Commit Graph

1115 Commits

Author SHA1 Message Date
Iker Pedrosa
c6847011e8 Makefile: include libeconf dependency in new*idmap
new*idmap has a dependency with libeconf since commit
c464ec5570. I'm just adding it to the
Makefile to be able to compile in distributions that include libeconf.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-08-02 15:54:20 +02:00
Serge Hallyn
33c33a32a2 useradd: create /etc/default saving defaults.
Since bbf4b79, we stopped shipping /etc/default/useradd, and therefore
install of shadow does not auto-create /etc/default.  So when useradd
tries to save a new default, it needs to create the directory.

Closes #390.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-07-25 16:19:56 -05:00
Serge Hallyn
537b8cd90b Fix out of tree builds with respect to libsubid includes
There's a better way to do this, and I hope to clean that up,
but this fixes out of tree builds for me right now.

Closes #386

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-07-23 17:51:13 -05:00
Serge Hallyn
9eb191edc4
Merge pull request #359 from ikerexxe/rest_resource_leak
Fix covscan RESOURCE_LEAK
2021-06-24 13:14:15 -05:00
Iker Pedrosa
e65cc6aebc Fix covscan RESOURCE_LEAK
Error: RESOURCE_LEAK (CWE-772): [#def1]
shadow-4.8.1/lib/commonio.c:320: alloc_fn: Storage is returned from allocation function "fopen_set_perms".
shadow-4.8.1/lib/commonio.c:320: var_assign: Assigning: "bkfp" = storage returned from "fopen_set_perms(backup, "w", &sb)".
shadow-4.8.1/lib/commonio.c:329: noescape: Resource "bkfp" is not freed or pointed-to in "putc".
shadow-4.8.1/lib/commonio.c:334: noescape: Resource "bkfp" is not freed or pointed-to in "fflush".
shadow-4.8.1/lib/commonio.c:339: noescape: Resource "bkfp" is not freed or pointed-to in "fileno".
shadow-4.8.1/lib/commonio.c:342: leaked_storage: Variable "bkfp" going out of scope leaks the storage it points to.
  340|   	    || (fclose (bkfp) != 0)) {
  341|   		/* FIXME: unlink the backup file? */
  342|-> 		return -1;
  343|   	}
  344|

Error: RESOURCE_LEAK (CWE-772): [#def2]
shadow-4.8.1/libmisc/addgrps.c:69: alloc_fn: Storage is returned from allocation function "malloc".
shadow-4.8.1/libmisc/addgrps.c:69: var_assign: Assigning: "grouplist" = storage returned from "malloc(i * 4UL)".
shadow-4.8.1/libmisc/addgrps.c:73: noescape: Resource "grouplist" is not freed or pointed-to in "getgroups". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/libmisc/addgrps.c:126: leaked_storage: Variable "grouplist" going out of scope leaks the storage it points to.
  124|   	}
  125|
  126|-> 	return 0;
  127|   }
  128|   #else				/* HAVE_SETGROUPS && !USE_PAM */

Error: RESOURCE_LEAK (CWE-772): [#def3]
shadow-4.8.1/libmisc/chowntty.c:62: alloc_fn: Storage is returned from allocation function "getgr_nam_gid".
shadow-4.8.1/libmisc/chowntty.c:62: var_assign: Assigning: "grent" = storage returned from "getgr_nam_gid(getdef_str("TTYGROUP"))".
shadow-4.8.1/libmisc/chowntty.c:98: leaked_storage: Variable "grent" going out of scope leaks the storage it points to.
   96|   	 */
   97|   #endif
   98|-> }
   99|

Error: RESOURCE_LEAK (CWE-772): [#def4]
shadow-4.8.1/libmisc/copydir.c:742: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/libmisc/copydir.c:742: var_assign: Assigning: "ifd" = handle returned from "open(src, 0)".
shadow-4.8.1/libmisc/copydir.c:748: leaked_handle: Handle variable "ifd" going out of scope leaks the handle.
  746|   #ifdef WITH_SELINUX
  747|   	if (set_selinux_file_context (dst, NULL) != 0) {
  748|-> 		return -1;
  749|   	}
  750|   #endif				/* WITH_SELINUX */

Error: RESOURCE_LEAK (CWE-772): [#def5]
shadow-4.8.1/libmisc/copydir.c:751: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/libmisc/copydir.c:751: var_assign: Assigning: "ofd" = handle returned from "open(dst, 577, statp->st_mode & 0xfffU)".
shadow-4.8.1/libmisc/copydir.c:752: noescape: Resource "ofd" is not freed or pointed-to in "fchown_if_needed".
shadow-4.8.1/libmisc/copydir.c:775: leaked_handle: Handle variable "ofd" going out of scope leaks the handle.
  773|   	   ) {
  774|   		(void) close (ifd);
  775|-> 		return -1;
  776|   	}
  777|

Error: RESOURCE_LEAK (CWE-772): [#def7]
shadow-4.8.1/libmisc/idmapping.c:188: alloc_fn: Storage is returned from allocation function "xmalloc".
shadow-4.8.1/libmisc/idmapping.c:188: var_assign: Assigning: "buf" = storage returned from "xmalloc(bufsize)".
shadow-4.8.1/libmisc/idmapping.c:188: var_assign: Assigning: "pos" = "buf".
shadow-4.8.1/libmisc/idmapping.c:213: noescape: Resource "buf" is not freed or pointed-to in "write".
shadow-4.8.1/libmisc/idmapping.c:219: leaked_storage: Variable "pos" going out of scope leaks the storage it points to.
shadow-4.8.1/libmisc/idmapping.c:219: leaked_storage: Variable "buf" going out of scope leaks the storage it points to.
  217|   	}
  218|   	close(fd);
  219|-> }

