Commit Graph

2553 Commits

Author SHA1 Message Date
Tobias Stoeckmann
624d57c08c Improve child error handling
Always set SIGCHLD handler to default, even if the caller of vipw has
set SIGCHLD to ignore. If SIGCHLD is ignored no zombie processes would
be created, which in turn could mean that kill is called with an already
recycled pid.

Proof of Concept:

1. Compile nochld:
 --
 #include <signal.h>
 #include <unistd.h>
 int main(void) {
 char *argv[] = { "vipw", NULL };
 signal(SIGCHLD, SIG_IGN);
 execvp("vipw", argv);
 return 1;
 }
 --
2. Run nochld
3. Suspend child vi, which suspends vipw too:
`kill -STOP childpid`
4. Kill vi:
`kill -9 childpid`
5. You can see with ps that childpid is no zombie but disappeared
6. Bring vipw back into foreground
`fg`

The kill call sends SIGCONT to "childpid" which in turn could have been
already recycled for another process.

This is definitely not a vulnerability. It would take super user
operations, at which point an attacker would have already elevated
permissions.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2021-11-14 12:01:32 +01:00
Serge Hallyn
387da46d73
Merge pull request #423 from lrh2000/su-fix-sigkill
su: Fix never alarmed SIGKILL when session terminates
2021-10-31 12:36:03 -05:00
Serge Hallyn
b17a17c93d
Merge pull request #432 from galaxy4public/tcb-missing-chmod
Add missing chmod() for shadowtcb_move()
2021-10-30 11:02:12 -05:00
Serge Hallyn
1ff0b37134
Merge pull request #433 from stoeckmann/hushed
Handle malformed lines in hushlogins file.
2021-10-30 09:34:55 -05:00
Tobias Stoeckmann
63a96706b1 Handle malformed lines in hushlogins file.
If a line in hushlogins file, e.g. /etc/hushlogins, starts with
'\0', then current code performs an out of boundary write.
If the line lacks a newline at the end, then another character is
overridden.

With strcspn both cases are solved.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2021-10-29 19:50:38 +02:00
(GalaxyMaster)
a97399dd0a Add missing chmod()
During shadowtcb_move() the directory is temporarily changed to be
owned by root:root with permissions 0700.  After the change is done,
the ownership and permissions were supposed to be restored.  The
call for chown() was there, but the chmod() call was missing.  This
resulted in the broken TCB functionality.  The added chmod() fixes
the issue.
2021-10-28 11:16:59 +11:00
Serge Hallyn
f2476d3ce8
Merge pull request #430 from galaxy4public/libsubid-static
Fixes the linking issues when libsubid is static and linked to
2021-10-27 08:31:23 -05:00
(GalaxyMaster)
fc832e4648 Fixes the linking issues when libsubid is static and linked to
binaries that also define the Prog and shadow_logfd variables.
2021-10-27 20:14:42 +11:00
Serge Hallyn
7d02af944f
Merge pull request #422 from ikerexxe/home_selinux_user
Create the home and mail directories with SELinux user label
2021-10-26 20:08:21 -05:00
Serge Hallyn
82b5983301 Add Christian Brauner to SECURITY.md
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-10-25 14:26:37 -05:00
Iker Pedrosa
234af5cf67 semanage: close the selabel handle
Close the selabel handle to update the file_context. This means that the
file_context will be remmaped and used by selabel_lookup() to return
the appropriate context to label the home folder.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-10-25 09:55:31 +02:00
Iker Pedrosa
09c752f00f useradd: create directories after the SELinux user
Create the home and mail folders after the SELinux user has been set for
the added user. This will allow the folders to be created with the
SELinux user label.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-10-25 09:55:27 +02:00
Ruihan Li
5b4082d007 su: Fix never alarmed SIGKILL when session terminates
The buggy code was introduced nearly 5 years ago at the
commit 08fd4b69e8. The
desired behavior is that SIGKILL will be sent to the
child if it does not exit within 2 seconds after it
receives SIGTERM. However, SIGALRM is masked while
waiting for the child so it cannot wake the program
up after 2 seconds to send SIGKILL.

An example shows the buggy behavior, which exists in
Ubuntu 18.04 LTS (with login 1:4.5-1ubuntu2).
```bash
user1@localhost:~$ su user2 -c '
_term() {
  echo SIGTERM received
}
trap _term TERM

while true; do
  sleep 1
  echo still alive
done'
Password:
still alive

Session terminated, terminating shell...Terminated
SIGTERM received
still alive
still alive
still alive
still alive
```
(SIGTERM is sent in another user1's terminal by
executing `killall su`.)

