From 51ee267bd30f9aa3ff92a601127fc13028c615d877ba91717b0070b617d5a43f Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Fri, 4 Aug 2023 15:48:26 +0000 Subject: [PATCH 1/6] - Update to 4.14.0: - Refresh useradd-default.patch - Remove upstreamed patches: * useradd-userkeleton.patch * shadow-audit-no-id.patch * shadow-fix-print-login-timeout.patch * shadow-CVE-2023-29383.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=149 --- my.patch | 16 +++ shadow-4.13.tar.xz | 3 - shadow-4.13.tar.xz.asc | 11 -- shadow-4.14.0.tar.gz | 3 + shadow-CVE-2023-29383.patch | 51 --------- shadow-audit-no-id.patch | 36 ------- shadow-fix-print-login-timeout.patch | 41 ------- shadow.changes | 11 ++ shadow.spec | 34 +++--- useradd-default.patch | 4 +- useradd-userkeleton.patch | 154 --------------------------- 11 files changed, 47 insertions(+), 317 deletions(-) create mode 100644 my.patch delete mode 100644 shadow-4.13.tar.xz delete mode 100644 shadow-4.13.tar.xz.asc create mode 100644 shadow-4.14.0.tar.gz delete mode 100644 shadow-CVE-2023-29383.patch delete mode 100644 shadow-audit-no-id.patch delete mode 100644 shadow-fix-print-login-timeout.patch delete mode 100644 useradd-userkeleton.patch diff --git a/my.patch b/my.patch new file mode 100644 index 0000000..572f354 --- /dev/null +++ b/my.patch @@ -0,0 +1,16 @@ +diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am +index cc24901e..227d8fb4 100644 +--- a/libmisc/Makefile.am ++++ b/libmisc/Makefile.am +@@ -17,9 +17,11 @@ libmisc_la_SOURCES = \ + age.c \ + agetpass.c \ + alloc.c \ ++ alloc.h \ + audit_help.c \ + basename.c \ + bit.c \ ++ bit.h \ + chkname.c \ + chkname.h \ + chowndir.c \ diff --git a/shadow-4.13.tar.xz b/shadow-4.13.tar.xz deleted file mode 100644 index 5c36f2b..0000000 --- a/shadow-4.13.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9afe245d79a2e7caac5f1ed62519b17416b057ec89df316df1c3935502f9dd2c -size 1762908 
diff --git a/shadow-4.13.tar.xz.asc b/shadow-4.13.tar.xz.asc
deleted file mode 100644
index ebdadeb..0000000
--- a/shadow-4.13.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmNqhwIACgkQNXDaFycK
-ziTcAQgAuB+Q+bbDHqzcW50by/t/7WYiV9XRMroS51FglzrMl3w+W1m4dR3weGj5
-2n0n+J+SOFrqz+j8VGcdI9jsdjNVRau/ZXfzRRZHm9jmGXIKXXxtPKgAN6tK1lK6
-P8qUULJIK8fwreU6pqD4vm6hw2IbfUwG2wP6fEpwFwYW9hq9LWzbiyo5+V9d49zL
-xJTYx64GbYekUi71GO+UoxWIbuoHqqtkwK213/dq34Ukk+gOTRGyTI7JJKv510+9
-tZSDDRS+zVXxttWQTng+3hTzdQZ6dYtnigxZGUPjyJieIOFvKljQdRsm3tOInK9D
-AVM6K2qPqt6RmGRZ+i5FPryk/2JEeA==
-=33BL
------END PGP SIGNATURE-----
diff --git a/shadow-4.14.0.tar.gz b/shadow-4.14.0.tar.gz
new file mode 100644
index 0000000..32f3b3e
--- /dev/null
+++ b/shadow-4.14.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d894c706156cdf69bc320cf3c587a7a93631046d21669960425e8874f992911
+size 3382521
diff --git a/shadow-CVE-2023-29383.patch b/shadow-CVE-2023-29383.patch
deleted file mode 100644
index c4b06c5..0000000
--- a/shadow-CVE-2023-29383.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -Index: shadow-4.13/lib/fields.c -=================================================================== ---- shadow-4.13.orig/lib/fields.c -+++ shadow-4.13/lib/fields.c -@@ -21,9 +21,9 @@ - * - * The supplied field is scanned for non-printable and other illegal - * characters. -- * + -1 is returned if an illegal character is present. -- * + 1 is returned if no illegal characters are present, but the field -- * contains a non-printable character. -+ * + -1 is returned if an illegal or control character is present. -+ * + 1 is returned if no illegal or control characters are present, -+ * but the field contains a non-printable character. - * + 0 is returned otherwise. - */ - int valid_field (const char *field, const char *illegal) -@@ -37,23 +37,22 @@ int valid_field (const char *field, cons - - /* For each character of field, search if it appears in the list - * of illegal characters. */ -+ if (illegal && NULL != strpbrk (field, illegal)) { -+ return -1; -+ } -+ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { -- if (strchr (illegal, *cp) != NULL) { -+ unsigned char c = *cp; -+ if (!isprint (c)) { -+ err = 1; -+ } -+ if (iscntrl (c)) { - err = -1; - break; - } - } - -- if (0 == err) { -- /* Search if there are some non-printable characters */ -- for (cp = field; '\0' != *cp; cp++) { -- if (!isprint (*cp)) { -- err = 1; -- break; -- } -- } -- } -- - return err; - } - diff --git a/shadow-audit-no-id.patch b/shadow-audit-no-id.patch deleted file mode 100644 index e79fcda..0000000 --- a/shadow-audit-no-id.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 3cfc7955b33c85472a7cf11a0ecf1c6851db7c26 Mon Sep 17 00:00:00 2001 -From: Michael Vetter -Date: Thu, 15 Dec 2022 11:52:58 +0100 -Subject: [PATCH] Fix useradd audit event logging of ID field - -When useradd sends its ADD_USER event, it is filling in the id field. This is not yet written to disk. When auditd sees the event and the log format is enriched, auditd tries to lookup the user name but it does not exist. This causes the event to never be resolvable since ausearch relies on the lookup information attached by auditd. - -The fix is to not send the id information for any event until after close_files() is called. Just the acct field is all that is - -Patch by Steve Grubb (afaik). - -Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1713432 ---- - src/useradd.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/useradd.c b/src/useradd.c -index e59e47681..87abd6e33 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -2225,9 +2225,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count) - #endif /* ENABLE_SUBIDS */ - - #ifdef WITH_AUDIT -+ /* -+ * Even though we have the ID of the user, we won't send it now -+ * because its not written to disk yet. After close_files it is -+ * and we can use the real ID thereafter. -+ */ - audit_logger (AUDIT_ADD_USER, Prog, - "adding user", -- user_name, (unsigned int) user_id, -+ user_name, AUDIT_NO_ID, - SHADOW_AUDIT_SUCCESS); - #endif - /* diff --git a/shadow-fix-print-login-timeout.patch b/shadow-fix-print-login-timeout.patch deleted file mode 100644 index 7a6dcbd..0000000 --- a/shadow-fix-print-login-timeout.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 670cae834827a8f794e6f7464fa57790d911b63c Mon Sep 17 00:00:00 2001 -From: SoumyaWind <121475834+SoumyaWind@users.noreply.github.com> -Date: Tue, 27 Dec 2022 17:40:17 +0530 -Subject: [PATCH] shadow: Fix can not print full login timeout message - -Login timed out message prints only first few bytes when write is immediately followed by exit. -Calling exit from new handler provides enough time to display full message. ---- - src/login.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/login.c b/src/login.c -index 116e2cb36..c55f4de0a 100644 ---- a/src/login.c -+++ b/src/login.c -@@ -120,6 +120,7 @@ static void get_pam_user (char **ptr_pam_user); - - static void init_env (void); - static void alarm_handler (int); -+static void exit_handler (int); - - /* - * usage - print login command usage and exit -@@ -391,11 +392,16 @@ static void init_env (void) - #endif /* !USE_PAM */ - } - -+static void exit_handler (unused int sig) -+{ -+ _exit (0); -+} - - static void alarm_handler (unused int sig) - { - write (STDERR_FILENO, tmsg, strlen (tmsg)); -- _exit (0); -+ signal(SIGALRM, exit_handler); -+ alarm(2); - } - - #ifdef USE_PAM diff --git a/shadow.changes b/shadow.changes index 67d8d7c..b8aa697 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Aug 3 17:09:55 UTC 2023 - Michael Vetter + +- Update to 4.14.0: +- Refresh useradd-default.patch +- Remove upstreamed patches: + * useradd-userkeleton.patch + * shadow-audit-no-id.patch + * shadow-fix-print-login-timeout.patch + * shadow-CVE-2023-29383.patch + ------------------------------------------------------------------- Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter diff --git a/shadow.spec b/shadow.spec index 90580cb..01f6f1f 100644 --- a/shadow.spec +++ b/shadow.spec 
@@ -22,15 +22,17 @@
 %define no_config 1
 %endif
 Name: shadow
-Version: 4.13
+Version: 4.14.0
 Release: 0
 Summary: Utilities to Manage User and Group Accounts
 License: BSD-3-Clause AND GPL-2.0-or-later
 Group: System/Base
 URL: https://github.com/shadow-maint/shadow
-Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+#Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz/
+#Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc1/shadow-4.14.0-rc1.tar.xz#/shadow-%{version}.tar.xz
+Source0: https://github.com/shadow-maint/shadow/archive/refs/tags/4.14.0-rc1.tar.gz#/shadow-%{version}.tar.gz
 Source1: pamd.tar.bz2
-Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+#Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
 Source3: %{name}.keyring
 Source4: shadow.service
 Source5: shadow.timer
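Review bot: Commenting out `Source2` (the `.tar.xz.asc`) while `Source3: %{name}.keyring` stays leaves the new tarball with no detached signature to check, and the active `Source0` is GitHub's generated archive of the `4.14.0-rc1` tag saved as `shadow-%{version}.tar.gz`, so a release candidate is packaged under `Version: 4.14.0`. For a package that installs setuid-root binaries such as passwd, the source should be the signed release tarball, or the version should say what is really being built, e.g. `Version: 4.14.0~rc1`. The Source0 hunk of patch 2/6 has the same gap with the rc4 tarball; patch 3/6 restores the `%{version}` URL together with `Source2`. The two `#Source0:` lines kept as comments can be dropped once that is settled.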
@@ -46,26 +48,22 @@ Patch2: shadow-util-linux.patch Patch3: shadow-login_defs-comments.patch # PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs. Patch4: shadow-login_defs-suse.patch -# PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321) (gh/shadow-maint/shadow#591) -Patch5: useradd-userkeleton.patch # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions. -Patch6: disable_new_audit_function.patch -# PATCH-FIX-UPSTREAM shadow-audit-no-id.patch mvetter@suse.com -- Fix useradd audit event logging of ID field (bsc#1205502) (gh/shadow-maint/shadow#606) -Patch7: shadow-audit-no-id.patch -# PATCH-FIX-UPSTREAM shadow-fix-print-login-timeout.patch mvetter@suse.com -- Fix print full login timeout message (gh/shadow-maint/shadow#621) -Patch8: shadow-fix-print-login-timeout.patch -# PATCH-FIX-UPSTREAM shadow-CVE-2023-29383.patch mvetter@suse.com -- Check control chracters in chfn (bsc#1210507) -Patch9: shadow-CVE-2023-29383.patch +Patch5: disable_new_audit_function.patch +Patch6: my.patch BuildRequires: audit-devel > 2.3 BuildRequires: autoconf BuildRequires: automake BuildRequires: libacl-devel BuildRequires: libattr-devel +BuildRequires: libbsd-devel BuildRequires: libselinux-devel BuildRequires: libsemanage-devel BuildRequires: libtool BuildRequires: pam-devel BuildRequires: xz +# todo +BuildRequires: byacc Requires: login_defs >= %{version} Requires(pre): group(root) Requires(pre): group(shadow) @@ -113,19 +111,16 @@ Requires: libsubid4 = %{version} Development files for libsubid4. %prep -%setup -q -a 1 +%setup -q -a 1 -n shadow-4.14.0-rc1 %patch0 %patch1 %patch2 %patch3 %patch4 -%patch5 %if 0%{?suse_version} < 1330 -%patch6 -p1 +%patch5 -p1 %endif -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +%patch6 -p1 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO 
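Review bot: Dropping `Patch9: shadow-CVE-2023-29383.patch` is only safe if the tree that Source0 unpacks already has the control-character check in `valid_field()`; at this revision that tree is the 4.14.0-rc1 tag and nothing in the patch shows the fix is in it, so this should be confirmed and the bsc#1210507 reference kept in the changelog entry. Separately, `Patch6: my.patch` is added without the `# PATCH-...` provenance comment that Patch4 and Patch5 carry, and its name does not describe it; something like `# PATCH-FIX-UPSTREAM <descriptive-name>.patch <maintainer> -- add alloc.h and bit.h to libmisc_la_SOURCES` would match the others. The `# todo` above `BuildRequires: byacc` should say why byacc is needed.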
@@ -148,7 +143,8 @@ autoreconf -fvi --without-libcrack \ --with-group-name-max-length=32 \ --enable-vendordir=%{_distconfdir} -%make_build +#%make_build +make -j1 # --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336 %install diff --git a/useradd-default.patch b/useradd-default.patch index ed8e29e..8e633d0 100644 --- a/useradd-default.patch +++ b/useradd-default.patch @@ -2,12 +2,12 @@ Index: src/useradd.c =================================================================== --- src/useradd.c.orig +++ src/useradd.c -@@ -101,7 +101,7 @@ FILE *shadow_logfd = NULL; +@@ -87,7 +87,7 @@ const char *Prog; /* * These defaults are used if there is no defaults file. */ -static gid_t def_group = 1000; +static gid_t def_group = 100; + static const char *def_groups = ""; static const char *def_gname = "other"; static const char *def_home = "/home"; - static const char *def_shell = "/bin/bash"; diff --git a/useradd-userkeleton.patch b/useradd-userkeleton.patch deleted file mode 100644 index 32d83bc..0000000 --- a/useradd-userkeleton.patch +++ /dev/null 
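Review bot: `#%make_build` is not an inert comment: rpm expands macros on comment lines too (rpmlint reports this as macro-in-comment), so the line should be written `#%%make_build` or removed. The same applies to the `%{version}` uses in the commented-out `#Source0:` and `#Source2:` lines earlier in this patch, where the expansion happens to be harmless. `make -j1` also carries no comment naming the parallel-build failure it works around, which makes it hard to know when it can be reverted; patch 2/6 goes back to `%make_build`.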
@@ -1,154 +0,0 @@ -Copy also skeleton files from /usr/etc/skel (boo#1173321) - ---- - etc/useradd | 1 + - src/useradd.c | 37 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 38 insertions(+) - -Index: src/useradd.c -=================================================================== ---- src/useradd.c.orig -+++ src/useradd.c -@@ -61,6 +61,9 @@ - #ifndef SKEL_DIR - #define SKEL_DIR "/etc/skel" - #endif -+#ifndef USRSKELDIR -+#define USRSKELDIR "/usr/etc/skel" -+#endif - #ifndef USER_DEFAULTS_FILE - #define USER_DEFAULTS_FILE "/etc/default/useradd" - #define NEW_USER_FILE "/etc/default/nuaddXXXXXX" -@@ -84,6 +87,7 @@ static const char *def_gname = "other"; - static const char *def_home = "/home"; - static const char *def_shell = "/bin/bash"; - static const char *def_template = SKEL_DIR; -+static const char *def_usrtemplate = USRSKELDIR; - static const char *def_create_mail_spool = "yes"; - static const char *def_log_init = "yes"; - -@@ -188,6 +192,7 @@ static bool home_added = false; - #define DINACT "INACTIVE=" - #define DEXPIRE "EXPIRE=" - #define DSKEL "SKEL=" -+#define DUSRSKEL "USRSKEL=" - #define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL=" - #define DLOG_INIT "LOG_INIT=" - -@@ -461,6 +466,29 @@ static void get_defaults (void) - } - - /* -+ * Default Usr Skeleton information -+ */ -+ else if (MATCH (buf, DUSRSKEL)) { -+ if ('\0' == *cp) { -+ cp = USRSKELDIR; /* XXX warning: const */ -+ } -+ -+ if(prefix[0]) { -+ size_t len; -+ int wlen; -+ char* _def_usrtemplate; /* avoid const warning */ -+ -+ len = strlen(prefix) + strlen(cp) + 2; -+ _def_usrtemplate = xmalloc(len); -+ wlen = snprintf(_def_usrtemplate, len, "%s/%s", prefix, cp); -+ assert (wlen == (int) len -1); -+ def_usrtemplate = _def_usrtemplate; -+ } -+ else { -+ def_usrtemplate = xstrdup (cp); -+ } -+ } -+ /* - * Create by default user mail spool or not ? 
- */ - else if (MATCH (buf, DCREATE_MAIL_SPOOL)) { -@@ -502,6 +530,7 @@ static void show_defaults (void) - printf ("EXPIRE=%s\n", def_expire); - printf ("SHELL=%s\n", def_shell); - printf ("SKEL=%s\n", def_template); -+ printf ("USRSKEL=%s\n", def_usrtemplate); - printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool); - printf ("LOG_INIT=%s\n", def_log_init); - } -@@ -530,6 +559,7 @@ static int set_defaults (void) - bool out_expire = false; - bool out_shell = false; - bool out_skel = false; -+ bool out_usrskel = false; - bool out_create_mail_spool = false; - bool out_log_init = false; - size_t len; -@@ -643,6 +673,9 @@ static int set_defaults (void) - } else if (!out_skel && MATCH (buf, DSKEL)) { - fprintf (ofp, DSKEL "%s\n", def_template); - out_skel = true; -+ } else if (!out_usrskel && MATCH (buf, DUSRSKEL)) { -+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate); -+ out_usrskel = true; - } else if (!out_create_mail_spool - && MATCH (buf, DCREATE_MAIL_SPOOL)) { - fprintf (ofp, -@@ -678,6 +711,8 @@ static int set_defaults (void) - fprintf (ofp, DSHELL "%s\n", def_shell); - if (!out_skel) - fprintf (ofp, DSKEL "%s\n", def_template); -+ if (!out_usrskel) -+ fprintf (ofp, DUSRSKEL "%s\n", def_usrtemplate); - - if (!out_create_mail_spool) - fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool); -@@ -2758,6 +2793,8 @@ int main (int argc, char **argv) - if (home_added) { - copy_tree (def_template, prefix_user_home, false, true, - (uid_t)-1, user_id, (gid_t)-1, user_gid); -+ copy_tree (def_usrtemplate, prefix_user_home, false, false, -+ (uid_t)-1, user_id, (gid_t)-1, user_gid); - } else { - fprintf (stderr, - _("%s: warning: the home directory %s already exists.\n" -Index: libmisc/copydir.c -=================================================================== ---- libmisc/copydir.c.orig -+++ libmisc/copydir.c -@@ -449,6 +449,14 @@ static int copy_entry (const struct path - } - - /* -+ * If the destination already exists do nothing. 
-+ * This is after the copy_dir above to still iterate into subdirectories. -+ */ -+ if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) { -+ return 0; -+ } -+ -+ /* - * Copy any symbolic links - */ - -@@ -507,6 +515,7 @@ static int copy_dir (const struct path_i - gid_t old_gid, gid_t new_gid) - { - int err = 0; -+ struct stat dst_sb; - - /* - * Create a new target directory, make it owned by -@@ -518,6 +527,15 @@ static int copy_dir (const struct path_i - return -1; - } - #endif /* WITH_SELINUX */ -+ /* -+ * If the destination is already a directory, don't change it -+ * but copy into it (recursively). -+ */ -+ if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) { -+ return (copy_tree (src, dst, false, reset_selinux, -+ old_uid, new_uid, old_gid, new_gid) != 0); -+ } -+ - if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0) - || (chownat_if_needed (dst, statp, - old_uid, new_uid, old_gid, new_gid) != 0) From d8c5f764faaa2e6f66c5a67a5335fc54f9fe8d20753484ca1a9a4f01e5d283ab Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Mon, 14 Aug 2023 13:58:58 +0000 Subject: [PATCH 2/6] - Dont build lastlog (lastlog.legacy) anymore since we use lastlog2 by default now. OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=150 --- my.patch | 16 ---------------- shadow-4.14.0.tar.gz | 3 --- shadow-4.14.0.tar.xz | 3 +++ shadow.changes | 2 ++ shadow.spec | 28 ++++------------------------ 5 files changed, 9 insertions(+), 43 deletions(-) delete mode 100644 my.patch delete mode 100644 shadow-4.14.0.tar.gz create mode 100644 shadow-4.14.0.tar.xz diff --git a/my.patch b/my.patch deleted file mode 100644 index 572f354..0000000 --- a/my.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am -index cc24901e..227d8fb4 100644 ---- a/libmisc/Makefile.am -+++ b/libmisc/Makefile.am -@@ -17,9 +17,11 @@ libmisc_la_SOURCES = \ - age.c \ - agetpass.c \ - alloc.c \ -+ alloc.h \ - audit_help.c \ - basename.c \ - bit.c \ -+ bit.h \ - chkname.c \ - chkname.h \ - chowndir.c \ diff --git a/shadow-4.14.0.tar.gz b/shadow-4.14.0.tar.gz deleted file mode 100644 index 32f3b3e..0000000 --- a/shadow-4.14.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6d894c706156cdf69bc320cf3c587a7a93631046d21669960425e8874f992911 -size 3382521 diff --git a/shadow-4.14.0.tar.xz b/shadow-4.14.0.tar.xz new file mode 100644 index 0000000..2437aaf --- /dev/null +++ b/shadow-4.14.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b76d61c06f6ffea93a2585630c18cf5f6c6da7f2a4fb5979424f21fed5299b07 +size 1787272 diff --git a/shadow.changes b/shadow.changes index b8aa697..7b9b6d8 100644 --- a/shadow.changes +++ b/shadow.changes @@ -8,6 +8,8 @@ Thu Aug 3 17:09:55 UTC 2023 - Michael Vetter * shadow-audit-no-id.patch * shadow-fix-print-login-timeout.patch * shadow-CVE-2023-29383.patch +- Dont build lastlog (lastlog.legacy) anymore since we + use lastlog2 by default now. ------------------------------------------------------------------- Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter diff --git a/shadow.spec b/shadow.spec index 01f6f1f..d439664 100644 --- a/shadow.spec +++ b/shadow.spec 
@@ -30,7 +30,7 @@ Group: System/Base URL: https://github.com/shadow-maint/shadow #Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz/ #Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc1/shadow-4.14.0-rc1.tar.xz#/shadow-%{version}.tar.xz -Source0: https://github.com/shadow-maint/shadow/archive/refs/tags/4.14.0-rc1.tar.gz#/shadow-%{version}.tar.gz +Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc4/shadow-4.14.0-rc4.tar.xz#/shadow-%{version}.tar.xz Source1: pamd.tar.bz2 #Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source3: %{name}.keyring @@ -50,20 +50,18 @@ Patch3: shadow-login_defs-comments.patch Patch4: shadow-login_defs-suse.patch # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions. Patch5: disable_new_audit_function.patch -Patch6: my.patch BuildRequires: audit-devel > 2.3 BuildRequires: autoconf BuildRequires: automake BuildRequires: libacl-devel BuildRequires: libattr-devel +# we need libbsd or glibc >= 2.38 BuildRequires: libbsd-devel BuildRequires: libselinux-devel BuildRequires: libsemanage-devel BuildRequires: libtool BuildRequires: pam-devel BuildRequires: xz -# todo -BuildRequires: byacc Requires: login_defs >= %{version} Requires(pre): group(root) Requires(pre): group(shadow) @@ -111,7 +109,7 @@ Requires: libsubid4 = %{version} Development files for libsubid4. %prep -%setup -q -a 1 -n shadow-4.14.0-rc1 +%setup -q -a 1 -n shadow-4.14.0-rc4 %patch0 %patch1 %patch2 @@ -120,7 +118,6 @@ Development files for libsubid4. %if 0%{?suse_version} < 1330 %patch5 -p1 %endif -%patch6 -p1 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO 
@@ -143,8 +140,7 @@ autoreconf -fvi --without-libcrack \ --with-group-name-max-length=32 \ --enable-vendordir=%{_distconfdir} -#%make_build -make -j1 +%make_build # --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336 %install @@ -226,12 +222,6 @@ if [ ! -d %{buildroot}%{_distconfdir} ]; then fi mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d -%if 0%{?suse_version} >= 1599 -# Rename lastlog to lastlog.legacy, as it got replaced by lastlog2 -mv %{buildroot}/%{_bindir}/lastlog %{buildroot}/%{_bindir}/lastlog.legacy -mv %{buildroot}/%{_mandir}/man8/lastlog.8 %{buildroot}/%{_mandir}/man8/lastlog.legacy.8 -%endif - %find_lang shadow %pre @@ -331,11 +321,6 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm %verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd %verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap %verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap -%if 0%{?suse_version} >= 1599 -%{_bindir}/lastlog.legacy -%else -%{_bindir}/lastlog -%endif %{_bindir}/sg %{_bindir}/getsubids %attr(0755,root,root) %{_sbindir}/groupadd @@ -367,11 +352,6 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm %{_mandir}/man8/groupdel.8%{?ext_man} %{_mandir}/man8/groupmod.8%{?ext_man} %{_mandir}/man8/grpck.8%{?ext_man} -%if 0%{?suse_version} >= 1599 -%{_mandir}/man8/lastlog.legacy.8%{?ext_man} -%else -%{_mandir}/man8/lastlog.8%{?ext_man} -%endif %{_mandir}/man8/newusers.8%{?ext_man} %{_mandir}/man8/pwck.8%{?ext_man} %{_mandir}/man8/pwconv.8%{?ext_man} From 87279e85bbb0dc528c09dc576674e8e6bbdd7bc57e5d4c04b07d29302b8ae088 Mon Sep 17 00:00:00 2001 
From: Michael Vetter Date: Thu, 17 Aug 2023 07:04:09 +0000 Subject: [PATCH 3/6] * configure: add with-libbsd option * Code cleanup * Replace utmp interface #757 * new option enable-logind #674 * shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh * chsh: warn if root sets a shell not listed in /etc/shells #535 * newgrp: fix potential string injection * lastlog: fix alignment of Latest header * Fix yescrypt support #748 * chgpasswd: Fix segfault in command-line options * gpasswd: Fix password leak * Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627) * usermod: fix off-by-one issues #701 * ch(g)passwd: Check selinux permissions upon startup #675 * sub_[ug]id_{add,remove}: fix return values * chsh: Verify that login shell path is absolute #730 * process_prefix_flag: Drop privileges * run_parts for groupadd and groupdel #706 * newgrp/useradd: always set SIGCHLD to default * useradd/usermod: add --selinux-range argument #698 * sssd: skip flushing if executable does not exist #699 * semanage: Do not set default SELinux range #676 * Add control character check #687 * usermod: respect --prefix for --gid option * Fix null dereference in basename * newuidmap and newgidmap: support passing pid as fd * Prevent out of boundary access #633 * Explicitly override only newlines #633 * Correctly handle illegal system file in tz #633 * Supporting vendor given -shells- configuration file #599 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=151 --- shadow-4.14.0.tar.xz | 4 ++-- shadow-4.14.0.tar.xz.asc | 11 +++++++++++ shadow.changes | 36 +++++++++++++++++++++++++++++++++++- shadow.spec | 8 +++----- 4 files changed, 51 insertions(+), 8 deletions(-) create mode 100644 shadow-4.14.0.tar.xz.asc diff --git a/shadow-4.14.0.tar.xz b/shadow-4.14.0.tar.xz index 2437aaf..379d278 100644 --- a/shadow-4.14.0.tar.xz +++ b/shadow-4.14.0.tar.xz 
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b76d61c06f6ffea93a2585630c18cf5f6c6da7f2a4fb5979424f21fed5299b07
-size 1787272
+oid sha256:87e1c5cc10109536132f1b4e29b6df6edc99b70f36f71ff042c2783f2fa01d4f
+size 1787892
diff --git a/shadow-4.14.0.tar.xz.asc b/shadow-4.14.0.tar.xz.asc
new file mode 100644
index 0000000..a768a37
--- /dev/null
+++ b/shadow-4.14.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmTcOGUACgkQNXDaFycK
+ziRQVwgAyUZhhaLuXEHU6D3OwiK7frZa1qYMFpmJw/+jDr4T25TDRqXz331qSjiQ
+WkDxcLECImPmpL9zvLn+lIvfzXZRdxOAwBRV9wvOqma4gOgE5av+g7b4MvBVdoiT
+1JmDxjg/N9wdXz8plvD8Kwv9IGLBpe2e0ZuIazIVtxkY9A0xUVuz4kqBEsznVCdn
+C+x5iFpLahFg18U6DivTPvF7dMV30l1s+hkIDkiMxStmb6OtIezmu1GsTxJyIMnT
++PNQw5crHccfCfLQRH+eKHIGTqaibIawJWUS0lAzbQqq1J/kGo8aKg46JgEm7WtU
+0T14PVza1VqVNXAK8f0GlrVL82+iow==
+=blJ0
+-----END PGP SIGNATURE-----
diff --git a/shadow.changes b/shadow.changes
index 7b9b6d8..a37ff11 100644
--- a/shadow.changes
+++ b/shadow.changes
@@ -1,7 +1,41 @@ ------------------------------------------------------------------- -Thu Aug 3 17:09:55 UTC 2023 - Michael Vetter +Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter - Update to 4.14.0: + * configure: add with-libbsd option + * Code cleanup + * Replace utmp interface #757 + * new option enable-logind #674 + * shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh + * chsh: warn if root sets a shell not listed in /etc/shells #535 + * newgrp: fix potential string injection + * lastlog: fix alignment of Latest header + * Fix yescrypt support #748 + * chgpasswd: Fix segfault in command-line options + * gpasswd: Fix password leak + * Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627) + * usermod: fix off-by-one issues #701 + * ch(g)passwd: Check selinux permissions upon startup #675 + * sub_[ug]id_{add,remove}: fix return values + * chsh: Verify that login shell path is absolute #730 + * process_prefix_flag: Drop privileges + * run_parts for groupadd and groupdel #706 + * newgrp/useradd: always set SIGCHLD to default + * useradd/usermod: add --selinux-range argument #698 + * sssd: skip flushing if executable does not exist #699 + * semanage: Do not set default SELinux range #676 + * Add control character check #687 + * usermod: respect --prefix for --gid option + * Fix null dereference in basename + * newuidmap and newgidmap: support passing pid as fd + * Prevent out of boundary access #633 + * Explicitly override only newlines #633 + * Correctly handle illegal system file in tz #633 + * Supporting vendor given -shells- configuration file #599 + * Warn if failed to read existing /etc/nsswitch.conf + * chfn: new_fields: fix wrong fields printed + * Allow supplementary groups to be added via config file #586 + * useradd: check if subid range exists for user #592 (rh#2012929) - Refresh useradd-default.patch - Remove upstreamed patches: * useradd-userkeleton.patch 
diff --git a/shadow.spec b/shadow.spec index d439664..fede1a6 100644 --- a/shadow.spec +++ b/shadow.spec @@ -28,11 +28,9 @@ Summary: Utilities to Manage User and Group Accounts License: BSD-3-Clause AND GPL-2.0-or-later Group: System/Base URL: https://github.com/shadow-maint/shadow -#Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz/ -#Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc1/shadow-4.14.0-rc1.tar.xz#/shadow-%{version}.tar.xz -Source0: https://github.com/shadow-maint/shadow/releases/download/4.14.0-rc4/shadow-4.14.0-rc4.tar.xz#/shadow-%{version}.tar.xz +Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source1: pamd.tar.bz2 -#Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc +Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source3: %{name}.keyring Source4: shadow.service Source5: shadow.timer @@ -109,7 +107,7 @@ Requires: libsubid4 = %{version} Development files for libsubid4. %prep -%setup -q -a 1 -n shadow-4.14.0-rc4 +%setup -q -a 1 %patch0 %patch1 %patch2 From 1108d9a8b36c96faaf82db19ef776c0aed64fd7aa418966a9cc41c60a3fb7023 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Thu, 17 Aug 2023 07:07:20 +0000 Subject: [PATCH 4/6] - This release depends either on libbsd or on glibc >= 2.38 which only recently got released. libbsd (and libmd) would be new packages in our ring0 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=152 --- shadow.changes | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shadow.changes b/shadow.changes index a37ff11..1805cde 100644 --- a/shadow.changes +++ b/shadow.changes 
@@ -44,6 +44,9 @@ Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter * shadow-CVE-2023-29383.patch - Dont build lastlog (lastlog.legacy) anymore since we use lastlog2 by default now. +- This release depends either on libbsd or on glibc >= 2.38 + which only recently got released. libbsd (and libmd) would be + new packages in our ring0 ------------------------------------------------------------------- Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter From 2745f98eaf410450a67d76347e0e634380b73422894c4eec83f42c8b9b3a6676 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Thu, 17 Aug 2023 10:17:53 +0000 Subject: [PATCH 5/6] - Remove dependency on libbsd: On Tumbleweed we have glibc 2.38 already thus string functions like strlcpy will be present and won't be needed from libbsd. `readpassphrase()` is then the only function from libbsd not present. Upstream shadow has an in tree copy of it, that is used when the `--without-libbsd` flag is passed along. By relying on glibc 2.38 we don't need to add libbsd and libmd to our ring0 but can't easily upgrade on SLE. OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=153 --- shadow.changes | 12 ++++++++++++ shadow.spec | 3 +-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/shadow.changes b/shadow.changes index 1805cde..8091866 100644 --- a/shadow.changes +++ b/shadow.changes 
@@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Aug 17 10:14:14 UTC 2023 - Michael Vetter + +- Remove dependency on libbsd: + On Tumbleweed we have glibc 2.38 already thus string functions + like strlcpy will be present and won't be needed from libbsd. + `readpassphrase()` is then the only function from libbsd not present. + Upstream shadow has an in tree copy of it, that is used when the + `--without-libbsd` flag is passed along. + By relying on glibc 2.38 we don't need to add libbsd and libmd + to our ring0 but can't easily upgrade on SLE. + ------------------------------------------------------------------- Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter diff --git a/shadow.spec b/shadow.spec index fede1a6..3562d06 100644 --- a/shadow.spec +++ b/shadow.spec @@ -53,8 +53,6 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: libacl-devel BuildRequires: libattr-devel -# we need libbsd or glibc >= 2.38 -BuildRequires: libbsd-devel BuildRequires: libselinux-devel BuildRequires: libsemanage-devel BuildRequires: libtool @@ -136,6 +134,7 @@ autoreconf -fvi --with-nscd \ --with-selinux \ --without-libcrack \ + --without-libbsd \ --with-group-name-max-length=32 \ --enable-vendordir=%{_distconfdir} %make_build From 89d6ca85a0b24b48184932211d76b58a9d1df07107fc611b389d946a630227a1 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Thu, 17 Aug 2023 10:24:51 +0000 Subject: [PATCH 6/6] OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=154 --- shadow.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shadow.spec b/shadow.spec index 3562d06..802890c 100644 --- a/shadow.spec +++ b/shadow.spec 
@@ -58,6 +58,8 @@ BuildRequires: libsemanage-devel
 BuildRequires: libtool
 BuildRequires: pam-devel
 BuildRequires: xz
+# we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions
+BuildRequires: glibc-devel >= 2.38
 Requires: login_defs >= %{version}
 Requires(pre): group(root)
 Requires(pre): group(shadow)
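Review bot: The added comment `# we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions` does not match the build as configured: patch 5/6 passes `--without-libbsd`, and its changelog entry says readpassphrase() comes from upstream's in-tree copy, not from glibc. Suggested wording: `# built --without-libbsd: strlcpy() and friends come from glibc >= 2.38, readpassphrase() from the in-tree copy`. This commit also has no description and no shadow.changes entry for the new BuildRequires.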