Error: RESOURCE_LEAK (CWE-772): [#def8]
shadow-4.8.1/libmisc/list.c:211: alloc_fn: Storage is returned from allocation function "xstrdup".
shadow-4.8.1/libmisc/list.c:211: var_assign: Assigning: "members" = storage returned from "xstrdup(comma)".
shadow-4.8.1/libmisc/list.c:217: var_assign: Assigning: "cp" = "members".
shadow-4.8.1/libmisc/list.c:218: noescape: Resource "cp" is not freed or pointed-to in "strchr".
shadow-4.8.1/libmisc/list.c:244: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
shadow-4.8.1/libmisc/list.c:244: leaked_storage: Variable "members" going out of scope leaks the storage it points to.
  242|   	if ('\0' == *members) {
  243|   		*array = (char *) 0;
  244|-> 		return array;
  245|   	}
  246|

Error: RESOURCE_LEAK (CWE-772): [#def11]
shadow-4.8.1/libmisc/myname.c:61: alloc_fn: Storage is returned from allocation function "xgetpwnam".
shadow-4.8.1/libmisc/myname.c:61: var_assign: Assigning: "pw" = storage returned from "xgetpwnam(cp)".
shadow-4.8.1/libmisc/myname.c:67: leaked_storage: Variable "pw" going out of scope leaks the storage it points to.
   65|   	}
   66|
   67|-> 	return xgetpwuid (ruid);
   68|   }
   69|

Error: RESOURCE_LEAK (CWE-772): [#def12]
shadow-4.8.1/libmisc/user_busy.c:260: alloc_fn: Storage is returned from allocation function "opendir".
shadow-4.8.1/libmisc/user_busy.c:260: var_assign: Assigning: "task_dir" = storage returned from "opendir(task_path)".
shadow-4.8.1/libmisc/user_busy.c:262: noescape: Resource "task_dir" is not freed or pointed-to in "readdir".
shadow-4.8.1/libmisc/user_busy.c:278: leaked_storage: Variable "task_dir" going out of scope leaks the storage it points to.
  276|   					         _("%s: user %s is currently used by process %d\n"),
  277|   					         Prog, name, pid);
  278|-> 					return 1;
  279|   				}
  280|   			}

Error: RESOURCE_LEAK (CWE-772): [#def20]
shadow-4.8.1/src/newgrp.c:162: alloc_fn: Storage is returned from allocation function "xgetspnam".
shadow-4.8.1/src/newgrp.c:162: var_assign: Assigning: "spwd" = storage returned from "xgetspnam(pwd->pw_name)".
shadow-4.8.1/src/newgrp.c:234: leaked_storage: Variable "spwd" going out of scope leaks the storage it points to.
  232|   	}
  233|
  234|-> 	return;
  235|
  236|   failure:

Error: RESOURCE_LEAK (CWE-772): [#def21]
shadow-4.8.1/src/passwd.c:530: alloc_fn: Storage is returned from allocation function "xstrdup".
shadow-4.8.1/src/passwd.c:530: var_assign: Assigning: "cp" = storage returned from "xstrdup(crypt_passwd)".
shadow-4.8.1/src/passwd.c:551: noescape: Resource "cp" is not freed or pointed-to in "strlen".
shadow-4.8.1/src/passwd.c:554: noescape: Resource "cp" is not freed or pointed-to in "strcat". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/src/passwd.c:555: overwrite_var: Overwriting "cp" in "cp = newpw" leaks the storage that "cp" points to.
  553|   		strcpy (newpw, "!");
  554|   		strcat (newpw, cp);
  555|-> 		cp = newpw;
  556|   	}
  557|   	return cp;
2021-06-24 09:18:35 +02:00
Serge Hallyn
a026ea6bbf
Merge pull request #354 from ikerexxe/useradd_resource_leak
useradd.c: fix covscan RESOURCE_LEAK
2021-06-22 09:22:09 -05:00
Iker Pedrosa
1aed7ae945 useradd.c: fix covscan RESOURCE_LEAK
Error: RESOURCE_LEAK (CWE-772): [#def28]
shadow-4.8.1/src/useradd.c:1905: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/src/useradd.c:1905: var_assign: Assigning: "fd" = handle returned from "open("/var/log/faillog", 2)".
shadow-4.8.1/src/useradd.c:1906: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/useradd.c:1917: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
 1915|   		/* continue */
 1916|   	}
 1917|-> }
 1918|
 1919|   static void lastlog_reset (uid_t uid)

Error: RESOURCE_LEAK (CWE-772): [#def29]
shadow-4.8.1/src/useradd.c:1938: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/src/useradd.c:1938: var_assign: Assigning: "fd" = handle returned from "open("/var/log/lastlog", 2)".
shadow-4.8.1/src/useradd.c:1939: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/useradd.c:1950: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
 1948|   		/* continue */
 1949|   	}
 1950|-> }
 1951|
 1952|   static void tallylog_reset (const char *user_name)

