diff --git a/.gitignore b/.gitignore index 3b04b1e..e78a553 100644 --- a/.gitignore +++ b/.gitignore @@ -5,8 +5,3 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.5.1.tar.bz2.sig /shadow-4.2.1.tar.xz /shadow-4.2.1.tar.xz.sig -/shadow-4.3.1.tar.gz -/shadow-4.5.tar.xz -/shadow-4.5.tar.xz.asc -/shadow-4.6.tar.xz -/shadow-4.6.tar.xz.asc diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch new file mode 100644 index 0000000..8a9cf68 --- /dev/null +++ b/shadow-4.1.5-2ndskip.patch @@ -0,0 +1,100 @@ +diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c +--- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200 ++++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200 +@@ -143,6 +143,7 @@ int main (int argc, char **argv) + struct group grent; + const struct sgrp *sg; + struct sgrp sgent; ++ char *np; + + Prog = Basename (argv[0]); + +@@ -184,20 +185,25 @@ int main (int argc, char **argv) + * Remove /etc/gshadow entries for groups not in /etc/group. + */ + (void) sgr_rewind (); +- while ((sg = sgr_next ()) != NULL) { +- if (gr_locate (sg->sg_name) != NULL) { +- continue; +- } +- +- if (sgr_remove (sg->sg_name) == 0) { +- /* +- * This shouldn't happen (the entry exists) but... +- */ +- fprintf (stderr, +- _("%s: cannot remove entry '%s' from %s\n"), +- Prog, sg->sg_name, sgr_dbname ()); +- fail_exit (3); ++ sg = sgr_next (); ++ np=NULL; ++ while (sg != NULL) { ++ np = strdup(sg->sg_name); ++ sg = sgr_next (); ++ ++ if(gr_locate (np) == NULL) { ++ if (sgr_remove (np) == 0) { ++ /* ++ * This shouldn't happen (the entry exists) but... ++ */ ++ fprintf (stderr, ++ _("%s: cannot remove entry '%s' from %s\n"), ++ Prog, np, sgr_dbname ()); ++ free(np); ++ fail_exit (3); ++ } + } ++ free(np); + } + + /* +diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c +--- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200 ++++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200 +@@ -173,6 +173,7 @@ int main (int argc, char **argv) + struct passwd pwent; + const struct spwd *sp; + struct spwd spent; ++ char *np; + + Prog = Basename (argv[0]); + +@@ -223,20 +224,25 @@ int main (int argc, char **argv) + * Remove /etc/shadow entries for users not in /etc/passwd. + */ + (void) spw_rewind (); +- while ((sp = spw_next ()) != NULL) { +- if (pw_locate (sp->sp_namp) != NULL) { +- continue; +- } +- +- if (spw_remove (sp->sp_namp) == 0) { +- /* +- * This shouldn't happen (the entry exists) but... +- */ +- fprintf (stderr, +- _("%s: cannot remove entry '%s' from %s\n"), +- Prog, sp->sp_namp, spw_dbname ()); +- fail_exit (E_FAILURE); ++ sp = spw_next (); ++ np = NULL; ++ while (sp != NULL) { ++ np = strdup(sp->sp_namp); ++ sp = spw_next (); ++ ++ if (pw_locate (np) == NULL) { ++ if (spw_remove (np) == 0) { ++ /* ++ * This shouldn't happen (the entry exists) but... ++ */ ++ fprintf (stderr, ++ _("%s: cannot remove entry '%s' from %s\n"), ++ Prog, np, spw_dbname ()); ++ free(np); ++ fail_exit (E_FAILURE); ++ } + } ++ free(np); + } + + /* diff --git a/shadow-4.6-redhat.patch b/shadow-4.1.5-redhat.patch similarity index 52% rename from shadow-4.6-redhat.patch rename to shadow-4.1.5-redhat.patch index 7a8be2e..a785b29 100644 --- a/shadow-4.6-redhat.patch +++ b/shadow-4.1.5-redhat.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200 -@@ -98,7 +98,7 @@ const char *Prog; +diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8 +diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c +--- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100 ++++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100 +@@ -93,7 +93,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; static const char *def_home = "/home"; @@ -10,7 +11,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c static const char *def_template = SKEL_DIR; static const char *def_create_mail_spool = "no"; -@@ -108,7 +108,7 @@ static const char *def_expire = ""; +@@ -103,7 +103,7 @@ static const char *def_expire = ""; #define VALID(s) (strcspn (s, ":\n") == strlen (s)) static const char *user_name = ""; @@ -19,19 +20,19 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha +@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:", #else /* !WITH_SELINUX */ -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U", #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha +@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.1.5-uflg.patch b/shadow-4.1.5-uflg.patch new file mode 100644 index 0000000..f72bca3 --- /dev/null +++ b/shadow-4.1.5-uflg.patch @@ -0,0 +1,23 @@ +diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c +--- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200 ++++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100 +@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group, + return -1; + } + } else { +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ gid_min = (gid_t) 1; + gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + if (gid_max < gid_min) { +@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group, + return 0; + } + ++ /* if we did not find free preffered system gid, we start to look for ++ * one in the range assigned to dynamic system IDs */ ++ if (sys_group) ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); + + /* + * Search the entire group file, diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch new file mode 100644 index 0000000..6fbbdbf --- /dev/null +++ b/shadow-4.1.5.1-audit-owner.patch @@ -0,0 +1,32 @@ +diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c +--- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100 ++++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200 +@@ -1513,6 +1513,14 @@ static void move_home (void) + fail_exit (E_HOMEDIR); + } + ++#ifdef WITH_AUDIT ++ if (uflg || gflg) { ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "changing home directory owner", ++ user_newname, (unsigned int) user_newid, 1); ++ } ++#endif ++ + if (rename (user_home, user_newhome) == 0) { + /* FIXME: rename above may have broken symlinks + * pointing to the user's home directory +@@ -1947,6 +1955,13 @@ int main (int argc, char **argv) + * ownership. + * + */ ++#ifdef WITH_AUDIT ++ if (uflg || gflg) { ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "changing home directory owner", ++ user_newname, (unsigned int) user_newid, 1); ++ } ++#endif + if (chown_tree (dflg ? user_newhome : user_home, + user_id, + uflg ? user_newid : (uid_t)-1, diff --git a/shadow-4.1.5.1-backup-mode.patch b/shadow-4.1.5.1-backup-mode.patch new file mode 100644 index 0000000..7366b86 --- /dev/null +++ b/shadow-4.1.5.1-backup-mode.patch @@ -0,0 +1,20 @@ +diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c +--- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 ++++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 +@@ -301,15 +301,12 @@ static int create_backup (const char *ba + struct utimbuf ub; + FILE *bkfp; + int c; +- mode_t mask; + + if (fstat (fileno (fp), &sb) != 0) { + return -1; + } + +- mask = umask (077); +- bkfp = fopen (backup, "w"); +- (void) umask (mask); ++ bkfp = fopen_set_perms (backup, "w", &sb); + if (NULL == bkfp) { + return -1; + } diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch index 2a9d640..45c677a 100644 --- a/shadow-4.1.5.1-default-range.patch +++ b/shadow-4.1.5.1-default-range.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/lib/semanage.c -=================================================================== ---- shadow-4.5.orig/lib/semanage.c -+++ shadow-4.5/lib/semanage.c +diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c +--- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100 ++++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200 @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h goto done; } diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch new file mode 100644 index 0000000..6f3a1d2 --- /dev/null +++ b/shadow-4.1.5.1-errmsg.patch @@ -0,0 +1,23 @@ +diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 ++++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200 +@@ -1760,6 +1760,9 @@ static void create_home (void) + if (access (user_home, F_OK) != 0) { + #ifdef WITH_SELINUX + if (set_selinux_file_context (user_home, NULL) != 0) { ++ fprintf (stderr, ++ _("%s: cannot set SELinux context for home directory %s\n"), ++ Prog, user_home); + fail_exit (E_HOMEDIR); + } + #endif +@@ -1789,6 +1792,9 @@ static void create_home (void) + #ifdef WITH_SELINUX + /* Reset SELinux to create files with default contexts */ + if (reset_selinux_file_context () != 0) { ++ fprintf (stderr, ++ _("%s: cannot reset SELinux file creation context\n"), ++ Prog); + fail_exit (E_HOMEDIR); + } + #endif diff --git a/shadow-4.5-goodname.patch b/shadow-4.1.5.1-goodname.patch similarity index 50% rename from shadow-4.5-goodname.patch rename to shadow-4.1.5.1-goodname.patch index 215f658..15c98a7 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.1.5.1-goodname.patch @@ -1,8 +1,7 @@ -Index: shadow-4.5/libmisc/chkname.c -=================================================================== ---- shadow-4.5.orig/libmisc/chkname.c -+++ shadow-4.5/libmisc/chkname.c -@@ -47,27 +47,46 @@ +diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c +--- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/chkname.c 2014-09-09 17:35:17.207303124 +0200 +@@ -47,27 +47,42 @@ #include "chkname.h" static bool is_valid_name (const char *name) @@ -19,18 +18,16 @@ Index: shadow-4.5/libmisc/chkname.c + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" + * -+ * Also do not allow fully numeric names or just "." or "..". ++ * Also do not allow fully numeric names. + */ + int numeric; + -+ if ('\0' == *name || -+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || -+ '\0' == name[1])) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ *name == '_' || -+ *name == '.')) { ++ if ( ('\0' == *name) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') ++ )) { return false; } @@ -42,14 +39,13 @@ Index: shadow-4.5/libmisc/chkname.c - ('_' == *name) || - ('-' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) -+ if (!((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ *name == '_' || -+ *name == '.' || -+ *name == '-' || -+ (*name == '$' && name[1] == '\0') - )) { +- )) { ++ if (!( (*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') || (*name == '-') || ++ (*name == '$' && *(name + 1) == '\0') ++ )) { return false; } + numeric &= isdigit(*name); @@ -60,11 +56,10 @@ Index: shadow-4.5/libmisc/chkname.c } bool is_valid_user_name (const char *name) -Index: shadow-4.5/man/groupadd.8.xml -=================================================================== ---- shadow-4.5.orig/man/groupadd.8.xml -+++ shadow-4.5/man/groupadd.8.xml -@@ -256,12 +256,6 @@ +diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml +--- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 ++++ shadow-4.1.5.1/man/groupadd.8.xml 2014-09-09 17:28:46.330300342 +0200 +@@ -259,12 +259,6 @@ CAVEATS @@ -77,11 +72,19 @@ Index: shadow-4.5/man/groupadd.8.xml Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -Index: shadow-4.5/man/useradd.8.xml -=================================================================== ---- shadow-4.5.orig/man/useradd.8.xml -+++ shadow-4.5/man/useradd.8.xml -@@ -633,12 +633,6 @@ +diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml +--- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 +@@ -366,7 +366,7 @@ + + + +- Do no create the user's home directory, even if the system ++ Do not create the user's home directory, even if the system + wide setting from /etc/login.defs + () is set to + yes. +@@ -654,12 +654,6 @@ diff --git a/shadow-4.1.5.1-id-alloc.patch b/shadow-4.1.5.1-id-alloc.patch new file mode 100644 index 0000000..df6f89f --- /dev/null +++ b/shadow-4.1.5.1-id-alloc.patch @@ -0,0 +1,1219 @@ +Previously, this allocation was optimized for an outdated +deployment style (that of /etc/group alongside nss_db). The issue +here is that this results in extremely poor performance when using +SSSD, Winbind or nss_ldap. + +There were actually three serious bugs here that have been addressed: + +1) Running getgrent() loops won't work in most SSSD or Winbind +environments, as full group enumeration is disabled by default. +This could easily result in auto-allocating a group that was +already in use. (This might result in a security issue as well, if +the shared GID is a privileged group). + +2) For system groups, the loop was always iterating through the +complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this +means hundreds of round-trips to LDAP (unless the GIDs were +specifically configured to be ignored by the SSSD or winbindd). +To a user with a slow connection to their LDAP server, this would +appear as if groupadd -r was hung. (Though it would eventually +complete). + +3) This patch also adds better error-handling for errno from +getgrgid(), since if this function returns an unexpected error, we +should not be treating it as "ID is available". This could result +in assigning a GID that was already in use, with all the same +issues as 1) above. + +This patch changes the algorithm to be more favorable for LDAP +environments, at the expense of some performance when using nss_db. +Given that the DB is a local service, this should have a negligible +effect from a user's perspective. + +With the new algorithm, we simply first iterate through all entries +in the local database with gr_next(), recording the IDs that are in +use. We then start from the highest presumed-available entry and +call getgrgid() to see if it is available. We continue this until +we come to the first unused GID. We then select that and return it. + +If we make it through all the remaining IDs without finding a free +one, we start over from the beginning of the range and try to find +room in one of the gaps in the range. + +The patch was originally written by Stephen Gallagher and applied +identically also to the user allocation by Tomáš Mráz. + +diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c +--- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200 ++++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200 +@@ -39,6 +39,118 @@ + #include "getdef.h" + + /* ++ * get_ranges - Get the minimum and maximum ID ranges for the search ++ * ++ * This function will return the minimum and maximum ranges for IDs ++ * ++ * 0: The function completed successfully ++ * EINVAL: The provided ranges are impossible (such as maximum < minimum) ++ * ++ * preferred_min: The special-case minimum value for a specifically- ++ * requested ID, which may be lower than the standard min_id ++ */ ++static int get_ranges(bool sys_group, gid_t *min_id, gid_t *max_id, ++ gid_t *preferred_min) ++{ ++ gid_t gid_def_max = 0; ++ ++ if (sys_group) { ++ /* System groups */ ++ ++ /* A requested ID is allowed to be below the autoselect range */ ++ *preferred_min = (gid_t) 1; ++ ++ /* Get the minimum ID range from login.defs or default to 101 */ ++ *min_id = (gid_t) getdef_ulong("SYS_GID_MIN", 101UL); ++ ++ /* ++ * If SYS_GID_MAX is unspecified, we should assume it to be one ++ * less than the GID_MIN (which is reserved for non-system accounts) ++ */ ++ gid_def_max = (gid_t) getdef_ulong("GID_MIN", 1000UL) - 1; ++ *max_id = (gid_t) getdef_ulong("SYS_GID_MAX", ++ (unsigned long) gid_def_max); ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf (stderr, ++ _("%s: Invalid configuration: SYS_GID_MIN (%lu), " ++ "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ getdef_ulong ("GID_MIN", 1000UL), ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } else { ++ /* Non-system groups */ ++ ++ /* Get the values from login.defs or use reasonable defaults */ ++ *min_id = (gid_t) getdef_ulong("GID_MIN", 1000UL); ++ *max_id = (gid_t) getdef_ulong("GID_MAX", 60000UL); ++ ++ /* ++ * The preferred minimum should match the standard ID minimum ++ * for non-system groups. ++ */ ++ *preferred_min = *min_id; ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf(stderr, ++ _("%s: Invalid configuration: GID_MIN (%lu), " ++ "GID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } ++ ++ return 0; ++} ++ ++/* ++ * check_gid - See if the requested GID is available ++ * ++ * On success, return 0 ++ * If the ID is in use, return EEXIST ++ * If the ID is outside the range, return ERANGE ++ * In other cases, return errno from getgrgid() ++ */ ++static int check_gid(const gid_t gid, ++ const gid_t gid_min, ++ const gid_t gid_max, ++ bool *used_gids) ++{ ++ /* First test that the preferred ID is in the range */ ++ if (gid < gid_min || gid > gid_max) { ++ return ERANGE; ++ } ++ ++ /* ++ * Check whether we already detected this GID ++ * using the gr_next() loop ++ */ ++ if (used_gids != NULL && used_gids[gid]) { ++ return EEXIST; ++ } ++ /* Check if the GID exists according to NSS */ ++ errno = 0; ++ if (getgrgid(gid) != NULL) { ++ return EEXIST; ++ } else { ++ /* getgrgid() was NULL, check whether this was ++ * due to an error, so we can report it. ++ */ ++ /* ignore errors for now * if (errno != 0) { ++ return errno; ++ } */ ++ } ++ ++ /* If we've made it here, the GID must be available */ ++ return 0; ++} ++ ++/* + * find_new_gid - Find a new unused GID. + * + * If successful, find_new_gid provides an unused group ID in the +@@ -48,166 +160,339 @@ + * + * Return 0 on success, -1 if no unused GIDs are available. + */ +-int find_new_gid (bool sys_group, +- gid_t *gid, +- /*@null@*/gid_t const *preferred_gid) ++int find_new_gid(bool sys_group, ++ gid_t *gid, ++ /*@null@*/gid_t const *preferred_gid) + { +- const struct group *grp; +- gid_t gid_min, gid_max, group_id; + bool *used_gids; ++ const struct group *grp; ++ gid_t gid_min, gid_max, preferred_min; ++ gid_t group_id, id; ++ gid_t lowest_found, highest_found; ++ int result; ++ int nospam = 0; + +- assert (gid != NULL); ++ assert(gid != NULL); + +- if (!sys_group) { +- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); +- gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); +- if (gid_max < gid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"), +- Prog, (unsigned long) gid_min, (unsigned long) gid_max); +- return -1; +- } +- } else { +- gid_min = (gid_t) 1; +- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; +- gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); +- if (gid_max < gid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), +- Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max); ++ /* ++ * First, figure out what ID range is appropriate for ++ * automatic assignment ++ */ ++ result = get_ranges(sys_group, &gid_min, &gid_max, &preferred_min); ++ if (result == EINVAL) { ++ return -1; ++ } ++ ++ /* Check if the preferred GID is available */ ++ if (preferred_gid) { ++ result = check_gid(*preferred_gid, preferred_min, gid_max, NULL); ++ if (result == 0) { ++ /* ++ * Make sure the GID isn't queued for use already ++ */ ++ if (gr_locate_gid (*preferred_gid) == NULL) { ++ *gid = *preferred_gid; ++ return 0; ++ } ++ /* ++ * gr_locate_gid() found the GID in an as-yet uncommitted ++ * entry. We'll proceed below and auto-set a GID. ++ */ ++ } else if (result == EEXIST || result == ERANGE) { ++ /* ++ * Continue on below. At this time, we won't ++ * treat these two cases differently. ++ */ ++ } else { ++ /* ++ * An unexpected error occurred. We should report ++ * this and fail the group creation. ++ * This differs from the automatic creation ++ * behavior below, since if a specific GID was ++ * requested and generated an error, the user is ++ * more likely to want to stop and address the ++ * issue. ++ */ ++ fprintf(stderr, ++ _("%s: Encountered error attempting to use " ++ "preferred GID: %s\n"), ++ Prog, strerror(result)); + return -1; + } + } ++ ++ /* ++ * Search the entire group file, ++ * looking for the next unused value. ++ * ++ * We first check the local database with gr_rewind/gr_next to find ++ * all local values that are in use. ++ * ++ * We then compare the next free value to all databases (local and ++ * remote) and iterate until we find a free one. If there are free ++ * values beyond the lowest (system groups) or highest (non-system ++ * groups), we will prefer those and avoid potentially reclaiming a ++ * deleted group (which can be a security issue, since it may grant ++ * access to files belonging to that former group). ++ * ++ * If there are no GIDs available at the end of the search, we will ++ * have no choice but to iterate through the range looking for gaps. ++ * ++ */ ++ ++ /* Create an array to hold all of the discovered GIDs */ + used_gids = malloc (sizeof (bool) * (gid_max +1)); + if (NULL == used_gids) { + fprintf (stderr, +- _("%s: failed to allocate memory: %s\n"), +- Prog, strerror (errno)); ++ _("%s: failed to allocate memory: %s\n"), ++ Prog, strerror (errno)); + return -1; + } + memset (used_gids, false, sizeof (bool) * (gid_max + 1)); + +- if ( (NULL != preferred_gid) +- && (*preferred_gid >= gid_min) +- && (*preferred_gid <= gid_max) +- /* Check if the user exists according to NSS */ +- && (getgrgid (*preferred_gid) == NULL) +- /* Check