In case a system uses remote identity server (LDAP) the group lookup
can be very slow. We avoid it when we already know the user has the
group membership.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.
This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.
Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:
username:17238:0:99999:7:::
whilst creating the same user tomorrow will result in:
username:17239:0:99999:7:::
This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.
This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.
[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/
Signed-off-by: Chris Lamb <lamby@debian.org>
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
This reverts the behavior of "useradd --root" to using the settings
from login.defs in the target root directory, not the root of the
executed useradd command.
The useradd application resets the user data in /var/log/faillog, if it
exists and a new user is created.
pam_tally2 is used in many distributions.
Check for /var/log/tallylog and reset the user there.
Patch was written by Josef Moellers <jmoellers@suse.de>.
https://bugzilla.suse.com/show_bug.cgi?id=980486
These assignments were pasted as is into the Makefile and
ended up as part of a rule. (Usually the .PRECIOUS rule
which is why the build system never attempted to execute it
as commands, hiding the problem.)
Signed-off-by: Wolfgang Bumiller <wry.git@bumiller.com>
Reported-by: Rahel A <ra00177@surrey.ac.uk>
Some of the supplied tools use functions which are not signal-safe.
Most of the times it's exit() vs. _exit().
In other times it's how the standard output or standard error is
handled. FILE-related functions shall be avoided, therefore I replaced
them with write().
Also there is no need to call closelog(). At worst, it allows to
trigger a deadlock by issuing different signal types at bad timings.
But as these fixes are about race conditions, expect bad timings in
general for these bugs to be triggered. :)
Catch up with Automake's [1], which was part of v1.6b, cut 2002-07-28
[2]. Avoids:
$ autoreconf -v -f --install
...
libmisc/Makefile.am:4: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
...
src/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
...
Consolidating with the earlier AM_CPPFLAGS avoids:
$ autoreconf -v -f --install
src/Makefile.am:72: warning: AM_CPPFLAGS multiply defined in condition TRUE ...
src/Makefile.am:10: ... 'AM_CPPFLAGS' previously defined here
autoreconf-2.69: Leaving directory `.'
[1]: http://git.savannah.gnu.org/cgit/automake.git/commit/?id=1415d22f6203206bc393fc4ea233123ba579222d
Summary: automake.in (generate_makefile): Suggest using AM_CPPFLAGS instead of INCLUDES
Date: 2002-07-09
[2]: http://git.savannah.gnu.org/cgit/automake.git/tag/?id=Release-1-6b
This functionality is useful because there is now a feature
of Linux-PAM's pam_lastlog module to block expired users (users
which did not login recently enough) from login. This commit
complements it so the sysadmin is able to unblock such expired user.
Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
We intend to not create subuids for system users. However we are
checking for command line flags after we check whether -r flag
was set, so it was never found to be true. Fix that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- Use an allocation of 65536 uids and gids to allow for POSIX-compliant
user owned namespaces.
- Don't allocate a uid/gid map to system users.
Unfortunately checking for --system isn't quite enough as some
distribution wrappers always call useradd without --system and take care
of choosing a uid and gid themselves, so also check whether the
requested uid/gid is in the user range.
This is taken from a patch I wrote for Ubuntu a couple years ago and
which somehow didn't make it upstream.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
The current implementation of subuid/subgid support in usermod requires the
user to be a local user present in /etc/passwd. There doesn't seem to be a
good reason for this; subuids should work equally well for users whose
records are in other NSS databases.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1475749
Author: Steve Langasek <steve.langasek@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is helpful when using configuration management tools such as
Puppet, where you are managing the groups in a central location and you
don't need this safeguard.
Signed-off-by: "Jesse W. Hathaway" <jesse@mbuki-mvuki.org>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Currently the error is just:
newuidmap: Target [pid] is owned by a different user
With this patch it will be like:
newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
Why is this useful? Well, in my case...
The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid. This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.
This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.
Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.
Some graceful way of handling this and not failing, will be next ;) But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.
Thanks!