Error: RESOURCE_LEAK (CWE-772): [#def30]
shadow-4.8.1/src/useradd.c:2109: alloc_fn: Storage is returned from allocation function "strdup".
shadow-4.8.1/src/useradd.c:2109: var_assign: Assigning: "bhome" = storage returned from "strdup(prefix_user_home)".
shadow-4.8.1/src/useradd.c:2131: noescape: Resource "bhome" is not freed or pointed-to in "strtok".
shadow-4.8.1/src/useradd.c:2207: leaked_storage: Variable "bhome" going out of scope leaks the storage it points to.
 2205|   		}
 2206|   #endif
 2207|-> 	}
 2208|   }
 2209|
2021-06-15 09:40:40 +02:00
Iker Pedrosa
8281c82e32 usermod.c: fix covscan RESOURCE_LEAK
Error: RESOURCE_LEAK (CWE-772): [#def31]
shadow-4.8.1/src/usermod.c:813: alloc_fn: Storage is returned from allocation function "__gr_dup".
shadow-4.8.1/src/usermod.c:813: var_assign: Assigning: "ngrp" = storage returned from "__gr_dup(grp)".
shadow-4.8.1/src/usermod.c:892: leaked_storage: Variable "ngrp" going out of scope leaks the storage it points to.
  890|   		}
  891|   	}
  892|-> }
  893|
  894|   #ifdef SHADOWGRP

Error: RESOURCE_LEAK (CWE-772): [#def32]
shadow-4.8.1/src/usermod.c:933: alloc_fn: Storage is returned from allocation function "__sgr_dup".
shadow-4.8.1/src/usermod.c:933: var_assign: Assigning: "nsgrp" = storage returned from "__sgr_dup(sgrp)".
shadow-4.8.1/src/usermod.c:1031: leaked_storage: Variable "nsgrp" going out of scope leaks the storage it points to.
 1029|   		}
 1030|   	}
 1031|-> }
 1032|   #endif				/* SHADOWGRP */
 1033|

Error: RESOURCE_LEAK (CWE-772): [#def34]
shadow-4.8.1/src/usermod.c:1161: alloc_fn: Storage is returned from allocation function "getgr_nam_gid".
shadow-4.8.1/src/usermod.c:1161: var_assign: Assigning: "grp" = storage returned from "getgr_nam_gid(optarg)".
shadow-4.8.1/src/usermod.c:1495: leaked_storage: Variable "grp" going out of scope leaks the storage it points to.
 1493|   	}
 1494|   #endif				/* ENABLE_SUBIDS */
 1495|-> }
 1496|
 1497|   /*

Error: RESOURCE_LEAK (CWE-772): [#def35]
shadow-4.8.1/src/usermod.c:1991: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/src/usermod.c:1991: var_assign: Assigning: "fd" = handle returned from "open("/var/log/lastlog", 2)".
shadow-4.8.1/src/usermod.c:2000: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2000: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/src/usermod.c:2003: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2032: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
 2030|   		}
 2031|   	}
 2032|-> }
 2033|
 2034|   /*

Error: RESOURCE_LEAK (CWE-772): [#def36]
shadow-4.8.1/src/usermod.c:2052: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/src/usermod.c:2052: var_assign: Assigning: "fd" = handle returned from "open("/var/log/faillog", 2)".
shadow-4.8.1/src/usermod.c:2061: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2061: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/src/usermod.c:2064: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2092: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
 2090|   		}
 2091|   	}
 2092|-> }
 2093|
 2094|   #ifndef NO_MOVE_MAILBOX
2021-06-11 11:50:49 +02:00
Serge Hallyn
9d37173b24 usermod, newusers, prefix: enforce absolute paths for homedir
useradd already was enforcing this, but these were not.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-06-01 22:12:24 -05:00
Serge Hallyn
8eb6f8ace4
Merge pull request #327 from squat/bugfix_relative_prefix_path
fix: create relative home path correctly
2021-05-29 14:16:46 -05:00
Serge Hallyn
9d169ffc41 fix newusers when nss provides subids
Closes #331

1. drop 'has_any_range' nss method as it is not useful

2. do not try to create a subid range in newusers when using nss for
   subids, since that's not possible.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
(cherry picked from commit 88a434adbdcf4a8640793fd58bcd2ba77598349d)
2021-05-23 08:16:16 -05:00
Serge Hallyn
ea7af4e154
Merge pull request #340 from hallyn/2021-05-16/subidrange
Don't return owner in list_owner_ranges API call.
2021-05-22 18:16:43 -05:00
Serge Hallyn
3d670ba7ed nss/libsubid: simplify the ranges variable for list_owner_ranges
Following alexey-tikhonov's suggestion.

Since we've dropped the 'owner' field in the data returned for
get_subid_ranges, we can just return a single allocated array of
simple structs.  This means we can return a ** instead of ***, and
we can get rid of the subid_free_ranges() helper, since the caller
can just free() the returned data.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-22 17:59:57 -05:00
Serge Hallyn
663824ef4c Fix useradd with SUB_UID_COUNT=0
Closes #298

Fix useradd when SUB_UID_COUNT=0 in login.defs.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-22 11:42:02 -05:00
Serge Hallyn
322db32971 Don't return owner in list_owner_ranges API call.
Closes: 339

struct subordinate_range is pretty closely tied to the existing
subid code and /etc/subuid format, so it includes an owner.  Dropping
that or even renaming it is more painful than I'd first thought.
So introduce a 'struct subid_range' which is only the start and
count, leaving 'struct subordinate_range' as the owner, start and
count.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-16 21:49:53 -05:00
Serge Hallyn
2b22a6909d libsubid: don't print error messages on stderr by default
Closes #325

Add a new subid_init() function which can be used to specify the
stream on which error messages should be printed.  (If you want to
get fancy you can redirect that to memory :)  If subid_init() is
not called, use stderr.  If NULL is passed, then /dev/null will
be used.

