Browse Source

shadow-utils package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 6 years ago
parent
commit
6fbae45e8c
  1. 100
      SOURCES/shadow-4.1.5-2ndskip.patch
  2. 42
      SOURCES/shadow-4.1.5-redhat.patch
  3. 23
      SOURCES/shadow-4.1.5-uflg.patch
  4. 32
      SOURCES/shadow-4.1.5.1-audit-owner.patch
  5. 2250
      SOURCES/shadow-4.1.5.1-audit-update.patch
  6. 20
      SOURCES/shadow-4.1.5.1-backup-mode.patch
  7. 44
      SOURCES/shadow-4.1.5.1-chgrp-guard.patch
  8. 195
      SOURCES/shadow-4.1.5.1-crypt-null.patch
  9. 138
      SOURCES/shadow-4.1.5.1-date-parsing.patch
  10. 35
      SOURCES/shadow-4.1.5.1-default-range.patch
  11. 23
      SOURCES/shadow-4.1.5.1-errmsg.patch
  12. 113
      SOURCES/shadow-4.1.5.1-goodname.patch
  13. 1213
      SOURCES/shadow-4.1.5.1-id-alloc.patch
  14. 20
      SOURCES/shadow-4.1.5.1-info-parent-dir.patch
  15. 121
      SOURCES/shadow-4.1.5.1-ingroup.patch
  16. 25
      SOURCES/shadow-4.1.5.1-ja-translation.patch
  17. 263
      SOURCES/shadow-4.1.5.1-lastlog-unexpire.patch
  18. 12
      SOURCES/shadow-4.1.5.1-logmsg.patch
  19. 84
      SOURCES/shadow-4.1.5.1-long-entry.patch
  20. 281
      SOURCES/shadow-4.1.5.1-manfix.patch
  21. 27
      SOURCES/shadow-4.1.5.1-merge-group.patch
  22. 15
      SOURCES/shadow-4.1.5.1-move-home.patch
  23. 86
      SOURCES/shadow-4.1.5.1-null-tm.patch
  24. 128
      SOURCES/shadow-4.1.5.1-orig-context.patch
  25. 289
      SOURCES/shadow-4.1.5.1-selinux-perms.patch
  26. 99
      SOURCES/shadow-4.1.5.1-selinux.patch
  27. 15
      SOURCES/shadow-4.1.5.1-userdel-helpfix.patch
  28. 63
      SOURCES/shadow-4.1.5.1-usermod-passwd.patch
  29. 72
      SOURCES/shadow-utils.login.defs
  30. 9
      SOURCES/shadow-utils.useradd
  31. 1086
      SPECS/shadow-utils.spec

100
SOURCES/shadow-4.1.5-2ndskip.patch

@ -0,0 +1,100 @@
diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c
--- shadow-4.1.5/src/grpconv.c.2ndskip 2012-06-18 13:08:34.438910815 +0200
+++ shadow-4.1.5/src/grpconv.c 2012-06-18 13:12:51.270764552 +0200
@@ -143,6 +143,7 @@ int main (int argc, char **argv)
struct group grent;
const struct sgrp *sg;
struct sgrp sgent;
+ char *np;
Prog = Basename (argv[0]);
@@ -184,20 +185,25 @@ int main (int argc, char **argv)
* Remove /etc/gshadow entries for groups not in /etc/group.
*/
(void) sgr_rewind ();
- while ((sg = sgr_next ()) != NULL) {
- if (gr_locate (sg->sg_name) != NULL) {
- continue;
- }
-
- if (sgr_remove (sg->sg_name) == 0) {
- /*
- * This shouldn't happen (the entry exists) but...
- */
- fprintf (stderr,
- _("%s: cannot remove entry '%s' from %s\n"),
- Prog, sg->sg_name, sgr_dbname ());
- fail_exit (3);
+ sg = sgr_next ();
+ np=NULL;
+ while (sg != NULL) {
+ np = strdup(sg->sg_name);
+ sg = sgr_next ();
+
+ if(gr_locate (np) == NULL) {
+ if (sgr_remove (np) == 0) {
+ /*
+ * This shouldn't happen (the entry exists) but...
+ */
+ fprintf (stderr,
+ _("%s: cannot remove entry '%s' from %s\n"),
+ Prog, np, sgr_dbname ());
+ free(np);
+ fail_exit (3);
+ }
}
+ free(np);
}
/*
diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c
--- shadow-4.1.5/src/pwconv.c.2ndskip 2012-06-18 11:23:33.938511797 +0200
+++ shadow-4.1.5/src/pwconv.c 2012-06-18 12:57:18.396426194 +0200
@@ -173,6 +173,7 @@ int main (int argc, char **argv)
struct passwd pwent;
const struct spwd *sp;
struct spwd spent;
+ char *np;
Prog = Basename (argv[0]);
@@ -223,20 +224,25 @@ int main (int argc, char **argv)
* Remove /etc/shadow entries for users not in /etc/passwd.
*/
(void) spw_rewind ();
- while ((sp = spw_next ()) != NULL) {
- if (pw_locate (sp->sp_namp) != NULL) {
- continue;
- }
-
- if (spw_remove (sp->sp_namp) == 0) {
- /*
- * This shouldn't happen (the entry exists) but...
- */
- fprintf (stderr,
- _("%s: cannot remove entry '%s' from %s\n"),
- Prog, sp->sp_namp, spw_dbname ());
- fail_exit (E_FAILURE);
+ sp = spw_next ();
+ np = NULL;
+ while (sp != NULL) {
+ np = strdup(sp->sp_namp);
+ sp = spw_next ();
+
+ if (pw_locate (np) == NULL) {
+ if (spw_remove (np) == 0) {
+ /*
+ * This shouldn't happen (the entry exists) but...
+ */
+ fprintf (stderr,
+ _("%s: cannot remove entry '%s' from %s\n"),
+ Prog, np, spw_dbname ());
+ free(np);
+ fail_exit (E_FAILURE);
+ }
}
+ free(np);
}
/*

42
SOURCES/shadow-4.1.5-redhat.patch

@ -0,0 +1,42 @@
diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8
diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c
--- shadow-4.1.5/src/useradd.c.redhat 2011-12-09 23:23:15.000000000 +0100
+++ shadow-4.1.5/src/useradd.c 2012-03-19 09:50:05.227588669 +0100
@@ -93,7 +93,7 @@ const char *Prog;
static gid_t def_group = 100;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no";
@@ -103,7 +103,7 @@ static const char *def_expire = "";
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
-static const char *user_pass = "!";
+static const char *user_pass = "!!";
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:",
#else /* !WITH_SELINUX */
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
+ "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U",
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) {
@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha
case 'M':
Mflg = true;
break;
+ case 'n':
case 'N':
Nflg = true;
break;

23
SOURCES/shadow-4.1.5-uflg.patch

@ -0,0 +1,23 @@
diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c
--- shadow-4.1.5/libmisc/find_new_gid.c.uflg 2011-07-30 01:10:27.000000000 +0200
+++ shadow-4.1.5/libmisc/find_new_gid.c 2012-03-19 12:51:46.090554116 +0100
@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group,
return -1;
}
} else {
- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+ gid_min = (gid_t) 1;
gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
if (gid_max < gid_min) {
@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group,
return 0;
}
+ /* if we did not find free preffered system gid, we start to look for
+ * one in the range assigned to dynamic system IDs */
+ if (sys_group)
+ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
/*
* Search the entire group file,

32
SOURCES/shadow-4.1.5.1-audit-owner.patch

@ -0,0 +1,32 @@
diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c
--- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100
+++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200
@@ -1513,6 +1513,14 @@ static void move_home (void)
fail_exit (E_HOMEDIR);
}
+#ifdef WITH_AUDIT
+ if (uflg || gflg) {
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "changing home directory owner",
+ user_newname, (unsigned int) user_newid, 1);
+ }
+#endif
+
if (rename (user_home, user_newhome) == 0) {
/* FIXME: rename above may have broken symlinks
* pointing to the user's home directory
@@ -1947,6 +1955,13 @@ int main (int argc, char **argv)
* ownership.
*
*/
+#ifdef WITH_AUDIT
+ if (uflg || gflg) {
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "changing home directory owner",
+ user_newname, (unsigned int) user_newid, 1);
+ }
+#endif
if (chown_tree (dflg ? user_newhome : user_home,
user_id,
uflg ? user_newid : (uid_t)-1,

2250
SOURCES/shadow-4.1.5.1-audit-update.patch

File diff suppressed because it is too large Load Diff

20
SOURCES/shadow-4.1.5.1-backup-mode.patch

@ -0,0 +1,20 @@
diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c
--- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200
+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200
@@ -301,15 +301,12 @@ static int create_backup (const char *ba
struct utimbuf ub;
FILE *bkfp;
int c;
- mode_t mask;
if (fstat (fileno (fp), &sb) != 0) {
return -1;
}
- mask = umask (077);
- bkfp = fopen (backup, "w");
- (void) umask (mask);
+ bkfp = fopen_set_perms (backup, "w", &sb);
if (NULL == bkfp) {
return -1;
}

