forked from pool/shadow
Accepting request 1034857 from Base:System
- Update to 4.13: * useradd.8: fix default group ID * Revert drop of subid_init() * Georgian translation * useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog * relax username restrictions * selinux: check MLS enabled before setting serange * copy_tree: use fchmodat instead of chmod * copy_tree: don't block on FIFOs * add shell linter * copy_tree: carefully treat permissions * lib/commonio: make lock failures more detailed * lib: use strzero and memzero where applicable * Update Dutch translation * Don't test for NULL before calling free * Use libc MAX() and MIN() * chage: Fix regression in print_date * usermod: report error if homedir does not exist * libmisc: minimum id check for system accounts * fix usermod -rG x y wrongly adding a group * man: add missing space in useradd.8.xml * lastlog: check for localtime() return value * Raise limit for passwd and shadow entry length * Remove adduser-old.c * useradd: Fix buffer overflow when using a prefix * Don't warn when failed to open /etc/nsswitch.conf - Remove patches we took from upstream pre-release: * shadow-copytree-usermod-fifo.patch * shadow-chage-format.patch OBS-URL: https://build.opensuse.org/request/show/1034857 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=52
This commit is contained in:
commit
c4ba14a87f
@ -1,107 +0,0 @@
|
||||
Index: etc/login.defs
|
||||
===================================================================
|
||||
--- etc/login.defs.orig
|
||||
+++ etc/login.defs
|
||||
@@ -329,6 +329,13 @@ USERGROUPS_ENAB yes
|
||||
#
|
||||
#FORCE_SHADOW yes
|
||||
|
||||
+# User/group names must match the following regex expression.
|
||||
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
|
||||
+# but be aware that the result could depend on the locale settings.
|
||||
+#
|
||||
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
|
||||
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
|
||||
+
|
||||
#
|
||||
# Allow newuidmap and newgidmap when running under an alternative
|
||||
# primary group.
|
||||
Index: lib/getdef.c
|
||||
===================================================================
|
||||
--- lib/getdef.c.orig
|
||||
+++ lib/getdef.c
|
||||
@@ -91,6 +91,7 @@ struct itemdef {
|
||||
|
||||
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
|
||||
static struct itemdef def_table[] = {
|
||||
+ {"CHARACTER_CLASS", NULL},
|
||||
{"CHFN_RESTRICT", NULL},
|
||||
{"CONSOLE_GROUPS", NULL},
|
||||
{"CONSOLE", NULL},
|
||||
Index: libmisc/chkname.c
|
||||
===================================================================
|
||||
--- libmisc/chkname.c.orig
|
||||
+++ libmisc/chkname.c
|
||||
@@ -43,8 +43,11 @@
|
||||
#ident "$Id$"
|
||||
|
||||
#include <ctype.h>
|
||||
+#include <regex.h>
|
||||
#include "defines.h"
|
||||
#include "chkname.h"
|
||||
+#include "getdef.h"
|
||||
+#include <stdio.h>
|
||||
|
||||
int allow_bad_names = false;
|
||||
|
||||
@@ -54,24 +57,46 @@ static bool is_valid_name (const char *n
|
||||
return true;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * User/group names must match [a-z_][a-z0-9_-]*[$]
|
||||
- */
|
||||
+ const char *class;
|
||||
+ regex_t reg;
|
||||
+ int result;
|
||||
+ char *buf;
|
||||
+
|
||||
+ /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?.
