From 222cf772685dcf20bc69e3d3899bcfb11bee00c0 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin
Date: Fri, 19 Aug 2022 09:26:50 +0200
Subject: shadow: update 4.11.1 -> 4.12.1
Combine two username relaxing patches into one, rebase, and submit upstream.
(From OE-Core rev: 6f0042be60582669d317b9ff2e1b8034ab2a01d3)
Signed-off-by: Alexander Kanavin
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
 .../files/0001-shadow-use-relaxed-usernames.patch | 104 +++++++++++++++++++
 .../files/shadow-4.1.3-dots-in-usernames.patch | 27 -----
 .../shadow/files/shadow-relaxed-usernames.patch | 111 ---------------------
 meta/recipes-extended/shadow/shadow.inc | 8 +-
 meta/recipes-extended/shadow/shadow_4.11.1.bb | 11 --
 meta/recipes-extended/shadow/shadow_4.12.1.bb | 11 ++
 6 files changed, 118 insertions(+), 154 deletions(-)
 create mode 100644 meta/recipes-extended/shadow/files/0001-shadow-use-relaxed-usernames.patch
 delete mode 100644 meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch
 delete mode 100644 meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch
 delete mode 100644 meta/recipes-extended/shadow/shadow_4.11.1.bb
 create mode 100644 meta/recipes-extended/shadow/shadow_4.12.1.bb
(limited to 'meta/recipes-extended/shadow')
diff --git a/meta/recipes-extended/shadow/files/0001-shadow-use-relaxed-usernames.patch b/meta/recipes-extended/shadow/files/0001-shadow-use-relaxed-usernames.patch
new file mode 100644
index 0000000000..6c7abcef1d
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-shadow-use-relaxed-usernames.patch
@@ -0,0 +1,104 @@
+From b182c52d63bea0f08e1befcec5c3797dd97cdef5 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin
+Date: Tue, 16 Aug 2022 13:46:22 +0200
+Subject: [PATCH] shadow: use relaxed usernames
+
+The groupadd from shadow does not allow upper case group names, the
+same is true for the upstream shadow. But distributions like
+Debian/Ubuntu/CentOS has their own way to cope with this problem,
+this patch is picked up from CentOS release 7.0 to relax the usernames
+restrictions to allow the upper case group names, and the relaxation is
+POSIX compliant because POSIX indicate that usernames are composed of
+characters from the portable filename character set [A-Za-z0-9._-].
+
+Upstream-Status: Submitted [https://github.com/shadow-maint/shadow/pull/551]
+
+Signed-off-by: Shan Hai
+Signed-off-by: Alexander Kanavin
+---
+ libmisc/chkname.c | 29 ++++++++++++++++++-----------
+ man/groupadd.8.xml | 6 ------
+ man/useradd.8.xml | 6 ------
+ 3 files changed, 18 insertions(+), 23 deletions(-)
+
+diff --git a/libmisc/chkname.c b/libmisc/chkname.c
+index cb002a14..c0306c5a 100644
+--- a/libmisc/chkname.c
++++ b/libmisc/chkname.c
+@@ -32,21 +32,28 @@ static bool is_valid_name (const char *name)
+ }
+
+ /*
+- * User/group names must match [a-z_][a-z0-9_-]*[$]
+- */
+-
+- if (('\0' == *name) ||
+- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++ * User/group names must match gnu e-regex:
++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++ *
++ * as a non-POSIX, extension, allow "$" as the last char for
++ * sake of Samba 3.x "add machine script"
++ */
++ if ( ('\0' == *name) ||
++ !((*name >= 'a' && *name <= 'z') ||
++ (*name >= 'A' && *name <= 'Z') ||
++ (*name >= '0' && *name <= '9') ||
++ (*name == '_') || (*name == '.')
++ )) {
+ return false;
+ }
+
+ while ('\0' != *++name) {
+- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+- ( ('0' <= *name) && ('9' >= *name) ) ||
+- ('_' == *name) ||
+- ('-' == *name) ||
+- ( ('$' == *name) && ('\0' == *(name + 1)) )
+- )) {
++ if (!( (*name >= 'a' && *name <= 'z') ||
++ (*name >= 'A' && *name <= 'Z') ||
++ (*name >= '0' && *name <= '9') ||
++ (*name == '_') || (*name == '.') || (*name == '-') ||
++ (*name == '$' && *(name + 1) == '\0')
++ )) {
+ return false;
+ }
+ }
+diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
+index 26671f92..3eacaa09 100644
+--- a/man/groupadd.8.xml
++++ b/man/groupadd.8.xml
+@@ -63,12 +63,6 @@
+ values from the system. The new group will be entered into the system
+ files as needed.
+
+-
+- Groupnames must start with a lower case letter or an underscore,
+- followed by lower case letters, digits, underscores, or dashes.
+- They can end with a dollar sign.
+- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-
+
+ Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index c7f95b47..e056d141 100644
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -691,12 +691,6 @@
+ the user account creation request.
+
+
+-
+- Usernames must start with a lower case letter or an underscore,
+- followed by lower case letters, digits, underscores, or dashes.
+- They can end with a dollar sign.
+- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-
+
+ Usernames may only be up to 32 characters long.
+
+--
+2.30.2
+
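Review bot: The relaxed first-character test in `is_valid_name` now accepts a digit or `.`, and the loop accepts the same set, so `.`, `..` and all-digit names such as `0` pass validation. All-digit names are easy to confuse with numeric IDs in tools that accept either form, and `.`/`..` are unsafe wherever the name ends up as a path component (a home directory, for instance); both consequences are inferred, since no caller is visible here. I would keep the upper-case relaxation but reject those cases explicitly, e.g. `if (strcmp (name, ".") == 0 || strcmp (name, "..") == 0) return false;` before the loop, plus a flag that rejects names in which every character was a digit. The comment's `{0,30}` bound is not enforced by the visible code, and the two man-page hunks delete the naming rule rather than documenting the new one; `is_valid_name` starts and ends outside the hunk.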
diff --git a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch deleted file mode 100644 index a7bb0a9290..0000000000 --- a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch +++ /dev/null @@ -1,27 +0,0 @@ -# commit message copied from openembedded: -# commit 246c80637b135f3a113d319b163422f98174ee6c -# Author: Khem Raj -# Date: Wed Jun 9 13:37:03 2010 -0700 -# -# shadow-4.1.4.2: Add patches to support dots in login id. -# -# Signed-off-by: Khem Raj -# -# comment added by Kevin Tian , 2010-08-11 - -Upstream-Status: Pending - -Signed-off-by: Scott Garman - -Index: shadow-4.1.4.2/libmisc/chkname.c -=================================================================== ---- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 -+++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 -@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n - ( ('0' <= *name) && ('9' >= *name) ) || - ('_' == *name) || - ('-' == *name) || -+ ('.' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) - )) { - return false; diff --git a/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch b/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch deleted file mode 100644 index cc833362e9..0000000000 --- a/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From ca472d6866e545aaa70a70020e3226f236a8aafc Mon Sep 17 00:00:00 2001 -From: Shan Hai -Date: Tue, 13 Sep 2016 13:45:46 +0800 -Subject: [PATCH] shadow: use relaxed usernames - -The groupadd from shadow does not allow upper case group names, the -same is true for the upstream shadow. But distributions like -Debian/Ubuntu/CentOS has their own way to cope with this problem, -this patch is picked up from CentOS release 7.0 to relax the usernames -restrictions to allow the upper case group names, and the relaxation is -POSIX compliant because POSIX indicate that usernames are composed of -characters from the portable filename character set [A-Za-z0-9._-]. - -Upstream-Status: Pending - -Signed-off-by: Shan Hai - ---- - libmisc/chkname.c | 30 ++++++++++++++++++------------ - man/groupadd.8.xml | 6 ------ - man/useradd.8.xml | 8 +------- - 3 files changed, 19 insertions(+), 25 deletions(-) - -diff --git a/libmisc/chkname.c b/libmisc/chkname.c -index 90f185c..65762b4 100644 ---- a/libmisc/chkname.c -+++ b/libmisc/chkname.c -@@ -55,22 +55,28 @@ static bool is_valid_name (const char *name) - } - - /* -- * User/group names must match [a-z_][a-z0-9_-]*[$] -- */ -- -- if (('\0' == *name) || -- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { -+ * User/group names must match gnu e-regex: -+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? -+ * -+ * as a non-POSIX, extension, allow "$" as the last char for -+ * sake of Samba 3.x "add machine script" -+ */ -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { - return false; - } - - while ('\0' != *++name) { -- if (!(( ('a' <= *name) && ('z' >= *name) ) || -- ( ('0' <= *name) && ('9' >= *name) ) || -- ('_' == *name) || -- ('-' == *name) || -- ('.' 
== *name) || -- ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { - return false; - } - } -diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml -index 1e58f09..d804b61 100644 ---- a/man/groupadd.8.xml -+++ b/man/groupadd.8.xml -@@ -272,12 +272,6 @@ - - - CAVEATS -- -- Groupnames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. -- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- - - Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. - -diff --git a/man/useradd.8.xml b/man/useradd.8.xml -index a16d730..c0bd777 100644 ---- a/man/useradd.8.xml -+++ b/man/useradd.8.xml -@@ -366,7 +366,7 @@ - - - -- Do no create the user's home directory, even if the system -+ Do not create the user's home directory, even if the system - wide setting from /etc/login.defs - () is set to - yes. -@@ -660,12 +660,6 @@ - the user account creation request. - - -- -- Usernames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. -- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- - - Usernames may only be up to 32 characters long. - diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index f5fdf436f7..fbb1d395ff 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -11,10 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c9a450b7be84eac23e6353efecb60b5b \ DEPENDS = "virtual/crypt" UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases" -SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP}.tar.gz \ - file://shadow-4.1.3-dots-in-usernames.patch \ +SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \ + file://0001-shadow-use-relaxed-usernames.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://shadow-relaxed-usernames.patch \ file://useradd \ " @@ -30,8 +29,7 @@ SRC_URI:append:class-native = " \ SRC_URI:append:class-nativesdk = " \ file://0001-Disable-use-of-syslog-for-sysroot.patch \ " - -SRC_URI[sha256sum] = "f262089be6a1011d50ec7849e14571b7b2e788334368f3dccb718513f17935ed" +SRC_URI[sha256sum] = "9fdb73b5d2b44e8ba9fcee1b4493ac75dd5040bda35b9ac8b06570cd192e7ee3" # Additional Policy files for PAM PAM_SRC_URI = "file://pam.d/chfn \ diff --git a/meta/recipes-extended/shadow/shadow_4.11.1.bb b/meta/recipes-extended/shadow/shadow_4.11.1.bb deleted file mode 100644 index 40b11345c9..0000000000 --- a/meta/recipes-extended/shadow/shadow_4.11.1.bb +++ /dev/null @@ -1,11 +0,0 @@ -require shadow.inc - -# Build falsely assumes that if --enable-libpam is set, we don't need to link against -# libcrypt. This breaks chsh. -BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}" - -BBCLASSEXTEND = "native nativesdk" - -# Severity is low and marked as closed and won't fix. -# https://bugzilla.redhat.com/show_bug.cgi?id=884658 -CVE_CHECK_IGNORE += "CVE-2013-4235" diff --git a/meta/recipes-extended/shadow/shadow_4.12.1.bb b/meta/recipes-extended/shadow/shadow_4.12.1.bb new file mode 100644 index 0000000000..40b11345c9 --- /dev/null +++ b/meta/recipes-extended/shadow/shadow_4.12.1.bb 
@@ -0,0 +1,11 @@
+require shadow.inc
+
+# Build falsely assumes that if --enable-libpam is set, we don't need to link against
+# libcrypt. This breaks chsh.
+BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}"
+
+BBCLASSEXTEND = "native nativesdk"
+
+# Severity is low and marked as closed and won't fix.
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_CHECK_IGNORE += "CVE-2013-4235"
--
cgit v1.2.3-54-g00ecf