nekral-guest [Tue, 20 Nov 2007 12:59:20 +0000 (12:59 +0000)]
* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
encryption algorithm is chosen for the passwords. Document the new
-c and -s options. Add a reference to login.defs(5).
* man/login.defs.5.xml: Document the ENCRYPT_METHOD,
MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
variables.
* etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
Document the relationship with PAM for MD5_CRYPT_ENAB and
ENCRYPT_METHOD.
nekral-guest [Tue, 20 Nov 2007 09:33:52 +0000 (09:33 +0000)]
* lib/prototypes.h, libmisc/salt.c: Add parameters to
crypt_make_salt to force the crypt method and number of rounds.
* libmisc/salt.c: Add parameter to SHA_salt_rounds to force the
number of rounds.
* libmisc/salt.c, lib/getdef.c: ENCRYPT_METHOD and MD5_CRYPT_ENAB
are needed also when USE_PAM (e.g. for chpasswd).
* src/newusers.c, src/gpasswd.c: Use the new crypt_make_salt prototype.
* src/chpasswd.c, src/chgpasswd.c: Add option -c, --crypt-method
and -s, --sha-rounds to specify the crypt method and number of
rounds in case of one of the SHA methods. The new prototype of
crypt_make_salt simplifies the handling of -m, --md5.
nekral-guest [Tue, 20 Nov 2007 00:05:54 +0000 (00:05 +0000)]
* libmisc/salt.c: The salt has a random size (between 8 and 16
bytes).
* lib/getdef.c, etc/login.defs: Add definitions for
SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS.
* libmisc/salt.c: Use SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS
to add a random number of rounds if needed.
nekral-guest [Mon, 19 Nov 2007 22:34:48 +0000 (22:34 +0000)]
* libmisc/salt.c (MAGNUM): Terminate the array with nul (the array
is then used with strcat).
* libmisc/salt.c (crypt_make_salt): Initialize result[0] to nul at
the beginning (was not initialized when USE_PAM).
* libmisc/salt.c (crypt_make_salt): Check that ENCRYPT_METHOD is a
valid crypt method.
nekral-guest [Mon, 19 Nov 2007 22:14:19 +0000 (22:14 +0000)]
Add support for SHA256 and SHA512 encrypt methods. Apply RedHat's patch
shadow-4.0.18.1-sha256.patch. Thanks to Peter Vrabec. Hardly no changes
except re-indent and changes related to recent modifications (max_salt_len
in crypt_make_salt). Changes in lib/defines.h not applied (definition of
ENCRYPTMETHOD_SELECT). I will add a configure check or flag.
nekral-guest [Mon, 19 Nov 2007 20:25:36 +0000 (20:25 +0000)]
Fix some compilation warnings:
* src/login.c: "dereferencing type-punned pointer will break
strict-aliasing rules", add a variable indirection: ptr_pam_user.
* lib/commonio.c: do not initialize the sb stat structure.
* lib/pwio.c, lib/shadowio.c, lib/sgroupio.c, lib/groupio.c:
initialize the security context if WITH_SELINUX.
* lib/nscd.c: The service argument is not const (used in the exec*
parameters). This matches with the prototype definition.
* src/groupmems.c: Avoid ++i when i is also used in the same line.
* src/newusers.c: i is positive every time it is compared. Add
cast to unsigned int.
* src/nologin.c: Use a main() prototype with no arguments.
* libmisc/getdate.y: Initialize the type and value fields of the
terminating entry for each TABLE.
* libmisc/tz.c: Use "TZ=CST6CDT" as the default timezone.
nekral-guest [Mon, 19 Nov 2007 01:16:42 +0000 (01:16 +0000)]
* man/pl/Makefile.am: Add getspnam.3 to EXTRA_DIST since it is
generated with shadow.3.
* man/generate_translations.mak: Clean all the manpages, based on
$(EXTRA_DIST), not $(man_MANS).
nekral-guest [Sun, 18 Nov 2007 23:15:26 +0000 (23:15 +0000)]
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
nekral-guest [Sun, 18 Nov 2007 22:58:31 +0000 (22:58 +0000)]
Some fixes for the manpages:
* man/pl/pl.po: Fix typo: chgpassw -> chgpasswd.
