pool/shadow
SHA256
11
0
Fork 2
Code Issues Pull Requests Activity

Accepting request 999092 from Base:System

Browse Source 
- Update to 4.12.3:
  Revert removal of subid_init, which should have bumped soname.
  So note that 4.12 through 4.12.2 were broken for subid users.

- Update to 4.12.2:
  * Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
- Refresh useradd-userkeleton.patch:
  LSTAT() was removed with https://github.com/shadow-maint/shadow/pull/545
  Let's use fstatat() now.

- Update to 4.12.1:
  * Fix uk manpages
- Remove shadow-4.12-remove-uk.patch: fixed upstream

- Update to 4.12:
  * Add absolute path hint to --root
  * Various cleanups
  * Fix Ubuntu release used in CI tests
  * add -F options to userad
  * useradd manpage updates
  * Check for ownerid (not just username) in subid ranges
  * Declare file local functions static
  * Use strict prototypes
  * Do not drop const qualifier for Basename
  * Constify various pointers
  * Don't return uninitialized memory
  * Don't let compiler optimize away memory cleaning
  * Remove many obsolete compatibility checks  and defines
  * Modify ID range check in useradd
  * Use "extern "C"" to make libsubid easier to use from C++

OBS-URL: https://build.opensuse.org/request/show/999092
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=48
This commit is contained in:
Dominique Leuenberger
2022-08-26 07:08:03 +00:00
committed by Git OBS Bridge
parent d2ca3da6d4 2fcb52ebdf
commit 58b710d489
7 changed files with 155 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
shadow-4.11.1.tar.xz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:41f093ce58b2ae5f389a1c5553e0c18bc73e6fe27f66273891991198a7707c95
size 1656584

11
shadow-4.11.1.tar.xz.asc
View File

@@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmHSaooACgkQNXDaFycK
ziQEowf8CnA6H9sohv45+YPfwzFs9Drj4iUX8q/v6z0SwzWtY2NeKGazABryeu9Q
DadmXeSFqIUQgzMWV1FMNwP0wFACSxsodfzusRQ/eKHjG4+5elVAqXHnxhJDZqvt
83iWXtGd+/L9mlpKfaWhSrSI/VPfzUQYYrmz/cMbkP3ijPmaCvW1Ke5pWrnhky5I
Iur+BqkiA5+Gi/mChhDZzBuE3eaIDRPVOYkmL5tyDjK7SyFmsM0lhGNwZQ525gDJ
9/NbkIAgz59lfcLZXjZ9Ui4hTh+YKjlSbsMlmo6Bpp29crwzfC3ppe69mwBywA3K
nt2BZxeFv3mkBnQXPabCBE8gaR8ZIQ==
=8xjr
-----END PGP SIGNATURE-----

3
shadow-4.12.3.tar.xz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3d3ec447cfdd11ab5f0486ebc47d15718349d13fea41fc8584568bc118083ccd
size 1747620

11
shadow-4.12.3.tar.xz.asc Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmMDfQYACgkQNXDaFycK
ziQvPQf9HGXVezTAIW+tqa3T/Fpc1q8JPVXJO/GzNQPuyoqZCtHZihqgvc3gkdcB
ZXIYXy1pB5lX6SEpSJjIeugXiUDBS465Q+Is1C76HqGh8dH7ws8tn4/ypA0S8/pv
rkFT+sSjEqJLGCRpoRNoH2r++WkzUlags9aPabhZgJKHny31rSRAre0bsva7IGPs
6iq1r4apKl8YssybAus3jmstxKj6y9S2Cmv+iEN0jY/+Oagrbl45p+NuHf/E0TSp
sCnZCLtzUBb5LTeIfz15P+MfG+hDhFLPedWlLVTr7YZSWJVwf4gwttUWUOmSkkuF
PEy7hhvMAd7X5Rtz/GVtfas+UUfekA==
=WZd1
-----END PGP SIGNATURE-----

