool sys_group, -+ gid_t *gid, -+ /*@null@*/gid_t const *preferred_gid) - { -- const struct group *grp; -- gid_t gid_min, gid_max, group_id; - bool *used_gids; -+ const struct group *grp; -+ gid_t gid_min, gid_max, preferred_min; -+ gid_t group_id, id; -+ gid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - -- assert (gid != NULL); -+ assert(gid != NULL); - -- if (!sys_group) { -- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); -- gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, (unsigned long) gid_max); -- return -1; -- } -- } else { -- gid_min = (gid_t) 1; -- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; -- gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_group, &gid_min, &gid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred GID is available */ -+ if (preferred_gid) { -+ result = check_gid(*preferred_gid, preferred_min, gid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the GID isn't queued for use already -+ */ -+ if (gr_locate_gid (*preferred_gid) == NULL) { -+ *gid = *preferred_gid; -+ return 0; -+ } -+ /* -+ * gr_locate_gid() found the GID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set a GID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. 
At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the group creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific GID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred GID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire group file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with gr_rewind/gr_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system groups) or highest (non-system -+ * groups), we will prefer those and avoid potentially reclaiming a -+ * deleted group (which can be a security issue, since it may grant -+ * access to files belonging to that former group). -+ * -+ * If there are no GIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. 
-+ * -+ */ -+ -+ /* Create an array to hold all of the discovered GIDs */ - used_gids = malloc (sizeof (bool) * (gid_max +1)); - if (NULL == used_gids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_gids, false, sizeof (bool) * (gid_max + 1)); - -- if ( (NULL != preferred_gid) -- && (*preferred_gid >= gid_min) -- && (*preferred_gid <= gid_max) -- /* Check if the user exists according to NSS */ -- && (getgrgid (*preferred_gid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (gr_locate_gid (*preferred_gid) == NULL)) { -- *gid = *preferred_gid; -- free (used_gids); -- return 0; -- } -- -- /* if we did not find free preffered system gid, we start to look for -- * one in the range assigned to dynamic system IDs */ -- if (sys_group) -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ /* First look for the lowest and highest value in the local database */ -+ (void) gr_rewind (); -+ highest_found = gid_min; -+ lowest_found = gid_max; -+ while ((grp = gr_next ()) != NULL) { -+ /* -+ * Does this entry have a lower GID than the lowest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) { -+ lowest_found = grp->gr_gid - 1; -+ } -+ -+ /* -+ * Does this entry have a higher GID than the highest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) { -+ highest_found = grp->gr_gid + 1; -+ } -+ -+ /* create index of used GIDs */ -+ if (grp->gr_gid >= gid_min -+ && grp->gr_gid <= gid_max) { -+ -+ used_gids[grp->gr_gid] = true; -+ } -+ } - -- /* -- * Search the entire group file, -- * looking for the largest unused value. 
-- * -- * We check the list of groups according to NSS (setgrent/getgrent), -- * but we also check the local database (gr_rewind/gr_next) in case -- * some groups were created but the changes were not committed yet. -- */ - if (sys_group) { -- gid_t id; -- /* setgrent / getgrent / endgrent can be very slow with -- * LDAP configurations (and many accounts). -- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getgrgid. -- */ -- group_id = gid_max; -- for (id = gid_max; id >= gid_min; id--) { -- if (getgrgid (id) != NULL) { -- group_id = id - 1; -- used_gids[id] = true; -- } -+ /* -+ * For system groups, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MIN - 1. -+ */ -+ if (lowest_found < gid_min) { -+ /* -+ * In this case, a GID is in use at GID_MIN. -+ * -+ * We will reset the search to GID_MAX and proceed down -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ lowest_found = gid_max; - } - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { -- group_id = grp->gr_gid - 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. 
*/ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- group_id = gid_min; -- setgrent (); -- while ((grp = getgrent ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * GID_MAX - 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != gid_max) { -+ for (id = gid_max; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ -+ } - } - } -- endgrent (); -+ } else { /* !sys_group */ -+ /* -+ * For non-system groups, we want to start from the -+ * bottom of the range and work upwards. -+ */ - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -- } -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MAX + 1. -+ */ -+ if (highest_found > gid_max) { -+ /* -+ * In this case, a GID is in use at GID_MAX. -+ * -+ * We will reset the search to GID_MIN and proceed up -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ highest_found = gid_min; - } -- } - -- /* -- * If a group (resp. system group) with GID equal to GID_MAX (resp. -- * GID_MIN) exists, the above algorithm will give us GID_MAX+1 -- * (resp. GID_MIN-1) even if not unique. Search for the first free -- * GID starting with GID_MIN (resp. GID_MAX). -- */ -- if (sys_group) { -- if (group_id < gid_min) { -- for (group_id = gid_max; group_id >= gid_min; group_id--) { -- if (false == used_gids[group_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. 
*/ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (group_id < gid_min) { -- fprintf (stderr, -- _("%s: Can't get unique system GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available GID on the system")); -- free (used_gids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- if (group_id > gid_max) { -- for (group_id = gid_min; group_id <= gid_max; group_id++) { -- if (false == used_gids[group_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * GID_MIN + 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != gid_min) { -+ for (id = gid_min; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- if (group_id > gid_max) { -- fprintf (stderr, -- _("%s: Can't get unique GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available GID on the system")); -- free (used_gids); -- return -1; -- } - } - } - -- free (used_gids); -- *gid = group_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique GID (no more available GIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available GIDs on the system")); -+ free(used_gids); -+ return -1; - } - -diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c ---- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id, -+ uid_t *preferred_min) -+{ -+ uid_t uid_def_max = 0; -+ -+ if (sys_user) { -+ /* System users */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (uid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL); -+ -+ /* -+ * If SYS_UID_MAX is unspecified, we 
should assume it to be one -+ * less than the UID_MIN (which is reserved for non-system accounts) -+ */ -+ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1; -+ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX", -+ (unsigned long) uid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_UID_MIN (%lu), " -+ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("UID_MIN", 1000UL), -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system users */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (uid_t) getdef_ulong("UID_MIN", 1000UL); -+ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system users. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: UID_MIN (%lu), " -+ "UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_uid - See if the requested UID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getpwuid() -+ */ -+static int check_uid(const uid_t uid, -+ const uid_t uid_min, -+ const uid_t uid_max, -+ bool *used_uids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (uid < uid_min || uid > uid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this UID -+ * using the pw_next() loop -+ */ -+ if (used_uids != NULL && used_uids[uid]) { -+ return EEXIST; -+ } -+ /* Check if the UID exists according to NSS */ -+ errno = 0; -+ if (getpwuid(uid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getpwuid() was NULL, check 
whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the UID must be available */ -+ return 0; -+} -+ -+/* - * find_new_uid - Find a new unused UID. - * - * If successful, find_new_uid provides an unused user ID in the -@@ -48,162 +160,339 @@ - * - * Return 0 on success, -1 if no unused UIDs are available. - */ --int find_new_uid (bool sys_user, -- uid_t *uid, -- /*@null@*/uid_t const *preferred_uid) -+int find_new_uid(bool sys_user, -+ uid_t *uid, -+ /*@null@*/uid_t const *preferred_uid) - { -- const struct passwd *pwd; -- uid_t uid_min, uid_max, user_id; - bool *used_uids; -+ const struct passwd *pwd; -+ uid_t uid_min, uid_max, preferred_min; -+ uid_t user_id, id; -+ uid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - - assert (uid != NULL); - -- if (!sys_user) { -- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, (unsigned long) uid_max); -- return -1; -- } -- } else { -- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); -- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; -- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred UID is available */ -+ if (preferred_uid) { -+ result = check_uid(*preferred_uid, 
preferred_min, uid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the UID isn't queued for use already -+ */ -+ if (pw_locate_uid (*preferred_uid) == NULL) { -+ *uid = *preferred_uid; -+ return 0; -+ } -+ /* -+ * pw_locate_uid() found the UID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set an UID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the user creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific UID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred UID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire passwd file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with pw_rewind/pw_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system users) or highest (non-system -+ * users), we will prefer those and avoid potentially reclaiming a -+ * deleted user (which can be a security issue, since it may grant -+ * access to files belonging to that former user). -+ * -+ * If there are no UIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. 
-+ * -+ */ -+ -+ /* Create an array to hold all of the discovered UIDs */ - used_uids = malloc (sizeof (bool) * (uid_max +1)); - if (NULL == used_uids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_uids, false, sizeof (bool) * (uid_max + 1)); - -- if ( (NULL != preferred_uid) -- && (*preferred_uid >= uid_min) -- && (*preferred_uid <= uid_max) -- /* Check if the user exists according to NSS */ -- && (getpwuid (*preferred_uid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (pw_locate_uid (*preferred_uid) == NULL)) { -- *uid = *preferred_uid; -- free (used_uids); -- return 0; -- } -+ /* First look for the lowest and highest value in the local database */ -+ (void) pw_rewind (); -+ highest_found = uid_min; -+ lowest_found = uid_max; -+ while ((pwd = pw_next ()) != NULL) { -+ /* -+ * Does this entry have a lower UID than the lowest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) { -+ lowest_found = pwd->pw_uid - 1; -+ } - -+ /* -+ * Does this entry have a higher UID than the highest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) { -+ highest_found = pwd->pw_uid + 1; -+ } -+ -+ /* create index of used UIDs */ -+ if (pwd->pw_uid >= uid_min -+ && pwd->pw_uid <= uid_max) { -+ -+ used_uids[pwd->pw_uid] = true; -+ } -+ } - -- /* -- * Search the entire password file, -- * looking for the largest unused value. -- * -- * We check the list of users according to NSS (setpwent/getpwent), -- * but we also check the local database (pw_rewind/pw_next) in case -- * some users were created but the changes were not committed yet. -- */ - if (sys_user) { -- uid_t id; -- /* setpwent / getpwent / endpwent can be very slow with -- * LDAP configurations (and many accounts). 
-- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getpwuid. -- */ -- user_id = uid_max; -- for (id = uid_max; id >= uid_min; id--) { -- if (getpwuid (id) != NULL) { -- user_id = id - 1; -- used_uids[id] = true; -- } -+ /* -+ * For system users, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MIN - 1. -+ */ -+ if (lowest_found < uid_min) { -+ /* -+ * In this case, an UID is in use at UID_MIN. -+ * -+ * We will reset the search to UID_MAX and proceed down -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ lowest_found = uid_max; - } - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { -- user_id = pwd->pw_uid - 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- user_id = uid_min; -- setpwent (); -- while ((pwd = getpwent ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * UID_MAX - 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != uid_max) { -+ for (id = uid_max; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ -+ } - } - } -- endpwent (); -+ } else { /* !sys_user */ -+ /* -+ * For non-system users, we want to start from the -+ * bottom of the range and work upwards. 
-+ */ - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -- } -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MAX + 1. -+ */ -+ if (highest_found > uid_max) { -+ /* -+ * In this case, a UID is in use at UID_MAX. -+ * -+ * We will reset the search to UID_MIN and proceed up -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ highest_found = uid_min; - } -- } - -- /* -- * If a user (resp. system user) with UID equal to UID_MAX (resp. -- * UID_MIN) exists, the above algorithm will give us UID_MAX+1 -- * (resp. UID_MIN-1) even if not unique. Search for the first free -- * UID starting with UID_MIN (resp. UID_MAX). -- */ -- if (sys_user) { -- if (user_id < uid_min) { -- for (user_id = uid_max; user_id >= uid_min; user_id--) { -- if (false == used_uids[user_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (user_id < uid_min ) { -- fprintf (stderr, -- _("%s: Can't get unique system UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available UID on the system")); -- free (used_uids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- if (user_id > uid_max) { -- for (user_id = uid_min; user_id <= uid_max; user_id++) { -- if (false == used_uids[user_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * UID_MIN + 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != uid_min) { -+ for (id = uid_min; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. 
-+ */ - } - } -- if (user_id > uid_max) { -- fprintf (stderr, -- _("%s: Can't get unique UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available UID on the system")); -- free (used_uids); -- return -1; -- } - } - } - -- free (used_uids); -- *uid = user_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique UID (no more available UIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available UIDs on the system")); -+ free(used_uids); -+ return -1; - } - diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch deleted file mode 100644 index 4ac32d2..0000000 --- a/shadow-4.1.5.1-selinux.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200 -@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, - - ret = 0; - -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_seuser_key_free (key); - semanage_handle_destroy (handle); -@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) - } - - ret = 0; -+ -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_handle_destroy (handle); - return ret; -diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200 -@@ -1850,6 +1850,7 @@ static void create_mail (void) - */ - int main (int argc, char **argv) - { -+ int rv = E_SUCCESS; - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) - - usr_update (); - -+ close_files (); -+ -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ -+#ifdef WITH_SELINUX -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ if (set_seuser (user_name, user_selinux) != 0) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "adding SELinux user mapping", -+ user_name, (unsigned int) user_id, 0); -+#endif /* WITH_AUDIT */ -+ rv = E_SE_UPDATE; -+ } -+ } -+ } -+#endif -+ - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, -+ copy_tree (def_template, user_home, false, true, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, -@@ -2056,27 +2080,6 @@ 
int main (int argc, char **argv) - create_mail (); - } - -- close_files (); -- --#ifdef WITH_SELINUX -- if (Zflg) { -- if (set_seuser (user_name, user_selinux) != 0) { -- fprintf (stderr, -- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -- Prog, user_name, user_selinux); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding SELinux user mapping", -- user_name, (unsigned int) user_id, 0); --#endif /* WITH_AUDIT */ -- fail_exit (E_SE_UPDATE); -- } -- } --#endif /* WITH_SELINUX */ -- -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- -- return E_SUCCESS; -+ return rv; - } - diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch deleted file mode 100644 index 1adcabd..0000000 --- a/shadow-4.2.1-merge-group.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c ---- shadow-4.2.1/lib/groupio.c.merge-group 2014-11-26 14:33:54.039581662 +0100 -+++ shadow-4.2.1/lib/groupio.c 2014-11-26 14:46:02.841852886 +0100 -@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry * - errno = ENOMEM; - return NULL; - } -- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); -- new_line[new_line_len] = '\0'; -+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); - - /* Concatenate the 2 list of members */ - for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-4.3.1-defs-chroot.patch b/shadow-4.3.1-defs-chroot.patch deleted file mode 100644 index e57fac8..0000000 --- a/shadow-4.3.1-defs-chroot.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -diff -up shadow-4.3.1/src/useradd.c.defs-chroot shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.defs-chroot 2016-08-22 17:13:29.420068883 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-22 17:15:14.040343275 +0200 -@@ -1938,8 +1938,8 @@ int main (int argc, char **argv) - #endif /* ACCT_TOOLS_SETUID */ - - #ifdef ENABLE_SUBIDS -- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ uid_t uid_min; -+ uid_t uid_max; - #endif - - /* -@@ -1958,6 +1958,9 @@ int main (int argc, char **argv) - audit_help_open (); - #endif - -+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ - sys_ngroups = sysconf (_SC_NGROUPS_MAX); - user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); - /* diff --git a/shadow-4.3.1-process-defaults.patch b/shadow-4.3.1-process-defaults.patch deleted file mode 100644 index b337376..0000000 --- a/shadow-4.3.1-process-defaults.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up shadow-4.3.1/src/useradd.c.process-defaults shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.process-defaults 2016-08-22 17:30:01.000000000 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-25 09:49:51.454720951 +0200 -@@ -1974,6 +1974,8 @@ int main (int argc, char **argv) - is_shadow_grp = sgr_file_present (); - #endif - -+ get_defaults (); -+ - process_flags (argc, argv); - - #ifdef ENABLE_SUBIDS -@@ -1983,8 +1985,6 @@ int main (int argc, char **argv) - (!user_id || (user_id <= uid_max && user_id >= uid_min)); - #endif /* ENABLE_SUBIDS */ - -- get_defaults (); -- - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - { diff --git a/shadow-4.1.5.1-orig-context.patch b/shadow-4.5-orig-context.patch similarity index 67% rename from shadow-4.1.5.1-orig-context.patch rename to shadow-4.5-orig-context.patch index c1ddb13..c935658 100644 --- a/shadow-4.1.5.1-orig-context.patch +++ b/shadow-4.5-orig-context.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100 +diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c +--- shadow-4.5/lib/commonio.c.orig-context 2017-05-17 21:19:44.000000000 +0200 ++++ shadow-4.5/lib/commonio.c 2017-07-20 16:47:41.102186239 +0200 @@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); @@ -10,7 +10,7 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db * +@@ -974,7 +974,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -19,9 +19,9 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c ---- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100 -+++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100 +diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c +--- shadow-4.5/libmisc/copydir.c.orig-context 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/libmisc/copydir.c 2017-07-20 16:47:41.102186239 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ 
@@ -58,10 +58,10 @@ diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/co return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h ---- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100 -+++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100 -@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h +--- shadow-4.5/lib/prototypes.h.orig-context 2017-05-17 21:19:44.000000000 +0200 ++++ shadow-4.5/lib/prototypes.h 2017-07-20 16:47:41.102186239 +0200 +@@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -70,9 +70,9 @@ diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototy extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c ---- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100 +diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c +--- shadow-4.5/lib/selinux.c.orig-context 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/selinux.c 2017-07-20 16:47:41.102186239 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context 
@@ -114,15 +114,15 @@ diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c } /* -diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100 -@@ -1759,7 +1759,7 @@ static void create_home (void) +diff -up shadow-4.5/src/useradd.c.orig-context shadow-4.5/src/useradd.c +--- shadow-4.5/src/useradd.c.orig-context 2017-07-20 16:47:41.102186239 +0200 ++++ shadow-4.5/src/useradd.c 2017-07-20 16:50:28.226198387 +0200 +@@ -1945,7 +1945,7 @@ static void create_home (void) { if (access (user_home, F_OK) != 0) { #ifdef WITH_SELINUX - if (set_selinux_file_context (user_home) != 0) { + if (set_selinux_file_context (user_home, NULL) != 0) { - fail_exit (E_HOMEDIR); - } - #endif + fprintf (stderr, + _("%s: cannot set SELinux context for home directory %s\n"), + Prog, user_home); diff --git a/shadow-4.5-selinux.patch b/shadow-4.5-selinux.patch new file mode 100644 index 0000000..cd190cc --- /dev/null +++ b/shadow-4.5-selinux.patch 
@@ -0,0 +1,115 @@ +diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c +--- shadow-4.5/lib/semanage.c.selinux 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/semanage.c 2017-07-20 16:40:49.680297319 +0200 +@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, + + ret = 0; + ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_seuser_key_free (key); + semanage_handle_destroy (handle); +@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) + } + + ret = 0; ++ ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_handle_destroy (handle); + return ret; +diff -up shadow-4.5/src/useradd.c.selinux shadow-4.5/src/useradd.c +--- shadow-4.5/src/useradd.c.selinux 2017-07-20 16:40:49.677297246 +0200 ++++ shadow-4.5/src/useradd.c 2017-07-20 16:44:58.195275331 +0200 +@@ -2042,6 +2042,7 @@ static void create_mail (void) + */ + int main (int argc, char **argv) + { ++ int rv = E_SUCCESS; + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + pam_handle_t *pamh = NULL; +@@ -2262,27 +2263,11 @@ int main (int argc, char **argv) + + usr_update (); + +- if (mflg) { +- create_home (); +- if (home_added) { +- copy_tree (def_template, user_home, false, false, +- (uid_t)-1, user_id, (gid_t)-1, user_gid); +- } else { +- fprintf (stderr, +- _("%s: warning: the home directory already exists.\n" +- "Not copying any file from skel directory into it.\n"), +- Prog); +- } +- +- } +- +- /* Do not create mail directory for system accounts */ +- if (!rflg) { +- create_mail (); +- } +- + close_files (); + ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ + /* + * tallylog_reset needs to be able to lookup + * a valid existing user name, +@@ -2293,8 +2278,9 @@ int main (int argc, char **argv) + } + + #ifdef WITH_SELINUX +- if (Zflg) { +- if (set_seuser (user_name, user_selinux) != 0) { ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ if (set_seuser (user_name, 
user_selinux) != 0) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); +@@ -2303,14 +2289,31 @@ int main (int argc, char **argv) + "adding SELinux user mapping", + user_name, (unsigned int) user_id, 0); + #endif /* WITH_AUDIT */ +- fail_exit (E_SE_UPDATE); ++ rv = E_SE_UPDATE; ++ } + } + } +-#endif /* WITH_SELINUX */ ++#endif + +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); ++ if (mflg) { ++ create_home (); ++ if (home_added) { ++ copy_tree (def_template, user_home, false, true, ++ (uid_t)-1, user_id, (gid_t)-1, user_gid); ++ } else { ++ fprintf (stderr, ++ _("%s: warning: the home directory already exists.\n" ++ "Not copying any file from skel directory into it.\n"), ++ Prog); ++ } ++ ++ } ++ ++ /* Do not create mail directory for system accounts */ ++ if (!rflg) { ++ create_mail (); ++ } + +- return E_SUCCESS; ++ return rv; + } + diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch similarity index 86% rename from shadow-4.2.1-usermod-unlock.patch rename to shadow-4.5-usermod-unlock.patch index 19feecb..d37b4aa 100644 --- a/shadow-4.2.1-usermod-unlock.patch +++ b/shadow-4.5-usermod-unlock.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.unlock 2016-02-03 11:54:14.977664838 +0100 -+++ shadow-4.2.1/src/usermod.c 2016-02-09 11:52:08.244957222 +0100 +diff -up shadow-4.5/src/usermod.c.unlock shadow-4.5/src/usermod.c +--- shadow-4.5/src/usermod.c.unlock 2017-07-20 16:52:23.641969174 +0200 ++++ shadow-4.5/src/usermod.c 2017-07-20 16:54:08.109477127 +0200 @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; 
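Review bot: The SELinux mapping failure path in main() now only records `rv = E_SE_UPDATE;` and falls through to create_home()/copy_tree(), so the account, its home directory and the skeleton files are still created when set_seuser() fails and only the exit status reports it; a comment at that assignment should say the degradation is deliberate, e.g. `/* keep going: the account exists, report the missing mapping via exit status */`. The `#endif` closing the SELinux block lost its `/* WITH_SELINUX */` tag while the nested `#endif /* WITH_AUDIT */` kept it; restore `#endif /* WITH_SELINUX */`. The fourth copy_tree() argument flips from false to true at the same time home creation moves after the seuser mapping and matchpathcon_fini(), which looks like it asks copy_tree() to relabel under the new mapping, but the parameter's meaning is not visible here, so a short comment naming it at the call would help. Most of main()'s body lies outside the visible hunk.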
@@ -60,4 +60,4 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c + fail_exit(E_PW_UPDATE); if (pflg) { - spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; + spent->sp_lstchg = (long) gettime () / SCALE; diff --git a/shadow-utils.spec b/shadow-utils.spec index 5d536e6..7b31676 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,40 +1,33 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.3.1 -Release: 3%{?dist} +Version: 4.5 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz -Source1: shadow-utils.login.defs +Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz +Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source2: shadow-utils.useradd +Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch Patch1: shadow-4.1.5.1-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch3: shadow-4.1.5-uflg.patch -Patch6: shadow-4.1.5.1-selinux.patch +Patch6: shadow-4.5-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch -Patch8: shadow-4.1.5.1-backup-mode.patch -Patch9: shadow-4.2.1-merge-group.patch -Patch10: shadow-4.1.5.1-orig-context.patch +Patch10: shadow-4.5-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch -Patch12: shadow-4.1.5.1-errmsg.patch -Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch -Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch Patch22: shadow-4.3.1-audit-update.patch -Patch23: shadow-4.2.1-usermod-unlock.patch +Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch25: shadow-4.3.1-defs-chroot.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch -Patch30: shadow-4.3.1-process-defaults.patch License: BSD and GPLv2+ Group: System Environment/Base 
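Review bot: Source1 now fetches the detached `shadow-%{version}.tar.xz.asc` signature, but no verification step is visible in this diff (no keyring Source and nothing gpgverify-like in the %prep hunk `@@ -68,29 +61,21 @@`), so as written the .asc is downloaded without adding an integrity check; either add the verification against a key shipped as a further Source, or drop the .asc so the spec does not imply the tarball is checked. This hunk and that %prep hunk also drop eight downstream patches (uflg, backup-mode, merge-group, errmsg, audit-owner, id-alloc, defs-chroot, process-defaults) with no note that they are in upstream 4.5; the merge-group one fixed an snprintf bound in groupio.c, so a comment or changelog line listing the dropped patches as upstreamed would let a reader confirm each is covered. The Source1 to Source3 renumbering of login.defs is matched by the install line change in the %install hunk, which looks consistent.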
@@ -68,29 +61,21 @@ are used for managing group accounts. %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir -%patch3 -p1 -b .uflg %patch6 -p1 -b .selinux %patch7 -p1 -b .2ndskip -%patch8 -p1 -b .backup-mode -%patch9 -p1 -b .merge-group %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg -%patch12 -p1 -b .errmsg -%patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel -%patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing %patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos -%patch25 -p1 -b .defs-chroot %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm -%patch30 -p1 -b .process-defaults iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -98,9 +83,6 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . %build - -./autogen.sh - %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -110,6 +92,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +autoreconf %configure \ --enable-shadowgrp \ --enable-man \ @@ -126,7 +109,7 @@ make rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default -install -p -c -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs +install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd @@ -249,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 +- update to current upstream release 4.5 + * Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 
diff --git a/sources b/sources index 899422e..a50063e 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -b6b48ef1af4eb088937c8cc47e317009 shadow-4.3.1.tar.gz +SHA512 (shadow-4.5.tar.xz) = e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 +SHA512 (shadow-4.5.tar.xz.asc) = 42739e5e36e0dd1ff8e9d8721f5b4b222113afd91c927b580bc0b587d59dcdecdf938c978405b80f15a70b17f2d0589f8b6277e0e9bd23a5f3c2fc924c9b1e24 From 3a17ec0f47535362c05339090a225e5ddab617e4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 27 Jul 2017 18:30:31 +0000 Subject: [PATCH 44/64] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 7b31676..d484578 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 - update to current upstream release 4.5 From 46349c33e5aea3baa759cc753cce606c399b0a07 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 3 Aug 2017 08:23:19 +0000 Subject: [PATCH 45/64] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index d484578..adf57c2 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From 2c7fd6de84388eda729beee620a06f7bd5e32415 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 14 Aug 2017 11:03:28 +0200 Subject: [PATCH 46/64] allow switching to secondary group without checking the membership (patch from upstream) --- shadow-4.1.5.1-newgrp-grouplist.patch | 70 +++++++++++++++++++++++++++ shadow-utils.spec | 8 ++- 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-newgrp-grouplist.patch diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch new file mode 100644 index 0000000..8fcfd97 --- /dev/null +++ b/shadow-4.1.5.1-newgrp-grouplist.patch 
@@ -0,0 +1,70 @@ +diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1/src/newgrp.c.grouplist 2016-06-28 10:23:46.686334213 +0200 ++++ shadow-4.1.5.1/src/newgrp.c 2017-08-14 10:26:58.300757328 +0200 +@@ -382,6 +382,7 @@ int main (int argc, char **argv) + { + bool initflag = false; + int i; ++ bool is_member = false; + bool cflag = false; + int err = 0; + gid_t gid; +@@ -631,22 +632,36 @@ int main (int argc, char **argv) + goto failure; + } + ++#ifdef HAVE_SETGROUPS ++ /* when using pam_group, she will not be listed in the groups ++ * database. However getgroups() will return the group. So ++ * if she is listed there already it is ok to grant membership. ++ */ ++ for (i = 0; i < ngroups; i++) { ++ if (grp->gr_gid == grouplist[i]) { ++ is_member = true; ++ break; ++ } ++ } ++#endif /* HAVE_SETGROUPS */ + /* + * For splitted groups (due to limitations of NIS), check all + * groups of the same GID like the requested group for + * membership of the current user. + */ +- grp = find_matching_group (name, grp); +- if (NULL == grp) { +- /* +- * No matching group found. As we already know that +- * the group exists, this happens only in the case +- * of a requested group where the user is not member. +- * +- * Re-read the group entry for further processing. +- */ +- grp = xgetgrnam (group); +- assert (NULL != grp); ++ if (!is_member) { ++ grp = find_matching_group (name, grp); ++ if (NULL == grp) { ++ /* ++ * No matching group found. As we already know that ++ * the group exists, this happens only in the case ++ * of a requested group where the user is not member. ++ * ++ * Re-read the group entry for further processing. ++ */ ++ grp = xgetgrnam (group); ++ assert (NULL != grp); ++ } + } + #ifdef SHADOWGRP + sgrp = getsgnam (group); +@@ -659,7 +674,9 @@ int main (int argc, char **argv) + /* + * Check if the user is allowed to access this group. 
+ */ +- check_perms (grp, pwd, group); ++ if (!is_member) { ++ check_perms (grp, pwd, group); ++ } + + /* + * all successful validations pass through this point. The group id diff --git a/shadow-utils.spec b/shadow-utils.spec index adf57c2..a8e6b48 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -28,6 +28,7 @@ Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch +Patch30: shadow-4.1.5.1-newgrp-grouplist.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -76,6 +77,7 @@ are used for managing group accounts. %patch24 -p1 -b .no-lock-dos %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm +%patch30 -p1 -b .grouplist iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -232,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 +- allow switching to secondary group without checking the membership + explicitly (patch from upstream) + * Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild From b90f1c39125212300e95934f7c9f932e9fe784d9 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 15 Sep 2017 17:54:22 +0200 Subject: [PATCH 47/64] do not allow "." and ".." user names --- ...oodname.patch => shadow-4.5-goodname.patch | 69 +++++++++++-------- shadow-utils.spec | 7 +- 2 files changed, 47 insertions(+), 29 deletions(-) rename shadow-4.1.5.1-goodname.patch => shadow-4.5-goodname.patch (53%) 
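Review bot: The new `is_member` short-circuit skips both find_matching_group() and check_perms() solely because the requested gid appears in the getgroups() result, which is sound only because a process that already holds that gid as a supplementary group gains nothing from newgrp; the comment on the loop explains the pam_group case but not this reasoning, so add `/* Already a supplementary group of this process: no password or membership check can add privilege. */`. `ngroups` and `grouplist` are defined outside the hunk, so how they are filled (presumably an earlier getgroups() call) and whether `int i` matches the type of `ngroups` cannot be checked here. When HAVE_SETGROUPS is undefined `is_member` stays false and the old path is taken unchanged, which is worth stating next to the `#ifdef`. main() begins and ends outside the hunk.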
diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.5-goodname.patch similarity index 53% rename from shadow-4.1.5.1-goodname.patch rename to shadow-4.5-goodname.patch index 15c98a7..72f1492 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c ---- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/chkname.c 2014-09-09 17:35:17.207303124 +0200 -@@ -47,27 +47,42 @@ +diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c +--- shadow-4.5/libmisc/chkname.c.goodname 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/libmisc/chkname.c 2017-09-15 17:06:29.917939977 +0200 +@@ -47,27 +47,46 @@ #include "chkname.h" static bool is_valid_name (const char *name) @@ -18,16 +18,18 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" + * -+ * Also do not allow fully numeric names. ++ * Also do not allow fully numeric names or just "." or "..". + */ + int numeric; + -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { ++ if ('\0' == *name || ++ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || ++ '\0' == name[1])) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.')) { return false; } 
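Review bot: The "." / ".." rejection is folded into an already deep boolean expression (`('.' == *name && (('.' == name[1] && '\0' == name[2]) || '\0' == name[1]))`), which is correct but hard to audit; a separate guard reads better and matches the new comment: `if ('\0' == *name || strcmp (name, ".") == 0 || strcmp (name, "..") == 0) { return false; }` ahead of the character-class test (assuming <string.h> is already in scope in chkname.c, which the hunk does not show). Rejecting these two names in is_valid_name() is the right layer, since a home path of `<base>/.` or `<base>/..` would resolve to the base directory itself or its parent; the comment could say so, since that is the reason the check is security-relevant rather than cosmetic. The remainder of is_valid_name() lies outside this hunk.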
@@ -39,13 +41,14 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam - ('_' == *name) || - ('-' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { ++ if (!((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.' || ++ *name == '-' || ++ (*name == '$' && name[1] == '\0') + )) { return false; } + numeric &= isdigit(*name); @@ -56,10 +59,10 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam } bool is_valid_user_name (const char *name) -diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml ---- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/groupadd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -259,12 +259,6 @@ +diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml +--- shadow-4.5/man/groupadd.8.xml.goodname 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/man/groupadd.8.xml 2017-08-14 10:27:24.657391521 +0200 +@@ -256,12 +256,6 @@ CAVEATS 
@@ -72,10 +75,22 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -366,7 +366,7 @@ +diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml +--- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 ++++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 +@@ -347,6 +347,11 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. ++ + + + +@@ -355,7 +360,7 @@ @@ -84,7 +99,7 @@ diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8. wide setting from /etc/login.defs () is set to yes. -@@ -654,12 +654,6 @@ +@@ -633,12 +638,6 @@ diff --git a/shadow-utils.spec b/shadow-utils.spec index a8e6b48..4b030dd 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -11,7 +11,7 @@ Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch -Patch1: shadow-4.1.5.1-goodname.patch +Patch1: shadow-4.5-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch Patch6: shadow-4.5-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch 
@@ -234,6 +234,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 +- do not allow "." and ".." user names + * Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 - allow switching to secondary group without checking the membership explicitly (patch from upstream) From 9659143d385aa40f5b94664f6ea215e66fa9eac3 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 15 Sep 2017 18:00:17 +0200 Subject: [PATCH 48/64] Remove incorrect hunks from the goodname patch. --- shadow-4.5-goodname.patch | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch index 72f1492..bf02257 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -78,28 +78,7 @@ diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml --- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 +++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 -@@ -347,6 +347,11 @@ - is not enabled, no home - directories are created. - -+ -+ The directory where the user's home directory is created must -+ exist and have proper SELinux context and permissions. Otherwise -+ the user's home directory cannot be created or accessed. -+ - - - -@@ -355,7 +360,7 @@ - - - -- Do no create the user's home directory, even if the system -+ Do not create the user's home directory, even if the system - wide setting from /etc/login.defs - () is set to - yes. -@@ -633,12 +638,6 @@ +@@ -633,12 +633,6 @@ From 8633999acfd789cb9e61ba40011761a08729d36c Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Thu, 2 Nov 2017 11:50:59 +0100 Subject: [PATCH 49/64] fix userdel in chroot (#1316168) add useful chage -E example to chage manpage --- shadow-4.3.1-manfix.patch | 14 +++++ shadow-4.5-userdel-chroot.patch | 108 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 9 ++- 3 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 shadow-4.5-userdel-chroot.patch diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch index 2aeb0a8..4ca6054 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -38,6 +38,20 @@ diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml +@@ -119,6 +122,13 @@ + system again. + + ++ For example the following can be used to set an account to expire ++ in 180 days: ++ ++ ++ chage -E $(date -d +180days +%Y-%m-%d) ++ ++ + Passing the number -1 as the + EXPIRE_DATE will remove an account + expiration date. diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 --- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 +++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch new file mode 100644 index 0000000..e5cf287 --- /dev/null +++ b/shadow-4.5-userdel-chroot.patch 
@@ -0,0 +1,108 @@ +diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c +--- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-02 10:19:11.886588281 +0100 ++++ shadow-4.5/lib/selinux.c 2017-11-02 11:38:32.029906306 +0100 +@@ -75,7 +75,7 @@ int set_selinux_file_context (const char + } + return 0; + error: +- if (security_getenforce () != 0) { ++ if (security_getenforce () > 0) { + return 1; + } + return 0; +@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) + selinux_checked = true; + } + if (selinux_enabled) { +- if (setfscreatecon (NULL) != 0) { ++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { + return 1; + } + } +diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c +--- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-02 10:19:11.899588578 +0100 ++++ shadow-4.5/src/userdel.c 2017-11-02 11:16:07.437048450 +0100 +@@ -96,6 +96,7 @@ static char *user_home; + static bool fflg = false; + static bool rflg = false; + static bool Zflg = false; ++static bool Rflg = false; + + static bool is_shadow_pwd; + +@@ -958,6 +959,7 @@ int main (int argc, char **argv) + rflg = true; + break; + case 'R': /* no-op, handled in process_root_flag () */ ++ Rflg = true; + break; + #ifdef WITH_SELINUX + case 'Z': +@@ -1031,9 +1033,11 @@ int main (int argc, char **argv) + * Start with a quick check to see if the user exists. 
+ */ + user_name = argv[argc - 1]; ++ open_files (); ++ + { +- struct passwd *pwd; +- pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ ++ const struct passwd *pwd; ++ pwd = pw_locate (user_name); /* we care only about local users */ + if (NULL == pwd) { + fprintf (stderr, _("%s: user '%s' does not exist\n"), + Prog, user_name); +@@ -1043,7 +1047,7 @@ int main (int argc, char **argv) + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + user_id = pwd->pw_uid; + user_gid = pwd->pw_gid; +@@ -1051,7 +1055,7 @@ int main (int argc, char **argv) + } + #ifdef WITH_TCB + if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif /* WITH_TCB */ + #ifdef USE_NIS +@@ -1071,7 +1075,7 @@ int main (int argc, char **argv) + _("%s: %s is the NIS master\n"), + Prog, nis_master); + } +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif /* USE_NIS */ + /* +@@ -1079,7 +1083,7 @@ int main (int argc, char **argv) + * Note: This is a best effort basis. The user may log in between, + * a cron job may be started on her behalf, etc. + */ +- if (user_busy (user_name, user_id) != 0) { ++ if (!Rflg && user_busy (user_name, user_id) != 0) { + if (!fflg) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +@@ -1087,15 +1091,14 @@ int main (int argc, char **argv) + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +- exit (E_USER_BUSY); ++ fail_exit (E_USER_BUSY); + } + } + + /* +- * Do the hard stuff - open the files, create the user entries, ++ * Do the hard stuff - create the user entries, + * create the home directory, then close and update the files. + */ +- open_files (); + update_user (); + update_groups (); + diff --git a/shadow-utils.spec b/shadow-utils.spec index 4b030dd..32f70ce 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
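Review bot: Changing `security_getenforce () != 0` to `> 0` in set_selinux_file_context() and reset_selinux_file_context() makes a getenforce error (it returns -1 when the SELinux state cannot be read, as in a chroot without selinuxfs) count as permissive, so a failed setfscreatecon() is then reported as success; if that fail-open is the intended chroot behaviour, say so at both sites, e.g. `/* -1 (state unknown, e.g. chroot) is treated as permissive: do not fail */`, otherwise only 0 should be treated as non-fatal. The `case 'R':` comment `/* no-op, handled in process_root_flag () */` is now stale because the case sets `Rflg`, which later skips user_busy(); update it to `/* chroot is applied in process_root_flag (); remember it to skip the busy check */`. Moving `open_files ();` ahead of the existence check means the passwd/shadow/group locks are held during the user_busy() scan, which is presumably why every former `exit ()` on that path became `fail_exit ()`; a comment at the moved call would stop a future edit from reintroducing a bare exit while the locks are held. main() begins and ends outside the hunk.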
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -29,6 +29,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch +Patch31: shadow-4.5-userdel-chroot.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -78,6 +79,7 @@ are used for managing group accounts. %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm %patch30 -p1 -b .grouplist +%patch31 -p1 -b .userdel-chroot iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -116,7 +118,6 @@ install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser -#ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 @@ -234,6 +235,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 +- fix userdel in chroot (#1316168) +- add useful chage -E example to chage manpage + * Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 - do not allow "." and ".." user names From 95d0ea68802bd99efcc45e42c992cc483153e22e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 6 Nov 2017 15:31:26 +0100 Subject: [PATCH 50/64] fix regression caused by the userdel-chroot patch (#1509978) --- shadow-4.5-userdel-chroot.patch | 62 +++++++-------------------------- shadow-utils.spec | 5 ++- 2 files changed, 17 insertions(+), 50 deletions(-) 
diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch index e5cf287..37700c3 100644 --- a/shadow-4.5-userdel-chroot.patch +++ b/shadow-4.5-userdel-chroot.patch @@ -1,6 +1,6 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-02 10:19:11.886588281 +0100 -+++ shadow-4.5/lib/selinux.c 2017-11-02 11:38:32.029906306 +0100 +--- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-06 13:40:41.396131526 +0100 ++++ shadow-4.5/lib/selinux.c 2017-11-06 13:40:41.418132035 +0100 @@ -75,7 +75,7 @@ int set_selinux_file_context (const char } return 0; @@ -20,8 +20,8 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c } } diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c ---- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-02 10:19:11.899588578 +0100 -+++ shadow-4.5/src/userdel.c 2017-11-02 11:16:07.437048450 +0100 +--- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-06 13:40:41.410131850 +0100 ++++ shadow-4.5/src/userdel.c 2017-11-06 15:26:56.567954410 +0100 @@ -96,6 +96,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; 
@@ -38,48 +38,30 @@ diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c break; #ifdef WITH_SELINUX case 'Z': -@@ -1031,9 +1033,11 @@ int main (int argc, char **argv) - * Start with a quick check to see if the user exists. +@@ -1032,9 +1034,12 @@ int main (int argc, char **argv) */ user_name = argv[argc - 1]; -+ open_files (); -+ { - struct passwd *pwd; - pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ + const struct passwd *pwd; ++ ++ pw_open(O_RDONLY); + pwd = pw_locate (user_name); /* we care only about local users */ if (NULL == pwd) { ++ pw_close(); fprintf (stderr, _("%s: user '%s' does not exist\n"), Prog, user_name); -@@ -1043,7 +1047,7 @@ int main (int argc, char **argv) - user_name, AUDIT_NO_ID, - SHADOW_AUDIT_FAILURE); - #endif /* WITH_AUDIT */ -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } + #ifdef WITH_AUDIT +@@ -1048,6 +1053,7 @@ int main (int argc, char **argv) user_id = pwd->pw_uid; user_gid = pwd->pw_gid; -@@ -1051,7 +1055,7 @@ int main (int argc, char **argv) + user_home = xstrdup (pwd->pw_dir); ++ pw_close(); } #ifdef WITH_TCB if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } - #endif /* WITH_TCB */ - #ifdef USE_NIS -@@ -1071,7 +1075,7 @@ int main (int argc, char **argv) - _("%s: %s is the NIS master\n"), - Prog, nis_master); - } -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } - #endif /* USE_NIS */ - /* -@@ -1079,7 +1083,7 @@ int main (int argc, char **argv) +@@ -1079,7 +1085,7 @@ int main (int argc, char **argv) * Note: This is a best effort basis. The user may log in between, * a cron job may be started on her behalf, etc. */ 
@@ -88,21 +70,3 @@ diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, -@@ -1087,15 +1091,14 @@ int main (int argc, char **argv) - user_name, AUDIT_NO_ID, - SHADOW_AUDIT_FAILURE); - #endif /* WITH_AUDIT */ -- exit (E_USER_BUSY); -+ fail_exit (E_USER_BUSY); - } - } - - /* -- * Do the hard stuff - open the files, create the user entries, -+ * Do the hard stuff - create the user entries, - * create the home directory, then close and update the files. - */ -- open_files (); - update_user (); - update_groups (); - diff --git a/shadow-utils.spec b/shadow-utils.spec index 32f70ce..feb6499 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -235,6 +235,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 +- fix regression caused by the userdel-chroot patch (#1509978) + * Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 - fix userdel in chroot (#1316168) - add useful chage -E example to chage manpage From a6650f241ccb63c9b4fe23cddb585d536a5bb0cf Mon Sep 17 00:00:00 2001 From: esakaiev Date: Fri, 5 Jan 2018 20:39:59 +0200 Subject: [PATCH 51/64] Adding tests to the new_tests branch --- tests/sanity/Makefile | 77 +++ tests/sanity/PURPOSE | 10 + tests/sanity/runtest.sh | 24 + tests/sanity/sanity_test.py | 1013 +++++++++++++++++++++++++++++++++++ tests/tests.yml | 13 + 5 files changed, 1137 insertions(+) create mode 100644 tests/sanity/Makefile create mode 100644 tests/sanity/PURPOSE create mode 100755 tests/sanity/runtest.sh create mode 100755 tests/sanity/sanity_test.py create mode 100644 tests/tests.yml 
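Review bot: The new `pw_open(O_RDONLY);` placed before `pw_locate (user_name)` discards its return value, so when the passwd file under the (possibly -R) root cannot be opened, pw_locate() returns NULL and the user is told `user '%s' does not exist`, a misleading message that hides permission or chroot-setup problems. Check it the way open_files() does for the read-write open, e.g. `if (pw_open (O_RDONLY) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); exit (E_PW_UPDATE); }` (using the same exit status open_files() uses, if that is what it prints). The `pw_close();` calls are likewise unchecked; that is harmless for a read-only open, but a `(void)` cast would make the intent visible. The main() body this hunk patches starts and ends outside the hunk.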
diff --git a/tests/sanity/Makefile b/tests/sanity/Makefile new file mode 100644 index 0000000..386221b --- /dev/null +++ b/tests/sanity/Makefile 
@@ -0,0 +1,77 @@ +# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material +# is made available to anyone wishing to use, modify, copy, or +# redistribute it subject to the terms and conditions of the GNU General +# Public License v.2. +# +# This program is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# Author: Jakub Hrozek + +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# +# Example Makefile for RHTS # +# This example is geared towards a test for a specific package # +# It does most of the work for you, but may require further coding # +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# + +# The toplevel namespace within which the test lives. +TOPLEVEL_NAMESPACE=CoreOS + +# The name of the package under test: +PACKAGE_NAME=shadow-utils + +# The path of the test below the package: +RELATIVE_PATH=sanity + +# Version of the Test. Used with make tag. +export TESTVERSION=1.1 + +# The combined namespace of the test. +export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH) + +# A phony target is one that is not really the name of a file. +# It is just a name for some commands to be executed when you +# make an explicit request. There are two reasons to use a +# phony target: to avoid a conflict with a file of the same +# name, and to improve performance. +.PHONY: all install download clean + +# Executables to be built should be added here, they will be generated on the system under test. +BUILT_FILES= + +# Data files, .c files, scripts anything needed to either compile the test and/or run it. 
+FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x ./sanity_test.py + chmod a+x ./runtest.sh + +clean: + rm -f *~ *.rpm $(BUILT_FILES) + +# Include Common Makefile +include /usr/share/rhts/lib/rhts-make.include + +# Generate the testinfo.desc here: +$(METADATA): Makefile + @touch $(METADATA) + @echo "Owner: Jakub Hrozek " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "License: GNU GPL" >> $(METADATA) + @echo "Description: Basic sanity test for shadow-utils" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA) + @echo "Requires: $(PACKAGE_NAME)" >> $(METADATA) + @echo "Requires: python" >> $(METADATA) + rhts-lint $(METADATA) + diff --git a/tests/sanity/PURPOSE b/tests/sanity/PURPOSE new file mode 100644 index 0000000..27062e1 --- /dev/null +++ b/tests/sanity/PURPOSE @@ -0,0 +1,10 @@ +This is a basic sanity test for the shadow-utils package. It is implemented +in python on top of the unittesting.py module. + +Its purpose is to ensure that the binaries in the shadow-utils package behave +as expected and its switches/options work correctly. + +For the most part, every binary in the shadow-utils package is represented by +a single class named Test, i.e. TestUsermod etc. There are some +exceptions, like TestUseraddWeirdNameTest though. + diff --git a/tests/sanity/runtest.sh b/tests/sanity/runtest.sh new file mode 100755 index 0000000..cb2a2b5 --- /dev/null +++ b/tests/sanity/runtest.sh 
@@ -0,0 +1,24 @@
+#!/bin/bash
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlFileBackup --clean /etc/default/useradd- /etc/default/useradd
+setenforce 0
+python sanity_test.py -v
+setenforce 1
+rlFileRestore
+
+EXIT=$?
+if [[ $EXIT -eq 0 ]]; then
+ RESULT="PASS"
+else
+ RESULT="FAIL"
+fi
+
+
+rlJournalEnd
+
+echo "Result: $RESULT"
+echo "Exit: $EXIT"
+report_result $TEST $RESULT $EXIT
diff --git a/tests/sanity/sanity_test.py b/tests/sanity/sanity_test.py
new file mode 100755
index 0000000..e9c45c2
--- /dev/null
+++ b/tests/sanity/sanity_test.py
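Review bot: `EXIT=$?` is evaluated after `rlFileRestore`, so it records the status of rlFileRestore rather than of `python sanity_test.py -v` (setenforce 1 and rlFileRestore run in between), and a failing test suite is reported as PASS whenever the restore succeeds. The script also runs `setenforce 1` unconditionally, which switches a host that was Permissive before the run into Enforcing, and if the Python suite is killed the host is left in Permissive mode with nothing restoring it. Capture the status immediately after the python invocation and put back the mode that was actually in effect:
```shell
rlFileBackup --clean /etc/default/useradd- /etc/default/useradd
ENFORCE=$(getenforce)
setenforce 0
python sanity_test.py -v
EXIT=$?
[ "$ENFORCE" = "Enforcing" ] && setenforce 1
rlFileRestore
# … unchanged: RESULT computation, rlJournalEnd, report_result …
```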
@@ -0,0 +1,1013 @@ +#!/usr/bin/env python +""" +A script that tests functionality of the shadow-utils package. + +Author: Jakub Hrozek, +License: GNU GPL v2 +Date: 2007 + +TODO: + * tests for password aging + * if something fails, print out the command issued for easier debugging + * test long options variants along with the short ones +""" + +import unittest +import pwd +import grp +import commands +import os +import os.path +import sys +import copy +import tempfile +import rpm +import shutil + +from UserDict import UserDict + +class RedHatVersion(object): + def __init__(self, type=None, version=None, release=None): + self.type = type + self.version = version + self.release = release + self.rhel = False + + def __eq__( self, other): + """ + Don't compare if either of the values is None + so we can do comparisons like 'is it fedora?' or 'is it rhel4?' + """ + ok = (self.type == other.type) + if ok == False: return False + + if self.version and other.version: + ok = (self.version == other.version) + if ok == False: return False + + if (self.release == other.release): + ok = (self.release == other.release) + + return ok + + def __ne__( self, other): + return not self.__eq__(other) + + def __get_fedora_info(self, mi): + return [ (h['version'],h['release']) for h in mi ][0] + + def __get_rhel_info(self, mi): + # The rules for RHEL versions are braindead..releases even more + ver_rpm, rel_rpm = [ (h['version'],h['release']) for h in mi ][0] + rhel_versions = { '3AS' : 3, '4AS' : 4, '5Server' : 5, '5Client' : 5, '6' : 6 } + if ver_rpm[:3] == '5.9' or ver_rpm[:1] == '6': # rhel6 prerelease and release hack + rhel_versions[ver_rpm] = 6 + if ver_rpm in rhel_versions.keys(): + return (rhel_versions[ver_rpm], rel_rpm) + + def is_rhel(self): + return self.rhel + + def get_info(self): + """ + Returns a tuple containing (type, version, release) of RHEL or Fedora. + Type is either RHEL or Fedora. 
+ Returns None if it cannot parse the info + """ + + ts = rpm.TransactionSet() + mi = ts.dbMatch() + mi.pattern('name', rpm.RPMMIRE_GLOB, 'redhat-release*') + + if mi: + self.rhel = True + return ('RHEL',) + self.__get_rhel_info(mi) + else: + mi = ts.dbMatch('name','fedora-release') + self.rhel = False + if mi.count() != 0: + return ('Fedora',) + self.__get_fedora_info(mi) + + return None + + +class UserInfo(UserDict): + fields = { "pw_name" : 0, "pw_passwd" : 1, "pw_uid" : 2, "pw_gid" : 3, + "pw_gecos" : 4, "pw_dir" : 5, "pw_shell" : 6 } + + def __init__(self): + UserDict.__init__(self) + for f in UserInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in UserInfo.fields: + self[f] = struct[UserInfo.fields[f]] + + def get_info_uid(self, uid): + self.__parse_info(pwd.getpwuid(uid)) + + def get_info_name(self, name): + try: + self.__parse_info(pwd.getpwnam(name)) + except KeyError: + return None + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. 
""" + for field in UserInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class GroupInfo(UserDict): + fields = { "gr_name" : 0, "gr_passwd" : 1, + "gr_gid" : 2, "gr_mem" : 3} + + def __init__(self): + UserDict.__init__(self) + for f in GroupInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in GroupInfo.fields: + self[f] = struct[GroupInfo.fields[f]] + + def get_info_gid(self, gid): + self.__parse_info(grp.getgrgid(gid)) + + def get_info_name(self, name): + self.__parse_info(grp.getgrnam(name)) + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. 
""" + for field in GroupInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class LoginDefsParser(UserDict): + "A quick-n-dirty way how to fetch the defaults from /etc/login.defs into a dictionary" + + def __getitem__(self, key): + try: + return UserDict.__getitem__(self, key) + except KeyError: + # if a name-value is not defined in the config file, return defaults + if key == "CREATE_MAIL_SPOOL": + return "yes" + if key == "UMASK": + return "077" + + def __init__(self, path="/etc/login.defs",split=None): + self.path = path + UserDict.__init__(self) + try: + defs = open(path) + except IOError: + print "Could not open the config file %s" % (path) + + for line in defs: + if line.startswith('#'): continue + fields = line.split(split) + if len(fields) != 2: continue # yeah, we're dirty + self.data[fields[0]] = fields[1] + + def serialize(self): + output = open(self.path, "w+") + for k,v in self.data.items(): + output.write("%s=%s" % (k, v)) + + output.write("\n") + output.close() + +class TestUserInfo(unittest.TestCase): + def testLazyCompare(self): + """ (test sanity): Test comparing two UserInfo records """ + a = UserInfo() + a["pw_name"] = "foo" + a["pw_uid"] = 555 + b = copy.deepcopy(a) + c = UserInfo() + + self.assertEqual(a.lazy_compare(b), True) + self.assertEqual(a.lazy_compare(c), True) + + c["pw_name"] = "foo" + c["pw_uid"] = None + self.assertEqual(a.lazy_compare(c), True) + self.assertEqual(c.lazy_compare(a), False) + + c["pw_name"] = "bar" + self.assertNotEqual(a.lazy_compare(c), True) + + def testGetInfoUid(self): + """ (test sanity): Test getting user info based on his UID """ + a = UserInfo() + a.get_info_uid(0) + self.assertEqual(a["pw_name"], "root") + + def testGetInfoName(self): + """ (test sanity): Test getting user info based on his name """ + a = UserInfo() + a.get_info_name("root") + self.assertEqual(a["pw_uid"], 0) + +class ShadowUtilsTestBase: + """ Handy routines """ + def getDefaults(self): + 
# get the default values for so we can compare against that + (status, defaults_str) = commands.getstatusoutput('useradd -D') + if status != 0: + raise RuntimeError("Could not get the default values for useradd") + return dict([ rec.split("=") for rec in defaults_str.split("\n") ]) + + def getDefaultUserInfo(self, username): + expected = UserInfo() + defaults = self.getDefaults() + + expected["pw_name"] = username + expected["pw_dir"] = defaults["HOME"] + "/" + username + expected["pw_shell"] = defaults["SHELL"] + + return expected + +class TestUseradd(ShadowUtilsTestBase, unittest.TestCase): + def setUp(self): + self.username = "test-shadow-utils-useradd" + + def tearDown(self): + commands.getstatusoutput("userdel -r %s" % (self.username)) + + def testBasicAdd(self): + """ useradd: Tests basic adding of a user """ + expected = self.getDefaultUserInfo(self.username) + + runme = "useradd %s" % (self.username) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user\nIssued command: %s" % (runme)) + + def testExistingUser(self): + """ useradd: Test that user with an existing name cannot be added """ + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(commands.getstatusoutput("useradd %s" % (self.username))[0], 0, "FAIL: User that already exists added") + + def testCustomUID(self): + """ useradd: Adding an user with a specific UID """ + UID = 23456 # FIXME - test for a free UID slot first + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + runme = "useradd %s -u %d" % (self.username, UID) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, "Issued command: %s\n" % (runme) + "Got from useradd: %s\n" % (output)) + + created = 
UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific UID\nIssued command: %s" % (runme)) + + def testNegativeUID(self): + """ useradd: Tests that user cannot have a negative UID assigned """ + self.assertNotEqual(commands.getstatusoutput("useradd %s --uid -5" % (self.username))[0], 0, "FAIL: User with UID < 0 added") + + def testCustomExistingUID(self): + """ useradd: Adding a user with a specific existing UID """ + UID = 32112 + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + (status_u, output_u) = commands.getstatusoutput("useradd %s -u %d" % (self.username, UID)) + + # must fail without -o flag + (status_u_no_o, output_u_no_o) = commands.getstatusoutput("useradd foo -u %d" % (UID)) + + # must pass with -o flag + (status_o, output_o) = commands.getstatusoutput("useradd foo -u %d -o" % (UID)) + + # clean up + (status, output) = commands.getstatusoutput("userdel -r foo") + + self.failUnlessEqual(status_u, 0, "FAIL: cannot add an user with a specified UID\n"+output_u) + self.assertEqual(status_o, 0, "FAIL: cannot add an user with an existing UID using the -o flag\n"+output_o) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(status_u_no_o, 0, "FAIL: user with an existing UID added\n"+output_u_no_o) + + def testCustomGID(self): + """ useradd: Adding an user with a specific GID """ + GID = 100 # users group should be everywhere - should we test before? 
+ expected = self.getDefaultUserInfo(self.username) + expected["pw_gid"] = GID + + (status, output) = commands.getstatusoutput("useradd %s -g %d" % (self.username, GID)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific GID") + + def testCustomShell(self): + """ useradd: Adding an user with a specific login shell """ + shell = "/bin/ksh" + expected = self.getDefaultUserInfo(self.username) + expected["pw_shell"] = shell + + (status, output) = commands.getstatusoutput("useradd %s -s %s" % (self.username, shell)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific shell") + + def testCustomHome(self): + """ useradd: Adding an user with a specific home directory """ + home = "/tmp/useradd-test" + os.mkdir(home) + expected = self.getDefaultUserInfo(self.username) + expected["pw_dir"] = home + + (status, output) = commands.getstatusoutput("useradd %s -d %s" % (self.username, home)) + shutil.rmtree(home) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific home") + + def testSystemAccount(self): + """ useradd: Adding a system user (UID < UID_MIN from /etc/login.defs) """ + defaults = LoginDefsParser() + + # system account with no home dir + expected = self.getDefaultUserInfo(self.username) + + (status, output) = commands.getstatusoutput("useradd -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(os.path.exists(created["pw_dir"]), False, "FAIL: System user has a home dir created") + self.assertEqual(created["pw_uid"] 
< defaults['UID_MIN'], True, "FAIL: System user has UID > UID_MIN") + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system user") + + def testAddToMoreGroups(self): + """ useradd: Creating an user that belongs to more than one group """ + (status, output) = commands.getstatusoutput("useradd -G bin %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + gr_bin = GroupInfo() + gr_bin.get_info_name("bin") + self.assertEqual(self.username in gr_bin["gr_mem"], True, "FAIL: User not in supplementary group after usermod -G -a") + + + def testAddWithCommonName(self): + """ useradd: Specifying a comment (user for account name) """ + comment = "zzzzzz" + (status, output) = commands.getstatusoutput("useradd -c %s %s" % (comment, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created["pw_gecos"], comment, "FAIL: failed to create a user with a GECOS comment") + + def testHomePermissions(self): + """ useradd: Check if permissions on newly created home dir match the umask """ + defaults = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + + import stat + perm = os.stat(created["pw_dir"])[stat.ST_MODE] + mode = int(oct(perm & 0777)) + + self.assertEqual(defaults["UMASK"], "077", "FAIL: umask setting is not sane - is %s, should be 077" % (defaults["UMASK"])) + self.assertEqual(int(defaults["UMASK"]) + mode , 777, "FAIL: newly-created home dir does not match the umask") + + def testCreateMailSpool(self): + """ useradd: Check whether the mail spool gets created when told to""" + # set up creating of mail spool + defaults = LoginDefsParser("/etc/default/useradd", split="=") + + create_mail = defaults["CREATE_MAIL_SPOOL"] + defaults["CREATE_MAIL_SPOOL"] = "yes" + defaults.serialize() + + 
login_defs = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # clean up + defaults["CREATE_MAIL_SPOOL"] = create_mail + defaults.serialize() + self.assertEqual(os.path.exists(login_defs["MAIL_DIR"] + "/" + self.username), True, "FAIL: useradd did not create mail spool") + + def testDefaultMailSettings(self): + """ useradd: Check whether the mail spool is on by default""" + defaults = LoginDefsParser("/etc/default/useradd", split="=") + self.assertEqual(defaults["CREATE_MAIL_SPOOL"], "yes\n") + + def testNoLastlog(self): + """ useradd: Check if the -l option prevents from being added to the lastlog """ + pass # FIXME - add some code here + + +class TestUseraddWeirdNameTest(unittest.TestCase, ShadowUtilsTestBase): + """ Tests addition/removal of usernames that have proven to be problematic in the past. + The reason to separate these from the main useradd test suite is to not run the setUp + and tearDown methods """ + + def addAndRemove(self, username, success=True): + expected = self.getDefaultUserInfo(username) + expected["pw_name"] = username + + (status, output) = commands.getstatusoutput("useradd %s" % (username)) + if success: + self.failUnlessEqual(status, 0, output) + else: + self.failIfEqual(status, 0, output) + return True + + created = UserInfo() + created.get_info_name(username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: TestUseraddWeirdName::addAndRemove - could not add a user") + + # the cleanup method won't help this time + (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) + self.failUnlessEqual(status, 0, output) + + def testNumericName(self): + """ useradd: Test if an user with a purely numerical name can be added (123) """ + return self.addAndRemove("123") + + def testSambaName(self): + """ useradd: Test if an user with a name with a dollar at the end can be added (joepublic$ ) """ + return 
self.addAndRemove("joepublic$") + + def testDotInName(self): + """ useradd: Test if an user with a name with a dot in it can be added (joe.public ) """ + return self.addAndRemove("joe.public") + + def testAtInName(self): + """ useradd: Test if an user with an '@' in name can be added (joe@public.com) - should fail """ + return self.addAndRemove("joe@public.com", False) + + def testUppercase(self): + """ useradd: Test if an user with UPPERCASE or Uppercase name can be added """ + return self.addAndRemove("JOEPUBLIC") + return self.addAndRemove("Joepublic") + +class TestUseraddDefaultsChange(unittest.TestCase, ShadowUtilsTestBase): + def testDefaultsChange(self): + """ useradd: Test overriding default settings (shell, home dir, group) with a -D option """ + save = self.getDefaults() + + new_defs = dict() + new_defs["SHELL"] = "/bin/ksh" + new_defs["GROUP"] = "1" + new_defs["HOME"] = "/tmp" + + command = "useradd -D -s%s -g%s -b%s" % (new_defs["SHELL"], new_defs["GROUP"], new_defs["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + overriden = self.getDefaults() + [ self.assertEqual(overriden[k], new_defs[k]) for k in new_defs.keys() ] + + command = "useradd -D -s%s -g%s -b%s" % (save["SHELL"], save["GROUP"], save["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + +class TestUserdel(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.username = "test-shadow-utils-userdel" + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def testRemoveUserGroup(self): + """ userdel: test if userdel removes user's group when he's deleted - regression test for #201379 """ + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # This would fail if we did not have the group removed + (status, output) = 
commands.getstatusoutput("useradd %s" % (self.username))
+ self.failUnlessEqual(status, 0, output)
+
+ (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username))
+ self.failUnlessEqual(status, 0, output)
+
+class TestUsermod(unittest.TestCase, ShadowUtilsTestBase):
+ def setUp(self):
+ self.username = "test-shadow-utils-usermod"
+ (status, output) = commands.getstatusoutput("useradd %s" % (self.username))
+ self.failUnlessEqual(status, 0, output)
+
+ def tearDown(self):
+ (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username))
+ self.failUnlessEqual(status, 0, output)
+
+ def testAppendToSupplementaryGroup(self):
+ """ usermod: Test if a user can be added to a supplementary group """
+ add_group = "additional_group"
+ (status, output) = commands.getstatusoutput("groupadd %s" % (add_group))
+ self.failUnlessEqual(status, 0, output)
+
+ (status_mod, output_mod) = commands.getstatusoutput("usermod -a -G %s %s" % (add_group, self.username))
+ add_group_info = GroupInfo()
+ add_group_info.get_info_name(add_group)
+ (status, output) = commands.getstatusoutput("groupdel %s" % (add_group))
+
+ self.failUnlessEqual(status, 0, output)
+ self.failUnlessEqual(status_mod, 0, output_mod)
+ self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append")
+
+
+ def testAppendToSupplementaryGroupLongOption(self):
+ """ usermod: Test if a user can be added to a supplementary group via --append rather that -a (regression test for 222540) """
+ # this is known to not work on older RHELs - test what we are running
+ rhv = RedHatVersion()
+ runs = rhv.get_info()
+ if rhv.is_rhel():
+ if runs[1] < 5:
+ print "This test makes sense for RHEL5+"
+ return
+ else:
+ if runs[1] < 6:
+ print "This test makes sense for Fedora 6+"
+ return
+
+ type, release, version = RedHatVersion().get_info()
+ if RedHatVersion().is_rhel():
+ if release < 5 or (release == 5 and version < 2):
+ print "This test makes sense for RHEL 5.2+"
+ return
+
+ add_group = "additional_group"
+ (status, output) = commands.getstatusoutput("groupadd %s" % (add_group))
+ self.failUnlessEqual(status, 0, output)
+
+ (status_mod, output_mod) = commands.getstatusoutput("usermod --append -G %s %s" % (add_group, self.username))
+ add_group_info = GroupInfo()
+ add_group_info.get_info_name(add_group)
+ (status, output) = commands.getstatusoutput("groupdel %s" % (add_group))
+
+ self.failUnlessEqual(status, 0, output)
+ self.failUnlessEqual(status_mod, 0, output_mod)
+ self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append")
+
+
+ def testNameChange(self):
+ """ usermod: Test if the comment field (used as the Common Name) can be changed """
+ new_comment = "zzzzzz"
+
+ (status, output) = commands.getstatusoutput("usermod -c %s %s" % (new_comment, self.username))
+ self.failUnlessEqual(status, 0, output)
+
+ created = UserInfo()
+ created.get_info_name(self.username)
+
+ self.assertEqual(created["pw_gecos"], new_comment)
+
+ def testHomeChange(self):
+ """ usermod: Test if user's home directory can be changed """
+ new_home = "/tmp"
+ created = UserInfo()
+ created.get_info_name(self.username)
+ old_home = created["pw_dir"]
+
+ (status, output) = commands.getstatusoutput("usermod -d %s %s" % (new_home, self.username))
+ self.failUnlessEqual(status, 0, output)
+
+ created.get_info_name(self.username)
+ self.assertEqual(created["pw_dir"], new_home)
+
+ # revert to old home so we can userdel -r in tearDown
+ (status, output) = commands.getstatusoutput("usermod -d %s %s" % (old_home, self.username))
+ self.failUnlessEqual(status, 0, output)
+
+ # FIXME - test if contents of /home directories are transferred with the -m option
+ # FIXME - test if new home is created if does not exist before
+
+ def testGIDChange(self):
+ """ usermod: Test if user's gid can be changed. """
+ new_group = "root"
+ # test non-existing group
+ (status_fail, output_fail) = commands.getstatusoutput("usermod -g no-such-group %s" % (self.username))
+ (status, output) = commands.getstatusoutput("usermod -g %s %s" % (new_group, self.username))
+
+ created = UserInfo()
+ created.get_info_name(self.username)
+
+ left = GroupInfo()
+ if left.get_info_name(self.username) == None:
+ (status_del, output_del) = commands.getstatusoutput("groupdel %s" % (self.username))
+ self.failUnlessEqual(status_del, 0, output_del)
+
+ self.failIfEqual(status_fail, 0, output_fail)
+ self.failUnlessEqual(status, 0, output)
+ self.assertEqual(created["pw_gid"], 0) #0 is root group
+
+ def testLoginChange(self):
+ """ usermod: Test if user's login can be changed """
+ new_login = "usermod-login-change"
+ user = UserInfo()
+ user.get_info_name(self.username)
+ uid = user["pw_uid"] # UID won't change even when login does
+
+ # test changing to an existing user name
+ (status, output) = commands.getstatusoutput("usermod -l root %s" % (self.username))
+ self.failIfEqual(status, 0, output)
+
+ (status, output) = commands.getstatusoutput("usermod -l %s %s" % (new_login, self.username))
+ self.failUnlessEqual(status, 0, output)
+ user.get_info_name(new_login)
+ self.assertEqual(user["pw_uid"], uid)
+
+ # revert so we can userdel -r on tearDown
+ (status, output) = commands.getstatusoutput("usermod -l %s %s" % (self.username, new_login))
+ self.failUnlessEqual(status, 0, output)
+
+ def testShellChange(self):
+ """ usermod: Test if user's shell can be changed """
+ new_shell = "/bin/sh"
+
+ (status, output) = commands.getstatusoutput("usermod -s %s %s" % (new_shell, self.username))
+ self.failUnlessEqual(status, 0, output)
+
+ created = UserInfo()
+ created.get_info_name(self.username)
+ self.assertEqual(created["pw_shell"], new_shell)
+
+class TestGroupadd(unittest.TestCase, ShadowUtilsTestBase):
+ def setUp(self):
+ self.groupname = "test-shadow-utils-groups"
+
+ def tearDown(self):
+ commands.getstatusoutput("groupdel %s" % (self.groupname))
+
+ def testAddGroup(self):
+ """ groupadd: Basic adding of a group """
+
+ expected = GroupInfo()
+ expected["gr_name"] = self.groupname
+
+ (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ created = GroupInfo()
+ created.get_info_name(self.groupname)
+ self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a group")
+
+ def testAddSystemGroup(self):
+ """ groupadd: Adding a system group with gid < MIN_GID """
+
+ expected = GroupInfo()
+ expected["gr_name"] = self.groupname
+ defaults = LoginDefsParser()
+
+ (status, output) = commands.getstatusoutput("groupadd -r %s" % (self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ created = GroupInfo()
+ created.get_info_name(self.groupname)
+ self.assertEqual(created["gr_gid"] < defaults["GID_MIN"], True, "FAIL: System group has gid >= GID_MIN")
+ self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system group")
+
+ def testAddExistingGid(self):
+ """ groupadd: Test if we group with an existing GID can be added """
+ (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ gname = "%s-2" % (self.groupname)
+
+ created = GroupInfo()
+ created.get_info_name(self.groupname)
+
+ # no -o option -> this should fail
+ (status, output) = commands.getstatusoutput("groupadd -g%s %s" % (created["gr_gid"], gname))
+ self.failIfEqual(status, 0, output)
+
+ # override with -o option, should pass now
+ (status, output) = commands.getstatusoutput("groupadd -g%s -o %s" % (created["gr_gid"], gname))
+ self.failUnlessEqual(status, 0, output)
+
+ # test if the new GID is really the same
+ same_gid = GroupInfo()
+ same_gid.get_info_name(gname)
+ self.assertEqual(same_gid["gr_gid"], created["gr_gid"])
+
+ # clean up
+ (status, output) = commands.getstatusoutput("groupdel %s" % (gname))
+ self.failUnlessEqual(status, 0, output)
+
+
+ def testOverrideDefaults(self):
+ """ groupadd: Test if the defaults can be overriden with the -K option """
+ # this is known to not work on older RHELs - test what we are running
+ rhv = RedHatVersion()
+ runs = rhv.get_info()
+ if rhv.is_rhel():
+ if runs[1] < 5:
+ print "This test makes sense for RHEL5+"
+ return
+ else:
+ if runs[1] < 6:
+ print "This test makes sense for Fedora 6+"
+ return
+
+
+ GID_MIN = 600
+ GID_MAX = 625
+
+ (status, output) = commands.getstatusoutput("groupadd -K GID_MIN=%d -K GID_MAX=%d %s" %
+ (GID_MIN, GID_MAX, self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ created = GroupInfo()
+ created.get_info_name(self.groupname)
+ self.assertEqual(GID_MIN <= created["gr_gid"] <= GID_MAX, True, "FAIL: created an user with UID of %d" % (created["gr_gid"]))
+
+
+ def testFOption(self):
+ """ groupadd: Tests the -f option of groupadd """
+ (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ (status, output) = commands.getstatusoutput("groupadd -f %s" % (self.groupname))
+ self.assertEqual(status, 0, output)
+
+class TestGroupaddInvalidName(unittest.TestCase, ShadowUtilsTestBase):
+ def testGroupaddInvalidName(self):
+ """ groupadd: Test adding of a group with an invalid name """
+ (status, output) = commands.getstatusoutput("groupadd foo?")
+ self.assertNotEqual(status, 0, output)
+ (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffggg") #33 chars
+ self.assertNotEqual(status, 0, output)
+
+class TestGroupaddValidName(unittest.TestCase, ShadowUtilsTestBase):
+ def testGroupaddValidName(self):
+ """ groupadd: Test adding and removing of groups with maximal valid name and name ending with $ """
+ (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars
+ self.assertEqual(status, 0, output)
+ (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars
+ self.assertEqual(status, 0, output)
+ (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars
+ self.assertEqual(status, 0, output)
+ (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars
+ self.assertEqual(status, 0, output)
+
+
+class TestGroupmod(unittest.TestCase, ShadowUtilsTestBase):
+ def setUp(self):
+ self.groupname = "test-shadow-utils-groups"
+ (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ def tearDown(self):
+ commands.getstatusoutput("groupdel %s" % (self.groupname))
+
+ def testChangeGID(self):
+ """ groupmod: Test changing a gid of a group """
+ expected = GroupInfo()
+ expected["gr_name"] = self.groupname
+ expected["gr_gid"] = 54321
+
+ (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (expected["gr_gid"], self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ created = GroupInfo()
+ created.get_info_name(self.groupname)
+ self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group")
+
+ def testChangeGIDToExistingValue(self):
+ """ groupmod: Test changing GID to an existing value """
+ second_name = "%s-2" % (self.groupname)
+
+ created = GroupInfo()
+ created.get_info_name(self.groupname)
+
+ expected = GroupInfo()
+ expected["gr_name"] = self.groupname
+ expected["gr_gid"] = created["gr_gid"]
+
+ (status, output) = commands.getstatusoutput("groupadd %s" % (second_name))
+ self.failUnlessEqual(status, 0, output)
+
+ # try to assingn GID of the first group to the second - this should fail without the -o option
+ (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (created["gr_gid"], second_name))
+ self.failIfEqual(status, 0, output)
+
+ # should pass with the -o option
+ (status, output) = commands.getstatusoutput("groupmod -g%d -o %s" % (created["gr_gid"], second_name))
+ self.failUnlessEqual(status, 0, output)
+
+ self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group to an existing one")
+
+ # clean up
+ commands.getstatusoutput("groupdel %s" % (second_name))
+ self.failUnlessEqual(status, 0, output)
+
+ def testChangeGroupName(self):
+ """ groupmod: Test changing a group's name """
+ second_name = "%s-2" % (self.groupname)
+
+ created = GroupInfo()
+ created.get_info_name(self.groupname)
+
+ (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (second_name, self.groupname))
+ self.failUnlessEqual(status, 0, output)
+
+ changed = GroupInfo()
+ changed.get_info_gid(created["gr_gid"])
+ self.assertEqual(changed["gr_name"], second_name)
+ self.assertEqual(changed["gr_gid"], created["gr_gid"])
+
+ # change back, so the group could be deleted by tearDown
+ (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (self.groupname, second_name))
+ self.failUnlessEqual(status, 0, output)
+
+ def testChangeGroupNameExisting(self):
+ """ groupmod: Test changing a group's name to an existing one """
+ existing = "bin"
+ (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (existing, self.groupname))
+ self.assertNotEqual(status, 0, output) # man groupmod -> 9: group name already in use
+
+ def testChangeNonExistingGroup(self):
+ """ groupmod: Test properties of a non-existing group """
+ nonexistent = "foobar"
+ (status, output) = commands.getstatusoutput("groupmod -nspameggs %s" % (nonexistent))
+ self.assertNotEqual(status, 0, status) # man groupmod -> 6: specified group doesn't exist
+
+class TestGroupdel(unittest.TestCase, ShadowUtilsTestBase):
+ def testCorrectGroupdel(self):
+ """ groupdel: Basic usage of groupdel """
+ self.groupname = "test-shadow-utils-groups"
+ (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname))
+ self.failUnlessEqual(status, 0, output)
+ (status, output) = commands.getstatusoutput("groupdel %s" % (self.groupname))
+ self.assertEqual(status, 0, output)
+
+ def testGroupdelNoSuchGroup(self):
+ """ groupdel: Remove non-existing group """
+ (status, output) = commands.getstatusoutput("groupdel foobar")
+ self.assertNotEqual(status, 0, output)
+
+ def testRemovePrimaryGroup(self):
+ """ groupdel: Remove a primary group of an user """
+ username = "test-groupdel-primary"
+ (status, output) = commands.getstatusoutput("useradd %s" % (username))
+ self.failUnlessEqual(status, 0, output)
+
+ (status, output) = commands.getstatusoutput("groupdel %s" % (username))
+ self.assertNotEqual(status, 0, output)
+
+ # clean up
+ (status, output) = commands.getstatusoutput("userdel -r %s" % (username))
+ self.failUnlessEqual(status, 0, output)
+
+class TestPwckGrpck(unittest.TestCase):
+ def setUp(self):
+ self.passwd_path = tempfile.mktemp(suffix="test-pwck-passwd")
+ self.passwd_file = open(self.passwd_path, "w")
+ self.group_path = tempfile.mktemp(suffix="test-pwck-grp")
+ self.group_file = open(self.group_path, "w")
+ self.gshadow_path = tempfile.mktemp(suffix="test-pwck-gshadow")
+ self.gshadow_file = open(self.gshadow_path, "w")
+
+ def tearDown(self):
+ self.passwd_file.close()
+ self.group_file.close()
+ self.gshadow_file.close()
+
+ os.remove(self.passwd_path)
+ os.remove(self.group_path)
+ os.remove(self.gshadow_path)
+
+ def runPwckCheck(self, passwd, group):
+ self.passwd_file.truncate()
+ self.group_file.truncate()
+
+ self.passwd_file.write(passwd)
+ self.passwd_file.flush()
+ self.group_file.write(group)
+ self.group_file.flush()
+
+ command = "pwck -r %s %s" % (self.passwd_path, self.group_path)
+ return commands.getstatusoutput(command)
+
+ def runGrpCheck(self, group, gshadow):
+ self.group_file.truncate()
+ self.gshadow_file.truncate()
+
+ self.gshadow_file.write(gshadow)
+ self.gshadow_file.flush()
+
+ self.group_file.write(group)
+ self.group_file.flush()
+
+ command = "grpck -r %s %s" % (self.group_path, self.gshadow_path)
+ return commands.getstatusoutput(command)
+
+
+ def testValidEntries(self):
+ """ pwck: a valid entry """
+ status, output = self.runPwckCheck("foo:x:685:0::/dev/null:/bin/bash", "")
+ rhv = RedHatVersion()
+ runs = rhv.get_info()
+ if rhv.is_rhel():
+ if runs[1] < 6:
+ self.assertEqual(status, 0, output)
+ else:
+ self.assertNotEqual(status, 0, output)
+
+ def testNumberOfFields(self):
+ """ pwck: invalid number of fields in the record """
+ not_enough = "foo:x:685:685::/dev/null"
+ too_many = "foo:x:685:685::/dev/null:/bin/bash:comment"
+ status, output = self.runPwckCheck(not_enough, "")
+ self.assertNotEqual(status, 0, output)
+
+ status, output = self.runPwckCheck(too_many, "")
+ self.assertNotEqual(status, 0, output)
+
+ def testUniqueUserName(self):
+ """ pwck: unique user name in the record """
+ duplicate_username = "foo:x:685:685::/dev/null:/bin/bash\nfoo:x:686:686::/dev/null:/bin/bash"
+ status, output = self.runPwckCheck(duplicate_username, "")
+ self.assertNotEqual(status, 0, output)
+
+ def testValidID(self):
+ """ pwck: invalid UID in the records """
+ invalid_ids = [ "foo:x:-1:685::/dev/null:/bin/bash", "foo:x:blah:685::/dev/null:/bin/bash", "foo:x:1234567890:685::/dev/null:/bin/bash" ]
+ for record in invalid_ids:
+ status, output = self.runPwckCheck(record, "")
+ self.assertNotEqual(status, 0, record)
+
+
+ def testValidPrimaryGroup(self):
+ """ pwck: invalid primary group """
+ invalid_groups = [ "foo:x:685:-1::/dev/null:/bin/bash", "foo:x:685:blah::/dev/null:/bin/bash", "foo:x:685:1234567890::/dev/null:/bin/bash" ]
+ for record in invalid_groups:
+ status, output = self.runPwckCheck("", record)
+ self.assertNotEqual(status, 0, output)
+
+ def testValidHomeDir(self):
+ """ pwck: invalid home dir """
+ for record in [ "foo:x:685:685::123:/bin/bash", "foo:x:685:685::/path/to/nowhere:/bin/bash", "foo:x:685:1234567890::!:/bin/bash" ]:
+ status, output = self.runPwckCheck(record, "")
+ self.assertNotEqual(status, 0, output)
+
+ def testBZ164954(self):
+ """
grpck: regression test for BZ164954 """ + record = "root:x:0:root\nbin:x:1:root,bin,daemon\ndaemon:x:2:root,bin,daemon\nsys:x:3:root,bin,adm\nadm:x:4:root,adm,daemon" + status, output = self.runGrpCheck("", record) + self.assertNotEqual(status, 0, output) + +if __name__ == "__main__": + broken_on_rhel4 = { "TestUseradd" : [ "testCustomUID", "testCustomGID" ] } + + if os.getuid() != 0: + print "This test must be run as root" + sys.exit(1) + + unittest.main() + diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..09f4769 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,13 @@ +--- +# This first play always runs on the local staging system +- hosts: localhost + roles: + - role: standard-test-beakerlib + tags: + - classic + - atomic + tests: + - sanity + required_packages: + - shadow-utils # sanity test needs shadow-utils + - python # sanity test needs python From 2d4f6e1972db0c808301bf6ce628e46bfbb13008 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 20 Jan 2018 23:08:33 +0100 Subject: [PATCH 52/64] Rebuilt for switch to libxcrypt --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index feb6499..25ccdb1 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -235,6 +235,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sat Jan 20 2018 Björn Esser - 2:4.5-8 +- Rebuilt for switch to libxcrypt + * Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 - fix regression caused by the userdel-chroot patch (#1509978) From 41955fa9abba5665b7e3d4668c750dc899e63de0 Mon Sep 17 00:00:00 2001 
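Review bot: `required_packages` asks for `python`, but the sanity test this play runs is Python 2 source — the test file in the preceding hunk uses the `commands` module and `print "..."` statements — so on a target where `python` resolves to Python 3 the test fails at parse time instead of exercising shadow-utils. I would name the interpreter the test actually needs, e.g. `- python2 # sanity test is Python 2 (commands module, print statements)`, or port the test to Python 3 and keep `python`. Which package name is correct depends on the distributions the standard-test-beakerlib role targets, which this file does not show.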
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Tue, 6 Feb 2018 11:33:37 +0100 Subject: [PATCH 53/64] Add patch to include crypt.h, if present Use %%make_{build,install} macros Refresh other patches for proper alignment --- shadow-4.1.5-2ndskip.patch | 14 ++- shadow-4.1.5-redhat.patch | 16 +-- shadow-4.1.5.1-default-range.patch | 7 +- shadow-4.1.5.1-info-parent-dir.patch | 9 +- shadow-4.1.5.1-ingroup.patch | 9 +- shadow-4.1.5.1-logmsg.patch | 9 +- shadow-4.1.5.1-move-home.patch | 9 +- shadow-4.1.5.1-newgrp-grouplist.patch | 13 ++- shadow-4.1.5.1-userdel-helpfix.patch | 9 +- shadow-4.2.1-date-parsing.patch | 7 +- shadow-4.2.1-no-lock-dos.patch | 7 +- shadow-4.2.1-null-tm.patch | 35 +++--- shadow-4.3.1-audit-update.patch | 153 ++++++++++++++------------ shadow-4.3.1-manfix.patch | 51 +++++---- shadow-4.3.1-selinux-perms.patch | 21 ++-- shadow-4.5-crypt_h.patch | 41 +++++++ shadow-4.5-goodname.patch | 21 ++-- shadow-4.5-orig-context.patch | 35 +++--- shadow-4.5-selinux.patch | 14 ++- shadow-4.5-userdel-chroot.patch | 14 ++- shadow-4.5-usermod-unlock.patch | 7 +- shadow-utils.spec | 13 ++- 22 files changed, 307 insertions(+), 207 deletions(-) create mode 100644 shadow-4.5-crypt_h.patch diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch index 8a9cf68..5a8e444 100644 --- a/shadow-4.1.5-2ndskip.patch +++ b/shadow-4.1.5-2ndskip.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c ---- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200 -+++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200 +Index: shadow-4.5/src/grpconv.c +=================================================================== +--- shadow-4.5.orig/src/grpconv.c ++++ shadow-4.5/src/grpconv.c @@ -143,6 +143,7 @@ int main (int argc, char **argv) struct group grent; const struct sgrp *sg; 
@@ -48,9 +49,10 @@ diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c } /* -diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c ---- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200 -+++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200 +Index: shadow-4.5/src/pwconv.c +=================================================================== +--- shadow-4.5.orig/src/pwconv.c ++++ shadow-4.5/src/pwconv.c @@ -173,6 +173,7 @@ int main (int argc, char **argv) struct passwd pwent; const struct spwd *sp; diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.1.5-redhat.patch index a785b29..ef26cbd 100644 --- a/shadow-4.1.5-redhat.patch +++ b/shadow-4.1.5-redhat.patch @@ -1,8 +1,8 @@ -diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8 -diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c ---- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100 -+++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100 -@@ -93,7 +93,7 @@ const char *Prog; +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -98,7 +98,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; static const char *def_home = "/home"; @@ -11,7 +11,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static const char *def_template = SKEL_DIR; static const char *def_create_mail_spool = "no"; -@@ -103,7 +103,7 @@ static const char *def_expire = ""; +@@ -108,7 +108,7 @@ static const char *def_expire = ""; #define VALID(s) (strcspn (s, ":\n") == strlen (s)) static const char *user_name = ""; 
@@ -20,7 +20,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha +@@ -1059,9 +1059,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX @@ -32,7 +32,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha +@@ -1212,6 +1212,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch index 45c677a..2a9d640 100644 --- a/shadow-4.1.5.1-default-range.patch +++ b/shadow-4.1.5.1-default-range.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200 +Index: shadow-4.5/lib/semanage.c +=================================================================== +--- shadow-4.5.orig/lib/semanage.c ++++ shadow-4.5/lib/semanage.c @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h goto done; } diff --git a/shadow-4.1.5.1-info-parent-dir.patch b/shadow-4.1.5.1-info-parent-dir.patch index b05e5bb..b3a525b 100644 --- a/shadow-4.1.5.1-info-parent-dir.patch +++ b/shadow-4.1.5.1-info-parent-dir.patch 
@@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml ---- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 -@@ -216,7 +216,15 @@ +Index: shadow-4.5/man/newusers.8.xml +=================================================================== +--- shadow-4.5.orig/man/newusers.8.xml ++++ shadow-4.5/man/newusers.8.xml +@@ -218,7 +218,15 @@ If this field does not specify an existing directory, the specified directory is created, with ownership set to the diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch index e440431..1c30198 100644 --- a/shadow-4.1.5.1-ingroup.patch +++ b/shadow-4.1.5.1-ingroup.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.ingroup 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2014-08-29 14:04:57.183849650 +0200 +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c @@ -83,15 +83,29 @@ static void usage (void) } } @@ -52,7 +53,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c } endgrent (); return gr; -@@ -616,7 +624,7 @@ int main (int argc, char **argv) +@@ -630,7 +638,7 @@ int main (int argc, char **argv) * groups of the same GID like the requested group for * membership of the current user. */ diff --git a/shadow-4.1.5.1-logmsg.patch b/shadow-4.1.5.1-logmsg.patch index 7d5cbc8..ca7e57b 100644 --- a/shadow-4.1.5.1-logmsg.patch +++ b/shadow-4.1.5.1-logmsg.patch 
@@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 -@@ -275,7 +275,7 @@ static void fail_exit (int code) +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -323,7 +323,7 @@ static void fail_exit (int code) user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch index c87e232..f1790e2 100644 --- a/shadow-4.1.5.1-move-home.patch +++ b/shadow-4.1.5.1-move-home.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 -@@ -1571,6 +1571,11 @@ static void move_home (void) +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c +@@ -1814,6 +1814,11 @@ static void move_home (void) Prog, user_home, user_newhome); fail_exit (E_HOMEDIR); } diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch index 8fcfd97..47eb6f6 100644 --- a/shadow-4.1.5.1-newgrp-grouplist.patch +++ b/shadow-4.1.5.1-newgrp-grouplist.patch 
@@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.grouplist 2016-06-28 10:23:46.686334213 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2017-08-14 10:26:58.300757328 +0200 -@@ -382,6 +382,7 @@ int main (int argc, char **argv) +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c +@@ -396,6 +396,7 @@ int main (int argc, char **argv) { bool initflag = false; int i; @@ -9,7 +10,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c bool cflag = false; int err = 0; gid_t gid; -@@ -631,22 +632,36 @@ int main (int argc, char **argv) +@@ -645,22 +646,36 @@ int main (int argc, char **argv) goto failure; } @@ -57,7 +58,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c } #ifdef SHADOWGRP sgrp = getsgnam (group); -@@ -659,7 +674,9 @@ int main (int argc, char **argv) +@@ -673,7 +688,9 @@ int main (int argc, char **argv) /* * Check if the user is allowed to access this group. */ diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch index b79baee..075f482 100644 --- a/shadow-4.1.5.1-userdel-helpfix.patch +++ b/shadow-4.1.5.1-userdel-helpfix.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c ---- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 -+++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 -@@ -130,8 +130,9 @@ static void usage (int status) +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c +@@ -143,8 +143,9 @@ static void usage (int status) "\n" "Options:\n"), Prog); diff --git a/shadow-4.2.1-date-parsing.patch b/shadow-4.2.1-date-parsing.patch index 91a85ac..2a798d0 100644 
--- a/shadow-4.2.1-date-parsing.patch +++ b/shadow-4.2.1-date-parsing.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y ---- shadow-4.2.1/libmisc/getdate.y.date-parsing 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/getdate.y 2014-11-26 14:58:21.208153924 +0100 +Index: shadow-4.5/libmisc/getdate.y +=================================================================== +--- shadow-4.5.orig/libmisc/getdate.y ++++ shadow-4.5/libmisc/getdate.y @@ -152,6 +152,7 @@ static int yyHaveDay; static int yyHaveRel; static int yyHaveTime; diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch index 58fd605..c6873e9 100644 --- a/shadow-4.2.1-no-lock-dos.patch +++ b/shadow-4.2.1-no-lock-dos.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c ---- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200 -+++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200 +Index: shadow-4.5/lib/commonio.c +=================================================================== +--- shadow-4.5.orig/lib/commonio.c ++++ shadow-4.5/lib/commonio.c @@ -140,7 +140,10 @@ static int do_lock_file (const char *fil int retval; char buf[32]; diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch index 15b7720..b1dd1c4 100644 --- a/shadow-4.2.1-null-tm.patch +++ b/shadow-4.2.1-null-tm.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c ---- shadow-4.2.1/src/faillog.c.null-tm 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/faillog.c 2016-06-14 11:30:00.066890251 +0200 +Index: shadow-4.5/src/faillog.c +=================================================================== +--- shadow-4.5.orig/src/faillog.c ++++ shadow-4.5/src/faillog.c @@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s } 
@@ -18,9 +19,10 @@ diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c printf ("%-9s %5d %5d ", pw->pw_name, fl.fail_cnt, fl.fail_max); /* FIXME: cp is not defined ifndef HAVE_STRFTIME */ -diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c ---- shadow-4.2.1/src/chage.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/chage.c 2016-06-14 11:18:25.299366908 +0200 +Index: shadow-4.5/src/chage.c +=================================================================== +--- shadow-4.5.orig/src/chage.c ++++ shadow-4.5/src/chage.c @@ -168,6 +168,10 @@ static void date_to_str (char *buf, size struct tm *tp; @@ -32,9 +34,10 @@ diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c #ifdef HAVE_STRFTIME (void) strftime (buf, maxsize, "%Y-%m-%d", tp); #else -diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c ---- shadow-4.2.1/src/lastlog.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/lastlog.c 2016-06-14 11:29:39.210423264 +0200 +Index: shadow-4.5/src/lastlog.c +=================================================================== +--- shadow-4.5.orig/src/lastlog.c ++++ shadow-4.5/src/lastlog.c @@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s ll_time = ll.ll_time; @@ -57,9 +60,10 @@ diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c if (ll.ll_time == (time_t) 0) { cp = _("**Never logged in**\0"); -diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c ---- shadow-4.2.1/src/passwd.c.null-tm 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/passwd.c 2016-06-14 11:23:21.028969028 +0200 +Index: shadow-4.5/src/passwd.c +=================================================================== +--- shadow-4.5.orig/src/passwd.c ++++ shadow-4.5/src/passwd.c @@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to struct tm *tm; 
@@ -70,9 +74,10 @@ diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c #ifdef HAVE_STRFTIME (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); #else /* !HAVE_STRFTIME */ -diff -up shadow-4.2.1/src/usermod.c.null-tm shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/usermod.c 2016-06-14 11:24:50.974977059 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ } else { time_t t = (time_t) date; diff --git a/shadow-4.3.1-audit-update.patch b/shadow-4.3.1-audit-update.patch index e708f75..8c72cf3 100644 --- a/shadow-4.3.1-audit-update.patch +++ b/shadow-4.3.1-audit-update.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/audit_help.c ---- shadow-4.3.1/libmisc/audit_help.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/audit_help.c 2016-08-22 17:21:15.442291139 +0200 +Index: shadow-4.5/libmisc/audit_help.c +=================================================================== +--- shadow-4.5.orig/libmisc/audit_help.c ++++ shadow-4.5/libmisc/audit_help.c @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: 
@@ -50,9 +51,10 @@ diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/aud void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/cleanup_group.c ---- shadow-4.3.1/libmisc/cleanup_group.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/cleanup_group.c 2016-08-22 17:21:15.443291142 +0200 +Index: shadow-4.5/libmisc/cleanup_group.c +=================================================================== +--- shadow-4.5.orig/libmisc/cleanup_group.c ++++ shadow-4.5/libmisc/cleanup_group.c @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -131,9 +133,10 @@ diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/ SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/cleanup_user.c ---- shadow-4.3.1/libmisc/cleanup_user.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/cleanup_user.c 2016-08-22 17:21:15.443291142 +0200 +Index: shadow-4.5/libmisc/cleanup_user.c +=================================================================== +--- shadow-4.5.orig/libmisc/cleanup_user.c ++++ shadow-4.5/libmisc/cleanup_user.c @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); 
@@ -181,10 +184,11 @@ diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/c SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes.h ---- shadow-4.3.1/lib/prototypes.h.audit-update 2016-08-22 17:21:15.406291044 +0200 -+++ shadow-4.3.1/lib/prototypes.h 2016-08-22 17:21:15.443291142 +0200 -@@ -208,12 +208,21 @@ extern int audit_fd; +Index: shadow-4.5/lib/prototypes.h +=================================================================== +--- shadow-4.5.orig/lib/prototypes.h ++++ shadow-4.5/lib/prototypes.h +@@ -211,12 +211,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ #define AUDIT_NO_ID ((unsigned int) -1) @@ -206,9 +210,10 @@ diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes. void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c ---- shadow-4.3.1/src/gpasswd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/gpasswd.c 2016-08-22 17:21:15.444291144 +0200 +Index: shadow-4.5/src/gpasswd.c +=================================================================== +--- shadow-4.5.orig/src/gpasswd.c ++++ shadow-4.5/src/gpasswd.c @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); 
@@ -472,9 +477,10 @@ diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c ---- shadow-4.3.1/src/groupadd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupadd.c 2016-08-22 17:21:15.444291144 +0200 +Index: shadow-4.5/src/groupadd.c +=================================================================== +--- shadow-4.5.orig/src/groupadd.c ++++ shadow-4.5/src/groupadd.c @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -650,9 +656,10 @@ diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c } } -diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c ---- shadow-4.3.1/src/groupdel.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupdel.c 2016-08-22 17:21:15.445291147 +0200 +Index: shadow-4.5/src/groupdel.c +=================================================================== +--- shadow-4.5.orig/src/groupdel.c ++++ shadow-4.5/src/groupdel.c @@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -822,9 +829,10 @@ diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c } #endif -diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c ---- shadow-4.3.1/src/groupmod.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupmod.c 2016-08-22 17:21:15.445291147 +0200 +Index: shadow-4.5/src/groupmod.c +=================================================================== +--- shadow-4.5.orig/src/groupmod.c ++++ shadow-4.5/src/groupmod.c @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } 
@@ -1018,9 +1026,10 @@ diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c ---- shadow-4.3.1/src/chage.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chage.c 2016-08-22 17:21:15.446291149 +0200 +Index: shadow-4.5/src/chage.c +=================================================================== +--- shadow-4.5.orig/src/chage.c ++++ shadow-4.5/src/chage.c @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1108,9 +1117,10 @@ diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c ---- shadow-4.3.1/src/newgrp.c.audit-update 2016-08-22 17:21:15.439291131 +0200 -+++ shadow-4.3.1/src/newgrp.c 2016-08-22 17:21:15.446291149 +0200 +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1315,10 +1325,11 @@ diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.audit-update 2016-08-22 17:21:15.410291055 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-22 17:21:15.447291152 +0200 -@@ -222,6 +222,8 @@ static void create_mail (void); +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -225,6 +225,8 @@ static void create_mail (void); */ static void fail_exit (int code) { 
@@ -1327,7 +1338,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c if (home_added) { if (rmdir (user_home) != 0) { fprintf (stderr, -@@ -235,12 +237,6 @@ static void fail_exit (int code) +@@ -238,12 +240,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1340,7 +1351,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -248,12 +244,6 @@ static void fail_exit (int code) +@@ -251,12 +247,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1353,7 +1364,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -261,12 +251,6 @@ static void fail_exit (int code) +@@ -264,12 +254,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1366,7 +1377,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -275,12 +259,6 @@ static void fail_exit (int code) +@@ -278,12 +262,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1379,7 +1390,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -290,12 +268,6 @@ static void fail_exit (int code) +@@ -293,12 +271,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); 
@@ -1392,7 +1403,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -303,20 +275,19 @@ static void fail_exit (int code) +@@ -306,20 +278,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1420,7 +1431,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -623,7 +594,7 @@ static int set_defaults (void) +@@ -626,7 +597,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1429,7 +1440,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -893,12 +864,6 @@ static void grp_update (void) +@@ -896,12 +867,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1442,7 +1453,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -912,18 +877,12 @@ static void grp_update (void) +@@ -915,18 +880,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1464,7 +1475,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -968,12 +927,6 @@ static void grp_update (void) +@@ -971,12 +930,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); 
@@ -1477,7 +1488,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -987,18 +940,13 @@ static void grp_update (void) +@@ -990,18 +943,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1500,7 +1511,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1341,7 +1289,7 @@ static void process_flags (int argc, cha +@@ -1344,7 +1292,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1509,7 +1520,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1444,7 +1392,7 @@ static void close_files (void) +@@ -1447,7 +1395,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1518,7 +1529,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1457,7 +1405,7 @@ static void close_files (void) +@@ -1460,7 +1408,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1527,7 +1538,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1469,7 +1417,7 @@ static void close_files (void) +@@ -1472,7 +1420,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1536,7 +1547,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1483,7 +1431,7 @@ static void close_files (void) +@@ -1486,7 +1434,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1545,7 +1556,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1499,7 +1447,7 @@ static void close_files (void) +@@ -1502,7 +1450,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1554,7 +1565,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1513,7 +1461,7 @@ static void close_files (void) +@@ -1516,7 +1464,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1563,7 +1574,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1705,7 +1653,7 @@ static void grp_add (void) +@@ -1708,7 +1656,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1572,7 +1583,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1721,7 +1669,7 @@ static void grp_add (void) +@@ -1724,7 +1672,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, 
@@ -1581,7 +1592,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1731,7 +1679,7 @@ static void grp_add (void) +@@ -1734,7 +1682,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1590,7 +1601,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1846,12 +1794,6 @@ static void usr_update (void) +@@ -1895,12 +1843,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1603,7 +1614,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1873,7 +1815,7 @@ static void usr_update (void) +@@ -1922,7 +1864,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1612,7 +1623,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1908,12 +1850,6 @@ static void create_home (void) +@@ -1957,12 +1899,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), Prog, user_home); @@ -1625,7 +1636,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_HOMEDIR); } chown (user_home, user_id, user_gid); -@@ -1921,8 +1857,8 @@ static void create_home (void) +@@ -1970,8 +1906,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT 
@@ -1636,7 +1647,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2100,12 +2036,6 @@ int main (int argc, char **argv) +@@ -2151,12 +2087,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); @@ -1649,7 +1660,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2121,12 +2051,6 @@ int main (int argc, char **argv) +@@ -2172,12 +2102,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1673,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2156,12 +2080,6 @@ int main (int argc, char **argv) +@@ -2207,12 +2131,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1675,7 +1686,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2225,9 +2143,10 @@ int main (int argc, char **argv) +@@ -2285,9 +2203,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT 
@@ -1689,9 +1700,10 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c ---- shadow-4.3.1/src/userdel.c.audit-update 2016-08-22 17:21:15.418291076 +0200 -+++ shadow-4.3.1/src/userdel.c 2016-08-22 17:21:15.447291152 +0200 +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c @@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ @@ -2019,9 +2031,10 @@ diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.3.1/src/usermod.c.audit-update shadow-4.3.1/src/usermod.c ---- shadow-4.3.1/src/usermod.c.audit-update 2016-08-22 17:21:15.441291136 +0200 -+++ shadow-4.3.1/src/usermod.c 2016-08-22 17:21:15.448291155 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch index 4ca6054..cc62a86 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xml ---- shadow-4.3.1/man/groupmems.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/groupmems.8.xml 2016-08-22 17:08:48.486332066 +0200 +Index: shadow-4.5/man/groupmems.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupmems.8.xml ++++ shadow-4.5/man/groupmems.8.xml @@ -179,20 +179,10 @@ SETUP 
@@ -25,9 +26,10 @@ diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xm -diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml ---- shadow-4.3.1/man/chage.1.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/chage.1.xml 2016-08-22 17:08:48.486332066 +0200 +Index: shadow-4.5/man/chage.1.xml +=================================================================== +--- shadow-4.5.orig/man/chage.1.xml ++++ shadow-4.5/man/chage.1.xml @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -52,10 +54,11 @@ diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml Passing the number -1 as the EXPIRE_DATE will remove an account expiration date. -diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 ---- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 -@@ -147,10 +147,6 @@ 以下の参照表は、 +Index: shadow-4.5/man/ja/man5/login.defs.5 +=================================================================== +--- shadow-4.5.orig/man/ja/man5/login.defs.5 ++++ shadow-4.5/man/ja/man5/login.defs.5 +@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 .na @@ -66,9 +69,10 @@ diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/l .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5.xml ---- shadow-4.3.1/man/login.defs.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/login.defs.5.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/login.defs.5.xml +=================================================================== +--- shadow-4.5.orig/man/login.defs.5.xml ++++ shadow-4.5/man/login.defs.5.xml 
@@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -205,9 +209,10 @@ diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5. useradd -diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml ---- shadow-4.3.1/man/shadow.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/shadow.5.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/shadow.5.xml +=================================================================== +--- shadow-4.5.orig/man/shadow.5.xml ++++ shadow-4.5/man/shadow.5.xml @@ -208,8 +208,8 @@ @@ -219,9 +224,10 @@ diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml An empty field means that there are no enforcement of an -diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml ---- shadow-4.3.1/man/useradd.8.xml.manfix 2016-08-22 17:08:48.446331961 +0200 -+++ shadow-4.3.1/man/useradd.8.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml @@ -347,6 +347,11 @@ is not enabled, no home directories are created. @@ -234,9 +240,10 @@ diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml -diff -up shadow-4.3.1/man/usermod.8.xml.manfix shadow-4.3.1/man/usermod.8.xml ---- shadow-4.3.1/man/usermod.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/usermod.8.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/usermod.8.xml +=================================================================== +--- shadow-4.5.orig/man/usermod.8.xml ++++ shadow-4.5/man/usermod.8.xml @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.3.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch index 9469a7e..8550150 100644 --- a/shadow-4.3.1-selinux-perms.patch 
+++ b/shadow-4.3.1-selinux-perms.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c ---- shadow-4.3.1/src/chgpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chgpasswd.c 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/chgpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chgpasswd.c ++++ shadow-4.5/src/chgpasswd.c @@ -39,6 +39,13 @@ #include #include @@ -147,9 +148,10 @@ diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c /* * The updated group file entry is then put back and will * be written to the group file later, after all the -diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c ---- shadow-4.3.1/src/chpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chpasswd.c 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/chpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chpasswd.c ++++ shadow-4.5/src/chpasswd.c @@ -39,6 +39,13 @@ #include #include @@ -257,9 +259,10 @@ diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c /* * The updated password file entry is then put back and will * be written to the password file later, after all the -diff -up shadow-4.3.1/src/Makefile.am.selinux-perms shadow-4.3.1/src/Makefile.am ---- shadow-4.3.1/src/Makefile.am.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/Makefile.am 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/Makefile.am +=================================================================== +--- shadow-4.5.orig/src/Makefile.am ++++ shadow-4.5/src/Makefile.am @@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) 
diff --git a/shadow-4.5-crypt_h.patch b/shadow-4.5-crypt_h.patch
new file mode 100644
index 0000000..c8d19e4
--- /dev/null
+++ b/shadow-4.5-crypt_h.patch
@@ -0,0 +1,41 @@
+Index: shadow-4.5/configure.ac
+===================================================================
+--- shadow-4.5.orig/configure.ac
++++ shadow-4.5/configure.ac
+@@ -32,9 +32,9 @@ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+ AC_HEADER_STDBOOL
+ 
+-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
+- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
++ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
++ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
+ locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
+ attr/error_context.h)
+ 
+Index: shadow-4.5/lib/defines.h
+===================================================================
+--- shadow-4.5.orig/lib/defines.h
++++ shadow-4.5/lib/defines.h
+@@ -4,6 +4,8 @@
+ #ifndef _DEFINES_H_
+ #define _DEFINES_H_
+ 
++#include "config.h"
++
+ #if HAVE_STDBOOL_H
+ # include 
+ #else
+@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
+ # include 
+ #endif
+ 
++#if HAVE_CRYPT_H
++# include /* crypt(3) may be defined in here */
++#endif
++
+ #if TIME_WITH_SYS_TIME
+ # include 
+ # include 
diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch
index bf02257..215f658
--- a/shadow-4.5-goodname.patch
+++ b/shadow-4.5-goodname.patch
@@ -1,6 +1,7 @@
-diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c
---- shadow-4.5/libmisc/chkname.c.goodname 2014-09-01 16:36:40.000000000 +0200
-+++ shadow-4.5/libmisc/chkname.c 2017-09-15 17:06:29.917939977 +0200
+Index: shadow-4.5/libmisc/chkname.c
+===================================================================
+--- shadow-4.5.orig/libmisc/chkname.c
++++ shadow-4.5/libmisc/chkname.c
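Review bot: The `#if HAVE_CRYPT_H` guard added to lib/defines.h leaves the prototype optional, so a build where configure does not find crypt.h and libc no longer declares crypt() in <unistd.h> (the libxcrypt setup the 2:4.5-8 changelog entry refers to) still compiles, with an implicit `int crypt()` that truncates the returned pointer on 64-bit targets and hands a bogus hash to the password comparisons and shadow writes. Since the patch exists to get a real prototype in scope, the missing case should fail at configure time instead of silently miscompiling: after the new AC_CHECK_HEADERS line add `AC_CHECK_DECLS([crypt], [], [AC_MSG_ERROR([no declaration of crypt(3) found])], [[#include <unistd.h>]])` with crypt.h added to that prologue when HAVE_CRYPT_H is set, or at minimum build with `-Werror=implicit-function-declaration`. The comment on the include also misdescribes what the header does; `/* crypt(3) is declared here, not in <unistd.h>, when libxcrypt provides it */` is more accurate. The callers of crypt() are not visible from this hunk, so whether every translation unit actually reaches this include through defines.h is not verifiable here.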
@@ -47,27 +47,46 @@ #include "chkname.h" @@ -59,9 +60,10 @@ diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c } bool is_valid_user_name (const char *name) -diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml ---- shadow-4.5/man/groupadd.8.xml.goodname 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/man/groupadd.8.xml 2017-08-14 10:27:24.657391521 +0200 +Index: shadow-4.5/man/groupadd.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupadd.8.xml ++++ shadow-4.5/man/groupadd.8.xml @@ -256,12 +256,6 @@ CAVEATS @@ -75,9 +77,10 @@ diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml ---- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 -+++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml @@ -633,12 +633,6 @@ diff --git a/shadow-4.5-orig-context.patch b/shadow-4.5-orig-context.patch index c935658..a1c2235 100644 --- a/shadow-4.5-orig-context.patch +++ b/shadow-4.5-orig-context.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c ---- shadow-4.5/lib/commonio.c.orig-context 2017-05-17 21:19:44.000000000 +0200 -+++ shadow-4.5/lib/commonio.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/commonio.c +=================================================================== +--- shadow-4.5.orig/lib/commonio.c ++++ shadow-4.5/lib/commonio.c @@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); 
@@ -19,9 +20,10 @@ diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c errors++; } #endif -diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c ---- shadow-4.5/libmisc/copydir.c.orig-context 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/libmisc/copydir.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/libmisc/copydir.c +=================================================================== +--- shadow-4.5.orig/libmisc/copydir.c ++++ shadow-4.5/libmisc/copydir.c @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ @@ -58,9 +60,10 @@ diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h ---- shadow-4.5/lib/prototypes.h.orig-context 2017-05-17 21:19:44.000000000 +0200 -+++ shadow-4.5/lib/prototypes.h 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/prototypes.h +=================================================================== +--- shadow-4.5.orig/lib/prototypes.h ++++ shadow-4.5/lib/prototypes.h @@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ @@ -70,9 +73,10 @@ diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.orig-context 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/selinux.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/selinux.c +=================================================================== +--- shadow-4.5.orig/lib/selinux.c ++++ shadow-4.5/lib/selinux.c @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context 
@@ -114,9 +118,10 @@ diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c } /* -diff -up shadow-4.5/src/useradd.c.orig-context shadow-4.5/src/useradd.c ---- shadow-4.5/src/useradd.c.orig-context 2017-07-20 16:47:41.102186239 +0200 -+++ shadow-4.5/src/useradd.c 2017-07-20 16:50:28.226198387 +0200 +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c @@ -1945,7 +1945,7 @@ static void create_home (void) { if (access (user_home, F_OK) != 0) { diff --git a/shadow-4.5-selinux.patch b/shadow-4.5-selinux.patch index cd190cc..cd1a3b4 100644 --- a/shadow-4.5-selinux.patch +++ b/shadow-4.5-selinux.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c ---- shadow-4.5/lib/semanage.c.selinux 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/semanage.c 2017-07-20 16:40:49.680297319 +0200 +Index: shadow-4.5/lib/semanage.c +=================================================================== +--- shadow-4.5.orig/lib/semanage.c ++++ shadow-4.5/lib/semanage.c @@ -294,6 +294,9 @@ int set_seuser (const char *login_name, ret = 0; @@ -22,9 +23,10 @@ diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c done: semanage_handle_destroy (handle); return ret; -diff -up shadow-4.5/src/useradd.c.selinux shadow-4.5/src/useradd.c ---- shadow-4.5/src/useradd.c.selinux 2017-07-20 16:40:49.677297246 +0200 -+++ shadow-4.5/src/useradd.c 2017-07-20 16:44:58.195275331 +0200 +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c @@ -2042,6 +2042,7 @@ static void create_mail (void) */ int main (int argc, char **argv) diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch index 37700c3..7d170fa 100644 --- a/shadow-4.5-userdel-chroot.patch +++ b/shadow-4.5-userdel-chroot.patch 
@@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-06 13:40:41.396131526 +0100 -+++ shadow-4.5/lib/selinux.c 2017-11-06 13:40:41.418132035 +0100 +Index: shadow-4.5/lib/selinux.c +=================================================================== +--- shadow-4.5.orig/lib/selinux.c ++++ shadow-4.5/lib/selinux.c @@ -75,7 +75,7 @@ int set_selinux_file_context (const char } return 0; @@ -19,9 +20,10 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c return 1; } } -diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c ---- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-06 13:40:41.410131850 +0100 -+++ shadow-4.5/src/userdel.c 2017-11-06 15:26:56.567954410 +0100 +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c @@ -96,6 +96,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; diff --git a/shadow-4.5-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch index d37b4aa..e2d70b5 100644 --- a/shadow-4.5-usermod-unlock.patch +++ b/shadow-4.5-usermod-unlock.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/src/usermod.c.unlock shadow-4.5/src/usermod.c ---- shadow-4.5/src/usermod.c.unlock 2017-07-20 16:52:23.641969174 +0200 -+++ shadow-4.5/src/usermod.c 2017-07-20 16:54:08.109477127 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; diff --git a/shadow-utils.spec b/shadow-utils.spec index 25ccdb1..4d8e3f7 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -30,6 +30,7 @@ Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch Patch31: shadow-4.5-userdel-chroot.patch +Patch32: shadow-4.5-crypt_h.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -80,6 +81,7 @@ are used for managing group accounts. %patch29 -p1 -b .null-tm %patch30 -p1 -b .grouplist %patch31 -p1 -b .userdel-chroot +%patch32 -p1 -b .crypt_h iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -107,11 +109,11 @@ autoreconf --without-libpam \ --disable-shared \ --with-group-name-max-length=32 -make +%make_build %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs +%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd @@ -235,6 +237,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 06 2018 Björn Esser - 2:4.5-9 +- Add patch to include crypt.h, if present +- Use %%make_{build,install} macros +- Refresh other patches for proper alignment + * Sat Jan 20 2018 Björn Esser - 2:4.5-8 - Rebuilt for switch to libxcrypt From eb66bf0ca58367e34d70d32a9409e23b9471bc11 Mon Sep 17 00:00:00 2001 
From: Igor Gnatenko Date: Wed, 14 Feb 2018 08:49:44 +0100 Subject: [PATCH 54/64] Remove %clean section None of currently supported distributions need that. Last one was EL5 which is EOL for a while. Signed-off-by: Igor Gnatenko --- shadow-utils.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 4d8e3f7..dc69b3f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -183,9 +183,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do echo "%%lang($lang) $dir/man*/*" >> shadow.lang done -%clean -rm -rf $RPM_BUILD_ROOT - %files -f shadow.lang %defattr(-,root,root) %doc NEWS doc/HOWTO README From 8d62f944dd9b0145014a181f95d1b9aedb25a19b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 1 Mar 2018 13:11:34 +0100 Subject: [PATCH 55/64] Add gcc buildrequires --- shadow-utils.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index dc69b3f..c0020f6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -34,6 +34,7 @@ Patch32: shadow-4.5-crypt_h.patch License: BSD and GPLv2+ Group: System Environment/Base +BuildRequires: gcc BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel From 4cb5077b6837710a35e77801194b4e6e5ed50a7a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 20 Apr 2018 16:23:31 +0200 Subject: [PATCH 56/64] Raise limit for passwd and shadow entry length - also prevent writing longer entries (#1422497) --- shadow-4.5-long-entry.patch | 84 +++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 8 +++- 2 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 shadow-4.5-long-entry.patch diff --git a/shadow-4.5-long-entry.patch b/shadow-4.5-long-entry.patch new file mode 100644 index 0000000..8670e75 --- /dev/null +++ b/shadow-4.5-long-entry.patch 
@@ -0,0 +1,84 @@
+diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
+--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200
+@@ -382,4 +382,7 @@ extern char *strerror ();
+ # endif
+ #endif
+ 
++/* Maximum length of passwd entry */
++#define PASSWD_ENTRY_MAX_LENGTH 32768
++
+ #endif /* _DEFINES_H_ */
+diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
+--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100
++++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200
+@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
+ || (pw->pw_gid == (gid_t)-1)
+ || (valid_field (pw->pw_gecos, ":\n") == -1)
+ || (valid_field (pw->pw_dir, ":\n") == -1)
+- || (valid_field (pw->pw_shell, ":\n") == -1)) {
++ || (valid_field (pw->pw_shell, ":\n") == -1)
++ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
++ strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
++ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
+ return -1;
+ }
+ 
+diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
+--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200
+@@ -57,7 +57,7 @@
+ struct passwd *sgetpwent (const char *buf)
+ {
+ static struct passwd pwent;
+- static char pwdbuf[1024];
++ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
+ register int i;
+ register char *cp;
+ char *fields[NFIELDS];
+@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
+ * the password structure remain valid.
+ */
+ 
+- if (strlen (buf) >= sizeof pwdbuf)
++ if (strlen (buf) >= sizeof pwdbuf) {
++ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
+ return 0; /* fail if too long */
++ }
+ strcpy (pwdbuf, buf);
+ 
+ /*
+diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
+--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200
+@@ -48,7 +48,7 @@
+ */
+ struct spwd *sgetspent (const char *string)
+ {
+- static char spwbuf[1024];
++ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
+ static struct spwd spwd;
+ char *fields[FIELDS];
+ char *cp;
+@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
+ */
+ 
+ if (strlen (string) >= sizeof spwbuf) {
++ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
+ return 0; /* fail if too long */
+ }
+ strcpy (spwbuf, string);
+diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
+--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100
++++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200
+@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
+ 
+ if ( (NULL == sp)
+ || (valid_field (sp->sp_namp, ":\n") == -1)
+- || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
++ || (valid_field (sp->sp_pwdp, ":\n") == -1)
++ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
++ 1000 > PASSWD_ENTRY_MAX_LENGTH)) {
+ return -1;
+ }
+ 
diff --git a/shadow-utils.spec b/shadow-utils.spec
index c0020f6..883e02c 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.5
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
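Review bot: The write-side headroom constants in passwd_put (`+ 100`) and shadow_put (`+ 1000`) are unexplained magic numbers: they have to stay larger than the worst-case size of the numeric fields, ':' separators and newline that the formatter appends, and nothing in the patch ties them to each other or to the 32768 that sgetpwent/sgetspent can read back, so a later change to either side can silently reintroduce entries that are written but then skipped on read. A one-line comment at each site, e.g. `/* headroom for uid/gid digits, separators and newline; must keep written entries below sgetpwent's PASSWD_ENTRY_MAX_LENGTH buffer */`, would record the invariant, or the exact formatted length could be computed with `snprintf (NULL, 0, ...)` against the same format the writer uses. The two new `fprintf (stderr, ...)` diagnostics in sgetpwent and sgetspent are not wrapped in `_()` and carry no program-name prefix, unlike the other messages in this series, and since a skipped line in /etc/passwd or /etc/shadow is exactly the kind of event an administrator should find in the log, a SYSLOG entry alongside stderr may be more useful than stderr alone. Whether pw_name/pw_passwd are NULL-checked before reaching strlen depends on the valid_field tests above this hunk, and the bodies of passwd_put, shadow_put, sgetpwent and sgetspent all continue outside it.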
@@ -31,6 +31,7 @@ Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch Patch31: shadow-4.5-userdel-chroot.patch Patch32: shadow-4.5-crypt_h.patch +Patch33: shadow-4.5-long-entry.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -83,6 +84,7 @@ are used for managing group accounts. %patch30 -p1 -b .grouplist %patch31 -p1 -b .userdel-chroot %patch32 -p1 -b .crypt_h +%patch33 -p1 -b .long-entry iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -235,6 +237,10 @@ done %{_mandir}/man8/vigr.8* %changelog +* Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 +- Raise limit for passwd and shadow entry length but also prevent + writing longer entries (#1422497) + * Tue Feb 06 2018 Björn Esser - 2:4.5-9 - Add patch to include crypt.h, if present - Use %%make_{build,install} macros From 38a12ac864a9292512ca74dc0f00b88ef71f371b Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 28 May 2018 15:25:08 +0200 Subject: [PATCH 57/64] update to current upstream release 4.6 --- .gitignore | 2 + shadow-4.1.5-2ndskip.patch | 102 ----- shadow-4.1.5.1-ingroup.patch | 64 ---- shadow-4.1.5.1-move-home.patch | 16 - shadow-4.1.5.1-newgrp-grouplist.patch | 71 ---- shadow-4.5-userdel-chroot.patch | 74 ---- ...ate.patch => shadow-4.6-audit-update.patch | 359 +++++++++--------- shadow-4.6-getenforce.patch | 21 + shadow-4.6-move-home.patch | 15 + ...ext.patch => shadow-4.6-orig-context.patch | 49 ++- ....5-redhat.patch => shadow-4.6-redhat.patch | 19 +- ...-selinux.patch => shadow-4.6-selinux.patch | 26 +- shadow-4.6-usermod-crash.patch | 42 ++ shadow-utils.spec | 29 +- sources | 4 +- 15 files changed, 312 insertions(+), 581 deletions(-) delete mode 100644 shadow-4.1.5-2ndskip.patch delete mode 100644 shadow-4.1.5.1-ingroup.patch delete mode 100644 shadow-4.1.5.1-move-home.patch delete mode 100644 shadow-4.1.5.1-newgrp-grouplist.patch delete mode 100644 shadow-4.5-userdel-chroot.patch rename shadow-4.3.1-audit-update.patch => shadow-4.6-audit-update.patch (88%) create mode 100644 shadow-4.6-getenforce.patch create mode 100644 shadow-4.6-move-home.patch rename shadow-4.5-orig-context.patch => shadow-4.6-orig-context.patch (65%) rename shadow-4.1.5-redhat.patch => shadow-4.6-redhat.patch (60%) rename shadow-4.5-selinux.patch => shadow-4.6-selinux.patch (75%) create mode 100644 shadow-4.6-usermod-crash.patch diff --git a/.gitignore b/.gitignore index d1e7d76..3b04b1e 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,5 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.3.1.tar.gz /shadow-4.5.tar.xz /shadow-4.5.tar.xz.asc +/shadow-4.6.tar.xz +/shadow-4.6.tar.xz.asc diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch deleted file mode 100644 index 5a8e444..0000000 --- a/shadow-4.1.5-2ndskip.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -Index: shadow-4.5/src/grpconv.c -=================================================================== ---- shadow-4.5.orig/src/grpconv.c -+++ shadow-4.5/src/grpconv.c -@@ -143,6 +143,7 @@ int main (int argc, char **argv) - struct group grent; - const struct sgrp *sg; - struct sgrp sgent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -184,20 +185,25 @@ int main (int argc, char **argv) - * Remove /etc/gshadow entries for groups not in /etc/group. - */ - (void) sgr_rewind (); -- while ((sg = sgr_next ()) != NULL) { -- if (gr_locate (sg->sg_name) != NULL) { -- continue; -- } -- -- if (sgr_remove (sg->sg_name) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... -- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sg->sg_name, sgr_dbname ()); -- fail_exit (3); -+ sg = sgr_next (); -+ np=NULL; -+ while (sg != NULL) { -+ np = strdup(sg->sg_name); -+ sg = sgr_next (); -+ -+ if(gr_locate (np) == NULL) { -+ if (sgr_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, sgr_dbname ()); -+ free(np); -+ fail_exit (3); -+ } - } -+ free(np); - } - - /* -Index: shadow-4.5/src/pwconv.c -=================================================================== ---- shadow-4.5.orig/src/pwconv.c -+++ shadow-4.5/src/pwconv.c -@@ -173,6 +173,7 @@ int main (int argc, char **argv) - struct passwd pwent; - const struct spwd *sp; - struct spwd spent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -223,20 +224,25 @@ int main (int argc, char **argv) - * Remove /etc/shadow entries for users not in /etc/passwd. - */ - (void) spw_rewind (); -- while ((sp = spw_next ()) != NULL) { -- if (pw_locate (sp->sp_namp) != NULL) { -- continue; -- } -- -- if (spw_remove (sp->sp_namp) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... 
-- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sp->sp_namp, spw_dbname ()); -- fail_exit (E_FAILURE); -+ sp = spw_next (); -+ np = NULL; -+ while (sp != NULL) { -+ np = strdup(sp->sp_namp); -+ sp = spw_next (); -+ -+ if (pw_locate (np) == NULL) { -+ if (spw_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, spw_dbname ()); -+ free(np); -+ fail_exit (E_FAILURE); -+ } - } -+ free(np); - } - - /* diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch deleted file mode 100644 index 1c30198..0000000 --- a/shadow-4.1.5.1-ingroup.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c -@@ -83,15 +83,29 @@ static void usage (void) - } - } - -+static bool ingroup(const char *name, struct group *gr) -+{ -+ char **look; -+ bool notfound = true; -+ -+ look = gr->gr_mem; -+ while (*look && notfound) -+ notfound = strcmp (*look++, name); -+ -+ return !notfound; -+} -+ - /* -- * find_matching_group - search all groups of a given group id for -+ * find_matching_group - search all groups of a gr's group id for - * membership of a given username -+ * but check gr itself first - */ --static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid) -+static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr) - { -- struct group *gr; -- char **look; -- bool notfound = true; -+ gid_t gid = gr->gr_gid; -+ -+ if (ingroup(name, gr)) -+ return gr; - - setgrent (); - while ((gr = getgrent ()) != NULL) { -@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc - * A group with matching GID was found. - * Test for membership of 'name'. - */ -- look = gr->gr_mem; -- while ((NULL != *look) && notfound) { -- notfound = (strcmp (*look, name) != 0); -- look++; -- } -- if (!notfound) { -+ if (ingroup(name, gr)) - break; -- } - } - endgrent (); - return gr; -@@ -630,7 +638,7 @@ int main (int argc, char **argv) - * groups of the same GID like the requested group for - * membership of the current user. - */ -- grp = find_matching_group (name, grp->gr_gid); -+ grp = find_matching_group (name, grp); - if (NULL == grp) { - /* - * No matching group found. As we already know that diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch deleted file mode 100644 index f1790e2..0000000 --- a/shadow-4.1.5.1-move-home.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -1814,6 +1814,11 @@ static void move_home (void) - Prog, user_home, user_newhome); - fail_exit (E_HOMEDIR); - } -+ } else { -+ fprintf (stderr, -+ _("%s: The previous home directory (%s) does " -+ "not exist or is inaccessible. Move cannot be completed.\n"), -+ Prog, user_home); - } - } - diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch deleted file mode 100644 index 47eb6f6..0000000 --- a/shadow-4.1.5.1-newgrp-grouplist.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c -@@ -396,6 +396,7 @@ int main (int argc, char **argv) - { - bool initflag = false; - int i; -+ bool is_member = false; - bool cflag = false; - int err = 0; - gid_t gid; -@@ -645,22 +646,36 @@ int main (int argc, char **argv) - goto failure; - } - -+#ifdef HAVE_SETGROUPS -+ /* when using pam_group, she will not be listed in the groups -+ * database. However getgroups() will return the group. So -+ * if she is listed there already it is ok to grant membership. -+ */ -+ for (i = 0; i < ngroups; i++) { -+ if (grp->gr_gid == grouplist[i]) { -+ is_member = true; -+ break; -+ } -+ } -+#endif /* HAVE_SETGROUPS */ - /* - * For splitted groups (due to limitations of NIS), check all - * groups of the same GID like the requested group for - * membership of the current user. - */ -- grp = find_matching_group (name, grp); -- if (NULL == grp) { -- /* -- * No matching group found. As we already know that -- * the group exists, this happens only in the case -- * of a requested group where the user is not member. -- * -- * Re-read the group entry for further processing. -- */ -- grp = xgetgrnam (group); -- assert (NULL != grp); -+ if (!is_member) { -+ grp = find_matching_group (name, grp); -+ if (NULL == grp) { -+ /* -+ * No matching group found. As we already know that -+ * the group exists, this happens only in the case -+ * of a requested group where the user is not member. -+ * -+ * Re-read the group entry for further processing. -+ */ -+ grp = xgetgrnam (group); -+ assert (NULL != grp); -+ } - } - #ifdef SHADOWGRP - sgrp = getsgnam (group); -@@ -673,7 +688,9 @@ int main (int argc, char **argv) - /* - * Check if the user is allowed to access this group. 
- */ -- check_perms (grp, pwd, group); -+ if (!is_member) { -+ check_perms (grp, pwd, group); -+ } - - /* - * all successful validations pass through this point. The group id diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch deleted file mode 100644 index 7d170fa..0000000 --- a/shadow-4.5-userdel-chroot.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -Index: shadow-4.5/lib/selinux.c -=================================================================== ---- shadow-4.5.orig/lib/selinux.c -+++ shadow-4.5/lib/selinux.c -@@ -75,7 +75,7 @@ int set_selinux_file_context (const char - } - return 0; - error: -- if (security_getenforce () != 0) { -+ if (security_getenforce () > 0) { - return 1; - } - return 0; -@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) - selinux_checked = true; - } - if (selinux_enabled) { -- if (setfscreatecon (NULL) != 0) { -+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { - return 1; - } - } -Index: shadow-4.5/src/userdel.c -=================================================================== ---- shadow-4.5.orig/src/userdel.c -+++ shadow-4.5/src/userdel.c -@@ -96,6 +96,7 @@ static char *user_home; - static bool fflg = false; - static bool rflg = false; - static bool Zflg = false; -+static bool Rflg = false; - - static bool is_shadow_pwd; - -@@ -958,6 +959,7 @@ int main (int argc, char **argv) - rflg = true; - break; - case 'R': /* no-op, handled in process_root_flag () */ -+ Rflg = true; - break; - #ifdef WITH_SELINUX - case 'Z': -@@ -1032,9 +1034,12 @@ int main (int argc, char **argv) - */ - user_name = argv[argc - 1]; - { -- struct passwd *pwd; -- pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ -+ const struct passwd *pwd; -+ -+ pw_open(O_RDONLY); -+ pwd = pw_locate (user_name); /* we care only about local users */ - if (NULL == pwd) { -+ pw_close(); - fprintf (stderr, _("%s: user '%s' does not exist\n"), - Prog, user_name); - #ifdef WITH_AUDIT -@@ -1048,6 +1053,7 @@ int main (int argc, char **argv) - user_id = pwd->pw_uid; - user_gid = pwd->pw_gid; - user_home = xstrdup (pwd->pw_dir); -+ pw_close(); - } - #ifdef WITH_TCB - if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { -@@ -1079,7 +1085,7 @@ int main (int argc, char **argv) - * Note: This is a best effort basis. 
The user may log in between, - * a cron job may be started on her behalf, etc. - */ -- if (user_busy (user_name, user_id) != 0) { -+ if (!Rflg && user_busy (user_name, user_id) != 0) { - if (!fflg) { - #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, diff --git a/shadow-4.3.1-audit-update.patch b/shadow-4.6-audit-update.patch similarity index 88% rename from shadow-4.3.1-audit-update.patch rename to shadow-4.6-audit-update.patch index 8c72cf3..b9d0a67 100644 --- a/shadow-4.3.1-audit-update.patch +++ b/shadow-4.6-audit-update.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/libmisc/audit_help.c -=================================================================== ---- shadow-4.5.orig/libmisc/audit_help.c -+++ shadow-4.5/libmisc/audit_help.c +diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_help.c +--- shadow-4.6/libmisc/audit_help.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/audit_help.c 2018-05-28 15:01:09.913717564 +0200 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -51,10 +50,9 @@ Index: shadow-4.5/libmisc/audit_help.c void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -Index: shadow-4.5/libmisc/cleanup_group.c -=================================================================== ---- shadow-4.5.orig/libmisc/cleanup_group.c -+++ shadow-4.5/libmisc/cleanup_group.c +diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/cleanup_group.c +--- shadow-4.6/libmisc/cleanup_group.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_group.c 2018-05-28 15:01:09.913717564 +0200 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); 
@@ -133,10 +131,9 @@ Index: shadow-4.5/libmisc/cleanup_group.c SHADOW_AUDIT_FAILURE); #endif } -Index: shadow-4.5/libmisc/cleanup_user.c -=================================================================== ---- shadow-4.5.orig/libmisc/cleanup_user.c -+++ shadow-4.5/libmisc/cleanup_user.c +diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/cleanup_user.c +--- shadow-4.6/libmisc/cleanup_user.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_user.c 2018-05-28 15:01:09.913717564 +0200 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -184,10 +181,9 @@ Index: shadow-4.5/libmisc/cleanup_user.c SHADOW_AUDIT_FAILURE); #endif } -Index: shadow-4.5/lib/prototypes.h -=================================================================== ---- shadow-4.5.orig/lib/prototypes.h -+++ shadow-4.5/lib/prototypes.h +diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.audit-update 2018-05-28 15:01:09.901717309 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 15:01:09.913717564 +0200 @@ -211,12 +211,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ @@ -210,10 +206,9 @@ Index: shadow-4.5/lib/prototypes.h void audit_logger_message (const char *message, shadow_audit_result result); #endif -Index: shadow-4.5/src/gpasswd.c -=================================================================== ---- shadow-4.5.orig/src/gpasswd.c -+++ shadow-4.5/src/gpasswd.c +diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c +--- shadow-4.6/src/gpasswd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/gpasswd.c 2018-05-28 15:01:09.914717585 +0200 
@@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -477,11 +472,10 @@ Index: shadow-4.5/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -Index: shadow-4.5/src/groupadd.c -=================================================================== ---- shadow-4.5.orig/src/groupadd.c -+++ shadow-4.5/src/groupadd.c -@@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c +--- shadow-4.6/src/groupadd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupadd.c 2018-05-28 15:02:53.137910337 +0200 +@@ -130,6 +130,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -497,7 +491,7 @@ Index: shadow-4.5/src/groupadd.c /* * new_grent - initialize the values in a group file entry * -@@ -210,7 +219,7 @@ static void grp_update (void) +@@ -213,7 +222,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); @@ -506,7 +500,7 @@ Index: shadow-4.5/src/groupadd.c } #ifdef SHADOWGRP /* -@@ -220,7 +229,7 @@ static void grp_update (void) +@@ -223,7 +232,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); @@ -515,7 +509,7 @@ Index: shadow-4.5/src/groupadd.c } #endif /* SHADOWGRP */ } -@@ -244,7 +253,7 @@ static void check_new_name (void) +@@ -247,7 +256,7 @@ static void check_new_name (void) fprintf (stderr, _("%s: '%s' is not a valid group name\n"), Prog, group_name); @@ -524,7 +518,7 @@ Index: shadow-4.5/src/groupadd.c } /* -@@ -260,11 +269,11 @@ static void close_files (void) +@@ -263,11 +272,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); 
@@ -538,7 +532,7 @@ Index: shadow-4.5/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -282,11 +291,11 @@ static void close_files (void) +@@ -285,11 +294,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -553,7 +547,7 @@ Index: shadow-4.5/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -300,12 +309,6 @@ static void close_files (void) +@@ -303,12 +312,6 @@ static void close_files (void) #endif /* SHADOWGRP */ /* Report success at the system level */ @@ -566,7 +560,7 @@ Index: shadow-4.5/src/groupadd.c SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); -@@ -323,7 +326,7 @@ static void open_files (void) +@@ -326,7 +329,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -575,7 +569,7 @@ Index: shadow-4.5/src/groupadd.c } add_cleanup (cleanup_unlock_group, NULL); -@@ -333,7 +336,7 @@ static void open_files (void) +@@ -336,7 +339,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -584,7 +578,7 @@ Index: shadow-4.5/src/groupadd.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -349,7 +352,7 @@ static void open_files (void) +@@ -352,7 +355,7 @@ static void open_files (void) if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -593,7 +587,7 @@ Index: shadow-4.5/src/groupadd.c } #ifdef SHADOWGRP -@@ -359,7 +362,7 @@ static void open_files (void) +@@ -362,7 +365,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); 
@@ -602,7 +596,7 @@ Index: shadow-4.5/src/groupadd.c } } #endif /* SHADOWGRP */ -@@ -489,7 +492,7 @@ static void check_flags (void) +@@ -495,7 +498,7 @@ static void check_flags (void) fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name); @@ -610,8 +604,8 @@ Index: shadow-4.5/src/groupadd.c + fail_exit (E_NAME_IN_USE); } - if (gflg && (getgrgid (group_id) != NULL)) { -@@ -508,7 +511,7 @@ static void check_flags (void) + if (gflg && (prefix_getgrgid (group_id) != NULL)) { +@@ -514,7 +517,7 @@ static void check_flags (void) fprintf (stderr, _("%s: GID '%lu' already exists\n"), Prog, (unsigned long int) group_id); @@ -620,7 +614,7 @@ Index: shadow-4.5/src/groupadd.c } } } -@@ -536,7 +539,7 @@ static void check_perms (void) +@@ -542,7 +545,7 @@ static void check_perms (void) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -629,7 +623,7 @@ Index: shadow-4.5/src/groupadd.c } retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); -@@ -556,7 +559,7 @@ static void check_perms (void) +@@ -562,7 +565,7 @@ static void check_perms (void) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -638,7 +632,7 @@ Index: shadow-4.5/src/groupadd.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -588,7 +591,7 @@ int main (int argc, char **argv) +@@ -595,7 +598,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -647,7 +641,7 @@ Index: shadow-4.5/src/groupadd.c } /* -@@ -610,7 +613,7 @@ int main (int argc, char **argv) +@@ -617,7 +620,7 @@ int main (int argc, char **argv) if (!gflg) { if (find_new_gid (rflg, &group_id, NULL) < 0) { 
@@ -656,11 +650,10 @@ Index: shadow-4.5/src/groupadd.c } } -Index: shadow-4.5/src/groupdel.c -=================================================================== ---- shadow-4.5.orig/src/groupdel.c -+++ shadow-4.5/src/groupdel.c -@@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c +--- shadow-4.6/src/groupdel.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupdel.c 2018-05-28 15:01:09.914717585 +0200 +@@ -105,6 +105,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -676,7 +669,7 @@ Index: shadow-4.5/src/groupdel.c /* * grp_update - update group file entries * -@@ -128,7 +137,7 @@ static void grp_update (void) +@@ -131,7 +140,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -685,7 +678,7 @@ Index: shadow-4.5/src/groupdel.c } #ifdef SHADOWGRP -@@ -140,7 +149,7 @@ static void grp_update (void) +@@ -143,7 +152,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -694,7 +687,7 @@ Index: shadow-4.5/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -159,12 +168,12 @@ static void close_files (void) +@@ -162,12 +171,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -709,7 +702,7 @@ Index: shadow-4.5/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -184,12 +193,12 @@ static void close_files (void) +@@ -187,12 +196,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -725,7 +718,7 @@ Index: shadow-4.5/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -203,13 +212,6 @@ static void close_files (void) +@@ -206,13 +215,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ 
@@ -739,7 +732,7 @@ Index: shadow-4.5/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -226,7 +228,7 @@ static void open_files (void) +@@ -229,7 +231,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -748,7 +741,7 @@ Index: shadow-4.5/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -235,7 +237,7 @@ static void open_files (void) +@@ -238,7 +240,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -757,7 +750,7 @@ Index: shadow-4.5/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -253,7 +255,7 @@ static void open_files (void) +@@ -256,7 +258,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -766,7 +759,7 @@ Index: shadow-4.5/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -262,7 +264,7 @@ static void open_files (void) +@@ -265,7 +267,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -775,7 +768,7 @@ Index: shadow-4.5/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -303,7 +305,7 @@ static void group_busy (gid_t gid) +@@ -306,7 +308,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -784,7 +777,7 @@ Index: shadow-4.5/src/groupdel.c } /* -@@ -384,7 +386,7 @@ int main (int argc, char **argv) +@@ -391,7 +393,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); 
@@ -793,7 +786,7 @@ Index: shadow-4.5/src/groupdel.c } process_flags (argc, argv); -@@ -398,7 +400,7 @@ int main (int argc, char **argv) +@@ -405,7 +407,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -802,7 +795,7 @@ Index: shadow-4.5/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -419,7 +421,7 @@ int main (int argc, char **argv) +@@ -426,7 +428,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -811,7 +804,7 @@ Index: shadow-4.5/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -439,7 +441,7 @@ int main (int argc, char **argv) +@@ -446,7 +448,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); @@ -820,7 +813,7 @@ Index: shadow-4.5/src/groupdel.c } group_id = grp->gr_gid; -@@ -463,7 +465,7 @@ int main (int argc, char **argv) +@@ -470,7 +472,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -829,11 +822,10 @@ Index: shadow-4.5/src/groupdel.c } #endif -Index: shadow-4.5/src/groupmod.c -=================================================================== ---- shadow-4.5.orig/src/groupmod.c -+++ shadow-4.5/src/groupmod.c -@@ -438,7 +438,7 @@ static void close_files (void) +diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c +--- shadow-4.6/src/groupmod.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupmod.c 2018-05-28 15:01:09.915717607 +0200 +@@ -449,7 +449,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -842,7 +834,7 @@ Index: shadow-4.5/src/groupmod.c info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -461,7 +461,7 @@ static void close_files (void) +@@ -472,7 +472,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT 
@@ -851,7 +843,7 @@ Index: shadow-4.5/src/groupmod.c info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -484,7 +484,7 @@ static void close_files (void) +@@ -495,7 +495,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -860,7 +852,7 @@ Index: shadow-4.5/src/groupmod.c info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -499,8 +499,8 @@ static void close_files (void) +@@ -510,8 +510,8 @@ static void close_files (void) } #ifdef WITH_AUDIT @@ -871,7 +863,7 @@ Index: shadow-4.5/src/groupmod.c group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -512,6 +512,8 @@ static void close_files (void) +@@ -523,6 +523,8 @@ static void close_files (void) */ static void prepare_failure_reports (void) { @@ -880,7 +872,7 @@ Index: shadow-4.5/src/groupmod.c info_group.name = group_name; #ifdef SHADOWGRP info_gshadow.name = group_name; -@@ -524,76 +526,106 @@ static void prepare_failure_reports (voi +@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi #endif info_passwd.audit_msg = xmalloc (512); @@ -1014,7 +1006,7 @@ Index: shadow-4.5/src/groupmod.c "%lu", (unsigned long int) group_newid); } info_group.audit_msg[511] = '\0'; -@@ -601,6 +633,11 @@ static void prepare_failure_reports (voi +@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi info_gshadow.audit_msg[511] = '\0'; #endif info_passwd.audit_msg[511] = '\0'; @@ -1026,10 +1018,9 @@ Index: shadow-4.5/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -Index: shadow-4.5/src/chage.c -=================================================================== ---- shadow-4.5.orig/src/chage.c -+++ shadow-4.5/src/chage.c +diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c +--- shadow-4.6/src/chage.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/chage.c 2018-05-28 15:01:09.915717607 +0200 
@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1117,10 +1108,9 @@ Index: shadow-4.5/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c +diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c +--- shadow-4.6/src/newgrp.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/newgrp.c 2018-05-28 15:01:09.915717607 +0200 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1203,7 +1193,7 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -456,7 +457,7 @@ int main (int argc, char **argv) +@@ -457,7 +458,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1212,7 +1202,7 @@ Index: shadow-4.5/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -572,15 +573,26 @@ int main (int argc, char **argv) +@@ -573,15 +574,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1243,7 +1233,7 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -721,10 +733,10 @@ int main (int argc, char **argv) +@@ -738,10 +750,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1256,7 +1246,7 @@ Index: shadow-4.5/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -733,10 +745,10 @@ int main (int argc, char **argv) +@@ -750,10 +762,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), 
@@ -1269,7 +1259,7 @@ Index: shadow-4.5/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -750,10 +762,10 @@ int main (int argc, char **argv) +@@ -767,10 +779,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1282,7 +1272,7 @@ Index: shadow-4.5/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -817,11 +829,11 @@ int main (int argc, char **argv) +@@ -834,11 +846,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1296,7 +1286,7 @@ Index: shadow-4.5/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -845,15 +857,24 @@ int main (int argc, char **argv) +@@ -862,15 +874,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1325,20 +1315,19 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -225,6 +225,8 @@ static void create_mail (void); +diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.audit-update 2018-05-28 15:01:09.903717352 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 15:06:36.824662074 +0200 +@@ -229,6 +229,8 @@ static void create_mail (void); */ static void fail_exit (int code) { + int type; + if (home_added) { - if (rmdir (user_home) != 0) { + if (rmdir (prefix_user_home) != 0) { fprintf (stderr, -@@ -238,12 +240,6 @@ static void fail_exit (int code) +@@ -242,12 +244,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); 
@@ -1351,7 +1340,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -251,12 +247,6 @@ static void fail_exit (int code) +@@ -255,12 +251,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1364,7 +1353,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -264,12 +254,6 @@ static void fail_exit (int code) +@@ -268,12 +258,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1377,7 +1366,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -278,12 +262,6 @@ static void fail_exit (int code) +@@ -282,12 +266,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1390,7 +1379,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -293,12 +271,6 @@ static void fail_exit (int code) +@@ -297,12 +275,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); @@ -1403,7 +1392,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -306,20 +278,19 @@ static void fail_exit (int code) +@@ -310,20 +282,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1431,7 +1420,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -626,7 +597,7 @@ static int set_defaults (void) +@@ -673,7 +644,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, 
@@ -1440,7 +1429,7 @@ Index: shadow-4.5/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -896,12 +867,6 @@ static void grp_update (void) +@@ -950,12 +921,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1453,7 +1442,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -915,18 +880,12 @@ static void grp_update (void) +@@ -969,18 +934,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1475,7 +1464,7 @@ Index: shadow-4.5/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -971,12 +930,6 @@ static void grp_update (void) +@@ -1025,12 +984,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1488,7 +1477,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -990,18 +943,13 @@ static void grp_update (void) +@@ -1044,18 +997,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1511,7 +1500,7 @@ Index: shadow-4.5/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1344,7 +1292,7 @@ static void process_flags (int argc, cha +@@ -1407,7 +1355,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1520,7 +1509,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1447,7 +1395,7 @@ static void close_files (void) +@@ -1522,7 +1470,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1529,7 +1518,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1460,7 +1408,7 @@ static void close_files (void) +@@ -1535,7 +1483,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1538,7 +1527,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1472,7 +1420,7 @@ static void close_files (void) +@@ -1547,7 +1495,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1547,7 +1536,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1486,7 +1434,7 @@ static void close_files (void) +@@ -1561,7 +1509,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1556,7 +1545,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1502,7 +1450,7 @@ static void close_files (void) +@@ -1577,7 +1525,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1565,7 +1554,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1516,7 +1464,7 @@ static void close_files (void) +@@ -1591,7 +1539,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1574,7 +1563,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1708,7 +1656,7 @@ static void grp_add (void) +@@ -1783,7 +1731,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1583,7 +1572,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1724,7 +1672,7 @@ static void grp_add (void) +@@ -1799,7 +1747,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1592,7 +1581,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1734,7 +1682,7 @@ static void grp_add (void) +@@ -1809,7 +1757,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1601,7 +1590,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1895,12 +1843,6 @@ static void usr_update (void) +@@ -1970,12 +1918,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1614,7 +1603,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1922,7 +1864,7 @@ static void usr_update (void) +@@ -1997,7 +1939,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1623,10 +1612,10 @@ Index: shadow-4.5/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1957,12 +1899,6 @@ static void create_home (void) +@@ -2032,12 +1974,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), - Prog, user_home); + Prog, prefix_user_home); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", 
@@ -1635,8 +1624,8 @@ Index: shadow-4.5/src/useradd.c -#endif fail_exit (E_HOMEDIR); } - chown (user_home, user_id, user_gid); -@@ -1970,8 +1906,8 @@ static void create_home (void) + (void) chown (prefix_user_home, user_id, user_gid); +@@ -2045,8 +1981,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1647,9 +1636,9 @@ Index: shadow-4.5/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2151,12 +2087,6 @@ int main (int argc, char **argv) +@@ -2231,12 +2167,6 @@ int main (int argc, char **argv) */ - if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ + if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, @@ -1660,7 +1649,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2172,12 +2102,6 @@ int main (int argc, char **argv) +@@ -2252,12 +2182,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1673,7 +1662,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2207,12 +2131,6 @@ int main (int argc, char **argv) +@@ -2287,12 +2211,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1686,7 +1675,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2285,9 +2203,10 @@ int main (int argc, char **argv) +@@ -2365,9 +2283,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT 
@@ -1700,11 +1689,10 @@ Index: shadow-4.5/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -Index: shadow-4.5/src/userdel.c -=================================================================== ---- shadow-4.5.orig/src/userdel.c -+++ shadow-4.5/src/userdel.c -@@ -214,9 +214,9 @@ static void update_groups (void) +diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c +--- shadow-4.6/src/userdel.c.audit-update 2018-05-28 15:01:09.909717479 +0200 ++++ shadow-4.6/src/userdel.c 2018-05-28 15:01:09.916717628 +0200 +@@ -219,9 +219,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT @@ -1717,7 +1705,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -276,9 +276,9 @@ static void update_groups (void) +@@ -281,9 +281,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1730,7 +1718,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -355,9 +355,9 @@ static void remove_usergroup (void) +@@ -360,9 +360,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1743,7 +1731,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -373,9 +373,9 @@ static void remove_usergroup (void) +@@ -378,9 +378,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1756,7 +1744,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -537,7 +537,7 @@ static void fail_exit (int code) +@@ -542,7 +542,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1765,7 +1753,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -557,24 +557,12 @@ static void open_files (void) +@@ -562,24 +562,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); @@ -1790,7 +1778,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -582,12 +570,6 @@ static void open_files (void) +@@ -587,12 +575,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1803,7 +1791,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -595,12 +577,6 @@ static void open_files (void) +@@ -600,12 +582,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -1816,7 +1804,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -608,23 +584,11 @@ static void open_files (void) +@@ -613,23 +589,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1840,7 +1828,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -633,24 +597,12 @@ static void open_files (void) +@@ -638,24 +602,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -1865,7 +1853,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -661,24 +613,12 @@ static void open_files (void) +@@ -666,24 +618,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); 
@@ -1890,7 +1878,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } } -@@ -687,24 +627,12 @@ static void open_files (void) +@@ -692,24 +632,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); @@ -1915,7 +1903,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } } -@@ -749,7 +677,7 @@ static void update_user (void) +@@ -754,7 +682,7 @@ static void update_user (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1924,7 +1912,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -843,7 +771,7 @@ static int remove_mailbox (void) +@@ -862,7 +790,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1933,7 +1921,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -859,7 +787,7 @@ static int remove_mailbox (void) +@@ -879,7 +807,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1942,7 +1930,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -869,8 +797,8 @@ static int remove_mailbox (void) +@@ -889,8 +817,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1953,7 +1941,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -887,7 +815,7 @@ static int remove_mailbox (void) +@@ -908,7 +836,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1962,7 +1950,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -902,7 +830,7 @@ static int remove_mailbox (void) +@@ -925,7 +853,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1971,7 +1959,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -912,8 +840,8 @@ static int remove_mailbox (void) +@@ -935,8 +863,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1982,7 +1970,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1111,7 +1039,7 @@ int main (int argc, char **argv) +@@ -1149,7 +1077,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1991,7 +1979,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1155,7 +1083,7 @@ int main (int argc, char **argv) +@@ -1205,7 +1133,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -2000,7 +1988,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1232,8 +1160,8 @@ int main (int argc, char **argv) +@@ -1282,8 +1210,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -2011,7 +1999,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1242,7 +1170,7 @@ int main (int argc, char **argv) +@@ -1292,7 +1220,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, 
@@ -2020,7 +2008,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1255,8 +1183,8 @@ int main (int argc, char **argv) +@@ -1305,8 +1233,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2031,11 +2019,10 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.audit-update 2018-05-28 15:01:09.912717543 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:08:25.424969050 +0200 +@@ -453,8 +453,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2046,7 +2033,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -467,8 +467,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -473,8 +473,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2057,7 +2044,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -479,7 +479,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -485,7 +485,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, 
@@ -2066,7 +2053,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -508,8 +508,8 @@ static void new_pwent (struct passwd *pw +@@ -514,8 +514,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -2077,7 +2064,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -529,8 +529,8 @@ static void new_pwent (struct passwd *pw +@@ -535,8 +535,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -2088,7 +2075,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -540,8 +540,8 @@ static void new_pwent (struct passwd *pw +@@ -546,8 +546,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -2099,7 +2086,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -551,8 +551,8 @@ static void new_pwent (struct passwd *pw +@@ -557,8 +557,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2110,7 +2097,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -560,8 +560,8 @@ static void new_pwent (struct passwd *pw +@@ -566,8 +566,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT @@ -2121,7 +2108,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -571,8 +571,8 @@ static void new_pwent (struct passwd *pw +@@ -577,8 +577,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT 
@@ -2132,7 +2119,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -602,8 +602,8 @@ static void new_spent (struct spwd *spen +@@ -608,8 +608,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2143,7 +2130,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -619,8 +619,8 @@ static void new_spent (struct spwd *spen +@@ -625,8 +625,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2154,7 +2141,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -703,9 +703,9 @@ static /*@noreturn@*/void fail_exit (int +@@ -709,9 +709,9 @@ static /*@noreturn@*/void fail_exit (int #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT @@ -2167,7 +2154,7 @@ Index: shadow-4.5/src/usermod.c #endif exit (code); } -@@ -759,9 +759,12 @@ static void update_group (void) +@@ -765,9 +765,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2183,7 +2170,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -775,9 +778,11 @@ static void update_group (void) +@@ -781,9 +784,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2198,7 +2185,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -790,9 +795,11 @@ static void update_group (void) +@@ -796,9 +801,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT 
@@ -2213,7 +2200,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -867,9 +874,10 @@ static void update_gshadow (void) +@@ -873,9 +880,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2227,7 +2214,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -889,9 +897,10 @@ static void update_gshadow (void) +@@ -895,9 +903,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2241,7 +2228,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -905,9 +914,10 @@ static void update_gshadow (void) +@@ -911,9 +920,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2255,7 +2242,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -920,9 +930,10 @@ static void update_gshadow (void) +@@ -926,9 +936,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2269,7 +2256,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1758,8 +1769,8 @@ static void move_home (void) +@@ -1789,8 +1800,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2280,7 +2267,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1777,8 +1788,8 @@ static void move_home (void) +@@ -1808,8 +1819,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT 
@@ -2291,8 +2278,8 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1797,9 +1808,9 @@ static void move_home (void) - Prog, user_home); +@@ -1828,9 +1839,9 @@ static void move_home (void) + Prog, prefix_user_home); } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, @@ -2303,7 +2290,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2003,8 +2014,8 @@ static void move_mailbox (void) +@@ -2045,8 +2056,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2314,7 +2301,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2022,8 +2033,8 @@ static void move_mailbox (void) +@@ -2072,8 +2083,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2325,7 +2312,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2215,8 +2226,8 @@ int main (int argc, char **argv) +@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2336,7 +2323,7 @@ Index: shadow-4.5/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2228,8 +2239,8 @@ int main (int argc, char **argv) +@@ -2280,8 +2291,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2347,7 +2334,7 @@ Index: shadow-4.5/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) +@@ -2319,8 +2330,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.6-getenforce.patch b/shadow-4.6-getenforce.patch new file mode 100644 index 0000000..8a55bf5 --- /dev/null +++ b/shadow-4.6-getenforce.patch 
@@ -0,0 +1,21 @@
+diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200
++++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200
+@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
+ }
+ return 0;
+ error:
+- if (security_getenforce () != 0) {
++ if (security_getenforce () > 0) {
+ return 1;
+ }
+ return 0;
+@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
+ selinux_checked = true;
+ }
+ if (selinux_enabled) {
+- if (setfscreatecon (NULL) != 0) {
++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
+ return 1;
+ }
+ }
diff --git a/shadow-4.6-move-home.patch b/shadow-4.6-move-home.patch
new file mode 100644
index 0000000..cff9561
--- /dev/null
+++ b/shadow-4.6-move-home.patch
@@ -0,0 +1,15 @@
+diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c
+--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200
++++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200
+@@ -1845,6 +1845,11 @@ static void move_home (void)
+ Prog, prefix_user_home, prefix_user_newhome);
+ fail_exit (E_HOMEDIR);
+ }
++ } else {
++ fprintf (stderr,
++ _("%s: The previous home directory (%s) does "
++ "not exist or is inaccessible. Move cannot be completed.\n"),
++ Prog, prefix_user_home);
+ }
+ }
diff --git a/shadow-4.5-orig-context.patch b/shadow-4.6-orig-context.patch
similarity index 65%
rename from shadow-4.5-orig-context.patch
rename to shadow-4.6-orig-context.patch
index a1c2235..ea522e7 100644
--- a/shadow-4.5-orig-context.patch
+++ b/shadow-4.6-orig-context.patch
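Review bot: The `> 0` comparison on the `error:` path of set_selinux_file_context now treats a failed `security_getenforce()` (it returns -1 when the enforcing state cannot be read, e.g. in a chroot or container without /sys/fs/selinux) the same as permissive mode, so a file context that could not be set is silently accepted in exactly the situation where the policy state is unknown — a fail-open change that the patch does not explain. If that relaxation is intended for --prefix/chroot builds, say so next to the check, e.g. `/* -1 (state unreadable) is deliberately treated as permissive so chroot/--prefix runs succeed */`; otherwise keep -1 on the failing side with `int enf = security_getenforce (); if (enf != 0) { return 1; }` and handle the chroot case explicitly. The same applies to the second hunk, where a failing `setfscreatecon (NULL)` is now ignored outside enforcing mode and leaves whatever creation context was last set in place for later files. Both enclosing functions begin outside the hunk.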
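Review bot: The new `else` branch in move_home only prints that the move cannot be completed and then falls through — the added lines contain no `fail_exit` or return — so, as far as the hunk shows, usermod presumably goes on to rewrite the home-directory field and exits 0 while the new directory was never created, and callers checking the exit status will not notice. The sibling branch a few lines above treats a failed rename as `fail_exit (E_HOMEDIR)`; either do the same here after the fprintf, or add a one-line comment stating that continuing without the old directory is a deliberate best-effort choice. The body of move_home begins and ends outside the hunk, so a later check may exist that I cannot see.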
@@ -1,8 +1,7 @@ -Index: shadow-4.5/lib/commonio.c -=================================================================== ---- shadow-4.5.orig/lib/commonio.c -+++ shadow-4.5/lib/commonio.c -@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * +diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c +--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200 +@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); #ifdef WITH_SELINUX @@ -11,7 +10,7 @@ Index: shadow-4.5/lib/commonio.c errors++; } #endif -@@ -974,7 +974,7 @@ int commonio_close (struct commonio_db * +@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -20,10 +19,9 @@ Index: shadow-4.5/lib/commonio.c errors++; } #endif -Index: shadow-4.5/libmisc/copydir.c -=================================================================== ---- shadow-4.5.orig/libmisc/copydir.c -+++ shadow-4.5/libmisc/copydir.c +diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c +--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ 
@@ -60,11 +58,10 @@ Index: shadow-4.5/libmisc/copydir.c return -1; } #endif /* WITH_SELINUX */ -Index: shadow-4.5/lib/prototypes.h -=================================================================== ---- shadow-4.5.orig/lib/prototypes.h -+++ shadow-4.5/lib/prototypes.h -@@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200 +@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -73,10 +70,9 @@ Index: shadow-4.5/lib/prototypes.h extern int reset_selinux_file_context (void); #endif -Index: shadow-4.5/lib/selinux.c -=================================================================== ---- shadow-4.5.orig/lib/selinux.c -+++ shadow-4.5/lib/selinux.c +diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c +--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context 
@@ -118,16 +114,15 @@ Index: shadow-4.5/lib/selinux.c } /* -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -1945,7 +1945,7 @@ static void create_home (void) +diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200 +@@ -2020,7 +2020,7 @@ static void create_home (void) { - if (access (user_home, F_OK) != 0) { + if (access (prefix_user_home, F_OK) != 0) { #ifdef WITH_SELINUX -- if (set_selinux_file_context (user_home) != 0) { -+ if (set_selinux_file_context (user_home, NULL) != 0) { +- if (set_selinux_file_context (prefix_user_home) != 0) { ++ if (set_selinux_file_context (prefix_user_home, NULL) != 0) { fprintf (stderr, _("%s: cannot set SELinux context for home directory %s\n"), Prog, user_home); diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.6-redhat.patch similarity index 60% rename from shadow-4.1.5-redhat.patch rename to shadow-4.6-redhat.patch index ef26cbd..7a8be2e 100644 --- a/shadow-4.1.5-redhat.patch +++ b/shadow-4.6-redhat.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c +diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200 @@ -98,7 +98,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; 
@@ -20,19 +19,19 @@ Index: shadow-4.5/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1059,9 +1059,9 @@ static void process_flags (int argc, cha +@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:", #else /* !WITH_SELINUX */ -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U", #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1212,6 +1212,7 @@ static void process_flags (int argc, cha +@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.5-selinux.patch b/shadow-4.6-selinux.patch similarity index 75% rename from shadow-4.5-selinux.patch rename to shadow-4.6-selinux.patch index cd1a3b4..dfd5140 100644 --- a/shadow-4.5-selinux.patch +++ b/shadow-4.6-selinux.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/lib/semanage.c -=================================================================== ---- shadow-4.5.orig/lib/semanage.c -+++ shadow-4.5/lib/semanage.c +diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c +--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200 @@ -294,6 +294,9 @@ int set_seuser (const char *login_name, ret = 0; 
@@ -23,11 +22,10 @@ Index: shadow-4.5/lib/semanage.c done: semanage_handle_destroy (handle); return ret; -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -2042,6 +2042,7 @@ static void create_mail (void) +diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200 +@@ -2120,6 +2120,7 @@ static void create_mail (void) */ int main (int argc, char **argv) { @@ -35,14 +33,14 @@ Index: shadow-4.5/src/useradd.c #ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; -@@ -2262,27 +2263,11 @@ int main (int argc, char **argv) +@@ -2342,27 +2343,11 @@ int main (int argc, char **argv) usr_update (); - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, +- copy_tree (def_template, prefix_user_home, false, false, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, @@ -66,7 +64,7 @@ Index: shadow-4.5/src/useradd.c /* * tallylog_reset needs to be able to lookup * a valid existing user name, -@@ -2293,8 +2278,9 @@ int main (int argc, char **argv) +@@ -2373,8 +2358,9 @@ int main (int argc, char **argv) } #ifdef WITH_SELINUX @@ -78,7 +76,7 @@ Index: shadow-4.5/src/useradd.c fprintf (stderr, _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); -@@ -2303,14 +2289,31 @@ int main (int argc, char **argv) +@@ -2383,14 +2369,31 @@ int main (int argc, char **argv) "adding SELinux user mapping", user_name, (unsigned int) user_id, 0); #endif /* WITH_AUDIT */ 
@@ -95,7 +93,7 @@ Index: shadow-4.5/src/useradd.c + if (mflg) { + create_home (); + if (home_added) { -+ copy_tree (def_template, user_home, false, true, ++ copy_tree (def_template, prefix_user_home, false, true, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, diff --git a/shadow-4.6-usermod-crash.patch b/shadow-4.6-usermod-crash.patch new file mode 100644 index 0000000..d2861b3 --- /dev/null +++ b/shadow-4.6-usermod-crash.patch 
@@ -0,0 +1,42 @@ +diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c +--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200 +@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi + { + long long int gid; + char *endptr; ++ struct group *g; + + if (NULL == grname) { + return NULL; +@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi + && (gid == (gid_t)gid)) { + return prefix_getgrgid ((gid_t) gid); + } +- return prefix_getgrnam (grname); ++ g = prefix_getgrnam (grname); ++ return g ? __gr_dup(g) : NULL; + } + else + return getgr_nam_gid(grname); +diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200 +@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha + prefix_user_home = xmalloc(len); + wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home); + assert (wlen == (int) len -1); ++ if (user_newhome) { ++ len = strlen(prefix) + strlen(user_newhome) + 2; ++ prefix_user_newhome = xmalloc(len); ++ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); ++ assert (wlen == (int) len -1); ++ } + +- len = strlen(prefix) + strlen(user_newhome) + 2; +- prefix_user_newhome = xmalloc(len); +- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); +- assert (wlen == (int) len -1); + } + else { + prefix_user_home = user_home; diff --git a/shadow-utils.spec b/shadow-utils.spec index 883e02c..35732ac 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
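Review bot: The name path of prefix_getgr_nam_gid now returns `__gr_dup(g)` while the numeric path two lines above still returns `prefix_getgrgid ((gid_t) gid)` directly, so the function's two return paths hand back objects with different ownership (assuming `__gr_dup` allocates, which its use here implies); whichever convention the callers follow, one path either leaks a heap copy or frees memory it does not own. Apply the same treatment to both, e.g. `g = prefix_getgrgid ((gid_t) gid); return g ? __gr_dup(g) : NULL;`, and note that `__gr_dup` returning NULL on allocation failure is indistinguishable from "no such group" to the caller. The usermod.c hunk correctly guards `user_newhome` before building `prefix_user_newhome`, but it leaves `prefix_user_newhome` with whatever value it had before when `-d` was not given — fine only if that is NULL, which the hunk does not show. Both enclosing functions begin outside the hunk.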
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.5 -Release: 10%{?dist} +Version: 4.6 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -10,28 +10,26 @@ Source2: shadow-utils.useradd Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -Patch0: shadow-4.1.5-redhat.patch +Patch0: shadow-4.6-redhat.patch Patch1: shadow-4.5-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch6: shadow-4.5-selinux.patch -Patch7: shadow-4.1.5-2ndskip.patch -Patch10: shadow-4.5-orig-context.patch +Patch6: shadow-4.6-selinux.patch +Patch10: shadow-4.6-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch19: shadow-4.2.1-date-parsing.patch -Patch20: shadow-4.1.5.1-ingroup.patch -Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.3.1-audit-update.patch +Patch21: shadow-4.6-move-home.patch +Patch22: shadow-4.6-audit-update.patch Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch -Patch30: shadow-4.1.5.1-newgrp-grouplist.patch -Patch31: shadow-4.5-userdel-chroot.patch +Patch31: shadow-4.6-getenforce.patch Patch32: shadow-4.5-crypt_h.patch Patch33: shadow-4.5-long-entry.patch +Patch34: shadow-4.6-usermod-crash.patch License: BSD and GPLv2+ Group: System Environment/Base 
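Review bot: Four downstream patches disappear from the Patch list (2ndskip, ingroup, newgrp-grouplist, userdel-chroot) while the changelog entry only says "update to current upstream release 4.6", so anyone auditing which local fixes still apply has to diff the spec to find out. Add a line to the changelog entry naming them and the reason, e.g. `- drop 2ndskip, ingroup, newgrp-grouplist and userdel-chroot patches (merged upstream)`; that they were merged upstream is my inference from the version bump and should be confirmed against the 4.6 NEWS before being written.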
@@ -67,24 +65,22 @@ are used for managing group accounts. %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir %patch6 -p1 -b .selinux -%patch7 -p1 -b .2ndskip %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel %patch19 -p1 -b .date-parsing -%patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm -%patch30 -p1 -b .grouplist -%patch31 -p1 -b .userdel-chroot +%patch31 -p1 -b .getenforce %patch32 -p1 -b .crypt_h %patch33 -p1 -b .long-entry +%patch34 -p1 -b .usermod-crash iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -237,6 +233,9 @@ done %{_mandir}/man8/vigr.8* %changelog +* Mon May 28 2018 Tomáš Mráz - 2:4.6-1 +- update to current upstream release 4.6 + * Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 - Raise limit for passwd and shadow entry length but also prevent writing longer entries (#1422497) diff --git a/sources b/sources index a50063e..2093465 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (shadow-4.5.tar.xz) = e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 -SHA512 (shadow-4.5.tar.xz.asc) = 42739e5e36e0dd1ff8e9d8721f5b4b222113afd91c927b580bc0b587d59dcdecdf938c978405b80f15a70b17f2d0589f8b6277e0e9bd23a5f3c2fc924c9b1e24 +SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631 +SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed From 0aa80600347bf2cf430a3017b26ad495a40eb628 Mon Sep 17 00:00:00 2001 
From: Jason Tibbitts Date: Tue, 10 Jul 2018 01:20:51 -0500 Subject: [PATCH 58/64] Remove needless use of %defattr --- shadow-utils.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 35732ac..509265c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -183,7 +183,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do done %files -f shadow.lang -%defattr(-,root,root) %doc NEWS doc/HOWTO README %{!?_licensedir:%global license %%doc} %license gpl-2.0.txt shadow-bsd.txt From 8362f15341f867d3bdd5a6d09eb53b4752bf3b34 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 14 Jul 2018 06:02:14 +0000 Subject: [PATCH 59/64] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 509265c..8587c71 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ done %{_mandir}/man8/vigr.8* %changelog +* Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Mon May 28 2018 Tomáš Mráz - 2:4.6-1 - update to current upstream release 4.6 From f0fc249a12652b4b7b83e2c504187ce6352f2ecb Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:12:27 -0400 Subject: [PATCH 60/64] initial build steps for the package on centos7 Signed-off-by: Vincent Batts --- shadow-utils.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index 8587c71..9b9e883 100644 --- a/shadow-utils.spec 
+++ b/shadow-utils.spec @@ -97,6 +97,10 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +rm aclocal.m4 +aclocal +libtoolize --force + autoreconf %configure \ --enable-shadowgrp \ From 6a08374eef51fdd1f9e882c7e9a47d893ab53e12 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:14:39 -0400 Subject: [PATCH 61/64] spec: fetch sources from github if needed there is the 'sources' file that fedpkg uses, but for now allow fetching from the source URLs to build. Signed-off-by: Vincent Batts --- shadow-utils.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index 9b9e883..1ab546d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,3 +1,6 @@ +# they warn against doing this ... +%define _disable_source_fetch 0 + Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 From 354422003508b31a08c8779b5e3851cc1ed97133 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:35:53 -0400 Subject: [PATCH 62/64] spec: subpackage of newuidmap and newgidmap and have the main package depend on them for consistent experience. Though this may hae the side effect of yum wanting to use the main shadow as an upgrade to the shadow 4.1 that centos/rhel are using ... Built local rpm with: ```shell rpmbuild \ --define "_sourcedir $(pwd)" \ --define "_specdir $(pwd)" \ --define "_builddir $(pwd)" \ --define "_srcrpmdir $(pwd)" \ --define "_rpmdir $(pwd)" \ --nodeps \ -ba \ shadow-utils.spec ``` Signed-off-by: Vincent Batts --- shadow-utils.spec | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 1ab546d..e8bc3a4 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
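Review bot: `%define _disable_source_fetch 0` lets rpmbuild download Source0 and Source1 over the network whenever they are missing locally, and nothing visible in the spec checks the fetched tarball against the SHA512 recorded in `sources` or against the .asc signature it also lists, so the build's inputs become whatever the remote served at build time. The inline comment already admits this is discouraged; it should at least say why it is acceptable here (`# fetch enabled for local/COPR builds only; release builds must use the lookaside`), and the spec should verify the signature in %prep, e.g. `%{gpgverify} --keyring=%{SOURCE6} --signature=%{SOURCE1} --data=%{SOURCE0}` with the upstream key added as a Source — availability of that macro depends on the target's redhat-rpm-config, so confirm before relying on it.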
@@ -48,6 +48,7 @@ Requires: audit-libs >= 1.6.5 Requires: setup Requires(pre): coreutils Requires(post): coreutils +Requires: %{name}-newxidmap = %{version}-%{release} Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -62,6 +63,11 @@ for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts. +%package newxidmap +Summary: only the newuidmapp and newgidmap from shadow-utils +%description newxidmap +%{summary}. + %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat @@ -200,8 +206,6 @@ done %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp -%attr(4755,root,root) %{_bindir}/newgidmap -%attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/group* @@ -217,8 +221,6 @@ done %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* -%{_mandir}/man1/newgidmap.1* -%{_mandir}/man1/newuidmap.1* %{_mandir}/man3/shadow.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* @@ -238,6 +240,12 @@ done %{_mandir}/man8/vipw.8* %{_mandir}/man8/vigr.8* +%files newxidmap +%attr(4755,root,root) %{_bindir}/newgidmap +%attr(4755,root,root) %{_bindir}/newuidmap +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* + %changelog * Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From 7f73f07a1aea7eadfb9f74c5c262e3ebad9d69b9 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:49:10 -0400 Subject: [PATCH 63/64] source file is confusing the lookaside on copr Signed-off-by: Vincent Batts --- sources => sources.bak | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources => sources.bak (100%) 
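Review bot: `Requires: %{name}-newxidmap = %{version}-%{release}` omits the Epoch although the spec sets `Epoch: 2`, so the dependency does not state the same EVR as the subpackage it is meant to pin; write it as `Requires: %{name}-newxidmap = %{?epoch:%{epoch}:}%{version}-%{release}`. Whether rpm's dependency matching tolerates the missing epoch varies with the rpm version's epoch handling, so treat this as a correctness risk rather than a certain install failure.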
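Review bot: The new newxidmap subpackage installs two setuid-root binaries (`%attr(4755,root,root)` on newuidmap and newgidmap), but its Summary reads "only the newuidmapp and newgidmap from shadow-utils" — a typo and no mention that they are setuid, which is the first thing an administrator reviewing the package's installed privileges would want stated; suggest `Summary: setuid-root newuidmap and newgidmap helpers from shadow-utils`. The subpackage's %files section also carries no `%license` entry, so the license texts only ship with the main package.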
diff --git a/sources b/sources.bak similarity index 100% rename from sources rename to sources.bak From 3815c0b5ba14330979f63089b7d44cd95b25f38a Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 9 Oct 2018 10:15:32 -0400 Subject: [PATCH 64/64] change package name so "shadow-utils" won't attempt to update Signed-off-by: Vincent Batts --- shadow-utils.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index e8bc3a4..40be79a 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,8 +1,9 @@ # they warn against doing this ... %define _disable_source_fetch 0 +%define srcname shadow-utils Summary: Utilities for managing accounts and shadow password files -Name: shadow-utils +Name: %{srcname}46 Version: 4.6 Release: 2%{?dist} Epoch: 2