diff --git a/backport-Create-parent-dirs-for-useradd-m.patch b/backport-Create-parent-dirs-for-useradd-m.patch
new file mode 100644
index 0000000000000000000000000000000000000000..94c0cf6a94af3757b1761bcbe4988e120fc31722
--- /dev/null
+++ b/backport-Create-parent-dirs-for-useradd-m.patch
@@ -0,0 +1,93 @@
+From b3b6d9d77c1d18b98670b97157777bb74092cd69 Mon Sep 17 00:00:00 2001
+From: Michael Vetter
+Date: Tue, 15 May 2018 17:25:52 +0200
+Subject: [PATCH] Create parent dirs for useradd -m
+
+Equivalent of `mkdir -p`. It will create all parent directories.
+Example: `useradd -d /home2/testu1 -m testu1`
+
+Based on https://github.com/shadow-maint/shadow/pull/2 by Thorsten Kukuk
+and Thorsten Behrens which was Code from pwdutils 3.2.2 with slight adaptations.
+
+Adapted to so it applies to current code.
+---
+ src/useradd.c | 50 +++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index e721e52b..ca90f076 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2018,6 +2018,19 @@ static void usr_update (void)
+ static void create_home (void)
+ {
+ if (access (prefix_user_home, F_OK) != 0) {
++ char path[strlen (prefix_user_home) + 2];
++ char *bhome, *cp;
++
++ path[0] = '\0';
++ bhome = strdup (prefix_user_home);
++ if (!bhome) {
++ fprintf (stderr,
++ _("%s: error while duplicating string %s\n"),
++ Prog, user_home);
++ fail_exit (E_HOMEDIR);
++ }
++ ++bhome;
++
+ #ifdef WITH_SELINUX
+ if (set_selinux_file_context (prefix_user_home) != 0) {
+ fprintf (stderr,
+@@ -2026,19 +2039,42 @@ static void create_home (void)
+ fail_exit (E_HOMEDIR);
+ }
+ #endif
+- /* XXX - create missing parent directories. --marekm */
+- if (mkdir (prefix_user_home, 0) != 0) {
++
++ /* Check for every part of the path, if the directory
++ exists. If not, create it with permissions 755 and
++ owner root:root.
++ */
++ cp = strtok (bhome, "/");
++ while (cp) {
++ strcat (path, "/");
++ strcat (path, cp);
++ if (access (path, F_OK) != 0) {
++ if (mkdir (path, 0) != 0) {
+ fprintf (stderr,
+- _("%s: cannot create directory %s\n"),
+- Prog, prefix_user_home);
++ _("%s: cannot create directory %s\n"),
++ Prog, path);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+- "adding home directory",
+- user_name, (unsigned int) user_id,
+- SHADOW_AUDIT_FAILURE);
++ "adding home directory",
++ user_name, (unsigned int) user_id,
++ SHADOW_AUDIT_FAILURE);
+ #endif
+ fail_exit (E_HOMEDIR);
+ }
++ if (chown (path, 0, 0) < 0) {
++ fprintf (stderr,
++ _("%s: warning: chown on `%s' failed: %m\n"),
++ Prog, path);
++ }
++ if (chmod (path, 0755) < 0) {
++ fprintf (stderr,
++ _("%s: warning: chmod on `%s' failed: %m\n"),
++ Prog, path);
++ }
++ }
++ cp = strtok (NULL, "/");
++ }
++
+ (void) chown (prefix_user_home, user_id, user_gid);
+ chmod (prefix_user_home,
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+-- 
+2.20.1
+
diff --git a/backport-Fix-yescrypt-support.patch b/backport-Fix-yescrypt-support.patch
new file mode 100644
index 0000000000000000000000000000000000000000..198a03e2a7eca1701bc6e6fd2a0c282140d9f859
--- /dev/null
+++ b/backport-Fix-yescrypt-support.patch
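Review bot: `bhome` is leaked in the new create_home code: `++bhome;` advances the only pointer to the strdup'd buffer, so it is never freed and could not be freed through that pointer anyway. Since `strtok (bhome, "/")` already skips leading delimiters, `++bhome;` can be dropped and `free (bhome);` added after the `cp = strtok (NULL, "/"); }` loop; the increment also silently drops the first character of any prefix_user_home that does not begin with '/' (useradd probably rejects relative -d values, but nothing in this hunk enforces it). The `access (path, F_OK)` check followed by `mkdir (path, 0)` is a check-then-act race; calling mkdir unconditionally and treating `errno == EEXIST` as "already present" (skipping the chown/chmod in that case) avoids it, and `strtok_r` would avoid strtok's static state. create_home's closing lines fall outside the second inner hunk.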
@@ -0,0 +1,34 @@
+From 29da702491eea314b915ea9c7a83c9af80cf5797 Mon Sep 17 00:00:00 2001
+From: Bernd Kuhls
+Date: Sun, 9 Jul 2023 10:55:03 +0200
+Subject: [PATCH] Fix yescrypt support
+
+Fixes build error:
+newusers.c: In function 'update_passwd':
+newusers.c:433:21: error: 'sflg' undeclared (first use in this function); did you mean 'rflg'?
+
+introduced by
+https://github.com/shadow-maint/shadow/commit/5cd04d03f94622c12220d4a6352824af081b8531
+which forgot to define sflg for these configure options:
+
+--without-sha-crypt --without-bcrypt --with-yescrypt
+---
+ src/newusers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/newusers.c b/src/newusers.c
+index 7cb8434b..08f79798 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -60,7 +60,7 @@ static bool rflg = false; /* create a system account */
+ #ifndef USE_PAM
+ static /*@null@*//*@observer@*/char *crypt_method = NULL;
+ #define cflg (NULL != crypt_method)
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
+ static bool sflg = false;
+ #endif
+ #ifdef USE_SHA_CRYPT
+-- 
+2.20.1
+
diff --git a/backport-newgrp-fix-potential-string-injection.patch b/backport-newgrp-fix-potential-string-injection.patch
new file mode 100644
index 0000000000000000000000000000000000000000..272a31d36523c9712d64cda2a483e4c8535c069d
--- /dev/null
+++ b/backport-newgrp-fix-potential-string-injection.patch
@@ -0,0 +1,58 @@
+From 9df4801e0b65073cc8a9031b22a73532ef7fdc2c Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Fri, 21 Jul 2023 14:55:19 +0200
+Subject: [PATCH] newgrp: fix potential string injection
+
+Since newgrp is setuid-root, any write() system calls it does in order
+to print error messages will be done as the root user.
+
+Unprivileged users can get newgrp to print essentially arbitrary strings
+to any open file in this way by passing those strings as argv[0] when
+calling execve(). For example:
+
+ $ setpid() { (exec -a $1$'\n:' newgrp '' 2>/proc/sys/kernel/ns_last_pid & wait) >/dev/null; }
+ $ setpid 31000
+ $ readlink /proc/self
+ 31001
+
+This is not a vulnerability in newgrp; it is a bug in the Linux kernel.
+
+However, this type of bug is not new [1] and it makes sense to try to
+mitigate these types of bugs in userspace where possible.
+
+[1]: https://lwn.net/Articles/476947/
+
+Signed-off-by: Vegard Nossum
+---
+ src/newgrp.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/newgrp.c b/src/newgrp.c
+index babb28e9..f786a96f 100644
+--- a/src/newgrp.c
++++ b/src/newgrp.c
+@@ -417,11 +417,18 @@ int main (int argc, char **argv)
+ * but we do not need to restore the previous process persona and we
+ * don't need to re-exec anything. -- JWP
+ */
+- Prog = Basename (argv[0]);
++
++ /*
++ * Ensure that "Prog" is always either "newgrp" or "sg" to avoid
++ * injecting arbitrary strings into our stderr/stdout, as this can
++ * be an exploit vector.
++ */
++ is_newgrp = (strcmp (Basename (argv[0]), "newgrp") == 0);
++ Prog = is_newgrp ? "newgrp" : "sg";
++
+ log_set_progname(Prog);
+ log_set_logfd(stderr);
+- is_newgrp = (strcmp (Prog, "newgrp") == 0);
+- OPENLOG (is_newgrp ? "newgrp" : "sg");
++ OPENLOG (Prog);
+ argc--;
+ argv++;
+
+-- 
+2.20.1
+
diff --git a/shadow.spec b/shadow.spec
index e1a717633587f1ebb91bd8a9e457e68469a4b7e1..a69e58f0773117bb9add14ab9e2c1afc131470a9 100644
--- a/shadow.spec
+++ b/shadow.spec
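Review bot: The new `is_newgrp = (strcmp (Basename (argv[0]), "newgrp") == 0);` still dereferences `argv[0]` without checking `argc > 0`; an execve() with an empty argv leaves argv[0] NULL on kernels that do not substitute an empty string, and if Basename() is the usual strrchr-based helper that is a NULL dereference in a setuid program. A guard such as `const char *argv0 = (argc > 0 && NULL != argv[0]) ? argv[0] : "";` followed by `is_newgrp = (strcmp (Basename (argv0), "newgrp") == 0);` keeps the fix and lets the empty-argv case fall through to "sg" harmlessly. This is a crash rather than the injection the commit addresses, and the rest of main() lies outside the hunk.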
@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.13
-Release: 7
+Release: 8
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@@ -32,6 +32,9 @@ Patch12: backport-semanage-disconnect-to-free-libsemanage-internals.patch
 Patch13: backport-run_parts-for-groupadd-and-groupdel.patch
 Patch14: shadow-Remove-encrypted-passwd-for-useradd-gr.patch
 Patch15: backport-chgpasswd-fix-segfault-in-command-line-options.patch
+Patch16: backport-Fix-yescrypt-support.patch
+Patch17: backport-newgrp-fix-potential-string-injection.patch
+Patch18: backport-Create-parent-dirs-for-useradd-m.patch
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@@ -199,6 +202,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a}
 %{_mandir}/*/*
 %changelog
+* Wed Sep 20 2023 lvgenggeng - 2:4.13-8
+- backport patches from upstream
+
 * Wed Sep 20 2023 lvgenggeng - 2:4.13-7
 - backport patches from upstream