Commit Graph

1074 Commits

Author SHA1 Message Date
ed
4c9ec2f5a4 Adding logging of SSH_ORIGINAL_COMMAND to nologin.
If SSH_ORIGINAL_COMMAND is set, it will be added to the syslog entry.

Closes #123.

Changelog: (SEH squashed commit): Fixing indentation
Changelog: (SEH) break up long line
2020-01-11 14:46:52 -06:00
Wolfgang Bumiller
258944e331 Makefile: bail out on error in for-loops
`make` runs each line in a shell and bails out on error,
however, the shell is not started with `-e`, so commands in
`for` loops can fail without the error actually causing
`make` to bail out with a failure status.

For instance, the following make snippet will end
successfully, printing 'SUCCESS', despite the first `chmod`
failing:

    all:
        touch a b
        for i in a-missing-file a b; do \
            chmod 666 $$i; \
        done
        @echo SUCCESS

To prevent wrong paths in install scripts from remaining
unnoticed, let's activate `set -e` in the `for` loop
subshells.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-12-19 18:54:30 +01:00
Patrick McLean
3cc3948d71 Revert "Honor --sbindir and --bindir for binary installation"
This reverts commit e293aa9cfc.

See https://github.com/shadow-maint/shadow/issues/196

Some distros still care about `/bin` vs `/usr/bin`. This commit makes
it so all binaries are always installed to `/bin`/`/sbin`. The only way to
restore the previous behaviour of installing some binaries to
`/usr/bin`/`/usr/sbin` is to revert the patch.
2019-12-01 13:59:52 -08:00
prez
2958bd050b Initial bcrypt support 2019-12-01 11:00:57 -06:00
Lars Wendler
19bac44dde
build: Make build/installation of su and its support files optional
Enabled by default
This is necessary because coreutils and util-linux can also provide su

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
2019-11-19 11:28:45 +01:00
Michael Vetter
115a4e89e2 Fix typo in access of shell command
Fix typo in 88fa0651bf.
For some reason my git push -f seems not to have worked.
2019-11-12 08:38:08 +01:00
Todd C. Miller
7eca1112fb Fix vipw not resuming correctly when suspended
Closes #185

If vipw is suspended (e.g. via control-Z) and then resumed, it often gets
immediately suspended. This is easier to reproduce on a multi-core system.

root@buster:~# /usr/sbin/vipw

[1]+  Stopped                 /usr/sbin/vipw
root@buster:~# fg
/usr/sbin/vipw

[1]+  Stopped                 /usr/sbin/vipw

root@buster:~# fg
[vipw resumes on the second fg]

The problem is that vipw forks a child process and calls waitpid() with the
WUNTRACED flag. When the child process (running the editor) is suspended, the
parent sends itself SIGSTOP to suspend the main vipw process. However, because
the main vipw is in the same process group as the editor which received the ^Z,
the kernel already sent the main vipw SIGTSTP.

If the main vipw receives SIGTSTP before the child, it will be suspended and
then, once resumed, will proceed to suspend itself again.

To fix this, run the child process in its own process group as the foreground
process group. That way, control-Z will only affect the child process and the
parent can use the existing logic to suspend the parent.
2019-11-11 20:19:57 -06:00
Serge Hallyn
e97df9b1ec
Merge pull request #187 from jubalh/useradd-s
useradd: check for valid shell argument
2019-11-11 18:10:56 -06:00
Michael Vetter
88fa0651bf useradd: check for valid shell argument
Check whether shell argument given with `-s` is actually present and executable.
And is not a directory.

Fix https://github.com/shadow-maint/shadow/issues/186
2019-11-11 13:46:25 +01:00
Christian Göttsche
cbd2472b7c migrate to new SELinux api
Using hard-coded access vector ids is deprecated and can lead to issues with custom SELinux policies.
Switch to `selinux_check_access()`.

Also use the libselinux log callback and log if available to audit.
This makes it easier for users to catch SELinux denials.

