- Update to 4.14.0:
- Refresh useradd-default.patch - Remove upstreamed patches: * useradd-userkeleton.patch * shadow-audit-no-id.patch * shadow-fix-print-login-timeout.patch * shadow-CVE-2023-29383.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=149
This commit is contained in:
parent
de2ffbd8a7
commit
51ee267bd3
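--- /dev/null
+++ b/my.patch
@@ -0,0 +1,16 @@
+diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
+index cc24901e..227d8fb4 100644
+--- a/libmisc/Makefile.am
++++ b/libmisc/Makefile.am
+@@ -17,9 +17,11 @@ libmisc_la_SOURCES = \
+age.c \
+agetpass.c \
+alloc.c \
++ alloc.h \
+audit_help.c \
+basename.c \
+bit.c \
++ bit.h \
+chkname.c \
+chkname.h \
+chowndir.c \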
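Review bot: The patch has no header or description, and the spec registers it as `Patch6: my.patch` without the `# PATCH-FIX-* ... -- reason` comment every other patch entry carries, so a later packager cannot tell why `alloc.h` and `bit.h` are being added to `libmisc_la_SOURCES` or whether upstream already has the change. Give the file a descriptive name and a short top-of-file header, e.g. `Add alloc.h and bit.h to libmisc_la_SOURCES (presumably so they are shipped by make dist; confirm against upstream)`, and mirror it in the spec as `# PATCH-FIX-UPSTREAM <name>.patch jubalh@iodoru.org -- <reason> (<upstream reference>)`. If the change is only needed because the tag archive replaces the release tarball, say so in the header rather than leaving the reader to guess.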
BIN
shadow-4.13.tar.xz
(Stored with Git LFS)
BIN
shadow-4.13.tar.xz
(Stored with Git LFS)
Binary file not shown.
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK
|
||||
ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5
|
||||
2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6
|
||||
P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL
|
||||
xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9
|
||||
tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D
|
||||
AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA==
|
||||
=33BL
|
||||
-----END PGP SIGNATURE-----
|
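--- /dev/null
+++ b/shadow-4.14.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d894c706156cdf69bc320cf3c587a7a93631046d21669960425e8874f992911
+size 3382521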
@ -1,51 +0,0 @@
|
||||
Index: shadow-4.13/lib/fields.c
|
||||
===================================================================
|
||||
--- shadow-4.13.orig/lib/fields.c
|
||||
+++ shadow-4.13/lib/fields.c
|
||||
@@ -21,9 +21,9 @@
|
||||
*
|
||||
* The supplied field is scanned for non-printable and other illegal
|
||||
* characters.
|
||||
- * + -1 is returned if an illegal character is present.
|
||||
- * + 1 is returned if no illegal characters are present, but the field
|
||||
- * contains a non-printable character.
|
||||
+ * + -1 is returned if an illegal or control character is present.
|
||||
+ * + 1 is returned if no illegal or control characters are present,
|
||||
+ * but the field contains a non-printable character.
|
||||
* + 0 is returned otherwise.
|
||||
*/
|
||||
int valid_field (const char *field, const char *illegal)
|
||||
@@ -37,23 +37,22 @@ int valid_field (const char *field, cons
|
||||
|
||||
/* For each character of field, search if it appears in the list
|
||||
* of illegal characters. */
|
||||
+ if (illegal && NULL != strpbrk (field, illegal)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ /* Search if there are non-printable or control characters */
|
||||
for (cp = field; '\0' != *cp; cp++) {
|
||||
- if (strchr (illegal, *cp) != NULL) {
|
||||
+ unsigned char c = *cp;
|
||||
+ if (!isprint (c)) {
|
||||
+ err = 1;
|
||||
+ }
|
||||
+ if (iscntrl (c)) {
|
||||
err = -1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
- if (0 == err) {
|
||||
- /* Search if there are some non-printable characters */
|
||||
- for (cp = field; '\0' != *cp; cp++) {
|
||||
- if (!isprint (*cp)) {
|
||||
- err = 1;
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
return err;
|
||||
}
|
||||
|
@ -1,36 +0,0 @@
|
||||
From 3cfc7955b33c85472a7cf11a0ecf1c6851db7c26 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Vetter <jubalh@iodoru.org>
|
||||
Date: Thu, 15 Dec 2022 11:52:58 +0100
|
||||
Subject: [PATCH] Fix useradd audit event logging of ID field
|
||||
|
||||
When useradd sends its ADD_USER event, it is filling in the id field. This is not yet written to disk. When auditd sees the event and the log format is enriched, auditd tries to lookup the user name but it does not exist. This causes the event to never be resolvable since ausearch relies on the lookup information attached by auditd.
|
||||
|
||||
The fix is to not send the id information for any event until after close_files() is called. Just the acct field is all that is
|
||||
|
||||
Patch by Steve Grubb (afaik).
|
||||
|
||||
Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1713432
|
||||
---
|
||||
src/useradd.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index e59e47681..87abd6e33 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -2225,9 +2225,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
|
||||
#ifdef WITH_AUDIT
|
||||
+ /*
|
||||
+ * Even though we have the ID of the user, we won't send it now
|
||||
+ * because its not written to disk yet. After close_files it is
|
||||
+ * and we can use the real ID thereafter.
|
||||
+ */
|
||||
audit_logger (AUDIT_ADD_USER, Prog,
|
||||
"adding user",
|
||||
- user_name, (unsigned int) user_id,
|
||||
+ user_name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_SUCCESS);
|
||||
#endif
|
||||
/*
|
@ -1,41 +0,0 @@
|
||||
From 670cae834827a8f794e6f7464fa57790d911b63c Mon Sep 17 00:00:00 2001
|
||||
From: SoumyaWind <121475834+SoumyaWind@users.noreply.github.com>
|
||||
Date: Tue, 27 Dec 2022 17:40:17 +0530
|
||||
Subject: [PATCH] shadow: Fix can not print full login timeout message
|
||||
|
||||
Login timed out message prints only first few bytes when write is immediately followed by exit.
|
||||
Calling exit from new handler provides enough time to display full message.
|
||||
---
|
||||
src/login.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/login.c b/src/login.c
|
||||
index 116e2cb36..c55f4de0a 100644
|
||||
--- a/src/login.c
|
||||
+++ b/src/login.c
|
||||
@@ -120,6 +120,7 @@ static void get_pam_user (char **ptr_pam_user);
|
||||
|
||||
static void init_env (void);
|
||||
static void alarm_handler (int);
|
||||
+static void exit_handler (int);
|
||||
|
||||
/*
|
||||
* usage - print login command usage and exit
|
||||
@@ -391,11 +392,16 @@ static void init_env (void)
|
||||
#endif /* !USE_PAM */
|
||||
}
|
||||
|
||||
+static void exit_handler (unused int sig)
|
||||
+{
|
||||
+ _exit (0);
|
||||
+}
|
||||
|
||||
static void alarm_handler (unused int sig)
|
||||
{
|
||||
write (STDERR_FILENO, tmsg, strlen (tmsg));
|
||||
- _exit (0);
|
||||
+ signal(SIGALRM, exit_handler);
|
||||
+ alarm(2);
|
||||
}
|
||||
|
||||
#ifdef USE_PAM
|
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 3 17:09:55 UTC 2023 - Michael Vetter <jubalh@iodoru.org>
|
||||
|
||||
- Update to 4.14.0:
|
||||
- Refresh useradd-default.patch
|
||||
- Remove upstreamed patches:
|
||||
* useradd-userkeleton.patch
|
||||
* shadow-audit-no-id.patch
|
||||
* shadow-fix-print-login-timeout.patch
|
||||
* shadow-CVE-2023-29383.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter <mvetter@suse.com>
|
||||
|
||||
|
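--- a/shadow.spec
+++ b/shadow.spec
@@ -22,15 +22,17 @@
 %define no_config 1
 %endif
 Name: shadow
-Version: 4.13
+Version: 4.14.0
 Release: 0
 Summary: Utilities to Manage User and Group Accounts
 License: BSD-3-Clause AND GPL-2.0-or-later
 Group: System/Base
 URL: https://github.com/shadow-maint/shadow
-Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+#Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz/
+#Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc1/shadow-4.14.0-rc1.tar.xz#/shadow-%{version}.tar.xz
+Source0: https://github.com/shadow-maint/shadow/archive/refs/tags/4.14.0-rc1.tar.gz#/shadow-%{version}.tar.gz
 Source1: pamd.tar.bz2
-Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+#Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
 Source3: %{name}.keyring
 Source4: shadow.service
 Source5: shadow.timer
@@ -46,26 +48,22 @@ Patch2: shadow-util-linux.patch
 Patch3: shadow-login_defs-comments.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
 Patch4: shadow-login_defs-suse.patch
-# PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321) (gh/shadow-maint/shadow#591)
-Patch5: useradd-userkeleton.patch
 # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
-Patch6: disable_new_audit_function.patch
-# PATCH-FIX-UPSTREAM shadow-audit-no-id.patch mvetter@suse.com -- Fix useradd audit event logging of ID field (bsc#1205502) (gh/shadow-maint/shadow#606)
-Patch7: shadow-audit-no-id.patch
-# PATCH-FIX-UPSTREAM shadow-fix-print-login-timeout.patch mvetter@suse.com -- Fix print full login timeout message (gh/shadow-maint/shadow#621)
-Patch8: shadow-fix-print-login-timeout.patch
-# PATCH-FIX-UPSTREAM shadow-CVE-2023-29383.patch mvetter@suse.com -- Check control chracters in chfn (bsc#1210507)
-Patch9: shadow-CVE-2023-29383.patch
+Patch5: disable_new_audit_function.patch
+Patch6: my.patch
 BuildRequires: audit-devel > 2.3
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libacl-devel
 BuildRequires: libattr-devel
+BuildRequires: libbsd-devel
 BuildRequires: libselinux-devel
 BuildRequires: libsemanage-devel
 BuildRequires: libtool
 BuildRequires: pam-devel
 BuildRequires: xz
+# todo
+BuildRequires: byacc
 Requires: login_defs >= %{version}
 Requires(pre): group(root)
 Requires(pre): group(shadow)
@@ -113,19 +111,16 @@ Requires: libsubid4 = %{version}
 Development files for libsubid4.
 
 %prep
-%setup -q -a 1
+%setup -q -a 1 -n shadow-4.14.0-rc1
 %patch0
 %patch1
 %patch2
 %patch3
 %patch4
-%patch5
 %if 0%{?suse_version} < 1330
-%patch6 -p1
+%patch5 -p1
 %endif
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
+%patch6 -p1
 
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 mv -v doc/HOWTO.utf8 doc/HOWTO
@@ -148,7 +143,8 @@ autoreconf -fvi
 --without-libcrack \
 --with-group-name-max-length=32 \
 --enable-vendordir=%{_distconfdir}
-%make_build
+#%make_build
+make -j1
 # --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336
 
 %install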
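Review bot: Source verification is silently dropped in the first hunk: `Source0` now fetches the auto-generated tag archive `archive/refs/tags/4.14.0-rc1.tar.gz` instead of the signed release tarball, and the signature entry is commented out (`#Source2: ...shadow-%{version}.tar.xz.asc`) while `Source3: %{name}.keyring` stays, so the keyring no longer verifies anything and the build input is an unsigned on-the-fly archive whose bytes GitHub does not guarantee to be stable. `Version: 4.14.0` and the changelog announce 4.14.0, but `%setup -q -a 1 -n shadow-4.14.0-rc1` unpacks the release candidate, so the package version misrepresents what is built; the commented-out `#%make_build` / `make -j1` and the `# todo` above `BuildRequires: byacc` likewise read as work in progress. When the final tarball and its `.asc` are published, restore `Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz` and `Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc` and drop `-n shadow-4.14.0-rc1`; if the rc is intended, reflect it in the version and point Source2 at the signature of the rc release tarball so the keyring check is exercised again.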
@ -2,12 +2,12 @@ Index: src/useradd.c
|
||||
===================================================================
|
||||
--- src/useradd.c.orig
|
||||
+++ src/useradd.c
|
||||
@@ -101,7 +101,7 @@ FILE *shadow_logfd = NULL;
|
||||
@@ -87,7 +87,7 @@ const char *Prog;
|
||||
/*
|
||||
* These defaults are used if there is no defaults file.
|
||||
*/
|
||||
-static gid_t def_group = 1000;
|
||||
+static gid_t def_group = 100;
|
||||
static const char *def_groups = "";
|
||||
static const char *def_gname = "other";
|
||||
static const char *def_home = "/home";
|
||||
static const char *def_shell = "/bin/bash";
|
||||
|
@ -1,154 +0,0 @@
|
||||
Copy also skeleton files from /usr/etc/skel (boo#1173321)
|
||||
|
||||
---
|
||||
etc/useradd | 1 +
|
||||
src/useradd.c | 37 +++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 38 insertions(+)
|
||||
|
||||
Index: src/useradd.c
|
||||
===================================================================
|
||||
--- src/useradd.c.orig
|
||||
+++ src/useradd.c
|
||||
@@ -61,6 +61,9 @@
|
||||
#ifndef SKEL_DIR
|
||||
#define SKEL_DIR "/etc/skel"
|
||||
#endif
|
||||
+#ifndef USRSKELDIR
|
||||
+#define USRSKELDIR "/usr/etc/skel"
|
||||
+#endif
|
||||
#ifndef USER_DEFAULTS_FILE
|
||||
#define USER_DEFAULTS_FILE "/etc/default/useradd"
|
||||
#define NEW_USER_FILE "/etc/default/nuaddXXXXXX"
|
||||
@@ -84,6 +87,7 @@ static const char *def_gname = "other";
|
||||
static const char *def_home = "/home";
|
||||
static const char *def_shell = "/bin/bash";
|
||||
static const char *def_template = SKEL_DIR;
|
||||
+static const char *def_usrtemplate = USRSKELDIR;
|
||||
static const char *def_create_mail_spool = "yes";
|
||||
static const char *def_log_init = "yes";
|
||||
|
||||
@@ -188,6 +192,7 @@ static bool home_added = false;
|
||||
#define DINACT "INACTIVE="
|
||||
#define DEXPIRE "EXPIRE="
|
||||
#define DSKEL "SKEL="
|
||||
+#define DUSRSKEL "USRSKEL="
|
||||
#define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL="
|
||||
#define DLOG_INIT "LOG_INIT="
|
||||
|
||||
@@ -461,6 +466,29 @@ static void get_defaults (void)
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Default Usr Skeleton information
|
||||
+ */
|
||||
+ else if (MATCH (buf, DUSRSKEL)) {
|
||||
+ if ('\0' == *cp) {
|
||||
+ cp = USRSKELDIR; /* XXX warning: const */
|
||||
+ }
|
||||
+
|
||||
+ if(prefix[0]) {
|
||||
+ size_t len;
|
||||
+ int wlen;
|
||||
+ char* _def_usrtemplate; /* avoid const warning */
|
||||
+
|
||||
+ len = strlen(prefix) + strlen(cp) + 2;
|
||||
+ _def_usrtemplate = xmalloc(len);
|
||||
+ wlen = snprintf(_def_usrtemplate, len, "%s/%s", prefix, cp);
|
||||
+ assert (wlen == (int) len -1);
|
||||
+ def_usrtemplate = _def_usrtemplate;
|
||||
+ }
|
||||
+ else {
|
||||
+ def_usrtemplate = xstrdup (cp);
|
||||
+ }
|
||||
+ }
|
||||
+ /*
|
||||
* Create by default user mail spool or not ?
|
||||
*/
|
||||
else if (MATCH (buf, DCREATE_MAIL_SPOOL)) {
|
||||
@@ -502,6 +530,7 @@ static void show_defaults (void)
|
||||
printf ("EXPIRE=%s\n", def_expire);
|
||||
printf ("SHELL=%s\n", def_shell);
|
||||
printf ("SKEL=%s\n", def_template);
|
||||
+ printf ("USRSKEL=%s\n", def_usrtemplate);
|
||||
printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool);
|
||||
printf ("LOG_INIT=%s\n", def_log_init);
|
||||
}
|
||||
@@ -530,6 +559,7 @@ static int set_defaults (void)
|
||||
bool out_expire = false;
|
||||
bool out_shell = false;
|
||||
bool out_skel = false;
|
||||
+ bool out_usrskel = false;
|
||||
bool out_create_mail_spool = false;
|
||||
bool out_log_init = false;
|
||||
size_t len;
|
||||
@@ -643,6 +673,9 @@ static int set_defaults (void)
|
||||
} else if (!out_skel && MATCH (buf, DSKEL)) {
|
||||
fprintf (ofp, DSKEL "%s\n", def_template);
|
||||
out_skel = true;
|
||||
+ } else if (!out_usrskel && MATCH (buf, DUSRSKEL)) {
|
||||
+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate);
|
||||
+ out_usrskel = true;
|
||||
} else if (!out_create_mail_spool
|
||||
&& MATCH (buf, DCREATE_MAIL_SPOOL)) {
|
||||
fprintf (ofp,
|
||||
@@ -678,6 +711,8 @@ static int set_defaults (void)
|
||||
fprintf (ofp, DSHELL "%s\n", def_shell);
|
||||
if (!out_skel)
|
||||
fprintf (ofp, DSKEL "%s\n", def_template);
|
||||
+ if (!out_usrskel)
|
||||
+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate);
|
||||
|
||||
if (!out_create_mail_spool)
|
||||
fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
|
||||
@@ -2758,6 +2793,8 @@ int main (int argc, char **argv)
|
||||
if (home_added) {
|
||||
copy_tree (def_template, prefix_user_home, false, true,
|
||||
(uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||
+ copy_tree (def_usrtemplate, prefix_user_home, false, false,
|
||||
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||
} else {
|
||||
fprintf (stderr,
|
||||
_("%s: warning: the home directory %s already exists.\n"
|
||||
Index: libmisc/copydir.c
|
||||
===================================================================
|
||||
--- libmisc/copydir.c.orig
|
||||
+++ libmisc/copydir.c
|
||||
@@ -449,6 +449,14 @@ static int copy_entry (const struct path
|
||||
}
|
||||
|
||||
/*
|
||||
+ * If the destination already exists do nothing.
|
||||
+ * This is after the copy_dir above to still iterate into subdirectories.
|
||||
+ */
|
||||
+ if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
* Copy any symbolic links
|
||||
*/
|
||||
|
||||
@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
int err = 0;
|
||||
+ struct stat dst_sb;
|
||||
|
||||
/*
|
||||
* Create a new target directory, make it owned by
|
||||
@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
+ /*
|
||||
+ * If the destination is already a directory, don't change it
|
||||
+ * but copy into it (recursively).
|
||||
+ */
|
||||
+ if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) {
|
||||
+ return (copy_tree (src, dst, false, reset_selinux,
|
||||
+ old_uid, new_uid, old_gid, new_gid) != 0);
|
||||
+ }
|
||||
+
|
||||
if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0)
|
||||
|| (chownat_if_needed (dst, statp,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0)
|