nekral-guest [Sun, 18 Nov 2007 23:15:26 +0000 (23:15 +0000)]
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
nekral-guest [Sun, 18 Nov 2007 22:58:31 +0000 (22:58 +0000)]
Some fixes for the manpages:
* man/pl/pl.po: Fix typo: chgpassw -> chgpasswd.
* man/pl/Makefile.am: Fix typo: chgpassw -> chgpasswd.
* man/de/de.po: groups shall not be translated (for command,
refname, or refentrytitle).
nekral-guest [Sat, 17 Nov 2007 21:24:06 +0000 (21:24 +0000)]
Make sure that the prefix is the name of a directory (not only the
beginning of a directory).
Openwall patch shadow-4.0.4.1-owl-userdel-path_prefix.diff.
nekral-guest [Sat, 17 Nov 2007 21:03:33 +0000 (21:03 +0000)]
* src/newgrp.c: Do not give an indication that the group has no
password.
* src/newgrp.c: Do not only bail on syslog if the password is not
valid. Also give an indication to the user on stderr.
nekral-guest [Sat, 17 Nov 2007 20:28:32 +0000 (20:28 +0000)]
Last parts of the Openwall patch shadow-4.0.4.1-owl-chage-drop-priv.diff:
* src/chage.c: Make chage -l also drop the saved GID.
* src/chage.c: Prefer setregid/setreuid to setgid/setuid.
nekral-guest [Sat, 17 Nov 2007 20:09:54 +0000 (20:09 +0000)]
* src/chage.c: Remove cleanup(). pw_lock is never called. Replace
cleanup(2) by spw_unlock and remove the calls to cleanup(1).
* src/chage.c: Remove variable pwrw. It is always set to 0. The
password database is always read only.
nekral-guest [Sat, 17 Nov 2007 18:45:22 +0000 (18:45 +0000)]
* man/generate_translations.mak: Generic rules for all the
generated translated manpages (if ENABLE_REGENERATE_MAN).
* man/Makefile.am: Removed rules for all the generated translated
manpages.
* man/sv/Makefile.am, man/de/Makefile.am, man/fr/Makefile.am,
man/pl/Makefile.am, man/ru/Makefile.am, man/it/Makefile.am:
Include generate_translations.mak to handle the generated
translations (XML and roff files).
* man/Makefile.am: Translated XML files moved from the CLEANFILES
variable of man/Makefile.am to the various languages Makefiles.
nekral-guest [Sat, 17 Nov 2007 18:13:17 +0000 (18:13 +0000)]
Fixes from Openwall patch shadow-4.0.4.1-alt-man.diff:
* man/useradd.8.xml: Indicate that the NIS caveats is also valid
for any external database as LDAP.
* man/groupadd.8.xml: Likewise.
* man/groupadd.8.xml: Reorder and reformat the caveats bullets.
nekral-guest [Sat, 17 Nov 2007 17:47:02 +0000 (17:47 +0000)]
Start applying Debian patch 409_man_generate_from_PO:
* NEWS: Applied Debian patch 409_man_generate_from_PO to
automatically generate the translated manpages from the POs.
* man/Makefile.am: Replace the individual rules for the generation
of the manpages (from XML) by a generic Makefile rule an
dependencies for the linked manpages.
nekral-guest [Sat, 17 Nov 2007 17:19:44 +0000 (17:19 +0000)]
Avoid terminating the PAM library in the forked child. This is done later
in the parent after closing the PAM session.
This fixes http://bugs.debian.org/412061.
Debian patch 405_su_no_pam_end_before_exec.
nekral-guest [Sat, 17 Nov 2007 16:05:54 +0000 (16:05 +0000)]
Log an error if the password entry could not be
found (respect LOG_UNKFAIL_ENAB to avoid logging a password). This
fixes the Debian bug http://bugs.debian.org/451521
nekral-guest [Sat, 17 Nov 2007 14:33:26 +0000 (14:33 +0000)]
Validate that two of the -L, -p, and -U options are not used at the same
time after the parsing of options. -U used to be allowed after -p or -L,
but not before.
nekral-guest [Sat, 17 Nov 2007 14:21:05 +0000 (14:21 +0000)]
Make usermod -d and -m work independant of the argument order. Thanks to
Justin Pryzby <jpryzby+d@quoininc.com> for the patch. This fixes Debian's
bug #451518.
nekral-guest [Sat, 17 Nov 2007 14:04:05 +0000 (14:04 +0000)]
* NEWS, lib/nscd.c: Execute nscd -i instead of using the private
glibc socket to flush the nscd tables. This comes from the RedHat
patch shadow-4.0.16-nscd.c.
