]> granicus.if.org Git - shadow/log
shadow
5 years agoremove unused variables
Serge Hallyn [Sun, 13 Oct 2019 00:57:12 +0000 (19:57 -0500)]
remove unused variables

parent, user_id, and group_id are unused.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agoMerge pull request #181 from pan93412/master
Serge Hallyn [Mon, 7 Oct 2019 14:00:19 +0000 (09:00 -0500)]
Merge pull request #181 from pan93412/master

l10n(zh_TW): update translations

5 years agol10n(zh_TW): update translations
pan93412 [Mon, 7 Oct 2019 10:26:33 +0000 (18:26 +0800)]
l10n(zh_TW): update translations

5 years agoMerge pull request #180 from thkukuk/libeconf
Serge Hallyn [Sun, 6 Oct 2019 03:34:29 +0000 (22:34 -0500)]
Merge pull request #180 from thkukuk/libeconf

Add support for a vendor directory and libeconf

5 years agoAdd support for a vendor directory and libeconf
Thorsten Kukuk [Fri, 20 Sep 2019 08:27:31 +0000 (10:27 +0200)]
Add support for a vendor directory and libeconf

With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where the shadow suite should additional
look for login.defs if this file is not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.

5 years agoMerge pull request #177 from edneville/conflicts_between_system_users_useradd_and_pwck
Serge Hallyn [Sun, 6 Oct 2019 03:08:08 +0000 (22:08 -0500)]
Merge pull request #177 from edneville/conflicts_between_system_users_useradd_and_pwck

pwck.c: only check home dirs if set and not a system user

5 years agopwck.c: only check home dirs if set and not a system user
ed [Sun, 25 Aug 2019 19:11:24 +0000 (20:11 +0100)]
pwck.c: only check home dirs if set and not a system user

Closes #126

Changelog: pwck, better to look at array than to use strnlen.

5 years agoMerge pull request #176 from edneville/force_bad_name
Serge Hallyn [Fri, 4 Oct 2019 23:41:39 +0000 (16:41 -0700)]
Merge pull request #176 from edneville/force_bad_name

chkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that…

5 years agochkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that do not conform...
ed [Fri, 23 Aug 2019 20:42:37 +0000 (21:42 +0100)]
chkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that do not conform to standards

Closes #121.

Changelog: squashed commits fixing tab style
Changelog: update 'return true' to match file's style (no parens).

5 years agolib/sgetgrent.c: change to warn when data remains
ed@s5h.net [Thu, 22 Aug 2019 17:18:31 +0000 (18:18 +0100)]
lib/sgetgrent.c: change to warn when data remains

5 years agosgetpwent.c/sgetgrent.c: check for additional data at end of line
ed@s5h.net [Wed, 21 Aug 2019 19:47:11 +0000 (20:47 +0100)]
sgetpwent.c/sgetgrent.c: check for additional data at end of line

5 years agoMerge branch 'master' of git+ssh://github.com/shadow-maint/shadow
Serge Hallyn [Fri, 4 Oct 2019 23:28:34 +0000 (18:28 -0500)]
Merge branch 'master' of git+ssh://github.com/shadow-maint/shadow

5 years agoMerge pull request #173 from edneville/issue_105_106
Serge Hallyn [Thu, 8 Aug 2019 03:44:51 +0000 (22:44 -0500)]
Merge pull request #173 from edneville/issue_105_106

useradd.c: including directory name in directory existence error message

5 years agoMerge pull request #172 from edneville/master
Serge Hallyn [Thu, 8 Aug 2019 03:42:03 +0000 (22:42 -0500)]
Merge pull request #172 from edneville/master

chage.c: add support for YYYY-MM-DD date printing

5 years agoMerge pull request #171 from falconindy/master
Serge Hallyn [Thu, 8 Aug 2019 03:39:08 +0000 (22:39 -0500)]
Merge pull request #171 from falconindy/master

Honor --sbindir and --bindir for binary installation

5 years agosrc/useradd.c: including directory name in dir existence error. Prefixing output...
ed [Wed, 7 Aug 2019 18:41:12 +0000 (19:41 +0100)]
src/useradd.c: including directory name in dir existence error. Prefixing output lines with program name.

