In case a system uses remote identity server (LDAP) the group lookup
can be very slow. We avoid it when we already know the user has the
group membership.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.
This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.
Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:
username:17238:0:99999:7:::
whilst creating the same user tomorrow will result in:
username:17239:0:99999:7:::
This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.
This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.
[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/
Signed-off-by: Chris Lamb <lamby@debian.org>
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
This reverts the behavior of "useradd --root" to using the settings
from login.defs in the target root directory, not the root of the
executed useradd command.
The useradd application resets the user data in /var/log/faillog, if it
exists and a new user is created.
pam_tally2 is used in many distributions.
Check for /var/log/tallylog and reset the user there.
Patch was written by Josef Moellers <jmoellers@suse.de>.
https://bugzilla.suse.com/show_bug.cgi?id=980486
These assignments were pasted as is into the Makefile and
ended up as part of a rule. (Usually the .PRECIOUS rule
which is why the build system never attempted to execute it
as commands, hiding the problem.)
Signed-off-by: Wolfgang Bumiller <wry.git@bumiller.com>
Reported-by: Rahel A <ra00177@surrey.ac.uk>
Some of the supplied tools use functions which are not signal-safe.
Most of the times it's exit() vs. _exit().
In other times it's how the standard output or standard error is
handled. FILE-related functions shall be avoided, therefore I replaced
them with write().
Also there is no need to call closelog(). At worst, it allows to
trigger a deadlock by issuing different signal types at bad timings.
But as these fixes are about race conditions, expect bad timings in
general for these bugs to be triggered. :)
Catch up with Automake's [1], which was part of v1.6b, cut 2002-07-28
[2]. Avoids:
$ autoreconf -v -f --install
...
libmisc/Makefile.am:4: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
...
src/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
...
Consolidating with the earlier AM_CPPFLAGS avoids:
$ autoreconf -v -f --install
src/Makefile.am:72: warning: AM_CPPFLAGS multiply defined in condition TRUE ...
src/Makefile.am:10: ... 'AM_CPPFLAGS' previously defined here
autoreconf-2.69: Leaving directory `.'
[1]: http://git.savannah.gnu.org/cgit/automake.git/commit/?id=1415d22f6203206bc393fc4ea233123ba579222d
Summary: automake.in (generate_makefile): Suggest using AM_CPPFLAGS instead of INCLUDES
Date: 2002-07-09
[2]: http://git.savannah.gnu.org/cgit/automake.git/tag/?id=Release-1-6b
This functionality is useful because there is now a feature
of Linux-PAM's pam_lastlog module to block expired users (users
which did not login recently enough) from login. This commit
complements it so the sysadmin is able to unblock such expired user.
Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
We intend to not create subuids for system users. However we are
checking for command line flags after we check whether -r flag
was set, so it was never found to be true. Fix that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- Use an allocation of 65536 uids and gids to allow for POSIX-compliant
user owned namespaces.
- Don't allocate a uid/gid map to system users.
Unfortunately checking for --system isn't quite enough as some
distribution wrappers always call useradd without --system and take care
of choosing a uid and gid themselves, so also check whether the
requested uid/gid is in the user range.
This is taken from a patch I wrote for Ubuntu a couple years ago and
which somehow didn't make it upstream.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
The current implementation of subuid/subgid support in usermod requires the
user to be a local user present in /etc/passwd. There doesn't seem to be a
good reason for this; subuids should work equally well for users whose
records are in other NSS databases.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1475749
Author: Steve Langasek <steve.langasek@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is helpful when using configuration management tools such as
Puppet, where you are managing the groups in a central location and you
don't need this safeguard.
Signed-off-by: "Jesse W. Hathaway" <jesse@mbuki-mvuki.org>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Currently the error is just:
newuidmap: Target [pid] is owned by a different user
With this patch it will be like:
newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
Why is this useful? Well, in my case...
The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid. This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.
This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.
Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.
Some graceful way of handling this and not failing, will be next ;) But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.
Thanks!
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
passwd, shadow, group, gshadow etc. can be managed via nss -
e.g. system default accounts can be specified using nss_altfiles,
rather than in /etc/. Thus despite having default accounts, these
files can be missing on disk and thus should be opened with O_CREATE
whenever they are attempted to be opened in O_RDWR modes.
Prevent chmod failure message from displaying if the failure
was due to the backup file not existing.
If there is no backup file present and if no changes have been
made, then this error would always appear since the backup
file isn't created in this situation.
