Commit Graph

2848 Commits

Author SHA1 Message Date
Guillem Jover
2a5b8810bb agetpass: Hook into build-system
Signed-off-by: Guillem Jover <guillem@hadrons.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-05 10:47:19 +01:00
Alejandro Colomar
ab91ec10b4 Hide [[gnu::malloc(deallocator)]] in a macro
Clang doesn't implement this attribute and reports an error.  Work
around it by hiding it in a macro that will be empty in clang.

Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-05 10:47:19 +01:00
Alejandro Colomar
554f86bafa Replace the deprecated getpass(3) by our agetpass()
getpass(3) is broken in all implementations; in some, more than
others, but somewhat broken in all of them.  Check the immediate
previous commit, which added the functions, for more details.
Check also the Linux man-pages commit that marked it as
deprecated, for more details:
7ca189099d73bde954eed2d7fc21732bcc8ddc6b.

Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b>
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-05 10:47:19 +01:00
Alex Colomar
155c9421b9 libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely
There are several issues with getpass(3).

Many implementations of it share the same issues that the infamous
gets(3).  In glibc it's not so terrible, since it's a wrapper
around getline(3).  But it still has an important bug:

If the password is long enough, getline(3) will realloc(3) memory,
and prefixes of the password will be laying around in some
deallocated memory.

See the getpass(3) manual page for more details, and especially
the commit that marked it as deprecated, which links to a long
discussion in the linux-man@ mailing list.

So, readpassphrase(3bsd) is preferrable, which is provided by
libbsd on GNU systems.  However, using readpassphrase(3) directly
is a bit verbose, so we can write our own wrapper with a simpler
interface similar to that of getpass(3).

One of the benefits of writing our own interface around
readpassphrase(3) is that we can hide there any checks that should
be done always and which would be error-prone to repeat every
time.  For example, check that there was no truncation in the
password.

Also, use malloc(3) to get the buffer, instead of using a global
buffer.  We're not using a multithreaded program (and it wouldn't
make sense to do so), but it's nice to know that the visibility of
our passwords is as limited as possible.

erase_pass() is a clean-up function that handles all clean-up
correctly, including zeroing the entire buffer, and then
free(3)ing the memory.  By using [[gnu::malloc(erase_pass)]], we
make sure that we don't leak the buffers in any case, since the
compiler will be able to enforce clean up.

Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b>
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-05 10:47:19 +01:00
Alex Colomar
8cce4557e0 Don't 'else' after a 'noreturn' call
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-05 10:47:19 +01:00
Iker Pedrosa
99ce21a313 CI: add libbsd and pkg-config dependencies
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-11-28 09:07:41 -06:00
Florian Weimer
a281f241b5 Fix HAVE_SHADOWGRP configure check
The missing #include <gshadow.h> causes the configure check to fail
spuriously, resulting in HAVE_SHADOWGRP not being defined even
on systems that actually have sgetsgent (such as current glibc).
2022-11-21 08:06:14 -06:00
Andy Zaugg
e8d2bc8d8b Allow supplementary groups to be added via config file
Allow supplementary groups to be set via the /etc/default/useradd config
file. Allowing an administrator to set additonal groups via the GROUPS
configurable and control the default behaviour of useradd.
2022-11-18 15:10:56 -06:00
Iker Pedrosa
e0524e813a useradd: check if subid range exists for user
Check if a user already has a subid range before assigning one.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-11-18 09:04:42 -06:00
Serge Hallyn
24b44b686e Release 4.13
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-11-08 10:29:30 -06:00
Serge Hallyn
690bd8a878 update changelog 2022-11-08 10:28:10 -06:00
Serge Hallyn
90424e7c20 Don't warn when failed to open /etc/nsswitch.conf
Maybe we should have a debug mode where it's still printed, but
we don't, so let's be quieter.

Closes #557
2022-11-08 10:18:17 -06:00
David Michael
eaebea55a4 useradd: Fix buffer overflow when using a prefix
The buffer length did not count the string's trailing null byte.

