From 8cfc807e8c10cc67ed8a0709350349adae15b04f Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Fri, 18 May 2007 09:55:31 +0000 Subject: [PATCH 001/151] Initialize branch F-7 for shadow-utils --- branch | 1 + 1 file changed, 1 insertion(+) create mode 100644 branch diff --git a/branch b/branch new file mode 100644 index 0000000..c48525c --- /dev/null +++ b/branch @@ -0,0 +1 @@ +F-7 From b17301efe01e9d652a570b7891d562d530c5184c Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 5 Jun 2007 13:09:03 +0000 Subject: [PATCH 002/151] do not run find_new_uid() twice and use getpwuid() to check UID uniqueness (#236871) --- shadow-4.0.18.1-findNewUidOnce.patch | 113 +++++++++++++++++++++++++++ shadow-utils.spec | 6 ++ 2 files changed, 119 insertions(+) create mode 100644 shadow-4.0.18.1-findNewUidOnce.patch diff --git a/shadow-4.0.18.1-findNewUidOnce.patch b/shadow-4.0.18.1-findNewUidOnce.patch new file mode 100644 index 0000000..31287a9 --- /dev/null +++ b/shadow-4.0.18.1-findNewUidOnce.patch 
@@ -0,0 +1,113 @@ +--- shadow-4.0.18.1/src/useradd.c.findNewUidOnce 2007-05-16 13:16:51.000000000 +0200 ++++ shadow-4.0.18.1/src/useradd.c 2007-05-16 14:12:52.000000000 +0200 +@@ -847,8 +847,9 @@ + * find_new_uid - find the next available UID + * + * find_new_uid() locates the next highest unused UID in the password +- * file, or checks the given user ID against the existing ones for +- * uniqueness. ++ * file. ++ * It doesn't make sense to use find_new_uid(), if UID is specified ++ * via "-u" option. + */ + static void find_new_uid (void) + { +@@ -867,12 +868,7 @@ + memset (index, 0, sizeof (char) * uid_max + 1); + } + +- /* +- * Start with some UID value if the user didn't provide us with +- * one already. +- */ +- if (!uflg) +- user_id = uid_min; ++ user_id = uid_min; + + /* + * Search the entire password file, either looking for this +@@ -886,42 +882,24 @@ + setpwent (); + while ((pwd = getpwent ())) { + #endif +- if (strcmp (user_name, pwd->pw_name) == 0) { +- fprintf (stderr, _("%s: name %s is not unique\n"), +- Prog, user_name); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", +- user_name, user_id, 0); +-#endif +- exit (E_NAME_IN_USE); +- } +- if (!oflg && uflg && user_id == pwd->pw_uid) { +- fprintf (stderr, _("%s: UID %u is not unique\n"), +- Prog, (unsigned int) user_id); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", +- user_name, user_id, 0); +-#endif +- exit (E_UID_IN_USE); +- } +- if (!uflg && !rflg && pwd->pw_uid >= user_id) { ++ if (!rflg && pwd->pw_uid >= user_id) { + if (pwd->pw_uid > uid_max) + continue; + user_id = pwd->pw_uid + 1; + } + /* create index of occupied system accounts UIDs */ +- if (!uflg && rflg && (pwd->pw_uid <= uid_max)) ++ if (rflg && (pwd->pw_uid <= uid_max)) + index[pwd->pw_uid] = 1; + + } + + /* find free system account */ +- if(!uflg && rflg) { ++ if(rflg) { + for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); + if ( user_id < uid_min 
) { + fprintf (stderr, _("%s: can't get unique UID\n"), Prog); + fail_exit (E_UID_IN_USE); +- } ++ } + } + + /* +@@ -930,7 +908,7 @@ + * free UID starting with UID_MIN (it's O(n*n) but can be avoided + * by not having users with UID equal to UID_MAX). --marekm + */ +- if (!uflg && user_id == uid_max + 1) { ++ if (user_id == uid_max + 1) { + for (user_id = uid_min; user_id < uid_max; user_id++) { + #ifdef NO_GETPWENT + pw_rewind (); +@@ -1590,9 +1568,6 @@ + struct passwd pwent; + struct spwd spent; + +- if (!oflg) +- find_new_uid (); +- + /* + * Fill in the password structure with any new fields, making + * copies of strings. +@@ -1911,7 +1886,17 @@ + /* first, seek for a valid uid to use for this user. + * We do this because later we can use the uid we found as + * gid too ... --gafton */ +- find_new_uid (); ++ if (!uflg) ++ find_new_uid (); ++ else { ++ if (getpwuid (user_id)) { ++ fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, user_id, 0); ++#endif ++ exit (E_UID_IN_USE); ++ } ++ } + } + + /* do we have to add a group for that user? This is why we need to diff --git a/shadow-utils.spec b/shadow-utils.spec index cd88bd8..8d72cbb 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -26,6 +26,7 @@ Patch10: shadow-4.0.18.1-overflow.patch Patch11: shadow-4.0.17-useradd.patch Patch12: shadow-4.0.18.1-appendOption.patch Patch13: shadow-4.0.18.1-sysAccount.patch +Patch14: shadow-4.0.18.1-findNewUidOnce.patch License: BSD Group: System Environment/Base @@ -68,6 +69,7 @@ cp %{SOURCE3} lib/nscd.c %patch11 -p1 -b .useradd %patch12 -p1 -b .appendOption %patch13 -p1 -b .sysAccount +%patch14 -p1 -b .findNewUidOnce rm po/*.gmo rm po/stamp-po 
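Review bot: The new `else` branch in main() (inner hunk `@@ -1911,7 +1886,17 @@`) treats a NULL from `getpwuid (user_id)` as "UID is free", but getpwuid() also returns NULL when an NSS backend fails, so a transient lookup error now lets a duplicate UID through where the old scan of the locked password file could not; set `errno = 0;` before the call and, on NULL, fail closed when errno reports a lookup error rather than a missing entry, with a comment saying why. The hunk also deletes the user-name uniqueness check (`strcmp (user_name, pwd->pw_name)` leading to `E_NAME_IN_USE`) from find_new_uid() without adding a replacement; presumably main() already rejects an existing name before this point, but that code is outside the hunk and should be confirmed. The block enclosing the new `if (!uflg) … else …` starts outside the hunk (only its closing brace is visible), so whether `-o` still bypasses the check cannot be verified here. PATCH 004 repeats this hunk unchanged.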
@@ -223,6 +225,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/*/man8/faillog.8* %changelog +* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 +- do not run find_new_uid() twice and use getpwuid() to check + UID uniqueness (#236871) + * Tue Apr 10 2007 Peter Vrabec 2:4.0.18.1-13 - fix useradd dump core when build without WITH_SELINUX (#235641) From 9d9e9cc197a9cc1050ca10c80b243e25ba3784ea Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 5 Jun 2007 13:18:36 +0000 Subject: [PATCH 003/151] fix infinitive loop if there are duplicate entries in /etc/group (#240915) --- shadow-4.0.18.1-groupLoop.patch | 178 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 8 +- 2 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 shadow-4.0.18.1-groupLoop.patch diff --git a/shadow-4.0.18.1-groupLoop.patch b/shadow-4.0.18.1-groupLoop.patch new file mode 100644 index 0000000..28c8c6b --- /dev/null +++ b/shadow-4.0.18.1-groupLoop.patch 
@@ -0,0 +1,178 @@ +--- shadow-4.0.18.1/src/usermod.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/src/usermod.c 2007-05-25 11:51:33.000000000 +0200 +@@ -628,7 +628,7 @@ + continue; + + changed = 0; +- if (!gr_update (ngrp)) { ++ if (!gr_update_entry (grp, ngrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + SYSLOG ((LOG_ERR, "error adding group entry")); +@@ -770,7 +770,7 @@ + /* + * Update the group entry to reflect the changes. + */ +- if (!sgr_update (nsgrp)) { ++ if (!sgr_update_entry (sgrp, nsgrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + SYSLOG ((LOG_ERR, "error adding shadow group entry")); +--- shadow-4.0.18.1/src/userdel.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/src/userdel.c 2007-05-25 11:51:33.000000000 +0200 +@@ -153,7 +153,7 @@ + exit (13); /* XXX */ + } + ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); +- if (!gr_update (ngrp)) ++ if (!gr_update_entry (grp, ngrp)) + fprintf (stderr, + _("%s: error updating group entry\n"), Prog); + +@@ -252,7 +252,7 @@ + if (was_admin) + nsgrp->sg_adm = del_list (nsgrp->sg_adm, user_name); + +- if (!sgr_update (nsgrp)) ++ if (!sgr_update_entry (sgrp, nsgrp)) + fprintf (stderr, + _("%s: error updating group entry\n"), Prog); + #ifdef WITH_AUDIT +--- shadow-4.0.18.1/src/useradd.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/src/useradd.c 2007-05-25 11:54:28.000000000 +0200 +@@ -727,30 +727,6 @@ + struct sgrp *nsgrp; + #endif + +- /* +- * Test for unique entries of user_groups in /etc/group +- * pvrabec@redhat.com +- */ +- char **user_groups_tmp = user_groups; +- +- while (*user_groups_tmp) { +- int count = 0; +- +- for (gr_rewind (), grp = gr_next (); grp && count < 2; +- grp = gr_next ()) { +- if (strcmp (*user_groups_tmp, grp->gr_name) == 0) { +- count++; +- } +- } +- if (count > 1) { +- fprintf (stderr, +- "%s: error not unique group names in group file\n", +- Prog); +- fail_exit 
(E_GRP_UPDATE); +- } +- user_groups_tmp++; +- } +- + /* Locking and opening of the group files moved to open_files() --gafton */ + + /* +@@ -780,7 +756,7 @@ + * update the group entry to reflect the change. + */ + ngrp->gr_mem = add_list (ngrp->gr_mem, user_name); +- if (!gr_update (ngrp)) { ++ if (!gr_update_entry (grp, ngrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); +@@ -828,7 +804,7 @@ + * update the group entry to reflect the change. + */ + nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_name); +- if (!sgr_update (nsgrp)) { ++ if (!sgr_update_entry (sgrp, nsgrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); +--- shadow-4.0.18.1/lib/sgroupio.c.groupLoop 2005-08-31 19:24:56.000000000 +0200 ++++ shadow-4.0.18.1/lib/sgroupio.c 2007-05-25 11:51:33.000000000 +0200 +@@ -146,6 +146,13 @@ + return commonio_update (&gshadow_db, (const void *) sg); + } + ++int sgr_update_entry(const struct sgrp *oldgr, const struct sgrp *newgr) ++{ ++ return commonio_update_entry(&gshadow_db, (const void *) oldgr, ++ (const void *) newgr); ++} ++ ++ + int sgr_remove (const char *name) + { + return commonio_remove (&gshadow_db, name); +--- shadow-4.0.18.1/lib/groupio.c.groupLoop 2005-08-31 19:24:56.000000000 +0200 ++++ shadow-4.0.18.1/lib/groupio.c 2007-05-25 11:51:33.000000000 +0200 +@@ -128,6 +128,12 @@ + return commonio_remove (&group_db, name); + } + ++int gr_update_entry(const struct group *oldgr, const struct group *newgr) ++{ ++ return commonio_update_entry(&group_db, (const void *) oldgr, ++ (const void *) newgr); ++} ++ + int gr_rewind (void) + { + return commonio_rewind (&group_db); +--- shadow-4.0.18.1/lib/sgroupio.h.groupLoop 2005-03-31 07:14:49.000000000 +0200 ++++ shadow-4.0.18.1/lib/sgroupio.h 2007-05-25 11:51:33.000000000 +0200 +@@ -11,4 +11,5 @@ + extern int sgr_rewind (void); + extern int sgr_unlock (void); + extern int sgr_update (const struct sgrp *); ++extern 
int sgr_update_entry(const struct sgrp *oldgr, const struct sgrp *newgr); + extern int sgr_sort (void); +--- shadow-4.0.18.1/lib/commonio.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/lib/commonio.c 2007-05-25 11:51:33.000000000 +0200 +@@ -826,6 +826,36 @@ + return 1; + } + ++int commonio_update_entry(struct commonio_db *db, const void *oldgr, ++ const void *newgr) ++{ ++ struct commonio_entry *tmp; ++ ++ if (!db->isopen || db->readonly) { ++ errno = EINVAL; ++ return 0; ++ } ++ ++ tmp = db->head; ++ while (tmp != NULL) { ++ if (oldgr == tmp->eptr) ++ break; ++ tmp = tmp->next; ++ } ++ ++ /* Didn't find this in the database; hop out */ ++ if (tmp == NULL) ++ return 0; ++ ++ tmp->eptr = db->ops->dup(newgr); ++ if (tmp->eptr == NULL) ++ return 1; ++ tmp->changed = 1; ++ ++ db->changed = 1; ++ ++ return 1; ++} + + void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p) + { +--- shadow-4.0.18.1/lib/groupio.h.groupLoop 2005-03-31 07:14:49.000000000 +0200 ++++ shadow-4.0.18.1/lib/groupio.h 2007-05-25 11:51:33.000000000 +0200 +@@ -10,4 +10,6 @@ + extern int gr_rewind (void); + extern int gr_unlock (void); + extern int gr_update (const struct group *); ++extern int gr_update_entry(const struct group *oldgr, const struct group *newgr); + extern int gr_sort (void); ++ diff --git a/shadow-utils.spec b/shadow-utils.spec index 8d72cbb..11da702 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 13%{?dist} +Release: 15%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 
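Review bot: In `commonio_update_entry()` (lib/commonio.c part of this hunk) the failure path of `db->ops->dup(newgr)` first overwrites `tmp->eptr` with NULL and then returns 1, so an allocation failure both drops the entry from the in-memory list (a later write-out would hit a NULL entry) and is reported to usermod/userdel/useradd as success. The previous `tmp->eptr` is also never released, whereas the pre-existing commonio_update() (not in the hunk) frees the old entry through `db->ops->free` before installing the duplicate; that is a leak per updated group, though whether any caller still reads `grp` after the call should be checked before freeing. Dup into a local first, fail with `errno = ENOMEM` and return 0, and only then swap the pointer, as below. PATCH 005 carries an identical copy of this hunk.
```c
int commonio_update_entry(struct commonio_db *db, const void *oldgr,
		const void *newgr)
{
	struct commonio_entry *tmp;
	void *nentry;

	/* … unchanged: isopen/readonly check and the walk of db->head looking for oldgr … */

	nentry = db->ops->dup(newgr);
	if (nentry == NULL) {
		errno = ENOMEM;		/* tmp->eptr stays intact; caller sees the failure */
		return 0;
	}
	db->ops->free(tmp->eptr);	/* release the old entry as commonio_update() does */
	tmp->eptr = nentry;
	tmp->changed = 1;
	db->changed = 1;
	return 1;
}
```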
@@ -27,6 +27,7 @@ Patch11: shadow-4.0.17-useradd.patch Patch12: shadow-4.0.18.1-appendOption.patch Patch13: shadow-4.0.18.1-sysAccount.patch Patch14: shadow-4.0.18.1-findNewUidOnce.patch +Patch15: shadow-4.0.18.1-groupLoop.patch License: BSD Group: System Environment/Base @@ -70,6 +71,7 @@ cp %{SOURCE3} lib/nscd.c %patch12 -p1 -b .appendOption %patch13 -p1 -b .sysAccount %patch14 -p1 -b .findNewUidOnce +%patch15 -p1 -b .groupLoop rm po/*.gmo rm po/stamp-po @@ -225,6 +227,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/*/man8/faillog.8* %changelog +* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-15 +- fix infinitive loop if there are duplicate entries + in /etc/group (#240915) + * Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 - do not run find_new_uid() twice and use getpwuid() to check UID uniqueness (#236871) From 9744679f21e05327dd02ae7882bacfa9d622928d Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 5 Jun 2007 14:44:57 +0000 Subject: [PATCH 004/151] do not run find_new_uid() twice and use getpwuid() to check UID uniqueness (#236871) --- shadow-4.0.18.1-findNewUidOnce.patch | 113 +++++++++++++++++++++++++++ shadow-utils.spec | 9 ++- 2 files changed, 120 insertions(+), 2 deletions(-) create mode 100644 shadow-4.0.18.1-findNewUidOnce.patch diff --git a/shadow-4.0.18.1-findNewUidOnce.patch b/shadow-4.0.18.1-findNewUidOnce.patch new file mode 100644 index 0000000..31287a9 --- /dev/null +++ b/shadow-4.0.18.1-findNewUidOnce.patch 
@@ -0,0 +1,113 @@ +--- shadow-4.0.18.1/src/useradd.c.findNewUidOnce 2007-05-16 13:16:51.000000000 +0200 ++++ shadow-4.0.18.1/src/useradd.c 2007-05-16 14:12:52.000000000 +0200 +@@ -847,8 +847,9 @@ + * find_new_uid - find the next available UID + * + * find_new_uid() locates the next highest unused UID in the password +- * file, or checks the given user ID against the existing ones for +- * uniqueness. ++ * file. ++ * It doesn't make sense to use find_new_uid(), if UID is specified ++ * via "-u" option. + */ + static void find_new_uid (void) + { +@@ -867,12 +868,7 @@ + memset (index, 0, sizeof (char) * uid_max + 1); + } + +- /* +- * Start with some UID value if the user didn't provide us with +- * one already. +- */ +- if (!uflg) +- user_id = uid_min; ++ user_id = uid_min; + + /* + * Search the entire password file, either looking for this +@@ -886,42 +882,24 @@ + setpwent (); + while ((pwd = getpwent ())) { + #endif +- if (strcmp (user_name, pwd->pw_name) == 0) { +- fprintf (stderr, _("%s: name %s is not unique\n"), +- Prog, user_name); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", +- user_name, user_id, 0); +-#endif +- exit (E_NAME_IN_USE); +- } +- if (!oflg && uflg && user_id == pwd->pw_uid) { +- fprintf (stderr, _("%s: UID %u is not unique\n"), +- Prog, (unsigned int) user_id); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", +- user_name, user_id, 0); +-#endif +- exit (E_UID_IN_USE); +- } +- if (!uflg && !rflg && pwd->pw_uid >= user_id) { ++ if (!rflg && pwd->pw_uid >= user_id) { + if (pwd->pw_uid > uid_max) + continue; + user_id = pwd->pw_uid + 1; + } + /* create index of occupied system accounts UIDs */ +- if (!uflg && rflg && (pwd->pw_uid <= uid_max)) ++ if (rflg && (pwd->pw_uid <= uid_max)) + index[pwd->pw_uid] = 1; + + } + + /* find free system account */ +- if(!uflg && rflg) { ++ if(rflg) { + for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); + if ( user_id < uid_min 
) { + fprintf (stderr, _("%s: can't get unique UID\n"), Prog); + fail_exit (E_UID_IN_USE); +- } ++ } + } + + /* +@@ -930,7 +908,7 @@ + * free UID starting with UID_MIN (it's O(n*n) but can be avoided + * by not having users with UID equal to UID_MAX). --marekm + */ +- if (!uflg && user_id == uid_max + 1) { ++ if (user_id == uid_max + 1) { + for (user_id = uid_min; user_id < uid_max; user_id++) { + #ifdef NO_GETPWENT + pw_rewind (); +@@ -1590,9 +1568,6 @@ + struct passwd pwent; + struct spwd spent; + +- if (!oflg) +- find_new_uid (); +- + /* + * Fill in the password structure with any new fields, making + * copies of strings. +@@ -1911,7 +1886,17 @@ + /* first, seek for a valid uid to use for this user. + * We do this because later we can use the uid we found as + * gid too ... --gafton */ +- find_new_uid (); ++ if (!uflg) ++ find_new_uid (); ++ else { ++ if (getpwuid (user_id)) { ++ fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, user_id, 0); ++#endif ++ exit (E_UID_IN_USE); ++ } ++ } + } + + /* do we have to add a group for that user? This is why we need to diff --git a/shadow-utils.spec b/shadow-utils.spec index cd88bd8..741f052 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 13%{?dist} +Release: 14%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 @@ -26,7 +26,7 @@ Patch10: shadow-4.0.18.1-overflow.patch Patch11: shadow-4.0.17-useradd.patch Patch12: shadow-4.0.18.1-appendOption.patch Patch13: shadow-4.0.18.1-sysAccount.patch - +Patch14: shadow-4.0.18.1-findNewUidOnce.patch License: BSD Group: System Environment/Base BuildRequires: autoconf, automake, libtool, gettext-devel 
@@ -68,6 +68,7 @@ cp %{SOURCE3} lib/nscd.c %patch11 -p1 -b .useradd %patch12 -p1 -b .appendOption %patch13 -p1 -b .sysAccount +%patch14 -p1 -b .findNewUidOnce rm po/*.gmo rm po/stamp-po @@ -223,6 +224,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/*/man8/faillog.8* %changelog +* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 +- do not run find_new_uid() twice and use getpwuid() to check + UID uniqueness (#236871) + * Tue Apr 10 2007 Peter Vrabec 2:4.0.18.1-13 - fix useradd dump core when build without WITH_SELINUX (#235641) From b061ab3bdf487fb7be2315fdeec42ce91cd476eb Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 5 Jun 2007 14:50:50 +0000 Subject: [PATCH 005/151] fix infinitive loop if there are duplicate entries in /etc/group (#240915) --- shadow-4.0.18.1-groupLoop.patch | 178 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 8 +- 2 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 shadow-4.0.18.1-groupLoop.patch diff --git a/shadow-4.0.18.1-groupLoop.patch b/shadow-4.0.18.1-groupLoop.patch new file mode 100644 index 0000000..28c8c6b --- /dev/null +++ b/shadow-4.0.18.1-groupLoop.patch 
@@ -0,0 +1,178 @@ +--- shadow-4.0.18.1/src/usermod.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/src/usermod.c 2007-05-25 11:51:33.000000000 +0200 +@@ -628,7 +628,7 @@ + continue; + + changed = 0; +- if (!gr_update (ngrp)) { ++ if (!gr_update_entry (grp, ngrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + SYSLOG ((LOG_ERR, "error adding group entry")); +@@ -770,7 +770,7 @@ + /* + * Update the group entry to reflect the changes. + */ +- if (!sgr_update (nsgrp)) { ++ if (!sgr_update_entry (sgrp, nsgrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + SYSLOG ((LOG_ERR, "error adding shadow group entry")); +--- shadow-4.0.18.1/src/userdel.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/src/userdel.c 2007-05-25 11:51:33.000000000 +0200 +@@ -153,7 +153,7 @@ + exit (13); /* XXX */ + } + ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); +- if (!gr_update (ngrp)) ++ if (!gr_update_entry (grp, ngrp)) + fprintf (stderr, + _("%s: error updating group entry\n"), Prog); + +@@ -252,7 +252,7 @@ + if (was_admin) + nsgrp->sg_adm = del_list (nsgrp->sg_adm, user_name); + +- if (!sgr_update (nsgrp)) ++ if (!sgr_update_entry (sgrp, nsgrp)) + fprintf (stderr, + _("%s: error updating group entry\n"), Prog); + #ifdef WITH_AUDIT +--- shadow-4.0.18.1/src/useradd.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/src/useradd.c 2007-05-25 11:54:28.000000000 +0200 +@@ -727,30 +727,6 @@ + struct sgrp *nsgrp; + #endif + +- /* +- * Test for unique entries of user_groups in /etc/group +- * pvrabec@redhat.com +- */ +- char **user_groups_tmp = user_groups; +- +- while (*user_groups_tmp) { +- int count = 0; +- +- for (gr_rewind (), grp = gr_next (); grp && count < 2; +- grp = gr_next ()) { +- if (strcmp (*user_groups_tmp, grp->gr_name) == 0) { +- count++; +- } +- } +- if (count > 1) { +- fprintf (stderr, +- "%s: error not unique group names in group file\n", +- Prog); +- fail_exit 
(E_GRP_UPDATE); +- } +- user_groups_tmp++; +- } +- + /* Locking and opening of the group files moved to open_files() --gafton */ + + /* +@@ -780,7 +756,7 @@ + * update the group entry to reflect the change. + */ + ngrp->gr_mem = add_list (ngrp->gr_mem, user_name); +- if (!gr_update (ngrp)) { ++ if (!gr_update_entry (grp, ngrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); +@@ -828,7 +804,7 @@ + * update the group entry to reflect the change. + */ + nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_name); +- if (!sgr_update (nsgrp)) { ++ if (!sgr_update_entry (sgrp, nsgrp)) { + fprintf (stderr, + _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); +--- shadow-4.0.18.1/lib/sgroupio.c.groupLoop 2005-08-31 19:24:56.000000000 +0200 ++++ shadow-4.0.18.1/lib/sgroupio.c 2007-05-25 11:51:33.000000000 +0200 +@@ -146,6 +146,13 @@ + return commonio_update (&gshadow_db, (const void *) sg); + } + ++int sgr_update_entry(const struct sgrp *oldgr, const struct sgrp *newgr) ++{ ++ return commonio_update_entry(&gshadow_db, (const void *) oldgr, ++ (const void *) newgr); ++} ++ ++ + int sgr_remove (const char *name) + { + return commonio_remove (&gshadow_db, name); +--- shadow-4.0.18.1/lib/groupio.c.groupLoop 2005-08-31 19:24:56.000000000 +0200 ++++ shadow-4.0.18.1/lib/groupio.c 2007-05-25 11:51:33.000000000 +0200 +@@ -128,6 +128,12 @@ + return commonio_remove (&group_db, name); + } + ++int gr_update_entry(const struct group *oldgr, const struct group *newgr) ++{ ++ return commonio_update_entry(&group_db, (const void *) oldgr, ++ (const void *) newgr); ++} ++ + int gr_rewind (void) + { + return commonio_rewind (&group_db); +--- shadow-4.0.18.1/lib/sgroupio.h.groupLoop 2005-03-31 07:14:49.000000000 +0200 ++++ shadow-4.0.18.1/lib/sgroupio.h 2007-05-25 11:51:33.000000000 +0200 +@@ -11,4 +11,5 @@ + extern int sgr_rewind (void); + extern int sgr_unlock (void); + extern int sgr_update (const struct sgrp *); ++extern 
int sgr_update_entry(const struct sgrp *oldgr, const struct sgrp *newgr); + extern int sgr_sort (void); +--- shadow-4.0.18.1/lib/commonio.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 ++++ shadow-4.0.18.1/lib/commonio.c 2007-05-25 11:51:33.000000000 +0200 +@@ -826,6 +826,36 @@ + return 1; + } + ++int commonio_update_entry(struct commonio_db *db, const void *oldgr, ++ const void *newgr) ++{ ++ struct commonio_entry *tmp; ++ ++ if (!db->isopen || db->readonly) { ++ errno = EINVAL; ++ return 0; ++ } ++ ++ tmp = db->head; ++ while (tmp != NULL) { ++ if (oldgr == tmp->eptr) ++ break; ++ tmp = tmp->next; ++ } ++ ++ /* Didn't find this in the database; hop out */ ++ if (tmp == NULL) ++ return 0; ++ ++ tmp->eptr = db->ops->dup(newgr); ++ if (tmp->eptr == NULL) ++ return 1; ++ tmp->changed = 1; ++ ++ db->changed = 1; ++ ++ return 1; ++} + + void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p) + { +--- shadow-4.0.18.1/lib/groupio.h.groupLoop 2005-03-31 07:14:49.000000000 +0200 ++++ shadow-4.0.18.1/lib/groupio.h 2007-05-25 11:51:33.000000000 +0200 +@@ -10,4 +10,6 @@ + extern int gr_rewind (void); + extern int gr_unlock (void); + extern int gr_update (const struct group *); ++extern int gr_update_entry(const struct group *oldgr, const struct group *newgr); + extern int gr_sort (void); ++ diff --git a/shadow-utils.spec b/shadow-utils.spec index 741f052..fb494ae 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 14%{?dist} +Release: 15%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 
@@ -27,6 +27,7 @@ Patch11: shadow-4.0.17-useradd.patch Patch12: shadow-4.0.18.1-appendOption.patch Patch13: shadow-4.0.18.1-sysAccount.patch Patch14: shadow-4.0.18.1-findNewUidOnce.patch +Patch15: shadow-4.0.18.1-groupLoop.patch License: BSD Group: System Environment/Base BuildRequires: autoconf, automake, libtool, gettext-devel @@ -69,6 +70,7 @@ cp %{SOURCE3} lib/nscd.c %patch12 -p1 -b .appendOption %patch13 -p1 -b .sysAccount %patch14 -p1 -b .findNewUidOnce +%patch15 -p1 -b .groupLoop rm po/*.gmo rm po/stamp-po @@ -224,6 +226,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/*/man8/faillog.8* %changelog +* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-15 +- fix infinitive loop if there are duplicate entries + in /etc/group (#240915) + * Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 - do not run find_new_uid() twice and use getpwuid() to check UID uniqueness (#236871) From 00fc3d1cfbf5362b9aeb370d13b297c3a8e77fac Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 26 Jun 2007 14:22:36 +0000 Subject: [PATCH 006/151] fix "CAVEATS" section of groupadd man page (#245590) --- shadow-4.0.14-goodname.patch | 45 +++++++++++++++++++++++++----------- shadow-utils.spec | 5 +++- 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/shadow-4.0.14-goodname.patch b/shadow-4.0.14-goodname.patch index 6b3bc78..e49adbb 100644 --- a/shadow-4.0.14-goodname.patch +++ b/shadow-4.0.14-goodname.patch 
@@ -1,16 +1,5 @@ ---- shadow-4.0.14/man/useradd.8.goodname 2006-01-05 17:54:26.000000000 +0100 -+++ shadow-4.0.14/man/useradd.8 2006-01-05 18:01:18.000000000 +0100 -@@ -166,8 +166,6 @@ - Similarly, if the username already exists in an external user database such as NIS, - \fBuseradd\fR - will deny the user account creation request. --.PP --Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] - .SH "FILES" - .TP - \fI/etc/passwd\fR ---- shadow-4.0.14/libmisc/chkname.c.goodname 2005-08-31 19:24:57.000000000 +0200 -+++ shadow-4.0.14/libmisc/chkname.c 2006-01-05 17:59:45.000000000 +0100 +--- shadow-4.0.18.1/libmisc/chkname.c.goodname 2005-08-31 19:24:57.000000000 +0200 ++++ shadow-4.0.18.1/libmisc/chkname.c 2007-06-26 16:20:40.000000000 +0200 @@ -18,16 +18,24 @@ static int good_name (const char *name) { 
@@ -75,3 +64,33 @@ return 0; return good_name (name); +--- shadow-4.0.18.1/man/groupadd.8.goodname 2007-06-26 16:20:40.000000000 +0200 ++++ shadow-4.0.18.1/man/groupadd.8 2007-06-26 16:22:05.000000000 +0200 +@@ -73,15 +73,11 @@ + Shadow password suite configuration. + .SH "CAVEATS" + .PP +-Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] +-.PP +-Groupnames may only be up to 16 characters long. ++Groupnames may only be up to 32 characters long. + .PP + If the groupname already exists in an external group database such as NIS, + \fBgroupadd\fR + will deny the group creation request. +-.PP +-Groupnames may only be up to 16 characters long. + .SH "EXIT VALUES" + .PP + The +--- shadow-4.0.18.1/man/useradd.8.goodname 2007-06-26 16:20:40.000000000 +0200 ++++ shadow-4.0.18.1/man/useradd.8 2007-06-26 16:20:40.000000000 +0200 +@@ -179,8 +179,6 @@ + Similarly, if the username already exists in an external user database such as NIS, + \fBuseradd\fR + will deny the user account creation request. +-.PP +-Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] + .SH "FILES" + .TP 3n + \fI/etc/passwd\fR diff --git a/shadow-utils.spec b/shadow-utils.spec index 11da702..3d853f6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 15%{?dist} +Release: 16%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 
@@ -227,6 +227,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/*/man8/faillog.8* %changelog +* Tue Jun 26 2007 Peter Vrabec 2:4.0.18.1-16 +- fix "CAVEATS" section of groupadd man page (#245590) + * Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-15 - fix infinitive loop if there are duplicate entries in /etc/group (#240915) From 86ed9074113cb18edd0d736054539a827efa4cd4 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 22 Aug 2007 15:44:51 +0000 Subject: [PATCH 007/151] rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 3d853f6..c04bef8 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 16%{?dist} +Release: 17%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 @@ -227,6 +227,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/*/man8/faillog.8* %changelog +* Wed Aug 22 2007 Peter Vrabec 2:4.0.18.1-17 +- rebuild + * Tue Jun 26 2007 Peter Vrabec 2:4.0.18.1-16 - fix "CAVEATS" section of groupadd man page (#245590) From 85535f3d9738cb5e31db7509d9c54e50248a02c2 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 8 Oct 2007 17:46:20 +0000 Subject: [PATCH 008/151] localized man pages marked with %lang --- shadow-utils.spec | 31 ++++++++++--------------------- 1 file changed, 10 insertions(+), 21 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index c04bef8..b7159d4 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 17%{?dist} +Release: 18%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 
@@ -161,6 +161,12 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* %find_lang shadow +find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete +for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do + dir=$(echo $dir | sed -e "s|^$RPM_BUILD_ROOT||") + lang=$(basename $dir) + echo "%%lang($lang) $dir/man*/*" >> shadow.lang +done %clean rm -rf $RPM_BUILD_ROOT @@ -186,47 +192,30 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/chpasswd %{_sbindir}/newusers %{_mandir}/man1/chage.1* -%{_mandir}/*/man1/chage.1* %{_mandir}/man1/gpasswd.1* -%{_mandir}/*/man1/gpasswd.1* %{_mandir}/man1/sg.1* -%{_mandir}/*/man1/sg.1* %{_mandir}/man1/newgrp.1* -%{_mandir}/*/man1/newgrp.1* %{_mandir}/man3/shadow.3* -%{_mandir}/*/man3/shadow.3* %{_mandir}/man3/getspnam.3* -%{_mandir}/*/man3/getspnam.3* %{_mandir}/man5/shadow.5* -%{_mandir}/*/man5/shadow.5* %{_mandir}/man5/login.defs.5* -%{_mandir}/*/man5/login.defs.5* %{_mandir}/man5/gshadow.5* -%{_mandir}/*/man5/gshadow.5* %{_mandir}/man5/faillog.5* -%{_mandir}/*/man5/faillog.5* %{_mandir}/man8/adduser.8* -%{_mandir}/*/man8/adduser.8* %{_mandir}/man8/group*.8* -%{_mandir}/*/man8/group*.8* %{_mandir}/man8/user*.8* -%{_mandir}/*/man8/user*.8* %{_mandir}/man8/pwck.8* -%{_mandir}/*/man8/pwck.8* %{_mandir}/man8/grpck.8* -%{_mandir}/*/man8/grpck.8* %{_mandir}/man8/chpasswd.8* -%{_mandir}/*/man8/chpasswd.8* %{_mandir}/man8/newusers.8* -%{_mandir}/*/man8/newusers.8* %{_mandir}/man8/*conv.8* -%{_mandir}/*/man8/*conv.8* %{_mandir}/man8/lastlog.8* -%{_mandir}/*/man8/lastlog.8* %{_mandir}/man8/faillog.8* -%{_mandir}/*/man8/faillog.8* %changelog +* Mon Oct 08 2007 Peter Vrabec 2:4.0.18.1-18 +- mark localized man pages with %%lang + * Wed Aug 22 2007 Peter Vrabec 2:4.0.18.1-17 - rebuild From 96de9ca62a5a960988ccff642fb3c459fda92e76 Mon Sep 17 00:00:00 2001 
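Review bot: The new %install loop (`@@ -161,6 +161,12 @@`) builds the language list from `$(ls -1d …/{??,??_??})`, so it depends on parsing ls output, on brace expansion (absent if the build shell is not bash), and on at least one directory matching; if none does, ls prints an error and the loop quietly iterates over nothing. Iterating a glob directly avoids all three: `for dir in $RPM_BUILD_ROOT%{_mandir}/?? $RPM_BUILD_ROOT%{_mandir}/??_?? ; do`, then `[ -d "$dir" ] || continue`, and `dir=${dir#$RPM_BUILD_ROOT}` in place of the sed. The `find … -empty -delete` must stay ahead of this loop, otherwise empty locale directories end up listed; a one-line comment saying so would keep a later reorder from breaking it.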
From: Bill Nottingham Date: Mon, 15 Oct 2007 19:22:59 +0000 Subject: [PATCH 009/151] makefile update to properly grab makefile.common --- Makefile | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index bb1e7db..d05310b 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,21 @@ # Makefile for source rpm: shadow-utils -# $Id: Makefile,v 1.1 2004/09/09 12:21:12 cvsdist Exp $ +# $Id: Makefile,v 1.3 2005/08/05 11:53:21 pvrabec Exp $ NAME := shadow-utils SPECFILE = $(firstword $(wildcard *.spec)) -include ../common/Makefile.common +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attempt a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) From 7a19049eec8e7228b7220bb51a76abfbd64bcf0d Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 18 Oct 2007 10:38:36 +0000 Subject: [PATCH 010/151] fix timestamps when moving home dirs to another file system (#278571) --- shadow-4.0.18.1-mtime.patch | 117 ++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 ++- 2 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 shadow-4.0.18.1-mtime.patch diff --git a/shadow-4.0.18.1-mtime.patch b/shadow-4.0.18.1-mtime.patch new file mode 100644 index 0000000..d0c94ce --- /dev/null +++ b/shadow-4.0.18.1-mtime.patch 
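Review bot: In `find-makefile-common` the writable test reads `-w $$/Makefile.common`; the `d` is missing, so after make turns `$$` into `$` the shell tests a literal `$/Makefile.common`, the condition is always false and `cvs -Q update` never runs — it should be `if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then`. In `checkout-makefile-common`, `exit -1` is not a valid exit status (it ends up as 255 or a shell error); use `exit 1`. Both recipes fetch from the CVS root named in `CVS/Root` as a side effect of a plain `make`, which is presumably intended for the Fedora CVS layout, but a comment at the top of the block saying so would stop a build outside that environment from reaching for the network unexpectedly.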
@@ -0,0 +1,117 @@ +diff -up shadow-4.0.18.1/libmisc/copydir.c.utime shadow-4.0.18.1/libmisc/copydir.c +--- shadow-4.0.18.1/libmisc/copydir.c.utime 2007-10-16 11:36:54.000000000 +0200 ++++ shadow-4.0.18.1/libmisc/copydir.c 2007-10-18 11:59:22.000000000 +0200 +@@ -33,6 +33,7 @@ + + #include + #include ++#include + #include + #include + #include "prototypes.h" +@@ -154,6 +155,7 @@ int copy_tree (const char *src_root, con + struct DIRECT *ent; + struct stat sb; + struct link_name *lp; ++ struct timeval mt[2]; + DIR *dir; + + /* +@@ -215,6 +217,18 @@ int copy_tree (const char *src_root, con + if (LSTAT (src_name, &sb) == -1) + continue; + ++#if defined(_BSD_SOURCE) || defined(_SVID_SOURCE) ++ mt[0].tv_sec = sb.st_atim.tv_sec; ++ mt[0].tv_usec = sb.st_atim.tv_nsec / 1000; ++ mt[1].tv_sec = sb.st_mtim.tv_sec; ++ mt[1].tv_usec = sb.st_mtim.tv_nsec / 1000; ++#else ++ mt[0].tv_sec = sb.st_atime; ++ mt[0].tv_usec = sb.st_atimensec / 1000; ++ mt[1].tv_sec = sb.st_mtime; ++ mt[1].tv_usec = sb.st_mtimensec / 1000; ++#endif ++ + if (S_ISDIR (sb.st_mode)) { + + /* +@@ -230,10 +244,12 @@ int copy_tree (const char *src_root, con + uid == (uid_t) - 1 ? sb.st_uid : uid, + gid == (gid_t) - 1 ? sb.st_gid : gid) + || chmod (dst_name, sb.st_mode) +- || copy_tree (src_name, dst_name, uid, gid)) { ++ || copy_tree (src_name, dst_name, uid, gid) ++ || utimes (dst_name, mt)) { + err++; + break; + } ++ + continue; + } + #ifdef S_IFLNK +@@ -270,13 +286,21 @@ int copy_tree (const char *src_root, con + #ifdef WITH_SELINUX + selinux_file_context (dst_name); + #endif +- if (symlink (oldlink, dst_name) || +- lchown (dst_name, ++ if (symlink (oldlink, dst_name) ++ || lchown (dst_name, + uid == (uid_t) - 1 ? sb.st_uid : uid, + gid == (gid_t) - 1 ? 
sb.st_gid : gid)) { + err++; + break; + } ++ ++ /* 2007-10-18: We don't care about ++ * exit status of lutimes because ++ * it returns ENOSYS on many system ++ * - not implemented ++ */ ++ lutimes (dst_name, mt); ++ + continue; + } + #endif +@@ -314,10 +338,12 @@ int copy_tree (const char *src_root, con + || chown (dst_name, + uid == (uid_t) - 1 ? sb.st_uid : uid, + gid == (gid_t) - 1 ? sb.st_gid : gid) +- || chmod (dst_name, sb.st_mode & 07777)) { ++ || chmod (dst_name, sb.st_mode & 07777) ++ || utimes (dst_name, mt)) { + err++; + break; + } ++ + continue; + } + +@@ -343,14 +369,25 @@ int copy_tree (const char *src_root, con + err++; + break; + } ++ + while ((cnt = read (ifd, buf, sizeof buf)) > 0) { + if (write (ofd, buf, cnt) != cnt) { + cnt = -1; + break; + } + } ++ + close (ifd); +- close (ofd); ++ ++ if (futimes (ofd, mt) != 0) { ++ err++; ++ break; ++ } ++ ++ if (close (ofd) != 0) { ++ err++; ++ break; ++ } + + if (cnt == -1) { + err++; diff --git a/shadow-utils.spec b/shadow-utils.spec index b7159d4..b783e2b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 18%{?dist} +Release: 19%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 @@ -28,6 +28,7 @@ Patch12: shadow-4.0.18.1-appendOption.patch Patch13: shadow-4.0.18.1-sysAccount.patch Patch14: shadow-4.0.18.1-findNewUidOnce.patch Patch15: shadow-4.0.18.1-groupLoop.patch +Patch16: shadow-4.0.18.1-mtime.patch License: BSD Group: System Environment/Base @@ -72,6 +73,7 @@ cp %{SOURCE3} lib/nscd.c %patch13 -p1 -b .sysAccount %patch14 -p1 -b .findNewUidOnce %patch15 -p1 -b .groupLoop +%patch16 -p1 -b .mtime rm po/*.gmo rm po/stamp-po 
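Review bot: In the regular-file branch at the end of the new copydir.c patch, a failing `futimes (ofd, mt)` breaks out of the loop while `ofd` is still open, so the output descriptor leaks on that error path, whereas the replaced code closed it unconditionally; close before breaking: `if (futimes (ofd, mt) != 0) { close (ofd); err++; break; }`. The same branch now calls `futimes` even when the read/write loop already failed (`cnt == -1`), which is harmless but checking `cnt` first would report the error at its source. The comment on the ignored `lutimes` result is good; stating the consequence would make it stronger, e.g. `/* symlink timestamps are best-effort: lutimes() may return ENOSYS */`. copy_tree starts and ends outside this hunk.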
@@ -213,6 +215,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/faillog.8*
 %changelog
+* Thu Oct 18 2007 Peter Vrabec 2:4.0.18.1-19
+- fix timestamps when moving home dirs to another file system (#278571)
+
 * Mon Oct 08 2007 Peter Vrabec 2:4.0.18.1-18
 - mark localized man pages with %%lang
From 1bed2658979fe788d7d9f6540bc2f61ec4b361a5 Mon Sep 17 00:00:00 2001
From: Peter Vrabec
Date: Thu, 29 Nov 2007 15:08:46 +0000
Subject: [PATCH 011/151] do not create mail spool entries for system accounts (#402351)
---
 shadow-4.0.17-redhat.patch | 318 ++++++++++++------------
 shadow-4.0.17-useradd.patch | 482 ++++++++++++++++++------------------
 shadow-utils.spec | 5 +-
 3 files changed, 408 insertions(+), 397 deletions(-)
diff --git a/shadow-4.0.17-redhat.patch b/shadow-4.0.17-redhat.patch
index 84280c6..455af08 100644
--- a/shadow-4.0.17-redhat.patch
+++ b/shadow-4.0.17-redhat.patch
@@ -1,5 +1,85 @@ +--- shadow-4.0.18.1/man/newusers.8.redhat 2006-07-30 22:54:08.000000000 +0200 ++++ shadow-4.0.18.1/man/newusers.8 2007-11-29 15:08:49.000000000 +0100 +@@ -35,6 +35,8 @@ This field may be the name of an existin + This field will be checked for existence as a directory and a new directory with the same name will be created if it does not already exist. The ownership of the directory will be set to be that of the user being created or updated. + .PP + This command is intended to be used in a large system environment where many accounts are updated at a single time. ++.PP ++Default encryption algorithm is DES, but this setting can be changed in \fI/etc/login.defs\fR. Red Hat uses MD5 to encrypt passwords by default. + .SH "CAVEATS" + .PP + The input file must be protected since it contains unencrypted passwords. +--- shadow-4.0.18.1/man/useradd.8.redhat 2006-07-30 22:54:26.000000000 +0200 ++++ shadow-4.0.18.1/man/useradd.8 2007-11-29 15:08:49.000000000 +0100 +@@ -25,7 +25,7 @@ When invoked without the + \fB\-D\fR + option, the + \fBuseradd\fR +-command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files. ++command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. + .SH "OPTIONS" + .PP + The options which apply to the +@@ -65,7 +65,7 @@ The date on which the user account will + The number of days after a password expires until the account is permanently disabled. 
A value of 0 disables the account as soon as the password has expired, and a value of \-1 disables the feature. The default value is \-1. + .TP 3n + \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR +-The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is 1 or whatever is specified in ++The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. + \fI/etc/default/useradd\fR. + .TP 3n + \fB\-G\fR, \fB\-\-groups\fR \fIGROUP1\fR[\fI,GROUP2,...\fR[\fI,GROUPN\fR]]] +@@ -76,6 +76,9 @@ option. The default is for the user to b + \fB\-h\fR, \fB\-\-help\fR + Display help message and exit. + .TP 3n ++\fB-M\fR ++The user's home directory will not be created, even if the system wide settings from \fI/etc/login.defs\fR is to create home dirs. ++.TP 3n + \fB\-m\fR, \fB\-\-create\-home\fR + The user's home directory will be created if it does not exist. The files contained in + \fISKEL_DIR\fR +@@ -93,6 +96,9 @@ option is only valid in conjunction with + \fB\-m\fR + option. The default is to not create the directory and to not copy any files. + .TP 3n ++\fB-n\fR ++A group having the same name as the user being added to the system will be created by default. This option will turn off this Red Hat Linux specific behavior. When this option is used, users by default will be placed in whatever group is specified in \fI/etc/default/useradd\fR. If no default group is defined, group 1 will be used. ++.TP 3n + \fB\-K\fR, \fB\-\-key\fR \fIKEY\fR=\fIVALUE\fR + Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others). + +@@ -118,6 +124,9 @@ Allow the creation of a user account wit + The encrypted password, as returned by + \fBcrypt\fR(3). The default is to disable the account. + .TP 3n ++\fB-r\fR ++This flag is used to create a system account. 
That is, a user with a UID lower than the value of UID_MIN defined in \fI/etc/login.defs\fR and whose password does not expire. Note that \fBuseradd\fR will not create a home directory for such an user, regardless of the default setting in \fI/etc/login.defs\fR. You have to specify \fB-m\fR option if you want a home directory for a system account to be created. This is an option added by Red Hat ++.TP 3n + \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR + The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell. + .TP 3n +@@ -161,6 +170,8 @@ displays the current default values. + The system administrator is responsible for placing the default user files in the + \fI/etc/skel/\fR + directory. ++.br ++This version of useradd was modified by Red Hat to suit Red Hat user/group conventions. + .SH "CAVEATS" + .PP + You may not add a user to a NIS group. This must be performed on the NIS server. +@@ -181,6 +192,9 @@ Secure user account information. + \fI/etc/group\fR + Group account information. + .TP 3n ++\fI/etc/gshadow\fR ++Secure group account information. ++.TP 3n + \fI/etc/default/useradd\fR + Default values for account creation. + .TP 3n --- shadow-4.0.18.1/man/groupadd.8.redhat 2006-07-30 22:53:48.000000000 +0200 -+++ shadow-4.0.18.1/man/groupadd.8 2006-12-06 16:29:01.000000000 +0100 ++++ shadow-4.0.18.1/man/groupadd.8 2007-11-29 15:08:49.000000000 +0100 @@ -14,7 +14,7 @@ groupadd \- create a new group .SH "SYNOPSIS" @@ -9,7 +89,7 @@ .SH "DESCRIPTION" .PP The -@@ -32,10 +32,13 @@ +@@ -32,10 +32,13 @@ This option causes to just exit with suc \fB\-g\fR is turned off). .TP 3n 
@@ -24,78 +104,9 @@ .TP 3n \fB\-h\fR, \fB\-\-help\fR Display help message and exit. ---- shadow-4.0.18.1/man/useradd.8.redhat 2006-07-30 22:54:26.000000000 +0200 -+++ shadow-4.0.18.1/man/useradd.8 2006-12-06 16:29:01.000000000 +0100 -@@ -25,7 +25,7 @@ - \fB\-D\fR - option, the - \fBuseradd\fR --command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files. -+command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. - .SH "OPTIONS" - .PP - The options which apply to the -@@ -65,7 +65,7 @@ - The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of \-1 disables the feature. The default value is \-1. - .TP 3n - \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR --The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is 1 or whatever is specified in -+The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. - \fI/etc/default/useradd\fR. - .TP 3n - \fB\-G\fR, \fB\-\-groups\fR \fIGROUP1\fR[\fI,GROUP2,...\fR[\fI,GROUPN\fR]]] -@@ -76,6 +76,9 @@ - \fB\-h\fR, \fB\-\-help\fR - Display help message and exit. 
- .TP 3n -+\fB-M\fR -+The user's home directory will not be created, even if the system wide settings from \fI/etc/login.defs\fR is to create home dirs. -+.TP 3n - \fB\-m\fR, \fB\-\-create\-home\fR - The user's home directory will be created if it does not exist. The files contained in - \fISKEL_DIR\fR -@@ -93,6 +96,9 @@ - \fB\-m\fR - option. The default is to not create the directory and to not copy any files. - .TP 3n -+\fB-n\fR -+A group having the same name as the user being added to the system will be created by default. This option will turn off this Red Hat Linux specific behavior. When this option is used, users by default will be placed in whatever group is specified in \fI/etc/default/useradd\fR. If no default group is defined, group 1 will be used. -+.TP 3n - \fB\-K\fR, \fB\-\-key\fR \fIKEY\fR=\fIVALUE\fR - Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others). - -@@ -118,6 +124,9 @@ - The encrypted password, as returned by - \fBcrypt\fR(3). The default is to disable the account. - .TP 3n -+\fB-r\fR -+This flag is used to create a system account. That is, a user with a UID lower than the value of UID_MIN defined in \fI/etc/login.defs\fR and whose password does not expire. Note that \fBuseradd\fR will not create a home directory for such an user, regardless of the default setting in \fI/etc/login.defs\fR. You have to specify \fB-m\fR option if you want a home directory for a system account to be created. This is an option added by Red Hat -+.TP 3n - \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR - The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell. - .TP 3n -@@ -161,6 +170,8 @@ - The system administrator is responsible for placing the default user files in the - \fI/etc/skel/\fR - directory. -+.br -+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions. - .SH "CAVEATS" - .PP - You may not add a user to a NIS group. 
This must be performed on the NIS server. -@@ -181,6 +192,9 @@ - \fI/etc/group\fR - Group account information. - .TP 3n -+\fI/etc/gshadow\fR -+Secure group account information. -+.TP 3n - \fI/etc/default/useradd\fR - Default values for account creation. - .TP 3n --- shadow-4.0.18.1/man/chpasswd.8.redhat 2006-07-30 22:53:40.000000000 +0200 -+++ shadow-4.0.18.1/man/chpasswd.8 2006-12-06 16:24:59.000000000 +0100 -@@ -24,7 +24,7 @@ ++++ shadow-4.0.18.1/man/chpasswd.8 2007-11-29 15:08:49.000000000 +0100 +@@ -24,7 +24,7 @@ reads a list of user name and password p \fIuser_name\fR:\fIpassword\fR .PP 
@@ -104,19 +115,64 @@ .PP This command is intended to be used in a large system environment where many accounts are created at a single time. .SH "OPTIONS" ---- shadow-4.0.18.1/man/newusers.8.redhat 2006-07-30 22:54:08.000000000 +0200 -+++ shadow-4.0.18.1/man/newusers.8 2006-12-06 16:24:59.000000000 +0100 -@@ -35,6 +35,8 @@ - This field will be checked for existence as a directory and a new directory with the same name will be created if it does not already exist. The ownership of the directory will be set to be that of the user being created or updated. - .PP - This command is intended to be used in a large system environment where many accounts are updated at a single time. -+.PP -+Default encryption algorithm is DES, but this setting can be changed in \fI/etc/login.defs\fR. Red Hat uses MD5 to encrypt passwords by default. - .SH "CAVEATS" - .PP - The input file must be protected since it contains unencrypted passwords. +--- shadow-4.0.18.1/src/groupadd.c.redhat 2006-07-28 19:38:52.000000000 +0200 ++++ shadow-4.0.18.1/src/groupadd.c 2007-11-29 15:08:49.000000000 +0100 +@@ -74,6 +74,7 @@ static char *Prog; + static int oflg = 0; /* permit non-unique group ID to be specified with -g */ + static int gflg = 0; /* ID value for the new group */ + static int fflg = 0; /* if group already exists, do nothing and exit(0) */ ++static int rflg = 0; /* for adding system accounts (Red Hat) */ + + /* local function prototypes */ + static void usage (void); +@@ -100,6 +101,7 @@ static void usage (void) + "Options:\n" + " -f, --force force exit with success status if the specified\n" + " group already exists\n" ++ " -r, create system account\n" + " -g, --gid GID use GID for the new group\n" + " -h, --help display this help message and exit\n" + " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" +@@ -198,8 +200,13 @@ static void find_new_gid (void) + const struct group *grp; + gid_t gid_min, gid_max; + +- gid_min = getdef_unum ("GID_MIN", 1000); +- gid_max = getdef_unum 
("GID_MAX", 60000); ++ if (!rflg) { ++ gid_min = getdef_unum ("GID_MIN", 500); ++ gid_max = getdef_unum ("GID_MAX", 60000); ++ } else { ++ gid_min = 1; ++ gid_max = getdef_unum ("GID_MIN", 500) - 1; ++ } + + /* + * Start with some GID value if the user didn't provide us with +@@ -430,7 +437,7 @@ int main (int argc, char **argv) + }; + + while ((c = +- getopt_long (argc, argv, "fg:hK:o", long_options, ++ getopt_long (argc, argv, "frg:hK:o", long_options, + &option_index)) != -1) { + switch (c) { + case 'f': +@@ -443,6 +450,12 @@ int main (int argc, char **argv) + */ + fflg++; + break; ++ case 'r': ++ /* ++ * create a system group ++ */ ++ rflg++; ++ break; + case 'g': + gflg++; + group_id = get_gid (optarg); --- shadow-4.0.18.1/src/useradd.c.redhat 2006-07-28 19:42:48.000000000 +0200 -+++ shadow-4.0.18.1/src/useradd.c 2006-12-06 16:29:01.000000000 +0100 ++++ shadow-4.0.18.1/src/useradd.c 2007-11-29 15:44:39.000000000 +0100 @@ -81,7 +81,7 @@ static gid_t def_group = 100; static const char *def_gname = "other"; @@ -126,7 +182,7 @@ static const char *def_template = SKEL_DIR; static const char *def_create_mail_spool = "no"; -@@ -93,7 +93,7 @@ +@@ -93,7 +93,7 @@ static char def_file[] = USER_DEFAULTS_F #define VALID(s) (strcspn (s, ":\n") == strlen (s)) static const char *user_name = ""; @@ -135,7 +191,7 @@ static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -124,8 +124,10 @@ +@@ -124,8 +124,10 @@ static int Gflg = 0, /* secondary group set for new account */ kflg = 0, /* specify a directory to fill new user directory */ mflg = 0, /* create user's home directory if it doesn't exist */ @@ -147,7 +203,7 @@ sflg = 0, /* shell program for new account */ uflg = 0; /* specify user ID for new account */ -@@ -633,6 +635,8 @@ +@@ -633,6 +635,8 @@ static void usage (void) " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" " -m, --create-home create home directory for the new user\n" " account\n" 
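Review bot: In the groupadd.c usage text on the new side of this hunk, `" -r, create system account\n"` describes a group as an account, and the dangling comma suggests a long option that `long_options` never gets (only `r` is added to the getopt string); `" -r, create system group\n"` or a matching `--system` entry would line up with the other options. In the `rflg` branch of find_new_gid, `gid_max = getdef_unum ("GID_MIN", 500) - 1` wraps to the largest gid_t when login.defs sets GID_MIN to 0 and leaves `gid_max < gid_min` when it is 1; presumably the search that follows then either scans the whole GID space or finds nothing, so a guard such as `if (gid_max < gid_min) { fprintf (stderr, _("%s: invalid GID_MIN for a system group\n"), Prog); exit (E_BAD_ARG); }` before the search would fail clearly. find_new_gid starts outside this hunk.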
@@ -156,7 +212,7 @@ " -o, --non-unique allow create user with duplicate\n" " (non-unique) UID\n" " -p, --password PASSWORD use encrypted password for the new user\n" -@@ -685,11 +689,20 @@ +@@ -685,11 +689,20 @@ static void new_spent (struct spwd *spen spent->sp_namp = (char *) user_name; spent->sp_pwdp = (char *) user_pass; spent->sp_lstchg = time ((time_t *) 0) / SCALE; @@ -182,7 +238,7 @@ spent->sp_flag = -1; } -@@ -837,8 +850,14 @@ +@@ -837,8 +850,14 @@ static void find_new_uid (void) const struct passwd *pwd; uid_t uid_min, uid_max; @@ -199,7 +255,7 @@ /* * Start with some UID value if the user didn't provide us with -@@ -868,7 +887,7 @@ +@@ -868,7 +887,7 @@ static void find_new_uid (void) #endif exit (E_NAME_IN_USE); } @@ -208,7 +264,7 @@ fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); #ifdef WITH_AUDIT -@@ -923,8 +942,13 @@ +@@ -923,8 +942,13 @@ static void find_new_gid () const struct group *grp; gid_t gid_min, gid_max; @@ -224,7 +280,7 @@ /* * Start with some GID value if the user didn't provide us with -@@ -1022,7 +1046,7 @@ +@@ -1022,7 +1046,7 @@ static void process_flags (int argc, cha {NULL, 0, NULL, '\0'} }; while ((c = @@ -233,7 +289,7 @@ long_options, NULL)) != -1) { switch (c) { case 'b': -@@ -1194,6 +1218,15 @@ +@@ -1194,6 +1218,15 @@ static void process_flags (int argc, cha user_id = get_uid (optarg); uflg++; break; @@ -249,7 +305,7 @@ default: usage (); } -@@ -1201,6 +1234,9 @@ +@@ -1201,6 +1234,9 @@ static void process_flags (int argc, cha } } @@ -259,7 +315,7 @@ /* * Certain options are only valid in combination with others. * Check it here so that they can be specified in any order. -@@ -1706,6 +1742,14 @@ +@@ -1706,6 +1742,14 @@ int main (int argc, char **argv) } #endif /* USE_PAM */ 
@@ -274,7 +330,7 @@ /* * See if we are messing with the defaults file, or creating * a new user. -@@ -1736,7 +1780,7 @@ +@@ -1736,7 +1780,7 @@ int main (int argc, char **argv) * to that group, use useradd -g username username. * --bero */ @@ -283,7 +339,7 @@ if (getgrnam (user_name)) { fprintf (stderr, _ -@@ -1787,25 +1831,18 @@ +@@ -1787,27 +1831,22 @@ int main (int argc, char **argv) ("%s: warning: the home directory already exists.\n" "Not copying any file from skel directory into it.\n"), Prog); @@ -306,6 +362,8 @@ - ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"), - Prog); } +- +- create_mail (); + /* Warning removed to protect the innocent. */ + /* + * The whole idea about breaking some stupid scripts by creating a new 
@@ -317,62 +375,10 @@ + * behavior and they will break, but they were broken anyway to begin + * with --gafton + */ ++ ++ /* Do not create mail directory for system accounts */ ++ if( !rflg ) ++ create_mail (); - create_mail (); - ---- shadow-4.0.18.1/src/groupadd.c.redhat 2006-07-28 19:38:52.000000000 +0200 -+++ shadow-4.0.18.1/src/groupadd.c 2006-12-06 16:29:01.000000000 +0100 -@@ -74,6 +74,7 @@ - static int oflg = 0; /* permit non-unique group ID to be specified with -g */ - static int gflg = 0; /* ID value for the new group */ - static int fflg = 0; /* if group already exists, do nothing and exit(0) */ -+static int rflg = 0; /* for adding system accounts (Red Hat) */ - - /* local function prototypes */ - static void usage (void); -@@ -100,6 +101,7 @@ - "Options:\n" - " -f, --force force exit with success status if the specified\n" - " group already exists\n" -+ " -r, create system account\n" - " -g, --gid GID use GID for the new group\n" - " -h, --help display this help message and exit\n" - " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" -@@ -198,8 +200,13 @@ - const struct group *grp; - gid_t gid_min, gid_max; - -- gid_min = getdef_unum ("GID_MIN", 1000); -- gid_max = getdef_unum ("GID_MAX", 60000); -+ if (!rflg) { -+ gid_min = getdef_unum ("GID_MIN", 500); -+ gid_max = getdef_unum ("GID_MAX", 60000); -+ } else { -+ gid_min = 1; -+ gid_max = getdef_unum ("GID_MIN", 500) - 1; -+ } - - /* - * Start with some GID value if the user didn't provide us with -@@ -430,7 +437,7 @@ - }; - - while ((c = -- getopt_long (argc, argv, "fg:hK:o", long_options, -+ getopt_long (argc, argv, "frg:hK:o", long_options, - &option_index)) != -1) { - switch (c) { - case 'f': -@@ -443,6 +450,12 @@ - */ - fflg++; - break; -+ case 'r': -+ /* -+ * create a system group -+ */ -+ rflg++; -+ break; - case 'g': - gflg++; - group_id = get_gid (optarg); + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); 
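Review bot: The added guard `if( !rflg ) create_mail ();` skips the mail spool for system accounts, but the `-r` description added to useradd.8 earlier in this file still says only that no home directory is created; a sentence such as `Note that \fBuseradd\fR will not create a home directory or a mail spool for such a user` would keep the man page in step with the code. The surrounding file writes `if (` with a space and braces the body, so `if (!rflg) {` / `create_mail ();` / `}` would match its style. The enclosing main() starts and ends outside this hunk, and the refreshed useradd.patch later in this commit also relocates `create_mail ()` (its old side under `@@ -103,218 +128,9 @@` removes the earlier copy), so it is worth confirming that the guard survives there; that part of the new patch is cut off at the end of this page.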
diff --git a/shadow-4.0.17-useradd.patch b/shadow-4.0.17-useradd.patch index a800bea..2e61faa 100644 --- a/shadow-4.0.17-useradd.patch +++ b/shadow-4.0.17-useradd.patch @@ -1,5 +1,15 @@ ---- /dev/null 2007-01-16 10:10:52.644263000 +0100 -+++ shadow-4.0.17/libmisc/system.c 2007-01-16 18:24:34.000000000 +0100 +--- shadow-4.0.18.1/libmisc/Makefile.am.useradd 2005-09-05 18:21:37.000000000 +0200 ++++ shadow-4.0.18.1/libmisc/Makefile.am 2007-11-29 15:47:39.000000000 +0100 +@@ -41,6 +41,7 @@ libmisc_a_SOURCES = \ + setugid.c \ + setupenv.c \ + shell.c \ ++ system.c \ + strtoday.c \ + sub.c \ + sulog.c \ +--- shadow-4.0.18.1/libmisc/system.c.useradd 2007-11-29 15:47:39.000000000 +0100 ++++ shadow-4.0.18.1/libmisc/system.c 2007-11-29 15:47:39.000000000 +0100 @@ -0,0 +1,37 @@ +#include + @@ -38,19 +48,9 @@ + exit (-1); +} + ---- shadow-4.0.17/libmisc/Makefile.am.useradd 2005-09-05 18:21:37.000000000 +0200 -+++ shadow-4.0.17/libmisc/Makefile.am 2007-01-16 18:24:34.000000000 +0100 -@@ -41,6 +41,7 @@ - setugid.c \ - setupenv.c \ - shell.c \ -+ system.c \ - strtoday.c \ - sub.c \ - sulog.c \ ---- shadow-4.0.17/libmisc/copydir.c.useradd 2006-07-10 06:35:56.000000000 +0200 -+++ shadow-4.0.17/libmisc/copydir.c 2007-01-16 18:24:34.000000000 +0100 -@@ -54,7 +54,7 @@ +--- shadow-4.0.18.1/libmisc/copydir.c.useradd 2006-07-10 06:35:56.000000000 +0200 ++++ shadow-4.0.18.1/libmisc/copydir.c 2007-11-29 15:47:39.000000000 +0100 +@@ -54,7 +54,7 @@ struct link_name { static struct link_name *links; #ifdef WITH_SELINUX @@ -59,8 +59,8 @@ { security_context_t scontext = NULL; ---- shadow-4.0.17/man/usermod.8.xml.useradd 2006-06-16 18:11:04.000000000 +0200 -+++ shadow-4.0.17/man/usermod.8.xml 2007-01-16 18:24:34.000000000 +0100 +--- shadow-4.0.18.1/man/usermod.8.xml.useradd 2006-07-24 07:48:36.000000000 +0200 ++++ shadow-4.0.18.1/man/usermod.8.xml 2007-11-29 15:47:39.000000000 +0100 @@ -226,6 +226,19 @@ 
@@ -81,8 +81,33 @@ ---- shadow-4.0.17/man/useradd.8.xml.useradd 2006-06-16 18:11:04.000000000 +0200 -+++ shadow-4.0.17/man/useradd.8.xml 2007-01-16 18:24:34.000000000 +0100 +--- shadow-4.0.18.1/man/usermod.8.useradd 2006-07-30 22:54:28.000000000 +0200 ++++ shadow-4.0.18.1/man/usermod.8 2007-11-29 15:47:39.000000000 +0100 +@@ -92,6 +92,10 @@ Unlock a user's password. This removes t + \fB\-p\fR + or + \fB\-L\fR. ++.TP 3n ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default SELinux user. ++ + .SH "CAVEATS" + .PP + +--- shadow-4.0.18.1/man/useradd.8.useradd 2007-11-29 15:46:24.000000000 +0100 ++++ shadow-4.0.18.1/man/useradd.8 2007-11-29 15:47:39.000000000 +0100 +@@ -137,6 +137,9 @@ The name of the user's login shell. The + The numerical value of the user's ID. This value must be unique, unless the + \fB\-o\fR + option is used. The value must be non\-negative. The default is to use the smallest ID value greater than 999 and greater than every other user. Values between 0 and 999 are typically reserved for system accounts. ++.TP 3n ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default SELinux user. + .SS "Changing the default values" + .PP + When invoked with the +--- shadow-4.0.18.1/man/useradd.8.xml.useradd 2006-07-24 07:48:36.000000000 +0200 ++++ shadow-4.0.18.1/man/useradd.8.xml 2007-11-29 15:47:39.000000000 +0100 @@ -251,6 +251,19 @@ 
@@ -103,218 +128,9 @@ ---- shadow-4.0.17/man/useradd.8.useradd 2007-01-16 18:24:34.000000000 +0100 -+++ shadow-4.0.17/man/useradd.8 2007-01-16 18:24:34.000000000 +0100 -@@ -137,6 +137,9 @@ - The numerical value of the user's ID. This value must be unique, unless the - \fB\-o\fR - option is used. The value must be non\-negative. The default is to use the smallest ID value greater than 999 and greater than every other user. Values between 0 and 999 are typically reserved for system accounts. -+.TP 3n -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default SELinux user. - .SS "Changing the default values" - .PP - When invoked with the ---- shadow-4.0.17/man/usermod.8.useradd 2007-01-16 18:24:34.000000000 +0100 -+++ shadow-4.0.17/man/usermod.8 2007-01-16 18:24:34.000000000 +0100 -@@ -90,6 +90,10 @@ - \fB\-p\fR - or - \fB\-L\fR. -+.TP 3n -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default SELinux user. 
-+ - .SH "CAVEATS" - .PP - ---- shadow-4.0.17/lib/prototypes.h.useradd 2006-02-07 17:36:30.000000000 +0100 -+++ shadow-4.0.17/lib/prototypes.h 2007-01-16 18:24:34.000000000 +0100 -@@ -52,6 +52,9 @@ - /* copydir.c */ - extern int copy_tree (const char *, const char *, uid_t, gid_t); - extern int remove_tree (const char *); -+#ifdef WITH_SELINUX -+extern int selinux_file_context (const char *dst_name); -+#endif - - /* encrypt.c */ - extern char *pw_encrypt (const char *, const char *); -@@ -147,6 +150,9 @@ - /* shell.c */ - extern int shell (const char *, const char *, char *const *); - -+/* system.c */ -+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); -+ - /* strtoday.c */ - extern long strtoday (const char *); - ---- shadow-4.0.17/lib/defines.h.useradd 2005-09-05 18:22:03.000000000 +0200 -+++ shadow-4.0.17/lib/defines.h 2007-01-16 18:24:34.000000000 +0100 -@@ -342,4 +342,7 @@ - #include - #endif - -+#ifdef WITH_SELINUX -+#include -+#endif - #endif /* _DEFINES_H_ */ ---- shadow-4.0.17/src/useradd.c.useradd 2007-01-16 18:24:34.000000000 +0100 -+++ shadow-4.0.17/src/useradd.c 2007-01-16 18:24:34.000000000 +0100 -@@ -100,6 +100,7 @@ - static const char *user_home = ""; - static const char *user_shell = ""; - static const char *create_mail_spool = ""; -+static const char *user_selinux = ""; - - static long user_expire = -1; - static int is_shadow_pwd; -@@ -170,6 +171,7 @@ - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static long scale_age (long); - static void new_spent (struct spwd *); -@@ -361,6 +363,7 @@ - def_create_mail_spool = xstrdup (cp); - } - } -+ fclose(fp); - } - - /* -@@ -648,7 +651,10 @@ - " -p, --password PASSWORD use encrypted password for the new user\n" - " account\n" - " -s, --shell SHELL the login shell for the new user account\n" -- " -u, --uid UID force use the UID for the new user 
account\n" -+ " -u, --uid UID force use the UID for the new user account\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" -+#endif - "\n")); - exit (E_USAGE); - } -@@ -1048,11 +1054,18 @@ - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, - {"shell", required_argument, NULL, 's'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"uid", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:", -+#else -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1236,6 +1249,17 @@ - case 'M': - Mflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1603,6 +1627,33 @@ - grp_update (); - } - -+static void selinux_update_mapping () { -+ -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { /* must be done after passwd write() */ -+ const char *argv[7]; -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-a"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "adding SELinux user mapping", user_name, user_id, 0); -+#endif -+ } -+ } -+#endif -+ -+} - /* - * create_home - create the user's home directory - * -@@ -1612,7 +1663,11 @@ - */ - static void 
create_home (void) - { -+ - if (access (user_home, F_OK)) { -+#ifdef WITH_SELINUX -+ selinux_file_context (user_home); -+#endif - /* XXX - create missing parent directories. --marekm */ - if (mkdir (user_home, 0)) { - fprintf (stderr, -@@ -1840,6 +1895,15 @@ - - usr_update (); - -+ create_mail (); -+ -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ -+ close_files (); -+ -+ selinux_update_mapping(); -+ - if (mflg) { - create_home (); - if (home_added) -@@ -1863,13 +1927,6 @@ - * with --gafton - */ - -- create_mail (); -- -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- -- close_files (); -- - #ifdef USE_PAM - if (retval == PAM_SUCCESS) - pam_end (pamh, PAM_SUCCESS); ---- shadow-4.0.17/src/userdel.c.useradd 2007-01-16 18:24:34.000000000 +0100 -+++ shadow-4.0.17/src/userdel.c 2007-01-16 18:24:34.000000000 +0100 -@@ -792,6 +792,17 @@ +--- shadow-4.0.18.1/src/userdel.c.useradd 2007-11-29 15:46:24.000000000 +0100 ++++ shadow-4.0.18.1/src/userdel.c 2007-11-29 15:47:39.000000000 +0100 +@@ -792,6 +792,17 @@ int main (int argc, char **argv) #endif } @@ -332,9 +148,9 @@ /* * Cancel any crontabs or at jobs. Have to do this before we remove * the entry from /etc/passwd. ---- shadow-4.0.17/src/usermod.c.useradd 2007-01-16 18:24:34.000000000 +0100 -+++ shadow-4.0.17/src/usermod.c 2007-01-16 18:29:45.000000000 +0100 -@@ -90,6 +90,7 @@ +--- shadow-4.0.18.1/src/usermod.c.useradd 2007-11-29 15:46:24.000000000 +0100 ++++ shadow-4.0.18.1/src/usermod.c 2007-11-29 15:47:39.000000000 +0100 +@@ -90,6 +90,7 @@ static char *user_comment; static char *user_home; static char *user_newhome; static char *user_shell; @@ -342,7 +158,7 @@ static long user_expire; static long user_inactive; static long sys_ngroups; -@@ -132,6 +133,7 @@ +@@ -132,6 +133,7 @@ static int is_shadow_grp; static int get_groups (char *); static void usage (void); static void new_pwent (struct passwd *); 
@@ -350,7 +166,7 @@ static void new_spent (struct spwd *); static void fail_exit (int); -@@ -301,6 +303,9 @@ +@@ -294,6 +296,9 @@ static void usage (void) " -s, --shell SHELL new login shell for the user account\n" " -u, --uid UID new UID for the user account\n" " -U, --unlock unlock the user account\n" @@ -360,7 +176,7 @@ "\n")); exit (E_USAGE); } -@@ -925,13 +930,20 @@ +@@ -918,13 +923,20 @@ static void process_flags (int argc, cha {"move-home", no_argument, NULL, 'm'}, {"non-unique", no_argument, NULL, 'o'}, {"password", required_argument, NULL, 'p'}, @@ -381,7 +197,7 @@ long_options, NULL)) != -1) { switch (c) { case 'a': -@@ -1080,6 +1092,16 @@ +@@ -1073,6 +1085,16 @@ static void process_flags (int argc, cha Uflg++; break; @@ -398,7 +214,7 @@ default: usage (); } -@@ -1549,6 +1571,8 @@ +@@ -1542,6 +1564,8 @@ int main (int argc, char **argv) if (Gflg || lflg) grp_err = grp_update (); @@ -407,7 +223,7 @@ if (mflg) move_home (); -@@ -1580,3 +1604,62 @@ +@@ -1573,3 +1597,62 @@ int main (int argc, char **argv) exit (E_SUCCESS); /* NOT REACHED */ } 
@@ -470,4 +286,190 @@ + } +#endif +} +--- shadow-4.0.18.1/src/useradd.c.useradd 2007-11-29 15:46:24.000000000 +0100 ++++ shadow-4.0.18.1/src/useradd.c 2007-11-29 15:52:00.000000000 +0100 +@@ -100,6 +100,7 @@ static const char *user_comment = ""; + static const char *user_home = ""; + static const char *user_shell = ""; + static const char *create_mail_spool = ""; ++static const char *user_selinux = ""; + + static long user_expire = -1; + static int is_shadow_pwd; +@@ -170,6 +171,7 @@ static int set_defaults (void); + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); ++static void selinux_update_mapping (void); + + static long scale_age (long); + static void new_spent (struct spwd *); +@@ -354,6 +356,7 @@ static void get_defaults (void) + def_create_mail_spool = xstrdup (cp); + } + } ++ fclose(fp); + } + + /* +@@ -641,7 +644,10 @@ static void usage (void) + " -p, --password PASSWORD use encrypted password for the new user\n" + " account\n" + " -s, --shell SHELL the login shell for the new user account\n" +- " -u, --uid UID force use the UID for the new user account\n" ++ " -u, --uid UID force use the UID for the new user account\n" ++#ifdef WITH_SELINUX ++ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" ++#endif + "\n")); + exit (E_USAGE); + } +@@ -1041,11 +1047,18 @@ static void process_flags (int argc, cha + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, + {"shell", required_argument, NULL, 's'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {"uid", required_argument, NULL, 'u'}, + {NULL, 0, NULL, '\0'} + }; + while ((c = ++#ifdef WITH_SELINUX ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:", ++#else + getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'b': +@@ -1229,6 +1242,17 @@ static void process_flags (int argc, 
cha + case 'M': + Mflg++; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled() > 0) ++ user_selinux = optarg; ++ else { ++ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); + ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -1596,6 +1620,33 @@ static void usr_update (void) + grp_update (); + } + ++static void selinux_update_mapping () { ++ ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() <= 0) return; ++ ++ if (*user_selinux) { /* must be done after passwd write() */ ++ const char *argv[7]; ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-a"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "adding SELinux user mapping", user_name, user_id, 0); ++#endif ++ } ++ } ++#endif ++ ++} + /* + * create_home - create the user's home directory + * +@@ -1605,7 +1656,11 @@ static void usr_update (void) + */ + static void create_home (void) + { ++ + if (access (user_home, F_OK)) { ++#ifdef WITH_SELINUX ++ selinux_file_context (user_home); ++#endif + /* XXX - create missing parent directories. 
--marekm */ + if (mkdir (user_home, 0)) { + fprintf (stderr, +@@ -1833,6 +1888,17 @@ int main (int argc, char **argv) + + usr_update (); + ++ /* Do not create mail directory for system accounts */ ++ if( !rflg ) ++ create_mail (); ++ ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ ++ close_files (); ++ ++ selinux_update_mapping(); ++ + if (mflg) { + create_home (); + if (home_added) +@@ -1856,15 +1922,6 @@ int main (int argc, char **argv) + * with --gafton + */ + +- /* Do not create mail directory for system accounts */ +- if( !rflg ) +- create_mail (); +- +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); +- +- close_files (); +- + #ifdef USE_PAM + if (retval == PAM_SUCCESS) + pam_end (pamh, PAM_SUCCESS); +--- shadow-4.0.18.1/lib/defines.h.useradd 2005-09-05 18:22:03.000000000 +0200 ++++ shadow-4.0.18.1/lib/defines.h 2007-11-29 15:47:39.000000000 +0100 +@@ -342,4 +342,7 @@ extern char *strerror (); + #include + #endif + ++#ifdef WITH_SELINUX ++#include ++#endif + #endif /* _DEFINES_H_ */ +--- shadow-4.0.18.1/lib/prototypes.h.useradd 2006-02-07 17:36:30.000000000 +0100 ++++ shadow-4.0.18.1/lib/prototypes.h 2007-11-29 15:47:39.000000000 +0100 +@@ -52,6 +52,9 @@ extern int is_listed (const char *, cons + /* copydir.c */ + extern int copy_tree (const char *, const char *, uid_t, gid_t); + extern int remove_tree (const char *); ++#ifdef WITH_SELINUX ++extern int selinux_file_context (const char *dst_name); ++#endif + + /* encrypt.c */ + extern char *pw_encrypt (const char *, const char *); +@@ -147,6 +150,9 @@ extern void setup_env (struct passwd *); + /* shell.c */ + extern int shell (const char *, const char *, char *const *); + ++/* system.c */ ++extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); ++ + /* strtoday.c */ + extern long strtoday (const char *); + diff --git a/shadow-utils.spec b/shadow-utils.spec index b783e2b..21cace5 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
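Review bot: The return value of `selinux_file_context (user_home)` added in create_home is discarded, so when setting the file-creation context fails the following `mkdir` still creates the home directory with whatever context the process had, and nothing is reported; the prototypes.h change in this same hunk declares it as returning int, so assuming the usual 0-on-success convention a check such as `if (selinux_file_context (user_home) != 0) fprintf (stderr, _("%s: warning: cannot set SELinux file context for %s\n"), Prog, user_home);` would at least surface it. The same concern applies to selinux_update_mapping: a failed semanage run only prints a warning and, as far as the hunk shows, main goes on to finish normally, so an account can exist without the SELinux mapping the administrator asked for via -Z while useradd still reports success — consider reflecting that in the exit status, or at minimum documenting in the -Z usage text that the mapping is best-effort. As a style point, the definition `static void selinux_update_mapping () {` should be written `static void selinux_update_mapping (void)` to match the prototype declared earlier in the hunk. create_home and main both continue outside the hunk.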
@@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.0.18.1 -Release: 19%{?dist} +Release: 20%{?dist} Epoch: 2 URL: http://shadow.pld.org.pl/ Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 @@ -215,6 +215,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/faillog.8* %changelog +* Thu Nov 29 2007 Peter Vrabec 2:4.0.18.1-20 +- do not create mail spool entries for system accounts (#402351) + * Thu Oct 18 2007 Peter Vrabec 2:4.0.18.1-19 - fix timestamps when moving home dirs to another file system (#278571) From 0b4d54c804390bfb5680353a2f7650b477f0eff0 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Wed, 12 Dec 2007 15:07:44 +0000 Subject: [PATCH 012/151] - new upgrade release from new upstream - provide vipw and vigr --- .cvsignore | 6 +- shadow-4.0.11.1-vipw.patch | 133 ----- shadow-4.0.13-newgrpPwd.patch | 92 ---- shadow-4.0.16-lOption.patch | 58 -- shadow-4.0.17-auditLogging.patch | 15 - shadow-4.0.17-exitValues.patch | 12 - shadow-4.0.17-notInheritFd.patch | 13 - shadow-4.0.18.1-appendOption.patch | 11 - shadow-4.0.18.1-gid.patch | 32 -- shadow-4.0.18.1-groupLoop.patch | 178 ------ shadow-4.0.18.1-overflow.patch | 36 -- shadow-4.0.18.1-useradd | 9 - ...dname.patch => shadow-4.1.0-goodname.patch | 51 +- shadow-4.1.0-lOption.patch | 66 +++ ...-redhat.patch => shadow-4.1.0-redhat.patch | 410 +++++++------- ...seradd.patch => shadow-4.1.0-selinux.patch | 513 +++++++++--------- shadow-utils.spec | 72 +-- sources | 4 +- 18 files changed, 584 insertions(+), 1127 deletions(-) delete mode 100644 shadow-4.0.11.1-vipw.patch delete mode 100644 shadow-4.0.13-newgrpPwd.patch delete mode 100644 shadow-4.0.16-lOption.patch delete mode 100644 shadow-4.0.17-auditLogging.patch delete mode 100644 shadow-4.0.17-exitValues.patch delete mode 100644 shadow-4.0.17-notInheritFd.patch delete mode 100644 shadow-4.0.18.1-appendOption.patch delete mode 100644 shadow-4.0.18.1-gid.patch delete mode 100644 shadow-4.0.18.1-groupLoop.patch delete mode 100644 shadow-4.0.18.1-overflow.patch delete mode 100644 shadow-4.0.18.1-useradd rename shadow-4.0.14-goodname.patch => shadow-4.1.0-goodname.patch (61%) create mode 100644 shadow-4.1.0-lOption.patch rename shadow-4.0.17-redhat.patch => shadow-4.1.0-redhat.patch (54%) rename shadow-4.0.17-useradd.patch => shadow-4.1.0-selinux.patch (65%) diff --git a/.cvsignore b/.cvsignore index 68b3a95..98c0d68 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,5 +1,3 @@ -shadow-4.0.16.tar.bz2 -shadow-4.0.16-nscd.c -shadow-4.0.17.tar.bz2 shadow-4.0.17-login.defs -shadow-4.0.18.1.tar.bz2 +shadow-4.0.18.1-useradd +shadow-4.1.0.tar.bz2 
diff --git a/shadow-4.0.11.1-vipw.patch b/shadow-4.0.11.1-vipw.patch deleted file mode 100644 index 9bc36ee..0000000 --- a/shadow-4.0.11.1-vipw.patch +++ /dev/null 
@@ -1,133 +0,0 @@ ---- shadow-4.0.11.1/src/groupadd.c.vipw 2005-07-19 11:50:45.000000000 +0000 -+++ shadow-4.0.11.1/src/groupadd.c 2005-08-04 15:14:58.000000000 +0000 -@@ -438,6 +451,7 @@ - - int main (int argc, char **argv) - { -+ struct stat s; - #ifdef USE_PAM - pam_handle_t *pamh = NULL; - struct passwd *pampw; -@@ -492,6 +506,11 @@ - OPENLOG ("groupadd"); - #endif /* USE_PAM */ - -+ if (stat("/etc/gtmp", &s) == 0) { -+ fputs("vigr lockfile (/etc/gtmp) is present.\n", stderr); -+ fail_exit(1); -+ } -+ - #ifdef SHADOWGRP - is_shadow_grp = sgr_file_present (); - #endif ---- shadow-4.0.11.1/src/userdel.c.vipw 2005-08-04 15:16:06.000000000 +0000 -+++ shadow-4.0.11.1/src/userdel.c 2005-08-04 15:18:15.000000000 +0000 -@@ -577,6 +577,7 @@ - struct group *grp; - int arg; - int errors = 0; -+ struct stat s; - - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -637,6 +638,11 @@ - - OPENLOG ("userdel"); - -+ if (stat("/etc/ptmp", &s) == 0) { -+ fputs("vipw lockfile (/etc/ptmp) is present.\n", stderr); -+ fail_exit(1); -+ } -+ - is_shadow_pwd = spw_file_present (); - #ifdef SHADOWGRP - is_shadow_grp = sgr_file_present (); ---- shadow-4.0.11.1/src/groupmod.c.vipw 2005-08-04 15:20:09.000000000 +0000 -+++ shadow-4.0.11.1/src/groupmod.c 2005-08-04 15:21:27.000000000 +0000 -@@ -407,6 +407,7 @@ - int main (int argc, char **argv) - { - struct group *grp; -+ struct stat s; - - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -458,6 +459,11 @@ - } - #endif /* USE_PAM */ - -+ if (stat("/etc/gtmp", &s) == 0) { -+ fputs("vigr lockfile (/etc/gtmp) is present.\n", stderr); -+ exit(1); -+ } -+ - OPENLOG ("groupmod"); - - #ifdef SHADOWGRP ---- shadow-4.0.11.1/src/groupdel.c.vipw 2005-08-04 15:22:00.000000000 +0000 -+++ shadow-4.0.11.1/src/groupdel.c 2005-08-04 15:23:10.000000000 +0000 -@@ -222,6 +222,7 @@ - int main (int argc, char **argv) - { - struct group *grp; -+ struct stat s; - - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -276,6 +277,11 @@ - } - #endif /* USE_PAM */ - -+ if 
(stat("/etc/gtmp", &s) == 0) { -+ fputs("vigr lockfile (/etc/gtmp) is present.\n", stderr); -+ exit(1); -+ } -+ - OPENLOG ("groupdel"); - - #ifdef SHADOWGRP ---- shadow-4.0.11.1/src/usermod.c.vipw 2005-08-04 15:23:30.000000000 +0000 -+++ shadow-4.0.11.1/src/usermod.c 2005-08-04 15:25:31.000000000 +0000 -@@ -1224,6 +1224,7 @@ - int main (int argc, char **argv) - { - int grp_err = 0; -+ struct stat s; - - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -1245,6 +1246,12 @@ - user_groups[0] = (char *) 0; - - OPENLOG ("usermod"); -+ -+ if (stat("/etc/ptmp", &s) == 0) { -+ fputs("vipw lockfile (/etc/ptmp) is present.\n", stderr); -+ fail_exit(1); -+ } -+ - - is_shadow_pwd = spw_file_present (); - #ifdef SHADOWGRP ---- shadow-4.0.11.1/src/useradd.c.vipw 2005-08-04 15:25:54.000000000 +0000 -+++ shadow-4.0.11.1/src/useradd.c 2005-08-04 15:28:42.000000000 +0000 -@@ -1651,6 +1651,7 @@ - - int main (int argc, char **argv) - { -+ struct stat s; - #ifdef USE_PAM - pam_handle_t *pamh = NULL; - struct passwd *pampw; -@@ -1669,6 +1670,11 @@ - - OPENLOG ("useradd"); - -+ if (stat("/etc/ptmp", &s) == 0) { -+ fputs("vipw lockfile (/etc/ptmp) is present.\n", stderr); -+ fail_exit(1); -+ } -+ - sys_ngroups = sysconf (_SC_NGROUPS_MAX); - user_groups = malloc ((1 + sys_ngroups) * sizeof (char *)); - diff --git a/shadow-4.0.13-newgrpPwd.patch b/shadow-4.0.13-newgrpPwd.patch deleted file mode 100644 index d379973..0000000 --- a/shadow-4.0.13-newgrpPwd.patch +++ /dev/null 
@@ -1,92 +0,0 @@ ---- shadow-4.0.13/src/newgrp.c.newgrpPwd 2005-09-15 18:44:12.000000000 +0200 -+++ shadow-4.0.13/src/newgrp.c 2005-10-21 16:02:16.000000000 +0200 -@@ -333,25 +333,37 @@ int main (int argc, char **argv) - } - #endif - -- /* -- * see if she is a member of this group. If she isn't a member, she -- * needs to provide the group password. If there is no group -- * password, she will be denied access anyway. -- * -- */ -- if (!is_on_list (grp->gr_mem, name)) -- needspasswd = 1; -+ /* Needn't password: -+ * - default user's GID = group ID -+ * - members of group -+ * - root -+ * Need password: -+ * - all others users -+ * -+ * -- Karel Zak 2004/03/29 -+ */ -+ if (getuid ()!=0) -+ { -+ if (grp->gr_gid==pwd->pw_gid) -+ needspasswd = 0; -+ else if (is_on_list (grp->gr_mem, name)) -+ needspasswd = 0; -+ else -+ needspasswd = 1; - - /* - * If she does not have either a shadowed password, or a regular - * password, and the group has a password, she needs to give the - * group password. - */ -- if ((spwd = getspnam (name))) -- pwd->pw_passwd = spwd->sp_pwdp; -- -- if (pwd->pw_passwd[0] == '\0' && grp->gr_passwd[0]) -- needspasswd = 1; -+ if (!needspasswd) -+ { -+ if ((spwd = getspnam (name))) -+ pwd->pw_passwd = spwd->sp_pwdp; -+ if (pwd->pw_passwd[0] == '\0' && grp->gr_passwd[0]) -+ needspasswd = 1; -+ } -+ } - - /* - * Now i see about letting her into the group she requested. If she -@@ -362,7 +374,21 @@ int main (int argc, char **argv) - * Note that she now has to provide the password to her own group, - * unless she is listed as a member. -- JWP - */ -- if (getuid () != 0 && needspasswd) { -+ if (needspasswd) { -+ -+ /* note: the original util-linux newgrp didn't ask for pasword if -+ * there is no password. It's better directly give up. 
-+ * -- kzak@redhat.com -+ */ -+ if (grp->gr_passwd==NULL || grp->gr_passwd[0] == '\0') { -+ /* -+ * there is no password, print out "Sorry" and give up -+ */ -+ sleep (1); -+ fputs (_("Sorry.\n"), stderr); -+ goto failure; -+ } -+ - /* - * get the password from her, and set the salt for - * the decryption from the group file. -@@ -378,15 +404,6 @@ int main (int argc, char **argv) - cpasswd = pw_encrypt (cp, grp->gr_passwd); - strzero (cp); - -- if (grp->gr_passwd[0] == '\0') { -- /* -- * there is no password, print out "Sorry" and give up -- */ -- sleep (1); -- fputs (_("Sorry.\n"), stderr); -- goto failure; -- } -- - if (strcmp (cpasswd, grp->gr_passwd) != 0) { - SYSLOG ((LOG_INFO, - "Invalid password for group `%s' from `%s'", diff --git a/shadow-4.0.16-lOption.patch b/shadow-4.0.16-lOption.patch deleted file mode 100644 index 1202cc5..0000000 --- a/shadow-4.0.16-lOption.patch +++ /dev/null 
@@ -1,58 +0,0 @@ ---- shadow-4.0.17/man/useradd.8.lOption 2006-11-02 18:23:50.000000000 +0100 -+++ shadow-4.0.17/man/useradd.8 2006-11-02 18:23:50.000000000 +0100 -@@ -96,6 +96,9 @@ - \fB\-m\fR - option. The default is to not create the directory and to not copy any files. - .TP 3n -+\fB-l\fR -+Do not add the user to the last login log file. This is an option added by Red Hat. -+.TP 3n - \fB-n\fR - A group having the same name as the user being added to the system will be created by default. This option will turn off this Red Hat Linux specific behavior. When this option is used, users by default will be placed in whatever group is specified in \fI/etc/default/useradd\fR. If no default group is defined, group 1 will be used. - .TP 3n ---- shadow-4.0.17/src/useradd.c.lOption 2006-11-02 18:23:50.000000000 +0100 -+++ shadow-4.0.17/src/useradd.c 2006-11-02 18:26:46.000000000 +0100 -@@ -124,6 +124,7 @@ - Gflg = 0, /* secondary group set for new account */ - kflg = 0, /* specify a directory to fill new user directory */ - mflg = 0, /* create user's home directory if it doesn't exist */ -+ lflg = 0, /* do not add user to lastlog database file */ - Mflg = 0, /* do NOT create user's home directory no matter what */ - nflg = 0, /* do NOT create a group having the same name as the user */ - oflg = 0, /* permit non-unique user ID to be specified with -u */ -@@ -630,6 +631,7 @@ - " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" - " -m, --create-home create home directory for the new user\n" - " account\n" -+ " -l, do not add user to lastlog database file\n" - " -M, do not create user's home directory(overrides /etc/login.defs)\n" - " -r, create system account\n" - " -o, --non-unique allow create user with duplicate\n" -@@ -1041,7 +1043,7 @@ - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMnrop:s:u:", -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ 
-1181,6 +1183,9 @@ - case 'm': - mflg++; - break; -+ case 'l': -+ lflg++; -+ break; - case 'o': - oflg++; - break; -@@ -1549,7 +1554,7 @@ - * no user with this UID exists yet (entries for shared UIDs - * are left unchanged). --marekm - */ -- if (!getpwuid (user_id)) { -+ if (!getpwuid (user_id) && !lflg) { - faillog_reset (user_id); - lastlog_reset (user_id); - } diff --git a/shadow-4.0.17-auditLogging.patch b/shadow-4.0.17-auditLogging.patch deleted file mode 100644 index 54d9f61..0000000 --- a/shadow-4.0.17-auditLogging.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -Nurp shadow-4.0.17.orig/src/useradd.c shadow-4.0.17/src/useradd.c ---- shadow-4.0.17.orig/src/useradd.c 2006-10-02 18:25:30.000000000 +0100 -+++ shadow-4.0.17/src/useradd.c 2006-10-02 18:25:43.000000000 +0100 -@@ -1611,6 +1611,10 @@ static void create_home (void) - _ - ("%s: cannot create directory %s\n"), - Prog, user_home); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "adding home directory", user_name, user_id, 0); -+#endif - fail_exit (E_HOMEDIR); - } - chown (user_home, user_id, user_gid); - diff --git a/shadow-4.0.17-exitValues.patch b/shadow-4.0.17-exitValues.patch deleted file mode 100644 index 6981160..0000000 --- a/shadow-4.0.17-exitValues.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- shadow-4.0.17/man/groupdel.8.exitValues 2006-10-04 22:40:59.000000000 +0200 -+++ shadow-4.0.17/man/groupdel.8 2006-10-04 22:43:51.000000000 +0200 -@@ -45,6 +45,9 @@ - \fI2\fR - invalid command syntax - .TP 3n -+\fI6\fR -+specified group doesn’t exist -+.TP 3n - \fI8\fR - can't remove user's primary group - .TP 3n diff --git a/shadow-4.0.17-notInheritFd.patch b/shadow-4.0.17-notInheritFd.patch deleted file mode 100644 index bf0f600..0000000 --- a/shadow-4.0.17-notInheritFd.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- shadow-4.0.17/lib/commonio.c.fdInherit 2006-08-04 10:56:52.000000000 +0200 -+++ shadow-4.0.17/lib/commonio.c 2006-08-04 11:00:05.000000000 +0200 -@@ -457,6 +457,10 @@ - } - return 0; - } -+ -+ /* not not inherit fd */ -+ fcntl(fileno(db->fp), F_SETFD, FD_CLOEXEC); -+ - #ifdef WITH_SELINUX - db->scontext = NULL; - if ((is_selinux_enabled () > 0) && (!db->readonly)) { diff --git a/shadow-4.0.18.1-appendOption.patch b/shadow-4.0.18.1-appendOption.patch deleted file mode 100644 index f5d8985..0000000 --- a/shadow-4.0.18.1-appendOption.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- shadow-4.0.18.1/src/usermod.c.appendOption 2007-01-14 14:04:29.000000000 +0100 -+++ shadow-4.0.18.1/src/usermod.c 2007-01-14 14:05:04.000000000 +0100 -@@ -905,7 +905,7 @@ - */ - int c; - static struct option long_options[] = { -- {"append", required_argument, NULL, 'a'}, -+ {"append", no_argument, NULL, 'a'}, - {"comment", required_argument, NULL, 'c'}, - {"home", required_argument, NULL, 'd'}, - {"expiredate", required_argument, NULL, 'e'}, diff --git a/shadow-4.0.18.1-gid.patch b/shadow-4.0.18.1-gid.patch deleted file mode 100644 index c622a55..0000000 --- a/shadow-4.0.18.1-gid.patch +++ /dev/null 
@@ -1,32 +0,0 @@ ---- shadow-4.0.18.1/src/useradd.c.gid 2006-11-04 14:09:53.000000000 +0100 -+++ shadow-4.0.18.1/src/useradd.c 2006-11-04 14:15:09.000000000 +0100 -@@ -207,11 +207,8 @@ - char *errptr; - - gid = strtol (grname, &errptr, 10); -- if (*errptr || errno == ERANGE || gid < 0) { -- fprintf (stderr, -- _("%s: invalid numeric argument '%s'\n"), Prog, grname); -- exit (E_BAD_ARG); -- } -+ if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && gid >= 0) -+ return getgrgid (gid); - return getgrnam (grname); - } - ---- shadow-4.0.18.1/src/usermod.c.gid 2006-11-04 14:15:23.000000000 +0100 -+++ shadow-4.0.18.1/src/usermod.c 2006-11-04 14:16:42.000000000 +0100 -@@ -166,11 +166,8 @@ - char *errptr; - - val = strtol (grname, &errptr, 10); -- if (*errptr || errno == ERANGE || val < 0) { -- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, -- grname); -- exit (E_BAD_ARG); -- } -+ if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && val >= 0) -+ return getgrgid (val); - return getgrnam (grname); - } - diff --git a/shadow-4.0.18.1-groupLoop.patch b/shadow-4.0.18.1-groupLoop.patch deleted file mode 100644 index 28c8c6b..0000000 --- a/shadow-4.0.18.1-groupLoop.patch +++ /dev/null 
@@ -1,178 +0,0 @@ ---- shadow-4.0.18.1/src/usermod.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 -+++ shadow-4.0.18.1/src/usermod.c 2007-05-25 11:51:33.000000000 +0200 -@@ -628,7 +628,7 @@ - continue; - - changed = 0; -- if (!gr_update (ngrp)) { -+ if (!gr_update_entry (grp, ngrp)) { - fprintf (stderr, - _("%s: error adding new group entry\n"), Prog); - SYSLOG ((LOG_ERR, "error adding group entry")); -@@ -770,7 +770,7 @@ - /* - * Update the group entry to reflect the changes. - */ -- if (!sgr_update (nsgrp)) { -+ if (!sgr_update_entry (sgrp, nsgrp)) { - fprintf (stderr, - _("%s: error adding new group entry\n"), Prog); - SYSLOG ((LOG_ERR, "error adding shadow group entry")); ---- shadow-4.0.18.1/src/userdel.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 -+++ shadow-4.0.18.1/src/userdel.c 2007-05-25 11:51:33.000000000 +0200 -@@ -153,7 +153,7 @@ - exit (13); /* XXX */ - } - ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); -- if (!gr_update (ngrp)) -+ if (!gr_update_entry (grp, ngrp)) - fprintf (stderr, - _("%s: error updating group entry\n"), Prog); - -@@ -252,7 +252,7 @@ - if (was_admin) - nsgrp->sg_adm = del_list (nsgrp->sg_adm, user_name); - -- if (!sgr_update (nsgrp)) -+ if (!sgr_update_entry (sgrp, nsgrp)) - fprintf (stderr, - _("%s: error updating group entry\n"), Prog); - #ifdef WITH_AUDIT ---- shadow-4.0.18.1/src/useradd.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 -+++ shadow-4.0.18.1/src/useradd.c 2007-05-25 11:54:28.000000000 +0200 -@@ -727,30 +727,6 @@ - struct sgrp *nsgrp; - #endif - -- /* -- * Test for unique entries of user_groups in /etc/group -- * pvrabec@redhat.com -- */ -- char **user_groups_tmp = user_groups; -- -- while (*user_groups_tmp) { -- int count = 0; -- -- for (gr_rewind (), grp = gr_next (); grp && count < 2; -- grp = gr_next ()) { -- if (strcmp (*user_groups_tmp, grp->gr_name) == 0) { -- count++; -- } -- } -- if (count > 1) { -- fprintf (stderr, -- "%s: error not unique group names in group file\n", -- Prog); -- fail_exit 
(E_GRP_UPDATE); -- } -- user_groups_tmp++; -- } -- - /* Locking and opening of the group files moved to open_files() --gafton */ - - /* -@@ -780,7 +756,7 @@ - * update the group entry to reflect the change. - */ - ngrp->gr_mem = add_list (ngrp->gr_mem, user_name); -- if (!gr_update (ngrp)) { -+ if (!gr_update_entry (grp, ngrp)) { - fprintf (stderr, - _("%s: error adding new group entry\n"), Prog); - fail_exit (E_GRP_UPDATE); -@@ -828,7 +804,7 @@ - * update the group entry to reflect the change. - */ - nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_name); -- if (!sgr_update (nsgrp)) { -+ if (!sgr_update_entry (sgrp, nsgrp)) { - fprintf (stderr, - _("%s: error adding new group entry\n"), Prog); - fail_exit (E_GRP_UPDATE); ---- shadow-4.0.18.1/lib/sgroupio.c.groupLoop 2005-08-31 19:24:56.000000000 +0200 -+++ shadow-4.0.18.1/lib/sgroupio.c 2007-05-25 11:51:33.000000000 +0200 -@@ -146,6 +146,13 @@ - return commonio_update (&gshadow_db, (const void *) sg); - } - -+int sgr_update_entry(const struct sgrp *oldgr, const struct sgrp *newgr) -+{ -+ return commonio_update_entry(&gshadow_db, (const void *) oldgr, -+ (const void *) newgr); -+} -+ -+ - int sgr_remove (const char *name) - { - return commonio_remove (&gshadow_db, name); ---- shadow-4.0.18.1/lib/groupio.c.groupLoop 2005-08-31 19:24:56.000000000 +0200 -+++ shadow-4.0.18.1/lib/groupio.c 2007-05-25 11:51:33.000000000 +0200 -@@ -128,6 +128,12 @@ - return commonio_remove (&group_db, name); - } - -+int gr_update_entry(const struct group *oldgr, const struct group *newgr) -+{ -+ return commonio_update_entry(&group_db, (const void *) oldgr, -+ (const void *) newgr); -+} -+ - int gr_rewind (void) - { - return commonio_rewind (&group_db); ---- shadow-4.0.18.1/lib/sgroupio.h.groupLoop 2005-03-31 07:14:49.000000000 +0200 -+++ shadow-4.0.18.1/lib/sgroupio.h 2007-05-25 11:51:33.000000000 +0200 -@@ -11,4 +11,5 @@ - extern int sgr_rewind (void); - extern int sgr_unlock (void); - extern int sgr_update (const struct sgrp *); -+extern 
int sgr_update_entry(const struct sgrp *oldgr, const struct sgrp *newgr); - extern int sgr_sort (void); ---- shadow-4.0.18.1/lib/commonio.c.groupLoop 2007-05-25 11:51:33.000000000 +0200 -+++ shadow-4.0.18.1/lib/commonio.c 2007-05-25 11:51:33.000000000 +0200 -@@ -826,6 +826,36 @@ - return 1; - } - -+int commonio_update_entry(struct commonio_db *db, const void *oldgr, -+ const void *newgr) -+{ -+ struct commonio_entry *tmp; -+ -+ if (!db->isopen || db->readonly) { -+ errno = EINVAL; -+ return 0; -+ } -+ -+ tmp = db->head; -+ while (tmp != NULL) { -+ if (oldgr == tmp->eptr) -+ break; -+ tmp = tmp->next; -+ } -+ -+ /* Didn't find this in the database; hop out */ -+ if (tmp == NULL) -+ return 0; -+ -+ tmp->eptr = db->ops->dup(newgr); -+ if (tmp->eptr == NULL) -+ return 1; -+ tmp->changed = 1; -+ -+ db->changed = 1; -+ -+ return 1; -+} - - void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p) - { ---- shadow-4.0.18.1/lib/groupio.h.groupLoop 2005-03-31 07:14:49.000000000 +0200 -+++ shadow-4.0.18.1/lib/groupio.h 2007-05-25 11:51:33.000000000 +0200 -@@ -10,4 +10,6 @@ - extern int gr_rewind (void); - extern int gr_unlock (void); - extern int gr_update (const struct group *); -+extern int gr_update_entry(const struct group *oldgr, const struct group *newgr); - extern int gr_sort (void); -+ diff --git a/shadow-4.0.18.1-overflow.patch b/shadow-4.0.18.1-overflow.patch deleted file mode 100644 index 1fb7a42..0000000 --- a/shadow-4.0.18.1-overflow.patch +++ /dev/null 
@@ -1,36 +0,0 @@ ---- shadow-4.0.17/src/chpasswd.c.overflow 2006-11-08 11:09:32.000000000 +0100 -+++ shadow-4.0.17/src/chpasswd.c 2006-11-08 13:13:15.000000000 +0100 -@@ -239,9 +239,13 @@ - newpwd = cp; - if (!eflg) { - if (md5flg) { -- char salt[12] = "$1$"; -+ char tmp[12]; -+ char salt[15] = "\0"; - -- strcat (salt, crypt_make_salt ()); -+ strcpy( tmp, crypt_make_salt ()); -+ if( !strncmp( tmp, "$1$", 3) ) -+ strcat( salt, "$1$"); -+ strcat( salt, tmp); - cp = pw_encrypt (newpwd, salt); - } else - cp = pw_encrypt (newpwd, crypt_make_salt ()); ---- shadow-4.0.17/src/chgpasswd.c.overflow 2006-11-08 13:13:40.000000000 +0100 -+++ shadow-4.0.17/src/chgpasswd.c 2006-11-08 13:17:24.000000000 +0100 -@@ -243,9 +243,13 @@ - newpwd = cp; - if (!eflg) { - if (md5flg) { -- char salt[12] = "$1$"; -+ char tmp[12]; -+ char salt[15] = "\0"; - -- strcat (salt, crypt_make_salt ()); -+ strcpy( tmp, crypt_make_salt ()); -+ if( !strncmp( tmp, "$1$", 3) ) -+ strcat( salt, "$1$"); -+ strcat( salt, tmp); - cp = pw_encrypt (newpwd, salt); - } else - cp = pw_encrypt (newpwd, crypt_make_salt ()); diff --git a/shadow-4.0.18.1-useradd b/shadow-4.0.18.1-useradd deleted file mode 100644 index 4e81146..0000000 --- a/shadow-4.0.18.1-useradd +++ /dev/null @@ -1,9 +0,0 @@ -# useradd defaults file -GROUP=100 -HOME=/home -INACTIVE=-1 -EXPIRE= -SHELL=/bin/bash -SKEL=/etc/skel -CREATE_MAIL_SPOOL=yes - diff --git a/shadow-4.0.14-goodname.patch b/shadow-4.1.0-goodname.patch similarity index 61% rename from shadow-4.0.14-goodname.patch rename to shadow-4.1.0-goodname.patch index e49adbb..5456ceb 100644 --- a/shadow-4.0.14-goodname.patch +++ b/shadow-4.1.0-goodname.patch 
@@ -1,5 +1,6 @@ ---- shadow-4.0.18.1/libmisc/chkname.c.goodname 2005-08-31 19:24:57.000000000 +0200 -+++ shadow-4.0.18.1/libmisc/chkname.c 2007-06-26 16:20:40.000000000 +0200 +diff -up shadow-4.1.0/libmisc/chkname.c.goodname shadow-4.1.0/libmisc/chkname.c +--- shadow-4.1.0/libmisc/chkname.c.goodname 2007-11-11 00:45:59.000000000 +0100 ++++ shadow-4.1.0/libmisc/chkname.c 2007-12-12 13:57:20.000000000 +0100 @@ -18,16 +18,24 @@ static int good_name (const char *name) { @@ -32,7 +33,7 @@ return 0; } -@@ -43,10 +51,9 @@ +@@ -43,10 +51,9 @@ int check_user_name (const char *name) #endif /* @@ -45,7 +46,7 @@ return 0; return good_name (name); -@@ -54,11 +61,13 @@ +@@ -54,11 +61,13 @@ int check_user_name (const char *name) int check_group_name (const char *name) { 
@@ -64,33 +65,29 @@ return 0; return good_name (name); ---- shadow-4.0.18.1/man/groupadd.8.goodname 2007-06-26 16:20:40.000000000 +0200 -+++ shadow-4.0.18.1/man/groupadd.8 2007-06-26 16:22:05.000000000 +0200 -@@ -73,15 +73,11 @@ - Shadow password suite configuration. +diff -up shadow-4.1.0/man/groupadd.8.goodname shadow-4.1.0/man/groupadd.8 +--- shadow-4.1.0/man/groupadd.8.goodname 2007-12-12 13:51:43.000000000 +0100 ++++ shadow-4.1.0/man/groupadd.8 2007-12-12 14:00:29.000000000 +0100 +@@ -126,9 +126,7 @@ Shadow password suite configuration\. + .RE .SH "CAVEATS" .PP --Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] +-Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] -.PP --Groupnames may only be up to 16 characters long. -+Groupnames may only be up to 32 characters long. +-Groupnames may only be up to 16 characters long\. ++Groupnames may only be up to 32 characters long\. .PP - If the groupname already exists in an external group database such as NIS, - \fBgroupadd\fR - will deny the group creation request. --.PP --Groupnames may only be up to 16 characters long. - .SH "EXIT VALUES" + You may not add a NIS or LDAP group\. This must be performed on the corresponding server\. 
.PP - The ---- shadow-4.0.18.1/man/useradd.8.goodname 2007-06-26 16:20:40.000000000 +0200 -+++ shadow-4.0.18.1/man/useradd.8 2007-06-26 16:20:40.000000000 +0200 -@@ -179,8 +179,6 @@ - Similarly, if the username already exists in an external user database such as NIS, +diff -up shadow-4.1.0/man/useradd.8.goodname shadow-4.1.0/man/useradd.8 +--- shadow-4.1.0/man/useradd.8.goodname 2007-12-12 13:51:43.000000000 +0100 ++++ shadow-4.1.0/man/useradd.8 2007-12-12 14:01:36.000000000 +0100 +@@ -242,8 +242,6 @@ You may not add a user to a NIS or LDAP + Similarly, if the username already exists in an external user database such as NIS or LDAP, \fBuseradd\fR - will deny the user account creation request. + will deny the user account creation request\. -.PP --Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] - .SH "FILES" - .TP 3n - \fI/etc/passwd\fR +-Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] + .SH "CONFIGURATION" + .PP + The following configuration variables in diff --git a/shadow-4.1.0-lOption.patch b/shadow-4.1.0-lOption.patch new file mode 100644 index 0000000..5f6481a --- /dev/null +++ b/shadow-4.1.0-lOption.patch 
@@ -0,0 +1,66 @@ +diff -up shadow-4.1.0/src/useradd.c.lOption shadow-4.1.0/src/useradd.c +--- shadow-4.1.0/src/useradd.c.lOption 2007-12-12 14:03:22.000000000 +0100 ++++ shadow-4.1.0/src/useradd.c 2007-12-12 14:08:43.000000000 +0100 +@@ -124,6 +124,7 @@ static int + Gflg = 0, /* secondary group set for new account */ + kflg = 0, /* specify a directory to fill new user directory */ + mflg = 0, /* create user's home directory if it doesn't exist */ ++ lflg = 0, /* do not add user to lastlog database file */ + Mflg = 0, /* do NOT create user's home directory no matter what */ + nflg = 0, /* do NOT create a group having the same name as the user */ + oflg = 0, /* permit non-unique user ID to be specified with -u */ +@@ -634,8 +635,9 @@ static void usage (void) + " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" + " -m, --create-home create home directory for the new user\n" + " account\n" +- " -M, do not create user's home directory(overrides /etc/login.defs)\n" +- " -r, create system account\n" ++ " -l, do not add user to lastlog database file\n" ++ " -M, do not create user's home directory(overrides /etc/login.defs)\n" ++ " -r, create system account\n" + " -o, --non-unique allow create user with duplicate\n" + " (non-unique) UID\n" + " -p, --password PASSWORD use encrypted password for the new user\n" +@@ -1032,7 +1034,7 @@ static void process_flags (int argc, cha + {NULL, 0, NULL, '\0'} + }; + while ((c = +- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMnrop:s:u:", ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", + long_options, NULL)) != -1) { + switch (c) { + case 'b': +@@ -1169,6 +1171,9 @@ static void process_flags (int argc, cha + case 'm': + mflg++; + break; ++ case 'l': ++ lflg++; ++ break; + case 'o': + oflg++; + break; +@@ -1538,7 +1543,7 @@ static void usr_update (void) + * are left unchanged). 
--marekm + */ + /* local, no need for xgetpwuid */ +- if (!getpwuid (user_id)) { ++ if (!getpwuid (user_id) && !lflg) { + faillog_reset (user_id); + lastlog_reset (user_id); + } +diff -up shadow-4.1.0/man/useradd.8.lOption shadow-4.1.0/man/useradd.8 +--- shadow-4.1.0/man/useradd.8.lOption 2007-12-12 14:03:22.000000000 +0100 ++++ shadow-4.1.0/man/useradd.8 2007-12-12 14:06:31.000000000 +0100 +@@ -53,6 +53,11 @@ option is not used, + must exist\. + .RE + .PP ++\fB-l\fR ++.RS 4 ++Do not add the user to the last login log file. This is an option added by Red Hat. ++.RE ++.PP + \fB\-D\fR + .RS 4 + See below, the subsection "Changing the default values"\. diff --git a/shadow-4.0.17-redhat.patch b/shadow-4.1.0-redhat.patch similarity index 54% rename from shadow-4.0.17-redhat.patch rename to shadow-4.1.0-redhat.patch index 455af08..24965b5 100644 --- a/shadow-4.0.17-redhat.patch +++ b/shadow-4.1.0-redhat.patch 
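Review bot: The new `-l` guard in usr_update, `if (!getpwuid (user_id) && !lflg)`, also disables `faillog_reset (user_id)`, although the help line and the man page addition describe the flag only as not adding the user to the lastlog file. A reused UID then keeps the previous owner's failed-login count and whatever lock state consumers of faillog enforce on it, which is a security-relevant side effect the documentation does not mention. Keep the faillog reset unconditional and gate only the lastlog call: `if (!getpwuid (user_id)) { faillog_reset (user_id); if (!lflg) lastlog_reset (user_id); }`. The flag is also registered only as a short option; the long_options table in this hunk gets no entry for it, so either add one or make the help text consistent with the other short-only flags. usr_update and process_flags both start outside this hunk.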
@@ -1,178 +1,6 @@ ---- shadow-4.0.18.1/man/newusers.8.redhat 2006-07-30 22:54:08.000000000 +0200 -+++ shadow-4.0.18.1/man/newusers.8 2007-11-29 15:08:49.000000000 +0100 -@@ -35,6 +35,8 @@ This field may be the name of an existin - This field will be checked for existence as a directory and a new directory with the same name will be created if it does not already exist. The ownership of the directory will be set to be that of the user being created or updated. - .PP - This command is intended to be used in a large system environment where many accounts are updated at a single time. -+.PP -+Default encryption algorithm is DES, but this setting can be changed in \fI/etc/login.defs\fR. Red Hat uses MD5 to encrypt passwords by default. - .SH "CAVEATS" - .PP - The input file must be protected since it contains unencrypted passwords. ---- shadow-4.0.18.1/man/useradd.8.redhat 2006-07-30 22:54:26.000000000 +0200 -+++ shadow-4.0.18.1/man/useradd.8 2007-11-29 15:08:49.000000000 +0100 -@@ -25,7 +25,7 @@ When invoked without the - \fB\-D\fR - option, the - \fBuseradd\fR --command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files. -+command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. - .SH "OPTIONS" - .PP - The options which apply to the -@@ -65,7 +65,7 @@ The date on which the user account will - The number of days after a password expires until the account is permanently disabled. 
A value of 0 disables the account as soon as the password has expired, and a value of \-1 disables the feature. The default value is \-1. - .TP 3n - \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR --The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is 1 or whatever is specified in -+The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. - \fI/etc/default/useradd\fR. - .TP 3n - \fB\-G\fR, \fB\-\-groups\fR \fIGROUP1\fR[\fI,GROUP2,...\fR[\fI,GROUPN\fR]]] -@@ -76,6 +76,9 @@ option. The default is for the user to b - \fB\-h\fR, \fB\-\-help\fR - Display help message and exit. - .TP 3n -+\fB-M\fR -+The user's home directory will not be created, even if the system wide settings from \fI/etc/login.defs\fR is to create home dirs. -+.TP 3n - \fB\-m\fR, \fB\-\-create\-home\fR - The user's home directory will be created if it does not exist. The files contained in - \fISKEL_DIR\fR -@@ -93,6 +96,9 @@ option is only valid in conjunction with - \fB\-m\fR - option. The default is to not create the directory and to not copy any files. - .TP 3n -+\fB-n\fR -+A group having the same name as the user being added to the system will be created by default. This option will turn off this Red Hat Linux specific behavior. When this option is used, users by default will be placed in whatever group is specified in \fI/etc/default/useradd\fR. If no default group is defined, group 1 will be used. -+.TP 3n - \fB\-K\fR, \fB\-\-key\fR \fIKEY\fR=\fIVALUE\fR - Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others). - -@@ -118,6 +124,9 @@ Allow the creation of a user account wit - The encrypted password, as returned by - \fBcrypt\fR(3). The default is to disable the account. - .TP 3n -+\fB-r\fR -+This flag is used to create a system account. 
That is, a user with a UID lower than the value of UID_MIN defined in \fI/etc/login.defs\fR and whose password does not expire. Note that \fBuseradd\fR will not create a home directory for such an user, regardless of the default setting in \fI/etc/login.defs\fR. You have to specify \fB-m\fR option if you want a home directory for a system account to be created. This is an option added by Red Hat -+.TP 3n - \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR - The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell. - .TP 3n -@@ -161,6 +170,8 @@ displays the current default values. - The system administrator is responsible for placing the default user files in the - \fI/etc/skel/\fR - directory. -+.br -+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions. - .SH "CAVEATS" - .PP - You may not add a user to a NIS group. This must be performed on the NIS server. -@@ -181,6 +192,9 @@ Secure user account information. - \fI/etc/group\fR - Group account information. - .TP 3n -+\fI/etc/gshadow\fR -+Secure group account information. -+.TP 3n - \fI/etc/default/useradd\fR - Default values for account creation. - .TP 3n ---- shadow-4.0.18.1/man/groupadd.8.redhat 2006-07-30 22:53:48.000000000 +0200 -+++ shadow-4.0.18.1/man/groupadd.8 2007-11-29 15:08:49.000000000 +0100 -@@ -14,7 +14,7 @@ - groupadd \- create a new group - .SH "SYNOPSIS" - .HP 9 --\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR -+\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR - .SH "DESCRIPTION" - .PP - The -@@ -32,10 +32,13 @@ This option causes to just exit with suc - \fB\-g\fR - is turned off). - .TP 3n -+\fB-r\fR -+This flag instructs \fBgroupadd\fR to add a system account. The first available \fIgid\fR lower than 499 will be automatically selected unless the \fB-g\fR option is also given on the command line. 
This is an option added by Red Hat. -+.TP 3n - \fB\-g\fR \fIGID\fR - The numerical value of the group's ID. This value must be unique, unless the - \fB\-o\fR --option is used. The value must be non\-negative. The default is to use the smallest ID value greater than 999 and greater than every other group. Values between 0 and 999 are typically reserved for system accounts. -+option is used. The value must be non\-negative. The default is to use the smallest ID value greater than 500 and greater than every other group. Values between 0 and 499 are typically reserved for system accounts. - .TP 3n - \fB\-h\fR, \fB\-\-help\fR - Display help message and exit. ---- shadow-4.0.18.1/man/chpasswd.8.redhat 2006-07-30 22:53:40.000000000 +0200 -+++ shadow-4.0.18.1/man/chpasswd.8 2007-11-29 15:08:49.000000000 +0100 -@@ -24,7 +24,7 @@ reads a list of user name and password p - - \fIuser_name\fR:\fIpassword\fR - .PP --By default the supplied password must be in clear\-text. Default encryption algorithm is DES. Also the password age will be updated, if present. -+By default the supplied password must be in clear\-text. Default encryption algorithm is DES, but this setting can be changed in \fI/etc/login.defs\fR. Red Hat uses MD5 to encrypt passwords by default. Also the password age will be updated, if present. - .PP - This command is intended to be used in a large system environment where many accounts are created at a single time. 
- .SH "OPTIONS" ---- shadow-4.0.18.1/src/groupadd.c.redhat 2006-07-28 19:38:52.000000000 +0200 -+++ shadow-4.0.18.1/src/groupadd.c 2007-11-29 15:08:49.000000000 +0100 -@@ -74,6 +74,7 @@ static char *Prog; - static int oflg = 0; /* permit non-unique group ID to be specified with -g */ - static int gflg = 0; /* ID value for the new group */ - static int fflg = 0; /* if group already exists, do nothing and exit(0) */ -+static int rflg = 0; /* for adding system accounts (Red Hat) */ - - /* local function prototypes */ - static void usage (void); -@@ -100,6 +101,7 @@ static void usage (void) - "Options:\n" - " -f, --force force exit with success status if the specified\n" - " group already exists\n" -+ " -r, create system account\n" - " -g, --gid GID use GID for the new group\n" - " -h, --help display this help message and exit\n" - " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" -@@ -198,8 +200,13 @@ static void find_new_gid (void) - const struct group *grp; - gid_t gid_min, gid_max; - -- gid_min = getdef_unum ("GID_MIN", 1000); -- gid_max = getdef_unum ("GID_MAX", 60000); -+ if (!rflg) { -+ gid_min = getdef_unum ("GID_MIN", 500); -+ gid_max = getdef_unum ("GID_MAX", 60000); -+ } else { -+ gid_min = 1; -+ gid_max = getdef_unum ("GID_MIN", 500) - 1; -+ } - - /* - * Start with some GID value if the user didn't provide us with -@@ -430,7 +437,7 @@ int main (int argc, char **argv) - }; - - while ((c = -- getopt_long (argc, argv, "fg:hK:o", long_options, -+ getopt_long (argc, argv, "frg:hK:o", long_options, - &option_index)) != -1) { - switch (c) { - case 'f': -@@ -443,6 +450,12 @@ int main (int argc, char **argv) - */ - fflg++; - break; -+ case 'r': -+ /* -+ * create a system group -+ */ -+ rflg++; -+ break; - case 'g': - gflg++; - group_id = get_gid (optarg); ---- shadow-4.0.18.1/src/useradd.c.redhat 2006-07-28 19:42:48.000000000 +0200 -+++ shadow-4.0.18.1/src/useradd.c 2007-11-29 15:44:39.000000000 +0100 +diff -up shadow-4.1.0/src/useradd.c.redhat 
shadow-4.1.0/src/useradd.c +--- shadow-4.1.0/src/useradd.c.redhat 2007-12-09 23:43:09.000000000 +0100 ++++ shadow-4.1.0/src/useradd.c 2007-12-12 12:19:34.000000000 +0100 @@ -81,7 +81,7 @@ static gid_t def_group = 100; static const char *def_gname = "other"; @@ -203,16 +31,16 @@ sflg = 0, /* shell program for new account */ uflg = 0; /* specify user ID for new account */ -@@ -633,6 +635,8 @@ static void usage (void) - " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" - " -m, --create-home create home directory for the new user\n" - " account\n" -+ " -M, do not create user's home directory(overrides /etc/login.defs)\n" -+ " -r, create system account\n" - " -o, --non-unique allow create user with duplicate\n" - " (non-unique) UID\n" - " -p, --password PASSWORD use encrypted password for the new user\n" -@@ -685,11 +689,20 @@ static void new_spent (struct spwd *spen +@@ -632,6 +634,8 @@ static void usage (void) + " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" + " -m, --create-home create home directory for the new user\n" + " account\n" ++ " -M, do not create user's home directory(overrides /etc/login.defs)\n" ++ " -r, create system account\n" + " -o, --non-unique allow create user with duplicate\n" + " (non-unique) UID\n" + " -p, --password PASSWORD use encrypted password for the new user\n" +@@ -684,11 +688,20 @@ static void new_spent (struct spwd *spen spent->sp_namp = (char *) user_name; spent->sp_pwdp = (char *) user_pass; spent->sp_lstchg = time ((time_t *) 0) / SCALE; @@ -238,7 +66,7 @@ spent->sp_flag = -1; } -@@ -837,8 +850,14 @@ static void find_new_uid (void) +@@ -821,8 +834,14 @@ static void find_new_uid (void) const struct passwd *pwd; uid_t uid_min, uid_max; @@ -255,7 +83,7 @@ /* * Start with some UID value if the user didn't provide us with -@@ -868,7 +887,7 @@ static void find_new_uid (void) +@@ -852,7 +871,7 @@ static void find_new_uid (void) #endif exit (E_NAME_IN_USE); } 
@@ -264,7 +92,7 @@ fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); #ifdef WITH_AUDIT -@@ -923,8 +942,13 @@ static void find_new_gid () +@@ -908,8 +927,13 @@ static void find_new_gid () const struct group *grp; gid_t gid_min, gid_max; @@ -280,7 +108,7 @@ /* * Start with some GID value if the user didn't provide us with -@@ -1022,7 +1046,7 @@ static void process_flags (int argc, cha +@@ -1008,7 +1032,7 @@ static void process_flags (int argc, cha {NULL, 0, NULL, '\0'} }; while ((c = @@ -289,7 +117,7 @@ long_options, NULL)) != -1) { switch (c) { case 'b': -@@ -1194,6 +1218,15 @@ static void process_flags (int argc, cha +@@ -1177,6 +1201,15 @@ static void process_flags (int argc, cha user_id = get_uid (optarg); uflg++; break; @@ -305,7 +133,7 @@ default: usage (); } -@@ -1201,6 +1234,9 @@ static void process_flags (int argc, cha +@@ -1184,6 +1217,9 @@ static void process_flags (int argc, cha } } @@ -315,7 +143,7 @@ /* * Certain options are only valid in combination with others. * Check it here so that they can be specified in any order. -@@ -1706,6 +1742,14 @@ int main (int argc, char **argv) +@@ -1698,6 +1734,14 @@ int main (int argc, char **argv) } #endif /* USE_PAM */ @@ -330,16 +158,16 @@ /* * See if we are messing with the defaults file, or creating * a new user. -@@ -1736,7 +1780,7 @@ int main (int argc, char **argv) +@@ -1728,7 +1772,7 @@ int main (int argc, char **argv) * to that group, use useradd -g username username. * --bero */ - if (!gflg) { + if ( !(nflg || gflg) ) { - if (getgrnam (user_name)) { + if (getgrnam (user_name)) { /* local, no need for xgetgrnam */ fprintf (stderr, _ -@@ -1787,27 +1831,22 @@ int main (int argc, char **argv) +@@ -1779,27 +1823,22 @@ int main (int argc, char **argv) ("%s: warning: the home directory already exists.\n" "Not copying any file from skel directory into it.\n"), Prog); 
@@ -380,5 +208,193 @@ + if( !rflg ) + create_mail (); - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); + close_files (); + +diff -up shadow-4.1.0/src/groupadd.c.redhat shadow-4.1.0/src/groupadd.c +--- shadow-4.1.0/src/groupadd.c.redhat 2007-11-24 23:41:19.000000000 +0100 ++++ shadow-4.1.0/src/groupadd.c 2007-12-12 12:15:00.000000000 +0100 +@@ -74,6 +74,7 @@ static char *Prog; + static int oflg = 0; /* permit non-unique group ID to be specified with -g */ + static int gflg = 0; /* ID value for the new group */ + static int fflg = 0; /* if group already exists, do nothing and exit(0) */ ++static int rflg = 0; /* for adding system accounts (Red Hat) */ + + /* local function prototypes */ + static void usage (void); +@@ -100,6 +101,7 @@ static void usage (void) + "Options:\n" + " -f, --force force exit with success status if the\n" + " specified group already exists\n" ++ " -r, create system account\n" + " -g, --gid GID use GID for the new group\n" + " -h, --help display this help message and exit\n" + " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" +@@ -198,8 +200,13 @@ static void find_new_gid (void) + const struct group *grp; + gid_t gid_min, gid_max; + +- gid_min = getdef_unum ("GID_MIN", 1000); +- gid_max = getdef_unum ("GID_MAX", 60000); ++ if (!rflg) { ++ gid_min = getdef_unum ("GID_MIN", 500); ++ gid_max = getdef_unum ("GID_MAX", 60000); ++ } else { ++ gid_min = 1; ++ gid_max = getdef_unum ("GID_MIN", 500) - 1; ++ } + + /* + * Start with some GID value if the user didn't provide us with +@@ -430,7 +437,7 @@ int main (int argc, char **argv) + }; + + while ((c = +- getopt_long (argc, argv, "fg:hK:o", long_options, ++ getopt_long (argc, argv, "frg:hK:o", long_options, + &option_index)) != -1) { + switch (c) { + case 'f': +@@ -443,6 +450,12 @@ int main (int argc, char **argv) + */ + fflg++; + break; ++ case 'r': ++ /* ++ * create a system group ++ */ ++ rflg++; ++ break; + case 'g': + gflg++; + group_id = get_gid (optarg); +diff -up 
shadow-4.1.0/man/chpasswd.8.redhat shadow-4.1.0/man/chpasswd.8 +diff -up shadow-4.1.0/man/newusers.8.redhat shadow-4.1.0/man/newusers.8 +diff -up shadow-4.1.0/man/useradd.8.redhat shadow-4.1.0/man/useradd.8 +--- shadow-4.1.0/man/useradd.8.redhat 2007-12-10 00:07:10.000000000 +0100 ++++ shadow-4.1.0/man/useradd.8 2007-12-12 12:05:54.000000000 +0100 +@@ -25,9 +25,9 @@ When invoked without the + \fB\-D\fR + option, the + \fBuseradd\fR +-command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the ++command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the + \fBuseradd\fR +-command will update system files and may also create the new user\'s home directory and copy initial files\. ++command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. + .SH "OPTIONS" + .PP + The options which apply to the +@@ -84,7 +84,7 @@ The number of days after a password expi + .PP + \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR + .RS 4 +-The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in ++The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. + \fI/etc/default/useradd\fR\. + .RE + .PP +@@ -100,6 +100,13 @@ option\. The default is for the user to + Display help message and exit\. + .RE + .PP ++\fB-M\fR ++.RS 4 ++The user\'s home directory will not be created, even if the system wide settings from ++\fI/etc/login.defs\fR ++is to create home dirs\. 
++.RE ++.PP + \fB\-m\fR, \fB\-\-create\-home\fR + .RS 4 + The user\'s home directory will be created if it does not exist\. The files contained in +@@ -119,6 +126,13 @@ option is only valid in conjunction with + option\. The default is to not create the directory and to not copy any files\. + .RE + .PP ++\fB-n\fR ++.RS 4 ++A group having the same name as the user being added to the system will be created by default\. This option will turn off this Red Hat Linux specific behavior\. When this option is used, users by default will be placed in whatever group is specified in ++\fI/etc/default/useradd\fR\. ++If no default group is defined, group 1 will be used. ++.RE ++.PP + \fB\-K\fR, \fB\-\-key\fR \fIKEY\fR=\fIVALUE\fR + .RS 4 + Overrides /etc/login\.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others)\. +@@ -150,6 +164,19 @@ The encrypted password, as returned by + \fBcrypt\fR(3)\. The default is to disable the account\. + .RE + .PP ++\fB-r\fR ++.RS 4 ++This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in ++\fI/etc/login.defs\fR ++and whose password does not expire\. Note that ++\fBuseradd\fR ++will not create a home directory for such an user, regardless of the default setting in ++\fI/etc/login.defs\fR\. ++You have to specify ++\fB-m\fR ++option if you want a home directory for a system account to be created\. This is an option added by Red Hat\. ++.RE ++.PP + \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR + .RS 4 + The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\. +@@ -206,6 +233,8 @@ The name of a new user\'s login shell\. + The system administrator is responsible for placing the default user files in the + \fI/etc/skel/\fR + directory\. ++.br ++This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\. + .SH "CAVEATS" + .PP + You may not add a user to a NIS or LDAP group\. 
This must be performed on the corresponding server\. +@@ -315,6 +344,11 @@ Secure user account information\. + Group account information\. + .RE + .PP ++\fI/etc/gshadow\fR ++.RS 4 ++Secure group account information\. ++.RE ++.PP + \fI/etc/default/useradd\fR + .RS 4 + Default values for account creation\. +diff -up shadow-4.1.0/man/groupadd.8.redhat shadow-4.1.0/man/groupadd.8 +--- shadow-4.1.0/man/groupadd.8.redhat 2007-12-10 00:06:00.000000000 +0100 ++++ shadow-4.1.0/man/groupadd.8 2007-12-12 12:11:23.000000000 +0100 +@@ -14,7 +14,7 @@ + groupadd - create a new group + .SH "SYNOPSIS" + .HP 9 +-\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR ++\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR + .SH "DESCRIPTION" + .PP + The +@@ -34,11 +34,22 @@ This option causes the command to simply + is turned off)\. + .RE + .PP ++\fB-r\fR ++.RS 4 ++This flag instructs ++\fBgroupadd\fR ++to add a system account\. The first available ++\fIgid\fR ++lower than 499 will be automatically selected unless the ++\fB-g\fR ++option is also given on the command line\. This is an option added by Red Hat\. ++.RE ++.PP + \fB\-g\fR \fIGID\fR + .RS 4 + The numerical value of the group\'s ID\. This value must be unique, unless the + \fB\-o\fR +-option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\. ++option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 500 and greater than every other group\. Values between 0 and 499 are typically reserved for system accounts\. + .RE + .PP + \fB\-h\fR, \fB\-\-help\fR diff --git a/shadow-4.0.17-useradd.patch b/shadow-4.1.0-selinux.patch similarity index 65% rename from shadow-4.0.17-useradd.patch rename to shadow-4.1.0-selinux.patch index 2e61faa..ec8eed7 100644 
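Review bot: In groupadd's find_new_gid the system-group range is derived as `gid_max = getdef_unum ("GID_MIN", 500) - 1;` with `gid_min = 1;`; gid_t is unsigned on glibc, so a login.defs with GID_MIN set to 0 wraps gid_max to the largest value and GID_MIN set to 1 leaves gid_max below gid_min, and the search that follows (outside this hunk) then has no sane bound. Guard the subtraction, e.g. `gid_min = 1;` / `gid_max = getdef_unum ("GID_MIN", 500);` / `if (gid_max > gid_min) gid_max--; else gid_max = gid_min;`, or refuse with an error when the configured range is empty. The groupadd.8 text for `-r` says the first gid "lower than 499" is used, while the code takes GID_MIN - 1 inclusive (499 by default) and follows the configured GID_MIN, so the man page should say that. The header-only `diff -up` lines for chpasswd.8 and newusers.8 carry no hunks and are skipped by patch(1); drop them or restore the intended hunks. find_new_gid continues past the end of this hunk.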
--- a/shadow-4.0.17-useradd.patch +++ b/shadow-4.1.0-selinux.patch @@ -1,15 +1,6 @@ ---- shadow-4.0.18.1/libmisc/Makefile.am.useradd 2005-09-05 18:21:37.000000000 +0200 -+++ shadow-4.0.18.1/libmisc/Makefile.am 2007-11-29 15:47:39.000000000 +0100 -@@ -41,6 +41,7 @@ libmisc_a_SOURCES = \ - setugid.c \ - setupenv.c \ - shell.c \ -+ system.c \ - strtoday.c \ - sub.c \ - sulog.c \ ---- shadow-4.0.18.1/libmisc/system.c.useradd 2007-11-29 15:47:39.000000000 +0100 -+++ shadow-4.0.18.1/libmisc/system.c 2007-11-29 15:47:39.000000000 +0100 +diff -up /dev/null shadow-4.1.0/libmisc/system.c +--- /dev/null 2007-12-08 00:31:02.590331462 +0100 ++++ shadow-4.1.0/libmisc/system.c 2007-12-12 14:13:30.000000000 +0100 @@ -0,0 +1,37 @@ +#include + @@ -48,8 +39,9 @@ + exit (-1); +} + ---- shadow-4.0.18.1/libmisc/copydir.c.useradd 2006-07-10 06:35:56.000000000 +0200 -+++ shadow-4.0.18.1/libmisc/copydir.c 2007-11-29 15:47:39.000000000 +0100 +diff -up shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c +--- shadow-4.1.0/libmisc/copydir.c.selinux 2007-11-11 00:45:59.000000000 +0100 ++++ shadow-4.1.0/libmisc/copydir.c 2007-12-12 14:13:30.000000000 +0100 @@ -54,7 +54,7 @@ struct link_name { static struct link_name *links; 
@@ -59,97 +51,150 @@ { security_context_t scontext = NULL; ---- shadow-4.0.18.1/man/usermod.8.xml.useradd 2006-07-24 07:48:36.000000000 +0200 -+++ shadow-4.0.18.1/man/usermod.8.xml 2007-11-29 15:47:39.000000000 +0100 -@@ -226,6 +226,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field the blank, which causes the system to select the default -+ SELinux user. -+ -+ -+ - - +diff -up shadow-4.1.0/libmisc/Makefile.am.selinux shadow-4.1.0/libmisc/Makefile.am +--- shadow-4.1.0/libmisc/Makefile.am.selinux 2007-11-23 10:15:48.000000000 +0100 ++++ shadow-4.1.0/libmisc/Makefile.am 2007-12-12 14:13:30.000000000 +0100 +@@ -42,6 +42,7 @@ libmisc_a_SOURCES = \ + setugid.c \ + setupenv.c \ + shell.c \ ++ system.c \ + strtoday.c \ + sub.c \ + sulog.c \ +diff -up shadow-4.1.0/src/useradd.c.selinux shadow-4.1.0/src/useradd.c +--- shadow-4.1.0/src/useradd.c.selinux 2007-12-12 14:11:41.000000000 +0100 ++++ shadow-4.1.0/src/useradd.c 2007-12-12 14:24:12.000000000 +0100 +@@ -100,6 +100,7 @@ static const char *user_comment = ""; + static const char *user_home = ""; + static const char *user_shell = ""; + static const char *create_mail_spool = ""; ++static const char *user_selinux = ""; ---- shadow-4.0.18.1/man/usermod.8.useradd 2006-07-30 22:54:28.000000000 +0200 -+++ shadow-4.0.18.1/man/usermod.8 2007-11-29 15:47:39.000000000 +0100 -@@ -92,6 +92,10 @@ Unlock a user's password. This removes t - \fB\-p\fR - or - \fB\-L\fR. -+.TP 3n -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default SELinux user. 
-+ - .SH "CAVEATS" - .PP + static long user_expire = -1; + static int is_shadow_pwd; +@@ -170,6 +171,7 @@ static int set_defaults (void); + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); ++static void selinux_update_mapping (void); ---- shadow-4.0.18.1/man/useradd.8.useradd 2007-11-29 15:46:24.000000000 +0100 -+++ shadow-4.0.18.1/man/useradd.8 2007-11-29 15:47:39.000000000 +0100 -@@ -137,6 +137,9 @@ The name of the user's login shell. The - The numerical value of the user's ID. This value must be unique, unless the - \fB\-o\fR - option is used. The value must be non\-negative. The default is to use the smallest ID value greater than 999 and greater than every other user. Values between 0 and 999 are typically reserved for system accounts. -+.TP 3n -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default SELinux user. - .SS "Changing the default values" - .PP - When invoked with the ---- shadow-4.0.18.1/man/useradd.8.xml.useradd 2006-07-24 07:48:36.000000000 +0200 -+++ shadow-4.0.18.1/man/useradd.8.xml 2007-11-29 15:47:39.000000000 +0100 -@@ -251,6 +251,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field blank, which causes the system to select the default SELinux -+ user. 
-+ -+ -+ - - - ---- shadow-4.0.18.1/src/userdel.c.useradd 2007-11-29 15:46:24.000000000 +0100 -+++ shadow-4.0.18.1/src/userdel.c 2007-11-29 15:47:39.000000000 +0100 -@@ -792,6 +792,17 @@ int main (int argc, char **argv) - #endif + static long scale_age (long); + static void new_spent (struct spwd *); +@@ -356,6 +358,7 @@ static void get_defaults (void) + def_create_mail_spool = xstrdup (cp); + } } ++ fclose(fp); + } + /* +@@ -644,6 +647,10 @@ static void usage (void) + " account\n" + " -s, --shell SHELL the login shell for the new user account\n" + " -u, --uid UID force use the UID for the new user account\n" +#ifdef WITH_SELINUX -+ if (is_selinux_enabled() > 0) { -+ const char *argv[5]; ++ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" ++#endif ++ + "\n")); + exit (E_USAGE); + } +@@ -1030,11 +1037,18 @@ static void process_flags (int argc, cha + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, + {"shell", required_argument, NULL, 's'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {"uid", required_argument, NULL, 'u'}, + {NULL, 0, NULL, '\0'} + }; + while ((c = ++#ifdef WITH_SELINUX ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:", ++#else + getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'b': +@@ -1215,6 +1229,17 @@ static void process_flags (int argc, cha + case 'M': + Mflg++; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled() > 0) ++ user_selinux = optarg; ++ else { ++ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); ++ ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -1583,6 +1608,33 @@ static void usr_update (void) + grp_update (); + } + ++static void selinux_update_mapping () { ++ ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() <= 0) return; ++ ++ if (*user_selinux) { /* must be done after 
passwd write() */ ++ const char *argv[7]; + argv[0] = "/usr/sbin/semanage"; + argv[1] = "login"; -+ argv[2] = "-d"; -+ argv[3] = user_name; -+ argv[4] = NULL; -+ safe_system(argv[0], argv, NULL, 1); -+ } ++ argv[2] = "-a"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "adding SELinux user mapping", user_name, user_id, 0); +#endif - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. ---- shadow-4.0.18.1/src/usermod.c.useradd 2007-11-29 15:46:24.000000000 +0100 -+++ shadow-4.0.18.1/src/usermod.c 2007-11-29 15:47:39.000000000 +0100 ++ } ++ } ++#endif ++ ++} + /* + * create_home - create the user's home directory + * +@@ -1592,7 +1644,11 @@ static void usr_update (void) + */ + static void create_home (void) + { ++ + if (access (user_home, F_OK)) { ++#ifdef WITH_SELINUX ++ selinux_file_context (user_home); ++#endif + /* XXX - create missing parent directories. --marekm */ + if (mkdir (user_home, 0)) { + fprintf (stderr, +@@ -1818,6 +1874,8 @@ int main (int argc, char **argv) + + usr_update (); + ++ selinux_update_mapping(); ++ + if (mflg) { + create_home (); + if (home_added) +diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c +--- shadow-4.1.0/src/usermod.c.selinux 2007-11-24 23:41:19.000000000 +0100 ++++ shadow-4.1.0/src/usermod.c 2007-12-12 14:21:44.000000000 +0100 @@ -90,6 +90,7 @@ static char *user_comment; static char *user_home; static char *user_newhome; 
@@ -158,7 +203,7 @@ static long user_expire; static long user_inactive; static long sys_ngroups; -@@ -132,6 +133,7 @@ static int is_shadow_grp; +@@ -139,6 +140,7 @@ static int sgr_locked = 0; static int get_groups (char *); static void usage (void); static void new_pwent (struct passwd *); @@ -166,17 +211,17 @@ static void new_spent (struct spwd *); static void fail_exit (int); -@@ -294,6 +296,9 @@ static void usage (void) - " -s, --shell SHELL new login shell for the user account\n" - " -u, --uid UID new UID for the user account\n" - " -U, --unlock unlock the user account\n" +@@ -302,6 +304,9 @@ static void usage (void) + " -s, --shell SHELL new login shell for the user account\n" + " -u, --uid UID new UID for the user account\n" + " -U, --unlock unlock the user account\n" +#ifdef WITH_SELINUX -+ " -Z, --selinux-user new selinux user mapping for the user account\n" ++ " -Z, --selinux-user new selinux user mapping for the user account\n" +#endif "\n")); exit (E_USAGE); } -@@ -918,13 +923,20 @@ static void process_flags (int argc, cha +@@ -888,13 +893,20 @@ static void process_flags (int argc, cha {"move-home", no_argument, NULL, 'm'}, {"non-unique", no_argument, NULL, 'o'}, {"password", required_argument, NULL, 'p'}, @@ -197,8 +242,8 @@ long_options, NULL)) != -1) { switch (c) { case 'a': -@@ -1073,6 +1085,16 @@ static void process_flags (int argc, cha - +@@ -1028,6 +1040,16 @@ static void process_flags (int argc, cha + case 'U': Uflg++; break; +#ifdef WITH_SELINUX @@ -214,16 +259,16 @@ default: usage (); } -@@ -1542,6 +1564,8 @@ int main (int argc, char **argv) - if (Gflg || lflg) - grp_err = grp_update (); +@@ -1575,6 +1597,8 @@ int main (int argc, char **argv) + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); + selinux_update_mapping(); + if (mflg) move_home (); -@@ -1573,3 +1597,62 @@ int main (int argc, char **argv) +@@ -1603,3 +1627,62 @@ int main (int argc, char **argv) exit (E_SUCCESS); /* NOT REACHED */ } 
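Review bot: selinux_update_mapping in useradd.c treats a failed `semanage login -a -s SEUSER user` as a warning only: the passwd entry has already been written, main goes on to create_home and the command exits successfully, so a user the administrator explicitly asked to confine to a given SELinux user ends up with the default login mapping and no failing exit status a provisioning script could notice. The function should report the failure (return an int instead of void) and main should exit non-zero instead of continuing, presumably with whichever E_ constant the file uses for failed updates; since the account entry is already committed at that point, the error message should say so. In create_home, `selinux_file_context (user_home)` is called before mkdir with no visible reset afterwards; if it sets the process file-creation context, it should be restored once the directory exists (its definition is not in this hunk, so confirm). Minor: the definition `static void selinux_update_mapping () {` should use `(void)` to match its prototype. process_flags and main start outside this hunk; selinux_update_mapping itself is fully within it.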
@@ -286,163 +331,106 @@ + } +#endif +} ---- shadow-4.0.18.1/src/useradd.c.useradd 2007-11-29 15:46:24.000000000 +0100 -+++ shadow-4.0.18.1/src/useradd.c 2007-11-29 15:52:00.000000000 +0100 -@@ -100,6 +100,7 @@ static const char *user_comment = ""; - static const char *user_home = ""; - static const char *user_shell = ""; - static const char *create_mail_spool = ""; -+static const char *user_selinux = ""; - - static long user_expire = -1; - static int is_shadow_pwd; -@@ -170,6 +171,7 @@ static int set_defaults (void); - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static long scale_age (long); - static void new_spent (struct spwd *); -@@ -354,6 +356,7 @@ static void get_defaults (void) - def_create_mail_spool = xstrdup (cp); - } +diff -up shadow-4.1.0/src/userdel.c.selinux shadow-4.1.0/src/userdel.c +--- shadow-4.1.0/src/userdel.c.selinux 2007-11-24 23:41:19.000000000 +0100 ++++ shadow-4.1.0/src/userdel.c 2007-12-12 14:13:30.000000000 +0100 +@@ -809,6 +809,17 @@ int main (int argc, char **argv) + #endif } -+ fclose(fp); - } - /* -@@ -641,7 +644,10 @@ static void usage (void) - " -p, --password PASSWORD use encrypted password for the new user\n" - " account\n" - " -s, --shell SHELL the login shell for the new user account\n" -- " -u, --uid UID force use the UID for the new user account\n" -+ " -u, --uid UID force use the UID for the new user account\n" +#ifdef WITH_SELINUX -+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" -+#endif - "\n")); - exit (E_USAGE); - } -@@ -1041,11 +1047,18 @@ static void process_flags (int argc, cha - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, - {"shell", required_argument, NULL, 's'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"uid", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -+#ifdef 
WITH_SELINUX -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:", -+#else - getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1229,6 +1242,17 @@ static void process_flags (int argc, cha - case 'M': - Mflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1596,6 +1620,33 @@ static void usr_update (void) - grp_update (); - } - -+static void selinux_update_mapping () { -+ -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { /* must be done after passwd write() */ -+ const char *argv[7]; ++ if (is_selinux_enabled() > 0) { ++ const char *argv[5]; + argv[0] = "/usr/sbin/semanage"; + argv[1] = "login"; -+ argv[2] = "-a"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "adding SELinux user mapping", user_name, user_id, 0); ++ argv[2] = "-d"; ++ argv[3] = user_name; ++ argv[4] = NULL; ++ safe_system(argv[0], argv, NULL, 1); ++ } +#endif -+ } -+ } -+#endif -+ -+} - /* - * create_home - create the user's home directory - * -@@ -1605,7 +1656,11 @@ static void usr_update (void) - */ - static void create_home (void) - { -+ - if (access (user_home, F_OK)) { -+#ifdef WITH_SELINUX -+ selinux_file_context (user_home); -+#endif - /* XXX - create missing parent directories. --marekm */ - if (mkdir (user_home, 0)) { - fprintf (stderr, -@@ -1833,6 +1888,17 @@ int main (int argc, char **argv) + /* + * Cancel any crontabs or at jobs. 
Have to do this before we remove + * the entry from /etc/passwd. +diff -up shadow-4.1.0/man/useradd.8.selinux shadow-4.1.0/man/useradd.8 +--- shadow-4.1.0/man/useradd.8.selinux 2007-12-12 14:11:41.000000000 +0100 ++++ shadow-4.1.0/man/useradd.8 2007-12-12 14:19:21.000000000 +0100 +@@ -163,6 +163,11 @@ doesn\'t work yet\. + Allow the creation of a user account with a duplicate (non\-unique) UID\. + .RE + .PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. ++.RE ++.PP + \fB\-p\fR, \fB\-\-password\fR \fIPASSWORD\fR + .RS 4 + The encrypted password, as returned by +diff -up shadow-4.1.0/man/usermod.8.xml.selinux shadow-4.1.0/man/usermod.8.xml +--- shadow-4.1.0/man/usermod.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 ++++ shadow-4.1.0/man/usermod.8.xml 2007-12-12 14:13:30.000000000 +0100 +@@ -245,6 +245,19 @@ + + + ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. The default is to leave this ++ field the blank, which causes the system to select the default ++ SELinux user. ++ ++ ++ + + - usr_update (); +diff -up shadow-4.1.0/man/usermod.8.selinux shadow-4.1.0/man/usermod.8 +--- shadow-4.1.0/man/usermod.8.selinux 2007-12-10 00:07:16.000000000 +0100 ++++ shadow-4.1.0/man/usermod.8 2007-12-12 14:17:10.000000000 +0100 +@@ -133,6 +133,11 @@ Note: if you wish to unlock the account + value from + \fI/etc/default/useradd\fR)\. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. 
++.RE + .SH "CAVEATS" + .PP -+ /* Do not create mail directory for system accounts */ -+ if( !rflg ) -+ create_mail (); -+ -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ -+ close_files (); -+ -+ selinux_update_mapping(); -+ - if (mflg) { - create_home (); - if (home_added) -@@ -1856,15 +1922,6 @@ int main (int argc, char **argv) - * with --gafton - */ +diff -up shadow-4.1.0/man/useradd.8.xml.selinux shadow-4.1.0/man/useradd.8.xml +--- shadow-4.1.0/man/useradd.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 ++++ shadow-4.1.0/man/useradd.8.xml 2007-12-12 14:13:30.000000000 +0100 +@@ -274,6 +274,19 @@ + + + ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. The default is to leave this ++ field blank, which causes the system to select the default SELinux ++ user. ++ ++ ++ + -- /* Do not create mail directory for system accounts */ -- if( !rflg ) -- create_mail (); -- -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- -- close_files (); -- - #ifdef USE_PAM - if (retval == PAM_SUCCESS) - pam_end (pamh, PAM_SUCCESS); ---- shadow-4.0.18.1/lib/defines.h.useradd 2005-09-05 18:22:03.000000000 +0200 -+++ shadow-4.0.18.1/lib/defines.h 2007-11-29 15:47:39.000000000 +0100 + +diff -up shadow-4.1.0/lib/defines.h.selinux shadow-4.1.0/lib/defines.h +--- shadow-4.1.0/lib/defines.h.selinux 2007-11-24 12:18:35.000000000 +0100 ++++ shadow-4.1.0/lib/defines.h 2007-12-12 14:13:30.000000000 +0100 @@ -342,4 +342,7 @@ extern char *strerror (); #include #endif 
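Review bot: The SELinux login-mapping removal added to userdel.c discards the return value of `safe_system(argv[0], argv, NULL, 1)` and suppresses semanage's stderr, so a genuine failure to delete the mapping (semanage absent, policy store locked) leaves no trace, and an account later created with the same name would presumably pick up the stale SELinux user from the old mapping. The same `/usr/sbin/semanage login` call in useradd's selinux_update_mapping() checks the result and prints a warning plus an audit record; userdel should do at least the same, e.g. `if (safe_system (argv[0], argv, NULL, 1)) fprintf (stderr, _("%s: warning: removing the SELinux login mapping for %s failed\n"), Prog, user_name);`. If semanage also errors when no mapping exists, that warning needs a preceding lookup or a comment saying the noise is accepted, which the hunk does not address. The enclosing main() in userdel.c begins and ends outside the hunk.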
@@ -451,9 +439,10 @@ +#include +#endif #endif /* _DEFINES_H_ */ ---- shadow-4.0.18.1/lib/prototypes.h.useradd 2006-02-07 17:36:30.000000000 +0100 -+++ shadow-4.0.18.1/lib/prototypes.h 2007-11-29 15:47:39.000000000 +0100 -@@ -52,6 +52,9 @@ extern int is_listed (const char *, cons +diff -up shadow-4.1.0/lib/prototypes.h.selinux shadow-4.1.0/lib/prototypes.h +--- shadow-4.1.0/lib/prototypes.h.selinux 2007-11-23 21:10:52.000000000 +0100 ++++ shadow-4.1.0/lib/prototypes.h 2007-12-12 14:13:30.000000000 +0100 +@@ -53,6 +53,9 @@ extern int is_listed (const char *, cons /* copydir.c */ extern int copy_tree (const char *, const char *, uid_t, gid_t); extern int remove_tree (const char *); @@ -463,7 +452,7 @@ /* encrypt.c */ extern char *pw_encrypt (const char *, const char *); -@@ -147,6 +150,9 @@ extern void setup_env (struct passwd *); +@@ -151,6 +154,9 @@ extern void setup_env (struct passwd *); /* shell.c */ extern int shell (const char *, const char *, char *const *); diff --git a/shadow-utils.spec b/shadow-utils.spec index 21cace5..dbb681b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -4,31 +4,22 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.0.18.1 -Release: 20%{?dist} +Version: 4.1.0 +Release: 1%{?dist} Epoch: 2 -URL: http://shadow.pld.org.pl/ -Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2 +URL: http://pkg-shadow.alioth.debian.org/ +Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd -Source3: shadow-4.0.16-nscd.c -Patch0: shadow-4.0.17-redhat.patch + +Patch0: shadow-4.1.0-redhat.patch Patch1: shadow-4.0.3-noinst.patch -Patch2: shadow-4.0.11.1-vipw.patch -Patch3: shadow-4.0.14-goodname.patch -Patch4: shadow-4.0.13-newgrpPwd.patch -Patch5: shadow-4.0.16-lOption.patch -Patch6: shadow-4.0.17-notInheritFd.patch -Patch7: shadow-4.0.17-exitValues.patch -Patch8: shadow-4.0.17-auditLogging.patch -Patch9: shadow-4.0.18.1-gid.patch -Patch10: shadow-4.0.18.1-overflow.patch -Patch11: shadow-4.0.17-useradd.patch -Patch12: shadow-4.0.18.1-appendOption.patch -Patch13: shadow-4.0.18.1-sysAccount.patch -Patch14: shadow-4.0.18.1-findNewUidOnce.patch -Patch15: shadow-4.0.18.1-groupLoop.patch -Patch16: shadow-4.0.18.1-mtime.patch +Patch2: shadow-4.1.0-goodname.patch +Patch3: shadow-4.1.0-lOption.patch +Patch4: shadow-4.1.0-selinux.patch +Patch5: shadow-4.0.18.1-sysAccount.patch +Patch6: shadow-4.0.18.1-findNewUidOnce.patch +Patch7: shadow-4.0.18.1-mtime.patch License: BSD Group: System Environment/Base 
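Review bot: The Patch list drops shadow-4.0.18.1-overflow.patch, shadow-4.0.18.1-gid.patch, shadow-4.0.18.1-groupLoop.patch, shadow-4.0.17-notInheritFd.patch and the replacement nscd.c without the spec recording where each fix now lives; the changelog entry only says "new upgrade release from new upstream". For patches with security-relevant names (overflow, notInheritFd) a reviewer cannot tell from this hunk whether 4.1.0 contains the fix or the fix was simply lost in the rebase. A one-line comment above the remaining Patch entries, such as `# overflow, gid, groupLoop, notInheritFd, nscd.c: merged upstream in 4.1.0 (verified against upstream changelog)`, would make the audit trail explicit.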
@@ -55,25 +46,12 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .noinst -%patch2 -p1 -b .vipw -%patch3 -p1 -b .goodname -%patch4 -p1 -b .newgrpPwd -%patch5 -p1 -b .lOption - -#replace whole file -cp %{SOURCE3} lib/nscd.c -%patch6 -p1 -b .notInheritFd - -%patch7 -p1 -b .exitValues -%patch8 -p1 -b .auditLogging -%patch9 -p1 -b .gid -%patch10 -p1 -b .overflow -%patch11 -p1 -b .useradd -%patch12 -p1 -b .appendOption -%patch13 -p1 -b .sysAccount -%patch14 -p1 -b .findNewUidOnce -%patch15 -p1 -b .groupLoop -%patch16 -p1 -b .mtime +%patch2 -p1 -b .goodname +%patch3 -p1 -b .lOption +%patch4 -p1 -b .selinux +%patch5 -p1 -b .sysAccount +%patch6 -p1 -b .findNewUidOnce +%patch7 -p1 -b .mtime rm po/*.gmo rm po/stamp-po @@ -123,8 +101,6 @@ rm $RPM_BUILD_ROOT/%{_bindir}/su rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd -rm $RPM_BUILD_ROOT/%{_sbindir}/vipw -rm $RPM_BUILD_ROOT/%{_sbindir}/vigr rm $RPM_BUILD_ROOT/%{_sbindir}/nologin rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.* @@ -153,12 +129,8 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.* -rm $RPM_BUILD_ROOT/%{_mandir}/man8/vipw.* -rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/vipw.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* -rm $RPM_BUILD_ROOT/%{_mandir}/man8/vigr.* -rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/vigr.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* @@ -193,6 +165,8 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/*conv %{_sbindir}/chpasswd %{_sbindir}/newusers +%{_sbindir}/vipw +%{_sbindir}/vigr %{_mandir}/man1/chage.1* %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* 
@@ -213,8 +187,14 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/*conv.8* %{_mandir}/man8/lastlog.8* %{_mandir}/man8/faillog.8* +%{_mandir}/man8/vipw.8* +%{_mandir}/man8/vigr.8* %changelog +* Wed Dec 12 2007 Peter Vrabec 2:4.1.0-1 +- new upgrade release from new upstream +- provide vipw and vigr + * Thu Nov 29 2007 Peter Vrabec 2:4.0.18.1-20 - do not create mail spool entries for system accounts (#402351) diff --git a/sources b/sources index 8338a1d..7b7416e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -7ebc6a5cd0207246a6b2c9ebf9b30391 shadow-4.0.16-nscd.c -e7751d46ecf219c07ae0b028ab3335c6 shadow-4.0.18.1.tar.bz2 e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs +ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd +dd6ca3ac424b447962d7a7af923b7bda shadow-4.1.0.tar.bz2 From 2c3e028c8e8b9983fbb950566ae9b4a14a77a7ca Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 13 Feb 2008 12:54:32 +0000 Subject: [PATCH 013/151] fix newgrp audit event --- shadow-4.1.0-audit-newgrp.patch | 122 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.0-audit-newgrp.patch diff --git a/shadow-4.1.0-audit-newgrp.patch b/shadow-4.1.0-audit-newgrp.patch new file mode 100644 index 0000000..a94a3d4 --- /dev/null +++ b/shadow-4.1.0-audit-newgrp.patch 
@@ -0,0 +1,122 @@ +diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c +--- shadow-4.1.0.orig/src/newgrp.c 2007-11-18 18:15:05.000000000 -0500 ++++ shadow-4.1.0/src/newgrp.c 2008-02-12 16:45:20.000000000 -0500 +@@ -122,6 +122,8 @@ int main (int argc, char **argv) + #endif + + #ifdef WITH_AUDIT ++ char audit_buf[80]; ++ + audit_help_open (); + #endif + setlocale (LC_ALL, ""); +@@ -164,7 +166,7 @@ int main (int argc, char **argv) + if (!pwd) { + fprintf (stderr, _("unknown UID: %u\n"), getuid ()); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, ++ audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, + getuid (), 0); + #endif + SYSLOG ((LOG_WARN, "unknown UID %u", getuid ())); +@@ -272,8 +274,14 @@ int main (int argc, char **argv) + if (ngroups < 0) { + perror ("getgroups"); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_START, Prog, +- "changing", NULL, getuid (), 0); ++ if (group) { ++ snprintf(audit_buf, sizeof(audit_buf), ++ "changing new-group=%s", group); ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ audit_buf, NULL, getuid (), 0); ++ } else ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ "changing", NULL, getuid (), 0); + #endif + exit (1); + } +@@ -461,8 +469,14 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: failure forking: %s"), + is_newgrp ? "newgrp" : "sg", strerror (errno)); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_START, Prog, "changing", +- NULL, getuid (), 0); ++ if (group) { ++ snprintf(audit_buf, sizeof(audit_buf), ++ "changing new-group=%s", group); ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ audit_buf, NULL, getuid (), 0); ++ } else ++ audit_logger (AUDIT_CHGRP_ID, Prog, "changing", ++ NULL, getuid (), 0); + #endif + exit (1); + } else if (child) { +@@ -531,14 +545,24 @@ int main (int argc, char **argv) + * to the real UID. For root, this also sets the real GID to the + * new group id. 
+ */ +- if (setgid (gid)) ++ if (setgid (gid)) { + perror ("setgid"); ++#ifdef WITH_AUDIT ++ snprintf(audit_buf, sizeof(audit_buf), ++ "changing new-gid=%d", gid); ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ audit_buf, NULL, getuid (), 0); ++#endif ++ exit (1); ++ } + + if (setuid (getuid ())) { + perror ("setuid"); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_START, Prog, "changing", +- NULL, getuid (), 0); ++ snprintf(audit_buf, sizeof(audit_buf), ++ "changing new-gid=%d", gid); ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ audit_buf, NULL, getuid (), 0); + #endif + exit (1); + } +@@ -551,8 +575,10 @@ int main (int argc, char **argv) + closelog (); + execl ("/bin/sh", "sh", "-c", command, (char *) 0); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_START, Prog, "changing", +- NULL, getuid (), 0); ++ snprintf(audit_buf, sizeof(audit_buf), ++ "changing new-gid=%d", gid); ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ audit_buf, NULL, getuid (), 0); + #endif + perror ("/bin/sh"); + exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC); +@@ -618,7 +644,8 @@ int main (int argc, char **argv) + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1); ++ snprintf(audit_buf, sizeof(audit_buf), "changing new-gid=%d", gid); ++ audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1); + #endif + /* + * Exec the login shell and go away. We are trying to get back to +@@ -641,7 +668,14 @@ int main (int argc, char **argv) + */ + closelog (); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0); ++ if (group) { ++ snprintf(audit_buf, sizeof(audit_buf), ++ "changing new-group=%s", group); ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ audit_buf, NULL, getuid (), 0); ++ } else ++ audit_logger (AUDIT_CHGRP_ID, Prog, ++ "changing", NULL, getuid (), 0); + #endif + exit (1); + } diff --git a/shadow-utils.spec b/shadow-utils.spec index dbb681b..a215dd6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
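Review bot: The new audit messages format `gid` with `%d` (`"changing new-gid=%d", gid` in the setgid, setuid, execl and final-success paths), but `setgid (gid)` on the adjacent line suggests gid is a gid_t, which is unsigned on Linux; passing it to `%d` is a format/type mismatch and will render large GIDs as negative numbers in the audit log. Use `snprintf (audit_buf, sizeof (audit_buf), "changing new-gid=%lu", (unsigned long) gid);` at each of those call sites. The 80-byte `audit_buf` also silently truncates `"changing new-group=%s"` for group names longer than roughly 60 characters; that is bounded and safe, but worth a comment if audit consumers key on the full name. The enclosing main() starts and ends outside the hunk.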
@@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -20,6 +20,7 @@ Patch4: shadow-4.1.0-selinux.patch Patch5: shadow-4.0.18.1-sysAccount.patch Patch6: shadow-4.0.18.1-findNewUidOnce.patch Patch7: shadow-4.0.18.1-mtime.patch +Patch8: shadow-4.1.0-audit-newgrp.patch License: BSD Group: System Environment/Base @@ -52,6 +53,7 @@ are used for managing group accounts. %patch5 -p1 -b .sysAccount %patch6 -p1 -b .findNewUidOnce %patch7 -p1 -b .mtime +%patch8 -p1 -b .auditNewgrp rm po/*.gmo rm po/stamp-po @@ -191,6 +193,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 13 2008 Peter Vrabec 2:4.1.0-2 +- fix newgrp audit event + * Wed Dec 12 2007 Peter Vrabec 2:4.1.0-1 - new upgrade release from new upstream - provide vipw and vigr From 37c1b28cf99f2153dcc05e53a40beb96e02214ee Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 19 Feb 2008 12:01:10 +0000 Subject: [PATCH 014/151] fix groupmems segmentation fault (#430813) --- shadow-4.1.0-segfault.patch | 12 ++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.0-segfault.patch diff --git a/shadow-4.1.0-segfault.patch b/shadow-4.1.0-segfault.patch new file mode 100644 index 0000000..c9f6091 --- /dev/null +++ b/shadow-4.1.0-segfault.patch 
@@ -0,0 +1,12 @@ +diff -up shadow-4.1.0/src/groupmems.c.segfault shadow-4.1.0/src/groupmems.c +--- shadow-4.1.0/src/groupmems.c.segfault 2008-02-19 12:39:23.000000000 +0100 ++++ shadow-4.1.0/src/groupmems.c 2008-02-19 12:55:06.000000000 +0100 +@@ -106,7 +106,7 @@ static void addtogroup (char *user, char + } + } + +- members = (char **) realloc (members, sizeof (char *) * i); ++ members = (char **) realloc (members, sizeof (char *) * (i + 2)); + members[i] = user; + members[i + 1] = NULL; + } diff --git a/shadow-utils.spec b/shadow-utils.spec index a215dd6..4ca5e69 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.0 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -21,6 +21,7 @@ Patch5: shadow-4.0.18.1-sysAccount.patch Patch6: shadow-4.0.18.1-findNewUidOnce.patch Patch7: shadow-4.0.18.1-mtime.patch Patch8: shadow-4.1.0-audit-newgrp.patch +Patch9: shadow-4.1.0-segfault.patch License: BSD Group: System Environment/Base @@ -54,6 +55,7 @@ are used for managing group accounts. %patch6 -p1 -b .findNewUidOnce %patch7 -p1 -b .mtime %patch8 -p1 -b .auditNewgrp +%patch9 -p1 -b .segfault rm po/*.gmo rm po/stamp-po @@ -193,6 +195,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 19 2008 Peter Vrabec 2:4.1.0-3 +- fix groupmems segmentation fault (#430813) + * Wed Feb 13 2008 Peter Vrabec 2:4.1.0-2 - fix newgrp audit event From d58e4bd86218404d17345d9874933deaa8749249 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 3 Mar 2008 14:14:07 +0000 Subject: [PATCH 015/151] fix selinux labeling (#433757) --- shadow-4.1.0-selinux.patch | 733 ++++++++++++++++++++++++------------- shadow-utils.spec | 5 +- 2 files changed, 476 insertions(+), 262 deletions(-) 
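Review bot: The corrected line still assigns the realloc() result directly to `members`, so a NULL return is dereferenced on the very next line (`members[i] = user;`) and the only reference to the old array is lost. The minimal safe form is `char **tmp = realloc (members, sizeof (char *) * (i + 2)); if (tmp == NULL) { fail/report here }` followed by `members = tmp;`, using whatever error convention groupmems.c uses elsewhere, which is not visible in this hunk. The size fix itself looks right: the two extra slots are exactly the new member and the terminating NULL written on the following two lines. addtogroup() begins outside the hunk.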
diff --git a/shadow-4.1.0-selinux.patch b/shadow-4.1.0-selinux.patch index ec8eed7..adbe90c 100644 --- a/shadow-4.1.0-selinux.patch +++ b/shadow-4.1.0-selinux.patch @@ -1,6 +1,6 @@ -diff -up /dev/null shadow-4.1.0/libmisc/system.c ---- /dev/null 2007-12-08 00:31:02.590331462 +0100 -+++ shadow-4.1.0/libmisc/system.c 2007-12-12 14:13:30.000000000 +0100 +diff -upb shadow-4.1.0/libmisc/system.c.selinux shadow-4.1.0/libmisc/system.c +--- shadow-4.1.0/libmisc/system.c.selinux 2008-03-03 14:18:17.000000000 +0100 ++++ shadow-4.1.0/libmisc/system.c 2008-03-03 14:18:17.000000000 +0100 @@ -0,0 +1,37 @@ +#include + @@ -39,9 +39,20 @@ diff -up /dev/null shadow-4.1.0/libmisc/system.c + exit (-1); +} + -diff -up shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c +diff -upb shadow-4.1.0/libmisc/Makefile.am.selinux shadow-4.1.0/libmisc/Makefile.am +--- shadow-4.1.0/libmisc/Makefile.am.selinux 2007-11-23 10:15:48.000000000 +0100 ++++ shadow-4.1.0/libmisc/Makefile.am 2008-03-03 14:18:17.000000000 +0100 +@@ -42,6 +42,7 @@ libmisc_a_SOURCES = \ + setugid.c \ + setupenv.c \ + shell.c \ ++ system.c \ + strtoday.c \ + sub.c \ + sulog.c \ +diff -upb shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c --- shadow-4.1.0/libmisc/copydir.c.selinux 2007-11-11 00:45:59.000000000 +0100 -+++ shadow-4.1.0/libmisc/copydir.c 2007-12-12 14:13:30.000000000 +0100 ++++ shadow-4.1.0/libmisc/copydir.c 2008-03-03 14:19:01.000000000 +0100 @@ -54,7 +54,7 @@ struct link_name { static struct link_name *links; 
@@ -51,150 +62,196 @@ diff -up shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c { security_context_t scontext = NULL; -diff -up shadow-4.1.0/libmisc/Makefile.am.selinux shadow-4.1.0/libmisc/Makefile.am ---- shadow-4.1.0/libmisc/Makefile.am.selinux 2007-11-23 10:15:48.000000000 +0100 -+++ shadow-4.1.0/libmisc/Makefile.am 2007-12-12 14:13:30.000000000 +0100 -@@ -42,6 +42,7 @@ libmisc_a_SOURCES = \ - setugid.c \ - setupenv.c \ - shell.c \ -+ system.c \ - strtoday.c \ - sub.c \ - sulog.c \ -diff -up shadow-4.1.0/src/useradd.c.selinux shadow-4.1.0/src/useradd.c ---- shadow-4.1.0/src/useradd.c.selinux 2007-12-12 14:11:41.000000000 +0100 -+++ shadow-4.1.0/src/useradd.c 2007-12-12 14:24:12.000000000 +0100 -@@ -100,6 +100,7 @@ static const char *user_comment = ""; - static const char *user_home = ""; - static const char *user_shell = ""; - static const char *create_mail_spool = ""; -+static const char *user_selinux = ""; - - static long user_expire = -1; - static int is_shadow_pwd; -@@ -170,6 +171,7 @@ static int set_defaults (void); - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static long scale_age (long); - static void new_spent (struct spwd *); -@@ -356,6 +358,7 @@ static void get_defaults (void) - def_create_mail_spool = xstrdup (cp); +@@ -199,7 +199,7 @@ int copy_tree (const char *src_root, con + if (strlen (src_root) + strlen (ent->d_name) + 2 > + sizeof src_name) { + err++; +- break; ++ break; } + snprintf (src_name, sizeof src_name, "%s/%s", src_root, + ent->d_name); +@@ -207,7 +207,7 @@ int copy_tree (const char *src_root, con + if (strlen (dst_root) + strlen (ent->d_name) + 2 > + sizeof dst_name) { + err++; +- break; ++ break; + } + snprintf (dst_name, sizeof dst_name, "%s/%s", dst_root, + ent->d_name); +@@ -313,7 +313,7 @@ int copy_tree (const char *src_root, con + if (mknod (dst_name, sb.st_mode & ~07777, sb.st_rdev) + || chown 
(dst_name, + uid == (uid_t) - 1 ? sb.st_uid : uid, +- gid == (gid_t) - 1 ? sb.st_gid : gid) ++ gid == (gid_t) - 1 ? sb.st_gid : gid) + || chmod (dst_name, sb.st_mode & 07777)) { + err++; + break; +@@ -363,6 +363,10 @@ int copy_tree (const char *src_root, con + src_orig = 0; + dst_orig = 0; } -+ fclose(fp); ++#ifdef WITH_SELINUX ++ /* Reset SELinux to create files with default contexts */ ++ setfscreatecon (NULL); ++#endif + return err ? -1 : 0; } - /* -@@ -644,6 +647,10 @@ static void usage (void) - " account\n" - " -s, --shell SHELL the login shell for the new user account\n" - " -u, --uid UID force use the UID for the new user account\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" -+#endif -+ - "\n")); - exit (E_USAGE); - } -@@ -1030,11 +1037,18 @@ static void process_flags (int argc, cha - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, - {"shell", required_argument, NULL, 's'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"uid", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:", -+#else - getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1215,6 +1229,17 @@ static void process_flags (int argc, cha - case 'M': - Mflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1583,6 +1608,33 @@ static void usr_update (void) - grp_update (); - } +diff -upb shadow-4.1.0/man/usermod.8.xml.selinux shadow-4.1.0/man/usermod.8.xml +--- shadow-4.1.0/man/usermod.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 ++++ 
shadow-4.1.0/man/usermod.8.xml 2008-03-03 14:18:17.000000000 +0100 +@@ -245,6 +245,19 @@ + + + ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. The default is to leave this ++ field the blank, which causes the system to select the default ++ SELinux user. ++ ++ ++ + + -+static void selinux_update_mapping () { -+ +diff -upb shadow-4.1.0/man/useradd.8.selinux shadow-4.1.0/man/useradd.8 +--- shadow-4.1.0/man/useradd.8.selinux 2008-03-03 14:14:45.000000000 +0100 ++++ shadow-4.1.0/man/useradd.8 2008-03-03 14:18:17.000000000 +0100 +@@ -163,6 +163,11 @@ doesn\'t work yet\. + Allow the creation of a user account with a duplicate (non\-unique) UID\. + .RE + .PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. ++.RE ++.PP + \fB\-p\fR, \fB\-\-password\fR \fIPASSWORD\fR + .RS 4 + The encrypted password, as returned by +diff -upb shadow-4.1.0/man/usermod.8.selinux shadow-4.1.0/man/usermod.8 +--- shadow-4.1.0/man/usermod.8.selinux 2007-12-10 00:07:16.000000000 +0100 ++++ shadow-4.1.0/man/usermod.8 2008-03-03 14:18:17.000000000 +0100 +@@ -133,6 +133,11 @@ Note: if you wish to unlock the account + value from + \fI/etc/default/useradd\fR)\. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. ++.RE + .SH "CAVEATS" + .PP + +diff -upb shadow-4.1.0/man/useradd.8.xml.selinux shadow-4.1.0/man/useradd.8.xml +--- shadow-4.1.0/man/useradd.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 ++++ shadow-4.1.0/man/useradd.8.xml 2008-03-03 14:18:17.000000000 +0100 +@@ -273,6 +273,19 @@ + between 0 and 999 are typically reserved for system accounts. + + ++ ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. 
The default is to leave this ++ field blank, which causes the system to select the default SELinux ++ user. ++ ++ + + + +@@ -346,7 +359,7 @@ + + + +- ++ + + + +@@ -399,7 +412,7 @@ + + + FILES +- ++ + + /etc/passwd + +diff -upb shadow-4.1.0/lib/prototypes.h.selinux shadow-4.1.0/lib/prototypes.h +--- shadow-4.1.0/lib/prototypes.h.selinux 2007-11-23 21:10:52.000000000 +0100 ++++ shadow-4.1.0/lib/prototypes.h 2008-03-03 14:18:17.000000000 +0100 +@@ -53,6 +53,9 @@ extern int is_listed (const char *, cons + /* copydir.c */ + extern int copy_tree (const char *, const char *, uid_t, gid_t); + extern int remove_tree (const char *); +#ifdef WITH_SELINUX -+ if (is_selinux_enabled() <= 0) return; ++extern int selinux_file_context (const char *dst_name); ++#endif + + /* encrypt.c */ + extern char *pw_encrypt (const char *, const char *); +@@ -151,6 +154,9 @@ extern void setup_env (struct passwd *); + /* shell.c */ + extern int shell (const char *, const char *, char *const *); + ++/* system.c */ ++extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); + -+ if (*user_selinux) { /* must be done after passwd write() */ -+ const char *argv[7]; + /* strtoday.c */ + extern long strtoday (const char *); + +diff -upb shadow-4.1.0/lib/defines.h.selinux shadow-4.1.0/lib/defines.h +--- shadow-4.1.0/lib/defines.h.selinux 2007-11-24 12:18:35.000000000 +0100 ++++ shadow-4.1.0/lib/defines.h 2008-03-03 14:18:17.000000000 +0100 +@@ -342,4 +342,7 @@ extern char *strerror (); + #include + #endif + ++#ifdef WITH_SELINUX ++#include ++#endif + #endif /* _DEFINES_H_ */ +diff -upb shadow-4.1.0/src/userdel.c.selinux shadow-4.1.0/src/userdel.c +--- shadow-4.1.0/src/userdel.c.selinux 2007-11-24 23:41:19.000000000 +0100 ++++ shadow-4.1.0/src/userdel.c 2008-03-03 14:18:17.000000000 +0100 +@@ -809,6 +809,17 @@ int main (int argc, char **argv) + #endif + } + ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() > 0) { ++ const char *argv[5]; + argv[0] = 
"/usr/sbin/semanage"; + argv[1] = "login"; -+ argv[2] = "-a"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "adding SELinux user mapping", user_name, user_id, 0); ++ argv[2] = "-d"; ++ argv[3] = user_name; ++ argv[4] = NULL; ++ safe_system(argv[0], argv, NULL, 1); ++ } +#endif -+ } -+ } -+#endif -+ -+} - /* - * create_home - create the user's home directory - * -@@ -1592,7 +1644,11 @@ static void usr_update (void) - */ - static void create_home (void) - { -+ - if (access (user_home, F_OK)) { -+#ifdef WITH_SELINUX -+ selinux_file_context (user_home); -+#endif - /* XXX - create missing parent directories. --marekm */ - if (mkdir (user_home, 0)) { - fprintf (stderr, -@@ -1818,6 +1874,8 @@ int main (int argc, char **argv) - - usr_update (); - -+ selinux_update_mapping(); -+ - if (mflg) { - create_home (); - if (home_added) -diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c + /* + * Cancel any crontabs or at jobs. Have to do this before we remove + * the entry from /etc/passwd. +diff -upb shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c --- shadow-4.1.0/src/usermod.c.selinux 2007-11-24 23:41:19.000000000 +0100 -+++ shadow-4.1.0/src/usermod.c 2007-12-12 14:21:44.000000000 +0100 ++++ shadow-4.1.0/src/usermod.c 2008-03-03 14:18:17.000000000 +0100 @@ -90,6 +90,7 @@ static char *user_comment; static char *user_home; static char *user_newhome; 
@@ -211,6 +268,21 @@ diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c static void new_spent (struct spwd *); static void fail_exit (int); +@@ -250,12 +252,12 @@ static int get_groups (char *list) + #endif + + if (ngroups == sys_ngroups) { +- fprintf (stderr, ++ fprintf (stderr, + _ + ("%s: too many groups specified (max %d).\n"), + Prog, ngroups); + break; +- } ++ } + + /* + * Add the group name to the user's list of groups. @@ -302,6 +304,9 @@ static void usage (void) " -s, --shell SHELL new login shell for the user account\n" " -u, --uid UID new UID for the user account\n" @@ -221,6 +293,33 @@ diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c "\n")); exit (E_USAGE); } +@@ -332,7 +337,7 @@ static char *new_pw_passwd (char *pw_pas + "You should set a password with usermod -p to unlock this user account.\n"), + Prog); + return pw_pass; +- } ++ } + + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password", +@@ -405,7 +410,7 @@ static void new_pwent (struct passwd *pw + #else + pwent->pw_gecos = user_comment; + #endif +- } ++ } + + if (dflg) { + #ifdef WITH_AUDIT +@@ -826,7 +831,7 @@ static void process_flags (int argc, cha + user_comment = xstrdup (pwd->pw_gecos); + user_home = xstrdup (pwd->pw_dir); + user_shell = xstrdup (pwd->pw_shell); +- } ++ } + #ifdef WITH_AUDIT + user_newname = user_name; + user_newid = user_id; @@ -888,13 +893,20 @@ static void process_flags (int argc, cha {"move-home", no_argument, NULL, 'm'}, {"non-unique", no_argument, NULL, 'o'}, @@ -242,6 +341,15 @@ diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c long_options, NULL)) != -1) { switch (c) { case 'a': +@@ -966,7 +978,7 @@ static void process_flags (int argc, cha + fprintf (stderr, + _("%s: unknown group %s\n"), + Prog, optarg); +- exit (E_NOTFOUND); ++ exit (E_NOTFOUND); + } + user_newgid = grp->gr_gid; + gflg++; @@ -1028,6 +1040,16 @@ static void process_flags (int argc, cha case 'U': Uflg++; 
@@ -259,6 +367,15 @@ diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c default: usage (); } +@@ -1040,7 +1062,7 @@ static void process_flags (int argc, cha + exit (E_USAGE); + } + if (!is_shadow_pwd && (eflg || fflg)) { +- fprintf (stderr, ++ fprintf (stderr, + _ + ("%s: shadow passwords required for -e and -f\n"), + Prog); @@ -1575,6 +1597,8 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); 
@@ -331,134 +448,228 @@ diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c + } +#endif +} -diff -up shadow-4.1.0/src/userdel.c.selinux shadow-4.1.0/src/userdel.c ---- shadow-4.1.0/src/userdel.c.selinux 2007-11-24 23:41:19.000000000 +0100 -+++ shadow-4.1.0/src/userdel.c 2007-12-12 14:13:30.000000000 +0100 -@@ -809,6 +809,17 @@ int main (int argc, char **argv) - #endif - } +diff -upb shadow-4.1.0/src/useradd.c.selinux shadow-4.1.0/src/useradd.c +--- shadow-4.1.0/src/useradd.c.selinux 2008-03-03 14:14:45.000000000 +0100 ++++ shadow-4.1.0/src/useradd.c 2008-03-03 14:19:01.000000000 +0100 +@@ -100,6 +100,7 @@ static const char *user_comment = ""; + static const char *user_home = ""; + static const char *user_shell = ""; + static const char *create_mail_spool = ""; ++static const char *user_selinux = ""; + static long user_expire = -1; + static int is_shadow_pwd; +@@ -170,6 +171,7 @@ static int set_defaults (void); + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); ++static void selinux_update_mapping (void); + + static long scale_age (long); + static void new_spent (struct spwd *); +@@ -356,6 +358,7 @@ static void get_defaults (void) + def_create_mail_spool = xstrdup (cp); + } + } ++ fclose(fp); + } + + /* +@@ -586,7 +589,7 @@ static int get_groups (char *list) + #endif + + if (ngroups == sys_ngroups) { +- fprintf (stderr, ++ fprintf (stderr, + _ + ("%s: too many groups specified (max %d).\n"), + Prog, ngroups); +@@ -644,6 +647,10 @@ static void usage (void) + " account\n" + " -s, --shell SHELL the login shell for the new user account\n" + " -u, --uid UID force use the UID for the new user account\n" +#ifdef WITH_SELINUX -+ if (is_selinux_enabled() > 0) { -+ const char *argv[5]; ++ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" ++#endif ++ + "\n")); + exit (E_USAGE); + } +@@ -696,7 +703,7 @@ static void new_spent (struct spwd *spen + spent->sp_warn = scale_age 
(getdef_num ("PASS_WARN_AGE", -1)); + spent->sp_inact = scale_age (def_inactive); + spent->sp_expire = scale_age (user_expire); +- } ++ } + else { + spent->sp_min = scale_age(-1); + spent->sp_max = scale_age(-1); +@@ -1030,32 +1037,39 @@ static void process_flags (int argc, cha + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, + {"shell", required_argument, NULL, 's'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {"uid", required_argument, NULL, 'u'}, + {NULL, 0, NULL, '\0'} + }; + while ((c = ++#ifdef WITH_SELINUX ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:", ++#else + getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'b': + if (!VALID (optarg) + || optarg[0] != '/') { +- fprintf (stderr, ++ fprintf (stderr, + _ + ("%s: invalid base directory '%s'\n"), + Prog, optarg); +- exit (E_BAD_ARG); ++ exit (E_BAD_ARG); + } + def_home = optarg; + bflg++; + break; + case 'c': + if (!VALID (optarg)) { +- fprintf (stderr, ++ fprintf (stderr, + _ + ("%s: invalid comment '%s'\n"), + Prog, optarg); +- exit (E_BAD_ARG); ++ exit (E_BAD_ARG); + } + user_comment = optarg; + cflg++; +@@ -1063,11 +1077,11 @@ static void process_flags (int argc, cha + case 'd': + if (!VALID (optarg) + || optarg[0] != '/') { +- fprintf (stderr, ++ fprintf (stderr, + _ + ("%s: invalid home directory '%s'\n"), + Prog, optarg); +- exit (E_BAD_ARG); ++ exit (E_BAD_ARG); + } + user_home = optarg; + dflg++; +@@ -1161,7 +1175,7 @@ static void process_flags (int argc, cha + _ + ("%s: -K requires KEY=VALUE\n"), + Prog); +- exit (E_BAD_ARG); ++ exit (E_BAD_ARG); + } + /* terminate name, point to value */ + *cp++ = '\0'; +@@ -1215,6 +1229,17 @@ static void process_flags (int argc, cha + case 'M': + Mflg++; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled() > 0) ++ user_selinux = optarg; ++ else { ++ fprintf (stderr,_("%s: -Z 
requires SELinux enabled kernel\n"), Prog); ++ ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -1238,7 +1263,7 @@ static void process_flags (int argc, cha + */ + if (Dflg) { + if (optind != argc) +- usage (); ++ usage (); + + if (uflg || oflg || Gflg || dflg || cflg || mflg) + usage (); +@@ -1253,7 +1278,7 @@ static void process_flags (int argc, cha + ("%s: invalid user name '%s'\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", + user_name, -1, 0); + #endif + exit (E_BAD_ARG); +@@ -1583,6 +1608,33 @@ static void usr_update (void) + grp_update (); + } + ++static void selinux_update_mapping () { ++ ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() <= 0) return; ++ ++ if (*user_selinux) { /* must be done after passwd write() */ ++ const char *argv[7]; + argv[0] = "/usr/sbin/semanage"; + argv[1] = "login"; -+ argv[2] = "-d"; -+ argv[3] = user_name; -+ argv[4] = NULL; -+ safe_system(argv[0], argv, NULL, 1); -+ } ++ argv[2] = "-a"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "adding SELinux user mapping", user_name, user_id, 0); +#endif - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. -diff -up shadow-4.1.0/man/useradd.8.selinux shadow-4.1.0/man/useradd.8 ---- shadow-4.1.0/man/useradd.8.selinux 2007-12-12 14:11:41.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8 2007-12-12 14:19:21.000000000 +0100 -@@ -163,6 +163,11 @@ doesn\'t work yet\. - Allow the creation of a user account with a duplicate (non\-unique) UID\. 
- .RE - .PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. -+.RE -+.PP - \fB\-p\fR, \fB\-\-password\fR \fIPASSWORD\fR - .RS 4 - The encrypted password, as returned by -diff -up shadow-4.1.0/man/usermod.8.xml.selinux shadow-4.1.0/man/usermod.8.xml ---- shadow-4.1.0/man/usermod.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 -+++ shadow-4.1.0/man/usermod.8.xml 2007-12-12 14:13:30.000000000 +0100 -@@ -245,6 +245,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field the blank, which causes the system to select the default -+ SELinux user. -+ -+ -+ - - - -diff -up shadow-4.1.0/man/usermod.8.selinux shadow-4.1.0/man/usermod.8 ---- shadow-4.1.0/man/usermod.8.selinux 2007-12-10 00:07:16.000000000 +0100 -+++ shadow-4.1.0/man/usermod.8 2007-12-12 14:17:10.000000000 +0100 -@@ -133,6 +133,11 @@ Note: if you wish to unlock the account - value from - \fI/etc/default/useradd\fR)\. - .RE -+.PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. -+.RE - .SH "CAVEATS" - .PP - -diff -up shadow-4.1.0/man/useradd.8.xml.selinux shadow-4.1.0/man/useradd.8.xml ---- shadow-4.1.0/man/useradd.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8.xml 2007-12-12 14:13:30.000000000 +0100 -@@ -274,6 +274,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field blank, which causes the system to select the default SELinux -+ user. 
-+ -+ -+ - - - -diff -up shadow-4.1.0/lib/defines.h.selinux shadow-4.1.0/lib/defines.h ---- shadow-4.1.0/lib/defines.h.selinux 2007-11-24 12:18:35.000000000 +0100 -+++ shadow-4.1.0/lib/defines.h 2007-12-12 14:13:30.000000000 +0100 -@@ -342,4 +342,7 @@ extern char *strerror (); - #include - #endif - -+#ifdef WITH_SELINUX -+#include ++ } ++ } +#endif - #endif /* _DEFINES_H_ */ -diff -up shadow-4.1.0/lib/prototypes.h.selinux shadow-4.1.0/lib/prototypes.h ---- shadow-4.1.0/lib/prototypes.h.selinux 2007-11-23 21:10:52.000000000 +0100 -+++ shadow-4.1.0/lib/prototypes.h 2007-12-12 14:13:30.000000000 +0100 -@@ -53,6 +53,9 @@ extern int is_listed (const char *, cons - /* copydir.c */ - extern int copy_tree (const char *, const char *, uid_t, gid_t); - extern int remove_tree (const char *); -+#ifdef WITH_SELINUX -+extern int selinux_file_context (const char *dst_name); -+#endif - - /* encrypt.c */ - extern char *pw_encrypt (const char *, const char *); -@@ -151,6 +154,9 @@ extern void setup_env (struct passwd *); - /* shell.c */ - extern int shell (const char *, const char *, char *const *); - -+/* system.c */ -+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); + - /* strtoday.c */ - extern long strtoday (const char *); ++} + /* + * create_home - create the user's home directory + * +@@ -1592,7 +1644,11 @@ static void usr_update (void) + */ + static void create_home (void) + { ++ + if (access (user_home, F_OK)) { ++#ifdef WITH_SELINUX ++ selinux_file_context (user_home); ++#endif + /* XXX - create missing parent directories. 
--marekm */ + if (mkdir (user_home, 0)) { + fprintf (stderr, +@@ -1614,6 +1670,10 @@ static void create_home (void) + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "adding home directory", user_name, user_id, 1); + #endif ++#ifdef WITH_SELINUX ++ /* Reset SELinux to create files with default contexts */ ++ setfscreatecon (NULL); ++#endif + } + } + +@@ -1847,6 +1907,8 @@ int main (int argc, char **argv) + + close_files (); + ++ selinux_update_mapping(); ++ + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); diff --git a/shadow-utils.spec b/shadow-utils.spec index 4ca5e69..c64135d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.0 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -195,6 +195,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Mar 03 2008 Peter Vrabec 2:4.1.0-4 +- fix selinux labeling (#433757) + * Tue Feb 19 2008 Peter Vrabec 2:4.1.0-3 - fix groupmems segmentation fault (#430813) From b4dd99d31bb0995aabef0ff06cc84f8d9f6ef5f0 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Fri, 7 Mar 2008 15:06:15 +0000 Subject: [PATCH 016/151] improve newgrp audit patch --- shadow-4.1.0-audit-newgrp.patch | 84 ++++++++++++++++++++++----------- shadow-utils.spec | 7 ++- 2 files changed, 62 insertions(+), 29 deletions(-) diff --git a/shadow-4.1.0-audit-newgrp.patch b/shadow-4.1.0-audit-newgrp.patch index a94a3d4..e7a433a 100644 --- a/shadow-4.1.0-audit-newgrp.patch +++ b/shadow-4.1.0-audit-newgrp.patch 
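Review bot: The new `case 'Z':` in process_flags stores optarg into user_selinux without the `VALID (optarg)` check that the neighbouring `-b`, `-c` and `-d` cases apply before accepting their argument, so the value reaches the `/usr/sbin/semanage` argv in selinux_update_mapping unvalidated; a guard such as `if (!VALID (optarg)) exit (E_BAD_ARG);` before the assignment (with the same kind of error message the other cases print) keeps the option consistent with the rest of the parser. The value is passed as its own argv element through safe_system rather than via a shell, so the exposure looks limited, but rejecting control characters here is cheap. The definition `static void selinux_update_mapping () {` is an old-style non-prototype definition while the declaration added earlier in the hunk is `static void selinux_update_mapping (void);`; write the definition as `static void selinux_update_mapping (void)` so the two agree. create_home discards the return value of `selinux_file_context (user_home);`, so a failure to set the file-creation context is not reported and the home directory is silently created with whatever label the default yields. When `semanage login -a` fails, selinux_update_mapping only prints the warning and an audit record with result 0 while useradd still exits successfully with the account created under the default SELinux user, which is worth stating in the warning text or making a hard failure.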
@@ -1,7 +1,7 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c --- shadow-4.1.0.orig/src/newgrp.c 2007-11-18 18:15:05.000000000 -0500 -+++ shadow-4.1.0/src/newgrp.c 2008-02-12 16:45:20.000000000 -0500 -@@ -122,6 +122,8 @@ int main (int argc, char **argv) ++++ shadow-4.1.0/src/newgrp.c 2008-03-06 10:01:17.000000000 -0500 +@@ -122,6 +123,8 @@ int main (int argc, char **argv) #endif #ifdef WITH_AUDIT @@ -10,7 +10,7 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c audit_help_open (); #endif setlocale (LC_ALL, ""); -@@ -164,7 +166,7 @@ int main (int argc, char **argv) +@@ -164,7 +167,7 @@ int main (int argc, char **argv) if (!pwd) { fprintf (stderr, _("unknown UID: %u\n"), getuid ()); #ifdef WITH_AUDIT 
@@ -19,41 +19,69 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c getuid (), 0); #endif SYSLOG ((LOG_WARN, "unknown UID %u", getuid ())); -@@ -272,8 +274,14 @@ int main (int argc, char **argv) +@@ -272,7 +275,13 @@ int main (int argc, char **argv) if (ngroups < 0) { perror ("getgroups"); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, -- "changing", NULL, getuid (), 0); + if (group) { -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-group=%s", group); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", group); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); + } else + audit_logger (AUDIT_CHGRP_ID, Prog, -+ "changing", NULL, getuid (), 0); + "changing", NULL, getuid (), 0); #endif exit (1); +@@ -394,13 +403,26 @@ int main (int argc, char **argv) + + if (grp->gr_passwd[0] == '\0' || + strcmp (cpasswd, grp->gr_passwd) != 0) { ++#ifdef WITH_AUDIT ++ snprintf (audit_buf, sizeof(audit_buf), ++ "authentication new_gid=%d", ++ grp->gr_gid); ++ audit_logger (AUDIT_GRP_AUTH, Prog, ++ audit_buf, NULL, getuid (), 0); ++#endif + SYSLOG ((LOG_INFO, + "Invalid password for group `%s' from `%s'", + group, name)); + sleep (1); +- fputs (_("Invalid password."), stderr); ++ fputs (_("Invalid password.\n"), stderr); + goto failure; + } ++#ifdef WITH_AUDIT ++ snprintf (audit_buf, sizeof(audit_buf), ++ "authentication new_gid=%d", grp->gr_gid); ++ audit_logger (AUDIT_GRP_AUTH, Prog, ++ audit_buf, NULL, getuid (), 1); ++#endif } -@@ -461,8 +469,14 @@ int main (int argc, char **argv) - fprintf (stderr, _("%s: failure forking: %s"), + + /* +@@ -458,10 +480,16 @@ int main (int argc, char **argv) + child = fork (); + if (child < 0) { + /* error in fork() */ +- fprintf (stderr, _("%s: failure forking: %s"), ++ fprintf (stderr, _("%s: failure forking: %s\n"), is_newgrp ? 
"newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", -- NULL, getuid (), 0); + if (group) { -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-group=%s", group); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", group); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); + } else + audit_logger (AUDIT_CHGRP_ID, Prog, "changing", -+ NULL, getuid (), 0); + NULL, getuid (), 0); #endif exit (1); - } else if (child) { -@@ -531,14 +545,24 @@ int main (int argc, char **argv) +@@ -531,14 +559,24 @@ int main (int argc, char **argv) * to the real UID. For root, this also sets the real GID to the * new group id. */ @@ -61,8 +89,8 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c + if (setgid (gid)) { perror ("setgid"); +#ifdef WITH_AUDIT -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); +#endif 
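Review bot: `snprintf (audit_buf, sizeof(audit_buf), "authentication new_gid=%d", grp->gr_gid);` formats a `gid_t` with `%d`, and the hunk at `@@ -74,44 +102,44 @@` does the same with `gid` in its `"changing new_gid=%d"` messages; on glibc gid_t is an unsigned type, and this file already prints ids as `%u` (the `unknown UID: %u` message above), so `"authentication new_gid=%u", (unsigned int) grp->gr_gid` (and likewise for `gid`) matches the argument to the conversion. The `"changing new_group=%s"` records copy the caller-supplied group name into the 80-byte `audit_buf`; snprintf truncates safely, but a long name produces a clipped audit message, so either size the buffer from the name or add a comment noting that the record may be truncated. The enclosing main() starts and ends outside the hunk.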
@@ -74,44 +102,44 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", - NULL, getuid (), 0); -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); #endif exit (1); } -@@ -551,8 +575,10 @@ int main (int argc, char **argv) +@@ -551,8 +589,10 @@ int main (int argc, char **argv) closelog (); execl ("/bin/sh", "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", - NULL, getuid (), 0); -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); #endif perror ("/bin/sh"); exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -618,7 +644,8 @@ int main (int argc, char **argv) +@@ -618,7 +658,8 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1); -+ snprintf(audit_buf, sizeof(audit_buf), "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1); #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -641,7 +668,14 @@ int main (int argc, char **argv) +@@ -641,7 +682,14 @@ int main (int argc, char **argv) */ closelog (); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0); + if (group) { -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-group=%s", group); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", group); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); + } else 
diff --git a/shadow-utils.spec b/shadow-utils.spec index c64135d..894b84b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.0 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -22,6 +22,7 @@ Patch6: shadow-4.0.18.1-findNewUidOnce.patch Patch7: shadow-4.0.18.1-mtime.patch Patch8: shadow-4.1.0-audit-newgrp.patch Patch9: shadow-4.1.0-segfault.patch +Patch10: shadow-4.1.0-fasterReset.patch License: BSD Group: System Environment/Base @@ -56,6 +57,7 @@ are used for managing group accounts. %patch7 -p1 -b .mtime %patch8 -p1 -b .auditNewgrp %patch9 -p1 -b .segfault +%patch10 -p1 -b .fasterReset rm po/*.gmo rm po/stamp-po @@ -195,6 +197,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Mar 07 2008 Peter Vrabec 2:4.1.0-5 +- improve newgrp audit patch + * Mon Mar 03 2008 Peter Vrabec 2:4.1.0-4 - fix selinux labeling (#433757) From 34e80945bb2b8f3bfa0da5ecdff3dd7fc79a4193 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Fri, 7 Mar 2008 15:34:03 +0000 Subject: [PATCH 017/151] add faster reset patch --- shadow-4.1.0-fasterReset.patch | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 shadow-4.1.0-fasterReset.patch diff --git a/shadow-4.1.0-fasterReset.patch b/shadow-4.1.0-fasterReset.patch new file mode 100644 index 0000000..27c7155 --- /dev/null +++ b/shadow-4.1.0-fasterReset.patch 
@@ -0,0 +1,19 @@ +diff -up shadow-4.1.0/src/faillog.c.fasterReset shadow-4.1.0/src/faillog.c +--- shadow-4.1.0/src/faillog.c.fasterReset 2008-03-04 14:08:55.000000000 +0100 ++++ shadow-4.1.0/src/faillog.c 2008-03-04 14:11:13.000000000 +0100 +@@ -164,8 +164,13 @@ static void reset (void) + + if (uflg) + reset_one (user); +- else +- for (uid = 0; reset_one (uid); uid++); ++ else { ++ struct passwd *pwent; ++ ++ setpwent (); ++ while ( pwent = getpwent () ) ++ reset_one (pwent->pw_uid); ++ } + } + + static void print (void) From b83095da8b302ee7013396424282f9abe0a8962c Mon Sep 17 00:00:00 2001 
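Review bot: The new loop `while ( pwent = getpwent () )` in reset() is not followed by `endpwent ()`, so the passwd enumeration opened by `setpwent ()` is left open when the function returns; add `endpwent ();` after the loop. Writing the condition as `while ((pwent = getpwent ()) != NULL)` also makes the assignment-in-condition explicit and avoids the compiler's parentheses warning. Note that the replaced `for (uid = 0; reset_one (uid); uid++);` stopped at the first uid for which reset_one returned zero, whereas the new loop resets every passwd entry regardless of reset_one's result; that appears to be the intent, but the patch does not say so and a one-line comment would. reset() opens above the hunk's first context line.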
From: Peter Vrabec Date: Sat, 5 Apr 2008 13:17:48 +0000 Subject: [PATCH 018/151] upgrade --- .cvsignore | 2 +- shadow-4.0.18.1-findNewUidOnce.patch | 113 ----- shadow-4.0.18.1-mtime.patch | 117 ----- shadow-4.0.18.1-sysAccount.patch | 149 ------ shadow-4.0.3-noinst.patch | 11 - shadow-4.1.0-audit-newgrp.patch | 150 ------ shadow-4.1.0-fasterReset.patch | 19 - shadow-4.1.0-lOption.patch | 66 --- shadow-4.1.0-redhat.patch | 400 --------------- shadow-4.1.0-segfault.patch | 12 - shadow-4.1.0-selinux.patch | 675 -------------------------- shadow-4.1.1-audit.patch | 26 + shadow-4.1.1-redhat.patch | 272 +++++++++++ shadow-4.1.1-selinux.patch | 490 +++++++++++++++++++ shadow-4.1.1-sysAccountDownhill.patch | 94 ++++ shadow-utils.spec | 42 +- sources | 2 +- 17 files changed, 901 insertions(+), 1739 deletions(-) delete mode 100644 shadow-4.0.18.1-findNewUidOnce.patch delete mode 100644 shadow-4.0.18.1-mtime.patch delete mode 100644 shadow-4.0.18.1-sysAccount.patch delete mode 100644 shadow-4.0.3-noinst.patch delete mode 100644 shadow-4.1.0-audit-newgrp.patch delete mode 100644 shadow-4.1.0-fasterReset.patch delete mode 100644 shadow-4.1.0-lOption.patch delete mode 100644 shadow-4.1.0-redhat.patch delete mode 100644 shadow-4.1.0-segfault.patch delete mode 100644 shadow-4.1.0-selinux.patch create mode 100644 shadow-4.1.1-audit.patch create mode 100644 shadow-4.1.1-redhat.patch create mode 100644 shadow-4.1.1-selinux.patch create mode 100644 shadow-4.1.1-sysAccountDownhill.patch diff --git a/.cvsignore b/.cvsignore index 98c0d68..44506c6 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,3 +1,3 @@ shadow-4.0.17-login.defs shadow-4.0.18.1-useradd -shadow-4.1.0.tar.bz2 +shadow-4.1.1.tar.bz2 diff --git a/shadow-4.0.18.1-findNewUidOnce.patch b/shadow-4.0.18.1-findNewUidOnce.patch deleted file mode 100644 index 31287a9..0000000 --- a/shadow-4.0.18.1-findNewUidOnce.patch +++ /dev/null 
@@ -1,113 +0,0 @@ ---- shadow-4.0.18.1/src/useradd.c.findNewUidOnce 2007-05-16 13:16:51.000000000 +0200 -+++ shadow-4.0.18.1/src/useradd.c 2007-05-16 14:12:52.000000000 +0200 -@@ -847,8 +847,9 @@ - * find_new_uid - find the next available UID - * - * find_new_uid() locates the next highest unused UID in the password -- * file, or checks the given user ID against the existing ones for -- * uniqueness. -+ * file. -+ * It doesn't make sense to use find_new_uid(), if UID is specified -+ * via "-u" option. - */ - static void find_new_uid (void) - { -@@ -867,12 +868,7 @@ - memset (index, 0, sizeof (char) * uid_max + 1); - } - -- /* -- * Start with some UID value if the user didn't provide us with -- * one already. -- */ -- if (!uflg) -- user_id = uid_min; -+ user_id = uid_min; - - /* - * Search the entire password file, either looking for this -@@ -886,42 +882,24 @@ - setpwent (); - while ((pwd = getpwent ())) { - #endif -- if (strcmp (user_name, pwd->pw_name) == 0) { -- fprintf (stderr, _("%s: name %s is not unique\n"), -- Prog, user_name); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", -- user_name, user_id, 0); --#endif -- exit (E_NAME_IN_USE); -- } -- if (!oflg && uflg && user_id == pwd->pw_uid) { -- fprintf (stderr, _("%s: UID %u is not unique\n"), -- Prog, (unsigned int) user_id); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", -- user_name, user_id, 0); --#endif -- exit (E_UID_IN_USE); -- } -- if (!uflg && !rflg && pwd->pw_uid >= user_id) { -+ if (!rflg && pwd->pw_uid >= user_id) { - if (pwd->pw_uid > uid_max) - continue; - user_id = pwd->pw_uid + 1; - } - /* create index of occupied system accounts UIDs */ -- if (!uflg && rflg && (pwd->pw_uid <= uid_max)) -+ if (rflg && (pwd->pw_uid <= uid_max)) - index[pwd->pw_uid] = 1; - - } - - /* find free system account */ -- if(!uflg && rflg) { -+ if(rflg) { - for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); - if ( user_id < uid_min 
) { - fprintf (stderr, _("%s: can't get unique UID\n"), Prog); - fail_exit (E_UID_IN_USE); -- } -+ } - } - - /* -@@ -930,7 +908,7 @@ - * free UID starting with UID_MIN (it's O(n*n) but can be avoided - * by not having users with UID equal to UID_MAX). --marekm - */ -- if (!uflg && user_id == uid_max + 1) { -+ if (user_id == uid_max + 1) { - for (user_id = uid_min; user_id < uid_max; user_id++) { - #ifdef NO_GETPWENT - pw_rewind (); -@@ -1590,9 +1568,6 @@ - struct passwd pwent; - struct spwd spent; - -- if (!oflg) -- find_new_uid (); -- - /* - * Fill in the password structure with any new fields, making - * copies of strings. -@@ -1911,7 +1886,17 @@ - /* first, seek for a valid uid to use for this user. - * We do this because later we can use the uid we found as - * gid too ... --gafton */ -- find_new_uid (); -+ if (!uflg) -+ find_new_uid (); -+ else { -+ if (getpwuid (user_id)) { -+ fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, user_id, 0); -+#endif -+ exit (E_UID_IN_USE); -+ } -+ } - } - - /* do we have to add a group for that user? This is why we need to diff --git a/shadow-4.0.18.1-mtime.patch b/shadow-4.0.18.1-mtime.patch deleted file mode 100644 index d0c94ce..0000000 --- a/shadow-4.0.18.1-mtime.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -diff -up shadow-4.0.18.1/libmisc/copydir.c.utime shadow-4.0.18.1/libmisc/copydir.c ---- shadow-4.0.18.1/libmisc/copydir.c.utime 2007-10-16 11:36:54.000000000 +0200 -+++ shadow-4.0.18.1/libmisc/copydir.c 2007-10-18 11:59:22.000000000 +0200 -@@ -33,6 +33,7 @@ - - #include - #include -+#include - #include - #include - #include "prototypes.h" -@@ -154,6 +155,7 @@ int copy_tree (const char *src_root, con - struct DIRECT *ent; - struct stat sb; - struct link_name *lp; -+ struct timeval mt[2]; - DIR *dir; - - /* -@@ -215,6 +217,18 @@ int copy_tree (const char *src_root, con - if (LSTAT (src_name, &sb) == -1) - continue; - -+#if defined(_BSD_SOURCE) || defined(_SVID_SOURCE) -+ mt[0].tv_sec = sb.st_atim.tv_sec; -+ mt[0].tv_usec = sb.st_atim.tv_nsec / 1000; -+ mt[1].tv_sec = sb.st_mtim.tv_sec; -+ mt[1].tv_usec = sb.st_mtim.tv_nsec / 1000; -+#else -+ mt[0].tv_sec = sb.st_atime; -+ mt[0].tv_usec = sb.st_atimensec / 1000; -+ mt[1].tv_sec = sb.st_mtime; -+ mt[1].tv_usec = sb.st_mtimensec / 1000; -+#endif -+ - if (S_ISDIR (sb.st_mode)) { - - /* -@@ -230,10 +244,12 @@ int copy_tree (const char *src_root, con - uid == (uid_t) - 1 ? sb.st_uid : uid, - gid == (gid_t) - 1 ? sb.st_gid : gid) - || chmod (dst_name, sb.st_mode) -- || copy_tree (src_name, dst_name, uid, gid)) { -+ || copy_tree (src_name, dst_name, uid, gid) -+ || utimes (dst_name, mt)) { - err++; - break; - } -+ - continue; - } - #ifdef S_IFLNK -@@ -270,13 +286,21 @@ int copy_tree (const char *src_root, con - #ifdef WITH_SELINUX - selinux_file_context (dst_name); - #endif -- if (symlink (oldlink, dst_name) || -- lchown (dst_name, -+ if (symlink (oldlink, dst_name) -+ || lchown (dst_name, - uid == (uid_t) - 1 ? sb.st_uid : uid, - gid == (gid_t) - 1 ? 
sb.st_gid : gid)) { - err++; - break; - } -+ -+ /* 2007-10-18: We don't care about -+ * exit status of lutimes because -+ * it returns ENOSYS on many system -+ * - not implemented -+ */ -+ lutimes (dst_name, mt); -+ - continue; - } - #endif -@@ -314,10 +338,12 @@ int copy_tree (const char *src_root, con - || chown (dst_name, - uid == (uid_t) - 1 ? sb.st_uid : uid, - gid == (gid_t) - 1 ? sb.st_gid : gid) -- || chmod (dst_name, sb.st_mode & 07777)) { -+ || chmod (dst_name, sb.st_mode & 07777) -+ || utimes (dst_name, mt)) { - err++; - break; - } -+ - continue; - } - -@@ -343,14 +369,25 @@ int copy_tree (const char *src_root, con - err++; - break; - } -+ - while ((cnt = read (ifd, buf, sizeof buf)) > 0) { - if (write (ofd, buf, cnt) != cnt) { - cnt = -1; - break; - } - } -+ - close (ifd); -- close (ofd); -+ -+ if (futimes (ofd, mt) != 0) { -+ err++; -+ break; -+ } -+ -+ if (close (ofd) != 0) { -+ err++; -+ break; -+ } - - if (cnt == -1) { - err++; diff --git a/shadow-4.0.18.1-sysAccount.patch b/shadow-4.0.18.1-sysAccount.patch deleted file mode 100644 index 95d46ce..0000000 --- a/shadow-4.0.18.1-sysAccount.patch +++ /dev/null 
@@ -1,149 +0,0 @@ ---- shadow-4.0.18.1/src/useradd.c.sysAccount 2007-03-12 10:49:14.000000000 +0100 -+++ shadow-4.0.18.1/src/useradd.c 2007-03-12 12:15:57.000000000 +0100 -@@ -854,6 +854,7 @@ - { - const struct passwd *pwd; - uid_t uid_min, uid_max; -+ char * index; - - if (!rflg) { - uid_min = getdef_unum ("UID_MIN", 500); -@@ -862,6 +863,8 @@ - else { - uid_min = 1; - uid_max = getdef_unum ("UID_MIN", 500) - 1; -+ index = alloca (sizeof (char) * uid_max +1); -+ memset (index, 0, sizeof (char) * uid_max + 1); - } - - /* -@@ -901,11 +904,24 @@ - #endif - exit (E_UID_IN_USE); - } -- if (!uflg && pwd->pw_uid >= user_id) { -+ if (!uflg && !rflg && pwd->pw_uid >= user_id) { - if (pwd->pw_uid > uid_max) - continue; - user_id = pwd->pw_uid + 1; - } -+ /* create index of occupied system accounts UIDs */ -+ if (!uflg && rflg && (pwd->pw_uid <= uid_max)) -+ index[pwd->pw_uid] = 1; -+ -+ } -+ -+ /* find free system account */ -+ if(!uflg && rflg) { -+ for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); -+ if ( user_id < uid_min ) { -+ fprintf (stderr, _("%s: can't get unique UID\n"), Prog); -+ fail_exit (E_UID_IN_USE); -+ } - } - - /* -@@ -946,6 +962,7 @@ - { - const struct group *grp; - gid_t gid_min, gid_max; -+ char * index; - - if (!rflg) { - gid_min = getdef_unum ("GID_MIN", 500); -@@ -953,7 +970,9 @@ - } else { - gid_min = 1; - gid_max = getdef_unum ("GID_MIN", 500) - 1; -- } -+ index = alloca (sizeof (char) * gid_max +1); -+ memset (index, 0, sizeof (char) * gid_max + 1); -+ } - - /* - * Start with some GID value if the user didn't provide us with -@@ -978,12 +997,16 @@ - user_gid = grp->gr_gid; - return; - } -- if (grp->gr_gid >= user_gid) { -+ if (!rflg && grp->gr_gid >= user_gid) { - if (grp->gr_gid > gid_max) - continue; - user_gid = grp->gr_gid + 1; - } -+ /* create index of occupied system accounts GIDs */ -+ if (rflg && (grp->gr_gid <= gid_max)) -+ index[grp->gr_gid] = 1; - } -+ - #ifndef NO_GETGRENT /* glibc does have this, so ... 
*/ - /* A quick test gets here: if the UID is available - * as a GID, go ahead and use it */ -@@ -992,6 +1015,18 @@ - return; - } - #endif -+ -+ /* find free system account */ -+ if(rflg) { -+ for( user_gid = gid_max; (user_gid >= gid_min) && index[user_gid]; user_gid--); -+ if ( user_gid < gid_min ) { -+ fprintf (stderr, -+ "%s: can't get unique gid (run out of GIDs)\n", -+ Prog); -+ fail_exit (4); -+ } -+ } -+ - if (user_gid == gid_max + 1) { - for (user_gid = gid_min; user_gid < gid_max; user_gid++) { - #ifdef NO_GETGRENT ---- shadow-4.0.18.1/src/groupadd.c.sysAccount 2007-03-12 10:49:14.000000000 +0100 -+++ shadow-4.0.18.1/src/groupadd.c 2007-03-12 10:49:14.000000000 +0100 -@@ -199,6 +199,7 @@ - { - const struct group *grp; - gid_t gid_min, gid_max; -+ char * index; - - if (!rflg) { - gid_min = getdef_unum ("GID_MIN", 500); -@@ -206,7 +207,9 @@ - } else { - gid_min = 1; - gid_max = getdef_unum ("GID_MIN", 500) - 1; -- } -+ index = alloca (sizeof (char) * gid_max +1); -+ memset (index, 0, sizeof (char) * gid_max + 1); -+ } - - /* - * Start with some GID value if the user didn't provide us with -@@ -251,12 +254,25 @@ - Prog, (unsigned int) group_id); - fail_exit (E_GID_IN_USE); - } -- if (!gflg && grp->gr_gid >= group_id) { -+ if (!gflg && !rflg && grp->gr_gid >= group_id) { - if (grp->gr_gid > gid_max) - continue; - group_id = grp->gr_gid + 1; - } -+ /* create index of occupied system accounts UIDs */ -+ if (!gflg && rflg && (grp->gr_gid <= gid_max)) -+ index[grp->gr_gid] = 1; -+ } -+ -+ /* find free system account */ -+ if(!gflg && rflg) { -+ for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--); -+ if ( group_id < gid_min ) { -+ fprintf (stderr, _("%s: can't get unique GID\n"), Prog); -+ fail_exit (E_GID_IN_USE); -+ } - } -+ - if (!gflg && group_id == gid_max + 1) { - for (group_id = gid_min; group_id < gid_max; group_id++) { - #ifdef NO_GETGRENT 
diff --git a/shadow-4.0.3-noinst.patch b/shadow-4.0.3-noinst.patch deleted file mode 100644 index 103ef56..0000000 --- a/shadow-4.0.3-noinst.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- shadow-4.0.7/lib/Makefile.am.noinst 2005-01-18 01:08:48.000000000 +0100 -+++ shadow-4.0.7/lib/Makefile.am 2005-03-01 16:38:38.018234957 +0100 -@@ -3,7 +3,7 @@ - - DEFS = - --lib_LTLIBRARIES = libshadow.la -+noinst_LTLIBRARIES = libshadow.la - - libshadow_la_LDFLAGS = -version-info 0:0:0 - libshadow_la_LIBADD = $(INTLLIBS) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) $(LIBSELINUX) diff --git a/shadow-4.1.0-audit-newgrp.patch b/shadow-4.1.0-audit-newgrp.patch deleted file mode 100644 index e7a433a..0000000 --- a/shadow-4.1.0-audit-newgrp.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c ---- shadow-4.1.0.orig/src/newgrp.c 2007-11-18 18:15:05.000000000 -0500 -+++ shadow-4.1.0/src/newgrp.c 2008-03-06 10:01:17.000000000 -0500 -@@ -122,6 +123,8 @@ int main (int argc, char **argv) - #endif - - #ifdef WITH_AUDIT -+ char audit_buf[80]; -+ - audit_help_open (); - #endif - setlocale (LC_ALL, ""); -@@ -164,7 +167,7 @@ int main (int argc, char **argv) - if (!pwd) { - fprintf (stderr, _("unknown UID: %u\n"), getuid ()); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, -+ audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, - getuid (), 0); - #endif - SYSLOG ((LOG_WARN, "unknown UID %u", getuid ())); -@@ -272,7 +275,13 @@ int main (int argc, char **argv) - if (ngroups < 0) { - perror ("getgroups"); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_START, Prog, -+ if (group) { -+ snprintf (audit_buf, sizeof(audit_buf), -+ "changing new_group=%s", group); -+ audit_logger (AUDIT_CHGRP_ID, Prog, -+ audit_buf, NULL, getuid (), 0); -+ } else -+ audit_logger (AUDIT_CHGRP_ID, Prog, - "changing", NULL, getuid (), 0); - #endif - exit (1); -@@ -394,13 +403,26 @@ int main (int argc, char **argv) - - if (grp->gr_passwd[0] == '\0' || - strcmp (cpasswd, grp->gr_passwd) != 0) { -+#ifdef WITH_AUDIT -+ snprintf (audit_buf, sizeof(audit_buf), -+ "authentication new_gid=%d", -+ grp->gr_gid); -+ audit_logger (AUDIT_GRP_AUTH, Prog, -+ audit_buf, NULL, getuid (), 0); -+#endif - SYSLOG ((LOG_INFO, - "Invalid password for group `%s' from `%s'", - group, name)); - sleep (1); -- fputs (_("Invalid password."), stderr); -+ fputs (_("Invalid password.\n"), stderr); - goto failure; - } -+#ifdef WITH_AUDIT -+ snprintf (audit_buf, sizeof(audit_buf), -+ "authentication new_gid=%d", grp->gr_gid); -+ audit_logger (AUDIT_GRP_AUTH, Prog, -+ audit_buf, NULL, getuid (), 1); -+#endif - } - - /* -@@ -458,10 +480,16 @@ int main (int argc, char **argv) - child = fork (); - if (child < 0) { 
- /* error in fork() */ -- fprintf (stderr, _("%s: failure forking: %s"), -+ fprintf (stderr, _("%s: failure forking: %s\n"), - is_newgrp ? "newgrp" : "sg", strerror (errno)); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_START, Prog, "changing", -+ if (group) { -+ snprintf (audit_buf, sizeof(audit_buf), -+ "changing new_group=%s", group); -+ audit_logger (AUDIT_CHGRP_ID, Prog, -+ audit_buf, NULL, getuid (), 0); -+ } else -+ audit_logger (AUDIT_CHGRP_ID, Prog, "changing", - NULL, getuid (), 0); - #endif - exit (1); -@@ -531,14 +559,24 @@ int main (int argc, char **argv) - * to the real UID. For root, this also sets the real GID to the - * new group id. - */ -- if (setgid (gid)) -+ if (setgid (gid)) { - perror ("setgid"); -+#ifdef WITH_AUDIT -+ snprintf (audit_buf, sizeof(audit_buf), -+ "changing new_gid=%d", gid); -+ audit_logger (AUDIT_CHGRP_ID, Prog, -+ audit_buf, NULL, getuid (), 0); -+#endif -+ exit (1); -+ } - - if (setuid (getuid ())) { - perror ("setuid"); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_START, Prog, "changing", -- NULL, getuid (), 0); -+ snprintf (audit_buf, sizeof(audit_buf), -+ "changing new_gid=%d", gid); -+ audit_logger (AUDIT_CHGRP_ID, Prog, -+ audit_buf, NULL, getuid (), 0); - #endif - exit (1); - } -@@ -551,8 +589,10 @@ int main (int argc, char **argv) - closelog (); - execl ("/bin/sh", "sh", "-c", command, (char *) 0); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_START, Prog, "changing", -- NULL, getuid (), 0); -+ snprintf (audit_buf, sizeof(audit_buf), -+ "changing new_gid=%d", gid); -+ audit_logger (AUDIT_CHGRP_ID, Prog, -+ audit_buf, NULL, getuid (), 0); - #endif - perror ("/bin/sh"); - exit (errno == ENOENT ? 
E_CMD_NOTFOUND : E_CMD_NOEXEC);
-@@ -618,7 +658,8 @@ int main (int argc, char **argv)
- }
-
- #ifdef WITH_AUDIT
-- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1);
-+ snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%d", gid);
-+ audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1);
- #endif
- /*
- * Exec the login shell and go away. We are trying to get back to
-@@ -641,7 +682,14 @@ int main (int argc, char **argv)
- */
- closelog ();
- #ifdef WITH_AUDIT
-- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0);
-+ if (group) {
-+ snprintf (audit_buf, sizeof(audit_buf),
-+ "changing new_group=%s", group);
-+ audit_logger (AUDIT_CHGRP_ID, Prog,
-+ audit_buf, NULL, getuid (), 0);
-+ } else
-+ audit_logger (AUDIT_CHGRP_ID, Prog,
-+ "changing", NULL, getuid (), 0);
- #endif
- exit (1);
- }
diff --git a/shadow-4.1.0-fasterReset.patch b/shadow-4.1.0-fasterReset.patch
deleted file mode 100644
index 27c7155..0000000
--- a/shadow-4.1.0-fasterReset.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -up shadow-4.1.0/src/faillog.c.fasterReset shadow-4.1.0/src/faillog.c
---- shadow-4.1.0/src/faillog.c.fasterReset 2008-03-04 14:08:55.000000000 +0100
-+++ shadow-4.1.0/src/faillog.c 2008-03-04 14:11:13.000000000 +0100
-@@ -164,8 +164,13 @@ static void reset (void)
-
- if (uflg)
- reset_one (user);
-- else
-- for (uid = 0; reset_one (uid); uid++);
-+ else {
-+ struct passwd *pwent;
-+
-+ setpwent ();
-+ while ( pwent = getpwent () )
-+ reset_one (pwent->pw_uid);
-+ }
- }
-
- static void print (void)
diff --git a/shadow-4.1.0-lOption.patch b/shadow-4.1.0-lOption.patch
deleted file mode 100644
index 5f6481a..0000000
--- a/shadow-4.1.0-lOption.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -diff -up shadow-4.1.0/src/useradd.c.lOption shadow-4.1.0/src/useradd.c ---- shadow-4.1.0/src/useradd.c.lOption 2007-12-12 14:03:22.000000000 +0100 -+++ shadow-4.1.0/src/useradd.c 2007-12-12 14:08:43.000000000 +0100 -@@ -124,6 +124,7 @@ static int - Gflg = 0, /* secondary group set for new account */ - kflg = 0, /* specify a directory to fill new user directory */ - mflg = 0, /* create user's home directory if it doesn't exist */ -+ lflg = 0, /* do not add user to lastlog database file */ - Mflg = 0, /* do NOT create user's home directory no matter what */ - nflg = 0, /* do NOT create a group having the same name as the user */ - oflg = 0, /* permit non-unique user ID to be specified with -u */ -@@ -634,8 +635,9 @@ static void usage (void) - " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" - " -m, --create-home create home directory for the new user\n" - " account\n" -- " -M, do not create user's home directory(overrides /etc/login.defs)\n" -- " -r, create system account\n" -+ " -l, do not add user to lastlog database file\n" -+ " -M, do not create user's home directory(overrides /etc/login.defs)\n" -+ " -r, create system account\n" - " -o, --non-unique allow create user with duplicate\n" - " (non-unique) UID\n" - " -p, --password PASSWORD use encrypted password for the new user\n" -@@ -1032,7 +1034,7 @@ static void process_flags (int argc, cha - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMnrop:s:u:", -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1169,6 +1171,9 @@ static void process_flags (int argc, cha - case 'm': - mflg++; - break; -+ case 'l': -+ lflg++; -+ break; - case 'o': - oflg++; - break; -@@ -1538,7 +1543,7 @@ static void usr_update (void) - * are left unchanged). 
--marekm - */ - /* local, no need for xgetpwuid */ -- if (!getpwuid (user_id)) { -+ if (!getpwuid (user_id) && !lflg) { - faillog_reset (user_id); - lastlog_reset (user_id); - } -diff -up shadow-4.1.0/man/useradd.8.lOption shadow-4.1.0/man/useradd.8 ---- shadow-4.1.0/man/useradd.8.lOption 2007-12-12 14:03:22.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8 2007-12-12 14:06:31.000000000 +0100 -@@ -53,6 +53,11 @@ option is not used, - must exist\. - .RE - .PP -+\fB-l\fR -+.RS 4 -+Do not add the user to the last login log file. This is an option added by Red Hat. -+.RE -+.PP - \fB\-D\fR - .RS 4 - See below, the subsection "Changing the default values"\. diff --git a/shadow-4.1.0-redhat.patch b/shadow-4.1.0-redhat.patch deleted file mode 100644 index 24965b5..0000000 --- a/shadow-4.1.0-redhat.patch +++ /dev/null 
@@ -1,400 +0,0 @@ -diff -up shadow-4.1.0/src/useradd.c.redhat shadow-4.1.0/src/useradd.c ---- shadow-4.1.0/src/useradd.c.redhat 2007-12-09 23:43:09.000000000 +0100 -+++ shadow-4.1.0/src/useradd.c 2007-12-12 12:19:34.000000000 +0100 -@@ -81,7 +81,7 @@ - static gid_t def_group = 100; - static const char *def_gname = "other"; - static const char *def_home = "/home"; --static const char *def_shell = ""; -+static const char *def_shell = "/sbin/nologin"; - static const char *def_template = SKEL_DIR; - static const char *def_create_mail_spool = "no"; - -@@ -93,7 +93,7 @@ static char def_file[] = USER_DEFAULTS_F - #define VALID(s) (strcspn (s, ":\n") == strlen (s)) - - static const char *user_name = ""; --static const char *user_pass = "!"; -+static const char *user_pass = "!!"; - static uid_t user_id; - static gid_t user_gid; - static const char *user_comment = ""; -@@ -124,8 +124,10 @@ static int - Gflg = 0, /* secondary group set for new account */ - kflg = 0, /* specify a directory to fill new user directory */ - mflg = 0, /* create user's home directory if it doesn't exist */ -- nflg = 0, /* create a group having the same name as the user */ -+ Mflg = 0, /* do NOT create user's home directory no matter what */ -+ nflg = 0, /* do NOT create a group having the same name as the user */ - oflg = 0, /* permit non-unique user ID to be specified with -u */ -+ rflg = 0, /* create a system account */ - sflg = 0, /* shell program for new account */ - uflg = 0; /* specify user ID for new account */ - -@@ -632,6 +634,8 @@ static void usage (void) - " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" - " -m, --create-home create home directory for the new user\n" - " account\n" -+ " -M, do not create user's home directory(overrides /etc/login.defs)\n" -+ " -r, create system account\n" - " -o, --non-unique allow create user with duplicate\n" - " (non-unique) UID\n" - " -p, --password PASSWORD use encrypted password for the new user\n" -@@ -684,11 +688,20 @@ static void 
new_spent (struct spwd *spen - spent->sp_namp = (char *) user_name; - spent->sp_pwdp = (char *) user_pass; - spent->sp_lstchg = time ((time_t *) 0) / SCALE; -- spent->sp_min = scale_age (getdef_num ("PASS_MIN_DAYS", -1)); -- spent->sp_max = scale_age (getdef_num ("PASS_MAX_DAYS", -1)); -- spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1)); -- spent->sp_inact = scale_age (def_inactive); -- spent->sp_expire = scale_age (user_expire); -+ if (!rflg) { -+ spent->sp_min = scale_age (getdef_num ("PASS_MIN_DAYS", -1)); -+ spent->sp_max = scale_age (getdef_num ("PASS_MAX_DAYS", -1)); -+ spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1)); -+ spent->sp_inact = scale_age (def_inactive); -+ spent->sp_expire = scale_age (user_expire); -+ } -+ else { -+ spent->sp_min = scale_age(-1); -+ spent->sp_max = scale_age(-1); -+ spent->sp_warn = scale_age(-1); -+ spent->sp_inact = scale_age(-1); -+ spent->sp_expire = scale_age(-1); -+ } - spent->sp_flag = -1; - } - -@@ -821,8 +834,14 @@ static void find_new_uid (void) - const struct passwd *pwd; - uid_t uid_min, uid_max; - -- uid_min = getdef_unum ("UID_MIN", 1000); -- uid_max = getdef_unum ("UID_MAX", 60000); -+ if (!rflg) { -+ uid_min = getdef_unum ("UID_MIN", 500); -+ uid_max = getdef_unum ("UID_MAX", 60000); -+ } -+ else { -+ uid_min = 1; -+ uid_max = getdef_unum ("UID_MIN", 500) - 1; -+ } - - /* - * Start with some UID value if the user didn't provide us with -@@ -852,7 +871,7 @@ static void find_new_uid (void) - #endif - exit (E_NAME_IN_USE); - } -- if (uflg && user_id == pwd->pw_uid) { -+ if (!oflg && uflg && user_id == pwd->pw_uid) { - fprintf (stderr, _("%s: UID %u is not unique\n"), - Prog, (unsigned int) user_id); - #ifdef WITH_AUDIT -@@ -908,8 +927,13 @@ static void find_new_gid () - const struct group *grp; - gid_t gid_min, gid_max; - -- gid_min = getdef_num ("GID_MIN", 500); -- gid_max = getdef_num ("GID_MAX", 60000); -+ if (!rflg) { -+ gid_min = getdef_unum ("GID_MIN", 500); -+ gid_max = getdef_unum 
("GID_MAX", 60000); -+ } else { -+ gid_min = 1; -+ gid_max = getdef_unum ("GID_MIN", 500) - 1; -+ } - - /* - * Start with some GID value if the user didn't provide us with -@@ -1008,7 +1032,7 @@ static void process_flags (int argc, cha - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMop:s:u:", -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMnrop:s:u:", - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1177,6 +1201,15 @@ static void process_flags (int argc, cha - user_id = get_uid (optarg); - uflg++; - break; -+ case 'n': -+ nflg++; -+ break; -+ case 'r': -+ rflg++; -+ break; -+ case 'M': -+ Mflg++; -+ break; - default: - usage (); - } -@@ -1184,6 +1217,9 @@ static void process_flags (int argc, cha - } - } - -+ if (mflg && Mflg) /* the admin is not decided .. create or not ? */ -+ usage(); -+ - /* - * Certain options are only valid in combination with others. - * Check it here so that they can be specified in any order. -@@ -1698,6 +1734,14 @@ int main (int argc, char **argv) - } - #endif /* USE_PAM */ - -+ if (!rflg) /* for system accounts defaults are ignored and we -+ * do not create a home dir -- gafton */ -+ if (getdef_bool("CREATE_HOME")) -+ mflg = 1; -+ -+ if (Mflg) /* absolutely sure that we do not create home dirs */ -+ mflg = 0; -+ - /* - * See if we are messing with the defaults file, or creating - * a new user. -@@ -1728,7 +1772,7 @@ int main (int argc, char **argv) - * to that group, use useradd -g username username. 
- * --bero - */ -- if (!gflg) { -+ if ( !(nflg || gflg) ) { - if (getgrnam (user_name)) { /* local, no need for xgetgrnam */ - fprintf (stderr, - _ -@@ -1779,27 +1823,22 @@ int main (int argc, char **argv) - ("%s: warning: the home directory already exists.\n" - "Not copying any file from skel directory into it.\n"), - Prog); -- -- } else if (getdef_str ("CREATE_HOME")) { -- /* -- * RedHat added the CREATE_HOME option in login.defs in their -- * version of shadow-utils (which makes -m the default, with -- * new -M option to turn it off). Unfortunately, this -- * changes the way useradd works (it can be run by scripts -- * expecting some standard behaviour), compared to other -- * Unices and other Linux distributions, and also adds a lot -- * of confusion :-(. -- * So we now recognize CREATE_HOME and give a warning here -- * (better than "configuration error ... notify administrator" -- * errors in every program that reads /etc/login.defs). -MM -- */ -- fprintf (stderr, -- _ -- ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"), -- Prog); - } -- -- create_mail (); -+ /* Warning removed to protect the innocent. */ -+ /* -+ * The whole idea about breaking some stupid scripts by creating a new -+ * variable is crap - I could care less about the scripts. Historically -+ * adduser type programs have always created the home directories and -+ * I don't like the idea of providing a script when we can fix the -+ * binary itself. And if the scripts are using the right options to the -+ * useradd then they will not break. 
If not, they depend on unspecified -+ * behavior and they will break, but they were broken anyway to begin -+ * with --gafton -+ */ -+ -+ /* Do not create mail directory for system accounts */ -+ if( !rflg ) -+ create_mail (); - - close_files (); - -diff -up shadow-4.1.0/src/groupadd.c.redhat shadow-4.1.0/src/groupadd.c ---- shadow-4.1.0/src/groupadd.c.redhat 2007-11-24 23:41:19.000000000 +0100 -+++ shadow-4.1.0/src/groupadd.c 2007-12-12 12:15:00.000000000 +0100 -@@ -74,6 +74,7 @@ static char *Prog; - static int oflg = 0; /* permit non-unique group ID to be specified with -g */ - static int gflg = 0; /* ID value for the new group */ - static int fflg = 0; /* if group already exists, do nothing and exit(0) */ -+static int rflg = 0; /* for adding system accounts (Red Hat) */ - - /* local function prototypes */ - static void usage (void); -@@ -100,6 +101,7 @@ static void usage (void) - "Options:\n" - " -f, --force force exit with success status if the\n" - " specified group already exists\n" -+ " -r, create system account\n" - " -g, --gid GID use GID for the new group\n" - " -h, --help display this help message and exit\n" - " -K, --key KEY=VALUE overrides /etc/login.defs defaults\n" -@@ -198,8 +200,13 @@ static void find_new_gid (void) - const struct group *grp; - gid_t gid_min, gid_max; - -- gid_min = getdef_unum ("GID_MIN", 1000); -- gid_max = getdef_unum ("GID_MAX", 60000); -+ if (!rflg) { -+ gid_min = getdef_unum ("GID_MIN", 500); -+ gid_max = getdef_unum ("GID_MAX", 60000); -+ } else { -+ gid_min = 1; -+ gid_max = getdef_unum ("GID_MIN", 500) - 1; -+ } - - /* - * Start with some GID value if the user didn't provide us with -@@ -430,7 +437,7 @@ int main (int argc, char **argv) - }; - - while ((c = -- getopt_long (argc, argv, "fg:hK:o", long_options, -+ getopt_long (argc, argv, "frg:hK:o", long_options, - &option_index)) != -1) { - switch (c) { - case 'f': -@@ -443,6 +450,12 @@ int main (int argc, char **argv) - */ - fflg++; - break; -+ case 'r': -+ /* -+ * create 
a system group -+ */ -+ rflg++; -+ break; - case 'g': - gflg++; - group_id = get_gid (optarg); -diff -up shadow-4.1.0/man/chpasswd.8.redhat shadow-4.1.0/man/chpasswd.8 -diff -up shadow-4.1.0/man/newusers.8.redhat shadow-4.1.0/man/newusers.8 -diff -up shadow-4.1.0/man/useradd.8.redhat shadow-4.1.0/man/useradd.8 ---- shadow-4.1.0/man/useradd.8.redhat 2007-12-10 00:07:10.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8 2007-12-12 12:05:54.000000000 +0100 -@@ -25,9 +25,9 @@ When invoked without the - \fB\-D\fR - option, the - \fBuseradd\fR --command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the -+command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the - \fBuseradd\fR --command will update system files and may also create the new user\'s home directory and copy initial files\. -+command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. - .SH "OPTIONS" - .PP - The options which apply to the -@@ -84,7 +84,7 @@ The number of days after a password expi - .PP - \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR - .RS 4 --The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in -+The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. - \fI/etc/default/useradd\fR\. - .RE - .PP -@@ -100,6 +100,13 @@ option\. The default is for the user to - Display help message and exit\. 
- .RE - .PP -+\fB-M\fR -+.RS 4 -+The user\'s home directory will not be created, even if the system wide settings from -+\fI/etc/login.defs\fR -+is to create home dirs\. -+.RE -+.PP - \fB\-m\fR, \fB\-\-create\-home\fR - .RS 4 - The user\'s home directory will be created if it does not exist\. The files contained in -@@ -119,6 +126,13 @@ option is only valid in conjunction with - option\. The default is to not create the directory and to not copy any files\. - .RE - .PP -+\fB-n\fR -+.RS 4 -+A group having the same name as the user being added to the system will be created by default\. This option will turn off this Red Hat Linux specific behavior\. When this option is used, users by default will be placed in whatever group is specified in -+\fI/etc/default/useradd\fR\. -+If no default group is defined, group 1 will be used. -+.RE -+.PP - \fB\-K\fR, \fB\-\-key\fR \fIKEY\fR=\fIVALUE\fR - .RS 4 - Overrides /etc/login\.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others)\. -@@ -150,6 +164,19 @@ The encrypted password, as returned by - \fBcrypt\fR(3)\. The default is to disable the account\. - .RE - .PP -+\fB-r\fR -+.RS 4 -+This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in -+\fI/etc/login.defs\fR -+and whose password does not expire\. Note that -+\fBuseradd\fR -+will not create a home directory for such an user, regardless of the default setting in -+\fI/etc/login.defs\fR\. -+You have to specify -+\fB-m\fR -+option if you want a home directory for a system account to be created\. This is an option added by Red Hat\. -+.RE -+.PP - \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR - .RS 4 - The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\. -@@ -206,6 +233,8 @@ The name of a new user\'s login shell\. - The system administrator is responsible for placing the default user files in the - \fI/etc/skel/\fR - directory\. 
-+.br -+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\. - .SH "CAVEATS" - .PP - You may not add a user to a NIS or LDAP group\. This must be performed on the corresponding server\. -@@ -315,6 +344,11 @@ Secure user account information\. - Group account information\. - .RE - .PP -+\fI/etc/gshadow\fR -+.RS 4 -+Secure group account information\. -+.RE -+.PP - \fI/etc/default/useradd\fR - .RS 4 - Default values for account creation\. -diff -up shadow-4.1.0/man/groupadd.8.redhat shadow-4.1.0/man/groupadd.8 ---- shadow-4.1.0/man/groupadd.8.redhat 2007-12-10 00:06:00.000000000 +0100 -+++ shadow-4.1.0/man/groupadd.8 2007-12-12 12:11:23.000000000 +0100 -@@ -14,7 +14,7 @@ - groupadd - create a new group - .SH "SYNOPSIS" - .HP 9 --\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR -+\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR - .SH "DESCRIPTION" - .PP - The -@@ -34,11 +34,22 @@ This option causes the command to simply - is turned off)\. - .RE - .PP -+\fB-r\fR -+.RS 4 -+This flag instructs -+\fBgroupadd\fR -+to add a system account\. The first available -+\fIgid\fR -+lower than 499 will be automatically selected unless the -+\fB-g\fR -+option is also given on the command line\. This is an option added by Red Hat\. -+.RE -+.PP - \fB\-g\fR \fIGID\fR - .RS 4 - The numerical value of the group\'s ID\. This value must be unique, unless the - \fB\-o\fR --option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\. -+option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 500 and greater than every other group\. Values between 0 and 499 are typically reserved for system accounts\. - .RE - .PP - \fB\-h\fR, \fB\-\-help\fR 
diff --git a/shadow-4.1.0-segfault.patch b/shadow-4.1.0-segfault.patch
deleted file mode 100644
index c9f6091..0000000
--- a/shadow-4.1.0-segfault.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up shadow-4.1.0/src/groupmems.c.segfault shadow-4.1.0/src/groupmems.c
---- shadow-4.1.0/src/groupmems.c.segfault 2008-02-19 12:39:23.000000000 +0100
-+++ shadow-4.1.0/src/groupmems.c 2008-02-19 12:55:06.000000000 +0100
-@@ -106,7 +106,7 @@ static void addtogroup (char *user, char
- }
- }
-
-- members = (char **) realloc (members, sizeof (char *) * i);
-+ members = (char **) realloc (members, sizeof (char *) * (i + 2));
- members[i] = user;
- members[i + 1] = NULL;
- }
diff --git a/shadow-4.1.0-selinux.patch b/shadow-4.1.0-selinux.patch
deleted file mode 100644
index adbe90c..0000000
--- a/shadow-4.1.0-selinux.patch
+++ /dev/null
@@ -1,675 +0,0 @@ -diff -upb shadow-4.1.0/libmisc/system.c.selinux shadow-4.1.0/libmisc/system.c ---- shadow-4.1.0/libmisc/system.c.selinux 2008-03-03 14:18:17.000000000 +0100 -+++ shadow-4.1.0/libmisc/system.c 2008-03-03 14:18:17.000000000 +0100 -@@ -0,0 +1,37 @@ -+#include -+ -+#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $" -+ -+#include -+#include -+#include -+#include "prototypes.h" -+#include "defines.h" -+ -+int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr) -+{ -+ int status = -1; -+ int fd; -+ pid_t pid; -+ -+ pid = fork(); -+ if (pid < 0) -+ return -1; -+ -+ if (pid) { /* Parent */ -+ waitpid(pid, &status, 0); -+ return status; -+ } -+ -+ fd = open("/dev/null", O_RDWR); -+ /* Child */ -+ dup2(fd,0); // Close Stdin -+ if (ignore_stderr) -+ dup2(fd,2); // Close Stderr -+ -+ execve(command, (char *const *) argv, (char *const *) env); -+ fprintf (stderr, -+ _("Failed to exec '%s'\n"), argv[0]); -+ exit (-1); -+} -+ -diff -upb shadow-4.1.0/libmisc/Makefile.am.selinux shadow-4.1.0/libmisc/Makefile.am ---- shadow-4.1.0/libmisc/Makefile.am.selinux 2007-11-23 10:15:48.000000000 +0100 -+++ shadow-4.1.0/libmisc/Makefile.am 2008-03-03 14:18:17.000000000 +0100 -@@ -42,6 +42,7 @@ libmisc_a_SOURCES = \ - setugid.c \ - setupenv.c \ - shell.c \ -+ system.c \ - strtoday.c \ - sub.c \ - sulog.c \ -diff -upb shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c ---- shadow-4.1.0/libmisc/copydir.c.selinux 2007-11-11 00:45:59.000000000 +0100 -+++ shadow-4.1.0/libmisc/copydir.c 2008-03-03 14:19:01.000000000 +0100 -@@ -54,7 +54,7 @@ struct link_name { - static struct link_name *links; - - #ifdef WITH_SELINUX --static int selinux_file_context (const char *dst_name) -+int selinux_file_context (const char *dst_name) - { - security_context_t scontext = NULL; - -@@ -199,7 +199,7 @@ int copy_tree (const char *src_root, con - if (strlen (src_root) + strlen (ent->d_name) + 2 > - sizeof src_name) { - err++; -- 
break; -+ break; - } - snprintf (src_name, sizeof src_name, "%s/%s", src_root, - ent->d_name); -@@ -207,7 +207,7 @@ int copy_tree (const char *src_root, con - if (strlen (dst_root) + strlen (ent->d_name) + 2 > - sizeof dst_name) { - err++; -- break; -+ break; - } - snprintf (dst_name, sizeof dst_name, "%s/%s", dst_root, - ent->d_name); -@@ -313,7 +313,7 @@ int copy_tree (const char *src_root, con - if (mknod (dst_name, sb.st_mode & ~07777, sb.st_rdev) - || chown (dst_name, - uid == (uid_t) - 1 ? sb.st_uid : uid, -- gid == (gid_t) - 1 ? sb.st_gid : gid) -+ gid == (gid_t) - 1 ? sb.st_gid : gid) - || chmod (dst_name, sb.st_mode & 07777)) { - err++; - break; -@@ -363,6 +363,10 @@ int copy_tree (const char *src_root, con - src_orig = 0; - dst_orig = 0; - } -+#ifdef WITH_SELINUX -+ /* Reset SELinux to create files with default contexts */ -+ setfscreatecon (NULL); -+#endif - return err ? -1 : 0; - } - -diff -upb shadow-4.1.0/man/usermod.8.xml.selinux shadow-4.1.0/man/usermod.8.xml ---- shadow-4.1.0/man/usermod.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 -+++ shadow-4.1.0/man/usermod.8.xml 2008-03-03 14:18:17.000000000 +0100 -@@ -245,6 +245,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field the blank, which causes the system to select the default -+ SELinux user. -+ -+ -+ - - - -diff -upb shadow-4.1.0/man/useradd.8.selinux shadow-4.1.0/man/useradd.8 ---- shadow-4.1.0/man/useradd.8.selinux 2008-03-03 14:14:45.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8 2008-03-03 14:18:17.000000000 +0100 -@@ -163,6 +163,11 @@ doesn\'t work yet\. - Allow the creation of a user account with a duplicate (non\-unique) UID\. - .RE - .PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. 
-+.RE -+.PP - \fB\-p\fR, \fB\-\-password\fR \fIPASSWORD\fR - .RS 4 - The encrypted password, as returned by -diff -upb shadow-4.1.0/man/usermod.8.selinux shadow-4.1.0/man/usermod.8 ---- shadow-4.1.0/man/usermod.8.selinux 2007-12-10 00:07:16.000000000 +0100 -+++ shadow-4.1.0/man/usermod.8 2008-03-03 14:18:17.000000000 +0100 -@@ -133,6 +133,11 @@ Note: if you wish to unlock the account - value from - \fI/etc/default/useradd\fR)\. - .RE -+.PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. -+.RE - .SH "CAVEATS" - .PP - -diff -upb shadow-4.1.0/man/useradd.8.xml.selinux shadow-4.1.0/man/useradd.8.xml ---- shadow-4.1.0/man/useradd.8.xml.selinux 2007-12-09 00:24:36.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8.xml 2008-03-03 14:18:17.000000000 +0100 -@@ -273,6 +273,19 @@ - between 0 and 999 are typically reserved for system accounts. - - -+ -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field blank, which causes the system to select the default SELinux -+ user. 
-+ -+ - - - -@@ -346,7 +359,7 @@ - - - -- -+ - - - -@@ -399,7 +412,7 @@ - - - FILES -- -+ - - /etc/passwd - -diff -upb shadow-4.1.0/lib/prototypes.h.selinux shadow-4.1.0/lib/prototypes.h ---- shadow-4.1.0/lib/prototypes.h.selinux 2007-11-23 21:10:52.000000000 +0100 -+++ shadow-4.1.0/lib/prototypes.h 2008-03-03 14:18:17.000000000 +0100 -@@ -53,6 +53,9 @@ extern int is_listed (const char *, cons - /* copydir.c */ - extern int copy_tree (const char *, const char *, uid_t, gid_t); - extern int remove_tree (const char *); -+#ifdef WITH_SELINUX -+extern int selinux_file_context (const char *dst_name); -+#endif - - /* encrypt.c */ - extern char *pw_encrypt (const char *, const char *); -@@ -151,6 +154,9 @@ extern void setup_env (struct passwd *); - /* shell.c */ - extern int shell (const char *, const char *, char *const *); - -+/* system.c */ -+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); -+ - /* strtoday.c */ - extern long strtoday (const char *); - -diff -upb shadow-4.1.0/lib/defines.h.selinux shadow-4.1.0/lib/defines.h ---- shadow-4.1.0/lib/defines.h.selinux 2007-11-24 12:18:35.000000000 +0100 -+++ shadow-4.1.0/lib/defines.h 2008-03-03 14:18:17.000000000 +0100 -@@ -342,4 +342,7 @@ extern char *strerror (); - #include - #endif - -+#ifdef WITH_SELINUX -+#include -+#endif - #endif /* _DEFINES_H_ */ -diff -upb shadow-4.1.0/src/userdel.c.selinux shadow-4.1.0/src/userdel.c ---- shadow-4.1.0/src/userdel.c.selinux 2007-11-24 23:41:19.000000000 +0100 -+++ shadow-4.1.0/src/userdel.c 2008-03-03 14:18:17.000000000 +0100 -@@ -809,6 +809,17 @@ int main (int argc, char **argv) - #endif - } - -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() > 0) { -+ const char *argv[5]; -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-d"; -+ argv[3] = user_name; -+ argv[4] = NULL; -+ safe_system(argv[0], argv, NULL, 1); -+ } -+#endif - /* - * Cancel any crontabs or at jobs. 
Have to do this before we remove - * the entry from /etc/passwd. -diff -upb shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c ---- shadow-4.1.0/src/usermod.c.selinux 2007-11-24 23:41:19.000000000 +0100 -+++ shadow-4.1.0/src/usermod.c 2008-03-03 14:18:17.000000000 +0100 -@@ -90,6 +90,7 @@ static char *user_comment; - static char *user_home; - static char *user_newhome; - static char *user_shell; -+static const char *user_selinux = ""; - static long user_expire; - static long user_inactive; - static long sys_ngroups; -@@ -139,6 +140,7 @@ static int sgr_locked = 0; - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static void new_spent (struct spwd *); - static void fail_exit (int); -@@ -250,12 +252,12 @@ static int get_groups (char *list) - #endif - - if (ngroups == sys_ngroups) { -- fprintf (stderr, -+ fprintf (stderr, - _ - ("%s: too many groups specified (max %d).\n"), - Prog, ngroups); - break; -- } -+ } - - /* - * Add the group name to the user's list of groups. 
-@@ -302,6 +304,9 @@ static void usage (void) - " -s, --shell SHELL new login shell for the user account\n" - " -u, --uid UID new UID for the user account\n" - " -U, --unlock unlock the user account\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user new selinux user mapping for the user account\n" -+#endif - "\n")); - exit (E_USAGE); - } -@@ -332,7 +337,7 @@ static char *new_pw_passwd (char *pw_pas - "You should set a password with usermod -p to unlock this user account.\n"), - Prog); - return pw_pass; -- } -+ } - - #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password", -@@ -405,7 +410,7 @@ static void new_pwent (struct passwd *pw - #else - pwent->pw_gecos = user_comment; - #endif -- } -+ } - - if (dflg) { - #ifdef WITH_AUDIT -@@ -826,7 +831,7 @@ static void process_flags (int argc, cha - user_comment = xstrdup (pwd->pw_gecos); - user_home = xstrdup (pwd->pw_dir); - user_shell = xstrdup (pwd->pw_shell); -- } -+ } - #ifdef WITH_AUDIT - user_newname = user_name; - user_newid = user_id; -@@ -888,13 +893,20 @@ static void process_flags (int argc, cha - {"move-home", no_argument, NULL, 'm'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"shell", required_argument, NULL, 's'}, - {"uid", required_argument, NULL, 'u'}, - {"unlock", no_argument, NULL, 'U'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:", -+#else - getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'a': -@@ -966,7 +978,7 @@ static void process_flags (int argc, cha - fprintf (stderr, - _("%s: unknown group %s\n"), - Prog, optarg); -- exit (E_NOTFOUND); -+ exit (E_NOTFOUND); - } - user_newgid = grp->gr_gid; - gflg++; -@@ -1028,6 +1040,16 @@ static void process_flags (int argc, cha - case 'U': - Uflg++; - break; 
-+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1040,7 +1062,7 @@ static void process_flags (int argc, cha - exit (E_USAGE); - } - if (!is_shadow_pwd && (eflg || fflg)) { -- fprintf (stderr, -+ fprintf (stderr, - _ - ("%s: shadow passwords required for -e and -f\n"), - Prog); -@@ -1575,6 +1597,8 @@ int main (int argc, char **argv) - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); - -+ selinux_update_mapping(); -+ - if (mflg) - move_home (); - -@@ -1603,3 +1627,62 @@ int main (int argc, char **argv) - exit (E_SUCCESS); - /* NOT REACHED */ - } -+ -+static void selinux_update_mapping () { -+#ifdef WITH_SELINUX -+ const char *argv[7]; -+ -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-m"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 1)) { -+ argv[2] = "-a"; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "modifying User mapping ", user_name, user_id, 0); -+#endif -+ } -+ } -+ } -+ -+ if (dflg || *user_selinux) { -+ argv[0] = "/usr/sbin/genhomedircon"; -+ argv[1] = NULL; -+ if(safe_system(argv[0], argv, NULL,0)) { -+ fprintf (stderr, -+ _("%s: warning: unable to relabel the homedir %s for %s.\n"), -+ Prog, user_home, user_name); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "relabeling home directory", user_name, user_id, 0); -+#endif -+ } -+ -+ argv[0] = "/sbin/restorecon"; -+ argv[1] = "-F"; -+ argv[2] = "-R"; -+ argv[3] = user_home; -+ argv[4] = NULL; -+ if 
(safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: unable to relabel the homedir %s for %s.\n"), -+ Prog, user_home, user_name); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "relabeling home directory", user_name, user_id, 0); -+#endif -+ } -+ } -+#endif -+} -diff -upb shadow-4.1.0/src/useradd.c.selinux shadow-4.1.0/src/useradd.c ---- shadow-4.1.0/src/useradd.c.selinux 2008-03-03 14:14:45.000000000 +0100 -+++ shadow-4.1.0/src/useradd.c 2008-03-03 14:19:01.000000000 +0100 -@@ -100,6 +100,7 @@ static const char *user_comment = ""; - static const char *user_home = ""; - static const char *user_shell = ""; - static const char *create_mail_spool = ""; -+static const char *user_selinux = ""; - - static long user_expire = -1; - static int is_shadow_pwd; -@@ -170,6 +171,7 @@ static int set_defaults (void); - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static long scale_age (long); - static void new_spent (struct spwd *); -@@ -356,6 +358,7 @@ static void get_defaults (void) - def_create_mail_spool = xstrdup (cp); - } - } -+ fclose(fp); - } - - /* -@@ -586,7 +589,7 @@ static int get_groups (char *list) - #endif - - if (ngroups == sys_ngroups) { -- fprintf (stderr, -+ fprintf (stderr, - _ - ("%s: too many groups specified (max %d).\n"), - Prog, ngroups); -@@ -644,6 +647,10 @@ static void usage (void) - " account\n" - " -s, --shell SHELL the login shell for the new user account\n" - " -u, --uid UID force use the UID for the new user account\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" -+#endif -+ - "\n")); - exit (E_USAGE); - } -@@ -696,7 +703,7 @@ static void new_spent (struct spwd *spen - spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1)); - spent->sp_inact = scale_age (def_inactive); - spent->sp_expire = scale_age (user_expire); -- } -+ } - 
else { - spent->sp_min = scale_age(-1); - spent->sp_max = scale_age(-1); -@@ -1030,32 +1037,39 @@ static void process_flags (int argc, cha - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, - {"shell", required_argument, NULL, 's'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"uid", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:", -+#else - getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'b': - if (!VALID (optarg) - || optarg[0] != '/') { -- fprintf (stderr, -+ fprintf (stderr, - _ - ("%s: invalid base directory '%s'\n"), - Prog, optarg); -- exit (E_BAD_ARG); -+ exit (E_BAD_ARG); - } - def_home = optarg; - bflg++; - break; - case 'c': - if (!VALID (optarg)) { -- fprintf (stderr, -+ fprintf (stderr, - _ - ("%s: invalid comment '%s'\n"), - Prog, optarg); -- exit (E_BAD_ARG); -+ exit (E_BAD_ARG); - } - user_comment = optarg; - cflg++; -@@ -1063,11 +1077,11 @@ static void process_flags (int argc, cha - case 'd': - if (!VALID (optarg) - || optarg[0] != '/') { -- fprintf (stderr, -+ fprintf (stderr, - _ - ("%s: invalid home directory '%s'\n"), - Prog, optarg); -- exit (E_BAD_ARG); -+ exit (E_BAD_ARG); - } - user_home = optarg; - dflg++; -@@ -1161,7 +1175,7 @@ static void process_flags (int argc, cha - _ - ("%s: -K requires KEY=VALUE\n"), - Prog); -- exit (E_BAD_ARG); -+ exit (E_BAD_ARG); - } - /* terminate name, point to value */ - *cp++ = '\0'; -@@ -1215,6 +1229,17 @@ static void process_flags (int argc, cha - case 'M': - Mflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1238,7 +1263,7 @@ 
static void process_flags (int argc, cha - */ - if (Dflg) { - if (optind != argc) -- usage (); -+ usage (); - - if (uflg || oflg || Gflg || dflg || cflg || mflg) - usage (); -@@ -1253,7 +1278,7 @@ static void process_flags (int argc, cha - ("%s: invalid user name '%s'\n"), - Prog, user_name); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", - user_name, -1, 0); - #endif - exit (E_BAD_ARG); -@@ -1583,6 +1608,33 @@ static void usr_update (void) - grp_update (); - } - -+static void selinux_update_mapping () { -+ -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { /* must be done after passwd write() */ -+ const char *argv[7]; -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-a"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "adding SELinux user mapping", user_name, user_id, 0); -+#endif -+ } -+ } -+#endif -+ -+} - /* - * create_home - create the user's home directory - * -@@ -1592,7 +1644,11 @@ static void usr_update (void) - */ - static void create_home (void) - { -+ - if (access (user_home, F_OK)) { -+#ifdef WITH_SELINUX -+ selinux_file_context (user_home); -+#endif - /* XXX - create missing parent directories. 
--marekm */ - if (mkdir (user_home, 0)) { - fprintf (stderr, -@@ -1614,6 +1670,10 @@ static void create_home (void) - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "adding home directory", user_name, user_id, 1); - #endif -+#ifdef WITH_SELINUX -+ /* Reset SELinux to create files with default contexts */ -+ setfscreatecon (NULL); -+#endif - } - } - -@@ -1847,6 +1907,8 @@ int main (int argc, char **argv) - - close_files (); - -+ selinux_update_mapping(); -+ - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); - diff --git a/shadow-4.1.1-audit.patch b/shadow-4.1.1-audit.patch new file mode 100644 index 0000000..964e0c1 --- /dev/null +++ b/shadow-4.1.1-audit.patch @@ -0,0 +1,26 @@ +diff -up shadow-4.1.1/src/newgrp.c.audit shadow-4.1.1/src/newgrp.c +--- shadow-4.1.1/src/newgrp.c.audit 2008-04-03 15:20:25.000000000 +0200 ++++ shadow-4.1.1/src/newgrp.c 2008-04-03 15:22:00.000000000 +0200 +@@ -53,6 +53,10 @@ static GETGROUPS_T *grouplist; + static char *Prog; + static int is_newgrp; + ++#ifdef WITH_AUDIT ++ char audit_buf[80]; ++#endif ++ + /* local function prototypes */ + static void usage (void); + static void check_perms (const struct group *grp, +@@ -349,10 +353,9 @@ int main (int argc, char **argv) + #endif + + #ifdef WITH_AUDIT +- char audit_buf[80]; +- + audit_help_open (); + #endif ++ + setlocale (LC_ALL, ""); + bindtextdomain (PACKAGE, LOCALEDIR); + textdomain (PACKAGE); diff --git a/shadow-4.1.1-redhat.patch b/shadow-4.1.1-redhat.patch new file mode 100644 index 0000000..48ad96a --- /dev/null +++ b/shadow-4.1.1-redhat.patch 
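Review bot: The `audit_buf[80]` hoisted to file scope in newgrp.c is declared without `static`, so it becomes an external symbol visible to everything linked into the binary and can collide with any other object of that name; it should read `static char audit_buf[80];`, matching the `static char *Prog;` and `static int is_newgrp;` beside it. The hunk does not show where the buffer is written, so I cannot tell from here whether 80 bytes is enough for the formatted audit message or whether the write is bounded with snprintf — worth confirming at the use site now that the buffer outlives a single call. The second part of the hunk sits inside main(), which starts and ends outside the hunk.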
@@ -0,0 +1,272 @@ +diff -up shadow-4.1.1/libmisc/find_new_ids.c.redhat shadow-4.1.1/libmisc/find_new_ids.c +--- shadow-4.1.1/libmisc/find_new_ids.c.redhat 2008-04-03 12:18:51.000000000 +0200 ++++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-03 13:30:44.000000000 +0200 +@@ -26,11 +26,11 @@ int find_new_uid (int sys_user, uid_t *u + assert (uid != NULL); + + if (sys_user == 0) { +- uid_min = getdef_unum ("UID_MIN", 1000); ++ uid_min = getdef_unum ("UID_MIN", 500); + uid_max = getdef_unum ("UID_MAX", 60000); + } else { + uid_min = getdef_unum ("SYS_UID_MIN", 1); +- uid_max = getdef_unum ("UID_MIN", 1000) - 1; ++ uid_max = getdef_unum ("UID_MIN", 500) - 1; + uid_max = getdef_unum ("SYS_UID_MAX", uid_max); + } + +@@ -108,11 +108,11 @@ int find_new_gid (int sys_group, gid_t * + assert (gid != NULL); + + if (sys_group == 0) { +- gid_min = getdef_unum ("GID_MIN", 1000); ++ gid_min = getdef_unum ("GID_MIN", 500); + gid_max = getdef_unum ("GID_MAX", 60000); + } else { + gid_min = getdef_unum ("SYS_GID_MIN", 1); +- gid_max = getdef_unum ("GID_MIN", 1000) - 1; ++ gid_max = getdef_unum ("GID_MIN", 500) - 1; + gid_max = getdef_unum ("SYS_GID_MAX", gid_max); + } + +diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c +--- shadow-4.1.1/src/useradd.c.redhat 2008-03-08 23:42:05.000000000 +0100 ++++ shadow-4.1.1/src/useradd.c 2008-04-03 14:07:32.000000000 +0200 +@@ -82,7 +82,7 @@ + static gid_t def_group = 100; + static const char *def_gname = "other"; + static const char *def_home = "/home"; +-static const char *def_shell = ""; ++static const char *def_shell = "/sbin/nologin"; + static const char *def_template = SKEL_DIR; + static const char *def_create_mail_spool = "no"; + +@@ -94,7 +94,7 @@ static char def_file[] = USER_DEFAULTS_F + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + + static const char *user_name = ""; +-static const char *user_pass = "!"; ++static const char *user_pass = "!!"; + static uid_t user_id; + static gid_t user_gid; + static const char 
*user_comment = ""; +@@ -130,6 +130,7 @@ static int + kflg = 0, /* specify a directory to fill new user directory */ + lflg = 0, /* do not add user to lastlog database file */ + mflg = 0, /* create user's home directory if it doesn't exist */ ++ Mflg = 0, /* do NOT create user's home directory no matter what */ + Nflg = 0, /* do not create a group having the same name as the user, but add the user to def_group (or the group specified with -g) */ + oflg = 0, /* permit non-unique user ID to be specified with -u */ + rflg = 0, /* create a system account */ +@@ -653,6 +654,7 @@ static void usage (void) + " faillog databases\n" + " -m, --create-home create home directory for the new user\n" + " account\n" ++ " -M, do not create user's home directory(overrides /etc/login.defs)\n" + " -N, --no-user-group do not create a group with the same name as\n" + " the user\n" + " -o, --non-unique allow create user with duplicate\n" +@@ -883,7 +885,7 @@ static void process_flags (int argc, cha + {NULL, 0, NULL, '\0'} + }; + while ((c = +- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", + long_options, NULL)) != -1) { + switch (c) { + case 'b': +@@ -1023,6 +1025,10 @@ static void process_flags (int argc, cha + case 'm': + mflg++; + break; ++ case 'M': ++ Mflg++; ++ break; ++ case 'n': + case 'N': + Nflg++; + break; +@@ -1076,6 +1082,9 @@ static void process_flags (int argc, cha + Uflg = getdef_bool ("USERGROUPS_ENAB"); + } + ++ if (mflg && Mflg) /* the admin is not decided .. create or not ? */ ++ usage(); ++ + /* + * Certain options are only valid in combination with others. + * Check it here so that they can be specified in any order. 
+@@ -1625,6 +1634,14 @@ int main (int argc, char **argv) + } + #endif /* USE_PAM */ + ++ if (!rflg) /* for system accounts defaults are ignored and we ++ * do not create a home dir -- gafton */ ++ if (getdef_bool("CREATE_HOME")) ++ mflg = 1; ++ ++ if (Mflg) /* absolutely sure that we do not create home dirs */ ++ mflg = 0; ++ + /* + * See if we are messing with the defaults file, or creating + * a new user. +@@ -1724,27 +1741,22 @@ int main (int argc, char **argv) + ("%s: warning: the home directory already exists.\n" + "Not copying any file from skel directory into it.\n"), + Prog); +- +- } else if (getdef_str ("CREATE_HOME")) { +- /* +- * RedHat added the CREATE_HOME option in login.defs in their +- * version of shadow-utils (which makes -m the default, with +- * new -M option to turn it off). Unfortunately, this +- * changes the way useradd works (it can be run by scripts +- * expecting some standard behaviour), compared to other +- * Unices and other Linux distributions, and also adds a lot +- * of confusion :-(. +- * So we now recognize CREATE_HOME and give a warning here +- * (better than "configuration error ... notify administrator" +- * errors in every program that reads /etc/login.defs). -MM +- */ +- fprintf (stderr, +- _ +- ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"), +- Prog); + } +- +- create_mail (); ++ /* Warning removed to protect the innocent. */ ++ /* ++ * The whole idea about breaking some stupid scripts by creating a new ++ * variable is crap - I could care less about the scripts. Historically ++ * adduser type programs have always created the home directories and ++ * I don't like the idea of providing a script when we can fix the ++ * binary itself. And if the scripts are using the right options to the ++ * useradd then they will not break. 
If not, they depend on unspecified ++ * behavior and they will break, but they were broken anyway to begin ++ * with --gafton ++ */ ++ ++ /* Do not create mail directory for system accounts */ ++ if( !rflg ) ++ create_mail (); + + close_files (); + +diff -up shadow-4.1.1/src/groupadd.c.redhat shadow-4.1.1/src/groupadd.c +diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8 +--- shadow-4.1.1/man/useradd.8.redhat 2008-04-03 00:43:14.000000000 +0200 ++++ shadow-4.1.1/man/useradd.8 2008-04-03 14:20:23.000000000 +0200 +@@ -25,9 +25,9 @@ When invoked without the + \fB\-D\fR + option, the + \fBuseradd\fR +-command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the ++command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the + \fBuseradd\fR +-command will update system files and may also create the new user\'s home directory and copy initial files\. ++command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. + .SH "OPTIONS" + .PP + The options which apply to the +@@ -84,7 +84,7 @@ The number of days after a password expi + .PP + \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR + .RS 4 +-The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in ++The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. + \fI/etc/default/useradd\fR\. + .RE + .PP +@@ -100,6 +100,13 @@ option\. The default is for the user to + Display help message and exit\. 
+ .RE + .PP ++\fB-M\fR ++.RS 4 ++The user\'s home directory will not be created, even if the system wide settings from ++\fI/etc/login.defs\fR ++is to create home dirs\. ++.RE ++.PP + \fB\-m\fR, \fB\-\-create\-home\fR + .RS 4 + The user\'s home directory will be created if it does not exist\. The files contained in +@@ -174,6 +181,19 @@ The encrypted password, as returned by + \fBcrypt\fR(3)\. The default is to disable the account\. + .RE + .PP ++\fB-r\fR ++.RS 4 ++This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in ++\fI/etc/login.defs\fR ++and whose password does not expire\. Note that ++\fBuseradd\fR ++will not create a home directory for such an user, regardless of the default setting in ++\fI/etc/login.defs\fR\. ++You have to specify ++\fB-m\fR ++option if you want a home directory for a system account to be created\. This is an option added by Red Hat\. ++.RE ++.PP + \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR + .RS 4 + The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\. +@@ -244,6 +264,8 @@ The name of a new user\'s login shell\. + The system administrator is responsible for placing the default user files in the + \fI/etc/skel/\fR + directory\. ++.br ++This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\. + .SH "CAVEATS" + .PP + You may not add a user to a NIS or LDAP group\. This must be performed on the corresponding server\. +@@ -381,6 +403,11 @@ Secure user account information\. + Group account information\. + .RE + .PP ++\fI/etc/gshadow\fR ++.RS 4 ++Secure group account information\. ++.RE ++.PP + \fI/etc/default/useradd\fR + .RS 4 + Default values for account creation\. 
+diff -up shadow-4.1.1/man/groupadd.8.redhat shadow-4.1.1/man/groupadd.8 +--- shadow-4.1.1/man/groupadd.8.redhat 2008-04-03 00:42:54.000000000 +0200 ++++ shadow-4.1.1/man/groupadd.8 2008-04-03 14:27:04.000000000 +0200 +@@ -14,7 +14,7 @@ + groupadd \- create a new group + .SH "SYNOPSIS" + .HP 9 +-\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR ++\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR + .SH "DESCRIPTION" + .PP + The +@@ -34,11 +34,22 @@ This option causes the command to simply + is turned off)\. + .RE + .PP ++\fB-r\fR ++.RS 4 ++This flag instructs ++\fBgroupadd\fR ++to add a system account\. The first available ++\fIgid\fR ++lower than 499 will be automatically selected unless the ++\fB-g\fR ++option is also given on the command line\. This is an option added by Red Hat\. ++.RE ++.PP + \fB\-g\fR, \fB\-\-gid\fR \fIGID\fR + .RS 4 + The numerical value of the group\'s ID\. This value must be unique, unless the + \fB\-o\fR +-option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\. ++option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 499 and greater than every other group\. Values between 0 and 500 are typically reserved for system accounts\. + .RE + .PP + \fB\-h\fR, \fB\-\-help\fR diff --git a/shadow-4.1.1-selinux.patch b/shadow-4.1.1-selinux.patch new file mode 100644 index 0000000..b99ea98 --- /dev/null +++ b/shadow-4.1.1-selinux.patch 
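Review bot: In the useradd.8 hunk the `-g` description now ends in a dangling fragment: the sentence "The default group number is 1 or whatever is specified in" was removed but its tail `\fI/etc/default/useradd\fR\.` was left behind, so either drop that line too or restore it as `The default is the value specified in \fI/etc/default/useradd\fR\.`. The groupadd.8 text is also internally inconsistent — "greater than 499" is paired with "Values between 0 and 500 are typically reserved", which should read `Values between 0 and 499 are typically reserved for system accounts\.`, and the `-r` paragraph says a gid "lower than 499" is chosen while the find_new_ids.c change in this hunk sets the system range's upper bound to GID_MIN - 1 = 499 inclusive. On the code side, the new `-M` usage line in useradd.c has no long-option column unlike its neighbours, and `-n` is accepted by getopt via the `case 'n':` fall-into-`case 'N':` but is listed neither in usage() nor in the man page changes here, so the accepted option set and the help text disagree; a one-word `/* undocumented compatibility alias for -N */` on the `case 'n':` line would at least explain it.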
@@ -0,0 +1,490 @@ +diff -up /dev/null shadow-4.1.1/libmisc/system.c +--- /dev/null 2008-03-19 11:34:26.687502959 +0100 ++++ shadow-4.1.1/libmisc/system.c 2008-04-05 14:55:29.000000000 +0200 +@@ -0,0 +1,37 @@ ++#include ++ ++#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $" ++ ++#include ++#include ++#include ++#include "prototypes.h" ++#include "defines.h" ++ ++int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr) ++{ ++ int status = -1; ++ int fd; ++ pid_t pid; ++ ++ pid = fork(); ++ if (pid < 0) ++ return -1; ++ ++ if (pid) { /* Parent */ ++ waitpid(pid, &status, 0); ++ return status; ++ } ++ ++ fd = open("/dev/null", O_RDWR); ++ /* Child */ ++ dup2(fd,0); // Close Stdin ++ if (ignore_stderr) ++ dup2(fd,2); // Close Stderr ++ ++ execve(command, (char *const *) argv, (char *const *) env); ++ fprintf (stderr, ++ _("Failed to exec '%s'\n"), argv[0]); ++ exit (-1); ++} ++ +diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c +--- shadow-4.1.1/libmisc/copydir.c.selinux 2008-01-06 13:02:04.000000000 +0100 ++++ shadow-4.1.1/libmisc/copydir.c 2008-04-05 14:55:29.000000000 +0200 +@@ -82,7 +82,7 @@ static int copy_file (const char *src, c + * symlink, directory, ... 
+ * + */ +-static int selinux_file_context (const char *dst_name) ++int selinux_file_context (const char *dst_name) + { + security_context_t scontext = NULL; + +@@ -253,6 +253,12 @@ int copy_tree (const char *src_root, con + src_orig = 0; + dst_orig = 0; + } ++ ++#ifdef WITH_SELINUX ++ /* Reset SELinux to create files with default contexts */ ++ setfscreatecon (NULL); ++#endif ++ + return err; + } + +diff -up shadow-4.1.1/libmisc/Makefile.am.selinux shadow-4.1.1/libmisc/Makefile.am +--- shadow-4.1.1/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100 ++++ shadow-4.1.1/libmisc/Makefile.am 2008-04-05 14:55:29.000000000 +0200 +@@ -43,6 +43,7 @@ libmisc_a_SOURCES = \ + setugid.c \ + setupenv.c \ + shell.c \ ++ system.c \ + strtoday.c \ + sub.c \ + sulog.c \ +diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c +--- shadow-4.1.1/src/useradd.c.selinux 2008-04-05 14:55:29.000000000 +0200 ++++ shadow-4.1.1/src/useradd.c 2008-04-05 14:55:29.000000000 +0200 +@@ -101,6 +101,7 @@ static const char *user_comment = ""; + static const char *user_home = ""; + static const char *user_shell = ""; + static const char *create_mail_spool = ""; ++static const char *user_selinux = ""; + + static long user_expire = -1; + static int is_shadow_pwd; +@@ -173,6 +174,7 @@ static int set_defaults (void); + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); ++static void selinux_update_mapping (void); + + static long scale_age (long); + static void new_spent (struct spwd *); +@@ -373,6 +375,7 @@ static void get_defaults (void) + def_create_mail_spool = xstrdup (cp); + } + } ++ fclose(fp); + } + + /* +@@ -665,6 +668,9 @@ static void usage (void) + " -s, --shell SHELL the login shell for the new user account\n" + " -u, --uid UID force use the UID for the new user account\n" + " -U, --user-group create a group with the same name as the user\n" ++#ifdef WITH_SELINUX ++ " -Z, --selinux-user SEUSER use a specific SEUSER 
for the SELinux user mapping\n" ++#endif + "\n"), stderr); + exit (E_USAGE); + } +@@ -880,12 +886,19 @@ static void process_flags (int argc, cha + {"password", required_argument, NULL, 'p'}, + {"system", no_argument, NULL, 'r'}, + {"shell", required_argument, NULL, 's'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {"uid", required_argument, NULL, 'u'}, + {"user-group", no_argument, NULL, 'U'}, + {NULL, 0, NULL, '\0'} + }; + while ((c = ++#ifdef WITH_SELINUX ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", ++#else + getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'b': +@@ -1070,6 +1083,17 @@ static void process_flags (int argc, cha + case 'U': + Uflg++; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled() > 0) ++ user_selinux = optarg; ++ else { ++ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); ++ ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -1476,6 +1500,33 @@ static void usr_update (void) + grp_update (); + } + ++static void selinux_update_mapping () { ++ ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() <= 0) return; ++ ++ if (*user_selinux) { /* must be done after passwd write() */ ++ const char *argv[7]; ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-a"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "adding SELinux user mapping", user_name, user_id, 0); ++#endif ++ } ++ } ++#endif ++ ++} + /* + * create_home - create the user's home directory + * +@@ -1485,7 +1536,11 @@ static void usr_update (void) + */ + static void create_home (void) + { ++ + if 
(access (user_home, F_OK)) { ++#ifdef WITH_SELINUX ++ selinux_file_context (user_home); ++#endif + /* XXX - create missing parent directories. --marekm */ + if (mkdir (user_home, 0)) { + fprintf (stderr, +@@ -1507,6 +1562,10 @@ static void create_home (void) + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "adding home directory", user_name, user_id, 1); + #endif ++#ifdef WITH_SELINUX ++ /* Reset SELinux to create files with default contexts */ ++ setfscreatecon (NULL); ++#endif + } + } + +@@ -1760,6 +1819,8 @@ int main (int argc, char **argv) + + close_files (); + ++ selinux_update_mapping(); ++ + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); + +diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c +--- shadow-4.1.1/src/usermod.c.selinux 2008-02-24 13:35:13.000000000 +0100 ++++ shadow-4.1.1/src/usermod.c 2008-04-05 14:55:29.000000000 +0200 +@@ -91,6 +91,7 @@ static char *user_newcomment; + static char *user_home; + static char *user_newhome; + static char *user_shell; ++static const char *user_selinux = ""; + static char *user_newshell; + static long user_expire; + static long user_newexpire; +@@ -138,6 +139,7 @@ static void date_to_str (char *buf, size + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); ++static void selinux_update_mapping (void); + + static void new_spent (struct spwd *); + static void fail_exit (int); +@@ -320,6 +322,9 @@ static void usage (void) + " -s, --shell SHELL new login shell for the user account\n" + " -u, --uid UID new UID for the user account\n" + " -U, --unlock unlock the user account\n" ++#ifdef WITH_SELINUX ++ " -Z, --selinux-user new selinux user mapping for the user account\n" ++#endif + "\n"), stderr); + exit (E_USAGE); + } +@@ -846,13 +851,20 @@ static void process_flags (int argc, cha + {"move-home", no_argument, NULL, 'm'}, + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, ++#ifdef WITH_SELINUX ++ 
{"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {"shell", required_argument, NULL, 's'}, + {"uid", required_argument, NULL, 'u'}, + {"unlock", no_argument, NULL, 'U'}, + {NULL, 0, NULL, '\0'} + }; + while ((c = +- getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", ++#ifdef WITH_SELINUX ++ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:", ++#else ++ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'a': +@@ -953,6 +965,16 @@ static void process_flags (int argc, cha + case 'U': + Uflg++; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled() > 0) ++ user_selinux = optarg; ++ else { ++ fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog); ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -1530,6 +1552,8 @@ int main (int argc, char **argv) + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); + ++ selinux_update_mapping(); ++ + if (mflg) + move_home (); + +@@ -1558,3 +1582,62 @@ int main (int argc, char **argv) + exit (E_SUCCESS); + /* NOT REACHED */ + } ++ ++static void selinux_update_mapping () { ++#ifdef WITH_SELINUX ++ const char *argv[7]; ++ ++ if (is_selinux_enabled() <= 0) return; ++ ++ if (*user_selinux) { ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-m"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system(argv[0], argv, NULL, 1)) { ++ argv[2] = "-a"; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "modifying User mapping ", user_name, user_id, 0); ++#endif ++ } ++ } ++ } ++ ++ if (dflg || *user_selinux) { ++ argv[0] = "/usr/sbin/genhomedircon"; ++ argv[1] = NULL; ++ if(safe_system(argv[0], argv, NULL,0)) { ++ fprintf (stderr, ++ 
_("%s: warning: unable to relabel the homedir %s for %s.\n"), ++ Prog, user_home, user_name); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "relabeling home directory", user_name, user_id, 0); ++#endif ++ } ++ ++ argv[0] = "/sbin/restorecon"; ++ argv[1] = "-F"; ++ argv[2] = "-R"; ++ argv[3] = user_home; ++ argv[4] = NULL; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: unable to relabel the homedir %s for %s.\n"), ++ Prog, user_home, user_name); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "relabeling home directory", user_name, user_id, 0); ++#endif ++ } ++ } ++#endif ++} +diff -up shadow-4.1.1/src/userdel.c.selinux shadow-4.1.1/src/userdel.c +--- shadow-4.1.1/src/userdel.c.selinux 2008-03-08 21:48:26.000000000 +0100 ++++ shadow-4.1.1/src/userdel.c 2008-04-05 14:55:29.000000000 +0200 +@@ -809,6 +809,17 @@ int main (int argc, char **argv) + #endif + } + ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() > 0) { ++ const char *argv[5]; ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-d"; ++ argv[3] = user_name; ++ argv[4] = NULL; ++ safe_system(argv[0], argv, NULL, 1); ++ } ++#endif + /* + * Cancel any crontabs or at jobs. Have to do this before we remove + * the entry from /etc/passwd. +diff -up shadow-4.1.1/man/useradd.8.selinux shadow-4.1.1/man/useradd.8 +--- shadow-4.1.1/man/useradd.8.selinux 2008-04-05 14:55:29.000000000 +0200 ++++ shadow-4.1.1/man/useradd.8 2008-04-05 15:00:03.000000000 +0200 +@@ -219,6 +219,11 @@ options are not specified) is defined by + variable in + \fIlogin\.defs\fR\. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. 
++.RE + .SS "Changing the default values" + .PP + When invoked with only the +diff -up shadow-4.1.1/man/usermod.8.xml.selinux shadow-4.1.1/man/usermod.8.xml +--- shadow-4.1.1/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100 ++++ shadow-4.1.1/man/usermod.8.xml 2008-04-05 14:55:29.000000000 +0200 +@@ -245,6 +245,19 @@ + + + ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. The default is to leave this ++ field the blank, which causes the system to select the default ++ SELinux user. ++ ++ ++ + + + +diff -up shadow-4.1.1/man/usermod.8.selinux shadow-4.1.1/man/usermod.8 +--- shadow-4.1.1/man/usermod.8.selinux 2008-04-03 00:43:16.000000000 +0200 ++++ shadow-4.1.1/man/usermod.8 2008-04-05 14:55:29.000000000 +0200 +@@ -133,6 +133,11 @@ Note: if you wish to unlock the account + value from + \fI/etc/default/useradd\fR)\. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. ++.RE + .SH "CAVEATS" + .PP + +diff -up shadow-4.1.1/man/useradd.8.xml.selinux shadow-4.1.1/man/useradd.8.xml +--- shadow-4.1.1/man/useradd.8.xml.selinux 2008-02-25 22:01:23.000000000 +0100 ++++ shadow-4.1.1/man/useradd.8.xml 2008-04-05 14:55:29.000000000 +0200 +@@ -326,6 +326,19 @@ + + + ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. The default is to leave this ++ field blank, which causes the system to select the default SELinux ++ user. 
++ ++ ++ + + + +diff -up shadow-4.1.1/lib/defines.h.selinux shadow-4.1.1/lib/defines.h +--- shadow-4.1.1/lib/defines.h.selinux 2008-02-03 18:52:52.000000000 +0100 ++++ shadow-4.1.1/lib/defines.h 2008-04-05 14:55:29.000000000 +0200 +@@ -321,4 +321,7 @@ extern char *strerror (); + # define unused + #endif + ++#ifdef WITH_SELINUX ++#include ++#endif + #endif /* _DEFINES_H_ */ +diff -up shadow-4.1.1/lib/prototypes.h.selinux shadow-4.1.1/lib/prototypes.h +--- shadow-4.1.1/lib/prototypes.h.selinux 2008-03-18 00:01:32.000000000 +0100 ++++ shadow-4.1.1/lib/prototypes.h 2008-04-05 15:03:41.000000000 +0200 +@@ -51,6 +51,10 @@ extern int copy_tree (const char *src_ro + long int uid, long int gid); + extern int remove_tree (const char *root); + ++#ifdef WITH_SELINUX ++extern int selinux_file_context (const char *dst_name); ++#endif ++ + /* encrypt.c */ + extern char *pw_encrypt (const char *, const char *); + +@@ -194,6 +198,9 @@ extern struct spwd *__spw_dup (const str + /* shell.c */ + extern int shell (const char *, const char *, char *const *); + ++/* system.c */ ++extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); ++ + /* strtoday.c */ + extern long strtoday (const char *); + diff --git a/shadow-4.1.1-sysAccountDownhill.patch b/shadow-4.1.1-sysAccountDownhill.patch new file mode 100644 index 0000000..63f6911 --- /dev/null +++ b/shadow-4.1.1-sysAccountDownhill.patch 
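Review bot: `safe_system()` in the new libmisc/system.c never checks the `open("/dev/null", O_RDWR)` result, so when it fails the following `dup2(fd,0)`/`dup2(fd,2)` silently fail and the semanage/restorecon child keeps the caller's stdin and stderr; the child also leaves the extra descriptor open, calls `exit(-1)` instead of `_exit()` (which re-flushes stdio buffers inherited from the parent), and the parent returns the raw `waitpid` status without decoding it or retrying on EINTR. Every caller only tests `if (safe_system(...))`, so returning `WEXITSTATUS()` (and -1 on a signal death or wait failure) keeps their semantics while making the value meaningful; the rewrite below needs `errno` in scope. Separately, userdel.c discards the result of `semanage login -d`, so a failure leaves a stale login mapping that a later account created with the same name would presumably inherit — it should at least print the same warning the useradd/usermod paths do. The `env` argument is NULL at every call site, which hands the child an empty environment; if that is deliberate sanitisation it deserves a comment on the prototype in prototypes.h.
```c
int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr)
{
	int status = -1;
	int fd;
	pid_t pid;

	pid = fork();
	if (pid < 0)
		return -1;

	if (pid) { /* Parent: report the child's exit code, not the raw wait status */
		while (waitpid(pid, &status, 0) < 0) {
			if (errno != EINTR)
				return -1;
		}
		return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
	}

	/* Child: detach stdin (and stderr on request) from the caller's descriptors */
	fd = open("/dev/null", O_RDWR);
	if (fd < 0 || dup2(fd, 0) < 0 || (ignore_stderr && dup2(fd, 2) < 0))
		_exit(127);
	if (fd > 2)
		close(fd);

	execve(command, (char *const *) argv, (char *const *) env);
	fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]);
	_exit(127);
}
```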
@@ -0,0 +1,94 @@ +diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/libmisc/find_new_ids.c +--- shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill 2008-04-04 21:46:08.000000000 +0200 ++++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-04 21:50:04.000000000 +0200 +@@ -22,6 +22,7 @@ int find_new_uid (int sys_user, uid_t *u + { + const struct passwd *pwd; + uid_t uid_min, uid_max, user_id; ++ char * index; + + assert (uid != NULL); + +@@ -32,6 +33,8 @@ int find_new_uid (int sys_user, uid_t *u + uid_min = getdef_unum ("SYS_UID_MIN", 1); + uid_max = getdef_unum ("UID_MIN", 500) - 1; + uid_max = getdef_unum ("SYS_UID_MAX", uid_max); ++ index = alloca (sizeof (char) * uid_max +1); ++ memset (index, 0, sizeof (char) * uid_max + 1); + } + + if ( (NULL != preferred_uid) +@@ -61,8 +64,24 @@ int find_new_uid (int sys_user, uid_t *u + pw_rewind (); + while ( ((pwd = getpwent ()) != NULL) + || ((pwd = pw_next ()) != NULL)) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; ++ if (sys_user == 0) { ++ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { ++ user_id = pwd->pw_uid + 1; ++ } ++ } ++ else { ++ /* create index of occupied system accounts UIDs */ ++ if (pwd->pw_uid <= uid_max) ++ index[pwd->pw_uid] = 1; ++ } ++ } ++ ++ /* find free system account */ ++ if(sys_user) { ++ for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); ++ if ( user_id < uid_min ) { ++ fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr); ++ return -1; + } + } + +@@ -104,6 +123,7 @@ int find_new_gid (int sys_group, gid_t * + { + const struct group *grp; + gid_t gid_min, gid_max, group_id; ++ char * index; + + assert (gid != NULL); + +@@ -114,6 +134,8 @@ int find_new_gid (int sys_group, gid_t * + gid_min = getdef_unum ("SYS_GID_MIN", 1); + gid_max = getdef_unum ("GID_MIN", 500) - 1; + gid_max = getdef_unum ("SYS_GID_MAX", gid_max); ++ index = alloca (sizeof (char) * gid_max +1); ++ 
memset (index, 0, sizeof (char) * gid_max + 1); + } + + if ( (NULL != preferred_gid) +@@ -142,11 +164,27 @@ int find_new_gid (int sys_group, gid_t * + gr_rewind (); + while ( ((grp = getgrent ()) != NULL) + || ((grp = gr_next ()) != NULL)) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; ++ if (sys_group == 0) { ++ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { ++ group_id = grp->gr_gid + 1; ++ } ++ } ++ else { ++ /* create index of occupied system accounts GIDs */ ++ if (grp->gr_gid <= gid_max) ++ index[grp->gr_gid] = 1; + } + } + ++ /* find free system account */ ++ if(sys_group) { ++ for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--); ++ if ( group_id < gid_min ) { ++ fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr); ++ return -1; ++ } ++ } ++ + /* + * If a group with GID equal to GID_MAX exists, the above algorithm + * will give us GID_MAX+1 even if not unique. Search for the first diff --git a/shadow-utils.spec b/shadow-utils.spec index 894b84b..7f1b2be 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
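Review bot: The downward scan `for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--);` in the new find_new_uid code cannot stop on its lower bound when SYS_UID_MIN is configured as 0: uid_t is unsigned on glibc, so `user_id >= 0` is always true, and with every slot occupied the decrement wraps past zero and reads `index[]` far out of bounds, while the following `user_id < uid_min` test can never fire. Testing the bound before decrementing avoids this, e.g. `user_id = uid_max;` / `while (index[user_id] && user_id > uid_min) user_id--;` / `if (index[user_id] || user_id < uid_min) { fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr); return -1; }`. The `index` buffer is also an `alloca` sized directly from login.defs values (`SYS_UID_MAX`, or `UID_MIN - 1`), so a large configured value exhausts the stack instead of failing cleanly; `calloc` with a NULL check (or a bit array) would bound the cost and let the function return -1 as it already does on other failures. Both issues appear again in the find_new_gid half of this hunk and are carried unchanged into the shadow-4.1.2-sysAccountDownhill.patch rename later in the series; the enclosing function bodies continue outside the quoted inner hunks.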
@@ -4,34 +4,28 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.0 -Release: 5%{?dist} +Version: 4.1.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd -Patch0: shadow-4.1.0-redhat.patch -Patch1: shadow-4.0.3-noinst.patch -Patch2: shadow-4.1.0-goodname.patch -Patch3: shadow-4.1.0-lOption.patch -Patch4: shadow-4.1.0-selinux.patch -Patch5: shadow-4.0.18.1-sysAccount.patch -Patch6: shadow-4.0.18.1-findNewUidOnce.patch -Patch7: shadow-4.0.18.1-mtime.patch -Patch8: shadow-4.1.0-audit-newgrp.patch -Patch9: shadow-4.1.0-segfault.patch -Patch10: shadow-4.1.0-fasterReset.patch +Patch0: shadow-4.1.1-redhat.patch +Patch1: shadow-4.1.1-audit.patch +Patch3: shadow-4.1.0-goodname.patch +Patch4: shadow-4.1.1-selinux.patch +Patch5: shadow-4.1.1-sysAccountDownhill.patch License: BSD Group: System Environment/Base BuildRequires: autoconf, automake, libtool, gettext-devel BuildRequires: libselinux-devel >= 1.25.2-1 -BuildRequires: audit-libs-devel >= 1.0.10 -Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: audit-libs-devel >= 1.6.5 Requires: libselinux >= 1.25.2-1 -Requires: audit-libs >= 1.0.10 +Requires: audit-libs >= 1.6.5 +Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description The shadow-utils package includes the necessary programs for 
@@ -48,16 +42,11 @@ are used for managing group accounts. %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat -%patch1 -p1 -b .noinst -%patch2 -p1 -b .goodname -%patch3 -p1 -b .lOption +%patch1 -p1 -b .audit +%patch3 -p1 -b .goodname %patch4 -p1 -b .selinux -%patch5 -p1 -b .sysAccount -%patch6 -p1 -b .findNewUidOnce -%patch7 -p1 -b .mtime -%patch8 -p1 -b .auditNewgrp -%patch9 -p1 -b .segfault -%patch10 -p1 -b .fasterReset +%patch5 -p1 -b .sysAccountDownhill + rm po/*.gmo rm po/stamp-po @@ -197,6 +186,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Apr 07 2008 Peter Vrabec 2:4.1.1-1 +- upgrade + * Fri Mar 07 2008 Peter Vrabec 2:4.1.0-5 - improve newgrp audit patch diff --git a/sources b/sources index 7b7416e..a48c6ec 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd -dd6ca3ac424b447962d7a7af923b7bda shadow-4.1.0.tar.bz2 +b1aa30abb3cce16a37b53e45e1ec70a4 shadow-4.1.1.tar.bz2 From f59529bd6964d47503a95521f606ce398bc31c6b Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 20 May 2008 11:44:16 +0000 Subject: [PATCH 019/151] fix salt size problem (#447136) --- shadow-4.1.1-saltSize.patch | 17 +++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.1-saltSize.patch diff --git a/shadow-4.1.1-saltSize.patch b/shadow-4.1.1-saltSize.patch new file mode 100644 index 0000000..aaf1dec --- /dev/null +++ b/shadow-4.1.1-saltSize.patch 
@@ -0,0 +1,17 @@ +diff -up shadow-4.1.1/libmisc/salt.c.saltSize shadow-4.1.1/libmisc/salt.c +--- shadow-4.1.1/libmisc/salt.c.saltSize 2008-05-20 13:36:06.000000000 +0200 ++++ shadow-4.1.1/libmisc/salt.c 2008-05-20 13:39:30.000000000 +0200 +@@ -90,9 +90,10 @@ static void seedRNG (void) + */ + static unsigned int SHA_salt_size (void) + { +- double rand_rounds = 9 * random (); +- rand_rounds /= RAND_MAX; +- return 8 + rand_rounds; ++ unsigned int rand_rounds; ++ seedRNG (); ++ rand_rounds = random () % 9; ++ return 8 + rand_rounds; + } + + /* ! Arguments evaluated twice ! */ diff --git a/shadow-utils.spec b/shadow-utils.spec index 7f1b2be..e99796b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -17,6 +17,7 @@ Patch1: shadow-4.1.1-audit.patch Patch3: shadow-4.1.0-goodname.patch Patch4: shadow-4.1.1-selinux.patch Patch5: shadow-4.1.1-sysAccountDownhill.patch +Patch6: shadow-4.1.1-saltSize.patch License: BSD Group: System Environment/Base @@ -46,6 +47,7 @@ are used for managing group accounts. %patch3 -p1 -b .goodname %patch4 -p1 -b .selinux %patch5 -p1 -b .sysAccountDownhill +%patch6 -p1 -b .saltSize rm po/*.gmo @@ -186,6 +188,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue May 20 2008 Peter Vrabec 2:4.1.1-2 +- fix salt size problem (#447136) + * Mon Apr 07 2008 Peter Vrabec 2:4.1.1-1 - upgrade From 79c2e982796c3b23176270d5c27cd22b65c9c28e Mon Sep 17 00:00:00 2001 
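Review bot: The new body `rand_rounds = random () % 9;` carries no explanation of what it fixes, and the commit message only cites a bug number; a comment above the line would help, e.g. `/* random() returns a long: 9 * random() overflows on 32-bit targets, and random() == RAND_MAX would yield 17, one past the 16-character SHA-crypt salt maximum; the modulo keeps the size in 8..16 */`. Calling `seedRNG ()` inside SHA_salt_size reseeds the generator on every size query; if the caller already seeds before drawing the salt bytes this is redundant, and if seedRNG() derives its seed from a coarse time source, calls within the same tick will return the same size — seedRNG's body is outside the hunk, so confirm there. random() is in any case not a cryptographic generator, which is acceptable for choosing a length but should not be relied on for the salt characters themselves; that code is not visible in this hunk.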
From: Peter Vrabec Date: Mon, 26 May 2008 13:17:35 +0000 Subject: [PATCH 020/151] upgrade --- .cvsignore | 1 + shadow-4.1.1-audit.patch | 26 ----- shadow-4.1.1-saltSize.patch | 17 --- ...dname.patch => shadow-4.1.2-goodname.patch | 40 +++---- ...-redhat.patch => shadow-4.1.2-redhat.patch | 105 +++++++++--------- ...h => shadow-4.1.2-sysAccountDownhill.patch | 59 +++++----- shadow-utils.spec | 25 ++--- sources | 1 + 8 files changed, 117 insertions(+), 157 deletions(-) delete mode 100644 shadow-4.1.1-audit.patch delete mode 100644 shadow-4.1.1-saltSize.patch rename shadow-4.1.0-goodname.patch => shadow-4.1.2-goodname.patch (64%) rename shadow-4.1.1-redhat.patch => shadow-4.1.2-redhat.patch (65%) rename shadow-4.1.1-sysAccountDownhill.patch => shadow-4.1.2-sysAccountDownhill.patch (61%) diff --git a/.cvsignore b/.cvsignore index 44506c6..1aa7c2d 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,3 +1,4 @@ shadow-4.0.17-login.defs shadow-4.0.18.1-useradd shadow-4.1.1.tar.bz2 +shadow-4.1.2.tar.bz2 diff --git a/shadow-4.1.1-audit.patch b/shadow-4.1.1-audit.patch deleted file mode 100644 index 964e0c1..0000000 --- a/shadow-4.1.1-audit.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -up shadow-4.1.1/src/newgrp.c.audit shadow-4.1.1/src/newgrp.c ---- shadow-4.1.1/src/newgrp.c.audit 2008-04-03 15:20:25.000000000 +0200 -+++ shadow-4.1.1/src/newgrp.c 2008-04-03 15:22:00.000000000 +0200 -@@ -53,6 +53,10 @@ static GETGROUPS_T *grouplist; - static char *Prog; - static int is_newgrp; - -+#ifdef WITH_AUDIT -+ char audit_buf[80]; -+#endif -+ - /* local function prototypes */ - static void usage (void); - static void check_perms (const struct group *grp, -@@ -349,10 +353,9 @@ int main (int argc, char **argv) - #endif - - #ifdef WITH_AUDIT -- char audit_buf[80]; -- - audit_help_open (); - #endif -+ - setlocale (LC_ALL, ""); - bindtextdomain (PACKAGE, LOCALEDIR); - textdomain (PACKAGE); 
diff --git a/shadow-4.1.1-saltSize.patch b/shadow-4.1.1-saltSize.patch deleted file mode 100644 index aaf1dec..0000000 --- a/shadow-4.1.1-saltSize.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -up shadow-4.1.1/libmisc/salt.c.saltSize shadow-4.1.1/libmisc/salt.c ---- shadow-4.1.1/libmisc/salt.c.saltSize 2008-05-20 13:36:06.000000000 +0200 -+++ shadow-4.1.1/libmisc/salt.c 2008-05-20 13:39:30.000000000 +0200 -@@ -90,9 +90,10 @@ static void seedRNG (void) - */ - static unsigned int SHA_salt_size (void) - { -- double rand_rounds = 9 * random (); -- rand_rounds /= RAND_MAX; -- return 8 + rand_rounds; -+ unsigned int rand_rounds; -+ seedRNG (); -+ rand_rounds = random () % 9; -+ return 8 + rand_rounds; - } - - /* ! Arguments evaluated twice ! */ diff --git a/shadow-4.1.0-goodname.patch b/shadow-4.1.2-goodname.patch similarity index 64% rename from shadow-4.1.0-goodname.patch rename to shadow-4.1.2-goodname.patch index 5456ceb..273ad2b 100644 --- a/shadow-4.1.0-goodname.patch +++ b/shadow-4.1.2-goodname.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.1.0/libmisc/chkname.c.goodname shadow-4.1.0/libmisc/chkname.c ---- shadow-4.1.0/libmisc/chkname.c.goodname 2007-11-11 00:45:59.000000000 +0100 -+++ shadow-4.1.0/libmisc/chkname.c 2007-12-12 13:57:20.000000000 +0100 -@@ -18,16 +18,24 @@ +diff -up shadow-4.1.2/libmisc/chkname.c.goodname shadow-4.1.2/libmisc/chkname.c +--- shadow-4.1.2/libmisc/chkname.c.goodname 2008-04-27 02:40:13.000000000 +0200 ++++ shadow-4.1.2/libmisc/chkname.c 2008-05-26 14:37:09.000000000 +0200 +@@ -50,16 +50,24 @@ static int good_name (const char *name) { /* @@ -33,7 +33,7 @@ diff -up shadow-4.1.0/libmisc/chkname.c.goodname shadow-4.1.0/libmisc/chkname.c return 0; } -@@ -43,10 +51,9 @@ int check_user_name (const char *name) +@@ -75,10 +83,9 @@ int check_user_name (const char *name) #endif /* 
@@ -46,7 +46,7 @@ diff -up shadow-4.1.0/libmisc/chkname.c.goodname shadow-4.1.0/libmisc/chkname.c return 0; return good_name (name); -@@ -54,11 +61,13 @@ int check_user_name (const char *name) +@@ -86,11 +93,13 @@ int check_user_name (const char *name) int check_group_name (const char *name) { 
@@ -65,29 +65,29 @@ diff -up shadow-4.1.0/libmisc/chkname.c.goodname shadow-4.1.0/libmisc/chkname.c return 0; return good_name (name); -diff -up shadow-4.1.0/man/groupadd.8.goodname shadow-4.1.0/man/groupadd.8 ---- shadow-4.1.0/man/groupadd.8.goodname 2007-12-12 13:51:43.000000000 +0100 -+++ shadow-4.1.0/man/groupadd.8 2007-12-12 14:00:29.000000000 +0100 -@@ -126,9 +126,7 @@ Shadow password suite configuration\. +diff -up shadow-4.1.2/man/groupadd.8.goodname shadow-4.1.2/man/groupadd.8 +--- shadow-4.1.2/man/groupadd.8.goodname 2008-05-26 14:37:09.000000000 +0200 ++++ shadow-4.1.2/man/groupadd.8 2008-05-26 14:40:51.000000000 +0200 +@@ -150,9 +150,7 @@ Shadow password suite configuration\&. .RE .SH "CAVEATS" .PP --Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] +-Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] -.PP --Groupnames may only be up to 16 characters long\. -+Groupnames may only be up to 32 characters long\. +-Groupnames may only be up to 16 characters long\&. ++Groupnames may only be up to 32 characters long\&. .PP - You may not add a NIS or LDAP group\. This must be performed on the corresponding server\. + You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. 
.PP -diff -up shadow-4.1.0/man/useradd.8.goodname shadow-4.1.0/man/useradd.8 ---- shadow-4.1.0/man/useradd.8.goodname 2007-12-12 13:51:43.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8 2007-12-12 14:01:36.000000000 +0100 -@@ -242,8 +242,6 @@ You may not add a user to a NIS or LDAP +diff -up shadow-4.1.2/man/useradd.8.goodname shadow-4.1.2/man/useradd.8 +--- shadow-4.1.2/man/useradd.8.goodname 2008-05-26 14:37:09.000000000 +0200 ++++ shadow-4.1.2/man/useradd.8 2008-05-26 14:41:48.000000000 +0200 +@@ -293,8 +293,6 @@ You may not add a user to a NIS or LDAP Similarly, if the username already exists in an external user database such as NIS or LDAP, \fBuseradd\fR - will deny the user account creation request\. + will deny the user account creation request\&. -.PP --Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] +-Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] .SH "CONFIGURATION" .PP The following configuration variables in diff --git a/shadow-4.1.1-redhat.patch b/shadow-4.1.2-redhat.patch similarity index 65% rename from shadow-4.1.1-redhat.patch rename to shadow-4.1.2-redhat.patch index 48ad96a..75c84a8 100644 --- a/shadow-4.1.1-redhat.patch +++ b/shadow-4.1.2-redhat.patch 
@@ -1,7 +1,7 @@ -diff -up shadow-4.1.1/libmisc/find_new_ids.c.redhat shadow-4.1.1/libmisc/find_new_ids.c ---- shadow-4.1.1/libmisc/find_new_ids.c.redhat 2008-04-03 12:18:51.000000000 +0200 -+++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-03 13:30:44.000000000 +0200 -@@ -26,11 +26,11 @@ int find_new_uid (int sys_user, uid_t *u +diff -up shadow-4.1.2/libmisc/find_new_ids.c.redhat shadow-4.1.2/libmisc/find_new_ids.c +--- shadow-4.1.2/libmisc/find_new_ids.c.redhat 2008-04-22 00:00:19.000000000 +0200 ++++ shadow-4.1.2/libmisc/find_new_ids.c 2008-05-26 14:18:43.000000000 +0200 +@@ -56,11 +56,11 @@ int find_new_uid (int sys_user, uid_t *u assert (uid != NULL); if (sys_user == 0) { @@ -15,7 +15,7 @@ diff -up shadow-4.1.1/libmisc/find_new_ids.c.redhat shadow-4.1.1/libmisc/find_ne uid_max = getdef_unum ("SYS_UID_MAX", uid_max); } -@@ -108,11 +108,11 @@ int find_new_gid (int sys_group, gid_t * +@@ -139,11 +139,11 @@ int find_new_gid (int sys_group, gid_t * assert (gid != NULL); if (sys_group == 0) { @@ -29,10 +29,10 @@ diff -up shadow-4.1.1/libmisc/find_new_ids.c.redhat shadow-4.1.1/libmisc/find_ne gid_max = getdef_unum ("SYS_GID_MAX", gid_max); } -diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c ---- shadow-4.1.1/src/useradd.c.redhat 2008-03-08 23:42:05.000000000 +0100 -+++ shadow-4.1.1/src/useradd.c 2008-04-03 14:07:32.000000000 +0200 -@@ -82,7 +82,7 @@ +diff -up shadow-4.1.2/src/useradd.c.redhat shadow-4.1.2/src/useradd.c +--- shadow-4.1.2/src/useradd.c.redhat 2008-05-19 22:31:52.000000000 +0200 ++++ shadow-4.1.2/src/useradd.c 2008-05-26 14:18:43.000000000 +0200 +@@ -85,7 +85,7 @@ static gid_t def_group = 100; static const char *def_gname = "other"; static const char *def_home = "/home"; 
@@ -41,7 +41,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c static const char *def_template = SKEL_DIR; static const char *def_create_mail_spool = "no"; -@@ -94,7 +94,7 @@ static char def_file[] = USER_DEFAULTS_F +@@ -97,7 +97,7 @@ static char def_file[] = USER_DEFAULTS_F #define VALID(s) (strcspn (s, ":\n") == strlen (s)) static const char *user_name = ""; @@ -50,7 +50,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -130,6 +130,7 @@ static int +@@ -133,6 +133,7 @@ static int kflg = 0, /* specify a directory to fill new user directory */ lflg = 0, /* do not add user to lastlog database file */ mflg = 0, /* create user's home directory if it doesn't exist */ @@ -58,7 +58,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c Nflg = 0, /* do not create a group having the same name as the user, but add the user to def_group (or the group specified with -g) */ oflg = 0, /* permit non-unique user ID to be specified with -u */ rflg = 0, /* create a system account */ -@@ -653,6 +654,7 @@ static void usage (void) +@@ -656,6 +657,7 @@ static void usage (void) " faillog databases\n" " -m, --create-home create home directory for the new user\n" " account\n" @@ -66,7 +66,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c " -N, --no-user-group do not create a group with the same name as\n" " the user\n" " -o, --non-unique allow create user with duplicate\n" -@@ -883,7 +885,7 @@ static void process_flags (int argc, cha +@@ -886,7 +888,7 @@ static void process_flags (int argc, cha {NULL, 0, NULL, '\0'} }; while ((c = 
@@ -75,7 +75,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c long_options, NULL)) != -1) { switch (c) { case 'b': -@@ -1023,6 +1025,10 @@ static void process_flags (int argc, cha +@@ -1026,6 +1028,10 @@ static void process_flags (int argc, cha case 'm': mflg++; break; @@ -86,7 +86,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c case 'N': Nflg++; break; -@@ -1076,6 +1082,9 @@ static void process_flags (int argc, cha +@@ -1079,6 +1085,9 @@ static void process_flags (int argc, cha Uflg = getdef_bool ("USERGROUPS_ENAB"); } @@ -96,7 +96,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c /* * Certain options are only valid in combination with others. * Check it here so that they can be specified in any order. -@@ -1625,6 +1634,14 @@ int main (int argc, char **argv) +@@ -1628,6 +1637,14 @@ int main (int argc, char **argv) } #endif /* USE_PAM */ @@ -111,7 +111,7 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c /* * See if we are messing with the defaults file, or creating * a new user. -@@ -1724,27 +1741,22 @@ int main (int argc, char **argv) +@@ -1727,27 +1744,22 @@ int main (int argc, char **argv) ("%s: warning: the home directory already exists.\n" "Not copying any file from skel directory into it.\n"), Prog); 
@@ -154,33 +154,30 @@ diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c close_files (); -diff -up shadow-4.1.1/src/groupadd.c.redhat shadow-4.1.1/src/groupadd.c -diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8 ---- shadow-4.1.1/man/useradd.8.redhat 2008-04-03 00:43:14.000000000 +0200 -+++ shadow-4.1.1/man/useradd.8 2008-04-03 14:20:23.000000000 +0200 -@@ -25,9 +25,9 @@ When invoked without the - \fB\-D\fR - option, the +diff -up shadow-4.1.2/man/useradd.8.redhat shadow-4.1.2/man/useradd.8 +--- shadow-4.1.2/man/useradd.8.redhat 2008-05-25 01:20:26.000000000 +0200 ++++ shadow-4.1.2/man/useradd.8 2008-05-26 14:26:14.000000000 +0200 +@@ -27,7 +27,7 @@ option, the \fBuseradd\fR --command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the -+command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the + command creates a new user account using the values specified on the command line plus the default values from the system\&. Depending on command line options, the \fBuseradd\fR --command will update system files and may also create the new user\'s home directory and copy initial files\. -+command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. +-command will update system files and may also create the new user\'s home directory and copy initial files\&. ++command will update system files and may also create the new user\'s home directory and copy initial files\&. The version provided with Red Hat Linux will create a group for each user added to the system by default\&. 
.SH "OPTIONS" .PP The options which apply to the -@@ -84,7 +84,7 @@ The number of days after a password expi +@@ -84,8 +84,7 @@ The number of days after a password expi .PP \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR .RS 4 --The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in -+The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. - \fI/etc/default/useradd\fR\. +-The group name or number of the user\'s initial login group\&. The group name must exist\&. A group number must refer to an already existing group\&. The default group number is 1 or whatever is specified in +-\fI/etc/default/useradd\fR\&. ++The group name or number of the user\'s initial login group\&. The group name must exist\&. A group number must refer to an already existing group\&. .RE .PP -@@ -100,6 +100,13 @@ option\. The default is for the user to - Display help message and exit\. + \fB\-G\fR, \fB\-\-groups\fR \fIGROUP1\fR[\fI,GROUP2,\&.\&.\&.\fR[\fI,GROUPN\fR]]] +@@ -143,6 +142,13 @@ Do not add the user to the lastlog and f + By default, the user\'s entries in the lastlog and faillog databases are resetted to avoid reusing the entry from a previously deleted user\&. .RE .PP +\fB-M\fR 
@@ -192,9 +189,9 @@ diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8 +.PP \fB\-m\fR, \fB\-\-create\-home\fR .RS 4 - The user\'s home directory will be created if it does not exist\. The files contained in -@@ -174,6 +181,19 @@ The encrypted password, as returned by - \fBcrypt\fR(3)\. The default is to disable the account\. + Create the user\'s home directory if it does not exist\&. The files and directories contained in the skeleton directory (which can be defined with the +@@ -195,6 +201,19 @@ range, defined in + counterparts for the creation of groups)\&. .RE .PP +\fB-r\fR @@ -212,18 +209,18 @@ diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8 +.PP \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR .RS 4 - The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\. -@@ -244,6 +264,8 @@ The name of a new user\'s login shell\. + The name of the user\'s login shell\&. The default is to leave this field blank, which causes the system to select the default login shell\&. +@@ -265,6 +284,8 @@ The name of a new user\'s login shell\&. The system administrator is responsible for placing the default user files in the \fI/etc/skel/\fR - directory\. + directory\&. +.br -+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\. ++This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\&. .SH "CAVEATS" .PP - You may not add a user to a NIS or LDAP group\. This must be performed on the corresponding server\. -@@ -381,6 +403,11 @@ Secure user account information\. - Group account information\. + You may not add a user to a NIS or LDAP group\&. This must be performed on the corresponding server\&. +@@ -407,6 +428,11 @@ Group account information\&. + Secure group account information\&. .RE .PP +\fI/etc/gshadow\fR 
@@ -233,10 +230,10 @@ diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8 +.PP \fI/etc/default/useradd\fR .RS 4 - Default values for account creation\. -diff -up shadow-4.1.1/man/groupadd.8.redhat shadow-4.1.1/man/groupadd.8 ---- shadow-4.1.1/man/groupadd.8.redhat 2008-04-03 00:42:54.000000000 +0200 -+++ shadow-4.1.1/man/groupadd.8 2008-04-03 14:27:04.000000000 +0200 + Default values for account creation\&. +diff -up shadow-4.1.2/man/groupadd.8.redhat shadow-4.1.2/man/groupadd.8 +--- shadow-4.1.2/man/groupadd.8.redhat 2008-05-25 01:20:05.000000000 +0200 ++++ shadow-4.1.2/man/groupadd.8 2008-05-26 14:35:49.000000000 +0200 @@ -14,7 +14,7 @@ groupadd \- create a new group .SH "SYNOPSIS" @@ -247,26 +244,26 @@ diff -up shadow-4.1.1/man/groupadd.8.redhat shadow-4.1.1/man/groupadd.8 .PP The 
@@ -34,11 +34,22 @@ This option causes the command to simply - is turned off)\. + is turned off)\&. .RE .PP +\fB-r\fR +.RS 4 +This flag instructs +\fBgroupadd\fR -+to add a system account\. The first available ++to add a system account\. The first available +\fIgid\fR -+lower than 499 will be automatically selected unless the ++lower than 500 will be automatically selected unless the +\fB-g\fR +option is also given on the command line\. This is an option added by Red Hat\. +.RE +.PP \fB\-g\fR, \fB\-\-gid\fR \fIGID\fR .RS 4 - The numerical value of the group\'s ID\. This value must be unique, unless the + The numerical value of the group\'s ID\&. This value must be unique, unless the \fB\-o\fR --option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\. -+option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 499 and greater than every other group\. Values between 0 and 500 are typically reserved for system accounts\. +-option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than 999 and greater than every other group\&. Values between 0 and 999 are typically reserved for system accounts\&. ++option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than 499 and greater than every other group\&. Values between 0 and 500 are typically reserved for system accounts\&. .RE .PP \fB\-h\fR, \fB\-\-help\fR diff --git a/shadow-4.1.1-sysAccountDownhill.patch b/shadow-4.1.2-sysAccountDownhill.patch similarity index 61% rename from shadow-4.1.1-sysAccountDownhill.patch rename to shadow-4.1.2-sysAccountDownhill.patch index 63f6911..2071190 100644 --- a/shadow-4.1.1-sysAccountDownhill.patch +++ b/shadow-4.1.2-sysAccountDownhill.patch 
@@ -1,7 +1,7 @@ -diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/libmisc/find_new_ids.c ---- shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill 2008-04-04 21:46:08.000000000 +0200 -+++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-04 21:50:04.000000000 +0200 -@@ -22,6 +22,7 @@ int find_new_uid (int sys_user, uid_t *u +diff -up shadow-4.1.2/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.2/libmisc/find_new_ids.c +--- shadow-4.1.2/libmisc/find_new_ids.c.sysAccountDownhill 2008-05-26 14:52:49.000000000 +0200 ++++ shadow-4.1.2/libmisc/find_new_ids.c 2008-05-26 14:58:55.000000000 +0200 +@@ -52,6 +52,7 @@ int find_new_uid (int sys_user, uid_t *u { const struct passwd *pwd; uid_t uid_min, uid_max, user_id; @@ -9,7 +9,7 @@ diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/lib assert (uid != NULL); -@@ -32,6 +33,8 @@ int find_new_uid (int sys_user, uid_t *u +@@ -62,6 +63,8 @@ int find_new_uid (int sys_user, uid_t *u uid_min = getdef_unum ("SYS_UID_MIN", 1); uid_max = getdef_unum ("UID_MIN", 500) - 1; uid_max = getdef_unum ("SYS_UID_MAX", uid_max); @@ -18,7 +18,7 @@ diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/lib } if ( (NULL != preferred_uid) -@@ -61,8 +64,24 @@ int find_new_uid (int sys_user, uid_t *u +@@ -91,12 +94,28 @@ int find_new_uid (int sys_user, uid_t *u pw_rewind (); while ( ((pwd = getpwent ()) != NULL) || ((pwd = pw_next ()) != NULL)) { 
@@ -33,19 +33,23 @@ diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/lib + /* create index of occupied system accounts UIDs */ + if (pwd->pw_uid <= uid_max) + index[pwd->pw_uid] = 1; -+ } -+ } -+ + } + } + endpwent (); + + /* find free system account */ + if(sys_user) { + for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); + if ( user_id < uid_min ) { + fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr); + return -1; - } - } - -@@ -104,6 +123,7 @@ int find_new_gid (int sys_group, gid_t * ++ } ++ } ++ + /* + * If a user with UID equal to UID_MAX exists, the above algorithm + * will give us UID_MAX+1 even if not unique. Search for the first +@@ -135,6 +154,7 @@ int find_new_gid (int sys_group, gid_t * { const struct group *grp; gid_t gid_min, gid_max, group_id; @@ -53,7 +57,7 @@ diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/lib assert (gid != NULL); -@@ -114,6 +134,8 @@ int find_new_gid (int sys_group, gid_t * +@@ -145,6 +165,8 @@ int find_new_gid (int sys_group, gid_t * gid_min = getdef_unum ("SYS_GID_MIN", 1); gid_max = getdef_unum ("GID_MIN", 500) - 1; gid_max = getdef_unum ("SYS_GID_MAX", gid_max); 
@@ -62,31 +66,32 @@ diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/lib } if ( (NULL != preferred_gid) -@@ -142,11 +164,27 @@ int find_new_gid (int sys_group, gid_t * +@@ -173,12 +195,28 @@ int find_new_gid (int sys_group, gid_t * gr_rewind (); while ( ((grp = getgrent ()) != NULL) || ((grp = gr_next ()) != NULL)) { - if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { - group_id = grp->gr_gid + 1; -+ if (sys_group == 0) { -+ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -+ group_id = grp->gr_gid + 1; -+ } -+ } -+ else { -+ /* create index of occupied system accounts GIDs */ -+ if (grp->gr_gid <= gid_max) -+ index[grp->gr_gid] = 1; ++ if (sys_group == 0) { ++ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { ++ group_id = grp->gr_gid + 1; ++ } ++ } ++ else { ++ /* create index of occupied system accounts GIDs */ ++ if (grp->gr_gid <= gid_max) ++ index[grp->gr_gid] = 1; } } + endgrent (); + /* find free system account */ + if(sys_group) { + for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--); + if ( group_id < gid_min ) { -+ fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr); -+ return -1; -+ } ++ fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr); ++ return -1; ++ } + } + /* diff --git a/shadow-utils.spec b/shadow-utils.spec index e99796b..200f07e 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -4,20 +4,18 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.1 -Release: 2%{?dist} +Version: 4.1.2 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd -Patch0: shadow-4.1.1-redhat.patch -Patch1: shadow-4.1.1-audit.patch -Patch3: shadow-4.1.0-goodname.patch -Patch4: shadow-4.1.1-selinux.patch -Patch5: shadow-4.1.1-sysAccountDownhill.patch -Patch6: shadow-4.1.1-saltSize.patch +Patch0: shadow-4.1.2-redhat.patch +Patch1: shadow-4.1.2-goodname.patch +Patch2: shadow-4.1.1-selinux.patch +Patch3: shadow-4.1.2-sysAccountDownhill.patch License: BSD Group: System Environment/Base @@ -43,11 +41,9 @@ are used for managing group accounts. %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat -%patch1 -p1 -b .audit -%patch3 -p1 -b .goodname -%patch4 -p1 -b .selinux -%patch5 -p1 -b .sysAccountDownhill -%patch6 -p1 -b .saltSize +%patch1 -p1 -b .goodname +%patch2 -p1 -b .selinux +%patch3 -p1 -b .sysAccountDownhill rm po/*.gmo @@ -188,6 +184,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon May 26 2008 Peter Vrabec 2:4.1.2-1 +- upgrade + * Tue May 20 2008 Peter Vrabec 2:4.1.1-2 - fix salt size problem (#447136) diff --git a/sources b/sources index a48c6ec..0c72fb3 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd b1aa30abb3cce16a37b53e45e1ec70a4 shadow-4.1.1.tar.bz2 +ce90cbe9cba7f6673cb10cad49083c1c shadow-4.1.2.tar.bz2 From fd27fd21e3ad5fc1f0b8e2c197c4066593948c80 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 22 Jul 2008 10:16:36 +0000 Subject: [PATCH 021/151] provide man getspnam by man-pages --- shadow-utils.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
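Review bot: This hunk drops `Patch1: shadow-4.1.1-audit.patch` and `Patch6: shadow-4.1.1-saltSize.patch` (and their `%patch` lines in the `@@ -43,11 +41,9 @@` hunk), but the changelog entry added further down reads only `- upgrade` and does not say whether the 4.1.2 tarball carries those fixes; the salt-size fix for #447136 was added one release earlier per the visible changelog, so a silent drop is a regression risk. State the reason in the changelog, e.g. `- upgrade; drop audit and saltSize patches (merged upstream in 4.1.2)`, or keep the patches if they are not merged. A later commit on this page re-adds an audit patch, which suggests the audit changes were not fully upstream.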
diff --git a/shadow-utils.spec b/shadow-utils.spec index 200f07e..f6c2b91 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -126,6 +126,8 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* +rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* +rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* %find_lang shadow find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete @@ -165,7 +167,6 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* %{_mandir}/man3/shadow.3* -%{_mandir}/man3/getspnam.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* %{_mandir}/man5/gshadow.5* @@ -184,6 +185,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jul 22 2008 Peter Vrabec 2:4.1.2-2 +- provide getspnam by man-pages + * Mon May 26 2008 Peter Vrabec 2:4.1.2-1 - upgrade From 543cfc5cc28f9bcfb089b575a5c0378e030dab47 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 23 Jul 2008 14:53:58 +0000 Subject: [PATCH 022/151] increase release number --- shadow-utils.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index f6c2b91..62095e8 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 From d763ffe596f7bef8a14539928760e9b1892f10b5 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Thu, 24 Jul 2008 08:30:14 +0000 Subject: [PATCH 023/151] recreate selinux patch --- ...elinux.patch => shadow-4.1.2-selinux.patch | 124 +++++++++--------- shadow-utils.spec | 7 +- 2 files changed, 67 insertions(+), 64 deletions(-) rename shadow-4.1.1-selinux.patch => shadow-4.1.2-selinux.patch (75%) diff --git a/shadow-4.1.1-selinux.patch b/shadow-4.1.2-selinux.patch similarity index 75% rename from shadow-4.1.1-selinux.patch rename to shadow-4.1.2-selinux.patch index b99ea98..caf43b2 100644 --- a/shadow-4.1.1-selinux.patch +++ b/shadow-4.1.2-selinux.patch @@ -1,6 +1,6 @@ -diff -up /dev/null shadow-4.1.1/libmisc/system.c ---- /dev/null 2008-03-19 11:34:26.687502959 +0100 -+++ shadow-4.1.1/libmisc/system.c 2008-04-05 14:55:29.000000000 +0200 +diff -up /dev/null shadow-4.1.2/libmisc/system.c +--- /dev/null 2008-07-15 12:00:55.602698860 +0200 ++++ shadow-4.1.2/libmisc/system.c 2008-07-24 10:14:24.000000000 +0200 @@ -0,0 +1,37 @@ +#include + @@ -39,10 +39,10 @@ diff -up /dev/null shadow-4.1.1/libmisc/system.c + exit (-1); +} + -diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c ---- shadow-4.1.1/libmisc/copydir.c.selinux 2008-01-06 13:02:04.000000000 +0100 -+++ shadow-4.1.1/libmisc/copydir.c 2008-04-05 14:55:29.000000000 +0200 -@@ -82,7 +82,7 @@ static int copy_file (const char *src, c +diff -up shadow-4.1.2/libmisc/copydir.c.selinux shadow-4.1.2/libmisc/copydir.c +--- shadow-4.1.2/libmisc/copydir.c.selinux 2008-05-24 17:35:17.000000000 +0200 ++++ shadow-4.1.2/libmisc/copydir.c 2008-07-24 10:14:24.000000000 +0200 +@@ -85,7 +85,7 @@ static int copy_file (const char *src, c * symlink, directory, ... * */ @@ -51,7 +51,7 @@ diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c { security_context_t scontext = NULL; -@@ -253,6 +253,12 @@ int copy_tree (const char *src_root, con +@@ -256,6 +256,12 @@ int copy_tree (const char *src_root, con src_orig = 0; dst_orig = 0; } 
@@ -64,9 +64,9 @@ diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c return err; } -diff -up shadow-4.1.1/libmisc/Makefile.am.selinux shadow-4.1.1/libmisc/Makefile.am ---- shadow-4.1.1/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100 -+++ shadow-4.1.1/libmisc/Makefile.am 2008-04-05 14:55:29.000000000 +0200 +diff -up shadow-4.1.2/libmisc/Makefile.am.selinux shadow-4.1.2/libmisc/Makefile.am +--- shadow-4.1.2/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100 ++++ shadow-4.1.2/libmisc/Makefile.am 2008-07-24 10:14:24.000000000 +0200 @@ -43,6 +43,7 @@ libmisc_a_SOURCES = \ setugid.c \ setupenv.c \ @@ -75,10 +75,10 @@ diff -up shadow-4.1.1/libmisc/Makefile.am.selinux shadow-4.1.1/libmisc/Makefile. strtoday.c \ sub.c \ sulog.c \ -diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c ---- shadow-4.1.1/src/useradd.c.selinux 2008-04-05 14:55:29.000000000 +0200 -+++ shadow-4.1.1/src/useradd.c 2008-04-05 14:55:29.000000000 +0200 -@@ -101,6 +101,7 @@ static const char *user_comment = ""; +diff -up shadow-4.1.2/src/useradd.c.selinux shadow-4.1.2/src/useradd.c +--- shadow-4.1.2/src/useradd.c.selinux 2008-07-24 10:13:23.000000000 +0200 ++++ shadow-4.1.2/src/useradd.c 2008-07-24 10:14:24.000000000 +0200 +@@ -104,6 +104,7 @@ static const char *user_comment = ""; static const char *user_home = ""; static const char *user_shell = ""; static const char *create_mail_spool = ""; @@ -86,7 +86,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c static long user_expire = -1; static int is_shadow_pwd; -@@ -173,6 +174,7 @@ static int set_defaults (void); +@@ -176,6 +177,7 @@ static int set_defaults (void); static int get_groups (char *); static void usage (void); static void new_pwent (struct passwd *); 
@@ -94,7 +94,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c static long scale_age (long); static void new_spent (struct spwd *); -@@ -373,6 +375,7 @@ static void get_defaults (void) +@@ -376,6 +378,7 @@ static void get_defaults (void) def_create_mail_spool = xstrdup (cp); } } @@ -102,7 +102,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c } /* -@@ -665,6 +668,9 @@ static void usage (void) +@@ -668,6 +671,9 @@ static void usage (void) " -s, --shell SHELL the login shell for the new user account\n" " -u, --uid UID force use the UID for the new user account\n" " -U, --user-group create a group with the same name as the user\n" @@ -112,7 +112,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c "\n"), stderr); exit (E_USAGE); } -@@ -880,12 +886,19 @@ static void process_flags (int argc, cha +@@ -883,12 +889,19 @@ static void process_flags (int argc, cha {"password", required_argument, NULL, 'p'}, {"system", no_argument, NULL, 'r'}, {"shell", required_argument, NULL, 's'}, @@ -132,7 +132,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c long_options, NULL)) != -1) { switch (c) { case 'b': -@@ -1070,6 +1083,17 @@ static void process_flags (int argc, cha +@@ -1073,6 +1086,17 @@ static void process_flags (int argc, cha case 'U': Uflg++; break; @@ -150,7 +150,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c default: usage (); } -@@ -1476,6 +1500,33 @@ static void usr_update (void) +@@ -1479,6 +1503,33 @@ static void usr_update (void) grp_update (); } @@ -184,7 +184,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c /* * create_home - create the user's home directory * -@@ -1485,7 +1536,11 @@ static void usr_update (void) +@@ -1488,7 +1539,11 @@ static void usr_update (void) */ static void create_home (void) { 
@@ -196,7 +196,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c /* XXX - create missing parent directories. --marekm */ if (mkdir (user_home, 0)) { fprintf (stderr, -@@ -1507,6 +1562,10 @@ static void create_home (void) +@@ -1510,6 +1565,10 @@ static void create_home (void) audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding home directory", user_name, user_id, 1); #endif @@ -207,7 +207,7 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c } } -@@ -1760,6 +1819,8 @@ int main (int argc, char **argv) +@@ -1763,6 +1822,8 @@ int main (int argc, char **argv) close_files (); @@ -216,10 +216,10 @@ diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); -diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c ---- shadow-4.1.1/src/usermod.c.selinux 2008-02-24 13:35:13.000000000 +0100 -+++ shadow-4.1.1/src/usermod.c 2008-04-05 14:55:29.000000000 +0200 -@@ -91,6 +91,7 @@ static char *user_newcomment; +diff -up shadow-4.1.2/src/usermod.c.selinux shadow-4.1.2/src/usermod.c +--- shadow-4.1.2/src/usermod.c.selinux 2008-05-24 17:35:17.000000000 +0200 ++++ shadow-4.1.2/src/usermod.c 2008-07-24 10:14:24.000000000 +0200 +@@ -94,6 +94,7 @@ static char *user_newcomment; static char *user_home; static char *user_newhome; static char *user_shell; @@ -227,7 +227,7 @@ diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c static char *user_newshell; static long user_expire; static long user_newexpire; -@@ -138,6 +139,7 @@ static void date_to_str (char *buf, size +@@ -141,6 +142,7 @@ static void date_to_str (char *buf, size static int get_groups (char *); static void usage (void); static void new_pwent (struct passwd *); 
@@ -235,7 +235,7 @@ diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c static void new_spent (struct spwd *); static void fail_exit (int); -@@ -320,6 +322,9 @@ static void usage (void) +@@ -323,6 +325,9 @@ static void usage (void) " -s, --shell SHELL new login shell for the user account\n" " -u, --uid UID new UID for the user account\n" " -U, --unlock unlock the user account\n" @@ -245,7 +245,7 @@ diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c "\n"), stderr); exit (E_USAGE); } -@@ -846,13 +851,20 @@ static void process_flags (int argc, cha +@@ -849,13 +854,20 @@ static void process_flags (int argc, cha {"move-home", no_argument, NULL, 'm'}, {"non-unique", no_argument, NULL, 'o'}, {"password", required_argument, NULL, 'p'}, @@ -267,7 +267,7 @@ diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c long_options, NULL)) != -1) { switch (c) { case 'a': -@@ -953,6 +965,16 @@ static void process_flags (int argc, cha +@@ -956,6 +968,16 @@ static void process_flags (int argc, cha case 'U': Uflg++; break; @@ -284,7 +284,7 @@ diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c default: usage (); } -@@ -1530,6 +1552,8 @@ int main (int argc, char **argv) +@@ -1534,6 +1556,8 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); @@ -293,7 +293,7 @@ diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c if (mflg) move_home (); -@@ -1558,3 +1582,62 @@ int main (int argc, char **argv) +@@ -1562,3 +1586,62 @@ int main (int argc, char **argv) exit (E_SUCCESS); /* NOT REACHED */ } 
@@ -356,10 +356,10 @@ diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c + } +#endif +} -diff -up shadow-4.1.1/src/userdel.c.selinux shadow-4.1.1/src/userdel.c ---- shadow-4.1.1/src/userdel.c.selinux 2008-03-08 21:48:26.000000000 +0100 -+++ shadow-4.1.1/src/userdel.c 2008-04-05 14:55:29.000000000 +0200 -@@ -809,6 +809,17 @@ int main (int argc, char **argv) +diff -up shadow-4.1.2/src/userdel.c.selinux shadow-4.1.2/src/userdel.c +--- shadow-4.1.2/src/userdel.c.selinux 2008-05-24 17:35:17.000000000 +0200 ++++ shadow-4.1.2/src/userdel.c 2008-07-24 10:14:24.000000000 +0200 +@@ -811,6 +811,17 @@ int main (int argc, char **argv) #endif } @@ -377,12 +377,12 @@ diff -up shadow-4.1.1/src/userdel.c.selinux shadow-4.1.1/src/userdel.c /* * Cancel any crontabs or at jobs. Have to do this before we remove * the entry from /etc/passwd. -diff -up shadow-4.1.1/man/useradd.8.selinux shadow-4.1.1/man/useradd.8 ---- shadow-4.1.1/man/useradd.8.selinux 2008-04-05 14:55:29.000000000 +0200 -+++ shadow-4.1.1/man/useradd.8 2008-04-05 15:00:03.000000000 +0200 -@@ -219,6 +219,11 @@ options are not specified) is defined by +diff -up shadow-4.1.2/man/useradd.8.selinux shadow-4.1.2/man/useradd.8 +--- shadow-4.1.2/man/useradd.8.selinux 2008-07-24 10:13:23.000000000 +0200 ++++ shadow-4.1.2/man/useradd.8 2008-07-24 10:20:27.000000000 +0200 +@@ -239,6 +239,11 @@ options are not specified) is defined by variable in - \fIlogin\.defs\fR\. + \fIlogin\&.defs\fR\&. .RE +.PP +\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR 
@@ -392,9 +392,9 @@ diff -up shadow-4.1.1/man/useradd.8.selinux shadow-4.1.1/man/useradd.8 .SS "Changing the default values" .PP When invoked with only the -diff -up shadow-4.1.1/man/usermod.8.xml.selinux shadow-4.1.1/man/usermod.8.xml ---- shadow-4.1.1/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100 -+++ shadow-4.1.1/man/usermod.8.xml 2008-04-05 14:55:29.000000000 +0200 +diff -up shadow-4.1.2/man/usermod.8.xml.selinux shadow-4.1.2/man/usermod.8.xml +--- shadow-4.1.2/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100 ++++ shadow-4.1.2/man/usermod.8.xml 2008-07-24 10:14:24.000000000 +0200 @@ -245,6 +245,19 @@ @@ -415,12 +415,12 @@ diff -up shadow-4.1.1/man/usermod.8.xml.selinux shadow-4.1.1/man/usermod.8.xml -diff -up shadow-4.1.1/man/usermod.8.selinux shadow-4.1.1/man/usermod.8 ---- shadow-4.1.1/man/usermod.8.selinux 2008-04-03 00:43:16.000000000 +0200 -+++ shadow-4.1.1/man/usermod.8 2008-04-05 14:55:29.000000000 +0200 +diff -up shadow-4.1.2/man/usermod.8.selinux shadow-4.1.2/man/usermod.8 +--- shadow-4.1.2/man/usermod.8.selinux 2008-05-25 01:20:28.000000000 +0200 ++++ shadow-4.1.2/man/usermod.8 2008-07-24 10:21:39.000000000 +0200 @@ -133,6 +133,11 @@ Note: if you wish to unlock the account value from - \fI/etc/default/useradd\fR)\. + \fI/etc/default/useradd\fR)\&. .RE +.PP +\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR @@ -430,10 +430,10 @@ diff -up shadow-4.1.1/man/usermod.8.selinux shadow-4.1.1/man/usermod.8 .SH "CAVEATS" .PP -diff -up shadow-4.1.1/man/useradd.8.xml.selinux shadow-4.1.1/man/useradd.8.xml ---- shadow-4.1.1/man/useradd.8.xml.selinux 2008-02-25 22:01:23.000000000 +0100 -+++ shadow-4.1.1/man/useradd.8.xml 2008-04-05 14:55:29.000000000 +0200 -@@ -326,6 +326,19 @@ +diff -up shadow-4.1.2/man/useradd.8.xml.selinux shadow-4.1.2/man/useradd.8.xml +--- shadow-4.1.2/man/useradd.8.xml.selinux 2008-05-20 00:18:17.000000000 +0200 ++++ shadow-4.1.2/man/useradd.8.xml 2008-07-24 10:14:24.000000000 +0200 +@@ -363,6 +363,19 @@ 
@@ -453,9 +453,9 @@ diff -up shadow-4.1.1/man/useradd.8.xml.selinux shadow-4.1.1/man/useradd.8.xml -diff -up shadow-4.1.1/lib/defines.h.selinux shadow-4.1.1/lib/defines.h ---- shadow-4.1.1/lib/defines.h.selinux 2008-02-03 18:52:52.000000000 +0100 -+++ shadow-4.1.1/lib/defines.h 2008-04-05 14:55:29.000000000 +0200 +diff -up shadow-4.1.2/lib/defines.h.selinux shadow-4.1.2/lib/defines.h +--- shadow-4.1.2/lib/defines.h.selinux 2008-05-24 19:35:54.000000000 +0200 ++++ shadow-4.1.2/lib/defines.h 2008-07-24 10:14:24.000000000 +0200 @@ -321,4 +321,7 @@ extern char *strerror (); # define unused #endif @@ -464,10 +464,10 @@ diff -up shadow-4.1.1/lib/defines.h.selinux shadow-4.1.1/lib/defines.h +#include +#endif #endif /* _DEFINES_H_ */ -diff -up shadow-4.1.1/lib/prototypes.h.selinux shadow-4.1.1/lib/prototypes.h ---- shadow-4.1.1/lib/prototypes.h.selinux 2008-03-18 00:01:32.000000000 +0100 -+++ shadow-4.1.1/lib/prototypes.h 2008-04-05 15:03:41.000000000 +0200 -@@ -51,6 +51,10 @@ extern int copy_tree (const char *src_ro +diff -up shadow-4.1.2/lib/prototypes.h.selinux shadow-4.1.2/lib/prototypes.h +--- shadow-4.1.2/lib/prototypes.h.selinux 2008-04-27 02:40:13.000000000 +0200 ++++ shadow-4.1.2/lib/prototypes.h 2008-07-24 10:14:24.000000000 +0200 +@@ -83,6 +83,10 @@ extern int copy_tree (const char *src_ro long int uid, long int gid); extern int remove_tree (const char *root); @@ -478,7 +478,7 @@ diff -up shadow-4.1.1/lib/prototypes.h.selinux shadow-4.1.1/lib/prototypes.h /* encrypt.c */ extern char *pw_encrypt (const char *, const char *); -@@ -194,6 +198,9 @@ extern struct spwd *__spw_dup (const str +@@ -226,6 +230,9 @@ extern struct spwd *__spw_dup (const str /* shell.c */ extern int shell (const char *, const char *, char *const *); diff --git a/shadow-utils.spec b/shadow-utils.spec index 62095e8..36b0310 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -14,7 +14,7 @@ Source2: shadow-4.0.18.1-useradd Patch0: shadow-4.1.2-redhat.patch Patch1: shadow-4.1.2-goodname.patch -Patch2: shadow-4.1.1-selinux.patch +Patch2: shadow-4.1.2-selinux.patch Patch3: shadow-4.1.2-sysAccountDownhill.patch License: BSD @@ -185,6 +185,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 24 2008 Peter Vrabec 2:4.1.2-3 +- recreate selinux patch + * Tue Jul 22 2008 Peter Vrabec 2:4.1.2-2 - provide getspnam by man-pages From edcb9d8b59c79f769716120d9329210dc01f37f8 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 28 Jul 2008 11:45:33 +0000 Subject: [PATCH 024/151] ix configure options (#456748) --- shadow-utils.spec | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 36b0310..a0cdea3 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -56,16 +56,15 @@ autoconf %build %configure \ - --disable-desrpc \ --enable-shadowgrp \ - --without-libcrack \ - --with-libcrypt \ + --with-audit \ + --with-sha-crypt \ %if %{WITH_SELINUX} --with-selinux \ %endif + --without-libcrack \ --without-libpam \ - --disable-shared \ - --with-libaudit + --disable-shared make %install 
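Review bot: `--with-sha-crypt` only compiles in support for the SHA-based password hashes; the algorithm applied to new passwords is selected by ENCRYPT_METHOD in login.defs, and the packaged login.defs (`Source1: shadow-4.0.17-login.defs`) is not changed by this commit, so the effective default presumably stays as it was — worth confirming and, if intended, stating in the changelog. `--disable-desrpc` and `--with-libcrypt` are dropped and `--with-libaudit` becomes `--with-audit` with only `fix configure options (#456748)` as explanation; a one-line comment above `%configure` naming which options 4.1.2's configure no longer accepts would save the next updater a round trip.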
@@ -185,6 +184,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jul 28 2008 Peter Vrabec 2:4.1.2-4 +- fix configure options (#456748) + * Thu Jul 24 2008 Peter Vrabec 2:4.1.2-3 - recreate selinux patch From 87ffe9ce68e0a626129cadf0977ee62d6e31e74a Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 2 Sep 2008 08:46:52 +0000 Subject: [PATCH 025/151] fix groupmems issues (#459825) --- shadow-4.1.2-gmSEGV.patch | 30 ++++++++++++++++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.2-gmSEGV.patch diff --git a/shadow-4.1.2-gmSEGV.patch b/shadow-4.1.2-gmSEGV.patch new file mode 100644 index 0000000..848dddb --- /dev/null +++ b/shadow-4.1.2-gmSEGV.patch @@ -0,0 +1,30 @@ +diff -up shadow-4.1.2/src/groupmems.c.gmSEGV shadow-4.1.2/src/groupmems.c +--- shadow-4.1.2/src/groupmems.c.gmSEGV 2008-04-22 22:05:11.000000000 +0200 ++++ shadow-4.1.2/src/groupmems.c 2008-09-02 08:30:52.000000000 +0200 +@@ -95,7 +95,7 @@ static char *whoami (void) + } + } + +-static void addtogroup (char *user, char **members) ++static char **addtogroup (char *user, char **members) + { + int i; + +@@ -109,6 +109,8 @@ static void addtogroup (char *user, char + members = (char **) realloc (members, sizeof (char *) * (i+2)); + members[i] = user; + members[i + 1] = NULL; ++ ++ return members; + } + + static void rmfromgroup (char *user, char **members) +@@ -285,7 +287,7 @@ int main (int argc, char **argv) + grp = (struct group *) gr_locate (name); + + if (NULL != adduser) { +- addtogroup (adduser, grp->gr_mem); ++ grp->gr_mem = addtogroup (adduser, grp->gr_mem); + gr_update (grp); + } else if (NULL != deluser) { + rmfromgroup (deluser, grp->gr_mem); diff --git a/shadow-utils.spec b/shadow-utils.spec index a0cdea3..a76b6c8 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
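Review bot: The context line `members = (char **) realloc (members, sizeof (char *) * (i+2));` still overwrites the pointer and is never checked, so when the allocation fails `members[i] = user` on the next line dereferences NULL and, with this patch, the caller then stores that NULL into `grp->gr_mem` — the same crash class the patch is fixing, on a different path. Keep the old array until the new one exists: `char **tmp = realloc (members, sizeof (char *) * (i + 2));`, a NULL check that reports the failure the way groupmems handles its other errors, then `members = tmp;`. `rmfromgroup (char *user, char **members)` is still called for its side effects only and its body is not visible here; worth checking it has no comparable size change. The body of addtogroup begins before the second nested hunk and its callers lie outside this one.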
@@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -16,6 +16,7 @@ Patch0: shadow-4.1.2-redhat.patch Patch1: shadow-4.1.2-goodname.patch Patch2: shadow-4.1.2-selinux.patch Patch3: shadow-4.1.2-sysAccountDownhill.patch +Patch4: shadow-4.1.2-gmSEGV.patch License: BSD Group: System Environment/Base @@ -44,6 +45,7 @@ are used for managing group accounts. %patch1 -p1 -b .goodname %patch2 -p1 -b .selinux %patch3 -p1 -b .sysAccountDownhill +%patch4 -p1 -b .gmSEGV rm po/*.gmo @@ -184,6 +186,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Sep 02 2008 Peter Vrabec 2:4.1.2-5 +- fix groupmems issues (#459825) + * Mon Jul 28 2008 Peter Vrabec 2:4.1.2-4 - fix configure options (#456748) From be8c9d1e9239450665baa17cf8ec659dc6150cf7 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 2 Sep 2008 14:12:30 +0000 Subject: [PATCH 026/151] audit improvements, thnx. to sgrubb@redhat.com --- shadow-4.1.2-audit.patch | 447 +++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 453 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.2-audit.patch diff --git a/shadow-4.1.2-audit.patch b/shadow-4.1.2-audit.patch new file mode 100644 index 0000000..89a53bf --- /dev/null +++ b/shadow-4.1.2-audit.patch 
@@ -0,0 +1,447 @@ +diff -urp shadow-4.1.2.orig/src/groupadd.c shadow-4.1.2/src/groupadd.c +--- shadow-4.1.2.orig/src/groupadd.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/groupadd.c 2008-09-02 09:05:14.000000000 -0400 +@@ -205,7 +205,7 @@ static void grp_update (void) + } + #endif /* SHADOWGRP */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding group", group_name, ++ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", group_name, + group_id, 1); + #endif + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", +@@ -269,7 +269,7 @@ static void open_files (void) + if (!gr_lock ()) { + fprintf (stderr, _("%s: unable to lock group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", ++ audit_logger (AUDIT_ADD_GROUP, Prog, "locking group file", + group_name, -1, 0); + #endif + exit (E_GRP_UPDATE); +@@ -277,7 +277,7 @@ static void open_files (void) + if (!gr_open (O_RDWR)) { + fprintf (stderr, _("%s: unable to open group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "opening group file", ++ audit_logger (AUDIT_ADD_GROUP, Prog, "opening group file", + group_name, -1, 0); + #endif + fail_exit (E_GRP_UPDATE); +@@ -310,7 +310,7 @@ static void fail_exit (int code) + + #ifdef WITH_AUDIT + if (code != E_SUCCESS) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding group", ++ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", + group_name, -1, 0); + } + #endif +diff -urp shadow-4.1.2.orig/src/groupdel.c shadow-4.1.2/src/groupdel.c +--- shadow-4.1.2.orig/src/groupdel.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/groupdel.c 2008-09-02 09:04:18.000000000 -0400 +@@ -100,7 +100,7 @@ static void fail_exit (int code) + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", + group_name, -1, 0); + #endif + +@@ -143,7 +143,7 @@ static void grp_update (void) 
+ static void close_files (void) + { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", group_name, ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", group_name, + group_id, 1); + #endif + SYSLOG ((LOG_INFO, "remove group `%s'\n", group_name)); +@@ -316,7 +316,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: group %s does not exist\n"), + Prog, group_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_GROUP, Prog, + "deleting group", + group_name, -1, 0); + #endif +@@ -338,7 +338,7 @@ int main (int argc, char **argv) + Prog, group_name); + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", + group_name, -1, 0); + #endif + if (!yp_get_default_domain (&nis_domain) && +diff -urp shadow-4.1.2.orig/src/useradd.c shadow-4.1.2/src/useradd.c +--- shadow-4.1.2.orig/src/useradd.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/useradd.c 2008-09-02 08:47:31.000000000 -0400 +@@ -216,7 +216,7 @@ static void fail_exit (int code) + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, -1, ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, -1, + 0); + #endif + SYSLOG ((LOG_INFO, "failed adding user `%s', data deleted", user_name)); +@@ -793,7 +793,7 @@ static void grp_update (void) + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding user to group", user_name, -1, 1); + #endif + SYSLOG ((LOG_INFO, "add `%s' to group `%s'", +@@ -844,7 +844,7 @@ static void grp_update (void) + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding user to shadow group", user_name, -1, 1); + #endif + SYSLOG ((LOG_INFO, "add `%s' to shadow group `%s'", +@@ -1162,7 
+1162,7 @@ static void process_flags (int argc, cha + ("%s: invalid user name '%s'\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", + user_name, -1, 0); + #endif + exit (E_BAD_ARG); +@@ -1251,7 +1251,7 @@ static void open_files (void) + if (!pw_lock ()) { + fprintf (stderr, _("%s: unable to lock password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "locking password file", user_name, user_id, 0); + #endif + exit (E_PW_UPDATE); +@@ -1260,7 +1260,7 @@ static void open_files (void) + if (!pw_open (O_RDWR)) { + fprintf (stderr, _("%s: unable to open password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "opening password file", user_name, user_id, 0); + #endif + fail_exit (E_PW_UPDATE); +@@ -1271,7 +1271,7 @@ static void open_files (void) + _("%s: cannot lock shadow password file\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "locking shadow password file", user_name, + user_id, 0); + #endif +@@ -1283,7 +1283,7 @@ static void open_files (void) + _("%s: cannot open shadow password file\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "opening shadow password file", user_name, + user_id, 0); + #endif +@@ -1385,6 +1385,10 @@ static void grp_add (void) + * Write out the new group file entry. + */ + if (!gr_update (&grp)) { ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_GROUP, Prog, ++ "adding group", grp.gr_name, -1, 0); ++#endif + fprintf (stderr, _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); + } +@@ -1393,11 +1397,19 @@ static void grp_add (void) + * Write out the new shadow group entries as well. 
+ */ + if (is_shadow_grp && !sgr_update (&sgrp)) { ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_GROUP, Prog, ++ "adding group", grp.gr_name, -1, 0); ++#endif + fprintf (stderr, _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); + } + #endif /* SHADOWGRP */ + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", ++ grp.gr_name, -1, 1); ++#endif + do_grp_update++; + } + +@@ -1486,13 +1498,13 @@ static void usr_update (void) + ("%s: error adding new shadow password entry\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding shadow password", user_name, user_id, 0); + #endif + fail_exit (E_PW_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, + user_id, 1); + #endif + +@@ -1522,7 +1534,7 @@ static void selinux_update_mapping () { + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding SELinux user mapping", user_name, user_id, 0); + #endif + } +@@ -1551,7 +1563,7 @@ static void create_home (void) + ("%s: cannot create directory %s\n"), + Prog, user_home); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding home directory", user_name, + user_id, 0); + #endif +@@ -1562,7 +1574,7 @@ static void create_home (void) + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); + home_added++; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding home directory", user_name, user_id, 1); + #endif + #ifdef WITH_SELINUX +@@ -1722,7 +1734,7 @@ int main (int argc, char **argv) + if (getpwnam 
(user_name)) { /* local, no need for xgetpwnam */ + fprintf (stderr, _("%s: user %s exists\n"), Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", + user_name, -1, 0); + #endif + fail_exit (E_NAME_IN_USE); +@@ -1741,7 +1753,7 @@ int main (int argc, char **argv) + ("%s: group %s exists - if you want to add this user to that group, use -g.\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_GROUP, Prog, + "adding group", user_name, -1, 0); + #endif + fail_exit (E_NAME_IN_USE); +@@ -1772,7 +1784,7 @@ int main (int argc, char **argv) + if (getpwuid (user_id) != NULL) { + fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, user_id, 0); ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, user_id, 0); + #endif + fail_exit (E_UID_IN_USE); + } +diff -urp shadow-4.1.2.orig/src/userdel.c shadow-4.1.2/src/userdel.c +--- shadow-4.1.2.orig/src/userdel.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/userdel.c 2008-09-02 09:03:20.000000000 -0400 +@@ -170,7 +170,7 @@ static void update_groups (void) + * Update the DBM group file with the new entry as well. 
+ */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user from group", user_name, user_id, + 0); + #endif +@@ -220,8 +220,8 @@ static void update_groups (void) + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "deleting group", user_name, user_id, 0); ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", ++ grp->gr_name, -1, 1); + #endif + SYSLOG ((LOG_INFO, + "removed group `%s' owned by `%s'\n", +@@ -270,7 +270,7 @@ static void update_groups (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user from shadow group", user_name, + user_id, 0); + #endif +@@ -327,7 +327,7 @@ static void fail_exit (int code) + sgr_unlock (); + #endif + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting user", user_name, ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting user", user_name, + user_id, 0); + #endif + exit (code); +@@ -344,7 +344,7 @@ static void open_files (void) + if (!pw_lock ()) { + fprintf (stderr, _("%s: unable to lock password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "locking password file", user_name, user_id, 0); + #endif + exit (E_PW_UPDATE); +@@ -352,7 +352,7 @@ static void open_files (void) + if (!pw_open (O_RDWR)) { + fprintf (stderr, _("%s: unable to open password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "opening password file", user_name, user_id, 0); + #endif + fail_exit (E_PW_UPDATE); +@@ -361,7 +361,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock shadow password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "locking shadow password file", user_name, + user_id, 0); + #endif +@@ 
-371,7 +371,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot open shadow password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "opening shadow password file", user_name, + user_id, 0); + #endif +@@ -380,7 +380,7 @@ static void open_files (void) + if (!gr_lock ()) { + fprintf (stderr, _("%s: unable to lock group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", ++ audit_logger (AUDIT_DEL_USER, Prog, "locking group file", + user_name, user_id, 0); + #endif + fail_exit (E_GRP_UPDATE); +@@ -388,7 +388,7 @@ static void open_files (void) + if (!gr_open (O_RDWR)) { + fprintf (stderr, _("%s: cannot open group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "opening group file", ++ audit_logger (AUDIT_DEL_USER, Prog, "opening group file", + user_name, user_id, 0); + #endif + fail_exit (E_GRP_UPDATE); +@@ -398,7 +398,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: unable to lock shadow group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "locking shadow group file", user_name, user_id, + 0); + #endif +@@ -408,7 +408,7 @@ static void open_files (void) + fprintf (stderr, _("%s: cannot open shadow group file\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "opening shadow group file", user_name, user_id, + 0); + #endif +@@ -436,7 +436,7 @@ static void update_user (void) + fail_exit (E_PW_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting user entries", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting user entries", + user_name, user_id, 1); + #endif + SYSLOG ((LOG_INFO, "delete user `%s'\n", user_name)); +@@ -476,7 +476,7 @@ static void user_busy (const char *name, + _("%s: user %s is currently 
logged in\n"), Prog, name); + if (!fflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user logged in", name, -1, 0); + #endif + exit (E_USER_BUSY); +@@ -577,7 +577,7 @@ static void remove_mailbox (void) + if (fflg) { + unlink (mailfile); /* always remove, ignore errors */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", + user_name, user_id, 1); + #endif + return; +@@ -589,7 +589,7 @@ static void remove_mailbox (void) + ("%s: %s not owned by %s, not removing\n"), + Prog, mailfile, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", + user_name, user_id, 0); + #endif + return; +@@ -601,7 +601,7 @@ static void remove_mailbox (void) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", + user_name, user_id, 1); + } + #endif +@@ -713,7 +713,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: user %s does not exist\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user not found", user_name, -1, 0); + #endif + exit (E_NOTFOUND); +@@ -799,14 +799,14 @@ int main (int argc, char **argv) + _("%s: error removing directory %s\n"), + Prog, user_home); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting home directory", user_name, + user_id, 1); + #endif + errors++; + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting home directory", user_name, user_id, 1); + #endif + } +@@ -838,7 +838,7 @@ int main (int argc, char **argv) + #endif /* USE_PAM */ + #ifdef WITH_AUDIT + 
if (errors) +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting home directory", user_name, -1, 0); + #endif + exit (errors ? E_HOMEDIR : E_SUCCESS); diff --git a/shadow-utils.spec b/shadow-utils.spec index a76b6c8..bb91134 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -17,6 +17,7 @@ Patch1: shadow-4.1.2-goodname.patch Patch2: shadow-4.1.2-selinux.patch Patch3: shadow-4.1.2-sysAccountDownhill.patch Patch4: shadow-4.1.2-gmSEGV.patch +Patch5: shadow-4.1.2-audit.patch License: BSD Group: System Environment/Base @@ -46,6 +47,7 @@ are used for managing group accounts. %patch2 -p1 -b .selinux %patch3 -p1 -b .sysAccountDownhill %patch4 -p1 -b .gmSEGV +%patch5 -p1 -b .audit rm po/*.gmo @@ -186,6 +188,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Sep 02 2008 Peter Vrabec 2:4.1.2-6 +- audit improvements, thnx. to sgrubb@redhat.com + * Thu Sep 02 2008 Peter Vrabec 2:4.1.2-5 - fix groupmems issues (#459825) From 60ae26e9e9a4a47c91b1a623e56ab77de09d6d8c Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 11 Sep 2008 11:47:39 +0000 Subject: [PATCH 027/151] fix usermod SELinux user mappings change (#458766) --- shadow-4.1.1-selinuxUserMappings.patch | 33 ++++++++++++++++++++++++++ shadow-utils.spec | 11 ++++++--- 2 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 shadow-4.1.1-selinuxUserMappings.patch diff --git a/shadow-4.1.1-selinuxUserMappings.patch b/shadow-4.1.1-selinuxUserMappings.patch new file mode 100644 index 0000000..a6f1df6 --- /dev/null +++ b/shadow-4.1.1-selinuxUserMappings.patch 
@@ -0,0 +1,33 @@ +diff -up shadow-4.1.1/src/usermod.c.selinux-user shadow-4.1.1/src/usermod.c +--- shadow-4.1.1/src/usermod.c.selinux-user 2008-09-09 17:28:45.673915250 +0200 ++++ shadow-4.1.1/src/usermod.c 2008-09-09 17:35:39.000000000 +0200 +@@ -116,6 +116,7 @@ static int + oflg = 0, /* permit non-unique user ID to be specified with -u */ + pflg = 0, /* new encrypted password */ + sflg = 0, /* new shell program */ ++ Sflg = 0, /* new selinux user */ + uflg = 0, /* specify new user ID */ + Uflg = 0; /* unlock the password */ + +@@ -967,8 +968,10 @@ static void process_flags (int argc, cha + break; + #ifdef WITH_SELINUX + case 'Z': +- if (is_selinux_enabled() > 0) +- user_selinux = optarg; ++ if (is_selinux_enabled() > 0) { ++ user_selinux = optarg; ++ Sflg++; ++ } + else { + fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog); + exit (E_BAD_ARG); +@@ -1015,7 +1018,7 @@ static void process_flags (int argc, cha + } + + if (Uflg + uflg + sflg + pflg + oflg + mflg + Lflg + lflg + Gflg + +- gflg + fflg + eflg + dflg + cflg == 0) { ++ gflg + fflg + eflg + dflg + cflg + Sflg == 0) { + fprintf (stderr, _("%s: no changes\n"), Prog); + exit (E_SUCCESS); + } diff --git a/shadow-utils.spec b/shadow-utils.spec index bb91134..a15ac42 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -18,6 +18,7 @@ Patch2: shadow-4.1.2-selinux.patch Patch3: shadow-4.1.2-sysAccountDownhill.patch Patch4: shadow-4.1.2-gmSEGV.patch Patch5: shadow-4.1.2-audit.patch +Patch6: shadow-4.1.1-selinuxUserMappings.patch License: BSD Group: System Environment/Base 
@@ -48,6 +49,7 @@ are used for managing group accounts. %patch3 -p1 -b .sysAccountDownhill %patch4 -p1 -b .gmSEGV %patch5 -p1 -b .audit +%patch6 -p1 -b .selinuxUserMappings rm po/*.gmo @@ -188,10 +190,13 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog -* Thu Sep 02 2008 Peter Vrabec 2:4.1.2-6 +* Thu Sep 11 2008 Peter Vrabec 2:4.1.2-7 +- fix usermod SELinux user mappings change (#458766) + +* Tue Sep 02 2008 Peter Vrabec 2:4.1.2-6 - audit improvements, thnx. to sgrubb@redhat.com -* Thu Sep 02 2008 Peter Vrabec 2:4.1.2-5 +* Tue Sep 02 2008 Peter Vrabec 2:4.1.2-5 - fix groupmems issues (#459825) * Mon Jul 28 2008 Peter Vrabec 2:4.1.2-4 From 53b6c2ec17437ec1f6a6f0ec08684525c0dea2f0 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 24 Sep 2008 13:26:18 +0000 Subject: [PATCH 028/151] - groupmems: check username for valid character (#455603) - groupmems: don't segfault on nonexistent group (#456088) --- shadow-4.1.2-checkName.patch | 32 ++++++++++++++++++++++++++++++++ shadow-4.1.2-gmNoGroup.patch | 22 ++++++++++++++++++++++ shadow-utils.spec | 10 +++++++++- 3 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.2-checkName.patch create mode 100644 shadow-4.1.2-gmNoGroup.patch diff --git a/shadow-4.1.2-checkName.patch b/shadow-4.1.2-checkName.patch new file mode 100644 index 0000000..321bdba --- /dev/null +++ b/shadow-4.1.2-checkName.patch 
@@ -0,0 +1,32 @@ +diff -up shadow-4.1.2/src/groupmems.c.checkName shadow-4.1.2/src/groupmems.c +--- shadow-4.1.2/src/groupmems.c.checkName 2008-09-24 11:17:02.000000000 +0200 ++++ shadow-4.1.2/src/groupmems.c 2008-09-24 14:03:01.000000000 +0200 +@@ -43,6 +43,7 @@ + #include + #include "defines.h" + #include "groupio.h" ++#include "chkname.h" + + /* Exit Status Values */ + +@@ -54,6 +55,7 @@ + #define EXIT_NOT_PRIMARY 5 /* not primary owner of group */ + #define EXIT_NOT_MEMBER 6 /* member of group does not exist */ + #define EXIT_MEMBER_EXISTS 7 /* member of group already exists */ ++#define E_BAD_ARG 8 /* invalid argument to option */ + + #define TRUE 1 + #define FALSE 0 +@@ -225,6 +227,12 @@ int main (int argc, char **argv) + usage (); + } + ++ /* check if user names is valid */ ++ if ( adduser && !check_user_name (adduser)) { ++ fprintf (stderr, _("%s is not a valid user name\n"), adduser); ++ exit (E_BAD_ARG); ++ } ++ + if (!isroot () && NULL != thisgroup) { + fputs (_("Only root can add members to different groups\n"), + stderr); diff --git a/shadow-4.1.2-gmNoGroup.patch b/shadow-4.1.2-gmNoGroup.patch new file mode 100644 index 0000000..67e14ea --- /dev/null +++ b/shadow-4.1.2-gmNoGroup.patch 
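Review bot: The comment `/* check if user names is valid */` says what the new check does rather than why it is needed; `/* the name is appended to the group's member list and written back, so reject anything check_user_name would not accept before the file is touched */` states the reason and fixes the grammar. Only `adduser` is filtered here; `thisgroup` (visible in the condition below the insertion) and any other name taken from the command line go through unchanged, so if they end up in the same file operations they presumably need the same treatment — that part of main() is outside the hunk.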
@@ -0,0 +1,22 @@ +diff -up shadow-4.1.2/src/groupmems.c.gmNoGroup shadow-4.1.2/src/groupmems.c +--- shadow-4.1.2/src/groupmems.c.gmNoGroup 2008-09-24 15:00:30.000000000 +0200 ++++ shadow-4.1.2/src/groupmems.c 2008-09-24 15:07:20.000000000 +0200 +@@ -56,6 +56,7 @@ + #define EXIT_NOT_MEMBER 6 /* member of group does not exist */ + #define EXIT_MEMBER_EXISTS 7 /* member of group already exists */ + #define E_BAD_ARG 8 /* invalid argument to option */ ++#define EXIT_NOT_GROUP 8 /* group does not exist */ + + #define TRUE 1 + #define FALSE 0 +@@ -293,6 +294,10 @@ int main (int argc, char **argv) + } + + grp = (struct group *) gr_locate (name); ++ if (NULL == grp) { ++ fputs (_("Specified group does not exist\n"), stderr); ++ exit (EXIT_NOT_GROUP); ++ } + + if (NULL != adduser) { + grp->gr_mem = addtogroup (adduser, grp->gr_mem); diff --git a/shadow-utils.spec b/shadow-utils.spec index a15ac42..9b9129c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -19,6 +19,8 @@ Patch3: shadow-4.1.2-sysAccountDownhill.patch Patch4: shadow-4.1.2-gmSEGV.patch Patch5: shadow-4.1.2-audit.patch Patch6: shadow-4.1.1-selinuxUserMappings.patch +Patch7: shadow-4.1.2-checkName.patch +Patch8: shadow-4.1.2-gmNoGroup.patch License: BSD Group: System Environment/Base @@ -50,6 +52,8 @@ are used for managing group accounts. %patch4 -p1 -b .gmSEGV %patch5 -p1 -b .audit %patch6 -p1 -b .selinuxUserMappings +%patch7 -p1 -b .checkName +%patch8 -p1 -b .gmNoGroup rm po/*.gmo 
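Review bot: `EXIT_NOT_GROUP` is defined as 8, the value the line directly above already assigns to `E_BAD_ARG`, so a caller of groupmems cannot distinguish an invalid user name from a nonexistent group by exit status. Give it the next unused code, e.g. `#define EXIT_NOT_GROUP 9 /* group does not exist */` (constructed value — verify against the other EXIT_* codes in the file). The NULL check after gr_locate() is otherwise the right fix for the reported crash; main() continues outside the hunk.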
@@ -190,6 +194,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Sep 24 2008 Peter Vrabec 2:4.1.2-8 +- groupmems: check username for valid character (#455603) +- groupmems: don't segfault on nonexistent group (#456088) + * Thu Sep 11 2008 Peter Vrabec 2:4.1.2-7 - fix usermod SELinux user mappings change (#458766) From 306f53c11b9bd2eabede31ed596d272dac160ef8 Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Sun, 21 Dec 2008 16:54:46 +0000 Subject: [PATCH 029/151] - Add setup as a Requires. Perhaps this should be a files requires. (#477529) --- shadow-utils.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 9b9129c..48c5caa 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -29,6 +29,7 @@ BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 +Requires: setup Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -194,6 +195,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sun Dec 21 2008 Jesse Keating - 2:4.1.2-9 +- Add setup as a Requires. Perhaps this should be a files requires. (#477529) + * Wed Sep 24 2008 Peter Vrabec 2:4.1.2-8 - groupmems: check username for valid character (#455603) - groupmems: don't segfault on nonexistent group (#456088) From 8e69e8df3818a8387149a752a92ae45b9d8b26a4 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Mon, 5 Jan 2009 12:57:44 +0000 Subject: [PATCH 030/151] Add policycoreutils as Requires, because of restorecon (#478494) --- shadow-utils.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 48c5caa..f0efa77 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -29,7 +29,7 @@ BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 -Requires: setup +Requires: setup policycoreutils Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -195,6 +195,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jan 05 2009 Peter Vrabec 2:4.1.2-10 +- Add policycoreutils as Requires, because of restorecon (#478494) + * Sun Dec 21 2008 Jesse Keating - 2:4.1.2-9 - Add setup as a Requires. Perhaps this should be a files requires. (#477529) From 333b6be1e7b150469955cf2b75b384580e5b0366 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 19 Jan 2009 13:48:19 +0000 Subject: [PATCH 031/151] - fix license tag (#226416) - get rid of tabs in spec file (#226416) - convert HOWTO to UTF8 (#226416) --- shadow-utils.spec | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index f0efa77..173ac99 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -22,7 +22,7 @@ Patch6: shadow-4.1.1-selinuxUserMappings.patch Patch7: shadow-4.1.2-checkName.patch Patch8: shadow-4.1.2-gmNoGroup.patch -License: BSD +License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: autoconf, automake, libtool, gettext-devel BuildRequires: libselinux-devel >= 1.25.2-1 @@ -56,6 +56,8 @@ are used for managing group accounts. %patch7 -p1 -b .checkName %patch8 -p1 -b .gmNoGroup +iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 +cp -f doc/HOWTO.utf8 doc/HOWTO rm po/*.gmo rm po/stamp-po @@ -67,16 +69,16 @@ autoconf %build %configure \ - --enable-shadowgrp \ - --with-audit \ - --with-sha-crypt \ + --enable-shadowgrp \ + --with-audit \ + --with-sha-crypt \ %if %{WITH_SELINUX} - --with-selinux \ + --with-selinux \ %endif - --without-libcrack \ - --without-libpam \ - --disable-shared -make + --without-libcrack \ + --without-libpam \ + --disable-shared +make %install rm -rf $RPM_BUILD_ROOT @@ -90,7 +92,7 @@ ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser #ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do - test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 + test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 done # Remove binaries we don't use. 
@@ -154,8 +156,8 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root) %doc NEWS doc/HOWTO README %dir %{_sysconfdir}/default -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/default/useradd +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %{_bindir}/sg %{_bindir}/chage %{_bindir}/faillog @@ -163,8 +165,8 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/lastlog %{_bindir}/newgrp %{_sbindir}/adduser -%attr(0750,root,root) %{_sbindir}/user* -%attr(0750,root,root) %{_sbindir}/group* +%attr(0750,root,root) %{_sbindir}/user* +%attr(0750,root,root) %{_sbindir}/group* %{_sbindir}/grpck %{_sbindir}/pwck %{_sbindir}/*conv @@ -195,6 +197,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jan 19 2009 Peter Vrabec 2:4.1.2-11 +- fix license tag (#226416) +- get rid of tabs in spec file (#226416) +- convert HOWTO to UTF8 (#226416) + * Mon Jan 05 2009 Peter Vrabec 2:4.1.2-10 - Add policycoreutils as Requires, because of restorecon (#478494) From e72eda630fa02a8724a55445e50d8e4c8f8f7b73 Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Thu, 26 Feb 2009 00:46:27 +0000 Subject: [PATCH 032/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 173ac99..f2bed82 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 11%{?dist} +Release: 12%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
@@ -197,6 +197,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 25 2009 Fedora Release Engineering - 2:4.1.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + * Mon Jan 19 2009 Peter Vrabec 2:4.1.2-11 - fix license tag (#226416) - get rid of tabs in spec file (#226416) From eab8b438609b86d0d65c19b71b1d3e69ed09cbb4 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 24 Mar 2009 16:09:09 +0000 Subject: [PATCH 033/151] increase release number --- shadow-4.1.2-uid.patch | 532 +++++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 538 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.2-uid.patch diff --git a/shadow-4.1.2-uid.patch b/shadow-4.1.2-uid.patch new file mode 100644 index 0000000..96b04e3 --- /dev/null +++ b/shadow-4.1.2-uid.patch 
@@ -0,0 +1,532 @@ +diff -up /dev/null shadow-4.1.2/lib/get_gid.c +--- /dev/null 2009-03-16 11:03:38.574001227 +0100 ++++ shadow-4.1.2/lib/get_gid.c 2009-03-23 18:45:59.000000000 +0100 +@@ -0,0 +1,54 @@ ++/* ++ * Copyright (c) 2009 , Nicolas François ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the copyright holders or contributors may not be used to ++ * endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A ++ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++#include ++ ++#ident "$Id$" ++ ++#include "prototypes.h" ++#include "defines.h" ++ ++int get_gid (const char *gidstr, gid_t *gid) ++{ ++ long long int val; ++ char *endptr; ++ ++ errno = 0; ++ val = strtoll (gidstr, &endptr, 10); ++ if ( ('\0' == gidstr) ++ || ('\0' != *endptr) ++ || (ERANGE == errno) ++ || (val != (gid_t)val)) { ++ return 0; ++ } ++ ++ *gid = (gid_t)val; ++ return 1; ++} ++ +diff -up /dev/null shadow-4.1.2/lib/get_uid.c +--- /dev/null 2009-03-16 11:03:38.574001227 +0100 ++++ shadow-4.1.2/lib/get_uid.c 2009-03-23 18:45:59.000000000 +0100 +@@ -0,0 +1,55 @@ ++/* ++ * Copyright (c) 2009 , Nicolas François ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the copyright holders or contributors may not be used to ++ * endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A ++ * PARTICULAR PURPOSE ARE DISCLAIMED. 
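Review bot: `'\0' == gidstr` in get_gid compares the pointer with NULL instead of testing for an empty string, so `""` is not rejected: strtoll returns 0 with endptr at the terminator, errno stays 0 and the function reports success with `*gid = 0`. The line should read `('\0' == *gidstr)`; the same defect is in get_uid.c in the next hunk (`'\0' == uidstr`), where an empty string yields UID 0. The callers added later in this patch only reject `(gid_t)-1` / `(uid_t)-1` on top of this, and groupadd and groupmod pass optarg straight in, so an empty `-g` would be accepted as GID 0 there (newusers' get_user_id checks isdigit() first; useradd's `-u` handling is cut off below). A why-comment on the range test would also help: `/* reject negative values and values that do not fit in gid_t */`.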
IN NO EVENT SHALL THE COPYRIGHT ++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include ++ ++#ident "$Id$" ++ ++#include "prototypes.h" ++#include "defines.h" ++ ++int get_uid (const char *uidstr, uid_t *uid) ++{ ++ long long int val; ++ char *endptr; ++ ++ errno = 0; ++ val = strtoll (uidstr, &endptr, 10); ++ if ( ('\0' == uidstr) ++ || ('\0' != *endptr) ++ || (ERANGE == errno) ++ || (val != (uid_t)val)) { ++ return 0; ++ } ++ ++ *uid = (uid_t)val; ++ return 1; ++} ++ ++ +diff -up shadow-4.1.2/lib/Makefile.am.uid shadow-4.1.2/lib/Makefile.am +--- shadow-4.1.2/lib/Makefile.am.uid 2008-01-06 14:57:28.000000000 +0100 ++++ shadow-4.1.2/lib/Makefile.am 2009-03-23 18:45:59.000000000 +0100 +@@ -17,6 +17,8 @@ libshadow_la_SOURCES = \ + fputsx.c \ + getdef.c \ + getdef.h \ ++ get_gid.c \ ++ get_uid.c \ + groupio.c \ + groupmem.c \ + groupio.h \ +diff -up shadow-4.1.2/lib/prototypes.h.uid shadow-4.1.2/lib/prototypes.h +--- shadow-4.1.2/lib/prototypes.h.uid 2009-03-23 18:45:59.000000000 +0100 ++++ shadow-4.1.2/lib/prototypes.h 2009-03-23 18:45:59.000000000 +0100 +@@ -110,6 +110,12 @@ extern int find_new_gid (int sys_group, + /* getlong.c */ + extern int getlong(const char *numstr, long int *result); + ++/* get_gid.c */ ++extern int get_gid (const char *gidstr, gid_t *gid); ++ ++/* get_uid.c */ ++extern int get_uid (const char *uidstr, uid_t *uid); ++ + /* fputsx.c */ + extern char *fgetsx (char *, int, FILE *); + extern int fputsx (const char *, FILE *); +diff -up shadow-4.1.2/src/groupadd.c.uid 
shadow-4.1.2/src/groupadd.c +--- shadow-4.1.2/src/groupadd.c.uid 2009-03-23 18:45:59.000000000 +0100 ++++ shadow-4.1.2/src/groupadd.c 2009-03-23 18:45:59.000000000 +0100 +@@ -98,7 +98,6 @@ static void check_new_name (void); + static void close_files (void); + static void open_files (void); + static void fail_exit (int code); +-static gid_t get_gid (const char *gidstr); + static void process_flags (int argc, char **argv); + static void check_flags (void); + static void check_perms (void); +@@ -326,22 +325,6 @@ static void fail_exit (int code) + exit (code); + } + +-/* +- * get_id - validate and get group ID +- */ +-static gid_t get_gid (const char *gidstr) +-{ +- long val; +- char *errptr; +- +- val = strtol (gidstr, &errptr, 10); +- if (('\0' != *errptr) || (errno == ERANGE) || (val < 0)) { +- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), +- Prog, gidstr); +- exit (E_BAD_ARG); +- } +- return val; +-} + + /* + * process_flags - parse the command line options +@@ -383,7 +366,13 @@ static void process_flags (int argc, cha + break; + case 'g': + gflg++; +- group_id = get_gid (optarg); ++ if ( (get_gid (optarg, &group_id) == 0) ++ || (group_id == (gid_t)-1)) { ++ fprintf (stderr, ++ _("%s: invalid group ID '%s'\n"), ++ Prog, optarg); ++ exit (E_BAD_ARG); ++ } + break; + case 'h': + usage (); +diff -up shadow-4.1.2/src/groupmod.c.uid shadow-4.1.2/src/groupmod.c +--- shadow-4.1.2/src/groupmod.c.uid 2008-04-27 02:40:13.000000000 +0200 ++++ shadow-4.1.2/src/groupmod.c 2009-03-23 18:45:59.000000000 +0100 +@@ -100,7 +100,6 @@ static void check_new_name (void); + static void process_flags (int, char **); + static void close_files (void); + static void open_files (void); +-static gid_t get_gid (const char *gidstr); + static void update_primary_groups (gid_t ogid, gid_t ngid); + + /* +@@ -361,23 +360,6 @@ static void check_new_name (void) + } + + /* +- * get_id - validate and get group ID +- */ +-static gid_t get_gid (const char *gidstr) +-{ +- long val; +- char 
*errptr; +- +- val = strtol (gidstr, &errptr, 10); +- if (*errptr || errno == ERANGE || val < 0) { +- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, +- gidstr); +- fail_exit (E_BAD_ARG); +- } +- return val; +-} +- +-/* + * process_flags - perform command line argument setting + * + * process_flags() interprets the command line arguments and sets the +@@ -404,7 +386,13 @@ static void process_flags (int argc, cha + switch (c) { + case 'g': + gflg++; +- group_newid = get_gid (optarg); ++ if ( (get_gid (optarg, &group_newid) == 0) ++ || (group_newid == (gid_t)-1)) { ++ fprintf (stderr, ++ _("%s: invalid group ID '%s'\n"), ++ Prog, optarg); ++ exit (E_BAD_ARG); ++ } + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, + Prog, "modifying group", +diff -up shadow-4.1.2/src/newusers.c.uid shadow-4.1.2/src/newusers.c +--- shadow-4.1.2/src/newusers.c.uid 2008-04-27 02:40:13.000000000 +0200 ++++ shadow-4.1.2/src/newusers.c 2009-03-23 18:45:59.000000000 +0100 +@@ -90,7 +90,7 @@ static pam_handle_t *pamh = NULL; + static void usage (void); + static void fail_exit (int); + static int add_group (const char *, const char *, gid_t *, gid_t); +-static int get_uid (const char *, uid_t *); ++static int get_user_id (const char *, uid_t *); + static int add_user (const char *, uid_t, gid_t); + static void update_passwd (struct passwd *, const char *); + static int add_passwd (struct passwd *, const char *); +@@ -178,22 +178,26 @@ static int add_group (const char *name, + * The GID is a number, which means either this is a brand + * new group, or an existing group. 
+ */ +- char *endptr; +- long int i = strtoul (gid, &endptr, 10); +- if ((*endptr != '\0') && (errno != ERANGE)) { ++ if (get_gid (gid, &grent.gr_gid) == 0) { + fprintf (stderr, +- _("%s: group ID `%s' is not valid\n"), ++ _("%s: invalid group ID '%s'\n"), + Prog, gid); + return -1; + } +- if ( (getgrgid (i) != NULL) +- || (gr_locate_gid (i) != NULL)) { ++ if ( (getgrgid ((gid_t) grent.gr_gid) != NULL) ++ || (gr_locate_gid ((gid_t) grent.gr_gid) != NULL)) { + /* The user will use this ID for her + * primary group */ +- *ngid = i; ++ *ngid = (gid_t) grent.gr_gid; + return 0; + } +- grent.gr_gid = i; ++ /* Do not create groups with GID == (gid_t)-1 */ ++ if (grent.gr_gid == (gid_t)-1) { ++ fprintf (stderr, ++ _("%s: invalid group ID '%s'\n"), ++ Prog, gid); ++ return -1; ++ } + } else { + /* The gid parameter can be "" or a name which is not + * already the name of an existing group. +@@ -267,7 +271,7 @@ static int add_group (const char *name, + return 0; + } + +-static int get_uid (const char *uid, uid_t *nuid) { ++static int get_user_id (const char *uid, uid_t *nuid) { + const struct passwd *pwd = NULL; + + /* +@@ -275,15 +279,11 @@ static int get_uid (const char *uid, uid + * caller provided, or the next available UID. 
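Review bot: In add_group the `(gid_t)-1` rejection is placed after the getgrgid()/gr_locate_gid() lookups, so the sentinel is first used as a lookup key and the early-return path for an existing group never reaches the check. Moving `if (grent.gr_gid == (gid_t)-1) { ... return -1; }` directly after the successful get_gid call keeps the invalid ID out of both lookups and makes the code match its comment `Do not create groups with GID == (gid_t)-1`. Whether this branch is entered only for numeric strings depends on the condition above the hunk, which is outside it.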
+ */ + if (isdigit (uid[0])) { +- char *endptr; +- long int i = strtoul (uid, &endptr, 10); +- if ((*endptr != '\0') && (errno != ERANGE)) { +- fprintf (stderr, +- _("%s: user ID `%s' is not valid\n"), ++ if ((get_uid (uid, nuid) == 0) || (*nuid == (uid_t)-1)) { ++ fprintf (stderr, _("%s: invalid user ID '%s'\n"), + Prog, uid); + return -1; + } +- *nuid = i; + } else { + if ('\0' != uid[0]) { + /* local, no need for xgetpwnam */ +@@ -740,7 +740,7 @@ int main (int argc, char **argv) + } + + if ( (NULL == pw) +- && (get_uid (fields[2], &uid) != 0)) { ++ && (get_user_id (fields[2], &uid) != 0)) { + fprintf (stderr, + _("%s: line %d: can't create user\n"), + Prog, line); +diff -up shadow-4.1.2/src/useradd.c.uid shadow-4.1.2/src/useradd.c +--- shadow-4.1.2/src/useradd.c.uid 2009-03-23 18:45:59.000000000 +0100 ++++ shadow-4.1.2/src/useradd.c 2009-03-23 18:45:59.000000000 +0100 +@@ -170,7 +170,6 @@ static int home_added; + static void fail_exit (int); + static struct group *getgr_nam_gid (const char *); + static long get_number (const char *); +-static uid_t get_uid (const char *); + static void get_defaults (void); + static void show_defaults (void); + static int set_defaults (void); +@@ -225,39 +224,30 @@ static void fail_exit (int code) + + static struct group *getgr_nam_gid (const char *grname) + { +- long gid; +- char *errptr; +- +- gid = strtol (grname, &errptr, 10); +- if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && gid >= 0) ++ long long int gid; ++ char *endptr; ++ ++ errno = 0; ++ gid = strtoll (grname, &endptr, 10); ++ if ( ('\0' != *grname) ++ && ('\0' == *endptr) ++ && (ERANGE != errno) ++ && (gid == (gid_t)gid)) { + return xgetgrgid (gid); ++ } + return xgetgrnam (grname); + } + + static long get_number (const char *numstr) + { + long val; +- char *errptr; ++ char *endptr; + +- val = strtol (numstr, &errptr, 10); +- if (*errptr || errno == ERANGE) { +- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, +- numstr); +- exit 
(E_BAD_ARG); +- } +- return val; +-} +- +-static uid_t get_uid (const char *uidstr) +-{ +- long val; +- char *errptr; +- +- val = strtol (uidstr, &errptr, 10); +- if (*errptr || errno == ERANGE || val < 0) { +- fprintf (stderr, +- _("%s: invalid numeric argument '%s'\n"), Prog, +- uidstr); ++ errno = 0; ++ val = strtol (numstr, &endptr, 10); ++ if (('\0' == *numstr) || ('\0' != *endptr) || (ERANGE == errno)) { ++ fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), ++ Prog, numstr); + exit (E_BAD_ARG); + } + return val; +@@ -302,26 +292,13 @@ static void get_defaults (void) + * Primary GROUP identifier + */ + if (MATCH (buf, DGROUP)) { +- unsigned int val = (unsigned int) strtoul (cp, &ep, 10); +- const struct group *grp; +- +- if (*cp != '\0' && *ep == '\0') { /* valid number */ +- def_group = val; +- /* local, no need for xgetgrgid */ +- if ((grp = getgrgid (def_group))) { +- def_gname = xstrdup (grp->gr_name); +- } else { +- fprintf (stderr, +- _("%s: unknown GID %s\n"), +- Prog, cp); +- } +- /* local, no need for xgetgrnam */ +- } else if ((grp = getgrnam (cp))) { +- def_group = grp->gr_gid; +- def_gname = xstrdup (cp); ++ const struct group *grp = getgr_nam_gid (cp); ++ if (NULL == grp) { ++ fprintf (stderr, _("%s: unknown GID %s\n"), ++ Prog, cp); + } else { +- fprintf (stderr, +- _("%s: unknown group %s\n"), Prog, cp); ++ def_group = grp->gr_gid; ++ def_gname = xstrdup (grp->gr_name); + } + } + +@@ -343,12 +320,17 @@ static void get_defaults (void) + * Default Password Inactive value + */ + else if (MATCH (buf, INACT)) { ++ errno = 0; + long val = strtol (cp, &ep, 10); + +- if (*cp || errno == ERANGE) ++ if ( ('\0' != *cp) ++ && ('\0' == *ep) ++ && (ERANGE != errno) ++ && (val >= 0)) { + def_inactive = val; +- else ++ } else { + def_inactive = -1; ++ } + } + + /* +@@ -1080,7 +1062,13 @@ static void process_flags (int argc, cha + sflg++; + break; + case 'u': +- user_id = get_uid (optarg); ++ if ( (get_uid (optarg, &user_id) == 0) ++ || (user_id == 
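Review bot: The new range test `(gid == (gid_t)gid)` in useradd.c getgr_nam_gid is the only thing stopping a negative or out-of-range number from being silently narrowed on its way into `xgetgrgid`, yet it carries no comment; the identical test in usermod.c's getgr_nam_gid further down has the same gap. Suggested: `/* treat the string as a GID only if it round-trips through gid_t; otherwise fall back to a name lookup */`. Note the test still accepts 4294967295, i.e. `(gid_t)-1`, which this commit rejects for the numeric `-u`/`-g` arguments; if relying on the subsequent lookup to fail is intentional, the comment should say so.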
(gid_t)-1)) { ++ fprintf (stderr, ++ _("%s: invalid user ID '%s'\n"), ++ Prog, optarg); ++ exit (E_BAD_ARG); ++ } + uflg++; + break; + case 'U': +diff -up shadow-4.1.2/src/usermod.c.uid shadow-4.1.2/src/usermod.c +--- shadow-4.1.2/src/usermod.c.uid 2009-03-23 18:45:59.000000000 +0100 ++++ shadow-4.1.2/src/usermod.c 2009-03-23 18:48:36.000000000 +0100 +@@ -155,7 +155,6 @@ static void update_gshadow (void); + static void grp_update (void); + + static long get_number (const char *); +-static uid_t get_id (const char *); + static void process_flags (int, char **); + static void close_files (void); + static void open_files (void); +@@ -193,12 +192,17 @@ static void date_to_str (char *buf, size + */ + static struct group *getgr_nam_gid (const char *grname) + { +- long val; +- char *errptr; +- +- val = strtol (grname, &errptr, 10); +- if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && val >= 0) ++ long long int val; ++ char *endptr; ++ ++ errno = 0; ++ val = strtoll (grname, &endptr, 10); ++ if ( ('\0' != *grname) ++ && ('\0' == *endptr) ++ && (ERANGE != errno) ++ && (val == (gid_t)val)) { + return xgetgrgid (val); ++ } + return xgetgrnam (grname); + } + +@@ -752,20 +756,6 @@ static long get_number (const char *nums + return val; + } + +-static uid_t get_id (const char *uidstr) +-{ +- long val; +- char *errptr; +- +- val = strtol (uidstr, &errptr, 10); +- if (*errptr || errno == ERANGE || val < 0) { +- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, +- uidstr); +- exit (E_BAD_ARG); +- } +- return val; +-} +- + /* + * process_flags - perform command line argument setting + * +@@ -963,7 +953,13 @@ static void process_flags (int argc, cha + sflg++; + break; + case 'u': +- user_newid = get_id (optarg); ++ if ( (get_uid (optarg, &user_newid) ==0) ++ || (user_newid == (uid_t)-1)) { ++ fprintf (stderr, ++ _("%s: invalid user ID '%s'\n"), ++ Prog, optarg); ++ exit (E_BAD_ARG); ++ } + uflg++; + break; + case 'U': 
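Review bot: In useradd.c's `case 'u'` the sentinel is written as `(gid_t)-1` although `user_id` is a uid_t, while the usermod.c hunk on this same line compares `user_newid == (uid_t)-1`; the types are the same width on common platforms so this is not a functional bug there, but it reads as a copy-paste slip and should be `|| (user_id == (uid_t)-1)) {`. Both sites would also benefit from a one-line why-comment, e.g. `/* (uid_t)-1 is the "leave unchanged" value for chown()/setreuid(); it is never a valid account ID */`, since nothing in the hunk explains why that one value is special. In the usermod.c condition, `==0` would read better as `== 0` to match the surrounding style.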
diff --git a/shadow-utils.spec b/shadow-utils.spec index f2bed82..cc3fa54 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 12%{?dist} +Release: 13%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -21,6 +21,7 @@ Patch5: shadow-4.1.2-audit.patch Patch6: shadow-4.1.1-selinuxUserMappings.patch Patch7: shadow-4.1.2-checkName.patch Patch8: shadow-4.1.2-gmNoGroup.patch +Patch9: shadow-4.1.2-uid.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -55,6 +56,7 @@ are used for managing group accounts. %patch6 -p1 -b .selinuxUserMappings %patch7 -p1 -b .checkName %patch8 -p1 -b .gmNoGroup +%patch9 -p1 -b .uid iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -197,6 +199,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Mar 24 2009 Peter Vrabec 2:4.1.2-13 +- do not allow UID/GID = 4294967295 (#484040,#133664) + * Wed Feb 25 2009 Fedora Release Engineering - 2:4.1.2-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild From ea53f7cab29dd53ca984299cbf99d10e42d49aae Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Tue, 14 Apr 2009 10:19:14 +0000 Subject: [PATCH 034/151] upgrade --- .cvsignore | 3 +- shadow-4.0.17-login.defs | 58 --- shadow-4.1.1-selinuxUserMappings.patch | 33 -- shadow-4.1.2-audit.patch | 447 --------------------- shadow-4.1.2-checkName.patch | 32 -- shadow-4.1.2-gmNoGroup.patch | 22 - shadow-4.1.2-gmSEGV.patch | 30 -- shadow-4.1.2-goodname.patch | 93 ----- shadow-4.1.2-redhat.patch | 269 ------------- shadow-4.1.2-selinux.patch | 490 ----------------------- shadow-4.1.2-sysAccountDownhill.patch | 99 ----- shadow-4.1.2-uid.patch | 532 ------------------------- shadow-4.1.3-goodname.patch | 68 ++++ shadow-4.1.3-redhat.patch | 55 +++ shadow-utils.spec | 57 +-- sources | 3 +- 16 files changed, 141 insertions(+), 2150 deletions(-) delete mode 100644 shadow-4.0.17-login.defs delete mode 100644 shadow-4.1.1-selinuxUserMappings.patch delete mode 100644 shadow-4.1.2-audit.patch delete mode 100644 shadow-4.1.2-checkName.patch delete mode 100644 shadow-4.1.2-gmNoGroup.patch delete mode 100644 shadow-4.1.2-gmSEGV.patch delete mode 100644 shadow-4.1.2-goodname.patch delete mode 100644 shadow-4.1.2-redhat.patch delete mode 100644 shadow-4.1.2-selinux.patch delete mode 100644 shadow-4.1.2-sysAccountDownhill.patch delete mode 100644 shadow-4.1.2-uid.patch create mode 100644 shadow-4.1.3-goodname.patch create mode 100644 shadow-4.1.3-redhat.patch diff --git a/.cvsignore b/.cvsignore index 1aa7c2d..5e650b5 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,4 +1,3 @@ shadow-4.0.17-login.defs shadow-4.0.18.1-useradd -shadow-4.1.1.tar.bz2 -shadow-4.1.2.tar.bz2 +shadow-4.1.3.tar.bz2 diff --git a/shadow-4.0.17-login.defs b/shadow-4.0.17-login.defs deleted file mode 100644 index 18733bf..0000000 --- a/shadow-4.0.17-login.defs +++ /dev/null 
@@ -1,58 +0,0 @@ -# *REQUIRED* -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define both, MAIL_DIR takes precedence. -# QMAIL_DIR is for Qmail -# -#QMAIL_DIR Maildir -MAIL_DIR /var/spool/mail -#MAIL_FILE .mail - -# Password aging controls: -# -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_MIN_LEN Minimum acceptable password length. -# PASS_WARN_AGE Number of days warning given before a password expires. -# -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_MIN_LEN 5 -PASS_WARN_AGE 7 - -# -# Min/max values for automatic uid selection in useradd -# -UID_MIN 500 -UID_MAX 60000 - -# -# Min/max values for automatic gid selection in groupadd -# -GID_MIN 500 -GID_MAX 60000 - -# -# If defined, this command is run when removing a user. -# It should remove any at/cron/print jobs etc. owned by -# the user to be removed (passed as the first argument). -# -#USERDEL_CMD /usr/sbin/userdel_local - -# -# If useradd should create home directories for users by default -# On RH systems, we do. This option is overridden with the -m flag on -# useradd command line. -# -CREATE_HOME yes - -# The permission mask is initialized to this value. If not specified, -# the permission mask will be initialized to 022. -UMASK 077 - -# This enables userdel to remove user groups if no members exist. -# -USERGROUPS_ENAB yes - -# Use MD5 or DES to encrypt password? Red Hat use MD5 by default. -MD5_CRYPT_ENAB yes - diff --git a/shadow-4.1.1-selinuxUserMappings.patch b/shadow-4.1.1-selinuxUserMappings.patch deleted file mode 100644 index a6f1df6..0000000 --- a/shadow-4.1.1-selinuxUserMappings.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -diff -up shadow-4.1.1/src/usermod.c.selinux-user shadow-4.1.1/src/usermod.c ---- shadow-4.1.1/src/usermod.c.selinux-user 2008-09-09 17:28:45.673915250 +0200 -+++ shadow-4.1.1/src/usermod.c 2008-09-09 17:35:39.000000000 +0200 -@@ -116,6 +116,7 @@ static int - oflg = 0, /* permit non-unique user ID to be specified with -u */ - pflg = 0, /* new encrypted password */ - sflg = 0, /* new shell program */ -+ Sflg = 0, /* new selinux user */ - uflg = 0, /* specify new user ID */ - Uflg = 0; /* unlock the password */ - -@@ -967,8 +968,10 @@ static void process_flags (int argc, cha - break; - #ifdef WITH_SELINUX - case 'Z': -- if (is_selinux_enabled() > 0) -- user_selinux = optarg; -+ if (is_selinux_enabled() > 0) { -+ user_selinux = optarg; -+ Sflg++; -+ } - else { - fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog); - exit (E_BAD_ARG); -@@ -1015,7 +1018,7 @@ static void process_flags (int argc, cha - } - - if (Uflg + uflg + sflg + pflg + oflg + mflg + Lflg + lflg + Gflg + -- gflg + fflg + eflg + dflg + cflg == 0) { -+ gflg + fflg + eflg + dflg + cflg + Sflg == 0) { - fprintf (stderr, _("%s: no changes\n"), Prog); - exit (E_SUCCESS); - } diff --git a/shadow-4.1.2-audit.patch b/shadow-4.1.2-audit.patch deleted file mode 100644 index 89a53bf..0000000 --- a/shadow-4.1.2-audit.patch +++ /dev/null 
@@ -1,447 +0,0 @@ -diff -urp shadow-4.1.2.orig/src/groupadd.c shadow-4.1.2/src/groupadd.c ---- shadow-4.1.2.orig/src/groupadd.c 2008-09-02 08:31:11.000000000 -0400 -+++ shadow-4.1.2/src/groupadd.c 2008-09-02 09:05:14.000000000 -0400 -@@ -205,7 +205,7 @@ static void grp_update (void) - } - #endif /* SHADOWGRP */ - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding group", group_name, -+ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", group_name, - group_id, 1); - #endif - SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", -@@ -269,7 +269,7 @@ static void open_files (void) - if (!gr_lock ()) { - fprintf (stderr, _("%s: unable to lock group file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", -+ audit_logger (AUDIT_ADD_GROUP, Prog, "locking group file", - group_name, -1, 0); - #endif - exit (E_GRP_UPDATE); -@@ -277,7 +277,7 @@ static void open_files (void) - if (!gr_open (O_RDWR)) { - fprintf (stderr, _("%s: unable to open group file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "opening group file", -+ audit_logger (AUDIT_ADD_GROUP, Prog, "opening group file", - group_name, -1, 0); - #endif - fail_exit (E_GRP_UPDATE); -@@ -310,7 +310,7 @@ static void fail_exit (int code) - - #ifdef WITH_AUDIT - if (code != E_SUCCESS) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding group", -+ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", - group_name, -1, 0); - } - #endif -diff -urp shadow-4.1.2.orig/src/groupdel.c shadow-4.1.2/src/groupdel.c ---- shadow-4.1.2.orig/src/groupdel.c 2008-09-02 08:31:11.000000000 -0400 -+++ shadow-4.1.2/src/groupdel.c 2008-09-02 09:04:18.000000000 -0400 -@@ -100,7 +100,7 @@ static void fail_exit (int code) - #endif - - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", -+ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", - group_name, -1, 0); - #endif - -@@ -143,7 +143,7 @@ static void grp_update (void) 
- static void close_files (void) - { - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", group_name, -+ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", group_name, - group_id, 1); - #endif - SYSLOG ((LOG_INFO, "remove group `%s'\n", group_name)); -@@ -316,7 +316,7 @@ int main (int argc, char **argv) - fprintf (stderr, _("%s: group %s does not exist\n"), - Prog, group_name); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_GROUP, Prog, - "deleting group", - group_name, -1, 0); - #endif -@@ -338,7 +338,7 @@ int main (int argc, char **argv) - Prog, group_name); - - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", -+ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", - group_name, -1, 0); - #endif - if (!yp_get_default_domain (&nis_domain) && -diff -urp shadow-4.1.2.orig/src/useradd.c shadow-4.1.2/src/useradd.c ---- shadow-4.1.2.orig/src/useradd.c 2008-09-02 08:31:11.000000000 -0400 -+++ shadow-4.1.2/src/useradd.c 2008-09-02 08:47:31.000000000 -0400 -@@ -216,7 +216,7 @@ static void fail_exit (int code) - #endif - - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, -1, -+ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, -1, - 0); - #endif - SYSLOG ((LOG_INFO, "failed adding user `%s', data deleted", user_name)); -@@ -793,7 +793,7 @@ static void grp_update (void) - fail_exit (E_GRP_UPDATE); - } - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "adding user to group", user_name, -1, 1); - #endif - SYSLOG ((LOG_INFO, "add `%s' to group `%s'", -@@ -844,7 +844,7 @@ static void grp_update (void) - fail_exit (E_GRP_UPDATE); - } - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "adding user to shadow group", user_name, -1, 1); - #endif - SYSLOG ((LOG_INFO, "add `%s' to shadow group `%s'", -@@ -1162,7 
+1162,7 @@ static void process_flags (int argc, cha - ("%s: invalid user name '%s'\n"), - Prog, user_name); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", -+ audit_logger (AUDIT_ADD_USER, Prog, "adding user", - user_name, -1, 0); - #endif - exit (E_BAD_ARG); -@@ -1251,7 +1251,7 @@ static void open_files (void) - if (!pw_lock ()) { - fprintf (stderr, _("%s: unable to lock password file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "locking password file", user_name, user_id, 0); - #endif - exit (E_PW_UPDATE); -@@ -1260,7 +1260,7 @@ static void open_files (void) - if (!pw_open (O_RDWR)) { - fprintf (stderr, _("%s: unable to open password file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "opening password file", user_name, user_id, 0); - #endif - fail_exit (E_PW_UPDATE); -@@ -1271,7 +1271,7 @@ static void open_files (void) - _("%s: cannot lock shadow password file\n"), - Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "locking shadow password file", user_name, - user_id, 0); - #endif -@@ -1283,7 +1283,7 @@ static void open_files (void) - _("%s: cannot open shadow password file\n"), - Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "opening shadow password file", user_name, - user_id, 0); - #endif -@@ -1385,6 +1385,10 @@ static void grp_add (void) - * Write out the new group file entry. - */ - if (!gr_update (&grp)) { -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_GROUP, Prog, -+ "adding group", grp.gr_name, -1, 0); -+#endif - fprintf (stderr, _("%s: error adding new group entry\n"), Prog); - fail_exit (E_GRP_UPDATE); - } -@@ -1393,11 +1397,19 @@ static void grp_add (void) - * Write out the new shadow group entries as well. 
- */ - if (is_shadow_grp && !sgr_update (&sgrp)) { -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_GROUP, Prog, -+ "adding group", grp.gr_name, -1, 0); -+#endif - fprintf (stderr, _("%s: error adding new group entry\n"), Prog); - fail_exit (E_GRP_UPDATE); - } - #endif /* SHADOWGRP */ - SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", -+ grp.gr_name, -1, 1); -+#endif - do_grp_update++; - } - -@@ -1486,13 +1498,13 @@ static void usr_update (void) - ("%s: error adding new shadow password entry\n"), - Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "adding shadow password", user_name, user_id, 0); - #endif - fail_exit (E_PW_UPDATE); - } - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, -+ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, - user_id, 1); - #endif - -@@ -1522,7 +1534,7 @@ static void selinux_update_mapping () { - _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), - Prog, user_name, user_selinux); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "adding SELinux user mapping", user_name, user_id, 0); - #endif - } -@@ -1551,7 +1563,7 @@ static void create_home (void) - ("%s: cannot create directory %s\n"), - Prog, user_home); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", user_name, - user_id, 0); - #endif -@@ -1562,7 +1574,7 @@ static void create_home (void) - 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); - home_added++; - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", user_name, user_id, 1); - #endif - #ifdef WITH_SELINUX -@@ -1722,7 +1734,7 @@ int main (int argc, char **argv) - if (getpwnam 
(user_name)) { /* local, no need for xgetpwnam */ - fprintf (stderr, _("%s: user %s exists\n"), Prog, user_name); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", -+ audit_logger (AUDIT_ADD_USER, Prog, "adding user", - user_name, -1, 0); - #endif - fail_exit (E_NAME_IN_USE); -@@ -1741,7 +1753,7 @@ int main (int argc, char **argv) - ("%s: group %s exists - if you want to add this user to that group, use -g.\n"), - Prog, user_name); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_ADD_GROUP, Prog, - "adding group", user_name, -1, 0); - #endif - fail_exit (E_NAME_IN_USE); -@@ -1772,7 +1784,7 @@ int main (int argc, char **argv) - if (getpwuid (user_id) != NULL) { - fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, user_id, 0); -+ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, user_id, 0); - #endif - fail_exit (E_UID_IN_USE); - } -diff -urp shadow-4.1.2.orig/src/userdel.c shadow-4.1.2/src/userdel.c ---- shadow-4.1.2.orig/src/userdel.c 2008-09-02 08:31:11.000000000 -0400 -+++ shadow-4.1.2/src/userdel.c 2008-09-02 09:03:20.000000000 -0400 -@@ -170,7 +170,7 @@ static void update_groups (void) - * Update the DBM group file with the new entry as well. 
- */ - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "deleting user from group", user_name, user_id, - 0); - #endif -@@ -220,8 +220,8 @@ static void update_groups (void) - #endif - - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "deleting group", user_name, user_id, 0); -+ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", -+ grp->gr_name, -1, 1); - #endif - SYSLOG ((LOG_INFO, - "removed group `%s' owned by `%s'\n", -@@ -270,7 +270,7 @@ static void update_groups (void) - exit (E_GRP_UPDATE); - } - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "deleting user from shadow group", user_name, - user_id, 0); - #endif -@@ -327,7 +327,7 @@ static void fail_exit (int code) - sgr_unlock (); - #endif - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting user", user_name, -+ audit_logger (AUDIT_DEL_USER, Prog, "deleting user", user_name, - user_id, 0); - #endif - exit (code); -@@ -344,7 +344,7 @@ static void open_files (void) - if (!pw_lock ()) { - fprintf (stderr, _("%s: unable to lock password file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "locking password file", user_name, user_id, 0); - #endif - exit (E_PW_UPDATE); -@@ -352,7 +352,7 @@ static void open_files (void) - if (!pw_open (O_RDWR)) { - fprintf (stderr, _("%s: unable to open password file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "opening password file", user_name, user_id, 0); - #endif - fail_exit (E_PW_UPDATE); -@@ -361,7 +361,7 @@ static void open_files (void) - fprintf (stderr, - _("%s: cannot lock shadow password file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "locking shadow password file", user_name, - user_id, 0); - #endif -@@ 
-371,7 +371,7 @@ static void open_files (void) - fprintf (stderr, - _("%s: cannot open shadow password file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "opening shadow password file", user_name, - user_id, 0); - #endif -@@ -380,7 +380,7 @@ static void open_files (void) - if (!gr_lock ()) { - fprintf (stderr, _("%s: unable to lock group file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", -+ audit_logger (AUDIT_DEL_USER, Prog, "locking group file", - user_name, user_id, 0); - #endif - fail_exit (E_GRP_UPDATE); -@@ -388,7 +388,7 @@ static void open_files (void) - if (!gr_open (O_RDWR)) { - fprintf (stderr, _("%s: cannot open group file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "opening group file", -+ audit_logger (AUDIT_DEL_USER, Prog, "opening group file", - user_name, user_id, 0); - #endif - fail_exit (E_GRP_UPDATE); -@@ -398,7 +398,7 @@ static void open_files (void) - fprintf (stderr, - _("%s: unable to lock shadow group file\n"), Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "locking shadow group file", user_name, user_id, - 0); - #endif -@@ -408,7 +408,7 @@ static void open_files (void) - fprintf (stderr, _("%s: cannot open shadow group file\n"), - Prog); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "opening shadow group file", user_name, user_id, - 0); - #endif -@@ -436,7 +436,7 @@ static void update_user (void) - fail_exit (E_PW_UPDATE); - } - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting user entries", -+ audit_logger (AUDIT_DEL_USER, Prog, "deleting user entries", - user_name, user_id, 1); - #endif - SYSLOG ((LOG_INFO, "delete user `%s'\n", user_name)); -@@ -476,7 +476,7 @@ static void user_busy (const char *name, - _("%s: user %s is currently 
logged in\n"), Prog, name); - if (!fflg) { - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "deleting user logged in", name, -1, 0); - #endif - exit (E_USER_BUSY); -@@ -577,7 +577,7 @@ static void remove_mailbox (void) - if (fflg) { - unlink (mailfile); /* always remove, ignore errors */ - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", -+ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", - user_name, user_id, 1); - #endif - return; -@@ -589,7 +589,7 @@ static void remove_mailbox (void) - ("%s: %s not owned by %s, not removing\n"), - Prog, mailfile, user_name); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", -+ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", - user_name, user_id, 0); - #endif - return; -@@ -601,7 +601,7 @@ static void remove_mailbox (void) - } - #ifdef WITH_AUDIT - else { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", -+ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", - user_name, user_id, 1); - } - #endif -@@ -713,7 +713,7 @@ int main (int argc, char **argv) - fprintf (stderr, _("%s: user %s does not exist\n"), - Prog, user_name); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "deleting user not found", user_name, -1, 0); - #endif - exit (E_NOTFOUND); -@@ -799,14 +799,14 @@ int main (int argc, char **argv) - _("%s: error removing directory %s\n"), - Prog, user_home); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "deleting home directory", user_name, - user_id, 1); - #endif - errors++; - } - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "deleting home directory", user_name, user_id, 1); - #endif - } -@@ -838,7 +838,7 @@ int main (int argc, char **argv) - #endif /* USE_PAM */ - #ifdef WITH_AUDIT - 
if (errors) -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ audit_logger (AUDIT_DEL_USER, Prog, - "deleting home directory", user_name, -1, 0); - #endif - exit (errors ? E_HOMEDIR : E_SUCCESS); diff --git a/shadow-4.1.2-checkName.patch b/shadow-4.1.2-checkName.patch deleted file mode 100644 index 321bdba..0000000 --- a/shadow-4.1.2-checkName.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff -up shadow-4.1.2/src/groupmems.c.checkName shadow-4.1.2/src/groupmems.c ---- shadow-4.1.2/src/groupmems.c.checkName 2008-09-24 11:17:02.000000000 +0200 -+++ shadow-4.1.2/src/groupmems.c 2008-09-24 14:03:01.000000000 +0200 -@@ -43,6 +43,7 @@ - #include - #include "defines.h" - #include "groupio.h" -+#include "chkname.h" - - /* Exit Status Values */ - -@@ -54,6 +55,7 @@ - #define EXIT_NOT_PRIMARY 5 /* not primary owner of group */ - #define EXIT_NOT_MEMBER 6 /* member of group does not exist */ - #define EXIT_MEMBER_EXISTS 7 /* member of group already exists */ -+#define E_BAD_ARG 8 /* invalid argument to option */ - - #define TRUE 1 - #define FALSE 0 -@@ -225,6 +227,12 @@ int main (int argc, char **argv) - usage (); - } - -+ /* check if user names is valid */ -+ if ( adduser && !check_user_name (adduser)) { -+ fprintf (stderr, _("%s is not a valid user name\n"), adduser); -+ exit (E_BAD_ARG); -+ } -+ - if (!isroot () && NULL != thisgroup) { - fputs (_("Only root can add members to different groups\n"), - stderr); diff --git a/shadow-4.1.2-gmNoGroup.patch b/shadow-4.1.2-gmNoGroup.patch deleted file mode 100644 index 67e14ea..0000000 --- a/shadow-4.1.2-gmNoGroup.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -up shadow-4.1.2/src/groupmems.c.gmNoGroup shadow-4.1.2/src/groupmems.c ---- shadow-4.1.2/src/groupmems.c.gmNoGroup 2008-09-24 15:00:30.000000000 +0200 -+++ shadow-4.1.2/src/groupmems.c 2008-09-24 15:07:20.000000000 +0200 -@@ -56,6 +56,7 @@ - #define EXIT_NOT_MEMBER 6 /* member of group does not exist */ - #define EXIT_MEMBER_EXISTS 7 /* member of group already exists */ - #define E_BAD_ARG 8 /* invalid argument to option */ -+#define EXIT_NOT_GROUP 8 /* group does not exist */ - - #define TRUE 1 - #define FALSE 0 -@@ -293,6 +294,10 @@ int main (int argc, char **argv) - } - - grp = (struct group *) gr_locate (name); -+ if (NULL == grp) { -+ fputs (_("Specified group does not exist\n"), stderr); -+ exit (EXIT_NOT_GROUP); -+ } - - if (NULL != adduser) { - grp->gr_mem = addtogroup (adduser, grp->gr_mem); diff --git a/shadow-4.1.2-gmSEGV.patch b/shadow-4.1.2-gmSEGV.patch deleted file mode 100644 index 848dddb..0000000 --- a/shadow-4.1.2-gmSEGV.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff -up shadow-4.1.2/src/groupmems.c.gmSEGV shadow-4.1.2/src/groupmems.c ---- shadow-4.1.2/src/groupmems.c.gmSEGV 2008-04-22 22:05:11.000000000 +0200 -+++ shadow-4.1.2/src/groupmems.c 2008-09-02 08:30:52.000000000 +0200 -@@ -95,7 +95,7 @@ static char *whoami (void) - } - } - --static void addtogroup (char *user, char **members) -+static char **addtogroup (char *user, char **members) - { - int i; - -@@ -109,6 +109,8 @@ static void addtogroup (char *user, char - members = (char **) realloc (members, sizeof (char *) * (i+2)); - members[i] = user; - members[i + 1] = NULL; -+ -+ return members; - } - - static void rmfromgroup (char *user, char **members) -@@ -285,7 +287,7 @@ int main (int argc, char **argv) - grp = (struct group *) gr_locate (name); - - if (NULL != adduser) { -- addtogroup (adduser, grp->gr_mem); -+ grp->gr_mem = addtogroup (adduser, grp->gr_mem); - gr_update (grp); - } else if (NULL != deluser) { - rmfromgroup (deluser, grp->gr_mem); 
diff --git a/shadow-4.1.2-goodname.patch b/shadow-4.1.2-goodname.patch deleted file mode 100644 index 273ad2b..0000000 --- a/shadow-4.1.2-goodname.patch +++ /dev/null 
@@ -1,93 +0,0 @@
-diff -up shadow-4.1.2/libmisc/chkname.c.goodname shadow-4.1.2/libmisc/chkname.c
---- shadow-4.1.2/libmisc/chkname.c.goodname 2008-04-27 02:40:13.000000000 +0200
-+++ shadow-4.1.2/libmisc/chkname.c 2008-05-26 14:37:09.000000000 +0200
-@@ -50,16 +50,24 @@
- static int good_name (const char *name)
- {
- /*
-- * User/group names must match [a-z_][a-z0-9_-]*[$]
-- */
-- if (!*name || !((*name >= 'a' && *name <= 'z') || *name == '_'))
-+ * User/group names must match gnu e-regex:
-+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
-+ *
-+ * as a non-POSIX, extension, allow "$" as the last char for
-+ * sake of Samba 3.x "add machine script"
-+ */
-+ if (!*name || !((*name >= 'a' && *name <= 'z')
-+ || (*name >= 'A' && *name <= 'Z')
-+ || (*name >= '0' && *name <= '9')
-+ || *name == '_' || *name == '.'))
- return 0;
- 
- while (*++name) {
-- if (!((*name >= 'a' && *name <= 'z') ||
-- (*name >= '0' && *name <= '9') ||
-- *name == '_' || *name == '-' ||
-- (*name == '$' && *(name + 1) == '\0')))
-+ if (!( (*name >= 'a' && *name <= 'z')
-+ || (*name >= 'A' && *name <= 'Z')
-+ || (*name >= '0' && *name <= '9')
-+ || *name == '_' || *name == '.' || *name == '-'
-+ || (*name == '$' && *(name + 1) == '\0')))
- return 0;
- }
- 
-@@ -75,10 +83,9 @@ int check_user_name (const char *name)
- #endif
- 
- /*
-- * User names are limited by whatever utmp can
-- * handle (usually max 8 characters).
-+ * User names are limited by whatever utmp can handle.
- */
-- if (strlen (name) > sizeof (ut.ut_user))
-+ if (strlen(name) + 1 > sizeof(ut.ut_user))
- return 0;
- 
- return good_name (name);
-@@ -86,11 +93,13 @@ int check_user_name (const char *name)
- 
- int check_group_name (const char *name)
- {
-- /*
-- * Arbitrary limit for group names - max 16
-- * characters (same as on HP-UX 10).
-- */
-- if (strlen (name) > 16)
-+#if HAVE_UTMPX_H
-+ struct utmpx ut;
-+#else
-+ struct utmp ut;
-+#endif
-+
-+ if (strlen(name) + 1 > sizeof(ut.ut_user))
- return 0;
- 
- return good_name (name);
-diff -up shadow-4.1.2/man/groupadd.8.goodname shadow-4.1.2/man/groupadd.8
---- shadow-4.1.2/man/groupadd.8.goodname 2008-05-26 14:37:09.000000000 +0200
-+++ shadow-4.1.2/man/groupadd.8 2008-05-26 14:40:51.000000000 +0200
-@@ -150,9 +150,7 @@ Shadow password suite configuration\&.
- .RE
- .SH "CAVEATS"
- .PP
--Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]
--.PP
--Groupnames may only be up to 16 characters long\&.
-+Groupnames may only be up to 32 characters long\&.
- .PP
- You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&.
- .PP
-diff -up shadow-4.1.2/man/useradd.8.goodname shadow-4.1.2/man/useradd.8
---- shadow-4.1.2/man/useradd.8.goodname 2008-05-26 14:37:09.000000000 +0200
-+++ shadow-4.1.2/man/useradd.8 2008-05-26 14:41:48.000000000 +0200
-@@ -293,8 +293,6 @@ You may not add a user to a NIS or LDAP
- Similarly, if the username already exists in an external user database such as NIS or LDAP,
- \fBuseradd\fR
- will deny the user account creation request\&.
--.PP
--Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]
- .SH "CONFIGURATION"
- .PP
- The following configuration variables in
diff --git a/shadow-4.1.2-redhat.patch b/shadow-4.1.2-redhat.patch
deleted file mode 100644
index 75c84a8..0000000
--- a/shadow-4.1.2-redhat.patch
+++ /dev/null
@@ -1,269 +0,0 @@ -diff -up shadow-4.1.2/libmisc/find_new_ids.c.redhat shadow-4.1.2/libmisc/find_new_ids.c ---- shadow-4.1.2/libmisc/find_new_ids.c.redhat 2008-04-22 00:00:19.000000000 +0200 -+++ shadow-4.1.2/libmisc/find_new_ids.c 2008-05-26 14:18:43.000000000 +0200 -@@ -56,11 +56,11 @@ int find_new_uid (int sys_user, uid_t *u - assert (uid != NULL); - - if (sys_user == 0) { -- uid_min = getdef_unum ("UID_MIN", 1000); -+ uid_min = getdef_unum ("UID_MIN", 500); - uid_max = getdef_unum ("UID_MAX", 60000); - } else { - uid_min = getdef_unum ("SYS_UID_MIN", 1); -- uid_max = getdef_unum ("UID_MIN", 1000) - 1; -+ uid_max = getdef_unum ("UID_MIN", 500) - 1; - uid_max = getdef_unum ("SYS_UID_MAX", uid_max); - } - -@@ -139,11 +139,11 @@ int find_new_gid (int sys_group, gid_t * - assert (gid != NULL); - - if (sys_group == 0) { -- gid_min = getdef_unum ("GID_MIN", 1000); -+ gid_min = getdef_unum ("GID_MIN", 500); - gid_max = getdef_unum ("GID_MAX", 60000); - } else { - gid_min = getdef_unum ("SYS_GID_MIN", 1); -- gid_max = getdef_unum ("GID_MIN", 1000) - 1; -+ gid_max = getdef_unum ("GID_MIN", 500) - 1; - gid_max = getdef_unum ("SYS_GID_MAX", gid_max); - } - -diff -up shadow-4.1.2/src/useradd.c.redhat shadow-4.1.2/src/useradd.c ---- shadow-4.1.2/src/useradd.c.redhat 2008-05-19 22:31:52.000000000 +0200 -+++ shadow-4.1.2/src/useradd.c 2008-05-26 14:18:43.000000000 +0200 -@@ -85,7 +85,7 @@ - static gid_t def_group = 100; - static const char *def_gname = "other"; - static const char *def_home = "/home"; --static const char *def_shell = ""; -+static const char *def_shell = "/sbin/nologin"; - static const char *def_template = SKEL_DIR; - static const char *def_create_mail_spool = "no"; - -@@ -97,7 +97,7 @@ static char def_file[] = USER_DEFAULTS_F - #define VALID(s) (strcspn (s, ":\n") == strlen (s)) - - static const char *user_name = ""; --static const char *user_pass = "!"; -+static const char *user_pass = "!!"; - static uid_t user_id; - static gid_t user_gid; - static const char 
*user_comment = ""; -@@ -133,6 +133,7 @@ static int - kflg = 0, /* specify a directory to fill new user directory */ - lflg = 0, /* do not add user to lastlog database file */ - mflg = 0, /* create user's home directory if it doesn't exist */ -+ Mflg = 0, /* do NOT create user's home directory no matter what */ - Nflg = 0, /* do not create a group having the same name as the user, but add the user to def_group (or the group specified with -g) */ - oflg = 0, /* permit non-unique user ID to be specified with -u */ - rflg = 0, /* create a system account */ -@@ -656,6 +657,7 @@ static void usage (void) - " faillog databases\n" - " -m, --create-home create home directory for the new user\n" - " account\n" -+ " -M, do not create user's home directory(overrides /etc/login.defs)\n" - " -N, --no-user-group do not create a group with the same name as\n" - " the user\n" - " -o, --non-unique allow create user with duplicate\n" -@@ -886,7 +888,7 @@ static void process_flags (int argc, cha - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1026,6 +1028,10 @@ static void process_flags (int argc, cha - case 'm': - mflg++; - break; -+ case 'M': -+ Mflg++; -+ break; -+ case 'n': - case 'N': - Nflg++; - break; -@@ -1079,6 +1085,9 @@ static void process_flags (int argc, cha - Uflg = getdef_bool ("USERGROUPS_ENAB"); - } - -+ if (mflg && Mflg) /* the admin is not decided .. create or not ? */ -+ usage(); -+ - /* - * Certain options are only valid in combination with others. - * Check it here so that they can be specified in any order. 
-@@ -1628,6 +1637,14 @@ int main (int argc, char **argv) - } - #endif /* USE_PAM */ - -+ if (!rflg) /* for system accounts defaults are ignored and we -+ * do not create a home dir -- gafton */ -+ if (getdef_bool("CREATE_HOME")) -+ mflg = 1; -+ -+ if (Mflg) /* absolutely sure that we do not create home dirs */ -+ mflg = 0; -+ - /* - * See if we are messing with the defaults file, or creating - * a new user. -@@ -1727,27 +1744,22 @@ int main (int argc, char **argv) - ("%s: warning: the home directory already exists.\n" - "Not copying any file from skel directory into it.\n"), - Prog); -- -- } else if (getdef_str ("CREATE_HOME")) { -- /* -- * RedHat added the CREATE_HOME option in login.defs in their -- * version of shadow-utils (which makes -m the default, with -- * new -M option to turn it off). Unfortunately, this -- * changes the way useradd works (it can be run by scripts -- * expecting some standard behaviour), compared to other -- * Unices and other Linux distributions, and also adds a lot -- * of confusion :-(. -- * So we now recognize CREATE_HOME and give a warning here -- * (better than "configuration error ... notify administrator" -- * errors in every program that reads /etc/login.defs). -MM -- */ -- fprintf (stderr, -- _ -- ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"), -- Prog); - } -- -- create_mail (); -+ /* Warning removed to protect the innocent. */ -+ /* -+ * The whole idea about breaking some stupid scripts by creating a new -+ * variable is crap - I could care less about the scripts. Historically -+ * adduser type programs have always created the home directories and -+ * I don't like the idea of providing a script when we can fix the -+ * binary itself. And if the scripts are using the right options to the -+ * useradd then they will not break. 
If not, they depend on unspecified -+ * behavior and they will break, but they were broken anyway to begin -+ * with --gafton -+ */ -+ -+ /* Do not create mail directory for system accounts */ -+ if( !rflg ) -+ create_mail (); - - close_files (); - -diff -up shadow-4.1.2/man/useradd.8.redhat shadow-4.1.2/man/useradd.8 ---- shadow-4.1.2/man/useradd.8.redhat 2008-05-25 01:20:26.000000000 +0200 -+++ shadow-4.1.2/man/useradd.8 2008-05-26 14:26:14.000000000 +0200 -@@ -27,7 +27,7 @@ option, the - \fBuseradd\fR - command creates a new user account using the values specified on the command line plus the default values from the system\&. Depending on command line options, the - \fBuseradd\fR --command will update system files and may also create the new user\'s home directory and copy initial files\&. -+command will update system files and may also create the new user\'s home directory and copy initial files\&. The version provided with Red Hat Linux will create a group for each user added to the system by default\&. - .SH "OPTIONS" - .PP - The options which apply to the -@@ -84,8 +84,7 @@ The number of days after a password expi - .PP - \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR - .RS 4 --The group name or number of the user\'s initial login group\&. The group name must exist\&. A group number must refer to an already existing group\&. The default group number is 1 or whatever is specified in --\fI/etc/default/useradd\fR\&. -+The group name or number of the user\'s initial login group\&. The group name must exist\&. A group number must refer to an already existing group\&. - .RE - .PP - \fB\-G\fR, \fB\-\-groups\fR \fIGROUP1\fR[\fI,GROUP2,\&.\&.\&.\fR[\fI,GROUPN\fR]]] -@@ -143,6 +142,13 @@ Do not add the user to the lastlog and f - By default, the user\'s entries in the lastlog and faillog databases are resetted to avoid reusing the entry from a previously deleted user\&. 
- .RE - .PP -+\fB-M\fR -+.RS 4 -+The user\'s home directory will not be created, even if the system wide settings from -+\fI/etc/login.defs\fR -+is to create home dirs\. -+.RE -+.PP - \fB\-m\fR, \fB\-\-create\-home\fR - .RS 4 - Create the user\'s home directory if it does not exist\&. The files and directories contained in the skeleton directory (which can be defined with the -@@ -195,6 +201,19 @@ range, defined in - counterparts for the creation of groups)\&. - .RE - .PP -+\fB-r\fR -+.RS 4 -+This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in -+\fI/etc/login.defs\fR -+and whose password does not expire\. Note that -+\fBuseradd\fR -+will not create a home directory for such an user, regardless of the default setting in -+\fI/etc/login.defs\fR\. -+You have to specify -+\fB-m\fR -+option if you want a home directory for a system account to be created\. This is an option added by Red Hat\. -+.RE -+.PP - \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR - .RS 4 - The name of the user\'s login shell\&. The default is to leave this field blank, which causes the system to select the default login shell\&. -@@ -265,6 +284,8 @@ The name of a new user\'s login shell\&. - The system administrator is responsible for placing the default user files in the - \fI/etc/skel/\fR - directory\&. -+.br -+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\&. - .SH "CAVEATS" - .PP - You may not add a user to a NIS or LDAP group\&. This must be performed on the corresponding server\&. -@@ -407,6 +428,11 @@ Group account information\&. - Secure group account information\&. - .RE - .PP -+\fI/etc/gshadow\fR -+.RS 4 -+Secure group account information\. -+.RE -+.PP - \fI/etc/default/useradd\fR - .RS 4 - Default values for account creation\&. 
-diff -up shadow-4.1.2/man/groupadd.8.redhat shadow-4.1.2/man/groupadd.8 ---- shadow-4.1.2/man/groupadd.8.redhat 2008-05-25 01:20:05.000000000 +0200 -+++ shadow-4.1.2/man/groupadd.8 2008-05-26 14:35:49.000000000 +0200 -@@ -14,7 +14,7 @@ - groupadd \- create a new group - .SH "SYNOPSIS" - .HP 9 --\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR -+\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR - .SH "DESCRIPTION" - .PP - The -@@ -34,11 +34,22 @@ This option causes the command to simply - is turned off)\&. - .RE - .PP -+\fB-r\fR -+.RS 4 -+This flag instructs -+\fBgroupadd\fR -+to add a system account\. The first available -+\fIgid\fR -+lower than 500 will be automatically selected unless the -+\fB-g\fR -+option is also given on the command line\. This is an option added by Red Hat\. -+.RE -+.PP - \fB\-g\fR, \fB\-\-gid\fR \fIGID\fR - .RS 4 - The numerical value of the group\'s ID\&. This value must be unique, unless the - \fB\-o\fR --option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than 999 and greater than every other group\&. Values between 0 and 999 are typically reserved for system accounts\&. -+option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than 499 and greater than every other group\&. Values between 0 and 500 are typically reserved for system accounts\&. - .RE - .PP - \fB\-h\fR, \fB\-\-help\fR diff --git a/shadow-4.1.2-selinux.patch b/shadow-4.1.2-selinux.patch deleted file mode 100644 index caf43b2..0000000 --- a/shadow-4.1.2-selinux.patch +++ /dev/null 
@@ -1,490 +0,0 @@ -diff -up /dev/null shadow-4.1.2/libmisc/system.c ---- /dev/null 2008-07-15 12:00:55.602698860 +0200 -+++ shadow-4.1.2/libmisc/system.c 2008-07-24 10:14:24.000000000 +0200 -@@ -0,0 +1,37 @@ -+#include -+ -+#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $" -+ -+#include -+#include -+#include -+#include "prototypes.h" -+#include "defines.h" -+ -+int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr) -+{ -+ int status = -1; -+ int fd; -+ pid_t pid; -+ -+ pid = fork(); -+ if (pid < 0) -+ return -1; -+ -+ if (pid) { /* Parent */ -+ waitpid(pid, &status, 0); -+ return status; -+ } -+ -+ fd = open("/dev/null", O_RDWR); -+ /* Child */ -+ dup2(fd,0); // Close Stdin -+ if (ignore_stderr) -+ dup2(fd,2); // Close Stderr -+ -+ execve(command, (char *const *) argv, (char *const *) env); -+ fprintf (stderr, -+ _("Failed to exec '%s'\n"), argv[0]); -+ exit (-1); -+} -+ -diff -up shadow-4.1.2/libmisc/copydir.c.selinux shadow-4.1.2/libmisc/copydir.c ---- shadow-4.1.2/libmisc/copydir.c.selinux 2008-05-24 17:35:17.000000000 +0200 -+++ shadow-4.1.2/libmisc/copydir.c 2008-07-24 10:14:24.000000000 +0200 -@@ -85,7 +85,7 @@ static int copy_file (const char *src, c - * symlink, directory, ... 
- * - */ --static int selinux_file_context (const char *dst_name) -+int selinux_file_context (const char *dst_name) - { - security_context_t scontext = NULL; - -@@ -256,6 +256,12 @@ int copy_tree (const char *src_root, con - src_orig = 0; - dst_orig = 0; - } -+ -+#ifdef WITH_SELINUX -+ /* Reset SELinux to create files with default contexts */ -+ setfscreatecon (NULL); -+#endif -+ - return err; - } - -diff -up shadow-4.1.2/libmisc/Makefile.am.selinux shadow-4.1.2/libmisc/Makefile.am ---- shadow-4.1.2/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100 -+++ shadow-4.1.2/libmisc/Makefile.am 2008-07-24 10:14:24.000000000 +0200 -@@ -43,6 +43,7 @@ libmisc_a_SOURCES = \ - setugid.c \ - setupenv.c \ - shell.c \ -+ system.c \ - strtoday.c \ - sub.c \ - sulog.c \ -diff -up shadow-4.1.2/src/useradd.c.selinux shadow-4.1.2/src/useradd.c ---- shadow-4.1.2/src/useradd.c.selinux 2008-07-24 10:13:23.000000000 +0200 -+++ shadow-4.1.2/src/useradd.c 2008-07-24 10:14:24.000000000 +0200 -@@ -104,6 +104,7 @@ static const char *user_comment = ""; - static const char *user_home = ""; - static const char *user_shell = ""; - static const char *create_mail_spool = ""; -+static const char *user_selinux = ""; - - static long user_expire = -1; - static int is_shadow_pwd; -@@ -176,6 +177,7 @@ static int set_defaults (void); - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static long scale_age (long); - static void new_spent (struct spwd *); -@@ -376,6 +378,7 @@ static void get_defaults (void) - def_create_mail_spool = xstrdup (cp); - } - } -+ fclose(fp); - } - - /* -@@ -668,6 +671,9 @@ static void usage (void) - " -s, --shell SHELL the login shell for the new user account\n" - " -u, --uid UID force use the UID for the new user account\n" - " -U, --user-group create a group with the same name as the user\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user SEUSER use a specific SEUSER 
for the SELinux user mapping\n" -+#endif - "\n"), stderr); - exit (E_USAGE); - } -@@ -883,12 +889,19 @@ static void process_flags (int argc, cha - {"password", required_argument, NULL, 'p'}, - {"system", no_argument, NULL, 'r'}, - {"shell", required_argument, NULL, 's'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"uid", required_argument, NULL, 'u'}, - {"user-group", no_argument, NULL, 'U'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", -+#else - getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1073,6 +1086,17 @@ static void process_flags (int argc, cha - case 'U': - Uflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1479,6 +1503,33 @@ static void usr_update (void) - grp_update (); - } - -+static void selinux_update_mapping () { -+ -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { /* must be done after passwd write() */ -+ const char *argv[7]; -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-a"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "adding SELinux user mapping", user_name, user_id, 0); -+#endif -+ } -+ } -+#endif -+ -+} - /* - * create_home - create the user's home directory - * -@@ -1488,7 +1539,11 @@ static void usr_update (void) - */ - static void create_home (void) - { -+ - if 
(access (user_home, F_OK)) { -+#ifdef WITH_SELINUX -+ selinux_file_context (user_home); -+#endif - /* XXX - create missing parent directories. --marekm */ - if (mkdir (user_home, 0)) { - fprintf (stderr, -@@ -1510,6 +1565,10 @@ static void create_home (void) - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "adding home directory", user_name, user_id, 1); - #endif -+#ifdef WITH_SELINUX -+ /* Reset SELinux to create files with default contexts */ -+ setfscreatecon (NULL); -+#endif - } - } - -@@ -1763,6 +1822,8 @@ int main (int argc, char **argv) - - close_files (); - -+ selinux_update_mapping(); -+ - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); - -diff -up shadow-4.1.2/src/usermod.c.selinux shadow-4.1.2/src/usermod.c ---- shadow-4.1.2/src/usermod.c.selinux 2008-05-24 17:35:17.000000000 +0200 -+++ shadow-4.1.2/src/usermod.c 2008-07-24 10:14:24.000000000 +0200 -@@ -94,6 +94,7 @@ static char *user_newcomment; - static char *user_home; - static char *user_newhome; - static char *user_shell; -+static const char *user_selinux = ""; - static char *user_newshell; - static long user_expire; - static long user_newexpire; -@@ -141,6 +142,7 @@ static void date_to_str (char *buf, size - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static void new_spent (struct spwd *); - static void fail_exit (int); -@@ -323,6 +325,9 @@ static void usage (void) - " -s, --shell SHELL new login shell for the user account\n" - " -u, --uid UID new UID for the user account\n" - " -U, --unlock unlock the user account\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user new selinux user mapping for the user account\n" -+#endif - "\n"), stderr); - exit (E_USAGE); - } -@@ -849,13 +854,20 @@ static void process_flags (int argc, cha - {"move-home", no_argument, NULL, 'm'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+#ifdef WITH_SELINUX -+ 
{"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"shell", required_argument, NULL, 's'}, - {"uid", required_argument, NULL, 'u'}, - {"unlock", no_argument, NULL, 'U'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:", -+#else -+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'a': -@@ -956,6 +968,16 @@ static void process_flags (int argc, cha - case 'U': - Uflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1534,6 +1556,8 @@ int main (int argc, char **argv) - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); - -+ selinux_update_mapping(); -+ - if (mflg) - move_home (); - -@@ -1562,3 +1586,62 @@ int main (int argc, char **argv) - exit (E_SUCCESS); - /* NOT REACHED */ - } -+ -+static void selinux_update_mapping () { -+#ifdef WITH_SELINUX -+ const char *argv[7]; -+ -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-m"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 1)) { -+ argv[2] = "-a"; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "modifying User mapping ", user_name, user_id, 0); -+#endif -+ } -+ } -+ } -+ -+ if (dflg || *user_selinux) { -+ argv[0] = "/usr/sbin/genhomedircon"; -+ argv[1] = NULL; -+ if(safe_system(argv[0], argv, NULL,0)) { -+ fprintf (stderr, -+ 
_("%s: warning: unable to relabel the homedir %s for %s.\n"), -+ Prog, user_home, user_name); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "relabeling home directory", user_name, user_id, 0); -+#endif -+ } -+ -+ argv[0] = "/sbin/restorecon"; -+ argv[1] = "-F"; -+ argv[2] = "-R"; -+ argv[3] = user_home; -+ argv[4] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: unable to relabel the homedir %s for %s.\n"), -+ Prog, user_home, user_name); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "relabeling home directory", user_name, user_id, 0); -+#endif -+ } -+ } -+#endif -+} -diff -up shadow-4.1.2/src/userdel.c.selinux shadow-4.1.2/src/userdel.c ---- shadow-4.1.2/src/userdel.c.selinux 2008-05-24 17:35:17.000000000 +0200 -+++ shadow-4.1.2/src/userdel.c 2008-07-24 10:14:24.000000000 +0200 -@@ -811,6 +811,17 @@ int main (int argc, char **argv) - #endif - } - -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() > 0) { -+ const char *argv[5]; -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-d"; -+ argv[3] = user_name; -+ argv[4] = NULL; -+ safe_system(argv[0], argv, NULL, 1); -+ } -+#endif - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. -diff -up shadow-4.1.2/man/useradd.8.selinux shadow-4.1.2/man/useradd.8 ---- shadow-4.1.2/man/useradd.8.selinux 2008-07-24 10:13:23.000000000 +0200 -+++ shadow-4.1.2/man/useradd.8 2008-07-24 10:20:27.000000000 +0200 -@@ -239,6 +239,11 @@ options are not specified) is defined by - variable in - \fIlogin\&.defs\fR\&. - .RE -+.PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. 
-+.RE - .SS "Changing the default values" - .PP - When invoked with only the -diff -up shadow-4.1.2/man/usermod.8.xml.selinux shadow-4.1.2/man/usermod.8.xml ---- shadow-4.1.2/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100 -+++ shadow-4.1.2/man/usermod.8.xml 2008-07-24 10:14:24.000000000 +0200 -@@ -245,6 +245,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field the blank, which causes the system to select the default -+ SELinux user. -+ -+ -+ - - - -diff -up shadow-4.1.2/man/usermod.8.selinux shadow-4.1.2/man/usermod.8 ---- shadow-4.1.2/man/usermod.8.selinux 2008-05-25 01:20:28.000000000 +0200 -+++ shadow-4.1.2/man/usermod.8 2008-07-24 10:21:39.000000000 +0200 -@@ -133,6 +133,11 @@ Note: if you wish to unlock the account - value from - \fI/etc/default/useradd\fR)\&. - .RE -+.PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. -+.RE - .SH "CAVEATS" - .PP - -diff -up shadow-4.1.2/man/useradd.8.xml.selinux shadow-4.1.2/man/useradd.8.xml ---- shadow-4.1.2/man/useradd.8.xml.selinux 2008-05-20 00:18:17.000000000 +0200 -+++ shadow-4.1.2/man/useradd.8.xml 2008-07-24 10:14:24.000000000 +0200 -@@ -363,6 +363,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field blank, which causes the system to select the default SELinux -+ user. 
-+ -+ -+ - - - -diff -up shadow-4.1.2/lib/defines.h.selinux shadow-4.1.2/lib/defines.h ---- shadow-4.1.2/lib/defines.h.selinux 2008-05-24 19:35:54.000000000 +0200 -+++ shadow-4.1.2/lib/defines.h 2008-07-24 10:14:24.000000000 +0200 -@@ -321,4 +321,7 @@ extern char *strerror (); - # define unused - #endif - -+#ifdef WITH_SELINUX -+#include -+#endif - #endif /* _DEFINES_H_ */ -diff -up shadow-4.1.2/lib/prototypes.h.selinux shadow-4.1.2/lib/prototypes.h ---- shadow-4.1.2/lib/prototypes.h.selinux 2008-04-27 02:40:13.000000000 +0200 -+++ shadow-4.1.2/lib/prototypes.h 2008-07-24 10:14:24.000000000 +0200 -@@ -83,6 +83,10 @@ extern int copy_tree (const char *src_ro - long int uid, long int gid); - extern int remove_tree (const char *root); - -+#ifdef WITH_SELINUX -+extern int selinux_file_context (const char *dst_name); -+#endif -+ - /* encrypt.c */ - extern char *pw_encrypt (const char *, const char *); - -@@ -226,6 +230,9 @@ extern struct spwd *__spw_dup (const str - /* shell.c */ - extern int shell (const char *, const char *, char *const *); - -+/* system.c */ -+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); -+ - /* strtoday.c */ - extern long strtoday (const char *); - diff --git a/shadow-4.1.2-sysAccountDownhill.patch b/shadow-4.1.2-sysAccountDownhill.patch deleted file mode 100644 index 2071190..0000000 --- a/shadow-4.1.2-sysAccountDownhill.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -diff -up shadow-4.1.2/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.2/libmisc/find_new_ids.c ---- shadow-4.1.2/libmisc/find_new_ids.c.sysAccountDownhill 2008-05-26 14:52:49.000000000 +0200 -+++ shadow-4.1.2/libmisc/find_new_ids.c 2008-05-26 14:58:55.000000000 +0200 -@@ -52,6 +52,7 @@ int find_new_uid (int sys_user, uid_t *u - { - const struct passwd *pwd; - uid_t uid_min, uid_max, user_id; -+ char * index; - - assert (uid != NULL); - -@@ -62,6 +63,8 @@ int find_new_uid (int sys_user, uid_t *u - uid_min = getdef_unum ("SYS_UID_MIN", 1); - uid_max = getdef_unum ("UID_MIN", 500) - 1; - uid_max = getdef_unum ("SYS_UID_MAX", uid_max); -+ index = alloca (sizeof (char) * uid_max +1); -+ memset (index, 0, sizeof (char) * uid_max + 1); - } - - if ( (NULL != preferred_uid) -@@ -91,12 +94,28 @@ int find_new_uid (int sys_user, uid_t *u - pw_rewind (); - while ( ((pwd = getpwent ()) != NULL) - || ((pwd = pw_next ()) != NULL)) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -+ if (sys_user == 0) { -+ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -+ user_id = pwd->pw_uid + 1; -+ } -+ } -+ else { -+ /* create index of occupied system accounts UIDs */ -+ if (pwd->pw_uid <= uid_max) -+ index[pwd->pw_uid] = 1; - } - } - endpwent (); - -+ /* find free system account */ -+ if(sys_user) { -+ for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); -+ if ( user_id < uid_min ) { -+ fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr); -+ return -1; -+ } -+ } -+ - /* - * If a user with UID equal to UID_MAX exists, the above algorithm - * will give us UID_MAX+1 even if not unique. 
Search for the first -@@ -135,6 +154,7 @@ int find_new_gid (int sys_group, gid_t * - { - const struct group *grp; - gid_t gid_min, gid_max, group_id; -+ char * index; - - assert (gid != NULL); - -@@ -145,6 +165,8 @@ int find_new_gid (int sys_group, gid_t * - gid_min = getdef_unum ("SYS_GID_MIN", 1); - gid_max = getdef_unum ("GID_MIN", 500) - 1; - gid_max = getdef_unum ("SYS_GID_MAX", gid_max); -+ index = alloca (sizeof (char) * gid_max +1); -+ memset (index, 0, sizeof (char) * gid_max + 1); - } - - if ( (NULL != preferred_gid) -@@ -173,12 +195,28 @@ int find_new_gid (int sys_group, gid_t * - gr_rewind (); - while ( ((grp = getgrent ()) != NULL) - || ((grp = gr_next ()) != NULL)) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -+ if (sys_group == 0) { -+ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -+ group_id = grp->gr_gid + 1; -+ } -+ } -+ else { -+ /* create index of occupied system accounts GIDs */ -+ if (grp->gr_gid <= gid_max) -+ index[grp->gr_gid] = 1; - } - } - endgrent (); - -+ /* find free system account */ -+ if(sys_group) { -+ for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--); -+ if ( group_id < gid_min ) { -+ fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr); -+ return -1; -+ } -+ } -+ - /* - * If a group with GID equal to GID_MAX exists, the above algorithm - * will give us GID_MAX+1 even if not unique. Search for the first diff --git a/shadow-4.1.2-uid.patch b/shadow-4.1.2-uid.patch deleted file mode 100644 index 96b04e3..0000000 --- a/shadow-4.1.2-uid.patch +++ /dev/null 
@@ -1,532 +0,0 @@ -diff -up /dev/null shadow-4.1.2/lib/get_gid.c ---- /dev/null 2009-03-16 11:03:38.574001227 +0100 -+++ shadow-4.1.2/lib/get_gid.c 2009-03-23 18:45:59.000000000 +0100 -@@ -0,0 +1,54 @@ -+/* -+ * Copyright (c) 2009 , Nicolas François -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the copyright holders or contributors may not be used to -+ * endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ */ -+ -+#include -+ -+#ident "$Id$" -+ -+#include "prototypes.h" -+#include "defines.h" -+ -+int get_gid (const char *gidstr, gid_t *gid) -+{ -+ long long int val; -+ char *endptr; -+ -+ errno = 0; -+ val = strtoll (gidstr, &endptr, 10); -+ if ( ('\0' == gidstr) -+ || ('\0' != *endptr) -+ || (ERANGE == errno) -+ || (val != (gid_t)val)) { -+ return 0; -+ } -+ -+ *gid = (gid_t)val; -+ return 1; -+} -+ -diff -up /dev/null shadow-4.1.2/lib/get_uid.c ---- /dev/null 2009-03-16 11:03:38.574001227 +0100 -+++ shadow-4.1.2/lib/get_uid.c 2009-03-23 18:45:59.000000000 +0100 -@@ -0,0 +1,55 @@ -+/* -+ * Copyright (c) 2009 , Nicolas François -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the copyright holders or contributors may not be used to -+ * endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -+ * PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include -+ -+#ident "$Id$" -+ -+#include "prototypes.h" -+#include "defines.h" -+ -+int get_uid (const char *uidstr, uid_t *uid) -+{ -+ long long int val; -+ char *endptr; -+ -+ errno = 0; -+ val = strtoll (uidstr, &endptr, 10); -+ if ( ('\0' == uidstr) -+ || ('\0' != *endptr) -+ || (ERANGE == errno) -+ || (val != (uid_t)val)) { -+ return 0; -+ } -+ -+ *uid = (uid_t)val; -+ return 1; -+} -+ -+ -diff -up shadow-4.1.2/lib/Makefile.am.uid shadow-4.1.2/lib/Makefile.am ---- shadow-4.1.2/lib/Makefile.am.uid 2008-01-06 14:57:28.000000000 +0100 -+++ shadow-4.1.2/lib/Makefile.am 2009-03-23 18:45:59.000000000 +0100 -@@ -17,6 +17,8 @@ libshadow_la_SOURCES = \ - fputsx.c \ - getdef.c \ - getdef.h \ -+ get_gid.c \ -+ get_uid.c \ - groupio.c \ - groupmem.c \ - groupio.h \ -diff -up shadow-4.1.2/lib/prototypes.h.uid shadow-4.1.2/lib/prototypes.h ---- shadow-4.1.2/lib/prototypes.h.uid 2009-03-23 18:45:59.000000000 +0100 -+++ shadow-4.1.2/lib/prototypes.h 2009-03-23 18:45:59.000000000 +0100 -@@ -110,6 +110,12 @@ extern int find_new_gid (int sys_group, - /* getlong.c */ - extern int getlong(const char *numstr, long int *result); - -+/* get_gid.c */ -+extern int get_gid (const char *gidstr, gid_t *gid); -+ -+/* get_uid.c */ -+extern int get_uid (const char *uidstr, uid_t *uid); -+ - /* fputsx.c */ - extern char *fgetsx (char *, int, FILE *); - extern int fputsx (const char *, FILE *); -diff -up shadow-4.1.2/src/groupadd.c.uid 
shadow-4.1.2/src/groupadd.c ---- shadow-4.1.2/src/groupadd.c.uid 2009-03-23 18:45:59.000000000 +0100 -+++ shadow-4.1.2/src/groupadd.c 2009-03-23 18:45:59.000000000 +0100 -@@ -98,7 +98,6 @@ static void check_new_name (void); - static void close_files (void); - static void open_files (void); - static void fail_exit (int code); --static gid_t get_gid (const char *gidstr); - static void process_flags (int argc, char **argv); - static void check_flags (void); - static void check_perms (void); -@@ -326,22 +325,6 @@ static void fail_exit (int code) - exit (code); - } - --/* -- * get_id - validate and get group ID -- */ --static gid_t get_gid (const char *gidstr) --{ -- long val; -- char *errptr; -- -- val = strtol (gidstr, &errptr, 10); -- if (('\0' != *errptr) || (errno == ERANGE) || (val < 0)) { -- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), -- Prog, gidstr); -- exit (E_BAD_ARG); -- } -- return val; --} - - /* - * process_flags - parse the command line options -@@ -383,7 +366,13 @@ static void process_flags (int argc, cha - break; - case 'g': - gflg++; -- group_id = get_gid (optarg); -+ if ( (get_gid (optarg, &group_id) == 0) -+ || (group_id == (gid_t)-1)) { -+ fprintf (stderr, -+ _("%s: invalid group ID '%s'\n"), -+ Prog, optarg); -+ exit (E_BAD_ARG); -+ } - break; - case 'h': - usage (); -diff -up shadow-4.1.2/src/groupmod.c.uid shadow-4.1.2/src/groupmod.c ---- shadow-4.1.2/src/groupmod.c.uid 2008-04-27 02:40:13.000000000 +0200 -+++ shadow-4.1.2/src/groupmod.c 2009-03-23 18:45:59.000000000 +0100 -@@ -100,7 +100,6 @@ static void check_new_name (void); - static void process_flags (int, char **); - static void close_files (void); - static void open_files (void); --static gid_t get_gid (const char *gidstr); - static void update_primary_groups (gid_t ogid, gid_t ngid); - - /* -@@ -361,23 +360,6 @@ static void check_new_name (void) - } - - /* -- * get_id - validate and get group ID -- */ --static gid_t get_gid (const char *gidstr) --{ -- long val; -- char 
*errptr; -- -- val = strtol (gidstr, &errptr, 10); -- if (*errptr || errno == ERANGE || val < 0) { -- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, -- gidstr); -- fail_exit (E_BAD_ARG); -- } -- return val; --} -- --/* - * process_flags - perform command line argument setting - * - * process_flags() interprets the command line arguments and sets the -@@ -404,7 +386,13 @@ static void process_flags (int argc, cha - switch (c) { - case 'g': - gflg++; -- group_newid = get_gid (optarg); -+ if ( (get_gid (optarg, &group_newid) == 0) -+ || (group_newid == (gid_t)-1)) { -+ fprintf (stderr, -+ _("%s: invalid group ID '%s'\n"), -+ Prog, optarg); -+ exit (E_BAD_ARG); -+ } - #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, - Prog, "modifying group", -diff -up shadow-4.1.2/src/newusers.c.uid shadow-4.1.2/src/newusers.c ---- shadow-4.1.2/src/newusers.c.uid 2008-04-27 02:40:13.000000000 +0200 -+++ shadow-4.1.2/src/newusers.c 2009-03-23 18:45:59.000000000 +0100 -@@ -90,7 +90,7 @@ static pam_handle_t *pamh = NULL; - static void usage (void); - static void fail_exit (int); - static int add_group (const char *, const char *, gid_t *, gid_t); --static int get_uid (const char *, uid_t *); -+static int get_user_id (const char *, uid_t *); - static int add_user (const char *, uid_t, gid_t); - static void update_passwd (struct passwd *, const char *); - static int add_passwd (struct passwd *, const char *); -@@ -178,22 +178,26 @@ static int add_group (const char *name, - * The GID is a number, which means either this is a brand - * new group, or an existing group. 
- */ -- char *endptr; -- long int i = strtoul (gid, &endptr, 10); -- if ((*endptr != '\0') && (errno != ERANGE)) { -+ if (get_gid (gid, &grent.gr_gid) == 0) { - fprintf (stderr, -- _("%s: group ID `%s' is not valid\n"), -+ _("%s: invalid group ID '%s'\n"), - Prog, gid); - return -1; - } -- if ( (getgrgid (i) != NULL) -- || (gr_locate_gid (i) != NULL)) { -+ if ( (getgrgid ((gid_t) grent.gr_gid) != NULL) -+ || (gr_locate_gid ((gid_t) grent.gr_gid) != NULL)) { - /* The user will use this ID for her - * primary group */ -- *ngid = i; -+ *ngid = (gid_t) grent.gr_gid; - return 0; - } -- grent.gr_gid = i; -+ /* Do not create groups with GID == (gid_t)-1 */ -+ if (grent.gr_gid == (gid_t)-1) { -+ fprintf (stderr, -+ _("%s: invalid group ID '%s'\n"), -+ Prog, gid); -+ return -1; -+ } - } else { - /* The gid parameter can be "" or a name which is not - * already the name of an existing group. -@@ -267,7 +271,7 @@ static int add_group (const char *name, - return 0; - } - --static int get_uid (const char *uid, uid_t *nuid) { -+static int get_user_id (const char *uid, uid_t *nuid) { - const struct passwd *pwd = NULL; - - /* -@@ -275,15 +279,11 @@ static int get_uid (const char *uid, uid - * caller provided, or the next available UID. 
- */ - if (isdigit (uid[0])) { -- char *endptr; -- long int i = strtoul (uid, &endptr, 10); -- if ((*endptr != '\0') && (errno != ERANGE)) { -- fprintf (stderr, -- _("%s: user ID `%s' is not valid\n"), -+ if ((get_uid (uid, nuid) == 0) || (*nuid == (uid_t)-1)) { -+ fprintf (stderr, _("%s: invalid user ID '%s'\n"), - Prog, uid); - return -1; - } -- *nuid = i; - } else { - if ('\0' != uid[0]) { - /* local, no need for xgetpwnam */ -@@ -740,7 +740,7 @@ int main (int argc, char **argv) - } - - if ( (NULL == pw) -- && (get_uid (fields[2], &uid) != 0)) { -+ && (get_user_id (fields[2], &uid) != 0)) { - fprintf (stderr, - _("%s: line %d: can't create user\n"), - Prog, line); -diff -up shadow-4.1.2/src/useradd.c.uid shadow-4.1.2/src/useradd.c ---- shadow-4.1.2/src/useradd.c.uid 2009-03-23 18:45:59.000000000 +0100 -+++ shadow-4.1.2/src/useradd.c 2009-03-23 18:45:59.000000000 +0100 -@@ -170,7 +170,6 @@ static int home_added; - static void fail_exit (int); - static struct group *getgr_nam_gid (const char *); - static long get_number (const char *); --static uid_t get_uid (const char *); - static void get_defaults (void); - static void show_defaults (void); - static int set_defaults (void); -@@ -225,39 +224,30 @@ static void fail_exit (int code) - - static struct group *getgr_nam_gid (const char *grname) - { -- long gid; -- char *errptr; -- -- gid = strtol (grname, &errptr, 10); -- if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && gid >= 0) -+ long long int gid; -+ char *endptr; -+ -+ errno = 0; -+ gid = strtoll (grname, &endptr, 10); -+ if ( ('\0' != *grname) -+ && ('\0' == *endptr) -+ && (ERANGE != errno) -+ && (gid == (gid_t)gid)) { - return xgetgrgid (gid); -+ } - return xgetgrnam (grname); - } - - static long get_number (const char *numstr) - { - long val; -- char *errptr; -+ char *endptr; - -- val = strtol (numstr, &errptr, 10); -- if (*errptr || errno == ERANGE) { -- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, -- numstr); -- exit 
(E_BAD_ARG); -- } -- return val; --} -- --static uid_t get_uid (const char *uidstr) --{ -- long val; -- char *errptr; -- -- val = strtol (uidstr, &errptr, 10); -- if (*errptr || errno == ERANGE || val < 0) { -- fprintf (stderr, -- _("%s: invalid numeric argument '%s'\n"), Prog, -- uidstr); -+ errno = 0; -+ val = strtol (numstr, &endptr, 10); -+ if (('\0' == *numstr) || ('\0' != *endptr) || (ERANGE == errno)) { -+ fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), -+ Prog, numstr); - exit (E_BAD_ARG); - } - return val; -@@ -302,26 +292,13 @@ static void get_defaults (void) - * Primary GROUP identifier - */ - if (MATCH (buf, DGROUP)) { -- unsigned int val = (unsigned int) strtoul (cp, &ep, 10); -- const struct group *grp; -- -- if (*cp != '\0' && *ep == '\0') { /* valid number */ -- def_group = val; -- /* local, no need for xgetgrgid */ -- if ((grp = getgrgid (def_group))) { -- def_gname = xstrdup (grp->gr_name); -- } else { -- fprintf (stderr, -- _("%s: unknown GID %s\n"), -- Prog, cp); -- } -- /* local, no need for xgetgrnam */ -- } else if ((grp = getgrnam (cp))) { -- def_group = grp->gr_gid; -- def_gname = xstrdup (cp); -+ const struct group *grp = getgr_nam_gid (cp); -+ if (NULL == grp) { -+ fprintf (stderr, _("%s: unknown GID %s\n"), -+ Prog, cp); - } else { -- fprintf (stderr, -- _("%s: unknown group %s\n"), Prog, cp); -+ def_group = grp->gr_gid; -+ def_gname = xstrdup (grp->gr_name); - } - } - -@@ -343,12 +320,17 @@ static void get_defaults (void) - * Default Password Inactive value - */ - else if (MATCH (buf, INACT)) { -+ errno = 0; - long val = strtol (cp, &ep, 10); - -- if (*cp || errno == ERANGE) -+ if ( ('\0' != *cp) -+ && ('\0' == *ep) -+ && (ERANGE != errno) -+ && (val >= 0)) { - def_inactive = val; -- else -+ } else { - def_inactive = -1; -+ } - } - - /* -@@ -1080,7 +1062,13 @@ static void process_flags (int argc, cha - sflg++; - break; - case 'u': -- user_id = get_uid (optarg); -+ if ( (get_uid (optarg, &user_id) == 0) -+ || (user_id == 
(gid_t)-1)) { -+ fprintf (stderr, -+ _("%s: invalid user ID '%s'\n"), -+ Prog, optarg); -+ exit (E_BAD_ARG); -+ } - uflg++; - break; - case 'U': -diff -up shadow-4.1.2/src/usermod.c.uid shadow-4.1.2/src/usermod.c ---- shadow-4.1.2/src/usermod.c.uid 2009-03-23 18:45:59.000000000 +0100 -+++ shadow-4.1.2/src/usermod.c 2009-03-23 18:48:36.000000000 +0100 -@@ -155,7 +155,6 @@ static void update_gshadow (void); - static void grp_update (void); - - static long get_number (const char *); --static uid_t get_id (const char *); - static void process_flags (int, char **); - static void close_files (void); - static void open_files (void); -@@ -193,12 +192,17 @@ static void date_to_str (char *buf, size - */ - static struct group *getgr_nam_gid (const char *grname) - { -- long val; -- char *errptr; -- -- val = strtol (grname, &errptr, 10); -- if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && val >= 0) -+ long long int val; -+ char *endptr; -+ -+ errno = 0; -+ val = strtoll (grname, &endptr, 10); -+ if ( ('\0' != *grname) -+ && ('\0' == *endptr) -+ && (ERANGE != errno) -+ && (val == (gid_t)val)) { - return xgetgrgid (val); -+ } - return xgetgrnam (grname); - } - -@@ -752,20 +756,6 @@ static long get_number (const char *nums - return val; - } - --static uid_t get_id (const char *uidstr) --{ -- long val; -- char *errptr; -- -- val = strtol (uidstr, &errptr, 10); -- if (*errptr || errno == ERANGE || val < 0) { -- fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, -- uidstr); -- exit (E_BAD_ARG); -- } -- return val; --} -- - /* - * process_flags - perform command line argument setting - * -@@ -963,7 +953,13 @@ static void process_flags (int argc, cha - sflg++; - break; - case 'u': -- user_newid = get_id (optarg); -+ if ( (get_uid (optarg, &user_newid) ==0) -+ || (user_newid == (uid_t)-1)) { -+ fprintf (stderr, -+ _("%s: invalid user ID '%s'\n"), -+ Prog, optarg); -+ exit (E_BAD_ARG); -+ } - uflg++; - break; - case 'U': 
diff --git a/shadow-4.1.3-goodname.patch b/shadow-4.1.3-goodname.patch
new file mode 100644
index 0000000..43b933f
--- /dev/null
+++ b/shadow-4.1.3-goodname.patch
@@ -0,0 +1,68 @@ +diff -up shadow-4.1.3/libmisc/chkname.c.goodname shadow-4.1.3/libmisc/chkname.c +--- shadow-4.1.3/libmisc/chkname.c.goodname 2008-12-23 23:42:21.000000000 +0100 ++++ shadow-4.1.3/libmisc/chkname.c 2009-04-14 11:46:21.000000000 +0200 +@@ -54,20 +54,28 @@ + static bool is_valid_name (const char *name) + { + /* +- * User/group names must match [a-z_][a-z0-9_-]*[$] +- */ +- if (('\0' == *name) || +- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { ++ * User/group names must match gnu e-regex: ++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? ++ * ++ * as a non-POSIX, extension, allow "$" as the last char for ++ * sake of Samba 3.x "add machine script" ++ */ ++ if ( ('\0' == *name) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') ++ )) { + return false; + } + + while ('\0' != *++name) { +- if (!(( ('a' <= *name) && ('z' >= *name) ) || +- ( ('0' <= *name) && ('9' >= *name) ) || +- ('_' == *name) || +- ('-' == *name) || +- ( ('$' == *name) && ('\0' == *(name + 1)) ) +- )) { ++ if (!( (*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') || (*name == '-') || ++ (*name == '$' && *(name + 1) == '\0') ++ )) { + return false; + } + } +diff -up shadow-4.1.3/man/groupadd.8.goodname shadow-4.1.3/man/groupadd.8 +--- shadow-4.1.3/man/groupadd.8.goodname 2009-04-12 04:46:15.000000000 +0200 ++++ shadow-4.1.3/man/groupadd.8 2009-04-14 11:45:13.000000000 +0200 +@@ -139,9 +139,7 @@ Shadow password suite configuration\&. + .RE + .SH "CAVEATS" + .PP +-Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-.PP +-Groupnames may only be up to 16 characters long\&. ++Groupnames may only be up to 32 characters long\&. 
+ .PP + You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. + .PP +diff -up shadow-4.1.3/man/useradd.8.goodname shadow-4.1.3/man/useradd.8 +--- shadow-4.1.3/man/useradd.8.goodname 2009-04-12 04:46:35.000000000 +0200 ++++ shadow-4.1.3/man/useradd.8 2009-04-14 11:45:13.000000000 +0200 +@@ -385,8 +385,6 @@ Similarly, if the username already exist + \fBuseradd\fR + will deny the user account creation request\&. + .PP +-Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-.PP + Usernames may only be up to 32 characters long\&. + .SH "CONFIGURATION" + .PP diff --git a/shadow-4.1.3-redhat.patch b/shadow-4.1.3-redhat.patch new file mode 100644 index 0000000..2b0ce43 --- /dev/null +++ b/shadow-4.1.3-redhat.patch 
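Review bot: The widened first-character class in is_valid_name now admits `.`, so the names `.` and `..` pass validation even though any path later built from the name (home directory, mail spool) cannot safely contain them; reject them explicitly before the loop with `if ((strcmp (name, ".") == 0) || (strcmp (name, "..") == 0)) { return false; }`. Leading digits are also admitted now, and an all-digit name collides with the numeric lookup that getgr_nam_gid performs via strtoll (visible in the removed uid patch above), so such a group can no longer be referenced by name with `-g`; the comment should at least record that trade-off. The `{0,30}` bound in the new comment is not enforced by this hunk, and groupadd.8 is changed to say 32 characters while no group-name length check is touched here, so if the caller's group limit is still 16 (as upstream's is_valid_group_name has, not visible in this hunk) the man page will disagree with the code. The final return of is_valid_name lies outside the hunk.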
@@ -0,0 +1,55 @@ +diff -up shadow-4.1.3-rc1/libmisc/find_new_gid.c.redhat shadow-4.1.3-rc1/libmisc/find_new_gid.c +--- shadow-4.1.3-rc1/libmisc/find_new_gid.c.redhat 2009-04-06 15:46:43.000000000 +0200 ++++ shadow-4.1.3-rc1/libmisc/find_new_gid.c 2009-04-06 15:48:29.000000000 +0200 +@@ -56,11 +56,11 @@ int find_new_gid (bool sys_group, gid_t + assert (gid != NULL); + + if (!sys_group) { +- gid_min = getdef_ulong ("GID_MIN", 1000L); ++ gid_min = getdef_ulong ("GID_MIN", 500L); + gid_max = getdef_ulong ("GID_MAX", 60000L); + } else { + gid_min = getdef_ulong ("SYS_GID_MIN", 1L); +- gid_max = getdef_ulong ("GID_MIN", 1000L) - 1; ++ gid_max = getdef_ulong ("GID_MIN", 500L) - 1; + gid_max = getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } + used_gids = alloca (sizeof (char) * gid_max +1); +diff -up shadow-4.1.3-rc1/libmisc/find_new_uid.c.redhat shadow-4.1.3-rc1/libmisc/find_new_uid.c +--- shadow-4.1.3-rc1/libmisc/find_new_uid.c.redhat 2009-04-06 15:46:49.000000000 +0200 ++++ shadow-4.1.3-rc1/libmisc/find_new_uid.c 2009-04-06 15:48:46.000000000 +0200 +@@ -56,11 +56,11 @@ int find_new_uid (bool sys_user, uid_t * + assert (uid != NULL); + + if (!sys_user) { +- uid_min = getdef_ulong ("UID_MIN", 1000L); ++ uid_min = getdef_ulong ("UID_MIN", 500L); + uid_max = getdef_ulong ("UID_MAX", 60000L); + } else { + uid_min = getdef_ulong ("SYS_UID_MIN", 1L); +- uid_max = getdef_ulong ("UID_MIN", 1000L) - 1; ++ uid_max = getdef_ulong ("UID_MIN", 500L) - 1; + uid_max = getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); + } + used_uids = alloca (sizeof (char) * uid_max +1); +diff -up shadow-4.1.3-rc1/src/useradd.c.redhat shadow-4.1.3-rc1/src/useradd.c +--- shadow-4.1.3-rc1/src/useradd.c.redhat 2009-04-06 15:49:02.000000000 +0200 ++++ shadow-4.1.3-rc1/src/useradd.c 2009-04-06 15:55:22.000000000 +0200 +@@ -89,7 +89,7 @@ char *Prog; + static gid_t def_group = 100; + static const char *def_gname = "other"; + static const char *def_home = "/home"; +-static const char *def_shell 
= ""; ++static const char *def_shell = "/sbin/nologin"; + static const char *def_template = SKEL_DIR; + static const char *def_create_mail_spool = "no"; + +@@ -101,7 +101,7 @@ static char def_file[] = USER_DEFAULTS_F + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + + static const char *user_name = ""; +-static const char *user_pass = "!"; ++static const char *user_pass = "!!"; + static uid_t user_id; + static gid_t user_gid; + static const char *user_comment = ""; diff --git a/shadow-utils.spec b/shadow-utils.spec index cc3fa54..186c57c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,36 +1,22 @@ -%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} -%define WITH_SELINUX 1 -%endif - Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.2 -Release: 13%{?dist} +Version: 4.1.3 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd - -Patch0: shadow-4.1.2-redhat.patch -Patch1: shadow-4.1.2-goodname.patch -Patch2: shadow-4.1.2-selinux.patch -Patch3: shadow-4.1.2-sysAccountDownhill.patch -Patch4: shadow-4.1.2-gmSEGV.patch -Patch5: shadow-4.1.2-audit.patch -Patch6: shadow-4.1.1-selinuxUserMappings.patch -Patch7: shadow-4.1.2-checkName.patch -Patch8: shadow-4.1.2-gmNoGroup.patch -Patch9: shadow-4.1.2-uid.patch - +Patch0: shadow-4.1.3-redhat.patch +Patch1: shadow-4.1.3-goodname.patch License: BSD and GPLv2+ Group: System Environment/Base -BuildRequires: autoconf, automake, libtool, gettext-devel BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 +#BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 -Requires: setup policycoreutils +Requires: setup Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description 
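Review bot: The new `def_shell = "/sbin/nologin"` fallback only takes effect when /etc/default/useradd carries no SHELL line, and the shipped Source2 defaults file (shadow-4.0.18.1-useradd, added in a later commit on this page) sets `SHELL=/bin/bash`, so on installed systems the hardened fallback is presumably overridden; if nologin is the intended default, the defaults file is where it has to change. The same duplication applies to the 500 fallbacks for UID_MIN/GID_MIN, which the shipped login.defs also sets; a one-line note in the patch header such as `# code fallbacks mirror login.defs; keep both in sync` would prevent drift. `user_pass = "!!"` follows what is presumably the Red Hat convention of two bangs for a never-set password versus one for a locked one, and that deserves a comment beside the literal.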
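Review bot: `Requires: setup policycoreutils` is reduced to `Requires: setup` while the package is still configured `--with-selinux` and userdel (per the shadow-4.1.3-selinux.patch added in the following commit) execs `/usr/sbin/semanage`, which ships in policycoreutils; on a host without that package the SELinux login mapping of a deleted user is left behind silently. Either keep `Requires: policycoreutils` or make the semanage call tolerate its absence explicitly and log it. The removal of the `%if %{WITH_SELINUX}` guard in the next hunk makes this dependency unconditional rather than optional.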
@@ -49,34 +35,23 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname -%patch2 -p1 -b .selinux -%patch3 -p1 -b .sysAccountDownhill -%patch4 -p1 -b .gmSEGV -%patch5 -p1 -b .audit -%patch6 -p1 -b .selinuxUserMappings -%patch7 -p1 -b .checkName -%patch8 -p1 -b .gmNoGroup -%patch9 -p1 -b .uid iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO -rm po/*.gmo -rm po/stamp-po - -aclocal -libtoolize --force -automake -a -autoconf +#rm po/*.gmo +#rm po/stamp-po +#aclocal +#libtoolize --force +#automake -a +#autoconf %build %configure \ --enable-shadowgrp \ --with-audit \ --with-sha-crypt \ -%if %{WITH_SELINUX} --with-selinux \ -%endif --without-libcrack \ --without-libpam \ --disable-shared @@ -199,11 +174,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog -* Tue Mar 24 2009 Peter Vrabec 2:4.1.2-13 -- do not allow UID/GID = 4294967295 (#484040,#133664) +* Tue Apr 14 2009 Peter Vrabec 2:4.1.3-1 +- upgrade -* Wed Feb 25 2009 Fedora Release Engineering - 2:4.1.2-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild +* Tue Mar 24 2009 Peter Vrabec 2:4.1.2-12 +- don not allow UID/GID = 4294967295 (#484040) * Mon Jan 19 2009 Peter Vrabec 2:4.1.2-11 - fix license tag (#226416) diff --git a/sources b/sources index 0c72fb3..beeb25f 100644 --- a/sources +++ b/sources @@ -1,4 +1,3 @@ e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd -b1aa30abb3cce16a37b53e45e1ec70a4 shadow-4.1.1.tar.bz2 -ce90cbe9cba7f6673cb10cad49083c1c shadow-4.1.2.tar.bz2 +d222bd50f64d52a32882c82ab1e85f28 shadow-4.1.3.tar.bz2 From 70078f8ff6f0b48dbbca24bf288149b86f7930f8 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Tue, 14 Apr 2009 14:12:16 +0000 Subject: [PATCH 035/151] - get "-n" option back - fix selinux issues --- shadow-4.1.3-redhat.patch | 38 ++++++++++++++++++++------- shadow-4.1.3-selinux.patch | 54 ++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 8 +++++- 3 files changed, 90 insertions(+), 10 deletions(-) create mode 100644 shadow-4.1.3-selinux.patch diff --git a/shadow-4.1.3-redhat.patch b/shadow-4.1.3-redhat.patch index 2b0ce43..92ea691 100644 --- a/shadow-4.1.3-redhat.patch +++ b/shadow-4.1.3-redhat.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.1.3-rc1/libmisc/find_new_gid.c.redhat shadow-4.1.3-rc1/libmisc/find_new_gid.c ---- shadow-4.1.3-rc1/libmisc/find_new_gid.c.redhat 2009-04-06 15:46:43.000000000 +0200 -+++ shadow-4.1.3-rc1/libmisc/find_new_gid.c 2009-04-06 15:48:29.000000000 +0200 +diff -up shadow-4.1.3/libmisc/find_new_gid.c.redhat shadow-4.1.3/libmisc/find_new_gid.c +--- shadow-4.1.3/libmisc/find_new_gid.c.redhat 2009-04-11 17:55:13.000000000 +0200 ++++ shadow-4.1.3/libmisc/find_new_gid.c 2009-04-14 14:49:34.000000000 +0200 @@ -56,11 +56,11 @@ int find_new_gid (bool sys_group, gid_t assert (gid != NULL); @@ -15,9 +15,9 @@ diff -up shadow-4.1.3-rc1/libmisc/find_new_gid.c.redhat shadow-4.1.3-rc1/libmisc gid_max = getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); } used_gids = alloca (sizeof (char) * gid_max +1); -diff -up shadow-4.1.3-rc1/libmisc/find_new_uid.c.redhat shadow-4.1.3-rc1/libmisc/find_new_uid.c ---- shadow-4.1.3-rc1/libmisc/find_new_uid.c.redhat 2009-04-06 15:46:49.000000000 +0200 -+++ shadow-4.1.3-rc1/libmisc/find_new_uid.c 2009-04-06 15:48:46.000000000 +0200 +diff -up shadow-4.1.3/libmisc/find_new_uid.c.redhat shadow-4.1.3/libmisc/find_new_uid.c +--- shadow-4.1.3/libmisc/find_new_uid.c.redhat 2009-04-11 17:53:19.000000000 +0200 ++++ shadow-4.1.3/libmisc/find_new_uid.c 2009-04-14 14:49:34.000000000 +0200 @@ -56,11 +56,11 @@ int find_new_uid (bool sys_user, uid_t * assert (uid != NULL); 
@@ -32,9 +32,9 @@ diff -up shadow-4.1.3-rc1/libmisc/find_new_uid.c.redhat shadow-4.1.3-rc1/libmisc uid_max = getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); } used_uids = alloca (sizeof (char) * uid_max +1); -diff -up shadow-4.1.3-rc1/src/useradd.c.redhat shadow-4.1.3-rc1/src/useradd.c ---- shadow-4.1.3-rc1/src/useradd.c.redhat 2009-04-06 15:49:02.000000000 +0200 -+++ shadow-4.1.3-rc1/src/useradd.c 2009-04-06 15:55:22.000000000 +0200 +diff -up shadow-4.1.3/src/useradd.c.redhat shadow-4.1.3/src/useradd.c +--- shadow-4.1.3/src/useradd.c.redhat 2009-04-11 20:39:52.000000000 +0200 ++++ shadow-4.1.3/src/useradd.c 2009-04-14 14:58:17.000000000 +0200 @@ -89,7 +89,7 @@ char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; @@ -53,3 +53,23 @@ diff -up shadow-4.1.3-rc1/src/useradd.c.redhat shadow-4.1.3-rc1/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; +@@ -978,9 +978,9 @@ static void process_flags (int argc, cha + }; + while ((c = getopt_long (argc, argv, + #ifdef WITH_SELINUX +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", + #else +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", + #endif + long_options, NULL)) != -1) { + switch (c) { +@@ -1130,6 +1130,7 @@ static void process_flags (int argc, cha + case 'M': + Mflg = true; + break; ++ case 'n': + case 'N': + Nflg = true; + break; diff --git a/shadow-4.1.3-selinux.patch b/shadow-4.1.3-selinux.patch new file mode 100644 index 0000000..97dc317 --- /dev/null +++ b/shadow-4.1.3-selinux.patch 
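Review bot: `case 'n':` is added as a silent alias for `-N`, but nothing in the hunk records why it exists; add `/* 'n': legacy Red Hat spelling of -N (no user group), kept for compatibility */` above the label so the next upstream rebase does not drop it. The getopt string gains `n` but usage() and the man page are not touched in this patch, so the alias stays invisible to users — acceptable for a deprecated spelling, but the comment should say so. The enclosing getopt switch starts and ends outside the hunk.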
@@ -0,0 +1,54 @@ +diff -up shadow-4.1.3/src/useradd.c.selinux shadow-4.1.3/src/useradd.c +--- shadow-4.1.3/src/useradd.c.selinux 2009-04-14 15:55:44.000000000 +0200 ++++ shadow-4.1.3/src/useradd.c 2009-04-14 15:55:44.000000000 +0200 +@@ -2011,9 +2011,7 @@ int main (int argc, char **argv) + close_files (); + + #ifdef WITH_SELINUX +- if (Zflg) { +- selinux_update_mapping (); +- } ++ selinux_update_mapping (); + #endif + + nscd_flush_cache ("passwd"); +diff -up shadow-4.1.3/src/userdel.c.selinux shadow-4.1.3/src/userdel.c +--- shadow-4.1.3/src/userdel.c.selinux 2009-04-11 18:52:42.000000000 +0200 ++++ shadow-4.1.3/src/userdel.c 2009-04-14 16:01:10.000000000 +0200 +@@ -797,17 +797,6 @@ int main (int argc, char **argv) + audit_help_open (); + #endif + +-#ifdef WITH_SELINUX +- if (is_selinux_enabled () > 0) { +- const char *args[5]; +- args[0] = "/usr/sbin/semanage"; +- args[1] = "login"; +- args[2] = "-d"; +- args[3] = user_name; +- args[4] = NULL; +- safe_system (args[0], args, NULL, 1); +- } +-#endif + /* + * Get my name so that I can use it to report errors. + */ +@@ -1010,6 +999,18 @@ int main (int argc, char **argv) + } + #endif + ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled () > 0) { ++ const char *args[5]; ++ args[0] = "/usr/sbin/semanage"; ++ args[1] = "login"; ++ args[2] = "-d"; ++ args[3] = user_name; ++ args[4] = NULL; ++ safe_system (args[0], args, NULL, 1); ++ } ++#endif ++ + /* + * Cancel any crontabs or at jobs. Have to do this before we remove + * the entry from /etc/passwd. diff --git a/shadow-utils.spec b/shadow-utils.spec index 186c57c..f3a6a7c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.3 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
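Review bot: The relocated semanage call in userdel.c discards the result of `safe_system (args[0], args, NULL, 1)`, so a failure to remove the login mapping (semanage absent, policy store locked, non-zero exit) leaves a stale SELinux login record for a name that is about to become free, and nothing is logged; check the result and warn, e.g. `if (safe_system (args[0], args, NULL, 1) != 0) { fprintf (stderr, _("%s: warning: cannot remove SELinux login mapping for %s\n"), Prog, user_name); }`, assuming safe_system returns the child's exit status as its int result. In useradd.c, dropping the `if (Zflg)` guard makes `selinux_update_mapping ()` run on every add; confirm it is a no-op when no -Z was given, otherwise every useradd now spawns semanage. The argv setup is unchanged from its old location, so the move itself looks behaviour-neutral apart from ordering; main() in both files begins and ends outside the hunk.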
@@ -9,6 +9,7 @@ Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd Patch0: shadow-4.1.3-redhat.patch Patch1: shadow-4.1.3-goodname.patch +Patch2: shadow-4.1.3-selinux.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -35,6 +36,7 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname +%patch2 -p1 -b .selinux iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -174,6 +176,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Apr 14 2009 Peter Vrabec 2:4.1.3-2 +- get "-n" option back +- fix selinux issues + * Tue Apr 14 2009 Peter Vrabec 2:4.1.3-1 - upgrade From da96b3d14b5f3d145cdc2a1a9b2dd0b789abef74 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 20 Apr 2009 09:47:31 +0000 Subject: [PATCH 036/151] upgrade --- .cvsignore | 4 +-- shadow-4.0.17-login.defs | 58 ++++++++++++++++++++++++++++++++++++++ shadow-4.0.18.1-useradd | 9 ++++++ shadow-4.1.3-selinux.patch | 54 ----------------------------------- shadow-utils.spec | 11 ++++---- sources | 4 +-- 6 files changed, 75 insertions(+), 65 deletions(-) create mode 100644 shadow-4.0.17-login.defs create mode 100644 shadow-4.0.18.1-useradd delete mode 100644 shadow-4.1.3-selinux.patch diff --git a/.cvsignore b/.cvsignore index 5e650b5..e47192e 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,3 +1 @@ -shadow-4.0.17-login.defs -shadow-4.0.18.1-useradd -shadow-4.1.3.tar.bz2 +shadow-4.1.3.1.tar.gz diff --git a/shadow-4.0.17-login.defs b/shadow-4.0.17-login.defs new file mode 100644 index 0000000..18733bf --- /dev/null +++ b/shadow-4.0.17-login.defs 
@@ -0,0 +1,58 @@ +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# QMAIL_DIR is for Qmail +# +#QMAIL_DIR Maildir +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_MIN_LEN 5 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 500 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 500 +GID_MAX 60000 + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If useradd should create home directories for users by default +# On RH systems, we do. This option is overridden with the -m flag on +# useradd command line. +# +CREATE_HOME yes + +# The permission mask is initialized to this value. If not specified, +# the permission mask will be initialized to 022. +UMASK 077 + +# This enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# Use MD5 or DES to encrypt password? Red Hat use MD5 by default. +MD5_CRYPT_ENAB yes + diff --git a/shadow-4.0.18.1-useradd b/shadow-4.0.18.1-useradd new file mode 100644 index 0000000..4e81146 --- /dev/null +++ b/shadow-4.0.18.1-useradd @@ -0,0 +1,9 @@ +# useradd defaults file +GROUP=100 +HOME=/home +INACTIVE=-1 +EXPIRE= +SHELL=/bin/bash +SKEL=/etc/skel +CREATE_MAIL_SPOOL=yes + diff --git a/shadow-4.1.3-selinux.patch b/shadow-4.1.3-selinux.patch deleted file mode 100644 index 97dc317..0000000 
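Review bot: `MD5_CRYPT_ENAB yes` makes MD5-crypt the only selector for new password hashes; shadow 4.1.x also reads `ENCRYPT_METHOD`, which takes precedence when set and accepts `SHA512`, so the restored file could carry `ENCRYPT_METHOD SHA512` (or a comment saying why MD5 is kept) instead of relying on the older, weaker knob alone. `UID_MIN 500` / `GID_MIN 500` here duplicate the `500UL` fallbacks compiled into find_new_uid.c / find_new_gid.c by the redhat patch later in this series; the two must be changed together or the built-in fallback will silently disagree with the shipped configuration. A comment next to these two lines naming that coupling would help the next maintainer.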
--- a/shadow-4.1.3-selinux.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff -up shadow-4.1.3/src/useradd.c.selinux shadow-4.1.3/src/useradd.c ---- shadow-4.1.3/src/useradd.c.selinux 2009-04-14 15:55:44.000000000 +0200 -+++ shadow-4.1.3/src/useradd.c 2009-04-14 15:55:44.000000000 +0200 -@@ -2011,9 +2011,7 @@ int main (int argc, char **argv) - close_files (); - - #ifdef WITH_SELINUX -- if (Zflg) { -- selinux_update_mapping (); -- } -+ selinux_update_mapping (); - #endif - - nscd_flush_cache ("passwd"); -diff -up shadow-4.1.3/src/userdel.c.selinux shadow-4.1.3/src/userdel.c ---- shadow-4.1.3/src/userdel.c.selinux 2009-04-11 18:52:42.000000000 +0200 -+++ shadow-4.1.3/src/userdel.c 2009-04-14 16:01:10.000000000 +0200 -@@ -797,17 +797,6 @@ int main (int argc, char **argv) - audit_help_open (); - #endif - --#ifdef WITH_SELINUX -- if (is_selinux_enabled () > 0) { -- const char *args[5]; -- args[0] = "/usr/sbin/semanage"; -- args[1] = "login"; -- args[2] = "-d"; -- args[3] = user_name; -- args[4] = NULL; -- safe_system (args[0], args, NULL, 1); -- } --#endif - /* - * Get my name so that I can use it to report errors. - */ -@@ -1010,6 +999,18 @@ int main (int argc, char **argv) - } - #endif - -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled () > 0) { -+ const char *args[5]; -+ args[0] = "/usr/sbin/semanage"; -+ args[1] = "login"; -+ args[2] = "-d"; -+ args[3] = user_name; -+ args[4] = NULL; -+ safe_system (args[0], args, NULL, 1); -+ } -+#endif -+ - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. diff --git a/shadow-utils.spec b/shadow-utils.spec index f3a6a7c..a9f2d97 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,15 +1,14 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.3 -Release: 2%{?dist} +Version: 4.1.3.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 +Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.gz Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd Patch0: shadow-4.1.3-redhat.patch Patch1: shadow-4.1.3-goodname.patch -Patch2: shadow-4.1.3-selinux.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -36,7 +35,6 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname -%patch2 -p1 -b .selinux iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -176,6 +174,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Apr 17 2009 Peter Vrabec 2:4.1.3.1-1 +- upgrade + * Tue Apr 14 2009 Peter Vrabec 2:4.1.3-2 - get "-n" option back - fix selinux issues diff --git a/sources b/sources index beeb25f..9e11f2e 100644 --- a/sources +++ b/sources @@ -1,3 +1 @@ -e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs -ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd -d222bd50f64d52a32882c82ab1e85f28 shadow-4.1.3.tar.bz2 +dd22f2ad8f7550bc1177ddcca49877ff shadow-4.1.3.1.tar.gz From d4689ff3b260e887140f57b80f7b0ded58c01bf5 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 22 Apr 2009 08:58:31 +0000 Subject: [PATCH 037/151] lastlog fix --- shadow-4.1.3-lastlog.patch | 21 +++++++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.3-lastlog.patch diff --git a/shadow-4.1.3-lastlog.patch b/shadow-4.1.3-lastlog.patch new file mode 100644 index 0000000..0ef23ca --- /dev/null +++ b/shadow-4.1.3-lastlog.patch 
@@ -0,0 +1,21 @@ +diff -up shadow-4.1.3.1/src/lastlog.c.lastlog shadow-4.1.3.1/src/lastlog.c +--- shadow-4.1.3.1/src/lastlog.c.lastlog 2009-04-22 10:29:53.000000000 +0200 ++++ shadow-4.1.3.1/src/lastlog.c 2009-04-22 10:30:40.000000000 +0200 +@@ -266,8 +266,7 @@ int main (int argc, char **argv) + exit (1); + } + +- print (); +- /* Get the laslog size */ ++ /* Get the lastlog size */ + if (fstat (fileno (lastlogfile), &statbuf) != 0) { + fprintf (stderr, + _("lastlog: Cannot get the size of %s: %s\n"), +@@ -275,6 +274,7 @@ int main (int argc, char **argv) + exit (1); + } + ++ print (); + fclose (lastlogfile); + exit (0); + } diff --git a/shadow-utils.spec b/shadow-utils.spec index a9f2d97..39cc565 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.3.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.gz @@ -9,6 +9,7 @@ Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd Patch0: shadow-4.1.3-redhat.patch Patch1: shadow-4.1.3-goodname.patch +Patch2: shadow-4.1.3-lastlog.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -35,6 +36,7 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname +%patch2 -p1 -b .lastlog iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -174,6 +176,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Apr 22 2009 Peter Vrabec 2:4.1.3.1-2 +- lastlog fix + * Fri Apr 17 2009 Peter Vrabec 2:4.1.3.1-1 - upgrade From c28651e7a422deae97c081fe37e2eaaa95f3e697 Mon Sep 17 00:00:00 2001 
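Review bot: The hunk moves `print ();` below the fstat() check but leaves the ordering constraint undocumented; print() is defined outside the hunk and the old order was presumably running it before `statbuf` was filled, so a comment above the moved call — `/* print () relies on statbuf, so fstat () must succeed first */` — would keep a later cleanup from swapping the two back. The enclosing main() starts outside the hunk.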
From: Peter Vrabec Date: Fri, 15 May 2009 10:46:55 +0000 Subject: [PATCH 038/151] upgrade --- .cvsignore | 2 +- shadow-4.1.3-lastlog.patch | 21 ----------- shadow-4.1.3-redhat.patch | 75 -------------------------------------- shadow-4.1.4-redhat.patch | 75 ++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 11 +++--- sources | 2 +- 6 files changed, 83 insertions(+), 103 deletions(-) delete mode 100644 shadow-4.1.3-lastlog.patch delete mode 100644 shadow-4.1.3-redhat.patch create mode 100644 shadow-4.1.4-redhat.patch diff --git a/.cvsignore b/.cvsignore index e47192e..119a0d7 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -shadow-4.1.3.1.tar.gz +shadow-4.1.4.tar.gz diff --git a/shadow-4.1.3-lastlog.patch b/shadow-4.1.3-lastlog.patch deleted file mode 100644 index 0ef23ca..0000000 --- a/shadow-4.1.3-lastlog.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up shadow-4.1.3.1/src/lastlog.c.lastlog shadow-4.1.3.1/src/lastlog.c ---- shadow-4.1.3.1/src/lastlog.c.lastlog 2009-04-22 10:29:53.000000000 +0200 -+++ shadow-4.1.3.1/src/lastlog.c 2009-04-22 10:30:40.000000000 +0200 -@@ -266,8 +266,7 @@ int main (int argc, char **argv) - exit (1); - } - -- print (); -- /* Get the laslog size */ -+ /* Get the lastlog size */ - if (fstat (fileno (lastlogfile), &statbuf) != 0) { - fprintf (stderr, - _("lastlog: Cannot get the size of %s: %s\n"), -@@ -275,6 +274,7 @@ int main (int argc, char **argv) - exit (1); - } - -+ print (); - fclose (lastlogfile); - exit (0); - } diff --git a/shadow-4.1.3-redhat.patch b/shadow-4.1.3-redhat.patch deleted file mode 100644 index 92ea691..0000000 --- a/shadow-4.1.3-redhat.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -diff -up shadow-4.1.3/libmisc/find_new_gid.c.redhat shadow-4.1.3/libmisc/find_new_gid.c ---- shadow-4.1.3/libmisc/find_new_gid.c.redhat 2009-04-11 17:55:13.000000000 +0200 -+++ shadow-4.1.3/libmisc/find_new_gid.c 2009-04-14 14:49:34.000000000 +0200 -@@ -56,11 +56,11 @@ int find_new_gid (bool sys_group, gid_t - assert (gid != NULL); - - if (!sys_group) { -- gid_min = getdef_ulong ("GID_MIN", 1000L); -+ gid_min = getdef_ulong ("GID_MIN", 500L); - gid_max = getdef_ulong ("GID_MAX", 60000L); - } else { - gid_min = getdef_ulong ("SYS_GID_MIN", 1L); -- gid_max = getdef_ulong ("GID_MIN", 1000L) - 1; -+ gid_max = getdef_ulong ("GID_MIN", 500L) - 1; - gid_max = getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - } - used_gids = alloca (sizeof (char) * gid_max +1); -diff -up shadow-4.1.3/libmisc/find_new_uid.c.redhat shadow-4.1.3/libmisc/find_new_uid.c ---- shadow-4.1.3/libmisc/find_new_uid.c.redhat 2009-04-11 17:53:19.000000000 +0200 -+++ shadow-4.1.3/libmisc/find_new_uid.c 2009-04-14 14:49:34.000000000 +0200 -@@ -56,11 +56,11 @@ int find_new_uid (bool sys_user, uid_t * - assert (uid != NULL); - - if (!sys_user) { -- uid_min = getdef_ulong ("UID_MIN", 1000L); -+ uid_min = getdef_ulong ("UID_MIN", 500L); - uid_max = getdef_ulong ("UID_MAX", 60000L); - } else { - uid_min = getdef_ulong ("SYS_UID_MIN", 1L); -- uid_max = getdef_ulong ("UID_MIN", 1000L) - 1; -+ uid_max = getdef_ulong ("UID_MIN", 500L) - 1; - uid_max = getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); - } - used_uids = alloca (sizeof (char) * uid_max +1); -diff -up shadow-4.1.3/src/useradd.c.redhat shadow-4.1.3/src/useradd.c ---- shadow-4.1.3/src/useradd.c.redhat 2009-04-11 20:39:52.000000000 +0200 -+++ shadow-4.1.3/src/useradd.c 2009-04-14 14:58:17.000000000 +0200 -@@ -89,7 +89,7 @@ char *Prog; - static gid_t def_group = 100; - static const char *def_gname = "other"; - static const char *def_home = "/home"; --static const char *def_shell = ""; -+static const char *def_shell = 
"/sbin/nologin"; - static const char *def_template = SKEL_DIR; - static const char *def_create_mail_spool = "no"; - -@@ -101,7 +101,7 @@ static char def_file[] = USER_DEFAULTS_F - #define VALID(s) (strcspn (s, ":\n") == strlen (s)) - - static const char *user_name = ""; --static const char *user_pass = "!"; -+static const char *user_pass = "!!"; - static uid_t user_id; - static gid_t user_gid; - static const char *user_comment = ""; -@@ -978,9 +978,9 @@ static void process_flags (int argc, cha - }; - while ((c = getopt_long (argc, argv, - #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:", -+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", - #else -- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", -+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", - #endif - long_options, NULL)) != -1) { - switch (c) { -@@ -1130,6 +1130,7 @@ static void process_flags (int argc, cha - case 'M': - Mflg = true; - break; -+ case 'n': - case 'N': - Nflg = true; - break; diff --git a/shadow-4.1.4-redhat.patch b/shadow-4.1.4-redhat.patch new file mode 100644 index 0000000..3143c21 --- /dev/null +++ b/shadow-4.1.4-redhat.patch 
@@ -0,0 +1,75 @@ +diff -up shadow-4.1.4/libmisc/find_new_gid.c.redhat shadow-4.1.4/libmisc/find_new_gid.c +--- shadow-4.1.4/libmisc/find_new_gid.c.redhat 2009-04-23 19:36:42.000000000 +0200 ++++ shadow-4.1.4/libmisc/find_new_gid.c 2009-05-15 12:01:18.000000000 +0200 +@@ -58,11 +58,11 @@ int find_new_gid (bool sys_group, + assert (gid != NULL); + + if (!sys_group) { +- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); ++ gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); + gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); + } else { + gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); +- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; ++ gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } + used_gids = alloca (sizeof (bool) * (gid_max +1)); +diff -up shadow-4.1.4/libmisc/find_new_uid.c.redhat shadow-4.1.4/libmisc/find_new_uid.c +--- shadow-4.1.4/libmisc/find_new_uid.c.redhat 2009-04-23 19:37:12.000000000 +0200 ++++ shadow-4.1.4/libmisc/find_new_uid.c 2009-05-15 12:01:39.000000000 +0200 +@@ -58,11 +58,11 @@ int find_new_uid (bool sys_user, + assert (uid != NULL); + + if (!sys_user) { +- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); + uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + } else { + uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL); +- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; ++ uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; + uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); + } + used_uids = alloca (sizeof (bool) * (uid_max +1)); +diff -up shadow-4.1.4/src/useradd.c.redhat shadow-4.1.4/src/useradd.c +--- shadow-4.1.4/src/useradd.c.redhat 2009-05-10 20:26:35.000000000 +0200 ++++ shadow-4.1.4/src/useradd.c 2009-05-15 11:59:40.000000000 +0200 +@@ -90,7 +90,7 @@ char *Prog; + static gid_t def_group = 100; + static const char *def_gname = "other"; + 
static const char *def_home = "/home"; +-static const char *def_shell = ""; ++static const char *def_shell = "/sbin/nologin"; + static const char *def_template = SKEL_DIR; + static const char *def_create_mail_spool = "no"; + +@@ -102,7 +102,7 @@ static char def_file[] = USER_DEFAULTS_F + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + + static const char *user_name = ""; +-static const char *user_pass = "!"; ++static const char *user_pass = "!!"; + static uid_t user_id; + static gid_t user_gid; + static const char *user_comment = ""; +@@ -996,9 +996,9 @@ static void process_flags (int argc, cha + }; + while ((c = getopt_long (argc, argv, + #ifdef WITH_SELINUX +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", + #else +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", + #endif + long_options, NULL)) != -1) { + switch (c) { +@@ -1148,6 +1148,7 @@ static void process_flags (int argc, cha + case 'M': + Mflg = true; + break; ++ case 'n': + case 'N': + Nflg = true; + break; diff --git a/shadow-utils.spec b/shadow-utils.spec index 39cc565..67d71fd 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,15 +1,14 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.3.1 -Release: 2%{?dist} +Version: 4.1.4 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.gz Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd -Patch0: shadow-4.1.3-redhat.patch +Patch0: shadow-4.1.4-redhat.patch Patch1: shadow-4.1.3-goodname.patch -Patch2: shadow-4.1.3-lastlog.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 
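Review bot: The new `gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1;` (and its uid twin) still underflows when an administrator sets `GID_MIN 0` or sets `SYS_GID_MIN` above `GID_MIN`: the unsigned subtraction wraps, `gid_max + 1` then evaluates to 0 in the following `alloca (sizeof (bool) * (gid_max +1))` unless `SYS_GID_MAX` overrides it, and the `used_gids[]` stores land outside the buffer. Checking the range before it is used, e.g. `if (gid_max < gid_min) { return -1; }` with the same diagnostic the function prints when no GID is free, would close that path. Also, the `500UL` fallback is now written twice per file and has to agree with `UID_MIN`/`GID_MIN` in the shipped login.defs; a single named constant would keep the three from drifting. The enclosing find_new_gid()/find_new_uid() bodies continue outside the hunk.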
@@ -36,7 +35,6 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname -%patch2 -p1 -b .lastlog iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -176,6 +174,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri May 15 2009 Peter Vrabec 2:4.1.4-1 +- upgrade + * Wed Apr 22 2009 Peter Vrabec 2:4.1.3.1-2 - lastlog fix diff --git a/sources b/sources index 9e11f2e..fada83e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -dd22f2ad8f7550bc1177ddcca49877ff shadow-4.1.3.1.tar.gz +e1072df927bfb4410ee4dfe26dd81a17 shadow-4.1.4.tar.gz From f556cf968e74cf1f3395b832bc35df4ad18f7bd5 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 16 Jun 2009 13:23:28 +0000 Subject: [PATCH 039/151] upgrade --- .cvsignore | 2 +- ...ame.patch => shadow-4.1.4.1-goodname.patch | 28 +-- shadow-4.1.4.1-largeGroup.patch | 230 ++++++++++++++++++ shadow-utils.spec | 11 +- sources | 2 +- 5 files changed, 254 insertions(+), 19 deletions(-) rename shadow-4.1.3-goodname.patch => shadow-4.1.4.1-goodname.patch (57%) create mode 100644 shadow-4.1.4.1-largeGroup.patch diff --git a/.cvsignore b/.cvsignore index 119a0d7..0fb2454 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -shadow-4.1.4.tar.gz +shadow-4.1.4.1.tar.bz2 diff --git a/shadow-4.1.3-goodname.patch b/shadow-4.1.4.1-goodname.patch similarity index 57% rename from shadow-4.1.3-goodname.patch rename to shadow-4.1.4.1-goodname.patch index 43b933f..7ba4c2c 100644 --- a/shadow-4.1.3-goodname.patch +++ b/shadow-4.1.4.1-goodname.patch 
@@ -1,7 +1,7 @@ -diff -up shadow-4.1.3/libmisc/chkname.c.goodname shadow-4.1.3/libmisc/chkname.c ---- shadow-4.1.3/libmisc/chkname.c.goodname 2008-12-23 23:42:21.000000000 +0100 -+++ shadow-4.1.3/libmisc/chkname.c 2009-04-14 11:46:21.000000000 +0200 -@@ -54,20 +54,28 @@ +diff -up shadow-4.1.4.1/libmisc/chkname.c.goodname shadow-4.1.4.1/libmisc/chkname.c +--- shadow-4.1.4.1/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/chkname.c 2009-06-16 13:47:08.000000000 +0200 +@@ -49,20 +49,28 @@ static bool is_valid_name (const char *name) { /* 
@@ -40,28 +40,28 @@ diff -up shadow-4.1.3/libmisc/chkname.c.goodname shadow-4.1.3/libmisc/chkname.c return false; } } -diff -up shadow-4.1.3/man/groupadd.8.goodname shadow-4.1.3/man/groupadd.8 ---- shadow-4.1.3/man/groupadd.8.goodname 2009-04-12 04:46:15.000000000 +0200 -+++ shadow-4.1.3/man/groupadd.8 2009-04-14 11:45:13.000000000 +0200 -@@ -139,9 +139,7 @@ Shadow password suite configuration\&. +diff -up shadow-4.1.4.1/man/groupadd.8.goodname shadow-4.1.4.1/man/groupadd.8 +--- shadow-4.1.4.1/man/groupadd.8.goodname 2009-05-22 15:56:08.000000000 +0200 ++++ shadow-4.1.4.1/man/groupadd.8 2009-06-16 13:50:41.000000000 +0200 +@@ -153,9 +153,7 @@ Shadow password suite configuration\&. .RE .SH "CAVEATS" .PP --Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? -.PP -Groupnames may only be up to 16 characters long\&. +Groupnames may only be up to 32 characters long\&. .PP You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. .PP -diff -up shadow-4.1.3/man/useradd.8.goodname shadow-4.1.3/man/useradd.8 ---- shadow-4.1.3/man/useradd.8.goodname 2009-04-12 04:46:35.000000000 +0200 -+++ shadow-4.1.3/man/useradd.8 2009-04-14 11:45:13.000000000 +0200 -@@ -385,8 +385,6 @@ Similarly, if the username already exist +diff -up shadow-4.1.4.1/man/useradd.8.goodname shadow-4.1.4.1/man/useradd.8 +--- shadow-4.1.4.1/man/useradd.8.goodname 2009-05-22 15:56:28.000000000 +0200 ++++ shadow-4.1.4.1/man/useradd.8 2009-06-16 13:51:17.000000000 +0200 +@@ -405,8 +405,6 @@ Similarly, if the username already exist \fBuseradd\fR will deny the user account creation request\&. 
.PP --Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? -.PP Usernames may only be up to 32 characters long\&. .SH "CONFIGURATION" diff --git a/shadow-4.1.4.1-largeGroup.patch b/shadow-4.1.4.1-largeGroup.patch new file mode 100644 index 0000000..8777e24 --- /dev/null +++ b/shadow-4.1.4.1-largeGroup.patch 
@@ -0,0 +1,230 @@ +diff -U0 shadow-4.1.4.1/ChangeLog.large_group shadow-4.1.4.1/ChangeLog +diff -up shadow-4.1.4.1/lib/gshadow.c.large_group shadow-4.1.4.1/lib/gshadow.c +--- shadow-4.1.4.1/lib/gshadow.c.large_group 2009-04-23 13:53:56.000000000 +0200 ++++ shadow-4.1.4.1/lib/gshadow.c 2009-06-16 14:47:08.000000000 +0200 +@@ -2,7 +2,7 @@ + * Copyright (c) 1990 - 1994, Julianne Frances Haugh + * Copyright (c) 1996 - 1998, Marek Michałkiewicz + * Copyright (c) 2005 , Tomasz Kłoczko +- * Copyright (c) 2008 , Nicolas François ++ * Copyright (c) 2008 - 2009, Nicolas François + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -41,7 +41,6 @@ + #include "prototypes.h" + #include "defines.h" + static /*@null@*/FILE *shadow; +-static char sgrbuf[BUFSIZ * 4]; + static /*@null@*//*@only@*/char **members = NULL; + static size_t nmembers = 0; + static /*@null@*//*@only@*/char **admins = NULL; +@@ -131,12 +130,25 @@ void endsgent (void) + + /*@observer@*//*@null@*/struct sgrp *sgetsgent (const char *string) + { ++ static char *sgrbuf = NULL; ++ static size_t sgrbuflen = 0; ++ + char *fields[FIELDS]; + char *cp; + int i; ++ size_t len = strlen (string) + 1; ++ ++ if (len > sgrbuflen) { ++ char *buf = (char *) realloc (sgrbuf, sizeof (char) * len); ++ if (NULL == buf) { ++ return NULL; ++ } ++ sgrbuf = buf; ++ sgrbuflen = len; ++ } + +- strncpy (sgrbuf, string, sizeof sgrbuf - 1); +- sgrbuf[sizeof sgrbuf - 1] = '\0'; ++ strncpy (sgrbuf, string, len); ++ sgrbuf[len-1] = '\0'; + + cp = strrchr (sgrbuf, '\n'); + if (NULL != cp) { +@@ -161,7 +173,7 @@ void endsgent (void) + * the line is invalid. 
+ */ + +- if ((NULL != cp) || (i != FIELDS)) ++ if ((NULL != cp) || (i != FIELDS)) { + #ifdef USE_NIS + if (!IS_NISCHAR (fields[0][0])) { + return 0; +@@ -171,6 +183,7 @@ void endsgent (void) + #else + return 0; + #endif ++ } + + sgroup.sg_name = fields[0]; + sgroup.sg_passwd = fields[1]; +@@ -199,20 +212,48 @@ void endsgent (void) + + /*@observer@*//*@null@*/struct sgrp *fgetsgent (/*@null@*/FILE * fp) + { +- char buf[sizeof sgrbuf]; ++ static size_t buflen = 0; ++ static char *buf = NULL; ++ + char *cp; ++ struct sgrp *ret; ++ ++ if (0 == buflen) { ++ buf = (char *) malloc (BUFSIZ); ++ if (NULL == buf) { ++ return NULL; ++ } ++ } + + if (NULL == fp) { +- return (0); ++ return NULL; + } + + #ifdef USE_NIS +- while (fgetsx (buf, (int) sizeof buf, fp) != (char *) 0) ++ while (fgetsx (buf, (int) sizeof buf, fp) == buf) + #else +- if (fgetsx (buf, (int) sizeof buf, fp) != (char *) 0) ++ if (fgetsx (buf, (int) sizeof buf, fp) == buf) + #endif + { +- cp = strchr (buf, '\n'); ++ while ( ((cp = strrchr (buf, '\n')) == NULL) ++ && (feof (fp) == 0)) { ++ size_t len; ++ ++ cp = (char *) realloc (buf, buflen*2); ++ if (NULL == cp) { ++ return NULL; ++ } ++ buf = cp; ++ buflen *= 2; ++ ++ len = strlen (buf); ++ if (fgetsx (&buf[len], ++ (int) (buflen - len), ++ fp) != &buf[len]) { ++ return NULL; ++ } ++ } ++ cp = strrchr (buf, '\n'); + if (NULL != cp) { + *cp = '\0'; + } +@@ -223,7 +264,7 @@ void endsgent (void) + #endif + return (sgetsgent (buf)); + } +- return 0; ++ return NULL; + } + + /* +@@ -235,7 +276,6 @@ void endsgent (void) + #ifdef USE_NIS + bool nis_1_group = false; + struct sgrp *val; +- char buf[BUFSIZ]; + #endif + if (NULL == shadow) { + setsgent (); +@@ -334,7 +374,6 @@ void endsgent (void) + struct sgrp *sgrp; + + #ifdef USE_NIS +- char buf[BUFSIZ]; + static char save_name[16]; + int nis_disabled = 0; + #endif +diff -up shadow-4.1.4.1/libmisc/xgetgrgid.c.large_group shadow-4.1.4.1/libmisc/xgetgrgid.c +--- shadow-4.1.4.1/libmisc/xgetgrgid.c.large_group 
2008-09-06 16:56:51.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetgrgid.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE gid_t + #define ARG_NAME gid + #define DUP_FUNCTION __gr_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETGRGID_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetgrnam.c.large_group shadow-4.1.4.1/libmisc/xgetgrnam.c +--- shadow-4.1.4.1/libmisc/xgetgrnam.c.large_group 2008-09-06 16:56:57.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetgrnam.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE const char * + #define ARG_NAME name + #define DUP_FUNCTION __gr_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETGRNAM_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetpwnam.c.large_group shadow-4.1.4.1/libmisc/xgetpwnam.c +--- shadow-4.1.4.1/libmisc/xgetpwnam.c.large_group 2008-09-06 16:57:05.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetpwnam.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE const char * + #define ARG_NAME name + #define DUP_FUNCTION __pw_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETPWNAM_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetpwuid.c.large_group shadow-4.1.4.1/libmisc/xgetpwuid.c +--- shadow-4.1.4.1/libmisc/xgetpwuid.c.large_group 2008-09-06 16:57:11.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetpwuid.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ + #define ARG_TYPE uid_t + #define ARG_NAME uid + #define DUP_FUNCTION __pw_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETPWUID_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetspnam.c.large_group shadow-4.1.4.1/libmisc/xgetspnam.c +--- shadow-4.1.4.1/libmisc/xgetspnam.c.large_group 2008-09-06 16:57:17.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetspnam.c 2009-06-16 14:15:08.000000000 +0200 +@@ -58,7 +58,6 @@ 
+ #define ARG_TYPE const char * + #define ARG_NAME name + #define DUP_FUNCTION __spw_dup +-#define MAX_LENGTH 0x8000 + #define HAVE_FUNCTION_R (defined HAVE_GETSPNAM_R) + + #include "xgetXXbyYY.c" +diff -up shadow-4.1.4.1/libmisc/xgetXXbyYY.c.large_group shadow-4.1.4.1/libmisc/xgetXXbyYY.c +--- shadow-4.1.4.1/libmisc/xgetXXbyYY.c.large_group 2009-04-23 11:15:53.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/xgetXXbyYY.c 2009-06-16 14:15:08.000000000 +0200 +@@ -79,7 +79,7 @@ + exit (13); + } + +- do { ++ while (true) { + int status; + LOOKUP_TYPE *resbuf = NULL; + buffer = (char *)realloc (buffer, length); +@@ -106,8 +106,14 @@ + return NULL; + } + +- length *= 4; +- } while (length < MAX_LENGTH); ++ if (length <= ((size_t)-1 / 4)) { ++ length *= 4; ++ } else if (length == (size_t) -1) { ++ break; ++ } else { ++ length = (size_t) -1; ++ } ++ } + + free(buffer); + free(result); +diff -up shadow-4.1.4.1/NEWS.large_group shadow-4.1.4.1/NEWS diff --git a/shadow-utils.spec b/shadow-utils.spec index 67d71fd..4adf658 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,14 +1,15 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.4 +Version: 4.1.4.1 Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.gz +Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd Patch0: shadow-4.1.4-redhat.patch -Patch1: shadow-4.1.3-goodname.patch +Patch1: shadow-4.1.4.1-goodname.patch +Patch2: shadow-4.1.4.1-largeGroup.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 
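Review bot: In the new fgetsgent(), `buflen` is never set after `buf = (char *) malloc (BUFSIZ);`, and both reads still pass `(int) sizeof buf`, which is now the size of a pointer rather than of the buffer. The first fgetsx() therefore reads at most sizeof(char *) - 1 characters, the growth loop then calls `realloc (buf, buflen*2)` with `buflen*2 == 0` (implementation-defined; on glibc that frees `buf` and returns NULL, so every line longer than a few characters makes the function return NULL), and `(int) (buflen - len)` would go negative if it were reached. The fix is three lines: add `buflen = BUFSIZ;` right after the successful malloc, and change both reads to `fgetsx (buf, (int) buflen, fp)`. `struct sgrp *ret;` also looks unused in the visible lines; drop it or use it for the final `sgetsgent (buf)` result.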
@@ -35,6 +36,7 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname +%patch2 -p1 -b .largeGroup iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -174,6 +176,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jun 16 2009 Peter Vrabec 2:4.1.4.1-1 +- upgrade + * Fri May 15 2009 Peter Vrabec 2:4.1.4-1 - upgrade diff --git a/sources b/sources index fada83e..13714cc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e1072df927bfb4410ee4dfe26dd81a17 shadow-4.1.4.tar.gz +62f7dae4cb54fa84e478c4602d58cbe8 shadow-4.1.4.1.tar.bz2 From abc277db5652f445fe8b9398bfde02f7c2b5b687 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 16 Jul 2009 13:41:55 +0000 Subject: [PATCH 040/151] - fix a list of owned directories (#510366) - reduce the reuse of system IDs - speed up sys users look up on LDAP boxes (#511813) --- shadow-4.1.4.1-ldap.patch | 85 ++++++++++ shadow-4.1.4.1-sysacc.patch | 300 ++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 19 ++- 3 files changed, 402 insertions(+), 2 deletions(-) create mode 100644 shadow-4.1.4.1-ldap.patch create mode 100644 shadow-4.1.4.1-sysacc.patch diff --git a/shadow-4.1.4.1-ldap.patch b/shadow-4.1.4.1-ldap.patch new file mode 100644 index 0000000..9d97188 --- /dev/null +++ b/shadow-4.1.4.1-ldap.patch 
@@ -0,0 +1,85 @@ +diff -up shadow-4.1.4.1/libmisc/find_new_gid.c.ldap shadow-4.1.4.1/libmisc/find_new_gid.c +--- shadow-4.1.4.1/libmisc/find_new_gid.c.ldap 2009-07-16 10:37:41.653798746 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_gid.c 2009-07-16 10:44:14.482808945 +0200 +@@ -90,17 +90,26 @@ int find_new_gid (bool sys_group, + * but we also check the local database (gr_rewind/gr_next) in case + * some groups were created but the changes were not committed yet. + */ +- setgrent (); +- while ((grp = getgrent ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; ++ if (sys_group ) { ++ for(group_id = gid_min; group_id<=gid_max; group_id++) { ++ grp = getgrgid(group_id); ++ if(grp) ++ used_gids[grp->gr_gid] = true; + } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ } ++ else { ++ setgrent (); ++ while ((grp = getgrent ()) != NULL) { ++ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { ++ group_id = grp->gr_gid + 1; ++ } ++ /* create index of used GIDs */ ++ if (grp->gr_gid <= gid_max) { ++ used_gids[grp->gr_gid] = true; ++ } + } ++ endgrent (); + } +- endgrent (); + gr_rewind (); + while ((grp = gr_next ()) != NULL) { + if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +diff -up shadow-4.1.4.1/libmisc/find_new_uid.c.ldap shadow-4.1.4.1/libmisc/find_new_uid.c +--- shadow-4.1.4.1/libmisc/find_new_uid.c.ldap 2009-07-16 10:37:41.653798746 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_uid.c 2009-07-16 10:37:41.668798323 +0200 +@@ -91,17 +91,27 @@ int find_new_uid (bool sys_user, + * but we also check the local database (pw_rewind/pw_next) in case + * some users were created but the changes were not committed yet. 
+ */ +- setpwent (); +- while ((pwd = getpwent ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; ++ /* speed up sys users look up on LDAP boxes */ ++ if (sys_user) { ++ for (user_id = uid_min; user_id<=uid_max; user_id++) { ++ pwd = getpwuid(user_id); ++ if(pwd) ++ used_uids[user_id] = true; + } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ } ++ else { ++ setpwent (); ++ while ((pwd = getpwent ()) != NULL) { ++ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { ++ user_id = pwd->pw_uid + 1; ++ } ++ /* create index of used UIDs */ ++ if (pwd->pw_uid <= uid_max) { ++ used_uids[pwd->pw_uid] = true; ++ } + } ++ endpwent (); + } +- endpwent (); + pw_rewind (); + while ((pwd = pw_next ()) != NULL) { + if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +@@ -113,6 +123,7 @@ int find_new_uid (bool sys_user, + } + } + ++ + /* find free system account in reverse order */ + if (sys_user) { + for (user_id = uid_max; user_id >= uid_min; user_id--) { diff --git a/shadow-4.1.4.1-sysacc.patch b/shadow-4.1.4.1-sysacc.patch new file mode 100644 index 0000000..3e204bd --- /dev/null +++ b/shadow-4.1.4.1-sysacc.patch 
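Review bot: The new system-account scan in find_new_gid.c marks `used_gids[grp->gr_gid] = true` while the parallel loop in find_new_uid.c marks `used_uids[user_id]`; should an NSS backend ever answer getgrgid(id) with an entry whose gr_gid differs from `id`, the gid version indexes a stack array sized `gid_max + 1` with an unchecked value, so it should index by the loop variable as the uid version does: `used_gids[group_id] = true;`. Both loops also leave `group_id`/`user_id` at `gid_max + 1`/`uid_max + 1` after the scan, which only works because the reverse search that follows reassigns them; a one-line comment there, `/* id is reset by the reverse search below */`, would make that dependency explicit. The added `if(grp)`/`if(pwd)` bodies are unbraced and the spacing (`if (sys_group )`, `group_id<=gid_max`) differs from the surrounding code, which braces every body and writes `if (...) {`. The enclosing functions start and end outside the hunk.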
@@ -0,0 +1,300 @@ +diff -up shadow-4.1.4.1/libmisc/find_new_gid.c.sysacc shadow-4.1.4.1/libmisc/find_new_gid.c +--- shadow-4.1.4.1/libmisc/find_new_gid.c.sysacc 2009-07-16 11:51:34.807860808 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_gid.c 2009-07-16 14:19:08.678798578 +0200 +@@ -52,7 +52,7 @@ int find_new_gid (bool sys_group, + /*@null@*/gid_t const *preferred_gid) + { + const struct group *grp; +- gid_t gid_min, gid_max, group_id; ++ gid_t gid_min, gid_max, group_id, id; + bool *used_gids; + + assert (gid != NULL); +@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, + gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); + gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); + } else { +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); + gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } +@@ -80,7 +80,6 @@ int find_new_gid (bool sys_group, + return 0; + } + +- group_id = gid_min; + + /* + * Search the entire group file, +@@ -91,13 +90,28 @@ int find_new_gid (bool sys_group, + * some groups were created but the changes were not committed yet. 
+ */ + if (sys_group ) { +- for(group_id = gid_min; group_id<=gid_max; group_id++) { +- grp = getgrgid(group_id); +- if(grp) ++ group_id = gid_max; ++ for(id = gid_max; id>=gid_min; id--) { ++ grp = getgrgid(id); ++ if(grp) { ++ group_id = id - 1; + used_gids[grp->gr_gid] = true; ++ } ++ } ++ ++ gr_rewind (); ++ while ((grp = gr_next ()) != NULL) { ++ if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { ++ group_id = grp->gr_gid - 1; ++ } ++ /* create index of used GIDs */ ++ if (grp->gr_gid <= gid_max) { ++ used_gids[grp->gr_gid] = true; ++ } + } + } + else { ++ group_id = gid_min; + setgrent (); + while ((grp = getgrent ()) != NULL) { + if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +@@ -109,32 +123,16 @@ int find_new_gid (bool sys_group, + } + } + endgrent (); +- } +- gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; +- } +- } + +- /* find free system account in reverse order */ +- if (sys_group) { +- for (group_id = gid_max; group_id >= gid_min; group_id--) { +- if (false == used_gids[group_id]) { +- break; ++ gr_rewind (); ++ while ((grp = gr_next ()) != NULL) { ++ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { ++ group_id = grp->gr_gid + 1; ++ } ++ /* create index of used GIDs */ ++ if (grp->gr_gid <= gid_max) { ++ used_gids[grp->gr_gid] = true; + } +- } +- if ( group_id < gid_min ) { +- fprintf (stderr, +- _("%s: Can't get unique GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available GID on the system")); +- return -1; + } + } + +@@ -143,16 +141,35 @@ int find_new_gid (bool sys_group, + * will give us GID_MAX+1 even if not unique. Search for the first + * free GID starting with GID_MIN. 
+ */ +- if (group_id == gid_max + 1) { +- for (group_id = gid_min; group_id < gid_max; group_id++) { +- if (false == used_gids[group_id]) { +- break; ++ if (sys_group) { ++ if (group_id == gid_min - 1) { ++ for (group_id = gid_max; group_id >= gid_min; group_id--) { ++ if (false == used_gids[group_id]) { ++ break; ++ } ++ } ++ if ( group_id < gid_min ) { ++ fprintf (stderr, ++ _("%s: Can't get unique GID (no more available GIDs)\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "no more available GID on the system")); ++ return -1; + } + } +- if (group_id == gid_max) { +- fprintf (stderr, _("%s: Can't get unique GID (no more available GIDs)\n"), Prog); +- SYSLOG ((LOG_WARN, "no more available GID on the system")); +- return -1; ++ } ++ else { ++ if (group_id == gid_max + 1) { ++ for (group_id = gid_min; group_id < gid_max; group_id++) { ++ if (false == used_gids[group_id]) { ++ break; ++ } ++ } ++ if (group_id == gid_max) { ++ fprintf (stderr, _("%s: Can't get unique GID (no more available GIDs)\n"), Prog); ++ SYSLOG ((LOG_WARN, "no more available GID on the system")); ++ return -1; ++ } + } + } + +diff -up shadow-4.1.4.1/libmisc/find_new_uid.c.sysacc shadow-4.1.4.1/libmisc/find_new_uid.c +--- shadow-4.1.4.1/libmisc/find_new_uid.c.sysacc 2009-07-16 11:51:34.807860808 +0200 ++++ shadow-4.1.4.1/libmisc/find_new_uid.c 2009-07-16 14:13:38.120798526 +0200 +@@ -52,7 +52,7 @@ int find_new_uid (bool sys_user, + /*@null@*/uid_t const *preferred_uid) + { + const struct passwd *pwd; +- uid_t uid_min, uid_max, user_id; ++ uid_t uid_min, uid_max, user_id, id; + bool *used_uids; + + assert (uid != NULL); +@@ -61,7 +61,7 @@ int find_new_uid (bool sys_user, + uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); + uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + } else { +- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL); ++ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); + uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; + uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", 
(unsigned long) uid_max); + } +@@ -81,8 +81,6 @@ int find_new_uid (bool sys_user, + } + + +- user_id = uid_min; +- + /* + * Search the entire password file, + * looking for the largest unused value. +@@ -91,15 +89,30 @@ int find_new_uid (bool sys_user, + * but we also check the local database (pw_rewind/pw_next) in case + * some users were created but the changes were not committed yet. + */ +- /* speed up sys users look up on LDAP boxes */ + if (sys_user) { +- for (user_id = uid_min; user_id<=uid_max; user_id++) { +- pwd = getpwuid(user_id); +- if(pwd) ++ user_id = uid_max; ++ for (id = uid_max; id>=uid_min; id--) { ++ pwd = getpwuid(id); ++ if(pwd) { ++ user_id = id - 1; + used_uids[user_id] = true; ++ } + } ++ ++ pw_rewind (); ++ while ((pwd = pw_next ()) != NULL) { ++ if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { ++ user_id = pwd->pw_uid - 1; ++ } ++ /* create index of used UIDs */ ++ if (pwd->pw_uid <= uid_max) { ++ used_uids[pwd->pw_uid] = true; ++ } ++ } ++ + } + else { ++ user_id = uid_min; + setpwent (); + while ((pwd = getpwent ()) != NULL) { + if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +@@ -111,51 +124,55 @@ int find_new_uid (bool sys_user, + } + } + endpwent (); +- } +- pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; +- } +- } +- + +- /* find free system account in reverse order */ +- if (sys_user) { +- for (user_id = uid_max; user_id >= uid_min; user_id--) { +- if (false == used_uids[user_id]) { +- break; ++ pw_rewind (); ++ while ((pwd = pw_next ()) != NULL) { ++ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { ++ user_id = pwd->pw_uid + 1; ++ } ++ /* create index of used UIDs */ ++ if (pwd->pw_uid <= uid_max) { ++ used_uids[pwd->pw_uid] = true; + } +- } +- if (user_id < uid_min ) { +- fprintf (stderr, +- 
_("%s: Can't get unique system UID (no more available UIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available UID on the system")); +- return -1; + } + } + ++ + /* + * If a user with UID equal to UID_MAX exists, the above algorithm + * will give us UID_MAX+1 even if not unique. Search for the first + * free UID starting with UID_MIN. + */ +- if (user_id == uid_max + 1) { +- for (user_id = uid_min; user_id < uid_max; user_id++) { +- if (false == used_uids[user_id]) { +- break; ++ if (sys_user) { ++ if (user_id == uid_min - 1) { ++ for (user_id = uid_max; user_id >= uid_min; user_id--) { ++ if (false == used_uids[user_id]) { ++ break; ++ } ++ } ++ if (user_id < uid_min ) { ++ fprintf (stderr, ++ _("%s: Can't get unique system UID (no more available UIDs)\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "no more available UID on the system")); ++ return -1; + } + } +- if (user_id == uid_max) { +- fprintf (stderr, _("%s: Can't get unique UID (no more available UIDs)\n"), Prog); +- SYSLOG ((LOG_WARN, "no more available UID on the system")); +- return -1; ++ } ++ else { ++ if (user_id == uid_max + 1) { ++ for (user_id = uid_min; user_id < uid_max; user_id++) { ++ if (false == used_uids[user_id]) { ++ break; ++ } ++ } ++ if (user_id == uid_max) { ++ fprintf (stderr, _("%s: Can't get unique UID (no more available UIDs)\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, "no more available UID on the system")); ++ return -1; ++ } + } + } + diff --git a/shadow-utils.spec b/shadow-utils.spec index 4adf658..ffd2846 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.1 -Release: 1%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
@@ -10,6 +10,8 @@ Source2: shadow-4.0.18.1-useradd Patch0: shadow-4.1.4-redhat.patch Patch1: shadow-4.1.4.1-goodname.patch Patch2: shadow-4.1.4.1-largeGroup.patch +Patch3: shadow-4.1.4.1-ldap.patch +Patch4: shadow-4.1.4.1-sysacc.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -37,6 +39,8 @@ are used for managing group accounts. %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname %patch2 -p1 -b .largeGroup +%patch3 -p1 -b .ldap +%patch4 -p1 -b .sysacc iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -125,7 +129,9 @@ find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do dir=$(echo $dir | sed -e "s|^$RPM_BUILD_ROOT||") lang=$(basename $dir) - echo "%%lang($lang) $dir/man*/*" >> shadow.lang + echo "%%lang($lang) $dir" >> shadow.lang + echo "%%lang($lang) $dir/man*" >> shadow.lang +# echo "%%lang($lang) $dir/man*/*" >> shadow.lang done %clean @@ -176,6 +182,15 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 16 2009 Peter Vrabec 2:4.1.4.1-4 +- fix a list of owned directories (#510366) + +* Thu Jul 16 2009 Peter Vrabec 2:4.1.4.1-3 +- reduce the reuse of system IDs + +* Wed Jul 15 2009 Peter Vrabec 2:4.1.4.1-2 +- speed up sys users look up on LDAP boxes (#511813) + * Tue Jun 16 2009 Peter Vrabec 2:4.1.4.1-1 - upgrade From ea26d8a6465cb703a7ac4bba6ee8b19102c99ebe Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Mon, 27 Jul 2009 04:15:11 +0000 Subject: [PATCH 041/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index ffd2846..1f0778c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
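Review bot: The `%lang` loop in the `@@ -125,7 +129,9 @@` hunk leaves the old `echo "%%lang($lang) $dir/man*/*"` line behind as a comment; commented-out code should be deleted rather than kept, since the changelog entry in this commit already records the change. Listing `$dir` itself in a %files list makes rpm own that directory and, as far as I recall rpm's %files semantics, everything beneath it, so the second line `echo "%%lang($lang) $dir/man*" >> shadow.lang` may be redundant and is worth checking against the build log for duplicate-file warnings.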
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.1 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -182,6 +182,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sun Jul 26 2009 Fedora Release Engineering - 2:4.1.4.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + * Thu Jul 16 2009 Peter Vrabec 2:4.1.4.1-4 - fix a list of owned directories (#510366) From 2b93b0c13a5991032175a07ccb07862bf40be8e6 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 5 Aug 2009 11:50:03 +0000 Subject: [PATCH 042/151] increase threshold for uid/gid reservations to 200 (#515667) --- shadow-4.1.4.1-sysacc.patch | 4 ++-- shadow-utils.spec | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/shadow-4.1.4.1-sysacc.patch b/shadow-4.1.4.1-sysacc.patch index 3e204bd..8a6de17 100644 --- a/shadow-4.1.4.1-sysacc.patch +++ b/shadow-4.1.4.1-sysacc.patch @@ -15,7 +15,7 @@ diff -up shadow-4.1.4.1/libmisc/find_new_gid.c.sysacc shadow-4.1.4.1/libmisc/fin gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); } else { - gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); } 
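Review bot: The fallback value in `getdef_ulong ("SYS_GID_MIN", 201UL)` (and `SYS_UID_MIN` in the `@@ -161,7 +161,7 @@` hunk) only applies when login.defs does not define the key, so on a system whose login.defs still carries the old threshold the reservation this commit describes is not in effect. If the package ships a login.defs, that file is not touched by this commit and should set the same values; the reason for the number also deserves a comment at the call site, e.g. `/* IDs below SYS_UID_MIN/SYS_GID_MIN are reserved; see #515667 */`, since a bare 201 reads as a magic constant.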
@@ -161,7 +161,7 @@ diff -up shadow-4.1.4.1/libmisc/find_new_uid.c.sysacc shadow-4.1.4.1/libmisc/fin uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); } else { - uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL); -+ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); ++ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 201UL); uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); } diff --git a/shadow-utils.spec b/shadow-utils.spec index 1f0778c..d363f46 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.1 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -182,6 +182,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Aug 05 2009 Peter Vrabec 2:4.1.4.1-6 +- increase threshold for uid/gid reservations to 200 (#515667) + * Sun Jul 26 2009 Fedora Release Engineering - 2:4.1.4.1-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild From 8c5573deab942d420298329ffe721e736818cf0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Fri, 21 Aug 2009 11:18:13 +0000 Subject: [PATCH 043/151] - rebuilt with new audit --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index d363f46..f0c816d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.1 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
@@ -182,6 +182,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Aug 21 2009 Tomas Mraz - 2:4.1.4.1-7 +- rebuilt with new audit + * Wed Aug 05 2009 Peter Vrabec 2:4.1.4.1-6 - increase threshold for uid/gid reservations to 200 (#515667) From cdd12ed1d1ba88f062bd9d6707f14b40e792ebd1 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 7 Sep 2009 14:56:09 +0000 Subject: [PATCH 044/151] upgrade --- .cvsignore | 2 +- shadow-4.1.4.1-largeGroup.patch | 230 -------------- shadow-4.1.4.1-ldap.patch | 85 ----- shadow-4.1.4.1-sysacc.patch | 300 ------------------ shadow-4.1.4.2-fixes.patch | 65 ++++ shadow-4.1.4.2-leak.patch | 108 +++++++ ...edhat.patch => shadow-4.1.4.2-redhat.patch | 28 +- shadow-utils.spec | 21 +- sources | 2 +- 9 files changed, 201 insertions(+), 640 deletions(-) delete mode 100644 shadow-4.1.4.1-largeGroup.patch delete mode 100644 shadow-4.1.4.1-ldap.patch delete mode 100644 shadow-4.1.4.1-sysacc.patch create mode 100644 shadow-4.1.4.2-fixes.patch create mode 100644 shadow-4.1.4.2-leak.patch rename shadow-4.1.4-redhat.patch => shadow-4.1.4.2-redhat.patch (67%) diff --git a/.cvsignore b/.cvsignore index 0fb2454..ccacfb0 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -shadow-4.1.4.1.tar.bz2 +shadow-4.1.4.2.tar.bz2 diff --git a/shadow-4.1.4.1-largeGroup.patch b/shadow-4.1.4.1-largeGroup.patch deleted file mode 100644 index 8777e24..0000000 --- a/shadow-4.1.4.1-largeGroup.patch +++ /dev/null 
@@ -1,230 +0,0 @@ -diff -U0 shadow-4.1.4.1/ChangeLog.large_group shadow-4.1.4.1/ChangeLog -diff -up shadow-4.1.4.1/lib/gshadow.c.large_group shadow-4.1.4.1/lib/gshadow.c ---- shadow-4.1.4.1/lib/gshadow.c.large_group 2009-04-23 13:53:56.000000000 +0200 -+++ shadow-4.1.4.1/lib/gshadow.c 2009-06-16 14:47:08.000000000 +0200 -@@ -2,7 +2,7 @@ - * Copyright (c) 1990 - 1994, Julianne Frances Haugh - * Copyright (c) 1996 - 1998, Marek Michałkiewicz - * Copyright (c) 2005 , Tomasz Kłoczko -- * Copyright (c) 2008 , Nicolas François -+ * Copyright (c) 2008 - 2009, Nicolas François - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without -@@ -41,7 +41,6 @@ - #include "prototypes.h" - #include "defines.h" - static /*@null@*/FILE *shadow; --static char sgrbuf[BUFSIZ * 4]; - static /*@null@*//*@only@*/char **members = NULL; - static size_t nmembers = 0; - static /*@null@*//*@only@*/char **admins = NULL; -@@ -131,12 +130,25 @@ void endsgent (void) - - /*@observer@*//*@null@*/struct sgrp *sgetsgent (const char *string) - { -+ static char *sgrbuf = NULL; -+ static size_t sgrbuflen = 0; -+ - char *fields[FIELDS]; - char *cp; - int i; -+ size_t len = strlen (string) + 1; -+ -+ if (len > sgrbuflen) { -+ char *buf = (char *) realloc (sgrbuf, sizeof (char) * len); -+ if (NULL == buf) { -+ return NULL; -+ } -+ sgrbuf = buf; -+ sgrbuflen = len; -+ } - -- strncpy (sgrbuf, string, sizeof sgrbuf - 1); -- sgrbuf[sizeof sgrbuf - 1] = '\0'; -+ strncpy (sgrbuf, string, len); -+ sgrbuf[len-1] = '\0'; - - cp = strrchr (sgrbuf, '\n'); - if (NULL != cp) { -@@ -161,7 +173,7 @@ void endsgent (void) - * the line is invalid. 
- */ - -- if ((NULL != cp) || (i != FIELDS)) -+ if ((NULL != cp) || (i != FIELDS)) { - #ifdef USE_NIS - if (!IS_NISCHAR (fields[0][0])) { - return 0; -@@ -171,6 +183,7 @@ void endsgent (void) - #else - return 0; - #endif -+ } - - sgroup.sg_name = fields[0]; - sgroup.sg_passwd = fields[1]; -@@ -199,20 +212,48 @@ void endsgent (void) - - /*@observer@*//*@null@*/struct sgrp *fgetsgent (/*@null@*/FILE * fp) - { -- char buf[sizeof sgrbuf]; -+ static size_t buflen = 0; -+ static char *buf = NULL; -+ - char *cp; -+ struct sgrp *ret; -+ -+ if (0 == buflen) { -+ buf = (char *) malloc (BUFSIZ); -+ if (NULL == buf) { -+ return NULL; -+ } -+ } - - if (NULL == fp) { -- return (0); -+ return NULL; - } - - #ifdef USE_NIS -- while (fgetsx (buf, (int) sizeof buf, fp) != (char *) 0) -+ while (fgetsx (buf, (int) sizeof buf, fp) == buf) - #else -- if (fgetsx (buf, (int) sizeof buf, fp) != (char *) 0) -+ if (fgetsx (buf, (int) sizeof buf, fp) == buf) - #endif - { -- cp = strchr (buf, '\n'); -+ while ( ((cp = strrchr (buf, '\n')) == NULL) -+ && (feof (fp) == 0)) { -+ size_t len; -+ -+ cp = (char *) realloc (buf, buflen*2); -+ if (NULL == cp) { -+ return NULL; -+ } -+ buf = cp; -+ buflen *= 2; -+ -+ len = strlen (buf); -+ if (fgetsx (&buf[len], -+ (int) (buflen - len), -+ fp) != &buf[len]) { -+ return NULL; -+ } -+ } -+ cp = strrchr (buf, '\n'); - if (NULL != cp) { - *cp = '\0'; - } -@@ -223,7 +264,7 @@ void endsgent (void) - #endif - return (sgetsgent (buf)); - } -- return 0; -+ return NULL; - } - - /* -@@ -235,7 +276,6 @@ void endsgent (void) - #ifdef USE_NIS - bool nis_1_group = false; - struct sgrp *val; -- char buf[BUFSIZ]; - #endif - if (NULL == shadow) { - setsgent (); -@@ -334,7 +374,6 @@ void endsgent (void) - struct sgrp *sgrp; - - #ifdef USE_NIS -- char buf[BUFSIZ]; - static char save_name[16]; - int nis_disabled = 0; - #endif -diff -up shadow-4.1.4.1/libmisc/xgetgrgid.c.large_group shadow-4.1.4.1/libmisc/xgetgrgid.c ---- shadow-4.1.4.1/libmisc/xgetgrgid.c.large_group 
2008-09-06 16:56:51.000000000 +0200 -+++ shadow-4.1.4.1/libmisc/xgetgrgid.c 2009-06-16 14:15:08.000000000 +0200 -@@ -58,7 +58,6 @@ - #define ARG_TYPE gid_t - #define ARG_NAME gid - #define DUP_FUNCTION __gr_dup --#define MAX_LENGTH 0x8000 - #define HAVE_FUNCTION_R (defined HAVE_GETGRGID_R) - - #include "xgetXXbyYY.c" -diff -up shadow-4.1.4.1/libmisc/xgetgrnam.c.large_group shadow-4.1.4.1/libmisc/xgetgrnam.c ---- shadow-4.1.4.1/libmisc/xgetgrnam.c.large_group 2008-09-06 16:56:57.000000000 +0200 -+++ shadow-4.1.4.1/libmisc/xgetgrnam.c 2009-06-16 14:15:08.000000000 +0200 -@@ -58,7 +58,6 @@ - #define ARG_TYPE const char * - #define ARG_NAME name - #define DUP_FUNCTION __gr_dup --#define MAX_LENGTH 0x8000 - #define HAVE_FUNCTION_R (defined HAVE_GETGRNAM_R) - - #include "xgetXXbyYY.c" -diff -up shadow-4.1.4.1/libmisc/xgetpwnam.c.large_group shadow-4.1.4.1/libmisc/xgetpwnam.c ---- shadow-4.1.4.1/libmisc/xgetpwnam.c.large_group 2008-09-06 16:57:05.000000000 +0200 -+++ shadow-4.1.4.1/libmisc/xgetpwnam.c 2009-06-16 14:15:08.000000000 +0200 -@@ -58,7 +58,6 @@ - #define ARG_TYPE const char * - #define ARG_NAME name - #define DUP_FUNCTION __pw_dup --#define MAX_LENGTH 0x8000 - #define HAVE_FUNCTION_R (defined HAVE_GETPWNAM_R) - - #include "xgetXXbyYY.c" -diff -up shadow-4.1.4.1/libmisc/xgetpwuid.c.large_group shadow-4.1.4.1/libmisc/xgetpwuid.c ---- shadow-4.1.4.1/libmisc/xgetpwuid.c.large_group 2008-09-06 16:57:11.000000000 +0200 -+++ shadow-4.1.4.1/libmisc/xgetpwuid.c 2009-06-16 14:15:08.000000000 +0200 -@@ -58,7 +58,6 @@ - #define ARG_TYPE uid_t - #define ARG_NAME uid - #define DUP_FUNCTION __pw_dup --#define MAX_LENGTH 0x8000 - #define HAVE_FUNCTION_R (defined HAVE_GETPWUID_R) - - #include "xgetXXbyYY.c" -diff -up shadow-4.1.4.1/libmisc/xgetspnam.c.large_group shadow-4.1.4.1/libmisc/xgetspnam.c ---- shadow-4.1.4.1/libmisc/xgetspnam.c.large_group 2008-09-06 16:57:17.000000000 +0200 -+++ shadow-4.1.4.1/libmisc/xgetspnam.c 2009-06-16 14:15:08.000000000 +0200 -@@ -58,7 +58,6 @@ 
- #define ARG_TYPE const char * - #define ARG_NAME name - #define DUP_FUNCTION __spw_dup --#define MAX_LENGTH 0x8000 - #define HAVE_FUNCTION_R (defined HAVE_GETSPNAM_R) - - #include "xgetXXbyYY.c" -diff -up shadow-4.1.4.1/libmisc/xgetXXbyYY.c.large_group shadow-4.1.4.1/libmisc/xgetXXbyYY.c ---- shadow-4.1.4.1/libmisc/xgetXXbyYY.c.large_group 2009-04-23 11:15:53.000000000 +0200 -+++ shadow-4.1.4.1/libmisc/xgetXXbyYY.c 2009-06-16 14:15:08.000000000 +0200 -@@ -79,7 +79,7 @@ - exit (13); - } - -- do { -+ while (true) { - int status; - LOOKUP_TYPE *resbuf = NULL; - buffer = (char *)realloc (buffer, length); -@@ -106,8 +106,14 @@ - return NULL; - } - -- length *= 4; -- } while (length < MAX_LENGTH); -+ if (length <= ((size_t)-1 / 4)) { -+ length *= 4; -+ } else if (length == (size_t) -1) { -+ break; -+ } else { -+ length = (size_t) -1; -+ } -+ } - - free(buffer); - free(result); -diff -up shadow-4.1.4.1/NEWS.large_group shadow-4.1.4.1/NEWS diff --git a/shadow-4.1.4.1-ldap.patch b/shadow-4.1.4.1-ldap.patch deleted file mode 100644 index 9d97188..0000000 --- a/shadow-4.1.4.1-ldap.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -diff -up shadow-4.1.4.1/libmisc/find_new_gid.c.ldap shadow-4.1.4.1/libmisc/find_new_gid.c ---- shadow-4.1.4.1/libmisc/find_new_gid.c.ldap 2009-07-16 10:37:41.653798746 +0200 -+++ shadow-4.1.4.1/libmisc/find_new_gid.c 2009-07-16 10:44:14.482808945 +0200 -@@ -90,17 +90,26 @@ int find_new_gid (bool sys_group, - * but we also check the local database (gr_rewind/gr_next) in case - * some groups were created but the changes were not committed yet. - */ -- setgrent (); -- while ((grp = getgrent ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -+ if (sys_group ) { -+ for(group_id = gid_min; group_id<=gid_max; group_id++) { -+ grp = getgrgid(group_id); -+ if(grp) -+ used_gids[grp->gr_gid] = true; - } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ } -+ else { -+ setgrent (); -+ while ((grp = getgrent ()) != NULL) { -+ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -+ group_id = grp->gr_gid + 1; -+ } -+ /* create index of used GIDs */ -+ if (grp->gr_gid <= gid_max) { -+ used_gids[grp->gr_gid] = true; -+ } - } -+ endgrent (); - } -- endgrent (); - gr_rewind (); - while ((grp = gr_next ()) != NULL) { - if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -diff -up shadow-4.1.4.1/libmisc/find_new_uid.c.ldap shadow-4.1.4.1/libmisc/find_new_uid.c ---- shadow-4.1.4.1/libmisc/find_new_uid.c.ldap 2009-07-16 10:37:41.653798746 +0200 -+++ shadow-4.1.4.1/libmisc/find_new_uid.c 2009-07-16 10:37:41.668798323 +0200 -@@ -91,17 +91,27 @@ int find_new_uid (bool sys_user, - * but we also check the local database (pw_rewind/pw_next) in case - * some users were created but the changes were not committed yet. 
- */ -- setpwent (); -- while ((pwd = getpwent ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -+ /* speed up sys users look up on LDAP boxes */ -+ if (sys_user) { -+ for (user_id = uid_min; user_id<=uid_max; user_id++) { -+ pwd = getpwuid(user_id); -+ if(pwd) -+ used_uids[user_id] = true; - } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ } -+ else { -+ setpwent (); -+ while ((pwd = getpwent ()) != NULL) { -+ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -+ user_id = pwd->pw_uid + 1; -+ } -+ /* create index of used UIDs */ -+ if (pwd->pw_uid <= uid_max) { -+ used_uids[pwd->pw_uid] = true; -+ } - } -+ endpwent (); - } -- endpwent (); - pw_rewind (); - while ((pwd = pw_next ()) != NULL) { - if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -@@ -113,6 +123,7 @@ int find_new_uid (bool sys_user, - } - } - -+ - /* find free system account in reverse order */ - if (sys_user) { - for (user_id = uid_max; user_id >= uid_min; user_id--) { diff --git a/shadow-4.1.4.1-sysacc.patch b/shadow-4.1.4.1-sysacc.patch deleted file mode 100644 index 8a6de17..0000000 --- a/shadow-4.1.4.1-sysacc.patch +++ /dev/null 
@@ -1,300 +0,0 @@ -diff -up shadow-4.1.4.1/libmisc/find_new_gid.c.sysacc shadow-4.1.4.1/libmisc/find_new_gid.c ---- shadow-4.1.4.1/libmisc/find_new_gid.c.sysacc 2009-07-16 11:51:34.807860808 +0200 -+++ shadow-4.1.4.1/libmisc/find_new_gid.c 2009-07-16 14:19:08.678798578 +0200 -@@ -52,7 +52,7 @@ int find_new_gid (bool sys_group, - /*@null@*/gid_t const *preferred_gid) - { - const struct group *grp; -- gid_t gid_min, gid_max, group_id; -+ gid_t gid_min, gid_max, group_id, id; - bool *used_gids; - - assert (gid != NULL); -@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, - gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); - gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); - } else { -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); - gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - } -@@ -80,7 +80,6 @@ int find_new_gid (bool sys_group, - return 0; - } - -- group_id = gid_min; - - /* - * Search the entire group file, -@@ -91,13 +90,28 @@ int find_new_gid (bool sys_group, - * some groups were created but the changes were not committed yet. 
- */ - if (sys_group ) { -- for(group_id = gid_min; group_id<=gid_max; group_id++) { -- grp = getgrgid(group_id); -- if(grp) -+ group_id = gid_max; -+ for(id = gid_max; id>=gid_min; id--) { -+ grp = getgrgid(id); -+ if(grp) { -+ group_id = id - 1; - used_gids[grp->gr_gid] = true; -+ } -+ } -+ -+ gr_rewind (); -+ while ((grp = gr_next ()) != NULL) { -+ if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { -+ group_id = grp->gr_gid - 1; -+ } -+ /* create index of used GIDs */ -+ if (grp->gr_gid <= gid_max) { -+ used_gids[grp->gr_gid] = true; -+ } - } - } - else { -+ group_id = gid_min; - setgrent (); - while ((grp = getgrent ()) != NULL) { - if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -@@ -109,32 +123,16 @@ int find_new_gid (bool sys_group, - } - } - endgrent (); -- } -- gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -- } -- } - -- /* find free system account in reverse order */ -- if (sys_group) { -- for (group_id = gid_max; group_id >= gid_min; group_id--) { -- if (false == used_gids[group_id]) { -- break; -+ gr_rewind (); -+ while ((grp = gr_next ()) != NULL) { -+ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -+ group_id = grp->gr_gid + 1; -+ } -+ /* create index of used GIDs */ -+ if (grp->gr_gid <= gid_max) { -+ used_gids[grp->gr_gid] = true; - } -- } -- if ( group_id < gid_min ) { -- fprintf (stderr, -- _("%s: Can't get unique GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available GID on the system")); -- return -1; - } - } - -@@ -143,16 +141,35 @@ int find_new_gid (bool sys_group, - * will give us GID_MAX+1 even if not unique. Search for the first - * free GID starting with GID_MIN. 
- */ -- if (group_id == gid_max + 1) { -- for (group_id = gid_min; group_id < gid_max; group_id++) { -- if (false == used_gids[group_id]) { -- break; -+ if (sys_group) { -+ if (group_id == gid_min - 1) { -+ for (group_id = gid_max; group_id >= gid_min; group_id--) { -+ if (false == used_gids[group_id]) { -+ break; -+ } -+ } -+ if ( group_id < gid_min ) { -+ fprintf (stderr, -+ _("%s: Can't get unique GID (no more available GIDs)\n"), -+ Prog); -+ SYSLOG ((LOG_WARN, -+ "no more available GID on the system")); -+ return -1; - } - } -- if (group_id == gid_max) { -- fprintf (stderr, _("%s: Can't get unique GID (no more available GIDs)\n"), Prog); -- SYSLOG ((LOG_WARN, "no more available GID on the system")); -- return -1; -+ } -+ else { -+ if (group_id == gid_max + 1) { -+ for (group_id = gid_min; group_id < gid_max; group_id++) { -+ if (false == used_gids[group_id]) { -+ break; -+ } -+ } -+ if (group_id == gid_max) { -+ fprintf (stderr, _("%s: Can't get unique GID (no more available GIDs)\n"), Prog); -+ SYSLOG ((LOG_WARN, "no more available GID on the system")); -+ return -1; -+ } - } - } - -diff -up shadow-4.1.4.1/libmisc/find_new_uid.c.sysacc shadow-4.1.4.1/libmisc/find_new_uid.c ---- shadow-4.1.4.1/libmisc/find_new_uid.c.sysacc 2009-07-16 11:51:34.807860808 +0200 -+++ shadow-4.1.4.1/libmisc/find_new_uid.c 2009-07-16 14:13:38.120798526 +0200 -@@ -52,7 +52,7 @@ int find_new_uid (bool sys_user, - /*@null@*/uid_t const *preferred_uid) - { - const struct passwd *pwd; -- uid_t uid_min, uid_max, user_id; -+ uid_t uid_min, uid_max, user_id, id; - bool *used_uids; - - assert (uid != NULL); -@@ -61,7 +61,7 @@ int find_new_uid (bool sys_user, - uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); - uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); - } else { -- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL); -+ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 201UL); - uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; - uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", 
(unsigned long) uid_max); - } -@@ -81,8 +81,6 @@ int find_new_uid (bool sys_user, - } - - -- user_id = uid_min; -- - /* - * Search the entire password file, - * looking for the largest unused value. -@@ -91,15 +89,30 @@ int find_new_uid (bool sys_user, - * but we also check the local database (pw_rewind/pw_next) in case - * some users were created but the changes were not committed yet. - */ -- /* speed up sys users look up on LDAP boxes */ - if (sys_user) { -- for (user_id = uid_min; user_id<=uid_max; user_id++) { -- pwd = getpwuid(user_id); -- if(pwd) -+ user_id = uid_max; -+ for (id = uid_max; id>=uid_min; id--) { -+ pwd = getpwuid(id); -+ if(pwd) { -+ user_id = id - 1; - used_uids[user_id] = true; -+ } - } -+ -+ pw_rewind (); -+ while ((pwd = pw_next ()) != NULL) { -+ if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { -+ user_id = pwd->pw_uid - 1; -+ } -+ /* create index of used UIDs */ -+ if (pwd->pw_uid <= uid_max) { -+ used_uids[pwd->pw_uid] = true; -+ } -+ } -+ - } - else { -+ user_id = uid_min; - setpwent (); - while ((pwd = getpwent ()) != NULL) { - if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -@@ -111,51 +124,55 @@ int find_new_uid (bool sys_user, - } - } - endpwent (); -- } -- pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -- } -- } -- - -- /* find free system account in reverse order */ -- if (sys_user) { -- for (user_id = uid_max; user_id >= uid_min; user_id--) { -- if (false == used_uids[user_id]) { -- break; -+ pw_rewind (); -+ while ((pwd = pw_next ()) != NULL) { -+ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -+ user_id = pwd->pw_uid + 1; -+ } -+ /* create index of used UIDs */ -+ if (pwd->pw_uid <= uid_max) { -+ used_uids[pwd->pw_uid] = true; - } -- } -- if (user_id < uid_min ) { -- fprintf (stderr, -- 
_("%s: Can't get unique system UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available UID on the system")); -- return -1; - } - } - -+ - /* - * If a user with UID equal to UID_MAX exists, the above algorithm - * will give us UID_MAX+1 even if not unique. Search for the first - * free UID starting with UID_MIN. - */ -- if (user_id == uid_max + 1) { -- for (user_id = uid_min; user_id < uid_max; user_id++) { -- if (false == used_uids[user_id]) { -- break; -+ if (sys_user) { -+ if (user_id == uid_min - 1) { -+ for (user_id = uid_max; user_id >= uid_min; user_id--) { -+ if (false == used_uids[user_id]) { -+ break; -+ } -+ } -+ if (user_id < uid_min ) { -+ fprintf (stderr, -+ _("%s: Can't get unique system UID (no more available UIDs)\n"), -+ Prog); -+ SYSLOG ((LOG_WARN, -+ "no more available UID on the system")); -+ return -1; - } - } -- if (user_id == uid_max) { -- fprintf (stderr, _("%s: Can't get unique UID (no more available UIDs)\n"), Prog); -- SYSLOG ((LOG_WARN, "no more available UID on the system")); -- return -1; -+ } -+ else { -+ if (user_id == uid_max + 1) { -+ for (user_id = uid_min; user_id < uid_max; user_id++) { -+ if (false == used_uids[user_id]) { -+ break; -+ } -+ } -+ if (user_id == uid_max) { -+ fprintf (stderr, _("%s: Can't get unique UID (no more available UIDs)\n"), -+ Prog); -+ SYSLOG ((LOG_WARN, "no more available UID on the system")); -+ return -1; -+ } - } - } - diff --git a/shadow-4.1.4.2-fixes.patch b/shadow-4.1.4.2-fixes.patch new file mode 100644 index 0000000..a7ab5b4 --- /dev/null +++ b/shadow-4.1.4.2-fixes.patch 
@@ -0,0 +1,65 @@ +diff -up shadow-4.1.4.2/lib/commonio.c.fixes shadow-4.1.4.2/lib/commonio.c +--- shadow-4.1.4.2/lib/commonio.c.fixes 2009-09-07 15:51:28.312139467 +0200 ++++ shadow-4.1.4.2/lib/commonio.c 2009-09-07 15:52:00.788140456 +0200 +@@ -710,7 +710,7 @@ commonio_sort (struct commonio_db *db, i + db->tail->prev = entries[n - 1]; + db->tail->next = NULL; + +- for (i = 1; i < n; i++) { ++ for (i = 1; i < (n-1); i++) { + entries[i]->prev = entries[i - 1]; + entries[i]->next = entries[i + 1]; + } +diff -up shadow-4.1.4.2/libmisc/cleanup.c.fixes shadow-4.1.4.2/libmisc/cleanup.c +--- shadow-4.1.4.2/libmisc/cleanup.c.fixes 2009-09-07 15:52:22.449035388 +0200 ++++ shadow-4.1.4.2/libmisc/cleanup.c 2009-09-07 15:55:06.632033653 +0200 +@@ -107,7 +107,7 @@ void del_cleanup (cleanup_function pcf) + assert (i limit) { +- SYSLOG ((LOG_WARN, "Too many logins (max %d) for %s\n", ++ SYSLOG ((LOG_WARN, "Too many logins (max %lu) for %s\n", + limit, name)); + return LOGIN_ERROR_LOGIN; + } +diff -up shadow-4.1.4.2/libmisc/utmp.c.fixes shadow-4.1.4.2/libmisc/utmp.c +--- shadow-4.1.4.2/libmisc/utmp.c.fixes 2009-09-07 15:56:30.534033865 +0200 ++++ shadow-4.1.4.2/libmisc/utmp.c 2009-09-07 16:11:23.049069289 +0200 +@@ -56,7 +56,7 @@ static bool is_my_tty (const char *tty) + /* full_tty shall be at least sizeof utmp.ut_line + 5 */ + char full_tty[200]; + /* tmptty shall be bigger than full_tty */ +- static char tmptty[sizeof (full_tty)+1]; ++ static char tmptty[sizeof (full_tty)+1] = ""; + + if ('/' != *tty) { + (void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty); +@@ -71,7 +71,7 @@ static bool is_my_tty (const char *tty) + } + } + +- if (NULL == tmptty) { ++ if ('\0' == tmptty[0]) { + (void) puts (_("Unable to determine your tty name.")); + exit (EXIT_FAILURE); + } else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) { +@@ -200,7 +200,6 @@ static void updwtmpx (const char *filena + strcpy (hostname, host); + #ifdef HAVE_STRUCT_UTMP_UT_HOST + } else if ( (NULL != ut) +- && 
(NULL != ut->ut_host) + && ('\0' != ut->ut_host[0])) { + hostname = (char *) xmalloc (sizeof (ut->ut_host) + 1); + strncpy (hostname, ut->ut_host, sizeof (ut->ut_host)); diff --git a/shadow-4.1.4.2-leak.patch b/shadow-4.1.4.2-leak.patch new file mode 100644 index 0000000..0d6aa09 --- /dev/null +++ b/shadow-4.1.4.2-leak.patch 
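Review bot: The new side of the updwtmpx hunk keeps `strncpy (hostname, ut->ut_host, sizeof (ut->ut_host))` into a buffer of `sizeof (ut->ut_host) + 1` bytes, so when the host field is completely filled the only possible terminator is the extra byte, which strncpy never writes; unless xmalloc zero-fills (not visible here) hostname can then be read past its end. Add `hostname[sizeof (ut->ut_host)] = '\0';` directly after the strncpy. The dropped `NULL != ut->ut_host` test was always true if ut_host is an array, as the `sizeof` usage suggests, and the new `'\0' == tmptty[0]` check in is_my_tty is only sound if every failure path above it leaves tmptty empty, which lies outside the hunk. Both updwtmpx and is_my_tty continue outside the hunk.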
@@ -0,0 +1,108 @@ +diff -up shadow-4.1.4.2/lib/groupmem.c.leak shadow-4.1.4.2/lib/groupmem.c +--- shadow-4.1.4.2/lib/groupmem.c.leak 2009-04-23 19:43:27.000000000 +0200 ++++ shadow-4.1.4.2/lib/groupmem.c 2009-09-07 15:43:23.314129427 +0200 +@@ -51,10 +51,13 @@ + *gr = *grent; + gr->gr_name = strdup (grent->gr_name); + if (NULL == gr->gr_name) { ++ free(gr); + return NULL; + } + gr->gr_passwd = strdup (grent->gr_passwd); + if (NULL == gr->gr_passwd) { ++ free(gr->gr_name); ++ free(gr); + return NULL; + } + +@@ -62,11 +65,21 @@ + + gr->gr_mem = (char **) malloc ((i + 1) * sizeof (char *)); + if (NULL == gr->gr_mem) { ++ free(gr->gr_passwd); ++ free(gr->gr_name); ++ free(gr); + return NULL; + } + for (i = 0; grent->gr_mem[i]; i++) { + gr->gr_mem[i] = strdup (grent->gr_mem[i]); + if (NULL == gr->gr_mem[i]) { ++ int j; ++ for (j=0; jgr_mem[j]); ++ free(gr->gr_mem); ++ free(gr->gr_passwd); ++ free(gr->gr_name); ++ free(gr); + return NULL; + } + } +diff -up shadow-4.1.4.2/libmisc/copydir.c.leak shadow-4.1.4.2/libmisc/copydir.c +--- shadow-4.1.4.2/libmisc/copydir.c.leak 2009-05-22 12:16:14.000000000 +0200 ++++ shadow-4.1.4.2/libmisc/copydir.c 2009-09-07 15:41:49.217192095 +0200 +@@ -443,6 +443,7 @@ static char *readlink_malloc (const char + nchars = readlink (filename, buffer, size); + + if (nchars < 0) { ++ free(buffer); + return NULL; + } + +diff -up shadow-4.1.4.2/lib/pwmem.c.leak shadow-4.1.4.2/lib/pwmem.c +--- shadow-4.1.4.2/lib/pwmem.c.leak 2009-04-23 19:43:27.000000000 +0200 ++++ shadow-4.1.4.2/lib/pwmem.c 2009-09-07 15:41:49.218203063 +0200 +@@ -51,22 +51,37 @@ + *pw = *pwent; + pw->pw_name = strdup (pwent->pw_name); + if (NULL == pw->pw_name) { ++ free(pw); + return NULL; + } + pw->pw_passwd = strdup (pwent->pw_passwd); + if (NULL == pw->pw_passwd) { ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + pw->pw_gecos = strdup (pwent->pw_gecos); + if (NULL == pw->pw_gecos) { ++ free(pw->pw_passwd); ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + pw->pw_dir 
= strdup (pwent->pw_dir); + if (NULL == pw->pw_dir) { ++ free(pw->pw_gecos); ++ free(pw->pw_passwd); ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + pw->pw_shell = strdup (pwent->pw_shell); + if (NULL == pw->pw_shell) { ++ free(pw->pw_dir); ++ free(pw->pw_gecos); ++ free(pw->pw_passwd); ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + +diff -up shadow-4.1.4.2/lib/shadowmem.c.leak shadow-4.1.4.2/lib/shadowmem.c +--- shadow-4.1.4.2/lib/shadowmem.c.leak 2009-04-23 19:43:27.000000000 +0200 ++++ shadow-4.1.4.2/lib/shadowmem.c 2009-09-07 15:41:49.218203063 +0200 +@@ -52,10 +52,13 @@ + *sp = *spent; + sp->sp_namp = strdup (spent->sp_namp); + if (NULL == sp->sp_namp) { ++ free(sp); + return NULL; + } + sp->sp_pwdp = strdup (spent->sp_pwdp); + if (NULL == sp->sp_pwdp) { ++ free(sp->sp_namp); ++ free(sp); + return NULL; + } + diff --git a/shadow-4.1.4-redhat.patch b/shadow-4.1.4.2-redhat.patch similarity index 67% rename from shadow-4.1.4-redhat.patch rename to shadow-4.1.4.2-redhat.patch index 3143c21..2b9e334 100644 --- a/shadow-4.1.4-redhat.patch +++ b/shadow-4.1.4.2-redhat.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.1.4/libmisc/find_new_gid.c.redhat shadow-4.1.4/libmisc/find_new_gid.c ---- shadow-4.1.4/libmisc/find_new_gid.c.redhat 2009-04-23 19:36:42.000000000 +0200 -+++ shadow-4.1.4/libmisc/find_new_gid.c 2009-05-15 12:01:18.000000000 +0200 +diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.redhat shadow-4.1.4.2/libmisc/find_new_gid.c +--- shadow-4.1.4.2/libmisc/find_new_gid.c.redhat 2009-07-18 01:53:42.000000000 +0200 ++++ shadow-4.1.4.2/libmisc/find_new_gid.c 2009-09-07 16:34:26.640814090 +0200 @@ -58,11 +58,11 @@ int find_new_gid (bool sys_group, assert (gid != NULL); 
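Review bot: The cleanup chain grows by one `free` per branch and is spelled out five times in pwmem.c (and again in groupmem.c and shadowmem.c), which is easy to get out of step the next time a field is added. A single failure label that frees every duplicated member would be safer, but only if those members are set to NULL right after `*pw = *pwent`: that struct copy leaves the not-yet-duplicated fields aliasing the caller's strings, and an unconditional free would otherwise release memory the function does not own (free(NULL) is a no-op, so NULLed fields are harmless). In groupmem.c the partial gr_mem release loop is garbled in this extraction but appears to free only entries below the failing index, which is the right bound. The enclosing functions start and end outside the hunk.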
@@ -9,15 +9,16 @@ diff -up shadow-4.1.4/libmisc/find_new_gid.c.redhat shadow-4.1.4/libmisc/find_ne + gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); } else { - gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); - gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); + gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); } used_gids = alloca (sizeof (bool) * (gid_max +1)); -diff -up shadow-4.1.4/libmisc/find_new_uid.c.redhat shadow-4.1.4/libmisc/find_new_uid.c ---- shadow-4.1.4/libmisc/find_new_uid.c.redhat 2009-04-23 19:37:12.000000000 +0200 -+++ shadow-4.1.4/libmisc/find_new_uid.c 2009-05-15 12:01:39.000000000 +0200 +diff -up shadow-4.1.4.2/libmisc/find_new_uid.c.redhat shadow-4.1.4.2/libmisc/find_new_uid.c +--- shadow-4.1.4.2/libmisc/find_new_uid.c.redhat 2009-07-18 01:53:43.000000000 +0200 ++++ shadow-4.1.4.2/libmisc/find_new_uid.c 2009-09-07 16:34:19.695877000 +0200 @@ -58,11 +58,11 @@ int find_new_uid (bool sys_user, assert (uid != NULL); 
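Review bot: The default lower bound for dynamic system IDs moves from 101 to 201 in `getdef_ulong ("SYS_GID_MIN", 201UL)` here and in the matching find_new_uid hunk below, but nothing records why; a comment such as `/* IDs below 201 are kept for statically assigned system accounts; dynamic allocation starts here */` next to each line would spare the next reader from guessing (the later uflg patch in this series, which speaks of reserved static IDs, suggests that is the intent). The retained `used_gids = alloca (sizeof (bool) * (gid_max +1))` also sizes a stack array from the administrator-configured GID_MAX/SYS_GID_MAX, so a very large value in login.defs becomes an oversized alloca; that predates this change but deserves either a sanity bound or a heap allocation. find_new_gid and find_new_uid continue outside the hunk.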
@@ -26,15 +27,16 @@ diff -up shadow-4.1.4/libmisc/find_new_uid.c.redhat shadow-4.1.4/libmisc/find_ne + uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); } else { - uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL); +- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); - uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; ++ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 201UL); + uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); } used_uids = alloca (sizeof (bool) * (uid_max +1)); -diff -up shadow-4.1.4/src/useradd.c.redhat shadow-4.1.4/src/useradd.c ---- shadow-4.1.4/src/useradd.c.redhat 2009-05-10 20:26:35.000000000 +0200 -+++ shadow-4.1.4/src/useradd.c 2009-05-15 11:59:40.000000000 +0200 +diff -up shadow-4.1.4.2/src/useradd.c.redhat shadow-4.1.4.2/src/useradd.c +--- shadow-4.1.4.2/src/useradd.c.redhat 2009-06-06 00:16:58.000000000 +0200 ++++ shadow-4.1.4.2/src/useradd.c 2009-09-07 16:34:01.402878101 +0200 @@ -90,7 +90,7 @@ char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; @@ -53,7 +55,7 @@ diff -up shadow-4.1.4/src/useradd.c.redhat shadow-4.1.4/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -996,9 +996,9 @@ static void process_flags (int argc, cha +@@ -989,9 +989,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX @@ -65,7 +67,7 @@ diff -up shadow-4.1.4/src/useradd.c.redhat shadow-4.1.4/src/useradd.c #endif long_options, NULL)) != -1) { switch (c) { -@@ -1148,6 +1148,7 @@ static void process_flags (int argc, cha +@@ -1141,6 +1141,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-utils.spec b/shadow-utils.spec index f0c816d..4d13a7c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,17 +1,16 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.4.1 -Release: 7%{?dist} +Version: 4.1.4.2 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd -Patch0: shadow-4.1.4-redhat.patch +Patch0: shadow-4.1.4.2-redhat.patch Patch1: shadow-4.1.4.1-goodname.patch -Patch2: shadow-4.1.4.1-largeGroup.patch -Patch3: shadow-4.1.4.1-ldap.patch -Patch4: shadow-4.1.4.1-sysacc.patch +Patch2: shadow-4.1.4.2-leak.patch +Patch3: shadow-4.1.4.2-fixes.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -37,10 +36,9 @@ are used for managing group accounts. %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat -%patch1 -p1 -b .goodname -%patch2 -p1 -b .largeGroup -%patch3 -p1 -b .ldap -%patch4 -p1 -b .sysacc +#%patch1 -p1 -b .goodname +#%patch2 -p1 -b .leak +#%patch3 -p1 -b .fixes iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -182,6 +180,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Sep 07 2009 Peter Vrabec - 2:4.1.4.2-1 +- upgrade + * Fri Aug 21 2009 Tomas Mraz - 2:4.1.4.1-7 - rebuilt with new audit diff --git a/sources b/sources index 13714cc..1922174 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -62f7dae4cb54fa84e478c4602d58cbe8 shadow-4.1.4.1.tar.bz2 +d593a9cab93c48ee0a6ba056db8c1997 shadow-4.1.4.2.tar.bz2 From 446ad2234af8913fd260ee4c4ae2d47920df4696 Mon Sep 17 00:00:00 2001 
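Review bot: Patch2 (`shadow-4.1.4.2-leak.patch`) and Patch3 (`shadow-4.1.4.2-fixes.patch`) are declared in the preamble, but `%prep` applies only `%patch0`; the `%patch1`, `%patch2` and `%patch3` lines are commented out, so this release builds without the leak and out-of-bounds fixes the same commit adds and without whatever the goodname patch provides. If they are meant to be staged for a later build, a comment in `%prep` saying so (for example `# patches 1-3 disabled until rebased on 4.1.4.2`, if that is the reason) makes it deliberate rather than an oversight; otherwise the three lines should be uncommented.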
From: Peter Vrabec Date: Wed, 18 Nov 2009 09:33:28 +0000 Subject: [PATCH 045/151] - apply patches{1,2,3} - enable SHA512 in /etc/login.defs --- ...-4.0.17-login.defs => shadow-utils.login.defs | 4 ++-- shadow-utils.spec | 16 ++++++++++------ shadow-4.0.18.1-useradd => shadow-utils.useradd | 0 3 files changed, 12 insertions(+), 8 deletions(-) rename shadow-4.0.17-login.defs => shadow-utils.login.defs (94%) rename shadow-4.0.18.1-useradd => shadow-utils.useradd (100%) diff --git a/shadow-4.0.17-login.defs b/shadow-utils.login.defs similarity index 94% rename from shadow-4.0.17-login.defs rename to shadow-utils.login.defs index 18733bf..b24946d 100644 --- a/shadow-4.0.17-login.defs +++ b/shadow-utils.login.defs @@ -53,6 +53,6 @@ UMASK 077 # USERGROUPS_ENAB yes -# Use MD5 or DES to encrypt password? Red Hat use MD5 by default. -MD5_CRYPT_ENAB yes +# Use SHA512 to encrypt password. +ENCRYPT_METHOD SHA512 diff --git a/shadow-utils.spec b/shadow-utils.spec index 4d13a7c..770c7bc 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,12 +1,12 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 -Source1: shadow-4.0.17-login.defs -Source2: shadow-4.0.18.1-useradd +Source1: shadow-utils.login.defs +Source2: shadow-utils.useradd Patch0: shadow-4.1.4.2-redhat.patch Patch1: shadow-4.1.4.1-goodname.patch Patch2: shadow-4.1.4.2-leak.patch @@ -36,9 +36,9 @@ are used for managing group accounts. %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat -#%patch1 -p1 -b .goodname -#%patch2 -p1 -b .leak -#%patch3 -p1 -b .fixes +%patch1 -p1 -b .goodname +%patch2 -p1 -b .leak +%patch3 -p1 -b .fixes iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
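Review bot: The new `ENCRYPT_METHOD SHA512` line replaces `MD5_CRYPT_ENAB yes` without noting that ENCRYPT_METHOD takes precedence over the old key, and the comment says nothing about hashing cost, which for the SHA-crypt methods is governed by `SHA_CRYPT_MIN_ROUNDS`/`SHA_CRYPT_MAX_ROUNDS` where the installed shadow honours those keys (5000 rounds otherwise). A fuller comment would be `# Use SHA512 to encrypt passwords. ENCRYPT_METHOD overrides MD5_CRYPT_ENAB; tune cost with SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS.` so an administrator reading login.defs sees both knobs together.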
@@ -180,6 +180,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Nov 18 2009 Peter Vrabec - 2:4.1.4.2-2 +- apply patches{1,2,3} +- enable SHA512 in /etc/login.defs + * Mon Sep 07 2009 Peter Vrabec - 2:4.1.4.2-1 - upgrade diff --git a/shadow-4.0.18.1-useradd b/shadow-utils.useradd similarity index 100% rename from shadow-4.0.18.1-useradd rename to shadow-utils.useradd From 0f8ceb4603c42040f6247f5fe03718e73efba564 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Wed, 25 Nov 2009 23:15:30 +0000 Subject: [PATCH 046/151] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index d05310b..cd725e9 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ # Makefile for source rpm: shadow-utils -# $Id: Makefile,v 1.3 2005/08/05 11:53:21 pvrabec Exp $ +# $Id: Makefile,v 1.4 2007/10/15 19:22:59 notting Exp $ NAME := shadow-utils SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From e772ed6ecf59a7e90a3ecf6953676e03e00a7951 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Fri, 26 Mar 2010 13:55:46 +0000 Subject: [PATCH 047/151] max group name length set to 32 characters --- shadow-utils.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 770c7bc..eb42b48 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -58,7 +58,8 @@ cp -f doc/HOWTO.utf8 doc/HOWTO --with-selinux \ --without-libcrack \ --without-libpam \ - --disable-shared + --disable-shared \ + --with-group-name-max-length=32 make %install @@ -180,6 +181,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Mar 26 2010 Peter Vrabec - 2:4.1.4.2-3 +- max group name length set to 32 characters + * Wed Nov 18 2009 Peter Vrabec - 2:4.1.4.2-2 - apply patches{1,2,3} - enable SHA512 in /etc/login.defs From 0ffcb199d606c3f2eb33ac0011f8298acc582c05 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 1 Apr 2010 13:16:46 +0000 Subject: [PATCH 048/151] fix man directories ownership (#569418) --- shadow-utils.spec | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index eb42b48..9254cc5 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
@@ -123,14 +123,14 @@ rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* -%find_lang shadow find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete +%find_lang shadow for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do dir=$(echo $dir | sed -e "s|^$RPM_BUILD_ROOT||") lang=$(basename $dir) - echo "%%lang($lang) $dir" >> shadow.lang - echo "%%lang($lang) $dir/man*" >> shadow.lang -# echo "%%lang($lang) $dir/man*/*" >> shadow.lang +# echo "%%lang($lang) $dir" >> shadow.lang +# echo "%%lang($lang) $dir/man*" >> shadow.lang + echo "%%lang($lang) $dir/man*/*" >> shadow.lang done %clean @@ -181,6 +181,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Apr 01 2010 Peter Vrabec - 2:4.1.4.2-4 +- fix man directories ownership (#569418) + * Fri Mar 26 2010 Peter Vrabec - 2:4.1.4.2-3 - max group name length set to 32 characters From d787a9d254bc267b8bc5d13eca4fa920db5e4199 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 28 Apr 2010 13:13:13 +0000 Subject: [PATCH 049/151] - newusers man page more informative - userdel should not need to run semanage Resolves: #586330 #586408 --- shadow-4.1.4.2-infoParentDir.patch | 32 ++++++++++++++++++++++++++++++ shadow-4.1.4.2-semange.patch | 22 ++++++++++++++++++++ shadow-utils.spec | 11 +++++++++- 3 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.4.2-infoParentDir.patch create mode 100644 shadow-4.1.4.2-semange.patch diff --git a/shadow-4.1.4.2-infoParentDir.patch b/shadow-4.1.4.2-infoParentDir.patch new file mode 100644 index 0000000..5a83f6a --- /dev/null +++ b/shadow-4.1.4.2-infoParentDir.patch 
@@ -0,0 +1,32 @@ +diff -up shadow-4.1.4.2/man/newusers.8.infoParentDir shadow-4.1.4.2/man/newusers.8 +--- shadow-4.1.4.2/man/newusers.8.infoParentDir 2010-04-28 13:44:04.634870854 +0200 ++++ shadow-4.1.4.2/man/newusers.8 2010-04-28 13:46:07.190866220 +0200 +@@ -88,7 +88,7 @@ This field is copied in the GECOS field + .RS 4 + This field is used to define the home directory of the user\&. + .sp +-If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. ++If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&.Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&. + .sp + If the home directory of an existing user is changed, + \fBnewusers\fR +diff -up shadow-4.1.4.2/man/newusers.8.xml.infoParentDir shadow-4.1.4.2/man/newusers.8.xml +--- shadow-4.1.4.2/man/newusers.8.xml.infoParentDir 2010-04-28 13:48:01.419238133 +0200 ++++ shadow-4.1.4.2/man/newusers.8.xml 2010-04-28 13:55:40.499663030 +0200 +@@ -192,7 +192,15 @@ + + If this field does not specify an existing directory, the + specified directory is created, with ownership set to the +- user being created or updated and its primary group. ++ user being created or updated and its primary group. Note ++ that newusers does not create parent directories of the new ++ user's home directory. 
The newusers command will fail to ++ create the home directory if the parent directories do not ++ exist, and will send a message to stderr informing the user ++ of the failure. The newusers command will not halt or return ++ a failure to the calling shell if it fails to create the home ++ directory, it will continue to process the batch of new users ++ specified. + + + If the home directory of an existing user is changed, diff --git a/shadow-4.1.4.2-semange.patch b/shadow-4.1.4.2-semange.patch new file mode 100644 index 0000000..d4427e6 --- /dev/null +++ b/shadow-4.1.4.2-semange.patch @@ -0,0 +1,22 @@ +diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c +--- shadow-4.1.4.2/src/userdel.c.semanage 2010-04-28 14:47:25.581366330 +0200 ++++ shadow-4.1.4.2/src/userdel.c 2010-04-28 14:48:08.736376028 +0200 +@@ -974,18 +974,6 @@ int main (int argc, char **argv) + } + #endif + +-#ifdef WITH_SELINUX +- if (is_selinux_enabled () > 0) { +- const char *args[5]; +- args[0] = "/usr/sbin/semanage"; +- args[1] = "login"; +- args[2] = "-d"; +- args[3] = user_name; +- args[4] = NULL; +- safe_system (args[0], args, NULL, 1); +- } +-#endif +- + /* + * Cancel any crontabs or at jobs. Have to do this before we remove + * the entry from /etc/passwd. diff --git a/shadow-utils.spec b/shadow-utils.spec index 9254cc5..b40ed70 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
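Review bot: Dropping the `semanage login -d` call means userdel no longer removes the SELinux login mapping for the deleted account, so a mapping created for that name stays in the SELinux login database and would apply to any later account created with the same name. If the mapping is now expected to be cleaned up elsewhere, that is not visible here, and the removal site deserves a comment such as `/* SELinux login mapping is not removed here; see <component responsible> */` (placeholder); otherwise the removal should be kept in a form that does not depend on invoking semanage. main() in userdel.c continues outside the hunk.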
@@ -11,6 +11,8 @@ Patch0: shadow-4.1.4.2-redhat.patch Patch1: shadow-4.1.4.1-goodname.patch Patch2: shadow-4.1.4.2-leak.patch Patch3: shadow-4.1.4.2-fixes.patch +Patch4: shadow-4.1.4.2-infoParentDir.patch +Patch5: shadow-4.1.4.2-semange.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -39,6 +41,8 @@ are used for managing group accounts. %patch1 -p1 -b .goodname %patch2 -p1 -b .leak %patch3 -p1 -b .fixes +%patch4 -p1 -b .infoParentDir +%patch5 -p1 -b .semange iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -181,6 +185,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Apr 28 2010 Peter Vrabec - 2:4.1.4.2-5 +- newusers man page more informative +- userdel should not need to run semanage + Resolves: #586330 #586408 + * Thu Apr 01 2010 Peter Vrabec - 2:4.1.4.2-4 - fix man directories ownership (#569418) From 4f86795e64d955151c33275dbfb7334e61c0f99d Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 29 Apr 2010 15:09:49 +0000 Subject: [PATCH 050/151] - preserve ACL's on files in /etc/skel Resolves: #513055 --- shadow-4.1.4.2-acl.patch | 121 +++++++++++++++++++++++++++++ shadow-4.1.4.2-infoParentDir.patch | 2 +- shadow-utils.spec | 8 +- 3 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 shadow-4.1.4.2-acl.patch diff --git a/shadow-4.1.4.2-acl.patch b/shadow-4.1.4.2-acl.patch new file mode 100644 index 0000000..9af543c --- /dev/null +++ b/shadow-4.1.4.2-acl.patch 
@@ -0,0 +1,121 @@ +diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c +--- shadow-4.1.4.2/libmisc/copydir.c.acl 2010-04-29 15:55:26.949959971 +0200 ++++ shadow-4.1.4.2/libmisc/copydir.c 2010-04-29 15:55:26.956960471 +0200 +@@ -45,6 +45,9 @@ + #ifdef WITH_SELINUX + #include + #endif ++#include ++#include ++ + static /*@null@*/const char *src_orig; + static /*@null@*/const char *dst_orig; + +@@ -70,7 +73,7 @@ static int copy_symlink (const char *src + #endif + static int copy_hardlink (const char *src, const char *dst, + struct link_name *lp); +-static int copy_special (const char *dst, ++static int copy_special (const char *src, const char *dst, + const struct stat *statp, const struct timeval mt[], + long int uid, long int gid); + static int copy_file (const char *src, const char *dst, +@@ -78,6 +81,24 @@ static int copy_file (const char *src, c + long int uid, long int gid); + + #ifdef WITH_SELINUX ++ ++void error (struct error_context *ctx, const char *fmt, ...) ++{ ++ va_list ap; ++ ++ va_start (ap, fmt); ++ (void) fprintf (stderr, _("%s: "), Prog); ++ if (vfprintf (stderr, fmt, ap) != 0) { ++ (void) fputs (_(": "), stderr); ++ } ++ (void) fprintf (stderr, "%s\n", strerror (errno)); ++ va_end (ap); ++} ++ ++struct error_context ctx = { ++ error ++}; ++ + /* + * selinux_file_context - Set the security context before any file or + * directory creation. +@@ -369,7 +390,7 @@ static int copy_entry (const char *src, + */ + + else if (!S_ISREG (sb.st_mode)) { +- err = copy_special (dst, &sb, mt, uid, gid); ++ err = copy_special (src, dst, &sb, mt, uid, gid); + } + + /* +@@ -413,6 +434,7 @@ static int copy_dir (const char *src, co + || (chown (dst, + (uid == - 1) ? statp->st_uid : (uid_t) uid, + (gid == - 1) ? 
statp->st_gid : (gid_t) gid) != 0) ++ || (perm_copy_file (src, dst, &ctx) != 0) + || (chmod (dst, statp->st_mode) != 0) + || (copy_tree (src, dst, uid, gid) != 0) + || (utimes (dst, mt) != 0)) { +@@ -514,6 +536,13 @@ static int copy_symlink (const char *src + || (lchown (dst, + (uid == -1) ? statp->st_uid : (uid_t) uid, + (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)) { ++ /* FIXME: there are no modes on symlinks, right? ++ * ACL could be copied, but this would be much more ++ * complex than calling perm_copy_file. ++ * Ditto for Extended Attributes. ++ * We currently only document that ACL and Extended ++ * Attributes are not copied. ++ */ + free (oldlink); + return -1; + } +@@ -542,7 +571,7 @@ static int copy_symlink (const char *src + static int copy_hardlink (const char *src, const char *dst, + struct link_name *lp) + { +- /* TODO: selinux needed? */ ++ /* TODO: selinux, ACL, Extended Attributes needed? */ + + if (link (lp->ln_name, dst) != 0) { + return -1; +@@ -574,7 +603,7 @@ static int copy_hardlink (const char *sr + * + * Return 0 on success, -1 on error. + */ +-static int copy_special (const char *dst, ++static int copy_special (const char *src, const char *dst, + const struct stat *statp, const struct timeval mt[], + long int uid, long int gid) + { +@@ -628,7 +657,7 @@ static int copy_file (const char *src, c + || (fchown (ofd, + (uid == -1) ? statp->st_uid : (uid_t) uid, + (gid == -1) ? 
statp->st_gid : (gid_t) gid) != 0) +- || (fchmod (ofd, statp->st_mode & 07777) != 0)) { ++ || (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) ) { + (void) close (ifd); + return -1; + } +diff -up shadow-4.1.4.2/src/Makefile.in.acl shadow-4.1.4.2/src/Makefile.in +--- shadow-4.1.4.2/src/Makefile.in.acl 2009-07-24 03:16:00.000000000 +0200 ++++ shadow-4.1.4.2/src/Makefile.in 2010-04-29 16:08:34.347960372 +0200 +@@ -430,9 +430,9 @@ su_SOURCES = \ + + su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) + sulogin_LDADD = $(LDADD) $(LIBCRYPT) +-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) ++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl ++userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl ++usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl + vipw_LDADD = $(LDADD) $(LIBSELINUX) + all: all-am + diff --git a/shadow-4.1.4.2-infoParentDir.patch b/shadow-4.1.4.2-infoParentDir.patch index 5a83f6a..da260bf 100644 --- a/shadow-4.1.4.2-infoParentDir.patch +++ b/shadow-4.1.4.2-infoParentDir.patch 
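Review bot: The new `error` function and the `ctx` object that stores it are added inside the existing `#ifdef WITH_SELINUX` block, yet `perm_copy_file (src, dst, &ctx)` in copy_dir and `perm_copy_fd (src, ifd, dst, ofd, &ctx)` in copy_file are unconditional, so a build without WITH_SELINUX fails on an undeclared ctx; move both definitions below that block's `#endif`. Both also have external linkage, and a global named `error` collides with the `error(3)` that glibc exports under a different signature, so make them file-local with a distinct name: `static void acl_error (struct error_context *ctx, const char *fmt, ...)` and `static struct error_context acl_ctx = { acl_error };`, updating the two `&ctx` uses. The callback's `ctx` parameter is unused, which `(void) ctx;` would make explicit. Replacing `fchmod (ofd, statp->st_mode & 07777)` with perm_copy_fd also means the destination mode now comes from the source's ACL rather than from statp, which looks intended but merits a one-line comment. copy_dir, copy_file and copy_symlink all start and end outside the hunk.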
@@ -6,7 +6,7 @@ diff -up shadow-4.1.4.2/man/newusers.8.infoParentDir shadow-4.1.4.2/man/newusers This field is used to define the home directory of the user\&. .sp -If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. -+If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&.Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&. ++If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&. .sp If the home directory of an existing user is changed, \fBnewusers\fR diff --git a/shadow-utils.spec b/shadow-utils.spec index b40ed70..4b1c2c0 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -13,6 +13,7 @@ Patch2: shadow-4.1.4.2-leak.patch Patch3: shadow-4.1.4.2-fixes.patch Patch4: shadow-4.1.4.2-infoParentDir.patch Patch5: shadow-4.1.4.2-semange.patch +Patch6: shadow-4.1.4.2-acl.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -43,6 +44,7 @@ are used for managing group accounts. %patch3 -p1 -b .fixes %patch4 -p1 -b .infoParentDir %patch5 -p1 -b .semange +%patch6 -p1 -b .acl iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -185,6 +187,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Apr 29 2010 Peter Vrabec - 2:4.1.4.2-6 +- preserve ACL's on files in /etc/skel + Resolves: #513055 + * Wed Apr 28 2010 Peter Vrabec - 2:4.1.4.2-5 - newusers man page more informative - userdel should not need to run semanage From 6631e0269cba716e2de642b42a7395d3340c8811 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 29 Apr 2010 15:26:31 +0000 Subject: [PATCH 051/151] add missing buildrequires --- shadow-utils.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index 4b1c2c0..78bdef5 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -18,6 +18,7 @@ License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 +BuildRequires: libacl-devel libattr-devel #BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 From 59e397ee423c12547e8fecbe810da4873b15cc17 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Mon, 14 Jun 2010 11:15:21 +0000 Subject: [PATCH 052/151] - fix integer underflow in faillog (#603683) - use preferred GID for reserved static IDs --- shadow-4.1.4.2-uflg.patch | 25 ++++++++++++++++++++ shadow-4.1.4.2-underflow.patch | 43 ++++++++++++++++++++++++++++++++++ shadow-utils.spec | 10 +++++++- 3 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.4.2-uflg.patch create mode 100644 shadow-4.1.4.2-underflow.patch diff --git a/shadow-4.1.4.2-uflg.patch b/shadow-4.1.4.2-uflg.patch new file mode 100644 index 0000000..be1a73e --- /dev/null +++ b/shadow-4.1.4.2-uflg.patch @@ -0,0 +1,25 @@ +diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.uflg shadow-4.1.4.2/libmisc/find_new_gid.c +--- shadow-4.1.4.2/libmisc/find_new_gid.c.uflg 2010-05-21 11:31:36.069929199 +0200 ++++ shadow-4.1.4.2/libmisc/find_new_gid.c 2010-05-21 11:31:47.600963338 +0200 +@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, + gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); + gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); + } else { +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); + gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } +@@ -79,7 +79,11 @@ int find_new_gid (bool sys_group, + *gid = *preferred_gid; + return 0; + } +- ++ ++ /* if we did not find free preffered system gid, we start to look for ++ * one in the range assigned to dynamic system IDs */ ++ if (sys_group) ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); + + /* + * Search the entire group file, diff --git a/shadow-4.1.4.2-underflow.patch b/shadow-4.1.4.2-underflow.patch new file mode 100644 index 0000000..87f8931 --- /dev/null +++ b/shadow-4.1.4.2-underflow.patch 
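Review bot: `SYS_GID_MIN` is now read twice with different fallbacks, `1UL` before the preferred-GID check and `201UL` after it, so the split between a reserved low range and a dynamic range exists only while login.defs leaves the key unset; once an administrator sets SYS_GID_MIN explicitly both reads return the same value and the lower bound the preferred-GID check presumably uses is no longer distinct. If two bounds are really intended, the comment `/* if we did not find free preffered system gid ... */` should say that the first read deliberately ignores the configured value, or the low bound should come from a separate documented key (placeholder: <reserved-range key>); the comment also misspells "preferred". The commit message speaks of reserved static IDs in general, but only find_new_gid.c is touched, and whether find_new_uid.c needs the same change is not visible here. find_new_gid continues outside the hunk.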
@@ -0,0 +1,43 @@
+diff -up shadow-4.1.4.2/src/faillog.c.overflow shadow-4.1.4.2/src/faillog.c
+--- shadow-4.1.4.2/src/faillog.c.overflow 2010-06-14 10:40:28.023030897 +0200
++++ shadow-4.1.4.2/src/faillog.c 2010-06-14 10:53:10.884034750 +0200
+@@ -106,8 +106,8 @@ static void print_one (/*@null@*/const s
+ return;
+ }
+
+- offset = pw->pw_uid * sizeof (fl);
+- if (offset <= (statbuf.st_size - sizeof (fl))) {
++ offset = (off_t) pw->pw_uid * sizeof (fl);
++ if (offset + sizeof (fl) <= statbuf.st_size) {
+ /* fseeko errors are not really relevant for us. */
+ int err = fseeko (fail, offset, SEEK_SET);
+ assert (0 == err);
+@@ -206,8 +206,8 @@ static bool reset_one (uid_t uid)
+ off_t offset;
+ struct faillog fl;
+
+- offset = uid * sizeof (fl);
+- if (offset <= (statbuf.st_size - sizeof (fl))) {
++ offset = (off_t) uid * sizeof (fl);
++ if (offset + sizeof (fl) <= statbuf.st_size) {
+ /* fseeko errors are not really relevant for us. */
+ int err = fseeko (fail, offset, SEEK_SET);
+ assert (0 == err);
+@@ -294,7 +294,7 @@ static bool setmax_one (uid_t uid, int m
+ struct faillog fl;
+
+ offset = (off_t) uid * sizeof (fl);
+- if (offset <= (statbuf.st_size - sizeof (fl))) {
++ if (offset + sizeof (fl) <= statbuf.st_size) {
+ /* fseeko errors are not really relevant for us. */
+ int err = fseeko (fail, offset, SEEK_SET);
+ assert (0 == err);
+@@ -385,7 +385,7 @@ static bool set_locktime_one (uid_t uid,
+ struct faillog fl;
+
+ offset = (off_t) uid * sizeof (fl);
+- if (offset <= (statbuf.st_size - sizeof (fl))) {
++ if (offset + sizeof (fl) <= statbuf.st_size) {
+ /* fseeko errors are not really relevant for us. */
+ int err = fseeko (fail, offset, SEEK_SET);
+ assert (0 == err);
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 78bdef5..ec06437 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
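Review bot: The new `if (offset + sizeof (fl) <= statbuf.st_size)` test is correct only because both operands are non-negative, and it mixes a signed off_t with an unsigned size_t, so it deserves a one-line comment explaining that it replaces `st_size - sizeof (fl)`, which wrapped to a huge unsigned value whenever the faillog file was shorter than one record (an empty file, for instance) and let every UID pass the bounds check. Casting the record size, `if (offset + (off_t) sizeof (fl) <= statbuf.st_size)`, keeps the whole expression in off_t instead of relying on the usual arithmetic conversions. The `(off_t)` in `offset = (off_t) pw->pw_uid * sizeof (fl)` prevents the multiplication from wrapping only when off_t is 64-bit; on a 32-bit off_t build a large UID could still overflow, which presumably does not matter if the package is built with large-file support, but is worth noting in the same comment. The bodies of print_one, reset_one, setmax_one and set_locktime_one continue outside the hunk.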
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -14,6 +14,8 @@ Patch3: shadow-4.1.4.2-fixes.patch Patch4: shadow-4.1.4.2-infoParentDir.patch Patch5: shadow-4.1.4.2-semange.patch Patch6: shadow-4.1.4.2-acl.patch +Patch7: shadow-4.1.4.2-underflow.patch +Patch8: shadow-4.1.4.2-uflg.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -46,6 +48,8 @@ are used for managing group accounts. %patch4 -p1 -b .infoParentDir %patch5 -p1 -b .semange %patch6 -p1 -b .acl +%patch7 -p1 -b .underflow +%patch8 -p1 -b .uflg iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -188,6 +192,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 14 2010 Peter Vrabec - 2:4.1.4.2-7 +- fix integer underflow in faillog (#603683) +- use preferred GID for reserved static IDs + * Thu Apr 29 2010 Peter Vrabec - 2:4.1.4.2-6 - preserve ACL's on files in /etc/skel Resolves: #513055 From 30f3024f752e3003570e39fe89af80bbfad74d1c Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 20 Jul 2010 09:20:10 +0000 Subject: [PATCH 053/151] fix pwck/grpck hang --- shadow-4.1.4.2-fixes.patch | 12 ------------ shadow-utils.spec | 6 +++++- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/shadow-4.1.4.2-fixes.patch b/shadow-4.1.4.2-fixes.patch index a7ab5b4..8451675 100644 --- a/shadow-4.1.4.2-fixes.patch +++ b/shadow-4.1.4.2-fixes.patch 
@@ -1,15 +1,3 @@ -diff -up shadow-4.1.4.2/lib/commonio.c.fixes shadow-4.1.4.2/lib/commonio.c ---- shadow-4.1.4.2/lib/commonio.c.fixes 2009-09-07 15:51:28.312139467 +0200 -+++ shadow-4.1.4.2/lib/commonio.c 2009-09-07 15:52:00.788140456 +0200 -@@ -710,7 +710,7 @@ commonio_sort (struct commonio_db *db, i - db->tail->prev = entries[n - 1]; - db->tail->next = NULL; - -- for (i = 1; i < n; i++) { -+ for (i = 1; i < (n-1); i++) { - entries[i]->prev = entries[i - 1]; - entries[i]->next = entries[i + 1]; - } diff -up shadow-4.1.4.2/libmisc/cleanup.c.fixes shadow-4.1.4.2/libmisc/cleanup.c --- shadow-4.1.4.2/libmisc/cleanup.c.fixes 2009-09-07 15:52:22.449035388 +0200 +++ shadow-4.1.4.2/libmisc/cleanup.c 2009-09-07 15:55:06.632033653 +0200 diff --git a/shadow-utils.spec b/shadow-utils.spec index ec06437..a09e6d8 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -192,6 +192,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jul 20 2010 Peter Vrabec - 2:4.1.4.2-8 +- fix pwck/grpck hang + Resolves: #586322 + * Mon Jun 14 2010 Peter Vrabec - 2:4.1.4.2-7 - fix integer underflow in faillog (#603683) - use preferred GID for reserved static IDs From 3c657e4c60801ed072db461aaa7dd5126f9478b5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 12:41:51 +0000 Subject: [PATCH 054/151] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 6 ------ branch | 1 - 3 files changed, 7 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 branch diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore 
diff --git a/Makefile b/Makefile deleted file mode 100644 index bb1e7db..0000000 --- a/Makefile +++ /dev/null @@ -1,6 +0,0 @@ -# Makefile for source rpm: shadow-utils -# $Id: Makefile,v 1.1 2004/09/09 12:21:12 cvsdist Exp $ -NAME := shadow-utils -SPECFILE = $(firstword $(wildcard *.spec)) - -include ../common/Makefile.common diff --git a/branch b/branch deleted file mode 100644 index c48525c..0000000 --- a/branch +++ /dev/null @@ -1 +0,0 @@ -F-7 From 11d8bcbcab3235819fde0409106f20e90bf999e8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 12:42:28 +0000 Subject: [PATCH 055/151] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- 2 files changed, 21 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index cd725e9..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: shadow-utils -# $Id: Makefile,v 1.4 2007/10/15 19:22:59 notting Exp $ -NAME := shadow-utils -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attempt a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) From 8d9482059f10642c789fb668526996a1d2eafdb1 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Thu, 6 Jan 2011 09:41:43 +0100 Subject: [PATCH 056/151] fix Bug #665780 - fix gshadow functions from shadow utils - make shadow utils use gshadow functions from glibc --- shadow-4.1.4.2-gshadow.patch | 49 ++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 9 ++++++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.4.2-gshadow.patch diff --git a/shadow-4.1.4.2-gshadow.patch b/shadow-4.1.4.2-gshadow.patch new file mode 100644 index 0000000..6e4e911 --- /dev/null +++ b/shadow-4.1.4.2-gshadow.patch 
@@ -0,0 +1,49 @@
+diff -up shadow-4.1.4.2/configure.gshadow shadow-4.1.4.2/configure
+--- shadow-4.1.4.2/configure.gshadow 2011-01-05 16:29:33.355695459 +0100
++++ shadow-4.1.4.2/configure 2011-01-05 16:29:58.322687480 +0100
+@@ -18220,7 +18220,7 @@ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
+
+- #include
++ #include
+ main()
+ {
+ struct sgrp *sg = sgetsgent("test:x::");
+diff -up shadow-4.1.4.2/lib/defines.h.gshadow shadow-4.1.4.2/lib/defines.h
+--- shadow-4.1.4.2/lib/defines.h.gshadow 2011-01-05 16:29:21.914687787 +0100
++++ shadow-4.1.4.2/lib/defines.h 2011-01-05 16:29:58.323739225 +0100
+@@ -134,6 +134,10 @@ char *strchr (), *strrchr (), *strtok ()
+ * - /usr/include/shadow.h exists, but we use our own gshadow.h.
+ */
+ #include
++#if defined(HAVE_SHADOWGRP)
++#include
++#define sg_name sg_namp
++#endif
+ #if defined(SHADOWGRP) && !defined(GSHADOW)
+ #include "gshadow_.h"
+ #endif
+diff -up shadow-4.1.4.2/lib/gshadow.c.gshadow shadow-4.1.4.2/lib/gshadow.c
+--- shadow-4.1.4.2/lib/gshadow.c.gshadow 2009-06-12 19:50:23.000000000 +0200
++++ shadow-4.1.4.2/lib/gshadow.c 2011-01-05 16:28:55.207685148 +0100
+@@ -223,6 +223,7 @@ void endsgent (void)
+ if (NULL == buf) {
+ return NULL;
+ }
++ buflen = BUFSIZ;
+ }
+
+ if (NULL == fp) {
+@@ -230,9 +231,9 @@ void endsgent (void)
+ }
+
+ #ifdef USE_NIS
+- while (fgetsx (buf, (int) sizeof buf, fp) == buf)
++ while (fgetsx (buf, (int) buflen, fp) == buf)
+ #else
+- if (fgetsx (buf, (int) sizeof buf, fp) == buf)
++ if (fgetsx (buf, (int) buflen, fp) == buf)
+ #endif
+ {
+ while ( ((cp = strrchr (buf, '\n')) == NULL)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index a09e6d8..1afc5c5 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
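Review bot: `buflen = BUFSIZ;` is assigned only inside the `if (NULL == buf)` allocation branch, and the new `fgetsx (buf, (int) buflen, fp)` calls trust it to be the current size of `buf`; the continuation loop that starts at `while ( ((cp = strrchr (buf, '\n')) == NULL)` is cut off by the hunk, and if it grows `buf` with realloc it must update `buflen` at the same point, or the next fgetsx is handed a stale, too-small or too-large limit. A comment at the assignment would pin the invariant: `/* buflen must always equal the allocated size of buf; keep it in sync with every realloc below */`. It is also worth saying in the patch header that the old `(int) sizeof buf` on a heap pointer passed sizeof(char *) as the line limit, which is the bug being fixed. Separately, `#define sg_name sg_namp` in defines.h renames every identifier `sg_name` in every translation unit that includes the header, not only the struct member, which is fragile; an accessor or a narrower conditional around the field name would be safer.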
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -16,6 +16,7 @@ Patch5: shadow-4.1.4.2-semange.patch Patch6: shadow-4.1.4.2-acl.patch Patch7: shadow-4.1.4.2-underflow.patch Patch8: shadow-4.1.4.2-uflg.patch +Patch9: shadow-4.1.4.2-gshadow.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -50,6 +51,7 @@ are used for managing group accounts. %patch6 -p1 -b .acl %patch7 -p1 -b .underflow %patch8 -p1 -b .uflg +%patch9 -p1 -b .gshadow iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -192,6 +194,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Jan 05 2011 Peter Vrabec - 2:4.1.4.2-9 +- fix gshadow functions from shadow utils +- make shadow utils use gshadow functions from glibc + Resolves: #665780 + * Tue Jul 20 2010 Peter Vrabec - 2:4.1.4.2-8 - fix pwck/grpck hang Resolves: #586322 From b76f93c25bde652f47319783dfc5da6167422ecf Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 1 Feb 2011 17:10:35 +0100 Subject: [PATCH 057/151] - do not use gshadow functions from glibc(#674234) --- shadow-4.1.4.2-gshadow.patch | 26 -------------------------- shadow-utils.spec | 7 ++++++- 2 files changed, 6 insertions(+), 27 deletions(-) diff --git a/shadow-4.1.4.2-gshadow.patch b/shadow-4.1.4.2-gshadow.patch index 6e4e911..1cf5ba6 100644 --- a/shadow-4.1.4.2-gshadow.patch +++ b/shadow-4.1.4.2-gshadow.patch 
@@ -1,29 +1,3 @@ -diff -up shadow-4.1.4.2/configure.gshadow shadow-4.1.4.2/configure ---- shadow-4.1.4.2/configure.gshadow 2011-01-05 16:29:33.355695459 +0100 -+++ shadow-4.1.4.2/configure 2011-01-05 16:29:58.322687480 +0100 -@@ -18220,7 +18220,7 @@ cat confdefs.h >>conftest.$ac_ext - cat >>conftest.$ac_ext <<_ACEOF - /* end confdefs.h. */ - -- #include -+ #include - main() - { - struct sgrp *sg = sgetsgent("test:x::"); -diff -up shadow-4.1.4.2/lib/defines.h.gshadow shadow-4.1.4.2/lib/defines.h ---- shadow-4.1.4.2/lib/defines.h.gshadow 2011-01-05 16:29:21.914687787 +0100 -+++ shadow-4.1.4.2/lib/defines.h 2011-01-05 16:29:58.323739225 +0100 -@@ -134,6 +134,10 @@ char *strchr (), *strrchr (), *strtok () - * - /usr/include/shadow.h exists, but we use our own gshadow.h. - */ - #include -+#if defined(HAVE_SHADOWGRP) -+#include -+#define sg_name sg_namp -+#endif - #if defined(SHADOWGRP) && !defined(GSHADOW) - #include "gshadow_.h" - #endif diff -up shadow-4.1.4.2/lib/gshadow.c.gshadow shadow-4.1.4.2/lib/gshadow.c --- shadow-4.1.4.2/lib/gshadow.c.gshadow 2009-06-12 19:50:23.000000000 +0200 +++ shadow-4.1.4.2/lib/gshadow.c 2011-01-05 16:28:55.207685148 +0100 diff --git a/shadow-utils.spec b/shadow-utils.spec index 1afc5c5..bc9b61f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -194,6 +194,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 01 2011 Peter Vrabec - 2:4.1.4.2-10 +- do not use gshadow functions from glibc, there is a bug + in glibc sgetsgent(#674361) + Resolves: #674234 + * Wed Jan 05 2011 Peter Vrabec - 2:4.1.4.2-9 - fix gshadow functions from shadow utils - make shadow utils use gshadow functions from glibc 
From ca4ecc57a635f7bbb24689d18440f6dcefa22e1d Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 9 Feb 2011 11:07:44 +0100 Subject: [PATCH 058/151] useradd man page (-m option) #523265 --- shadow-4.1.4.2-redhat.patch | 18 +++++++++++++++--- shadow-utils.spec | 6 +++++- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/shadow-4.1.4.2-redhat.patch b/shadow-4.1.4.2-redhat.patch index 2b9e334..da39e65 100644 --- a/shadow-4.1.4.2-redhat.patch +++ b/shadow-4.1.4.2-redhat.patch @@ -1,6 +1,6 @@ diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.redhat shadow-4.1.4.2/libmisc/find_new_gid.c --- shadow-4.1.4.2/libmisc/find_new_gid.c.redhat 2009-07-18 01:53:42.000000000 +0200 -+++ shadow-4.1.4.2/libmisc/find_new_gid.c 2009-09-07 16:34:26.640814090 +0200 ++++ shadow-4.1.4.2/libmisc/find_new_gid.c 2011-02-09 11:04:06.009400412 +0100 @@ -58,11 +58,11 @@ int find_new_gid (bool sys_group, assert (gid != NULL); @@ -18,7 +18,7 @@ diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.redhat shadow-4.1.4.2/libmisc/fin used_gids = alloca (sizeof (bool) * (gid_max +1)); diff -up shadow-4.1.4.2/libmisc/find_new_uid.c.redhat shadow-4.1.4.2/libmisc/find_new_uid.c --- shadow-4.1.4.2/libmisc/find_new_uid.c.redhat 2009-07-18 01:53:43.000000000 +0200 -+++ shadow-4.1.4.2/libmisc/find_new_uid.c 2009-09-07 16:34:19.695877000 +0200 ++++ shadow-4.1.4.2/libmisc/find_new_uid.c 2011-02-09 11:04:06.009400412 +0100 @@ -58,11 +58,11 @@ int find_new_uid (bool sys_user, assert (uid != NULL); 
@@ -34,9 +34,21 @@ diff -up shadow-4.1.4.2/libmisc/find_new_uid.c.redhat shadow-4.1.4.2/libmisc/fin uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); } used_uids = alloca (sizeof (bool) * (uid_max +1)); +diff -up shadow-4.1.4.2/man/useradd.8.redhat shadow-4.1.4.2/man/useradd.8 +--- shadow-4.1.4.2/man/useradd.8.redhat 2009-07-24 03:16:44.000000000 +0200 ++++ shadow-4.1.4.2/man/useradd.8 2011-02-09 11:04:24.851151246 +0100 +@@ -211,7 +211,7 @@ Create the user\'s home directory if it + \fB\-k\fR + option) will be copied to the home directory\&. + .sp +-By default, no home directories are created\&. ++The home directories are created by default on RHEL/Fedora systems because of /etc/login.defs (\fBCREATE_HOME\fR) setting\&. + .RE + .PP + \fB\-M\fR diff -up shadow-4.1.4.2/src/useradd.c.redhat shadow-4.1.4.2/src/useradd.c --- shadow-4.1.4.2/src/useradd.c.redhat 2009-06-06 00:16:58.000000000 +0200 -+++ shadow-4.1.4.2/src/useradd.c 2009-09-07 16:34:01.402878101 +0200 ++++ shadow-4.1.4.2/src/useradd.c 2011-02-09 11:04:06.031036886 +0100 @@ -90,7 +90,7 @@ char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; diff --git a/shadow-utils.spec b/shadow-utils.spec index bc9b61f..17f1aed 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -194,6 +194,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 09 2011 Peter Vrabec - 2:4.1.4.2-11 +- useradd man page (-m option) + Resolves: #523265 + * Tue Feb 01 2011 Peter Vrabec - 2:4.1.4.2-10 - do not use gshadow functions from glibc, there is a bug in glibc sgetsgent(#674361) From e997448056adfbcbe9c38ddc0f9e50b104ab6743 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Thu, 10 Feb 2011 11:23:21 +0100 Subject: [PATCH 059/151] home directory on fs with noacl + remove faillog --- shadow-4.1.4.2-acl.patch | 58 ++++++++++++++++++++++++++++++---------- shadow-utils.spec | 12 ++++++--- 2 files changed, 52 insertions(+), 18 deletions(-) diff --git a/shadow-4.1.4.2-acl.patch b/shadow-4.1.4.2-acl.patch index 9af543c..0071c31 100644 --- a/shadow-4.1.4.2-acl.patch +++ b/shadow-4.1.4.2-acl.patch @@ -1,6 +1,6 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c ---- shadow-4.1.4.2/libmisc/copydir.c.acl 2010-04-29 15:55:26.949959971 +0200 -+++ shadow-4.1.4.2/libmisc/copydir.c 2010-04-29 15:55:26.956960471 +0200 +--- shadow-4.1.4.2/libmisc/copydir.c.acl 2011-02-09 17:35:23.455413575 +0100 ++++ shadow-4.1.4.2/libmisc/copydir.c 2011-02-09 17:49:17.606330202 +0100 @@ -45,6 +45,9 @@ #ifdef WITH_SELINUX #include @@ -20,7 +20,7 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c const struct stat *statp, const struct timeval mt[], long int uid, long int gid); static int copy_file (const char *src, const char *dst, -@@ -78,6 +81,24 @@ static int copy_file (const char *src, c +@@ -78,6 +81,28 @@ static int copy_file (const char *src, c long int uid, long int gid); #ifdef WITH_SELINUX @@ -28,6 +28,10 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c +void error (struct error_context *ctx, const char *fmt, ...) +{ + va_list ap; ++ ++ /* ignore the case when destination does not support ACLs */ ++ if(errno==EOPNOTSUPP) ++ return; + + va_start (ap, fmt); + (void) fprintf (stderr, _("%s: "), Prog); @@ -45,7 +49,7 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c /* * selinux_file_context - Set the security context before any file or * directory creation. -@@ -369,7 +390,7 @@ static int copy_entry (const char *src, +@@ -369,7 +394,7 @@ static int copy_entry (const char *src, */ else if (!S_ISREG (sb.st_mode)) { 
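Review bot: The added `if(errno==EOPNOTSUPP) return;` in the libacl `error` callback reads errno that the callers of perm_copy_file/perm_copy_fd also inspect after the call returns, and on every other error the callback goes on to call fprintf, which may itself change errno; today that is harmless because a clobbered value is still not EOPNOTSUPP, but the check only stays correct by accident. Saving and restoring errno around the printing, `int saved_errno = errno;` at the top and `errno = saved_errno;` before returning, makes the callback errno-transparent and removes the dependency on fprintf's behaviour. The comment should also say that this relies on libacl invoking the callback immediately after the failing call, with errno still set, which is inferred rather than visible here.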
@@ -54,15 +58,30 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c } /* -@@ -413,6 +434,7 @@ static int copy_dir (const char *src, co +@@ -413,8 +438,20 @@ static int copy_dir (const char *src, co || (chown (dst, (uid == - 1) ? statp->st_uid : (uid_t) uid, (gid == - 1) ? statp->st_gid : (gid_t) gid) != 0) -+ || (perm_copy_file (src, dst, &ctx) != 0) - || (chmod (dst, statp->st_mode) != 0) - || (copy_tree (src, dst, uid, gid) != 0) +- || (chmod (dst, statp->st_mode) != 0) +- || (copy_tree (src, dst, uid, gid) != 0) ++ || (chmod (dst, statp->st_mode) != 0)) { ++ err = -1; ++ return err; ++ } ++ ++ /* ignore the case when destination does not support ACLs */ ++ if (perm_copy_file (src, dst, &ctx) != 0) { ++ if (errno!=EOPNOTSUPP) { ++ err = -1; ++ return err; ++ } ++ } ++ ++ if ((copy_tree (src, dst, uid, gid) != 0) || (utimes (dst, mt) != 0)) { -@@ -514,6 +536,13 @@ static int copy_symlink (const char *src + err = -1; + } +@@ -514,6 +551,13 @@ static int copy_symlink (const char *src || (lchown (dst, (uid == -1) ? statp->st_uid : (uid_t) uid, (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)) { @@ -76,7 +95,7 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c free (oldlink); return -1; } -@@ -542,7 +571,7 @@ static int copy_symlink (const char *src +@@ -542,7 +586,7 @@ static int copy_symlink (const char *src static int copy_hardlink (const char *src, const char *dst, struct link_name *lp) { @@ -85,7 +104,7 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c if (link (lp->ln_name, dst) != 0) { return -1; -@@ -574,7 +603,7 @@ static int copy_hardlink (const char *sr +@@ -574,7 +618,7 @@ static int copy_hardlink (const char *sr * * Return 0 on success, -1 on error. */ 
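Review bot: Treating EOPNOTSUPP from `perm_copy_file (src, dst, &ctx)` as success deserves a caveat in the comment above it: on Linux, when the source entry carries an extended ACL, the group bits of `statp->st_mode` that `chmod (dst, statp->st_mode)` just applied are the ACL mask rather than the `group::` entry, so on a filesystem without ACL support the copy can grant the owning group more than the source's group entry allowed. For /etc/skel entries that are chowned to the new user this is probably acceptable, but it should be a conscious decision, e.g. `/* EOPNOTSUPP: dst has no ACL support; the mode bits set above are then the only permissions and their group bits reflect the ACL mask */`. The `errno!=EOPNOTSUPP` test also assumes libacl leaves errno at the failing call's value after running the error callback, so a note that the callback must not clobber errno belongs here too. copy_dir begins and ends outside the hunk.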
@@ -94,18 +113,29 @@ diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c const struct stat *statp, const struct timeval mt[], long int uid, long int gid) { -@@ -628,7 +657,7 @@ static int copy_file (const char *src, c +@@ -628,11 +672,18 @@ static int copy_file (const char *src, c || (fchown (ofd, (uid == -1) ? statp->st_uid : (uid_t) uid, (gid == -1) ? statp->st_gid : (gid_t) gid) != 0) - || (fchmod (ofd, statp->st_mode & 07777) != 0)) { -+ || (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) ) { ++ || (fchmod (ofd, statp->st_mode & 07777) != 0)) { (void) close (ifd); return -1; } + ++ if (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) { ++ if (errno!=EOPNOTSUPP) { ++ (void) close (ifd); ++ return -1; ++ } ++ } ++ + while ((cnt = read (ifd, buf, sizeof buf)) > 0) { + if (write (ofd, buf, (size_t)cnt) != cnt) { + return -1; diff -up shadow-4.1.4.2/src/Makefile.in.acl shadow-4.1.4.2/src/Makefile.in --- shadow-4.1.4.2/src/Makefile.in.acl 2009-07-24 03:16:00.000000000 +0200 -+++ shadow-4.1.4.2/src/Makefile.in 2010-04-29 16:08:34.347960372 +0200 ++++ shadow-4.1.4.2/src/Makefile.in 2011-02-09 17:35:23.470411800 +0100 @@ -430,9 +430,9 @@ su_SOURCES = \ su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) diff --git a/shadow-utils.spec b/shadow-utils.spec index 17f1aed..a797592 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -98,6 +98,7 @@ rm $RPM_BUILD_ROOT/%{_bindir}/groups rm $RPM_BUILD_ROOT/%{_bindir}/login rm $RPM_BUILD_ROOT/%{_bindir}/passwd rm $RPM_BUILD_ROOT/%{_bindir}/su +rm $RPM_BUILD_ROOT/%{_bindir}/faillog rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd 
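Review bot: The new error path after `perm_copy_fd (src, ifd, dst, ofd, &ctx)` closes `ifd` only; at that point `ofd` has been opened and fchown/fchmod'd successfully (the preceding `if` returned otherwise), so `return -1` leaks the output descriptor. It should read `(void) close (ifd); (void) close (ofd); return -1;`, and the adjacent context lines `if (write (ofd, buf, (size_t)cnt) != cnt) { return -1; }` leak both descriptors in the same way, which this commit does not address. Because perm_copy_fd now runs before the data copy, an ACL failure with an errno other than EOPNOTSUPP also leaves an empty dst file behind, as the previous ordering did; if the caller is expected to remove the partial home directory, a comment saying so would settle it, otherwise unlink dst on that path. copy_file continues outside the hunk.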
@@ -135,6 +136,10 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* +rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.* +rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.* +rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.* +rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.* find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete %find_lang shadow @@ -157,7 +162,6 @@ rm -rf $RPM_BUILD_ROOT %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %{_bindir}/sg %{_bindir}/chage -%{_bindir}/faillog %{_bindir}/gpasswd %{_bindir}/lastlog %{_bindir}/newgrp @@ -179,7 +183,6 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* %{_mandir}/man5/gshadow.5* -%{_mandir}/man5/faillog.5* %{_mandir}/man8/adduser.8* %{_mandir}/man8/group*.8* %{_mandir}/man8/user*.8* @@ -189,14 +192,15 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/newusers.8* %{_mandir}/man8/*conv.8* %{_mandir}/man8/lastlog.8* -%{_mandir}/man8/faillog.8* %{_mandir}/man8/vipw.8* %{_mandir}/man8/vigr.8* %changelog * Wed Feb 09 2011 Peter Vrabec - 2:4.1.4.2-11 - useradd man page (-m option) - Resolves: #523265 +- create home directory on fs with noacl +- remove faillog app (pam_tally.so is no longer shipped) + Resolves: #523265, #622320 * Tue Feb 01 2011 Peter Vrabec - 2:4.1.4.2-10 - do not use gshadow functions from glibc, there is a bug From 5d7612da5b7be0c7ce8bad72c4d69a8f347696db Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Mon, 23 May 2011 14:58:07 +0200 Subject: [PATCH 060/151] upgrade --- .gitignore | 1 + shadow-4.1.4.2-redhat.patch | 36 ------------ shadow-4.1.4.2-uflg.patch | 25 -------- shadow-4.1.4.3-IDs.patch | 58 +++++++++++++++++++ ...ame.patch => shadow-4.1.4.3-goodname.patch | 24 ++++---- shadow-4.1.4.3-nopam.patch | 32 ++++++++++ shadow-4.1.4.3-uflg.patch | 23 ++++++++ shadow-utils.login.defs | 14 +++-- shadow-utils.spec | 17 ++++-- sources | 2 +- 10 files changed, 150 insertions(+), 82 deletions(-) delete mode 100644 shadow-4.1.4.2-uflg.patch create mode 100644 shadow-4.1.4.3-IDs.patch rename shadow-4.1.4.1-goodname.patch => shadow-4.1.4.3-goodname.patch (72%) create mode 100644 shadow-4.1.4.3-nopam.patch create mode 100644 shadow-4.1.4.3-uflg.patch diff --git a/.gitignore b/.gitignore index ccacfb0..d99615d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ shadow-4.1.4.2.tar.bz2 +/shadow-4.1.4.3.tar.bz2 diff --git a/shadow-4.1.4.2-redhat.patch b/shadow-4.1.4.2-redhat.patch index da39e65..fb2a437 100644 --- a/shadow-4.1.4.2-redhat.patch +++ b/shadow-4.1.4.2-redhat.patch 
@@ -1,39 +1,3 @@ -diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.redhat shadow-4.1.4.2/libmisc/find_new_gid.c ---- shadow-4.1.4.2/libmisc/find_new_gid.c.redhat 2009-07-18 01:53:42.000000000 +0200 -+++ shadow-4.1.4.2/libmisc/find_new_gid.c 2011-02-09 11:04:06.009400412 +0100 -@@ -58,11 +58,11 @@ int find_new_gid (bool sys_group, - assert (gid != NULL); - - if (!sys_group) { -- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); -+ gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); - gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); - } else { -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); -+ gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - } - used_gids = alloca (sizeof (bool) * (gid_max +1)); -diff -up shadow-4.1.4.2/libmisc/find_new_uid.c.redhat shadow-4.1.4.2/libmisc/find_new_uid.c ---- shadow-4.1.4.2/libmisc/find_new_uid.c.redhat 2009-07-18 01:53:43.000000000 +0200 -+++ shadow-4.1.4.2/libmisc/find_new_uid.c 2011-02-09 11:04:06.009400412 +0100 -@@ -58,11 +58,11 @@ int find_new_uid (bool sys_user, - assert (uid != NULL); - - if (!sys_user) { -- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); - uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); - } else { -- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); -- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; -+ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 201UL); -+ uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; - uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); - } - used_uids = alloca (sizeof (bool) * (uid_max +1)); diff -up shadow-4.1.4.2/man/useradd.8.redhat shadow-4.1.4.2/man/useradd.8 --- shadow-4.1.4.2/man/useradd.8.redhat 2009-07-24 03:16:44.000000000 +0200 +++ shadow-4.1.4.2/man/useradd.8 
2011-02-09 11:04:24.851151246 +0100 diff --git a/shadow-4.1.4.2-uflg.patch b/shadow-4.1.4.2-uflg.patch deleted file mode 100644 index be1a73e..0000000 --- a/shadow-4.1.4.2-uflg.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.uflg shadow-4.1.4.2/libmisc/find_new_gid.c ---- shadow-4.1.4.2/libmisc/find_new_gid.c.uflg 2010-05-21 11:31:36.069929199 +0200 -+++ shadow-4.1.4.2/libmisc/find_new_gid.c 2010-05-21 11:31:47.600963338 +0200 -@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, - gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); - gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); - } else { -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 1UL); - gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - } -@@ -79,7 +79,11 @@ int find_new_gid (bool sys_group, - *gid = *preferred_gid; - return 0; - } -- -+ -+ /* if we did not find free preffered system gid, we start to look for -+ * one in the range assigned to dynamic system IDs */ -+ if (sys_group) -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); - - /* - * Search the entire group file, diff --git a/shadow-4.1.4.3-IDs.patch b/shadow-4.1.4.3-IDs.patch new file mode 100644 index 0000000..3e5ea23 --- /dev/null +++ b/shadow-4.1.4.3-IDs.patch 
@@ -0,0 +1,58 @@
+diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.IDs shadow-4.1.4.3/libmisc/find_new_gid.c
+--- shadow-4.1.4.3/libmisc/find_new_gid.c.IDs 2011-05-20 22:45:27.852146758 +0200
++++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-05-20 22:47:45.977909798 +0200
+@@ -32,6 +32,7 @@
+
+ #include
+ #include
++#include
+
+ #include "prototypes.h"
+ #include "groupio.h"
+@@ -65,7 +66,12 @@ int find_new_gid (bool sys_group,
+ gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
+ gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
+ }
+- used_gids = alloca (sizeof (bool) * (gid_max +1));
++ used_gids = malloc (sizeof (bool) * (gid_max +1));
++ if(used_gids==NULL) {
++ fprintf (stderr,
++ _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno));
++ return -1;
++ }
+ memset (used_gids, false, sizeof (bool) * (gid_max + 1));
+
+ if ( (NULL != preferred_gid)
+diff -up shadow-4.1.4.3/libmisc/find_new_uid.c.IDs shadow-4.1.4.3/libmisc/find_new_uid.c
+--- shadow-4.1.4.3/libmisc/find_new_uid.c.IDs 2011-02-13 18:58:11.000000000 +0100
++++ shadow-4.1.4.3/libmisc/find_new_uid.c 2011-05-20 22:47:45.977909798 +0200
+@@ -32,6 +32,7 @@
+
+ #include
+ #include
++#include
+
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -65,7 +66,12 @@ int find_new_uid (bool sys_user,
+ uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
+ uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max);
+ }
+- used_uids = alloca (sizeof (bool) * (uid_max +1));
++ used_uids = malloc (sizeof (bool) * (uid_max +1));
++ if(used_uids==NULL) {
++ fprintf (stderr,
++ _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno));
++ return -1;
++ }
+ memset (used_uids, false, sizeof (bool) * (uid_max + 1));
+
+ if ( (NULL != preferred_uid)
+@@ -178,6 +184,7 @@ int find_new_uid (bool sys_user,
+ }
+ }
+
++ free(used_uids);
+ *uid = user_id;
+ return 0;
+ }
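Review bot: `free(used_uids);` is reached only on the success path at the end of find_new_uid, while the `return 0` that follows `*uid = *preferred_uid` (the preferred-UID check sits right after the malloc) now leaks the array, as does any error return in the part of the body the hunk cuts off, and find_new_gid.c gets the malloc but no free at all in this patch. A `free (used_uids)` before each return, or a single cleanup label, would finish the alloca-to-malloc conversion in both files. The size expression `sizeof (bool) * (gid_max +1)` is still evaluated with `gid_max + 1` in gid_t, so a login.defs GID_MAX or UID_MAX equal to the maximum id value wraps the count to 0, the allocation becomes zero-length and every later `used_gids[...]` write goes out of bounds; `used_gids = calloc ((size_t) gid_max + 1, sizeof *used_gids);` avoids the wrap, makes the memset redundant, and fails cleanly on overflow. The NULL check itself is the right move, since an administrator-configured range of a few billion entries on the stack was a crash waiting to happen.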
diff --git a/shadow-4.1.4.1-goodname.patch b/shadow-4.1.4.3-goodname.patch similarity index 72% rename from shadow-4.1.4.1-goodname.patch rename to shadow-4.1.4.3-goodname.patch index 7ba4c2c..7e1ba24 100644 --- a/shadow-4.1.4.1-goodname.patch +++ b/shadow-4.1.4.3-goodname.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.1.4.1/libmisc/chkname.c.goodname shadow-4.1.4.1/libmisc/chkname.c ---- shadow-4.1.4.1/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200 -+++ shadow-4.1.4.1/libmisc/chkname.c 2009-06-16 13:47:08.000000000 +0200 +diff -up shadow-4.1.4.3/libmisc/chkname.c.goodname shadow-4.1.4.3/libmisc/chkname.c +--- shadow-4.1.4.3/libmisc/chkname.c.goodname 2011-02-13 18:58:11.000000000 +0100 ++++ shadow-4.1.4.3/libmisc/chkname.c 2011-05-18 20:38:50.639341048 +0200 @@ -49,20 +49,28 @@ static bool is_valid_name (const char *name) { 
@@ -40,24 +40,24 @@ diff -up shadow-4.1.4.1/libmisc/chkname.c.goodname shadow-4.1.4.1/libmisc/chknam return false; } } -diff -up shadow-4.1.4.1/man/groupadd.8.goodname shadow-4.1.4.1/man/groupadd.8 ---- shadow-4.1.4.1/man/groupadd.8.goodname 2009-05-22 15:56:08.000000000 +0200 -+++ shadow-4.1.4.1/man/groupadd.8 2009-06-16 13:50:41.000000000 +0200 -@@ -153,9 +153,7 @@ Shadow password suite configuration\&. +diff -up shadow-4.1.4.3/man/groupadd.8.goodname shadow-4.1.4.3/man/groupadd.8 +--- shadow-4.1.4.3/man/groupadd.8.goodname 2011-02-16 00:12:34.000000000 +0100 ++++ shadow-4.1.4.3/man/groupadd.8 2011-05-18 20:42:53.204324534 +0200 +@@ -162,9 +162,7 @@ Shadow password suite configuration\&. .RE .SH "CAVEATS" .PP -Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? -.PP --Groupnames may only be up to 16 characters long\&. +-Groupnames may only be up to characters long\&. +Groupnames may only be up to 32 characters long\&. .PP You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. .PP -diff -up shadow-4.1.4.1/man/useradd.8.goodname shadow-4.1.4.1/man/useradd.8 ---- shadow-4.1.4.1/man/useradd.8.goodname 2009-05-22 15:56:28.000000000 +0200 -+++ shadow-4.1.4.1/man/useradd.8 2009-06-16 13:51:17.000000000 +0200 -@@ -405,8 +405,6 @@ Similarly, if the username already exist +diff -up shadow-4.1.4.3/man/useradd.8.goodname shadow-4.1.4.3/man/useradd.8 +--- shadow-4.1.4.3/man/useradd.8.goodname 2011-05-18 20:38:50.635376546 +0200 ++++ shadow-4.1.4.3/man/useradd.8 2011-05-18 20:38:50.641332694 +0200 +@@ -414,8 +414,6 @@ Similarly, if the username already exist \fBuseradd\fR will deny the user account creation request\&. .PP diff --git a/shadow-4.1.4.3-nopam.patch b/shadow-4.1.4.3-nopam.patch new file mode 100644 index 0000000..8307f7e --- /dev/null 
+++ b/shadow-4.1.4.3-nopam.patch @@ -0,0 +1,32 @@ +diff -up shadow-4.1.4.3/man/ru/Makefile.in.nopam shadow-4.1.4.3/man/ru/Makefile.in +--- shadow-4.1.4.3/man/ru/Makefile.in.nopam 2011-05-20 22:42:23.145018292 +0200 ++++ shadow-4.1.4.3/man/ru/Makefile.in 2011-05-20 22:43:56.654017229 +0200 +@@ -150,7 +150,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ + PACKAGE_NAME = @PACKAGE_NAME@ + PACKAGE_STRING = @PACKAGE_STRING@ + PACKAGE_TARNAME = @PACKAGE_TARNAME@ +-PACKAGE_URL = @PACKAGE_URL@ + PACKAGE_VERSION = @PACKAGE_VERSION@ + PATH_SEPARATOR = @PATH_SEPARATOR@ + POSUB = @POSUB@ +@@ -222,13 +221,13 @@ target_alias = @target_alias@ + top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ +-man_MANS = $(man_nopam) chage.1 chfn.1 chgpasswd.8 chpasswd.8 chsh.1 \ +- expiry.1 faillog.5 faillog.8 getspnam.3 gpasswd.1 groupadd.8 \ +- groupdel.8 groupmems.8 groupmod.8 groups.1 grpck.8 grpconv.8 \ +- grpunconv.8 gshadow.5 lastlog.8 login.1 login.defs.5 logoutd.8 \ +- newgrp.1 newusers.8 nologin.8 passwd.1 passwd.5 pwck.8 \ +- pwconv.8 pwunconv.8 sg.1 shadow.3 shadow.5 su.1 suauth.5 \ +- useradd.8 userdel.8 usermod.8 vigr.8 vipw.8 $(am__append_1) ++man_MANS = chage.1 chfn.1 chgpasswd.8 chpasswd.8 chsh.1 expiry.1 \ ++ faillog.5 faillog.8 getspnam.3 gpasswd.1 groupadd.8 groupdel.8 \ ++ groupmems.8 groupmod.8 groups.1 grpck.8 grpconv.8 grpunconv.8 \ ++ gshadow.5 lastlog.8 login.1 login.defs.5 logoutd.8 newgrp.1 \ ++ newusers.8 nologin.8 passwd.1 passwd.5 pwck.8 pwconv.8 \ ++ pwunconv.8 sg.1 shadow.3 shadow.5 su.1 suauth.5 useradd.8 \ ++ userdel.8 usermod.8 vigr.8 vipw.8 $(am__append_1) + man_nopam = \ + limits.5 \ + login.access.5 \ diff --git a/shadow-4.1.4.3-uflg.patch b/shadow-4.1.4.3-uflg.patch new file mode 100644 index 0000000..1c9f58f --- /dev/null +++ b/shadow-4.1.4.3-uflg.patch 
@@ -0,0 +1,23 @@ +diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.uflg shadow-4.1.4.3/libmisc/find_new_gid.c +--- shadow-4.1.4.3/libmisc/find_new_gid.c.uflg 2011-05-20 21:18:24.474018778 +0200 ++++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-05-20 21:18:43.178018729 +0200 +@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, + gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); + gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); + } else { +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ gid_min = (gid_t) 1; + gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } +@@ -80,6 +80,10 @@ int find_new_gid (bool sys_group, + return 0; + } + ++ /* if we did not find free preffered system gid, we start to look for ++ * one in the range assigned to dynamic system IDs */ ++ if (sys_group) ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); + + /* + * Search the entire group file, diff --git a/shadow-utils.login.defs b/shadow-utils.login.defs index b24946d..5b56cd3 100644 --- a/shadow-utils.login.defs +++ b/shadow-utils.login.defs @@ -22,14 +22,20 @@ PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # -UID_MIN 500 -UID_MAX 60000 +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 201 +SYS_UID_MAX 999 # # Min/max values for automatic gid selection in groupadd # -GID_MIN 500 -GID_MAX 60000 +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 201 +SYS_GID_MAX 999 # # If defined, this command is run when removing a user. diff --git a/shadow-utils.spec b/shadow-utils.spec index a797592..c8edc0f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
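Review bot: The `if (sys_group)` added after the preferred-GID early return is braceless and its comment misspells "preferred"; `/* The preferred system GID was not free: continue the search in the range assigned to dynamic system IDs. */ if (sys_group) { gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); }` reads cleaner. That comment should also record that lowering gid_min to 1 before the preferred check means a caller-supplied system GID anywhere in 1..gid_max is accepted without consulting SYS_GID_MIN, which appears to be the intent of this change. find_new_gid starts before and ends after this hunk.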
@@ -1,22 +1,24 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.4.2 -Release: 11%{?dist} +Version: 4.1.4.3 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Patch0: shadow-4.1.4.2-redhat.patch -Patch1: shadow-4.1.4.1-goodname.patch +Patch1: shadow-4.1.4.3-goodname.patch Patch2: shadow-4.1.4.2-leak.patch Patch3: shadow-4.1.4.2-fixes.patch Patch4: shadow-4.1.4.2-infoParentDir.patch Patch5: shadow-4.1.4.2-semange.patch Patch6: shadow-4.1.4.2-acl.patch Patch7: shadow-4.1.4.2-underflow.patch -Patch8: shadow-4.1.4.2-uflg.patch +Patch8: shadow-4.1.4.3-uflg.patch Patch9: shadow-4.1.4.2-gshadow.patch +Patch10: shadow-4.1.4.3-nopam.patch +Patch11: shadow-4.1.4.3-IDs.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -52,6 +54,8 @@ are used for managing group accounts. %patch7 -p1 -b .underflow %patch8 -p1 -b .uflg %patch9 -p1 -b .gshadow +%patch10 -p1 -b .nopam +%patch11 -p1 -b .IDs iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -196,6 +200,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri May 20 2011 Peter Vrabec - 2:4.1.4.3-1 +- upgrade +- change UID/GID_MIN to #1000 +- fix find_new_uid/gid for big UID/GID_MAX + * Wed Feb 09 2011 Peter Vrabec - 2:4.1.4.2-11 - useradd man page (-m option) - create home directory on fs with noacl diff --git a/sources b/sources index 1922174..d82ed7b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d593a9cab93c48ee0a6ba056db8c1997 shadow-4.1.4.2.tar.bz2 +b8608d8294ac88974f27b20f991c0e79 shadow-4.1.4.3.tar.bz2 From 6e8f6080320a989fe4494aadc81bfdd5d4901315 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Tue, 31 May 2011 10:00:39 +0200 Subject: [PATCH 061/151] fix integer underflow in laslog (#706321) --- shadow-4.1.4.2-underflow.patch | 21 ++++++++++++++++++--- shadow-utils.spec | 5 ++++- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/shadow-4.1.4.2-underflow.patch b/shadow-4.1.4.2-underflow.patch index 87f8931..a3c0d47 100644 --- a/shadow-4.1.4.2-underflow.patch +++ b/shadow-4.1.4.2-underflow.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.1.4.2/src/faillog.c.overflow shadow-4.1.4.2/src/faillog.c ---- shadow-4.1.4.2/src/faillog.c.overflow 2010-06-14 10:40:28.023030897 +0200 -+++ shadow-4.1.4.2/src/faillog.c 2010-06-14 10:53:10.884034750 +0200 +diff -up shadow-4.1.4.3/src/faillog.c.underflow shadow-4.1.4.3/src/faillog.c +--- shadow-4.1.4.3/src/faillog.c.underflow 2011-02-13 12:58:16.000000000 -0500 ++++ shadow-4.1.4.3/src/faillog.c 2011-05-30 17:48:55.000000000 -0400 @@ -106,8 +106,8 @@ static void print_one (/*@null@*/const s return; } @@ -41,3 +41,18 @@ diff -up shadow-4.1.4.2/src/faillog.c.overflow shadow-4.1.4.2/src/faillog.c /* fseeko errors are not really relevant for us. */ int err = fseeko (fail, offset, SEEK_SET); assert (0 == err); +diff -up shadow-4.1.4.3/src/lastlog.c.underflow shadow-4.1.4.3/src/lastlog.c +--- shadow-4.1.4.3/src/lastlog.c.underflow 2011-05-31 03:52:25.000000000 -0400 ++++ shadow-4.1.4.3/src/lastlog.c 2011-05-31 03:53:32.000000000 -0400 +@@ -102,9 +102,8 @@ static void print_one (/*@null@*/const s + } + + +- offset = pw->pw_uid * sizeof (ll); +- +- if (offset <= (statbuf.st_size - sizeof (ll))) { ++ offset = (off_t) pw->pw_uid * sizeof (ll); ++ if (offset + sizeof (ll) <= statbuf.st_size - sizeof (ll)) { + /* fseeko errors are not really relevant for us. */ + int err = fseeko (lastlogfile, offset, SEEK_SET); + assert (0 == err); diff --git a/shadow-utils.spec b/shadow-utils.spec index c8edc0f..38f119b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -200,6 +200,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue May 31 2011 Peter Vrabec - 2:4.1.4.3-2 +- fix integer underflow in laslog (#706321) + * Fri May 20 2011 Peter Vrabec - 2:4.1.4.3-1 - upgrade - change UID/GID_MIN to #1000 From 4d00d717846228af1750f7a6461bdd610252fd18 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 6 Jun 2011 09:07:51 +0200 Subject: [PATCH 062/151] fix shadow-4.1.4.2-underflow.patch --- shadow-4.1.4.2-underflow.patch | 2 +- shadow-utils.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/shadow-4.1.4.2-underflow.patch b/shadow-4.1.4.2-underflow.patch index a3c0d47..8553f8f 100644 --- a/shadow-4.1.4.2-underflow.patch +++ b/shadow-4.1.4.2-underflow.patch @@ -52,7 +52,7 @@ diff -up shadow-4.1.4.3/src/lastlog.c.underflow shadow-4.1.4.3/src/lastlog.c - - if (offset <= (statbuf.st_size - sizeof (ll))) { + offset = (off_t) pw->pw_uid * sizeof (ll); -+ if (offset + sizeof (ll) <= statbuf.st_size - sizeof (ll)) { ++ if (offset + sizeof (ll) <= statbuf.st_size) { /* fseeko errors are not really relevant for us. */ int err = fseeko (lastlogfile, offset, SEEK_SET); assert (0 == err); diff --git a/shadow-utils.spec b/shadow-utils.spec index 38f119b..de49399 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
@@ -200,6 +200,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 06 2011 Peter Vrabec - 2:4.1.4.3-3 +- fix shadow-4.1.4.2-underflow.patch + * Tue May 31 2011 Peter Vrabec - 2:4.1.4.3-2 - fix integer underflow in laslog (#706321) From f7bb2ec63f86a0fe61dee2edb4ca4e6c60a88d55 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 27 Jun 2011 16:12:59 +0200 Subject: [PATCH 063/151] refer to PAM in /etc/login.defs --- shadow-utils.login.defs | 8 ++++++++ shadow-utils.spec | 5 ++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/shadow-utils.login.defs b/shadow-utils.login.defs index 5b56cd3..3f27f88 100644 --- a/shadow-utils.login.defs +++ b/shadow-utils.login.defs @@ -1,3 +1,11 @@ +# +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. diff --git a/shadow-utils.spec b/shadow-utils.spec index de49399..704eddc 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -200,6 +200,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 27 2011 Peter Vrabec - 2:4.1.4.3-4 +- refer to PAM in /etc/login.defs (#629277) + * Mon Jun 06 2011 Peter Vrabec - 2:4.1.4.3-3 - fix shadow-4.1.4.2-underflow.patch From 46dd21926b32abe38fc25a303d5dacd4418ca030 Mon Sep 17 00:00:00 2001 
From: Peter Vrabec Date: Tue, 28 Jun 2011 16:32:18 +0200 Subject: [PATCH 064/151] - fixing Linux login <-> SELinux login mapping (#639900), (#639975), (#639976) --- shadow-4.1.4.2-semange.patch | 22 --- shadow-4.1.4.3-semange.patch | 301 +++++++++++++++++++++++++++++++++++ shadow-utils.spec | 9 +- 3 files changed, 308 insertions(+), 24 deletions(-) delete mode 100644 shadow-4.1.4.2-semange.patch create mode 100644 shadow-4.1.4.3-semange.patch diff --git a/shadow-4.1.4.2-semange.patch b/shadow-4.1.4.2-semange.patch deleted file mode 100644 index d4427e6..0000000 --- a/shadow-4.1.4.2-semange.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c ---- shadow-4.1.4.2/src/userdel.c.semanage 2010-04-28 14:47:25.581366330 +0200 -+++ shadow-4.1.4.2/src/userdel.c 2010-04-28 14:48:08.736376028 +0200 -@@ -974,18 +974,6 @@ int main (int argc, char **argv) - } - #endif - --#ifdef WITH_SELINUX -- if (is_selinux_enabled () > 0) { -- const char *args[5]; -- args[0] = "/usr/sbin/semanage"; -- args[1] = "login"; -- args[2] = "-d"; -- args[3] = user_name; -- args[4] = NULL; -- safe_system (args[0], args, NULL, 1); -- } --#endif -- - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. diff --git a/shadow-4.1.4.3-semange.patch b/shadow-4.1.4.3-semange.patch new file mode 100644 index 0000000..6a8a4f6 --- /dev/null +++ b/shadow-4.1.4.3-semange.patch 
@@ -0,0 +1,301 @@ +diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8 +--- shadow-4.1.4.3/man/useradd.8.semange 2011-06-28 16:17:06.385374734 +0200 ++++ shadow-4.1.4.3/man/useradd.8 2011-06-28 16:18:19.657899439 +0200 +@@ -640,6 +640,11 @@ can\*(Aqt create home directory + .RS 4 + can\*(Aqt create mail spool + .RE ++.PP ++\fI14\fR ++.RS 4 ++can\'t update SELinux user mapping ++.RE + .SH "SEE ALSO" + .PP + +diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8 +--- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100 ++++ shadow-4.1.4.3/man/userdel.8 2011-06-28 16:18:19.657899439 +0200 +@@ -76,6 +76,11 @@ variable in the + login\&.defs + file\&. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR ++.RS 4 ++Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed. ++.RE + .SH "CONFIGURATION" + .PP + The following configuration variables in +diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c +--- shadow-4.1.4.3/src/useradd.c.semange 2011-06-28 16:17:06.381374760 +0200 ++++ shadow-4.1.4.3/src/useradd.c 2011-06-28 16:18:19.658899432 +0200 +@@ -164,6 +164,7 @@ static bool home_added = false; + #define E_GRP_UPDATE 10 /* can't update group file */ + #define E_HOMEDIR 12 /* can't create home directory */ + #define E_MAIL_SPOOL 13 /* can't create mail spool */ ++#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ + + #define DGROUP "GROUP=" + #define HOME "HOME=" +@@ -181,9 +182,6 @@ static int set_defaults (void); + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); +-#ifdef WITH_SELINUX +-static void selinux_update_mapping (void); +-#endif + + static long scale_age (long); + static void new_spent (struct spwd *); +@@ -1710,32 +1708,6 @@ static void usr_update (void) + } + } + +-#ifdef WITH_SELINUX +-static void selinux_update_mapping 
(void) { +- if (is_selinux_enabled () <= 0) return; +- +- if (*user_selinux) { /* must be done after passwd write() */ +- const char *argv[7]; +- argv[0] = "/usr/sbin/semanage"; +- argv[1] = "login"; +- argv[2] = "-a"; +- argv[3] = "-s"; +- argv[4] = user_selinux; +- argv[5] = user_name; +- argv[6] = NULL; +- if (safe_system (argv[0], argv, NULL, 0)) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding SELinux user mapping", +- user_name, (unsigned int) user_id, 0); +-#endif +- } +- } +-} +-#endif + /* + * create_home - create the user's home directory + * +@@ -2022,12 +1994,35 @@ int main (int argc, char **argv) + create_mail (); + } + +- close_files (); +- + #ifdef WITH_SELINUX +- selinux_update_mapping (); ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ const char *argv[7]; ++ ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-a"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system (argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++ #ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_USER, Prog, ++ "adding SELinux user mapping", ++ user_name, (unsigned int) user_id, 0); ++ #endif ++ fail_exit (E_SE_UPDATE); ++ } ++ } ++ } + #endif + ++ close_files (); ++ + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); + +diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c +--- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100 ++++ shadow-4.1.4.3/src/userdel.c 2011-06-28 16:18:19.659899426 +0200 +@@ -82,6 +82,7 @@ static char *user_home; + + static bool fflg = false; + static bool rflg = false; ++static bool Zflg = false; + + static bool is_shadow_pwd; + +@@ -120,6 +121,9 @@ 
static void usage (void) + " even if not owned by user\n" + " -h, --help display this help message and exit\n" + " -r, --remove remove home directory and mail spool\n" ++#ifdef WITH_SELINUX ++ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n" ++#endif + "\n"), stderr); + exit (E_USAGE); + } +@@ -766,9 +770,17 @@ int main (int argc, char **argv) + {"force", no_argument, NULL, 'f'}, + {"help", no_argument, NULL, 'h'}, + {"remove", no_argument, NULL, 'r'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {NULL, 0, NULL, '\0'} + }; +- while ((c = getopt_long (argc, argv, "fhr", ++ while ((c = getopt_long (argc, argv, ++#ifdef WITH_SELINUX ++ "fhrZ", ++#else ++ "fhr", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'f': /* force remove even if not owned by user */ +@@ -777,6 +789,19 @@ int main (int argc, char **argv) + case 'r': /* remove home dir and mailbox */ + rflg = true; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled () > 0) { ++ Zflg = true; ++ } else { ++ fprintf (stderr, ++ _("%s: -Z requires SELinux enabled kernel\n"), ++ Prog); ++ ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -975,14 +1000,16 @@ int main (int argc, char **argv) + #endif + + #ifdef WITH_SELINUX +- if (is_selinux_enabled () > 0) { +- const char *args[5]; +- args[0] = "/usr/sbin/semanage"; +- args[1] = "login"; +- args[2] = "-d"; +- args[3] = user_name; +- args[4] = NULL; +- safe_system (args[0], args, NULL, 1); ++ if (Zflg) { ++ if (is_selinux_enabled () > 0) { ++ const char *args[5]; ++ args[0] = "/usr/sbin/semanage"; ++ args[1] = "login"; ++ args[2] = "-d"; ++ args[3] = user_name; ++ args[4] = NULL; ++ safe_system (args[0], args, NULL, 1); ++ } + } + #endif + +diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c +--- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100 ++++ shadow-4.1.4.3/src/usermod.c 2011-06-28 
16:18:19.661899414 +0200 +@@ -82,6 +82,9 @@ + #define E_GRP_UPDATE 10 /* can't update group file */ + /* #define E_NOSPACE 11 insufficient space to move home dir */ + #define E_HOMEDIR 12 /* unable to complete home dir move */ ++#define E_SE_UPDATE 13 /* can't update SELinux user mapping */ ++ ++ + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + /* + * Global variables +@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); +-#ifdef WITH_SELINUX +-static void selinux_update_mapping (void); +-#endif + + static void new_spent (struct spwd *); + static void fail_exit (int); +@@ -1785,8 +1785,32 @@ int main (int argc, char **argv) + nscd_flush_cache ("group"); + + #ifdef WITH_SELINUX +- if (Zflg) { +- selinux_update_mapping (); ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ const char *argv[7]; ++ ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-m"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system (argv[0], argv, NULL, 1)) { ++ argv[2] = "-a"; ++ if (safe_system (argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++ #ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "modifying User mapping ", ++ user_name, (unsigned int) user_id, 0); ++ #endif ++ fail_exit (E_SE_UPDATE); ++ } ++ } ++ } + } + #endif + +@@ -1816,34 +1840,3 @@ int main (int argc, char **argv) + return E_SUCCESS; + } + +-#ifdef WITH_SELINUX +-static void selinux_update_mapping (void) { +- const char *argv[7]; +- +- if (is_selinux_enabled () <= 0) return; +- +- if (*user_selinux) { +- argv[0] = "/usr/sbin/semanage"; +- argv[1] = "login"; +- argv[2] = "-m"; +- argv[3] = "-s"; +- argv[4] = user_selinux; +- argv[5] = user_name; +- argv[6] = NULL; +- if (safe_system 
(argv[0], argv, NULL, 1)) { +- argv[2] = "-a"; +- if (safe_system (argv[0], argv, NULL, 0)) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "modifying User mapping ", +- user_name, (unsigned int) user_id, 0); +-#endif +- } +- } +- } +-} +-#endif +- diff --git a/shadow-utils.spec b/shadow-utils.spec index 704eddc..58c0069 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -12,7 +12,7 @@ Patch1: shadow-4.1.4.3-goodname.patch Patch2: shadow-4.1.4.2-leak.patch Patch3: shadow-4.1.4.2-fixes.patch Patch4: shadow-4.1.4.2-infoParentDir.patch -Patch5: shadow-4.1.4.2-semange.patch +Patch5: shadow-4.1.4.3-semange.patch Patch6: shadow-4.1.4.2-acl.patch Patch7: shadow-4.1.4.2-underflow.patch Patch8: shadow-4.1.4.3-uflg.patch @@ -200,6 +200,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jun 28 2011 Peter Vrabec - 2:4.1.4.3-5 +- userdel option to remove Linux login <-> SELinux login mapping (#639900) +- useradd special exit value if SELinux user mapping is invalid (#639975) +- usermod special exit value if SELinux user mapping is invalid (#639976) + * Mon Jun 27 2011 Peter Vrabec - 2:4.1.4.3-4 - refer to PAM in /etc/login.defs (#629277) From 8c0da063a2ee3e39fba0501df8ea8a487b828715 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 28 Jun 2011 17:21:30 +0200 Subject: [PATCH 065/151] spec file fixes --- shadow-utils.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 58c0069..f9ddc45 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
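Review bot: In userdel.c the long option is registered as `{"selinux-user", required_argument, NULL, 'Z'}` while the short-option string "fhrZ" declares no argument and `case 'Z'` consumes none, so `--selinux-user` demands a value that is then ignored; it should be `{"selinux-user", no_argument, NULL, 'Z'},` to match `-Z` and the man page entry. In the same file the result of `safe_system (args[0], args, NULL, 1)` is still discarded, so a failed removal of the login mapping is not reported, unlike useradd and usermod which now exit with E_SE_UPDATE; at least a warning on stderr is warranted. usermod.c gains `E_SE_UPDATE 13` but the patch touches only useradd.8 and userdel.8, so usermod.8's exit-value list should get the matching entry. The main() bodies of the three programs extend beyond the hunk.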
@@ -4,7 +4,7 @@ Version: 4.1.4.3 Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 +Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Patch0: shadow-4.1.4.2-redhat.patch @@ -35,7 +35,7 @@ The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, plus programs for managing user and group accounts. The pwconv command converts passwords to the shadow password format. The pwunconv command -unconverts shadow passwords and generates an npasswd file (a standard +unconverts shadow passwords and generates a passwd file (a standard UNIX password file). The pwck command checks the integrity of password and shadow files. The lastlog command prints out the last login times for all users. The useradd, userdel, and usermod commands are used for From d41022497159e81e7c7c24650f6f6d7dc5d81186 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 29 Jun 2011 10:14:51 +0200 Subject: [PATCH 066/151] man page fixes --- shadow-4.1.4.3-man.patch | 18 ++++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.4.3-man.patch diff --git a/shadow-4.1.4.3-man.patch b/shadow-4.1.4.3-man.patch new file mode 100644 index 0000000..ed588b6 --- /dev/null +++ b/shadow-4.1.4.3-man.patch 
@@ -0,0 +1,18 @@ +diff -up shadow-4.1.4.3/man/useradd.8.man shadow-4.1.4.3/man/useradd.8 +--- shadow-4.1.4.3/man/useradd.8.man 2011-06-29 10:08:18.000000000 +0200 ++++ shadow-4.1.4.3/man/useradd.8 2011-06-29 10:12:16.990478081 +0200 +@@ -220,12 +220,12 @@ Create the user\*(Aqs home directory if + \fB\-k\fR + option) will be copied to the home directory\&. + .sp +-The home directories are created by default on RHEL/Fedora systems because of /etc/login.defs (\fBCREATE_HOME\fR) setting\&. ++useradd will create the home directory unless \fBCREATE_HOME\fR in /etc/login.defs is set to no\&. + .RE + .PP + \fB\-M\fR + .RS 4 +-Do no create the user\*(Aqs home directory, even if the system wide setting from ++Do not create the user\*(Aqs home directory, even if the system wide setting from + /etc/login\&.defs + (\fBCREATE_HOME\fR) is set to + \fIyes\fR\&. diff --git a/shadow-utils.spec b/shadow-utils.spec index f9ddc45..1e86e10 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -19,6 +19,7 @@ Patch8: shadow-4.1.4.3-uflg.patch Patch9: shadow-4.1.4.2-gshadow.patch Patch10: shadow-4.1.4.3-nopam.patch Patch11: shadow-4.1.4.3-IDs.patch +Patch12: shadow-4.1.4.3-man.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -56,6 +57,7 @@ are used for managing group accounts. %patch9 -p1 -b .gshadow %patch10 -p1 -b .nopam %patch11 -p1 -b .IDs +%patch12 -p1 -b .man iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
@@ -200,6 +202,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Jun 29 2011 Peter Vrabec - 2:4.1.4.3-6 +- man page fixes (#696213 #674878) + * Tue Jun 28 2011 Peter Vrabec - 2:4.1.4.3-5 - userdel option to remove Linux login <-> SELinux login mapping (#639900) - useradd special exit value if SELinux user mapping is invalid (#639975) From 8e39d10d316d9100ff3b1e9cde76b377feaf265e Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 25 Jul 2011 15:06:13 +0200 Subject: [PATCH 067/151] do not replace /etc/login.defs on upgrade (temporary) --- shadow-utils.spec | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 1e86e10..d0a3c7f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -29,6 +29,8 @@ BuildRequires: libacl-devel libattr-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 Requires: setup +Requires(pre): coreutils +Requires(post): coreutils Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description 
@@ -157,6 +159,23 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do echo "%%lang($lang) $dir/man*/*" >> shadow.lang done +# Make sure old configuration files specifying UID_MIN=500 are not overwritten +# on upgrades. Remove the scriptlets after upgrades from Fedora 15 are no +# longer supported. +%pre +if [ "$1" -gt 1 ]; then + hash=$(md5sum %{_sysconfdir}/login.defs | cut -d ' ' -f 1) + if [ "$hash" = 111354806cbbee33a73fa4d538055510 ]; then + cp -a %{_sysconfdir}/login.defs{,.rpm-saved-in-pre} + fi +fi + +%post +if [ -e %{_sysconfdir}/login.defs.rpm-saved-in-pre ]; then + mv %{_sysconfdir}/login.defs{,.rpmnew} + mv %{_sysconfdir}/login.defs{.rpm-saved-in-pre,} +fi + %clean rm -rf $RPM_BUILD_ROOT @@ -202,6 +221,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jul 22 2011 Miloslav Trmač - 2:4.1.4.3-7 +- Make sure /etc/login.defs is not changed on upgrades from Fedora 1[345]. + * Wed Jun 29 2011 Peter Vrabec - 2:4.1.4.3-6 - man page fixes (#696213 #674878) From 3a495606883d27c9eec932c477b13c69b583caba Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 2 Aug 2011 13:07:03 +0200 Subject: [PATCH 068/151] fixing semanage issue (#701355) --- shadow-4.1.4.3-semange.patch | 25 +++++++++---------------- shadow-utils.spec | 5 ++++- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/shadow-4.1.4.3-semange.patch b/shadow-4.1.4.3-semange.patch index 6a8a4f6..63e1b49 100644 --- a/shadow-4.1.4.3-semange.patch +++ b/shadow-4.1.4.3-semange.patch @@ -1,6 +1,6 @@ diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8 ---- shadow-4.1.4.3/man/useradd.8.semange 2011-06-28 16:17:06.385374734 +0200 -+++ shadow-4.1.4.3/man/useradd.8 2011-06-28 16:18:19.657899439 +0200 +--- shadow-4.1.4.3/man/useradd.8.semange 2011-08-02 12:57:47.971838218 +0200 ++++ shadow-4.1.4.3/man/useradd.8 2011-08-02 12:57:47.985838145 +0200 @@ -640,6 +640,11 @@ can\*(Aqt create home directory .RS 4 can\*(Aqt create mail spool 
@@ -15,7 +15,7 @@ diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8 diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8 --- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100 -+++ shadow-4.1.4.3/man/userdel.8 2011-06-28 16:18:19.657899439 +0200 ++++ shadow-4.1.4.3/man/userdel.8 2011-08-02 12:57:47.985838145 +0200 @@ -76,6 +76,11 @@ variable in the login\&.defs file\&. @@ -29,8 +29,8 @@ diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8 .PP The following configuration variables in diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c ---- shadow-4.1.4.3/src/useradd.c.semange 2011-06-28 16:17:06.381374760 +0200 -+++ shadow-4.1.4.3/src/useradd.c 2011-06-28 16:18:19.658899432 +0200 +--- shadow-4.1.4.3/src/useradd.c.semange 2011-08-02 12:57:47.968838234 +0200 ++++ shadow-4.1.4.3/src/useradd.c 2011-08-02 12:58:17.626684439 +0200 @@ -164,6 +164,7 @@ static bool home_added = false; #define E_GRP_UPDATE 10 /* can't update group file */ #define E_HOMEDIR 12 /* can't create home directory */ @@ -82,12 +82,9 @@ diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c /* * create_home - create the user's home directory * -@@ -2022,12 +1994,35 @@ int main (int argc, char **argv) - create_mail (); - } +@@ -2025,7 +1997,30 @@ int main (int argc, char **argv) + close_files (); -- close_files (); -- #ifdef WITH_SELINUX - selinux_update_mapping (); + if (Zflg && *user_selinux) { @@ -116,14 +113,10 @@ diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c + } #endif -+ close_files (); -+ nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); - diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c --- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100 -+++ shadow-4.1.4.3/src/userdel.c 2011-06-28 16:18:19.659899426 +0200 ++++ shadow-4.1.4.3/src/userdel.c 2011-08-02 12:57:47.988838130 +0200 
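Review bot: With `close_files ();` now ahead of the SELinux block in useradd.c, the `fail_exit (E_SE_UPDATE)` inside that block (added by the earlier semange commit on this page) runs after the passwd/shadow/group entries have been committed, so useradd reports failure for an account that now exists without its mapping, and a caller that treats exit 14 as "not created" will be wrong. Unless fail_exit removes the entries, which is not visible here, the useradd.8 text for exit value 14 should say so, for example `can\'t update SELinux user mapping (the account has been created)`, and the exit code's comment in useradd.c should carry the same caveat. main() extends beyond this hunk.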
@@ -82,6 +82,7 @@ static char *user_home; static bool fflg = false; @@ -208,7 +201,7 @@ diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c --- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100 -+++ shadow-4.1.4.3/src/usermod.c 2011-06-28 16:18:19.661899414 +0200 ++++ shadow-4.1.4.3/src/usermod.c 2011-08-02 12:57:47.989838125 +0200 @@ -82,6 +82,9 @@ #define E_GRP_UPDATE 10 /* can't update group file */ /* #define E_NOSPACE 11 insufficient space to move home dir */ diff --git a/shadow-utils.spec b/shadow-utils.spec index d0a3c7f..4c87c96 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -221,6 +221,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Aug 02 2011 Peter Vrabec - 2:4.1.4.3-8 +- fixing semanage issue (#701355) + * Fri Jul 22 2011 Miloslav Trmač - 2:4.1.4.3-7 - Make sure /etc/login.defs is not changed on upgrades from Fedora 1[345]. From 4897d3d6b7fc757790a6afc641b3d05e296a4826 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 2 Aug 2011 14:09:56 +0200 Subject: [PATCH 069/151] man page adjustment (userdel -Z) --- shadow-4.1.4.3-semange.patch | 2 +- shadow-utils.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/shadow-4.1.4.3-semange.patch b/shadow-4.1.4.3-semange.patch index 63e1b49..b10efd0 100644 --- a/shadow-4.1.4.3-semange.patch +++ b/shadow-4.1.4.3-semange.patch 
@@ -23,7 +23,7 @@ diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8 +.PP +\fB\-Z\fR, \fB\-\-selinux-user\fR +.RS 4 -+Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed. ++Remove SELinux user assigned to the user´s login from SELinux login mapping. +.RE .SH "CONFIGURATION" .PP diff --git a/shadow-utils.spec b/shadow-utils.spec index 4c87c96..931a9ac 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -221,6 +221,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Aug 02 2011 Peter Vrabec - 2:4.1.4.3-9 +- man page adjustment (userdel -Z) + * Tue Aug 02 2011 Peter Vrabec - 2:4.1.4.3-8 - fixing semanage issue (#701355) From 22f8cbe3bf3c051b03b92a2d363baa78e5823e2c Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 10 Nov 2011 17:16:04 +0100 Subject: [PATCH 070/151] - replace semanage call by library call - useradd man page (#739147) --- shadow-4.1.4.3-libsemanage.patch | 640 +++++++++++++++++++++++++++++++ shadow-4.1.4.3-man.patch | 13 +- shadow-utils.spec | 11 +- 3 files changed, 661 insertions(+), 3 deletions(-) create mode 100644 shadow-4.1.4.3-libsemanage.patch diff --git a/shadow-4.1.4.3-libsemanage.patch b/shadow-4.1.4.3-libsemanage.patch new file mode 100644 index 0000000..8323e1f --- /dev/null +++ b/shadow-4.1.4.3-libsemanage.patch 
@@ -0,0 +1,640 @@ +diff -up shadow-4.1.4.3/lib/Makefile.in.libsemanage shadow-4.1.4.3/lib/Makefile.in +--- shadow-4.1.4.3/lib/Makefile.in.libsemanage 2011-02-15 23:18:15.000000000 +0100 ++++ shadow-4.1.4.3/lib/Makefile.in 2011-11-09 14:11:26.455362101 +0100 +@@ -52,7 +52,7 @@ am_libshadow_la_OBJECTS = commonio.lo en + groupio.lo groupmem.lo gshadow.lo lockpw.lo nscd.lo port.lo \ + pwauth.lo pwio.lo pwmem.lo sgetgrent.lo sgetpwent.lo \ + sgetspent.lo sgroupio.lo shadow.lo shadowio.lo shadowmem.lo \ +- utent.lo ++ utent.lo selinux.lo + libshadow_la_OBJECTS = $(am_libshadow_la_OBJECTS) + libshadow_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ +@@ -202,7 +202,6 @@ libdir = @libdir@ + libexecdir = @libexecdir@ + localedir = @localedir@ + localstatedir = @localstatedir@ +-lt_ECHO = @lt_ECHO@ + mandir = @mandir@ + mkdir_p = @mkdir_p@ + oldincludedir = @oldincludedir@ +@@ -261,7 +260,8 @@ libshadow_la_SOURCES = \ + shadowio.c \ + shadowio.h \ + shadowmem.c \ +- utent.c ++ utent.c \ ++ selinux.c + + + # These files are unneeded for some reason, listed in +@@ -349,6 +349,7 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadow.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowio.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowmem.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/selinux.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utent.Plo@am__quote@ + + .c.o: +diff -up shadow-4.1.4.3/libmisc/Makefile.in.libsemanage shadow-4.1.4.3/libmisc/Makefile.in +--- shadow-4.1.4.3/libmisc/Makefile.in.libsemanage 2011-02-15 23:18:16.000000000 +0100 ++++ shadow-4.1.4.3/libmisc/Makefile.in 2011-11-09 14:11:26.456362098 +0100 +@@ -64,7 +64,7 @@ am_libmisc_a_OBJECTS = addgrps.$(OBJEXT) + pam_pass_non_interractive.$(OBJEXT) pwd2spwd.$(OBJEXT) \ + pwdcheck.$(OBJEXT) pwd_init.$(OBJEXT) rlogin.$(OBJEXT) \ + 
salt.$(OBJEXT) setugid.$(OBJEXT) setupenv.$(OBJEXT) \ +- shell.$(OBJEXT) system.$(OBJEXT) strtoday.$(OBJEXT) \ ++ shell.$(OBJEXT) strtoday.$(OBJEXT) \ + sub.$(OBJEXT) sulog.$(OBJEXT) ttytype.$(OBJEXT) tz.$(OBJEXT) \ + ulimit.$(OBJEXT) user_busy.$(OBJEXT) utmp.$(OBJEXT) \ + valid.$(OBJEXT) xgetpwnam.$(OBJEXT) xgetpwuid.$(OBJEXT) \ +@@ -284,7 +284,6 @@ libmisc_a_SOURCES = \ + setugid.c \ + setupenv.c \ + shell.c \ +- system.c \ + strtoday.c \ + sub.c \ + sulog.c \ +@@ -394,7 +393,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strtoday.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sub.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sulog.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttytype.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tz.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ulimit.Po@am__quote@ +diff -up shadow-4.1.4.3/libmisc/system.c.libsemanage shadow-4.1.4.3/libmisc/system.c +--- shadow-4.1.4.3/libmisc/system.c.libsemanage 2011-02-13 18:58:11.000000000 +0100 ++++ shadow-4.1.4.3/libmisc/system.c 2011-11-09 14:11:26.457362095 +0100 +@@ -1,72 +0,0 @@ +-/* +- * Copyright (c) 2009 , Dan Walsh +- * All rights reserved. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * 1. Redistributions of source code must retain the above copyright +- * notice, this list of conditions and the following disclaimer. +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in the +- * documentation and/or other materials provided with the distribution. +- * 3. 
The name of the copyright holders or contributors may not be used to +- * endorse or promote products derived from this software without +- * specific prior written permission. +- * +- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +- */ +-#include +- +-#ident "$Id: system.c 2849 2009-04-30 21:08:49Z nekral-guest $" +- +-#include +-#include +-#include +-#include "prototypes.h" +-#include "defines.h" +- +-int safe_system (const char *command, +- const char *argv[], +- const char *env[], +- int ignore_stderr) +-{ +- int status = -1; +- int fd; +- pid_t pid; +- +- pid = fork(); +- if (pid < 0) { +- return -1; +- } +- +- if (pid) { /* Parent */ +- if (waitpid (pid, &status, 0) > 0) { +- return status; +- } else { +- return -1; +- } +- } +- +- fd = open ("/dev/null", O_RDWR); +- /* Child */ +- dup2 (fd, 0); // Close Stdin +- if (ignore_stderr) { +- dup2 (fd, 2); // Close Stderr +- } +- +- execve (command, (char *const *) argv, (char *const *) env); +- fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]); +- exit (EXIT_FAILURE); +-} +- +diff -up shadow-4.1.4.3/lib/prototypes.h.libsemanage shadow-4.1.4.3/lib/prototypes.h +--- shadow-4.1.4.3/lib/prototypes.h.libsemanage 2011-02-13 18:58:23.000000000 +0100 ++++ 
shadow-4.1.4.3/lib/prototypes.h 2011-11-09 14:11:26.457362095 +0100 +@@ -331,12 +331,6 @@ extern void spw_free (/*@out@*/ /*@only@ + /* shell.c */ + extern int shell (const char *file, /*@null@*/const char *arg, char *const envp[]); + +-/* system.c */ +-extern int safe_system (const char *command, +- const char *argv[], +- const char *env[], +- int ignore_stderr); +- + /* strtoday.c */ + extern long strtoday (const char *); + +@@ -403,4 +397,8 @@ extern /*@null@*/ /*@only@*/struct spwd + /* yesno.c */ + extern bool yes_or_no (bool read_only); + ++/* selinux.c */ ++int set_seuser(const char *login_name, const char *seuser_name); ++int del_seuser(const char *login_name); ++ + #endif /* _PROTOTYPES_H */ +diff -up shadow-4.1.4.3/lib/selinux.c.libsemanage shadow-4.1.4.3/lib/selinux.c +--- shadow-4.1.4.3/lib/selinux.c.libsemanage 2011-11-09 14:11:26.458362092 +0100 ++++ shadow-4.1.4.3/lib/selinux.c 2011-11-09 14:11:26.458362092 +0100 +@@ -0,0 +1,341 @@ ++/* ++ shadow-utils ++ ++ su-selinux.c ++ ++ Copyright (C) Jakub Hrozek 2010 ++ Copyright (C) Peter Vrabec 2011 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++ ++#include "defines.h" ++ ++#include ++#include ++#include ++ ++ ++#ifndef DEFAULT_SERANGE ++#define DEFAULT_SERANGE "s0" ++#endif ++ ++ ++static void semanage_error_callback(void *varg, ++ semanage_handle_t *handle, ++ const char *fmt, ...) 
++{ ++ int ret; ++ char * message = NULL; ++ va_list ap; ++ ++ ++ va_start(ap, fmt); ++ ret = vasprintf(&message, fmt, ap); ++ va_end(ap); ++ if (ret < 0) { ++ /* ENOMEM */ ++ return; ++ } ++ ++ switch (semanage_msg_get_level(handle)) { ++ case SEMANAGE_MSG_ERR: ++ case SEMANAGE_MSG_WARN: ++ fprintf(stderr, "[libsemanage]: %s\n", message); ++ break; ++ case SEMANAGE_MSG_INFO: ++ /* nop */ ++ break; ++ } ++ ++ free(message); ++} ++ ++ ++static semanage_handle_t *semanage_init(void) ++{ ++ int ret; ++ semanage_handle_t *handle = NULL; ++ ++ handle = semanage_handle_create(); ++ if (!handle) { ++ fprintf(stderr, _("Cannot create SELinux management handle\n")); ++ return NULL; ++ } ++ ++ semanage_msg_set_callback(handle, semanage_error_callback, NULL); ++ ++ ret = semanage_is_managed(handle); ++ if (ret != 1) { ++ fprintf(stderr, _("SELinux policy not managed\n")); ++ goto fail; ++ } ++ ++ ret = semanage_access_check(handle); ++ if (ret < SEMANAGE_CAN_READ) { ++ fprintf(stderr, _("Cannot read SELinux policy store\n")); ++ goto fail; ++ } ++ ++ ret = semanage_connect(handle); ++ if (ret != 0) { ++ fprintf(stderr, _("Cannot estabilish SELinux management connection\n")); ++ goto fail; ++ } ++ ++ ret = semanage_begin_transaction(handle); ++ if (ret != 0) { ++ fprintf(stderr, _("Cannot begin SELinux transaction\n")); ++ goto fail; ++ } ++ ++ return handle; ++fail: ++ semanage_handle_destroy(handle); ++ return NULL; ++} ++ ++ ++static int semanage_user_mod(semanage_handle_t *handle, ++ semanage_seuser_key_t *key, ++ const char *login_name, ++ const char *seuser_name) ++{ ++ int ret; ++ semanage_seuser_t *seuser = NULL; ++ ++ semanage_seuser_query(handle, key, &seuser); ++ if (seuser == NULL) { ++ fprintf(stderr, _("Could not query seuser for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not set serange for %s\n"), login_name); ++ ret = 1; ++ goto 
done; ++ } ++ ++ ret = semanage_seuser_set_sename(handle, seuser, seuser_name); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not set sename for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_modify_local(handle, key, seuser); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not modify login mapping for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = 0; ++done: ++ semanage_seuser_free(seuser); ++ return ret; ++} ++ ++ ++static int semanage_user_add(semanage_handle_t *handle, ++ semanage_seuser_key_t *key, ++ const char *login_name, ++ const char *seuser_name) ++{ ++ int ret; ++ semanage_seuser_t *seuser = NULL; ++ ++ ret = semanage_seuser_create(handle, &seuser); ++ if (ret != 0) { ++ fprintf(stderr, _("Cannot create SELinux login mapping for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_set_name(handle, seuser, login_name); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not set name for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not set serange for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_set_sename(handle, seuser, seuser_name); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not set SELinux user for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_modify_local(handle, key, seuser); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not add login mapping for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = 0; ++done: ++ semanage_seuser_free(seuser); ++ return ret; ++} ++ ++ ++int set_seuser(const char *login_name, const char *seuser_name) ++{ ++ semanage_handle_t *handle = NULL; ++ semanage_seuser_key_t *key = NULL; ++ int ret; ++ int seuser_exists = 0; ++ ++ if (seuser_name == NULL) { ++ /* don't care, just let system pick the defaults */ ++ return 0; ++ } ++ ++ handle = 
semanage_init(); ++ if (!handle) { ++ fprintf(stderr, _("Cannot init SELinux management\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_key_create(handle, login_name, &key); ++ if (ret != 0) { ++ fprintf(stderr, _("Cannot create SELinux user key\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_exists(handle, key, &seuser_exists); ++ if (ret < 0) { ++ fprintf(stderr, _("Cannot verify the SELinux user\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ if (seuser_exists) { ++ ret = semanage_user_mod(handle, key, login_name, seuser_name); ++ if (ret != 0) { ++ fprintf(stderr, _("Cannot modify SELinux user mapping\n")); ++ ret = 1; ++ goto done; ++ } ++ } else { ++ ret = semanage_user_add(handle, key, login_name, seuser_name); ++ if (ret != 0) { ++ fprintf(stderr, _("Cannot add SELinux user mapping\n")); ++ ret = 1; ++ goto done; ++ } ++ } ++ ++ ret = semanage_commit(handle); ++ if (ret < 0) { ++ fprintf(stderr,_("Cannot commit SELinux transaction\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = 0; ++ ++done: ++ semanage_seuser_key_free(key); ++ semanage_handle_destroy(handle); ++ return ret; ++} ++ ++ ++ ++ ++ ++int del_seuser(const char *login_name) ++{ ++ semanage_handle_t *handle = NULL; ++ semanage_seuser_key_t *key = NULL; ++ int ret; ++ int exists = 0; ++ ++ handle = semanage_init(); ++ if (!handle) { ++ fprintf(stderr, _("Cannot init SELinux management\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_key_create(handle, login_name, &key); ++ if (ret != 0) { ++ fprintf(stderr, _("Cannot create SELinux user key\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_seuser_exists(handle, key, &exists); ++ if (ret < 0) { ++ fprintf(stderr, _("Cannot verify the SELinux user\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ if (!exists) { ++ fprintf(stderr, _("Login mapping for %s is not defined, OK if default mapping was used\n"), ++ login_name); ++ ret = 0; /* probably default mapping */ ++ goto done; ++ } ++ ++ ret = 
semanage_seuser_exists_local(handle, key, &exists); ++ if (ret < 0) { ++ fprintf(stderr, _("Cannot verify the SELinux user\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ if (!exists) { ++ fprintf(stderr, _("Login mapping for %s is defined in policy, cannot be deleted\n"), ++ login_name); ++ ret = 0; /* Login mapping defined in policy can't be deleted */ ++ goto done; ++ } ++ ++ ret = semanage_seuser_del_local(handle, key); ++ if (ret != 0) { ++ fprintf(stderr, _("Could not delete login mapping for %s"), login_name); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = semanage_commit(handle); ++ if (ret < 0) { ++ fprintf(stderr, _("Cannot commit SELinux transaction\n")); ++ ret = 1; ++ goto done; ++ } ++ ++ ret = 0; ++done: ++ semanage_handle_destroy(handle); ++ return ret; ++} ++ +diff -up shadow-4.1.4.3/man/userdel.8.libsemanage shadow-4.1.4.3/man/userdel.8 +--- shadow-4.1.4.3/man/userdel.8.libsemanage 2011-11-09 14:19:27.772753117 +0100 ++++ shadow-4.1.4.3/man/userdel.8 2011-11-09 14:21:13.947365740 +0100 +@@ -243,6 +243,11 @@ can\*(Aqt update group file + .RS 4 + can\*(Aqt remove home directory + .RE ++.PP ++\fI14\fR ++.RS 4 ++can\*(Aqt update SELinux user mapping ++.PP + .SH "CAVEATS" + .PP + +diff -up shadow-4.1.4.3/src/Makefile.in.libsemanage shadow-4.1.4.3/src/Makefile.in +--- shadow-4.1.4.3/src/Makefile.in.libsemanage 2011-11-09 14:11:26.431362175 +0100 ++++ shadow-4.1.4.3/src/Makefile.in 2011-11-09 14:11:26.459362089 +0100 +@@ -431,9 +431,9 @@ su_SOURCES = \ + + su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) + sulogin_LDADD = $(LDADD) $(LIBCRYPT) +-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl +-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl +-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl ++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage ++userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage ++usermod_LDADD = 
$(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage + vipw_LDADD = $(LDADD) $(LIBSELINUX) + all: all-am + +diff -up shadow-4.1.4.3/src/useradd.c.libsemanage shadow-4.1.4.3/src/useradd.c +--- shadow-4.1.4.3/src/useradd.c.libsemanage 2011-11-09 14:11:26.424362196 +0100 ++++ shadow-4.1.4.3/src/useradd.c 2011-11-09 14:11:26.460362086 +0100 +@@ -1999,16 +1999,7 @@ int main (int argc, char **argv) + #ifdef WITH_SELINUX + if (Zflg && *user_selinux) { + if (is_selinux_enabled () > 0) { +- const char *argv[7]; +- +- argv[0] = "/usr/sbin/semanage"; +- argv[1] = "login"; +- argv[2] = "-a"; +- argv[3] = "-s"; +- argv[4] = user_selinux; +- argv[5] = user_name; +- argv[6] = NULL; +- if (safe_system (argv[0], argv, NULL, 0)) { ++ if (set_seuser(user_name, user_selinux)) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); +diff -up shadow-4.1.4.3/src/userdel.c.libsemanage shadow-4.1.4.3/src/userdel.c +--- shadow-4.1.4.3/src/userdel.c.libsemanage 2011-11-09 14:11:26.425362193 +0100 ++++ shadow-4.1.4.3/src/userdel.c 2011-11-09 14:18:59.274855167 +0100 +@@ -70,6 +70,7 @@ + #define E_USER_BUSY 8 /* user currently logged in */ + #define E_GRP_UPDATE 10 /* can't update group file */ + #define E_HOMEDIR 12 /* can't remove home directory */ ++#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ + + /* + * Global variables +@@ -1002,13 +1003,17 @@ int main (int argc, char **argv) + #ifdef WITH_SELINUX + if (Zflg) { + if (is_selinux_enabled () > 0) { +- const char *args[5]; +- args[0] = "/usr/sbin/semanage"; +- args[1] = "login"; +- args[2] = "-d"; +- args[3] = user_name; +- args[4] = NULL; +- safe_system (args[0], args, NULL, 1); ++ if (del_seuser(user_name)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), ++ Prog, user_name); ++ #ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_USER, Prog, ++ "removing SELinux user mapping", ++ user_name, 
(unsigned int) user_id, 0); ++ #endif ++ fail_exit (E_SE_UPDATE); ++ } + } + } + #endif +diff -up shadow-4.1.4.3/src/usermod.c.libsemanage shadow-4.1.4.3/src/usermod.c +--- shadow-4.1.4.3/src/usermod.c.libsemanage 2011-11-09 14:11:26.426362190 +0100 ++++ shadow-4.1.4.3/src/usermod.c 2011-11-09 14:11:26.463362076 +0100 +@@ -1787,28 +1787,16 @@ int main (int argc, char **argv) + #ifdef WITH_SELINUX + if (Zflg && *user_selinux) { + if (is_selinux_enabled () > 0) { +- const char *argv[7]; +- +- argv[0] = "/usr/sbin/semanage"; +- argv[1] = "login"; +- argv[2] = "-m"; +- argv[3] = "-s"; +- argv[4] = user_selinux; +- argv[5] = user_name; +- argv[6] = NULL; +- if (safe_system (argv[0], argv, NULL, 1)) { +- argv[2] = "-a"; +- if (safe_system (argv[0], argv, NULL, 0)) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); ++ if (set_seuser(user_name, user_selinux)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "modifying User mapping ", +- user_name, (unsigned int) user_id, 0); ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "modifying User mapping ", ++ user_name, (unsigned int) user_id, 0); + #endif +- fail_exit (E_SE_UPDATE); +- } ++ fail_exit (E_SE_UPDATE); + } + } + } diff --git a/shadow-4.1.4.3-man.patch b/shadow-4.1.4.3-man.patch index ed588b6..8bca143 100644 --- a/shadow-4.1.4.3-man.patch +++ b/shadow-4.1.4.3-man.patch @@ -1,6 +1,6 @@ diff -up shadow-4.1.4.3/man/useradd.8.man shadow-4.1.4.3/man/useradd.8 ---- shadow-4.1.4.3/man/useradd.8.man 2011-06-29 10:08:18.000000000 +0200 -+++ shadow-4.1.4.3/man/useradd.8 2011-06-29 10:12:16.990478081 +0200 +--- shadow-4.1.4.3/man/useradd.8.man 2011-11-09 14:30:51.402072168 +0100 ++++ shadow-4.1.4.3/man/useradd.8 2011-11-10 11:09:14.266810444 +0100 
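Review bot: In the new lib/selinux.c, `del_seuser` never releases the key it creates: its `done:` label only calls `semanage_handle_destroy(handle)`, whereas `set_seuser` frees it with `semanage_seuser_key_free(key);` before destroying the handle, so the same line belongs at `del_seuser`'s `done:`. Both functions also jump to `done:` with `handle == NULL` when `semanage_init()` fails, so they depend on `semanage_handle_destroy` (and `semanage_seuser_key_free`) tolerating NULL, which nothing on this page establishes; returning 1 directly in that branch avoids the question. In the userdel.c part of the same hunk the failure path logs the removal with `audit_logger (AUDIT_ADD_USER, Prog, "removing SELinux user mapping", ...)`, so an audit consumer will see the removal of a user's SELinux mapping recorded as an add event; `AUDIT_DEL_USER` is the matching event type for this path. Finally, `_("Could not delete login mapping for %s")` is the only message in the file without a trailing `\n`, so it runs into the next line written to stderr.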
@@ -220,12 +220,12 @@ Create the user\*(Aqs home directory if \fB\-k\fR option) will be copied to the home directory\&. @@ -16,3 +16,12 @@ diff -up shadow-4.1.4.3/man/useradd.8.man shadow-4.1.4.3/man/useradd.8 /etc/login\&.defs (\fBCREATE_HOME\fR) is set to \fIyes\fR\&. +@@ -255,7 +255,7 @@ variable in + Allow the creation of a user account with a duplicate (non\-unique) UID\&. + .sp + This option is only valid in combination with the +-\fB\-o\fR ++\fB\-u\fR + option\&. + .RE + .PP diff --git a/shadow-utils.spec b/shadow-utils.spec index 931a9ac..4ccde41 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -19,11 +19,15 @@ Patch8: shadow-4.1.4.3-uflg.patch Patch9: shadow-4.1.4.2-gshadow.patch Patch10: shadow-4.1.4.3-nopam.patch Patch11: shadow-4.1.4.3-IDs.patch +#696213 #674878 #739147 Patch12: shadow-4.1.4.3-man.patch +#749205 +Patch13: shadow-4.1.4.3-libsemanage.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 +BuildRequires: libsemanage-devel BuildRequires: libacl-devel libattr-devel #BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 @@ -60,6 +64,7 @@ are used for managing group accounts. %patch10 -p1 -b .nopam %patch11 -p1 -b .IDs %patch12 -p1 -b .man +%patch13 -p1 -b .libsemanage iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
@@ -221,6 +226,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Wed Nov 09 2011 Peter Vrabec - 2:4.1.4.3-10
+- replace semanage call by library call
+- useradd man page (#739147)
+
 * Tue Aug 02 2011 Peter Vrabec - 2:4.1.4.3-9
 - man page adjustment (userdel -Z)

From 20341fa20129ee96be28324ee42963bfe64511d9 Mon Sep 17 00:00:00 2001
From: Peter Vrabec
Date: Wed, 16 Nov 2011 17:17:29 +0100
Subject: [PATCH 071/151] free memory associated with SELinux security context

---
 shadow-4.1.4.3-selinux.patch | 15 +++++++++++++++
 shadow-utils.spec | 7 ++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.1.4.3-selinux.patch

diff --git a/shadow-4.1.4.3-selinux.patch b/shadow-4.1.4.3-selinux.patch
new file mode 100644
index 0000000..25404b3
--- /dev/null
+++ b/shadow-4.1.4.3-selinux.patch
@@ -0,0 +1,15 @@
+diff -up shadow-4.1.4.3/lib/commonio.c.selinux shadow-4.1.4.3/lib/commonio.c
+--- shadow-4.1.4.3/lib/commonio.c.selinux 2011-02-13 18:58:23.000000000 +0100
++++ shadow-4.1.4.3/lib/commonio.c 2011-11-16 17:09:46.615837659 +0100
+@@ -921,10 +921,10 @@ int commonio_close (struct commonio_db *
+
+ #ifdef WITH_SELINUX
+ if (db->scontext != NULL) {
+- if (NULL != old_context) {
+ if (setfscreatecon (old_context) < 0) {
+ errors++;
+ }
++ if (NULL != old_context) {
+ freecon (old_context);
+ old_context = NULL;
+ }
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 4ccde41..18a1090 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.4.3
-Release: 10%{?dist}
+Release: 11%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
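Review bot: The commonio.c hunk does more than free `old_context`: `setfscreatecon (old_context)` is now reached when `old_context` is NULL, a case the old nesting skipped, and per libselinux a NULL argument resets the process's file-creation context to the default instead of leaving `db->scontext` in force for whatever files the tool creates afterwards. That is presumably the intended cleanup, but since the commit message only mentions freeing memory it deserves a comment, e.g. `/* NULL resets the default file creation context; freecon() only for a context we obtained */` above the `setfscreatecon` line. `commonio_close` continues outside the hunk, so the code that obtains `old_context` is not visible here.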
@@ -23,6 +23,7 @@ Patch11: shadow-4.1.4.3-IDs.patch Patch12: shadow-4.1.4.3-man.patch #749205 Patch13: shadow-4.1.4.3-libsemanage.patch +Patch14: shadow-4.1.4.3-selinux.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -65,6 +66,7 @@ are used for managing group accounts. %patch11 -p1 -b .IDs %patch12 -p1 -b .man %patch13 -p1 -b .libsemanage +%patch14 -p1 -b .selinux iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -226,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Nov 16 2011 Peter Vrabec - 2:4.1.4.3-11 +- free memory associated with SELinux security contexts + * Wed Nov 09 2011 Peter Vrabec - 2:4.1.4.3-10 - replace semanage call by library call - useradd man page (#739147) From 5f231e7c3776c218583c41a9925a3d22f77f5d26 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 20 Dec 2011 13:53:56 +0100 Subject: [PATCH 072/151] fix leaks in .IDs patch (#734340) --- shadow-4.1.4.3-IDs.patch | 79 ++++++++++++++++++++++++++++++++++------ shadow-utils.spec | 5 ++- 2 files changed, 72 insertions(+), 12 deletions(-) diff --git a/shadow-4.1.4.3-IDs.patch b/shadow-4.1.4.3-IDs.patch index 3e5ea23..6d26f74 100644 --- a/shadow-4.1.4.3-IDs.patch +++ b/shadow-4.1.4.3-IDs.patch @@ -1,6 +1,6 @@ diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.IDs shadow-4.1.4.3/libmisc/find_new_gid.c ---- shadow-4.1.4.3/libmisc/find_new_gid.c.IDs 2011-05-20 22:45:27.852146758 +0200 -+++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-05-20 22:47:45.977909798 +0200 +--- shadow-4.1.4.3/libmisc/find_new_gid.c.IDs 2011-12-20 13:28:13.042668305 +0100 ++++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-12-20 13:35:40.011817589 +0100 @@ -32,6 +32,7 @@ #include 
@@ -9,23 +9,56 @@ diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.IDs shadow-4.1.4.3/libmisc/find_n #include "prototypes.h" #include "groupio.h" -@@ -65,7 +66,12 @@ int find_new_gid (bool sys_group, +@@ -65,8 +66,6 @@ int find_new_gid (bool sys_group, gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); } - used_gids = alloca (sizeof (bool) * (gid_max +1)); +- memset (used_gids, false, sizeof (bool) * (gid_max + 1)); + + if ( (NULL != preferred_gid) + && (*preferred_gid >= gid_min) +@@ -80,6 +79,14 @@ int find_new_gid (bool sys_group, + return 0; + } + + used_gids = malloc (sizeof (bool) * (gid_max +1)); + if(used_gids==NULL) { + fprintf (stderr, + _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno)); + return -1; + } - memset (used_gids, false, sizeof (bool) * (gid_max + 1)); ++ memset (used_gids, false, sizeof (bool) * (gid_max + 1)); ++ + /* if we did not find free preffered system gid, we start to look for + * one in the range assigned to dynamic system IDs */ + if (sys_group) +@@ -162,6 +169,7 @@ int find_new_gid (bool sys_group, + Prog); + SYSLOG ((LOG_WARN, + "no more available GID on the system")); ++ free(used_gids); + return -1; + } + } +@@ -177,12 +185,14 @@ int find_new_gid (bool sys_group, + _("%s: Can't get unique GID (no more available GIDs)\n"), + Prog); + SYSLOG ((LOG_WARN, "no more available GID on the system")); ++ free(used_gids); + return -1; + } + } + } + + *gid = group_id; ++ free(used_gids); + return 0; + } - if ( (NULL != preferred_gid) diff -up shadow-4.1.4.3/libmisc/find_new_uid.c.IDs shadow-4.1.4.3/libmisc/find_new_uid.c --- shadow-4.1.4.3/libmisc/find_new_uid.c.IDs 2011-02-13 18:58:11.000000000 +0100 -+++ shadow-4.1.4.3/libmisc/find_new_uid.c 2011-05-20 22:47:45.977909798 +0200 ++++ shadow-4.1.4.3/libmisc/find_new_uid.c 2011-12-20 13:37:27.415023688 +0100 @@ -32,6 +32,7 @@ #include 
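Review bot: The new `malloc (sizeof (bool) * (gid_max +1))` computes `gid_max + 1` in `gid_t`, so a configured GID_MAX at the top of the unsigned range wraps to a zero-sized allocation that the rest of the function presumably indexes with the GIDs it scans; `used_gids = calloc ((size_t) gid_max + 1, sizeof *used_gids);` keeps the arithmetic from wrapping on LP64 targets, and the separate `memset` then becomes unnecessary. A check that `gid_max` is below `(gid_t) -1` before allocating covers the remaining targets and gives a clearer error than an overrun. The same shape appears with `used_uids` in the find_new_uid.c hunk `@@ -34,25 +67,49 @@` below. The `free(used_gids)` calls cover the three returns visible in this hunk; any other return between the allocation and the end of `find_new_gid` lies outside the hunk and would still leak.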
@@ -34,25 +67,49 @@ diff -up shadow-4.1.4.3/libmisc/find_new_uid.c.IDs shadow-4.1.4.3/libmisc/find_n #include "prototypes.h" #include "pwio.h" -@@ -65,7 +66,12 @@ int find_new_uid (bool sys_user, +@@ -65,8 +66,6 @@ int find_new_uid (bool sys_user, uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); } - used_uids = alloca (sizeof (bool) * (uid_max +1)); +- memset (used_uids, false, sizeof (bool) * (uid_max + 1)); + + if ( (NULL != preferred_uid) + && (*preferred_uid >= uid_min) +@@ -80,6 +79,13 @@ int find_new_uid (bool sys_user, + return 0; + } + + used_uids = malloc (sizeof (bool) * (uid_max +1)); + if(used_uids==NULL) { + fprintf (stderr, + _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno)); + return -1; + } - memset (used_uids, false, sizeof (bool) * (uid_max + 1)); ++ memset (used_uids, false, sizeof (bool) * (uid_max + 1)); - if ( (NULL != preferred_uid) -@@ -178,6 +184,7 @@ int find_new_uid (bool sys_user, + /* + * Search the entire password file, +@@ -158,6 +164,7 @@ int find_new_uid (bool sys_user, + Prog); + SYSLOG ((LOG_WARN, + "no more available UID on the system")); ++ free(used_uids); + return -1; + } + } +@@ -173,12 +180,14 @@ int find_new_uid (bool sys_user, + _("%s: Can't get unique UID (no more available UIDs)\n"), + Prog); + SYSLOG ((LOG_WARN, "no more available UID on the system")); ++ free(used_uids); + return -1; + } } } -+ free(used_uids); *uid = user_id; ++ free(used_uids); return 0; } + diff --git a/shadow-utils.spec b/shadow-utils.spec index 18a1090..afe5104 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 11%{?dist} +Release: 12%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 
@@ -228,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Dec 20 2011 Peter Vrabec - 2:4.1.4.3-12 +- fix leaks in .IDs patch (#734340) + * Wed Nov 16 2011 Peter Vrabec - 2:4.1.4.3-11 - free memory associated with SELinux security contexts From f6601735512a0d803715869a0e78c1f77d8226b9 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 13 Jan 2012 21:52:35 -0600 Subject: [PATCH 073/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index afe5104..1d7227e 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 12%{?dist} +Release: 13%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -228,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sat Jan 14 2012 Fedora Release Engineering - 2:4.1.4.3-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + * Tue Dec 20 2011 Peter Vrabec - 2:4.1.4.3-12 - fix leaks in .IDs patch (#734340) From c2e7e463a19c6a5eae243c6277e7b505360d204e Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 7 Feb 2012 18:04:27 +0100 Subject: [PATCH 074/151] compile with PIE and RELRO flags (#784349) --- shadow-utils.spec | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 1d7227e..e1c6054 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.3 -Release: 13%{?dist} +Release: 14%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 
@@ -79,6 +79,16 @@ cp -f doc/HOWTO.utf8 doc/HOWTO #autoconf %build + +%ifarch sparc64 +#sparc64 need big PIE +export CFLAGS="$RPM_OPT_FLAGS -fPIE" +export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" +%else +export CFLAGS="$RPM_OPT_FLAGS -fpie" +export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" +%endif + %configure \ --enable-shadowgrp \ --with-audit \ @@ -228,6 +238,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 07 2012 Peter Vrabec - 2:4.1.4.3-14 +- compile with PIE and RELRO flags (#784349) + * Sat Jan 14 2012 Fedora Release Engineering - 2:4.1.4.3-13 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild From 4c8c5284144c23ed4311dfbdc5b7dc1be7656463 Mon Sep 17 00:00:00 2001 
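Review bot: Both branches of the new `%ifarch sparc64` block export the identical `LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"`; only the `-fPIE`/`-fpie` choice differs, so `export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"` belongs once above the conditional and the `%ifarch` should wrap only the CFLAGS export. Exporting `-pie` and `-fpie` globally also reaches any shared-library link libtool performs in this tree; presumably shadow builds only static/convenience libraries here, but that is not visible in the hunk and is worth confirming or forcing with `--disable-shared` in the `%configure` call that follows. If the redhat-rpm-config this branch builds against already provides `_hardened_build`, `%global _hardened_build 1` yields the same PIE/RELRO binaries while staying in step with distro policy — hedged, since the available macro set is not visible here. The `#sparc64 need big PIE` comment should state the reason, e.g. `# sparc64: -fpie's small code model does not fit, use -fPIE`, if that is indeed why the large model is needed.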
From: Peter Vrabec Date: Tue, 20 Mar 2012 17:39:28 +0100 Subject: [PATCH 075/151] upgrade --- .gitignore | 1 + shadow-4.1.4.2-acl.patch | 151 ----- shadow-4.1.4.2-fixes.patch | 53 -- shadow-4.1.4.2-gshadow.patch | 23 - shadow-4.1.4.2-leak.patch | 108 --- shadow-4.1.4.2-redhat.patch | 53 -- shadow-4.1.4.2-underflow.patch | 58 -- shadow-4.1.4.3-IDs.patch | 115 ---- shadow-4.1.4.3-libsemanage.patch | 640 ------------------ shadow-4.1.4.3-man.patch | 27 - shadow-4.1.4.3-nopam.patch | 32 - shadow-4.1.4.3-selinux.patch | 15 - shadow-4.1.4.3-semange.patch | 294 -------- ...dname.patch => shadow-4.1.5-goodname.patch | 24 +- shadow-4.1.5-grremove.patch | 45 ++ shadow-4.1.5-man.patch | 12 + shadow-4.1.5-redhat.patch | 42 ++ ....4.3-uflg.patch => shadow-4.1.5-uflg.patch | 16 +- shadow-utils.spec | 65 +- sources | 2 +- 20 files changed, 137 insertions(+), 1639 deletions(-) delete mode 100644 shadow-4.1.4.2-acl.patch delete mode 100644 shadow-4.1.4.2-fixes.patch delete mode 100644 shadow-4.1.4.2-gshadow.patch delete mode 100644 shadow-4.1.4.2-leak.patch delete mode 100644 shadow-4.1.4.2-redhat.patch delete mode 100644 shadow-4.1.4.2-underflow.patch delete mode 100644 shadow-4.1.4.3-IDs.patch delete mode 100644 shadow-4.1.4.3-libsemanage.patch delete mode 100644 shadow-4.1.4.3-man.patch delete mode 100644 shadow-4.1.4.3-nopam.patch delete mode 100644 shadow-4.1.4.3-selinux.patch delete mode 100644 shadow-4.1.4.3-semange.patch rename shadow-4.1.4.3-goodname.patch => shadow-4.1.5-goodname.patch (71%) create mode 100644 shadow-4.1.5-grremove.patch create mode 100644 shadow-4.1.5-man.patch create mode 100644 shadow-4.1.5-redhat.patch rename shadow-4.1.4.3-uflg.patch => shadow-4.1.5-uflg.patch (52%) diff --git a/.gitignore b/.gitignore index d99615d..5e224dd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.4.3.tar.bz2 +/shadow-4.1.5.tar.bz2 
diff --git a/shadow-4.1.4.2-acl.patch b/shadow-4.1.4.2-acl.patch deleted file mode 100644 index 0071c31..0000000 --- a/shadow-4.1.4.2-acl.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -diff -up shadow-4.1.4.2/libmisc/copydir.c.acl shadow-4.1.4.2/libmisc/copydir.c ---- shadow-4.1.4.2/libmisc/copydir.c.acl 2011-02-09 17:35:23.455413575 +0100 -+++ shadow-4.1.4.2/libmisc/copydir.c 2011-02-09 17:49:17.606330202 +0100 -@@ -45,6 +45,9 @@ - #ifdef WITH_SELINUX - #include - #endif -+#include -+#include -+ - static /*@null@*/const char *src_orig; - static /*@null@*/const char *dst_orig; - -@@ -70,7 +73,7 @@ static int copy_symlink (const char *src - #endif - static int copy_hardlink (const char *src, const char *dst, - struct link_name *lp); --static int copy_special (const char *dst, -+static int copy_special (const char *src, const char *dst, - const struct stat *statp, const struct timeval mt[], - long int uid, long int gid); - static int copy_file (const char *src, const char *dst, -@@ -78,6 +81,28 @@ static int copy_file (const char *src, c - long int uid, long int gid); - - #ifdef WITH_SELINUX -+ -+void error (struct error_context *ctx, const char *fmt, ...) -+{ -+ va_list ap; -+ -+ /* ignore the case when destination does not support ACLs */ -+ if(errno==EOPNOTSUPP) -+ return; -+ -+ va_start (ap, fmt); -+ (void) fprintf (stderr, _("%s: "), Prog); -+ if (vfprintf (stderr, fmt, ap) != 0) { -+ (void) fputs (_(": "), stderr); -+ } -+ (void) fprintf (stderr, "%s\n", strerror (errno)); -+ va_end (ap); -+} -+ -+struct error_context ctx = { -+ error -+}; -+ - /* - * selinux_file_context - Set the security context before any file or - * directory creation. -@@ -369,7 +394,7 @@ static int copy_entry (const char *src, - */ - - else if (!S_ISREG (sb.st_mode)) { -- err = copy_special (dst, &sb, mt, uid, gid); -+ err = copy_special (src, dst, &sb, mt, uid, gid); - } - - /* -@@ -413,8 +438,20 @@ static int copy_dir (const char *src, co - || (chown (dst, - (uid == - 1) ? statp->st_uid : (uid_t) uid, - (gid == - 1) ? 
statp->st_gid : (gid_t) gid) != 0) -- || (chmod (dst, statp->st_mode) != 0) -- || (copy_tree (src, dst, uid, gid) != 0) -+ || (chmod (dst, statp->st_mode) != 0)) { -+ err = -1; -+ return err; -+ } -+ -+ /* ignore the case when destination does not support ACLs */ -+ if (perm_copy_file (src, dst, &ctx) != 0) { -+ if (errno!=EOPNOTSUPP) { -+ err = -1; -+ return err; -+ } -+ } -+ -+ if ((copy_tree (src, dst, uid, gid) != 0) - || (utimes (dst, mt) != 0)) { - err = -1; - } -@@ -514,6 +551,13 @@ static int copy_symlink (const char *src - || (lchown (dst, - (uid == -1) ? statp->st_uid : (uid_t) uid, - (gid == -1) ? statp->st_gid : (gid_t) gid) != 0)) { -+ /* FIXME: there are no modes on symlinks, right? -+ * ACL could be copied, but this would be much more -+ * complex than calling perm_copy_file. -+ * Ditto for Extended Attributes. -+ * We currently only document that ACL and Extended -+ * Attributes are not copied. -+ */ - free (oldlink); - return -1; - } -@@ -542,7 +586,7 @@ static int copy_symlink (const char *src - static int copy_hardlink (const char *src, const char *dst, - struct link_name *lp) - { -- /* TODO: selinux needed? */ -+ /* TODO: selinux, ACL, Extended Attributes needed? */ - - if (link (lp->ln_name, dst) != 0) { - return -1; -@@ -574,7 +618,7 @@ static int copy_hardlink (const char *sr - * - * Return 0 on success, -1 on error. - */ --static int copy_special (const char *dst, -+static int copy_special (const char *src, const char *dst, - const struct stat *statp, const struct timeval mt[], - long int uid, long int gid) - { -@@ -628,11 +672,18 @@ static int copy_file (const char *src, c - || (fchown (ofd, - (uid == -1) ? statp->st_uid : (uid_t) uid, - (gid == -1) ? 
statp->st_gid : (gid_t) gid) != 0) -- || (fchmod (ofd, statp->st_mode & 07777) != 0)) { -+ || (fchmod (ofd, statp->st_mode & 07777) != 0)) { - (void) close (ifd); - return -1; - } - -+ if (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0) { -+ if (errno!=EOPNOTSUPP) { -+ (void) close (ifd); -+ return -1; -+ } -+ } -+ - while ((cnt = read (ifd, buf, sizeof buf)) > 0) { - if (write (ofd, buf, (size_t)cnt) != cnt) { - return -1; -diff -up shadow-4.1.4.2/src/Makefile.in.acl shadow-4.1.4.2/src/Makefile.in ---- shadow-4.1.4.2/src/Makefile.in.acl 2009-07-24 03:16:00.000000000 +0200 -+++ shadow-4.1.4.2/src/Makefile.in 2011-02-09 17:35:23.470411800 +0100 -@@ -430,9 +430,9 @@ su_SOURCES = \ - - su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) - sulogin_LDADD = $(LDADD) $(LIBCRYPT) --useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) --userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) --usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl - vipw_LDADD = $(LDADD) $(LIBSELINUX) - all: all-am - diff --git a/shadow-4.1.4.2-fixes.patch b/shadow-4.1.4.2-fixes.patch deleted file mode 100644 index 8451675..0000000 --- a/shadow-4.1.4.2-fixes.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -diff -up shadow-4.1.4.2/libmisc/cleanup.c.fixes shadow-4.1.4.2/libmisc/cleanup.c ---- shadow-4.1.4.2/libmisc/cleanup.c.fixes 2009-09-07 15:52:22.449035388 +0200 -+++ shadow-4.1.4.2/libmisc/cleanup.c 2009-09-07 15:55:06.632033653 +0200 -@@ -107,7 +107,7 @@ void del_cleanup (cleanup_function pcf) - assert (i limit) { -- SYSLOG ((LOG_WARN, "Too many logins (max %d) for %s\n", -+ SYSLOG ((LOG_WARN, "Too many logins (max %lu) for %s\n", - limit, name)); - return LOGIN_ERROR_LOGIN; - } -diff -up shadow-4.1.4.2/libmisc/utmp.c.fixes shadow-4.1.4.2/libmisc/utmp.c ---- shadow-4.1.4.2/libmisc/utmp.c.fixes 2009-09-07 15:56:30.534033865 +0200 -+++ shadow-4.1.4.2/libmisc/utmp.c 2009-09-07 16:11:23.049069289 +0200 -@@ -56,7 +56,7 @@ static bool is_my_tty (const char *tty) - /* full_tty shall be at least sizeof utmp.ut_line + 5 */ - char full_tty[200]; - /* tmptty shall be bigger than full_tty */ -- static char tmptty[sizeof (full_tty)+1]; -+ static char tmptty[sizeof (full_tty)+1] = ""; - - if ('/' != *tty) { - (void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty); -@@ -71,7 +71,7 @@ static bool is_my_tty (const char *tty) - } - } - -- if (NULL == tmptty) { -+ if ('\0' == tmptty[0]) { - (void) puts (_("Unable to determine your tty name.")); - exit (EXIT_FAILURE); - } else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) { -@@ -200,7 +200,6 @@ static void updwtmpx (const char *filena - strcpy (hostname, host); - #ifdef HAVE_STRUCT_UTMP_UT_HOST - } else if ( (NULL != ut) -- && (NULL != ut->ut_host) - && ('\0' != ut->ut_host[0])) { - hostname = (char *) xmalloc (sizeof (ut->ut_host) + 1); - strncpy (hostname, ut->ut_host, sizeof (ut->ut_host)); diff --git a/shadow-4.1.4.2-gshadow.patch b/shadow-4.1.4.2-gshadow.patch deleted file mode 100644 index 1cf5ba6..0000000 --- a/shadow-4.1.4.2-gshadow.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -diff -up shadow-4.1.4.2/lib/gshadow.c.gshadow shadow-4.1.4.2/lib/gshadow.c ---- shadow-4.1.4.2/lib/gshadow.c.gshadow 2009-06-12 19:50:23.000000000 +0200 -+++ shadow-4.1.4.2/lib/gshadow.c 2011-01-05 16:28:55.207685148 +0100 -@@ -223,6 +223,7 @@ void endsgent (void) - if (NULL == buf) { - return NULL; - } -+ buflen = BUFSIZ; - } - - if (NULL == fp) { -@@ -230,9 +231,9 @@ void endsgent (void) - } - - #ifdef USE_NIS -- while (fgetsx (buf, (int) sizeof buf, fp) == buf) -+ while (fgetsx (buf, (int) buflen, fp) == buf) - #else -- if (fgetsx (buf, (int) sizeof buf, fp) == buf) -+ if (fgetsx (buf, (int) buflen, fp) == buf) - #endif - { - while ( ((cp = strrchr (buf, '\n')) == NULL) diff --git a/shadow-4.1.4.2-leak.patch b/shadow-4.1.4.2-leak.patch deleted file mode 100644 index 0d6aa09..0000000 --- a/shadow-4.1.4.2-leak.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -diff -up shadow-4.1.4.2/lib/groupmem.c.leak shadow-4.1.4.2/lib/groupmem.c ---- shadow-4.1.4.2/lib/groupmem.c.leak 2009-04-23 19:43:27.000000000 +0200 -+++ shadow-4.1.4.2/lib/groupmem.c 2009-09-07 15:43:23.314129427 +0200 -@@ -51,10 +51,13 @@ - *gr = *grent; - gr->gr_name = strdup (grent->gr_name); - if (NULL == gr->gr_name) { -+ free(gr); - return NULL; - } - gr->gr_passwd = strdup (grent->gr_passwd); - if (NULL == gr->gr_passwd) { -+ free(gr->gr_name); -+ free(gr); - return NULL; - } - -@@ -62,11 +65,21 @@ - - gr->gr_mem = (char **) malloc ((i + 1) * sizeof (char *)); - if (NULL == gr->gr_mem) { -+ free(gr->gr_passwd); -+ free(gr->gr_name); -+ free(gr); - return NULL; - } - for (i = 0; grent->gr_mem[i]; i++) { - gr->gr_mem[i] = strdup (grent->gr_mem[i]); - if (NULL == gr->gr_mem[i]) { -+ int j; -+ for (j=0; jgr_mem[j]); -+ free(gr->gr_mem); -+ free(gr->gr_passwd); -+ free(gr->gr_name); -+ free(gr); - return NULL; - } - } -diff -up shadow-4.1.4.2/libmisc/copydir.c.leak shadow-4.1.4.2/libmisc/copydir.c ---- shadow-4.1.4.2/libmisc/copydir.c.leak 2009-05-22 12:16:14.000000000 +0200 -+++ shadow-4.1.4.2/libmisc/copydir.c 2009-09-07 15:41:49.217192095 +0200 -@@ -443,6 +443,7 @@ static char *readlink_malloc (const char - nchars = readlink (filename, buffer, size); - - if (nchars < 0) { -+ free(buffer); - return NULL; - } - -diff -up shadow-4.1.4.2/lib/pwmem.c.leak shadow-4.1.4.2/lib/pwmem.c ---- shadow-4.1.4.2/lib/pwmem.c.leak 2009-04-23 19:43:27.000000000 +0200 -+++ shadow-4.1.4.2/lib/pwmem.c 2009-09-07 15:41:49.218203063 +0200 -@@ -51,22 +51,37 @@ - *pw = *pwent; - pw->pw_name = strdup (pwent->pw_name); - if (NULL == pw->pw_name) { -+ free(pw); - return NULL; - } - pw->pw_passwd = strdup (pwent->pw_passwd); - if (NULL == pw->pw_passwd) { -+ free(pw->pw_name); -+ free(pw); - return NULL; - } - pw->pw_gecos = strdup (pwent->pw_gecos); - if (NULL == pw->pw_gecos) { -+ free(pw->pw_passwd); -+ free(pw->pw_name); -+ free(pw); - return NULL; - } - pw->pw_dir 
= strdup (pwent->pw_dir); - if (NULL == pw->pw_dir) { -+ free(pw->pw_gecos); -+ free(pw->pw_passwd); -+ free(pw->pw_name); -+ free(pw); - return NULL; - } - pw->pw_shell = strdup (pwent->pw_shell); - if (NULL == pw->pw_shell) { -+ free(pw->pw_dir); -+ free(pw->pw_gecos); -+ free(pw->pw_passwd); -+ free(pw->pw_name); -+ free(pw); - return NULL; - } - -diff -up shadow-4.1.4.2/lib/shadowmem.c.leak shadow-4.1.4.2/lib/shadowmem.c ---- shadow-4.1.4.2/lib/shadowmem.c.leak 2009-04-23 19:43:27.000000000 +0200 -+++ shadow-4.1.4.2/lib/shadowmem.c 2009-09-07 15:41:49.218203063 +0200 -@@ -52,10 +52,13 @@ - *sp = *spent; - sp->sp_namp = strdup (spent->sp_namp); - if (NULL == sp->sp_namp) { -+ free(sp); - return NULL; - } - sp->sp_pwdp = strdup (spent->sp_pwdp); - if (NULL == sp->sp_pwdp) { -+ free(sp->sp_namp); -+ free(sp); - return NULL; - } - diff --git a/shadow-4.1.4.2-redhat.patch b/shadow-4.1.4.2-redhat.patch deleted file mode 100644 index fb2a437..0000000 --- a/shadow-4.1.4.2-redhat.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -diff -up shadow-4.1.4.2/man/useradd.8.redhat shadow-4.1.4.2/man/useradd.8 ---- shadow-4.1.4.2/man/useradd.8.redhat 2009-07-24 03:16:44.000000000 +0200 -+++ shadow-4.1.4.2/man/useradd.8 2011-02-09 11:04:24.851151246 +0100 -@@ -211,7 +211,7 @@ Create the user\'s home directory if it - \fB\-k\fR - option) will be copied to the home directory\&. - .sp --By default, no home directories are created\&. -+The home directories are created by default on RHEL/Fedora systems because of /etc/login.defs (\fBCREATE_HOME\fR) setting\&. - .RE - .PP - \fB\-M\fR -diff -up shadow-4.1.4.2/src/useradd.c.redhat shadow-4.1.4.2/src/useradd.c ---- shadow-4.1.4.2/src/useradd.c.redhat 2009-06-06 00:16:58.000000000 +0200 -+++ shadow-4.1.4.2/src/useradd.c 2011-02-09 11:04:06.031036886 +0100 -@@ -90,7 +90,7 @@ char *Prog; - static gid_t def_group = 100; - static const char *def_gname = "other"; - static const char *def_home = "/home"; --static const char *def_shell = ""; -+static const char *def_shell = "/sbin/nologin"; - static const char *def_template = SKEL_DIR; - static const char *def_create_mail_spool = "no"; - -@@ -102,7 +102,7 @@ static char def_file[] = USER_DEFAULTS_F - #define VALID(s) (strcspn (s, ":\n") == strlen (s)) - - static const char *user_name = ""; --static const char *user_pass = "!"; -+static const char *user_pass = "!!"; - static uid_t user_id; - static gid_t user_gid; - static const char *user_comment = ""; -@@ -989,9 +989,9 @@ static void process_flags (int argc, cha - }; - while ((c = getopt_long (argc, argv, - #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:", -+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", - #else -- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", -+ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", - #endif - long_options, NULL)) != -1) { - switch (c) { -@@ -1141,6 +1141,7 @@ static void process_flags (int argc, cha - case 'M': - Mflg = true; - break; -+ case 'n': - case 'N': - Nflg = true; - break; 
diff --git a/shadow-4.1.4.2-underflow.patch b/shadow-4.1.4.2-underflow.patch deleted file mode 100644 index 8553f8f..0000000 --- a/shadow-4.1.4.2-underflow.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -diff -up shadow-4.1.4.3/src/faillog.c.underflow shadow-4.1.4.3/src/faillog.c ---- shadow-4.1.4.3/src/faillog.c.underflow 2011-02-13 12:58:16.000000000 -0500 -+++ shadow-4.1.4.3/src/faillog.c 2011-05-30 17:48:55.000000000 -0400 -@@ -106,8 +106,8 @@ static void print_one (/*@null@*/const s - return; - } - -- offset = pw->pw_uid * sizeof (fl); -- if (offset <= (statbuf.st_size - sizeof (fl))) { -+ offset = (off_t) pw->pw_uid * sizeof (fl); -+ if (offset + sizeof (fl) <= statbuf.st_size) { - /* fseeko errors are not really relevant for us. */ - int err = fseeko (fail, offset, SEEK_SET); - assert (0 == err); -@@ -206,8 +206,8 @@ static bool reset_one (uid_t uid) - off_t offset; - struct faillog fl; - -- offset = uid * sizeof (fl); -- if (offset <= (statbuf.st_size - sizeof (fl))) { -+ offset = (off_t) uid * sizeof (fl); -+ if (offset + sizeof (fl) <= statbuf.st_size) { - /* fseeko errors are not really relevant for us. */ - int err = fseeko (fail, offset, SEEK_SET); - assert (0 == err); -@@ -294,7 +294,7 @@ static bool setmax_one (uid_t uid, int m - struct faillog fl; - - offset = (off_t) uid * sizeof (fl); -- if (offset <= (statbuf.st_size - sizeof (fl))) { -+ if (offset + sizeof (fl) <= statbuf.st_size) { - /* fseeko errors are not really relevant for us. */ - int err = fseeko (fail, offset, SEEK_SET); - assert (0 == err); -@@ -385,7 +385,7 @@ static bool set_locktime_one (uid_t uid, - struct faillog fl; - - offset = (off_t) uid * sizeof (fl); -- if (offset <= (statbuf.st_size - sizeof (fl))) { -+ if (offset + sizeof (fl) <= statbuf.st_size) { - /* fseeko errors are not really relevant for us. 
*/ - int err = fseeko (fail, offset, SEEK_SET); - assert (0 == err); -diff -up shadow-4.1.4.3/src/lastlog.c.underflow shadow-4.1.4.3/src/lastlog.c ---- shadow-4.1.4.3/src/lastlog.c.underflow 2011-05-31 03:52:25.000000000 -0400 -+++ shadow-4.1.4.3/src/lastlog.c 2011-05-31 03:53:32.000000000 -0400 -@@ -102,9 +102,8 @@ static void print_one (/*@null@*/const s - } - - -- offset = pw->pw_uid * sizeof (ll); -- -- if (offset <= (statbuf.st_size - sizeof (ll))) { -+ offset = (off_t) pw->pw_uid * sizeof (ll); -+ if (offset + sizeof (ll) <= statbuf.st_size) { - /* fseeko errors are not really relevant for us. */ - int err = fseeko (lastlogfile, offset, SEEK_SET); - assert (0 == err); diff --git a/shadow-4.1.4.3-IDs.patch b/shadow-4.1.4.3-IDs.patch deleted file mode 100644 index 6d26f74..0000000 --- a/shadow-4.1.4.3-IDs.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.IDs shadow-4.1.4.3/libmisc/find_new_gid.c ---- shadow-4.1.4.3/libmisc/find_new_gid.c.IDs 2011-12-20 13:28:13.042668305 +0100 -+++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-12-20 13:35:40.011817589 +0100 -@@ -32,6 +32,7 @@ - - #include - #include -+#include - - #include "prototypes.h" - #include "groupio.h" -@@ -65,8 +66,6 @@ int find_new_gid (bool sys_group, - gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - } -- used_gids = alloca (sizeof (bool) * (gid_max +1)); -- memset (used_gids, false, sizeof (bool) * (gid_max + 1)); - - if ( (NULL != preferred_gid) - && (*preferred_gid >= gid_min) -@@ -80,6 +79,14 @@ int find_new_gid (bool sys_group, - return 0; - } - -+ used_gids = malloc (sizeof (bool) * (gid_max +1)); -+ if(used_gids==NULL) { -+ fprintf (stderr, -+ _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno)); -+ return -1; -+ } -+ memset (used_gids, false, sizeof (bool) * (gid_max + 1)); -+ - /* if we did not find free preffered system gid, we start to look for - * one in the range assigned to dynamic system IDs */ - if (sys_group) -@@ -162,6 +169,7 @@ int find_new_gid (bool sys_group, - Prog); - SYSLOG ((LOG_WARN, - "no more available GID on the system")); -+ free(used_gids); - return -1; - } - } -@@ -177,12 +185,14 @@ int find_new_gid (bool sys_group, - _("%s: Can't get unique GID (no more available GIDs)\n"), - Prog); - SYSLOG ((LOG_WARN, "no more available GID on the system")); -+ free(used_gids); - return -1; - } - } - } - - *gid = group_id; -+ free(used_gids); - return 0; - } - -diff -up shadow-4.1.4.3/libmisc/find_new_uid.c.IDs shadow-4.1.4.3/libmisc/find_new_uid.c ---- shadow-4.1.4.3/libmisc/find_new_uid.c.IDs 2011-02-13 18:58:11.000000000 +0100 -+++ shadow-4.1.4.3/libmisc/find_new_uid.c 2011-12-20 13:37:27.415023688 +0100 -@@ -32,6 +32,7 @@ - - #include - #include -+#include - - #include 
"prototypes.h" - #include "pwio.h" -@@ -65,8 +66,6 @@ int find_new_uid (bool sys_user, - uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; - uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); - } -- used_uids = alloca (sizeof (bool) * (uid_max +1)); -- memset (used_uids, false, sizeof (bool) * (uid_max + 1)); - - if ( (NULL != preferred_uid) - && (*preferred_uid >= uid_min) -@@ -80,6 +79,13 @@ int find_new_uid (bool sys_user, - return 0; - } - -+ used_uids = malloc (sizeof (bool) * (uid_max +1)); -+ if(used_uids==NULL) { -+ fprintf (stderr, -+ _("%s: failed to allocate memory. %s\n"), Prog, strerror (errno)); -+ return -1; -+ } -+ memset (used_uids, false, sizeof (bool) * (uid_max + 1)); - - /* - * Search the entire password file, -@@ -158,6 +164,7 @@ int find_new_uid (bool sys_user, - Prog); - SYSLOG ((LOG_WARN, - "no more available UID on the system")); -+ free(used_uids); - return -1; - } - } -@@ -173,12 +180,14 @@ int find_new_uid (bool sys_user, - _("%s: Can't get unique UID (no more available UIDs)\n"), - Prog); - SYSLOG ((LOG_WARN, "no more available UID on the system")); -+ free(used_uids); - return -1; - } - } - } - - *uid = user_id; -+ free(used_uids); - return 0; - } - diff --git a/shadow-4.1.4.3-libsemanage.patch b/shadow-4.1.4.3-libsemanage.patch deleted file mode 100644 index 8323e1f..0000000 --- a/shadow-4.1.4.3-libsemanage.patch +++ /dev/null 
@@ -1,640 +0,0 @@ -diff -up shadow-4.1.4.3/lib/Makefile.in.libsemanage shadow-4.1.4.3/lib/Makefile.in ---- shadow-4.1.4.3/lib/Makefile.in.libsemanage 2011-02-15 23:18:15.000000000 +0100 -+++ shadow-4.1.4.3/lib/Makefile.in 2011-11-09 14:11:26.455362101 +0100 -@@ -52,7 +52,7 @@ am_libshadow_la_OBJECTS = commonio.lo en - groupio.lo groupmem.lo gshadow.lo lockpw.lo nscd.lo port.lo \ - pwauth.lo pwio.lo pwmem.lo sgetgrent.lo sgetpwent.lo \ - sgetspent.lo sgroupio.lo shadow.lo shadowio.lo shadowmem.lo \ -- utent.lo -+ utent.lo selinux.lo - libshadow_la_OBJECTS = $(am_libshadow_la_OBJECTS) - libshadow_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ -@@ -202,7 +202,6 @@ libdir = @libdir@ - libexecdir = @libexecdir@ - localedir = @localedir@ - localstatedir = @localstatedir@ --lt_ECHO = @lt_ECHO@ - mandir = @mandir@ - mkdir_p = @mkdir_p@ - oldincludedir = @oldincludedir@ -@@ -261,7 +260,8 @@ libshadow_la_SOURCES = \ - shadowio.c \ - shadowio.h \ - shadowmem.c \ -- utent.c -+ utent.c \ -+ selinux.c - - - # These files are unneeded for some reason, listed in -@@ -349,6 +349,7 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadow.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowio.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowmem.Plo@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/selinux.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utent.Plo@am__quote@ - - .c.o: -diff -up shadow-4.1.4.3/libmisc/Makefile.in.libsemanage shadow-4.1.4.3/libmisc/Makefile.in ---- shadow-4.1.4.3/libmisc/Makefile.in.libsemanage 2011-02-15 23:18:16.000000000 +0100 -+++ shadow-4.1.4.3/libmisc/Makefile.in 2011-11-09 14:11:26.456362098 +0100 -@@ -64,7 +64,7 @@ am_libmisc_a_OBJECTS = addgrps.$(OBJEXT) - pam_pass_non_interractive.$(OBJEXT) pwd2spwd.$(OBJEXT) \ - pwdcheck.$(OBJEXT) pwd_init.$(OBJEXT) rlogin.$(OBJEXT) \ - 
salt.$(OBJEXT) setugid.$(OBJEXT) setupenv.$(OBJEXT) \ -- shell.$(OBJEXT) system.$(OBJEXT) strtoday.$(OBJEXT) \ -+ shell.$(OBJEXT) strtoday.$(OBJEXT) \ - sub.$(OBJEXT) sulog.$(OBJEXT) ttytype.$(OBJEXT) tz.$(OBJEXT) \ - ulimit.$(OBJEXT) user_busy.$(OBJEXT) utmp.$(OBJEXT) \ - valid.$(OBJEXT) xgetpwnam.$(OBJEXT) xgetpwuid.$(OBJEXT) \ -@@ -284,7 +284,6 @@ libmisc_a_SOURCES = \ - setugid.c \ - setupenv.c \ - shell.c \ -- system.c \ - strtoday.c \ - sub.c \ - sulog.c \ -@@ -394,7 +393,6 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strtoday.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sub.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sulog.Po@am__quote@ --@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttytype.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tz.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ulimit.Po@am__quote@ -diff -up shadow-4.1.4.3/libmisc/system.c.libsemanage shadow-4.1.4.3/libmisc/system.c ---- shadow-4.1.4.3/libmisc/system.c.libsemanage 2011-02-13 18:58:11.000000000 +0100 -+++ shadow-4.1.4.3/libmisc/system.c 2011-11-09 14:11:26.457362095 +0100 -@@ -1,72 +0,0 @@ --/* -- * Copyright (c) 2009 , Dan Walsh -- * All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * 1. Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in the -- * documentation and/or other materials provided with the distribution. -- * 3. 
The name of the copyright holders or contributors may not be used to -- * endorse or promote products derived from this software without -- * specific prior written permission. -- * -- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -- */ --#include -- --#ident "$Id: system.c 2849 2009-04-30 21:08:49Z nekral-guest $" -- --#include --#include --#include --#include "prototypes.h" --#include "defines.h" -- --int safe_system (const char *command, -- const char *argv[], -- const char *env[], -- int ignore_stderr) --{ -- int status = -1; -- int fd; -- pid_t pid; -- -- pid = fork(); -- if (pid < 0) { -- return -1; -- } -- -- if (pid) { /* Parent */ -- if (waitpid (pid, &status, 0) > 0) { -- return status; -- } else { -- return -1; -- } -- } -- -- fd = open ("/dev/null", O_RDWR); -- /* Child */ -- dup2 (fd, 0); // Close Stdin -- if (ignore_stderr) { -- dup2 (fd, 2); // Close Stderr -- } -- -- execve (command, (char *const *) argv, (char *const *) env); -- fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]); -- exit (EXIT_FAILURE); --} -- -diff -up shadow-4.1.4.3/lib/prototypes.h.libsemanage shadow-4.1.4.3/lib/prototypes.h ---- shadow-4.1.4.3/lib/prototypes.h.libsemanage 2011-02-13 18:58:23.000000000 +0100 -+++ 
shadow-4.1.4.3/lib/prototypes.h 2011-11-09 14:11:26.457362095 +0100 -@@ -331,12 +331,6 @@ extern void spw_free (/*@out@*/ /*@only@ - /* shell.c */ - extern int shell (const char *file, /*@null@*/const char *arg, char *const envp[]); - --/* system.c */ --extern int safe_system (const char *command, -- const char *argv[], -- const char *env[], -- int ignore_stderr); -- - /* strtoday.c */ - extern long strtoday (const char *); - -@@ -403,4 +397,8 @@ extern /*@null@*/ /*@only@*/struct spwd - /* yesno.c */ - extern bool yes_or_no (bool read_only); - -+/* selinux.c */ -+int set_seuser(const char *login_name, const char *seuser_name); -+int del_seuser(const char *login_name); -+ - #endif /* _PROTOTYPES_H */ -diff -up shadow-4.1.4.3/lib/selinux.c.libsemanage shadow-4.1.4.3/lib/selinux.c ---- shadow-4.1.4.3/lib/selinux.c.libsemanage 2011-11-09 14:11:26.458362092 +0100 -+++ shadow-4.1.4.3/lib/selinux.c 2011-11-09 14:11:26.458362092 +0100 -@@ -0,0 +1,341 @@ -+/* -+ shadow-utils -+ -+ su-selinux.c -+ -+ Copyright (C) Jakub Hrozek 2010 -+ Copyright (C) Peter Vrabec 2011 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include -+ -+#include "defines.h" -+ -+#include -+#include -+#include -+ -+ -+#ifndef DEFAULT_SERANGE -+#define DEFAULT_SERANGE "s0" -+#endif -+ -+ -+static void semanage_error_callback(void *varg, -+ semanage_handle_t *handle, -+ const char *fmt, ...) 
-+{ -+ int ret; -+ char * message = NULL; -+ va_list ap; -+ -+ -+ va_start(ap, fmt); -+ ret = vasprintf(&message, fmt, ap); -+ va_end(ap); -+ if (ret < 0) { -+ /* ENOMEM */ -+ return; -+ } -+ -+ switch (semanage_msg_get_level(handle)) { -+ case SEMANAGE_MSG_ERR: -+ case SEMANAGE_MSG_WARN: -+ fprintf(stderr, "[libsemanage]: %s\n", message); -+ break; -+ case SEMANAGE_MSG_INFO: -+ /* nop */ -+ break; -+ } -+ -+ free(message); -+} -+ -+ -+static semanage_handle_t *semanage_init(void) -+{ -+ int ret; -+ semanage_handle_t *handle = NULL; -+ -+ handle = semanage_handle_create(); -+ if (!handle) { -+ fprintf(stderr, _("Cannot create SELinux management handle\n")); -+ return NULL; -+ } -+ -+ semanage_msg_set_callback(handle, semanage_error_callback, NULL); -+ -+ ret = semanage_is_managed(handle); -+ if (ret != 1) { -+ fprintf(stderr, _("SELinux policy not managed\n")); -+ goto fail; -+ } -+ -+ ret = semanage_access_check(handle); -+ if (ret < SEMANAGE_CAN_READ) { -+ fprintf(stderr, _("Cannot read SELinux policy store\n")); -+ goto fail; -+ } -+ -+ ret = semanage_connect(handle); -+ if (ret != 0) { -+ fprintf(stderr, _("Cannot estabilish SELinux management connection\n")); -+ goto fail; -+ } -+ -+ ret = semanage_begin_transaction(handle); -+ if (ret != 0) { -+ fprintf(stderr, _("Cannot begin SELinux transaction\n")); -+ goto fail; -+ } -+ -+ return handle; -+fail: -+ semanage_handle_destroy(handle); -+ return NULL; -+} -+ -+ -+static int semanage_user_mod(semanage_handle_t *handle, -+ semanage_seuser_key_t *key, -+ const char *login_name, -+ const char *seuser_name) -+{ -+ int ret; -+ semanage_seuser_t *seuser = NULL; -+ -+ semanage_seuser_query(handle, key, &seuser); -+ if (seuser == NULL) { -+ fprintf(stderr, _("Could not query seuser for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not set serange for %s\n"), login_name); -+ ret = 1; -+ goto 
done; -+ } -+ -+ ret = semanage_seuser_set_sename(handle, seuser, seuser_name); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not set sename for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_modify_local(handle, key, seuser); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not modify login mapping for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = 0; -+done: -+ semanage_seuser_free(seuser); -+ return ret; -+} -+ -+ -+static int semanage_user_add(semanage_handle_t *handle, -+ semanage_seuser_key_t *key, -+ const char *login_name, -+ const char *seuser_name) -+{ -+ int ret; -+ semanage_seuser_t *seuser = NULL; -+ -+ ret = semanage_seuser_create(handle, &seuser); -+ if (ret != 0) { -+ fprintf(stderr, _("Cannot create SELinux login mapping for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_set_name(handle, seuser, login_name); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not set name for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not set serange for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_set_sename(handle, seuser, seuser_name); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not set SELinux user for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_modify_local(handle, key, seuser); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not add login mapping for %s\n"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = 0; -+done: -+ semanage_seuser_free(seuser); -+ return ret; -+} -+ -+ -+int set_seuser(const char *login_name, const char *seuser_name) -+{ -+ semanage_handle_t *handle = NULL; -+ semanage_seuser_key_t *key = NULL; -+ int ret; -+ int seuser_exists = 0; -+ -+ if (seuser_name == NULL) { -+ /* don't care, just let system pick the defaults */ -+ return 0; -+ } -+ -+ handle = 
semanage_init(); -+ if (!handle) { -+ fprintf(stderr, _("Cannot init SELinux management\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_key_create(handle, login_name, &key); -+ if (ret != 0) { -+ fprintf(stderr, _("Cannot create SELinux user key\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_exists(handle, key, &seuser_exists); -+ if (ret < 0) { -+ fprintf(stderr, _("Cannot verify the SELinux user\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ if (seuser_exists) { -+ ret = semanage_user_mod(handle, key, login_name, seuser_name); -+ if (ret != 0) { -+ fprintf(stderr, _("Cannot modify SELinux user mapping\n")); -+ ret = 1; -+ goto done; -+ } -+ } else { -+ ret = semanage_user_add(handle, key, login_name, seuser_name); -+ if (ret != 0) { -+ fprintf(stderr, _("Cannot add SELinux user mapping\n")); -+ ret = 1; -+ goto done; -+ } -+ } -+ -+ ret = semanage_commit(handle); -+ if (ret < 0) { -+ fprintf(stderr,_("Cannot commit SELinux transaction\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = 0; -+ -+done: -+ semanage_seuser_key_free(key); -+ semanage_handle_destroy(handle); -+ return ret; -+} -+ -+ -+ -+ -+ -+int del_seuser(const char *login_name) -+{ -+ semanage_handle_t *handle = NULL; -+ semanage_seuser_key_t *key = NULL; -+ int ret; -+ int exists = 0; -+ -+ handle = semanage_init(); -+ if (!handle) { -+ fprintf(stderr, _("Cannot init SELinux management\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_key_create(handle, login_name, &key); -+ if (ret != 0) { -+ fprintf(stderr, _("Cannot create SELinux user key\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_seuser_exists(handle, key, &exists); -+ if (ret < 0) { -+ fprintf(stderr, _("Cannot verify the SELinux user\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ if (!exists) { -+ fprintf(stderr, _("Login mapping for %s is not defined, OK if default mapping was used\n"), -+ login_name); -+ ret = 0; /* probably default mapping */ -+ goto done; -+ } -+ -+ ret = 
semanage_seuser_exists_local(handle, key, &exists); -+ if (ret < 0) { -+ fprintf(stderr, _("Cannot verify the SELinux user\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ if (!exists) { -+ fprintf(stderr, _("Login mapping for %s is defined in policy, cannot be deleted\n"), -+ login_name); -+ ret = 0; /* Login mapping defined in policy can't be deleted */ -+ goto done; -+ } -+ -+ ret = semanage_seuser_del_local(handle, key); -+ if (ret != 0) { -+ fprintf(stderr, _("Could not delete login mapping for %s"), login_name); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = semanage_commit(handle); -+ if (ret < 0) { -+ fprintf(stderr, _("Cannot commit SELinux transaction\n")); -+ ret = 1; -+ goto done; -+ } -+ -+ ret = 0; -+done: -+ semanage_handle_destroy(handle); -+ return ret; -+} -+ -diff -up shadow-4.1.4.3/man/userdel.8.libsemanage shadow-4.1.4.3/man/userdel.8 ---- shadow-4.1.4.3/man/userdel.8.libsemanage 2011-11-09 14:19:27.772753117 +0100 -+++ shadow-4.1.4.3/man/userdel.8 2011-11-09 14:21:13.947365740 +0100 -@@ -243,6 +243,11 @@ can\*(Aqt update group file - .RS 4 - can\*(Aqt remove home directory - .RE -+.PP -+\fI14\fR -+.RS 4 -+can\*(Aqt update SELinux user mapping -+.PP - .SH "CAVEATS" - .PP - -diff -up shadow-4.1.4.3/src/Makefile.in.libsemanage shadow-4.1.4.3/src/Makefile.in ---- shadow-4.1.4.3/src/Makefile.in.libsemanage 2011-11-09 14:11:26.431362175 +0100 -+++ shadow-4.1.4.3/src/Makefile.in 2011-11-09 14:11:26.459362089 +0100 -@@ -431,9 +431,9 @@ su_SOURCES = \ - - su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) - sulogin_LDADD = $(LDADD) $(LIBCRYPT) --useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl --userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl --usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage -+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage -+usermod_LDADD = 
$(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage - vipw_LDADD = $(LDADD) $(LIBSELINUX) - all: all-am - -diff -up shadow-4.1.4.3/src/useradd.c.libsemanage shadow-4.1.4.3/src/useradd.c ---- shadow-4.1.4.3/src/useradd.c.libsemanage 2011-11-09 14:11:26.424362196 +0100 -+++ shadow-4.1.4.3/src/useradd.c 2011-11-09 14:11:26.460362086 +0100 -@@ -1999,16 +1999,7 @@ int main (int argc, char **argv) - #ifdef WITH_SELINUX - if (Zflg && *user_selinux) { - if (is_selinux_enabled () > 0) { -- const char *argv[7]; -- -- argv[0] = "/usr/sbin/semanage"; -- argv[1] = "login"; -- argv[2] = "-a"; -- argv[3] = "-s"; -- argv[4] = user_selinux; -- argv[5] = user_name; -- argv[6] = NULL; -- if (safe_system (argv[0], argv, NULL, 0)) { -+ if (set_seuser(user_name, user_selinux)) { - fprintf (stderr, - _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), - Prog, user_name, user_selinux); -diff -up shadow-4.1.4.3/src/userdel.c.libsemanage shadow-4.1.4.3/src/userdel.c ---- shadow-4.1.4.3/src/userdel.c.libsemanage 2011-11-09 14:11:26.425362193 +0100 -+++ shadow-4.1.4.3/src/userdel.c 2011-11-09 14:18:59.274855167 +0100 -@@ -70,6 +70,7 @@ - #define E_USER_BUSY 8 /* user currently logged in */ - #define E_GRP_UPDATE 10 /* can't update group file */ - #define E_HOMEDIR 12 /* can't remove home directory */ -+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ - - /* - * Global variables -@@ -1002,13 +1003,17 @@ int main (int argc, char **argv) - #ifdef WITH_SELINUX - if (Zflg) { - if (is_selinux_enabled () > 0) { -- const char *args[5]; -- args[0] = "/usr/sbin/semanage"; -- args[1] = "login"; -- args[2] = "-d"; -- args[3] = user_name; -- args[4] = NULL; -- safe_system (args[0], args, NULL, 1); -+ if (del_seuser(user_name)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), -+ Prog, user_name); -+ #ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "removing SELinux user mapping", -+ user_name, 
(unsigned int) user_id, 0); -+ #endif -+ fail_exit (E_SE_UPDATE); -+ } - } - } - #endif -diff -up shadow-4.1.4.3/src/usermod.c.libsemanage shadow-4.1.4.3/src/usermod.c ---- shadow-4.1.4.3/src/usermod.c.libsemanage 2011-11-09 14:11:26.426362190 +0100 -+++ shadow-4.1.4.3/src/usermod.c 2011-11-09 14:11:26.463362076 +0100 -@@ -1787,28 +1787,16 @@ int main (int argc, char **argv) - #ifdef WITH_SELINUX - if (Zflg && *user_selinux) { - if (is_selinux_enabled () > 0) { -- const char *argv[7]; -- -- argv[0] = "/usr/sbin/semanage"; -- argv[1] = "login"; -- argv[2] = "-m"; -- argv[3] = "-s"; -- argv[4] = user_selinux; -- argv[5] = user_name; -- argv[6] = NULL; -- if (safe_system (argv[0], argv, NULL, 1)) { -- argv[2] = "-a"; -- if (safe_system (argv[0], argv, NULL, 0)) { -- fprintf (stderr, -- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -- Prog, user_name, user_selinux); -+ if (set_seuser(user_name, user_selinux)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); - #ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "modifying User mapping ", -- user_name, (unsigned int) user_id, 0); -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "modifying User mapping ", -+ user_name, (unsigned int) user_id, 0); - #endif -- fail_exit (E_SE_UPDATE); -- } -+ fail_exit (E_SE_UPDATE); - } - } - } diff --git a/shadow-4.1.4.3-man.patch b/shadow-4.1.4.3-man.patch deleted file mode 100644 index 8bca143..0000000 --- a/shadow-4.1.4.3-man.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -diff -up shadow-4.1.4.3/man/useradd.8.man shadow-4.1.4.3/man/useradd.8 ---- shadow-4.1.4.3/man/useradd.8.man 2011-11-09 14:30:51.402072168 +0100 -+++ shadow-4.1.4.3/man/useradd.8 2011-11-10 11:09:14.266810444 +0100 -@@ -220,12 +220,12 @@ Create the user\*(Aqs home directory if - \fB\-k\fR - option) will be copied to the home directory\&. - .sp --The home directories are created by default on RHEL/Fedora systems because of /etc/login.defs (\fBCREATE_HOME\fR) setting\&. -+useradd will create the home directory unless \fBCREATE_HOME\fR in /etc/login.defs is set to no\&. - .RE - .PP - \fB\-M\fR - .RS 4 --Do no create the user\*(Aqs home directory, even if the system wide setting from -+Do not create the user\*(Aqs home directory, even if the system wide setting from - /etc/login\&.defs - (\fBCREATE_HOME\fR) is set to - \fIyes\fR\&. -@@ -255,7 +255,7 @@ variable in - Allow the creation of a user account with a duplicate (non\-unique) UID\&. - .sp - This option is only valid in combination with the --\fB\-o\fR -+\fB\-u\fR - option\&. - .RE - .PP diff --git a/shadow-4.1.4.3-nopam.patch b/shadow-4.1.4.3-nopam.patch deleted file mode 100644 index 8307f7e..0000000 --- a/shadow-4.1.4.3-nopam.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -diff -up shadow-4.1.4.3/man/ru/Makefile.in.nopam shadow-4.1.4.3/man/ru/Makefile.in ---- shadow-4.1.4.3/man/ru/Makefile.in.nopam 2011-05-20 22:42:23.145018292 +0200 -+++ shadow-4.1.4.3/man/ru/Makefile.in 2011-05-20 22:43:56.654017229 +0200 -@@ -150,7 +150,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ - PACKAGE_NAME = @PACKAGE_NAME@ - PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ --PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - POSUB = @POSUB@ -@@ -222,13 +221,13 @@ target_alias = @target_alias@ - top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ --man_MANS = $(man_nopam) chage.1 chfn.1 chgpasswd.8 chpasswd.8 chsh.1 \ -- expiry.1 faillog.5 faillog.8 getspnam.3 gpasswd.1 groupadd.8 \ -- groupdel.8 groupmems.8 groupmod.8 groups.1 grpck.8 grpconv.8 \ -- grpunconv.8 gshadow.5 lastlog.8 login.1 login.defs.5 logoutd.8 \ -- newgrp.1 newusers.8 nologin.8 passwd.1 passwd.5 pwck.8 \ -- pwconv.8 pwunconv.8 sg.1 shadow.3 shadow.5 su.1 suauth.5 \ -- useradd.8 userdel.8 usermod.8 vigr.8 vipw.8 $(am__append_1) -+man_MANS = chage.1 chfn.1 chgpasswd.8 chpasswd.8 chsh.1 expiry.1 \ -+ faillog.5 faillog.8 getspnam.3 gpasswd.1 groupadd.8 groupdel.8 \ -+ groupmems.8 groupmod.8 groups.1 grpck.8 grpconv.8 grpunconv.8 \ -+ gshadow.5 lastlog.8 login.1 login.defs.5 logoutd.8 newgrp.1 \ -+ newusers.8 nologin.8 passwd.1 passwd.5 pwck.8 pwconv.8 \ -+ pwunconv.8 sg.1 shadow.3 shadow.5 su.1 suauth.5 useradd.8 \ -+ userdel.8 usermod.8 vigr.8 vipw.8 $(am__append_1) - man_nopam = \ - limits.5 \ - login.access.5 \ diff --git a/shadow-4.1.4.3-selinux.patch b/shadow-4.1.4.3-selinux.patch deleted file mode 100644 index 25404b3..0000000 --- a/shadow-4.1.4.3-selinux.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -diff -up shadow-4.1.4.3/lib/commonio.c.selinux shadow-4.1.4.3/lib/commonio.c ---- shadow-4.1.4.3/lib/commonio.c.selinux 2011-02-13 18:58:23.000000000 +0100 -+++ shadow-4.1.4.3/lib/commonio.c 2011-11-16 17:09:46.615837659 +0100 -@@ -921,10 +921,10 @@ int commonio_close (struct commonio_db * - - #ifdef WITH_SELINUX - if (db->scontext != NULL) { -- if (NULL != old_context) { - if (setfscreatecon (old_context) < 0) { - errors++; - } -+ if (NULL != old_context) { - freecon (old_context); - old_context = NULL; - } diff --git a/shadow-4.1.4.3-semange.patch b/shadow-4.1.4.3-semange.patch deleted file mode 100644 index b10efd0..0000000 --- a/shadow-4.1.4.3-semange.patch +++ /dev/null 
@@ -1,294 +0,0 @@ -diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8 ---- shadow-4.1.4.3/man/useradd.8.semange 2011-08-02 12:57:47.971838218 +0200 -+++ shadow-4.1.4.3/man/useradd.8 2011-08-02 12:57:47.985838145 +0200 -@@ -640,6 +640,11 @@ can\*(Aqt create home directory - .RS 4 - can\*(Aqt create mail spool - .RE -+.PP -+\fI14\fR -+.RS 4 -+can\'t update SELinux user mapping -+.RE - .SH "SEE ALSO" - .PP - -diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8 ---- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100 -+++ shadow-4.1.4.3/man/userdel.8 2011-08-02 12:57:47.985838145 +0200 -@@ -76,6 +76,11 @@ variable in the - login\&.defs - file\&. - .RE -+.PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR -+.RS 4 -+Remove SELinux user assigned to the user´s login from SELinux login mapping. -+.RE - .SH "CONFIGURATION" - .PP - The following configuration variables in -diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c ---- shadow-4.1.4.3/src/useradd.c.semange 2011-08-02 12:57:47.968838234 +0200 -+++ shadow-4.1.4.3/src/useradd.c 2011-08-02 12:58:17.626684439 +0200 -@@ -164,6 +164,7 @@ static bool home_added = false; - #define E_GRP_UPDATE 10 /* can't update group file */ - #define E_HOMEDIR 12 /* can't create home directory */ - #define E_MAIL_SPOOL 13 /* can't create mail spool */ -+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ - - #define DGROUP "GROUP=" - #define HOME "HOME=" -@@ -181,9 +182,6 @@ static int set_defaults (void); - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); --#ifdef WITH_SELINUX --static void selinux_update_mapping (void); --#endif - - static long scale_age (long); - static void new_spent (struct spwd *); -@@ -1710,32 +1708,6 @@ static void usr_update (void) - } - } - --#ifdef WITH_SELINUX --static void selinux_update_mapping (void) { -- if (is_selinux_enabled () <= 0) return; -- -- if 
(*user_selinux) { /* must be done after passwd write() */ -- const char *argv[7]; -- argv[0] = "/usr/sbin/semanage"; -- argv[1] = "login"; -- argv[2] = "-a"; -- argv[3] = "-s"; -- argv[4] = user_selinux; -- argv[5] = user_name; -- argv[6] = NULL; -- if (safe_system (argv[0], argv, NULL, 0)) { -- fprintf (stderr, -- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -- Prog, user_name, user_selinux); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding SELinux user mapping", -- user_name, (unsigned int) user_id, 0); --#endif -- } -- } --} --#endif - /* - * create_home - create the user's home directory - * -@@ -2025,7 +1997,30 @@ int main (int argc, char **argv) - close_files (); - - #ifdef WITH_SELINUX -- selinux_update_mapping (); -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ const char *argv[7]; -+ -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-a"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system (argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+ #ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "adding SELinux user mapping", -+ user_name, (unsigned int) user_id, 0); -+ #endif -+ fail_exit (E_SE_UPDATE); -+ } -+ } -+ } - #endif - - nscd_flush_cache ("passwd"); -diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c ---- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100 -+++ shadow-4.1.4.3/src/userdel.c 2011-08-02 12:57:47.988838130 +0200 -@@ -82,6 +82,7 @@ static char *user_home; - - static bool fflg = false; - static bool rflg = false; -+static bool Zflg = false; - - static bool is_shadow_pwd; - -@@ -120,6 +121,9 @@ static void usage (void) - " even if not owned by user\n" - " -h, --help display this help message and exit\n" - " -r, --remove remove home 
directory and mail spool\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n" -+#endif - "\n"), stderr); - exit (E_USAGE); - } -@@ -766,9 +770,17 @@ int main (int argc, char **argv) - {"force", no_argument, NULL, 'f'}, - {"help", no_argument, NULL, 'h'}, - {"remove", no_argument, NULL, 'r'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {NULL, 0, NULL, '\0'} - }; -- while ((c = getopt_long (argc, argv, "fhr", -+ while ((c = getopt_long (argc, argv, -+#ifdef WITH_SELINUX -+ "fhrZ", -+#else -+ "fhr", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'f': /* force remove even if not owned by user */ -@@ -777,6 +789,19 @@ int main (int argc, char **argv) - case 'r': /* remove home dir and mailbox */ - rflg = true; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled () > 0) { -+ Zflg = true; -+ } else { -+ fprintf (stderr, -+ _("%s: -Z requires SELinux enabled kernel\n"), -+ Prog); -+ -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -975,14 +1000,16 @@ int main (int argc, char **argv) - #endif - - #ifdef WITH_SELINUX -- if (is_selinux_enabled () > 0) { -- const char *args[5]; -- args[0] = "/usr/sbin/semanage"; -- args[1] = "login"; -- args[2] = "-d"; -- args[3] = user_name; -- args[4] = NULL; -- safe_system (args[0], args, NULL, 1); -+ if (Zflg) { -+ if (is_selinux_enabled () > 0) { -+ const char *args[5]; -+ args[0] = "/usr/sbin/semanage"; -+ args[1] = "login"; -+ args[2] = "-d"; -+ args[3] = user_name; -+ args[4] = NULL; -+ safe_system (args[0], args, NULL, 1); -+ } - } - #endif - -diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c ---- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100 -+++ shadow-4.1.4.3/src/usermod.c 2011-08-02 12:57:47.989838125 +0200 -@@ -82,6 +82,9 @@ - #define E_GRP_UPDATE 10 /* can't update group file */ - /* #define E_NOSPACE 11 insufficient space to move 
home dir */ - #define E_HOMEDIR 12 /* unable to complete home dir move */ -+#define E_SE_UPDATE 13 /* can't update SELinux user mapping */ -+ -+ - #define VALID(s) (strcspn (s, ":\n") == strlen (s)) - /* - * Global variables -@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); --#ifdef WITH_SELINUX --static void selinux_update_mapping (void); --#endif - - static void new_spent (struct spwd *); - static void fail_exit (int); -@@ -1785,8 +1785,32 @@ int main (int argc, char **argv) - nscd_flush_cache ("group"); - - #ifdef WITH_SELINUX -- if (Zflg) { -- selinux_update_mapping (); -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ const char *argv[7]; -+ -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-m"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system (argv[0], argv, NULL, 1)) { -+ argv[2] = "-a"; -+ if (safe_system (argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+ #ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "modifying User mapping ", -+ user_name, (unsigned int) user_id, 0); -+ #endif -+ fail_exit (E_SE_UPDATE); -+ } -+ } -+ } - } - #endif - -@@ -1816,34 +1840,3 @@ int main (int argc, char **argv) - return E_SUCCESS; - } - --#ifdef WITH_SELINUX --static void selinux_update_mapping (void) { -- const char *argv[7]; -- -- if (is_selinux_enabled () <= 0) return; -- -- if (*user_selinux) { -- argv[0] = "/usr/sbin/semanage"; -- argv[1] = "login"; -- argv[2] = "-m"; -- argv[3] = "-s"; -- argv[4] = user_selinux; -- argv[5] = user_name; -- argv[6] = NULL; -- if (safe_system (argv[0], argv, NULL, 1)) { -- argv[2] = "-a"; -- if (safe_system (argv[0], argv, NULL, 0)) { -- fprintf (stderr, -- _("%s: warning: the user name %s to %s 
SELinux user mapping failed.\n"), -- Prog, user_name, user_selinux); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "modifying User mapping ", -- user_name, (unsigned int) user_id, 0); --#endif -- } -- } -- } --} --#endif -- diff --git a/shadow-4.1.4.3-goodname.patch b/shadow-4.1.5-goodname.patch similarity index 71% rename from shadow-4.1.4.3-goodname.patch rename to shadow-4.1.5-goodname.patch index 7e1ba24..81f27b0 100644 --- a/shadow-4.1.4.3-goodname.patch +++ b/shadow-4.1.5-goodname.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.1.4.3/libmisc/chkname.c.goodname shadow-4.1.4.3/libmisc/chkname.c ---- shadow-4.1.4.3/libmisc/chkname.c.goodname 2011-02-13 18:58:11.000000000 +0100 -+++ shadow-4.1.4.3/libmisc/chkname.c 2011-05-18 20:38:50.639341048 +0200 +diff -up shadow-4.1.5/libmisc/chkname.c.goodname shadow-4.1.5/libmisc/chkname.c +--- shadow-4.1.5/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200 ++++ shadow-4.1.5/libmisc/chkname.c 2012-03-19 09:52:12.910605026 +0100 @@ -49,20 +49,28 @@ static bool is_valid_name (const char *name) { 
@@ -40,24 +40,24 @@ diff -up shadow-4.1.4.3/libmisc/chkname.c.goodname shadow-4.1.4.3/libmisc/chknam return false; } } -diff -up shadow-4.1.4.3/man/groupadd.8.goodname shadow-4.1.4.3/man/groupadd.8 ---- shadow-4.1.4.3/man/groupadd.8.goodname 2011-02-16 00:12:34.000000000 +0100 -+++ shadow-4.1.4.3/man/groupadd.8 2011-05-18 20:42:53.204324534 +0200 -@@ -162,9 +162,7 @@ Shadow password suite configuration\&. +diff -up shadow-4.1.5/man/groupadd.8.goodname shadow-4.1.5/man/groupadd.8 +--- shadow-4.1.5/man/groupadd.8.goodname 2012-02-12 22:27:42.000000000 +0100 ++++ shadow-4.1.5/man/groupadd.8 2012-03-19 09:56:17.113723732 +0100 +@@ -181,9 +181,7 @@ Shadow password suite configuration\&. .RE .SH "CAVEATS" .PP -Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? -.PP --Groupnames may only be up to characters long\&. +-Groupnames may only be up to 16 characters long\&. +Groupnames may only be up to 32 characters long\&. .PP You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. .PP -diff -up shadow-4.1.4.3/man/useradd.8.goodname shadow-4.1.4.3/man/useradd.8 ---- shadow-4.1.4.3/man/useradd.8.goodname 2011-05-18 20:38:50.635376546 +0200 -+++ shadow-4.1.4.3/man/useradd.8 2011-05-18 20:38:50.641332694 +0200 -@@ -414,8 +414,6 @@ Similarly, if the username already exist +diff -up shadow-4.1.5/man/useradd.8.goodname shadow-4.1.5/man/useradd.8 +--- shadow-4.1.5/man/useradd.8.goodname 2012-02-12 22:28:02.000000000 +0100 ++++ shadow-4.1.5/man/useradd.8 2012-03-19 09:52:12.911605018 +0100 +@@ -421,8 +421,6 @@ Similarly, if the username already exist \fBuseradd\fR will deny the user account creation request\&. .PP diff --git a/shadow-4.1.5-grremove.patch b/shadow-4.1.5-grremove.patch new file mode 100644 index 0000000..09e673a --- /dev/null +++ b/shadow-4.1.5-grremove.patch 
@@ -0,0 +1,45 @@ +diff -up shadow-4.1.5/src/userdel.c.grremove shadow-4.1.5/src/userdel.c +--- shadow-4.1.5/src/userdel.c.grremove 2012-03-20 12:19:13.260854838 +0100 ++++ shadow-4.1.5/src/userdel.c 2012-03-20 12:38:26.235622957 +0100 +@@ -333,22 +333,22 @@ static void remove_usergroup (void) + * We can remove this group, it is not the primary + * group of any remaining user. + */ +- if (gr_remove (grp->gr_name) == 0) { ++ if (gr_remove (user_name) == 0) { + fprintf (stderr, + _("%s: cannot remove entry '%s' from %s\n"), +- Prog, grp->gr_name, gr_dbname ()); ++ Prog, user_name, gr_dbname ()); + fail_exit (E_GRP_UPDATE); + } + + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_GROUP, Prog, + "deleting group", +- grp->gr_name, AUDIT_NO_ID, ++ user_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, + "removed group '%s' owned by '%s'\n", +- grp->gr_name, user_name)); ++ user_name, user_name)); + + #ifdef SHADOWGRP + if (sgr_locate (user_name) != NULL) { +@@ -361,12 +361,12 @@ static void remove_usergroup (void) + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_GROUP, Prog, + "deleting shadow group", +- grp->gr_name, AUDIT_NO_ID, ++ user_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, + "removed shadow group '%s' owned by '%s'\n", +- grp->gr_name, user_name)); ++ user_name, user_name)); + + } + #endif /* SHADOWGRP */ diff --git a/shadow-4.1.5-man.patch b/shadow-4.1.5-man.patch new file mode 100644 index 0000000..f0fa089 --- /dev/null +++ b/shadow-4.1.5-man.patch 
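Review bot: Every `grp->gr_name` in remove_usergroup is replaced by `user_name`, which is only correct if the group being removed is guaranteed to carry the user's login name; the lookup that establishes that invariant lies outside the hunk (remove_usergroup starts and ends outside it), so it should be stated at the first replacement, e.g. `/* the user-private group is keyed by user_name; do not read the name back through grp, whose storage may not survive the user scan above */` — the second half presumes the scan implied by the preceding "not the primary group of any remaining user" comment goes through NSS, so confirm before keeping it. The SYSLOG call now logs `user_name` twice in `"removed group '%s' owned by '%s'\n"`, which is harmless but reads as a copy-paste slip; if name and owner are identical by construction, a single-argument message would be clearer and would make the audit line and the syslog line agree on what was removed.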
@@ -0,0 +1,12 @@ +diff -up shadow-4.1.5/man/useradd.8.man shadow-4.1.5/man/useradd.8 +--- shadow-4.1.5/man/useradd.8.man 2012-03-19 13:06:48.000000000 +0100 ++++ shadow-4.1.5/man/useradd.8 2012-03-19 13:07:44.540169270 +0100 +@@ -215,7 +215,7 @@ is not enabled, no home directories are + .PP + \fB\-M\fR + .RS 4 +-Do no create the user\*(Aqs home directory, even if the system wide setting from ++Do not create the user\*(Aqs home directory, even if the system wide setting from + /etc/login\&.defs + (\fBCREATE_HOME\fR) is set to + \fIyes\fR\&. diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.1.5-redhat.patch new file mode 100644 index 0000000..a785b29 --- /dev/null +++ b/shadow-4.1.5-redhat.patch 
@@ -0,0 +1,42 @@ +diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8 +diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c +--- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100 ++++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100 +@@ -93,7 +93,7 @@ const char *Prog; + static gid_t def_group = 100; + static const char *def_gname = "other"; + static const char *def_home = "/home"; +-static const char *def_shell = ""; ++static const char *def_shell = "/sbin/nologin"; + static const char *def_template = SKEL_DIR; + static const char *def_create_mail_spool = "no"; + +@@ -103,7 +103,7 @@ static const char *def_expire = ""; + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + + static const char *user_name = ""; +-static const char *user_pass = "!"; ++static const char *user_pass = "!!"; + static uid_t user_id; + static gid_t user_gid; + static const char *user_comment = ""; +@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha + }; + while ((c = getopt_long (argc, argv, + #ifdef WITH_SELINUX +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:", + #else /* !WITH_SELINUX */ +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U", + #endif /* !WITH_SELINUX */ + long_options, NULL)) != -1) { + switch (c) { +@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha + case 'M': + Mflg = true; + break; ++ case 'n': + case 'N': + Nflg = true; + break; diff --git a/shadow-4.1.4.3-uflg.patch b/shadow-4.1.5-uflg.patch similarity index 52% rename from shadow-4.1.4.3-uflg.patch rename to shadow-4.1.5-uflg.patch index 1c9f58f..f72bca3 100644 --- a/shadow-4.1.4.3-uflg.patch +++ b/shadow-4.1.5-uflg.patch 
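Review bot: The first line of the new patch, `+diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8`, is a file header with no `---`/`+++` lines or hunk behind it; patch(1) will skip it, but it leaves a dangling reference to a man-page change that is not in the patch and should either be dropped or have its hunk restored if it was meant to document the new defaults. Those defaults are silent behavior changes in useradd.c — `def_shell` becomes `"/sbin/nologin"` and `user_pass` becomes `"!!"` — and each deserves a one-line comment, e.g. `/* downstream default: no login shell unless -s is given */` and `/* "!!" is conventionally the never-set/locked password marker, so the account cannot authenticate until a password is assigned */`, since a reader of the source otherwise cannot tell these are distribution choices rather than upstream ones. The `case 'n':` label stacked on `case 'N':` is plain label sharing and needs no fallthrough annotation.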
@@ -1,16 +1,16 @@ -diff -up shadow-4.1.4.3/libmisc/find_new_gid.c.uflg shadow-4.1.4.3/libmisc/find_new_gid.c ---- shadow-4.1.4.3/libmisc/find_new_gid.c.uflg 2011-05-20 21:18:24.474018778 +0200 -+++ shadow-4.1.4.3/libmisc/find_new_gid.c 2011-05-20 21:18:43.178018729 +0200 -@@ -61,7 +61,7 @@ int find_new_gid (bool sys_group, - gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); - gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); +diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c +--- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200 ++++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100 +@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group, + return -1; + } } else { - gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); + gid_min = (gid_t) 1; gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - } -@@ -80,6 +80,10 @@ int find_new_gid (bool sys_group, + if (gid_max < gid_min) { +@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group, return 0; } diff --git a/shadow-utils.spec b/shadow-utils.spec index e1c6054..11c5f0e 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,29 +1,18 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.4.3 -Release: 14%{?dist} +Version: 4.1.5 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 Source1: shadow-utils.login.defs Source2: shadow-utils.useradd -Patch0: shadow-4.1.4.2-redhat.patch -Patch1: shadow-4.1.4.3-goodname.patch -Patch2: shadow-4.1.4.2-leak.patch -Patch3: shadow-4.1.4.2-fixes.patch -Patch4: shadow-4.1.4.2-infoParentDir.patch -Patch5: shadow-4.1.4.3-semange.patch -Patch6: shadow-4.1.4.2-acl.patch -Patch7: shadow-4.1.4.2-underflow.patch -Patch8: shadow-4.1.4.3-uflg.patch -Patch9: shadow-4.1.4.2-gshadow.patch -Patch10: shadow-4.1.4.3-nopam.patch -Patch11: shadow-4.1.4.3-IDs.patch -#696213 #674878 #739147 -Patch12: shadow-4.1.4.3-man.patch -#749205 -Patch13: shadow-4.1.4.3-libsemanage.patch -Patch14: shadow-4.1.4.3-selinux.patch +Patch0: shadow-4.1.5-redhat.patch +Patch1: shadow-4.1.5-goodname.patch +Patch2: shadow-4.1.4.2-infoParentDir.patch +Patch3: shadow-4.1.5-uflg.patch +Patch4: shadow-4.1.5-man.patch +Patch5: shadow-4.1.5-grremove.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -54,19 +43,11 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname -%patch2 -p1 -b .leak -%patch3 -p1 -b .fixes -%patch4 -p1 -b .infoParentDir -%patch5 -p1 -b .semange -%patch6 -p1 -b .acl -%patch7 -p1 -b .underflow -%patch8 -p1 -b .uflg -%patch9 -p1 -b .gshadow -%patch10 -p1 -b .nopam -%patch11 -p1 -b .IDs -%patch12 -p1 -b .man -%patch13 -p1 -b .libsemanage -%patch14 -p1 -b .selinux +%patch2 -p1 -b .infoParentDir +%patch3 -p1 -b .uflg +%patch4 -p1 -b .man +%patch5 -p1 -b .grremove + iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
@@ -176,23 +157,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do echo "%%lang($lang) $dir/man*/*" >> shadow.lang done -# Make sure old configuration files specifying UID_MIN=500 are not overwritten -# on upgrades. Remove the scriptlets after upgrades from Fedora 15 are no -# longer supported. -%pre -if [ "$1" -gt 1 ]; then - hash=$(md5sum %{_sysconfdir}/login.defs | cut -d ' ' -f 1) - if [ "$hash" = 111354806cbbee33a73fa4d538055510 ]; then - cp -a %{_sysconfdir}/login.defs{,.rpm-saved-in-pre} - fi -fi - -%post -if [ -e %{_sysconfdir}/login.defs.rpm-saved-in-pre ]; then - mv %{_sysconfdir}/login.defs{,.rpmnew} - mv %{_sysconfdir}/login.defs{.rpm-saved-in-pre,} -fi - %clean rm -rf $RPM_BUILD_ROOT @@ -238,6 +202,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Mar 19 2012 Peter Vrabec - 2:4.1.5-1 +- upgrade + * Tue Feb 07 2012 Peter Vrabec - 2:4.1.4.3-14 - compile with PIE and RELRO flags (#784349) diff --git a/sources b/sources index d82ed7b..0afb6c5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b8608d8294ac88974f27b20f991c0e79 shadow-4.1.4.3.tar.bz2 +d5f7a588fadb79faeb4b08b1eee82e9a shadow-4.1.5.tar.bz2 From 8994f4c05c66aa363cf443dbc69a8b60025965b2 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 22 Mar 2012 16:51:40 +0100 Subject: [PATCH 076/151] - fix selinux context handling - reset selinux context on files copied from skel --- shadow-4.1.5-selinux.patch | 41 ++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 8 +++++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5-selinux.patch diff --git a/shadow-4.1.5-selinux.patch b/shadow-4.1.5-selinux.patch new file mode 100644 index 0000000..d138e58 --- /dev/null +++ b/shadow-4.1.5-selinux.patch 
@@ -0,0 +1,41 @@ +diff -up shadow-4.1.5/lib/commonio.c.selinux shadow-4.1.5/lib/commonio.c +--- shadow-4.1.5/lib/commonio.c.selinux 2011-12-09 23:23:16.000000000 +0100 ++++ shadow-4.1.5/lib/commonio.c 2012-03-22 16:42:00.952464092 +0100 +@@ -977,6 +977,12 @@ int commonio_close (struct commonio_db * + + snprintf (buf, sizeof buf, "%s+", db->filename); + ++#ifdef WITH_SELINUX ++ if (set_selinux_file_context (buf) != 0) { ++ errors++; ++ } ++#endif ++ + db->fp = fopen_set_perms (buf, "w", &sb); + if (NULL == db->fp) { + goto fail; +@@ -1011,6 +1017,12 @@ int commonio_close (struct commonio_db * + goto fail; + } + ++#ifdef WITH_SELINUX ++ if (reset_selinux_file_context () != 0) { ++ goto fail; ++ } ++#endif ++ + nscd_need_reload = true; + goto success; + fail: +diff -up shadow-4.1.5/src/useradd.c.selinux shadow-4.1.5/src/useradd.c +--- shadow-4.1.5/src/useradd.c.selinux 2012-03-22 16:46:11.007377548 +0100 ++++ shadow-4.1.5/src/useradd.c 2012-03-22 16:46:35.037251897 +0100 +@@ -2040,7 +2040,7 @@ int main (int argc, char **argv) + if (mflg) { + create_home (); + if (home_added) { +- copy_tree (def_template, user_home, false, false, ++ copy_tree (def_template, user_home, false, true, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, diff --git a/shadow-utils.spec b/shadow-utils.spec index 11c5f0e..269fb40 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -13,6 +13,7 @@ Patch2: shadow-4.1.4.2-infoParentDir.patch Patch3: shadow-4.1.5-uflg.patch Patch4: shadow-4.1.5-man.patch Patch5: shadow-4.1.5-grremove.patch +Patch6: shadow-4.1.5-selinux.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 
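Review bot: In the commonio_close part of the new patch the two SELinux calls fail differently: a failing `set_selinux_file_context (buf)` only increments `errors` and the `+` temporary file is still created under whatever creation context is in effect, while a failing `reset_selinux_file_context ()` goes straight to `fail`. Unless `errors` is acted on before the database is written (that code is outside the hunk), the file can be rewritten with the wrong label and the call still reports success; `if (set_selinux_file_context (buf) != 0) { goto fail; }` would match the handling of the reset. The reset is also only on the success path, so the process-wide creation context set above presumably stays in effect when a later step jumps to `fail:`, which is worth either a reset there or a comment saying why that is acceptable. commonio_close starts and ends outside the hunk.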
@@ -47,6 +48,7 @@ are used for managing group accounts. %patch3 -p1 -b .uflg %patch4 -p1 -b .man %patch5 -p1 -b .grremove +%patch6 -p1 -b .selinux iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 @@ -202,6 +204,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Mar 22 2012 Peter Vrabec - 2:4.1.5-2 +- fix selinux context handling +- reset selinux context on files copied from skel + * Mon Mar 19 2012 Peter Vrabec - 2:4.1.5-1 - upgrade From 8cd7b2fcb7fb397ba0bebebdc5e25c4f0afa1cc0 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 18 Jun 2012 13:38:31 +0200 Subject: [PATCH 077/151] pwconv/grpconv skipped 2nd of consecutive failures (#832995) --- shadow-4.1.5-2ndskip.patch | 100 +++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 ++- 2 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5-2ndskip.patch diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch new file mode 100644 index 0000000..8a9cf68 --- /dev/null +++ b/shadow-4.1.5-2ndskip.patch 
@@ -0,0 +1,100 @@ +diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c +--- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200 ++++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200 +@@ -143,6 +143,7 @@ int main (int argc, char **argv) + struct group grent; + const struct sgrp *sg; + struct sgrp sgent; ++ char *np; + + Prog = Basename (argv[0]); + +@@ -184,20 +185,25 @@ int main (int argc, char **argv) + * Remove /etc/gshadow entries for groups not in /etc/group. + */ + (void) sgr_rewind (); +- while ((sg = sgr_next ()) != NULL) { +- if (gr_locate (sg->sg_name) != NULL) { +- continue; +- } +- +- if (sgr_remove (sg->sg_name) == 0) { +- /* +- * This shouldn't happen (the entry exists) but... +- */ +- fprintf (stderr, +- _("%s: cannot remove entry '%s' from %s\n"), +- Prog, sg->sg_name, sgr_dbname ()); +- fail_exit (3); ++ sg = sgr_next (); ++ np=NULL; ++ while (sg != NULL) { ++ np = strdup(sg->sg_name); ++ sg = sgr_next (); ++ ++ if(gr_locate (np) == NULL) { ++ if (sgr_remove (np) == 0) { ++ /* ++ * This shouldn't happen (the entry exists) but... ++ */ ++ fprintf (stderr, ++ _("%s: cannot remove entry '%s' from %s\n"), ++ Prog, np, sgr_dbname ()); ++ free(np); ++ fail_exit (3); ++ } + } ++ free(np); + } + + /* +diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c +--- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200 ++++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200 +@@ -173,6 +173,7 @@ int main (int argc, char **argv) + struct passwd pwent; + const struct spwd *sp; + struct spwd spent; ++ char *np; + + Prog = Basename (argv[0]); + +@@ -223,20 +224,25 @@ int main (int argc, char **argv) + * Remove /etc/shadow entries for users not in /etc/passwd. 
+ */ + (void) spw_rewind (); +- while ((sp = spw_next ()) != NULL) { +- if (pw_locate (sp->sp_namp) != NULL) { +- continue; +- } +- +- if (spw_remove (sp->sp_namp) == 0) { +- /* +- * This shouldn't happen (the entry exists) but... +- */ +- fprintf (stderr, +- _("%s: cannot remove entry '%s' from %s\n"), +- Prog, sp->sp_namp, spw_dbname ()); +- fail_exit (E_FAILURE); ++ sp = spw_next (); ++ np = NULL; ++ while (sp != NULL) { ++ np = strdup(sp->sp_namp); ++ sp = spw_next (); ++ ++ if (pw_locate (np) == NULL) { ++ if (spw_remove (np) == 0) { ++ /* ++ * This shouldn't happen (the entry exists) but... ++ */ ++ fprintf (stderr, ++ _("%s: cannot remove entry '%s' from %s\n"), ++ Prog, np, spw_dbname ()); ++ free(np); ++ fail_exit (E_FAILURE); ++ } + } ++ free(np); + } + + /* diff --git a/shadow-utils.spec b/shadow-utils.spec index 269fb40..9106674 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -14,6 +14,7 @@ Patch3: shadow-4.1.5-uflg.patch Patch4: shadow-4.1.5-man.patch Patch5: shadow-4.1.5-grremove.patch Patch6: shadow-4.1.5-selinux.patch +Patch7: shadow-4.1.5-2ndskip.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -49,6 +50,7 @@ are used for managing group accounts. %patch4 -p1 -b .man %patch5 -p1 -b .grremove %patch6 -p1 -b .selinux +%patch7 -p1 -b .2ndskip iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 @@ -204,6 +206,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 18 2012 Peter Vrabec - 2:4.1.5-3 +- pwconv/grpconv skipped 2nd of consecutive failures (#832995) + * Wed Mar 22 2012 Peter Vrabec - 2:4.1.5-2 - fix selinux context handling - reset selinux context on files copied from skel 
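Review bot: The result of the new `np = strdup(sg->sg_name);` is never checked, so on allocation failure gr_locate and sgr_remove would be handed a NULL name; the pwconv.c part of the same patch has the identical pattern with `sp->sp_namp`. A check right after the copy, `if (NULL == np) { fail_exit (3); }` (E_FAILURE in pwconv.c), keeps the failure explicit and matches the error style of the surrounding code. The `np=NULL;` assignment before each loop is dead, since np is reassigned on every iteration before it is read. Both main () bodies start and end outside the hunk.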
From 3481ee2a8f2d842420ffa9ee85e558baca563593 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sat, 21 Jul 2012 14:29:08 -0500 Subject: [PATCH 078/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 9106674..7449e6b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -206,6 +206,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sat Jul 21 2012 Fedora Release Engineering - 2:4.1.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + * Mon Jun 18 2012 Peter Vrabec - 2:4.1.5-3 - pwconv/grpconv skipped 2nd of consecutive failures (#832995) From cae35b95ab2c443b103ca0c47b16a2471038b7a0 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 25 Jul 2012 12:44:17 +0200 Subject: [PATCH 079/151] make /etc/default/useradd world-readable (#835137) --- shadow-utils.spec | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 7449e6b..761ac88 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,11 +1,11 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 -Source1: shadow-utils.login.defs +Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Patch0: shadow-4.1.5-redhat.patch Patch1: shadow-4.1.5-goodname.patch 
@@ -169,7 +169,7 @@ rm -rf $RPM_BUILD_ROOT %doc NEWS doc/HOWTO README %dir %{_sysconfdir}/default %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/default/useradd +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %{_bindir}/sg %{_bindir}/chage %{_bindir}/gpasswd @@ -206,6 +206,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Jul 25 2012 Peter Vrabec - 2:4.1.5-5 +- make /etc/default/useradd world-readable (#835137) + * Sat Jul 21 2012 Fedora Release Engineering - 2:4.1.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild @@ -229,7 +232,7 @@ rm -rf $RPM_BUILD_ROOT - fix leaks in .IDs patch (#734340) * Wed Nov 16 2011 Peter Vrabec - 2:4.1.4.3-11 -- free memory associated with SELinux security contexts +- free memory associated with SELinux security contexts * Wed Nov 09 2011 Peter Vrabec - 2:4.1.4.3-10 - replace semanage call by library call @@ -267,7 +270,7 @@ rm -rf $RPM_BUILD_ROOT - fix find_new_uid/gid for big UID/GID_MAX * Wed Feb 09 2011 Peter Vrabec - 2:4.1.4.2-11 -- useradd man page (-m option) +- useradd man page (-m option) - create home directory on fs with noacl - remove faillog app (pam_tally.so is no longer shipped) Resolves: #523265, #622320 @@ -278,7 +281,7 @@ rm -rf $RPM_BUILD_ROOT Resolves: #674234 * Wed Jan 05 2011 Peter Vrabec - 2:4.1.4.2-9 -- fix gshadow functions from shadow utils +- fix gshadow functions from shadow utils - make shadow utils use gshadow functions from glibc Resolves: #665780 @@ -291,8 +294,8 @@ rm -rf $RPM_BUILD_ROOT - use preferred GID for reserved static IDs * Thu Apr 29 2010 Peter Vrabec - 2:4.1.4.2-6 -- preserve ACL's on files in /etc/skel - Resolves: #513055 +- preserve ACL's on files in /etc/skel + Resolves: #513055 * Wed Apr 28 2010 Peter Vrabec - 2:4.1.4.2-5 - newusers man page more informative 
@@ -444,7 +447,7 @@ rm -rf $RPM_BUILD_ROOT * Wed Feb 28 2007 Peter Vrabec 2:4.0.18.1-10 - spec file fixes to meet fedora standarts. -- fix useless call of restorecon(). (#222159) +- fix useless call of restorecon(). (#222159) * Sun Jan 14 2007 Peter Vrabec 2:4.0.18.1-9 - fix append option in usermod (#222540). @@ -471,7 +474,7 @@ rm -rf $RPM_BUILD_ROOT * Fri Nov 03 2006 Peter Vrabec 2:4.0.18.1-2 - improve audit logging (#211659) - improve "-l" option. Do not reset faillog if it's used (#213450). - + * Wed Nov 01 2006 Peter Vrabec 2:4.0.18.1-1 - upgrade @@ -479,7 +482,7 @@ rm -rf $RPM_BUILD_ROOT - add dist-tag * Wed Oct 04 2006 Peter Vrabec 2:4.0.17-6 -- fix regression. Permissions on user* group* binaries +- fix regression. Permissions on user* group* binaries should be 0750, because of CAPP/LSPP certification - fix groupdel man page @@ -564,7 +567,7 @@ rm -rf $RPM_BUILD_ROOT - audit support * Sat Aug 27 2005 Peter Vrabec 2:4.0.12-1 -- upgrade +- upgrade * Sat Aug 13 2005 Dan Walsh 2:4.0.11.1-5 - Change to use new selinux api for selinux_check_passwd_access @@ -578,11 +581,11 @@ rm -rf $RPM_BUILD_ROOT - fix useradd man page(#97131) * Mon Aug 08 2005 Peter Vrabec 2:4.0.11.1-2 -- do not copy files from skel directory if home directory +- do not copy files from skel directory if home directory already exist (#89591,#80242) * Fri Aug 05 2005 Peter Vrabec 2:4.0.11.1-1 -- upgrade +- upgrade * Mon May 23 2005 Peter Vrabec 2:4.0.7-9 - remove vigr binary 
@@ -597,13 +600,13 @@ rm -rf $RPM_BUILD_ROOT - fix chage -l option (#109499, #137498) * Mon Apr 04 2005 Peter Vrabec 2:4.0.7-5 -- fix memory leak, and CPU spinning when grp_update() and +- fix memory leak, and CPU spinning when grp_update() and duplicate group entries in /etc/group (#151484) * Mon Mar 29 2005 Peter Vrabec 2:4.0.7-4 - use newgrp binary - newgrp don't ask for password if user's default GID = group ID, - ask for password if there is some in /etc/gshadow + ask for password if there is some in /etc/gshadow and in /etc/group is 'x' (#149997) * Mon Mar 14 2005 Peter Vrabec @@ -893,7 +896,7 @@ rm -rf $RPM_BUILD_ROOT * Tue Mar 23 1999 Preston Brown - edit out unused CHFN fields from login.defs. -* Sun Mar 21 1999 Cristian Gafton +* Sun Mar 21 1999 Cristian Gafton - auto rebuild in the new build environment (release 7) * Wed Jan 13 1999 Bill Nottingham From 44a40b2f4ee043be419a9843e5ecfea98922a43d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 19 Sep 2012 20:33:30 +0200 Subject: [PATCH 080/151] new upstream version - use the original file permissions when creating backup (#853102) --- .gitignore | 2 + shadow-4.1.5-goodname.patch | 68 ---------- shadow-4.1.5-man.patch | 12 -- shadow-4.1.5-selinux.patch | 41 ------ shadow-4.1.5.1-backup-mode.patch | 20 +++ shadow-4.1.5.1-goodname.patch | 118 ++++++++++++++++++ ...ch => shadow-4.1.5.1-info-parent-dir.patch | 16 +-- shadow-4.1.5.1-selinux.patch | 12 ++ shadow-utils.spec | 24 ++-- sources | 3 +- 10 files changed, 175 insertions(+), 141 deletions(-) delete mode 100644 shadow-4.1.5-goodname.patch delete mode 100644 shadow-4.1.5-man.patch delete mode 100644 shadow-4.1.5-selinux.patch create mode 100644 shadow-4.1.5.1-backup-mode.patch create mode 100644 shadow-4.1.5.1-goodname.patch rename shadow-4.1.4.2-infoParentDir.patch => shadow-4.1.5.1-info-parent-dir.patch (75%) create mode 100644 shadow-4.1.5.1-selinux.patch diff --git a/.gitignore b/.gitignore index 5e224dd..f5997c1 100644 --- a/.gitignore 
+++ b/.gitignore @@ -1,3 +1,5 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.4.3.tar.bz2 /shadow-4.1.5.tar.bz2 +/shadow-4.1.5.1.tar.bz2 +/shadow-4.1.5.1.tar.bz2.sig diff --git a/shadow-4.1.5-goodname.patch b/shadow-4.1.5-goodname.patch deleted file mode 100644 index 81f27b0..0000000 --- a/shadow-4.1.5-goodname.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -diff -up shadow-4.1.5/libmisc/chkname.c.goodname shadow-4.1.5/libmisc/chkname.c ---- shadow-4.1.5/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200 -+++ shadow-4.1.5/libmisc/chkname.c 2012-03-19 09:52:12.910605026 +0100 -@@ -49,20 +49,28 @@ - static bool is_valid_name (const char *name) - { - /* -- * User/group names must match [a-z_][a-z0-9_-]*[$] -- */ -- if (('\0' == *name) || -- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { -+ * User/group names must match gnu e-regex: -+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? -+ * -+ * as a non-POSIX, extension, allow "$" as the last char for -+ * sake of Samba 3.x "add machine script" -+ */ -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { - return false; - } - - while ('\0' != *++name) { -- if (!(( ('a' <= *name) && ('z' >= *name) ) || -- ( ('0' <= *name) && ('9' >= *name) ) || -- ('_' == *name) || -- ('-' == *name) || -- ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { - return false; - } - } -diff -up shadow-4.1.5/man/groupadd.8.goodname shadow-4.1.5/man/groupadd.8 ---- shadow-4.1.5/man/groupadd.8.goodname 2012-02-12 22:27:42.000000000 +0100 -+++ shadow-4.1.5/man/groupadd.8 2012-03-19 09:56:17.113723732 +0100 -@@ -181,9 +181,7 @@ Shadow password suite configuration\&. - .RE - .SH "CAVEATS" - .PP --Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? --.PP --Groupnames may only be up to 16 characters long\&. 
-+Groupnames may only be up to 32 characters long\&. - .PP - You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. - .PP -diff -up shadow-4.1.5/man/useradd.8.goodname shadow-4.1.5/man/useradd.8 ---- shadow-4.1.5/man/useradd.8.goodname 2012-02-12 22:28:02.000000000 +0100 -+++ shadow-4.1.5/man/useradd.8 2012-03-19 09:52:12.911605018 +0100 -@@ -421,8 +421,6 @@ Similarly, if the username already exist - \fBuseradd\fR - will deny the user account creation request\&. - .PP --Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? --.PP - Usernames may only be up to 32 characters long\&. - .SH "CONFIGURATION" - .PP diff --git a/shadow-4.1.5-man.patch b/shadow-4.1.5-man.patch deleted file mode 100644 index f0fa089..0000000 --- a/shadow-4.1.5-man.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up shadow-4.1.5/man/useradd.8.man shadow-4.1.5/man/useradd.8 ---- shadow-4.1.5/man/useradd.8.man 2012-03-19 13:06:48.000000000 +0100 -+++ shadow-4.1.5/man/useradd.8 2012-03-19 13:07:44.540169270 +0100 -@@ -215,7 +215,7 @@ is not enabled, no home directories are - .PP - \fB\-M\fR - .RS 4 --Do no create the user\*(Aqs home directory, even if the system wide setting from -+Do not create the user\*(Aqs home directory, even if the system wide setting from - /etc/login\&.defs - (\fBCREATE_HOME\fR) is set to - \fIyes\fR\&. diff --git a/shadow-4.1.5-selinux.patch b/shadow-4.1.5-selinux.patch deleted file mode 100644 index d138e58..0000000 --- a/shadow-4.1.5-selinux.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -diff -up shadow-4.1.5/lib/commonio.c.selinux shadow-4.1.5/lib/commonio.c ---- shadow-4.1.5/lib/commonio.c.selinux 2011-12-09 23:23:16.000000000 +0100 -+++ shadow-4.1.5/lib/commonio.c 2012-03-22 16:42:00.952464092 +0100 -@@ -977,6 +977,12 @@ int commonio_close (struct commonio_db * - - snprintf (buf, sizeof buf, "%s+", db->filename); - -+#ifdef WITH_SELINUX -+ if (set_selinux_file_context (buf) != 0) { -+ errors++; -+ } -+#endif -+ - db->fp = fopen_set_perms (buf, "w", &sb); - if (NULL == db->fp) { - goto fail; -@@ -1011,6 +1017,12 @@ int commonio_close (struct commonio_db * - goto fail; - } - -+#ifdef WITH_SELINUX -+ if (reset_selinux_file_context () != 0) { -+ goto fail; -+ } -+#endif -+ - nscd_need_reload = true; - goto success; - fail: -diff -up shadow-4.1.5/src/useradd.c.selinux shadow-4.1.5/src/useradd.c ---- shadow-4.1.5/src/useradd.c.selinux 2012-03-22 16:46:11.007377548 +0100 -+++ shadow-4.1.5/src/useradd.c 2012-03-22 16:46:35.037251897 +0100 -@@ -2040,7 +2040,7 @@ int main (int argc, char **argv) - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, -+ copy_tree (def_template, user_home, false, true, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, diff --git a/shadow-4.1.5.1-backup-mode.patch b/shadow-4.1.5.1-backup-mode.patch new file mode 100644 index 0000000..7366b86 --- /dev/null +++ b/shadow-4.1.5.1-backup-mode.patch 
@@ -0,0 +1,20 @@ +diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c +--- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 ++++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 +@@ -301,15 +301,12 @@ static int create_backup (const char *ba + struct utimbuf ub; + FILE *bkfp; + int c; +- mode_t mask; + + if (fstat (fileno (fp), &sb) != 0) { + return -1; + } + +- mask = umask (077); +- bkfp = fopen (backup, "w"); +- (void) umask (mask); ++ bkfp = fopen_set_perms (backup, "w", &sb); + if (NULL == bkfp) { + return -1; + } diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.1.5.1-goodname.patch new file mode 100644 index 0000000..1fdd84f --- /dev/null +++ b/shadow-4.1.5.1-goodname.patch 
@@ -0,0 +1,118 @@ +diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c +--- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/chkname.c 2012-09-19 18:43:53.492160653 +0200 +@@ -49,20 +49,28 @@ + static bool is_valid_name (const char *name) + { + /* +- * User/group names must match [a-z_][a-z0-9_-]*[$] +- */ +- if (('\0' == *name) || +- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { ++ * User/group names must match gnu e-regex: ++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? ++ * ++ * as a non-POSIX, extension, allow "$" as the last char for ++ * sake of Samba 3.x "add machine script" ++ */ ++ if ( ('\0' == *name) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') ++ )) { + return false; + } + + while ('\0' != *++name) { +- if (!(( ('a' <= *name) && ('z' >= *name) ) || +- ( ('0' <= *name) && ('9' >= *name) ) || +- ('_' == *name) || +- ('-' == *name) || +- ( ('$' == *name) && ('\0' == *(name + 1)) ) +- )) { ++ if (!( (*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') || (*name == '-') || ++ (*name == '$' && *(name + 1) == '\0') ++ )) { + return false; + } + } +diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml +--- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 ++++ shadow-4.1.5.1/man/groupadd.8.xml 2012-09-19 18:43:53.492160653 +0200 +@@ -259,12 +259,6 @@ + + CAVEATS + +- Groupnames must start with a lower case letter or an underscore, +- followed by lower case letters, digits, underscores, or dashes. +- They can end with a dollar sign. +- In regular expression terms: [a-z_][a-z0-9_-]*[$]? +- +- + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. 
+ + +diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/groupadd.8 +--- shadow-4.1.5.1/man/man8/groupadd.8.goodname 2012-05-25 13:58:40.000000000 +0200 ++++ shadow-4.1.5.1/man/man8/groupadd.8 2012-09-19 18:44:42.175123079 +0200 +@@ -190,9 +190,7 @@ Shadow password suite configuration\&. + .RE + .SH "CAVEATS" + .PP +-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-.PP +-Groupnames may only be up to 16 characters long\&. ++Groupnames may only be up to 32 characters long\&. + .PP + You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. + .PP +diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/useradd.8 +--- shadow-4.1.5.1/man/man8/useradd.8.goodname 2012-05-25 13:59:28.000000000 +0200 ++++ shadow-4.1.5.1/man/man8/useradd.8 2012-09-19 18:46:09.249033949 +0200 +@@ -224,7 +224,7 @@ is not enabled, no home directories are + .PP + \fB\-M\fR + .RS 4 +-Do no create the user\*(Aqs home directory, even if the system wide setting from ++Do not create the user\*(Aqs home directory, even if the system wide setting from + /etc/login\&.defs + (\fBCREATE_HOME\fR) is set to + \fIyes\fR\&. +@@ -430,8 +430,6 @@ Similarly, if the username already exist + \fBuseradd\fR + will deny the user account creation request\&. + .PP +-Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-.PP + Usernames may only be up to 32 characters long\&. 
+ .SH "CONFIGURATION" + .PP +diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml +--- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2012-09-19 18:43:53.493160675 +0200 +@@ -366,7 +366,7 @@ + + + +- Do no create the user's home directory, even if the system ++ Do not create the user's home directory, even if the system + wide setting from /etc/login.defs + () is set to + yes. +@@ -654,12 +654,6 @@ + + + +- Usernames must start with a lower case letter or an underscore, +- followed by lower case letters, digits, underscores, or dashes. +- They can end with a dollar sign. +- In regular expression terms: [a-z_][a-z0-9_-]*[$]? +- +- + Usernames may only be up to 32 characters long. + + diff --git a/shadow-4.1.4.2-infoParentDir.patch b/shadow-4.1.5.1-info-parent-dir.patch similarity index 75% rename from shadow-4.1.4.2-infoParentDir.patch rename to shadow-4.1.5.1-info-parent-dir.patch index da260bf..d2bc009 100644 --- a/shadow-4.1.4.2-infoParentDir.patch +++ b/shadow-4.1.5.1-info-parent-dir.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.1.4.2/man/newusers.8.infoParentDir shadow-4.1.4.2/man/newusers.8 ---- shadow-4.1.4.2/man/newusers.8.infoParentDir 2010-04-28 13:44:04.634870854 +0200 -+++ shadow-4.1.4.2/man/newusers.8 2010-04-28 13:46:07.190866220 +0200 -@@ -88,7 +88,7 @@ This field is copied in the GECOS field +diff -up shadow-4.1.5.1/man/man8/newusers.8.info-parent-dir shadow-4.1.5.1/man/man8/newusers.8 +--- shadow-4.1.5.1/man/man8/newusers.8.info-parent-dir 2012-05-25 13:59:09.000000000 +0200 ++++ shadow-4.1.5.1/man/man8/newusers.8 2012-09-19 18:47:17.203525237 +0200 +@@ -99,7 +99,7 @@ This field is copied in the GECOS field .RS 4 This field is used to define the home directory of the user\&. .sp 
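Review bot: The new is_valid_name accepts `.` and `..` as names, because both characters are now in the permitted first-character set and the loop finds nothing to reject, and the comment's `{0,30}` bound is not enforced by anything in the hunk; the function's tail with its final return is outside the hunk. A guard before the loop, `if ((strcmp (name, ".") == 0) || (strcmp (name, "..") == 0)) { return false; }`, would keep those path-special names out of account names and the directory paths derived from them, and the comment should either point at where the length is checked or drop the `{0,30}` claim. The man-page hunks delete the old rule without stating the new one, so the accepted character set is now documented only in this source comment; a one-sentence replacement in the CAVEATS sections describing the new rule would close that gap.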
@@ -10,10 +10,10 @@ diff -up shadow-4.1.4.2/man/newusers.8.infoParentDir shadow-4.1.4.2/man/newusers .sp If the home directory of an existing user is changed, \fBnewusers\fR -diff -up shadow-4.1.4.2/man/newusers.8.xml.infoParentDir shadow-4.1.4.2/man/newusers.8.xml ---- shadow-4.1.4.2/man/newusers.8.xml.infoParentDir 2010-04-28 13:48:01.419238133 +0200 -+++ shadow-4.1.4.2/man/newusers.8.xml 2010-04-28 13:55:40.499663030 +0200 -@@ -192,7 +192,15 @@ +diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml +--- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 ++++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 +@@ -216,7 +216,15 @@ If this field does not specify an existing directory, the specified directory is created, with ownership set to the diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch new file mode 100644 index 0000000..773fd60 --- /dev/null +++ b/shadow-4.1.5.1-selinux.patch @@ -0,0 +1,12 @@ +diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1/src/useradd.c.selinux 2012-09-19 18:28:37.662060468 +0200 ++++ shadow-4.1.5.1/src/useradd.c 2012-09-19 18:28:37.672060688 +0200 +@@ -2040,7 +2040,7 @@ int main (int argc, char **argv) + if (mflg) { + create_home (); + if (home_added) { +- copy_tree (def_template, user_home, false, false, ++ copy_tree (def_template, user_home, false, true, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, diff --git a/shadow-utils.spec b/shadow-utils.spec index 761ac88..96497bb 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,20 +1,20 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.5 -Release: 5%{?dist} +Version: 4.1.5.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 +Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2.sig Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Patch0: shadow-4.1.5-redhat.patch -Patch1: shadow-4.1.5-goodname.patch -Patch2: shadow-4.1.4.2-infoParentDir.patch +Patch1: shadow-4.1.5.1-goodname.patch +Patch2: shadow-4.1.5.1-info-parent-dir.patch Patch3: shadow-4.1.5-uflg.patch -Patch4: shadow-4.1.5-man.patch -Patch5: shadow-4.1.5-grremove.patch -Patch6: shadow-4.1.5-selinux.patch +Patch6: shadow-4.1.5.1-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch +Patch8: shadow-4.1.5.1-backup-mode.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -45,13 +45,11 @@ are used for managing group accounts. %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname -%patch2 -p1 -b .infoParentDir +%patch2 -p1 -b .info-parent-dir %patch3 -p1 -b .uflg -%patch4 -p1 -b .man -%patch5 -p1 -b .grremove %patch6 -p1 -b .selinux %patch7 -p1 -b .2ndskip - +%patch8 -p1 -b .backup-mode iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -206,6 +204,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Sep 19 2012 Tomas Mraz - 2:4.1.5.1-1 +- new upstream version +- use the original file permissions when creating backup (#853102) + * Wed Jul 25 2012 Peter Vrabec - 2:4.1.5-5 - make /etc/default/useradd world-readable (#835137) diff --git a/sources b/sources index 0afb6c5..888eac7 100644 --- a/sources +++ b/sources 
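Review bot: Source3 adds the upstream tarball signature, but the %prep hunk only runs %setup and the %patch lines, so the .sig is fetched and recorded in sources without ever being checked. If it is intended as a supply-chain control rather than an archival copy, a verification step (for example gpgv against a keyring shipped as another Source) belongs in %prep before %setup; otherwise a comment on the Source3 line saying it is kept for reference would stop readers assuming verification happens. Listing Source3 between Source0 and Source1 also reads oddly; keeping the sources in numeric order is the usual convention.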
@@ -1 +1,2 @@ -d5f7a588fadb79faeb4b08b1eee82e9a shadow-4.1.5.tar.bz2 +a00449aa439c69287b6d472191dc2247 shadow-4.1.5.1.tar.bz2 +f16f31f6f5a607b1ffb1aa1aac4c37f2 shadow-4.1.5.1.tar.bz2.sig From 6a8565830d5b6f8b2a7f7e0dc5801e4138a12dd4 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 11 Jan 2013 10:45:13 +0100 Subject: [PATCH 081/151] /etc/default is owned by glibc-common now (#894194) --- shadow-utils.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 96497bb..e47c351 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -165,7 +165,6 @@ rm -rf $RPM_BUILD_ROOT %files -f shadow.lang %defattr(-,root,root) %doc NEWS doc/HOWTO README -%dir %{_sysconfdir}/default %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %{_bindir}/sg @@ -204,6 +203,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jan 11 2013 Tomas Mraz - 2:4.1.5.1-2 +- /etc/default is owned by glibc-common now (#894194) + * Wed Sep 19 2012 Tomas Mraz - 2:4.1.5.1-1 - new upstream version - use the original file permissions when creating backup (#853102) From 778c4c228d29d248a3f3d4e30c350cd1a981d450 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 29 Jan 2013 14:17:57 +0100 Subject: [PATCH 082/151] fix bugs in merge_group_entries() --- shadow-4.1.5.1-merge-group.patch | 27 +++++++++++++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-merge-group.patch 
diff --git a/shadow-4.1.5.1-merge-group.patch b/shadow-4.1.5.1-merge-group.patch new file mode 100644 index 0000000..f5cea10 --- /dev/null +++ b/shadow-4.1.5.1-merge-group.patch @@ -0,0 +1,27 @@ +diff -up shadow-4.1.5.1/lib/groupio.c.merge-group shadow-4.1.5.1/lib/groupio.c +--- shadow-4.1.5.1/lib/groupio.c.merge-group 2011-02-16 21:32:24.000000000 +0100 ++++ shadow-4.1.5.1/lib/groupio.c 2013-01-29 13:56:43.049275513 +0100 +@@ -330,12 +330,12 @@ static /*@null@*/struct commonio_entry * + + /* Concatenate the 2 lines */ + new_line_len = strlen (gr1->line) + strlen (gr2->line) +1; +- new_line = (char *)malloc ((new_line_len + 1) * sizeof(char*)); ++ new_line = (char *)malloc (new_line_len + 1); + if (NULL == new_line) { + errno = ENOMEM; + return NULL; + } +- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); ++ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); + new_line[new_line_len] = '\0'; + + /* Concatenate the 2 list of members */ +@@ -353,7 +353,7 @@ static /*@null@*/struct commonio_entry * + members++; + } + } +- new_members = (char **)malloc ( (members+1) * sizeof(char*) ); ++ new_members = (char **)calloc (members+1, sizeof(char*)); + if (NULL == new_members) { + free (new_line); + errno = ENOMEM; diff --git a/shadow-utils.spec b/shadow-utils.spec index e47c351..d654df3 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -15,6 +15,7 @@ Patch3: shadow-4.1.5-uflg.patch Patch6: shadow-4.1.5.1-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch Patch8: shadow-4.1.5.1-backup-mode.patch +Patch9: shadow-4.1.5.1-merge-group.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 
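Review bot: Now that snprintf is given the full `new_line_len + 1` bytes, the explicit `new_line[new_line_len] = '\0';` on the following context line is redundant, since snprintf always terminates an exactly-sized buffer, and the `(char *)` cast on malloc is unnecessary in C; `new_line = malloc (new_line_len + 1);` with the terminator line dropped would leave the sizing logic in one place. Keeping the terminator is harmless, so this is a style point only. The switch to calloc for new_members presumably exists so the trailing NULL of the member array comes from the zero-fill; a short comment on that line, `/* zero-filled: the terminating NULL comes from calloc */`, would record that intent. merge_group_entries starts and ends outside the hunk.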
@@ -50,6 +51,7 @@ are used for managing group accounts. %patch6 -p1 -b .selinux %patch7 -p1 -b .2ndskip %patch8 -p1 -b .backup-mode +%patch9 -p1 -b .merge-group iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -203,6 +205,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jan 29 2013 Tomas Mraz - 2:4.1.5.1-3 +- fix bugs in merge_group_entries() + * Fri Jan 11 2013 Tomas Mraz - 2:4.1.5.1-2 - /etc/default is owned by glibc-common now (#894194) From c85c93b88e2d86056ee6cfb9ead2cbbdaf88932f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 20 Feb 2013 15:30:31 +0100 Subject: [PATCH 083/151] keep the original context if matchpathcon() fails (#912399) --- shadow-4.1.5.1-orig-context.patch | 128 ++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-orig-context.patch diff --git a/shadow-4.1.5.1-orig-context.patch b/shadow-4.1.5.1-orig-context.patch new file mode 100644 index 0000000..63523df --- /dev/null +++ b/shadow-4.1.5.1-orig-context.patch 
@@ -0,0 +1,128 @@ +diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c +--- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200 ++++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100 +@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * + snprintf (buf, sizeof buf, "%s-", db->filename); + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (buf) != 0) { ++ if (set_selinux_file_context (buf, db->filename) != 0) { + errors++; + } + #endif +@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db * + snprintf (buf, sizeof buf, "%s+", db->filename); + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (buf) != 0) { ++ if (set_selinux_file_context (buf, db->filename) != 0) { + errors++; + } + #endif +diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c +--- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100 ++++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100 +@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co + */ + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + return -1; + } + #endif /* WITH_SELINUX */ +@@ -605,7 +605,7 @@ static int copy_symlink (const char *src + } + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + free (oldlink); + return -1; + } +@@ -684,7 +684,7 @@ static int copy_special (const char *src + int err = 0; + + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + return -1; + } + #endif /* WITH_SELINUX */ +@@ -744,7 +744,7 @@ static int copy_file (const char *src, c + return -1; + } + #ifdef WITH_SELINUX +- if (set_selinux_file_context (dst) != 0) { ++ if (set_selinux_file_context (dst, NULL) != 0) { + return -1; + } + #endif /* WITH_SELINUX */ +diff -up 
shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h +--- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100 ++++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100 +@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m + + /* selinux.c */ + #ifdef WITH_SELINUX +-extern int set_selinux_file_context (const char *dst_name); ++extern int set_selinux_file_context (const char *dst_name, const char *orig_name); + extern int reset_selinux_file_context (void); + #endif + +diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c +--- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100 ++++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100 +@@ -50,7 +50,7 @@ static bool selinux_enabled; + * Callers may have to Reset SELinux to create files with default + * contexts with reset_selinux_file_context + */ +-int set_selinux_file_context (const char *dst_name) ++int set_selinux_file_context (const char *dst_name, const char *orig_name) + { + /*@null@*/security_context_t scontext = NULL; + +@@ -62,19 +62,23 @@ int set_selinux_file_context (const char + if (selinux_enabled) { + /* Get the default security context for this file */ + if (matchpathcon (dst_name, 0, &scontext) < 0) { +- if (security_getenforce () != 0) { +- return 1; +- } ++ /* We could not get the default, copy the original */ ++ if (orig_name == NULL) ++ goto error; ++ if (getfilecon (orig_name, &scontext) < 0) ++ goto error; + } + /* Set the security context for the next created file */ +- if (setfscreatecon (scontext) < 0) { +- if (security_getenforce () != 0) { +- return 1; +- } +- } ++ if (setfscreatecon (scontext) < 0) ++ goto errror; + freecon (scontext); + } + return 0; ++ error: ++ if (security_getenforce () != 0) { ++ return 1; ++ } ++ return 0; + } + + /* +diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c +--- 
shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200 ++++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100 +@@ -1759,7 +1759,7 @@ static void create_home (void) + { + if (access (user_home, F_OK) != 0) { + #ifdef WITH_SELINUX +- if (set_selinux_file_context (user_home) != 0) { ++ if (set_selinux_file_context (user_home, NULL) != 0) { + fail_exit (E_HOMEDIR); + } + #endif diff --git a/shadow-utils.spec b/shadow-utils.spec index d654df3..266aaec 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -16,6 +16,7 @@ Patch6: shadow-4.1.5.1-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch Patch8: shadow-4.1.5.1-backup-mode.patch Patch9: shadow-4.1.5.1-merge-group.patch +Patch10: shadow-4.1.5.1-orig-context.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -52,6 +53,7 @@ are used for managing group accounts. %patch7 -p1 -b .2ndskip %patch8 -p1 -b .backup-mode %patch9 -p1 -b .merge-group +%patch10 -p1 -b .orig-context iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -205,6 +207,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 20 2013 Tomas Mraz - 2:4.1.5.1-4 +- keep the original context if matchpathcon() fails (#912399) + * Tue Jan 29 2013 Tomas Mraz - 2:4.1.5.1-3 - fix bugs in merge_group_entries() From 257f1c1652d7e445c6453973467d23fc3d5ab6ae Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 20 Feb 2013 15:42:28 +0100 Subject: [PATCH 084/151] Fix a typo. --- shadow-4.1.5.1-orig-context.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
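Review bot: In the rewritten set_selinux_file_context() (lib/selinux.c nested hunk), a context obtained from matchpathcon() or getfilecon() is leaked when setfscreatecon() fails, because `freecon (scontext);` sits only on the success path and the error label jumps past it. Moving the release to the label covers both paths, since freecon() tolerates NULL: `error:` / `freecon (scontext);` / `if (security_getenforce () != 0) {`. Note also that on the permissive branch the function returns 0 with no diagnostic, so callers cannot tell a successfully set context from a silent fallback to the default one — if that is intended, a comment at the label saying so would help the next reader. The start of the function (the `selinux_enabled` early return) is only partly visible in this hunk.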
diff --git a/shadow-4.1.5.1-orig-context.patch b/shadow-4.1.5.1-orig-context.patch index 63523df..c1ddb13 100644 --- a/shadow-4.1.5.1-orig-context.patch +++ b/shadow-4.1.5.1-orig-context.patch @@ -102,7 +102,7 @@ diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c - } - } + if (setfscreatecon (scontext) < 0) -+ goto errror; ++ goto error; freecon (scontext); } return 0; From 0bdf7eb7a5a93b66ad7deaf86fcaaacf3b2f908a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 19 Mar 2013 18:43:43 +0100 Subject: [PATCH 085/151] improve the failure syslog message in useradd (#830617) --- shadow-utils.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 266aaec..2b214d3 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -17,6 +17,7 @@ Patch7: shadow-4.1.5-2ndskip.patch Patch8: shadow-4.1.5.1-backup-mode.patch Patch9: shadow-4.1.5.1-merge-group.patch Patch10: shadow-4.1.5.1-orig-context.patch +Patch11: shadow-4.1.5.1-logmsg.patch License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -54,6 +55,7 @@ are used for managing group accounts. %patch8 -p1 -b .backup-mode %patch9 -p1 -b .merge-group %patch10 -p1 -b .orig-context +%patch11 -p1 -b .logmsg iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -207,6 +209,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Mar 19 2013 Tomas Mraz - 2:4.1.5.1-5 +- improve the failure syslog message in useradd (#830617) + * Wed Feb 20 2013 Tomas Mraz - 2:4.1.5.1-4 - keep the original context if matchpathcon() fails (#912399) 
From a253a4a28b36f248a58a23addcd5333509810bd7 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 19 Mar 2013 18:46:14 +0100 Subject: [PATCH 086/151] improve the failure syslog message in useradd (#830617) --- shadow-4.1.5.1-logmsg.patch | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 shadow-4.1.5.1-logmsg.patch diff --git a/shadow-4.1.5.1-logmsg.patch b/shadow-4.1.5.1-logmsg.patch new file mode 100644 index 0000000..7d5cbc8 --- /dev/null +++ b/shadow-4.1.5.1-logmsg.patch @@ -0,0 +1,12 @@ +diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 ++++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 +@@ -275,7 +275,7 @@ static void fail_exit (int code) + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name)); ++ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code)); + exit (code); + } + From 32f6a7815739e283e02319ff3ce2e8c0d16e7697 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 14 Jun 2013 15:27:20 +0200 Subject: [PATCH 087/151] report error to stdout when SELinux context for home directory cannot be determined (#973647) - audit the changing home directory owner (#885797) - do not set the default SELinux MLS range (#852676) --- shadow-4.1.5.1-audit-owner.patch | 32 +++++++++++++++++++++++++++ shadow-4.1.5.1-default-range.patch | 35 ++++++++++++++++++++++++++++++ shadow-4.1.5.1-errmsg.patch | 23 ++++++++++++++++++++ shadow-utils.spec | 15 ++++++++++++- 4 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-audit-owner.patch create mode 100644 shadow-4.1.5.1-default-range.patch create mode 100644 shadow-4.1.5.1-errmsg.patch diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch new file mode 100644 index 0000000..6fbbdbf --- /dev/null +++ b/shadow-4.1.5.1-audit-owner.patch 
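Review bot: The rewritten SYSLOG line in fail_exit() still logs the failure at `LOG_INFO`, so log-based monitoring that filters on severity will group a failed useradd with routine informational messages; `LOG_WARN`, as used elsewhere in shadow-utils for failed password checks, would be a better fit: `SYSLOG ((LOG_WARN, "failed adding user '%s', exit code: %d", user_name, code));`. The new message also drops the old "data deleted" wording, so whether the partial account was cleaned up is no longer recorded — if that cleanup still happens, consider keeping it in the text. fail_exit() begins outside this hunk.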
@@ -0,0 +1,32 @@ +diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c +--- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100 ++++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200 +@@ -1513,6 +1513,14 @@ static void move_home (void) + fail_exit (E_HOMEDIR); + } + ++#ifdef WITH_AUDIT ++ if (uflg || gflg) { ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "changing home directory owner", ++ user_newname, (unsigned int) user_newid, 1); ++ } ++#endif ++ + if (rename (user_home, user_newhome) == 0) { + /* FIXME: rename above may have broken symlinks + * pointing to the user's home directory +@@ -1947,6 +1955,13 @@ int main (int argc, char **argv) + * ownership. + * + */ ++#ifdef WITH_AUDIT ++ if (uflg || gflg) { ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "changing home directory owner", ++ user_newname, (unsigned int) user_newid, 1); ++ } ++#endif + if (chown_tree (dflg ? user_newhome : user_home, + user_id, + uflg ? user_newid : (uid_t)-1, diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch new file mode 100644 index 0000000..45c677a --- /dev/null +++ b/shadow-4.1.5.1-default-range.patch 
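Review bot: Both added audit_logger() calls report the owner change with result `1` (success) before the operation has run — in move_home() the call precedes `rename (user_home, user_newhome)`, and in main() it precedes `chown_tree (...)`, so a failed rename or chown still leaves a success record in the audit trail. Emit the record after the operation and pass its actual outcome as the last argument instead of the constant 1, which keeps the audit log usable as evidence of what happened. It also looks like `user_newid` is logged even when only `gflg` is set and the UID is unchanged; confirm it is initialized in that case. Both move_home() and main() extend outside this hunk.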
@@ -0,0 +1,35 @@ +diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c +--- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100 ++++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200 +@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h + goto done; + } + ++#if 0 + ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); + if (ret != 0) { + fprintf (stderr, +@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h + ret = 1; + goto done; + } ++#endif + + ret = semanage_seuser_set_sename (handle, seuser, seuser_name); + if (ret != 0) { +@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h + goto done; + } + ++#if 0 + ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); + if (ret != 0) { + fprintf (stderr, +@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h + ret = 1; + goto done; + } ++#endif + + ret = semanage_seuser_set_sename (handle, seuser, seuser_name); + if (ret != 0) { diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch new file mode 100644 index 0000000..6f3a1d2 --- /dev/null +++ b/shadow-4.1.5.1-errmsg.patch 
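Review bot: The `#if 0` blocks in semanage_user_mod() and semanage_user_add() leave the semanage_seuser_set_mlsrange() calls as unexplained dead code, and nothing tells a later maintainer why the MLS range is no longer set or what the seuser ends up with. Replace each `#if 0 … #endif` with a short comment such as `/* The MLS range is intentionally not set (#852676); the seuser keeps the policy default. */` and delete the disabled calls. If DEFAULT_SERANGE is no longer referenced anywhere after this change, its definition should go too. Both functions extend outside this hunk.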
@@ -0,0 +1,23 @@ +diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 ++++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200 +@@ -1760,6 +1760,9 @@ static void create_home (void) + if (access (user_home, F_OK) != 0) { + #ifdef WITH_SELINUX + if (set_selinux_file_context (user_home, NULL) != 0) { ++ fprintf (stderr, ++ _("%s: cannot set SELinux context for home directory %s\n"), ++ Prog, user_home); + fail_exit (E_HOMEDIR); + } + #endif +@@ -1789,6 +1792,9 @@ static void create_home (void) + #ifdef WITH_SELINUX + /* Reset SELinux to create files with default contexts */ + if (reset_selinux_file_context () != 0) { ++ fprintf (stderr, ++ _("%s: cannot reset SELinux file creation context\n"), ++ Prog); + fail_exit (E_HOMEDIR); + } + #endif diff --git a/shadow-utils.spec b/shadow-utils.spec index 2b214d3..a7b86c6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -18,6 +18,10 @@ Patch8: shadow-4.1.5.1-backup-mode.patch Patch9: shadow-4.1.5.1-merge-group.patch Patch10: shadow-4.1.5.1-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch +Patch12: shadow-4.1.5.1-errmsg.patch +Patch13: shadow-4.1.5.1-audit-owner.patch +Patch14: shadow-4.1.5.1-default-range.patch + License: BSD and GPLv2+ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 @@ -56,6 +60,9 @@ are used for managing group accounts. %patch9 -p1 -b .merge-group %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg +%patch12 -p1 -b .errmsg +%patch13 -p1 -b .audit-owner +%patch14 -p1 -b .default-range iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
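Review bot: Both new messages in create_home() are written with `fprintf (stderr, …)`, while the commit subject and the changelog entry say the error is reported to stdout; the code is the right choice, so the wording should say stderr. The messages also carry no reason: set_selinux_file_context() returns 1 only in enforcing mode and does not set errno, so the user learns that the context could not be set but not why — if the library exposes a reason, append it, otherwise a comment noting that no further detail is available would stop someone "fixing" it with strerror(errno). create_home() begins and ends outside this hunk.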
@@ -209,6 +216,12 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jun 14 2013 Tomas Mraz - 2:4.1.5.1-6 +- report error to stdout when SELinux context for home directory + cannot be determined (#973647) +- audit the changing home directory owner (#885797) +- do not set the default SELinux MLS range (#852676) + * Tue Mar 19 2013 Tomas Mraz - 2:4.1.5.1-5 - improve the failure syslog message in useradd (#830617) From 4eaf9cda612ae39fbf137e516f0c39ae690cd184 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 19 Jul 2013 07:44:18 +0200 Subject: [PATCH 088/151] fix useradd man page bugs --- shadow-utils.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index a7b86c6..f3f054b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -21,6 +21,7 @@ Patch11: shadow-4.1.5.1-logmsg.patch Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch +Patch15: shadow-4.1.5.1-manfix.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -63,6 +64,7 @@ are used for managing group accounts. %patch12 -p1 -b .errmsg %patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range +%patch15 -p1 -b .manfix iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -216,6 +218,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jul 19 2013 Tomas Mraz - 2:4.1.5.1-7 +- fix useradd man page bugs + * Fri Jun 14 2013 Tomas Mraz - 2:4.1.5.1-6 - report error to stdout when SELinux context for home directory cannot be determined (#973647) From 047af921d9c464a0ffa3195d0a7e45201e14382a Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 19 Jul 2013 08:08:10 +0200 Subject: [PATCH 089/151] fix useradd man page bugs --- shadow-4.1.5.1-manfix.patch | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 shadow-4.1.5.1-manfix.patch diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch new file mode 100644 index 0000000..ef023dc --- /dev/null +++ b/shadow-4.1.5.1-manfix.patch @@ -0,0 +1,21 @@ +diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-06-14 15:25:44.000000000 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2013-07-19 07:33:53.768619759 +0200 +@@ -161,7 +161,7 @@ + + + +- , ++ , + HOME_DIR + + +@@ -362,7 +362,7 @@ + + + +- ++ , + + + From a451dc3d55537561abfedfd482249e18324b3d52 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 25 Jul 2013 13:26:18 +0200 Subject: [PATCH 090/151] slightly more meaningful error messages if crypt() returns NULL (#988184) - explicit suid permissions --- shadow-4.1.5.1-crypt-null.patch | 195 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 14 ++- 2 files changed, 205 insertions(+), 4 deletions(-) create mode 100644 shadow-4.1.5.1-crypt-null.patch diff --git a/shadow-4.1.5.1-crypt-null.patch b/shadow-4.1.5.1-crypt-null.patch new file mode 100644 index 0000000..fba72e7 --- /dev/null +++ b/shadow-4.1.5.1-crypt-null.patch 
@@ -0,0 +1,195 @@ +diff -up shadow-4.1.5.1/lib/encrypt.c.crypt-null shadow-4.1.5.1/lib/encrypt.c +--- shadow-4.1.5.1/lib/encrypt.c.crypt-null 2010-08-22 15:05:02.000000000 +0200 ++++ shadow-4.1.5.1/lib/encrypt.c 2013-07-25 12:27:30.438355782 +0200 +@@ -49,11 +49,10 @@ + if (!cp) { + /* + * Single Unix Spec: crypt() may return a null pointer, +- * and set errno to indicate an error. The caller doesn't +- * expect us to return NULL, so... ++ * and set errno to indicate an error. In this case return ++ * the NULL so the caller can handle appropriately. + */ +- perror ("crypt"); +- exit (EXIT_FAILURE); ++ return cp; + } + + /* The GNU crypt does not return NULL if the algorithm is not +diff -up shadow-4.1.5.1/libmisc/valid.c.crypt-null shadow-4.1.5.1/libmisc/valid.c +--- shadow-4.1.5.1/libmisc/valid.c.crypt-null 2010-08-22 21:14:41.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/valid.c 2013-07-25 12:27:30.440355847 +0200 +@@ -95,6 +95,7 @@ bool valid (const char *password, const + */ + + if ( (NULL != ent->pw_name) ++ && (NULL != encrypted) + && (strcmp (encrypted, ent->pw_passwd) == 0)) { + return true; + } else { +diff -up shadow-4.1.5.1/lib/pwauth.c.crypt-null shadow-4.1.5.1/lib/pwauth.c +--- shadow-4.1.5.1/lib/pwauth.c.crypt-null 2009-07-13 00:24:48.000000000 +0200 ++++ shadow-4.1.5.1/lib/pwauth.c 2013-07-25 12:27:30.438355782 +0200 +@@ -73,6 +73,7 @@ int pw_auth (const char *cipher, + char prompt[1024]; + char *clear = NULL; + const char *cp; ++ const char *encrypted; + int retval; + + #ifdef SKEY +@@ -177,7 +178,11 @@ int pw_auth (const char *cipher, + * the results there as well. 
+ */ + +- retval = strcmp (pw_encrypt (input, cipher), cipher); ++ encrypted = pw_encrypt (input, cipher); ++ if (encrypted!=NULL) ++ retval = strcmp (encrypted, cipher); ++ else ++ retval = -1; + + #ifdef SKEY + /* +diff -up shadow-4.1.5.1/src/chgpasswd.c.crypt-null shadow-4.1.5.1/src/chgpasswd.c +--- shadow-4.1.5.1/src/chgpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 ++++ shadow-4.1.5.1/src/chgpasswd.c 2013-07-25 12:27:30.440355847 +0200 +@@ -469,6 +469,10 @@ int main (int argc, char **argv) + #endif + cp = pw_encrypt (newpwd, + crypt_make_salt (crypt_method, arg)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + } + + /* +diff -up shadow-4.1.5.1/src/chpasswd.c.crypt-null shadow-4.1.5.1/src/chpasswd.c +--- shadow-4.1.5.1/src/chpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 ++++ shadow-4.1.5.1/src/chpasswd.c 2013-07-25 12:27:30.440355847 +0200 +@@ -492,6 +492,10 @@ int main (int argc, char **argv) + #endif + cp = pw_encrypt (newpwd, + crypt_make_salt(crypt_method, arg)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + } + + /* +diff -up shadow-4.1.5.1/src/gpasswd.c.crypt-null shadow-4.1.5.1/src/gpasswd.c +--- shadow-4.1.5.1/src/gpasswd.c.crypt-null 2011-11-19 23:55:04.000000000 +0100 ++++ shadow-4.1.5.1/src/gpasswd.c 2013-07-25 12:27:30.441355866 +0200 +@@ -939,6 +939,10 @@ static void change_passwd (struct group + } + + cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); ++ if (cp==NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + memzero (pass, sizeof pass); + #ifdef SHADOWGRP + if (is_shadowgrp) { +diff -up shadow-4.1.5.1/src/newgrp.c.crypt-null shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1/src/newgrp.c.crypt-null 2011-07-30 03:50:01.000000000 +0200 ++++ shadow-4.1.5.1/src/newgrp.c 2013-07-25 12:27:30.442355881 +0200 +@@ -184,7 +184,8 @@ static void check_perms (const struct gr + cpasswd = pw_encrypt (cp, grp->gr_passwd); + strzero (cp); + +- if (grp->gr_passwd[0] == '\0' || ++ 
if (cpasswd == NULL || ++ grp->gr_passwd[0] == '\0' || + strcmp (cpasswd, grp->gr_passwd) != 0) { + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +diff -up shadow-4.1.5.1/src/newusers.c.crypt-null shadow-4.1.5.1/src/newusers.c +--- shadow-4.1.5.1/src/newusers.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 ++++ shadow-4.1.5.1/src/newusers.c 2013-07-25 12:27:30.442355881 +0200 +@@ -387,6 +387,7 @@ static int add_user (const char *name, u + static void update_passwd (struct passwd *pwd, const char *password) + { + void *crypt_arg = NULL; ++ char *cp; + if (crypt_method != NULL) { + #ifdef USE_SHA_CRYPT + if (sflg) { +@@ -398,9 +399,13 @@ static void update_passwd (struct passwd + if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) { + pwd->pw_passwd = (char *)password; + } else { +- pwd->pw_passwd = pw_encrypt (password, +- crypt_make_salt (crypt_method, +- crypt_arg)); ++ cp=pw_encrypt (password, crypt_make_salt (crypt_method, ++ crypt_arg)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } ++ pwd->pw_passwd = cp; + } + } + #endif /* !USE_PAM */ +@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pw + { + const struct spwd *sp; + struct spwd spent; ++ char *cp; + + #ifndef USE_PAM + void *crypt_arg = NULL; +@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pw + } else { + const char *salt = crypt_make_salt (crypt_method, + crypt_arg); +- spent.sp_pwdp = pw_encrypt (password, salt); ++ cp = pw_encrypt (password, salt); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } ++ spent.sp_pwdp = cp; + } + spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE; + if (0 == spent.sp_lstchg) { +@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pw + spent.sp_pwdp = (char *)password; + } else { + const char *salt = crypt_make_salt (crypt_method, crypt_arg); +- spent.sp_pwdp = pw_encrypt (password, salt); ++ cp = pw_encrypt (password, salt); ++ if (cp == NULL) { ++ perror ("crypt"); ++ 
exit (EXIT_FAILURE); ++ } ++ spent.sp_pwdp = cp; + } + #else + /* +diff -up shadow-4.1.5.1/src/passwd.c.crypt-null shadow-4.1.5.1/src/passwd.c +--- shadow-4.1.5.1/src/passwd.c.crypt-null 2012-02-13 21:32:01.000000000 +0100 ++++ shadow-4.1.5.1/src/passwd.c 2013-07-25 12:27:30.443355896 +0200 +@@ -242,7 +242,7 @@ static int new_password (const struct pa + } + + cipher = pw_encrypt (clear, crypt_passwd); +- if (strcmp (cipher, crypt_passwd) != 0) { ++ if ((cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)) { + strzero (clear); + strzero (cipher); + SYSLOG ((LOG_WARN, "incorrect password for %s", +@@ -349,6 +349,10 @@ static int new_password (const struct pa + * Encrypt the password, then wipe the cleartext password. + */ + cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); ++ if (cp == NULL) { ++ perror ("crypt"); ++ exit (EXIT_FAILURE); ++ } + memzero (pass, sizeof pass); + + #ifdef HAVE_LIBCRACK_HIST diff --git a/shadow-utils.spec b/shadow-utils.spec index f3f054b..56f8a3f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -22,6 +22,7 @@ Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.1.5.1-manfix.patch +Patch16: shadow-4.1.5.1-crypt-null.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -65,6 +66,7 @@ are used for managing group accounts. %patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix +%patch16 -p1 -b .crypt-null iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
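Review bot: In the src/passwd.c nested hunk the new condition `(cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)` enters a block that then calls `strzero (cipher);`, so a NULL return from pw_encrypt() — the very case this patch introduces — is passed to strzero(), which (unless it tolerates NULL, not visible here) dereferences it: `strzero (clear);` / `if (cipher != NULL) { strzero (cipher); }`. The other call sites (chgpasswd, chpasswd, gpasswd, newusers, newgrp, pwauth, valid) check the pointer before use, which is consistent; any pw_encrypt() callers not touched by this patch would need the same treatment now that lib/encrypt.c returns NULL instead of exiting. The enclosing functions in every nested hunk begin and end outside the hunk.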
@@ -183,10 +185,10 @@ rm -rf $RPM_BUILD_ROOT %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %{_bindir}/sg -%{_bindir}/chage -%{_bindir}/gpasswd +%attr(4755,root,root) %{_bindir}/chage +%attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog -%{_bindir}/newgrp +%attr(4755,root,root) %{_bindir}/newgrp %{_sbindir}/adduser %attr(0750,root,root) %{_sbindir}/user* %attr(0750,root,root) %{_sbindir}/group* @@ -218,6 +220,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 25 2013 Tomas Mraz - 2:4.1.5.1-8 +- slightly more meaningful error messages if crypt() returns NULL (#988184) +- explicit suid permissions + * Fri Jul 19 2013 Tomas Mraz - 2:4.1.5.1-7 - fix useradd man page bugs From 462b4b2f45f6da8d7737a19b1f3cff55e74f2492 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 25 Jul 2013 14:30:32 +0200 Subject: [PATCH 091/151] Fix bogus dates in changelog --- shadow-utils.spec | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 56f8a3f..1d4ff2e 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -258,7 +258,7 @@ rm -rf $RPM_BUILD_ROOT * Mon Jun 18 2012 Peter Vrabec - 2:4.1.5-3 - pwconv/grpconv skipped 2nd of consecutive failures (#832995) -* Wed Mar 22 2012 Peter Vrabec - 2:4.1.5-2 +* Thu Mar 22 2012 Peter Vrabec - 2:4.1.5-2 - fix selinux context handling - reset selinux context on files copied from skel 
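Review bot: Making the setuid mode explicit for chage, gpasswd and newgrp is the right direction, but the neighbouring context line `%{_bindir}/sg` keeps no `%attr`; if sg is installed as a separate setuid binary rather than a link to newgrp it should carry the same explicit `%attr(4755,root,root)` — confirm which it is. A one-line comment above these entries explaining why they need setuid root (access to the shadow/gshadow databases) would let a future reviewer see at a glance that the bits are deliberate rather than inherited from the build.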
@@ -471,11 +471,11 @@ rm -rf $RPM_BUILD_ROOT * Tue Jun 26 2007 Peter Vrabec 2:4.0.18.1-16 - fix "CAVEATS" section of groupadd man page (#245590) -* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-15 +* Wed Jun 06 2007 Peter Vrabec 2:4.0.18.1-15 - fix infinitive loop if there are duplicate entries in /etc/group (#240915) -* Tue Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 +* Wed Jun 06 2007 Peter Vrabec 2:4.0.18.1-14 - do not run find_new_uid() twice and use getpwuid() to check UID uniqueness (#236871) @@ -646,7 +646,7 @@ rm -rf $RPM_BUILD_ROOT - fix memory leak, and CPU spinning when grp_update() and duplicate group entries in /etc/group (#151484) -* Mon Mar 29 2005 Peter Vrabec 2:4.0.7-4 +* Tue Mar 29 2005 Peter Vrabec 2:4.0.7-4 - use newgrp binary - newgrp don't ask for password if user's default GID = group ID, ask for password if there is some in /etc/gshadow @@ -756,7 +756,7 @@ rm -rf $RPM_BUILD_ROOT * Thu Sep 4 2003 Dan Walsh 4.0.3-11.sel - build with SELinux support -* Fri Jul 28 2003 Dan Walsh 4.0.3-10 +* Mon Jul 28 2003 Dan Walsh 4.0.3-10 - Add SELinux support * Wed Jun 04 2003 Elliot Lee @@ -980,7 +980,7 @@ rm -rf $RPM_BUILD_ROOT * Thu Nov 06 1997 Cristian Gafton - added forgot lastlog command to the spec file -* Mon Oct 26 1997 Cristian Gafton +* Mon Oct 27 1997 Cristian Gafton - obsoletes adduser * Thu Oct 23 1997 Cristian Gafton From 317fc748b31cde3da89a9191d39f8c422ddd750c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 18 Oct 2013 16:33:21 +0200 Subject: [PATCH 092/151] document that the directory where user's home is created must exist --- shadow-4.1.5.1-manfix.patch | 42 ++++++++++++++++++++++++++++++++++--- shadow-utils.spec | 7 +++++-- 2 files changed, 44 insertions(+), 5 deletions(-) diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch index ef023dc..c66d7c9 100644 --- a/shadow-4.1.5.1-manfix.patch +++ b/shadow-4.1.5.1-manfix.patch 
@@ -1,6 +1,33 @@ +diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 +--- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-07-25 10:39:00.000000000 +0200 ++++ shadow-4.1.5.1/man/man8/useradd.8 2013-10-18 16:29:41.003281715 +0200 +@@ -85,7 +85,7 @@ by default\&. + Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. + .RE + .PP +-\fB\-d\fR, \fB\-\-home\fR \fIHOME_DIR\fR ++\fB\-d\fR, \fB\-\-home\-dir\fR \fIHOME_DIR\fR + .RS 4 + The new user will be created using + \fIHOME_DIR\fR +@@ -220,9 +220,13 @@ option) will be copied to the home direc + By default, if this option is not specified and + \fBCREATE_HOME\fR + is not enabled, no home directories are created\&. ++.sp ++The directory where the user\*(Aqs home directory is created must ++exist and have proper SELinux context and permissions\&. Otherwise ++the user\*(Aqs home directory cannot be created or accessed\&. + .RE + .PP +-\fB\-M\fR ++\fB\-M\fR, \fB\-\-no\-create\-home\fR + .RS 4 + Do not create the user\*(Aqs home directory, even if the system wide setting from + /etc/login\&.defs diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-06-14 15:25:44.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-07-19 07:33:53.768619759 +0200 +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-07-25 10:39:00.115637664 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2013-10-18 16:22:13.151437562 +0200 @@ -161,7 +161,7 @@ @@ -10,7 +37,16 @@ diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xm HOME_DIR -@@ -362,7 +362,7 @@ +@@ -358,11 +358,16 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. ++ + 
diff --git a/shadow-utils.spec b/shadow-utils.spec index 1d4ff2e..cf80b64 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -97,7 +97,7 @@ export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --without-libcrack \ --without-libpam \ --disable-shared \ - --with-group-name-max-length=32 + --with-group-name-max-length=32 make %install @@ -220,6 +220,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Oct 18 2013 Tomas Mraz - 2:4.1.5.1-9 +- document that the directory where user's home is created must exist + * Thu Jul 25 2013 Tomas Mraz - 2:4.1.5.1-8 - slightly more meaningful error messages if crypt() returns NULL (#988184) - explicit suid permissions From 8d1ef4078b086d9a417f102c8cb6f94e08b363d5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 12 Feb 2014 11:43:04 +0100 Subject: [PATCH 093/151] clean up login.defs manpage - properly document userdel -f behavior --- shadow-4.1.5.1-manfix.patch | 150 ++++++++++++++++++++++++++- shadow-4.1.5.1-userdel-helpfix.patch | 15 +++ shadow-utils.spec | 8 +- 3 files changed, 168 insertions(+), 5 deletions(-) create mode 100644 shadow-4.1.5.1-userdel-helpfix.patch diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch index c66d7c9..00b792f 100644 --- a/shadow-4.1.5.1-manfix.patch +++ b/shadow-4.1.5.1-manfix.patch 
@@ -1,6 +1,148 @@ +diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml +--- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200 ++++ shadow-4.1.5.1/man/login.defs.5.xml 2014-02-12 11:18:36.126334872 +0100 +@@ -160,6 +160,17 @@ + long numeric parameters is machine-dependent. + + ++ ++ Please note that the parameters in this configuration file control the ++ behavior of the tools from the shadow-utils component. None of these ++ tools uses the PAM mechanism, and the utilities that use PAM (such as the ++ passwd command) should be configured elsewhere. The only values that ++ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS ++ for pam_unix module, FAIL_DELAY for pam_faildelay module, ++ and UMASK for pam_umask module. Refer to ++ pam(8) for more information. ++ ++ + The following configuration items are provided: + + +diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/login.defs.5 +--- shadow-4.1.5.1/man/man5/login.defs.5.manfix 2012-05-25 13:59:03.000000000 +0200 ++++ shadow-4.1.5.1/man/man5/login.defs.5 2014-02-12 11:26:27.159851843 +0100 +@@ -46,6 +46,14 @@ value\&. Numbers (both regular and long) + \fI0\fR) or hexadecimal values (precede the value with + \fI0x\fR)\&. The maximum value of the regular and long numeric parameters is machine\-dependent\&. + .PP ++Please note that the parameters in this configuration file control the ++behavior of the tools from the shadow-utils component\&. None of these ++tools uses the PAM mechanism, and the utilities that use PAM (such as the ++passwd command) should be configured elsewhere\&. The only values that ++affect PAM modules are \fBENCRYPT_METHOD\fR and \fBSHA_CRYPT_MAX_ROUNDS\fR for pam_unix module, ++\fBFAIL_DELAY\fR for pam_faildelay module, and \fBUMASK\fR for pam_umask module\&. Refer to ++pam(8) for more information\&. 
++.PP + The following configuration items are provided: + .PP + \fBCHFN_AUTH\fR (boolean) +@@ -625,20 +633,6 @@ will create by default a group with the + .PP + The following cross references show which programs in the shadow password suite use which parameters\&. + .PP +-chfn +-.RS 4 +- +-CHFN_AUTH +-CHFN_RESTRICT +-LOGIN_STRING +-.RE +-.PP +-chgpasswd +-.RS 4 +-ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB +-SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS +-.RE +-.PP + chpasswd + .RS 4 + +@@ -646,11 +640,6 @@ ENCRYPT_METHOD MD5_CRYPT_ENAB + SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS + .RE + .PP +-chsh +-.RS 4 +-CHSH_AUTH LOGIN_STRING +-.RE +-.PP + gpasswd + .RS 4 + ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB +@@ -692,29 +681,6 @@ grpunconv + MAX_MEMBERS_PER_GROUP + .RE + .PP +-login +-.RS 4 +- +-CONSOLE +-CONSOLE_GROUPS DEFAULT_HOME +-ENV_HZ ENV_PATH ENV_SUPATH ENV_TZ ENVIRON_FILE +-ERASECHAR FAIL_DELAY +-FAILLOG_ENAB +-FAKE_SHELL +-FTMP_FILE +-HUSHLOGIN_FILE +-ISSUE_FILE +-KILLCHAR +-LASTLOG_ENAB +-LOGIN_RETRIES +-LOGIN_STRING +-LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +-MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB +-TTYGROUP TTYPERM TTYTYPE_FILE +-ULIMIT UMASK +-USERGROUPS_ENAB +-.RE +-.PP + newgrp / sg + .RS 4 + SYSLOG_SG_ENAB +@@ -727,12 +693,6 @@ SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUND + SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK + .RE + .PP +-passwd +-.RS 4 +-ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN +-SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS +-.RE +-.PP + pwck + .RS 4 + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE +@@ -743,26 +703,6 @@ pwconv + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE + .RE + .PP +-su +-.RS 4 +- +-CONSOLE +-CONSOLE_GROUPS DEFAULT_HOME +-ENV_HZ ENVIRON_FILE +-ENV_PATH ENV_SUPATH +-ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE QUOTAS_ENAB +-SULOG_FILE SU_NAME +-SU_WHEEL_ONLY 
+-SYSLOG_SU_ENAB +-USERGROUPS_ENAB +-.RE +-.PP +-sulogin +-.RS 4 +-ENV_HZ +-ENV_TZ +-.RE +-.PP + useradd + .RS 4 + CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 ---- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-07-25 10:39:00.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/useradd.8 2013-10-18 16:29:41.003281715 +0200 +--- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-11-27 10:25:34.740049650 +0100 ++++ shadow-4.1.5.1/man/man8/useradd.8 2013-11-27 10:25:34.758050045 +0100 @@ -85,7 +85,7 @@ by default\&. Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. .RE @@ -26,8 +168,8 @@ diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/userad Do not create the user\*(Aqs home directory, even if the system wide setting from /etc/login\&.defs diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-07-25 10:39:00.115637664 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-10-18 16:22:13.151437562 +0200 +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-11-27 10:25:34.740049650 +0100 ++++ shadow-4.1.5.1/man/useradd.8.xml 2013-11-27 10:25:34.759050067 +0100 @@ -161,7 +161,7 @@ diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch new file mode 100644 index 0000000..03f53bc --- /dev/null +++ b/shadow-4.1.5.1-userdel-helpfix.patch 
@@ -0,0 +1,15 @@ +diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c +--- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 ++++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 +@@ -130,8 +130,9 @@ static void usage (int status) + "\n" + "Options:\n"), + Prog); +- (void) fputs (_(" -f, --force force removal of files,\n" +- " even if not owned by user\n"), ++ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n" ++ " e.g. removal of user still logged in\n ++ " or files, even if not owned by the user\n"), + usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout); diff --git a/shadow-utils.spec b/shadow-utils.spec index cf80b64..9f0e00d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -23,6 +23,7 @@ Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch +Patch17: shadow-4.1.5.1-userdel-helpfix.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -67,6 +68,7 @@ are used for managing group accounts. %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch16 -p1 -b .crypt-null +%patch17 -p1 -b .userdel iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
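Review bot: The new `-f` help text does not compile as written: the second added line `" e.g. removal of user still logged in\n` has no closing double quote, so the string literal runs into the following line and the fputs() argument is malformed. The line should read `" e.g. removal of user still logged in\n"`. The next commit in this series (094) makes exactly that one-character correction, so the two should be squashed so that the intermediate revision builds. The enclosing usage() function starts and ends outside the hunk.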
@@ -220,6 +222,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 12 2014 Tomas Mraz - 2:4.1.5.1-10 +- clean up login.defs manpage +- properly document userdel -f behavior + * Fri Oct 18 2013 Tomas Mraz - 2:4.1.5.1-9 - document that the directory where user's home is created must exist From a8136ba211aacf1e845a61dbbd6982cac5f548ac Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 12 Feb 2014 11:50:55 +0100 Subject: [PATCH 094/151] clean up login.defs manpage - properly document userdel -f behavior --- shadow-4.1.5.1-userdel-helpfix.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch index 03f53bc..b79baee 100644 --- a/shadow-4.1.5.1-userdel-helpfix.patch +++ b/shadow-4.1.5.1-userdel-helpfix.patch @@ -8,7 +8,7 @@ diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c - (void) fputs (_(" -f, --force force removal of files,\n" - " even if not owned by user\n"), + (void) fputs (_(" -f, --force force some actions that would fail otherwise\n" -+ " e.g. removal of user still logged in\n ++ " e.g. removal of user still logged in\n" + " or files, even if not owned by the user\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); From c509d20844f05c92752b3f42efc5080d38b7d729 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sun, 8 Jun 2014 01:14:33 -0500 Subject: [PATCH 095/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 9f0e00d..1585a51 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -222,6 +222,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sun Jun 08 2014 Fedora Release Engineering - 2:4.1.5.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + * Wed Feb 12 2014 Tomas Mraz - 2:4.1.5.1-10 - clean up login.defs manpage - properly document userdel -f behavior From dad42cc2f595d9a4d02d832e9f1c70be64b97393 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 Jun 2014 15:22:33 +0200 Subject: [PATCH 096/151] improve group allocation algorithm - patch by Stephen Gallager (#1089738) --- shadow-4.1.5.1-group-alloc.patch | 642 +++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 648 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-group-alloc.patch diff --git a/shadow-4.1.5.1-group-alloc.patch b/shadow-4.1.5.1-group-alloc.patch new file mode 100644 index 0000000..892ae7d --- /dev/null +++ b/shadow-4.1.5.1-group-alloc.patch 
@@ -0,0 +1,642 @@ +From e551be23be24508ecf5c8afdf74fd69b88832ecd Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Mon, 9 Jun 2014 10:34:02 -0400 +Subject: [PATCH] Redesign automatic GID allocation + +Previously, this allocation was optimized for an outdated +deployment style (that of /etc/group alongside nss_db). The issue +here is that this results in extremely poor performance when using +SSSD, Winbind or nss_ldap. + +There were actually three serious bugs here that have been addressed: + +1) Running getgrent() loops won't work in most SSSD or Winbind +environments, as full group enumeration is disabled by default. +This could easily result in auto-allocating a group that was +already in use. (This might result in a security issue as well, if +the shared GID is a privileged group). + +2) For system groups, the loop was always iterating through the +complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this +means hundreds of round-trips to LDAP (unless the GIDs were +specifically configured to be ignored by the SSSD or winbindd). +To a user with a slow connection to their LDAP server, this would +appear as if groupadd -r was hung. (Though it would eventually +complete). + +3) This patch also adds better error-handling for errno from +getgrgid(), since if this function returns an unexpected error, we +should not be treating it as "ID is available". This could result +in assigning a GID that was already in use, with all the same +issues as 1) above. + +This patch changes the algorithm to be more favorable for LDAP +environments, at the expense of some performance when using nss_db. +Given that the DB is a local service, this should have a negligible +effect from a user's perspective. + +With the new algorithm, we simply first iterate through all entries +in the local database with gr_next(), recording the IDs that are in +use. We then start from the highest presumed-available entry and +call getgrgid() to see if it is available. 
We continue this until +we come to the first unused GID. We then select that and return it. + +If we make it through all the remaining IDs without finding a free +one, we start over from the beginning of the range and try to find +room in one of the gaps in the range. +--- + libmisc/find_new_gid.c | 533 +++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 407 insertions(+), 126 deletions(-) + +diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c +index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b814763a16 100644 +--- a/libmisc/find_new_gid.c ++++ b/libmisc/find_new_gid.c +@@ -39,6 +39,118 @@ + #include "getdef.h" + + /* ++ * get_ranges - Get the minimum and maximum ID ranges for the search ++ * ++ * This function will return the minimum and maximum ranges for IDs ++ * ++ * 0: The function completed successfully ++ * EINVAL: The provided ranges are impossible (such as maximum < minimum) ++ * ++ * preferred_min: The special-case minimum value for a specifically- ++ * requested ID, which may be lower than the standard min_id ++ */ ++static int get_ranges(bool sys_group, gid_t *min_id, gid_t *max_id, ++ gid_t *preferred_min) ++{ ++ gid_t gid_def_max = 0; ++ ++ if (sys_group) { ++ /* System groups */ ++ ++ /* A requested ID is allowed to be below the autoselect range */ ++ *preferred_min = (gid_t) 1; ++ ++ /* Get the minimum ID range from login.defs or default to 101 */ ++ *min_id = (gid_t) getdef_ulong("SYS_GID_MIN", 101UL); ++ ++ /* ++ * If SYS_GID_MAX is unspecified, we should assume it to be one ++ * less than the GID_MIN (which is reserved for non-system accounts) ++ */ ++ gid_def_max = (gid_t) getdef_ulong("GID_MIN", 1000UL) - 1; ++ *max_id = (gid_t) getdef_ulong("SYS_GID_MAX", ++ (unsigned long) gid_def_max); ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf (stderr, ++ _("%s: Invalid configuration: SYS_GID_MIN (%lu), " ++ "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), ++ Prog, 
(unsigned long) *min_id, ++ getdef_ulong ("GID_MIN", 1000UL), ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } else { ++ /* Non-system groups */ ++ ++ /* Get the values from login.defs or use reasonable defaults */ ++ *min_id = (gid_t) getdef_ulong("GID_MIN", 1000UL); ++ *max_id = (gid_t) getdef_ulong("GID_MAX", 60000UL); ++ ++ /* ++ * The preferred minimum should match the standard ID minimum ++ * for non-system groups. ++ */ ++ *preferred_min = *min_id; ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf(stderr, ++ _("%s: Invalid configuration: GID_MIN (%lu), " ++ "GID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } ++ ++ return 0; ++} ++ ++/* ++ * check_gid - See if the requested GID is available ++ * ++ * On success, return 0 ++ * If the ID is in use, return EEXIST ++ * If the ID is outside the range, return ERANGE ++ * In other cases, return errno from getgrgid() ++ */ ++static int check_gid(const gid_t gid, ++ const gid_t gid_min, ++ const gid_t gid_max, ++ bool *used_gids) ++{ ++ /* First test that the preferred ID is in the range */ ++ if (gid < gid_min || gid > gid_max) { ++ return ERANGE; ++ } ++ ++ /* ++ * Check whether we already detected this GID ++ * using the gr_next() loop ++ */ ++ if (used_gids != NULL && used_gids[gid]) { ++ return EEXIST; ++ } ++ /* Check if the GID exists according to NSS */ ++ errno = 0; ++ if (getgrgid(gid) != NULL) { ++ return EEXIST; ++ } else { ++ /* getgrgid() was NULL, check whether this was ++ * due to an error, so we can report it. ++ */ ++ if (errno != 0) { ++ return errno; ++ } ++ } ++ ++ /* If we've made it here, the GID must be available */ ++ return 0; ++} ++ ++/* + * find_new_gid - Find a new unused GID. + * + * If successful, find_new_gid provides an unused group ID in the +@@ -48,166 +160,339 @@ + * + * Return 0 on success, -1 if no unused GIDs are available. 
+ */ +-int find_new_gid (bool sys_group, +- gid_t *gid, +- /*@null@*/gid_t const *preferred_gid) ++int find_new_gid(bool sys_group, ++ gid_t *gid, ++ /*@null@*/gid_t const *preferred_gid) + { +- const struct group *grp; +- gid_t gid_min, gid_max, group_id; + bool *used_gids; ++ const struct group *grp; ++ gid_t gid_min, gid_max, preferred_min; ++ gid_t group_id, id; ++ gid_t lowest_found, highest_found; ++ int result; ++ int nospam = 0; + +- assert (gid != NULL); ++ assert(gid != NULL); + +- if (!sys_group) { +- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); +- gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); +- if (gid_max < gid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"), +- Prog, (unsigned long) gid_min, (unsigned long) gid_max); +- return -1; +- } +- } else { +- gid_min = (gid_t) 1; +- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; +- gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); +- if (gid_max < gid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), +- Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max); ++ /* ++ * First, figure out what ID range is appropriate for ++ * automatic assignment ++ */ ++ result = get_ranges(sys_group, &gid_min, &gid_max, &preferred_min); ++ if (result == EINVAL) { ++ return -1; ++ } ++ ++ /* Check if the preferred GID is available */ ++ if (preferred_gid) { ++ result = check_gid(*preferred_gid, preferred_min, gid_max, NULL); ++ if (result == 0) { ++ /* ++ * Make sure the GID isn't queued for use already ++ */ ++ if (gr_locate_gid (preferred_gid) == NULL) { ++ *gid = *preferred_gid; ++ return 0; ++ } ++ /* ++ * gr_locate_gid() found the GID in an as-yet uncommitted ++ * entry. We'll proceed below and auto-set a GID. ++ */ ++ } else if (result == EEXIST || result == ERANGE) { ++ /* ++ * Continue on below. 
At this time, we won't ++ * treat these two cases differently. ++ */ ++ } else { ++ /* ++ * An unexpected error occurred. We should report ++ * this and fail the group creation. ++ * This differs from the automatic creation ++ * behavior below, since if a specific GID was ++ * requested and generated an error, the user is ++ * more likely to want to stop and address the ++ * issue. ++ */ ++ fprintf(stderr, ++ _("%s: Encountered error attempting to use " ++ "preferred GID: %s\n"), ++ Prog, strerror(result)); + return -1; + } + } ++ ++ /* ++ * Search the entire group file, ++ * looking for the next unused value. ++ * ++ * We first check the local database with gr_rewind/gr_next to find ++ * all local values that are in use. ++ * ++ * We then compare the next free value to all databases (local and ++ * remote) and iterate until we find a free one. If there are free ++ * values beyond the lowest (system groups) or highest (non-system ++ * groups), we will prefer those and avoid potentially reclaiming a ++ * deleted group (which can be a security issue, since it may grant ++ * access to files belonging to that former group). ++ * ++ * If there are no GIDs available at the end of the search, we will ++ * have no choice but to iterate through the range looking for gaps. 
++ * ++ */ ++ ++ /* Create an array to hold all of the discovered GIDs */ + used_gids = malloc (sizeof (bool) * (gid_max +1)); + if (NULL == used_gids) { + fprintf (stderr, +- _("%s: failed to allocate memory: %s\n"), +- Prog, strerror (errno)); ++ _("%s: failed to allocate memory: %s\n"), ++ Prog, strerror (errno)); + return -1; + } + memset (used_gids, false, sizeof (bool) * (gid_max + 1)); + +- if ( (NULL != preferred_gid) +- && (*preferred_gid >= gid_min) +- && (*preferred_gid <= gid_max) +- /* Check if the user exists according to NSS */ +- && (getgrgid (*preferred_gid) == NULL) +- /* Check also the local database in case of uncommitted +- * changes */ +- && (gr_locate_gid (*preferred_gid) == NULL)) { +- *gid = *preferred_gid; +- free (used_gids); +- return 0; +- } ++ /* First look for the lowest and highest value in the local database */ ++ (void) gr_rewind (); ++ highest_found = gid_min; ++ lowest_found = gid_max; ++ while ((grp = gr_next ()) != NULL) { ++ /* ++ * Does this entry have a lower GID than the lowest we've found ++ * so far? ++ */ ++ if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) { ++ lowest_found = grp->gr_gid - 1; ++ } ++ ++ /* ++ * Does this entry have a higher GID than the highest we've found ++ * so far? ++ */ ++ if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) { ++ highest_found = grp->gr_gid + 1; ++ } ++ ++ /* create index of used GIDs */ ++ if (grp->gr_gid >= gid_min ++ && grp->gr_gid <= gid_max) { + +- /* if we did not find free preffered system gid, we start to look for +- * one in the range assigned to dynamic system IDs */ +- if (sys_group) +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ used_gids[grp->gr_gid] = true; ++ } ++ } + +- /* +- * Search the entire group file, +- * looking for the largest unused value. 
+- * +- * We check the list of groups according to NSS (setgrent/getgrent), +- * but we also check the local database (gr_rewind/gr_next) in case +- * some groups were created but the changes were not committed yet. +- */ + if (sys_group) { +- gid_t id; +- /* setgrent / getgrent / endgrent can be very slow with +- * LDAP configurations (and many accounts). +- * Since there is a limited amount of IDs to be tested +- * for system accounts, we just check the existence +- * of IDs with getgrgid. ++ /* ++ * For system groups, we want to start from the ++ * top of the range and work downwards. + */ +- group_id = gid_max; +- for (id = gid_max; id >= gid_min; id--) { +- if (getgrgid (id) != NULL) { +- group_id = id - 1; +- used_gids[id] = true; +- } ++ ++ /* ++ * At the conclusion of the gr_next() search, we will either ++ * have a presumed-free GID or we will be at GID_MIN - 1. ++ */ ++ if (lowest_found < gid_min) { ++ /* ++ * In this case, a GID is in use at GID_MIN. ++ * ++ * We will reset the search to GID_MAX and proceed down ++ * through all the GIDs (skipping those we detected with ++ * used_gids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted GID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign GIDs ++ * explicitly). ++ */ ++ lowest_found = gid_max; + } + +- (void) gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { +- group_id = grp->gr_gid - 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ /* Search through all of the IDs in the range */ ++ for (id = lowest_found; id >= gid_min; id--) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. 
*/ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- } else { +- group_id = gid_min; +- setgrent (); +- while ((grp = getgrent ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; ++ ++ /* ++ * If we get all the way through the loop, try again from GID_MAX, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) ++ * cycles *again* if we fall into this case with lowest_found as ++ * GID_MAX - 1, all groups in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (lowest_found != gid_max) { ++ for (id = gid_max; id >= gid_min; id--) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system GID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ ++ } + } + } +- endgrent (); ++ } else { /* !sys_group */ ++ /* ++ * For non-system groups, we want to start from the ++ * bottom of the range and work upwards. ++ */ + +- (void) gr_rewind (); +- while ((grp = gr_next ()) != NULL) { +- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { +- group_id = grp->gr_gid + 1; +- } +- /* create index of used GIDs */ +- if (grp->gr_gid <= gid_max) { +- used_gids[grp->gr_gid] = true; +- } ++ /* ++ * At the conclusion of the gr_next() search, we will either ++ * have a presumed-free GID or we will be at GID_MAX + 1. ++ */ ++ if (highest_found > gid_max) { ++ /* ++ * In this case, a GID is in use at GID_MAX. ++ * ++ * We will reset the search to GID_MIN and proceed up ++ * through all the GIDs (skipping those we detected with ++ * used_gids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted GID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign GIDs ++ * explicitly). ++ */ ++ highest_found = gid_min; + } +- } + +- /* +- * If a group (resp. system group) with GID equal to GID_MAX (resp. +- * GID_MIN) exists, the above algorithm will give us GID_MAX+1 +- * (resp. GID_MIN-1) even if not unique. Search for the first free +- * GID starting with GID_MIN (resp. GID_MAX). +- */ +- if (sys_group) { +- if (group_id < gid_min) { +- for (group_id = gid_max; group_id >= gid_min; group_id--) { +- if (false == used_gids[group_id]) { +- break; ++ /* Search through all of the IDs in the range */ ++ for (id = highest_found; id <= gid_max; id++) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. 
*/ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique GID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; + } +- } +- if (group_id < gid_min) { +- fprintf (stderr, +- _("%s: Can't get unique system GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available GID on the system")); +- free (used_gids); +- return -1; ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- } else { +- if (group_id > gid_max) { +- for (group_id = gid_min; group_id <= gid_max; group_id++) { +- if (false == used_gids[group_id]) { +- break; ++ ++ /* ++ * If we get all the way through the loop, try again from GID_MIN, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) ++ * cycles *again* if we fall into this case with highest_found as ++ * GID_MIN + 1, all groups in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (highest_found != gid_min) { ++ for (id = gid_min; id <= gid_max; id++) { ++ result = check_gid(id, gid_min, gid_max, used_gids); ++ if (result == 0) { ++ /* This GID is available. Return it. */ ++ *gid = id; ++ free(used_gids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This GID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique GID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available GIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later GID ++ * will work properly. ++ */ + } + } +- if (group_id > gid_max) { +- fprintf (stderr, +- _("%s: Can't get unique GID (no more available GIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, "no more available GID on the system")); +- free (used_gids); +- return -1; +- } + } + } + +- free (used_gids); +- *gid = group_id; +- return 0; ++ /* The code reached here and found no available IDs in the range */ ++ fprintf(stderr, ++ _("%s: Can't get unique GID (no more available GIDs)\n"), ++ Prog); ++ SYSLOG((LOG_WARN, "no more available GIDs on the system")); ++ free(used_gids); ++ return -1; + } + +-- +1.9.3 + diff --git a/shadow-utils.spec b/shadow-utils.spec index 1585a51..138872f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 11%{?dist} +Release: 12%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -24,6 +24,7 @@ Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch +Patch18: shadow-4.1.5.1-group-alloc.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -69,6 +70,7 @@ are used for managing group accounts. %patch15 -p1 -b .manfix %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel +%patch18 -p1 -b .group-alloc iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
@@ -222,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-12 +- improve group allocation algorithm - patch by Stephen Gallager (#1089738) + * Sun Jun 08 2014 Fedora Release Engineering - 2:4.1.5.1-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild From efff9fe79f2cd8ca2d6336c29b71a7f7432079b2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 2 Jul 2014 13:30:31 +0200 Subject: [PATCH 097/151] ignore getgrgid() errors for now --- shadow-4.1.5.1-group-alloc.patch | 6 +++--- shadow-utils.spec | 5 ++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/shadow-4.1.5.1-group-alloc.patch b/shadow-4.1.5.1-group-alloc.patch index 892ae7d..0ac336b 100644 --- a/shadow-4.1.5.1-group-alloc.patch +++ b/shadow-4.1.5.1-group-alloc.patch @@ -158,9 +158,9 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + /* getgrgid() was NULL, check whether this was + * due to an error, so we can report it. + */ -+ if (errno != 0) { ++ /* ignore errors for now * if (errno != 0) { + return errno; -+ } ++ } */ + } + + /* If we've made it here, the GID must be available */ @@ -228,7 +228,7 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + /* + * Make sure the GID isn't queued for use already + */ -+ if (gr_locate_gid (preferred_gid) == NULL) { ++ if (gr_locate_gid (*preferred_gid) == NULL) { + *gid = *preferred_gid; + return 0; + } diff --git a/shadow-utils.spec b/shadow-utils.spec index 138872f..0d186a4 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 12%{?dist} +Release: 13%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 
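Review bot: Commenting out the errno check in check_gid() turns every getgrgid() backend failure into "GID available": if the NSS source (LDAP, SSSD, winbind) is unreachable when groupadd runs, the lookup returns NULL with errno set, check_gid() now returns 0, and a GID that is in use by a remote group can be handed out — the duplicate/privileged-GID scenario the group-alloc patch description calls out as a security issue. If the motivation is that a plain not-found lookup can also set errno (getgrgid(3) documents ENOENT/ESRCH for that case), the narrower fix is to exclude those values instead of discarding the error entirely: `if (errno != 0 && errno != ENOENT && errno != ESRCH) return errno;`. As committed, the preceding `errno = 0;` is dead and check_gid()'s header comment ("In other cases, return errno from getgrgid()") no longer describes what the function does. The enclosing check_gid() starts and ends outside the hunk.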
@@ -224,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-13 +- ignore getgrgid() errors for now + * Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-12 - improve group allocation algorithm - patch by Stephen Gallager (#1089738) From 6a7e42e7e913612c911bf2baf286e1db763cf173 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 10 Jul 2014 17:06:38 +0200 Subject: [PATCH 098/151] put system users and groups into /usr/lib/{passwd,group} if the files exist and SHADOW_USE_USRLIB environment variable is set Patch by Colin Walters --- shadow-4.1.5.1-usr-lib.patch | 706 +++++++++++++++++++++++++++++++++++ shadow-utils.spec | 11 +- 2 files changed, 716 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-usr-lib.patch diff --git a/shadow-4.1.5.1-usr-lib.patch b/shadow-4.1.5.1-usr-lib.patch new file mode 100644 index 0000000..b9c7af0 --- /dev/null +++ b/shadow-4.1.5.1-usr-lib.patch 
@@ -0,0 +1,706 @@ +From 43f9ae51f2629b7c42a5a0e664cf62907b1f1276 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Tue, 17 Dec 2013 18:48:48 -0500 +Subject: [PATCH] Use /usr/lib/passwd for system users (if it exists, and + SHADOW_USE_USRLIB) + +See https://sourceware.org/bugzilla/show_bug.cgi?id=16142 + +This allows OSTree/Atomic to write usernames to /usr/lib/passwd (and +/usr/lib/group). +--- + lib/defines.h | 8 +++++ + lib/groupio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- + lib/groupio.h | 7 +++++ + lib/pwio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- + lib/pwio.h | 7 +++++ + libmisc/cleanup_group.c | 2 +- + src/groupadd.c | 24 +++++++-------- + src/newusers.c | 18 +++++------ + src/useradd.c | 68 ++++++++++++++++++++--------------------- + 9 files changed, 230 insertions(+), 66 deletions(-) + +diff --git a/lib/defines.h b/lib/defines.h +index c5d84a8..27ad429 100644 +--- a/lib/defines.h ++++ b/lib/defines.h +@@ -302,10 +302,18 @@ char *strchr (), *strrchr (), *strtok (); + #define PASSWD_FILE "/etc/passwd" + #endif + ++#ifndef USRLIB_PASSWD_FILE ++#define USRLIB_PASSWD_FILE "/usr/lib/passwd" ++#endif ++ + #ifndef GROUP_FILE + #define GROUP_FILE "/etc/group" + #endif + ++#ifndef USRLIB_GROUP_FILE ++#define USRLIB_GROUP_FILE "/usr/lib/group" ++#endif ++ + #ifndef SHADOW_FILE + #define SHADOW_FILE "/etc/shadow" + #endif +diff --git a/lib/groupio.c b/lib/groupio.c +index e0bb030..d9c01c1 100644 +--- a/lib/groupio.c ++++ b/lib/groupio.c +@@ -139,6 +139,42 @@ static /*@owned@*/struct commonio_db group_db = { + false /* readonly */ + }; + ++static struct commonio_db usrlib_group_db = { ++ USRLIB_GROUP_FILE, /* filename */ ++ &group_ops, /* ops */ ++ NULL, /* fp */ ++#ifdef WITH_SELINUX ++ NULL, /* scontext */ ++#endif ++ NULL, /* head */ ++ NULL, /* tail */ ++ NULL, /* cursor */ ++ false, /* changed */ ++ false, /* isopen */ ++ false, /* locked */ ++ false /* readonly */ ++}; ++ ++static struct commonio_db * ++get_db (int usrlib) ++{ ++ 
static int checked_usrlib; ++ static int have_usrlib; ++ ++ if (!usrlib) ++ return &group_db; ++ ++ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { ++ struct stat stbuf; ++ checked_usrlib = 1; ++ have_usrlib = lstat (usrlib_group_db.filename, &stbuf) == 0; ++ } ++ ++ if (have_usrlib) ++ return &usrlib_group_db; ++ return &group_db; ++} ++ + int gr_setdbname (const char *filename) + { + return commonio_setname (&group_db, filename); +@@ -149,14 +185,29 @@ int gr_setdbname (const char *filename) + return group_db.filename; + } + ++/*@observer@*/const char *gr_dbname_extended (int usrlib) ++{ ++ return get_db (usrlib)->filename; ++} ++ + int gr_lock (void) + { +- return commonio_lock (&group_db); ++ return gr_lock_extended (0); ++} ++ ++int gr_lock_extended (int usrlib) ++{ ++ return commonio_lock (get_db (usrlib)); + } + + int gr_open (int mode) + { +- return commonio_open (&group_db, mode); ++ return gr_open_extended (0, mode); ++} ++ ++int gr_open_extended (int usrlib, int mode) ++{ ++ return commonio_open (get_db (usrlib), mode); + } + + /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name) +@@ -178,7 +229,12 @@ int gr_open (int mode) + + int gr_update (const struct group *gr) + { +- return commonio_update (&group_db, (const void *) gr); ++ return gr_update_extended (0, gr); ++} ++ ++int gr_update_extended (int usrlib, const struct group *gr) ++{ ++ return commonio_update (get_db (usrlib), (const void *) gr); + } + + int gr_remove (const char *name) +@@ -186,6 +242,11 @@ int gr_remove (const char *name) + return commonio_remove (&group_db, name); + } + ++int gr_remove_extended (int usrlib, const char *name) ++{ ++ return commonio_remove (get_db (usrlib), name); ++} ++ + int gr_rewind (void) + { + return commonio_rewind (&group_db); +@@ -198,12 +259,22 @@ int gr_rewind (void) + + int gr_close (void) + { +- return commonio_close (&group_db); ++ return gr_close_extended (0); ++} ++ ++int gr_close_extended (int usrlib) ++{ ++ return 
commonio_close (get_db (usrlib)); + } + + int gr_unlock (void) + { +- return commonio_unlock (&group_db); ++ return gr_unlock_extended (0); ++} ++ ++int gr_unlock_extended (int usrlib) ++{ ++ return commonio_unlock (get_db (usrlib)); + } + + void __gr_set_changed (void) +diff --git a/lib/groupio.h b/lib/groupio.h +index 6440523..01f66d5 100644 +--- a/lib/groupio.h ++++ b/lib/groupio.h +@@ -39,17 +39,24 @@ + #include + + extern int gr_close (void); ++extern int gr_close_extended (int usrlib); + extern /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name); + extern /*@observer@*/ /*@null@*/const struct group *gr_locate_gid (gid_t gid); + extern int gr_lock (void); ++extern int gr_lock_extended (int usrlib); + extern int gr_setdbname (const char *filename); + extern /*@observer@*/const char *gr_dbname (void); ++extern /*@observer@*/const char *gr_dbname_extended (int rflg); + extern /*@observer@*/ /*@null@*/const struct group *gr_next (void); + extern int gr_open (int mode); ++extern int gr_open_extended (int usrlib, int mode); + extern int gr_remove (const char *name); ++extern int gr_remove_extended (int usrlib, const char *name); + extern int gr_rewind (void); + extern int gr_unlock (void); ++extern int gr_unlock_extended (int usrlib); + extern int gr_update (const struct group *gr); ++extern int gr_update_extended (int usrlib, const struct group *gr); + extern int gr_sort (void); + + #endif +diff --git a/lib/pwio.c b/lib/pwio.c +index d63d15d..1ce005f 100644 +--- a/lib/pwio.c ++++ b/lib/pwio.c +@@ -114,6 +114,42 @@ static struct commonio_db passwd_db = { + false /* readonly */ + }; + ++static struct commonio_db usrlib_passwd_db = { ++ USRLIB_PASSWD_FILE, /* filename */ ++ &passwd_ops, /* ops */ ++ NULL, /* fp */ ++#ifdef WITH_SELINUX ++ NULL, /* scontext */ ++#endif ++ NULL, /* head */ ++ NULL, /* tail */ ++ NULL, /* cursor */ ++ false, /* changed */ ++ false, /* isopen */ ++ false, /* locked */ ++ false /* readonly */ ++}; ++ ++static struct 
commonio_db * ++get_db (int usrlib) ++{ ++ static int checked_usrlib; ++ static int have_usrlib; ++ ++ if (!usrlib) ++ return &passwd_db; ++ ++ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { ++ struct stat stbuf; ++ checked_usrlib = 1; ++ have_usrlib = lstat (usrlib_passwd_db.filename, &stbuf) == 0; ++ } ++ ++ if (have_usrlib) ++ return &usrlib_passwd_db; ++ return &passwd_db; ++} ++ + int pw_setdbname (const char *filename) + { + return commonio_setname (&passwd_db, filename); +@@ -124,9 +160,19 @@ int pw_setdbname (const char *filename) + return passwd_db.filename; + } + ++/*@observer@*/const char *pw_dbname_extended (int usrlib) ++{ ++ return get_db (usrlib)->filename; ++} ++ + int pw_lock (void) + { +- return commonio_lock (&passwd_db); ++ return pw_lock_extended (0); ++} ++ ++int pw_lock_extended (int usrlib) ++{ ++ return commonio_lock (get_db (usrlib)); + } + + int pw_open (int mode) +@@ -134,6 +180,11 @@ int pw_open (int mode) + return commonio_open (&passwd_db, mode); + } + ++int pw_open_extended (int usrlib, int mode) ++{ ++ return commonio_open (get_db (usrlib), mode); ++} ++ + /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name) + { + return commonio_locate (&passwd_db, name); +@@ -153,12 +204,22 @@ int pw_open (int mode) + + int pw_update (const struct passwd *pw) + { +- return commonio_update (&passwd_db, (const void *) pw); ++ return pw_update_extended (0, pw); ++} ++ ++int pw_update_extended (int usrlib, const struct passwd *pw) ++{ ++ return commonio_update (get_db (usrlib), (const void *) pw); + } + + int pw_remove (const char *name) + { +- return commonio_remove (&passwd_db, name); ++ return pw_remove_extended (0, name); ++} ++ ++int pw_remove_extended (int usrlib, const char *name) ++{ ++ return commonio_remove (get_db (usrlib), name); + } + + int pw_rewind (void) +@@ -173,12 +234,22 @@ int pw_rewind (void) + + int pw_close (void) + { +- return commonio_close (&passwd_db); ++ return pw_close_extended (0); ++} ++ 
++int pw_close_extended (int usrlib) ++{ ++ return commonio_close (get_db (usrlib)); + } + + int pw_unlock (void) + { +- return commonio_unlock (&passwd_db); ++ return pw_unlock_extended (0); ++} ++ ++int pw_unlock_extended (int usrlib) ++{ ++ return commonio_unlock (get_db (usrlib)); + } + + /*@null@*/struct commonio_entry *__pw_get_head (void) +diff --git a/lib/pwio.h b/lib/pwio.h +index 0ee961d..ca73361 100644 +--- a/lib/pwio.h ++++ b/lib/pwio.h +@@ -39,17 +39,24 @@ + #include + + extern int pw_close (void); ++extern int pw_close_extended (int usrlib); + extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name); + extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate_uid (uid_t uid); + extern int pw_lock (void); ++extern int pw_lock_extended (int usrlib); + extern int pw_setdbname (const char *filename); + extern /*@observer@*/const char *pw_dbname (void); ++extern /*@observer@*/const char *pw_dbname_extended (int rflg); + extern /*@observer@*/ /*@null@*/const struct passwd *pw_next (void); + extern int pw_open (int mode); ++extern int pw_open_extended (int usrlib, int mode); + extern int pw_remove (const char *name); ++extern int pw_remove_extended (int usrlib, const char *name); + extern int pw_rewind (void); + extern int pw_unlock (void); ++extern int pw_unlock_extended (int usrlib); + extern int pw_update (const struct passwd *pw); ++extern int pw_update_extended (int usrlib, const struct passwd *pw); + extern int pw_sort (void); + + #endif +diff --git a/libmisc/cleanup_group.c b/libmisc/cleanup_group.c +index d07adc7..cbfc2c6 100644 +--- a/libmisc/cleanup_group.c ++++ b/libmisc/cleanup_group.c +@@ -202,7 +202,7 @@ void cleanup_report_del_group_gshadow (void *group_name) + */ + void cleanup_unlock_group (unused void *arg) + { +- if (gr_unlock () == 0) { ++ if (gr_unlock_extended ((intptr_t)arg) == 0) { + fprintf (stderr, + _("%s: failed to unlock %s\n"), + Prog, gr_dbname ()); +diff --git a/src/groupadd.c b/src/groupadd.c 
+index 84ff55e..f6079aa 100644 +--- a/src/groupadd.c ++++ b/src/groupadd.c +@@ -206,10 +206,10 @@ static void grp_update (void) + /* + * Write out the new group file entry. + */ +- if (gr_update (&grp) == 0) { ++ if (gr_update_extended (rflg, &grp) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, gr_dbname (), grp.gr_name); ++ Prog, gr_dbname_extended (rflg), grp.gr_name); + exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -256,10 +256,10 @@ static void check_new_name (void) + static void close_files (void) + { + /* First, write the changes in the regular group database */ +- if (gr_close () == 0) { ++ if (gr_close_extended (rflg) == 0) { + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), +- Prog, gr_dbname ()); ++ Prog, gr_dbname_extended (rflg)); + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +@@ -269,10 +269,10 @@ static void close_files (void) + SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u", +- gr_dbname (), group_name, (unsigned int) group_id)); ++ gr_dbname_extended (rflg), group_name, (unsigned int) group_id)); + del_cleanup (cleanup_report_add_group_group); + +- cleanup_unlock_group (NULL); ++ cleanup_unlock_group ((void*)rflg); + del_cleanup (cleanup_unlock_group); + + /* Now, write the changes in the shadow database */ +@@ -319,13 +319,13 @@ static void close_files (void) + static void open_files (void) + { + /* First, lock the databases */ +- if (gr_lock () == 0) { ++ if (gr_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), +- Prog, gr_dbname ()); ++ Prog, gr_dbname_extended (rflg)); + exit (E_GRP_UPDATE); + } +- add_cleanup (cleanup_unlock_group, NULL); ++ add_cleanup (cleanup_unlock_group, (void*)rflg); + + #ifdef SHADOWGRP + if (is_shadow_grp) { +@@ -346,9 +346,9 @@ static void open_files (void) + add_cleanup (cleanup_report_add_group, group_name); + + /* And now open the databases */ +- if (gr_open 
(O_RDWR) == 0) { +- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); ++ if (gr_open_extended (rflg, O_RDWR) == 0) { ++ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname_extended (rflg))); + exit (E_GRP_UPDATE); + } + +diff --git a/src/newusers.c b/src/newusers.c +index ac6f538..136926b 100644 +--- a/src/newusers.c ++++ b/src/newusers.c +@@ -380,7 +380,7 @@ static int add_user (const char *name, uid_t uid, gid_t gid) + pwent.pw_dir = ""; /* XXX warning: const */ + pwent.pw_shell = ""; /* XXX warning: const */ + +- return (pw_update (&pwent) == 0) ? -1 : 0; ++ return (pw_update_extended (rflg, &pwent) == 0) ? -1 : 0; + } + + #ifndef USE_PAM +@@ -714,7 +714,7 @@ static void open_files (void) + * modified, or new entries added. The password file is the key - if + * it gets locked, assume the others can be locked right away. + */ +- if (pw_lock () == 0) { ++ if (pw_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, pw_dbname ()); +@@ -730,7 +730,7 @@ static void open_files (void) + } + spw_locked = true; + } +- if (gr_lock () == 0) { ++ if (gr_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +@@ -749,7 +749,7 @@ static void open_files (void) + } + #endif + +- if (pw_open (O_RDWR) == 0) { ++ if (pw_open_extended (rflg, O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); + fail_exit (EXIT_FAILURE); + } +@@ -757,7 +757,7 @@ static void open_files (void) + fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); + fail_exit (EXIT_FAILURE); + } +- if (gr_open (O_RDWR) == 0) { ++ if (gr_open_extended (rflg, O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); + fail_exit (EXIT_FAILURE); + } +@@ -774,12 +774,12 @@ static void open_files 
(void) + */ + static void close_files (void) + { +- if (pw_close () == 0) { ++ if (pw_close_extended (rflg) == 0) { + fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); + fail_exit (EXIT_FAILURE); + } +- if (pw_unlock () == 0) { ++ if (pw_unlock_extended (rflg) == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); + /* continue */ +@@ -804,14 +804,14 @@ static void close_files (void) + spw_locked = false; + } + +- if (gr_close () == 0) { ++ if (gr_close_extended (rflg) == 0) { + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); + fail_exit (EXIT_FAILURE); + } +- if (gr_unlock () == 0) { ++ if (gr_unlock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: failed to unlock %s\n"), + Prog, gr_dbname ()); +diff --git a/src/useradd.c b/src/useradd.c +index b686f14..78979ab 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -228,9 +228,9 @@ static void fail_exit (int code) + } + } + if (pw_locked) { +- if (pw_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); ++ if (pw_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking passwd file", +@@ -241,9 +241,9 @@ static void fail_exit (int code) + } + } + if (gr_locked) { +- if (gr_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); ++ if (gr_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), 
Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking group file", +@@ -847,7 +847,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: Out of memory. Cannot update %s.\n"), + Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); ++ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "adding user to group", +@@ -862,11 +862,11 @@ static void grp_update (void) + * update the group entry to reflect the change. + */ + ngrp->gr_mem = add_list (ngrp->gr_mem, user_name); +- if (gr_update (ngrp) == 0) { ++ if (gr_update_extended (rflg, ngrp) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, gr_dbname (), ngrp->gr_name); +- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); ++ Prog, gr_dbname_extended (rflg), ngrp->gr_name); ++ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "adding user to group", +@@ -1351,9 +1351,9 @@ static void process_flags (int argc, char **argv) + */ + static void close_files (void) + { +- if (pw_close () == 0) { +- fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); +- SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); ++ if (pw_close_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname_extended (rflg))); + fail_exit (E_PW_UPDATE); + } + if (is_shadow_pwd && (spw_close () == 0)) { +@@ -1363,10 +1363,10 @@ static void close_files (void) + fail_exit (E_PW_UPDATE); + } + if 
(do_grp_update) { +- if (gr_close () == 0) { ++ if (gr_close_extended (rflg) == 0) { + fprintf (stderr, +- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); ++ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname_extended (rflg))); + fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -1393,9 +1393,9 @@ static void close_files (void) + } + spw_locked = false; + } +- if (pw_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); ++ if (pw_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking passwd file", +@@ -1405,9 +1405,9 @@ static void close_files (void) + /* continue */ + } + pw_locked = false; +- if (gr_unlock () == 0) { +- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); +- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); ++ if (gr_unlock_extended (rflg) == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname_extended (rflg)); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "unlocking group file", +@@ -1442,15 +1442,15 @@ static void close_files (void) + */ + static void open_files (void) + { +- if (pw_lock () == 0) { ++ if (pw_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), +- Prog, pw_dbname ()); ++ Prog, pw_dbname_extended (rflg)); + exit (E_PW_UPDATE); + } + pw_locked = true; +- if (pw_open (O_RDWR) == 0) { +- fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); ++ if 
(pw_open_extended (rflg, O_RDWR) == 0) { ++ fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname_extended (rflg)); + fail_exit (E_PW_UPDATE); + } + +@@ -1459,15 +1459,15 @@ static void open_files (void) + /* + * Lock and open the group file. + */ +- if (gr_lock () == 0) { ++ if (gr_lock_extended (rflg) == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), +- Prog, gr_dbname ()); ++ Prog, gr_dbname_extended (rflg)); + fail_exit (E_GRP_UPDATE); + } + gr_locked = true; +- if (gr_open (O_RDWR) == 0) { +- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); ++ if (gr_open_extended (rflg, O_RDWR) == 0) { ++ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); + fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -1578,10 +1578,10 @@ static void grp_add (void) + /* + * Write out the new group file entry. + */ +- if (gr_update (&grp) == 0) { ++ if (gr_update_extended (rflg, &grp) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, gr_dbname (), grp.gr_name); ++ Prog, gr_dbname_extended (rflg), grp.gr_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, + "adding group", +@@ -1711,10 +1711,10 @@ static void usr_update (void) + /* + * Put the new (struct passwd) in the table. + */ +- if (pw_update (&pwent) == 0) { ++ if (pw_update_extended (rflg, &pwent) == 0) { + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), +- Prog, pw_dbname (), pwent.pw_name); ++ Prog, pw_dbname_extended (rflg), pwent.pw_name); + fail_exit (E_PW_UPDATE); + } + +-- +1.8.3.1 + diff --git a/shadow-utils.spec b/shadow-utils.spec index 0d186a4..729c255 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
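Review bot: The lookup side of both databases stays bound to the /etc files while lock/open/update/close are switched by `rflg`: in the lib/pwio.c hunk `pw_locate` still reads `return commonio_locate (&passwd_db, name);`, and `pw_locate_uid`, `gr_locate`, `gr_locate_gid`, `pw_next`/`gr_next` and `pw_rewind`/`gr_rewind` get no `_extended` variant. With SHADOW_USE_USRLIB set and `-r`, useradd/groupadd lock and open only the /usr/lib file (`pw_lock_extended (rflg)` / `pw_open_extended (rflg, O_RDWR)` above), so any name- or id-uniqueness check routed through those locate calls (their callers are outside this hunk) would presumably consult a database that was never opened on that path, and a system account could be added twice or be given an id already present in /usr/lib/passwd or /usr/lib/group. Routing the locate/iterate helpers through `get_db (usrlib)` as well, or making `get_db` refuse a mixed call sequence, closes that gap. The src/newusers.c and libmisc/cleanup_group.c hunks also still report `pw_dbname ()`/`gr_dbname ()` right after `pw_lock_extended (rflg)`/`gr_unlock_extended (...)`, so a failure on the /usr/lib file is attributed to /etc in the message, even though `pw_dbname_extended (rflg)`/`gr_dbname_extended (rflg)` exist for exactly that. Since `get_db` picks the target of a privileged account write from `getenv ("SHADOW_USE_USRLIB")` plus a bare `lstat` existence check, a comment there stating that the environment is trusted and that nothing keeps the two files consistent would help the next maintainer.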
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 13%{?dist} +Release: 14%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -25,6 +25,9 @@ Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-group-alloc.patch +# This is needed for Fedora Atomic project and might be dropped if less +# hackish way to create system users and groups is designed. +Patch19: shadow-4.1.5.1-usr-lib.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -71,6 +74,7 @@ are used for managing group accounts. %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .group-alloc +%patch19 -p1 -b .usr-lib iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -224,6 +228,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 10 2014 Tomas Mraz - 2:4.1.5.1-14 +- put system users and groups into /usr/lib/{passwd,group} if + the files exist and SHADOW_USE_USRLIB environment variable is set + Patch by Colin Walters + * Mon Jun 30 2014 Tomas Mraz - 2:4.1.5.1-13 - ignore getgrgid() errors for now From fd2973e24f58f8dbd0f65b25a117a105b6f2290f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 14 Jul 2014 10:34:08 +0200 Subject: [PATCH 099/151] revert the last change as it is not really needed --- shadow-4.1.5.1-usr-lib.patch | 706 ----------------------------------- shadow-utils.spec | 9 +- 2 files changed, 4 insertions(+), 711 deletions(-) delete mode 100644 shadow-4.1.5.1-usr-lib.patch diff --git a/shadow-4.1.5.1-usr-lib.patch b/shadow-4.1.5.1-usr-lib.patch deleted file mode 100644 index b9c7af0..0000000 --- a/shadow-4.1.5.1-usr-lib.patch +++ /dev/null 
@@ -1,706 +0,0 @@ -From 43f9ae51f2629b7c42a5a0e664cf62907b1f1276 Mon Sep 17 00:00:00 2001 -From: Colin Walters -Date: Tue, 17 Dec 2013 18:48:48 -0500 -Subject: [PATCH] Use /usr/lib/passwd for system users (if it exists, and - SHADOW_USE_USRLIB) - -See https://sourceware.org/bugzilla/show_bug.cgi?id=16142 - -This allows OSTree/Atomic to write usernames to /usr/lib/passwd (and -/usr/lib/group). ---- - lib/defines.h | 8 +++++ - lib/groupio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- - lib/groupio.h | 7 +++++ - lib/pwio.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++--- - lib/pwio.h | 7 +++++ - libmisc/cleanup_group.c | 2 +- - src/groupadd.c | 24 +++++++-------- - src/newusers.c | 18 +++++------ - src/useradd.c | 68 ++++++++++++++++++++--------------------- - 9 files changed, 230 insertions(+), 66 deletions(-) - -diff --git a/lib/defines.h b/lib/defines.h -index c5d84a8..27ad429 100644 ---- a/lib/defines.h -+++ b/lib/defines.h -@@ -302,10 +302,18 @@ char *strchr (), *strrchr (), *strtok (); - #define PASSWD_FILE "/etc/passwd" - #endif - -+#ifndef USRLIB_PASSWD_FILE -+#define USRLIB_PASSWD_FILE "/usr/lib/passwd" -+#endif -+ - #ifndef GROUP_FILE - #define GROUP_FILE "/etc/group" - #endif - -+#ifndef USRLIB_GROUP_FILE -+#define USRLIB_GROUP_FILE "/usr/lib/group" -+#endif -+ - #ifndef SHADOW_FILE - #define SHADOW_FILE "/etc/shadow" - #endif -diff --git a/lib/groupio.c b/lib/groupio.c -index e0bb030..d9c01c1 100644 ---- a/lib/groupio.c -+++ b/lib/groupio.c -@@ -139,6 +139,42 @@ static /*@owned@*/struct commonio_db group_db = { - false /* readonly */ - }; - -+static struct commonio_db usrlib_group_db = { -+ USRLIB_GROUP_FILE, /* filename */ -+ &group_ops, /* ops */ -+ NULL, /* fp */ -+#ifdef WITH_SELINUX -+ NULL, /* scontext */ -+#endif -+ NULL, /* head */ -+ NULL, /* tail */ -+ NULL, /* cursor */ -+ false, /* changed */ -+ false, /* isopen */ -+ false, /* locked */ -+ false /* readonly */ -+}; -+ -+static struct commonio_db * -+get_db (int usrlib) -+{ -+ 
static int checked_usrlib; -+ static int have_usrlib; -+ -+ if (!usrlib) -+ return &group_db; -+ -+ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { -+ struct stat stbuf; -+ checked_usrlib = 1; -+ have_usrlib = lstat (usrlib_group_db.filename, &stbuf) == 0; -+ } -+ -+ if (have_usrlib) -+ return &usrlib_group_db; -+ return &group_db; -+} -+ - int gr_setdbname (const char *filename) - { - return commonio_setname (&group_db, filename); -@@ -149,14 +185,29 @@ int gr_setdbname (const char *filename) - return group_db.filename; - } - -+/*@observer@*/const char *gr_dbname_extended (int usrlib) -+{ -+ return get_db (usrlib)->filename; -+} -+ - int gr_lock (void) - { -- return commonio_lock (&group_db); -+ return gr_lock_extended (0); -+} -+ -+int gr_lock_extended (int usrlib) -+{ -+ return commonio_lock (get_db (usrlib)); - } - - int gr_open (int mode) - { -- return commonio_open (&group_db, mode); -+ return gr_open_extended (0, mode); -+} -+ -+int gr_open_extended (int usrlib, int mode) -+{ -+ return commonio_open (get_db (usrlib), mode); - } - - /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name) -@@ -178,7 +229,12 @@ int gr_open (int mode) - - int gr_update (const struct group *gr) - { -- return commonio_update (&group_db, (const void *) gr); -+ return gr_update_extended (0, gr); -+} -+ -+int gr_update_extended (int usrlib, const struct group *gr) -+{ -+ return commonio_update (get_db (usrlib), (const void *) gr); - } - - int gr_remove (const char *name) -@@ -186,6 +242,11 @@ int gr_remove (const char *name) - return commonio_remove (&group_db, name); - } - -+int gr_remove_extended (int usrlib, const char *name) -+{ -+ return commonio_remove (get_db (usrlib), name); -+} -+ - int gr_rewind (void) - { - return commonio_rewind (&group_db); -@@ -198,12 +259,22 @@ int gr_rewind (void) - - int gr_close (void) - { -- return commonio_close (&group_db); -+ return gr_close_extended (0); -+} -+ -+int gr_close_extended (int usrlib) -+{ -+ return 
commonio_close (get_db (usrlib)); - } - - int gr_unlock (void) - { -- return commonio_unlock (&group_db); -+ return gr_unlock_extended (0); -+} -+ -+int gr_unlock_extended (int usrlib) -+{ -+ return commonio_unlock (get_db (usrlib)); - } - - void __gr_set_changed (void) -diff --git a/lib/groupio.h b/lib/groupio.h -index 6440523..01f66d5 100644 ---- a/lib/groupio.h -+++ b/lib/groupio.h -@@ -39,17 +39,24 @@ - #include - - extern int gr_close (void); -+extern int gr_close_extended (int usrlib); - extern /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name); - extern /*@observer@*/ /*@null@*/const struct group *gr_locate_gid (gid_t gid); - extern int gr_lock (void); -+extern int gr_lock_extended (int usrlib); - extern int gr_setdbname (const char *filename); - extern /*@observer@*/const char *gr_dbname (void); -+extern /*@observer@*/const char *gr_dbname_extended (int rflg); - extern /*@observer@*/ /*@null@*/const struct group *gr_next (void); - extern int gr_open (int mode); -+extern int gr_open_extended (int usrlib, int mode); - extern int gr_remove (const char *name); -+extern int gr_remove_extended (int usrlib, const char *name); - extern int gr_rewind (void); - extern int gr_unlock (void); -+extern int gr_unlock_extended (int usrlib); - extern int gr_update (const struct group *gr); -+extern int gr_update_extended (int usrlib, const struct group *gr); - extern int gr_sort (void); - - #endif -diff --git a/lib/pwio.c b/lib/pwio.c -index d63d15d..1ce005f 100644 ---- a/lib/pwio.c -+++ b/lib/pwio.c -@@ -114,6 +114,42 @@ static struct commonio_db passwd_db = { - false /* readonly */ - }; - -+static struct commonio_db usrlib_passwd_db = { -+ USRLIB_PASSWD_FILE, /* filename */ -+ &passwd_ops, /* ops */ -+ NULL, /* fp */ -+#ifdef WITH_SELINUX -+ NULL, /* scontext */ -+#endif -+ NULL, /* head */ -+ NULL, /* tail */ -+ NULL, /* cursor */ -+ false, /* changed */ -+ false, /* isopen */ -+ false, /* locked */ -+ false /* readonly */ -+}; -+ -+static struct 
commonio_db * -+get_db (int usrlib) -+{ -+ static int checked_usrlib; -+ static int have_usrlib; -+ -+ if (!usrlib) -+ return &passwd_db; -+ -+ if (getenv ("SHADOW_USE_USRLIB") && !checked_usrlib) { -+ struct stat stbuf; -+ checked_usrlib = 1; -+ have_usrlib = lstat (usrlib_passwd_db.filename, &stbuf) == 0; -+ } -+ -+ if (have_usrlib) -+ return &usrlib_passwd_db; -+ return &passwd_db; -+} -+ - int pw_setdbname (const char *filename) - { - return commonio_setname (&passwd_db, filename); -@@ -124,9 +160,19 @@ int pw_setdbname (const char *filename) - return passwd_db.filename; - } - -+/*@observer@*/const char *pw_dbname_extended (int usrlib) -+{ -+ return get_db (usrlib)->filename; -+} -+ - int pw_lock (void) - { -- return commonio_lock (&passwd_db); -+ return pw_lock_extended (0); -+} -+ -+int pw_lock_extended (int usrlib) -+{ -+ return commonio_lock (get_db (usrlib)); - } - - int pw_open (int mode) -@@ -134,6 +180,11 @@ int pw_open (int mode) - return commonio_open (&passwd_db, mode); - } - -+int pw_open_extended (int usrlib, int mode) -+{ -+ return commonio_open (get_db (usrlib), mode); -+} -+ - /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name) - { - return commonio_locate (&passwd_db, name); -@@ -153,12 +204,22 @@ int pw_open (int mode) - - int pw_update (const struct passwd *pw) - { -- return commonio_update (&passwd_db, (const void *) pw); -+ return pw_update_extended (0, pw); -+} -+ -+int pw_update_extended (int usrlib, const struct passwd *pw) -+{ -+ return commonio_update (get_db (usrlib), (const void *) pw); - } - - int pw_remove (const char *name) - { -- return commonio_remove (&passwd_db, name); -+ return pw_remove_extended (0, name); -+} -+ -+int pw_remove_extended (int usrlib, const char *name) -+{ -+ return commonio_remove (get_db (usrlib), name); - } - - int pw_rewind (void) -@@ -173,12 +234,22 @@ int pw_rewind (void) - - int pw_close (void) - { -- return commonio_close (&passwd_db); -+ return pw_close_extended (0); -+} -+ 
-+int pw_close_extended (int usrlib) -+{ -+ return commonio_close (get_db (usrlib)); - } - - int pw_unlock (void) - { -- return commonio_unlock (&passwd_db); -+ return pw_unlock_extended (0); -+} -+ -+int pw_unlock_extended (int usrlib) -+{ -+ return commonio_unlock (get_db (usrlib)); - } - - /*@null@*/struct commonio_entry *__pw_get_head (void) -diff --git a/lib/pwio.h b/lib/pwio.h -index 0ee961d..ca73361 100644 ---- a/lib/pwio.h -+++ b/lib/pwio.h -@@ -39,17 +39,24 @@ - #include - - extern int pw_close (void); -+extern int pw_close_extended (int usrlib); - extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name); - extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate_uid (uid_t uid); - extern int pw_lock (void); -+extern int pw_lock_extended (int usrlib); - extern int pw_setdbname (const char *filename); - extern /*@observer@*/const char *pw_dbname (void); -+extern /*@observer@*/const char *pw_dbname_extended (int rflg); - extern /*@observer@*/ /*@null@*/const struct passwd *pw_next (void); - extern int pw_open (int mode); -+extern int pw_open_extended (int usrlib, int mode); - extern int pw_remove (const char *name); -+extern int pw_remove_extended (int usrlib, const char *name); - extern int pw_rewind (void); - extern int pw_unlock (void); -+extern int pw_unlock_extended (int usrlib); - extern int pw_update (const struct passwd *pw); -+extern int pw_update_extended (int usrlib, const struct passwd *pw); - extern int pw_sort (void); - - #endif -diff --git a/libmisc/cleanup_group.c b/libmisc/cleanup_group.c -index d07adc7..cbfc2c6 100644 ---- a/libmisc/cleanup_group.c -+++ b/libmisc/cleanup_group.c -@@ -202,7 +202,7 @@ void cleanup_report_del_group_gshadow (void *group_name) - */ - void cleanup_unlock_group (unused void *arg) - { -- if (gr_unlock () == 0) { -+ if (gr_unlock_extended ((intptr_t)arg) == 0) { - fprintf (stderr, - _("%s: failed to unlock %s\n"), - Prog, gr_dbname ()); -diff --git a/src/groupadd.c b/src/groupadd.c 
-index 84ff55e..f6079aa 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -206,10 +206,10 @@ static void grp_update (void) - /* - * Write out the new group file entry. - */ -- if (gr_update (&grp) == 0) { -+ if (gr_update_extended (rflg, &grp) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, gr_dbname (), grp.gr_name); -+ Prog, gr_dbname_extended (rflg), grp.gr_name); - exit (E_GRP_UPDATE); - } - #ifdef SHADOWGRP -@@ -256,10 +256,10 @@ static void check_new_name (void) - static void close_files (void) - { - /* First, write the changes in the regular group database */ -- if (gr_close () == 0) { -+ if (gr_close_extended (rflg) == 0) { - fprintf (stderr, - _("%s: failure while writing changes to %s\n"), -- Prog, gr_dbname ()); -+ Prog, gr_dbname_extended (rflg)); - exit (E_GRP_UPDATE); - } - #ifdef WITH_AUDIT -@@ -269,10 +269,10 @@ static void close_files (void) - SHADOW_AUDIT_SUCCESS); - #endif - SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u", -- gr_dbname (), group_name, (unsigned int) group_id)); -+ gr_dbname_extended (rflg), group_name, (unsigned int) group_id)); - del_cleanup (cleanup_report_add_group_group); - -- cleanup_unlock_group (NULL); -+ cleanup_unlock_group ((void*)rflg); - del_cleanup (cleanup_unlock_group); - - /* Now, write the changes in the shadow database */ -@@ -319,13 +319,13 @@ static void close_files (void) - static void open_files (void) - { - /* First, lock the databases */ -- if (gr_lock () == 0) { -+ if (gr_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), -- Prog, gr_dbname ()); -+ Prog, gr_dbname_extended (rflg)); - exit (E_GRP_UPDATE); - } -- add_cleanup (cleanup_unlock_group, NULL); -+ add_cleanup (cleanup_unlock_group, (void*)rflg); - - #ifdef SHADOWGRP - if (is_shadow_grp) { -@@ -346,9 +346,9 @@ static void open_files (void) - add_cleanup (cleanup_report_add_group, group_name); - - /* And now open the databases */ -- if (gr_open 
(O_RDWR) == 0) { -- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); -+ if (gr_open_extended (rflg, O_RDWR) == 0) { -+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname_extended (rflg))); - exit (E_GRP_UPDATE); - } - -diff --git a/src/newusers.c b/src/newusers.c -index ac6f538..136926b 100644 ---- a/src/newusers.c -+++ b/src/newusers.c -@@ -380,7 +380,7 @@ static int add_user (const char *name, uid_t uid, gid_t gid) - pwent.pw_dir = ""; /* XXX warning: const */ - pwent.pw_shell = ""; /* XXX warning: const */ - -- return (pw_update (&pwent) == 0) ? -1 : 0; -+ return (pw_update_extended (rflg, &pwent) == 0) ? -1 : 0; - } - - #ifndef USE_PAM -@@ -714,7 +714,7 @@ static void open_files (void) - * modified, or new entries added. The password file is the key - if - * it gets locked, assume the others can be locked right away. - */ -- if (pw_lock () == 0) { -+ if (pw_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), - Prog, pw_dbname ()); -@@ -730,7 +730,7 @@ static void open_files (void) - } - spw_locked = true; - } -- if (gr_lock () == 0) { -+ if (gr_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), - Prog, gr_dbname ()); -@@ -749,7 +749,7 @@ static void open_files (void) - } - #endif - -- if (pw_open (O_RDWR) == 0) { -+ if (pw_open_extended (rflg, O_RDWR) == 0) { - fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); - fail_exit (EXIT_FAILURE); - } -@@ -757,7 +757,7 @@ static void open_files (void) - fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); - fail_exit (EXIT_FAILURE); - } -- if (gr_open (O_RDWR) == 0) { -+ if (gr_open_extended (rflg, O_RDWR) == 0) { - fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); - fail_exit (EXIT_FAILURE); - } -@@ -774,12 +774,12 @@ static void open_files 
(void) - */ - static void close_files (void) - { -- if (pw_close () == 0) { -+ if (pw_close_extended (rflg) == 0) { - fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); - SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); - fail_exit (EXIT_FAILURE); - } -- if (pw_unlock () == 0) { -+ if (pw_unlock_extended (rflg) == 0) { - fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); - SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); - /* continue */ -@@ -804,14 +804,14 @@ static void close_files (void) - spw_locked = false; - } - -- if (gr_close () == 0) { -+ if (gr_close_extended (rflg) == 0) { - fprintf (stderr, - _("%s: failure while writing changes to %s\n"), - Prog, gr_dbname ()); - SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); - fail_exit (EXIT_FAILURE); - } -- if (gr_unlock () == 0) { -+ if (gr_unlock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: failed to unlock %s\n"), - Prog, gr_dbname ()); -diff --git a/src/useradd.c b/src/useradd.c -index b686f14..78979ab 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -228,9 +228,9 @@ static void fail_exit (int code) - } - } - if (pw_locked) { -- if (pw_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); -+ if (pw_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking passwd file", -@@ -241,9 +241,9 @@ static void fail_exit (int code) - } - } - if (gr_locked) { -- if (gr_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); -+ if (gr_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), 
Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking group file", -@@ -847,7 +847,7 @@ static void grp_update (void) - fprintf (stderr, - _("%s: Out of memory. Cannot update %s.\n"), - Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); -+ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding user to group", -@@ -862,11 +862,11 @@ static void grp_update (void) - * update the group entry to reflect the change. - */ - ngrp->gr_mem = add_list (ngrp->gr_mem, user_name); -- if (gr_update (ngrp) == 0) { -+ if (gr_update_extended (rflg, ngrp) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, gr_dbname (), ngrp->gr_name); -- SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); -+ Prog, gr_dbname_extended (rflg), ngrp->gr_name); -+ SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname_extended (rflg), user_name)); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding user to group", -@@ -1351,9 +1351,9 @@ static void process_flags (int argc, char **argv) - */ - static void close_files (void) - { -- if (pw_close () == 0) { -- fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); -- SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); -+ if (pw_close_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname_extended (rflg))); - fail_exit (E_PW_UPDATE); - } - if (is_shadow_pwd && (spw_close () == 0)) { -@@ -1363,10 +1363,10 @@ static void close_files (void) - fail_exit (E_PW_UPDATE); - } - if 
(do_grp_update) { -- if (gr_close () == 0) { -+ if (gr_close_extended (rflg) == 0) { - fprintf (stderr, -- _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); -+ _("%s: failure while writing changes to %s\n"), Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname_extended (rflg))); - fail_exit (E_GRP_UPDATE); - } - #ifdef SHADOWGRP -@@ -1393,9 +1393,9 @@ static void close_files (void) - } - spw_locked = false; - } -- if (pw_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); -+ if (pw_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking passwd file", -@@ -1405,9 +1405,9 @@ static void close_files (void) - /* continue */ - } - pw_locked = false; -- if (gr_unlock () == 0) { -- fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); -- SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); -+ if (gr_unlock_extended (rflg) == 0) { -+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname_extended (rflg)); -+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname_extended (rflg))); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "unlocking group file", -@@ -1442,15 +1442,15 @@ static void close_files (void) - */ - static void open_files (void) - { -- if (pw_lock () == 0) { -+ if (pw_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), -- Prog, pw_dbname ()); -+ Prog, pw_dbname_extended (rflg)); - exit (E_PW_UPDATE); - } - pw_locked = true; -- if (pw_open (O_RDWR) == 0) { -- fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); -+ if 
(pw_open_extended (rflg, O_RDWR) == 0) { -+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname_extended (rflg)); - fail_exit (E_PW_UPDATE); - } - -@@ -1459,15 +1459,15 @@ static void open_files (void) - /* - * Lock and open the group file. - */ -- if (gr_lock () == 0) { -+ if (gr_lock_extended (rflg) == 0) { - fprintf (stderr, - _("%s: cannot lock %s; try again later.\n"), -- Prog, gr_dbname ()); -+ Prog, gr_dbname_extended (rflg)); - fail_exit (E_GRP_UPDATE); - } - gr_locked = true; -- if (gr_open (O_RDWR) == 0) { -- fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -+ if (gr_open_extended (rflg, O_RDWR) == 0) { -+ fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname_extended (rflg)); - fail_exit (E_GRP_UPDATE); - } - #ifdef SHADOWGRP -@@ -1578,10 +1578,10 @@ static void grp_add (void) - /* - * Write out the new group file entry. - */ -- if (gr_update (&grp) == 0) { -+ if (gr_update_extended (rflg, &grp) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, gr_dbname (), grp.gr_name); -+ Prog, gr_dbname_extended (rflg), grp.gr_name); - #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_GROUP, Prog, - "adding group", -@@ -1711,10 +1711,10 @@ static void usr_update (void) - /* - * Put the new (struct passwd) in the table. - */ -- if (pw_update (&pwent) == 0) { -+ if (pw_update_extended (rflg, &pwent) == 0) { - fprintf (stderr, - _("%s: failed to prepare the new %s entry '%s'\n"), -- Prog, pw_dbname (), pwent.pw_name); -+ Prog, pw_dbname_extended (rflg), pwent.pw_name); - fail_exit (E_PW_UPDATE); - } - --- -1.8.3.1 - diff --git a/shadow-utils.spec b/shadow-utils.spec index 729c255..bab180f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 14%{?dist} +Release: 15%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -25,9 +25,6 @@ Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-group-alloc.patch -# This is needed for Fedora Atomic project and might be dropped if less -# hackish way to create system users and groups is designed. -Patch19: shadow-4.1.5.1-usr-lib.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -74,7 +71,6 @@ are used for managing group accounts. %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .group-alloc -%patch19 -p1 -b .usr-lib iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -228,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Jul 14 2014 Tomas Mraz - 2:4.1.5.1-15 +- revert the last change as it is not really needed + * Thu Jul 10 2014 Tomas Mraz - 2:4.1.5.1-14 - put system users and groups into /usr/lib/{passwd,group} if the files exist and SHADOW_USE_USRLIB environment variable is set From 1e95b5b47956cb3a09a51920b0eb60d7c5de3bfd Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 08:55:45 -0400 Subject: [PATCH 100/151] fix license handling --- gpl-2.0.txt | 339 ++++++++++++++++++++++++++++++++++++++++++++++ shadow-bsd.txt | 32 +++++ shadow-utils.spec | 9 ++ 3 files changed, 380 insertions(+) create mode 100644 gpl-2.0.txt create mode 100644 shadow-bsd.txt diff --git a/gpl-2.0.txt b/gpl-2.0.txt new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/gpl-2.0.txt 
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/shadow-bsd.txt b/shadow-bsd.txt new file mode 100644 index 0000000..a2c1609 --- /dev/null +++ b/shadow-bsd.txt @@ -0,0 +1,32 @@ +/* + * Copyright (c) 1990 - 1994, Julianne Frances Haugh + * Copyright (c) 1996 - 2000, Marek Michałkiewicz + * Copyright (c) 2000 - 2006, Tomasz Kłoczko + * Copyright (c) 2007 - 2011, Nicolas François + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the copyright holders or contributors may not be used to + * endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + diff --git a/shadow-utils.spec b/shadow-utils.spec index bab180f..fce3bd3 100644 --- a/shadow-utils.spec 
+++ b/shadow-utils.spec @@ -8,6 +8,8 @@ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2.sig Source1: shadow-utils.login.defs Source2: shadow-utils.useradd +Source3: shadow-bsd.txt +Source4: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch Patch1: shadow-4.1.5.1-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch @@ -75,6 +77,8 @@ are used for managing group accounts. iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO +cp -a %{SOURCE3} %{SOURCE4} + #rm po/*.gmo #rm po/stamp-po #aclocal @@ -186,6 +190,8 @@ rm -rf $RPM_BUILD_ROOT %files -f shadow.lang %defattr(-,root,root) %doc NEWS doc/HOWTO README +%{!?_licensedir:%global license %%doc} +%license gpl-2.0.txt shadow-bsd.txt %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd %{_bindir}/sg @@ -224,6 +230,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Aug 5 2014 Tom Callaway - 2:4.1.5.1-16 +- fix license handling + * Mon Jul 14 2014 Tomas Mraz - 2:4.1.5.1-15 - revert the last change as it is not really needed From 5ac7a63576eeb7c6e05eaf37d15d9b2e7f8ed45a Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 08:57:03 -0400 Subject: [PATCH 101/151] fix license handling --- shadow-utils.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index fce3bd3..f536ff6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
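Review bot: `Source3: shadow-bsd.txt` in the first hunk reuses a tag that is already bound to the tarball signature three lines earlier (`Source3: ...tar.bz2.sig`), so one of the two definitions silently wins and either the signature or the license file is no longer referenced. Renumber the new entries to free tags, e.g. `Source4: shadow-bsd.txt` and `Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt`, and update the `%{SOURCEn}` references in `%prep`. The `cp -a %{SOURCE3} %{SOURCE4}` line in the second hunk also has no destination directory, so it copies the first source file over the second one's path in SOURCES instead of placing both in the build tree; `cp -a %{SOURCE4} %{SOURCE5} .` is what the `%license gpl-2.0.txt shadow-bsd.txt` line in the third hunk expects to find.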
@@ -8,8 +8,8 @@ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2.sig Source1: shadow-utils.login.defs Source2: shadow-utils.useradd -Source3: shadow-bsd.txt -Source4: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt +Source4: shadow-bsd.txt +Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch Patch1: shadow-4.1.5.1-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch @@ -77,7 +77,7 @@ are used for managing group accounts. iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO -cp -a %{SOURCE3} %{SOURCE4} +cp -a %{SOURCE4} %{SOURCE5} #rm po/*.gmo #rm po/stamp-po From 9120a44c3f50d85dc6f2ffe1a7c5046f758b706f Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 08:57:58 -0400 Subject: [PATCH 102/151] fix license handling --- shadow-utils.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index f536ff6..8b00f66 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 15%{?dist} +Release: 16%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 From 972907741deb9f6f02a7e8c3ddffad976fc1539b Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 5 Aug 2014 10:56:28 -0400 Subject: [PATCH 103/151] fix license handling --- shadow-utils.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 8b00f66..07548d6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -77,7 +77,7 @@ are used for managing group accounts. iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO -cp -a %{SOURCE4} %{SOURCE5} +cp -a %{SOURCE4} %{SOURCE5} . #rm po/*.gmo #rm po/stamp-po From 183c8697037ecc82934fff0e1e9ce2d5886e9476 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 18 Aug 2014 02:08:56 +0000 Subject: [PATCH 104/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 07548d6..98a549b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 16%{?dist} +Release: 17%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -230,6 +230,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Aug 18 2014 Fedora Release Engineering - 2:4.1.5.1-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + * Tue Aug 5 2014 Tom Callaway - 2:4.1.5.1-16 - fix license handling From 4c1ef1cd215d36e73ea9eb4e5acd826e50c8b8a5 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 29 Aug 2014 14:28:48 +0200 Subject: [PATCH 105/151] Multiple fixes - label the newly created home dir correctly (#1077809) - mention that chage -d 0 forces password change (#1135010) - improve date parsing and error detecting in chage - avoid full group database scanning in newgrp in most common case - report error if usermod asked for moving homedir and it does not exist --- shadow-4.1.5.1-date-parsing.patch | 138 ++++++++++++++++++++++++++++++ shadow-4.1.5.1-ingroup.patch | 63 ++++++++++++++ shadow-4.1.5.1-manfix.patch | 85 ++++++++++++++++-- shadow-4.1.5.1-move-home.patch | 15 ++++ shadow-4.1.5.1-selinux.patch | 69 ++++++++++++++- shadow-utils.spec | 15 +++- 6 files changed, 375 insertions(+), 10 deletions(-) create mode 100644 shadow-4.1.5.1-date-parsing.patch create mode 100644 shadow-4.1.5.1-ingroup.patch create mode 100644 shadow-4.1.5.1-move-home.patch diff --git a/shadow-4.1.5.1-date-parsing.patch b/shadow-4.1.5.1-date-parsing.patch new file mode 100644 index 0000000..38ec091 --- /dev/null +++ b/shadow-4.1.5.1-date-parsing.patch 
@@ -0,0 +1,138 @@ +diff -up shadow-4.1.5.1/libmisc/getdate.c.date-parsing shadow-4.1.5.1/libmisc/getdate.c +--- shadow-4.1.5.1/libmisc/getdate.c.date-parsing 2008-06-14 00:07:51.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/getdate.c 2014-08-29 13:41:22.553267506 +0200 +@@ -261,6 +261,7 @@ static int yyHaveDay; + static int yyHaveRel; + static int yyHaveTime; + static int yyHaveZone; ++static int yyHaveYear; + static int yyTimezone; + static int yyDay; + static int yyHour; +@@ -1730,6 +1731,7 @@ yyreduce: + yyDay = (yyvsp[(3) - (5)].Number); + yyYear = (yyvsp[(5) - (5)].Number); + } ++ yyHaveYear++; + } + break; + +@@ -1740,6 +1742,7 @@ yyreduce: + yyYear = (yyvsp[(1) - (3)].Number); + yyMonth = -(yyvsp[(2) - (3)].Number); + yyDay = -(yyvsp[(3) - (3)].Number); ++ yyHaveYear++; + } + break; + +@@ -1750,6 +1753,7 @@ yyreduce: + yyDay = (yyvsp[(1) - (3)].Number); + yyMonth = (yyvsp[(2) - (3)].Number); + yyYear = -(yyvsp[(3) - (3)].Number); ++ yyHaveYear++; + } + break; + +@@ -1767,6 +1771,7 @@ yyreduce: + yyMonth = (yyvsp[(1) - (4)].Number); + yyDay = (yyvsp[(2) - (4)].Number); + yyYear = (yyvsp[(4) - (4)].Number); ++ yyHaveYear++; + } + break; + +@@ -1784,6 +1789,7 @@ yyreduce: + yyMonth = (yyvsp[(2) - (3)].Number); + yyDay = (yyvsp[(1) - (3)].Number); + yyYear = (yyvsp[(3) - (3)].Number); ++ yyHaveYear++; + } + break; + +@@ -1928,7 +1934,8 @@ yyreduce: + case 49: + #line 397 "getdate.y" + { +- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) ++ if ((yyHaveTime != 0 || (yyvsp[(1) - (1)].Number) >= 100) && !yyHaveYear ++ && (yyHaveDate != 0) && (yyHaveRel == 0)) + yyYear = (yyvsp[(1) - (1)].Number); + else + { +@@ -2556,7 +2563,7 @@ yylex (void) + return LookupWord (buff); + } + if (c != '(') +- return *yyInput++; ++ return (unsigned char)*yyInput++; + Count = 0; + do + { +diff -up shadow-4.1.5.1/libmisc/getdate.y.date-parsing shadow-4.1.5.1/libmisc/getdate.y +--- shadow-4.1.5.1/libmisc/getdate.y.date-parsing 2008-05-26 10:57:51.000000000 +0200 ++++ 
shadow-4.1.5.1/libmisc/getdate.y 2014-08-29 13:40:37.502229879 +0200 +@@ -152,6 +152,7 @@ static int yyHaveDay; + static int yyHaveRel; + static int yyHaveTime; + static int yyHaveZone; ++static int yyHaveYear; + static int yyTimezone; + static int yyDay; + static int yyHour; +@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER { + yyDay = $3; + yyYear = $5; + } ++ yyHaveYear++; + } + | tUNUMBER tSNUMBER tSNUMBER { + /* ISO 8601 format. yyyy-mm-dd. */ + yyYear = $1; + yyMonth = -$2; + yyDay = -$3; ++ yyHaveYear++; + } + | tUNUMBER tMONTH tSNUMBER { + /* e.g. 17-JUN-1992. */ + yyDay = $1; + yyMonth = $2; + yyYear = -$3; ++ yyHaveYear++; + } + | tMONTH tUNUMBER { + yyMonth = $1; +@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $1; + yyDay = $2; + yyYear = $4; ++ yyHaveYear++; + } + | tUNUMBER tMONTH { + yyMonth = $2; +@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $2; + yyDay = $1; + yyYear = $3; ++ yyHaveYear++; + } + ; + +@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT { + + number : tUNUMBER + { +- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) ++ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear ++ && (yyHaveDate != 0) && (yyHaveRel == 0)) + yyYear = $1; + else + { +@@ -802,7 +809,7 @@ yylex (void) + return LookupWord (buff); + } + if (c != '(') +- return *yyInput++; ++ return (unsigned char)*yyInput++; + Count = 0; + do + { diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch new file mode 100644 index 0000000..e440431 --- /dev/null +++ b/shadow-4.1.5.1-ingroup.patch 
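Review bot: The new `static int yyHaveYear` in getdate.y (and the hand-edited getdate.c) is only ever incremented; nothing in the hunk resets it, and the other `yyHave*` counters are presumably zeroed at the start of each `get_date()` call outside this hunk, so unless `yyHaveYear` is added to that reset a second parse in the same process inherits a stale value and the `number` rule refuses to take a bare number as the year. Add `yyHaveYear = 0;` wherever `yyHaveDate` is reset. The `$1 >= 100` test changes which inputs are accepted and deserves a comment, if that is the intent: `/* a bare number after a date is the year only when it has three or more digits or a time was already seen */`. The `(unsigned char)` cast in `yylex` is a sound fix for bytes >= 0x80 coming back as negative tokens; since the generated getdate.c is patched by hand here rather than regenerated, the two files must be kept in step.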
@@ -0,0 +1,63 @@
+diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c
+--- shadow-4.1.5.1/src/newgrp.c.ingroup 2014-08-29 13:31:38.000000000 +0200
++++ shadow-4.1.5.1/src/newgrp.c 2014-08-29 14:04:57.183849650 +0200
+@@ -83,15 +83,29 @@ static void usage (void)
+ }
+ }
+ 
++static bool ingroup(const char *name, struct group *gr)
++{
++ char **look;
++ bool notfound = true;
++
++ look = gr->gr_mem;
++ while (*look && notfound)
++ notfound = strcmp (*look++, name);
++
++ return !notfound;
++}
++
+ /*
+- * find_matching_group - search all groups of a given group id for
++ * find_matching_group - search all groups of a gr's group id for
+ * membership of a given username
++ * but check gr itself first
+ */
+-static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid)
++static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr)
+ {
+- struct group *gr;
+- char **look;
+- bool notfound = true;
++ gid_t gid = gr->gr_gid;
++
++ if (ingroup(name, gr))
++ return gr;
+ 
+ setgrent ();
+ while ((gr = getgrent ()) != NULL) {
+@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc
+ * A group with matching GID was found.
+ * Test for membership of 'name'.
+ */
+- look = gr->gr_mem;
+- while ((NULL != *look) && notfound) {
+- notfound = (strcmp (*look, name) != 0);
+- look++;
+- }
+- if (!notfound) {
++ if (ingroup(name, gr))
+ break;
+- }
+ }
+ endgrent ();
+ return gr;
+@@ -616,7 +624,7 @@ int main (int argc, char **argv)
+ * groups of the same GID like the requested group for
+ * membership of the current user.
+ */
+- grp = find_matching_group (name, grp->gr_gid);
++ grp = find_matching_group (name, grp);
+ if (NULL == grp) {
+ /*
+ * No matching group found. As we already know that
diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch
index 00b792f..2963c98 100644
--- a/shadow-4.1.5.1-manfix.patch
+++ b/shadow-4.1.5.1-manfix.patch
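Review bot: `notfound = strcmp (*look++, name);` in the new `ingroup()` stores an `int` in a `bool`; that is well defined in C99 (any nonzero becomes `true`) but reads backwards and drops the explicit comparison the removed loop had, so write `notfound = (strcmp (*look++, name) != 0);`. `ingroup()` also has no header comment; add one in the file's style: `/* ingroup - return true if name appears in gr->gr_mem (the explicit member list; primary membership via pw_gid is not considered here) */`. Like the removed code it assumes `gr->gr_mem` is non-NULL, which holds for entries returned by the getgr*() family but is worth stating. The early `if (ingroup(name, gr)) return gr;` runs before `setgrent()`, which is what avoids the full scan in the common case, and `gid` is copied out first presumably because the later `getgrent()` calls may overwrite the buffer `gr` points to — a one-line comment on `gid_t gid = gr->gr_gid;` saying so would help the next reader.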
@@ -1,6 +1,19 @@ +diff -up shadow-4.1.5.1/man/chage.1.xml.manfix shadow-4.1.5.1/man/chage.1.xml +--- shadow-4.1.5.1/man/chage.1.xml.manfix 2012-05-25 13:45:27.000000000 +0200 ++++ shadow-4.1.5.1/man/chage.1.xml 2014-08-29 13:36:57.713167654 +0200 +@@ -102,6 +102,9 @@ + Set the number of days since January 1st, 1970 when the password + was last changed. The date may also be expressed in the format + YYYY-MM-DD (or the format more commonly used in your area). ++ If the LAST_DAY is set to ++ 0 the user is forced to change his password ++ on the next log on. + + + diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml --- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/login.defs.5.xml 2014-02-12 11:18:36.126334872 +0100 ++++ shadow-4.1.5.1/man/login.defs.5.xml 2014-08-29 13:31:38.364812323 +0200 @@ -160,6 +160,17 @@ long numeric parameters is machine-dependent. 
@@ -19,9 +32,25 @@ diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.def The following configuration items are provided: +diff -up shadow-4.1.5.1/man/man1/chage.1.manfix shadow-4.1.5.1/man/man1/chage.1 +--- shadow-4.1.5.1/man/man1/chage.1.manfix 2012-05-25 13:58:18.000000000 +0200 ++++ shadow-4.1.5.1/man/man1/chage.1 2014-08-29 13:36:31.303559366 +0200 +@@ -45,7 +45,11 @@ command are: + .PP + \fB\-d\fR, \fB\-\-lastday\fR \fILAST_DAY\fR + .RS 4 +-Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. ++Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. If the ++\fILAST_DAY\fR ++is set to ++\fB0\fR ++the user is forced to change his password on the next log on\&. + .RE + .PP + \fB\-E\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/login.defs.5 --- shadow-4.1.5.1/man/man5/login.defs.5.manfix 2012-05-25 13:59:03.000000000 +0200 -+++ shadow-4.1.5.1/man/man5/login.defs.5 2014-02-12 11:26:27.159851843 +0100 ++++ shadow-4.1.5.1/man/man5/login.defs.5 2014-08-29 13:31:38.364812323 +0200 @@ -46,6 +46,14 @@ value\&. Numbers (both regular and long) \fI0\fR) or hexadecimal values (precede the value with \fI0x\fR)\&. The maximum value of the regular and long numeric parameters is machine\-dependent\&. 
@@ -141,8 +170,8 @@ diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/log .RS 4 CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 ---- shadow-4.1.5.1/man/man8/useradd.8.manfix 2013-11-27 10:25:34.740049650 +0100 -+++ shadow-4.1.5.1/man/man8/useradd.8 2013-11-27 10:25:34.758050045 +0100 +--- shadow-4.1.5.1/man/man8/useradd.8.manfix 2014-08-29 13:31:38.347811932 +0200 ++++ shadow-4.1.5.1/man/man8/useradd.8 2014-08-29 13:31:38.364812323 +0200 @@ -85,7 +85,7 @@ by default\&. Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. .RE 
@@ -167,9 +196,30 @@ diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/userad .RS 4 Do not create the user\*(Aqs home directory, even if the system wide setting from /etc/login\&.defs +diff -up shadow-4.1.5.1/man/man8/usermod.8.manfix shadow-4.1.5.1/man/man8/usermod.8 +--- shadow-4.1.5.1/man/man8/usermod.8.manfix 2012-05-25 13:59:33.000000000 +0200 ++++ shadow-4.1.5.1/man/man8/usermod.8 2014-08-29 13:35:27.343086211 +0200 +@@ -63,7 +63,7 @@ The user\*(Aqs new login directory\&. + .sp + If the + \fB\-m\fR +-option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. ++option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. If the current home directory does not exist the new home directory will not be created\&. + .RE + .PP + \fB\-e\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR +@@ -143,7 +143,7 @@ Move the content of the user\*(Aqs home + This option is only valid in combination with the + \fB\-d\fR + (or +-\fB\-\-home\fR) option\&. ++\fB\-\-home\fR) option\&. If the current home directory does not exist the new home directory will not be created\&. + .sp + + \fBusermod\fR diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-11-27 10:25:34.740049650 +0100 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-11-27 10:25:34.759050067 +0100 +--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2014-08-29 13:31:38.347811932 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2014-08-29 13:31:38.364812323 +0200 @@ -161,7 +161,7 @@ 
@@ -197,3 +247,26 @@ diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xm +diff -up shadow-4.1.5.1/man/usermod.8.xml.manfix shadow-4.1.5.1/man/usermod.8.xml +--- shadow-4.1.5.1/man/usermod.8.xml.manfix 2012-05-25 13:45:29.000000000 +0200 ++++ shadow-4.1.5.1/man/usermod.8.xml 2014-08-29 13:33:40.814632618 +0200 +@@ -132,7 +132,8 @@ + If the + option is given, the contents of the current home directory will + be moved to the new home directory, which is created if it does +- not already exist. ++ not already exist. If the current home directory does not exist ++ the new home directory will not be created. + + + +@@ -261,7 +262,8 @@ + + + Move the content of the user's home directory to the new +- location. ++ location. If the current home directory does not exist ++ the new home directory will not be created. + + + This option is only valid in combination with the diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch new file mode 100644 index 0000000..c87e232 --- /dev/null +++ b/shadow-4.1.5.1-move-home.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c +--- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 ++++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 +@@ -1571,6 +1571,11 @@ static void move_home (void) + Prog, user_home, user_newhome); + fail_exit (E_HOMEDIR); + } ++ } else { ++ fprintf (stderr, ++ _("%s: The previous home directory (%s) does " ++ "not exist or is inaccessible. Move cannot be completed.\n"), ++ Prog, user_home); + } + } + diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch index 773fd60..adedf0f 100644 --- a/shadow-4.1.5.1-selinux.patch +++ b/shadow-4.1.5.1-selinux.patch 
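Review bot: The new `else` branch in `move_home()` (shadow-4.1.5.1-move-home.patch) only writes the diagnostic to stderr; the rest of `move_home()` lies outside this hunk, but from what is visible nothing changes the exit status, so `usermod -m -d NEW` against a missing old home would presumably still exit 0 while the passwd entry names a directory that was never created. If the message's "Move cannot be completed" is meant as an error, follow it with `fail_exit (E_HOMEDIR);` as the failure path a few lines above does; if it is meant as a warning, say so in the message and document that `-m` is then a no-op. Either way the changelog's "report error" should match what the exit code actually does.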
@@ -1,7 +1,41 @@ diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.selinux 2012-09-19 18:28:37.662060468 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2012-09-19 18:28:37.672060688 +0200 -@@ -2040,7 +2040,7 @@ int main (int argc, char **argv) +--- shadow-4.1.5.1/src/useradd.c.selinux 2014-08-28 16:36:09.889422103 +0200 ++++ shadow-4.1.5.1/src/useradd.c 2014-08-28 17:28:04.828166192 +0200 +@@ -1850,6 +1850,7 @@ static void create_mail (void) + */ + int main (int argc, char **argv) + { ++ int rv = E_SUCCESS; + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + pam_handle_t *pamh = NULL; +@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) + + usr_update (); + ++ close_files (); ++ ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ ++#ifdef WITH_SELINUX ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ if (set_seuser (user_name, user_selinux) != 0) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_USER, Prog, ++ "adding SELinux user mapping", ++ user_name, (unsigned int) user_id, 0); ++#endif /* WITH_AUDIT */ ++ rv = E_SE_UPDATE; ++ } ++ } ++ } ++#endif ++ if (mflg) { create_home (); if (home_added) { 
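Review bot: Moving `close_files ();` ahead of `create_home ();` (this hunk, with the old call removed in the next hunk at `@@ -2056,27 +2080,6 @@`) changes failure semantics: the passwd/shadow/group updates are now committed before the home directory exists, so a `fail_exit (E_HOMEDIR)` inside `create_home()` (outside this hunk) leaves a fully registered account with no home, whereas before, if `fail_exit` abandons the still-open files, the account was not created at all. That is presumably accepted so the new home is labeled after `set_seuser()` has installed the mapping, but it deserves a comment above the call, e.g. `/* commit the account first: set_seuser() and create_home() below must see the new entry, so a later failure no longer rolls it back */`. In the same spirit a `set_seuser()` failure now sets `rv = E_SE_UPDATE` and continues, so the home directory is created under whatever mapping is in effect while the message still says "warning"; note in the text or a comment that the run continues and exits non-zero. The `is_selinux_enabled () > 0` guard silently turns `-Z` into a no-op on a system without SELinux; a diagnostic there would avoid a surprising result. `main()` continues past the end of this hunk.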
@@ -10,3 +44,32 @@ diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c (uid_t)-1, user_id, (gid_t)-1, user_gid); } else { fprintf (stderr, +@@ -2056,27 +2080,6 @@ int main (int argc, char **argv) + create_mail (); + } + +- close_files (); +- +-#ifdef WITH_SELINUX +- if (Zflg) { +- if (set_seuser (user_name, user_selinux) != 0) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding SELinux user mapping", +- user_name, (unsigned int) user_id, 0); +-#endif /* WITH_AUDIT */ +- fail_exit (E_SE_UPDATE); +- } +- } +-#endif /* WITH_SELINUX */ +- +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); +- +- return E_SUCCESS; ++ return rv; + } + diff --git a/shadow-utils.spec b/shadow-utils.spec index 98a549b..a546b6d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 17%{?dist} +Release: 18%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -27,6 +27,9 @@ Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-group-alloc.patch +Patch19: shadow-4.1.5.1-date-parsing.patch +Patch20: shadow-4.1.5.1-ingroup.patch +Patch21: shadow-4.1.5.1-move-home.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -73,6 +76,9 @@ are used for managing group accounts. %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .group-alloc +%patch19 -p1 -b .date-parsing +%patch20 -p1 -b .ingroup +%patch21 -p1 -b .move-home iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
@@ -230,6 +236,13 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Aug 29 2014 Tomas Mraz - 2:4.1.5.1-18 +- label the newly created home dir correctly (#1077809) +- mention that chage -d 0 forces password change (#1135010) +- improve date parsing and error detecting in chage +- avoid full group database scanning in newgrp in most common case +- report error if usermod asked for moving homedir and it does not exist + * Mon Aug 18 2014 Fedora Release Engineering - 2:4.1.5.1-17 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild From d29b2a8defd58dfbc0015704d97432db33fcd201 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 9 Sep 2014 17:39:08 +0200 Subject: [PATCH 106/151] disallow all-numeric user and group names (#1139318) --- shadow-4.1.5.1-goodname.patch | 30 +++++++++++++++++++++++------- shadow-utils.spec | 5 ++++- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.1.5.1-goodname.patch index 1fdd84f..06c0de6 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.1.5.1-goodname.patch @@ -1,9 +1,12 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c --- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/chkname.c 2012-09-19 18:43:53.492160653 +0200 -@@ -49,20 +49,28 @@ ++++ shadow-4.1.5.1/libmisc/chkname.c 2014-09-09 17:35:17.207303124 +0200 +@@ -47,27 +47,42 @@ + #include "chkname.h" + static bool is_valid_name (const char *name) - { +-{ ++{ /* - * User/group names must match [a-z_][a-z0-9_-]*[$] - */ @@ -14,7 +17,11 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + * + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" ++ * ++ * Also do not allow fully numeric names. + */ ++ int numeric; ++ + if ( ('\0' == *name) || + !((*name >= 'a' && *name <= 'z') || + (*name >= 'A' && *name <= 'Z') || 
@@ -24,6 +31,8 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam return false; } ++ numeric = isdigit(*name); ++ while ('\0' != *++name) { - if (!(( ('a' <= *name) && ('z' >= *name) ) || - ( ('0' <= *name) && ('9' >= *name) ) || @@ -39,10 +48,17 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + )) { return false; } ++ numeric &= isdigit(*name); } + +- return true; ++ return !numeric; + } + + bool is_valid_user_name (const char *name) diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml --- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/groupadd.8.xml 2012-09-19 18:43:53.492160653 +0200 ++++ shadow-4.1.5.1/man/groupadd.8.xml 2014-09-09 17:28:46.330300342 +0200 @@ -259,12 +259,6 @@ CAVEATS @@ -58,7 +74,7 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd. diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/groupadd.8 --- shadow-4.1.5.1/man/man8/groupadd.8.goodname 2012-05-25 13:58:40.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/groupadd.8 2012-09-19 18:44:42.175123079 +0200 ++++ shadow-4.1.5.1/man/man8/groupadd.8 2014-09-09 17:28:46.330300342 +0200 @@ -190,9 +190,7 @@ Shadow password suite configuration\&. .RE .SH "CAVEATS" @@ -72,7 +88,7 @@ diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/gro .PP diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/useradd.8 --- shadow-4.1.5.1/man/man8/useradd.8.goodname 2012-05-25 13:59:28.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/useradd.8 2012-09-19 18:46:09.249033949 +0200 ++++ shadow-4.1.5.1/man/man8/useradd.8 2014-09-09 17:28:46.330300342 +0200 @@ -224,7 +224,7 @@ is not enabled, no home directories are .PP \fB\-M\fR 
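Review bot: `numeric = isdigit(*name);` and `numeric &= isdigit(*name);` pass a plain `char` to `isdigit()`; that is only safe here because the range check immediately before each call has already rejected every byte outside the ASCII set, and `isdigit()` returns an unspecified nonzero value, so `&=` of two such results is not guaranteed to stay nonzero on every libc. Cast and normalize: `numeric = (isdigit ((unsigned char) *name) != 0);` and `numeric &= (isdigit ((unsigned char) *name) != 0);`. Also confirm chkname.c already includes `<ctype.h>`, which this hunk does not add. The rationale is a security property and belongs in the comment: `/* fully numeric names are rejected because chown(1), useradd -g and similar tools read an all-digit name as a UID/GID, so such a name could resolve to a different account */`.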
@@ -93,7 +109,7 @@ diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/user .PP diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml --- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2012-09-19 18:43:53.493160675 +0200 ++++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 @@ -366,7 +366,7 @@ diff --git a/shadow-utils.spec b/shadow-utils.spec index a546b6d..97923b7 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 18%{?dist} +Release: 19%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -236,6 +236,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Sep 9 2014 Tomas Mraz - 2:4.1.5.1-19 +- disallow all-numeric user and group names (#1139318) + * Fri Aug 29 2014 Tomas Mraz - 2:4.1.5.1-18 - label the newly created home dir correctly (#1077809) - mention that chage -d 0 forces password change (#1135010) From af13db915f24164d6326927f9b7a3a50599f6079 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 10 Sep 2014 10:28:53 +0200 Subject: [PATCH 107/151] discard obsolete matchpathcon cache after semanage_commit() --- shadow-4.1.5.1-selinux.patch | 28 ++++++++++++++++++++++++++-- shadow-utils.spec | 5 ++++- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch index adedf0f..4ac32d2 100644 --- a/shadow-4.1.5.1-selinux.patch +++ b/shadow-4.1.5.1-selinux.patch 
@@ -1,6 +1,30 @@
+diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c
+--- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100
++++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200
+@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
+ 
+ ret = 0;
+ 
++ /* drop obsolete matchpathcon cache */
++ matchpathcon_fini();
++
+ done:
+ semanage_seuser_key_free (key);
+ semanage_handle_destroy (handle);
+@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
+ }
+ 
+ ret = 0;
++
++ /* drop obsolete matchpathcon cache */
++ matchpathcon_fini();
++
+ done:
+ semanage_handle_destroy (handle);
+ return ret;
 diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c
---- shadow-4.1.5.1/src/useradd.c.selinux 2014-08-28 16:36:09.889422103 +0200
-+++ shadow-4.1.5.1/src/useradd.c 2014-08-28 17:28:04.828166192 +0200
+--- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200
++++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200
 @@ -1850,6 +1850,7 @@ static void create_mail (void)
  */
  int main (int argc, char **argv)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 97923b7..e3d6b90 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 19%{?dist}
+Release: 20%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
@@ -236,6 +236,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Wed Sep 10 2014 Tomas Mraz - 2:4.1.5.1-20
+- discard obsolete matchpathcon cache after semanage_commit()
+
 * Tue Sep 9 2014 Tomas Mraz - 2:4.1.5.1-19
 - disallow all-numeric user and group names (#1139318)
 
From e1ce821d4521d7ede777a6cd51f4cbcfeb1b5d9a Mon Sep 17 00:00:00 2001
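Review bot: The comment `/* drop obsolete matchpathcon cache */` added after `ret = 0;` in both set_seuser and del_seuser names the action but not the reason, which a maintainer needs before being tempted to remove a seemingly pointless library call. I would write it as `/* semanage_commit() may have rewritten the file-context configuration; discard anything matchpathcon() cached so later lookups (the home-directory labelling in useradd, presumably) see the new mappings */`. It is also worth a sentence that the call is deliberately on the success path only: when the commit failed, nothing was changed and the cached mappings are still valid. Both functions begin outside the hunk, so the failure paths that jump to `done:` are not visible here.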
From: Tomas Mraz Date: Fri, 17 Oct 2014 17:03:29 +0200 Subject: [PATCH 108/151] update auditing to cover more events and fix some incorrect audit records (auditing patch by Steve Grubb (#1151580)) - apply the same new allocation algorithm to uids as for gids --- shadow-4.1.5.1-audit-update.patch | 2250 +++++++++++++++++ ...loc.patch => shadow-4.1.5.1-id-alloc.patch | 625 ++++- shadow-utils.spec | 13 +- 3 files changed, 2861 insertions(+), 27 deletions(-) create mode 100644 shadow-4.1.5.1-audit-update.patch rename shadow-4.1.5.1-group-alloc.patch => shadow-4.1.5.1-id-alloc.patch (52%) diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.1.5.1-audit-update.patch new file mode 100644 index 0000000..c25db61 --- /dev/null +++ b/shadow-4.1.5.1-audit-update.patch 
@@ -0,0 +1,2250 @@ +diff -urp shadow-4.1.5.1.orig/lib/prototypes.h shadow-4.1.5.1/lib/prototypes.h +--- shadow-4.1.5.1.orig/lib/prototypes.h 2014-09-13 15:45:54.953829562 -0400 ++++ shadow-4.1.5.1/lib/prototypes.h 2014-10-14 08:39:23.785884075 -0400 +@@ -195,12 +195,21 @@ extern int audit_fd; + extern void audit_help_open (void); + /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ + #define AUDIT_NO_ID ((unsigned int) -1) ++#ifndef AUDIT_GRP_MGMT ++#define AUDIT_GRP_MGMT 1132 /* Group account was modified */ ++#endif ++#ifndef AUDIT_GRP_CHAUTHTOK ++#define AUDIT_GRP_CHAUTHTOK 1133 /* Group account password was changed */ ++#endif + typedef enum { + SHADOW_AUDIT_FAILURE = 0, + SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result; + extern void audit_logger (int type, const char *pgname, const char *op, + const char *name, unsigned int id, + shadow_audit_result result); ++void audit_logger_with_group (int type, unused const char *pgname, ++ const char *op, const char *name, unsigned int id, ++ const char *grp, shadow_audit_result result); + void audit_logger_message (const char *message, shadow_audit_result result); + #endif + +diff -urp shadow-4.1.5.1.orig/libmisc/audit_help.c shadow-4.1.5.1/libmisc/audit_help.c +--- shadow-4.1.5.1.orig/libmisc/audit_help.c 2010-08-21 07:41:28.000000000 -0400 ++++ shadow-4.1.5.1/libmisc/audit_help.c 2014-10-14 08:39:23.785884075 -0400 +@@ -68,7 +68,7 @@ void audit_help_open (void) + * This function will log a message to the audit system using a predefined + * message format. Parameter usage is as follows: + * +- * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account ++ * type - type of message: AUDIT_USER_MGMT for changing any account + * attributes. + * pgname - program's name + * op - operation. 
"adding user", "changing finger info", "deleting group" +@@ -88,6 +88,39 @@ void audit_logger (int type, unused cons + } + } + ++/* ++ * This function will log a message to the audit system using a predefined ++ * message format. Parameter usage is as follows: ++ * ++ * type - type of message: AUDIT_USER_MGMT for changing any account ++ * attributes. ++ * pgname - program's name ++ * op - operation. "adding user", "changing finger info", "deleting group" ++ * name - user's account or group name. If not available use NULL. ++ * id - uid or gid that the operation is being performed on. This is used ++ * only when user is NULL. ++ * grp - group name associated with event ++ */ ++void audit_logger_with_group (int type, unused const char *pgname, ++ const char *op, const char *name, unsigned int id, ++ const char *grp, shadow_audit_result result) ++{ ++ int len; ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1], buf[1024]; ++ if (audit_fd < 0) { ++ return; ++ } ++ len = strnlen(grp, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(grp, len)) { ++ snprintf(buf, sizeof(buf), "%s grp=%s", op, ++ audit_encode_value(enc_group, grp, len)); ++ } else { ++ snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp); ++ } ++ audit_log_acct_message (audit_fd, type, NULL, buf, name, id, ++ NULL, NULL, NULL, (int) result); ++} ++ + void audit_logger_message (const char *message, shadow_audit_result result) + { + if (audit_fd < 0) { +diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_group.c shadow-4.1.5.1/libmisc/cleanup_group.c +--- shadow-4.1.5.1.orig/libmisc/cleanup_group.c 2008-12-23 17:45:18.000000000 -0500 ++++ shadow-4.1.5.1/libmisc/cleanup_group.c 2014-10-14 09:00:33.594753105 -0400 +@@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle + gr_dbname (), + info->action)); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info->audit_msg, + info->name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); +@@ -101,7 +101,7 @@ void 
cleanup_report_mod_gshadow (void *c + sgr_dbname (), + info->action)); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info->audit_msg, + info->name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); +@@ -122,7 +122,7 @@ void cleanup_report_add_group_group (voi + SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/group", ++ "adding-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -141,8 +141,8 @@ void cleanup_report_add_group_gshadow (v + + SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "adding-shadow-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -164,8 +164,8 @@ void cleanup_report_del_group_group (voi + "failed to remove group %s from %s", + name, gr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "removing group from /etc/group", ++ audit_logger (AUDIT_DEL_GROUP, Prog, ++ "removing-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -187,8 +187,8 @@ void cleanup_report_del_group_gshadow (v + "failed to remove group %s from %s", + name, sgr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "removing group from /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "removing-shadow-group", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -208,7 +208,7 @@ void cleanup_unlock_group (unused void * + Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking group file", ++ audit_logger_message ("unlocking-group", + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -228,7 +228,7 @@ void cleanup_unlock_gshadow (unused void + Prog, sgr_dbname ()); + SYSLOG ((LOG_ERR, "failed to 
unlock %s", sgr_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking gshadow file", ++ audit_logger_message ("unlocking-gshadow", + SHADOW_AUDIT_FAILURE); + #endif + } +diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_user.c shadow-4.1.5.1/libmisc/cleanup_user.c +--- shadow-4.1.5.1.orig/libmisc/cleanup_user.c 2008-12-23 17:45:18.000000000 -0500 ++++ shadow-4.1.5.1/libmisc/cleanup_user.c 2014-10-14 09:01:51.878745031 -0400 +@@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl + pw_dbname (), + info->action)); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_USER_MGMT, Prog, + info->audit_msg, + info->name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); +@@ -86,7 +86,7 @@ void cleanup_report_add_user_passwd (voi + SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to /etc/passwd", ++ "adding-user", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -105,8 +105,8 @@ void cleanup_report_add_user_shadow (voi + + SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ())); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to /etc/shadow", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "adding-shadow-user", + name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -125,7 +125,7 @@ void cleanup_unlock_passwd (unused void + Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking passwd file", ++ audit_logger_message ("unlocking-passwd", + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -144,7 +144,7 @@ void cleanup_unlock_shadow (unused void + Prog, spw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); + #ifdef WITH_AUDIT +- audit_logger_message ("unlocking shadow file", ++ audit_logger_message ("unlocking-shadow", + SHADOW_AUDIT_FAILURE); + #endif + } +diff -urp shadow-4.1.5.1.orig/src/chage.c 
shadow-4.1.5.1/src/chage.c +--- shadow-4.1.5.1.orig/src/chage.c 2011-11-19 17:54:47.000000000 -0500 ++++ shadow-4.1.5.1/src/chage.c 2014-10-14 08:39:23.787884075 -0400 +@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int + + #ifdef WITH_AUDIT + if (E_SUCCESS != code) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change age", +- user_name, (unsigned int) user_uid, 0); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-age", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_FAILURE); + } + #endif + +@@ -873,11 +874,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: Permission denied.\n"), Prog); + fail_exit (E_NOPERM); + } +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "display aging info", +- user_name, (unsigned int) user_uid, 1); +-#endif ++ /* Displaying fields is not of interest to audit */ + list_fields (); + fail_exit (E_SUCCESS); + } +@@ -896,41 +893,43 @@ int main (int argc, char **argv) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change all aging information", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-all-aging-information", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + #endif + } else { + #ifdef WITH_AUDIT + if (Mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change max age", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-max-age", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + if (mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change min age", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-min-age", + user_name, (unsigned int) user_uid, 1); + } + if (dflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change last change date", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-last-change-date", + user_name, (unsigned int) user_uid, 1); + } + if (Wflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, 
Prog, +- "change passwd warning", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-warning", + user_name, (unsigned int) user_uid, 1); + } + if (Iflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change inactive days", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-inactive-days", + user_name, (unsigned int) user_uid, 1); + } + if (Eflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd expiration", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-expiration", + user_name, (unsigned int) user_uid, 1); + } + #endif +diff -urp shadow-4.1.5.1.orig/src/gpasswd.c shadow-4.1.5.1/src/gpasswd.c +--- shadow-4.1.5.1.orig/src/gpasswd.c 2014-09-13 15:45:54.989829559 -0400 ++++ shadow-4.1.5.1/src/gpasswd.c 2014-10-14 08:43:07.393861012 -0400 +@@ -137,7 +137,7 @@ static void usage (int status) + (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -Q, --root CHROOT_DIR directory to chroot into\n"), usageout); +- (void) fputs (_(" -r, --remove-password remove the GROUP's password\n"), usageout); ++ (void) fputs (_(" -r, --delete-password remove the GROUP's password\n"), usageout); + (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); + (void) fputs (_(" -M, --members USER,... 
set the list of members of GROUP\n"), usageout); + #ifdef SHADOWGRP +@@ -397,21 +397,14 @@ static void open_files (void) + + static void log_gpasswd_failure (const char *suffix) + { +-#ifdef WITH_AUDIT +- char buf[1024]; +-#endif + if (aflg) { + SYSLOG ((LOG_ERR, + "%s failed to add user %s to group %s%s", + myname, user, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to add user %s to group %s%s", +- myname, user, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (dflg) { +@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c + "%s failed to remove user %s from group %s%s", + myname, user, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to remove user %s from group %s%s", +- myname, user, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (rflg) { +@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c + "%s failed to remove password of group %s%s", + myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to remove password of group %s%s", +- myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "delete-group-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (Rflg) { +@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c + "%s failed to restrict access to group %s%s", + myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to restrict access to group %s%s", +- 
myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "restrict-group", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } else if (Aflg || Mflg) { +@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c + "%s failed to set the administrators of group %s to %s%s", + myname, group, admins, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to set the administrators of group %s to %s%s", +- myname, group, admins, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "set-admins-of-group", ++ admins, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c + "%s failed to set the members of group %s to %s%s", + myname, group, members, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to set the members of group %s to %s%s", +- myname, group, members, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-users-to-group", ++ members, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c + "%s failed to change password of group %s%s", + myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "%s failed to change password of group %s%s", +- myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_FAILURE); + #endif + } +@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow + + static void log_gpasswd_success (const char *suffix) + { +-#ifdef WITH_AUDIT +- 
char buf[1024]; +-#endif + if (aflg) { + SYSLOG ((LOG_INFO, + "user %s added by %s to group %s%s", + user, myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "user %s added by %s to group %s%s", +- user, myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } else if (dflg) { +@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c + "user %s removed by %s from group %s%s", + user, myname, group, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "user %s removed by %s from group %s%s", +- user, myname, group, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } else if (rflg) { +@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c + "password of group %s removed by %s%s", + group, myname, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "password of group %s removed by %s%s", +- group, myname, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "delete-group-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } else if (Rflg) { +@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c + "access to group %s restricted by %s%s", + group, myname, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "access to group %s restricted by %s%s", +- group, myname, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "restrict-group", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); 
+ #endif + } else if (Aflg || Mflg) { +@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c + "administrators of group %s set by %s to %s%s", + group, myname, admins, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "administrators of group %s set by %s to %s%s", +- group, myname, admins, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "set-admins-of-group", ++ admins, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } +@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c + "members of group %s set by %s to %s%s", + group, myname, members, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "members of group %s set by %s to %s%s", +- group, myname, members, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_ACCT, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-users-to-group", ++ members, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } +@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c + "password of group %s changed by %s%s", + group, myname, suffix)); + #ifdef WITH_AUDIT +- snprintf (buf, 1023, +- "password of group %s changed by %s%s", +- group, myname, suffix); +- buf[1023] = '\0'; +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- buf, +- group, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, group, + SHADOW_AUDIT_SUCCESS); + #endif + } +diff -urp shadow-4.1.5.1.orig/src/groupadd.c shadow-4.1.5.1/src/groupadd.c +--- shadow-4.1.5.1.orig/src/groupadd.c 2011-11-18 16:23:30.000000000 -0500 ++++ shadow-4.1.5.1/src/groupadd.c 2014-10-14 08:39:23.800884073 -0400 +@@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta + exit (status); + } + ++static void fail_exit(int status) ++{ ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_ADD_GROUP, Prog, "add-group", group_name, ++ AUDIT_NO_ID, 
SHADOW_AUDIT_FAILURE); ++#endif ++ exit (status); ++} ++ + /* + * new_grent - initialize the values in a group file entry + * +@@ -210,7 +219,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, gr_dbname (), grp.gr_name); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP + /* +@@ -220,7 +229,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, sgr_dbname (), sgrp.sg_name); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #endif /* SHADOWGRP */ + } +@@ -244,7 +253,7 @@ static void check_new_name (void) + fprintf (stderr, _("%s: '%s' is not a valid group name\n"), + Prog, group_name); + +- exit (E_BAD_ARG); ++ fail_exit (E_BAD_ARG); + } + + /* +@@ -260,11 +269,11 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/group", ++ "add-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -282,11 +291,11 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group to /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "add-shadow-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -300,12 +309,6 @@ static void close_files (void) + #endif /* SHADOWGRP */ + + /* Report success at the system level */ +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_GROUP, Prog, +- "", +- group_name, (unsigned int) group_id, +- SHADOW_AUDIT_SUCCESS); +-#endif + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", + group_name, (unsigned int) group_id)); + 
del_cleanup (cleanup_report_add_group); +@@ -323,7 +326,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_group, NULL); + +@@ -333,7 +336,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_gshadow, NULL); + } +@@ -349,7 +352,7 @@ static void open_files (void) + if (gr_open (O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef SHADOWGRP +@@ -359,7 +362,7 @@ static void open_files (void) + _("%s: cannot open %s\n"), + Prog, sgr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + } + #endif /* SHADOWGRP */ +@@ -489,7 +492,7 @@ static void check_flags (void) + fprintf (stderr, + _("%s: group '%s' already exists\n"), + Prog, group_name); +- exit (E_NAME_IN_USE); ++ fail_exit (E_NAME_IN_USE); + } + + if (gflg && (getgrgid (group_id) != NULL)) { +@@ -508,7 +511,7 @@ static void check_flags (void) + fprintf (stderr, + _("%s: GID '%lu' already exists\n"), + Prog, (unsigned long int) group_id); +- exit (E_GID_IN_USE); ++ fail_exit (E_GID_IN_USE); + } + } + } +@@ -536,7 +539,7 @@ static void check_perms (void) + fprintf (stderr, + _("%s: Cannot determine your user name.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); +@@ -556,7 +559,7 @@ static void check_perms (void) + if (NULL != pamh) { + (void) pam_end (pamh, retval); + } +- exit (1); ++ fail_exit (1); + } + (void) pam_end (pamh, retval); + #endif /* USE_PAM */ +@@ -588,7 +591,7 @@ int main (int argc, char **argv) + 
fprintf (stderr, + _("%s: Cannot setup cleanup service.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + /* +@@ -610,7 +613,7 @@ int main (int argc, char **argv) + + if (!gflg) { + if (find_new_gid (rflg, &group_id, NULL) < 0) { +- exit (E_GID_IN_USE); ++ fail_exit (E_GID_IN_USE); + } + } + +diff -urp shadow-4.1.5.1.orig/src/groupdel.c shadow-4.1.5.1/src/groupdel.c +--- shadow-4.1.5.1.orig/src/groupdel.c 2011-11-18 16:23:30.000000000 -0500 ++++ shadow-4.1.5.1/src/groupdel.c 2014-10-14 08:39:23.801884073 -0400 +@@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta + exit (status); + } + ++static void fail_exit(int status) ++{ ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_GRP_MGMT, Prog, "delete-group", group_name, ++ AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); ++#endif ++ exit (status); ++} ++ + /* + * grp_update - update group file entries + * +@@ -126,7 +135,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: cannot remove entry '%s' from %s\n"), + Prog, group_name, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef SHADOWGRP +@@ -138,7 +147,7 @@ static void grp_update (void) + fprintf (stderr, + _("%s: cannot remove entry '%s' from %s\n"), + Prog, group_name, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + } + #endif /* SHADOWGRP */ +@@ -157,12 +166,12 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_GROUP, Prog, +- "removing group from /etc/group", ++ "delete-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -182,12 +191,12 @@ static void close_files (void) + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "removing 
group from /etc/gshadow", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "delete-shadow-group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -201,13 +210,6 @@ static void close_files (void) + } + #endif /* SHADOWGRP */ + +- /* Report success at the system level */ +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "", +- group_name, (unsigned int) group_id, +- SHADOW_AUDIT_SUCCESS); +-#endif + SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); + del_cleanup (cleanup_report_del_group); + } +@@ -224,7 +226,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_group, NULL); + #ifdef SHADOWGRP +@@ -233,7 +235,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sgr_dbname ()); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_gshadow, NULL); + } +@@ -251,7 +253,7 @@ static void open_files (void) + _("%s: cannot open %s\n"), + Prog, gr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP + if (is_shadow_grp) { +@@ -260,7 +262,7 @@ static void open_files (void) + _("%s: cannot open %s\n"), + Prog, sgr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); +- exit (E_GRP_UPDATE); ++ fail_exit (E_GRP_UPDATE); + } + } + #endif /* SHADOWGRP */ +@@ -301,7 +303,7 @@ static void group_busy (gid_t gid) + fprintf (stderr, + _("%s: cannot remove the primary group of user '%s'\n"), + Prog, pwd->pw_name); +- exit (E_GROUP_BUSY); ++ fail_exit (E_GROUP_BUSY); + } + + /* +@@ -379,7 +381,7 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: Cannot setup cleanup service.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + process_flags (argc, argv); +@@ -393,7 +395,7 @@ int main (int 
argc, char **argv) + fprintf (stderr, + _("%s: Cannot determine your user name.\n"), + Prog); +- exit (1); ++ fail_exit (1); + } + + retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); +@@ -414,7 +416,7 @@ int main (int argc, char **argv) + if (NULL != pamh) { + (void) pam_end (pamh, retval); + } +- exit (1); ++ fail_exit (1); + } + (void) pam_end (pamh, retval); + #endif /* USE_PAM */ +@@ -434,7 +436,7 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: group '%s' does not exist\n"), + Prog, group_name); +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + + group_id = grp->gr_gid; +@@ -458,7 +460,7 @@ int main (int argc, char **argv) + _("%s: %s is the NIS master\n"), + Prog, nis_master); + } +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif + +diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c +--- shadow-4.1.5.1.orig/src/groupmod.c 2011-11-18 16:23:30.000000000 -0500 ++++ shadow-4.1.5.1/src/groupmod.c 2014-10-14 08:49:28.517821702 -0400 +@@ -438,7 +438,7 @@ static void close_files (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info_group.audit_msg, + group_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); +@@ -461,7 +461,7 @@ static void close_files (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info_gshadow.audit_msg, + group_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); +@@ -484,7 +484,7 @@ static void close_files (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, ++ audit_logger (AUDIT_GRP_MGMT, Prog, + info_passwd.audit_msg, + group_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); +@@ -499,8 +499,8 @@ static void close_files (void) + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_ACCT, Prog, +- "modifying group", ++ audit_logger (AUDIT_GRP_MGMT, Prog, ++ "modify-group", + group_name, 
AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -512,6 +512,8 @@ static void close_files (void) + */ + static void prepare_failure_reports (void) + { ++ char *nv_pair, nv[64]; ++ + info_group.name = group_name; + #ifdef SHADOWGRP + info_gshadow.name = group_name; +@@ -524,76 +526,106 @@ static void prepare_failure_reports (voi + #endif + info_passwd.audit_msg = xmalloc (512); + +- (void) snprintf (info_group.audit_msg, 511, +- "changing %s; ", gr_dbname ()); ++ info_group.action = xmalloc (512); + #ifdef SHADOWGRP +- (void) snprintf (info_gshadow.audit_msg, 511, +- "changing %s; ", sgr_dbname ()); ++ info_gshadow.action = xmalloc (512); + #endif +- (void) snprintf (info_passwd.audit_msg, 511, +- "changing %s; ", pw_dbname ()); ++ info_passwd.action = xmalloc (512); + +- info_group.action = info_group.audit_msg +- + strlen (info_group.audit_msg); ++ (void) snprintf (info_group.audit_msg, 511, ++ "changing-group"); + #ifdef SHADOWGRP +- info_gshadow.action = info_gshadow.audit_msg +- + strlen (info_gshadow.audit_msg); ++ (void) snprintf (info_gshadow.audit_msg, 511, ++ "changing-shadow-group"); + #endif +- info_passwd.action = info_passwd.audit_msg +- + strlen (info_passwd.audit_msg); ++ (void) snprintf (info_passwd.audit_msg, 511, ++ "changing-group-passwd"); + ++ nv_pair = audit_encode_nv_string(" grp", group_name, ++ strlen(group_name)); ++ if(nv_pair) { ++ strncat(info_group.audit_msg, nv_pair, ++ 511 - strlen(info_group.audit_msg)); ++#ifdef SHADOWGRP ++ strncat(info_gshadow.audit_msg, nv_pair, ++ 511 - strlen(info_gshadow.audit_msg)); ++#endif ++ strncat(info_passwd.audit_msg, nv_pair, ++ 511 - strlen(info_passwd.audit_msg)); ++ free(nv_pair); ++ } ++ snprintf(nv, sizeof(nv), " gid=%lu", group_id); ++ strncat(info_group.audit_msg, nv, 511 - strlen(info_group.audit_msg)); ++ strncat(info_passwd.audit_msg, nv, 511 - strlen(info_passwd.audit_msg)); ++ + (void) snprintf (info_group.action, +- 511 - strlen (info_group.audit_msg), ++ 511, + "group %s/%lu", + 
group_name, (unsigned long int) group_id); + #ifdef SHADOWGRP + (void) snprintf (info_gshadow.action, +- 511 - strlen (info_group.audit_msg), ++ 511, + "group %s", group_name); + #endif + (void) snprintf (info_passwd.action, +- 511 - strlen (info_group.audit_msg), ++ 511, + "group %s/%lu", + group_name, (unsigned long int) group_id); + + if (nflg) { ++ nv_pair = audit_encode_nv_string(" new_group", group_newname, ++ strlen(group_newname)); ++ strncat(info_group.audit_msg, nv_pair, ++ 511 - strlen(info_group.audit_msg)); + strncat (info_group.action, ", new name: ", +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + strncat (info_group.action, group_newname, +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + + #ifdef SHADOWGRP ++ strncat(info_gshadow.audit_msg, nv_pair, ++ 511 - strlen(info_gshadow.audit_msg)); + strncat (info_gshadow.action, ", new name: ", +- 511 - strlen (info_gshadow.audit_msg)); ++ 511 - strlen (info_gshadow.action)); + strncat (info_gshadow.action, group_newname, +- 511 - strlen (info_gshadow.audit_msg)); ++ 511 - strlen (info_gshadow.action)); + #endif + ++ strncat(info_passwd.audit_msg, nv_pair, ++ 511 - strlen(info_passwd.audit_msg)); + strncat (info_passwd.action, ", new name: ", +- 511 - strlen (info_passwd.audit_msg)); ++ 511 - strlen (info_passwd.action)); + strncat (info_passwd.action, group_newname, +- 511 - strlen (info_passwd.audit_msg)); ++ 511 - strlen (info_passwd.action)); ++ free(nv_pair); + } + if (pflg) { ++ /* Note: audit doesn't want this value recorded */ + strncat (info_group.action, ", new password", +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + + #ifdef SHADOWGRP + strncat (info_gshadow.action, ", new password", +- 511 - strlen (info_gshadow.audit_msg)); ++ 511 - strlen (info_gshadow.action)); + #endif + } + if (gflg) { ++ snprintf(nv, sizeof(nv), " new_gid=%lu", group_newid); ++ strncat(info_group.audit_msg, nv, ++ 511 - 
strlen(info_group.audit_msg)); ++ strncat(info_passwd.audit_msg, nv, ++ 511 - strlen(info_passwd.audit_msg)); ++ + strncat (info_group.action, ", new gid: ", +- 511 - strlen (info_group.audit_msg)); ++ 511 - strlen (info_group.action)); + (void) snprintf (info_group.action+strlen (info_group.action), +- 511 - strlen (info_group.audit_msg), ++ 511 - strlen (info_group.action), + "%lu", (unsigned long int) group_newid); + + strncat (info_passwd.action, ", new gid: ", +- 511 - strlen (info_passwd.audit_msg)); ++ 511 - strlen (info_passwd.action)); + (void) snprintf (info_passwd.action+strlen (info_passwd.action), +- 511 - strlen (info_passwd.audit_msg), ++ 511 - strlen (info_passwd.action), + "%lu", (unsigned long int) group_newid); + } + info_group.audit_msg[511] = '\0'; +@@ -601,6 +633,11 @@ static void prepare_failure_reports (voi + info_gshadow.audit_msg[511] = '\0'; + #endif + info_passwd.audit_msg[511] = '\0'; ++ info_group.action[511] = '\0'; ++#ifdef SHADOWGRP ++ info_gshadow.action[511] = '\0'; ++#endif ++ info_passwd.action[511] = '\0'; + + // FIXME: add a system cleanup + add_cleanup (cleanup_report_mod_group, &info_group); +diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1.orig/src/newgrp.c 2014-09-13 15:45:55.010829557 -0400 ++++ shadow-4.1.5.1/src/newgrp.c 2014-10-14 08:39:23.802884073 -0400 +@@ -197,11 +197,12 @@ static void check_perms (const struct gr + strcmp (cpasswd, grp->gr_passwd) != 0) { + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "authentication new-gid=%lu", ++ "authentication new_gid=%lu", + (unsigned long) grp->gr_gid); + audit_logger (AUDIT_GRP_AUTH, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + #endif + SYSLOG ((LOG_INFO, + "Invalid password for group '%s' from '%s'", +@@ -212,11 +213,12 @@ static void check_perms (const struct gr + } + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- 
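Review bot: In the `if (nflg)` branch the second `audit_encode_nv_string(" new_group", ...)` result is passed straight to `strncat` without the NULL check that the earlier `" grp"` call gets, so an allocation failure inside libaudit is a NULL dereference there; the four `strncat(..., nv_pair, ...)` calls and the `free(nv_pair)` should sit inside `if (nv_pair != NULL) { ... }` exactly as the first block does. The two new `nv` formats also pass `group_id` and `group_newid` to `%lu` uncast, while every neighbouring snprintf in this hunk casts the same variables to `(unsigned long int)`; if gid_t is narrower than unsigned long (it usually is) the varargs read is undefined, so use `snprintf(nv, sizeof(nv), " gid=%lu", (unsigned long int) group_id);` and `snprintf(nv, sizeof(nv), " new_gid=%lu", (unsigned long int) group_newid);`. prepare_failure_reports continues past this hunk into the next one.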
"authentication new-gid=%lu", ++ "authentication new_gid=%lu", + (unsigned long) grp->gr_gid); + audit_logger (AUDIT_GRP_AUTH, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 1); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_SUCCESS); + #endif + } + +@@ -227,19 +229,6 @@ failure: + * harm. -- JWP + */ + closelog (); +-#ifdef WITH_AUDIT +- if (groupname) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", groupname); +- audit_logger (AUDIT_CHGRP_ID, Prog, +- audit_buf, NULL, +- (unsigned int) getuid (), 0); +- } else { +- audit_logger (AUDIT_CHGRP_ID, Prog, +- "changing", NULL, +- (unsigned int) getuid (), 0); +- } +-#endif + exit (EXIT_FAILURE); + } + +@@ -308,15 +297,27 @@ static void syslog_sg (const char *name, + is_newgrp ? "newgrp" : "sg", strerror (errno)); + #ifdef WITH_AUDIT + if (group) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", group); ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1]; ++ int len = strnlen(group, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(group, len)) { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", ++ audit_encode_value(enc_group, ++ group, len)); ++ } else { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=\"%s\"", ++ group); ++ } + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } else { + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } + #endif + exit (EXIT_FAILURE); +@@ -442,7 +443,7 @@ int main (int argc, char **argv) + #ifdef WITH_AUDIT + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", + (unsigned long) getuid ())); +@@ -558,15 +559,26 @@ int main (int 
argc, char **argv) + perror ("getgroups"); + #ifdef WITH_AUDIT + if (group) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", group); ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1]; ++ int len = strnlen(group, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(group, len)) { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", ++ audit_encode_value(enc_group, ++ group, len)); ++ } else { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=\"%s\"", group); ++ } + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } else { + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), ++ SHADOW_AUDIT_FAILURE); + } + #endif + exit (EXIT_FAILURE); +@@ -707,10 +719,10 @@ int main (int argc, char **argv) + perror ("setgid"); + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "changing new-gid=%lu", (unsigned long) gid); ++ "changing new_gid=%lu", (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + exit (EXIT_FAILURE); + } +@@ -719,10 +731,10 @@ int main (int argc, char **argv) + perror ("setuid"); + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "changing new-gid=%lu", (unsigned long) gid); ++ "changing new_gid=%lu", (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + exit (EXIT_FAILURE); + } +@@ -736,10 +748,10 @@ int main (int argc, char **argv) + execl (SHELL, "sh", "-c", command, (char *) 0); + #ifdef WITH_AUDIT + snprintf (audit_buf, sizeof(audit_buf), +- "changing new-gid=%lu", (unsigned long) gid); ++ "changing new_gid=%lu", (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + 
audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + #endif + perror (SHELL); + exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); +@@ -803,11 +815,11 @@ int main (int argc, char **argv) + } + + #ifdef WITH_AUDIT +- snprintf (audit_buf, sizeof(audit_buf), "changing new-gid=%lu", ++ snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%lu", + (unsigned long) gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 1); ++ (unsigned int) getuid (), SHADOW_AUDIT_SUCCESS); + #endif + /* + * Exec the login shell and go away. We are trying to get back to +@@ -831,15 +843,24 @@ int main (int argc, char **argv) + closelog (); + #ifdef WITH_AUDIT + if (NULL != group) { +- snprintf (audit_buf, sizeof(audit_buf), +- "changing new-group=%s", group); ++ char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1]; ++ int len = strnlen(group, sizeof(enc_group)/2); ++ if (audit_value_needs_encoding(group, len)) { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", ++ audit_encode_value(enc_group, ++ group, len)); ++ } else { ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=\"%s\"", group); ++ } + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + } else { + audit_logger (AUDIT_CHGRP_ID, Prog, + "changing", NULL, +- (unsigned int) getuid (), 0); ++ (unsigned int) getuid (), SHADOW_AUDIT_FAILURE); + } + #endif + exit (EXIT_FAILURE); +diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c +--- shadow-4.1.5.1.orig/src/useradd.c 2014-09-13 15:45:54.957829561 -0400 ++++ shadow-4.1.5.1/src/useradd.c 2014-10-14 08:52:53.066800605 -0400 +@@ -205,6 +205,8 @@ static void create_mail (void); + */ + static void fail_exit (int code) + { ++ int type; ++ + if (home_added) { + if (rmdir (user_home) != 0) { + fprintf (stderr, +@@ -218,12 +220,6 @@ static void fail_exit (int 
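Review bot: `int type;` is declared unconditionally at the top of fail_exit, but its only use is inside the `#ifdef WITH_AUDIT` block further down the function (the @@ -258 hunk), so builds without WITH_AUDIT get an unused-variable warning. Declare it where it is used, `#ifdef WITH_AUDIT` / `int type;` / `#endif`, or move the declaration into that block. fail_exit's body continues outside this hunk.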
code) + if (spw_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking shadow file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -231,12 +227,6 @@ static void fail_exit (int code) + if (pw_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking passwd file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -244,12 +234,6 @@ static void fail_exit (int code) + if (gr_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking group file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -258,20 +242,19 @@ static void fail_exit (int code) + if (sgr_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking gshadow file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", ++ if (code == E_PW_UPDATE || code >= E_GRP_UPDATE) ++ type = AUDIT_USER_MGMT; ++ else ++ type = AUDIT_ADD_USER; ++ ++ audit_logger (type, Prog, ++ "add-user", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -578,7 +561,7 @@ static int set_defaults (void) + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_USYS_CONFIG, Prog, +- "changing useradd defaults", ++ "changing-useradd-defaults", + 
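Review bot: The new audit-type selection `if (code == E_PW_UPDATE || code >= E_GRP_UPDATE)` depends on the numeric ordering of the E_* exit codes, which is not visible here and is easy to break when a code is added, and nothing says why these codes map to AUDIT_USER_MGMT. A comment stating the intent would protect it, e.g. `/* Failures reported with these codes happen after the passwd entry exists, so audit them as account management (USER_MGMT), not as a failed creation (ADD_USER). */` — that reading is inferred from the code names, confirm it. Listing the codes explicitly (a switch with a default) would be more robust than the `>=` comparison. fail_exit starts outside this hunk.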
NULL, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -848,12 +831,6 @@ static void grp_update (void) + _("%s: Out of memory. Cannot update %s.\n"), + Prog, gr_dbname ()); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_GRP_UPDATE); /* XXX */ + } + +@@ -867,18 +844,12 @@ static void grp_update (void) + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, gr_dbname (), ngrp->gr_name); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user_name, AUDIT_NO_ID, ngrp->gr_name, + SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, +@@ -923,12 +894,6 @@ static void grp_update (void) + _("%s: Out of memory. 
Cannot update %s.\n"), + Prog, sgr_dbname ()); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to shadow group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_GRP_UPDATE); /* XXX */ + } + +@@ -942,18 +907,13 @@ static void grp_update (void) + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, sgr_dbname (), nsgrp->sg_name); + SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to shadow group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif ++ + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user to shadow group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-to-shadow-group", ++ user_name, AUDIT_NO_ID, nsgrp->sg_name, + SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, +@@ -1296,7 +1256,7 @@ static void process_flags (int argc, cha + Prog, user_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", ++ "add-user", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1385,7 +1345,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking shadow file", ++ "unlocking-shadow-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1398,7 +1358,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking passwd file", ++ "unlocking-passwd-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1410,7 +1370,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); + #ifdef 
WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking group file", ++ "unlocking-group-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1424,7 +1384,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking gshadow file", ++ "unlocking-gshadow-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1584,7 +1544,7 @@ static void grp_add (void) + Prog, gr_dbname (), grp.gr_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group", ++ "add-group", + grp.gr_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1600,7 +1560,7 @@ static void grp_add (void) + Prog, sgr_dbname (), sgrp.sg_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group", ++ "add-group", + grp.gr_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1610,7 +1570,7 @@ static void grp_add (void) + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_GROUP, Prog, +- "adding group", ++ "add-group", + grp.gr_name, AUDIT_NO_ID, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -1725,17 +1685,11 @@ static void usr_update (void) + fprintf (stderr, + _("%s: failed to prepare the new %s entry '%s'\n"), + Prog, spw_dbname (), spent.sp_namp); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding shadow password", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_PW_UPDATE); + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", ++ "add-user", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -1771,12 +1725,6 @@ static void create_home (void) + fprintf (stderr, + _("%s: cannot create directory %s\n"), + Prog, user_home); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding home directory", +- user_name, (unsigned int) user_id, 
+- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_HOMEDIR); + } + chown (user_home, user_id, user_gid); +@@ -1784,8 +1732,8 @@ static void create_home (void) + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); + home_added = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "add-home-dir", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + #endif +@@ -1951,12 +1899,6 @@ int main (int argc, char **argv) + */ + if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ + fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_NAME_IN_USE); + } + +@@ -1972,12 +1914,6 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), + Prog, user_name); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding group", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_NAME_IN_USE); + } + } +@@ -2007,12 +1943,6 @@ int main (int argc, char **argv) + fprintf (stderr, + _("%s: UID %lu is not unique\n"), + Prog, (unsigned long) user_id); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding user", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif + fail_exit (E_UID_IN_USE); + } + } +@@ -2057,9 +1987,10 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding SELinux user mapping", +- user_name, (unsigned int) user_id, 0); ++ audit_logger (AUDIT_ROLE_ASSIGN, Prog, ++ "add-selinux-user-mapping", ++ user_name, (unsigned int) user_id, ++ SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ + rv = 
E_SE_UPDATE; + } +diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c +--- shadow-4.1.5.1.orig/src/userdel.c 2014-09-13 15:45:55.001829558 -0400 ++++ shadow-4.1.5.1/src/userdel.c 2014-10-14 08:44:52.714850149 -0400 +@@ -201,9 +201,9 @@ static void update_groups (void) + * Update the DBM group file with the new entry as well. + */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user from group", +- user_name, (unsigned int) user_id, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "deleting-user-from-group", ++ user_name, (unsigned int) user_id, ngrp->gr_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", +@@ -263,9 +263,9 @@ static void update_groups (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user from shadow group", +- user_name, (unsigned int) user_id, ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "deleting-user-from-shadow-group", ++ user_name, (unsigned int) user_id, nsgrp->sg_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", +@@ -342,9 +342,9 @@ static void remove_usergroup (void) + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "deleting group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_DEL_GROUP, Prog, ++ "delete-group", ++ user_name, AUDIT_NO_ID, user_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, +@@ -360,9 +360,9 @@ static void remove_usergroup (void) + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_GROUP, Prog, +- "deleting shadow group", +- user_name, AUDIT_NO_ID, ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "delete-shadow-group", ++ user_name, AUDIT_NO_ID, user_name, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ + SYSLOG ((LOG_INFO, +@@ -478,7 +478,7 @@ static void fail_exit (int code) + + #ifdef 
WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user", ++ "delete-user", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -498,24 +498,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, pw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + pw_locked = true; + if (pw_open (O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), Prog, pw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + if (is_shadow_pwd) { +@@ -523,12 +511,6 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, spw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking shadow password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + spw_locked = true; +@@ -536,12 +518,6 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot open %s\n"), + Prog, spw_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening shadow password file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_PW_UPDATE); + } + } +@@ -549,23 +525,11 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + gr_locked = true; + if (gr_open (O_RDWR) == 0) { + 
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + #ifdef SHADOWGRP +@@ -574,24 +538,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sgr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking shadow group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + sgr_locked= true; + if (sgr_open (O_RDWR) == 0) { + fprintf (stderr, _("%s: cannot open %s\n"), + Prog, sgr_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening shadow group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_GRP_UPDATE); + } + } +@@ -622,7 +574,7 @@ static void update_user (void) + } + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user entries", ++ "delete-user", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + #endif /* WITH_AUDIT */ +@@ -716,7 +668,7 @@ static int remove_mailbox (void) + SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -732,7 +684,7 @@ static int remove_mailbox (void) + SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -742,8 +694,8 @@ static int remove_mailbox (void) + #ifdef WITH_AUDIT + else + { +- audit_logger (AUDIT_DEL_USER, 
Prog, +- "deleting mail file", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + } +@@ -760,7 +712,7 @@ static int remove_mailbox (void) + mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -775,7 +727,7 @@ static int remove_mailbox (void) + SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -785,8 +737,8 @@ static int remove_mailbox (void) + #ifdef WITH_AUDIT + else + { +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting mail file", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "delete-mail-file", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + } +@@ -980,7 +932,7 @@ int main (int argc, char **argv) + Prog, user_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user not found", ++ "deleting-user-not-found", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1024,7 +976,7 @@ int main (int argc, char **argv) + if (!fflg) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +- "deleting user logged in", ++ "deleting-user-logged-in", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1101,8 +1053,8 @@ int main (int argc, char **argv) + #ifdef WITH_AUDIT + else + { +- audit_logger (AUDIT_DEL_USER, Prog, +- "deleting home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "deleting-home-directory", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); + } +@@ -1111,7 +1063,7 @@ int main (int argc, char **argv) + #ifdef WITH_AUDIT + if (0 != errors) { + audit_logger (AUDIT_DEL_USER, 
Prog, +- "deleting home directory", ++ "deleting-home-directory", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + } +@@ -1124,8 +1076,8 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "removing SELinux user mapping", ++ audit_logger (AUDIT_ROLE_REMOVE, Prog, ++ "delete-selinux-user-mapping", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c +--- shadow-4.1.5.1.orig/src/usermod.c 2014-09-13 15:45:55.013829557 -0400 ++++ shadow-4.1.5.1/src/usermod.c 2014-10-14 08:50:05.817817855 -0400 +@@ -352,8 +352,8 @@ static char *new_pw_passwd (char *pw_pas + + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "updating passwd", +- user_newname, (unsigned int) user_newid, 0); ++ "updating-password", ++ user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); + strcpy (buf, "!"); +@@ -372,8 +372,8 @@ static char *new_pw_passwd (char *pw_pas + + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "updating password", +- user_newname, (unsigned int) user_newid, 0); ++ "updating-password", ++ user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); + s = pw_pass; +@@ -384,7 +384,7 @@ static char *new_pw_passwd (char *pw_pas + } else if (pflg) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing password", ++ "updating-password", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); +@@ -413,8 +413,8 @@ static void new_pwent (struct passwd *pw + fail_exit (E_NAME_IN_USE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing name", ++ audit_logger 
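Review bot: The updated audit_logger calls in new_pw_passwd pass the result as a bare `1`, while the fail_exit hunk in the same file (@@ -592) switches to `SHADOW_AUDIT_FAILURE` and update_group uses `SHADOW_AUDIT_SUCCESS`; the new_pwent, new_spent and update_gshadow hunks carry the same literal. Using the named constant everywhere makes the success/failure meaning visible at the call site, e.g. `user_newname, (unsigned int) user_newid, SHADOW_AUDIT_SUCCESS);`. new_pw_passwd's body continues outside this hunk.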
(AUDIT_USER_MGMT, Prog, ++ "changing-name", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -434,8 +434,8 @@ static void new_pwent (struct passwd *pw + + if (uflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing uid", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-uid", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -445,8 +445,8 @@ static void new_pwent (struct passwd *pw + } + if (gflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing primary group", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-primary-group", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -456,8 +456,8 @@ static void new_pwent (struct passwd *pw + } + if (cflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing comment", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-comment", + user_newname, (unsigned int) user_newid, 1); + #endif + pwent->pw_gecos = user_newcomment; +@@ -465,8 +465,8 @@ static void new_pwent (struct passwd *pw + + if (dflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-home-dir", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -476,8 +476,8 @@ static void new_pwent (struct passwd *pw + } + if (sflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing user shell", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-shell", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -507,8 +507,8 @@ static void new_spent (struct spwd *spen + + if (fflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing inactive days", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-inactive-days", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG 
((LOG_INFO, +@@ -524,8 +524,8 @@ static void new_spent (struct spwd *spen + date_to_str (old_exp, sizeof(old_exp), + user_expire * DAY); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing expiration date", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "changing-expiration-date", + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, +@@ -592,9 +592,9 @@ static /*@noreturn@*/void fail_exit (int + } + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "modifying account", +- user_name, AUDIT_NO_ID, 0); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "modify-account", ++ user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); + #endif + exit (code); + } +@@ -648,9 +648,12 @@ static void update_group (void) + user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing group member", +- user_newname, AUDIT_NO_ID, 1); ++ audit_logger_with_group ( ++ AUDIT_USER_MGMT, Prog, ++ "update-member-in-group", ++ user_newname, AUDIT_NO_ID, ++ ngrp->gr_name, ++ SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, + "change '%s' to '%s' in group '%s'", +@@ -664,9 +667,11 @@ static void update_group (void) + ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "removing group member", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user_name, AUDIT_NO_ID, ++ ngrp->gr_name, ++ SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, + "delete '%s' from group '%s'", +@@ -679,9 +684,11 @@ static void update_group (void) + ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "adding user to group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user_name, AUDIT_NO_ID, ++ ngrp->gr_name, ++ 
SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, "add '%s' to group '%s'", + user_newname, ngrp->gr_name)); +@@ -756,9 +763,10 @@ static void update_gshadow (void) + nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing admin name in shadow group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_GRP_MGMT, Prog, ++ "update-admin-name-in-group", ++ user_name, AUDIT_NO_ID, nsgrp->sg_name, ++ SHADOW_AUDIT_SUCCESS); + #endif + SYSLOG ((LOG_INFO, + "change admin '%s' to '%s' in shadow group '%s'", +@@ -778,9 +786,10 @@ static void update_gshadow (void) + user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing member in shadow group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "update-member-in-group", ++ user_name, AUDIT_NO_ID, ++ nsgrp->sg_name, 1); + #endif + SYSLOG ((LOG_INFO, + "change '%s' to '%s' in shadow group '%s'", +@@ -794,9 +803,10 @@ static void update_gshadow (void) + nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "removing user from shadow group", +- user_name, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "delete-user-from-group", ++ user_name, AUDIT_NO_ID, ++ nsgrp->sg_name, 1); + #endif + SYSLOG ((LOG_INFO, + "delete '%s' from shadow group '%s'", +@@ -809,9 +819,10 @@ static void update_gshadow (void) + nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); + changed = true; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "adding user to shadow group", +- user_newname, AUDIT_NO_ID, 1); ++ audit_logger_with_group (AUDIT_USER_MGMT, Prog, ++ "add-user-to-group", ++ user_newname, AUDIT_NO_ID, ++ nsgrp->sg_name, 1); + #endif + SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", + user_newname, nsgrp->sg_name)); 
+@@ -1515,8 +1526,8 @@ static void move_home (void) + + #ifdef WITH_AUDIT + if (uflg || gflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing home directory owner", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-home-dir-owner", + user_newname, (unsigned int) user_newid, 1); + } + #endif +@@ -1534,8 +1545,8 @@ static void move_home (void) + fail_exit (E_HOMEDIR); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "moving home directory", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "moving-home-dir", + user_newname, (unsigned int) user_newid, + 1); + #endif +@@ -1554,9 +1565,9 @@ static void move_home (void) + Prog, user_home); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, ++ audit_logger (AUDIT_USER_MGMT, + Prog, +- "moving home directory", ++ "moving-home-dir", + user_newname, + (unsigned int) user_newid, + 1); +@@ -1760,8 +1771,8 @@ static void move_mailbox (void) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing mail file owner", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-mail-file-owner", + user_newname, (unsigned int) user_newid, 1); + } + #endif +@@ -1779,8 +1790,8 @@ static void move_mailbox (void) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing mail file name", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-mail-file-name", + user_newname, (unsigned int) user_newid, 1); + } + #endif +@@ -1910,8 +1921,8 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "modifying User mapping ", ++ audit_logger (AUDIT_ROLE_ASSIGN, Prog, ++ "changing-selinux-user-mapping ", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1923,8 +1934,8 @@ int main (int argc, char **argv) + _("%s: warning: the user name %s to SELinux 
user mapping removal failed.\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "removing SELinux user mapping", ++ audit_logger (AUDIT_ROLE_REMOVE, Prog, ++ "delete-selinux-user-mapping", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +@@ -1962,8 +1973,8 @@ int main (int argc, char **argv) + */ + #ifdef WITH_AUDIT + if (uflg || gflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "changing home directory owner", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "updating-home-dir-owner", + user_newname, (unsigned int) user_newid, 1); + } + #endif diff --git a/shadow-4.1.5.1-group-alloc.patch b/shadow-4.1.5.1-id-alloc.patch similarity index 52% rename from shadow-4.1.5.1-group-alloc.patch rename to shadow-4.1.5.1-id-alloc.patch index 0ac336b..df6f89f 100644 --- a/shadow-4.1.5.1-group-alloc.patch +++ b/shadow-4.1.5.1-id-alloc.patch @@ -1,8 +1,3 @@ -From e551be23be24508ecf5c8afdf74fd69b88832ecd Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Mon, 9 Jun 2014 10:34:02 -0400 -Subject: [PATCH] Redesign automatic GID allocation - Previously, this allocation was optimized for an outdated deployment style (that of /etc/group alongside nss_db). The issue here is that this results in extremely poor performance when using 
@@ -44,14 +39,13 @@ we come to the first unused GID. We then select that and return it. If we make it through all the remaining IDs without finding a free one, we start over from the beginning of the range and try to find room in one of the gaps in the range. ---- - libmisc/find_new_gid.c | 533 +++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 407 insertions(+), 126 deletions(-) -diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c -index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b814763a16 100644 ---- a/libmisc/find_new_gid.c -+++ b/libmisc/find_new_gid.c +The patch was originally written by Stephen Gallagher and applied +identically also to the user allocation by Tomáš Mráz. + +diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c +--- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200 ++++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200 @@ -39,6 +39,118 @@ #include "getdef.h" @@ -302,6 +296,11 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 - free (used_gids); - return 0; - } +- +- /* if we did not find free preffered system gid, we start to look for +- * one in the range assigned to dynamic system IDs */ +- if (sys_group) +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); + /* First look for the lowest and highest value in the local database */ + (void) gr_rewind (); + highest_found = gid_min; @@ -326,11 +325,7 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + /* create index of used GIDs */ + if (grp->gr_gid >= gid_min + && grp->gr_gid <= gid_max) { - -- /* if we did not find free preffered system gid, we start to look for -- * one in the range assigned to dynamic system IDs */ -- if (sys_group) -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); ++ + used_gids[grp->gr_gid] = true; + } + } 
@@ -350,16 +345,17 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 - * Since there is a limited amount of IDs to be tested - * for system accounts, we just check the existence - * of IDs with getgrgid. -+ /* -+ * For system groups, we want to start from the -+ * top of the range and work downwards. - */ +- */ - group_id = gid_max; - for (id = gid_max; id >= gid_min; id--) { - if (getgrgid (id) != NULL) { - group_id = id - 1; - used_gids[id] = true; - } ++ /* ++ * For system groups, we want to start from the ++ * top of the range and work downwards. ++ */ + + /* + * At the conclusion of the gr_next() search, we will either 
@@ -637,6 +633,587 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8 + return -1; } --- -1.9.3 - +diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c +--- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200 ++++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200 +@@ -39,6 +39,118 @@ + #include "getdef.h" + + /* ++ * get_ranges - Get the minimum and maximum ID ranges for the search ++ * ++ * This function will return the minimum and maximum ranges for IDs ++ * ++ * 0: The function completed successfully ++ * EINVAL: The provided ranges are impossible (such as maximum < minimum) ++ * ++ * preferred_min: The special-case minimum value for a specifically- ++ * requested ID, which may be lower than the standard min_id ++ */ ++static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id, ++ uid_t *preferred_min) ++{ ++ uid_t uid_def_max = 0; ++ ++ if (sys_user) { ++ /* System users */ ++ ++ /* A requested ID is allowed to be below the autoselect range */ ++ *preferred_min = (uid_t) 1; ++ ++ /* Get the minimum ID range from login.defs or default to 101 */ ++ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL); ++ ++ /* ++ * If SYS_UID_MAX is unspecified, we should assume it to be one ++ * less than the UID_MIN (which is reserved for non-system accounts) ++ */ ++ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1; ++ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX", ++ (unsigned long) uid_def_max); ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf (stderr, ++ _("%s: Invalid configuration: SYS_UID_MIN (%lu), " ++ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ getdef_ulong ("UID_MIN", 1000UL), ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } else { ++ /* Non-system users */ ++ ++ /* Get the values from login.defs or use reasonable defaults */ ++ *min_id = 
(uid_t) getdef_ulong("UID_MIN", 1000UL); ++ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL); ++ ++ /* ++ * The preferred minimum should match the standard ID minimum ++ * for non-system users. ++ */ ++ *preferred_min = *min_id; ++ ++ /* Check that the ranges make sense */ ++ if (*max_id < *min_id) { ++ (void) fprintf(stderr, ++ _("%s: Invalid configuration: UID_MIN (%lu), " ++ "UID_MAX (%lu)\n"), ++ Prog, (unsigned long) *min_id, ++ (unsigned long) *max_id); ++ return EINVAL; ++ } ++ } ++ ++ return 0; ++} ++ ++/* ++ * check_uid - See if the requested UID is available ++ * ++ * On success, return 0 ++ * If the ID is in use, return EEXIST ++ * If the ID is outside the range, return ERANGE ++ * In other cases, return errno from getpwuid() ++ */ ++static int check_uid(const uid_t uid, ++ const uid_t uid_min, ++ const uid_t uid_max, ++ bool *used_uids) ++{ ++ /* First test that the preferred ID is in the range */ ++ if (uid < uid_min || uid > uid_max) { ++ return ERANGE; ++ } ++ ++ /* ++ * Check whether we already detected this UID ++ * using the pw_next() loop ++ */ ++ if (used_uids != NULL && used_uids[uid]) { ++ return EEXIST; ++ } ++ /* Check if the UID exists according to NSS */ ++ errno = 0; ++ if (getpwuid(uid) != NULL) { ++ return EEXIST; ++ } else { ++ /* getpwuid() was NULL, check whether this was ++ * due to an error, so we can report it. ++ */ ++ /* ignore errors for now * if (errno != 0) { ++ return errno; ++ } */ ++ } ++ ++ /* If we've made it here, the UID must be available */ ++ return 0; ++} ++ ++/* + * find_new_uid - Find a new unused UID. + * + * If successful, find_new_uid provides an unused user ID in the +@@ -48,162 +160,339 @@ + * + * Return 0 on success, -1 if no unused UIDs are available. 
+ */ +-int find_new_uid (bool sys_user, +- uid_t *uid, +- /*@null@*/uid_t const *preferred_uid) ++int find_new_uid(bool sys_user, ++ uid_t *uid, ++ /*@null@*/uid_t const *preferred_uid) + { +- const struct passwd *pwd; +- uid_t uid_min, uid_max, user_id; + bool *used_uids; ++ const struct passwd *pwd; ++ uid_t uid_min, uid_max, preferred_min; ++ uid_t user_id, id; ++ uid_t lowest_found, highest_found; ++ int result; ++ int nospam = 0; + + assert (uid != NULL); + +- if (!sys_user) { +- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); +- if (uid_max < uid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"), +- Prog, (unsigned long) uid_min, (unsigned long) uid_max); +- return -1; +- } +- } else { +- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); +- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; +- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); +- if (uid_max < uid_min) { +- (void) fprintf (stderr, +- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), +- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max); ++ /* ++ * First, figure out what ID range is appropriate for ++ * automatic assignment ++ */ ++ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min); ++ if (result == EINVAL) { ++ return -1; ++ } ++ ++ /* Check if the preferred UID is available */ ++ if (preferred_uid) { ++ result = check_uid(*preferred_uid, preferred_min, uid_max, NULL); ++ if (result == 0) { ++ /* ++ * Make sure the UID isn't queued for use already ++ */ ++ if (pw_locate_uid (*preferred_uid) == NULL) { ++ *uid = *preferred_uid; ++ return 0; ++ } ++ /* ++ * pw_locate_uid() found the UID in an as-yet uncommitted ++ * entry. We'll proceed below and auto-set an UID. ++ */ ++ } else if (result == EEXIST || result == ERANGE) { ++ /* ++ * Continue on below. 
At this time, we won't ++ * treat these two cases differently. ++ */ ++ } else { ++ /* ++ * An unexpected error occurred. We should report ++ * this and fail the user creation. ++ * This differs from the automatic creation ++ * behavior below, since if a specific UID was ++ * requested and generated an error, the user is ++ * more likely to want to stop and address the ++ * issue. ++ */ ++ fprintf(stderr, ++ _("%s: Encountered error attempting to use " ++ "preferred UID: %s\n"), ++ Prog, strerror(result)); + return -1; + } + } ++ ++ /* ++ * Search the entire passwd file, ++ * looking for the next unused value. ++ * ++ * We first check the local database with pw_rewind/pw_next to find ++ * all local values that are in use. ++ * ++ * We then compare the next free value to all databases (local and ++ * remote) and iterate until we find a free one. If there are free ++ * values beyond the lowest (system users) or highest (non-system ++ * users), we will prefer those and avoid potentially reclaiming a ++ * deleted user (which can be a security issue, since it may grant ++ * access to files belonging to that former user). ++ * ++ * If there are no UIDs available at the end of the search, we will ++ * have no choice but to iterate through the range looking for gaps. 
++ * ++ */ ++ ++ /* Create an array to hold all of the discovered UIDs */ + used_uids = malloc (sizeof (bool) * (uid_max +1)); + if (NULL == used_uids) { + fprintf (stderr, +- _("%s: failed to allocate memory: %s\n"), +- Prog, strerror (errno)); ++ _("%s: failed to allocate memory: %s\n"), ++ Prog, strerror (errno)); + return -1; + } + memset (used_uids, false, sizeof (bool) * (uid_max + 1)); + +- if ( (NULL != preferred_uid) +- && (*preferred_uid >= uid_min) +- && (*preferred_uid <= uid_max) +- /* Check if the user exists according to NSS */ +- && (getpwuid (*preferred_uid) == NULL) +- /* Check also the local database in case of uncommitted +- * changes */ +- && (pw_locate_uid (*preferred_uid) == NULL)) { +- *uid = *preferred_uid; +- free (used_uids); +- return 0; +- } ++ /* First look for the lowest and highest value in the local database */ ++ (void) pw_rewind (); ++ highest_found = uid_min; ++ lowest_found = uid_max; ++ while ((pwd = pw_next ()) != NULL) { ++ /* ++ * Does this entry have a lower UID than the lowest we've found ++ * so far? ++ */ ++ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) { ++ lowest_found = pwd->pw_uid - 1; ++ } + ++ /* ++ * Does this entry have a higher UID than the highest we've found ++ * so far? ++ */ ++ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) { ++ highest_found = pwd->pw_uid + 1; ++ } ++ ++ /* create index of used UIDs */ ++ if (pwd->pw_uid >= uid_min ++ && pwd->pw_uid <= uid_max) { ++ ++ used_uids[pwd->pw_uid] = true; ++ } ++ } + +- /* +- * Search the entire password file, +- * looking for the largest unused value. +- * +- * We check the list of users according to NSS (setpwent/getpwent), +- * but we also check the local database (pw_rewind/pw_next) in case +- * some users were created but the changes were not committed yet. +- */ + if (sys_user) { +- uid_t id; +- /* setpwent / getpwent / endpwent can be very slow with +- * LDAP configurations (and many accounts). 
+- * Since there is a limited amount of IDs to be tested +- * for system accounts, we just check the existence +- * of IDs with getpwuid. +- */ +- user_id = uid_max; +- for (id = uid_max; id >= uid_min; id--) { +- if (getpwuid (id) != NULL) { +- user_id = id - 1; +- used_uids[id] = true; +- } ++ /* ++ * For system users, we want to start from the ++ * top of the range and work downwards. ++ */ ++ ++ /* ++ * At the conclusion of the pw_next() search, we will either ++ * have a presumed-free UID or we will be at UID_MIN - 1. ++ */ ++ if (lowest_found < uid_min) { ++ /* ++ * In this case, an UID is in use at UID_MIN. ++ * ++ * We will reset the search to UID_MAX and proceed down ++ * through all the UIDs (skipping those we detected with ++ * used_uids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted UID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign UIDs ++ * explicitly). ++ */ ++ lowest_found = uid_max; + } + +- (void) pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { +- user_id = pwd->pw_uid - 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ /* Search through all of the IDs in the range */ ++ for (id = lowest_found; id >= uid_min; id--) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system UID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ + } + } +- } else { +- user_id = uid_min; +- setpwent (); +- while ((pwd = getpwent ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; ++ ++ /* ++ * If we get all the way through the loop, try again from UID_MAX, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) ++ * cycles *again* if we fall into this case with lowest_found as ++ * UID_MAX - 1, all users in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (lowest_found != uid_max) { ++ for (id = uid_max; id >= uid_min; id--) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique system UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ ++ } + } + } +- endpwent (); ++ } else { /* !sys_user */ ++ /* ++ * For non-system users, we want to start from the ++ * bottom of the range and work upwards. 
++ */ + +- (void) pw_rewind (); +- while ((pwd = pw_next ()) != NULL) { +- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { +- user_id = pwd->pw_uid + 1; +- } +- /* create index of used UIDs */ +- if (pwd->pw_uid <= uid_max) { +- used_uids[pwd->pw_uid] = true; +- } ++ /* ++ * At the conclusion of the pw_next() search, we will either ++ * have a presumed-free UID or we will be at UID_MAX + 1. ++ */ ++ if (highest_found > uid_max) { ++ /* ++ * In this case, a UID is in use at UID_MAX. ++ * ++ * We will reset the search to UID_MIN and proceed up ++ * through all the UIDs (skipping those we detected with ++ * used_uids) for a free one. It is a known issue that ++ * this may result in reusing a previously-deleted UID, ++ * so administrators should be instructed to use this ++ * auto-detection with care (and prefer to assign UIDs ++ * explicitly). ++ */ ++ highest_found = uid_min; + } +- } + +- /* +- * If a user (resp. system user) with UID equal to UID_MAX (resp. +- * UID_MIN) exists, the above algorithm will give us UID_MAX+1 +- * (resp. UID_MIN-1) even if not unique. Search for the first free +- * UID starting with UID_MIN (resp. UID_MAX). +- */ +- if (sys_user) { +- if (user_id < uid_min) { +- for (user_id = uid_max; user_id >= uid_min; user_id--) { +- if (false == used_uids[user_id]) { +- break; ++ /* Search through all of the IDs in the range */ ++ for (id = highest_found; id <= uid_max; id++) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique UID (%s). 
" ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; + } +- } +- if (user_id < uid_min ) { +- fprintf (stderr, +- _("%s: Can't get unique system UID (no more available UIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, +- "no more available UID on the system")); +- free (used_uids); +- return -1; ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. ++ */ + } + } +- } else { +- if (user_id > uid_max) { +- for (user_id = uid_min; user_id <= uid_max; user_id++) { +- if (false == used_uids[user_id]) { +- break; ++ ++ /* ++ * If we get all the way through the loop, try again from UID_MIN, ++ * unless that was where we previously started. (NOTE: the worst-case ++ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) ++ * cycles *again* if we fall into this case with highest_found as ++ * UID_MIN + 1, all users in the range in use and maintained by ++ * network services such as LDAP.) ++ */ ++ if (highest_found != uid_min) { ++ for (id = uid_min; id <= uid_max; id++) { ++ result = check_uid(id, uid_min, uid_max, used_uids); ++ if (result == 0) { ++ /* This UID is available. Return it. */ ++ *uid = id; ++ free(used_uids); ++ return 0; ++ } else if (result == EEXIST) { ++ /* This UID is in use, we'll continue to the next */ ++ } else { ++ /* ++ * An unexpected error occurred. ++ * ++ * Only report it the first time to avoid spamming ++ * the logs ++ * ++ */ ++ if (!nospam) { ++ fprintf(stderr, ++ _("%s: Can't get unique UID (%s). " ++ "Suppressing additional messages.\n"), ++ Prog, strerror(result)); ++ SYSLOG((LOG_ERR, ++ "Error checking available UIDs: %s", ++ strerror(result))); ++ nospam = 1; ++ } ++ /* ++ * We will continue anyway. Hopefully a later UID ++ * will work properly. 
++ */ + } + } +- if (user_id > uid_max) { +- fprintf (stderr, +- _("%s: Can't get unique UID (no more available UIDs)\n"), +- Prog); +- SYSLOG ((LOG_WARN, "no more available UID on the system")); +- free (used_uids); +- return -1; +- } + } + } + +- free (used_uids); +- *uid = user_id; +- return 0; ++ /* The code reached here and found no available IDs in the range */ ++ fprintf(stderr, ++ _("%s: Can't get unique UID (no more available UIDs)\n"), ++ Prog); ++ SYSLOG((LOG_WARN, "no more available UIDs on the system")); ++ free(used_uids); ++ return -1; + } + diff --git a/shadow-utils.spec b/shadow-utils.spec index e3d6b90..f1edde1 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 20%{?dist} +Release: 21%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 @@ -26,10 +26,11 @@ Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.1.5.1-manfix.patch Patch16: shadow-4.1.5.1-crypt-null.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch -Patch18: shadow-4.1.5.1-group-alloc.patch +Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.1.5.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch +Patch22: shadow-4.1.5.1-audit-update.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -75,10 +76,11 @@ are used for managing group accounts. %patch15 -p1 -b .manfix %patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel -%patch18 -p1 -b .group-alloc +%patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing %patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home +%patch22 -p1 -b .audit-update iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
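Review bot: `check_uid()` in the new find_new_uid.c swallows NSS lookup failures: after `errno = 0; if (getpwuid(uid) != NULL) return EEXIST;` the errno check is commented out (`/* ignore errors for now * if (errno != 0) { return errno; } */`), so a directory outage (LDAP/SSSD unreachable) makes every remote UID look free and a new local account can be given a UID that already belongs to a network user — exactly the file-ownership hazard the block comment above warns about, and it also makes the "Encountered error attempting to use preferred UID" and "Can't get unique UID (%s)" branches in `find_new_uid()` unreachable, since `check_uid()` can now only return 0, EEXIST or ERANGE. The check was presumably disabled because some NSS backends set errno on a plain not-found; if so, whitelist those values instead of discarding every error, e.g. `if (errno != 0 && errno != ENOENT && errno != ESRCH) return errno;`, and at minimum re-enable it for the explicit `preferred_uid` path where the caller asked for a specific ID. Separately, `uid_t` is unsigned, so if login.defs allows `SYS_UID_MIN` of 0 the descending loops `for (id = lowest_found; id >= uid_min; id--)` never terminate and `lowest_found = pwd->pw_uid - 1` wraps for uid 0; a `if (id == uid_min) break;` at the bottom of those loops, or rejecting a 0 minimum in `get_ranges()`, would close that. The hunk ends after `find_new_uid()`, so callers in useradd.c are not visible here.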
@@ -236,6 +238,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Oct 17 2014 Tomáš Mráz - 2:4.1.5.1-21 +- update auditing to cover more events and fix some incorrect audit + records - patch by Steve Grubb (#1151580) +- apply the same new allocation algorithm to uids as for gids + * Wed Sep 10 2014 Tomas Mraz - 2:4.1.5.1-20 - discard obsolete matchpathcon cache after semanage_commit() From e77fc2805ecf0c47db1b8dd4b4ce797d57fec20d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 20 Oct 2014 13:49:44 +0200 Subject: [PATCH 109/151] Cast gid_t to unsigned long when printing. --- shadow-4.1.5.1-audit-update.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.1.5.1-audit-update.patch index c25db61..75964de 100644 --- a/shadow-4.1.5.1-audit-update.patch +++ b/shadow-4.1.5.1-audit-update.patch @@ -1006,7 +1006,7 @@ diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c + 511 - strlen(info_passwd.audit_msg)); + free(nv_pair); + } -+ snprintf(nv, sizeof(nv), " gid=%lu", group_id); ++ snprintf(nv, sizeof(nv), " gid=%lu", (unsigned long)group_id); + strncat(info_group.audit_msg, nv, 511 - strlen(info_group.audit_msg)); + strncat(info_passwd.audit_msg, nv, 511 - strlen(info_passwd.audit_msg)); + @@ -1073,7 +1073,7 @@ diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c #endif } if (gflg) { -+ snprintf(nv, sizeof(nv), " new_gid=%lu", group_newid); ++ snprintf(nv, sizeof(nv), " new_gid=%lu", (unsigned long)group_newid); + strncat(info_group.audit_msg, nv, + 511 - strlen(info_group.audit_msg)); + strncat(info_passwd.audit_msg, nv, From 04260e2340ced2cf2fbda7a1234707d8cee549eb Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 25 Nov 2014 11:58:16 +0100 Subject: [PATCH 110/151] small adjustments to the audit patch --- shadow-4.1.5.1-audit-update.patch | 8 ++++---- shadow-utils.spec | 5 ++++- 2 files changed, 8 insertions(+), 5 deletions(-) 
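Review bot: The cast to `unsigned long` in the groupmod.c `snprintf(nv, sizeof(nv), " gid=%lu", (unsigned long)group_id);` line is correct, but the lines it feeds, `strncat(info_group.audit_msg, nv, 511 - strlen(info_group.audit_msg));`, compute the bound in unsigned arithmetic: once `audit_msg` already holds 511 or more characters the bound wraps to near `SIZE_MAX` and `strncat` writes past the buffer, and the literal 511 presumably encodes a 512-byte array whose declaration is not in this hunk. Derive the bound from the array and guard it, e.g. `size_t used = strlen(info_group.audit_msg); if (used < sizeof(info_group.audit_msg) - 1) strncat(info_group.audit_msg, nv, sizeof(info_group.audit_msg) - 1 - used);`, or track the write offset and use `snprintf` throughout. The same pattern repeats for `info_passwd.audit_msg` and in the `@@ -1073` hunk for `new_gid`. The enclosing function starts and ends outside these hunks.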
diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.1.5.1-audit-update.patch index 75964de..17930bf 100644 --- a/shadow-4.1.5.1-audit-update.patch +++ b/shadow-4.1.5.1-audit-update.patch @@ -2111,7 +2111,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c - "changing admin name in shadow group", - user_name, AUDIT_NO_ID, 1); + audit_logger_with_group (AUDIT_GRP_MGMT, Prog, -+ "update-admin-name-in-group", ++ "update-admin-name-in-shadow-group", + user_name, AUDIT_NO_ID, nsgrp->sg_name, + SHADOW_AUDIT_SUCCESS); #endif @@ -2125,7 +2125,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c - "changing member in shadow group", - user_name, AUDIT_NO_ID, 1); + audit_logger_with_group (AUDIT_USER_MGMT, Prog, -+ "update-member-in-group", ++ "update-member-in-shadow-group", + user_name, AUDIT_NO_ID, + nsgrp->sg_name, 1); #endif @@ -2139,7 +2139,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c - "removing user from shadow group", - user_name, AUDIT_NO_ID, 1); + audit_logger_with_group (AUDIT_USER_MGMT, Prog, -+ "delete-user-from-group", ++ "delete-user-from-shadow-group", + user_name, AUDIT_NO_ID, + nsgrp->sg_name, 1); #endif @@ -2153,7 +2153,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c - "adding user to shadow group", - user_newname, AUDIT_NO_ID, 1); + audit_logger_with_group (AUDIT_USER_MGMT, Prog, -+ "add-user-to-group", ++ "add-user-to-shadow-group", + user_newname, AUDIT_NO_ID, + nsgrp->sg_name, 1); #endif diff --git a/shadow-utils.spec b/shadow-utils.spec index f1edde1..faf9749 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.5.1 -Release: 21%{?dist} +Release: 22%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 
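Review bot: While renaming the op strings in `update_gshadow()`, the three `audit_logger_with_group(AUDIT_USER_MGMT, ...)` calls for `update-member-in-shadow-group`, `delete-user-from-shadow-group` and `add-user-to-shadow-group` still pass the magic literal `1` as the result flag, whereas the sibling `update-admin-name-in-shadow-group` call two hunks up uses `SHADOW_AUDIT_SUCCESS`; the new audit code elsewhere in this patch also uses the named constants. Change `nsgrp->sg_name, 1);` to `nsgrp->sg_name, SHADOW_AUDIT_SUCCESS);` in those three calls so the meaning of the flag is explicit to whoever reads the audit records and the code. It is also worth confirming whether the admin-name call should be `AUDIT_GRP_MGMT` while the member calls are `AUDIT_USER_MGMT`, since the hunks do not show the rationale for the split. `update_gshadow()` starts and ends outside these hunks.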
@@ -238,6 +238,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Nov 25 2014 Tomáš Mráz - 2:4.1.5.1-22 +- small adjustments to the audit patch + * Fri Oct 17 2014 Tomáš Mráz - 2:4.1.5.1-21 - update auditing to cover more events and fix some incorrect audit records - patch by Steve Grubb (#1151580) From 8b4e03b99440f35550118f0d102b3ffc1622586f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 26 Nov 2014 15:58:28 +0100 Subject: [PATCH 111/151] new upstream release with support for subordinate uids and gids --- .gitignore | 2 + shadow-4.1.5.1-crypt-null.patch | 195 ------ shadow-4.1.5.1-date-parsing.patch | 138 ----- shadow-4.1.5.1-goodname.patch | 35 -- shadow-4.1.5.1-info-parent-dir.patch | 12 - shadow-4.1.5.1-manfix.patch | 272 --------- shadow-4.1.5.1-merge-group.patch | 27 - ...e.patch => shadow-4.2.1-audit-update.patch | 563 ++++++++++-------- shadow-4.2.1-date-parsing.patch | 68 +++ shadow-4.2.1-manfix.patch | 78 +++ shadow-4.2.1-merge-group.patch | 13 + shadow-utils.spec | 31 +- sources | 4 +- 13 files changed, 514 insertions(+), 924 deletions(-) delete mode 100644 shadow-4.1.5.1-crypt-null.patch delete mode 100644 shadow-4.1.5.1-date-parsing.patch delete mode 100644 shadow-4.1.5.1-manfix.patch delete mode 100644 shadow-4.1.5.1-merge-group.patch rename shadow-4.1.5.1-audit-update.patch => shadow-4.2.1-audit-update.patch (86%) create mode 100644 shadow-4.2.1-date-parsing.patch create mode 100644 shadow-4.2.1-manfix.patch create mode 100644 shadow-4.2.1-merge-group.patch diff --git a/.gitignore b/.gitignore index f5997c1..e78a553 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,5 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.5.tar.bz2 /shadow-4.1.5.1.tar.bz2 /shadow-4.1.5.1.tar.bz2.sig +/shadow-4.2.1.tar.xz +/shadow-4.2.1.tar.xz.sig diff --git a/shadow-4.1.5.1-crypt-null.patch b/shadow-4.1.5.1-crypt-null.patch deleted file mode 100644 index fba72e7..0000000 --- a/shadow-4.1.5.1-crypt-null.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -diff -up shadow-4.1.5.1/lib/encrypt.c.crypt-null shadow-4.1.5.1/lib/encrypt.c ---- shadow-4.1.5.1/lib/encrypt.c.crypt-null 2010-08-22 15:05:02.000000000 +0200 -+++ shadow-4.1.5.1/lib/encrypt.c 2013-07-25 12:27:30.438355782 +0200 -@@ -49,11 +49,10 @@ - if (!cp) { - /* - * Single Unix Spec: crypt() may return a null pointer, -- * and set errno to indicate an error. The caller doesn't -- * expect us to return NULL, so... -+ * and set errno to indicate an error. In this case return -+ * the NULL so the caller can handle appropriately. - */ -- perror ("crypt"); -- exit (EXIT_FAILURE); -+ return cp; - } - - /* The GNU crypt does not return NULL if the algorithm is not -diff -up shadow-4.1.5.1/libmisc/valid.c.crypt-null shadow-4.1.5.1/libmisc/valid.c ---- shadow-4.1.5.1/libmisc/valid.c.crypt-null 2010-08-22 21:14:41.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/valid.c 2013-07-25 12:27:30.440355847 +0200 -@@ -95,6 +95,7 @@ bool valid (const char *password, const - */ - - if ( (NULL != ent->pw_name) -+ && (NULL != encrypted) - && (strcmp (encrypted, ent->pw_passwd) == 0)) { - return true; - } else { -diff -up shadow-4.1.5.1/lib/pwauth.c.crypt-null shadow-4.1.5.1/lib/pwauth.c ---- shadow-4.1.5.1/lib/pwauth.c.crypt-null 2009-07-13 00:24:48.000000000 +0200 -+++ shadow-4.1.5.1/lib/pwauth.c 2013-07-25 12:27:30.438355782 +0200 -@@ -73,6 +73,7 @@ int pw_auth (const char *cipher, - char prompt[1024]; - char *clear = NULL; - const char *cp; -+ const char *encrypted; - int retval; - - #ifdef SKEY -@@ -177,7 +178,11 @@ int pw_auth (const char *cipher, - * the results there as well. 
- */ - -- retval = strcmp (pw_encrypt (input, cipher), cipher); -+ encrypted = pw_encrypt (input, cipher); -+ if (encrypted!=NULL) -+ retval = strcmp (encrypted, cipher); -+ else -+ retval = -1; - - #ifdef SKEY - /* -diff -up shadow-4.1.5.1/src/chgpasswd.c.crypt-null shadow-4.1.5.1/src/chgpasswd.c ---- shadow-4.1.5.1/src/chgpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 -+++ shadow-4.1.5.1/src/chgpasswd.c 2013-07-25 12:27:30.440355847 +0200 -@@ -469,6 +469,10 @@ int main (int argc, char **argv) - #endif - cp = pw_encrypt (newpwd, - crypt_make_salt (crypt_method, arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - } - - /* -diff -up shadow-4.1.5.1/src/chpasswd.c.crypt-null shadow-4.1.5.1/src/chpasswd.c ---- shadow-4.1.5.1/src/chpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 -+++ shadow-4.1.5.1/src/chpasswd.c 2013-07-25 12:27:30.440355847 +0200 -@@ -492,6 +492,10 @@ int main (int argc, char **argv) - #endif - cp = pw_encrypt (newpwd, - crypt_make_salt(crypt_method, arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - } - - /* -diff -up shadow-4.1.5.1/src/gpasswd.c.crypt-null shadow-4.1.5.1/src/gpasswd.c ---- shadow-4.1.5.1/src/gpasswd.c.crypt-null 2011-11-19 23:55:04.000000000 +0100 -+++ shadow-4.1.5.1/src/gpasswd.c 2013-07-25 12:27:30.441355866 +0200 -@@ -939,6 +939,10 @@ static void change_passwd (struct group - } - - cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); -+ if (cp==NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - memzero (pass, sizeof pass); - #ifdef SHADOWGRP - if (is_shadowgrp) { -diff -up shadow-4.1.5.1/src/newgrp.c.crypt-null shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.crypt-null 2011-07-30 03:50:01.000000000 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2013-07-25 12:27:30.442355881 +0200 -@@ -184,7 +184,8 @@ static void check_perms (const struct gr - cpasswd = pw_encrypt (cp, grp->gr_passwd); - strzero (cp); - -- if (grp->gr_passwd[0] == '\0' || -+ 
if (cpasswd == NULL || -+ grp->gr_passwd[0] == '\0' || - strcmp (cpasswd, grp->gr_passwd) != 0) { - #ifdef WITH_AUDIT - snprintf (audit_buf, sizeof(audit_buf), -diff -up shadow-4.1.5.1/src/newusers.c.crypt-null shadow-4.1.5.1/src/newusers.c ---- shadow-4.1.5.1/src/newusers.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 -+++ shadow-4.1.5.1/src/newusers.c 2013-07-25 12:27:30.442355881 +0200 -@@ -387,6 +387,7 @@ static int add_user (const char *name, u - static void update_passwd (struct passwd *pwd, const char *password) - { - void *crypt_arg = NULL; -+ char *cp; - if (crypt_method != NULL) { - #ifdef USE_SHA_CRYPT - if (sflg) { -@@ -398,9 +399,13 @@ static void update_passwd (struct passwd - if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) { - pwd->pw_passwd = (char *)password; - } else { -- pwd->pw_passwd = pw_encrypt (password, -- crypt_make_salt (crypt_method, -- crypt_arg)); -+ cp=pw_encrypt (password, crypt_make_salt (crypt_method, -+ crypt_arg)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } -+ pwd->pw_passwd = cp; - } - } - #endif /* !USE_PAM */ -@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pw - { - const struct spwd *sp; - struct spwd spent; -+ char *cp; - - #ifndef USE_PAM - void *crypt_arg = NULL; -@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pw - } else { - const char *salt = crypt_make_salt (crypt_method, - crypt_arg); -- spent.sp_pwdp = pw_encrypt (password, salt); -+ cp = pw_encrypt (password, salt); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } -+ spent.sp_pwdp = cp; - } - spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE; - if (0 == spent.sp_lstchg) { -@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pw - spent.sp_pwdp = (char *)password; - } else { - const char *salt = crypt_make_salt (crypt_method, crypt_arg); -- spent.sp_pwdp = pw_encrypt (password, salt); -+ cp = pw_encrypt (password, salt); -+ if (cp == NULL) { -+ perror ("crypt"); -+ 
exit (EXIT_FAILURE); -+ } -+ spent.sp_pwdp = cp; - } - #else - /* -diff -up shadow-4.1.5.1/src/passwd.c.crypt-null shadow-4.1.5.1/src/passwd.c ---- shadow-4.1.5.1/src/passwd.c.crypt-null 2012-02-13 21:32:01.000000000 +0100 -+++ shadow-4.1.5.1/src/passwd.c 2013-07-25 12:27:30.443355896 +0200 -@@ -242,7 +242,7 @@ static int new_password (const struct pa - } - - cipher = pw_encrypt (clear, crypt_passwd); -- if (strcmp (cipher, crypt_passwd) != 0) { -+ if ((cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)) { - strzero (clear); - strzero (cipher); - SYSLOG ((LOG_WARN, "incorrect password for %s", -@@ -349,6 +349,10 @@ static int new_password (const struct pa - * Encrypt the password, then wipe the cleartext password. - */ - cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); -+ if (cp == NULL) { -+ perror ("crypt"); -+ exit (EXIT_FAILURE); -+ } - memzero (pass, sizeof pass); - - #ifdef HAVE_LIBCRACK_HIST diff --git a/shadow-4.1.5.1-date-parsing.patch b/shadow-4.1.5.1-date-parsing.patch deleted file mode 100644 index 38ec091..0000000 --- a/shadow-4.1.5.1-date-parsing.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -diff -up shadow-4.1.5.1/libmisc/getdate.c.date-parsing shadow-4.1.5.1/libmisc/getdate.c ---- shadow-4.1.5.1/libmisc/getdate.c.date-parsing 2008-06-14 00:07:51.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/getdate.c 2014-08-29 13:41:22.553267506 +0200 -@@ -261,6 +261,7 @@ static int yyHaveDay; - static int yyHaveRel; - static int yyHaveTime; - static int yyHaveZone; -+static int yyHaveYear; - static int yyTimezone; - static int yyDay; - static int yyHour; -@@ -1730,6 +1731,7 @@ yyreduce: - yyDay = (yyvsp[(3) - (5)].Number); - yyYear = (yyvsp[(5) - (5)].Number); - } -+ yyHaveYear++; - } - break; - -@@ -1740,6 +1742,7 @@ yyreduce: - yyYear = (yyvsp[(1) - (3)].Number); - yyMonth = -(yyvsp[(2) - (3)].Number); - yyDay = -(yyvsp[(3) - (3)].Number); -+ yyHaveYear++; - } - break; - -@@ -1750,6 +1753,7 @@ yyreduce: - yyDay = (yyvsp[(1) - (3)].Number); - yyMonth = (yyvsp[(2) - (3)].Number); - yyYear = -(yyvsp[(3) - (3)].Number); -+ yyHaveYear++; - } - break; - -@@ -1767,6 +1771,7 @@ yyreduce: - yyMonth = (yyvsp[(1) - (4)].Number); - yyDay = (yyvsp[(2) - (4)].Number); - yyYear = (yyvsp[(4) - (4)].Number); -+ yyHaveYear++; - } - break; - -@@ -1784,6 +1789,7 @@ yyreduce: - yyMonth = (yyvsp[(2) - (3)].Number); - yyDay = (yyvsp[(1) - (3)].Number); - yyYear = (yyvsp[(3) - (3)].Number); -+ yyHaveYear++; - } - break; - -@@ -1928,7 +1934,8 @@ yyreduce: - case 49: - #line 397 "getdate.y" - { -- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) -+ if ((yyHaveTime != 0 || (yyvsp[(1) - (1)].Number) >= 100) && !yyHaveYear -+ && (yyHaveDate != 0) && (yyHaveRel == 0)) - yyYear = (yyvsp[(1) - (1)].Number); - else - { -@@ -2556,7 +2563,7 @@ yylex (void) - return LookupWord (buff); - } - if (c != '(') -- return *yyInput++; -+ return (unsigned char)*yyInput++; - Count = 0; - do - { -diff -up shadow-4.1.5.1/libmisc/getdate.y.date-parsing shadow-4.1.5.1/libmisc/getdate.y ---- shadow-4.1.5.1/libmisc/getdate.y.date-parsing 2008-05-26 10:57:51.000000000 +0200 -+++ 
shadow-4.1.5.1/libmisc/getdate.y 2014-08-29 13:40:37.502229879 +0200 -@@ -152,6 +152,7 @@ static int yyHaveDay; - static int yyHaveRel; - static int yyHaveTime; - static int yyHaveZone; -+static int yyHaveYear; - static int yyTimezone; - static int yyDay; - static int yyHour; -@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER { - yyDay = $3; - yyYear = $5; - } -+ yyHaveYear++; - } - | tUNUMBER tSNUMBER tSNUMBER { - /* ISO 8601 format. yyyy-mm-dd. */ - yyYear = $1; - yyMonth = -$2; - yyDay = -$3; -+ yyHaveYear++; - } - | tUNUMBER tMONTH tSNUMBER { - /* e.g. 17-JUN-1992. */ - yyDay = $1; - yyMonth = $2; - yyYear = -$3; -+ yyHaveYear++; - } - | tMONTH tUNUMBER { - yyMonth = $1; -@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER { - yyMonth = $1; - yyDay = $2; - yyYear = $4; -+ yyHaveYear++; - } - | tUNUMBER tMONTH { - yyMonth = $2; -@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER { - yyMonth = $2; - yyDay = $1; - yyYear = $3; -+ yyHaveYear++; - } - ; - -@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT { - - number : tUNUMBER - { -- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) -+ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear -+ && (yyHaveDate != 0) && (yyHaveRel == 0)) - yyYear = $1; - else - { -@@ -802,7 +809,7 @@ yylex (void) - return LookupWord (buff); - } - if (c != '(') -- return *yyInput++; -+ return (unsigned char)*yyInput++; - Count = 0; - do - { diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.1.5.1-goodname.patch index 06c0de6..15c98a7 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.1.5.1-goodname.patch 
@@ -72,41 +72,6 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/groupadd.8 ---- shadow-4.1.5.1/man/man8/groupadd.8.goodname 2012-05-25 13:58:40.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/groupadd.8 2014-09-09 17:28:46.330300342 +0200 -@@ -190,9 +190,7 @@ Shadow password suite configuration\&. - .RE - .SH "CAVEATS" - .PP --Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? --.PP --Groupnames may only be up to 16 characters long\&. -+Groupnames may only be up to 32 characters long\&. - .PP - You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. - .PP -diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/useradd.8 ---- shadow-4.1.5.1/man/man8/useradd.8.goodname 2012-05-25 13:59:28.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/useradd.8 2014-09-09 17:28:46.330300342 +0200 -@@ -224,7 +224,7 @@ is not enabled, no home directories are - .PP - \fB\-M\fR - .RS 4 --Do no create the user\*(Aqs home directory, even if the system wide setting from -+Do not create the user\*(Aqs home directory, even if the system wide setting from - /etc/login\&.defs - (\fBCREATE_HOME\fR) is set to - \fIyes\fR\&. -@@ -430,8 +430,6 @@ Similarly, if the username already exist - \fBuseradd\fR - will deny the user account creation request\&. - .PP --Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? --.PP - Usernames may only be up to 32 characters long\&. 
- .SH "CONFIGURATION" - .PP diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml --- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 +++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 diff --git a/shadow-4.1.5.1-info-parent-dir.patch b/shadow-4.1.5.1-info-parent-dir.patch index d2bc009..b05e5bb 100644 --- a/shadow-4.1.5.1-info-parent-dir.patch +++ b/shadow-4.1.5.1-info-parent-dir.patch 
@@ -1,15 +1,3 @@ -diff -up shadow-4.1.5.1/man/man8/newusers.8.info-parent-dir shadow-4.1.5.1/man/man8/newusers.8 ---- shadow-4.1.5.1/man/man8/newusers.8.info-parent-dir 2012-05-25 13:59:09.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/newusers.8 2012-09-19 18:47:17.203525237 +0200 -@@ -99,7 +99,7 @@ This field is copied in the GECOS field - .RS 4 - This field is used to define the home directory of the user\&. - .sp --If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. -+If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&. - .sp - If the home directory of an existing user is changed, - \fBnewusers\fR diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml --- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 +++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch deleted file mode 100644 index 2963c98..0000000 --- a/shadow-4.1.5.1-manfix.patch +++ /dev/null 
@@ -1,272 +0,0 @@ -diff -up shadow-4.1.5.1/man/chage.1.xml.manfix shadow-4.1.5.1/man/chage.1.xml ---- shadow-4.1.5.1/man/chage.1.xml.manfix 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/chage.1.xml 2014-08-29 13:36:57.713167654 +0200 -@@ -102,6 +102,9 @@ - Set the number of days since January 1st, 1970 when the password - was last changed. The date may also be expressed in the format - YYYY-MM-DD (or the format more commonly used in your area). -+ If the LAST_DAY is set to -+ 0 the user is forced to change his password -+ on the next log on. - - - -diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml ---- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/login.defs.5.xml 2014-08-29 13:31:38.364812323 +0200 -@@ -160,6 +160,17 @@ - long numeric parameters is machine-dependent. - - -+ -+ Please note that the parameters in this configuration file control the -+ behavior of the tools from the shadow-utils component. None of these -+ tools uses the PAM mechanism, and the utilities that use PAM (such as the -+ passwd command) should be configured elsewhere. The only values that -+ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS -+ for pam_unix module, FAIL_DELAY for pam_faildelay module, -+ and UMASK for pam_umask module. Refer to -+ pam(8) for more information. -+ -+ - The following configuration items are provided: - - -diff -up shadow-4.1.5.1/man/man1/chage.1.manfix shadow-4.1.5.1/man/man1/chage.1 ---- shadow-4.1.5.1/man/man1/chage.1.manfix 2012-05-25 13:58:18.000000000 +0200 -+++ shadow-4.1.5.1/man/man1/chage.1 2014-08-29 13:36:31.303559366 +0200 -@@ -45,7 +45,11 @@ command are: - .PP - \fB\-d\fR, \fB\-\-lastday\fR \fILAST_DAY\fR - .RS 4 --Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. 
-+Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. If the -+\fILAST_DAY\fR -+is set to -+\fB0\fR -+the user is forced to change his password on the next log on\&. - .RE - .PP - \fB\-E\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR -diff -up shadow-4.1.5.1/man/man5/login.defs.5.manfix shadow-4.1.5.1/man/man5/login.defs.5 ---- shadow-4.1.5.1/man/man5/login.defs.5.manfix 2012-05-25 13:59:03.000000000 +0200 -+++ shadow-4.1.5.1/man/man5/login.defs.5 2014-08-29 13:31:38.364812323 +0200 -@@ -46,6 +46,14 @@ value\&. Numbers (both regular and long) - \fI0\fR) or hexadecimal values (precede the value with - \fI0x\fR)\&. The maximum value of the regular and long numeric parameters is machine\-dependent\&. - .PP -+Please note that the parameters in this configuration file control the -+behavior of the tools from the shadow-utils component\&. None of these -+tools uses the PAM mechanism, and the utilities that use PAM (such as the -+passwd command) should be configured elsewhere\&. The only values that -+affect PAM modules are \fBENCRYPT_METHOD\fR and \fBSHA_CRYPT_MAX_ROUNDS\fR for pam_unix module, -+\fBFAIL_DELAY\fR for pam_faildelay module, and \fBUMASK\fR for pam_umask module\&. Refer to -+pam(8) for more information\&. -+.PP - The following configuration items are provided: - .PP - \fBCHFN_AUTH\fR (boolean) -@@ -625,20 +633,6 @@ will create by default a group with the - .PP - The following cross references show which programs in the shadow password suite use which parameters\&. 
- .PP --chfn --.RS 4 -- --CHFN_AUTH --CHFN_RESTRICT --LOGIN_STRING --.RE --.PP --chgpasswd --.RS 4 --ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB --SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS --.RE --.PP - chpasswd - .RS 4 - -@@ -646,11 +640,6 @@ ENCRYPT_METHOD MD5_CRYPT_ENAB - SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS - .RE - .PP --chsh --.RS 4 --CHSH_AUTH LOGIN_STRING --.RE --.PP - gpasswd - .RS 4 - ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB -@@ -692,29 +681,6 @@ grpunconv - MAX_MEMBERS_PER_GROUP - .RE - .PP --login --.RS 4 -- --CONSOLE --CONSOLE_GROUPS DEFAULT_HOME --ENV_HZ ENV_PATH ENV_SUPATH ENV_TZ ENVIRON_FILE --ERASECHAR FAIL_DELAY --FAILLOG_ENAB --FAKE_SHELL --FTMP_FILE --HUSHLOGIN_FILE --ISSUE_FILE --KILLCHAR --LASTLOG_ENAB --LOGIN_RETRIES --LOGIN_STRING --LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB --MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB --TTYGROUP TTYPERM TTYTYPE_FILE --ULIMIT UMASK --USERGROUPS_ENAB --.RE --.PP - newgrp / sg - .RS 4 - SYSLOG_SG_ENAB -@@ -727,12 +693,6 @@ SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUND - SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK - .RE - .PP --passwd --.RS 4 --ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN --SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS --.RE --.PP - pwck - .RS 4 - PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE -@@ -743,26 +703,6 @@ pwconv - PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE - .RE - .PP --su --.RS 4 -- --CONSOLE --CONSOLE_GROUPS DEFAULT_HOME --ENV_HZ ENVIRON_FILE --ENV_PATH ENV_SUPATH --ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE QUOTAS_ENAB --SULOG_FILE SU_NAME --SU_WHEEL_ONLY --SYSLOG_SU_ENAB --USERGROUPS_ENAB --.RE --.PP --sulogin --.RS 4 --ENV_HZ --ENV_TZ --.RE --.PP - useradd - .RS 4 - CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX 
UID_MIN UMASK -diff -up shadow-4.1.5.1/man/man8/useradd.8.manfix shadow-4.1.5.1/man/man8/useradd.8 ---- shadow-4.1.5.1/man/man8/useradd.8.manfix 2014-08-29 13:31:38.347811932 +0200 -+++ shadow-4.1.5.1/man/man8/useradd.8 2014-08-29 13:31:38.364812323 +0200 -@@ -85,7 +85,7 @@ by default\&. - Any text string\&. It is generally a short description of the login, and is currently used as the field for the user\*(Aqs full name\&. - .RE - .PP --\fB\-d\fR, \fB\-\-home\fR \fIHOME_DIR\fR -+\fB\-d\fR, \fB\-\-home\-dir\fR \fIHOME_DIR\fR - .RS 4 - The new user will be created using - \fIHOME_DIR\fR -@@ -220,9 +220,13 @@ option) will be copied to the home direc - By default, if this option is not specified and - \fBCREATE_HOME\fR - is not enabled, no home directories are created\&. -+.sp -+The directory where the user\*(Aqs home directory is created must -+exist and have proper SELinux context and permissions\&. Otherwise -+the user\*(Aqs home directory cannot be created or accessed\&. - .RE - .PP --\fB\-M\fR -+\fB\-M\fR, \fB\-\-no\-create\-home\fR - .RS 4 - Do not create the user\*(Aqs home directory, even if the system wide setting from - /etc/login\&.defs -diff -up shadow-4.1.5.1/man/man8/usermod.8.manfix shadow-4.1.5.1/man/man8/usermod.8 ---- shadow-4.1.5.1/man/man8/usermod.8.manfix 2012-05-25 13:59:33.000000000 +0200 -+++ shadow-4.1.5.1/man/man8/usermod.8 2014-08-29 13:35:27.343086211 +0200 -@@ -63,7 +63,7 @@ The user\*(Aqs new login directory\&. - .sp - If the - \fB\-m\fR --option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. -+option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. If the current home directory does not exist the new home directory will not be created\&. 
- .RE - .PP - \fB\-e\fR, \fB\-\-expiredate\fR \fIEXPIRE_DATE\fR -@@ -143,7 +143,7 @@ Move the content of the user\*(Aqs home - This option is only valid in combination with the - \fB\-d\fR - (or --\fB\-\-home\fR) option\&. -+\fB\-\-home\fR) option\&. If the current home directory does not exist the new home directory will not be created\&. - .sp - - \fBusermod\fR -diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2014-08-29 13:31:38.347811932 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2014-08-29 13:31:38.364812323 +0200 -@@ -161,7 +161,7 @@ - - - -- , -+ , - HOME_DIR - - -@@ -358,11 +358,16 @@ - is not enabled, no home - directories are created. - -+ -+ The directory where the user's home directory is created must -+ exist and have proper SELinux context and permissions. Otherwise -+ the user's home directory cannot be created or accessed. -+ - - - - -- -+ , - - - -diff -up shadow-4.1.5.1/man/usermod.8.xml.manfix shadow-4.1.5.1/man/usermod.8.xml ---- shadow-4.1.5.1/man/usermod.8.xml.manfix 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/usermod.8.xml 2014-08-29 13:33:40.814632618 +0200 -@@ -132,7 +132,8 @@ - If the - option is given, the contents of the current home directory will - be moved to the new home directory, which is created if it does -- not already exist. -+ not already exist. If the current home directory does not exist -+ the new home directory will not be created. - - - -@@ -261,7 +262,8 @@ - - - Move the content of the user's home directory to the new -- location. -+ location. If the current home directory does not exist -+ the new home directory will not be created. - - - This option is only valid in combination with the diff --git a/shadow-4.1.5.1-merge-group.patch b/shadow-4.1.5.1-merge-group.patch deleted file mode 100644 index f5cea10..0000000 --- a/shadow-4.1.5.1-merge-group.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -diff -up shadow-4.1.5.1/lib/groupio.c.merge-group shadow-4.1.5.1/lib/groupio.c ---- shadow-4.1.5.1/lib/groupio.c.merge-group 2011-02-16 21:32:24.000000000 +0100 -+++ shadow-4.1.5.1/lib/groupio.c 2013-01-29 13:56:43.049275513 +0100 -@@ -330,12 +330,12 @@ static /*@null@*/struct commonio_entry * - - /* Concatenate the 2 lines */ - new_line_len = strlen (gr1->line) + strlen (gr2->line) +1; -- new_line = (char *)malloc ((new_line_len + 1) * sizeof(char*)); -+ new_line = (char *)malloc (new_line_len + 1); - if (NULL == new_line) { - errno = ENOMEM; - return NULL; - } -- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); -+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); - new_line[new_line_len] = '\0'; - - /* Concatenate the 2 list of members */ -@@ -353,7 +353,7 @@ static /*@null@*/struct commonio_entry * - members++; - } - } -- new_members = (char **)malloc ( (members+1) * sizeof(char*) ); -+ new_members = (char **)calloc (members+1, sizeof(char*)); - if (NULL == new_members) { - free (new_line); - errno = ENOMEM; diff --git a/shadow-4.1.5.1-audit-update.patch b/shadow-4.2.1-audit-update.patch similarity index 86% rename from shadow-4.1.5.1-audit-update.patch rename to shadow-4.2.1-audit-update.patch index 17930bf..8f2edf8 100644 --- a/shadow-4.1.5.1-audit-update.patch +++ b/shadow-4.2.1-audit-update.patch 
@@ -1,31 +1,6 @@ -diff -urp shadow-4.1.5.1.orig/lib/prototypes.h shadow-4.1.5.1/lib/prototypes.h ---- shadow-4.1.5.1.orig/lib/prototypes.h 2014-09-13 15:45:54.953829562 -0400 -+++ shadow-4.1.5.1/lib/prototypes.h 2014-10-14 08:39:23.785884075 -0400 -@@ -195,12 +195,21 @@ extern int audit_fd; - extern void audit_help_open (void); - /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ - #define AUDIT_NO_ID ((unsigned int) -1) -+#ifndef AUDIT_GRP_MGMT -+#define AUDIT_GRP_MGMT 1132 /* Group account was modified */ -+#endif -+#ifndef AUDIT_GRP_CHAUTHTOK -+#define AUDIT_GRP_CHAUTHTOK 1133 /* Group account password was changed */ -+#endif - typedef enum { - SHADOW_AUDIT_FAILURE = 0, - SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result; - extern void audit_logger (int type, const char *pgname, const char *op, - const char *name, unsigned int id, - shadow_audit_result result); -+void audit_logger_with_group (int type, unused const char *pgname, -+ const char *op, const char *name, unsigned int id, -+ const char *grp, shadow_audit_result result); - void audit_logger_message (const char *message, shadow_audit_result result); - #endif - -diff -urp shadow-4.1.5.1.orig/libmisc/audit_help.c shadow-4.1.5.1/libmisc/audit_help.c ---- shadow-4.1.5.1.orig/libmisc/audit_help.c 2010-08-21 07:41:28.000000000 -0400 -+++ shadow-4.1.5.1/libmisc/audit_help.c 2014-10-14 08:39:23.785884075 -0400 +diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/audit_help.c +--- shadow-4.2.1/libmisc/audit_help.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/audit_help.c 2014-11-26 15:06:24.663660558 +0100 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: 
@@ -75,9 +50,9 @@ diff -urp shadow-4.1.5.1.orig/libmisc/audit_help.c shadow-4.1.5.1/libmisc/audit_ void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_group.c shadow-4.1.5.1/libmisc/cleanup_group.c ---- shadow-4.1.5.1.orig/libmisc/cleanup_group.c 2008-12-23 17:45:18.000000000 -0500 -+++ shadow-4.1.5.1/libmisc/cleanup_group.c 2014-10-14 09:00:33.594753105 -0400 +diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/cleanup_group.c +--- shadow-4.2.1/libmisc/cleanup_group.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/cleanup_group.c 2014-11-26 15:06:24.663660558 +0100 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -156,9 +131,9 @@ diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_group.c shadow-4.1.5.1/libmisc/cle SHADOW_AUDIT_FAILURE); #endif } -diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_user.c shadow-4.1.5.1/libmisc/cleanup_user.c ---- shadow-4.1.5.1.orig/libmisc/cleanup_user.c 2008-12-23 17:45:18.000000000 -0500 -+++ shadow-4.1.5.1/libmisc/cleanup_user.c 2014-10-14 09:01:51.878745031 -0400 +diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/cleanup_user.c +--- shadow-4.2.1/libmisc/cleanup_user.c.audit-update 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/cleanup_user.c 2014-11-26 15:06:24.663660558 +0100 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); 
@@ -206,99 +181,34 @@ diff -urp shadow-4.1.5.1.orig/libmisc/cleanup_user.c shadow-4.1.5.1/libmisc/clea SHADOW_AUDIT_FAILURE); #endif } -diff -urp shadow-4.1.5.1.orig/src/chage.c shadow-4.1.5.1/src/chage.c ---- shadow-4.1.5.1.orig/src/chage.c 2011-11-19 17:54:47.000000000 -0500 -+++ shadow-4.1.5.1/src/chage.c 2014-10-14 08:39:23.787884075 -0400 -@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int - - #ifdef WITH_AUDIT - if (E_SUCCESS != code) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change age", -- user_name, (unsigned int) user_uid, 0); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_FAILURE); - } +diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes.h +--- shadow-4.2.1/lib/prototypes.h.audit-update 2014-11-26 15:06:24.644660498 +0100 ++++ shadow-4.2.1/lib/prototypes.h 2014-11-26 15:06:24.663660558 +0100 +@@ -208,12 +208,21 @@ extern int audit_fd; + extern void audit_help_open (void); + /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ + #define AUDIT_NO_ID ((unsigned int) -1) ++#ifndef AUDIT_GRP_MGMT ++#define AUDIT_GRP_MGMT 1132 /* Group account was modified */ ++#endif ++#ifndef AUDIT_GRP_CHAUTHTOK ++#define AUDIT_GRP_CHAUTHTOK 1133 /* Group account password was changed */ ++#endif + typedef enum { + SHADOW_AUDIT_FAILURE = 0, + SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result; + extern void audit_logger (int type, const char *pgname, const char *op, + const char *name, unsigned int id, + shadow_audit_result result); ++void audit_logger_with_group (int type, unused const char *pgname, ++ const char *op, const char *name, unsigned int id, ++ const char *grp, shadow_audit_result result); + void audit_logger_message (const char *message, shadow_audit_result result); #endif -@@ -873,11 +874,7 @@ int main (int argc, char **argv) - fprintf (stderr, _("%s: Permission denied.\n"), Prog); - fail_exit (E_NOPERM); - } --#ifdef WITH_AUDIT 
-- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "display aging info", -- user_name, (unsigned int) user_uid, 1); --#endif -+ /* Displaying fields is not of interest to audit */ - list_fields (); - fail_exit (E_SUCCESS); - } -@@ -896,41 +893,43 @@ int main (int argc, char **argv) - } - #ifdef WITH_AUDIT - else { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change all aging information", -- user_name, (unsigned int) user_uid, 1); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-all-aging-information", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_SUCCESS); - } - #endif - } else { - #ifdef WITH_AUDIT - if (Mflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change max age", -- user_name, (unsigned int) user_uid, 1); -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-max-age", -+ user_name, (unsigned int) user_uid, -+ SHADOW_AUDIT_SUCCESS); - } - if (mflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change min age", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-min-age", - user_name, (unsigned int) user_uid, 1); - } - if (dflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change last change date", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-last-change-date", - user_name, (unsigned int) user_uid, 1); - } - if (Wflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change passwd warning", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-passwd-warning", - user_name, (unsigned int) user_uid, 1); - } - if (Iflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change inactive days", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-inactive-days", - user_name, (unsigned int) user_uid, 1); - } - if (Eflg) { -- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -- "change passwd expiration", -+ audit_logger (AUDIT_USER_MGMT, Prog, -+ "change-passwd-expiration", - user_name, (unsigned int) user_uid, 1); - } - #endif -diff -urp shadow-4.1.5.1.orig/src/gpasswd.c shadow-4.1.5.1/src/gpasswd.c ---- shadow-4.1.5.1.orig/src/gpasswd.c 
2014-09-13 15:45:54.989829559 -0400 -+++ shadow-4.1.5.1/src/gpasswd.c 2014-10-14 08:43:07.393861012 -0400 +diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c +--- shadow-4.2.1/src/gpasswd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/gpasswd.c 2014-11-26 15:06:24.664660561 +0100 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -562,9 +472,9 @@ diff -urp shadow-4.1.5.1.orig/src/gpasswd.c shadow-4.1.5.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -urp shadow-4.1.5.1.orig/src/groupadd.c shadow-4.1.5.1/src/groupadd.c ---- shadow-4.1.5.1.orig/src/groupadd.c 2011-11-18 16:23:30.000000000 -0500 -+++ shadow-4.1.5.1/src/groupadd.c 2014-10-14 08:39:23.800884073 -0400 +diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c +--- shadow-4.2.1/src/groupadd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupadd.c 2014-11-26 15:06:24.664660561 +0100 @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -740,9 +650,9 @@ diff -urp shadow-4.1.5.1.orig/src/groupadd.c shadow-4.1.5.1/src/groupadd.c } } -diff -urp shadow-4.1.5.1.orig/src/groupdel.c shadow-4.1.5.1/src/groupdel.c ---- shadow-4.1.5.1.orig/src/groupdel.c 2011-11-18 16:23:30.000000000 -0500 -+++ shadow-4.1.5.1/src/groupdel.c 2014-10-14 08:39:23.801884073 -0400 +diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c +--- shadow-4.2.1/src/groupdel.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupdel.c 2014-11-26 15:06:24.665660564 +0100 @@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } 
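Review bot: The `AUDIT_GRP_MGMT` / `AUDIT_GRP_CHAUTHTOK` fallback defines in the relocated `lib/prototypes.h` hunk carry no comment saying where 1132 and 1133 come from, so the next rebase cannot tell whether those numbers may be touched. The `#ifndef` guard is the right shape — a libaudit header that already defines them wins and an identical redefinition is harmless — but header-local constants will silently diverge if the upstream numbering is ever different. A one-line comment above the first guard would pin the intent: `/* Fallbacks for libaudit headers that predate these types; values must match linux/audit.h. */`. The `audit_logger_with_group` prototype also carries `unused` on `pgname`; presumably that is the project's attribute macro, and it belongs on the definition rather than in the declaration.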
@@ -912,9 +822,9 @@ diff -urp shadow-4.1.5.1.orig/src/groupdel.c shadow-4.1.5.1/src/groupdel.c } #endif -diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c ---- shadow-4.1.5.1.orig/src/groupmod.c 2011-11-18 16:23:30.000000000 -0500 -+++ shadow-4.1.5.1/src/groupmod.c 2014-10-14 08:49:28.517821702 -0400 +diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c +--- shadow-4.2.1/src/groupmod.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/groupmod.c 2014-11-26 15:06:24.665660564 +0100 @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } 
@@ -1108,10 +1018,100 @@ diff -urp shadow-4.1.5.1.orig/src/groupmod.c shadow-4.1.5.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1.orig/src/newgrp.c 2014-09-13 15:45:55.010829557 -0400 -+++ shadow-4.1.5.1/src/newgrp.c 2014-10-14 08:39:23.802884073 -0400 -@@ -197,11 +197,12 @@ static void check_perms (const struct gr +diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c +--- shadow-4.2.1/src/chage.c.audit-update 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chage.c 2014-11-26 15:06:24.663660558 +0100 +@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int + + #ifdef WITH_AUDIT + if (E_SUCCESS != code) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change age", +- user_name, (unsigned int) user_uid, 0); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-age", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_FAILURE); + } + #endif + +@@ -873,11 +874,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: Permission denied.\n"), Prog); + fail_exit (E_NOPERM); + } +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "display aging info", +- user_name, (unsigned int) user_uid, 1); +-#endif ++ /* Displaying fields is not of interest to audit */ + list_fields (); + fail_exit (E_SUCCESS); + } +@@ -896,41 +893,43 @@ int main (int argc, char **argv) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change all aging information", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-all-aging-information", ++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + #endif + } else { + #ifdef WITH_AUDIT + if (Mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change max age", +- user_name, (unsigned int) user_uid, 1); ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-max-age", 
++ user_name, (unsigned int) user_uid, ++ SHADOW_AUDIT_SUCCESS); + } + if (mflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change min age", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-min-age", + user_name, (unsigned int) user_uid, 1); + } + if (dflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change last change date", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-last-change-date", + user_name, (unsigned int) user_uid, 1); + } + if (Wflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd warning", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-warning", + user_name, (unsigned int) user_uid, 1); + } + if (Iflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change inactive days", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-inactive-days", + user_name, (unsigned int) user_uid, 1); + } + if (Eflg) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "change passwd expiration", ++ audit_logger (AUDIT_USER_MGMT, Prog, ++ "change-passwd-expiration", + user_name, (unsigned int) user_uid, 1); + } + #endif +diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c +--- shadow-4.2.1/src/newgrp.c.audit-update 2014-11-26 15:06:24.660660548 +0100 ++++ shadow-4.2.1/src/newgrp.c 2014-11-26 15:06:24.666660567 +0100 +@@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1126,7 +1126,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif SYSLOG ((LOG_INFO, "Invalid password for group '%s' from '%s'", -@@ -212,11 +213,12 @@ static void check_perms (const struct gr +@@ -221,11 +222,12 @@ static void check_perms (const struct gr } #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), 
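Review bot: In the relocated chage.c hunk the calls for `change-min-age`, `change-last-change-date`, `change-passwd-warning`, `change-inactive-days` and `change-passwd-expiration` keep the result argument as the bare literal `1` (their ` user_name, (unsigned int) user_uid, 1);` line stays inner context), while `change-age`, `change-all-aging-information` and `change-max-age` are switched to `SHADOW_AUDIT_FAILURE` / `SHADOW_AUDIT_SUCCESS`. The value is the same, but the mixed style reads as if those five calls were missed; since this rebase rewrites the hunk anyway, turning those five context lines into `-`/`+` pairs ending in `SHADOW_AUDIT_SUCCESS);` would make the block uniform. The enclosing `main` of chage.c starts and ends outside this hunk.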
@@ -1141,7 +1141,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif } -@@ -227,19 +229,6 @@ failure: +@@ -236,19 +238,6 @@ failure: * harm. -- JWP */ closelog (); @@ -1161,7 +1161,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c exit (EXIT_FAILURE); } -@@ -308,15 +297,27 @@ static void syslog_sg (const char *name, +@@ -317,15 +306,27 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { @@ -1193,7 +1193,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -442,7 +443,7 @@ int main (int argc, char **argv) +@@ -451,7 +452,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1202,7 +1202,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -558,15 +559,26 @@ int main (int argc, char **argv) +@@ -567,15 +568,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1233,7 +1233,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -707,10 +719,10 @@ int main (int argc, char **argv) +@@ -716,10 +728,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1246,7 +1246,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -719,10 +731,10 @@ int main (int argc, char **argv) +@@ -728,10 +740,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), 
@@ -1259,7 +1259,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -736,10 +748,10 @@ int main (int argc, char **argv) +@@ -745,10 +757,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1272,7 +1272,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -803,11 +815,11 @@ int main (int argc, char **argv) +@@ -812,11 +824,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1286,7 +1286,7 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -831,15 +843,24 @@ int main (int argc, char **argv) +@@ -840,15 +852,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1315,10 +1315,10 @@ diff -urp shadow-4.1.5.1.orig/src/newgrp.c shadow-4.1.5.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1.orig/src/useradd.c 2014-09-13 15:45:54.957829561 -0400 -+++ shadow-4.1.5.1/src/useradd.c 2014-10-14 08:52:53.066800605 -0400 -@@ -205,6 +205,8 @@ static void create_mail (void); +diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c +--- shadow-4.2.1/src/useradd.c.audit-update 2014-11-26 15:06:24.648660511 +0100 ++++ shadow-4.2.1/src/useradd.c 2014-11-26 15:14:02.446087183 +0100 +@@ -222,6 +222,8 @@ static void create_mail (void); */ static void fail_exit (int code) { 
@@ -1327,7 +1327,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c if (home_added) { if (rmdir (user_home) != 0) { fprintf (stderr, -@@ -218,12 +220,6 @@ static void fail_exit (int code) +@@ -235,12 +237,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1340,7 +1340,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } -@@ -231,12 +227,6 @@ static void fail_exit (int code) +@@ -248,12 +244,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1353,7 +1353,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } -@@ -244,12 +234,6 @@ static void fail_exit (int code) +@@ -261,12 +251,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1366,7 +1366,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } -@@ -258,20 +242,19 @@ static void fail_exit (int code) +@@ -275,12 +259,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); 
@@ -1379,7 +1379,33 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c /* continue */ } } - #endif +@@ -290,12 +268,6 @@ static void fail_exit (int code) + if (sub_uid_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate user file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } +@@ -303,20 +275,19 @@ static void fail_exit (int code) + if (sub_gid_unlock () == 0) { + fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate group file", +- user_name, AUDIT_NO_ID, +- SHADOW_AUDIT_FAILURE); +-#endif + /* continue */ + } + } + #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, @@ -1394,7 +1420,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -578,7 +561,7 @@ static int set_defaults (void) +@@ -623,7 +594,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1403,7 +1429,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -848,12 +831,6 @@ static void grp_update (void) +@@ -893,12 +864,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); 
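Review bot: The new inner hunks `-290,12 +268,6` and `-303,20 +275,19` drop the `unlocking subordinate user file` / `unlocking subordinate group file` audit records from useradd's `fail_exit`, so an unlock failure on `sub_uid`/`sub_gid` during error cleanup is now visible only in the `SYSLOG ((LOG_ERR, "failed to unlock %s", ...))` line and in the generic failure record `fail_exit` emits at its end (only the tail of that call is visible in this hunk). That matches how the spw/pw/gr/sgr paths are already treated in the same function, and the `close_files` counterparts at hunk `-1519,7 +1545,25` are kept and only renamed to the hyphenated form, so the audit trail still records the failed add, just without saying which unlock failed. If that collapse is intended, a sentence in the patch's own description saying the cleanup-path records were deliberately folded into the final one would save the question on the next rebase. `fail_exit` itself starts outside this hunk.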
@@ -1416,7 +1442,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -867,18 +844,12 @@ static void grp_update (void) +@@ -912,18 +877,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1438,7 +1464,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -923,12 +894,6 @@ static void grp_update (void) +@@ -968,12 +927,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1451,7 +1477,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -942,18 +907,13 @@ static void grp_update (void) +@@ -987,18 +940,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1474,7 +1500,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1296,7 +1256,7 @@ static void process_flags (int argc, cha +@@ -1341,7 +1289,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1483,7 +1509,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1385,7 +1345,7 @@ static void close_files (void) +@@ -1444,7 +1392,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1492,7 +1518,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1398,7 +1358,7 @@ static void close_files (void) +@@ -1457,7 +1405,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1501,7 +1527,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1410,7 +1370,7 @@ static void close_files (void) +@@ -1469,7 +1417,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1510,7 +1536,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1424,7 +1384,7 @@ static void close_files (void) +@@ -1483,7 +1431,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1519,7 +1545,25 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1584,7 +1544,7 @@ static void grp_add (void) +@@ -1499,7 +1447,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate user file", ++ "unlocking-subordinate-user-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1513,7 +1461,7 @@ static void close_files (void) + SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +- "unlocking subordinate group file", ++ "unlocking-subordinate-group-file", + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif +@@ -1705,7 +1653,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1528,7 +1572,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1600,7 +1560,7 @@ static void grp_add (void) +@@ -1721,7 +1669,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1537,7 +1581,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1610,7 +1570,7 @@ static void grp_add (void) +@@ -1731,7 +1679,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, 
@@ -1546,7 +1590,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1725,17 +1685,11 @@ static void usr_update (void) +@@ -1846,12 +1794,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1558,6 +1602,9 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c -#endif fail_exit (E_PW_UPDATE); } + #ifdef ENABLE_SUBIDS +@@ -1873,7 +1815,7 @@ static void usr_update (void) + #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, - "adding user", @@ -1565,7 +1612,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1771,12 +1725,6 @@ static void create_home (void) +@@ -1908,12 +1850,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), Prog, user_home); @@ -1578,7 +1625,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_HOMEDIR); } chown (user_home, user_id, user_gid); -@@ -1784,8 +1732,8 @@ static void create_home (void) +@@ -1921,8 +1857,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1589,7 +1636,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1951,12 +1899,6 @@ int main (int argc, char **argv) +@@ -2098,12 +2034,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); 
@@ -1602,7 +1649,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -1972,12 +1914,6 @@ int main (int argc, char **argv) +@@ -2119,12 +2049,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1615,7 +1662,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2007,12 +1943,6 @@ int main (int argc, char **argv) +@@ -2154,12 +2078,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1628,7 +1675,7 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2057,9 +1987,10 @@ int main (int argc, char **argv) +@@ -2223,9 +2141,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1642,10 +1689,10 @@ diff -urp shadow-4.1.5.1.orig/src/useradd.c shadow-4.1.5.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c ---- shadow-4.1.5.1.orig/src/userdel.c 2014-09-13 15:45:55.001829558 -0400 -+++ shadow-4.1.5.1/src/userdel.c 2014-10-14 08:44:52.714850149 -0400 -@@ -201,9 +201,9 @@ static void update_groups (void) +diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c +--- shadow-4.2.1/src/userdel.c.audit-update 2014-11-26 15:06:24.655660533 +0100 ++++ shadow-4.2.1/src/userdel.c 2014-11-26 15:16:01.892459425 +0100 +@@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT 
@@ -1658,7 +1705,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -263,9 +263,9 @@ static void update_groups (void) +@@ -276,9 +276,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1671,7 +1718,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -342,9 +342,9 @@ static void remove_usergroup (void) +@@ -355,9 +355,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1684,7 +1731,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -360,9 +360,9 @@ static void remove_usergroup (void) +@@ -373,9 +373,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1697,7 +1744,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -478,7 +478,7 @@ static void fail_exit (int code) +@@ -537,7 +537,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1706,7 +1753,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -498,24 +498,12 @@ static void open_files (void) +@@ -557,24 +557,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); 
@@ -1731,7 +1778,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -523,12 +511,6 @@ static void open_files (void) +@@ -582,12 +570,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1744,7 +1791,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -536,12 +518,6 @@ static void open_files (void) +@@ -595,12 +577,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -1757,7 +1804,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -549,23 +525,11 @@ static void open_files (void) +@@ -608,23 +584,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1781,7 +1828,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -574,24 +538,12 @@ static void open_files (void) +@@ -633,24 +597,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); 
@@ -1806,8 +1853,58 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -622,7 +574,7 @@ static void update_user (void) +@@ -661,24 +613,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sub_uid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking subordinate user file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_UID_UPDATE); + } + sub_uid_locked = true; + if (sub_uid_open (O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening subordinate user file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_UID_UPDATE); + } } +@@ -687,24 +627,12 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sub_gid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "locking subordinate group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_GID_UPDATE); + } + sub_gid_locked = true; + if (sub_gid_open (O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_DEL_USER, Prog, +- "opening subordinate group file", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif /* WITH_AUDIT */ + fail_exit (E_SUB_GID_UPDATE); + } + } +@@ -749,7 +677,7 @@ static void update_user (void) + #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, - "deleting user entries", 
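Review bot: The new inner hunks `-661,24 +613,12` and `-687,24 +627,12` in userdel's `open_files` remove the only record that distinguished a failed lock from a failed open of `sub_uid`/`sub_gid`: what remains is an `fprintf (stderr, ...)` and then `fail_exit (E_SUB_UID_UPDATE)` / `fail_exit (E_SUB_GID_UPDATE)`, and `fail_exit` emits a single generic `AUDIT_DEL_USER` failure record (its `SHADOW_AUDIT_FAILURE` call is visible at hunk `-478,7 +537,7`). This is consistent with the pw/spw/gr/sgr paths shown at hunks `-1731` through `-1781`, but unlike the useradd cleanup paths there is no `SYSLOG` line in these two blocks, so the lock-versus-open distinction now survives only on the terminal. If that detail matters for triage, a `SYSLOG ((LOG_ERR, "cannot lock %s", sub_uid_dbname ()));` beside each fprintf (and the `cannot open` equivalent) would keep it in the system log without reinstating the audit record. `open_files` starts outside this hunk.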
@@ -1815,7 +1912,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -716,7 +668,7 @@ static int remove_mailbox (void) +@@ -843,7 +771,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1824,7 +1921,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -732,7 +684,7 @@ static int remove_mailbox (void) +@@ -859,7 +787,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1833,7 +1930,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -742,8 +694,8 @@ static int remove_mailbox (void) +@@ -869,8 +797,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1844,7 +1941,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -760,7 +712,7 @@ static int remove_mailbox (void) +@@ -887,7 +815,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1853,7 +1950,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -775,7 +727,7 @@ static int remove_mailbox (void) +@@ -902,7 +830,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1862,7 +1959,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -785,8 +737,8 @@ static int remove_mailbox (void) +@@ -912,8 +840,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1873,7 +1970,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -980,7 +932,7 @@ int main (int argc, char **argv) +@@ -1111,7 +1039,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1882,7 +1979,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1024,7 +976,7 @@ int main (int argc, char **argv) +@@ -1155,7 +1083,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1891,7 +1988,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1101,8 +1053,8 @@ int main (int argc, char **argv) +@@ -1232,8 +1160,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -1902,7 +1999,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1111,7 +1063,7 @@ int main (int argc, char **argv) +@@ -1242,7 +1170,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1911,7 +2008,7 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1124,8 +1076,8 @@ int main (int argc, char **argv) +@@ -1255,8 +1183,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -1922,10 +2019,10 @@ diff -urp shadow-4.1.5.1.orig/src/userdel.c shadow-4.1.5.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1.orig/src/usermod.c 2014-09-13 15:45:55.013829557 -0400 -+++ shadow-4.1.5.1/src/usermod.c 2014-10-14 08:50:05.817817855 -0400 -@@ -352,8 +352,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.audit-update 2014-11-26 15:06:24.661660551 +0100 ++++ shadow-4.2.1/src/usermod.c 2014-11-26 15:17:38.580760741 +0100 +@@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -1936,7 +2033,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -372,8 +372,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -467,8 +467,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -1947,7 +2044,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -384,7 +384,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -479,7 +479,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, 
@@ -1956,7 +2053,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -413,8 +413,8 @@ static void new_pwent (struct passwd *pw +@@ -508,8 +508,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -1967,7 +2064,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -434,8 +434,8 @@ static void new_pwent (struct passwd *pw +@@ -529,8 +529,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -1978,7 +2075,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -445,8 +445,8 @@ static void new_pwent (struct passwd *pw +@@ -540,8 +540,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -1989,7 +2086,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -456,8 +456,8 @@ static void new_pwent (struct passwd *pw +@@ -551,8 +551,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2000,7 +2097,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -465,8 +465,8 @@ static void new_pwent (struct passwd *pw +@@ -560,8 +560,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT 
@@ -2011,7 +2108,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -476,8 +476,8 @@ static void new_pwent (struct passwd *pw +@@ -571,8 +571,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT @@ -2022,7 +2119,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -507,8 +507,8 @@ static void new_spent (struct spwd *spen +@@ -602,8 +602,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2033,7 +2130,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -524,8 +524,8 @@ static void new_spent (struct spwd *spen +@@ -619,8 +619,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2044,8 +2141,8 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -592,9 +592,9 @@ static /*@noreturn@*/void fail_exit (int - } +@@ -703,9 +703,9 @@ static /*@noreturn@*/void fail_exit (int + #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2057,7 +2154,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif exit (code); } -@@ -648,9 +648,12 @@ static void update_group (void) +@@ -759,9 +759,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT 
@@ -2073,7 +2170,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -664,9 +667,11 @@ static void update_group (void) +@@ -775,9 +778,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2088,7 +2185,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -679,9 +684,11 @@ static void update_group (void) +@@ -790,9 +795,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2103,7 +2200,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -756,9 +763,10 @@ static void update_gshadow (void) +@@ -867,9 +874,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2117,7 +2214,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -778,9 +786,10 @@ static void update_gshadow (void) +@@ -889,9 +897,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2131,7 +2228,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -794,9 +803,10 @@ static void update_gshadow (void) +@@ -905,9 +914,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT 
@@ -2145,7 +2242,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -809,9 +819,10 @@ static void update_gshadow (void) +@@ -920,9 +930,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2159,7 +2256,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1515,8 +1526,8 @@ static void move_home (void) +@@ -1810,8 +1821,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2170,7 +2267,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1534,8 +1545,8 @@ static void move_home (void) +@@ -1829,8 +1840,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2181,7 +2278,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1554,9 +1565,9 @@ static void move_home (void) +@@ -1849,9 +1860,9 @@ static void move_home (void) Prog, user_home); } #ifdef WITH_AUDIT @@ -2193,7 +2290,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -1760,8 +1771,8 @@ static void move_mailbox (void) +@@ -2055,8 +2066,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2204,7 +2301,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1779,8 +1790,8 @@ static void move_mailbox (void) +@@ -2074,8 +2085,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { 
@@ -2215,7 +2312,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1910,8 +1921,8 @@ int main (int argc, char **argv) +@@ -2217,8 +2228,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2226,7 +2323,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1923,8 +1934,8 @@ int main (int argc, char **argv) +@@ -2230,8 +2241,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2237,7 +2334,7 @@ diff -urp shadow-4.1.5.1.orig/src/usermod.c shadow-4.1.5.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1962,8 +1973,8 @@ int main (int argc, char **argv) +@@ -2269,8 +2280,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.2.1-date-parsing.patch b/shadow-4.2.1-date-parsing.patch new file mode 100644 index 0000000..91a85ac --- /dev/null +++ b/shadow-4.2.1-date-parsing.patch 
@@ -0,0 +1,68 @@ +diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y +--- shadow-4.2.1/libmisc/getdate.y.date-parsing 2014-03-01 18:50:05.000000000 +0100 ++++ shadow-4.2.1/libmisc/getdate.y 2014-11-26 14:58:21.208153924 +0100 +@@ -152,6 +152,7 @@ static int yyHaveDay; + static int yyHaveRel; + static int yyHaveTime; + static int yyHaveZone; ++static int yyHaveYear; + static int yyTimezone; + static int yyDay; + static int yyHour; +@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER { + yyDay = $3; + yyYear = $5; + } ++ yyHaveYear++; + } + | tUNUMBER tSNUMBER tSNUMBER { + /* ISO 8601 format. yyyy-mm-dd. */ + yyYear = $1; + yyMonth = -$2; + yyDay = -$3; ++ yyHaveYear++; + } + | tUNUMBER tMONTH tSNUMBER { + /* e.g. 17-JUN-1992. */ + yyDay = $1; + yyMonth = $2; + yyYear = -$3; ++ yyHaveYear++; + } + | tMONTH tUNUMBER { + yyMonth = $1; +@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $1; + yyDay = $2; + yyYear = $4; ++ yyHaveYear++; + } + | tUNUMBER tMONTH { + yyMonth = $2; +@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER { + yyMonth = $2; + yyDay = $1; + yyYear = $3; ++ yyHaveYear++; + } + ; + +@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT { + + number : tUNUMBER + { +- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) ++ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear ++ && (yyHaveDate != 0) && (yyHaveRel == 0)) + yyYear = $1; + else + { +@@ -802,7 +809,7 @@ yylex (void) + return LookupWord (buff); + } + if (c != '(') +- return *yyInput++; ++ return (unsigned char)*yyInput++; + Count = 0; + do + { diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch new file mode 100644 index 0000000..4c6520e --- /dev/null +++ b/shadow-4.2.1-manfix.patch 
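Review bot: The new yyHaveYear counter is incremented in the date rules but nothing in this hunk resets it, whereas the existing yyHave* counters are presumably zeroed in the get_date() entry point before yyparse() runs; unless that reset is extended with `yyHaveYear = 0;`, a second get_date() call in the same process inherits the previous value and the `!yyHaveYear` test in the number rule misfires. The `$1 >= 100` heuristic that lets a bare number stand in for the year deserves a comment, e.g. `/* a bare number >= 100 with no explicit year is taken as the year */`. The `(unsigned char)` cast in yylex() is the right fix: on platforms where char is signed, bytes above 0x7f were previously returned to the parser as negative token values.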
@@ -0,0 +1,78 @@ +diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml +--- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 +@@ -102,6 +102,9 @@ + Set the number of days since January 1st, 1970 when the password + was last changed. The date may also be expressed in the format + YYYY-MM-DD (or the format more commonly used in your area). ++ If the LAST_DAY is set to ++ 0 the user is forced to change his password ++ on the next log on. + + + +diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml +--- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 ++++ shadow-4.2.1/man/login.defs.5.xml 2014-11-26 15:34:51.257978963 +0100 +@@ -162,6 +162,17 @@ + long numeric parameters is machine-dependent. + + ++ ++ Please note that the parameters in this configuration file control the ++ behavior of the tools from the shadow-utils component. None of these ++ tools uses the PAM mechanism, and the utilities that use PAM (such as the ++ passwd command) should be configured elsewhere. The only values that ++ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS ++ for pam_unix module, FAIL_DELAY for pam_faildelay module, ++ and UMASK for pam_umask module. Refer to ++ pam(8) for more information. ++ ++ + The following configuration items are provided: + + +diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml +--- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 ++++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 +@@ -347,11 +347,16 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. 
++ + + + + +- ++ , + + + +diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml +--- shadow-4.2.1/man/usermod.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/usermod.8.xml 2014-11-26 15:34:51.257978963 +0100 +@@ -132,7 +132,8 @@ + If the + option is given, the contents of the current home directory will + be moved to the new home directory, which is created if it does +- not already exist. ++ not already exist. If the current home directory does not exist ++ the new home directory will not be created. + + + +@@ -256,7 +257,8 @@ + + + Move the content of the user's home directory to the new +- location. ++ location. If the current home directory does not exist ++ the new home directory will not be created. + + + This option is only valid in combination with the diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch new file mode 100644 index 0000000..1adcabd --- /dev/null +++ b/shadow-4.2.1-merge-group.patch @@ -0,0 +1,13 @@ +diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c +--- shadow-4.2.1/lib/groupio.c.merge-group 2014-11-26 14:33:54.039581662 +0100 ++++ shadow-4.2.1/lib/groupio.c 2014-11-26 14:46:02.841852886 +0100 +@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry * + errno = ENOMEM; + return NULL; + } +- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); +- new_line[new_line_len] = '\0'; ++ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); + + /* Concatenate the 2 list of members */ + for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-utils.spec b/shadow-utils.spec index faf9749..0e04237 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
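Review bot: The corrected `snprintf(new_line, new_line_len + 1, ...)` is only safe if new_line was allocated with new_line_len + 1 bytes, and that allocation sits just above the hunk where it cannot be checked here; a comment at the call site, e.g. `/* new_line holds new_line_len + 1 bytes, see the allocation above */`, ties the two together. The snprintf return value is still unchecked, so a mismatch between new_line_len and the actual lengths of gr1->line and gr2->line would silently truncate the merged entry; comparing the result against new_line_len would catch that. The enclosing function begins and ends outside the hunk.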
@@ -1,11 +1,11 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.5.1 -Release: 22%{?dist} +Version: 4.2.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 -Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2.sig +Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz +Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Source4: shadow-bsd.txt @@ -17,20 +17,19 @@ Patch3: shadow-4.1.5-uflg.patch Patch6: shadow-4.1.5.1-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch Patch8: shadow-4.1.5.1-backup-mode.patch -Patch9: shadow-4.1.5.1-merge-group.patch +Patch9: shadow-4.2.1-merge-group.patch Patch10: shadow-4.1.5.1-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.1.5.1-manfix.patch -Patch16: shadow-4.1.5.1-crypt-null.patch +Patch15: shadow-4.2.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-id-alloc.patch -Patch19: shadow-4.1.5.1-date-parsing.patch +Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.1.5.1-audit-update.patch +Patch22: shadow-4.2.1-audit-update.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -38,6 +37,7 @@ BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel BuildRequires: libacl-devel libattr-devel +BuildRequires: bison flex gnome-doc-utils #BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 
@@ -74,7 +74,6 @@ are used for managing group accounts. %patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix -%patch16 -p1 -b .crypt-null %patch17 -p1 -b .userdel %patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing @@ -87,6 +86,8 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . +rm libmisc/getdate.c + #rm po/*.gmo #rm po/stamp-po #aclocal @@ -107,6 +108,7 @@ export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %configure \ --enable-shadowgrp \ + --enable-man \ --with-audit \ --with-sha-crypt \ --with-selinux \ @@ -207,6 +209,8 @@ rm -rf $RPM_BUILD_ROOT %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp +%attr(4755,root,root) %{_bindir}/newgidmap +%attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0750,root,root) %{_sbindir}/user* %attr(0750,root,root) %{_sbindir}/group* @@ -221,10 +225,14 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* %{_mandir}/man3/shadow.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* %{_mandir}/man5/gshadow.5* +%{_mandir}/man5/subuid.5* +%{_mandir}/man5/subgid.5* %{_mandir}/man8/adduser.8* %{_mandir}/man8/group*.8* %{_mandir}/man8/user*.8* @@ -238,6 +246,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Nov 26 2014 Tomáš Mráz - 2:4.2.1-1 +- new upstream release with support for subordinate uids and gids + * Tue Nov 25 2014 Tomáš Mráz - 2:4.1.5.1-22 - small adjustments to the audit patch diff --git a/sources b/sources index 888eac7..9a96021 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -a00449aa439c69287b6d472191dc2247 shadow-4.1.5.1.tar.bz2 -f16f31f6f5a607b1ffb1aa1aac4c37f2 shadow-4.1.5.1.tar.bz2.sig +2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz +6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig From 283bf24723e0f61dbe631e3997d030fd6802353d Mon Sep 17 00:00:00 2001 
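Review bot: The %files hunk adds newuidmap and newgidmap as setuid-root binaries (`%attr(4755,root,root)`), which are the only new privileged entry points visible in this update, so the changelog line `new upstream release with support for subordinate uids and gids` should say so explicitly, and it is worth confirming that the subuid(5)/subgid(5) configuration files these binaries consult are owned by the package (not visible in this hunk). The `rm libmisc/getdate.c` line in %prep, together with the new `bison flex` BuildRequires, forces the parser to be regenerated so the date-parsing patch to getdate.y actually takes effect; a one-line comment above it, e.g. `# regenerate the parser from the patched getdate.y`, would explain the removal.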
From: Dennis Gilmore Date: Fri, 19 Jun 2015 00:44:03 +0000 Subject: [PATCH 112/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 0e04237..26569bb 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -246,6 +246,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jun 19 2015 Fedora Release Engineering - 2:4.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + * Wed Nov 26 2014 Tomáš Mráz - 2:4.2.1-1 - new upstream release with support for subordinate uids and gids From 25899fefb05e983b4403720125a756665943cf13 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 27 Aug 2015 15:53:13 +0200 Subject: [PATCH 113/151] Multiple fixes. - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd --- shadow-4.2.1-defs-chroot.patch | 24 +++++++++++++++++++ shadow-4.2.1-no-lock-dos.patch | 15 ++++++++++++ shadow-4.2.1-usermod-unlock.patch | 39 +++++++++++++++++++++++++++++++ shadow-utils.spec | 14 ++++++++++- 4 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-defs-chroot.patch create mode 100644 shadow-4.2.1-no-lock-dos.patch create mode 100644 shadow-4.2.1-usermod-unlock.patch diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.2.1-defs-chroot.patch new file mode 100644 index 0000000..827ad40 --- /dev/null +++ b/shadow-4.2.1-defs-chroot.patch 
@@ -0,0 +1,24 @@ +diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c +--- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100 ++++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200 +@@ -1938,8 +1938,8 @@ int main (int argc, char **argv) + #endif /* ACCT_TOOLS_SETUID */ + + /* Needed for userns check */ +- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ uid_t uid_min; ++ uid_t uid_max; + + /* + * Get my name so that I can use it to report errors. +@@ -1957,6 +1957,9 @@ int main (int argc, char **argv) + audit_help_open (); + #endif + ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ + sys_ngroups = sysconf (_SC_NGROUPS_MAX); + user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); + /* diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch new file mode 100644 index 0000000..58fd605 --- /dev/null +++ b/shadow-4.2.1-no-lock-dos.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c +--- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200 ++++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200 +@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil + int retval; + char buf[32]; + +- fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600); ++ /* We depend here on the fact, that the file name is pid-specific. ++ * So no O_EXCL here and no DoS. ++ */ ++ fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600); + if (-1 == fd) { + if (log) { + (void) fprintf (stderr, diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.2.1-usermod-unlock.patch new file mode 100644 index 0000000..85403cd --- /dev/null +++ b/shadow-4.2.1-usermod-unlock.patch 
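Review bot: Dropping O_EXCL in do_lock_file() means whatever already exists at `file` is opened and truncated, and because O_NOFOLLOW is not set a symlink at that path would be followed; `fd = open (file, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0600);` keeps the no-DoS behaviour at no cost, even though the lock directory is normally writable only by root. The new comment explains that the name is pid-specific; it should also say that a stale file left by an earlier process with the same pid is therefore intentionally overwritten. do_lock_file() begins and ends outside the hunk.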
@@ -0,0 +1,39 @@ +diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.unlock 2014-12-01 15:14:58.000000000 +0100 ++++ shadow-4.2.1/src/usermod.c 2015-08-27 14:31:50.899712180 +0200 +@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas + strcat (buf, pw_pass); + pw_pass = buf; + } else if (Uflg && pw_pass[0] == '!') { +- char *s; ++ char *s = pw_pass; + +- if (pw_pass[1] == '\0') { ++ while ('!' == *s) ++ ++s; ++ ++ if (*s == '\0') { + fprintf (stderr, + _("%s: unlocking the user's password would result in a passwordless account.\n" + "You should set a password with usermod -p to unlock this user's password.\n"), +@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas + user_newname, (unsigned int) user_newid, 1); + #endif + SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); +- s = pw_pass; +- while ('\0' != *s) { +- *s = *(s + 1); +- s++; +- } ++ memmove (pw_pass, s, strlen (s) + 1); + } else if (pflg) { ++ if (strchr (user_pass, ':') != NULL) { ++ fprintf (stderr, ++ _("%s: The password field cannot contain a colon character.\n"), ++ Prog); ++ return pw_pass; ++ ++ } + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "updating-password", diff --git a/shadow-utils.spec b/shadow-utils.spec index 26569bb..48d0f8b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz 
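Review bot: The new colon check in the pflg branch rejects ':' but not '\n', and a newline in user_pass would equally break the passwd/shadow entry by ending the line early; `if (strpbrk (user_pass, ":\n") != NULL)` covers both. After printing the message the code returns the old pw_pass and continues, so usermod writes its other changes and exits as if everything succeeded, leaving the caller no way to tell that the password was not updated; exiting with the status usermod already uses for invalid option arguments would be the safer outcome. The `while ('!' == *s) ++s;` loop now strips every leading '!' so entries locked by both passwd -l and usermod -L unlock, which matches the commit message; new_pw_passwd() begins and ends outside the hunk.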
@@ -30,6 +30,9 @@ Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch Patch22: shadow-4.2.1-audit-update.patch +Patch23: shadow-4.2.1-usermod-unlock.patch +Patch24: shadow-4.2.1-no-lock-dos.patch +Patch25: shadow-4.2.1-defs-chroot.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -80,6 +83,9 @@ are used for managing group accounts. %patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update +%patch23 -p1 -b .unlock +%patch24 -p1 -b .no-lock-dos +%patch25 -p1 -b .defs-chroot iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -246,6 +252,12 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Aug 27 2015 Tomáš Mráz - 2:4.2.1-3 +- unlock also passwords locked with passwd -l +- prevent breaking user entry by entering a password containing colon +- fix possible DoS when locking the database files for update +- properly use login.defs from the chroot in useradd + * Fri Jun 19 2015 Fedora Release Engineering - 2:4.2.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild From c2f1a1c502a09dc27d80637e6c730ab7f0ef525d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 6 Nov 2015 14:34:35 +0100 Subject: [PATCH 114/151] document that groupmems is not setuid root - document that expiration of the password after inactivity period locks the user account completely --- shadow-4.2.1-manfix.patch | 41 +++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch index 4c6520e..0a26db8 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch 
@@ -1,3 +1,30 @@ +diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml +--- shadow-4.2.1/man/groupmems.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/groupmems.8.xml 2015-11-06 14:21:03.013060324 +0100 +@@ -179,20 +179,10 @@ + + SETUP + +- The groupmems executable should be in mode +- 2770 as user root and in group +- groups. The system administrator can add users to +- group groups to allow or disallow them using the +- groupmems utility to manage their own group +- membership list. ++ In this operating system the groupmems executable ++ is not setuid and regular users cannot use it to manipulate ++ the membership of their own group. + +- +- +- $ groupadd -r groups +- $ chmod 2770 groupmems +- $ chown root.groups groupmems +- $ groupmems -g groups -a gk4 +- + + + diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml --- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 +++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 
@@ -32,6 +59,20 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: +diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml +--- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 +@@ -208,8 +208,8 @@ + + + After expiration of the password and this expiration period is +- elapsed, no login is possible using the current user's +- password. The user should contact her administrator. ++ elapsed, no login is possible for the user. ++ The user should contact her administrator. + + + An empty field means that there are no enforcement of an diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml --- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 +++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 diff --git a/shadow-utils.spec b/shadow-utils.spec index 48d0f8b..691f414 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -252,6 +252,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Nov 6 2015 Tomáš Mráz - 2:4.2.1-4 +- document that groupmems is not setuid root +- document that expiration of the password after inactivity period + locks the user account completely + * Thu Aug 27 2015 Tomáš Mráz - 2:4.2.1-3 - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon From 4e08f5dd0a44e73017bc6753aacfb0c3ab4ca124 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 14 Dec 2015 17:57:58 +0100 Subject: [PATCH 115/151] Remove obsolete patch. --- shadow-4.1.5-grremove.patch | 45 ------------------------------------- 1 file changed, 45 deletions(-) delete mode 100644 shadow-4.1.5-grremove.patch diff --git a/shadow-4.1.5-grremove.patch b/shadow-4.1.5-grremove.patch deleted file mode 100644 index 09e673a..0000000 --- a/shadow-4.1.5-grremove.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff -up shadow-4.1.5/src/userdel.c.grremove shadow-4.1.5/src/userdel.c ---- shadow-4.1.5/src/userdel.c.grremove 2012-03-20 12:19:13.260854838 +0100 -+++ shadow-4.1.5/src/userdel.c 2012-03-20 12:38:26.235622957 +0100 -@@ -333,22 +333,22 @@ static void remove_usergroup (void) - * We can remove this group, it is not the primary - * group of any remaining user. - */ -- if (gr_remove (grp->gr_name) == 0) { -+ if (gr_remove (user_name) == 0) { - fprintf (stderr, - _("%s: cannot remove entry '%s' from %s\n"), -- Prog, grp->gr_name, gr_dbname ()); -+ Prog, user_name, gr_dbname ()); - fail_exit (E_GRP_UPDATE); - } - - #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_GROUP, Prog, - "deleting group", -- grp->gr_name, AUDIT_NO_ID, -+ user_name, AUDIT_NO_ID, - SHADOW_AUDIT_SUCCESS); - #endif /* WITH_AUDIT */ - SYSLOG ((LOG_INFO, - "removed group '%s' owned by '%s'\n", -- grp->gr_name, user_name)); -+ user_name, user_name)); - - #ifdef SHADOWGRP - if (sgr_locate (user_name) != NULL) { -@@ -361,12 +361,12 @@ static void remove_usergroup (void) - #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_GROUP, Prog, - "deleting shadow group", -- grp->gr_name, AUDIT_NO_ID, -+ user_name, AUDIT_NO_ID, - SHADOW_AUDIT_SUCCESS); - #endif /* WITH_AUDIT */ - SYSLOG ((LOG_INFO, - "removed shadow group '%s' owned by '%s'\n", -- grp->gr_name, user_name)); -+ user_name, user_name)); - - } - #endif /* SHADOWGRP */ From 904910f545376a3d17ae736976623aa1af764f09 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 8 Jan 2016 10:02:12 +0100 Subject: [PATCH 116/151] do not use obscure permissions for binaries - remove unused commands from login.defs(5) cross-reference --- shadow-4.2.1-manfix.patch | 144 +++++++++++++++++++++++++++++++++++++- shadow-utils.spec | 10 ++- 2 files changed, 150 insertions(+), 4 deletions(-) diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch index 0a26db8..04fcb4a 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch @@ -38,9 +38,23 @@ diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml +diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/login.defs.5 +--- shadow-4.2.1/man/ja/man5/login.defs.5.manfix 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/ja/man5/login.defs.5 2016-01-08 09:58:29.591702354 +0100 +@@ -147,10 +147,6 @@ 以下の参照表は、 + shadow パスワード機能のどのプログラムが + どのパラメータを使用するかを示したものである。 + .na +-.IP chfn 12 +-CHFN_AUTH CHFN_RESTRICT +-.IP chsh 12 +-CHFN_AUTH + .IP groupadd 12 + GID_MAX GID_MIN + .IP newusers 12 diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml --- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 -+++ shadow-4.2.1/man/login.defs.5.xml 2014-11-26 15:34:51.257978963 +0100 ++++ shadow-4.2.1/man/login.defs.5.xml 2016-01-08 09:59:35.854169787 +0100 @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. 
@@ -59,6 +73,134 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: +@@ -252,26 +263,6 @@ + + + +- chfn +- +- +- CHFN_AUTH +- CHFN_RESTRICT +- LOGIN_STRING +- +- +- +- +- chgpasswd +- +- +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB +- SHA_CRYPT_MAX_ROUNDS +- SHA_CRYPT_MIN_ROUNDS +- +- +- +- + chpasswd + + +@@ -282,14 +273,6 @@ + + + +- +- chsh +- +- +- CHSH_AUTH LOGIN_STRING +- +- +- + + + +@@ -350,34 +333,6 @@ + + + +- +- login +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE +- ERASECHAR FAIL_DELAY +- FAILLOG_ENAB +- FAKE_SHELL +- FTMP_FILE +- HUSHLOGIN_FILE +- ISSUE_FILE +- KILLCHAR +- LASTLOG_ENAB +- LOGIN_RETRIES +- LOGIN_STRING +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB +- TTYGROUP TTYPERM TTYTYPE_FILE +- ULIMIT UMASK +- USERGROUPS_ENAB +- +- +- + + + newgrp / sg +@@ -405,17 +360,6 @@ + + + +- +- passwd +- +- +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN +- SHA_CRYPT_MAX_ROUNDS +- SHA_CRYPT_MIN_ROUNDS +- +- +- + + pwck + +@@ -442,32 +386,6 @@ + + + +- +- su +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENVIRON_FILE +- ENV_PATH ENV_SUPATH +- ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB +- SULOG_FILE SU_NAME +- SU_WHEEL_ONLY +- SYSLOG_SU_ENAB +- USERGROUPS_ENAB +- +- +- +- +- sulogin +- +- +- ENV_HZ +- ENV_TZ +- +- +- + + useradd + diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml --- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 +++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 diff --git a/shadow-utils.spec b/shadow-utils.spec index 691f414..a10460b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -218,8 +218,8 @@ rm -rf $RPM_BUILD_ROOT %attr(4755,root,root) %{_bindir}/newgidmap %attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser -%attr(0750,root,root) %{_sbindir}/user* -%attr(0750,root,root) %{_sbindir}/group* +%attr(0755,root,root) %{_sbindir}/user* +%attr(0755,root,root) %{_sbindir}/group* %{_sbindir}/grpck %{_sbindir}/pwck %{_sbindir}/*conv @@ -252,6 +252,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jan 8 2015 Tomáš Mráz - 2:4.2.1-5 +- do not use obscure permissions for binaries +- remove unused commands from login.defs(5) cross-reference + * Fri Nov 6 2015 Tomáš Mráz - 2:4.2.1-4 - document that groupmems is not setuid root - document that expiration of the password after inactivity period From 05ccc5cb0bc2d9987857c647eda1267315e8cfcf Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 8 Jan 2016 10:02:44 +0100 Subject: [PATCH 117/151] Correct changelog date. --- shadow-utils.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index a10460b..21eb936 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -252,7 +252,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog -* Fri Jan 8 2015 Tomáš Mráz - 2:4.2.1-5 +* Fri Jan 8 2016 Tomáš Mráz - 2:4.2.1-5 - do not use obscure permissions for binaries - remove unused commands from login.defs(5) cross-reference From b1dccbc445d9c9d8db3ae105b3f835a493be7da9 Mon Sep 17 00:00:00 2001 
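Review bot: The `%attr` relaxation from 0750 to 0755 on `%{_sbindir}/user*` and `%{_sbindir}/group*` is only harmless because nothing matched by those globs is setuid — the setuid binaries (newgidmap, newuidmap) are listed separately with 4755, and the changelog entry below records that groupmems is not setuid root — yet the spec nowhere states that invariant. A one-line comment above the two `%attr` lines, e.g. `# not setuid: 0750 only obscured these tools, it never restricted them`, would make the rationale visible to whoever next adds a binary matching either glob.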
From: Tomas Mraz Date: Wed, 3 Feb 2016 14:01:19 +0100 Subject: [PATCH 118/151] add possibility to clear or set lastlog record for user via lastlog --- shadow-4.2.1-lastlog-unexpire.patch | 249 ++++++++++++++++++++++++++++ shadow-utils.spec | 7 +- 2 files changed, 255 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-lastlog-unexpire.patch diff --git a/shadow-4.2.1-lastlog-unexpire.patch b/shadow-4.2.1-lastlog-unexpire.patch new file mode 100644 index 0000000..2596820 --- /dev/null +++ b/shadow-4.2.1-lastlog-unexpire.patch 
@@ -0,0 +1,249 @@ +diff -up shadow-4.2.1/man/lastlog.8.xml.unexpire shadow-4.2.1/man/lastlog.8.xml +--- shadow-4.2.1/man/lastlog.8.xml.unexpire 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/man/lastlog.8.xml 2016-02-03 11:50:20.481293785 +0100 +@@ -105,6 +105,17 @@ + + + ++ , ++ ++ ++ ++ Clear lastlog record of an user. This option can be used only together ++ with ()). ++ ++ ++ ++ ++ + , + + +@@ -123,6 +134,17 @@ + + + ++ ++ ++ , ++ ++ ++ ++ Set lastlog record of an user to the current time. This option can be ++ used only together with ()). ++ ++ ++ + + + ,  DAYS +diff -up shadow-4.2.1/src/lastlog.c.unexpire shadow-4.2.1/src/lastlog.c +--- shadow-4.2.1/src/lastlog.c.unexpire 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/lastlog.c 2016-02-03 11:35:26.971273603 +0100 +@@ -71,6 +71,8 @@ static struct stat statbuf; /* fstat buf + static bool uflg = false; /* print only an user of range of users */ + static bool tflg = false; /* print is restricted to most recent days */ + static bool bflg = false; /* print excludes most recent days */ ++static bool Cflg = false; /* clear record for user */ ++static bool Sflg = false; /* set record for user */ + + #define NOW (time ((time_t *) 0)) + +@@ -83,8 +85,10 @@ static /*@noreturn@*/void usage (int sta + "Options:\n"), + Prog); + (void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); ++ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); ++ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); + (void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); + (void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); + (void) fputs ("\n", 
usageout); +@@ -194,6 +198,80 @@ static void print (void) + } + } + ++static void update_one (/*@null@*/const struct passwd *pw) ++{ ++ off_t offset; ++ struct lastlog ll; ++ int err; ++ ++ if (NULL == pw) { ++ return; ++ } ++ ++ offset = (off_t) pw->pw_uid * sizeof (ll); ++ /* fseeko errors are not really relevant for us. */ ++ err = fseeko (lastlogfile, offset, SEEK_SET); ++ assert (0 == err); ++ ++ memzero (&ll, sizeof (ll)); ++ ++ if (Sflg) { ++ ll.ll_time = NOW; ++#ifdef HAVE_LL_HOST ++ strcpy (ll.ll_host, "localhost"); ++#endif ++ strcpy (ll.ll_line, "lastlog"); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ACCT_UNLOCK, Prog, ++ "clearing-lastlog", ++ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); ++#endif ++ } ++#ifdef WITH_AUDIT ++ else { ++ audit_logger (AUDIT_ACCT_UNLOCK, Prog, ++ "refreshing-lastlog", ++ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); ++ } ++#endif ++ ++ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { ++ fprintf (stderr, ++ _("%s: Failed to update the entry for UID %lu\n"), ++ Prog, (unsigned long int)pw->pw_uid); ++ exit (EXIT_FAILURE); ++ } ++} ++ ++static void update (void) ++{ ++ const struct passwd *pwent; ++ ++ if (!uflg) /* safety measure */ ++ return; ++ ++ if (has_umin && has_umax && (umin == umax)) { ++ update_one (getpwuid ((uid_t)umin)); ++ } else { ++ setpwent (); ++ while ( (pwent = getpwent ()) != NULL ) { ++ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) ++ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { ++ continue; ++ } ++ update_one (pwent); ++ } ++ endpwent (); ++ } ++ ++ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { ++ fprintf (stderr, ++ _("%s: Failed to update the lastlog file\n"), ++ Prog); ++ exit (EXIT_FAILURE); ++ } ++} ++ + int main (int argc, char **argv) + { + /* +@@ -208,18 +286,24 @@ int main (int argc, char **argv) + + process_root_flag ("-R", argc, argv); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + { + int c; + static struct 
option const longopts[] = { + {"before", required_argument, NULL, 'b'}, ++ {"clear", no_argument, NULL, 'C'}, + {"help", no_argument, NULL, 'h'}, + {"root", required_argument, NULL, 'R'}, ++ {"set", no_argument, NULL, 'S'}, + {"time", required_argument, NULL, 't'}, + {"user", required_argument, NULL, 'u'}, + {NULL, 0, NULL, '\0'} + }; + +- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, ++ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, + NULL)) != -1) { + switch (c) { + case 'b': +@@ -235,11 +319,21 @@ int main (int argc, char **argv) + bflg = true; + break; + } ++ case 'C': ++ { ++ Cflg = true; ++ break; ++ } + case 'h': + usage (EXIT_SUCCESS); + /*@notreached@*/break; + case 'R': /* no-op, handled in process_root_flag () */ + break; ++ case 'S': ++ { ++ Sflg = true; ++ break; ++ } + case 't': + { + unsigned long days; +@@ -294,9 +388,21 @@ int main (int argc, char **argv) + Prog, argv[optind]); + usage (EXIT_FAILURE); + } ++ if (Cflg && Sflg) { ++ fprintf (stderr, ++ _("%s: Option -C cannot be used together with option -S\n"), ++ Prog); ++ usage (EXIT_FAILURE); ++ } ++ if ((Cflg || Sflg) && !uflg) { ++ fprintf (stderr, ++ _("%s: Options -C and -S require option -u to specify the user\n"), ++ Prog); ++ usage (EXIT_FAILURE); ++ } + } + +- lastlogfile = fopen (LASTLOG_FILE, "r"); ++ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); + if (NULL == lastlogfile) { + perror (LASTLOG_FILE); + exit (EXIT_FAILURE); +@@ -310,7 +416,10 @@ int main (int argc, char **argv) + exit (EXIT_FAILURE); + } + +- print (); ++ if (Cflg || Sflg) ++ update (); ++ else ++ print (); + + (void) fclose (lastlogfile); + +diff -up shadow-4.2.1/src/Makefile.am.unexpire shadow-4.2.1/src/Makefile.am +--- shadow-4.2.1/src/Makefile.am.unexpire 2014-05-08 10:43:11.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-02-03 11:35:26.971273603 +0100 +@@ -95,6 +95,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) + grpck_LDADD = $(LDADD) $(LIBSELINUX) + grpconv_LDADD = 
$(LDADD) $(LIBSELINUX) + grpunconv_LDADD = $(LDADD) $(LIBSELINUX) ++lastlog_LDADD = $(LDADD) $(LIBAUDIT) + login_SOURCES = \ + login.c \ + login_nopam.c +diff -up shadow-4.2.1/src/Makefile.in.unexpire shadow-4.2.1/src/Makefile.in +--- shadow-4.2.1/src/Makefile.in.unexpire 2014-05-09 18:49:48.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-02-03 11:35:26.972273609 +0100 +@@ -197,7 +197,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) + $(top_builddir)/lib/libshadow.la + lastlog_SOURCES = lastlog.c + lastlog_OBJECTS = lastlog.$(OBJEXT) +-lastlog_LDADD = $(LDADD) ++lastlog_LDADD = $(LDADD) $(LIBAUDIT) + lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(top_builddir)/libmisc/libmisc.a \ + $(top_builddir)/lib/libshadow.la diff --git a/shadow-utils.spec b/shadow-utils.spec index 21eb936..404d754 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -33,6 +33,7 @@ Patch22: shadow-4.2.1-audit-update.patch Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.2.1-defs-chroot.patch +Patch26: shadow-4.2.1-lastlog-unexpire.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -86,6 +87,7 @@ are used for managing group accounts. %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch25 -p1 -b .defs-chroot +%patch26 -p1 -b .unexpire iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
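Review bot: The audit labels in the new `update_one` are inverted: the `Sflg` branch, which stamps the record with the current time, logs `"clearing-lastlog"`, while the clear path logs `"refreshing-lastlog"`, so the audit trail records the opposite of what was done; swap the two string literals. Both audit calls also report `SHADOW_AUDIT_SUCCESS` before the `fwrite` that performs the update, which can still fail and `exit (EXIT_FAILURE)` a few lines later, so a failed update is audited as a success. The `assert (0 == err)` after `fseeko` is the only check on the seek and is compiled out under NDEBUG, after which a failed seek lets the following `fwrite` land on whatever record the stream happens to be positioned at; handle it like the fwrite failure, `if (0 != err) { fprintf (stderr, _("%s: Failed to update the entry for UID %lu\n"), Prog, (unsigned long int)pw->pw_uid); exit (EXIT_FAILURE); }`.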
@@ -252,6 +254,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Feb 3 2016 Tomáš Mráz - 2:4.2.1-6 +- add possibility to clear or set lastlog record for user via lastlog + * Fri Jan 8 2016 Tomáš Mráz - 2:4.2.1-5 - do not use obscure permissions for binaries - remove unused commands from login.defs(5) cross-reference From 1bf254df986df2ead06c2739e7c47ac89e3f0537 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 9 Feb 2016 11:54:02 +0100 Subject: [PATCH 119/151] usermod: properly return error during password manipulation --- shadow-4.2.1-usermod-unlock.patch | 32 +++++++++++++++++++++++++++---- shadow-utils.spec | 5 ++++- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.2.1-usermod-unlock.patch index 85403cd..19feecb 100644 --- a/shadow-4.2.1-usermod-unlock.patch +++ b/shadow-4.2.1-usermod-unlock.patch @@ -1,7 +1,7 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.unlock 2014-12-01 15:14:58.000000000 +0100 -+++ shadow-4.2.1/src/usermod.c 2015-08-27 14:31:50.899712180 +0200 -@@ -455,9 +455,12 @@ static char *new_pw_passwd (char *pw_pas +--- shadow-4.2.1/src/usermod.c.unlock 2016-02-03 11:54:14.977664838 +0100 ++++ shadow-4.2.1/src/usermod.c 2016-02-09 11:52:08.244957222 +0100 +@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; } else if (Uflg && pw_pass[0] == '!') { @@ -16,6 +16,12 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c fprintf (stderr, _("%s: unlocking the user's password would result in a passwordless account.\n" "You should set a password with usermod -p to unlock this user's password.\n"), + Prog); +- return pw_pass; ++ return NULL; + } + + #ifdef WITH_AUDIT @@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas user_newname, (unsigned int) user_newid, 1); #endif 
@@ -31,9 +37,27 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c + fprintf (stderr, + _("%s: The password field cannot contain a colon character.\n"), + Prog); -+ return pw_pass; ++ return NULL; + + } #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating-password", +@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw + if ( (!is_shadow_pwd) + || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) { + pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd); ++ if (pwent->pw_passwd == NULL) ++ fail_exit (E_PW_UPDATE); + } + + if (uflg) { +@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen + * + aging has been requested + */ + spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp); ++ if (spent->sp_pwdp == NULL) ++ fail_exit(E_PW_UPDATE); + + if (pflg) { + spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; diff --git a/shadow-utils.spec b/shadow-utils.spec index 404d754..786443e 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -254,6 +254,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 9 2016 Tomáš Mráz - 2:4.2.1-7 +- usermod: properly return error during password manipulation + * Wed Feb 3 2016 Tomáš Mráz - 2:4.2.1-6 - add possibility to clear or set lastlog record for user via lastlog From a359c84a6ee4a0c9e75b406ff868c1efac7ceeaa Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 17 Mar 2016 17:40:43 +0100 Subject: [PATCH 120/151] userdel: fix userdel -f with /etc/subuid present (#1316168) --- shadow-4.2.1-user-busy.patch | 48 ++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-user-busy.patch 
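Review bot: In the `new_spent` part of this hunk the added check stores the possibly-NULL result into `spent->sp_pwdp` before testing it, and the `new_pwent` check does the same with `pwent->pw_passwd`; keeping the result in a local and storing it only once it is non-NULL, e.g. `char *np = new_pw_passwd (spent->sp_pwdp); if (NULL == np) fail_exit (E_PW_UPDATE); spent->sp_pwdp = np;`, leaves the entries valid should `fail_exit` (outside this hunk) ever touch them. The same line also writes `fail_exit(E_PW_UPDATE)` without the space before the parenthesis that the rest of the file, including the sibling check in `new_pwent`, uses.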
diff --git a/shadow-4.2.1-user-busy.patch b/shadow-4.2.1-user-busy.patch new file mode 100644 index 0000000..ee7e41a --- /dev/null +++ b/shadow-4.2.1-user-busy.patch @@ -0,0 +1,48 @@ +From d2fa8c5d4b0b19445562daf78d3a62421fe8d6b8 Mon Sep 17 00:00:00 2001 +From: Bastian Blank +Date: Tue, 17 Nov 2015 10:52:24 -0600 +Subject: [PATCH] Fix user busy errors at userdel + +From: Bastian Blank +Acked-by: Serge Hallyn +--- + libmisc/user_busy.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c +index db7174a..0db32c3 100644 +--- a/libmisc/user_busy.c ++++ b/libmisc/user_busy.c +@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) + if (stat ("/", &sbroot) != 0) { + perror ("stat (\"/\")"); + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + return 0; + } + +@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) + + if (check_status (name, tmp_d_name, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); +@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) + } + if (check_status (name, task_path+6, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); +-- +2.5.0 + diff --git a/shadow-utils.spec b/shadow-utils.spec index 786443e..b47ae15 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz 
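Review bot: The added `sub_uid_close()` cleanup is pasted verbatim into three early-return paths of `user_busy_processes`, each already paired with `(void) closedir (proc);`, so the pairs now have to be kept in sync by hand; a single exit label closing both (`out:` followed by `(void) closedir (proc);`, the `#ifdef ENABLE_SUBIDS` `sub_uid_close ();` `#endif` block, and `return ret;`) would be less error-prone. The function's opening, the matching `sub_uid_open` call and its normal return are outside this hunk, so whether every remaining return path also closes the subuid database cannot be confirmed from here and deserves a look.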
@@ -34,6 +34,7 @@ Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch +Patch27: shadow-4.2.1-user-busy.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -88,6 +89,7 @@ are used for managing group accounts. %patch24 -p1 -b .no-lock-dos %patch25 -p1 -b .defs-chroot %patch26 -p1 -b .unexpire +%patch27 -p1 -b .user-busy iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -254,6 +256,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Mar 17 2016 Tomáš Mráz - 2:4.2.1-8 +- userdel: fix userdel -f with /etc/subuid present (#1316168) + * Tue Feb 9 2016 Tomáš Mráz - 2:4.2.1-7 - usermod: properly return error during password manipulation From f884cd4c94710f3944e87f05073c65daba8fb890 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 26 May 2016 21:05:16 +0200 Subject: [PATCH 121/151] chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902) --- shadow-4.2.1-manfix.patch | 22 +-- shadow-4.2.1-selinux-perms.patch | 277 +++++++++++++++++++++++++++++++ shadow-utils.spec | 13 +- 3 files changed, 292 insertions(+), 20 deletions(-) create mode 100644 shadow-4.2.1-selinux-perms.patch diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch index 04fcb4a..2ca84b3 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch @@ -73,7 +73,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: -@@ -252,26 +263,6 @@ +@@ -252,16 +263,6 @@ @@ -87,20 +87,10 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. - - - -- chgpasswd -- -- -- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB -- SHA_CRYPT_MAX_ROUNDS -- SHA_CRYPT_MIN_ROUNDS -- -- -- -- - chpasswd + chgpasswd -@@ -282,14 +273,6 @@ +@@ -282,14 +283,6 @@ 
@@ -115,7 +105,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. -@@ -350,34 +333,6 @@ +@@ -350,34 +342,6 @@ @@ -150,7 +140,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. newgrp / sg -@@ -405,17 +360,6 @@ +@@ -405,17 +370,6 @@ @@ -168,7 +158,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. pwck -@@ -442,32 +386,6 @@ +@@ -442,32 +396,6 @@ diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.2.1-selinux-perms.patch new file mode 100644 index 0000000..eb18aeb --- /dev/null +++ b/shadow-4.2.1-selinux-perms.patch 
@@ -0,0 +1,277 @@ +diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c +--- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + #include "pam_defs.h" +@@ -76,6 +83,9 @@ static bool sgr_locked = false; + #endif + static bool gr_locked = false; + ++/* The name of the caller */ ++static char *myname = NULL; ++ + /* local function prototypes */ + static void fail_exit (int code); + static /*@noreturn@*/void usage (int status); +@@ -300,6 +310,62 @@ static void check_perms (void) + #endif /* ACCT_TOOLS_SETUID */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ return 0; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ return 0; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ 
freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the group databases + */ +@@ -393,6 +459,7 @@ int main (int argc, char **argv) + + const struct group *gr; + struct group newgr; ++ struct passwd *pw = NULL; + int errors = 0; + int line = 0; + +@@ -408,8 +475,29 @@ int main (int argc, char **argv) + + OPENLOG ("chgpasswd"); + ++ /* ++ * Determine the name of the user that invoked this command. This ++ * is really hit or miss because there are so many ways that command ++ * can be executed and so many ways to trip up the routines that ++ * report the user name. ++ */ ++ pw = get_my_pwent (); ++ if (NULL == pw) { ++ fprintf (stderr, _("%s: Cannot determine your user name.\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "Cannot determine the user name of the caller (UID %lu)", ++ (unsigned long) getuid ())); ++ exit (E_NOPERM); ++ } ++ myname = xstrdup (pw->pw_name); ++ + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef SHADOWGRP + is_shadow_grp = sgr_file_present (); + #endif +@@ -536,6 +624,15 @@ int main (int argc, char **argv) + newgr.gr_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ { ++ ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, gr->gr_name, ++ SHADOW_AUDIT_SUCCESS); ++ } ++#endif + /* + * The updated group file entry is then put back and will + * be written to the group file later, after all the +diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c +--- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef USE_PAM + #include "pam_defs.h" + #endif /* USE_PAM */ +@@ -297,6 +304,62 @@ static void check_perms (void) + #endif 
/* USE_PAM */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ return 0; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ return 0; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the password databases + */ +@@ -407,6 +470,10 @@ int main (int argc, char **argv) + + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef USE_PAM + if (!use_pam) + #endif /* USE_PAM */ +@@ -566,6 +633,11 @@ int main (int argc, char **argv) + newpw.pw_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "updating-password", ++ pw->pw_name, (unsigned int) pw->pw_uid, 1); ++#endif + /* + * The updated password file entry is then put back and will + * be written to the password file later, after all the +diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am +--- 
shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) + newuidmap_LDADD = $(LDADD) $(LIBSELINUX) + newgidmap_LDADD = $(LDADD) $(LIBSELINUX) + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) ++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in +--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( + newuidmap_LDADD = $(LDADD) $(LIBSELINUX) + newgidmap_LDADD = $(LDADD) $(LIBSELINUX) + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) ++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) 
$(LIBSELINUX) diff --git a/shadow-utils.spec b/shadow-utils.spec index b47ae15..f8fb4aa 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -35,6 +35,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch Patch27: shadow-4.2.1-user-busy.patch +Patch28: shadow-4.2.1-selinux-perms.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -90,6 +91,7 @@ are used for managing group accounts. %patch25 -p1 -b .defs-chroot %patch26 -p1 -b .unexpire %patch27 -p1 -b .user-busy +%patch28 -p1 -b .selinux-perms iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -156,7 +158,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd rm $RPM_BUILD_ROOT/%{_sbindir}/nologin -rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.* @@ -185,8 +186,6 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* -rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* -rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.* @@ -228,6 +227,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/pwck %{_sbindir}/*conv %{_sbindir}/chpasswd +%{_sbindir}/chgpasswd %{_sbindir}/newusers %{_sbindir}/vipw %{_sbindir}/vigr 
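Review bot: `selinux_check_root` in the new chgpasswd.c code exits with a bare `exit(1)` and no message to stderr in both failure paths (a failed `getprevcon`, and access denied while enforcing), whereas the surrounding code in the same hunk reports to the user and uses named codes such as `E_NOPERM`; a script calling chgpasswd sees only a silent non-zero exit unless someone reads the AVC in the audit log. Printing a diagnostic and using the existing code, e.g. `fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM);`, would match the file's conventions. The new include block is guarded by `#ifdef WITH_LIBAUDIT` while every use of the audit API in the same file tests `WITH_AUDIT`, so unless the build defines both macros the libaudit header is only pulled in indirectly, which is not visible here. Both points apply to the chpasswd.c half of the hunk as well, where the success audit call additionally passes a literal `1` where the chgpasswd call passes `SHADOW_AUDIT_SUCCESS`; `log_callback` and `selinux_check_root` are duplicated byte-for-byte across the two files and would be better shared.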
@@ -249,6 +249,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/pwck.8* %{_mandir}/man8/grpck.8* %{_mandir}/man8/chpasswd.8* +%{_mandir}/man8/chgpasswd.8* %{_mandir}/man8/newusers.8* %{_mandir}/man8/*conv.8* %{_mandir}/man8/lastlog.8* @@ -256,6 +257,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 +- chgpasswd: do not remove it +- chpasswd, chgpasswd: add selinux_check_access call (#1336902) + * Thu Mar 17 2016 Tomáš Mráz - 2:4.2.1-8 - userdel: fix userdel -f with /etc/subuid present (#1316168) From abed79ee4e1d44d64b636bc8e906e50eede4d901 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 May 2016 11:59:54 +0200 Subject: [PATCH 122/151] chpasswd, chgpasswd: open audit when starting --- shadow-4.2.1-selinux-perms.patch | 46 ++++++++++++++++++++------------ shadow-utils.spec | 5 +++- 2 files changed, 33 insertions(+), 18 deletions(-) diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.2.1-selinux-perms.patch index eb18aeb..7e7f70e 100644 --- a/shadow-4.2.1-selinux-perms.patch +++ b/shadow-4.2.1-selinux-perms.patch @@ -1,6 +1,6 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c --- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 ++++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200 @@ -39,6 +39,13 @@ #include #include @@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* local function prototypes */ static void fail_exit (int code); static /*@noreturn@*/void usage (int status); -@@ -300,6 +310,62 @@ static void check_perms (void) +@@ -300,6 +310,63 @@ static void check_perms (void) #endif /* ACCT_TOOLS_SETUID */ } 
@@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} @@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* * open_files - lock and open the group databases */ -@@ -393,6 +459,7 @@ int main (int argc, char **argv) +@@ -393,6 +460,7 @@ int main (int argc, char **argv) const struct group *gr; struct group newgr; @@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c int errors = 0; int line = 0; -@@ -408,8 +475,29 @@ int main (int argc, char **argv) +@@ -408,8 +476,33 @@ int main (int argc, char **argv) OPENLOG ("chgpasswd"); ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + /* + * Determine the name of the user that invoked this command. This + * is really hit or miss because there are so many ways that command @@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); #endif -@@ -536,6 +624,15 @@ int main (int argc, char **argv) +@@ -536,6 +629,15 @@ int main (int argc, char **argv) newgr.gr_passwd = cp; } @@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c * be written to the group file later, after all the diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c --- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 ++++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200 @@ -39,6 +39,13 @@ #include #include 
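Review bot: `audit_close(audit_fd)` is still executed after every AVC message that is logged successfully, and this commit now opens the audit descriptor once at startup via `audit_help_open()`; if the `audit_fd` used in this callback is that global rather than a descriptor opened locally (the head of the function is above the hunk, so this is inferred), the first logged message closes it and every later `audit_logger` call writes to a closed — or, once the number is reused, an unrelated — descriptor. Either invalidate it after closing, `audit_close(audit_fd); audit_fd = -1;`, or drop the per-message close and leave the descriptor's lifetime to the startup open. The chpasswd.c hunk `@@ -178,16 +183,17 @@` below contains the identical sequence. The `goto ret` change itself is correct: both earlier `return 0;` paths skipped `va_end(ap)`.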
@@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ -@@ -297,6 +304,62 @@ static void check_perms (void) +@@ -297,6 +304,63 @@ static void check_perms (void) #endif /* USE_PAM */ } @@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} @@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c /* * open_files - lock and open the password databases */ -@@ -407,6 +470,10 @@ int main (int argc, char **argv) +@@ -405,8 +469,16 @@ int main (int argc, char **argv) + OPENLOG ("chpasswd"); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ check_perms (); +#ifdef WITH_SELINUX @@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM if (!use_pam) #endif /* USE_PAM */ -@@ -566,6 +633,11 @@ int main (int argc, char **argv) +@@ -566,6 +638,11 @@ int main (int argc, char **argv) newpw.pw_passwd = cp; } @@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c * The updated password file entry is then put back and will * be written to the password file later, after all the diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200 
@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) @@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200 @@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) diff --git a/shadow-utils.spec b/shadow-utils.spec index f8fb4aa..3444f5b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 +- chpasswd, chgpasswd: open audit when starting + * Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 - chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902) From c50e17082d12c2ee8735024567cbbf0ad07acb1f Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Tue, 14 Jun 2016 11:34:10 +0200 Subject: [PATCH 123/151] guard for localtime() and gmtime() failure --- shadow-4.2.1-null-tm.patch | 86 ++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +++- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-null-tm.patch diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch new file mode 100644 index 0000000..15b7720 --- /dev/null +++ b/shadow-4.2.1-null-tm.patch 
@@ -0,0 +1,86 @@
+diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c
+--- shadow-4.2.1/src/faillog.c.null-tm 2014-03-01 19:59:51.000000000 +0100
++++ shadow-4.2.1/src/faillog.c 2016-06-14 11:30:00.066890251 +0200
+@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
+ }
+ 
+ tm = localtime (&fl.fail_time);
++ if (tm == NULL) {
++ cp = "(unknown)";
++ } else {
+ #ifdef HAVE_STRFTIME
+- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+- cp = ptime;
++ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
++ cp = ptime;
+ #endif
++ }
+ printf ("%-9s %5d %5d ",
+ pw->pw_name, fl.fail_cnt, fl.fail_max);
+ /* FIXME: cp is not defined ifndef HAVE_STRFTIME */
+diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c
+--- shadow-4.2.1/src/chage.c.null-tm 2016-05-27 16:04:00.000000000 +0200
++++ shadow-4.2.1/src/chage.c 2016-06-14 11:18:25.299366908 +0200
+@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
+ struct tm *tp;
+ 
+ tp = gmtime (&date);
++ if (tp == NULL) {
++ (void) snprintf (buf, maxsize, "(unknown)");
++ return;
++ }
+ #ifdef HAVE_STRFTIME
+ (void) strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else
+diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c
+--- shadow-4.2.1/src/lastlog.c.null-tm 2016-05-27 16:04:00.000000000 +0200
++++ shadow-4.2.1/src/lastlog.c 2016-06-14 11:29:39.210423264 +0200
+@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
+ 
+ ll_time = ll.ll_time;
+ tm = localtime (&ll_time);
++ if (tm == NULL) {
++ cp = "(unknown)";
++ } else {
+ #ifdef HAVE_STRFTIME
+- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+- cp = ptime;
++ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
++ cp = ptime;
+ #else
+- cp = asctime (tm);
+- cp[24] = '\0';
++ cp = asctime (tm);
++ cp[24] = '\0';
+ #endif
++ }
+ 
+ if (ll.ll_time == (time_t) 0) {
+ cp = _("**Never logged in**\0");
+diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c
+--- shadow-4.2.1/src/passwd.c.null-tm 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/passwd.c 2016-06-14 11:23:21.028969028 +0200 +@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to + struct tm *tm; + + tm = gmtime (&t); ++ if (tm == NULL) { ++ return "(unknown)"; ++ } + #ifdef HAVE_STRFTIME + (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); + #else /* !HAVE_STRFTIME */ +diff -up shadow-4.2.1/src/usermod.c.null-tm shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.null-tm 2016-05-27 16:04:00.000000000 +0200 ++++ shadow-4.2.1/src/usermod.c 2016-06-14 11:24:50.974977059 +0200 +@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ + } else { + time_t t = (time_t) date; + tp = gmtime (&t); ++ if (tp == NULL) { ++ strncpy (buf, "unknown", maxsize); ++ return; ++ } + #ifdef HAVE_STRFTIME + strftime (buf, maxsize, "%Y-%m-%d", tp); + #else diff --git a/shadow-utils.spec b/shadow-utils.spec index 3444f5b..70f0b52 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -36,6 +36,7 @@ Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch Patch27: shadow-4.2.1-user-busy.patch Patch28: shadow-4.2.1-selinux-perms.patch +Patch29: shadow-4.2.1-null-tm.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -92,6 +93,7 @@ are used for managing group accounts. %patch26 -p1 -b .unexpire %patch27 -p1 -b .user-busy %patch28 -p1 -b .selinux-perms +%patch29 -p1 -b .null-tm iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO 
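Review bot: The usermod.c guard fills the caller's buffer with `strncpy (buf, "unknown", maxsize)`, which leaves it unterminated whenever `maxsize` is shorter than the literal, while the chage.c guard in the same patch uses `(void) snprintf (buf, maxsize, "(unknown)");` and the faillog, lastlog and passwd guards all emit `"(unknown)"`. Use the snprintf form in usermod.c as well, so every tool terminates the buffer the same way and prints the same marker. Note that in faillog.c the non-NULL branch still leaves `cp` unset when HAVE_STRFTIME is undefined, as the existing FIXME says; the new guard does not change that.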
@@ -257,6 +259,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 +- guard for localtime() and gmtime() failure + * Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 - chpasswd, chgpasswd: open audit when starting From f8ab516d30fa7314792b8f993b439cebecdcb0c2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:03:52 +0200 Subject: [PATCH 124/151] new upstream release fixing low impact security issue --- .gitignore | 1 + shadow-utils.spec | 33 ++++++++++++--------------------- sources | 3 +-- 3 files changed, 14 insertions(+), 23 deletions(-) diff --git a/.gitignore b/.gitignore index e78a553..09b6c9b 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.5.1.tar.bz2.sig /shadow-4.2.1.tar.xz /shadow-4.2.1.tar.xz.sig +/shadow-4.3.1.tar.gz diff --git a/shadow-utils.spec b/shadow-utils.spec index 70f0b52..e799786 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,11 +1,10 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.2.1 -Release: 11%{?dist} +Version: 4.3.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz -Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig +Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Source4: shadow-bsd.txt 
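Review bot: Removing `Source3` drops the upstream detached signature (`shadow-%{version}.tar.xz.sig`) from the package sources, and the new `Source0` is a GitHub auto-generated archive of the tag rather than a signed release tarball; the `sources` hunk later in this commit correspondingly keeps only an md5 of that archive. Whether the signature was ever checked in `%prep` is not visible here, but after this change the only provenance anchor for the tarball is that md5. Record the reason in the spec, e.g. a comment above Source0 such as `# unsigned GitHub tag archive; upstream release .sig not carried for 4.3.1 (TODO: verify tarball against upstream)`, and return to a signed release tarball when one is available.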
@@ -23,19 +22,17 @@ Patch11: shadow-4.1.5.1-logmsg.patch Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.2.1-manfix.patch +Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.2.1-audit-update.patch +Patch22: shadow-4.3.1-audit-update.patch Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch25: shadow-4.2.1-defs-chroot.patch -Patch26: shadow-4.2.1-lastlog-unexpire.patch -Patch27: shadow-4.2.1-user-busy.patch -Patch28: shadow-4.2.1-selinux-perms.patch +Patch25: shadow-4.3.1-defs-chroot.patch +Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch License: BSD and GPLv2+ @@ -90,8 +87,6 @@ are used for managing group accounts. %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch25 -p1 -b .defs-chroot -%patch26 -p1 -b .unexpire -%patch27 -p1 -b .user-busy %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm @@ -100,17 +95,10 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . -rm libmisc/getdate.c - -#rm po/*.gmo -#rm po/stamp-po -#aclocal -#libtoolize --force -#automake -a -#autoconf - %build +./autogen.sh + %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -259,6 +247,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1 +- new upstream release fixing low impact security issue + * Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 - guard for localtime() and gmtime() failure diff --git a/sources b/sources index 9a96021..899422e 100644 --- a/sources +++ b/sources 
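Review bot: The changelog entry `- new upstream release fixing low impact security issue` does not record that this rebase drops `Patch26` (`shadow-4.2.1-lastlog-unexpire.patch`, the lastlog -C/-S options) and `Patch27` (`shadow-4.2.1-user-busy.patch`) from the Patch list in this hunk and from `%prep` in `@@ -90,8 +87,6 @@`, nor which issue the release fixes. Whether those two changes were merged into 4.3.1 or are simply lost cannot be told from the diff, and a user of `lastlog -C` would notice a behaviour change either way. Add a changelog line per dropped patch once confirmed, e.g. `- drop user-busy and lastlog-unexpire patches (upstreamed / no longer applicable)`, and name the bug or advisory the security fix corresponds to.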
@@ -1,2 +1 @@ -2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz -6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig +b6b48ef1af4eb088937c8cc47e317009 shadow-4.3.1.tar.gz From 6c18d5356b64b72ec7c47962d3d06d70a9b6338d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:06:06 +0200 Subject: [PATCH 125/151] Update patches for rebase --- shadow-4.2.1-lastlog-unexpire.patch | 249 ------------------ shadow-4.2.1-user-busy.patch | 48 ---- ...e.patch => shadow-4.3.1-audit-update.patch | 190 ++++++------- ...ot.patch => shadow-4.3.1-defs-chroot.patch | 12 +- ...-manfix.patch => shadow-4.3.1-manfix.patch | 52 ++-- ....patch => shadow-4.3.1-selinux-perms.patch | 35 +-- 6 files changed, 134 insertions(+), 452 deletions(-) delete mode 100644 shadow-4.2.1-lastlog-unexpire.patch delete mode 100644 shadow-4.2.1-user-busy.patch rename shadow-4.2.1-audit-update.patch => shadow-4.3.1-audit-update.patch (92%) rename shadow-4.2.1-defs-chroot.patch => shadow-4.3.1-defs-chroot.patch (60%) rename shadow-4.2.1-manfix.patch => shadow-4.3.1-manfix.patch (81%) rename shadow-4.2.1-selinux-perms.patch => shadow-4.3.1-selinux-perms.patch (79%) diff --git a/shadow-4.2.1-lastlog-unexpire.patch b/shadow-4.2.1-lastlog-unexpire.patch deleted file mode 100644 index 2596820..0000000 --- a/shadow-4.2.1-lastlog-unexpire.patch +++ /dev/null 
@@ -1,249 +0,0 @@ -diff -up shadow-4.2.1/man/lastlog.8.xml.unexpire shadow-4.2.1/man/lastlog.8.xml ---- shadow-4.2.1/man/lastlog.8.xml.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/lastlog.8.xml 2016-02-03 11:50:20.481293785 +0100 -@@ -105,6 +105,17 @@ - - - -+ , -+ -+ -+ -+ Clear lastlog record of an user. This option can be used only together -+ with ()). -+ -+ -+ -+ -+ - , - - -@@ -123,6 +134,17 @@ - - - -+ -+ -+ , -+ -+ -+ -+ Set lastlog record of an user to the current time. This option can be -+ used only together with ()). -+ -+ -+ - - - ,  DAYS -diff -up shadow-4.2.1/src/lastlog.c.unexpire shadow-4.2.1/src/lastlog.c ---- shadow-4.2.1/src/lastlog.c.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/lastlog.c 2016-02-03 11:35:26.971273603 +0100 -@@ -71,6 +71,8 @@ static struct stat statbuf; /* fstat buf - static bool uflg = false; /* print only an user of range of users */ - static bool tflg = false; /* print is restricted to most recent days */ - static bool bflg = false; /* print excludes most recent days */ -+static bool Cflg = false; /* clear record for user */ -+static bool Sflg = false; /* set record for user */ - - #define NOW (time ((time_t *) 0)) - -@@ -83,8 +85,10 @@ static /*@noreturn@*/void usage (int sta - "Options:\n"), - Prog); - (void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); -+ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); - (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -+ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); - (void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); - (void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); - (void) fputs ("\n", 
usageout); -@@ -194,6 +198,80 @@ static void print (void) - } - } - -+static void update_one (/*@null@*/const struct passwd *pw) -+{ -+ off_t offset; -+ struct lastlog ll; -+ int err; -+ -+ if (NULL == pw) { -+ return; -+ } -+ -+ offset = (off_t) pw->pw_uid * sizeof (ll); -+ /* fseeko errors are not really relevant for us. */ -+ err = fseeko (lastlogfile, offset, SEEK_SET); -+ assert (0 == err); -+ -+ memzero (&ll, sizeof (ll)); -+ -+ if (Sflg) { -+ ll.ll_time = NOW; -+#ifdef HAVE_LL_HOST -+ strcpy (ll.ll_host, "localhost"); -+#endif -+ strcpy (ll.ll_line, "lastlog"); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "clearing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+#endif -+ } -+#ifdef WITH_AUDIT -+ else { -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "refreshing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+ } -+#endif -+ -+ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { -+ fprintf (stderr, -+ _("%s: Failed to update the entry for UID %lu\n"), -+ Prog, (unsigned long int)pw->pw_uid); -+ exit (EXIT_FAILURE); -+ } -+} -+ -+static void update (void) -+{ -+ const struct passwd *pwent; -+ -+ if (!uflg) /* safety measure */ -+ return; -+ -+ if (has_umin && has_umax && (umin == umax)) { -+ update_one (getpwuid ((uid_t)umin)); -+ } else { -+ setpwent (); -+ while ( (pwent = getpwent ()) != NULL ) { -+ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) -+ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { -+ continue; -+ } -+ update_one (pwent); -+ } -+ endpwent (); -+ } -+ -+ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { -+ fprintf (stderr, -+ _("%s: Failed to update the lastlog file\n"), -+ Prog); -+ exit (EXIT_FAILURE); -+ } -+} -+ - int main (int argc, char **argv) - { - /* -@@ -208,18 +286,24 @@ int main (int argc, char **argv) - - process_root_flag ("-R", argc, argv); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ - { - int c; - static struct 
option const longopts[] = { - {"before", required_argument, NULL, 'b'}, -+ {"clear", no_argument, NULL, 'C'}, - {"help", no_argument, NULL, 'h'}, - {"root", required_argument, NULL, 'R'}, -+ {"set", no_argument, NULL, 'S'}, - {"time", required_argument, NULL, 't'}, - {"user", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - -- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, -+ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, - NULL)) != -1) { - switch (c) { - case 'b': -@@ -235,11 +319,21 @@ int main (int argc, char **argv) - bflg = true; - break; - } -+ case 'C': -+ { -+ Cflg = true; -+ break; -+ } - case 'h': - usage (EXIT_SUCCESS); - /*@notreached@*/break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -+ case 'S': -+ { -+ Sflg = true; -+ break; -+ } - case 't': - { - unsigned long days; -@@ -294,9 +388,21 @@ int main (int argc, char **argv) - Prog, argv[optind]); - usage (EXIT_FAILURE); - } -+ if (Cflg && Sflg) { -+ fprintf (stderr, -+ _("%s: Option -C cannot be used together with option -S\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } -+ if ((Cflg || Sflg) && !uflg) { -+ fprintf (stderr, -+ _("%s: Options -C and -S require option -u to specify the user\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } - } - -- lastlogfile = fopen (LASTLOG_FILE, "r"); -+ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); - if (NULL == lastlogfile) { - perror (LASTLOG_FILE); - exit (EXIT_FAILURE); -@@ -310,7 +416,10 @@ int main (int argc, char **argv) - exit (EXIT_FAILURE); - } - -- print (); -+ if (Cflg || Sflg) -+ update (); -+ else -+ print (); - - (void) fclose (lastlogfile); - -diff -up shadow-4.2.1/src/Makefile.am.unexpire shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.unexpire 2014-05-08 10:43:11.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-02-03 11:35:26.971273603 +0100 -@@ -95,6 +95,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) - grpck_LDADD = $(LDADD) $(LIBSELINUX) - grpconv_LDADD = 
$(LDADD) $(LIBSELINUX) - grpunconv_LDADD = $(LDADD) $(LIBSELINUX) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - login_SOURCES = \ - login.c \ - login_nopam.c -diff -up shadow-4.2.1/src/Makefile.in.unexpire shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.unexpire 2014-05-09 18:49:48.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-02-03 11:35:26.972273609 +0100 -@@ -197,7 +197,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) - $(top_builddir)/lib/libshadow.la - lastlog_SOURCES = lastlog.c - lastlog_OBJECTS = lastlog.$(OBJEXT) --lastlog_LDADD = $(LDADD) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(top_builddir)/libmisc/libmisc.a \ - $(top_builddir)/lib/libshadow.la diff --git a/shadow-4.2.1-user-busy.patch b/shadow-4.2.1-user-busy.patch deleted file mode 100644 index ee7e41a..0000000 --- a/shadow-4.2.1-user-busy.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From d2fa8c5d4b0b19445562daf78d3a62421fe8d6b8 Mon Sep 17 00:00:00 2001 -From: Bastian Blank -Date: Tue, 17 Nov 2015 10:52:24 -0600 -Subject: [PATCH] Fix user busy errors at userdel - -From: Bastian Blank -Acked-by: Serge Hallyn ---- - libmisc/user_busy.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c -index db7174a..0db32c3 100644 ---- a/libmisc/user_busy.c -+++ b/libmisc/user_busy.c -@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) - if (stat ("/", &sbroot) != 0) { - perror ("stat (\"/\")"); - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - return 0; - } - -@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) - - if (check_status (name, tmp_d_name, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); -@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) - } - if (check_status (name, task_path+6, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); --- -2.5.0 - diff --git a/shadow-4.2.1-audit-update.patch b/shadow-4.3.1-audit-update.patch similarity index 92% rename from shadow-4.2.1-audit-update.patch rename to shadow-4.3.1-audit-update.patch index 8f2edf8..e708f75 100644 --- a/shadow-4.2.1-audit-update.patch +++ b/shadow-4.3.1-audit-update.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/audit_help.c ---- shadow-4.2.1/libmisc/audit_help.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/audit_help.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/audit_help.c +--- shadow-4.3.1/libmisc/audit_help.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/audit_help.c 2016-08-22 17:21:15.442291139 +0200 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +50,9 @@ diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/aud void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/cleanup_group.c ---- shadow-4.2.1/libmisc/cleanup_group.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_group.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/cleanup_group.c +--- shadow-4.3.1/libmisc/cleanup_group.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/cleanup_group.c 2016-08-22 17:21:15.443291142 +0200 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); 
@@ -131,9 +131,9 @@ diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/ SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/cleanup_user.c ---- shadow-4.2.1/libmisc/cleanup_user.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_user.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/cleanup_user.c +--- shadow-4.3.1/libmisc/cleanup_user.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/cleanup_user.c 2016-08-22 17:21:15.443291142 +0200 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -181,9 +181,9 @@ diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/c SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes.h ---- shadow-4.2.1/lib/prototypes.h.audit-update 2014-11-26 15:06:24.644660498 +0100 -+++ shadow-4.2.1/lib/prototypes.h 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes.h +--- shadow-4.3.1/lib/prototypes.h.audit-update 2016-08-22 17:21:15.406291044 +0200 ++++ shadow-4.3.1/lib/prototypes.h 2016-08-22 17:21:15.443291142 +0200 @@ -208,12 +208,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ 
@@ -206,9 +206,9 @@ diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes. void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c ---- shadow-4.2.1/src/gpasswd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/gpasswd.c 2014-11-26 15:06:24.664660561 +0100 +diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c +--- shadow-4.3.1/src/gpasswd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/gpasswd.c 2016-08-22 17:21:15.444291144 +0200 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -218,7 +218,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); (void) fputs (_(" -M, --members USER,... set the list of members of GROUP\n"), usageout); #ifdef SHADOWGRP -@@ -397,21 +397,14 @@ static void open_files (void) +@@ -396,21 +396,14 @@ static void open_files (void) static void log_gpasswd_failure (const char *suffix) { @@ -243,7 +243,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (dflg) { -@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c +@@ -418,13 +411,9 @@ static void log_gpasswd_failure (const c "%s failed to remove user %s from group %s%s", myname, user, group, suffix)); #ifdef WITH_AUDIT 
@@ -260,7 +260,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (rflg) { -@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c +@@ -432,13 +421,9 @@ static void log_gpasswd_failure (const c "%s failed to remove password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -277,7 +277,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Rflg) { -@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c +@@ -446,13 +431,9 @@ static void log_gpasswd_failure (const c "%s failed to restrict access to group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -294,7 +294,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Aflg || Mflg) { -@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c +@@ -462,13 +443,9 @@ static void log_gpasswd_failure (const c "%s failed to set the administrators of group %s to %s%s", myname, group, admins, suffix)); #ifdef WITH_AUDIT @@ -311,7 +311,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c +@@ -478,13 +455,9 @@ static void log_gpasswd_failure (const c "%s failed to set the members of group %s to %s%s", myname, group, members, suffix)); #ifdef WITH_AUDIT @@ -328,7 +328,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c +@@ -493,13 +466,9 @@ static void log_gpasswd_failure (const c "%s failed to change password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT 
@@ -345,7 +345,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow +@@ -530,21 +499,14 @@ static void log_gpasswd_failure_gshadow static void log_gpasswd_success (const char *suffix) { @@ -370,7 +370,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (dflg) { -@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c +@@ -552,13 +514,9 @@ static void log_gpasswd_success (const c "user %s removed by %s from group %s%s", user, myname, group, suffix)); #ifdef WITH_AUDIT @@ -387,7 +387,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (rflg) { -@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c +@@ -566,13 +524,9 @@ static void log_gpasswd_success (const c "password of group %s removed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -404,7 +404,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Rflg) { -@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c +@@ -580,13 +534,9 @@ static void log_gpasswd_success (const c "access to group %s restricted by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -421,7 +421,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Aflg || Mflg) { -@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c +@@ -596,13 +546,9 @@ static void log_gpasswd_success (const c "administrators of group %s set by %s to %s%s", group, myname, admins, suffix)); #ifdef WITH_AUDIT 
@@ -438,7 +438,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c +@@ -612,13 +558,9 @@ static void log_gpasswd_success (const c "members of group %s set by %s to %s%s", group, myname, members, suffix)); #ifdef WITH_AUDIT @@ -455,7 +455,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c +@@ -627,13 +569,9 @@ static void log_gpasswd_success (const c "password of group %s changed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -472,9 +472,9 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c ---- shadow-4.2.1/src/groupadd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupadd.c 2014-11-26 15:06:24.664660561 +0100 +diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c +--- shadow-4.3.1/src/groupadd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupadd.c 2016-08-22 17:21:15.444291144 +0200 @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -579,7 +579,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c add_cleanup (cleanup_unlock_gshadow, NULL); } @@ -349,7 +352,7 @@ static void open_files (void) - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); - exit (E_GRP_UPDATE); 
@@ -650,10 +650,10 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } } -diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c ---- shadow-4.2.1/src/groupdel.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupdel.c 2014-11-26 15:06:24.665660564 +0100 -@@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c +--- shadow-4.3.1/src/groupdel.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupdel.c 2016-08-22 17:21:15.445291147 +0200 +@@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -669,7 +669,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c /* * grp_update - update group file entries * -@@ -126,7 +135,7 @@ static void grp_update (void) +@@ -128,7 +137,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -678,7 +678,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP -@@ -138,7 +147,7 @@ static void grp_update (void) +@@ -140,7 +149,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -687,7 +687,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -157,12 +166,12 @@ static void close_files (void) +@@ -159,12 +168,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); 
@@ -702,7 +702,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -182,12 +191,12 @@ static void close_files (void) +@@ -184,12 +193,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -718,7 +718,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -201,13 +210,6 @@ static void close_files (void) +@@ -203,13 +212,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ @@ -732,7 +732,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -224,7 +226,7 @@ static void open_files (void) +@@ -226,7 +228,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -741,7 +741,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -233,7 +235,7 @@ static void open_files (void) +@@ -235,7 +237,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -750,7 +750,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -251,7 +253,7 @@ static void open_files (void) +@@ -253,7 +255,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); 
@@ -759,7 +759,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -260,7 +262,7 @@ static void open_files (void) +@@ -262,7 +264,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -768,7 +768,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -301,7 +303,7 @@ static void group_busy (gid_t gid) +@@ -303,7 +305,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -777,7 +777,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } /* -@@ -379,7 +381,7 @@ int main (int argc, char **argv) +@@ -384,7 +386,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -786,7 +786,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } process_flags (argc, argv); -@@ -393,7 +395,7 @@ int main (int argc, char **argv) +@@ -398,7 +400,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -795,7 +795,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -414,7 +416,7 @@ int main (int argc, char **argv) +@@ -419,7 +421,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -804,7 +804,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -434,7 +436,7 @@ int main (int argc, char **argv) +@@ -439,7 +441,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); 
@@ -813,7 +813,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } group_id = grp->gr_gid; -@@ -458,7 +460,7 @@ int main (int argc, char **argv) +@@ -463,7 +465,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -822,9 +822,9 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #endif -diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c ---- shadow-4.2.1/src/groupmod.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupmod.c 2014-11-26 15:06:24.665660564 +0100 +diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c +--- shadow-4.3.1/src/groupmod.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupmod.c 2016-08-22 17:21:15.445291147 +0200 @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } @@ -1018,9 +1018,9 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c ---- shadow-4.2.1/src/chage.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chage.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c +--- shadow-4.3.1/src/chage.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chage.c 2016-08-22 17:21:15.446291149 +0200 @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT 
@@ -1108,9 +1108,9 @@ diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c ---- shadow-4.2.1/src/newgrp.c.audit-update 2014-11-26 15:06:24.660660548 +0100 -+++ shadow-4.2.1/src/newgrp.c 2014-11-26 15:06:24.666660567 +0100 +diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c +--- shadow-4.3.1/src/newgrp.c.audit-update 2016-08-22 17:21:15.439291131 +0200 ++++ shadow-4.3.1/src/newgrp.c 2016-08-22 17:21:15.446291149 +0200 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1161,7 +1161,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c exit (EXIT_FAILURE); } -@@ -317,15 +306,27 @@ static void syslog_sg (const char *name, +@@ -320,15 +309,27 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { @@ -1193,7 +1193,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -451,7 +452,7 @@ int main (int argc, char **argv) +@@ -456,7 +457,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1202,7 +1202,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -567,15 +568,26 @@ int main (int argc, char **argv) +@@ -572,15 +573,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { 
@@ -1233,7 +1233,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -716,10 +728,10 @@ int main (int argc, char **argv) +@@ -721,10 +733,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1246,7 +1246,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -728,10 +740,10 @@ int main (int argc, char **argv) +@@ -733,10 +745,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1259,7 +1259,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -745,10 +757,10 @@ int main (int argc, char **argv) +@@ -750,10 +762,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1272,7 +1272,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -812,11 +824,11 @@ int main (int argc, char **argv) +@@ -817,11 +829,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1286,7 +1286,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -840,15 +852,24 @@ int main (int argc, char **argv) +@@ -845,15 +857,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { 
@@ -1315,9 +1315,9 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.audit-update 2014-11-26 15:06:24.648660511 +0100 -+++ shadow-4.2.1/src/useradd.c 2014-11-26 15:14:02.446087183 +0100 +diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.audit-update 2016-08-22 17:21:15.410291055 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-22 17:21:15.447291152 +0200 @@ -222,6 +222,8 @@ static void create_mail (void); */ static void fail_exit (int code) @@ -1636,7 +1636,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2098,12 +2034,6 @@ int main (int argc, char **argv) +@@ -2100,12 +2036,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); @@ -1649,7 +1649,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2119,12 +2049,6 @@ int main (int argc, char **argv) +@@ -2121,12 +2051,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1662,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2154,12 +2078,6 @@ int main (int argc, char **argv) +@@ -2156,12 +2080,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); 
@@ -1675,7 +1675,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2223,9 +2141,10 @@ int main (int argc, char **argv) +@@ -2225,9 +2143,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1689,9 +1689,9 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c ---- shadow-4.2.1/src/userdel.c.audit-update 2014-11-26 15:06:24.655660533 +0100 -+++ shadow-4.2.1/src/userdel.c 2014-11-26 15:16:01.892459425 +0100 +diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c +--- shadow-4.3.1/src/userdel.c.audit-update 2016-08-22 17:21:15.418291076 +0200 ++++ shadow-4.3.1/src/userdel.c 2016-08-22 17:21:15.447291152 +0200 @@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ @@ -1766,7 +1766,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); -#ifdef WITH_AUDIT @@ -1817,7 +1817,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1841,7 +1841,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } sgr_locked= true; - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); -#ifdef WITH_AUDIT @@ -1866,7 +1866,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); -#ifdef WITH_AUDIT @@ -1891,7 +1891,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); -#ifdef WITH_AUDIT @@ -2019,9 +2019,9 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.audit-update 2014-11-26 15:06:24.661660551 +0100 -+++ shadow-4.2.1/src/usermod.c 2014-11-26 15:17:38.580760741 +0100 +diff -up shadow-4.3.1/src/usermod.c.audit-update shadow-4.3.1/src/usermod.c +--- shadow-4.3.1/src/usermod.c.audit-update 2016-08-22 17:21:15.441291136 +0200 ++++ shadow-4.3.1/src/usermod.c 2016-08-22 17:21:15.448291155 +0200 @@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT @@ -2256,7 +2256,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1810,8 +1821,8 @@ static void move_home (void) +@@ -1758,8 +1769,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { 
@@ -2267,7 +2267,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1829,8 +1840,8 @@ static void move_home (void) +@@ -1777,8 +1788,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2278,7 +2278,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1849,9 +1860,9 @@ static void move_home (void) +@@ -1797,9 +1808,9 @@ static void move_home (void) Prog, user_home); } #ifdef WITH_AUDIT @@ -2290,7 +2290,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2055,8 +2066,8 @@ static void move_mailbox (void) +@@ -2003,8 +2014,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2301,7 +2301,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2074,8 +2085,8 @@ static void move_mailbox (void) +@@ -2022,8 +2033,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2312,7 +2312,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2217,8 +2228,8 @@ int main (int argc, char **argv) +@@ -2215,8 +2226,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2323,7 +2323,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2230,8 +2241,8 @@ int main (int argc, char **argv) +@@ -2228,8 +2239,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT 
@@ -2334,7 +2334,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2269,8 +2280,8 @@ int main (int argc, char **argv) +@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.3.1-defs-chroot.patch similarity index 60% rename from shadow-4.2.1-defs-chroot.patch rename to shadow-4.3.1-defs-chroot.patch index 827ad40..e57fac8 100644 --- a/shadow-4.2.1-defs-chroot.patch +++ b/shadow-4.3.1-defs-chroot.patch @@ -1,18 +1,18 @@ -diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100 -+++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200 +diff -up shadow-4.3.1/src/useradd.c.defs-chroot shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.defs-chroot 2016-08-22 17:13:29.420068883 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-22 17:15:14.040343275 +0200 @@ -1938,8 +1938,8 @@ int main (int argc, char **argv) #endif /* ACCT_TOOLS_SETUID */ - /* Needed for userns check */ + #ifdef ENABLE_SUBIDS - uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); - uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + uid_t uid_min; + uid_t uid_max; + #endif /* - * Get my name so that I can use it to report errors. -@@ -1957,6 +1957,9 @@ int main (int argc, char **argv) +@@ -1958,6 +1958,9 @@ int main (int argc, char **argv) audit_help_open (); #endif diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.3.1-manfix.patch similarity index 81% rename from shadow-4.2.1-manfix.patch rename to shadow-4.3.1-manfix.patch index 2ca84b3..2aeb0a8 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch 
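Review bot: In the rebased defs-chroot hunk `uid_t uid_min;` and `uid_t uid_max;` are now declared without initializers inside `#ifdef ENABLE_SUBIDS`, while the assignments that replace the dropped `getdef_ulong` calls sit in the `@@ -1958,6 +1958,9 @@` hunk after `audit_help_open ();`, whose body is outside this view. Because the declarations are conditional, those later assignments need the same `#ifdef ENABLE_SUBIDS` guard or a build without subordinate-id support fails to compile; three added lines leave little room for a guard plus two assignments, so this is worth confirming. A one-line comment on the declarations, `/* initialized later in main(), see the hunk at audit_help_open() */`, would make the split between declaration and initialization visible to the next rebase. The enclosing main() starts and ends outside the hunk.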
@@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml ---- shadow-4.2.1/man/groupmems.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/groupmems.8.xml 2015-11-06 14:21:03.013060324 +0100 +diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xml +--- shadow-4.3.1/man/groupmems.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/groupmems.8.xml 2016-08-22 17:08:48.486332066 +0200 @@ -179,20 +179,10 @@ SETUP @@ -25,9 +25,9 @@ diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xm -diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml ---- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 +diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml +--- shadow-4.3.1/man/chage.1.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/chage.1.xml 2016-08-22 17:08:48.486332066 +0200 @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -38,9 +38,9 @@ diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml -diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/login.defs.5 ---- shadow-4.2.1/man/ja/man5/login.defs.5.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/ja/man5/login.defs.5 2016-01-08 09:58:29.591702354 +0100 +diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 +--- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 @@ -147,10 +147,6 @@ 以下の参照表は、 shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 
@@ -52,9 +52,9 @@ diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/l .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml ---- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 -+++ shadow-4.2.1/man/login.defs.5.xml 2016-01-08 09:59:35.854169787 +0100 +diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5.xml +--- shadow-4.3.1/man/login.defs.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/login.defs.5.xml 2016-08-22 17:08:48.487332069 +0200 @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -105,7 +105,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. -@@ -350,34 +342,6 @@ +@@ -350,34 +343,6 @@ @@ -191,9 +191,9 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. useradd -diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml ---- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 +diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml +--- shadow-4.3.1/man/shadow.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/shadow.5.xml 2016-08-22 17:08:48.487332069 +0200 @@ -208,8 +208,8 @@ 
@@ -205,10 +205,10 @@ diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml An empty field means that there are no enforcement of an -diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml ---- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 -+++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 -@@ -347,11 +347,16 @@ +diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml +--- shadow-4.3.1/man/useradd.8.xml.manfix 2016-08-22 17:08:48.446331961 +0200 ++++ shadow-4.3.1/man/useradd.8.xml 2016-08-22 17:08:48.487332069 +0200 +@@ -347,6 +347,11 @@ is not enabled, no home directories are created. @@ -220,15 +220,9 @@ diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml - -- -+ , - - - -diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml ---- shadow-4.2.1/man/usermod.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/usermod.8.xml 2014-11-26 15:34:51.257978963 +0100 +diff -up shadow-4.3.1/man/usermod.8.xml.manfix shadow-4.3.1/man/usermod.8.xml +--- shadow-4.3.1/man/usermod.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/usermod.8.xml 2016-08-22 17:08:48.487332069 +0200 @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch similarity index 79% rename from shadow-4.2.1-selinux-perms.patch rename to shadow-4.3.1-selinux-perms.patch index 7e7f70e..9469a7e 100644 --- a/shadow-4.2.1-selinux-perms.patch +++ b/shadow-4.3.1-selinux-perms.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c ---- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200 +diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c +--- shadow-4.3.1/src/chgpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chgpasswd.c 2016-08-22 17:25:46.825011776 +0200 @@ -39,6 +39,13 @@ #include #include @@ -147,9 +147,9 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* * The updated group file entry is then put back and will * be written to the group file later, after all the -diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c ---- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200 +diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c +--- shadow-4.3.1/src/chpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chpasswd.c 2016-08-22 17:25:46.825011776 +0200 @@ -39,6 +39,13 @@ #include #include 
@@ -257,10 +257,10 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
 /*
 * The updated password file entry is then put back and will
 * be written to the password file later, after all the
-diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
---- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200
-+++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200
-@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
+diff -up shadow-4.3.1/src/Makefile.am.selinux-perms shadow-4.3.1/src/Makefile.am
+--- shadow-4.3.1/src/Makefile.am.selinux-perms 2016-08-15 06:00:59.000000000 +0200
++++ shadow-4.3.1/src/Makefile.am 2016-08-22 17:25:46.825011776 +0200
+@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
 newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
 newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
 chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
@@ -272,18 +272,3 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
 gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
 groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in
---- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200
-+++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200
-@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(
- newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
- newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
- chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
--chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
-+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
- chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
--chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
-+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
- gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
- groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
- groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
From 86cbf7e19d07d19e68d992aa94dc844a05d4f57f Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 23 Aug 2016 16:30:57 +0200
Subject: [PATCH 126/151] Add proper buildrequires for autotools.
---
 shadow-utils.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index e799786..fffefc9 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -42,7 +42,7 @@ BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
 BuildRequires: libacl-devel libattr-devel
 BuildRequires: bison flex gnome-doc-utils
-#BuildRequires: autoconf, automake, libtool, gettext-devel
+BuildRequires: autoconf, automake, libtool, gettext-devel
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
 Requires: setup
From 457acab6b41318deb60951e7c687b372e8aba07a Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 23 Aug 2016 16:51:22 +0200
Subject: [PATCH 127/151] Add buildrequires for docbook.
---
 shadow-utils.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shadow-utils.spec b/shadow-utils.spec
index fffefc9..a42dc34 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -40,8 +40,8 @@ Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
 BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
-BuildRequires: libacl-devel libattr-devel
-BuildRequires: bison flex gnome-doc-utils
+BuildRequires: libacl-devel, libattr-devel
+BuildRequires: bison, flex, gnome-doc-utils, docbook-style-xsl, docbook-dtds
 BuildRequires: autoconf, automake, libtool, gettext-devel
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
From bb62fd7837348eb8b277051626ad4af0db7f3741 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 25 Aug 2016 11:24:38 +0200
Subject: [PATCH 128/151] fix regression in useradd - not processing defaults properly (#1369979)
---
 shadow-4.3.1-process-defaults.patch | 21 +++++++++++++++++++++
 shadow-utils.spec | 7 ++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.3.1-process-defaults.patch
diff --git a/shadow-4.3.1-process-defaults.patch b/shadow-4.3.1-process-defaults.patch
new file mode 100644
index 0000000..b337376
--- /dev/null
+++ b/shadow-4.3.1-process-defaults.patch
@@ -0,0 +1,21 @@ +diff -up shadow-4.3.1/src/useradd.c.process-defaults shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.process-defaults 2016-08-22 17:30:01.000000000 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-25 09:49:51.454720951 +0200 +@@ -1974,6 +1974,8 @@ int main (int argc, char **argv) + is_shadow_grp = sgr_file_present (); + #endif + ++ get_defaults (); ++ + process_flags (argc, argv); + + #ifdef ENABLE_SUBIDS +@@ -1983,8 +1985,6 @@ int main (int argc, char **argv) + (!user_id || (user_id <= uid_max && user_id >= uid_min)); + #endif /* ENABLE_SUBIDS */ + +- get_defaults (); +- + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + { diff --git a/shadow-utils.spec b/shadow-utils.spec index a42dc34..d748e24 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.3.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz @@ -34,6 +34,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.3.1-defs-chroot.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch +Patch30: shadow-4.3.1-process-defaults.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -89,6 +90,7 @@ are used for managing group accounts. %patch25 -p1 -b .defs-chroot %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm +%patch30 -p1 -b .process-defaults iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -247,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2 +- fix regression in useradd - not processing defaults properly (#1369979) + * Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1 - new upstream release fixing low impact security issue From ba9340caf5a3f86043659dd5dc83d9280cd38185 Mon Sep 17 00:00:00 2001 
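Review bot: The reordering in the nested useradd.c hunk carries no comment saying why get_defaults() must now run before process_flags(), so a later cleanup can silently reintroduce the regression this fixes (#1369979); I would put above the moved call `/* Load the defaults before process_flags(): the options parsed there are meant to override these values, not be overwritten by them (#1369979) */`, noting that the override relationship is inferred from the commit subject rather than visible in the hunk. One thing to re-check: if the -R/--root handling lives in process_flags() rather than earlier in main(), get_defaults() now reads the defaults file before the alternate root is known, which interacts with the existing shadow-4.3.1-defs-chroot.patch (Patch25 in the spec hunk below). main() starts and ends outside the hunk, so where the root flag is parsed cannot be confirmed from here.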
From: Fedora Release Engineering Date: Sat, 11 Feb 2017 13:21:56 +0000 Subject: [PATCH 129/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index d748e24..5d536e6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.3.1 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz @@ -249,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2 - fix regression in useradd - not processing defaults properly (#1369979) From ec99eade4e4fc141e2c55581ecc913cde348296c Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 21 Jul 2017 14:04:11 +0200 Subject: [PATCH 130/151] update to current upstream release 4.5 --- .gitignore | 2 + shadow-4.1.5-uflg.patch | 23 - shadow-4.1.5.1-audit-owner.patch | 32 - shadow-4.1.5.1-backup-mode.patch | 20 - shadow-4.1.5.1-errmsg.patch | 23 - shadow-4.1.5.1-id-alloc.patch | 1219 ----------------- shadow-4.1.5.1-selinux.patch | 99 -- shadow-4.2.1-merge-group.patch | 13 - shadow-4.3.1-defs-chroot.patch | 24 - shadow-4.3.1-process-defaults.patch | 21 - ...ext.patch => shadow-4.5-orig-context.patch | 42 +- shadow-4.5-selinux.patch | 115 ++ ...k.patch => shadow-4.5-usermod-unlock.patch | 8 +- shadow-utils.spec | 40 +- sources | 3 +- 15 files changed, 157 insertions(+), 1527 deletions(-) delete mode 100644 shadow-4.1.5-uflg.patch delete mode 100644 shadow-4.1.5.1-audit-owner.patch delete mode 100644 shadow-4.1.5.1-backup-mode.patch delete mode 100644 shadow-4.1.5.1-errmsg.patch delete mode 100644 shadow-4.1.5.1-id-alloc.patch delete mode 100644 shadow-4.1.5.1-selinux.patch delete mode 100644 shadow-4.2.1-merge-group.patch delete mode 100644 shadow-4.3.1-defs-chroot.patch delete mode 100644 shadow-4.3.1-process-defaults.patch rename shadow-4.1.5.1-orig-context.patch => shadow-4.5-orig-context.patch (67%) create mode 100644 shadow-4.5-selinux.patch rename shadow-4.2.1-usermod-unlock.patch => shadow-4.5-usermod-unlock.patch (86%) diff --git a/.gitignore b/.gitignore index 09b6c9b..d1e7d76 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,5 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.2.1.tar.xz /shadow-4.2.1.tar.xz.sig /shadow-4.3.1.tar.gz +/shadow-4.5.tar.xz +/shadow-4.5.tar.xz.asc diff --git a/shadow-4.1.5-uflg.patch b/shadow-4.1.5-uflg.patch deleted file mode 100644 index f72bca3..0000000 --- a/shadow-4.1.5-uflg.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c ---- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200 -+++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100 -@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group, - return -1; - } - } else { -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ gid_min = (gid_t) 1; - gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - if (gid_max < gid_min) { -@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group, - return 0; - } - -+ /* if we did not find free preffered system gid, we start to look for -+ * one in the range assigned to dynamic system IDs */ -+ if (sys_group) -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); - - /* - * Search the entire group file, diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch deleted file mode 100644 index 6fbbdbf..0000000 --- a/shadow-4.1.5.1-audit-owner.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100 -+++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200 -@@ -1513,6 +1513,14 @@ static void move_home (void) - fail_exit (E_HOMEDIR); - } - -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif -+ - if (rename (user_home, user_newhome) == 0) { - /* FIXME: rename above may have broken symlinks - * pointing to the user's home directory -@@ -1947,6 +1955,13 @@ int main (int argc, char **argv) - * ownership. - * - */ -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif - if (chown_tree (dflg ? user_newhome : user_home, - user_id, - uflg ? user_newid : (uid_t)-1, diff --git a/shadow-4.1.5.1-backup-mode.patch b/shadow-4.1.5.1-backup-mode.patch deleted file mode 100644 index 7366b86..0000000 --- a/shadow-4.1.5.1-backup-mode.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 -@@ -301,15 +301,12 @@ static int create_backup (const char *ba - struct utimbuf ub; - FILE *bkfp; - int c; -- mode_t mask; - - if (fstat (fileno (fp), &sb) != 0) { - return -1; - } - -- mask = umask (077); -- bkfp = fopen (backup, "w"); -- (void) umask (mask); -+ bkfp = fopen_set_perms (backup, "w", &sb); - if (NULL == bkfp) { - return -1; - } diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch deleted file mode 100644 index 6f3a1d2..0000000 --- a/shadow-4.1.5.1-errmsg.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200 -@@ -1760,6 +1760,9 @@ static void create_home (void) - if (access (user_home, F_OK) != 0) { - #ifdef WITH_SELINUX - if (set_selinux_file_context (user_home, NULL) != 0) { -+ fprintf (stderr, -+ _("%s: cannot set SELinux context for home directory %s\n"), -+ Prog, user_home); - fail_exit (E_HOMEDIR); - } - #endif -@@ -1789,6 +1792,9 @@ static void create_home (void) - #ifdef WITH_SELINUX - /* Reset SELinux to create files with default contexts */ - if (reset_selinux_file_context () != 0) { -+ fprintf (stderr, -+ _("%s: cannot reset SELinux file creation context\n"), -+ Prog); - fail_exit (E_HOMEDIR); - } - #endif diff --git a/shadow-4.1.5.1-id-alloc.patch b/shadow-4.1.5.1-id-alloc.patch deleted file mode 100644 index df6f89f..0000000 --- a/shadow-4.1.5.1-id-alloc.patch +++ /dev/null 
@@ -1,1219 +0,0 @@ -Previously, this allocation was optimized for an outdated -deployment style (that of /etc/group alongside nss_db). The issue -here is that this results in extremely poor performance when using -SSSD, Winbind or nss_ldap. - -There were actually three serious bugs here that have been addressed: - -1) Running getgrent() loops won't work in most SSSD or Winbind -environments, as full group enumeration is disabled by default. -This could easily result in auto-allocating a group that was -already in use. (This might result in a security issue as well, if -the shared GID is a privileged group). - -2) For system groups, the loop was always iterating through the -complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this -means hundreds of round-trips to LDAP (unless the GIDs were -specifically configured to be ignored by the SSSD or winbindd). -To a user with a slow connection to their LDAP server, this would -appear as if groupadd -r was hung. (Though it would eventually -complete). - -3) This patch also adds better error-handling for errno from -getgrgid(), since if this function returns an unexpected error, we -should not be treating it as "ID is available". This could result -in assigning a GID that was already in use, with all the same -issues as 1) above. - -This patch changes the algorithm to be more favorable for LDAP -environments, at the expense of some performance when using nss_db. -Given that the DB is a local service, this should have a negligible -effect from a user's perspective. - -With the new algorithm, we simply first iterate through all entries -in the local database with gr_next(), recording the IDs that are in -use. We then start from the highest presumed-available entry and -call getgrgid() to see if it is available. We continue this until -we come to the first unused GID. We then select that and return it. 
- -If we make it through all the remaining IDs without finding a free -one, we start over from the beginning of the range and try to find -room in one of the gaps in the range. - -The patch was originally written by Stephen Gallagher and applied -identically also to the user allocation by Tomáš Mráz. - -diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c ---- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_group, gid_t *min_id, gid_t *max_id, -+ gid_t *preferred_min) -+{ -+ gid_t gid_def_max = 0; -+ -+ if (sys_group) { -+ /* System groups */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (gid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (gid_t) getdef_ulong("SYS_GID_MIN", 101UL); -+ -+ /* -+ * If SYS_GID_MAX is unspecified, we should assume it to be one -+ * less than the GID_MIN (which is reserved for non-system accounts) -+ */ -+ gid_def_max = (gid_t) getdef_ulong("GID_MIN", 1000UL) - 1; -+ *max_id = (gid_t) getdef_ulong("SYS_GID_MAX", -+ (unsigned long) gid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_GID_MIN (%lu), " -+ "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("GID_MIN", 1000UL), -+ 
(unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system groups */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (gid_t) getdef_ulong("GID_MIN", 1000UL); -+ *max_id = (gid_t) getdef_ulong("GID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system groups. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: GID_MIN (%lu), " -+ "GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_gid - See if the requested GID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getgrgid() -+ */ -+static int check_gid(const gid_t gid, -+ const gid_t gid_min, -+ const gid_t gid_max, -+ bool *used_gids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (gid < gid_min || gid > gid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this GID -+ * using the gr_next() loop -+ */ -+ if (used_gids != NULL && used_gids[gid]) { -+ return EEXIST; -+ } -+ /* Check if the GID exists according to NSS */ -+ errno = 0; -+ if (getgrgid(gid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getgrgid() was NULL, check whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the GID must be available */ -+ return 0; -+} -+ -+/* - * find_new_gid - Find a new unused GID. - * - * If successful, find_new_gid provides an unused group ID in the -@@ -48,166 +160,339 @@ - * - * Return 0 on success, -1 if no unused GIDs are available. 
- */ --int find_new_gid (bool sys_group, -- gid_t *gid, -- /*@null@*/gid_t const *preferred_gid) -+int find_new_gid(bool sys_group, -+ gid_t *gid, -+ /*@null@*/gid_t const *preferred_gid) - { -- const struct group *grp; -- gid_t gid_min, gid_max, group_id; - bool *used_gids; -+ const struct group *grp; -+ gid_t gid_min, gid_max, preferred_min; -+ gid_t group_id, id; -+ gid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - -- assert (gid != NULL); -+ assert(gid != NULL); - -- if (!sys_group) { -- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); -- gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, (unsigned long) gid_max); -- return -1; -- } -- } else { -- gid_min = (gid_t) 1; -- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; -- gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_group, &gid_min, &gid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred GID is available */ -+ if (preferred_gid) { -+ result = check_gid(*preferred_gid, preferred_min, gid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the GID isn't queued for use already -+ */ -+ if (gr_locate_gid (*preferred_gid) == NULL) { -+ *gid = *preferred_gid; -+ return 0; -+ } -+ /* -+ * gr_locate_gid() found the GID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set a GID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. 
At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the group creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific GID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred GID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire group file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with gr_rewind/gr_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system groups) or highest (non-system -+ * groups), we will prefer those and avoid potentially reclaiming a -+ * deleted group (which can be a security issue, since it may grant -+ * access to files belonging to that former group). -+ * -+ * If there are no GIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. 
-+ * -+ */ -+ -+ /* Create an array to hold all of the discovered GIDs */ - used_gids = malloc (sizeof (bool) * (gid_max +1)); - if (NULL == used_gids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_gids, false, sizeof (bool) * (gid_max + 1)); - -- if ( (NULL != preferred_gid) -- && (*preferred_gid >= gid_min) -- && (*preferred_gid <= gid_max) -- /* Check if the user exists according to NSS */ -- && (getgrgid (*preferred_gid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (gr_locate_gid (*preferred_gid) == NULL)) { -- *gid = *preferred_gid; -- free (used_gids); -- return 0; -- } -- -- /* if we did not find free preffered system gid, we start to look for -- * one in the range assigned to dynamic system IDs */ -- if (sys_group) -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ /* First look for the lowest and highest value in the local database */ -+ (void) gr_rewind (); -+ highest_found = gid_min; -+ lowest_found = gid_max; -+ while ((grp = gr_next ()) != NULL) { -+ /* -+ * Does this entry have a lower GID than the lowest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) { -+ lowest_found = grp->gr_gid - 1; -+ } -+ -+ /* -+ * Does this entry have a higher GID than the highest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) { -+ highest_found = grp->gr_gid + 1; -+ } -+ -+ /* create index of used GIDs */ -+ if (grp->gr_gid >= gid_min -+ && grp->gr_gid <= gid_max) { -+ -+ used_gids[grp->gr_gid] = true; -+ } -+ } - -- /* -- * Search the entire group file, -- * looking for the largest unused value. 
-- * -- * We check the list of groups according to NSS (setgrent/getgrent), -- * but we also check the local database (gr_rewind/gr_next) in case -- * some groups were created but the changes were not committed yet. -- */ - if (sys_group) { -- gid_t id; -- /* setgrent / getgrent / endgrent can be very slow with -- * LDAP configurations (and many accounts). -- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getgrgid. -- */ -- group_id = gid_max; -- for (id = gid_max; id >= gid_min; id--) { -- if (getgrgid (id) != NULL) { -- group_id = id - 1; -- used_gids[id] = true; -- } -+ /* -+ * For system groups, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MIN - 1. -+ */ -+ if (lowest_found < gid_min) { -+ /* -+ * In this case, a GID is in use at GID_MIN. -+ * -+ * We will reset the search to GID_MAX and proceed down -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ lowest_found = gid_max; - } - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { -- group_id = grp->gr_gid - 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. 
*/ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- group_id = gid_min; -- setgrent (); -- while ((grp = getgrent ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * GID_MAX - 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != gid_max) { -+ for (id = gid_max; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ -+ } - } - } -- endgrent (); -+ } else { /* !sys_group */ -+ /* -+ * For non-system groups, we want to start from the -+ * bottom of the range and work upwards. -+ */ - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -- } -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MAX + 1. -+ */ -+ if (highest_found > gid_max) { -+ /* -+ * In this case, a GID is in use at GID_MAX. -+ * -+ * We will reset the search to GID_MIN and proceed up -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ highest_found = gid_min; - } -- } - -- /* -- * If a group (resp. system group) with GID equal to GID_MAX (resp. -- * GID_MIN) exists, the above algorithm will give us GID_MAX+1 -- * (resp. GID_MIN-1) even if not unique. Search for the first free -- * GID starting with GID_MIN (resp. GID_MAX). -- */ -- if (sys_group) { -- if (group_id < gid_min) { -- for (group_id = gid_max; group_id >= gid_min; group_id--) { -- if (false == used_gids[group_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. 
*/ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (group_id < gid_min) { -- fprintf (stderr, -- _("%s: Can't get unique system GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available GID on the system")); -- free (used_gids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- if (group_id > gid_max) { -- for (group_id = gid_min; group_id <= gid_max; group_id++) { -- if (false == used_gids[group_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * GID_MIN + 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != gid_min) { -+ for (id = gid_min; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- if (group_id > gid_max) { -- fprintf (stderr, -- _("%s: Can't get unique GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available GID on the system")); -- free (used_gids); -- return -1; -- } - } - } - -- free (used_gids); -- *gid = group_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique GID (no more available GIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available GIDs on the system")); -+ free(used_gids); -+ return -1; - } - -diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c ---- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id, -+ uid_t *preferred_min) -+{ -+ uid_t uid_def_max = 0; -+ -+ if (sys_user) { -+ /* System users */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (uid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL); -+ -+ /* -+ * If SYS_UID_MAX is unspecified, we 
should assume it to be one -+ * less than the UID_MIN (which is reserved for non-system accounts) -+ */ -+ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1; -+ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX", -+ (unsigned long) uid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_UID_MIN (%lu), " -+ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("UID_MIN", 1000UL), -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system users */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (uid_t) getdef_ulong("UID_MIN", 1000UL); -+ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system users. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: UID_MIN (%lu), " -+ "UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_uid - See if the requested UID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getpwuid() -+ */ -+static int check_uid(const uid_t uid, -+ const uid_t uid_min, -+ const uid_t uid_max, -+ bool *used_uids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (uid < uid_min || uid > uid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this UID -+ * using the pw_next() loop -+ */ -+ if (used_uids != NULL && used_uids[uid]) { -+ return EEXIST; -+ } -+ /* Check if the UID exists according to NSS */ -+ errno = 0; -+ if (getpwuid(uid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getpwuid() was NULL, check 
whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the UID must be available */ -+ return 0; -+} -+ -+/* - * find_new_uid - Find a new unused UID. - * - * If successful, find_new_uid provides an unused user ID in the -@@ -48,162 +160,339 @@ - * - * Return 0 on success, -1 if no unused UIDs are available. - */ --int find_new_uid (bool sys_user, -- uid_t *uid, -- /*@null@*/uid_t const *preferred_uid) -+int find_new_uid(bool sys_user, -+ uid_t *uid, -+ /*@null@*/uid_t const *preferred_uid) - { -- const struct passwd *pwd; -- uid_t uid_min, uid_max, user_id; - bool *used_uids; -+ const struct passwd *pwd; -+ uid_t uid_min, uid_max, preferred_min; -+ uid_t user_id, id; -+ uid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - - assert (uid != NULL); - -- if (!sys_user) { -- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, (unsigned long) uid_max); -- return -1; -- } -- } else { -- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); -- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; -- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred UID is available */ -+ if (preferred_uid) { -+ result = check_uid(*preferred_uid, 
preferred_min, uid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the UID isn't queued for use already -+ */ -+ if (pw_locate_uid (*preferred_uid) == NULL) { -+ *uid = *preferred_uid; -+ return 0; -+ } -+ /* -+ * pw_locate_uid() found the UID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set an UID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the user creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific UID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred UID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire passwd file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with pw_rewind/pw_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system users) or highest (non-system -+ * users), we will prefer those and avoid potentially reclaiming a -+ * deleted user (which can be a security issue, since it may grant -+ * access to files belonging to that former user). -+ * -+ * If there are no UIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. 
-+ * -+ */ -+ -+ /* Create an array to hold all of the discovered UIDs */ - used_uids = malloc (sizeof (bool) * (uid_max +1)); - if (NULL == used_uids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_uids, false, sizeof (bool) * (uid_max + 1)); - -- if ( (NULL != preferred_uid) -- && (*preferred_uid >= uid_min) -- && (*preferred_uid <= uid_max) -- /* Check if the user exists according to NSS */ -- && (getpwuid (*preferred_uid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (pw_locate_uid (*preferred_uid) == NULL)) { -- *uid = *preferred_uid; -- free (used_uids); -- return 0; -- } -+ /* First look for the lowest and highest value in the local database */ -+ (void) pw_rewind (); -+ highest_found = uid_min; -+ lowest_found = uid_max; -+ while ((pwd = pw_next ()) != NULL) { -+ /* -+ * Does this entry have a lower UID than the lowest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) { -+ lowest_found = pwd->pw_uid - 1; -+ } - -+ /* -+ * Does this entry have a higher UID than the highest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) { -+ highest_found = pwd->pw_uid + 1; -+ } -+ -+ /* create index of used UIDs */ -+ if (pwd->pw_uid >= uid_min -+ && pwd->pw_uid <= uid_max) { -+ -+ used_uids[pwd->pw_uid] = true; -+ } -+ } - -- /* -- * Search the entire password file, -- * looking for the largest unused value. -- * -- * We check the list of users according to NSS (setpwent/getpwent), -- * but we also check the local database (pw_rewind/pw_next) in case -- * some users were created but the changes were not committed yet. -- */ - if (sys_user) { -- uid_t id; -- /* setpwent / getpwent / endpwent can be very slow with -- * LDAP configurations (and many accounts). 
-- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getpwuid. -- */ -- user_id = uid_max; -- for (id = uid_max; id >= uid_min; id--) { -- if (getpwuid (id) != NULL) { -- user_id = id - 1; -- used_uids[id] = true; -- } -+ /* -+ * For system users, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MIN - 1. -+ */ -+ if (lowest_found < uid_min) { -+ /* -+ * In this case, an UID is in use at UID_MIN. -+ * -+ * We will reset the search to UID_MAX and proceed down -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ lowest_found = uid_max; - } - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { -- user_id = pwd->pw_uid - 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- user_id = uid_min; -- setpwent (); -- while ((pwd = getpwent ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * UID_MAX - 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != uid_max) { -+ for (id = uid_max; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ -+ } - } - } -- endpwent (); -+ } else { /* !sys_user */ -+ /* -+ * For non-system users, we want to start from the -+ * bottom of the range and work upwards. 
-+ */ - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -- } -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MAX + 1. -+ */ -+ if (highest_found > uid_max) { -+ /* -+ * In this case, a UID is in use at UID_MAX. -+ * -+ * We will reset the search to UID_MIN and proceed up -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ highest_found = uid_min; - } -- } - -- /* -- * If a user (resp. system user) with UID equal to UID_MAX (resp. -- * UID_MIN) exists, the above algorithm will give us UID_MAX+1 -- * (resp. UID_MIN-1) even if not unique. Search for the first free -- * UID starting with UID_MIN (resp. UID_MAX). -- */ -- if (sys_user) { -- if (user_id < uid_min) { -- for (user_id = uid_max; user_id >= uid_min; user_id--) { -- if (false == used_uids[user_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). 
" -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (user_id < uid_min ) { -- fprintf (stderr, -- _("%s: Can't get unique system UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available UID on the system")); -- free (used_uids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- if (user_id > uid_max) { -- for (user_id = uid_min; user_id <= uid_max; user_id++) { -- if (false == used_uids[user_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * UID_MIN + 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != uid_min) { -+ for (id = uid_min; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. 
-+ */ - } - } -- if (user_id > uid_max) { -- fprintf (stderr, -- _("%s: Can't get unique UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available UID on the system")); -- free (used_uids); -- return -1; -- } - } - } - -- free (used_uids); -- *uid = user_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique UID (no more available UIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available UIDs on the system")); -+ free(used_uids); -+ return -1; - } - diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch deleted file mode 100644 index 4ac32d2..0000000 --- a/shadow-4.1.5.1-selinux.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200 -@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, - - ret = 0; - -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_seuser_key_free (key); - semanage_handle_destroy (handle); -@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) - } - - ret = 0; -+ -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_handle_destroy (handle); - return ret; -diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200 -@@ -1850,6 +1850,7 @@ static void create_mail (void) - */ - int main (int argc, char **argv) - { -+ int rv = E_SUCCESS; - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) - - usr_update (); - -+ close_files (); -+ -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ -+#ifdef WITH_SELINUX -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ if (set_seuser (user_name, user_selinux) != 0) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "adding SELinux user mapping", -+ user_name, (unsigned int) user_id, 0); -+#endif /* WITH_AUDIT */ -+ rv = E_SE_UPDATE; -+ } -+ } -+ } -+#endif -+ - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, -+ copy_tree (def_template, user_home, false, true, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, -@@ -2056,27 +2080,6 @@ 
int main (int argc, char **argv) - create_mail (); - } - -- close_files (); -- --#ifdef WITH_SELINUX -- if (Zflg) { -- if (set_seuser (user_name, user_selinux) != 0) { -- fprintf (stderr, -- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -- Prog, user_name, user_selinux); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding SELinux user mapping", -- user_name, (unsigned int) user_id, 0); --#endif /* WITH_AUDIT */ -- fail_exit (E_SE_UPDATE); -- } -- } --#endif /* WITH_SELINUX */ -- -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- -- return E_SUCCESS; -+ return rv; - } - diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch deleted file mode 100644 index 1adcabd..0000000 --- a/shadow-4.2.1-merge-group.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c ---- shadow-4.2.1/lib/groupio.c.merge-group 2014-11-26 14:33:54.039581662 +0100 -+++ shadow-4.2.1/lib/groupio.c 2014-11-26 14:46:02.841852886 +0100 -@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry * - errno = ENOMEM; - return NULL; - } -- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); -- new_line[new_line_len] = '\0'; -+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); - - /* Concatenate the 2 list of members */ - for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-4.3.1-defs-chroot.patch b/shadow-4.3.1-defs-chroot.patch deleted file mode 100644 index e57fac8..0000000 --- a/shadow-4.3.1-defs-chroot.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -diff -up shadow-4.3.1/src/useradd.c.defs-chroot shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.defs-chroot 2016-08-22 17:13:29.420068883 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-22 17:15:14.040343275 +0200 -@@ -1938,8 +1938,8 @@ int main (int argc, char **argv) - #endif /* ACCT_TOOLS_SETUID */ - - #ifdef ENABLE_SUBIDS -- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ uid_t uid_min; -+ uid_t uid_max; - #endif - - /* -@@ -1958,6 +1958,9 @@ int main (int argc, char **argv) - audit_help_open (); - #endif - -+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ - sys_ngroups = sysconf (_SC_NGROUPS_MAX); - user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); - /* diff --git a/shadow-4.3.1-process-defaults.patch b/shadow-4.3.1-process-defaults.patch deleted file mode 100644 index b337376..0000000 --- a/shadow-4.3.1-process-defaults.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up shadow-4.3.1/src/useradd.c.process-defaults shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.process-defaults 2016-08-22 17:30:01.000000000 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-25 09:49:51.454720951 +0200 -@@ -1974,6 +1974,8 @@ int main (int argc, char **argv) - is_shadow_grp = sgr_file_present (); - #endif - -+ get_defaults (); -+ - process_flags (argc, argv); - - #ifdef ENABLE_SUBIDS -@@ -1983,8 +1985,6 @@ int main (int argc, char **argv) - (!user_id || (user_id <= uid_max && user_id >= uid_min)); - #endif /* ENABLE_SUBIDS */ - -- get_defaults (); -- - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - { diff --git a/shadow-4.1.5.1-orig-context.patch b/shadow-4.5-orig-context.patch similarity index 67% rename from shadow-4.1.5.1-orig-context.patch rename to shadow-4.5-orig-context.patch index c1ddb13..c935658 100644 --- a/shadow-4.1.5.1-orig-context.patch +++ b/shadow-4.5-orig-context.patch 
@@ -1,6 +1,6 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100 +diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c +--- shadow-4.5/lib/commonio.c.orig-context 2017-05-17 21:19:44.000000000 +0200 ++++ shadow-4.5/lib/commonio.c 2017-07-20 16:47:41.102186239 +0200 @@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); @@ -10,7 +10,7 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db * +@@ -974,7 +974,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -19,9 +19,9 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c ---- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100 -+++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100 +diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c +--- shadow-4.5/libmisc/copydir.c.orig-context 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/libmisc/copydir.c 2017-07-20 16:47:41.102186239 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ 
@@ -58,10 +58,10 @@ diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/co return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h ---- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100 -+++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100 -@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h +--- shadow-4.5/lib/prototypes.h.orig-context 2017-05-17 21:19:44.000000000 +0200 ++++ shadow-4.5/lib/prototypes.h 2017-07-20 16:47:41.102186239 +0200 +@@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -70,9 +70,9 @@ diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototy extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c ---- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100 +diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c +--- shadow-4.5/lib/selinux.c.orig-context 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/selinux.c 2017-07-20 16:47:41.102186239 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context 
@@ -114,15 +114,15 @@ diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c } /* -diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100 -@@ -1759,7 +1759,7 @@ static void create_home (void) +diff -up shadow-4.5/src/useradd.c.orig-context shadow-4.5/src/useradd.c +--- shadow-4.5/src/useradd.c.orig-context 2017-07-20 16:47:41.102186239 +0200 ++++ shadow-4.5/src/useradd.c 2017-07-20 16:50:28.226198387 +0200 +@@ -1945,7 +1945,7 @@ static void create_home (void) { if (access (user_home, F_OK) != 0) { #ifdef WITH_SELINUX - if (set_selinux_file_context (user_home) != 0) { + if (set_selinux_file_context (user_home, NULL) != 0) { - fail_exit (E_HOMEDIR); - } - #endif + fprintf (stderr, + _("%s: cannot set SELinux context for home directory %s\n"), + Prog, user_home); diff --git a/shadow-4.5-selinux.patch b/shadow-4.5-selinux.patch new file mode 100644 index 0000000..cd190cc --- /dev/null +++ b/shadow-4.5-selinux.patch 
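Review bot: The refreshed context around `set_selinux_file_context (user_home, NULL)` shows that in 4.5 a labeling failure for the home directory only prints `cannot set SELinux context for home directory` and continues, whereas the 4.1.5.1 context this patch was rebased from called `fail_exit (E_HOMEDIR)`; the rebase inherits that behavior change, so a home directory can now be created under an unintended label with only a warning on stderr. Whether this upstream relaxation is acceptable for the distribution should be recorded, e.g. in the spec changelog entry for this rebase, so it is not mistaken for an oversight. The enclosing create_home() body continues outside the hunk.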
@@ -0,0 +1,115 @@ +diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c +--- shadow-4.5/lib/semanage.c.selinux 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/semanage.c 2017-07-20 16:40:49.680297319 +0200 +@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, + + ret = 0; + ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_seuser_key_free (key); + semanage_handle_destroy (handle); +@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) + } + + ret = 0; ++ ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_handle_destroy (handle); + return ret; +diff -up shadow-4.5/src/useradd.c.selinux shadow-4.5/src/useradd.c +--- shadow-4.5/src/useradd.c.selinux 2017-07-20 16:40:49.677297246 +0200 ++++ shadow-4.5/src/useradd.c 2017-07-20 16:44:58.195275331 +0200 +@@ -2042,6 +2042,7 @@ static void create_mail (void) + */ + int main (int argc, char **argv) + { ++ int rv = E_SUCCESS; + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + pam_handle_t *pamh = NULL; +@@ -2262,27 +2263,11 @@ int main (int argc, char **argv) + + usr_update (); + +- if (mflg) { +- create_home (); +- if (home_added) { +- copy_tree (def_template, user_home, false, false, +- (uid_t)-1, user_id, (gid_t)-1, user_gid); +- } else { +- fprintf (stderr, +- _("%s: warning: the home directory already exists.\n" +- "Not copying any file from skel directory into it.\n"), +- Prog); +- } +- +- } +- +- /* Do not create mail directory for system accounts */ +- if (!rflg) { +- create_mail (); +- } +- + close_files (); + ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ + /* + * tallylog_reset needs to be able to lookup + * a valid existing user name, +@@ -2293,8 +2278,9 @@ int main (int argc, char **argv) + } + + #ifdef WITH_SELINUX +- if (Zflg) { +- if (set_seuser (user_name, user_selinux) != 0) { ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ if (set_seuser (user_name, 
user_selinux) != 0) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); +@@ -2303,14 +2289,31 @@ int main (int argc, char **argv) + "adding SELinux user mapping", + user_name, (unsigned int) user_id, 0); + #endif /* WITH_AUDIT */ +- fail_exit (E_SE_UPDATE); ++ rv = E_SE_UPDATE; ++ } + } + } +-#endif /* WITH_SELINUX */ ++#endif + +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); ++ if (mflg) { ++ create_home (); ++ if (home_added) { ++ copy_tree (def_template, user_home, false, true, ++ (uid_t)-1, user_id, (gid_t)-1, user_gid); ++ } else { ++ fprintf (stderr, ++ _("%s: warning: the home directory already exists.\n" ++ "Not copying any file from skel directory into it.\n"), ++ Prog); ++ } ++ ++ } ++ ++ /* Do not create mail directory for system accounts */ ++ if (!rflg) { ++ create_mail (); ++ } + +- return E_SUCCESS; ++ return rv; + } + diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch similarity index 86% rename from shadow-4.2.1-usermod-unlock.patch rename to shadow-4.5-usermod-unlock.patch index 19feecb..d37b4aa 100644 --- a/shadow-4.2.1-usermod-unlock.patch +++ b/shadow-4.5-usermod-unlock.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.unlock 2016-02-03 11:54:14.977664838 +0100 -+++ shadow-4.2.1/src/usermod.c 2016-02-09 11:52:08.244957222 +0100 +diff -up shadow-4.5/src/usermod.c.unlock shadow-4.5/src/usermod.c +--- shadow-4.5/src/usermod.c.unlock 2017-07-20 16:52:23.641969174 +0200 ++++ shadow-4.5/src/usermod.c 2017-07-20 16:54:08.109477127 +0200 @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; 
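Review bot: At `rv = E_SE_UPDATE;` a failed set_seuser() is now non-fatal, but the hunk then goes on to create the home directory (with the copy_tree flag changed to `true`, presumably the reset-SELinux-context argument) and the mail spool, so the account ends up fully provisioned under whatever mapping resolved and only the exit status reports the problem; callers that ignore useradd's status will not notice. A comment would make this contract explicit: `/* Non-fatal: the account, home and mail spool are still created; only the exit status reports the failed mapping. */`. Also, `-#endif /* WITH_SELINUX */` became a bare `+#endif`, which drops the closing-comment marker used on the neighboring `#endif /* WITH_AUDIT */`; keep the comment. The `#ifdef WITH_SELINUX` block and main()'s body start outside the hunk.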
@@ -60,4 +60,4 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c + fail_exit(E_PW_UPDATE); if (pflg) { - spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; + spent->sp_lstchg = (long) gettime () / SCALE; diff --git a/shadow-utils.spec b/shadow-utils.spec index 5d536e6..7b31676 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,40 +1,33 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.3.1 -Release: 3%{?dist} +Version: 4.5 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz -Source1: shadow-utils.login.defs +Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz +Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source2: shadow-utils.useradd +Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch Patch1: shadow-4.1.5.1-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch3: shadow-4.1.5-uflg.patch -Patch6: shadow-4.1.5.1-selinux.patch +Patch6: shadow-4.5-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch -Patch8: shadow-4.1.5.1-backup-mode.patch -Patch9: shadow-4.2.1-merge-group.patch -Patch10: shadow-4.1.5.1-orig-context.patch +Patch10: shadow-4.5-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch -Patch12: shadow-4.1.5.1-errmsg.patch -Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch -Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch Patch22: shadow-4.3.1-audit-update.patch -Patch23: shadow-4.2.1-usermod-unlock.patch +Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch25: shadow-4.3.1-defs-chroot.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch -Patch30: shadow-4.3.1-process-defaults.patch License: BSD and GPLv2+ Group: System Environment/Base 
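Review bot: Source1 now fetches `shadow-%{version}.tar.xz.asc`, but nothing in the visible %prep hunk uses it: the signature is downloaded and then ignored, so the tarball is still only pinned by the checksum in `sources`. A verification step belongs in %prep before the patches are applied, e.g. `%{gpgverify} --keyring='%{SOURCE<keyring-N>}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` where `%{gpgverify}` is available (otherwise an explicit `gpg --verify` against a keyring shipped as an additional Source), with the upstream signing key added as a Source so the check is reproducible offline. The changelog entry `update to current upstream release 4.5` could also name the patches dropped as upstreamed (Patch3, 8, 9, 12, 13, 18, 25, 30) so the intent of the removals is recorded.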
@@ -68,29 +61,21 @@ are used for managing group accounts. %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir -%patch3 -p1 -b .uflg %patch6 -p1 -b .selinux %patch7 -p1 -b .2ndskip -%patch8 -p1 -b .backup-mode -%patch9 -p1 -b .merge-group %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg -%patch12 -p1 -b .errmsg -%patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel -%patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing %patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos -%patch25 -p1 -b .defs-chroot %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm -%patch30 -p1 -b .process-defaults iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -98,9 +83,6 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . %build - -./autogen.sh - %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -110,6 +92,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +autoreconf %configure \ --enable-shadowgrp \ --enable-man \ @@ -126,7 +109,7 @@ make rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default -install -p -c -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs +install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd @@ -249,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 +- update to current upstream release 4.5 + * Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 
diff --git a/sources b/sources index 899422e..a50063e 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -b6b48ef1af4eb088937c8cc47e317009 shadow-4.3.1.tar.gz +SHA512 (shadow-4.5.tar.xz) = e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 +SHA512 (shadow-4.5.tar.xz.asc) = 42739e5e36e0dd1ff8e9d8721f5b4b222113afd91c927b580bc0b587d59dcdecdf938c978405b80f15a70b17f2d0589f8b6277e0e9bd23a5f3c2fc924c9b1e24 From 3a17ec0f47535362c05339090a225e5ddab617e4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 27 Jul 2017 18:30:31 +0000 Subject: [PATCH 131/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 7b31676..d484578 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 - update to current upstream release 4.5 From 46349c33e5aea3baa759cc753cce606c399b0a07 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 3 Aug 2017 08:23:19 +0000 Subject: [PATCH 132/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index d484578..adf57c2 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From 2c7fd6de84388eda729beee620a06f7bd5e32415 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 14 Aug 2017 11:03:28 +0200 Subject: [PATCH 133/151] allow switching to secondary group without checking the membership (patch from upstream) --- shadow-4.1.5.1-newgrp-grouplist.patch | 70 +++++++++++++++++++++++++++ shadow-utils.spec | 8 ++- 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-newgrp-grouplist.patch diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch new file mode 100644 index 0000000..8fcfd97 --- /dev/null +++ b/shadow-4.1.5.1-newgrp-grouplist.patch 
@@ -0,0 +1,70 @@ +diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1/src/newgrp.c.grouplist 2016-06-28 10:23:46.686334213 +0200 ++++ shadow-4.1.5.1/src/newgrp.c 2017-08-14 10:26:58.300757328 +0200 +@@ -382,6 +382,7 @@ int main (int argc, char **argv) + { + bool initflag = false; + int i; ++ bool is_member = false; + bool cflag = false; + int err = 0; + gid_t gid; +@@ -631,22 +632,36 @@ int main (int argc, char **argv) + goto failure; + } + ++#ifdef HAVE_SETGROUPS ++ /* when using pam_group, she will not be listed in the groups ++ * database. However getgroups() will return the group. So ++ * if she is listed there already it is ok to grant membership. ++ */ ++ for (i = 0; i < ngroups; i++) { ++ if (grp->gr_gid == grouplist[i]) { ++ is_member = true; ++ break; ++ } ++ } ++#endif /* HAVE_SETGROUPS */ + /* + * For splitted groups (due to limitations of NIS), check all + * groups of the same GID like the requested group for + * membership of the current user. + */ +- grp = find_matching_group (name, grp); +- if (NULL == grp) { +- /* +- * No matching group found. As we already know that +- * the group exists, this happens only in the case +- * of a requested group where the user is not member. +- * +- * Re-read the group entry for further processing. +- */ +- grp = xgetgrnam (group); +- assert (NULL != grp); ++ if (!is_member) { ++ grp = find_matching_group (name, grp); ++ if (NULL == grp) { ++ /* ++ * No matching group found. As we already know that ++ * the group exists, this happens only in the case ++ * of a requested group where the user is not member. ++ * ++ * Re-read the group entry for further processing. ++ */ ++ grp = xgetgrnam (group); ++ assert (NULL != grp); ++ } + } + #ifdef SHADOWGRP + sgrp = getsgnam (group); +@@ -659,7 +674,9 @@ int main (int argc, char **argv) + /* + * Check if the user is allowed to access this group. 
+ */ +- check_perms (grp, pwd, group); ++ if (!is_member) { ++ check_perms (grp, pwd, group); ++ } + + /* + * all successful validations pass through this point. The group id diff --git a/shadow-utils.spec b/shadow-utils.spec index adf57c2..a8e6b48 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -28,6 +28,7 @@ Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch +Patch30: shadow-4.1.5.1-newgrp-grouplist.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -76,6 +77,7 @@ are used for managing group accounts. %patch24 -p1 -b .no-lock-dos %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm +%patch30 -p1 -b .grouplist iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -232,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 +- allow switching to secondary group without checking the membership + explicitly (patch from upstream) + * Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild From b90f1c39125212300e95934f7c9f932e9fe784d9 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 15 Sep 2017 17:54:22 +0200 Subject: [PATCH 134/151] do not allow "." and ".." user names --- ...oodname.patch => shadow-4.5-goodname.patch | 69 +++++++++++-------- shadow-utils.spec | 7 +- 2 files changed, 47 insertions(+), 29 deletions(-) rename shadow-4.1.5.1-goodname.patch => shadow-4.5-goodname.patch (53%) 
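Review bot: The new `is_member` shortcut makes the process's supplementary-group list authoritative: once `grp->gr_gid` is found in `grouplist`, both `find_matching_group` and `check_perms` are skipped, i.e. neither the group-database membership lookup nor the group-password path is exercised for that GID. That is the intended pam_group behaviour, but the comment only explains why the user may be missing from the database; I would state the consequence at the loop, e.g. `/* A GID already in the supplementary groups is trusted as-is: no group-database membership or group-password check follows. */`. `ngroups` and `grouplist` are filled outside the hunk, presumably from getgroups(); if that call failed and left `ngroups` at zero or negative the loop is a no-op and the old checks still run, which is the safe direction. Builds without HAVE_SETGROUPS keep the previous behaviour; main() starts and ends outside the hunk.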
diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.5-goodname.patch similarity index 53% rename from shadow-4.1.5.1-goodname.patch rename to shadow-4.5-goodname.patch index 15c98a7..72f1492 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c ---- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/chkname.c 2014-09-09 17:35:17.207303124 +0200 -@@ -47,27 +47,42 @@ +diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c +--- shadow-4.5/libmisc/chkname.c.goodname 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/libmisc/chkname.c 2017-09-15 17:06:29.917939977 +0200 +@@ -47,27 +47,46 @@ #include "chkname.h" static bool is_valid_name (const char *name) @@ -18,16 +18,18 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" + * -+ * Also do not allow fully numeric names. ++ * Also do not allow fully numeric names or just "." or "..". + */ + int numeric; + -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { ++ if ('\0' == *name || ++ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || ++ '\0' == name[1])) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.')) { return false; } 
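Review bot: The "." / ".." rejection added to the first-character test is correct, but the nested `('.' == *name && (('.' == name[1] && '\0' == name[2]) || '\0' == name[1]))` is hard to audit next to the character-class test; `strcmp (name, ".") == 0 || strcmp (name, "..") == 0` states the intent directly (chkname.c's includes are not in the hunk, so confirm <string.h> is in scope). Since the check lives in the shared `is_valid_name`, which `is_valid_user_name` below calls into and the group-name validator presumably does too, the change also affects groupadd/groupmod even though the commit title and changelog mention only user names; the changelog entry could say so. The function continues past the end of this hunk.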
@@ -39,13 +41,14 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam - ('_' == *name) || - ('-' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { ++ if (!((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.' || ++ *name == '-' || ++ (*name == '$' && name[1] == '\0') + )) { return false; } + numeric &= isdigit(*name); @@ -56,10 +59,10 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam } bool is_valid_user_name (const char *name) -diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml ---- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/groupadd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -259,12 +259,6 @@ +diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml +--- shadow-4.5/man/groupadd.8.xml.goodname 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/man/groupadd.8.xml 2017-08-14 10:27:24.657391521 +0200 +@@ -256,12 +256,6 @@ CAVEATS 
@@ -72,10 +75,22 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -366,7 +366,7 @@ +diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml +--- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 ++++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 +@@ -347,6 +347,11 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. ++ + + + +@@ -355,7 +360,7 @@ @@ -84,7 +99,7 @@ diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8. wide setting from /etc/login.defs () is set to yes. -@@ -654,12 +654,6 @@ +@@ -633,12 +638,6 @@ diff --git a/shadow-utils.spec b/shadow-utils.spec index a8e6b48..4b030dd 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -11,7 +11,7 @@ Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch -Patch1: shadow-4.1.5.1-goodname.patch +Patch1: shadow-4.5-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch Patch6: shadow-4.5-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch 
@@ -234,6 +234,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 +- do not allow "." and ".." user names + * Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 - allow switching to secondary group without checking the membership explicitly (patch from upstream) From 9659143d385aa40f5b94664f6ea215e66fa9eac3 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 15 Sep 2017 18:00:17 +0200 Subject: [PATCH 135/151] Remove incorrect hunks from the goodname patch. --- shadow-4.5-goodname.patch | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch index 72f1492..bf02257 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -78,28 +78,7 @@ diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml --- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 +++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 -@@ -347,6 +347,11 @@ - is not enabled, no home - directories are created. - -+ -+ The directory where the user's home directory is created must -+ exist and have proper SELinux context and permissions. Otherwise -+ the user's home directory cannot be created or accessed. -+ - - - -@@ -355,7 +360,7 @@ - - - -- Do no create the user's home directory, even if the system -+ Do not create the user's home directory, even if the system - wide setting from /etc/login.defs - () is set to - yes. -@@ -633,12 +638,6 @@ +@@ -633,12 +633,6 @@ From 8633999acfd789cb9e61ba40011761a08729d36c Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Thu, 2 Nov 2017 11:50:59 +0100 Subject: [PATCH 136/151] fix userdel in chroot (#1316168) add useful chage -E example to chage manpage --- shadow-4.3.1-manfix.patch | 14 +++++ shadow-4.5-userdel-chroot.patch | 108 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 9 ++- 3 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 shadow-4.5-userdel-chroot.patch diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch index 2aeb0a8..4ca6054 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -38,6 +38,20 @@ diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml +@@ -119,6 +122,13 @@ + system again. + + ++ For example the following can be used to set an account to expire ++ in 180 days: ++ ++ ++ chage -E $(date -d +180days +%Y-%m-%d) ++ ++ + Passing the number -1 as the + EXPIRE_DATE will remove an account + expiration date. diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 --- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 +++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch new file mode 100644 index 0000000..e5cf287 --- /dev/null +++ b/shadow-4.5-userdel-chroot.patch 
@@ -0,0 +1,108 @@ +diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c +--- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-02 10:19:11.886588281 +0100 ++++ shadow-4.5/lib/selinux.c 2017-11-02 11:38:32.029906306 +0100 +@@ -75,7 +75,7 @@ int set_selinux_file_context (const char + } + return 0; + error: +- if (security_getenforce () != 0) { ++ if (security_getenforce () > 0) { + return 1; + } + return 0; +@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) + selinux_checked = true; + } + if (selinux_enabled) { +- if (setfscreatecon (NULL) != 0) { ++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { + return 1; + } + } +diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c +--- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-02 10:19:11.899588578 +0100 ++++ shadow-4.5/src/userdel.c 2017-11-02 11:16:07.437048450 +0100 +@@ -96,6 +96,7 @@ static char *user_home; + static bool fflg = false; + static bool rflg = false; + static bool Zflg = false; ++static bool Rflg = false; + + static bool is_shadow_pwd; + +@@ -958,6 +959,7 @@ int main (int argc, char **argv) + rflg = true; + break; + case 'R': /* no-op, handled in process_root_flag () */ ++ Rflg = true; + break; + #ifdef WITH_SELINUX + case 'Z': +@@ -1031,9 +1033,11 @@ int main (int argc, char **argv) + * Start with a quick check to see if the user exists. 
+ */ + user_name = argv[argc - 1]; ++ open_files (); ++ + { +- struct passwd *pwd; +- pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ ++ const struct passwd *pwd; ++ pwd = pw_locate (user_name); /* we care only about local users */ + if (NULL == pwd) { + fprintf (stderr, _("%s: user '%s' does not exist\n"), + Prog, user_name); +@@ -1043,7 +1047,7 @@ int main (int argc, char **argv) + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + user_id = pwd->pw_uid; + user_gid = pwd->pw_gid; +@@ -1051,7 +1055,7 @@ int main (int argc, char **argv) + } + #ifdef WITH_TCB + if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif /* WITH_TCB */ + #ifdef USE_NIS +@@ -1071,7 +1075,7 @@ int main (int argc, char **argv) + _("%s: %s is the NIS master\n"), + Prog, nis_master); + } +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif /* USE_NIS */ + /* +@@ -1079,7 +1083,7 @@ int main (int argc, char **argv) + * Note: This is a best effort basis. The user may log in between, + * a cron job may be started on her behalf, etc. + */ +- if (user_busy (user_name, user_id) != 0) { ++ if (!Rflg && user_busy (user_name, user_id) != 0) { + if (!fflg) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +@@ -1087,15 +1091,14 @@ int main (int argc, char **argv) + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +- exit (E_USER_BUSY); ++ fail_exit (E_USER_BUSY); + } + } + + /* +- * Do the hard stuff - open the files, create the user entries, ++ * Do the hard stuff - create the user entries, + * create the home directory, then close and update the files. + */ +- open_files (); + update_user (); + update_groups (); + diff --git a/shadow-utils.spec b/shadow-utils.spec index 4b030dd..32f70ce 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
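Review bot: `security_getenforce () > 0` in set_selinux_file_context's error path and in reset_selinux_file_context now treats a negative return — which libselinux uses when the enforcing mode cannot be queried — the same as permissive, so an inability to read the SELinux state (the chroot case this commit targets) silently makes a failed setfscreatecon non-fatal. That is a deliberate fail-open and should say so at the comparison, e.g. `/* < 0: SELinux state unavailable (e.g. chroot without selinuxfs); treated as permissive */`, ideally with one log line so an operator can tell why labelling was skipped. In userdel.c the new `!Rflg &&` guard switches user_busy() off entirely under -R, presumably because the host's process and utmp data say nothing about the chroot, but the condition carries no comment explaining that trade-off. Both functions continue outside the hunk.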
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -29,6 +29,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch +Patch31: shadow-4.5-userdel-chroot.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -78,6 +79,7 @@ are used for managing group accounts. %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm %patch30 -p1 -b .grouplist +%patch31 -p1 -b .userdel-chroot iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -116,7 +118,6 @@ install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser -#ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 @@ -234,6 +235,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 +- fix userdel in chroot (#1316168) +- add useful chage -E example to chage manpage + * Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 - do not allow "." and ".." user names From 95d0ea68802bd99efcc45e42c992cc483153e22e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 6 Nov 2017 15:31:26 +0100 Subject: [PATCH 137/151] fix regression caused by the userdel-chroot patch (#1509978) --- shadow-4.5-userdel-chroot.patch | 62 +++++++-------------------------- shadow-utils.spec | 5 ++- 2 files changed, 17 insertions(+), 50 deletions(-) 
diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch index e5cf287..37700c3 100644 --- a/shadow-4.5-userdel-chroot.patch +++ b/shadow-4.5-userdel-chroot.patch @@ -1,6 +1,6 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-02 10:19:11.886588281 +0100 -+++ shadow-4.5/lib/selinux.c 2017-11-02 11:38:32.029906306 +0100 +--- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-06 13:40:41.396131526 +0100 ++++ shadow-4.5/lib/selinux.c 2017-11-06 13:40:41.418132035 +0100 @@ -75,7 +75,7 @@ int set_selinux_file_context (const char } return 0; @@ -20,8 +20,8 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c } } diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c ---- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-02 10:19:11.899588578 +0100 -+++ shadow-4.5/src/userdel.c 2017-11-02 11:16:07.437048450 +0100 +--- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-06 13:40:41.410131850 +0100 ++++ shadow-4.5/src/userdel.c 2017-11-06 15:26:56.567954410 +0100 @@ -96,6 +96,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; 
@@ -38,48 +38,30 @@ diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c break; #ifdef WITH_SELINUX case 'Z': -@@ -1031,9 +1033,11 @@ int main (int argc, char **argv) - * Start with a quick check to see if the user exists. +@@ -1032,9 +1034,12 @@ int main (int argc, char **argv) */ user_name = argv[argc - 1]; -+ open_files (); -+ { - struct passwd *pwd; - pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ + const struct passwd *pwd; ++ ++ pw_open(O_RDONLY); + pwd = pw_locate (user_name); /* we care only about local users */ if (NULL == pwd) { ++ pw_close(); fprintf (stderr, _("%s: user '%s' does not exist\n"), Prog, user_name); -@@ -1043,7 +1047,7 @@ int main (int argc, char **argv) - user_name, AUDIT_NO_ID, - SHADOW_AUDIT_FAILURE); - #endif /* WITH_AUDIT */ -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } + #ifdef WITH_AUDIT +@@ -1048,6 +1053,7 @@ int main (int argc, char **argv) user_id = pwd->pw_uid; user_gid = pwd->pw_gid; -@@ -1051,7 +1055,7 @@ int main (int argc, char **argv) + user_home = xstrdup (pwd->pw_dir); ++ pw_close(); } #ifdef WITH_TCB if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } - #endif /* WITH_TCB */ - #ifdef USE_NIS -@@ -1071,7 +1075,7 @@ int main (int argc, char **argv) - _("%s: %s is the NIS master\n"), - Prog, nis_master); - } -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } - #endif /* USE_NIS */ - /* -@@ -1079,7 +1083,7 @@ int main (int argc, char **argv) +@@ -1079,7 +1085,7 @@ int main (int argc, char **argv) * Note: This is a best effort basis. The user may log in between, * a cron job may be started on her behalf, etc. */ 
@@ -88,21 +70,3 @@ diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, -@@ -1087,15 +1091,14 @@ int main (int argc, char **argv) - user_name, AUDIT_NO_ID, - SHADOW_AUDIT_FAILURE); - #endif /* WITH_AUDIT */ -- exit (E_USER_BUSY); -+ fail_exit (E_USER_BUSY); - } - } - - /* -- * Do the hard stuff - open the files, create the user entries, -+ * Do the hard stuff - create the user entries, - * create the home directory, then close and update the files. - */ -- open_files (); - update_user (); - update_groups (); - diff --git a/shadow-utils.spec b/shadow-utils.spec index 32f70ce..feb6499 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -235,6 +235,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 +- fix regression caused by the userdel-chroot patch (#1509978) + * Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 - fix userdel in chroot (#1316168) - add useful chage -E example to chage manpage From a6650f241ccb63c9b4fe23cddb585d536a5bb0cf Mon Sep 17 00:00:00 2001 From: esakaiev Date: Fri, 5 Jan 2018 20:39:59 +0200 Subject: [PATCH 138/151] Adding tests to the new_tests branch --- tests/sanity/Makefile | 77 +++ tests/sanity/PURPOSE | 10 + tests/sanity/runtest.sh | 24 + tests/sanity/sanity_test.py | 1013 +++++++++++++++++++++++++++++++++++ tests/tests.yml | 13 + 5 files changed, 1137 insertions(+) create mode 100644 tests/sanity/Makefile create mode 100644 tests/sanity/PURPOSE create mode 100755 tests/sanity/runtest.sh create mode 100755 tests/sanity/sanity_test.py create mode 100644 tests/tests.yml 
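Review bot: The added `pw_open(O_RDONLY)` has its return value ignored, so if the passwd database under the -R root cannot be opened, `pw_locate` presumably returns NULL and userdel reports `user '%s' does not exist` — a misleading diagnostic that also hides the real I/O error. Check it before locating: `if (pw_open (O_RDONLY) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); exit (E_PW_UPDATE); }`, mirroring how open_files() reports the same failure (confirm the helper and exit code against userdel.c; neither is in the hunk). The `pw_close()` on the not-found path also drops its return value, which is harmless for a read-only open, and a short comment saying so would stop the next reader from "fixing" it. main() continues outside the hunk.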
diff --git a/tests/sanity/Makefile b/tests/sanity/Makefile
new file mode 100644
index 0000000..386221b
--- /dev/null
+++ b/tests/sanity/Makefile
@@ -0,0 +1,77 @@
+# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material
+# is made available to anyone wishing to use, modify, copy, or
+# redistribute it subject to the terms and conditions of the GNU General
+# Public License v.2.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# Author: Jakub Hrozek
+
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
+# Example Makefile for RHTS #
+# This example is geared towards a test for a specific package #
+# It does most of the work for you, but may require further coding #
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
+
+# The toplevel namespace within which the test lives.
+TOPLEVEL_NAMESPACE=CoreOS
+
+# The name of the package under test:
+PACKAGE_NAME=shadow-utils
+
+# The path of the test below the package:
+RELATIVE_PATH=sanity
+
+# Version of the Test. Used with make tag.
+export TESTVERSION=1.1
+
+# The combined namespace of the test.
+export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
+
+# A phony target is one that is not really the name of a file.
+# It is just a name for some commands to be executed when you
+# make an explicit request. There are two reasons to use a
+# phony target: to avoid a conflict with a file of the same
+# name, and to improve performance.
+.PHONY: all install download clean
+
+# Executables to be built should be added here, they will be generated on the system under test.
+BUILT_FILES=
+
+# Data files, .c files, scripts anything needed to either compile the test and/or run it.
+FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x ./sanity_test.py
+ chmod a+x ./runtest.sh
+
+clean:
+ rm -f *~ *.rpm $(BUILT_FILES)
+
+# Include Common Makefile
+include /usr/share/rhts/lib/rhts-make.include
+
+# Generate the testinfo.desc here:
+$(METADATA): Makefile
+ @touch $(METADATA)
+ @echo "Owner: Jakub Hrozek " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "License: GNU GPL" >> $(METADATA)
+ @echo "Description: Basic sanity test for shadow-utils" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA)
+ @echo "Requires: $(PACKAGE_NAME)" >> $(METADATA)
+ @echo "Requires: python" >> $(METADATA)
+ rhts-lint $(METADATA)
+
diff --git a/tests/sanity/PURPOSE b/tests/sanity/PURPOSE
new file mode 100644
index 0000000..27062e1
--- /dev/null
+++ b/tests/sanity/PURPOSE
@@ -0,0 +1,10 @@
+This is a basic sanity test for the shadow-utils package. It is implemented
+in python on top of the unittesting.py module.
+
+Its purpose is to ensure that the binaries in the shadow-utils package behave
+as expected and its switches/options work correctly.
+
+For the most part, every binary in the shadow-utils package is represented by
+a single class named Test, i.e. TestUsermod etc. There are some
+exceptions, like TestUseraddWeirdNameTest though.
+
diff --git a/tests/sanity/runtest.sh b/tests/sanity/runtest.sh
new file mode 100755
index 0000000..cb2a2b5
--- /dev/null
+++ b/tests/sanity/runtest.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlFileBackup --clean /etc/default/useradd- /etc/default/useradd
+setenforce 0
+python sanity_test.py -v
+setenforce 1
+rlFileRestore
+
+EXIT=$?
+if [[ $EXIT -eq 0 ]]; then
+ RESULT="PASS"
+else
+ RESULT="FAIL"
+fi
+
+
+rlJournalEnd
+
+echo "Result: $RESULT"
+echo "Exit: $EXIT"
+report_result $TEST $RESULT $EXIT
diff --git a/tests/sanity/sanity_test.py b/tests/sanity/sanity_test.py
new file mode 100755
index 0000000..e9c45c2
--- /dev/null
+++ b/tests/sanity/sanity_test.py
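Review bot: `EXIT=$?` comes two commands after the test run, so it records the status of `rlFileRestore`, not of `python sanity_test.py -v`, and a failing test suite is still reported as PASS. Capture the status immediately, `python sanity_test.py -v` followed by `EXIT=$?`, and run `setenforce 1` and `rlFileRestore` after that. `setenforce 1` also forces enforcing mode whatever the host was in before; saving `MODE=$(getenforce)` ahead of `setenforce 0` and restoring with `setenforce "$MODE"` (and skipping both calls when SELinux is disabled, where setenforce fails) leaves the machine as found. Neither setenforce call is checked for success, which matters for a test that deliberately lowers the host's enforcement while it runs.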
@@ -0,0 +1,1013 @@ +#!/usr/bin/env python +""" +A script that tests functionality of the shadow-utils package. + +Author: Jakub Hrozek, +License: GNU GPL v2 +Date: 2007 + +TODO: + * tests for password aging + * if something fails, print out the command issued for easier debugging + * test long options variants along with the short ones +""" + +import unittest +import pwd +import grp +import commands +import os +import os.path +import sys +import copy +import tempfile +import rpm +import shutil + +from UserDict import UserDict + +class RedHatVersion(object): + def __init__(self, type=None, version=None, release=None): + self.type = type + self.version = version + self.release = release + self.rhel = False + + def __eq__( self, other): + """ + Don't compare if either of the values is None + so we can do comparisons like 'is it fedora?' or 'is it rhel4?' + """ + ok = (self.type == other.type) + if ok == False: return False + + if self.version and other.version: + ok = (self.version == other.version) + if ok == False: return False + + if (self.release == other.release): + ok = (self.release == other.release) + + return ok + + def __ne__( self, other): + return not self.__eq__(other) + + def __get_fedora_info(self, mi): + return [ (h['version'],h['release']) for h in mi ][0] + + def __get_rhel_info(self, mi): + # The rules for RHEL versions are braindead..releases even more + ver_rpm, rel_rpm = [ (h['version'],h['release']) for h in mi ][0] + rhel_versions = { '3AS' : 3, '4AS' : 4, '5Server' : 5, '5Client' : 5, '6' : 6 } + if ver_rpm[:3] == '5.9' or ver_rpm[:1] == '6': # rhel6 prerelease and release hack + rhel_versions[ver_rpm] = 6 + if ver_rpm in rhel_versions.keys(): + return (rhel_versions[ver_rpm], rel_rpm) + + def is_rhel(self): + return self.rhel + + def get_info(self): + """ + Returns a tuple containing (type, version, release) of RHEL or Fedora. + Type is either RHEL or Fedora. 
+ Returns None if it cannot parse the info + """ + + ts = rpm.TransactionSet() + mi = ts.dbMatch() + mi.pattern('name', rpm.RPMMIRE_GLOB, 'redhat-release*') + + if mi: + self.rhel = True + return ('RHEL',) + self.__get_rhel_info(mi) + else: + mi = ts.dbMatch('name','fedora-release') + self.rhel = False + if mi.count() != 0: + return ('Fedora',) + self.__get_fedora_info(mi) + + return None + + +class UserInfo(UserDict): + fields = { "pw_name" : 0, "pw_passwd" : 1, "pw_uid" : 2, "pw_gid" : 3, + "pw_gecos" : 4, "pw_dir" : 5, "pw_shell" : 6 } + + def __init__(self): + UserDict.__init__(self) + for f in UserInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in UserInfo.fields: + self[f] = struct[UserInfo.fields[f]] + + def get_info_uid(self, uid): + self.__parse_info(pwd.getpwuid(uid)) + + def get_info_name(self, name): + try: + self.__parse_info(pwd.getpwnam(name)) + except KeyError: + return None + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. 
""" + for field in UserInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class GroupInfo(UserDict): + fields = { "gr_name" : 0, "gr_passwd" : 1, + "gr_gid" : 2, "gr_mem" : 3} + + def __init__(self): + UserDict.__init__(self) + for f in GroupInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in GroupInfo.fields: + self[f] = struct[GroupInfo.fields[f]] + + def get_info_gid(self, gid): + self.__parse_info(grp.getgrgid(gid)) + + def get_info_name(self, name): + self.__parse_info(grp.getgrnam(name)) + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. 
""" + for field in GroupInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class LoginDefsParser(UserDict): + "A quick-n-dirty way how to fetch the defaults from /etc/login.defs into a dictionary" + + def __getitem__(self, key): + try: + return UserDict.__getitem__(self, key) + except KeyError: + # if a name-value is not defined in the config file, return defaults + if key == "CREATE_MAIL_SPOOL": + return "yes" + if key == "UMASK": + return "077" + + def __init__(self, path="/etc/login.defs",split=None): + self.path = path + UserDict.__init__(self) + try: + defs = open(path) + except IOError: + print "Could not open the config file %s" % (path) + + for line in defs: + if line.startswith('#'): continue + fields = line.split(split) + if len(fields) != 2: continue # yeah, we're dirty + self.data[fields[0]] = fields[1] + + def serialize(self): + output = open(self.path, "w+") + for k,v in self.data.items(): + output.write("%s=%s" % (k, v)) + + output.write("\n") + output.close() + +class TestUserInfo(unittest.TestCase): + def testLazyCompare(self): + """ (test sanity): Test comparing two UserInfo records """ + a = UserInfo() + a["pw_name"] = "foo" + a["pw_uid"] = 555 + b = copy.deepcopy(a) + c = UserInfo() + + self.assertEqual(a.lazy_compare(b), True) + self.assertEqual(a.lazy_compare(c), True) + + c["pw_name"] = "foo" + c["pw_uid"] = None + self.assertEqual(a.lazy_compare(c), True) + self.assertEqual(c.lazy_compare(a), False) + + c["pw_name"] = "bar" + self.assertNotEqual(a.lazy_compare(c), True) + + def testGetInfoUid(self): + """ (test sanity): Test getting user info based on his UID """ + a = UserInfo() + a.get_info_uid(0) + self.assertEqual(a["pw_name"], "root") + + def testGetInfoName(self): + """ (test sanity): Test getting user info based on his name """ + a = UserInfo() + a.get_info_name("root") + self.assertEqual(a["pw_uid"], 0) + +class ShadowUtilsTestBase: + """ Handy routines """ + def getDefaults(self): + 
# get the default values for so we can compare against that + (status, defaults_str) = commands.getstatusoutput('useradd -D') + if status != 0: + raise RuntimeError("Could not get the default values for useradd") + return dict([ rec.split("=") for rec in defaults_str.split("\n") ]) + + def getDefaultUserInfo(self, username): + expected = UserInfo() + defaults = self.getDefaults() + + expected["pw_name"] = username + expected["pw_dir"] = defaults["HOME"] + "/" + username + expected["pw_shell"] = defaults["SHELL"] + + return expected + +class TestUseradd(ShadowUtilsTestBase, unittest.TestCase): + def setUp(self): + self.username = "test-shadow-utils-useradd" + + def tearDown(self): + commands.getstatusoutput("userdel -r %s" % (self.username)) + + def testBasicAdd(self): + """ useradd: Tests basic adding of a user """ + expected = self.getDefaultUserInfo(self.username) + + runme = "useradd %s" % (self.username) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user\nIssued command: %s" % (runme)) + + def testExistingUser(self): + """ useradd: Test that user with an existing name cannot be added """ + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(commands.getstatusoutput("useradd %s" % (self.username))[0], 0, "FAIL: User that already exists added") + + def testCustomUID(self): + """ useradd: Adding an user with a specific UID """ + UID = 23456 # FIXME - test for a free UID slot first + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + runme = "useradd %s -u %d" % (self.username, UID) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, "Issued command: %s\n" % (runme) + "Got from useradd: %s\n" % (output)) + + created = 
UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific UID\nIssued command: %s" % (runme)) + + def testNegativeUID(self): + """ useradd: Tests that user cannot have a negative UID assigned """ + self.assertNotEqual(commands.getstatusoutput("useradd %s --uid -5" % (self.username))[0], 0, "FAIL: User with UID < 0 added") + + def testCustomExistingUID(self): + """ useradd: Adding a user with a specific existing UID """ + UID = 32112 + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + (status_u, output_u) = commands.getstatusoutput("useradd %s -u %d" % (self.username, UID)) + + # must fail without -o flag + (status_u_no_o, output_u_no_o) = commands.getstatusoutput("useradd foo -u %d" % (UID)) + + # must pass with -o flag + (status_o, output_o) = commands.getstatusoutput("useradd foo -u %d -o" % (UID)) + + # clean up + (status, output) = commands.getstatusoutput("userdel -r foo") + + self.failUnlessEqual(status_u, 0, "FAIL: cannot add an user with a specified UID\n"+output_u) + self.assertEqual(status_o, 0, "FAIL: cannot add an user with an existing UID using the -o flag\n"+output_o) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(status_u_no_o, 0, "FAIL: user with an existing UID added\n"+output_u_no_o) + + def testCustomGID(self): + """ useradd: Adding an user with a specific GID """ + GID = 100 # users group should be everywhere - should we test before? 
+ expected = self.getDefaultUserInfo(self.username) + expected["pw_gid"] = GID + + (status, output) = commands.getstatusoutput("useradd %s -g %d" % (self.username, GID)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific GID") + + def testCustomShell(self): + """ useradd: Adding an user with a specific login shell """ + shell = "/bin/ksh" + expected = self.getDefaultUserInfo(self.username) + expected["pw_shell"] = shell + + (status, output) = commands.getstatusoutput("useradd %s -s %s" % (self.username, shell)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific shell") + + def testCustomHome(self): + """ useradd: Adding an user with a specific home directory """ + home = "/tmp/useradd-test" + os.mkdir(home) + expected = self.getDefaultUserInfo(self.username) + expected["pw_dir"] = home + + (status, output) = commands.getstatusoutput("useradd %s -d %s" % (self.username, home)) + shutil.rmtree(home) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific home") + + def testSystemAccount(self): + """ useradd: Adding a system user (UID < UID_MIN from /etc/login.defs) """ + defaults = LoginDefsParser() + + # system account with no home dir + expected = self.getDefaultUserInfo(self.username) + + (status, output) = commands.getstatusoutput("useradd -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(os.path.exists(created["pw_dir"]), False, "FAIL: System user has a home dir created") + self.assertEqual(created["pw_uid"] 
< defaults['UID_MIN'], True, "FAIL: System user has UID > UID_MIN") + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system user") + + def testAddToMoreGroups(self): + """ useradd: Creating an user that belongs to more than one group """ + (status, output) = commands.getstatusoutput("useradd -G bin %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + gr_bin = GroupInfo() + gr_bin.get_info_name("bin") + self.assertEqual(self.username in gr_bin["gr_mem"], True, "FAIL: User not in supplementary group after usermod -G -a") + + + def testAddWithCommonName(self): + """ useradd: Specifying a comment (user for account name) """ + comment = "zzzzzz" + (status, output) = commands.getstatusoutput("useradd -c %s %s" % (comment, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created["pw_gecos"], comment, "FAIL: failed to create a user with a GECOS comment") + + def testHomePermissions(self): + """ useradd: Check if permissions on newly created home dir match the umask """ + defaults = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + + import stat + perm = os.stat(created["pw_dir"])[stat.ST_MODE] + mode = int(oct(perm & 0777)) + + self.assertEqual(defaults["UMASK"], "077", "FAIL: umask setting is not sane - is %s, should be 077" % (defaults["UMASK"])) + self.assertEqual(int(defaults["UMASK"]) + mode , 777, "FAIL: newly-created home dir does not match the umask") + + def testCreateMailSpool(self): + """ useradd: Check whether the mail spool gets created when told to""" + # set up creating of mail spool + defaults = LoginDefsParser("/etc/default/useradd", split="=") + + create_mail = defaults["CREATE_MAIL_SPOOL"] + defaults["CREATE_MAIL_SPOOL"] = "yes" + defaults.serialize() + + 
login_defs = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # clean up + defaults["CREATE_MAIL_SPOOL"] = create_mail + defaults.serialize() + self.assertEqual(os.path.exists(login_defs["MAIL_DIR"] + "/" + self.username), True, "FAIL: useradd did not create mail spool") + + def testDefaultMailSettings(self): + """ useradd: Check whether the mail spool is on by default""" + defaults = LoginDefsParser("/etc/default/useradd", split="=") + self.assertEqual(defaults["CREATE_MAIL_SPOOL"], "yes\n") + + def testNoLastlog(self): + """ useradd: Check if the -l option prevents from being added to the lastlog """ + pass # FIXME - add some code here + + +class TestUseraddWeirdNameTest(unittest.TestCase, ShadowUtilsTestBase): + """ Tests addition/removal of usernames that have proven to be problematic in the past. + The reason to separate these from the main useradd test suite is to not run the setUp + and tearDown methods """ + + def addAndRemove(self, username, success=True): + expected = self.getDefaultUserInfo(username) + expected["pw_name"] = username + + (status, output) = commands.getstatusoutput("useradd %s" % (username)) + if success: + self.failUnlessEqual(status, 0, output) + else: + self.failIfEqual(status, 0, output) + return True + + created = UserInfo() + created.get_info_name(username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: TestUseraddWeirdName::addAndRemove - could not add a user") + + # the cleanup method won't help this time + (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) + self.failUnlessEqual(status, 0, output) + + def testNumericName(self): + """ useradd: Test if an user with a purely numerical name can be added (123) """ + return self.addAndRemove("123") + + def testSambaName(self): + """ useradd: Test if an user with a name with a dollar at the end can be added (joepublic$ ) """ + return 
self.addAndRemove("joepublic$") + + def testDotInName(self): + """ useradd: Test if an user with a name with a dot in it can be added (joe.public ) """ + return self.addAndRemove("joe.public") + + def testAtInName(self): + """ useradd: Test if an user with an '@' in name can be added (joe@public.com) - should fail """ + return self.addAndRemove("joe@public.com", False) + + def testUppercase(self): + """ useradd: Test if an user with UPPERCASE or Uppercase name can be added """ + return self.addAndRemove("JOEPUBLIC") + return self.addAndRemove("Joepublic") + +class TestUseraddDefaultsChange(unittest.TestCase, ShadowUtilsTestBase): + def testDefaultsChange(self): + """ useradd: Test overriding default settings (shell, home dir, group) with a -D option """ + save = self.getDefaults() + + new_defs = dict() + new_defs["SHELL"] = "/bin/ksh" + new_defs["GROUP"] = "1" + new_defs["HOME"] = "/tmp" + + command = "useradd -D -s%s -g%s -b%s" % (new_defs["SHELL"], new_defs["GROUP"], new_defs["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + overriden = self.getDefaults() + [ self.assertEqual(overriden[k], new_defs[k]) for k in new_defs.keys() ] + + command = "useradd -D -s%s -g%s -b%s" % (save["SHELL"], save["GROUP"], save["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + +class TestUserdel(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.username = "test-shadow-utils-userdel" + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def testRemoveUserGroup(self): + """ userdel: test if userdel removes user's group when he's deleted - regression test for #201379 """ + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # This would fail if we did not have the group removed + (status, output) = 
commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + +class TestUsermod(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.username = "test-shadow-utils-usermod" + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def tearDown(self): + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def testAppendToSupplementaryGroup(self): + """ usermod: Test if a user can be added to a supplementary group """ + add_group = "additional_group" + (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) + self.failUnlessEqual(status, 0, output) + + (status_mod, output_mod) = commands.getstatusoutput("usermod -a -G %s %s" % (add_group, self.username)) + add_group_info = GroupInfo() + add_group_info.get_info_name(add_group) + (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) + + self.failUnlessEqual(status, 0, output) + self.failUnlessEqual(status_mod, 0, output_mod) + self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") + + + def testAppendToSupplementaryGroupLongOption(self): + """ usermod: Test if a user can be added to a supplementary group via --append rather that -a (regression test for 222540) """ + # this is known to not work on older RHELs - test what we are running + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 5: + print "This test makes sense for RHEL5+" + return + else: + if runs[1] < 6: + print "This test makes sense for Fedora 6+" + return + + type, release, version = RedHatVersion().get_info() + if RedHatVersion().is_rhel(): + if release < 5 or (release == 5 and version < 2): + print "This 
test makes sense for RHEL 5.2+" + return + + add_group = "additional_group" + (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) + self.failUnlessEqual(status, 0, output) + + (status_mod, output_mod) = commands.getstatusoutput("usermod --append -G %s %s" % (add_group, self.username)) + add_group_info = GroupInfo() + add_group_info.get_info_name(add_group) + (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) + + self.failUnlessEqual(status, 0, output) + self.failUnlessEqual(status_mod, 0, output_mod) + self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") + + + def testNameChange(self): + """ usermod: Test if the comment field (used as the Common Name) can be changed """ + new_comment = "zzzzzz" + + (status, output) = commands.getstatusoutput("usermod -c %s %s" % (new_comment, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + + self.assertEqual(created["pw_gecos"], new_comment) + + def testHomeChange(self): + """ usermod: Test if user's home directory can be changed """ + new_home = "/tmp" + created = UserInfo() + created.get_info_name(self.username) + old_home = created["pw_dir"] + + (status, output) = commands.getstatusoutput("usermod -d %s %s" % (new_home, self.username)) + self.failUnlessEqual(status, 0, output) + + created.get_info_name(self.username) + self.assertEqual(created["pw_dir"], new_home) + + # revert to old home so we can userdel -r in tearDown + (status, output) = commands.getstatusoutput("usermod -d %s %s" % (old_home, self.username)) + self.failUnlessEqual(status, 0, output) + + # FIXME - test if contents of /home directories are transferred with the -m option + # FIXME - test if new home is created if does not exist before + + def testGIDChange(self): + """ usermod: Test if user's gid can be changed. 
""" + new_group = "root" + # test non-existing group + (status_fail, output_fail) = commands.getstatusoutput("usermod -g no-such-group %s" % (self.username)) + (status, output) = commands.getstatusoutput("usermod -g %s %s" % (new_group, self.username)) + + created = UserInfo() + created.get_info_name(self.username) + + left = GroupInfo() + if left.get_info_name(self.username) == None: + (status_del, output_del) = commands.getstatusoutput("groupdel %s" % (self.username)) + self.failUnlessEqual(status_del, 0, output_del) + + self.failIfEqual(status_fail, 0, output_fail) + self.failUnlessEqual(status, 0, output) + self.assertEqual(created["pw_gid"], 0) #0 is root group + + def testLoginChange(self): + """ usermod: Test if user's login can be changed """ + new_login = "usermod-login-change" + user = UserInfo() + user.get_info_name(self.username) + uid = user["pw_uid"] # UID won't change even when login does + + # test changing to an existing user name + (status, output) = commands.getstatusoutput("usermod -l root %s" % (self.username)) + self.failIfEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("usermod -l %s %s" % (new_login, self.username)) + self.failUnlessEqual(status, 0, output) + user.get_info_name(new_login) + self.assertEqual(user["pw_uid"], uid) + + # revert so we can userdel -r on tearDown + (status, output) = commands.getstatusoutput("usermod -l %s %s" % (self.username, new_login)) + self.failUnlessEqual(status, 0, output) + + def testShellChange(self): + """ usermod: Test if user's shell can be changed """ + new_shell = "/bin/sh" + + (status, output) = commands.getstatusoutput("usermod -s %s %s" % (new_shell, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created["pw_shell"], new_shell) + +class TestGroupadd(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.groupname = "test-shadow-utils-groups" + + def tearDown(self): + 
commands.getstatusoutput("groupdel %s" % (self.groupname)) + + def testAddGroup(self): + """ groupadd: Basic adding of a group """ + + expected = GroupInfo() + expected["gr_name"] = self.groupname + + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a group") + + def testAddSystemGroup(self): + """ groupadd: Adding a system group with gid < MIN_GID """ + + expected = GroupInfo() + expected["gr_name"] = self.groupname + defaults = LoginDefsParser() + + (status, output) = commands.getstatusoutput("groupadd -r %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created["gr_gid"] < defaults["GID_MIN"], True, "FAIL: System group has gid >= GID_MIN") + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system group") + + def testAddExistingGid(self): + """ groupadd: Test if we group with an existing GID can be added """ + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + gname = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + # no -o option -> this should fail + (status, output) = commands.getstatusoutput("groupadd -g%s %s" % (created["gr_gid"], gname)) + self.failIfEqual(status, 0, output) + + # override with -o option, should pass now + (status, output) = commands.getstatusoutput("groupadd -g%s -o %s" % (created["gr_gid"], gname)) + self.failUnlessEqual(status, 0, output) + + # test if the new GID is really the same + same_gid = GroupInfo() + same_gid.get_info_name(gname) + self.assertEqual(same_gid["gr_gid"], created["gr_gid"]) + + # clean up + (status, output) = commands.getstatusoutput("groupdel %s" % (gname)) + 
self.failUnlessEqual(status, 0, output) + + + def testOverrideDefaults(self): + """ groupadd: Test if the defaults can be overriden with the -K option """ + # this is known to not work on older RHELs - test what we are running + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 5: + print "This test makes sense for RHEL5+" + return + else: + if runs[1] < 6: + print "This test makes sense for Fedora 6+" + return + + + GID_MIN = 600 + GID_MAX = 625 + + (status, output) = commands.getstatusoutput("groupadd -K GID_MIN=%d -K GID_MAX=%d %s" % + (GID_MIN, GID_MAX, self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(GID_MIN <= created["gr_gid"] <= GID_MAX, True, "FAIL: created an user with UID of %d" % (created["gr_gid"])) + + + def testFOption(self): + """ groupadd: Tests the -f option of groupadd """ + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("groupadd -f %s" % (self.groupname)) + self.assertEqual(status, 0, output) + +class TestGroupaddInvalidName(unittest.TestCase, ShadowUtilsTestBase): + def testGroupaddInvalidName(self): + """ groupadd: Test adding of a group with an invalid name """ + (status, output) = commands.getstatusoutput("groupadd foo?") + self.assertNotEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffggg") #33 chars + self.assertNotEqual(status, 0, output) + +class TestGroupaddValidName(unittest.TestCase, ShadowUtilsTestBase): + def testGroupaddValidName(self): + """ groupadd: Test adding and removing of groups with maximal valid name and name ending with $ """ + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupadd 
aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars + self.assertEqual(status, 0, output) + + +class TestGroupmod(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.groupname = "test-shadow-utils-groups" + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + def tearDown(self): + commands.getstatusoutput("groupdel %s" % (self.groupname)) + + def testChangeGID(self): + """ groupmod: Test changing a gid of a group """ + expected = GroupInfo() + expected["gr_name"] = self.groupname + expected["gr_gid"] = 54321 + + (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (expected["gr_gid"], self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group") + + def testChangeGIDToExistingValue(self): + """ groupmod: Test changing GID to an existing value """ + second_name = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + expected = GroupInfo() + expected["gr_name"] = self.groupname + expected["gr_gid"] = created["gr_gid"] + + (status, output) = commands.getstatusoutput("groupadd %s" % (second_name)) + self.failUnlessEqual(status, 0, output) + + # try to assingn GID of the first group to the second - this should fail without the -o option + (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (created["gr_gid"], second_name)) + self.failIfEqual(status, 0, output) + + # should pass with the -o option + (status, output) = commands.getstatusoutput("groupmod -g%d -o %s" % (created["gr_gid"], 
second_name)) + self.failUnlessEqual(status, 0, output) + + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group to an existing one") + + # clean up + commands.getstatusoutput("groupdel %s" % (second_name)) + self.failUnlessEqual(status, 0, output) + + def testChangeGroupName(self): + """ groupmod: Test changing a group's name """ + second_name = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (second_name, self.groupname)) + self.failUnlessEqual(status, 0, output) + + changed = GroupInfo() + changed.get_info_gid(created["gr_gid"]) + self.assertEqual(changed["gr_name"], second_name) + self.assertEqual(changed["gr_gid"], created["gr_gid"]) + + # change back, so the group could be deleted by tearDown + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (self.groupname, second_name)) + self.failUnlessEqual(status, 0, output) + + def testChangeGroupNameExisting(self): + """ groupmod: Test changing a group's name to an existing one """ + existing = "bin" + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (existing, self.groupname)) + self.assertNotEqual(status, 0, output) # man groupmod -> 9: group name already in use + + def testChangeNonExistingGroup(self): + """ groupmod: Test properties of a non-existing group """ + nonexistent = "foobar" + (status, output) = commands.getstatusoutput("groupmod -nspameggs %s" % (nonexistent)) + self.assertNotEqual(status, 0, status) # man groupmod -> 6: specified group doesn't exist + +class TestGroupdel(unittest.TestCase, ShadowUtilsTestBase): + def testCorrectGroupdel(self): + """ groupdel: Basic usage of groupdel """ + self.groupname = "test-shadow-utils-groups" + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel %s" 
% (self.groupname)) + self.assertEqual(status, 0, output) + + def testGroupdelNoSuchGroup(self): + """ groupdel: Remove non-existing group """ + (status, output) = commands.getstatusoutput("groupdel foobar") + self.assertNotEqual(status, 0, output) + + def testRemovePrimaryGroup(self): + """ groupdel: Remove a primary group of an user """ + username = "test-groupdel-primary" + (status, output) = commands.getstatusoutput("useradd %s" % (username)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("groupdel %s" % (username)) + self.assertNotEqual(status, 0, output) + + # clean up + (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) + self.failUnlessEqual(status, 0, output) + +class TestPwckGrpck(unittest.TestCase): + def setUp(self): + self.passwd_path = tempfile.mktemp(suffix="test-pwck-passwd") + self.passwd_file = open(self.passwd_path, "w") + self.group_path = tempfile.mktemp(suffix="test-pwck-grp") + self.group_file = open(self.group_path, "w") + self.gshadow_path = tempfile.mktemp(suffix="test-pwck-gshadow") + self.gshadow_file = open(self.gshadow_path, "w") + + def tearDown(self): + self.passwd_file.close() + self.group_file.close() + self.gshadow_file.close() + + os.remove(self.passwd_path) + os.remove(self.group_path) + os.remove(self.gshadow_path) + + def runPwckCheck(self, passwd, group): + self.passwd_file.truncate() + self.group_file.truncate() + + self.passwd_file.write(passwd) + self.passwd_file.flush() + self.group_file.write(group) + self.group_file.flush() + + command = "pwck -r %s %s" % (self.passwd_path, self.group_path) + return commands.getstatusoutput(command) + + def runGrpCheck(self, group, gshadow): + self.group_file.truncate() + self.gshadow_file.truncate() + + self.gshadow_file.write(gshadow) + self.gshadow_file.flush() + + self.group_file.write(group) + self.group_file.flush() + + command = "grpck -r %s %s" % (self.group_path, self.gshadow_path) + return 
commands.getstatusoutput(command) + + + def testValidEntries(self): + """ pwck: a valid entry """ + status, output = self.runPwckCheck("foo:x:685:0::/dev/null:/bin/bash", "") + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 6: + self.assertEqual(status, 0, output) + else: + self.assertNotEqual(status, 0, output) + + def testNumberOfFields(self): + """ pwck: invalid number of fields in the record """ + not_enough = "foo:x:685:685::/dev/null" + too_many = "foo:x:685:685::/dev/null:/bin/bash:comment" + status, output = self.runPwckCheck(not_enough, "") + self.assertNotEqual(status, 0, output) + + status, output = self.runPwckCheck(too_many, "") + self.assertNotEqual(status, 0, output) + + def testUniqueUserName(self): + """ pwck: unique user name in the record """ + duplicate_username = "foo:x:685:685::/dev/null:/bin/bash\nfoo:x:686:686::/dev/null:/bin/bash" + status, output = self.runPwckCheck(duplicate_username, "") + self.assertNotEqual(status, 0, output) + + def testValidID(self): + """ pwck: invalid UID in the records """ + invalid_ids = [ "foo:x:-1:685::/dev/null:/bin/bash", "foo:x:blah:685::/dev/null:/bin/bash", "foo:x:1234567890:685::/dev/null:/bin/bash" ] + for record in invalid_ids: + status, output = self.runPwckCheck(record, "") + self.assertNotEqual(status, 0, record) + + + def testValidPrimaryGroup(self): + """ pwck: invalid primary group """ + invalid_groups = [ "foo:x:685:-1::/dev/null:/bin/bash", "foo:x:685:blah::/dev/null:/bin/bash", "foo:x:685:1234567890::/dev/null:/bin/bash" ] + for record in invalid_groups: + status, output = self.runPwckCheck("", record) + self.assertNotEqual(status, 0, output) + + def testValidHomeDir(self): + """ pwck: invalid home dir """ + for record in [ "foo:x:685:685::123:/bin/bash", "foo:x:685:685::/path/to/nowhere:/bin/bash", "foo:x:685:1234567890::!:/bin/bash" ]: + status, output = self.runPwckCheck(record, "") + self.assertNotEqual(status, 0, output) + + def testBZ164954(self): + """ 
grpck: regression test for BZ164954 """ + record = "root:x:0:root\nbin:x:1:root,bin,daemon\ndaemon:x:2:root,bin,daemon\nsys:x:3:root,bin,adm\nadm:x:4:root,adm,daemon" + status, output = self.runGrpCheck("", record) + self.assertNotEqual(status, 0, output) + +if __name__ == "__main__": + broken_on_rhel4 = { "TestUseradd" : [ "testCustomUID", "testCustomGID" ] } + + if os.getuid() != 0: + print "This test must be run as root" + sys.exit(1) + + unittest.main() + diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..09f4769 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,13 @@ +--- +# This first play always runs on the local staging system +- hosts: localhost + roles: + - role: standard-test-beakerlib + tags: + - classic + - atomic + tests: + - sanity + required_packages: + - shadow-utils # sanity test needs shadow-utils + - python # sanity test needs python From 2d4f6e1972db0c808301bf6ce628e46bfbb13008 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 20 Jan 2018 23:08:33 +0100 Subject: [PATCH 139/151] Rebuilt for switch to libxcrypt --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index feb6499..25ccdb1 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -235,6 +235,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sat Jan 20 2018 Björn Esser - 2:4.5-8 +- Rebuilt for switch to libxcrypt + * Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 - fix regression caused by the userdel-chroot patch (#1509978) From 41955fa9abba5665b7e3d4668c750dc899e63de0 Mon Sep 17 00:00:00 2001 
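Review bot: The `required_packages` entry `- python` in the new tests.yml is ambiguous about the interpreter version, while the sanity test it provisions is Python 2 only (it uses `print "..."` statements and the `commands` module, both absent from Python 3); on a distribution where `python` resolves to Python 3 the play would install the wrong interpreter and the test would fail at parse time. Name the interpreter explicitly, e.g. `- python2 # sanity test is Python 2 (commands module, print statements)`, adjusting the package name to whatever the target distribution ships. It would also help to state in the play's comment that the sanity test must run as root and creates and deletes real accounts and groups on the host, so the play belongs only on a disposable staging system.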
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Tue, 6 Feb 2018 11:33:37 +0100 Subject: [PATCH 140/151] Add patch to include crypt.h, if present Use %%make_{build,install} macros Refresh other patches for proper alignment --- shadow-4.1.5-2ndskip.patch | 14 ++- shadow-4.1.5-redhat.patch | 16 +-- shadow-4.1.5.1-default-range.patch | 7 +- shadow-4.1.5.1-info-parent-dir.patch | 9 +- shadow-4.1.5.1-ingroup.patch | 9 +- shadow-4.1.5.1-logmsg.patch | 9 +- shadow-4.1.5.1-move-home.patch | 9 +- shadow-4.1.5.1-newgrp-grouplist.patch | 13 ++- shadow-4.1.5.1-userdel-helpfix.patch | 9 +- shadow-4.2.1-date-parsing.patch | 7 +- shadow-4.2.1-no-lock-dos.patch | 7 +- shadow-4.2.1-null-tm.patch | 35 +++--- shadow-4.3.1-audit-update.patch | 153 ++++++++++++++------------ shadow-4.3.1-manfix.patch | 51 +++++---- shadow-4.3.1-selinux-perms.patch | 21 ++-- shadow-4.5-crypt_h.patch | 41 +++++++ shadow-4.5-goodname.patch | 21 ++-- shadow-4.5-orig-context.patch | 35 +++--- shadow-4.5-selinux.patch | 14 ++- shadow-4.5-userdel-chroot.patch | 14 ++- shadow-4.5-usermod-unlock.patch | 7 +- shadow-utils.spec | 13 ++- 22 files changed, 307 insertions(+), 207 deletions(-) create mode 100644 shadow-4.5-crypt_h.patch diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch index 8a9cf68..5a8e444 100644 --- a/shadow-4.1.5-2ndskip.patch +++ b/shadow-4.1.5-2ndskip.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c ---- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200 -+++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200 +Index: shadow-4.5/src/grpconv.c +=================================================================== +--- shadow-4.5.orig/src/grpconv.c ++++ shadow-4.5/src/grpconv.c @@ -143,6 +143,7 @@ int main (int argc, char **argv) struct group grent; const struct sgrp *sg; 
@@ -48,9 +49,10 @@ diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c } /* -diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c ---- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200 -+++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200 +Index: shadow-4.5/src/pwconv.c +=================================================================== +--- shadow-4.5.orig/src/pwconv.c ++++ shadow-4.5/src/pwconv.c @@ -173,6 +173,7 @@ int main (int argc, char **argv) struct passwd pwent; const struct spwd *sp; diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.1.5-redhat.patch index a785b29..ef26cbd 100644 --- a/shadow-4.1.5-redhat.patch +++ b/shadow-4.1.5-redhat.patch @@ -1,8 +1,8 @@ -diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8 -diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c ---- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100 -+++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100 -@@ -93,7 +93,7 @@ const char *Prog; +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -98,7 +98,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; static const char *def_home = "/home"; @@ -11,7 +11,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static const char *def_template = SKEL_DIR; static const char *def_create_mail_spool = "no"; -@@ -103,7 +103,7 @@ static const char *def_expire = ""; +@@ -108,7 +108,7 @@ static const char *def_expire = ""; #define VALID(s) (strcspn (s, ":\n") == strlen (s)) static const char *user_name = ""; 
@@ -20,7 +20,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha +@@ -1059,9 +1059,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX @@ -32,7 +32,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha +@@ -1212,6 +1212,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch index 45c677a..2a9d640 100644 --- a/shadow-4.1.5.1-default-range.patch +++ b/shadow-4.1.5.1-default-range.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200 +Index: shadow-4.5/lib/semanage.c +=================================================================== +--- shadow-4.5.orig/lib/semanage.c ++++ shadow-4.5/lib/semanage.c @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h goto done; } diff --git a/shadow-4.1.5.1-info-parent-dir.patch b/shadow-4.1.5.1-info-parent-dir.patch index b05e5bb..b3a525b 100644 --- a/shadow-4.1.5.1-info-parent-dir.patch +++ b/shadow-4.1.5.1-info-parent-dir.patch 
@@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml ---- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 -@@ -216,7 +216,15 @@ +Index: shadow-4.5/man/newusers.8.xml +=================================================================== +--- shadow-4.5.orig/man/newusers.8.xml ++++ shadow-4.5/man/newusers.8.xml +@@ -218,7 +218,15 @@ If this field does not specify an existing directory, the specified directory is created, with ownership set to the diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch index e440431..1c30198 100644 --- a/shadow-4.1.5.1-ingroup.patch +++ b/shadow-4.1.5.1-ingroup.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.ingroup 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2014-08-29 14:04:57.183849650 +0200 +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c @@ -83,15 +83,29 @@ static void usage (void) } } @@ -52,7 +53,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c } endgrent (); return gr; -@@ -616,7 +624,7 @@ int main (int argc, char **argv) +@@ -630,7 +638,7 @@ int main (int argc, char **argv) * groups of the same GID like the requested group for * membership of the current user. */ diff --git a/shadow-4.1.5.1-logmsg.patch b/shadow-4.1.5.1-logmsg.patch index 7d5cbc8..ca7e57b 100644 --- a/shadow-4.1.5.1-logmsg.patch +++ b/shadow-4.1.5.1-logmsg.patch 
@@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 -@@ -275,7 +275,7 @@ static void fail_exit (int code) +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -323,7 +323,7 @@ static void fail_exit (int code) user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch index c87e232..f1790e2 100644 --- a/shadow-4.1.5.1-move-home.patch +++ b/shadow-4.1.5.1-move-home.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 -@@ -1571,6 +1571,11 @@ static void move_home (void) +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c +@@ -1814,6 +1814,11 @@ static void move_home (void) Prog, user_home, user_newhome); fail_exit (E_HOMEDIR); } diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch index 8fcfd97..47eb6f6 100644 --- a/shadow-4.1.5.1-newgrp-grouplist.patch +++ b/shadow-4.1.5.1-newgrp-grouplist.patch 
@@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.grouplist 2016-06-28 10:23:46.686334213 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2017-08-14 10:26:58.300757328 +0200 -@@ -382,6 +382,7 @@ int main (int argc, char **argv) +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c +@@ -396,6 +396,7 @@ int main (int argc, char **argv) { bool initflag = false; int i; @@ -9,7 +10,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c bool cflag = false; int err = 0; gid_t gid; -@@ -631,22 +632,36 @@ int main (int argc, char **argv) +@@ -645,22 +646,36 @@ int main (int argc, char **argv) goto failure; } @@ -57,7 +58,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c } #ifdef SHADOWGRP sgrp = getsgnam (group); -@@ -659,7 +674,9 @@ int main (int argc, char **argv) +@@ -673,7 +688,9 @@ int main (int argc, char **argv) /* * Check if the user is allowed to access this group. */ diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch index b79baee..075f482 100644 --- a/shadow-4.1.5.1-userdel-helpfix.patch +++ b/shadow-4.1.5.1-userdel-helpfix.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c ---- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 -+++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 -@@ -130,8 +130,9 @@ static void usage (int status) +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c +@@ -143,8 +143,9 @@ static void usage (int status) "\n" "Options:\n"), Prog); diff --git a/shadow-4.2.1-date-parsing.patch b/shadow-4.2.1-date-parsing.patch index 91a85ac..2a798d0 100644 
--- a/shadow-4.2.1-date-parsing.patch +++ b/shadow-4.2.1-date-parsing.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y ---- shadow-4.2.1/libmisc/getdate.y.date-parsing 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/getdate.y 2014-11-26 14:58:21.208153924 +0100 +Index: shadow-4.5/libmisc/getdate.y +=================================================================== +--- shadow-4.5.orig/libmisc/getdate.y ++++ shadow-4.5/libmisc/getdate.y @@ -152,6 +152,7 @@ static int yyHaveDay; static int yyHaveRel; static int yyHaveTime; diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch index 58fd605..c6873e9 100644 --- a/shadow-4.2.1-no-lock-dos.patch +++ b/shadow-4.2.1-no-lock-dos.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c ---- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200 -+++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200 +Index: shadow-4.5/lib/commonio.c +=================================================================== +--- shadow-4.5.orig/lib/commonio.c ++++ shadow-4.5/lib/commonio.c @@ -140,7 +140,10 @@ static int do_lock_file (const char *fil int retval; char buf[32]; diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch index 15b7720..b1dd1c4 100644 --- a/shadow-4.2.1-null-tm.patch +++ b/shadow-4.2.1-null-tm.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c ---- shadow-4.2.1/src/faillog.c.null-tm 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/faillog.c 2016-06-14 11:30:00.066890251 +0200 +Index: shadow-4.5/src/faillog.c +=================================================================== +--- shadow-4.5.orig/src/faillog.c ++++ shadow-4.5/src/faillog.c @@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s } 
@@ -18,9 +19,10 @@ diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c printf ("%-9s %5d %5d ", pw->pw_name, fl.fail_cnt, fl.fail_max); /* FIXME: cp is not defined ifndef HAVE_STRFTIME */ -diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c ---- shadow-4.2.1/src/chage.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/chage.c 2016-06-14 11:18:25.299366908 +0200 +Index: shadow-4.5/src/chage.c +=================================================================== +--- shadow-4.5.orig/src/chage.c ++++ shadow-4.5/src/chage.c @@ -168,6 +168,10 @@ static void date_to_str (char *buf, size struct tm *tp; @@ -32,9 +34,10 @@ diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c #ifdef HAVE_STRFTIME (void) strftime (buf, maxsize, "%Y-%m-%d", tp); #else -diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c ---- shadow-4.2.1/src/lastlog.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/lastlog.c 2016-06-14 11:29:39.210423264 +0200 +Index: shadow-4.5/src/lastlog.c +=================================================================== +--- shadow-4.5.orig/src/lastlog.c ++++ shadow-4.5/src/lastlog.c @@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s ll_time = ll.ll_time; @@ -57,9 +60,10 @@ diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c if (ll.ll_time == (time_t) 0) { cp = _("**Never logged in**\0"); -diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c ---- shadow-4.2.1/src/passwd.c.null-tm 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/passwd.c 2016-06-14 11:23:21.028969028 +0200 +Index: shadow-4.5/src/passwd.c +=================================================================== +--- shadow-4.5.orig/src/passwd.c ++++ shadow-4.5/src/passwd.c @@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to struct tm *tm; 
@@ -70,9 +74,10 @@ diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c #ifdef HAVE_STRFTIME (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); #else /* !HAVE_STRFTIME */ -diff -up shadow-4.2.1/src/usermod.c.null-tm shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/usermod.c 2016-06-14 11:24:50.974977059 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ } else { time_t t = (time_t) date; diff --git a/shadow-4.3.1-audit-update.patch b/shadow-4.3.1-audit-update.patch index e708f75..8c72cf3 100644 --- a/shadow-4.3.1-audit-update.patch +++ b/shadow-4.3.1-audit-update.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/audit_help.c ---- shadow-4.3.1/libmisc/audit_help.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/audit_help.c 2016-08-22 17:21:15.442291139 +0200 +Index: shadow-4.5/libmisc/audit_help.c +=================================================================== +--- shadow-4.5.orig/libmisc/audit_help.c ++++ shadow-4.5/libmisc/audit_help.c @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: 
@@ -50,9 +51,10 @@ diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/aud void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/cleanup_group.c ---- shadow-4.3.1/libmisc/cleanup_group.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/cleanup_group.c 2016-08-22 17:21:15.443291142 +0200 +Index: shadow-4.5/libmisc/cleanup_group.c +=================================================================== +--- shadow-4.5.orig/libmisc/cleanup_group.c ++++ shadow-4.5/libmisc/cleanup_group.c @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -131,9 +133,10 @@ diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/ SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/cleanup_user.c ---- shadow-4.3.1/libmisc/cleanup_user.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/cleanup_user.c 2016-08-22 17:21:15.443291142 +0200 +Index: shadow-4.5/libmisc/cleanup_user.c +=================================================================== +--- shadow-4.5.orig/libmisc/cleanup_user.c ++++ shadow-4.5/libmisc/cleanup_user.c @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); 
@@ -181,10 +184,11 @@ diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/c SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes.h ---- shadow-4.3.1/lib/prototypes.h.audit-update 2016-08-22 17:21:15.406291044 +0200 -+++ shadow-4.3.1/lib/prototypes.h 2016-08-22 17:21:15.443291142 +0200 -@@ -208,12 +208,21 @@ extern int audit_fd; +Index: shadow-4.5/lib/prototypes.h +=================================================================== +--- shadow-4.5.orig/lib/prototypes.h ++++ shadow-4.5/lib/prototypes.h +@@ -211,12 +211,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ #define AUDIT_NO_ID ((unsigned int) -1) @@ -206,9 +210,10 @@ diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes. void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c ---- shadow-4.3.1/src/gpasswd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/gpasswd.c 2016-08-22 17:21:15.444291144 +0200 +Index: shadow-4.5/src/gpasswd.c +=================================================================== +--- shadow-4.5.orig/src/gpasswd.c ++++ shadow-4.5/src/gpasswd.c @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); 
@@ -472,9 +477,10 @@ diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c ---- shadow-4.3.1/src/groupadd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupadd.c 2016-08-22 17:21:15.444291144 +0200 +Index: shadow-4.5/src/groupadd.c +=================================================================== +--- shadow-4.5.orig/src/groupadd.c ++++ shadow-4.5/src/groupadd.c @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -650,9 +656,10 @@ diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c } } -diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c ---- shadow-4.3.1/src/groupdel.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupdel.c 2016-08-22 17:21:15.445291147 +0200 +Index: shadow-4.5/src/groupdel.c +=================================================================== +--- shadow-4.5.orig/src/groupdel.c ++++ shadow-4.5/src/groupdel.c @@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -822,9 +829,10 @@ diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c } #endif -diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c ---- shadow-4.3.1/src/groupmod.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupmod.c 2016-08-22 17:21:15.445291147 +0200 +Index: shadow-4.5/src/groupmod.c +=================================================================== +--- shadow-4.5.orig/src/groupmod.c ++++ shadow-4.5/src/groupmod.c @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } 
@@ -1018,9 +1026,10 @@ diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c ---- shadow-4.3.1/src/chage.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chage.c 2016-08-22 17:21:15.446291149 +0200 +Index: shadow-4.5/src/chage.c +=================================================================== +--- shadow-4.5.orig/src/chage.c ++++ shadow-4.5/src/chage.c @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1108,9 +1117,10 @@ diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c ---- shadow-4.3.1/src/newgrp.c.audit-update 2016-08-22 17:21:15.439291131 +0200 -+++ shadow-4.3.1/src/newgrp.c 2016-08-22 17:21:15.446291149 +0200 +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1315,10 +1325,11 @@ diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.audit-update 2016-08-22 17:21:15.410291055 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-22 17:21:15.447291152 +0200 -@@ -222,6 +222,8 @@ static void create_mail (void); +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -225,6 +225,8 @@ static void create_mail (void); */ static void fail_exit (int code) { 
@@ -1327,7 +1338,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c if (home_added) { if (rmdir (user_home) != 0) { fprintf (stderr, -@@ -235,12 +237,6 @@ static void fail_exit (int code) +@@ -238,12 +240,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1340,7 +1351,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -248,12 +244,6 @@ static void fail_exit (int code) +@@ -251,12 +247,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1353,7 +1364,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -261,12 +251,6 @@ static void fail_exit (int code) +@@ -264,12 +254,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1366,7 +1377,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -275,12 +259,6 @@ static void fail_exit (int code) +@@ -278,12 +262,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1379,7 +1390,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -290,12 +268,6 @@ static void fail_exit (int code) +@@ -293,12 +271,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); 
@@ -1392,7 +1403,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -303,20 +275,19 @@ static void fail_exit (int code) +@@ -306,20 +278,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1420,7 +1431,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -623,7 +594,7 @@ static int set_defaults (void) +@@ -626,7 +597,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1429,7 +1440,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -893,12 +864,6 @@ static void grp_update (void) +@@ -896,12 +867,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1442,7 +1453,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -912,18 +877,12 @@ static void grp_update (void) +@@ -915,18 +880,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1464,7 +1475,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -968,12 +927,6 @@ static void grp_update (void) +@@ -971,12 +930,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); 
@@ -1477,7 +1488,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -987,18 +940,13 @@ static void grp_update (void) +@@ -990,18 +943,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1500,7 +1511,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1341,7 +1289,7 @@ static void process_flags (int argc, cha +@@ -1344,7 +1292,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1509,7 +1520,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1444,7 +1392,7 @@ static void close_files (void) +@@ -1447,7 +1395,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1518,7 +1529,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1457,7 +1405,7 @@ static void close_files (void) +@@ -1460,7 +1408,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1527,7 +1538,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1469,7 +1417,7 @@ static void close_files (void) +@@ -1472,7 +1420,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1536,7 +1547,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1483,7 +1431,7 @@ static void close_files (void) +@@ -1486,7 +1434,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1545,7 +1556,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1499,7 +1447,7 @@ static void close_files (void) +@@ -1502,7 +1450,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1554,7 +1565,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1513,7 +1461,7 @@ static void close_files (void) +@@ -1516,7 +1464,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1563,7 +1574,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1705,7 +1653,7 @@ static void grp_add (void) +@@ -1708,7 +1656,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1572,7 +1583,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1721,7 +1669,7 @@ static void grp_add (void) +@@ -1724,7 +1672,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, 
@@ -1581,7 +1592,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1731,7 +1679,7 @@ static void grp_add (void) +@@ -1734,7 +1682,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1590,7 +1601,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1846,12 +1794,6 @@ static void usr_update (void) +@@ -1895,12 +1843,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1603,7 +1614,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1873,7 +1815,7 @@ static void usr_update (void) +@@ -1922,7 +1864,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1612,7 +1623,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1908,12 +1850,6 @@ static void create_home (void) +@@ -1957,12 +1899,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), Prog, user_home); @@ -1625,7 +1636,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_HOMEDIR); } chown (user_home, user_id, user_gid); -@@ -1921,8 +1857,8 @@ static void create_home (void) +@@ -1970,8 +1906,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT 
@@ -1636,7 +1647,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2100,12 +2036,6 @@ int main (int argc, char **argv) +@@ -2151,12 +2087,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); @@ -1649,7 +1660,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2121,12 +2051,6 @@ int main (int argc, char **argv) +@@ -2172,12 +2102,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1673,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2156,12 +2080,6 @@ int main (int argc, char **argv) +@@ -2207,12 +2131,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1675,7 +1686,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2225,9 +2143,10 @@ int main (int argc, char **argv) +@@ -2285,9 +2203,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT 
@@ -1689,9 +1700,10 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c ---- shadow-4.3.1/src/userdel.c.audit-update 2016-08-22 17:21:15.418291076 +0200 -+++ shadow-4.3.1/src/userdel.c 2016-08-22 17:21:15.447291152 +0200 +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c @@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ @@ -2019,9 +2031,10 @@ diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.3.1/src/usermod.c.audit-update shadow-4.3.1/src/usermod.c ---- shadow-4.3.1/src/usermod.c.audit-update 2016-08-22 17:21:15.441291136 +0200 -+++ shadow-4.3.1/src/usermod.c 2016-08-22 17:21:15.448291155 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch index 4ca6054..cc62a86 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xml ---- shadow-4.3.1/man/groupmems.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/groupmems.8.xml 2016-08-22 17:08:48.486332066 +0200 +Index: shadow-4.5/man/groupmems.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupmems.8.xml ++++ shadow-4.5/man/groupmems.8.xml @@ -179,20 +179,10 @@ SETUP 
@@ -25,9 +26,10 @@ diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xm -diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml ---- shadow-4.3.1/man/chage.1.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/chage.1.xml 2016-08-22 17:08:48.486332066 +0200 +Index: shadow-4.5/man/chage.1.xml +=================================================================== +--- shadow-4.5.orig/man/chage.1.xml ++++ shadow-4.5/man/chage.1.xml @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -52,10 +54,11 @@ diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml Passing the number -1 as the EXPIRE_DATE will remove an account expiration date. -diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 ---- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 -@@ -147,10 +147,6 @@ 以下の参照表は、 +Index: shadow-4.5/man/ja/man5/login.defs.5 +=================================================================== +--- shadow-4.5.orig/man/ja/man5/login.defs.5 ++++ shadow-4.5/man/ja/man5/login.defs.5 +@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 .na @@ -66,9 +69,10 @@ diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/l .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5.xml ---- shadow-4.3.1/man/login.defs.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/login.defs.5.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/login.defs.5.xml +=================================================================== +--- shadow-4.5.orig/man/login.defs.5.xml ++++ shadow-4.5/man/login.defs.5.xml 
@@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -205,9 +209,10 @@ diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5. useradd -diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml ---- shadow-4.3.1/man/shadow.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/shadow.5.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/shadow.5.xml +=================================================================== +--- shadow-4.5.orig/man/shadow.5.xml ++++ shadow-4.5/man/shadow.5.xml @@ -208,8 +208,8 @@ @@ -219,9 +224,10 @@ diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml An empty field means that there are no enforcement of an -diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml ---- shadow-4.3.1/man/useradd.8.xml.manfix 2016-08-22 17:08:48.446331961 +0200 -+++ shadow-4.3.1/man/useradd.8.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml @@ -347,6 +347,11 @@ is not enabled, no home directories are created. @@ -234,9 +240,10 @@ diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml -diff -up shadow-4.3.1/man/usermod.8.xml.manfix shadow-4.3.1/man/usermod.8.xml ---- shadow-4.3.1/man/usermod.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/usermod.8.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/usermod.8.xml +=================================================================== +--- shadow-4.5.orig/man/usermod.8.xml ++++ shadow-4.5/man/usermod.8.xml @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.3.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch index 9469a7e..8550150 100644 --- a/shadow-4.3.1-selinux-perms.patch 
+++ b/shadow-4.3.1-selinux-perms.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c ---- shadow-4.3.1/src/chgpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chgpasswd.c 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/chgpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chgpasswd.c ++++ shadow-4.5/src/chgpasswd.c @@ -39,6 +39,13 @@ #include #include @@ -147,9 +148,10 @@ diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c /* * The updated group file entry is then put back and will * be written to the group file later, after all the -diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c ---- shadow-4.3.1/src/chpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chpasswd.c 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/chpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chpasswd.c ++++ shadow-4.5/src/chpasswd.c @@ -39,6 +39,13 @@ #include #include @@ -257,9 +259,10 @@ diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c /* * The updated password file entry is then put back and will * be written to the password file later, after all the -diff -up shadow-4.3.1/src/Makefile.am.selinux-perms shadow-4.3.1/src/Makefile.am ---- shadow-4.3.1/src/Makefile.am.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/Makefile.am 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/Makefile.am +=================================================================== +--- shadow-4.5.orig/src/Makefile.am ++++ shadow-4.5/src/Makefile.am @@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) 
diff --git a/shadow-4.5-crypt_h.patch b/shadow-4.5-crypt_h.patch new file mode 100644 index 0000000..c8d19e4 --- /dev/null +++ b/shadow-4.5-crypt_h.patch @@ -0,0 +1,41 @@ +Index: shadow-4.5/configure.ac +=================================================================== +--- shadow-4.5.orig/configure.ac ++++ shadow-4.5/configure.ac +@@ -32,9 +32,9 @@ AC_HEADER_STDC + AC_HEADER_SYS_WAIT + AC_HEADER_STDBOOL + +-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \ +- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \ +- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ ++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \ ++ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \ ++ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ + locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \ + attr/error_context.h) + +Index: shadow-4.5/lib/defines.h +=================================================================== +--- shadow-4.5.orig/lib/defines.h ++++ shadow-4.5/lib/defines.h +@@ -4,6 +4,8 @@ + #ifndef _DEFINES_H_ + #define _DEFINES_H_ + ++#include "config.h" ++ + #if HAVE_STDBOOL_H + # include + #else +@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok () + # include + #endif + ++#if HAVE_CRYPT_H ++# include /* crypt(3) may be defined in here */ ++#endif ++ + #if TIME_WITH_SYS_TIME + # include + # include diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch index bf02257..215f658 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c ---- shadow-4.5/libmisc/chkname.c.goodname 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/libmisc/chkname.c 2017-09-15 17:06:29.917939977 +0200 +Index: shadow-4.5/libmisc/chkname.c +=================================================================== +--- shadow-4.5.orig/libmisc/chkname.c ++++ shadow-4.5/libmisc/chkname.c 
@@ -47,27 +47,46 @@ #include "chkname.h" @@ -59,9 +60,10 @@ diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c } bool is_valid_user_name (const char *name) -diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml ---- shadow-4.5/man/groupadd.8.xml.goodname 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/man/groupadd.8.xml 2017-08-14 10:27:24.657391521 +0200 +Index: shadow-4.5/man/groupadd.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupadd.8.xml ++++ shadow-4.5/man/groupadd.8.xml @@ -256,12 +256,6 @@ CAVEATS @@ -75,9 +77,10 @@ diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml ---- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 -+++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml @@ -633,12 +633,6 @@ diff --git a/shadow-4.5-orig-context.patch b/shadow-4.5-orig-context.patch index c935658..a1c2235 100644 --- a/shadow-4.5-orig-context.patch +++ b/shadow-4.5-orig-context.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c ---- shadow-4.5/lib/commonio.c.orig-context 2017-05-17 21:19:44.000000000 +0200 -+++ shadow-4.5/lib/commonio.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/commonio.c +=================================================================== +--- shadow-4.5.orig/lib/commonio.c ++++ shadow-4.5/lib/commonio.c @@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); 
@@ -19,9 +20,10 @@ diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c errors++; } #endif -diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c ---- shadow-4.5/libmisc/copydir.c.orig-context 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/libmisc/copydir.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/libmisc/copydir.c +=================================================================== +--- shadow-4.5.orig/libmisc/copydir.c ++++ shadow-4.5/libmisc/copydir.c @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ @@ -58,9 +60,10 @@ diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h ---- shadow-4.5/lib/prototypes.h.orig-context 2017-05-17 21:19:44.000000000 +0200 -+++ shadow-4.5/lib/prototypes.h 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/prototypes.h +=================================================================== +--- shadow-4.5.orig/lib/prototypes.h ++++ shadow-4.5/lib/prototypes.h @@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ @@ -70,9 +73,10 @@ diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.orig-context 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/selinux.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/selinux.c +=================================================================== +--- shadow-4.5.orig/lib/selinux.c ++++ shadow-4.5/lib/selinux.c @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context 
@@ -114,9 +118,10 @@ diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c } /* -diff -up shadow-4.5/src/useradd.c.orig-context shadow-4.5/src/useradd.c ---- shadow-4.5/src/useradd.c.orig-context 2017-07-20 16:47:41.102186239 +0200 -+++ shadow-4.5/src/useradd.c 2017-07-20 16:50:28.226198387 +0200 +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c @@ -1945,7 +1945,7 @@ static void create_home (void) { if (access (user_home, F_OK) != 0) { diff --git a/shadow-4.5-selinux.patch b/shadow-4.5-selinux.patch index cd190cc..cd1a3b4 100644 --- a/shadow-4.5-selinux.patch +++ b/shadow-4.5-selinux.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c ---- shadow-4.5/lib/semanage.c.selinux 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/semanage.c 2017-07-20 16:40:49.680297319 +0200 +Index: shadow-4.5/lib/semanage.c +=================================================================== +--- shadow-4.5.orig/lib/semanage.c ++++ shadow-4.5/lib/semanage.c @@ -294,6 +294,9 @@ int set_seuser (const char *login_name, ret = 0; @@ -22,9 +23,10 @@ diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c done: semanage_handle_destroy (handle); return ret; -diff -up shadow-4.5/src/useradd.c.selinux shadow-4.5/src/useradd.c ---- shadow-4.5/src/useradd.c.selinux 2017-07-20 16:40:49.677297246 +0200 -+++ shadow-4.5/src/useradd.c 2017-07-20 16:44:58.195275331 +0200 +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c @@ -2042,6 +2042,7 @@ static void create_mail (void) */ int main (int argc, char **argv) diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch index 37700c3..7d170fa 100644 --- a/shadow-4.5-userdel-chroot.patch +++ b/shadow-4.5-userdel-chroot.patch 
@@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-06 13:40:41.396131526 +0100 -+++ shadow-4.5/lib/selinux.c 2017-11-06 13:40:41.418132035 +0100 +Index: shadow-4.5/lib/selinux.c +=================================================================== +--- shadow-4.5.orig/lib/selinux.c ++++ shadow-4.5/lib/selinux.c @@ -75,7 +75,7 @@ int set_selinux_file_context (const char } return 0; @@ -19,9 +20,10 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c return 1; } } -diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c ---- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-06 13:40:41.410131850 +0100 -+++ shadow-4.5/src/userdel.c 2017-11-06 15:26:56.567954410 +0100 +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c @@ -96,6 +96,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; diff --git a/shadow-4.5-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch index d37b4aa..e2d70b5 100644 --- a/shadow-4.5-usermod-unlock.patch +++ b/shadow-4.5-usermod-unlock.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/src/usermod.c.unlock shadow-4.5/src/usermod.c ---- shadow-4.5/src/usermod.c.unlock 2017-07-20 16:52:23.641969174 +0200 -+++ shadow-4.5/src/usermod.c 2017-07-20 16:54:08.109477127 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; diff --git a/shadow-utils.spec b/shadow-utils.spec index 25ccdb1..4d8e3f7 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -30,6 +30,7 @@ Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch Patch31: shadow-4.5-userdel-chroot.patch +Patch32: shadow-4.5-crypt_h.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -80,6 +81,7 @@ are used for managing group accounts. %patch29 -p1 -b .null-tm %patch30 -p1 -b .grouplist %patch31 -p1 -b .userdel-chroot +%patch32 -p1 -b .crypt_h iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -107,11 +109,11 @@ autoreconf --without-libpam \ --disable-shared \ --with-group-name-max-length=32 -make +%make_build %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs +%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd @@ -235,6 +237,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 06 2018 Björn Esser - 2:4.5-9 +- Add patch to include crypt.h, if present +- Use %%make_{build,install} macros +- Refresh other patches for proper alignment + * Sat Jan 20 2018 Björn Esser - 2:4.5-8 - Rebuilt for switch to libxcrypt From eb66bf0ca58367e34d70d32a9409e23b9471bc11 Mon Sep 17 00:00:00 2001 
From: Igor Gnatenko Date: Wed, 14 Feb 2018 08:49:44 +0100 Subject: [PATCH 141/151] Remove %clean section None of currently supported distributions need that. Last one was EL5 which is EOL for a while. Signed-off-by: Igor Gnatenko --- shadow-utils.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 4d8e3f7..dc69b3f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -183,9 +183,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do echo "%%lang($lang) $dir/man*/*" >> shadow.lang done -%clean -rm -rf $RPM_BUILD_ROOT - %files -f shadow.lang %defattr(-,root,root) %doc NEWS doc/HOWTO README From 8d62f944dd9b0145014a181f95d1b9aedb25a19b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 1 Mar 2018 13:11:34 +0100 Subject: [PATCH 142/151] Add gcc buildrequires --- shadow-utils.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index dc69b3f..c0020f6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -34,6 +34,7 @@ Patch32: shadow-4.5-crypt_h.patch License: BSD and GPLv2+ Group: System Environment/Base +BuildRequires: gcc BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel From 4cb5077b6837710a35e77801194b4e6e5ed50a7a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 20 Apr 2018 16:23:31 +0200 Subject: [PATCH 143/151] Raise limit for passwd and shadow entry length - also prevent writing longer entries (#1422497) --- shadow-4.5-long-entry.patch | 84 +++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 8 +++- 2 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 shadow-4.5-long-entry.patch diff --git a/shadow-4.5-long-entry.patch b/shadow-4.5-long-entry.patch new file mode 100644 index 0000000..8670e75 --- /dev/null +++ b/shadow-4.5-long-entry.patch 
@@ -0,0 +1,84 @@ +diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h +--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200 +@@ -382,4 +382,7 @@ extern char *strerror (); + # endif + #endif + ++/* Maximum length of passwd entry */ ++#define PASSWD_ENTRY_MAX_LENGTH 32768 ++ + #endif /* _DEFINES_H_ */ +diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c +--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100 ++++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200 +@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, + || (pw->pw_gid == (gid_t)-1) + || (valid_field (pw->pw_gecos, ":\n") == -1) + || (valid_field (pw->pw_dir, ":\n") == -1) +- || (valid_field (pw->pw_shell, ":\n") == -1)) { ++ || (valid_field (pw->pw_shell, ":\n") == -1) ++ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) + ++ strlen (pw->pw_gecos) + strlen (pw->pw_dir) + ++ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) { + return -1; + } + +diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c +--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200 +@@ -57,7 +57,7 @@ + struct passwd *sgetpwent (const char *buf) + { + static struct passwd pwent; +- static char pwdbuf[1024]; ++ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH]; + register int i; + register char *cp; + char *fields[NFIELDS]; +@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu + * the password structure remain valid. 
+ */ + +- if (strlen (buf) >= sizeof pwdbuf) ++ if (strlen (buf) >= sizeof pwdbuf) { ++ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n"); + return 0; /* fail if too long */ ++ } + strcpy (pwdbuf, buf); + + /* +diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c +--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200 +@@ -48,7 +48,7 @@ + */ + struct spwd *sgetspent (const char *string) + { +- static char spwbuf[1024]; ++ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH]; + static struct spwd spwd; + char *fields[FIELDS]; + char *cp; +@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri + */ + + if (strlen (string) >= sizeof spwbuf) { ++ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n"); + return 0; /* fail if too long */ + } + strcpy (spwbuf, string); +diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c +--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100 ++++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200 +@@ -79,7 +79,9 @@ static int shadow_put (const void *ent, + + if ( (NULL == sp) + || (valid_field (sp->sp_namp, ":\n") == -1) +- || (valid_field (sp->sp_pwdp, ":\n") == -1)) { ++ || (valid_field (sp->sp_pwdp, ":\n") == -1) ++ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) + ++ 1000 > PASSWD_ENTRY_MAX_LENGTH)) { + return -1; + } + diff --git a/shadow-utils.spec b/shadow-utils.spec index c0020f6..883e02c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz 
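Review bot: The write-side guards added to passwd_put and shadow_put use unexplained slack constants, `+ 100` in pwio.c and `+ 1000` in shadowio.c, to stand in for the numeric fields, ':' separators and newline that the serialised line contains but the strlen sum does not count; a reader cannot tell whether the two values are deliberately different or how either was derived against the 32768-byte PASSWD_ENTRY_MAX_LENGTH. I would define them next to that constant in defines.h with a one-line derivation, e.g. `/* headroom for uid/gid (passwd) or the seven numeric spwd fields, separators and newline */`, so the invariant the patch establishes — any entry the tools write can be read back by sgetpwent/sgetspent instead of being dropped with the new "Too long ... entry" message — stays checkable when the limit is changed. Those two diagnostics are plain literals whereas the other user-visible messages in this series go through `_()`; wrap them the same way if defines.h makes `_()` available in lib/. The strlen calls also assume pw_name/pw_passwd and sp_namp/sp_pwdp are non-NULL, which holds only if the valid_field tests earlier in the `||` chain reject NULL; the start of each condition lies outside the hunk, so that is worth confirming.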
@@ -31,6 +31,7 @@ Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch Patch31: shadow-4.5-userdel-chroot.patch Patch32: shadow-4.5-crypt_h.patch +Patch33: shadow-4.5-long-entry.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -83,6 +84,7 @@ are used for managing group accounts. %patch30 -p1 -b .grouplist %patch31 -p1 -b .userdel-chroot %patch32 -p1 -b .crypt_h +%patch33 -p1 -b .long-entry iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -235,6 +237,10 @@ done %{_mandir}/man8/vigr.8* %changelog +* Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 +- Raise limit for passwd and shadow entry length but also prevent + writing longer entries (#1422497) + * Tue Feb 06 2018 Björn Esser - 2:4.5-9 - Add patch to include crypt.h, if present - Use %%make_{build,install} macros From 38a12ac864a9292512ca74dc0f00b88ef71f371b Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 28 May 2018 15:25:08 +0200 Subject: [PATCH 144/151] update to current upstream release 4.6 --- .gitignore | 2 + shadow-4.1.5-2ndskip.patch | 102 ----- shadow-4.1.5.1-ingroup.patch | 64 ---- shadow-4.1.5.1-move-home.patch | 16 - shadow-4.1.5.1-newgrp-grouplist.patch | 71 ---- shadow-4.5-userdel-chroot.patch | 74 ---- ...ate.patch => shadow-4.6-audit-update.patch | 359 +++++++++--------- shadow-4.6-getenforce.patch | 21 + shadow-4.6-move-home.patch | 15 + ...ext.patch => shadow-4.6-orig-context.patch | 49 ++- ....5-redhat.patch => shadow-4.6-redhat.patch | 19 +- ...-selinux.patch => shadow-4.6-selinux.patch | 26 +- shadow-4.6-usermod-crash.patch | 42 ++ shadow-utils.spec | 29 +- sources | 4 +- 15 files changed, 312 insertions(+), 581 deletions(-) delete mode 100644 shadow-4.1.5-2ndskip.patch delete mode 100644 shadow-4.1.5.1-ingroup.patch delete mode 100644 shadow-4.1.5.1-move-home.patch delete mode 100644 shadow-4.1.5.1-newgrp-grouplist.patch delete mode 100644 shadow-4.5-userdel-chroot.patch rename shadow-4.3.1-audit-update.patch => shadow-4.6-audit-update.patch (88%) create mode 100644 shadow-4.6-getenforce.patch create mode 100644 shadow-4.6-move-home.patch rename shadow-4.5-orig-context.patch => shadow-4.6-orig-context.patch (65%) rename shadow-4.1.5-redhat.patch => shadow-4.6-redhat.patch (60%) rename shadow-4.5-selinux.patch => shadow-4.6-selinux.patch (75%) create mode 100644 shadow-4.6-usermod-crash.patch diff --git a/.gitignore b/.gitignore index d1e7d76..3b04b1e 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,5 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.3.1.tar.gz /shadow-4.5.tar.xz /shadow-4.5.tar.xz.asc +/shadow-4.6.tar.xz +/shadow-4.6.tar.xz.asc diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch deleted file mode 100644 index 5a8e444..0000000 --- a/shadow-4.1.5-2ndskip.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -Index: shadow-4.5/src/grpconv.c -=================================================================== ---- shadow-4.5.orig/src/grpconv.c -+++ shadow-4.5/src/grpconv.c -@@ -143,6 +143,7 @@ int main (int argc, char **argv) - struct group grent; - const struct sgrp *sg; - struct sgrp sgent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -184,20 +185,25 @@ int main (int argc, char **argv) - * Remove /etc/gshadow entries for groups not in /etc/group. - */ - (void) sgr_rewind (); -- while ((sg = sgr_next ()) != NULL) { -- if (gr_locate (sg->sg_name) != NULL) { -- continue; -- } -- -- if (sgr_remove (sg->sg_name) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... -- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sg->sg_name, sgr_dbname ()); -- fail_exit (3); -+ sg = sgr_next (); -+ np=NULL; -+ while (sg != NULL) { -+ np = strdup(sg->sg_name); -+ sg = sgr_next (); -+ -+ if(gr_locate (np) == NULL) { -+ if (sgr_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, sgr_dbname ()); -+ free(np); -+ fail_exit (3); -+ } - } -+ free(np); - } - - /* -Index: shadow-4.5/src/pwconv.c -=================================================================== ---- shadow-4.5.orig/src/pwconv.c -+++ shadow-4.5/src/pwconv.c -@@ -173,6 +173,7 @@ int main (int argc, char **argv) - struct passwd pwent; - const struct spwd *sp; - struct spwd spent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -223,20 +224,25 @@ int main (int argc, char **argv) - * Remove /etc/shadow entries for users not in /etc/passwd. - */ - (void) spw_rewind (); -- while ((sp = spw_next ()) != NULL) { -- if (pw_locate (sp->sp_namp) != NULL) { -- continue; -- } -- -- if (spw_remove (sp->sp_namp) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... 
-- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sp->sp_namp, spw_dbname ()); -- fail_exit (E_FAILURE); -+ sp = spw_next (); -+ np = NULL; -+ while (sp != NULL) { -+ np = strdup(sp->sp_namp); -+ sp = spw_next (); -+ -+ if (pw_locate (np) == NULL) { -+ if (spw_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, spw_dbname ()); -+ free(np); -+ fail_exit (E_FAILURE); -+ } - } -+ free(np); - } - - /* diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch deleted file mode 100644 index 1c30198..0000000 --- a/shadow-4.1.5.1-ingroup.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c -@@ -83,15 +83,29 @@ static void usage (void) - } - } - -+static bool ingroup(const char *name, struct group *gr) -+{ -+ char **look; -+ bool notfound = true; -+ -+ look = gr->gr_mem; -+ while (*look && notfound) -+ notfound = strcmp (*look++, name); -+ -+ return !notfound; -+} -+ - /* -- * find_matching_group - search all groups of a given group id for -+ * find_matching_group - search all groups of a gr's group id for - * membership of a given username -+ * but check gr itself first - */ --static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid) -+static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr) - { -- struct group *gr; -- char **look; -- bool notfound = true; -+ gid_t gid = gr->gr_gid; -+ -+ if (ingroup(name, gr)) -+ return gr; - - setgrent (); - while ((gr = getgrent ()) != NULL) { -@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc - * A group with matching GID was found. - * Test for membership of 'name'. - */ -- look = gr->gr_mem; -- while ((NULL != *look) && notfound) { -- notfound = (strcmp (*look, name) != 0); -- look++; -- } -- if (!notfound) { -+ if (ingroup(name, gr)) - break; -- } - } - endgrent (); - return gr; -@@ -630,7 +638,7 @@ int main (int argc, char **argv) - * groups of the same GID like the requested group for - * membership of the current user. - */ -- grp = find_matching_group (name, grp->gr_gid); -+ grp = find_matching_group (name, grp); - if (NULL == grp) { - /* - * No matching group found. As we already know that diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch deleted file mode 100644 index f1790e2..0000000 --- a/shadow-4.1.5.1-move-home.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -1814,6 +1814,11 @@ static void move_home (void) - Prog, user_home, user_newhome); - fail_exit (E_HOMEDIR); - } -+ } else { -+ fprintf (stderr, -+ _("%s: The previous home directory (%s) does " -+ "not exist or is inaccessible. Move cannot be completed.\n"), -+ Prog, user_home); - } - } - diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch deleted file mode 100644 index 47eb6f6..0000000 --- a/shadow-4.1.5.1-newgrp-grouplist.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c -@@ -396,6 +396,7 @@ int main (int argc, char **argv) - { - bool initflag = false; - int i; -+ bool is_member = false; - bool cflag = false; - int err = 0; - gid_t gid; -@@ -645,22 +646,36 @@ int main (int argc, char **argv) - goto failure; - } - -+#ifdef HAVE_SETGROUPS -+ /* when using pam_group, she will not be listed in the groups -+ * database. However getgroups() will return the group. So -+ * if she is listed there already it is ok to grant membership. -+ */ -+ for (i = 0; i < ngroups; i++) { -+ if (grp->gr_gid == grouplist[i]) { -+ is_member = true; -+ break; -+ } -+ } -+#endif /* HAVE_SETGROUPS */ - /* - * For splitted groups (due to limitations of NIS), check all - * groups of the same GID like the requested group for - * membership of the current user. - */ -- grp = find_matching_group (name, grp); -- if (NULL == grp) { -- /* -- * No matching group found. As we already know that -- * the group exists, this happens only in the case -- * of a requested group where the user is not member. -- * -- * Re-read the group entry for further processing. -- */ -- grp = xgetgrnam (group); -- assert (NULL != grp); -+ if (!is_member) { -+ grp = find_matching_group (name, grp); -+ if (NULL == grp) { -+ /* -+ * No matching group found. As we already know that -+ * the group exists, this happens only in the case -+ * of a requested group where the user is not member. -+ * -+ * Re-read the group entry for further processing. -+ */ -+ grp = xgetgrnam (group); -+ assert (NULL != grp); -+ } - } - #ifdef SHADOWGRP - sgrp = getsgnam (group); -@@ -673,7 +688,9 @@ int main (int argc, char **argv) - /* - * Check if the user is allowed to access this group. 
- */ -- check_perms (grp, pwd, group); -+ if (!is_member) { -+ check_perms (grp, pwd, group); -+ } - - /* - * all successful validations pass through this point. The group id diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch deleted file mode 100644 index 7d170fa..0000000 --- a/shadow-4.5-userdel-chroot.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -Index: shadow-4.5/lib/selinux.c -=================================================================== ---- shadow-4.5.orig/lib/selinux.c -+++ shadow-4.5/lib/selinux.c -@@ -75,7 +75,7 @@ int set_selinux_file_context (const char - } - return 0; - error: -- if (security_getenforce () != 0) { -+ if (security_getenforce () > 0) { - return 1; - } - return 0; -@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) - selinux_checked = true; - } - if (selinux_enabled) { -- if (setfscreatecon (NULL) != 0) { -+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { - return 1; - } - } -Index: shadow-4.5/src/userdel.c -=================================================================== ---- shadow-4.5.orig/src/userdel.c -+++ shadow-4.5/src/userdel.c -@@ -96,6 +96,7 @@ static char *user_home; - static bool fflg = false; - static bool rflg = false; - static bool Zflg = false; -+static bool Rflg = false; - - static bool is_shadow_pwd; - -@@ -958,6 +959,7 @@ int main (int argc, char **argv) - rflg = true; - break; - case 'R': /* no-op, handled in process_root_flag () */ -+ Rflg = true; - break; - #ifdef WITH_SELINUX - case 'Z': -@@ -1032,9 +1034,12 @@ int main (int argc, char **argv) - */ - user_name = argv[argc - 1]; - { -- struct passwd *pwd; -- pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ -+ const struct passwd *pwd; -+ -+ pw_open(O_RDONLY); -+ pwd = pw_locate (user_name); /* we care only about local users */ - if (NULL == pwd) { -+ pw_close(); - fprintf (stderr, _("%s: user '%s' does not exist\n"), - Prog, user_name); - #ifdef WITH_AUDIT -@@ -1048,6 +1053,7 @@ int main (int argc, char **argv) - user_id = pwd->pw_uid; - user_gid = pwd->pw_gid; - user_home = xstrdup (pwd->pw_dir); -+ pw_close(); - } - #ifdef WITH_TCB - if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { -@@ -1079,7 +1085,7 @@ int main (int argc, char **argv) - * Note: This is a best effort basis. 
The user may log in between, - * a cron job may be started on her behalf, etc. - */ -- if (user_busy (user_name, user_id) != 0) { -+ if (!Rflg && user_busy (user_name, user_id) != 0) { - if (!fflg) { - #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, diff --git a/shadow-4.3.1-audit-update.patch b/shadow-4.6-audit-update.patch similarity index 88% rename from shadow-4.3.1-audit-update.patch rename to shadow-4.6-audit-update.patch index 8c72cf3..b9d0a67 100644 --- a/shadow-4.3.1-audit-update.patch +++ b/shadow-4.6-audit-update.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/libmisc/audit_help.c -=================================================================== ---- shadow-4.5.orig/libmisc/audit_help.c -+++ shadow-4.5/libmisc/audit_help.c +diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_help.c +--- shadow-4.6/libmisc/audit_help.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/audit_help.c 2018-05-28 15:01:09.913717564 +0200 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -51,10 +50,9 @@ Index: shadow-4.5/libmisc/audit_help.c void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -Index: shadow-4.5/libmisc/cleanup_group.c -=================================================================== ---- shadow-4.5.orig/libmisc/cleanup_group.c -+++ shadow-4.5/libmisc/cleanup_group.c +diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/cleanup_group.c +--- shadow-4.6/libmisc/cleanup_group.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_group.c 2018-05-28 15:01:09.913717564 +0200 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); 
@@ -133,10 +131,9 @@ Index: shadow-4.5/libmisc/cleanup_group.c SHADOW_AUDIT_FAILURE); #endif } -Index: shadow-4.5/libmisc/cleanup_user.c -=================================================================== ---- shadow-4.5.orig/libmisc/cleanup_user.c -+++ shadow-4.5/libmisc/cleanup_user.c +diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/cleanup_user.c +--- shadow-4.6/libmisc/cleanup_user.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_user.c 2018-05-28 15:01:09.913717564 +0200 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -184,10 +181,9 @@ Index: shadow-4.5/libmisc/cleanup_user.c SHADOW_AUDIT_FAILURE); #endif } -Index: shadow-4.5/lib/prototypes.h -=================================================================== ---- shadow-4.5.orig/lib/prototypes.h -+++ shadow-4.5/lib/prototypes.h +diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.audit-update 2018-05-28 15:01:09.901717309 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 15:01:09.913717564 +0200 @@ -211,12 +211,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ @@ -210,10 +206,9 @@ Index: shadow-4.5/lib/prototypes.h void audit_logger_message (const char *message, shadow_audit_result result); #endif -Index: shadow-4.5/src/gpasswd.c -=================================================================== ---- shadow-4.5.orig/src/gpasswd.c -+++ shadow-4.5/src/gpasswd.c +diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c +--- shadow-4.6/src/gpasswd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/gpasswd.c 2018-05-28 15:01:09.914717585 +0200 
@@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -477,11 +472,10 @@ Index: shadow-4.5/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -Index: shadow-4.5/src/groupadd.c -=================================================================== ---- shadow-4.5.orig/src/groupadd.c -+++ shadow-4.5/src/groupadd.c -@@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c +--- shadow-4.6/src/groupadd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupadd.c 2018-05-28 15:02:53.137910337 +0200 +@@ -130,6 +130,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -497,7 +491,7 @@ Index: shadow-4.5/src/groupadd.c /* * new_grent - initialize the values in a group file entry * -@@ -210,7 +219,7 @@ static void grp_update (void) +@@ -213,7 +222,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); @@ -506,7 +500,7 @@ Index: shadow-4.5/src/groupadd.c } #ifdef SHADOWGRP /* -@@ -220,7 +229,7 @@ static void grp_update (void) +@@ -223,7 +232,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); @@ -515,7 +509,7 @@ Index: shadow-4.5/src/groupadd.c } #endif /* SHADOWGRP */ } -@@ -244,7 +253,7 @@ static void check_new_name (void) +@@ -247,7 +256,7 @@ static void check_new_name (void) fprintf (stderr, _("%s: '%s' is not a valid group name\n"), Prog, group_name); @@ -524,7 +518,7 @@ Index: shadow-4.5/src/groupadd.c } /* -@@ -260,11 +269,11 @@ static void close_files (void) +@@ -263,11 +272,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); 
@@ -538,7 +532,7 @@ Index: shadow-4.5/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -282,11 +291,11 @@ static void close_files (void) +@@ -285,11 +294,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -553,7 +547,7 @@ Index: shadow-4.5/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -300,12 +309,6 @@ static void close_files (void) +@@ -303,12 +312,6 @@ static void close_files (void) #endif /* SHADOWGRP */ /* Report success at the system level */ @@ -566,7 +560,7 @@ Index: shadow-4.5/src/groupadd.c SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); -@@ -323,7 +326,7 @@ static void open_files (void) +@@ -326,7 +329,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -575,7 +569,7 @@ Index: shadow-4.5/src/groupadd.c } add_cleanup (cleanup_unlock_group, NULL); -@@ -333,7 +336,7 @@ static void open_files (void) +@@ -336,7 +339,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -584,7 +578,7 @@ Index: shadow-4.5/src/groupadd.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -349,7 +352,7 @@ static void open_files (void) +@@ -352,7 +355,7 @@ static void open_files (void) if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -593,7 +587,7 @@ Index: shadow-4.5/src/groupadd.c } #ifdef SHADOWGRP -@@ -359,7 +362,7 @@ static void open_files (void) +@@ -362,7 +365,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); 
@@ -602,7 +596,7 @@ Index: shadow-4.5/src/groupadd.c } } #endif /* SHADOWGRP */ -@@ -489,7 +492,7 @@ static void check_flags (void) +@@ -495,7 +498,7 @@ static void check_flags (void) fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name); @@ -610,8 +604,8 @@ Index: shadow-4.5/src/groupadd.c + fail_exit (E_NAME_IN_USE); } - if (gflg && (getgrgid (group_id) != NULL)) { -@@ -508,7 +511,7 @@ static void check_flags (void) + if (gflg && (prefix_getgrgid (group_id) != NULL)) { +@@ -514,7 +517,7 @@ static void check_flags (void) fprintf (stderr, _("%s: GID '%lu' already exists\n"), Prog, (unsigned long int) group_id); @@ -620,7 +614,7 @@ Index: shadow-4.5/src/groupadd.c } } } -@@ -536,7 +539,7 @@ static void check_perms (void) +@@ -542,7 +545,7 @@ static void check_perms (void) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -629,7 +623,7 @@ Index: shadow-4.5/src/groupadd.c } retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); -@@ -556,7 +559,7 @@ static void check_perms (void) +@@ -562,7 +565,7 @@ static void check_perms (void) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -638,7 +632,7 @@ Index: shadow-4.5/src/groupadd.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -588,7 +591,7 @@ int main (int argc, char **argv) +@@ -595,7 +598,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -647,7 +641,7 @@ Index: shadow-4.5/src/groupadd.c } /* -@@ -610,7 +613,7 @@ int main (int argc, char **argv) +@@ -617,7 +620,7 @@ int main (int argc, char **argv) if (!gflg) { if (find_new_gid (rflg, &group_id, NULL) < 0) { 
@@ -656,11 +650,10 @@ Index: shadow-4.5/src/groupadd.c } } -Index: shadow-4.5/src/groupdel.c -=================================================================== ---- shadow-4.5.orig/src/groupdel.c -+++ shadow-4.5/src/groupdel.c -@@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c +--- shadow-4.6/src/groupdel.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupdel.c 2018-05-28 15:01:09.914717585 +0200 +@@ -105,6 +105,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -676,7 +669,7 @@ Index: shadow-4.5/src/groupdel.c /* * grp_update - update group file entries * -@@ -128,7 +137,7 @@ static void grp_update (void) +@@ -131,7 +140,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -685,7 +678,7 @@ Index: shadow-4.5/src/groupdel.c } #ifdef SHADOWGRP -@@ -140,7 +149,7 @@ static void grp_update (void) +@@ -143,7 +152,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -694,7 +687,7 @@ Index: shadow-4.5/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -159,12 +168,12 @@ static void close_files (void) +@@ -162,12 +171,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -709,7 +702,7 @@ Index: shadow-4.5/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -184,12 +193,12 @@ static void close_files (void) +@@ -187,12 +196,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -725,7 +718,7 @@ Index: shadow-4.5/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -203,13 +212,6 @@ static void close_files (void) +@@ -206,13 +215,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ 
@@ -739,7 +732,7 @@ Index: shadow-4.5/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -226,7 +228,7 @@ static void open_files (void) +@@ -229,7 +231,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -748,7 +741,7 @@ Index: shadow-4.5/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -235,7 +237,7 @@ static void open_files (void) +@@ -238,7 +240,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -757,7 +750,7 @@ Index: shadow-4.5/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -253,7 +255,7 @@ static void open_files (void) +@@ -256,7 +258,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -766,7 +759,7 @@ Index: shadow-4.5/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -262,7 +264,7 @@ static void open_files (void) +@@ -265,7 +267,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -775,7 +768,7 @@ Index: shadow-4.5/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -303,7 +305,7 @@ static void group_busy (gid_t gid) +@@ -306,7 +308,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -784,7 +777,7 @@ Index: shadow-4.5/src/groupdel.c } /* -@@ -384,7 +386,7 @@ int main (int argc, char **argv) +@@ -391,7 +393,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); 
@@ -793,7 +786,7 @@ Index: shadow-4.5/src/groupdel.c } process_flags (argc, argv); -@@ -398,7 +400,7 @@ int main (int argc, char **argv) +@@ -405,7 +407,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -802,7 +795,7 @@ Index: shadow-4.5/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -419,7 +421,7 @@ int main (int argc, char **argv) +@@ -426,7 +428,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -811,7 +804,7 @@ Index: shadow-4.5/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -439,7 +441,7 @@ int main (int argc, char **argv) +@@ -446,7 +448,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); @@ -820,7 +813,7 @@ Index: shadow-4.5/src/groupdel.c } group_id = grp->gr_gid; -@@ -463,7 +465,7 @@ int main (int argc, char **argv) +@@ -470,7 +472,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -829,11 +822,10 @@ Index: shadow-4.5/src/groupdel.c } #endif -Index: shadow-4.5/src/groupmod.c -=================================================================== ---- shadow-4.5.orig/src/groupmod.c -+++ shadow-4.5/src/groupmod.c -@@ -438,7 +438,7 @@ static void close_files (void) +diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c +--- shadow-4.6/src/groupmod.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupmod.c 2018-05-28 15:01:09.915717607 +0200 +@@ -449,7 +449,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -842,7 +834,7 @@ Index: shadow-4.5/src/groupmod.c info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -461,7 +461,7 @@ static void close_files (void) +@@ -472,7 +472,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT 
@@ -851,7 +843,7 @@ Index: shadow-4.5/src/groupmod.c info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -484,7 +484,7 @@ static void close_files (void) +@@ -495,7 +495,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -860,7 +852,7 @@ Index: shadow-4.5/src/groupmod.c info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -499,8 +499,8 @@ static void close_files (void) +@@ -510,8 +510,8 @@ static void close_files (void) } #ifdef WITH_AUDIT @@ -871,7 +863,7 @@ Index: shadow-4.5/src/groupmod.c group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -512,6 +512,8 @@ static void close_files (void) +@@ -523,6 +523,8 @@ static void close_files (void) */ static void prepare_failure_reports (void) { @@ -880,7 +872,7 @@ Index: shadow-4.5/src/groupmod.c info_group.name = group_name; #ifdef SHADOWGRP info_gshadow.name = group_name; -@@ -524,76 +526,106 @@ static void prepare_failure_reports (voi +@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi #endif info_passwd.audit_msg = xmalloc (512); @@ -1014,7 +1006,7 @@ Index: shadow-4.5/src/groupmod.c "%lu", (unsigned long int) group_newid); } info_group.audit_msg[511] = '\0'; -@@ -601,6 +633,11 @@ static void prepare_failure_reports (voi +@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi info_gshadow.audit_msg[511] = '\0'; #endif info_passwd.audit_msg[511] = '\0'; @@ -1026,10 +1018,9 @@ Index: shadow-4.5/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -Index: shadow-4.5/src/chage.c -=================================================================== ---- shadow-4.5.orig/src/chage.c -+++ shadow-4.5/src/chage.c +diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c +--- shadow-4.6/src/chage.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/chage.c 2018-05-28 15:01:09.915717607 +0200 
@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1117,10 +1108,9 @@ Index: shadow-4.5/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c +diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c +--- shadow-4.6/src/newgrp.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/newgrp.c 2018-05-28 15:01:09.915717607 +0200 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1203,7 +1193,7 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -456,7 +457,7 @@ int main (int argc, char **argv) +@@ -457,7 +458,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1212,7 +1202,7 @@ Index: shadow-4.5/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -572,15 +573,26 @@ int main (int argc, char **argv) +@@ -573,15 +574,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1243,7 +1233,7 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -721,10 +733,10 @@ int main (int argc, char **argv) +@@ -738,10 +750,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1256,7 +1246,7 @@ Index: shadow-4.5/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -733,10 +745,10 @@ int main (int argc, char **argv) +@@ -750,10 +762,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), 
@@ -1269,7 +1259,7 @@ Index: shadow-4.5/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -750,10 +762,10 @@ int main (int argc, char **argv) +@@ -767,10 +779,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1282,7 +1272,7 @@ Index: shadow-4.5/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -817,11 +829,11 @@ int main (int argc, char **argv) +@@ -834,11 +846,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1296,7 +1286,7 @@ Index: shadow-4.5/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -845,15 +857,24 @@ int main (int argc, char **argv) +@@ -862,15 +874,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1325,20 +1315,19 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -225,6 +225,8 @@ static void create_mail (void); +diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.audit-update 2018-05-28 15:01:09.903717352 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 15:06:36.824662074 +0200 +@@ -229,6 +229,8 @@ static void create_mail (void); */ static void fail_exit (int code) { + int type; + if (home_added) { - if (rmdir (user_home) != 0) { + if (rmdir (prefix_user_home) != 0) { fprintf (stderr, -@@ -238,12 +240,6 @@ static void fail_exit (int code) +@@ -242,12 +244,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); 
@@ -1351,7 +1340,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -251,12 +247,6 @@ static void fail_exit (int code) +@@ -255,12 +251,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1364,7 +1353,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -264,12 +254,6 @@ static void fail_exit (int code) +@@ -268,12 +258,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1377,7 +1366,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -278,12 +262,6 @@ static void fail_exit (int code) +@@ -282,12 +266,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1390,7 +1379,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -293,12 +271,6 @@ static void fail_exit (int code) +@@ -297,12 +275,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); @@ -1403,7 +1392,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -306,20 +278,19 @@ static void fail_exit (int code) +@@ -310,20 +282,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1431,7 +1420,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -626,7 +597,7 @@ static int set_defaults (void) +@@ -673,7 +644,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, 
@@ -1440,7 +1429,7 @@ Index: shadow-4.5/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -896,12 +867,6 @@ static void grp_update (void) +@@ -950,12 +921,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1453,7 +1442,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -915,18 +880,12 @@ static void grp_update (void) +@@ -969,18 +934,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1475,7 +1464,7 @@ Index: shadow-4.5/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -971,12 +930,6 @@ static void grp_update (void) +@@ -1025,12 +984,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1488,7 +1477,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -990,18 +943,13 @@ static void grp_update (void) +@@ -1044,18 +997,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1511,7 +1500,7 @@ Index: shadow-4.5/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1344,7 +1292,7 @@ static void process_flags (int argc, cha +@@ -1407,7 +1355,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1520,7 +1509,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1447,7 +1395,7 @@ static void close_files (void) +@@ -1522,7 +1470,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1529,7 +1518,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1460,7 +1408,7 @@ static void close_files (void) +@@ -1535,7 +1483,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1538,7 +1527,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1472,7 +1420,7 @@ static void close_files (void) +@@ -1547,7 +1495,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1547,7 +1536,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1486,7 +1434,7 @@ static void close_files (void) +@@ -1561,7 +1509,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1556,7 +1545,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1502,7 +1450,7 @@ static void close_files (void) +@@ -1577,7 +1525,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1565,7 +1554,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1516,7 +1464,7 @@ static void close_files (void) +@@ -1591,7 +1539,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, 
@@ -1574,7 +1563,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1708,7 +1656,7 @@ static void grp_add (void) +@@ -1783,7 +1731,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1583,7 +1572,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1724,7 +1672,7 @@ static void grp_add (void) +@@ -1799,7 +1747,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1592,7 +1581,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1734,7 +1682,7 @@ static void grp_add (void) +@@ -1809,7 +1757,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1601,7 +1590,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1895,12 +1843,6 @@ static void usr_update (void) +@@ -1970,12 +1918,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1614,7 +1603,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1922,7 +1864,7 @@ static void usr_update (void) +@@ -1997,7 +1939,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1623,10 +1612,10 @@ Index: shadow-4.5/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1957,12 +1899,6 @@ static void create_home (void) +@@ -2032,12 +1974,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), - Prog, user_home); + Prog, prefix_user_home); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", 
@@ -1635,8 +1624,8 @@ Index: shadow-4.5/src/useradd.c -#endif fail_exit (E_HOMEDIR); } - chown (user_home, user_id, user_gid); -@@ -1970,8 +1906,8 @@ static void create_home (void) + (void) chown (prefix_user_home, user_id, user_gid); +@@ -2045,8 +1981,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1647,9 +1636,9 @@ Index: shadow-4.5/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2151,12 +2087,6 @@ int main (int argc, char **argv) +@@ -2231,12 +2167,6 @@ int main (int argc, char **argv) */ - if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ + if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, @@ -1660,7 +1649,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2172,12 +2102,6 @@ int main (int argc, char **argv) +@@ -2252,12 +2182,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1673,7 +1662,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2207,12 +2131,6 @@ int main (int argc, char **argv) +@@ -2287,12 +2211,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1686,7 +1675,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2285,9 +2203,10 @@ int main (int argc, char **argv) +@@ -2365,9 +2283,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT 
@@ -1700,11 +1689,10 @@ Index: shadow-4.5/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -Index: shadow-4.5/src/userdel.c -=================================================================== ---- shadow-4.5.orig/src/userdel.c -+++ shadow-4.5/src/userdel.c -@@ -214,9 +214,9 @@ static void update_groups (void) +diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c +--- shadow-4.6/src/userdel.c.audit-update 2018-05-28 15:01:09.909717479 +0200 ++++ shadow-4.6/src/userdel.c 2018-05-28 15:01:09.916717628 +0200 +@@ -219,9 +219,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT @@ -1717,7 +1705,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -276,9 +276,9 @@ static void update_groups (void) +@@ -281,9 +281,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1730,7 +1718,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -355,9 +355,9 @@ static void remove_usergroup (void) +@@ -360,9 +360,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1743,7 +1731,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -373,9 +373,9 @@ static void remove_usergroup (void) +@@ -378,9 +378,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1756,7 +1744,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -537,7 +537,7 @@ static void fail_exit (int code) +@@ -542,7 +542,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1765,7 +1753,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -557,24 +557,12 @@ static void open_files (void) +@@ -562,24 +562,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); @@ -1790,7 +1778,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -582,12 +570,6 @@ static void open_files (void) +@@ -587,12 +575,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1803,7 +1791,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -595,12 +577,6 @@ static void open_files (void) +@@ -600,12 +582,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -1816,7 +1804,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -608,23 +584,11 @@ static void open_files (void) +@@ -613,23 +589,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1840,7 +1828,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -633,24 +597,12 @@ static void open_files (void) +@@ -638,24 +602,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -1865,7 +1853,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -661,24 +613,12 @@ static void open_files (void) +@@ -666,24 +618,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); 
@@ -1890,7 +1878,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } } -@@ -687,24 +627,12 @@ static void open_files (void) +@@ -692,24 +632,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); @@ -1915,7 +1903,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } } -@@ -749,7 +677,7 @@ static void update_user (void) +@@ -754,7 +682,7 @@ static void update_user (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1924,7 +1912,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -843,7 +771,7 @@ static int remove_mailbox (void) +@@ -862,7 +790,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1933,7 +1921,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -859,7 +787,7 @@ static int remove_mailbox (void) +@@ -879,7 +807,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1942,7 +1930,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -869,8 +797,8 @@ static int remove_mailbox (void) +@@ -889,8 +817,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1953,7 +1941,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -887,7 +815,7 @@ static int remove_mailbox (void) +@@ -908,7 +836,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, 
@@ -1962,7 +1950,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -902,7 +830,7 @@ static int remove_mailbox (void) +@@ -925,7 +853,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1971,7 +1959,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -912,8 +840,8 @@ static int remove_mailbox (void) +@@ -935,8 +863,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1982,7 +1970,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1111,7 +1039,7 @@ int main (int argc, char **argv) +@@ -1149,7 +1077,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1991,7 +1979,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1155,7 +1083,7 @@ int main (int argc, char **argv) +@@ -1205,7 +1133,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -2000,7 +1988,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1232,8 +1160,8 @@ int main (int argc, char **argv) +@@ -1282,8 +1210,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -2011,7 +1999,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1242,7 +1170,7 @@ int main (int argc, char **argv) +@@ -1292,7 +1220,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, 
@@ -2020,7 +2008,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1255,8 +1183,8 @@ int main (int argc, char **argv) +@@ -1305,8 +1233,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2031,11 +2019,10 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.audit-update 2018-05-28 15:01:09.912717543 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:08:25.424969050 +0200 +@@ -453,8 +453,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2046,7 +2033,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -467,8 +467,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -473,8 +473,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2057,7 +2044,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -479,7 +479,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -485,7 +485,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, 
@@ -2066,7 +2053,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -508,8 +508,8 @@ static void new_pwent (struct passwd *pw +@@ -514,8 +514,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -2077,7 +2064,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -529,8 +529,8 @@ static void new_pwent (struct passwd *pw +@@ -535,8 +535,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -2088,7 +2075,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -540,8 +540,8 @@ static void new_pwent (struct passwd *pw +@@ -546,8 +546,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -2099,7 +2086,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -551,8 +551,8 @@ static void new_pwent (struct passwd *pw +@@ -557,8 +557,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2110,7 +2097,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -560,8 +560,8 @@ static void new_pwent (struct passwd *pw +@@ -566,8 +566,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT @@ -2121,7 +2108,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -571,8 +571,8 @@ static void new_pwent (struct passwd *pw +@@ -577,8 +577,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT 
@@ -2132,7 +2119,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -602,8 +602,8 @@ static void new_spent (struct spwd *spen +@@ -608,8 +608,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2143,7 +2130,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -619,8 +619,8 @@ static void new_spent (struct spwd *spen +@@ -625,8 +625,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2154,7 +2141,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -703,9 +703,9 @@ static /*@noreturn@*/void fail_exit (int +@@ -709,9 +709,9 @@ static /*@noreturn@*/void fail_exit (int #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT @@ -2167,7 +2154,7 @@ Index: shadow-4.5/src/usermod.c #endif exit (code); } -@@ -759,9 +759,12 @@ static void update_group (void) +@@ -765,9 +765,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2183,7 +2170,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -775,9 +778,11 @@ static void update_group (void) +@@ -781,9 +784,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2198,7 +2185,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -790,9 +795,11 @@ static void update_group (void) +@@ -796,9 +801,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT 
@@ -2213,7 +2200,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -867,9 +874,10 @@ static void update_gshadow (void) +@@ -873,9 +880,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2227,7 +2214,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -889,9 +897,10 @@ static void update_gshadow (void) +@@ -895,9 +903,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2241,7 +2228,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -905,9 +914,10 @@ static void update_gshadow (void) +@@ -911,9 +920,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2255,7 +2242,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -920,9 +930,10 @@ static void update_gshadow (void) +@@ -926,9 +936,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2269,7 +2256,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1758,8 +1769,8 @@ static void move_home (void) +@@ -1789,8 +1800,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2280,7 +2267,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1777,8 +1788,8 @@ static void move_home (void) +@@ -1808,8 +1819,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT 
@@ -2291,8 +2278,8 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1797,9 +1808,9 @@ static void move_home (void) - Prog, user_home); +@@ -1828,9 +1839,9 @@ static void move_home (void) + Prog, prefix_user_home); } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, @@ -2303,7 +2290,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2003,8 +2014,8 @@ static void move_mailbox (void) +@@ -2045,8 +2056,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2314,7 +2301,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2022,8 +2033,8 @@ static void move_mailbox (void) +@@ -2072,8 +2083,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2325,7 +2312,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2215,8 +2226,8 @@ int main (int argc, char **argv) +@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2336,7 +2323,7 @@ Index: shadow-4.5/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2228,8 +2239,8 @@ int main (int argc, char **argv) +@@ -2280,8 +2291,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2347,7 +2334,7 @@ Index: shadow-4.5/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) +@@ -2319,8 +2330,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.6-getenforce.patch b/shadow-4.6-getenforce.patch new file mode 100644 index 0000000..8a55bf5 --- /dev/null +++ b/shadow-4.6-getenforce.patch 
@@ -0,0 +1,21 @@ +diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c +--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200 ++++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200 +@@ -75,7 +75,7 @@ int set_selinux_file_context (const char + } + return 0; + error: +- if (security_getenforce () != 0) { ++ if (security_getenforce () > 0) { + return 1; + } + return 0; +@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) + selinux_checked = true; + } + if (selinux_enabled) { +- if (setfscreatecon (NULL) != 0) { ++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { + return 1; + } + } diff --git a/shadow-4.6-move-home.patch b/shadow-4.6-move-home.patch new file mode 100644 index 0000000..cff9561 --- /dev/null +++ b/shadow-4.6-move-home.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200 +@@ -1845,6 +1845,11 @@ static void move_home (void) + Prog, prefix_user_home, prefix_user_newhome); + fail_exit (E_HOMEDIR); + } ++ } else { ++ fprintf (stderr, ++ _("%s: The previous home directory (%s) does " ++ "not exist or is inaccessible. Move cannot be completed.\n"), ++ Prog, prefix_user_home); + } + } + diff --git a/shadow-4.5-orig-context.patch b/shadow-4.6-orig-context.patch similarity index 65% rename from shadow-4.5-orig-context.patch rename to shadow-4.6-orig-context.patch index a1c2235..ea522e7 100644 --- a/shadow-4.5-orig-context.patch +++ b/shadow-4.6-orig-context.patch 
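Review bot: The new `security_getenforce () > 0` tests in both hunks fold the lookup-failure case into the permissive case, because security_getenforce() returns -1 when the enforcement mode cannot be read, so an unreadable selinuxfs now silently turns a failed context operation into success instead of an error. Storing the result once, `int mode = security_getenforce ();`, and treating `mode < 0` as a failure (or at least logging it, if the SYSLOG macro is available in lib/selinux.c) before falling through to the `mode > 0` check keeps the intended permissive-mode relaxation without masking a misconfigured system. The second hunk additionally ignores a failed `setfscreatecon (NULL)` reset when not enforcing, which looks intended, but a comment such as `/* a stale creation context is tolerated when not enforcing */` would record that choice. Both enclosing functions, set_selinux_file_context and reset_selinux_file_context, begin outside these hunks.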
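Review bot: The new `else` branch in move_home reports a missing or inaccessible old home directory and then falls through, whereas the sibling failure path just above calls `fail_exit (E_HOMEDIR)`; the hunk does not say whether continuing without the move is deliberate. If it is, a comment on the new branch such as `/* missing old home is reported but not fatal: the rest of the update proceeds */` would stop a later reader from turning it into a hard error, and if the remaining account updates are not supposed to proceed, this branch needs the same fail_exit. move_home begins and ends outside the hunk.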
@@ -1,8 +1,7 @@ -Index: shadow-4.5/lib/commonio.c -=================================================================== ---- shadow-4.5.orig/lib/commonio.c -+++ shadow-4.5/lib/commonio.c -@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * +diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c +--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200 +@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); #ifdef WITH_SELINUX @@ -11,7 +10,7 @@ Index: shadow-4.5/lib/commonio.c errors++; } #endif -@@ -974,7 +974,7 @@ int commonio_close (struct commonio_db * +@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -20,10 +19,9 @@ Index: shadow-4.5/lib/commonio.c errors++; } #endif -Index: shadow-4.5/libmisc/copydir.c -=================================================================== ---- shadow-4.5.orig/libmisc/copydir.c -+++ shadow-4.5/libmisc/copydir.c +diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c +--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ 
@@ -60,11 +58,10 @@ Index: shadow-4.5/libmisc/copydir.c return -1; } #endif /* WITH_SELINUX */ -Index: shadow-4.5/lib/prototypes.h -=================================================================== ---- shadow-4.5.orig/lib/prototypes.h -+++ shadow-4.5/lib/prototypes.h -@@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200 +@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -73,10 +70,9 @@ Index: shadow-4.5/lib/prototypes.h extern int reset_selinux_file_context (void); #endif -Index: shadow-4.5/lib/selinux.c -=================================================================== ---- shadow-4.5.orig/lib/selinux.c -+++ shadow-4.5/lib/selinux.c +diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c +--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context 
@@ -118,16 +114,15 @@ Index: shadow-4.5/lib/selinux.c } /* -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -1945,7 +1945,7 @@ static void create_home (void) +diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200 +@@ -2020,7 +2020,7 @@ static void create_home (void) { - if (access (user_home, F_OK) != 0) { + if (access (prefix_user_home, F_OK) != 0) { #ifdef WITH_SELINUX -- if (set_selinux_file_context (user_home) != 0) { -+ if (set_selinux_file_context (user_home, NULL) != 0) { +- if (set_selinux_file_context (prefix_user_home) != 0) { ++ if (set_selinux_file_context (prefix_user_home, NULL) != 0) { fprintf (stderr, _("%s: cannot set SELinux context for home directory %s\n"), Prog, user_home); diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.6-redhat.patch similarity index 60% rename from shadow-4.1.5-redhat.patch rename to shadow-4.6-redhat.patch index ef26cbd..7a8be2e 100644 --- a/shadow-4.1.5-redhat.patch +++ b/shadow-4.6-redhat.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c +diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200 @@ -98,7 +98,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; 
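Review bot: In the rebased create_home hunk the access() check and the set_selinux_file_context() call now operate on `prefix_user_home`, but the error message on the following context line still prints `user_home`, so under --prefix the diagnostic names a path other than the one whose context could not be set. Since this downstream patch already touches the call, `Prog, prefix_user_home);` would make the message match the operation; otherwise it is worth an upstream follow-up. create_home continues past the end of the hunk.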
@@ -20,19 +19,19 @@ Index: shadow-4.5/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1059,9 +1059,9 @@ static void process_flags (int argc, cha +@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:", #else /* !WITH_SELINUX */ -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U", #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1212,6 +1212,7 @@ static void process_flags (int argc, cha +@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.5-selinux.patch b/shadow-4.6-selinux.patch similarity index 75% rename from shadow-4.5-selinux.patch rename to shadow-4.6-selinux.patch index cd1a3b4..dfd5140 100644 --- a/shadow-4.5-selinux.patch +++ b/shadow-4.6-selinux.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/lib/semanage.c -=================================================================== ---- shadow-4.5.orig/lib/semanage.c -+++ shadow-4.5/lib/semanage.c +diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c +--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200 @@ -294,6 +294,9 @@ int set_seuser (const char *login_name, ret = 0; 
@@ -23,11 +22,10 @@ Index: shadow-4.5/lib/semanage.c done: semanage_handle_destroy (handle); return ret; -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -2042,6 +2042,7 @@ static void create_mail (void) +diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200 +@@ -2120,6 +2120,7 @@ static void create_mail (void) */ int main (int argc, char **argv) { @@ -35,14 +33,14 @@ Index: shadow-4.5/src/useradd.c #ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; -@@ -2262,27 +2263,11 @@ int main (int argc, char **argv) +@@ -2342,27 +2343,11 @@ int main (int argc, char **argv) usr_update (); - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, +- copy_tree (def_template, prefix_user_home, false, false, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, @@ -66,7 +64,7 @@ Index: shadow-4.5/src/useradd.c /* * tallylog_reset needs to be able to lookup * a valid existing user name, -@@ -2293,8 +2278,9 @@ int main (int argc, char **argv) +@@ -2373,8 +2358,9 @@ int main (int argc, char **argv) } #ifdef WITH_SELINUX @@ -78,7 +76,7 @@ Index: shadow-4.5/src/useradd.c fprintf (stderr, _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); -@@ -2303,14 +2289,31 @@ int main (int argc, char **argv) +@@ -2383,14 +2369,31 @@ int main (int argc, char **argv) "adding SELinux user mapping", user_name, (unsigned int) user_id, 0); #endif /* WITH_AUDIT */ 
@@ -95,7 +93,7 @@ Index: shadow-4.5/src/useradd.c + if (mflg) { + create_home (); + if (home_added) { -+ copy_tree (def_template, user_home, false, true, ++ copy_tree (def_template, prefix_user_home, false, true, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, diff --git a/shadow-4.6-usermod-crash.patch b/shadow-4.6-usermod-crash.patch new file mode 100644 index 0000000..d2861b3 --- /dev/null +++ b/shadow-4.6-usermod-crash.patch 
@@ -0,0 +1,42 @@ +diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c +--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200 +@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi + { + long long int gid; + char *endptr; ++ struct group *g; + + if (NULL == grname) { + return NULL; +@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi + && (gid == (gid_t)gid)) { + return prefix_getgrgid ((gid_t) gid); + } +- return prefix_getgrnam (grname); ++ g = prefix_getgrnam (grname); ++ return g ? __gr_dup(g) : NULL; + } + else + return getgr_nam_gid(grname); +diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200 +@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha + prefix_user_home = xmalloc(len); + wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home); + assert (wlen == (int) len -1); ++ if (user_newhome) { ++ len = strlen(prefix) + strlen(user_newhome) + 2; ++ prefix_user_newhome = xmalloc(len); ++ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); ++ assert (wlen == (int) len -1); ++ } + +- len = strlen(prefix) + strlen(user_newhome) + 2; +- prefix_user_newhome = xmalloc(len); +- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); +- assert (wlen == (int) len -1); + } + else { + prefix_user_home = user_home; diff --git a/shadow-utils.spec b/shadow-utils.spec index 883e02c..35732ac 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
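Review bot: The `__gr_dup` added on the name-lookup path makes the result of prefix_getgr_nam_gid an owned copy, but the numeric path two lines above, `return prefix_getgrgid ((gid_t) gid);`, still returns the un-duplicated pointer, so a caller that frees the result (which the dup implies) behaves differently for a numeric -g than for a group name under --prefix. Returning a copy from both branches, e.g. `g = prefix_getgrgid ((gid_t) gid); return g ? __gr_dup(g) : NULL;`, keeps the ownership contract uniform; the non-prefix branch `return getgr_nam_gid(grname);` presumably already returns an allocation, which is worth confirming. In the usermod.c hunk the new `if (user_newhome)` block removes the NULL strlen, but it copies the surrounding idiom of using `assert` as the snprintf truncation check, which is compiled out under NDEBUG; because `len` is computed from the same strings, truncation cannot occur here, and a one-line comment saying so would document why assert is acceptable. Both enclosing functions start before and end after their hunks.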
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.5 -Release: 10%{?dist} +Version: 4.6 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -10,28 +10,26 @@ Source2: shadow-utils.useradd Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -Patch0: shadow-4.1.5-redhat.patch +Patch0: shadow-4.6-redhat.patch Patch1: shadow-4.5-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch6: shadow-4.5-selinux.patch -Patch7: shadow-4.1.5-2ndskip.patch -Patch10: shadow-4.5-orig-context.patch +Patch6: shadow-4.6-selinux.patch +Patch10: shadow-4.6-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch19: shadow-4.2.1-date-parsing.patch -Patch20: shadow-4.1.5.1-ingroup.patch -Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.3.1-audit-update.patch +Patch21: shadow-4.6-move-home.patch +Patch22: shadow-4.6-audit-update.patch Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch -Patch30: shadow-4.1.5.1-newgrp-grouplist.patch -Patch31: shadow-4.5-userdel-chroot.patch +Patch31: shadow-4.6-getenforce.patch Patch32: shadow-4.5-crypt_h.patch Patch33: shadow-4.5-long-entry.patch +Patch34: shadow-4.6-usermod-crash.patch License: BSD and GPLv2+ Group: System Environment/Base 
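Review bot: The Patch31 slot is re-pointed from shadow-4.5-userdel-chroot.patch to the unrelated shadow-4.6-getenforce.patch, and Patch7, Patch20 and Patch30 disappear, while the changelog entry in the `@@ -237,6 +233,9 @@` hunk records only `- update to current upstream release 4.6`. Reusing a number for a different patch and dropping four downstream patches without saying why makes it hard to audit later which fixes were merged upstream and which were abandoned. Giving the new patch its own number (the next free one, as Patch34 does for usermod-crash) and adding a changelog line naming the dropped patches as upstreamed, if that is the case, would keep the spec history traceable.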
@@ -67,24 +65,22 @@ are used for managing group accounts. %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir %patch6 -p1 -b .selinux -%patch7 -p1 -b .2ndskip %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel %patch19 -p1 -b .date-parsing -%patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm -%patch30 -p1 -b .grouplist -%patch31 -p1 -b .userdel-chroot +%patch31 -p1 -b .getenforce %patch32 -p1 -b .crypt_h %patch33 -p1 -b .long-entry +%patch34 -p1 -b .usermod-crash iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -237,6 +233,9 @@ done %{_mandir}/man8/vigr.8* %changelog +* Mon May 28 2018 Tomáš Mráz - 2:4.6-1 +- update to current upstream release 4.6 + * Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 - Raise limit for passwd and shadow entry length but also prevent writing longer entries (#1422497) diff --git a/sources b/sources index a50063e..2093465 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (shadow-4.5.tar.xz) = e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 -SHA512 (shadow-4.5.tar.xz.asc) = 42739e5e36e0dd1ff8e9d8721f5b4b222113afd91c927b580bc0b587d59dcdecdf938c978405b80f15a70b17f2d0589f8b6277e0e9bd23a5f3c2fc924c9b1e24 +SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631 +SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed From 0aa80600347bf2cf430a3017b26ad495a40eb628 Mon Sep 17 00:00:00 2001 
From: Jason Tibbitts Date: Tue, 10 Jul 2018 01:20:51 -0500 Subject: [PATCH 145/151] Remove needless use of %defattr --- shadow-utils.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 35732ac..509265c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -183,7 +183,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do done %files -f shadow.lang -%defattr(-,root,root) %doc NEWS doc/HOWTO README %{!?_licensedir:%global license %%doc} %license gpl-2.0.txt shadow-bsd.txt From 8362f15341f867d3bdd5a6d09eb53b4752bf3b34 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 14 Jul 2018 06:02:14 +0000 Subject: [PATCH 146/151] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 509265c..8587c71 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ done %{_mandir}/man8/vigr.8* %changelog +* Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Mon May 28 2018 Tomáš Mráz - 2:4.6-1 - update to current upstream release 4.6 From f0fc249a12652b4b7b83e2c504187ce6352f2ecb Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:12:27 -0400 Subject: [PATCH 147/151] initial build steps for the package on centos7 Signed-off-by: Vincent Batts --- shadow-utils.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index 8587c71..9b9e883 100644 --- a/shadow-utils.spec 
+++ b/shadow-utils.spec @@ -97,6 +97,10 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +rm aclocal.m4 +aclocal +libtoolize --force + autoreconf %configure \ --enable-shadowgrp \ From 6a08374eef51fdd1f9e882c7e9a47d893ab53e12 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:14:39 -0400 Subject: [PATCH 148/151] spec: fetch sources from github if needed there is the 'sources' file that fedpkg uses, but for now allow fetching from the source URLs to build. Signed-off-by: Vincent Batts --- shadow-utils.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index 9b9e883..1ab546d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,3 +1,6 @@ +# they warn against doing this ... +%define _disable_source_fetch 0 + Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 From 354422003508b31a08c8779b5e3851cc1ed97133 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:35:53 -0400 Subject: [PATCH 149/151] spec: subpackage of newuidmap and newgidmap and have the main package depend on them for consistent experience. Though this may hae the side effect of yum wanting to use the main shadow as an upgrade to the shadow 4.1 that centos/rhel are using ... Built local rpm with: ```shell rpmbuild \ --define "_sourcedir $(pwd)" \ --define "_specdir $(pwd)" \ --define "_builddir $(pwd)" \ --define "_srcrpmdir $(pwd)" \ --define "_rpmdir $(pwd)" \ --nodeps \ -ba \ shadow-utils.spec ``` Signed-off-by: Vincent Batts --- shadow-utils.spec | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 1ab546d..e8bc3a4 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
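Review bot: The added `rm aclocal.m4` has no `-f`, so %build aborts outright if the tarball or an earlier patch ever stops shipping that file; `rm -f aclocal.m4` keeps the intent without the hard failure. The `aclocal` and `libtoolize --force` lines duplicate what `autoreconf -fi` on the following line would run itself, so the three additions could collapse into changing `autoreconf` to `autoreconf -fi`, which also documents that the regeneration is deliberate. The rest of the %build section is outside the hunk.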
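Review bot: `%define _disable_source_fetch 0` lets rpmbuild download Source0 over the network at build time with no integrity check anywhere in this spec, so the build trusts whatever the URL returns; the SHA512 entries in the `sources` file are consulted by fedpkg, as the commit message itself notes, not by rpmbuild. If the fetch is kept, verify the tarball in %prep before `%setup`, either `sha512sum -c` against the recorded digest or a signature check with the upstream `.asc` that `sources` also lists, and keep the fetch scoped to development builds. The comment `# they warn against doing this ...` would be more useful as `# source fetch bypasses the lookaside digests; development builds only`.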
@@ -48,6 +48,7 @@ Requires: audit-libs >= 1.6.5 Requires: setup Requires(pre): coreutils Requires(post): coreutils +Requires: %{name}-newxidmap = %{version}-%{release} Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -62,6 +63,11 @@ for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts. +%package newxidmap +Summary: only the newuidmapp and newgidmap from shadow-utils +%description newxidmap +%{summary}. + %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat @@ -200,8 +206,6 @@ done %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp -%attr(4755,root,root) %{_bindir}/newgidmap -%attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/group* @@ -217,8 +221,6 @@ done %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* -%{_mandir}/man1/newgidmap.1* -%{_mandir}/man1/newuidmap.1* %{_mandir}/man3/shadow.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* @@ -238,6 +240,12 @@ done %{_mandir}/man8/vipw.8* %{_mandir}/man8/vigr.8* +%files newxidmap +%attr(4755,root,root) %{_bindir}/newgidmap +%attr(4755,root,root) %{_bindir}/newuidmap +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* + %changelog * Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From 7f73f07a1aea7eadfb9f74c5c262e3ebad9d69b9 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:49:10 -0400 Subject: [PATCH 150/151] source file is confusing the lookaside on copr Signed-off-by: Vincent Batts --- sources => sources.bak | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources => sources.bak (100%) 
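Review bot: The new subpackage summary misspells the binary, `Summary: only the newuidmapp and newgidmap from shadow-utils`, and because `%description newxidmap` expands to `%{summary}.` the typo is shown in both places. `Summary: Setuid newuidmap and newgidmap helpers from shadow-utils` fixes the spelling and says what the subpackage actually carries.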
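Review bot: `%files newxidmap` ships only the two setuid-root binaries and their man pages but no `%license`, and the subpackage does not require the main package, so installing it alone delivers no license text even though the main `%files` carries `%license gpl-2.0.txt shadow-bsd.txt`. Add `%license gpl-2.0.txt shadow-bsd.txt` to the new `%files newxidmap` section. A one-line comment above the `%attr(4755,root,root)` entries, such as `# newuidmap/newgidmap must be setuid root to write subordinate id maps`, would make clear to the next reader that the mode is intentional rather than inherited by accident from the main package.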
diff --git a/sources b/sources.bak similarity index 100% rename from sources rename to sources.bak From 3815c0b5ba14330979f63089b7d44cd95b25f38a Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 9 Oct 2018 10:15:32 -0400 Subject: [PATCH 151/151] change package name so "shadow-utils" won't attempt to update Signed-off-by: Vincent Batts --- shadow-utils.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index e8bc3a4..40be79a 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,8 +1,9 @@ # they warn against doing this ... %define _disable_source_fetch 0 +%define srcname shadow-utils Summary: Utilities for managing accounts and shadow password files -Name: shadow-utils +Name: %{srcname}46 Version: 4.6 Release: 2%{?dist} Epoch: 2
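Review bot: Renaming the package to `%{srcname}46` does not appear to achieve co-installation with the distribution's shadow-utils, since every path in `%files` (`%{_bindir}/newgrp`, `%{_sbindir}/user*`, the man pages) is unchanged and rpm will still refuse the install on file conflicts, while nothing in the spec now states the intended relationship to the stock package. If the goal is to replace the stock package without being upgraded back, add an explicit `Conflicts: shadow-utils` (or `Provides: shadow-utils = %{epoch}:%{version}-%{release}` with a matching `Obsoletes:`) and record the decision in a comment next to `%define srcname shadow-utils`. `%global srcname shadow-utils` is the conventional form for a spec-wide macro.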