From 243c6a72cfd1ea2d03ba0517afbca05b8ab5fd76 Mon Sep 17 00:00:00 2001 
From: qsw333 Date: Tue, 7 Nov 2023 17:22:07 +0800 Subject: [PATCH 1/2] backport some patches --- ...-buffer-overflow-when-using-a-prefix.patch | 29 +++++ ...cumentation-around-CREATE_MAIL_SPOOL.patch | 28 +++++ ...port-Address-minor-compiler-warnings.patch | 0 backport-Avoid-races-in-chown_tree.patch | 4 +- backport-Avoid-races-in-copy_tree.patch | 10 +- backport-CVE-2013-4235.patch | 34 ++++++ ...regular-file-pre-exists-in-copy_tree.patch | 0 ...port-Fix-parentheses-in-configure.ac.patch | 27 +++++ ...e-malformed-lines-in-hushlogins-file.patch | 34 ++++++ backport-Improve-child-error-handling.patch | 62 ++++++++++ ...nly-free-sgent-if-it-was-initialized.patch | 43 +++++++ backport-Require-symlink-support.patch | 18 +-- ...heck-NULL-before-freeing-passwd-data.patch | 70 ++++++++++++ ...minimum-id-check-for-system-accounts.patch | 58 ++++++++++ ...ile.in-switch-from-xml2po-to-itstool.patch | 45 ++++++++ ...-run_parts-for-groupadd-and-groupdel.patch | 4 +- ...LS-enablement-before-setting-serange.patch | 60 ++++++++++ ...check-if-subid-range-exists-for-user.patch | 39 +++++++ shadow.spec | 106 ++++++++++-------- 19 files changed, 606 insertions(+), 65 deletions(-) create mode 100644 backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch create mode 100644 backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch rename backport-Address-minor-complier-warnings.patch => backport-Address-minor-compiler-warnings.patch (100%) create mode 100644 backport-CVE-2013-4235.patch rename backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch => backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch (100%) create mode 100644 backport-Fix-parentheses-in-configure.ac.patch create mode 100644 backport-Handle-malformed-lines-in-hushlogins-file.patch create mode 100644 backport-Improve-child-error-handling.patch create mode 100644 backport-Only-free-sgent-if-it-was-initialized.patch create mode 100644 backport-lib-check-NULL-before-freeing-passwd-data.patch create 
mode 100644 backport-libmisc-minimum-id-check-for-system-accounts.patch create mode 100644 backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch create mode 100644 backport-useradd-check-MLS-enablement-before-setting-serange.patch create mode 100644 backport-useradd-check-if-subid-range-exists-for-user.patch diff --git a/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch b/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch new file mode 100644 index 0000000..76ff976 --- /dev/null +++ b/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch @@ -0,0 +1,29 @@ +From eaebea55a495a56317ed85e959b3599f73c6bdf2 Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Sun, 23 Oct 2022 18:51:33 -0400 +Subject: [PATCH] useradd: Fix buffer overflow when using a prefix + +The buffer length did not count the string's trailing null byte. + +Signed-off-by: David Michael + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/f6f8bcd2a57c06983296485cc028ebdf467ebfd7 + +--- + src/useradd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/useradd.c b/src/useradd.c +index 39a744ee0..7ea0a9c4d 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -2372,7 +2372,7 @@ static void create_mail (void) + if (NULL == spool) { + return; + } +- file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2); ++ file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3); + if (prefix[0]) + sprintf (file, "%s/%s/%s", prefix, spool, user_name); + else diff --git a/backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch b/backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch new file mode 100644 index 0000000..8cb1e69 --- /dev/null +++ b/backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch 
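Review bot: The `Reference:` trailer of this new patch file points at upstream commit f6f8bcd2a57c06983296485cc028ebdf467ebfd7, but its own `From` line carries eaebea55a495a56317ed85e959b3599f73c6bdf2. The same f6f8bcd2… URL is also used as the reference in backport-useradd-check-if-subid-range-exists-for-user.patch, whose `From` line is e0524e81…. Every other patch added in this commit cites the hash from its `From` line, so at least one of the two trailers is wrong and the origin of a memory-safety fix cannot be checked from the header alone. The file name is spelled `backort-`, and the spec's `Patch51:` line repeats that spelling, although this commit renames two other misspelled patch files. For the code itself, the `+ 3` matches the two `/` separators plus the NUL written by `sprintf (file, "%s/%s/%s", ...)`; the `else` branch lies outside the hunk.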
@@ -0,0 +1,28 @@ +From aff4989d1acf3afc718813144658c295d8d10f20 Mon Sep 17 00:00:00 2001 +From: Andy Zaugg +Date: Mon, 20 Sep 2021 20:41:50 -0700 +Subject: [PATCH] Added documentation around CREATE_MAIL_SPOOL + +Adding documentation aroud the parameter CREATE_MAIL_SPOOL in the +/etc/default/useradd file + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/aff4989d1acf3afc718813144658c295d8d10f20 + +--- + man/login.defs.d/MAIL_DIR.xml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/man/login.defs.d/MAIL_DIR.xml b/man/login.defs.d/MAIL_DIR.xml +index 60b82d6b1..b5adb888b 100644 +--- a/man/login.defs.d/MAIL_DIR.xml ++++ b/man/login.defs.d/MAIL_DIR.xml +@@ -35,6 +35,8 @@ + The mail spool directory. This is needed to manipulate the mailbox + when its corresponding user account is modified or deleted. If not + specified, a compile-time default is used. ++ The parameter CREATE_MAIL_SPOOL in /etc/default/useradd ++ determines whether the mail spool should be created. + + + diff --git a/backport-Address-minor-complier-warnings.patch b/backport-Address-minor-compiler-warnings.patch similarity index 100% rename from backport-Address-minor-complier-warnings.patch rename to backport-Address-minor-compiler-warnings.patch diff --git a/backport-Avoid-races-in-chown_tree.patch b/backport-Avoid-races-in-chown_tree.patch index 9484aa4..8d6cb51 100644 --- a/backport-Avoid-races-in-chown_tree.patch +++ b/backport-Avoid-races-in-chown_tree.patch @@ -48,10 +48,10 @@ index 0edc3b609..d31618a56 100644 - char *new_name; - size_t new_name_len; - int rc = 0; -- struct dirent *ent; +- struct DIRECT *ent; - struct stat sb; DIR *dir; -+ const struct dirent *ent; ++ const struct DIRECT *ent; + struct stat dir_sb; + int dir_fd, rc = 0; diff --git a/backport-Avoid-races-in-copy_tree.patch b/backport-Avoid-races-in-copy_tree.patch index ab2cc17..340c2c2 100644 --- a/backport-Avoid-races-in-copy_tree.patch +++ b/backport-Avoid-races-in-copy_tree.patch 
@@ -168,8 +168,8 @@ index e753d7cf0..5605f6fe0 100644 - int err = 0; + int dst_fd, src_fd, err = 0; bool set_orig = false; -- struct dirent *ent; -+ const struct dirent *ent; +- struct DIRECT *ent; ++ const struct DIRECT *ent; DIR *dir; if (copy_root) { @@ -187,10 +187,10 @@ index e753d7cf0..5605f6fe0 100644 } if (!S_ISDIR (sb.st_mode)) { - fprintf (log_get_logfd(), + fprintf (show_logfd, "%s: %s is not a directory", -- log_get_progname(), src_root); -+ log_get_progname(), src->full_path); +- Prog,src_root); ++ Prog, src->full_path); return -1; } diff --git a/backport-CVE-2013-4235.patch b/backport-CVE-2013-4235.patch new file mode 100644 index 0000000..9506bc1 --- /dev/null +++ b/backport-CVE-2013-4235.patch @@ -0,0 +1,34 @@ +From b4472167c2f5057d56686d3349a9b55fc508efe6 Mon Sep 17 00:00:00 2001 +From: ed neville +Date: Fri, 31 Dec 2021 22:40:13 +0000 +Subject: [PATCH] Adding nofollow to opens + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/b4472167c2f5057d56686d3349a9b55fc508efe6 + +--- + libmisc/copydir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libmisc/copydir.c b/libmisc/copydir.c +index f2130bcac..a296d925d 100644 +--- a/libmisc/copydir.c ++++ b/libmisc/copydir.c +@@ -741,7 +741,7 @@ static int copy_file (const char *src, const char *dst, + char buf[1024]; + ssize_t cnt; + +- ifd = open (src, O_RDONLY); ++ ifd = open (src, O_RDONLY|O_NOFOLLOW); + if (ifd < 0) { + return -1; + } +@@ -751,7 +751,7 @@ static int copy_file (const char *src, const char *dst, + return -1; + } + #endif /* WITH_SELINUX */ +- ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC, statp->st_mode & 07777); ++ ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, statp->st_mode & 07777); + if ( (ofd < 0) + || (fchown_if_needed (ofd, statp, + old_uid, new_uid, old_gid, new_gid) != 0) 
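Review bot: The file name backport-CVE-2013-4235.patch claims a CVE fix, but the patch inside is the single upstream commit "Adding nofollow to opens", and its header never mentions the CVE. `O_NOFOLLOW` on the two `open()` calls in `copy_file` only rejects a symlink in the final path component, so a replaced intermediate directory is still followed. The race is therefore narrowed rather than closed by this patch alone, and the rest presumably depends on the backport-Avoid-races-in-*.patch files applied later in the spec. I would add a header line such as `CVE: CVE-2013-4235 (partial, completed by backport-Avoid-races-in-copy_tree.patch)` so the file name does not overstate the coverage. The patch is also now applied (Patch29) before the copydir.c patches that were previously applied without it; the page does not show whether their hunks were refreshed against the new context.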
diff --git a/backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch b/backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch
similarity index 100%
rename from backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch
rename to backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch
diff --git a/backport-Fix-parentheses-in-configure.ac.patch b/backport-Fix-parentheses-in-configure.ac.patch
new file mode 100644
index 0000000..bf37375
--- /dev/null
+++ b/backport-Fix-parentheses-in-configure.ac.patch
@@ -0,0 +1,27 @@
+From 049f9a7f6b320c728a6274299041e360381d7cd5 Mon Sep 17 00:00:00 2001
+From: Andy Zaugg
+Date: Tue, 21 Sep 2021 21:51:10 -0700
+Subject: [PATCH] Fix parentheses in configure.ac
+
+Resolving issue https://github.com/shadow-maint/shadow/issues/419
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/049f9a7f6b320c728a6274299041e360381d7cd5
+
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 994836bda..6cbb6bd27 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -345,7 +345,7 @@ if test "$with_sssd" = "yes"; then
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
+ fi
+
+-AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])])
++AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su]))
+ AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"])
+
+ dnl Check for some functions in libc first, only if not found check for
diff --git a/backport-Handle-malformed-lines-in-hushlogins-file.patch b/backport-Handle-malformed-lines-in-hushlogins-file.patch
new file mode 100644
index 0000000..49b2d10
--- /dev/null
+++ b/backport-Handle-malformed-lines-in-hushlogins-file.patch
@@ -0,0 +1,34 @@
+From 63a96706b1205f91c4a57de21ac56e996d270ff1 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Fri, 29 Oct 2021 19:44:46 +0200
+Subject: [PATCH] Handle malformed lines in hushlogins file.
+
+If a line in hushlogins file, e.g. /etc/hushlogins, starts with
+'\0', then current code performs an out of boundary write.
+If the line lacks a newline at the end, then another character is
+overridden.
+
+With strcspn both cases are solved.
+
+Signed-off-by: Tobias Stoeckmann
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/63a96706b1205f91c4a57de21ac56e996d270ff1
+
+---
+ libmisc/hushed.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libmisc/hushed.c b/libmisc/hushed.c
+index b71b99ce2..3c3adafca 100644
+--- a/libmisc/hushed.c
++++ b/libmisc/hushed.c
+@@ -90,7 +90,7 @@ bool hushed (const char *username)
+ return false;
+ }
+ for (found = false; !found && (fgets (buf, (int) sizeof buf, fp) == buf);) {
+- buf[strlen (buf) - 1] = '\0';
++ buf[strcspn (buf, "\n")] = '\0';
+ found = (strcmp (buf, pw->pw_shell) == 0) ||
+ (strcmp (buf, pw->pw_name) == 0);
+ }
diff --git a/backport-Improve-child-error-handling.patch b/backport-Improve-child-error-handling.patch
new file mode 100644
index 0000000..cdebe8d
--- /dev/null
+++ b/backport-Improve-child-error-handling.patch
@@ -0,0 +1,62 @@
+From 624d57c08caceed306212d24c2147f6273f3fc4b Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Sun, 14 Nov 2021 12:01:32 +0100
+Subject: [PATCH] Improve child error handling
+
+Always set SIGCHLD handler to default, even if the caller of vipw has
+set SIGCHLD to ignore. If SIGCHLD is ignored no zombie processes would
+be created, which in turn could mean that kill is called with an already
+recycled pid.
+
+Proof of Concept:
+
+1. Compile nochld:
+ --
+ #include
+ #include
+ int main(void) {
+ char *argv[] = { "vipw", NULL };
+ signal(SIGCHLD, SIG_IGN);
+ execvp("vipw", argv);
+ return 1;
+ }
+ --
+2. Run nochld
+3. Suspend child vi, which suspends vipw too:
+`kill -STOP childpid`
+4. Kill vi:
+`kill -9 childpid`
+5. You can see with ps that childpid is no zombie but disappeared
+6. Bring vipw back into foreground
+`fg`
+
+The kill call sends SIGCONT to "childpid" which in turn could have been
+already recycled for another process.
+
+This is definitely not a vulnerability. It would take super user
+operations, at which point an attacker would have already elevated
+permissions.
+
+Signed-off-by: Tobias Stoeckmann
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/624d57c08caceed306212d24c2147f6273f3fc4b
+
+---
+ src/vipw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/vipw.c b/src/vipw.c
+index 94185c3df..1a69ef285 100644
+--- a/src/vipw.c
++++ b/src/vipw.c
+@@ -349,6 +349,9 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void))
+ sigprocmask(SIG_BLOCK, &mask, &omask);
+ }
+
++ /* set SIGCHLD to default for waitpid */
++ signal(SIGCHLD, SIG_DFL);
++
+ for (;;) {
+ pid = waitpid (pid, &status, WUNTRACED);
+ if ((pid != -1) && (WIFSTOPPED (status) != 0)) {
diff --git a/backport-Only-free-sgent-if-it-was-initialized.patch b/backport-Only-free-sgent-if-it-was-initialized.patch
new file mode 100644
index 0000000..ad29342
--- /dev/null
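Review bot: `signal(SIGCHLD, SIG_DFL);` is added directly in front of the `waitpid` loop, where `pid` is already set, so the editor child appears to have been forked earlier (the fork is outside this hunk) while SIGCHLD could still be ignored. If the child exits in that window it is reaped automatically and `waitpid` returns -1 with ECHILD, so the disposition is better reset before the fork. The return value of `signal` is also unchecked; `sigaction` with an explicit `SIG_DFL` handler would make the intent and the failure handling clearer. vipwedit begins and ends outside the hunk.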
+++ b/backport-Only-free-sgent-if-it-was-initialized.patch @@ -0,0 +1,43 @@ +From 117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 Mon Sep 17 00:00:00 2001 +From: Michael Vetter +Date: Mon, 20 Sep 2021 11:04:50 +0200 +Subject: [PATCH] Only free sgent if it was initialized + +`sgent` is only initialized in `get_group()` if `is_shadowgrp` is true. +So we should also only attempt to free it if this is actually the case. + +Can otherwise lead to: +``` +free() double free detected in tcache 2 (gpasswd) +``` + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 + +--- + src/gpasswd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index a43d9a590..04bed83d6 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -1207,11 +1207,13 @@ int main (int argc, char **argv) + sssd_flush_cache (SSSD_DB_GROUP); + + #ifdef SHADOWGRP +- if (sgent.sg_adm) { +- xfree(sgent.sg_adm); +- } +- if (sgent.sg_mem) { +- xfree(sgent.sg_mem); ++ if (is_shadowgrp) { ++ if (sgent.sg_adm) { ++ xfree(sgent.sg_adm); ++ } ++ if (sgent.sg_mem) { ++ xfree(sgent.sg_mem); ++ } + } + #endif + if (grent.gr_mem) { diff --git a/backport-Require-symlink-support.patch b/backport-Require-symlink-support.patch index c333465..3e4f891 100644 --- a/backport-Require-symlink-support.patch +++ b/backport-Require-symlink-support.patch @@ -21,15 +21,15 @@ diff --git a/configure.ac b/configure.ac index b9a2263bb..7e954c29c 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -49,7 +49,7 @@ AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])]) +@@ -53,7 +53,7 @@ AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])]) - AC_CHECK_FUNCS(arc4random_buf l64a fchmod fchown fsync futimes \ - getentropy getrandom getspnam getusershell \ -- getutent initgroups lchown lckpwdf lstat lutimes \ -+ getutent initgroups lckpwdf lutimes \ - setgroups updwtmp updwtmpx innetgr getpwnam_r \ - getpwuid_r getgrnam_r getgrgid_r getspnam_r \ - memset_s explicit_bzero) + AC_CHECK_FUNCS(arc4random_buf l64a fchmod fchown fsync futimes getgroups \ + gethostname getentropy getrandom getspnam gettimeofday getusershell \ +- getutent initgroups lchown lckpwdf lstat lutimes memcpy memset \ ++ getutent initgroups lckpwdf lutimes memcpy memset \ + setgroups sigaction strchr updwtmp updwtmpx innetgr getpwnam_r \ + getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo ruserok\ + dlopen) diff --git a/lib/commonio.c b/lib/commonio.c index 9e0fde600..80288d644 100644 --- a/lib/commonio.c @@ -55,7 +55,7 @@ index 4a2b90c9e..ee33aa0da 100644 --- a/lib/defines.h +++ b/lib/defines.h @@ -205,22 +205,6 @@ static inline void memzero(void *ptr, size_t size) - # define SEEK_END 2 + # endif #endif -#ifndef S_ISLNK diff --git a/backport-lib-check-NULL-before-freeing-passwd-data.patch b/backport-lib-check-NULL-before-freeing-passwd-data.patch new file mode 100644 index 0000000..8164fff --- /dev/null +++ b/backport-lib-check-NULL-before-freeing-passwd-data.patch 
@@ -0,0 +1,70 @@
+From d594243fbbdabc73fdee50886f6dd11867b5cfab Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Thu, 18 Nov 2021 16:48:26 +0100
+Subject: [PATCH] lib: check NULL before freeing passwd data
+
+Add an additional NULL check condition in spw_free() and pw_free() to
+avoid freeing an already empty pointer.
+
+Signed-off-by: Iker Pedrosa
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/d594243fbbdabc73fdee50886f6dd11867b5cfab
+
+---
+ lib/pwmem.c | 18 ++++++++++--------
+ lib/shadowmem.c | 12 +++++++-----
+ 2 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/lib/pwmem.c b/lib/pwmem.c
+index 17d2eb219..9f184d5e1 100644
+--- a/lib/pwmem.c
++++ b/lib/pwmem.c
+@@ -93,14 +93,16 @@
+
+ void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent)
+ {
+- free (pwent->pw_name);
+- if (pwent->pw_passwd) {
+- memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+- free (pwent->pw_passwd);
++ if (pwent != NULL) {
++ free (pwent->pw_name);
++ if (pwent->pw_passwd) {
++ memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
++ free (pwent->pw_passwd);
++ }
++ free (pwent->pw_gecos);
++ free (pwent->pw_dir);
++ free (pwent->pw_shell);
++ free (pwent);
+ }
+- free (pwent->pw_gecos);
+- free (pwent->pw_dir);
+- free (pwent->pw_shell);
+- free (pwent);
+ }
+
+diff --git a/lib/shadowmem.c b/lib/shadowmem.c
+index 8989598f8..1d047cc04 100644
+--- a/lib/shadowmem.c
++++ b/lib/shadowmem.c
+@@ -79,11 +79,13 @@
+
+ void spw_free (/*@out@*/ /*@only@*/struct spwd *spent)
+ {
+- free (spent->sp_namp);
+- if (NULL != spent->sp_pwdp) {
+- memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+- free (spent->sp_pwdp);
++ if (spent != NULL) {
++ free (spent->sp_namp);
++ if (NULL != spent->sp_pwdp) {
++ memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
++ free (spent->sp_pwdp);
++ }
++ free (spent);
+ }
+- free (spent);
+ }
+
diff --git a/backport-libmisc-minimum-id-check-for-system-accounts.patch b/backport-libmisc-minimum-id-check-for-system-accounts.patch
new file mode 100644
index 0000000..b899cbb
--- /dev/null
+++ b/backport-libmisc-minimum-id-check-for-system-accounts.patch
@@ -0,0 +1,58 @@
+From d324c6776b3a1d4ac22bced543f72dc5dd366927 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Thu, 6 Oct 2022 11:21:18 +0200
+Subject: [PATCH] libmisc: minimum id check for system accounts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The minimum id allocation for system accounts shouldn't be 0 as this is
+reserved for root.
+
+Signed-off-by: Tomáš Mráz
+Signed-off-by: Iker Pedrosa
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/d324c6776b3a1d4ac22bced543f72dc5dd366927
+
+---
+ libmisc/find_new_gid.c | 7 +++++++
+ libmisc/find_new_uid.c | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c
+index 666b61078..65ab5d013 100644
+--- a/libmisc/find_new_gid.c
++++ b/libmisc/find_new_gid.c
+@@ -60,6 +60,13 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
+ (unsigned long) *max_id);
+ return EINVAL;
+ }
++ /*
++ * Zero is reserved for root and the allocation algorithm does not
++ * work right with it.
++ */
++ if (*min_id == 0) {
++ *min_id = (gid_t) 1;
++ }
+ } else {
+ /* Non-system groups */
+
+diff --git a/libmisc/find_new_uid.c b/libmisc/find_new_uid.c
+index 322d15ab7..5f7e74b53 100644
+--- a/libmisc/find_new_uid.c
++++ b/libmisc/find_new_uid.c
+@@ -60,6 +60,13 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
+ (unsigned long) *max_id);
+ return EINVAL;
+ }
++ /*
++ * Zero is reserved for root and the allocation algorithm does not
++ * work right with it.
++ */
++ if (*min_id == 0) {
++ *min_id = (uid_t) 1;
++ }
+ } else {
+ /* Non-system users */
+
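Review bot: The added `if (*min_id == 0)` clamp in `get_ranges` runs after the range validation whose `return EINVAL;` is visible just above it. A configuration in which the system maximum is also 0 would therefore pass that check and then leave `*min_id` (1) above `*max_id` (0). I am inferring the shape of the check, because only its tail is inside the hunk; if it is the usual max-below-min test, the clamp should move ahead of it or be followed by a re-test such as `if (*max_id < *min_id) { return EINVAL; }`. The same applies to the identical block added in libmisc/find_new_uid.c. Both functions start and end outside their hunks.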
diff --git a/backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch b/backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch new file mode 100644 index 0000000..4f06e84 --- /dev/null +++ b/backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch 
@@ -0,0 +1,45 @@ +From 02b200c9aa501ad4e1651c553cea1aaf9e5e0f4f Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Sat, 14 Aug 2021 14:24:03 -0500 +Subject: [PATCH] man/po/Makefile.in: switch from xml2po to itstool + +xml2po is deprecated. We've previously replaced xml2po with +itstool in man/generate_translations.mak, but there was still +an instance of it that only is exercised for 'make dist'. +Update that one. Now 'make dist' succeeds on a ubuntu focal +or newer host where xml2po is not available. + +Signed-off-by: Serge Hallyn + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/02b200c9aa501ad4e1651c553cea1aaf9e5e0f4f + +--- + man/po/Makefile.in | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/man/po/Makefile.in b/man/po/Makefile.in +index deaa87058..f194957b4 100644 +--- a/man/po/Makefile.in ++++ b/man/po/Makefile.in +@@ -90,9 +90,17 @@ $(DOMAIN).pot-update: $(XMLFILES) $(srcdir)/XMLFILES remove-potcdate.sed + @set -e; tmpdir=`pwd`; \ + echo "cd $(top_srcdir)/man"; \ + cd $(top_srcdir)/man; \ +- echo "xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES))"; \ +- xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES)); \ +- cd $$tmpdir ++ files=""; \ ++ for file in $(notdir $(XMLFILES)); do \ ++ if grep -q SHADOW-CONFIG-HERE $$file ; then \ ++ sed -e 's/^/%config;/' $$file > $$file.out; \ ++ else \ ++ sed -e 's/^\(/\1 [%config;]>/' $$file > $$file.out; \ ++ fi; \ ++ files="$$files $$file.out"; \ ++ done; \ ++ itstool -d -o $$tmpdir/$(DOMAIN).po $$files; \ ++ cd $$tmpdir; \ + test ! -f $(DOMAIN).po || { \ + if test -f $(srcdir)/$(DOMAIN).pot; then \ + sed -f remove-potcdate.sed < $(srcdir)/$(DOMAIN).pot > $(DOMAIN).1po && \ diff --git a/backport-run_parts-for-groupadd-and-groupdel.patch b/backport-run_parts-for-groupadd-and-groupdel.patch index 07b30bd..0036363 100644 --- a/backport-run_parts-for-groupadd-and-groupdel.patch 
+++ b/backport-run_parts-for-groupadd-and-groupdel.patch @@ -56,9 +56,9 @@ index 311421014..2eda1c680 100644 --- a/src/groupadd.c +++ b/src/groupadd.c @@ -34,6 +34,7 @@ + #ifdef SHADOWGRP #include "sgroupio.h" #endif - #include "shadowlog.h" +#include "run_part.h" /* @@ -92,9 +92,9 @@ index fdccf5e15..bae4367ba 100644 --- a/src/groupdel.c +++ b/src/groupdel.c @@ -32,6 +32,7 @@ + #ifdef SHADOWGRP #include "sgroupio.h" #endif - #include "shadowlog.h" +#include "run_part.h" /* * Global variables diff --git a/backport-useradd-check-MLS-enablement-before-setting-serange.patch b/backport-useradd-check-MLS-enablement-before-setting-serange.patch new file mode 100644 index 0000000..02d3841 --- /dev/null +++ b/backport-useradd-check-MLS-enablement-before-setting-serange.patch 
@@ -0,0 +1,60 @@
+From 23634d8de7d01ed65bd70e316d4da4fe4d9b370d Mon Sep 17 00:00:00 2001
+From: genBTC
+Date: Tue, 23 Aug 2022 10:25:51 -0400
+Subject: [PATCH] useradd: check MLS enablement before setting serange
+ Resolves: https://github.com/shadow-maint/shadow/issues/552
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/23634d8de7d01ed65bd70e316d4da4fe4d9b370d
+
+---
+ lib/semanage.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 54f996238..082a6e8ee 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -122,12 +122,14 @@ static int semanage_user_mod (semanage_handle_t *handle,
+ goto done;
+ }
+
+- ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+- if (ret != 0) {
+- fprintf (shadow_logfd,
+- _("Could not set serange for %s\n"), login_name);
+- ret = 1;
+- goto done;
++ if (semanage_mls_enabled(handle)) {
++ ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
++ if (ret != 0) {
++ fprintf (shadow_logfd,
++ _("Could not set serange for %s\n"), login_name);
++ ret = 1;
++ goto done;
++ }
+ }
+
+ ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+@@ -179,13 +181,14 @@ static int semanage_user_add (semanage_handle_t *handle,
+ goto done;
+ }
+
+- ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+- if (ret != 0) {
+- fprintf (shadow_logfd,
+- _("Could not set serange for %s\n"),
+- login_name);
+- ret = 1;
+- goto done;
++ if (semanage_mls_enabled(handle)) {
++ ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
++ if (ret != 0) {
++ fprintf (shadow_logfd,
++ _("Could not set serange for %s\n"), login_name);
++ ret = 1;
++ goto done;
++ }
+ }
+
+ ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
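Review bot: `semanage_mls_enabled(handle)` is used as a plain boolean in both `semanage_user_mod` and `semanage_user_add`, but as far as I know libsemanage returns 1 for an MLS policy, 0 otherwise and -1 on error. A failed query is therefore treated as "MLS enabled" and still reaches `semanage_seuser_set_mlsrange`. Comparing explicitly, `if (semanage_mls_enabled(handle) > 0) {`, keeps the error case off the set-range path; storing the result and sending a negative value to the existing `done` label with a message would be stricter. Both functions start and end outside their hunks.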
diff --git a/backport-useradd-check-if-subid-range-exists-for-user.patch b/backport-useradd-check-if-subid-range-exists-for-user.patch
new file mode 100644
index 0000000..c5c03ad
--- /dev/null
+++ b/backport-useradd-check-if-subid-range-exists-for-user.patch
@@ -0,0 +1,39 @@
+From e0524e813a3bae2891b33a66f35876841c11cee7 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Mon, 24 Oct 2022 10:46:36 +0200
+Subject: [PATCH] useradd: check if subid range exists for user
+
+Check if a user already has a subid range before assigning one.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929
+
+Signed-off-by: Iker Pedrosa
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/f6f8bcd2a57c06983296485cc028ebdf467ebfd7
+
+---
+ src/useradd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 7ea0a9c4d..e784d6029 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2188,14 +2188,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
+ fail_exit (E_PW_UPDATE);
+ }
+ #ifdef ENABLE_SUBIDS
+- if (is_sub_uid &&
++ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry\n"),
+ Prog, sub_uid_dbname ());
+ fail_exit (E_SUB_UID_UPDATE);
+ }
+- if (is_sub_gid &&
++ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry\n"),
diff --git a/shadow.spec b/shadow.spec
index 1019b64..5ed78a2 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -37,50 +37,62 @@ Patch17: newgrp-fix-segmentation-fault.patch Patch18: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch Patch19: shadow-add-sm3-crypt-support.patch Patch20: backport-useradd-modify-check-ID-range-for-system-users.patch -Patch21: backport-Add-header-guards.patch -Patch22: backport-Change-to-strncat.patch -Patch23: backport-Do-not-return-garbage-in-run_parts.patch -Patch24: backport-Handle-ERANGE-error-correctly.patch -Patch25: backport-Initialize-local-variables.patch -Patch26: backport-Remove-commented-out-code-and-FIXMEs.patch -Patch27: backport-Remove-redeclared-variable.patch -Patch28: backport-libmisc-add-check-fopen-return-value-in-read_random_.patch -Patch29: backport-passwd-erase-password-copy-on-all-error-branches.patch -Patch30: backport-chpasswd-add-get_salt-for-generating-salt-value.patch -Patch31: backport-chpasswd-fix-function-problem-with-R-parameter.patch -Patch32: backport-Fix-off-by-one-mistakes.patch -Patch33: backport-Fix-typos-in-length-calculations.patch -Patch34: backport-Correctly-handle-illegal-system-file-in-tz.patch -Patch35: backport-Explicitly-override-only-newlines.patch -Patch36: backport-Prevent-out-of-boundary-access.patch -Patch37: backport-Added-control-character-check.patch -Patch38: backport-Overhaul-valid_field.patch -Patch39: backport-Read-whole-line-in-yes_or_no.patch -Patch40: backport-commonio-free-removed-database-entries.patch -Patch41: backport-semanage-disconnect-to-free-libsemanage-internals.patch -Patch42: shadow-Remove-encrypted-passwd-for-useradd-gr.patch -Patch43: backport-process_prefix_flag-Drop-privileges.patch -Patch44: backport-chsh-Verify-that-login-shell-path-is-absolute.patch -Patch45: backport-Plug-econf-memory-leaks.patch -Patch46: backport-def_load-avoid-NULL-deref.patch -Patch47: backport-Check-if-crypt_method-null-before-dereferencing.patch -Patch48: backport-usermod-fix-off-by-one-issues.patch -Patch49: backport-gpasswd-1-Fix-password-leak.patch -Patch50: 
backport-chgpasswd-fix-segfault-in-command-line-options.patch -Patch51: backport-chpasswd-add-IS_CRYPT_METHOD.patch -Patch52: backport-Fix-yescrypt-support.patch -Patch53: backport-newgrp-fix-potential-string-injection.patch -Patch54: backport-script-to-kill-subjects-processes-from-userdel.patch -Patch55: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch -Patch56: backport-Address-minor-complier-warnings.patch -Patch57: backport-Avoid-races-in-chown_tree.patch -Patch58: backport-Avoid-races-in-copy_tree.patch -Patch59: backport-Avoid-races-in-remove_tree.patch -Patch60: backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch -Patch61: backport-lib-btrfs-avoid-NULL-dereference.patch -Patch62: backport-More-robust-file-content-copy-in-copy_tree.patch -Patch63: backport-Require-symlink-support.patch -Patch64: backport-run_parts-for-groupadd-and-groupdel.patch +Patch21: backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch +Patch22: backport-Only-free-sgent-if-it-was-initialized.patch +Patch23: backport-Fix-parentheses-in-configure.ac.patch +Patch24: backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch +Patch26: backport-Handle-malformed-lines-in-hushlogins-file.patch +Patch27: backport-Improve-child-error-handling.patch +Patch28: backport-lib-check-NULL-before-freeing-passwd-data.patch +Patch29: backport-CVE-2013-4235.patch +Patch30: backport-Add-header-guards.patch +Patch31: backport-Change-to-strncat.patch +Patch32: backport-Handle-ERANGE-error-correctly.patch +Patch33: backport-Do-not-return-garbage-in-run_parts.patch +Patch34: backport-Initialize-local-variables.patch +Patch35: backport-libmisc-add-check-fopen-return-value-in-read_random_.patch +Patch36: backport-passwd-erase-password-copy-on-all-error-branches.patch +Patch37: backport-Remove-commented-out-code-and-FIXMEs.patch +Patch38: backport-Remove-redeclared-variable.patch +Patch39: backport-chpasswd-add-get_salt-for-generating-salt-value.patch +Patch40: 
backport-chpasswd-fix-function-problem-with-R-parameter.patch +Patch41: backport-script-to-kill-subjects-processes-from-userdel.patch +Patch42: backport-Avoid-races-in-chown_tree.patch +Patch43: backport-Avoid-races-in-remove_tree.patch +Patch44: backport-Require-symlink-support.patch +Patch45: backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch +Patch46: backport-More-robust-file-content-copy-in-copy_tree.patch +Patch47: backport-Address-minor-compiler-warnings.patch +Patch48: backport-Avoid-races-in-copy_tree.patch +Patch49: backport-useradd-check-MLS-enablement-before-setting-serange.patch +Patch50: backport-libmisc-minimum-id-check-for-system-accounts.patch +Patch51: backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch +Patch52: backport-useradd-check-if-subid-range-exists-for-user.patch +Patch53: backport-Fix-off-by-one-mistakes.patch +Patch54: backport-Fix-typos-in-length-calculations.patch +Patch55: backport-Correctly-handle-illegal-system-file-in-tz.patch +Patch56: backport-Explicitly-override-only-newlines.patch +Patch57: backport-Prevent-out-of-boundary-access.patch +Patch58: backport-Added-control-character-check.patch +Patch59: backport-Overhaul-valid_field.patch +Patch60: backport-Read-whole-line-in-yes_or_no.patch +Patch61: backport-run_parts-for-groupadd-and-groupdel.patch +Patch62: backport-commonio-free-removed-database-entries.patch +Patch63: backport-semanage-disconnect-to-free-libsemanage-internals.patch +Patch64: backport-process_prefix_flag-Drop-privileges.patch +Patch65: backport-chsh-Verify-that-login-shell-path-is-absolute.patch +Patch66: backport-Plug-econf-memory-leaks.patch +Patch67: backport-def_load-avoid-NULL-deref.patch +Patch68: backport-Check-if-crypt_method-null-before-dereferencing.patch +Patch69: backport-usermod-fix-off-by-one-issues.patch +Patch70: backport-gpasswd-1-Fix-password-leak.patch +Patch71: backport-chgpasswd-fix-segfault-in-command-line-options.patch +Patch72: 
backport-chpasswd-add-IS_CRYPT_METHOD.patch +Patch73: backport-Fix-yescrypt-support.patch +Patch74: backport-newgrp-fix-potential-string-injection.patch +Patch75: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch +Patch76: shadow-Remove-encrypted-passwd-for-useradd-gr.patch +Patch77: backport-lib-btrfs-avoid-NULL-dereference.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -93,8 +105,8 @@ Requires(pre): coreutils Requires(post): coreutils Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Provides: shadow-utils -Obsoletes: shadow-utils +Provides: shadow-utils = %{version}-%{release} +Obsoletes: shadow-utils < %{version}-%{release} %description This package includes the necessary programs for converting plain @@ -247,7 +259,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_mandir}/*/* %changelog -* Tue Nov 17 2023 wangyunjia - 2:4.9-14 +* Tue Nov 17 2023 wangqingsan - 2:4.9-14 - backport some patches * Wed Sep 20 2023 wangyunjia - 2:4.9-13 -- Gitee From 1a2ba5c12eca73fa3a3255c4a93282e88b73a05e Mon Sep 17 00:00:00 2001 From: qsw33 Date: Wed, 8 Nov 2023 20:36:16 +0800 Subject: [PATCH 2/2] backport some patches --- ...-buffer-overflow-when-using-a-prefix.patch | 6 ++--- backport-Avoid-races-in-copy_tree.patch | 4 +-- backport-Avoid-races-in-remove_tree.patch | 4 +-- backport-Require-symlink-support.patch | 6 ++--- ...-run_parts-for-groupadd-and-groupdel.patch | 4 +-- chpasswd.sh | 26 +++++++++++++++++++ shadow.spec | 14 ++++++---- 7 files changed, 47 insertions(+), 17 deletions(-) create mode 100644 chpasswd.sh diff --git a/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch b/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch index 76ff976..f8ee5f7 100644 --- a/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch +++ b/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch 
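Review bot: The `%changelog` hunk only swaps the author name on the existing `2:4.9-14` entry and keeps the text "backport some patches", so the package history does not record that this build adds backport-CVE-2013-4235.patch and the useradd buffer-overflow fix. Anyone who reads the changelog to see which CVE ids a build covers will miss them; a line such as `- backport upstream fixes, including CVE-2013-4235 (O_NOFOLLOW in copy_file)` would state it. The entry date `Tue Nov 17 2023` does not match the calendar (the commit itself is dated Tue, 7 Nov 2023, which makes the 17th a Friday), and rpmbuild normally warns about such dates. The patch list also skips `Patch25` between `Patch24` and `Patch26`, which is worth confirming as intentional. Whether `Release` was bumped is not visible in these hunks.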
@@ -7,7 +7,7 @@ The buffer length did not count the string's trailing null byte. Signed-off-by: David Michael -Conflict: NA +Conflict: if(prefix[0]) There is no space after it. Reference: https://github.com/shadow-maint/shadow/commit/f6f8bcd2a57c06983296485cc028ebdf467ebfd7 --- @@ -20,10 +20,10 @@ index 39a744ee0..7ea0a9c4d 100644 +++ b/src/useradd.c @@ -2372,7 +2372,7 @@ static void create_mail (void) if (NULL == spool) { - return; + spool = "/var/mail"; } - file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2); + file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3); - if (prefix[0]) + if(prefix[0]) sprintf (file, "%s/%s/%s", prefix, spool, user_name); else diff --git a/backport-Avoid-races-in-copy_tree.patch b/backport-Avoid-races-in-copy_tree.patch index 340c2c2..cfb19ae 100644 --- a/backport-Avoid-races-in-copy_tree.patch +++ b/backport-Avoid-races-in-copy_tree.patch @@ -187,9 +187,9 @@ index e753d7cf0..5605f6fe0 100644 } if (!S_ISDIR (sb.st_mode)) { - fprintf (show_logfd, + fprintf (shadow_logfd, "%s: %s is not a directory", -- Prog,src_root); +- Prog, src_root); + Prog, src->full_path); return -1; } diff --git a/backport-Avoid-races-in-remove_tree.patch b/backport-Avoid-races-in-remove_tree.patch index 3d44b53..a101474 100644 --- a/backport-Avoid-races-in-remove_tree.patch +++ b/backport-Avoid-races-in-remove_tree.patch @@ -43,10 +43,10 @@ index 04bc7fc4a..3d76b95e0 100644 { - char *new_name = NULL; - int err = 0; -- struct dirent *ent; +- struct DIRECT *ent; - struct stat sb; DIR *dir; -+ const struct dirent *ent; ++ const struct DIRECT *ent; + int dir_fd, rc = 0; - /* diff --git a/backport-Require-symlink-support.patch b/backport-Require-symlink-support.patch index 3e4f891..2cc2f57 100644 --- a/backport-Require-symlink-support.patch +++ b/backport-Require-symlink-support.patch @@ -24,11 +24,11 @@ index b9a2263bb..7e954c29c 100644 
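Review bot: The new `Conflict:` trailer in the first hunk of `backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch` records only the `if(prefix[0])` spacing, but the second hunk also appears to replace the context line `return;` with `spool = "/var/mail";`, and that adaptation is not recorded. In this tree a NULL `spool` therefore seems to fall through to the `alloca`/`sprintf` pair instead of returning, which a reader comparing against the referenced upstream commit should be told. I would record both, e.g. `Conflict: context adapted to 4.9: NULL spool defaults to "/var/mail"; "if(prefix[0])" has no space`. The fix itself remains the hand-counted `+ 3`, which matches only the `"%s/%s/%s"` format, so a later change to that format string must update the constant with it. `create_mail` continues outside the hunk.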
@@ -53,7 +53,7 @@ AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])]) AC_CHECK_FUNCS(arc4random_buf l64a fchmod fchown fsync futimes getgroups \ - gethostname getentropy getrandom getspnam gettimeofday getusershell \ + gethostname getentropy getrandom getspnam gettimeofday getusershell \ - getutent initgroups lchown lckpwdf lstat lutimes memcpy memset \ + getutent initgroups lckpwdf lutimes memcpy memset \ - setgroups sigaction strchr updwtmp updwtmpx innetgr getpwnam_r \ - getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo ruserok\ + setgroups sigaction strchr updwtmp updwtmpx innetgr getpwnam_r \ + getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo ruserok \ dlopen) diff --git a/lib/commonio.c b/lib/commonio.c index 9e0fde600..80288d644 100644 diff --git a/backport-run_parts-for-groupadd-and-groupdel.patch b/backport-run_parts-for-groupadd-and-groupdel.patch index 0036363..178630e 100644 --- a/backport-run_parts-for-groupadd-and-groupdel.patch +++ b/backport-run_parts-for-groupadd-and-groupdel.patch @@ -56,7 +56,7 @@ index 311421014..2eda1c680 100644 --- a/src/groupadd.c +++ b/src/groupadd.c @@ -34,6 +34,7 @@ - #ifdef SHADOWGRP + #ifdef SHADOWGRP #include "sgroupio.h" #endif +#include "run_part.h" @@ -92,7 +92,7 @@ index fdccf5e15..bae4367ba 100644 --- a/src/groupdel.c +++ b/src/groupdel.c @@ -32,6 +32,7 @@ - #ifdef SHADOWGRP + #ifdef SHADOWGRP #include "sgroupio.h" #endif +#include "run_part.h" diff --git a/chpasswd.sh b/chpasswd.sh new file mode 100644 index 0000000..e99847d --- /dev/null +++ b/chpasswd.sh 
@@ -0,0 +1,26 @@ +# chpasswd(8) completion -*- shell-script -*- + +_chpasswd() +{ + local cur prev words cword split + _init_completion -s || return + + case $prev in + -c|--crypt) + COMPREPLY=( $( compgen -W 'DES MD5 NONE SHA256 SHA512 SM3' \ + -- "$cur" ) ) + return + ;; + -s|--sha-rounds) + return + ;; + esac + + $split && return + + COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) ) + [[ $COMPREPLY == *= ]] && compopt -o nospace +} && +complete -F _chpasswd chpasswd + +# ex: filetype=sh diff --git a/shadow.spec b/shadow.spec index 5ed78a2..1a884a3 100644 --- a/shadow.spec +++ b/shadow.spec @@ -12,6 +12,7 @@ Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Source6: chpasswd Source7: newusers +Source8: chpasswd.sh %global includesubiddir %{_includedir}/shadow @@ -90,8 +91,8 @@ Patch71: backport-chgpasswd-fix-segfault-in-command-line-options.patch Patch72: backport-chpasswd-add-IS_CRYPT_METHOD.patch Patch73: backport-Fix-yescrypt-support.patch Patch74: backport-newgrp-fix-potential-string-injection.patch -Patch75: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch -Patch76: shadow-Remove-encrypted-passwd-for-useradd-gr.patch +Patch75: shadow-Remove-encrypted-passwd-for-useradd-gr.patch +Patch76: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch Patch77: backport-lib-btrfs-avoid-NULL-dereference.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel @@ -105,8 +106,8 @@ Requires(pre): coreutils Requires(post): coreutils Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Provides: shadow-utils = %{version}-%{release} -Obsoletes: shadow-utils < %{version}-%{release} +Provides: shadow-utils +Obsoletes: shadow-utils %description This package includes the necessary programs for converting plain 
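Review bot: The `-c|--crypt)` pattern in `_chpasswd` does not match the full long option `--crypt-method`, so the method list is offered only after `-c` or the abbreviated `--crypt`; the pattern should read `-c|--crypt|--crypt-method)`. The word list `'DES MD5 NONE SHA256 SHA512 SM3'` is hard-coded and offers DES, MD5 and NONE alongside the stronger methods. It has no yescrypt entry although this spec carries `backport-Fix-yescrypt-support.patch`; whether this build accepts `YESCRYPT` cannot be verified from the hunk. A comment above the `compgen` line such as `# keep in sync with the methods chpasswd -c accepts in this build` would tell the next maintainer where the list comes from. `[[ $COMPREPLY == *= ]]` tests only the first array element, and `${COMPREPLY[0]}` would say so explicitly.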
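Review bot: The `@@ -105,8 +106,8 @@` hunk of shadow.spec reverts `Obsoletes: shadow-utils < %{version}-%{release}` to a bare `Obsoletes: shadow-utils`, which obsoletes every version of shadow-utils, including any newer one a repository might later ship. The unversioned `Provides: shadow-utils` likewise gives dependants nothing to compare against. PATCH 1/2 introduced the versioned forms and the commit message of PATCH 2/2 does not say why they are undone. Unless there is a reason not visible here, keep `Provides: shadow-utils = %{version}-%{release}` and `Obsoletes: shadow-utils < %{version}-%{release}`.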
@@ -155,6 +156,8 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd install -p -c -m 0644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/chpasswd install -p -c -m 0644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/newusers +mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/bash_completion.d +install -p -c -m 0644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/bash_completion.d/chpasswd.sh ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8 @@ -249,6 +252,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_sysconfdir}/pam.d/chpasswd %{_sysconfdir}/pam.d/groupmems %{_sysconfdir}/pam.d/newusers +%{_sysconfdir}/bash_completion.d/chpasswd.sh %files subid-devel %{_libdir}/libsubid.so.* @@ -259,7 +263,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_mandir}/*/* %changelog -* Tue Nov 17 2023 wangqingsan - 2:4.9-14 +* Wed Nov 8 2023 wangqingsan - 2:4.9-14 - backport some patches * Wed Sep 20 2023 wangyunjia - 2:4.9-13 -- Gitee