5 years agochage.c: add support for YYYY-MM-DD date printing
ed [Tue, 6 Aug 2019 18:36:42 +0000 (19:36 +0100)]
chage.c: add support for YYYY-MM-DD date printing

5 years agoHonor --sbindir and --bindir for binary installation
Dave Reisner [Fri, 2 Aug 2019 22:45:19 +0000 (18:45 -0400)]
Honor --sbindir and --bindir for binary installation

Some distros don't care about the split between /bin, /sbin, /usr/bin,
and /usr/sbin, so let them easily stuff binaries wherever they want.

5 years agoFix failing chmod calls on installation for suidubins
Dave Reisner [Wed, 31 Jul 2019 17:09:36 +0000 (13:09 -0400)]
Fix failing chmod calls on installation for suidubins

suidubins should be suidusbins, since these binaries are installed
${prefix}/sbin. This historically hasn't broken the build because
chmod of newgidmap/newuidmap succeeds, causing make to think the command
succeeded. Configuring shadow with --with-fcaps removes these final two
entries and exposes the chmod failure to make.

5 years agoHonor --sbindir and --bindir for binary installation
Dave Reisner [Wed, 31 Jul 2019 17:09:36 +0000 (13:09 -0400)]
Honor --sbindir and --bindir for binary installation

Some distros don't care about the split between /bin, /sbin, /usr/bin,
and /usr/sbin, so let them easily stuff binaries wherever they want.

This also fixes a problem during installation where-in a loop of 'chmod
4755' calls will mostly fail. However, because the last two succeed
(newuidmap/newgidmap), make considers the command to be a success.
Somewhat not-amusingly, configuring shadow with --with-fcaps will cause
installation to fail because the final chmod call is now a failing one.

5 years agoMerge pull request #170 from stanislav-brabec/master
Serge Hallyn [Wed, 31 Jul 2019 15:40:43 +0000 (10:40 -0500)]
Merge pull request #170 from stanislav-brabec/master

Fixes of LASTLOG_UID_MAX and login.defs

5 years agologin.defs: Cosmetic space change
Stanislav Brabec [Fri, 26 Jul 2019 20:47:05 +0000 (22:47 +0200)]
login.defs: Cosmetic space change

Fix formatting of login.defs comments. Variables are preceeded by "#"
without space, comments are preceeded by "# ". It makes the file machine
parseable again.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
5 years agologin.defs: Really add LASTLOG_UID_MAX
Stanislav Brabec [Fri, 26 Jul 2019 20:34:59 +0000 (22:34 +0200)]
login.defs: Really add LASTLOG_UID_MAX

However 46331648 mentions adding of LASTLOG_UID_MAX to login.defs, it did
not happen.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
5 years agousermod.c: Fix invalid variable name
Stanislav Brabec [Fri, 26 Jul 2019 19:39:42 +0000 (21:39 +0200)]
usermod.c: Fix invalid variable name

Fix invalid LASTLOG_MAX_UID variable name to correct LASTLOG_UID_MAX.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
5 years agoMerge pull request #167 from yizhao1/fix
Serge Hallyn [Mon, 17 Jun 2019 14:06:43 +0000 (09:06 -0500)]
Merge pull request #167 from yizhao1/fix

configure.ac: fix configure error with dash

5 years agoconfigure.ac: fix configure error with dash
Yi Zhao [Mon, 17 Jun 2019 07:36:34 +0000 (15:36 +0800)]
configure.ac: fix configure error with dash

A configure error occurs when /bin/sh -> dash:
  checking for is_selinux_enabled in -lselinux... yes
  checking for semanage_connect in -lsemanage... yes
  configure: 16322: test: yesyes: unexpected operator

