-a option.
* NEWS, man/faillog.8.xml, src/faillog.c: Extend the -a option to
the non-display mode. This changes the default behavior of the -l,
-m, -r, -t options when -a is not specified (restrict to existing
users).
man/pwconv.8.xml, man/useradd.8.xml, man/userdel.8.xml,
man/usermod.8.xml, man/vipw.8.xml: Document the usage of the
TCB_AUTH_GROUP, TCB_SYMLINKS, and USE_TCB configuration
parameters.
* man/pwconv.8.xml, man/pwck.8.xml: Document the behavior when
USE_TCB is enabled.
translation.
* lib/tcbfuncs.c: Indicate the name of the program in error
messages. Avoid perror.
* src/useradd.c: Re-indent.
* src/useradd.c: Add more strings for translation. Indicate the
name of the program in error messages.
* src/userdel.c: Re-indent.
* src/userdel.c: Add more strings for translation. Indicate the
name of the program in error messages.
* lib/shadowio.c: Added brackets and parenthesis.
* lib/shadowio.c: Document the sections closed by #endif
* lib/shadowio.c: Avoid negation of comparisons.
* lib/shadowio.c: Avoid implicit conversion of integer to booleans
and booleans to integers.
* src/vipw.c: Avoid implicit conversion of pointers or integers to
booleans.
* src/vipw.c: Added brackets and parenthesis.
* src/vipw.c: Limit the definition of some variables and macros to
the WITH_TCB scope.
* src/vipw.c: Avoid assignment in comparisons.
* src/vipw.c: Replace PASSWD_FILE (resp. GROUP_FILE and
SGROUP_FILE) by pw_dbname () (resp. gr_dbname () and sgr_dbname ()).
This is more consistent with the shadow file handling and may be
useful to allow edition of another partition's files.
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
--preserve-environment. This sanitation was disabled on Debian
since quite some time with no reported issues, and sanitize_env()
documentation agrees that it should be useless as all modern
Unixes will handle setuid executables properly. This Fixes
Alioth#312287.
* src/su.c: Add more messages for translation.
* src/su.c: Ignore kill() return value when sending the TERM
signal. If it fails, a KILL should be sent anyway.
terminate (after sending a SIGTERM), and kill it only if it did
not terminate by itself. No delay will be enforced if the child
cooperates. See http://bugs.gentoo.org/282094
* NEWS, man/su.1.xml: Document su's exit values.
po/Makefile.in.in: Removing and restoring the config.xml file
broke parallel builds. Build the manpages based on *.xml-config
files instead of *.xml files. The *.xml do not include config.xml
anymore, which permits to run xml2po without needing to remove
config.xml. The config.xml is restored in the *.xml-config files.
* man/groupadd.8.xml: Implementation of the above.
* man/generate_mans.deps: Updated dependencies
spwd. (start with the primitive types)
* lib/shadowmem.c: Avoid memzero() on a possibly NULL pointer.
* lib/groupmem.c: Only copy the required fields of the struct
group. (start with the primitive types)
* lib/groupmem.c: Avoid memzero() on a possibly NULL pointer.
* lib/groupmem.c: Free gr_mem in addition to its elements.
* lib/sgroupio.c: The struct sgrp has no primitive types to be
copied initially.
* lib/sgroupio.c: Avoid memzero() on a possibly NULL pointer.
* lib/sgroupio.c: Free sg_mem and sg_add in addition to their
elements.
* lib/pwmem.c: Only copy the required fields of the struct
passwd. (start with the primitive types)
src/chpasswd.c, src/groupmems.c, src/usermod.c, src/chgpasswd.c,
src/vipw.c, src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c,
src/groupadd.c, src/chage.c, src/faillog.c, src/chsh.c: Use
booleans for tests.
