Commit Graph

2010 Commits

Author SHA1 Message Date
Josh Soref
4c22dcfbfd spelling: address 2017-10-22 07:55:43 +00:00
Josh Soref
4f459198db spelling: account 2017-10-22 07:52:04 +00:00
Serge Hallyn
c53e4c1d77
Merge pull request #97 from cyphar/newgidmap-secure-setgroups
newgidmap: enforce setgroups=deny if self-mapping a group
2018-02-16 08:40:39 -06:00
Aleksa Sarai
6d8be68071
README: add Aleksa Sarai to author list
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-16 17:56:36 +11:00
Aleksa Sarai
fb28c99b8a
newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.

This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).

We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".

Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-16 17:56:35 +11:00
Serge Hallyn
c0f0c67864
Merge pull request #92 from IronicBadger/master
Fixes mispelling of MAX_DAYS help text
2018-01-18 22:42:12 -06:00
Alex Kretzschmar
e91b0f0517 Fixes mispelling of MAX_DAYS help text 2018-01-17 12:21:48 +00:00
Serge Hallyn
3f1f999e2d
Merge pull request #90 from t8m/userdel-chroot
Make userdel to work with -R.
2018-01-08 22:57:43 -06:00
Serge Hallyn
c63bc6bfaa
Merge pull request #91 from kloeri/master
Add note to passwd(1) that --maxdays -1 disables the setting.
2018-01-08 22:56:23 -06:00
Bryan Østergaard
a54907dce3 Add note to passwd(1) that --maxdays -1 disables the setting.
This note already exists in chage(1).
2018-01-03 18:36:40 +01:00
Tomas Mraz
2c57c399bf Make userdel to work with -R.
The userdel checks for users with getpwnam() which might not work
properly in chroot. Check for the user's presence in local files only.
2017-12-21 09:12:58 +01:00
Serge Hallyn
056f7352ef Merge pull request #86 from WheresAlice/master
Make language more inclusive
2017-10-06 17:47:31 -05:00
Serge Hallyn
0c2939b331 Merge pull request #82 from t8m/ingroup
newgrp: avoid unnecessary group lookups
2017-10-06 17:45:31 -05:00
Serge Hallyn
68e3d685fd Merge pull request #84 from jubalh/mentionman
Add note about conditional man pages
2017-10-06 17:43:47 -05:00
Serge Hallyn
0209d3f185 Merge pull request #85 from jubalh/nosilent
Add warning when turning off man switch
2017-09-29 10:08:47 -05:00
Michael Vetter
ef6890c31d Add error when turning off man switch
Print a warning and abort in case xsltproc is missing.
2017-09-29 11:01:39 +02:00
WheresAlice
1e98b3b559 Make language less binary 2017-09-20 17:00:29 +01:00
Michael Vetter
223238d265 Add note about conditional man pages
Closes https://github.com/shadow-maint/shadow/issues/83
2017-09-08 22:14:17 +02:00
Tomas Mraz
33f1f69e9c newgrp: avoid unnecessary group lookups
In case a system uses remote identity server (LDAP) the group lookup
can be very slow. We avoid it when we already know the user has the
group membership.
2017-08-14 11:38:46 +02:00
Serge Hallyn
fb04f2723a nl.po: fix some missing newlines
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2017-07-16 17:09:00 -05:00
Serge Hallyn
78d4265f65 Import new Dutch translations.
Thanks to Frans Spiesschaert.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2017-07-16 16:46:21 -05:00
Serge Hallyn
c2aed5345e update changelog for last commit 2017-07-10 21:52:02 -05:00
sbts
2392894eb0 add error constant names to groupmod.8.xml This assists someone wanting to work out what may have caused the error 2017-07-10 21:50:49 -05:00
sbts
59fa2c0763 implement and document additional error codes for groupmod add E_CLEANUP_SERVICE, E_PAM_USERNAME, E_PAM_ERROR to groupmod.c and groupmod.8.xml 2017-07-10 21:50:49 -05:00
Serge Hallyn
7081b2df85 Merge pull request #74 from AdamMajer/upstream
support dynamically added users via pam_group
2017-06-15 22:41:25 -05:00
Serge Hallyn
1f34221552 Merge pull request #76 from edmorley/fix-changelog-dates
Correct wrong year in ChangeLog dates
2017-06-15 22:38:01 -05:00
Ed Morley
c43681a068 Correct wrong year in ChangeLog dates
The recently added entries were actually for 2017.
2017-06-15 14:34:46 +01:00
Adam Majer
992fab50ee support dynamically added users via pam_group
Dynamically added users via pam_group are not listed in groups
databases but are still valid.
2017-05-22 13:42:35 +02:00
Serge Hallyn
15be89f89d release 4.5 2017-05-17 14:33:02 -05:00
Serge Hallyn
d2902c8d3b update Changelog 2017-05-17 14:27:48 -05:00
Serge Hallyn
8e51ec9ee4 Merge pull request #72 from stoeckmann/su-regression
Reset pid_child only if waitpid was successful.
2017-05-14 11:41:40 -05:00
Tobias Stoeckmann
7d82f203ee Reset pid_child only if waitpid was successful.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.