Use "=" instead of "==" since dash doesn't support this operator.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
5 years agorelease 4.7 4.7
Serge Hallyn [Thu, 13 Jun 2019 16:38:49 +0000 (11:38 -0500)]
release 4.7

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agogithub pages takes an index.html
Serge Hallyn [Sun, 9 Jun 2019 05:02:45 +0000 (00:02 -0500)]
github pages takes an index.html

Signed-off-by: Serge Hallyn <serge@hallyn.com>
5 years agoadd README.md for the homepage
Serge Hallyn [Sun, 9 Jun 2019 04:51:32 +0000 (23:51 -0500)]
add README.md for the homepage

Signed-off-by: Serge Hallyn <serge@hallyn.com>
5 years agoMerge pull request #161 from tabraham/master
Christian Brauner [Tue, 4 Jun 2019 11:31:08 +0000 (13:31 +0200)]
Merge pull request #161 from tabraham/master

lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD

5 years agolib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
Thomas Abraham [Mon, 6 May 2019 18:26:14 +0000 (14:26 -0400)]
lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD

If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it errors with ECHILD.

5 years agoRevert "lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD"
Thomas Abraham [Mon, 6 May 2019 18:23:58 +0000 (14:23 -0400)]
Revert "lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD"

This reverts commit 1697c192acc763682ee9883aa94fe871246403c0.

5 years agolibmisc/btrfs: no sense trying to calculate 'btrfs' string
Serge Hallyn [Sat, 4 May 2019 02:40:02 +0000 (19:40 -0700)]
libmisc/btrfs: no sense trying to calculate 'btrfs' string

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agolibmisc/btrfs: find btrfs command
Serge Hallyn [Sat, 4 May 2019 02:33:23 +0000 (19:33 -0700)]
libmisc/btrfs: find btrfs command

Ubuntu for instance keeps it in /bin, not /sbin.  So look
for it in our usual places.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agoautoconf: fix cut-paste errors in btrfs detection
Serge Hallyn [Sat, 4 May 2019 02:09:58 +0000 (19:09 -0700)]
autoconf: fix cut-paste errors in btrfs detection

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agoAdd autotools support for BtrFS option
Adam Majer [Wed, 23 Jan 2019 15:17:05 +0000 (16:17 +0100)]
Add autotools support for BtrFS option

Feature is enabled by default, if headers are available. It can be
turned off explictly.

5 years agoAdd support for btrfs subvolumes for user homes
Adam Majer [Mon, 21 Jan 2019 08:32:36 +0000 (09:32 +0100)]
Add support for btrfs subvolumes for user homes

new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.

5 years agoMerge pull request #164 from t8m/use-lckpwdf
Christian Brauner [Fri, 3 May 2019 08:43:41 +0000 (10:43 +0200)]
Merge pull request #164 from t8m/use-lckpwdf

Use lckpwdf() again if prefix is not set and fix a possible DoS in locking

5 years agoDo not fail locking if there is a stale lockfile.
Tomas Mraz [Thu, 2 May 2019 12:39:01 +0000 (14:39 +0200)]
Do not fail locking if there is a stale lockfile.

As the lockfiles have PID in the name, there can be no conflict
in the name with other process, so there is no point in using
O_EXCL and it only can fail if there is a stale lockfile from
previous execution that crashed for some reason.

5 years agoUse the lckpwdf() again if prefix is not set
Tomas Mraz [Thu, 2 May 2019 12:33:06 +0000 (14:33 +0200)]
Use the lckpwdf() again if prefix is not set

The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.

This reverts the implementation to use lckpwdf() if prefix option
is not used.

5 years agoMerge pull request #162 from jtojnar/check-correct-docbook
Christian Brauner [Tue, 30 Apr 2019 18:39:22 +0000 (20:39 +0200)]
Merge pull request #162 from jtojnar/check-correct-docbook

build: Check correct DocBook version

5 years agobuild: Check correct DocBook version
Jan Tojnar [Tue, 30 Apr 2019 18:35:07 +0000 (20:35 +0200)]
build: Check correct DocBook version

The documentation uses DocBook 4.5 DOCTYPE but the configure script
checked for 4.1.2.

