$Id$
-shadow-4.1.0 -> shadow-4.1.1 UNRELEASED
+shadow-4.1.4.3 -> shadow-4.1.5 UNRELEASED
+
+*** security
+ * su -c could be abused by the executed command to invoke commands with
+ the caller privileges. See below.
+
+*** general
+ * report usage error to stderr, but report usage help to stdout (and return
+ zero) when explicitly requested (e.g. with --help).
+ * initial support for tcb (http://openwall.com/tcb/) for useradd,
+ userdel, usermod, chage, pwck, vipw.
+ * Added support for ACLs and Extended Attributes in useradd and usermod.
+ Support shall be enabled with the new --with-acl or --with-attr
+ configure options.
+ * Added diagnosis for lock failures.
+ * use libsemanage instead of the semanage tool.
+
+- chage
+ * Add --root option.
+- chfn
+ * Add --root option.
+- chgpasswd
+ * When the gshadow file exists but there are no gshadow entries, an entry
+ is created if the password is changed and group requires a
+ shadow entry.
+ * Add --root option.
+- chpasswd
+ * PAM enabled versions: restore the -e option to allow restoring
+ passwords without knowing those passwords. Restore together the -m
+ and -c options. (These options were removed in shadow-4.1.4 on PAM
+ enabled versions)
+ * When the shadow file exists but there are no shadow entries, an entry
+ is created if the password is changed and passwd requires a
+ shadow entry.
+ * Add --root option.
+- chsh
+ * Add --root option.
+- faillog
+ * The -l, -m, -r, -t options only act on the existing users, unless -a is
+ specified.
+ * Add --root option.
+- gpasswd
+ * Add --root option.
+- groupadd
+ * Add --root option.
+- groupdel
+ * Add --root option.
+- groupmems
+ * Fix parsing of gshadow entries.
+ * Add --root option.
+- groupmod
+ * Fixed groupmod when configured with --enable-account-tools-setuid.
+ * When the gshadow file exists but there are no gshadow entries, an entry
+ is created if the password is changed and group requires a
+ shadow entry.
+ * Add --root option.
+- grpck
+ * Add --root option.
+ * NIS entries were dropped by -s (sort).
+- grpconv
+ * Add --root option.
+- grpunconv
+ * Add --root option.
+- lastlog
+ * Add --root option.
+- login
+ * Fixed limits support (non PAM enabled versions only)
+ * Added support for infinite limits and group based limits (non PAM
+ enabled versions only)
+ * Fixed infinite loop when CONSOLE is configured with a colon-separated
+ list of TTYs.
+ * Fixed warning and support for CONSOLE_GROUPS for users member of more
+ than 16 groups.
+ * Do not log into utmp(x) or wtmp when PAM is enabled. This is done by
+ pam_lastlog.
+- newgrp, sg
+ * Fix parsing of gshadow entries.
+- newusers
+ * Add --root option.
+- passwd
+ * Add --root option.
+- pwpck
+ * NIS entries were dropped by -s (sort).
+ * Add --root option.
+- pwconv
+ * Add --root option.
+- pwunconv
+ * Add --root option.
+- useradd
+ * If the skeleton directory contained hardlinked files, copies of the
+ hardlink were removed from the skeleton directory.
+ * Add --root option.
+- userdel
+ * Check the existence of the user's mail spool before trying to remove
+ it. If it does not exist, a warning is issued, but no failure.
+ * Do not remove a group with the same name as the user (usergroup) if
+ this group isn't the user's primary group.
+ * Add --root option.
+ * Add --selinux-user option.
+- usermod
+ * Accept options in any order (username not necessarily at the end)
+ * When the shadow file exists but there are no shadow entries, an entry
+ is created if the password is changed and passwd requires a
+ shadow entry, or if aging features are used (-e or -f).
+ * Add --root option.
+- su
+ * Document the su exit values.
+ * When su receives a signal, wait for the child to terminate (after
+ sending a SIGTERM), and kill it only if it did not terminate by itself.
+ No delay will be enforced if the child cooperates.
+ * Default ENV_SUPATH is /sbin:/bin:/usr/sbin:/usr/bin
+ * Fixed infinite loop when CONSOLE is configured with a colon-separated
+ list of TTYs.