This patch also fixes up the 'Prog', which previously had to be
defined by any program linking against libsubid.  Now, by default
in libsubid it will show (subid).  Once subid_init() is called,
it will use the first variable passed to subid_init().

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-15 12:38:55 -05:00
Christian Göttsche
eb1d2de0e9 set_selinux_file_context(): prepare context for actual file type
Search the SELinux selabel database for the file type to be created.
Not specifying the file mode can cause an incorrect file context to be
returned.

Also prepare contexts in commonio_close() for the generic database
filename, not with the backup suffix appended, to ensure the desired
file context after the final rename.

Closes: #322

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Christian Göttsche
c0aa8a876e vipw[selinux]: do not use deprecated typedef and skip context translation
This retrieved context is just passed to libselinux functions and not
printed or otherwise made available to the outside, so a context
translation to human readable MCS/MLS labels is not needed.
(see man:setrans.conf(5))

The typedef security_context_t is deprecated, see
9eb9c93275

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Christian Göttsche
6e4b2fe25d struct commonio_db[selinux]: do not use deprecated type security_context_t
The typedef security_context_t is deprecated, see
9eb9c93275

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Lucas Servén Marín
2c542f6c65
fix: create relative home path correctly
Currently, supplying a relative path via the --prefix flag to the
useradd command triggers a bug in the creation of home directories. The
code seems to unintentionally prepend a leading "/" to all paths,
quietly transforming a relative prefixed home path into an absolute
path. This can be seen in the following strace logs from running
"useradd --create-home --prefix tmp/root squat":

```
access("tmp/root//home/squat", F_OK)    = -1 ENOENT (No such file or directory)
access("/mp", F_OK)                     = 0
access("/mp/root", F_OK)                = 0
access("/mp/root/home", F_OK)           = 0
access("/mp/root/home/squat", F_OK)     = -1 ENOENT (No such file or directory)
mkdir("/mp/root/home/squat", 000)       = 0
chown("/mp/root/home/squat", 0, 0)      = 0
chmod("/mp/root/home/squat", 0755)      = 0
chown("tmp/root//home/squat", 1000, 1000) = -1 ENOENT (No such file or directory)
chmod("tmp/root//home/squat", 0700)     = -1 ENOENT (No such file or directory)
```

Note that the relative path is correctly probed in the beginning and it
is only during the recursive creation that the path is turned into an
absolute path. This invocation results in the creation of a "/mp"
hierarchy in the root of the filesystem.

Similar problems occur when using `--prefix ./tmp/root`.

This commit fixes the handling of relative paths by not assuming that
the given path is anchored with a "/".

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-04-29 15:06:53 +02:00
Serge Hallyn
0f4347d148 clean up libsubid headers
Move libsubid/api.h into libsubid/subid.h, and document the api in subid.h

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-04-16 21:03:08 -05:00
Serge Hallyn
8492dee663 subids: support nsswitch
Closes #154

When starting any operation to do with subuid delegation, check
nsswitch for a module to use.  If none is specified, then use
the traditional /etc/subuid and /etc/subgid files.

Currently only one module is supported, and there is no fallback
to the files on errors.  Several possibilities could be considered:

1. in case of connection error, fall back to files
2. in case of unknown user, also fall back to files

etc...

When non-files nss module is used, functions to edit the range
are not supported.  It may make sense to support it, but it also
may make sense to require another tool to be used.

libsubordinateio also uses the nss_ helpers.  This is how for instance
lxc could easily be converted to supporting nsswitch.

Add a set of test cases, including a dummy libsubid_zzz module.  This
hardcodes values such that:

'ubuntu' gets 200000 - 300000
'user1' gets 100000 - 165536
'error' emulates an nss module error
'unknown' emulates a user unknown to the nss module
'conn' emulates a connection error ot the nss module

Changes to libsubid:

Change the list_owner_ranges api: return a count instead of making the array
null terminated.

This is a breaking change, so bump the libsubid abi major number.

Rename free_subuid_range and free_subgid_range to ungrant_subuid_range,
because otherwise it's confusing with free_subid_ranges which frees
    memory.

Run libsubid tests in jenkins

Switch argument order in find_subid_owners

Move the db locking into subordinateio.c

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-04-16 21:02:37 -05:00
Serge Hallyn
514c1328b6 try again to fix libmisc sharing problem
Issue #297 reported seeing

*** Warning: Linking the shared library libsubid.la against the
*** static library ../libmisc/libmisc.a is not portable!

which commit b5fb1b38ee was supposed
to fix.  But a few commits later it's back.  So try to fix it
in the way the bug reporter suggested.  This broke builds some
other ways, namely a few missing library specifications, so add
those.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-04-11 17:42:04 -05:00
Haelwenn Monnier
b865e14f25
login & su: Treat an empty passwd field as invalid (#315)
* login & su: Treat an empty passwd field as invalid

Otherwise it's treated like the “require no password” clause while it probably
should be treated like a normal su that can't validate anyway.

A similar change should be done for USE_PAM.