Here is the desired behavior, which shows what the
commit fixes.
```bash
user1@localhost:~$ su user2 -c '
_term() {
  echo SIGTERM received
}
trap _term TERM

while true; do
  sleep 1
  echo still alive
done'
Password:
still alive

Session terminated, terminating shell...Terminated
SIGTERM received
still alive
still alive
 ...killed.
user1@localhost:~$ echo $?
255
```
2021-10-25 13:39:41 +08:00
Serge Hallyn
cdc8c1e25b
Create SECURITY.md
Barebones to unblock current reporters.
2021-10-23 09:34:48 -05:00
Serge Hallyn
4bec156db1
Merge pull request #426 from hallyn/2021-10-15/man 2021-10-20 15:16:06 -05:00
Serge Hallyn
33f85e93a1 manpages: fix 'File Formats and Conversions"
Closes #416

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-10-15 16:28:12 -05:00
Serge Hallyn
6be18d45e1 initial github actions attempt
Closes #415
2021-10-15 16:21:19 -05:00
Andy Zaugg
7e2b522a15 Added a new configurable LOG_INIT to useradd
In some circumstances I want the default behaviour of useradd to
not add user entries to the lastlog and faillog databases. Allowing
this options behaviour to be controlled by the config file
/etc/default/useradd.
2021-10-15 16:20:52 -05:00
Andy Zaugg
d7e2bd6fe1 Added documentation around CREATE_MAIL_SPOOL
Adding documentation aroud the parameter CREATE_MAIL_SPOOL in the
/etc/default/useradd file
2021-10-15 16:20:52 -05:00
Serge Hallyn
4ad2697cc4
Merge pull request #412 from ljmf00/fix-trailing-whitespaces
treewide: remove trailing whitespaces
2021-09-27 10:12:24 -05:00
Serge Hallyn
5bb28a0a7f
Merge pull request #417 from jubalh/doublefree
Only free sgent if it was initialized
2021-09-27 10:10:22 -05:00
Serge Hallyn
4b85dc66d4
Merge pull request #420 from AZaugg/issue419
Fix parentheses in configure.ac
2021-09-27 08:48:24 -05:00
Andy Zaugg
049f9a7f6b Fix parentheses in configure.ac
Resolving issue https://github.com/shadow-maint/shadow/issues/419
2021-09-22 09:42:15 -07:00
Michael Vetter
117bc66c6f Only free sgent if it was initialized
`sgent` is only initialized in `get_group()` if `is_shadowgrp` is true.
So we should also only attempt to free it if this is actually the case.

Can otherwise lead to:
```
free() double free detected in tcache 2 (gpasswd)
```
2021-09-20 11:04:50 +02:00
Serge Hallyn
26bbee8c86
Merge pull request #414 from Frans-Spiesschaert/new_dutch_po_branch
updated Dutch translation
2021-09-14 10:01:17 -05:00
Frans Spiesschaert
ab9fad7943 updated Dutch translation 2021-09-13 21:05:45 +02:00
Luís Ferreira
7903557988
treewide: remove trailing whitespaces
Signed-off-by: Luís Ferreira <contact@lsferreira.net>
2021-09-13 17:23:17 +01:00
Serge Hallyn
0e0101043b
Merge pull request #405 from a1346054/master
Minor cleanups
2021-09-13 10:57:38 -05:00
Serge Hallyn
fb582ce72f
Merge pull request #411 from ljmf00/ignore-check-subid
git: ignore generated check_subid_range
2021-09-13 10:37:59 -05:00
Luís Ferreira
679a29da7e
git: ignore generated check_subid_range
Signed-off-by: Luís Ferreira <contact@lsferreira.net>
2021-09-13 16:17:49 +01:00
a1346054
d7c9550b7f fix spelling 2021-09-13 15:11:40 +00:00
Serge Hallyn
e385338ee8
Merge pull request #410 from paulmenzel/use-https-urls-in-readme
Use HTTPS URLs in README, where possible
2021-09-12 10:50:09 -05:00
Paul Menzel
2b6312b337 README: Use HTTPS URLs where possible
The GitHub and Debian permanently moved to HTTPS URLs and redirect
there. The Gentoo URL does not redirect to HTTPS, but still use it to
address certain kinds of attacks. Lastly, the NetBSD URL is only
available using HTTP.
2021-09-12 12:06:02 +02:00
a1346054
ecfcaed0b5 fix some shellcheck-identified issues in scripts 2021-08-18 18:21:06 +00:00
a1346054
f20c688a18 use a geographically close URL 2021-08-18 18:07:50 +00:00
a1346054
7687ae4dbd fix spelling and unify whitespace 2021-08-18 18:06:02 +00:00
Serge Hallyn
4624e9fca1 Revert "useradd.c:fix memleaks of grp"
In some cases, the value which was being freed is not actually
safe to free.