95
shadow.changes
View File

@@ -1,3 +1,98 @@
-------------------------------------------------------------------
Mon Aug 22 13:59:35 UTC 2022 - Michael Vetter <mvetter@suse.com>
- Update to 4.12.3:
Revert removal of subid_init, which should have bumped soname.
So note that 4.12 through 4.12.2 were broken for subid users.
-------------------------------------------------------------------
Fri Aug 19 06:32:28 UTC 2022 - Michael Vetter <mvetter@suse.com>
- Update to 4.12.2:
* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
- Refresh useradd-userkeleton.patch:
LSTAT() was removed with https://github.com/shadow-maint/shadow/pull/545
Let's use fstatat() now.
-------------------------------------------------------------------
Mon Aug 15 17:42:01 UTC 2022 - Michael Vetter <mvetter@suse.com>
- Update to 4.12.1:
* Fix uk manpages
- Remove shadow-4.12-remove-uk.patch: fixed upstream
-------------------------------------------------------------------
Fri Aug 12 06:05:35 UTC 2022 - Michael Vetter <mvetter@suse.com>
- Update to 4.12:
* Add absolute path hint to --root
* Various cleanups
* Fix Ubuntu release used in CI tests
* add -F options to userad
* useradd manpage updates
* Check for ownerid (not just username) in subid ranges
* Declare file local functions static
* Use strict prototypes
* Do not drop const qualifier for Basename
* Constify various pointers
* Don't return uninitialized memory
* Don't let compiler optimize away memory cleaning
* Remove many obsolete compatibility checks and defines
* Modify ID range check in useradd
* Use "extern "C"" to make libsubid easier to use from C++
* French translation updates
* Fix s/with-pam/with-libpam/
* Spanish translation updates
* French translation fixes
* Default max group name length to 32
* Fix PAM service files without-selinux
* Improve manpages
- groupadd, useradd, usermod
- groups and id
- pwck
* Add fedora to CI builds
* Fix condition under which pw_dir check happens
* logoutd: switch to strncat
* AUTHORS: improve markdown output
* Handle ERANGE errors correctly
* Check for fopen NULL return
* Split get_salt() into its own fn juyin)
* Get salt before chroot to ensure /dev/urandom.
* Chpasswd code cleanup
* Work around git safe.directory enforcement
* Alphabetize order in usermod help
* Erase password copy on error branches
* Suggest using --badname if needed
* Update translation files
* Correct badnames option to badname
* configure: replace obsolete autoconf macros
* tests: replace egrep with grep -E
* Update Ukrainian translations
* Cleanups
- Remove redeclared variable
- Remove commented out code and FIXMEs
- Add header guards
- Initialize local variables
* CI updates
- Create github workflow to install dependencies
- Enable CodeQL
- Update actions version
* libmisc: use /dev/urandom as fallback if other methods fail
- Add shadow-4.12-remove-uk.patch:
Disable non working Ukranian translation for now
https://github.com/shadow-maint/shadow/issues/547
-------------------------------------------------------------------
Tue Aug 9 06:29:07 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Remove duplicate pam.d/useradd entry
- Provide /etc/login.defs.d on SLE15 since we support and use it
-------------------------------------------------------------------
Mon Aug 8 13:00:46 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Use %_pam_vendordir macro
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 12 16:52:39 UTC 2022 - Stanislav Brabec <sbrabec@suse.com> Wed Jan 12 16:52:39 UTC 2022 - Stanislav Brabec <sbrabec@suse.com>

