- Update to 4.14.0:

- Refresh useradd-default.patch
- Remove upstreamed patches:
  * useradd-userkeleton.patch
  * shadow-audit-no-id.patch
  * shadow-fix-print-login-timeout.patch
  * shadow-CVE-2023-29383.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=149
This commit is contained in:
Michael Vetter 2023-08-04 15:48:26 +00:00 committed by Git OBS Bridge
parent de2ffbd8a7
commit 51ee267bd3
11 changed files with 47 additions and 317 deletions

16
my.patch Normal file
View File

@ -0,0 +1,16 @@
diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
index cc24901e..227d8fb4 100644
--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
@@ -17,9 +17,11 @@ libmisc_la_SOURCES = \
age.c \
agetpass.c \
alloc.c \
+ alloc.h \
audit_help.c \
basename.c \
bit.c \
+ bit.h \
chkname.c \
chkname.h \
chowndir.c \

BIN
shadow-4.13.tar.xz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK
ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5
2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6
P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL
xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9
tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D
AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA==
=33BL
-----END PGP SIGNATURE-----

3
shadow-4.14.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6d894c706156cdf69bc320cf3c587a7a93631046d21669960425e8874f992911
size 3382521

View File

@ -1,51 +0,0 @@
Index: shadow-4.13/lib/fields.c
===================================================================
--- shadow-4.13.orig/lib/fields.c
+++ shadow-4.13/lib/fields.c
@@ -21,9 +21,9 @@
*
* The supplied field is scanned for non-printable and other illegal
* characters.
- * + -1 is returned if an illegal character is present.
- * + 1 is returned if no illegal characters are present, but the field
- * contains a non-printable character.
+ * + -1 is returned if an illegal or control character is present.
+ * + 1 is returned if no illegal or control characters are present,
+ * but the field contains a non-printable character.
* + 0 is returned otherwise.
*/
int valid_field (const char *field, const char *illegal)
@@ -37,23 +37,22 @@ int valid_field (const char *field, cons
/* For each character of field, search if it appears in the list
* of illegal characters. */
+ if (illegal && NULL != strpbrk (field, illegal)) {
+ return -1;
+ }
+
+ /* Search if there are non-printable or control characters */
for (cp = field; '\0' != *cp; cp++) {
- if (strchr (illegal, *cp) != NULL) {
+ unsigned char c = *cp;
+ if (!isprint (c)) {
+ err = 1;
+ }
+ if (iscntrl (c)) {
err = -1;
break;
}
}
- if (0 == err) {
- /* Search if there are some non-printable characters */
- for (cp = field; '\0' != *cp; cp++) {
- if (!isprint (*cp)) {
- err = 1;
- break;
- }
- }
- }
-
return err;
}

View File

@ -1,36 +0,0 @@
From 3cfc7955b33c85472a7cf11a0ecf1c6851db7c26 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Thu, 15 Dec 2022 11:52:58 +0100
Subject: [PATCH] Fix useradd audit event logging of ID field
When useradd sends its ADD_USER event, it is filling in the id field. This is not yet written to disk. When auditd sees the event and the log format is enriched, auditd tries to lookup the user name but it does not exist. This causes the event to never be resolvable since ausearch relies on the lookup information attached by auditd.
The fix is to not send the id information for any event until after close_files() is called. Just the acct field is all that is
Patch by Steve Grubb (afaik).
Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1713432
---
src/useradd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index e59e47681..87abd6e33 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2225,9 +2225,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
+ /*
+ * Even though we have the ID of the user, we won't send it now
+ * because its not written to disk yet. After close_files it is
+ * and we can use the real ID thereafter.
+ */
audit_logger (AUDIT_ADD_USER, Prog,
"adding user",
- user_name, (unsigned int) user_id,
+ user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
/*

View File

@ -1,41 +0,0 @@
From 670cae834827a8f794e6f7464fa57790d911b63c Mon Sep 17 00:00:00 2001
From: SoumyaWind <121475834+SoumyaWind@users.noreply.github.com>
Date: Tue, 27 Dec 2022 17:40:17 +0530
Subject: [PATCH] shadow: Fix can not print full login timeout message
Login timed out message prints only first few bytes when write is immediately followed by exit.
Calling exit from new handler provides enough time to display full message.
---
src/login.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/login.c b/src/login.c
index 116e2cb36..c55f4de0a 100644
--- a/src/login.c
+++ b/src/login.c
@@ -120,6 +120,7 @@ static void get_pam_user (char **ptr_pam_user);
static void init_env (void);
static void alarm_handler (int);
+static void exit_handler (int);
/*
* usage - print login command usage and exit
@@ -391,11 +392,16 @@ static void init_env (void)
#endif /* !USE_PAM */
}
+static void exit_handler (unused int sig)
+{
+ _exit (0);
+}
static void alarm_handler (unused int sig)
{
write (STDERR_FILENO, tmsg, strlen (tmsg));
- _exit (0);
+ signal(SIGALRM, exit_handler);
+ alarm(2);
}
#ifdef USE_PAM

