From f884cd4c94710f3944e87f05073c65daba8fb890 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 26 May 2016 21:05:16 +0200 Subject: [PATCH 01/31] chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902) --- shadow-4.2.1-manfix.patch | 22 +-- shadow-4.2.1-selinux-perms.patch | 277 +++++++++++++++++++++++++++++++ shadow-utils.spec | 13 +- 3 files changed, 292 insertions(+), 20 deletions(-) create mode 100644 shadow-4.2.1-selinux-perms.patch diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.2.1-manfix.patch index 04fcb4a..2ca84b3 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.2.1-manfix.patch @@ -73,7 +73,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. The following configuration items are provided: -@@ -252,26 +263,6 @@ +@@ -252,16 +263,6 @@ @@ -87,20 +87,10 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. - - - -- chgpasswd -- -- -- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB -- SHA_CRYPT_MAX_ROUNDS -- SHA_CRYPT_MIN_ROUNDS -- -- -- -- - chpasswd + chgpasswd -@@ -282,14 +273,6 @@ +@@ -282,14 +283,6 @@ @@ -115,7 +105,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. -@@ -350,34 +333,6 @@ +@@ -350,34 +342,6 @@ @@ -150,7 +140,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. newgrp / sg -@@ -405,17 +360,6 @@ +@@ -405,17 +370,6 @@ @@ -168,7 +158,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. pwck -@@ -442,32 +386,6 @@ +@@ -442,32 +396,6 @@ diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.2.1-selinux-perms.patch new file mode 100644 index 0000000..eb18aeb --- /dev/null +++ b/shadow-4.2.1-selinux-perms.patch @@ -0,0 +1,277 @@ +diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c +--- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + #include "pam_defs.h" +@@ -76,6 +83,9 @@ static bool sgr_locked = false; + #endif + static bool gr_locked = false; + ++/* The name of the caller */ ++static char *myname = NULL; ++ + /* local function prototypes */ + static void fail_exit (int code); + static /*@noreturn@*/void usage (int status); +@@ -300,6 +310,62 @@ static void check_perms (void) + #endif /* ACCT_TOOLS_SETUID */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ return 0; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ return 0; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the group databases + */ +@@ -393,6 +459,7 @@ int main (int argc, char **argv) + + const struct group *gr; + struct group newgr; ++ struct passwd *pw = NULL; + int errors = 0; + int line = 0; + +@@ -408,8 +475,29 @@ int main (int argc, char **argv) + + OPENLOG ("chgpasswd"); + ++ /* ++ * Determine the name of the user that invoked this command. This ++ * is really hit or miss because there are so many ways that command ++ * can be executed and so many ways to trip up the routines that ++ * report the user name. ++ */ ++ pw = get_my_pwent (); ++ if (NULL == pw) { ++ fprintf (stderr, _("%s: Cannot determine your user name.\n"), ++ Prog); ++ SYSLOG ((LOG_WARN, ++ "Cannot determine the user name of the caller (UID %lu)", ++ (unsigned long) getuid ())); ++ exit (E_NOPERM); ++ } ++ myname = xstrdup (pw->pw_name); ++ + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef SHADOWGRP + is_shadow_grp = sgr_file_present (); + #endif +@@ -536,6 +624,15 @@ int main (int argc, char **argv) + newgr.gr_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ { ++ ++ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, ++ "change-password", ++ myname, AUDIT_NO_ID, gr->gr_name, ++ SHADOW_AUDIT_SUCCESS); ++ } ++#endif + /* + * The updated group file entry is then put back and will + * be written to the group file later, after all the +diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c +--- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 +@@ -39,6 +39,13 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#include ++#endif ++#ifdef WITH_LIBAUDIT ++#include ++#endif + #ifdef USE_PAM + #include "pam_defs.h" + #endif /* USE_PAM */ +@@ -297,6 +304,62 @@ static void check_perms (void) + #endif /* USE_PAM */ + } + ++#ifdef WITH_SELINUX ++static int ++log_callback (int type, const char *fmt, ...) ++{ ++ int audit_fd; ++ va_list ap; ++ ++ va_start(ap, fmt); ++#ifdef WITH_AUDIT ++ audit_fd = audit_open(); ++ ++ if (audit_fd >= 0) { ++ char *buf; ++ ++ if (vasprintf (&buf, fmt, ap) < 0) ++ return 0; ++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, ++ NULL, 0); ++ audit_close(audit_fd); ++ free(buf); ++ return 0; ++ } ++ ++#endif ++ vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ va_end(ap); ++ return 0; ++} ++ ++static void ++selinux_check_root (void) ++{ ++ int status = -1; ++ security_context_t user_context; ++ union selinux_callback old_callback; ++ ++ if (is_selinux_enabled() < 1) ++ return; ++ ++ old_callback = selinux_get_callback(SELINUX_CB_LOG); ++ /* setup callbacks */ ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); ++ if ((status = getprevcon(&user_context)) < 0) { ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ exit(1); ++ } ++ ++ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); ++ ++ selinux_set_callback(SELINUX_CB_LOG, old_callback); ++ freecon(user_context); ++ if (status != 0 && security_getenforce() != 0) ++ exit(1); ++} ++#endif ++ + /* + * open_files - lock and open the password databases + */ +@@ -407,6 +470,10 @@ int main (int argc, char **argv) + + check_perms (); + ++#ifdef WITH_SELINUX ++ selinux_check_root (); ++#endif ++ + #ifdef USE_PAM + if (!use_pam) + #endif /* USE_PAM */ +@@ -566,6 +633,11 @@ int main (int argc, char **argv) + newpw.pw_passwd = cp; + } + ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "updating-password", ++ pw->pw_name, (unsigned int) pw->pw_uid, 1); ++#endif + /* + * The updated password file entry is then put back and will + * be written to the password file later, after all the +diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am +--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) + newuidmap_LDADD = $(LDADD) $(LIBSELINUX) + newgidmap_LDADD = $(LDADD) $(LIBSELINUX) + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) ++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in +--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( + newuidmap_LDADD = $(LDADD) $(LIBSELINUX) + newgidmap_LDADD = $(LDADD) $(LIBSELINUX) + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) ++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) +-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff --git a/shadow-utils.spec b/shadow-utils.spec index b47ae15..f8fb4aa 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -35,6 +35,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch Patch27: shadow-4.2.1-user-busy.patch +Patch28: shadow-4.2.1-selinux-perms.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -90,6 +91,7 @@ are used for managing group accounts. %patch25 -p1 -b .defs-chroot %patch26 -p1 -b .unexpire %patch27 -p1 -b .user-busy +%patch28 -p1 -b .selinux-perms iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -156,7 +158,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd rm $RPM_BUILD_ROOT/%{_sbindir}/nologin -rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.* rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.* @@ -185,8 +186,6 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.* rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.* -rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.* -rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.* rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.* rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.* @@ -228,6 +227,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/pwck %{_sbindir}/*conv %{_sbindir}/chpasswd +%{_sbindir}/chgpasswd %{_sbindir}/newusers %{_sbindir}/vipw %{_sbindir}/vigr @@ -249,6 +249,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/pwck.8* %{_mandir}/man8/grpck.8* %{_mandir}/man8/chpasswd.8* +%{_mandir}/man8/chgpasswd.8* %{_mandir}/man8/newusers.8* %{_mandir}/man8/*conv.8* %{_mandir}/man8/lastlog.8* @@ -256,6 +257,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 +- chgpasswd: do not remove it +- chpasswd, chgpasswd: add selinux_check_access call (#1336902) + * Thu Mar 17 2016 Tomáš Mráz - 2:4.2.1-8 - userdel: fix userdel -f with /etc/subuid present (#1316168) From abed79ee4e1d44d64b636bc8e906e50eede4d901 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 May 2016 11:59:54 +0200 Subject: [PATCH 02/31] chpasswd, chgpasswd: open audit when starting --- shadow-4.2.1-selinux-perms.patch | 46 ++++++++++++++++++++------------ shadow-utils.spec | 5 +++- 2 files changed, 33 insertions(+), 18 deletions(-) diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.2.1-selinux-perms.patch index eb18aeb..7e7f70e 100644 --- a/shadow-4.2.1-selinux-perms.patch +++ b/shadow-4.2.1-selinux-perms.patch @@ -1,6 +1,6 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c --- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 ++++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200 @@ -39,6 +39,13 @@ #include #include @@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* local function prototypes */ static void fail_exit (int code); static /*@noreturn@*/void usage (int status); -@@ -300,6 +310,62 @@ static void check_perms (void) +@@ -300,6 +310,63 @@ static void check_perms (void) #endif /* ACCT_TOOLS_SETUID */ } @@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} @@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* * open_files - lock and open the group databases */ -@@ -393,6 +459,7 @@ int main (int argc, char **argv) +@@ -393,6 +460,7 @@ int main (int argc, char **argv) const struct group *gr; struct group newgr; @@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c int errors = 0; int line = 0; -@@ -408,8 +475,29 @@ int main (int argc, char **argv) +@@ -408,8 +476,33 @@ int main (int argc, char **argv) OPENLOG ("chgpasswd"); ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + /* + * Determine the name of the user that invoked this command. This + * is really hit or miss because there are so many ways that command @@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); #endif -@@ -536,6 +624,15 @@ int main (int argc, char **argv) +@@ -536,6 +629,15 @@ int main (int argc, char **argv) newgr.gr_passwd = cp; } @@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c * be written to the group file later, after all the diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c --- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 ++++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200 @@ -39,6 +39,13 @@ #include #include @@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ -@@ -297,6 +304,62 @@ static void check_perms (void) +@@ -297,6 +304,63 @@ static void check_perms (void) #endif /* USE_PAM */ } @@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} @@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c /* * open_files - lock and open the password databases */ -@@ -407,6 +470,10 @@ int main (int argc, char **argv) +@@ -405,8 +469,16 @@ int main (int argc, char **argv) + OPENLOG ("chpasswd"); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ check_perms (); +#ifdef WITH_SELINUX @@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM if (!use_pam) #endif /* USE_PAM */ -@@ -566,6 +633,11 @@ int main (int argc, char **argv) +@@ -566,6 +638,11 @@ int main (int argc, char **argv) newpw.pw_passwd = cp; } @@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c * The updated password file entry is then put back and will * be written to the password file later, after all the diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200 @@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) @@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200 @@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) diff --git a/shadow-utils.spec b/shadow-utils.spec index f8fb4aa..3444f5b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 +- chpasswd, chgpasswd: open audit when starting + * Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 - chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902) From c50e17082d12c2ee8735024567cbbf0ad07acb1f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 14 Jun 2016 11:34:10 +0200 Subject: [PATCH 03/31] guard for localtime() and gmtime() failure --- shadow-4.2.1-null-tm.patch | 86 ++++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 7 +++- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 shadow-4.2.1-null-tm.patch diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch new file mode 100644 index 0000000..15b7720 --- /dev/null +++ b/shadow-4.2.1-null-tm.patch @@ -0,0 +1,86 @@ +diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c +--- shadow-4.2.1/src/faillog.c.null-tm 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/faillog.c 2016-06-14 11:30:00.066890251 +0200 +@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s + } + + tm = localtime (&fl.fail_time); ++ if (tm == NULL) { ++ cp = "(unknown)"; ++ } else { + #ifdef HAVE_STRFTIME +- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); +- cp = ptime; ++ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); ++ cp = ptime; + #endif ++ } + printf ("%-9s %5d %5d ", + pw->pw_name, fl.fail_cnt, fl.fail_max); + /* FIXME: cp is not defined ifndef HAVE_STRFTIME */ +diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c +--- shadow-4.2.1/src/chage.c.null-tm 2016-05-27 16:04:00.000000000 +0200 ++++ shadow-4.2.1/src/chage.c 2016-06-14 11:18:25.299366908 +0200 +@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size + struct tm *tp; + + tp = gmtime (&date); ++ if (tp == NULL) { ++ (void) snprintf (buf, maxsize, "(unknown)"); ++ return; ++ } + #ifdef HAVE_STRFTIME + (void) strftime (buf, maxsize, "%Y-%m-%d", tp); + #else +diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c +--- shadow-4.2.1/src/lastlog.c.null-tm 2016-05-27 16:04:00.000000000 +0200 ++++ shadow-4.2.1/src/lastlog.c 2016-06-14 11:29:39.210423264 +0200 +@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s + + ll_time = ll.ll_time; + tm = localtime (&ll_time); ++ if (tm == NULL) { ++ cp = "(unknown)"; ++ } else { + #ifdef HAVE_STRFTIME +- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); +- cp = ptime; ++ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); ++ cp = ptime; + #else +- cp = asctime (tm); +- cp[24] = '\0'; ++ cp = asctime (tm); ++ cp[24] = '\0'; + #endif ++ } + + if (ll.ll_time == (time_t) 0) { + cp = _("**Never logged in**\0"); +diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c +--- shadow-4.2.1/src/passwd.c.null-tm 2014-03-01 19:59:51.000000000 +0100 ++++ shadow-4.2.1/src/passwd.c 2016-06-14 11:23:21.028969028 +0200 +@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to + struct tm *tm; + + tm = gmtime (&t); ++ if (tm == NULL) { ++ return "(unknown)"; ++ } + #ifdef HAVE_STRFTIME + (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); + #else /* !HAVE_STRFTIME */ +diff -up shadow-4.2.1/src/usermod.c.null-tm shadow-4.2.1/src/usermod.c +--- shadow-4.2.1/src/usermod.c.null-tm 2016-05-27 16:04:00.000000000 +0200 ++++ shadow-4.2.1/src/usermod.c 2016-06-14 11:24:50.974977059 +0200 +@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ + } else { + time_t t = (time_t) date; + tp = gmtime (&t); ++ if (tp == NULL) { ++ strncpy (buf, "unknown", maxsize); ++ return; ++ } + #ifdef HAVE_STRFTIME + strftime (buf, maxsize, "%Y-%m-%d", tp); + #else diff --git a/shadow-utils.spec b/shadow-utils.spec index 3444f5b..70f0b52 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -36,6 +36,7 @@ Patch25: shadow-4.2.1-defs-chroot.patch Patch26: shadow-4.2.1-lastlog-unexpire.patch Patch27: shadow-4.2.1-user-busy.patch Patch28: shadow-4.2.1-selinux-perms.patch +Patch29: shadow-4.2.1-null-tm.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -92,6 +93,7 @@ are used for managing group accounts. %patch26 -p1 -b .unexpire %patch27 -p1 -b .user-busy %patch28 -p1 -b .selinux-perms +%patch29 -p1 -b .null-tm iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -257,6 +259,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 +- guard for localtime() and gmtime() failure + * Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 - chpasswd, chgpasswd: open audit when starting From f8ab516d30fa7314792b8f993b439cebecdcb0c2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:03:52 +0200 Subject: [PATCH 04/31] new upstream release fixing low impact security issue --- .gitignore | 1 + shadow-utils.spec | 33 ++++++++++++--------------------- sources | 3 +-- 3 files changed, 14 insertions(+), 23 deletions(-) diff --git a/.gitignore b/.gitignore index e78a553..09b6c9b 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.1.5.1.tar.bz2.sig /shadow-4.2.1.tar.xz /shadow-4.2.1.tar.xz.sig +/shadow-4.3.1.tar.gz diff --git a/shadow-utils.spec b/shadow-utils.spec index 70f0b52..e799786 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,11 +1,10 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.2.1 -Release: 11%{?dist} +Version: 4.3.1 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz -Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig +Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz Source1: shadow-utils.login.defs Source2: shadow-utils.useradd Source4: shadow-bsd.txt @@ -23,19 +22,17 @@ Patch11: shadow-4.1.5.1-logmsg.patch Patch12: shadow-4.1.5.1-errmsg.patch Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.2.1-manfix.patch +Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.2.1-audit-update.patch +Patch22: shadow-4.3.1-audit-update.patch Patch23: shadow-4.2.1-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch25: shadow-4.2.1-defs-chroot.patch -Patch26: shadow-4.2.1-lastlog-unexpire.patch -Patch27: shadow-4.2.1-user-busy.patch -Patch28: shadow-4.2.1-selinux-perms.patch +Patch25: shadow-4.3.1-defs-chroot.patch +Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch License: BSD and GPLv2+ @@ -90,8 +87,6 @@ are used for managing group accounts. %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch25 -p1 -b .defs-chroot -%patch26 -p1 -b .unexpire -%patch27 -p1 -b .user-busy %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm @@ -100,17 +95,10 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . -rm libmisc/getdate.c - -#rm po/*.gmo -#rm po/stamp-po -#aclocal -#libtoolize --force -#automake -a -#autoconf - %build +./autogen.sh + %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -259,6 +247,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1 +- new upstream release fixing low impact security issue + * Tue Jun 14 2016 Tomáš Mráz - 2:4.2.1-11 - guard for localtime() and gmtime() failure diff --git a/sources b/sources index 9a96021..899422e 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz -6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig +b6b48ef1af4eb088937c8cc47e317009 shadow-4.3.1.tar.gz From 6c18d5356b64b72ec7c47962d3d06d70a9b6338d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:06:06 +0200 Subject: [PATCH 05/31] Update patches for rebase --- shadow-4.2.1-lastlog-unexpire.patch | 249 ------------------ shadow-4.2.1-user-busy.patch | 48 ---- ...e.patch => shadow-4.3.1-audit-update.patch | 190 ++++++------- ...ot.patch => shadow-4.3.1-defs-chroot.patch | 12 +- ...-manfix.patch => shadow-4.3.1-manfix.patch | 52 ++-- ....patch => shadow-4.3.1-selinux-perms.patch | 35 +-- 6 files changed, 134 insertions(+), 452 deletions(-) delete mode 100644 shadow-4.2.1-lastlog-unexpire.patch delete mode 100644 shadow-4.2.1-user-busy.patch rename shadow-4.2.1-audit-update.patch => shadow-4.3.1-audit-update.patch (92%) rename shadow-4.2.1-defs-chroot.patch => shadow-4.3.1-defs-chroot.patch (60%) rename shadow-4.2.1-manfix.patch => shadow-4.3.1-manfix.patch (81%) rename shadow-4.2.1-selinux-perms.patch => shadow-4.3.1-selinux-perms.patch (79%) diff --git a/shadow-4.2.1-lastlog-unexpire.patch b/shadow-4.2.1-lastlog-unexpire.patch deleted file mode 100644 index 2596820..0000000 --- a/shadow-4.2.1-lastlog-unexpire.patch +++ /dev/null @@ -1,249 +0,0 @@ -diff -up shadow-4.2.1/man/lastlog.8.xml.unexpire shadow-4.2.1/man/lastlog.8.xml ---- shadow-4.2.1/man/lastlog.8.xml.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/lastlog.8.xml 2016-02-03 11:50:20.481293785 +0100 -@@ -105,6 +105,17 @@ - - - -+ , -+ -+ -+ -+ Clear lastlog record of an user. This option can be used only together -+ with ()). -+ -+ -+ -+ -+ - , - - -@@ -123,6 +134,17 @@ - - - -+ -+ -+ , -+ -+ -+ -+ Set lastlog record of an user to the current time. This option can be -+ used only together with ()). -+ -+ -+ - - - ,  DAYS -diff -up shadow-4.2.1/src/lastlog.c.unexpire shadow-4.2.1/src/lastlog.c ---- shadow-4.2.1/src/lastlog.c.unexpire 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/lastlog.c 2016-02-03 11:35:26.971273603 +0100 -@@ -71,6 +71,8 @@ static struct stat statbuf; /* fstat buf - static bool uflg = false; /* print only an user of range of users */ - static bool tflg = false; /* print is restricted to most recent days */ - static bool bflg = false; /* print excludes most recent days */ -+static bool Cflg = false; /* clear record for user */ -+static bool Sflg = false; /* set record for user */ - - #define NOW (time ((time_t *) 0)) - -@@ -83,8 +85,10 @@ static /*@noreturn@*/void usage (int sta - "Options:\n"), - Prog); - (void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); -+ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); - (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -+ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); - (void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); - (void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); - (void) fputs ("\n", usageout); -@@ -194,6 +198,80 @@ static void print (void) - } - } - -+static void update_one (/*@null@*/const struct passwd *pw) -+{ -+ off_t offset; -+ struct lastlog ll; -+ int err; -+ -+ if (NULL == pw) { -+ return; -+ } -+ -+ offset = (off_t) pw->pw_uid * sizeof (ll); -+ /* fseeko errors are not really relevant for us. */ -+ err = fseeko (lastlogfile, offset, SEEK_SET); -+ assert (0 == err); -+ -+ memzero (&ll, sizeof (ll)); -+ -+ if (Sflg) { -+ ll.ll_time = NOW; -+#ifdef HAVE_LL_HOST -+ strcpy (ll.ll_host, "localhost"); -+#endif -+ strcpy (ll.ll_line, "lastlog"); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "clearing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+#endif -+ } -+#ifdef WITH_AUDIT -+ else { -+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, -+ "refreshing-lastlog", -+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); -+ } -+#endif -+ -+ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { -+ fprintf (stderr, -+ _("%s: Failed to update the entry for UID %lu\n"), -+ Prog, (unsigned long int)pw->pw_uid); -+ exit (EXIT_FAILURE); -+ } -+} -+ -+static void update (void) -+{ -+ const struct passwd *pwent; -+ -+ if (!uflg) /* safety measure */ -+ return; -+ -+ if (has_umin && has_umax && (umin == umax)) { -+ update_one (getpwuid ((uid_t)umin)); -+ } else { -+ setpwent (); -+ while ( (pwent = getpwent ()) != NULL ) { -+ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) -+ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { -+ continue; -+ } -+ update_one (pwent); -+ } -+ endpwent (); -+ } -+ -+ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { -+ fprintf (stderr, -+ _("%s: Failed to update the lastlog file\n"), -+ Prog); -+ exit (EXIT_FAILURE); -+ } -+} -+ - int main (int argc, char **argv) - { - /* -@@ -208,18 +286,24 @@ int main (int argc, char **argv) - - process_root_flag ("-R", argc, argv); - -+#ifdef WITH_AUDIT -+ audit_help_open (); -+#endif -+ - { - int c; - static struct option const longopts[] = { - {"before", required_argument, NULL, 'b'}, -+ {"clear", no_argument, NULL, 'C'}, - {"help", no_argument, NULL, 'h'}, - {"root", required_argument, NULL, 'R'}, -+ {"set", no_argument, NULL, 'S'}, - {"time", required_argument, NULL, 't'}, - {"user", required_argument, NULL, 'u'}, - {NULL, 0, NULL, '\0'} - }; - -- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, -+ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, - NULL)) != -1) { - switch (c) { - case 'b': -@@ -235,11 +319,21 @@ int main (int argc, char **argv) - bflg = true; - break; - } -+ case 'C': -+ { -+ Cflg = true; -+ break; -+ } - case 'h': - usage (EXIT_SUCCESS); - /*@notreached@*/break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -+ case 'S': -+ { -+ Sflg = true; -+ break; -+ } - case 't': - { - unsigned long days; -@@ -294,9 +388,21 @@ int main (int argc, char **argv) - Prog, argv[optind]); - usage (EXIT_FAILURE); - } -+ if (Cflg && Sflg) { -+ fprintf (stderr, -+ _("%s: Option -C cannot be used together with option -S\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } -+ if ((Cflg || Sflg) && !uflg) { -+ fprintf (stderr, -+ _("%s: Options -C and -S require option -u to specify the user\n"), -+ Prog); -+ usage (EXIT_FAILURE); -+ } - } - -- lastlogfile = fopen (LASTLOG_FILE, "r"); -+ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); - if (NULL == lastlogfile) { - perror (LASTLOG_FILE); - exit (EXIT_FAILURE); -@@ -310,7 +416,10 @@ int main (int argc, char **argv) - exit (EXIT_FAILURE); - } - -- print (); -+ if (Cflg || Sflg) -+ update (); -+ else -+ print (); - - (void) fclose (lastlogfile); - -diff -up shadow-4.2.1/src/Makefile.am.unexpire shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.unexpire 2014-05-08 10:43:11.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-02-03 11:35:26.971273603 +0100 -@@ -95,6 +95,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) - grpck_LDADD = $(LDADD) $(LIBSELINUX) - grpconv_LDADD = $(LDADD) $(LIBSELINUX) - grpunconv_LDADD = $(LDADD) $(LIBSELINUX) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - login_SOURCES = \ - login.c \ - login_nopam.c -diff -up shadow-4.2.1/src/Makefile.in.unexpire shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.unexpire 2014-05-09 18:49:48.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-02-03 11:35:26.972273609 +0100 -@@ -197,7 +197,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) - $(top_builddir)/lib/libshadow.la - lastlog_SOURCES = lastlog.c - lastlog_OBJECTS = lastlog.$(OBJEXT) --lastlog_LDADD = $(LDADD) -+lastlog_LDADD = $(LDADD) $(LIBAUDIT) - lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(top_builddir)/libmisc/libmisc.a \ - $(top_builddir)/lib/libshadow.la diff --git a/shadow-4.2.1-user-busy.patch b/shadow-4.2.1-user-busy.patch deleted file mode 100644 index ee7e41a..0000000 --- a/shadow-4.2.1-user-busy.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d2fa8c5d4b0b19445562daf78d3a62421fe8d6b8 Mon Sep 17 00:00:00 2001 -From: Bastian Blank -Date: Tue, 17 Nov 2015 10:52:24 -0600 -Subject: [PATCH] Fix user busy errors at userdel - -From: Bastian Blank -Acked-by: Serge Hallyn ---- - libmisc/user_busy.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c -index db7174a..0db32c3 100644 ---- a/libmisc/user_busy.c -+++ b/libmisc/user_busy.c -@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) - if (stat ("/", &sbroot) != 0) { - perror ("stat (\"/\")"); - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - return 0; - } - -@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) - - if (check_status (name, tmp_d_name, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); -@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) - } - if (check_status (name, task_path+6, uid) != 0) { - (void) closedir (proc); -+#ifdef ENABLE_SUBIDS -+ sub_uid_close(); -+#endif - fprintf (stderr, - _("%s: user %s is currently used by process %d\n"), - Prog, name, pid); --- -2.5.0 - diff --git a/shadow-4.2.1-audit-update.patch b/shadow-4.3.1-audit-update.patch similarity index 92% rename from shadow-4.2.1-audit-update.patch rename to shadow-4.3.1-audit-update.patch index 8f2edf8..e708f75 100644 --- a/shadow-4.2.1-audit-update.patch +++ b/shadow-4.3.1-audit-update.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/audit_help.c ---- shadow-4.2.1/libmisc/audit_help.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/audit_help.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/audit_help.c +--- shadow-4.3.1/libmisc/audit_help.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/audit_help.c 2016-08-22 17:21:15.442291139 +0200 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +50,9 @@ diff -up shadow-4.2.1/libmisc/audit_help.c.audit-update shadow-4.2.1/libmisc/aud void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/cleanup_group.c ---- shadow-4.2.1/libmisc/cleanup_group.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_group.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/cleanup_group.c +--- shadow-4.3.1/libmisc/cleanup_group.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/cleanup_group.c 2016-08-22 17:21:15.443291142 +0200 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -131,9 +131,9 @@ diff -up shadow-4.2.1/libmisc/cleanup_group.c.audit-update shadow-4.2.1/libmisc/ SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/cleanup_user.c ---- shadow-4.2.1/libmisc/cleanup_user.c.audit-update 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/cleanup_user.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/cleanup_user.c +--- shadow-4.3.1/libmisc/cleanup_user.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/libmisc/cleanup_user.c 2016-08-22 17:21:15.443291142 +0200 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -181,9 +181,9 @@ diff -up shadow-4.2.1/libmisc/cleanup_user.c.audit-update shadow-4.2.1/libmisc/c SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes.h ---- shadow-4.2.1/lib/prototypes.h.audit-update 2014-11-26 15:06:24.644660498 +0100 -+++ shadow-4.2.1/lib/prototypes.h 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes.h +--- shadow-4.3.1/lib/prototypes.h.audit-update 2016-08-22 17:21:15.406291044 +0200 ++++ shadow-4.3.1/lib/prototypes.h 2016-08-22 17:21:15.443291142 +0200 @@ -208,12 +208,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ @@ -206,9 +206,9 @@ diff -up shadow-4.2.1/lib/prototypes.h.audit-update shadow-4.2.1/lib/prototypes. void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c ---- shadow-4.2.1/src/gpasswd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/gpasswd.c 2014-11-26 15:06:24.664660561 +0100 +diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c +--- shadow-4.3.1/src/gpasswd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/gpasswd.c 2016-08-22 17:21:15.444291144 +0200 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -218,7 +218,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c (void) fputs (_(" -R, --restrict restrict access to GROUP to its members\n"), usageout); (void) fputs (_(" -M, --members USER,... set the list of members of GROUP\n"), usageout); #ifdef SHADOWGRP -@@ -397,21 +397,14 @@ static void open_files (void) +@@ -396,21 +396,14 @@ static void open_files (void) static void log_gpasswd_failure (const char *suffix) { @@ -243,7 +243,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (dflg) { -@@ -419,13 +412,9 @@ static void log_gpasswd_failure (const c +@@ -418,13 +411,9 @@ static void log_gpasswd_failure (const c "%s failed to remove user %s from group %s%s", myname, user, group, suffix)); #ifdef WITH_AUDIT @@ -260,7 +260,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (rflg) { -@@ -433,13 +422,9 @@ static void log_gpasswd_failure (const c +@@ -432,13 +421,9 @@ static void log_gpasswd_failure (const c "%s failed to remove password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -277,7 +277,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Rflg) { -@@ -447,13 +432,9 @@ static void log_gpasswd_failure (const c +@@ -446,13 +431,9 @@ static void log_gpasswd_failure (const c "%s failed to restrict access to group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -294,7 +294,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } else if (Aflg || Mflg) { -@@ -463,13 +444,9 @@ static void log_gpasswd_failure (const c +@@ -462,13 +443,9 @@ static void log_gpasswd_failure (const c "%s failed to set the administrators of group %s to %s%s", myname, group, admins, suffix)); #ifdef WITH_AUDIT @@ -311,7 +311,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -479,13 +456,9 @@ static void log_gpasswd_failure (const c +@@ -478,13 +455,9 @@ static void log_gpasswd_failure (const c "%s failed to set the members of group %s to %s%s", myname, group, members, suffix)); #ifdef WITH_AUDIT @@ -328,7 +328,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -494,13 +467,9 @@ static void log_gpasswd_failure (const c +@@ -493,13 +466,9 @@ static void log_gpasswd_failure (const c "%s failed to change password of group %s%s", myname, group, suffix)); #ifdef WITH_AUDIT @@ -345,7 +345,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_FAILURE); #endif } -@@ -531,21 +500,14 @@ static void log_gpasswd_failure_gshadow +@@ -530,21 +499,14 @@ static void log_gpasswd_failure_gshadow static void log_gpasswd_success (const char *suffix) { @@ -370,7 +370,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (dflg) { -@@ -553,13 +515,9 @@ static void log_gpasswd_success (const c +@@ -552,13 +514,9 @@ static void log_gpasswd_success (const c "user %s removed by %s from group %s%s", user, myname, group, suffix)); #ifdef WITH_AUDIT @@ -387,7 +387,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (rflg) { -@@ -567,13 +525,9 @@ static void log_gpasswd_success (const c +@@ -566,13 +524,9 @@ static void log_gpasswd_success (const c "password of group %s removed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -404,7 +404,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Rflg) { -@@ -581,13 +535,9 @@ static void log_gpasswd_success (const c +@@ -580,13 +534,9 @@ static void log_gpasswd_success (const c "access to group %s restricted by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -421,7 +421,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } else if (Aflg || Mflg) { -@@ -597,13 +547,9 @@ static void log_gpasswd_success (const c +@@ -596,13 +546,9 @@ static void log_gpasswd_success (const c "administrators of group %s set by %s to %s%s", group, myname, admins, suffix)); #ifdef WITH_AUDIT @@ -438,7 +438,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -613,13 +559,9 @@ static void log_gpasswd_success (const c +@@ -612,13 +558,9 @@ static void log_gpasswd_success (const c "members of group %s set by %s to %s%s", group, myname, members, suffix)); #ifdef WITH_AUDIT @@ -455,7 +455,7 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -@@ -628,13 +570,9 @@ static void log_gpasswd_success (const c +@@ -627,13 +569,9 @@ static void log_gpasswd_success (const c "password of group %s changed by %s%s", group, myname, suffix)); #ifdef WITH_AUDIT @@ -472,9 +472,9 @@ diff -up shadow-4.2.1/src/gpasswd.c.audit-update shadow-4.2.