39
shadow.spec
View File

@@ -22,20 +22,20 @@
%define no_config 1 %define no_config 1
%endif %endif
Name: shadow Name: shadow
Version: 4.11.1 Version: 4.12.3
Release: 0 Release: 0
Summary: Utilities to Manage User and Group Accounts Summary: Utilities to Manage User and Group Accounts
License: BSD-3-Clause AND GPL-2.0-or-later License: BSD-3-Clause AND GPL-2.0-or-later
Group: System/Base Group: System/Base
URL: https://github.com/shadow-maint/shadow URL: https://github.com/shadow-maint/shadow
Source: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz Source: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
Source1: pamd.tar.bz2 Source1: pamd.tar.bz2
Source3: useradd.local Source3: useradd.local
Source4: userdel-pre.local Source4: userdel-pre.local
Source5: userdel-post.local Source5: userdel-post.local
Source6: shadow.service Source6: shadow.service
Source7: shadow.timer Source7: shadow.timer
Source42: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc Source42: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
Source43: %{name}.keyring Source43: %{name}.keyring
# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches. # SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
Source44: shadow-login_defs-check.sh Source44: shadow-login_defs-check.sh
@@ -231,9 +231,11 @@ rm %{buildroot}/%{_libdir}/libsubid.{la,a}
# Move /etc to /usr/etc # Move /etc to /usr/etc
if [ ! -d %{buildroot}%{_distconfdir} ]; then if [ ! -d %{buildroot}%{_distconfdir} ]; then
mkdir -p %{buildroot}%{_distconfdir} mkdir -p %{buildroot}%{_distconfdir}
mv %{buildroot}%{_sysconfdir}/{login.defs,pam.d} %{buildroot}%{_distconfdir} mkdir -p %{buildroot}%{_pam_vendordir}
mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d mv %{buildroot}%{_sysconfdir}/login.defs %{buildroot}%{_distconfdir}
mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/
fi fi
mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d
%find_lang shadow %find_lang shadow
@@ -299,19 +301,18 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid
%if %{defined no_config} %if %{defined no_config}
%{_distconfdir}/pam.d/chage %{_pam_vendordir}/chage
%{_distconfdir}/pam.d/chfn %{_pam_vendordir}/chfn
%{_distconfdir}/pam.d/chsh %{_pam_vendordir}/chsh
%{_distconfdir}/pam.d/passwd %{_pam_vendordir}/passwd
%{_distconfdir}/pam.d/useradd %{_pam_vendordir}/chpasswd
%{_distconfdir}/pam.d/chpasswd %{_pam_vendordir}/groupadd
%{_distconfdir}/pam.d/groupadd %{_pam_vendordir}/groupdel
%{_distconfdir}/pam.d/groupdel %{_pam_vendordir}/groupmod
%{_distconfdir}/pam.d/groupmod %{_pam_vendordir}/newusers
%{_distconfdir}/pam.d/newusers %{_pam_vendordir}/useradd
%{_distconfdir}/pam.d/useradd %{_pam_vendordir}/userdel
%{_distconfdir}/pam.d/userdel %{_pam_vendordir}/usermod
%{_distconfdir}/pam.d/usermod
%else %else
%config %{_sysconfdir}/pam.d/chage %config %{_sysconfdir}/pam.d/chage
%config %{_sysconfdir}/pam.d/chfn %config %{_sysconfdir}/pam.d/chfn
@@ -389,8 +390,8 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
%{_unitdir}/* %{_unitdir}/*
%files -n login_defs %files -n login_defs
%if %{defined no_config}
%dir %{_sysconfdir}/login.defs.d %dir %{_sysconfdir}/login.defs.d
%if %{defined no_config}
%attr(0644,root,root) %{_distconfdir}/login.defs %attr(0644,root,root) %{_distconfdir}/login.defs
%else %else
%attr(0644,root,root) %config %{_sysconfdir}/login.defs %attr(0644,root,root) %config %{_sysconfdir}/login.defs