+ * Fixed warning and support for CONSOLE_GROUPS for users member of more
+ than 16 groups.
+ * Do not forward the controlling terminal to commands executed with -c.
+ This prevents tty hijacking which could lead to execution with the
+ caller's privileges.
+ * Close PAM sessions as root. This will be more friendly to PAM modules
+ like pam_mount or pam_systemd.
+ * Added support for PAM modules which change PAM_USER.
+
+*** translation
+ * Updated Brazilian Portuguese translation.
+ * Updated Catalan translation.
+ * Updated Czech translation.
+ * Updated Danish translation.
+ * Updated French translation.
+ * Updated French man pages translation.
+ * Updated German translation.
+ * Updated German man pages translation.
+ * Updated Japanese translation.
+ * Updated Kazakh translation.
+ * Updated Portuguese translation.
+ * Updated Russian translation.
+ * Updated Simplified Chinese translation.
+ * Updated Simplified Chinese man pages translation.
+ * Updated Swedish translation.
+ * Updated Vietnamese translation.
+
+shadow-4.1.4.2 -> shadow-4.1.4.3 2011-02-15
+
+*** security
+- CVE-2011-0721: An insufficient input sanitation in chfn can be exploited
+ to create users or groups in a NIS environment.
+
+shadow-4.1.4.1 -> shadow-4.1.4.2 2009-07-24
+
+- general
+ * Improved support for large groups (impacts most user/group management
+ tools).
+
+- addition of system users or groups
+ * Speed improvement. This should be noticeable in case of LDAP configured
+ systems. This should impact useradd, groupadd, and newusers
+ * Since system accounts are allocated from SYS_?ID_MIN to SYS_?ID_MAX in
+ reverse order, accounts are packed close to SYS_?ID_MAX if SYS_?ID_MIN
+ is already used but there are still dome gaps.
+
+- login
+ * Add support for shells being a shell script without a shebang.
+- su
+ * Preserve the DISPLAY and XAUTHORITY environment variables. This was
+ only the case in the non PAM enabled versions.
+ * Add support for shells being a shell script without a shebang.
+
+*** translation
+ * The Finnish translation of passwd(1) was outdated and is no more
+ distributed.
+
+shadow-4.1.4 -> shadow-4.1.4.1 2009-05-22
+
+- login
+ * Fix failures with empty usernames on non PAM versions.
+ * Fix CONSOLE (securetty) support on non PAM versions.
+- newgrp
+ * Return the exit status of the child.
+- userdel
+ * On Linux, do not check if an user is logged in with utmp, but check if
+ the user is running some processes.
+ * If not on Linux, continue to search for an utmp record, but make sure
+ the process recorded in the utmp entry is still running.
+ * Report failures to remove the user's mailbox
+ * When USERGROUPS_ENAB is enabled, remove the user's group when the
+ user was the only member.
+ * Do not fail when -r is used and the home directory does not exist.
+- usermod
+ * Check if the user is busy when the user's UID, name or home directory
+ is changed.
+
+shadow-4.1.3.1 -> shadow-4.1.4 2009-05-10
+
+- packaging
+ * Enable --enable-account-tools-setuid by default for PAM builds.
+ * Add configure option --enable-utmpx, disabled by default to mimic
+ the previous behavior on Linux (where utmp and utmpx are identical).
+ * Fix build failure on non-PAM systems when --without-pam is not
+ specified.
+
+- chpasswd
+ * Change the passwords using PAM. This permits to define the password
+ policy in a central place. The -c/--crypt-method, -e/--encrypted,
+ -m/--md5 and -s/--sha-rounds options are no more supported on PAM
+ enabled systems.
+- grpck
+ * Warn if a group has an entry in group and gshadow, and the password
+ field in group is not 'x'.
+- login
+ * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
+ lead to DOS attacks.
+ * (PAM) Even if the user was already authenticated (-f flag), ask the
+ user to update his authentication token if needed.
+- lastlog
+ * Fix regression causing empty reports.
+- newusers
+ * Change the passwords using PAM. This permits to define the password
+ policy in a central place. The -c/--crypt-method and -s/--sha-rounds
+ options are no more supported on PAM enabled systems.
+- pwck
+ * Warn if an user has an entry in passwd and shadow, and the password
+ field in passwd is not 'x'.