5 years agolib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
Thomas Abraham [Thu, 25 Apr 2019 18:56:22 +0000 (14:56 -0400)]
lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD

If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it erros with ECHILD.

5 years agousermod: print "no changes" to stdout, not stderr
Serge Hallyn [Sun, 21 Apr 2019 22:28:12 +0000 (17:28 -0500)]
usermod: print "no changes" to stdout, not stderr

Closes #113

Signed-off-by: Serge Hallyn <serge@hallyn.com>
5 years agoMerge pull request #146 from lamby/reproducible-shadow-files
Serge Hallyn [Sun, 21 Apr 2019 22:13:58 +0000 (17:13 -0500)]
Merge pull request #146 from lamby/reproducible-shadow-files

Make the sp_lstchg shadow field reproducible (re. #71)

5 years agoMerge pull request #143 from t8m/fedora
Serge Hallyn [Sun, 21 Apr 2019 21:56:36 +0000 (16:56 -0500)]
Merge pull request #143 from t8m/fedora

usermod: Guard against unsafe change of ownership of home contents

5 years agoMerge pull request #158 from nathanruiz/master
Serge Hallyn [Sun, 21 Apr 2019 21:50:07 +0000 (16:50 -0500)]
Merge pull request #158 from nathanruiz/master

Fix chpasswd long line handling

5 years agoMerge pull request #156 from cvuillemez/no_flush_in_read_only
Serge Hallyn [Mon, 15 Apr 2019 05:17:32 +0000 (00:17 -0500)]
Merge pull request #156 from cvuillemez/no_flush_in_read_only

Do not flush nscd and sssd cache in read-only mode

5 years agoFix chpasswd long line handling
Nathan Ruiz [Fri, 16 Nov 2018 05:41:30 +0000 (16:41 +1100)]
Fix chpasswd long line handling

5 years agogettime: Use secure_getenv over getenv.
Chris Lamb [Sun, 31 Mar 2019 14:59:45 +0000 (15:59 +0100)]
gettime: Use secure_getenv over getenv.

5 years agoMake the sp_lstchg shadow field reproducible (re. #71)
Chris Lamb [Wed, 2 Jan 2019 18:06:16 +0000 (18:06 +0000)]
Make the sp_lstchg shadow field reproducible (re. #71)

From <https://github.com/shadow-maint/shadow/pull/71>:

```
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

username:17238:0:99999:7:::
whilst creating the same user tomorrow will result in:

username:17239:0:99999:7:::
This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.
```

This updated PR adds some missing calls to gettime (). This was originally
filed by Johannes Schauer in Debian as #917773 [2].

[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/
[2] https://bugs.debian.org/917773

5 years agoMerge pull request #157 from t8m/close-crash
Christian Brauner [Mon, 25 Mar 2019 19:56:55 +0000 (12:56 -0700)]
Merge pull request #157 from t8m/close-crash

Do not crash in commonio_close if database FILE not opened.

5 years agoDo not crash in commonio_close if database FILE not opened.
Tomas Mraz [Mon, 25 Mar 2019 13:51:26 +0000 (14:51 +0100)]
Do not crash in commonio_close if database FILE not opened.

The db->fp can be NULL if commonio_unlock() is called when the
shadow file is opened but did not exist before.

5 years agoAdd Christian to maintainers list
Serge Hallyn [Mon, 18 Mar 2019 02:11:05 +0000 (21:11 -0500)]
Add Christian to maintainers list

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agoREADME: Update the homepage link
Serge Hallyn [Sun, 17 Mar 2019 16:43:07 +0000 (11:43 -0500)]
README: Update the homepage link

and remove ftp.  Maybe i should run an ftp server for releases...

