diff --git a/my.patch b/my.patch new file mode 100644 index 0000000..572f354 --- /dev/null +++ b/my.patch @@ -0,0 +1,16 @@ +diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am +index cc24901e..227d8fb4 100644 +--- a/libmisc/Makefile.am ++++ b/libmisc/Makefile.am +@@ -17,9 +17,11 @@ libmisc_la_SOURCES = \ + age.c \ + agetpass.c \ + alloc.c \ ++ alloc.h \ + audit_help.c \ + basename.c \ + bit.c \ ++ bit.h \ + chkname.c \ + chkname.h \ + chowndir.c \ diff --git a/shadow-4.13.tar.xz b/shadow-4.13.tar.xz deleted file mode 100644 index 5c36f2b..0000000 --- a/shadow-4.13.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9afe245d79a2e7caac5f1ed62519b17416b057ec89df316df1c3935502f9dd2c -size 1762908 diff --git a/shadow-4.13.tar.xz.asc b/shadow-4.13.tar.xz.asc deleted file mode 100644 index ebdadeb..0000000 --- a/shadow-4.13.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK -ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5 -2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6 -P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL -xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9 -tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D -AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA== -=33BL ------END PGP SIGNATURE----- diff --git a/shadow-4.14.0.tar.gz b/shadow-4.14.0.tar.gz new file mode 100644 index 0000000..32f3b3e --- /dev/null +++ b/shadow-4.14.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6d894c706156cdf69bc320cf3c587a7a93631046d21669960425e8874f992911 +size 3382521 diff --git a/shadow-CVE-2023-29383.patch b/shadow-CVE-2023-29383.patch deleted file mode 100644 index c4b06c5..0000000 --- a/shadow-CVE-2023-29383.patch +++ /dev/null @@ -1,51 +0,0 @@ -Index: shadow-4.13/lib/fields.c -=================================================================== ---- shadow-4.13.orig/lib/fields.c -+++ shadow-4.13/lib/fields.c -@@ -21,9 +21,9 @@ - * - * The supplied field is scanned for non-printable and other illegal - * characters. -- * + -1 is returned if an illegal character is present. -- * + 1 is returned if no illegal characters are present, but the field -- * contains a non-printable character. -+ * + -1 is returned if an illegal or control character is present. -+ * + 1 is returned if no illegal or control characters are present, -+ * but the field contains a non-printable character. - * + 0 is returned otherwise. - */ - int valid_field (const char *field, const char *illegal) -@@ -37,23 +37,22 @@ int valid_field (const char *field, cons - - /* For each character of field, search if it appears in the list - * of illegal characters. */ -+ if (illegal && NULL != strpbrk (field, illegal)) { -+ return -1; -+ } -+ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { -- if (strchr (illegal, *cp) != NULL) { -+ unsigned char c = *cp; -+ if (!isprint (c)) { -+ err = 1; -+ } -+ if (iscntrl (c)) { - err = -1; - break; - } - } - -- if (0 == err) { -- /* Search if there are some non-printable characters */ -- for (cp = field; '\0' != *cp; cp++) { -- if (!isprint (*cp)) { -- err = 1; -- break; -- } -- } -- } -- - return err; - } - diff --git a/shadow-audit-no-id.patch b/shadow-audit-no-id.patch deleted file mode 100644 index e79fcda..0000000 --- a/shadow-audit-no-id.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 3cfc7955b33c85472a7cf11a0ecf1c6851db7c26 Mon Sep 17 00:00:00 2001 -From: Michael Vetter -Date: Thu, 15 Dec 2022 11:52:58 +0100 -Subject: [PATCH] Fix useradd audit event logging of ID field - -When useradd sends its ADD_USER event, it is filling in the id field. This is not yet written to disk. When auditd sees the event and the log format is enriched, auditd tries to lookup the user name but it does not exist. This causes the event to never be resolvable since ausearch relies on the lookup information attached by auditd. - -The fix is to not send the id information for any event until after close_files() is called. Just the acct field is all that is - -Patch by Steve Grubb (afaik). - -Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1713432 ---- - src/useradd.