Drop legacy shortcut logic for passwd, which avoided a SELinux check if uid 0 changes a password of a user which username equals the current SELinux user identifier.
Nowadays usernames rarely match SELinux user identifiers and the benefit of skipping a SELinux check is negligible.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2019-10-22 14:56:31 +02:00
Serge Hallyn
4e1da34601 compile warnings: Zflg unused when !selinux
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-10-12 20:03:51 -05:00
Serge Hallyn
b03df41906 remove unused variables
parent, user_id, and group_id are unused.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-10-12 20:03:32 -05:00
Serge Hallyn
991fee82df
Merge pull request #180 from thkukuk/libeconf
Add support for a vendor directory and libeconf
2019-10-05 22:34:29 -05:00
Thorsten Kukuk
b52ce71c27 Add support for a vendor directory and libeconf
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where the shadow suite should additional
look for login.defs if this file is not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
2019-10-05 22:17:49 -05:00
Serge Hallyn
e78d22469f
Merge pull request #177 from edneville/conflicts_between_system_users_useradd_and_pwck
pwck.c: only check home dirs if set and not a system user
2019-10-05 22:08:08 -05:00
ed
c4e8b411d4 pwck.c: only check home dirs if set and not a system user
Closes #126

Changelog: pwck, better to look at array than to use strnlen.
2019-10-05 22:04:37 -05:00
Serge Hallyn
3a51b90145
Merge pull request #176 from edneville/force_bad_name
chkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that…
2019-10-04 16:41:39 -07:00
ed
a2cd3e9ef0 chkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that do not conform to standards
Closes #121.

Changelog: squashed commits fixing tab style
Changelog: update 'return true' to match file's style (no parens).
2019-10-04 18:40:41 -05:00
Serge Hallyn
a74587a4ea
Merge pull request #173 from edneville/issue_105_106
useradd.c: including directory name in directory existence error message
2019-08-07 22:44:51 -05:00
Serge Hallyn
1e13749483
Merge pull request #172 from edneville/master
chage.c: add support for YYYY-MM-DD date printing
2019-08-07 22:42:03 -05:00
ed
23262b249c src/useradd.c: including directory name in dir existence error. Prefixing output lines with program name. 2019-08-07 19:41:12 +01:00
ed
5687be5f31 chage.c: add support for YYYY-MM-DD date printing 2019-08-06 19:40:36 +01:00
Dave Reisner
e293aa9cfc Honor --sbindir and --bindir for binary installation
Some distros don't care about the split between /bin, /sbin, /usr/bin,
and /usr/sbin, so let them easily stuff binaries wherever they want.
2019-08-02 18:45:19 -04:00
Dave Reisner
edf7547ad5 Fix failing chmod calls on installation for suidubins
suidubins should be suidusbins, since these binaries are installed
${prefix}/sbin. This historically hasn't broken the build because
chmod of newgidmap/newuidmap succeeds, causing make to think the command
succeeded. Configuring shadow with --with-fcaps removes these final two
entries and exposes the chmod failure to make.
2019-08-02 18:42:34 -04:00
Stanislav Brabec
fc0ed79e5d usermod.c: Fix invalid variable name
Fix invalid LASTLOG_MAX_UID variable name to correct LASTLOG_UID_MAX.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
2019-07-26 21:39:42 +02:00
Adam Majer
50b23584d7 Add autotools support for BtrFS option
Feature is enabled by default, if headers are available. It can be
turned off explictly.
2019-05-03 22:38:23 -07:00
Adam Majer
c1d36a8acb Add support for btrfs subvolumes for user homes
new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.
2019-05-03 22:38:23 -07:00
Serge Hallyn
5837240451 usermod: print "no changes" to stdout, not stderr
Closes #113

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2019-04-21 17:28:12 -05:00
Serge Hallyn
2c8171f8c8
Merge pull request #146 from lamby/reproducible-shadow-files
Make the sp_lstchg shadow field reproducible (re. #71)
2019-04-21 17:13:58 -05:00
Serge Hallyn
fbb59823c5
Merge pull request #143 from t8m/fedora
usermod: Guard against unsafe change of ownership of home contents
2019-04-21 16:56:36 -05:00
Serge Hallyn
fe87a1ad96
Merge pull request #158 from nathanruiz/master
Fix chpasswd long line handling
2019-04-21 16:50:07 -05:00
Nathan Ruiz
a8f7132113 Fix chpasswd long line handling 2019-04-10 07:56:59 +10:00
Chris Lamb
fe34a2a0e4 Make the sp_lstchg shadow field reproducible (re. #71)
From <https://github.com/shadow-maint/shadow/pull/71>:

```
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

username:17238:0:99999:7:::
whilst creating the same user tomorrow will result in:

username:17239:0:99999:7:::
This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.
```

This updated PR adds some missing calls to gettime (). This was originally
filed by Johannes Schauer in Debian as #917773 [2].

