Commit Graph

393 Commits

Author SHA1 Message Date
Serge Hallyn
9d169ffc41 fix newusers when nss provides subids
Closes #331

1. drop 'has_any_range' nss method as it is not useful

2. do not try to create a subid range in newusers when using nss for
   subids, since that's not possible.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
(cherry picked from commit 88a434adbdcf4a8640793fd58bcd2ba77598349d)
2021-05-23 08:16:16 -05:00
Serge Hallyn
3d670ba7ed nss/libsubid: simplify the ranges variable for list_owner_ranges
Following alexey-tikhonov's suggestion.

Since we've dropped the 'owner' field in the data returned for
get_subid_ranges, we can just return a single allocated array of
simple structs.  This means we can return a ** instead of ***, and
we can get rid of the subid_free_ranges() helper, since the caller
can just free() the returned data.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-22 17:59:57 -05:00
Serge Hallyn
322db32971 Don't return owner in list_owner_ranges API call.
Closes: 339

struct subordinate_range is pretty closely tied to the existing
subid code and /etc/subuid format, so it includes an owner.  Dropping
that or even renaming it is more painful than I'd first thought.
So introduce a 'struct subid_range' which is only the start and
count, leaving 'struct subordinate_range' as the owner, start and
count.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-16 21:49:53 -05:00
Serge Hallyn
f9831a4a1a
Merge pull request #335 from hallyn/2021-05-08/stderr
[WIP] libsubid: don't print error messages on stderr by default
2021-05-16 21:44:22 -05:00
Serge Hallyn
2b22a6909d libsubid: don't print error messages on stderr by default
Closes #325

Add a new subid_init() function which can be used to specify the
stream on which error messages should be printed.  (If you want to
get fancy you can redirect that to memory :)  If subid_init() is
not called, use stderr.  If NULL is passed, then /dev/null will
be used.

This patch also fixes up the 'Prog', which previously had to be
defined by any program linking against libsubid.  Now, by default
in libsubid it will show (subid).  Once subid_init() is called,
it will use the first variable passed to subid_init().

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-15 12:38:55 -05:00
Serge Hallyn
ca1d912e6b
Merge pull request #333 from ikerexxe/hmac_crypto_algo
login.defs: include HMAC_CRYPTO_ALGO key
2021-05-08 16:35:05 -05:00
Iker Pedrosa
b8cbc2c113 login.defs: include HMAC_CRYPTO_ALGO key
Include the new HMAC_CRYPTO_ALGO key that is needed by pam_timestamp to
select the algorithm that is going to be used to calculate the message
authentication code.

pam_timestamp is currently using an embedded algorithm to calculate the
HMAC message, but the idea is to improve this behaviour by relying on
openssl's implementation. On top of that, the ability to change the
algorithm with a simple configuration change allows to simplify the
process of removing unsecure algorithms.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
2021-05-06 17:31:53 +02:00
Christian Göttsche
dfe95bd08b selinux: only open selabel database once
Once opened, keep the selabel database open for further lookups.
Register an exit handler to close the database.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Christian Göttsche
eb1d2de0e9 set_selinux_file_context(): prepare context for actual file type
Search the SELinux selabel database for the file type to be created.
Not specifying the file mode can cause an incorrect file context to be
returned.

Also prepare contexts in commonio_close() for the generic database
filename, not with the backup suffix appended, to ensure the desired
file context after the final rename.

Closes: #322

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Christian Göttsche
5f7649fb37 selinux.c: use modern selabel interface instead of deprecated matchpathcon
matchpathcon(3) is deprecated in favor of selabel_lookup(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Christian Göttsche
e367d111e5 selinux.c:reset_selinux_file_context(): do not fail in permissive mode
Return 0 on setfscreatecon(3) failure, like set_selinux_file_context().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Christian Göttsche
95fd179683 selinux.c: do not use deprecated typedef and skip context translation
These retrieved contexts are just passed to libselinux functions and not
printed or otherwise made available to the outside, so a context
translation to human readable MCS/MLS labels is not needed.
(see man:setrans.conf(5))

The typedef security_context_t is deprecated, see
9eb9c93275

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Christian Göttsche
6e4b2fe25d struct commonio_db[selinux]: do not use deprecated type security_context_t
The typedef security_context_t is deprecated, see
9eb9c93275

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Serge Hallyn
8492dee663 subids: support nsswitch
Closes #154

When starting any operation to do with subuid delegation, check
nsswitch for a module to use.  If none is specified, then use
the traditional /etc/subuid and /etc/subgid files.