Signed-off-by: David Michael <fedora.dm0@gmail.com>
2022-10-24 16:15:13 -05:00
Alejandro Colomar
0336454503 adduser-old.c: Remove program
This program has 10 calls to gets(3) according to grep(1).  That
makes it a very unsafe program which should not be used at all.
Let's kill the program already.

See what gets(3) has to say:

SYNOPSIS
       #include <stdio.h>

       [[deprecated]] char *gets(char *s);

DESCRIPTION
       Never use this function.

       ...

BUGS
       Never use gets().  Because it is impossible to tell with‐
       out knowing the  data  in  advance  how  many  characters
       gets()  will  read,  and  because gets() will continue to
       store characters past the end of the buffer,  it  is  ex‐
       tremely dangerous to use.  It has been used to break com‐
       puter security.  Use fgets() instead.

       For more information, see CWE‐242 (aka "Use of Inherently
       Dangerous Function") at http://cwe.mitre.org/data/defini‐
       tions/242.html

Acked-by: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-10-17 09:06:08 -05:00
Iker Pedrosa
16afe18142 Raise limit for passwd and shadow entry length
Moreover, include checks to prevent writing entries longer than the
length limit.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1422497

Signed-off-by: Tomáš Mráz <tm@t8m.info>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-10-14 10:41:40 +02:00
Iker Pedrosa
fbf275da19 lastlog: check for localtime() return value
Signed-off-by: Tomáš Mráz <tm@t8m.info>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-10-07 09:53:02 -05:00
Iker Pedrosa
1e5f9a72b0 man: add missing space in useradd.8.xml
Resolves: https://github.com/shadow-maint/shadow/issues/580

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-10-07 12:35:35 +02:00
xyz
e5db28a4bf fix usermod -rG x y while user y is not in group x will cause user y add into group x 2022-10-06 20:29:44 -05:00
Iker Pedrosa
d324c6776b libmisc: minimum id check for system accounts
The minimum id allocation for system accounts shouldn't be 0 as this is
reserved for root.

Signed-off-by: Tomáš Mráz <tm@t8m.info>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-10-06 20:09:35 -05:00
Iker Pedrosa
ead03afeba usermod: report error if homedir does not exist
Report error if usermod asked for moving homedir and it does not exist.

Signed-off-by: Tomáš Mráz <tm@t8m.info>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-10-06 20:08:51 -05:00
Xiami
e503fd574b chage: Fix regression in print_date
Introduced by c6c8130db4

After removing snprintf, the format string should get unescaped once.

Fixes #564

Reporter and patch author: DerMouse (github.com/DerMouse)
2022-10-05 12:43:45 +02:00
Alejandro Colomar
3dc1754e50 Use libc MAX() and MIN()
glibc, musl, FreeBSD, and OpenBSD define the MAX() and MIN()
macros in <sys/param.h> with the same definition that we use.
Let's not redefine it here and use the system one, as it's
effectively the same as we define (modulo whitespace).

See:

shadow (previously):

alx@asus5775:~/src/shadow/shadow$ grepc -ktm MAX
./lib/defines.h:318:#define MAX(x,y) (((x) > (y)) ? (x) : (y))

glibc:

alx@asus5775:~/src/gnu/glibc$ grepc -ktm -x 'sys/param.h$' MAX
./misc/sys/param.h:103:#define MAX(a,b) (((a)>(b))?(a):(b))

musl:

alx@asus5775:~/src/musl/musl$ grepc -ktm -x 'sys/param.h$' MAX
./include/sys/param.h:19:#define MAX(a,b) (((a)>(b))?(a):(b))

OpenBSD:

alx@asus5775:~/src/bsd/openbsd/src$ grepc -ktm -x 'sys/param.h$' MAX
./sys/sys/param.h:193:#define	MAX(a,b) (((a)>(b))?(a):(b))

FreeBSD:

alx@asus5775:~/src/bsd/freebsd/freebsd-src$ grepc -ktm -x 'sys/param.h$' MAX
./sys/sys/param.h:333:#define	MAX(a,b) (((a)>(b))?(a):(b))

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-30 16:13:36 -05:00
Alex Colomar
0d9799de04 Don't test for NULL before calling free(3)
free(3) accepts NULL, since the oldest ISO C.  I guess the
paranoid code was taking care of prehistoric implementations of
free(3).  I've never known of an implementation that doesn't
conform to this, so let's simplify this.

