- Update to 4.13:

* useradd.8: fix default group ID * Revert drop of subid_init() * Georgian translation * useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog * relax username restrictions * selinux: check MLS enabled before setting serange * copy_tree: use fchmodat instead of chmod * copy_tree: don't block on FIFOs * add shell linter * copy_tree: carefully treat permissions * lib/commonio: make lock failures more detailed * lib: use strzero and memzero where applicable * Update Dutch translation * Don't test for NULL before calling free * Use libc MAX() and MIN() * chage: Fix regression in print_date * usermod: report error if homedir does not exist * libmisc: minimum id check for system accounts * fix usermod -rG x y wrongly adding a group * man: add missing space in useradd.8.xml * lastlog: check for localtime() return value * Raise limit for passwd and shadow entry length * Remove adduser-old.c * useradd: Fix buffer overflow when using a prefix * Don't warn when failed to open /etc/nsswitch.conf - Remove patches we took from upstream pre-release: * shadow-copytree-usermod-fifo.patch * shadow-chage-format.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=133
2022-11-09 13:35:08 +00:00
parent 91f075eb3d
commit 8c1e3ce264
11 changed files with 67 additions and 251 deletions
--- a/chkname-regex.patch
+++ b/chkname-regex.patch
@@ -1,107 +0,0 @@
 Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
@@ -329,6 +329,13 @@ USERGROUPS_ENAB yes
 #
 #FORCE_SHADOW    yes
 +# User/group names must match the following regex expression.
 +# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
 +# but be aware that the result could depend on the locale settings.
 +#
 +#CHARACTER_CLASS                [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
 +CHARACTER_CLASS         [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
 +
 #
 # Allow newuidmap and newgidmap when running under an alternative
 # primary group.
 Index: lib/getdef.c
 ===================================================================
 --- lib/getdef.c.orig
 +++ lib/getdef.c
@@ -91,6 +91,7 @@ struct itemdef {
 #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
 static struct itemdef def_table[] = {
 +	{"CHARACTER_CLASS", NULL},
 	{"CHFN_RESTRICT", NULL},
 	{"CONSOLE_GROUPS", NULL},
 	{"CONSOLE", NULL},
 Index: libmisc/chkname.c
 ===================================================================
 --- libmisc/chkname.c.orig
 +++ libmisc/chkname.c
@@ -43,8 +43,11 @@
 #ident "$Id$"
 #include <ctype.h>
 +#include <regex.h>
 #include "defines.h"
 #include "chkname.h"
 +#include "getdef.h"
 +#include <stdio.h>
 int allow_bad_names = false;
@@ -54,24 +57,46 @@ static bool is_valid_name (const char *n
 		return true;
 	}
 -	/*
 -	 * User/group names must match [a-z_][a-z0-9_-]*[$]
 -	 */
 +	const char *class;
 +	regex_t reg;
 +	int result;
 +	char *buf;
 +
 +	/* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?.
 +	   This is the POSIX portable character class. The $ at the end is
 +	   needed for SAMBA. But user can also specify something else in
 +	   /etc/login.defs.  */
 +	class = getdef_str ("CHARACTER_CLASS");
 +	if (!class)
 +		class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?";
 +
 +	if (asprintf (&buf, "^%s$", class) < 0)
 +		return -1;
 +
 +	memset (&reg, 0, sizeof (regex_t));
 +	result = regcomp (&reg, buf, 0);
 +	free (buf);
 +
 +	if (result) {
 +		size_t length = regerror (result, &reg, NULL, 0);
 +		char *buffer = malloc (length);
 +		if (buffer == NULL)
 +			fputs ("running out of memory!\n", stderr);