also the local database in case of uncommitted +- * changes */ +- && (gr_locate_gid (*preferred_gid) == NULL)) { +- *gid = *preferred_gid; +- free (used_gids); +- return 0; +- } +- +- /* if we did not find free preffered system gid, we start to look for +- * one in the range assigned to dynamic system IDs */ +- if (sys_group) +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ /* First look for the lowest and highest value in the local database */ ++ (void) gr_rewind (); ++ highest_found = gid_min; ++ lowest_found = gid_max; ++ while ((grp = gr_next ()) != NULL) { ++ /* ++ * Does this entry have a lower GID than the lowest we've found ++ * so far? ++ */ ++ if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) { ++ lowest_found = grp->gr_gid - 1; ++ } ++ ++ /* ++ * Does this entry have a higher GID than the highest we've found ++ * so far? ++ */ ++ if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) { ++ highest_found = grp->gr_gid + 1; ++ } ++ ++ /* create index of used GIDs */ ++ if (grp->gr_gid >= gid_min ++ && grp->gr_gid <= gid_max) { ++ ++ used_gids[grp->gr_gid] = true; ++ } ++ } + +- /* +- * Search the entire group file, +- * looking for the largest unused value. +- * +- * We check the list of groups according to NSS (setgrent/getgrent), +- * but we also check the local database (gr_rewind/gr_next) in case +- * some groups were created but the changes were not committed yet. +- */ + if (sys_group) { +- gid_t id; +- /* setgrent / getgrent / endgrent can be very slow with +- * LDAP configurations (and many accounts). +- * Since there is a limited amount of IDs to be tested +- * for system accounts, we just check the existence +- * of IDs with getgrgid. +- */ +- group_id = gid_max; +- for (id = gid_max; id >= gid_min; id--) { +- if (getgrgid (id) != NULL) { +- group_id = id - 1; +- used_gids[id] = true; +- } ++ /* ++ * For system groups, we want to start from the ++ * top of the range and work downwards. ++ */ ++ ++ /* ++ * At the conclusion of the gr_next() search, we will either ++ * have a presumed-free GID or we will be at GID_MIN - 1. ++ */ ++ if (lowest_found < gid_min) { ++ /* ++ * In this case, a GID is in use at GID_MIN. ++ * ++ * We will reset the search to GID_MAX and proceed down ++ * through all the GIDs (skipping those we detected with ++ * used_gids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted GID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign GIDs ++ * explicitly). ++ */ ++ lowest_found = gid_max; + } + +- (void) gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { +- group_id = grp->gr_gid - 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ /* Search through all of the IDs in the range */ ++ for (id = lowest_found; id >= gid_min; id--) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- } else { +- group_id = gid_min; +- setgrent (); +- while ((grp = getgrent ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ ++ /* ++ * If we get all the way through the loop, try again from GID_MAX, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) ++ * cycles *again* if we fall into this case with lowest_found as ++ * GID_MAX - 1, all groups in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (lowest_found != gid_max) { ++ for (id = gid_max; id >= gid_min; id--) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ ++ } + } + } +- endgrent (); ++ } else { /* !sys_group */ ++ /* ++ * For non-system groups, we want to start from the ++ * bottom of the range and work upwards. ++ */ + +- (void) gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; +- } ++ /* ++ * At the conclusion of the gr_next() search, we will either ++ * have a presumed-free GID or we will be at GID_MAX + 1. ++ */ ++ if (highest_found > gid_max) { ++ /* ++ * In this case, a GID is in use at GID_MAX. ++ * ++ * We will reset the search to GID_MIN and proceed up ++ * through all the GIDs (skipping those we detected with ++ * used_gids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted GID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign GIDs ++ * explicitly). ++ */ ++ highest_found = gid_min; + } +- } + +- /* +- * If a group (resp. system group) with GID equal to GID_MAX (resp. +- * GID_MIN) exists, the above algorithm will give us GID_MAX+1 +- * (resp. GID_MIN-1) even if not unique. Search for the first free +- * GID starting with GID_MIN (resp. GID_MAX). +- */ +- if (sys_group) { +- if (group_id < gid_min) { +- for (group_id = gid_max; group_id >= gid_min; group_id--) { +- if (false == used_gids[group_id]) { +- break; ++ /* Search through all of the IDs in the range */ ++ for (id = highest_found; id <= gid_max; id++) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; + } +- } +- if (group_id < gid_min) { +- fprintf (stderr, +- _("%s: Can't get unique system GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available GID on the system")); +- free (used_gids); +- return -1; ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- } else { +- if (group_id > gid_max) { +- for (group_id = gid_min; group_id <= gid_max; group_id++) { +- if (false == used_gids[group_id]) { +- break; ++ ++ /* ++ * If we get all the way through the loop, try again from GID_MIN, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) ++ * cycles *again* if we fall into this case with highest_found as ++ * GID_MIN + 1, all groups in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (highest_found != gid_min) { ++ for (id = gid_min; id <= gid_max; id++) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- if (group_id > gid_max) { +- fprintf (stderr, +- _("%s: Can't get unique GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, "no more available GID on the system")); +- free (used_gids); +- return -1; +- } + } + } + +- free (used_gids); +- *gid = group_id; +- return 0; ++ /* The code reached here and found no available IDs in the range */ ++ fprintf(stderr, ++ _("%s: Can't get unique GID (no more available GIDs)\n"), ++ Prog); ++ SYSLOG((LOG_WARN, "no more available GIDs on the system")); ++ free(used_gids); ++ return -1; + } + +diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c +--- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200 +@@ -39,6 +39,118 @@ + #include "getdef.h" + + /* ++ * get_ranges - Get the minimum and maximum ID ranges for the search ++ * ++ * This function will return the minimum and maximum ranges for IDs ++ * ++ * 0: The function completed successfully ++ * EINVAL: The provided ranges are impossible (such as maximum < minimum) ++ * ++ * preferred_min: The special-case minimum value for a specifically- ++ * requested ID, which may be lower than the standard min_id ++ */ ++static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id, ++ uid_t *preferred_min) ++{ ++ uid_t uid_def_max = 0; ++ ++ if (sys_user) { ++ /* System users */ ++ ++ /* A requested ID is allowed to be below the autoselect range */ ++ *preferred_min = (uid_t) 1; ++ ++ /* Get the minimum ID range from login.defs or default to 101 */ ++ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL); ++ ++ /* ++ * If SYS_UID_MAX is unspecified, we should assume it to be one ++ * less than the UID_MIN (which is reserved for non-system accounts) ++ */ ++ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1; ++ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX", ++ (unsigned long) uid_def_max); ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf (stderr, ++ _("%s: Invalid configuration: SYS_UID_MIN (%lu), " ++ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ getdef_ulong ("UID_MIN", 1000UL), ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } else { ++ /* Non-system users */ ++ ++ /* Get the values from login.defs or use reasonable defaults */ ++ *min_id = (uid_t) getdef_ulong("UID_MIN", 1000UL); ++ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL); ++ ++ /* ++ * The preferred minimum should match the standard ID minimum ++ * for non-system users. ++ */ ++ *preferred_min = *min_id; ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf(stderr, ++ _("%s: Invalid configuration: UID_MIN (%lu), " ++ "UID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } ++ ++ return 0; ++} ++ ++/* ++ * check_uid - See if the requested UID is available ++ * ++ * On success, return 0 ++ * If the ID is in use, return EEXIST ++ * If the ID is outside the range, return ERANGE ++ * In other cases, return errno from getpwuid() ++ */ ++static int check_uid(const uid_t uid, ++ const uid_t uid_min, ++ const uid_t uid_max, ++ bool *used_uids) ++{ ++ /* First test that the preferred ID is in the range */ ++ if (uid < uid_min || uid > uid_max) { ++ return ERANGE; ++ } ++ ++ /* ++ * Check whether we already detected this UID ++ * using the pw_next() loop ++ */ ++ if (used_uids != NULL && used_uids[uid]) { ++ return EEXIST; ++ } ++ /* Check if the UID exists according to NSS */ ++ errno = 0; ++ if (getpwuid(uid) != NULL) { ++ return EEXIST; ++ } else { ++ /* getpwuid() was NULL, check whether this was ++ * due to an error, so we can report it. ++ */ ++ /* ignore errors for now * if (errno != 0) { ++ return errno; ++ } */ ++ } ++ ++ /* If we've made it here, the UID must be available */ ++ return 0; ++} ++ ++/* + * find_new_uid - Find a new unused UID. + * + * If successful, find_new_uid provides an unused user ID in the +@@ -48,162 +160,339 @@ + * + * Return 0 on success, -1 if no unused UIDs are available. + */ +-int find_new_uid (bool sys_user, +- uid_t *uid, +- /*@null@*/uid_t const *preferred_uid) ++int find_new_uid(bool sys_user, ++ uid_t *uid, ++ /*@null@*/uid_t const *preferred_uid) + { +- const struct passwd *pwd; +- uid_t uid_min, uid_max, user_id; + bool *used_uids; ++ const struct passwd *pwd; ++ uid_t uid_min, uid_max, preferred_min; ++ uid_t user_id, id; ++ uid_t lowest_found, highest_found; ++ int result; ++ int nospam = 0; + + assert (uid != NULL); + +- if (!sys_user) { +- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); +- if (uid_max < uid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"), +- Prog, (unsigned long) uid_min, (unsigned long) uid_max); +- return -1; +- } +- } else { +- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); +- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; +- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); +- if (uid_max < uid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), +- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max); ++ /* ++ * First, figure out what ID range is appropriate for ++ * automatic assignment ++ */ ++ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min); ++ if (result == EINVAL) { ++ return -1; ++ } ++ ++ /* Check if the preferred UID is available */ ++ if (preferred_uid) { ++ result = check_uid(*preferred_uid, preferred_min, uid_max, NULL); ++ if (result == 0) { ++ /* ++ * Make sure the UID isn't queued for use already ++ */ ++ if (pw_locate_uid (*preferred_uid) == NULL) { ++ *uid = *preferred_uid; ++ return 0; ++ } ++ /* ++ * pw_locate_uid() found the UID in an as-yet uncommitted ++ * entry. We'll proceed below and auto-set an UID. ++ */ ++ } else if (result == EEXIST || result == ERANGE) { ++ /* ++ * Continue on below. At this time, we won't ++ * treat these two cases differently. ++ */ ++ } else { ++ /* ++ * An unexpected error occurred. We should report ++ * this and fail the user creation. ++ * This differs from the automatic creation ++ * behavior below, since if a specific UID was ++ * requested and generated an error, the user is ++ * more likely to want to stop and address the ++ * issue. ++ */ ++ fprintf(stderr, ++ _("%s: Encountered error attempting to use " ++ "preferred UID: %s\n"), ++ Prog, strerror(result)); + return -1; + } + } ++ ++ /* ++ * Search the entire passwd file, ++ * looking for the next unused value. ++ * ++ * We first check the local database with pw_rewind/pw_next to find ++ * all local values that are in use. ++ * ++ * We then compare the next free value to all databases (local and ++ * remote) and iterate until we find a free one. If there are free ++ * values beyond the lowest (system users) or highest (non-system ++ * users), we will prefer those and avoid potentially reclaiming a ++ * deleted user (which can be a security issue, since it may grant ++ * access to files belonging to that former user). ++ * ++ * If there are no UIDs available at the end of the search, we will ++ * have no choice but to iterate through the range looking for gaps. ++ * ++ */ ++ ++ /* Create an array to hold all of the discovered UIDs */ + used_uids = malloc (sizeof (bool) * (uid_max +1)); + if (NULL == used_uids) { + fprintf (stderr, +- _("%s: failed to allocate memory: %s\n"), +- Prog, strerror (errno)); ++ _("%s: failed to allocate memory: %s\n"), ++ Prog, strerror (errno)); + return -1; + } + memset (used_uids, false, sizeof (bool) * (uid_max + 1)); + +- if ( (NULL != preferred_uid) +- && (*preferred_uid >= uid_min) +- && (*preferred_uid <= uid_max) +- /* Check if the user exists according to NSS */ +- && (getpwuid (*preferred_uid) == NULL) +- /* Check also the local database in case of uncommitted +- * changes */ +- && (pw_locate_uid (*preferred_uid) == NULL)) { +- *uid = *preferred_uid; +- free (used_uids); +- return 0; +- } ++ /* First look for the lowest and highest value in the local database */ ++ (void) pw_rewind (); ++ highest_found = uid_min; ++ lowest_found = uid_max; ++ while ((pwd = pw_next ()) != NULL) { ++ /* ++ * Does this entry have a lower UID than the lowest we've found ++ * so far? ++ */ ++ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) { ++ lowest_found = pwd->pw_uid - 1; ++ } + ++ /* ++ * Does this entry have a higher UID than the highest we've found ++ * so far? ++ */ ++ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) { ++ highest_found = pwd->pw_uid + 1; ++ } ++ ++ /* create index of used UIDs */ ++ if (pwd->pw_uid >= uid_min ++ && pwd->pw_uid <= uid_max) { ++ ++ used_uids[pwd->pw_uid] = true; ++ } ++ } + +- /* +- * Search the entire password file, +- * looking for the largest unused value. +- * +- * We check the list of users according to NSS (setpwent/getpwent), +- * but we also check the local database (pw_rewind/pw_next) in case +- * some users were created but the changes were not committed yet. +- */ + if (sys_user) { +- uid_t id; +- /* setpwent / getpwent / endpwent can be very slow with +- * LDAP configurations (and many accounts). +- * Since there is a limited amount of IDs to be tested +- * for system accounts, we just check the existence +- * of IDs with getpwuid. +- */ +- user_id = uid_max; +- for (id = uid_max; id >= uid_min; id--) { +- if (getpwuid (id) != NULL) { +- user_id = id - 1; +- used_uids[id] = true; +- } ++ /* ++ * For system users, we want to start from the ++ * top of the range and work downwards. ++ */ ++ ++ /* ++ * At the conclusion of the pw_next() search, we will either ++ * have a presumed-free UID or we will be at UID_MIN - 1. ++ */ ++ if (lowest_found < uid_min) { ++ /* ++ * In this case, an UID is in use at UID_MIN. ++ * ++ * We will reset the search to UID_MAX and proceed down ++ * through all the UIDs (skipping those we detected with ++ * used_uids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted UID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign UIDs ++ * explicitly). ++ */ ++ lowest_found = uid_max; + } + +- (void) pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { +- user_id = pwd->pw_uid - 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ /* Search through all of the IDs in the range */ ++ for (id = lowest_found; id >= uid_min; id--) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ + } + } +- } else { +- user_id = uid_min; +- setpwent (); +- while ((pwd = getpwent ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ ++ /* ++ * If we get all the way through the loop, try again from UID_MAX, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) ++ * cycles *again* if we fall into this case with lowest_found as ++ * UID_MAX - 1, all users in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (lowest_found != uid_max) { ++ for (id = uid_max; id >= uid_min; id--) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ ++ } + } + } +- endpwent (); ++ } else { /* !sys_user */ ++ /* ++ * For non-system users, we want to start from the ++ * bottom of the range and work upwards. ++ */ + +- (void) pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; +- } ++ /* ++ * At the conclusion of the pw_next() search, we will either ++ * have a presumed-free UID or we will be at UID_MAX + 1. ++ */ ++ if (highest_found > uid_max) { ++ /* ++ * In this case, a UID is in use at UID_MAX. ++ * ++ * We will reset the search to UID_MIN and proceed up ++ * through all the UIDs (skipping those we detected with ++ * used_uids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted UID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign UIDs ++ * explicitly). ++ */ ++ highest_found = uid_min; + } +- } + +- /* +- * If a user (resp. system user) with UID equal to UID_MAX (resp. +- * UID_MIN) exists, the above algorithm will give us UID_MAX+1 +- * (resp. UID_MIN-1) even if not unique. Search for the first free +- * UID starting with UID_MIN (resp. UID_MAX). +- */ +- if (sys_user) { +- if (user_id < uid_min) { +- for (user_id = uid_max; user_id >= uid_min; user_id--) { +- if (false == used_uids[user_id]) { +- break; ++ /* Search through all of the IDs in the range */ ++ for (id = highest_found; id <= uid_max; id++) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; + } +- } +- if (user_id < uid_min ) { +- fprintf (stderr, +- _("%s: Can't get unique system UID (no more available UIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available UID on the system")); +- free (used_uids); +- return -1; ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ + } + } +- } else { +- if (user_id > uid_max) { +- for (user_id = uid_min; user_id <= uid_max; user_id++) { +- if (false == used_uids[user_id]) { +- break; ++ ++ /* ++ * If we get all the way through the loop, try again from UID_MIN, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) ++ * cycles *again* if we fall into this case with highest_found as ++ * UID_MIN + 1, all users in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (highest_found != uid_min) { ++ for (id = uid_min; id <= uid_max; id++) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ + } + } +- if (user_id > uid_max) { +- fprintf (stderr, +- _("%s: Can't get unique UID (no more available UIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, "no more available UID on the system")); +- free (used_uids); +- return -1; +- } + } + } + +- free (used_uids); +- *uid = user_id; +- return 0; ++ /* The code reached here and found no available IDs in the range */ ++ fprintf(stderr, ++ _("%s: Can't get unique UID (no more available UIDs)\n"), ++ Prog); ++ SYSLOG((LOG_WARN, "no more available UIDs on the system")); ++ free(used_uids); ++ return -1; + } + diff --git a/shadow-4.1.5.1-info-parent-dir.patch b/shadow-4.1.5.1-info-parent-dir.patch index b3a525b..b05e5bb 100644 --- a/shadow-4.1.5.1-info-parent-dir.patch +++ b/shadow-4.1.5.1-info-parent-dir.patch @@ -1,8 +1,7 @@ -Index: shadow-4.5/man/newusers.8.xml -=================================================================== ---- shadow-4.5.orig/man/newusers.8.xml -+++ shadow-4.5/man/newusers.8.xml -@@ -218,7 +218,15 @@ +diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml +--- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 ++++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 +@@ -216,7 +216,15 @@ If this field does not specify an existing directory, the specified directory is created, with ownership set to the diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch new file mode 100644 index 0000000..e440431 --- /dev/null +++ b/shadow-4.1.5.1-ingroup.patch @@ -0,0 +1,63 @@ +diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1/src/newgrp.c.ingroup 2014-08-29 13:31:38.000000000 +0200 ++++ shadow-4.1.5.1/src/newgrp.c 2014-08-29 14:04:57.183849650 +0200 +@@ -83,15 +83,29 @@ static void usage (void) + } + } + ++static bool ingroup(const char *name, struct group *gr) ++{ ++ char **look; ++ bool notfound = true; ++ ++ look = gr->gr_mem; ++ while (*look && notfound) ++ notfound = strcmp (*look++, name); ++ ++ return !notfound; ++} ++ + /* +- * find_matching_group - search all groups of a given group id for ++ * find_matching_group - search all groups of a gr's group id for + * membership of a given username ++ * but check gr itself first + */ +-static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid) ++static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr) + { +- struct group *gr; +- char **look; +- bool notfound = true; ++ gid_t gid = gr->gr_gid; ++ ++ if (ingroup(name, gr)) ++ return gr; + + setgrent (); + while ((gr = getgrent ()) != NULL) { +@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc + * A group with matching GID was found. + * Test for membership of 'name'. + */ +- look = gr->gr_mem; +- while ((NULL != *look) && notfound) { +- notfound = (strcmp (*look, name) != 0); +- look++; +- } +- if (!notfound) { ++ if (ingroup(name, gr)) + break; +- } + } + endgrent (); + return gr; +@@ -616,7 +624,7 @@ int main (int argc, char **argv) + * groups of the same GID like the requested group for + * membership of the current user. + */ +- grp = find_matching_group (name, grp->gr_gid); ++ grp = find_matching_group (name, grp); + if (NULL == grp) { + /* + * No matching group found. As we already know that diff --git a/shadow-4.1.5.1-logmsg.patch b/shadow-4.1.5.1-logmsg.patch index ca7e57b..7d5cbc8 100644 --- a/shadow-4.1.5.1-logmsg.patch +++ b/shadow-4.1.5.1-logmsg.patch @@ -1,8 +1,7 @@ -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -323,7 +323,7 @@ static void fail_exit (int code) +diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 ++++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 +@@ -275,7 +275,7 @@ static void fail_exit (int code) user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch new file mode 100644 index 0000000..c87e232 --- /dev/null +++ b/shadow-4.1.5.1-move-home.