$Id$
-shadow-4.1.0 -> shadow-4.1.1 UNRELEASED
+shadow-4.1.4.3 -> shadow-4.1.5 UNRELEASED
+
+*** security
+ * su -c could be abused by the executed command to invoke commands with
+ the caller privileges. See below.
+
+*** general
+ * report usage error to stderr, but report usage help to stdout (and return
+ zero) when explicitly requested (e.g. with --help).
+ * initial support for tcb (http://openwall.com/tcb/) for useradd,
+ userdel, usermod, chage, pwck, vipw.
+ * Added support for ACLs and Extended Attributes in useradd and usermod.
+ Support shall be enabled with the new --with-acl or --with-attr
+ configure options.
+ * Added diagnosis for lock failures.
+ * use libsemanage instead of the semanage tool.
+
+- chage
+ * Add --root option.
+- chfn
+ * Add --root option.
+- chgpasswd
+ * When the gshadow file exists but there are no gshadow entries, an entry
+ is created if the password is changed and group requires a
+ shadow entry.
+ * Add --root option.
+- chpasswd
+ * PAM enabled versions: restore the -e option to allow restoring
+ passwords without knowing those passwords. Restore together the -m
+ and -c options. (These options were removed in shadow-4.1.4 on PAM
+ enabled versions)
+ * When the shadow file exists but there are no shadow entries, an entry
+ is created if the password is changed and passwd requires a
+ shadow entry.
+ * Add --root option.
+- chsh
+ * Add --root option.
+- faillog
+ * The -l, -m, -r, -t options only act on the existing users, unless -a is
+ specified.
+ * Add --root option.
+- gpasswd
+ * Add --root option.
+- groupadd
+ * Add --root option.
+- groupdel
+ * Add --root option.
+- groupmems
+ * Fix parsing of gshadow entries.
+ * Add --root option.
+- groupmod
+ * Fixed groupmod when configured with --enable-account-tools-setuid.
+ * When the gshadow file exists but there are no gshadow entries, an entry
+ is created if the password is changed and group requires a
+ shadow entry.
+ * Add --root option.
+- grpck
+ * Add --root option.
+ * NIS entries were dropped by -s (sort).
+- grpconv
+ * Add --root option.
+- grpunconv
+ * Add --root option.
+- lastlog
+ * Add --root option.
+- login
+ * Fixed limits support (non PAM enabled versions only)
+ * Added support for infinite limits and group based limits (non PAM
+ enabled versions only)
+ * Fixed infinite loop when CONSOLE is configured with a colon-separated
+ list of TTYs.
+ * Fixed warning and support for CONSOLE_GROUPS for users member of more
+ than 16 groups.
+ * Do not log into utmp(x) or wtmp when PAM is enabled. This is done by
+ pam_lastlog.
+- newgrp, sg
+ * Fix parsing of gshadow entries.
+- newusers
+ * Add --root option.
+- passwd
+ * Add --root option.
+- pwpck
+ * NIS entries were dropped by -s (sort).
+ * Add --root option.
+- pwconv
+ * Add --root option.
+- pwunconv
+ * Add --root option.
+- useradd
+ * If the skeleton directory contained hardlinked files, copies of the
+ hardlink were removed from the skeleton directory.
+ * Add --root option.
+- userdel
+ * Check the existence of the user's mail spool before trying to remove
+ it. If it does not exist, a warning is issued, but no failure.
+ * Do not remove a group with the same name as the user (usergroup) if
+ this group isn't the user's primary group.
+ * Add --root option.
+ * Add --selinux-user option.
+- usermod
+ * Accept options in any order (username not necessarily at the end)
+ * When the shadow file exists but there are no shadow entries, an entry
+ is created if the password is changed and passwd requires a
+ shadow entry, or if aging features are used (-e or -f).
+ * Add --root option.
+- su
+ * Document the su exit values.
+ * When su receives a signal, wait for the child to terminate (after
+ sending a SIGTERM), and kill it only if it did not terminate by itself.
+ No delay will be enforced if the child cooperates.
+ * Default ENV_SUPATH is /sbin:/bin:/usr/sbin:/usr/bin
+ * Fixed infinite loop when CONSOLE is configured with a colon-separated
+ list of TTYs.
+ * Fixed warning and support for CONSOLE_GROUPS for users member of more
+ than 16 groups.
+ * Do not forward the controlling terminal to commands executed with -c.
+ This prevents tty hijacking which could lead to execution with the
+ caller's privileges.
