basebuilder_pel7x64builder0
6 years ago
31 changed files with 6923 additions and 0 deletions
@ -0,0 +1,100 @@ |
|||||||
|
diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c |
||||||
|
--- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200 |
||||||
|
+++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200 |
||||||
|
@@ -143,6 +143,7 @@ int main (int argc, char **argv) |
||||||
|
struct group grent; |
||||||
|
const struct sgrp *sg; |
||||||
|
struct sgrp sgent; |
||||||
|
+ char *np; |
||||||
|
|
||||||
|
Prog = Basename (argv[0]); |
||||||
|
|
||||||
|
@@ -184,20 +185,25 @@ int main (int argc, char **argv) |
||||||
|
* Remove /etc/gshadow entries for groups not in /etc/group. |
||||||
|
*/ |
||||||
|
(void) sgr_rewind (); |
||||||
|
- while ((sg = sgr_next ()) != NULL) { |
||||||
|
- if (gr_locate (sg->sg_name) != NULL) { |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- |
||||||
|
- if (sgr_remove (sg->sg_name) == 0) { |
||||||
|
- /* |
||||||
|
- * This shouldn't happen (the entry exists) but... |
||||||
|
- */ |
||||||
|
- fprintf (stderr, |
||||||
|
- _("%s: cannot remove entry '%s' from %s\n"), |
||||||
|
- Prog, sg->sg_name, sgr_dbname ()); |
||||||
|
- fail_exit (3); |
||||||
|
+ sg = sgr_next (); |
||||||
|
+ np=NULL; |
||||||
|
+ while (sg != NULL) { |
||||||
|
+ np = strdup(sg->sg_name); |
||||||
|
+ sg = sgr_next (); |
||||||
|
+ |
||||||
|
+ if(gr_locate (np) == NULL) { |
||||||
|
+ if (sgr_remove (np) == 0) { |
||||||
|
+ /* |
||||||
|
+ * This shouldn't happen (the entry exists) but... |
||||||
|
+ */ |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: cannot remove entry '%s' from %s\n"), |
||||||
|
+ Prog, np, sgr_dbname ()); |
||||||
|
+ free(np); |
||||||
|
+ fail_exit (3); |
||||||
|
+ } |
||||||
|
} |
||||||
|
+ free(np); |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c |
||||||
|
--- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200 |
||||||
|
+++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200 |
||||||
|
@@ -173,6 +173,7 @@ int main (int argc, char **argv) |
||||||
|
struct passwd pwent; |
||||||
|
const struct spwd *sp; |
||||||
|
struct spwd spent; |
||||||
|
+ char *np; |
||||||
|
|
||||||
|
Prog = Basename (argv[0]); |
||||||
|
|
||||||
|
@@ -223,20 +224,25 @@ int main (int argc, char **argv) |
||||||
|
* Remove /etc/shadow entries for users not in /etc/passwd. |
||||||
|
*/ |
||||||
|
(void) spw_rewind (); |
||||||
|
- while ((sp = spw_next ()) != NULL) { |
||||||
|
- if (pw_locate (sp->sp_namp) != NULL) { |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- |
||||||
|
- if (spw_remove (sp->sp_namp) == 0) { |
||||||
|
- /* |
||||||
|
- * This shouldn't happen (the entry exists) but... |
||||||
|
- */ |
||||||
|
- fprintf (stderr, |
||||||
|
- _("%s: cannot remove entry '%s' from %s\n"), |
||||||
|
- Prog, sp->sp_namp, spw_dbname ()); |
||||||
|
- fail_exit (E_FAILURE); |
||||||
|
+ sp = spw_next (); |
||||||
|
+ np = NULL; |
||||||
|
+ while (sp != NULL) { |
||||||
|
+ np = strdup(sp->sp_namp); |
||||||
|
+ sp = spw_next (); |
||||||
|
+ |
||||||
|
+ if (pw_locate (np) == NULL) { |
||||||
|
+ if (spw_remove (np) == 0) { |
||||||
|
+ /* |
||||||
|
+ * This shouldn't happen (the entry exists) but... |
||||||
|
+ */ |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: cannot remove entry '%s' from %s\n"), |
||||||
|
+ Prog, np, spw_dbname ()); |
||||||
|
+ free(np); |
||||||
|
+ fail_exit (E_FAILURE); |
||||||
|
+ } |
||||||
|
} |
||||||
|
+ free(np); |
||||||
|
} |
||||||
|
|
||||||
|
/* |
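Review bot: `np = strdup(sg->sg_name)` in the grpconv.c hunk is never checked for NULL, so on allocation failure `gr_locate (np)` and `sgr_remove (np)` are handed a null name; the pwconv.c hunk has the same gap with `strdup(sp->sp_namp)`. A guard right after the copy keeps the failure explicit, e.g. `if (np == NULL) { perror ("strdup"); fail_exit (3); }` (with `fail_exit (E_FAILURE)` in pwconv.c). The `np=NULL;` before each loop is now dead, since the first iteration assigns it before any read. The reason the name is copied and the iterator advanced before the removal is not stated; if it is that removing the current entry invalidates the pointer being iterated over, a one-line comment above the loop should say so. main() continues outside the hunks in both files.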
@ -0,0 +1,42 @@ |
|||||||
|
diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8 |
||||||
|
diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c |
||||||
|
--- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100 |
||||||
|
+++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100 |
||||||
|
@@ -93,7 +93,7 @@ const char *Prog; |
||||||
|
static gid_t def_group = 100; |
||||||
|
static const char *def_gname = "other"; |
||||||
|
static const char *def_home = "/home"; |
||||||
|
-static const char *def_shell = ""; |
||||||
|
+static const char *def_shell = "/sbin/nologin"; |
||||||
|
static const char *def_template = SKEL_DIR; |
||||||
|
static const char *def_create_mail_spool = "no"; |
||||||
|
|
||||||
|
@@ -103,7 +103,7 @@ static const char *def_expire = ""; |
||||||
|
#define VALID(s) (strcspn (s, ":\n") == strlen (s)) |
||||||
|
|
||||||
|
static const char *user_name = ""; |
||||||
|
-static const char *user_pass = "!"; |
||||||
|
+static const char *user_pass = "!!"; |
||||||
|
static uid_t user_id; |
||||||
|
static gid_t user_gid; |
||||||
|
static const char *user_comment = ""; |
||||||
|
@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha |
||||||
|
}; |
||||||
|
while ((c = getopt_long (argc, argv, |
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", |
||||||
|
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:", |
||||||
|
#else /* !WITH_SELINUX */ |
||||||
|
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", |
||||||
|
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U", |
||||||
|
#endif /* !WITH_SELINUX */ |
||||||
|
long_options, NULL)) != -1) { |
||||||
|
switch (c) { |
||||||
|
@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha |
||||||
|
case 'M': |
||||||
|
Mflg = true; |
||||||
|
break; |
||||||
|
+ case 'n': |
||||||
|
case 'N': |
||||||
|
Nflg = true; |
||||||
|
break; |
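Review bot: The `case 'n':` added above `case 'N':` falls through with no comment, and the `diff -up shadow-4.1.5/man/useradd.8.redhat` header at the top of this patch has no hunk under it, so the new `-n` spelling is accepted by getopt_long but nothing on this page documents it. A `/* fallthrough: -n is kept as an alias of -N */` on the new case line would record the intent, assuming an alias is what is meant. Changing `def_shell` to `/sbin/nologin` means accounts created without `-s` cannot log in interactively; that is a sensible hardening default but it is a behavioural change that deserves a comment next to the definition, and the `user_pass` default `"!!"` likewise needs a note on what it denotes (presumably a locked entry whose password was never set) so the convention is not silently broken later. process_flags() begins and ends outside the hunks.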
@ -0,0 +1,23 @@ |
|||||||
|
diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c |
||||||
|
--- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200 |
||||||
|
+++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100 |
||||||
|
@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group, |
||||||
|
return -1; |
||||||
|
} |
||||||
|
} else { |
||||||
|
- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); |
||||||
|
+ gid_min = (gid_t) 1; |
||||||
|
gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; |
||||||
|
gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); |
||||||
|
if (gid_max < gid_min) { |
||||||
|
@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group, |
||||||
|
return 0; |
||||||
|
} |
||||||
|
|
||||||
|
+ /* if we did not find free preffered system gid, we start to look for |
||||||
|
+ * one in the range assigned to dynamic system IDs */ |
||||||
|
+ if (sys_group) |
||||||
|
+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); |
||||||
|
|
||||||
|
/* |
||||||
|
* Search the entire group file, |
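Review bot: The new `if (sys_group)` in the second hunk has an unbraced body, which the rest of this function (see the braced `if (gid_max < gid_min) {` in the first hunk) does not do; `if (sys_group) { gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); }` matches the file. The comment above it misspells "preferred" (`preffered`). The first hunk lowers the starting point of the system-group search from SYS_GID_MIN to 1, so GIDs below the login.defs floor are now tried first; the comment should state that explicitly and why, because a reader otherwise expects login.defs to control that bound. find_new_gid() starts and ends outside the hunks.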
@ -0,0 +1,32 @@ |
|||||||
|
diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c |
||||||
|
--- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200 |
||||||
|
@@ -1513,6 +1513,14 @@ static void move_home (void) |
||||||
|
fail_exit (E_HOMEDIR); |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ if (uflg || gflg) { |
||||||
|
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, |
||||||
|
+ "changing home directory owner", |
||||||
|
+ user_newname, (unsigned int) user_newid, 1); |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
if (rename (user_home, user_newhome) == 0) { |
||||||
|
/* FIXME: rename above may have broken symlinks |
||||||
|
* pointing to the user's home directory |
||||||
|
@@ -1947,6 +1955,13 @@ int main (int argc, char **argv) |
||||||
|
* ownership. |
||||||
|
* |
||||||
|
*/ |
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ if (uflg || gflg) { |
||||||
|
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, |
||||||
|
+ "changing home directory owner", |
||||||
|
+ user_newname, (unsigned int) user_newid, 1); |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
if (chown_tree (dflg ? user_newhome : user_home, |
||||||
|
user_id, |
||||||
|
uflg ? user_newid : (uid_t)-1, |
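Review bot: Both audit_logger calls are placed before the operation they describe — before `rename (user_home, user_newhome)` in move_home() and before `chown_tree (...)` in main() — with a constant trailing `1`, which looks like the success result, so the audit trail records a successful "changing home directory owner" even when the rename or chown_tree then fails. Logging after the call with the real outcome (or adding a second entry on the failure path) keeps the record truthful; at minimum add `/* NOTE: logged before the change; the result field is not the real outcome */` above each call. Whether AUDIT_USER_CHAUTHTOK is the intended event type for an ownership change rather than a credential change is not settled by this page, so a comment on the choice would help. Both enclosing functions continue outside the hunks.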
@ -0,0 +1,20 @@ |
|||||||
|
diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c |
||||||
|
--- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 |
||||||
|
@@ -301,15 +301,12 @@ static int create_backup (const char *ba |
||||||
|
struct utimbuf ub; |
||||||
|
FILE *bkfp; |
||||||
|
int c; |
||||||
|
- mode_t mask; |
||||||
|
|
||||||
|
if (fstat (fileno (fp), &sb) != 0) { |
||||||
|
return -1; |
||||||
|
} |
||||||
|
|
||||||
|
- mask = umask (077); |
||||||
|
- bkfp = fopen (backup, "w"); |
||||||
|
- (void) umask (mask); |
||||||
|
+ bkfp = fopen_set_perms (backup, "w", &sb); |
||||||
|
if (NULL == bkfp) { |
||||||
|
return -1; |
||||||
|
} |
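Review bot: Replacing the `umask (077)` / `fopen` pair with `fopen_set_perms (backup, "w", &sb)` makes the backup's final mode follow the original file's `sb`, but the definition of `fopen_set_perms` is not in this patch, so it is not visible whether the file is created with a restrictive mode from the start or briefly exists with the process umask before any chmod. Since this backup holds the shadow database, a comment on the call stating what `fopen_set_perms` guarantees about the initial mode (verified against its definition) would let a reader check that the removed umask guard is not needed. Dropping `mask` along with the umask dance is correct. create_backup() starts outside the hunk.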
@ -0,0 +1,44 @@ |
|||||||
|
diff -up shadow-4.1.5.1/man/usermod.8.xml.chgrp-guard shadow-4.1.5.1/man/usermod.8.xml |
||||||
|
--- shadow-4.1.5.1/man/usermod.8.xml.chgrp-guard 2016-05-04 13:44:17.267917583 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/usermod.8.xml 2016-05-04 13:44:17.284917968 +0200 |
||||||
|
@@ -198,6 +198,12 @@ |
||||||
|
The group ownership of files outside of the user's home directory |
||||||
|
must be fixed manually. |
||||||
|
</para> |
||||||
|
+ <para> |
||||||
|
+ The change of the group ownership of files inside of the user's |
||||||
|
+ home directory is also not done if the home dir owner uid is |
||||||
|
+ different from the current or new user id. This is safety measure |
||||||
|
+ for special home directories such as <filename>/</filename>. |
||||||
|
+ </para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
@@ -364,6 +370,12 @@ |
||||||
|
must be fixed manually. |
||||||
|
</para> |
||||||
|
<para> |
||||||
|
+ The change of the user ownership of files inside of the user's |
||||||
|
+ home directory is also not done if the home dir owner uid is |
||||||
|
+ different from the current or new user id. This is safety measure |
||||||
|
+ for special home directories such as <filename>/</filename>. |
||||||
|
+ </para> |
||||||
|
+ <para> |
||||||
|
No checks will be performed with regard to the |
||||||
|
<option>UID_MIN</option>, <option>UID_MAX</option>, |
||||||
|
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option> |
||||||
|
diff -up shadow-4.1.5.1/src/usermod.c.chgrp-guard shadow-4.1.5.1/src/usermod.c |
||||||
|
--- shadow-4.1.5.1/src/usermod.c.chgrp-guard 2016-05-04 13:44:17.280917877 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/usermod.c 2016-05-04 13:44:17.285917991 +0200 |
||||||
|
@@ -1971,7 +1971,10 @@ int main (int argc, char **argv) |
||||||
|
} |
||||||
|
|
||||||
|
if (!mflg && (uflg || gflg)) { |
||||||
|
- if (access (dflg ? user_newhome : user_home, F_OK) == 0) { |
||||||
|
+ struct stat sb; |
||||||
|
+ |
||||||
|
+ if (stat (dflg ? user_newhome : user_home, &sb) == 0 && |
||||||
|
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) { |
||||||
|
/* |
||||||
|
* Change the UID on all of the files owned by |
||||||
|
* `user_id' to `user_newid' in the user's home |
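Review bot: The new guard in main() uses `stat`, which follows symlinks, so a home directory that is a symlink is judged by the owner of its target; if chown_tree() walks the target too that is consistent, but if it does not, `lstat` is the matching check, and either way the choice should be stated. The guard also accepts any file type: adding `S_ISDIR (sb.st_mode)` to the uid comparison would make the "special home directories such as /" intent explicit. A comment such as `/* Skip the recursive chown unless the home dir is really owned by the old or new uid; protects "/" and shared dirs */` would carry the man-page rationale into the code. The directory can still change between this stat and chown_tree(); that window is not new here but is worth noting next to the check. main() continues outside the hunk.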
@ -0,0 +1,195 @@ |
|||||||
|
diff -up shadow-4.1.5.1/lib/encrypt.c.crypt-null shadow-4.1.5.1/lib/encrypt.c |
||||||
|
--- shadow-4.1.5.1/lib/encrypt.c.crypt-null 2010-08-22 15:05:02.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/lib/encrypt.c 2013-07-25 12:27:30.438355782 +0200 |
||||||
|
@@ -49,11 +49,10 @@ |
||||||
|
if (!cp) { |
||||||
|
/* |
||||||
|
* Single Unix Spec: crypt() may return a null pointer, |
||||||
|
- * and set errno to indicate an error. The caller doesn't |
||||||
|
- * expect us to return NULL, so... |
||||||
|
+ * and set errno to indicate an error. In this case return |
||||||
|
+ * the NULL so the caller can handle appropriately. |
||||||
|
*/ |
||||||
|
- perror ("crypt"); |
||||||
|
- exit (EXIT_FAILURE); |
||||||
|
+ return cp; |
||||||
|
} |
||||||
|
|
||||||
|
/* The GNU crypt does not return NULL if the algorithm is not |
||||||
|
diff -up shadow-4.1.5.1/libmisc/valid.c.crypt-null shadow-4.1.5.1/libmisc/valid.c |
||||||
|
--- shadow-4.1.5.1/libmisc/valid.c.crypt-null 2010-08-22 21:14:41.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/libmisc/valid.c 2013-07-25 12:27:30.440355847 +0200 |
||||||
|
@@ -95,6 +95,7 @@ bool valid (const char *password, const |
||||||
|
*/ |
||||||
|
|
||||||
|
if ( (NULL != ent->pw_name) |
||||||
|
+ && (NULL != encrypted) |
||||||
|
&& (strcmp (encrypted, ent->pw_passwd) == 0)) { |
||||||
|
return true; |
||||||
|
} else { |
||||||
|
diff -up shadow-4.1.5.1/lib/pwauth.c.crypt-null shadow-4.1.5.1/lib/pwauth.c |
||||||
|
--- shadow-4.1.5.1/lib/pwauth.c.crypt-null 2009-07-13 00:24:48.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/lib/pwauth.c 2013-07-25 12:27:30.438355782 +0200 |
||||||
|
@@ -73,6 +73,7 @@ int pw_auth (const char *cipher, |
||||||
|
char prompt[1024]; |
||||||
|
char *clear = NULL; |
||||||
|
const char *cp; |
||||||
|
+ const char *encrypted; |
||||||
|
int retval; |
||||||
|
|
||||||
|
#ifdef SKEY |
||||||
|
@@ -177,7 +178,11 @@ int pw_auth (const char *cipher, |
||||||
|
* the results there as well. |
||||||
|
*/ |
||||||
|
|
||||||
|
- retval = strcmp (pw_encrypt (input, cipher), cipher); |
||||||
|
+ encrypted = pw_encrypt (input, cipher); |
||||||
|
+ if (encrypted!=NULL) |
||||||
|
+ retval = strcmp (encrypted, cipher); |
||||||
|
+ else |
||||||
|
+ retval = -1; |
||||||
|
|
||||||
|
#ifdef SKEY |
||||||
|
/* |
||||||
|
diff -up shadow-4.1.5.1/src/chgpasswd.c.crypt-null shadow-4.1.5.1/src/chgpasswd.c |
||||||
|
--- shadow-4.1.5.1/src/chgpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/chgpasswd.c 2013-07-25 12:27:30.440355847 +0200 |
||||||
|
@@ -469,6 +469,10 @@ int main (int argc, char **argv) |
||||||
|
#endif |
||||||
|
cp = pw_encrypt (newpwd, |
||||||
|
crypt_make_salt (crypt_method, arg)); |
||||||
|
+ if (cp == NULL) { |
||||||
|
+ perror ("crypt"); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
diff -up shadow-4.1.5.1/src/chpasswd.c.crypt-null shadow-4.1.5.1/src/chpasswd.c |
||||||
|
--- shadow-4.1.5.1/src/chpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/chpasswd.c 2013-07-25 12:27:30.440355847 +0200 |
||||||
|
@@ -492,6 +492,10 @@ int main (int argc, char **argv) |
||||||
|
#endif |
||||||
|
cp = pw_encrypt (newpwd, |
||||||
|
crypt_make_salt(crypt_method, arg)); |
||||||
|
+ if (cp == NULL) { |
||||||
|
+ perror ("crypt"); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
diff -up shadow-4.1.5.1/src/gpasswd.c.crypt-null shadow-4.1.5.1/src/gpasswd.c |
||||||
|
--- shadow-4.1.5.1/src/gpasswd.c.crypt-null 2011-11-19 23:55:04.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/gpasswd.c 2013-07-25 12:27:30.441355866 +0200 |
||||||
|
@@ -939,6 +939,10 @@ static void change_passwd (struct group |
||||||
|
} |
||||||
|
|
||||||
|
cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); |
||||||
|
+ if (cp==NULL) { |
||||||
|
+ perror ("crypt"); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
memzero (pass, sizeof pass); |
||||||
|
#ifdef SHADOWGRP |
||||||
|
if (is_shadowgrp) { |
||||||
|
diff -up shadow-4.1.5.1/src/newgrp.c.crypt-null shadow-4.1.5.1/src/newgrp.c |
||||||
|
--- shadow-4.1.5.1/src/newgrp.c.crypt-null 2011-07-30 03:50:01.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/newgrp.c 2013-07-25 12:27:30.442355881 +0200 |
||||||
|
@@ -184,7 +184,8 @@ static void check_perms (const struct gr |
||||||
|
cpasswd = pw_encrypt (cp, grp->gr_passwd); |
||||||
|
strzero (cp); |
||||||
|
|
||||||
|
- if (grp->gr_passwd[0] == '\0' || |
||||||
|
+ if (cpasswd == NULL || |
||||||
|
+ grp->gr_passwd[0] == '\0' || |
||||||
|
strcmp (cpasswd, grp->gr_passwd) != 0) { |
||||||
|
#ifdef WITH_AUDIT |
||||||
|
snprintf (audit_buf, sizeof(audit_buf), |
||||||
|
diff -up shadow-4.1.5.1/src/newusers.c.crypt-null shadow-4.1.5.1/src/newusers.c |
||||||
|
--- shadow-4.1.5.1/src/newusers.c.crypt-null 2011-12-09 22:31:40.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/newusers.c 2013-07-25 12:27:30.442355881 +0200 |
||||||
|
@@ -387,6 +387,7 @@ static int add_user (const char *name, u |
||||||
|
static void update_passwd (struct passwd *pwd, const char *password) |
||||||
|
{ |
||||||
|
void *crypt_arg = NULL; |
||||||
|
+ char *cp; |
||||||
|
if (crypt_method != NULL) { |
||||||
|
#ifdef USE_SHA_CRYPT |
||||||
|
if (sflg) { |
||||||
|
@@ -398,9 +399,13 @@ static void update_passwd (struct passwd |
||||||
|
if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) { |
||||||
|
pwd->pw_passwd = (char *)password; |
||||||
|
} else { |
||||||
|
- pwd->pw_passwd = pw_encrypt (password, |
||||||
|
- crypt_make_salt (crypt_method, |
||||||
|
- crypt_arg)); |
||||||
|
+ cp=pw_encrypt (password, crypt_make_salt (crypt_method, |
||||||
|
+ crypt_arg)); |
||||||
|
+ if (cp == NULL) { |
||||||
|
+ perror ("crypt"); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
+ pwd->pw_passwd = cp; |
||||||
|
} |
||||||
|
} |
||||||
|
#endif /* !USE_PAM */ |
||||||
|
@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pw |
||||||
|
{ |
||||||
|
const struct spwd *sp; |
||||||
|
struct spwd spent; |
||||||
|
+ char *cp; |
||||||
|
|
||||||
|
#ifndef USE_PAM |
||||||
|
void *crypt_arg = NULL; |
||||||
|
@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pw |
||||||
|
} else { |
||||||
|
const char *salt = crypt_make_salt (crypt_method, |
||||||
|
crypt_arg); |
||||||
|
- spent.sp_pwdp = pw_encrypt (password, salt); |
||||||
|
+ cp = pw_encrypt (password, salt); |
||||||
|
+ if (cp == NULL) { |
||||||
|
+ perror ("crypt"); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
+ spent.sp_pwdp = cp; |
||||||
|
} |
||||||
|
spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE; |
||||||
|
if (0 == spent.sp_lstchg) { |
||||||
|
@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pw |
||||||
|
spent.sp_pwdp = (char *)password; |
||||||
|
} else { |
||||||
|
const char *salt = crypt_make_salt (crypt_method, crypt_arg); |
||||||
|
- spent.sp_pwdp = pw_encrypt (password, salt); |
||||||
|
+ cp = pw_encrypt (password, salt); |
||||||
|
+ if (cp == NULL) { |
||||||
|
+ perror ("crypt"); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
+ spent.sp_pwdp = cp; |
||||||
|
} |
||||||
|
#else |
||||||
|
/* |
||||||
|
diff -up shadow-4.1.5.1/src/passwd.c.crypt-null shadow-4.1.5.1/src/passwd.c |
||||||
|
--- shadow-4.1.5.1/src/passwd.c.crypt-null 2012-02-13 21:32:01.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/passwd.c 2013-07-25 12:27:30.443355896 +0200 |
||||||
|
@@ -242,7 +242,7 @@ static int new_password (const struct pa |
||||||
|
} |
||||||
|
|
||||||
|
cipher = pw_encrypt (clear, crypt_passwd); |
||||||
|
- if (strcmp (cipher, crypt_passwd) != 0) { |
||||||
|
+ if ((cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)) { |
||||||
|
strzero (clear); |
||||||
|
strzero (cipher); |
||||||
|
SYSLOG ((LOG_WARN, "incorrect password for %s", |
||||||
|
@@ -349,6 +349,10 @@ static int new_password (const struct pa |
||||||
|
* Encrypt the password, then wipe the cleartext password. |
||||||
|
*/ |
||||||
|
cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL)); |
||||||
|
+ if (cp == NULL) { |
||||||
|
+ perror ("crypt"); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
memzero (pass, sizeof pass); |
||||||
|
|
||||||
|
#ifdef HAVE_LIBCRACK_HIST |
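Review bot: In the passwd.c hunk, the new condition `(cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)` sends the NULL case into a block whose next lines run `strzero (cipher)`, so the null return from pw_encrypt that this patch introduces is dereferenced right where it is first handled. Guard the wipe, `if (cipher != NULL) { strzero (cipher); }`, or give the NULL case its own branch that clears `clear` and reports the crypt failure. The newgrp.c hunk short-circuits correctly on `cpasswd == NULL`, but whatever the failure branch below does with `cpasswd` is outside the hunk and needs the same check. The revised comment in encrypt.c should also state the new contract, e.g. `/* Returns NULL (errno set) when crypt() fails; every caller must check. */`, since callers previously relied on the exit that was removed. new_password() and check_perms() continue outside their hunks.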
@ -0,0 +1,138 @@ |
|||||||
|
diff -up shadow-4.1.5.1/libmisc/getdate.c.date-parsing shadow-4.1.5.1/libmisc/getdate.c |
||||||
|
--- shadow-4.1.5.1/libmisc/getdate.c.date-parsing 2008-06-14 00:07:51.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/libmisc/getdate.c 2014-08-29 13:41:22.553267506 +0200 |
||||||
|
@@ -261,6 +261,7 @@ static int yyHaveDay; |
||||||
|
static int yyHaveRel; |
||||||
|
static int yyHaveTime; |
||||||
|
static int yyHaveZone; |
||||||
|
+static int yyHaveYear; |
||||||
|
static int yyTimezone; |
||||||
|
static int yyDay; |
||||||
|
static int yyHour; |
||||||
|
@@ -1730,6 +1731,7 @@ yyreduce: |
||||||
|
yyDay = (yyvsp[(3) - (5)].Number); |
||||||
|
yyYear = (yyvsp[(5) - (5)].Number); |
||||||
|
} |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
break; |
||||||
|
|
||||||
|
@@ -1740,6 +1742,7 @@ yyreduce: |
||||||
|
yyYear = (yyvsp[(1) - (3)].Number); |
||||||
|
yyMonth = -(yyvsp[(2) - (3)].Number); |
||||||
|
yyDay = -(yyvsp[(3) - (3)].Number); |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
break; |
||||||
|
|
||||||
|
@@ -1750,6 +1753,7 @@ yyreduce: |
||||||
|
yyDay = (yyvsp[(1) - (3)].Number); |
||||||
|
yyMonth = (yyvsp[(2) - (3)].Number); |
||||||
|
yyYear = -(yyvsp[(3) - (3)].Number); |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
break; |
||||||
|
|
||||||
|
@@ -1767,6 +1771,7 @@ yyreduce: |
||||||
|
yyMonth = (yyvsp[(1) - (4)].Number); |
||||||
|
yyDay = (yyvsp[(2) - (4)].Number); |
||||||
|
yyYear = (yyvsp[(4) - (4)].Number); |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
break; |
||||||
|
|
||||||
|
@@ -1784,6 +1789,7 @@ yyreduce: |
||||||
|
yyMonth = (yyvsp[(2) - (3)].Number); |
||||||
|
yyDay = (yyvsp[(1) - (3)].Number); |
||||||
|
yyYear = (yyvsp[(3) - (3)].Number); |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
break; |
||||||
|
|
||||||
|
@@ -1928,7 +1934,8 @@ yyreduce: |
||||||
|
case 49: |
||||||
|
#line 397 "getdate.y" |
||||||
|
{ |
||||||
|
- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) |
||||||
|
+ if ((yyHaveTime != 0 || (yyvsp[(1) - (1)].Number) >= 100) && !yyHaveYear |
||||||
|
+ && (yyHaveDate != 0) && (yyHaveRel == 0)) |
||||||
|
yyYear = (yyvsp[(1) - (1)].Number); |
||||||
|
else |
||||||
|
{ |
||||||
|
@@ -2556,7 +2563,7 @@ yylex (void) |
||||||
|
return LookupWord (buff); |
||||||
|
} |
||||||
|
if (c != '(') |
||||||
|
- return *yyInput++; |
||||||
|
+ return (unsigned char)*yyInput++; |
||||||
|
Count = 0; |
||||||
|
do |
||||||
|
{ |
||||||
|
diff -up shadow-4.1.5.1/libmisc/getdate.y.date-parsing shadow-4.1.5.1/libmisc/getdate.y |
||||||
|
--- shadow-4.1.5.1/libmisc/getdate.y.date-parsing 2008-05-26 10:57:51.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/libmisc/getdate.y 2014-08-29 13:40:37.502229879 +0200 |
||||||
|
@@ -152,6 +152,7 @@ static int yyHaveDay; |
||||||
|
static int yyHaveRel; |
||||||
|
static int yyHaveTime; |
||||||
|
static int yyHaveZone; |
||||||
|
+static int yyHaveYear; |
||||||
|
static int yyTimezone; |
||||||
|
static int yyDay; |
||||||
|
static int yyHour; |
||||||
|
@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER { |
||||||
|
yyDay = $3; |
||||||
|
yyYear = $5; |
||||||
|
} |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
| tUNUMBER tSNUMBER tSNUMBER { |
||||||
|
/* ISO 8601 format. yyyy-mm-dd. */ |
||||||
|
yyYear = $1; |
||||||
|
yyMonth = -$2; |
||||||
|
yyDay = -$3; |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
| tUNUMBER tMONTH tSNUMBER { |
||||||
|
/* e.g. 17-JUN-1992. */ |
||||||
|
yyDay = $1; |
||||||
|
yyMonth = $2; |
||||||
|
yyYear = -$3; |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
| tMONTH tUNUMBER { |
||||||
|
yyMonth = $1; |
||||||
|
@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER { |
||||||
|
yyMonth = $1; |
||||||
|
yyDay = $2; |
||||||
|
yyYear = $4; |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
| tUNUMBER tMONTH { |
||||||
|
yyMonth = $2; |
||||||
|
@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER { |
||||||
|
yyMonth = $2; |
||||||
|
yyDay = $1; |
||||||
|
yyYear = $3; |
||||||
|
+ yyHaveYear++; |
||||||
|
} |
||||||
|
; |
||||||
|
|
||||||
|
@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT { |
||||||
|
|
||||||
|
number : tUNUMBER |
||||||
|
{ |
||||||
|
- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0)) |
||||||
|
+ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear |
||||||
|
+ && (yyHaveDate != 0) && (yyHaveRel == 0)) |
||||||
|
yyYear = $1; |
||||||
|
else |
||||||
|
{ |
||||||
|
@@ -802,7 +809,7 @@ yylex (void) |
||||||
|
return LookupWord (buff); |
||||||
|
} |
||||||
|
if (c != '(') |
||||||
|
- return *yyInput++; |
||||||
|
+ return (unsigned char)*yyInput++; |
||||||
|
Count = 0; |
||||||
|
do |
||||||
|
{ |
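Review bot: `yyHaveYear` is added next to `yyHaveDate`, `yyHaveTime` and the other counters, but no hunk in getdate.y resets it; if get_date() zeroes the other `yyHave*` counters before parsing (not visible here), it needs `yyHaveYear = 0;` in the same place, otherwise a second parse in the same process inherits the previous date's flag and the new `!yyHaveYear` test in the `number` rule misfires. The `$1 >= 100` branch deserves a comment such as `/* a bare number >= 100 after a date is taken as the year */`, since the threshold is otherwise unexplained. getdate.c is the generated parser patched by hand in parallel; regenerating from getdate.y would drop these edits, so the build should either regenerate or the .c must be kept in sync. The `(unsigned char)` cast in yylex() is correct: without it a high-bit byte returned through `int` becomes a negative token value.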
@ -0,0 +1,35 @@ |
|||||||
|
diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c |
||||||
|
--- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200 |
||||||
|
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h |
||||||
|
goto done; |
||||||
|
} |
||||||
|
|
||||||
|
+#if 0 |
||||||
|
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); |
||||||
|
if (ret != 0) { |
||||||
|
fprintf (stderr, |
||||||
|
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h |
||||||
|
ret = 1; |
||||||
|
goto done; |
||||||
|
} |
||||||
|
+#endif |
||||||
|
|
||||||
|
ret = semanage_seuser_set_sename (handle, seuser, seuser_name); |
||||||
|
if (ret != 0) { |
||||||
|
@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h |
||||||
|
goto done; |
||||||
|
} |
||||||
|
|
||||||
|
+#if 0 |
||||||
|
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); |
||||||
|
if (ret != 0) { |
||||||
|
fprintf (stderr, |
||||||
|
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h |
||||||
|
ret = 1; |
||||||
|
goto done; |
||||||
|
} |
||||||
|
+#endif |
||||||
|
|
||||||
|
ret = semanage_seuser_set_sename (handle, seuser, seuser_name); |
||||||
|
if (ret != 0) { |
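Review bot: Wrapping the `semanage_seuser_set_mlsrange` calls in `#if 0` … `#endif` in both semanage_user_mod() and semanage_user_add() leaves dead code with no word on why, so a reader cannot tell whether this is a temporary workaround or the intended downstream behaviour. Either delete the blocks or put a comment on each `#if 0`, e.g. `/* MLS range deliberately left unset: <reason here> */`, and say the same once at the DEFAULT_SERANGE definition if it is now unused. Both functions continue outside the hunks.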
@ -0,0 +1,23 @@ |
|||||||
|
diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c |
||||||
|
--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200 |
||||||
|
@@ -1760,6 +1760,9 @@ static void create_home (void) |
||||||
|
if (access (user_home, F_OK) != 0) { |
||||||
|
#ifdef WITH_SELINUX |
||||||
|
if (set_selinux_file_context (user_home, NULL) != 0) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: cannot set SELinux context for home directory %s\n"), |
||||||
|
+ Prog, user_home); |
||||||
|
fail_exit (E_HOMEDIR); |
||||||
|
} |
||||||
|
#endif |
||||||
|
@@ -1789,6 +1792,9 @@ static void create_home (void) |
||||||
|
#ifdef WITH_SELINUX |
||||||
|
/* Reset SELinux to create files with default contexts */ |
||||||
|
if (reset_selinux_file_context () != 0) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: cannot reset SELinux file creation context\n"), |
||||||
|
+ Prog); |
||||||
|
fail_exit (E_HOMEDIR); |
||||||
|
} |
||||||
|
#endif |
@ -0,0 +1,113 @@ |
|||||||
|
diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c |
||||||
|
--- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/libmisc/chkname.c 2018-04-24 16:32:40.970529916 +0200 |
||||||
|
@@ -49,25 +49,44 @@ |
||||||
|
static bool is_valid_name (const char *name) |
||||||
|
{ |
||||||
|
/* |
||||||
|
- * User/group names must match [a-z_][a-z0-9_-]*[$] |
||||||
|
- */ |
||||||
|
- if (('\0' == *name) || |
||||||
|
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { |
||||||
|
+ * User/group names must match gnu e-regex: |
||||||
|
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? |
||||||
|
+ * |
||||||
|
+ * as a non-POSIX, extension, allow "$" as the last char for |
||||||
|
+ * sake of Samba 3.x "add machine script" |
||||||
|
+ * |
||||||
|
+ * Also do not allow fully numeric names or just "." or "..". |
||||||
|
+ */ |
||||||
|
+ int numeric; |
||||||
|
+ |
||||||
|
+ if ('\0' == *name || |
||||||
|
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || |
||||||
|
+ '\0' == name[1])) || |
||||||
|
+ !((*name >= 'a' && *name <= 'z') || |
||||||
|
+ (*name >= 'A' && *name <= 'Z') || |
||||||
|
+ (*name >= '0' && *name <= '9') || |
||||||
|
+ *name == '_' || |
||||||
|
+ *name == '.')) { |
||||||
|
return false; |
||||||
|
} |
||||||
|
|
||||||
|
+ numeric = isdigit(*name); |
||||||
|
+ |
||||||
|
while ('\0' != *++name) { |
||||||
|
- if (!(( ('a' <= *name) && ('z' >= *name) ) || |
||||||
|
- ( ('0' <= *name) && ('9' >= *name) ) || |
||||||
|
- ('_' == *name) || |
||||||
|
- ('-' == *name) || |
||||||
|
- ( ('$' == *name) && ('\0' == *(name + 1)) ) |
||||||
|
+ if (!((*name >= 'a' && *name <= 'z') || |
||||||
|
+ (*name >= 'A' && *name <= 'Z') || |
||||||
|
+ (*name >= '0' && *name <= '9') || |
||||||
|
+ *name == '_' || |
||||||
|
+ *name == '.' || |
||||||
|
+ *name == '-' || |
||||||
|
+ (*name == '$' && name[1] == '\0') |
||||||
|
)) { |
||||||
|
return false; |
||||||
|
} |
||||||
|
+ numeric &= isdigit(*name); |
||||||
|
} |
||||||
|
|
||||||
|
- return true; |
||||||
|
+ return !numeric || getenv("SHADOW_ALLOW_ALL_NUMERIC_USER") != NULL; |
||||||
|
} |
||||||
|
|
||||||
|
bool is_valid_user_name (const char *name) |
||||||
|
diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml |
||||||
|
--- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/groupadd.8.xml 2012-09-19 18:43:53.492160653 +0200 |
||||||
|
@@ -259,10 +259,14 @@ |
||||||
|
<refsect1 id='caveats'> |
||||||
|
<title>CAVEATS</title> |
||||||
|
<para> |
||||||
|
- Groupnames must start with a lower case letter or an underscore, |
||||||
|
- followed by lower case letters, digits, underscores, or dashes. |
||||||
|
- They can end with a dollar sign. |
||||||
|
- In regular expression terms: [a-z_][a-z0-9_-]*[$]? |
||||||
|
+ Groupnames may contain only lower and upper case letters, digits, |
||||||
|
+ underscores, or dashes. They can end with a dollar sign. |
||||||
|
+ |
||||||
|
+ Dashes are not allowed at the beginning of the groupname. |
||||||
|
+ Fully numeric groupnames and groupnames . or .. are |
||||||
|
+ also disallowed. |
||||||
|
+ |
||||||
|
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? |
||||||
|
</para> |
||||||
|
<para> |
||||||
|
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. |
||||||
|
diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml |
||||||
|
--- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/useradd.8.xml 2012-09-19 18:43:53.493160675 +0200 |
||||||
|
@@ -366,7 +366,7 @@ |
||||||
|
</term> |
||||||
|
<listitem> |
||||||
|
<para> |
||||||
|
- Do no create the user's home directory, even if the system |
||||||
|
+ Do not create the user's home directory, even if the system |
||||||
|
wide setting from <filename>/etc/login.defs</filename> |
||||||
|
(<option>CREATE_HOME</option>) is set to |
||||||
|
<replaceable>yes</replaceable>. |
||||||
|
@@ -654,10 +654,16 @@ |
||||||
|
</para> |
||||||
|
|
||||||
|
<para> |
||||||
|
- Usernames must start with a lower case letter or an underscore, |
||||||
|
- followed by lower case letters, digits, underscores, or dashes. |
||||||
|
- They can end with a dollar sign. |
||||||
|
- In regular expression terms: [a-z_][a-z0-9_-]*[$]? |
||||||
|
+ Usernames may contain only lower and upper case letters, digits, |
||||||
|
+ underscores, or dashes. They can end with a dollar sign. |
||||||
|
+ |
||||||
|
+ Dashes are not allowed at the beginning of the username. |
||||||
|
+ Fully numeric usernames and usernames . or .. are |
||||||
|
+ also disallowed. It is not recommended to use usernames beginning |
||||||
|
+ with . character as their home directories will be hidden in |
||||||
|
+ the <command>ls</command> output. |
||||||
|
+ |
||||||
|
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? |
||||||
|
</para> |
||||||
|
<para> |
||||||
|
Usernames may only be up to 32 characters long. |
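Review bot: In the chkname.c hunk, `numeric &= isdigit(*name)` relies on isdigit() returning the same non-zero value for every digit; the C standard only promises non-zero, so on a libc where the value varies the AND can drop to 0 and a fully numeric name slips through. `numeric = numeric && isdigit((unsigned char) *name);` (with the same cast on the first `isdigit(*name)`) is portable, and the cast follows the <ctype.h> rule even though the preceding range checks happen to make the argument safe here. The `SHADOW_ALLOW_ALL_NUMERIC_USER` environment check is a validation bypass with no comment; state who it is for and why numeric names are rejected by default, e.g. `/* Escape hatch for admins who knowingly want numeric names; such names are ambiguous wherever a uid may also be given */`. The comment's regex bounds the name with `{0,30}` but no length check is visible in is_valid_name(); if the limit lives in is_valid_user_name(), say so. The groupadd and useradd man-page prose lists "letters, digits, underscores, or dashes" while the regex on the same page and the code also accept `.`, so the prose should mention dots.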
@ -0,0 +1,20 @@ |
|||||||
|
diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml |
||||||
|
--- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200 |
||||||
|
@@ -216,7 +216,15 @@ |
||||||
|
<para> |
||||||
|
If this field does not specify an existing directory, the |
||||||
|
specified directory is created, with ownership set to the |
||||||
|
- user being created or updated and its primary group. |
||||||
|
+ user being created or updated and its primary group. Note |
||||||
|
+ that newusers does not create parent directories of the new |
||||||
|
+ user's home directory. The newusers command will fail to |
||||||
|
+ create the home directory if the parent directories do not |
||||||
|
+ exist, and will send a message to stderr informing the user |
||||||
|
+ of the failure. The newusers command will not halt or return |
||||||
|
+ a failure to the calling shell if it fails to create the home |
||||||
|
+ directory, it will continue to process the batch of new users |
||||||
|
+ specified. |
||||||
|
</para> |
||||||
|
<para> |
||||||
|
If the home directory of an existing user is changed, |
@ -0,0 +1,121 @@ |
diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c |
||||||
|
--- shadow-4.1.5.1/src/newgrp.c.ingroup 2018-04-24 16:55:24.546677529 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/newgrp.c 2018-04-24 16:58:17.113445562 +0200 |
||||||
|
@@ -83,15 +83,29 @@ static void usage (void) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
+static bool ingroup(const char *name, struct group *gr) |
||||||
|
+{ |
||||||
|
+ char **look; |
||||||
|
+ bool notfound = true; |
||||||
|
+ |
||||||
|
+ look = gr->gr_mem; |
||||||
|
+ while (*look && notfound) |
||||||
|
+ notfound = strcmp (*look++, name); |
||||||
|
+ |
||||||
|
+ return !notfound; |
||||||
|
+} |
||||||
|
+ |
||||||
|
/* |
||||||
|
- * find_matching_group - search all groups of a given group id for |
||||||
|
+ * find_matching_group - search all groups of a gr's group id for |
||||||
|
* membership of a given username |
||||||
|
+ * but check gr itself first |
||||||
|
*/ |
||||||
|
-static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid) |
||||||
|
+static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr) |
||||||
|
{ |
||||||
|
- struct group *gr; |
||||||
|
- char **look; |
||||||
|
- bool notfound = true; |
||||||
|
+ gid_t gid = gr->gr_gid; |
||||||
|
+ |
||||||
|
+ if (ingroup(name, gr)) |
||||||
|
+ return gr; |
||||||
|
|
||||||
|
setgrent (); |
||||||
|
while ((gr = getgrent ()) != NULL) { |
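Review bot: `notfound = strcmp (*look++, name);` in the new ingroup() folds the pointer increment into the call and leans on the implicit int-to-bool conversion; the explicit form the removed loop used is what a reader of this file expects, `notfound = (strcmp (*look, name) != 0); look++;`. The helper also dereferences `gr->gr_mem` with no NULL guard, as the loop it replaces did, so the assumption deserves a line such as `/* assumes gr->gr_mem is a valid NULL-terminated list, as getgr*() entries are */` rather than being left implicit. find_matching_group's body continues past the end of this hunk.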
||||||
|
@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc |
||||||
|
* A group with matching GID was found. |
||||||
|
* Test for membership of 'name'. |
||||||
|
*/ |
||||||
|
- look = gr->gr_mem; |
||||||
|
- while ((NULL != *look) && notfound) { |
||||||
|
- notfound = (strcmp (*look, name) != 0); |
||||||
|
- look++; |
||||||
|
- } |
||||||
|
- if (!notfound) { |
||||||
|
+ if (ingroup(name, gr)) |
||||||
|
break; |
||||||
|
- } |
||||||
|
} |
||||||
|
endgrent (); |
||||||
|
return gr; |
||||||
|
@@ -373,6 +381,7 @@ int main (int argc, char **argv) |
||||||
|
{ |
||||||
|
bool initflag = false; |
||||||
|
int i; |
||||||
|
+ bool is_member = false; |
||||||
|
bool cflag = false; |
||||||
|
int err = 0; |
||||||
|
gid_t gid; |
||||||
|
@@ -611,22 +620,36 @@ int main (int argc, char **argv) |
||||||
|
goto failure; |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef HAVE_SETGROUPS |
||||||
|
+ /* when using pam_group, she will not be listed in the groups |
||||||
|
+ * database. However getgroups() will return the group. So |
||||||
|
+ * if she is listed there already it is ok to grant membership. |
||||||
|
+ */ |
||||||
|
+ for (i = 0; i < ngroups; i++) { |
||||||
|
+ if (grp->gr_gid == grouplist[i]) { |
||||||
|
+ is_member = true; |
||||||
|
+ break; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+#endif /* HAVE_SETGROUPS */ |
||||||
|
/* |
||||||
|
* For splitted groups (due to limitations of NIS), check all |
||||||
|
* groups of the same GID like the requested group for |
||||||
|
* membership of the current user. |
||||||
|
*/ |
||||||
|
- grp = find_matching_group (name, grp->gr_gid); |
||||||
|
- if (NULL == grp) { |
||||||
|
- /* |
||||||
|
- * No matching group found. As we already know that |
||||||
|
- * the group exists, this happens only in the case |
||||||
|
- * of a requested group where the user is not member. |
||||||
|
- * |
||||||
|
- * Re-read the group entry for further processing. |
||||||
|
- */ |
||||||
|
- grp = xgetgrnam (group); |
||||||
|
- assert (NULL != grp); |
||||||
|
+ if (!is_member) { |
||||||
|
+ grp = find_matching_group (name, grp); |
||||||
|
+ if (NULL == grp) { |
||||||
|
+ /* |
||||||
|
+ * No matching group found. As we already know that |
||||||
|
+ * the group exists, this happens only in the case |
||||||
|
+ * of a requested group where the user is not member. |
||||||
|
+ * |
||||||
|
+ * Re-read the group entry for further processing. |
||||||
|
+ */ |
||||||
|
+ grp = xgetgrnam (group); |
||||||
|
+ assert (NULL != grp); |
||||||
|
+ } |
||||||
|
} |
||||||
|
#ifdef SHADOWGRP |
||||||
|
sgrp = getsgnam (group); |
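Review bot: The new `is_member` flag later skips check_perms() entirely, yet the comment only mentions pam_group; the security rationale should be spelled out, because a reader has to work out that matching `grp->gr_gid` against the caller's existing supplementary list grants no gid the process does not already hold. I would extend the comment with `/* The caller already holds this gid, so skipping the group password check grants no new privilege. */`. `grouplist` and `ngroups` are populated outside this hunk, presumably from getgroups(); if that call can fail, a negative `ngroups` makes the loop run zero times and the code falls through to the membership lookup, which is the safe direction and worth a sentence in the comment. POSIX also leaves unspecified whether getgroups() reports the effective gid, so on some systems a user whose primary group is the requested one may still take the check_perms() path; harmless, but not what the comment suggests.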
||||||
|
@@ -639,7 +662,9 @@ int main (int argc, char **argv) |
||||||
|
/* |
||||||
|
* Check if the user is allowed to access this group. |
||||||
|
*/ |
||||||
|
- check_perms (grp, pwd, group); |
||||||
|
+ if (!is_member) { |
||||||
|
+ check_perms (grp, pwd, group); |
||||||
|
+ } |
||||||
|
|
||||||
|
/* |
||||||
|
* all successful validations pass through this point. The group id |
@ -0,0 +1,25 @@ |
From f2ce4cc54edc7dfeb6b12f3e8fff98255a9f477d Mon Sep 17 00:00:00 2001 |
||||||
|
From: Taizo Ito <taizo.ito@hde.co.jp> |
||||||
|
Date: Tue, 17 Mar 2015 13:51:27 +0900 |
||||||
|
Subject: [PATCH 1/1] typo in japanese man page of useradd |
||||||
|
|
||||||
|
--- |
||||||
|
po/ja.po | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/po/ja.po b/po/ja.po |
||||||
|
index a68a698..0c21c29 100644 |
||||||
|
--- a/po/ja.po |
||||||
|
+++ b/po/ja.po |
||||||
|
@@ -2047,7 +2047,7 @@ msgid " -s, --shell SHELL login shell of the new account\n" |
||||||
|
msgstr " -s, --shell SHELL 新アカウントのログインシェル\n" |
||||||
|
|
||||||
|
msgid " -u, --uid UID user ID of the new account\n" |
||||||
|
-msgstr " -u, --iud UID 新アカウントのユーザ ID\n" |
||||||
|
+msgstr " -u, --uid UID 新アカウントのユーザ ID\n" |
||||||
|
|
||||||
|
msgid "" |
||||||
|
" -U, --user-group create a group with the same name as the " |
||||||
|
-- |
||||||
|
1.8.3.1 |
||||||
|
|
@ -0,0 +1,263 @@ |
diff -up shadow-4.1.5.1/man/lastlog.8.xml.unexpire shadow-4.1.5.1/man/lastlog.8.xml |
||||||
|
--- shadow-4.1.5.1/man/lastlog.8.xml.unexpire 2012-05-25 13:45:28.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/lastlog.8.xml 2016-04-28 15:09:11.026084219 +0200 |
||||||
|
@@ -105,6 +105,17 @@ |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term> |
||||||
|
+ <option>-C</option>, <option>--clear</option> |
||||||
|
+ </term> |
||||||
|
+ <listitem> |
||||||
|
+ <para> |
||||||
|
+ Clear lastlog record of an user. This option can be used only together |
||||||
|
+ with <option>-u</option> (<option>--user</option>)). |
||||||
|
+ </para> |
||||||
|
+ </listitem> |
||||||
|
+ </varlistentry> |
||||||
|
+ <varlistentry> |
||||||
|
+ <term> |
||||||
|
<option>-h</option>, <option>--help</option> |
||||||
|
</term> |
||||||
|
<listitem> |
||||||
|
@@ -124,6 +135,17 @@ |
||||||
|
</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
+ <varlistentry> |
||||||
|
+ <term> |
||||||
|
+ <option>-S</option>, <option>--set</option> |
||||||
|
+ </term> |
||||||
|
+ <listitem> |
||||||
|
+ <para> |
||||||
|
+ Set lastlog record of an user to the current time. This option can be |
||||||
|
+ used only together with <option>-u</option> (<option>--user</option>)). |
||||||
|
+ </para> |
||||||
|
+ </listitem> |
||||||
|
+ </varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term> |
||||||
|
<option>-t</option>, <option>--time</option> |
||||||
|
diff -up shadow-4.1.5.1/src/lastlog.c.unexpire shadow-4.1.5.1/src/lastlog.c |
||||||
|
--- shadow-4.1.5.1/src/lastlog.c.unexpire 2011-11-06 21:54:18.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/lastlog.c 2016-04-28 15:49:30.253371990 +0200 |
||||||
|
@@ -55,6 +55,13 @@ |
||||||
|
#endif |
||||||
|
|
||||||
|
/* |
||||||
|
+ * Needed for systems with older audit library. |
||||||
|
+ */ |
||||||
|
+#ifndef AUDIT_ACCT_UNLOCK |
||||||
|
+#define AUDIT_ACCT_UNLOCK 1136 |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
+/* |
||||||
|
* Global variables |
||||||
|
*/ |
||||||
|
const char *Prog; /* Program name */ |
||||||
|
@@ -71,6 +78,8 @@ static struct stat statbuf; /* fstat buf |
||||||
|
static bool uflg = false; /* print only an user of range of users */ |
||||||
|
static bool tflg = false; /* print is restricted to most recent days */ |
||||||
|
static bool bflg = false; /* print excludes most recent days */ |
||||||
|
+static bool Cflg = false; /* clear record for user */ |
||||||
|
+static bool Sflg = false; /* set record for user */ |
||||||
|
|
||||||
|
#define NOW (time ((time_t *) 0)) |
||||||
|
|
||||||
|
@@ -83,8 +92,10 @@ static /*@noreturn@*/void usage (int sta |
||||||
|
"Options:\n"), |
||||||
|
Prog); |
||||||
|
(void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout); |
||||||
|
+ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout); |
||||||
|
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout); |
||||||
|
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); |
||||||
|
+ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout); |
||||||
|
(void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout); |
||||||
|
(void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout); |
||||||
|
(void) fputs ("\n", usageout); |
||||||
|
@@ -194,6 +205,80 @@ static void print (void) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
+static void update_one (/*@null@*/const struct passwd *pw) |
||||||
|
+{ |
||||||
|
+ off_t offset; |
||||||
|
+ struct lastlog ll; |
||||||
|
+ int err; |
||||||
|
+ |
||||||
|
+ if (NULL == pw) { |
||||||
|
+ return; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ offset = (off_t) pw->pw_uid * sizeof (ll); |
||||||
|
+ /* fseeko errors are not really relevant for us. */ |
||||||
|
+ err = fseeko (lastlogfile, offset, SEEK_SET); |
||||||
|
+ assert (0 == err); |
||||||
|
+ |
||||||
|
+ memzero (&ll, sizeof (ll)); |
||||||
|
+ |
||||||
|
+ if (Sflg) { |
||||||
|
+ ll.ll_time = NOW; |
||||||
|
+#ifdef HAVE_LL_HOST |
||||||
|
+ strcpy (ll.ll_host, "localhost"); |
||||||
|
+#endif |
||||||
|
+ strcpy (ll.ll_line, "lastlog"); |
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, |
||||||
|
+ "clearing-lastlog", |
||||||
|
+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); |
||||||
|
+#endif |
||||||
|
+ } |
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ else { |
||||||
|
+ audit_logger (AUDIT_ACCT_UNLOCK, Prog, |
||||||
|
+ "refreshing-lastlog", |
||||||
|
+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS); |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
+ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: Failed to update the entry for UID %lu\n"), |
||||||
|
+ Prog, (unsigned long int)pw->pw_uid); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void update (void) |
||||||
|
+{ |
||||||
|
+ const struct passwd *pwent; |
||||||
|
+ |
||||||
|
+ if (!uflg) /* safety measure */ |
||||||
|
+ return; |
||||||
|
+ |
||||||
|
+ if (has_umin && has_umax && (umin == umax)) { |
||||||
|
+ update_one (getpwuid ((uid_t)umin)); |
||||||
|
+ } else { |
||||||
|
+ setpwent (); |
||||||
|
+ while ( (pwent = getpwent ()) != NULL ) { |
||||||
|
+ if ((has_umin && (pwent->pw_uid < (uid_t)umin)) |
||||||
|
+ || (has_umax && (pwent->pw_uid > (uid_t)umax))) { |
||||||
|
+ continue; |
||||||
|
+ } |
||||||
|
+ update_one (pwent); |
||||||
|
+ } |
||||||
|
+ endpwent (); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: Failed to update the lastlog file\n"), |
||||||
|
+ Prog); |
||||||
|
+ exit (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
int main (int argc, char **argv) |
||||||
|
{ |
||||||
|
/* |
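Review bot: The audit strings in update_one() are swapped: the `Sflg` branch sets `ll.ll_time = NOW` (the refresh) but logs `"clearing-lastlog"`, while the else branch, reached for `-C`, logs `"refreshing-lastlog"`, so an auditor reconstructing who un-expired an account reads the opposite of what happened; exchange the two literals. Separately, the copied comment `fseeko errors are not really relevant for us` contradicts the `assert (0 == err)` under it, and with NDEBUG the check vanishes so a failed seek lets the fwrite() land at whatever the current position is, i.e. over another uid's record; since this path writes the file, fail explicitly as below. update() also finishes with success when getpwuid() returns NULL for a single numeric `-u`, so nothing is written and nothing is reported; a stderr message there would help.
```c
static void update_one (/*@null@*/const struct passwd *pw)
{
	/* … unchanged: locals and the NULL check … */
	offset = (off_t) pw->pw_uid * sizeof (ll);
	/* A failed seek must not silently redirect the write onto another uid's record. */
	if (fseeko (lastlogfile, offset, SEEK_SET) != 0) {
		fprintf (stderr,
		         _("%s: Failed to update the entry for UID %lu\n"),
		         Prog, (unsigned long int)pw->pw_uid);
		exit (EXIT_FAILURE);
	}
	/* … unchanged: memzero, Sflg/else branches with the two audit strings exchanged, fwrite … */
}
```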
||||||
|
@@ -208,18 +293,24 @@ int main (int argc, char **argv) |
||||||
|
|
||||||
|
process_root_flag ("-R", argc, argv); |
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_help_open (); |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
{ |
||||||
|
int c; |
||||||
|
static struct option const longopts[] = { |
||||||
|
{"before", required_argument, NULL, 'b'}, |
||||||
|
+ {"clear", no_argument, NULL, 'C'}, |
||||||
|
{"help", no_argument, NULL, 'h'}, |
||||||
|
{"root", required_argument, NULL, 'R'}, |
||||||
|
+ {"set", no_argument, NULL, 'S'}, |
||||||
|
{"time", required_argument, NULL, 't'}, |
||||||
|
{"user", required_argument, NULL, 'u'}, |
||||||
|
{NULL, 0, NULL, '\0'} |
||||||
|
}; |
||||||
|
|
||||||
|
- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts, |
||||||
|
+ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts, |
||||||
|
NULL)) != -1) { |
||||||
|
switch (c) { |
||||||
|
case 'b': |
||||||
|
@@ -235,11 +326,21 @@ int main (int argc, char **argv) |
||||||
|
bflg = true; |
||||||
|
break; |
||||||
|
} |
||||||
|
+ case 'C': |
||||||
|
+ { |
||||||
|
+ Cflg = true; |
||||||
|
+ break; |
||||||
|
+ } |
||||||
|
case 'h': |
||||||
|
usage (EXIT_SUCCESS); |
||||||
|
/*@notreached@*/break; |
||||||
|
case 'R': /* no-op, handled in process_root_flag () */ |
||||||
|
break; |
||||||
|
+ case 'S': |
||||||
|
+ { |
||||||
|
+ Sflg = true; |
||||||
|
+ break; |
||||||
|
+ } |
||||||
|
case 't': |
||||||
|
{ |
||||||
|
unsigned long days; |
||||||
|
@@ -294,9 +395,21 @@ int main (int argc, char **argv) |
||||||
|
Prog, argv[optind]); |
||||||
|
usage (EXIT_FAILURE); |
||||||
|
} |
||||||
|
+ if (Cflg && Sflg) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: Option -C cannot be used together with option -S\n"), |
||||||
|
+ Prog); |
||||||
|
+ usage (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
+ if ((Cflg || Sflg) && !uflg) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: Options -C and -S require option -u to specify the user\n"), |
||||||
|
+ Prog); |
||||||
|
+ usage (EXIT_FAILURE); |
||||||
|
+ } |
||||||
|
} |
||||||
|
|
||||||
|
- lastlogfile = fopen (LASTLOG_FILE, "r"); |
||||||
|
+ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r"); |
||||||
|
if (NULL == lastlogfile) { |
||||||
|
perror (LASTLOG_FILE); |
||||||
|
exit (EXIT_FAILURE); |
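Review bot: The new validation rejects `-C` with `-S` and either without `-u`, but `-t`/`-b` are still accepted alongside them even though update() never consults `tflg` or `bflg`, so `lastlog -C -u alice -t 30` silently clears regardless of the time filter; a third check in the same style, `if ((Cflg || Sflg) && (tflg || bflg))` followed by the same `usage (EXIT_FAILURE)`, would close that gap. It is also worth documenting that `-u` accepts a range, since update() walks the passwd database between `umin` and `umax`, so `-C -u 1000-60000` rewrites every matching record in one run while the man page text added in this patch speaks only of one user. The switch to `"r+"` when writing is right; the later `(void) fclose` can stay unchecked because update() already fflush()es and fsync()s the stream.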
||||||
|
@@ -310,7 +423,10 @@ int main (int argc, char **argv) |
||||||
|
exit (EXIT_FAILURE); |
||||||
|
} |
||||||
|
|
||||||
|
- print (); |
||||||
|
+ if (Cflg || Sflg) |
||||||
|
+ update (); |
||||||
|
+ else |
||||||
|
+ print (); |
||||||
|
|
||||||
|
(void) fclose (lastlogfile); |
||||||
|
|
||||||
|
diff -up shadow-4.1.5.1/src/Makefile.am.unexpire shadow-4.1.5.1/src/Makefile.am |
||||||
|
--- shadow-4.1.5.1/src/Makefile.am.unexpire 2011-11-18 22:23:30.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/Makefile.am 2016-04-28 15:09:11.027084241 +0200 |
||||||
|
@@ -90,6 +90,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) |
||||||
|
grpck_LDADD = $(LDADD) $(LIBSELINUX) |
||||||
|
grpconv_LDADD = $(LDADD) $(LIBSELINUX) |
||||||
|
grpunconv_LDADD = $(LDADD) $(LIBSELINUX) |
||||||
|
+lastlog_LDADD = $(LDADD) $(LIBAUDIT) |
||||||
|
login_SOURCES = \ |
||||||
|
login.c \ |
||||||
|
login_nopam.c |
||||||
|
diff -up shadow-4.1.5.1/src/Makefile.in.unexpire shadow-4.1.5.1/src/Makefile.in |
||||||
|
--- shadow-4.1.5.1/src/Makefile.in.unexpire 2012-05-25 13:56:51.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/Makefile.in 2016-04-28 15:09:11.027084241 +0200 |
||||||
|
@@ -162,7 +162,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1) |
||||||
|
$(top_builddir)/lib/libshadow.la |
||||||
|
lastlog_SOURCES = lastlog.c |
||||||
|
lastlog_OBJECTS = lastlog.$(OBJEXT) |
||||||
|
-lastlog_LDADD = $(LDADD) |
||||||
|
+lastlog_LDADD = $(LDADD) $(LIBAUDIT) |
||||||
|
lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ |
||||||
|
$(top_builddir)/libmisc/libmisc.a \ |
||||||
|
$(top_builddir)/lib/libshadow.la |
@ -0,0 +1,12 @@ |
diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c |
||||||
|
--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 |
||||||
|
@@ -275,7 +275,7 @@ static void fail_exit (int code) |
||||||
|
user_name, AUDIT_NO_ID, |
||||||
|
SHADOW_AUDIT_FAILURE); |
||||||
|
#endif |
||||||
|
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name)); |
||||||
|
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code)); |
||||||
|
exit (code); |
||||||
|
} |
||||||
|
|
@ -0,0 +1,84 @@ |
diff -up shadow-4.1.5.1/lib/defines.h.long-entry shadow-4.1.5.1/lib/defines.h |
||||||
|
--- shadow-4.1.5.1/lib/defines.h.long-entry 2011-09-18 22:44:10.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/lib/defines.h 2018-04-24 16:34:31.261417493 +0200 |
||||||
|
@@ -382,4 +382,7 @@ extern char *strerror (); |
||||||
|
# endif |
||||||
|
#endif |
||||||
|
|
||||||
|
+/* Maximum length of passwd entry */ |
||||||
|
+#define PASSWD_ENTRY_MAX_LENGTH 32768 |
||||||
|
+ |
||||||
|
#endif /* _DEFINES_H_ */ |
||||||
|
diff -up shadow-4.1.5.1/lib/pwio.c.long-entry shadow-4.1.5.1/lib/pwio.c |
||||||
|
--- shadow-4.1.5.1/lib/pwio.c.long-entry 2011-02-16 21:32:24.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/lib/pwio.c 2018-04-24 16:34:31.263417454 +0200 |
||||||
|
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, |
||||||
|
|| (pw->pw_gid == (gid_t)-1) |
||||||
|
|| (valid_field (pw->pw_gecos, ":\n") == -1) |
||||||
|
|| (valid_field (pw->pw_dir, ":\n") == -1) |
||||||
|
- || (valid_field (pw->pw_shell, ":\n") == -1)) { |
||||||
|
+ || (valid_field (pw->pw_shell, ":\n") == -1) |
||||||
|
+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) + |
||||||
|
+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) + |
||||||
|
+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) { |
||||||
|
return -1; |
||||||
|
} |
||||||
|
|
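Review bot: The `+ 100` in the new length guard is a bare magic number, and the sibling check added to shadowio.c in this same patch uses `+ 1000`, so a reader cannot tell whether the two slack values are deliberate; each deserves a comment, or a named constant next to PASSWD_ENTRY_MAX_LENGTH in defines.h. Presumably the slack stands in for the parts of the line the summed strings do not cover, the uid/gid digits, the ':' separators and the newline, in which case `/* slack for the uid/gid digits, the six ':' separators and the newline */` says so. passwd_put's body starts before this hunk.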
||||||
|
diff -up shadow-4.1.5.1/lib/sgetpwent.c.long-entry shadow-4.1.5.1/lib/sgetpwent.c |
||||||
|
--- shadow-4.1.5.1/lib/sgetpwent.c.long-entry 2009-04-06 06:28:53.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/lib/sgetpwent.c 2018-04-24 16:34:31.263417454 +0200 |
||||||
|
@@ -57,7 +57,7 @@ |
||||||
|
struct passwd *sgetpwent (const char *buf) |
||||||
|
{ |
||||||
|
static struct passwd pwent; |
||||||
|
- static char pwdbuf[1024]; |
||||||
|
+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH]; |
||||||
|
register int i; |
||||||
|
register char *cp; |
||||||
|
char *fields[NFIELDS]; |
||||||
|
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu |
||||||
|
* the password structure remain valid. |
||||||
|
*/ |
||||||
|
|
||||||
|
- if (strlen (buf) >= sizeof pwdbuf) |
||||||
|
+ if (strlen (buf) >= sizeof pwdbuf) { |
||||||
|
+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n"); |
||||||
|
return 0; /* fail if too long */ |
||||||
|
+ } |
||||||
|
strcpy (pwdbuf, buf); |
||||||
|
|
||||||
|
/* |
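Review bot: The new diagnostic `"Too long passwd entry encountered, file corruption?\n"` is the one stderr message in this patch set not wrapped in `_()` and not prefixed with the program name, unlike the `_("%s: ...")` form lastlog.c uses; if defines.h provides `_()` here as it does for the callers, `fprintf (stderr, _("Too long passwd entry encountered, file corruption?\n"));` keeps it translatable. Because sgetpwent() is library code it also cannot say which file or line number was rejected, so the caller that receives the NULL is the better place to report. The identical message added to sgetspent.c below has the same issue.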
||||||
|
diff -up shadow-4.1.5.1/lib/sgetspent.c.long-entry shadow-4.1.5.1/lib/sgetspent.c |
||||||
|
--- shadow-4.1.5.1/lib/sgetspent.c.long-entry 2009-04-12 04:46:43.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/lib/sgetspent.c 2018-04-24 16:34:31.264417435 +0200 |
||||||
|
@@ -48,7 +48,7 @@ |
||||||
|
*/ |
||||||
|
struct spwd *sgetspent (const char *string) |
||||||
|
{ |
||||||
|
- static char spwbuf[1024]; |
||||||
|
+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH]; |
||||||
|
static struct spwd spwd; |
||||||
|
char *fields[FIELDS]; |
||||||
|
char *cp; |
||||||
|
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri |
||||||
|
*/ |
||||||
|
|
||||||
|
if (strlen (string) >= sizeof spwbuf) { |
||||||
|
+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n"); |
||||||
|
return 0; /* fail if too long */ |
||||||
|
} |
||||||
|
strcpy (spwbuf, string); |
||||||
|
diff -up shadow-4.1.5.1/lib/shadowio.c.long-entry shadow-4.1.5.1/lib/shadowio.c |
||||||
|
--- shadow-4.1.5.1/lib/shadowio.c.long-entry 2011-02-16 21:32:24.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/lib/shadowio.c 2018-04-24 16:34:31.265417416 +0200 |
||||||
|
@@ -78,7 +78,9 @@ static int shadow_put (const void *ent, |
||||||
|
|
||||||
|
if ( (NULL == sp) |
||||||
|
|| (valid_field (sp->sp_namp, ":\n") == -1) |
||||||
|
- || (valid_field (sp->sp_pwdp, ":\n") == -1)) { |
||||||
|
+ || (valid_field (sp->sp_pwdp, ":\n") == -1) |
||||||
|
+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) + |
||||||
|
+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) { |
||||||
|
return -1; |
||||||
|
} |
||||||
|
|
@ -0,0 +1,281 @@ |
diff -up shadow-4.1.5.1/man/chage.1.xml.manfix shadow-4.1.5.1/man/chage.1.xml |
||||||
|
--- shadow-4.1.5.1/man/chage.1.xml.manfix 2012-05-25 13:45:27.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/chage.1.xml 2018-04-24 16:43:48.545743715 +0200 |
||||||
|
@@ -102,6 +102,9 @@ |
||||||
|
Set the number of days since January 1st, 1970 when the password |
||||||
|
was last changed. The date may also be expressed in the format |
||||||
|
YYYY-MM-DD (or the format more commonly used in your area). |
||||||
|
+ If the <replaceable>LAST_DAY</replaceable> is set to |
||||||
|
+ <emphasis>0</emphasis> the user is forced to change his password |
||||||
|
+ on the next log on. |
||||||
|
</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
@@ -123,6 +126,13 @@ |
||||||
|
<replaceable>EXPIRE_DATE</replaceable> will remove an account |
||||||
|
expiration date. |
||||||
|
</para> |
||||||
|
+ <para> |
||||||
|
+ For example the following command can be used |
||||||
|
+ to set an account to expire in 180 days: |
||||||
|
+ </para> |
||||||
|
+ <programlisting> |
||||||
|
+ chage -E $(date -d +180days +%Y-%m-%d) |
||||||
|
+ </programlisting> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
diff -up shadow-4.1.5.1/man/groupmems.8.xml.manfix shadow-4.1.5.1/man/groupmems.8.xml |
||||||
|
--- shadow-4.1.5.1/man/groupmems.8.xml.manfix 2012-05-25 13:45:28.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/groupmems.8.xml 2015-12-18 12:27:08.466909647 +0100 |
||||||
|
@@ -194,6 +194,13 @@ |
||||||
|
$ chown root.groups groupmems |
||||||
|
$ groupmems -g groups -a gk4 |
||||||
|
</programlisting> |
||||||
|
+ |
||||||
|
+ <para> |
||||||
|
+ In the Red Hat Enterprise Linux 7 the <command>groupmems</command> |
||||||
|
+ command is not setuid and regular users cannot use it to manipulate |
||||||
|
+ the membership of their own group. This might change in future |
||||||
|
+ major releases of the Red Hat Enterprise Linux. |
||||||
|
+ </para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1 id='configuration'> |
||||||
|
diff -up shadow-4.1.5.1/man/ja/man5/login.defs.5.manfix shadow-4.1.5.1/man/ja/man5/login.defs.5 |
||||||
|
--- shadow-4.1.5.1/man/ja/man5/login.defs.5.manfix 2012-05-25 13:45:27.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/ja/man5/login.defs.5 2015-12-18 12:34:08.080715842 +0100 |
||||||
|
@@ -147,10 +147,6 @@ 以下の参照表は、 |
||||||
|
shadow パスワード機能のどのプログラムが |
||||||
|
どのパラメータを使用するかを示したものである。 |
||||||
|
.na |
||||||
|
-.IP chfn 12 |
||||||
|
-CHFN_AUTH CHFN_RESTRICT |
||||||
|
-.IP chsh 12 |
||||||
|
-CHFN_AUTH |
||||||
|
.IP groupadd 12 |
||||||
|
GID_MAX GID_MIN |
||||||
|
.IP newusers 12 |
||||||
|
diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml |
||||||
|
--- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/login.defs.5.xml 2014-08-29 13:31:38.364812323 +0200 |
||||||
|
@@ -160,6 +160,17 @@ |
||||||
|
long numeric parameters is machine-dependent. |
||||||
|
</para> |
||||||
|
|
||||||
|
+ <para> |
||||||
|
+ Please note that the parameters in this configuration file control the |
||||||
|
+ behavior of the tools from the shadow-utils component. None of these |
||||||
|
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the |
||||||
|
+ passwd command) should be configured elsewhere. The only values that |
||||||
|
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis> |
||||||
|
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module, |
||||||
|
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to |
||||||
|
+ pam(8) for more information. |
||||||
|
+ </para> |
||||||
|
+ |
||||||
|
<para>The following configuration items are provided:</para> |
||||||
|
|
||||||
|
<variablelist remap='IP'> |
||||||
|
@@ -248,26 +258,6 @@ |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
- <term>chfn</term> |
||||||
|
- <listitem> |
||||||
|
- <para> |
||||||
|
- <phrase condition="no_pam">CHFN_AUTH</phrase> |
||||||
|
- CHFN_RESTRICT |
||||||
|
- <phrase condition="no_pam">LOGIN_STRING</phrase> |
||||||
|
- </para> |
||||||
|
- </listitem> |
||||||
|
- </varlistentry> |
||||||
|
- <varlistentry> |
||||||
|
- <term>chgpasswd</term> |
||||||
|
- <listitem> |
||||||
|
- <para> |
||||||
|
- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB |
||||||
|
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS |
||||||
|
- SHA_CRYPT_MIN_ROUNDS</phrase> |
||||||
|
- </para> |
||||||
|
- </listitem> |
||||||
|
- </varlistentry> |
||||||
|
- <varlistentry> |
||||||
|
<term>chpasswd</term> |
||||||
|
<listitem> |
||||||
|
<para> |
||||||
|
@@ -278,14 +268,6 @@ |
||||||
|
</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
- <varlistentry condition="no_pam"> |
||||||
|
- <term>chsh</term> |
||||||
|
- <listitem> |
||||||
|
- <para> |
||||||
|
- CHSH_AUTH LOGIN_STRING |
||||||
|
- </para> |
||||||
|
- </listitem> |
||||||
|
- </varlistentry> |
||||||
|
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) --> |
||||||
|
<!-- faillog: no variables --> |
||||||
|
<varlistentry> |
||||||
|
@@ -346,34 +328,6 @@ |
||||||
|
</varlistentry> |
||||||
|
<!-- id: no variables --> |
||||||
|
<!-- lastlog: no variables --> |
||||||
|
- <varlistentry> |
||||||
|
- <term>login</term> |
||||||
|
- <listitem> |
||||||
|
- <para> |
||||||
|
- <phrase condition="no_pam">CONSOLE</phrase> |
||||||
|
- CONSOLE_GROUPS DEFAULT_HOME |
||||||
|
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH |
||||||
|
- ENV_TZ ENVIRON_FILE</phrase> |
||||||
|
- ERASECHAR FAIL_DELAY |
||||||
|
- <phrase condition="no_pam">FAILLOG_ENAB</phrase> |
||||||
|
- FAKE_SHELL |
||||||
|
- <phrase condition="no_pam">FTMP_FILE</phrase> |
||||||
|
- HUSHLOGIN_FILE |
||||||
|
- <phrase condition="no_pam">ISSUE_FILE</phrase> |
||||||
|
- KILLCHAR |
||||||
|
- <phrase condition="no_pam">LASTLOG_ENAB</phrase> |
||||||
|
- LOGIN_RETRIES |
||||||
|
- <phrase condition="no_pam">LOGIN_STRING</phrase> |
||||||
|
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB |
||||||
|
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE |
||||||
|
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB |
||||||
|
- QUOTAS_ENAB</phrase> |
||||||
|
- TTYGROUP TTYPERM TTYTYPE_FILE |
||||||
|
- <phrase condition="no_pam">ULIMIT UMASK</phrase> |
||||||
|
- USERGROUPS_ENAB |
||||||
|
- </para> |
||||||
|
- </listitem> |
||||||
|
- </varlistentry> |
||||||
|
<!-- logoutd: no variables --> |
||||||
|
<varlistentry> |
||||||
|
<term>newgrp / sg</term> |
||||||
|
@@ -399,17 +353,6 @@ |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
<!-- nologin: no variables --> |
||||||
|
- <varlistentry condition="no_pam"> |
||||||
|
- <term>passwd</term> |
||||||
|
- <listitem> |
||||||
|
- <para> |
||||||
|
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB |
||||||
|
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN |
||||||
|
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS |
||||||
|
- SHA_CRYPT_MIN_ROUNDS</phrase> |
||||||
|
- </para> |
||||||
|
- </listitem> |
||||||
|
- </varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term>pwck</term> |
||||||
|
<listitem> |
||||||
|
@@ -436,32 +379,6 @@ |
||||||
|
</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
- <varlistentry> |
||||||
|
- <term>su</term> |
||||||
|
- <listitem> |
||||||
|
- <para> |
||||||
|
- <phrase condition="no_pam">CONSOLE</phrase> |
||||||
|
- CONSOLE_GROUPS DEFAULT_HOME |
||||||
|
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase> |
||||||
|
- ENV_PATH ENV_SUPATH |
||||||
|
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB |
||||||
|
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase> |
||||||
|
- SULOG_FILE SU_NAME |
||||||
|
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase> |
||||||
|
- SYSLOG_SU_ENAB |
||||||
|
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase> |
||||||
|
- </para> |
||||||
|
- </listitem> |
||||||
|
- </varlistentry> |
||||||
|
- <varlistentry> |
||||||
|
- <term>sulogin</term> |
||||||
|
- <listitem> |
||||||
|
- <para> |
||||||
|
- ENV_HZ |
||||||
|
- <phrase condition="no_pam">ENV_TZ</phrase> |
||||||
|
- </para> |
||||||
|
- </listitem> |
||||||
|
- </varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term>useradd</term> |
||||||
|
<listitem> |
||||||
|
diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml |
||||||
|
--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2015-12-17 14:05:47.930742412 +0100 |
||||||
|
+++ shadow-4.1.5.1/man/useradd.8.xml 2015-12-17 14:05:47.945742754 +0100 |
||||||
|
@@ -134,8 +134,8 @@ |
||||||
|
<replaceable>HOME_DIR</replaceable> is not specified. |
||||||
|
<replaceable>BASE_DIR</replaceable> is |
||||||
|
concatenated with the account name to define the home directory. |
||||||
|
- If the <option>-m</option> option is not used, |
||||||
|
- <replaceable>BASE_DIR</replaceable> must exist. |
||||||
|
+ The <replaceable>BASE_DIR</replaceable> must exist otherwise |
||||||
|
+ the home directory cannot be created. |
||||||
|
</para> |
||||||
|
<para> |
||||||
|
If this option is not specified, <command>useradd</command> |
||||||
|
@@ -161,7 +161,7 @@ |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term> |
||||||
|
- <option>-d</option>, <option>--home</option> |
||||||
|
+ <option>-d</option>, <option>--home-dir</option> |
||||||
|
<replaceable>HOME_DIR</replaceable> |
||||||
|
</term> |
||||||
|
<listitem> |
||||||
|
@@ -171,8 +171,7 @@ |
||||||
|
login directory. The default is to append the |
||||||
|
<replaceable>LOGIN</replaceable> name to |
||||||
|
<replaceable>BASE_DIR</replaceable> and use that as the login |
||||||
|
- directory name. The directory <replaceable>HOME_DIR</replaceable> |
||||||
|
- does not have to exist but will not be created if it is missing. |
||||||
|
+ directory name. |
||||||
|
</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
@@ -358,11 +357,16 @@ |
||||||
|
<option>CREATE_HOME</option> is not enabled, no home |
||||||
|
directories are created. |
||||||
|
</para> |
||||||
|
+ <para> |
||||||
|
+ The directory where the user's home directory is created must |
||||||
|
+ exist and have proper SELinux context and permissions. Otherwise |
||||||
|
+ the user's home directory cannot be created or accessed. |
||||||
|
+ </para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term> |
||||||
|
- <option>-M</option> |
||||||
|
+ <option>-M</option>, <option>--no-create-home</option> |
||||||
|
</term> |
||||||
|
<listitem> |
||||||
|
<para> |
||||||
|
diff -up shadow-4.1.5.1/man/usermod.8.xml.manfix shadow-4.1.5.1/man/usermod.8.xml |
||||||
|
--- shadow-4.1.5.1/man/usermod.8.xml.manfix 2012-05-25 13:45:29.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/man/usermod.8.xml 2014-08-29 13:33:40.814632618 +0200 |
||||||
|
@@ -132,7 +132,8 @@ |
||||||
|
If the <option>-m</option> |
||||||
|
option is given, the contents of the current home directory will |
||||||
|
be moved to the new home directory, which is created if it does |
||||||
|
- not already exist. |
||||||
|
+ not already exist. If the current home directory does not exist |
||||||
|
+ the new home directory will not be created. |
||||||
|
</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
@@ -261,7 +262,8 @@ |
||||||
|
<listitem> |
||||||
|
<para> |
||||||
|
Move the content of the user's home directory to the new |
||||||
|
- location. |
||||||
|
+ location. If the current home directory does not exist |
||||||
|
+ the new home directory will not be created. |
||||||
|
</para> |
||||||
|
<para> |
||||||
|
This option is only valid in combination with the |
@ -0,0 +1,27 @@ |
|||||||
|
diff -up shadow-4.1.5.1/lib/groupio.c.merge-group shadow-4.1.5.1/lib/groupio.c |
||||||
|
--- shadow-4.1.5.1/lib/groupio.c.merge-group 2011-02-16 21:32:24.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/lib/groupio.c 2013-01-29 13:56:43.049275513 +0100 |
||||||
|
@@ -330,12 +330,12 @@ static /*@null@*/struct commonio_entry * |
||||||
|
|
||||||
|
/* Concatenate the 2 lines */ |
||||||
|
new_line_len = strlen (gr1->line) + strlen (gr2->line) +1; |
||||||
|
- new_line = (char *)malloc ((new_line_len + 1) * sizeof(char*)); |
||||||
|
+ new_line = (char *)malloc (new_line_len + 1); |
||||||
|
if (NULL == new_line) { |
||||||
|
errno = ENOMEM; |
||||||
|
return NULL; |
||||||
|
} |
||||||
|
- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); |
||||||
|
+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); |
||||||
|
new_line[new_line_len] = '\0'; |
||||||
|
|
||||||
|
/* Concatenate the 2 list of members */ |
||||||
|
@@ -353,7 +353,7 @@ static /*@null@*/struct commonio_entry * |
||||||
|
members++; |
||||||
|
} |
||||||
|
} |
||||||
|
- new_members = (char **)malloc ( (members+1) * sizeof(char*) ); |
||||||
|
+ new_members = (char **)calloc (members+1, sizeof(char*)); |
||||||
|
if (NULL == new_members) { |
||||||
|
free (new_line); |
||||||
|
errno = ENOMEM; |
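Review bot: With the `snprintf` bound raised to `new_line_len + 1`, the `new_line[new_line_len] = '\0';` that follows is now redundant, because `new_line_len` is exactly the length of the joined `"line1\nline2"` and snprintf terminates within the given size. The `(char *)` cast on `malloc` on the same `+` line is unnecessary in C and could be dropped while the line is being touched. The switch to `calloc` in the second hunk is the right call, presumably so the extra trailing slot of `new_members` starts out NULL without a separate store. The enclosing merge function starts and ends outside these hunks.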
@ -0,0 +1,15 @@ |
|||||||
|
diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c |
||||||
|
--- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200 |
||||||
|
@@ -1571,6 +1571,11 @@ static void move_home (void) |
||||||
|
Prog, user_home, user_newhome); |
||||||
|
fail_exit (E_HOMEDIR); |
||||||
|
} |
||||||
|
+ } else { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: The previous home directory (%s) does " |
||||||
|
+ "not exist or is inaccessible. Move cannot be completed.\n"), |
||||||
|
+ Prog, user_home); |
||||||
|
} |
||||||
|
} |
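Review bot: The new `else` branch reports that the move cannot be completed but then falls through, so `move_home` returns normally and the caller presumably goes on to record the new home directory for the account; the adjacent failure path a few lines above calls `fail_exit (E_HOMEDIR)` instead, and nothing in the hunk says why this case is deliberately non-fatal. The usermod man-page hunks earlier in this commit document that behaviour, so a comment at the branch would tie the two together, e.g. `/* Old home is missing: documented as non-fatal, the new home is simply not created */`. Only `fprintf (stderr, ...)` is visible here, so it is worth confirming the condition also reaches syslog the way other usermod failures do. `move_home` begins outside the hunk.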
||||||
|
|
@ -0,0 +1,86 @@ |
|||||||
|
diff -up shadow-4.1.5.1/src/faillog.c.null-tm shadow-4.1.5.1/src/faillog.c |
||||||
|
--- shadow-4.1.5.1/src/faillog.c.null-tm 2011-11-19 23:54:47.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/faillog.c 2016-06-14 11:54:58.582314219 +0200 |
||||||
|
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s |
||||||
|
} |
||||||
|
|
||||||
|
tm = localtime (&fl.fail_time); |
||||||
|
+ if (tm == NULL) { |
||||||
|
+ cp = "(unknown)"; |
||||||
|
+ } else { |
||||||
|
#ifdef HAVE_STRFTIME |
||||||
|
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); |
||||||
|
- cp = ptime; |
||||||
|
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm); |
||||||
|
+ cp = ptime; |
||||||
|
#endif |
||||||
|
+ } |
||||||
|
printf ("%-9s %5d %5d ", |
||||||
|
pw->pw_name, fl.fail_cnt, fl.fail_max); |
||||||
|
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */ |
||||||
|
diff -up shadow-4.1.5.1/src/chage.c.null-tm shadow-4.1.5.1/src/chage.c |
||||||
|
--- shadow-4.1.5.1/src/chage.c.null-tm 2016-05-04 13:44:55.639787900 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/chage.c 2016-06-14 11:54:58.583314243 +0200 |
||||||
|
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size |
||||||
|
struct tm *tp; |
||||||
|
|
||||||
|
tp = gmtime (&date); |
||||||
|
+ if (tp == NULL) { |
||||||
|
+ (void) snprintf (buf, maxsize, "(unknown)"); |
||||||
|
+ return; |
||||||
|
+ } |
||||||
|
#ifdef HAVE_STRFTIME |
||||||
|
(void) strftime (buf, maxsize, "%Y-%m-%d", tp); |
||||||
|
#else |
||||||
|
diff -up shadow-4.1.5.1/src/lastlog.c.null-tm shadow-4.1.5.1/src/lastlog.c |
||||||
|
--- shadow-4.1.5.1/src/lastlog.c.null-tm 2016-05-04 13:44:55.647788082 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/lastlog.c 2016-06-14 11:54:58.584314267 +0200 |
||||||
|
@@ -165,13 +165,17 @@ static void print_one (/*@null@*/const s |
||||||
|
|
||||||
|
ll_time = ll.ll_time; |
||||||
|
tm = localtime (&ll_time); |
||||||
|
+ if (tm == NULL) { |
||||||
|
+ cp = "(unknown)"; |
||||||
|
+ } else { |
||||||
|
#ifdef HAVE_STRFTIME |
||||||
|
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); |
||||||
|
- cp = ptime; |
||||||
|
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm); |
||||||
|
+ cp = ptime; |
||||||
|
#else |
||||||
|
- cp = asctime (tm); |
||||||
|
- cp[24] = '\0'; |
||||||
|
+ cp = asctime (tm); |
||||||
|
+ cp[24] = '\0'; |
||||||
|
#endif |
||||||
|
+ } |
||||||
|
|
||||||
|
if (ll.ll_time == (time_t) 0) { |
||||||
|
cp = _("**Never logged in**\0"); |
||||||
|
diff -up shadow-4.1.5.1/src/passwd.c.null-tm shadow-4.1.5.1/src/passwd.c |
||||||
|
--- shadow-4.1.5.1/src/passwd.c.null-tm 2016-05-04 13:44:55.634787787 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/passwd.c 2016-06-14 11:54:58.584314267 +0200 |
||||||
|
@@ -438,6 +438,9 @@ static /*@observer@*/const char *date_to |
||||||
|
struct tm *tm; |
||||||
|
|
||||||
|
tm = gmtime (&t); |
||||||
|
+ if (tm == NULL) { |
||||||
|
+ return "(unknown)"; |
||||||
|
+ } |
||||||
|
#ifdef HAVE_STRFTIME |
||||||
|
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm); |
||||||
|
#else /* !HAVE_STRFTIME */ |
||||||
|
diff -up shadow-4.1.5.1/src/usermod.c.null-tm shadow-4.1.5.1/src/usermod.c |
||||||
|
--- shadow-4.1.5.1/src/usermod.c.null-tm 2016-05-04 13:44:55.648788104 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/usermod.c 2016-06-14 11:54:58.585314291 +0200 |
||||||
|
@@ -186,6 +186,10 @@ static void date_to_str (/*@unique@*//*@ |
||||||
|
} else { |
||||||
|
time_t t = (time_t) date; |
||||||
|
tp = gmtime (&t); |
||||||
|
+ if (tp == NULL) { |
||||||
|
+ strncpy (buf, "unknown", maxsize); |
||||||
|
+ return; |
||||||
|
+ } |
||||||
|
#ifdef HAVE_STRFTIME |
||||||
|
strftime (buf, maxsize, "%Y-%m-%d", tp); |
||||||
|
#else |
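Review bot: The usermod.c hunk writes its fallback with `strncpy (buf, "unknown", maxsize);`, which leaves `buf` unterminated whenever `maxsize` is 7 or less, and it also emits a different string from the `"(unknown)"` used by every other file in this patch; `(void) snprintf (buf, maxsize, "(unknown)");`, as chage.c's `date_to_str` already does, fixes both. In faillog.c and lastlog.c the `strftime` return value is still unchecked, so a zero return would leave `ptime` with unspecified contents before it is assigned to `cp`, and the existing FIXME about `cp` being undefined without `HAVE_STRFTIME` still applies inside the new `else` branch in faillog.c. Each `date_to_str` / `print_one` body starts outside its hunk.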
@ -0,0 +1,128 @@ |
|||||||
|
diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c |
||||||
|
--- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100 |
||||||
|
@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db * |
||||||
|
snprintf (buf, sizeof buf, "%s-", db->filename); |
||||||
|
|
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- if (set_selinux_file_context (buf) != 0) { |
||||||
|
+ if (set_selinux_file_context (buf, db->filename) != 0) { |
||||||
|
errors++; |
||||||
|
} |
||||||
|
#endif |
||||||
|
@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db * |
||||||
|
snprintf (buf, sizeof buf, "%s+", db->filename); |
||||||
|
|
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- if (set_selinux_file_context (buf) != 0) { |
||||||
|
+ if (set_selinux_file_context (buf, db->filename) != 0) { |
||||||
|
errors++; |
||||||
|
} |
||||||
|
#endif |
||||||
|
diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c |
||||||
|
--- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100 |
||||||
|
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co |
||||||
|
*/ |
||||||
|
|
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- if (set_selinux_file_context (dst) != 0) { |
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) { |
||||||
|
return -1; |
||||||
|
} |
||||||
|
#endif /* WITH_SELINUX */ |
||||||
|
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src |
||||||
|
} |
||||||
|
|
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- if (set_selinux_file_context (dst) != 0) { |
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) { |
||||||
|
free (oldlink); |
||||||
|
return -1; |
||||||
|
} |
||||||
|
@@ -684,7 +684,7 @@ static int copy_special (const char *src |
||||||
|
int err = 0; |
||||||
|
|
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- if (set_selinux_file_context (dst) != 0) { |
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) { |
||||||
|
return -1; |
||||||
|
} |
||||||
|
#endif /* WITH_SELINUX */ |
||||||
|
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c |
||||||
|
return -1; |
||||||
|
} |
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- if (set_selinux_file_context (dst) != 0) { |
||||||
|
+ if (set_selinux_file_context (dst, NULL) != 0) { |
||||||
|
return -1; |
||||||
|
} |
||||||
|
#endif /* WITH_SELINUX */ |
||||||
|
diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h |
||||||
|
--- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100 |
||||||
|
@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m |
||||||
|
|
||||||
|
/* selinux.c */ |
||||||
|
#ifdef WITH_SELINUX |
||||||
|
-extern int set_selinux_file_context (const char *dst_name); |
||||||
|
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name); |
||||||
|
extern int reset_selinux_file_context (void); |
||||||
|
#endif |
||||||
|
|
||||||
|
diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c |
||||||
|
--- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100 |
||||||
|
@@ -50,7 +50,7 @@ static bool selinux_enabled; |
||||||
|
* Callers may have to Reset SELinux to create files with default |
||||||
|
* contexts with reset_selinux_file_context |
||||||
|
*/ |
||||||
|
-int set_selinux_file_context (const char *dst_name) |
||||||
|
+int set_selinux_file_context (const char *dst_name, const char *orig_name) |
||||||
|
{ |
||||||
|
/*@null@*/security_context_t scontext = NULL; |
||||||
|
|
||||||
|
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char |
||||||
|
if (selinux_enabled) { |
||||||
|
/* Get the default security context for this file */ |
||||||
|
if (matchpathcon (dst_name, 0, &scontext) < 0) { |
||||||
|
- if (security_getenforce () != 0) { |
||||||
|
- return 1; |
||||||
|
- } |
||||||
|
+ /* We could not get the default, copy the original */ |
||||||
|
+ if (orig_name == NULL) |
||||||
|
+ goto error; |
||||||
|
+ if (getfilecon (orig_name, &scontext) < 0) |
||||||
|
+ goto error; |
||||||
|
} |
||||||
|
/* Set the security context for the next created file */ |
||||||
|
- if (setfscreatecon (scontext) < 0) { |
||||||
|
- if (security_getenforce () != 0) { |
||||||
|
- return 1; |
||||||
|
- } |
||||||
|
- } |
||||||
|
+ if (setfscreatecon (scontext) < 0) |
||||||
|
+ goto error; |
||||||
|
freecon (scontext); |
||||||
|
} |
||||||
|
return 0; |
||||||
|
+ error: |
||||||
|
+ if (security_getenforce () != 0) { |
||||||
|
+ return 1; |
||||||
|
+ } |
||||||
|
+ return 0; |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c |
||||||
|
--- shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100 |
||||||
|
@@ -1759,7 +1759,7 @@ static void create_home (void) |
||||||
|
{ |
||||||
|
if (access (user_home, F_OK) != 0) { |
||||||
|
#ifdef WITH_SELINUX |
||||||
|
- if (set_selinux_file_context (user_home) != 0) { |
||||||
|
+ if (set_selinux_file_context (user_home, NULL) != 0) { |
||||||
|
fail_exit (E_HOMEDIR); |
||||||
|
} |
||||||
|
#endif |
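Review bot: In lib/selinux.c the new `goto error` after a failed `setfscreatecon` skips `freecon (scontext)`, so the context obtained from `matchpathcon` or `getfilecon` is leaked on that path (the old code leaked it only in enforcing mode; now it leaks in both); `if (setfscreatecon (scontext) < 0) { freecon (scontext); goto error; }` closes the gap. The labelling fallback itself is sensible: when policy has no entry for the `db->filename-` / `db->filename+` backup names, the commonio.c hunks make the backup inherit the live database's label instead of a default, while the copydir.c and useradd.c callers pass `NULL` and keep the previous behaviour. The prototype in lib/prototypes.h should say that the second argument is optional, e.g. `/* orig_name: file whose label is copied when dst_name has no policy default; may be NULL */`. `set_selinux_file_context` is split across the two selinux.c hunks.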
@ -0,0 +1,289 @@ |
|||||||
|
diff -up shadow-4.1.5.1/src/chgpasswd.c.selinux-perms shadow-4.1.5.1/src/chgpasswd.c |
||||||
|
--- shadow-4.1.5.1/src/chgpasswd.c.selinux-perms 2016-05-04 13:44:55.633787764 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/chgpasswd.c 2016-05-30 12:01:30.421587253 +0200 |
||||||
|
@@ -39,6 +39,13 @@ |
||||||
|
#include <pwd.h> |
||||||
|
#include <stdio.h> |
||||||
|
#include <stdlib.h> |
||||||
|
+#ifdef WITH_SELINUX |
||||||
|
+#include <selinux/selinux.h> |
||||||
|
+#include <selinux/avc.h> |
||||||
|
+#endif |
||||||
|
+#ifdef WITH_LIBAUDIT |
||||||
|
+#include <libaudit.h> |
||||||
|
+#endif |
||||||
|
#ifdef ACCT_TOOLS_SETUID |
||||||
|
#ifdef USE_PAM |
||||||
|
#include "pam_defs.h" |
||||||
|
@@ -76,6 +83,9 @@ static bool sgr_locked = false; |
||||||
|
#endif |
||||||
|
static bool gr_locked = false; |
||||||
|
|
||||||
|
+/* The name of the caller */ |
||||||
|
+static char *myname = NULL; |
||||||
|
+ |
||||||
|
/* local function prototypes */ |
||||||
|
static void fail_exit (int code); |
||||||
|
static /*@noreturn@*/void usage (int status); |
||||||
|
@@ -300,6 +310,63 @@ static void check_perms (void) |
||||||
|
#endif /* ACCT_TOOLS_SETUID */ |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX |
||||||
|
+static int |
||||||
|
+log_callback (int type, const char *fmt, ...) |
||||||
|
+{ |
||||||
|
+ int audit_fd; |
||||||
|
+ va_list ap; |
||||||
|
+ |
||||||
|
+ va_start(ap, fmt); |
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_fd = audit_open(); |
||||||
|
+ |
||||||
|
+ if (audit_fd >= 0) { |
||||||
|
+ char *buf; |
||||||
|
+ |
||||||
|
+ if (vasprintf (&buf, fmt, ap) < 0) |
||||||
|
+ goto ret; |
||||||
|
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, |
||||||
|
+ NULL, 0); |
||||||
|
+ audit_close(audit_fd); |
||||||
|
+ free(buf); |
||||||
|
+ goto ret; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+#endif |
||||||
|
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); |
||||||
|
+ret: |
||||||
|
+ va_end(ap); |
||||||
|
+ return 0; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void |
||||||
|
+selinux_check_root (void) |
||||||
|
+{ |
||||||
|
+ int status = -1; |
||||||
|
+ security_context_t user_context; |
||||||
|
+ union selinux_callback old_callback; |
||||||
|
+ |
||||||
|
+ if (is_selinux_enabled() < 1) |
||||||
|
+ return; |
||||||
|
+ |
||||||
|
+ old_callback = selinux_get_callback(SELINUX_CB_LOG); |
||||||
|
+ /* setup callbacks */ |
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); |
||||||
|
+ if ((status = getprevcon(&user_context)) < 0) { |
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback); |
||||||
|
+ exit(1); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); |
||||||
|
+ |
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback); |
||||||
|
+ freecon(user_context); |
||||||
|
+ if (status != 0 && security_getenforce() != 0) |
||||||
|
+ exit(1); |
||||||
|
+} |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
/* |
||||||
|
* open_files - lock and open the group databases |
||||||
|
*/ |
||||||
|
@@ -393,6 +460,7 @@ int main (int argc, char **argv) |
||||||
|
|
||||||
|
const struct group *gr; |
||||||
|
struct group newgr; |
||||||
|
+ struct passwd *pw = NULL; |
||||||
|
int errors = 0; |
||||||
|
int line = 0; |
||||||
|
|
||||||
|
@@ -408,8 +476,33 @@ int main (int argc, char **argv) |
||||||
|
|
||||||
|
OPENLOG ("chgpasswd"); |
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_help_open (); |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
+ /* |
||||||
|
+ * Determine the name of the user that invoked this command. This |
||||||
|
+ * is really hit or miss because there are so many ways that command |
||||||
|
+ * can be executed and so many ways to trip up the routines that |
||||||
|
+ * report the user name. |
||||||
|
+ */ |
||||||
|
+ pw = get_my_pwent (); |
||||||
|
+ if (NULL == pw) { |
||||||
|
+ fprintf (stderr, _("%s: Cannot determine your user name.\n"), |
||||||
|
+ Prog); |
||||||
|
+ SYSLOG ((LOG_WARN, |
||||||
|
+ "Cannot determine the user name of the caller (UID %lu)", |
||||||
|
+ (unsigned long) getuid ())); |
||||||
|
+ exit (E_NOPERM); |
||||||
|
+ } |
||||||
|
+ myname = xstrdup (pw->pw_name); |
||||||
|
+ |
||||||
|
check_perms (); |
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX |
||||||
|
+ selinux_check_root (); |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
#ifdef SHADOWGRP |
||||||
|
is_shadow_grp = sgr_file_present (); |
||||||
|
#endif |
||||||
|
@@ -533,6 +626,15 @@ int main (int argc, char **argv) |
||||||
|
newgr.gr_passwd = cp; |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ { |
||||||
|
+ |
||||||
|
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog, |
||||||
|
+ "change-password", |
||||||
|
+ myname, AUDIT_NO_ID, gr->gr_name, |
||||||
|
+ SHADOW_AUDIT_SUCCESS); |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
/* |
||||||
|
* The updated group file entry is then put back and will |
||||||
|
* be written to the group file later, after all the |
||||||
|
diff -up shadow-4.1.5.1/src/chpasswd.c.selinux-perms shadow-4.1.5.1/src/chpasswd.c |
||||||
|
--- shadow-4.1.5.1/src/chpasswd.c.selinux-perms 2016-05-04 13:44:55.633787764 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/chpasswd.c 2016-05-30 12:01:42.877859957 +0200 |
||||||
|
@@ -39,6 +39,13 @@ |
||||||
|
#include <pwd.h> |
||||||
|
#include <stdio.h> |
||||||
|
#include <stdlib.h> |
||||||
|
+#ifdef WITH_SELINUX |
||||||
|
+#include <selinux/selinux.h> |
||||||
|
+#include <selinux/avc.h> |
||||||
|
+#endif |
||||||
|
+#ifdef WITH_LIBAUDIT |
||||||
|
+#include <libaudit.h> |
||||||
|
+#endif |
||||||
|
#ifdef USE_PAM |
||||||
|
#include "pam_defs.h" |
||||||
|
#endif /* USE_PAM */ |
||||||
|
@@ -297,6 +304,63 @@ static void check_perms (void) |
||||||
|
#endif /* USE_PAM */ |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX |
||||||
|
+static int |
||||||
|
+log_callback (int type, const char *fmt, ...) |
||||||
|
+{ |
||||||
|
+ int audit_fd; |
||||||
|
+ va_list ap; |
||||||
|
+ |
||||||
|
+ va_start(ap, fmt); |
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_fd = audit_open(); |
||||||
|
+ |
||||||
|
+ if (audit_fd >= 0) { |
||||||
|
+ char *buf; |
||||||
|
+ |
||||||
|
+ if (vasprintf (&buf, fmt, ap) < 0) |
||||||
|
+ goto ret; |
||||||
|
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, |
||||||
|
+ NULL, 0); |
||||||
|
+ audit_close(audit_fd); |
||||||
|
+ free(buf); |
||||||
|
+ goto ret; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+#endif |
||||||
|
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); |
||||||
|
+ret: |
||||||
|
+ va_end(ap); |
||||||
|
+ return 0; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void |
||||||
|
+selinux_check_root (void) |
||||||
|
+{ |
||||||
|
+ int status = -1; |
||||||
|
+ security_context_t user_context; |
||||||
|
+ union selinux_callback old_callback; |
||||||
|
+ |
||||||
|
+ if (is_selinux_enabled() < 1) |
||||||
|
+ return; |
||||||
|
+ |
||||||
|
+ old_callback = selinux_get_callback(SELINUX_CB_LOG); |
||||||
|
+ /* setup callbacks */ |
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); |
||||||
|
+ if ((status = getprevcon(&user_context)) < 0) { |
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback); |
||||||
|
+ exit(1); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); |
||||||
|
+ |
||||||
|
+ selinux_set_callback(SELINUX_CB_LOG, old_callback); |
||||||
|
+ freecon(user_context); |
||||||
|
+ if (status != 0 && security_getenforce() != 0) |
||||||
|
+ exit(1); |
||||||
|
+} |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
/* |
||||||
|
* open_files - lock and open the password databases |
||||||
|
*/ |
||||||
|
@@ -405,8 +469,16 @@ int main (int argc, char **argv) |
||||||
|
|
||||||
|
OPENLOG ("chpasswd"); |
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_help_open (); |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
check_perms (); |
||||||
|
|
||||||
|
+#ifdef WITH_SELINUX |
||||||
|
+ selinux_check_root (); |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
#ifdef USE_PAM |
||||||
|
if (!use_pam) |
||||||
|
#endif /* USE_PAM */ |
||||||
|
@@ -563,6 +635,11 @@ int main (int argc, char **argv) |
||||||
|
newpw.pw_passwd = cp; |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, |
||||||
|
+ "updating-password", |
||||||
|
+ pw->pw_name, (unsigned int) pw->pw_uid, 1); |
||||||
|
+#endif |
||||||
|
/* |
||||||
|
* The updated password file entry is then put back and will |
||||||
|
* be written to the password file later, after all the |
||||||
|
diff -up shadow-4.1.5.1/src/Makefile.am.selinux-perms shadow-4.1.5.1/src/Makefile.am |
||||||
|
--- shadow-4.1.5.1/src/Makefile.am.selinux-perms 2016-05-04 13:44:55.647788082 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/Makefile.am 2016-05-27 16:04:49.446582632 +0200 |
||||||
|
@@ -79,9 +79,9 @@ endif |
||||||
|
|
||||||
|
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) |
||||||
|
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) |
||||||
|
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) |
||||||
|
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) |
||||||
|
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) |
||||||
|
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) |
||||||
|
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) |
||||||
|
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) |
||||||
|
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) |
||||||
|
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) |
||||||
|
diff -up shadow-4.1.5.1/src/Makefile.in.selinux-perms shadow-4.1.5.1/src/Makefile.in |
||||||
|
--- shadow-4.1.5.1/src/Makefile.in.selinux-perms 2016-05-04 13:44:55.647788082 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/Makefile.in 2016-05-27 16:04:49.447582654 +0200 |
||||||
|
@@ -437,9 +437,9 @@ AM_CPPFLAGS = -DLOCALEDIR=\"$(datadir)/l |
||||||
|
@USE_PAM_TRUE@LIBCRYPT_NOPAM = |
||||||
|
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) |
||||||
|
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) |
||||||
|
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) |
||||||
|
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) |
||||||
|
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) |
||||||
|
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) |
||||||
|
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT) |
||||||
|
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) |
||||||
|
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) |
||||||
|
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) |
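Review bot: In `log_callback`, added identically to chgpasswd.c and chpasswd.c, a failed `vasprintf` jumps to `ret` without calling `audit_close (audit_fd)`, leaking the audit socket and also skipping the `vsyslog` fallback; `if (vasprintf (&buf, fmt, ap) < 0) { audit_close (audit_fd); goto ret; }` keeps the descriptor bounded, and the `type` parameter is unused in both copies. The `<libaudit.h>` include is guarded by `#ifdef WITH_LIBAUDIT` while every call is guarded by `#ifdef WITH_AUDIT`; unless the build always defines both together, `audit_open` and `audit_log_user_avc_message` are compiled without a prototype, so the two guards should use the same macro. In chpasswd.c the `AUDIT_USER_CHAUTHTOK` record with a success result (`1` here, `SHADOW_AUDIT_SUCCESS` in chgpasswd.c) is emitted before the entry is put back and the file written, so a later write failure leaves a success record in the audit trail; emitting it after the write, or recording the actual outcome, would be more accurate. The duplicated `selinux_check_root` would be better as one shared libmisc helper so the access check cannot drift between the two tools.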
@ -0,0 +1,99 @@ |
|||||||
|
diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c |
||||||
|
--- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100 |
||||||
|
+++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200 |
||||||
|
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, |
||||||
|
|
||||||
|
ret = 0; |
||||||
|
|
||||||
|
+ /* drop obsolete matchpathcon cache */ |
||||||
|
+ matchpathcon_fini(); |
||||||
|
+ |
||||||
|
done: |
||||||
|
semanage_seuser_key_free (key); |
||||||
|
semanage_handle_destroy (handle); |
||||||
|
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name) |
||||||
|
} |
||||||
|
|
||||||
|
ret = 0; |
||||||
|
+ |
||||||
|
+ /* drop obsolete matchpathcon cache */ |
||||||
|
+ matchpathcon_fini(); |
||||||
|
+ |
||||||
|
done: |
||||||
|
semanage_handle_destroy (handle); |
||||||
|
return ret; |
||||||
|
diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c |
||||||
|
--- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200 |
||||||
|
@@ -1850,6 +1850,7 @@ static void create_mail (void) |
||||||
|
*/ |
||||||
|
int main (int argc, char **argv) |
||||||
|
{ |
||||||
|
+ int rv = E_SUCCESS; |
||||||
|
#ifdef ACCT_TOOLS_SETUID |
||||||
|
#ifdef USE_PAM |
||||||
|
pam_handle_t *pamh = NULL; |
||||||
|
@@ -2037,10 +2038,33 @@ int main (int argc, char **argv) |
||||||
|
|
||||||
|
usr_update (); |
||||||
|
|
||||||
|
+ close_files (); |
||||||
|
+ |
||||||
|
+ nscd_flush_cache ("passwd"); |
||||||
|
+ nscd_flush_cache ("group"); |
||||||
|
+ |
||||||
|
+#ifdef WITH_SELINUX |
||||||
|
+ if (Zflg && *user_selinux) { |
||||||
|
+ if (is_selinux_enabled () > 0) { |
||||||
|
+ if (set_seuser (user_name, user_selinux) != 0) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), |
||||||
|
+ Prog, user_name, user_selinux); |
||||||
|
+#ifdef WITH_AUDIT |
||||||
|
+ audit_logger (AUDIT_ADD_USER, Prog, |
||||||
|
+ "adding SELinux user mapping", |
||||||
|
+ user_name, (unsigned int) user_id, 0); |
||||||
|
+#endif /* WITH_AUDIT */ |
||||||
|
+ rv = E_SE_UPDATE; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
if (mflg) { |
||||||
|
create_home (); |
||||||
|
if (home_added) { |
||||||
|
- copy_tree (def_template, user_home, false, false, |
||||||
|
+ copy_tree (def_template, user_home, false, true, |
||||||
|
(uid_t)-1, user_id, (gid_t)-1, user_gid); |
||||||
|
} else { |
||||||
|
fprintf (stderr, |
||||||
|
@@ -2056,27 +2080,6 @@ int main (int argc, char **argv) |
||||||
|
create_mail (); |
||||||
|
} |
||||||
|
|
||||||
|
- close_files (); |
||||||
|
- |
||||||
|
-#ifdef WITH_SELINUX |
||||||
|
- if (Zflg) { |
||||||
|
- if (set_seuser (user_name, user_selinux) != 0) { |
||||||
|
- fprintf (stderr, |
||||||
|
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), |
||||||
|
- Prog, user_name, user_selinux); |
||||||
|
-#ifdef WITH_AUDIT |
||||||
|
- audit_logger (AUDIT_ADD_USER, Prog, |
||||||
|
- "adding SELinux user mapping", |
||||||
|
- user_name, (unsigned int) user_id, 0); |
||||||
|
-#endif /* WITH_AUDIT */ |
||||||
|
- fail_exit (E_SE_UPDATE); |
||||||
|
- } |
||||||
|
- } |
||||||
|
-#endif /* WITH_SELINUX */ |
||||||
|
- |
||||||
|
- nscd_flush_cache ("passwd"); |
||||||
|
- nscd_flush_cache ("group"); |
||||||
|
- |
||||||
|
- return E_SUCCESS; |
||||||
|
+ return rv; |
||||||
|
} |
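Review bot: `close_files ()` now runs before `create_home ()`, `copy_tree` and `create_mail ()`, so any `fail_exit` raised from those paths (the `E_HOMEDIR` exit visible in the orig-context patch of this same commit) executes after the passwd/group databases have already been closed; if `fail_exit` still tries to unlock or roll back those files, that work is now a no-op or an error, which should be confirmed. A comment at the moved call would explain the ordering, which the hunk only implies, e.g. `/* Commit the account and its SELinux user mapping before the home is created, presumably so the home directory is labelled for the mapped user */`. The `copy_tree` fourth argument flips from `false` to `true` with no comment naming the flag; a one-line note of what it enables would help the next reader. `main` starts before this hunk.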
||||||
|
|
@ -0,0 +1,15 @@ |
|||||||
|
diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c |
||||||
|
--- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200 |
||||||
|
+++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100 |
||||||
|
@@ -130,8 +130,9 @@ static void usage (int status) |
||||||
|
"\n" |
||||||
|
"Options:\n"), |
||||||
|
Prog); |
||||||
|
- (void) fputs (_(" -f, --force force removal of files,\n" |
||||||
|
- " even if not owned by user\n"), |
||||||
|
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n" |
||||||
|
+ " e.g. removal of user still logged in\n" |
||||||
|
+ " or files, even if not owned by the user\n"), |
||||||
|
usageout); |
||||||
|
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout); |
||||||
|
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout); |
@ -0,0 +1,63 @@ |
|||||||
|
diff -up shadow-4.1.5.1/src/usermod.c.passwd shadow-4.1.5.1/src/usermod.c |
||||||
|
--- shadow-4.1.5.1/src/usermod.c.passwd 2015-12-17 14:05:47.959743073 +0100 |
||||||
|
+++ shadow-4.1.5.1/src/usermod.c 2015-12-18 12:42:28.290405529 +0100 |
||||||
|
@@ -360,14 +360,17 @@ static char *new_pw_passwd (char *pw_pas |
||||||
|
strcat (buf, pw_pass); |
||||||
|
pw_pass = buf; |
||||||
|
} else if (Uflg && pw_pass[0] == '!') { |
||||||
|
- char *s; |
||||||
|
+ char *s = pw_pass; |
||||||
|
|
||||||
|
- if (pw_pass[1] == '\0') { |
||||||
|
+ while ('!' == *s) |
||||||
|
+ ++s; |
||||||
|
+ |
||||||
|
+ if (*s == '\0') { |
||||||
|
fprintf (stderr, |
||||||
|
_("%s: unlocking the user's password would result in a passwordless account.\n" |
||||||
|
"You should set a password with usermod -p to unlock this user's password.\n"), |
||||||
|
Prog); |
||||||
|
- return pw_pass; |
||||||
|
+ return NULL; |
||||||
|
} |
||||||
|
|
||||||
|
#ifdef WITH_AUDIT |
||||||
|
@@ -376,12 +379,15 @@ static char *new_pw_passwd (char *pw_pas |
||||||
|
user_newname, (unsigned int) user_newid, 1); |
||||||
|
#endif |
||||||
|
SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname)); |
||||||
|
- s = pw_pass; |
||||||
|
- while ('\0' != *s) { |
||||||
|
- *s = *(s + 1); |
||||||
|
- s++; |
||||||
|
- } |
||||||
|
+ memmove (pw_pass, s, strlen (s) + 1); |
||||||
|
} else if (pflg) { |
||||||
|
+ if (strchr (user_pass, ':') != NULL) { |
||||||
|
+ fprintf (stderr, |
||||||
|
+ _("%s: The password field cannot contain a colon character.\n"), |
||||||
|
+ Prog); |
||||||
|
+ return NULL; |
||||||
|
+ |
||||||
|
+ } |
||||||
|
#ifdef WITH_AUDIT |
||||||
|
audit_logger (AUDIT_USER_CHAUTHTOK, Prog, |
||||||
|
"updating-password", |
||||||
|
@@ -430,6 +436,8 @@ static void new_pwent (struct passwd *pw |
||||||
|
if ( (!is_shadow_pwd) |
||||||
|
|| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) { |
||||||
|
pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd); |
||||||
|
+ if (pwent->pw_passwd == NULL) |
||||||
|
+ fail_exit (E_PW_UPDATE); |
||||||
|
} |
||||||
|
|
||||||
|
if (uflg) { |
||||||
|
@@ -544,6 +552,8 @@ static void new_spent (struct spwd *spen |
||||||
|
* + aging has been requested |
||||||
|
*/ |
||||||
|
spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp); |
||||||
|
+ if (spent->sp_pwdp == NULL) |
||||||
|
+ fail_exit(E_PW_UPDATE); |
||||||
|
|
||||||
|
if (pflg) { |
||||||
|
spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE; |
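Review bot: The new `-p` validation in `new_pw_passwd` rejects a `:` in `user_pass` but not a newline, and if the field is written verbatim into the passwd/shadow record a `\n` breaks the line format just as a colon breaks the field format; `if (strpbrk (user_pass, ":\n") != NULL)` covers both with the message adjusted accordingly. Turning the all-`!` unlock case from a warning that left the password untouched into `return NULL` followed by `fail_exit (E_PW_UPDATE)` in `new_pwent` and `new_spent` is a behaviour change worth a sentence in the man page or changelog, since `usermod -U` on such an account now exits non-zero. `new_pw_passwd` begins outside the first hunk.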
@ -0,0 +1,72 @@ |
|||||||
|
# |
||||||
|
# Please note that the parameters in this configuration file control the |
||||||
|
# behavior of the tools from the shadow-utils component. None of these |
||||||
|
# tools uses the PAM mechanism, and the utilities that use PAM (such as the |
||||||
|
# passwd command) should therefore be configured elsewhere. Refer to |
||||||
|
# /etc/pam.d/system-auth for more information. |
||||||
|
# |
||||||
|
|
||||||
|
# *REQUIRED* |
||||||
|
# Directory where mailboxes reside, _or_ name of file, relative to the |
||||||
|
# home directory. If you _do_ define both, MAIL_DIR takes precedence. |
||||||
|
# QMAIL_DIR is for Qmail |
||||||
|
# |
||||||
|
#QMAIL_DIR Maildir |
||||||
|
MAIL_DIR /var/spool/mail |
||||||
|
#MAIL_FILE .mail |
||||||
|
|
||||||
|
# Password aging controls: |
||||||
|
# |
||||||
|
# PASS_MAX_DAYS Maximum number of days a password may be used. |
||||||
|
# PASS_MIN_DAYS Minimum number of days allowed between password changes. |
||||||
|
# PASS_MIN_LEN Minimum acceptable password length. |
||||||
|
# PASS_WARN_AGE Number of days warning given before a password expires. |
||||||
|
# |
||||||
|
PASS_MAX_DAYS 99999 |
||||||
|
PASS_MIN_DAYS 0 |
||||||
|
PASS_MIN_LEN 5 |
||||||
|
PASS_WARN_AGE 7 |
||||||
|
|
||||||
|
# |
||||||
|
# Min/max values for automatic uid selection in useradd |
||||||
|
# |
||||||
|
UID_MIN 1000 |
||||||
|
UID_MAX 60000 |
||||||
|
# System accounts |
||||||
|
SYS_UID_MIN 201 |
||||||
|
SYS_UID_MAX 999 |
||||||
|
|
||||||
|
# |
||||||
|
# Min/max values for automatic gid selection in groupadd |
||||||
|
# |
||||||
|
GID_MIN 1000 |
||||||
|
GID_MAX 60000 |
||||||
|
# System accounts |
||||||
|
SYS_GID_MIN 201 |
||||||
|
SYS_GID_MAX 999 |
||||||
|
|
||||||
|
# |
||||||
|
# If defined, this command is run when removing a user. |
||||||
|
# It should remove any at/cron/print jobs etc. owned by |
||||||
|
# the user to be removed (passed as the first argument). |
||||||
|
# |
||||||
|
#USERDEL_CMD /usr/sbin/userdel_local |
||||||
|
|
||||||
|
# |
||||||
|
# If useradd should create home directories for users by default |
||||||
|
# On RH systems, we do. This option is overridden with the -m flag on |
||||||
|
# useradd command line. |
||||||
|
# |
||||||
|
CREATE_HOME yes |
||||||
|
|
||||||
|
# The permission mask is initialized to this value. If not specified, |
||||||
|
# the permission mask will be initialized to 022. |
||||||
|
UMASK 077 |
||||||
|
|
||||||
|
# This enables userdel to remove user groups if no members exist. |
||||||
|
# |
||||||
|
USERGROUPS_ENAB yes |
||||||
|
|
||||||
|
# Use SHA512 to encrypt password. |
||||||
|
ENCRYPT_METHOD SHA512 |
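Review bot: The header comment states that none of the shadow-utils tools uses PAM, but the chpasswd.c and chgpasswd.c hunks earlier in this commit are compiled under `USE_PAM` and linked with `$(LIBPAM)` / `$(LIBPAM_SUID)` in src/Makefile.am, so at least those tools do; narrowing the sentence to the settings this file actually governs would avoid misleading administrators. `# Use SHA512 to encrypt password.` describes a hash, not encryption; `# Hash passwords with SHA512 (crypt(3) method).` is more accurate.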
||||||
|
|
@ -0,0 +1,9 @@ |
|||||||
|
# useradd defaults file |
||||||
|
GROUP=100 |
||||||
|
HOME=/home |
||||||
|
INACTIVE=-1 |
||||||
|
EXPIRE= |
||||||
|
SHELL=/bin/bash |
||||||
|
SKEL=/etc/skel |
||||||
|
CREATE_MAIL_SPOOL=yes |
||||||
|
|