Commit Graph

2189 Commits

Author SHA1 Message Date
Dave Reisner
edf7547ad5 Fix failing chmod calls on installation for suidubins
suidubins should be suidusbins, since these binaries are installed
${prefix}/sbin. This historically hasn't broken the build because
chmod of newgidmap/newuidmap succeeds, causing make to think the command
succeeded. Configuring shadow with --with-fcaps removes these final two
entries and exposes the chmod failure to make.
2019-08-02 18:42:34 -04:00
Serge Hallyn
5afc1c5b5f
Merge pull request #170 from stanislav-brabec/master
Fixes of LASTLOG_UID_MAX and login.defs
2019-07-31 10:40:43 -05:00
Stanislav Brabec
3025fefc41 login.defs: Cosmetic space change
Fix formatting of login.defs comments. Variables are preceeded by "#"
without space, comments are preceeded by "# ". It makes the file machine
parseable again.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
2019-07-26 22:47:05 +02:00
Stanislav Brabec
00a5cff244 login.defs: Really add LASTLOG_UID_MAX
However 46331648 mentions adding of LASTLOG_UID_MAX to login.defs, it did
not happen.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
2019-07-26 22:34:59 +02:00
Stanislav Brabec
fc0ed79e5d usermod.c: Fix invalid variable name
Fix invalid LASTLOG_MAX_UID variable name to correct LASTLOG_UID_MAX.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
2019-07-26 21:39:42 +02:00
Serge Hallyn
13c618465d
Merge pull request #167 from yizhao1/fix
configure.ac: fix configure error with dash
2019-06-17 09:06:43 -05:00
Yi Zhao
3c52a84ff8 configure.ac: fix configure error with dash
A configure error occurs when /bin/sh -> dash:
  checking for is_selinux_enabled in -lselinux... yes
  checking for semanage_connect in -lsemanage... yes
  configure: 16322: test: yesyes: unexpected operator

Use "=" instead of "==" since dash doesn't support this operator.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-06-17 15:42:07 +08:00
Serge Hallyn
2bb99b8fe6 release 4.7
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-06-13 11:38:49 -05:00
Serge Hallyn
d2808b1b51 github pages takes an index.html
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2019-06-09 00:02:45 -05:00
Serge Hallyn
b679cdbd3e add README.md for the homepage
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2019-06-08 23:51:32 -05:00
Christian Brauner
a5f034f272
Merge pull request #161 from tabraham/master
lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
2019-06-04 13:31:08 +02:00
Thomas Abraham
82fa6eccf9 lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it errors with ECHILD.
2019-05-06 14:26:14 -04:00
Thomas Abraham
8d39357c84 Revert "lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD"
This reverts commit 1697c192ac.
2019-05-06 14:23:58 -04:00
Serge Hallyn
aff40d8515 libmisc/btrfs: no sense trying to calculate 'btrfs' string
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-05-03 22:40:14 -07:00
Serge Hallyn
51cfc1f89a libmisc/btrfs: find btrfs command
Ubuntu for instance keeps it in /bin, not /sbin.  So look
for it in our usual places.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-05-03 22:39:53 -07:00
Serge Hallyn
816220f90c autoconf: fix cut-paste errors in btrfs detection
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-05-03 22:39:47 -07:00
Adam Majer
50b23584d7 Add autotools support for BtrFS option
Feature is enabled by default, if headers are available. It can be
turned off explictly.
2019-05-03 22:38:23 -07:00
Adam Majer
c1d36a8acb Add support for btrfs subvolumes for user homes
new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.
2019-05-03 22:38:23 -07:00
Christian Brauner
caefe9e8de
Merge pull request #164 from t8m/use-lckpwdf
Use lckpwdf() again if prefix is not set and fix a possible DoS in locking
2019-05-03 10:43:41 +02:00
Tomas Mraz
64d7688acb Do not fail locking if there is a stale lockfile.
As the lockfiles have PID in the name, there can be no conflict
in the name with other process, so there is no point in using
O_EXCL and it only can fail if there is a stale lockfile from
previous execution that crashed for some reason.
2019-05-02 14:39:01 +02:00
Tomas Mraz
408b8a5482 Use the lckpwdf() again if prefix is not set
The implementation of prefix option dropped the use of lckpwdf().
However that is incorrect as other tools manipulating the shadow passwords
such as PAM use lckpwdf() and do not know anything about the
shadow's own locking mechanism.