+ * Close PAM sessions as root. This will be more friendly to PAM modules
+ like pam_mount or pam_systemd.
+ * Added support for PAM modules which change PAM_USER.
+
+*** translation
+ * Updated Brazilian Portuguese translation.
+ * Updated Catalan translation.
+ * Updated Czech translation.
+ * Updated Danish translation.
+ * Updated French translation.
+ * Updated French man pages translation.
+ * Updated German translation.
+ * Updated German man pages translation.
+ * Updated Japanese translation.
+ * Updated Kazakh translation.
+ * Updated Portuguese translation.
+ * Updated Russian translation.
+ * Updated Simplified Chinese translation.
+ * Updated Simplified Chinese man pages translation.
+ * Updated Swedish translation.
+ * Updated Vietnamese translation.
+
+shadow-4.1.4.2 -> shadow-4.1.4.3 2011-02-15
+
+*** security
+- CVE-2011-0721: An insufficient input sanitation in chfn can be exploited
+ to create users or groups in a NIS environment.
+
+shadow-4.1.4.1 -> shadow-4.1.4.2 2009-07-24
+
+- general
+ * Improved support for large groups (impacts most user/group management
+ tools).
+
+- addition of system users or groups
+ * Speed improvement. This should be noticeable in case of LDAP configured
+ systems. This should impact useradd, groupadd, and newusers
+ * Since system accounts are allocated from SYS_?ID_MIN to SYS_?ID_MAX in
+ reverse order, accounts are packed close to SYS_?ID_MAX if SYS_?ID_MIN
+ is already used but there are still dome gaps.
+
+- login
+ * Add support for shells being a shell script without a shebang.
+- su
+ * Preserve the DISPLAY and XAUTHORITY environment variables. This was
+ only the case in the non PAM enabled versions.
+ * Add support for shells being a shell script without a shebang.
+
+*** translation
+ * The Finnish translation of passwd(1) was outdated and is no more
+ distributed.
+
+shadow-4.1.4 -> shadow-4.1.4.1 2009-05-22
+
+- login
+ * Fix failures with empty usernames on non PAM versions.
+ * Fix CONSOLE (securetty) support on non PAM versions.
+- newgrp
+ * Return the exit status of the child.
+- userdel
+ * On Linux, do not check if an user is logged in with utmp, but check if
+ the user is running some processes.
+ * If not on Linux, continue to search for an utmp record, but make sure
+ the process recorded in the utmp entry is still running.
+ * Report failures to remove the user's mailbox
+ * When USERGROUPS_ENAB is enabled, remove the user's group when the
+ user was the only member.
+ * Do not fail when -r is used and the home directory does not exist.
+- usermod
+ * Check if the user is busy when the user's UID, name or home directory
+ is changed.
+
+shadow-4.1.3.1 -> shadow-4.1.4 2009-05-10
+
+- packaging
+ * Enable --enable-account-tools-setuid by default for PAM builds.
+ * Add configure option --enable-utmpx, disabled by default to mimic
+ the previous behavior on Linux (where utmp and utmpx are identical).
+ * Fix build failure on non-PAM systems when --without-pam is not
+ specified.
+
+- chpasswd
+ * Change the passwords using PAM. This permits to define the password
+ policy in a central place. The -c/--crypt-method, -e/--encrypted,
+ -m/--md5 and -s/--sha-rounds options are no more supported on PAM
+ enabled systems.
+- grpck
+ * Warn if a group has an entry in group and gshadow, and the password
+ field in group is not 'x'.
+- login
+ * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
+ lead to DOS attacks.
+ * (PAM) Even if the user was already authenticated (-f flag), ask the
+ user to update his authentication token if needed.
+- lastlog
+ * Fix regression causing empty reports.
+- newusers
+ * Change the passwords using PAM. This permits to define the password
+ policy in a central place. The -c/--crypt-method and -s/--sha-rounds
+ options are no more supported on PAM enabled systems.
+- pwck
+ * Warn if an user has an entry in passwd and shadow, and the password
+ field in passwd is not 'x'.
+
+*** translation
+ - Updated Czech translation
+ - Updated French translation
+ - Updated German translation
+ - Updated Japanese translation
+ - Updated Korean translation
+ - Updated Portuguese translation
+ - Updated Russian translation
+
+shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15
+
+*** security:
+- Due to bad parsing of octal permissions, the permissions on tty (login)
+ but also UMASK were set wrongly (and weirdly). Only shadow-4.1.3 was
+ affected.