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Aug 3 17:09:55 UTC 2023 - Michael Vetter <jubalh@iodoru.org>
- Update to 4.14.0:
- Refresh useradd-default.patch
- Remove upstreamed patches:
* useradd-userkeleton.patch
* shadow-audit-no-id.patch
* shadow-fix-print-login-timeout.patch
* shadow-CVE-2023-29383.patch
-------------------------------------------------------------------
Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter <mvetter@suse.com>

View File

@ -22,15 +22,17 @@
%define no_config 1
%endif
Name: shadow
Version: 4.13
Version: 4.14.0
Release: 0
Summary: Utilities to Manage User and Group Accounts
License: BSD-3-Clause AND GPL-2.0-or-later
Group: System/Base
URL: https://github.com/shadow-maint/shadow
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
#Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz/
#Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc1/shadow-4.14.0-rc1.tar.xz#/shadow-%{version}.tar.xz
Source0: https://github.com/shadow-maint/shadow/archive/refs/tags/4.14.0-rc1.tar.gz#/shadow-%{version}.tar.gz
Source1: pamd.tar.bz2
Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
#Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
Source3: %{name}.keyring
Source4: shadow.service
Source5: shadow.timer
@ -46,26 +48,22 @@ Patch2: shadow-util-linux.patch
Patch3: shadow-login_defs-comments.patch
# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
Patch4: shadow-login_defs-suse.patch
# PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321) (gh/shadow-maint/shadow#591)
Patch5: useradd-userkeleton.patch
# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
Patch6: disable_new_audit_function.patch
# PATCH-FIX-UPSTREAM shadow-audit-no-id.patch mvetter@suse.com -- Fix useradd audit event logging of ID field (bsc#1205502) (gh/shadow-maint/shadow#606)
Patch7: shadow-audit-no-id.patch
# PATCH-FIX-UPSTREAM shadow-fix-print-login-timeout.patch mvetter@suse.com -- Fix print full login timeout message (gh/shadow-maint/shadow#621)
Patch8: shadow-fix-print-login-timeout.patch
# PATCH-FIX-UPSTREAM shadow-CVE-2023-29383.patch mvetter@suse.com -- Check control chracters in chfn (bsc#1210507)
Patch9: shadow-CVE-2023-29383.patch
Patch5: disable_new_audit_function.patch
Patch6: my.patch
BuildRequires: audit-devel > 2.3
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libacl-devel
BuildRequires: libattr-devel
BuildRequires: libbsd-devel
BuildRequires: libselinux-devel
BuildRequires: libsemanage-devel
BuildRequires: libtool
BuildRequires: pam-devel
BuildRequires: xz
# todo
BuildRequires: byacc
Requires: login_defs >= %{version}
Requires(pre): group(root)
Requires(pre): group(shadow)
@ -113,19 +111,16 @@ Requires: libsubid4 = %{version}
Development files for libsubid4.
%prep
%setup -q -a 1
%setup -q -a 1 -n shadow-4.14.0-rc1
%patch0
%patch1
%patch2
%patch3
%patch4
%patch5
%if 0%{?suse_version} < 1330
%patch6 -p1
%patch5 -p1
%endif
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch6 -p1
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
mv -v doc/HOWTO.utf8 doc/HOWTO
@ -148,7 +143,8 @@ autoreconf -fvi
--without-libcrack \
--with-group-name-max-length=32 \
--enable-vendordir=%{_distconfdir}
%make_build
#%make_build
make -j1
# --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336
%install

View File

@ -2,12 +2,12 @@ Index: src/useradd.c
===================================================================
--- src/useradd.c.orig
+++ src/useradd.c
@@ -101,7 +101,7 @@ FILE *shadow_logfd = NULL;
@@ -87,7 +87,7 @@ const char *Prog;
/*
* These defaults are used if there is no defaults file.
*/
-static gid_t def_group = 1000;
+static gid_t def_group = 100;
static const char *def_groups = "";
static const char *def_gname = "other";
static const char *def_home = "/home";
static const char *def_shell = "/bin/bash";