Signed-off-by: Duncan Eastoe <deastoe@Brocade.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Currently shadow fails to build from source and is flagged as
out-of-date. This is due to a usage of PATH_MAX, which is not defined
on GNU/Hurd. The attached patch solves this problem by allocating a
fixed number of 32 bytes for the string proc_dir_name in files
src/procuidmap.c and src/procgidmap.c. (In fact only 18 bytes are
needed)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
* src/su.c: Terminate the child (if needed) before closing the PAM
session. This is probably more correct, and avoid reporting
termination from signals possibly sent by PAM modules (e.g. former
versions of pam_systemd). Debian#670132
* src/su.c: When a SIGTSTP is caught, reset caught to 0. There is
no need to kill the child in such case after su is resumed. This
remove the "Session terminated, terminating shell...
...terminated." messages in such case.
* src/useradd.c: Change message in case of find_new_sub_uids /
find_new_sub_gids failure. This complements the messages already
provided by these APIs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
* Changelog: Update documentation of 2013-07-28 mancha entry.
* lib/prototypes.h, lib/encrypt.c: Update splint marker,
pw_encrypt can return NULL.
* lib/encrypt.c: Fix outdated statement on GNU crypt.
* src/chgpasswd.c: Improve diagnostic to user when pw_encrypt
fails and use fail_exit() instead of exit().
* src/chpasswd.c: Likewise.
* src/newusers.c: Likewise.
* src/passwd.c: Likewise when new password is encrypted.
* src/newgrp.c: Improve diagnostic to user and syslog when
pw_encrypt fails. Do not apply 1s penalty as this is not an
invalid password issue.
* src/passwd.c: Likewise when password is checked.
a salt that violates specs. On Linux, crypt() also fails with
DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns
we send them back to the caller for appropriate handling.
enabled. This is not done by pam_lastlog. This was broken on
2011-07-23.
* NEWS, libmisc/utmp.c: Do not log in wtmp when PAM is enabled.
This is done by pam_lastlog.
* lib/commonio.c: Avoid multiple statements per line.
* lib/commonio.c: Ignore fclose return value when the file was
open read only or was not changed, or if an error is already
reported.
annotations.
* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
Ignore return value of spw_rewind, pw_rewind, sgr_rewind, and
gr_rewind.
* lib/commonio.h: Both head and tail cannot be owned. Set tail as
dependent.
* src/expiry.c: Ignore return value of expire ().
* src/expiry.c: The catch_signals function does not use its sig
parameter.
* src/userdel.c: Last audit_logger parameter is a
shadow_audit_result, use SHADOW_AUDIT_FAILURE instead of 0.
src/chsh.c, src/groupadd.c, src/groupdel.c, src/groupmems.c,
src/groupmod.c, src/newusers.c, src/useradd.c, src/userdel.c,
src/usermod.c: Provide the PAM error
message instead of our own, and log error to syslog.
* src/groupmems.c: Exit with exit rather than fail_exit in usage().
* src/newusers.c: Check the number of arguments.
* src/newusers.c: Do not create the home directory when it is not
changed.
* src/useradd.c: Set the group password to "!" rather "x" if there
are no gshadow file.
* src/pwck.c: optind cannot be greater than argc.
* src/pwck.c: If spw_opened, then is_shadow is implicitly set.
* src/pwck.c: Do not report passwd entry without x password and a
shadow entry in --quiet mode (no interaction with the caller)
* src/pwck.c: Do not check if the last password change is in the
future if the time is set to 0.
audit after the potential chroot.
* src/groupadd.c: Check atexit failures.
* src/groupadd.c: Return E_SUCCESS instead of exit'ing at the end
of main().
* lib/prototypes, libmisc/basename.c (Basename): Input is a
constant string.
* lib/prototypes.h, lib/spawn.h, lib/spawn.c, src/userdel.c,
lib/nscd.c, lib/Makefile.am: Delete spawn.h. Move from spawn.h to
prototypes.h.
* src/userdel.c: Remove unused variables.
* lib/nscd.c: Remove unused header files.
* lib/nscd.c: Add the program name to error messages.
* lib/nscd.c: Indicate when nscd does not terminate normally (signal).
* lib/spawn.c: Updated header.
* lib/spawn.c: Flush stdout and stderr to avoid inheriting from
ongoing buffers.
* lib/spawn.c: Avoid implicit conversion of pointer to boolean.