* man/pl/Makefile.am: Fix typo: chgpassw -> chgpasswd.
* man/de/de.po: groups shall not be translated (for command,
refname, or refentrytitle).
nekral-guest [Sat, 17 Nov 2007 21:24:06 +0000 (21:24 +0000)]
Make sure that the prefix is the name of a directory (not only the
beginning of a directory).
Openwall patch shadow-4.0.4.1-owl-userdel-path_prefix.diff.
nekral-guest [Sat, 17 Nov 2007 21:03:33 +0000 (21:03 +0000)]
* src/newgrp.c: Do not give an indication that the group has no
password.
* src/newgrp.c: Do not only bail on syslog if the password is not
valid. Also give an indication to the user on stderr.
nekral-guest [Sat, 17 Nov 2007 20:28:32 +0000 (20:28 +0000)]
Last parts of the Openwall patch shadow-4.0.4.1-owl-chage-drop-priv.diff:
* src/chage.c: Make chage -l also drop the saved GID.
* src/chage.c: Prefer setregid/setreuid to setgid/setuid.
nekral-guest [Sat, 17 Nov 2007 20:09:54 +0000 (20:09 +0000)]
* src/chage.c: Remove cleanup(). pw_lock is never called. Replace
cleanup(2) by spw_unlock and remove the calls to cleanup(1).
* src/chage.c: Remove variable pwrw. It is always set to 0. The
password database is always read only.
nekral-guest [Sat, 17 Nov 2007 18:45:22 +0000 (18:45 +0000)]
* man/generate_translations.mak: Generic rules for all the
generated translated manpages (if ENABLE_REGENERATE_MAN).
* man/Makefile.am: Removed rules for all the generated translated
manpages.
* man/sv/Makefile.am, man/de/Makefile.am, man/fr/Makefile.am,
man/pl/Makefile.am, man/ru/Makefile.am, man/it/Makefile.am:
Include generate_translations.mak to handle the generated
translations (XML and roff files).
* man/Makefile.am: Translated XML files moved from the CLEANFILES
variable of man/Makefile.am to the various languages Makefiles.
nekral-guest [Sat, 17 Nov 2007 18:13:17 +0000 (18:13 +0000)]
Fixes from Openwall patch shadow-4.0.4.1-alt-man.diff:
* man/useradd.8.xml: Indicate that the NIS caveats is also valid
for any external database as LDAP.
* man/groupadd.8.xml: Likewise.
* man/groupadd.8.xml: Reorder and reformat the caveats bullets.
nekral-guest [Sat, 17 Nov 2007 17:47:02 +0000 (17:47 +0000)]
Start applying Debian patch 409_man_generate_from_PO:
* NEWS: Applied Debian patch 409_man_generate_from_PO to
automatically generate the translated manpages from the POs.
* man/Makefile.am: Replace the individual rules for the generation
of the manpages (from XML) by a generic Makefile rule an
dependencies for the linked manpages.
nekral-guest [Sat, 17 Nov 2007 17:19:44 +0000 (17:19 +0000)]
Avoid terminating the PAM library in the forked child. This is done later
in the parent after closing the PAM session.
This fixes http://bugs.debian.org/412061.
Debian patch 405_su_no_pam_end_before_exec.
nekral-guest [Sat, 17 Nov 2007 16:05:54 +0000 (16:05 +0000)]
Log an error if the password entry could not be
found (respect LOG_UNKFAIL_ENAB to avoid logging a password). This
fixes the Debian bug http://bugs.debian.org/451521
nekral-guest [Sat, 17 Nov 2007 14:33:26 +0000 (14:33 +0000)]
Validate that two of the -L, -p, and -U options are not used at the same
time after the parsing of options. -U used to be allowed after -p or -L,
but not before.
nekral-guest [Sat, 17 Nov 2007 14:21:05 +0000 (14:21 +0000)]
Make usermod -d and -m work independant of the argument order. Thanks to
Justin Pryzby <jpryzby+d@quoininc.com> for the patch. This fixes Debian's
bug #451518.
nekral-guest [Sat, 17 Nov 2007 14:04:05 +0000 (14:04 +0000)]
* NEWS, lib/nscd.c: Execute nscd -i instead of using the private
glibc socket to flush the nscd tables. This comes from the RedHat
patch shadow-4.0.16-nscd.c.
