Commit Graph

868 Commits

Author SHA1 Message Date
Serge Hallyn
5b017af90d Merge pull request #29 from hemio-ev/lower-su-syslog-priority
Reduces syslog priority of common usage events
2016-08-05 11:59:15 -05:00
Serge Hallyn
ca0ccaba27 Merge pull request #24 from stoeckmann/typos
Fixed typos in new{g,u}idmap tools.
2016-08-04 23:39:25 -05:00
Michael Herold
61fc90b268 Reduces syslog priority of common usage events
- Log INFO instead of ERR on `su missing-user`
- Log NOTICE/WARN instead of ERR on pam_authenticate failure (wrong password for example)
2016-08-04 22:17:31 +02:00
Tobias Stoeckmann
dd50014055 Fixed signal races in shadow tools.
Some of the supplied tools use functions which are not signal-safe.

Most of the times it's exit() vs. _exit().

In other times it's how the standard output or standard error is
handled. FILE-related functions shall be avoided, therefore I replaced
them with write().

Also there is no need to call closelog(). At worst, it allows to
trigger a deadlock by issuing different signal types at bad timings.
But as these fixes are about race conditions, expect bad timings in
general for these bugs to be triggered. :)
2016-07-02 18:11:09 +02:00
Tobias Stoeckmann
a84b0cafdd Fixed typos in new{g,u}idmap tools.
Fixed small typos in manual pages and code comments.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2016-07-02 16:39:18 +02:00
Tomas Mraz
66897b6f6d Add ability to clear or set lastlog record for user via lastlog command
This functionality is useful because there is now a feature
of Linux-PAM's pam_lastlog module to block expired users (users
which did not login recently enough) from login. This commit
complements it so the sysadmin is able to unblock such expired user.

Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
2016-03-03 15:37:01 +01:00
Serge Hallyn
af064545bf useradd: respect -r flag when allocating subuids
We intend to not create subuids for system users. However we are
checking for command line flags after we check whether -r flag
was set, so it was never found to be true.  Fix that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-18 09:20:43 -08:00
Stéphane Graber
65c2617140
Tweak uid/gid map default configuration
- Use an allocation of 65536 uids and gids to allow for POSIX-compliant
   user owned namespaces.
 - Don't allocate a uid/gid map to system users.
   Unfortunately checking for --system isn't quite enough as some
   distribution wrappers always call useradd without --system and take care
   of choosing a uid and gid themselves, so also check whether the
   requested uid/gid is in the user range.

This is taken from a patch I wrote for Ubuntu a couple years ago and
which somehow didn't make it upstream.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2016-02-15 18:11:10 -05:00
Serge Hallyn
e01bad7d3c Merge pull request #4 from xnox/master
Make shadow more robust in hostile environments
2015-11-12 23:07:29 -06:00
Serge Hallyn
f68f813073 Fix a resource leak in syslog_sg
Reported at https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=315135&group_id=30580
by Alejandro Joya (afjoyacr-guest)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-08-06 00:25:01 -05:00
Serge Hallyn
a887847ca2 Don't limit subuid/subgid support to local users
The current implementation of subuid/subgid support in usermod requires the
user to be a local user present in /etc/passwd.  There doesn't seem to be a
good reason for this; subuids should work equally well for users whose
records are in other NSS databases.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1475749

Author: Steve Langasek <steve.langasek@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-07-20 12:14:26 -05:00
Jesse W. Hathaway
3c32fd4a29 Allow deleting the group even if it is the primary group of a user
This is helpful when using configuration management tools such as
Puppet, where you are managing the groups in a central location and you
don't need this safeguard.

Signed-off-by: "Jesse W. Hathaway" <jesse@mbuki-mvuki.org>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-06-16 14:18:44 -05:00
Hank Leininger
884895ae25 Expand the error message when newuidmap / newgidmap do not like the user/group ownership of their target process.
Currently the error is just:

newuidmap: Target [pid] is owned by a different user

With this patch it will be like:

newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99

Why is this useful?  Well, in my case...

The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid.  This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.

This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.

Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.

Some graceful way of handling this and not failing, will be next ;)  But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.

Thanks!

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-04-06 08:23:36 -05:00
Dimitri John Ledkov
ee43f47f45
Do not fail on missing files in /etc/, create them instead.
passwd, shadow, group, gshadow etc. can be managed via nss -
e.g. system default accounts can be specified using nss_altfiles,
rather than in /etc/. Thus despite having default accounts, these
files can be missing on disk and thus should be opened with O_CREATE
whenever they are attempted to be opened in O_RDWR modes.
2015-02-27 17:01:29 +00:00
Duncan Eastoe
17887b216d Suppress pwconv passwd- chmod failure message
Prevent chmod failure message from displaying if the failure
was due to the backup file not existing.