View File

@ -1,154 +0,0 @@
Copy also skeleton files from /usr/etc/skel (boo#1173321)
---
etc/useradd | 1 +
src/useradd.c | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
Index: src/useradd.c
===================================================================
--- src/useradd.c.orig
+++ src/useradd.c
@@ -61,6 +61,9 @@
#ifndef SKEL_DIR
#define SKEL_DIR "/etc/skel"
#endif
+#ifndef USRSKELDIR
+#define USRSKELDIR "/usr/etc/skel"
+#endif
#ifndef USER_DEFAULTS_FILE
#define USER_DEFAULTS_FILE "/etc/default/useradd"
#define NEW_USER_FILE "/etc/default/nuaddXXXXXX"
@@ -84,6 +87,7 @@ static const char *def_gname = "other";
static const char *def_home = "/home";
static const char *def_shell = "/bin/bash";
static const char *def_template = SKEL_DIR;
+static const char *def_usrtemplate = USRSKELDIR;
static const char *def_create_mail_spool = "yes";
static const char *def_log_init = "yes";
@@ -188,6 +192,7 @@ static bool home_added = false;
#define DINACT "INACTIVE="
#define DEXPIRE "EXPIRE="
#define DSKEL "SKEL="
+#define DUSRSKEL "USRSKEL="
#define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL="
#define DLOG_INIT "LOG_INIT="
@@ -461,6 +466,29 @@ static void get_defaults (void)
}
/*
+ * Default Usr Skeleton information
+ */
+ else if (MATCH (buf, DUSRSKEL)) {
+ if ('\0' == *cp) {
+ cp = USRSKELDIR; /* XXX warning: const */
+ }
+
+ if(prefix[0]) {
+ size_t len;
+ int wlen;
+ char* _def_usrtemplate; /* avoid const warning */
+
+ len = strlen(prefix) + strlen(cp) + 2;
+ _def_usrtemplate = xmalloc(len);
+ wlen = snprintf(_def_usrtemplate, len, "%s/%s", prefix, cp);
+ assert (wlen == (int) len -1);
+ def_usrtemplate = _def_usrtemplate;
+ }
+ else {
+ def_usrtemplate = xstrdup (cp);
+ }
+ }
+ /*
* Create by default user mail spool or not ?
*/
else if (MATCH (buf, DCREATE_MAIL_SPOOL)) {
@@ -502,6 +530,7 @@ static void show_defaults (void)
printf ("EXPIRE=%s\n", def_expire);
printf ("SHELL=%s\n", def_shell);
printf ("SKEL=%s\n", def_template);
+ printf ("USRSKEL=%s\n", def_usrtemplate);
printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool);
printf ("LOG_INIT=%s\n", def_log_init);
}
@@ -530,6 +559,7 @@ static int set_defaults (void)
bool out_expire = false;
bool out_shell = false;
bool out_skel = false;
+ bool out_usrskel = false;
bool out_create_mail_spool = false;
bool out_log_init = false;
size_t len;
@@ -643,6 +673,9 @@ static int set_defaults (void)
} else if (!out_skel && MATCH (buf, DSKEL)) {
fprintf (ofp, DSKEL "%s\n", def_template);
out_skel = true;
+ } else if (!out_usrskel && MATCH (buf, DUSRSKEL)) {
+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate);
+ out_usrskel = true;
} else if (!out_create_mail_spool
&& MATCH (buf, DCREATE_MAIL_SPOOL)) {
fprintf (ofp,
@@ -678,6 +711,8 @@ static int set_defaults (void)
fprintf (ofp, DSHELL "%s\n", def_shell);
if (!out_skel)
fprintf (ofp, DSKEL "%s\n", def_template);
+ if (!out_usrskel)
+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate);
if (!out_create_mail_spool)
fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
@@ -2758,6 +2793,8 @@ int main (int argc, char **argv)
if (home_added) {
copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid);
+ copy_tree (def_usrtemplate, prefix_user_home, false, false,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
} else {
fprintf (stderr,
_("%s: warning: the home directory %s already exists.\n"
Index: libmisc/copydir.c
===================================================================
--- libmisc/copydir.c.orig
+++ libmisc/copydir.c
@@ -449,6 +449,14 @@ static int copy_entry (const struct path
}
/*
+ * If the destination already exists do nothing.
+ * This is after the copy_dir above to still iterate into subdirectories.
+ */
+ if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {
+ return 0;
+ }
+
+ /*
* Copy any symbolic links
*/
@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i
gid_t old_gid, gid_t new_gid)
{
int err = 0;
+ struct stat dst_sb;
/*
* Create a new target directory, make it owned by
@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i
return -1;
}
#endif /* WITH_SELINUX */
+ /*
+ * If the destination is already a directory, don't change it
+ * but copy into it (recursively).
+ */
+ if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) {
+ return (copy_tree (src, dst, false, reset_selinux,
+ old_uid, new_uid, old_gid, new_gid) != 0);
+ }
+
if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0)
|| (chownat_if_needed (dst, statp,
old_uid, new_uid, old_gid, new_gid) != 0)