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c +--- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 ++++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 +@@ -1571,6 +1571,11 @@ static void move_home (void) + Prog, user_home, user_newhome); + fail_exit (E_HOMEDIR); + } ++ } else { ++ fprintf (stderr, ++ _("%s: The previous home directory (%s) does " ++ "not exist or is inaccessible. Move cannot be completed.\n"), ++ Prog, user_home); + } + } + diff --git a/shadow-4.6-orig-context.patch b/shadow-4.1.5.1-orig-context.patch similarity index 62% rename from shadow-4.6-orig-context.patch rename to shadow-4.1.5.1-orig-context.patch index ea522e7..c1ddb13 100644 --- a/shadow-4.6-orig-context.patch +++ b/shadow-4.1.5.1-orig-context.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c ---- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200 -@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db * +diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c +--- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200 ++++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100 +@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); #ifdef WITH_SELINUX @@ -10,7 +10,7 @@ diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c errors++; } #endif -@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db * +@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -19,9 +19,9 @@ diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c errors++; } #endif -diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c ---- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200 +diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c +--- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100 ++++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ @@ -58,10 +58,10 @@ diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h ---- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200 -@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h +--- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100 ++++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100 +@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -70,9 +70,9 @@ diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c ---- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200 +diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c +--- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100 ++++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context @@ -114,15 +114,15 @@ diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c } /* -diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200 -+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200 -@@ -2020,7 +2020,7 @@ static void create_home (void) +diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200 ++++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100 +@@ -1759,7 +1759,7 @@ static void create_home (void) { - if (access (prefix_user_home, F_OK) != 0) { + if (access (user_home, F_OK) != 0) { #ifdef WITH_SELINUX -- if (set_selinux_file_context (prefix_user_home) != 0) { -+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) { - fprintf (stderr, - _("%s: cannot set SELinux context for home directory %s\n"), - Prog, user_home); +- if (set_selinux_file_context (user_home) != 0) { ++ if (set_selinux_file_context (user_home, NULL) != 0) { + fail_exit (E_HOMEDIR); + } + #endif diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch new file mode 100644 index 0000000..4ac32d2 --- /dev/null +++ b/shadow-4.1.5.1-selinux.patch @@ -0,0 +1,99 @@ +diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c +--- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100 ++++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200 +@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, + + ret = 0; + ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_seuser_key_free (key); + semanage_handle_destroy (handle); +@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) + } + + ret = 0; ++ ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_handle_destroy (handle); + return ret; +diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200 ++++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200 +@@ -1850,6 +1850,7 @@ static void create_mail (void) + */ + int main (int argc, char **argv) + { ++ int rv = E_SUCCESS; + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + pam_handle_t *pamh = NULL; +@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) + + usr_update (); + ++ close_files (); ++ ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ ++#ifdef WITH_SELINUX ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ if (set_seuser (user_name, user_selinux) != 0) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_USER, Prog, ++ "adding SELinux user mapping", ++ user_name, (unsigned int) user_id, 0); ++#endif /* WITH_AUDIT */ ++ rv = E_SE_UPDATE; ++ } ++ } ++ } ++#endif ++ + if (mflg) { + create_home (); + if (home_added) { +- copy_tree (def_template, user_home, false, false, ++ copy_tree (def_template, user_home, false, true, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, +@@ -2056,27 +2080,6 @@ int main (int argc, char **argv) + create_mail (); + } + +- close_files (); +- +-#ifdef WITH_SELINUX +- if (Zflg) { +- if (set_seuser (user_name, user_selinux) != 0) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding SELinux user mapping", +- user_name, (unsigned int) user_id, 0); +-#endif /* WITH_AUDIT */ +- fail_exit (E_SE_UPDATE); +- } +- } +-#endif /* WITH_SELINUX */ +- +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); +- +- return E_SUCCESS; ++ return rv; + } + diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch index 075f482..b79baee 100644 --- a/shadow-4.1.5.1-userdel-helpfix.patch +++ b/shadow-4.1.5.1-userdel-helpfix.patch @@ -1,8 +1,7 @@ -Index: shadow-4.5/src/userdel.c -=================================================================== ---- shadow-4.5.orig/src/userdel.c -+++ shadow-4.5/src/userdel.c -@@ -143,8 +143,9 @@ static void usage (int status) +diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c +--- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 ++++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 +@@ -130,8 +130,9 @@ static void usage (int status) "\n" "Options:\n"), Prog); diff --git a/shadow-4.6-audit-update.patch b/shadow-4.2.1-audit-update.patch similarity index 86% rename from shadow-4.6-audit-update.patch rename to shadow-4.2.1-audit-update.patch index b9d0a67..8f2edf8 100644 --- a/shadow-4.6-audit-update.patch +++ b/shadow-4.2.1-audit-update.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_help.c ---- shadow-4.6/libmisc/audit_help.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/audit_help.c 2018-05-28 15:01:09.913717564 +0200 +diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/audit_help.c +--- shadow-4.2.1/libmisc/audit_help.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/audit_help.c 2014-11-26 15:06:24.663660558 +0100 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +50,9 @@ diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_h void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/cleanup_group.c ---- shadow-4.6/libmisc/cleanup_group.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/cleanup_group.c 2018-05-28 15:01:09.913717564 +0200 +diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/cleanup_group.c +--- shadow-4.2.1/libmisc/cleanup_group.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/cleanup_group.c 2014-11-26 15:06:24.663660558 +0100 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -131,9 +131,9 @@ diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/clea SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/cleanup_user.c ---- shadow-4.6/libmisc/cleanup_user.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/cleanup_user.c 2018-05-28 15:01:09.913717564 +0200 +diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/cleanup_user.c +--- shadow-4.2.1/libmisc/cleanup_user.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/cleanup_user.c 2014-11-26 15:06:24.663660558 +0100 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -181,10 +181,10 @@ diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/clean SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h ---- shadow-4.6/lib/prototypes.h.audit-update 2018-05-28 15:01:09.901717309 +0200 -+++ shadow-4.6/lib/prototypes.h 2018-05-28 15:01:09.913717564 +0200 -@@ -211,12 +211,21 @@ extern int audit_fd; +diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes.h +--- shadow-4.2.1/lib/prototypes.h.audit-update 2014-11-26 15:06:24.644660498 +0100 ++++ shadow-4.2.1/lib/prototypes.h 2014-11-26 15:06:24.663660558 +0100 +@@ -208,12 +208,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ #define AUDIT_NO_ID ((unsigned int) -1) @@ -206,9 +206,9 @@ diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c ---- shadow-4.6/src/gpasswd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/gpasswd.c 2018-05-28 15:01:09.914717585 +0200 +diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c +--- shadow-4.2.1/src/gpasswd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/gpasswd.c 2014-11-26 15:06:24.664660561 +0100 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -218,7 +218,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); (void) fputs (_(" -M, --members USER,... set the list of members of GROUP\n"), usageout); #ifdef SHADOWGRP -@@ -396,21 +396,14 @@ static void open_files (void) +@@ -397,21 +397,14 @@ static void open_files (void) static void log_gpasswd_failure (const char *suffix) { @@ -243,7 +243,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (dflg) { -@@ -418,13 +411,9 @@ static void log_gpasswd_failure (const c +@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c "%s failed to remove user %s from group %s%s", myname, user, group, suffix)); #ifdef WITH_AUDIT @@ -260,7 +260,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (rflg) { -@@ -432,13 +421,9 @@ static void log_gpasswd_failure (const c +@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c "%s failed to remove password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -277,7 +277,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Rflg) { -@@ -446,13 +431,9 @@ static void log_gpasswd_failure (const c +@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c "%s failed to restrict access to group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -294,7 +294,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Aflg || Mflg) { -@@ -462,13 +443,9 @@ static void log_gpasswd_failure (const c +@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c "%s failed to set the administrators of group %s to %s%s", myname, group, admins, suffix)); #ifdef WITH_AUDIT @@ -311,7 +311,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -478,13 +455,9 @@ static void log_gpasswd_failure (const c +@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c "%s failed to set the members of group %s to %s%s", myname, group, members, suffix)); #ifdef WITH_AUDIT @@ -328,7 +328,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -493,13 +466,9 @@ static void log_gpasswd_failure (const c +@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c "%s failed to change password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -345,7 +345,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -530,21 +499,14 @@ static void log_gpasswd_failure_gshadow +@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow static void log_gpasswd_success (const char *suffix) { @@ -370,7 +370,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (dflg) { -@@ -552,13 +514,9 @@ static void log_gpasswd_success (const c +@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c "user %s removed by %s from group %s%s", user, myname, group, suffix)); #ifdef WITH_AUDIT @@ -387,7 +387,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (rflg) { -@@ -566,13 +524,9 @@ static void log_gpasswd_success (const c +@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c "password of group %s removed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -404,7 +404,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Rflg) { -@@ -580,13 +534,9 @@ static void log_gpasswd_success (const c +@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c "access to group %s restricted by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -421,7 +421,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Aflg || Mflg) { -@@ -596,13 +546,9 @@ static void log_gpasswd_success (const c +@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c "administrators of group %s set by %s to %s%s", group, myname, admins, suffix)); #ifdef WITH_AUDIT @@ -438,7 +438,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -612,13 +558,9 @@ static void log_gpasswd_success (const c +@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c "members of group %s set by %s to %s%s", group, myname, members, suffix)); #ifdef WITH_AUDIT @@ -455,7 +455,7 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -627,13 +569,9 @@ static void log_gpasswd_success (const c +@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c "password of group %s changed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -472,10 +472,10 @@ diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c ---- shadow-4.6/src/groupadd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/groupadd.c 2018-05-28 15:02:53.137910337 +0200 -@@ -130,6 +130,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c +--- shadow-4.2.1/src/groupadd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupadd.c 2014-11-26 15:06:24.664660561 +0100 +@@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -491,7 +491,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c /* * new_grent - initialize the values in a group file entry * -@@ -213,7 +222,7 @@ static void grp_update (void) +@@ -210,7 +219,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); @@ -500,7 +500,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } #ifdef SHADOWGRP /* -@@ -223,7 +232,7 @@ static void grp_update (void) +@@ -220,7 +229,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); @@ -509,7 +509,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } #endif /* SHADOWGRP */ } -@@ -247,7 +256,7 @@ static void check_new_name (void) +@@ -244,7 +253,7 @@ static void check_new_name (void) fprintf (stderr, _("%s: '%s' is not a valid group name\n"), Prog, group_name); @@ -518,7 +518,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } /* -@@ -263,11 +272,11 @@ static void close_files (void) +@@ -260,11 +269,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -532,7 +532,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -285,11 +294,11 @@ static void close_files (void) +@@ -282,11 +291,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -547,7 +547,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -303,12 +312,6 @@ static void close_files (void) +@@ -300,12 +309,6 @@ static void close_files (void) #endif /* SHADOWGRP */ /* Report success at the system level */ @@ -560,7 +560,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); -@@ -326,7 +329,7 @@ static void open_files (void) +@@ -323,7 +326,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -569,7 +569,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } add_cleanup (cleanup_unlock_group, NULL); -@@ -336,7 +339,7 @@ static void open_files (void) +@@ -333,7 +336,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -578,8 +578,8 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -352,7 +355,7 @@ static void open_files (void) - if (gr_open (O_CREAT | O_RDWR) == 0) { +@@ -349,7 +352,7 @@ static void open_files (void) + if (gr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); - exit (E_GRP_UPDATE); @@ -587,7 +587,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } #ifdef SHADOWGRP -@@ -362,7 +365,7 @@ static void open_files (void) +@@ -359,7 +362,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -596,7 +596,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } } #endif /* SHADOWGRP */ -@@ -495,7 +498,7 @@ static void check_flags (void) +@@ -489,7 +492,7 @@ static void check_flags (void) fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name); @@ -604,8 +604,8 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c + fail_exit (E_NAME_IN_USE); } - if (gflg && (prefix_getgrgid (group_id) != NULL)) { -@@ -514,7 +517,7 @@ static void check_flags (void) + if (gflg && (getgrgid (group_id) != NULL)) { +@@ -508,7 +511,7 @@ static void check_flags (void) fprintf (stderr, _("%s: GID '%lu' already exists\n"), Prog, (unsigned long int) group_id); @@ -614,7 +614,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } } } -@@ -542,7 +545,7 @@ static void check_perms (void) +@@ -536,7 +539,7 @@ static void check_perms (void) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -623,7 +623,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); -@@ -562,7 +565,7 @@ static void check_perms (void) +@@ -556,7 +559,7 @@ static void check_perms (void) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -632,7 +632,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -595,7 +598,7 @@ int main (int argc, char **argv) +@@ -588,7 +591,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -641,7 +641,7 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } /* -@@ -617,7 +620,7 @@ int main (int argc, char **argv) +@@ -610,7 +613,7 @@ int main (int argc, char **argv) if (!gflg) { if (find_new_gid (rflg, &group_id, NULL) < 0) { @@ -650,10 +650,10 @@ diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c } } -diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c ---- shadow-4.6/src/groupdel.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/groupdel.c 2018-05-28 15:01:09.914717585 +0200 -@@ -105,6 +105,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c +--- shadow-4.2.1/src/groupdel.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupdel.c 2014-11-26 15:06:24.665660564 +0100 +@@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -669,7 +669,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c /* * grp_update - update group file entries * -@@ -131,7 +140,7 @@ static void grp_update (void) +@@ -126,7 +135,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -678,7 +678,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } #ifdef SHADOWGRP -@@ -143,7 +152,7 @@ static void grp_update (void) +@@ -138,7 +147,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -687,7 +687,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -162,12 +171,12 @@ static void close_files (void) +@@ -157,12 +166,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -702,7 +702,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -187,12 +196,12 @@ static void close_files (void) +@@ -182,12 +191,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -718,7 +718,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -206,13 +215,6 @@ static void close_files (void) +@@ -201,13 +210,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ @@ -732,7 +732,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -229,7 +231,7 @@ static void open_files (void) +@@ -224,7 +226,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -741,7 +741,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -238,7 +240,7 @@ static void open_files (void) +@@ -233,7 +235,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -750,7 +750,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -256,7 +258,7 @@ static void open_files (void) +@@ -251,7 +253,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -759,7 +759,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -265,7 +267,7 @@ static void open_files (void) +@@ -260,7 +262,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -768,7 +768,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -306,7 +308,7 @@ static void group_busy (gid_t gid) +@@ -301,7 +303,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -777,7 +777,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } /* -@@ -391,7 +393,7 @@ int main (int argc, char **argv) +@@ -379,7 +381,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -786,7 +786,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } process_flags (argc, argv); -@@ -405,7 +407,7 @@ int main (int argc, char **argv) +@@ -393,7 +395,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -795,7 +795,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -426,7 +428,7 @@ int main (int argc, char **argv) +@@ -414,7 +416,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -804,7 +804,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -446,7 +448,7 @@ int main (int argc, char **argv) +@@ -434,7 +436,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); @@ -813,7 +813,7 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } group_id = grp->gr_gid; -@@ -470,7 +472,7 @@ int main (int argc, char **argv) +@@ -458,7 +460,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -822,10 +822,10 @@ diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c } #endif -diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c ---- shadow-4.6/src/groupmod.