* su & login: Introduce PREVENT_NO_AUTH
2021-03-28 22:16:03 -05:00
Serge Hallyn
697901a328
Merge pull request #303 from breard-r/yescrypt
Add yescrypt support
2021-03-28 22:13:56 -05:00
Serge Hallyn
7273c25cc2
Merge pull request #308 from martijndegouw/relaxgidcheck
newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID
2021-03-02 12:42:25 -06:00
ikerexxe
0409c91a7f userdel: clarify "-f" usage
src/userdel.c: clarify the examples for "-f" option
2021-02-23 12:21:42 +01:00
Martijn de Gouw
c464ec5570 newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID
Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
2021-02-08 13:32:18 +01:00
Geert Ijewski
fe159b7668 usermod: check if shell exists & is executable 2021-02-07 19:26:55 +01:00
Rodolphe Bréard
5cd04d03f9 Add yescrypt support 2021-02-01 22:11:10 +01:00
Serge Hallyn
0dffc7c612 useradd: don't try to create 0 subuids
Closes #289

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-01-01 13:10:12 -06:00
Serge Hallyn
c917ed7b76
Merge pull request #302 from whzhe51/br_master
useradd.c:fix memleaks of grp
2020-12-27 00:37:46 -06:00
Serge Hallyn
08f5577018
Merge pull request #301 from whzhe51/br_whzhe
useradd.c:fix memleak in get_groups
2020-12-27 00:31:30 -06:00
Serge Hallyn
1021195bfe
Merge pull request #299 from lnussel/master
useradd: use built-in settings by default
2020-12-27 00:26:47 -06:00
whzhe
fd9d79a1a3 useradd.c:fix memleak in get_groups
Signed-off-by: whzhe <wanghongzhe@huawei.com>
2020-12-20 22:05:03 -05:00
whzhe51
c44b71cec2 useradd.c:fix memleaks of grp
Signed-off-by: whzhe51 <wanghongzhe@huawei.com>
2020-12-20 20:14:49 -05:00
Ludwig Nussel
bbf4b79bc4 useradd: use built-in settings by default
Avoids installing inconsistent settings. The correct ones would be
written as soon as an admin uses useradd -D to modify the defaults.
2020-12-04 09:20:18 +01:00
ikerexxe
abb5c99114 useradd: log exit code when failing
src/useradd.c: log exit code when failing
2020-11-17 16:58:40 +01:00
Serge Hallyn
e7938d5a30
Merge pull request #291 from ikerexxe/covscan_issues
Two covscan issues
2020-11-08 16:33:55 -06:00
ikerexxe
569bd1d54f useradd: free grp to avoid leak
covscan issue:
Error: RESOURCE_LEAK (CWE-772): [#def39] [important]
src/useradd.c:728: alloc_fn: Storage is returned from allocation function "get_local_group".
src/useradd.c:728: var_assign: Assigning: "grp" = storage returned from "get_local_group(list)".
src/useradd.c:728: overwrite_var: Overwriting "grp" in "grp = get_local_group(list)" leaks the storage that "grp" points to.
726|   		 * GID values, otherwise the string is looked up as is.
727|   		 */
728|-> 		grp = get_local_group (list);
729|
730|   		/*
2020-10-27 11:42:34 +01:00
ikerexxe
2df8c0728d newgrp: delete dead code
covscan issue:
Error: CLANG_WARNING: [#def31]
src/newgrp.c:448:2: warning: Value stored to 'gid' is never read [deadcode.DeadStores]
	gid = getgid ();
2020-10-27 11:42:08 +01:00
Jamin W. Collins
bd4dc81a82 add parsing support for advertised force long opt
Existing help output advertises --force as a long opt.

  -f, --force                   delete group even if it is the primary group of a user

But errors when the long opt is used.

groupdel: unrecognized option '--force'

Signed-off-by: Jamin W. Collins <jamin.collins@gmail.com>
2020-10-17 09:18:30 -07:00
w00475903
e24700fd5d xfree: move xfree() function to xmalloc.c
Signed-off-by: whzhe <wanghongzhe@huawei.com>
2020-10-15 21:52:06 -04:00
Michael Mullin
dfd19fc35b Use {} to kep more in line with code style 2020-10-03 14:23:06 -04:00
Michael Mullin
0407fa8813 Fix the undefined xfree issue 2020-10-03 14:19:46 -04:00
Serge Hallyn
46ad1856ac
Merge pull request #277 from whzhe51/br_whzhe
gpasswd.c: fix memory leak in sg_adm
2020-10-02 19:37:20 -05:00
w00475903
22bfaf9e26 gpasswd.c: fix memory leak in sg_adm
Signed-off-by: whzhe <wanghongzhe@huawei.com>
2020-09-24 23:29:53 -04:00
ed neville
01a8df79b3 loop until waitpid returns pid_child or error
closes #104

Signed-off-by: ed neville <ed@s5h.net>
2020-09-20 23:04:11 +01:00
Serge Hallyn
9a10373ddb Revert "su.c: replace getopt with ad-hoc flag processing"
This reverts commit dc732e7734.
2020-08-28 15:16:11 -05:00
Serge Hallyn
b065fa4741 Revert "su.c: s/doshell/do_interactive_shell/"
This reverts commit 6f38f43fdd.
2020-08-28 15:16:04 -05:00
Serge Hallyn
3f35983656 Revert "su.c: implement --exec"
This reverts commit 4047d1fe8e.
2020-08-28 15:15:56 -05:00
Christian Brauner
ec98f190c1
Merge pull request #275 from hallyn/2020-08-27/test-su
Add tests on top of #254
2020-08-28 12:13:49 +02:00
Vito Caputo
4047d1fe8e su.c: implement --exec
It's now possible to run commands as other users without shell
interpolation by using "--exec":

