From 8c1e3ce2649cede1e61f566411891aad89005515697966b739927ef91e7c9986 Mon Sep 17 00:00:00 2001 
From: Michael Vetter 
Date: Wed, 9 Nov 2022 13:35:08 +0000
Subject: [PATCH] - Update to 4.13:
 * useradd.8: fix default group ID
 * Revert drop of subid_init()
 * Georgian translation
 * useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog
 * relax username restrictions
 * selinux: check MLS enabled before setting serange
 * copy_tree: use fchmodat instead of chmod
 * copy_tree: don't block on FIFOs
 * add shell linter
 * copy_tree: carefully treat permissions
 * lib/commonio: make lock failures more detailed
 * lib: use strzero and memzero where applicable
 * Update Dutch translation
 * Don't test for NULL before calling free
 * Use libc MAX() and MIN()
 * chage: Fix regression in print_date
 * usermod: report error if homedir does not exist
 * libmisc: minimum id check for system accounts
 * fix usermod -rG x y wrongly adding a group
 * man: add missing space in useradd.8.xml
 * lastlog: check for localtime() return value
 * Raise limit for passwd and shadow entry length
 * Remove adduser-old.c
 * useradd: Fix buffer overflow when using a prefix
 * Don't warn when failed to open /etc/nsswitch.conf
- Remove patches we took from upstream pre-release:
 * shadow-copytree-usermod-fifo.patch
 * shadow-chage-format.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=133
---
 chkname-regex.patch | 107 -----------------------------
 shadow-4.12.3.tar.xz | 3 -
 shadow-4.12.3.tar.xz.asc | 11 ---
 shadow-4.13.tar.xz | 3 +
 shadow-4.13.tar.xz.asc | 11 +++
 shadow-chage-format.patch | 29 --------
 shadow-copytree-usermod-fifo.patch | 50 --------------
 shadow-prefix-overflow.patch | 25 -------
 shadow.changes | 40 +++++++++++
 shadow.spec | 28 +++-----
 useradd-userkeleton.patch | 11 ++-
 11 files changed, 67 insertions(+), 251 deletions(-)
 delete mode 100644 chkname-regex.patch
 delete mode 100644 shadow-4.12.3.tar.xz
 delete mode 100644 shadow-4.12.3.tar.xz.asc
 create mode 100644 shadow-4.13.tar.xz
 create mode 100644 shadow-4.13.tar.xz.asc
 delete mode 
100644 shadow-chage-format.patch
delete mode 100644 shadow-copytree-usermod-fifo.patch
delete mode 100644 shadow-prefix-overflow.patch
diff --git a/chkname-regex.patch b/chkname-regex.patch
deleted file mode 100644
index 1a985cb..0000000
--- a/chkname-regex.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-Index: etc/login.defs
-===================================================================
---- etc/login.defs.orig
-+++ etc/login.defs
-@@ -329,6 +329,13 @@ USERGROUPS_ENAB yes
- #
- #FORCE_SHADOW yes
- 
-+# User/group names must match the following regex expression.
-+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
-+# but be aware that the result could depend on the locale settings.
-+#
-+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
-+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
-+
- #
- # Allow newuidmap and newgidmap when running under an alternative
- # primary group.
-Index: lib/getdef.c
-===================================================================
---- lib/getdef.c.orig
-+++ lib/getdef.c
-@@ -91,6 +91,7 @@ struct itemdef {
- 
- #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
- static struct itemdef def_table[] = {
-+ {"CHARACTER_CLASS", NULL},
- {"CHFN_RESTRICT", NULL},
- {"CONSOLE_GROUPS", NULL},
- {"CONSOLE", NULL},
-Index: libmisc/chkname.c
-===================================================================
---- libmisc/chkname.c.orig
-+++ libmisc/chkname.c
-@@ -43,8 +43,11 @@
- #ident "$Id$"
- 
- #include 
-+#include 
- #include "defines.h"
- #include "chkname.h"
-+#include "getdef.h"
-+#include 
- 
- int allow_bad_names = false;
- 
-@@ -54,24 +57,46 @@ static bool is_valid_name (const char *n
- return true;
- }
- 
-- /*
-- * User/group names must match [a-z_][a-z0-9_-]*[$]
-- */
-+ const char *class;
-+ regex_t reg;
-+ int result;
-+ char *buf;
-+
-+ /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?.
-+ This is the POSIX portable character class. The $ at the end is
-+ needed for SAMBA. But user can also specify something else in
-+ /etc/login.defs. 
*/
-+ class = getdef_str ("CHARACTER_CLASS");
-+ if (!class)
-+ class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?";
-+
-+ if (asprintf (&buf, "^%s$", class) < 0)
-+ return -1;
-+
-+ memset (®, 0, sizeof (regex_t));
-+ result = regcomp (®, buf, 0);
-+ free (buf);
-+
-+ if (result) {
-+ size_t length = regerror (result, ®, NULL, 0);
-+ char *buffer = malloc (length);
-+ if (buffer == NULL)
-+ fputs ("running out of memory!\n", stderr);
-+
-+ /* else
-+ {
-+ regerror (result, ®, buffer, length);
-+ fprintf (stderr, _("Can't compile regular expression: %s\n"),
-+ buffer);
-+ } */
- 
-- if (('\0' == *name) ||
-- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
-+ regfree(®);
- return false;
- }
- 
-- while ('\0' != *++name) {
-- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
-- ( ('0' <= *name) && ('9' >= *name) ) ||
-- ('_' == *name) ||
-- ('-' == *name) ||
-- ( ('$' == *name) && ('\0' == *(name + 1)) )
-- )) {
-- return false;
-- }
-+ if (regexec (®, name, 0, NULL, 0) != 0) {
-+ regfree(®);
-+ return false;
- }
- 
- return true;
diff --git a/shadow-4.12.3.tar.xz b/shadow-4.12.3.tar.xz
deleted file mode 100644
index 248f68c..0000000
--- a/shadow-4.12.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3d3ec447cfdd11ab5f0486ebc47d15718349d13fea41fc8584568bc118083ccd
-size 1747620
diff --git a/shadow-4.12.3.tar.xz.asc b/shadow-4.12.3.tar.xz.asc
deleted file mode 100644
index 3a2e7e6..0000000
--- a/shadow-4.12.3.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmMDfQYACgkQNXDaFycK
-ziQvPQf9HGXVezTAIW+tqa3T/Fpc1q8JPVXJO/GzNQPuyoqZCtHZihqgvc3gkdcB
-ZXIYXy1pB5lX6SEpSJjIeugXiUDBS465Q+Is1C76HqGh8dH7ws8tn4/ypA0S8/pv
-rkFT+sSjEqJLGCRpoRNoH2r++WkzUlags9aPabhZgJKHny31rSRAre0bsva7IGPs
-6iq1r4apKl8YssybAus3jmstxKj6y9S2Cmv+iEN0jY/+Oagrbl45p+NuHf/E0TSp
-sCnZCLtzUBb5LTeIfz15P+MfG+hDhFLPedWlLVTr7YZSWJVwf4gwttUWUOmSkkuF
-PEy7hhvMAd7X5Rtz/GVtfas+UUfekA==
-=WZd1
------END PGP SIGNATURE-----
diff --git a/shadow-4.13.tar.xz b/shadow-4.13.tar.xz
new file mode 100644
index 0000000..5c36f2b
--- /dev/null
+++ b/shadow-4.13.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9afe245d79a2e7caac5f1ed62519b17416b057ec89df316df1c3935502f9dd2c
+size 1762908
diff --git a/shadow-4.13.tar.xz.asc b/shadow-4.13.tar.xz.asc
new file mode 100644
index 0000000..ebdadeb
--- /dev/null
+++ b/shadow-4.13.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK
+ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5
+2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6
+P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL
+xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9
+tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D
+AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA==
+=33BL
+-----END PGP SIGNATURE-----
diff --git a/shadow-chage-format.patch b/shadow-chage-format.patch
deleted file mode 100644
index a84796f..0000000
--- a/shadow-chage-format.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From e503fd574b7dbf6b21b1168e20938f0922807916 Mon Sep 17 00:00:00 2001
-From: Xiami <1927254+Xiami2012@users.noreply.github.com>
-Date: Wed, 5 Oct 2022 18:11:28 +0800
-Subject: [PATCH] chage: Fix regression in print_date
-
-Introduced by c6c8130db4319613a91dd07bbb845f6c33c5f79f
-
-After removing snprintf, the format string should get unescaped once.
-
-Fixes #564
-
-Reporter and patch author: DerMouse (github.com/DerMouse)
----
- src/chage.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/chage.c b/src/chage.c
-index 8cf677942..01570d725 100644
---- a/src/chage.c
-+++ b/src/chage.c
-@@ -228,7 +228,7 @@ static void print_date (time_t date)
- if (NULL == tp) {
- (void) printf ("time_t: %lu\n", (unsigned long)date);
- } else {
-- (void) strftime (buf, sizeof buf, iflg ? "%%Y-%%m-%%d" : "%%b %%d, %%Y", tp);
-+ (void) strftime (buf, sizeof buf, iflg ? "%Y-%m-%d" : "%b %d, %Y", tp);
- (void) puts (buf);
- }
- }
diff --git a/shadow-copytree-usermod-fifo.patch b/shadow-copytree-usermod-fifo.patch
deleted file mode 100644
index aae1169..0000000
--- a/shadow-copytree-usermod-fifo.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 10cd68e0f04b48363eb32d2c6e168b358fb27810 Mon Sep 17 00:00:00 2001
-From: Samanta Navarro 
-Date: Sun, 4 Sep 2022 11:58:03 +0000
-Subject: [PATCH] copy_tree: do not block on fifos
-
-Fixes regression introduced in faeab50e710131816b261de66141524898c2c487.
-
-If a directory contains fifos, then openat blocks until the other side
-of the fifo is connected as well.
-
-This means that users can prevent "usermod -m" from completing if their
-home directories contain at least one fifo.
----
- libmisc/copydir.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libmisc/copydir.c b/libmisc/copydir.c
-index b6025f4c7..5fb47da01 100644
---- a/libmisc/copydir.c
-+++ b/libmisc/copydir.c
-@@ -126,12 +126,12 @@ static int perm_copy_path(const struct path_info *src,
- {
- int src_fd, dst_fd, ret;
- 
-- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (src_fd < 0) {
- return -1;
- }
- 
-- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (dst_fd < 0) {
- (void) close (src_fd);
- return -1;
-@@ -152,12 +152,12 @@ static int attr_copy_path(const struct path_info *src,
- {
- int src_fd, dst_fd, ret;
- 
-- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (src_fd < 0) {
- return -1;
- }
- 
-- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (dst_fd < 0) {
- (void) close (src_fd);
- return -1;
diff --git a/shadow-prefix-overflow.patch b/shadow-prefix-overflow.patch
deleted file mode 100644
index b3cb0ee..0000000
--- a/shadow-prefix-overflow.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From eaebea55a495a56317ed85e959b3599f73c6bdf2 Mon Sep 17 00:00:00 2001
-From: David Michael 
-Date: Sun, 23 Oct 2022 18:51:33 -0400
-Subject: [PATCH] useradd: Fix buffer overflow when using a prefix
-
-The buffer length did not count the string's trailing null byte.
-
-Signed-off-by: David Michael 
----
- src/useradd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 39a744ee0..7ea0a9c4d 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2372,7 +2372,7 @@ static void create_mail (void)
- if (NULL == spool) {
- return;
- }
-- file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2);
-+ file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3);
- if (prefix[0])
- sprintf (file, "%s/%s/%s", prefix, spool, user_name);
- else
diff --git a/shadow.changes b/shadow.changes
index 4f5874a..d08cb82 100644
--- a/shadow.changes
+++ b/shadow.changes
@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Tue Nov 8 21:15:44 UTC 2022 - Michael Vetter 
+
+- Update to 4.13:
+ * useradd.8: fix default group ID
+ * Revert drop of subid_init()
+ * Georgian translation
+ * useradd: Avoid taking unneeded space: do not reset non-existent data
+ in lastlog
+ * relax username restrictions
+ * selinux: check MLS enabled before setting serange
+ * copy_tree: use fchmodat instead of chmod
+ * copy_tree: don't block on FIFOs
+ * add shell linter
+ * copy_tree: carefully treat permissions
+ * lib/commonio: make lock failures more detailed
+ * lib: use strzero and memzero where applicable
+ * Update Dutch translation
+ * Don't test for NULL before calling free
+ * Use libc MAX() and MIN()
+ * chage: Fix regression in print_date
+ * usermod: report error if homedir does not exist
+ * libmisc: minimum id check for system accounts
+ * fix usermod -rG x y wrongly adding a group
+ * man: add missing space in useradd.8.xml
+ * lastlog: check for localtime() return value
+ * Raise limit for passwd and shadow entry length
+ * Remove adduser-old.c
+ * useradd: Fix buffer overflow when using a prefix
+ * Don't warn when failed to open /etc/nsswitch.conf
+- Remove patches we took from upstream pre-release:
+ * shadow-copytree-usermod-fifo.patch
+ * shadow-chage-format.patch
+ * shadow-prefix-overflow.patch
+- Remove chkname-regex.patch:
+ Upstream now also relaxed the usernames requirements.
+ They don't use regex for this but the result is similar.
+ Plus they also check that the name is less than 32 characters long.
+- Rebase useradd-userkeleton.patch
+
 -------------------------------------------------------------------
 Mon Nov 7 11:20:36 UTC 2022 - Michael Vetter 
diff --git a/shadow.spec b/shadow.spec
index 1cd492f..ccd8d33 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -22,7 +22,7 @@
 %define no_config 1
 %endif
 Name: shadow
-Version: 4.12.3
+Version: 4.13
 Release: 0
 Summary: Utilities to Manage User and Group Accounts
 License: BSD-3-Clause AND GPL-2.0-or-later
@@ -45,26 +45,18 @@ Patch0: shadow-login_defs-unused-by-pam.patch
 Patch1: userdel-script.patch
 # PATCH-FEATURE-SUSE useradd-script.patch kukuk@suse.com -- Add support for USERADD_CMD.
 Patch2: useradd-script.patch
-# PATCH-FEATURE-SUSE chkname-regex.patch kukuk@suse.com -- Username restriction by regex.
-Patch3: chkname-regex.patch
 # PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
-Patch4: useradd-default.patch
+Patch3: useradd-default.patch
 # PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
-Patch5: shadow-util-linux.patch
+Patch4: shadow-util-linux.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
-Patch6: shadow-login_defs-comments.patch
+Patch5: shadow-login_defs-comments.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
-Patch7: shadow-login_defs-suse.patch
+Patch6: shadow-login_defs-suse.patch
 # PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321)
-Patch8: useradd-userkeleton.patch
+Patch7: useradd-userkeleton.patch
 # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
-Patch9: disable_new_audit_function.patch
-# PATCH-FIX-UPSTREAM shadow-prefix-overflow.patch mvetter@suse.com -- Fix buffer overflow when using --prefix in useradd
-Patch10: https://github.com/shadow-maint/shadow/commit/eaebea55a495a56317ed85e959b3599f73c6bdf2.patch#/shadow-prefix-overflow.patch
-# PATCH-FIX-UPSTREAM shadow-chage-format.patch mvetter@suse.com -- Fix chage format string
-Patch11: https://github.com/shadow-maint/shadow/commit/e503fd574b7dbf6b21b1168e20938f0922807916.patch#/shadow-chage-format.patch
-# PATCH-FIX-UPSTREAM shadow-copytree-usermod-fifo.patch mvetter@suse.com -- Fix regression when openat blocks
-Patch12: https://github.com/shadow-maint/shadow/commit/10cd68e0f04b48363eb32d2c6e168b358fb27810.patch#/shadow-copytree-usermod-fifo.patch
+Patch8: disable_new_audit_function.patch
 BuildRequires: audit-devel > 2.3
 BuildRequires: autoconf
 BuildRequires: automake
@@ -131,13 +123,9 @@ Development files for libsubid4.
 %patch5
 %patch6
 %patch7
-%patch8
 %if 0%{?suse_version} < 1330
-%patch9 -p1
+%patch8 -p1
 %endif
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 mv -v doc/HOWTO.utf8 doc/HOWTO
diff --git a/useradd-userkeleton.patch b/useradd-userkeleton.patch
index 0b22f76..32d83bc 100644
--- a/useradd-userkeleton.patch
+++ b/useradd-userkeleton.patch
@@ -100,7 +100,7 @@ Index: src/useradd.c
 if (!out_create_mail_spool)
 fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
-@@ -2756,6 +2791,8 @@ int main (int argc, char **argv)
+@@ -2758,6 +2793,8 @@ int main (int argc, char **argv)
 if (home_added) {
 copy_tree (def_template, prefix_user_home, false, true,
 (uid_t)-1, user_id, (gid_t)-1, user_gid);
@@ -113,7 +113,7 @@ Index: libmisc/copydir.c
 ===================================================================
 --- libmisc/copydir.c.orig
 +++ libmisc/copydir.c
-@@ -453,6 +453,14 @@ static int copy_entry (const struct path
+@@ -449,6 +449,14 @@ static int copy_entry (const struct path
 }
 /* 
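Review bot: Dropping `Patch3: chkname-regex.patch` removes the `CHARACTER_CLASS` login.defs key together with the regex check, so any login.defs still carrying that key — the customisations applied by `shadow-login_defs-suse.patch` (Patch6 after renumbering) or an administrator-edited /etc/login.defs on upgrade — would now hit getdef's unknown-item path; please confirm the shipped login.defs no longer references it. The changelog's statement that upstream's hard-coded check gives a "similar" result should be checked against the removed regex, which required a leading `[A-Za-z_]`: if upstream 4.13's is_valid_name admits names that start with a digit or `.`, that is a behavioural change for anything that parses `user:group` strings as numeric IDs and deserves an explicit note rather than "similar". The renumbering itself is consistent (the conditional `%patch8 -p1` now matches `Patch8: disable_new_audit_function.patch`), but a marker at the former Patch3 position would keep the intent visible in the spec, e.g. `# chkname-regex.patch dropped with 4.13: username rules come from upstream libmisc/chkname.c, CHARACTER_CLASS is no longer read`.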
@@ -128,7 +128,7 @@ Index: libmisc/copydir.c
 * Copy any symbolic links
 */
-@@ -511,6 +519,7 @@ static int copy_dir (const struct path_i
+@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i
 gid_t old_gid, gid_t new_gid)
 {
 int err = 0;
@@ -136,11 +136,10 @@ Index: libmisc/copydir.c
 /*
 * Create a new target directory, make it owned by
-@@ -522,6 +531,16 @@ static int copy_dir (const struct path_i
+@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i
 return -1;
 }
 #endif /* WITH_SELINUX */
-+
 + /*
 + * If the destination is already a directory, don't change it
 + * but copy into it (recursively).
@@ -150,6 +149,6 @@ Index: libmisc/copydir.c
 + old_uid, new_uid, old_gid, new_gid) != 0);
 + }
 +
- if ( (mkdirat (dst->dirfd, dst->name, statp->st_mode) != 0)
+ if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0)
 || (chownat_if_needed (dst, statp, old_uid, new_uid, old_gid, new_gid) != 0)