This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.

Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2017-05-14 17:58:10 +02:00
Serge Hallyn
c07711de1d Merge pull request #71 from lamby/sp_lstchg-reproducible-857803
Make the sp_lstchg shadow field reproducible.
2017-04-19 17:11:32 -05:00
Chris Lamb
cb610d54b4 Make the sp_lstchg shadow field reproducible.
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

   username:17238:0:99999:7:::

whilst creating the same user tomorrow will result in:

    username:17239:0:99999:7:::

This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.

 [0] https://reproducible-builds.org/
 [1] https://reproducible-builds.org/specs/source-date-epoch/

Signed-off-by: Chris Lamb <lamby@debian.org>
2017-04-10 22:29:21 +01:00
Serge Hallyn
2f36da5201 Merge pull request #70 from t8m/master
Fix buffer overflow if NULL line is present in db.
2017-04-01 15:46:05 -05:00
Tomas Mraz
954e3d2e71 Fix buffer overflow if NULL line is present in db.
If ptr->line == NULL for an entry, the first cycle will exit,
but the second one will happily write past entries buffer.
We actually do not want to exit the first cycle prematurely
on ptr->line == NULL.
Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
2017-03-31 16:25:06 +02:00
Serge Hallyn
830ae266c4 Merge pull request #68 from yurayko/master
updated russian translation
2017-03-27 08:24:40 -05:00
Serge Hallyn
6eae751e70 user_busy: fix missing close of subuid file on error
Closes #69

Reported-by: plenkow
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2017-03-23 17:07:46 -05:00
Yuri Kozlov
f0e0c35f2b Merge branch 'master' of https://github.com/yurayko/shadow 2017-03-18 10:42:12 +03:00
Yuri Kozlov
dc8253450d updated russian translation 2017-03-18 10:41:13 +03:00
yurayko
8d28d8cca0 Update ru.po 2017-03-18 11:27:34 +04:00
yurayko
274afc2c61 Update ru.po 2017-03-18 11:17:56 +04:00
Yuri Kozlov
5717fe9ca8 updated russian translation 2017-03-05 11:17:27 +03:00
Serge Hallyn
db57db52cf changelog for last commit 2017-02-23 13:44:27 -06:00
Tobias Stoeckmann
08fd4b69e8 su: properly clear child PID
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
2017-02-23 09:47:29 -06:00
Serge Hallyn
24130c882d Merge pull request #67 from AdamMajer/upstream
Print error on exec failure + cosmetic changes
2017-02-21 14:37:42 -06:00
Adam Majer
759f94e17a Remove extra parenthesis 2017-02-20 14:50:30 +01:00
Adam Majer
90c0525c7e Remove unnecessary static variable usage 2017-02-20 14:48:55 +01:00
Josef Möllers
5ac4918bdd Add error handling in case exec fails
We should print error message if exec fails, for some reason.
2017-02-20 14:32:37 +01:00
Serge Hallyn
3f9af9deb9 Update changelog 2017-02-11 09:03:56 -06:00