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c ---- shadow-4.2.1/src/groupadd.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupadd.c 2014-11-26 15:06:24.664660561 +0100 +diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c +--- shadow-4.3.1/src/groupadd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupadd.c 2016-08-22 17:21:15.444291144 +0200 @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -579,7 +579,7 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c add_cleanup (cleanup_unlock_gshadow, NULL); } @@ -349,7 +352,7 @@ static void open_files (void) - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); - exit (E_GRP_UPDATE); @@ -650,10 +650,10 @@ diff -up shadow-4.2.1/src/groupadd.c.audit-update shadow-4.2.1/src/groupadd.c } } -diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c ---- shadow-4.2.1/src/groupdel.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupdel.c 2014-11-26 15:06:24.665660564 +0100 -@@ -100,6 +100,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c +--- shadow-4.3.1/src/groupdel.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupdel.c 2016-08-22 17:21:15.445291147 +0200 +@@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -669,7 +669,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c /* * grp_update - update group file entries * -@@ -126,7 +135,7 @@ static void grp_update (void) +@@ -128,7 +137,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -678,7 +678,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP -@@ -138,7 +147,7 @@ static void grp_update (void) +@@ -140,7 +149,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -687,7 +687,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -157,12 +166,12 @@ static void close_files (void) +@@ -159,12 +168,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -702,7 +702,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -182,12 +191,12 @@ static void close_files (void) +@@ -184,12 +193,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -718,7 +718,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -201,13 +210,6 @@ static void close_files (void) +@@ -203,13 +212,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ @@ -732,7 +732,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -224,7 +226,7 @@ static void open_files (void) +@@ -226,7 +228,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -741,7 +741,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -233,7 +235,7 @@ static void open_files (void) +@@ -235,7 +237,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -750,7 +750,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -251,7 +253,7 @@ static void open_files (void) +@@ -253,7 +255,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -759,7 +759,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -260,7 +262,7 @@ static void open_files (void) +@@ -262,7 +264,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -768,7 +768,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -301,7 +303,7 @@ static void group_busy (gid_t gid) +@@ -303,7 +305,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -777,7 +777,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } /* -@@ -379,7 +381,7 @@ int main (int argc, char **argv) +@@ -384,7 +386,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -786,7 +786,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } process_flags (argc, argv); -@@ -393,7 +395,7 @@ int main (int argc, char **argv) +@@ -398,7 +400,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -795,7 +795,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -414,7 +416,7 @@ int main (int argc, char **argv) +@@ -419,7 +421,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -804,7 +804,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -434,7 +436,7 @@ int main (int argc, char **argv) +@@ -439,7 +441,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); @@ -813,7 +813,7 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } group_id = grp->gr_gid; -@@ -458,7 +460,7 @@ int main (int argc, char **argv) +@@ -463,7 +465,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -822,9 +822,9 @@ diff -up shadow-4.2.1/src/groupdel.c.audit-update shadow-4.2.1/src/groupdel.c } #endif -diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c ---- shadow-4.2.1/src/groupmod.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/groupmod.c 2014-11-26 15:06:24.665660564 +0100 +diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c +--- shadow-4.3.1/src/groupmod.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/groupmod.c 2016-08-22 17:21:15.445291147 +0200 @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } @@ -1018,9 +1018,9 @@ diff -up shadow-4.2.1/src/groupmod.c.audit-update shadow-4.2.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c ---- shadow-4.2.1/src/chage.c.audit-update 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chage.c 2014-11-26 15:06:24.663660558 +0100 +diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c +--- shadow-4.3.1/src/chage.c.audit-update 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chage.c 2016-08-22 17:21:15.446291149 +0200 @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1108,9 +1108,9 @@ diff -up shadow-4.2.1/src/chage.c.audit-update shadow-4.2.1/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c ---- shadow-4.2.1/src/newgrp.c.audit-update 2014-11-26 15:06:24.660660548 +0100 -+++ shadow-4.2.1/src/newgrp.c 2014-11-26 15:06:24.666660567 +0100 +diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c +--- shadow-4.3.1/src/newgrp.c.audit-update 2016-08-22 17:21:15.439291131 +0200 ++++ shadow-4.3.1/src/newgrp.c 2016-08-22 17:21:15.446291149 +0200 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1161,7 +1161,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c exit (EXIT_FAILURE); } -@@ -317,15 +306,27 @@ static void syslog_sg (const char *name, +@@ -320,15 +309,27 @@ static void syslog_sg (const char *name, is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT if (group) { @@ -1193,7 +1193,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -451,7 +452,7 @@ int main (int argc, char **argv) +@@ -456,7 +457,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1202,7 +1202,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -567,15 +568,26 @@ int main (int argc, char **argv) +@@ -572,15 +573,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1233,7 +1233,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -716,10 +728,10 @@ int main (int argc, char **argv) +@@ -721,10 +733,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1246,7 +1246,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -728,10 +740,10 @@ int main (int argc, char **argv) +@@ -733,10 +745,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1259,7 +1259,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -745,10 +757,10 @@ int main (int argc, char **argv) +@@ -750,10 +762,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1272,7 +1272,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -812,11 +824,11 @@ int main (int argc, char **argv) +@@ -817,11 +829,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1286,7 +1286,7 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -840,15 +852,24 @@ int main (int argc, char **argv) +@@ -845,15 +857,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1315,9 +1315,9 @@ diff -up shadow-4.2.1/src/newgrp.c.audit-update shadow-4.2.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.audit-update 2014-11-26 15:06:24.648660511 +0100 -+++ shadow-4.2.1/src/useradd.c 2014-11-26 15:14:02.446087183 +0100 +diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.audit-update 2016-08-22 17:21:15.410291055 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-22 17:21:15.447291152 +0200 @@ -222,6 +222,8 @@ static void create_mail (void); */ static void fail_exit (int code) @@ -1636,7 +1636,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2098,12 +2034,6 @@ int main (int argc, char **argv) +@@ -2100,12 +2036,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); @@ -1649,7 +1649,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2119,12 +2049,6 @@ int main (int argc, char **argv) +@@ -2121,12 +2051,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1662,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2154,12 +2078,6 @@ int main (int argc, char **argv) +@@ -2156,12 +2080,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1675,7 +1675,7 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2223,9 +2141,10 @@ int main (int argc, char **argv) +@@ -2225,9 +2143,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1689,9 +1689,9 @@ diff -up shadow-4.2.1/src/useradd.c.audit-update shadow-4.2.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c ---- shadow-4.2.1/src/userdel.c.audit-update 2014-11-26 15:06:24.655660533 +0100 -+++ shadow-4.2.1/src/userdel.c 2014-11-26 15:16:01.892459425 +0100 +diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c +--- shadow-4.3.1/src/userdel.c.audit-update 2016-08-22 17:21:15.418291076 +0200 ++++ shadow-4.3.1/src/userdel.c 2016-08-22 17:21:15.447291152 +0200 @@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ @@ -1766,7 +1766,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); -#ifdef WITH_AUDIT @@ -1817,7 +1817,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); -#ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, @@ -1841,7 +1841,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_GRP_UPDATE); } sgr_locked= true; - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); -#ifdef WITH_AUDIT @@ -1866,7 +1866,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); -#ifdef WITH_AUDIT @@ -1891,7 +1891,7 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); -#ifdef WITH_AUDIT @@ -2019,9 +2019,9 @@ diff -up shadow-4.2.1/src/userdel.c.audit-update shadow-4.2.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.audit-update 2014-11-26 15:06:24.661660551 +0100 -+++ shadow-4.2.1/src/usermod.c 2014-11-26 15:17:38.580760741 +0100 +diff -up shadow-4.3.1/src/usermod.c.audit-update shadow-4.3.1/src/usermod.c +--- shadow-4.3.1/src/usermod.c.audit-update 2016-08-22 17:21:15.441291136 +0200 ++++ shadow-4.3.1/src/usermod.c 2016-08-22 17:21:15.448291155 +0200 @@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT @@ -2256,7 +2256,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1810,8 +1821,8 @@ static void move_home (void) +@@ -1758,8 +1769,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2267,7 +2267,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1829,8 +1840,8 @@ static void move_home (void) +@@ -1777,8 +1788,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2278,7 +2278,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1849,9 +1860,9 @@ static void move_home (void) +@@ -1797,9 +1808,9 @@ static void move_home (void) Prog, user_home); } #ifdef WITH_AUDIT @@ -2290,7 +2290,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2055,8 +2066,8 @@ static void move_mailbox (void) +@@ -2003,8 +2014,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2301,7 +2301,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2074,8 +2085,8 @@ static void move_mailbox (void) +@@ -2022,8 +2033,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2312,7 +2312,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2217,8 +2228,8 @@ int main (int argc, char **argv) +@@ -2215,8 +2226,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2323,7 +2323,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2230,8 +2241,8 @@ int main (int argc, char **argv) +@@ -2228,8 +2239,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2334,7 +2334,7 @@ diff -up shadow-4.2.1/src/usermod.c.audit-update shadow-4.2.1/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2269,8 +2280,8 @@ int main (int argc, char **argv) +@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.3.1-defs-chroot.patch similarity index 60% rename from shadow-4.2.1-defs-chroot.patch rename to shadow-4.3.1-defs-chroot.patch index 827ad40..e57fac8 100644 --- a/shadow-4.2.1-defs-chroot.patch +++ b/shadow-4.3.1-defs-chroot.patch @@ -1,18 +1,18 @@ -diff -up shadow-4.2.1/src/useradd.c.defs-chroot shadow-4.2.1/src/useradd.c ---- shadow-4.2.1/src/useradd.c.defs-chroot 2014-12-01 15:14:58.000000000 +0100 -+++ shadow-4.2.1/src/useradd.c 2015-08-27 15:46:21.935698862 +0200 +diff -up shadow-4.3.1/src/useradd.c.defs-chroot shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.defs-chroot 2016-08-22 17:13:29.420068883 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-22 17:15:14.040343275 +0200 @@ -1938,8 +1938,8 @@ int main (int argc, char **argv) #endif /* ACCT_TOOLS_SETUID */ - /* Needed for userns check */ + #ifdef ENABLE_SUBIDS - uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); - uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + uid_t uid_min; + uid_t uid_max; + #endif /* - * Get my name so that I can use it to report errors. -@@ -1957,6 +1957,9 @@ int main (int argc, char **argv) +@@ -1958,6 +1958,9 @@ int main (int argc, char **argv) audit_help_open (); #endif diff --git a/shadow-4.2.1-manfix.patch b/shadow-4.3.1-manfix.patch similarity index 81% rename from shadow-4.2.1-manfix.patch rename to shadow-4.3.1-manfix.patch index 2ca84b3..2aeb0a8 100644 --- a/shadow-4.2.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xml ---- shadow-4.2.1/man/groupmems.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/groupmems.8.xml 2015-11-06 14:21:03.013060324 +0100 +diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xml +--- shadow-4.3.1/man/groupmems.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/groupmems.8.xml 2016-08-22 17:08:48.486332066 +0200 @@ -179,20 +179,10 @@ SETUP @@ -25,9 +25,9 @@ diff -up shadow-4.2.1/man/groupmems.8.xml.manfix shadow-4.2.1/man/groupmems.8.xm -diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml ---- shadow-4.2.1/man/chage.1.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/chage.1.xml 2014-11-26 15:34:51.256978960 +0100 +diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml +--- shadow-4.3.1/man/chage.1.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/chage.1.xml 2016-08-22 17:08:48.486332066 +0200 @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -38,9 +38,9 @@ diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml -diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/login.defs.5 ---- shadow-4.2.1/man/ja/man5/login.defs.5.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/ja/man5/login.defs.5 2016-01-08 09:58:29.591702354 +0100 +diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 +--- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 @@ -147,10 +147,6 @@ 以下の参照表は、 shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 @@ -52,9 +52,9 @@ diff -up shadow-4.2.1/man/ja/man5/login.defs.5.manfix shadow-4.2.1/man/ja/man5/l .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml ---- shadow-4.2.1/man/login.defs.5.xml.manfix 2014-03-13 06:52:55.000000000 +0100 -+++ shadow-4.2.1/man/login.defs.5.xml 2016-01-08 09:59:35.854169787 +0100 +diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5.xml +--- shadow-4.3.1/man/login.defs.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/login.defs.5.xml 2016-08-22 17:08:48.487332069 +0200 @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -105,7 +105,7 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. -@@ -350,34 +342,6 @@ +@@ -350,34 +343,6 @@ @@ -191,9 +191,9 @@ diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5. useradd -diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml ---- shadow-4.2.1/man/shadow.5.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/shadow.5.xml 2015-10-27 16:54:29.304231353 +0100 +diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml +--- shadow-4.3.1/man/shadow.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/shadow.5.xml 2016-08-22 17:08:48.487332069 +0200 @@ -208,8 +208,8 @@ @@ -205,10 +205,10 @@ diff -up shadow-4.2.1/man/shadow.5.xml.manfix shadow-4.2.1/man/shadow.5.xml An empty field means that there are no enforcement of an -diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml ---- shadow-4.2.1/man/useradd.8.xml.manfix 2014-11-26 15:34:51.234978891 +0100 -+++ shadow-4.2.1/man/useradd.8.xml 2014-11-26 15:34:51.257978963 +0100 -@@ -347,11 +347,16 @@ +diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml +--- shadow-4.3.1/man/useradd.8.xml.manfix 2016-08-22 17:08:48.446331961 +0200 ++++ shadow-4.3.1/man/useradd.8.xml 2016-08-22 17:08:48.487332069 +0200 +@@ -347,6 +347,11 @@ is not enabled, no home directories are created. @@ -220,15 +220,9 @@ diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml - -- -+ , - - - -diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml ---- shadow-4.2.1/man/usermod.8.xml.manfix 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/man/usermod.8.xml 2014-11-26 15:34:51.257978963 +0100 +diff -up shadow-4.3.1/man/usermod.8.xml.manfix shadow-4.3.1/man/usermod.8.xml +--- shadow-4.3.1/man/usermod.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/man/usermod.8.xml 2016-08-22 17:08:48.487332069 +0200 @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch similarity index 79% rename from shadow-4.2.1-selinux-perms.patch rename to shadow-4.3.1-selinux-perms.patch index 7e7f70e..9469a7e 100644 --- a/shadow-4.2.1-selinux-perms.patch +++ b/shadow-4.3.1-selinux-perms.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c ---- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200 +diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c +--- shadow-4.3.1/src/chgpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chgpasswd.c 2016-08-22 17:25:46.825011776 +0200 @@ -39,6 +39,13 @@ #include #include @@ -147,9 +147,9 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* * The updated group file entry is then put back and will * be written to the group file later, after all the -diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c ---- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200 +diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c +--- shadow-4.3.1/src/chpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/chpasswd.c 2016-08-22 17:25:46.825011776 +0200 @@ -39,6 +39,13 @@ #include #include @@ -257,10 +257,10 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c /* * The updated password file entry is then put back and will * be written to the password file later, after all the -diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200 -@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) +diff -up shadow-4.3.1/src/Makefile.am.selinux-perms shadow-4.3.1/src/Makefile.am +--- shadow-4.3.1/src/Makefile.am.selinux-perms 2016-08-15 06:00:59.000000000 +0200 ++++ shadow-4.3.1/src/Makefile.am 2016-08-22 17:25:46.825011776 +0200 +@@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) @@ -272,18 +272,3 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200 -@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( - newuidmap_LDADD = $(LDADD) $(LIBSELINUX) - newgidmap_LDADD = $(LDADD) $(LIBSELINUX) - chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) --chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) -+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) - chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) --chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) -+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) - groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) - groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) From 86cbf7e19d07d19e68d992aa94dc844a05d4f57f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:30:57 +0200 Subject: [PATCH 06/31] Add proper buildrequires for autotools. --- shadow-utils.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index e799786..fffefc9 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -42,7 +42,7 @@ BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel BuildRequires: libacl-devel libattr-devel BuildRequires: bison flex gnome-doc-utils -#BuildRequires: autoconf, automake, libtool, gettext-devel +BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 Requires: setup From 457acab6b41318deb60951e7c687b372e8aba07a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 23 Aug 2016 16:51:22 +0200 Subject: [PATCH 07/31] Add buildrequires for docbook. --- shadow-utils.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index fffefc9..a42dc34 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -40,8 +40,8 @@ Group: System Environment/Base BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel -BuildRequires: libacl-devel libattr-devel -BuildRequires: bison flex gnome-doc-utils +BuildRequires: libacl-devel, libattr-devel +BuildRequires: bison, flex, gnome-doc-utils, docbook-style-xsl, docbook-dtds BuildRequires: autoconf, automake, libtool, gettext-devel Requires: libselinux >= 1.25.2-1 Requires: audit-libs >= 1.6.5 From bb62fd7837348eb8b277051626ad4af0db7f3741 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 25 Aug 2016 11:24:38 +0200 Subject: [PATCH 08/31] fix regression in useradd - not processing defaults properly (#1369979) --- shadow-4.3.1-process-defaults.patch | 21 +++++++++++++++++++++ shadow-utils.spec | 7 ++++++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 shadow-4.3.1-process-defaults.patch diff --git a/shadow-4.3.1-process-defaults.patch b/shadow-4.3.1-process-defaults.patch new file mode 100644 index 0000000..b337376 --- /dev/null +++ b/shadow-4.3.1-process-defaults.patch @@ -0,0 +1,21 @@ +diff -up shadow-4.3.1/src/useradd.c.process-defaults shadow-4.3.1/src/useradd.c +--- shadow-4.3.1/src/useradd.c.process-defaults 2016-08-22 17:30:01.000000000 +0200 ++++ shadow-4.3.1/src/useradd.c 2016-08-25 09:49:51.454720951 +0200 +@@ -1974,6 +1974,8 @@ int main (int argc, char **argv) + is_shadow_grp = sgr_file_present (); + #endif + ++ get_defaults (); ++ + process_flags (argc, argv); + + #ifdef ENABLE_SUBIDS +@@ -1983,8 +1985,6 @@ int main (int argc, char **argv) + (!user_id || (user_id <= uid_max && user_id >= uid_min)); + #endif /* ENABLE_SUBIDS */ + +- get_defaults (); +- + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + { diff --git a/shadow-utils.spec b/shadow-utils.spec index a42dc34..d748e24 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.3.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz @@ -34,6 +34,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch25: shadow-4.3.1-defs-chroot.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch +Patch30: shadow-4.3.1-process-defaults.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -89,6 +90,7 @@ are used for managing group accounts. %patch25 -p1 -b .defs-chroot %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm +%patch30 -p1 -b .process-defaults iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -247,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2 +- fix regression in useradd - not processing defaults properly (#1369979) + * Tue Aug 23 2016 Tomáš Mráz - 2:4.3.1-1 - new upstream release fixing low impact security issue From ba9340caf5a3f86043659dd5dc83d9280cd38185 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 11 Feb 2017 13:21:56 +0000 Subject: [PATCH 09/31] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index d748e24..5d536e6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.3.1 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz @@ -249,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Thu Aug 25 2016 Tomáš Mráz - 2:4.3.1-2 - fix regression in useradd - not processing defaults properly (#1369979) From ec99eade4e4fc141e2c55581ecc913cde348296c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 21 Jul 2017 14:04:11 +0200 Subject: [PATCH 10/31] update to current upstream release 4.5 --- .gitignore | 2 + shadow-4.1.5-uflg.patch | 23 - shadow-4.1.5.1-audit-owner.patch | 32 - shadow-4.1.5.1-backup-mode.patch | 20 - shadow-4.1.5.1-errmsg.patch | 23 - shadow-4.1.5.1-id-alloc.patch | 1219 ----------------- shadow-4.1.5.1-selinux.patch | 99 -- shadow-4.2.1-merge-group.patch | 13 - shadow-4.3.1-defs-chroot.patch | 24 - shadow-4.3.1-process-defaults.patch | 21 - ...ext.patch => shadow-4.5-orig-context.patch | 42 +- shadow-4.5-selinux.patch | 115 ++ ...k.patch => shadow-4.5-usermod-unlock.patch | 8 +- shadow-utils.spec | 40 +- sources | 3 +- 15 files changed, 157 insertions(+), 1527 deletions(-) delete mode 100644 shadow-4.1.5-uflg.patch delete mode 100644 shadow-4.1.5.1-audit-owner.patch delete mode 100644 shadow-4.1.5.1-backup-mode.patch delete mode 100644 shadow-4.1.5.1-errmsg.patch delete mode 100644 shadow-4.1.5.1-id-alloc.patch delete mode 100644 shadow-4.1.5.1-selinux.patch delete mode 100644 shadow-4.2.1-merge-group.patch delete mode 100644 shadow-4.3.1-defs-chroot.patch delete mode 100644 shadow-4.3.1-process-defaults.patch rename shadow-4.1.5.1-orig-context.patch => shadow-4.5-orig-context.patch (67%) create mode 100644 shadow-4.5-selinux.patch rename shadow-4.2.1-usermod-unlock.patch => shadow-4.5-usermod-unlock.patch (86%) diff --git a/.gitignore b/.gitignore index 09b6c9b..d1e7d76 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,5 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.2.1.tar.xz /shadow-4.2.1.tar.xz.sig /shadow-4.3.1.tar.gz +/shadow-4.5.tar.xz +/shadow-4.5.tar.xz.asc diff --git a/shadow-4.1.5-uflg.patch b/shadow-4.1.5-uflg.patch deleted file mode 100644 index f72bca3..0000000 --- a/shadow-4.1.5-uflg.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c ---- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200 -+++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100 -@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group, - return -1; - } - } else { -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ gid_min = (gid_t) 1; - gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; - gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); - if (gid_max < gid_min) { -@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group, - return 0; - } - -+ /* if we did not find free preffered system gid, we start to look for -+ * one in the range assigned to dynamic system IDs */ -+ if (sys_group) -+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); - - /* - * Search the entire group file, diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch deleted file mode 100644 index 6fbbdbf..0000000 --- a/shadow-4.1.5.1-audit-owner.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100 -+++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200 -@@ -1513,6 +1513,14 @@ static void move_home (void) - fail_exit (E_HOMEDIR); - } - -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif -+ - if (rename (user_home, user_newhome) == 0) { - /* FIXME: rename above may have broken symlinks - * pointing to the user's home directory -@@ -1947,6 +1955,13 @@ int main (int argc, char **argv) - * ownership. - * - */ -+#ifdef WITH_AUDIT -+ if (uflg || gflg) { -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "changing home directory owner", -+ user_newname, (unsigned int) user_newid, 1); -+ } -+#endif - if (chown_tree (dflg ? user_newhome : user_home, - user_id, - uflg ? user_newid : (uid_t)-1, diff --git a/shadow-4.1.5.1-backup-mode.patch b/shadow-4.1.5.1-backup-mode.patch deleted file mode 100644 index 7366b86..0000000 --- a/shadow-4.1.5.1-backup-mode.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 -@@ -301,15 +301,12 @@ static int create_backup (const char *ba - struct utimbuf ub; - FILE *bkfp; - int c; -- mode_t mask; - - if (fstat (fileno (fp), &sb) != 0) { - return -1; - } - -- mask = umask (077); -- bkfp = fopen (backup, "w"); -- (void) umask (mask); -+ bkfp = fopen_set_perms (backup, "w", &sb); - if (NULL == bkfp) { - return -1; - } diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch deleted file mode 100644 index 6f3a1d2..0000000 --- a/shadow-4.1.5.1-errmsg.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200 -@@ -1760,6 +1760,9 @@ static void create_home (void) - if (access (user_home, F_OK) != 0) { - #ifdef WITH_SELINUX - if (set_selinux_file_context (user_home, NULL) != 0) { -+ fprintf (stderr, -+ _("%s: cannot set SELinux context for home directory %s\n"), -+ Prog, user_home); - fail_exit (E_HOMEDIR); - } - #endif -@@ -1789,6 +1792,9 @@ static void create_home (void) - #ifdef WITH_SELINUX - /* Reset SELinux to create files with default contexts */ - if (reset_selinux_file_context () != 0) { -+ fprintf (stderr, -+ _("%s: cannot reset SELinux file creation context\n"), -+ Prog); - fail_exit (E_HOMEDIR); - } - #endif diff --git a/shadow-4.1.5.1-id-alloc.patch b/shadow-4.1.5.1-id-alloc.patch deleted file mode 100644 index df6f89f..0000000 --- a/shadow-4.1.5.1-id-alloc.patch +++ /dev/null @@ -1,1219 +0,0 @@ -Previously, this allocation was optimized for an outdated -deployment style (that of /etc/group alongside nss_db). The issue -here is that this results in extremely poor performance when using -SSSD, Winbind or nss_ldap. - -There were actually three serious bugs here that have been addressed: - -1) Running getgrent() loops won't work in most SSSD or Winbind -environments, as full group enumeration is disabled by default. -This could easily result in auto-allocating a group that was -already in use. (This might result in a security issue as well, if -the shared GID is a privileged group). - -2) For system groups, the loop was always iterating through the -complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this -means hundreds of round-trips to LDAP (unless the GIDs were -specifically configured to be ignored by the SSSD or winbindd). -To a user with a slow connection to their LDAP server, this would -appear as if groupadd -r was hung. (Though it would eventually -complete). - -3) This patch also adds better error-handling for errno from -getgrgid(), since if this function returns an unexpected error, we -should not be treating it as "ID is available". This could result -in assigning a GID that was already in use, with all the same -issues as 1) above. - -This patch changes the algorithm to be more favorable for LDAP -environments, at the expense of some performance when using nss_db. -Given that the DB is a local service, this should have a negligible -effect from a user's perspective. - -With the new algorithm, we simply first iterate through all entries -in the local database with gr_next(), recording the IDs that are in -use. We then start from the highest presumed-available entry and -call getgrgid() to see if it is available. We continue this until -we come to the first unused GID. We then select that and return it. - -If we make it through all the remaining IDs without finding a free -one, we start over from the beginning of the range and try to find -room in one of the gaps in the range. - -The patch was originally written by Stephen Gallagher and applied -identically also to the user allocation by Tomáš Mráz. - -diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c ---- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_group, gid_t *min_id, gid_t *max_id, -+ gid_t *preferred_min) -+{ -+ gid_t gid_def_max = 0; -+ -+ if (sys_group) { -+ /* System groups */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (gid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (gid_t) getdef_ulong("SYS_GID_MIN", 101UL); -+ -+ /* -+ * If SYS_GID_MAX is unspecified, we should assume it to be one -+ * less than the GID_MIN (which is reserved for non-system accounts) -+ */ -+ gid_def_max = (gid_t) getdef_ulong("GID_MIN", 1000UL) - 1; -+ *max_id = (gid_t) getdef_ulong("SYS_GID_MAX", -+ (unsigned long) gid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_GID_MIN (%lu), " -+ "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("GID_MIN", 1000UL), -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system groups */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (gid_t) getdef_ulong("GID_MIN", 1000UL); -+ *max_id = (gid_t) getdef_ulong("GID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system groups. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: GID_MIN (%lu), " -+ "GID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_gid - See if the requested GID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getgrgid() -+ */ -+static int check_gid(const gid_t gid, -+ const gid_t gid_min, -+ const gid_t gid_max, -+ bool *used_gids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (gid < gid_min || gid > gid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this GID -+ * using the gr_next() loop -+ */ -+ if (used_gids != NULL && used_gids[gid]) { -+ return EEXIST; -+ } -+ /* Check if the GID exists according to NSS */ -+ errno = 0; -+ if (getgrgid(gid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getgrgid() was NULL, check whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the GID must be available */ -+ return 0; -+} -+ -+/* - * find_new_gid - Find a new unused GID. - * - * If successful, find_new_gid provides an unused group ID in the -@@ -48,166 +160,339 @@ - * - * Return 0 on success, -1 if no unused GIDs are available. - */ --int find_new_gid (bool sys_group, -- gid_t *gid, -- /*@null@*/gid_t const *preferred_gid) -+int find_new_gid(bool sys_group, -+ gid_t *gid, -+ /*@null@*/gid_t const *preferred_gid) - { -- const struct group *grp; -- gid_t gid_min, gid_max, group_id; - bool *used_gids; -+ const struct group *grp; -+ gid_t gid_min, gid_max, preferred_min; -+ gid_t group_id, id; -+ gid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - -- assert (gid != NULL); -+ assert(gid != NULL); - -- if (!sys_group) { -- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); -- gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, (unsigned long) gid_max); -- return -1; -- } -- } else { -- gid_min = (gid_t) 1; -- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; -- gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); -- if (gid_max < gid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"), -- Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_group, &gid_min, &gid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred GID is available */ -+ if (preferred_gid) { -+ result = check_gid(*preferred_gid, preferred_min, gid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the GID isn't queued for use already -+ */ -+ if (gr_locate_gid (*preferred_gid) == NULL) { -+ *gid = *preferred_gid; -+ return 0; -+ } -+ /* -+ * gr_locate_gid() found the GID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set a GID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the group creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific GID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred GID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire group file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with gr_rewind/gr_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system groups) or highest (non-system -+ * groups), we will prefer those and avoid potentially reclaiming a -+ * deleted group (which can be a security issue, since it may grant -+ * access to files belonging to that former group). -+ * -+ * If there are no GIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. -+ * -+ */ -+ -+ /* Create an array to hold all of the discovered GIDs */ - used_gids = malloc (sizeof (bool) * (gid_max +1)); - if (NULL == used_gids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_gids, false, sizeof (bool) * (gid_max + 1)); - -- if ( (NULL != preferred_gid) -- && (*preferred_gid >= gid_min) -- && (*preferred_gid <= gid_max) -- /* Check if the user exists according to NSS */ -- && (getgrgid (*preferred_gid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (gr_locate_gid (*preferred_gid) == NULL)) { -- *gid = *preferred_gid; -- free (used_gids); -- return 0; -- } -- -- /* if we did not find free preffered system gid, we start to look for -- * one in the range assigned to dynamic system IDs */ -- if (sys_group) -- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); -+ /* First look for the lowest and highest value in the local database */ -+ (void) gr_rewind (); -+ highest_found = gid_min; -+ lowest_found = gid_max; -+ while ((grp = gr_next ()) != NULL) { -+ /* -+ * Does this entry have a lower GID than the lowest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) { -+ lowest_found = grp->gr_gid - 1; -+ } -+ -+ /* -+ * Does this entry have a higher GID than the highest we've found -+ * so far? -+ */ -+ if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) { -+ highest_found = grp->gr_gid + 1; -+ } -+ -+ /* create index of used GIDs */ -+ if (grp->gr_gid >= gid_min -+ && grp->gr_gid <= gid_max) { -+ -+ used_gids[grp->gr_gid] = true; -+ } -+ } - -- /* -- * Search the entire group file, -- * looking for the largest unused value. -- * -- * We check the list of groups according to NSS (setgrent/getgrent), -- * but we also check the local database (gr_rewind/gr_next) in case -- * some groups were created but the changes were not committed yet. -- */ - if (sys_group) { -- gid_t id; -- /* setgrent / getgrent / endgrent can be very slow with -- * LDAP configurations (and many accounts). -- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getgrgid. -- */ -- group_id = gid_max; -- for (id = gid_max; id >= gid_min; id--) { -- if (getgrgid (id) != NULL) { -- group_id = id - 1; -- used_gids[id] = true; -- } -+ /* -+ * For system groups, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MIN - 1. -+ */ -+ if (lowest_found < gid_min) { -+ /* -+ * In this case, a GID is in use at GID_MIN. -+ * -+ * We will reset the search to GID_MAX and proceed down -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ lowest_found = gid_max; - } - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) { -- group_id = grp->gr_gid - 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- group_id = gid_min; -- setgrent (); -- while ((grp = getgrent ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * GID_MAX - 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != gid_max) { -+ for (id = gid_max; id >= gid_min; id--) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ -+ } - } - } -- endgrent (); -+ } else { /* !sys_group */ -+ /* -+ * For non-system groups, we want to start from the -+ * bottom of the range and work upwards. -+ */ - -- (void) gr_rewind (); -- while ((grp = gr_next ()) != NULL) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -- } -- /* create index of used GIDs */ -- if (grp->gr_gid <= gid_max) { -- used_gids[grp->gr_gid] = true; -- } -+ /* -+ * At the conclusion of the gr_next() search, we will either -+ * have a presumed-free GID or we will be at GID_MAX + 1. -+ */ -+ if (highest_found > gid_max) { -+ /* -+ * In this case, a GID is in use at GID_MAX. -+ * -+ * We will reset the search to GID_MIN and proceed up -+ * through all the GIDs (skipping those we detected with -+ * used_gids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted GID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign GIDs -+ * explicitly). -+ */ -+ highest_found = gid_min; - } -- } - -- /* -- * If a group (resp. system group) with GID equal to GID_MAX (resp. -- * GID_MIN) exists, the above algorithm will give us GID_MAX+1 -- * (resp. GID_MIN-1) even if not unique. Search for the first free -- * GID starting with GID_MIN (resp. GID_MAX). -- */ -- if (sys_group) { -- if (group_id < gid_min) { -- for (group_id = gid_max; group_id >= gid_min; group_id--) { -- if (false == used_gids[group_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (group_id < gid_min) { -- fprintf (stderr, -- _("%s: Can't get unique system GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available GID on the system")); -- free (used_gids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- } else { -- if (group_id > gid_max) { -- for (group_id = gid_min; group_id <= gid_max; group_id++) { -- if (false == used_gids[group_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from GID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (GID_MAX - GID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * GID_MIN + 1, all groups in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != gid_min) { -+ for (id = gid_min; id <= gid_max; id++) { -+ result = check_gid(id, gid_min, gid_max, used_gids); -+ if (result == 0) { -+ /* This GID is available. Return it. */ -+ *gid = id; -+ free(used_gids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This GID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique GID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available GIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later GID -+ * will work properly. -+ */ - } - } -- if (group_id > gid_max) { -- fprintf (stderr, -- _("%s: Can't get unique GID (no more available GIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available GID on the system")); -- free (used_gids); -- return -1; -- } - } - } - -- free (used_gids); -- *gid = group_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique GID (no more available GIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available GIDs on the system")); -+ free(used_gids); -+ return -1; - } - -diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c ---- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200 -@@ -39,6 +39,118 @@ - #include "getdef.h" - - /* -+ * get_ranges - Get the minimum and maximum ID ranges for the search -+ * -+ * This function will return the minimum and maximum ranges for IDs -+ * -+ * 0: The function completed successfully -+ * EINVAL: The provided ranges are impossible (such as maximum < minimum) -+ * -+ * preferred_min: The special-case minimum value for a specifically- -+ * requested ID, which may be lower than the standard min_id -+ */ -+static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id, -+ uid_t *preferred_min) -+{ -+ uid_t uid_def_max = 0; -+ -+ if (sys_user) { -+ /* System users */ -+ -+ /* A requested ID is allowed to be below the autoselect range */ -+ *preferred_min = (uid_t) 1; -+ -+ /* Get the minimum ID range from login.defs or default to 101 */ -+ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL); -+ -+ /* -+ * If SYS_UID_MAX is unspecified, we should assume it to be one -+ * less than the UID_MIN (which is reserved for non-system accounts) -+ */ -+ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1; -+ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX", -+ (unsigned long) uid_def_max); -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf (stderr, -+ _("%s: Invalid configuration: SYS_UID_MIN (%lu), " -+ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ getdef_ulong ("UID_MIN", 1000UL), -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } else { -+ /* Non-system users */ -+ -+ /* Get the values from login.defs or use reasonable defaults */ -+ *min_id = (uid_t) getdef_ulong("UID_MIN", 1000UL); -+ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL); -+ -+ /* -+ * The preferred minimum should match the standard ID minimum -+ * for non-system users. -+ */ -+ *preferred_min = *min_id; -+ -+ /* Check that the ranges make sense */ -+ if (*max_id < *min_id) { -+ (void) fprintf(stderr, -+ _("%s: Invalid configuration: UID_MIN (%lu), " -+ "UID_MAX (%lu)\n"), -+ Prog, (unsigned long) *min_id, -+ (unsigned long) *max_id); -+ return EINVAL; -+ } -+ } -+ -+ return 0; -+} -+ -+/* -+ * check_uid - See if the requested UID is available -+ * -+ * On success, return 0 -+ * If the ID is in use, return EEXIST -+ * If the ID is outside the range, return ERANGE -+ * In other cases, return errno from getpwuid() -+ */ -+static int check_uid(const uid_t uid, -+ const uid_t uid_min, -+ const uid_t uid_max, -+ bool *used_uids) -+{ -+ /* First test that the preferred ID is in the range */ -+ if (uid < uid_min || uid > uid_max) { -+ return ERANGE; -+ } -+ -+ /* -+ * Check whether we already detected this UID -+ * using the pw_next() loop -+ */ -+ if (used_uids != NULL && used_uids[uid]) { -+ return EEXIST; -+ } -+ /* Check if the UID exists according to NSS */ -+ errno = 0; -+ if (getpwuid(uid) != NULL) { -+ return EEXIST; -+ } else { -+ /* getpwuid() was NULL, check whether this was -+ * due to an error, so we can report it. -+ */ -+ /* ignore errors for now * if (errno != 0) { -+ return errno; -+ } */ -+ } -+ -+ /* If we've made it here, the UID must be available */ -+ return 0; -+} -+ -+/* - * find_new_uid - Find a new unused UID. - * - * If successful, find_new_uid provides an unused user ID in the -@@ -48,162 +160,339 @@ - * - * Return 0 on success, -1 if no unused UIDs are available. - */ --int find_new_uid (bool sys_user, -- uid_t *uid, -- /*@null@*/uid_t const *preferred_uid) -+int find_new_uid(bool sys_user, -+ uid_t *uid, -+ /*@null@*/uid_t const *preferred_uid) - { -- const struct passwd *pwd; -- uid_t uid_min, uid_max, user_id; - bool *used_uids; -+ const struct passwd *pwd; -+ uid_t uid_min, uid_max, preferred_min; -+ uid_t user_id, id; -+ uid_t lowest_found, highest_found; -+ int result; -+ int nospam = 0; - - assert (uid != NULL); - -- if (!sys_user) { -- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, (unsigned long) uid_max); -- return -1; -- } -- } else { -- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); -- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; -- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); -- if (uid_max < uid_min) { -- (void) fprintf (stderr, -- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"), -- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max); -+ /* -+ * First, figure out what ID range is appropriate for -+ * automatic assignment -+ */ -+ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min); -+ if (result == EINVAL) { -+ return -1; -+ } -+ -+ /* Check if the preferred UID is available */ -+ if (preferred_uid) { -+ result = check_uid(*preferred_uid, preferred_min, uid_max, NULL); -+ if (result == 0) { -+ /* -+ * Make sure the UID isn't queued for use already -+ */ -+ if (pw_locate_uid (*preferred_uid) == NULL) { -+ *uid = *preferred_uid; -+ return 0; -+ } -+ /* -+ * pw_locate_uid() found the UID in an as-yet uncommitted -+ * entry. We'll proceed below and auto-set an UID. -+ */ -+ } else if (result == EEXIST || result == ERANGE) { -+ /* -+ * Continue on below. At this time, we won't -+ * treat these two cases differently. -+ */ -+ } else { -+ /* -+ * An unexpected error occurred. We should report -+ * this and fail the user creation. -+ * This differs from the automatic creation -+ * behavior below, since if a specific UID was -+ * requested and generated an error, the user is -+ * more likely to want to stop and address the -+ * issue. -+ */ -+ fprintf(stderr, -+ _("%s: Encountered error attempting to use " -+ "preferred UID: %s\n"), -+ Prog, strerror(result)); - return -1; - } - } -+ -+ /* -+ * Search the entire passwd file, -+ * looking for the next unused value. -+ * -+ * We first check the local database with pw_rewind/pw_next to find -+ * all local values that are in use. -+ * -+ * We then compare the next free value to all databases (local and -+ * remote) and iterate until we find a free one. If there are free -+ * values beyond the lowest (system users) or highest (non-system -+ * users), we will prefer those and avoid potentially reclaiming a -+ * deleted user (which can be a security issue, since it may grant -+ * access to files belonging to that former user). -+ * -+ * If there are no UIDs available at the end of the search, we will -+ * have no choice but to iterate through the range looking for gaps. -+ * -+ */ -+ -+ /* Create an array to hold all of the discovered UIDs */ - used_uids = malloc (sizeof (bool) * (uid_max +1)); - if (NULL == used_uids) { - fprintf (stderr, -- _("%s: failed to allocate memory: %s\n"), -- Prog, strerror (errno)); -+ _("%s: failed to allocate memory: %s\n"), -+ Prog, strerror (errno)); - return -1; - } - memset (used_uids, false, sizeof (bool) * (uid_max + 1)); - -- if ( (NULL != preferred_uid) -- && (*preferred_uid >= uid_min) -- && (*preferred_uid <= uid_max) -- /* Check if the user exists according to NSS */ -- && (getpwuid (*preferred_uid) == NULL) -- /* Check also the local database in case of uncommitted -- * changes */ -- && (pw_locate_uid (*preferred_uid) == NULL)) { -- *uid = *preferred_uid; -- free (used_uids); -- return 0; -- } -+ /* First look for the lowest and highest value in the local database */ -+ (void) pw_rewind (); -+ highest_found = uid_min; -+ lowest_found = uid_max; -+ while ((pwd = pw_next ()) != NULL) { -+ /* -+ * Does this entry have a lower UID than the lowest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) { -+ lowest_found = pwd->pw_uid - 1; -+ } - -+ /* -+ * Does this entry have a higher UID than the highest we've found -+ * so far? -+ */ -+ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) { -+ highest_found = pwd->pw_uid + 1; -+ } -+ -+ /* create index of used UIDs */ -+ if (pwd->pw_uid >= uid_min -+ && pwd->pw_uid <= uid_max) { -+ -+ used_uids[pwd->pw_uid] = true; -+ } -+ } - -- /* -- * Search the entire password file, -- * looking for the largest unused value. -- * -- * We check the list of users according to NSS (setpwent/getpwent), -- * but we also check the local database (pw_rewind/pw_next) in case -- * some users were created but the changes were not committed yet. -- */ - if (sys_user) { -- uid_t id; -- /* setpwent / getpwent / endpwent can be very slow with -- * LDAP configurations (and many accounts). -- * Since there is a limited amount of IDs to be tested -- * for system accounts, we just check the existence -- * of IDs with getpwuid. -- */ -- user_id = uid_max; -- for (id = uid_max; id >= uid_min; id--) { -- if (getpwuid (id) != NULL) { -- user_id = id - 1; -- used_uids[id] = true; -- } -+ /* -+ * For system users, we want to start from the -+ * top of the range and work downwards. -+ */ -+ -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MIN - 1. -+ */ -+ if (lowest_found < uid_min) { -+ /* -+ * In this case, an UID is in use at UID_MIN. -+ * -+ * We will reset the search to UID_MAX and proceed down -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ lowest_found = uid_max; - } - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) { -- user_id = pwd->pw_uid - 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ /* Search through all of the IDs in the range */ -+ for (id = lowest_found; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- user_id = uid_min; -- setpwent (); -- while ((pwd = getpwent ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MAX, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with lowest_found as -+ * UID_MAX - 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (lowest_found != uid_max) { -+ for (id = uid_max; id >= uid_min; id--) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique system UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ -+ } - } - } -- endpwent (); -+ } else { /* !sys_user */ -+ /* -+ * For non-system users, we want to start from the -+ * bottom of the range and work upwards. -+ */ - -- (void) pw_rewind (); -- while ((pwd = pw_next ()) != NULL) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -- } -- /* create index of used UIDs */ -- if (pwd->pw_uid <= uid_max) { -- used_uids[pwd->pw_uid] = true; -- } -+ /* -+ * At the conclusion of the pw_next() search, we will either -+ * have a presumed-free UID or we will be at UID_MAX + 1. -+ */ -+ if (highest_found > uid_max) { -+ /* -+ * In this case, a UID is in use at UID_MAX. -+ * -+ * We will reset the search to UID_MIN and proceed up -+ * through all the UIDs (skipping those we detected with -+ * used_uids) for a free one. It is a known issue that -+ * this may result in reusing a previously-deleted UID, -+ * so administrators should be instructed to use this -+ * auto-detection with care (and prefer to assign UIDs -+ * explicitly). -+ */ -+ highest_found = uid_min; - } -- } - -- /* -- * If a user (resp. system user) with UID equal to UID_MAX (resp. -- * UID_MIN) exists, the above algorithm will give us UID_MAX+1 -- * (resp. UID_MIN-1) even if not unique. Search for the first free -- * UID starting with UID_MIN (resp. UID_MAX). -- */ -- if (sys_user) { -- if (user_id < uid_min) { -- for (user_id = uid_max; user_id >= uid_min; user_id--) { -- if (false == used_uids[user_id]) { -- break; -+ /* Search through all of the IDs in the range */ -+ for (id = highest_found; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; - } -- } -- if (user_id < uid_min ) { -- fprintf (stderr, -- _("%s: Can't get unique system UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, -- "no more available UID on the system")); -- free (used_uids); -- return -1; -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- } else { -- if (user_id > uid_max) { -- for (user_id = uid_min; user_id <= uid_max; user_id++) { -- if (false == used_uids[user_id]) { -- break; -+ -+ /* -+ * If we get all the way through the loop, try again from UID_MIN, -+ * unless that was where we previously started. (NOTE: the worst-case -+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1) -+ * cycles *again* if we fall into this case with highest_found as -+ * UID_MIN + 1, all users in the range in use and maintained by -+ * network services such as LDAP.) -+ */ -+ if (highest_found != uid_min) { -+ for (id = uid_min; id <= uid_max; id++) { -+ result = check_uid(id, uid_min, uid_max, used_uids); -+ if (result == 0) { -+ /* This UID is available. Return it. */ -+ *uid = id; -+ free(used_uids); -+ return 0; -+ } else if (result == EEXIST) { -+ /* This UID is in use, we'll continue to the next */ -+ } else { -+ /* -+ * An unexpected error occurred. -+ * -+ * Only report it the first time to avoid spamming -+ * the logs -+ * -+ */ -+ if (!nospam) { -+ fprintf(stderr, -+ _("%s: Can't get unique UID (%s). " -+ "Suppressing additional messages.\n"), -+ Prog, strerror(result)); -+ SYSLOG((LOG_ERR, -+ "Error checking available UIDs: %s", -+ strerror(result))); -+ nospam = 1; -+ } -+ /* -+ * We will continue anyway. Hopefully a later UID -+ * will work properly. -+ */ - } - } -- if (user_id > uid_max) { -- fprintf (stderr, -- _("%s: Can't get unique UID (no more available UIDs)\n"), -- Prog); -- SYSLOG ((LOG_WARN, "no more available UID on the system")); -- free (used_uids); -- return -1; -- } - } - } - -- free (used_uids); -- *uid = user_id; -- return 0; -+ /* The code reached here and found no available IDs in the range */ -+ fprintf(stderr, -+ _("%s: Can't get unique UID (no more available UIDs)\n"), -+ Prog); -+ SYSLOG((LOG_WARN, "no more available UIDs on the system")); -+ free(used_uids); -+ return -1; - } - diff --git a/shadow-4.1.5.1-selinux.patch b/shadow-4.1.5.1-selinux.patch deleted file mode 100644 index 4ac32d2..0000000 --- a/shadow-4.1.5.1-selinux.patch +++ /dev/null @@ -1,99 +0,0 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200 -@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, - - ret = 0; - -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_seuser_key_free (key); - semanage_handle_destroy (handle); -@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) - } - - ret = 0; -+ -+ /* drop obsolete matchpathcon cache */ -+ matchpathcon_fini(); -+ - done: - semanage_handle_destroy (handle); - return ret; -diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200 -@@ -1850,6 +1850,7 @@ static void create_mail (void) - */ - int main (int argc, char **argv) - { -+ int rv = E_SUCCESS; - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - pam_handle_t *pamh = NULL; -@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) - - usr_update (); - -+ close_files (); -+ -+ nscd_flush_cache ("passwd"); -+ nscd_flush_cache ("group"); -+ -+#ifdef WITH_SELINUX -+ if (Zflg && *user_selinux) { -+ if (is_selinux_enabled () > 0) { -+ if (set_seuser (user_name, user_selinux) != 0) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "adding SELinux user mapping", -+ user_name, (unsigned int) user_id, 0); -+#endif /* WITH_AUDIT */ -+ rv = E_SE_UPDATE; -+ } -+ } -+ } -+#endif -+ - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, -+ copy_tree (def_template, user_home, false, true, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, -@@ -2056,27 +2080,6 @@ int main (int argc, char **argv) - create_mail (); - } - -- close_files (); -- --#ifdef WITH_SELINUX -- if (Zflg) { -- if (set_seuser (user_name, user_selinux) != 0) { -- fprintf (stderr, -- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -- Prog, user_name, user_selinux); --#ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding SELinux user mapping", -- user_name, (unsigned int) user_id, 0); --#endif /* WITH_AUDIT */ -- fail_exit (E_SE_UPDATE); -- } -- } --#endif /* WITH_SELINUX */ -- -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- -- return E_SUCCESS; -+ return rv; - } - diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch deleted file mode 100644 index 1adcabd..0000000 --- a/shadow-4.2.1-merge-group.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c ---- shadow-4.2.1/lib/groupio.c.merge-group 2014-11-26 14:33:54.039581662 +0100 -+++ shadow-4.2.1/lib/groupio.c 2014-11-26 14:46:02.841852886 +0100 -@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry * - errno = ENOMEM; - return NULL; - } -- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); -- new_line[new_line_len] = '\0'; -+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); - - /* Concatenate the 2 list of members */ - for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-4.3.1-defs-chroot.patch b/shadow-4.3.1-defs-chroot.patch deleted file mode 100644 index e57fac8..0000000 --- a/shadow-4.3.1-defs-chroot.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up shadow-4.3.1/src/useradd.c.defs-chroot shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.defs-chroot 2016-08-22 17:13:29.420068883 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-22 17:15:14.040343275 +0200 -@@ -1938,8 +1938,8 @@ int main (int argc, char **argv) - #endif /* ACCT_TOOLS_SETUID */ - - #ifdef ENABLE_SUBIDS -- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ uid_t uid_min; -+ uid_t uid_max; - #endif - - /* -@@ -1958,6 +1958,9 @@ int main (int argc, char **argv) - audit_help_open (); - #endif - -+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); -+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); -+ - sys_ngroups = sysconf (_SC_NGROUPS_MAX); - user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); - /* diff --git a/shadow-4.3.1-process-defaults.patch b/shadow-4.3.1-process-defaults.patch deleted file mode 100644 index b337376..0000000 --- a/shadow-4.3.1-process-defaults.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up shadow-4.3.1/src/useradd.c.process-defaults shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.process-defaults 2016-08-22 17:30:01.000000000 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-25 09:49:51.454720951 +0200 -@@ -1974,6 +1974,8 @@ int main (int argc, char **argv) - is_shadow_grp = sgr_file_present (); - #endif - -+ get_defaults (); -+ - process_flags (argc, argv); - - #ifdef ENABLE_SUBIDS -@@ -1983,8 +1985,6 @@ int main (int argc, char **argv) - (!user_id || (user_id <= uid_max && user_id >= uid_min)); - #endif /* ENABLE_SUBIDS */ - -- get_defaults (); -- - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - { diff --git a/shadow-4.1.5.1-orig-context.patch b/shadow-4.5-orig-context.patch similarity index 67% rename from shadow-4.1.5.1-orig-context.patch rename to shadow-4.5-orig-context.patch index c1ddb13..c935658 100644 --- a/shadow-4.1.5.1-orig-context.patch +++ b/shadow-4.5-orig-context.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100 +diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c +--- shadow-4.5/lib/commonio.c.orig-context 2017-05-17 21:19:44.000000000 +0200 ++++ shadow-4.5/lib/commonio.c 2017-07-20 16:47:41.102186239 +0200 @@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); @@ -10,7 +10,7 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db * +@@ -974,7 +974,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -19,9 +19,9 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio. errors++; } #endif -diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c ---- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100 -+++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100 +diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c +--- shadow-4.5/libmisc/copydir.c.orig-context 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/libmisc/copydir.c 2017-07-20 16:47:41.102186239 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ @@ -58,10 +58,10 @@ diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/co return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h ---- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100 -+++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100 -@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h +--- shadow-4.5/lib/prototypes.h.orig-context 2017-05-17 21:19:44.000000000 +0200 ++++ shadow-4.5/lib/prototypes.h 2017-07-20 16:47:41.102186239 +0200 +@@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -70,9 +70,9 @@ diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototy extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c ---- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100 +diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c +--- shadow-4.5/lib/selinux.c.orig-context 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/selinux.c 2017-07-20 16:47:41.102186239 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context @@ -114,15 +114,15 @@ diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c } /* -diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200 -+++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100 -@@ -1759,7 +1759,7 @@ static void create_home (void) +diff -up shadow-4.5/src/useradd.c.orig-context shadow-4.5/src/useradd.c +--- shadow-4.5/src/useradd.c.orig-context 2017-07-20 16:47:41.102186239 +0200 ++++ shadow-4.5/src/useradd.c 2017-07-20 16:50:28.226198387 +0200 +@@ -1945,7 +1945,7 @@ static void create_home (void) { if (access (user_home, F_OK) != 0) { #ifdef WITH_SELINUX - if (set_selinux_file_context (user_home) != 0) { + if (set_selinux_file_context (user_home, NULL) != 0) { - fail_exit (E_HOMEDIR); - } - #endif + fprintf (stderr, + _("%s: cannot set SELinux context for home directory %s\n"), + Prog, user_home); diff --git a/shadow-4.5-selinux.patch b/shadow-4.5-selinux.patch new file mode 100644 index 0000000..cd190cc --- /dev/null +++ b/shadow-4.5-selinux.patch @@ -0,0 +1,115 @@ +diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c +--- shadow-4.5/lib/semanage.c.selinux 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/semanage.c 2017-07-20 16:40:49.680297319 +0200 +@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, + + ret = 0; + ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_seuser_key_free (key); + semanage_handle_destroy (handle); +@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) + } + + ret = 0; ++ ++ /* drop obsolete matchpathcon cache */ ++ matchpathcon_fini(); ++ + done: + semanage_handle_destroy (handle); + return ret; +diff -up shadow-4.5/src/useradd.c.selinux shadow-4.5/src/useradd.c +--- shadow-4.5/src/useradd.c.selinux 2017-07-20 16:40:49.677297246 +0200 ++++ shadow-4.5/src/useradd.c 2017-07-20 16:44:58.195275331 +0200 +@@ -2042,6 +2042,7 @@ static void create_mail (void) + */ + int main (int argc, char **argv) + { ++ int rv = E_SUCCESS; + #ifdef ACCT_TOOLS_SETUID + #ifdef USE_PAM + pam_handle_t *pamh = NULL; +@@ -2262,27 +2263,11 @@ int main (int argc, char **argv) + + usr_update (); + +- if (mflg) { +- create_home (); +- if (home_added) { +- copy_tree (def_template, user_home, false, false, +- (uid_t)-1, user_id, (gid_t)-1, user_gid); +- } else { +- fprintf (stderr, +- _("%s: warning: the home directory already exists.\n" +- "Not copying any file from skel directory into it.\n"), +- Prog); +- } +- +- } +- +- /* Do not create mail directory for system accounts */ +- if (!rflg) { +- create_mail (); +- } +- + close_files (); + ++ nscd_flush_cache ("passwd"); ++ nscd_flush_cache ("group"); ++ + /* + * tallylog_reset needs to be able to lookup + * a valid existing user name, +@@ -2293,8 +2278,9 @@ int main (int argc, char **argv) + } + + #ifdef WITH_SELINUX +- if (Zflg) { +- if (set_seuser (user_name, user_selinux) != 0) { ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ if (set_seuser (user_name, user_selinux) != 0) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); +@@ -2303,14 +2289,31 @@ int main (int argc, char **argv) + "adding SELinux user mapping", + user_name, (unsigned int) user_id, 0); + #endif /* WITH_AUDIT */ +- fail_exit (E_SE_UPDATE); ++ rv = E_SE_UPDATE; ++ } + } + } +-#endif /* WITH_SELINUX */ ++#endif + +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); ++ if (mflg) { ++ create_home (); ++ if (home_added) { ++ copy_tree (def_template, user_home, false, true, ++ (uid_t)-1, user_id, (gid_t)-1, user_gid); ++ } else { ++ fprintf (stderr, ++ _("%s: warning: the home directory already exists.\n" ++ "Not copying any file from skel directory into it.\n"), ++ Prog); ++ } ++ ++ } ++ ++ /* Do not create mail directory for system accounts */ ++ if (!rflg) { ++ create_mail (); ++ } + +- return E_SUCCESS; ++ return rv; + } + diff --git a/shadow-4.2.1-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch similarity index 86% rename from shadow-4.2.1-usermod-unlock.patch rename to shadow-4.5-usermod-unlock.patch index 19feecb..d37b4aa 100644 --- a/shadow-4.2.1-usermod-unlock.patch +++ b/shadow-4.5-usermod-unlock.patch @@ -1,6 +1,6 @@ -diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.unlock 2016-02-03 11:54:14.977664838 +0100 -+++ shadow-4.2.1/src/usermod.c 2016-02-09 11:52:08.244957222 +0100 +diff -up shadow-4.5/src/usermod.c.unlock shadow-4.5/src/usermod.c +--- shadow-4.5/src/usermod.c.unlock 2017-07-20 16:52:23.641969174 +0200 ++++ shadow-4.5/src/usermod.c 2017-07-20 16:54:08.109477127 +0200 @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; @@ -60,4 +60,4 @@ diff -up shadow-4.2.1/src/usermod.c.unlock shadow-4.2.1/src/usermod.c + fail_exit(E_PW_UPDATE); if (pflg) { - spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; + spent->sp_lstchg = (long) gettime () / SCALE; diff --git a/shadow-utils.spec b/shadow-utils.spec index 5d536e6..7b31676 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,40 +1,33 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.3.1 -Release: 3%{?dist} +Version: 4.5 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ -Source0: https://github.com/shadow-maint/shadow/archive/%{version}.tar.gz#/shadow-%{version}.tar.gz -Source1: shadow-utils.login.defs +Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz +Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source2: shadow-utils.useradd +Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch Patch1: shadow-4.1.5.1-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch3: shadow-4.1.5-uflg.patch -Patch6: shadow-4.1.5.1-selinux.patch +Patch6: shadow-4.5-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch -Patch8: shadow-4.1.5.1-backup-mode.patch -Patch9: shadow-4.2.1-merge-group.patch -Patch10: shadow-4.1.5.1-orig-context.patch +Patch10: shadow-4.5-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch -Patch12: shadow-4.1.5.1-errmsg.patch -Patch13: shadow-4.1.5.1-audit-owner.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch -Patch18: shadow-4.1.5.1-id-alloc.patch Patch19: shadow-4.2.1-date-parsing.patch Patch20: shadow-4.1.5.1-ingroup.patch Patch21: shadow-4.1.5.1-move-home.patch Patch22: shadow-4.3.1-audit-update.patch -Patch23: shadow-4.2.1-usermod-unlock.patch +Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch -Patch25: shadow-4.3.1-defs-chroot.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch -Patch30: shadow-4.3.1-process-defaults.