 +
 +		/* else
 +		   {
 +		   regerror (result, &reg, buffer, length);
 +		   fprintf (stderr, _("Can't compile regular expression: %s\n"),
 +		   buffer);
 +		   } */
 -	if (('\0' == *name) ||
 -	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
 +		regfree(&reg);
 		return false;
 	}
 -	while ('\0' != *++name) {
 -		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
 -		      ( ('0' <= *name) && ('9' >= *name) ) ||
 -		      ('_' == *name) ||
 -		      ('-' == *name) ||
 -		      ( ('$' == *name) && ('\0' == *(name + 1)) )
 -		     )) {
 -			return false;
 -		}
 +	if (regexec (&reg, name, 0, NULL, 0) != 0) {
 +		regfree(&reg);
 +		return false;
 	}
 	return true;
--- a/shadow-4.12.3.tar.xz
+++ b/shadow-4.12.3.tar.xz
@@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:3d3ec447cfdd11ab5f0486ebc47d15718349d13fea41fc8584568bc118083ccd
 size 1747620
--- a/shadow-4.12.3.tar.xz.asc
+++ b/shadow-4.12.3.tar.xz.asc
@@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmMDfQYACgkQNXDaFycK
 ziQvPQf9HGXVezTAIW+tqa3T/Fpc1q8JPVXJO/GzNQPuyoqZCtHZihqgvc3gkdcB
 ZXIYXy1pB5lX6SEpSJjIeugXiUDBS465Q+Is1C76HqGh8dH7ws8tn4/ypA0S8/pv
 rkFT+sSjEqJLGCRpoRNoH2r++WkzUlags9aPabhZgJKHny31rSRAre0bsva7IGPs
 6iq1r4apKl8YssybAus3jmstxKj6y9S2Cmv+iEN0jY/+Oagrbl45p+NuHf/E0TSp
 sCnZCLtzUBb5LTeIfz15P+MfG+hDhFLPedWlLVTr7YZSWJVwf4gwttUWUOmSkkuF
 PEy7hhvMAd7X5Rtz/GVtfas+UUfekA==
 =WZd1
 -----END PGP SIGNATURE-----
--- a/shadow-4.13.tar.xz
+++ b/shadow-4.13.tar.xz
--- a/shadow-4.13.tar.xz.asc
+++ b/shadow-4.13.tar.xz.asc
@@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK
 ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5
 2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6
 P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL
 xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9
 tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D
 AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA==
 =33BL
 -----END PGP SIGNATURE-----
--- a/shadow-chage-format.patch
+++ b/shadow-chage-format.patch
@@ -1,29 +0,0 @@
 From e503fd574b7dbf6b21b1168e20938f0922807916 Mon Sep 17 00:00:00 2001
 From: Xiami <1927254+Xiami2012@users.noreply.github.com>
 Date: Wed, 5 Oct 2022 18:11:28 +0800
 Subject: [PATCH] chage: Fix regression in print_date
 Introduced by c6c8130db4319613a91dd07bbb845f6c33c5f79f
 After removing snprintf, the format string should get unescaped once.
 Fixes #564
 Reporter and patch author: DerMouse (github.com/DerMouse)
 ---
 src/chage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/chage.c b/src/chage.c
 index 8cf677942..01570d725 100644
 --- a/src/chage.c
 +++ b/src/chage.c
@@ -228,7 +228,7 @@ static void print_date (time_t date)
 	if (NULL == tp) {
 		(void) printf ("time_t: %lu\n", (unsigned long)date);
 	} else {
 -		(void) strftime (buf, sizeof buf, iflg ? "%%Y-%%m-%%d" : "%%b %%d, %%Y", tp);
 +		(void) strftime (buf, sizeof buf, iflg ? "%Y-%m-%d" : "%b %d, %Y", tp);
 		(void) puts (buf);
 	}
 }
--- a/shadow-copytree-usermod-fifo.patch
+++ b/shadow-copytree-usermod-fifo.patch
@@ -1,50 +0,0 @@
 From 10cd68e0f04b48363eb32d2c6e168b358fb27810 Mon Sep 17 00:00:00 2001
 From: Samanta Navarro <ferivoz@riseup.net>
 Date: Sun, 4 Sep 2022 11:58:03 +0000
 Subject: [PATCH] copy_tree: do not block on fifos
 Fixes regression introduced in faeab50e710131816b261de66141524898c2c487.
 If a directory contains fifos, then openat blocks until the other side
 of the fifo is connected as well.
 This means that users can prevent "usermod -m" from completing if their
 home directories contain at least one fifo.