* src/userdel.c, src/gpasswd.c, src/groupmems.c, src/usermod.c,
src/groupmod.c, src/passwd.c: Use a break even after usage().
src/newusers.c, src/chpasswd.c, src/groupmems.c, src/usermod.c,
src/chgpasswd.c, src/vipw.c, src/su.c, src/useradd.c,
src/groupmod.c, src/passwd.c, src/groupadd.c, src/chage.c,
src/faillog.c, src/chsh.c: If someone uses the -h/--help options,
the usage should not go to stderr nor should the utility exit with
non-zero status. All of the shadow utils do just this
unfortunately, so convert them over to sanity.
* man/groupmems.8.xml, man/gpasswd.1.xml: Added option -h/--help.
* NEWS, libmisc/find_new_gid.c, libmisc/find_new_uid.c: Since
system accounts are allocated from SYS_?ID_MIN to SYS_?ID_MAX in
reverse order, accounts are packed close to SYS_?ID_MAX if
SYS_?ID_MIN is already used but there are still dome gaps.
getpwent / getgrent for system accounts. Trying the low-IDs with
getpwuid / getgrgid should be more efficient on LDAP configured
systems with many accounts.
libmisc/xgetpwuid.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c: Do
not limit the size of the buffer to hold the group or user
structure. It used to be limited to 16k, which caused issues with
groups having many users.
* man/su.1.xml: Improve the documentation of the su behavior
regarding environment variables.
* man/su.1.xml: Document that the login.defs file is used.
* po/shadow.pot, man/po/shadow-man-pages.pot: Regenerated.
* po/*.po, man/po/*.po: Updated PO files.
* man/passwd.1.xml: passwd -u does not reset the expiry field.
* NEWS, src/userdel.c: When USERGROUPS_ENAB is enabled, remove the
user's group when the user was the only member. This is still not
complete, as the user could have been specified twice in the
members.
* NEWS, src/userdel.c: Do not fail when -r is used and the home
directory does not exist.
Harmonize formatting of login.defs and default/useradd variables.
Use an <option> tag.
* man/usermod.8.xml: Added reference to gshadow(5).
* man/login.defs.d/USERDEL_CMD.xml: Shorten the lines of the
USERDEL_CMD example.
man/groupadd.8.xml, man/usermod.8.xml, man/chgpasswd.8.xml,
man/groupmod.8.xml: Added warning: passwords set with these tools
may not respect the password policy.
lib/prototypes.h: Move user_busy() to libmisc/user_busy.c.
* NEWS, libmisc/user_busy.c: On Linux, do not check if an user is
logged in with utmp, but check if the user is running some
processes. If not on Linux, continue to search for an utmp record,
but make sure the process recorded in the utmp entry is still
running.
shell as a shell script when the direct execution of the user's
shell failed with ENOEXEC and the user's shell has a shebang. The
interpreter might not be the right one. Executing the user's
shell with sh -c might be better, but I'm not sure we should try
harder when there is a failure. Note: The removed code was only
included #ifndef __linux__.
with a NULL argument.
* src/useradd.c: Replace PATH_MAX by a fixed constant. The buffer
was not meant as a storage for a path.
* src/useradd.c, src/newusers.c, src/chpasswd.c: Better detection
of fgets errors. Lines shall end with a \n, unless we reached the
end of file.
* libmisc/copydir.c: Avoid PATH_MAX. Support file paths with any
length. Added readlink_malloc().
and the password field in passwd is not 'x'.
* src/grpck.c: Warn if a group has an entry in group and gshadow,
and the password field in group is not 'x'.
man/login.defs.d/MD5_CRYPT_ENAB.xml,
man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml: Updated note for PAM
enabled versions. These variables are only used for group
passwords in this case.
changing the passwords with PAM.
* src/newusers.c: Split the usage string in smaller parts to
allow enabling single parts.
* man/newusers.8.xml: Indicate the options and configuration
variables valid for PAM and non-PAM versions.
* man/newusers.8.xml: Added pointer to /etc/pam.d/chpasswd.
libmisc/pam_pass_non_interractive.c, libmisc/Makefile.am: Renamed.
