Commit Graph

70 Commits

Author SHA1 Message Date
Alejandro Colomar
c643845100 autoconf: Remove AC_ISC_POSIX
INTERACTIVE Systems Corporation Unix is no longer sold, and Sun
said (long ago) that it would drop support for it on 2006-07-23.
So this macro has been obsolete for more than a decade.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
3d392c6e05 autoconf: Remove AC_TYPE_MODE_T
'mode_t' is defined by POSIX.1-2001 in <sys/types.h>.
It's unlikely to be missing.

See mode_t(3).

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
80d419124e autoconf: Remove AC_TYPE_PID_T
'pid_t' is defined by POSIX.1-2001 in <sys/types.h>.
It's unlikely to be missing.

See pid_t(3).

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
602d280aa3 autoconf: Remove AC_TYPE_OFF_T
'off_t' is defined by POSIX.1-2001 in <sys/types.h>.
It's unlikely to be missing.

See off_t(3).

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
ccb09d9f5f autoconf: Remove AC_TYPE_UID_T
'uid_t' is defined by POSIX.1-2001 in <sys/types.h>.
It's unlikely to be missing.

See uid_t(3).

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
2e1da29fc1 Remove unused autoconf check: ruserok(3)
The macro HAVE_RUSEROK is not being used anywhere.

As the Linux manual page says, ruserok(3) is present on the BDSs, Solaris, and many other systems.  This function appeared in 4.2BSD.  So we probably can rely on its existence.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
4504a1a4bf Remove unused autoconf check: getaddrinfo(3)
The macro HAVE_GETADDRINFO is not being used anywhere.

BTW, the function is defined by POSIX.1-2001 and RFC 2553, so it's likely that it is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
98e10715ff Remove unused autoconf check: sigaction(3)
The macro HAVE_SIGACTION is not being used anywhere.

BTW, the function is defined by SVr4 and POSIX.1-2001, so it's likely that it is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
eefaf55b1b Remove unused autoconf check: gettimeofday(3)
The macro HAVE_GETTIMEOFDAY is not being used anywhere.

BTW, the function is defined by SVr4, 4.3BSD, and POSIX.1-2001, so
it's likely that it is always available.

POSIX.1-2008 marks it as obsolete, but only because
clock_gettime(2) provides more precission.  Since gettimeofday(3)
is in use by many big projects, and it has no obvious dangers,
it's likely that it will continue to exist even if it's outside of
the POSIX standard.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
f741643d75 Remove unused autoconf check: gethostname(3)
The macro HAVE_GETHOSTNAME is not being used anywhere.

BTW, the function is defined by SVr4, 4.4BSD, and POSIX.1-2001, so
it's likely that it is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
88bd05020c Remove unused autoconf check: dlopen(3)
BTW, it was unnecessary, since POSIX.1-2001 defines the function.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
20a39fbbab Remove unused autoconf check: strchr(3)
The only place where the check was used was removed in 4e1afcd66.

BTW, it was unnecessary, since strchr(3) is defined by:
POSIX.1-2001, C89, SVr4, and 4.3BSD.  Enough to rely on it.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
9e788adf56 Remove AC_HEADER_SYS_WAIT
GNU autoconf documentation marks this macro as obsolescent, as
current systems are compatible with POSIX.

Simplify code to unconditionally include <sys/wait.h>, and don't
redefine WIFEXITSTATUS() and WIFEXITED(), since they are mandated
by POSIX.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Alejandro Colomar
79e28694ef Remove AC_HEADER_DIRENT
POSIX.1-2001 defines 'struct dirent' in <dirent.h>.  It replaces
the old 'struct direct' found in BSDs.  All of the systems that I
checked (including FreeBSD, NetBSD, and OpenBSD), now provide
<dirent.h> with 'struct dirent', as mandated by POSIX.

Since autoconf first checks <dirent.h> and only if it's missing it
checks other header files, it's clear that it will always find
<dirent.h>, so let's simplify.

