diff --git a/.gitignore b/.gitignore index e78a553..3b04b1e 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,8 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.5.1.tar.bz2.sig /shadow-4.2.1.tar.xz /shadow-4.2.1.tar.xz.sig +/shadow-4.3.1.tar.gz +/shadow-4.5.tar.xz +/shadow-4.5.tar.xz.asc +/shadow-4.6.tar.xz +/shadow-4.6.tar.xz.asc diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch deleted file mode 100644 index 8a9cf68..0000000 --- a/shadow-4.1.5-2ndskip.patch +++ /dev/null @@ -1,100 +0,0 @@ -diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c ---- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200 -+++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200 -@@ -143,6 +143,7 @@ int main (int argc, char **argv) - struct group grent; - const struct sgrp *sg; - struct sgrp sgent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -184,20 +185,25 @@ int main (int argc, char **argv) - * Remove /etc/gshadow entries for groups not in /etc/group. - */ - (void) sgr_rewind (); -- while ((sg = sgr_next ()) != NULL) { -- if (gr_locate (sg->sg_name) != NULL) { -- continue; -- } -- -- if (sgr_remove (sg->sg_name) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... -- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sg->sg_name, sgr_dbname ()); -- fail_exit (3); -+ sg = sgr_next (); -+ np=NULL; -+ while (sg != NULL) { -+ np = strdup(sg->sg_name); -+ sg = sgr_next (); -+ -+ if(gr_locate (np) == NULL) { -+ if (sgr_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, sgr_dbname ()); -+ free(np); -+ fail_exit (3); -+ } - } -+ free(np); - } - - /* -diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c ---- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200 -+++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200 -@@ -173,6 +173,7 @@ int main (int argc, char **argv) - struct passwd pwent; - const struct spwd *sp; - struct spwd spent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -223,20 +224,25 @@ int main (int argc, char **argv) - * Remove /etc/shadow entries for users not in /etc/passwd. - */ - (void) spw_rewind (); -- while ((sp = spw_next ()) != NULL) { -- if (pw_locate (sp->sp_namp) != NULL) { -- continue; -- } -- -- if (spw_remove (sp->sp_namp) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... -- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sp->sp_namp, spw_dbname ()); -- fail_exit (E_FAILURE); -+ sp = spw_next (); -+ np = NULL; -+ while (sp != NULL) { -+ np = strdup(sp->sp_namp); -+ sp = spw_next (); -+ -+ if (pw_locate (np) == NULL) { -+ if (spw_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, spw_dbname ()); -+ free(np); -+ fail_exit (E_FAILURE); -+ } - } -+ free(np); - } - - /* diff --git a/shadow-4.1.5-uflg.patch b/shadow-4.1.5-uflg.patch deleted file mode 100644 index f72bca3..0000000 --- a/shadow-4.1.5-uflg.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c ---- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200 -+++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100 -@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group, - return -1; - } - } else { -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ gid_min = (gid_t) 1; - gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - if (gid_max < gid_min) { -@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group, - return 0; - } - -+ /* if we did not find free preffered system gid, we start to look for -+ * one in the range assigned to dynamic system IDs */ -+ if (sys_group) -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); - - /* - * Search the entire group file, diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch deleted file mode 100644 index 6fbbdbf..0000000 --- a/shadow-4.1.5.1-audit-owner.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100 -+++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200 -@@ -1513,6 +1513,14 @@ static void move_home (void) - fail_exit (E_HOMEDIR); - } - -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif -+ - if (rename (user_home, user_newhome) == 0) { - /* FIXME: rename above may have broken symlinks - * pointing to the user's home directory -@@ -1947,6 +1955,13 @@ int main (int argc, char **argv) - * ownership. - * - */ -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif - if (chown_tree (dflg ? user_newhome : user_home, - user_id, - uflg ? user_newid : (uid_t)-1, diff --git a/shadow-4.1.5.1-backup-mode.patch b/shadow-4.1.5.1-backup-mode.patch deleted file mode 100644 index 7366b86..0000000 --- a/shadow-4.1.5.1-backup-mode.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 -@@ -301,15 +301,12 @@ static int create_backup (const char *ba - struct utimbuf ub; - FILE *bkfp; - int c; -- mode_t mask; - - if (fstat (fileno (fp), &sb) != 0) { - return -1; - } - -- mask = umask (077); -- bkfp = fopen (backup, "w"); -- (void) umask (mask); -+ bkfp = fopen_set_perms (backup, "w", &sb); - if (NULL == bkfp) { - return -1; - } diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch index 45c677a..2a9d640 100644 --- a/shadow-4.1.5.1-default-range.patch +++ b/shadow-4.1.5.1-default-range.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200 +Index: shadow-4.5/lib/semanage.c +=================================================================== +--- shadow-4.5.orig/lib/semanage.c ++++ shadow-4.5/lib/semanage.c @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h goto done; } diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch deleted file mode 100644 index 6f3a1d2..0000000 --- a/shadow-4.1.5.1-errmsg.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200 -@@ -1760,6 +1760,9 @@ static void create_home (void) - if (access (user_home, F_OK) != 0) { - #ifdef WITH_SELINUX - if (set_selinux_file_context (user_home, NULL) != 0) { -+ fprintf (stderr, -+ _("%s: cannot set SELinux context for home directory %s\n"), -+ Prog, user_home); - fail_exit (E_HOMEDIR); - } - #endif -@@ -1789,6 +1792,9 @@ static void create_home (void) - #ifdef WITH_SELINUX - /* Reset SELinux to create files with default contexts */ - if (reset_selinux_file_context () != 0) { -+ fprintf (stderr, -+ _("%s: cannot reset SELinux file creation context\n"), -+ Prog); - fail_exit (E_HOMEDIR); - } - #endif diff --git a/shadow-4.1.5.1-id-alloc.patch b/shadow-4.1.5.1-id-alloc.patch deleted file mode 100644 index df6f89f..0000000 --- a/shadow-4.1.5.1-id-alloc.patch +++ /dev/null @@ -1,1219 +0,0 @@ -Previously, this allocation was optimized for an outdated -deployment style (that of /etc/group alongside nss_db). The issue -here is that this results in extremely poor performance when using -SSSD, Winbind or nss_ldap. - -There were actually three serious bugs here that have been addressed: - -1) Running getgrent() loops won't work in most SSSD or Winbind -environments, as full group enumeration is disabled by default. -This could easily result in auto-allocating a group that was -already in use. (This might result in a security issue as well, if -the shared GID is a privileged group). - -2) For system groups, the loop was always iterating through the -complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this -means hundreds of round-trips to LDAP (unless the GIDs were -specifically configured to be ignored by the SSSD or winbindd). -To a user with a slow connection to their LDAP server, this would -appear as if groupadd -r was hung. (Though it would eventually -complete). - -3) This patch also adds better error-handling for errno from -getgrgid(), since if this function returns an unexpected error, we -should not be treating it as "ID is available". This could result -in assigning a GID that was already in use, with all the same -issues as 1) above. - -This patch changes the algorithm to be more favorable for LDAP -environments, at the expense of some performance when using nss_db. -Given that the DB is a local service, this should have a negligible -effect from a user's perspective. - -With the new algorithm, we simply first iterate through all entries -in the local database with gr_next(), recording the IDs that are in -use. We then start from the highest presumed-available entry and -call getgrgid() to see if it is available. We continue this until -we come to the first unused GID. We then select that and return it. - -If we make it through all the remaining IDs without finding a free -one, we start over from the beginning of the range and try to find -room in one of the gaps in the range. - -The patch was originally written by Stephen Gallagher and applied -identically also to the user allocation by Tomáš Mráz. - -diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c ---- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_group, gid_t *min_id, gid_t *max_id, -+ gid_t *preferred_min) -+{ -+ gid_t gid_def_max = 0; -+ -+ if (sys_group) { -+ /* System groups */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (gid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (gid_t) getdef_ulong("SYS_GID_MIN", 101UL); -+ -+ /* -+ * If SYS_GID_MAX is unspecified, we should assume it to be one -+ * less than the GID_MIN (which is reserved for non-system accounts) -+ */ -+ gid_def_max = (gid_t) getdef_ulong("GID_MIN", 1000UL) - 1; -+ *max_id = (gid_t) getdef_ulong("SYS_GID_MAX", -+ (unsigned long) gid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_GID_MIN (%lu), " -+ "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("GID_MIN", 1000UL), -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system groups */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (gid_t) getdef_ulong("GID_MIN", 1000UL); -+ *max_id = (gid_t) getdef_ulong("GID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system groups. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: GID_MIN (%lu), " -+ "GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_gid - See if the requested GID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getgrgid() -+ */ -+static int check_gid(const gid_t gid, -+ const gid_t gid_min, -+ const gid_t gid_max, -+ bool *used_gids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (gid < gid_min || gid > gid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this GID -+ * using the gr_next() loop -+ */ -+ if (used_gids != NULL && used_gids[gid]) { -+ return EEXIST; -+ } -+ /* Check if the GID exists according to NSS */ -+ errno = 0; -+ if (getgrgid(gid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getgrgid() was NULL, check whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the GID must be available */ -+ return 0; -+} -+ -+/* - * find_new_gid - Find a new unused GID. - * - * If successful, find_new_gid provides an unused group ID in the -@@ -48,166 +160,339 @@ - * - * Return 0 on success, -1 if no unused GIDs are available. - */ --int find_new_gid (bool sys_group, -- gid_t *gid, -- /*@null@*/gid_t const *preferred_gid) -+int find_new_gid(bool sys_group, -+ gid_t *gid, -+ /*@null@*/gid_t const *preferred_gid) - { -- const struct group *grp; -- gid_t gid_min, gid_max, group_id; - bool *used_gids; -+ const struct group *grp; -+ gid_t gid_min, gid_max, preferred_min; -+ gid_t group_id, id; -+ gid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - -- assert (gid != NULL); -+ assert(gid != NULL); - -- if (!sys_group) { -- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); -- gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, (unsigned long) gid_max); -- return -1; -- } -- } else { -- gid_min = (gid_t) 1; -- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; -- gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_group, &gid_min, &gid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred GID is available */ -+ if (preferred_gid) { -+ result = check_gid(*preferred_gid, preferred_min, gid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the GID isn't queued for use already -+ */ -+ if (gr_locate_gid (*preferred_gid) == NULL) { -+ *gid = *preferred_gid; -+ return 0; -+ } -+ /* -+ * gr_locate_gid() found the GID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set a GID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the group creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific GID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred GID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire group file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with gr_rewind/gr_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system groups) or highest (non-system -+ * groups), we will prefer those and avoid potentially reclaiming a -+ * deleted group (which can be a security issue, since it may grant -+ * access to files belonging to that former group). -+ * -+ * If there are no GIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. -+ * -+ */ -+ -+ /* Create an array to hold all of the discovered GIDs */ - used_gids = malloc (sizeof (bool) * (gid_max +1)); - if (NULL == used_gids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_gids, false, sizeof (bool) * (gid_max + 1)); - -- if ( (NULL != preferred_gid) -- && (*preferred_gid >= gid_min) -- && (*preferred_gid <= gid_max) -- /* Check if the user exists according to NSS */ -- && (getgrgid (*preferred_gid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (gr_locate_gid (*preferred_gid) == NULL)) { -- *gid = *preferred_gid; -- free (used_gids); -- return 0; -- } -- -- /* if we did not find free preffered system gid, we start to look for -- * one in the range assigned to dynamic system IDs */ -- if (sys_group) -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ /* First look for the lowest and highest value in the local database */ -+ (void) gr_rewind (); -+ highest_found = gid_min; -+ lowest_found = gid_max; -+ while ((grp = gr_next ()) != NULL) { -+ /* -+ * Does this entry have a lower GID than the lowest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) { -+ lowest_found = grp->gr_gid - 1; -+ } -+ -+ /* -+ * Does this entry have a higher GID than the highest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) { -+ highest_found = grp->gr_gid + 1; -+ } -+ -+ /* create index of used GIDs */ -+ if (grp->gr_gid >= gid_min -+ && grp->gr_gid <= gid_max) { -+ -+ used_gids[grp->gr_gid] = true; -+ } -+ } - -- /* -- * Search the entire group file, -- * looking for the largest unused value. -- * -- * We check the list of groups according to NSS (setgrent/getgrent), -- * but we also check the local database (gr_rewind/gr_next) in case -- * some groups were created but the changes were not committed yet. -- */ - if (sys_group) { -- gid_t id; -- /* setgrent / getgrent / endgrent can be very slow with -- * LDAP configurations (and many accounts). -- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getgrgid. -- */ -- group_id = gid_max; -- for (id = gid_max; id >= gid_min; id--) { -- if (getgrgid (id) != NULL) { -- group_id = id - 1; -- used_gids[id] = true; -- } -+ /* -+ * For system groups, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MIN - 1. -+ */ -+ if (lowest_found < gid_min) { -+ /* -+ * In this case, a GID is in use at GID_MIN. -+ * -+ * We will reset the search to GID_MAX and proceed down -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ lowest_found = gid_max; - } - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { -- group_id = grp->gr_gid - 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- group_id = gid_min; -- setgrent (); -- while ((grp = getgrent ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * GID_MAX - 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != gid_max) { -+ for (id = gid_max; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ -+ } - } - } -- endgrent (); -+ } else { /* !sys_group */ -+ /* -+ * For non-system groups, we want to start from the -+ * bottom of the range and work upwards. -+ */ - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -- } -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MAX + 1. -+ */ -+ if (highest_found > gid_max) { -+ /* -+ * In this case, a GID is in use at GID_MAX. -+ * -+ * We will reset the search to GID_MIN and proceed up -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ highest_found = gid_min; - } -- } - -- /* -- * If a group (resp. system group) with GID equal to GID_MAX (resp. -- * GID_MIN) exists, the above algorithm will give us GID_MAX+1 -- * (resp. GID_MIN-1) even if not unique. Search for the first free -- * GID starting with GID_MIN (resp. GID_MAX). -- */ -- if (sys_group) { -- if (group_id < gid_min) { -- for (group_id = gid_max; group_id >= gid_min; group_id--) { -- if (false == used_gids[group_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (group_id < gid_min) { -- fprintf (stderr, -- _("%s: Can't get unique system GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available GID on the system")); -- free (used_gids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- if (group_id > gid_max) { -- for (group_id = gid_min; group_id <= gid_max; group_id++) { -- if (false == used_gids[group_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * GID_MIN + 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != gid_min) { -+ for (id = gid_min; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- if (group_id > gid_max) { -- fprintf (stderr, -- _("%s: Can't get unique GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available GID on the system")); -- free (used_gids); -- return -1; -- } - } - } - -- free (used_gids); -- *gid = group_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique GID (no more available GIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available GIDs on the system")); -+ free(used_gids); -+ return -1; - } - -diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c ---- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id, -+ uid_t *preferred_min) -+{ -+ uid_t uid_def_max = 0; -+ -+ if (sys_user) { -+ /* System users */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (uid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL); -+ -+ /* -+ * If SYS_UID_MAX is unspecified, we should assume it to be one -+ * less than the UID_MIN (which is reserved for non-system accounts) -+ */ -+ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1; -+ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX", -+ (unsigned long) uid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_UID_MIN (%lu), " -+ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("UID_MIN", 1000UL), -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system users */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (uid_t) getdef_ulong("UID_MIN", 1000UL); -+ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system users. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: UID_MIN (%lu), " -+ "UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_uid - See if the requested UID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getpwuid() -+ */ -+static int check_uid(const uid_t uid, -+ const uid_t uid_min, -+ const uid_t uid_max, -+ bool *used_uids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (uid < uid_min || uid > uid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this UID -+ * using the pw_next() loop -+ */ -+ if (used_uids != NULL && used_uids[uid]) { -+ return EEXIST; -+ } -+ /* Check if the UID exists according to NSS */ -+ errno = 0; -+ if (getpwuid(uid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getpwuid() was NULL, check whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the UID must be available */ -+ return 0; -+} -+ -+/* - * find_new_uid - Find a new unused UID. - * - * If successful, find_new_uid provides an unused user ID in the -@@ -48,162 +160,339 @@ - * - * Return 0 on success, -1 if no unused UIDs are available. - */ --int find_new_uid (bool sys_user, -- uid_t *uid, -- /*@null@*/uid_t const *preferred_uid) -+int find_new_uid(bool sys_user, -+ uid_t *uid, -+ /*@null@*/uid_t const *preferred_uid) - { -- const struct passwd *pwd; -- uid_t uid_min, uid_max, user_id; - bool *used_uids; -+ const struct passwd *pwd; -+ uid_t uid_min, uid_max, preferred_min; -+ uid_t user_id, id; -+ uid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - - assert (uid != NULL); - -- if (!sys_user) { -- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, (unsigned long) uid_max); -- return -1; -- } -- } else { -- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); -- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; -- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred UID is available */ -+ if (preferred_uid) { -+ result = check_uid(*preferred_uid, preferred_min, uid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the UID isn't queued for use already -+ */ -+ if (pw_locate_uid (*preferred_uid) == NULL) { -+ *uid = *preferred_uid; -+ return 0; -+ } -+ /* -+ * pw_locate_uid() found the UID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set an UID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the user creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific UID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred UID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire passwd file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with pw_rewind/pw_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system users) or highest (non-system -+ * users), we will prefer those and avoid potentially reclaiming a -+ * deleted user (which can be a security issue, since it may grant -+ * access to files belonging to that former user). -+ * -+ * If there are no UIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. -+ * -+ */ -+ -+ /* Create an array to hold all of the discovered UIDs */ - used_uids = malloc (sizeof (bool) * (uid_max +1)); - if (NULL == used_uids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_uids, false, sizeof (bool) * (uid_max + 1)); - -- if ( (NULL != preferred_uid) -- && (*preferred_uid >= uid_min) -- && (*preferred_uid <= uid_max) -- /* Check if the user exists according to NSS */ -- && (getpwuid (*preferred_uid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (pw_locate_uid (*preferred_uid) == NULL)) { -- *uid = *preferred_uid; -- free (used_uids); -- return 0; -- } -+ /* First look for the lowest and highest value in the local database */ -+ (void) pw_rewind (); -+ highest_found = uid_min; -+ lowest_found = uid_max; -+ while ((pwd = pw_next ()) != NULL) { -+ /* -+ * Does this entry have a lower UID than the lowest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) { -+ lowest_found = pwd->pw_uid - 1; -+ } - -+ /* -+ * Does this entry have a higher UID than the highest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) { -+ highest_found = pwd->pw_uid + 1; -+ } -+ -+ /* create index of used UIDs */ -+ if (pwd->pw_uid >= uid_min -+ && pwd->pw_uid <= uid_max) { -+ -+ used_uids[pwd->pw_uid] = true; -+ } -+ } - -- /* -- * Search the entire password file, -- * looking for the largest unused value. -- * -- * We check the list of users according to NSS (setpwent/getpwent), -- * but we also check the local database (pw_rewind/pw_next) in case -- * some users were created but the changes were not committed yet. -- */ - if (sys_user) { -- uid_t id; -- /* setpwent / getpwent / endpwent can be very slow with -- * LDAP configurations (and many accounts). -- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getpwuid. -- */ -- user_id = uid_max; -- for (id = uid_max; id >= uid_min; id--) { -- if (getpwuid (id) != NULL) { -- user_id = id - 1; -- used_uids[id] = true; -- } -+ /* -+ * For system users, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MIN - 1. -+ */ -+ if (lowest_found < uid_min) { -+ /* -+ * In this case, an UID is in use at UID_MIN. -+ * -+ * We will reset the search to UID_MAX and proceed down -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ lowest_found = uid_max; - } - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { -- user_id = pwd->pw_uid - 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- user_id = uid_min; -- setpwent (); -- while ((pwd = getpwent ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * UID_MAX - 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != uid_max) { -+ for (id = uid_max; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ -+ } - } - } -- endpwent (); -+ } else { /* !sys_user */ -+ /* -+ * For non-system users, we want to start from the -+ * bottom of the range and work upwards. -+ */ - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -- } -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MAX + 1. -+ */ -+ if (highest_found > uid_max) { -+ /* -+ * In this case, a UID is in use at UID_MAX. -+ * -+ * We will reset the search to UID_MIN and proceed up -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ highest_found = uid_min; - } -- } - -- /* -- * If a user (resp. system user) with UID equal to UID_MAX (resp. -- * UID_MIN) exists, the above algorithm will give us UID_MAX+1 -- * (resp. UID_MIN-1) even if not unique. Search for the first free -- * UID starting with UID_MIN (resp. UID_MAX). -- */ -- if (sys_user) { -- if (user_id < uid_min) { -- for (user_id = uid_max; user_id >= uid_min; user_id--) { -- if (false == used_uids[user_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (user_id < uid_min ) { -- fprintf (stderr, -- _("%s: Can't get unique system UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available UID on the system")); -- free (used_uids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- if (user_id > uid_max) { -- for (user_id = uid_min; user_id <= uid_max; user_id++) { -- if (false == used_uids[user_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * UID_MIN + 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != uid_min) { -+ for (id = uid_min; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- if (user_id > uid_max) { -- fprintf (stderr, -- _("%s: Can't get unique UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available UID on the system")); -- free (used_uids); -- return -1; -- } - } - } - -- free (used_uids); -- *uid = user_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique UID (no more available UIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available UIDs on the system")); -+ free(used_uids); -+ return -1; - } - diff --git a/shadow-4.1.5.1-info-parent-dir.patch b/shadow-4.1.5.1-info-parent-dir.patch index b05e5bb..b3a525b 100644 --- a/shadow-4.1.5.1-info-parent-dir.patch +++ b/shadow-4.1.5.1-info-parent-dir.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml ---- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 -@@ -216,7 +216,15 @@ +Index: shadow-4.5/man/newusers.8.xml +=================================================================== +--- shadow-4.5.orig/man/newusers.8.xml ++++ shadow-4.5/man/newusers.8.xml +@@ -218,7 +218,15 @@ If this field does not specify an existing directory, the specified directory is created, with ownership set to the diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch deleted file mode 100644 index e440431..0000000 --- a/shadow-4.1.5.1-ingroup.patch +++ /dev/null @@ -1,63 +0,0 @@ -diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.ingroup 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2014-08-29 14:04:57.183849650 +0200 -@@ -83,15 +83,29 @@ static void usage (void) - } - } - -+static bool ingroup(const char *name, struct group *gr) -+{ -+ char **look; -+ bool notfound = true; -+ -+ look = gr->gr_mem; -+ while (*look && notfound) -+ notfound = strcmp (*look++, name); -+ -+ return !notfound; -+} -+ - /* -- * find_matching_group - search all groups of a given group id for -+ * find_matching_group - search all groups of a gr's group id for - * membership of a given username -+ * but check gr itself first - */ --static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid) -+static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr) - { -- struct group *gr; -- char **look; -- bool notfound = true; -+ gid_t gid = gr->gr_gid; -+ -+ if (ingroup(name, gr)) -+ return gr; - - setgrent (); - while ((gr = getgrent ()) != NULL) { -@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc - * A group with matching GID was found. - * Test for membership of 'name'. - */ -- look = gr->gr_mem; -- while ((NULL != *look) && notfound) { -- notfound = (strcmp (*look, name) != 0); -- look++; -- } -- if (!notfound) { -+ if (ingroup(name, gr)) - break; -- } - } - endgrent (); - return gr; -@@ -616,7 +624,7 @@ int main (int argc, char **argv) - * groups of the same GID like the requested group for - * membership of the current user. - */ -- grp = find_matching_group (name, grp->gr_gid); -+ grp = find_matching_group (name, grp); - if (NULL == grp) { - /* - * No matching group found. As we already know that diff --git a/shadow-4.1.5.1-logmsg.patch b/shadow-4.1.5.1-logmsg.patch index 7d5cbc8..ca7e57b 100644 --- a/shadow-4.1.5.1-logmsg.patch +++ b/shadow-4.1.5.1-logmsg.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 -@@ -275,7 +275,7 @@ static void fail_exit (int code) +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -323,7 +323,7 @@ static void fail_exit (int code) user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch deleted file mode 100644 index c87e232..0000000 --- a/shadow-4.1.5.1-move-home.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 -@@ -1571,6 +1571,11 @@ static void move_home (void) - Prog, user_home, user_newhome); - fail_exit (E_HOMEDIR); - } -+ } else { -+ fprintf (stderr, -+ _("%s: The previous home directory (%s) does " -+ "not exist or is inaccessible. Move cannot be completed.\n"), -+ Prog, user_home); - } - } - diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch deleted file mode 100644 index 4ac32d2..0000000 --- a/shadow-4.1.5.1-selinux.patch +++ /dev/null @@ -1,99 +0,0 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200 -@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, - - ret = 0; - -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_seuser_key_free (key); - semanage_handle_destroy (handle); -@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) - } - - ret = 0; -+ -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_handle_destroy (handle); - return ret; -diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200 -@@ -1850,6 +1850,7 @@ static void create_mail (void) - */ - int main (int argc, char **argv) - { -+ int rv = E_SUCCESS; - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) - - usr_update (); - -+ close_files (); -+ -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ -+#ifdef WITH_SELINUX -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ if (set_seuser (user_name, user_selinux) != 0) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "adding SELinux user mapping", -+ user_name, (unsigned int) user_id, 0); -+#endif /* WITH_AUDIT */ -+ rv = E_SE_UPDATE; -+ } -+ } -+ } -+#endif -+ - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, -+ copy_tree (def_template, user_home, false, true, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, -@@ -2056,27 +2080,6 @@ int main (int argc, char **argv) - create_mail (); - } - -- close_files (); -- --#ifdef WITH_SELINUX -- if (Zflg) { -- if (set_seuser (user_name, user_selinux) != 0) { -- fprintf (stderr, -- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -- Prog, user_name, user_selinux); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding SELinux user mapping", -- user_name, (unsigned int) user_id, 0); --#endif /* WITH_AUDIT */ -- fail_exit (E_SE_UPDATE); -- } -- } --#endif /* WITH_SELINUX */ -- -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- -- return E_SUCCESS; -+ return rv; - } - diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch index b79baee..075f482 100644 --- a/shadow-4.1.5.1-userdel-helpfix.patch +++ b/shadow-4.1.5.1-userdel-helpfix.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c ---- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 -+++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 -@@ -130,8 +130,9 @@ static void usage (int status) +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c +@@ -143,8 +143,9 @@ static void usage (int status) "\n" "Options:\n"), Prog); diff --git a/shadow-4.2.1-date-parsing.patch b/shadow-4.2.1-date-parsing.patch index 91a85ac..2a798d0 100644 --- a/shadow-4.2.1-date-parsing.patch +++ b/shadow-4.2.1-date-parsing.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y ---- shadow-4.2.1/libmisc/getdate.y.date-parsing 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/getdate.y 2014-11-26 14:58:21.208153924 +0100 +Index: shadow-4.5/libmisc/getdate.y +=================================================================== +--- shadow-4.5.orig/libmisc/getdate.y ++++ shadow-4.5/libmisc/getdate.y @@ -152,6 +152,7 @@ static int yyHaveDay; static int yyHaveRel; static int yyHaveTime; diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.2.1-defs-chroot.patch deleted file mode 100644 index 827ad40..0000000 --- a/shadow-4.2.1-defs-chroot.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100 -+++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200 -@@ -1938,8 +1938,8 @@ int main (int argc, char **argv) - #endif /* ACCT_TOOLS_SETUID */ - - /* Needed for userns check */ -- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ uid_t uid_min; -+ uid_t uid_max; - - /* - * Get my name so that I can use it to report errors. -@@ -1957,6 +1957,9 @@ int main (int argc, char **argv) - audit_help_open (); - #endif - -+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ - sys_ngroups = sysconf (_SC_NGROUPS_MAX); - user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); - /* diff --git a/shadow-4.2.1-lastlog-unexpire.patch b/shadow-4.2.1-lastlog-unexpire.patch deleted file mode 100644 index 2596820..0000000 --- a/shadow-4.2.1-lastlog-unexpire.patch +++ /dev/null @@ -1,249 +0,0 @@ -diff -up shadow-4.2.1/man/lastlog.8.xml.unexpire shadow-4.2.1/man/lastlog.8.xml ---- shadow-4.2.1/man/lastlog.8.xml.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/lastlog.8.xml 2016-02-03 11:50:20.481293785 +0100 -@@ -105,6 +105,17 @@ - - - -+ , -+ -+ -+ -+ Clear lastlog record of an user. This option can be used only together -+ with ()). -+ -+ -+ -+ -+ - , - - -@@ -123,6 +134,17 @@ - - - -+ -+ -+ , -+ -+ -+ -+ Set lastlog record of an user to the current time. This option can be -+ used only together with ()). -+ -+ -+ - - - ,  DAYS -diff -up shadow-4.2.1/src/lastlog.c.unexpire shadow-4.2.1/src/lastlog.c ---- shadow-4.2.1/src/lastlog.c.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/lastlog.c 2016-02-03 11:35:26.971273603 +0100 -@@ -71,6 +71,8 @@ static struct stat statbuf; /* fstat buf - static bool uflg = false; /* print only an user of range of users */ - static bool tflg = false; /* print is restricted to most recent days */ - static bool bflg = false; /* print excludes most recent days */ -+static bool Cflg = false; /* clear record for user */ -+static bool Sflg = false; /* set record for user */ - - #define NOW (time ((time_t *) 0)) - -@@ -83,8 +85,10 @@ static /*@noreturn@*/void usage (int sta - "Options:\n"), - Prog); - (void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); -+ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); - (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -+ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); - (void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); - (void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); - (void) fputs ("\n", usageout); -@@ -194,6 +198,80 @@ static void print (void) - } - } - -+static void update_one (/*@null@*/const struct passwd *pw) -+{ -+ off_t offset; -+ struct lastlog ll; -+ int err; -+ -+ if (NULL == pw) { -+ return; -+ } -+ -+ offset = (off_t) pw->pw_uid * sizeof (ll); -+ /* fseeko errors are not really relevant for us. */ -+ err = fseeko (lastlogfile, offset, SEEK_SET); -+ assert (0 == err); -+ -+ memzero (&ll, sizeof (ll)); -+ -+ if (Sflg) { -+ ll.ll_time = NOW; -+#ifdef HAVE_LL_HOST -+ strcpy (ll.ll_host, "localhost"); -+#endif -+ strcpy (ll.ll_line, "lastlog"); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "clearing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+#endif -+ } -+#ifdef WITH_AUDIT -+ else { -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "refreshing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+ } -+#endif -+ -+ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { -+ fprintf (stderr, -+ _("%s: Failed to update the entry for UID %lu\n"), -+ Prog, (unsigned long int)pw->pw_uid); -+ exit (EXIT_FAILURE); -+ } -+} -+ -+static void update (void) -+{ -+ const struct passwd *pwent; -+ -+ if (!uflg) /* safety measure */ -+ return; -+ -+ if (has_umin && has_umax && (umin == umax)) { -+ update_one (getpwuid ((uid_t)umin)); -+ } else { -+ setpwent (); -+ while ( (pwent = getpwent ()) != NULL ) { -+ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) -+ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { -+ continue; -+ } -+ update_one (pwent); -+ } -+ endpwent (); -+ } -+ -+ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { -+ fprintf (stderr, -+ _("%s: Failed to update the lastlog file\n"), -+ Prog); -+ exit (EXIT_FAILURE); -+ } -+} -+ - int main (int argc, char **argv) - { - /* -@@ -208,18 +286,24 @@ int main (int argc, char **argv) - - process_root_flag ("-R", argc, argv); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ - { - int c; - static struct option const longopts[] = { - {"before", required_argument, NULL, 'b'}, -+ {"clear", no_argument, NULL, 'C'}, - {"help", no_argument, NULL, 'h'}, - {"root", required_argument, NULL, 'R'}, -+ {"set", no_argument, NULL, 'S'}, - {"time", required_argument, NULL, 't'}, - {"user", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - -- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, -+ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, - NULL)) != -1) { - switch (c) { - case 'b': -@@ -235,11 +319,21 @@ int main (int argc, char **argv) - bflg = true; - break; - } -+ case 'C': -+ { -+ Cflg = true; -+ break; -+ } - case 'h': - usage (EXIT_SUCCESS); - /*@notreached@*/break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -+ case 'S': -+ { -+ Sflg = true; -+ break; -+ } - case 't': - { - unsigned long days; -@@ -294,9 +388,21 @@ int main (int argc, char **argv) - Prog, argv[optind]); - usage (EXIT_FAILURE); - } -+ if (Cflg && Sflg) { -+ fprintf (stderr, -+ _("%s: Option -C cannot be used together with option -S\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } -+ if ((Cflg || Sflg) && !uflg) { -+ fprintf (stderr, -+ _("%s: Options -C and -S require option -u to specify the user\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } - } - -- lastlogfile = fopen (LASTLOG_FILE, "r"); -+ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); - if (NULL == lastlogfile) { - perror (LASTLOG_FILE); - exit (EXIT_FAILURE); -@@ -310,7 +416,10 @@ int main (int argc, char **argv) - exit (EXIT_FAILURE); - } - -- print (); -+ if (Cflg || Sflg) -+ update (); -+ else -+ print (); - - (void) fclose (lastlogfile); - -diff -up shadow-4.2.1/src/Makefile.am.unexpire shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.unexpire 2014-05-08 10:43:11.