* libmisc/pam_pass_non_interractive.c, lib/prototypes.h:
non_interactive_password and non_interactive_pam_conv do not need
to be externally visible.
* libmisc/pam_pass_non_interractive.c: Added declaration of
ni_conv.
* libmisc/pam_pass_non_interractive.c: Only compile ifdef USE_PAM.
* libmisc/pam_pass_non_interractive.c, lib/prototypes.h:
Added do_pam_passwd_non_interractive().
* src/chpasswd.c: Use do_pam_passwd_non_interractive().
* man/chpasswd.8.xml: Describe the PAM enabled chpasswd behavior.
* man/chpasswd.8.xml: Differentiate the files and configurations
needed for PAM and non PAM versions.
instead of only the username.
* src/chpasswd.c: PAM enabled chpasswd do may change the password
database (for the user where the password update succeeded) even
if there were a failure for one user. Do not indicate that changes
were ignored.
unlink() in case of failure of fopen_set_perms() or
create_backup().
* lib/commonio.c: Should the backup file be unlink'ed in case of
failure of create_backup()?
* libmisc/chowntty.c, libmisc/rlogin.c, libmisc/sub.c,
src/newusers.c, libmisc/sulog.c, libmisc/system.c, src/logoutd.c,
src/groups.c, src/id.c, lib/encrypt.c, libmisc/audit_help.c,
libmisc/limits.c: Return EXIT_FAILURE instead of 1, and
EXIT_SUCCESS instead of 0.
* libmisc/audit_help.c: Replace an fprintf() by fputs().
* libmisc/audit_help.c: Remove documentation of the audit_logger
returned values. The function returns void.
* libmisc/system.c: Only return status if waitpid succeeded.
Return -1 otherwise.
with PAM.
* src/chpasswd.c: Split the usage string in smaller parts to
allows enabling single parts.
* src/chpasswd.c: Do not set a global lock on the password files.
This is done by PAM each time a password is updated.
man/useradd.8.xml: Added note to warn about insecurity in using
--password.
* man/groupmod.8.xml: Removed not regarding default if --password
is not used. This was a cut&paste from groupadd.8.xml.
* man/passwd.1.xml: Split some paragraphs.
* man/passwd.1.xml: Recommend other encryption methods than DES.
* libmisc/copydir.c: Added assert to help splint.
* libmisc/copydir.c: Free allocated structures in cas of failure.
* libmisc/copydir.c: Avoid implicit conversion of pointers to
booleans.
* libmisc/copydir.c: Use buffers of size PATH_MAX instead of 1024
for filenames.
* libmisc/copydir.c: Use fchmod and fchown to change the mode of
the opened file.
* libmisc/copydir.c: Indicate the mode to open(), even if we chmod
later.
* src/useradd.c: Replace peror by an strerror and avoid an
intermediate buffer.
* src/useradd.c: Save errno between the failure and the report by
perror/strerror.
* src/useradd.c: Prefer xmalloc to malloc.
limit with getlog() / getulong(). This also means, in case of
non-PAM enabled systems, that the umask specified on the GECOS
fields should start with a 0 if specified in octal. (it used to be
force to octal). Do the appropriate cast and range checking.
lib/pwio.c, lib/pwio.h, lib/shadowio.c, lib/shadowio.h: Added
splint annotations. The *_locate() and *_next() functions
currently return an observer. As the structure are often modified
by the caller, it could maybe be changed to exposed later. (and
non-const).
* src/newgrp.c: audit_buf is only used in newgrp. Make it static.
* src/newgrp.c: Ignore the return value of fputs().
* src/newgrp.c: Use exit(EXIT_FAILURE) instead of exit(1).
* libmisc/setupenv.c: Added brackets and parenthesis.
* libmisc/setupenv.c: Ignore the return value of fclose (file
opened read-only)
* libmisc/setupenv.c: Ignore the return value of puts().
