pool/shadow
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1034857 from Base:System

Browse Source 
- Update to 4.13:
  * useradd.8: fix default group ID
  * Revert drop of subid_init()
  * Georgian translation
  * useradd: Avoid taking unneeded space: do not reset non-existent data
    in lastlog
  * relax username restrictions
  * selinux: check MLS enabled before setting serange
  * copy_tree: use fchmodat instead of chmod
  * copy_tree: don't block on FIFOs
  * add shell linter
  * copy_tree: carefully treat permissions
  * lib/commonio: make lock failures more detailed
  * lib: use strzero and memzero where applicable
  * Update Dutch translation
  * Don't test for NULL before calling free
  * Use libc MAX() and MIN()
  * chage: Fix regression in print_date
  * usermod: report error if homedir does not exist
  * libmisc: minimum id check for system accounts
  * fix usermod -rG x y wrongly adding a group
  * man: add missing space in useradd.8.xml
  * lastlog: check for localtime() return value
  * Raise limit for passwd and shadow entry length
  * Remove adduser-old.c
  * useradd: Fix buffer overflow when using a prefix
  * Don't warn when failed to open /etc/nsswitch.conf
- Remove patches we took from upstream pre-release:
  * shadow-copytree-usermod-fifo.patch
  * shadow-chage-format.patch

OBS-URL: https://build.opensuse.org/request/show/1034857
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=52
This commit is contained in:
Dominique Leuenberger 2022-11-12 16:39:48 +00:00 committed by Git OBS Bridge
commit c4ba14a87f
11 changed files with 67 additions and 251 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
chkname-regex.patch
View File

@ -1,107 +0,0 @@
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -329,6 +329,13 @@ USERGROUPS_ENAB yes
#
#FORCE_SHADOW yes
+# User/group names must match the following regex expression.
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
+# but be aware that the result could depend on the locale settings.
+#
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
+
#
# Allow newuidmap and newgidmap when running under an alternative
# primary group.
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -91,6 +91,7 @@ struct itemdef {
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
static struct itemdef def_table[] = {
+ {"CHARACTER_CLASS", NULL},
{"CHFN_RESTRICT", NULL},
{"CONSOLE_GROUPS", NULL},
{"CONSOLE", NULL},
Index: libmisc/chkname.c
===================================================================
--- libmisc/chkname.c.orig
+++ libmisc/chkname.c
@@ -43,8 +43,11 @@
#ident "$Id$"
#include <ctype.h>
+#include <regex.h>
#include "defines.h"
#include "chkname.h"
+#include "getdef.h"
+#include <stdio.h>
int allow_bad_names = false;
@@ -54,24 +57,46 @@ static bool is_valid_name (const char *n
return true;
}
- /*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
+ const char *class;
+ regex_t reg;
+ int result;
+ char *buf;
+
+ /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?.
+ This is the POSIX portable character class. The $ at the end is
+ needed for SAMBA. But user can also specify something else in
+ /etc/login.defs. */
+ class = getdef_str ("CHARACTER_CLASS");
+ if (!class)
+ class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?";
+
+ if (asprintf (&buf, "^%s$", class) < 0)
+ return -1;
+
+ memset (&reg, 0, sizeof (regex_t));
+ result = regcomp (&reg, buf, 0);
+ free (buf);
+
+ if (result) {
+ size_t length = regerror (result, &reg, NULL, 0);
+ char *buffer = malloc (length);
+ if (buffer == NULL)
+ fputs ("running out of memory!\n", stderr);
+
+ /* else
+ {
+ regerror (result, &reg, buffer, length);
+ fprintf (stderr, _("Can't compile regular expression: %s\n"),
+ buffer);
+ } */
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ regfree(&reg);
return false;
}
- while ('\0' != *++name) {
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
- ( ('0' <= *name) && ('9' >= *name) ) ||
- ('_' == *name) ||
- ('-' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
- )) {
- return false;
- }
+ if (regexec (&reg, name, 0, NULL, 0) != 0) {
+ regfree(&reg);
+ return false;
}
return true;

3
shadow-4.12.3.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3d3ec447cfdd11ab5f0486ebc47d15718349d13fea41fc8584568bc118083ccd
size 1747620

11
shadow-4.12.3.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmMDfQYACgkQNXDaFycK
ziQvPQf9HGXVezTAIW+tqa3T/Fpc1q8JPVXJO/GzNQPuyoqZCtHZihqgvc3gkdcB
ZXIYXy1pB5lX6SEpSJjIeugXiUDBS465Q+Is1C76HqGh8dH7ws8tn4/ypA0S8/pv
rkFT+sSjEqJLGCRpoRNoH2r++WkzUlags9aPabhZgJKHny31rSRAre0bsva7IGPs
6iq1r4apKl8YssybAus3jmstxKj6y9S2Cmv+iEN0jY/+Oagrbl45p+NuHf/E0TSp
sCnZCLtzUBb5LTeIfz15P+MfG+hDhFLPedWlLVTr7YZSWJVwf4gwttUWUOmSkkuF
PEy7hhvMAd7X5Rtz/GVtfas+UUfekA==
=WZd1
-----END PGP SIGNATURE-----

