Commit Graph

2322 Commits

Author SHA1 Message Date
Adam Majer
c1d36a8acb Add support for btrfs subvolumes for user homes
new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.
2019-05-03 22:38:23 -07:00
Christian Brauner
caefe9e8de
Merge pull request #164 from t8m/use-lckpwdf
Use lckpwdf() again if prefix is not set and fix a possible DoS in locking
2019-05-03 10:43:41 +02:00
Tomas Mraz
64d7688acb Do not fail locking if there is a stale lockfile.
As the lockfiles have PID in the name, there can be no conflict
in the name with other process, so there is no point in using
O_EXCL and it only can fail if there is a stale lockfile from
previous execution that crashed for some reason.
2019-05-02 14:39:01 +02:00
Tomas Mraz
408b8a5482 Use the lckpwdf() again if prefix is not set
The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.

This reverts the implementation to use lckpwdf() if prefix option
is not used.
2019-05-02 14:33:06 +02:00
Christian Brauner
ce2941ca0d
Merge pull request #162 from jtojnar/check-correct-docbook
build: Check correct DocBook version
2019-04-30 20:39:22 +02:00
Jan Tojnar
47797ca665
build: Check correct DocBook version
The documentation uses DocBook 4.5 DOCTYPE but the configure script
checked for 4.1.2.
2019-04-30 20:35:07 +02:00
Thomas Abraham
1697c192ac lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it erros with ECHILD.
2019-04-25 14:56:22 -04:00
Serge Hallyn
5837240451 usermod: print "no changes" to stdout, not stderr
Closes #113

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2019-04-21 17:28:12 -05:00
Serge Hallyn
2c8171f8c8
Merge pull request #146 from lamby/reproducible-shadow-files
Make the sp_lstchg shadow field reproducible (re. #71)
2019-04-21 17:13:58 -05:00
Serge Hallyn
fbb59823c5
Merge pull request #143 from t8m/fedora
usermod: Guard against unsafe change of ownership of home contents
2019-04-21 16:56:36 -05:00
Serge Hallyn
fe87a1ad96
Merge pull request #158 from nathanruiz/master
Fix chpasswd long line handling
2019-04-21 16:50:07 -05:00
Serge Hallyn
38e3e35c72
Merge pull request #156 from cvuillemez/no_flush_in_read_only
Do not flush nscd and sssd cache in read-only mode
2019-04-15 00:17:32 -05:00
Nathan Ruiz
a8f7132113 Fix chpasswd long line handling 2019-04-10 07:56:59 +10:00
Chris Lamb
3d921155e0 gettime: Use secure_getenv over getenv. 2019-03-31 16:00:01 +01:00
Chris Lamb
fe34a2a0e4 Make the sp_lstchg shadow field reproducible (re. #71)
From <https://github.com/shadow-maint/shadow/pull/71>:

```
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

username:17238:0:99999:7:::
whilst creating the same user tomorrow will result in:

username:17239:0:99999:7:::
This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.
```

This updated PR adds some missing calls to gettime (). This was originally
filed by Johannes Schauer in Debian as #917773 [2].

[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/
[2] https://bugs.debian.org/917773
2019-03-31 16:00:01 +01:00
Christian Brauner
e24deea4c9
Merge pull request #157 from t8m/close-crash
Do not crash in commonio_close if database FILE not opened.
2019-03-25 12:56:55 -07:00
Tomas Mraz
d6276066dd Do not crash in commonio_close if database FILE not opened.
The db->fp can be NULL if commonio_unlock() is called when the
shadow file is opened but did not exist before.
2019-03-25 14:51:26 +01:00
Serge Hallyn
d2e1e9ce85 Add Christian to maintainers list
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-03-17 21:11:05 -05:00
Serge Hallyn
e61db2c618 README: Update the homepage link
and remove ftp.  Maybe i should run an ftp server for releases...