[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/
[2] https://bugs.debian.org/917773
2019-03-31 16:00:01 +01:00
Charlie Vuillemez
dd2033c40c Do not flush nscd and sssd cache in read-only mode
Fix #155

signed-off-by: Charlie Vuillemez <cvuillemez@users.noreply.github.com>
2019-02-27 17:40:04 +01:00
Tomas Mraz
5b41b7d1b1 usermod: Guard against unsafe change of ownership of home directory content
In case the home directory is not a real home directory
(owned by the user) but things like / or /var or similar,
it is unsafe to change ownership of home directory content.

The test checks whether the home directory is owned by the
user him/herself, if not no ownership modification of contents
is performed.
2018-12-18 16:32:13 +01:00
Tomas Mraz
4633164857 login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
2018-12-10 13:25:56 -06:00
Serge Hallyn
bb3f810611
Merge pull request #136 from giuseppe/fcap-newuidmap-newgidmap
newuidmap/newgidmap: install with file capabilities
2018-10-27 11:26:31 -05:00
Serge Hallyn
d5255da20b
Merge pull request #132 from giuseppe/no-cap-sys-admin
newuidmap/newgidmap: do not require CAP_SYS_ADMIN in the parent user namespace
2018-10-27 11:22:37 -05:00
Giuseppe Scrivano
70971457b7
newuidmap/newgidmap: install with file capabilities
do not install newuidmap/newgidmap as suid binaries.  Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-24 23:10:59 +02:00
Serge Hallyn
ff8b1ebafa
Merge pull request #118 from AdelieLinux/utmpx-only-support
[WIP] Support systems that only have utmpx
2018-10-23 22:35:19 -05:00
Serge Hallyn
83f1380600
Merge pull request #133 from t8m/trivial
Fix some issues found in Coverity scan.
2018-10-23 22:21:12 -05:00
Giuseppe Scrivano
1ecca8439d
new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS
if the euid!=owner of the userns, the kernel returns EPERM when trying
to write the uidmap and there is no CAP_SYS_ADMIN in the parent
namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-22 16:57:50 +02:00
Tomas Mraz
10e388efc2 useradd: fix segfault trying to overwrite const data with mkstemp
Also fix memory leaks in error paths.
2018-10-12 10:14:02 +02:00
Jakub Hrozek
4aaf05d72e Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-13 14:20:02 +02:00
Serge Hallyn
6bf2d74dfc
Merge pull request #122 from ivladdalvi/nologin-uid
Log UID in nologin
2018-08-13 18:37:02 -05:00
Vladimir Ivanov
4be18d3299 Log UID in nologin
Sometimes getlogin() may fail, e.g., in a chroot() environment or due to NSS
misconfiguration. Loggin UID allows for investigation and troubleshooting in
such situation.
2018-08-13 16:46:04 +08:00
Michael Vogt
89b96cb85c su.c: run pam_getenvlist() after setup_env
When "su -l" is used the behaviour is described as similar to
a direct login. However login.c is doing a setup_env(pw) and then a
pam_getenvlist() in this scenario. But su.c is doing it the other
way around. Which means that the value of PATH from /etc/environment
is overriden. I think this is a bug because:

The man-page claims that "-l": "provides an environment similar
to what the user would expect had the user logged in directly."

And login.c is using the PATH from /etc/environment.

This will fix:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/984390
2018-06-25 16:00:21 +02:00
A. Wilcox
99dbd4b9ee
Support systems that only have utmpx
This allows shadow-utils to build on systems like Adélie, which have no
<utmp.h> header or `struct utmp`.  We use a <utmpx.h>-based daemon,
utmps[1], which uses `struct utmpx` only.

Tested both `login` and `logoutd` with utmps and both work correctly.

[1]: http://skarnet.org/software/utmps/
2018-06-24 00:13:12 -05:00
Michael Vetter
b3b6d9d77c Create parent dirs for useradd -m
Equivalent of `mkdir -p`. It will create all parent directories.
Example: `useradd -d /home2/testu1 -m testu1`

Based on https://github.com/shadow-maint/shadow/pull/2 by Thorsten Kukuk
and Thorsten Behrens which was Code from pwdutils 3.2.2 with slight adaptations.

Adapted to so it applies to current code.
2018-05-15 17:30:34 +02:00
fariouche
73a876a056 Fix usermod crash
Return newly allocated pointers when the caller will free them.