 ---
 libmisc/copydir.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/libmisc/copydir.c b/libmisc/copydir.c
 index b6025f4c7..5fb47da01 100644
 --- a/libmisc/copydir.c
 +++ b/libmisc/copydir.c
@@ -126,12 +126,12 @@ static int perm_copy_path(const struct path_info *src,
 {
 	int src_fd, dst_fd, ret;
 -	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
 +	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (src_fd < 0) {
 		return -1;
 	}
 -	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
 +	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (dst_fd < 0) {
 		(void) close (src_fd);
 		return -1;
@@ -152,12 +152,12 @@ static int attr_copy_path(const struct path_info *src,
 {
 	int src_fd, dst_fd, ret;
 -	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
 +	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (src_fd < 0) {
 		return -1;
 	}
 -	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
 +	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (dst_fd < 0) {
 		(void) close (src_fd);
 		return -1;
--- a/shadow-prefix-overflow.patch
+++ b/shadow-prefix-overflow.patch
@@ -1,25 +0,0 @@
 From eaebea55a495a56317ed85e959b3599f73c6bdf2 Mon Sep 17 00:00:00 2001
 From: David Michael <fedora.dm0@gmail.com>
 Date: Sun, 23 Oct 2022 18:51:33 -0400
 Subject: [PATCH] useradd: Fix buffer overflow when using a prefix
 The buffer length did not count the string's trailing null byte.
 Signed-off-by: David Michael <fedora.dm0@gmail.com>
 ---
 src/useradd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/useradd.c b/src/useradd.c
 index 39a744ee0..7ea0a9c4d 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
@@ -2372,7 +2372,7 @@ static void create_mail (void)
 		if (NULL == spool) {
 			return;
 		}
 -		file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2);
 +		file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3);
 		if (prefix[0])
 			sprintf (file, "%s/%s/%s", prefix, spool, user_name);
 		else
--- a/shadow.changes
+++ b/shadow.changes
@@ -1,3 +1,43 @@
 -------------------------------------------------------------------
 Tue Nov  8 21:15:44 UTC 2022 - Michael Vetter <mvetter@suse.com>
 - Update to 4.13:
  * useradd.8: fix default group ID
  * Revert drop of subid_init()
  * Georgian translation
  * useradd: Avoid taking unneeded space: do not reset non-existent data
    in lastlog
  * relax username restrictions
  * selinux: check MLS enabled before setting serange
  * copy_tree: use fchmodat instead of chmod
  * copy_tree: don't block on FIFOs
  * add shell linter
  * copy_tree: carefully treat permissions
  * lib/commonio: make lock failures more detailed
  * lib: use strzero and memzero where applicable
  * Update Dutch translation
  * Don't test for NULL before calling free
  * Use libc MAX() and MIN()
  * chage: Fix regression in print_date
  * usermod: report error if homedir does not exist
  * libmisc: minimum id check for system accounts
  * fix usermod -rG x y wrongly adding a group
  * man: add missing space in useradd.8.xml
  * lastlog: check for localtime() return value
  * Raise limit for passwd and shadow entry length
  * Remove adduser-old.c
  * useradd: Fix buffer overflow when using a prefix
  * Don't warn when failed to open /etc/nsswitch.conf
 - Remove patches we took from upstream pre-release:
  * shadow-copytree-usermod-fifo.patch
  * shadow-chage-format.patch
  * shadow-prefix-overflow.patch
 - Remove chkname-regex.patch:
  Upstream now also relaxed the usernames requirements.
  They don't use regex for this but the result is similar.
  Plus they also check that the name is less than 32 characters long.
