
Accepting request 932263 from Base:System

- Fix segfaults in newgrp and pwck
  * Add shadow-4.9-newgrp-segfault.patch 
    https://github.com/shadow-maint/shadow/pull/437
  * Add shadow-4.9-pwck-segfault.patch
    https://github.com/shadow-maint/shadow/pull/445

- Added hardening to systemd service(s) (bsc#1181400). Modified:
  * shadow.service

- shadow-util-linux.patch:
  * Remove the section patching lib/getdef.c in favor of the
    upstream FOREIGNDEFS.
  * Add LOGIN_KEEP_USERNAME to login.defs.
  * Remove PREVENT_NO_AUTH from login.defs. Only used by the
    unpackaged login and su.
- shadow-login_defs-unused-by-pam.patch:
  * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
    YESCRYPT_COST_FACTOR, not supported by the current
    configuration.
- Update login_defs-support-for-pam symbol to version 1.5.2
  (support for new variable HMAC_CRYPTO_ALGO).
- Update login_defs-support-for-util-linux to version 2.37
  (support for new variable LOGIN_KEEP_USERNAME).
- Refresh shadow-login_defs-comments.patch and
  shadow-login_defs-suse.patch.
- Improve shadow-login_defs-check.sh:
  * Add helper to import local new version in the parent dir.
  * Fix spec editing sed expression.
  * Add PREVENT_NO_AUTH to known unused variables.
  * Update pam sed expression to find HMAC_CRYPTO_ALGO.

OBS-URL: https://build.opensuse.org/request/show/932263
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=45
This commit is contained in:
Dominique Leuenberger 2021-11-21 22:51:28 +00:00 committed by Git OBS Bridge
commit 6f9efa1aed
10 changed files with 205 additions and 89 deletions


@ -0,0 +1,15 @@
https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948
Index: shadow-4.9/src/newgrp.c
===================================================================
--- shadow-4.9.orig/src/newgrp.c
+++ shadow-4.9/src/newgrp.c
@@ -163,8 +163,8 @@ static void check_perms (const struct gr
spwd = xgetspnam (pwd->pw_name);
if (NULL != spwd) {
pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
+ spw_free (spwd);
}
- spw_free (spwd);
if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
needspasswd = true;


@ -0,0 +1,14 @@
https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f
Index: shadow-4.9/src/pwck.c
===================================================================
--- shadow-4.9.orig/src/pwck.c
+++ shadow-4.9/src/pwck.c
@@ -857,6 +857,7 @@ int main (int argc, char **argv)
* Get my name so that I can use it to report errors.
*/
Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
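Review bot: Only pwck receives the `shadow_logfd = stderr;` initialisation here, while the shadow.service unit in this same commit also runs `/usr/sbin/grpck -r` as a second ExecStart; if grpck shares the same logging path with an unset shadow_logfd, the unit would still fail on that step. Worth checking src/grpck.c for the equivalent assignment before shipping, and stating the reason in the patch header, e.g. `pwck: set shadow_logfd before the first logging call; it was NULL and dereferenced on any warning`. I am inferring the NULL-stream cause from where the assignment was placed, not from visible code. main() continues outside the hunk.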


@ -20,7 +20,18 @@ which osc >/dev/null
# Extract list of referenced variables.
if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
echo "Checking out util-linux..."
osc co openSUSE:Factory util-linux
if test -d ../util-linux ; then
echo -n "../util-linux found. Are you preparing new version? (y/N) "
read
if test "${REPLY:0:1}" = "y" ; then
mkdir -p openSUSE:Factory
cp -a ../util-linux openSUSE:Factory/
else
osc co openSUSE:Factory util-linux
fi
else
osc co openSUSE:Factory util-linux
fi
cd openSUSE:Factory/util-linux
quilt setup -d BUILD util-linux.spec
cd BUILD/*
@ -43,7 +54,18 @@ cd ../../../..
# Extract list of referenced variables.
if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
echo "Checking out pam..."
osc co openSUSE:Factory pam
if test -d ../pam ; then
echo -n "../pam found. Are you preparing new version? (y/N) "
read
if test "${REPLY:0:1}" = "y" ; then
mkdir -p openSUSE:Factory
cp -a ../pam openSUSE:Factory/
else
osc co openSUSE:Factory pam
fi
else
osc co openSUSE:Factory pam
fi
cd openSUSE:Factory/pam
quilt setup -d BUILD pam.spec
cd BUILD/*
@ -54,7 +76,7 @@ fi
echo "Extracting variables from pam..."
cd openSUSE:Factory/pam/BUILD/*
grep -rh LOGIN_DEFS . |
sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
cd ../../../..
@ -66,12 +88,24 @@ if ! test -f shadow-login_defs-check-build/stamp ; then
# In case of shadow, variables extraction is more complicated. The list
# depends on configure options, so we have to perform a fake build and
# extract variables from prepreocessed sources.
sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
# sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
echo "$0: Please fix sed expression modifying shadow.spec."
mv shadow.spec.shadow-login_defs-check-save shadow.spec
exit 1
fi
fi
osc build "$@" || :
echo "This build command was expected to fail."
echo ""
if osc build "$@" ; then
echo "This build command was expected to fail, but it succeeded."
echo "$0: Please fix sed expression modifying shadow.spec."
mv shadow.spec.shadow-login_defs-check-save shadow.spec
exit 1
else
echo "This build command was expected to fail."
echo ""
fi
mv shadow.spec.shadow-login_defs-check-save shadow.spec
BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
@ -167,6 +201,8 @@ function falsematch() {
FTMP_FILE ) return 0 ;;
# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
ISSUE_FILE ) return 0 ;;
# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
PREVENT_NO_AUTH ) return 0 ;;
* ) return 1 ;;
esac
}
@ -242,7 +278,7 @@ echo "Change in shadow.spec:"
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
echo "
If you ported encryption_method_nis.patch to the new pam version,
If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
please submit these updates:
Change in pam.spec:"
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
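Review bot: In the rewritten build step, `if osc build "$@" ; then ... else echo "This build command was expected to fail."` accepts every non-zero exit as the intended CPPFLAGS=-E failure, so a build that dies earlier (missing BuildRequires, download error) is silently treated as success and the script goes on to `BUILD_ROOT=$(osc lbl ...)` and greps preprocessed sources that were never produced. A guard right after the BUILD_ROOT assignment, `test -n "$BUILD_ROOT" && test -d "$BUILD_ROOT" || { echo "$0: no build root, the fake build did not get far enough"; exit 1; }`, would turn that into a clear error. Separately, the two new interactive prompts use bare `read`; `read -r` avoids backslash mangling of the reply (shellcheck SC2162). The script continues beyond this section.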


@ -13,38 +13,6 @@ Index: etc/login.defs
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -23,15 +21,6 @@ LOG_UNKFAIL_ENAB no
#
#
-# Limit the highest user ID number for which the lastlog entries should
-# be updated.
-#
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-# lastlog entries.
-#
-#LASTLOG_UID_MAX
-
-#
# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
# to sulog file logging.
#
@@ -46,6 +35,15 @@ CONSOLE /etc/securetty
#CONSOLE console:tty01:tty02:tty03:tty04
#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+#
# If defined, all su(1) activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
@@ -99,11 +97,14 @@ ENV_PATH /bin:/usr/bin
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
@ -86,7 +54,7 @@ Index: etc/login.defs
GID_MIN 1000
GID_MAX 60000
# System accounts
@@ -190,7 +201,6 @@ LOGIN_TIMEOUT 60
@@ -196,7 +207,6 @@ LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
#
@ -94,7 +62,7 @@ Index: etc/login.defs
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
@@ -205,7 +215,6 @@ CHFN_RESTRICT rwh
@@ -211,7 +221,6 @@ CHFN_RESTRICT rwh
#MD5_CRYPT_ENAB no
#


@ -67,7 +67,7 @@ Index: etc/login.defs
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -125,7 +128,7 @@
@@ -133,7 +136,7 @@ UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
@ -106,8 +106,8 @@ Index: etc/login.defs
+LOGIN_RETRIES 3
#
# Max time in seconds for login(1)
@@ -201,18 +204,9 @@ LOGIN_TIMEOUT 60
# Tell login to only re-prompt for the password if authentication
@@ -207,18 +210,9 @@ LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
#
@ -128,7 +128,7 @@ Index: etc/login.defs
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
@@ -227,7 +221,7 @@ CHFN_RESTRICT rwh
@@ -233,7 +227,7 @@ CHFN_RESTRICT rwh
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
@ -137,7 +137,7 @@ Index: etc/login.defs
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -325,7 +319,7 @@ USERDEL_POSTCMD /usr/sbin/userde
@@ -303,7 +297,7 @@ USERDEL_POSTCMD /usr/sbin/userde
#
# This also enables userdel(8) to remove user groups if no members exist.
#
@ -146,7 +146,7 @@ Index: etc/login.defs
#
# If set to a non-zero number, the shadow utilities will make sure that
@@ -344,7 +338,7 @@ USERGROUPS_ENAB yes
@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
@ -155,4 +155,3 @@ Index: etc/login.defs
#
# Force use shadow, even if shadow passwd & shadow group files are


@ -1,6 +1,9 @@
Remove variables that are present in login.defs, but shadow with the
current configuration (e. g. with PAM) does not use them.
It also includes variables used by the current configuration, but deleted
in the spec file.
shadow-login_defs-unused-check.sh makes possible to verify that it is
still up to date.
@ -221,10 +224,38 @@ Index: etc/login.defs
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
@@ -382,17 +252,6 @@ CHFN_RESTRICT rwh
#YESCRYPT_COST_FACTOR 5
@@ -354,45 +224,6 @@ CHFN_RESTRICT rwh
#SHA_CRYPT_MAX_ROUNDS 5000
#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 13
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-#YESCRYPT_COST_FACTOR 5
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
-# setting). Default is none.
@ -239,7 +270,7 @@ Index: etc/login.defs
# Should login be allowed if we can't cd to the home directory?
# Default is no.
#
@@ -407,12 +266,6 @@ DEFAULT_HOME yes
@@ -407,12 +238,6 @@ DEFAULT_HOME yes
NONEXISTENT /nonexistent
#
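Review bot: The patch header says `shadow-login_defs-unused-check.sh makes possible to verify that it is still up to date`, but the script this commit touches and the spec refer to shadow-login_defs-check.sh, so the name in the header looks stale (unless a separate unused-check script exists — verify). While editing it, `makes possible to verify` reads better as `makes it possible to verify`. On the substantive side, dropping `BCRYPT_MIN_ROUNDS`, `BCRYPT_MAX_ROUNDS` and `YESCRYPT_COST_FACTOR` leaves an administrator who sets `ENCRYPT_METHOD YESCRYPT` with no cost knob in this file; if that is intentional because pam_unix 1.5.2 does not read these keys, a sentence saying so in the header would pre-empt the question.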


@ -109,39 +109,32 @@ Index: etc/login.defs
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -67,6 +67,7 @@ struct itemdef {
{"LOGIN_STRING", NULL}, \
{"MAIL_CHECK_ENAB", NULL}, \
{"MOTD_FILE", NULL}, \
+ {"MOTD_FIRSTONLY", NULL}, \
{"NOLOGINS_FILE", NULL}, \
{"OBSCURE_CHECKS_ENAB", NULL}, \
{"PASS_ALWAYS_WARN", NULL}, \
@@ -91,6 +92,7 @@ struct itemdef {
@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536
LOGIN_RETRIES 5
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
static struct itemdef def_table[] = {
+ {"ALWAYS_SET_PATH", NULL},
{"CHARACTER_CLASS", NULL},
{"CHFN_RESTRICT", NULL},
{"CONSOLE_GROUPS", NULL},
@@ -99,6 +101,7 @@ static struct itemdef def_table[] = {
{"DEFAULT_HOME", NULL},
{"ENCRYPT_METHOD", NULL},
{"ENV_PATH", NULL},
+ {"ENV_ROOTPATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
{"FAIL_DELAY", NULL},
@@ -110,6 +113,7 @@ static struct itemdef def_table[] = {
{"KILLCHAR", NULL},
{"LASTLOG_UID_MAX", NULL},
{"LOGIN_RETRIES", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOGIN_TIMEOUT", NULL},
{"LOG_OK_LOGINS", NULL},
{"LOG_UNKFAIL_ENAB", NULL},
#
+# Tell login to only re-prompt for the password if authentication
+# failed, but the username is valid. The default value is no.
+#
+LOGIN_KEEP_USERNAME no
+
+#
# Max time in seconds for login(1)
#
LOGIN_TIMEOUT 60
@@ -315,15 +335,6 @@ CHARACTER_CLASS [ABCDEFGHIJKLMNO
#GRANT_AUX_GROUP_SUBIDS yes
#
-# Prevents an empty password field to be interpreted as "no authentication
-# required".
-# Set to "yes" to prevent for all accounts
-# Set to "superuser" to prevent for UID 0 / root (default)
-# Set to "no" to not prevent for any account (dangerous, historical default)
-
-PREVENT_NO_AUTH superuser
-
-#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
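Review bot: Removing the lib/getdef.c part of the patch makes every util-linux key this patch adds or keeps (`LOGIN_KEEP_USERNAME`, plus the previously patched-in ALWAYS_SET_PATH, ENV_ROOTPATH, LOGIN_PLAIN_PROMPT and MOTD_FIRSTONLY) depend entirely on upstream's FOREIGNDEFS table; if any of them is missing from the 4.9 table, getdef would presumably treat the key as unknown and warn at lookup time rather than fail the build. Worth confirming the 4.9 FOREIGNDEFS list covers each key and recording that in the patch header, e.g. `All util-linux keys kept in login.defs are accepted by shadow 4.9 via FOREIGNDEFS in lib/getdef.c`. The unknown-key behaviour is inferred, since getdef's warning path is not visible here. The `PREVENT_NO_AUTH` removal reads as intended given the changelog states login and su are not built from this package.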


@ -1,3 +1,44 @@
-------------------------------------------------------------------
Thu Nov 18 13:46:03 UTC 2021 - Michael Vetter <mvetter@suse.com>
- Fix segfaults in newgrp and pwck
* Add shadow-4.9-newgrp-segfault.patch
https://github.com/shadow-maint/shadow/pull/437
* Add shadow-4.9-pwck-segfault.patch
https://github.com/shadow-maint/shadow/pull/445
-------------------------------------------------------------------
Tue Nov 16 15:58:46 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* shadow.service
-------------------------------------------------------------------
Tue Nov 9 01:39:44 UTC 2021 - Stanislav Brabec <sbrabec@suse.com>
- shadow-util-linux.patch:
* Remove the section patching lib/getdef.c in favor of the
upstream FOREIGNDEFS.
* Add LOGIN_KEEP_USERNAME to login.defs.
* Remove PREVENT_NO_AUTH from login.defs. Only used by the
unpackaged login and su.
- shadow-login_defs-unused-by-pam.patch:
* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
YESCRYPT_COST_FACTOR, not supported by the current
configuratiton.
- Update login_defs-support-for-pam symbol to version 1.5.2
(support for new variable HMAC_CRYPTO_ALGO).
- Update login_defs-support-for-util-linux to version 2.37
(support for new variable LOGIN_KEEP_USERNAME).
- Refresh shadow-login_defs-comments.patch and
shadow-login_defs-suse.patch.
- Improve shadow-login_defs-check.sh:
* Add helper to import local new version in the parent dir.
* Fix spec editing sed expression.
* Add PREVENT_NO_AUTH to known unused variables.
* Update pam sed expression to find HMAC_CRYPTO_ALGO.
* Add more sanity checks.
-------------------------------------------------------------------
Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter <mvetter@suse.com>


@ -2,6 +2,19 @@
Description=Verify integrity of password and group files
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=read-only
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=oneshot
ExecStart=/usr/sbin/pwck -r
ExecStart=/usr/sbin/grpck -r
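Review bot: The hardening block added between `[Service]` and `Type=oneshot` leaves out a few directives that are safe for a read-only checker and close real attack surface: `NoNewPrivileges=true`, `PrivateTmp=true` and `RestrictNamespaces=true` (optionally also `SystemCallArchitectures=native` and `LockPersonality=true`). `ProtectHome=read-only` rather than `true` looks deliberate — pwck presumably needs to stat home directories to report missing ones — and a one-line comment saying so would stop the next hardening pass from tightening it and breaking the check. Both ExecStart lines pass `-r`, so `ProtectSystem=full` making /etc read-only is consistent with the unit's purpose.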


@ -71,6 +71,10 @@ Patch13: shadow-passwd-handle-null.patch
Patch14: shadow-4.9-sgent-free.patch
# PATCH-FIX-UPSTREAM shadow-4.9-useradd-subuid.patch mvetter@suse.de -- Fix generating empty subid range and undeclared subid_count (boo#1190146)
Patch15: shadow-4.9-useradd-subuid.patch
# PATCH-FIX-UPSTREAM shadow-4.9-newgrp-segfault.patch mvetter@suse.de -- Fix segfault in newgrp (gh#437)
Patch16: shadow-4.9-newgrp-segfault.patch
# PATCH-FIX-UPSTREAM shadow-4.9-pwck-segfault.patch mvetter@suse.de -- Fix segfault in pwck (gh#445)
Patch17: shadow-4.9-pwck-segfault.patch
BuildRequires: audit-devel > 2.3
BuildRequires: autoconf
BuildRequires: automake
@ -107,8 +111,8 @@ Summary: The login.defs configuration file
# encryption_method_nis.patch has to be ported!
# Call shadow-login_defs-check.sh before!
Group: System/Base
Provides: login_defs-support-for-pam = 1.3.1
Provides: login_defs-support-for-util-linux = 2.36
Provides: login_defs-support-for-pam = 1.5.2
Provides: login_defs-support-for-util-linux = 2.37
BuildArch: noarch
%description -n login_defs
@ -150,6 +154,8 @@ Development files for libsubid3.
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
mv -v doc/HOWTO.utf8 doc/HOWTO