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-03-17 11:48:05 -05:00
Serge Hallyn
c40c49536e README: Add Eric to contributors list
subids were not a small amount of work.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-03-17 11:39:24 -05:00
Charlie Vuillemez
dd2033c40c Do not flush nscd and sssd cache in read-only mode
Fix #155

signed-off-by: Charlie Vuillemez <cvuillemez@users.noreply.github.com>
2019-02-27 17:40:04 +01:00
Serge Hallyn
d66a1fe069
Merge pull request #153 from AlbanVidal/man-po-fr
French man translation update
2019-02-19 00:49:40 -06:00
Alban VIDAL
beb75c6fd6 French man translation update
- translated by Jean-Philippe MENGUAL
- proofread by the debian-l10n-french mailing list contributors

Signed-off-by: Alban VIDAL <alban.vidal@zordhak.fr>
2019-02-11 07:02:52 +01:00
Christian Brauner
c0c2b99164
Merge pull request #151 from t8m/uid-count-default
Fix the default mentioned in man page for SUB_UID/GID_COUNT variables.
2019-02-01 09:11:27 +01:00
Tomas Mraz
ebad423023 Fix the default mentioned in man page for SUB_UID/GID_COUNT variables. 2019-01-31 13:30:59 +01:00
Serge Hallyn
c5898d9f02
Merge pull request #148 from AlbanVidal/master
Sync po files from template "shadow.pot" file
2019-01-26 22:58:53 -06:00
Alban VIDAL
ee87cda65d Sync po files from pot shadow.pot file
Signed-off-by: Alban VIDAL <alban.vidal@zordhak.fr>
2019-01-19 13:32:42 +01:00
Tomas Mraz
5b41b7d1b1 usermod: Guard against unsafe change of ownership of home directory content
In case the home directory is not a real home directory
(owned by the user) but things like / or /var or similar,
it is unsafe to change ownership of home directory content.

The test checks whether the home directory is owned by the
user him/herself, if not no ownership modification of contents
is performed.
2018-12-18 16:32:13 +01:00
Tomas Mraz
4633164857 login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
2018-12-10 13:25:56 -06:00
Giuseppe Scrivano
59c2dabb26 idmap: always seteuid to the owner of the namespace
simplify the condition for setting the euid of the process.  Now it is
always set when we are running as root, the issue was introduced with
the commit 52c081b02c

Changelog: 2018-11-24 - seh - enforce that euid only gets set to ruid if
   it currently == 0 (i.e. really was setuid-*root*).

Closes: https://github.com/genuinetools/img/issues/191

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-11-24 17:30:46 -06:00
Serge Hallyn
42324e5017
Merge pull request #138 from brauner/2018-10-27/setuid_fscaps
new{g,u}idmap: align setuid and fscaps behavior
2018-10-27 19:00:23 -05:00
Christian Brauner
52c081b02c
new{g,u}idmap: align setuid and fscaps behavior
Commit 1ecca8439d ("new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS")
does contain a wrong commit message, is lacking an explanation of the
issue, misses some simplifications and hardening features. This commit
tries to rectify this.

In (crazy) environment where all capabilities are dropped from the
capability bounding set apart from CAP_SET{G,U}ID setuid- and
fscaps-based new{g,u}idmap binaries behave differently when writing
complex mappings for an unprivileged user:

1. newuidmap is setuid

unshare -U sleep infinity &
newuidmap $? 0 100000 65536

First file_ns_capable(file, ns, CAP_SYS_ADMIN) is hit. This calls into
cap_capable() and hits the loop

for (;;) {
        /* Do we have the necessary capabilities? */
        if (ns == cred->user_ns)
                return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

        /*
         * If we're already at a lower level than we're looking for,
         * we're done searching.
         */
        if (ns->level <= cred->user_ns->level)
                return -EPERM;

        /*
         * The owner of the user namespace in the parent of the
         * user namespace has all caps.
        */
        if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
                return 0;

        /*
         * If you have a capability in a parent user ns, then you have
         * it over all children user namespaces as well.
        */
        ns = ns->parent;
}

The first check fails and falls through to the end of the loop and
retrieves the parent user namespace and checks whether CAP_SYS_ADMIN is
available there which isn't.

2. newuidmap has CAP_SETUID as fscaps set

unshare -U sleep infinity &
newuidmap $? 0 100000 65536

The first file_ns_capable() check for CAP_SYS_ADMIN is passed since the
euid has not been changed:

if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
        return 0;

Now new_idmap_permitted() is hit which calls ns_capable(ns->parent,
CAP_SET{G,U}ID). This check passes since CAP_SET{G,U}ID is available in
the parent user namespace.
Now file_ns_capable(file, ns->parent, CAP_SETUID) is hit and the
cap_capable() loop (see above) is entered again. This passes

if (ns == cred->user_ns)
        return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

since CAP_SET{G,U}ID is available in the parent user namespace. Now the
mapping can be written.