|
||||
+ This is the POSIX portable character class. The $ at the end is
|
||||
+ needed for SAMBA. But user can also specify something else in
|
||||
+ /etc/login.defs. */
|
||||
+ class = getdef_str ("CHARACTER_CLASS");
|
||||
+ if (!class)
|
||||
+ class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?";
|
||||
+
|
||||
+ if (asprintf (&buf, "^%s$", class) < 0)
|
||||
+ return -1;
|
||||
+
|
||||
+ memset (®, 0, sizeof (regex_t));
|
||||
+ result = regcomp (®, buf, 0);
|
||||
+ free (buf);
|
||||
+
|
||||
+ if (result) {
|
||||
+ size_t length = regerror (result, ®, NULL, 0);
|
||||
+ char *buffer = malloc (length);
|
||||
+ if (buffer == NULL)
|
||||
+ fputs ("running out of memory!\n", stderr);
|
||||
+
|
||||
+ /* else
|
||||
+ {
|
||||
+ regerror (result, ®, buffer, length);
|
||||
+ fprintf (stderr, _("Can't compile regular expression: %s\n"),
|
||||
+ buffer);
|
||||
+ } */
|
||||
|
||||
- if (('\0' == *name) ||
|
||||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
|
||||
+ regfree(®);
|
||||
return false;
|
||||
}
|
||||
|
||||
- while ('\0' != *++name) {
|
||||
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
|
||||
- ( ('0' <= *name) && ('9' >= *name) ) ||
|
||||
- ('_' == *name) ||
|
||||
- ('-' == *name) ||
|
||||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
|
||||
- )) {
|
||||
- return false;
|
||||
- }
|
||||
+ if (regexec (®, name, 0, NULL, 0) != 0) {
|
||||
+ regfree(®);
|
||||
+ return false;
|
||||
}
|
||||
|
||||
return true;
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:3d3ec447cfdd11ab5f0486ebc47d15718349d13fea41fc8584568bc118083ccd
|
||||
size 1747620
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmMDfQYACgkQNXDaFycK
|
||||
ziQvPQf9HGXVezTAIW+tqa3T/Fpc1q8JPVXJO/GzNQPuyoqZCtHZihqgvc3gkdcB
|
||||
ZXIYXy1pB5lX6SEpSJjIeugXiUDBS465Q+Is1C76HqGh8dH7ws8tn4/ypA0S8/pv
|
||||
rkFT+sSjEqJLGCRpoRNoH2r++WkzUlags9aPabhZgJKHny31rSRAre0bsva7IGPs
|
||||
6iq1r4apKl8YssybAus3jmstxKj6y9S2Cmv+iEN0jY/+Oagrbl45p+NuHf/E0TSp
|
||||
sCnZCLtzUBb5LTeIfz15P+MfG+hDhFLPedWlLVTr7YZSWJVwf4gwttUWUOmSkkuF
|
||||
PEy7hhvMAd7X5Rtz/GVtfas+UUfekA==
|
||||
=WZd1
|
||||
-----END PGP SIGNATURE-----
|
BIN
shadow-4.13.tar.xz
(Stored with Git LFS)
Normal file
BIN
shadow-4.13.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
11
shadow-4.13.tar.xz.asc
Normal file
11
shadow-4.13.tar.xz.asc
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK
|
||||
ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5
|
||||
2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6
|
||||
P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL
|
||||
xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9
|
||||
tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D
|
||||
AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA==
|
||||
=33BL
|
||||
-----END PGP SIGNATURE-----
|
@ -1,29 +0,0 @@
|
||||
From e503fd574b7dbf6b21b1168e20938f0922807916 Mon Sep 17 00:00:00 2001
|
||||
From: Xiami <1927254+Xiami2012@users.noreply.github.com>
|
||||
Date: Wed, 5 Oct 2022 18:11:28 +0800
|
||||
Subject: [PATCH] chage: Fix regression in print_date
|
||||
|
||||
Introduced by c6c8130db4319613a91dd07bbb845f6c33c5f79f
|
||||
|
||||
After removing snprintf, the format string should get unescaped once.
|
||||
|
||||
Fixes #564
|
||||
|
||||
Reporter and patch author: DerMouse (github.com/DerMouse)
|
||||
---
|
||||
src/chage.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/chage.c b/src/chage.c
|
||||
index 8cf677942..01570d725 100644
|
||||
--- a/src/chage.c
|
||||
+++ b/src/chage.c
|
||||
@@ -228,7 +228,7 @@ static void print_date (time_t date)
|
||||
if (NULL == tp) {
|
||||
(void) printf ("time_t: %lu\n", (unsigned long)date);
|
||||
} else {
|
||||
- (void) strftime (buf, sizeof buf, iflg ? "%%Y-%%m-%%d" : "%%b %%d, %%Y", tp);
|
||||
+ (void) strftime (buf, sizeof buf, iflg ? "%Y-%m-%d" : "%b %d, %Y", tp);
|
||||
(void) puts (buf);
|
||||
}
|
||||
}
|
@ -1,50 +0,0 @@
|
||||
From 10cd68e0f04b48363eb32d2c6e168b358fb27810 Mon Sep 17 00:00:00 2001
|
||||
From: Samanta Navarro <ferivoz@riseup.net>
|
||||
Date: Sun, 4 Sep 2022 11:58:03 +0000
|
||||
Subject: [PATCH] copy_tree: do not block on fifos
|
||||
|
||||
Fixes regression introduced in faeab50e710131816b261de66141524898c2c487.
|
||||
|
||||
If a directory contains fifos, then openat blocks until the other side
|
||||
of the fifo is connected as well.
|
||||
|
||||
This means that users can prevent "usermod -m" from completing if their
|
||||
home directories contain at least one fifo.