44
SOURCES/shadow-4.1.5.1-chgrp-guard.patch

@ -0,0 +1,44 @@
diff -up shadow-4.1.5.1/man/usermod.8.xml.chgrp-guard shadow-4.1.5.1/man/usermod.8.xml
--- shadow-4.1.5.1/man/usermod.8.xml.chgrp-guard 2016-05-04 13:44:17.267917583 +0200
+++ shadow-4.1.5.1/man/usermod.8.xml 2016-05-04 13:44:17.284917968 +0200
@@ -198,6 +198,12 @@
The group ownership of files outside of the user's home directory
must be fixed manually.
</para>
+ <para>
+ The change of the group ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -364,6 +370,12 @@
must be fixed manually.
</para>
<para>
+ The change of the user ownership of files inside of the user's
+ home directory is also not done if the home dir owner uid is
+ different from the current or new user id. This is safety measure
+ for special home directories such as <filename>/</filename>.
+ </para>
+ <para>
No checks will be performed with regard to the
<option>UID_MIN</option>, <option>UID_MAX</option>,
<option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
diff -up shadow-4.1.5.1/src/usermod.c.chgrp-guard shadow-4.1.5.1/src/usermod.c
--- shadow-4.1.5.1/src/usermod.c.chgrp-guard 2016-05-04 13:44:17.280917877 +0200
+++ shadow-4.1.5.1/src/usermod.c 2016-05-04 13:44:17.285917991 +0200
@@ -1971,7 +1971,10 @@ int main (int argc, char **argv)
}
if (!mflg && (uflg || gflg)) {
- if (access (dflg ? user_newhome : user_home, F_OK) == 0) {
+ struct stat sb;
+
+ if (stat (dflg ? user_newhome : user_home, &sb) == 0 &&
+ ((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
/*
* Change the UID on all of the files owned by
* `user_id' to `user_newid' in the user's home

195
SOURCES/shadow-4.1.5.1-crypt-null.patch

@ -0,0 +1,195 @@
diff -up shadow-4.1.5.1/lib/encrypt.c.crypt-null shadow-4.1.5.1/lib/encrypt.c
--- shadow-4.1.5.1/lib/encrypt.c.crypt-null 2010-08-22 15:05:02.000000000 +0200
+++ shadow-4.1.5.1/lib/encrypt.c 2013-07-25 12:27:30.438355782 +0200
@@ -49,11 +49,10 @@
if (!cp) {
/*
* Single Unix Spec: crypt() may return a null pointer,
- * and set errno to indicate an error. The caller doesn't
- * expect us to return NULL, so...
+ * and set errno to indicate an error. In this case return
+ * the NULL so the caller can handle appropriately.
*/
- perror ("crypt");
- exit (EXIT_FAILURE);
+ return cp;
}
/* The GNU crypt does not return NULL if the algorithm is not
diff -up shadow-4.1.5.1/libmisc/valid.c.crypt-null shadow-4.1.5.1/libmisc/valid.c
--- shadow-4.1.5.1/libmisc/valid.c.crypt-null 2010-08-22 21:14:41.000000000 +0200
+++ shadow-4.1.5.1/libmisc/valid.c 2013-07-25 12:27:30.440355847 +0200
@@ -95,6 +95,7 @@ bool valid (const char *password, const
*/
if ( (NULL != ent->pw_name)
+ && (NULL != encrypted)
&& (strcmp (encrypted, ent->pw_passwd) == 0)) {
return true;
} else {
diff -up shadow-4.1.5.1/lib/pwauth.c.crypt-null shadow-4.1.5.1/lib/pwauth.c
--- shadow-4.1.5.1/lib/pwauth.c.crypt-null 2009-07-13 00:24:48.000000000 +0200
+++ shadow-4.1.5.1/lib/pwauth.c 2013-07-25 12:27:30.438355782 +0200
@@ -73,6 +73,7 @@ int pw_auth (const char *cipher,
char prompt[1024];
char *clear = NULL;
const char *cp;
+ const char *encrypted;
int retval;
#ifdef SKEY
@@ -177,7 +178,11 @@ int pw_auth (const char *cipher,
* the results there as well.
*/
- retval = strcmp (pw_encrypt (input, cipher), cipher);
+ encrypted = pw_encrypt (input, cipher);
+ if (encrypted!=NULL)
+ retval = strcmp (encrypted, cipher);
+ else
+ retval = -1;
#ifdef SKEY
/*
diff -up shadow-4.1.5.1/src/chgpasswd.c.crypt-null shadow-4.1.5.1/src/chgpasswd.c
--- shadow-4.1.5.1/src/chgpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100
+++ shadow-4.1.5.1/src/chgpasswd.c 2013-07-25 12:27:30.440355847 +0200
@@ -469,6 +469,10 @@ int main (int argc, char **argv)
#endif
cp = pw_encrypt (newpwd,
crypt_make_salt (crypt_method, arg));
+ if (cp == NULL) {
+ perror ("crypt");
+ exit (EXIT_FAILURE);
+ }
}
/*
diff -up shadow-4.1.5.1/src/chpasswd.c.crypt-null shadow-4.1.5.1/src/chpasswd.c
--- shadow-4.1.5.1/src/chpasswd.c.crypt-null 2011-12-09 22:31:40.000000000 +0100
+++ shadow-4.1.5.1/src/chpasswd.c 2013-07-25 12:27:30.440355847 +0200
@@ -492,6 +492,10 @@ int main (int argc, char **argv)
#endif
cp = pw_encrypt (newpwd,
crypt_make_salt(crypt_method, arg));
+ if (cp == NULL) {
+ perror ("crypt");
+ exit (EXIT_FAILURE);
+ }
}
/*
diff -up shadow-4.1.5.1/src/gpasswd.c.crypt-null shadow-4.1.5.1/src/gpasswd.c
--- shadow-4.1.5.1/src/gpasswd.c.crypt-null 2011-11-19 23:55:04.000000000 +0100
+++ shadow-4.1.5.1/src/gpasswd.c 2013-07-25 12:27:30.441355866 +0200
@@ -939,6 +939,10 @@ static void change_passwd (struct group
}
cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL));
+ if (cp==NULL) {
+ perror ("crypt");
+ exit (EXIT_FAILURE);
+ }
memzero (pass, sizeof pass);
#ifdef SHADOWGRP
if (is_shadowgrp) {
diff -up shadow-4.1.5.1/src/newgrp.c.crypt-null shadow-4.1.5.1/src/newgrp.c
--- shadow-4.1.5.1/src/newgrp.c.crypt-null 2011-07-30 03:50:01.000000000 +0200
+++ shadow-4.1.5.1/src/newgrp.c 2013-07-25 12:27:30.442355881 +0200
@@ -184,7 +184,8 @@ static void check_perms (const struct gr
cpasswd = pw_encrypt (cp, grp->gr_passwd);
strzero (cp);
- if (grp->gr_passwd[0] == '\0' ||
+ if (cpasswd == NULL ||
+ grp->gr_passwd[0] == '\0' ||
strcmp (cpasswd, grp->gr_passwd) != 0) {
#ifdef WITH_AUDIT
snprintf (audit_buf, sizeof(audit_buf),
diff -up shadow-4.1.5.1/src/newusers.c.crypt-null shadow-4.1.5.1/src/newusers.c
--- shadow-4.1.5.1/src/newusers.c.crypt-null 2011-12-09 22:31:40.000000000 +0100
+++ shadow-4.1.5.1/src/newusers.c 2013-07-25 12:27:30.442355881 +0200
@@ -387,6 +387,7 @@ static int add_user (const char *name, u
static void update_passwd (struct passwd *pwd, const char *password)
{
void *crypt_arg = NULL;
+ char *cp;
if (crypt_method != NULL) {
#ifdef USE_SHA_CRYPT
if (sflg) {
@@ -398,9 +399,13 @@ static void update_passwd (struct passwd
if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) {
pwd->pw_passwd = (char *)password;
} else {
- pwd->pw_passwd = pw_encrypt (password,
- crypt_make_salt (crypt_method,
- crypt_arg));
+ cp=pw_encrypt (password, crypt_make_salt (crypt_method,
+ crypt_arg));
+ if (cp == NULL) {
+ perror ("crypt");
+ exit (EXIT_FAILURE);
+ }
+ pwd->pw_passwd = cp;
}
}
#endif /* !USE_PAM */
@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pw
{
const struct spwd *sp;
struct spwd spent;
+ char *cp;
#ifndef USE_PAM
void *crypt_arg = NULL;
@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pw
} else {
const char *salt = crypt_make_salt (crypt_method,
crypt_arg);
- spent.sp_pwdp = pw_encrypt (password, salt);
+ cp = pw_encrypt (password, salt);
+ if (cp == NULL) {
+ perror ("crypt");
+ exit (EXIT_FAILURE);
+ }
+ spent.sp_pwdp = cp;
}
spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
if (0 == spent.sp_lstchg) {
@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pw
spent.sp_pwdp = (char *)password;
} else {
const char *salt = crypt_make_salt (crypt_method, crypt_arg);
- spent.sp_pwdp = pw_encrypt (password, salt);
+ cp = pw_encrypt (password, salt);
+ if (cp == NULL) {
+ perror ("crypt");
+ exit (EXIT_FAILURE);
+ }
+ spent.sp_pwdp = cp;
}
#else
/*
diff -up shadow-4.1.5.1/src/passwd.c.crypt-null shadow-4.1.5.1/src/passwd.c
--- shadow-4.1.5.1/src/passwd.c.crypt-null 2012-02-13 21:32:01.000000000 +0100
+++ shadow-4.1.5.1/src/passwd.c 2013-07-25 12:27:30.443355896 +0200
@@ -242,7 +242,7 @@ static int new_password (const struct pa
}
cipher = pw_encrypt (clear, crypt_passwd);
- if (strcmp (cipher, crypt_passwd) != 0) {
+ if ((cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)) {
strzero (clear);
strzero (cipher);
SYSLOG ((LOG_WARN, "incorrect password for %s",
@@ -349,6 +349,10 @@ static int new_password (const struct pa
* Encrypt the password, then wipe the cleartext password.
*/
cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL));
+ if (cp == NULL) {
+ perror ("crypt");
+ exit (EXIT_FAILURE);
+ }
memzero (pass, sizeof pass);
#ifdef HAVE_LIBCRACK_HIST