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-02-03 11:35:26.971273603 +0100 -@@ -95,6 +95,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) - grpck_LDADD = $(LDADD) $(LIBSELINUX) - grpconv_LDADD = $(LDADD) $(LIBSELINUX) - grpunconv_LDADD = $(LDADD) $(LIBSELINUX) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - login_SOURCES = \ - login.c \ - login_nopam.c -diff -up shadow-4.2.1/src/Makefile.in.unexpire shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.unexpire 2014-05-09 18:49:48.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-02-03 11:35:26.972273609 +0100 -@@ -197,7 +197,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) - $(top_builddir)/lib/libshadow.la - lastlog_SOURCES = lastlog.c - lastlog_OBJECTS = lastlog.$(OBJEXT) --lastlog_LDADD = $(LDADD) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(top_builddir)/libmisc/libmisc.a \ - $(top_builddir)/lib/libshadow.la diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch deleted file mode 100644 index 1adcabd..0000000 --- a/shadow-4.2.1-merge-group.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c ---- shadow-4.2.1/lib/groupio.c.merge-group 2014-11-26 14:33:54.039581662 +0100 -+++ shadow-4.2.1/lib/groupio.c 2014-11-26 14:46:02.841852886 +0100 -@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry * - errno = ENOMEM; - return NULL; - } -- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); -- new_line[new_line_len] = '\0'; -+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); - - /* Concatenate the 2 list of members */ - for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch index 58fd605..c6873e9 100644 --- a/shadow-4.2.1-no-lock-dos.patch +++ b/shadow-4.2.1-no-lock-dos.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c ---- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200 -+++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200 +Index: shadow-4.5/lib/commonio.c +=================================================================== +--- shadow-4.5.orig/lib/commonio.c ++++ shadow-4.5/lib/commonio.c @@ -140,7 +140,10 @@ static int do_lock_file (const char *fil int retval; char buf[32]; diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch new file mode 100644 index 0000000..b1dd1c4 --- /dev/null +++ b/shadow-4.2.1-null-tm.patch @@ -0,0 +1,91 @@ +Index: shadow-4.5/src/faillog.c +=================================================================== +--- shadow-4.5.orig/src/faillog.c ++++ shadow-4.5/src/faillog.c +@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s + } + + tm = localtime (&fl.fail_time); ++ if (tm == NULL) { ++ cp = "(unknown)"; ++ } else { + #ifdef HAVE_STRFTIME +- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); +- cp = ptime; ++ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); ++ cp = ptime; + #endif ++ } + printf ("%-9s %5d %5d ", + pw->pw_name, fl.fail_cnt, fl.fail_max); + /* FIXME: cp is not defined ifndef HAVE_STRFTIME */ +Index: shadow-4.5/src/chage.c +=================================================================== +--- shadow-4.5.orig/src/chage.c ++++ shadow-4.5/src/chage.c +@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size + struct tm *tp; + + tp = gmtime (&date); ++ if (tp == NULL) { ++ (void) snprintf (buf, maxsize, "(unknown)"); ++ return; ++ } + #ifdef HAVE_STRFTIME + (void) strftime (buf, maxsize, "%Y-%m-%d", tp); + #else +Index: shadow-4.5/src/lastlog.c +=================================================================== +--- shadow-4.5.orig/src/lastlog.c ++++ shadow-4.5/src/lastlog.c +@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s + + ll_time = ll.ll_time; + tm = localtime (&ll_time); ++ if (tm == NULL) { ++ cp = "(unknown)"; ++ } else { + #ifdef HAVE_STRFTIME +- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); +- cp = ptime; ++ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); ++ cp = ptime; + #else +- cp = asctime (tm); +- cp[24] = '\0'; ++ cp = asctime (tm); ++ cp[24] = '\0'; + #endif ++ } + + if (ll.ll_time == (time_t) 0) { + cp = _("**Never logged in**\0"); +Index: shadow-4.5/src/passwd.c +=================================================================== +--- shadow-4.5.orig/src/passwd.c ++++ shadow-4.5/src/passwd.c +@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to + struct tm *tm; + + tm = gmtime (&t); ++ if (tm == NULL) { ++ return "(unknown)"; ++ } + #ifdef HAVE_STRFTIME + (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); + #else /* !HAVE_STRFTIME */ +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c +@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ + } else { + time_t t = (time_t) date; + tp = gmtime (&t); ++ if (tp == NULL) { ++ strncpy (buf, "unknown", maxsize); ++ return; ++ } + #ifdef HAVE_STRFTIME + strftime (buf, maxsize, "%Y-%m-%d", tp); + #else diff --git a/shadow-4.2.1-user-busy.patch b/shadow-4.2.1-user-busy.patch deleted file mode 100644 index ee7e41a..0000000 --- a/shadow-4.2.1-user-busy.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d2fa8c5d4b0b19445562daf78d3a62421fe8d6b8 Mon Sep 17 00:00:00 2001 -From: Bastian Blank -Date: Tue, 17 Nov 2015 10:52:24 -0600 -Subject: [PATCH] Fix user busy errors at userdel - -From: Bastian Blank -Acked-by: Serge Hallyn ---- - libmisc/user_busy.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c -index db7174a..0db32c3 100644 ---- a/libmisc/user_busy.c -+++ b/libmisc/user_busy.c -@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) - if (stat ("/", &sbroot) != 0) { - perror ("stat (\"/\")"); - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - return 0; - } - -@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) - - if (check_status (name, tmp_d_name, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); -@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) - } - if (check_status (name, task_path+6, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); --- -2.5.0 - diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.3.1-manfix.patch similarity index 76% rename from shadow-4.2.1-manfix.patch rename to shadow-4.3.1-manfix.patch index 04fcb4a..cc62a86 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml ---- shadow-4.2.1/man/groupmems.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/groupmems.8.xml 2015-11-06 14:21:03.013060324 +0100 +Index: shadow-4.5/man/groupmems.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupmems.8.xml ++++ shadow-4.5/man/groupmems.8.xml @@ -179,20 +179,10 @@ SETUP @@ -25,9 +26,10 @@ diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xm -diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml ---- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 +Index: shadow-4.5/man/chage.1.xml +=================================================================== +--- shadow-4.5.orig/man/chage.1.xml ++++ shadow-4.5/man/chage.1.xml @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -38,10 +40,25 @@ diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml -diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/login.defs.5 ---- shadow-4.2.1/man/ja/man5/login.defs.5.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/ja/man5/login.defs.5 2016-01-08 09:58:29.591702354 +0100 -@@ -147,10 +147,6 @@ 以下の参照表は、 +@@ -119,6 +122,13 @@ + system again. + + ++ For example the following can be used to set an account to expire ++ in 180 days: ++ ++ ++ chage -E $(date -d +180days +%Y-%m-%d) ++ ++ + Passing the number -1 as the + EXPIRE_DATE will remove an account + expiration date. +Index: shadow-4.5/man/ja/man5/login.defs.5 +=================================================================== +--- shadow-4.5.orig/man/ja/man5/login.defs.5 ++++ shadow-4.5/man/ja/man5/login.defs.5 +@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 .na @@ -52,9 +69,10 @@ diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/l .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml ---- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 -+++ shadow-4.2.1/man/login.defs.5.xml 2016-01-08 09:59:35.854169787 +0100 +Index: shadow-4.5/man/login.defs.5.xml +=================================================================== +--- shadow-4.5.orig/man/login.defs.5.xml ++++ shadow-4.5/man/login.defs.5.xml @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -73,7 +91,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: -@@ -252,26 +263,6 @@ +@@ -252,16 +263,6 @@ @@ -87,20 +105,10 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. - - - -- chgpasswd -- -- -- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB -- SHA_CRYPT_MAX_ROUNDS -- SHA_CRYPT_MIN_ROUNDS -- -- -- -- - chpasswd + chgpasswd -@@ -282,14 +273,6 @@ +@@ -282,14 +283,6 @@ @@ -115,7 +123,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. -@@ -350,34 +333,6 @@ +@@ -350,34 +343,6 @@ @@ -150,7 +158,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. newgrp / sg -@@ -405,17 +360,6 @@ +@@ -405,17 +370,6 @@ @@ -168,7 +176,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. pwck -@@ -442,32 +386,6 @@ +@@ -442,32 +396,6 @@ @@ -201,9 +209,10 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. useradd -diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml ---- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 +Index: shadow-4.5/man/shadow.5.xml +=================================================================== +--- shadow-4.5.orig/man/shadow.5.xml ++++ shadow-4.5/man/shadow.5.xml @@ -208,8 +208,8 @@ @@ -215,10 +224,11 @@ diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml An empty field means that there are no enforcement of an -diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml ---- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 -+++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 -@@ -347,11 +347,16 @@ +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml +@@ -347,6 +347,11 @@ is not enabled, no home directories are created. @@ -230,15 +240,10 @@ diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml - -- -+ , - - - -diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml ---- shadow-4.2.1/man/usermod.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/usermod.8.xml 2014-11-26 15:34:51.257978963 +0100 +Index: shadow-4.5/man/usermod.8.xml +=================================================================== +--- shadow-4.5.orig/man/usermod.8.xml ++++ shadow-4.5/man/usermod.8.xml @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.3.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch new file mode 100644 index 0000000..8550150 --- /dev/null +++ b/shadow-4.3.1-selinux-perms.patch @@ -0,0 +1,277 @@ +Index: shadow-4.5/src/chgpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chgpasswd.c ++++ shadow-4.5/src/chgpasswd.c +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + #include "pam_defs.h" +@@ -76,6 +83,9 @@ static bool sgr_locked = false; + #endif + static bool gr_locked = false; + ++/* The name of the caller */ ++static char *myname = NULL; ++ + /* local function prototypes */ + static void fail_exit (int code); + static /*@noreturn@*/void usage (int status); +@@ -300,6 +310,63 @@ static void check_perms (void) + #endif /* ACCT_TOOLS_SETUID */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ goto ret; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ goto ret; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the group databases + */ +@@ -393,6 +460,7 @@ int main (int argc, char **argv) + + const struct group *gr; + struct group newgr; ++ struct passwd *pw = NULL; + int errors = 0; + int line = 0; + +@@ -408,8 +476,33 @@ int main (int argc, char **argv) + + OPENLOG ("chgpasswd"); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ ++ /* ++ * Determine the name of the user that invoked this command. This ++ * is really hit or miss because there are so many ways that command ++ * can be executed and so many ways to trip up the routines that ++ * report the user name. ++ */ ++ pw = get_my_pwent (); ++ if (NULL == pw) { ++ fprintf (stderr, _("%s: Cannot determine your user name.\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "Cannot determine the user name of the caller (UID %lu)", ++ (unsigned long) getuid ())); ++ exit (E_NOPERM); ++ } ++ myname = xstrdup (pw->pw_name); ++ + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef SHADOWGRP + is_shadow_grp = sgr_file_present (); + #endif +@@ -536,6 +629,15 @@ int main (int argc, char **argv) + newgr.gr_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ { ++ ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, gr->gr_name, ++ SHADOW_AUDIT_SUCCESS); ++ } ++#endif + /* + * The updated group file entry is then put back and will + * be written to the group file later, after all the +Index: shadow-4.5/src/chpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chpasswd.c ++++ shadow-4.5/src/chpasswd.c +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef USE_PAM + #include "pam_defs.h" + #endif /* USE_PAM */ +@@ -297,6 +304,63 @@ static void check_perms (void) + #endif /* USE_PAM */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ goto ret; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ goto ret; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the password databases + */ +@@ -405,8 +469,16 @@ int main (int argc, char **argv) + + OPENLOG ("chpasswd"); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef USE_PAM + if (!use_pam) + #endif /* USE_PAM */ +@@ -566,6 +638,11 @@ int main (int argc, char **argv) + newpw.pw_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "updating-password", ++ pw->pw_name, (unsigned int) pw->pw_uid, 1); ++#endif + /* + * The updated password file entry is then put back and will + * be written to the password file later, after all the +Index: shadow-4.5/src/Makefile.am +=================================================================== +--- shadow-4.5.orig/src/Makefile.am ++++ shadow-4.5/src/Makefile.am +@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) + newuidmap_LDADD = $(LDADD) $(LIBSELINUX) + newgidmap_LDADD = $(LDADD) $(LIBSELINUX) + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) ++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff --git a/shadow-4.5-crypt_h.patch b/shadow-4.5-crypt_h.patch new file mode 100644 index 0000000..c8d19e4 --- /dev/null +++ b/shadow-4.5-crypt_h.patch @@ -0,0 +1,41 @@ +Index: shadow-4.5/configure.ac +=================================================================== +--- shadow-4.5.orig/configure.ac ++++ shadow-4.5/configure.ac +@@ -32,9 +32,9 @@ AC_HEADER_STDC + AC_HEADER_SYS_WAIT + AC_HEADER_STDBOOL + +-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \ +- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \ +- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ ++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \ ++ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \ ++ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ + locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \ + attr/error_context.h) + +Index: shadow-4.5/lib/defines.h +=================================================================== +--- shadow-4.5.orig/lib/defines.h ++++ shadow-4.5/lib/defines.h +@@ -4,6 +4,8 @@ + #ifndef _DEFINES_H_ + #define _DEFINES_H_ + ++#include "config.h" ++ + #if HAVE_STDBOOL_H + # include + #else +@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok () + # include + #endif + ++#if HAVE_CRYPT_H ++# include /* crypt(3) may be defined in here */ ++#endif ++ + #if TIME_WITH_SYS_TIME + # include + # include diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.5-goodname.patch similarity index 50% rename from shadow-4.1.5.1-goodname.patch rename to shadow-4.5-goodname.patch index 15c98a7..215f658 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c ---- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/chkname.c 2014-09-09 17:35:17.207303124 +0200 -@@ -47,27 +47,42 @@ +Index: shadow-4.5/libmisc/chkname.c +=================================================================== +--- shadow-4.5.orig/libmisc/chkname.c ++++ shadow-4.5/libmisc/chkname.c +@@ -47,27 +47,46 @@ #include "chkname.h" static bool is_valid_name (const char *name) @@ -18,16 +19,18 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" + * -+ * Also do not allow fully numeric names. ++ * Also do not allow fully numeric names or just "." or "..". + */ + int numeric; + -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { ++ if ('\0' == *name || ++ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || ++ '\0' == name[1])) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.')) { return false; } @@ -39,13 +42,14 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam - ('_' == *name) || - ('-' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { ++ if (!((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.' || ++ *name == '-' || ++ (*name == '$' && name[1] == '\0') + )) { return false; } + numeric &= isdigit(*name); @@ -56,10 +60,11 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam } bool is_valid_user_name (const char *name) -diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml ---- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/groupadd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -259,12 +259,6 @@ +Index: shadow-4.5/man/groupadd.