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/useradd.c b/src/useradd.c -index e59e47681..87abd6e33 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -2225,9 +2225,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count) - #endif /* ENABLE_SUBIDS */ - - #ifdef WITH_AUDIT -+ /* -+ * Even though we have the ID of the user, we won't send it now -+ * because its not written to disk yet. After close_files it is -+ * and we can use the real ID thereafter. -+ */ - audit_logger (AUDIT_ADD_USER, Prog, - "adding user", -- user_name, (unsigned int) user_id, -+ user_name, AUDIT_NO_ID, - SHADOW_AUDIT_SUCCESS); - #endif - /* diff --git a/shadow-fix-print-login-timeout.patch b/shadow-fix-print-login-timeout.patch deleted file mode 100644 index 7a6dcbd..0000000 --- a/shadow-fix-print-login-timeout.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 670cae834827a8f794e6f7464fa57790d911b63c Mon Sep 17 00:00:00 2001 -From: SoumyaWind <121475834+SoumyaWind@users.noreply.github.com> -Date: Tue, 27 Dec 2022 17:40:17 +0530 -Subject: [PATCH] shadow: Fix can not print full login timeout message - -Login timed out message prints only first few bytes when write is immediately followed by exit. -Calling exit from new handler provides enough time to display full message. ---- - src/login.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/login.c b/src/login.c -index 116e2cb36..c55f4de0a 100644 ---- a/src/login.c -+++ b/src/login.c -@@ -120,6 +120,7 @@ static void get_pam_user (char **ptr_pam_user); - - static void init_env (void); - static void alarm_handler (int); -+static void exit_handler (int); - - /* - * usage - print login command usage and exit -@@ -391,11 +392,16 @@ static void init_env (void) - #endif /* !USE_PAM */ - } - -+static void exit_handler (unused int sig) -+{ -+ _exit (0); -+} - - static void alarm_handler (unused int sig) - { - write (STDERR_FILENO, tmsg, strlen (tmsg)); -- _exit (0); -+ signal(SIGALRM, exit_handler); -+ alarm(2); - } - - #ifdef USE_PAM diff --git a/shadow.changes b/shadow.changes index 67d8d7c..b8aa697 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Aug 3 17:09:55 UTC 2023 - Michael Vetter + +- Update to 4.14.0: +- Refresh useradd-default.patch +- Remove upstreamed patches: + * useradd-userkeleton.patch + * shadow-audit-no-id.patch + * shadow-fix-print-login-timeout.patch + * shadow-CVE-2023-29383.patch + ------------------------------------------------------------------- Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter diff --git a/shadow.spec b/shadow.spec index 90580cb..01f6f1f 100644 --- a/shadow.spec +++ b/shadow.spec @@ -22,15 +22,17 @@ %define no_config 1 %endif Name: shadow -Version: 4.13 +Version: 4.14.0 Release: 0 Summary: Utilities to Manage User and Group Accounts License: BSD-3-Clause AND GPL-2.0-or-later Group: System/Base URL: https://github.com/shadow-maint/shadow -Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz +#Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz/ +#Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc1/shadow-4.14.0-rc1.tar.xz#/shadow-%{version}.tar.xz +Source0: https://github.com/shadow-maint/shadow/archive/refs/tags/4.14.0-rc1.tar.gz#/shadow-%{version}.tar.gz Source1: pamd.tar.bz2 -Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc +#Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source3: %{name}.keyring Source4: shadow.service Source5: shadow.timer @@ -46,26 +48,22 @@ Patch2: shadow-util-linux.patch Patch3: shadow-login_defs-comments.patch # PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs. Patch4: shadow-login_defs-suse.patch -# PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321) (gh/shadow-maint/shadow#591) -Patch5: useradd-userkeleton.patch # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions. -Patch6: disable_new_audit_function.patch -# PATCH-FIX-UPSTREAM shadow-audit-no-id.patch mvetter@suse.com -- Fix useradd audit event logging of ID field (bsc#1205502) (gh/shadow-maint/shadow#606) -Patch7: shadow-audit-no-id.patch -# PATCH-FIX-UPSTREAM shadow-fix-print-login-timeout.patch mvetter@suse.com -- Fix print full login timeout message (gh/shadow-maint/shadow#621) -Patch8: shadow-fix-print-login-timeout.patch -# PATCH-FIX-UPSTREAM shadow-CVE-2023-29383.patch mvetter@suse.com -- Check control chracters in chfn (bsc#1210507) -Patch9: shadow-CVE-2023-29383.patch +Patch5: disable_new_audit_function.patch +Patch6: my.patch BuildRequires: audit-devel > 2.3 BuildRequires: autoconf BuildRequires: automake BuildRequires: libacl-devel BuildRequires: libattr-devel +BuildRequires: libbsd-devel BuildRequires: libselinux-devel BuildRequires: libsemanage-devel BuildRequires: libtool BuildRequires: pam-devel BuildRequires: xz +# todo +BuildRequires: byacc Requires: login_defs >= %{version} Requires(pre): group(root) Requires(pre): group(shadow) @@ -113,19 +111,16 @@ Requires: libsubid4 = %{version} Development files for libsubid4. %prep -%setup -q -a 1 +%setup -q -a 1 -n shadow-4.14.0-rc1 %patch0 %patch1 %patch2 %patch3 %patch4 -%patch5 %if 0%{?suse_version} < 1330 -%patch6 -p1 +%patch5 -p1 %endif -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +%patch6 -p1 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO @@ -148,7 +143,8 @@ autoreconf -fvi --without-libcrack \ --with-group-name-max-length=32 \ --enable-vendordir=%{_distconfdir} -%make_build +#%make_build +make -j1 # --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336 %install diff --git a/useradd-default.patch b/useradd-default.patch index ed8e29e..8e633d0 100644 --- a/useradd-default.patch +++ b/useradd-default.patch @@ -2,12 +2,12 @@ Index: src/useradd.c =================================================================== --- src/useradd.c.orig +++ src/useradd.c -@@ -101,7 +101,7 @@ FILE *shadow_logfd = NULL; +@@ -87,7 +87,7 @@ const char *Prog; /* * These defaults are used if there is no defaults file. */ -static gid_t def_group = 1000; +static gid_t def_group = 100; + static const char *def_groups = ""; static const char *def_gname = "other"; static const char *def_home = "/home"; - static const char *def_shell = "/bin/bash"; diff --git a/useradd-userkeleton.patch b/useradd-userkeleton.patch deleted file mode 100644 index 32d83bc..0000000 --- a/useradd-userkeleton.patch +++ /dev/null @@ -1,154 +0,0 @@ -Copy also skeleton files from /usr/etc/skel (boo#1173321) - ---- - etc/useradd | 1 + - src/useradd.c | 37 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 38 insertions(+) - -Index: src/useradd.c -=================================================================== ---- src/useradd.c.orig -+++ src/useradd.c -@@ -61,6 +61,9 @@ - #ifndef SKEL_DIR - #define SKEL_DIR "/etc/skel" - #endif -+#ifndef USRSKELDIR -+#define USRSKELDIR "/usr/etc/skel" -+#endif - #ifndef USER_DEFAULTS_FILE - #define USER_DEFAULTS_FILE "/etc/default/useradd" - #define NEW_USER_FILE "/etc/default/nuaddXXXXXX" -@@ -84,6 +87,7 @@ static const char *def_gname = "other"; - static const char *def_home = "/home"; - static const char *def_shell = "/bin/bash"; - static const char *def_template = SKEL_DIR; -+static const char *def_usrtemplate = USRSKELDIR; - static const char *def_create_mail_spool = "yes"; - static const char *def_log_init = "yes"; - -@@ -188,6 +192,7 @@ static bool