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -68,29 +61,21 @@ are used for managing group accounts. %patch0 -p1 -b .redhat %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir -%patch3 -p1 -b .uflg %patch6 -p1 -b .selinux %patch7 -p1 -b .2ndskip -%patch8 -p1 -b .backup-mode -%patch9 -p1 -b .merge-group %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg -%patch12 -p1 -b .errmsg -%patch13 -p1 -b .audit-owner %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel -%patch18 -p1 -b .id-alloc %patch19 -p1 -b .date-parsing %patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos -%patch25 -p1 -b .defs-chroot %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm -%patch30 -p1 -b .process-defaults iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -98,9 +83,6 @@ cp -f doc/HOWTO.utf8 doc/HOWTO cp -a %{SOURCE4} %{SOURCE5} . %build - -./autogen.sh - %ifarch sparc64 #sparc64 need big PIE export CFLAGS="$RPM_OPT_FLAGS -fPIE" @@ -110,6 +92,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +autoreconf %configure \ --enable-shadowgrp \ --enable-man \ @@ -126,7 +109,7 @@ make rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default -install -p -c -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs +install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd @@ -249,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 +- update to current upstream release 4.5 + * Sat Feb 11 2017 Fedora Release Engineering - 2:4.3.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild diff --git a/sources b/sources index 899422e..a50063e 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -b6b48ef1af4eb088937c8cc47e317009 shadow-4.3.1.tar.gz +SHA512 (shadow-4.5.tar.xz) = e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 +SHA512 (shadow-4.5.tar.xz.asc) = 42739e5e36e0dd1ff8e9d8721f5b4b222113afd91c927b580bc0b587d59dcdecdf938c978405b80f15a70b17f2d0589f8b6277e0e9bd23a5f3c2fc924c9b1e24 From 3a17ec0f47535362c05339090a225e5ddab617e4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 27 Jul 2017 18:30:31 +0000 Subject: [PATCH 11/31] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 7b31676..d484578 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Fri Jul 21 2017 Tomáš Mráz - 2:4.5-1 - update to current upstream release 4.5 From 46349c33e5aea3baa759cc753cce606c399b0a07 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 3 Aug 2017 08:23:19 +0000 Subject: [PATCH 12/31] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index d484578..adf57c2 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Thu Jul 27 2017 Fedora Release Engineering - 2:4.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From 2c7fd6de84388eda729beee620a06f7bd5e32415 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 14 Aug 2017 11:03:28 +0200 Subject: [PATCH 13/31] allow switching to secondary group without checking the membership (patch from upstream) --- shadow-4.1.5.1-newgrp-grouplist.patch | 70 +++++++++++++++++++++++++++ shadow-utils.spec | 8 ++- 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 shadow-4.1.5.1-newgrp-grouplist.patch diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch new file mode 100644 index 0000000..8fcfd97 --- /dev/null +++ b/shadow-4.1.5.1-newgrp-grouplist.patch @@ -0,0 +1,70 @@ +diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c +--- shadow-4.1.5.1/src/newgrp.c.grouplist 2016-06-28 10:23:46.686334213 +0200 ++++ shadow-4.1.5.1/src/newgrp.c 2017-08-14 10:26:58.300757328 +0200 +@@ -382,6 +382,7 @@ int main (int argc, char **argv) + { + bool initflag = false; + int i; ++ bool is_member = false; + bool cflag = false; + int err = 0; + gid_t gid; +@@ -631,22 +632,36 @@ int main (int argc, char **argv) + goto failure; + } + ++#ifdef HAVE_SETGROUPS ++ /* when using pam_group, she will not be listed in the groups ++ * database. However getgroups() will return the group. So ++ * if she is listed there already it is ok to grant membership. ++ */ ++ for (i = 0; i < ngroups; i++) { ++ if (grp->gr_gid == grouplist[i]) { ++ is_member = true; ++ break; ++ } ++ } ++#endif /* HAVE_SETGROUPS */ + /* + * For splitted groups (due to limitations of NIS), check all + * groups of the same GID like the requested group for + * membership of the current user. + */ +- grp = find_matching_group (name, grp); +- if (NULL == grp) { +- /* +- * No matching group found. As we already know that +- * the group exists, this happens only in the case +- * of a requested group where the user is not member. +- * +- * Re-read the group entry for further processing. +- */ +- grp = xgetgrnam (group); +- assert (NULL != grp); ++ if (!is_member) { ++ grp = find_matching_group (name, grp); ++ if (NULL == grp) { ++ /* ++ * No matching group found. As we already know that ++ * the group exists, this happens only in the case ++ * of a requested group where the user is not member. ++ * ++ * Re-read the group entry for further processing. ++ */ ++ grp = xgetgrnam (group); ++ assert (NULL != grp); ++ } + } + #ifdef SHADOWGRP + sgrp = getsgnam (group); +@@ -659,7 +674,9 @@ int main (int argc, char **argv) + /* + * Check if the user is allowed to access this group. + */ +- check_perms (grp, pwd, group); ++ if (!is_member) { ++ check_perms (grp, pwd, group); ++ } + + /* + * all successful validations pass through this point. The group id diff --git a/shadow-utils.spec b/shadow-utils.spec index adf57c2..a8e6b48 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -28,6 +28,7 @@ Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch +Patch30: shadow-4.1.5.1-newgrp-grouplist.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -76,6 +77,7 @@ are used for managing group accounts. %patch24 -p1 -b .no-lock-dos %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm +%patch30 -p1 -b .grouplist iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -232,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 +- allow switching to secondary group without checking the membership + explicitly (patch from upstream) + * Thu Aug 03 2017 Fedora Release Engineering - 2:4.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild From b90f1c39125212300e95934f7c9f932e9fe784d9 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 15 Sep 2017 17:54:22 +0200 Subject: [PATCH 14/31] do not allow "." and ".." user names --- ...oodname.patch => shadow-4.5-goodname.patch | 69 +++++++++++-------- shadow-utils.spec | 7 +- 2 files changed, 47 insertions(+), 29 deletions(-) rename shadow-4.1.5.1-goodname.patch => shadow-4.5-goodname.patch (53%) diff --git a/shadow-4.1.5.1-goodname.patch b/shadow-4.5-goodname.patch similarity index 53% rename from shadow-4.1.5.1-goodname.patch rename to shadow-4.5-goodname.patch index 15c98a7..72f1492 100644 --- a/shadow-4.1.5.1-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -1,7 +1,7 @@ -diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c ---- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 -+++ shadow-4.1.5.1/libmisc/chkname.c 2014-09-09 17:35:17.207303124 +0200 -@@ -47,27 +47,42 @@ +diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c +--- shadow-4.5/libmisc/chkname.c.goodname 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/libmisc/chkname.c 2017-09-15 17:06:29.917939977 +0200 +@@ -47,27 +47,46 @@ #include "chkname.h" static bool is_valid_name (const char *name) @@ -18,16 +18,18 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam + * as a non-POSIX, extension, allow "$" as the last char for + * sake of Samba 3.x "add machine script" + * -+ * Also do not allow fully numeric names. ++ * Also do not allow fully numeric names or just "." or "..". + */ + int numeric; + -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { ++ if ('\0' == *name || ++ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || ++ '\0' == name[1])) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.')) { return false; } @@ -39,13 +41,14 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam - ('_' == *name) || - ('-' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { ++ if (!((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.' || ++ *name == '-' || ++ (*name == '$' && name[1] == '\0') + )) { return false; } + numeric &= isdigit(*name); @@ -56,10 +59,10 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam } bool is_valid_user_name (const char *name) -diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml ---- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 -+++ shadow-4.1.5.1/man/groupadd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -259,12 +259,6 @@ +diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml +--- shadow-4.5/man/groupadd.8.xml.goodname 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/man/groupadd.8.xml 2017-08-14 10:27:24.657391521 +0200 +@@ -256,12 +256,6 @@ CAVEATS @@ -72,10 +75,22 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2014-09-09 17:28:46.330300342 +0200 -@@ -366,7 +366,7 @@ +diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml +--- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 ++++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 +@@ -347,6 +347,11 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. ++ + + + +@@ -355,7 +360,7 @@ @@ -84,7 +99,7 @@ diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8. wide setting from /etc/login.defs () is set to yes. -@@ -654,12 +654,6 @@ +@@ -633,12 +638,6 @@ diff --git a/shadow-utils.spec b/shadow-utils.spec index a8e6b48..4b030dd 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -11,7 +11,7 @@ Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.1.5-redhat.patch -Patch1: shadow-4.1.5.1-goodname.patch +Patch1: shadow-4.5-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch Patch6: shadow-4.5-selinux.patch Patch7: shadow-4.1.5-2ndskip.patch @@ -234,6 +234,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 +- do not allow "." and ".." user names + * Mon Aug 14 2017 Tomáš Mráz - 2:4.5-4 - allow switching to secondary group without checking the membership explicitly (patch from upstream) From 9659143d385aa40f5b94664f6ea215e66fa9eac3 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 15 Sep 2017 18:00:17 +0200 Subject: [PATCH 15/31] Remove incorrect hunks from the goodname patch. --- shadow-4.5-goodname.patch | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch index 72f1492..bf02257 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -78,28 +78,7 @@ diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml --- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 +++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 -@@ -347,6 +347,11 @@ - is not enabled, no home - directories are created. - -+ -+ The directory where the user's home directory is created must -+ exist and have proper SELinux context and permissions. Otherwise -+ the user's home directory cannot be created or accessed. -+ - - - -@@ -355,7 +360,7 @@ - - - -- Do no create the user's home directory, even if the system -+ Do not create the user's home directory, even if the system - wide setting from /etc/login.defs - () is set to - yes. -@@ -633,12 +638,6 @@ +@@ -633,12 +633,6 @@ From 8633999acfd789cb9e61ba40011761a08729d36c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 2 Nov 2017 11:50:59 +0100 Subject: [PATCH 16/31] fix userdel in chroot (#1316168) add useful chage -E example to chage manpage --- shadow-4.3.1-manfix.patch | 14 +++++ shadow-4.5-userdel-chroot.patch | 108 ++++++++++++++++++++++++++++++++ shadow-utils.spec | 9 ++- 3 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 shadow-4.5-userdel-chroot.patch diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch index 2aeb0a8..4ca6054 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -38,6 +38,20 @@ diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml +@@ -119,6 +122,13 @@ + system again. + + ++ For example the following can be used to set an account to expire ++ in 180 days: ++ ++ ++ chage -E $(date -d +180days +%Y-%m-%d) ++ ++ + Passing the number -1 as the + EXPIRE_DATE will remove an account + expiration date. diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 --- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 +++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch new file mode 100644 index 0000000..e5cf287 --- /dev/null +++ b/shadow-4.5-userdel-chroot.patch @@ -0,0 +1,108 @@ +diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c +--- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-02 10:19:11.886588281 +0100 ++++ shadow-4.5/lib/selinux.c 2017-11-02 11:38:32.029906306 +0100 +@@ -75,7 +75,7 @@ int set_selinux_file_context (const char + } + return 0; + error: +- if (security_getenforce () != 0) { ++ if (security_getenforce () > 0) { + return 1; + } + return 0; +@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) + selinux_checked = true; + } + if (selinux_enabled) { +- if (setfscreatecon (NULL) != 0) { ++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { + return 1; + } + } +diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c +--- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-02 10:19:11.899588578 +0100 ++++ shadow-4.5/src/userdel.c 2017-11-02 11:16:07.437048450 +0100 +@@ -96,6 +96,7 @@ static char *user_home; + static bool fflg = false; + static bool rflg = false; + static bool Zflg = false; ++static bool Rflg = false; + + static bool is_shadow_pwd; + +@@ -958,6 +959,7 @@ int main (int argc, char **argv) + rflg = true; + break; + case 'R': /* no-op, handled in process_root_flag () */ ++ Rflg = true; + break; + #ifdef WITH_SELINUX + case 'Z': +@@ -1031,9 +1033,11 @@ int main (int argc, char **argv) + * Start with a quick check to see if the user exists. + */ + user_name = argv[argc - 1]; ++ open_files (); ++ + { +- struct passwd *pwd; +- pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ ++ const struct passwd *pwd; ++ pwd = pw_locate (user_name); /* we care only about local users */ + if (NULL == pwd) { + fprintf (stderr, _("%s: user '%s' does not exist\n"), + Prog, user_name); +@@ -1043,7 +1047,7 @@ int main (int argc, char **argv) + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + user_id = pwd->pw_uid; + user_gid = pwd->pw_gid; +@@ -1051,7 +1055,7 @@ int main (int argc, char **argv) + } + #ifdef WITH_TCB + if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif /* WITH_TCB */ + #ifdef USE_NIS +@@ -1071,7 +1075,7 @@ int main (int argc, char **argv) + _("%s: %s is the NIS master\n"), + Prog, nis_master); + } +- exit (E_NOTFOUND); ++ fail_exit (E_NOTFOUND); + } + #endif /* USE_NIS */ + /* +@@ -1079,7 +1083,7 @@ int main (int argc, char **argv) + * Note: This is a best effort basis. The user may log in between, + * a cron job may be started on her behalf, etc. + */ +- if (user_busy (user_name, user_id) != 0) { ++ if (!Rflg && user_busy (user_name, user_id) != 0) { + if (!fflg) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +@@ -1087,15 +1091,14 @@ int main (int argc, char **argv) + user_name, AUDIT_NO_ID, + SHADOW_AUDIT_FAILURE); + #endif /* WITH_AUDIT */ +- exit (E_USER_BUSY); ++ fail_exit (E_USER_BUSY); + } + } + + /* +- * Do the hard stuff - open the files, create the user entries, ++ * Do the hard stuff - create the user entries, + * create the home directory, then close and update the files. + */ +- open_files (); + update_user (); + update_groups (); + diff --git a/shadow-utils.spec b/shadow-utils.spec index 4b030dd..32f70ce 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -29,6 +29,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch +Patch31: shadow-4.5-userdel-chroot.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -78,6 +79,7 @@ are used for managing group accounts. %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm %patch30 -p1 -b .grouplist +%patch31 -p1 -b .userdel-chroot iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -116,7 +118,6 @@ install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser -#ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8 @@ -234,6 +235,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 +- fix userdel in chroot (#1316168) +- add useful chage -E example to chage manpage + * Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5 - do not allow "." and ".." user names From 95d0ea68802bd99efcc45e42c992cc483153e22e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 6 Nov 2017 15:31:26 +0100 Subject: [PATCH 17/31] fix regression caused by the userdel-chroot patch (#1509978) --- shadow-4.5-userdel-chroot.patch | 62 +++++++-------------------------- shadow-utils.spec | 5 ++- 2 files changed, 17 insertions(+), 50 deletions(-) diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch index e5cf287..37700c3 100644 --- a/shadow-4.5-userdel-chroot.patch +++ b/shadow-4.5-userdel-chroot.patch @@ -1,6 +1,6 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-02 10:19:11.886588281 +0100 -+++ shadow-4.5/lib/selinux.c 2017-11-02 11:38:32.029906306 +0100 +--- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-06 13:40:41.396131526 +0100 ++++ shadow-4.5/lib/selinux.c 2017-11-06 13:40:41.418132035 +0100 @@ -75,7 +75,7 @@ int set_selinux_file_context (const char } return 0; @@ -20,8 +20,8 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c } } diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c ---- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-02 10:19:11.899588578 +0100 -+++ shadow-4.5/src/userdel.c 2017-11-02 11:16:07.437048450 +0100 +--- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-06 13:40:41.410131850 +0100 ++++ shadow-4.5/src/userdel.c 2017-11-06 15:26:56.567954410 +0100 @@ -96,6 +96,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; @@ -38,48 +38,30 @@ diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c break; #ifdef WITH_SELINUX case 'Z': -@@ -1031,9 +1033,11 @@ int main (int argc, char **argv) - * Start with a quick check to see if the user exists. +@@ -1032,9 +1034,12 @@ int main (int argc, char **argv) */ user_name = argv[argc - 1]; -+ open_files (); -+ { - struct passwd *pwd; - pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ + const struct passwd *pwd; ++ ++ pw_open(O_RDONLY); + pwd = pw_locate (user_name); /* we care only about local users */ if (NULL == pwd) { ++ pw_close(); fprintf (stderr, _("%s: user '%s' does not exist\n"), Prog, user_name); -@@ -1043,7 +1047,7 @@ int main (int argc, char **argv) - user_name, AUDIT_NO_ID, - SHADOW_AUDIT_FAILURE); - #endif /* WITH_AUDIT */ -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } + #ifdef WITH_AUDIT +@@ -1048,6 +1053,7 @@ int main (int argc, char **argv) user_id = pwd->pw_uid; user_gid = pwd->pw_gid; -@@ -1051,7 +1055,7 @@ int main (int argc, char **argv) + user_home = xstrdup (pwd->pw_dir); ++ pw_close(); } #ifdef WITH_TCB if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } - #endif /* WITH_TCB */ - #ifdef USE_NIS -@@ -1071,7 +1075,7 @@ int main (int argc, char **argv) - _("%s: %s is the NIS master\n"), - Prog, nis_master); - } -- exit (E_NOTFOUND); -+ fail_exit (E_NOTFOUND); - } - #endif /* USE_NIS */ - /* -@@ -1079,7 +1083,7 @@ int main (int argc, char **argv) +@@ -1079,7 +1085,7 @@ int main (int argc, char **argv) * Note: This is a best effort basis. The user may log in between, * a cron job may be started on her behalf, etc. */ @@ -88,21 +70,3 @@ diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, -@@ -1087,15 +1091,14 @@ int main (int argc, char **argv) - user_name, AUDIT_NO_ID, - SHADOW_AUDIT_FAILURE); - #endif /* WITH_AUDIT */ -- exit (E_USER_BUSY); -+ fail_exit (E_USER_BUSY); - } - } - - /* -- * Do the hard stuff - open the files, create the user entries, -+ * Do the hard stuff - create the user entries, - * create the home directory, then close and update the files. - */ -- open_files (); - update_user (); - update_groups (); - diff --git a/shadow-utils.spec b/shadow-utils.spec index 32f70ce..feb6499 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -235,6 +235,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 +- fix regression caused by the userdel-chroot patch (#1509978) + * Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6 - fix userdel in chroot (#1316168) - add useful chage -E example to chage manpage From a6650f241ccb63c9b4fe23cddb585d536a5bb0cf Mon Sep 17 00:00:00 2001 From: esakaiev Date: Fri, 5 Jan 2018 20:39:59 +0200 Subject: [PATCH 18/31] Adding tests to the new_tests branch --- tests/sanity/Makefile | 77 +++ tests/sanity/PURPOSE | 10 + tests/sanity/runtest.sh | 24 + tests/sanity/sanity_test.py | 1013 +++++++++++++++++++++++++++++++++++ tests/tests.yml | 13 + 5 files changed, 1137 insertions(+) create mode 100644 tests/sanity/Makefile create mode 100644 tests/sanity/PURPOSE create mode 100755 tests/sanity/runtest.sh create mode 100755 tests/sanity/sanity_test.py create mode 100644 tests/tests.yml diff --git a/tests/sanity/Makefile b/tests/sanity/Makefile new file mode 100644 index 0000000..386221b --- /dev/null +++ b/tests/sanity/Makefile @@ -0,0 +1,77 @@ +# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material +# is made available to anyone wishing to use, modify, copy, or +# redistribute it subject to the terms and conditions of the GNU General +# Public License v.2. +# +# This program is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# Author: Jakub Hrozek + +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# +# Example Makefile for RHTS # +# This example is geared towards a test for a specific package # +# It does most of the work for you, but may require further coding # +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# + +# The toplevel namespace within which the test lives. +TOPLEVEL_NAMESPACE=CoreOS + +# The name of the package under test: +PACKAGE_NAME=shadow-utils + +# The path of the test below the package: +RELATIVE_PATH=sanity + +# Version of the Test. Used with make tag. +export TESTVERSION=1.1 + +# The combined namespace of the test. +export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH) + +# A phony target is one that is not really the name of a file. +# It is just a name for some commands to be executed when you +# make an explicit request. There are two reasons to use a +# phony target: to avoid a conflict with a file of the same +# name, and to improve performance. +.PHONY: all install download clean + +# Executables to be built should be added here, they will be generated on the system under test. +BUILT_FILES= + +# Data files, .c files, scripts anything needed to either compile the test and/or run it. +FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x ./sanity_test.py + chmod a+x ./runtest.sh + +clean: + rm -f *~ *.rpm $(BUILT_FILES) + +# Include Common Makefile +include /usr/share/rhts/lib/rhts-make.include + +# Generate the testinfo.desc here: +$(METADATA): Makefile + @touch $(METADATA) + @echo "Owner: Jakub Hrozek " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "License: GNU GPL" >> $(METADATA) + @echo "Description: Basic sanity test for shadow-utils" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: $(PACKAGE_NAME)" >> $(METADATA) + @echo "Requires: $(PACKAGE_NAME)" >> $(METADATA) + @echo "Requires: python" >> $(METADATA) + rhts-lint $(METADATA) + diff --git a/tests/sanity/PURPOSE b/tests/sanity/PURPOSE new file mode 100644 index 0000000..27062e1 --- /dev/null +++ b/tests/sanity/PURPOSE @@ -0,0 +1,10 @@ +This is a basic sanity test for the shadow-utils package. It is implemented +in python on top of the unittesting.py module. + +Its purpose is to ensure that the binaries in the shadow-utils package behave +as expected and its switches/options work correctly. + +For the most part, every binary in the shadow-utils package is represented by +a single class named Test, i.e. TestUsermod etc. There are some +exceptions, like TestUseraddWeirdNameTest though. + diff --git a/tests/sanity/runtest.sh b/tests/sanity/runtest.sh new file mode 100755 index 0000000..cb2a2b5 --- /dev/null +++ b/tests/sanity/runtest.sh @@ -0,0 +1,24 @@ +#!/bin/bash +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +rlJournalStart +rlFileBackup --clean /etc/default/useradd- /etc/default/useradd +setenforce 0 +python sanity_test.py -v +setenforce 1 +rlFileRestore + +EXIT=$? +if [[ $EXIT -eq 0 ]]; then + RESULT="PASS" +else + RESULT="FAIL" +fi + + +rlJournalEnd + +echo "Result: $RESULT" +echo "Exit: $EXIT" +report_result $TEST $RESULT $EXIT diff --git a/tests/sanity/sanity_test.py b/tests/sanity/sanity_test.py new file mode 100755 index 0000000..e9c45c2 --- /dev/null +++ b/tests/sanity/sanity_test.py @@ -0,0 +1,1013 @@ +#!/usr/bin/env python +""" +A script that tests functionality of the shadow-utils package. + +Author: Jakub Hrozek, +License: GNU GPL v2 +Date: 2007 + +TODO: + * tests for password aging + * if something fails, print out the command issued for easier debugging + * test long options variants along with the short ones +""" + +import unittest +import pwd +import grp +import commands +import os +import os.path +import sys +import copy +import tempfile +import rpm +import shutil + +from UserDict import UserDict + +class RedHatVersion(object): + def __init__(self, type=None, version=None, release=None): + self.type = type + self.version = version + self.release = release + self.rhel = False + + def __eq__( self, other): + """ + Don't compare if either of the values is None + so we can do comparisons like 'is it fedora?' or 'is it rhel4?' + """ + ok = (self.type == other.type) + if ok == False: return False + + if self.version and other.version: + ok = (self.version == other.version) + if ok == False: return False + + if (self.release == other.release): + ok = (self.release == other.release) + + return ok + + def __ne__( self, other): + return not self.__eq__(other) + + def __get_fedora_info(self, mi): + return [ (h['version'],h['release']) for h in mi ][0] + + def __get_rhel_info(self, mi): + # The rules for RHEL versions are braindead..releases even more + ver_rpm, rel_rpm = [ (h['version'],h['release']) for h in mi ][0] + rhel_versions = { '3AS' : 3, '4AS' : 4, '5Server' : 5, '5Client' : 5, '6' : 6 } + if ver_rpm[:3] == '5.9' or ver_rpm[:1] == '6': # rhel6 prerelease and release hack + rhel_versions[ver_rpm] = 6 + if ver_rpm in rhel_versions.keys(): + return (rhel_versions[ver_rpm], rel_rpm) + + def is_rhel(self): + return self.rhel + + def get_info(self): + """ + Returns a tuple containing (type, version, release) of RHEL or Fedora. + Type is either RHEL or Fedora. + Returns None if it cannot parse the info + """ + + ts = rpm.TransactionSet() + mi = ts.dbMatch() + mi.pattern('name', rpm.RPMMIRE_GLOB, 'redhat-release*') + + if mi: + self.rhel = True + return ('RHEL',) + self.__get_rhel_info(mi) + else: + mi = ts.dbMatch('name','fedora-release') + self.rhel = False + if mi.count() != 0: + return ('Fedora',) + self.__get_fedora_info(mi) + + return None + + +class UserInfo(UserDict): + fields = { "pw_name" : 0, "pw_passwd" : 1, "pw_uid" : 2, "pw_gid" : 3, + "pw_gecos" : 4, "pw_dir" : 5, "pw_shell" : 6 } + + def __init__(self): + UserDict.__init__(self) + for f in UserInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in UserInfo.fields: + self[f] = struct[UserInfo.fields[f]] + + def get_info_uid(self, uid): + self.__parse_info(pwd.getpwuid(uid)) + + def get_info_name(self, name): + try: + self.__parse_info(pwd.getpwnam(name)) + except KeyError: + return None + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. """ + for field in UserInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class GroupInfo(UserDict): + fields = { "gr_name" : 0, "gr_passwd" : 1, + "gr_gid" : 2, "gr_mem" : 3} + + def __init__(self): + UserDict.__init__(self) + for f in GroupInfo.fields: self[f] = None + + def __getitem__(self, key): + return UserDict.__getitem__(self, key) + + def __setitem__(self, key, value): + UserDict.__setitem__(self, key, value) + + def __cmp__(self, other): + return UserDict.__cmp__(self, other) + + def __repr__(self): + return " ; ".join( [ "%s => %s" % (k, v) for k, v in self.data.items() ] ) + + def __parse_info(self, struct): + for f in GroupInfo.fields: + self[f] = struct[GroupInfo.fields[f]] + + def get_info_gid(self, gid): + self.__parse_info(grp.getgrgid(gid)) + + def get_info_name(self, name): + self.__parse_info(grp.getgrnam(name)) + + def lazy_compare(self, pattern): + """ Compare pattern against self. If any field in pattern is set + to None, it is automatically considered equal with the corresponding + field in self. """ + for field in GroupInfo.fields: + if pattern[field] and pattern[field] != self[field]: + return False + + return True + +class LoginDefsParser(UserDict): + "A quick-n-dirty way how to fetch the defaults from /etc/login.defs into a dictionary" + + def __getitem__(self, key): + try: + return UserDict.__getitem__(self, key) + except KeyError: + # if a name-value is not defined in the config file, return defaults + if key == "CREATE_MAIL_SPOOL": + return "yes" + if key == "UMASK": + return "077" + + def __init__(self, path="/etc/login.defs",split=None): + self.path = path + UserDict.__init__(self) + try: + defs = open(path) + except IOError: + print "Could not open the config file %s" % (path) + + for line in defs: + if line.startswith('#'): continue + fields = line.split(split) + if len(fields) != 2: continue # yeah, we're dirty + self.data[fields[0]] = fields[1] + + def serialize(self): + output = open(self.path, "w+") + for k,v in self.data.items(): + output.write("%s=%s" % (k, v)) + + output.write("\n") + output.close() + +class TestUserInfo(unittest.TestCase): + def testLazyCompare(self): + """ (test sanity): Test comparing two UserInfo records """ + a = UserInfo() + a["pw_name"] = "foo" + a["pw_uid"] = 555 + b = copy.deepcopy(a) + c = UserInfo() + + self.assertEqual(a.lazy_compare(b), True) + self.assertEqual(a.lazy_compare(c), True) + + c["pw_name"] = "foo" + c["pw_uid"] = None + self.assertEqual(a.lazy_compare(c), True) + self.assertEqual(c.lazy_compare(a), False) + + c["pw_name"] = "bar" + self.assertNotEqual(a.lazy_compare(c), True) + + def testGetInfoUid(self): + """ (test sanity): Test getting user info based on his UID """ + a = UserInfo() + a.get_info_uid(0) + self.assertEqual(a["pw_name"], "root") + + def testGetInfoName(self): + """ (test sanity): Test getting user info based on his name """ + a = UserInfo() + a.get_info_name("root") + self.assertEqual(a["pw_uid"], 0) + +class ShadowUtilsTestBase: + """ Handy routines """ + def getDefaults(self): + # get the default values for so we can compare against that + (status, defaults_str) = commands.getstatusoutput('useradd -D') + if status != 0: + raise RuntimeError("Could not get the default values for useradd") + return dict([ rec.split("=") for rec in defaults_str.split("\n") ]) + + def getDefaultUserInfo(self, username): + expected = UserInfo() + defaults = self.getDefaults() + + expected["pw_name"] = username + expected["pw_dir"] = defaults["HOME"] + "/" + username + expected["pw_shell"] = defaults["SHELL"] + + return expected + +class TestUseradd(ShadowUtilsTestBase, unittest.TestCase): + def setUp(self): + self.username = "test-shadow-utils-useradd" + + def tearDown(self): + commands.getstatusoutput("userdel -r %s" % (self.username)) + + def testBasicAdd(self): + """ useradd: Tests basic adding of a user """ + expected = self.getDefaultUserInfo(self.username) + + runme = "useradd %s" % (self.username) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user\nIssued command: %s" % (runme)) + + def testExistingUser(self): + """ useradd: Test that user with an existing name cannot be added """ + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(commands.getstatusoutput("useradd %s" % (self.username))[0], 0, "FAIL: User that already exists added") + + def testCustomUID(self): + """ useradd: Adding an user with a specific UID """ + UID = 23456 # FIXME - test for a free UID slot first + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + runme = "useradd %s -u %d" % (self.username, UID) + (status, output) = commands.getstatusoutput(runme) + self.failUnlessEqual(status, 0, "Issued command: %s\n" % (runme) + "Got from useradd: %s\n" % (output)) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific UID\nIssued command: %s" % (runme)) + + def testNegativeUID(self): + """ useradd: Tests that user cannot have a negative UID assigned """ + self.assertNotEqual(commands.getstatusoutput("useradd %s --uid -5" % (self.username))[0], 0, "FAIL: User with UID < 0 added") + + def testCustomExistingUID(self): + """ useradd: Adding a user with a specific existing UID """ + UID = 32112 + + expected = self.getDefaultUserInfo(self.username) + expected["pw_uid"] = UID + + (status_u, output_u) = commands.getstatusoutput("useradd %s -u %d" % (self.username, UID)) + + # must fail without -o flag + (status_u_no_o, output_u_no_o) = commands.getstatusoutput("useradd foo -u %d" % (UID)) + + # must pass with -o flag + (status_o, output_o) = commands.getstatusoutput("useradd foo -u %d -o" % (UID)) + + # clean up + (status, output) = commands.getstatusoutput("userdel -r foo") + + self.failUnlessEqual(status_u, 0, "FAIL: cannot add an user with a specified UID\n"+output_u) + self.assertEqual(status_o, 0, "FAIL: cannot add an user with an existing UID using the -o flag\n"+output_o) + self.failUnlessEqual(status, 0, output) + self.assertNotEqual(status_u_no_o, 0, "FAIL: user with an existing UID added\n"+output_u_no_o) + + def testCustomGID(self): + """ useradd: Adding an user with a specific GID """ + GID = 100 # users group should be everywhere - should we test before? + expected = self.getDefaultUserInfo(self.username) + expected["pw_gid"] = GID + + (status, output) = commands.getstatusoutput("useradd %s -g %d" % (self.username, GID)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific GID") + + def testCustomShell(self): + """ useradd: Adding an user with a specific login shell """ + shell = "/bin/ksh" + expected = self.getDefaultUserInfo(self.username) + expected["pw_shell"] = shell + + (status, output) = commands.getstatusoutput("useradd %s -s %s" % (self.username, shell)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific shell") + + def testCustomHome(self): + """ useradd: Adding an user with a specific home directory """ + home = "/tmp/useradd-test" + os.mkdir(home) + expected = self.getDefaultUserInfo(self.username) + expected["pw_dir"] = home + + (status, output) = commands.getstatusoutput("useradd %s -d %s" % (self.username, home)) + shutil.rmtree(home) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a