Commit Graph

358 Commits

Author SHA1 Message Date
Duncan Overbruck
a847899b52
add new HOME_MODE login.defs(5) option
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.

There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.

A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
2020-01-11 22:27:39 +01:00
Michael Vetter
b1a5cda91e selinux: include stdio
We use fprintf(), stderr etc, so we should include stdio.h.
2019-12-17 13:40:47 +01:00
prez
2958bd050b Initial bcrypt support 2019-12-01 11:00:57 -06:00
Christian Göttsche
cbd2472b7c migrate to new SELinux api
Using hard-coded access vector ids is deprecated and can lead to issues with custom SELinux policies.
Switch to `selinux_check_access()`.

Also use the libselinux log callback and log if available to audit.
This makes it easier for users to catch SELinux denials.

Drop legacy shortcut logic for passwd, which avoided a SELinux check if uid 0 changes a password of a user which username equals the current SELinux user identifier.
Nowadays usernames rarely match SELinux user identifiers and the benefit of skipping a SELinux check is negligible.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2019-10-22 14:56:31 +02:00
Serge Hallyn
a0efca4581 remove unused fn commonio_next
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-10-12 20:03:51 -05:00
Serge Hallyn
991fee82df
Merge pull request #180 from thkukuk/libeconf
Add support for a vendor directory and libeconf
2019-10-05 22:34:29 -05:00
Thorsten Kukuk
b52ce71c27 Add support for a vendor directory and libeconf
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where the shadow suite should additional
look for login.defs if this file is not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
2019-10-05 22:17:49 -05:00
ed@s5h.net
1cbb562c23 lib/sgetgrent.c: change to warn when data remains 2019-10-04 18:30:41 -05:00
ed@s5h.net
558977bb2b sgetpwent.c/sgetgrent.c: check for additional data at end of line 2019-10-04 18:30:38 -05:00
Christian Brauner
a5f034f272
Merge pull request #161 from tabraham/master
lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
2019-06-04 13:31:08 +02:00
Thomas Abraham
82fa6eccf9 lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it errors with ECHILD.
2019-05-06 14:26:14 -04:00
Thomas Abraham
8d39357c84 Revert "lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD"
This reverts commit 1697c192ac.
2019-05-06 14:23:58 -04:00
Adam Majer
50b23584d7 Add autotools support for BtrFS option
Feature is enabled by default, if headers are available. It can be
turned off explictly.
2019-05-03 22:38:23 -07:00
Adam Majer
c1d36a8acb Add support for btrfs subvolumes for user homes
new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.
2019-05-03 22:38:23 -07:00
Tomas Mraz
64d7688acb Do not fail locking if there is a stale lockfile.
As the lockfiles have PID in the name, there can be no conflict
in the name with other process, so there is no point in using
O_EXCL and it only can fail if there is a stale lockfile from
previous execution that crashed for some reason.
2019-05-02 14:39:01 +02:00
Tomas Mraz
408b8a5482 Use the lckpwdf() again if prefix is not set
The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.

This reverts the implementation to use lckpwdf() if prefix option
is not used.
2019-05-02 14:33:06 +02:00
Thomas Abraham
1697c192ac lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it erros with ECHILD.
2019-04-25 14:56:22 -04:00
Chris Lamb
3d921155e0 gettime: Use secure_getenv over getenv. 2019-03-31 16:00:01 +01:00
Tomas Mraz
d6276066dd Do not crash in commonio_close if database FILE not opened.
The db->fp can be NULL if commonio_unlock() is called when the
shadow file is opened but did not exist before.
2019-03-25 14:51:26 +01:00
Tomas Mraz
4633164857 login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
2018-12-10 13:25:56 -06:00
Serge Hallyn
ff8b1ebafa
Merge pull request #118 from AdelieLinux/utmpx-only-support
[WIP] Support systems that only have utmpx
2018-10-23 22:35:19 -05:00
Serge Hallyn
83f1380600
Merge pull request #133 from t8m/trivial
Fix some issues found in Coverity scan.
2018-10-23 22:21:12 -05:00
Tomas Mraz
fb97da1ce1 Fix some issues found in Coverity scan. 2018-10-10 12:22:04 +02:00
Jakub Hrozek
4aaf05d72e Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-13 14:20:02 +02:00
A. Wilcox
99dbd4b9ee
Support systems that only have utmpx
This allows shadow-utils to build on systems like Adélie, which have no
<utmp.h> header or `struct utmp`.  We use a <utmpx.h>-based daemon,
utmps[1], which uses `struct utmpx` only.

Tested both `login` and `logoutd` with utmps and both work correctly.