Currently only one module is supported, and there is no fallback
to the files on errors.  Several possibilities could be considered:

1. in case of connection error, fall back to files
2. in case of unknown user, also fall back to files

etc...

When non-files nss module is used, functions to edit the range
are not supported.  It may make sense to support it, but it also
may make sense to require another tool to be used.

libsubordinateio also uses the nss_ helpers.  This is how for instance
lxc could easily be converted to supporting nsswitch.

Add a set of test cases, including a dummy libsubid_zzz module.  This
hardcodes values such that:

'ubuntu' gets 200000 - 300000
'user1' gets 100000 - 165536
'error' emulates an nss module error
'unknown' emulates a user unknown to the nss module
'conn' emulates a connection error ot the nss module

Changes to libsubid:

Change the list_owner_ranges api: return a count instead of making the array
null terminated.

This is a breaking change, so bump the libsubid abi major number.

Rename free_subuid_range and free_subgid_range to ungrant_subuid_range,
because otherwise it's confusing with free_subid_ranges which frees
    memory.

Run libsubid tests in jenkins

Switch argument order in find_subid_owners

Move the db locking into subordinateio.c

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-04-16 21:02:37 -05:00
Haelwenn Monnier
b865e14f25
login & su: Treat an empty passwd field as invalid (#315)
* login & su: Treat an empty passwd field as invalid

Otherwise it's treated like the “require no password” clause while it probably
should be treated like a normal su that can't validate anyway.

A similar change should be done for USE_PAM.

* su & login: Introduce PREVENT_NO_AUTH
2021-03-28 22:16:03 -05:00
Serge Hallyn
697901a328
Merge pull request #303 from breard-r/yescrypt
Add yescrypt support
2021-03-28 22:13:56 -05:00
Martijn de Gouw
c464ec5570 newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID
Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
2021-02-08 13:32:18 +01:00
Rodolphe Bréard
5cd04d03f9 Add yescrypt support 2021-02-01 22:11:10 +01:00
ikerexxe
fb0f702cbf commonio: force lock file sync
lib/commonio.c: after writing to the lock file, force a file sync to
the storage system.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1862056
2020-11-05 17:15:56 +01:00
w00475903
e24700fd5d xfree: move xfree() function to xmalloc.c
Signed-off-by: whzhe <wanghongzhe@huawei.com>
2020-10-15 21:52:06 -04:00
Karel Zak
3f09f7b6fb getdefs: add foreign (non-shadow-utils) items
The login.defs is shared between more upstream projects (util-linux,
etc.). We need to improve compatibility between the projects do not
report valid, but foreign items.

Addresses: https://github.com/shadow-maint/shadow/issues/276
Signed-off-by: Karel Zak <kzak@redhat.com>
2020-10-08 12:30:53 +02:00
ikerexxe
87257a49a1 lib/sssd: redirect warning message to file
Instead of printing warning in stderr print it to file. This way the
user is not spammed with unnecessary messages when updating packages.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
2020-10-02 16:09:42 +02:00
Serge Hallyn
d041eec354
Merge pull request #270 from darktemplarbasealt/fix_resource_leak
Fix potential resource leak in set_selinux_file_context function
2020-08-10 20:34:50 -05:00
Serge Hallyn
342c934a35 add -U option to groupadd and groupmod
Add a -U option which adds new usernames as members.  For groupmod,
also add -a (append), without which existing members are removed.

Closes #265
2020-08-09 22:11:33 -05:00
Aleksei Nikiforov
49930bd3a6 Fix potential resource leak in set_selinux_file_context function 2020-08-04 10:24:46 +03:00
Serge Hallyn
6baeb25038
Merge pull request #234 from edneville/79_userdel
Adding run-parts for userdel
2020-06-10 00:31:10 -05:00
ed
32cfa176f2 Adding run-parts style for pre and post useradd/del
Signed-off-by: ed neville <ed@s5h.net>
2020-06-10 00:26:55 -05:00
Serge Hallyn
0a7888b1fa Create a new libsubid
Closes #154

Currently this has three functions: one which returns the
list of subuid ranges for a user, one returning the subgids,
and one which frees the ranges lists.

I might be mistaken about what -disable-man means;  some of
the code suggests it means just don't re-generate them, but
not totally ignore them.  But that doesn't seem to really work,
so let's just ignore man/ when -disable-man.