|
||||
---
|
||||
libmisc/copydir.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libmisc/copydir.c b/libmisc/copydir.c
|
||||
index b6025f4c7..5fb47da01 100644
|
||||
--- a/libmisc/copydir.c
|
||||
+++ b/libmisc/copydir.c
|
||||
@@ -126,12 +126,12 @@ static int perm_copy_path(const struct path_info *src,
|
||||
{
|
||||
int src_fd, dst_fd, ret;
|
||||
|
||||
- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
|
||||
+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (src_fd < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
|
||||
+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (dst_fd < 0) {
|
||||
(void) close (src_fd);
|
||||
return -1;
|
||||
@@ -152,12 +152,12 @@ static int attr_copy_path(const struct path_info *src,
|
||||
{
|
||||
int src_fd, dst_fd, ret;
|
||||
|
||||
- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
|
||||
+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (src_fd < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
|
||||
+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (dst_fd < 0) {
|
||||
(void) close (src_fd);
|
||||
return -1;
|
@ -1,25 +0,0 @@
|
||||
From eaebea55a495a56317ed85e959b3599f73c6bdf2 Mon Sep 17 00:00:00 2001
|
||||
From: David Michael <fedora.dm0@gmail.com>
|
||||
Date: Sun, 23 Oct 2022 18:51:33 -0400
|
||||
Subject: [PATCH] useradd: Fix buffer overflow when using a prefix
|
||||
|
||||
The buffer length did not count the string's trailing null byte.
|
||||
|
||||
Signed-off-by: David Michael <fedora.dm0@gmail.com>
|
||||
---
|
||||
src/useradd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/useradd.c b/src/useradd.c
|
||||
index 39a744ee0..7ea0a9c4d 100644
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -2372,7 +2372,7 @@ static void create_mail (void)
|
||||
if (NULL == spool) {
|
||||
return;
|
||||
}
|
||||
- file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2);
|
||||
+ file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3);
|
||||
if (prefix[0])
|
||||
sprintf (file, "%s/%s/%s", prefix, spool, user_name);
|
||||
else
|
@ -1,3 +1,43 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 8 21:15:44 UTC 2022 - Michael Vetter <mvetter@suse.com>
|
||||
|
||||
- Update to 4.13:
|
||||
* useradd.8: fix default group ID
|
||||
* Revert drop of subid_init()
|
||||
* Georgian translation
|
||||
* useradd: Avoid taking unneeded space: do not reset non-existent data
|
||||
in lastlog
|
||||
* relax username restrictions
|
||||
* selinux: check MLS enabled before setting serange
|
||||
* copy_tree: use fchmodat instead of chmod
|
||||
* copy_tree: don't block on FIFOs
|
||||
* add shell linter
|
||||
* copy_tree: carefully treat permissions
|
||||
* lib/commonio: make lock failures more detailed
|
||||
* lib: use strzero and memzero where applicable
|
||||
* Update Dutch translation
|
||||
* Don't test for NULL before calling free
|
||||
* Use libc MAX() and MIN()
|
||||
* chage: Fix regression in print_date
|
||||
* usermod: report error if homedir does not exist
|
||||
* libmisc: minimum id check for system accounts
|
||||
* fix usermod -rG x y wrongly adding a group
|
||||
* man: add missing space in useradd.8.xml
|
||||
* lastlog: check for localtime() return value
|
||||
* Raise limit for passwd and shadow entry length
|
||||
* Remove adduser-old.c
|
||||
* useradd: Fix buffer overflow when using a prefix
|
||||
* Don't warn when failed to open /etc/nsswitch.conf
|
||||
- Remove patches we took from upstream pre-release:
|
||||
* shadow-copytree-usermod-fifo.patch
|
||||
* shadow-chage-format.patch
|
||||
* shadow-prefix-overflow.patch
|
||||
- Remove chkname-regex.patch:
|
||||
Upstream now also relaxed the usernames requirements.
|
||||
They don't use regex for this but the result is similar.
|
||||
Plus they also check that the name is less than 32 characters long.
|
||||
- Rebase useradd-userkeleton.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 7 11:20:36 UTC 2022 - Michael Vetter <mvetter@suse.com>