+
+*** general
+- login
+ * Fix regression when no user is specified on the command line.
+- userdel
+ * Fixed SE Linux support
+- vipw
+ * SE Linux: Set the default context to the context of the file being
+ edited. This ensures that the backup file inherit from the file's
+ context.
+
+*** translation
+ - Updated Norwegian Bokmål translation
+
+shadow-4.1.2.2 -> shadow-4.1.3 2009-04-12
*** general:
- packaging
- * Do not install the shadow library per default.
+ * Fixed support for OpenPAM.
+ * Fixed support for uclibc.
+ * Added configure --enable-account-tools-setuid (default) /
+ --disable-account-tools-setuid options. This permits to disable the
+ PAM authentication of the caller for chage, chgpasswd, chpasswd,
+ groupadd, groupdel, groupmod, newusers, useradd, userdel, and usermod.
+ This authentication is not necessary when these tools are not
+ installed setuid root.
+ * Added configure --with-group-name-max-length (default) /
+ --without-group-name-max-length options. This permits to configure the maximum length allowed for group names:
+ <no option> -> default of 16 (like today)
+ --with-group-name-max-length -> default of 16
+ --without-group-name-max-length -> no max length
+ --with-group-name-max-length=n > max is set to n
+ No sanity checking is performed on n so people could do
+ something neat like --with-group-name-max-length=MAX_INT
+- addition of users or groups
+ * Speed improvement in case UID_MAX/SYS_UID_MAX/GID_MAX/SYS_GID_MAX is
+ used for an user/group. This should be noticeable in case of LDAP
+ configured systems. This should impact useradd, groupadd, and newusers
+- error handling improvement
+ * Make sure errors and incomplete changes are reported to syslog and
+ audit in case of unexpected failures.
+ * Report system inconsistencies to syslog and audit.
+ * Only report success to syslog and audit if the changes are really
+ performed in the system databases.
+ This is still not complete.
+- /etc/login.defs
+ * New CREATE_HOME variable to tell useradd to create a home directory by
+ default.
+- Translations
+ * New Kazakh translation.
+ * Spanish manpages are no more distributed. They are outdated. Please
+ contact pkg-shadow-devel@lists.alioth.debian.org if you wish to
+ provide updates.
+
+- faillog
+ * Accept users specified as a numerical UID, or ranges of users (-user,
+ user-, user1-user2).
+ * -l, -m, and -r now apply not only to existing users, but to all the
+ specified UIDs.
+ * Options can be specified in any order.
+- gpasswd
+ * Added support for long options --add (-a), --delete (-d),
+ --remove-password (-r), --restrict (-R), --administrators (-A), and
+ --members (-M).
+ * Added support for usernames with arbitrary length.
+ * audit logging improvements.
+ * error handling improvement (see above).
+ * Log permission denied to syslog and audit.
+- groupadd
+ * audit logging improvements.
+ * error handling improvement (see above).
+ * Speedup (see "addition of users or groups" above).
+ * do not create groups with GID set to (gid_t)-1.
+ * Allocate system group GIDs in reverse order. This could be useful
+ later to increase the static IDs range.
+- groupdel
+ * audit logging improvements.
+ * error handling improvement (see above).
+- groupmems
+ * Check if user exist before they are added to groups.
+ * Avoid segfault in case the specified group does not exist in /etc/group.
+ * Everybody is allowed to list the users of a group.
+ * /etc/group is open readonly when one just wants to list the users of a
+ group.
+ * Added syslog support.
+ * Use the groupmems PAM service name instead of groupmod.
+ * Fix segmentation faults when adding or removing users from a group.
+ * Added support for shadow groups.
+ * Added support long options --add (-a), --delete (-d), --purge (-p),
+ --list (-l), --group (-g).
+- groupmod
+ * audit logging improvements.
+ * error handling improvement (see above).
+ * do not create groups with GID set to (gid_t)-1.
+- grpck
+ * warn for groups with GID set to (gid_t)-1.
+- login
+ * Restore the echoctl, echoke, onclr flags to the terminal termio flags.
+ Reset echoprt, noflsh, tostop. This behavior seems to have change by
+ mistake in earlier releases (4.0.8, for no obvious reason).
+- newusers
+ * Implement the -r, --system option.
+ * Speedup (see "addition of users or groups" above).
+ * do not create users with UID set to (gid_t)-1.