138
SOURCES/shadow-4.1.5.1-date-parsing.patch

@ -0,0 +1,138 @@
diff -up shadow-4.1.5.1/libmisc/getdate.c.date-parsing shadow-4.1.5.1/libmisc/getdate.c
--- shadow-4.1.5.1/libmisc/getdate.c.date-parsing 2008-06-14 00:07:51.000000000 +0200
+++ shadow-4.1.5.1/libmisc/getdate.c 2014-08-29 13:41:22.553267506 +0200
@@ -261,6 +261,7 @@ static int yyHaveDay;
static int yyHaveRel;
static int yyHaveTime;
static int yyHaveZone;
+static int yyHaveYear;
static int yyTimezone;
static int yyDay;
static int yyHour;
@@ -1730,6 +1731,7 @@ yyreduce:
yyDay = (yyvsp[(3) - (5)].Number);
yyYear = (yyvsp[(5) - (5)].Number);
}
+ yyHaveYear++;
}
break;
@@ -1740,6 +1742,7 @@ yyreduce:
yyYear = (yyvsp[(1) - (3)].Number);
yyMonth = -(yyvsp[(2) - (3)].Number);
yyDay = -(yyvsp[(3) - (3)].Number);
+ yyHaveYear++;
}
break;
@@ -1750,6 +1753,7 @@ yyreduce:
yyDay = (yyvsp[(1) - (3)].Number);
yyMonth = (yyvsp[(2) - (3)].Number);
yyYear = -(yyvsp[(3) - (3)].Number);
+ yyHaveYear++;
}
break;
@@ -1767,6 +1771,7 @@ yyreduce:
yyMonth = (yyvsp[(1) - (4)].Number);
yyDay = (yyvsp[(2) - (4)].Number);
yyYear = (yyvsp[(4) - (4)].Number);
+ yyHaveYear++;
}
break;
@@ -1784,6 +1789,7 @@ yyreduce:
yyMonth = (yyvsp[(2) - (3)].Number);
yyDay = (yyvsp[(1) - (3)].Number);
yyYear = (yyvsp[(3) - (3)].Number);
+ yyHaveYear++;
}
break;
@@ -1928,7 +1934,8 @@ yyreduce:
case 49:
#line 397 "getdate.y"
{
- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0))
+ if ((yyHaveTime != 0 || (yyvsp[(1) - (1)].Number) >= 100) && !yyHaveYear
+ && (yyHaveDate != 0) && (yyHaveRel == 0))
yyYear = (yyvsp[(1) - (1)].Number);
else
{
@@ -2556,7 +2563,7 @@ yylex (void)
return LookupWord (buff);
}
if (c != '(')
- return *yyInput++;
+ return (unsigned char)*yyInput++;
Count = 0;
do
{
diff -up shadow-4.1.5.1/libmisc/getdate.y.date-parsing shadow-4.1.5.1/libmisc/getdate.y
--- shadow-4.1.5.1/libmisc/getdate.y.date-parsing 2008-05-26 10:57:51.000000000 +0200
+++ shadow-4.1.5.1/libmisc/getdate.y 2014-08-29 13:40:37.502229879 +0200
@@ -152,6 +152,7 @@ static int yyHaveDay;
static int yyHaveRel;
static int yyHaveTime;
static int yyHaveZone;
+static int yyHaveYear;
static int yyTimezone;
static int yyDay;
static int yyHour;
@@ -293,18 +294,21 @@ date : tUNUMBER '/' tUNUMBER {
yyDay = $3;
yyYear = $5;
}
+ yyHaveYear++;
}
| tUNUMBER tSNUMBER tSNUMBER {
/* ISO 8601 format. yyyy-mm-dd. */
yyYear = $1;
yyMonth = -$2;
yyDay = -$3;
+ yyHaveYear++;
}
| tUNUMBER tMONTH tSNUMBER {
/* e.g. 17-JUN-1992. */
yyDay = $1;
yyMonth = $2;
yyYear = -$3;
+ yyHaveYear++;
}
| tMONTH tUNUMBER {
yyMonth = $1;
@@ -314,6 +318,7 @@ date : tUNUMBER '/' tUNUMBER {
yyMonth = $1;
yyDay = $2;
yyYear = $4;
+ yyHaveYear++;
}
| tUNUMBER tMONTH {
yyMonth = $2;
@@ -323,6 +328,7 @@ date : tUNUMBER '/' tUNUMBER {
yyMonth = $2;
yyDay = $1;
yyYear = $3;
+ yyHaveYear++;
}
;
@@ -395,7 +401,8 @@ relunit : tUNUMBER tYEAR_UNIT {
number : tUNUMBER
{
- if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0))
+ if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear
+ && (yyHaveDate != 0) && (yyHaveRel == 0))
yyYear = $1;
else
{
@@ -802,7 +809,7 @@ yylex (void)
return LookupWord (buff);
}
if (c != '(')
- return *yyInput++;
+ return (unsigned char)*yyInput++;
Count = 0;
do
{

35
SOURCES/shadow-4.1.5.1-default-range.patch

@ -0,0 +1,35 @@
diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c
--- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100
+++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
goto done;
}
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (stderr,
@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
ret = 1;
goto done;
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {
@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
goto done;
}
+#if 0
ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
if (ret != 0) {
fprintf (stderr,
@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
ret = 1;
goto done;
}
+#endif
ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
if (ret != 0) {

23
SOURCES/shadow-4.1.5.1-errmsg.patch

@ -0,0 +1,23 @@
diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100
+++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200
@@ -1760,6 +1760,9 @@ static void create_home (void)
if (access (user_home, F_OK) != 0) {
#ifdef WITH_SELINUX
if (set_selinux_file_context (user_home, NULL) != 0) {
+ fprintf (stderr,
+ _("%s: cannot set SELinux context for home directory %s\n"),
+ Prog, user_home);
fail_exit (E_HOMEDIR);
}
#endif
@@ -1789,6 +1792,9 @@ static void create_home (void)
#ifdef WITH_SELINUX
/* Reset SELinux to create files with default contexts */
if (reset_selinux_file_context () != 0) {
+ fprintf (stderr,
+ _("%s: cannot reset SELinux file creation context\n"),
+ Prog);
fail_exit (E_HOMEDIR);
}
#endif