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/groupmod.c 2018-05-28 15:01:09.915717607 +0200 -@@ -449,7 +449,7 @@ static void close_files (void) +diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c +--- shadow-4.2.1/src/groupmod.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupmod.c 2014-11-26 15:06:24.665660564 +0100 +@@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -834,7 +834,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -472,7 +472,7 @@ static void close_files (void) +@@ -461,7 +461,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -843,7 +843,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -495,7 +495,7 @@ static void close_files (void) +@@ -484,7 +484,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -852,7 +852,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -510,8 +510,8 @@ static void close_files (void) +@@ -499,8 +499,8 @@ static void close_files (void) } #ifdef WITH_AUDIT @@ -863,7 +863,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -523,6 +523,8 @@ static void close_files (void) +@@ -512,6 +512,8 @@ static void close_files (void) */ static void prepare_failure_reports (void) { @@ -872,7 +872,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c info_group.name = group_name; #ifdef SHADOWGRP info_gshadow.name = group_name; -@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi +@@ -524,76 +526,106 @@ static void prepare_failure_reports (voi #endif info_passwd.audit_msg = xmalloc (512); @@ -1006,7 +1006,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c "%lu", (unsigned long int) group_newid); } info_group.audit_msg[511] = '\0'; -@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi +@@ -601,6 +633,11 @@ static void prepare_failure_reports (voi info_gshadow.audit_msg[511] = '\0'; #endif info_passwd.audit_msg[511] = '\0'; @@ -1018,9 +1018,9 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c ---- shadow-4.6/src/chage.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/chage.c 2018-05-28 15:01:09.915717607 +0200 +diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c +--- shadow-4.2.1/src/chage.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chage.c 2014-11-26 15:06:24.663660558 +0100 @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1108,9 +1108,9 @@ diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c ---- shadow-4.6/src/newgrp.c.audit-update 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/src/newgrp.c 2018-05-28 15:01:09.915717607 +0200 +diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c +--- shadow-4.2.1/src/newgrp.c.audit-update 2014-11-26 15:06:24.660660548 +0100 ++++ shadow-4.2.1/src/newgrp.c 2014-11-26 15:06:24.666660567 +0100 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1161,7 +1161,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c exit (EXIT_FAILURE); } -@@ -320,15 +309,27 @@ static void syslog_sg (const char *name, +@@ -317,15 +306,27 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { @@ -1193,7 +1193,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -457,7 +458,7 @@ int main (int argc, char **argv) +@@ -451,7 +452,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1202,7 +1202,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -573,15 +574,26 @@ int main (int argc, char **argv) +@@ -567,15 +568,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1233,7 +1233,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -738,10 +750,10 @@ int main (int argc, char **argv) +@@ -716,10 +728,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1246,7 +1246,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -750,10 +762,10 @@ int main (int argc, char **argv) +@@ -728,10 +740,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1259,7 +1259,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -767,10 +779,10 @@ int main (int argc, char **argv) +@@ -745,10 +757,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1272,7 +1272,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -834,11 +846,11 @@ int main (int argc, char **argv) +@@ -812,11 +824,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1286,7 +1286,7 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -862,15 +874,24 @@ int main (int argc, char **argv) +@@ -840,15 +852,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1315,19 +1315,19 @@ diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.audit-update 2018-05-28 15:01:09.903717352 +0200 -+++ shadow-4.6/src/useradd.c 2018-05-28 15:06:36.824662074 +0200 -@@ -229,6 +229,8 @@ static void create_mail (void); +diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c +--- shadow-4.2.1/src/useradd.c.audit-update 2014-11-26 15:06:24.648660511 +0100 ++++ shadow-4.2.1/src/useradd.c 2014-11-26 15:14:02.446087183 +0100 +@@ -222,6 +222,8 @@ static void create_mail (void); */ static void fail_exit (int code) { + int type; + if (home_added) { - if (rmdir (prefix_user_home) != 0) { + if (rmdir (user_home) != 0) { fprintf (stderr, -@@ -242,12 +244,6 @@ static void fail_exit (int code) +@@ -235,12 +237,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1340,7 +1340,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -255,12 +251,6 @@ static void fail_exit (int code) +@@ -248,12 +244,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1353,7 +1353,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -268,12 +258,6 @@ static void fail_exit (int code) +@@ -261,12 +251,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1366,7 +1366,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -282,12 +266,6 @@ static void fail_exit (int code) +@@ -275,12 +259,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1379,7 +1379,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -297,12 +275,6 @@ static void fail_exit (int code) +@@ -290,12 +268,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); @@ -1392,7 +1392,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c /* continue */ } } -@@ -310,20 +282,19 @@ static void fail_exit (int code) +@@ -303,20 +275,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1420,7 +1420,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -673,7 +644,7 @@ static int set_defaults (void) +@@ -623,7 +594,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1429,7 +1429,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -950,12 +921,6 @@ static void grp_update (void) +@@ -893,12 +864,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1442,7 +1442,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -969,18 +934,12 @@ static void grp_update (void) +@@ -912,18 +877,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1464,7 +1464,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1025,12 +984,6 @@ static void grp_update (void) +@@ -968,12 +927,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1477,7 +1477,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -1044,18 +997,13 @@ static void grp_update (void) +@@ -987,18 +940,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1500,7 +1500,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1407,7 +1355,7 @@ static void process_flags (int argc, cha +@@ -1341,7 +1289,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1509,7 +1509,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1522,7 +1470,7 @@ static void close_files (void) +@@ -1444,7 +1392,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1518,7 +1518,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1535,7 +1483,7 @@ static void close_files (void) +@@ -1457,7 +1405,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1527,7 +1527,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1547,7 +1495,7 @@ static void close_files (void) +@@ -1469,7 +1417,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1536,7 +1536,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1561,7 +1509,7 @@ static void close_files (void) +@@ -1483,7 +1431,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1545,7 +1545,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1577,7 +1525,7 @@ static void close_files (void) +@@ -1499,7 +1447,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1554,7 +1554,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1591,7 +1539,7 @@ static void close_files (void) +@@ -1513,7 +1461,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1563,7 +1563,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1783,7 +1731,7 @@ static void grp_add (void) +@@ -1705,7 +1653,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1572,7 +1572,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1799,7 +1747,7 @@ static void grp_add (void) +@@ -1721,7 +1669,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1581,7 +1581,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1809,7 +1757,7 @@ static void grp_add (void) +@@ -1731,7 +1679,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1590,7 +1590,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1970,12 +1918,6 @@ static void usr_update (void) +@@ -1846,12 +1794,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1603,7 +1603,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1997,7 +1939,7 @@ static void usr_update (void) +@@ -1873,7 +1815,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1612,10 +1612,10 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2032,12 +1974,6 @@ static void create_home (void) +@@ -1908,12 +1850,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), - Prog, prefix_user_home); + Prog, user_home); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", @@ -1624,8 +1624,8 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c -#endif fail_exit (E_HOMEDIR); } - (void) chown (prefix_user_home, user_id, user_gid); -@@ -2045,8 +1981,8 @@ static void create_home (void) + chown (user_home, user_id, user_gid); +@@ -1921,8 +1857,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1636,9 +1636,9 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2231,12 +2167,6 @@ int main (int argc, char **argv) +@@ -2098,12 +2034,6 @@ int main (int argc, char **argv) */ - if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ + if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, @@ -1649,7 +1649,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2252,12 +2182,6 @@ int main (int argc, char **argv) +@@ -2119,12 +2049,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1662,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2287,12 +2211,6 @@ int main (int argc, char **argv) +@@ -2154,12 +2078,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1675,7 +1675,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2365,9 +2283,10 @@ int main (int argc, char **argv) +@@ -2223,9 +2141,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1689,10 +1689,10 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c ---- shadow-4.6/src/userdel.c.audit-update 2018-05-28 15:01:09.909717479 +0200 -+++ shadow-4.6/src/userdel.c 2018-05-28 15:01:09.916717628 +0200 -@@ -219,9 +219,9 @@ static void update_groups (void) +diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c +--- shadow-4.2.1/src/userdel.c.audit-update 2014-11-26 15:06:24.655660533 +0100 ++++ shadow-4.2.1/src/userdel.c 2014-11-26 15:16:01.892459425 +0100 +@@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT @@ -1705,7 +1705,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -281,9 +281,9 @@ static void update_groups (void) +@@ -276,9 +276,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1718,7 +1718,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -360,9 +360,9 @@ static void remove_usergroup (void) +@@ -355,9 +355,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1731,7 +1731,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -378,9 +378,9 @@ static void remove_usergroup (void) +@@ -373,9 +373,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1744,7 +1744,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -542,7 +542,7 @@ static void fail_exit (int code) +@@ -537,7 +537,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1753,7 +1753,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -562,24 +562,12 @@ static void open_files (void) +@@ -557,24 +557,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); @@ -1766,7 +1766,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_CREAT | O_RDWR) == 0) { + if (pw_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); -#ifdef WITH_AUDIT @@ -1778,7 +1778,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -587,12 +575,6 @@ static void open_files (void) +@@ -582,12 +570,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1791,7 +1791,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -600,12 +582,6 @@ static void open_files (void) +@@ -595,12 +577,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -1804,7 +1804,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -613,23 +589,11 @@ static void open_files (void) +@@ -608,23 +584,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1817,7 +1817,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_CREAT | O_RDWR) == 0) { + if (gr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, @@ -1828,7 +1828,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -638,24 +602,12 @@ static void open_files (void) +@@ -633,24 +597,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -1841,7 +1841,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_GRP_UPDATE); } sgr_locked= true; - if (sgr_open (O_CREAT | O_RDWR) == 0) { + if (sgr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); -#ifdef WITH_AUDIT @@ -1853,7 +1853,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -666,24 +618,12 @@ static void open_files (void) +@@ -661,24 +613,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); @@ -1866,7 +1866,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_CREAT | O_RDWR) == 0) { + if (sub_uid_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); -#ifdef WITH_AUDIT @@ -1878,7 +1878,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } } -@@ -692,24 +632,12 @@ static void open_files (void) +@@ -687,24 +627,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); @@ -1891,7 +1891,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_CREAT | O_RDWR) == 0) { + if (sub_gid_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); -#ifdef WITH_AUDIT @@ -1903,7 +1903,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } } -@@ -754,7 +682,7 @@ static void update_user (void) +@@ -749,7 +677,7 @@ static void update_user (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1912,7 +1912,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -862,7 +790,7 @@ static int remove_mailbox (void) +@@ -843,7 +771,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1921,7 +1921,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -879,7 +807,7 @@ static int remove_mailbox (void) +@@ -859,7 +787,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1930,7 +1930,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -889,8 +817,8 @@ static int remove_mailbox (void) +@@ -869,8 +797,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1941,7 +1941,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -908,7 +836,7 @@ static int remove_mailbox (void) +@@ -887,7 +815,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1950,7 +1950,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -925,7 +853,7 @@ static int remove_mailbox (void) +@@ -902,7 +830,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1959,7 +1959,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -935,8 +863,8 @@ static int remove_mailbox (void) +@@ -912,8 +840,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1970,7 +1970,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1149,7 +1077,7 @@ int main (int argc, char **argv) +@@ -1111,7 +1039,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1979,7 +1979,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1205,7 +1133,7 @@ int main (int argc, char **argv) +@@ -1155,7 +1083,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1988,7 +1988,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1282,8 +1210,8 @@ int main (int argc, char **argv) +@@ -1232,8 +1160,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -1999,7 +1999,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1292,7 +1220,7 @@ int main (int argc, char **argv) +@@ -1242,7 +1170,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, @@ -2008,7 +2008,7 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1305,8 +1233,8 @@ int main (int argc, char **argv) +@@ -1255,8 +1183,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2019,10 +2019,10 @@ diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c ---- shadow-4.6/src/usermod.c.audit-update 2018-05-28 15:01:09.912717543 +0200 -+++ shadow-4.6/src/usermod.c 2018-05-28 15:08:25.424969050 +0200 -@@ -453,8 +453,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.audit-update 2014-11-26 15:06:24.661660551 +0100 ++++ shadow-4.2.1/src/usermod.c 2014-11-26 15:17:38.580760741 +0100 +@@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2033,7 +2033,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -473,8 +473,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -467,8 +467,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2044,7 +2044,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -485,7 +485,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -479,7 +479,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2053,7 +2053,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -514,8 +514,8 @@ static void new_pwent (struct passwd *pw +@@ -508,8 +508,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -2064,7 +2064,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -535,8 +535,8 @@ static void new_pwent (struct passwd *pw +@@ -529,8 +529,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -2075,7 +2075,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -546,8 +546,8 @@ static void new_pwent (struct passwd *pw +@@ -540,8 +540,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -2086,7 +2086,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -557,8 +557,8 @@ static void new_pwent (struct passwd *pw +@@ -551,8 +551,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2097,7 +2097,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -566,8 +566,8 @@ static void new_pwent (struct passwd *pw +@@ -560,8 +560,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT @@ -2108,7 +2108,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -577,8 +577,8 @@ static void new_pwent (struct passwd *pw +@@ -571,8 +571,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT @@ -2119,7 +2119,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -608,8 +608,8 @@ static void new_spent (struct spwd *spen +@@ -602,8 +602,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2130,7 +2130,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -625,8 +625,8 @@ static void new_spent (struct spwd *spen +@@ -619,8 +619,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2141,7 +2141,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -709,9 +709,9 @@ static /*@noreturn@*/void fail_exit (int +@@ -703,9 +703,9 @@ static /*@noreturn@*/void fail_exit (int #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT @@ -2154,7 +2154,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif exit (code); } -@@ -765,9 +765,12 @@ static void update_group (void) +@@ -759,9 +759,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2170,7 +2170,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -781,9 +784,11 @@ static void update_group (void) +@@ -775,9 +778,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2185,7 +2185,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -796,9 +801,11 @@ static void update_group (void) +@@ -790,9 +795,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2200,7 +2200,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -873,9 +880,10 @@ static void update_gshadow (void) +@@ -867,9 +874,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2214,7 +2214,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -895,9 +903,10 @@ static void update_gshadow (void) +@@ -889,9 +897,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2228,7 +2228,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -911,9 +920,10 @@ static void update_gshadow (void) +@@ -905,9 +914,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2242,7 +2242,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -926,9 +936,10 @@ static void update_gshadow (void) +@@ -920,9 +930,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2256,7 +2256,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1789,8 +1800,8 @@ static void move_home (void) +@@ -1810,8 +1821,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2267,7 +2267,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1808,8 +1819,8 @@ static void move_home (void) +@@ -1829,8 +1840,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2278,8 +2278,8 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1828,9 +1839,9 @@ static void move_home (void) - Prog, prefix_user_home); +@@ -1849,9 +1860,9 @@ static void move_home (void) + Prog, user_home); } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, @@ -2290,7 +2290,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2045,8 +2056,8 @@ static void move_mailbox (void) +@@ -2055,8 +2066,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2301,7 +2301,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2072,8 +2083,8 @@ static void move_mailbox (void) +@@ -2074,8 +2085,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2312,7 +2312,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) +@@ -2217,8 +2228,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2323,7 +2323,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2280,8 +2291,8 @@ int main (int argc, char **argv) +@@ -2230,8 +2241,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2334,7 +2334,7 @@ diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2319,8 +2330,8 @@ int main (int argc, char **argv) +@@ -2269,8 +2280,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.2.1-date-parsing.patch b/shadow-4.2.1-date-parsing.patch index 2a798d0..91a85ac 100644 --- a/shadow-4.2.1-date-parsing.patch +++ b/shadow-4.2.1-date-parsing.