+
+*** translation
+ - Updated Czech translation
+ - Updated French translation
+ - Updated German translation
+ - Updated Japanese translation
+ - Updated Korean translation
+ - Updated Portuguese translation
+ - Updated Russian translation
+
+shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15
+
+*** security:
+- Due to bad parsing of octal permissions, the permissions on tty (login)
+ but also UMASK were set wrongly (and weirdly). Only shadow-4.1.3 was
+ affected.
+
+*** general
+- login
+ * Fix regression when no user is specified on the command line.
+- userdel
+ * Fixed SE Linux support
+- vipw
+ * SE Linux: Set the default context to the context of the file being
+ edited. This ensures that the backup file inherit from the file's
+ context.
+
+*** translation
+ - Updated Norwegian Bokmål translation
+
+shadow-4.1.2.2 -> shadow-4.1.3 2009-04-12
+
+*** general:
+- packaging
+ * Fixed support for OpenPAM.
+ * Fixed support for uclibc.
+ * Added configure --enable-account-tools-setuid (default) /
+ --disable-account-tools-setuid options. This permits to disable the
+ PAM authentication of the caller for chage, chgpasswd, chpasswd,
+ groupadd, groupdel, groupmod, newusers, useradd, userdel, and usermod.
+ This authentication is not necessary when these tools are not
+ installed setuid root.
+ * Added configure --with-group-name-max-length (default) /
+ --without-group-name-max-length options. This permits to configure the maximum length allowed for group names:
+ <no option> -> default of 16 (like today)
+ --with-group-name-max-length -> default of 16
+ --without-group-name-max-length -> no max length
+ --with-group-name-max-length=n > max is set to n
+ No sanity checking is performed on n so people could do
+ something neat like --with-group-name-max-length=MAX_INT
+- addition of users or groups
+ * Speed improvement in case UID_MAX/SYS_UID_MAX/GID_MAX/SYS_GID_MAX is
+ used for an user/group. This should be noticeable in case of LDAP
+ configured systems. This should impact useradd, groupadd, and newusers
+- error handling improvement
+ * Make sure errors and incomplete changes are reported to syslog and
+ audit in case of unexpected failures.
+ * Report system inconsistencies to syslog and audit.
+ * Only report success to syslog and audit if the changes are really
+ performed in the system databases.
+ This is still not complete.
+- /etc/login.defs
+ * New CREATE_HOME variable to tell useradd to create a home directory by
+ default.
+- Translations
+ * New Kazakh translation.
+ * Spanish manpages are no more distributed. They are outdated. Please
+ contact pkg-shadow-devel@lists.alioth.debian.org if you wish to
+ provide updates.
+
+- faillog
+ * Accept users specified as a numerical UID, or ranges of users (-user,
+ user-, user1-user2).
+ * -l, -m, and -r now apply not only to existing users, but to all the
+ specified UIDs.
+ * Options can be specified in any order.
+- gpasswd
+ * Added support for long options --add (-a), --delete (-d),
+ --remove-password (-r), --restrict (-R), --administrators (-A), and
+ --members (-M).
+ * Added support for usernames with arbitrary length.
+ * audit logging improvements.
+ * error handling improvement (see above).
+ * Log permission denied to syslog and audit.
+- groupadd
+ * audit logging improvements.
+ * error handling improvement (see above).
+ * Speedup (see "addition of users or groups" above).
+ * do not create groups with GID set to (gid_t)-1.
+ * Allocate system group GIDs in reverse order. This could be useful
+ later to increase the static IDs range.
+- groupdel
+ * audit logging improvements.
+ * error handling improvement (see above).
+- groupmems
+ * Check if user exist before they are added to groups.
+ * Avoid segfault in case the specified group does not exist in /etc/group.
+ * Everybody is allowed to list the users of a group.
+ * /etc/group is open readonly when one just wants to list the users of a
+ group.
+ * Added syslog support.
+ * Use the groupmems PAM service name instead of groupmod.
+ * Fix segmentation faults when adding or removing users from a group.
+ * Added support for shadow groups.
+ * Added support long options --add (-a), --delete (-d), --purge (-p),
+ --list (-l), --group (-g).