home_added = false; - #define DINACT "INACTIVE=" - #define DEXPIRE "EXPIRE=" - #define DSKEL "SKEL=" -+#define DUSRSKEL "USRSKEL=" - #define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL=" - #define DLOG_INIT "LOG_INIT=" - -@@ -461,6 +466,29 @@ static void get_defaults (void) - } - - /* -+ * Default Usr Skeleton information -+ */ -+ else if (MATCH (buf, DUSRSKEL)) { -+ if ('\0' == *cp) { -+ cp = USRSKELDIR; /* XXX warning: const */ -+ } -+ -+ if(prefix[0]) { -+ size_t len; -+ int wlen; -+ char* _def_usrtemplate; /* avoid const warning */ -+ -+ len = strlen(prefix) + strlen(cp) + 2; -+ _def_usrtemplate = xmalloc(len); -+ wlen = snprintf(_def_usrtemplate, len, "%s/%s", prefix, cp); -+ assert (wlen == (int) len -1); -+ def_usrtemplate = _def_usrtemplate; -+ } -+ else { -+ def_usrtemplate = xstrdup (cp); -+ } -+ } -+ /* - * Create by default user mail spool or not ? - */ - else if (MATCH (buf, DCREATE_MAIL_SPOOL)) { -@@ -502,6 +530,7 @@ static void show_defaults (void) - printf ("EXPIRE=%s\n", def_expire); - printf ("SHELL=%s\n", def_shell); - printf ("SKEL=%s\n", def_template); -+ printf ("USRSKEL=%s\n", def_usrtemplate); - printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool); - printf ("LOG_INIT=%s\n", def_log_init); - } -@@ -530,6 +559,7 @@ static int set_defaults (void) - bool out_expire = false; - bool out_shell = false; - bool out_skel = false; -+ bool out_usrskel = false; - bool out_create_mail_spool = false; - bool out_log_init = false; - size_t len; -@@ -643,6 +673,9 @@ static int set_defaults (void) - } else if (!out_skel && MATCH (buf, DSKEL)) { - fprintf (ofp, DSKEL "%s\n", def_template); - out_skel = true; -+ } else if (!out_usrskel && MATCH (buf, DUSRSKEL)) { -+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate); -+ out_usrskel = true; - } else if (!out_create_mail_spool - && MATCH (buf, DCREATE_MAIL_SPOOL)) { - fprintf (ofp, -@@ -678,6 +711,8 @@ static int set_defaults (void) - fprintf (ofp, DSHELL "%s\n", def_shell); - if (!out_skel) - fprintf (ofp, DSKEL "%s\n", def_template); -+ if (!out_usrskel) -+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate); - - if (!out_create_mail_spool) - fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool); -@@ -2758,6 +2793,8 @@ int main (int argc, char **argv) - if (home_added) { - copy_tree (def_template, prefix_user_home, false, true, - (uid_t)-1, user_id, (gid_t)-1, user_gid); -+ copy_tree (def_usrtemplate, prefix_user_home, false, false, -+ (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, - _("%s: warning: the home directory %s already exists.\n" -Index: libmisc/copydir.c -=================================================================== ---- libmisc/copydir.c.orig -+++ libmisc/copydir.c -@@ -449,6 +449,14 @@ static int copy_entry (const struct path - } - - /* -+ * If the destination already exists do nothing. -+ * This is after the copy_dir above to still iterate into subdirectories. -+ */ -+ if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) { -+ return 0; -+ } -+ -+ /* - * Copy any symbolic links - */ - -@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i - gid_t old_gid, gid_t new_gid) - { - int err = 0; -+ struct stat dst_sb; - - /* - * Create a new target directory, make it owned by -@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i - return -1; - } - #endif /* WITH_SELINUX */ -+ /* -+ * If the destination is already a directory, don't change it -+ * but copy into it (recursively). -+ */ -+ if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) { -+ return (copy_tree (src, dst, false, reset_selinux, -+ old_uid, new_uid, old_gid, new_gid) != 0); -+ } -+ - if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0) - || (chownat_if_needed (dst, statp, - old_uid, new_uid, old_gid, new_gid) != 0)