If there is no backup file present and if no changes have been
made, then this error would always appear since the backup
file isn't created in this situation.

Signed-off-by: Duncan Eastoe <deastoe@Brocade.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-02-17 10:15:02 -06:00
James Le Cuirot
420943657c Fix building without subordinate IDs support
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-09-04 17:29:23 -05:00
Serge Hallyn
4911773b77 From: Svante Signell <svante.signell@gmail.com>
Currently shadow fails to build from source and is flagged as
out-of-date. This is due to a usage of PATH_MAX, which is not defined
on GNU/Hurd. The attached patch solves this problem by allocating a
fixed number of 32 bytes for the string proc_dir_name in files
src/procuidmap.c and src/procgidmap.c. (In fact only 18 bytes are
needed)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-26 16:48:56 -05:00
Nicolas François
5e87ff0615 Improve vipw error report when editor fails
* src/vipw.c: After waitpid(), use errno only if waitpid returned
	-1. Debian#688260
	* src/vipw.c: Likewise for system().
2013-08-25 16:27:58 +02:00
Nicolas François
6f8dd000f6 Improve diagnostic.
* src/usermod.c: Check early if /etc/subuid (/etc/subgid) exists
	when option -v/-V (-w/-W) are provided.
2013-08-15 17:30:19 +02:00
Nicolas François
2e46882a9b Fix parse of ranges.
* src/usermod.c: Fix parse of ranges. The hyphen might be followed
	by a negative integer.
2013-08-15 17:30:19 +02:00
Nicolas François
00f573fce2 Fix copyright dates. 2013-08-13 23:13:26 +02:00
Nicolas François
9951b1f569 Fail in case arguments are provided after options.
* src/vipw.c: Fail in case arguments are provided after options.
	Debian#677812
2013-08-13 23:13:09 +02:00
Nicolas François
8781aff637 Terminate the child before closing the PAM session.
* src/su.c: Terminate the child (if needed) before closing the PAM
	session. This is probably more correct, and avoid reporting
	termination from signals possibly sent by PAM modules (e.g. former
	versions of pam_systemd). Debian#670132
2013-08-13 19:48:53 +02:00
Nicolas François
a5e3dbb0e3 Reset caught variable when signal is handled by su.
* src/su.c: When a SIGTSTP is caught, reset caught to 0. There is
	no need to kill the child in such case after su is resumed. This
	remove the "Session terminated, terminating shell...
	...terminated." messages in such case.
2013-08-13 19:42:50 +02:00
Nicolas François
9126425a21 Improve error reporting.
* src/useradd.c: Change message in case of find_new_sub_uids /
	find_new_sub_gids failure. This complements the messages already
	provided by these APIs.
2013-08-13 00:13:12 +02:00
Nicolas François
d611d54ed4 Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
	--disable-subordinate-ids. Enabled by default.
	* lib/prototypes.h: Include <config.h> before using its macros.
	* lib/commonio.h, lib/commonio.c: Define commonio_append only when
	ENABLE_SUBIDS is defined.
	* lib/prototypes.h, libmisc/find_new_sub_gids.c,
	libmisc/find_new_sub_uids.c: Likewise.
	* lib/subordinateio.h, lib/subordinateio.c: Likewise.
	* libmisc/user_busy.c: Only check if subordinate IDs are in use if
	ENABLE_SUBIDS is defined.
	* src/Makefile.am: Create newgidmap and newuidmap only if
	ENABLE_SUBIDS is defined.
	* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
	subordinate IDs.
	* src/useradd.c: Likewise.
	* src/userdel.c: Likewise.
	* src/usermod.c: Likewise.
	* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
	* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 (not translated yet).
	* man/generate_mans.mak: Add xsltproc conditionals
	subids/no_subids.
	* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
	condition.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/usermod.8.xml: Document options for subordinate IDs and
	reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 15:46:59 +02:00
Nicolas François
1fb1486c8a Ignore generated newgidmap and newuidmap 2013-08-11 14:48:39 +02:00
Nicolas François
94c52130be Fix typos.
* src/usermod.c: Fix typos.
2013-08-06 22:29:40 +02:00
Nicolas François
95d1e146b2 Fix typos.
* man/login.defs.d/SUB_GID_COUNT.xml: Fix typo.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/login.defs.d/SUB_UID_COUNT.xml: Fix copy-paste issue from