This reverts the implementation to use lckpwdf() if prefix option
is not used.
2019-05-02 14:33:06 +02:00
Christian Brauner
ce2941ca0d
Merge pull request #162 from jtojnar/check-correct-docbook
build: Check correct DocBook version
2019-04-30 20:39:22 +02:00
Jan Tojnar
47797ca665
build: Check correct DocBook version
The documentation uses DocBook 4.5 DOCTYPE but the configure script
checked for 4.1.2.
2019-04-30 20:35:07 +02:00
Thomas Abraham
1697c192ac lib/spawn.c run_command: don't loop forever if waitpid() is returning ECHILD
If SIGCHILD is being ignored, waitpid() will forever error with ECHILD and
this loop with never end, so don't loop if it erros with ECHILD.
2019-04-25 14:56:22 -04:00
Serge Hallyn
5837240451 usermod: print "no changes" to stdout, not stderr
Closes #113

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2019-04-21 17:28:12 -05:00
Serge Hallyn
2c8171f8c8
Merge pull request #146 from lamby/reproducible-shadow-files
Make the sp_lstchg shadow field reproducible (re. #71)
2019-04-21 17:13:58 -05:00
Serge Hallyn
fbb59823c5
Merge pull request #143 from t8m/fedora
usermod: Guard against unsafe change of ownership of home contents
2019-04-21 16:56:36 -05:00
Serge Hallyn
fe87a1ad96
Merge pull request #158 from nathanruiz/master
Fix chpasswd long line handling
2019-04-21 16:50:07 -05:00
Serge Hallyn
38e3e35c72
Merge pull request #156 from cvuillemez/no_flush_in_read_only
Do not flush nscd and sssd cache in read-only mode
2019-04-15 00:17:32 -05:00
Nathan Ruiz
a8f7132113 Fix chpasswd long line handling 2019-04-10 07:56:59 +10:00
Chris Lamb
3d921155e0 gettime: Use secure_getenv over getenv. 2019-03-31 16:00:01 +01:00
Chris Lamb
fe34a2a0e4 Make the sp_lstchg shadow field reproducible (re. #71)
From <https://github.com/shadow-maint/shadow/pull/71>:

```
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

username:17238:0:99999:7:::
whilst creating the same user tomorrow will result in:

username:17239:0:99999:7:::
This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.
```

This updated PR adds some missing calls to gettime (). This was originally
filed by Johannes Schauer in Debian as #917773 [2].

[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/
[2] https://bugs.debian.org/917773
2019-03-31 16:00:01 +01:00
Christian Brauner
e24deea4c9
Merge pull request #157 from t8m/close-crash
Do not crash in commonio_close if database FILE not opened.
2019-03-25 12:56:55 -07:00
Tomas Mraz
d6276066dd Do not crash in commonio_close if database FILE not opened.
The db->fp can be NULL if commonio_unlock() is called when the
shadow file is opened but did not exist before.
2019-03-25 14:51:26 +01:00
Serge Hallyn
d2e1e9ce85 Add Christian to maintainers list
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-03-17 21:11:05 -05:00
Serge Hallyn
e61db2c618 README: Update the homepage link
and remove ftp.  Maybe i should run an ftp server for releases...

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-03-17 11:48:05 -05:00
Serge Hallyn
c40c49536e README: Add Eric to contributors list
subids were not a small amount of work.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-03-17 11:39:24 -05:00
Charlie Vuillemez
dd2033c40c Do not flush nscd and sssd cache in read-only mode
Fix #155

signed-off-by: Charlie Vuillemez <cvuillemez@users.noreply.github.com>
2019-02-27 17:40:04 +01:00
Serge Hallyn
d66a1fe069
Merge pull request #153 from AlbanVidal/man-po-fr
French man translation update
2019-02-19 00:49:40 -06:00
Alban VIDAL
beb75c6fd6 French man translation update
- translated by Jean-Philippe MENGUAL
- proofread by the debian-l10n-french mailing list contributors

Signed-off-by: Alban VIDAL <alban.vidal@zordhak.fr>
2019-02-11 07:02:52 +01:00
Christian Brauner
c0c2b99164
Merge pull request #151 from t8m/uid-count-default
Fix the default mentioned in man page for SUB_UID/GID_COUNT variables.
2019-02-01 09:11:27 +01:00
Tomas Mraz
ebad423023 Fix the default mentioned in man page for SUB_UID/GID_COUNT variables. 2019-01-31 13:30:59 +01:00
Serge Hallyn
c5898d9f02
Merge pull request #148 from AlbanVidal/master
Sync po files from template "shadow.pot" file
2019-01-26 22:58:53 -06:00
Alban VIDAL
ee87cda65d Sync po files from pot shadow.pot file
Signed-off-by: Alban VIDAL <alban.vidal@zordhak.fr>
2019-01-19 13:32:42 +01:00
Tomas Mraz
5b41b7d1b1 usermod: Guard against unsafe change of ownership of home directory content
In case the home directory is not a real home directory
(owned by the user) but things like / or /var or similar,
it is unsafe to change ownership of home directory content.