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agoREADME: Add Eric to contributors list
Serge Hallyn [Sun, 17 Mar 2019 16:39:24 +0000 (11:39 -0500)]
README: Add Eric to contributors list

subids were not a small amount of work.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
5 years agoDo not flush nscd and sssd cache in read-only mode
Charlie Vuillemez [Wed, 27 Feb 2019 16:28:39 +0000 (17:28 +0100)]
Do not flush nscd and sssd cache in read-only mode

Fix #155

signed-off-by: Charlie Vuillemez <cvuillemez@users.noreply.github.com>

5 years agoMerge pull request #153 from AlbanVidal/man-po-fr
Serge Hallyn [Tue, 19 Feb 2019 06:49:40 +0000 (00:49 -0600)]
Merge pull request #153 from AlbanVidal/man-po-fr

French man translation update

5 years agoFrench man translation update
Alban VIDAL [Mon, 11 Feb 2019 06:02:52 +0000 (07:02 +0100)]
French man translation update
- translated by Jean-Philippe MENGUAL
- proofread by the debian-l10n-french mailing list contributors

Signed-off-by: Alban VIDAL <alban.vidal@zordhak.fr>
5 years agoMerge pull request #151 from t8m/uid-count-default
Christian Brauner [Fri, 1 Feb 2019 08:11:27 +0000 (09:11 +0100)]
Merge pull request #151 from t8m/uid-count-default

Fix the default mentioned in man page for SUB_UID/GID_COUNT variables.

5 years agoFix the default mentioned in man page for SUB_UID/GID_COUNT variables.
Tomas Mraz [Thu, 31 Jan 2019 12:30:59 +0000 (13:30 +0100)]
Fix the default mentioned in man page for SUB_UID/GID_COUNT variables.

5 years agoMerge pull request #148 from AlbanVidal/master
Serge Hallyn [Sun, 27 Jan 2019 04:58:53 +0000 (22:58 -0600)]
Merge pull request #148 from AlbanVidal/master

Sync po files from template "shadow.pot" file

5 years agoSync po files from pot shadow.pot file
Alban VIDAL [Sat, 19 Jan 2019 12:32:42 +0000 (13:32 +0100)]
Sync po files from pot shadow.pot file

Signed-off-by: Alban VIDAL <alban.vidal@zordhak.fr>
5 years agousermod: Guard against unsafe change of ownership of home directory content
Tomas Mraz [Tue, 18 Dec 2018 15:32:13 +0000 (16:32 +0100)]
usermod: Guard against unsafe change of ownership of home directory content

In case the home directory is not a real home directory
(owned by the user) but things like / or /var or similar,
it is unsafe to change ownership of home directory content.

The test checks whether the home directory is owned by the
user him/herself, if not no ownership modification of contents
is performed.

5 years agologin.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
Tomas Mraz [Wed, 28 Nov 2018 13:57:16 +0000 (14:57 +0100)]
login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.

As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.

5 years agoidmap: always seteuid to the owner of the namespace
Giuseppe Scrivano [Tue, 20 Nov 2018 19:43:43 +0000 (20:43 +0100)]
idmap: always seteuid to the owner of the namespace

simplify the condition for setting the euid of the process.  Now it is
always set when we are running as root, the issue was introduced with
the commit 52c081b02c4ca4432330ee336a60f6f803431e63

Changelog: 2018-11-24 - seh - enforce that euid only gets set to ruid if
   it currently == 0 (i.e. really was setuid-*root*).

Closes: https://github.com/genuinetools/img/issues/191
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
6 years agoMerge pull request #138 from brauner/2018-10-27/setuid_fscaps
Serge Hallyn [Sun, 28 Oct 2018 00:00:23 +0000 (19:00 -0500)]
Merge pull request #138 from brauner/2018-10-27/setuid_fscaps

new{g,u}idmap: align setuid and fscaps behavior

6 years agonew{g,u}idmap: align setuid and fscaps behavior
Christian Brauner [Sat, 27 Oct 2018 16:23:50 +0000 (18:23 +0200)]
new{g,u}idmap: align setuid and fscaps behavior

Commit 1ecca8439d5 ("new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS")
does contain a wrong commit message, is lacking an explanation of the
issue, misses some simplifications and hardening features. This commit
tries to rectify this.