BIN
shadow-4.13.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

11
shadow-4.13.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK
ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5
2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6
P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL
xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9
tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D
AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA==
=33BL
-----END PGP SIGNATURE-----

29
shadow-chage-format.patch
View File

@ -1,29 +0,0 @@
From e503fd574b7dbf6b21b1168e20938f0922807916 Mon Sep 17 00:00:00 2001
From: Xiami <1927254+Xiami2012@users.noreply.github.com>
Date: Wed, 5 Oct 2022 18:11:28 +0800
Subject: [PATCH] chage: Fix regression in print_date
Introduced by c6c8130db4319613a91dd07bbb845f6c33c5f79f
After removing snprintf, the format string should get unescaped once.
Fixes #564
Reporter and patch author: DerMouse (github.com/DerMouse)
---
src/chage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/chage.c b/src/chage.c
index 8cf677942..01570d725 100644
--- a/src/chage.c
+++ b/src/chage.c
@@ -228,7 +228,7 @@ static void print_date (time_t date)
if (NULL == tp) {
(void) printf ("time_t: %lu\n", (unsigned long)date);
} else {
- (void) strftime (buf, sizeof buf, iflg ? "%%Y-%%m-%%d" : "%%b %%d, %%Y", tp);
+ (void) strftime (buf, sizeof buf, iflg ? "%Y-%m-%d" : "%b %d, %Y", tp);
(void) puts (buf);
}
}

50
shadow-copytree-usermod-fifo.patch
View File

@ -1,50 +0,0 @@
From 10cd68e0f04b48363eb32d2c6e168b358fb27810 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Sun, 4 Sep 2022 11:58:03 +0000
Subject: [PATCH] copy_tree: do not block on fifos
Fixes regression introduced in faeab50e710131816b261de66141524898c2c487.
If a directory contains fifos, then openat blocks until the other side
of the fifo is connected as well.
This means that users can prevent "usermod -m" from completing if their
home directories contain at least one fifo.
---
libmisc/copydir.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libmisc/copydir.c b/libmisc/copydir.c
index b6025f4c7..5fb47da01 100644
--- a/libmisc/copydir.c
+++ b/libmisc/copydir.c
@@ -126,12 +126,12 @@ static int perm_copy_path(const struct path_info *src,
{
int src_fd, dst_fd, ret;
- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
if (src_fd < 0) {
return -1;
}
- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
if (dst_fd < 0) {
(void) close (src_fd);
return -1;
@@ -152,12 +152,12 @@ static int attr_copy_path(const struct path_info *src,
{
int src_fd, dst_fd, ret;
- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
if (src_fd < 0) {
return -1;
}
- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
if (dst_fd < 0) {
(void) close (src_fd);
return -1;

25
shadow-prefix-overflow.patch
View File

@ -1,25 +0,0 @@
From eaebea55a495a56317ed85e959b3599f73c6bdf2 Mon Sep 17 00:00:00 2001
From: David Michael <fedora.dm0@gmail.com>
Date: Sun, 23 Oct 2022 18:51:33 -0400
Subject: [PATCH] useradd: Fix buffer overflow when using a prefix
The buffer length did not count the string's trailing null byte.
Signed-off-by: David Michael <fedora.dm0@gmail.com>
---
src/useradd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index 39a744ee0..7ea0a9c4d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2372,7 +2372,7 @@ static void create_mail (void)
if (NULL == spool) {
return;
}
- file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2);
+ file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3);
if (prefix[0])
sprintf (file, "%s/%s/%s", prefix, spool, user_name);
else

40
shadow.changes
View File

@ -1,3 +1,43 @@
-------------------------------------------------------------------
Tue Nov 8 21:15:44 UTC 2022 - Michael Vetter <mvetter@suse.com>
- Update to 4.13:
* useradd.8: fix default group ID
* Revert drop of subid_init()
* Georgian translation
* useradd: Avoid taking unneeded space: do not reset non-existent data
in lastlog
* relax username restrictions
* selinux: check MLS enabled before setting serange
* copy_tree: use fchmodat instead of chmod
* copy_tree: don't block on FIFOs
* add shell linter
* copy_tree: carefully treat permissions
* lib/commonio: make lock failures more detailed
* lib: use strzero and memzero where applicable
* Update Dutch translation
* Don't test for NULL before calling free
* Use libc MAX() and MIN()
* chage: Fix regression in print_date
* usermod: report error if homedir does not exist
* libmisc: minimum id check for system accounts
* fix usermod -rG x y wrongly adding a group
* man: add missing space in useradd.8.xml
* lastlog: check for localtime() return value
* Raise limit for passwd and shadow entry length
* Remove adduser-old.c
* useradd: Fix buffer overflow when using a prefix
* Don't warn when failed to open /etc/nsswitch.conf
- Remove patches we took from upstream pre-release:
* shadow-copytree-usermod-fifo.patch
* shadow-chage-format.patch
* shadow-prefix-overflow.patch
- Remove chkname-regex.patch:
Upstream now also relaxed the usernames requirements.
They don't use regex for this but the result is similar.
Plus they also check that the name is less than 32 characters long.
- Rebase useradd-userkeleton.patch
-------------------------------------------------------------------
Mon Nov 7 11:20:36 UTC 2022 - Michael Vetter <mvetter@suse.com>