The test checks whether the home directory is owned by the
user him/herself, if not no ownership modification of contents
is performed.
2018-12-18 16:32:13 +01:00
Tomas Mraz
4633164857 login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
2018-12-10 13:25:56 -06:00
Giuseppe Scrivano
59c2dabb26 idmap: always seteuid to the owner of the namespace
simplify the condition for setting the euid of the process.  Now it is
always set when we are running as root, the issue was introduced with
the commit 52c081b02c

Changelog: 2018-11-24 - seh - enforce that euid only gets set to ruid if
   it currently == 0 (i.e. really was setuid-*root*).

Closes: https://github.com/genuinetools/img/issues/191

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-11-24 17:30:46 -06:00
Serge Hallyn
42324e5017
Merge pull request #138 from brauner/2018-10-27/setuid_fscaps
new{g,u}idmap: align setuid and fscaps behavior
2018-10-27 19:00:23 -05:00
Christian Brauner
52c081b02c
new{g,u}idmap: align setuid and fscaps behavior
Commit 1ecca8439d ("new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS")
does contain a wrong commit message, is lacking an explanation of the
issue, misses some simplifications and hardening features. This commit
tries to rectify this.

In (crazy) environment where all capabilities are dropped from the
capability bounding set apart from CAP_SET{G,U}ID setuid- and
fscaps-based new{g,u}idmap binaries behave differently when writing
complex mappings for an unprivileged user:

1. newuidmap is setuid

unshare -U sleep infinity &
newuidmap $? 0 100000 65536

First file_ns_capable(file, ns, CAP_SYS_ADMIN) is hit. This calls into
cap_capable() and hits the loop

for (;;) {
        /* Do we have the necessary capabilities? */
        if (ns == cred->user_ns)
                return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

        /*
         * If we're already at a lower level than we're looking for,
         * we're done searching.
         */
        if (ns->level <= cred->user_ns->level)
                return -EPERM;

        /*
         * The owner of the user namespace in the parent of the
         * user namespace has all caps.
        */
        if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
                return 0;

        /*
         * If you have a capability in a parent user ns, then you have
         * it over all children user namespaces as well.
        */
        ns = ns->parent;
}

The first check fails and falls through to the end of the loop and
retrieves the parent user namespace and checks whether CAP_SYS_ADMIN is
available there which isn't.

2. newuidmap has CAP_SETUID as fscaps set

unshare -U sleep infinity &
newuidmap $? 0 100000 65536

The first file_ns_capable() check for CAP_SYS_ADMIN is passed since the
euid has not been changed:

if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
        return 0;

Now new_idmap_permitted() is hit which calls ns_capable(ns->parent,
CAP_SET{G,U}ID). This check passes since CAP_SET{G,U}ID is available in
the parent user namespace.
Now file_ns_capable(file, ns->parent, CAP_SETUID) is hit and the
cap_capable() loop (see above) is entered again. This passes

if (ns == cred->user_ns)
        return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

since CAP_SET{G,U}ID is available in the parent user namespace. Now the
mapping can be written.

There is no need for this descrepancy between setuid and fscaps based
new{g,u}idmap binaries. The solution is to do a
seteuid() back to the unprivileged uid and PR_SET_KEEPCAPS to keep
CAP_SET{G,U}ID. The seteuid() will cause the
file_ns_capable(file, ns, CAP_SYS_ADMIN) check to pass and the
PR_SET_KEEPCAPS for CAP_SET{G,U}ID will cause the CAP_SET{G,U}ID to
pass.

Fixes: 1ecca8439d ("new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2018-10-28 01:27:48 +02:00
Serge Hallyn
bb3f810611
Merge pull request #136 from giuseppe/fcap-newuidmap-newgidmap
newuidmap/newgidmap: install with file capabilities
2018-10-27 11:26:31 -05:00