|
||||
|
||||
|
28
shadow.spec
28
shadow.spec
@ -22,7 +22,7 @@
|
||||
%define no_config 1
|
||||
%endif
|
||||
Name: shadow
|
||||
Version: 4.12.3
|
||||
Version: 4.13
|
||||
Release: 0
|
||||
Summary: Utilities to Manage User and Group Accounts
|
||||
License: BSD-3-Clause AND GPL-2.0-or-later
|
||||
@ -45,26 +45,18 @@ Patch0: shadow-login_defs-unused-by-pam.patch
|
||||
Patch1: userdel-script.patch
|
||||
# PATCH-FEATURE-SUSE useradd-script.patch kukuk@suse.com -- Add support for USERADD_CMD.
|
||||
Patch2: useradd-script.patch
|
||||
# PATCH-FEATURE-SUSE chkname-regex.patch kukuk@suse.com -- Username restriction by regex.
|
||||
Patch3: chkname-regex.patch
|
||||
# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
|
||||
Patch4: useradd-default.patch
|
||||
Patch3: useradd-default.patch
|
||||
# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
|
||||
Patch5: shadow-util-linux.patch
|
||||
Patch4: shadow-util-linux.patch
|
||||
# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
|
||||
Patch6: shadow-login_defs-comments.patch
|
||||
Patch5: shadow-login_defs-comments.patch
|
||||
# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
|
||||
Patch7: shadow-login_defs-suse.patch
|
||||
Patch6: shadow-login_defs-suse.patch
|
||||
# PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321)
|
||||
Patch8: useradd-userkeleton.patch
|
||||
Patch7: useradd-userkeleton.patch
|
||||
# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
|
||||
Patch9: disable_new_audit_function.patch
|
||||
# PATCH-FIX-UPSTREAM shadow-prefix-overflow.patch mvetter@suse.com -- Fix buffer overflow when using --prefix in useradd
|
||||
Patch10: https://github.com/shadow-maint/shadow/commit/eaebea55a495a56317ed85e959b3599f73c6bdf2.patch#/shadow-prefix-overflow.patch
|
||||
# PATCH-FIX-UPSTREAM shadow-chage-format.patch mvetter@suse.com -- Fix chage format string
|
||||
Patch11: https://github.com/shadow-maint/shadow/commit/e503fd574b7dbf6b21b1168e20938f0922807916.patch#/shadow-chage-format.patch
|
||||
# PATCH-FIX-UPSTREAM shadow-copytree-usermod-fifo.patch mvetter@suse.com -- Fix regression when openat blocks
|
||||
Patch12: https://github.com/shadow-maint/shadow/commit/10cd68e0f04b48363eb32d2c6e168b358fb27810.patch#/shadow-copytree-usermod-fifo.patch
|
||||
Patch8: disable_new_audit_function.patch
|
||||
BuildRequires: audit-devel > 2.3
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
@ -131,13 +123,9 @@ Development files for libsubid4.
|
||||
%patch5
|
||||
%patch6
|
||||
%patch7
|
||||
%patch8
|
||||
%if 0%{?suse_version} < 1330
|
||||
%patch9 -p1
|
||||
%patch8 -p1
|
||||
%endif
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
|
||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||
mv -v doc/HOWTO.utf8 doc/HOWTO
|
||||
|
@ -100,7 +100,7 @@ Index: src/useradd.c
|
||||
|
||||
if (!out_create_mail_spool)
|
||||
fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
|
||||
@@ -2756,6 +2791,8 @@ int main (int argc, char **argv)
|
||||
@@ -2758,6 +2793,8 @@ int main (int argc, char **argv)
|
||||
if (home_added) {
|
||||
copy_tree (def_template, prefix_user_home, false, true,
|
||||
(uid_t)-1, user_id, (gid_t)-1, user_gid);
|
||||
@ -113,7 +113,7 @@ Index: libmisc/copydir.c
|
||||
===================================================================
|
||||
--- libmisc/copydir.c.orig
|
||||
+++ libmisc/copydir.c
|
||||
@@ -453,6 +453,14 @@ static int copy_entry (const struct path
|
||||
@@ -449,6 +449,14 @@ static int copy_entry (const struct path
|
||||
}
|
||||
|
||||
/*
|
||||
@ -128,7 +128,7 @@ Index: libmisc/copydir.c
|
||||
* Copy any symbolic links
|
||||
*/
|
||||
|
||||
@@ -511,6 +519,7 @@ static int copy_dir (const struct path_i
|
||||
@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
int err = 0;
|
||||
@ -136,11 +136,10 @@ Index: libmisc/copydir.c
|
||||
|
||||
/*
|
||||
* Create a new target directory, make it owned by
|
||||
@@ -522,6 +531,16 @@ static int copy_dir (const struct path_i
|
||||
@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
+
|
||||
+ /*
|
||||
+ * If the destination is already a directory, don't change it
|
||||
+ * but copy into it (recursively).
|
||||
@ -150,6 +149,6 @@ Index: libmisc/copydir.c
|
||||
+ old_uid, new_uid, old_gid, new_gid) != 0);
|
||||
+ }
|
||||
+
|
||||
if ( (mkdirat (dst->dirfd, dst->name, statp->st_mode) != 0)
|
||||
if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0)
|
||||
|| (chownat_if_needed (dst, statp,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0)
|
||||
|
Loading…
Reference in New Issue
Block a user