user with a specific home") + + def testSystemAccount(self): + """ useradd: Adding a system user (UID < UID_MIN from /etc/login.defs) """ + defaults = LoginDefsParser() + + # system account with no home dir + expected = self.getDefaultUserInfo(self.username) + + (status, output) = commands.getstatusoutput("useradd -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(os.path.exists(created["pw_dir"]), False, "FAIL: System user has a home dir created") + self.assertEqual(created["pw_uid"] < defaults['UID_MIN'], True, "FAIL: System user has UID > UID_MIN") + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system user") + + def testAddToMoreGroups(self): + """ useradd: Creating an user that belongs to more than one group """ + (status, output) = commands.getstatusoutput("useradd -G bin %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + gr_bin = GroupInfo() + gr_bin.get_info_name("bin") + self.assertEqual(self.username in gr_bin["gr_mem"], True, "FAIL: User not in supplementary group after usermod -G -a") + + + def testAddWithCommonName(self): + """ useradd: Specifying a comment (user for account name) """ + comment = "zzzzzz" + (status, output) = commands.getstatusoutput("useradd -c %s %s" % (comment, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created["pw_gecos"], comment, "FAIL: failed to create a user with a GECOS comment") + + def testHomePermissions(self): + """ useradd: Check if permissions on newly created home dir match the umask """ + defaults = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + + import stat + perm = os.stat(created["pw_dir"])[stat.ST_MODE] + mode = int(oct(perm & 0777)) + + self.assertEqual(defaults["UMASK"], "077", "FAIL: umask setting is not sane - is %s, should be 077" % (defaults["UMASK"])) + self.assertEqual(int(defaults["UMASK"]) + mode , 777, "FAIL: newly-created home dir does not match the umask") + + def testCreateMailSpool(self): + """ useradd: Check whether the mail spool gets created when told to""" + # set up creating of mail spool + defaults = LoginDefsParser("/etc/default/useradd", split="=") + + create_mail = defaults["CREATE_MAIL_SPOOL"] + defaults["CREATE_MAIL_SPOOL"] = "yes" + defaults.serialize() + + login_defs = LoginDefsParser() + + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # clean up + defaults["CREATE_MAIL_SPOOL"] = create_mail + defaults.serialize() + self.assertEqual(os.path.exists(login_defs["MAIL_DIR"] + "/" + self.username), True, "FAIL: useradd did not create mail spool") + + def testDefaultMailSettings(self): + """ useradd: Check whether the mail spool is on by default""" + defaults = LoginDefsParser("/etc/default/useradd", split="=") + self.assertEqual(defaults["CREATE_MAIL_SPOOL"], "yes\n") + + def testNoLastlog(self): + """ useradd: Check if the -l option prevents from being added to the lastlog """ + pass # FIXME - add some code here + + +class TestUseraddWeirdNameTest(unittest.TestCase, ShadowUtilsTestBase): + """ Tests addition/removal of usernames that have proven to be problematic in the past. + The reason to separate these from the main useradd test suite is to not run the setUp + and tearDown methods """ + + def addAndRemove(self, username, success=True): + expected = self.getDefaultUserInfo(username) + expected["pw_name"] = username + + (status, output) = commands.getstatusoutput("useradd %s" % (username)) + if success: + self.failUnlessEqual(status, 0, output) + else: + self.failIfEqual(status, 0, output) + return True + + created = UserInfo() + created.get_info_name(username) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: TestUseraddWeirdName::addAndRemove - could not add a user") + + # the cleanup method won't help this time + (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) + self.failUnlessEqual(status, 0, output) + + def testNumericName(self): + """ useradd: Test if an user with a purely numerical name can be added (123) """ + return self.addAndRemove("123") + + def testSambaName(self): + """ useradd: Test if an user with a name with a dollar at the end can be added (joepublic$ ) """ + return self.addAndRemove("joepublic$") + + def testDotInName(self): + """ useradd: Test if an user with a name with a dot in it can be added (joe.public ) """ + return self.addAndRemove("joe.public") + + def testAtInName(self): + """ useradd: Test if an user with an '@' in name can be added (joe@public.com) - should fail """ + return self.addAndRemove("joe@public.com", False) + + def testUppercase(self): + """ useradd: Test if an user with UPPERCASE or Uppercase name can be added """ + return self.addAndRemove("JOEPUBLIC") + return self.addAndRemove("Joepublic") + +class TestUseraddDefaultsChange(unittest.TestCase, ShadowUtilsTestBase): + def testDefaultsChange(self): + """ useradd: Test overriding default settings (shell, home dir, group) with a -D option """ + save = self.getDefaults() + + new_defs = dict() + new_defs["SHELL"] = "/bin/ksh" + new_defs["GROUP"] = "1" + new_defs["HOME"] = "/tmp" + + command = "useradd -D -s%s -g%s -b%s" % (new_defs["SHELL"], new_defs["GROUP"], new_defs["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + overriden = self.getDefaults() + [ self.assertEqual(overriden[k], new_defs[k]) for k in new_defs.keys() ] + + command = "useradd -D -s%s -g%s -b%s" % (save["SHELL"], save["GROUP"], save["HOME"]) + (status, output) = commands.getstatusoutput(command) + self.failUnlessEqual(status, 0, output) + + +class TestUserdel(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.username = "test-shadow-utils-userdel" + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def testRemoveUserGroup(self): + """ userdel: test if userdel removes user's group when he's deleted - regression test for #201379 """ + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + # This would fail if we did not have the group removed + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + +class TestUsermod(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.username = "test-shadow-utils-usermod" + (status, output) = commands.getstatusoutput("useradd %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def tearDown(self): + (status, output) = commands.getstatusoutput("userdel -r %s" % (self.username)) + self.failUnlessEqual(status, 0, output) + + def testAppendToSupplementaryGroup(self): + """ usermod: Test if a user can be added to a supplementary group """ + add_group = "additional_group" + (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) + self.failUnlessEqual(status, 0, output) + + (status_mod, output_mod) = commands.getstatusoutput("usermod -a -G %s %s" % (add_group, self.username)) + add_group_info = GroupInfo() + add_group_info.get_info_name(add_group) + (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) + + self.failUnlessEqual(status, 0, output) + self.failUnlessEqual(status_mod, 0, output_mod) + self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") + + + def testAppendToSupplementaryGroupLongOption(self): + """ usermod: Test if a user can be added to a supplementary group via --append rather that -a (regression test for 222540) """ + # this is known to not work on older RHELs - test what we are running + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 5: + print "This test makes sense for RHEL5+" + return + else: + if runs[1] < 6: + print "This test makes sense for Fedora 6+" + return + + type, release, version = RedHatVersion().get_info() + if RedHatVersion().is_rhel(): + if release < 5 or (release == 5 and version < 2): + print "This test makes sense for RHEL 5.2+" + return + + add_group = "additional_group" + (status, output) = commands.getstatusoutput("groupadd %s" % (add_group)) + self.failUnlessEqual(status, 0, output) + + (status_mod, output_mod) = commands.getstatusoutput("usermod --append -G %s %s" % (add_group, self.username)) + add_group_info = GroupInfo() + add_group_info.get_info_name(add_group) + (status, output) = commands.getstatusoutput("groupdel %s" % (add_group)) + + self.failUnlessEqual(status, 0, output) + self.failUnlessEqual(status_mod, 0, output_mod) + self.assertEqual(self.username in add_group_info["gr_mem"], True, "User not in supplementary group after usermod -G --append") + + + def testNameChange(self): + """ usermod: Test if the comment field (used as the Common Name) can be changed """ + new_comment = "zzzzzz" + + (status, output) = commands.getstatusoutput("usermod -c %s %s" % (new_comment, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + + self.assertEqual(created["pw_gecos"], new_comment) + + def testHomeChange(self): + """ usermod: Test if user's home directory can be changed """ + new_home = "/tmp" + created = UserInfo() + created.get_info_name(self.username) + old_home = created["pw_dir"] + + (status, output) = commands.getstatusoutput("usermod -d %s %s" % (new_home, self.username)) + self.failUnlessEqual(status, 0, output) + + created.get_info_name(self.username) + self.assertEqual(created["pw_dir"], new_home) + + # revert to old home so we can userdel -r in tearDown + (status, output) = commands.getstatusoutput("usermod -d %s %s" % (old_home, self.username)) + self.failUnlessEqual(status, 0, output) + + # FIXME - test if contents of /home directories are transferred with the -m option + # FIXME - test if new home is created if does not exist before + + def testGIDChange(self): + """ usermod: Test if user's gid can be changed. """ + new_group = "root" + # test non-existing group + (status_fail, output_fail) = commands.getstatusoutput("usermod -g no-such-group %s" % (self.username)) + (status, output) = commands.getstatusoutput("usermod -g %s %s" % (new_group, self.username)) + + created = UserInfo() + created.get_info_name(self.username) + + left = GroupInfo() + if left.get_info_name(self.username) == None: + (status_del, output_del) = commands.getstatusoutput("groupdel %s" % (self.username)) + self.failUnlessEqual(status_del, 0, output_del) + + self.failIfEqual(status_fail, 0, output_fail) + self.failUnlessEqual(status, 0, output) + self.assertEqual(created["pw_gid"], 0) #0 is root group + + def testLoginChange(self): + """ usermod: Test if user's login can be changed """ + new_login = "usermod-login-change" + user = UserInfo() + user.get_info_name(self.username) + uid = user["pw_uid"] # UID won't change even when login does + + # test changing to an existing user name + (status, output) = commands.getstatusoutput("usermod -l root %s" % (self.username)) + self.failIfEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("usermod -l %s %s" % (new_login, self.username)) + self.failUnlessEqual(status, 0, output) + user.get_info_name(new_login) + self.assertEqual(user["pw_uid"], uid) + + # revert so we can userdel -r on tearDown + (status, output) = commands.getstatusoutput("usermod -l %s %s" % (self.username, new_login)) + self.failUnlessEqual(status, 0, output) + + def testShellChange(self): + """ usermod: Test if user's shell can be changed """ + new_shell = "/bin/sh" + + (status, output) = commands.getstatusoutput("usermod -s %s %s" % (new_shell, self.username)) + self.failUnlessEqual(status, 0, output) + + created = UserInfo() + created.get_info_name(self.username) + self.assertEqual(created["pw_shell"], new_shell) + +class TestGroupadd(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.groupname = "test-shadow-utils-groups" + + def tearDown(self): + commands.getstatusoutput("groupdel %s" % (self.groupname)) + + def testAddGroup(self): + """ groupadd: Basic adding of a group """ + + expected = GroupInfo() + expected["gr_name"] = self.groupname + + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a group") + + def testAddSystemGroup(self): + """ groupadd: Adding a system group with gid < MIN_GID """ + + expected = GroupInfo() + expected["gr_name"] = self.groupname + defaults = LoginDefsParser() + + (status, output) = commands.getstatusoutput("groupadd -r %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created["gr_gid"] < defaults["GID_MIN"], True, "FAIL: System group has gid >= GID_MIN") + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not add a system group") + + def testAddExistingGid(self): + """ groupadd: Test if we group with an existing GID can be added """ + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + gname = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + # no -o option -> this should fail + (status, output) = commands.getstatusoutput("groupadd -g%s %s" % (created["gr_gid"], gname)) + self.failIfEqual(status, 0, output) + + # override with -o option, should pass now + (status, output) = commands.getstatusoutput("groupadd -g%s -o %s" % (created["gr_gid"], gname)) + self.failUnlessEqual(status, 0, output) + + # test if the new GID is really the same + same_gid = GroupInfo() + same_gid.get_info_name(gname) + self.assertEqual(same_gid["gr_gid"], created["gr_gid"]) + + # clean up + (status, output) = commands.getstatusoutput("groupdel %s" % (gname)) + self.failUnlessEqual(status, 0, output) + + + def testOverrideDefaults(self): + """ groupadd: Test if the defaults can be overriden with the -K option """ + # this is known to not work on older RHELs - test what we are running + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 5: + print "This test makes sense for RHEL5+" + return + else: + if runs[1] < 6: + print "This test makes sense for Fedora 6+" + return + + + GID_MIN = 600 + GID_MAX = 625 + + (status, output) = commands.getstatusoutput("groupadd -K GID_MIN=%d -K GID_MAX=%d %s" % + (GID_MIN, GID_MAX, self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(GID_MIN <= created["gr_gid"] <= GID_MAX, True, "FAIL: created an user with UID of %d" % (created["gr_gid"])) + + + def testFOption(self): + """ groupadd: Tests the -f option of groupadd """ + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("groupadd -f %s" % (self.groupname)) + self.assertEqual(status, 0, output) + +class TestGroupaddInvalidName(unittest.TestCase, ShadowUtilsTestBase): + def testGroupaddInvalidName(self): + """ groupadd: Test adding of a group with an invalid name """ + (status, output) = commands.getstatusoutput("groupadd foo?") + self.assertNotEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffggg") #33 chars + self.assertNotEqual(status, 0, output) + +class TestGroupaddValidName(unittest.TestCase, ShadowUtilsTestBase): + def testGroupaddValidName(self): + """ groupadd: Test adding and removing of groups with maximal valid name and name ending with $ """ + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupadd aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffgg") #32 chars + self.assertEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel aaaaabbbbbcccccdddddeeeeefffffg\$") #32 chars + self.assertEqual(status, 0, output) + + +class TestGroupmod(unittest.TestCase, ShadowUtilsTestBase): + def setUp(self): + self.groupname = "test-shadow-utils-groups" + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + + def tearDown(self): + commands.getstatusoutput("groupdel %s" % (self.groupname)) + + def testChangeGID(self): + """ groupmod: Test changing a gid of a group """ + expected = GroupInfo() + expected["gr_name"] = self.groupname + expected["gr_gid"] = 54321 + + (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (expected["gr_gid"], self.groupname)) + self.failUnlessEqual(status, 0, output) + + created = GroupInfo() + created.get_info_name(self.groupname) + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group") + + def testChangeGIDToExistingValue(self): + """ groupmod: Test changing GID to an existing value """ + second_name = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + expected = GroupInfo() + expected["gr_name"] = self.groupname + expected["gr_gid"] = created["gr_gid"] + + (status, output) = commands.getstatusoutput("groupadd %s" % (second_name)) + self.failUnlessEqual(status, 0, output) + + # try to assingn GID of the first group to the second - this should fail without the -o option + (status, output) = commands.getstatusoutput("groupmod -g%d %s" % (created["gr_gid"], second_name)) + self.failIfEqual(status, 0, output) + + # should pass with the -o option + (status, output) = commands.getstatusoutput("groupmod -g%d -o %s" % (created["gr_gid"], second_name)) + self.failUnlessEqual(status, 0, output) + + self.assertEqual(created.lazy_compare(expected), True, "FAIL: Could not change GID of an existing group to an existing one") + + # clean up + commands.getstatusoutput("groupdel %s" % (second_name)) + self.failUnlessEqual(status, 0, output) + + def testChangeGroupName(self): + """ groupmod: Test changing a group's name """ + second_name = "%s-2" % (self.groupname) + + created = GroupInfo() + created.get_info_name(self.groupname) + + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (second_name, self.groupname)) + self.failUnlessEqual(status, 0, output) + + changed = GroupInfo() + changed.get_info_gid(created["gr_gid"]) + self.assertEqual(changed["gr_name"], second_name) + self.assertEqual(changed["gr_gid"], created["gr_gid"]) + + # change back, so the group could be deleted by tearDown + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (self.groupname, second_name)) + self.failUnlessEqual(status, 0, output) + + def testChangeGroupNameExisting(self): + """ groupmod: Test changing a group's name to an existing one """ + existing = "bin" + (status, output) = commands.getstatusoutput("groupmod -n%s %s" % (existing, self.groupname)) + self.assertNotEqual(status, 0, output) # man groupmod -> 9: group name already in use + + def testChangeNonExistingGroup(self): + """ groupmod: Test properties of a non-existing group """ + nonexistent = "foobar" + (status, output) = commands.getstatusoutput("groupmod -nspameggs %s" % (nonexistent)) + self.assertNotEqual(status, 0, status) # man groupmod -> 6: specified group doesn't exist + +class TestGroupdel(unittest.TestCase, ShadowUtilsTestBase): + def testCorrectGroupdel(self): + """ groupdel: Basic usage of groupdel """ + self.groupname = "test-shadow-utils-groups" + (status, output) = commands.getstatusoutput("groupadd %s" % (self.groupname)) + self.failUnlessEqual(status, 0, output) + (status, output) = commands.getstatusoutput("groupdel %s" % (self.groupname)) + self.assertEqual(status, 0, output) + + def testGroupdelNoSuchGroup(self): + """ groupdel: Remove non-existing group """ + (status, output) = commands.getstatusoutput("groupdel foobar") + self.assertNotEqual(status, 0, output) + + def testRemovePrimaryGroup(self): + """ groupdel: Remove a primary group of an user """ + username = "test-groupdel-primary" + (status, output) = commands.getstatusoutput("useradd %s" % (username)) + self.failUnlessEqual(status, 0, output) + + (status, output) = commands.getstatusoutput("groupdel %s" % (username)) + self.assertNotEqual(status, 0, output) + + # clean up + (status, output) = commands.getstatusoutput("userdel -r %s" % (username)) + self.failUnlessEqual(status, 0, output) + +class TestPwckGrpck(unittest.TestCase): + def setUp(self): + self.passwd_path = tempfile.mktemp(suffix="test-pwck-passwd") + self.passwd_file = open(self.passwd_path, "w") + self.group_path = tempfile.mktemp(suffix="test-pwck-grp") + self.group_file = open(self.group_path, "w") + self.gshadow_path = tempfile.mktemp(suffix="test-pwck-gshadow") + self.gshadow_file = open(self.gshadow_path, "w") + + def tearDown(self): + self.passwd_file.close() + self.group_file.close() + self.gshadow_file.close() + + os.remove(self.passwd_path) + os.remove(self.group_path) + os.remove(self.gshadow_path) + + def runPwckCheck(self, passwd, group): + self.passwd_file.truncate() + self.group_file.truncate() + + self.passwd_file.write(passwd) + self.passwd_file.flush() + self.group_file.write(group) + self.group_file.flush() + + command = "pwck -r %s %s" % (self.passwd_path, self.group_path) + return commands.getstatusoutput(command) + + def runGrpCheck(self, group, gshadow): + self.group_file.truncate() + self.gshadow_file.truncate() + + self.gshadow_file.write(gshadow) + self.gshadow_file.flush() + + self.group_file.write(group) + self.group_file.flush() + + command = "grpck -r %s %s" % (self.group_path, self.gshadow_path) + return commands.getstatusoutput(command) + + + def testValidEntries(self): + """ pwck: a valid entry """ + status, output = self.runPwckCheck("foo:x:685:0::/dev/null:/bin/bash", "") + rhv = RedHatVersion() + runs = rhv.get_info() + if rhv.is_rhel(): + if runs[1] < 6: + self.assertEqual(status, 0, output) + else: + self.assertNotEqual(status, 0, output) + + def testNumberOfFields(self): + """ pwck: invalid number of fields in the record """ + not_enough = "foo:x:685:685::/dev/null" + too_many = "foo:x:685:685::/dev/null:/bin/bash:comment" + status, output = self.runPwckCheck(not_enough, "") + self.assertNotEqual(status, 0, output) + + status, output = self.runPwckCheck(too_many, "") + self.assertNotEqual(status, 0, output) + + def testUniqueUserName(self): + """ pwck: unique user name in the record """ + duplicate_username = "foo:x:685:685::/dev/null:/bin/bash\nfoo:x:686:686::/dev/null:/bin/bash" + status, output = self.runPwckCheck(duplicate_username, "") + self.assertNotEqual(status, 0, output) + + def testValidID(self): + """ pwck: invalid UID in the records """ + invalid_ids = [ "foo:x:-1:685::/dev/null:/bin/bash", "foo:x:blah:685::/dev/null:/bin/bash", "foo:x:1234567890:685::/dev/null:/bin/bash" ] + for record in invalid_ids: + status, output = self.runPwckCheck(record, "") + self.assertNotEqual(status, 0, record) + + + def testValidPrimaryGroup(self): + """ pwck: invalid primary group """ + invalid_groups = [ "foo:x:685:-1::/dev/null:/bin/bash", "foo:x:685:blah::/dev/null:/bin/bash", "foo:x:685:1234567890::/dev/null:/bin/bash" ] + for record in invalid_groups: + status, output = self.runPwckCheck("", record) + self.assertNotEqual(status, 0, output) + + def testValidHomeDir(self): + """ pwck: invalid home dir """ + for record in [ "foo:x:685:685::123:/bin/bash", "foo:x:685:685::/path/to/nowhere:/bin/bash", "foo:x:685:1234567890::!:/bin/bash" ]: + status, output = self.runPwckCheck(record, "") + self.assertNotEqual(status, 0, output) + + def testBZ164954(self): + """ grpck: regression test for BZ164954 """ + record = "root:x:0:root\nbin:x:1:root,bin,daemon\ndaemon:x:2:root,bin,daemon\nsys:x:3:root,bin,adm\nadm:x:4:root,adm,daemon" + status, output = self.runGrpCheck("", record) + self.assertNotEqual(status, 0, output) + +if __name__ == "__main__": + broken_on_rhel4 = { "TestUseradd" : [ "testCustomUID", "testCustomGID" ] } + + if os.getuid() != 0: + print "This test must be run as root" + sys.exit(1) + + unittest.main() + diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..09f4769 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,13 @@ +--- +# This first play always runs on the local staging system +- hosts: localhost + roles: + - role: standard-test-beakerlib + tags: + - classic + - atomic + tests: + - sanity + required_packages: + - shadow-utils # sanity test needs shadow-utils + - python # sanity test needs python From 2d4f6e1972db0c808301bf6ce628e46bfbb13008 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 20 Jan 2018 23:08:33 +0100 Subject: [PATCH 19/31] Rebuilt for switch to libxcrypt --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index feb6499..25ccdb1 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -235,6 +235,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Sat Jan 20 2018 Björn Esser - 2:4.5-8 +- Rebuilt for switch to libxcrypt + * Mon Nov 6 2017 Tomáš Mráz - 2:4.5-7 - fix regression caused by the userdel-chroot patch (#1509978) From 41955fa9abba5665b7e3d4668c750dc899e63de0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Tue, 6 Feb 2018 11:33:37 +0100 Subject: [PATCH 20/31] Add patch to include crypt.h, if present Use %%make_{build,install} macros Refresh other patches for proper alignment --- shadow-4.1.5-2ndskip.patch | 14 ++- shadow-4.1.5-redhat.patch | 16 +-- shadow-4.1.5.1-default-range.patch | 7 +- shadow-4.1.5.1-info-parent-dir.patch | 9 +- shadow-4.1.5.1-ingroup.patch | 9 +- shadow-4.1.5.1-logmsg.patch | 9 +- shadow-4.1.5.1-move-home.patch | 9 +- shadow-4.1.5.1-newgrp-grouplist.patch | 13 ++- shadow-4.1.5.1-userdel-helpfix.patch | 9 +- shadow-4.2.1-date-parsing.patch | 7 +- shadow-4.2.1-no-lock-dos.patch | 7 +- shadow-4.2.1-null-tm.patch | 35 +++--- shadow-4.3.1-audit-update.patch | 153 ++++++++++++++------------ shadow-4.3.1-manfix.patch | 51 +++++---- shadow-4.3.1-selinux-perms.patch | 21 ++-- shadow-4.5-crypt_h.patch | 41 +++++++ shadow-4.5-goodname.patch | 21 ++-- shadow-4.5-orig-context.patch | 35 +++--- shadow-4.5-selinux.patch | 14 ++- shadow-4.5-userdel-chroot.patch | 14 ++- shadow-4.5-usermod-unlock.patch | 7 +- shadow-utils.spec | 13 ++- 22 files changed, 307 insertions(+), 207 deletions(-) create mode 100644 shadow-4.5-crypt_h.patch diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch index 8a9cf68..5a8e444 100644 --- a/shadow-4.1.5-2ndskip.patch +++ b/shadow-4.1.5-2ndskip.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c ---- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200 -+++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200 +Index: shadow-4.5/src/grpconv.c +=================================================================== +--- shadow-4.5.orig/src/grpconv.c ++++ shadow-4.5/src/grpconv.c @@ -143,6 +143,7 @@ int main (int argc, char **argv) struct group grent; const struct sgrp *sg; @@ -48,9 +49,10 @@ diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c } /* -diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c ---- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200 -+++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200 +Index: shadow-4.5/src/pwconv.c +=================================================================== +--- shadow-4.5.orig/src/pwconv.c ++++ shadow-4.5/src/pwconv.c @@ -173,6 +173,7 @@ int main (int argc, char **argv) struct passwd pwent; const struct spwd *sp; diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.1.5-redhat.patch index a785b29..ef26cbd 100644 --- a/shadow-4.1.5-redhat.patch +++ b/shadow-4.1.5-redhat.patch @@ -1,8 +1,8 @@ -diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8 -diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c ---- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100 -+++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100 -@@ -93,7 +93,7 @@ const char *Prog; +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -98,7 +98,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; static const char *def_home = "/home"; @@ -11,7 +11,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static const char *def_template = SKEL_DIR; static const char *def_create_mail_spool = "no"; -@@ -103,7 +103,7 @@ static const char *def_expire = ""; +@@ -108,7 +108,7 @@ static const char *def_expire = ""; #define VALID(s) (strcspn (s, ":\n") == strlen (s)) static const char *user_name = ""; @@ -20,7 +20,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha +@@ -1059,9 +1059,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX @@ -32,7 +32,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha +@@ -1212,6 +1212,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch index 45c677a..2a9d640 100644 --- a/shadow-4.1.5.1-default-range.patch +++ b/shadow-4.1.5.1-default-range.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c ---- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100 -+++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200 +Index: shadow-4.5/lib/semanage.c +=================================================================== +--- shadow-4.5.orig/lib/semanage.c ++++ shadow-4.5/lib/semanage.c @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h goto done; } diff --git a/shadow-4.1.5.1-info-parent-dir.patch b/shadow-4.1.5.1-info-parent-dir.patch index b05e5bb..b3a525b 100644 --- a/shadow-4.1.5.1-info-parent-dir.patch +++ b/shadow-4.1.5.1-info-parent-dir.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml ---- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 -+++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 -@@ -216,7 +216,15 @@ +Index: shadow-4.5/man/newusers.8.xml +=================================================================== +--- shadow-4.5.orig/man/newusers.8.xml ++++ shadow-4.5/man/newusers.8.xml +@@ -218,7 +218,15 @@ If this field does not specify an existing directory, the specified directory is created, with ownership set to the diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch index e440431..1c30198 100644 --- a/shadow-4.1.5.1-ingroup.patch +++ b/shadow-4.1.5.1-ingroup.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.ingroup 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2014-08-29 14:04:57.183849650 +0200 +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c @@ -83,15 +83,29 @@ static void usage (void) } } @@ -52,7 +53,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c } endgrent (); return gr; -@@ -616,7 +624,7 @@ int main (int argc, char **argv) +@@ -630,7 +638,7 @@ int main (int argc, char **argv) * groups of the same GID like the requested group for * membership of the current user. */ diff --git a/shadow-4.1.5.1-logmsg.patch b/shadow-4.1.5.1-logmsg.patch index 7d5cbc8..ca7e57b 100644 --- a/shadow-4.1.5.1-logmsg.patch +++ b/shadow-4.1.5.1-logmsg.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 -@@ -275,7 +275,7 @@ static void fail_exit (int code) +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -323,7 +323,7 @@ static void fail_exit (int code) user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch index c87e232..f1790e2 100644 --- a/shadow-4.1.5.1-move-home.patch +++ b/shadow-4.1.5.1-move-home.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c ---- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 -+++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 -@@ -1571,6 +1571,11 @@ static void move_home (void) +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c +@@ -1814,6 +1814,11 @@ static void move_home (void) Prog, user_home, user_newhome); fail_exit (E_HOMEDIR); } diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch index 8fcfd97..47eb6f6 100644 --- a/shadow-4.1.5.1-newgrp-grouplist.patch +++ b/shadow-4.1.5.1-newgrp-grouplist.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c ---- shadow-4.1.5.1/src/newgrp.c.grouplist 2016-06-28 10:23:46.686334213 +0200 -+++ shadow-4.1.5.1/src/newgrp.c 2017-08-14 10:26:58.300757328 +0200 -@@ -382,6 +382,7 @@ int main (int argc, char **argv) +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c +@@ -396,6 +396,7 @@ int main (int argc, char **argv) { bool initflag = false; int i; @@ -9,7 +10,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c bool cflag = false; int err = 0; gid_t gid; -@@ -631,22 +632,36 @@ int main (int argc, char **argv) +@@ -645,22 +646,36 @@ int main (int argc, char **argv) goto failure; } @@ -57,7 +58,7 @@ diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c } #ifdef SHADOWGRP sgrp = getsgnam (group); -@@ -659,7 +674,9 @@ int main (int argc, char **argv) +@@ -673,7 +688,9 @@ int main (int argc, char **argv) /* * Check if the user is allowed to access this group. */ diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch index b79baee..075f482 100644 --- a/shadow-4.1.5.1-userdel-helpfix.patch +++ b/shadow-4.1.5.1-userdel-helpfix.patch @@ -1,7 +1,8 @@ -diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c ---- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 -+++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 -@@ -130,8 +130,9 @@ static void usage (int status) +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c +@@ -143,8 +143,9 @@ static void usage (int status) "\n" "Options:\n"), Prog); diff --git a/shadow-4.2.1-date-parsing.patch b/shadow-4.2.1-date-parsing.patch index 91a85ac..2a798d0 100644 --- a/shadow-4.2.1-date-parsing.patch +++ b/shadow-4.2.1-date-parsing.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y ---- shadow-4.2.1/libmisc/getdate.y.date-parsing 2014-03-01 18:50:05.000000000 +0100 -+++ shadow-4.2.1/libmisc/getdate.y 2014-11-26 14:58:21.208153924 +0100 +Index: shadow-4.5/libmisc/getdate.y +=================================================================== +--- shadow-4.5.orig/libmisc/getdate.y ++++ shadow-4.5/libmisc/getdate.y @@ -152,6 +152,7 @@ static int yyHaveDay; static int yyHaveRel; static int yyHaveTime; diff --git a/shadow-4.2.1-no-lock-dos.patch b/shadow-4.2.1-no-lock-dos.patch index 58fd605..c6873e9 100644 --- a/shadow-4.2.1-no-lock-dos.patch +++ b/shadow-4.2.1-no-lock-dos.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/lib/commonio.c.no-lock-dos shadow-4.2.1/lib/commonio.c ---- shadow-4.2.1/lib/commonio.c.no-lock-dos 2015-08-27 15:09:17.101537812 +0200 -+++ shadow-4.2.1/lib/commonio.c 2015-08-27 15:11:06.643011248 +0200 +Index: shadow-4.5/lib/commonio.c +=================================================================== +--- shadow-4.5.orig/lib/commonio.c ++++ shadow-4.5/lib/commonio.c @@ -140,7 +140,10 @@ static int do_lock_file (const char *fil int retval; char buf[32]; diff --git a/shadow-4.2.1-null-tm.patch b/shadow-4.2.1-null-tm.patch index 15b7720..b1dd1c4 100644 --- a/shadow-4.2.1-null-tm.patch +++ b/shadow-4.2.1-null-tm.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c ---- shadow-4.2.1/src/faillog.c.null-tm 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/faillog.c 2016-06-14 11:30:00.066890251 +0200 +Index: shadow-4.5/src/faillog.c +=================================================================== +--- shadow-4.5.orig/src/faillog.c ++++ shadow-4.5/src/faillog.c @@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s } @@ -18,9 +19,10 @@ diff -up shadow-4.2.1/src/faillog.c.null-tm shadow-4.2.1/src/faillog.c printf ("%-9s %5d %5d ", pw->pw_name, fl.fail_cnt, fl.fail_max); /* FIXME: cp is not defined ifndef HAVE_STRFTIME */ -diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c ---- shadow-4.2.1/src/chage.