Commit Graph

2362 Commits

Author SHA1 Message Date
Serge Hallyn
46ad1856ac
Merge pull request #277 from whzhe51/br_whzhe
gpasswd.c: fix memory leak in sg_adm
2020-10-02 19:37:20 -05:00
Serge Hallyn
9d3546c695
Merge pull request #281 from towerpark/fix-newxidmap-man
Fix the inaccurate description about ID range in man new{u,g}idmap
2020-10-01 13:26:11 -05:00
towerpark
287a9041a1 Fix the inaccurate description about the ID range to be verified against /etc/sub{u,g}id. 2020-09-26 21:01:01 +09:00
w00475903
22bfaf9e26 gpasswd.c: fix memory leak in sg_adm
Signed-off-by: whzhe <wanghongzhe@huawei.com>
2020-09-24 23:29:53 -04:00
Serge Hallyn
2748b4230a
Merge pull request #279 from juergenhoetzel/fix-de-translation
Fix incorrect translation (de)
2020-09-24 21:59:58 -05:00
Serge Hallyn
6bd08f7d18
Merge pull request #278 from edneville/104_su_waitpid
loop until waitpid returns pid_child or error
2020-09-24 21:58:35 -05:00
Juergen Hoetzel
00f01dd416 Fix incorrect translation (de) 2020-09-23 18:00:00 +02:00
ed neville
01a8df79b3 loop until waitpid returns pid_child or error
closes #104

Signed-off-by: ed neville <ed@s5h.net>
2020-09-20 23:04:11 +01:00
Serge Hallyn
9a10373ddb Revert "su.c: replace getopt with ad-hoc flag processing"
This reverts commit dc732e7734.
2020-08-28 15:16:11 -05:00
Serge Hallyn
b065fa4741 Revert "su.c: s/doshell/do_interactive_shell/"
This reverts commit 6f38f43fdd.
2020-08-28 15:16:04 -05:00
Serge Hallyn
3f35983656 Revert "su.c: implement --exec"
This reverts commit 4047d1fe8e.
2020-08-28 15:15:56 -05:00
Serge Hallyn
c32743808d Revert "Update su tests"
This reverts commit cf8101aaae.
2020-08-28 15:15:47 -05:00
Christian Brauner
ec98f190c1
Merge pull request #275 from hallyn/2020-08-27/test-su
Add tests on top of #254
2020-08-28 12:13:49 +02:00
Serge Hallyn
cf8101aaae Update su tests
Some of these tests seem wrong.  The assume that

    su -- -c command

should work, whereas -- should mean pass all remaining arguments
along to the command.

Add some new tests based on examples in Issue 253

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-08-27 23:59:07 -05:00
Vito Caputo
4047d1fe8e su.c: implement --exec
It's now possible to run commands as other users without shell
interpolation by using "--exec":

Read /etc/shadow as root without specifying user:
```
su --exec /bin/cat -- /etc/shadow
```

Or specify user:
```
su --exec /bin/cat root -- /etc/shadow
```
2020-08-27 23:43:32 -05:00
Vito Caputo
6f38f43fdd su.c: s/doshell/do_interactive_shell/
Mechanical rename distinguishing this variable from intended changes
supporting executing commands without using an interpretive shell
(i.e. no '/bin/sh -c').
2020-08-27 23:43:29 -05:00
Vito Caputo
dc732e7734 su.c: replace getopt with ad-hoc flag processing
In preparation for supporting --exec I was testing the robustness
of "--" handling and it became apparent that things are currently
a bit broken in `su`.

Since "--" is currently of limited utility, as the subsequent
words are simply passed to the shell after "-c","command_string",
it seems to have gone unnoticed for ages.

However, with --exec, it's expected that "--" would be an almost
required separator with every such usage, considering the
following flags must be passed verbatim to execve() and will
likely begin with hyphens looking indistinguishable from any
other flags in lieu of shell interpolation to worry about.

For some practical context of the existing situation, this
invocation doesn't work today:
```
  $ su --command ls -- flags for shell
  No passwd entry for user 'flags'
  $
```

This should just run ls as root with "flags","for","shell"
forwarded to the shell after "-c","ls".

The "--" should block "flags" from being treated as the user.
That particular issue isn't a getopt one per-se, it's arguably
just a bug in su.c's implementation.

It *seemed* like an easy fix for this would be to add a check if
argv[optind-1] were "--" before treating argv[optind] as USER.

But testing that fix revealed getopt was rearranging things when
encountering "--", the "--" would always separate the handled
opts from the unhandled ones.  USER would become shifted to
*after* "--" even when it occurred before it!