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/libmisc/getdate.y -=================================================================== ---- shadow-4.5.orig/libmisc/getdate.y -+++ shadow-4.5/libmisc/getdate.y +diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y +--- shadow-4.2.1/libmisc/getdate.y.date-parsing 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/getdate.y 2014-11-26 14:58:21.208153924 +0100 @@ -152,6 +152,7 @@ static int yyHaveDay; static int yyHaveRel; static int yyHaveTime; diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.2.1-defs-chroot.patch new file mode 100644 index 0000000..827ad40 --- /dev/null +++ b/shadow-4.2.1-defs-chroot.patch @@ -0,0 +1,24 @@ +diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c +--- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100 ++++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200 +@@ -1938,8 +1938,8 @@ int main (int argc, char **argv) + #endif /* ACCT_TOOLS_SETUID */ + + /* Needed for userns check */ +- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ uid_t uid_min; ++ uid_t uid_max; + + /* + * Get my name so that I can use it to report errors. +@@ -1957,6 +1957,9 @@ int main (int argc, char **argv) + audit_help_open (); + #endif + ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ + sys_ngroups = sysconf (_SC_NGROUPS_MAX); + user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); + /* diff --git a/shadow-4.2.1-lastlog-unexpire.patch b/shadow-4.2.1-lastlog-unexpire.patch new file mode 100644 index 0000000..2596820 --- /dev/null +++ b/shadow-4.2.1-lastlog-unexpire.patch @@ -0,0 +1,249 @@ +diff -up shadow-4.2.1/man/lastlog.8.xml.unexpire shadow-4.2.1/man/lastlog.8.xml +--- shadow-4.2.1/man/lastlog.8.xml.unexpire 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/lastlog.8.xml 2016-02-03 11:50:20.481293785 +0100 +@@ -105,6 +105,17 @@ + + + ++ , ++ ++ ++ ++ Clear lastlog record of an user. This option can be used only together ++ with ()). ++ ++ ++ ++ ++ + , + + +@@ -123,6 +134,17 @@ + + + ++ ++ ++ , ++ ++ ++ ++ Set lastlog record of an user to the current time. This option can be ++ used only together with ()). ++ ++ ++ + + + ,  DAYS +diff -up shadow-4.2.1/src/lastlog.c.unexpire shadow-4.2.1/src/lastlog.c +--- shadow-4.2.1/src/lastlog.c.unexpire 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/lastlog.c 2016-02-03 11:35:26.971273603 +0100 +@@ -71,6 +71,8 @@ static struct stat statbuf; /* fstat buf + static bool uflg = false; /* print only an user of range of users */ + static bool tflg = false; /* print is restricted to most recent days */ + static bool bflg = false; /* print excludes most recent days */ ++static bool Cflg = false; /* clear record for user */ ++static bool Sflg = false; /* set record for user */ + + #define NOW (time ((time_t *) 0)) + +@@ -83,8 +85,10 @@ static /*@noreturn@*/void usage (int sta + "Options:\n"), + Prog); + (void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); ++ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); ++ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); + (void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); + (void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); + (void) fputs ("\n", usageout); +@@ -194,6 +198,80 @@ static void print (void) + } + } + ++static void update_one (/*@null@*/const struct passwd *pw) ++{ ++ off_t offset; ++ struct lastlog ll; ++ int err; ++ ++ if (NULL == pw) { ++ return; ++ } ++ ++ offset = (off_t) pw->pw_uid * sizeof (ll); ++ /* fseeko errors are not really relevant for us. */ ++ err = fseeko (lastlogfile, offset, SEEK_SET); ++ assert (0 == err); ++ ++ memzero (&ll, sizeof (ll)); ++ ++ if (Sflg) { ++ ll.ll_time = NOW; ++#ifdef HAVE_LL_HOST ++ strcpy (ll.ll_host, "localhost"); ++#endif ++ strcpy (ll.ll_line, "lastlog"); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ACCT_UNLOCK, Prog, ++ "clearing-lastlog", ++ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); ++#endif ++ } ++#ifdef WITH_AUDIT ++ else { ++ audit_logger (AUDIT_ACCT_UNLOCK, Prog, ++ "refreshing-lastlog", ++ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); ++ } ++#endif ++ ++ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { ++ fprintf (stderr, ++ _("%s: Failed to update the entry for UID %lu\n"), ++ Prog, (unsigned long int)pw->pw_uid); ++ exit (EXIT_FAILURE); ++ } ++} ++ ++static void update (void) ++{ ++ const struct passwd *pwent; ++ ++ if (!uflg) /* safety measure */ ++ return; ++ ++ if (has_umin && has_umax && (umin == umax)) { ++ update_one (getpwuid ((uid_t)umin)); ++ } else { ++ setpwent (); ++ while ( (pwent = getpwent ()) != NULL ) { ++ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) ++ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { ++ continue; ++ } ++ update_one (pwent); ++ } ++ endpwent (); ++ } ++ ++ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { ++ fprintf (stderr, ++ _("%s: Failed to update the lastlog file\n"), ++ Prog); ++ exit (EXIT_FAILURE); ++ } ++} ++ + int main (int argc, char **argv) + { + /* +@@ -208,18 +286,24 @@ int main (int argc, char **argv) + + process_root_flag ("-R", argc, argv); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + { + int c; + static struct option const longopts[] = { + {"before", required_argument, NULL, 'b'}, ++ {"clear", no_argument, NULL, 'C'}, + {"help", no_argument, NULL, 'h'}, + {"root", required_argument, NULL, 'R'}, ++ {"set", no_argument, NULL, 'S'}, + {"time", required_argument, NULL, 't'}, + {"user", required_argument, NULL, 'u'}, + {NULL, 0, NULL, '\0'} + }; + +- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, ++ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, + NULL)) != -1) { + switch (c) { + case 'b': +@@ -235,11 +319,21 @@ int main (int argc, char **argv) + bflg = true; + break; + } ++ case 'C': ++ { ++ Cflg = true; ++ break; ++ } + case 'h': + usage (EXIT_SUCCESS); + /*@notreached@*/break; + case 'R': /* no-op, handled in process_root_flag () */ + break; ++ case 'S': ++ { ++ Sflg = true; ++ break; ++ } + case 't': + { + unsigned long days; +@@ -294,9 +388,21 @@ int main (int argc, char **argv) + Prog, argv[optind]); + usage (EXIT_FAILURE); + } ++ if (Cflg && Sflg) { ++ fprintf (stderr, ++ _("%s: Option -C cannot be used together with option -S\n"), ++ Prog); ++ usage (EXIT_FAILURE); ++ } ++ if ((Cflg || Sflg) && !uflg) { ++ fprintf (stderr, ++ _("%s: Options -C and -S require option -u to specify the user\n"), ++ Prog); ++ usage (EXIT_FAILURE); ++ } + } + +- lastlogfile = fopen (LASTLOG_FILE, "r"); ++ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); + if (NULL == lastlogfile) { + perror (LASTLOG_FILE); + exit (EXIT_FAILURE); +@@ -310,7 +416,10 @@ int main (int argc, char **argv) + exit (EXIT_FAILURE); + } + +- print (); ++ if (Cflg || Sflg) ++ update (); ++ else ++ print (); + + (void) fclose (lastlogfile); + +diff -up shadow-4.2.1/src/Makefile.am.unexpire shadow-4.2.1/src/Makefile.am +--- shadow-4.2.1/src/Makefile.am.unexpire 2014-05-08 10:43:11.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-02-03 11:35:26.971273603 +0100 +@@ -95,6 +95,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) + grpck_LDADD = $(LDADD) $(LIBSELINUX) + grpconv_LDADD = $(LDADD) $(LIBSELINUX) + grpunconv_LDADD = $(LDADD) $(LIBSELINUX) ++lastlog_LDADD = $(LDADD) $(LIBAUDIT) + login_SOURCES = \ + login.c \ + login_nopam.c +diff -up shadow-4.2.1/src/Makefile.in.unexpire shadow-4.2.1/src/Makefile.in +--- shadow-4.2.1/src/Makefile.in.unexpire 2014-05-09 18:49:48.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-02-03 11:35:26.972273609 +0100 +@@ -197,7 +197,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) + $(top_builddir)/lib/libshadow.la + lastlog_SOURCES = lastlog.c + lastlog_OBJECTS = lastlog.$(OBJEXT) +-lastlog_LDADD = $(LDADD) ++lastlog_LDADD = $(LDADD) $(LIBAUDIT) + lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(top_builddir)/libmisc/libmisc.a \ + $(top_builddir)/lib/libshadow.la diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.2.1-manfix.patch similarity index 76% rename from shadow-4.3.1-manfix.patch rename to shadow-4.2.1-manfix.patch index cc62a86..04fcb4a 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/man/groupmems.8.xml -=================================================================== ---- shadow-4.5.orig/man/groupmems.8.xml -+++ shadow-4.5/man/groupmems.8.xml +diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml +--- shadow-4.2.1/man/groupmems.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/groupmems.8.xml 2015-11-06 14:21:03.013060324 +0100 @@ -179,20 +179,10 @@ SETUP @@ -26,10 +25,9 @@ Index: shadow-4.5/man/groupmems.8.xml -Index: shadow-4.5/man/chage.1.xml -=================================================================== ---- shadow-4.5.orig/man/chage.1.xml -+++ shadow-4.5/man/chage.1.xml +diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml +--- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -40,25 +38,10 @@ Index: shadow-4.5/man/chage.1.xml -@@ -119,6 +122,13 @@ - system again. - - -+ For example the following can be used to set an account to expire -+ in 180 days: -+ -+ -+ chage -E $(date -d +180days +%Y-%m-%d) -+ -+ - Passing the number -1 as the - EXPIRE_DATE will remove an account - expiration date. -Index: shadow-4.5/man/ja/man5/login.defs.5 -=================================================================== ---- shadow-4.5.orig/man/ja/man5/login.defs.5 -+++ shadow-4.5/man/ja/man5/login.defs.5 -@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ +diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/login.defs.5 +--- shadow-4.2.1/man/ja/man5/login.defs.5.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/ja/man5/login.defs.5 2016-01-08 09:58:29.591702354 +0100 +@@ -147,10 +147,6 @@ 以下の参照表は、 shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 .na @@ -69,10 +52,9 @@ Index: shadow-4.5/man/ja/man5/login.defs.5 .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -Index: shadow-4.5/man/login.defs.5.xml -=================================================================== ---- shadow-4.5.orig/man/login.defs.5.xml -+++ shadow-4.5/man/login.defs.5.xml +diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml +--- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 ++++ shadow-4.2.1/man/login.defs.5.xml 2016-01-08 09:59:35.854169787 +0100 @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -91,7 +73,7 @@ Index: shadow-4.5/man/login.defs.5.xml The following configuration items are provided: -@@ -252,16 +263,6 @@ +@@ -252,26 +263,6 @@ @@ -105,10 +87,20 @@ Index: shadow-4.5/man/login.defs.5.xml - - - - chgpasswd +- chgpasswd +- +- +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB +- SHA_CRYPT_MAX_ROUNDS +- SHA_CRYPT_MIN_ROUNDS +- +- +- +- + chpasswd -@@ -282,14 +283,6 @@ +@@ -282,14 +273,6 @@ @@ -123,7 +115,7 @@ Index: shadow-4.5/man/login.defs.5.xml -@@ -350,34 +343,6 @@ +@@ -350,34 +333,6 @@ @@ -158,7 +150,7 @@ Index: shadow-4.5/man/login.defs.5.xml newgrp / sg -@@ -405,17 +370,6 @@ +@@ -405,17 +360,6 @@ @@ -176,7 +168,7 @@ Index: shadow-4.5/man/login.defs.5.xml pwck -@@ -442,32 +396,6 @@ +@@ -442,32 +386,6 @@ @@ -209,10 +201,9 @@ Index: shadow-4.5/man/login.defs.5.xml useradd -Index: shadow-4.5/man/shadow.5.xml -=================================================================== ---- shadow-4.5.orig/man/shadow.5.xml -+++ shadow-4.5/man/shadow.5.xml +diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml +--- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 @@ -208,8 +208,8 @@ @@ -224,11 +215,10 @@ Index: shadow-4.5/man/shadow.5.xml An empty field means that there are no enforcement of an -Index: shadow-4.5/man/useradd.8.xml -=================================================================== ---- shadow-4.5.orig/man/useradd.8.xml -+++ shadow-4.5/man/useradd.8.xml -@@ -347,6 +347,11 @@ +diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml +--- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 ++++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 +@@ -347,11 +347,16 @@ is not enabled, no home directories are created. @@ -240,10 +230,15 @@ Index: shadow-4.5/man/useradd.8.xml -Index: shadow-4.5/man/usermod.8.xml -=================================================================== ---- shadow-4.5.orig/man/usermod.8.xml -+++ shadow-4.5/man/usermod.8.xml + +- ++ , + + + +diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml +--- shadow-4.2.1/man/usermod.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/usermod.8.xml 2014-11-26 15:34:51.257978963 +0100 @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch new file mode 100644 index 0000000..1adcabd --- /dev/null +++ b/shadow-4.2.1-merge-group.patch @@ -0,0 +1,13 @@ +diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c +--- shadow-4.2.1/lib/groupio.c.merge-group 2014-11-26 14:33:54.039581662 +0100 ++++ shadow-4.2.1/lib/groupio.c 2014-11-26 14:46:02.841852886 +0100 +@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry * + errno = ENOMEM; + return NULL; + } +- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); +- new_line[new_line_len] = '\0'; ++ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); + + /* Concatenate the 2 list of members */ + for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch index c6873e9..58fd605 100644 --- a/shadow-4.2.1-no-lock-dos.patch +++ b/shadow-4.2.1-no-lock-dos.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/lib/commonio.c -=================================================================== ---- shadow-4.5.orig/lib/commonio.c -+++ shadow-4.5/lib/commonio.c +diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c +--- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200 ++++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200 @@ -140,7 +140,10 @@ static int do_lock_file (const char *fil int retval; char buf[32]; diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch deleted file mode 100644 index b1dd1c4..0000000 --- a/shadow-4.2.1-null-tm.patch +++ /dev/null @@ -1,91 +0,0 @@ -Index: shadow-4.5/src/faillog.c -=================================================================== ---- shadow-4.5.orig/src/faillog.c -+++ shadow-4.5/src/faillog.c -@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s - } - - tm = localtime (&fl.fail_time); -+ if (tm == NULL) { -+ cp = "(unknown)"; -+ } else { - #ifdef HAVE_STRFTIME -- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); -- cp = ptime; -+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); -+ cp = ptime; - #endif -+ } - printf ("%-9s %5d %5d ", - pw->pw_name, fl.fail_cnt, fl.fail_max); - /* FIXME: cp is not defined ifndef HAVE_STRFTIME */ -Index: shadow-4.5/src/chage.c -=================================================================== ---- shadow-4.5.orig/src/chage.c -+++ shadow-4.5/src/chage.c -@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size - struct tm *tp; - - tp = gmtime (&date); -+ if (tp == NULL) { -+ (void) snprintf (buf, maxsize, "(unknown)"); -+ return; -+ } - #ifdef HAVE_STRFTIME - (void) strftime (buf, maxsize, "%Y-%m-%d", tp); - #else -Index: shadow-4.5/src/lastlog.c -=================================================================== ---- shadow-4.5.orig/src/lastlog.c -+++ shadow-4.5/src/lastlog.c -@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s - - ll_time = ll.ll_time; - tm = localtime (&ll_time); -+ if (tm == NULL) { -+ cp = "(unknown)"; -+ } else { - #ifdef HAVE_STRFTIME -- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); -- cp = ptime; -+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); -+ cp = ptime; - #else -- cp = asctime (tm); -- cp[24] = '\0'; -+ cp = asctime (tm); -+ cp[24] = '\0'; - #endif -+ } - - if (ll.ll_time == (time_t) 0) { - cp = _("**Never logged in**\0"); -Index: shadow-4.5/src/passwd.c -=================================================================== ---- shadow-4.5.orig/src/passwd.c -+++ shadow-4.5/src/passwd.c -@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to - struct tm *tm; - - tm = gmtime (&t); -+ if (tm == NULL) { -+ return "(unknown)"; -+ } - #ifdef HAVE_STRFTIME - (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); - #else /* !HAVE_STRFTIME */ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ - } else { - time_t t = (time_t) date; - tp = gmtime (&t); -+ if (tp == NULL) { -+ strncpy (buf, "unknown", maxsize); -+ return; -+ } - #ifdef HAVE_STRFTIME - strftime (buf, maxsize, "%Y-%m-%d", tp); - #else diff --git a/shadow-4.2.1-user-busy.patch b/shadow-4.2.1-user-busy.patch new file mode 100644 index 0000000..ee7e41a --- /dev/null +++ b/shadow-4.2.1-user-busy.patch @@ -0,0 +1,48 @@ +From d2fa8c5d4b0b19445562daf78d3a62421fe8d6b8 Mon Sep 17 00:00:00 2001 +From: Bastian Blank +Date: Tue, 17 Nov 2015 10:52:24 -0600 +Subject: [PATCH] Fix user busy errors at userdel + +From: Bastian Blank +Acked-by: Serge Hallyn +--- + libmisc/user_busy.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c +index db7174a..0db32c3 100644 +--- a/libmisc/user_busy.c ++++ b/libmisc/user_busy.c +@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) + if (stat ("/", &sbroot) != 0) { + perror ("stat (\"/\")"); + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + return 0; + } + +@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) + + if (check_status (name, tmp_d_name, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); +@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) + } + if (check_status (name, task_path+6, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); +-- +2.5.0 + diff --git a/shadow-4.5-usermod-unlock.patch b/shadow-4.2.1-usermod-unlock.patch similarity index 86% rename from shadow-4.5-usermod-unlock.patch rename to shadow-4.2.1-usermod-unlock.patch index e2d70b5..19feecb 100644 --- a/shadow-4.5-usermod-unlock.patch +++ b/shadow-4.2.1-usermod-unlock.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c +diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.unlock 2016-02-03 11:54:14.977664838 +0100 ++++ shadow-4.2.1/src/usermod.c 2016-02-09 11:52:08.244957222 +0100 @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; @@ -61,4 +60,4 @@ Index: shadow-4.5/src/usermod.c + fail_exit(E_PW_UPDATE); if (pflg) { - spent->sp_lstchg = (long) gettime () / SCALE; + spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; diff --git a/shadow-4.3.