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupadd.8.xml ++++ shadow-4.5/man/groupadd.8.xml +@@ -256,12 +256,6 @@ CAVEATS @@ -72,19 +77,11 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -366,7 +366,7 @@ - - - -- Do no create the user's home directory, even if the system -+ Do not create the user's home directory, even if the system - wide setting from /etc/login.defs - () is set to - yes. -@@ -654,12 +654,6 @@ +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml +@@ -633,12 +633,6 @@ diff --git a/shadow-4.5-long-entry.patch b/shadow-4.5-long-entry.patch new file mode 100644 index 0000000..8670e75 --- /dev/null +++ b/shadow-4.5-long-entry.patch @@ -0,0 +1,84 @@ +diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h +--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200 +@@ -382,4 +382,7 @@ extern char *strerror (); + # endif + #endif + ++/* Maximum length of passwd entry */ ++#define PASSWD_ENTRY_MAX_LENGTH 32768 ++ + #endif /* _DEFINES_H_ */ +diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c +--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100 ++++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200 +@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, + || (pw->pw_gid == (gid_t)-1) + || (valid_field (pw->pw_gecos, ":\n") == -1) + || (valid_field (pw->pw_dir, ":\n") == -1) +- || (valid_field (pw->pw_shell, ":\n") == -1)) { ++ || (valid_field (pw->pw_shell, ":\n") == -1) ++ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) + ++ strlen (pw->pw_gecos) + strlen (pw->pw_dir) + ++ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) { + return -1; + } + +diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c +--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200 +@@ -57,7 +57,7 @@ + struct passwd *sgetpwent (const char *buf) + { + static struct passwd pwent; +- static char pwdbuf[1024]; ++ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH]; + register int i; + register char *cp; + char *fields[NFIELDS]; +@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu + * the password structure remain valid. + */ + +- if (strlen (buf) >= sizeof pwdbuf) ++ if (strlen (buf) >= sizeof pwdbuf) { ++ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n"); + return 0; /* fail if too long */ ++ } + strcpy (pwdbuf, buf); + + /* +diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c +--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200 +@@ -48,7 +48,7 @@ + */ + struct spwd *sgetspent (const char *string) + { +- static char spwbuf[1024]; ++ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH]; + static struct spwd spwd; + char *fields[FIELDS]; + char *cp; +@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri + */ + + if (strlen (string) >= sizeof spwbuf) { ++ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n"); + return 0; /* fail if too long */ + } + strcpy (spwbuf, string); +diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c +--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100 ++++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200 +@@ -79,7 +79,9 @@ static int shadow_put (const void *ent, + + if ( (NULL == sp) + || (valid_field (sp->sp_namp, ":\n") == -1) +- || (valid_field (sp->sp_pwdp, ":\n") == -1)) { ++ || (valid_field (sp->sp_pwdp, ":\n") == -1) ++ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) + ++ 1000 > PASSWD_ENTRY_MAX_LENGTH)) { + return -1; + } + diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch similarity index 86% rename from shadow-4.2.1-usermod-unlock.patch rename to shadow-4.5-usermod-unlock.patch index 19feecb..e2d70b5 100644 --- a/shadow-4.2.1-usermod-unlock.patch +++ b/shadow-4.5-usermod-unlock.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.unlock 2016-02-03 11:54:14.977664838 +0100 -+++ shadow-4.2.1/src/usermod.c 2016-02-09 11:52:08.244957222 +0100 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; @@ -60,4 +61,4 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c + fail_exit(E_PW_UPDATE); if (pflg) { - spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; + spent->sp_lstchg = (long) gettime () / SCALE; diff --git a/shadow-4.2.1-audit-update.patch b/shadow-4.6-audit-update.patch similarity index 86% rename from shadow-4.2.1-audit-update.patch rename to shadow-4.6-audit-update.patch index 8f2edf8..b9d0a67 100644 --- a/shadow-4.2.1-audit-update.patch +++ b/shadow-4.6-audit-update.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/audit_help.c ---- shadow-4.2.1/libmisc/audit_help.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/audit_help.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_help.c +--- shadow-4.6/libmisc/audit_help.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/audit_help.c 2018-05-28 15:01:09.913717564 +0200 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +50,9 @@ diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/aud void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/cleanup_group.c ---- shadow-4.2.1/libmisc/cleanup_group.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_group.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/cleanup_group.c +--- shadow-4.6/libmisc/cleanup_group.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_group.c 2018-05-28 15:01:09.913717564 +0200 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -131,9 +131,9 @@ diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/ SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/cleanup_user.c ---- shadow-4.2.1/libmisc/cleanup_user.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_user.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/cleanup_user.c +--- shadow-4.6/libmisc/cleanup_user.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_user.c 2018-05-28 15:01:09.913717564 +0200 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -181,10 +181,10 @@ diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/c SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes.h ---- shadow-4.2.1/lib/prototypes.h.audit-update 2014-11-26 15:06:24.644660498 +0100 -+++ shadow-4.2.1/lib/prototypes.h 2014-11-26 15:06:24.663660558 +0100 -@@ -208,12 +208,21 @@ extern int audit_fd; +diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.audit-update 2018-05-28 15:01:09.901717309 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 15:01:09.913717564 +0200 +@@ -211,12 +211,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ #define AUDIT_NO_ID ((unsigned int) -1) @@ -206,9 +206,9 @@ diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes. void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c ---- shadow-4.2.1/src/gpasswd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/gpasswd.c 2014-11-26 15:06:24.664660561 +0100 +diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c +--- shadow-4.6/src/gpasswd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/gpasswd.c 2018-05-28 15:01:09.914717585 +0200 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -218,7 +218,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); (void) fputs (_(" -M, --members USER,... set the list of members of GROUP\n"), usageout); #ifdef SHADOWGRP -@@ -397,21 +397,14 @@ static void open_files (void) +@@ -396,21 +396,14 @@ static void open_files (void) static void log_gpasswd_failure (const char *suffix) { @@ -243,7 +243,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (dflg) { -@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c +@@ -418,13 +411,9 @@ static void log_gpasswd_failure (const c "%s failed to remove user %s from group %s%s", myname, user, group, suffix)); #ifdef WITH_AUDIT @@ -260,7 +260,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (rflg) { -@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c +@@ -432,13 +421,9 @@ static void log_gpasswd_failure (const c "%s failed to remove password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -277,7 +277,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Rflg) { -@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c +@@ -446,13 +431,9 @@ static void log_gpasswd_failure (const c "%s failed to restrict access to group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -294,7 +294,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Aflg || Mflg) { -@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c +@@ -462,13 +443,9 @@ static void log_gpasswd_failure (const c "%s failed to set the administrators of group %s to %s%s", myname, group, admins, suffix)); #ifdef WITH_AUDIT @@ -311,7 +311,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c +@@ -478,13 +455,9 @@ static void log_gpasswd_failure (const c "%s failed to set the members of group %s to %s%s", myname, group, members, suffix)); #ifdef WITH_AUDIT @@ -328,7 +328,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c +@@ -493,13 +466,9 @@ static void log_gpasswd_failure (const c "%s failed to change password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -345,7 +345,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow +@@ -530,21 +499,14 @@ static void log_gpasswd_failure_gshadow static void log_gpasswd_success (const char *suffix) { @@ -370,7 +370,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (dflg) { -@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c +@@ -552,13 +514,9 @@ static void log_gpasswd_success (const c "user %s removed by %s from group %s%s", user, myname, group, suffix)); #ifdef WITH_AUDIT @@ -387,7 +387,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (rflg) { -@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c +@@ -566,13 +524,9 @@ static void log_gpasswd_success (const c "password of group %s removed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -404,7 +404,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Rflg) { -@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c +@@ -580,13 +534,9 @@ static void log_gpasswd_success (const c "access to group %s restricted by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -421,7 +421,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Aflg || Mflg) { -@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c +@@ -596,13 +546,9 @@ static void log_gpasswd_success (const c "administrators of group %s set by %s to %s%s", group, myname, admins, suffix)); #ifdef WITH_AUDIT @@ -438,7 +438,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c +@@ -612,13 +558,9 @@ static void log_gpasswd_success (const c "members of group %s set by %s to %s%s", group, myname, members, suffix)); #ifdef WITH_AUDIT @@ -455,7 +455,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c +@@ -627,13 +569,9 @@ static void log_gpasswd_success (const c "password of group %s changed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -472,10 +472,10 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c ---- shadow-4.2.1/src/groupadd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupadd.c 2014-11-26 15:06:24.664660561 +0100 -@@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c +--- shadow-4.6/src/groupadd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupadd.c 2018-05-28 15:02:53.137910337 +0200 +@@ -130,6 +130,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -491,7 +491,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c /* * new_grent - initialize the values in a group file entry * -@@ -210,7 +219,7 @@ static void grp_update (void) +@@ -213,7 +222,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); @@ -500,7 +500,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } #ifdef SHADOWGRP /* -@@ -220,7 +229,7 @@ static void grp_update (void) +@@ -223,7 +232,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); @@ -509,7 +509,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } #endif /* SHADOWGRP */ } -@@ -244,7 +253,7 @@ static void check_new_name (void) +@@ -247,7 +256,7 @@ static void check_new_name (void) fprintf (stderr, _("%s: '%s' is not a valid group name\n"), Prog, group_name); @@ -518,7 +518,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } /* -@@ -260,11 +269,11 @@ static void close_files (void) +@@ -263,11 +272,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -532,7 +532,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -282,11 +291,11 @@ static void close_files (void) +@@ -285,11 +294,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -547,7 +547,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -300,12 +309,6 @@ static void close_files (void) +@@ -303,12 +312,6 @@ static void close_files (void) #endif /* SHADOWGRP */ /* Report success at the system level */ @@ -560,7 +560,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); -@@ -323,7 +326,7 @@ static void open_files (void) +@@ -326,7 +329,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -569,7 +569,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } add_cleanup (cleanup_unlock_group, NULL); -@@ -333,7 +336,7 @@ static void open_files (void) +@@ -336,7 +339,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -578,8 +578,8 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -349,7 +352,7 @@ static void open_files (void) - if (gr_open (O_RDWR) == 0) { +@@ -352,7 +355,7 @@ static void open_files (void) + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); - exit (E_GRP_UPDATE); @@ -587,7 +587,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } #ifdef SHADOWGRP -@@ -359,7 +362,7 @@ static void open_files (void) +@@ -362,7 +365,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -596,7 +596,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } } #endif /* SHADOWGRP */ -@@ -489,7 +492,7 @@ static void check_flags (void) +@@ -495,7 +498,7 @@ static void check_flags (void) fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name); @@ -604,8 +604,8 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c + fail_exit (E_NAME_IN_USE); } - if (gflg && (getgrgid (group_id) != NULL)) { -@@ -508,7 +511,7 @@ static void check_flags (void) + if (gflg && (prefix_getgrgid (group_id) != NULL)) { +@@ -514,7 +517,7 @@ static void check_flags (void) fprintf (stderr, _("%s: GID '%lu' already exists\n"), Prog, (unsigned long int) group_id); @@ -614,7 +614,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } } } -@@ -536,7 +539,7 @@ static void check_perms (void) +@@ -542,7 +545,7 @@ static void check_perms (void) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -623,7 +623,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); -@@ -556,7 +559,7 @@ static void check_perms (void) +@@ -562,7 +565,7 @@ static void check_perms (void) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -632,7 +632,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -588,7 +591,7 @@ int main (int argc, char **argv) +@@ -595,7 +598,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -641,7 +641,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } /* -@@ -610,7 +613,7 @@ int main (int argc, char **argv) +@@ -617,7 +620,7 @@ int main (int argc, char **argv) if (!gflg) { if (find_new_gid (rflg, &group_id, NULL) < 0) { @@ -650,10 +650,10 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } } -diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c ---- shadow-4.2.1/src/groupdel.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupdel.c 2014-11-26 15:06:24.665660564 +0100 -@@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c +--- shadow-4.6/src/groupdel.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupdel.c 2018-05-28 15:01:09.914717585 +0200 +@@ -105,6 +105,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -669,7 +669,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c /* * grp_update - update group file entries * -@@ -126,7 +135,7 @@ static void grp_update (void) +@@ -131,7 +140,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -678,7 +678,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP -@@ -138,7 +147,7 @@ static void grp_update (void) +@@ -143,7 +152,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -687,7 +687,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -157,12 +166,12 @@ static void close_files (void) +@@ -162,12 +171,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -702,7 +702,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -182,12 +191,12 @@ static void close_files (void) +@@ -187,12 +196,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -718,7 +718,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -201,13 +210,6 @@ static void close_files (void) +@@ -206,13 +215,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ @@ -732,7 +732,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -224,7 +226,7 @@ static void open_files (void) +@@ -229,7 +231,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -741,7 +741,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -233,7 +235,7 @@ static void open_files (void) +@@ -238,7 +240,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -750,7 +750,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -251,7 +253,7 @@ static void open_files (void) +@@ -256,7 +258,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -759,7 +759,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -260,7 +262,7 @@ static void open_files (void) +@@ -265,7 +267,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -768,7 +768,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -301,7 +303,7 @@ static void group_busy (gid_t gid) +@@ -306,7 +308,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -777,7 +777,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } /* -@@ -379,7 +381,7 @@ int main (int argc, char **argv) +@@ -391,7 +393,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -786,7 +786,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } process_flags (argc, argv); -@@ -393,7 +395,7 @@ int main (int argc, char **argv) +@@ -405,7 +407,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -795,7 +795,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -414,7 +416,7 @@ int main (int argc, char **argv) +@@ -426,7 +428,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -804,7 +804,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -434,7 +436,7 @@ int main (int argc, char **argv) +@@ -446,7 +448,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); @@ -813,7 +813,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } group_id = grp->gr_gid; -@@ -458,7 +460,7 @@ int main (int argc, char **argv) +@@ -470,7 +472,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -822,10 +822,10 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #endif -diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c ---- shadow-4.2.1/src/groupmod.