* lib/commonio.c: Forbid inheritance of the passwd and group files
to the spawed processes (like nscd). This comes from the RedHat
patch shadow-4.0.17-notInheritFd.patch.
* lib/nscd.h: Update header.
nekral-guest [Sat, 17 Nov 2007 11:42:47 +0000 (11:42 +0000)]
* src/usermod.c (fail_exit): Add static variables pw_locked,
spw_locked, gr_locked, and sgr_locked to indicate which files must
be unlocked.
* src/usermod.c (open_files, close_files): Open and close the
group files as well as the passwd files. This permit to check if
the group files modification are allowed before writing the passwd
files.
* src/usermod.c (grp_update, update_gshadow, update_group): Do not
return a status code, but call fail_exit() in case of error. The
group files are no more opened and closed in update_gshadow() and
update_group().
* src/usermod.c (main): move the call to grp_update between
open_files and close_files.
* src/usermod.c: Differentiate failure to add a group entry and
failure to add a shadow group entry.
nekral-guest [Fri, 16 Nov 2007 22:59:14 +0000 (22:59 +0000)]
* lib/commonio.c (next_entry_by_name): New function.
* NEWS, lib/commonio.c (commonio_update): When an entry is updated, make
sure that there are no other entry with the same name. This fixes
an infinite loop in userdel and usermod when an (erroneous) group
file contains two entries with the same name.
(https://bugzilla.redhat.com/show_bug.cgi?id=240915)
nekral-guest [Fri, 16 Nov 2007 19:02:00 +0000 (19:02 +0000)]
* libmisc/salt.c: Make sure the salt string is terminated at the
right place (either 8th, or 11th position).
* NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
not need 15 chars. No need for a temporary buffer.
This change the fix committed on 2007-11-10. The salt provided to
pw_encrypt could have been too long.
nekral-guest [Fri, 16 Nov 2007 11:32:42 +0000 (11:32 +0000)]
Add support for systems with no innetgr(). On those systems, username
with an @ will be treated like any other username (i.e. lookup in the
local database for an user with an @). Thanks to Mike Frysinger for the
patch.
nekral-guest [Wed, 14 Nov 2007 13:46:15 +0000 (13:46 +0000)]
Declare the child and pid variable at the beginning of a block. This
fixes a compilation issue with gcc 2.95. The intent is the same as
Gentoo's patch shadow-4.0.12-gcc2.patch.
nekral-guest [Sat, 10 Nov 2007 18:54:40 +0000 (18:54 +0000)]
Don't ask for a password if there are no group passwords. Just directly
give up. This comes from the Fedora's patch shadow-4.0.13-newgrpPwd.patch,
and seems to be the only part with an effect.
nekral-guest [Sat, 10 Nov 2007 15:51:38 +0000 (15:51 +0000)]
Allow non numerical group identifier to be specified with useradd's -g
option. Applied Debian patch 397_non_numerical_identifier. Thanks also to
Greg Schafer <gschafer@zip.com.au>.
nekral-guest [Sat, 27 Oct 2007 23:19:32 +0000 (23:19 +0000)]
Remove the generate_translations.mak inclusion. This file does not exist
and will be introduced later when the Debian patch
409_man_generate_from_PO will be included.
nekral-guest [Sat, 27 Oct 2007 19:45:21 +0000 (19:45 +0000)]
Add support for 2 new resource limits. Thanks to Justin Bronder for the
patch. This was reported in the Debian bug #442334.
This only impact shadow when it is not compiled with PAM support.
nekral-guest [Fri, 12 Oct 2007 22:36:26 +0000 (22:36 +0000)]
If compiled without PAM support, enforce the limits from /etc/limits when
one of the -, -l, or --login options is set, even if called by root.
Thanks to Justin Bronder.
nekral-guest [Sun, 7 Oct 2007 14:36:51 +0000 (14:36 +0000)]
Commit the last version from the PLD CVS repository.
(last changelog entry: 2007-02-01)
This also adds the files which were present in the CVS repository, but not
present in the shadow archives.