* lib/commonio.c: Forbid inheritance of the passwd and group files
to the spawed processes (like nscd). This comes from the RedHat
patch shadow-4.0.17-notInheritFd.patch.
* lib/nscd.h: Update header.
nekral-guest [Sat, 17 Nov 2007 11:42:47 +0000 (11:42 +0000)]
* src/usermod.c (fail_exit): Add static variables pw_locked,
spw_locked, gr_locked, and sgr_locked to indicate which files must
be unlocked.
* src/usermod.c (open_files, close_files): Open and close the
group files as well as the passwd files. This permit to check if
the group files modification are allowed before writing the passwd
files.
* src/usermod.c (grp_update, update_gshadow, update_group): Do not
return a status code, but call fail_exit() in case of error. The
group files are no more opened and closed in update_gshadow() and
update_group().
* src/usermod.c (main): move the call to grp_update between
open_files and close_files.
* src/usermod.c: Differentiate failure to add a group entry and
failure to add a shadow group entry.
nekral-guest [Fri, 16 Nov 2007 22:59:14 +0000 (22:59 +0000)]
* lib/commonio.c (next_entry_by_name): New function.
* NEWS, lib/commonio.c (commonio_update): When an entry is updated, make
sure that there are no other entry with the same name. This fixes
an infinite loop in userdel and usermod when an (erroneous) group
file contains two entries with the same name.
(https://bugzilla.redhat.com/show_bug.cgi?id=240915)
nekral-guest [Fri, 16 Nov 2007 19:02:00 +0000 (19:02 +0000)]
* libmisc/salt.c: Make sure the salt string is terminated at the
right place (either 8th, or 11th position).
* NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
not need 15 chars. No need for a temporary buffer.
This change the fix committed on 2007-11-10. The salt provided to
pw_encrypt could have been too long.
nekral-guest [Fri, 16 Nov 2007 11:32:42 +0000 (11:32 +0000)]
Add support for systems with no innetgr(). On those systems, username
with an @ will be treated like any other username (i.e. lookup in the
local database for an user with an @). Thanks to Mike Frysinger for the
patch.
nekral-guest [Wed, 14 Nov 2007 13:46:15 +0000 (13:46 +0000)]
Declare the child and pid variable at the beginning of a block. This
fixes a compilation issue with gcc 2.95. The intent is the same as
Gentoo's patch shadow-4.0.12-gcc2.patch.
nekral-guest [Sat, 10 Nov 2007 18:54:40 +0000 (18:54 +0000)]
Don't ask for a password if there are no group passwords. Just directly
give up. This comes from the Fedora's patch shadow-4.0.13-newgrpPwd.patch,
and seems to be the only part with an effect.
nekral-guest [Sat, 10 Nov 2007 15:51:38 +0000 (15:51 +0000)]
Allow non numerical group identifier to be specified with useradd's -g
option. Applied Debian patch 397_non_numerical_identifier. Thanks also to
Greg Schafer <gschafer@zip.com.au>.
nekral-guest [Sat, 27 Oct 2007 23:19:32 +0000 (23:19 +0000)]
Remove the generate_translations.mak inclusion. This file does not exist
and will be introduced later when the Debian patch
409_man_generate_from_PO will be included.
nekral-guest [Sat, 27 Oct 2007 19:45:21 +0000 (19:45 +0000)]
Add support for 2 new resource limits. Thanks to Justin Bronder for the
patch. This was reported in the Debian bug #442334.
This only impact shadow when it is not compiled with PAM support.