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupmod.c 2014-11-26 15:06:24.665660564 +0100 -@@ -438,7 +438,7 @@ static void close_files (void) +diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c +--- shadow-4.6/src/groupmod.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupmod.c 2018-05-28 15:01:09.915717607 +0200 +@@ -449,7 +449,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -834,7 +834,7 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -461,7 +461,7 @@ static void close_files (void) +@@ -472,7 +472,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -843,7 +843,7 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -484,7 +484,7 @@ static void close_files (void) +@@ -495,7 +495,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -852,7 +852,7 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -499,8 +499,8 @@ static void close_files (void) +@@ -510,8 +510,8 @@ static void close_files (void) } #ifdef WITH_AUDIT @@ -863,7 +863,7 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -512,6 +512,8 @@ static void close_files (void) +@@ -523,6 +523,8 @@ static void close_files (void) */ static void prepare_failure_reports (void) { @@ -872,7 +872,7 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c info_group.name = group_name; #ifdef SHADOWGRP info_gshadow.name = group_name; -@@ -524,76 +526,106 @@ static void prepare_failure_reports (voi +@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi #endif info_passwd.audit_msg = xmalloc (512); @@ -1006,7 +1006,7 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c "%lu", (unsigned long int) group_newid); } info_group.audit_msg[511] = '\0'; -@@ -601,6 +633,11 @@ static void prepare_failure_reports (voi +@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi info_gshadow.audit_msg[511] = '\0'; #endif info_passwd.audit_msg[511] = '\0'; @@ -1018,9 +1018,9 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c ---- shadow-4.2.1/src/chage.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chage.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c +--- shadow-4.6/src/chage.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/chage.c 2018-05-28 15:01:09.915717607 +0200 @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1108,9 +1108,9 @@ diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c ---- shadow-4.2.1/src/newgrp.c.audit-update 2014-11-26 15:06:24.660660548 +0100 -+++ shadow-4.2.1/src/newgrp.c 2014-11-26 15:06:24.666660567 +0100 +diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c +--- shadow-4.6/src/newgrp.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/newgrp.c 2018-05-28 15:01:09.915717607 +0200 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1161,7 +1161,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c exit (EXIT_FAILURE); } -@@ -317,15 +306,27 @@ static void syslog_sg (const char *name, +@@ -320,15 +309,27 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { @@ -1193,7 +1193,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -451,7 +452,7 @@ int main (int argc, char **argv) +@@ -457,7 +458,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1202,7 +1202,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -567,15 +568,26 @@ int main (int argc, char **argv) +@@ -573,15 +574,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1233,7 +1233,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -716,10 +728,10 @@ int main (int argc, char **argv) +@@ -738,10 +750,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1246,7 +1246,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -728,10 +740,10 @@ int main (int argc, char **argv) +@@ -750,10 +762,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1259,7 +1259,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -745,10 +757,10 @@ int main (int argc, char **argv) +@@ -767,10 +779,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1272,7 +1272,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -812,11 +824,11 @@ int main (int argc, char **argv) +@@ -834,11 +846,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1286,7 +1286,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -840,15 +852,24 @@ int main (int argc, char **argv) +@@ -862,15 +874,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1315,19 +1315,19 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.audit-update 2014-11-26 15:06:24.648660511 +0100 -+++ shadow-4.2.1/src/useradd.c 2014-11-26 15:14:02.446087183 +0100 -@@ -222,6 +222,8 @@ static void create_mail (void); +diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.audit-update 2018-05-28 15:01:09.903717352 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 15:06:36.824662074 +0200 +@@ -229,6 +229,8 @@ static void create_mail (void); */ static void fail_exit (int code) { + int type; + if (home_added) { - if (rmdir (user_home) != 0) { + if (rmdir (prefix_user_home) != 0) { fprintf (stderr, -@@ -235,12 +237,6 @@ static void fail_exit (int code) +@@ -242,12 +244,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1340,7 +1340,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c /* continue */ } } -@@ -248,12 +244,6 @@ static void fail_exit (int code) +@@ -255,12 +251,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1353,7 +1353,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c /* continue */ } } -@@ -261,12 +251,6 @@ static void fail_exit (int code) +@@ -268,12 +258,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1366,7 +1366,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c /* continue */ } } -@@ -275,12 +259,6 @@ static void fail_exit (int code) +@@ -282,12 +266,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1379,7 +1379,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c /* continue */ } } -@@ -290,12 +268,6 @@ static void fail_exit (int code) +@@ -297,12 +275,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); @@ -1392,7 +1392,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c /* continue */ } } -@@ -303,20 +275,19 @@ static void fail_exit (int code) +@@ -310,20 +282,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1420,7 +1420,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -623,7 +594,7 @@ static int set_defaults (void) +@@ -673,7 +644,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1429,7 +1429,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -893,12 +864,6 @@ static void grp_update (void) +@@ -950,12 +921,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1442,7 +1442,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -912,18 +877,12 @@ static void grp_update (void) +@@ -969,18 +934,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1464,7 +1464,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -968,12 +927,6 @@ static void grp_update (void) +@@ -1025,12 +984,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1477,7 +1477,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -987,18 +940,13 @@ static void grp_update (void) +@@ -1044,18 +997,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1500,7 +1500,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1341,7 +1289,7 @@ static void process_flags (int argc, cha +@@ -1407,7 +1355,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1509,7 +1509,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1444,7 +1392,7 @@ static void close_files (void) +@@ -1522,7 +1470,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1518,7 +1518,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1457,7 +1405,7 @@ static void close_files (void) +@@ -1535,7 +1483,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1527,7 +1527,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1469,7 +1417,7 @@ static void close_files (void) +@@ -1547,7 +1495,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1536,7 +1536,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1483,7 +1431,7 @@ static void close_files (void) +@@ -1561,7 +1509,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1545,7 +1545,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1499,7 +1447,7 @@ static void close_files (void) +@@ -1577,7 +1525,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1554,7 +1554,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1513,7 +1461,7 @@ static void close_files (void) +@@ -1591,7 +1539,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1563,7 +1563,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1705,7 +1653,7 @@ static void grp_add (void) +@@ -1783,7 +1731,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1572,7 +1572,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1721,7 +1669,7 @@ static void grp_add (void) +@@ -1799,7 +1747,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1581,7 +1581,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1731,7 +1679,7 @@ static void grp_add (void) +@@ -1809,7 +1757,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1590,7 +1590,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1846,12 +1794,6 @@ static void usr_update (void) +@@ -1970,12 +1918,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1603,7 +1603,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1873,7 +1815,7 @@ static void usr_update (void) +@@ -1997,7 +1939,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1612,10 +1612,10 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1908,12 +1850,6 @@ static void create_home (void) +@@ -2032,12 +1974,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), - Prog, user_home); + Prog, prefix_user_home); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", @@ -1624,8 +1624,8 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c -#endif fail_exit (E_HOMEDIR); } - chown (user_home, user_id, user_gid); -@@ -1921,8 +1857,8 @@ static void create_home (void) + (void) chown (prefix_user_home, user_id, user_gid); +@@ -2045,8 +1981,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1636,9 +1636,9 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2098,12 +2034,6 @@ int main (int argc, char **argv) +@@ -2231,12 +2167,6 @@ int main (int argc, char **argv) */ - if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ + if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, @@ -1649,7 +1649,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2119,12 +2049,6 @@ int main (int argc, char **argv) +@@ -2252,12 +2182,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1662,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2154,12 +2078,6 @@ int main (int argc, char **argv) +@@ -2287,12 +2211,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1675,7 +1675,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2223,9 +2141,10 @@ int main (int argc, char **argv) +@@ -2365,9 +2283,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1689,10 +1689,10 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c ---- shadow-4.2.1/src/userdel.c.audit-update 2014-11-26 15:06:24.655660533 +0100 -+++ shadow-4.2.1/src/userdel.c 2014-11-26 15:16:01.892459425 +0100 -@@ -214,9 +214,9 @@ static void update_groups (void) +diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c +--- shadow-4.6/src/userdel.c.audit-update 2018-05-28 15:01:09.909717479 +0200 ++++ shadow-4.6/src/userdel.c 2018-05-28 15:01:09.916717628 +0200 +@@ -219,9 +219,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT @@ -1705,7 +1705,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -276,9 +276,9 @@ static void update_groups (void) +@@ -281,9 +281,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1718,7 +1718,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -355,9 +355,9 @@ static void remove_usergroup (void) +@@ -360,9 +360,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1731,7 +1731,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -373,9 +373,9 @@ static void remove_usergroup (void) +@@ -378,9 +378,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1744,7 +1744,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -537,7 +537,7 @@ static void fail_exit (int code) +@@ -542,7 +542,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1753,7 +1753,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -557,24 +557,12 @@ static void open_files (void) +@@ -562,24 +562,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); @@ -1766,7 +1766,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); -#ifdef WITH_AUDIT @@ -1778,7 +1778,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -582,12 +570,6 @@ static void open_files (void) +@@ -587,12 +575,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1791,7 +1791,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -595,12 +577,6 @@ static void open_files (void) +@@ -600,12 +582,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -1804,7 +1804,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -608,23 +584,11 @@ static void open_files (void) +@@ -613,23 +589,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1817,7 +1817,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, @@ -1828,7 +1828,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -633,24 +597,12 @@ static void open_files (void) +@@ -638,24 +602,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -1841,7 +1841,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } sgr_locked= true; - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); -#ifdef WITH_AUDIT @@ -1853,7 +1853,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -661,24 +613,12 @@ static void open_files (void) +@@ -666,24 +618,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); @@ -1866,7 +1866,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); -#ifdef WITH_AUDIT @@ -1878,7 +1878,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } } -@@ -687,24 +627,12 @@ static void open_files (void) +@@ -692,24 +632,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); @@ -1891,7 +1891,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); -#ifdef WITH_AUDIT @@ -1903,7 +1903,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } } -@@ -749,7 +677,7 @@ static void update_user (void) +@@ -754,7 +682,7 @@ static void update_user (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1912,7 +1912,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -843,7 +771,7 @@ static int remove_mailbox (void) +@@ -862,7 +790,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1921,7 +1921,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -859,7 +787,7 @@ static int remove_mailbox (void) +@@ -879,7 +807,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1930,7 +1930,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -869,8 +797,8 @@ static int remove_mailbox (void) +@@ -889,8 +817,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1941,7 +1941,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -887,7 +815,7 @@ static int remove_mailbox (void) +@@ -908,7 +836,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1950,7 +1950,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -902,7 +830,7 @@ static int remove_mailbox (void) +@@ -925,7 +853,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1959,7 +1959,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -912,8 +840,8 @@ static int remove_mailbox (void) +@@ -935,8 +863,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1970,7 +1970,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1111,7 +1039,7 @@ int main (int argc, char **argv) +@@ -1149,7 +1077,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1979,7 +1979,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1155,7 +1083,7 @@ int main (int argc, char **argv) +@@ -1205,7 +1133,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1988,7 +1988,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1232,8 +1160,8 @@ int main (int argc, char **argv) +@@ -1282,8 +1210,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -1999,7 +1999,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1242,7 +1170,7 @@ int main (int argc, char **argv) +@@ -1292,7 +1220,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, @@ -2008,7 +2008,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1255,8 +1183,8 @@ int main (int argc, char **argv) +@@ -1305,8 +1233,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2019,10 +2019,10 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.audit-update 2014-11-26 15:06:24.661660551 +0100 -+++ shadow-4.2.1/src/usermod.c 2014-11-26 15:17:38.580760741 +0100 -@@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.audit-update 2018-05-28 15:01:09.912717543 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:08:25.424969050 +0200 +@@ -453,8 +453,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2033,7 +2033,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -467,8 +467,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -473,8 +473,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2044,7 +2044,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -479,7 +479,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -485,7 +485,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2053,7 +2053,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -508,8 +508,8 @@ static void new_pwent (struct passwd *pw +@@ -514,8 +514,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -2064,7 +2064,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -529,8 +529,8 @@ static void new_pwent (struct passwd *pw +@@ -535,8 +535,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -2075,7 +2075,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -540,8 +540,8 @@ static void new_pwent (struct passwd *pw +@@ -546,8 +546,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -2086,7 +2086,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -551,8 +551,8 @@ static void new_pwent (struct passwd *pw +@@ -557,8 +557,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2097,7 +2097,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -560,8 +560,8 @@ static void new_pwent (struct passwd *pw +@@ -566,8 +566,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT @@ -2108,7 +2108,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -571,8 +571,8 @@ static void new_pwent (struct passwd *pw +@@ -577,8 +577,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT @@ -2119,7 +2119,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -602,8 +602,8 @@ static void new_spent (struct spwd *spen +@@ -608,8 +608,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2130,7 +2130,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -619,8 +619,8 @@ static void new_spent (struct spwd *spen +@@ -625,8 +625,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2141,7 +2141,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -703,9 +703,9 @@ static /*@noreturn@*/void