If we change the command to specify the user, it works as-is:
```
  $ su --command ls root -- flags for shell
  Password:
  testfile
  $

```

But what's rather surprising is how that works; the argv winds up:

"su","--command","ls","--","root","flags","for","shell"

with optind pointing at "root".

That arrangement of argv is indistinguishable from omitting the
user and having "root","flags","for","shell" as the stuff after
"--".

This makes it non-trivial to fix the bug of omitting user
treating the first word after "--" as the user, which one could
argue is a potentially serious security bug if you omit the user,
expect the command to run as root, and the first word after "--"
is a valid user, and what follows that something valid and
potentially destructive not only running in unintended form but
as whatever user happened to be the first word after "--".

So, it seems like something important to fix, and getopt seems to
be getting in the way of fixing it properly without being more
trouble than replacing getopt.

In disbelief of what I was seeing getopt doing with argv here, I
took a glance at the getopt source and found the following:

```
      /* The special ARGV-element '--' means premature end of options.
	 Skip it like a null option,
	 then exchange with previous non-options as if it were an option,
	 then skip everything else like a non-option.  */

      if (d->optind != argc && !strcmp (argv[d->optind], "--"))
```

I basically never use getopt personally because ages ago it
annoyed me with its terrible API for what little it brought to
the table, and this brings it to a whole new level of awful.
2020-08-27 23:43:25 -05:00
Serge Hallyn
291c6fcc87
Merge pull request #267 from stoeckmann/chage
chage: Prevent signed integer overflows.
2020-08-13 00:34:19 -05:00
Serge Hallyn
94d40b4521
Merge pull request #273 from edneville/trailing_n_in_help_typo
Removing trailing n typo
2020-08-13 00:11:24 -05:00
ed neville
3c9836a298 Removing trailing n typo
Signed-off-by: ed neville <ed@s5h.net>
2020-08-12 17:53:28 +01:00
Serge Hallyn
a271076041
Merge pull request #263 from edneville/261_grpck_questionable_warning
Option to suppress group/gshadow inconsistencies
2020-08-11 13:58:22 -05:00
ed neville
e8c44a4c12 Option to suppress group/gshadow inconsistencies
'gshadow' man page suggests that "You should use the same list of users
as in /etc/group", but not must.

Closes #261
2020-08-11 13:53:48 -05:00
Serge Hallyn
d041eec354
Merge pull request #270 from darktemplarbasealt/fix_resource_leak
Fix potential resource leak in set_selinux_file_context function
2020-08-10 20:34:50 -05:00
Serge Hallyn
b215e9d02c
Merge pull request #268 from stoeckmann/chfn
chfn: Prevent buffer overflow.
2020-08-10 13:45:15 -05:00
Christian Brauner
994a3b463c
Merge pull request #272 from ikerexxe/useradd_covscan
useradd: check return value from chmod and log it
2020-08-10 12:34:52 +02:00
ikerexxe
508b968cb1 useradd: check return value from chmod and log it
covscan was complaining abot calling chmod and ignoring the return
value:
Error: CHECKED_RETURN (CWE-252):
shadow-4.6/src/useradd.c:2084: check_return: Calling
"chmod(prefix_user_home, mode)" without checking return value. This
library function may fail and return an error code.
2082|   		mode_t mode = getdef_num ("HOME_MODE",
2083|   		                          0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
2084|-> 		chmod (prefix_user_home, mode);
2085|   		home_added = true;
2086|   #ifdef WITH_AUDIT
2020-08-10 11:44:00 +02:00
Christian Brauner
6afa2aaf9d
Merge pull request #271 from hallyn/2020-08-08/groupmembers
add -U option to groupadd and groupmod
2020-08-10 10:22:45 +02:00
Serge Hallyn
342c934a35 add -U option to groupadd and groupmod
Add a -U option which adds new usernames as members.  For groupmod,
also add -a (append), without which existing members are removed.

Closes #265
2020-08-09 22:11:33 -05:00
Aleksei Nikiforov
49930bd3a6 Fix potential resource leak in set_selinux_file_context function 2020-08-04 10:24:46 +03:00
Serge Hallyn
7ea342579e useradd: suggest --badnames when given a bad name
Closes #266
2020-07-31 21:29:21 -05:00
Tobias Stoeckmann
875d2d49c1 chfn: Prevent buffer overflow.
This is a stability fix, not a security fix, because the affected -o
option can only be used by root and it takes a modified passwd file.

If a gecos field for a user has BUFSIZ characters without commas and an
equals sign (i.e. a huge slop/extra field) and chfn is called with -o,
then a buffer overflow occurs.

It is not possible to trigger this with shadow tools. Therefore, the
passwd file must be modified manually.