* lib/spawn.c: Replace perror by a complete message.
* lib/spawn.c: Continue to wait for the child if another child
terminates.
* lib/prototypes.h: The name field from cleanup_info_mod is a
constant string. (username).
* src/grpconv.c: At the end of main, the passwd and shadow files
are locked. No need to check before unlocking. No need to set the
lock as false neither since there cannot be anymore failures.
strtoday(). But we need to support "-1" specifically.
* src/chage.c: Fix usage: LOGIN is mandatory.
* src/chage.c: Display disabled expiry or last change as "-1"
instead of 1969-12-31. 1969-12-31 is still supported as input from
the user.
* src/chage.c: Exit cleanly with fail_exit() (lock files were not
removed).
USER_DEFAULTS_FILE.
* src/useradd.c: Fix cut&paste issue causing bad warning when
the useradd.default file contains an invalid INACTIVE= value.
* src/useradd.c: Added missing end of line for rename errors.
* src/useradd.c: Added -D synopsis to the usage message.
* src/useradd.c: Do not scale_age(-1), just use -1.
* src/useradd.c: Added FIXME to be fixed later.
* src/useradd.c: Allow -e -1 when there is no shadow file.
* src/useradd.c: Fail, but do not print the usage message when the
-e argument is not valid.
* src/useradd.c: No need to check for oflg since uflg is
already checked.
save_caller_context() is allocated and freed.
* src/su.c: Added missing #endif indication
* src/su.c save_caller_context(): password only needed if
SU_ACCESS and !USE_PAM.
instead of 'x'. Only when it is confirmed that a shadow entry is
(will be) added, set the passwd's password to 'x'.
* src/newusers.c: An invalid line is an error. A failure needs to
be reported.
* lib/Makefile.am: Added lib/spawn.c and lib/spawn.h.
* lib/nscd.c, lib/spawn.c, lib/spawn.h: It is not possible to
differentiate between an nscd failure, and a failure to execute
due to no nscd with posix_spawn. Use our own run_command routine.
* src/userdel.c: Use run_command()
* src/usermod.c (date_to_str): buf needs to be unique (e.g.
independent from negativ), and is an out buffer.
* src/usermod.c: Ignore return value from snprintf, and force
nul-termination of buffer.
* src/usermod.c: Improve memory management.
* src/usermod.c: An audit bloc was not reachable, moved above on
success to move the home directory.
* src/usermod.c: Ignore close() return value for the mailbox
(opened read only).
set to 'x' in passwd and there are no entry in shadow for the
user.
* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is
set to 'x' in group and there are no entry in gshadow for the
group.
options are provided.
* src/pwunconv.c: Re-indent.
* src/pwunconv.c: Open the shadow file read only.
* src/grpunconv.c: Exit after printing usage when arguments or
options are provided.
* src/grpunconv.c: Open the gshadow file read only.
not return.
* src/chpasswd.c: Reindent.
* src/chpasswd.c: Remove dead code. No need to set crypt_method
to NULL when it is already NULL. sflg is only set if crypt_method
is not NULL.
return.
* src/faillog.c: Fix message: this is faillog, not lastlog.
* src/faillog.c: Check that there are no extra arguments after
parsing the options.
not return.
* src/chgpasswd.c: Split usage in smaller parts. Those parts are
already translated for chpasswd. Usage is now closer to
chpasswd's.
* src/chgpasswd.c: Remove dead code. No need to set crypt_method
to NULL when it is already NULL. sflg is only set if crypt_method
is not NULL.
* src/grpck.c: Avoid implicit conversion of pointer to boolean.
* src/grpck.c: Remove dead code. argc cannot be lower than optind.
Avoid checking twice in a row for NULL != list[i].
exists but there are no shadow entries, an entry has to be created
if the password is changed and passwd requires a shadow entry, or
if aging features are used (-e or -f). Document this and also that
-e and -f require a shadow file.
provided. Update the error message.
* src/usermod.c (process_flags): Check option compatibility and
dependency before options are discarded when no changes are
requested.
* src/su.c: Added function prototypes.
* src/su.c: Rename shellstr parameter to shellname to avoid
collision with static variable.
* NEWS, src/su.c: Added support for PAM modules which change
PAM_USER.
child and listening for signal in the parent from run_shell().
prepare_pam_close_session() is now executed before the creation of
the pam session and before the UID is changed. This allows to
close the session as root.
use the pwent global variable to communicate between APIs of
different files. Added boolean parameter su_to_root to
check_su_auth().