Closes #110
2018-05-08 21:17:46 -05:00
Serge Hallyn
164dcfe65b
Merge pull request #103 from HarmtH/be-predictable
su.c: be more predictable
2018-03-29 23:10:51 -07:00
Serge Hallyn
fb356b1344
Merge pull request #21 from fariouche/master
Add --prefix argument
2018-03-29 22:36:28 -07:00
fariouche
65b4f58703 add --prefix option: some fixes + fixed pwd.lock file location 2018-03-28 21:14:12 +02:00
fariouche
54551c7d6e Merge remote-tracking branch 'upstream/master' 2018-03-28 21:11:36 +02:00
Harm te Hennepe
d877e3fcac su.c: be more predictable
Always parse first non-option as username.
2018-03-27 00:57:21 +02:00
Harm te Hennepe
dbfe7dd42e su.c: fix '--' slurping
All arguments are already reordered and parsed by getopt_long since e663c69, so manual '--' slurping is wrong.

Closes #101
2018-03-26 22:37:56 +02:00
Serge Hallyn
45b4187596 pwconv and grpconv: rewind after deleting an entry
Otherwise our spw_next() will cause us to skip an entry.
Ideally we'd be able to do an swp_rewind(1), but I don't
see a helper for this.

Closes #60

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-25 09:18:22 -05:00
Serge Hallyn
44c63795a7 userdel: fix wrong variable name in tcb case
Found in mandriva distro patch, and with a test build.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 23:44:09 -05:00
Serge Hallyn
36244ac1ff src/Makefile.am: tcb fixes from mandriva
1. suidubins -= was breaking build with WITH_TCB.
2. stick libtcb at end of ldlibs list.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 23:41:23 -05:00
Serge Hallyn
d3790feac0 pwck.c: do not pass O_CREAT
It causes a crash later when we try to close files.

Closes #96

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 20:29:48 -05:00
Serge Hallyn
b63aca9a2c src/Makefile.am: drop duplicate inclusion of chage
Closes #80

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 16:27:20 -05:00
Serge Hallyn
8f2f2a0d9d
Merge pull request #98 from jsoref/spelling
Spelling
2018-03-24 15:54:51 -05:00
Serge Hallyn
5f3e3c2c62
Merge pull request #93 from rahul1809/master
Double freeing up pointers , Causing Segmentation fault
2018-02-19 14:45:13 -06:00
Aleksa Sarai
fb28c99b8a
newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.

This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).

We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".

Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-16 17:56:35 +11:00
fariouche
acaed3deab upstream merge 2018-01-23 23:10:19 +01:00
rahul
bb47fdf25e indentation fix 2018-01-22 17:07:27 +05:30
rahul
97bb5b2b6d added a check to avoid freeing null pointer 2018-01-22 17:05:52 +05:30
Alex Kretzschmar
e91b0f0517 Fixes mispelling of MAX_DAYS help text 2018-01-17 12:21:48 +00:00
Tomas Mraz
2c57c399bf Make userdel to work with -R.
The userdel checks for users with getpwnam() which might not work
properly in chroot. Check for the user's presence in local files only.
2017-12-21 09:12:58 +01:00
Josh Soref
34669aa651 spelling: unrecognized 2017-10-22 21:30:30 +00:00
Josh Soref
6671b44434 spelling: remove 2017-10-22 21:12:29 +00:00
Josh Soref
60891cd197 spelling: logout 2017-10-22 20:28:57 +00:00
Josh Soref
74fcf6f28d spelling: interactive 2017-10-22 20:24:32 +00:00
Josh Soref
62ace035c6 spelling: getxxyyy 2017-10-22 19:16:30 +00:00
Josh Soref
4be6d423e4 spelling: changed 2017-10-22 08:24:23 +00:00
Josh Soref
d0c05b0143 spelling: cannot 2017-10-22 08:05:45 +00:00
Serge Hallyn
056f7352ef Merge pull request #86 from WheresAlice/master
Make language more inclusive
2017-10-06 17:47:31 -05:00
WheresAlice
1e98b3b559 Make language less binary 2017-09-20 17:00:29 +01:00
Tomas Mraz
33f1f69e9c newgrp: avoid unnecessary group lookups
In case a system uses remote identity server (LDAP) the group lookup
can be very slow. We avoid it when we already know the user has the
group membership.
2017-08-14 11:38:46 +02:00
sbts
59fa2c0763 implement and document additional error codes for groupmod add E_CLEANUP_SERVICE, E_PAM_USERNAME, E_PAM_ERROR to groupmod.c and groupmod.8.xml 2017-07-10 21:50:49 -05:00
Adam Majer
992fab50ee support dynamically added users via pam_group
Dynamically added users via pam_group are not listed in groups
databases but are still valid.
2017-05-22 13:42:35 +02:00
Tobias Stoeckmann
7d82f203ee Reset pid_child only if waitpid was successful.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.