I have fixed this unlikely case the easiest and cleanest way possible.
Since chfn bails out if more than 80 characters excluding commas are
supposed to be written into gecos field, we can stop processing early on
if -o argument is too long.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2020-07-12 19:09:14 +02:00
Tobias Stoeckmann
83aa88466d chage: Prevent signed integer overflows.
This is merely a stability fix, not a security fix.

As the root user, it is possible to set time values which later on
result in signed integer overflows.

For this to work, an sgetspent implementation must be used which
supports long values (glibc on amd64 only parses 32 bit, not 64).
Either use musl or simply call configure with following environment
variable:

$ ac_cv_func_sgetspent=no ./configure

Also it is recommended to compile with -fsanitize=undefined or
-ftrapv to see these issues easily.

Examples to trigger issues when calling "chage -l user":

$ chage -d 9223372036854775807 user

$ chage -d 106751991167300 user
$ chage -M 9999 user

$ chage -d 90000000000000 user
$ chage -I 90000000000000 user
$ chage -M 9999 user

$ chage -E 9223372036854775807 user

While at it, I fixed casting issues which could lead to signed integer
overflows on systems which still have a 32 bit time_t.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2020-07-12 17:56:38 +02:00
Serge Hallyn
607f1dd549 libsubid: fix a prototype in api.h
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-06-19 22:09:20 -05:00
Serge Hallyn
6baeb25038
Merge pull request #234 from edneville/79_userdel
Adding run-parts for userdel
2020-06-10 00:31:10 -05:00
ed
32cfa176f2 Adding run-parts style for pre and post useradd/del
Signed-off-by: ed neville <ed@s5h.net>
2020-06-10 00:26:55 -05:00
Serge Hallyn
b01bd3b139
Merge pull request #250 from hallyn/libsubid
[strawman] Implement libsubid
2020-06-08 00:10:16 -05:00
Serge Hallyn
0a7888b1fa Create a new libsubid
Closes #154

Currently this has three functions: one which returns the
list of subuid ranges for a user, one returning the subgids,
and one which frees the ranges lists.

I might be mistaken about what -disable-man means;  some of
the code suggests it means just don't re-generate them, but
not totally ignore them.  But that doesn't seem to really work,
so let's just ignore man/ when -disable-man.

Remove --disable-shared.  I'm not sure why it was there, but it stems
from long, long ago, and I suspect it comes from some ancient
toolchain bug.

Create a tests/run_some, a shorter version of run_all.  I'll
slowly add tests to this as I verify they work, then I can
work on fixing the once which don't.

Also, don't touch man/ if not -enable-man.

Changelog:
	Apr 22: change the subid list api as recomended by Dan Walsh.
	Apr 23: implement get_subid_owner
	Apr 24: implement range add/release
	Apr 25: finish tests and rebase
	May 10: make @owner const

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:11:58 -05:00
Serge Hallyn
43a917cce5 configure: define abi versions
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:07:23 -05:00
Serge Hallyn
089cf55e2c drop svn complications from test runner
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-06-07 12:07:14 -05:00
Serge Hallyn
316a153abb tests: use git to determine top_dir
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-06-07 12:07:09 -05:00
Serge Hallyn
6e6494680d trivial: drop useless version-info from libshadow_la_LDFLAGS
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:07:00 -05:00
Serge Hallyn
6155e91f4e
Merge pull request #262 from andydna/master
correct grammar in shadow(5)
2020-06-06 12:59:59 -05:00
andydna
967bfb0376 correct grammar in shadow(5) 2020-06-04 22:29:15 -05:00
Serge Hallyn
9cb21c2bdf
Merge pull request #259 from Inrin/lastlog_MaxPadding
Add maximum padding to fit IPv6-Addresses
2020-05-28 14:45:23 -05:00
Serge Hallyn
5cb839d977
Merge pull request #257 from Frans-Spiesschaert/new_dutch_po_branch
(nl) updated Dutch translation
2020-05-26 14:48:48 -05:00
Inrin
b128222477
Add maximum padding to fit IPv6-Addresses
We use a fixed padding for the From column to fit the maximum of a
minimized IPv6-LL-Address and it's interface.
2020-05-24 23:48:25 +02:00
Frans Spiesschaert
fc95155aa4 (nl) updated Dutch translation 2020-05-24 15:26:06 +02:00
Serge Hallyn
320707fcb0
Merge pull request #251 from lifecrisis/nonexistent
Add "NONEXISTENT" to "login.defs"
2020-05-11 09:13:34 -05:00
Jason Franklin
4086aed1ed
Update the "README" file 2020-05-11 09:27:01 -04:00
Jason Franklin
096dad6305
Add "NONEXISTENT.xml" to "man/Makefile.am" 2020-05-11 09:27:00 -04:00