Remove xfree(3), which was effectively an equivalent of free(3).

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-29 16:03:53 +02:00
Frans Spiesschaert
1b0e189e35 updated Dutch translation 2022-09-27 16:01:31 -05:00
Christian Göttsche
8e53db927a lib: use memzero where applicable
Use memzero when operating in a buffer of known size to clear all bytes
and avoid leaking the size of the stored data.
2022-09-27 16:52:06 +02:00
Christian Göttsche
e74bfe2c75 lib: use strzero where applicable
Replace `memzero (s, strlen(s))` with just the internal wrapper
`strzero (s)` where the underlying allocated size is not known.
2022-09-27 16:52:06 +02:00
Luca BRUNO
14e7caf6b2 lib/commonio: make lock failures more detailed
This tweaks the database locking logic so that failures in the
link-checking paths are more detailed.
The rationale for this is that I've experienced a non-deterministic
bug which seems to be coming from this logic, and I'd like to get
more details about the actual failing condition.
2022-09-15 10:31:13 -05:00
Samanta Navarro
cde221b858 copy_tree: carefully treat permissions
The setuid, setgid, and sticky bits are not copied during copy_tree.

Also start with very restrictive permissions before setting ownerships.

This prevents situations in which users in a group with less permissions
than others could win a race in opening the file before permissions are
removed again.

Proof of concept:

$ echo $HOME
/home/uwu
$ install -o uwu -g fandom -m 604 /dev/null /home/uwu/owo
$ ls -l /home/uwu/owo
-rw----r-- 1 uwu fandom 0 Sep  4 00:00 /home/uwu/owo

If /tmp is on another filesystem, then "usermod -md /tmp/uwu uwu" leads
to this temporary situation:

$ ls -l /tmp/uwu/owo
-rw----r-- 1 root root  0 Sep  4 00:00 /tmp/uwu/owo

This means that between openat and chownat_if_needed a user of group
fandom could open /tmp/uwu/owo and read the content when it is finally
written into the file.
2022-09-14 10:11:32 +02:00
Jan Macku
f33e7def06 ci(lint): add shell linter - Differential ShellCheck
It performs differential ShellCheck scans and report results directly in pull request.

documentation: https://github.com/redhat-plumbers-in-action/differential-shellcheck

Signed-off-by: Jan Macku <jamacku@redhat.com>
2022-09-12 19:29:24 -05:00
Samanta Navarro
10cd68e0f0 copy_tree: do not block on fifos
Fixes regression introduced in faeab50e71.

If a directory contains fifos, then openat blocks until the other side
of the fifo is connected as well.

This means that users can prevent "usermod -m" from completing if their
home directories contain at least one fifo.
2022-09-09 15:19:12 +02:00
Samanta Navarro
f3bdb28e57 copy_tree: use fchmodat instead of chmod
Fixes regression introduced in faeab50e71
for setups configured without acl support.
2022-09-09 15:19:12 +02:00
genBTC
23634d8de7 useradd: check MLS enablement before setting serange Resolves: https://github.com/shadow-maint/shadow/issues/552 2022-09-02 20:29:34 -05:00
Alexander Kanavin
cfc981df2a shadow: use relaxed usernames
The groupadd from shadow does not allow upper case group names, the
same is true for the upstream shadow. But distributions like
Debian/Ubuntu/CentOS has their own way to cope with this problem,
this patch is picked up from Fedora [1] to relax the usernames
restrictions to allow the upper case group names, and the relaxation is
POSIX compliant because POSIX indicate that usernames are composed of
characters from the portable filename character set [A-Za-z0-9._-].