This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.

Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2017-05-14 17:58:10 +02:00
Chris Lamb
cb610d54b4 Make the sp_lstchg shadow field reproducible.
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

   username:17238:0:99999:7:::

whilst creating the same user tomorrow will result in:

    username:17239:0:99999:7:::

This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.

 [0] https://reproducible-builds.org/
 [1] https://reproducible-builds.org/specs/source-date-epoch/

Signed-off-by: Chris Lamb <lamby@debian.org>
2017-04-10 22:29:21 +01:00
fariouche
b6b2c756c9 add --prefix option 2017-03-01 22:51:09 +01:00
Tobias Stoeckmann
08fd4b69e8 su: properly clear child PID
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
2017-02-23 09:47:29 -06:00
Adam Majer
759f94e17a Remove extra parenthesis 2017-02-20 14:50:30 +01:00
Adam Majer
90c0525c7e Remove unnecessary static variable usage 2017-02-20 14:48:55 +01:00
Josef Möllers
5ac4918bdd Add error handling in case exec fails
We should print error message if exec fails, for some reason.
2017-02-20 14:32:37 +01:00
David Michael
c6b0664f52 useradd: Read defaults after changing root directories
This reverts the behavior of "useradd --root" to using the settings
from login.defs in the target root directory, not the root of the
executed useradd command.
2017-02-11 08:59:49 -06:00
Josef Moellers
e36c0a418a Deleted a misplaced semicolon. 2017-02-11 08:55:07 -06:00
Micah Anderson
578d495f91 Last bits of enabling subuids
This patch has been carried by Debian, originally
submitted to BTS in #739981
2017-01-18 18:06:05 +01:00
Serge Hallyn
5fc99f02cf Merge pull request #58 from juiceme/master
shadow: Add auditing support to su
2016-12-21 12:41:39 -06:00
Serge Hallyn
411f540590 Fix s/from/to/ in usermod.c error message
Closes #49

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2016-12-21 12:40:08 -06:00
Michael Vetter
b2bd56a012 Reset user in tallylog
The useradd application resets the user data in /var/log/faillog, if it
exists and a new user is created.

pam_tally2 is used in many distributions.

Check for /var/log/tallylog and reset the user there.

Patch was written by Josef Moellers <jmoellers@suse.de>.

https://bugzilla.suse.com/show_bug.cgi?id=980486
2016-12-21 12:36:11 -06:00
Jussi Ohenoja
a3bf32fe87 shadow: Add auditing support to su
This patch extends the auditing feature used in login to su.

Signed-off-by: Jussi Ohenoja <jussi.ohenoja@nokia.com>
2016-12-13 18:44:19 +02:00
Serge Hallyn
9e93c984f7 Merge pull request #17 from wking/includes-to-am-cppflags
*/Makefile.am: Replace INCLUDES with AM_CPPFLAGS
2016-12-07 00:01:54 -06:00
Serge Hallyn
d886cf40ef Merge pull request #48 from t8m/fedora
Four simple patches from the Fedora package to merge
2016-12-02 16:14:24 -06:00
Tomas Mraz
2b820c534d Audit the home directory ownership change. 2016-11-15 16:03:40 +01:00
Tomas Mraz
765993846d Print error message if SELinux file context manipulation fails. 2016-11-15 16:00:51 +01:00
Wolfgang Bumiller
61abb4645c buildsys: fix suidubins assignments
These assignments were pasted as is into the Makefile and
ended up as part of a rule. (Usually the .PRECIOUS rule
which is why the build system never attempted to execute it
as commands, hiding the problem.)

Signed-off-by: Wolfgang Bumiller <wry.git@bumiller.com>
Reported-by: Rahel A <ra00177@surrey.ac.uk>
2016-11-05 16:09:07 +01:00
Matias A. Fonzo
b7fffe8f7e Remove non-POSIX option in chmod(1) used for src/Makefile.am 2016-10-18 15:46:27 -03:00
Serge Hallyn
6564241674 Merge pull request #33 from t8m/master
Fix regression in useradd not loading defaults properly.
2016-09-21 09:12:15 -05:00
Adam Sampson
924cc34647 Use sizeof rather than hardcoding snprintf's size argument. 2016-09-20 08:04:14 +01:00
Serge Hallyn
67d2bb6e0a su.c: fix missing length argument to snprintf 2016-09-18 21:31:18 -05:00
Tomas Mraz
507f96cdeb Fix regression in useradd not loading defaults properly.
The get_defaults() has to be called before processing the flags.

Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
2016-08-25 11:20:34 +02:00
Serge Hallyn
5b017af90d Merge pull request #29 from hemio-ev/lower-su-syslog-priority
Reduces syslog priority of common usage events
2016-08-05 11:59:15 -05:00
Serge Hallyn
ca0ccaba27 Merge pull request #24 from stoeckmann/typos
Fixed typos in new{g,u}idmap tools.
2016-08-04 23:39:25 -05:00
Michael Herold
61fc90b268 Reduces syslog priority of common usage events
- Log INFO instead of ERR on `su missing-user`
- Log NOTICE/WARN instead of ERR on pam_authenticate failure (wrong password for example)
2016-08-04 22:17:31 +02:00
Tobias Stoeckmann
dd50014055 Fixed signal races in shadow tools.
Some of the supplied tools use functions which are not signal-safe.

Most of the times it's exit() vs. _exit().

In other times it's how the standard output or standard error is
handled. FILE-related functions shall be avoided, therefore I replaced
them with write().

Also there is no need to call closelog(). At worst, it allows to
trigger a deadlock by issuing different signal types at bad timings.
But as these fixes are about race conditions, expect bad timings in
general for these bugs to be triggered. :)
2016-07-02 18:11:09 +02:00
Tobias Stoeckmann
a84b0cafdd Fixed typos in new{g,u}idmap tools.
Fixed small typos in manual pages and code comments.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2016-07-02 16:39:18 +02:00
W. Trevor King
c07397695a */Makefile.am: Replace INCLUDES with AM_CPPFLAGS
Catch up with Automake's [1], which was part of v1.6b, cut 2002-07-28
[2].  Avoids:

  $ autoreconf -v -f --install
  ...
  libmisc/Makefile.am:4: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
  ...
  src/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
  ...

Consolidating with the earlier AM_CPPFLAGS avoids:

  $ autoreconf -v -f --install
  src/Makefile.am:72: warning: AM_CPPFLAGS multiply defined in condition TRUE ...
  src/Makefile.am:10: ... 'AM_CPPFLAGS' previously defined here
  autoreconf-2.69: Leaving directory `.'

[1]: http://git.savannah.gnu.org/cgit/automake.git/commit/?id=1415d22f6203206bc393fc4ea233123ba579222d
     Summary: automake.in (generate_makefile): Suggest using AM_CPPFLAGS instead of INCLUDES
     Date: 2002-07-09
[2]: http://git.savannah.gnu.org/cgit/automake.git/tag/?id=Release-1-6b
2016-04-29 17:30:18 -07:00
Tomas Mraz
66897b6f6d Add ability to clear or set lastlog record for user via lastlog command
This functionality is useful because there is now a feature
of Linux-PAM's pam_lastlog module to block expired users (users
which did not login recently enough) from login. This commit
complements it so the sysadmin is able to unblock such expired user.

Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
2016-03-03 15:37:01 +01:00
Serge Hallyn
af064545bf useradd: respect -r flag when allocating subuids
We intend to not create subuids for system users. However we are
checking for command line flags after we check whether -r flag
was set, so it was never found to be true.  Fix that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-18 09:20:43 -08:00
Stéphane Graber
65c2617140
Tweak uid/gid map default configuration
- Use an allocation of 65536 uids and gids to allow for POSIX-compliant
   user owned namespaces.
 - Don't allocate a uid/gid map to system users.
   Unfortunately checking for --system isn't quite enough as some
   distribution wrappers always call useradd without --system and take care
   of choosing a uid and gid themselves, so also check whether the
   requested uid/gid is in the user range.

This is taken from a patch I wrote for Ubuntu a couple years ago and
which somehow didn't make it upstream.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2016-02-15 18:11:10 -05:00
Serge Hallyn
e01bad7d3c Merge pull request #4 from xnox/master
Make shadow more robust in hostile environments
2015-11-12 23:07:29 -06:00
Serge Hallyn
f68f813073 Fix a resource leak in syslog_sg
Reported at https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=315135&group_id=30580
by Alejandro Joya (afjoyacr-guest)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-08-06 00:25:01 -05:00
Serge Hallyn
a887847ca2 Don't limit subuid/subgid support to local users
The current implementation of subuid/subgid support in usermod requires the
user to be a local user present in /etc/passwd.  There doesn't seem to be a
good reason for this; subuids should work equally well for users whose
records are in other NSS databases.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1475749

Author: Steve Langasek <steve.langasek@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-07-20 12:14:26 -05:00
Jesse W. Hathaway
3c32fd4a29 Allow deleting the group even if it is the primary group of a user
This is helpful when using configuration management tools such as
Puppet, where you are managing the groups in a central location and you
don't need this safeguard.