* libmisc/setupenv.c:Avoid implicit conversion of pointers to
booleans.
* libmisc/age.c: Added brackets and parenthesis.
* libmisc/age.c: Ignore the return value of fclose (file opened
read-only)
* libmisc/age.c: Ignore puts() return value.
* libmisc/age.c: Use exit(EXIT_FAILURE) instead of exit(1).
* libmisc/age.c: Avoid assignments in comparisons.
* src/lastlog.c: Added splint annotations.
* src/lastlog.c: Avoid global pwent.
* src/lastlog.c: Cast ID to ulongs and use ulong formats for IDs.
* src/lastlog.c: Avoid assignment in comparisons.
* src/lastlog.c: Ignore fclose() return value since the file is
only opened for reading.
used_gids.
* libmisc/find_new_gid.c: Use getdef_ulong and cast to git_t to
get GID values.
* libmisc/find_new_gid.c: Use UL as a prefix for ulong values.
* libmisc/find_new_uid.c: Likewise.
default to 32.
* libmisc/chkname.c: Use USER_NAME_MAX_LENGTH.
* src/login.c: Use USER_NAME_MAX_LENGTH instead of the default 32.
username also needs to be bigger than USER_NAME_MAX_LENGTH because
it has to be nul-terminated.
change the terminal configuration. setup_tty() is just a best
effort configuration of the terminal.
* src/login.c: Ignore failures when setting the terminal
configuration.
* src/login.c: Fail if the ERASECHAR or KILLCHAR configurations
are not compatible with a cc_t type.
* lib/shadowio.c: Use spw_free() for shadow_free().
* lib/groupmem.c: Added gr_free().
* lib/groupio.c: Use gr_free() for group_free().
* lib/pwmem.c: Include define.h before prototypes.h
* lib/pwmem.c: Added pw_free().
* lib/pwio.c: Use pw_free() for passwd_free().
* lib/sgroupio.c: Added sgr_free().
* lib/sgroupio.c: Use sgr_free() for gshadow_free().
* lib/prototypes.h: Added gr_free(), pw_free(), sgr_free(),
spw_free().
is always coming from xgetpwnam. There is no need to copy pwd to
pwent, this was not a good idea anyway as the strings from pwd
were not duplicated.
* src/login.c: Always free the pwd and spwd structure when we
retrieve a new one. This will clear the password of the previous
user from the memory.
* src/login.c: user_passwd is used to keep point to the password
of the user being authenticated.
* src/login.c: (non PAM) Fail if the user's entry cannot be found
after the user updated her password (if expire() requested an
update).
* src/login.c: If the user does not exist on the system, there is
no need to build a pwd structure (with shell).
username as first parameter of failtmp to avoid issues with
non-null terminated ut_user, unavailability of ut_user, incomplete
username (that should not happen currently).
terminal termio flags. Reset echoprt, noflsh, tostop. This
behavior seems to have change by mistake in earlier releases
(4.0.8, for no obvious reason).
SELinux user for user's login.
* NEWS, src/usermod.c, man/usermod.8.xml: Likewise.
* libmisc/system.c, libmisc/Makefile.am, lib/prototypes.h: Added
safe_system(). Used to run semanage.
* lib/prototypes.h, libmisc/copydir.c: Make a
selinux_file_context() an extern function.
* libmisc/copydir.c: Reset SELinux to create files with default
contexts at the end of copy_tree().
* NEWS, src/userdel.c: Delete the SELinux user mapping for user's
login.
never set ifndef USE_PAM. Change the prototype of setup_uid_gid()
when USE_PAM is not defined. This permits to remove add_groups
from PAM builds. setup_uid_gid is already subject to
HAVE_INITGROUPS.
ifndef USE_PAM.
* lib/prototypes.h: Remove the declaration of add_cons_grps(). The
function does not exist.
* libmisc/age.c (setup_uid_gid): is_console is never set ifndef
USE_PAM. Change the prototype of setup_uid_gid() when USE_PAM is
not defined. This permits to remove add_groups from PAM builds.
setup_uid_gid is already subject to HAVE_INITGROUPS.