There is no need for this descrepancy between setuid and fscaps based
new{g,u}idmap binaries. The solution is to do a
seteuid() back to the unprivileged uid and PR_SET_KEEPCAPS to keep
CAP_SET{G,U}ID. The seteuid() will cause the
file_ns_capable(file, ns, CAP_SYS_ADMIN) check to pass and the
PR_SET_KEEPCAPS for CAP_SET{G,U}ID will cause the CAP_SET{G,U}ID to
pass.

Fixes: 1ecca8439d ("new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2018-10-28 01:27:48 +02:00
Serge Hallyn
bb3f810611
Merge pull request #136 from giuseppe/fcap-newuidmap-newgidmap
newuidmap/newgidmap: install with file capabilities
2018-10-27 11:26:31 -05:00
Serge Hallyn
d5255da20b
Merge pull request #132 from giuseppe/no-cap-sys-admin
newuidmap/newgidmap: do not require CAP_SYS_ADMIN in the parent user namespace
2018-10-27 11:22:37 -05:00
Giuseppe Scrivano
70971457b7
newuidmap/newgidmap: install with file capabilities
do not install newuidmap/newgidmap as suid binaries.  Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-24 23:10:59 +02:00
Serge Hallyn
ff8b1ebafa
Merge pull request #118 from AdelieLinux/utmpx-only-support
[WIP] Support systems that only have utmpx
2018-10-23 22:35:19 -05:00
Serge Hallyn
83f1380600
Merge pull request #133 from t8m/trivial
Fix some issues found in Coverity scan.
2018-10-23 22:21:12 -05:00
Giuseppe Scrivano
1ecca8439d
new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS
if the euid!=owner of the userns, the kernel returns EPERM when trying
to write the uidmap and there is no CAP_SYS_ADMIN in the parent
namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-22 16:57:50 +02:00
Serge Hallyn
58ee899dce
Merge pull request #128 from jhrozek/sssd
Flush sssd caches in addition to nscd caches
2018-10-18 12:26:38 -07:00
Tomas Mraz
10e388efc2 useradd: fix segfault trying to overwrite const data with mkstemp
Also fix memory leaks in error paths.
2018-10-12 10:14:02 +02:00
Tomas Mraz
fb97da1ce1 Fix some issues found in Coverity scan. 2018-10-10 12:22:04 +02:00
Jakub Hrozek
4aaf05d72e Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-13 14:20:02 +02:00
Serge Hallyn
6bf2d74dfc
Merge pull request #122 from ivladdalvi/nologin-uid
Log UID in nologin
2018-08-13 18:37:02 -05:00
Vladimir Ivanov
4be18d3299 Log UID in nologin
Sometimes getlogin() may fail, e.g., in a chroot() environment or due to NSS
misconfiguration. Loggin UID allows for investigation and troubleshooting in
such situation.
2018-08-13 16:46:04 +08:00
Serge Hallyn
0d725c1e60
Merge pull request #116 from LionNatsu/master
po/zh_CN: update
2018-08-11 00:40:02 -05:00
Serge Hallyn
3c69af9ed3
Merge pull request #119 from mvo5/su-l
su.c: run pam_getenvlist() after setup_env
2018-08-11 00:39:07 -05:00
Michael Vogt
89b96cb85c su.c: run pam_getenvlist() after setup_env
When "su -l" is used the behaviour is described as similar to
a direct login. However login.c is doing a setup_env(pw) and then a
pam_getenvlist() in this scenario. But su.c is doing it the other
way around. Which means that the value of PATH from /etc/environment
is overriden. I think this is a bug because:

The man-page claims that "-l": "provides an environment similar
to what the user would expect had the user logged in directly."

And login.c is using the PATH from /etc/environment.

This will fix:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/984390
2018-06-25 16:00:21 +02:00
A. Wilcox
99dbd4b9ee
Support systems that only have utmpx
This allows shadow-utils to build on systems like Adélie, which have no
<utmp.h> header or `struct utmp`.  We use a <utmpx.h>-based daemon,
utmps[1], which uses `struct utmpx` only.

Tested both `login` and `logoutd` with utmps and both work correctly.

[1]: http://skarnet.org/software/utmps/
2018-06-24 00:13:12 -05:00
Serge Hallyn
67ec1a5266
Merge pull request #117 from rindeal/ENABLE_SUBIDS
fix unguarded ENABLE_SUBIDS code
2018-06-19 08:17:57 -04:00
Jan Chren (rindeal)
2fd5815546 fix unguarded ENABLE_SUBIDS code 2018-06-18 15:51:27 +02:00