Signed-off-by: "Jesse W. Hathaway" <jesse@mbuki-mvuki.org>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-06-16 14:18:44 -05:00
Hank Leininger
884895ae25 Expand the error message when newuidmap / newgidmap do not like the user/group ownership of their target process.
Currently the error is just:

newuidmap: Target [pid] is owned by a different user

With this patch it will be like:

newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99

Why is this useful?  Well, in my case...

The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid.  This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.

This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.

Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.

Some graceful way of handling this and not failing, will be next ;)  But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.

Thanks!

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-04-06 08:23:36 -05:00
Dimitri John Ledkov
ee43f47f45
Do not fail on missing files in /etc/, create them instead.
passwd, shadow, group, gshadow etc. can be managed via nss -
e.g. system default accounts can be specified using nss_altfiles,
rather than in /etc/. Thus despite having default accounts, these
files can be missing on disk and thus should be opened with O_CREATE
whenever they are attempted to be opened in O_RDWR modes.
2015-02-27 17:01:29 +00:00
Duncan Eastoe
17887b216d Suppress pwconv passwd- chmod failure message
Prevent chmod failure message from displaying if the failure
was due to the backup file not existing.

If there is no backup file present and if no changes have been
made, then this error would always appear since the backup
file isn't created in this situation.

Signed-off-by: Duncan Eastoe <deastoe@Brocade.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-02-17 10:15:02 -06:00
James Le Cuirot
420943657c Fix building without subordinate IDs support
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-09-04 17:29:23 -05:00
Serge Hallyn
4911773b77 From: Svante Signell <svante.signell@gmail.com>
Currently shadow fails to build from source and is flagged as
out-of-date. This is due to a usage of PATH_MAX, which is not defined
on GNU/Hurd. The attached patch solves this problem by allocating a
fixed number of 32 bytes for the string proc_dir_name in files
src/procuidmap.c and src/procgidmap.c. (In fact only 18 bytes are
needed)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-26 16:48:56 -05:00
Nicolas François
5e87ff0615 Improve vipw error report when editor fails
* src/vipw.c: After waitpid(), use errno only if waitpid returned
	-1. Debian#688260
	* src/vipw.c: Likewise for system().
2013-08-25 16:27:58 +02:00
Nicolas François
6f8dd000f6 Improve diagnostic.
* src/usermod.c: Check early if /etc/subuid (/etc/subgid) exists
	when option -v/-V (-w/-W) are provided.
2013-08-15 17:30:19 +02:00
Nicolas François
2e46882a9b Fix parse of ranges.
* src/usermod.c: Fix parse of ranges. The hyphen might be followed
	by a negative integer.
2013-08-15 17:30:19 +02:00
Nicolas François
00f573fce2 Fix copyright dates. 2013-08-13 23:13:26 +02:00
Nicolas François
9951b1f569 Fail in case arguments are provided after options.
* src/vipw.c: Fail in case arguments are provided after options.
	Debian#677812
2013-08-13 23:13:09 +02:00
Nicolas François
8781aff637 Terminate the child before closing the PAM session.
* src/su.c: Terminate the child (if needed) before closing the PAM
	session. This is probably more correct, and avoid reporting
	termination from signals possibly sent by PAM modules (e.g. former
	versions of pam_systemd). Debian#670132
2013-08-13 19:48:53 +02:00
Nicolas François
a5e3dbb0e3 Reset caught variable when signal is handled by su.
* src/su.c: When a SIGTSTP is caught, reset caught to 0. There is
	no need to kill the child in such case after su is resumed. This
	remove the "Session terminated, terminating shell...
	...terminated." messages in such case.
2013-08-13 19:42:50 +02:00
Nicolas François
9126425a21 Improve error reporting.
* src/useradd.c: Change message in case of find_new_sub_uids /
	find_new_sub_gids failure. This complements the messages already
	provided by these APIs.
2013-08-13 00:13:12 +02:00
Nicolas François
d611d54ed4 Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
	--disable-subordinate-ids. Enabled by default.
	* lib/prototypes.h: Include <config.h> before using its macros.