Read /etc/shadow as root without specifying user:
```
su --exec /bin/cat -- /etc/shadow
```

Or specify user:
```
su --exec /bin/cat root -- /etc/shadow
```
2020-08-27 23:43:32 -05:00
Vito Caputo
6f38f43fdd su.c: s/doshell/do_interactive_shell/
Mechanical rename distinguishing this variable from intended changes
supporting executing commands without using an interpretive shell
(i.e. no '/bin/sh -c').
2020-08-27 23:43:29 -05:00
Vito Caputo
dc732e7734 su.c: replace getopt with ad-hoc flag processing
In preparation for supporting --exec I was testing the robustness
of "--" handling and it became apparent that things are currently
a bit broken in `su`.

Since "--" is currently of limited utility, as the subsequent
words are simply passed to the shell after "-c","command_string",
it seems to have gone unnoticed for ages.

However, with --exec, it's expected that "--" would be an almost
required separator with every such usage, considering the
following flags must be passed verbatim to execve() and will
likely begin with hyphens looking indistinguishable from any
other flags in lieu of shell interpolation to worry about.

For some practical context of the existing situation, this
invocation doesn't work today:
```
  $ su --command ls -- flags for shell
  No passwd entry for user 'flags'
  $
```

This should just run ls as root with "flags","for","shell"
forwarded to the shell after "-c","ls".

The "--" should block "flags" from being treated as the user.
That particular issue isn't a getopt one per-se, it's arguably
just a bug in su.c's implementation.

It *seemed* like an easy fix for this would be to add a check if
argv[optind-1] were "--" before treating argv[optind] as USER.

But testing that fix revealed getopt was rearranging things when
encountering "--", the "--" would always separate the handled
opts from the unhandled ones.  USER would become shifted to
*after* "--" even when it occurred before it!

If we change the command to specify the user, it works as-is:
```
  $ su --command ls root -- flags for shell
  Password:
  testfile
  $

```

But what's rather surprising is how that works; the argv winds up:

"su","--command","ls","--","root","flags","for","shell"

with optind pointing at "root".

That arrangement of argv is indistinguishable from omitting the
user and having "root","flags","for","shell" as the stuff after
"--".

This makes it non-trivial to fix the bug of omitting user
treating the first word after "--" as the user, which one could
argue is a potentially serious security bug if you omit the user,
expect the command to run as root, and the first word after "--"
is a valid user, and what follows that something valid and
potentially destructive not only running in unintended form but
as whatever user happened to be the first word after "--".

So, it seems like something important to fix, and getopt seems to
be getting in the way of fixing it properly without being more
trouble than replacing getopt.

In disbelief of what I was seeing getopt doing with argv here, I
took a glance at the getopt source and found the following:

```
      /* The special ARGV-element '--' means premature end of options.
	 Skip it like a null option,
	 then exchange with previous non-options as if it were an option,
	 then skip everything else like a non-option.  */

      if (d->optind != argc && !strcmp (argv[d->optind], "--"))
```

I basically never use getopt personally because ages ago it
annoyed me with its terrible API for what little it brought to
the table, and this brings it to a whole new level of awful.
2020-08-27 23:43:25 -05:00
Serge Hallyn
291c6fcc87
Merge pull request #267 from stoeckmann/chage
chage: Prevent signed integer overflows.
2020-08-13 00:34:19 -05:00
ed neville
3c9836a298 Removing trailing n typo
Signed-off-by: ed neville <ed@s5h.net>
2020-08-12 17:53:28 +01:00
Serge Hallyn
a271076041
Merge pull request #263 from edneville/261_grpck_questionable_warning
Option to suppress group/gshadow inconsistencies
2020-08-11 13:58:22 -05:00
ed neville
e8c44a4c12 Option to suppress group/gshadow inconsistencies
'gshadow' man page suggests that "You should use the same list of users
as in /etc/group", but not must.

Closes #261
2020-08-11 13:53:48 -05:00
Serge Hallyn
b215e9d02c
Merge pull request #268 from stoeckmann/chfn
chfn: Prevent buffer overflow.
2020-08-10 13:45:15 -05:00
Christian Brauner
994a3b463c
Merge pull request #272 from ikerexxe/useradd_covscan
useradd: check return value from chmod and log it
2020-08-10 12:34:52 +02:00
ikerexxe
508b968cb1 useradd: check return value from chmod and log it
covscan was complaining abot calling chmod and ignoring the return
value:
Error: CHECKED_RETURN (CWE-252):
shadow-4.6/src/useradd.c:2084: check_return: Calling
"chmod(prefix_user_home, mode)" without checking return value. This
library function may fail and return an error code.
2082|   		mode_t mode = getdef_num ("HOME_MODE",
2083|   		                          0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
2084|-> 		chmod (prefix_user_home, mode);
2085|   		home_added = true;
2086|   #ifdef WITH_AUDIT
2020-08-10 11:44:00 +02:00
Serge Hallyn
342c934a35 add -U option to groupadd and groupmod
Add a -U option which adds new usernames as members.  For groupmod,
also add -a (append), without which existing members are removed.