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch deleted file mode 100644 index 8550150..0000000 --- a/shadow-4.3.1-selinux-perms.patch +++ /dev/null @@ -1,277 +0,0 @@ -Index: shadow-4.5/src/chgpasswd.c -=================================================================== ---- shadow-4.5.orig/src/chgpasswd.c -+++ shadow-4.5/src/chgpasswd.c -@@ -39,6 +39,13 @@ - #include - #include - #include -+#ifdef WITH_SELINUX -+#include -+#include -+#endif -+#ifdef WITH_LIBAUDIT -+#include -+#endif - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - #include "pam_defs.h" -@@ -76,6 +83,9 @@ static bool sgr_locked = false; - #endif - static bool gr_locked = false; - -+/* The name of the caller */ -+static char *myname = NULL; -+ - /* local function prototypes */ - static void fail_exit (int code); - static /*@noreturn@*/void usage (int status); -@@ -300,6 +310,63 @@ static void check_perms (void) - #endif /* ACCT_TOOLS_SETUID */ - } - -+#ifdef WITH_SELINUX -+static int -+log_callback (int type, const char *fmt, ...) -+{ -+ int audit_fd; -+ va_list ap; -+ -+ va_start(ap, fmt); -+#ifdef WITH_AUDIT -+ audit_fd = audit_open(); -+ -+ if (audit_fd >= 0) { -+ char *buf; -+ -+ if (vasprintf (&buf, fmt, ap) < 0) -+ goto ret; -+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, -+ NULL, 0); -+ audit_close(audit_fd); -+ free(buf); -+ goto ret; -+ } -+ -+#endif -+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); -+ret: -+ va_end(ap); -+ return 0; -+} -+ -+static void -+selinux_check_root (void) -+{ -+ int status = -1; -+ security_context_t user_context; -+ union selinux_callback old_callback; -+ -+ if (is_selinux_enabled() < 1) -+ return; -+ -+ old_callback = selinux_get_callback(SELINUX_CB_LOG); -+ /* setup callbacks */ -+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); -+ if ((status = getprevcon(&user_context)) < 0) { -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ exit(1); -+ } -+ -+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); -+ -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ freecon(user_context); -+ if (status != 0 && security_getenforce() != 0) -+ exit(1); -+} -+#endif -+ - /* - * open_files - lock and open the group databases - */ -@@ -393,6 +460,7 @@ int main (int argc, char **argv) - - const struct group *gr; - struct group newgr; -+ struct passwd *pw = NULL; - int errors = 0; - int line = 0; - -@@ -408,8 +476,33 @@ int main (int argc, char **argv) - - OPENLOG ("chgpasswd"); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ -+ /* -+ * Determine the name of the user that invoked this command. This -+ * is really hit or miss because there are so many ways that command -+ * can be executed and so many ways to trip up the routines that -+ * report the user name. -+ */ -+ pw = get_my_pwent (); -+ if (NULL == pw) { -+ fprintf (stderr, _("%s: Cannot determine your user name.\n"), -+ Prog); -+ SYSLOG ((LOG_WARN, -+ "Cannot determine the user name of the caller (UID %lu)", -+ (unsigned long) getuid ())); -+ exit (E_NOPERM); -+ } -+ myname = xstrdup (pw->pw_name); -+ - check_perms (); - -+#ifdef WITH_SELINUX -+ selinux_check_root (); -+#endif -+ - #ifdef SHADOWGRP - is_shadow_grp = sgr_file_present (); - #endif -@@ -536,6 +629,15 @@ int main (int argc, char **argv) - newgr.gr_passwd = cp; - } - -+#ifdef WITH_AUDIT -+ { -+ -+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, -+ "change-password", -+ myname, AUDIT_NO_ID, gr->gr_name, -+ SHADOW_AUDIT_SUCCESS); -+ } -+#endif - /* - * The updated group file entry is then put back and will - * be written to the group file later, after all the -Index: shadow-4.5/src/chpasswd.c -=================================================================== ---- shadow-4.5.orig/src/chpasswd.c -+++ shadow-4.5/src/chpasswd.c -@@ -39,6 +39,13 @@ - #include - #include - #include -+#ifdef WITH_SELINUX -+#include -+#include -+#endif -+#ifdef WITH_LIBAUDIT -+#include -+#endif - #ifdef USE_PAM - #include "pam_defs.h" - #endif /* USE_PAM */ -@@ -297,6 +304,63 @@ static void check_perms (void) - #endif /* USE_PAM */ - } - -+#ifdef WITH_SELINUX -+static int -+log_callback (int type, const char *fmt, ...) -+{ -+ int audit_fd; -+ va_list ap; -+ -+ va_start(ap, fmt); -+#ifdef WITH_AUDIT -+ audit_fd = audit_open(); -+ -+ if (audit_fd >= 0) { -+ char *buf; -+ -+ if (vasprintf (&buf, fmt, ap) < 0) -+ goto ret; -+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, -+ NULL, 0); -+ audit_close(audit_fd); -+ free(buf); -+ goto ret; -+ } -+ -+#endif -+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); -+ret: -+ va_end(ap); -+ return 0; -+} -+ -+static void -+selinux_check_root (void) -+{ -+ int status = -1; -+ security_context_t user_context; -+ union selinux_callback old_callback; -+ -+ if (is_selinux_enabled() < 1) -+ return; -+ -+ old_callback = selinux_get_callback(SELINUX_CB_LOG); -+ /* setup callbacks */ -+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); -+ if ((status = getprevcon(&user_context)) < 0) { -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ exit(1); -+ } -+ -+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); -+ -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ freecon(user_context); -+ if (status != 0 && security_getenforce() != 0) -+ exit(1); -+} -+#endif -+ - /* - * open_files - lock and open the password databases - */ -@@ -405,8 +469,16 @@ int main (int argc, char **argv) - - OPENLOG ("chpasswd"); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ - check_perms (); - -+#ifdef WITH_SELINUX -+ selinux_check_root (); -+#endif -+ - #ifdef USE_PAM - if (!use_pam) - #endif /* USE_PAM */ -@@ -566,6 +638,11 @@ int main (int argc, char **argv) - newpw.pw_passwd = cp; - } - -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "updating-password", -+ pw->pw_name, (unsigned int) pw->pw_uid, 1); -+#endif - /* - * The updated password file entry is then put back and will - * be written to the password file later, after all the -Index: shadow-4.5/src/Makefile.am -=================================================================== ---- shadow-4.5.orig/src/Makefile.am -+++ shadow-4.5/src/Makefile.am -@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) - newuidmap_LDADD = $(LDADD) $(LIBSELINUX) - newgidmap_LDADD = $(LDADD) $(LIBSELINUX) - chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) --chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) -+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) - chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) --chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) -+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) - groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) - groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff --git a/shadow-4.5-crypt_h.patch b/shadow-4.5-crypt_h.patch deleted file mode 100644 index c8d19e4..0000000 --- a/shadow-4.5-crypt_h.patch +++ /dev/null @@ -1,41 +0,0 @@ -Index: shadow-4.5/configure.ac -=================================================================== ---- shadow-4.5.orig/configure.ac -+++ shadow-4.5/configure.ac -@@ -32,9 +32,9 @@ AC_HEADER_STDC - AC_HEADER_SYS_WAIT - AC_HEADER_STDBOOL - --AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \ -- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \ -- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ -+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \ -+ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \ -+ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ - locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \ - attr/error_context.h) - -Index: shadow-4.5/lib/defines.h -=================================================================== ---- shadow-4.5.orig/lib/defines.h -+++ shadow-4.5/lib/defines.h -@@ -4,6 +4,8 @@ - #ifndef _DEFINES_H_ - #define _DEFINES_H_ - -+#include "config.h" -+ - #if HAVE_STDBOOL_H - # include - #else -@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok () - # include - #endif - -+#if HAVE_CRYPT_H -+# include /* crypt(3) may be defined in here */ -+#endif -+ - #if TIME_WITH_SYS_TIME - # include - # include diff --git a/shadow-4.5-long-entry.patch b/shadow-4.5-long-entry.patch deleted file mode 100644 index 8670e75..0000000 --- a/shadow-4.5-long-entry.patch +++ /dev/null @@ -1,84 +0,0 @@ -diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h ---- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200 -@@ -382,4 +382,7 @@ extern char *strerror (); - # endif - #endif - -+/* Maximum length of passwd entry */ -+#define PASSWD_ENTRY_MAX_LENGTH 32768 -+ - #endif /* _DEFINES_H_ */ -diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c ---- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100 -+++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200 -@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, - || (pw->pw_gid == (gid_t)-1) - || (valid_field (pw->pw_gecos, ":\n") == -1) - || (valid_field (pw->pw_dir, ":\n") == -1) -- || (valid_field (pw->pw_shell, ":\n") == -1)) { -+ || (valid_field (pw->pw_shell, ":\n") == -1) -+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) + -+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) + -+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) { - return -1; - } - -diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c ---- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200 -@@ -57,7 +57,7 @@ - struct passwd *sgetpwent (const char *buf) - { - static struct passwd pwent; -- static char pwdbuf[1024]; -+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH]; - register int i; - register char *cp; - char *fields[NFIELDS]; -@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu - * the password structure remain valid. - */ - -- if (strlen (buf) >= sizeof pwdbuf) -+ if (strlen (buf) >= sizeof pwdbuf) { -+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n"); - return 0; /* fail if too long */ -+ } - strcpy (pwdbuf, buf); - - /* -diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c ---- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200 -@@ -48,7 +48,7 @@ - */ - struct spwd *sgetspent (const char *string) - { -- static char spwbuf[1024]; -+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH]; - static struct spwd spwd; - char *fields[FIELDS]; - char *cp; -@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri - */ - - if (strlen (string) >= sizeof spwbuf) { -+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n"); - return 0; /* fail if too long */ - } - strcpy (spwbuf, string); -diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c ---- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100 -+++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200 -@@ -79,7 +79,9 @@ static int shadow_put (const void *ent, - - if ( (NULL == sp) - || (valid_field (sp->sp_namp, ":\n") == -1) -- || (valid_field (sp->sp_pwdp, ":\n") == -1)) { -+ || (valid_field (sp->sp_pwdp, ":\n") == -1) -+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) + -+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) { - return -1; - } - diff --git a/shadow-4.6-getenforce.patch b/shadow-4.6-getenforce.patch deleted file mode 100644 index 8a55bf5..0000000 --- a/shadow-4.6-getenforce.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c ---- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200 -+++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200 -@@ -75,7 +75,7 @@ int set_selinux_file_context (const char - } - return 0; - error: -- if (security_getenforce () != 0) { -+ if (security_getenforce () > 0) { - return 1; - } - return 0; -@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) - selinux_checked = true; - } - if (selinux_enabled) { -- if (setfscreatecon (NULL) != 0) { -+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { - return 1; - } - } diff --git a/shadow-4.6-move-home.patch b/shadow-4.6-move-home.patch deleted file mode 100644 index cff9561..0000000 --- a/shadow-4.6-move-home.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c ---- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200 -+++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200 -@@ -1845,6 +1845,11 @@ static void move_home (void) - Prog, prefix_user_home, prefix_user_newhome); - fail_exit (E_HOMEDIR); - } -+ } else { -+ fprintf (stderr, -+ _("%s: The previous home directory (%s) does " -+ "not exist or is inaccessible. Move cannot be completed.\n"), -+ Prog, prefix_user_home); - } - } - diff --git a/shadow-4.6-selinux.patch b/shadow-4.6-selinux.patch deleted file mode 100644 index dfd5140..0000000 --- a/shadow-4.6-selinux.patch +++ /dev/null @@ -1,115 +0,0 @@ -diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c ---- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200 -@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, - - ret = 0; - -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_seuser_key_free (key); - semanage_handle_destroy (handle); -@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) - } - - ret = 0; -+ -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_handle_destroy (handle); - return ret; -diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c ---- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200 -+++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200 -@@ -2120,6 +2120,7 @@ static void create_mail (void) - */ - int main (int argc, char **argv) - { -+ int rv = E_SUCCESS; - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -2342,27 +2343,11 @@ int main (int argc, char **argv) - - usr_update (); - -- if (mflg) { -- create_home (); -- if (home_added) { -- copy_tree (def_template, prefix_user_home, false, false, -- (uid_t)-1, user_id, (gid_t)-1, user_gid); -- } else { -- fprintf (stderr, -- _("%s: warning: the home directory already exists.\n" -- "Not copying any file from skel directory into it.\n"), -- Prog); -- } -- -- } -- -- /* Do not create mail directory for system accounts */ -- if (!rflg) { -- create_mail (); -- } -- - close_files (); - -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ - /* - * tallylog_reset needs to be able to lookup - * a valid existing user name, -@@ -2373,8 +2358,9 @@ int main (int argc, char **argv) - } - - #ifdef WITH_SELINUX -- if (Zflg) { -- if (set_seuser (user_name, user_selinux) != 0) { -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ if (set_seuser (user_name, user_selinux) != 0) { - fprintf (stderr, - _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), - Prog, user_name, user_selinux); -@@ -2383,14 +2369,31 @@ int main (int argc, char **argv) - "adding SELinux user mapping", - user_name, (unsigned int) user_id, 0); - #endif /* WITH_AUDIT */ -- fail_exit (E_SE_UPDATE); -+ rv = E_SE_UPDATE; -+ } - } - } --#endif /* WITH_SELINUX */ -+#endif - -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -+ if (mflg) { -+ create_home (); -+ if (home_added) { -+ copy_tree (def_template, prefix_user_home, false, true, -+ (uid_t)-1, user_id, (gid_t)-1, user_gid); -+ } else { -+ fprintf (stderr, -+ _("%s: warning: the home directory already exists.\n" -+ "Not copying any file from skel directory into it.\n"), -+ Prog); -+ } -+ -+ } -+ -+ /* Do not create mail directory for system accounts */ -+ if (!rflg) { -+ create_mail (); -+ } - -- return E_SUCCESS; -+ return rv; - } - diff --git a/shadow-4.6-usermod-crash.patch b/shadow-4.6-usermod-crash.patch deleted file mode 100644 index d2861b3..0000000 --- a/shadow-4.6-usermod-crash.patch +++ /dev/null @@ -1,42 +0,0 @@ -diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c ---- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200 -@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi - { - long long int gid; - char *endptr; -+ struct group *g; - - if (NULL == grname) { - return NULL; -@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi - && (gid == (gid_t)gid)) { - return prefix_getgrgid ((gid_t) gid); - } -- return prefix_getgrnam (grname); -+ g = prefix_getgrnam (grname); -+ return g ? __gr_dup(g) : NULL; - } - else - return getgr_nam_gid(grname); -diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c ---- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200 -+++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200 -@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha - prefix_user_home = xmalloc(len); - wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home); - assert (wlen == (int) len -1); -+ if (user_newhome) { -+ len = strlen(prefix) + strlen(user_newhome) + 2; -+ prefix_user_newhome = xmalloc(len); -+ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); -+ assert (wlen == (int) len -1); -+ } - -- len = strlen(prefix) + strlen(user_newhome) + 2; -- prefix_user_newhome = xmalloc(len); -- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); -- assert (wlen == (int) len -1); - } - else { - prefix_user_home = user_home; diff --git a/shadow-utils.spec b/shadow-utils.spec index 40be79a..b47ae15 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,55 +1,54 @@ -# they warn against doing this ... -%define _disable_source_fetch 0 -%define srcname shadow-utils - Summary: Utilities for managing accounts and shadow password files -Name: %{srcname}46 -Version: 4.6 -Release: 2%{?dist} +Name: shadow-utils +Version: 4.2.1 +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz -Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc +Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz +Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig +Source1: shadow-utils.login.defs Source2: shadow-utils.useradd -Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -Patch0: shadow-4.6-redhat.patch -Patch1: shadow-4.5-goodname.patch +Patch0: shadow-4.1.5-redhat.patch +Patch1: shadow-4.1.5.1-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch6: shadow-4.6-selinux.patch -Patch10: shadow-4.6-orig-context.patch +Patch3: shadow-4.1.5-uflg.patch +Patch6: shadow-4.1.5.1-selinux.patch +Patch7: shadow-4.1.5-2ndskip.patch +Patch8: shadow-4.1.5.1-backup-mode.patch +Patch9: shadow-4.2.1-merge-group.patch +Patch10: shadow-4.1.5.1-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch +Patch12: shadow-4.1.5.1-errmsg.patch +Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.3.1-manfix.patch +Patch15: shadow-4.2.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch +Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch -Patch21: shadow-4.6-move-home.patch -Patch22: shadow-4.6-audit-update.patch -Patch23: shadow-4.5-usermod-unlock.patch +Patch20: shadow-4.1.5.1-ingroup.patch +Patch21: shadow-4.1.5.1-move-home.patch +Patch22: shadow-4.2.1-audit-update.patch +Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch28: shadow-4.3.1-selinux-perms.patch -Patch29: shadow-4.2.1-null-tm.patch -Patch31: shadow-4.6-getenforce.patch -Patch32: shadow-4.5-crypt_h.patch -Patch33: shadow-4.5-long-entry.patch -Patch34: shadow-4.6-usermod-crash.patch +Patch25: shadow-4.2.1-defs-chroot.patch +Patch26: shadow-4.2.1-lastlog-unexpire.patch +Patch27: shadow-4.2.1-user-busy.patch License: BSD and GPLv2+ Group: System Environment/Base -BuildRequires: gcc BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel -BuildRequires: libacl-devel, libattr-devel -BuildRequires: bison, flex, gnome-doc-utils, docbook-style-xsl, docbook-dtds -BuildRequires: autoconf, automake, libtool, gettext-devel +BuildRequires: libacl-devel libattr-devel +BuildRequires: bison flex gnome-doc-utils +#BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 Requires: setup Requires(pre): coreutils Requires(post): coreutils -Requires: %{name}-newxidmap = %{version}-%{release} Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -64,40 +63,50 @@ for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts. -%package newxidmap -Summary: only the newuidmapp and newgidmap from shadow-utils -%description newxidmap -%{summary}. - %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir +%patch3 -p1 -b .uflg %patch6 -p1 -b .selinux +%patch7 -p1 -b .2ndskip +%patch8 -p1 -b .backup-mode +%patch9 -p1 -b .merge-group %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg +%patch12 -p1 -b .errmsg +%patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel +%patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing +%patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos -%patch28 -p1 -b .selinux-perms -%patch29 -p1 -b .null-tm -%patch31 -p1 -b .getenforce -%patch32 -p1 -b .crypt_h -%patch33 -p1 -b .long-entry -%patch34 -p1 -b .usermod-crash +%patch25 -p1 -b .defs-chroot +%patch26 -p1 -b .unexpire +%patch27 -p1 -b .user-busy iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . +rm libmisc/getdate.c + +#rm po/*.gmo +#rm po/stamp-po +#aclocal +#libtoolize --force +#automake -a +#autoconf + %build + %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -107,11 +116,6 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif -rm aclocal.m4 -aclocal -libtoolize --force - -autoreconf %configure \ --enable-shadowgrp \ --enable-man \ @@ -122,17 +126,18 @@ autoreconf --without-libpam \ --disable-shared \ --with-group-name-max-length=32 -%make_build +make %install rm -rf $RPM_BUILD_ROOT -%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs +make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default -install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs +install -p -c -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser +#ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 @@ -151,6 +156,7 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd rm $RPM_BUILD_ROOT/%{_sbindir}/nologin +rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.