	* lib/commonio.h, lib/commonio.c: Define commonio_append only when
	ENABLE_SUBIDS is defined.
	* lib/prototypes.h, libmisc/find_new_sub_gids.c,
	libmisc/find_new_sub_uids.c: Likewise.
	* lib/subordinateio.h, lib/subordinateio.c: Likewise.
	* libmisc/user_busy.c: Only check if subordinate IDs are in use if
	ENABLE_SUBIDS is defined.
	* src/Makefile.am: Create newgidmap and newuidmap only if
	ENABLE_SUBIDS is defined.
	* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
	subordinate IDs.
	* src/useradd.c: Likewise.
	* src/userdel.c: Likewise.
	* src/usermod.c: Likewise.
	* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
	* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 (not translated yet).
	* man/generate_mans.mak: Add xsltproc conditionals
	subids/no_subids.
	* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
	condition.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/usermod.8.xml: Document options for subordinate IDs and
	reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 15:46:59 +02:00
Nicolas François
1fb1486c8a Ignore generated newgidmap and newuidmap 2013-08-11 14:48:39 +02:00
Nicolas François
94c52130be Fix typos.
* src/usermod.c: Fix typos.
2013-08-06 22:29:40 +02:00
Nicolas François
95d1e146b2 Fix typos.
* man/login.defs.d/SUB_GID_COUNT.xml: Fix typo.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/login.defs.d/SUB_UID_COUNT.xml: Fix copy-paste issue from
	SUB_GID_COUNT.
	* man/newgidmap.1.xml: Fix Typo.
	* src/useradd.c: Fix typos.
	* lib/subordinateio.c: Fix typos.
2013-08-06 20:59:13 +02:00
Eric W. Biederman
673c2a6f9a newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:46 -05:00
Serge Hallyn
c485cfabd8 usermod: add v:w:V:W: to getopt
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:45 -05:00
Serge Hallyn
5f2e4b18f8 Add LIBSELINUX to newuidmap and newgidmap LDADD
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
2cc8c2c0dc newusers: Add support for assiging subordinate uids and gids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
d5b3092331 usermod: Add support for subordinate uids and gids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
87253ca906 useradd: Add support for subordinate user identifiers
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
7296cbdbfe userdel: Add support for removing subordinate user and group ids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Nicolas François
e8ab31d009 Review 52a38d5509
* Changelog: Update documentation of 2013-07-28  mancha entry.
	* lib/prototypes.h, lib/encrypt.c: Update splint marker,
	pw_encrypt can return NULL.
	* lib/encrypt.c: Fix outdated statement on GNU crypt.
	* src/chgpasswd.c: Improve diagnostic to user when pw_encrypt
	fails and use fail_exit() instead of exit().
	* src/chpasswd.c: Likewise.
	* src/newusers.c: Likewise.
	* src/passwd.c: Likewise when new password is encrypted.
	* src/newgrp.c: Improve diagnostic to user and syslog when
	pw_encrypt fails.  Do not apply 1s penalty as this is not an
	invalid password issue.
	* src/passwd.c: Likewise when password is checked.
2013-08-04 00:27:53 +02:00
mancha
52a38d5509 crypt() in glibc/eglibc 2.17 now fails if passed
a salt that violates specs. On Linux, crypt() also fails with
DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns
we send them back to the caller for appropriate handling.
2013-07-28 18:41:11 +02:00
Colin Watson
d172cccd07 Kill the child process group, rather than just the immediate child;
this is needed now that su no longer starts a controlling terminal
when not running an interactive shell (closes: Debian#713979)
2013-07-28 14:38:12 +02:00
nekral-guest
9151e673e4 * NEWS: Set release date. 2012-05-25 11:51:53 +00:00
nekral-guest
f100b5ea7e * src/su.c: non PAM enabled versions: do not fail if su is called
without a controlling terminal. Ignore ENXIO errors when opening
	/dev/tty.
2012-05-20 16:15:14 +00:00
nekral-guest
8690c74d6a * src/useradd.c: Cleanup, return code 13 no more used.
* man/useradd.8.xml: Document return code 14, and remove return
	code 13.
2012-05-20 12:26:54 +00:00
nekral-guest
1a7960421e * src/useradd.c: Keep the default file as much as possible to
avoid issue in case of crash. Use link instead of rename.
2012-05-18 20:28:16 +00:00
nekral-guest
1e0450dfb1 * src/pwunconv.c: Do not check spw_close() return value (file is
opened readonly).
	* src/grpunconv.c: Do not check sgr_close() return value (file is
	opened readonly).
2012-05-18 19:32:32 +00:00