GNU autoconf documentation declares this macro as obsolescent, and
acknowledges that all current systems with directory libraries
have <dirent.h>:
<https://www.gnu.org/software/autoconf/manual/autoconf-2.70/html_node/Particular-Headers.html>

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Serge Hallyn
98f943f2a5
Merge pull request #481 from alejandro-colomar/STDC_HEADERS
Assume C89 is available
2022-01-03 09:37:06 -06:00
Christian Göttsche
7a799ebb2c Ensure memory cleaning
Compilers are allowed to and do optimize memset(3) calls away for
pointers not accessed in the future. Since the memzero wrappers purpose
is exactly to unconditionally override memory (e.g. for stored
passwords) do not implement via regular memset(3), but via either
memset_s(3), explicit_bzero(3) or a hand written implementation using
volatile pointers.

See https://wiki.sei.cmu.edu/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations
2022-01-03 15:09:39 +01:00
Serge Hallyn
eccf1c569c configure.ac and changelog: release 4.11.1
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-01-02 21:08:26 -06:00
Serge Hallyn
8736e4a37e configure.ac and changelog: release 4.11
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-01-02 21:06:36 -06:00
Alejandro Colomar
4e1afcd662 Assume STDC_HEADERS will always be defined
We're in 2021.  C89 is everywhere; in fact, there are many other
assumptions in the code that wouldn't probably hold on
pre-standard C environments.  Let's simplify and assume that C89
is available.

The specific assumptions are that:
- <string.h>, and <stdlib.h> are available
- strchr(3), strrchr(3), and strtok(3) are available
- isalpha(3), isspace(3), isdigit(3), and isupper(3) are available

I think we can safely assume we have all of those.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2021-12-29 02:39:04 +01:00
Serge Hallyn
e668c7e725
Merge pull request #479 from alejandro-colomar/getgroups
Remove HAVE_GETGROUPS ifdefs
2021-12-27 19:12:24 -06:00
Serge Hallyn
9e5a852ee0
Merge pull request #480 from alejandro-colomar/memcpy
Remove HAVE_MEMCPY and HAVE_MEMSET ifdefs
2021-12-27 19:10:48 -06:00
Alejandro Colomar
b7e12ec04e Remove HAVE_MEMSET ifdefs
memset(3) has been in standard C since C89.  It is also in
POSIX.1-2001, in SVr4, and in 4.3BSD (see memset(3) and memset(3p)).
We can assume that this function is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2021-12-27 21:52:00 +01:00
Alejandro Colomar
047bfc47c6 Remove HAVE_MEMCPY ifdefs
memcpy(3) has been in standard C since C89.  It is also in
POSIX.1-2001, in SVr4, and in 4.3BSD (see memcpy(3) and memcpy(3p)).
We can assume that this function is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2021-12-27 21:38:47 +01:00
Alejandro Colomar
913e16ce20 Remove HAVE_GETGROUPS ifdefs
getgroups(2) has been in POSIX since POSIX.1-2001.  It is also in
in SVr4 and in 4.3BSD (see getgroups(2) and getgroups(3p)).
We can assume that this function is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2021-12-27 21:17:50 +01:00
Alejandro Colomar
3e602b58a2 Remove HAVE_STRFTIME ifdefs
strftime(3) has been in standard C since C89.  It is also in
POSIX.1-2001, and in SVr4 (see strftime(3) and strftime(3p)).
We can assume that this function is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2021-12-27 20:50:13 +01:00
Sam James
e0d66b4be1 libsubid: fix defining SONAME version
We were overriding this when --enable-shared was passed. We can actually
just dump the conditional logic as libtool will do the right thing for
us here anyway.

Without this patch, libsubid is installed as .0.

