shadow: upgrade 4.2.1 -> 4.6

The following patches are removed because problems have been fixed in this version.
  0001-shadow-CVE-2017-12424
  fix-installation-failure-with-subids-disabled.patch
  usermod-fix-compilation-failure-with-subids-disabled.patch
  CVE-2017-2616.patch
  check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
  0001-Do-not-read-login.defs-before-doing-chroot.patch

The following patches are rebased.
  0001-Disable-use-of-syslog-for-sysroot.patch
  0001-useradd-copy-extended-attributes-of-home.patch
  0001-useradd.c-create-parent-directories-when-necessary.patch
  allow-for-setting-password-in-clear-text.patch

(From OE-Core rev: 79dd22729d5b8a2f2cf4294ff6b261c9d6ecd977)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Chen Qi
2018-07-27 16:04:34 +08:00
committed by Richard Purdie
parent 96f011e628
commit ffb63803ea
14 changed files with 209 additions and 375 deletions


@@ -11,6 +11,7 @@ Upstream-Status: Inappropriate [disable feature]
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
src/groupadd.c | 3 +++
src/groupdel.c | 3 +++
@@ -22,7 +23,7 @@ Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
7 files changed, 21 insertions(+)
diff --git a/src/groupadd.c b/src/groupadd.c
index 39b4ec0..f716f57 100644
index 63e1c48..a596c49 100644
--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -34,6 +34,9 @@
@@ -36,7 +37,7 @@ index 39b4ec0..f716f57 100644
#include <fcntl.h>
#include <getopt.h>
diff --git a/src/groupdel.c b/src/groupdel.c
index da99347..46a679c 100644
index 70bed01..ababd81 100644
--- a/src/groupdel.c
+++ b/src/groupdel.c
@@ -34,6 +34,9 @@
@@ -50,7 +51,7 @@ index da99347..46a679c 100644
#include <fcntl.h>
#include <grp.h>
diff --git a/src/groupmems.c b/src/groupmems.c
index e4f107f..95cb073 100644
index fc91c8b..2842514 100644
--- a/src/groupmems.c
+++ b/src/groupmems.c
@@ -32,6 +32,9 @@
@@ -64,7 +65,7 @@ index e4f107f..95cb073 100644
#include <getopt.h>
#include <grp.h>
diff --git a/src/groupmod.c b/src/groupmod.c
index d9d3807..6229737 100644
index 72daf2c..8965f9d 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -34,6 +34,9 @@
@@ -78,7 +79,7 @@ index d9d3807..6229737 100644
#include <fcntl.h>
#include <getopt.h>
diff --git a/src/useradd.c b/src/useradd.c
index e1ebf50..25679d8 100644
index 3aaf45c..1ab9174 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -34,6 +34,9 @@
@@ -92,7 +93,7 @@ index e1ebf50..25679d8 100644
#include <ctype.h>
#include <errno.h>
diff --git a/src/userdel.c b/src/userdel.c
index 19b12bc..a083929 100644
index c8de1d3..24d3ea9 100644
--- a/src/userdel.c
+++ b/src/userdel.c
@@ -34,6 +34,9 @@
@@ -102,11 +103,11 @@ index 19b12bc..a083929 100644
+/* Disable use of syslog since we're running this command against a sysroot */
+#undef USE_SYSLOG
+
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
diff --git a/src/usermod.c b/src/usermod.c
index 685b50a..28e5cfc 100644
index ccfbb99..24fb60d 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -34,6 +34,9 @@
@@ -116,9 +117,9 @@ index 685b50a..28e5cfc 100644
+/* Disable use of syslog since we're running this command against a sysroot */
+#undef USE_SYSLOG
+
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
--
2.1.0
2.11.0


@@ -1,46 +0,0 @@
From 170c25c8e0b5c3dc2615d1db94c8d24a13ff99bf Mon Sep 17 00:00:00 2001
From: Peter Kjellerstedt <pkj@axis.com>
Date: Thu, 11 Sep 2014 15:11:23 +0200
Subject: [PATCH] Do not read login.defs before doing chroot()
If "useradd --root <root> ..." was used, the login.defs file would still
be read from /etc/login.defs instead of <root>/etc/login.defs. This was
due to getdef_ulong() being called before process_root_flag().
Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2014-September/010446.html]
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
---
src/useradd.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index a8a1f76..e1ebf50 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1993,9 +1993,11 @@ int main (int argc, char **argv)
#endif /* USE_PAM */
#endif /* ACCT_TOOLS_SETUID */
+#ifdef ENABLE_SUBIDS
/* Needed for userns check */
- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+ uid_t uid_min;
+ uid_t uid_max;
+#endif
/*
* Get my name so that I can use it to report errors.
@@ -2026,6 +2028,8 @@ int main (int argc, char **argv)
is_shadow_grp = sgr_file_present ();
#endif
#ifdef ENABLE_SUBIDS
+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
is_sub_uid = sub_uid_file_present () && !rflg &&
(!user_id || (user_id <= uid_max && user_id >= uid_min));
is_sub_gid = sub_gid_file_present () && !rflg &&
--
1.9.0


@@ -1,46 +0,0 @@
From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 31 Mar 2017 16:25:06 +0200
Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
If ptr->line == NULL for an entry, the first cycle will exit,
but the second one will happily write past entries buffer.
We actually do not want to exit the first cycle prematurely
on ptr->line == NULL.
Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
CVE: CVE-2017-12424
Upstream-Status: Backport
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
lib/commonio.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/commonio.c b/lib/commonio.c
index b10da06..31edbaa 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
for (ptr = db->head;
(NULL != ptr)
#if KEEP_NIS_AT_END
- && (NULL != ptr->line)
- && ( ('+' != ptr->line[0])
- && ('-' != ptr->line[0]))
+ && ((NULL == ptr->line)
+ || (('+' != ptr->line[0])
+ && ('-' != ptr->line[0])))
#endif
;
ptr = ptr->next) {
n++;
}
#if KEEP_NIS_AT_END
- if ((NULL != ptr) && (NULL != ptr->line)) {
+ if (NULL != ptr) {
nis = ptr;
}
#endif
--
2.1.0


@@ -1,47 +1,41 @@
From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Tue, 7 Mar 2017 16:03:03 +0100
Subject: [PATCH] useradd: copy extended attributes of home
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Home directory wasn't getting the extended attributes
of /etc/skel. This patch fixes that issue and adds the copy
of the extended attributes of the root of the home directory.
Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html]
Upstream-Status: Pending
Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
src/useradd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/useradd.c b/src/useradd.c
index a8a1f76..8aefb9c 100644
index e721e52..c74e491 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -52,6 +52,9 @@
#include <sys/stat.h>
#include <sys/types.h>
@@ -54,6 +54,9 @@
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
+#ifdef WITH_ATTR
+#include <attr/libattr.h>
+#endif
#include "chkname.h"
#include "defines.h"
#include "faillog.h"
@@ -1915,6 +1918,9 @@ static void create_home (void)
chown (user_home, user_id, user_gid);
chmod (user_home,
@@ -2042,6 +2045,9 @@ static void create_home (void)
(void) chown (prefix_user_home, user_id, user_gid);
chmod (prefix_user_home,
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+#ifdef WITH_ATTR
+ attr_copy_file (def_template, user_home, NULL, NULL);
+ attr_copy_file (def_template, user_home, NULL, NULL);
+#endif
home_added = true;
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog,
--
2.9.3
2.11.0
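Review bot: In the create_home hunk the rebased `attr_copy_file (def_template, user_home, NULL, NULL);` still targets `user_home`, while the 4.6 context lines directly above it now run `chown` and `chmod` on `prefix_user_home`. If a prefix is ever in effect, the extended attributes (which can carry security labels) would be applied to a different path than the directory that was just chowned; `attr_copy_file (def_template, prefix_user_home, NULL, NULL);` keeps the three calls on the same object. The return value is also discarded, so a failed copy leaves the home directory without the template's attributes and nothing is reported; a `!= 0` check with an `fprintf (stderr, ...)` warning would make that visible. create_home's body starts and ends outside the hunk.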


@@ -1,17 +1,17 @@
Upstream-Status: Inappropriate [OE specific]
Subject: [PATCH] useradd.c: create parent directories when necessary
Subject: useradd.c: create parent directories when necessary
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
src/useradd.c | 72 +++++++++++++++++++++++++++++++++++++++------------------
1 file changed, 49 insertions(+), 23 deletions(-)
src/useradd.c | 82 +++++++++++++++++++++++++++++++++++++++--------------------
1 file changed, 54 insertions(+), 28 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 4bd969d..cb5dd6c 100644
index 7214e72..3aaf45c 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1896,6 +1896,35 @@ static void usr_update (void)
@@ -2021,6 +2021,35 @@ static void usr_update (void)
}
/*
@@ -47,63 +47,68 @@ index 4bd969d..cb5dd6c 100644
* create_home - create the user's home directory
*
* create_home() creates the user's home directory if it does not
@@ -1910,39 +1939,36 @@ static void create_home (void)
@@ -2038,42 +2067,39 @@ static void create_home (void)
fail_exit (E_HOMEDIR);
}
#endif
- /* XXX - create missing parent directories. --marekm */
- if (mkdir (user_home, 0) != 0) {
- if (mkdir (prefix_user_home, 0) != 0) {
- fprintf (stderr,
- _("%s: cannot create directory %s\n"),
- Prog, user_home);
-#ifdef WITH_AUDIT
- Prog, prefix_user_home);
+ mkdir_p(user_home);
+ }
+ if (access (prefix_user_home, F_OK) != 0) {
#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding home directory",
- user_name, (unsigned int) user_id,
- SHADOW_AUDIT_FAILURE);
-#endif
- fail_exit (E_HOMEDIR);
- }
- chown (user_home, user_id, user_gid);
- chmod (user_home,
- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
-#ifdef WITH_ATTR
- attr_copy_file (def_template, user_home, NULL, NULL);
-#endif
- home_added = true;
+ mkdir_p(user_home);
+ }
+ if (access (user_home, F_OK) != 0) {
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog,
"adding home directory",
user_name, (unsigned int) user_id,
- SHADOW_AUDIT_SUCCESS);
+ SHADOW_AUDIT_FAILURE);
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding home directory",
+ user_name, (unsigned int) user_id,
+ SHADOW_AUDIT_FAILURE);
#endif
-#ifdef WITH_SELINUX
- /* Reset SELinux to create files with default contexts */
- if (reset_selinux_file_context () != 0) {
- fail_exit (E_HOMEDIR);
- }
- (void) chown (prefix_user_home, user_id, user_gid);
- chmod (prefix_user_home,
- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ fail_exit (E_HOMEDIR);
+ }
+ chown (user_home, user_id, user_gid);
+ chmod (user_home,
+ (void) chown (prefix_user_home, user_id, user_gid);
+ chmod (prefix_user_home,
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+#ifdef WITH_ATTR
#ifdef WITH_ATTR
- attr_copy_file (def_template, user_home, NULL, NULL);
+ attr_copy_file (def_template, user_home, NULL, NULL);
+#endif
#endif
- home_added = true;
+ home_added = true;
+#ifdef WITH_AUDIT
#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding home directory",
- user_name, (unsigned int) user_id,
- SHADOW_AUDIT_SUCCESS);
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding home directory",
+ user_name, (unsigned int) user_id,
+ SHADOW_AUDIT_SUCCESS);
#endif
+#ifdef WITH_SELINUX
#ifdef WITH_SELINUX
- /* Reset SELinux to create files with default contexts */
- if (reset_selinux_file_context () != 0) {
- fprintf (stderr,
- _("%s: cannot reset SELinux file creation context\n"),
- Prog);
- fail_exit (E_HOMEDIR);
- }
-#endif
+ /* Reset SELinux to create files with default contexts */
+ if (reset_selinux_file_context () != 0) {
+ fprintf (stderr,
+ _("%s: cannot reset SELinux file creation context\n"),
+ Prog);
+ fail_exit (E_HOMEDIR);
}
+#endif
@@ -111,5 +116,5 @@ index 4bd969d..cb5dd6c 100644
/*
--
1.7.9.5
2.11.0
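Review bot: The new create_home code calls `mkdir_p(user_home);` without using any result and then infers success from an `access (..., F_OK)` test, which only proves that something exists at the path, not that it is a directory or that this call created it. The following `chown`/`chmod` then act on whatever is there, so it is worth having mkdir_p report failure and checking that directly, or at least confirming with `lstat` and `S_ISDIR` before changing ownership. The failure branch also lost the `cannot create directory` message that the removed upstream code printed, leaving only the WITH_AUDIT-only audit record and `fail_exit (E_HOMEDIR)`; restoring `fprintf (stderr, _("%s: cannot create directory %s\n"), Prog, user_home);` there keeps the error visible. mkdir_p is defined in the earlier hunk of this patch, whose body is not shown on this page, and create_home continues outside the hunk.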


@@ -1,64 +0,0 @@
shadow-4.2.1: Fix CVE-2017-2616
[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
su: properly clear child PID
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
CVE: CVE-2017-2616
bug: 855943
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
diff --git a/src/su.c b/src/su.c
index 3704217..1efcd61 100644
--- a/src/su.c
+++ b/src/su.c
@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
/* wake child when resumed */
kill (pid, SIGCONT);
stop = false;
+ } else {
+ pid_child = 0;
}
} while (!stop);
}
- if (0 != caught) {
+ if (0 != caught && 0 != pid_child) {
(void) fputs ("\n", stderr);
(void) fputs (_("Session terminated, terminating shell..."),
stderr);
(void) kill (-pid_child, caught);
(void) signal (SIGALRM, kill_child);
+ (void) signal (SIGCHLD, catch_signals);
(void) alarm (2);
- (void) wait (&status);
+ sigemptyset (&ourset);
+ if ((sigaddset (&ourset, SIGALRM) != 0)
+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+ kill_child (0);
+ } else {
+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
+ sigsuspend (&ourset);
+ }
+ pid_child = 0;
+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+ }
+
(void) fputs (_(" ...terminated.\n"), stderr);
}


@@ -1,21 +1,21 @@
Upstream-Status: Inappropriate [OE specific]
Subject: [PATCH] Allow for setting password in clear text
Allow for setting password in clear text.
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
src/Makefile.am | 8 ++++----
src/groupadd.c | 8 +++++++-
src/groupmod.c | 8 +++++++-
src/useradd.c | 9 +++++++--
src/usermod.c | 8 +++++++-
5 files changed, 32 insertions(+), 9 deletions(-)
src/Makefile.am | 8 ++++----
src/groupadd.c | 20 +++++++++++++++-----
src/groupmod.c | 20 +++++++++++++++-----
src/useradd.c | 21 +++++++++++++++------
src/usermod.c | 20 +++++++++++++++-----
5 files changed, 64 insertions(+), 25 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 25e288d..856b087 100644
index 3c98a8d..b8093d5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -88,10 +88,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
@@ -93,10 +93,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
@@ -28,9 +28,9 @@ index 25e288d..856b087 100644
grpck_LDADD = $(LDADD) $(LIBSELINUX)
grpconv_LDADD = $(LDADD) $(LIBSELINUX)
grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
@@ -111,9 +111,9 @@ su_SOURCES = \
@@ -117,9 +117,9 @@ su_SOURCES = \
suauth.c
su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
sulogin_LDADD = $(LDADD) $(LIBCRYPT)
-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT)
@@ -41,33 +41,39 @@ index 25e288d..856b087 100644
install-am: all-am
diff --git a/src/groupadd.c b/src/groupadd.c
index f716f57..4e28c26 100644
index b57006c..63e1c48 100644
--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -124,6 +124,7 @@ static /*@noreturn@*/void usage (int status)
@@ -123,9 +123,10 @@ static /*@noreturn@*/void usage (int status)
(void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n"
" (non-unique) GID\n"), usageout);
(void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout);
+ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout);
(void) fputs (_(" -r, --system create a system account\n"), usageout);
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
- (void) fputs (_(" -P, --prefix PREFIX_DIR directory prefix\n"), usageout);
+ (void) fputs (_(" -A, --prefix PREFIX_DIR directory prefix\n"), usageout);
(void) fputs ("\n", usageout);
@@ -387,12 +388,13 @@ static void process_flags (int argc, char **argv)
exit (status);
}
@@ -387,13 +388,14 @@ static void process_flags (int argc, char **argv)
{"key", required_argument, NULL, 'K'},
{"non-unique", no_argument, NULL, 'o'},
{"password", required_argument, NULL, 'p'},
+ {"clear-password", required_argument, NULL, 'P'},
{"system", no_argument, NULL, 'r'},
{"root", required_argument, NULL, 'R'},
- {"prefix", required_argument, NULL, 'P'},
+ {"prefix", required_argument, NULL, 'A'},
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:",
+ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:",
- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:P:",
+ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:A:",
long_options, NULL)) != -1) {
switch (c) {
case 'f':
@@ -444,6 +446,10 @@ static void process_flags (int argc, char **argv)
@@ -445,12 +447,20 @@ static void process_flags (int argc, char **argv)
pflg = true;
group_passwd = optarg;
break;
@@ -78,32 +84,57 @@ index f716f57..4e28c26 100644
case 'r':
rflg = true;
break;
case 'R': /* no-op, handled in process_root_flag () */
break;
- case 'P': /* no-op, handled in process_prefix_flag () */
+ case 'A': /* no-op, handled in process_prefix_flag () */
+ fprintf (stderr,
+ _("%s: -A is deliberately not supported \n"),
+ Prog);
+ exit (E_BAD_ARG);
break;
default:
usage (E_USAGE);
@@ -584,7 +594,7 @@ int main (int argc, char **argv)
(void) textdomain (PACKAGE);
process_root_flag ("-R", argc, argv);
- prefix = process_prefix_flag ("-P", argc, argv);
+ prefix = process_prefix_flag ("-A", argc, argv);
OPENLOG ("groupadd");
#ifdef WITH_AUDIT
diff --git a/src/groupmod.c b/src/groupmod.c
index d9d3807..68f49d1 100644
index b293b98..72daf2c 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -127,6 +127,7 @@ static void usage (int status)
@@ -134,8 +134,9 @@ static void usage (int status)
(void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout);
(void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n"
" PASSWORD\n"), usageout);
+ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout);
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
(void) fputs ("\n", usageout);
exit (status);
@@ -375,10 +376,11 @@ static void process_flags (int argc, char **argv)
}
@@ -383,11 +384,12 @@ static void process_flags (int argc, char **argv)
{"new-name", required_argument, NULL, 'n'},
{"non-unique", no_argument, NULL, 'o'},
{"password", required_argument, NULL, 'p'},
+ {"clear-password", required_argument, NULL, 'P'},
{"root", required_argument, NULL, 'R'},
- {"prefix", required_argument, NULL, 'P'},
+ {"prefix", required_argument, NULL, 'A'},
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "g:hn:op:R:",
+ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:",
- while ((c = getopt_long (argc, argv, "g:hn:op:R:P:",
+ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:A:",
long_options, NULL)) != -1) {
switch (c) {
case 'g':
@@ -405,6 +407,10 @@ static void process_flags (int argc, char **argv)
@@ -414,9 +416,17 @@ static void process_flags (int argc, char **argv)
group_passwd = optarg;
pflg = true;
break;
@@ -113,40 +144,65 @@ index d9d3807..68f49d1 100644
+ break;
case 'R': /* no-op, handled in process_root_flag () */
break;
- case 'P': /* no-op, handled in process_prefix_flag () */
+ case 'A': /* no-op, handled in process_prefix_flag () */
+ fprintf (stderr,
+ _("%s: -A is deliberately not supported \n"),
+ Prog);
+ exit (E_BAD_ARG);
break;
default:
usage (E_USAGE);
@@ -757,7 +767,7 @@ int main (int argc, char **argv)
(void) textdomain (PACKAGE);
process_root_flag ("-R", argc, argv);
- prefix = process_prefix_flag ("-P", argc, argv);
+ prefix = process_prefix_flag ("-A", argc, argv);
OPENLOG ("groupmod");
#ifdef WITH_AUDIT
diff --git a/src/useradd.c b/src/useradd.c
index b3bd451..4416f90 100644
index c74e491..7214e72 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -776,6 +776,7 @@ static void usage (int status)
@@ -829,9 +829,10 @@ static void usage (int status)
(void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
" (non-unique) UID\n"), usageout);
(void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout);
+ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout);
(void) fputs (_(" -r, --system create a system account\n"), usageout);
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
(void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout);
@@ -1050,6 +1051,7 @@ static void process_flags (int argc, char **argv)
(void) fputs (_(" -u, --uid UID user ID of the new account\n"), usageout);
(void) fputs (_(" -U, --user-group create a group with the same name as the user\n"), usageout);
@@ -1104,9 +1105,10 @@ static void process_flags (int argc, char **argv)
{"no-user-group", no_argument, NULL, 'N'},
{"non-unique", no_argument, NULL, 'o'},
{"password", required_argument, NULL, 'p'},
+ {"clear-password", required_argument, NULL, 'P'},
{"system", no_argument, NULL, 'r'},
{"root", required_argument, NULL, 'R'},
- {"prefix", required_argument, NULL, 'P'},
+ {"prefix", required_argument, NULL, 'A'},
{"shell", required_argument, NULL, 's'},
@@ -1062,9 +1064,9 @@ static void process_flags (int argc, char **argv)
{"uid", required_argument, NULL, 'u'},
{"user-group", no_argument, NULL, 'U'},
@@ -1117,9 +1119,9 @@ static void process_flags (int argc, char **argv)
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:UZ:",
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:UZ:",
#else /* !WITH_SELINUX */
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:U",
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:U",
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) {
@@ -1230,6 +1232,9 @@ static void process_flags (int argc, char **argv)
@@ -1285,12 +1287,19 @@ static void process_flags (int argc, char **argv)
}
user_pass = optarg;
break;
@@ -156,36 +212,62 @@ index b3bd451..4416f90 100644
case 'r':
rflg = true;
break;
case 'R': /* no-op, handled in process_root_flag () */
break;
- case 'P': /* no-op, handled in process_prefix_flag () */
+ case 'A': /* no-op, handled in process_prefix_flag () */
+ fprintf (stderr,
+ _("%s: -A is deliberately not supported \n"),
+ Prog);
+ exit (E_BAD_ARG);
break;
case 's':
if ( ( !VALID (optarg) )
@@ -2148,7 +2157,7 @@ int main (int argc, char **argv)
process_root_flag ("-R", argc, argv);
- prefix = process_prefix_flag("-P", argc, argv);
+ prefix = process_prefix_flag("-A", argc, argv);
OPENLOG ("useradd");
#ifdef WITH_AUDIT
diff --git a/src/usermod.c b/src/usermod.c
index e7d4351..b79f7a3 100644
index e571426..ccfbb99 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -419,6 +419,7 @@ static /*@noreturn@*/void usage (int status)
@@ -424,8 +424,9 @@ static /*@noreturn@*/void usage (int status)
" new location (use only with -d)\n"), usageout);
(void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout);
(void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout);
+ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout);
(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
(void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
(void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
@@ -996,6 +997,7 @@ static void process_flags (int argc, char **argv)
(void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
@@ -1002,8 +1003,9 @@ static void process_flags (int argc, char **argv)
{"move-home", no_argument, NULL, 'm'},
{"non-unique", no_argument, NULL, 'o'},
{"password", required_argument, NULL, 'p'},
+ {"clear-password", required_argument, NULL, 'P'},
{"root", required_argument, NULL, 'R'},
- {"prefix", required_argument, NULL, 'P'},
+ {"prefix", required_argument, NULL, 'A'},
{"shell", required_argument, NULL, 's'},
{"uid", required_argument, NULL, 'u'},
@@ -1012,7 +1014,7 @@ static void process_flags (int argc, char **argv)
{"unlock", no_argument, NULL, 'U'},
@@ -1019,7 +1021,7 @@ static void process_flags (int argc, char **argv)
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
- "ac:d:e:f:g:G:hl:Lmop:R:s:u:U"
+ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U"
- "ac:d:e:f:g:G:hl:Lmop:R:s:u:UP:"
+ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:UA:"
#ifdef ENABLE_SUBIDS
"v:w:V:W:"
#endif /* ENABLE_SUBIDS */
@@ -1112,6 +1114,10 @@ static void process_flags (int argc, char **argv)
@@ -1119,9 +1121,17 @@ static void process_flags (int argc, char **argv)
user_pass = optarg;
pflg = true;
break;
@@ -195,7 +277,24 @@ index e7d4351..b79f7a3 100644
+ break;
case 'R': /* no-op, handled in process_root_flag () */
break;
- case 'P': /* no-op, handled in process_prefix_flag () */
+ case 'A': /* no-op, handled in process_prefix_flag () */
+ fprintf (stderr,
+ _("%s: -A is deliberately not supported \n"),
+ Prog);
+ exit (E_BAD_ARG);
break;
case 's':
if (!VALID (optarg)) {
@@ -2098,7 +2108,7 @@ int main (int argc, char **argv)
(void) textdomain (PACKAGE);
process_root_flag ("-R", argc, argv);
- prefix = process_prefix_flag ("-P", argc, argv);
+ prefix = process_prefix_flag ("-A", argc, argv);
OPENLOG ("usermod");
#ifdef WITH_AUDIT
--
1.7.9.5
2.11.0
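Review bot: In the `case 'A':` arms added to process_flags in groupadd.c, groupmod.c, useradd.c and usermod.c, the retained comment `/* no-op, handled in process_prefix_flag () */` contradicts the body, which prints an error and exits with E_BAD_ARG; something like `/* --prefix is rejected here: -P now means --clear-password */` states the intent, and the `break;` after `exit` is dead. The usage() text in the same four files still lists `-A, --prefix PREFIX_DIR` as a working option, so that line should be dropped or marked unsupported. Separately, the `-P, --clear-password` help lines could say that the password is passed in argv and is therefore typically visible to other local users in the process list while the tool runs, which matters if the option is ever used outside build-time sysroot population. process_flags and usage continue outside these hunks.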


@@ -1,41 +0,0 @@
From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
From: James Le Cuirot <chewi@aura-online.co.uk>
Date: Sat, 23 Aug 2014 09:46:39 +0100
Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
This built-in check is simpler than the previous method and, most
importantly, works when cross-compiling.
Upstream-Status: Accepted
[https://github.com/shadow-maint/shadow/commit/2cb54158b80cdbd97ca3b36df83f9255e923ae3f]
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
configure.in | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/configure.in b/configure.in
index 1a3f841..4a4d6d0 100644
--- a/configure.in
+++ b/configure.in
@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
dnl
dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
dnl
- AC_RUN_IFELSE([AC_LANG_SOURCE([
-#include <sys/types.h>
-int main(void) {
- uid_t u;
- gid_t g;
- return (sizeof u < 4) || (sizeof g < 4);
-}
- ])], [id32bit="yes"], [id32bit="no"])
-
- if test "x$id32bit" = "xyes"; then
+ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
+ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
+
+ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
enable_subids="yes"
else


@@ -1,28 +0,0 @@
Upstream-Status: Pending
Subject: fix installation failure with subids disabled
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
src/Makefile.am | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 25e288d..076f8ef 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -52,7 +52,10 @@ usbin_PROGRAMS = \
noinst_PROGRAMS = id sulogin
suidbins = su
-suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap
+suidubins = chage chfn chsh expiry gpasswd newgrp passwd
+if ENABLE_SUBIDS
+suidubins += newgidmap newuidmap
+endif
if ACCT_TOOLS_SETUID
suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
endif
--
1.7.9.5


@@ -1,33 +0,0 @@
Upstream-Status: Pending
usermod: fix compilation failure with subids disabled
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
src/usermod.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/usermod.c b/src/usermod.c
index e7d4351..685b50a 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -1360,7 +1360,7 @@ static void process_flags (int argc, char **argv)
Prog, (unsigned long) user_newid);
exit (E_UID_IN_USE);
}
-
+#ifdef ENABLE_SUBIDS
if ( (vflg || Vflg)
&& !is_sub_uid) {
fprintf (stderr,
@@ -1376,6 +1376,7 @@ static void process_flags (int argc, char **argv)
Prog, sub_gid_dbname (), "-w", "-W");
exit (E_USAGE);
}
+#endif
}
/*
--
1.7.9.5


@@ -9,16 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
DEPENDS = "virtual/crypt"
UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases"
SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \
file://shadow-4.1.3-dots-in-usernames.patch \
file://usermod-fix-compilation-failure-with-subids-disabled.patch \
file://fix-installation-failure-with-subids-disabled.patch \
file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
file://CVE-2017-2616.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
"
@@ -38,8 +31,8 @@ SRC_URI_append_class-nativesdk = " \
file://0001-Disable-use-of-syslog-for-sysroot.patch \
"
SRC_URI[md5sum] = "2bfafe7d4962682d31b5eba65dba4fc8"
SRC_URI[sha256sum] = "3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41"
SRC_URI[md5sum] = "36feb15665338ae3de414f2a88e434db"
SRC_URI[sha256sum] = "4668f99bd087399c4a586084dc3b046b75f560720d83e92fd23bf7a89dda4d31"
# Additional Policy files for PAM
PAM_SRC_URI = "file://pam.d/chfn \