113
SOURCES/shadow-4.1.5.1-goodname.patch

@ -0,0 +1,113 @@
diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c
--- shadow-4.1.5.1/libmisc/chkname.c.goodname 2009-07-13 00:24:45.000000000 +0200
+++ shadow-4.1.5.1/libmisc/chkname.c 2018-04-24 16:32:40.970529916 +0200
@@ -49,25 +49,44 @@
static bool is_valid_name (const char *name)
{
/*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ * User/group names must match gnu e-regex:
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+ *
+ * as a non-POSIX, extension, allow "$" as the last char for
+ * sake of Samba 3.x "add machine script"
+ *
+ * Also do not allow fully numeric names or just "." or "..".
+ */
+ int numeric;
+
+ if ('\0' == *name ||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) ||
+ !((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.')) {
return false;
}
+ numeric = isdigit(*name);
+
while ('\0' != *++name) {
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
- ( ('0' <= *name) && ('9' >= *name) ) ||
- ('_' == *name) ||
- ('-' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
+ if (!((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' ||
+ *name == '.' ||
+ *name == '-' ||
+ (*name == '$' && name[1] == '\0')
)) {
return false;
}
+ numeric &= isdigit(*name);
}
- return true;
+ return !numeric || getenv("SHADOW_ALLOW_ALL_NUMERIC_USER") != NULL;
}
bool is_valid_user_name (const char *name)
diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml
--- shadow-4.1.5.1/man/groupadd.8.xml.goodname 2012-05-25 13:45:27.000000000 +0200
+++ shadow-4.1.5.1/man/groupadd.8.xml 2012-09-19 18:43:53.492160653 +0200
@@ -259,10 +259,14 @@
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
- Groupnames must start with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Groupnames may contain only lower and upper case letters, digits,
+ underscores, or dashes. They can end with a dollar sign.
+
+ Dashes are not allowed at the beginning of the groupname.
+ Fully numeric groupnames and groupnames . or .. are
+ also disallowed.
+
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
</para>
<para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml
--- shadow-4.1.5.1/man/useradd.8.xml.goodname 2012-05-25 13:45:29.000000000 +0200
+++ shadow-4.1.5.1/man/useradd.8.xml 2012-09-19 18:43:53.493160675 +0200
@@ -366,7 +366,7 @@
</term>
<listitem>
<para>
- Do no create the user's home directory, even if the system
+ Do not create the user's home directory, even if the system
wide setting from <filename>/etc/login.defs</filename>
(<option>CREATE_HOME</option>) is set to
<replaceable>yes</replaceable>.
@@ -654,10 +654,16 @@
</para>
<para>
- Usernames must start with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ Usernames may contain only lower and upper case letters, digits,
+ underscores, or dashes. They can end with a dollar sign.
+
+ Dashes are not allowed at the beginning of the username.
+ Fully numeric usernames and usernames . or .. are
+ also disallowed. It is not recommended to use usernames beginning
+ with . character as their home directories will be hidden in
+ the <command>ls</command> output.
+
+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
</para>
<para>
Usernames may only be up to 32 characters long.

1213
SOURCES/shadow-4.1.5.1-id-alloc.patch

File diff suppressed because it is too large Load Diff

20
SOURCES/shadow-4.1.5.1-info-parent-dir.patch

@ -0,0 +1,20 @@
diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml
--- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir 2012-05-25 13:45:28.000000000 +0200
+++ shadow-4.1.5.1/man/newusers.8.xml 2012-09-19 18:46:35.651613365 +0200
@@ -216,7 +216,15 @@
<para>
If this field does not specify an existing directory, the
specified directory is created, with ownership set to the
- user being created or updated and its primary group.
+ user being created or updated and its primary group. Note
+ that newusers does not create parent directories of the new
+ user's home directory. The newusers command will fail to
+ create the home directory if the parent directories do not
+ exist, and will send a message to stderr informing the user
+ of the failure. The newusers command will not halt or return
+ a failure to the calling shell if it fails to create the home
+ directory, it will continue to process the batch of new users
+ specified.
</para>
<para>
If the home directory of an existing user is changed,

121
SOURCES/shadow-4.1.5.1-ingroup.patch

@ -0,0 +1,121 @@
diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c
--- shadow-4.1.5.1/src/newgrp.c.ingroup 2018-04-24 16:55:24.546677529 +0200
+++ shadow-4.1.5.1/src/newgrp.c 2018-04-24 16:58:17.113445562 +0200
@@ -83,15 +83,29 @@ static void usage (void)
}
}
+static bool ingroup(const char *name, struct group *gr)
+{
+ char **look;
+ bool notfound = true;
+
+ look = gr->gr_mem;
+ while (*look && notfound)
+ notfound = strcmp (*look++, name);
+
+ return !notfound;
+}
+
/*
- * find_matching_group - search all groups of a given group id for
+ * find_matching_group - search all groups of a gr's group id for
* membership of a given username
+ * but check gr itself first
*/
-static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid)
+static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr)
{
- struct group *gr;
- char **look;
- bool notfound = true;
+ gid_t gid = gr->gr_gid;
+
+ if (ingroup(name, gr))
+ return gr;
setgrent ();
while ((gr = getgrent ()) != NULL) {
@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc
* A group with matching GID was found.
* Test for membership of 'name'.
*/
- look = gr->gr_mem;
- while ((NULL != *look) && notfound) {
- notfound = (strcmp (*look, name) != 0);
- look++;
- }
- if (!notfound) {
+ if (ingroup(name, gr))
break;
- }
}
endgrent ();
return gr;
@@ -373,6 +381,7 @@ int main (int argc, char **argv)
{
bool initflag = false;
int i;
+ bool is_member = false;
bool cflag = false;
int err = 0;
gid_t gid;
@@ -611,22 +620,36 @@ int main (int argc, char **argv)
goto failure;
}
+#ifdef HAVE_SETGROUPS
+ /* when using pam_group, she will not be listed in the groups
+ * database. However getgroups() will return the group. So
+ * if she is listed there already it is ok to grant membership.
+ */
+ for (i = 0; i < ngroups; i++) {
+ if (grp->gr_gid == grouplist[i]) {
+ is_member = true;
+ break;
+ }
+ }
+#endif /* HAVE_SETGROUPS */
/*
* For splitted groups (due to limitations of NIS), check all
* groups of the same GID like the requested group for
* membership of the current user.
*/
- grp = find_matching_group (name, grp->gr_gid);
- if (NULL == grp) {
- /*
- * No matching group found. As we already know that
- * the group exists, this happens only in the case
- * of a requested group where the user is not member.
- *
- * Re-read the group entry for further processing.
- */
- grp = xgetgrnam (group);
- assert (NULL != grp);
+ if (!is_member) {
+ grp = find_matching_group (name, grp);
+ if (NULL == grp) {
+ /*
+ * No matching group found. As we already know that
+ * the group exists, this happens only in the case
+ * of a requested group where the user is not member.
+ *
+ * Re-read the group entry for further processing.
+ */
+ grp = xgetgrnam (group);
+ assert (NULL != grp);
+ }
}
#ifdef SHADOWGRP
sgrp = getsgnam (group);
@@ -639,7 +662,9 @@ int main (int argc, char **argv)
/*
* Check if the user is allowed to access this group.
*/
- check_perms (grp, pwd, group);
+ if (!is_member) {
+ check_perms (grp, pwd, group);
+ }
/*
* all successful validations pass through this point. The group id

25
SOURCES/shadow-4.1.5.1-ja-translation.patch

@ -0,0 +1,25 @@
From f2ce4cc54edc7dfeb6b12f3e8fff98255a9f477d Mon Sep 17 00:00:00 2001
From: Taizo Ito <taizo.ito@hde.co.jp>
Date: Tue, 17 Mar 2015 13:51:27 +0900
Subject: [PATCH 1/1] typo in japanese man page of useradd

---
po/ja.po | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/po/ja.po b/po/ja.po
index a68a698..0c21c29 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -2047,7 +2047,7 @@ msgid " -s, --shell SHELL login shell of the new account\n"
msgstr " -s, --shell SHELL 新アカウントのログインシェル\n"
msgid " -u, --uid UID user ID of the new account\n"
-msgstr " -u, --iud UID 新アカウントのユーザ ID\n"
+msgstr " -u, --uid UID 新アカウントのユーザ ID\n"
msgid ""
" -U, --user-group create a group with the same name as the "
--
1.8.3.1