Signed-off-by: Sam James <sam@gentoo.org>
2021-12-20 01:37:42 +00:00
Serge Hallyn
868d7b34ea configure.ac and changelog: release 4.9
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-19 14:09:08 -06:00
Serge Hallyn
0c9f641408 Show libsubid api version in subid.h
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-05 08:02:57 -06:00
Serge Hallyn
32f641b207 Change the subid export symbols
Rename libsubid symbols to all be prefixed with subid_.

Don't export anything but the subid_*.

Closes #443

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-11-27 14:56:03 -06:00
Andy Zaugg
049f9a7f6b Fix parentheses in configure.ac
Resolving issue https://github.com/shadow-maint/shadow/issues/419
2021-09-22 09:42:15 -07:00
Serge Hallyn
fa986b1d73 Respect --enable-static=no in libsubid
libsubid's Makefile.am was always setting enable-shared in its LDFLAGS.
Do that only if not building static.

Closes #387

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2021-07-25 12:21:55 -05:00
Serge Hallyn
6f9124b7f7 configure.ac: get ready to release 4.9
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-07-22 16:50:51 -05:00
Björn Esser
c93897a8d7
lib/defines.h: Include <crypt.h> if present on the system.
The functions crypt(3), crypt_gensalt(3), and their
feature test macros may be defined in there.

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-07-04 13:01:21 +02:00
Björn Esser
c82ed0c15e
libmisc/salt.c: Use secure system ressources to obtain random bytes.
In a previous commit we introduced /dev/urandom as a source to obtain
random bytes from.  This may not be available on all systems, or when
operating inside of a chroot.

Almost all systems provide functions to obtain random bytes from
secure system ressources.  Thus we should prefer to use these, and
fall back to /dev/urandom, if there is no such function present, as
a last resort.

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-07-04 13:00:32 +02:00
Serge Hallyn
3d670ba7ed nss/libsubid: simplify the ranges variable for list_owner_ranges
Following alexey-tikhonov's suggestion.

Since we've dropped the 'owner' field in the data returned for
get_subid_ranges, we can just return a single allocated array of
simple structs.  This means we can return a ** instead of ***, and
we can get rid of the subid_free_ranges() helper, since the caller
can just free() the returned data.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-22 17:59:57 -05:00
Serge Hallyn
8492dee663 subids: support nsswitch
Closes #154

When starting any operation to do with subuid delegation, check
nsswitch for a module to use.  If none is specified, then use
the traditional /etc/subuid and /etc/subgid files.

Currently only one module is supported, and there is no fallback
to the files on errors.  Several possibilities could be considered:

1. in case of connection error, fall back to files
2. in case of unknown user, also fall back to files

etc...

When non-files nss module is used, functions to edit the range
are not supported.  It may make sense to support it, but it also
may make sense to require another tool to be used.

libsubordinateio also uses the nss_ helpers.  This is how for instance
lxc could easily be converted to supporting nsswitch.

Add a set of test cases, including a dummy libsubid_zzz module.  This
hardcodes values such that:

'ubuntu' gets 200000 - 300000
'user1' gets 100000 - 165536
'error' emulates an nss module error
'unknown' emulates a user unknown to the nss module
'conn' emulates a connection error ot the nss module

Changes to libsubid:

Change the list_owner_ranges api: return a count instead of making the array
null terminated.

This is a breaking change, so bump the libsubid abi major number.

Rename free_subuid_range and free_subgid_range to ungrant_subuid_range,
because otherwise it's confusing with free_subid_ranges which frees
    memory.

Run libsubid tests in jenkins

Switch argument order in find_subid_owners

Move the db locking into subordinateio.c

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-04-16 21:02:37 -05:00
Serge Hallyn
514c1328b6 try again to fix libmisc sharing problem
Issue #297 reported seeing

*** Warning: Linking the shared library libsubid.la against the
*** static library ../libmisc/libmisc.a is not portable!

which commit b5fb1b38ee was supposed
to fix.  But a few commits later it's back.  So try to fix it
in the way the bug reporter suggested.  This broke builds some
other ways, namely a few missing library specifications, so add
those.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-04-11 17:42:04 -05:00
Rodolphe Bréard
5cd04d03f9 Add yescrypt support 2021-02-01 22:11:10 +01:00
Serge Hallyn
0a7888b1fa Create a new libsubid
Closes #154

Currently this has three functions: one which returns the
list of subuid ranges for a user, one returning the subgids,
and one which frees the ranges lists.

