diff options
Diffstat (limited to 'debian/patches/userns/06_userns_userdel')
-rw-r--r-- | debian/patches/userns/06_userns_userdel | 236 |
1 files changed, 236 insertions, 0 deletions
diff --git a/debian/patches/userns/06_userns_userdel b/debian/patches/userns/06_userns_userdel new file mode 100644 index 00000000..16e7051e --- /dev/null +++ b/debian/patches/userns/06_userns_userdel @@ -0,0 +1,236 @@ +From ebiederm@xmission.com Tue Jan 22 09:18:47 2013 +Return-Path: <ebiederm@xmission.com> +X-Original-To: serge@hallyn.com +Delivered-To: serge@hallyn.com +Received: by mail.hallyn.com (Postfix, from userid 5001) + id F2E6AC80F6; Tue, 22 Jan 2013 09:18:46 +0000 (UTC) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail +X-Spam-Level: +X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00 + autolearn=no version=3.3.1 +Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) + (using TLSv1 with cipher AES256-SHA (256/256 bits)) + (No client certificate requested) + by mail.hallyn.com (Postfix) with ESMTPS id 996B1C80D1 + for <serge@hallyn.com>; Tue, 22 Jan 2013 09:18:42 +0000 (UTC) +Received: from out03.mta.xmission.com ([166.70.13.233]) + by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) + (Exim 4.76) + (envelope-from <ebiederm@xmission.com>) + id 1TxZyW-0008Bi-3X; Tue, 22 Jan 2013 02:17:00 -0700 +Received: from in02.mta.xmission.com ([166.70.13.52]) + by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) + (Exim 4.76) + (envelope-from <ebiederm@xmission.com>) + id 1TxZyU-0005NA-Qm; Tue, 22 Jan 2013 02:16:59 -0700 +Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com) + by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) + (Exim 4.76) + (envelope-from <ebiederm@xmission.com>) + id 1TxZyQ-0004qs-T1; Tue, 22 Jan 2013 02:16:58 -0700 +From: ebiederm@xmission.com (Eric W. Biederman) +To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net> +Cc: <Pkg-shadow-devel@lists.alioth.debian.org>, Linux Containers <containers@lists.linux-foundation.org>, "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>, "Serge E. Hallyn" <serge@hallyn.com> +References: <87d2wxshu0.fsf@xmission.com> +Date: Tue, 22 Jan 2013 01:16:51 -0800 +In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of + "Tue, 22 Jan 2013 01:11:19 -0800") +Message-ID: <878v7lr30c.fsf@xmission.com> +User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux) +MIME-Version: 1.0 +Content-Type: text/plain +X-XM-AID: U2FsdGVkX1/1l7dElNy9uNLAXx8eC28OMs/pxPM8NEo= +X-SA-Exim-Connect-IP: 98.207.153.68 +X-SA-Exim-Mail-From: ebiederm@xmission.com +Subject: [PATCH 06/11] userdel: Add support for removing subordinate user and group ids. +X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700) +X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) +X-UID: 2076 +Status: O +Content-Length: 5573 +Lines: 186 + + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +--- + src/userdel.c | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 115 insertions(+), 0 deletions(-) + +Index: shadow/src/userdel.c +=================================================================== +--- shadow.orig/src/userdel.c 2013-02-01 15:27:52.380080367 -0600 ++++ shadow/src/userdel.c 2013-02-01 15:27:52.372080367 -0600 +@@ -65,6 +65,7 @@ + #endif /* WITH_TCB */ + /*@-exitarg@*/ + #include "exitcodes.h" ++#include "subordinateio.h" + + /* + * exit status values +@@ -75,6 +76,8 @@ + #define E_GRP_UPDATE 10 /* can't update group file */ + #define E_HOMEDIR 12 /* can't remove home directory */ + #define E_SE_UPDATE 14 /* can't update SELinux user mapping */ ++#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */ ++#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */ + + /* + * Global variables +@@ -96,9 +99,13 @@ + static bool is_shadow_grp; + static bool sgr_locked = false; + #endif /* SHADOWGRP */ ++static bool is_sub_uid; ++static bool is_sub_gid; + static