263
SOURCES/shadow-4.1.5.1-lastlog-unexpire.patch

@ -0,0 +1,263 @@
diff -up shadow-4.1.5.1/man/lastlog.8.xml.unexpire shadow-4.1.5.1/man/lastlog.8.xml
--- shadow-4.1.5.1/man/lastlog.8.xml.unexpire 2012-05-25 13:45:28.000000000 +0200
+++ shadow-4.1.5.1/man/lastlog.8.xml 2016-04-28 15:09:11.026084219 +0200
@@ -105,6 +105,17 @@
</varlistentry>
<varlistentry>
<term>
+ <option>-C</option>, <option>--clear</option>
+ </term>
+ <listitem>
+ <para>
+ Clear lastlog record of an user. This option can be used only together
+ with <option>-u</option> (<option>--user</option>)).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
<option>-h</option>, <option>--help</option>
</term>
<listitem>
@@ -124,6 +135,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-S</option>, <option>--set</option>
+ </term>
+ <listitem>
+ <para>
+ Set lastlog record of an user to the current time. This option can be
+ used only together with <option>-u</option> (<option>--user</option>)).
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>-t</option>, <option>--time</option>
diff -up shadow-4.1.5.1/src/lastlog.c.unexpire shadow-4.1.5.1/src/lastlog.c
--- shadow-4.1.5.1/src/lastlog.c.unexpire 2011-11-06 21:54:18.000000000 +0100
+++ shadow-4.1.5.1/src/lastlog.c 2016-04-28 15:49:30.253371990 +0200
@@ -55,6 +55,13 @@
#endif
/*
+ * Needed for systems with older audit library.
+ */
+#ifndef AUDIT_ACCT_UNLOCK
+#define AUDIT_ACCT_UNLOCK 1136
+#endif
+
+/*
* Global variables
*/
const char *Prog; /* Program name */
@@ -71,6 +78,8 @@ static struct stat statbuf; /* fstat buf
static bool uflg = false; /* print only an user of range of users */
static bool tflg = false; /* print is restricted to most recent days */
static bool bflg = false; /* print excludes most recent days */
+static bool Cflg = false; /* clear record for user */
+static bool Sflg = false; /* set record for user */
#define NOW (time ((time_t *) 0))
@@ -83,8 +92,10 @@ static /*@noreturn@*/void usage (int sta
"Options:\n"),
Prog);
(void) fputs (_(" -b, --before DAYS print only lastlog records older than DAYS\n"), usageout);
+ (void) fputs (_(" -C, --clear clear lastlog record of an user (usable only with -u)\n"), usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -S, --set set lastlog record to current time (usable only with -u)\n"), usageout);
(void) fputs (_(" -t, --time DAYS print only lastlog records more recent than DAYS\n"), usageout);
(void) fputs (_(" -u, --user LOGIN print lastlog record of the specified LOGIN\n"), usageout);
(void) fputs ("\n", usageout);
@@ -194,6 +205,80 @@ static void print (void)
}
}
+static void update_one (/*@null@*/const struct passwd *pw)
+{
+ off_t offset;
+ struct lastlog ll;
+ int err;
+
+ if (NULL == pw) {
+ return;
+ }
+
+ offset = (off_t) pw->pw_uid * sizeof (ll);
+ /* fseeko errors are not really relevant for us. */
+ err = fseeko (lastlogfile, offset, SEEK_SET);
+ assert (0 == err);
+
+ memzero (&ll, sizeof (ll));
+
+ if (Sflg) {
+ ll.ll_time = NOW;
+#ifdef HAVE_LL_HOST
+ strcpy (ll.ll_host, "localhost");
+#endif
+ strcpy (ll.ll_line, "lastlog");
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ACCT_UNLOCK, Prog,
+ "clearing-lastlog",
+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
+#endif
+ }
+#ifdef WITH_AUDIT
+ else {
+ audit_logger (AUDIT_ACCT_UNLOCK, Prog,
+ "refreshing-lastlog",
+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
+ }
+#endif
+
+ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) {
+ fprintf (stderr,
+ _("%s: Failed to update the entry for UID %lu\n"),
+ Prog, (unsigned long int)pw->pw_uid);
+ exit (EXIT_FAILURE);
+ }
+}
+
+static void update (void)
+{
+ const struct passwd *pwent;
+
+ if (!uflg) /* safety measure */
+ return;
+
+ if (has_umin && has_umax && (umin == umax)) {
+ update_one (getpwuid ((uid_t)umin));
+ } else {
+ setpwent ();
+ while ( (pwent = getpwent ()) != NULL ) {
+ if ((has_umin && (pwent->pw_uid < (uid_t)umin))
+ || (has_umax && (pwent->pw_uid > (uid_t)umax))) {
+ continue;
+ }
+ update_one (pwent);
+ }
+ endpwent ();
+ }
+
+ if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) {
+ fprintf (stderr,
+ _("%s: Failed to update the lastlog file\n"),
+ Prog);
+ exit (EXIT_FAILURE);
+ }
+}
+
int main (int argc, char **argv)
{
/*
@@ -208,18 +293,24 @@ int main (int argc, char **argv)
process_root_flag ("-R", argc, argv);
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
{
int c;
static struct option const longopts[] = {
{"before", required_argument, NULL, 'b'},
+ {"clear", no_argument, NULL, 'C'},
{"help", no_argument, NULL, 'h'},
{"root", required_argument, NULL, 'R'},
+ {"set", no_argument, NULL, 'S'},
{"time", required_argument, NULL, 't'},
{"user", required_argument, NULL, 'u'},
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts,
+ while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts,
NULL)) != -1) {
switch (c) {
case 'b':
@@ -235,11 +326,21 @@ int main (int argc, char **argv)
bflg = true;
break;
}
+ case 'C':
+ {
+ Cflg = true;
+ break;
+ }
case 'h':
usage (EXIT_SUCCESS);
/*@notreached@*/break;
case 'R': /* no-op, handled in process_root_flag () */
break;
+ case 'S':
+ {
+ Sflg = true;
+ break;
+ }
case 't':
{
unsigned long days;
@@ -294,9 +395,21 @@ int main (int argc, char **argv)
Prog, argv[optind]);
usage (EXIT_FAILURE);
}
+ if (Cflg && Sflg) {
+ fprintf (stderr,
+ _("%s: Option -C cannot be used together with option -S\n"),
+ Prog);
+ usage (EXIT_FAILURE);
+ }
+ if ((Cflg || Sflg) && !uflg) {
+ fprintf (stderr,
+ _("%s: Options -C and -S require option -u to specify the user\n"),
+ Prog);
+ usage (EXIT_FAILURE);
+ }
}
- lastlogfile = fopen (LASTLOG_FILE, "r");
+ lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r");
if (NULL == lastlogfile) {
perror (LASTLOG_FILE);
exit (EXIT_FAILURE);
@@ -310,7 +423,10 @@ int main (int argc, char **argv)
exit (EXIT_FAILURE);
}
- print ();
+ if (Cflg || Sflg)
+ update ();
+ else
+ print ();
(void) fclose (lastlogfile);
diff -up shadow-4.1.5.1/src/Makefile.am.unexpire shadow-4.1.5.1/src/Makefile.am
--- shadow-4.1.5.1/src/Makefile.am.unexpire 2011-11-18 22:23:30.000000000 +0100
+++ shadow-4.1.5.1/src/Makefile.am 2016-04-28 15:09:11.027084241 +0200
@@ -90,6 +90,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID)
grpck_LDADD = $(LDADD) $(LIBSELINUX)
grpconv_LDADD = $(LDADD) $(LIBSELINUX)
grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
+lastlog_LDADD = $(LDADD) $(LIBAUDIT)
login_SOURCES = \
login.c \
login_nopam.c
diff -up shadow-4.1.5.1/src/Makefile.in.unexpire shadow-4.1.5.1/src/Makefile.in
--- shadow-4.1.5.1/src/Makefile.in.unexpire 2012-05-25 13:56:51.000000000 +0200
+++ shadow-4.1.5.1/src/Makefile.in 2016-04-28 15:09:11.027084241 +0200
@@ -162,7 +162,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1)
$(top_builddir)/lib/libshadow.la
lastlog_SOURCES = lastlog.c
lastlog_OBJECTS = lastlog.$(OBJEXT)
-lastlog_LDADD = $(LDADD)
+lastlog_LDADD = $(LDADD) $(LIBAUDIT)
lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/libmisc/libmisc.a \
$(top_builddir)/lib/libshadow.la

12
SOURCES/shadow-4.1.5.1-logmsg.patch

@ -0,0 +1,12 @@
diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100
+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100
@@ -275,7 +275,7 @@ static void fail_exit (int code)
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_FAILURE);
#endif
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
exit (code);
}