Remove --disable-shared.  I'm not sure why it was there, but it stems
from long, long ago, and I suspect it comes from some ancient
toolchain bug.

Create a tests/run_some, a shorter version of run_all.  I'll
slowly add tests to this as I verify they work, then I can
work on fixing the once which don't.

Also, don't touch man/ if not -enable-man.

Changelog:
	Apr 22: change the subid list api as recomended by Dan Walsh.
	Apr 23: implement get_subid_owner
	Apr 24: implement range add/release
	Apr 25: finish tests and rebase
	May 10: make @owner const

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:11:58 -05:00
Serge Hallyn
6e6494680d trivial: drop useless version-info from libshadow_la_LDFLAGS
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:07:00 -05:00
Jason Franklin
c56fe7117b
Add "NONEXISTENT" to def_table 2020-05-11 09:26:42 -04:00
Michael Vetter
992c1723af Remove unused 'buf' in shadow.c 2020-04-25 12:23:10 +02:00
Michael Vetter
8eee5d03fd Remove unused variable 'cpp' 2020-04-25 12:10:39 +02:00
Serge Hallyn
25b1a8d591 remove unused and misleading 'owner' argument from find_new_sub*
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-04-17 16:32:44 -05:00
Duncan Overbruck
085d04c3dd
add new HOME_MODE login.defs(5) option
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.

There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.

A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
2020-01-12 16:18:32 +01:00
Serge Hallyn
93f1f35123 Revert "add new HOME_MODE login.defs(5) option"
Missing file

This reverts commit a847899b52.
2020-01-12 07:56:19 -06:00
Duncan Overbruck
a847899b52
add new HOME_MODE login.defs(5) option
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.

There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.

A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
2020-01-11 22:27:39 +01:00
Michael Vetter
b1a5cda91e selinux: include stdio
We use fprintf(), stderr etc, so we should include stdio.h.
2019-12-17 13:40:47 +01:00
prez
2958bd050b Initial bcrypt support 2019-12-01 11:00:57 -06:00
Christian Göttsche
cbd2472b7c migrate to new SELinux api
Using hard-coded access vector ids is deprecated and can lead to issues with custom SELinux policies.
Switch to `selinux_check_access()`.

Also use the libselinux log callback and log if available to audit.
This makes it easier for users to catch SELinux denials.

Drop legacy shortcut logic for passwd, which avoided a SELinux check if uid 0 changes a password of a user which username equals the current SELinux user identifier.
Nowadays usernames rarely match SELinux user identifiers and the benefit of skipping a SELinux check is negligible.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2019-10-22 14:56:31 +02:00
Serge Hallyn
a0efca4581 remove unused fn commonio_next
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-10-12 20:03:51 -05:00
Serge Hallyn
991fee82df
Merge pull request #180 from thkukuk/libeconf
Add support for a vendor directory and libeconf
2019-10-05 22:34:29 -05:00
Thorsten Kukuk
b52ce71c27 Add support for a vendor directory and libeconf
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where the shadow suite should additional
look for login.defs if this file is not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
2019-10-05 22:17:49 -05:00
ed@s5h.net
1cbb562c23 lib/sgetgrent.c: change to warn when data remains 2019-10-04 18:30:41 -05:00
ed@s5h.net
558977bb2b sgetpwent.c/sgetgrent.c: check for additional data at end of line 2019-10-04 18:30:38 -05:00
Christian Brauner
a5f034f272
Merge pull request #161 from tabraham/master
lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
2019-06-04 13:31:08 +02:00
Thomas Abraham
82fa6eccf9 lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it errors with ECHILD.
2019-05-06 14:26:14 -04:00
Thomas Abraham
8d39357c84 Revert "lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD"
This reverts commit 1697c192ac.
2019-05-06 14:23:58 -04:00
Adam Majer
50b23584d7 Add autotools support for BtrFS option
Feature is enabled by default, if headers are available. It can be
turned off explictly.
2019-05-03 22:38:23 -07:00
Adam Majer
c1d36a8acb Add support for btrfs subvolumes for user homes
new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.
2019-05-03 22:38:23 -07:00
Tomas Mraz
64d7688acb Do not fail locking if there is a stale lockfile.
As the lockfiles have PID in the name, there can be no conflict
in the name with other process, so there is no point in using
O_EXCL and it only can fail if there is a stale lockfile from
previous execution that crashed for some reason.
2019-05-02 14:39:01 +02:00