 - Rebase useradd-userkeleton.patch 
 -------------------------------------------------------------------
 Mon Nov  7 11:20:36 UTC 2022 - Michael Vetter <mvetter@suse.com>
--- a/shadow.spec
+++ b/shadow.spec
@@ -22,7 +22,7 @@
  %define no_config 1
 %endif
 Name:           shadow
-Version:        4.12.3
+Version:        4.13
 Release:        0
 Summary:        Utilities to Manage User and Group Accounts
 License:        BSD-3-Clause AND GPL-2.0-or-later
@@ -45,26 +45,18 @@ Patch0:         shadow-login_defs-unused-by-pam.patch
 Patch1:         userdel-script.patch
 # PATCH-FEATURE-SUSE useradd-script.patch kukuk@suse.com -- Add support for USERADD_CMD.
 Patch2:         useradd-script.patch
 # PATCH-FEATURE-SUSE chkname-regex.patch kukuk@suse.com -- Username restriction by regex.
 Patch3:         chkname-regex.patch
 # PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
-Patch4:         useradd-default.patch
+Patch3:         useradd-default.patch
 # PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
-Patch5:         shadow-util-linux.patch
+Patch4:         shadow-util-linux.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
-Patch6:         shadow-login_defs-comments.patch
+Patch5:         shadow-login_defs-comments.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
-Patch7:         shadow-login_defs-suse.patch
+Patch6:         shadow-login_defs-suse.patch
 # PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321)
-Patch8:         useradd-userkeleton.patch
+Patch7:         useradd-userkeleton.patch
 # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
-Patch9:         disable_new_audit_function.patch
+Patch8:         disable_new_audit_function.patch
 # PATCH-FIX-UPSTREAM shadow-prefix-overflow.patch mvetter@suse.com -- Fix buffer overflow when using --prefix in useradd
 Patch10:        https://github.com/shadow-maint/shadow/commit/eaebea55a495a56317ed85e959b3599f73c6bdf2.patch#/shadow-prefix-overflow.patch
 # PATCH-FIX-UPSTREAM shadow-chage-format.patch mvetter@suse.com -- Fix chage format string
 Patch11:        https://github.com/shadow-maint/shadow/commit/e503fd574b7dbf6b21b1168e20938f0922807916.patch#/shadow-chage-format.patch
 # PATCH-FIX-UPSTREAM shadow-copytree-usermod-fifo.patch mvetter@suse.com -- Fix regression when openat blocks
 Patch12:        https://github.com/shadow-maint/shadow/commit/10cd68e0f04b48363eb32d2c6e168b358fb27810.patch#/shadow-copytree-usermod-fifo.patch
 BuildRequires:  audit-devel > 2.3
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -131,13 +123,9 @@ Development files for libsubid4.
 %patch5
 %patch6
 %patch7
 %patch8
 %if 0%{?suse_version} < 1330
-%patch9 -p1
+%patch8 -p1
 %endif
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 mv -v doc/HOWTO.utf8 doc/HOWTO
--- a/useradd-userkeleton.patch
+++ b/useradd-userkeleton.patch
@@ -100,7 +100,7 @@ Index: src/useradd.c
 	if (!out_create_mail_spool)
 		fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
-@@ -2756,6 +2791,8 @@ int main (int argc, char **argv)
+@@ -2758,6 +2793,8 @@ int main (int argc, char **argv)
 		if (home_added) {
 			copy_tree (def_template, prefix_user_home, false, true,
 			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
@@ -113,7 +113,7 @@ Index: libmisc/copydir.c
 ===================================================================
 --- libmisc/copydir.c.orig
 +++ libmisc/copydir.c
-@@ -453,6 +453,14 @@ static int copy_entry (const struct path
+@@ -449,6 +449,14 @@ static int copy_entry (const struct path
 		}
 		/*
@@ -128,7 +128,7 @@ Index: libmisc/copydir.c
 		 * Copy any symbolic links
 		 */
-@@ -511,6 +519,7 @@ static int copy_dir (const struct path_i
+@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i
                      gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
@@ -136,11 +136,10 @@ Index: libmisc/copydir.c
 	/*
 	 * Create a new target directory, make it owned by
-@@ -522,6 +531,16 @@ static int copy_dir (const struct path_i
+@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
 +
 +        /*
 +         * If the destination is already a directory, don't change it
 +         * but copy into it (recursively).
@@ -150,6 +149,6 @@ Index: libmisc/copydir.c
 +                           old_uid, new_uid, old_gid, new_gid) != 0);
 +        }
 +
- 	if (   (mkdirat (dst->dirfd, dst->name, statp->st_mode) != 0)
+ 	if (   (mkdirat (dst->dirfd, dst->name, 0700) != 0)
 	    || (chownat_if_needed (dst, statp,
 	                         old_uid, new_uid, old_gid, new_gid) != 0)