* src/su.c (check_perms): Return the passwd entry of the finally
authenticated user. Remove usage of the pwent variable.
* src/su.c: The password of the caller is the one from the
spwd structure only if the passwd's password is 'x'.
after the switch to the final subsystem. The previous architecture
forced to always change the environment (the shell starts with a
'*' and was thus restricted, and change_environment could not be
reset to false).
definition of shellstr, PATH and IFS is not influenced (getenv,
getdef, restricted_shell) by and does not influence (addenv does
not change environ) the authentication. And the authentication
does not overwrite those definitions. This will ease an extraction
from the big main() function.
commands executed with -c. This prevents tty hijacking which could
lead to execution with the caller's privileges. This required to
forward signals from the terminal (SIGINT, SIGQUIT, SIGTSTP) to
the executed command.
selinux_file_context renamed set_selinux_file_context.
* lib/protoypes.h, libmisc/copydir.c, src/useradd.c:
Added reset_selinux_file_context.
* src/useradd.c: Check the return value of
set_selinux_file_context and reset_selinux_file_context.
* libmisc/copydir.c: Check the return value of
reset_selinux_file_context.
boolean.
* libmisc/basename.c: Avoid implicit conversion of pointer to
boolean.
* libmisc/basename.c, lib/prototypes.h (Basename): Return a
constant string.
* libmisc/basename.c, libmisc/obscure.c, lib/prototypes.h,
libmisc/xmalloc.c, libmisc/getdate.h, libmisc/system.c,
libmisc/getgr_nam_gid.c, libmisc/failure.c, libmisc/valid.c: Add
splint annotations.
* libmisc/chowndir.c: Avoid memory leak.
* libmisc/chowndir.c: Do not check *printf/*puts return value.
* libmisc/chowntty.c: Avoid implicit conversion between integer
types.
* libmisc/obscure.c: Return a bool when possible instead of int.
* libmisc/shell.c: Do not check *printf/*puts return value.
* libmisc/shell.c: Do not check execle return value.
* libmisc/setupenv.c: Avoid implicit conversion between integer
types.
* libmisc/xmalloc.c: size should not be zero to avoid returning
NULL pointers.
* libmisc/hushed.c: Do not check *printf/*puts return value.
* libmisc/system.c: Avoid implicit conversion of integer to
boolean. safe_system last argument is a boolean.
* libmisc/system.c: Check return value of dup2.
* libmisc/system.c: Do not check *printf/*puts return value.
* libmisc/system.c: Do not check execve return value.
* libmisc/salt.c: Do not check *printf/*puts return value.
* libmisc/loginprompt.c: Do not check gethostname return value.
* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Do not check
gr_rewind/pw_rewind return value.
* libmisc/ttytype.c: Limit the number of parsed characters in the
sscanf format.
* libmisc/ttytype.c: Test if a type was really read.
* libmisc/sub.c: Do not check *printf/*puts return value.
* libmisc/sub.c: Avoid implicit conversion of integer to boolean.
* src/userdel.c: Fix typo in comment.
* src/userdel.c: Avoid implicit conversion of boolean to integer.
* src/userdel.c: safe_system last argument is a boolean.
* src/newusers.c: Avoid implicit conversion of boolean to integer.
* src/newusers.c: Avoid implicit conversion of integer to boolean.
* src/usermod.c: Add brackets.
* src/usermod.c: Avoid implicit conversion of characters or
integers to booleans.
* src/vipw.c: Avoid implicit conversion of integer to boolean.
* src/su.c: Avoid implicit conversion of integer to boolean.
* src/su.c: Add brackets.
* src/useradd.c: Avoid implicit conversion of characters or
integers to booleans.
instead of an int.
* libmisc/obscure.c, libmisc/tz.c, src/passwd.c, lib/encrypt.c,
libmisc/copydir.c, lib/prototypes.h: Add splint annotations.
* libmisc/tz.c: Fix some const issues.
* libmisc/tz.c: Avoid multi-statements lines.
* libmisc/tz.c: Add brackets.
* libmisc/copydir.c: Do not check *printf/*puts return value.
* libmisc/copydir.c: Fail if we cannot set or reset the SELinux
fscreate context.
* libmisc/copydir.c: Use xmalloc instead of malloc.
* libmisc/copydir.c: Do not check lutimes return value
* src/vipw.c: Avoid implicit conversion of integer to boolean.