[1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
2022-09-02 20:27:14 -05:00
NorwayFun
9e1c0ffef4 po: Georgian translation
po: Georgian translation
2022-09-02 20:21:42 -05:00
NorwayFun
78378400b9 po: Georgian translation
po: Georgian translation
2022-09-02 20:21:42 -05:00
David Kalnischkies
ebf9b232b0 useradd: Do not reset non-existent data in {last,fail}log
useradd does not create the files if they don't exist, but if they exist
it will reset user data even if the data did not exist before creating
a hole and an explicitly zero'd data point resulting (especially for
high UIDs) in a lot of zeros ending up in containers and tarballs.
2022-08-31 16:13:46 +02:00
Serge Hallyn
7136e24f8a Revert "Drop unused function subid_init()"
As rbalint points out, this was an exported fn.  It also is
the only way for a libsubid user to do what it does, so let's
not drop it.

This reverts commit 477c8e6f42.
2022-08-21 13:20:56 -05:00
Tim Biermann
eb3562f3c0 useradd.8.xml: fix default group id from 100 to 1000 according to bbf4b79 2022-08-21 13:17:38 -05:00
Serge Hallyn
238aa92948 Release 4.12.2 with CVE fix
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-08-18 16:54:21 -05:00
Christian Göttsche
faeab50e71 Avoid races in copy_tree()
Use *at() functions to pin the directory operating in to avoid being
redirected by unprivileged users replacing parts of paths by symlinks to
privileged files.

Introduce a path_info struct with the full path and dirfd and name
information for *at() functions, since the full path is needed for link
resolution, SELinux label lookup and ACL attributes.
2022-08-17 12:34:01 -05:00
Christian Göttsche
6cbec2d0aa Address minor compiler warnings
copydir.c:666:44: warning: unsigned conversion from 'int' to '__mode_t' {aka 'unsigned int'} changes value from '-4096' to '4294963200' [-Wsign-conversion]
      666 |         if (   (mknod (dst, statp->st_mode & ~07777, statp->st_rdev) != 0)
          |                                            ^

    copydir.c:116:1: warning: missing initializer for field 'quote' of 'struct error_context' [-Wmissing-field-initializers]
      116 | };
          | ^
    In file included from copydir.c:27:
    /usr/include/attr/error_context.h:30:23: note: 'quote' declared here
       30 |         const char *(*quote) (struct error_context *, const char *);
          |                       ^~~~~
2022-08-17 12:34:01 -05:00
Christian Göttsche
f606314f0c More robust file content copy in copy_tree()
Bail out on read(2) failure, continue on EINTR, support short writes and
increase chunk size.
2022-08-17 12:34:01 -05:00
Christian Göttsche
1d281273b1 Fail if regular file pre-exists in copy_tree()
Similar to the default behavior of mkdir(2), symlink(2), link(2) and
mknod(2).
2022-08-17 12:34:01 -05:00
Christian Göttsche
dab764d019 Require symlink support
Require lstat(2), lchown(2), S_IFLNK and S_ISLNK from POSIX.1-2001.

Already unconditionally used in lib/tcbfuncs.c and lib/run_part.c.
2022-08-17 12:34:01 -05:00
Christian Göttsche
f6f8bcd2a5 Avoid races in remove_tree()
Use *at() functions to pin the directory operating in to avoid being
redirected by unprivileged users replacing parts of paths by symlinks to
privileged files.
2022-08-17 12:34:01 -05:00
Christian Göttsche
e9ae247cb1 Avoid races in chown_tree()
Use *at() functions to pin the directory operating in to avoid being
redirected by unprivileged users replacing parts of paths by symlinks to
privileged files.
2022-08-17 12:34:01 -05:00
Serge Hallyn
4b3dde0b11 Release 4.12
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-08-15 12:16:41 -05:00
Serge Hallyn
68bf7189e0 uk has no limits.5 translation
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-08-12 13:24:24 -05:00
Serge Hallyn
ef79a4d8c8 Add uk to list of man subdirs
Closes #547

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-08-12 13:24:24 -05:00
Serge Hallyn
25337787e7 Release 4.12
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-08-11 11:04:18 -05:00