In (crazy) environment where all capabilities are dropped from the
capability bounding set apart from CAP_SET{G,U}ID setuid- and
fscaps-based new{g,u}idmap binaries behave differently when writing
complex mappings for an unprivileged user:

1. newuidmap is setuid

unshare -U sleep infinity &
newuidmap $? 0 100000 65536

First file_ns_capable(file, ns, CAP_SYS_ADMIN) is hit. This calls into
cap_capable() and hits the loop

for (;;) {
        /* Do we have the necessary capabilities? */
        if (ns == cred->user_ns)
                return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

        /*
         * If we're already at a lower level than we're looking for,
         * we're done searching.
         */
        if (ns->level <= cred->user_ns->level)
                return -EPERM;

        /*
         * The owner of the user namespace in the parent of the
         * user namespace has all caps.
        */
        if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
                return 0;

        /*
         * If you have a capability in a parent user ns, then you have
         * it over all children user namespaces as well.
        */
        ns = ns->parent;
}

The first check fails and falls through to the end of the loop and
retrieves the parent user namespace and checks whether CAP_SYS_ADMIN is
available there which isn't.

2. newuidmap has CAP_SETUID as fscaps set

unshare -U sleep infinity &
newuidmap $? 0 100000 65536

The first file_ns_capable() check for CAP_SYS_ADMIN is passed since the
euid has not been changed:

if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
        return 0;

Now new_idmap_permitted() is hit which calls ns_capable(ns->parent,
CAP_SET{G,U}ID). This check passes since CAP_SET{G,U}ID is available in
the parent user namespace.
Now file_ns_capable(file, ns->parent, CAP_SETUID) is hit and the
cap_capable() loop (see above) is entered again. This passes

if (ns == cred->user_ns)
        return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

since CAP_SET{G,U}ID is available in the parent user namespace. Now the
mapping can be written.

There is no need for this descrepancy between setuid and fscaps based
new{g,u}idmap binaries. The solution is to do a
seteuid() back to the unprivileged uid and PR_SET_KEEPCAPS to keep
CAP_SET{G,U}ID. The seteuid() will cause the
file_ns_capable(file, ns, CAP_SYS_ADMIN) check to pass and the
PR_SET_KEEPCAPS for CAP_SET{G,U}ID will cause the CAP_SET{G,U}ID to
pass.

Fixes: 1ecca8439d5 ("new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
6 years agoMerge pull request #136 from giuseppe/fcap-newuidmap-newgidmap
Serge Hallyn [Sat, 27 Oct 2018 16:26:31 +0000 (11:26 -0500)]
Merge pull request #136 from giuseppe/fcap-newuidmap-newgidmap

newuidmap/newgidmap: install with file capabilities

6 years agoMerge pull request #132 from giuseppe/no-cap-sys-admin
Serge Hallyn [Sat, 27 Oct 2018 16:22:37 +0000 (11:22 -0500)]
Merge pull request #132 from giuseppe/no-cap-sys-admin

newuidmap/newgidmap: do not require CAP_SYS_ADMIN in the parent user namespace

6 years agonewuidmap/newgidmap: install with file capabilities
Giuseppe Scrivano [Wed, 24 Oct 2018 09:08:28 +0000 (11:08 +0200)]
newuidmap/newgidmap: install with file capabilities

do not install newuidmap/newgidmap as suid binaries.  Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
6 years agoMerge pull request #118 from AdelieLinux/utmpx-only-support
Serge Hallyn [Wed, 24 Oct 2018 03:35:19 +0000 (22:35 -0500)]
Merge pull request #118 from AdelieLinux/utmpx-only-support

[WIP] Support systems that only have utmpx

6 years agoMerge pull request #133 from t8m/trivial
Serge Hallyn [Wed, 24 Oct 2018 03:21:12 +0000 (22:21 -0500)]
Merge pull request #133 from t8m/trivial

Fix some issues found in Coverity scan.