+- groupmod
+ * audit logging improvements.
+ * error handling improvement (see above).
+ * do not create groups with GID set to (gid_t)-1.
+- grpck
+ * warn for groups with GID set to (gid_t)-1.
+- login
+ * Restore the echoctl, echoke, onclr flags to the terminal termio flags.
+ Reset echoprt, noflsh, tostop. This behavior seems to have change by
+ mistake in earlier releases (4.0.8, for no obvious reason).
+- newusers
+ * Implement the -r, --system option.
+ * Speedup (see "addition of users or groups" above).
+ * do not create users with UID set to (gid_t)-1.
+ * do not create groups with GID set to (gid_t)-1.
+ * Allocate system account UIDs/GIDs in reverse order. This could be useful
+ later to increase the static IDs range.
+- passwd
+ * For compatibility with other passwd version, the --lock an --unlock
+ options do not lock or unlock the user account anymore. They only
+ lock or unlock the user's password.
+- pwck
+ * warn for users with UID set to (uid_t)-1.
+- su
+ * Preserve COLORTERM in addition to TERM when su is called with the -l
+ option.
+- useradd
+ * audit logging improvements.
+ * Speedup (see "addition of users or groups" above).
+ * See CREATE_HOME above.
+ * New -M/--no-create-home option to disable CREATE_HOME.
+ * do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
+ * Allocate system user UIDs in reverse order. This could be useful
+ later to increase the static IDs range.
+- userdel
+ * audit logging improvements.
+ * Do not fail if the removed user is not in the shadow database.
+ * When the user's group shall be removed, do not fail if this group is
+ not in the gshadow file.
+ * Delete the SELinux user mapping for user's login.
+- usermod
+ * Allow adding LDAP users (or any user not present in the local passwd
+ file) to local groups
+ * do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
+
+shadow-4.1.2.1 -> shadow-4.1.2.2 23-11-2008
+
+*** security
+- Fix a race condition in login that could lead to gaining ownership or
+ changing mode of arbitrary files.
+- Fix a possible login DOS, which could be caused by injecting forged
+ entries in utmp.
+
+shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008
+
+*** security
+- Fix an "audit log injection" vulnerability in login.
+ This vulnerability makes it easier for attackers to hide activities by
+ modifying portions of log events, e.g. by appending an addr= statement
+ to the login name.
+
+shadow-4.1.1 -> shadow-4.1.2 25-05-2008
+
+*** security:
+- generation of SHA encrypted passwords (chpasswd, gpasswd, newusers,
+ chgpasswd; and also passwd if configured without PAM support).
+ The number of rounds and number of salt bytes was fixed to their lower
+ allowed values (resp. configurable and 8), hence voiding some of the
+ advantages of this encryption method. Dictionary attacks with
+ precomputed tables were easier than expected, but still harder than with
+ the MD5 (or DES) methods.
+
+*** general:
+- packaging
+ * Distribute the chfn, chsh, and userdel PAM configuration file.
+ * Fix the detection of the audit, pam, and selinux library and header
+ file; and fail if the feature is requested but not present on the
+ system.
+ * Fix build failure when configured with audit support.
+- chfn
+ * Allow non-US-ASCII characters in the GECOS fields ("name", "room
+ number", and "other info" fields).
+- login
+ * Do not fail if a shell option, specified after --, has more than 2
+ letters.
+- su
+ * If the SULOG_FILE does not exist when an su session is logged, make
+ sure the file is created with group root, instead of using the group
+ of the caller.
+- vipw
+ * Resume properly after ^Z.
+
+*** documentation:
+- Document the -r, --system option in the useradd, groupadd, and newusers
+ manpages.
+- Document the -c, --crypt-method and -s, --sha-rounds options in the
+ newusers manpage.
+- Document the -k, --skel option in the useradd manpage.
+- Tag the section which require --enable-shadowgrp or --with-sha-crypt
+ accordingly.
+
+shadow-4.1.0 -> shadow-4.1.1 02-04-2008
*** general:
- security
generated in the same second.
- packaging
* Do not install the shadow library per default.
+- general
+ * Do not translate the messages sent to syslog. This avoids logging
+ PAM error messages in the users's locale.
+- etc/login.defs
+ * Set GID_MIN to the same value as UID_MIN by default (1000).