* libmisc/pwd2spwd.c (pwd_to_spwd): pwd_to_spwd() is not used in
PAM builds.
src/passwd.c, src/pwck.c, src/pwconv.c, src/useradd.c,
src/usermod.c: On Jan 01, 1970, do not set the sp_lstchg field to
0 (which means that the password shall be changed during the next
login), but use -1 (password aging disabled).
* src/passwd.c: Do not check sp_min if sp_lstchg is null or -1.
value should be -1 (no aging) rather than 0 (password must be
changed).
* src/chage.c: For password expiration and inactivity, indicate
that the password must be changed when sp_lstchg is null rather
than indicating that expiration and inactivity are not enabled.
database before calling spw_remove().
* NEWS, src/userdel.c: When the user's group is removed, make sure
the group is in the gshadow database before calling sgr_remove().
* src/userdel.c: Improve warning's wording.
expansion. Make sure config.xml does not exist when the POT file
is created in order to keep the configurations in the POT file
* man/generate_translations.mak: make sure config.xml does not
exist neither when the translated XML is generated. Add the
missing %config; (strip out by xml2po). and make sure config.xml
is present when the translated manpage is generated.
* man/generate_mans.mak: config.xml is needed for the generation
of manpages (already in the .deps for the English manpages, but
needed for the translations).
* man/Makefile.am: Added missing CREATE_HOME.xml.
as newgrp.
* man/login.defs.5.xml: vipw does not use any variable.
* man/login.defs.5.xml: In PAM enabled configurations, login still
uses some login.defs variables.
users with -u.
* src/faillog.c: Do not call print_one() for users which do not
exist.
* src/faillog.c: Make sure the user's entry is not outside the
faillog file and initialize the faillog structure in that case.
* src/faillog.c: Move print_one() closer to print().
* src/faillog.c: reset(), setmax(), set_locktime() can also change
entries of user which do not exist.
* src/faillog.c: reset(), setmax() and set_locktime() shall not
create entries for users which have no entries if the value has to
be set to 0.
* src/faillog.c: reset(), setmax() and set_locktime(): better
handling of users whose entry is outside the faillog file.
* src/faillog.c: Improved option handling. Options can now be
specified in any order.
* src/faillog.c: Improved warnings when options are not
compatible or when the faillog cannot be open with the right mode.
* src/faillog.c: Only fstat the faillog file once.
* man/faillog.8.xml: Improved documentation.
compiled when disabled at configuration time.
* src/chgpasswd.c: Make sure the SHA related variables is not
compiled when disabled at configuration time.
* src/chgpasswd.c: Fix the test for getlong() failure.
clash with the structure.
* src/lastlog.c: check the offset in print_one() so that it is
used for the display of one entry or a set of entries.
* src/lastlog.c: Do not loop over the whole user database when -u
is used with a single user.
* src/lastlog.c: Check the size of the lastlog file so that we
can identify failures to read.
when the changes are committed to the system. Do not log failure
for on-memory changes to audit or syslog. Make sure failures and
inconsistencies will be reported in case of unexpected failures
(e.g. malloc failures). Only specify an audit message if it is not
implicitly implied by the type argument. Removed fail_exit
(replaced by atexit(do_cleanups)). Log failures in case of
permission denied.
messages not related to an account.
* lib/prototypes.h, libmisc/cleanup.c, libmisc/cleanup_group.c,
libmisc/cleanup_user.c, libmisc/Makefile.am: Added stack of
cleanup functions to be executed on exit.