Closes #265
2020-08-09 22:11:33 -05:00
Serge Hallyn
7ea342579e useradd: suggest --badnames when given a bad name
Closes #266
2020-07-31 21:29:21 -05:00
Tobias Stoeckmann
875d2d49c1 chfn: Prevent buffer overflow.
This is a stability fix, not a security fix, because the affected -o
option can only be used by root and it takes a modified passwd file.

If a gecos field for a user has BUFSIZ characters without commas and an
equals sign (i.e. a huge slop/extra field) and chfn is called with -o,
then a buffer overflow occurs.

It is not possible to trigger this with shadow tools. Therefore, the
passwd file must be modified manually.

I have fixed this unlikely case the easiest and cleanest way possible.
Since chfn bails out if more than 80 characters excluding commas are
supposed to be written into gecos field, we can stop processing early on
if -o argument is too long.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2020-07-12 19:09:14 +02:00
Tobias Stoeckmann
83aa88466d chage: Prevent signed integer overflows.
This is merely a stability fix, not a security fix.

As the root user, it is possible to set time values which later on
result in signed integer overflows.

For this to work, an sgetspent implementation must be used which
supports long values (glibc on amd64 only parses 32 bit, not 64).
Either use musl or simply call configure with following environment
variable:

$ ac_cv_func_sgetspent=no ./configure

Also it is recommended to compile with -fsanitize=undefined or
-ftrapv to see these issues easily.

Examples to trigger issues when calling "chage -l user":

$ chage -d 9223372036854775807 user

$ chage -d 106751991167300 user
$ chage -M 9999 user

$ chage -d 90000000000000 user
$ chage -I 90000000000000 user
$ chage -M 9999 user

$ chage -E 9223372036854775807 user

While at it, I fixed casting issues which could lead to signed integer
overflows on systems which still have a 32 bit time_t.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2020-07-12 17:56:38 +02:00
Serge Hallyn
6baeb25038
Merge pull request #234 from edneville/79_userdel
Adding run-parts for userdel
2020-06-10 00:31:10 -05:00
ed
32cfa176f2 Adding run-parts style for pre and post useradd/del
Signed-off-by: ed neville <ed@s5h.net>
2020-06-10 00:26:55 -05:00
Serge Hallyn
0a7888b1fa Create a new libsubid
Closes #154

Currently this has three functions: one which returns the
list of subuid ranges for a user, one returning the subgids,
and one which frees the ranges lists.

I might be mistaken about what -disable-man means;  some of
the code suggests it means just don't re-generate them, but
not totally ignore them.  But that doesn't seem to really work,
so let's just ignore man/ when -disable-man.

Remove --disable-shared.  I'm not sure why it was there, but it stems
from long, long ago, and I suspect it comes from some ancient
toolchain bug.

Create a tests/run_some, a shorter version of run_all.  I'll
slowly add tests to this as I verify they work, then I can
work on fixing the once which don't.

Also, don't touch man/ if not -enable-man.

Changelog:
	Apr 22: change the subid list api as recomended by Dan Walsh.
	Apr 23: implement get_subid_owner
	Apr 24: implement range add/release
	Apr 25: finish tests and rebase
	May 10: make @owner const

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2020-06-07 12:11:58 -05:00
Inrin
b128222477
Add maximum padding to fit IPv6-Addresses
We use a fixed padding for the From column to fit the maximum of a
minimized IPv6-LL-Address and it's interface.
2020-05-24 23:48:25 +02:00
Jason Franklin
c040058fe3
Check for "NONEXISTENT" in "src/pwck.c" 2020-05-11 09:26:43 -04:00
Serge Hallyn
f929bfd90b
Merge pull request #237 from ikerexxe/usermod_fails
Check only local groups when adding new supplementary groups to a user
2020-05-01 22:26:41 -05:00
blueskycs2c
1d8487d851 check_uid_range : warnings go to stderr 2020-04-20 10:16:19 +08:00
Christian Brauner
52aba825af
Merge pull request #245 from hallyn/2020-04-17/libmisc
remove unused and misleading 'owner' argument from find_new_sub*
2020-04-18 12:32:38 +02:00
Serge Hallyn
25b1a8d591 remove unused and misleading 'owner' argument from find_new_sub*
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-04-17 16:32:44 -05:00
blueskycs2c
00e629c0ba print a warning from useradd if -u is used with uid number outside range. 2020-04-11 22:45:54 +08:00
ikerexxe
8762f465d4 useradd: check only local groups with -G option
Check only local groups when adding new supplementary groups to a user

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
2020-03-30 13:08:30 +02:00
ikerexxe
140510de9d usermod: check only local groups with -G option
Check only local groups when adding new supplementary groups to a user

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
2020-03-30 13:07:32 +02:00
Geoffrey Krug
2a991a3ce9 Removed hard-coded default mail spool in useradd
The useradd program should be consistent with userdel and usermod and use the
MAIL_SPOOL_DIR variable as the default spool, if it is defined. Otherwise,
don't create a new mailbox, because it won't be cleaned up by userdel when run
with the -r flag.
2020-03-11 20:00:09 +00:00
Serge Hallyn
3f2bbcfa91
Merge pull request #229 from edneville/130_segfaults_on_strftime
Fix segfault on strftime
2020-03-09 13:17:11 -05:00
ed
8a2e3d500c Replacing exit with return 2020-03-09 18:01:32 +00:00
ed@s5h.net
c667083c81 Fix segfault when time is unreadable
Adding myself to contributors

Closes #130
2020-03-07 17:08:19 +00:00
blueskycs2c
e5bb71b2fd modify #endif does not match condition of #if in passwd.c 2020-03-05 10:51:39 +08:00
ikerexxe
8a1e92aff1 useradd: generate /var/spool/mail/$USER with the proper SELinux user identity
Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
2020-02-19 15:28:41 +01:00
Tomas Mraz
4ed08824e5 Make the check for non-executable shell only a warning.
Although it is a good idea to check for an inadvertent typo
in the shell name it is possible that the shell might not be present
on the system yet when the user is added.
2020-01-16 12:59:29 +01:00
Duncan Overbruck
085d04c3dd
add new HOME_MODE login.defs(5) option
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.

