From b4a2128e54c9228c1e81313bd3ced99b2cad737aa7670c85dda2a9c25e170d1a Mon Sep 17 00:00:00 2001 
From: Michael Vetter Date: Mon, 30 May 2016 10:38:25 +0000 Subject: [PATCH 1/3] Accepting request 398913 from home:jubalh OBS-URL: https://build.opensuse.org/request/show/398913 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=21 --- Fix-user-busy-errors-at-userdel.patch | 42 +++++++ chkname-regex.diff | 91 --------------- chkname-regex.patch | 83 ++++++++++++++ ...od_nis.diff => encryption_method_nis.patch | 4 +- getdef-new-defs.diff => getdef-new-defs.patch | 8 +- shadow-4.1.5.1-audit-owner.patch | 31 +++++ shadow-4.1.5.1-backup-mode.patch | 7 +- shadow-4.1.5.1-errmsg.patch | 6 +- shadow-4.1.5.1-logmsg.patch | 7 +- shadow-4.1.5.1-manfix.patch | 16 +-- shadow-4.1.5.1-userdel-helpfix.patch | 14 +++ shadow-4.1.5.1.tar.bz2 | 3 - shadow-4.2.1-defs-chroot.patch | 23 ++++ shadow-4.2.1-merge-group.patch | 12 ++ shadow-4.2.1.tar.xz | 3 + ...login_defs.diff => shadow-login_defs.patch | 108 +++++++++--------- shadow.changes | 39 +++++++ shadow.spec | 48 +++++--- useradd-default.diff => useradd-default.patch | 2 +- useradd-mkdirs.diff => useradd-mkdirs.patch | 10 +- useradd-script.diff => useradd-script.patch | 6 +- userdel-scripts.diff => userdel-script.patch | 10 +- 22 files changed, 368 insertions(+), 205 deletions(-) create mode 100644 Fix-user-busy-errors-at-userdel.patch delete mode 100644 chkname-regex.diff create mode 100644 chkname-regex.patch rename encryption_method_nis.diff => encryption_method_nis.patch (72%) rename getdef-new-defs.diff => getdef-new-defs.patch (75%) create mode 100644 shadow-4.1.5.1-audit-owner.patch create mode 100644 shadow-4.1.5.1-userdel-helpfix.patch delete mode 100644 shadow-4.1.5.1.tar.bz2 create mode 100644 shadow-4.2.1-defs-chroot.patch create mode 100644 shadow-4.2.1-merge-group.patch create mode 100644 shadow-4.2.1.tar.xz rename shadow-login_defs.diff => shadow-login_defs.patch (75%) rename useradd-default.diff => useradd-default.patch (76%) rename useradd-mkdirs.diff => useradd-mkdirs.patch (89%) 
rename useradd-script.diff => useradd-script.patch (85%) rename userdel-scripts.diff => userdel-script.patch (82%) diff --git a/Fix-user-busy-errors-at-userdel.patch b/Fix-user-busy-errors-at-userdel.patch new file mode 100644 index 0000000..9b350eb --- /dev/null +++ b/Fix-user-busy-errors-at-userdel.patch @@ -0,0 +1,42 @@ +From 546e2ae44955510b06a922647796ec54744f10ce Mon Sep 17 00:00:00 2001 +From: Bastian Blank +Date: Tue, 17 Nov 2015 10:52:24 -0600 +Subject: [PATCH 17/17] Fix user busy errors at userdel + +Acked-by: Serge Hallyn +--- + libmisc/user_busy.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- libmisc/user_busy.c ++++ libmisc/user_busy.c +@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) + if (stat ("/", &sbroot) != 0) { + perror ("stat (\"/\")"); + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + return 0; + } + +@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) + + if (check_status (name, tmp_d_name, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); +@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) + } + if (check_status (name, task_path+6, uid) != 0) { + (void) closedir (proc); ++#ifdef ENABLE_SUBIDS ++ sub_uid_close(); ++#endif + fprintf (stderr, + _("%s: user %s is currently used by process %d\n"), + Prog, name, pid); diff --git a/chkname-regex.diff b/chkname-regex.diff deleted file mode 100644 index 16a12bf..0000000 --- a/chkname-regex.diff +++ /dev/null 
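Review bot: The three added `sub_uid_close();` calls in user_busy_processes drop any return value without comment, while the neighbouring `(void) closedir (proc);` marks the discard as deliberate; if sub_uid_close() returns a status, `(void) sub_uid_close();` would match the surrounding convention. The same `#ifdef ENABLE_SUBIDS` block is repeated on each early exit (the hunks at -175, -212 and -232), so a future exit path can miss it; a single cleanup label that closes `proc` and the subuid database would keep the release in one place. The matching open call and the normal return path are outside these hunks, so it cannot be confirmed from here that every exit is now balanced.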
@@ -1,91 +0,0 @@ ---- lib/getdef.c -+++ lib/getdef.c 2012/09/26 14:14:15 -@@ -51,6 +51,7 @@ - - #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) - static struct itemdef def_table[] = { -+ {"CHARACTER_CLASS", NULL}, - {"CHFN_RESTRICT", NULL}, - {"CONSOLE_GROUPS", NULL}, - {"CONSOLE", NULL}, ---- libmisc/chkname.c -+++ libmisc/chkname.c 2012/09/27 12:32:18 -@@ -43,31 +43,55 @@ - #ident "$Id: chkname.c 2828 2009-04-28 19:14:05Z nekral-guest $" - - #include -+#include - #include "defines.h" - #include "chkname.h" -+#include "getdef.h" -+#include - - static bool is_valid_name (const char *name) - { -- /* -- * User/group names must match [a-z_][a-z0-9_-]*[$] -- */ -- if (('\0' == *name) || -- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { -- return false; -- } -+ const char *class; -+ regex_t reg; -+ int result; -+ char *buf; -+ -+ /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?. -+ This is the POSIX portable character class. The $ at the end is -+ needed for SAMBA. But user can also specify something else in -+ /etc/login.defs. 
*/ -+ class = getdef_str ("CHARACTER_CLASS"); -+ if (!class) -+ class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?"; -+ -+ if (asprintf (&buf, "^%s$", class) < 0) -+ return -1; -+ -+ memset (®, 0, sizeof (regex_t)); -+ result = regcomp (®, buf, 0); -+ free (buf); -+ -+ if (result) -+ { -+ size_t length = regerror (result, ®, NULL, 0); -+ char *buffer = malloc (length); -+ if (buffer == NULL) -+ fputs ("running out of memory!\n", stderr); -+ -+ /* else -+ { -+ regerror (result, ®, buffer, length); -+ fprintf (stderr, _("Can't compile regular expression: %s\n"), -+ buffer); -+ } */ - -- while ('\0' != *++name) { -- if (!(( ('a' <= *name) && ('z' >= *name) ) || -- ( ('0' <= *name) && ('9' >= *name) ) || -- ('_' == *name) || -- ('-' == *name) || -- ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -- return false; -- } -- } -+ return false; -+ } -+ -+ if (regexec (®, name, 0, NULL, 0) != 0) -+ return false; - -- return true; -+ return true; - } - - bool is_valid_user_name (const char *name) -@@ -96,4 +120,3 @@ - - return is_valid_name (name); - } -- diff --git a/chkname-regex.patch b/chkname-regex.patch new file mode 100644 index 0000000..81601b6 --- /dev/null +++ b/chkname-regex.patch 
@@ -0,0 +1,83 @@ +--- lib/getdef.c ++++ lib/getdef.c +@@ -51,6 +51,7 @@ struct itemdef { + + #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) + static struct itemdef def_table[] = { ++ {"CHARACTER_CLASS", NULL}, + {"CHFN_RESTRICT", NULL}, + {"CONSOLE_GROUPS", NULL}, + {"CONSOLE", NULL}, +--- libmisc/chkname.c ++++ libmisc/chkname.c +@@ -43,30 +43,57 @@ + #ident "$Id$" + + #include ++#include + #include "defines.h" + #include "chkname.h" ++#include "getdef.h" ++#include + + static bool is_valid_name (const char *name) + { +- /* +- * User/group names must match [a-z_][a-z0-9_-]*[$] +- */ +- if (('\0' == *name) || +- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { ++ const char *class; ++ regex_t reg; ++ int result; ++ char *buf; ++ ++ /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?. ++ This is the POSIX portable character class. The $ at the end is ++ needed for SAMBA. But user can also specify something else in ++ /etc/login.defs. */ ++ class = getdef_str ("CHARACTER_CLASS"); ++ if (!class) ++ class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?"; ++ ++ if (asprintf (&buf, "^%s$", class) < 0) ++ return -1; ++ ++ memset (®, 0, sizeof (regex_t)); ++ result = regcomp (®, buf, 0); ++ free (buf); ++ ++ if (result) { ++ size_t length = regerror (result, ®, NULL, 0); ++ char *buffer = malloc (length); ++ if (buffer == NULL) ++ fputs ("running out of memory!\n", stderr); ++ ++ /* else ++ { ++ regerror (result, ®, buffer, length); ++ fprintf (stderr, _("Can't compile regular expression: %s\n"), ++ buffer); ++ } */ ++ ++ regfree(®); + return false; + } + +- while ('\0' != *++name) { +- if (!(( ('a' <= *name) && ('z' >= *name) ) || +- ( ('0' <= *name) && ('9' >= *name) ) || +- ('_' == *name) || +- ('-' == *name) || +- ( ('$' == *name) && ('\0' == *(name + 1)) ) +- )) { +- return false; +- } ++ if (regexec (®, name, 0, NULL, 0) != 0) { ++ regfree(®); ++ return false; + } + ++ regfree(®); + return true; + } 
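Review bot: `is_valid_name` is declared `static bool`, but the `asprintf` failure path does `return -1;`, which converts to `true`, so an allocation failure makes every user or group name pass validation; that line should be `return false;` so the check fails closed. In the `regcomp` error branch, `buffer` is obtained with `malloc (length)` and never freed or used because the `regerror` call is commented out, so either restore the diagnostic and `free (buffer)` or drop the allocation. That branch also calls `regfree` on a `regex_t` whose compilation failed, which POSIX does not guarantee to be safe. The block comment advertises `[A-Za-z_]...` while the built-in fallback pattern is lower-case only, and the two should agree so administrators know what is accepted when `CHARACTER_CLASS` is unset.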
diff --git a/encryption_method_nis.diff b/encryption_method_nis.patch similarity index 72% rename from encryption_method_nis.diff rename to encryption_method_nis.patch index 20114e5..47f6ab3 100644 --- a/encryption_method_nis.diff +++ b/encryption_method_nis.patch @@ -1,6 +1,6 @@ --- lib/getdef.c -+++ lib/getdef.c 2013/11/12 13:44:01 -@@ -57,6 +57,7 @@ ++++ lib/getdef.c +@@ -58,6 +58,7 @@ static struct itemdef def_table[] = { {"CREATE_HOME", NULL}, {"DEFAULT_HOME", NULL}, {"ENCRYPT_METHOD", NULL}, diff --git a/getdef-new-defs.diff b/getdef-new-defs.patch similarity index 75% rename from getdef-new-defs.diff rename to getdef-new-defs.patch index cd0a694..de311c1 100644 --- a/getdef-new-defs.diff +++ b/getdef-new-defs.patch @@ -1,6 +1,6 @@ --- lib/getdef.c -+++ lib/getdef.c 2012/11/13 16:26:34 -@@ -64,6 +64,7 @@ ++++ lib/getdef.c +@@ -65,6 +65,7 @@ static struct itemdef def_table[] = { {"FAKE_SHELL", NULL}, {"GID_MAX", NULL}, {"GID_MIN", NULL}, @@ -8,7 +8,7 @@ {"HUSHLOGIN_FILE", NULL}, {"KILLCHAR", NULL}, {"LOGIN_RETRIES", NULL}, -@@ -93,7 +94,10 @@ +@@ -100,7 +101,10 @@ static struct itemdef def_table[] = { {"UID_MAX", NULL}, {"UID_MIN", NULL}, {"UMASK", NULL}, @@ -19,7 +19,7 @@ {"USERGROUPS_ENAB", NULL}, #ifndef USE_PAM {"CHFN_AUTH", NULL}, -@@ -129,6 +133,10 @@ +@@ -136,6 +140,10 @@ static struct itemdef def_table[] = { {"TCB_SYMLINKS", NULL}, {"USE_TCB", NULL}, #endif diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch new file mode 100644 index 0000000..99f6303 --- /dev/null +++ b/shadow-4.1.5.1-audit-owner.patch 
@@ -0,0 +1,31 @@ +--- src/usermod.c ++++ src/usermod.c +@@ -1808,6 +1808,14 @@ static void move_home (void) + fail_exit (E_HOMEDIR); + } + ++#ifdef WITH_AUDIT ++ if (uflg || gflg) { ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "changing home directory owner", ++ user_newname, (unsigned int) user_newid, 1); ++ } ++#endif ++ + if (rename (user_home, user_newhome) == 0) { + /* FIXME: rename above may have broken symlinks + * pointing to the user's home directory +@@ -2254,6 +2262,13 @@ int main (int argc, char **argv) + * ownership. + * + */ ++#ifdef WITH_AUDIT ++ if (uflg || gflg) { ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "changing home directory owner", ++ user_newname, (unsigned int) user_newid, 1); ++ } ++#endif + if (chown_tree (dflg ? user_newhome : user_home, + user_id, + uflg ? user_newid : (uid_t)-1, diff --git a/shadow-4.1.5.1-backup-mode.patch b/shadow-4.1.5.1-backup-mode.patch index a8a5fa9..147618b 100644 --- a/shadow-4.1.5.1-backup-mode.patch +++ b/shadow-4.1.5.1-backup-mode.patch @@ -1,7 +1,6 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 -@@ -301,15 +301,12 @@ static int create_backup (const char *ba +--- lib/commonio.c ++++ lib/commonio.c +@@ -301,15 +301,12 @@ static int create_backup (const char *backup, FILE * fp) struct utimbuf ub; FILE *bkfp; int c; diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch index bebfab4..f13e3d5 100644 --- a/shadow-4.1.5.1-errmsg.patch +++ b/shadow-4.1.5.1-errmsg.patch @@ -1,6 +1,6 @@ --- src/useradd.c -+++ src/useradd.c 2013/09/17 12:30:31 -@@ -1759,6 +1759,9 @@ ++++ src/useradd.c +@@ -1896,6 +1896,9 @@ static void create_home (void) if (access (user_home, F_OK) != 0) { #ifdef WITH_SELINUX if (set_selinux_file_context (user_home) != 0) { 
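Review bot: Both added `audit_logger` calls pass a literal `1` as the result (presumably success) and run before the operation they describe: before `rename (user_home, user_newhome)` in move_home and before `chown_tree (...)` in main. The audit trail will therefore record a successful owner change even when the rename or chown then fails. Emitting the record after the call, with the result derived from its return value and a named constant (the useradd.c context elsewhere in this commit uses `SHADOW_AUDIT_FAILURE`), would keep the log accurate. The move_home message says "changing home directory owner" although the guarded call there is a rename, and if both paths can run in one invocation the event is logged twice. Both functions continue outside the hunks, so that overlap is not confirmed.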
@@ -10,7 +10,7 @@ fail_exit (E_HOMEDIR); } #endif -@@ -1788,6 +1791,9 @@ +@@ -1925,6 +1928,9 @@ static void create_home (void) #ifdef WITH_SELINUX /* Reset SELinux to create files with default contexts */ if (reset_selinux_file_context () != 0) { diff --git a/shadow-4.1.5.1-logmsg.patch b/shadow-4.1.5.1-logmsg.patch index e737839..e4c9b21 100644 --- a/shadow-4.1.5.1-logmsg.patch +++ b/shadow-4.1.5.1-logmsg.patch @@ -1,7 +1,6 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 -@@ -275,7 +275,7 @@ static void fail_exit (int code) +--- src/useradd.c ++++ src/useradd.c +@@ -320,7 +320,7 @@ static void fail_exit (int code) user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif diff --git a/shadow-4.1.5.1-manfix.patch b/shadow-4.1.5.1-manfix.patch index 46dbfc1..c091433 100644 --- a/shadow-4.1.5.1-manfix.patch +++ b/shadow-4.1.5.1-manfix.patch @@ -1,16 +1,6 @@ -diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-06-14 15:25:44.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-07-19 07:33:53.768619759 +0200 -@@ -161,7 +161,7 @@ - - - -- , -+ , - HOME_DIR - - -@@ -362,7 +362,7 @@ +--- man/useradd.8.xml ++++ man/useradd.8.xml +@@ -351,7 +351,7 @@ diff --git a/shadow-4.1.5.1-userdel-helpfix.patch b/shadow-4.1.5.1-userdel-helpfix.patch new file mode 100644 index 0000000..324f12f --- /dev/null +++ b/shadow-4.1.5.1-userdel-helpfix.patch 
@@ -0,0 +1,14 @@ +--- src/userdel.c ++++ src/userdel.c +@@ -143,8 +143,9 @@ static void usage (int status) + "\n" + "Options:\n"), + Prog); +- (void) fputs (_(" -f, --force force removal of files,\n" +- " even if not owned by user\n"), ++ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n" ++ " e.g. removal of user still logged in\n" ++ " or files, even if not owned by the user\n"), + usageout); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout); diff --git a/shadow-4.1.5.1.tar.bz2 b/shadow-4.1.5.1.tar.bz2 deleted file mode 100644 index ff4486e..0000000 --- a/shadow-4.1.5.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:aa32333748d68b58ed3a83625f0165e0f6b9dc4639e6377c9300c6bf4fe978fb -size 2193325 diff --git a/shadow-4.2.1-defs-chroot.patch b/shadow-4.2.1-defs-chroot.patch new file mode 100644 index 0000000..f6f2cb1 --- /dev/null +++ b/shadow-4.2.1-defs-chroot.patch @@ -0,0 +1,23 @@ +--- src/useradd.c ++++ src/useradd.c +@@ -2054,8 +2054,8 @@ int main (int argc, char **argv) + #endif /* ACCT_TOOLS_SETUID */ + + /* Needed for userns check */ +- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ uid_t uid_min; ++ uid_t uid_max; + + /* + * Get my name so that I can use it to report errors. +@@ -2073,6 +2073,9 @@ int main (int argc, char **argv) + audit_help_open (); + #endif + ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ + sys_ngroups = sysconf (_SC_NGROUPS_MAX); + user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); + /* diff --git a/shadow-4.2.1-merge-group.patch b/shadow-4.2.1-merge-group.patch new file mode 100644 index 0000000..11169b8 --- /dev/null +++ b/shadow-4.2.1-merge-group.patch 
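Review bot: In the useradd.c change from shadow-4.2.1-defs-chroot.patch, the relocated `uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);` and `uid_max` assignments have no comment saying why they must not run at declaration time, and `/* Needed for userns check */` now sits above two uninitialised declarations. The patch name suggests the intent is to read login.defs only after chroot handling, but the call that performs that handling is not visible between the declarations and the new assignments, so the ordering should be confirmed against the full main(). A one-line comment at the assignments, for example `/* read after the root directory has been processed so the right login.defs is used */`, would stop a later cleanup from moving them back.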
@@ -0,0 +1,12 @@ +--- lib/groupio.c ++++ lib/groupio.c +@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry *merge_group_entries ( + errno = ENOMEM; + return NULL; + } +- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); +- new_line[new_line_len] = '\0'; ++ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); + + /* Concatenate the 2 list of members */ + for (i=0; NULL != gptr1->gr_mem[i]; i++); diff --git a/shadow-4.2.1.tar.xz b/shadow-4.2.1.tar.xz new file mode 100644 index 0000000..d5488a6 --- /dev/null +++ b/shadow-4.2.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 +size 1594536 diff --git a/shadow-login_defs.diff b/shadow-login_defs.patch similarity index 75% rename from shadow-login_defs.diff rename to shadow-login_defs.patch index f109374..b9a8ca5 100644 --- a/shadow-login_defs.diff +++ b/shadow-login_defs.patch @@ -1,31 +1,31 @@ --- etc/login.defs -+++ etc/login.defs 2013/02/05 12:16:54 -@@ -1,8 +1,6 @@ ++++ etc/login.defs +@@ -1,8 +1,5 @@ # # /etc/login.defs - Configuration control definitions for the shadow package. - # --# $Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $ +-# +-# $Id$ -# # # Delay in seconds before being allowed another attempt after a login failure -@@ -12,11 +10,6 @@ +@@ -12,11 +9,6 @@ FAIL_DELAY 3 # --# Enable logging and display of /var/log/faillog login failure info. +-# Enable logging and display of /var/log/faillog login(1) failure info. -# -FAILLOG_ENAB yes - -# - # Enable display of unknown usernames when login failures are recorded. + # Enable display of unknown usernames when login(1) failures are recorded. # LOG_UNKFAIL_ENAB no -@@ -27,34 +20,6 @@ +@@ -27,34 +19,6 @@ LOG_UNKFAIL_ENAB no LOG_OK_LOGINS no # --# Enable logging and display of /var/log/lastlog login time info. +-# Enable logging and display of /var/log/lastlog login(1) time info. -# -LASTLOG_ENAB yes - 
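Review bot: The new `snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);` stays in bounds only if `new_line` was allocated with at least `new_line_len + 1` bytes. That allocation is above the hunk in merge_group_entries and should be checked, although the removed `new_line[new_line_len] = '\0';` wrote to the same index, which suggests the size is right. The return value is still ignored; treating a negative result, or one that is not smaller than the size passed, as an error would turn silent truncation of a merged group line into a visible failure. A short comment stating that `new_line_len` excludes the terminator would make the `+ 1` self-explanatory.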
@@ -48,45 +48,45 @@ -PORTTIME_CHECKS_ENAB yes - -# --# Enable setting of ulimit, umask, and niceness from passwd gecos field. +-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. -# -QUOTAS_ENAB yes - -# - # Enable "syslog" logging of su activity - in addition to sulog file logging. - # SYSLOG_SG_ENAB does the same for newgrp and sg. + # Enable "syslog" logging of su(1) activity - in addition to sulog file logging. + # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). # -@@ -82,75 +47,31 @@ +@@ -82,75 +46,31 @@ MOTD_FILE /etc/motd #MOTD_FILE /etc/motd:/usr/lib/news/news-motd # --# If defined, this file will be output before each login prompt. +-# If defined, this file will be output before each login(1) prompt. -# -#ISSUE_FILE /etc/issue - -# # If defined, file which maps tty line to TERM environment parameter. - # Each line of the file is in a format something like "vt100 tty01". + # Each line of the file is in a format similar to "vt100 tty01". # #TTYTYPE_FILE /etc/ttytype # --# If defined, login failures will be logged here in a utmp format. --# last, when invoked as lastb, will read /var/log/btmp, so... +-# If defined, login(1) failures will be logged here in a utmp format. +-# last(1), when invoked as lastb(1), will read /var/log/btmp, so... -# -FTMP_FILE /var/log/btmp - -# --# If defined, name of file whose presence which will inhibit non-root --# logins. The contents of this file should be a message indicating +-# If defined, name of file whose presence will inhibit non-root +-# logins. The content of this file should be a message indicating -# why logins are inhibited. -# -NOLOGINS_FILE /etc/nologin - -# -# If defined, the command name to display when running "su -". For --# example, if this is defined as "su" then a "ps" will display the --# command is "-su". If not defined, then "ps" would display the +-# example, if this is defined as "su" then ps(1) will display the +-# command as "-su". 
If not defined, then ps(1) will display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su @@ -122,7 +122,7 @@ -ENV_HZ HZ=100 -# For Linux/Alpha... -#ENV_HZ HZ=1024 -+#HUSHLOGIN_FILE .hushlogin ++# HUSHLOGIN_FILE .hushlogin +HUSHLOGIN_FILE /etc/hushlogins # @@ -140,8 +140,8 @@ # # Terminal permissions -@@ -164,24 +85,20 @@ - # TTYPERM to either 622 or 600. +@@ -164,24 +84,20 @@ ENV_PATH PATH=/bin:/usr/bin + # set TTYPERM to either 622 or 600. # TTYGROUP tty -TTYPERM 0600 @@ -164,9 +164,9 @@ KILLCHAR 025 -#ULIMIT 2097152 - # Default initial "umask" value used by login on non-PAM enabled systems. - # Default "umask" value for pam_umask on PAM enabled systems. -@@ -197,49 +114,44 @@ + # Default initial "umask" value used by login(1) on non-PAM enabled systems. + # Default "umask" value for pam_umask(8) on PAM enabled systems. +@@ -197,35 +113,25 @@ UMASK 022 # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. @@ -187,12 +187,12 @@ -SU_WHEEL_ONLY no - -# --# If compiled with cracklib support, where are the dictionaries +-# If compiled with cracklib support, sets the path to the dictionaries -# -CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict - -# - # Min/max values for automatic uid selection in useradd + # Min/max values for automatic uid selection in useradd(8) # +# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for +# UIDs for dynamically allocated administrative and system accounts. @@ -206,9 +206,12 @@ -SYS_UID_MAX 999 +SYS_UID_MIN 100 +SYS_UID_MAX 499 - + # Extra per user uids + SUB_UID_MIN 100000 + SUB_UID_MAX 600100000 +@@ -234,11 +140,16 @@ SUB_UID_COUNT 65536 # - # Min/max values for automatic gid selection in groupadd + # Min/max values for automatic gid selection in groupadd(8) # +# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for +# GIDs for dynamically allocated administrative and system groups. 
@@ -222,16 +225,19 @@ -SYS_GID_MAX 999 +SYS_GID_MIN 100 +SYS_GID_MAX 499 - + # Extra per user group ids + SUB_GID_MIN 100000 + SUB_GID_MAX 600100000 +@@ -247,7 +158,7 @@ SUB_GID_COUNT 65536 # - # Max number of login retries if password is bad + # Max number of login(1) retries if password is bad # -LOGIN_RETRIES 5 +LOGIN_RETRIES 3 # - # Max time in seconds for login -@@ -247,28 +159,6 @@ + # Max time in seconds for login(1) +@@ -255,28 +166,6 @@ LOGIN_RETRIES 5 LOGIN_TIMEOUT 60 # @@ -252,15 +258,15 @@ -#PASS_MAX_LEN 8 - -# --# Require password before chfn/chsh can make any changes. +-# Require password before chfn(1)/chsh(1) can make any changes. -# -CHFN_AUTH yes - -# - # Which fields may be changed by regular users using chfn - use + # Which fields may be changed by regular users using chfn(1) - use # any combination of letters "frwh" (full name, room number, work # phone, home phone). If not defined, no changes are allowed. -@@ -277,29 +167,6 @@ +@@ -285,28 +174,6 @@ CHFN_AUTH yes CHFN_RESTRICT rwh # @@ -281,16 +287,15 @@ -# Note: If you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. -# --# This variable is deprecated. You should use ENCRYPT_METHOD. +-# This variable is deprecated. You should use ENCRYPT_METHOD instead. -# -#MD5_CRYPT_ENAB no - -# --# Only works if compiled with ENCRYPTMETHOD_SELECT defined: - # If set to MD5 , MD5-based algorithm will be used for encrypting password + # Only works if compiled with ENCRYPTMETHOD_SELECT defined: + # If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password - # If set to SHA512, SHA512-based algorithm will be used for encrypting password -@@ -309,7 +176,8 @@ +@@ -317,7 +184,8 @@ CHFN_RESTRICT rwh # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # 
@@ -300,7 +305,7 @@ # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -@@ -345,16 +212,12 @@ +@@ -353,16 +221,12 @@ CHFN_RESTRICT rwh DEFAULT_HOME yes # @@ -319,18 +324,18 @@ #USERDEL_CMD /usr/sbin/userdel_local # -@@ -364,7 +227,7 @@ +@@ -372,7 +236,7 @@ ENVIRON_FILE /etc/environment # - # This also enables userdel to remove user groups if no members exist. + # This also enables userdel(8) to remove user groups if no members exist. # -USERGROUPS_ENAB yes +USERGROUPS_ENAB no # - # If set to a non-nul number, the shadow utilities will make sure that -@@ -383,5 +246,41 @@ - # This option is overridden with the -M or -m flags on the useradd command - # line. + # If set to a non-zero number, the shadow utilities will make sure that +@@ -391,5 +255,40 @@ USERGROUPS_ENAB yes + # This option is overridden with the -M or -m flags on the useradd(8) + # command-line. # -#CREATE_HOME yes +CREATE_HOME no @@ -342,7 +347,7 @@ +# +#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\? +CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\? -+ + +# +# If defined, this command is run when adding a group. +# It should rebuild any NIS database etc. to add the @@ -370,4 +375,3 @@ +# account from it. +# +USERDEL_POSTCMD /usr/sbin/userdel-post.local - diff --git a/shadow.changes b/shadow.changes index ac59286..15e7de3 100644 --- a/shadow.changes +++ b/shadow.changes 
@@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Mon May 30 09:41:55 UTC 2016 - mvetter@suse.com + +- bsc#979069: Dont include shadow-4.1.5.1-bug935203-manpage.patch +- Dont set SUID bit yet. Once bsc#979282 is through, which will adapt the permissions package, we can enable the SUID bits. + Remove the files used to circumvent the check. +- Remove: + * shadow-rpmlintrc + * shadow-subids + * shadow-subids.easy + * shadow-subids.secure + * shadow-subids.paranoid + +------------------------------------------------------------------- +Thu May 19 12:28:47 UTC 2016 - christian.brauner@mailbox.org + +- Update to shadow-4.2.1: + - add support for subuids/subgids via newuidmap/newgidmap +- Rename chkname-regex.diff to chkname-regex.patch +- Rename encryption_method_nis.diff to encryption_method_nis.patch +- Rename getdef-new-defs.diff to getdef-new-defs.patch +- Rename shadow-login_defs.diff to shadow-login_defs.patch +- Rename userdel-scripts.diff to userdel-script.patch +- Rename useradd-script.diff to useradd-script.patch +- Rename useradd-default.diff to useradd-default.patch +- Rename useradd-mkdirs.diff to useradd-mkdirs.patch +- Add fixes from Red Hat/Fedora: + - shadow-4.1.5.1-audit-owner.patch.patch: + - log owner changes for home directory + - shadow-4.1.5.1-userdel-helpfix.patch.patch: + - give a hint about what happens when you force the removal of a user + - shadow-4.2.1-defs-chroot.patch.patch: + - initialize uid_t uid_min and uid_t uid_max not before we need them + - shadow-4.2.1-merge-group.patch.patch: + - simplify by using a single call to snprintf() +- Add upstream fix + - Fix-user-busy-errors-at-userdel.patch: + - call sub_uid_close() + ------------------------------------------------------------------- Fri Jan 15 11:08:29 UTC 2016 - fvogt@suse.com diff --git a/shadow.spec b/shadow.spec index a22e246..577defb 100644 --- a/shadow.spec +++ b/shadow.spec 
@@ -20,10 +20,10 @@ Summary: Utilities to Manage User and Group Accounts License: BSD-3-Clause and GPL-2.0+ Group: System/Base Name: shadow -Version: 4.1.5.1 +Version: 4.2.1 Release: 0 Url: http://pkg-shadow.alioth.debian.org/ -Source: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2 +Source: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz Source1: pamd.tar.bz2 Source2: README.changes-pwdutils Source3: useradd.local @@ -31,18 +31,23 @@ Source4: userdel-pre.local Source5: userdel-post.local Source6: shadow.service Source7: shadow.timer -Patch: shadow-login_defs.diff -Patch1: userdel-scripts.diff -Patch2: useradd-script.diff -Patch3: chkname-regex.diff -Patch4: useradd-default.diff -Patch5: getdef-new-defs.diff +Patch: shadow-login_defs.patch +Patch1: userdel-script.patch +Patch2: useradd-script.patch +Patch3: chkname-regex.patch +Patch4: useradd-default.patch +Patch5: getdef-new-defs.patch Patch6: shadow-4.1.5.1-manfix.patch Patch7: shadow-4.1.5.1-logmsg.patch Patch8: shadow-4.1.5.1-errmsg.patch Patch9: shadow-4.1.5.1-backup-mode.patch -Patch10: encryption_method_nis.diff -Patch11: useradd-mkdirs.diff +Patch10: encryption_method_nis.patch +Patch11: useradd-mkdirs.patch +Patch12: shadow-4.1.5.1-audit-owner.patch +Patch13: shadow-4.1.5.1-userdel-helpfix.patch +Patch14: shadow-4.2.1-defs-chroot.patch +Patch15: shadow-4.2.1-merge-group.patch +Patch16: Fix-user-busy-errors-at-userdel.patch BuildRequires: audit-devel BuildRequires: libacl-devel BuildRequires: libattr-devel @@ -67,12 +72,17 @@ group accounts. %patch3 -p0 %patch4 -p0 %patch5 -p0 -%patch6 -p1 -%patch7 -p1 +%patch6 -p0 +%patch7 -p0 %patch8 -p0 -%patch9 -p1 +%patch9 -p0 %patch10 -p0 -%patch11 -p1 +%patch11 -p0 +%patch12 -p0 +%patch13 -p0 +%patch14 -p0 +%patch15 -p0 +%patch16 -p0 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO 
@@ -181,6 +191,8 @@ rm -rf $RPM_BUILD_ROOT %set_permissions /usr/bin/gpasswd %set_permissions /usr/bin/newgrp %set_permissions /usr/bin/passwd +%set_permissions /usr/bin/newgidmap +%set_permissions /usr/bin/newuidmap %service_add_post shadow.service shadow.timer @@ -192,6 +204,8 @@ rm -rf $RPM_BUILD_ROOT %verify_permissions /usr/bin/gpasswd %verify_permissions /usr/bin/newgrp %verify_permissions /usr/bin/passwd +%verify_permissions /usr/bin/newgidmap +%verify_permissions /usr/bin/newuidmap %preun %service_del_preun shadow.service shadow.timer @@ -225,6 +239,8 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp %attr(4755,root,shadow) %{_bindir}/passwd +%attr(0755,root,shadow) %{_bindir}/newgidmap +%attr(0755,root,shadow) %{_bindir}/newuidmap %{_bindir}/sg %{_sbindir}/groupadd %{_sbindir}/groupdel @@ -268,6 +284,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/usermod.8* %{_mandir}/man8/vigr.8* %{_mandir}/man8/vipw.8* +%{_mandir}/man5/subuid.5* +%{_mandir}/man5/subgid.5* +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* %{_unitdir}/* diff --git a/useradd-default.diff b/useradd-default.patch similarity index 76% rename from useradd-default.diff rename to useradd-default.patch index 9ec3288..f0f94a1 100644 --- a/useradd-default.diff +++ b/useradd-default.patch @@ -1,5 +1,5 @@ --- etc/useradd -+++ etc/useradd 2012/11/13 09:29:57 ++++ etc/useradd @@ -1,5 +1,5 @@ # useradd defaults file -GROUP=1000 diff --git a/useradd-mkdirs.diff b/useradd-mkdirs.patch similarity index 89% rename from useradd-mkdirs.diff rename to useradd-mkdirs.patch index 261bc0f..bc2458f 100644 --- a/useradd-mkdirs.diff +++ b/useradd-mkdirs.patch 
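Review bot: In the hunk at -225, `%attr(0755,root,shadow)` installs `newgidmap` and `newuidmap` without the setuid bit, while the hunks at -181 and -192 already register both with `%set_permissions` and `%verify_permissions`, and the spec does not say that this is intentional. The reason is recorded only in shadow.changes (SUID deferred until bsc#979282 adapts the permissions package). A comment above the two `%attr` lines, such as `# no SUID yet: enable once the permissions package carries these entries (bsc#979282)`, would keep the mode from looking like an oversight. When the bit is enabled, the `%attr` value and the permissions-package entry need to change together, otherwise the verify step will presumably report a mismatch.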
@@ -1,8 +1,6 @@ -diff --git a/src/useradd.c b/src/useradd.c -index fa93853..a9f8caa 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -1757,6 +1757,13 @@ static void usr_update (void) +--- src/useradd.c ++++ src/useradd.c +@@ -1894,6 +1894,13 @@ static void usr_update (void) static void create_home (void) { if (access (user_home, F_OK) != 0) { @@ -16,7 +14,7 @@ index fa93853..a9f8caa 100644 #ifdef WITH_SELINUX if (set_selinux_file_context (user_home) != 0) { fprintf (stderr, -@@ -1765,19 +1772,42 @@ static void create_home (void) +@@ -1902,19 +1909,42 @@ static void create_home (void) fail_exit (E_HOMEDIR); } #endif diff --git a/useradd-script.diff b/useradd-script.patch similarity index 85% rename from useradd-script.diff rename to useradd-script.patch index b6ad5f2..22f99e2 100644 --- a/useradd-script.diff +++ b/useradd-script.patch @@ -1,6 +1,6 @@ --- src/useradd.c -+++ src/useradd.c 2012/09/26 13:06:50 -@@ -1845,6 +1845,30 @@ ++++ src/useradd.c +@@ -1982,6 +1982,30 @@ static void create_mail (void) } /* @@ -31,7 +31,7 @@ * main - useradd command */ int main (int argc, char **argv) -@@ -2076,6 +2100,7 @@ +@@ -2242,6 +2266,7 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); diff --git a/userdel-scripts.diff b/userdel-script.patch similarity index 82% rename from userdel-scripts.diff rename to userdel-script.patch index d44833a..f06f2fa 100644 --- a/userdel-scripts.diff +++ b/userdel-script.patch @@ -1,6 +1,6 @@ --- src/userdel.c -+++ src/userdel.c 2012/09/25 13:46:38 -@@ -635,13 +635,13 @@ ++++ src/userdel.c +@@ -762,13 +762,13 @@ static void update_user (void) * cron, at, or print jobs. */ @@ -16,7 +16,7 @@ if (NULL == cmd) { return; } -@@ -1032,9 +1032,10 @@ +@@ -1163,9 +1163,10 @@ int main (int argc, char **argv) } /* 
@@ -29,7 +29,7 @@ open_files (); update_user (); update_groups (); -@@ -1137,7 +1138,7 @@ +@@ -1268,7 +1269,7 @@ int main (int argc, char **argv) * Cancel any crontabs or at jobs. Have to do this before we remove * the entry from /etc/passwd. */ @@ -38,7 +38,7 @@ close_files (); #ifdef WITH_TCB -@@ -1147,6 +1148,8 @@ +@@ -1278,6 +1279,8 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); From be3678aaf020dd19be01ebf2db6c1e55121c9a42b975423554d55936b9955b71 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Mon, 30 May 2016 11:56:16 +0000 Subject: [PATCH 2/3] - shadow 4.2.1 requested by fate#320422 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=22 --- shadow.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/shadow.changes b/shadow.changes index 15e7de3..55d7482 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,6 +1,7 @@ ------------------------------------------------------------------- Mon May 30 09:41:55 UTC 2016 - mvetter@suse.com +- shadow 4.2.1 requested by fate#320422 - bsc#979069: Dont include shadow-4.1.5.1-bug935203-manpage.patch - Dont set SUID bit yet. Once bsc#979282 is through, which will adapt the permissions package, we can enable the SUID bits. Remove the files used to circumvent the check. From 8017d9a3dede1e77a24f47fe3ed11baee7f74133d0c98ab66ec365c565c0f60e Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Tue, 31 May 2016 06:53:18 +0000 Subject: [PATCH 3/3] - Add package dependency for aaa_base, fixing bnc#899409 (was done by tbehrens@suse.com but not submitted to Factory) OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=23 --- shadow.changes | 6 ++++++ shadow.spec | 1 + 2 files changed, 7 insertions(+) diff --git a/shadow.changes b/shadow.changes index 55d7482..79fb4e5 100644 --- a/shadow.changes +++ b/shadow.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue May 31 06:48:41 UTC 2016 - mvetter@suse.com + +- Add package dependency for aaa_base, fixing bnc#899409 + (was done by tbehrens@suse.com but not submitted to Factory) + ------------------------------------------------------------------- Mon May 30 09:41:55 UTC 2016 - mvetter@suse.com diff --git a/shadow.spec b/shadow.spec index 577defb..57c2f4b 100644 --- a/shadow.spec +++ b/shadow.spec @@ -48,6 +48,7 @@ Patch13: shadow-4.1.5.1-userdel-helpfix.patch Patch14: shadow-4.2.1-defs-chroot.patch Patch15: shadow-4.2.1-merge-group.patch Patch16: Fix-user-busy-errors-at-userdel.patch +Requires: aaa_base BuildRequires: audit-devel BuildRequires: libacl-devel BuildRequires: libattr-devel