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/chage.c 2016-06-14 11:18:25.299366908 +0200 +Index: shadow-4.5/src/chage.c +=================================================================== +--- shadow-4.5.orig/src/chage.c ++++ shadow-4.5/src/chage.c @@ -168,6 +168,10 @@ static void date_to_str (char *buf, size struct tm *tp; @@ -32,9 +34,10 @@ diff -up shadow-4.2.1/src/chage.c.null-tm shadow-4.2.1/src/chage.c #ifdef HAVE_STRFTIME (void) strftime (buf, maxsize, "%Y-%m-%d", tp); #else -diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c ---- shadow-4.2.1/src/lastlog.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/lastlog.c 2016-06-14 11:29:39.210423264 +0200 +Index: shadow-4.5/src/lastlog.c +=================================================================== +--- shadow-4.5.orig/src/lastlog.c ++++ shadow-4.5/src/lastlog.c @@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s ll_time = ll.ll_time; @@ -57,9 +60,10 @@ diff -up shadow-4.2.1/src/lastlog.c.null-tm shadow-4.2.1/src/lastlog.c if (ll.ll_time == (time_t) 0) { cp = _("**Never logged in**\0"); -diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c ---- shadow-4.2.1/src/passwd.c.null-tm 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/passwd.c 2016-06-14 11:23:21.028969028 +0200 +Index: shadow-4.5/src/passwd.c +=================================================================== +--- shadow-4.5.orig/src/passwd.c ++++ shadow-4.5/src/passwd.c @@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to struct tm *tm; @@ -70,9 +74,10 @@ diff -up shadow-4.2.1/src/passwd.c.null-tm shadow-4.2.1/src/passwd.c #ifdef HAVE_STRFTIME (void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); #else /* !HAVE_STRFTIME */ -diff -up shadow-4.2.1/src/usermod.c.null-tm shadow-4.2.1/src/usermod.c ---- shadow-4.2.1/src/usermod.c.null-tm 2016-05-27 16:04:00.000000000 +0200 -+++ shadow-4.2.1/src/usermod.c 2016-06-14 11:24:50.974977059 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@ } else { time_t t = (time_t) date; diff --git a/shadow-4.3.1-audit-update.patch b/shadow-4.3.1-audit-update.patch index e708f75..8c72cf3 100644 --- a/shadow-4.3.1-audit-update.patch +++ b/shadow-4.3.1-audit-update.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/audit_help.c ---- shadow-4.3.1/libmisc/audit_help.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/audit_help.c 2016-08-22 17:21:15.442291139 +0200 +Index: shadow-4.5/libmisc/audit_help.c +=================================================================== +--- shadow-4.5.orig/libmisc/audit_help.c ++++ shadow-4.5/libmisc/audit_help.c @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -50,9 +51,10 @@ diff -up shadow-4.3.1/libmisc/audit_help.c.audit-update shadow-4.3.1/libmisc/aud void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/cleanup_group.c ---- shadow-4.3.1/libmisc/cleanup_group.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/cleanup_group.c 2016-08-22 17:21:15.443291142 +0200 +Index: shadow-4.5/libmisc/cleanup_group.c +=================================================================== +--- shadow-4.5.orig/libmisc/cleanup_group.c ++++ shadow-4.5/libmisc/cleanup_group.c @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -131,9 +133,10 @@ diff -up shadow-4.3.1/libmisc/cleanup_group.c.audit-update shadow-4.3.1/libmisc/ SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/cleanup_user.c ---- shadow-4.3.1/libmisc/cleanup_user.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/libmisc/cleanup_user.c 2016-08-22 17:21:15.443291142 +0200 +Index: shadow-4.5/libmisc/cleanup_user.c +=================================================================== +--- shadow-4.5.orig/libmisc/cleanup_user.c ++++ shadow-4.5/libmisc/cleanup_user.c @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -181,10 +184,11 @@ diff -up shadow-4.3.1/libmisc/cleanup_user.c.audit-update shadow-4.3.1/libmisc/c SHADOW_AUDIT_FAILURE); #endif } -diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes.h ---- shadow-4.3.1/lib/prototypes.h.audit-update 2016-08-22 17:21:15.406291044 +0200 -+++ shadow-4.3.1/lib/prototypes.h 2016-08-22 17:21:15.443291142 +0200 -@@ -208,12 +208,21 @@ extern int audit_fd; +Index: shadow-4.5/lib/prototypes.h +=================================================================== +--- shadow-4.5.orig/lib/prototypes.h ++++ shadow-4.5/lib/prototypes.h +@@ -211,12 +211,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ #define AUDIT_NO_ID ((unsigned int) -1) @@ -206,9 +210,10 @@ diff -up shadow-4.3.1/lib/prototypes.h.audit-update shadow-4.3.1/lib/prototypes. void audit_logger_message (const char *message, shadow_audit_result result); #endif -diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c ---- shadow-4.3.1/src/gpasswd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/gpasswd.c 2016-08-22 17:21:15.444291144 +0200 +Index: shadow-4.5/src/gpasswd.c +=================================================================== +--- shadow-4.5.orig/src/gpasswd.c ++++ shadow-4.5/src/gpasswd.c @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -472,9 +477,10 @@ diff -up shadow-4.3.1/src/gpasswd.c.audit-update shadow-4.3.1/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c ---- shadow-4.3.1/src/groupadd.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupadd.c 2016-08-22 17:21:15.444291144 +0200 +Index: shadow-4.5/src/groupadd.c +=================================================================== +--- shadow-4.5.orig/src/groupadd.c ++++ shadow-4.5/src/groupadd.c @@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -650,9 +656,10 @@ diff -up shadow-4.3.1/src/groupadd.c.audit-update shadow-4.3.1/src/groupadd.c } } -diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c ---- shadow-4.3.1/src/groupdel.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupdel.c 2016-08-22 17:21:15.445291147 +0200 +Index: shadow-4.5/src/groupdel.c +=================================================================== +--- shadow-4.5.orig/src/groupdel.c ++++ shadow-4.5/src/groupdel.c @@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -822,9 +829,10 @@ diff -up shadow-4.3.1/src/groupdel.c.audit-update shadow-4.3.1/src/groupdel.c } #endif -diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c ---- shadow-4.3.1/src/groupmod.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/groupmod.c 2016-08-22 17:21:15.445291147 +0200 +Index: shadow-4.5/src/groupmod.c +=================================================================== +--- shadow-4.5.orig/src/groupmod.c ++++ shadow-4.5/src/groupmod.c @@ -438,7 +438,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } @@ -1018,9 +1026,10 @@ diff -up shadow-4.3.1/src/groupmod.c.audit-update shadow-4.3.1/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c ---- shadow-4.3.1/src/chage.c.audit-update 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chage.c 2016-08-22 17:21:15.446291149 +0200 +Index: shadow-4.5/src/chage.c +=================================================================== +--- shadow-4.5.orig/src/chage.c ++++ shadow-4.5/src/chage.c @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1108,9 +1117,10 @@ diff -up shadow-4.3.1/src/chage.c.audit-update shadow-4.3.1/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c ---- shadow-4.3.1/src/newgrp.c.audit-update 2016-08-22 17:21:15.439291131 +0200 -+++ shadow-4.3.1/src/newgrp.c 2016-08-22 17:21:15.446291149 +0200 +Index: shadow-4.5/src/newgrp.c +=================================================================== +--- shadow-4.5.orig/src/newgrp.c ++++ shadow-4.5/src/newgrp.c @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1315,10 +1325,11 @@ diff -up shadow-4.3.1/src/newgrp.c.audit-update shadow-4.3.1/src/newgrp.c } #endif exit (EXIT_FAILURE); -diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c ---- shadow-4.3.1/src/useradd.c.audit-update 2016-08-22 17:21:15.410291055 +0200 -+++ shadow-4.3.1/src/useradd.c 2016-08-22 17:21:15.447291152 +0200 -@@ -222,6 +222,8 @@ static void create_mail (void); +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c +@@ -225,6 +225,8 @@ static void create_mail (void); */ static void fail_exit (int code) { @@ -1327,7 +1338,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c if (home_added) { if (rmdir (user_home) != 0) { fprintf (stderr, -@@ -235,12 +237,6 @@ static void fail_exit (int code) +@@ -238,12 +240,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1340,7 +1351,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -248,12 +244,6 @@ static void fail_exit (int code) +@@ -251,12 +247,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1353,7 +1364,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -261,12 +251,6 @@ static void fail_exit (int code) +@@ -264,12 +254,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1366,7 +1377,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -275,12 +259,6 @@ static void fail_exit (int code) +@@ -278,12 +262,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1379,7 +1390,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -290,12 +268,6 @@ static void fail_exit (int code) +@@ -293,12 +271,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); @@ -1392,7 +1403,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c /* continue */ } } -@@ -303,20 +275,19 @@ static void fail_exit (int code) +@@ -306,20 +278,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1420,7 +1431,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -623,7 +594,7 @@ static int set_defaults (void) +@@ -626,7 +597,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1429,7 +1440,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -893,12 +864,6 @@ static void grp_update (void) +@@ -896,12 +867,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1442,7 +1453,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -912,18 +877,12 @@ static void grp_update (void) +@@ -915,18 +880,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1464,7 +1475,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -968,12 +927,6 @@ static void grp_update (void) +@@ -971,12 +930,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1477,7 +1488,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -987,18 +940,13 @@ static void grp_update (void) +@@ -990,18 +943,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1500,7 +1511,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1341,7 +1289,7 @@ static void process_flags (int argc, cha +@@ -1344,7 +1292,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1509,7 +1520,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1444,7 +1392,7 @@ static void close_files (void) +@@ -1447,7 +1395,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1518,7 +1529,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1457,7 +1405,7 @@ static void close_files (void) +@@ -1460,7 +1408,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1527,7 +1538,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1469,7 +1417,7 @@ static void close_files (void) +@@ -1472,7 +1420,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1536,7 +1547,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1483,7 +1431,7 @@ static void close_files (void) +@@ -1486,7 +1434,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1545,7 +1556,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1499,7 +1447,7 @@ static void close_files (void) +@@ -1502,7 +1450,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1554,7 +1565,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1513,7 +1461,7 @@ static void close_files (void) +@@ -1516,7 +1464,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1563,7 +1574,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1705,7 +1653,7 @@ static void grp_add (void) +@@ -1708,7 +1656,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1572,7 +1583,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1721,7 +1669,7 @@ static void grp_add (void) +@@ -1724,7 +1672,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1581,7 +1592,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1731,7 +1679,7 @@ static void grp_add (void) +@@ -1734,7 +1682,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1590,7 +1601,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1846,12 +1794,6 @@ static void usr_update (void) +@@ -1895,12 +1843,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1603,7 +1614,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1873,7 +1815,7 @@ static void usr_update (void) +@@ -1922,7 +1864,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1612,7 +1623,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1908,12 +1850,6 @@ static void create_home (void) +@@ -1957,12 +1899,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), Prog, user_home); @@ -1625,7 +1636,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_HOMEDIR); } chown (user_home, user_id, user_gid); -@@ -1921,8 +1857,8 @@ static void create_home (void) +@@ -1970,8 +1906,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1636,7 +1647,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2100,12 +2036,6 @@ int main (int argc, char **argv) +@@ -2151,12 +2087,6 @@ int main (int argc, char **argv) */ if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); @@ -1649,7 +1660,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2121,12 +2051,6 @@ int main (int argc, char **argv) +@@ -2172,12 +2102,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1662,7 +1673,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2156,12 +2080,6 @@ int main (int argc, char **argv) +@@ -2207,12 +2131,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1675,7 +1686,7 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2225,9 +2143,10 @@ int main (int argc, char **argv) +@@ -2285,9 +2203,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1689,9 +1700,10 @@ diff -up shadow-4.3.1/src/useradd.c.audit-update shadow-4.3.1/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c ---- shadow-4.3.1/src/userdel.c.audit-update 2016-08-22 17:21:15.418291076 +0200 -+++ shadow-4.3.1/src/userdel.c 2016-08-22 17:21:15.447291152 +0200 +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c @@ -214,9 +214,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ @@ -2019,9 +2031,10 @@ diff -up shadow-4.3.1/src/userdel.c.audit-update shadow-4.3.1/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -diff -up shadow-4.3.1/src/usermod.c.audit-update shadow-4.3.1/src/usermod.c ---- shadow-4.3.1/src/usermod.c.audit-update 2016-08-22 17:21:15.441291136 +0200 -+++ shadow-4.3.1/src/usermod.c 2016-08-22 17:21:15.448291155 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch index 4ca6054..cc62a86 100644 --- a/shadow-4.3.1-manfix.patch +++ b/shadow-4.3.1-manfix.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xml ---- shadow-4.3.1/man/groupmems.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/groupmems.8.xml 2016-08-22 17:08:48.486332066 +0200 +Index: shadow-4.5/man/groupmems.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupmems.8.xml ++++ shadow-4.5/man/groupmems.8.xml @@ -179,20 +179,10 @@ SETUP @@ -25,9 +26,10 @@ diff -up shadow-4.3.1/man/groupmems.8.xml.manfix shadow-4.3.1/man/groupmems.8.xm -diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml ---- shadow-4.3.1/man/chage.1.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/chage.1.xml 2016-08-22 17:08:48.486332066 +0200 +Index: shadow-4.5/man/chage.1.xml +=================================================================== +--- shadow-4.5.orig/man/chage.1.xml ++++ shadow-4.5/man/chage.1.xml @@ -102,6 +102,9 @@ Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format @@ -52,10 +54,11 @@ diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml Passing the number -1 as the EXPIRE_DATE will remove an account expiration date. -diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5 ---- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200 -@@ -147,10 +147,6 @@ 以下の参照表は、 +Index: shadow-4.5/man/ja/man5/login.defs.5 +=================================================================== +--- shadow-4.5.orig/man/ja/man5/login.defs.5 ++++ shadow-4.5/man/ja/man5/login.defs.5 +@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ shadow パスワード機能のどのプログラムが どのパラメータを使用するかを示したものである。 .na @@ -66,9 +69,10 @@ diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/l .IP groupadd 12 GID_MAX GID_MIN .IP newusers 12 -diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5.xml ---- shadow-4.3.1/man/login.defs.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/login.defs.5.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/login.defs.5.xml +=================================================================== +--- shadow-4.5.orig/man/login.defs.5.xml ++++ shadow-4.5/man/login.defs.5.xml @@ -162,6 +162,17 @@ long numeric parameters is machine-dependent. @@ -205,9 +209,10 @@ diff -up shadow-4.3.1/man/login.defs.5.xml.manfix shadow-4.3.1/man/login.defs.5. useradd -diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml ---- shadow-4.3.1/man/shadow.5.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/shadow.5.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/shadow.5.xml +=================================================================== +--- shadow-4.5.orig/man/shadow.5.xml ++++ shadow-4.5/man/shadow.5.xml @@ -208,8 +208,8 @@ @@ -219,9 +224,10 @@ diff -up shadow-4.3.1/man/shadow.5.xml.manfix shadow-4.3.1/man/shadow.5.xml An empty field means that there are no enforcement of an -diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml ---- shadow-4.3.1/man/useradd.8.xml.manfix 2016-08-22 17:08:48.446331961 +0200 -+++ shadow-4.3.1/man/useradd.8.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml @@ -347,6 +347,11 @@ is not enabled, no home directories are created. @@ -234,9 +240,10 @@ diff -up shadow-4.3.1/man/useradd.8.xml.manfix shadow-4.3.1/man/useradd.8.xml -diff -up shadow-4.3.1/man/usermod.8.xml.manfix shadow-4.3.1/man/usermod.8.xml ---- shadow-4.3.1/man/usermod.8.xml.manfix 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/man/usermod.8.xml 2016-08-22 17:08:48.487332069 +0200 +Index: shadow-4.5/man/usermod.8.xml +=================================================================== +--- shadow-4.5.orig/man/usermod.8.xml ++++ shadow-4.5/man/usermod.8.xml @@ -132,7 +132,8 @@ If the option is given, the contents of the current home directory will diff --git a/shadow-4.3.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch index 9469a7e..8550150 100644 --- a/shadow-4.3.1-selinux-perms.patch +++ b/shadow-4.3.1-selinux-perms.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c ---- shadow-4.3.1/src/chgpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chgpasswd.c 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/chgpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chgpasswd.c ++++ shadow-4.5/src/chgpasswd.c @@ -39,6 +39,13 @@ #include #include @@ -147,9 +148,10 @@ diff -up shadow-4.3.1/src/chgpasswd.c.selinux-perms shadow-4.3.1/src/chgpasswd.c /* * The updated group file entry is then put back and will * be written to the group file later, after all the -diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c ---- shadow-4.3.1/src/chpasswd.c.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/chpasswd.c 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/chpasswd.c +=================================================================== +--- shadow-4.5.orig/src/chpasswd.c ++++ shadow-4.5/src/chpasswd.c @@ -39,6 +39,13 @@ #include #include @@ -257,9 +259,10 @@ diff -up shadow-4.3.1/src/chpasswd.c.selinux-perms shadow-4.3.1/src/chpasswd.c /* * The updated password file entry is then put back and will * be written to the password file later, after all the -diff -up shadow-4.3.1/src/Makefile.am.selinux-perms shadow-4.3.1/src/Makefile.am ---- shadow-4.3.1/src/Makefile.am.selinux-perms 2016-08-15 06:00:59.000000000 +0200 -+++ shadow-4.3.1/src/Makefile.am 2016-08-22 17:25:46.825011776 +0200 +Index: shadow-4.5/src/Makefile.am +=================================================================== +--- shadow-4.5.orig/src/Makefile.am ++++ shadow-4.5/src/Makefile.am @@ -87,9 +87,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) diff --git a/shadow-4.5-crypt_h.patch b/shadow-4.5-crypt_h.patch new file mode 100644 index 0000000..c8d19e4 --- /dev/null +++ b/shadow-4.5-crypt_h.patch @@ -0,0 +1,41 @@ +Index: shadow-4.5/configure.ac +=================================================================== +--- shadow-4.5.orig/configure.ac ++++ shadow-4.5/configure.ac +@@ -32,9 +32,9 @@ AC_HEADER_STDC + AC_HEADER_SYS_WAIT + AC_HEADER_STDBOOL + +-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \ +- utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \ +- utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ ++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \ ++ utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \ ++ paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \ + locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \ + attr/error_context.h) + +Index: shadow-4.5/lib/defines.h +=================================================================== +--- shadow-4.5.orig/lib/defines.h ++++ shadow-4.5/lib/defines.h +@@ -4,6 +4,8 @@ + #ifndef _DEFINES_H_ + #define _DEFINES_H_ + ++#include "config.h" ++ + #if HAVE_STDBOOL_H + # include + #else +@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok () + # include + #endif + ++#if HAVE_CRYPT_H ++# include /* crypt(3) may be defined in here */ ++#endif ++ + #if TIME_WITH_SYS_TIME + # include + # include diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch index bf02257..215f658 100644 --- a/shadow-4.5-goodname.patch +++ b/shadow-4.5-goodname.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c ---- shadow-4.5/libmisc/chkname.c.goodname 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/libmisc/chkname.c 2017-09-15 17:06:29.917939977 +0200 +Index: shadow-4.5/libmisc/chkname.c +=================================================================== +--- shadow-4.5.orig/libmisc/chkname.c ++++ shadow-4.5/libmisc/chkname.c @@ -47,27 +47,46 @@ #include "chkname.h" @@ -59,9 +60,10 @@ diff -up shadow-4.5/libmisc/chkname.c.goodname shadow-4.5/libmisc/chkname.c } bool is_valid_user_name (const char *name) -diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml ---- shadow-4.5/man/groupadd.8.xml.goodname 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/man/groupadd.8.xml 2017-08-14 10:27:24.657391521 +0200 +Index: shadow-4.5/man/groupadd.8.xml +=================================================================== +--- shadow-4.5.orig/man/groupadd.8.xml ++++ shadow-4.5/man/groupadd.8.xml @@ -256,12 +256,6 @@ CAVEATS @@ -75,9 +77,10 @@ diff -up shadow-4.5/man/groupadd.8.xml.goodname shadow-4.5/man/groupadd.8.xml Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -diff -up shadow-4.5/man/useradd.8.xml.goodname shadow-4.5/man/useradd.8.xml ---- shadow-4.5/man/useradd.8.xml.goodname 2016-08-15 04:48:14.000000000 +0200 -+++ shadow-4.5/man/useradd.8.xml 2017-08-14 10:27:24.667391382 +0200 +Index: shadow-4.5/man/useradd.8.xml +=================================================================== +--- shadow-4.5.orig/man/useradd.8.xml ++++ shadow-4.5/man/useradd.8.xml @@ -633,12 +633,6 @@ diff --git a/shadow-4.5-orig-context.patch b/shadow-4.5-orig-context.patch index c935658..a1c2235 100644 --- a/shadow-4.5-orig-context.patch +++ b/shadow-4.5-orig-context.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c ---- shadow-4.5/lib/commonio.c.orig-context 2017-05-17 21:19:44.000000000 +0200 -+++ shadow-4.5/lib/commonio.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/commonio.c +=================================================================== +--- shadow-4.5.orig/lib/commonio.c ++++ shadow-4.5/lib/commonio.c @@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); @@ -19,9 +20,10 @@ diff -up shadow-4.5/lib/commonio.c.orig-context shadow-4.5/lib/commonio.c errors++; } #endif -diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c ---- shadow-4.5/libmisc/copydir.c.orig-context 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/libmisc/copydir.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/libmisc/copydir.c +=================================================================== +--- shadow-4.5.orig/libmisc/copydir.c ++++ shadow-4.5/libmisc/copydir.c @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ @@ -58,9 +60,10 @@ diff -up shadow-4.5/libmisc/copydir.c.orig-context shadow-4.5/libmisc/copydir.c return -1; } #endif /* WITH_SELINUX */ -diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h ---- shadow-4.5/lib/prototypes.h.orig-context 2017-05-17 21:19:44.000000000 +0200 -+++ shadow-4.5/lib/prototypes.h 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/prototypes.h +=================================================================== +--- shadow-4.5.orig/lib/prototypes.h ++++ shadow-4.5/lib/prototypes.h @@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ @@ -70,9 +73,10 @@ diff -up shadow-4.5/lib/prototypes.h.orig-context shadow-4.5/lib/prototypes.h extern int reset_selinux_file_context (void); #endif -diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.orig-context 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/selinux.c 2017-07-20 16:47:41.102186239 +0200 +Index: shadow-4.5/lib/selinux.c +=================================================================== +--- shadow-4.5.orig/lib/selinux.c ++++ shadow-4.5/lib/selinux.c @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context @@ -114,9 +118,10 @@ diff -up shadow-4.5/lib/selinux.c.orig-context shadow-4.5/lib/selinux.c } /* -diff -up shadow-4.5/src/useradd.c.orig-context shadow-4.5/src/useradd.c ---- shadow-4.5/src/useradd.c.orig-context 2017-07-20 16:47:41.102186239 +0200 -+++ shadow-4.5/src/useradd.c 2017-07-20 16:50:28.226198387 +0200 +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c @@ -1945,7 +1945,7 @@ static void create_home (void) { if (access (user_home, F_OK) != 0) { diff --git a/shadow-4.5-selinux.patch b/shadow-4.5-selinux.patch index cd190cc..cd1a3b4 100644 --- a/shadow-4.5-selinux.patch +++ b/shadow-4.5-selinux.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c ---- shadow-4.5/lib/semanage.c.selinux 2014-09-01 16:36:40.000000000 +0200 -+++ shadow-4.5/lib/semanage.c 2017-07-20 16:40:49.680297319 +0200 +Index: shadow-4.5/lib/semanage.c +=================================================================== +--- shadow-4.5.orig/lib/semanage.c ++++ shadow-4.5/lib/semanage.c @@ -294,6 +294,9 @@ int set_seuser (const char *login_name, ret = 0; @@ -22,9 +23,10 @@ diff -up shadow-4.5/lib/semanage.c.selinux shadow-4.5/lib/semanage.c done: semanage_handle_destroy (handle); return ret; -diff -up shadow-4.5/src/useradd.c.selinux shadow-4.5/src/useradd.c ---- shadow-4.5/src/useradd.c.selinux 2017-07-20 16:40:49.677297246 +0200 -+++ shadow-4.5/src/useradd.c 2017-07-20 16:44:58.195275331 +0200 +Index: shadow-4.5/src/useradd.c +=================================================================== +--- shadow-4.5.orig/src/useradd.c ++++ shadow-4.5/src/useradd.c @@ -2042,6 +2042,7 @@ static void create_mail (void) */ int main (int argc, char **argv) diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch index 37700c3..7d170fa 100644 --- a/shadow-4.5-userdel-chroot.patch +++ b/shadow-4.5-userdel-chroot.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c ---- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-06 13:40:41.396131526 +0100 -+++ shadow-4.5/lib/selinux.c 2017-11-06 13:40:41.418132035 +0100 +Index: shadow-4.5/lib/selinux.c +=================================================================== +--- shadow-4.5.orig/lib/selinux.c ++++ shadow-4.5/lib/selinux.c @@ -75,7 +75,7 @@ int set_selinux_file_context (const char } return 0; @@ -19,9 +20,10 @@ diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c return 1; } } -diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c ---- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-06 13:40:41.410131850 +0100 -+++ shadow-4.5/src/userdel.c 2017-11-06 15:26:56.567954410 +0100 +Index: shadow-4.5/src/userdel.c +=================================================================== +--- shadow-4.5.orig/src/userdel.c ++++ shadow-4.5/src/userdel.c @@ -96,6 +96,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; diff --git a/shadow-4.5-usermod-unlock.patch b/shadow-4.5-usermod-unlock.patch index d37b4aa..e2d70b5 100644 --- a/shadow-4.5-usermod-unlock.patch +++ b/shadow-4.5-usermod-unlock.patch @@ -1,6 +1,7 @@ -diff -up shadow-4.5/src/usermod.c.unlock shadow-4.5/src/usermod.c ---- shadow-4.5/src/usermod.c.unlock 2017-07-20 16:52:23.641969174 +0200 -+++ shadow-4.5/src/usermod.c 2017-07-20 16:54:08.109477127 +0200 +Index: shadow-4.5/src/usermod.c +=================================================================== +--- shadow-4.5.orig/src/usermod.c ++++ shadow-4.5/src/usermod.c @@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas strcat (buf, pw_pass); pw_pass = buf; diff --git a/shadow-utils.spec b/shadow-utils.spec index 25ccdb1..4d8e3f7 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -30,6 +30,7 @@ Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch Patch31: shadow-4.5-userdel-chroot.patch +Patch32: shadow-4.5-crypt_h.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -80,6 +81,7 @@ are used for managing group accounts. %patch29 -p1 -b .null-tm %patch30 -p1 -b .grouplist %patch31 -p1 -b .userdel-chroot +%patch32 -p1 -b .crypt_h iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -107,11 +109,11 @@ autoreconf --without-libpam \ --disable-shared \ --with-group-name-max-length=32 -make +%make_build %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs +%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd @@ -235,6 +237,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Tue Feb 06 2018 Björn Esser - 2:4.5-9 +- Add patch to include crypt.h, if present +- Use %%make_{build,install} macros +- Refresh other patches for proper alignment + * Sat Jan 20 2018 Björn Esser - 2:4.5-8 - Rebuilt for switch to libxcrypt From eb66bf0ca58367e34d70d32a9409e23b9471bc11 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Wed, 14 Feb 2018 08:49:44 +0100 Subject: [PATCH 21/31] Remove %clean section None of currently supported distributions need that. Last one was EL5 which is EOL for a while. Signed-off-by: Igor Gnatenko --- shadow-utils.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 4d8e3f7..dc69b3f 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -183,9 +183,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do echo "%%lang($lang) $dir/man*/*" >> shadow.lang done -%clean -rm -rf $RPM_BUILD_ROOT - %files -f shadow.lang %defattr(-,root,root) %doc NEWS doc/HOWTO README From 8d62f944dd9b0145014a181f95d1b9aedb25a19b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 1 Mar 2018 13:11:34 +0100 Subject: [PATCH 22/31] Add gcc buildrequires --- shadow-utils.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index dc69b3f..c0020f6 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -34,6 +34,7 @@ Patch32: shadow-4.5-crypt_h.patch License: BSD and GPLv2+ Group: System Environment/Base +BuildRequires: gcc BuildRequires: libselinux-devel >= 1.25.2-1 BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel From 4cb5077b6837710a35e77801194b4e6e5ed50a7a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 20 Apr 2018 16:23:31 +0200 Subject: [PATCH 23/31] Raise limit for passwd and shadow entry length - also prevent writing longer entries (#1422497) --- shadow-4.5-long-entry.patch | 84 +++++++++++++++++++++++++++++++++++++ shadow-utils.spec | 8 +++- 2 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 shadow-4.5-long-entry.patch diff --git a/shadow-4.5-long-entry.patch b/shadow-4.5-long-entry.patch new file mode 100644 index 0000000..8670e75 --- /dev/null +++ b/shadow-4.5-long-entry.patch @@ -0,0 +1,84 @@ +diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h +--- shadow-4.5/lib/defines.h.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/defines.h 2018-04-20 11:53:07.419308212 +0200 +@@ -382,4 +382,7 @@ extern char *strerror (); + # endif + #endif + ++/* Maximum length of passwd entry */ ++#define PASSWD_ENTRY_MAX_LENGTH 32768 ++ + #endif /* _DEFINES_H_ */ +diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c +--- shadow-4.5/lib/pwio.c.long-entry 2015-11-17 17:45:15.000000000 +0100 ++++ shadow-4.5/lib/pwio.c 2018-04-20 12:10:24.400837235 +0200 +@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, + || (pw->pw_gid == (gid_t)-1) + || (valid_field (pw->pw_gecos, ":\n") == -1) + || (valid_field (pw->pw_dir, ":\n") == -1) +- || (valid_field (pw->pw_shell, ":\n") == -1)) { ++ || (valid_field (pw->pw_shell, ":\n") == -1) ++ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) + ++ strlen (pw->pw_gecos) + strlen (pw->pw_dir) + ++ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) { + return -1; + } + +diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c +--- shadow-4.5/lib/sgetpwent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/sgetpwent.c 2018-04-20 12:16:31.911513808 +0200 +@@ -57,7 +57,7 @@ + struct passwd *sgetpwent (const char *buf) + { + static struct passwd pwent; +- static char pwdbuf[1024]; ++ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH]; + register int i; + register char *cp; + char *fields[NFIELDS]; +@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu + * the password structure remain valid. + */ + +- if (strlen (buf) >= sizeof pwdbuf) ++ if (strlen (buf) >= sizeof pwdbuf) { ++ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n"); + return 0; /* fail if too long */ ++ } + strcpy (pwdbuf, buf); + + /* +diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c +--- shadow-4.5/lib/sgetspent.c.long-entry 2014-09-01 16:36:40.000000000 +0200 ++++ shadow-4.5/lib/sgetspent.c 2018-04-20 12:16:54.505056257 +0200 +@@ -48,7 +48,7 @@ + */ + struct spwd *sgetspent (const char *string) + { +- static char spwbuf[1024]; ++ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH]; + static struct spwd spwd; + char *fields[FIELDS]; + char *cp; +@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri + */ + + if (strlen (string) >= sizeof spwbuf) { ++ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n"); + return 0; /* fail if too long */ + } + strcpy (spwbuf, string); +diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c +--- shadow-4.5/lib/shadowio.c.long-entry 2016-12-07 06:30:41.000000001 +0100 ++++ shadow-4.5/lib/shadowio.c 2018-04-20 12:12:03.292171667 +0200 +@@ -79,7 +79,9 @@ static int shadow_put (const void *ent, + + if ( (NULL == sp) + || (valid_field (sp->sp_namp, ":\n") == -1) +- || (valid_field (sp->sp_pwdp, ":\n") == -1)) { ++ || (valid_field (sp->sp_pwdp, ":\n") == -1) ++ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) + ++ 1000 > PASSWD_ENTRY_MAX_LENGTH)) { + return -1; + } + diff --git a/shadow-utils.spec b/shadow-utils.spec index c0020f6..883e02c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.5 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -31,6 +31,7 @@ Patch29: shadow-4.2.1-null-tm.patch Patch30: shadow-4.1.5.1-newgrp-grouplist.patch Patch31: shadow-4.5-userdel-chroot.patch Patch32: shadow-4.5-crypt_h.patch +Patch33: shadow-4.5-long-entry.