There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.

A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
2020-01-12 16:18:32 +01:00
Serge Hallyn
ed4a0157c4 silence more compiler warnings
And don't reuse the cp variable for two different purposes.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-01-12 08:20:50 -06:00
Serge Hallyn
93f1f35123 Revert "add new HOME_MODE login.defs(5) option"
Missing file

This reverts commit a847899b52.
2020-01-12 07:56:19 -06:00
Serge Hallyn
0512c187c8
Merge pull request #204 from edneville/198_user_add_tty_logging
Adding tty logging to the useradd command
2020-01-12 07:19:18 -06:00
ed
f32d4a359b Adding tty logging to the useradd command
This commit adds a from= field to the end of the useradd log entry.
Casting user_name to tallylog_reset to silence a compiler warning.

Changelog: Fixing tabs
Changelog: Changing function prototype to const char* to match user_name declaration.
2020-01-12 07:08:05 -06:00
Duncan Overbruck
a847899b52
add new HOME_MODE login.defs(5) option
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.

There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.

A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
2020-01-11 22:27:39 +01:00
ed
4c9ec2f5a4 Adding logging of SSH_ORIGINAL_COMMAND to nologin.
If SSH_ORIGINAL_COMMAND is set, it will be added to the syslog entry.

Closes #123.

Changelog: (SEH squashed commit): Fixing indentation
Changelog: (SEH) break up long line
2020-01-11 14:46:52 -06:00
Wolfgang Bumiller
258944e331 Makefile: bail out on error in for-loops
`make` runs each line in a shell and bails out on error,
however, the shell is not started with `-e`, so commands in
`for` loops can fail without the error actually causing
`make` to bail out with a failure status.

For instance, the following make snippet will end
successfully, printing 'SUCCESS', despite the first `chmod`
failing:

    all:
        touch a b
        for i in a-missing-file a b; do \
            chmod 666 $$i; \
        done
        @echo SUCCESS

To prevent wrong paths in install scripts from remaining
unnoticed, let's activate `set -e` in the `for` loop
subshells.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-12-19 18:54:30 +01:00
Patrick McLean
3cc3948d71 Revert "Honor --sbindir and --bindir for binary installation"
This reverts commit e293aa9cfc.

See https://github.com/shadow-maint/shadow/issues/196

Some distros still care about `/bin` vs `/usr/bin`. This commit makes
it so all binaries are always installed to `/bin`/`/sbin`. The only way to
restore the previous behaviour of installing some binaries to
`/usr/bin`/`/usr/sbin` is to revert the patch.
2019-12-01 13:59:52 -08:00
prez
2958bd050b Initial bcrypt support 2019-12-01 11:00:57 -06:00
Lars Wendler
19bac44dde
build: Make build/installation of su and its support files optional
Enabled by default
This is necessary because coreutils and util-linux can also provide su

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
2019-11-19 11:28:45 +01:00
Michael Vetter
115a4e89e2 Fix typo in access of shell command
Fix typo in 88fa0651bf.
For some reason my git push -f seems not to have worked.
2019-11-12 08:38:08 +01:00
Todd C. Miller
7eca1112fb Fix vipw not resuming correctly when suspended
Closes #185

If vipw is suspended (e.g. via control-Z) and then resumed, it often gets
immediately suspended. This is easier to reproduce on a multi-core system.

root@buster:~# /usr/sbin/vipw

[1]+  Stopped                 /usr/sbin/vipw
root@buster:~# fg
/usr/sbin/vipw

[1]+  Stopped                 /usr/sbin/vipw

root@buster:~# fg
[vipw resumes on the second fg]

The problem is that vipw forks a child process and calls waitpid() with the
WUNTRACED flag. When the child process (running the editor) is suspended, the
parent sends itself SIGSTOP to suspend the main vipw process. However, because
the main vipw is in the same process group as the editor which received the ^Z,
the kernel already sent the main vipw SIGTSTP.

If the main vipw receives SIGTSTP before the child, it will be suspended and
then, once resumed, will proceed to suspend itself again.

To fix this, run the child process in its own process group as the foreground
process group. That way, control-Z will only affect the child process and the
parent can use the existing logic to suspend the parent.
2019-11-11 20:19:57 -06:00
Serge Hallyn
e97df9b1ec
Merge pull request #187 from jubalh/useradd-s
useradd: check for valid shell argument
2019-11-11 18:10:56 -06:00
Michael Vetter
88fa0651bf useradd: check for valid shell argument
Check whether shell argument given with `-s` is actually present and executable.
And is not a directory.

Fix https://github.com/shadow-maint/shadow/issues/186
2019-11-11 13:46:25 +01:00