+ * do not create groups with GID set to (gid_t)-1.
+ * Allocate system account UIDs/GIDs in reverse order. This could be useful
+ later to increase the static IDs range.
+- passwd
+ * For compatibility with other passwd version, the --lock an --unlock
+ options do not lock or unlock the user account anymore. They only
+ lock or unlock the user's password.
+- pwck
+ * warn for users with UID set to (uid_t)-1.
+- su
+ * Preserve COLORTERM in addition to TERM when su is called with the -l
+ option.
- useradd
- * New option -l to avoid adding the user to the lastlog and faillog databases.
+ * audit logging improvements.
+ * Speedup (see "addition of users or groups" above).
+ * See CREATE_HOME above.
+ * New -M/--no-create-home option to disable CREATE_HOME.
+ * do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
+ * Allocate system user UIDs in reverse order. This could be useful
+ later to increase the static IDs range.
+- userdel
+ * audit logging improvements.
+ * Do not fail if the removed user is not in the shadow database.
+ * When the user's group shall be removed, do not fail if this group is
+ not in the gshadow file.
+ * Delete the SELinux user mapping for user's login.
- usermod
- * Keep the access and modification time of files when moving an user's home
- directory.
+ * Allow adding LDAP users (or any user not present in the local passwd
+ file) to local groups
+ * do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
+
+shadow-4.1.2.1 -> shadow-4.1.2.2 23-11-2008
+
+*** security
+- Fix a race condition in login that could lead to gaining ownership or
+ changing mode of arbitrary files.
+- Fix a possible login DOS, which could be caused by injecting forged
+ entries in utmp.
+
+shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008
+
+*** security
+- Fix an "audit log injection" vulnerability in login.
+ This vulnerability makes it easier for attackers to hide activities by
+ modifying portions of log events, e.g. by appending an addr= statement
+ to the login name.
+
+shadow-4.1.1 -> shadow-4.1.2 25-05-2008
+
+*** security:
+- generation of SHA encrypted passwords (chpasswd, gpasswd, newusers,
+ chgpasswd; and also passwd if configured without PAM support).
+ The number of rounds and number of salt bytes was fixed to their lower
+ allowed values (resp. configurable and 8), hence voiding some of the
+ advantages of this encryption method. Dictionary attacks with
+ precomputed tables were easier than expected, but still harder than with
+ the MD5 (or DES) methods.
+
+*** general:
+- packaging
+ * Distribute the chfn, chsh, and userdel PAM configuration file.
+ * Fix the detection of the audit, pam, and selinux library and header
+ file; and fail if the feature is requested but not present on the
+ system.
+ * Fix build failure when configured with audit support.
+- chfn
+ * Allow non-US-ASCII characters in the GECOS fields ("name", "room
+ number", and "other info" fields).
+- login
+ * Do not fail if a shell option, specified after --, has more than 2
+ letters.
- su
- * su's arguments are now reordered. If needed, use -- to separate su's
- options from the shell's options.
+ * If the SULOG_FILE does not exist when an su session is logged, make
+ sure the file is created with group root, instead of using the group
+ of the caller.
+- vipw
+ * Resume properly after ^Z.
+
+*** documentation:
+- Document the -r, --system option in the useradd, groupadd, and newusers
+ manpages.
+- Document the -c, --crypt-method and -s, --sha-rounds options in the
+ newusers manpage.
+- Document the -k, --skel option in the useradd manpage.
+- Tag the section which require --enable-shadowgrp or --with-sha-crypt
+ accordingly.
+
+shadow-4.1.0 -> shadow-4.1.1 02-04-2008
+
+*** general:
+- security
+ * Do not seed the random number generator each time, and use the time in
+ microseconds to avoid having the same salt for different passwords
+ generated in the same second.
+- packaging
+ * Do not install the shadow library per default.
+- general
+ * Do not translate the messages sent to syslog. This avoids logging
+ PAM error messages in the users's locale.
+- etc/login.defs
+ * Set GID_MIN to the same value as UID_MIN by default (1000).
+ * Added variables SYS_UID_MIN (100), SYS_UID_MAX (999), SYS_GID_MIN (100),
+ SYS_GID_MAX (999) for system accounts.
+- etc/useradd
+ * /etc/default/useradd now defines HOME as /home to match FHS.
+- chage
+ * Fix bug which forbid to set the aging information of an account with a
+ passwd entry, but no shadow entry.
+- faillog
+ * faillog -r now only reset the entries of existing users. This makes
+ faillog faster.