	SUB_GID_COUNT.
	* man/newgidmap.1.xml: Fix Typo.
	* src/useradd.c: Fix typos.
	* lib/subordinateio.c: Fix typos.
2013-08-06 20:59:13 +02:00
Eric W. Biederman
673c2a6f9a newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:46 -05:00
Serge Hallyn
c485cfabd8 usermod: add v:w:V:W: to getopt
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:45 -05:00
Serge Hallyn
5f2e4b18f8 Add LIBSELINUX to newuidmap and newgidmap LDADD
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
2cc8c2c0dc newusers: Add support for assiging subordinate uids and gids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
d5b3092331 usermod: Add support for subordinate uids and gids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
87253ca906 useradd: Add support for subordinate user identifiers
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
7296cbdbfe userdel: Add support for removing subordinate user and group ids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Nicolas François
e8ab31d009 Review 52a38d5509
* Changelog: Update documentation of 2013-07-28  mancha entry.
	* lib/prototypes.h, lib/encrypt.c: Update splint marker,
	pw_encrypt can return NULL.
	* lib/encrypt.c: Fix outdated statement on GNU crypt.
	* src/chgpasswd.c: Improve diagnostic to user when pw_encrypt
	fails and use fail_exit() instead of exit().
	* src/chpasswd.c: Likewise.
	* src/newusers.c: Likewise.
	* src/passwd.c: Likewise when new password is encrypted.
	* src/newgrp.c: Improve diagnostic to user and syslog when
	pw_encrypt fails.  Do not apply 1s penalty as this is not an
	invalid password issue.
	* src/passwd.c: Likewise when password is checked.
2013-08-04 00:27:53 +02:00
mancha
52a38d5509 crypt() in glibc/eglibc 2.17 now fails if passed
a salt that violates specs. On Linux, crypt() also fails with
DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns
we send them back to the caller for appropriate handling.
2013-07-28 18:41:11 +02:00
Colin Watson
d172cccd07 Kill the child process group, rather than just the immediate child;
this is needed now that su no longer starts a controlling terminal
when not running an interactive shell (closes: Debian#713979)
2013-07-28 14:38:12 +02:00
nekral-guest
9151e673e4 * NEWS: Set release date. 2012-05-25 11:51:53 +00:00
nekral-guest
f100b5ea7e * src/su.c: non PAM enabled versions: do not fail if su is called
without a controlling terminal. Ignore ENXIO errors when opening
	/dev/tty.
2012-05-20 16:15:14 +00:00
nekral-guest
8690c74d6a * src/useradd.c: Cleanup, return code 13 no more used.
* man/useradd.8.xml: Document return code 14, and remove return
	code 13.
2012-05-20 12:26:54 +00:00
nekral-guest
1a7960421e * src/useradd.c: Keep the default file as much as possible to
avoid issue in case of crash. Use link instead of rename.
2012-05-18 20:28:16 +00:00
nekral-guest
1e0450dfb1 * src/pwunconv.c: Do not check spw_close() return value (file is
opened readonly).
	* src/grpunconv.c: Do not check sgr_close() return value (file is
	opened readonly).
2012-05-18 19:32:32 +00:00
nekral-guest
17deaa39f5 * NEWS, src/userdel.c: Fix segfault when userdel removes the
user's group.
2012-05-18 18:56:24 +00:00
nekral-guest
f243d4077d * NEWS, src/login.c: Log in utmp / utmpx / wtmp also when PAM is
enabled. This is not done by pam_lastlog. This was broken on
	2011-07-23.
	* NEWS, libmisc/utmp.c: Do not log in wtmp when PAM is enabled.
	This is done by pam_lastlog.
2012-05-18 17:57:52 +00:00
nekral-guest
0c1cbaede8 2012-02-13 Mike Frysinger <vapier@gentoo.org>
* src/passwd.c: (non PAM flavour) Report permission denied when
	access to /etc/shadow fails with EACCES.
2012-02-13 20:32:00 +00:00
nekral-guest
cc8be680ca * src/vipw.c: Do not use a hardcoded program name in the usage
message.
2011-12-09 21:35:57 +00:00
nekral-guest
a92f55b609 * src/newusers.c, src/chpasswd.c, src/chgpasswd.c: Harmonize
usage messages.
2011-12-09 21:31:39 +00:00
nekral-guest
360f12cd44 * src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the
SELinux user mapping for the modified user.
	* src/useradd.c: Zflg is #defined as user_selinux non empty.
2011-11-21 22:02:15 +00:00