52
useradd-userkeleton.patch
View File

@@ -27,7 +27,7 @@ Index: src/useradd.c
static const char *def_create_mail_spool = "yes"; static const char *def_create_mail_spool = "yes";
static const char *def_log_init = "yes"; static const char *def_log_init = "yes";
@@ -185,6 +189,7 @@ static bool home_added = false; @@ -188,6 +192,7 @@ static bool home_added = false;
#define DINACT "INACTIVE=" #define DINACT "INACTIVE="
#define DEXPIRE "EXPIRE=" #define DEXPIRE "EXPIRE="
#define DSKEL "SKEL=" #define DSKEL "SKEL="
@@ -35,7 +35,7 @@ Index: src/useradd.c
#define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL=" #define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL="
#define DLOG_INIT "LOG_INIT=" #define DLOG_INIT "LOG_INIT="
@@ -458,6 +463,29 @@ static void get_defaults (void) @@ -461,6 +466,29 @@ static void get_defaults (void)
} }
/* /*
@@ -45,7 +45,7 @@ Index: src/useradd.c
+ if ('\0' == *cp) { + if ('\0' == *cp) {
+ cp = USRSKELDIR; /* XXX warning: const */ + cp = USRSKELDIR; /* XXX warning: const */
+ } + }
+ +
+ if(prefix[0]) { + if(prefix[0]) {
+ size_t len; + size_t len;
+ int wlen; + int wlen;
@@ -65,7 +65,7 @@ Index: src/useradd.c
* Create by default user mail spool or not ? * Create by default user mail spool or not ?
*/ */
else if (MATCH (buf, DCREATE_MAIL_SPOOL)) { else if (MATCH (buf, DCREATE_MAIL_SPOOL)) {
@@ -499,6 +527,7 @@ static void show_defaults (void) @@ -502,6 +530,7 @@ static void show_defaults (void)
printf ("EXPIRE=%s\n", def_expire); printf ("EXPIRE=%s\n", def_expire);
printf ("SHELL=%s\n", def_shell); printf ("SHELL=%s\n", def_shell);
printf ("SKEL=%s\n", def_template); printf ("SKEL=%s\n", def_template);
@@ -73,7 +73,7 @@ Index: src/useradd.c
printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool); printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool);
printf ("LOG_INIT=%s\n", def_log_init); printf ("LOG_INIT=%s\n", def_log_init);
} }
@@ -527,6 +556,7 @@ static int set_defaults (void) @@ -530,6 +559,7 @@ static int set_defaults (void)
bool out_expire = false; bool out_expire = false;
bool out_shell = false; bool out_shell = false;
bool out_skel = false; bool out_skel = false;
@@ -81,7 +81,7 @@ Index: src/useradd.c
bool out_create_mail_spool = false; bool out_create_mail_spool = false;
bool out_log_init = false; bool out_log_init = false;
size_t len; size_t len;
@@ -640,6 +670,9 @@ static int set_defaults (void) @@ -643,6 +673,9 @@ static int set_defaults (void)
} else if (!out_skel && MATCH (buf, DSKEL)) { } else if (!out_skel && MATCH (buf, DSKEL)) {
fprintf (ofp, DSKEL "%s\n", def_template); fprintf (ofp, DSKEL "%s\n", def_template);
out_skel = true; out_skel = true;
@@ -91,7 +91,7 @@ Index: src/useradd.c
} else if (!out_create_mail_spool } else if (!out_create_mail_spool
&& MATCH (buf, DCREATE_MAIL_SPOOL)) { && MATCH (buf, DCREATE_MAIL_SPOOL)) {
fprintf (ofp, fprintf (ofp,
@@ -675,6 +708,8 @@ static int set_defaults (void) @@ -678,6 +711,8 @@ static int set_defaults (void)
fprintf (ofp, DSHELL "%s\n", def_shell); fprintf (ofp, DSHELL "%s\n", def_shell);
if (!out_skel) if (!out_skel)
fprintf (ofp, DSKEL "%s\n", def_template); fprintf (ofp, DSKEL "%s\n", def_template);
@@ -100,7 +100,7 @@ Index: src/useradd.c
if (!out_create_mail_spool) if (!out_create_mail_spool)
fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool); fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
@@ -2739,6 +2774,8 @@ int main (int argc, char **argv) @@ -2756,6 +2791,8 @@ int main (int argc, char **argv)
if (home_added) { if (home_added) {
copy_tree (def_template, prefix_user_home, false, true, copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid); (uid_t)-1, user_id, (gid_t)-1, user_gid);
@@ -113,22 +113,22 @@ Index: libmisc/copydir.c
=================================================================== ===================================================================
--- libmisc/copydir.c.orig --- libmisc/copydir.c.orig
+++ libmisc/copydir.c +++ libmisc/copydir.c
@@ -395,6 +395,14 @@ static int copy_entry (const char *src, @@ -453,6 +453,14 @@ static int copy_entry (const struct path
old_uid, new_uid, old_gid, new_gid);
} }
+ /* /*
+ * If the destination already exists do nothing. + * If the destination already exists do nothing.
+ * This is after the copy_dir above to still iterate into subdirectories. + * This is after the copy_dir above to still iterate into subdirectories.
+ */ + */
+ if (LSTAT (dst, &sb) != -1) { + if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {
+ return 0; + return 0;
+ } + }
+ +
#ifdef S_IFLNK + /*
/*
* Copy any symbolic links * Copy any symbolic links
@@ -456,6 +464,7 @@ static int copy_dir (const char *src, co */
@@ -511,6 +519,7 @@ static int copy_dir (const struct path_i
gid_t old_gid, gid_t new_gid) gid_t old_gid, gid_t new_gid)
{ {
int err = 0; int err = 0;
@@ -136,20 +136,20 @@ Index: libmisc/copydir.c
/* /*
* Create a new target directory, make it owned by * Create a new target directory, make it owned by
@@ -467,6 +476,16 @@ static int copy_dir (const char *src, co @@ -522,6 +531,16 @@ static int copy_dir (const struct path_i
return -1; return -1;
} }
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
+ +
+ /* + /*
+ * If the destination is already a directory, don't change it + * If the destination is already a directory, don't change it
+ * but copy into it (recursively). + * but copy into it (recursively).
+ */ + */
+ if (LSTAT (dst, &dst_sb) == 0 && S_ISDIR(dst_sb.st_mode)) { + if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) {
+ return (copy_tree (src, dst, false, reset_selinux, + return (copy_tree (src, dst, false, reset_selinux,
+ old_uid, new_uid, old_gid, new_gid) != 0); + old_uid, new_uid, old_gid, new_gid) != 0);
+ } + }
+ +
if ( (mkdir (dst, statp->st_mode) != 0) if ( (mkdirat (dst->dirfd, dst->name, statp->st_mode) != 0)
|| (chown_if_needed (dst, statp, || (chownat_if_needed (dst, statp,
old_uid, new_uid, old_gid, new_gid) != 0) old_uid, new_uid, old_gid, new_gid) != 0)