+- gpasswd
+ * Fix failures when the gshadow file is not present.
+ * When a password is moved to the gshadow file, use "x" instead of "!"
+ to indicate that the password is shadowed (consistency with grpconv).
+ * Make sure the group and gshadow files are unlocked on exit.
+- groupadd
+ * New option -p/--password to specify an encrypted password.
+ * New option -r, --system for system accounts.
+- groupdel
+ * Do not fail if the group does not exist in the gshadow file.
+ * Do not rewrite the group or gshadow file in case of error.
+ * Make sure the group and gshadow files are unlocked on exit.
+ * Fail if the system is not configured to support split groups and
+ different group entries have the name of the group to be deleted.
+- groupmems
+ * Fix buffer overflow when adding an user to a group. Thanks to Peter Vrabec.
+- groupmod
+ * New option -p/--password to specify an encrypted password.
+ * Make sure the group and gshadow files are unlocked on exit.
+ * When the GID of a group is changed, update also the GID of the passwd
+ entries of the users whose primary group is the group being modified.
+- grpck
+ * Fix logging of changes to syslog when a group file is provided,
+ without a gshadow file.
- lastlog
* Accept users specified as a numerical UID, or ranges of users (-user,
user-, user1-user2).
+- login
+ * Use PATH and SUPATH to set the PATH environment variable, even when
+ support for PAM is enabled.
+ * If started as init, start a new session.
+- newgrp
+ * Fix segfault when an user returns to an unknown GID (either the user
+ was deleted during the user's newgrp session or the user's passwd
+ entry referenced an invalid group). Add a syslog warning in that case.
+ * Use the correct AUDIT_CHGRP_ID event instead of AUDIT_USER_START, when
+ changing the user space group ID with newgrp or sg.
+- newusers
+ * The new users are no more added to the list of members of their groups
+ because the membership is already set by their primary group.
+ * Added support for gshadow.
+ * Avoid using the same salt for different passwords.
+ * Fix support for the NONE crypt method.
+ * newusers will behave more like useradd regarding the choice of UID or
+ GID or regarding the validity of user and group names.
+ * New option -r, --system for system accounts.
+ * Make sure the passwd, group, shadow, and gshadow files are unlocked on
+ exit.
- passwd
* Make sure that no more than one username argument was provided.
+ * Make SE Linux tests more strict, when the real UID is 0 SE Linux
+ checks will be performed.
+- pwck
+ * Fix logging of changes to syslog when a passwd file is provided,
+ without a shadow file.
- su
- * If started as init, start a new session.
+ * su's arguments are now reordered. If needed, use -- to separate su's
+ options from the shell's options.
- sulogin
* If started as init, start a new session.
-- login
- * Use PATH and SUPATH to set the PATH environment variable, even when
- support for PAM is enabled.
+- useradd
+ * New option -l to avoid adding the user to the lastlog and faillog databases.
+ * Fix the handling of the --defaults option (it required an argument,
+ but should behave as -D)
+ * Document the --defaults option, which was already described in the
+ useradd's Usage information.
+ * New option -r, --system for system accounts.
+ * New options -U, --user-group and -N, --no-user-group. These options
+ should replace nflg from the previous versions. Please set any -n
+ option to deprecated because its meaning differs from one distribution
+ to the other.
+ * Make sure the passwd, group, shadow, and gshadow files are unlocked on
+ exit.
+- usermod
+ * Keep the access and modification time of files when moving an user's home
+ directory.
+ * Check that the new fields set with -u, -s, -l, -g, -f, -e, -d, and -c
+ differ from the old ones. If a requested new value is equal to the old
+ one, no changes will be performed for that field. If no fields are
+ changed, usermod will exist successfully with a warning. This avoids
+ logging changes to syslog when there are actually no changes.
+ * Fix the handling of -a when a user is being renamed (with -l)
- vipw/vigr
* Recommend editing the shadowed (resp. regular) file if the regular (resp.
shadowed) file was edited.
-- newusers
- * The new users are no more added to the list of members of their groups
- because the membership is already set by their primary group.
- * Added support for gshadow.
-- chage
- * Fix bug which forbid to set the aging information of an account with a
- passwd entry, but no shadow entry.
-shadow-4.0.18.2 -> shadow-4.1.0 09-12-2008
+shadow-4.0.18.2 -> shadow-4.1.0 09-12-2007
*** security:
- chgpasswd
projects / shadow / blobdiff