bool pw_locked = false; + static bool gr_locked = false; + static bool spw_locked = false; ++static bool sub_uid_locked = false; ++static bool sub_gid_locked = false; + + /* local function prototypes */ + static void usage (int status); +@@ -437,6 +444,34 @@ + sgr_locked = false; + } + #endif /* SHADOWGRP */ ++ ++ if (is_sub_uid) { ++ if (sub_uid_close () == 0) { ++ fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ()); ++ SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ())); ++ fail_exit (E_SUB_UID_UPDATE); ++ } ++ if (sub_uid_unlock () == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); ++ /* continue */ ++ } ++ sub_uid_locked = false; ++ } ++ ++ if (is_sub_gid) { ++ if (sub_gid_close () == 0) { ++ fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ()); ++ SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ())); ++ fail_exit (E_SUB_GID_UPDATE); ++ } ++ if (sub_gid_unlock () == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); ++ /* continue */ ++ } ++ sub_gid_locked = false; ++ } + } + + /* +@@ -474,6 +509,20 @@ + } + } + #endif /* SHADOWGRP */ ++ if (sub_uid_locked) { ++ if (sub_uid_unlock () == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); ++ /* continue */ ++ } ++ } ++ if (sub_gid_locked) { ++ if (sub_gid_unlock () == 0) { ++ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); ++ SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); ++ /* continue */ ++ } ++ } + + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, +@@ -595,6 +644,58 @@ + } + } + #endif /* SHADOWGRP */ ++ if (is_sub_uid) { ++ if (sub_uid_lock () == 0) { ++ fprintf (stderr, ++ _("%s: cannot lock %s; try again later.\n"), ++ Prog, sub_uid_dbname ()); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_DEL_USER, Prog, ++ "locking subordinate user file", ++ user_name, (unsigned int) user_id, ++ SHADOW_AUDIT_FAILURE); ++#endif /* WITH_AUDIT */ ++ fail_exit (E_SUB_UID_UPDATE); ++ } ++ sub_uid_locked = true; ++ if (sub_uid_open (O_RDWR) == 0) { ++ fprintf (stderr, ++ _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_DEL_USER, Prog, ++ "opening subordinate user file", ++ user_name, (unsigned int) user_id, ++ SHADOW_AUDIT_FAILURE); ++#endif /* WITH_AUDIT */ ++ fail_exit (E_SUB_UID_UPDATE); ++ } ++ } ++ if (is_sub_gid) { ++ if (sub_gid_lock () == 0) { ++ fprintf (stderr, ++ _("%s: cannot lock %s; try again later.\n"), ++ Prog, sub_gid_dbname ()); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_DEL_USER, Prog, ++ "locking subordinate group file", ++ user_name, (unsigned int) user_id, ++ SHADOW_AUDIT_FAILURE); ++#endif /* WITH_AUDIT */ ++ fail_exit (E_SUB_GID_UPDATE); ++ } ++ sub_gid_locked = true; ++ if (sub_gid_open (O_RDWR) == 0) { ++ fprintf (stderr, ++ _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_DEL_USER, Prog, ++ "opening subordinate group file", ++ user_name, (unsigned int) user_id, ++ SHADOW_AUDIT_FAILURE); ++#endif /* WITH_AUDIT */ ++ fail_exit (E_SUB_GID_UPDATE); ++ } ++ } + } + + /* +@@ -619,6 +720,18 @@ + Prog, user_name, spw_dbname ()); + fail_exit (E_PW_UPDATE); + } ++ if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) { ++ fprintf (stderr, ++ _("%s: cannot remove entry %lu from %s\n"), ++ Prog, (unsigned long)user_id, sub_uid_dbname ()); ++ fail_exit (E_SUB_UID_UPDATE); ++ } ++ if (is_sub_gid && sub_gid_remove(user_name, 0, ULONG_MAX) == 0) { ++ fprintf (stderr, ++ _("%s: cannot remove entry %lu from %s\n"), ++ Prog, (unsigned long)user_id, sub_gid_dbname ()); ++ fail_exit (E_SUB_GID_UPDATE); ++ } + #ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_USER, Prog, + "deleting user entries", +@@ -966,6 +1079,8 @@ + #ifdef SHADOWGRP + is_shadow_grp = sgr_file_present (); + #endif /* SHADOWGRP */ ++ is_sub_uid = sub_uid_file_present (); ++ is_sub_gid = sub_gid_file_present (); + + /* + * Start with a quick check to see if the user exists. |