authorBalint Reczey <balint@balintreczey.hu>2022-11-10 16:28:31 +0100
committerBalint Reczey <balint@balintreczey.hu>2022-11-10 22:07:00 +0100
commitf960334281401c7ec0000f3520931ae943a4d800 (patch)
tree9e9ff52884dbdd85531c12876cb98392025881ee
parente4bc4e00d3dfaa757acf6573fa88af229ca7a0ec (diff)
downloadshadow-f960334281401c7ec0000f3520931ae943a4d800.tar.gz
Refresh patches
-rw-r--r--debian/patches/0001-chage-Fix-regression-in-print_date.patch32
-rw-r--r--debian/patches/0002-copy_tree-use-fchmodat-instead-of-chmod.patch27
-rw-r--r--debian/patches/0003-copy_tree-do-not-block-on-fifos.patch53
-rw-r--r--debian/patches/008_login_log_failure_in_FTMP2
-rw-r--r--debian/patches/301_lastlog_faillog_do_not_reset_non-existent_data37
-rw-r--r--debian/patches/429_login_FAILLOG_ENAB10
-rw-r--r--debian/patches/463_login_delay_obeys_to_PAM14
-rw-r--r--debian/patches/501_commonio_group_shadow4
-rw-r--r--debian/patches/506_relaxed_usernames39
-rw-r--r--debian/patches/series4
10 files changed, 29 insertions, 193 deletions
diff --git a/debian/patches/0001-chage-Fix-regression-in-print_date.patch b/debian/patches/0001-chage-Fix-regression-in-print_date.patch
deleted file mode 100644
index 969c139b..00000000
--- a/debian/patches/0001-chage-Fix-regression-in-print_date.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From e503fd574b7dbf6b21b1168e20938f0922807916 Mon Sep 17 00:00:00 2001
-From: Xiami <1927254+Xiami2012@users.noreply.github.com>
-Date: Wed, 5 Oct 2022 18:11:28 +0800
-Subject: [PATCH] chage: Fix regression in print_date
-
-Introduced by c6c8130db4319613a91dd07bbb845f6c33c5f79f
-
-After removing snprintf, the format string should get unescaped once.
-
-Fixes #564
-
-Reporter and patch author: DerMouse (github.com/DerMouse)
----
- src/chage.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/chage.c b/src/chage.c
-index 8cf67794..01570d72 100644
---- a/src/chage.c
-+++ b/src/chage.c
-@@ -228,7 +228,7 @@ static void print_date (time_t date)
- if (NULL == tp) {
- (void) printf ("time_t: %lu\n", (unsigned long)date);
- } else {
-- (void) strftime (buf, sizeof buf, iflg ? "%%Y-%%m-%%d" : "%%b %%d, %%Y", tp);
-+ (void) strftime (buf, sizeof buf, iflg ? "%Y-%m-%d" : "%b %d, %Y", tp);
- (void) puts (buf);
- }
- }
---
-2.34.1
-
diff --git a/debian/patches/0002-copy_tree-use-fchmodat-instead-of-chmod.patch b/debian/patches/0002-copy_tree-use-fchmodat-instead-of-chmod.patch
deleted file mode 100644
index 5bc79ce3..00000000
--- a/debian/patches/0002-copy_tree-use-fchmodat-instead-of-chmod.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From f3bdb28e57e5e38c1e89347976c7d61a181eec32 Mon Sep 17 00:00:00 2001
-From: Samanta Navarro <ferivoz@riseup.net>
-Date: Sun, 4 Sep 2022 11:54:19 +0000
-Subject: [PATCH 1/2] copy_tree: use fchmodat instead of chmod
-
-Fixes regression introduced in faeab50e710131816b261de66141524898c2c487
-for setups configured without acl support.
----
- libmisc/copydir.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libmisc/copydir.c b/libmisc/copydir.c
-index 5605f6fe..b6025f4c 100644
---- a/libmisc/copydir.c
-+++ b/libmisc/copydir.c
-@@ -529,7 +529,7 @@ static int copy_dir (const struct path_info *src, const struct path_info *dst,
- || ( (perm_copy_path (src, dst, &ctx) != 0)
- && (errno != 0))
- #else /* !WITH_ACL */
-- || (chmod (dst, statp->st_mode) != 0)
-+ || (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
- #endif /* !WITH_ACL */
- #ifdef WITH_ATTR
- /*
---
-2.34.1
-
diff --git a/debian/patches/0003-copy_tree-do-not-block-on-fifos.patch b/debian/patches/0003-copy_tree-do-not-block-on-fifos.patch
deleted file mode 100644
index 68ed93e6..00000000
--- a/debian/patches/0003-copy_tree-do-not-block-on-fifos.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 10cd68e0f04b48363eb32d2c6e168b358fb27810 Mon Sep 17 00:00:00 2001
-From: Samanta Navarro <ferivoz@riseup.net>
-Date: Sun, 4 Sep 2022 11:58:03 +0000
-Subject: [PATCH 2/2] copy_tree: do not block on fifos
-
-Fixes regression introduced in faeab50e710131816b261de66141524898c2c487.
-
-If a directory contains fifos, then openat blocks until the other side
-of the fifo is connected as well.
-
-This means that users can prevent "usermod -m" from completing if their
-home directories contain at least one fifo.
----
- libmisc/copydir.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libmisc/copydir.c b/libmisc/copydir.c
-index b6025f4c..5fb47da0 100644
---- a/libmisc/copydir.c
-+++ b/libmisc/copydir.c
-@@ -126,12 +126,12 @@ static int perm_copy_path(const struct path_info *src,
- {
- int src_fd, dst_fd, ret;
-
-- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (src_fd < 0) {
- return -1;
- }
-
-- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (dst_fd < 0) {
- (void) close (src_fd);
- return -1;
-@@ -152,12 +152,12 @@ static int attr_copy_path(const struct path_info *src,
- {
- int src_fd, dst_fd, ret;
-
-- src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (src_fd < 0) {
- return -1;
- }
-
-- dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-+ dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
- if (dst_fd < 0) {
- (void) close (src_fd);
- return -1;
---
-2.34.1
-
diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP
index c9e1ac6c..0946ca06 100644
--- a/debian/patches/008_login_log_failure_in_FTMP
+++ b/debian/patches/008_login_log_failure_in_FTMP
@@ -6,7 +6,7 @@ Notes:
--- a/src/login.c
+++ b/src/login.c
-@@ -829,6 +829,24 @@
+@@ -827,6 +827,24 @@
(void) puts ("");
(void) puts (_("Login incorrect"));
diff --git a/debian/patches/301_lastlog_faillog_do_not_reset_non-existent_data b/debian/patches/301_lastlog_faillog_do_not_reset_non-existent_data
deleted file mode 100644
index d5ccbddb..00000000
--- a/debian/patches/301_lastlog_faillog_do_not_reset_non-existent_data
+++ /dev/null
@@ -1,37 +0,0 @@
-From ebf9b232b012725d2be5e750876c7336cf1c37fd Mon Sep 17 00:00:00 2001
-From: David Kalnischkies <david@kalnischkies.de>
-Date: Wed, 24 Aug 2022 13:21:01 +0200
-Subject: [PATCH] useradd: Do not reset non-existent data in {last,fail}log
-
-useradd does not create the files if they don't exist, but if they exist
-it will reset user data even if the data did not exist before creating
-a hole and an explicitly zero'd data point resulting (especially for
-high UIDs) in a lot of zeros ending up in containers and tarballs.
----
- src/useradd.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1996,8 +1996,9 @@ static void faillog_reset (uid_t uid)
- struct faillog fl;
- int fd;
- off_t offset_uid = (off_t) (sizeof fl) * uid;
-+ struct stat st;
-
-- if (access (FAILLOG_FILE, F_OK) != 0) {
-+ if (stat (FAILLOG_FILE, &st) != 0 || st.st_size <= offset_uid) {
- return;
- }
-
-@@ -2033,8 +2034,9 @@ static void lastlog_reset (uid_t uid)
- int fd;
- off_t offset_uid = (off_t) (sizeof ll) * uid;
- uid_t max_uid;
-+ struct stat st;
-
-- if (access (LASTLOG_FILE, F_OK) != 0) {
-+ if (stat (LASTLOG_FILE, &st) != 0 || st.st_size <= offset_uid) {
- return;
- }
-
diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB
index efc5c97b..d8e60349 100644
--- a/debian/patches/429_login_FAILLOG_ENAB
+++ b/debian/patches/429_login_FAILLOG_ENAB
@@ -20,7 +20,7 @@ Note: It could be removed if pam_tally could report the number of failures
static void bad_time_notify (void);
static void check_nologin (bool login_to_root);
#else
-@@ -789,6 +789,9 @@
+@@ -787,6 +787,9 @@
SYSLOG ((LOG_NOTICE,
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
failcount, fromhost, failent_user));
@@ -30,7 +30,7 @@ Note: It could be removed if pam_tally could report the number of failures
fprintf (stderr,
_("Maximum number of tries exceeded (%u)\n"),
failcount);
-@@ -806,6 +809,14 @@
+@@ -804,6 +807,14 @@
pam_strerror (pamh, retcode)));
failed = true;
}
@@ -45,7 +45,7 @@ Note: It could be removed if pam_tally could report the number of failures
if (!failed) {
break;
-@@ -829,6 +840,10 @@
+@@ -827,6 +838,10 @@
(void) puts ("");
(void) puts (_("Login incorrect"));
@@ -56,7 +56,7 @@ Note: It could be removed if pam_tally could report the number of failures
if (getdef_str("FTMP_FILE") != NULL) {
#ifdef USE_UTMPX
struct utmpx *failent =
-@@ -1299,6 +1314,7 @@
+@@ -1295,6 +1310,7 @@
*/
#ifndef USE_PAM
motd (); /* print the message of the day */
@@ -64,7 +64,7 @@ Note: It could be removed if pam_tally could report the number of failures
if ( getdef_bool ("FAILLOG_ENAB")
&& (0 != faillog.fail_cnt)) {
failprint (&faillog);
-@@ -1311,6 +1327,7 @@
+@@ -1307,6 +1323,7 @@
username, (int) faillog.fail_cnt));
}
}
diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM
index 0207d4b1..ab32c2a9 100644
--- a/debian/patches/463_login_delay_obeys_to_PAM
+++ b/debian/patches/463_login_delay_obeys_to_PAM
@@ -9,7 +9,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
--- a/src/login.c
+++ b/src/login.c
-@@ -514,7 +514,6 @@
+@@ -512,7 +512,6 @@
#if !defined(USE_PAM)
char ptime[80];
#endif
@@ -17,7 +17,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
unsigned int retries;
bool subroot = false;
#ifndef USE_PAM
-@@ -539,6 +538,7 @@
+@@ -537,6 +536,7 @@
pid_t child;
char *pam_user = NULL;
#else
@@ -25,7 +25,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
struct spwd *spwd = NULL;
#endif
/*
-@@ -703,7 +703,6 @@
+@@ -701,7 +701,6 @@
}
environ = newenvp; /* make new environment active */
@@ -33,7 +33,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
-@@ -719,8 +718,7 @@
+@@ -717,8 +716,7 @@
/*
* hostname & tty are either set to NULL or their correct values,
@@ -43,7 +43,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
*
* PAM_RHOST and PAM_TTY are used for authentication, only use
* information coming from login or from the caller (e.g. no utmp)
-@@ -729,10 +727,6 @@
+@@ -727,10 +725,6 @@
PAM_FAIL_CHECK;
retcode = pam_set_item (pamh, PAM_TTY, tty);
PAM_FAIL_CHECK;
@@ -54,7 +54,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
/* if fflg, then the user has already been authenticated */
if (!fflg) {
unsigned int failcount = 0;
-@@ -773,12 +767,6 @@
+@@ -771,12 +765,6 @@
bool failed = false;
failcount++;
@@ -67,7 +67,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
retcode = pam_authenticate (pamh, 0);
-@@ -1114,14 +1102,17 @@
+@@ -1110,14 +1098,17 @@
free (username);
username = NULL;
diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow
index 0b6ccc5c..cfdf10c3 100644
--- a/debian/patches/501_commonio_group_shadow
+++ b/debian/patches/501_commonio_group_shadow
@@ -12,7 +12,7 @@ Fixes: #166793
#include "nscd.h"
#include "sssd.h"
#ifdef WITH_TCB
-@@ -976,12 +977,23 @@
+@@ -970,12 +971,23 @@
goto fail;
}
} else {
@@ -49,7 +49,7 @@ Fixes: #166793
NULL, /* head */
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
-@@ -82,7 +82,7 @@
+@@ -84,7 +84,7 @@
#ifdef WITH_SELINUX
NULL, /* scontext */
#endif /* WITH_SELINUX */
diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames
index 06b31ff6..b8b1ce17 100644
--- a/debian/patches/506_relaxed_usernames
+++ b/debian/patches/506_relaxed_usernames
@@ -23,11 +23,11 @@ Details:
+#if 0
/*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
-@@ -50,6 +51,26 @@
- return false;
- }
+ * User/group names must match gnu e-regex:
+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+@@ -52,8 +53,28 @@
+ *name == '.')) {
+ return false;
}
+#endif
+ /*
@@ -50,19 +50,15 @@ Details:
+ name++;
+ } while ('\0' != *name);
- return true;
- }
+- numeric = isdigit(*name);
++ int numeric = isdigit(*name);
+
+ while ('\0' != *++name) {
+ if (!((*name >= 'a' && *name <= 'z') ||
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
-@@ -698,12 +698,20 @@
- </para>
-
- <para>
-- Usernames must start with a lower case letter or an underscore,
-+ It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+@@ -708,6 +708,14 @@
+ the <command>ls</command> output.
</para>
<para>
+ On Debian, the only constraints are that usernames must neither start
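Review bot: In the refreshed inner hunk `@@ -52,8 +53,28 @@` the relaxed `do { ... name++; } while ('\0' != *name);` loop is no longer followed by `return true;`, so control appears to fall through into the upstream `int numeric = isdigit(*name);` and `while ('\0' != *++name)` with `name` already pointing at the terminator. The pre-increment then steps past the NUL, so the strict character test reads bytes beyond the end of the string and the accept/reject decision for a user or group name depends on adjacent memory. Keeping `return true;` directly after the relaxed loop, or moving `#endif` so the `#if 0` region also covers the remaining upstream loop, would avoid this. The rest of the patched function lies outside the lines shown, so this should be confirmed against the fully applied patch, ideally with a test that validates ordinary names under a memory checker.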
@@ -78,15 +74,8 @@ Details:
</refsect1>
--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
-@@ -64,12 +64,18 @@
- files as needed.
- </para>
- <para>
-- Groupnames must start with a lower case letter or an underscore,
-+ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+@@ -72,6 +72,12 @@
+ also disallowed.
</para>
<para>
+ On Debian, the only constraints are that groupnames must neither start
diff --git a/debian/patches/series b/debian/patches/series
index 3d7e73cd..503940b4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,11 +2,7 @@
#900_testsuite_groupmems
#901_testsuite_gcov
-0001-chage-Fix-regression-in-print_date.patch
-0002-copy_tree-use-fchmodat-instead-of-chmod.patch
-0003-copy_tree-do-not-block-on-fifos.patch
008_login_log_failure_in_FTMP
-301_lastlog_faillog_do_not_reset_non-existent_data
401_cppw_src.dpatch
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
402_cppw_selinux