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -83,6 +84,7 @@ are used for managing group accounts. %patch30 -p1 -b .grouplist %patch31 -p1 -b .userdel-chroot %patch32 -p1 -b .crypt_h +%patch33 -p1 -b .long-entry iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -235,6 +237,10 @@ done %{_mandir}/man8/vigr.8* %changelog +* Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 +- Raise limit for passwd and shadow entry length but also prevent + writing longer entries (#1422497) + * Tue Feb 06 2018 Björn Esser - 2:4.5-9 - Add patch to include crypt.h, if present - Use %%make_{build,install} macros From 38a12ac864a9292512ca74dc0f00b88ef71f371b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 28 May 2018 15:25:08 +0200 Subject: [PATCH 24/31] update to current upstream release 4.6 --- .gitignore | 2 + shadow-4.1.5-2ndskip.patch | 102 ----- shadow-4.1.5.1-ingroup.patch | 64 ---- shadow-4.1.5.1-move-home.patch | 16 - shadow-4.1.5.1-newgrp-grouplist.patch | 71 ---- shadow-4.5-userdel-chroot.patch | 74 ---- ...ate.patch => shadow-4.6-audit-update.patch | 359 +++++++++--------- shadow-4.6-getenforce.patch | 21 + shadow-4.6-move-home.patch | 15 + ...ext.patch => shadow-4.6-orig-context.patch | 49 ++- ....5-redhat.patch => shadow-4.6-redhat.patch | 19 +- ...-selinux.patch => shadow-4.6-selinux.patch | 26 +- shadow-4.6-usermod-crash.patch | 42 ++ shadow-utils.spec | 29 +- sources | 4 +- 15 files changed, 312 insertions(+), 581 deletions(-) delete mode 100644 shadow-4.1.5-2ndskip.patch delete mode 100644 shadow-4.1.5.1-ingroup.patch delete mode 100644 shadow-4.1.5.1-move-home.patch delete mode 100644 shadow-4.1.5.1-newgrp-grouplist.patch delete mode 100644 shadow-4.5-userdel-chroot.patch rename shadow-4.3.1-audit-update.patch => shadow-4.6-audit-update.patch (88%) create mode 100644 shadow-4.6-getenforce.patch create mode 100644 shadow-4.6-move-home.patch rename shadow-4.5-orig-context.patch => shadow-4.6-orig-context.patch (65%) rename shadow-4.1.5-redhat.patch => shadow-4.6-redhat.patch (60%) rename shadow-4.5-selinux.patch => shadow-4.6-selinux.patch (75%) create mode 100644 shadow-4.6-usermod-crash.patch diff --git a/.gitignore b/.gitignore index d1e7d76..3b04b1e 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,5 @@ shadow-4.1.4.2.tar.bz2 /shadow-4.3.1.tar.gz /shadow-4.5.tar.xz /shadow-4.5.tar.xz.asc +/shadow-4.6.tar.xz +/shadow-4.6.tar.xz.asc diff --git a/shadow-4.1.5-2ndskip.patch b/shadow-4.1.5-2ndskip.patch deleted file mode 100644 index 5a8e444..0000000 --- a/shadow-4.1.5-2ndskip.patch +++ /dev/null @@ -1,102 +0,0 @@ -Index: shadow-4.5/src/grpconv.c -=================================================================== ---- shadow-4.5.orig/src/grpconv.c -+++ shadow-4.5/src/grpconv.c -@@ -143,6 +143,7 @@ int main (int argc, char **argv) - struct group grent; - const struct sgrp *sg; - struct sgrp sgent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -184,20 +185,25 @@ int main (int argc, char **argv) - * Remove /etc/gshadow entries for groups not in /etc/group. - */ - (void) sgr_rewind (); -- while ((sg = sgr_next ()) != NULL) { -- if (gr_locate (sg->sg_name) != NULL) { -- continue; -- } -- -- if (sgr_remove (sg->sg_name) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... -- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sg->sg_name, sgr_dbname ()); -- fail_exit (3); -+ sg = sgr_next (); -+ np=NULL; -+ while (sg != NULL) { -+ np = strdup(sg->sg_name); -+ sg = sgr_next (); -+ -+ if(gr_locate (np) == NULL) { -+ if (sgr_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, sgr_dbname ()); -+ free(np); -+ fail_exit (3); -+ } - } -+ free(np); - } - - /* -Index: shadow-4.5/src/pwconv.c -=================================================================== ---- shadow-4.5.orig/src/pwconv.c -+++ shadow-4.5/src/pwconv.c -@@ -173,6 +173,7 @@ int main (int argc, char **argv) - struct passwd pwent; - const struct spwd *sp; - struct spwd spent; -+ char *np; - - Prog = Basename (argv[0]); - -@@ -223,20 +224,25 @@ int main (int argc, char **argv) - * Remove /etc/shadow entries for users not in /etc/passwd. - */ - (void) spw_rewind (); -- while ((sp = spw_next ()) != NULL) { -- if (pw_locate (sp->sp_namp) != NULL) { -- continue; -- } -- -- if (spw_remove (sp->sp_namp) == 0) { -- /* -- * This shouldn't happen (the entry exists) but... -- */ -- fprintf (stderr, -- _("%s: cannot remove entry '%s' from %s\n"), -- Prog, sp->sp_namp, spw_dbname ()); -- fail_exit (E_FAILURE); -+ sp = spw_next (); -+ np = NULL; -+ while (sp != NULL) { -+ np = strdup(sp->sp_namp); -+ sp = spw_next (); -+ -+ if (pw_locate (np) == NULL) { -+ if (spw_remove (np) == 0) { -+ /* -+ * This shouldn't happen (the entry exists) but... -+ */ -+ fprintf (stderr, -+ _("%s: cannot remove entry '%s' from %s\n"), -+ Prog, np, spw_dbname ()); -+ free(np); -+ fail_exit (E_FAILURE); -+ } - } -+ free(np); - } - - /* diff --git a/shadow-4.1.5.1-ingroup.patch b/shadow-4.1.5.1-ingroup.patch deleted file mode 100644 index 1c30198..0000000 --- a/shadow-4.1.5.1-ingroup.patch +++ /dev/null @@ -1,64 +0,0 @@ -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c -@@ -83,15 +83,29 @@ static void usage (void) - } - } - -+static bool ingroup(const char *name, struct group *gr) -+{ -+ char **look; -+ bool notfound = true; -+ -+ look = gr->gr_mem; -+ while (*look && notfound) -+ notfound = strcmp (*look++, name); -+ -+ return !notfound; -+} -+ - /* -- * find_matching_group - search all groups of a given group id for -+ * find_matching_group - search all groups of a gr's group id for - * membership of a given username -+ * but check gr itself first - */ --static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid) -+static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr) - { -- struct group *gr; -- char **look; -- bool notfound = true; -+ gid_t gid = gr->gr_gid; -+ -+ if (ingroup(name, gr)) -+ return gr; - - setgrent (); - while ((gr = getgrent ()) != NULL) { -@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc - * A group with matching GID was found. - * Test for membership of 'name'. - */ -- look = gr->gr_mem; -- while ((NULL != *look) && notfound) { -- notfound = (strcmp (*look, name) != 0); -- look++; -- } -- if (!notfound) { -+ if (ingroup(name, gr)) - break; -- } - } - endgrent (); - return gr; -@@ -630,7 +638,7 @@ int main (int argc, char **argv) - * groups of the same GID like the requested group for - * membership of the current user. - */ -- grp = find_matching_group (name, grp->gr_gid); -+ grp = find_matching_group (name, grp); - if (NULL == grp) { - /* - * No matching group found. As we already know that diff --git a/shadow-4.1.5.1-move-home.patch b/shadow-4.1.5.1-move-home.patch deleted file mode 100644 index f1790e2..0000000 --- a/shadow-4.1.5.1-move-home.patch +++ /dev/null @@ -1,16 +0,0 @@ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -1814,6 +1814,11 @@ static void move_home (void) - Prog, user_home, user_newhome); - fail_exit (E_HOMEDIR); - } -+ } else { -+ fprintf (stderr, -+ _("%s: The previous home directory (%s) does " -+ "not exist or is inaccessible. Move cannot be completed.\n"), -+ Prog, user_home); - } - } - diff --git a/shadow-4.1.5.1-newgrp-grouplist.patch b/shadow-4.1.5.1-newgrp-grouplist.patch deleted file mode 100644 index 47eb6f6..0000000 --- a/shadow-4.1.5.1-newgrp-grouplist.patch +++ /dev/null @@ -1,71 +0,0 @@ -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c -@@ -396,6 +396,7 @@ int main (int argc, char **argv) - { - bool initflag = false; - int i; -+ bool is_member = false; - bool cflag = false; - int err = 0; - gid_t gid; -@@ -645,22 +646,36 @@ int main (int argc, char **argv) - goto failure; - } - -+#ifdef HAVE_SETGROUPS -+ /* when using pam_group, she will not be listed in the groups -+ * database. However getgroups() will return the group. So -+ * if she is listed there already it is ok to grant membership. -+ */ -+ for (i = 0; i < ngroups; i++) { -+ if (grp->gr_gid == grouplist[i]) { -+ is_member = true; -+ break; -+ } -+ } -+#endif /* HAVE_SETGROUPS */ - /* - * For splitted groups (due to limitations of NIS), check all - * groups of the same GID like the requested group for - * membership of the current user. - */ -- grp = find_matching_group (name, grp); -- if (NULL == grp) { -- /* -- * No matching group found. As we already know that -- * the group exists, this happens only in the case -- * of a requested group where the user is not member. -- * -- * Re-read the group entry for further processing. -- */ -- grp = xgetgrnam (group); -- assert (NULL != grp); -+ if (!is_member) { -+ grp = find_matching_group (name, grp); -+ if (NULL == grp) { -+ /* -+ * No matching group found. As we already know that -+ * the group exists, this happens only in the case -+ * of a requested group where the user is not member. -+ * -+ * Re-read the group entry for further processing. -+ */ -+ grp = xgetgrnam (group); -+ assert (NULL != grp); -+ } - } - #ifdef SHADOWGRP - sgrp = getsgnam (group); -@@ -673,7 +688,9 @@ int main (int argc, char **argv) - /* - * Check if the user is allowed to access this group. - */ -- check_perms (grp, pwd, group); -+ if (!is_member) { -+ check_perms (grp, pwd, group); -+ } - - /* - * all successful validations pass through this point. The group id diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch deleted file mode 100644 index 7d170fa..0000000 --- a/shadow-4.5-userdel-chroot.patch +++ /dev/null @@ -1,74 +0,0 @@ -Index: shadow-4.5/lib/selinux.c -=================================================================== ---- shadow-4.5.orig/lib/selinux.c -+++ shadow-4.5/lib/selinux.c -@@ -75,7 +75,7 @@ int set_selinux_file_context (const char - } - return 0; - error: -- if (security_getenforce () != 0) { -+ if (security_getenforce () > 0) { - return 1; - } - return 0; -@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) - selinux_checked = true; - } - if (selinux_enabled) { -- if (setfscreatecon (NULL) != 0) { -+ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { - return 1; - } - } -Index: shadow-4.5/src/userdel.c -=================================================================== ---- shadow-4.5.orig/src/userdel.c -+++ shadow-4.5/src/userdel.c -@@ -96,6 +96,7 @@ static char *user_home; - static bool fflg = false; - static bool rflg = false; - static bool Zflg = false; -+static bool Rflg = false; - - static bool is_shadow_pwd; - -@@ -958,6 +959,7 @@ int main (int argc, char **argv) - rflg = true; - break; - case 'R': /* no-op, handled in process_root_flag () */ -+ Rflg = true; - break; - #ifdef WITH_SELINUX - case 'Z': -@@ -1032,9 +1034,12 @@ int main (int argc, char **argv) - */ - user_name = argv[argc - 1]; - { -- struct passwd *pwd; -- pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ -+ const struct passwd *pwd; -+ -+ pw_open(O_RDONLY); -+ pwd = pw_locate (user_name); /* we care only about local users */ - if (NULL == pwd) { -+ pw_close(); - fprintf (stderr, _("%s: user '%s' does not exist\n"), - Prog, user_name); - #ifdef WITH_AUDIT -@@ -1048,6 +1053,7 @@ int main (int argc, char **argv) - user_id = pwd->pw_uid; - user_gid = pwd->pw_gid; - user_home = xstrdup (pwd->pw_dir); -+ pw_close(); - } - #ifdef WITH_TCB - if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { -@@ -1079,7 +1085,7 @@ int main (int argc, char **argv) - * Note: This is a best effort basis. The user may log in between, - * a cron job may be started on her behalf, etc. - */ -- if (user_busy (user_name, user_id) != 0) { -+ if (!Rflg && user_busy (user_name, user_id) != 0) { - if (!fflg) { - #ifdef WITH_AUDIT - audit_logger (AUDIT_DEL_USER, Prog, diff --git a/shadow-4.3.1-audit-update.patch b/shadow-4.6-audit-update.patch similarity index 88% rename from shadow-4.3.1-audit-update.patch rename to shadow-4.6-audit-update.patch index 8c72cf3..b9d0a67 100644 --- a/shadow-4.3.1-audit-update.patch +++ b/shadow-4.6-audit-update.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/libmisc/audit_help.c -=================================================================== ---- shadow-4.5.orig/libmisc/audit_help.c -+++ shadow-4.5/libmisc/audit_help.c +diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_help.c +--- shadow-4.6/libmisc/audit_help.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/audit_help.c 2018-05-28 15:01:09.913717564 +0200 @@ -68,7 +68,7 @@ void audit_help_open (void) * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -51,10 +50,9 @@ Index: shadow-4.5/libmisc/audit_help.c void audit_logger_message (const char *message, shadow_audit_result result) { if (audit_fd < 0) { -Index: shadow-4.5/libmisc/cleanup_group.c -=================================================================== ---- shadow-4.5.orig/libmisc/cleanup_group.c -+++ shadow-4.5/libmisc/cleanup_group.c +diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/cleanup_group.c +--- shadow-4.6/libmisc/cleanup_group.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_group.c 2018-05-28 15:01:09.913717564 +0200 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle gr_dbname (), info->action)); @@ -133,10 +131,9 @@ Index: shadow-4.5/libmisc/cleanup_group.c SHADOW_AUDIT_FAILURE); #endif } -Index: shadow-4.5/libmisc/cleanup_user.c -=================================================================== ---- shadow-4.5.orig/libmisc/cleanup_user.c -+++ shadow-4.5/libmisc/cleanup_user.c +diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/cleanup_user.c +--- shadow-4.6/libmisc/cleanup_user.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/cleanup_user.c 2018-05-28 15:01:09.913717564 +0200 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl pw_dbname (), info->action)); @@ -184,10 +181,9 @@ Index: shadow-4.5/libmisc/cleanup_user.c SHADOW_AUDIT_FAILURE); #endif } -Index: shadow-4.5/lib/prototypes.h -=================================================================== ---- shadow-4.5.orig/lib/prototypes.h -+++ shadow-4.5/lib/prototypes.h +diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.audit-update 2018-05-28 15:01:09.901717309 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 15:01:09.913717564 +0200 @@ -211,12 +211,21 @@ extern int audit_fd; extern void audit_help_open (void); /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ @@ -210,10 +206,9 @@ Index: shadow-4.5/lib/prototypes.h void audit_logger_message (const char *message, shadow_audit_result result); #endif -Index: shadow-4.5/src/gpasswd.c -=================================================================== ---- shadow-4.5.orig/src/gpasswd.c -+++ shadow-4.5/src/gpasswd.c +diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c +--- shadow-4.6/src/gpasswd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/gpasswd.c 2018-05-28 15:01:09.914717585 +0200 @@ -137,7 +137,7 @@ static void usage (int status) (void) fputs (_(" -d, --delete USER remove USER from GROUP\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); @@ -477,11 +472,10 @@ Index: shadow-4.5/src/gpasswd.c SHADOW_AUDIT_SUCCESS); #endif } -Index: shadow-4.5/src/groupadd.c -=================================================================== ---- shadow-4.5.orig/src/groupadd.c -+++ shadow-4.5/src/groupadd.c -@@ -127,6 +127,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c +--- shadow-4.6/src/groupadd.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupadd.c 2018-05-28 15:02:53.137910337 +0200 +@@ -130,6 +130,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -497,7 +491,7 @@ Index: shadow-4.5/src/groupadd.c /* * new_grent - initialize the values in a group file entry * -@@ -210,7 +219,7 @@ static void grp_update (void) +@@ -213,7 +222,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); @@ -506,7 +500,7 @@ Index: shadow-4.5/src/groupadd.c } #ifdef SHADOWGRP /* -@@ -220,7 +229,7 @@ static void grp_update (void) +@@ -223,7 +232,7 @@ static void grp_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); @@ -515,7 +509,7 @@ Index: shadow-4.5/src/groupadd.c } #endif /* SHADOWGRP */ } -@@ -244,7 +253,7 @@ static void check_new_name (void) +@@ -247,7 +256,7 @@ static void check_new_name (void) fprintf (stderr, _("%s: '%s' is not a valid group name\n"), Prog, group_name); @@ -524,7 +518,7 @@ Index: shadow-4.5/src/groupadd.c } /* -@@ -260,11 +269,11 @@ static void close_files (void) +@@ -263,11 +272,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -538,7 +532,7 @@ Index: shadow-4.5/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -282,11 +291,11 @@ static void close_files (void) +@@ -285,11 +294,11 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -553,7 +547,7 @@ Index: shadow-4.5/src/groupadd.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -300,12 +309,6 @@ static void close_files (void) +@@ -303,12 +312,6 @@ static void close_files (void) #endif /* SHADOWGRP */ /* Report success at the system level */ @@ -566,7 +560,7 @@ Index: shadow-4.5/src/groupadd.c SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); -@@ -323,7 +326,7 @@ static void open_files (void) +@@ -326,7 +329,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -575,7 +569,7 @@ Index: shadow-4.5/src/groupadd.c } add_cleanup (cleanup_unlock_group, NULL); -@@ -333,7 +336,7 @@ static void open_files (void) +@@ -336,7 +339,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -584,7 +578,7 @@ Index: shadow-4.5/src/groupadd.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -349,7 +352,7 @@ static void open_files (void) +@@ -352,7 +355,7 @@ static void open_files (void) if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -593,7 +587,7 @@ Index: shadow-4.5/src/groupadd.c } #ifdef SHADOWGRP -@@ -359,7 +362,7 @@ static void open_files (void) +@@ -362,7 +365,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -602,7 +596,7 @@ Index: shadow-4.5/src/groupadd.c } } #endif /* SHADOWGRP */ -@@ -489,7 +492,7 @@ static void check_flags (void) +@@ -495,7 +498,7 @@ static void check_flags (void) fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name); @@ -610,8 +604,8 @@ Index: shadow-4.5/src/groupadd.c + fail_exit (E_NAME_IN_USE); } - if (gflg && (getgrgid (group_id) != NULL)) { -@@ -508,7 +511,7 @@ static void check_flags (void) + if (gflg && (prefix_getgrgid (group_id) != NULL)) { +@@ -514,7 +517,7 @@ static void check_flags (void) fprintf (stderr, _("%s: GID '%lu' already exists\n"), Prog, (unsigned long int) group_id); @@ -620,7 +614,7 @@ Index: shadow-4.5/src/groupadd.c } } } -@@ -536,7 +539,7 @@ static void check_perms (void) +@@ -542,7 +545,7 @@ static void check_perms (void) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -629,7 +623,7 @@ Index: shadow-4.5/src/groupadd.c } retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh); -@@ -556,7 +559,7 @@ static void check_perms (void) +@@ -562,7 +565,7 @@ static void check_perms (void) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -638,7 +632,7 @@ Index: shadow-4.5/src/groupadd.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -588,7 +591,7 @@ int main (int argc, char **argv) +@@ -595,7 +598,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -647,7 +641,7 @@ Index: shadow-4.5/src/groupadd.c } /* -@@ -610,7 +613,7 @@ int main (int argc, char **argv) +@@ -617,7 +620,7 @@ int main (int argc, char **argv) if (!gflg) { if (find_new_gid (rflg, &group_id, NULL) < 0) { @@ -656,11 +650,10 @@ Index: shadow-4.5/src/groupadd.c } } -Index: shadow-4.5/src/groupdel.c -=================================================================== ---- shadow-4.5.orig/src/groupdel.c -+++ shadow-4.5/src/groupdel.c -@@ -102,6 +102,15 @@ static /*@noreturn@*/void usage (int sta +diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c +--- shadow-4.6/src/groupdel.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupdel.c 2018-05-28 15:01:09.914717585 +0200 +@@ -105,6 +105,15 @@ static /*@noreturn@*/void usage (int sta exit (status); } @@ -676,7 +669,7 @@ Index: shadow-4.5/src/groupdel.c /* * grp_update - update group file entries * -@@ -128,7 +137,7 @@ static void grp_update (void) +@@ -131,7 +140,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); @@ -685,7 +678,7 @@ Index: shadow-4.5/src/groupdel.c } #ifdef SHADOWGRP -@@ -140,7 +149,7 @@ static void grp_update (void) +@@ -143,7 +152,7 @@ static void grp_update (void) fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); @@ -694,7 +687,7 @@ Index: shadow-4.5/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -159,12 +168,12 @@ static void close_files (void) +@@ -162,12 +171,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); @@ -709,7 +702,7 @@ Index: shadow-4.5/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -184,12 +193,12 @@ static void close_files (void) +@@ -187,12 +196,12 @@ static void close_files (void) fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); @@ -725,7 +718,7 @@ Index: shadow-4.5/src/groupdel.c group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -203,13 +212,6 @@ static void close_files (void) +@@ -206,13 +215,6 @@ static void close_files (void) } #endif /* SHADOWGRP */ @@ -739,7 +732,7 @@ Index: shadow-4.5/src/groupdel.c SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); del_cleanup (cleanup_report_del_group); } -@@ -226,7 +228,7 @@ static void open_files (void) +@@ -229,7 +231,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -748,7 +741,7 @@ Index: shadow-4.5/src/groupdel.c } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP -@@ -235,7 +237,7 @@ static void open_files (void) +@@ -238,7 +240,7 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -757,7 +750,7 @@ Index: shadow-4.5/src/groupdel.c } add_cleanup (cleanup_unlock_gshadow, NULL); } -@@ -253,7 +255,7 @@ static void open_files (void) +@@ -256,7 +258,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); @@ -766,7 +759,7 @@ Index: shadow-4.5/src/groupdel.c } #ifdef SHADOWGRP if (is_shadow_grp) { -@@ -262,7 +264,7 @@ static void open_files (void) +@@ -265,7 +267,7 @@ static void open_files (void) _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); @@ -775,7 +768,7 @@ Index: shadow-4.5/src/groupdel.c } } #endif /* SHADOWGRP */ -@@ -303,7 +305,7 @@ static void group_busy (gid_t gid) +@@ -306,7 +308,7 @@ static void group_busy (gid_t gid) fprintf (stderr, _("%s: cannot remove the primary group of user '%s'\n"), Prog, pwd->pw_name); @@ -784,7 +777,7 @@ Index: shadow-4.5/src/groupdel.c } /* -@@ -384,7 +386,7 @@ int main (int argc, char **argv) +@@ -391,7 +393,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot setup cleanup service.\n"), Prog); @@ -793,7 +786,7 @@ Index: shadow-4.5/src/groupdel.c } process_flags (argc, argv); -@@ -398,7 +400,7 @@ int main (int argc, char **argv) +@@ -405,7 +407,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); @@ -802,7 +795,7 @@ Index: shadow-4.5/src/groupdel.c } retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); -@@ -419,7 +421,7 @@ int main (int argc, char **argv) +@@ -426,7 +428,7 @@ int main (int argc, char **argv) if (NULL != pamh) { (void) pam_end (pamh, retval); } @@ -811,7 +804,7 @@ Index: shadow-4.5/src/groupdel.c } (void) pam_end (pamh, retval); #endif /* USE_PAM */ -@@ -439,7 +441,7 @@ int main (int argc, char **argv) +@@ -446,7 +448,7 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group '%s' does not exist\n"), Prog, group_name); @@ -820,7 +813,7 @@ Index: shadow-4.5/src/groupdel.c } group_id = grp->gr_gid; -@@ -463,7 +465,7 @@ int main (int argc, char **argv) +@@ -470,7 +472,7 @@ int main (int argc, char **argv) _("%s: %s is the NIS master\n"), Prog, nis_master); } @@ -829,11 +822,10 @@ Index: shadow-4.5/src/groupdel.c } #endif -Index: shadow-4.5/src/groupmod.c -=================================================================== ---- shadow-4.5.orig/src/groupmod.c -+++ shadow-4.5/src/groupmod.c -@@ -438,7 +438,7 @@ static void close_files (void) +diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c +--- shadow-4.6/src/groupmod.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/groupmod.c 2018-05-28 15:01:09.915717607 +0200 +@@ -449,7 +449,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -842,7 +834,7 @@ Index: shadow-4.5/src/groupmod.c info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -461,7 +461,7 @@ static void close_files (void) +@@ -472,7 +472,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -851,7 +843,7 @@ Index: shadow-4.5/src/groupmod.c info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -484,7 +484,7 @@ static void close_files (void) +@@ -495,7 +495,7 @@ static void close_files (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -860,7 +852,7 @@ Index: shadow-4.5/src/groupmod.c info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); -@@ -499,8 +499,8 @@ static void close_files (void) +@@ -510,8 +510,8 @@ static void close_files (void) } #ifdef WITH_AUDIT @@ -871,7 +863,7 @@ Index: shadow-4.5/src/groupmod.c group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -512,6 +512,8 @@ static void close_files (void) +@@ -523,6 +523,8 @@ static void close_files (void) */ static void prepare_failure_reports (void) { @@ -880,7 +872,7 @@ Index: shadow-4.5/src/groupmod.c info_group.name = group_name; #ifdef SHADOWGRP info_gshadow.name = group_name; -@@ -524,76 +526,106 @@ static void prepare_failure_reports (voi +@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi #endif info_passwd.audit_msg = xmalloc (512); @@ -1014,7 +1006,7 @@ Index: shadow-4.5/src/groupmod.c "%lu", (unsigned long int) group_newid); } info_group.audit_msg[511] = '\0'; -@@ -601,6 +633,11 @@ static void prepare_failure_reports (voi +@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi info_gshadow.audit_msg[511] = '\0'; #endif info_passwd.audit_msg[511] = '\0'; @@ -1026,10 +1018,9 @@ Index: shadow-4.5/src/groupmod.c // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); -Index: shadow-4.5/src/chage.c -=================================================================== ---- shadow-4.5.orig/src/chage.c -+++ shadow-4.5/src/chage.c +diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c +--- shadow-4.6/src/chage.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/chage.c 2018-05-28 15:01:09.915717607 +0200 @@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int #ifdef WITH_AUDIT @@ -1117,10 +1108,9 @@ Index: shadow-4.5/src/chage.c user_name, (unsigned int) user_uid, 1); } #endif -Index: shadow-4.5/src/newgrp.c -=================================================================== ---- shadow-4.5.orig/src/newgrp.c -+++ shadow-4.5/src/newgrp.c +diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c +--- shadow-4.6/src/newgrp.c.audit-update 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/newgrp.c 2018-05-28 15:01:09.915717607 +0200 @@ -206,11 +206,12 @@ static void check_perms (const struct gr strcmp (cpasswd, grp->gr_passwd) != 0) { #ifdef WITH_AUDIT @@ -1203,7 +1193,7 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -456,7 +457,7 @@ int main (int argc, char **argv) +@@ -457,7 +458,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL, @@ -1212,7 +1202,7 @@ Index: shadow-4.5/src/newgrp.c #endif SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); -@@ -572,15 +573,26 @@ int main (int argc, char **argv) +@@ -573,15 +574,26 @@ int main (int argc, char **argv) perror ("getgroups"); #ifdef WITH_AUDIT if (group) { @@ -1243,7 +1233,7 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -@@ -721,10 +733,10 @@ int main (int argc, char **argv) +@@ -738,10 +750,10 @@ int main (int argc, char **argv) perror ("setgid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1256,7 +1246,7 @@ Index: shadow-4.5/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -733,10 +745,10 @@ int main (int argc, char **argv) +@@ -750,10 +762,10 @@ int main (int argc, char **argv) perror ("setuid"); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1269,7 +1259,7 @@ Index: shadow-4.5/src/newgrp.c #endif exit (EXIT_FAILURE); } -@@ -750,10 +762,10 @@ int main (int argc, char **argv) +@@ -767,10 +779,10 @@ int main (int argc, char **argv) execl (SHELL, "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT snprintf (audit_buf, sizeof(audit_buf), @@ -1282,7 +1272,7 @@ Index: shadow-4.5/src/newgrp.c #endif perror (SHELL); exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -817,11 +829,11 @@ int main (int argc, char **argv) +@@ -834,11 +846,11 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT @@ -1296,7 +1286,7 @@ Index: shadow-4.5/src/newgrp.c #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -845,15 +857,24 @@ int main (int argc, char **argv) +@@ -862,15 +874,24 @@ int main (int argc, char **argv) closelog (); #ifdef WITH_AUDIT if (NULL != group) { @@ -1325,20 +1315,19 @@ Index: shadow-4.5/src/newgrp.c } #endif exit (EXIT_FAILURE); -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -225,6 +225,8 @@ static void create_mail (void); +diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.audit-update 2018-05-28 15:01:09.903717352 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 15:06:36.824662074 +0200 +@@ -229,6 +229,8 @@ static void create_mail (void); */ static void fail_exit (int code) { + int type; + if (home_added) { - if (rmdir (user_home) != 0) { + if (rmdir (prefix_user_home) != 0) { fprintf (stderr, -@@ -238,12 +240,6 @@ static void fail_exit (int code) +@@ -242,12 +244,6 @@ static void fail_exit (int code) if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); @@ -1351,7 +1340,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -251,12 +247,6 @@ static void fail_exit (int code) +@@ -255,12 +251,6 @@ static void fail_exit (int code) if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); @@ -1364,7 +1353,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -264,12 +254,6 @@ static void fail_exit (int code) +@@ -268,12 +258,6 @@ static void fail_exit (int code) if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); @@ -1377,7 +1366,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -278,12 +262,6 @@ static void fail_exit (int code) +@@ -282,12 +266,6 @@ static void fail_exit (int code) if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); @@ -1390,7 +1379,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -293,12 +271,6 @@ static void fail_exit (int code) +@@ -297,12 +275,6 @@ static void fail_exit (int code) if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); @@ -1403,7 +1392,7 @@ Index: shadow-4.5/src/useradd.c /* continue */ } } -@@ -306,20 +278,19 @@ static void fail_exit (int code) +@@ -310,20 +282,19 @@ static void fail_exit (int code) if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); @@ -1431,7 +1420,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -626,7 +597,7 @@ static int set_defaults (void) +@@ -673,7 +644,7 @@ static int set_defaults (void) } #ifdef WITH_AUDIT audit_logger (AUDIT_USYS_CONFIG, Prog, @@ -1440,7 +1429,7 @@ Index: shadow-4.5/src/useradd.c NULL, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -896,12 +867,6 @@ static void grp_update (void) +@@ -950,12 +921,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1453,7 +1442,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -915,18 +880,12 @@ static void grp_update (void) +@@ -969,18 +934,12 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), ngrp->gr_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name)); @@ -1475,7 +1464,7 @@ Index: shadow-4.5/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -971,12 +930,6 @@ static void grp_update (void) +@@ -1025,12 +984,6 @@ static void grp_update (void) _("%s: Out of memory. Cannot update %s.\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1488,7 +1477,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_GRP_UPDATE); /* XXX */ } -@@ -990,18 +943,13 @@ static void grp_update (void) +@@ -1044,18 +997,13 @@ static void grp_update (void) _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), nsgrp->sg_name); SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name)); @@ -1511,7 +1500,7 @@ Index: shadow-4.5/src/useradd.c SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, -@@ -1344,7 +1292,7 @@ static void process_flags (int argc, cha +@@ -1407,7 +1355,7 @@ static void process_flags (int argc, cha Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1520,7 +1509,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1447,7 +1395,7 @@ static void close_files (void) +@@ -1522,7 +1470,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1529,7 +1518,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1460,7 +1408,7 @@ static void close_files (void) +@@ -1535,7 +1483,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1538,7 +1527,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1472,7 +1420,7 @@ static void close_files (void) +@@ -1547,7 +1495,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1547,7 +1536,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1486,7 +1434,7 @@ static void close_files (void) +@@ -1561,7 +1509,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1556,7 +1545,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1502,7 +1450,7 @@ static void close_files (void) +@@ -1577,7 +1525,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1565,7 +1554,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1516,7 +1464,7 @@ static void close_files (void) +@@ -1591,7 +1539,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1574,7 +1563,7 @@ Index: shadow-4.5/src/useradd.