* src/su.c (iswheel): Return a bool instead of an int.
* src/passwd.c: Remove insert_crypt_passwd(). Use xstrdup instead.
* src/passwd.c: Return constant strings when sufficient.
* src/passwd.c: Do not check *printf/*puts return value.
* src/passwd.c: Avoid implicit conversion of character to boolean.
* src/passwd.c: Do not check sleep return value.
* src/sulogin.c: Do not check *printf/*puts return value.
* lib/encrypt.c: Do not check fprintf return value.
copy the extended attributes (the SELinux context is hence reset)
* src/usermod.c: Copy the extended attributes.
* src/useradd.c: Only reset the SELinux context.
libmisc/sulog.c, libmisc/hushed.c, libmisc/failure.c,
libmisc/loginprompt.c, libmisc/ttytype.c,
libmisc/pam_pass_non_interractive.c, src/userdel.c, src/login.c,
lib/commonio.c, lib/commonio.h: Fix some const issues.
* libmisc/motd.c: Avoid multi-statements lines.
* libmisc/motd.c: Support long MOTD_FILE.
* libmisc/list.c, lib/prototypes.h: Revert previous change.
dup_list and is_on_list are used with members as defined for the
group structure, and thus even if the list is not modified, the
list elements cannot be constant strings.
* libmisc/system.c: Avoid C++ comments.
* src/vipw.c: WITH_TCB cannot be tested inside a gettextized
string. Split the Usage string.
* lib/commonio.h: Re-indent.
* src/useradd.c: spool is a constant string.
* src/useradd.c: Set the new copy_tree's paramater 'copy_root' to false
2010-04-04 Nicolas François <nicolas.francois@centraliens.net>
* src/usermod.c: move_home() is only called if mflg is set.
* src/usermod.c: Fail is -m is provided but the old home directory
is not a directory.
* src/usermod.c: Use the previous improvement of copy_tree to
provide better error diagnosis.
* src/usermod.c: When rename() is used, also change the ownership.
* src/usermod.c: Do not change the ownership of the root directory
twice.
* src/usermod.c: When -u is provided, only change the ownership of
the home directory if it is a directory.
* src/usermod.c: Also change ownerships when -g is used.
2010-04-04 Nicolas François <nicolas.francois@centraliens.net>
* lib/prototypes.h, libmisc/copydir.c: Add the old UID and GID to
copy_tree to detect when ownership shall be changed.
* libmisc/copydir.c: Document the behavior when the IDs are set to
-1.
* lib/prototypes.h, libmisc/copydir.c (copy_tree): Add parameter
copy_root.
* libmisc/copydir.c: error() and ctx can be static.
* libmisc/copydir.c (copy_hardlink): Remove parameter src.
2010-04-04 Nicolas François <nicolas.francois@centraliens.net>
* libmisc/chowndir.c: Dynamically allocate memory to support
path longer than 1024 characters.
* libmisc/chowndir.c: Fix typos in documentation.
* libmisc/chowndir.c: Support and document the behavior when a old
or new ID is set to -1.
* libmisc/chowndir.c: Improved error detection when chown fails.
* libmisc/chowndir.c: Harmonize error handling strategy when an
error occurs: stop changing ownership as soon as an error was
detected.
* src/login_nopam.c: Limit the scope of variables end, lineno, i,
str_len.
* src/logoutd.c: Limit the scope of variable c.
* src/vipw.c: Re-indent.
* src/vipw.c: Close the file after the creation of the backup.
* src/useradd.c (set_default): Close input file on failure.
* src/useradd.c: Limit the scope of variables spool, file, fd, gr,
gid, mode.
* src/passwd.c: Limit the scope of variables last and ok.
* src/chage.c: Fix typo (non breaking space).
* src/login.c: Limit the scope of variables erasechar killchar, c,
failed.
* src/groups.c: Limit the scope of variable ngroups, pri_grp, i.
* src/id.c: Limit the scope of variable i.
they are already specified in number of days since Epoch. Return
-2 in case of errors to support the specification of -1.
* src/usermod.c, src/useradd.c: Adapt to the new error value of
strtoday().
* src/chage.c: Remove isnum(). Adapt to the new error value of
strtoday(). Support for numerical dates is moved to strtoday().
* src/pwck.c: Add support for TCB.
* src/pwck.c: Use spw_dbname() instead of spw_file since TCB
changes from a file to another depending on the user. Also use
pw_dbname() for consistency.
