emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity
2,027 Commits 1 Branch 1 Tag 20 MiB
310ef194a1
Commit Graph

2027 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Josh Soref
310ef194a1 spelling: close 2017-10-22 18:25:14 +00:00
Josh Soref
daf30eff79 spelling: chpasswd 2017-10-22 18:23:41 +00:00
Josh Soref
a90585f1d6 spelling: checking 2017-10-22 18:22:12 +00:00
Josh Soref
4be6d423e4 spelling: changed 2017-10-22 08:24:23 +00:00
Josh Soref
2db724bc50 spelling: change 2017-10-22 08:24:59 +00:00
Josh Soref
452b9c26e4 spelling: categories 2017-10-22 08:08:07 +00:00
Josh Soref
d0c05b0143 spelling: cannot 2017-10-22 08:05:45 +00:00
Josh Soref
36aeb4e9ee spelling: built 2017-10-22 18:41:48 +00:00
Josh Soref
f8d4b66edd spelling: better 2017-10-22 08:05:08 +00:00
Josh Soref
483de7d614 spelling: beginning 2017-10-22 08:04:51 +00:00
Josh Soref
a95ed40bf0 spelling: available 2017-10-22 08:02:00 +00:00
Josh Soref
686efcfcb1 spelling: attributes 2017-10-22 07:59:41 +00:00
Josh Soref
bd6f2760a3 spelling: at the 2017-10-22 08:00:59 +00:00
Josh Soref
15631009b4 spelling: applied 2017-10-22 07:57:56 +00:00
Josh Soref
8eb822ebf3 spelling: anonymous 2017-10-22 07:56:49 +00:00
Josh Soref
aa95b1b763 spelling: always 2017-10-22 07:56:16 +00:00
Josh Soref
92e3a5e386 spelling: allowed 2017-10-22 07:56:05 +00:00
Josh Soref
4c22dcfbfd spelling: address 2017-10-22 07:55:43 +00:00
Josh Soref
4f459198db spelling: account 2017-10-22 07:52:04 +00:00
Serge Hallyn
c53e4c1d77
Merge pull request #97 from cyphar/newgidmap-secure-setgroups 
newgidmap: enforce setgroups=deny if self-mapping a group
 2018-02-16 08:40:39 -06:00
Aleksa Sarai
6d8be68071
README: add Aleksa Sarai to author list 
Signed-off-by: Aleksa Sarai <asarai@suse.de>
 2018-02-16 17:56:36 +11:00
Aleksa Sarai
fb28c99b8a
newgidmap: enforce setgroups=deny if self-mapping a group 
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.

This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).

We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".

Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
 2018-02-16 17:56:35 +11:00
Serge Hallyn
c0f0c67864
Merge pull request #92 from IronicBadger/master 
Fixes mispelling of MAX_DAYS help text
 2018-01-18 22:42:12 -06:00
Alex Kretzschmar
e91b0f0517 Fixes mispelling of MAX_DAYS help text 2018-01-17 12:21:48 +00:00
Serge Hallyn
3f1f999e2d
Merge pull request #90 from t8m/userdel-chroot 
Make userdel to work with -R.
 2018-01-08 22:57:43 -06:00
Serge Hallyn
c63bc6bfaa
Merge pull request #91 from kloeri/master 
Add note to passwd(1) that --maxdays -1 disables the setting.
 2018-01-08 22:56:23 -06:00
Bryan Østergaard
a54907dce3 Add note to passwd(1) that --maxdays -1 disables the setting. 
This note already exists in chage(1).
 2018-01-03 18:36:40 +01:00
Tomas Mraz
2c57c399bf Make userdel to work with -R. 
The userdel checks for users with getpwnam() which might not work
properly in chroot. Check for the user's presence in local files only.
 2017-12-21 09:12:58 +01:00
Serge Hallyn
056f7352ef Merge pull request #86 from WheresAlice/master 
Make language more inclusive
 2017-10-06 17:47:31 -05:00
Serge Hallyn
0c2939b331 Merge pull request #82 from t8m/ingroup 
newgrp: avoid unnecessary group lookups
 2017-10-06 17:45:31 -05:00
Serge Hallyn
68e3d685fd Merge pull request #84 from jubalh/mentionman 
Add note about conditional man pages
 2017-10-06 17:43:47 -05:00
Serge Hallyn
0209d3f185 Merge pull request #85 from jubalh/nosilent 
Add warning when turning off man switch
 2017-09-29 10:08:47 -05:00
Michael Vetter
ef6890c31d Add error when turning off man switch 
Print a warning and abort in case xsltproc is missing.
 2017-09-29 11:01:39 +02:00
WheresAlice
1e98b3b559 Make language less binary 2017-09-20 17:00:29 +01:00
Michael Vetter
223238d265 Add note about conditional man pages 
Closes https://github.com/shadow-maint/shadow/issues/83
 2017-09-08 22:14:17 +02:00
Tomas Mraz
33f1f69e9c newgrp: avoid unnecessary group lookups 
In case a system uses remote identity server (LDAP) the group lookup
can be very slow. We avoid it when we already know the user has the
group membership.
 2017-08-14 11:38:46 +02:00
Serge Hallyn
fb04f2723a nl.po: fix some missing newlines 
Signed-off-by: Serge Hallyn <serge@hallyn.com>
 2017-07-16 17:09:00 -05:00
Serge Hallyn
78d4265f65 Import new Dutch translations. 
Thanks to Frans Spiesschaert.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
 2017-07-16 16:46:21 -05:00
Serge Hallyn
c2aed5345e update changelog for last commit 2017-07-10 21:52:02 -05:00
sbts
2392894eb0 add error constant names to groupmod.8.xml This assists someone wanting to work out what may have caused the error 2017-07-10 21:50:49 -05:00
sbts
59fa2c0763 implement and document additional error codes for groupmod add E_CLEANUP_SERVICE, E_PAM_USERNAME, E_PAM_ERROR to groupmod.c and groupmod.8.xml 2017-07-10 21:50:49 -05:00
Serge Hallyn
7081b2df85 Merge pull request #74 from AdamMajer/upstream 
support dynamically added users via pam_group
 2017-06-15 22:41:25 -05:00
Serge Hallyn
1f34221552 Merge pull request #76 from edmorley/fix-changelog-dates 
Correct wrong year in ChangeLog dates
 2017-06-15 22:38:01 -05:00
Ed Morley
c43681a068 Correct wrong year in ChangeLog dates 
The recently added entries were actually for 2017.
 2017-06-15 14:34:46 +01:00
Adam Majer
992fab50ee support dynamically added users via pam_group 
Dynamically added users via pam_group are not listed in groups
databases but are still valid.
 2017-05-22 13:42:35 +02:00
Serge Hallyn
15be89f89d release 4.5 2017-05-17 14:33:02 -05:00
Serge Hallyn
d2902c8d3b update Changelog 2017-05-17 14:27:48 -05:00
Serge Hallyn
8e51ec9ee4 Merge pull request #72 from stoeckmann/su-regression 
Reset pid_child only if waitpid was successful.
 2017-05-14 11:41:40 -05:00
Tobias Stoeckmann
7d82f203ee Reset pid_child only if waitpid was successful. 
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.

This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.

Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 2017-05-14 17:58:10 +02:00
Serge Hallyn
c07711de1d Merge pull request #71 from lamby/sp_lstchg-reproducible-857803 
Make the sp_lstchg shadow field reproducible.
 2017-04-19 17:11:32 -05:00