6 years agonew[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS
Giuseppe Scrivano [Mon, 8 Oct 2018 16:18:18 +0000 (18:18 +0200)]
new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS

if the euid!=owner of the userns, the kernel returns EPERM when trying
to write the uidmap and there is no CAP_SYS_ADMIN in the parent
namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
6 years agoMerge pull request #128 from jhrozek/sssd
Serge Hallyn [Thu, 18 Oct 2018 19:26:38 +0000 (12:26 -0700)]
Merge pull request #128 from jhrozek/sssd

Flush sssd caches in addition to nscd caches

6 years agouseradd: fix segfault trying to overwrite const data with mkstemp
Tomas Mraz [Fri, 12 Oct 2018 08:14:02 +0000 (10:14 +0200)]
useradd: fix segfault trying to overwrite const data with mkstemp

Also fix memory leaks in error paths.

6 years agoFix some issues found in Coverity scan.
Tomas Mraz [Wed, 10 Oct 2018 10:22:04 +0000 (12:22 +0200)]
Fix some issues found in Coverity scan.

6 years agoFlush sssd caches in addition to nscd caches
Jakub Hrozek [Wed, 12 Sep 2018 12:22:11 +0000 (14:22 +0200)]
Flush sssd caches in addition to nscd caches

Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.

6 years agoMerge pull request #122 from ivladdalvi/nologin-uid
Serge Hallyn [Mon, 13 Aug 2018 23:37:02 +0000 (18:37 -0500)]
Merge pull request #122 from ivladdalvi/nologin-uid

Log UID in nologin

6 years agoLog UID in nologin
Vladimir Ivanov [Fri, 3 Aug 2018 01:44:16 +0000 (09:44 +0800)]
Log UID in nologin

Sometimes getlogin() may fail, e.g., in a chroot() environment or due to NSS
misconfiguration. Loggin UID allows for investigation and troubleshooting in
such situation.

6 years agoMerge pull request #116 from LionNatsu/master
Serge Hallyn [Sat, 11 Aug 2018 05:40:02 +0000 (00:40 -0500)]
Merge pull request #116 from LionNatsu/master

po/zh_CN: update

6 years agoMerge pull request #119 from mvo5/su-l
Serge Hallyn [Sat, 11 Aug 2018 05:39:07 +0000 (00:39 -0500)]
Merge pull request #119 from mvo5/su-l

su.c: run pam_getenvlist() after setup_env

6 years agosu.c: run pam_getenvlist() after setup_env
Michael Vogt [Mon, 25 Jun 2018 14:00:17 +0000 (16:00 +0200)]
su.c: run pam_getenvlist() after setup_env

When "su -l" is used the behaviour is described as similar to
a direct login. However login.c is doing a setup_env(pw) and then a
pam_getenvlist() in this scenario. But su.c is doing it the other
way around. Which means that the value of PATH from /etc/environment
is overriden. I think this is a bug because:

The man-page claims that "-l": "provides an environment similar
to what the user would expect had the user logged in directly."

And login.c is using the PATH from /etc/environment.

This will fix:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/984390

6 years agoSupport systems that only have utmpx
A. Wilcox [Sun, 24 Jun 2018 05:13:12 +0000 (00:13 -0500)]
Support systems that only have utmpx

This allows shadow-utils to build on systems like Adélie, which have no
<utmp.h> header or `struct utmp`.  We use a <utmpx.h>-based daemon,
utmps[1], which uses `struct utmpx` only.

Tested both `login` and `logoutd` with utmps and both work correctly.

