author | Chen Qi <Qi.Chen@windriver.com> | 2018-07-27 16:04:34 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-07-30 12:44:35 +0100 |
commit | ffb63803eac6ba97d1b9e1f3d648bc4d81bf0276 (patch) | |
tree | d29c106cf81ae93e47b30aaaf87e10bbcdfc10eb | |
parent | 96f011e628fe360644bfdd7650145b996d61740c (diff) | |
download | poky-ffb63803eac6ba97d1b9e1f3d648bc4d81bf0276.tar.gz |
shadow: upgrade 4.2.1 -> 4.6
The following patches are removed because the problems they address have been fixed in this version.
0001-shadow-CVE-2017-12424
fix-installation-failure-with-subids-disabled.patch
usermod-fix-compilation-failure-with-subids-disabled.patch
CVE-2017-2616.patch
check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
0001-Do-not-read-login.defs-before-doing-chroot.patch
The following patches are rebased.
0001-Disable-use-of-syslog-for-sysroot.patch
0001-useradd-copy-extended-attributes-of-home.patch
0001-useradd.c-create-parent-directories-when-necessary.patch
allow-for-setting-password-in-clear-text.patch
(From OE-Core rev: 79dd22729d5b8a2f2cf4294ff6b261c9d6ecd977)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
14 files changed, 209 insertions, 375 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch index a6f604b652..aac2d42b12 100644 --- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch +++ b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch | |||
@@ -11,6 +11,7 @@ Upstream-Status: Inappropriate [disable feature] | |||
11 | 11 | ||
12 | Signed-off-by: Scott Garman <scott.a.garman@intel.com> | 12 | Signed-off-by: Scott Garman <scott.a.garman@intel.com> |
13 | Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> | 13 | Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> |
14 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
14 | --- | 15 | --- |
15 | src/groupadd.c | 3 +++ | 16 | src/groupadd.c | 3 +++ |
16 | src/groupdel.c | 3 +++ | 17 | src/groupdel.c | 3 +++ |
@@ -22,7 +23,7 @@ Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> | |||
22 | 7 files changed, 21 insertions(+) | 23 | 7 files changed, 21 insertions(+) |
23 | 24 | ||
24 | diff --git a/src/groupadd.c b/src/groupadd.c | 25 | diff --git a/src/groupadd.c b/src/groupadd.c |
25 | index 39b4ec0..f716f57 100644 | 26 | index 63e1c48..a596c49 100644 |
26 | --- a/src/groupadd.c | 27 | --- a/src/groupadd.c |
27 | +++ b/src/groupadd.c | 28 | +++ b/src/groupadd.c |
28 | @@ -34,6 +34,9 @@ | 29 | @@ -34,6 +34,9 @@ |
@@ -36,7 +37,7 @@ index 39b4ec0..f716f57 100644 | |||
36 | #include <fcntl.h> | 37 | #include <fcntl.h> |
37 | #include <getopt.h> | 38 | #include <getopt.h> |
38 | diff --git a/src/groupdel.c b/src/groupdel.c | 39 | diff --git a/src/groupdel.c b/src/groupdel.c |
39 | index da99347..46a679c 100644 | 40 | index 70bed01..ababd81 100644 |
40 | --- a/src/groupdel.c | 41 | --- a/src/groupdel.c |
41 | +++ b/src/groupdel.c | 42 | +++ b/src/groupdel.c |
42 | @@ -34,6 +34,9 @@ | 43 | @@ -34,6 +34,9 @@ |
@@ -50,7 +51,7 @@ index da99347..46a679c 100644 | |||
50 | #include <fcntl.h> | 51 | #include <fcntl.h> |
51 | #include <grp.h> | 52 | #include <grp.h> |
52 | diff --git a/src/groupmems.c b/src/groupmems.c | 53 | diff --git a/src/groupmems.c b/src/groupmems.c |
53 | index e4f107f..95cb073 100644 | 54 | index fc91c8b..2842514 100644 |
54 | --- a/src/groupmems.c | 55 | --- a/src/groupmems.c |
55 | +++ b/src/groupmems.c | 56 | +++ b/src/groupmems.c |
56 | @@ -32,6 +32,9 @@ | 57 | @@ -32,6 +32,9 @@ |
@@ -64,7 +65,7 @@ index e4f107f..95cb073 100644 | |||
64 | #include <getopt.h> | 65 | #include <getopt.h> |
65 | #include <grp.h> | 66 | #include <grp.h> |
66 | diff --git a/src/groupmod.c b/src/groupmod.c | 67 | diff --git a/src/groupmod.c b/src/groupmod.c |
67 | index d9d3807..6229737 100644 | 68 | index 72daf2c..8965f9d 100644 |
68 | --- a/src/groupmod.c | 69 | --- a/src/groupmod.c |
69 | +++ b/src/groupmod.c | 70 | +++ b/src/groupmod.c |
70 | @@ -34,6 +34,9 @@ | 71 | @@ -34,6 +34,9 @@ |
@@ -78,7 +79,7 @@ index d9d3807..6229737 100644 | |||
78 | #include <fcntl.h> | 79 | #include <fcntl.h> |
79 | #include <getopt.h> | 80 | #include <getopt.h> |
80 | diff --git a/src/useradd.c b/src/useradd.c | 81 | diff --git a/src/useradd.c b/src/useradd.c |
81 | index e1ebf50..25679d8 100644 | 82 | index 3aaf45c..1ab9174 100644 |
82 | --- a/src/useradd.c | 83 | --- a/src/useradd.c |
83 | +++ b/src/useradd.c | 84 | +++ b/src/useradd.c |
84 | @@ -34,6 +34,9 @@ | 85 | @@ -34,6 +34,9 @@ |
@@ -92,7 +93,7 @@ index e1ebf50..25679d8 100644 | |||
92 | #include <ctype.h> | 93 | #include <ctype.h> |
93 | #include <errno.h> | 94 | #include <errno.h> |
94 | diff --git a/src/userdel.c b/src/userdel.c | 95 | diff --git a/src/userdel.c b/src/userdel.c |
95 | index 19b12bc..a083929 100644 | 96 | index c8de1d3..24d3ea9 100644 |
96 | --- a/src/userdel.c | 97 | --- a/src/userdel.c |
97 | +++ b/src/userdel.c | 98 | +++ b/src/userdel.c |
98 | @@ -34,6 +34,9 @@ | 99 | @@ -34,6 +34,9 @@ |
@@ -102,11 +103,11 @@ index 19b12bc..a083929 100644 | |||
102 | +/* Disable use of syslog since we're running this command against a sysroot */ | 103 | +/* Disable use of syslog since we're running this command against a sysroot */ |
103 | +#undef USE_SYSLOG | 104 | +#undef USE_SYSLOG |
104 | + | 105 | + |
106 | #include <assert.h> | ||
105 | #include <errno.h> | 107 | #include <errno.h> |
106 | #include <fcntl.h> | 108 | #include <fcntl.h> |
107 | #include <getopt.h> | ||
108 | diff --git a/src/usermod.c b/src/usermod.c | 109 | diff --git a/src/usermod.c b/src/usermod.c |
109 | index 685b50a..28e5cfc 100644 | 110 | index ccfbb99..24fb60d 100644 |
110 | --- a/src/usermod.c | 111 | --- a/src/usermod.c |
111 | +++ b/src/usermod.c | 112 | +++ b/src/usermod.c |
112 | @@ -34,6 +34,9 @@ | 113 | @@ -34,6 +34,9 @@ |
@@ -116,9 +117,9 @@ index 685b50a..28e5cfc 100644 | |||
116 | +/* Disable use of syslog since we're running this command against a sysroot */ | 117 | +/* Disable use of syslog since we're running this command against a sysroot */ |
117 | +#undef USE_SYSLOG | 118 | +#undef USE_SYSLOG |
118 | + | 119 | + |
120 | #include <assert.h> | ||
119 | #include <ctype.h> | 121 | #include <ctype.h> |
120 | #include <errno.h> | 122 | #include <errno.h> |
121 | #include <fcntl.h> | ||
122 | -- | 123 | -- |
123 | 2.1.0 | 124 | 2.11.0 |
124 | 125 | ||
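--- a/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 170c25c8e0b5c3dc2615d1db94c8d24a13ff99bf Mon Sep 17 00:00:00 2001
-From: Peter Kjellerstedt <pkj@axis.com>
-Date: Thu, 11 Sep 2014 15:11:23 +0200
-Subject: [PATCH] Do not read login.defs before doing chroot()
-
-If "useradd --root <root> ..." was used, the login.defs file would still
-be read from /etc/login.defs instead of <root>/etc/login.defs. This was
-due to getdef_ulong() being called before process_root_flag().
-
-Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2014-September/010446.html]
-
-Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
----
-src/useradd.c | 8 ++++++--
-1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index a8a1f76..e1ebf50 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1993,9 +1993,11 @@ int main (int argc, char **argv)
-#endif /* USE_PAM */
-#endif /* ACCT_TOOLS_SETUID */
-
-+#ifdef ENABLE_SUBIDS
-/* Needed for userns check */
-- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
-+ uid_t uid_min;
-+ uid_t uid_max;
-+#endif
-
-/*
-* Get my name so that I can use it to report errors.
-@@ -2026,6 +2028,8 @@ int main (int argc, char **argv)
-is_shadow_grp = sgr_file_present ();
-#endif
-#ifdef ENABLE_SUBIDS
-+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
-is_sub_uid = sub_uid_file_present () && !rflg &&
-(!user_id || (user_id <= uid_max && user_id >= uid_min));
-is_sub_gid = sub_gid_file_present () && !rflg &&
---
-1.9.0
-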
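--- a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
+++ /dev/null
@@ -1,46 +0,0 @@
-From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Fri, 31 Mar 2017 16:25:06 +0200
-Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
-
-If ptr->line == NULL for an entry, the first cycle will exit,
-but the second one will happily write past entries buffer.
-We actually do not want to exit the first cycle prematurely
-on ptr->line == NULL.
-Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
-
-CVE: CVE-2017-12424
-Upstream-Status: Backport
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
-lib/commonio.c | 8 ++++----
-1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/lib/commonio.c b/lib/commonio.c
-index b10da06..31edbaa 100644
---- a/lib/commonio.c
-+++ b/lib/commonio.c
-@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
-for (ptr = db->head;
-(NULL != ptr)
-#if KEEP_NIS_AT_END
-- && (NULL != ptr->line)
-- && ( ('+' != ptr->line[0])
-- && ('-' != ptr->line[0]))
-+ && ((NULL == ptr->line)
-+ || (('+' != ptr->line[0])
-+ && ('-' != ptr->line[0])))
-#endif
-;
-ptr = ptr->next) {
-n++;
-}
-#if KEEP_NIS_AT_END
-- if ((NULL != ptr) && (NULL != ptr->line)) {
-+ if (NULL != ptr) {
-nis = ptr;
-}
-#endif
---
-2.1.0
-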
diff --git a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch index 60a46e1257..474b3a257e 100644 --- a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch +++ b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch | |||
@@ -1,47 +1,41 @@ | |||
1 | From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> | ||
3 | Date: Tue, 7 Mar 2017 16:03:03 +0100 | ||
4 | Subject: [PATCH] useradd: copy extended attributes of home | 1 | Subject: [PATCH] useradd: copy extended attributes of home |
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | 2 | ||
9 | The Home directory wasn't getting the extended attributes | 3 | The Home directory wasn't getting the extended attributes |
10 | of /etc/skel. This patch fixes that issue and adds the copy | 4 | of /etc/skel. This patch fixes that issue and adds the copy |
11 | of the extended attributes of the root of the home directory. | 5 | of the extended attributes of the root of the home directory. |
12 | 6 | ||
13 | Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html] | 7 | Upstream-Status: Pending |
14 | 8 | ||
15 | Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b | ||
16 | Signed-off-by: José Bollo <jose.bollo@iot.bzh> | 9 | Signed-off-by: José Bollo <jose.bollo@iot.bzh> |
10 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
17 | --- | 11 | --- |
18 | src/useradd.c | 6 ++++++ | 12 | src/useradd.c | 6 ++++++ |
19 | 1 file changed, 6 insertions(+) | 13 | 1 file changed, 6 insertions(+) |
20 | 14 | ||
21 | diff --git a/src/useradd.c b/src/useradd.c | 15 | diff --git a/src/useradd.c b/src/useradd.c |
22 | index a8a1f76..8aefb9c 100644 | 16 | index e721e52..c74e491 100644 |
23 | --- a/src/useradd.c | 17 | --- a/src/useradd.c |
24 | +++ b/src/useradd.c | 18 | +++ b/src/useradd.c |
25 | @@ -52,6 +52,9 @@ | 19 | @@ -54,6 +54,9 @@ |
26 | #include <sys/stat.h> | 20 | #include <sys/wait.h> |
27 | #include <sys/types.h> | ||
28 | #include <time.h> | 21 | #include <time.h> |
22 | #include <unistd.h> | ||
29 | +#ifdef WITH_ATTR | 23 | +#ifdef WITH_ATTR |
30 | +#include <attr/libattr.h> | 24 | +#include <attr/libattr.h> |
31 | +#endif | 25 | +#endif |
32 | #include "chkname.h" | 26 | #include "chkname.h" |
33 | #include "defines.h" | 27 | #include "defines.h" |
34 | #include "faillog.h" | 28 | #include "faillog.h" |
35 | @@ -1915,6 +1918,9 @@ static void create_home (void) | 29 | @@ -2042,6 +2045,9 @@ static void create_home (void) |
36 | chown (user_home, user_id, user_gid); | 30 | (void) chown (prefix_user_home, user_id, user_gid); |
37 | chmod (user_home, | 31 | chmod (prefix_user_home, |
38 | 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); | 32 | 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); |
39 | +#ifdef WITH_ATTR | 33 | +#ifdef WITH_ATTR |
40 | + attr_copy_file (def_template, user_home, NULL, NULL); | 34 | + attr_copy_file (def_template, user_home, NULL, NULL); |
41 | +#endif | 35 | +#endif |
42 | home_added = true; | 36 | home_added = true; |
43 | #ifdef WITH_AUDIT | 37 | #ifdef WITH_AUDIT |
44 | audit_logger (AUDIT_ADD_USER, Prog, | 38 | audit_logger (AUDIT_ADD_USER, Prog, |
45 | -- | 39 | -- |
46 | 2.9.3 | 40 | 2.11.0 |
47 | 41 | ||
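Review bot: The rebased `+` line in create_home() still calls `attr_copy_file (def_template, user_home, NULL, NULL);` while the surrounding 4.6 context now applies chown and chmod to `prefix_user_home`, so when a prefix is in effect the extended attributes (which can carry security labels) would be copied onto a different path than the directory that was just set up. Consider `attr_copy_file (def_template, prefix_user_home, NULL, NULL);`; whether `def_template` also needs a prefixed counterpart cannot be seen from this hunk. The return value is also discarded, so a failed copy leaves the home directory without the template's attributes and nothing is reported. The same `user_home` argument is carried into 0001-useradd.c-create-parent-directories-when-necessary.patch. create_home() starts and ends outside the hunk.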
diff --git a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch index 2f084b4e9b..7024136593 100644 --- a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch +++ b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch | |||
@@ -1,17 +1,17 @@ | |||
1 | Upstream-Status: Inappropriate [OE specific] | 1 | Subject: [PATCH] useradd.c: create parent directories when necessary |
2 | 2 | ||
3 | Subject: useradd.c: create parent directories when necessary | 3 | Upstream-Status: Inappropriate [OE specific] |
4 | 4 | ||
5 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | 5 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
6 | --- | 6 | --- |
7 | src/useradd.c | 72 +++++++++++++++++++++++++++++++++++++++------------------ | 7 | src/useradd.c | 82 +++++++++++++++++++++++++++++++++++++++-------------------- |
8 | 1 file changed, 49 insertions(+), 23 deletions(-) | 8 | 1 file changed, 54 insertions(+), 28 deletions(-) |
9 | 9 | ||
10 | diff --git a/src/useradd.c b/src/useradd.c | 10 | diff --git a/src/useradd.c b/src/useradd.c |
11 | index 4bd969d..cb5dd6c 100644 | 11 | index 7214e72..3aaf45c 100644 |
12 | --- a/src/useradd.c | 12 | --- a/src/useradd.c |
13 | +++ b/src/useradd.c | 13 | +++ b/src/useradd.c |
14 | @@ -1896,6 +1896,35 @@ static void usr_update (void) | 14 | @@ -2021,6 +2021,35 @@ static void usr_update (void) |
15 | } | 15 | } |
16 | 16 | ||
17 | /* | 17 | /* |
@@ -47,63 +47,68 @@ index 4bd969d..cb5dd6c 100644 | |||
47 | * create_home - create the user's home directory | 47 | * create_home - create the user's home directory |
48 | * | 48 | * |
49 | * create_home() creates the user's home directory if it does not | 49 | * create_home() creates the user's home directory if it does not |
50 | @@ -1910,39 +1939,36 @@ static void create_home (void) | 50 | @@ -2038,42 +2067,39 @@ static void create_home (void) |
51 | fail_exit (E_HOMEDIR); | 51 | fail_exit (E_HOMEDIR); |
52 | } | 52 | } |
53 | #endif | 53 | #endif |
54 | - /* XXX - create missing parent directories. --marekm */ | 54 | - /* XXX - create missing parent directories. --marekm */ |
55 | - if (mkdir (user_home, 0) != 0) { | 55 | - if (mkdir (prefix_user_home, 0) != 0) { |
56 | - fprintf (stderr, | 56 | - fprintf (stderr, |
57 | - _("%s: cannot create directory %s\n"), | 57 | - _("%s: cannot create directory %s\n"), |
58 | - Prog, user_home); | 58 | - Prog, prefix_user_home); |
59 | -#ifdef WITH_AUDIT | 59 | + mkdir_p(user_home); |
60 | + } | ||
61 | + if (access (prefix_user_home, F_OK) != 0) { | ||
62 | #ifdef WITH_AUDIT | ||
60 | - audit_logger (AUDIT_ADD_USER, Prog, | 63 | - audit_logger (AUDIT_ADD_USER, Prog, |
61 | - "adding home directory", | 64 | - "adding home directory", |
62 | - user_name, (unsigned int) user_id, | 65 | - user_name, (unsigned int) user_id, |
63 | - SHADOW_AUDIT_FAILURE); | 66 | - SHADOW_AUDIT_FAILURE); |
64 | -#endif | 67 | + audit_logger (AUDIT_ADD_USER, Prog, |
65 | - fail_exit (E_HOMEDIR); | 68 | + "adding home directory", |
66 | - } | 69 | + user_name, (unsigned int) user_id, |
67 | - chown (user_home, user_id, user_gid); | 70 | + SHADOW_AUDIT_FAILURE); |
68 | - chmod (user_home, | ||
69 | - 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); | ||
70 | -#ifdef WITH_ATTR | ||
71 | - attr_copy_file (def_template, user_home, NULL, NULL); | ||
72 | -#endif | ||
73 | - home_added = true; | ||
74 | + mkdir_p(user_home); | ||
75 | + } | ||
76 | + if (access (user_home, F_OK) != 0) { | ||
77 | #ifdef WITH_AUDIT | ||
78 | audit_logger (AUDIT_ADD_USER, Prog, | ||
79 | "adding home directory", | ||
80 | user_name, (unsigned int) user_id, | ||
81 | - SHADOW_AUDIT_SUCCESS); | ||
82 | + SHADOW_AUDIT_FAILURE); | ||
83 | #endif | 71 | #endif |
84 | -#ifdef WITH_SELINUX | ||
85 | - /* Reset SELinux to create files with default contexts */ | ||
86 | - if (reset_selinux_file_context () != 0) { | ||
87 | - fail_exit (E_HOMEDIR); | 72 | - fail_exit (E_HOMEDIR); |
88 | - } | 73 | - } |
74 | - (void) chown (prefix_user_home, user_id, user_gid); | ||
75 | - chmod (prefix_user_home, | ||
76 | - 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); | ||
89 | + fail_exit (E_HOMEDIR); | 77 | + fail_exit (E_HOMEDIR); |
90 | + } | 78 | + } |
91 | + chown (user_home, user_id, user_gid); | 79 | + (void) chown (prefix_user_home, user_id, user_gid); |
92 | + chmod (user_home, | 80 | + chmod (prefix_user_home, |
93 | + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); | 81 | + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); |
94 | +#ifdef WITH_ATTR | 82 | #ifdef WITH_ATTR |
83 | - attr_copy_file (def_template, user_home, NULL, NULL); | ||
95 | + attr_copy_file (def_template, user_home, NULL, NULL); | 84 | + attr_copy_file (def_template, user_home, NULL, NULL); |
96 | +#endif | 85 | #endif |
86 | - home_added = true; | ||
97 | + home_added = true; | 87 | + home_added = true; |
98 | +#ifdef WITH_AUDIT | 88 | #ifdef WITH_AUDIT |
89 | - audit_logger (AUDIT_ADD_USER, Prog, | ||
90 | - "adding home directory", | ||
91 | - user_name, (unsigned int) user_id, | ||
92 | - SHADOW_AUDIT_SUCCESS); | ||
99 | + audit_logger (AUDIT_ADD_USER, Prog, | 93 | + audit_logger (AUDIT_ADD_USER, Prog, |
100 | + "adding home directory", | 94 | + "adding home directory", |
101 | + user_name, (unsigned int) user_id, | 95 | + user_name, (unsigned int) user_id, |
102 | + SHADOW_AUDIT_SUCCESS); | 96 | + SHADOW_AUDIT_SUCCESS); |
103 | #endif | 97 | #endif |
104 | +#ifdef WITH_SELINUX | 98 | #ifdef WITH_SELINUX |
99 | - /* Reset SELinux to create files with default contexts */ | ||
100 | - if (reset_selinux_file_context () != 0) { | ||
101 | - fprintf (stderr, | ||
102 | - _("%s: cannot reset SELinux file creation context\n"), | ||
103 | - Prog); | ||
104 | - fail_exit (E_HOMEDIR); | ||
105 | - } | ||
106 | -#endif | ||
105 | + /* Reset SELinux to create files with default contexts */ | 107 | + /* Reset SELinux to create files with default contexts */ |
106 | + if (reset_selinux_file_context () != 0) { | 108 | + if (reset_selinux_file_context () != 0) { |
109 | + fprintf (stderr, | ||
110 | + _("%s: cannot reset SELinux file creation context\n"), | ||
111 | + Prog); | ||
107 | + fail_exit (E_HOMEDIR); | 112 | + fail_exit (E_HOMEDIR); |
108 | } | 113 | } |
109 | +#endif | 114 | +#endif |
@@ -111,5 +116,5 @@ index 4bd969d..cb5dd6c 100644 | |||
111 | 116 | ||
112 | /* | 117 | /* |
113 | -- | 118 | -- |
114 | 1.7.9.5 | 119 | 2.11.0 |
115 | 120 | ||
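Review bot: The rebased create_home() hunk creates the directory with `mkdir_p(user_home);` but then tests, chowns and chmods `prefix_user_home`, so the two paths diverge whenever a prefix is set; `mkdir_p(prefix_user_home);` would keep them aligned. mkdir_p's result is not checked at the call site and the only guard is `access (prefix_user_home, F_OK)`, which confirms that something exists at the path but not that it is a directory created by this run, so the following chown/chmod can land on a pre-existing object. Checking the result with `lstat()` and `S_ISDIR` before changing ownership, or having mkdir_p report failure to the caller, would close that gap. mkdir_p's body and the start of create_home() lie outside the visible hunks, so this is inferred from the call sites only.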
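--- a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-shadow-4.2.1: Fix CVE-2017-2616
-
-[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
-
-su: properly clear child PID
-
-If su is compiled with PAM support, it is possible for any local user
-to send SIGKILL to other processes with root privileges. There are
-only two conditions. First, the user must be able to perform su with
-a successful login. This does NOT have to be the root user, even using
-su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
-can only be sent to processes which were executed after the su process.
-It is not possible to send SIGKILL to processes which were already
-running. I consider this as a security vulnerability, because I was
-able to write a proof of concept which unlocked a screen saver of
-another user this way.
-
-Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
-CVE: CVE-2017-2616
-bug: 855943
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-
-diff --git a/src/su.c b/src/su.c
-index 3704217..1efcd61 100644
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
-/* wake child when resumed */
-kill (pid, SIGCONT);
-stop = false;
-+ } else {
-+ pid_child = 0;
-}
-} while (!stop);
-}
-
-- if (0 != caught) {
-+ if (0 != caught && 0 != pid_child) {
-(void) fputs ("\n", stderr);
-(void) fputs (_("Session terminated, terminating shell..."),
-stderr);
-(void) kill (-pid_child, caught);
-
-(void) signal (SIGALRM, kill_child);
-+ (void) signal (SIGCHLD, catch_signals);
-(void) alarm (2);
-
-- (void) wait (&status);
-+ sigemptyset (&ourset);
-+ if ((sigaddset (&ourset, SIGALRM) != 0)
-+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
-+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
-+ kill_child (0);
-+ } else {
-+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
-+ sigsuspend (&ourset);
-+ }
-+ pid_child = 0;
-+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
-+ }
-+
-(void) fputs (_(" ...terminated.\n"), stderr);
-}
-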
diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch index 615c6e002d..fa7eb07aa5 100644 --- a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch +++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch | |||
@@ -1,21 +1,21 @@ | |||
1 | Upstream-Status: Inappropriate [OE specific] | 1 | Subject: [PATCH] Allow for setting password in clear text |
2 | 2 | ||
3 | Allow for setting password in clear text. | 3 | Upstream-Status: Inappropriate [OE specific] |
4 | 4 | ||
5 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | 5 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
6 | --- | 6 | --- |
7 | src/Makefile.am | 8 ++++---- | 7 | src/Makefile.am | 8 ++++---- |
8 | src/groupadd.c | 8 +++++++- | 8 | src/groupadd.c | 20 +++++++++++++++----- |
9 | src/groupmod.c | 8 +++++++- | 9 | src/groupmod.c | 20 +++++++++++++++----- |
10 | src/useradd.c | 9 +++++++-- | 10 | src/useradd.c | 21 +++++++++++++++------ |
11 | src/usermod.c | 8 +++++++- | 11 | src/usermod.c | 20 +++++++++++++++----- |
12 | 5 files changed, 32 insertions(+), 9 deletions(-) | 12 | 5 files changed, 64 insertions(+), 25 deletions(-) |
13 | 13 | ||
14 | diff --git a/src/Makefile.am b/src/Makefile.am | 14 | diff --git a/src/Makefile.am b/src/Makefile.am |
15 | index 25e288d..856b087 100644 | 15 | index 3c98a8d..b8093d5 100644 |
16 | --- a/src/Makefile.am | 16 | --- a/src/Makefile.am |
17 | +++ b/src/Makefile.am | 17 | +++ b/src/Makefile.am |
18 | @@ -88,10 +88,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) | 18 | @@ -93,10 +93,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) |
19 | chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) | 19 | chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) |
20 | chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) | 20 | chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) |
21 | gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) | 21 | gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) |
@@ -28,9 +28,9 @@ index 25e288d..856b087 100644 | |||
28 | grpck_LDADD = $(LDADD) $(LIBSELINUX) | 28 | grpck_LDADD = $(LDADD) $(LIBSELINUX) |
29 | grpconv_LDADD = $(LDADD) $(LIBSELINUX) | 29 | grpconv_LDADD = $(LDADD) $(LIBSELINUX) |
30 | grpunconv_LDADD = $(LDADD) $(LIBSELINUX) | 30 | grpunconv_LDADD = $(LDADD) $(LIBSELINUX) |
31 | @@ -111,9 +111,9 @@ su_SOURCES = \ | 31 | @@ -117,9 +117,9 @@ su_SOURCES = \ |
32 | suauth.c | 32 | suauth.c |
33 | su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) | 33 | su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) |
34 | sulogin_LDADD = $(LDADD) $(LIBCRYPT) | 34 | sulogin_LDADD = $(LDADD) $(LIBCRYPT) |
35 | -useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) | 35 | -useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) |
36 | +useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) | 36 | +useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) |
@@ -41,33 +41,39 @@ index 25e288d..856b087 100644 | |||
41 | 41 | ||
42 | install-am: all-am | 42 | install-am: all-am |
43 | diff --git a/src/groupadd.c b/src/groupadd.c | 43 | diff --git a/src/groupadd.c b/src/groupadd.c |
44 | index f716f57..4e28c26 100644 | 44 | index b57006c..63e1c48 100644 |
45 | --- a/src/groupadd.c | 45 | --- a/src/groupadd.c |
46 | +++ b/src/groupadd.c | 46 | +++ b/src/groupadd.c |
47 | @@ -124,6 +124,7 @@ static /*@noreturn@*/void usage (int status) | 47 | @@ -123,9 +123,10 @@ static /*@noreturn@*/void usage (int status) |
48 | (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" | 48 | (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" |
49 | " (non-unique) GID\n"), usageout); | 49 | " (non-unique) GID\n"), usageout); |
50 | (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); | 50 | (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); |
51 | + (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout); | 51 | + (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout); |
52 | (void) fputs (_(" -r, --system create a system account\n"), usageout); | 52 | (void) fputs (_(" -r, --system create a system account\n"), usageout); |
53 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); | 53 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); |
54 | - (void) fputs (_(" -P, --prefix PREFIX_DIR directory prefix\n"), usageout); | ||
55 | + (void) fputs (_(" -A, --prefix PREFIX_DIR directory prefix\n"), usageout); | ||
54 | (void) fputs ("\n", usageout); | 56 | (void) fputs ("\n", usageout); |
55 | @@ -387,12 +388,13 @@ static void process_flags (int argc, char **argv) | 57 | exit (status); |
58 | } | ||
59 | @@ -387,13 +388,14 @@ static void process_flags (int argc, char **argv) | ||
56 | {"key", required_argument, NULL, 'K'}, | 60 | {"key", required_argument, NULL, 'K'}, |
57 | {"non-unique", no_argument, NULL, 'o'}, | 61 | {"non-unique", no_argument, NULL, 'o'}, |
58 | {"password", required_argument, NULL, 'p'}, | 62 | {"password", required_argument, NULL, 'p'}, |
59 | + {"clear-password", required_argument, NULL, 'P'}, | 63 | + {"clear-password", required_argument, NULL, 'P'}, |
60 | {"system", no_argument, NULL, 'r'}, | 64 | {"system", no_argument, NULL, 'r'}, |
61 | {"root", required_argument, NULL, 'R'}, | 65 | {"root", required_argument, NULL, 'R'}, |
66 | - {"prefix", required_argument, NULL, 'P'}, | ||
67 | + {"prefix", required_argument, NULL, 'A'}, | ||
62 | {NULL, 0, NULL, '\0'} | 68 | {NULL, 0, NULL, '\0'} |
63 | }; | 69 | }; |
64 | 70 | ||
65 | - while ((c = getopt_long (argc, argv, "fg:hK:op:rR:", | 71 | - while ((c = getopt_long (argc, argv, "fg:hK:op:rR:P:", |
66 | + while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:", | 72 | + while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:A:", |
67 | long_options, NULL)) != -1) { | 73 | long_options, NULL)) != -1) { |
68 | switch (c) { | 74 | switch (c) { |
69 | case 'f': | 75 | case 'f': |
70 | @@ -444,6 +446,10 @@ static void process_flags (int argc, char **argv) | 76 | @@ -445,12 +447,20 @@ static void process_flags (int argc, char **argv) |
71 | pflg = true; | 77 | pflg = true; |
72 | group_passwd = optarg; | 78 | group_passwd = optarg; |
73 | break; | 79 | break; |
@@ -78,32 +84,57 @@ index f716f57..4e28c26 100644 | |||
78 | case 'r': | 84 | case 'r': |
79 | rflg = true; | 85 | rflg = true; |
80 | break; | 86 | break; |
87 | case 'R': /* no-op, handled in process_root_flag () */ | ||
88 | break; | ||
89 | - case 'P': /* no-op, handled in process_prefix_flag () */ | ||
90 | + case 'A': /* no-op, handled in process_prefix_flag () */ | ||
91 | + fprintf (stderr, | ||
92 | + _("%s: -A is deliberately not supported \n"), | ||
93 | + Prog); | ||
94 | + exit (E_BAD_ARG); | ||
95 | break; | ||
96 | default: | ||
97 | usage (E_USAGE); | ||
98 | @@ -584,7 +594,7 @@ int main (int argc, char **argv) | ||
99 | (void) textdomain (PACKAGE); | ||
100 | |||
101 | process_root_flag ("-R", argc, argv); | ||
102 | - prefix = process_prefix_flag ("-P", argc, argv); | ||
103 | + prefix = process_prefix_flag ("-A", argc, argv); | ||
104 | |||
105 | OPENLOG ("groupadd"); | ||
106 | #ifdef WITH_AUDIT | ||
81 | diff --git a/src/groupmod.c b/src/groupmod.c | 107 | diff --git a/src/groupmod.c b/src/groupmod.c |
82 | index d9d3807..68f49d1 100644 | 108 | index b293b98..72daf2c 100644 |
83 | --- a/src/groupmod.c | 109 | --- a/src/groupmod.c |
84 | +++ b/src/groupmod.c | 110 | +++ b/src/groupmod.c |
85 | @@ -127,6 +127,7 @@ static void usage (int status) | 111 | @@ -134,8 +134,9 @@ static void usage (int status) |
86 | (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); | 112 | (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); |
87 | (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" | 113 | (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" |
88 | " PASSWORD\n"), usageout); | 114 | " PASSWORD\n"), usageout); |
89 | + (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout); | 115 | + (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout); |
90 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); | 116 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); |
117 | - (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); | ||
118 | + (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); | ||
91 | (void) fputs ("\n", usageout); | 119 | (void) fputs ("\n", usageout); |
92 | exit (status); | 120 | exit (status); |
93 | @@ -375,10 +376,11 @@ static void process_flags (int argc, char **argv) | 121 | } |
122 | @@ -383,11 +384,12 @@ static void process_flags (int argc, char **argv) | ||
94 | {"new-name", required_argument, NULL, 'n'}, | 123 | {"new-name", required_argument, NULL, 'n'}, |
95 | {"non-unique", no_argument, NULL, 'o'}, | 124 | {"non-unique", no_argument, NULL, 'o'}, |
96 | {"password", required_argument, NULL, 'p'}, | 125 | {"password", required_argument, NULL, 'p'}, |
97 | + {"clear-password", required_argument, NULL, 'P'}, | 126 | + {"clear-password", required_argument, NULL, 'P'}, |
98 | {"root", required_argument, NULL, 'R'}, | 127 | {"root", required_argument, NULL, 'R'}, |
128 | - {"prefix", required_argument, NULL, 'P'}, | ||
129 | + {"prefix", required_argument, NULL, 'A'}, | ||
99 | {NULL, 0, NULL, '\0'} | 130 | {NULL, 0, NULL, '\0'} |
100 | }; | 131 | }; |
101 | - while ((c = getopt_long (argc, argv, "g:hn:op:R:", | 132 | - while ((c = getopt_long (argc, argv, "g:hn:op:R:P:", |
102 | + while ((c = getopt_long (argc, argv, "g:hn:op:P:R:", | 133 | + while ((c = getopt_long (argc, argv, "g:hn:op:P:R:A:", |
103 | long_options, NULL)) != -1) { | 134 | long_options, NULL)) != -1) { |
104 | switch (c) { | 135 | switch (c) { |
105 | case 'g': | 136 | case 'g': |
106 | @@ -405,6 +407,10 @@ static void process_flags (int argc, char **argv) | 137 | @@ -414,9 +416,17 @@ static void process_flags (int argc, char **argv) |
107 | group_passwd = optarg; | 138 | group_passwd = optarg; |
108 | pflg = true; | 139 | pflg = true; |
109 | break; | 140 | break; |
@@ -113,40 +144,65 @@ index d9d3807..68f49d1 100644 | |||
113 | + break; | 144 | + break; |
114 | case 'R': /* no-op, handled in process_root_flag () */ | 145 | case 'R': /* no-op, handled in process_root_flag () */ |
115 | break; | 146 | break; |
147 | - case 'P': /* no-op, handled in process_prefix_flag () */ | ||
148 | + case 'A': /* no-op, handled in process_prefix_flag () */ | ||
149 | + fprintf (stderr, | ||
150 | + _("%s: -A is deliberately not supported \n"), | ||
151 | + Prog); | ||
152 | + exit (E_BAD_ARG); | ||
153 | break; | ||
116 | default: | 154 | default: |
155 | usage (E_USAGE); | ||
156 | @@ -757,7 +767,7 @@ int main (int argc, char **argv) | ||
157 | (void) textdomain (PACKAGE); | ||
158 | |||
159 | process_root_flag ("-R", argc, argv); | ||
160 | - prefix = process_prefix_flag ("-P", argc, argv); | ||
161 | + prefix = process_prefix_flag ("-A", argc, argv); | ||
162 | |||
163 | OPENLOG ("groupmod"); | ||
164 | #ifdef WITH_AUDIT | ||
117 | diff --git a/src/useradd.c b/src/useradd.c | 165 | diff --git a/src/useradd.c b/src/useradd.c |
118 | index b3bd451..4416f90 100644 | 166 | index c74e491..7214e72 100644 |
119 | --- a/src/useradd.c | 167 | --- a/src/useradd.c |
120 | +++ b/src/useradd.c | 168 | +++ b/src/useradd.c |
121 | @@ -776,6 +776,7 @@ static void usage (int status) | 169 | @@ -829,9 +829,10 @@ static void usage (int status) |
122 | (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" | 170 | (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" |
123 | " (non-unique) UID\n"), usageout); | 171 | " (non-unique) UID\n"), usageout); |
124 | (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); | 172 | (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); |
125 | + (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout); | 173 | + (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout); |
126 | (void) fputs (_(" -r, --system create a system account\n"), usageout); | 174 | (void) fputs (_(" -r, --system create a system account\n"), usageout); |
127 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); | 175 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); |
176 | - (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); | ||
177 | + (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); | ||
128 | (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); | 178 | (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); |
129 | @@ -1050,6 +1051,7 @@ static void process_flags (int argc, char **argv) | 179 | (void) fputs (_(" -u, --uid UID user ID of the new account\n"), usageout); |
180 | (void) fputs (_(" -U, --user-group create a group with the same name as the user\n"), usageout); | ||
181 | @@ -1104,9 +1105,10 @@ static void process_flags (int argc, char **argv) | ||
130 | {"no-user-group", no_argument, NULL, 'N'}, | 182 | {"no-user-group", no_argument, NULL, 'N'}, |
131 | {"non-unique", no_argument, NULL, 'o'}, | 183 | {"non-unique", no_argument, NULL, 'o'}, |
132 | {"password", required_argument, NULL, 'p'}, | 184 | {"password", required_argument, NULL, 'p'}, |
133 | + {"clear-password", required_argument, NULL, 'P'}, | 185 | + {"clear-password", required_argument, NULL, 'P'}, |
134 | {"system", no_argument, NULL, 'r'}, | 186 | {"system", no_argument, NULL, 'r'}, |
135 | {"root", required_argument, NULL, 'R'}, | 187 | {"root", required_argument, NULL, 'R'}, |
188 | - {"prefix", required_argument, NULL, 'P'}, | ||
189 | + {"prefix", required_argument, NULL, 'A'}, | ||
136 | {"shell", required_argument, NULL, 's'}, | 190 | {"shell", required_argument, NULL, 's'}, |
137 | @@ -1062,9 +1064,9 @@ static void process_flags (int argc, char **argv) | 191 | {"uid", required_argument, NULL, 'u'}, |
192 | {"user-group", no_argument, NULL, 'U'}, | ||
193 | @@ -1117,9 +1119,9 @@ static void process_flags (int argc, char **argv) | ||
138 | }; | 194 | }; |
139 | while ((c = getopt_long (argc, argv, | 195 | while ((c = getopt_long (argc, argv, |
140 | #ifdef WITH_SELINUX | 196 | #ifdef WITH_SELINUX |
141 | - "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", | 197 | - "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", |
142 | + "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:UZ:", | 198 | + "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:UZ:", |
143 | #else /* !WITH_SELINUX */ | 199 | #else /* !WITH_SELINUX */ |
144 | - "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", | 200 | - "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", |
145 | + "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:U", | 201 | + "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:U", |
146 | #endif /* !WITH_SELINUX */ | 202 | #endif /* !WITH_SELINUX */ |
147 | long_options, NULL)) != -1) { | 203 | long_options, NULL)) != -1) { |
148 | switch (c) { | 204 | switch (c) { |
149 | @@ -1230,6 +1232,9 @@ static void process_flags (int argc, char **argv) | 205 | @@ -1285,12 +1287,19 @@ static void process_flags (int argc, char **argv) |
150 | } | 206 | } |
151 | user_pass = optarg; | 207 | user_pass = optarg; |
152 | break; | 208 | break; |
@@ -156,36 +212,62 @@ index b3bd451..4416f90 100644 | |||
156 | case 'r': | 212 | case 'r': |
157 | rflg = true; | 213 | rflg = true; |
158 | break; | 214 | break; |
215 | case 'R': /* no-op, handled in process_root_flag () */ | ||
216 | break; | ||
217 | - case 'P': /* no-op, handled in process_prefix_flag () */ | ||
218 | + case 'A': /* no-op, handled in process_prefix_flag () */ | ||
219 | + fprintf (stderr, | ||
220 | + _("%s: -A is deliberately not supported \n"), | ||
221 | + Prog); | ||
222 | + exit (E_BAD_ARG); | ||
223 | break; | ||
224 | case 's': | ||
225 | if ( ( !VALID (optarg) ) | ||
226 | @@ -2148,7 +2157,7 @@ int main (int argc, char **argv) | ||
227 | |||
228 | process_root_flag ("-R", argc, argv); | ||
229 | |||
230 | - prefix = process_prefix_flag("-P", argc, argv); | ||
231 | + prefix = process_prefix_flag("-A", argc, argv); | ||
232 | |||
233 | OPENLOG ("useradd"); | ||
234 | #ifdef WITH_AUDIT | ||
159 | diff --git a/src/usermod.c b/src/usermod.c | 235 | diff --git a/src/usermod.c b/src/usermod.c |
160 | index e7d4351..b79f7a3 100644 | 236 | index e571426..ccfbb99 100644 |
161 | --- a/src/usermod.c | 237 | --- a/src/usermod.c |
162 | +++ b/src/usermod.c | 238 | +++ b/src/usermod.c |
163 | @@ -419,6 +419,7 @@ static /*@noreturn@*/void usage (int status) | 239 | @@ -424,8 +424,9 @@ static /*@noreturn@*/void usage (int status) |
164 | " new location (use only with -d)\n"), usageout); | 240 | " new location (use only with -d)\n"), usageout); |
165 | (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); | 241 | (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); |
166 | (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); | 242 | (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); |
167 | + (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout); | 243 | + (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout); |
168 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); | 244 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); |
245 | - (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); | ||
246 | + (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); | ||
169 | (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); | 247 | (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); |
170 | (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); | 248 | (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); |
171 | @@ -996,6 +997,7 @@ static void process_flags (int argc, char **argv) | 249 | (void) fputs (_(" -U, --unlock unlock the user account\n"), usageout); |
250 | @@ -1002,8 +1003,9 @@ static void process_flags (int argc, char **argv) | ||
172 | {"move-home", no_argument, NULL, 'm'}, | 251 | {"move-home", no_argument, NULL, 'm'}, |
173 | {"non-unique", no_argument, NULL, 'o'}, | 252 | {"non-unique", no_argument, NULL, 'o'}, |
174 | {"password", required_argument, NULL, 'p'}, | 253 | {"password", required_argument, NULL, 'p'}, |
175 | + {"clear-password", required_argument, NULL, 'P'}, | 254 | + {"clear-password", required_argument, NULL, 'P'}, |
176 | {"root", required_argument, NULL, 'R'}, | 255 | {"root", required_argument, NULL, 'R'}, |
256 | - {"prefix", required_argument, NULL, 'P'}, | ||
257 | + {"prefix", required_argument, NULL, 'A'}, | ||
177 | {"shell", required_argument, NULL, 's'}, | 258 | {"shell", required_argument, NULL, 's'}, |
178 | {"uid", required_argument, NULL, 'u'}, | 259 | {"uid", required_argument, NULL, 'u'}, |
179 | @@ -1012,7 +1014,7 @@ static void process_flags (int argc, char **argv) | 260 | {"unlock", no_argument, NULL, 'U'}, |
261 | @@ -1019,7 +1021,7 @@ static void process_flags (int argc, char **argv) | ||
180 | {NULL, 0, NULL, '\0'} | 262 | {NULL, 0, NULL, '\0'} |
181 | }; | 263 | }; |
182 | while ((c = getopt_long (argc, argv, | 264 | while ((c = getopt_long (argc, argv, |
183 | - "ac:d:e:f:g:G:hl:Lmop:R:s:u:U" | 265 | - "ac:d:e:f:g:G:hl:Lmop:R:s:u:UP:" |
184 | + "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U" | 266 | + "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:UA:" |
185 | #ifdef ENABLE_SUBIDS | 267 | #ifdef ENABLE_SUBIDS |
186 | "v:w:V:W:" | 268 | "v:w:V:W:" |
187 | #endif /* ENABLE_SUBIDS */ | 269 | #endif /* ENABLE_SUBIDS */ |
188 | @@ -1112,6 +1114,10 @@ static void process_flags (int argc, char **argv) | 270 | @@ -1119,9 +1121,17 @@ static void process_flags (int argc, char **argv) |
189 | user_pass = optarg; | 271 | user_pass = optarg; |
190 | pflg = true; | 272 | pflg = true; |
191 | break; | 273 | break; |
@@ -195,7 +277,24 @@ index e7d4351..b79f7a3 100644 | |||
195 | + break; | 277 | + break; |
196 | case 'R': /* no-op, handled in process_root_flag () */ | 278 | case 'R': /* no-op, handled in process_root_flag () */ |
197 | break; | 279 | break; |
280 | - case 'P': /* no-op, handled in process_prefix_flag () */ | ||
281 | + case 'A': /* no-op, handled in process_prefix_flag () */ | ||
282 | + fprintf (stderr, | ||
283 | + _("%s: -A is deliberately not supported \n"), | ||
284 | + Prog); | ||
285 | + exit (E_BAD_ARG); | ||
286 | break; | ||
198 | case 's': | 287 | case 's': |
288 | if (!VALID (optarg)) { | ||
289 | @@ -2098,7 +2108,7 @@ int main (int argc, char **argv) | ||
290 | (void) textdomain (PACKAGE); | ||
291 | |||
292 | process_root_flag ("-R", argc, argv); | ||
293 | - prefix = process_prefix_flag ("-P", argc, argv); | ||
294 | + prefix = process_prefix_flag ("-A", argc, argv); | ||
295 | |||
296 | OPENLOG ("usermod"); | ||
297 | #ifdef WITH_AUDIT | ||
199 | -- | 298 | -- |
200 | 1.7.9.5 | 299 | 2.11.0 |
201 | 300 | ||
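--- a/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@aura-online.co.uk>
-Date: Sat, 23 Aug 2014 09:46:39 +0100
-Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
-
-This built-in check is simpler than the previous method and, most
-importantly, works when cross-compiling.
-
-Upstream-Status: Accepted
-[https://github.com/shadow-maint/shadow/commit/2cb54158b80cdbd97ca3b36df83f9255e923ae3f]
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
-configure.in | 14 ++++----------
-1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 1a3f841..4a4d6d0 100644
---- a/configure.in
-+++ b/configure.in
-@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
-dnl
-dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
-dnl
-- AC_RUN_IFELSE([AC_LANG_SOURCE([
--#include <sys/types.h>
--int main(void) {
-- uid_t u;
-- gid_t g;
-- return (sizeof u < 4) || (sizeof g < 4);
--}
-- ])], [id32bit="yes"], [id32bit="no"])
--
-- if test "x$id32bit" = "xyes"; then
-+ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
-+ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
-+
-+ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
-AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
-enable_subids="yes"
-else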
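--- a/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Upstream-Status: Pending
-
-Subject: fix installation failure with subids disabled
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
-src/Makefile.am | 5 ++++-
-1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 25e288d..076f8ef 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -52,7 +52,10 @@ usbin_PROGRAMS = \
-noinst_PROGRAMS = id sulogin
-
-suidbins = su
--suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap
-+suidubins = chage chfn chsh expiry gpasswd newgrp passwd
-+if ENABLE_SUBIDS
-+suidubins += newgidmap newuidmap
-+endif
-if ACCT_TOOLS_SETUID
-suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
-endif
---
-1.7.9.5
-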
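--- a/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Upstream-Status: Pending
-
-usermod: fix compilation failure with subids disabled
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
-src/usermod.c | 3 ++-
-1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/usermod.c b/src/usermod.c
-index e7d4351..685b50a 100644
---- a/src/usermod.c
-+++ b/src/usermod.c
-@@ -1360,7 +1360,7 @@ static void process_flags (int argc, char **argv)
-Prog, (unsigned long) user_newid);
-exit (E_UID_IN_USE);
-}
--
-+#ifdef ENABLE_SUBIDS
-if ( (vflg || Vflg)
-&& !is_sub_uid) {
-fprintf (stderr,
-@@ -1376,6 +1376,7 @@ static void process_flags (int argc, char **argv)
-Prog, sub_gid_dbname (), "-w", "-W");
-exit (E_USAGE);
-}
-+#endif
-}
-
-/*
---
-1.7.9.5
-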
diff --git a/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb index c78f888cf4..c78f888cf4 100644 --- a/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb +++ b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb | |||
diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb index ef014628f6..ef014628f6 100644 --- a/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb +++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb | |||
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 6efe4a9119..0fa80a282a 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc | |||
@@ -9,16 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \ | |||
9 | DEPENDS = "virtual/crypt" | 9 | DEPENDS = "virtual/crypt" |
10 | 10 | ||
11 | UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases" | 11 | UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases" |
12 | 12 | SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \ | |
13 | SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \ | ||
14 | file://shadow-4.1.3-dots-in-usernames.patch \ | 13 | file://shadow-4.1.3-dots-in-usernames.patch \ |
15 | file://usermod-fix-compilation-failure-with-subids-disabled.patch \ | ||
16 | file://fix-installation-failure-with-subids-disabled.patch \ | ||
17 | file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ | ||
18 | file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ | ||
19 | file://0001-useradd-copy-extended-attributes-of-home.patch \ | 14 | file://0001-useradd-copy-extended-attributes-of-home.patch \ |
20 | file://0001-shadow-CVE-2017-12424 \ | ||
21 | file://CVE-2017-2616.patch \ | ||
22 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ | 15 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ |
23 | " | 16 | " |
24 | 17 | ||
@@ -38,8 +31,8 @@ SRC_URI_append_class-nativesdk = " \ | |||
38 | file://0001-Disable-use-of-syslog-for-sysroot.patch \ | 31 | file://0001-Disable-use-of-syslog-for-sysroot.patch \ |
39 | " | 32 | " |
40 | 33 | ||
41 | SRC_URI[md5sum] = "2bfafe7d4962682d31b5eba65dba4fc8" | 34 | SRC_URI[md5sum] = "36feb15665338ae3de414f2a88e434db" |
42 | SRC_URI[sha256sum] = "3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41" | 35 | SRC_URI[sha256sum] = "4668f99bd087399c4a586084dc3b046b75f560720d83e92fd23bf7a89dda4d31" |
43 | 36 | ||
44 | # Additional Policy files for PAM | 37 | # Additional Policy files for PAM |
45 | PAM_SRC_URI = "file://pam.d/chfn \ | 38 | PAM_SRC_URI = "file://pam.d/chfn \ |
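Review bot: The `SRC_URI` change in the first hunk moves the fetch from `downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz` to the GitHub release `${BP}.tar.gz`, and the commit description does not mention it; it lists only the removed and rebased patches. Because both the origin and the archive format change, the new `SRC_URI[sha256sum]` in the second hunk is what ties the build to a known tarball, so the description should record the switch, for example `Fetch the release tarball from the upstream GitHub releases page instead of the Yocto source mirror`. The same hunk drops `file://0001-shadow-CVE-2017-12424` and `file://CVE-2017-2616.patch`; the description states that 4.6 already carries those fixes, which this page does not show and is worth confirming against the 4.6 source.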
diff --git a/meta/recipes-extended/shadow/shadow_4.2.1.bb b/meta/recipes-extended/shadow/shadow_4.6.bb index 5675cb8cc9..5675cb8cc9 100644 --- a/meta/recipes-extended/shadow/shadow_4.2.1.bb +++ b/meta/recipes-extended/shadow/shadow_4.6.bb | |||