From 9746faa35dbdc52b41b7c9f88b89f5071bc0a12e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 11 2022 18:37:27 +0000 Subject: import shadow-utils-4.9-3.el9 --- diff --git a/SOURCES/shadow-4.9-getsubids.patch b/SOURCES/shadow-4.9-getsubids.patch new file mode 100644 index 0000000..b9f2449 --- /dev/null +++ b/SOURCES/shadow-4.9-getsubids.patch @@ -0,0 +1,245 @@ +diff -up shadow-4.9/man/getsubids.1.xml.getsubids shadow-4.9/man/getsubids.1.xml +--- shadow-4.9/man/getsubids.1.xml.getsubids 2021-11-18 16:27:33.951053120 +0100 ++++ shadow-4.9/man/getsubids.1.xml 2021-11-18 16:27:33.951053120 +0100 +@@ -0,0 +1,141 @@ ++ ++ ++ ++]> ++ ++ ++ ++ ++ Iker ++ Pedrosa ++ Creation, 2021 ++ ++ ++ ++ getsubids ++ 1 ++ User Commands ++ shadow-utils ++ &SHADOW_UTILS_VERSION; ++ ++ ++ getsubids ++ get the subordinate id ranges for a user ++ ++ ++ ++ ++ getsubids ++ ++ options ++ ++ ++ USER ++ ++ ++ ++ ++ ++ DESCRIPTION ++ ++ The getsubids command lists the subordinate user ID ++ ranges for a given user. The subordinate group IDs can be listed using ++ the option. ++ ++ ++ ++ ++ OPTIONS ++ ++ The options which apply to the getsubids command are: ++ ++ ++ ++ ++ ++ ++ ++ ++ List the subordinate group ID ranges. ++ ++ ++ ++ ++ ++ ++ ++ EXAMPLE ++ ++ For example, to obtain the subordinate UIDs of the testuser: ++ ++ ++ ++$ getsubids testuser ++0: testuser 100000 65536 ++ ++ ++ ++ This command output provides (in order from left to right) the list ++ index, username, UID range start, and number of UIDs in range. ++ ++ ++ ++ ++ SEE ALSO ++ ++ ++ login.defs5 ++ , ++ ++ newgidmap1 ++ , ++ ++ newuidmap1 ++ , ++ ++ subgid5 ++ , ++ ++ subuid5 ++ , ++ ++ useradd8 ++ , ++ ++ userdel8 ++ . ++ ++ usermod8 ++ , ++ ++ ++ +diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am +--- shadow-4.9/man/Makefile.am.getsubids 2021-07-22 23:55:35.000000000 +0200 ++++ shadow-4.9/man/Makefile.am 2021-11-18 16:27:33.951053120 +0100 +@@ -62,6 +62,7 @@ man_MANS += $(man_nopam) + endif + + man_subids = \ ++ man1/getsubids.1 \ + man1/newgidmap.1 \ + man1/newuidmap.1 \ + man5/subgid.5 \ +@@ -80,6 +81,7 @@ man_XMANS = \ + expiry.1.xml \ + faillog.5.xml \ + faillog.8.xml \ ++ getsubids.1.xml \ + gpasswd.1.xml \ + groupadd.8.xml \ + groupdel.8.xml \ +diff -up shadow-4.9/src/getsubids.c.getsubids shadow-4.9/src/getsubids.c +--- shadow-4.9/src/getsubids.c.getsubids 2021-11-18 16:27:33.951053120 +0100 ++++ shadow-4.9/src/getsubids.c 2021-11-18 16:27:33.951053120 +0100 +@@ -0,0 +1,46 @@ ++#include ++#include ++#include ++#include "subid.h" ++#include "prototypes.h" ++ ++const char *Prog; ++FILE *shadow_logfd = NULL; ++ ++void usage(void) ++{ ++ fprintf(stderr, "Usage: %s [-g] user\n", Prog); ++ fprintf(stderr, " list subuid ranges for user\n"); ++ fprintf(stderr, " pass -g to list subgid ranges\n"); ++ exit(EXIT_FAILURE); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ int i, count=0; ++ struct subid_range *ranges; ++ const char *owner; ++ ++ Prog = Basename (argv[0]); ++ shadow_logfd = stderr; ++ if (argc < 2) ++ usage(); ++ owner = argv[1]; ++ if (argc == 3 && strcmp(argv[1], "-g") == 0) { ++ owner = argv[2]; ++ count = get_subgid_ranges(owner, &ranges); ++ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) { ++ usage(); ++ } else { ++ count = get_subuid_ranges(owner, &ranges); ++ } ++ if (!ranges) { ++ fprintf(stderr, "Error fetching ranges\n"); ++ exit(1); ++ } ++ for (i = 0; i < count; i++) { ++ printf("%d: %s %lu %lu\n", i, owner, ++ ranges[i].start, ranges[i].count); ++ } ++ return 0; ++} +diff -up shadow-4.9/src/list_subid_ranges.c.getsubids shadow-4.9/src/list_subid_ranges.c +diff -up shadow-4.9/src/Makefile.am.getsubids shadow-4.9/src/Makefile.am +--- shadow-4.9/src/Makefile.am.getsubids 2021-11-18 16:27:33.943053061 +0100 ++++ shadow-4.9/src/Makefile.am 2021-11-18 16:28:03.647272392 +0100 +@@ -157,8 +157,8 @@ if FCAPS + setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap + endif + +-noinst_PROGRAMS += list_subid_ranges \ +- get_subid_owners \ ++bin_PROGRAMS += getsubids ++noinst_PROGRAMS += get_subid_owners \ + new_subid_range \ + free_subid_range \ + check_subid_range +@@ -174,13 +174,13 @@ MISCLIBS = \ + $(LIBCRYPT) \ + $(LIBTCB) + +-list_subid_ranges_LDADD = \ ++getsubids_LDADD = \ + $(top_builddir)/lib/libshadow.la \ + $(top_builddir)/libmisc/libmisc.la \ + $(top_builddir)/libsubid/libsubid.la \ + $(MISCLIBS) -ldl + +-list_subid_ranges_CPPFLAGS = \ ++getsubids_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ + -I$(top_srcdir)/libsubid diff --git a/SOURCES/shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch b/SOURCES/shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch new file mode 100644 index 0000000..658156a --- /dev/null +++ b/SOURCES/shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch @@ -0,0 +1,13 @@ +diff -up shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist shadow-4.9/libmisc/prefix_flag.c +--- shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist 2021-11-19 09:21:36.997091941 +0100 ++++ shadow-4.9/libmisc/prefix_flag.c 2021-11-19 09:22:19.001341010 +0100 +@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent() + if(!passwd_db_file) { + return getpwent(); + } ++ if (!fp_pwent) { ++ return NULL; ++ } + return fgetpwent(fp_pwent); + } + extern void prefix_endpwent() diff --git a/SOURCES/shadow-4.9-move-create-home.patch b/SOURCES/shadow-4.9-move-create-home.patch index 94bb84c..0ed6ea7 100644 --- a/SOURCES/shadow-4.9-move-create-home.patch +++ b/SOURCES/shadow-4.9-move-create-home.patch @@ -1,8 +1,22 @@ +From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Fri, 8 Oct 2021 13:09:59 +0200 +Subject: [PATCH] useradd: create directories after the SELinux user + +Create the home and mail folders after the SELinux user has been set for +the added user. This will allow the folders to be created with the +SELinux user label. + +Signed-off-by: Iker Pedrosa +--- + src/useradd.c | 46 +++++++++++++++++++++++----------------------- + 1 file changed, 23 insertions(+), 23 deletions(-) + diff --git a/src/useradd.c b/src/useradd.c -index baeffb35..02e1402c 100644 +index 6269c01c..b463a170 100644 --- a/src/useradd.c +++ b/src/useradd.c -@@ -2644,27 +2644,12 @@ int main (int argc, char **argv) +@@ -2670,27 +2670,12 @@ int main (int argc, char **argv) usr_update (); @@ -34,17 +48,14 @@ index baeffb35..02e1402c 100644 /* * tallylog_reset needs to be able to lookup * a valid existing user name, -@@ -2695,9 +2680,24 @@ int main (int argc, char **argv) - exit(1); +@@ -2716,15 +2701,30 @@ int main (int argc, char **argv) } + #endif /* WITH_SELINUX */ -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + if (mflg) { + create_home (); + if (home_added) { -+ copy_tree (def_template, prefix_user_home, false, true, ++ copy_tree (def_template, prefix_user_home, false, false, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, @@ -59,6 +70,19 @@ index baeffb35..02e1402c 100644 + if (!rflg) { + create_mail (); + } ++ + if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name, + "useradd")) { + exit(1); + } +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); +- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); +- return E_SUCCESS; } + +-- +2.31.1 + diff --git a/SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch b/SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch new file mode 100644 index 0000000..49332a1 --- /dev/null +++ b/SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch @@ -0,0 +1,35 @@ +From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 10 Nov 2021 12:02:04 +0100 +Subject: [PATCH] newgrp: fix segmentation fault + +Fix segmentation fault in newgrp when xgetspnam() returns a NULL value +that is immediately freed. + +The error was committed in +https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57 + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553 + +Signed-off-by: Iker Pedrosa +--- + src/newgrp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/newgrp.c b/src/newgrp.c +index 730f47e8..566f1c89 100644 +--- a/src/newgrp.c ++++ b/src/newgrp.c +@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp, + spwd = xgetspnam (pwd->pw_name); + if (NULL != spwd) { + pwd->pw_passwd = xstrdup (spwd->sp_pwdp); ++ spw_free (spwd); + } +- spw_free (spwd); + + if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) { + needspasswd = true; +-- +2.31.1 + diff --git a/SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch b/SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch new file mode 100644 index 0000000..e7761b7 --- /dev/null +++ b/SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch @@ -0,0 +1,30 @@ +From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Mon, 15 Nov 2021 12:40:15 +0100 +Subject: [PATCH] pwck: fix segfault when calling fprintf() + +As shadow_logfd variable is not set at the beginning of the program if +something fails and fprintf() is called a segmentation fault happens. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339 + +Signed-off-by: Iker Pedrosa +--- + src/pwck.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/pwck.c b/src/pwck.c +index 4248944a..4ce86af2 100644 +--- a/src/pwck.c ++++ b/src/pwck.c +@@ -857,6 +857,7 @@ int main (int argc, char **argv) + * Get my name so that I can use it to report errors. + */ + Prog = Basename (argv[0]); ++ shadow_logfd = stderr; + + (void) setlocale (LC_ALL, ""); + (void) bindtextdomain (PACKAGE, LOCALEDIR); +-- +2.31.1 + diff --git a/SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch b/SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch new file mode 100644 index 0000000..e8251f2 --- /dev/null +++ b/SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch @@ -0,0 +1,30 @@ +From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Sat, 14 Aug 2021 19:37:24 -0500 +Subject: [PATCH] Revert "useradd.c:fix memleaks of grp" + +In some cases, the value which was being freed is not actually +safe to free. + +Closes #394 + +This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5. +--- + src/useradd.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/useradd.c b/src/useradd.c +index f90127cd..0d3f390d 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -413,7 +413,6 @@ static void get_defaults (void) + } else { + def_group = grp->gr_gid; + def_gname = xstrdup (grp->gr_name); +- gr_free(grp); + } + } + +-- +2.31.1 + diff --git a/SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch b/SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch new file mode 100644 index 0000000..11a23e4 --- /dev/null +++ b/SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch @@ -0,0 +1,61 @@ +From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Fri, 8 Oct 2021 13:13:13 +0200 +Subject: [PATCH] semanage: close the selabel handle + +Close the selabel handle to update the file_context. This means that the +file_context will be remmaped and used by selabel_lookup() to return +the appropriate context to label the home folder. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081 + +Signed-off-by: Iker Pedrosa +--- + lib/prototypes.h | 1 + + lib/selinux.c | 5 +++++ + lib/semanage.c | 1 + + 3 files changed, 7 insertions(+) + +diff --git a/lib/prototypes.h b/lib/prototypes.h +index 1d1586d4..b697e0ec 100644 +--- a/lib/prototypes.h ++++ b/lib/prototypes.h +@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const + /* selinux.c */ + #ifdef WITH_SELINUX + extern int set_selinux_file_context (const char *dst_name, mode_t mode); ++extern void reset_selinux_handle (void); + extern int reset_selinux_file_context (void); + extern int check_selinux_permit (const char *perm_name); + #endif +diff --git a/lib/selinux.c b/lib/selinux.c +index c83545f9..b075d4c0 100644 +--- a/lib/selinux.c ++++ b/lib/selinux.c +@@ -50,6 +50,11 @@ static void cleanup(void) + } + } + ++void reset_selinux_handle (void) ++{ ++ cleanup(); ++} ++ + /* + * set_selinux_file_context - Set the security context before any file or + * directory creation. +diff --git a/lib/semanage.c b/lib/semanage.c +index 0d30456a..a5bf9218 100644 +--- a/lib/semanage.c ++++ b/lib/semanage.c +@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name) + } + + ret = 0; ++ reset_selinux_handle(); + + done: + semanage_seuser_key_free (key); +-- +2.31.1 + diff --git a/SOURCES/shadow-4.9-useradd-copy-tree-argument.patch b/SOURCES/shadow-4.9-useradd-copy-tree-argument.patch new file mode 100644 index 0000000..f6b9827 --- /dev/null +++ b/SOURCES/shadow-4.9-useradd-copy-tree-argument.patch @@ -0,0 +1,13 @@ +diff --git a/src/useradd.c b/src/useradd.c +index b463a170..f7c97958 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -2704,7 +2704,7 @@ int main (int argc, char **argv) + if (mflg) { + create_home (); + if (home_added) { +- copy_tree (def_template, prefix_user_home, false, false, ++ copy_tree (def_template, prefix_user_home, false, true, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec index e9cb766..aa46a17 100644 --- a/SPECS/shadow-utils.spec +++ b/SPECS/shadow-utils.spec @@ -1,8 +1,9 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.9 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 +License: BSD and GPLv2+ URL: https://github.com/shadow-maint/shadow Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc @@ -20,7 +21,7 @@ Source6: shadow-utils.HOME_MODE.xml Patch0: shadow-4.9-redhat.patch # Be more lenient with acceptable user/group names - non upstreamable Patch1: shadow-4.8-goodname.patch -# Move create home to the end of main - upstreamability unknown +# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Patch2: shadow-4.9-move-create-home.patch # SElinux related - upstreamability unknown Patch3: shadow-4.9-default-range.patch @@ -52,20 +53,46 @@ Patch15: shadow-4.9-usermod-allow-all-group-types.patch Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch # https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch +# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545 +Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch +# https://github.com/shadow-maint/shadow/commit/4624e9fca1b02b64e25e8b2280a0186182ab73ba +Patch19: shadow-4.9-revert-useradd-fix-memleak.patch +# https://github.com/shadow-maint/shadow/commit/06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2 +Patch20: shadow-4.9-useradd-copy-tree-argument.patch +# https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f +Patch21: shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch +# https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948 +Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch +# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734 +Patch23: shadow-4.9-getsubids.patch +# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83 +Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch + +### Dependencies ### +Requires: audit-libs >= 1.6.5 +Requires: libselinux >= 1.25.2-1 +Requires: setup -License: BSD and GPLv2+ -BuildRequires: make +### Build Dependencies ### +BuildRequires: audit-libs-devel >= 1.6.5 +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison +BuildRequires: docbook-dtds +BuildRequires: docbook-style-xsl +BuildRequires: flex BuildRequires: gcc +BuildRequires: gettext-devel +BuildRequires: itstool +BuildRequires: libacl-devel +BuildRequires: libattr-devel BuildRequires: libselinux-devel >= 1.25.2-1 -BuildRequires: audit-libs-devel >= 1.6.5 BuildRequires: libsemanage-devel -BuildRequires: libacl-devel, libattr-devel -BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds -BuildRequires: autoconf, automake, libtool, gettext-devel -BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool -Requires: libselinux >= 1.25.2-1 -Requires: audit-libs >= 1.6.5 -Requires: setup +BuildRequires: libtool +BuildRequires: libxslt +BuildRequires: make + +### Provides ### Provides: shadow = %{epoch}:%{version}-%{release} %description @@ -117,6 +144,13 @@ Development files for shadow-utils-subid. %patch15 -p1 -b .usermod-allow-all-group-types %patch16 -p1 -b .useradd-avoid-generating-empty-subid-range %patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds +%patch18 -p1 -b .semanage-close-the-selabel-handle +%patch19 -p1 -b .revert-useradd-fix-memleak +%patch20 -p1 -b .useradd-copy-tree-argument +%patch21 -p1 -b .pwck-fix-segfault-when-calling-fprintf +%patch22 -p1 -b .newgrp-fix-segmentation-fault +%patch23 -p1 -b .getsubids +%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -279,12 +313,23 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %files subid %{_libdir}/libsubid.so.* +%{_bindir}/getsubids +%{_mandir}/man1/getsubids.1* %files subid-devel %{includesubiddir}/subid.h %{_libdir}/libsubid.so %changelog +* Thu Dec 2 2021 Iker Pedrosa - 2:4.9-3 +- getsubids: provide system binary and man page. Resolves: #2013015 +- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081 +- useradd: revert fix memleak of grp. Resolves: #2020238 +- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #2024834 +- pwck: fix segfault when calling fprintf() +- newgrp: fix segmentation fault +- Clean spec file: organize dependencies and move License location + * Tue Aug 17 2021 Iker Pedrosa - 2:4.9-2 - libmisc: fix default value in SHA_get_salt_rounds(). Resolves: #1993919