Closes #394

This reverts commit c44b71cec2.
2021-08-14 19:37:24 -05:00
Serge Hallyn
009e09fd58
Merge pull request #400 from floppym/sha-rounds
libmisc: fix default value in SHA_get_salt_rounds()
2021-08-14 19:29:54 -05:00
Serge Hallyn
a5bf83d2e7
Merge pull request #401 from hallyn/2021-08-14/dropxml2po
man/po/Makefile.in: switch from xml2po to itstool
2021-08-14 19:28:18 -05:00
Serge Hallyn
4bcbe13689
Merge pull request #403 from hallyn/2021-08-14/fixnosubuidbuild
useradd.c: Fix undeclared subuid_count when not using subids
2021-08-14 19:28:07 -05:00
Serge Hallyn
049b08481a useradd.c: Fix undeclared subuid_count when not using subids
subuid_count won't get used by usr_update(), but since we're passing it
as an argument we have to make sure it's always defined.  So just define
it as pre-set to 0.

Closes #402

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-08-14 19:25:51 -05:00
Serge Hallyn
02b200c9aa man/po/Makefile.in: switch from xml2po to itstool
xml2po is deprecated.  We've previously replaced xml2po with
itstool in man/generate_translations.mak, but there was still
an instance of it that only is exercised for 'make dist'.
Update that one.  Now 'make dist' succeeds on a ubuntu focal
or newer host where xml2po is not available.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-08-14 14:51:08 -05:00
Mike Gilbert
234e8fa7b1 libmisc: fix default value in SHA_get_salt_rounds()
If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
use SHA_ROUNDS_DEFAULT.

Previously, the code fell through, calling shadow_random(-1, -1). This
ultimately set rounds = (unsigned long) -1, which ends up being a very
large number! This then got capped to SHA_ROUNDS_MAX later in the
function.

The new behavior matches BCRYPT_get_salt_rounds().

Bug: https://bugs.gentoo.org/808195
Fixes: https://github.com/shadow-maint/shadow/issues/393
2021-08-14 13:43:26 -04:00
Serge Hallyn
c4539fc4f9
Merge pull request #399 from ikerexxe/useradd_empty_subid_range
useradd: avoid generating an empty subid range
2021-08-14 09:23:26 -05:00
Iker Pedrosa
9dd720a285 useradd: avoid generating an empty subid range
useradd generates an empty subid range when adding a new user. This is
caused because there are two variables, one local and the other one
global, that have a very similar name and they are used indistinctly in
the code. The local variable loads the SUB_*ID_COUNT configuration from
the login.defs file, while the global variable, which holds a value of
0, is used to generate the subid range. Causing the empty subid range
problem.

I've merged the two variables in the local one and removed the global
variable. I prefer to do it this way to reduce the scope of it but I'm
open to doing it the other way round.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1990653

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-08-10 10:04:39 +02:00
Serge Hallyn
1c1e0b0c68
Merge pull request #397 from ikerexxe/revert_local_groups_check
usermod: allow all group types with -G option
2021-08-04 10:41:56 -05:00
Serge Hallyn
adb83f7796
Merge pull request #398 from Dzejrou/master
passwd: handle NULL pw_passwd when printing password status
2021-08-04 10:38:30 -05:00
Serge Hallyn
28a02dc83e
Merge pull request #396 from floppym/libcrack
libsubid: fix build with libcrack
2021-08-04 10:37:08 -05:00
Serge Hallyn
e318bb9b06
Merge pull request #395 from ikerexxe/downstream_4_9
Makefile: include libeconf dependency in new*idmap
2021-08-04 10:36:44 -05:00
Jaroslav Jindrak
05388f748d passwd: handle NULL pw_passwd when printing password status
When the -S and -a options are used for passwd to list the status
of all passwords, there is a chance the pw_passwd field of struct
passwd will be NULL. This can be due to 'files compat' being set
for passwd in /etc/nsswitch.conf and the usage of some features
not available in the 'files' mode (e.g. a plus sign at the start
of a line).

Example:

germ161:~ # grep passwd /etc/nsswitch.conf
passwd: files compat
germ161:~ # rpm -qa shadow
shadow-4.2.1-34.20.x86_64
germ161:~ # grep passwd /etc/nsswitch.conf
passwd: files compat
germ161:~ # grep + /etc/passwd
+@nisgroup
germ161:~ # passwd -S -a > /dev/null
Segmentation fault (core dumped)

With this commit:

germ161:~ # passwd -S -a > /dev/null
passwd: malformed password data obtained for user +@nisgroup
2021-08-03 20:03:46 +02:00