[1]: http://skarnet.org/software/utmps/

6 years agoMerge pull request #117 from rindeal/ENABLE_SUBIDS
Serge Hallyn [Tue, 19 Jun 2018 12:17:57 +0000 (08:17 -0400)]
Merge pull request #117 from rindeal/ENABLE_SUBIDS

fix unguarded ENABLE_SUBIDS code

6 years agofix unguarded ENABLE_SUBIDS code
Jan Chren (rindeal) [Mon, 18 Jun 2018 13:51:27 +0000 (15:51 +0200)]
fix unguarded ENABLE_SUBIDS code

6 years agopo/zh_CN: update
Lion Yang [Sat, 16 Jun 2018 10:26:28 +0000 (18:26 +0800)]
po/zh_CN: update

6 years agoMerge pull request #112 from jubalh/useradd-mkdirs
Serge Hallyn [Wed, 23 May 2018 14:57:40 +0000 (09:57 -0500)]
Merge pull request #112 from jubalh/useradd-mkdirs

Create parent dirs for useradd -m

6 years agoCreate parent dirs for useradd -m
Michael Vetter [Tue, 15 May 2018 15:25:52 +0000 (17:25 +0200)]
Create parent dirs for useradd -m

Equivalent of `mkdir -p`. It will create all parent directories.
Example: `useradd -d /home2/testu1 -m testu1`

Based on https://github.com/shadow-maint/shadow/pull/2 by Thorsten Kukuk
and Thorsten Behrens which was Code from pwdutils 3.2.2 with slight adaptations.

Adapted to so it applies to current code.

6 years agousermod: prevent a segv
Serge Hallyn [Wed, 9 May 2018 02:37:55 +0000 (21:37 -0500)]
usermod: prevent a segv

in the case where prefix does not exist.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
6 years agoFix usermod crash
fariouche [Wed, 9 May 2018 02:17:46 +0000 (21:17 -0500)]
Fix usermod crash

Return newly allocated pointers when the caller will free them.

Closes #110

6 years agorelease 4.6 4.6
Serge Hallyn [Sun, 29 Apr 2018 16:41:41 +0000 (11:41 -0500)]
release 4.6

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
6 years agoMerge pull request #103 from HarmtH/be-predictable
Serge Hallyn [Fri, 30 Mar 2018 06:10:51 +0000 (23:10 -0700)]
Merge pull request #103 from HarmtH/be-predictable

su.c: be more predictable

6 years agoMerge pull request #21 from fariouche/master
Serge Hallyn [Fri, 30 Mar 2018 05:36:28 +0000 (22:36 -0700)]
Merge pull request #21 from fariouche/master

Add --prefix argument

6 years agoMerge pull request #102 from HarmtH/fix-dashdash-slurp
Serge Hallyn [Thu, 29 Mar 2018 22:45:54 +0000 (15:45 -0700)]
Merge pull request #102 from HarmtH/fix-dashdash-slurp

su.c: fix '--' slurping

6 years agoadd --prefix option: some fixes + fixed pwd.lock file location
fariouche [Wed, 28 Mar 2018 19:14:12 +0000 (21:14 +0200)]
add --prefix option: some fixes + fixed pwd.lock file location

6 years agoMerge remote-tracking branch 'upstream/master'
fariouche [Wed, 28 Mar 2018 19:11:36 +0000 (21:11 +0200)]
Merge remote-tracking branch 'upstream/master'

6 years agosu.c: be more predictable
Harm te Hennepe [Mon, 26 Mar 2018 22:45:03 +0000 (00:45 +0200)]
su.c: be more predictable

Always parse first non-option as username.

6 years agosu.c: fix '--' slurping
Harm te Hennepe [Mon, 26 Mar 2018 20:37:56 +0000 (22:37 +0200)]
su.c: fix '--' slurping

All arguments are already reordered and parsed by getopt_long since e663c69, so manual '--' slurping is wrong.

Closes #101

6 years agopwconv and grpconv: rewind after deleting an entry
Serge Hallyn [Sun, 25 Mar 2018 14:18:22 +0000 (09:18 -0500)]
pwconv and grpconv: rewind after deleting an entry

Otherwise our spw_next() will cause us to skip an entry.
Ideally we'd be able to do an swp_rewind(1), but I don't
see a helper for this.

Closes #60

Signed-off-by: Serge Hallyn <shallyn@cisco.com>