* @@ -179,6 +185,8 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* +rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* +rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.* @@ -196,7 +204,11 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do echo "%%lang($lang) $dir/man*/*" >> shadow.lang done +%clean +rm -rf $RPM_BUILD_ROOT + %files -f shadow.lang +%defattr(-,root,root) %doc NEWS doc/HOWTO README %{!?_licensedir:%global license %%doc} %license gpl-2.0.txt shadow-bsd.txt @@ -207,6 +219,8 @@ done %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp +%attr(4755,root,root) %{_bindir}/newgidmap +%attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/group* @@ -214,7 +228,6 @@ done %{_sbindir}/pwck %{_sbindir}/*conv %{_sbindir}/chpasswd -%{_sbindir}/chgpasswd %{_sbindir}/newusers %{_sbindir}/vipw %{_sbindir}/vigr @@ -222,6 +235,8 @@ done %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* %{_mandir}/man3/shadow.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* @@ -234,80 +249,13 @@ done %{_mandir}/man8/pwck.8* %{_mandir}/man8/grpck.8* %{_mandir}/man8/chpasswd.8* -%{_mandir}/man8/chgpasswd.8* %{_mandir}/man8/newusers.8* %{_mandir}/man8/*conv.8* %{_mandir}/man8/lastlog.8* %{_mandir}/man8/vipw.8* %{_mandir}/man8/vigr.8* -%files newxidmap -%attr(4755,root,root) %{_bindir}/newgidmap -%attr(4755,root,root) %{_bindir}/newuidmap -%{_mandir}/man1/newgidmap.1* -%{_mandir}/man1/newuidmap.1* - %changelog -* Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Mon May 28 2018 Tomáš Mráz - 2:4.6-1 -- update to current upstream release 4.6 - -* Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 -- Raise limit for passwd and shadow entry length but also prevent - writing longer entries (#1422497) - -* Tue Feb 06 2018 Björn Esser - 2:4.5-9 -- Add patch to include crypt.h, if present -- Use %%make_{build,install} macros -- Refresh other patches for proper alignment - -* Sat Jan 20 2018 Björn Esser - 2:4.5-8 -- Rebuilt for switch to libxcrypt - -* Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 -- fix regression caused by the userdel-chroot patch (#1509978) - -* Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 -- fix userdel in chroot (#1316168) -- add useful chage -E example to chage manpage - -* Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 -- do not allow "." and ".." user names - -* Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 -- allow switching to secondary group without checking the membership - explicitly (patch from upstream) - -* Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 -- update to current upstream release 4.5 - -* Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2 -- fix regression in useradd - not processing defaults properly (#1369979) - -* Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1 -- new upstream release fixing low impact security issue - -* Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 -- guard for localtime() and gmtime() failure - -* Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 -- chpasswd, chgpasswd: open audit when starting - -* Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 -- chgpasswd: do not remove it -- chpasswd, chgpasswd: add selinux_check_access call (#1336902) - * Thu Mar 17 2016 Tomáš Mráz - 2:4.2.1-8 - userdel: fix userdel -f with /etc/subuid present (#1316168) diff --git a/sources b/sources new file mode 100644 index 0000000..9a96021 --- /dev/null +++ b/sources @@ -0,0 +1,2 @@ +2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz +6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig diff --git a/sources.bak b/sources.bak deleted file mode 100644 index 2093465..0000000 --- a/sources.bak +++ /dev/null @@ -1,2 +0,0 @@ -SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631 -SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed diff --git a/tests/sanity/Makefile b/tests/sanity/Makefile deleted file mode 100644 index 386221b..0000000 --- a/tests/sanity/Makefile +++ /dev/null @@ -1,77 +0,0 @@ -# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material -# is made available to anyone wishing to use, modify, copy, or -# redistribute it subject to the terms and conditions of the GNU General -# Public License v.2. -# -# This program is distributed in the hope that it will be useful, but WITHOUT ANY -# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# Author: Jakub Hrozek - -#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# -# Example Makefile for RHTS # -# This example is geared towards a test for a specific package # -# It does most of the work for you, but may require further coding # -#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# - -# The toplevel namespace within which the test lives. -TOPLEVEL_NAMESPACE=CoreOS - -# The name of the package under test: -PACKAGE_NAME=shadow-utils - -# The path of the test below the package: -RELATIVE_PATH=sanity - -# Version of the Test. Used with make tag. -export TESTVERSION=1.1 - -# The combined namespace of the test. -export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH) - -# A phony target is one that is not really the name of a file. -# It is just a name for some commands to be executed when you -# make an explicit request. There are two reasons to use a -# phony target: to avoid a conflict with a file of the same -# name, and to improve performance. -.PHONY: all install download clean - -# Executables to be built should be added here, they will be generated on the system under test. -BUILT_FILES= - -# Data files, .c files, scripts anything needed to either compile the test and/or run it. -FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - chmod a+x ./sanity_test.py - chmod a+x ./runtest.sh - -clean: - rm -f *~ *.rpm $(BUILT_FILES) - -# Include Common Makefile -include /usr/share/rhts/lib/rhts-make.include - -# Generate the testinfo.desc here: -$(METADATA): Makefile - @touch $(METADATA) - @echo "Owner: Jakub Hrozek " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "License: GNU GPL" >> $(METADATA) - @echo "Description: Basic sanity test for shadow-utils" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA) - @echo "Requires: $(PACKAGE_NAME)" >> $(METADATA) - @echo "Requires: python" >> $(METADATA) - rhts-lint $(METADATA) - diff --git a/tests/sanity/PURPOSE b/tests/sanity/PURPOSE deleted file mode 100644 index 27062e1..0000000 --- a/tests/sanity/PURPOSE +++ /dev/null @@ -1,10 +0,0 @@ -This is a basic sanity test for the shadow-utils package. It is implemented -in python on top of the unittesting.py module. - -Its purpose is to ensure that the binaries in the shadow-utils package behave -as expected and its switches/options work correctly. - -For the most part, every binary in the shadow-utils package is represented by -a single class named Test, i.e. TestUsermod etc. There are some -exceptions, like TestUseraddWeirdNameTest though. - diff --git a/tests/sanity/runtest.sh b/tests/sanity/runtest.sh deleted file mode 100755 index cb2a2b5..0000000 --- a/tests/sanity/runtest.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash -. /usr/bin/rhts-environment.sh -. /usr/share/beakerlib/beakerlib.sh || exit 1 - -rlJournalStart -rlFileBackup --clean /etc/default/useradd- /etc/default/useradd -setenforce 0 -python sanity_test.py -v -setenforce 1 -rlFileRestore - -EXIT=$? -if [[ $EXIT -eq 0 ]]; then - RESULT="PASS" -else - RESULT="FAIL" -fi - - -rlJournalEnd - -echo "Result: $RESULT" -echo "Exit: $EXIT" -report_result $TEST $RESULT $EXIT diff --git a/tests/sanity/sanity_test.py b/tests/sanity/sanity_test.py deleted file mode 100755 index e9c45c2..0000000 --- a/tests/sanity/sanity_test.py +++ /dev/null @@ -1,1013 +0,0 @@ -#!/usr/bin/env python -""" -A script that tests functionality of the shadow-utils package. - -Author: Jakub Hrozek, -License: GNU GPL v2 -Date: 2007 - -TODO: - * tests for password aging - * if something fails, print out the command issued for easier debugging - * test long options variants along with the short ones -""" - -import unittest -import pwd -import grp -import commands -import os -import os.path -import sys -import copy -import tempfile -import rpm -import shutil - -from UserDict import UserDict - -class RedHatVersion(object): - def __init__(self, type=None, version=None, release=None): - self.type = type - self.version = version - self.release = release - self.rhel = False - - def __eq__( self, other): - """ - Don't compare if either of the values is None - so we can do comparisons like 'is it fedora?' or 'is it rhel4?' - """ - ok = (self.type == other.type) - if ok == False: return False - - if self.version and other.version: - ok = (self.version == other.version) - if ok == False: return False - - if (self.release == other.release): - ok = (self.release == other.release) - - return ok - - def __ne__( self, other): - return not self.__eq__(other) - - def __get_fedora_info(self, mi): - return [ (h['version'],h['release']) for h in mi ][0] - - def __get_rhel_info(self, mi): - # The rules for RHEL versions are braindead..releases even more - ver_rpm, rel_rpm = [ (h['version'],h['release']) for h in mi ][0] - rhel_versions = { '3AS' : 3, '4AS' : 4, '5Server' : 5, '5Client' : 5, '6' : 6 } - if ver_rpm[:3] == '5.9' or ver_rpm[:1] == '6': # rhel6 prerelease and release hack - rhel_versions[ver_rpm] = 6 - if ver_rpm in rhel_versions.keys(): - return (rhel_versions[ver_rpm], rel_rpm) - - def is_rhel(self): - return self.rhel - - def get_info(self): - """ - Returns a tuple containing (type, version, release) of RHEL or Fedora. - Type is either RHEL or Fedora. - Returns None if it cannot parse the info - """ - - ts = rpm.TransactionSet() - mi = ts.dbMatch() - mi.pattern('name', rpm.RPMMIRE_GLOB, 'redhat-release*') - - if mi: - self.rhel = True - return ('RHEL',) + self.__get_rhel_info(mi) - else: - mi = ts.dbMatch('name','fedora-release') - self.rhel = False - if mi.count() != 0: - return ('Fedora',) + self.__get_fedora_info(mi) - - return None - - -class UserInfo(UserDict): - fields = { "pw_name" : 0, "pw_passwd" : 1, "pw_uid" : 2, "pw_gid" : 3, - "pw_gecos" : 4, "pw_dir" : 5, "pw_shell" : 6 } - - def __init__(self): - UserDict.__init__(self) - for f in UserInfo.fields: self[f] = None - - def __getitem__(self, key): - return UserDict.__getitem__(self, key) - - def __setitem__(self, key, value): - UserDict.__setitem__(self, key, value) - - def __cmp__(self, other): - return UserDict.__cmp__(self, other) - - def __repr__(self): - return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) - - def __parse_info(self, struct): - for f in UserInfo.fields: - self[f] = struct[UserInfo.fields[f]] - - def get_info_uid(self, uid): - self.__parse_info(pwd.getpwuid(uid)) - - def get_info_name(self, name): - try: - self.__parse_info(pwd.getpwnam(name)) - except KeyError: - return None - - def lazy_compare(self, pattern): - """ Compare pattern against self. If any field in pattern is set - to None, it is automatically considered equal with the corresponding - field in self. """ - for field in UserInfo.fields: - if pattern[field] and pattern[field] != self[field]: - return False - - return True - -class GroupInfo(UserDict): - fields = { "gr_name" : 0, "gr_passwd" : 1, - "gr_gid" : 2, "gr_mem" : 3} - - def __init__(self): - UserDict.__init__(self) - for f in GroupInfo.fields: self[f] = None - - def __getitem__(self, key): - return UserDict.__getitem__(self, key) - - def __setitem__(self, key, value): - UserDict.__setitem__(self, key, value) - - def __cmp__(self, other): - return UserDict.__cmp__(self, other) - - def __repr__(self): - return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) - - def __parse_info(self, struct): - for f in GroupInfo.fields: - self[f] = struct[GroupInfo.fields[f]] - - def get_info_gid(self, gid): - self.__parse_info(grp.getgrgid(gid)) - - def get_info_name(self, name): - self.__parse_info(grp.getgrnam(name)) - - def lazy_compare(self, pattern): - """ Compare pattern against self. If any field in pattern is set - to None, it is automatically considered equal with the corresponding - field in self. """ - for field in GroupInfo.fields: - if pattern[field] and pattern[field] != self[field]: - return False - - return True - -class LoginDefsParser(UserDict): - "A quick-n-dirty way how to fetch the defaults from /etc/login.defs into a dictionary" - - def __getitem__(self, key): - try: - return UserDict.__getitem__(self, key) - except KeyError: - # if a name-value is not defined in the config file, return defaults - if key == "CREATE_MAIL_SPOOL": - return "yes" - if key == "UMASK": - return "077" - - def __init__(self, path="/etc/login.defs",split=None): - self.path = path - UserDict.__init__(self) - try: - defs = open(path) - except IOError: - print "Could not open the config file %s" % (path) - - for line in defs: - if line.startswith('#'): continue - fields = line.split(split) - if len(fields) != 2: continue # yeah, we're dirty - self.data[fields[0]] = fields[1] - - def serialize(self): - output = open(self.path, "w+") - for k,v in self.data.items(): - output.write("%s=%s" % (k, v)) - - output.write("\n") - output.close() - -class TestUserInfo(unittest.TestCase): - def testLazyCompare(self): - """ (test sanity): Test comparing two UserInfo records """ - a = UserInfo() - a["pw_name"] = "foo" - a["pw_uid"] = 555 - b = copy.deepcopy(a) - c = UserInfo() - - self.assertEqual(a.lazy_compare(b), True) - self.assertEqual(a.lazy_compare(c), True) - - c["pw_name"] = "foo" - c["pw_uid"] = None - self.assertEqual(a.lazy_compare(c), True) - self.assertEqual(c.lazy_compare(a), False) - - c["pw_name"] = "bar" - self.assertNotEqual(a.lazy_compare(c), True) - - def testGetInfoUid(self): - """ (test sanity): Test getting user info based on his UID """ - a = UserInfo() - a.get_info_uid(0) - self.assertEqual(a["pw_name"], "root") - - def testGetInfoName(self): - """ (test sanity): Test getting user info based on his name """ - a = UserInfo() - a.get_info_name("root") - self.assertEqual(a["pw_uid"], 0) - -class ShadowUtilsTestBase: - """ Handy routines """ - def getDefaults(self): - # get the default values for so we can compare against that - (status, defaults_str) = commands.getstatusoutput('useradd -D') - if status != 0: - raise RuntimeError("Could not get the default values for useradd") - return dict([ rec.split("=") for rec in defaults_str.split("\n") ]) - - def getDefaultUserInfo(self, username): - expected = UserInfo() - defaults = self.getDefaults() - - expected["pw_name"] = username - expected["pw_dir"] = defaults["HOME"] + "/" + username - expected["pw_shell"] = defaults["SHELL"] - - return expected - -class TestUseradd(ShadowUtilsTestBase, unittest.TestCase): - def setUp(self): - self.username = "test-shadow-utils-useradd" - - def tearDown(self): - commands.getstatusoutput("userdel -r %s" % (self.username)) - - def testBasicAdd(self): - """ useradd: Tests basic adding of a user """ - expected = self.getDefaultUserInfo(self.username) - - runme = "useradd %s" % (self.username) - (status, output) = commands.getstatusoutput(runme) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user\nIssued command: %s" % (runme)) - - def testExistingUser(self): - """ useradd: Test that user with an existing name cannot be added """ - (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - self.assertNotEqual(commands.getstatusoutput("useradd %s" % (self.username))[0], 0, "FAIL: User that already exists added") - - def testCustomUID(self): - """ useradd: Adding an user with a specific UID """ - UID = 23456 # FIXME - test for a free UID slot first - - expected = self.getDefaultUserInfo(self.username) - expected["pw_uid"] = UID - - runme = "useradd %s -u %d" % (self.username, UID) - (status, output) = commands.getstatusoutput(runme) - self.failUnlessEqual(status, 0, "Issued command: %s\n" % (runme) + "Got from useradd: %s\n" % (output)) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific UID\nIssued command: %s" % (runme)) - - def testNegativeUID(self): - """ useradd: Tests that user cannot have a negative UID assigned """ - self.assertNotEqual(commands.getstatusoutput("useradd %s --uid -5" % (self.username))[0], 0, "FAIL: User with UID < 0 added") - - def testCustomExistingUID(self): - """ useradd: Adding a user with a specific existing UID """ - UID = 32112 - - expected = self.getDefaultUserInfo(self.username) - expected["pw_uid"] = UID - - (status_u, output_u) = commands.getstatusoutput("useradd %s -u %d" % (self.username, UID)) - - # must fail without -o flag - (status_u_no_o, output_u_no_o) = commands.getstatusoutput("useradd foo -u %d" % (UID)) - - # must pass with -o flag - (status_o, output_o) = commands.getstatusoutput("useradd foo -u %d -o" % (UID)) - - # clean up - (status, output) = commands.getstatusoutput("userdel -r foo") - - self.failUnlessEqual(status_u, 0, "FAIL: cannot add an user with a specified UID\n"+output_u) - self.assertEqual(status_o, 0, "FAIL: cannot add an user with an existing UID using the -o flag\n"+output_o) - self.failUnlessEqual(status, 0, output) - self.assertNotEqual(status_u_no_o, 0, "FAIL: user with an existing UID added\n"+output_u_no_o) - - def testCustomGID(self): - """ useradd: Adding an user with a specific GID """ - GID = 100 # users group should be everywhere - should we test before? - expected = self.getDefaultUserInfo(self.username) - expected["pw_gid"] = GID - - (status, output) = commands.getstatusoutput("useradd %s -g %d" % (self.username, GID)) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific GID") - - def testCustomShell(self): - """ useradd: Adding an user with a specific login shell """ - shell = "/bin/ksh" - expected = self.getDefaultUserInfo(self.username) - expected["pw_shell"] = shell - - (status, output) = commands.getstatusoutput("useradd %s -s %s" % (self.username, shell)) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific shell") - - def testCustomHome(self): - """ useradd: Adding an user with a specific home directory """ - home = "/tmp/useradd-test" - os.mkdir(home) - expected = self.getDefaultUserInfo(self.username) - expected["pw_dir"] = home - - (status, output) = commands.getstatusoutput("useradd %s -d %s" % (self.username, home)) - shutil.rmtree(home) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific home") - - def testSystemAccount(self): - """ useradd: Adding a system user (UID < UID_MIN from /etc/login.defs) """ - defaults = LoginDefsParser() - - # system account with no home dir - expected = self.getDefaultUserInfo(self.username) - - (status, output) = commands.getstatusoutput("useradd -r %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(os.path.exists(created["pw_dir"]), False, "FAIL: System user has a home dir created") - self.assertEqual(created["pw_uid"] < defaults['UID_MIN'], True, "FAIL: System user has UID > UID_MIN") - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system user") - - def testAddToMoreGroups(self): - """ useradd: Creating an user that belongs to more than one group """ - (status, output) = commands.getstatusoutput("useradd -G bin %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - gr_bin = GroupInfo() - gr_bin.get_info_name("bin") - self.assertEqual(self.username in gr_bin["gr_mem"], True, "FAIL: User not in supplementary group after usermod -G -a") - - - def testAddWithCommonName(self): - """ useradd: Specifying a comment (user for account name) """ - comment = "zzzzzz" - (status, output) = commands.getstatusoutput("useradd -c %s %s" % (comment, self.username)) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(created["pw_gecos"], comment, "FAIL: failed to create a user with a GECOS comment") - - def testHomePermissions(self): - """ useradd: Check if permissions on newly created home dir match the umask """ - defaults = LoginDefsParser() - - (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - - import stat - perm = os.stat(created["pw_dir"])[stat.ST_MODE] - mode = int(oct(perm & 0777)) - - self.assertEqual(defaults["UMASK"], "077", "FAIL: umask setting is not sane - is %s, should be 077" % (defaults["UMASK"])) - self.assertEqual(int(defaults["UMASK"]) + mode , 777, "FAIL: newly-created home dir does not match the umask") - - def testCreateMailSpool(self): - """ useradd: Check whether the mail spool gets created when told to""" - # set up creating of mail spool - defaults = LoginDefsParser("/etc/default/useradd", split="=") - - create_mail = defaults["CREATE_MAIL_SPOOL"] - defaults["CREATE_MAIL_SPOOL"] = "yes" - defaults.serialize() - - login_defs = LoginDefsParser() - - (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - # clean up - defaults["CREATE_MAIL_SPOOL"] = create_mail - defaults.serialize() - self.assertEqual(os.path.exists(login_defs["MAIL_DIR"] + "/" + self.username), True, "FAIL: useradd did not create mail spool") - - def testDefaultMailSettings(self): - """ useradd: Check whether the mail spool is on by default""" - defaults = LoginDefsParser("/etc/default/useradd", split="=") - self.assertEqual(defaults["CREATE_MAIL_SPOOL"], "yes\n") - - def testNoLastlog(self): - """ useradd: Check if the -l option prevents from being added to the lastlog """ - pass # FIXME - add some code here - - -class TestUseraddWeirdNameTest(unittest.TestCase, ShadowUtilsTestBase): - """ Tests addition/removal of usernames that have proven to be problematic in the past. - The reason to separate these from the main useradd test suite is to not run the setUp - and tearDown methods """ - - def addAndRemove(self, username, success=True): - expected = self.getDefaultUserInfo(username) - expected["pw_name"] = username - - (status, output) = commands.getstatusoutput("useradd %s" % (username)) - if success: - self.failUnlessEqual(status, 0, output) - else: - self.failIfEqual(status, 0, output) - return True - - created = UserInfo() - created.get_info_name(username) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: TestUseraddWeirdName::addAndRemove - could not add a user") - - # the cleanup method won't help this time - (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) - self.failUnlessEqual(status, 0, output) - - def testNumericName(self): - """ useradd: Test if an user with a purely numerical name can be added (123) """ - return self.addAndRemove("123") - - def testSambaName(self): - """ useradd: Test if an user with a name with a dollar at the end can be added (joepublic$ ) """ - return self.addAndRemove("joepublic$") - - def testDotInName(self): - """ useradd: Test if an user with a name with a dot in it can be added (joe.public ) """ - return self.addAndRemove("joe.public") - - def testAtInName(self): - """ useradd: Test if an user with an '@' in name can be added (joe@public.com) - should fail """ - return self.addAndRemove("joe@public.com", False) - - def testUppercase(self): - """ useradd: Test if an user with UPPERCASE or Uppercase name can be added """ - return self.addAndRemove("JOEPUBLIC") - return self.addAndRemove("Joepublic") - -class TestUseraddDefaultsChange(unittest.TestCase, ShadowUtilsTestBase): - def testDefaultsChange(self): - """ useradd: Test overriding default settings (shell, home dir, group) with a -D option """ - save = self.getDefaults() - - new_defs = dict() - new_defs["SHELL"] = "/bin/ksh" - new_defs["GROUP"] = "1" - new_defs["HOME"] = "/tmp" - - command = "useradd -D -s%s -g%s -b%s" % (new_defs["SHELL"], new_defs["GROUP"], new_defs["HOME"]) - (status, output) = commands.getstatusoutput(command) - self.failUnlessEqual(status, 0, output) - - overriden = self.getDefaults() - [ self.assertEqual(overriden[k], new_defs[k]) for k in new_defs.keys() ] - - command = "useradd -D -s%s -g%s -b%s" % (save["SHELL"], save["GROUP"], save["HOME"]) - (status, output) = commands.getstatusoutput(command) - self.failUnlessEqual(status, 0, output) - - -class TestUserdel(unittest.TestCase, ShadowUtilsTestBase): - def setUp(self): - self.username = "test-shadow-utils-userdel" - (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - def testRemoveUserGroup(self): - """ userdel: test if userdel removes user's group when he's deleted - regression test for #201379 """ - (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - # This would fail if we did not have the group removed - (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - -class TestUsermod(unittest.TestCase, ShadowUtilsTestBase): - def setUp(self): - self.username = "test-shadow-utils-usermod" - (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - def tearDown(self): - (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) - self.failUnlessEqual(status, 0, output) - - def testAppendToSupplementaryGroup(self): - """ usermod: Test if a user can be added to a supplementary group """ - add_group = "additional_group" - (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) - self.failUnlessEqual(status, 0, output) - - (status_mod, output_mod) = commands.getstatusoutput("usermod -a -G %s %s" % (add_group, self.username)) - add_group_info = GroupInfo() - add_group_info.get_info_name(add_group) - (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) - - self.failUnlessEqual(status, 0, output) - self.failUnlessEqual(status_mod, 0, output_mod) - self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") - - - def testAppendToSupplementaryGroupLongOption(self): - """ usermod: Test if a user can be added to a supplementary group via --append rather that -a (regression test for 222540) """ - # this is known to not work on older RHELs - test what we are running - rhv = RedHatVersion() - runs = rhv.get_info() - if rhv.is_rhel(): - if runs[1] < 5: - print "This test makes sense for RHEL5+" - return - else: - if runs[1] < 6: - print "This test makes sense for Fedora 6+" - return - - type, release, version = RedHatVersion().get_info() - if RedHatVersion().is_rhel(): - if release < 5 or (release == 5 and version < 2): - print "This test makes sense for RHEL 5.2+" - return - - add_group = "additional_group" - (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) - self.failUnlessEqual(status, 0, output) - - (status_mod, output_mod) = commands.getstatusoutput("usermod --append -G %s %s" % (add_group, self.username)) - add_group_info = GroupInfo() - add_group_info.get_info_name(add_group) - (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) - - self.failUnlessEqual(status, 0, output) - self.failUnlessEqual(status_mod, 0, output_mod) - self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") - - - def testNameChange(self): - """ usermod: Test if the comment field (used as the Common Name) can be changed """ - new_comment = "zzzzzz" - - (status, output) = commands.getstatusoutput("usermod -c %s %s" % (new_comment, self.username)) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - - self.assertEqual(created["pw_gecos"], new_comment) - - def testHomeChange(self): - """ usermod: Test if user's home directory can be changed """ - new_home = "/tmp" - created = UserInfo() - created.get_info_name(self.username) - old_home = created["pw_dir"] - - (status, output) = commands.getstatusoutput("usermod -d %s %s" % (new_home, self.username)) - self.failUnlessEqual(status, 0, output) - - created.get_info_name(self.username) - self.assertEqual(created["pw_dir"], new_home) - - # revert to old home so we can userdel -r in tearDown - (status, output) = commands.getstatusoutput("usermod -d %s %s" % (old_home, self.username)) - self.failUnlessEqual(status, 0, output) - - # FIXME - test if contents of /home directories are transferred with the -m option - # FIXME - test if new home is created if does not exist before - - def testGIDChange(self): - """ usermod: Test if user's gid can be changed. """ - new_group = "root" - # test non-existing group - (status_fail, output_fail) = commands.getstatusoutput("usermod -g no-such-group %s" % (self.username)) - (status, output) = commands.getstatusoutput("usermod -g %s %s" % (new_group, self.username)) - - created = UserInfo() - created.get_info_name(self.username) - - left = GroupInfo() - if left.get_info_name(self.username) == None: - (status_del, output_del) = commands.getstatusoutput("groupdel %s" % (self.username)) - self.failUnlessEqual(status_del, 0, output_del) - - self.failIfEqual(status_fail, 0, output_fail) - self.failUnlessEqual(status, 0, output) - self.assertEqual(created["pw_gid"], 0) #0 is root group - - def testLoginChange(self): - """ usermod: Test if user's login can be changed """ - new_login = "usermod-login-change" - user = UserInfo() - user.get_info_name(self.username) - uid = user["pw_uid"] # UID won't change even when login does - - # test changing to an existing user name - (status, output) = commands.getstatusoutput("usermod -l root %s" % (self.username)) - self.failIfEqual(status, 0, output) - - (status, output) = commands.getstatusoutput("usermod -l %s %s" % (new_login, self.username)) - self.failUnlessEqual(status, 0, output) - user.get_info_name(new_login) - self.assertEqual(user["pw_uid"], uid) - - # revert so we can userdel -r on tearDown - (status, output) = commands.getstatusoutput("usermod -l %s %s" % (self.username, new_login)) - self.failUnlessEqual(status, 0, output) - - def testShellChange(self): - """ usermod: Test if user's shell can be changed """ - new_shell = "/bin/sh" - - (status, output) = commands.getstatusoutput("usermod -s %s %s" % (new_shell, self.username)) - self.failUnlessEqual(status, 0, output) - - created = UserInfo() - created.get_info_name(self.username) - self.assertEqual(created["pw_shell"], new_shell) - -class TestGroupadd(unittest.TestCase, ShadowUtilsTestBase): - def setUp(self): - self.groupname = "test-shadow-utils-groups" - - def tearDown(self): - commands.getstatusoutput("groupdel %s" % (self.groupname)) - - def testAddGroup(self): - """ groupadd: Basic adding of a group """ - - expected = GroupInfo() - expected["gr_name"] = self.groupname - - (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) - self.failUnlessEqual(status, 0, output) - - created = GroupInfo() - created.get_info_name(self.groupname) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a group") - - def testAddSystemGroup(self): - """ groupadd: Adding a system group with gid < MIN_GID """ - - expected = GroupInfo() - expected["gr_name"] = self.groupname - defaults = LoginDefsParser() - - (status, output) = commands.getstatusoutput("groupadd -r %s" % (self.groupname)) - self.failUnlessEqual(status, 0, output) - - created = GroupInfo() - created.get_info_name(self.groupname) - self.assertEqual(created["gr_gid"] < defaults["GID_MIN"], True, "FAIL: System group has gid >= GID_MIN") - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system group") - - def testAddExistingGid(self): - """ groupadd: Test if we group with an existing GID can be added """ - (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) - self.failUnlessEqual(status, 0, output) - - gname = "%s-2" % (self.groupname) - - created = GroupInfo() - created.get_info_name(self.groupname) - - # no -o option -> this should fail - (status, output) = commands.getstatusoutput("groupadd -g%s %s" % (created["gr_gid"], gname)) - self.failIfEqual(status, 0, output) - - # override with -o option, should pass now - (status, output) = commands.getstatusoutput("groupadd -g%s -o %s" % (created["gr_gid"], gname)) - self.failUnlessEqual(status, 0, output) - - # test if the new GID is really the same - same_gid = GroupInfo() - same_gid.get_info_name(gname) - self.assertEqual(same_gid["gr_gid"], created["gr_gid"]) - - # clean up - (status, output) = commands.getstatusoutput("groupdel %s" % (gname)) - self.failUnlessEqual(status, 0, output) - - - def testOverrideDefaults(self): - """ groupadd: Test if the defaults can be overriden with the -K option """ - # this is known to not work on older RHELs - test what we are running - rhv = RedHatVersion() - runs = rhv.get_info() - if rhv.is_rhel(): - if runs[1] < 5: - print "This test makes sense for RHEL5+" - return - else: - if runs[1] < 6: - print "This test makes sense for Fedora 6+" - return - - - GID_MIN = 600 - GID_MAX = 625 - - (status, output) = commands.getstatusoutput("groupadd -K GID_MIN=%d -K GID_MAX=%d %s" % - (GID_MIN, GID_MAX, self.groupname)) - self.failUnlessEqual(status, 0, output) - - created = GroupInfo() - created.get_info_name(self.groupname) - self.assertEqual(GID_MIN <= created["gr_gid"] <= GID_MAX, True, "FAIL: created an user with UID of %d" % (created["gr_gid"])) - - - def testFOption(self): - """ groupadd: Tests the -f option of groupadd """ - (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) - self.failUnlessEqual(status, 0, output) - - (status, output) = commands.getstatusoutput("groupadd -f %s" % (self.groupname)) - self.assertEqual(status, 0, output) - -class TestGroupaddInvalidName(unittest.TestCase, ShadowUtilsTestBase): - def testGroupaddInvalidName(self): - """ groupadd: Test adding of a group with an invalid name """ - (status, output) = commands.getstatusoutput("groupadd foo?") - self.assertNotEqual(status, 0, output) - (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffggg") #33 chars - self.assertNotEqual(status, 0, output) - -class TestGroupaddValidName(unittest.TestCase, ShadowUtilsTestBase): - def testGroupaddValidName(self): - """ groupadd: Test adding and removing of groups with maximal valid name and name ending with $ """ - (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars - self.assertEqual(status, 0, output) - (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars - self.assertEqual(status, 0, output) - (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars - self.assertEqual(status, 0, output) - (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars - self.assertEqual(status, 0, output) - - -class TestGroupmod(unittest.TestCase, ShadowUtilsTestBase): - def setUp(self): - self.groupname = "test-shadow-utils-groups" - (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) - self.failUnlessEqual(status, 0, output) - - def tearDown(self): - commands.getstatusoutput("groupdel %s" % (self.groupname)) - - def testChangeGID(self): - """ groupmod: Test changing a gid of a group """ - expected = GroupInfo() - expected["gr_name"] = self.groupname - expected["gr_gid"] = 54321 - - (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (expected["gr_gid"], self.groupname)) - self.failUnlessEqual(status, 0, output) - - created = GroupInfo() - created.get_info_name(self.groupname) - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group") - - def testChangeGIDToExistingValue(self): - """ groupmod: Test changing GID to an existing value """ - second_name = "%s-2" % (self.groupname) - - created = GroupInfo() - created.get_info_name(self.groupname) - - expected = GroupInfo() - expected["gr_name"] = self.groupname - expected["gr_gid"] = created["gr_gid"] - - (status, output) = commands.getstatusoutput("groupadd %s" % (second_name)) - self.failUnlessEqual(status, 0, output) - - # try to assingn GID of the first group to the second - this should fail without the -o option - (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (created["gr_gid"], second_name)) - self.failIfEqual(status, 0, output) - - # should pass with the -o option - (status, output) = commands.getstatusoutput("groupmod -g%d -o %s" % (created["gr_gid"], second_name)) - self.failUnlessEqual(status, 0, output) - - self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group to an existing one") - - # clean up - commands.getstatusoutput("groupdel %s" % (second_name)) - self.failUnlessEqual(status, 0, output) - - def testChangeGroupName(self): - """ groupmod: Test changing a group's name """ - second_name = "%s-2" % (self.groupname) - - created = GroupInfo() - created.get_info_name(self.groupname) - - (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (second_name, self.groupname)) - self.failUnlessEqual(status, 0, output) - - changed = GroupInfo() - changed.get_info_gid(created["gr_gid"]) - self.assertEqual(changed["gr_name"], second_name) - self.assertEqual(changed["gr_gid"], created["gr_gid"]) - - # change back, so the group could be deleted by tearDown - (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (self.groupname, second_name)) - self.failUnlessEqual(status, 0, output) - - def testChangeGroupNameExisting(self): - """ groupmod: Test changing a group's name to an existing one """ - existing = "bin" - (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (existing, self.groupname)) - self.assertNotEqual(status, 0, output) # man groupmod -> 9: group name already in use - - def testChangeNonExistingGroup(self): - """ groupmod: Test properties of a non-existing group """ - nonexistent = "foobar" - (status, output) = commands.getstatusoutput("groupmod -nspameggs %s" % (nonexistent)) - self.assertNotEqual(status, 0, status) # man groupmod -> 6: specified group doesn't exist - -class TestGroupdel(unittest.TestCase, ShadowUtilsTestBase): - def testCorrectGroupdel(self): - """ groupdel: Basic usage of groupdel """ - self.groupname = "test-shadow-utils-groups" - (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) - self.failUnlessEqual(status, 0, output) - (status, output) = commands.getstatusoutput("groupdel %s" % (self.groupname)) - self.assertEqual(status, 0, output) - - def testGroupdelNoSuchGroup(self): - """ groupdel: Remove non-existing group """ - (status, output) = commands.getstatusoutput("groupdel foobar") - self.assertNotEqual(status, 0, output) - - def testRemovePrimaryGroup(self): - """ groupdel: Remove a primary group of an user """ - username = "test-groupdel-primary" - (status, output) = commands.getstatusoutput("useradd %s" % (username)) - self.failUnlessEqual(status, 0, output) - - (status, output) = commands.getstatusoutput("groupdel %s" % (username)) - self.assertNotEqual(status, 0, output) - - # clean up - (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) - self.failUnlessEqual(status, 0, output) - -class TestPwckGrpck(unittest.TestCase): - def setUp(self): - self.passwd_path = tempfile.mktemp(suffix="test-pwck-passwd") - self.passwd_file = open(self.passwd_path, "w") - self.group_path = tempfile.mktemp(suffix="test-pwck-grp") - self.group_file = open(self.group_path, "w") - self.gshadow_path = tempfile.mktemp(suffix="test-pwck-gshadow") - self.gshadow_file = open(self.gshadow_path, "w") - - def tearDown(self): - self.passwd_file.close() - self.group_file.close() - self.gshadow_file.close() - - os.remove(self.passwd_path) - os.remove(self.group_path) - os.remove(self.gshadow_path) - - def runPwckCheck(self, passwd, group): - self.passwd_file.truncate() - self.group_file.truncate() - - self.passwd_file.write(passwd) - self.passwd_file.flush() - self.group_file.write(group) - self.group_file.flush() - - command = "pwck -r %s %s" % (self.passwd_path, self.group_path) - return commands.getstatusoutput(command) - - def runGrpCheck(self, group, gshadow): - self.group_file.truncate() - self.gshadow_file.truncate() - - self.gshadow_file.write(gshadow) - self.gshadow_file.flush() - - self.group_file.write(group) - self.group_file.flush() - - command = "grpck -r %s %s" % (self.group_path, self.gshadow_path) - return commands.getstatusoutput(command) - - - def testValidEntries(self): - """ pwck: a valid entry """ - status, output = self.runPwckCheck("foo:x:685:0::/dev/null:/bin/bash", "") - rhv = RedHatVersion() - runs = rhv.get_info() - if rhv.is_rhel(): - if runs[1] < 6: - self.assertEqual(status, 0, output) - else: - self.assertNotEqual(status, 0, output) - - def testNumberOfFields(self): - """ pwck: invalid number of fields in the record """ - not_enough = "foo:x:685:685::/dev/null" - too_many = "foo:x:685:685::/dev/null:/bin/bash:comment" - status, output = self.runPwckCheck(not_enough, "") - self.assertNotEqual(status, 0, output) - - status, output = self.runPwckCheck(too_many, "") - self.assertNotEqual(status, 0, output) - - def testUniqueUserName(self): - """ pwck: unique user name in the record """ - duplicate_username = "foo:x:685:685::/dev/null:/bin/bash\nfoo:x:686:686::/dev/null:/bin/bash" - status, output = self.runPwckCheck(duplicate_username, "") - self.assertNotEqual(status, 0, output) - - def testValidID(self): - """ pwck: invalid UID in the records """ - invalid_ids = [ "foo:x:-1:685::/dev/null:/bin/bash", "foo:x:blah:685::/dev/null:/bin/bash", "foo:x:1234567890:685::/dev/null:/bin/bash" ] - for record in invalid_ids: - status, output = self.runPwckCheck(record, "") - self.assertNotEqual(status, 0, record) - - - def testValidPrimaryGroup(self): - """ pwck: invalid primary group """ - invalid_groups = [ "foo:x:685:-1::/dev/null:/bin/bash", "foo:x:685:blah::/dev/null:/bin/bash", "foo:x:685:1234567890::/dev/null:/bin/bash" ] - for record in invalid_groups: - status, output = self.runPwckCheck("", record) - self.assertNotEqual(status, 0, output) - - def testValidHomeDir(self): - """ pwck: invalid home dir """ - for record in [ "foo:x:685:685::123:/bin/bash", "foo:x:685:685::/path/to/nowhere:/bin/bash", "foo:x:685:1234567890::!:/bin/bash" ]: - status, output = self.runPwckCheck(record, "") - self.assertNotEqual(status, 0, output) - - def testBZ164954(self): - """ grpck: regression test for BZ164954 """ - record = "root:x:0:root\nbin:x:1:root,bin,daemon\ndaemon:x:2:root,bin,daemon\nsys:x:3:root,bin,adm\nadm:x:4:root,adm,daemon" - status, output = self.runGrpCheck("", record) - self.assertNotEqual(status, 0, output) - -if __name__ == "__main__": - broken_on_rhel4 = { "TestUseradd" : [ "testCustomUID", "testCustomGID" ] } - - if os.getuid() != 0: - print "This test must be run as root" - sys.exit(1) - - unittest.main() - diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index 09f4769..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# This first play always runs on the local staging system -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - classic - - atomic - tests: - - sanity - required_packages: - - shadow-utils # sanity test needs shadow-utils - - python # sanity test needs python