-a option.
* NEWS, man/faillog.8.xml, src/faillog.c: Extend the -a option to
the non-display mode. This changes the default behavior of the -l,
-m, -r, -t options when -a is not specified (restrict to existing
users).
translation.
* lib/tcbfuncs.c: Indicate the name of the program in error
messages. Avoid perror.
* src/useradd.c: Re-indent.
* src/useradd.c: Add more strings for translation. Indicate the
name of the program in error messages.
* src/userdel.c: Re-indent.
* src/userdel.c: Add more strings for translation. Indicate the
name of the program in error messages.
* src/vipw.c: Avoid implicit conversion of pointers or integers to
booleans.
* src/vipw.c: Added brackets and parenthesis.
* src/vipw.c: Limit the definition of some variables and macros to
the WITH_TCB scope.
* src/vipw.c: Avoid assignment in comparisons.
* src/vipw.c: Replace PASSWD_FILE (resp. GROUP_FILE and
SGROUP_FILE) by pw_dbname () (resp. gr_dbname () and sgr_dbname ()).
This is more consistent with the shadow file handling and may be
useful to allow edition of another partition's files.
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
--preserve-environment. This sanitation was disabled on Debian
since quite some time with no reported issues, and sanitize_env()
documentation agrees that it should be useless as all modern
Unixes will handle setuid executables properly. This Fixes
Alioth#312287.
* src/su.c: Add more messages for translation.
* src/su.c: Ignore kill() return value when sending the TERM
signal. If it fails, a KILL should be sent anyway.
terminate (after sending a SIGTERM), and kill it only if it did
not terminate by itself. No delay will be enforced if the child
cooperates. See http://bugs.gentoo.org/282094
* NEWS, man/su.1.xml: Document su's exit values.
src/chpasswd.c, src/groupmems.c, src/usermod.c, src/chgpasswd.c,
src/vipw.c, src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c,
src/groupadd.c, src/chage.c, src/faillog.c, src/chsh.c: Use
booleans for tests.
* src/userdel.c, src/gpasswd.c, src/groupmems.c, src/usermod.c,
src/groupmod.c, src/passwd.c: Use a break even after usage().
src/newusers.c, src/chpasswd.c, src/groupmems.c, src/usermod.c,
src/chgpasswd.c, src/vipw.c, src/su.c, src/useradd.c,
src/groupmod.c, src/passwd.c, src/groupadd.c, src/chage.c,
src/faillog.c, src/chsh.c: If someone uses the -h/--help options,
the usage should not go to stderr nor should the utility exit with
non-zero status. All of the shadow utils do just this
unfortunately, so convert them over to sanity.
* man/groupmems.8.xml, man/gpasswd.1.xml: Added option -h/--help.
* NEWS, src/userdel.c: When USERGROUPS_ENAB is enabled, remove the
user's group when the user was the only member. This is still not
complete, as the user could have been specified twice in the
members.
* NEWS, src/userdel.c: Do not fail when -r is used and the home
directory does not exist.
lib/prototypes.h: Move user_busy() to libmisc/user_busy.c.
* NEWS, libmisc/user_busy.c: On Linux, do not check if an user is
logged in with utmp, but check if the user is running some
processes. If not on Linux, continue to search for an utmp record,
but make sure the process recorded in the utmp entry is still
running.
with a NULL argument.
* src/useradd.c: Replace PATH_MAX by a fixed constant. The buffer
was not meant as a storage for a path.
* src/useradd.c, src/newusers.c, src/chpasswd.c: Better detection
of fgets errors. Lines shall end with a \n, unless we reached the
end of file.
* libmisc/copydir.c: Avoid PATH_MAX. Support file paths with any
length. Added readlink_malloc().
and the password field in passwd is not 'x'.
* src/grpck.c: Warn if a group has an entry in group and gshadow,
and the password field in group is not 'x'.
changing the passwords with PAM.
* src/newusers.c: Split the usage string in smaller parts to
allow enabling single parts.
* man/newusers.8.xml: Indicate the options and configuration
variables valid for PAM and non-PAM versions.
* man/newusers.8.xml: Added pointer to /etc/pam.d/chpasswd.
libmisc/pam_pass_non_interractive.c, libmisc/Makefile.am: Renamed.
* libmisc/pam_pass_non_interractive.c, lib/prototypes.h:
non_interactive_password and non_interactive_pam_conv do not need
to be externally visible.