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1708,7 +1656,7 @@ static void grp_add (void) +@@ -1783,7 +1731,7 @@ static void grp_add (void) Prog, gr_dbname (), grp.gr_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1583,7 +1572,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1724,7 +1672,7 @@ static void grp_add (void) +@@ -1799,7 +1747,7 @@ static void grp_add (void) Prog, sgr_dbname (), sgrp.sg_name); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1592,7 +1581,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif -@@ -1734,7 +1682,7 @@ static void grp_add (void) +@@ -1809,7 +1757,7 @@ static void grp_add (void) SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, @@ -1601,7 +1590,7 @@ Index: shadow-4.5/src/useradd.c grp.gr_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif -@@ -1895,12 +1843,6 @@ static void usr_update (void) +@@ -1970,12 +1918,6 @@ static void usr_update (void) fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, spw_dbname (), spent.sp_namp); @@ -1614,7 +1603,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_PW_UPDATE); } #ifdef ENABLE_SUBIDS -@@ -1922,7 +1864,7 @@ static void usr_update (void) +@@ -1997,7 +1939,7 @@ static void usr_update (void) #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, @@ -1623,10 +1612,10 @@ Index: shadow-4.5/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -1957,12 +1899,6 @@ static void create_home (void) +@@ -2032,12 +1974,6 @@ static void create_home (void) fprintf (stderr, _("%s: cannot create directory %s\n"), - Prog, user_home); + Prog, prefix_user_home); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", @@ -1635,8 +1624,8 @@ Index: shadow-4.5/src/useradd.c -#endif fail_exit (E_HOMEDIR); } - chown (user_home, user_id, user_gid); -@@ -1970,8 +1906,8 @@ static void create_home (void) + (void) chown (prefix_user_home, user_id, user_gid); +@@ -2045,8 +1981,8 @@ static void create_home (void) 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); home_added = true; #ifdef WITH_AUDIT @@ -1647,9 +1636,9 @@ Index: shadow-4.5/src/useradd.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif -@@ -2151,12 +2087,6 @@ int main (int argc, char **argv) +@@ -2231,12 +2167,6 @@ int main (int argc, char **argv) */ - if (getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ + if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, @@ -1660,7 +1649,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_NAME_IN_USE); } -@@ -2172,12 +2102,6 @@ int main (int argc, char **argv) +@@ -2252,12 +2182,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); @@ -1673,7 +1662,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_NAME_IN_USE); } } -@@ -2207,12 +2131,6 @@ int main (int argc, char **argv) +@@ -2287,12 +2211,6 @@ int main (int argc, char **argv) fprintf (stderr, _("%s: UID %lu is not unique\n"), Prog, (unsigned long) user_id); @@ -1686,7 +1675,7 @@ Index: shadow-4.5/src/useradd.c fail_exit (E_UID_IN_USE); } } -@@ -2285,9 +2203,10 @@ int main (int argc, char **argv) +@@ -2365,9 +2283,10 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -1700,11 +1689,10 @@ Index: shadow-4.5/src/useradd.c #endif /* WITH_AUDIT */ rv = E_SE_UPDATE; } -Index: shadow-4.5/src/userdel.c -=================================================================== ---- shadow-4.5.orig/src/userdel.c -+++ shadow-4.5/src/userdel.c -@@ -214,9 +214,9 @@ static void update_groups (void) +diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c +--- shadow-4.6/src/userdel.c.audit-update 2018-05-28 15:01:09.909717479 +0200 ++++ shadow-4.6/src/userdel.c 2018-05-28 15:01:09.916717628 +0200 +@@ -219,9 +219,9 @@ static void update_groups (void) * Update the DBM group file with the new entry as well. */ #ifdef WITH_AUDIT @@ -1717,7 +1705,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n", -@@ -276,9 +276,9 @@ static void update_groups (void) +@@ -281,9 +281,9 @@ static void update_groups (void) exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1730,7 +1718,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n", -@@ -355,9 +355,9 @@ static void remove_usergroup (void) +@@ -360,9 +360,9 @@ static void remove_usergroup (void) } #ifdef WITH_AUDIT @@ -1743,7 +1731,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -373,9 +373,9 @@ static void remove_usergroup (void) +@@ -378,9 +378,9 @@ static void remove_usergroup (void) fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT @@ -1756,7 +1744,7 @@ Index: shadow-4.5/src/userdel.c SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, -@@ -537,7 +537,7 @@ static void fail_exit (int code) +@@ -542,7 +542,7 @@ static void fail_exit (int code) #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1765,7 +1753,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -557,24 +557,12 @@ static void open_files (void) +@@ -562,24 +562,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); @@ -1790,7 +1778,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { -@@ -582,12 +570,6 @@ static void open_files (void) +@@ -587,12 +575,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); @@ -1803,7 +1791,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } spw_locked = true; -@@ -595,12 +577,6 @@ static void open_files (void) +@@ -600,12 +582,6 @@ static void open_files (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -1816,7 +1804,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_PW_UPDATE); } } -@@ -608,23 +584,11 @@ static void open_files (void) +@@ -613,23 +589,11 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); @@ -1840,7 +1828,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP -@@ -633,24 +597,12 @@ static void open_files (void) +@@ -638,24 +602,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); @@ -1865,7 +1853,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_GRP_UPDATE); } } -@@ -661,24 +613,12 @@ static void open_files (void) +@@ -666,24 +618,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); @@ -1890,7 +1878,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_SUB_UID_UPDATE); } } -@@ -687,24 +627,12 @@ static void open_files (void) +@@ -692,24 +632,12 @@ static void open_files (void) fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); @@ -1915,7 +1903,7 @@ Index: shadow-4.5/src/userdel.c fail_exit (E_SUB_GID_UPDATE); } } -@@ -749,7 +677,7 @@ static void update_user (void) +@@ -754,7 +682,7 @@ static void update_user (void) #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1924,7 +1912,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ -@@ -843,7 +771,7 @@ static int remove_mailbox (void) +@@ -862,7 +790,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1933,7 +1921,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -859,7 +787,7 @@ static int remove_mailbox (void) +@@ -879,7 +807,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1942,7 +1930,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -869,8 +797,8 @@ static int remove_mailbox (void) +@@ -889,8 +817,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1953,7 +1941,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -887,7 +815,7 @@ static int remove_mailbox (void) +@@ -908,7 +836,7 @@ static int remove_mailbox (void) mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1962,7 +1950,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -902,7 +830,7 @@ static int remove_mailbox (void) +@@ -925,7 +853,7 @@ static int remove_mailbox (void) SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno))); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1971,7 +1959,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -912,8 +840,8 @@ static int remove_mailbox (void) +@@ -935,8 +863,8 @@ static int remove_mailbox (void) #ifdef WITH_AUDIT else { @@ -1982,7 +1970,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1111,7 +1039,7 @@ int main (int argc, char **argv) +@@ -1149,7 +1077,7 @@ int main (int argc, char **argv) Prog, user_name); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -1991,7 +1979,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1155,7 +1083,7 @@ int main (int argc, char **argv) +@@ -1205,7 +1133,7 @@ int main (int argc, char **argv) if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -2000,7 +1988,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -1232,8 +1160,8 @@ int main (int argc, char **argv) +@@ -1282,8 +1210,8 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT else { @@ -2011,7 +1999,7 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_SUCCESS); } -@@ -1242,7 +1170,7 @@ int main (int argc, char **argv) +@@ -1292,7 +1220,7 @@ int main (int argc, char **argv) #ifdef WITH_AUDIT if (0 != errors) { audit_logger (AUDIT_DEL_USER, Prog, @@ -2020,7 +2008,7 @@ Index: shadow-4.5/src/userdel.c user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); } -@@ -1255,8 +1183,8 @@ int main (int argc, char **argv) +@@ -1305,8 +1233,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2031,11 +2019,10 @@ Index: shadow-4.5/src/userdel.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -Index: shadow-4.5/src/usermod.c -=================================================================== ---- shadow-4.5.orig/src/usermod.c -+++ shadow-4.5/src/usermod.c -@@ -447,8 +447,8 @@ static char *new_pw_passwd (char *pw_pas +diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.audit-update 2018-05-28 15:01:09.912717543 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:08:25.424969050 +0200 +@@ -453,8 +453,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2046,7 +2033,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname)); strcpy (buf, "!"); -@@ -467,8 +467,8 @@ static char *new_pw_passwd (char *pw_pas +@@ -473,8 +473,8 @@ static char *new_pw_passwd (char *pw_pas #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2057,7 +2044,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); s = pw_pass; -@@ -479,7 +479,7 @@ static char *new_pw_passwd (char *pw_pas +@@ -485,7 +485,7 @@ static char *new_pw_passwd (char *pw_pas } else if (pflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, @@ -2066,7 +2053,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, "change user '%s' password", user_newname)); -@@ -508,8 +508,8 @@ static void new_pwent (struct passwd *pw +@@ -514,8 +514,8 @@ static void new_pwent (struct passwd *pw fail_exit (E_NAME_IN_USE); } #ifdef WITH_AUDIT @@ -2077,7 +2064,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -529,8 +529,8 @@ static void new_pwent (struct passwd *pw +@@ -535,8 +535,8 @@ static void new_pwent (struct passwd *pw if (uflg) { #ifdef WITH_AUDIT @@ -2088,7 +2075,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -540,8 +540,8 @@ static void new_pwent (struct passwd *pw +@@ -546,8 +546,8 @@ static void new_pwent (struct passwd *pw } if (gflg) { #ifdef WITH_AUDIT @@ -2099,7 +2086,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -551,8 +551,8 @@ static void new_pwent (struct passwd *pw +@@ -557,8 +557,8 @@ static void new_pwent (struct passwd *pw } if (cflg) { #ifdef WITH_AUDIT @@ -2110,7 +2097,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif pwent->pw_gecos = user_newcomment; -@@ -560,8 +560,8 @@ static void new_pwent (struct passwd *pw +@@ -566,8 +566,8 @@ static void new_pwent (struct passwd *pw if (dflg) { #ifdef WITH_AUDIT @@ -2121,7 +2108,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -571,8 +571,8 @@ static void new_pwent (struct passwd *pw +@@ -577,8 +577,8 @@ static void new_pwent (struct passwd *pw } if (sflg) { #ifdef WITH_AUDIT @@ -2132,7 +2119,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -602,8 +602,8 @@ static void new_spent (struct spwd *spen +@@ -608,8 +608,8 @@ static void new_spent (struct spwd *spen if (fflg) { #ifdef WITH_AUDIT @@ -2143,7 +2130,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -619,8 +619,8 @@ static void new_spent (struct spwd *spen +@@ -625,8 +625,8 @@ static void new_spent (struct spwd *spen date_to_str (old_exp, sizeof(old_exp), user_expire * DAY); #ifdef WITH_AUDIT @@ -2154,7 +2141,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif SYSLOG ((LOG_INFO, -@@ -703,9 +703,9 @@ static /*@noreturn@*/void fail_exit (int +@@ -709,9 +709,9 @@ static /*@noreturn@*/void fail_exit (int #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT @@ -2167,7 +2154,7 @@ Index: shadow-4.5/src/usermod.c #endif exit (code); } -@@ -759,9 +759,12 @@ static void update_group (void) +@@ -765,9 +765,12 @@ static void update_group (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2183,7 +2170,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in group '%s'", -@@ -775,9 +778,11 @@ static void update_group (void) +@@ -781,9 +784,11 @@ static void update_group (void) ngrp->gr_mem = del_list (ngrp->gr_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2198,7 +2185,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from group '%s'", -@@ -790,9 +795,11 @@ static void update_group (void) +@@ -796,9 +801,11 @@ static void update_group (void) ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2213,7 +2200,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to group '%s'", user_newname, ngrp->gr_name)); -@@ -867,9 +874,10 @@ static void update_gshadow (void) +@@ -873,9 +880,10 @@ static void update_gshadow (void) nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2227,7 +2214,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change admin '%s' to '%s' in shadow group '%s'", -@@ -889,9 +897,10 @@ static void update_gshadow (void) +@@ -895,9 +903,10 @@ static void update_gshadow (void) user_newname); changed = true; #ifdef WITH_AUDIT @@ -2241,7 +2228,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "change '%s' to '%s' in shadow group '%s'", -@@ -905,9 +914,10 @@ static void update_gshadow (void) +@@ -911,9 +920,10 @@ static void update_gshadow (void) nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name); changed = true; #ifdef WITH_AUDIT @@ -2255,7 +2242,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'", -@@ -920,9 +930,10 @@ static void update_gshadow (void) +@@ -926,9 +936,10 @@ static void update_gshadow (void) nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname); changed = true; #ifdef WITH_AUDIT @@ -2269,7 +2256,7 @@ Index: shadow-4.5/src/usermod.c #endif SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", user_newname, nsgrp->sg_name)); -@@ -1758,8 +1769,8 @@ static void move_home (void) +@@ -1789,8 +1800,8 @@ static void move_home (void) #ifdef WITH_AUDIT if (uflg || gflg) { @@ -2280,7 +2267,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -1777,8 +1788,8 @@ static void move_home (void) +@@ -1808,8 +1819,8 @@ static void move_home (void) fail_exit (E_HOMEDIR); } #ifdef WITH_AUDIT @@ -2291,8 +2278,8 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); #endif -@@ -1797,9 +1808,9 @@ static void move_home (void) - Prog, user_home); +@@ -1828,9 +1839,9 @@ static void move_home (void) + Prog, prefix_user_home); } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, @@ -2303,7 +2290,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); -@@ -2003,8 +2014,8 @@ static void move_mailbox (void) +@@ -2045,8 +2056,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2314,7 +2301,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2022,8 +2033,8 @@ static void move_mailbox (void) +@@ -2072,8 +2083,8 @@ static void move_mailbox (void) } #ifdef WITH_AUDIT else { @@ -2325,7 +2312,7 @@ Index: shadow-4.5/src/usermod.c user_newname, (unsigned int) user_newid, 1); } #endif -@@ -2215,8 +2226,8 @@ int main (int argc, char **argv) +@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); #ifdef WITH_AUDIT @@ -2336,7 +2323,7 @@ Index: shadow-4.5/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2228,8 +2239,8 @@ int main (int argc, char **argv) +@@ -2280,8 +2291,8 @@ int main (int argc, char **argv) _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -2347,7 +2334,7 @@ Index: shadow-4.5/src/usermod.c user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ -@@ -2267,8 +2278,8 @@ int main (int argc, char **argv) +@@ -2319,8 +2330,8 @@ int main (int argc, char **argv) */ #ifdef WITH_AUDIT if (uflg || gflg) { diff --git a/shadow-4.6-getenforce.patch b/shadow-4.6-getenforce.patch new file mode 100644 index 0000000..8a55bf5 --- /dev/null +++ b/shadow-4.6-getenforce.patch @@ -0,0 +1,21 @@ +diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c +--- shadow-4.6/lib/selinux.c.getenforce 2018-05-28 15:10:15.870315221 +0200 ++++ shadow-4.6/lib/selinux.c 2018-05-28 15:10:15.894315731 +0200 +@@ -75,7 +75,7 @@ int set_selinux_file_context (const char + } + return 0; + error: +- if (security_getenforce () != 0) { ++ if (security_getenforce () > 0) { + return 1; + } + return 0; +@@ -95,7 +95,7 @@ int reset_selinux_file_context (void) + selinux_checked = true; + } + if (selinux_enabled) { +- if (setfscreatecon (NULL) != 0) { ++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { + return 1; + } + } diff --git a/shadow-4.6-move-home.patch b/shadow-4.6-move-home.patch new file mode 100644 index 0000000..cff9561 --- /dev/null +++ b/shadow-4.6-move-home.patch @@ -0,0 +1,15 @@ +diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.move-home 2018-05-28 14:59:05.594076665 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:00:28.479837392 +0200 +@@ -1845,6 +1845,11 @@ static void move_home (void) + Prog, prefix_user_home, prefix_user_newhome); + fail_exit (E_HOMEDIR); + } ++ } else { ++ fprintf (stderr, ++ _("%s: The previous home directory (%s) does " ++ "not exist or is inaccessible. Move cannot be completed.\n"), ++ Prog, prefix_user_home); + } + } + diff --git a/shadow-4.5-orig-context.patch b/shadow-4.6-orig-context.patch similarity index 65% rename from shadow-4.5-orig-context.patch rename to shadow-4.6-orig-context.patch index a1c2235..ea522e7 100644 --- a/shadow-4.5-orig-context.patch +++ b/shadow-4.6-orig-context.patch @@ -1,8 +1,7 @@ -Index: shadow-4.5/lib/commonio.c -=================================================================== ---- shadow-4.5.orig/lib/commonio.c -+++ shadow-4.5/lib/commonio.c -@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * +diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c +--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200 +@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); #ifdef WITH_SELINUX @@ -11,7 +10,7 @@ Index: shadow-4.5/lib/commonio.c errors++; } #endif -@@ -974,7 +974,7 @@ int commonio_close (struct commonio_db * +@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX @@ -20,10 +19,9 @@ Index: shadow-4.5/lib/commonio.c errors++; } #endif -Index: shadow-4.5/libmisc/copydir.c -=================================================================== ---- shadow-4.5.orig/libmisc/copydir.c -+++ shadow-4.5/libmisc/copydir.c +diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c +--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ @@ -60,11 +58,10 @@ Index: shadow-4.5/libmisc/copydir.c return -1; } #endif /* WITH_SELINUX */ -Index: shadow-4.5/lib/prototypes.h -=================================================================== ---- shadow-4.5.orig/lib/prototypes.h -+++ shadow-4.5/lib/prototypes.h -@@ -311,7 +311,7 @@ extern /*@observer@*/const char *crypt_m +diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h +--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200 +@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX @@ -73,10 +70,9 @@ Index: shadow-4.5/lib/prototypes.h extern int reset_selinux_file_context (void); #endif -Index: shadow-4.5/lib/selinux.c -=================================================================== ---- shadow-4.5.orig/lib/selinux.c -+++ shadow-4.5/lib/selinux.c +diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c +--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context @@ -118,16 +114,15 @@ Index: shadow-4.5/lib/selinux.c } /* -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -1945,7 +1945,7 @@ static void create_home (void) +diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200 +@@ -2020,7 +2020,7 @@ static void create_home (void) { - if (access (user_home, F_OK) != 0) { + if (access (prefix_user_home, F_OK) != 0) { #ifdef WITH_SELINUX -- if (set_selinux_file_context (user_home) != 0) { -+ if (set_selinux_file_context (user_home, NULL) != 0) { +- if (set_selinux_file_context (prefix_user_home) != 0) { ++ if (set_selinux_file_context (prefix_user_home, NULL) != 0) { fprintf (stderr, _("%s: cannot set SELinux context for home directory %s\n"), Prog, user_home); diff --git a/shadow-4.1.5-redhat.patch b/shadow-4.6-redhat.patch similarity index 60% rename from shadow-4.1.5-redhat.patch rename to shadow-4.6-redhat.patch index ef26cbd..7a8be2e 100644 --- a/shadow-4.1.5-redhat.patch +++ b/shadow-4.6-redhat.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c +diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.redhat 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:37:16.695651258 +0200 @@ -98,7 +98,7 @@ const char *Prog; static gid_t def_group = 100; static const char *def_gname = "other"; @@ -20,19 +19,19 @@ Index: shadow-4.5/src/useradd.c static uid_t user_id; static gid_t user_gid; static const char *user_comment = ""; -@@ -1059,9 +1059,9 @@ static void process_flags (int argc, cha +@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:", #else /* !WITH_SELINUX */ -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", -+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U", +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", ++ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U", #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { -@@ -1212,6 +1212,7 @@ static void process_flags (int argc, cha +@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha case 'M': Mflg = true; break; diff --git a/shadow-4.5-selinux.patch b/shadow-4.6-selinux.patch similarity index 75% rename from shadow-4.5-selinux.patch rename to shadow-4.6-selinux.patch index cd1a3b4..dfd5140 100644 --- a/shadow-4.5-selinux.patch +++ b/shadow-4.6-selinux.patch @@ -1,7 +1,6 @@ -Index: shadow-4.5/lib/semanage.c -=================================================================== ---- shadow-4.5.orig/lib/semanage.c -+++ shadow-4.5/lib/semanage.c +diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c +--- shadow-4.6/lib/semanage.c.selinux 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/lib/semanage.c 2018-05-28 13:38:20.551008911 +0200 @@ -294,6 +294,9 @@ int set_seuser (const char *login_name, ret = 0; @@ -23,11 +22,10 @@ Index: shadow-4.5/lib/semanage.c done: semanage_handle_destroy (handle); return ret; -Index: shadow-4.5/src/useradd.c -=================================================================== ---- shadow-4.5.orig/src/useradd.c -+++ shadow-4.5/src/useradd.c -@@ -2042,6 +2042,7 @@ static void create_mail (void) +diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c +--- shadow-4.6/src/useradd.c.selinux 2018-05-28 13:43:30.996748997 +0200 ++++ shadow-4.6/src/useradd.c 2018-05-28 13:44:04.645486199 +0200 +@@ -2120,6 +2120,7 @@ static void create_mail (void) */ int main (int argc, char **argv) { @@ -35,14 +33,14 @@ Index: shadow-4.5/src/useradd.c #ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; -@@ -2262,27 +2263,11 @@ int main (int argc, char **argv) +@@ -2342,27 +2343,11 @@ int main (int argc, char **argv) usr_update (); - if (mflg) { - create_home (); - if (home_added) { -- copy_tree (def_template, user_home, false, false, +- copy_tree (def_template, prefix_user_home, false, false, - (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, @@ -66,7 +64,7 @@ Index: shadow-4.5/src/useradd.c /* * tallylog_reset needs to be able to lookup * a valid existing user name, -@@ -2293,8 +2278,9 @@ int main (int argc, char **argv) +@@ -2373,8 +2358,9 @@ int main (int argc, char **argv) } #ifdef WITH_SELINUX @@ -78,7 +76,7 @@ Index: shadow-4.5/src/useradd.c fprintf (stderr, _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); -@@ -2303,14 +2289,31 @@ int main (int argc, char **argv) +@@ -2383,14 +2369,31 @@ int main (int argc, char **argv) "adding SELinux user mapping", user_name, (unsigned int) user_id, 0); #endif /* WITH_AUDIT */ @@ -95,7 +93,7 @@ Index: shadow-4.5/src/useradd.c + if (mflg) { + create_home (); + if (home_added) { -+ copy_tree (def_template, user_home, false, true, ++ copy_tree (def_template, prefix_user_home, false, true, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, diff --git a/shadow-4.6-usermod-crash.patch b/shadow-4.6-usermod-crash.patch new file mode 100644 index 0000000..d2861b3 --- /dev/null +++ b/shadow-4.6-usermod-crash.patch @@ -0,0 +1,42 @@ +diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c +--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/libmisc/prefix_flag.c 2018-05-28 15:14:10.642302440 +0200 +@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi + { + long long int gid; + char *endptr; ++ struct group *g; + + if (NULL == grname) { + return NULL; +@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi + && (gid == (gid_t)gid)) { + return prefix_getgrgid ((gid_t) gid); + } +- return prefix_getgrnam (grname); ++ g = prefix_getgrnam (grname); ++ return g ? __gr_dup(g) : NULL; + } + else + return getgr_nam_gid(grname); +diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c +--- shadow-4.6/src/usermod.c.usermod-crash 2018-05-28 15:12:37.920332763 +0200 ++++ shadow-4.6/src/usermod.c 2018-05-28 15:15:50.337422470 +0200 +@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha + prefix_user_home = xmalloc(len); + wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home); + assert (wlen == (int) len -1); ++ if (user_newhome) { ++ len = strlen(prefix) + strlen(user_newhome) + 2; ++ prefix_user_newhome = xmalloc(len); ++ wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); ++ assert (wlen == (int) len -1); ++ } + +- len = strlen(prefix) + strlen(user_newhome) + 2; +- prefix_user_newhome = xmalloc(len); +- wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome); +- assert (wlen == (int) len -1); + } + else { + prefix_user_home = user_home; diff --git a/shadow-utils.spec b/shadow-utils.spec index 883e02c..35732ac 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.5 -Release: 10%{?dist} +Version: 4.6 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -10,28 +10,26 @@ Source2: shadow-utils.useradd Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -Patch0: shadow-4.1.5-redhat.patch +Patch0: shadow-4.6-redhat.patch Patch1: shadow-4.5-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch -Patch6: shadow-4.5-selinux.patch -Patch7: shadow-4.1.5-2ndskip.patch -Patch10: shadow-4.5-orig-context.patch +Patch6: shadow-4.6-selinux.patch +Patch10: shadow-4.6-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch Patch14: shadow-4.1.5.1-default-range.patch Patch15: shadow-4.3.1-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch19: shadow-4.2.1-date-parsing.patch -Patch20: shadow-4.1.5.1-ingroup.patch -Patch21: shadow-4.1.5.1-move-home.patch -Patch22: shadow-4.3.1-audit-update.patch +Patch21: shadow-4.6-move-home.patch +Patch22: shadow-4.6-audit-update.patch Patch23: shadow-4.5-usermod-unlock.patch Patch24: shadow-4.2.1-no-lock-dos.patch Patch28: shadow-4.3.1-selinux-perms.patch Patch29: shadow-4.2.1-null-tm.patch -Patch30: shadow-4.1.5.1-newgrp-grouplist.patch -Patch31: shadow-4.5-userdel-chroot.patch +Patch31: shadow-4.6-getenforce.patch Patch32: shadow-4.5-crypt_h.patch Patch33: shadow-4.5-long-entry.patch +Patch34: shadow-4.6-usermod-crash.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -67,24 +65,22 @@ are used for managing group accounts. %patch1 -p1 -b .goodname %patch2 -p1 -b .info-parent-dir %patch6 -p1 -b .selinux -%patch7 -p1 -b .2ndskip %patch10 -p1 -b .orig-context %patch11 -p1 -b .logmsg %patch14 -p1 -b .default-range %patch15 -p1 -b .manfix %patch17 -p1 -b .userdel %patch19 -p1 -b .date-parsing -%patch20 -p1 -b .ingroup %patch21 -p1 -b .move-home %patch22 -p1 -b .audit-update %patch23 -p1 -b .unlock %patch24 -p1 -b .no-lock-dos %patch28 -p1 -b .selinux-perms %patch29 -p1 -b .null-tm -%patch30 -p1 -b .grouplist -%patch31 -p1 -b .userdel-chroot +%patch31 -p1 -b .getenforce %patch32 -p1 -b .crypt_h %patch33 -p1 -b .long-entry +%patch34 -p1 -b .usermod-crash iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -237,6 +233,9 @@ done %{_mandir}/man8/vigr.8* %changelog +* Mon May 28 2018 Tomáš Mráz - 2:4.6-1 +- update to current upstream release 4.6 + * Fri Apr 20 2018 Tomáš Mráz - 2:4.5-10 - Raise limit for passwd and shadow entry length but also prevent writing longer entries (#1422497) diff --git a/sources b/sources index a50063e..2093465 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (shadow-4.5.tar.xz) = e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 -SHA512 (shadow-4.5.tar.xz.asc) = 42739e5e36e0dd1ff8e9d8721f5b4b222113afd91c927b580bc0b587d59dcdecdf938c978405b80f15a70b17f2d0589f8b6277e0e9bd23a5f3c2fc924c9b1e24 +SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631 +SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed From 0aa80600347bf2cf430a3017b26ad495a40eb628 Mon Sep 17 00:00:00 2001 From: Jason Tibbitts Date: Tue, 10 Jul 2018 01:20:51 -0500 Subject: [PATCH 25/31] Remove needless use of %defattr --- shadow-utils.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 35732ac..509265c 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -183,7 +183,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do done %files -f shadow.lang -%defattr(-,root,root) %doc NEWS doc/HOWTO README %{!?_licensedir:%global license %%doc} %license gpl-2.0.txt shadow-bsd.txt From 8362f15341f867d3bdd5a6d09eb53b4752bf3b34 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 14 Jul 2018 06:02:14 +0000 Subject: [PATCH 26/31] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- shadow-utils.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 509265c..8587c71 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -232,6 +232,9 @@ done %{_mandir}/man8/vigr.8* %changelog +* Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Mon May 28 2018 Tomáš Mráz - 2:4.6-1 - update to current upstream release 4.6 From f0fc249a12652b4b7b83e2c504187ce6352f2ecb Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:12:27 -0400 Subject: [PATCH 27/31] initial build steps for the package on centos7 Signed-off-by: Vincent Batts --- shadow-utils.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index 8587c71..9b9e883 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -97,6 +97,10 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie" export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %endif +rm aclocal.m4 +aclocal +libtoolize --force + autoreconf %configure \ --enable-shadowgrp \ From 6a08374eef51fdd1f9e882c7e9a47d893ab53e12 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:14:39 -0400 Subject: [PATCH 28/31] spec: fetch sources from github if needed there is the 'sources' file that fedpkg uses, but for now allow fetching from the source URLs to build. Signed-off-by: Vincent Batts --- shadow-utils.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shadow-utils.spec b/shadow-utils.spec index 9b9e883..1ab546d 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,3 +1,6 @@ +# they warn against doing this ... +%define _disable_source_fetch 0 + Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 From 354422003508b31a08c8779b5e3851cc1ed97133 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:35:53 -0400 Subject: [PATCH 29/31] spec: subpackage of newuidmap and newgidmap and have the main package depend on them for consistent experience. Though this may hae the side effect of yum wanting to use the main shadow as an upgrade to the shadow 4.1 that centos/rhel are using ... Built local rpm with: ```shell rpmbuild \ --define "_sourcedir $(pwd)" \ --define "_specdir $(pwd)" \ --define "_builddir $(pwd)" \ --define "_srcrpmdir $(pwd)" \ --define "_rpmdir $(pwd)" \ --nodeps \ -ba \ shadow-utils.spec ``` Signed-off-by: Vincent Batts --- shadow-utils.spec | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index 1ab546d..e8bc3a4 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -48,6 +48,7 @@ Requires: audit-libs >= 1.6.5 Requires: setup Requires(pre): coreutils Requires(post): coreutils +Requires: %{name}-newxidmap = %{version}-%{release} Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description @@ -62,6 +63,11 @@ for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts. +%package newxidmap +Summary: only the newuidmapp and newgidmap from shadow-utils +%description newxidmap +%{summary}. + %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat @@ -200,8 +206,6 @@ done %attr(4755,root,root) %{_bindir}/gpasswd %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp -%attr(4755,root,root) %{_bindir}/newgidmap -%attr(4755,root,root) %{_bindir}/newuidmap %{_sbindir}/adduser %attr(0755,root,root) %{_sbindir}/user* %attr(0755,root,root) %{_sbindir}/group* @@ -217,8 +221,6 @@ done %{_mandir}/man1/gpasswd.1* %{_mandir}/man1/sg.1* %{_mandir}/man1/newgrp.1* -%{_mandir}/man1/newgidmap.1* -%{_mandir}/man1/newuidmap.1* %{_mandir}/man3/shadow.3* %{_mandir}/man5/shadow.5* %{_mandir}/man5/login.defs.5* @@ -238,6 +240,12 @@ done %{_mandir}/man8/vipw.8* %{_mandir}/man8/vigr.8* +%files newxidmap +%attr(4755,root,root) %{_bindir}/newgidmap +%attr(4755,root,root) %{_bindir}/newuidmap +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* + %changelog * Sat Jul 14 2018 Fedora Release Engineering - 2:4.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From 7f73f07a1aea7eadfb9f74c5c262e3ebad9d69b9 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 2 Oct 2018 04:49:10 -0400 Subject: [PATCH 30/31] source file is confusing the lookaside on copr Signed-off-by: Vincent Batts --- sources => sources.bak | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources => sources.bak (100%) diff --git a/sources b/sources.bak similarity index 100% rename from sources rename to sources.bak From 3815c0b5ba14330979f63089b7d44cd95b25f38a Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Tue, 9 Oct 2018 10:15:32 -0400 Subject: [PATCH 31/31] change package name so "shadow-utils" won't attempt to update Signed-off-by: Vincent Batts --- shadow-utils.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shadow-utils.spec b/shadow-utils.spec index e8bc3a4..40be79a 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,8 +1,9 @@ # they warn against doing this ... %define _disable_source_fetch 0 +%define srcname shadow-utils Summary: Utilities for managing accounts and shadow password files -Name: shadow-utils +Name: %{srcname}46 Version: 4.6 Release: 2%{?dist} Epoch: 2