+ * Added variables SYS_UID_MIN (100), SYS_UID_MAX (999), SYS_GID_MIN (100),
+ SYS_GID_MAX (999) for system accounts.
+- etc/useradd
+ * /etc/default/useradd now defines HOME as /home to match FHS.
- chage
* Fix bug which forbid to set the aging information of an account with a
passwd entry, but no shadow entry.
+- faillog
+ * faillog -r now only reset the entries of existing users. This makes
+ faillog faster.
+- gpasswd
+ * Fix failures when the gshadow file is not present.
+ * When a password is moved to the gshadow file, use "x" instead of "!"
+ to indicate that the password is shadowed (consistency with grpconv).
+ * Make sure the group and gshadow files are unlocked on exit.
- groupadd
* New option -p/--password to specify an encrypted password.
+ * New option -r, --system for system accounts.
+- groupdel
+ * Do not fail if the group does not exist in the gshadow file.
+ * Do not rewrite the group or gshadow file in case of error.
+ * Make sure the group and gshadow files are unlocked on exit.
+ * Fail if the system is not configured to support split groups and
+ different group entries have the name of the group to be deleted.
+- groupmems
+ * Fix buffer overflow when adding an user to a group. Thanks to Peter Vrabec.
- groupmod
* New option -p/--password to specify an encrypted password.
+ * Make sure the group and gshadow files are unlocked on exit.
+ * When the GID of a group is changed, update also the GID of the passwd
+ entries of the users whose primary group is the group being modified.
- grpck
* Fix logging of changes to syslog when a group file is provided,
without a gshadow file.
-- login
- * Use PATH and SUPATH to set the PATH environment variable, even when
- support for PAM is enabled.
- lastlog
* Accept users specified as a numerical UID, or ranges of users (-user,
user-, user1-user2).
+- login
+ * Use PATH and SUPATH to set the PATH environment variable, even when
+ support for PAM is enabled.
+ * If started as init, start a new session.
- newgrp
* Fix segfault when an user returns to an unknown GID (either the user
was deleted during the user's newgrp session or the user's passwd
entry referenced an invalid group). Add a syslog warning in that case.
+ * Use the correct AUDIT_CHGRP_ID event instead of AUDIT_USER_START, when
+ changing the user space group ID with newgrp or sg.
- newusers
* The new users are no more added to the list of members of their groups
because the membership is already set by their primary group.
* Added support for gshadow.
* Avoid using the same salt for different passwords.
+ * Fix support for the NONE crypt method.
+ * newusers will behave more like useradd regarding the choice of UID or
+ GID or regarding the validity of user and group names.
+ * New option -r, --system for system accounts.
+ * Make sure the passwd, group, shadow, and gshadow files are unlocked on
+ exit.
- passwd
* Make sure that no more than one username argument was provided.
+ * Make SE Linux tests more strict, when the real UID is 0 SE Linux
+ checks will be performed.
- pwck
* Fix logging of changes to syslog when a passwd file is provided,
without a shadow file.
- su
* su's arguments are now reordered. If needed, use -- to separate su's
options from the shell's options.
- * If started as init, start a new session.
- sulogin
* If started as init, start a new session.
- useradd
but should behave as -D)
* Document the --defaults option, which was already described in the
useradd's Usage information.
+ * New option -r, --system for system accounts.
+ * New options -U, --user-group and -N, --no-user-group. These options
+ should replace nflg from the previous versions. Please set any -n
+ option to deprecated because its meaning differs from one distribution
+ to the other.
+ * Make sure the passwd, group, shadow, and gshadow files are unlocked on
+ exit.
- usermod
* Keep the access and modification time of files when moving an user's home
directory.
one, no changes will be performed for that field. If no fields are
changed, usermod will exist successfully with a warning. This avoids
logging changes to syslog when there are actually no changes.
+ * Fix the handling of -a when a user is being renamed (with -l)
- vipw/vigr
* Recommend editing the shadowed (resp. regular) file if the regular (resp.
shadowed) file was edited.
-shadow-4.0.18.2 -> shadow-4.1.0 09-12-2008
+shadow-4.0.18.2 -> shadow-4.1.0 09-12-2007
*** security:
- chgpasswd