84
SOURCES/shadow-4.1.5.1-long-entry.patch

@ -0,0 +1,84 @@
diff -up shadow-4.1.5.1/lib/defines.h.long-entry shadow-4.1.5.1/lib/defines.h
--- shadow-4.1.5.1/lib/defines.h.long-entry 2011-09-18 22:44:10.000000000 +0200
+++ shadow-4.1.5.1/lib/defines.h 2018-04-24 16:34:31.261417493 +0200
@@ -382,4 +382,7 @@ extern char *strerror ();
# endif
#endif
+/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768
+
#endif /* _DEFINES_H_ */
diff -up shadow-4.1.5.1/lib/pwio.c.long-entry shadow-4.1.5.1/lib/pwio.c
--- shadow-4.1.5.1/lib/pwio.c.long-entry 2011-02-16 21:32:24.000000000 +0100
+++ shadow-4.1.5.1/lib/pwio.c 2018-04-24 16:34:31.263417454 +0200
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|| (pw->pw_gid == (gid_t)-1)
|| (valid_field (pw->pw_gecos, ":\n") == -1)
|| (valid_field (pw->pw_dir, ":\n") == -1)
- || (valid_field (pw->pw_shell, ":\n") == -1)) {
+ || (valid_field (pw->pw_shell, ":\n") == -1)
+ || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
+ strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
+ strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
return -1;
}
diff -up shadow-4.1.5.1/lib/sgetpwent.c.long-entry shadow-4.1.5.1/lib/sgetpwent.c
--- shadow-4.1.5.1/lib/sgetpwent.c.long-entry 2009-04-06 06:28:53.000000000 +0200
+++ shadow-4.1.5.1/lib/sgetpwent.c 2018-04-24 16:34:31.263417454 +0200
@@ -57,7 +57,7 @@
struct passwd *sgetpwent (const char *buf)
{
static struct passwd pwent;
- static char pwdbuf[1024];
+ static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
register int i;
register char *cp;
char *fields[NFIELDS];
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
* the password structure remain valid.
*/
- if (strlen (buf) >= sizeof pwdbuf)
+ if (strlen (buf) >= sizeof pwdbuf) {
+ fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
return 0; /* fail if too long */
+ }
strcpy (pwdbuf, buf);
/*
diff -up shadow-4.1.5.1/lib/sgetspent.c.long-entry shadow-4.1.5.1/lib/sgetspent.c
--- shadow-4.1.5.1/lib/sgetspent.c.long-entry 2009-04-12 04:46:43.000000000 +0200
+++ shadow-4.1.5.1/lib/sgetspent.c 2018-04-24 16:34:31.264417435 +0200
@@ -48,7 +48,7 @@
*/
struct spwd *sgetspent (const char *string)
{
- static char spwbuf[1024];
+ static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
static struct spwd spwd;
char *fields[FIELDS];
char *cp;
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
*/
if (strlen (string) >= sizeof spwbuf) {
+ fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
return 0; /* fail if too long */
}
strcpy (spwbuf, string);
diff -up shadow-4.1.5.1/lib/shadowio.c.long-entry shadow-4.1.5.1/lib/shadowio.c
--- shadow-4.1.5.1/lib/shadowio.c.long-entry 2011-02-16 21:32:24.000000000 +0100
+++ shadow-4.1.5.1/lib/shadowio.c 2018-04-24 16:34:31.265417416 +0200
@@ -78,7 +78,9 @@ static int shadow_put (const void *ent,
if ( (NULL == sp)
|| (valid_field (sp->sp_namp, ":\n") == -1)
- || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
+ || (valid_field (sp->sp_pwdp, ":\n") == -1)
+ || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
+ 1000 > PASSWD_ENTRY_MAX_LENGTH)) {
return -1;
}

281
SOURCES/shadow-4.1.5.1-manfix.patch

@ -0,0 +1,281 @@
diff -up shadow-4.1.5.1/man/chage.1.xml.manfix shadow-4.1.5.1/man/chage.1.xml
--- shadow-4.1.5.1/man/chage.1.xml.manfix 2012-05-25 13:45:27.000000000 +0200
+++ shadow-4.1.5.1/man/chage.1.xml 2018-04-24 16:43:48.545743715 +0200
@@ -102,6 +102,9 @@
Set the number of days since January 1st, 1970 when the password
was last changed. The date may also be expressed in the format
YYYY-MM-DD (or the format more commonly used in your area).
+ If the <replaceable>LAST_DAY</replaceable> is set to
+ <emphasis>0</emphasis> the user is forced to change his password
+ on the next log on.
</para>
</listitem>
</varlistentry>
@@ -123,6 +126,13 @@
<replaceable>EXPIRE_DATE</replaceable> will remove an account
expiration date.
</para>
+ <para>
+ For example the following command can be used
+ to set an account to expire in 180 days:
+ </para>
+ <programlisting>
+ chage -E $(date -d +180days +%Y-%m-%d)
+ </programlisting>
</listitem>
</varlistentry>
<varlistentry>
diff -up shadow-4.1.5.1/man/groupmems.8.xml.manfix shadow-4.1.5.1/man/groupmems.8.xml
--- shadow-4.1.5.1/man/groupmems.8.xml.manfix 2012-05-25 13:45:28.000000000 +0200
+++ shadow-4.1.5.1/man/groupmems.8.xml 2015-12-18 12:27:08.466909647 +0100
@@ -194,6 +194,13 @@
$ chown root.groups groupmems
$ groupmems -g groups -a gk4
</programlisting>
+
+ <para>
+ In the Red Hat Enterprise Linux 7 the <command>groupmems</command>
+ command is not setuid and regular users cannot use it to manipulate
+ the membership of their own group. This might change in future
+ major releases of the Red Hat Enterprise Linux.
+ </para>
</refsect1>
<refsect1 id='configuration'>
diff -up shadow-4.1.5.1/man/ja/man5/login.defs.5.manfix shadow-4.1.5.1/man/ja/man5/login.defs.5
--- shadow-4.1.5.1/man/ja/man5/login.defs.5.manfix 2012-05-25 13:45:27.000000000 +0200
+++ shadow-4.1.5.1/man/ja/man5/login.defs.5 2015-12-18 12:34:08.080715842 +0100
@@ -147,10 +147,6 @@ 以下の参照表は、
shadow パスワード機能のどのプログラムが
どのパラメータを使用するかを示したものである。
.na
-.IP chfn 12
-CHFN_AUTH CHFN_RESTRICT
-.IP chsh 12
-CHFN_AUTH
.IP groupadd 12
GID_MAX GID_MIN
.IP newusers 12
diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml
--- shadow-4.1.5.1/man/login.defs.5.xml.manfix 2012-05-25 13:45:28.000000000 +0200
+++ shadow-4.1.5.1/man/login.defs.5.xml 2014-08-29 13:31:38.364812323 +0200
@@ -160,6 +160,17 @@
long numeric parameters is machine-dependent.
</para>
+ <para>
+ Please note that the parameters in this configuration file control the
+ behavior of the tools from the shadow-utils component. None of these
+ tools uses the PAM mechanism, and the utilities that use PAM (such as the
+ passwd command) should be configured elsewhere. The only values that
+ affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
+ for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
+ and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
+ pam(8) for more information.
+ </para>
+
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
@@ -248,26 +258,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>chfn</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
- CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>chgpasswd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>chpasswd</term>
<listitem>
<para>
@@ -278,14 +268,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry condition="no_pam">
- <term>chsh</term>
- <listitem>
- <para>
- CHSH_AUTH LOGIN_STRING
- </para>
- </listitem>
- </varlistentry>
<!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
<!-- faillog: no variables -->
<varlistentry>
@@ -346,34 +328,6 @@
</varlistentry>
<!-- id: no variables -->
<!-- lastlog: no variables -->
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
<!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
@@ -399,17 +353,6 @@
</listitem>
</varlistentry>
<!-- nologin: no variables -->
- <varlistentry condition="no_pam">
- <term>passwd</term>
- <listitem>
- <para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
- <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
- SHA_CRYPT_MIN_ROUNDS</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>pwck</term>
<listitem>
@@ -436,32 +379,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>
diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml
--- shadow-4.1.5.1/man/useradd.8.xml.manfix 2015-12-17 14:05:47.930742412 +0100
+++ shadow-4.1.5.1/man/useradd.8.xml 2015-12-17 14:05:47.945742754 +0100
@@ -134,8 +134,8 @@
<replaceable>HOME_DIR</replaceable> is not specified.
<replaceable>BASE_DIR</replaceable> is
concatenated with the account name to define the home directory.
- If the <option>-m</option> option is not used,
- <replaceable>BASE_DIR</replaceable> must exist.
+ The <replaceable>BASE_DIR</replaceable> must exist otherwise
+ the home directory cannot be created.
</para>
<para>
If this option is not specified, <command>useradd</command>
@@ -161,7 +161,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>-d</option>, <option>--home</option>
+ <option>-d</option>, <option>--home-dir</option>
<replaceable>HOME_DIR</replaceable>
</term>
<listitem>
@@ -171,8 +171,7 @@
login directory. The default is to append the
<replaceable>LOGIN</replaceable> name to
<replaceable>BASE_DIR</replaceable> and use that as the login
- directory name. The directory <replaceable>HOME_DIR</replaceable>
- does not have to exist but will not be created if it is missing.
+ directory name.
</para>
</listitem>
</varlistentry>
@@ -358,11 +357,16 @@
<option>CREATE_HOME</option> is not enabled, no home
directories are created.
</para>
+ <para>
+ The directory where the user's home directory is created must
+ exist and have proper SELinux context and permissions. Otherwise
+ the user's home directory cannot be created or accessed.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <option>-M</option>
+ <option>-M</option>, <option>--no-create-home</option>
</term>
<listitem>
<para>
diff -up shadow-4.1.5.1/man/usermod.8.xml.manfix shadow-4.1.5.1/man/usermod.8.xml
--- shadow-4.1.5.1/man/usermod.8.xml.manfix 2012-05-25 13:45:29.000000000 +0200
+++ shadow-4.1.5.1/man/usermod.8.xml 2014-08-29 13:33:40.814632618 +0200
@@ -132,7 +132,8 @@
If the <option>-m</option>
option is given, the contents of the current home directory will
be moved to the new home directory, which is created if it does
- not already exist.
+ not already exist. If the current home directory does not exist
+ the new home directory will not be created.
</para>
</listitem>
</varlistentry>
@@ -261,7 +262,8 @@
<listitem>
<para>
Move the content of the user's home directory to the new
- location.
+ location. If the current home directory does not exist
+ the new home directory will not be created.
</para>
<para>
This option is only valid in combination with the