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
passwd, shadow, group, gshadow etc. can be managed via nss -
e.g. system default accounts can be specified using nss_altfiles,
rather than in /etc/. Thus despite having default accounts, these
files can be missing on disk and thus should be opened with O_CREATE
whenever they are attempted to be opened in O_RDWR modes.
Prevent chmod failure message from displaying if the failure
was due to the backup file not existing.
If there is no backup file present and if no changes have been
made, then this error would always appear since the backup
file isn't created in this situation.
Signed-off-by: Duncan Eastoe <deastoe@Brocade.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Currently shadow fails to build from source and is flagged as
out-of-date. This is due to a usage of PATH_MAX, which is not defined
on GNU/Hurd. The attached patch solves this problem by allocating a
fixed number of 32 bytes for the string proc_dir_name in files
src/procuidmap.c and src/procgidmap.c. (In fact only 18 bytes are
needed)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
* src/su.c: Terminate the child (if needed) before closing the PAM
session. This is probably more correct, and avoid reporting
termination from signals possibly sent by PAM modules (e.g. former
versions of pam_systemd). Debian#670132
* src/su.c: When a SIGTSTP is caught, reset caught to 0. There is
no need to kill the child in such case after su is resumed. This
remove the "Session terminated, terminating shell...
...terminated." messages in such case.
* src/useradd.c: Change message in case of find_new_sub_uids /
find_new_sub_gids failure. This complements the messages already
provided by these APIs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
* Changelog: Update documentation of 2013-07-28 mancha entry.
* lib/prototypes.h, lib/encrypt.c: Update splint marker,
pw_encrypt can return NULL.
* lib/encrypt.c: Fix outdated statement on GNU crypt.
* src/chgpasswd.c: Improve diagnostic to user when pw_encrypt
fails and use fail_exit() instead of exit().
* src/chpasswd.c: Likewise.
* src/newusers.c: Likewise.
* src/passwd.c: Likewise when new password is encrypted.
* src/newgrp.c: Improve diagnostic to user and syslog when
pw_encrypt fails. Do not apply 1s penalty as this is not an
invalid password issue.
* src/passwd.c: Likewise when password is checked.
a salt that violates specs. On Linux, crypt() also fails with
DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns
we send them back to the caller for appropriate handling.
enabled. This is not done by pam_lastlog. This was broken on
2011-07-23.
* NEWS, libmisc/utmp.c: Do not log in wtmp when PAM is enabled.
This is done by pam_lastlog.
* lib/commonio.c: Avoid multiple statements per line.
* lib/commonio.c: Ignore fclose return value when the file was
open read only or was not changed, or if an error is already
reported.
annotations.
* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
Ignore return value of spw_rewind, pw_rewind, sgr_rewind, and
gr_rewind.
* lib/commonio.h: Both head and tail cannot be owned. Set tail as
dependent.
* src/expiry.c: Ignore return value of expire ().
* src/expiry.c: The catch_signals function does not use its sig
parameter.
* src/userdel.c: Last audit_logger parameter is a
shadow_audit_result, use SHADOW_AUDIT_FAILURE instead of 0.
src/chsh.c, src/groupadd.c, src/groupdel.c, src/groupmems.c,
src/groupmod.c, src/newusers.c, src/useradd.c, src/userdel.c,
src/usermod.c: Provide the PAM error
message instead of our own, and log error to syslog.
* src/groupmems.c: Exit with exit rather than fail_exit in usage().
* src/newusers.c: Check the number of arguments.
* src/newusers.c: Do not create the home directory when it is not
changed.
* src/useradd.c: Set the group password to "!" rather "x" if there
are no gshadow file.
* src/pwck.c: optind cannot be greater than argc.
* src/pwck.c: If spw_opened, then is_shadow is implicitly set.
* src/pwck.c: Do not report passwd entry without x password and a
shadow entry in --quiet mode (no interaction with the caller)
* src/pwck.c: Do not check if the last password change is in the
future if the time is set to 0.