fail_exit (int +@@ -709,9 +709,9 @@ static /*@noreturn@*/void fail_exit (int #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT @@ -2154,7 +2154,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif exit (code); } -@@ -759,9 +759,12 @@ static void update_group (void) +@@ -765,9 +765,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2170,7 +2170,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -775,9 +778,11 @@ static void update_group (void) +@@ -781,9 +784,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2185,7 +2185,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -790,9 +795,11 @@ static void update_group (void) +@@ -796,9 +801,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2200,7 +2200,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -867,9 +874,10 @@ static void update_gshadow (void) +@@ -873,9 +880,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2214,7 +2214,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -889,9 +897,10 @@ static void update_gshadow (void) +@@ -895,9 +903,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2228,7 +2228,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -905,9 +914,10 @@ static void update_gshadow (void) +@@ -911,9 +920,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2242,7 +2242,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -920,9 +930,10 @@ static void update_gshadow (void) +@@ -926,9 +936,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2256,7 +2256,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1810,8 +1821,8 @@ static void move_home (void) +@@ -1789,8 +1800,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2267,7 +2267,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1829,8 +1840,8 @@ static void move_home (void) +@@ -1808,8 +1819,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2278,8 +2278,8 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1849,9 +1860,9 @@ static void move_home (void) - Prog, user_home); +@@ -1828,9 +1839,9 @@ static void move_home (void) + Prog, prefix_user_home); } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, @@ -2290,7 +2290,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2055,8 +2066,8 @@ static void move_mailbox (void) +@@ -2045,8 +2056,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2301,7 +2301,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2074,8 +2085,8 @@ static void move_mailbox (void) +@@ -2072,8 +2083,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2312,7 +2312,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2217,8 +2228,8 @@ int main (int argc, char **argv) +@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2323,7 +2323,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2230,8 +2241,8 @@ int main (int argc, char **argv) +@@ -2280,8 +2291,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2334,7 +2334,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2269,8 +2280,8 @@ int main (int argc, char **argv) +@@ -2319,8 +2330,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.6-getenforce.patch b/shadow-4.6-getenforce.patch new file mode 100644 index 0000000..8a55bf5 --- /dev/null +++ b/shadow-4.6-getenforce.patch @@ -0,0 +1,21 @@ +diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c +--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200 ++++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200 +@@ -75,7 +75,7 @@ int set_selinux_file_context (const char + } + return 0; + error: +- if (security_getenforce () != 0) { ++ if (security_getenforce () > 0) { + return 1; + } + return 0; +@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) + selinux_checked = true; + } + if (selinux_enabled) { +- if (setfscreatecon (NULL) != 0) { ++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { + return 1; + } + } diff --git a/shadow-4.6-move-home.patch b/shadow-4.6-move-home.patch new file mode 100644 index 0000000..cff9561 --- /dev/null +++ b/shadow-4.6-move-home.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200 +@@ -1845,6 +1845,11 @@ static void move_home (void) + Prog, prefix_user_home, prefix_user_newhome); + fail_exit (E_HOMEDIR); + } ++ } else { ++ fprintf (stderr, ++ _("%s: The previous home directory (%s) does " ++ "not exist or is inaccessible. Move cannot be completed.\n"), ++ Prog, prefix_user_home); + } + } + diff --git a/shadow-4.1.5.1-orig-context.patch b/shadow-4.6-orig-context.patch similarity index 62% rename from shadow-4.1.5.1-orig-context.patch rename to shadow-4.6-orig-context.patch index c1ddb13..ea522e7 100644 --- a/shadow-4.1.5.1-orig-context.patch +++ b/shadow-4.6-orig-context.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100 -@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * +diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c +--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200 +@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); #ifdef WITH_SELINUX @@ -10,7 +10,7 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db * +@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -19,9 +19,9 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c ---- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100 -+++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100 +diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c +--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ @@ -58,10 +58,10 @@ diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/co return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h ---- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100 -+++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100 -@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200 +@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -70,9 +70,9 @@ diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototy extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c ---- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100 +diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c +--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context @@ -114,15 +114,15 @@ diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c } /* -diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100 -@@ -1759,7 +1759,7 @@ static void create_home (void) +diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200 +@@ -2020,7 +2020,7 @@ static void create_home (void) { - if (access (user_home, F_OK) != 0) { + if (access (prefix_user_home, F_OK) != 0) { #ifdef WITH_SELINUX -- if (set_selinux_file_context (user_home) != 0) { -+ if (set_selinux_file_context (user_home, NULL) != 0) { - fail_exit (E_HOMEDIR); - } - #endif +- if (set_selinux_file_context (prefix_user_home) != 0) { ++ if (set_selinux_file_context (prefix_user_home, NULL) != 0) { + fprintf (stderr, + _("%s: cannot set SELinux context for home directory %s\n"), + Prog, user_home); diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.6-redhat.patch similarity index 52% rename from shadow-4.1.5-redhat.patch rename to shadow-4.6-redhat.patch index a785b29..7a8be2e 100644 --- a/shadow-4.1.5-redhat.patch +++ b/shadow-4.6-redhat.patch @@ -1,8 +1,7 @@ -diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8 -diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c ---- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100 -+++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100 -@@ -93,7 +93,7 @@ const char *Prog; +diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200 +@@ -98,7 +98,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; static const char *def_home = "/home"; @@ -11,7 +10,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static const char *def_template = SKEL_DIR; static const char *def_create_mail_spool = "no"; -@@ -103,7 +103,7 @@ static const char *def_expire = ""; +@@ -108,7 +108,7 @@ static const char *def_expire = ""; #define VALID(s) (strcspn (s, ":\n") == strlen (s)) static const char *user_name = ""; @@ -20,19 +19,19 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha +@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:", #else /* !WITH_SELINUX */ -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U", #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha +@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.6-selinux.patch b/shadow-4.6-selinux.patch new file mode 100644 index 0000000..dfd5140 --- /dev/null +++ b/shadow-4.6-selinux.patch @@ -0,0 +1,115 @@ +diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c +--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200 +@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, + + ret = 0; + ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_seuser_key_free (key); + semanage_handle_destroy (handle); +@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) + } + + ret = 0; ++ ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_handle_destroy (handle); + return ret; +diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200 +@@ -2120,6 +2120,7 @@ static void create_mail (void) + */ + int main (int argc, char **argv) + { ++ int rv = E_SUCCESS; + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + pam_handle_t *pamh = NULL; +@@ -2342,27 +2343,11 @@ int main (int argc, char **argv) + + usr_update (); + +- if (mflg) { +- create_home (); +- if (home_added) { +- copy_tree (def_template, prefix_user_home, false, false, +- (uid_t)-1, user_id, (gid_t)-1, user_gid); +- } else { +- fprintf (stderr, +- _("%s: warning: the home directory already exists.\n" +- "Not copying any file from skel directory into it.\n"), +- Prog); +- } +- +- } +- +- /* Do not create mail directory for system accounts */ +- if (!rflg) { +- create_mail (); +- } +- + close_files (); + ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ + /* + * tallylog_reset needs to be able to lookup + * a valid existing user name, +@@ -2373,8 +2358,9 @@ int main (int argc, char **argv) + } + + #ifdef WITH_SELINUX +- if (Zflg) { +- if (set_seuser (user_name, user_selinux) != 0) { ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ if (set_seuser (user_name, user_selinux) != 0) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); +@@ -2383,14 +2369,31 @@ int main (int argc, char **argv) + "adding SELinux user mapping", + user_name, (unsigned int) user_id, 0); + #endif /* WITH_AUDIT */ +- fail_exit (E_SE_UPDATE); ++ rv = E_SE_UPDATE; ++ } + } + } +-#endif /* WITH_SELINUX */ ++#endif + +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); ++ if (mflg) { ++ create_home (); ++ if (home_added) { ++ copy_tree (def_template, prefix_user_home, false, true, ++ (uid_t)-1, user_id, (gid_t)-1, user_gid); ++ } else { ++ fprintf (stderr, ++ _("%s: warning: the home directory already exists.\n" ++ "Not copying any file from skel directory into it.\n"), ++ Prog); ++ } ++ ++ } ++ ++ /* Do not create mail directory for system accounts */ ++ if (!rflg) { ++ create_mail (); ++ } + +- return E_SUCCESS; ++ return rv; + } + diff --git a/shadow-4.6-usermod-crash.patch b/shadow-4.6-usermod-crash.patch new file mode 100644 index 0000000..d2861b3 --- /dev/null +++ b/shadow-4.6-usermod-crash.patch @@ -0,0 +1,42 @@ +diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c +--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200 +@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi + { + long long int gid; + char *endptr; ++ struct group *g; + + if (NULL == grname) { + return NULL; +@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi + && (gid == (gid_t)gid)) { + return prefix_getgrgid ((gid_t) gid); + } +- return prefix_getgrnam (grname); ++ g = prefix_getgrnam (grname); ++ return g ? __gr_dup(g) : NULL; + } + else + return getgr_nam_gid(grname); +diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200 +@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha + prefix_user_home = xmalloc(len); + wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home); + assert (wlen == (int) len -1); ++ if (user_newhome) { ++ len = strlen(prefix) + strlen(user_newhome) + 2; ++ prefix_user_newhome = xmalloc(len); ++ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); ++ assert (wlen == (int) len -1); ++ } + +- len = strlen(prefix) + strlen(user_newhome) + 2; +- prefix_user_newhome = xmalloc(len); +- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); +- assert (wlen == (int) len -1); + } + else { + prefix_user_home = user_home; diff --git a/shadow-utils.spec b/shadow-utils.spec index b47ae15..40be79a 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,54 +1,55 @@ +# they warn against doing this ... +%define _disable_source_fetch 0 +%define srcname shadow-utils + Summary: Utilities for managing accounts and shadow password files -Name: shadow-utils -Version: 4.2.1 -Release: 8%{?dist} +Name: %{srcname}46 +Version: 4.6 +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz -Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig -Source1: shadow-utils.login.defs +Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz +Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source2: shadow-utils.useradd +Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -Patch0: shadow-4.1.5-redhat.patch -Patch1: shadow-4.1.5.1-goodname.patch +Patch0: shadow-4.6-redhat.patch +Patch1: shadow-4.5-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch3: shadow-4.1.5-uflg.patch -Patch6: shadow-4.1.5.1-selinux.patch -Patch7: shadow-4.1.5-2ndskip.patch -Patch8: shadow-4.1.5.1-backup-mode.patch -Patch9: shadow-4.2.1-merge-group.patch -Patch10: shadow-4.1.5.1-orig-context.patch +Patch6: shadow-4.6-selinux.patch +Patch10: shadow-4.6-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch -Patch12: shadow-4.1.5.1-errmsg.patch -Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.2.1-manfix.patch +Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch -Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch -Patch20: shadow-4.1.5.1-ingroup.patch -Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.2.1-audit-update.patch -Patch23: shadow-4.2.1-usermod-unlock.patch +Patch21: shadow-4.6-move-home.patch +Patch22: shadow-4.6-audit-update.patch +Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch25: shadow-4.2.1-defs-chroot.patch -Patch26: shadow-4.2.1-lastlog-unexpire.patch -Patch27: shadow-4.2.1-user-busy.patch +Patch28: shadow-4.3.1-selinux-perms.patch +Patch29: shadow-4.2.1-null-tm.patch +Patch31: shadow-4.6-getenforce.patch +Patch32: shadow-4.5-crypt_h.patch +Patch33: shadow-4.5-long-entry.patch +Patch34: shadow-4.6-usermod-crash.patch License: BSD and GPLv2+ Group: System Environment/Base +BuildRequires: gcc BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel -BuildRequires: libacl-devel libattr-devel -BuildRequires: bison flex gnome-doc-utils -#BuildRequires: autoconf, automake, libtool, gettext-devel +BuildRequires: libacl-devel, libattr-devel +BuildRequires: bison, flex, gnome-doc-utils, docbook-style-xsl, docbook-dtds +BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 Requires: setup Requires(pre): coreutils Requires(post): coreutils +Requires: %{name}-newxidmap = %{version}-%{release} Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -63,50 +64,40 @@ for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts. +%package newxidmap +Summary: only the newuidmapp and newgidmap from shadow-utils +%description newxidmap +%{summary}. + %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir -%patch3 -p1 -b .uflg %patch6 -p1 -b .selinux -%patch7 -p1 -b .2ndskip -%patch8 -p1 -b .backup-mode -%patch9 -p1 -b .merge-group %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg -%patch12 -p1 -b .errmsg -%patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel -%patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing -%patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos -%patch25 -p1 -b .defs-chroot -%patch26 -p1 -b .unexpire -%patch27 -p1 -b .user-busy +%patch28 -p1 -b .selinux-perms +%patch29 -p1 -b .null-tm +%patch31 -p1 -b .getenforce +%patch32 -p1 -b .crypt_h +%patch33 -p1 -b .long-entry +%patch34 -p1 -b .usermod-crash iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . -rm libmisc/getdate.c - -#rm po/*.gmo -#rm po/stamp-po -#aclocal -#libtoolize --force -#automake -a -#autoconf - %build - %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -116,6 +107,11 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +rm aclocal.m4 +aclocal +libtoolize --force + +autoreconf %configure \ --enable-shadowgrp \ --enable-man \ @@ -126,18 +122,17 @@ export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --without-libpam \ --disable-shared \ --with-group-name-max-length=32 -make +%make_build %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs +%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default -install -p -c -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs +install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser -#ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 @@ -156,7 +151,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd rm $RPM_BUILD_ROOT/%{_sbindir}/nologin -rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.* @@ -185,8 +179,6 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* -rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* -rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.* @@ -204,11 +196,7 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do echo "%%lang($lang) $dir/man*/*" >> shadow.lang done -%clean -rm -rf $RPM_BUILD_ROOT - %files -f shadow.lang -%defattr(-,root,root) %doc NEWS doc/HOWTO README %{!?_licensedir:%global license %%doc} %license gpl-2.0.txt shadow-bsd.txt @@ -219,8 +207,6 @@ rm -rf $RPM_BUILD_ROOT %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp -%attr(4755,root,root) %{_bindir}/newgidmap -%attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/group* @@ -228,6 +214,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/pwck %{_sbindir}/*conv %{_sbindir}/chpasswd +%{_sbindir}/chgpasswd %{_sbindir}/newusers %{_sbindir}/vipw %{_sbindir}/vigr @@ -235,8 +222,6 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* -%{_mandir}/man1/newgidmap.1* -%{_mandir}/man1/newuidmap.1* %{_mandir}/man3/shadow.