27
SOURCES/shadow-4.1.5.1-merge-group.patch

@ -0,0 +1,27 @@
diff -up shadow-4.1.5.1/lib/groupio.c.merge-group shadow-4.1.5.1/lib/groupio.c
--- shadow-4.1.5.1/lib/groupio.c.merge-group 2011-02-16 21:32:24.000000000 +0100
+++ shadow-4.1.5.1/lib/groupio.c 2013-01-29 13:56:43.049275513 +0100
@@ -330,12 +330,12 @@ static /*@null@*/struct commonio_entry *
/* Concatenate the 2 lines */
new_line_len = strlen (gr1->line) + strlen (gr2->line) +1;
- new_line = (char *)malloc ((new_line_len + 1) * sizeof(char*));
+ new_line = (char *)malloc (new_line_len + 1);
if (NULL == new_line) {
errno = ENOMEM;
return NULL;
}
- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
new_line[new_line_len] = '\0';
/* Concatenate the 2 list of members */
@@ -353,7 +353,7 @@ static /*@null@*/struct commonio_entry *
members++;
}
}
- new_members = (char **)malloc ( (members+1) * sizeof(char*) );
+ new_members = (char **)calloc (members+1, sizeof(char*));
if (NULL == new_members) {
free (new_line);
errno = ENOMEM;

15
SOURCES/shadow-4.1.5.1-move-home.patch

@ -0,0 +1,15 @@
diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c
--- shadow-4.1.5.1/src/usermod.c.move-home 2014-08-29 13:31:38.000000000 +0200
+++ shadow-4.1.5.1/src/usermod.c 2014-08-29 14:14:13.860671177 +0200
@@ -1571,6 +1571,11 @@ static void move_home (void)
Prog, user_home, user_newhome);
fail_exit (E_HOMEDIR);
}
+ } else {
+ fprintf (stderr,
+ _("%s: The previous home directory (%s) does "
+ "not exist or is inaccessible. Move cannot be completed.\n"),
+ Prog, user_home);
}
}

86
SOURCES/shadow-4.1.5.1-null-tm.patch

@ -0,0 +1,86 @@
diff -up shadow-4.1.5.1/src/faillog.c.null-tm shadow-4.1.5.1/src/faillog.c
--- shadow-4.1.5.1/src/faillog.c.null-tm 2011-11-19 23:54:47.000000000 +0100
+++ shadow-4.1.5.1/src/faillog.c 2016-06-14 11:54:58.582314219 +0200
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
}
tm = localtime (&fl.fail_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+ cp = ptime;
#endif
+ }
printf ("%-9s %5d %5d ",
pw->pw_name, fl.fail_cnt, fl.fail_max);
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
diff -up shadow-4.1.5.1/src/chage.c.null-tm shadow-4.1.5.1/src/chage.c
--- shadow-4.1.5.1/src/chage.c.null-tm 2016-05-04 13:44:55.639787900 +0200
+++ shadow-4.1.5.1/src/chage.c 2016-06-14 11:54:58.583314243 +0200
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
struct tm *tp;
tp = gmtime (&date);
+ if (tp == NULL) {
+ (void) snprintf (buf, maxsize, "(unknown)");
+ return;
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
#else
diff -up shadow-4.1.5.1/src/lastlog.c.null-tm shadow-4.1.5.1/src/lastlog.c
--- shadow-4.1.5.1/src/lastlog.c.null-tm 2016-05-04 13:44:55.647788082 +0200
+++ shadow-4.1.5.1/src/lastlog.c 2016-06-14 11:54:58.584314267 +0200
@@ -165,13 +165,17 @@ static void print_one (/*@null@*/const s
ll_time = ll.ll_time;
tm = localtime (&ll_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+ cp = ptime;
#else
- cp = asctime (tm);
- cp[24] = '\0';
+ cp = asctime (tm);
+ cp[24] = '\0';
#endif
+ }
if (ll.ll_time == (time_t) 0) {
cp = _("**Never logged in**\0");
diff -up shadow-4.1.5.1/src/passwd.c.null-tm shadow-4.1.5.1/src/passwd.c
--- shadow-4.1.5.1/src/passwd.c.null-tm 2016-05-04 13:44:55.634787787 +0200
+++ shadow-4.1.5.1/src/passwd.c 2016-06-14 11:54:58.584314267 +0200
@@ -438,6 +438,9 @@ static /*@observer@*/const char *date_to
struct tm *tm;
tm = gmtime (&t);
+ if (tm == NULL) {
+ return "(unknown)";
+ }
#ifdef HAVE_STRFTIME
(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
#else /* !HAVE_STRFTIME */
diff -up shadow-4.1.5.1/src/usermod.c.null-tm shadow-4.1.5.1/src/usermod.c
--- shadow-4.1.5.1/src/usermod.c.null-tm 2016-05-04 13:44:55.648788104 +0200
+++ shadow-4.1.5.1/src/usermod.c 2016-06-14 11:54:58.585314291 +0200
@@ -186,6 +186,10 @@ static void date_to_str (/*@unique@*//*@
} else {
time_t t = (time_t) date;
tp = gmtime (&t);
+ if (tp == NULL) {
+ strncpy (buf, "unknown", maxsize);
+ return;
+ }
#ifdef HAVE_STRFTIME
strftime (buf, maxsize, "%Y-%m-%d", tp);
#else

128
SOURCES/shadow-4.1.5.1-orig-context.patch

@ -0,0 +1,128 @@
diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c
--- shadow-4.1.5.1/lib/commonio.c.orig-context 2012-09-19 20:27:16.000000000 +0200
+++ shadow-4.1.5.1/lib/commonio.c 2013-02-20 15:20:55.064962324 +0100
@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s-", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db *
snprintf (buf, sizeof buf, "%s+", db->filename);
#ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (buf, db->filename) != 0) {
errors++;
}
#endif
diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c
--- shadow-4.1.5.1/libmisc/copydir.c.orig-context 2012-02-13 20:16:32.000000000 +0100
+++ shadow-4.1.5.1/libmisc/copydir.c 2013-02-20 15:19:01.495623232 +0100
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
*/
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
free (oldlink);
return -1;
}
@@ -684,7 +684,7 @@ static int copy_special (const char *src
int err = 0;
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
return -1;
}
#ifdef WITH_SELINUX
- if (set_selinux_file_context (dst) != 0) {
+ if (set_selinux_file_context (dst, NULL) != 0) {
return -1;
}
#endif /* WITH_SELINUX */
diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h
--- shadow-4.1.5.1/lib/prototypes.h.orig-context 2012-01-08 17:04:29.000000000 +0100
+++ shadow-4.1.5.1/lib/prototypes.h 2013-02-20 15:24:17.251126575 +0100
@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m
/* selinux.c */
#ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
extern int reset_selinux_file_context (void);
#endif
diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c
--- shadow-4.1.5.1/lib/selinux.c.orig-context 2012-01-08 17:35:44.000000000 +0100
+++ shadow-4.1.5.1/lib/selinux.c 2013-02-20 15:16:40.383716877 +0100
@@ -50,7 +50,7 @@ static bool selinux_enabled;
* Callers may have to Reset SELinux to create files with default
* contexts with reset_selinux_file_context
*/
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
{
/*@null@*/security_context_t scontext = NULL;
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
if (selinux_enabled) {
/* Get the default security context for this file */
if (matchpathcon (dst_name, 0, &scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
+ /* We could not get the default, copy the original */
+ if (orig_name == NULL)
+ goto error;
+ if (getfilecon (orig_name, &scontext) < 0)
+ goto error;
}
/* Set the security context for the next created file */
- if (setfscreatecon (scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
- }
+ if (setfscreatecon (scontext) < 0)
+ goto error;
freecon (scontext);
}
return 0;
+ error:
+ if (security_getenforce () != 0) {
+ return 1;
+ }
+ return 0;
}
/*
diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c
--- shadow-4.1.5.1/src/useradd.c.orig-context 2012-09-19 20:23:33.000000000 +0200
+++ shadow-4.1.5.1/src/useradd.c 2013-02-20 15:19:31.221235459 +0100
@@ -1759,7 +1759,7 @@ static void create_home (void)
{
if (access (user_home, F_OK) != 0) {
#ifdef WITH_SELINUX
- if (set_selinux_file_context (user_home) != 0) {
+ if (set_selinux_file_context (user_home, NULL) != 0) {
fail_exit (E_HOMEDIR);
}
#endif