28
shadow.spec
View File

@ -22,7 +22,7 @@
%define no_config 1
%endif
Name: shadow
Version: 4.12.3
Version: 4.13
Release: 0
Summary: Utilities to Manage User and Group Accounts
License: BSD-3-Clause AND GPL-2.0-or-later
@ -45,26 +45,18 @@ Patch0: shadow-login_defs-unused-by-pam.patch
Patch1: userdel-script.patch
# PATCH-FEATURE-SUSE useradd-script.patch kukuk@suse.com -- Add support for USERADD_CMD.
Patch2: useradd-script.patch
# PATCH-FEATURE-SUSE chkname-regex.patch kukuk@suse.com -- Username restriction by regex.
Patch3: chkname-regex.patch
# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
Patch4: useradd-default.patch
Patch3: useradd-default.patch
# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
Patch5: shadow-util-linux.patch
Patch4: shadow-util-linux.patch
# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
Patch6: shadow-login_defs-comments.patch
Patch5: shadow-login_defs-comments.patch
# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
Patch7: shadow-login_defs-suse.patch
Patch6: shadow-login_defs-suse.patch
# PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321)
Patch8: useradd-userkeleton.patch
Patch7: useradd-userkeleton.patch
# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
Patch9: disable_new_audit_function.patch
# PATCH-FIX-UPSTREAM shadow-prefix-overflow.patch mvetter@suse.com -- Fix buffer overflow when using --prefix in useradd
Patch10: https://github.com/shadow-maint/shadow/commit/eaebea55a495a56317ed85e959b3599f73c6bdf2.patch#/shadow-prefix-overflow.patch
# PATCH-FIX-UPSTREAM shadow-chage-format.patch mvetter@suse.com -- Fix chage format string
Patch11: https://github.com/shadow-maint/shadow/commit/e503fd574b7dbf6b21b1168e20938f0922807916.patch#/shadow-chage-format.patch
# PATCH-FIX-UPSTREAM shadow-copytree-usermod-fifo.patch mvetter@suse.com -- Fix regression when openat blocks
Patch12: https://github.com/shadow-maint/shadow/commit/10cd68e0f04b48363eb32d2c6e168b358fb27810.patch#/shadow-copytree-usermod-fifo.patch
Patch8: disable_new_audit_function.patch
BuildRequires: audit-devel > 2.3
BuildRequires: autoconf
BuildRequires: automake
@ -131,13 +123,9 @@ Development files for libsubid4.
%patch5
%patch6
%patch7
%patch8
%if 0%{?suse_version} < 1330
%patch9 -p1
%patch8 -p1
%endif
%patch10 -p1
%patch11 -p1
%patch12 -p1
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
mv -v doc/HOWTO.utf8 doc/HOWTO

11
useradd-userkeleton.patch
View File

@ -100,7 +100,7 @@ Index: src/useradd.c
if (!out_create_mail_spool)
fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
@@ -2756,6 +2791,8 @@ int main (int argc, char **argv)
@@ -2758,6 +2793,8 @@ int main (int argc, char **argv)
if (home_added) {
copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid);
@ -113,7 +113,7 @@ Index: libmisc/copydir.c
===================================================================
--- libmisc/copydir.c.orig
+++ libmisc/copydir.c
@@ -453,6 +453,14 @@ static int copy_entry (const struct path
@@ -449,6 +449,14 @@ static int copy_entry (const struct path
}
/*
@ -128,7 +128,7 @@ Index: libmisc/copydir.c
* Copy any symbolic links
*/
@@ -511,6 +519,7 @@ static int copy_dir (const struct path_i
@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i
gid_t old_gid, gid_t new_gid)
{
int err = 0;
@ -136,11 +136,10 @@ Index: libmisc/copydir.c
/*
* Create a new target directory, make it owned by
@@ -522,6 +531,16 @@ static int copy_dir (const struct path_i
@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i
return -1;
}
#endif /* WITH_SELINUX */
+
+ /*
+ * If the destination is already a directory, don't change it
+ * but copy into it (recursively).
@ -150,6 +149,6 @@ Index: libmisc/copydir.c
+ old_uid, new_uid, old_gid, new_gid) != 0);
+ }
+
if ( (mkdirat (dst->dirfd, dst->name, statp->st_mode) != 0)
if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0)
|| (chownat_if_needed (dst, statp,
old_uid, new_uid, old_gid, new_gid) != 0)