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* @@ -249,13 +234,80 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/pwck.8* %{_mandir}/man8/grpck.8* %{_mandir}/man8/chpasswd.8* +%{_mandir}/man8/chgpasswd.8* %{_mandir}/man8/newusers.8* %{_mandir}/man8/*conv.8* %{_mandir}/man8/lastlog.8* %{_mandir}/man8/vipw.8* %{_mandir}/man8/vigr.8* +%files newxidmap +%attr(4755,root,root) %{_bindir}/newgidmap +%attr(4755,root,root) %{_bindir}/newuidmap +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* + %changelog +* Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon May 28 2018 Tomáš Mráz - 2:4.6-1 +- update to current upstream release 4.6 + +* Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 +- Raise limit for passwd and shadow entry length but also prevent + writing longer entries (#1422497) + +* Tue Feb 06 2018 Björn Esser - 2:4.5-9 +- Add patch to include crypt.h, if present +- Use %%make_{build,install} macros +- Refresh other patches for proper alignment + +* Sat Jan 20 2018 Björn Esser - 2:4.5-8 +- Rebuilt for switch to libxcrypt + +* Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 +- fix regression caused by the userdel-chroot patch (#1509978) + +* Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 +- fix userdel in chroot (#1316168) +- add useful chage -E example to chage manpage + +* Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 +- do not allow "." and ".." user names + +* Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 +- allow switching to secondary group without checking the membership + explicitly (patch from upstream) + +* Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 +- update to current upstream release 4.5 + +* Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2 +- fix regression in useradd - not processing defaults properly (#1369979) + +* Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1 +- new upstream release fixing low impact security issue + +* Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 +- guard for localtime() and gmtime() failure + +* Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 +- chpasswd, chgpasswd: open audit when starting + +* Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 +- chgpasswd: do not remove it +- chpasswd, chgpasswd: add selinux_check_access call (#1336902) + * Thu Mar 17 2016 Tomáš Mráz - 2:4.2.1-8 - userdel: fix userdel -f with /etc/subuid present (#1316168) diff --git a/sources b/sources deleted file mode 100644 index 9a96021..0000000 --- a/sources +++ /dev/null @@ -1,2 +0,0 @@ -2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz -6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig diff --git a/sources.bak b/sources.bak new file mode 100644 index 0000000..2093465 --- /dev/null +++ b/sources.bak @@ -0,0 +1,2 @@ +SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631 +SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed diff --git a/tests/sanity/Makefile b/tests/sanity/Makefile new file mode 100644 index 0000000..386221b --- /dev/null +++ b/tests/sanity/Makefile @@ -0,0 +1,77 @@ +# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material +# is made available to anyone wishing to use, modify, copy, or +# redistribute it subject to the terms and conditions of the GNU General +# Public License v.2. +# +# This program is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# Author: Jakub Hrozek + +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# +# Example Makefile for RHTS # +# This example is geared towards a test for a specific package # +# It does most of the work for you, but may require further coding # +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# + +# The toplevel namespace within which the test lives. +TOPLEVEL_NAMESPACE=CoreOS + +# The name of the package under test: +PACKAGE_NAME=shadow-utils + +# The path of the test below the package: +RELATIVE_PATH=sanity + +# Version of the Test. Used with make tag. +export TESTVERSION=1.1 + +# The combined namespace of the test. +export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH) + +# A phony target is one that is not really the name of a file. +# It is just a name for some commands to be executed when you +# make an explicit request. There are two reasons to use a +# phony target: to avoid a conflict with a file of the same +# name, and to improve performance. +.PHONY: all install download clean + +# Executables to be built should be added here, they will be generated on the system under test. +BUILT_FILES= + +# Data files, .c files, scripts anything needed to either compile the test and/or run it. +FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x ./sanity_test.py + chmod a+x ./runtest.sh + +clean: + rm -f *~ *.rpm $(BUILT_FILES) + +# Include Common Makefile +include /usr/share/rhts/lib/rhts-make.include + +# Generate the testinfo.desc here: +$(METADATA): Makefile + @touch $(METADATA) + @echo "Owner: Jakub Hrozek " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "License: GNU GPL" >> $(METADATA) + @echo "Description: Basic sanity test for shadow-utils" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA) + @echo "Requires: $(PACKAGE_NAME)" >> $(METADATA) + @echo "Requires: python" >> $(METADATA) + rhts-lint $(METADATA) + diff --git a/tests/sanity/PURPOSE b/tests/sanity/PURPOSE new file mode 100644 index 0000000..27062e1 --- /dev/null +++ b/tests/sanity/PURPOSE @@ -0,0 +1,10 @@ +This is a basic sanity test for the shadow-utils package. It is implemented +in python on top of the unittesting.py module. + +Its purpose is to ensure that the binaries in the shadow-utils package behave +as expected and its switches/options work correctly. + +For the most part, every binary in the shadow-utils package is represented by +a single class named Test, i.e. TestUsermod etc. There are some +exceptions, like TestUseraddWeirdNameTest though. + diff --git a/tests/sanity/runtest.sh b/tests/sanity/runtest.sh new file mode 100755 index 0000000..cb2a2b5 --- /dev/null +++ b/tests/sanity/runtest.sh @@ -0,0 +1,24 @@ +#!/bin/bash +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +rlJournalStart +rlFileBackup --clean /etc/default/useradd- /etc/default/useradd +setenforce 0 +python sanity_test.py -v +setenforce 1 +rlFileRestore + +EXIT=$? +if [[ $EXIT -eq 0 ]]; then + RESULT="PASS" +else + RESULT="FAIL" +fi + + +rlJournalEnd + +echo "Result: $RESULT" +echo "Exit: $EXIT" +report_result $TEST $RESULT $EXIT diff --git a/tests/sanity/sanity_test.py b/tests/sanity/sanity_test.py new file mode 100755 index 0000000..e9c45c2 --- /dev/null +++ b/tests/sanity/sanity_test.py @@ -0,0 +1,1013 @@ +#!/usr/bin/env python +""" +A script that tests functionality of the shadow-utils package. + +Author: Jakub Hrozek, +License: GNU GPL v2 +Date: 2007 + +TODO: + * tests for password aging + * if something fails, print out the command issued for easier debugging + * test long options variants along with the short ones +""" + +import unittest +import pwd +import grp +import commands +import os +import os.path +import sys +import copy +import tempfile +import rpm +import shutil + +from UserDict import UserDict + +class RedHatVersion(object): + def __init__(self, type=None, version=None, release=None): + self.type = type + self.version = version + self.release = release + self.rhel = False + + def __eq__( self, other): + """ + Don't compare if either of the values is None + so we can do comparisons like 'is it fedora?' or 'is it rhel4?' + """ + ok = (self.type == other.type) + if ok == False: return False + + if self.version and other.version: + ok = (self.version == other.version) + if ok == False: return False + + if (self.release == other.release): + ok = (self.release == other.release) + + return ok + + def __ne__( self, other): + return not self.__eq__(other) + + def __get_fedora_info(self, mi): + return [ (h['version'],h['release']) for h in mi ][0] + + def __get_rhel_info(self, mi): + # The rules for RHEL versions are braindead..releases even more + ver_rpm, rel_rpm = [ (h['version'],h['release']) for h in mi ][0] + rhel_versions = { '3AS' : 3, '4AS' : 4, '5Server' : 5, '5Client' : 5, '6' : 6 } + if ver_rpm[:3] == '5.9' or ver_rpm[:1] == '6': # rhel6 prerelease and release hack + rhel_versions[ver_rpm] = 6 + if ver_rpm in rhel_versions.keys(): + return (rhel_versions[ver_rpm], rel_rpm) + + def is_rhel(self): + return self.rhel + + def get_info(self): + """ + Returns a tuple containing (type, version, release) of RHEL or Fedora. + Type is either RHEL or Fedora. + Returns None if it cannot parse the info + """ + + ts = rpm.TransactionSet() + mi = ts.dbMatch() + mi.pattern('name', rpm.RPMMIRE_GLOB, 'redhat-release*') + + if mi: + self.rhel = True + return ('RHEL',) + self.__get_rhel_info(mi) + else: + mi = ts.dbMatch('name','fedora-release') + self.rhel = False + if mi.count() != 0: + return ('Fedora',) + self.__get_fedora_info(mi) + + return None + + +class UserInfo(UserDict): + fields = { "pw_name" : 0, "pw_passwd" : 1, "pw_uid" : 2, "pw_gid" : 3, + "pw_gecos" : 4, "pw_dir" : 5, "pw_shell" : 6 } + + def __init__(self): + UserDict.__init__(self) + for f in UserInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in UserInfo.fields: + self[f] = struct[UserInfo.fields[f]] + + def get_info_uid(self, uid): + self.__parse_info(pwd.getpwuid(uid)) + + def get_info_name(self, name): + try: + self.__parse_info(pwd.getpwnam(name)) + except KeyError: + return None + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. """ + for field in UserInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class GroupInfo(UserDict): + fields = { "gr_name" : 0, "gr_passwd" : 1, + "gr_gid" : 2, "gr_mem" : 3} + + def __init__(self): + UserDict.__init__(self) + for f in GroupInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in GroupInfo.fields: + self[f] = struct[GroupInfo.fields[f]] + + def get_info_gid(self, gid): + self.__parse_info(grp.getgrgid(gid)) + + def get_info_name(self, name): + self.__parse_info(grp.getgrnam(name)) + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. """ + for field in GroupInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class LoginDefsParser(UserDict): + "A quick-n-dirty way how to fetch the defaults from /etc/login.defs into a dictionary" + + def __getitem__(self, key): + try: + return UserDict.__getitem__(self, key) + except KeyError: + # if a name-value is not defined in the config file, return defaults + if key == "CREATE_MAIL_SPOOL": + return "yes" + if key == "UMASK": + return "077" + + def __init__(self, path="/etc/login.defs",split=None): + self.path = path + UserDict.__init__(self) + try: + defs = open(path) + except IOError: + print "Could not open the config file %s" % (path) + + for line in defs: + if line.startswith('#'): continue + fields = line.split(split) + if len(fields) != 2: continue # yeah, we're dirty + self.data[fields[0]] = fields[1] + + def serialize(self): + output = open(self.path, "w+") + for k,v in self.data.items(): + output.write("%s=%s" % (k, v)) + + output.write("\n") + output.close() + +class TestUserInfo(unittest.TestCase): + def testLazyCompare(self): + """ (test sanity): Test comparing two UserInfo records """ + a = UserInfo() + a["pw_name"] = "foo" + a["pw_uid"] = 555 + b = copy.deepcopy(a) + c = UserInfo() + + self.assertEqual(a.lazy_compare(b), True) + self.assertEqual(a.lazy_compare(c), True) + + c["pw_name"] = "foo" + c["pw_uid"] = None + self.assertEqual(a.lazy_compare(c), True) + self.assertEqual(c.lazy_compare(a), False) + + c["pw_name"] = "bar" + self.assertNotEqual(a.lazy_compare(c), True) + + def testGetInfoUid(self): + """ (test sanity): Test getting user info based on his UID """ + a = UserInfo() + a.get_info_uid(0) + self.assertEqual(a["pw_name"], "root") + + def testGetInfoName(self): + """ (test sanity): Test getting user info based on his name """ + a = UserInfo() + a.get_info_name("root") + self.assertEqual(a["pw_uid"], 0) + +class ShadowUtilsTestBase: + """ Handy routines """ + def getDefaults(self): + # get the default values for so we can compare against that + (status, defaults_str) = commands.getstatusoutput('useradd -D') + if status != 0: + raise RuntimeError("Could not get the default values for useradd") + return dict([ rec.split("=") for rec in defaults_str.split("\n") ]) + + def getDefaultUserInfo(self, username): + expected = UserInfo() + defaults = self.getDefaults() + + expected["pw_name"] = username + expected["pw_dir"] = defaults["HOME"] + "/" + username + expected["pw_shell"] = defaults["SHELL"] + + return expected + +class TestUseradd(ShadowUtilsTestBase, unittest.TestCase): + def setUp(self): + self.username = "test-shadow-utils-useradd" + + def tearDown(self): + commands.getstatusoutput("userdel -r %s" % (self.username)) + + def testBasicAdd(self): + """ useradd: Tests basic adding of a user """ + expected = self.getDefaultUserInfo(self.username) + + runme = "useradd %s" % (self.username) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user\nIssued command: %s" % (runme)) + + def testExistingUser(self): + """ useradd: Test that user with an existing name cannot be added """ + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(commands.getstatusoutput("useradd %s" % (self.username))[0], 0, "FAIL: User that already exists added") + + def testCustomUID(self): + """ useradd: Adding an user with a specific UID """ + UID = 23456 # FIXME - test for a free UID slot first + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + runme = "useradd %s -u %d" % (self.username, UID) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, "Issued command: %s\n" % (runme) + "Got from useradd: %s\n" % (output)) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific UID\nIssued command: %s" % (runme)) + + def testNegativeUID(self): + """ useradd: Tests that user cannot have a negative UID assigned """ + self.assertNotEqual(commands.getstatusoutput("useradd %s --uid -5" % (self.username))[0], 0, "FAIL: User with UID < 0 added") + + def testCustomExistingUID(self): + """ useradd: Adding a user with a specific existing UID """ + UID = 32112 + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + (status_u, output_u) = commands.getstatusoutput("useradd %s -u %d" % (self.username, UID)) + + # must fail without -o flag + (status_u_no_o, output_u_no_o) = commands.getstatusoutput("useradd foo -u %d" % (UID)) + + # must pass with -o flag + (status_o, output_o) = commands.getstatusoutput("useradd foo -u %d -o" % (UID)) + + # clean up + (status, output) = commands.getstatusoutput("userdel -r foo") + + self.failUnlessEqual(status_u, 0, "FAIL: cannot add an user with a specified UID\n"+output_u) + self.assertEqual(status_o, 0, "FAIL: cannot add an user with an existing UID using the -o flag\n"+output_o) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(status_u_no_o, 0, "FAIL: user with an existing UID added\n"+output_u_no_o) + + def testCustomGID(self): + """ useradd: Adding an user with a specific GID """ + GID = 100 # users group should be everywhere - should we test before? + expected = self.getDefaultUserInfo(self.username) + expected["pw_gid"] = GID + + (status, output) = commands.getstatusoutput("useradd %s -g %d" % (self.username, GID)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific GID") + + def testCustomShell(self): + """ useradd: Adding an user with a specific login shell """ + shell = "/bin/ksh" + expected = self.getDefaultUserInfo(self.username) + expected["pw_shell"] = shell + + (status, output) = commands.getstatusoutput("useradd %s -s %s" % (self.username, shell)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific shell") + + def testCustomHome(self): + """ useradd: Adding an user with a specific home directory """ + home = "/tmp/useradd-test" + os.mkdir(home) + expected = self.getDefaultUserInfo(self.username) + expected["pw_dir"] = home + + (status, output) = commands.getstatusoutput("useradd %s -d %s" % (self.username, home)) + shutil.rmtree(home) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific home") + + def testSystemAccount(self): + """ useradd: Adding a system user (UID < UID_MIN from /etc/login.defs) """ + defaults = LoginDefsParser() + + # system account with no home dir + expected = self.getDefaultUserInfo(self.username) + + (status, output) = commands.getstatusoutput("useradd -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(os.path.exists(created["pw_dir"]), False, "FAIL: System user has a home dir created") + self.assertEqual(created["pw_uid"] < defaults['UID_MIN'], True, "FAIL: System user has UID > UID_MIN") + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system user") + + def testAddToMoreGroups(self): + """ useradd: Creating an user that belongs to more than one group """ + (status, output) = commands.getstatusoutput("useradd -G bin %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + gr_bin = GroupInfo() + gr_bin.get_info_name("bin") + self.assertEqual(self.username in gr_bin["gr_mem"], True, "FAIL: User not in supplementary group after usermod -G -a") + + + def testAddWithCommonName(self): + """ useradd: Specifying a comment (user for account name) """ + comment = "zzzzzz" + (status, output) = commands.getstatusoutput("useradd -c %s %s" % (comment, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created["pw_gecos"], comment, "FAIL: failed to create a user with a GECOS comment") + + def testHomePermissions(self): + """ useradd: Check if permissions on newly created home dir match the umask """ + defaults = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + + import stat + perm = os.stat(created["pw_dir"])[stat.ST_MODE] + mode = int(oct(perm & 0777)) + + self.assertEqual(defaults["UMASK"], "077", "FAIL: umask setting is not sane - is %s, should be 077" % (defaults["UMASK"])) + self.assertEqual(int(defaults["UMASK"]) + mode , 777, "FAIL: newly-created home dir does not match the umask") + + def testCreateMailSpool(self): + """ useradd: Check whether the mail spool gets created when told to""" + # set up creating of mail spool + defaults = LoginDefsParser("/etc/default/useradd", split="=") + + create_mail = defaults["CREATE_MAIL_SPOOL"] + defaults["CREATE_MAIL_SPOOL"] = "yes" + defaults.serialize() + + login_defs = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # clean up + defaults["CREATE_MAIL_SPOOL"] = create_mail + defaults.serialize() + self.assertEqual(os.path.exists(login_defs["MAIL_DIR"] + "/" + self.username), True, "FAIL: useradd did not create mail spool") + + def testDefaultMailSettings(self): + """ useradd: Check whether the mail spool is on by default""" + defaults = LoginDefsParser("/etc/default/useradd", split="=") + self.assertEqual(defaults["CREATE_MAIL_SPOOL"], "yes\n") + + def testNoLastlog(self): + """ useradd: Check if the -l option prevents from being added to the lastlog """ + pass # FIXME - add some code here + + +class TestUseraddWeirdNameTest(unittest.TestCase, ShadowUtilsTestBase): + """ Tests addition/removal of usernames that have proven to be problematic in the past. + The reason to separate these from the main useradd test suite is to not run the setUp + and tearDown methods """ + + def addAndRemove(self, username, success=True): + expected = self.getDefaultUserInfo(username) + expected["pw_name"] = username + + (status, output) = commands.getstatusoutput("useradd %s" % (username)) + if success: + self.failUnlessEqual(status, 0, output) + else: + self.failIfEqual(status, 0, output) + return True + + created = UserInfo() + created.get_info_name(username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: TestUseraddWeirdName::addAndRemove - could not add a user") + + # the cleanup method won't help this time + (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) + self.failUnlessEqual(status, 0, output) + + def testNumericName(self): + """ useradd: Test if an user with a purely numerical name can be added (123) """ + return self.addAndRemove("123") + + def testSambaName(self): + """ useradd: Test if an user with a name with a dollar at the end can be added (joepublic$ ) """ + return self.addAndRemove("joepublic$") + + def testDotInName(self): + """ useradd: Test if an user with a name with a dot in it can be added (joe.public ) """ + return self.addAndRemove("joe.public") + + def testAtInName(self): + """ useradd: Test if an user with an '@' in name can be added (joe@public.com) - should fail """ + return self.addAndRemove("joe@public.com", False) + + def testUppercase(self): + """ useradd: Test if an user with UPPERCASE or Uppercase name can be added """ + return self.addAndRemove("JOEPUBLIC") + return self.addAndRemove("Joepublic") + +class TestUseraddDefaultsChange(unittest.TestCase, ShadowUtilsTestBase): + def testDefaultsChange(self): + """ useradd: Test overriding default settings (shell, home dir, group) with a -D option """ + save = self.getDefaults() + + new_defs = dict() + new_defs["SHELL"] = "/bin/ksh" + new_defs["GROUP"] = "1" + new_defs["HOME"] = "/tmp" + + command = "useradd -D -s%s -g%s -b%s" % (new_defs["SHELL"], new_defs["GROUP"], new_defs["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + overriden = self.getDefaults() + [ self.assertEqual(overriden[k], new_defs[k]) for k in new_defs.keys() ] + + command = "useradd -D -s%s -g%s -b%s" % (save["SHELL"], save["GROUP"], save["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + +class TestUserdel(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.username = "test-shadow-utils-userdel" + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def testRemoveUserGroup(self): + """ userdel: test if userdel removes user's group when he's deleted - regression test for #201379 """ + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # This would fail if we did not have the group removed + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + +class TestUsermod(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.username = "test-shadow-utils-usermod" + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def tearDown(self): + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def testAppendToSupplementaryGroup(self): + """ usermod: Test if a user can be added to a supplementary group """ + add_group = "additional_group" + (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) + self.failUnlessEqual(status, 0, output) + + (status_mod, output_mod) = commands.getstatusoutput("usermod -a -G %s %s" % (add_group, self.username)) + add_group_info = GroupInfo() + add_group_info.get_info_name(add_group) + (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) + + self.failUnlessEqual(status, 0, output) + self.failUnlessEqual(status_mod, 0, output_mod) + self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") + + + def testAppendToSupplementaryGroupLongOption(self): + """ usermod: Test if a user can be added to a supplementary group via --append rather that -a (regression test for 222540) """ + # this is known to not work on older RHELs - test what we are running + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 5: + print "This test makes sense for RHEL5+" + return + else: + if runs[1] < 6: + print "This test makes sense for Fedora 6+" + return + + type, release, version = RedHatVersion().get_info() + if RedHatVersion().is_rhel(): + if release < 5 or (release == 5 and version < 2): + print "This test makes sense for RHEL 5.2+" + return + + add_group = "additional_group" + (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) + self.failUnlessEqual(status, 0, output) + + (status_mod, output_mod) = commands.getstatusoutput("usermod --append -G %s %s" % (add_group, self.username)) + add_group_info = GroupInfo() + add_group_info.get_info_name(add_group) + (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) + + self.failUnlessEqual(status, 0, output) + self.failUnlessEqual(status_mod, 0, output_mod) + self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") + + + def testNameChange(self): + """ usermod: Test if the comment field (used as the Common Name) can be changed """ + new_comment = "zzzzzz" + + (status, output) = commands.getstatusoutput("usermod -c %s %s" % (new_comment, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + + self.assertEqual(created["pw_gecos"], new_comment) + + def testHomeChange(self): + """ usermod: Test if user's home directory can be changed """ + new_home = "/tmp" + created = UserInfo() + created.get_info_name(self.username) + old_home = created["pw_dir"] + + (status, output) = commands.getstatusoutput("usermod -d %s %s" % (new_home, self.username)) + self.failUnlessEqual(status, 0, output) + + created.get_info_name(self.username) + self.assertEqual(created["pw_dir"], new_home) + + # revert to old home so we can userdel -r in tearDown + (status, output) = commands.getstatusoutput("usermod -d %s %s" % (old_home, self.username)) + self.failUnlessEqual(status, 0, output) + + # FIXME - test if contents of /home directories are transferred with the -m option + # FIXME - test if new home is created if does not exist before + + def testGIDChange(self): + """ usermod: Test if user's gid can be changed. """ + new_group = "root" + # test non-existing group + (status_fail, output_fail) = commands.getstatusoutput("usermod -g no-such-group %s" % (self.username)) + (status, output) = commands.getstatusoutput("usermod -g %s %s" % (new_group, self.username)) + + created = UserInfo() + created.get_info_name(self.username) + + left = GroupInfo() + if left.get_info_name(self.username) == None: + (status_del, output_del) = commands.getstatusoutput("groupdel %s" % (self.username)) + self.failUnlessEqual(status_del, 0, output_del) + + self.failIfEqual(status_fail, 0, output_fail) + self.failUnlessEqual(status, 0, output) + self.assertEqual(created["pw_gid"], 0) #0 is root group + + def testLoginChange(self): + """ usermod: Test if user's login can be changed """ + new_login = "usermod-login-change" + user = UserInfo() + user.get_info_name(self.username) + uid = user["pw_uid"] # UID won't change even when login does + + # test changing to an existing user name + (status, output) = commands.getstatusoutput("usermod -l root %s" % (self.username)) + self.failIfEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("usermod -l %s %s" % (new_login, self.username)) + self.failUnlessEqual(status, 0, output) + user.get_info_name(new_login) + self.assertEqual(user["pw_uid"], uid) + + # revert so we can userdel -r on tearDown + (status, output) = commands.getstatusoutput("usermod -l %s %s" % (self.username, new_login)) + self.failUnlessEqual(status, 0, output) + + def testShellChange(self): + """ usermod: Test if user's shell can be changed """ + new_shell = "/bin/sh" + + (status, output) = commands.getstatusoutput("usermod -s %s %s" % (new_shell, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created["pw_shell"], new_shell) + +class TestGroupadd(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.groupname = "test-shadow-utils-groups" + + def tearDown(self): + commands.getstatusoutput("groupdel %s" % (self.groupname)) + + def testAddGroup(self): + """ groupadd: Basic adding of a group """ + + expected = GroupInfo() + expected["gr_name"] = self.groupname + + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a group") + + def testAddSystemGroup(self): + """ groupadd: Adding a system group with gid < MIN_GID """ + + expected = GroupInfo() + expected["gr_name"] = self.groupname + defaults = LoginDefsParser() + + (status, output) = commands.getstatusoutput("groupadd -r %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created["gr_gid"] < defaults["GID_MIN"], True, "FAIL: System group has gid >= GID_MIN") + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system group") + + def testAddExistingGid(self): + """ groupadd: Test if we group with an existing GID can be added """ + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + gname = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + # no -o option -> this should fail + (status, output) = commands.getstatusoutput("groupadd -g%s %s" % (created["gr_gid"], gname)) + self.failIfEqual(status, 0, output) + + # override with -o option, should pass now + (status, output) = commands.getstatusoutput("groupadd -g%s -o %s" % (created["gr_gid"], gname)) + self.failUnlessEqual(status, 0, output) + + # test if the new GID is really the same + same_gid = GroupInfo() + same_gid.get_info_name(gname) + self.assertEqual(same_gid["gr_gid"], created["gr_gid"]) + + # clean up + (status, output) = commands.getstatusoutput("groupdel %s" % (gname)) + self.failUnlessEqual(status, 0, output) + + + def testOverrideDefaults(self): + """ groupadd: Test if the defaults can be overriden with the -K option """ + # this is known to not work on older RHELs - test what we are running + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 5: + print "This test makes sense for RHEL5+" + return + else: + if runs[1] < 6: + print "This test makes sense for Fedora 6+" + return + + + GID_MIN = 600 + GID_MAX = 625 + + (status, output) = commands.getstatusoutput("groupadd -K GID_MIN=%d -K GID_MAX=%d %s" % + (GID_MIN, GID_MAX, self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(GID_MIN <= created["gr_gid"] <= GID_MAX, True, "FAIL: created an user with UID of %d" % (created["gr_gid"])) + + + def testFOption(self): + """ groupadd: Tests the -f option of groupadd """ + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("groupadd -f %s" % (self.groupname)) + self.assertEqual(status, 0, output) + +class TestGroupaddInvalidName(unittest.TestCase, ShadowUtilsTestBase): + def testGroupaddInvalidName(self): + """ groupadd: Test adding of a group with an invalid name """ + (status, output) = commands.getstatusoutput("groupadd foo?") + self.assertNotEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffggg") #33 chars + self.assertNotEqual(status, 0, output) + +class TestGroupaddValidName(unittest.TestCase, ShadowUtilsTestBase): + def testGroupaddValidName(self): + """ groupadd: Test adding and removing of groups with maximal valid name and name ending with $ """ + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars + self.assertEqual(status, 0, output) + + +class TestGroupmod(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.groupname = "test-shadow-utils-groups" + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + def tearDown(self): + commands.getstatusoutput("groupdel %s" % (self.groupname)) + + def testChangeGID(self): + """ groupmod: Test changing a gid of a group """ + expected = GroupInfo() + expected["gr_name"] = self.groupname + expected["gr_gid"] = 54321 + + (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (expected["gr_gid"], self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group") + + def testChangeGIDToExistingValue(self): + """ groupmod: Test changing GID to an existing value """ + second_name = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + expected = GroupInfo() + expected["gr_name"] = self.groupname + expected["gr_gid"] = created["gr_gid"] + + (status, output) = commands.getstatusoutput("groupadd %s" % (second_name)) + self.failUnlessEqual(status, 0, output) + + # try to assingn GID of the first group to the second - this should fail without the -o option + (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (created["gr_gid"], second_name)) + self.failIfEqual(status, 0, output) + + # should pass with the -o option + (status, output) = commands.getstatusoutput("groupmod -g%d -o %s" % (created["gr_gid"], second_name)) + self.failUnlessEqual(status, 0, output) + + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group to an existing one") + + # clean up + commands.getstatusoutput("groupdel %s" % (second_name)) + self.failUnlessEqual(status, 0, output) + + def testChangeGroupName(self): + """ groupmod: Test changing a group's name """ + second_name = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (second_name, self.groupname)) + self.failUnlessEqual(status, 0, output) + + changed = GroupInfo() + changed.get_info_gid(created["gr_gid"]) + self.assertEqual(changed["gr_name"], second_name) + self.assertEqual(changed["gr_gid"], created["gr_gid"]) + + # change back, so the group could be deleted by tearDown + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (self.groupname, second_name)) + self.failUnlessEqual(status, 0, output) + + def testChangeGroupNameExisting(self): + """ groupmod: Test changing a group's name to an existing one """ + existing = "bin" + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (existing, self.groupname)) + self.assertNotEqual(status, 0, output) # man groupmod -> 9: group name already in use + + def testChangeNonExistingGroup(self): + """ groupmod: Test properties of a non-existing group """ + nonexistent = "foobar" + (status, output) = commands.getstatusoutput("groupmod -nspameggs %s" % (nonexistent)) + self.assertNotEqual(status, 0, status) # man groupmod -> 6: specified group doesn't exist + +class TestGroupdel(unittest.TestCase, ShadowUtilsTestBase): + def testCorrectGroupdel(self): + """ groupdel: Basic usage of groupdel """ + self.groupname = "test-shadow-utils-groups" + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel %s" % (self.groupname)) + self.assertEqual(status, 0, output) + + def testGroupdelNoSuchGroup(self): + """ groupdel: Remove non-existing group """ + (status, output) = commands.getstatusoutput("groupdel foobar") + self.assertNotEqual(status, 0, output) + + def testRemovePrimaryGroup(self): + """ groupdel: Remove a primary group of an user """ + username = "test-groupdel-primary" + (status, output) = commands.getstatusoutput("useradd %s" % (username)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("groupdel %s" % (username)) + self.assertNotEqual(status, 0, output) + + # clean up + (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) + self.failUnlessEqual(status, 0, output) + +class TestPwckGrpck(unittest.TestCase): + def setUp(self): + self.passwd_path = tempfile.mktemp(suffix="test-pwck-passwd") + self.passwd_file = open(self.passwd_path, "w") + self.group_path = tempfile.mktemp(suffix="test-pwck-grp") + self.group_file = open(self.group_path, "w") + self.gshadow_path = tempfile.mktemp(suffix="test-pwck-gshadow") + self.gshadow_file = open(self.gshadow_path, "w") + + def tearDown(self): + self.passwd_file.close() + self.group_file.close() + self.gshadow_file.close() + + os.remove(self.passwd_path) + os.remove(self.group_path) + os.remove(self.gshadow_path) + + def runPwckCheck(self, passwd, group): + self.passwd_file.truncate() + self.group_file.truncate() + + self.passwd_file.write(passwd) + self.passwd_file.flush() + self.group_file.write(group) + self.group_file.flush() + + command = "pwck -r %s %s" % (self.passwd_path, self.group_path) + return commands.getstatusoutput(command) + + def runGrpCheck(self, group, gshadow): + self.group_file.truncate() + self.gshadow_file.truncate() + + self.gshadow_file.write(gshadow) + self.gshadow_file.flush() + + self.group_file.write(group) + self.group_file.flush() + + command = "grpck -r %s %s" % (self.group_path, self.gshadow_path) + return commands.getstatusoutput(command) + + + def testValidEntries(self): + """ pwck: a valid entry """ + status, output = self.runPwckCheck("foo:x:685:0::/dev/null:/bin/bash", "") + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 6: + self.assertEqual(status, 0, output) + else: + self.assertNotEqual(status, 0, output) + + def testNumberOfFields(self): + """ pwck: invalid number of fields in the record """ + not_enough = "foo:x:685:685::/dev/null" + too_many = "foo:x:685:685::/dev/null:/bin/bash:comment" + status, output = self.runPwckCheck(not_enough, "") + self.assertNotEqual(status, 0, output) + + status, output = self.runPwckCheck(too_many, "") + self.assertNotEqual(status, 0, output) + + def testUniqueUserName(self): + """ pwck: unique user name in the record """ + duplicate_username = "foo:x:685:685::/dev/null:/bin/bash\nfoo:x:686:686::/dev/null:/bin/bash" + status, output = self.runPwckCheck(duplicate_username, "") + self.assertNotEqual(status, 0, output) + + def testValidID(self): + """ pwck: invalid UID in the records """ + invalid_ids = [ "foo:x:-1:685::/dev/null:/bin/bash", "foo:x:blah:685::/dev/null:/bin/bash", "foo:x:1234567890:685::/dev/null:/bin/bash" ] + for record in invalid_ids: + status, output = self.runPwckCheck(record, "") + self.assertNotEqual(status, 0, record) + + + def testValidPrimaryGroup(self): + """ pwck: invalid primary group """ + invalid_groups = [ "foo:x:685:-1::/dev/null:/bin/bash", "foo:x:685:blah::/dev/null:/bin/bash", "foo:x:685:1234567890::/dev/null:/bin/bash" ] + for record in invalid_groups: + status, output = self.runPwckCheck("", record) + self.assertNotEqual(status, 0, output) + + def testValidHomeDir(self): + """ pwck: invalid home dir """ + for record in [ "foo:x:685:685::123:/bin/bash", "foo:x:685:685::/path/to/nowhere:/bin/bash", "foo:x:685:1234567890::!:/bin/bash" ]: + status, output = self.runPwckCheck(record, "") + self.assertNotEqual(status, 0, output) + + def testBZ164954(self): + """ grpck: regression test for BZ164954 """ + record = "root:x:0:root\nbin:x:1:root,bin,daemon\ndaemon:x:2:root,bin,daemon\nsys:x:3:root,bin,adm\nadm:x:4:root,adm,daemon" + status, output = self.runGrpCheck("", record) + self.assertNotEqual(status, 0, output) + +if __name__ == "__main__": + broken_on_rhel4 = { "TestUseradd" : [ "testCustomUID", "testCustomGID" ] } + + if os.getuid() != 0: + print "This test must be run as root" + sys.exit(1) + + unittest.main() + diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..09f4769 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,13 @@ +--- +# This first play always runs on the local staging system +- hosts: localhost + roles: + - role: standard-test-beakerlib + tags: + - classic + - atomic + tests: + - sanity + required_packages: + - shadow-utils # sanity test needs shadow-utils + - python # sanity test needs python