289
SOURCES/shadow-4.1.5.1-selinux-perms.patch

@ -0,0 +1,289 @@
diff -up shadow-4.1.5.1/src/chgpasswd.c.selinux-perms shadow-4.1.5.1/src/chgpasswd.c
--- shadow-4.1.5.1/src/chgpasswd.c.selinux-perms 2016-05-04 13:44:55.633787764 +0200
+++ shadow-4.1.5.1/src/chgpasswd.c 2016-05-30 12:01:30.421587253 +0200
@@ -39,6 +39,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
@@ -76,6 +83,9 @@ static bool sgr_locked = false;
#endif
static bool gr_locked = false;
+/* The name of the caller */
+static char *myname = NULL;
+
/* local function prototypes */
static void fail_exit (int code);
static /*@noreturn@*/void usage (int status);
@@ -300,6 +310,63 @@ static void check_perms (void)
#endif /* ACCT_TOOLS_SETUID */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the group databases
*/
@@ -393,6 +460,7 @@ int main (int argc, char **argv)
const struct group *gr;
struct group newgr;
+ struct passwd *pw = NULL;
int errors = 0;
int line = 0;
@@ -408,8 +476,33 @@ int main (int argc, char **argv)
OPENLOG ("chgpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
+ /*
+ * Determine the name of the user that invoked this command. This
+ * is really hit or miss because there are so many ways that command
+ * can be executed and so many ways to trip up the routines that
+ * report the user name.
+ */
+ pw = get_my_pwent ();
+ if (NULL == pw) {
+ fprintf (stderr, _("%s: Cannot determine your user name.\n"),
+ Prog);
+ SYSLOG ((LOG_WARN,
+ "Cannot determine the user name of the caller (UID %lu)",
+ (unsigned long) getuid ()));
+ exit (E_NOPERM);
+ }
+ myname = xstrdup (pw->pw_name);
+
check_perms ();
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#endif
@@ -533,6 +626,15 @@ int main (int argc, char **argv)
newgr.gr_passwd = cp;
}
+#ifdef WITH_AUDIT
+ {
+
+ audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+ "change-password",
+ myname, AUDIT_NO_ID, gr->gr_name,
+ SHADOW_AUDIT_SUCCESS);
+ }
+#endif
/*
* The updated group file entry is then put back and will
* be written to the group file later, after all the
diff -up shadow-4.1.5.1/src/chpasswd.c.selinux-perms shadow-4.1.5.1/src/chpasswd.c
--- shadow-4.1.5.1/src/chpasswd.c.selinux-perms 2016-05-04 13:44:55.633787764 +0200
+++ shadow-4.1.5.1/src/chpasswd.c 2016-05-30 12:01:42.877859957 +0200
@@ -39,6 +39,13 @@
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#endif
+#ifdef WITH_LIBAUDIT
+#include <libaudit.h>
+#endif
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
@@ -297,6 +304,63 @@ static void check_perms (void)
#endif /* USE_PAM */
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef WITH_AUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ goto ret;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap);
+ return 0;
+}
+
+static void
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ exit(1);
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ if (status != 0 && security_getenforce() != 0)
+ exit(1);
+}
+#endif
+
/*
* open_files - lock and open the password databases
*/
@@ -405,8 +469,16 @@ int main (int argc, char **argv)
OPENLOG ("chpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
check_perms ();
+#ifdef WITH_SELINUX
+ selinux_check_root ();
+#endif
+
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
@@ -563,6 +635,11 @@ int main (int argc, char **argv)
newpw.pw_passwd = cp;
}
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "updating-password",
+ pw->pw_name, (unsigned int) pw->pw_uid, 1);
+#endif
/*
* The updated password file entry is then put back and will
* be written to the password file later, after all the
diff -up shadow-4.1.5.1/src/Makefile.am.selinux-perms shadow-4.1.5.1/src/Makefile.am
--- shadow-4.1.5.1/src/Makefile.am.selinux-perms 2016-05-04 13:44:55.647788082 +0200
+++ shadow-4.1.5.1/src/Makefile.am 2016-05-27 16:04:49.446582632 +0200
@@ -79,9 +79,9 @@ endif
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
diff -up shadow-4.1.5.1/src/Makefile.in.selinux-perms shadow-4.1.5.1/src/Makefile.in
--- shadow-4.1.5.1/src/Makefile.in.selinux-perms 2016-05-04 13:44:55.647788082 +0200
+++ shadow-4.1.5.1/src/Makefile.in 2016-05-27 16:04:49.447582654 +0200
@@ -437,9 +437,9 @@ AM_CPPFLAGS = -DLOCALEDIR=\"$(datadir)/l
@USE_PAM_TRUE@LIBCRYPT_NOPAM =
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

99
SOURCES/shadow-4.1.5.1-selinux.patch

@ -0,0 +1,99 @@
diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c
--- shadow-4.1.5.1/lib/semanage.c.selinux 2012-01-08 17:35:44.000000000 +0100
+++ shadow-4.1.5.1/lib/semanage.c 2014-09-10 10:11:55.417506128 +0200
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c
--- shadow-4.1.5.1/src/useradd.c.selinux 2014-09-10 10:10:18.791280619 +0200
+++ shadow-4.1.5.1/src/useradd.c 2014-09-10 10:10:18.798280781 +0200
@@ -1850,6 +1850,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2037,10 +2038,33 @@ int main (int argc, char **argv)
usr_update ();
+ close_files ();
+
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
+#ifdef WITH_SELINUX
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+#endif /* WITH_AUDIT */
+ rv = E_SE_UPDATE;
+ }
+ }
+ }
+#endif
+
if (mflg) {
create_home ();
if (home_added) {
- copy_tree (def_template, user_home, false, false,
+ copy_tree (def_template, user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid);
} else {
fprintf (stderr,
@@ -2056,27 +2080,6 @@ int main (int argc, char **argv)
create_mail ();
}
- close_files ();
-
-#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
- }
- }
-#endif /* WITH_SELINUX */
-
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
-
- return E_SUCCESS;
+ return rv;
}

15
SOURCES/shadow-4.1.5.1-userdel-helpfix.patch

@ -0,0 +1,15 @@
diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c
--- shadow-4.1.5.1/src/userdel.c.userdel 2012-05-25 13:51:55.000000000 +0200
+++ shadow-4.1.5.1/src/userdel.c 2014-02-12 11:40:30.707686132 +0100
@@ -130,8 +130,9 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -f, --force force removal of files,\n"
- " even if not owned by user\n"),
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
+ " e.g. removal of user still logged in\n"
+ " or files, even if not owned by the user\n"),
usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);

63
SOURCES/shadow-4.1.5.1-usermod-passwd.patch

@ -0,0 +1,63 @@
diff -up shadow-4.1.5.1/src/usermod.c.passwd shadow-4.1.5.1/src/usermod.c
--- shadow-4.1.5.1/src/usermod.c.passwd 2015-12-17 14:05:47.959743073 +0100
+++ shadow-4.1.5.1/src/usermod.c 2015-12-18 12:42:28.290405529 +0100
@@ -360,14 +360,17 @@ static char *new_pw_passwd (char *pw_pas
strcat (buf, pw_pass);
pw_pass = buf;
} else if (Uflg && pw_pass[0] == '!') {
- char *s;
+ char *s = pw_pass;
- if (pw_pass[1] == '\0') {
+ while ('!' == *s)
+ ++s;
+
+ if (*s == '\0') {
fprintf (stderr,
_("%s: unlocking the user's password would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user's password.\n"),
Prog);
- return pw_pass;
+ return NULL;
}
#ifdef WITH_AUDIT
@@ -376,12 +379,15 @@ static char *new_pw_passwd (char *pw_pas
user_newname, (unsigned int) user_newid, 1);
#endif
SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
- s = pw_pass;
- while ('\0' != *s) {
- *s = *(s + 1);
- s++;
- }
+ memmove (pw_pass, s, strlen (s) + 1);
} else if (pflg) {
+ if (strchr (user_pass, ':') != NULL) {
+ fprintf (stderr,
+ _("%s: The password field cannot contain a colon character.\n"),
+ Prog);
+ return NULL;
+
+ }
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"updating-password",
@@ -430,6 +436,8 @@ static void new_pwent (struct passwd *pw
if ( (!is_shadow_pwd)
|| (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
+ if (pwent->pw_passwd == NULL)
+ fail_exit (E_PW_UPDATE);
}
if (uflg) {
@@ -544,6 +552,8 @@ static void new_spent (struct spwd *spen
* + aging has been requested
*/
spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
+ if (spent->sp_pwdp == NULL)
+ fail_exit(E_PW_UPDATE);
if (pflg) {
spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;

72
SOURCES/shadow-utils.login.defs

@ -0,0 +1,72 @@
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

9
SOURCES/shadow-utils.useradd

@ -0,0 +1,9 @@
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

1086
SPECS/shadow-utils.spec

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save