* libmisc/pam_pass_non_interractive.c: Added declaration of
ni_conv.
* libmisc/pam_pass_non_interractive.c: Only compile ifdef USE_PAM.
* libmisc/pam_pass_non_interractive.c, lib/prototypes.h:
Added do_pam_passwd_non_interractive().
* src/chpasswd.c: Use do_pam_passwd_non_interractive().
instead of only the username.
* src/chpasswd.c: PAM enabled chpasswd do may change the password
database (for the user where the password update succeeded) even
if there were a failure for one user. Do not indicate that changes
were ignored.
* libmisc/chowntty.c, libmisc/rlogin.c, libmisc/sub.c,
src/newusers.c, libmisc/sulog.c, libmisc/system.c, src/logoutd.c,
src/groups.c, src/id.c, lib/encrypt.c, libmisc/audit_help.c,
libmisc/limits.c: Return EXIT_FAILURE instead of 1, and
EXIT_SUCCESS instead of 0.
* libmisc/audit_help.c: Replace an fprintf() by fputs().
* libmisc/audit_help.c: Remove documentation of the audit_logger
returned values. The function returns void.
* libmisc/system.c: Only return status if waitpid succeeded.
Return -1 otherwise.
with PAM.
* src/chpasswd.c: Split the usage string in smaller parts to
allows enabling single parts.
* src/chpasswd.c: Do not set a global lock on the password files.
This is done by PAM each time a password is updated.
* src/useradd.c: Replace peror by an strerror and avoid an
intermediate buffer.
* src/useradd.c: Save errno between the failure and the report by
perror/strerror.
* src/useradd.c: Prefer xmalloc to malloc.
* src/newgrp.c: audit_buf is only used in newgrp. Make it static.
* src/newgrp.c: Ignore the return value of fputs().
* src/newgrp.c: Use exit(EXIT_FAILURE) instead of exit(1).
* src/lastlog.c: Added splint annotations.
* src/lastlog.c: Avoid global pwent.
* src/lastlog.c: Cast ID to ulongs and use ulong formats for IDs.
* src/lastlog.c: Avoid assignment in comparisons.
* src/lastlog.c: Ignore fclose() return value since the file is
only opened for reading.
default to 32.
* libmisc/chkname.c: Use USER_NAME_MAX_LENGTH.
* src/login.c: Use USER_NAME_MAX_LENGTH instead of the default 32.
username also needs to be bigger than USER_NAME_MAX_LENGTH because
it has to be nul-terminated.
change the terminal configuration. setup_tty() is just a best
effort configuration of the terminal.
* src/login.c: Ignore failures when setting the terminal
configuration.
* src/login.c: Fail if the ERASECHAR or KILLCHAR configurations
are not compatible with a cc_t type.
of global utent/utxent variables. Only reuse the ut_id and maybe
the ut_host fields from utmp.
* lib/prototypes.h, libmisc/utmp.c: Removed checkutmp(),
setutmp(), setutmpx().
* lib/prototypes.h, libmisc/utmp.c: Added get_current_utmp(),
prepare_utmp(), prepare_utmpx(), setutmp(), setutmpx().
* libmisc/utmp.c (is_my_tty): Only compare the name of the utmp
line with ttyname(). (No stat of the two terminals to compare the
devices).
* libmisc/utmp.c: Use getaddrinfo() to get the address of the
host.
* configure.in: Check for getaddrinfo().
* configure.in: Use AC_CHECK_MEMBERS to check for the existence of
fields in the utmp/utmpx structures.
* configure.in: Reject systems with utmpx support but no ut_id
field in utmp. This could be fixed later if needed.
* src/login.c: Use the new utmp functions. This also simplifies
the failtmp() handling.
* src/login.c: passwd_free() renamed to pw_free() and
shadow_free() renamed to spw_free()
is always coming from xgetpwnam. There is no need to copy pwd to
pwent, this was not a good idea anyway as the strings from pwd
were not duplicated.
* src/login.c: Always free the pwd and spwd structure when we
retrieve a new one. This will clear the password of the previous
user from the memory.
* src/login.c: user_passwd is used to keep point to the password
of the user being authenticated.
* src/login.c: (non PAM) Fail if the user's entry cannot be found
after the user updated her password (if expire() requested an
update).
* src/login.c: If the user does not exist on the system, there is
no need to build a pwd structure (with shell).