I might be mistaken about what -disable-man means;  some of
the code suggests it means just don't re-generate them, but
not totally ignore them.  But that doesn't seem to really work,
so let's just ignore man/ when -disable-man.

Remove --disable-shared.  I'm not sure why it was there, but it stems
from long, long ago, and I suspect it comes from some ancient
toolchain bug.

Create a tests/run_some, a shorter version of run_all.  I'll
slowly add tests to this as I verify they work, then I can
work on fixing the once which don't.

Also, don't touch man/ if not -enable-man.

Changelog:
	Apr 22: change the subid list api as recomended by Dan Walsh.
	Apr 23: implement get_subid_owner
	Apr 24: implement range add/release
	Apr 25: finish tests and rebase
	May 10: make @owner const

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:11:58 -05:00
Serge Hallyn
43a917cce5 configure: define abi versions
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:07:23 -05:00
Serge Hallyn
2cc7da6058 configure.ac: release 4.8.1
This is mainly to revert the --sbindir/--bindir commit which broke some
distros

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-01-23 14:56:43 -06:00
Dave Reisner
66b7bc0dcf Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
Here's a sad story:

* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
installed with file caps rather than setuid.
* https://bugs.archlinux.org/task/63248 is filed to take advantage of
this.
* The arch maintainer of the 'shadow' package notices that this doesn't
work, and submits a pull request to fix this in shadow.
* edf7547ad5 is merged, fixing the post install hooks.

The problem here is that distros have been building shadow with PAM for
O(years), but the install hooks have silently failed due to the
combination of the directory mismatch (suidubins vs suidsbins) and later
success with setuid'ing newgidmap/newuidmap.

With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
who never built shadow explicitly with --enable-account-tools-setuid are
now getting setuid account tools, and don't have PAM configuration
suitable for use with setuid account management tools.

It's entirely unclear to me why you'd want this, but I assume there's
some reason out there for it existing. Regardless, setuid binaries are
dangerous and shouldn't be enabled by default without good reason.

[1] https://bugs.archlinux.org/task/64836
[2] https://bugs.gentoo.org/702252
2019-12-16 14:22:32 -05:00
Serge Hallyn
81de782d1e Release 4.8
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-12-01 11:36:13 -06:00
prez
2958bd050b Initial bcrypt support 2019-12-01 11:00:57 -06:00
Lars Wendler
19bac44dde
build: Make build/installation of su and its support files optional
Enabled by default
This is necessary because coreutils and util-linux can also provide su

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
2019-11-19 11:28:45 +01:00
Thorsten Kukuk
b52ce71c27 Add support for a vendor directory and libeconf
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where the shadow suite should additional
look for login.defs if this file is not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
2019-10-05 22:17:49 -05:00
Yi Zhao
3c52a84ff8 configure.ac: fix configure error with dash
A configure error occurs when /bin/sh -> dash:
  checking for is_selinux_enabled in -lselinux... yes
  checking for semanage_connect in -lsemanage... yes
  configure: 16322: test: yesyes: unexpected operator

Use "=" instead of "==" since dash doesn't support this operator.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-06-17 15:42:07 +08:00
Serge Hallyn
2bb99b8fe6 release 4.7
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-06-13 11:38:49 -05:00
Serge Hallyn
816220f90c autoconf: fix cut-paste errors in btrfs detection
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-05-03 22:39:47 -07:00
Adam Majer
50b23584d7 Add autotools support for BtrFS option
Feature is enabled by default, if headers are available. It can be
turned off explictly.
2019-05-03 22:38:23 -07:00