* NEWS, src/groupadd.c, src/groupdel.c, src/groupmod.c: Only
report success to audit and syslog when the changes are committed
to the system. Do not log failure for on-memory changes to audit
or syslog. Make sure failures and inconsistencies will be reported
in case of unexpected failures (e.g. malloc failures). Only
specify an audit message if it is not implicitly implied by the
type argument. Removed fail_exit (replaced by atexit(do_cleanups)).
configure option. The configure behavior encoded is:
<no option> -> default of 16 (like today);
--with-group-name-max-length -> default of 16;
--without-group-name-max-length -> no max length;
--with-group-name-max-length=n > max is set to n.
utmp.c to chowntty.c. checkutmp() now only uses an existing utmp
entry if the pid matches and ut_line matches with the current tty.
This fixes a possible DOS when entries can be forged in the utmp
file.
* libmisc/chowntty.c, src/login.c, lib/prototypes.h: Remove the
tty argument from chown_tty. chown_tty always changes stdin and
does not need this argument anymore.
man/grpck.8.xml: Sorted SEE ALSO references.
* man/gshadow.5.xml: Added reference to grpck(8) and grpconv(8).
* man/pwck.8.xml: Added reference to grpck(8).
* man/shadow.5.xml: Added reference to pwck(8).
* man/passwd.5.xml: Added reference to pwck(8).
* man/grpck.8.xml: Added reference to pwck(8).
parameter of -f. Fix the getopt optstring, remove the parsing of
username in the -f processing block, and remove unnecessary checks
(username cannot be parsed twice anymore), better documentation of
the synopsis.
caller, not the user login tries to authenticate.
* src/login.c: Use pwd->pw_name instead of pwd->pw_uid. This might
be more precise (name must be unique, uid might not be).
* src/pwck.c: Only unlock files if they were locked before (e.g.
not in read-only mode).
* src/pwck.c: Quote the username in error messages (harmonization
with other messages).
* libmisc/find_new_gid.c: Fixed typo (s/grp->gr_gid/group_id/).
* libmisc/find_new_gid.c: Likewise.
to create a home directory for new users.
* src/useradd.c, man/useradd.8.xml: New -M/--no-create-home option
and CREATE_HOME usage. System accounts are not impacted by
CREATE_HOME.
* man/useradd.8.xml: Indicate that a new group is created by
default.
* src/useradd.c: Removed TODO item (moved to the TODO file).
Thanks to Peter Vrabec.
* NEWS, libmisc/find_new_gid.c, libmisc/find_new_uid.c: Build an
index of used IDs to avoid a database request for each id in the
allowed range (when the highest allowed ID is already used).
This speedups the addition of users or groups when the highest
allowed ID is already used. The additional memory usage of the
tools should be acceptable when UID_MAX/SYS_UID_MAX are set to a
reasonable number.
* src/userdel.c, src/newusers.c, src/chpasswd.c, src/chfn.c,
src/groupmems.c, src/usermod.c, src/groupdel.c, src/chgpasswd.c,
src/useradd.c, src/groupmod.c, src/groupadd.c, src/chage.c,
src/chsh.c: If the username cannot be determined, report it as
such (not a PAM authentication failure).
--disable-account-tools-setuid options. This permits to disable
the PAM authentication of the caller for chage, chgpasswd,
chpasswd, groupadd, groupdel, groupmod, newusers, useradd,
userdel, and usermod. This authentication is not necessary when
these tools are not installed setuid root.
enable/disable the usage of PAM to authenticate the callers of
account management tools: chage, chgpasswd, chpasswd, groupadd,
groupdel, groupmod, useradd, userdel, usermod.
* src/Makefile.am: Do not link the above tools with libpam if
account-tools-setuid is disabled.
* src/userdel.c, src/newusers.c, src/chpasswd.c, src/usermod.c,
src/groupdel.c, src/chgpasswd.c, src/useradd.c, src/groupmod.c,
src/groupadd.c, src/chage.c: Implement ACCT_TOOLS_SETUID
(--enable-account-tools-setuid).
* etc/pam.d/Makefile.am: Install the pam service file for the
above tools only when needed.
* src/useradd.c, src/userdel.c, src/usermod.c: It is no more
needed to initialize retval to PAM_SUCCESS.