[1]: http://skarnet.org/software/utmps/
2018-06-24 00:13:12 -05:00
fariouche
65b4f58703 add --prefix option: some fixes + fixed pwd.lock file location 2018-03-28 21:14:12 +02:00
fariouche
54551c7d6e Merge remote-tracking branch 'upstream/master' 2018-03-28 21:11:36 +02:00
fariouche
acaed3deab upstream merge 2018-01-23 23:10:19 +01:00
Josh Soref
ea1a6e814b spelling: success 2017-10-22 21:23:13 +00:00
Josh Soref
57cb36333b spelling: queried 2017-10-22 21:05:52 +00:00
Josh Soref
414816064f spelling: match 2017-10-22 20:33:00 +00:00
Josh Soref
74fcf6f28d spelling: interactive 2017-10-22 20:24:32 +00:00
Josh Soref
452b9c26e4 spelling: categories 2017-10-22 08:08:07 +00:00
Chris Lamb
cb610d54b4 Make the sp_lstchg shadow field reproducible.
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

   username:17238:0:99999:7:::

whilst creating the same user tomorrow will result in:

    username:17239:0:99999:7:::

This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.

 [0] https://reproducible-builds.org/
 [1] https://reproducible-builds.org/specs/source-date-epoch/

Signed-off-by: Chris Lamb <lamby@debian.org>
2017-04-10 22:29:21 +01:00
Tomas Mraz
954e3d2e71 Fix buffer overflow if NULL line is present in db.
If ptr->line == NULL for an entry, the first cycle will exit,
but the second one will happily write past entries buffer.
We actually do not want to exit the first cycle prematurely
on ptr->line == NULL.
Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
2017-03-31 16:25:06 +02:00
fariouche
b6b2c756c9 add --prefix option 2017-03-01 22:51:09 +01:00
Bernhard Rosenkränzer
c33ceddc26 Don't crash on bogus keys in login.defs if PAM is enabled
Without this patch, PAM enabled builds crash when encountering an
invalid key in login.defs or key overrides because of array overflows

To reproduce, simply
	useradd -K Windows=broken

Signed-off-by: Bernhard Rosenkränzer <bero@lindev.ch>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2017-01-29 14:47:24 -06:00
Serge Hallyn
5701e147ef Update _COMMONIO_H and _SHADOWIO_H to drop leading underscore
Closes #23

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2016-12-21 12:45:50 -06:00
Mike Frysinger
32c0b283ef include getdef.h for getdef_bool prototype
Otherwise we get build warnings like:
sgroupio.c:255:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]
shadowio.c:131:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]
2016-12-05 17:15:29 -05:00
Tomas Mraz
6401c5b4ee snprintf() always terminates output with \0 2016-11-15 16:05:44 +01:00
Tomas Mraz
4471e5419d Keep the permissions of the original file when creating a backup. 2016-11-15 16:04:24 +01:00
Sebastian Krahmer
1d5a926cc2 Simplify getulong
Use strtoul to read an unsigned long, rather than reading
a signed long long and casting it.

https://bugzilla.suse.com/show_bug.cgi?id=979282
2016-08-03 11:51:07 -05:00
Serge Hallyn
e01bad7d3c Merge pull request #4 from xnox/master
Make shadow more robust in hostile environments
2015-11-12 23:07:29 -06:00
Tobias Stoeckmann
c17f5ec460 Free memory on error path
When multiple entries with the same name are encountered, nentry is
not properly freed, which results in a memory leak.
2015-07-12 14:30:32 +02:00
Tobias Stoeckmann
df5dafe049 Clear passwords on __gr_dup/__pw_dup errors.
The functions __gr_dup and __pw_dup do not explicitly zero the
memory which hold the passwords after free. The gr_free and pw_free
functions do this explicitly.

To guarantee same behaviour, it's possible to call these *_free
functions directly from __*_dup, because the memory is initialized
with zeros at the beginning. Calling free(NULL) has no negative
effect and can be considered safe these days.
2015-07-11 13:00:13 +02:00
Dimitri John Ledkov
bab349b46e
Create dbs with correct permissions. 2015-02-27 17:01:31 +00:00
Dimitri John Ledkov
46a72bc342
Force use shadow, even if missing. 2015-02-27 17:01:30 +00:00
Dimitri John Ledkov
71c6165dcd
Do not report unknown settings, when compiled with PAM.
When compiled with PAM certain settings are not used, however they are
still defined in the stock login.defs file. Thus every command reports
them as "unknown setting contact administrator".

Alternative would be to parse stock login.defs and comment out/remove
settings that are not applied, when compiled with PAM.
2015-02-27 17:01:28 +00:00
Dimitri John Ledkov
51c1fc93e3
Do not bail out on missing login.defs.
For most operations tools have compiled-in defaults, and thus can
operate without login.defs present.
2015-02-27 17:01:27 +00:00
Bostjan Skufca
1d049b6aed sub[ug]id: compare range before comparing username/UID, to avoid unnecessary syscalls
Change suggested by Nicolas François as performance optimization.
Performance penalty would be really noticeable when usernames are
stored in remote databases (ldap).

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-09-17 15:48:24 -05:00