rpms/shadow-utils/devel shadow-4.1.1-audit.patch, NONE, 1.1 shadow-4.1.1-redhat.patch, NONE, 1.1 shadow-4.1.1-selinux.patch, NONE, 1.1 shadow-4.1.1-sysAccountDownhill.patch, NONE, 1.1 .cvsignore, 1.17, 1.18 shadow-utils.spec, 1.112, 1.113 sources, 1.18, 1.19 shadow-4.0.18.1-findNewUidOnce.patch, 1.1, NONE shadow-4.0.18.1-mtime.patch, 1.1, NONE shadow-4.0.18.1-sysAccount.patch, 1.1, NONE shadow-4.0.3-noinst.patch, 1.3, NONE shadow-4.1.0-audit-newgrp.patch, 1.2, NONE shadow-4.1.0-fasterReset.patch, 1.1, NONE shadow-4.1.0-lOption.patch, 1.1, NONE shadow-4.1.0-redhat.patch, 1.1, NONE shadow-4.1.0-segfault.patch, 1.1, NONE shadow-4.1.0-selinux.patch, 1.2, NONE
Peter Vrabec (pvrabec)
fedora-extras-commits at redhat.com
Sat Apr 5 13:18:27 UTC 2008
Author: pvrabec
Update of /cvs/extras/rpms/shadow-utils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29821
Modified Files:
.cvsignore shadow-utils.spec sources
Added Files:
shadow-4.1.1-audit.patch shadow-4.1.1-redhat.patch
shadow-4.1.1-selinux.patch
shadow-4.1.1-sysAccountDownhill.patch
Removed Files:
shadow-4.0.18.1-findNewUidOnce.patch
shadow-4.0.18.1-mtime.patch shadow-4.0.18.1-sysAccount.patch
shadow-4.0.3-noinst.patch shadow-4.1.0-audit-newgrp.patch
shadow-4.1.0-fasterReset.patch shadow-4.1.0-lOption.patch
shadow-4.1.0-redhat.patch shadow-4.1.0-segfault.patch
shadow-4.1.0-selinux.patch
Log Message:
upgrade
shadow-4.1.1-audit.patch:
--- NEW FILE shadow-4.1.1-audit.patch ---
diff -up shadow-4.1.1/src/newgrp.c.audit shadow-4.1.1/src/newgrp.c
--- shadow-4.1.1/src/newgrp.c.audit 2008-04-03 15:20:25.000000000 +0200
+++ shadow-4.1.1/src/newgrp.c 2008-04-03 15:22:00.000000000 +0200
@@ -53,6 +53,10 @@ static GETGROUPS_T *grouplist;
static char *Prog;
static int is_newgrp;
+#ifdef WITH_AUDIT
+ char audit_buf[80];
+#endif
+
/* local function prototypes */
static void usage (void);
static void check_perms (const struct group *grp,
@@ -349,10 +353,9 @@ int main (int argc, char **argv)
#endif
#ifdef WITH_AUDIT
- char audit_buf[80];
-
audit_help_open ();
#endif
+
setlocale (LC_ALL, "");
bindtextdomain (PACKAGE, LOCALEDIR);
textdomain (PACKAGE);
shadow-4.1.1-redhat.patch:
--- NEW FILE shadow-4.1.1-redhat.patch ---
diff -up shadow-4.1.1/libmisc/find_new_ids.c.redhat shadow-4.1.1/libmisc/find_new_ids.c
--- shadow-4.1.1/libmisc/find_new_ids.c.redhat 2008-04-03 12:18:51.000000000 +0200
+++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-03 13:30:44.000000000 +0200
@@ -26,11 +26,11 @@ int find_new_uid (int sys_user, uid_t *u
assert (uid != NULL);
if (sys_user == 0) {
- uid_min = getdef_unum ("UID_MIN", 1000);
+ uid_min = getdef_unum ("UID_MIN", 500);
uid_max = getdef_unum ("UID_MAX", 60000);
} else {
uid_min = getdef_unum ("SYS_UID_MIN", 1);
- uid_max = getdef_unum ("UID_MIN", 1000) - 1;
+ uid_max = getdef_unum ("UID_MIN", 500) - 1;
uid_max = getdef_unum ("SYS_UID_MAX", uid_max);
}
@@ -108,11 +108,11 @@ int find_new_gid (int sys_group, gid_t *
assert (gid != NULL);
if (sys_group == 0) {
- gid_min = getdef_unum ("GID_MIN", 1000);
+ gid_min = getdef_unum ("GID_MIN", 500);
gid_max = getdef_unum ("GID_MAX", 60000);
} else {
gid_min = getdef_unum ("SYS_GID_MIN", 1);
- gid_max = getdef_unum ("GID_MIN", 1000) - 1;
+ gid_max = getdef_unum ("GID_MIN", 500) - 1;
gid_max = getdef_unum ("SYS_GID_MAX", gid_max);
}
diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c
--- shadow-4.1.1/src/useradd.c.redhat 2008-03-08 23:42:05.000000000 +0100
+++ shadow-4.1.1/src/useradd.c 2008-04-03 14:07:32.000000000 +0200
@@ -82,7 +82,7 @@
static gid_t def_group = 100;
static const char *def_gname = "other";
static const char *def_home = "/home";
-static const char *def_shell = "";
+static const char *def_shell = "/sbin/nologin";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no";
@@ -94,7 +94,7 @@ static char def_file[] = USER_DEFAULTS_F
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
static const char *user_name = "";
-static const char *user_pass = "!";
+static const char *user_pass = "!!";
static uid_t user_id;
static gid_t user_gid;
static const char *user_comment = "";
@@ -130,6 +130,7 @@ static int
kflg = 0, /* specify a directory to fill new user directory */
lflg = 0, /* do not add user to lastlog database file */
mflg = 0, /* create user's home directory if it doesn't exist */
+ Mflg = 0, /* do NOT create user's home directory no matter what */
Nflg = 0, /* do not create a group having the same name as the user, but add the user to def_group (or the group specified with -g) */
oflg = 0, /* permit non-unique user ID to be specified with -u */
rflg = 0, /* create a system account */
@@ -653,6 +654,7 @@ static void usage (void)
" faillog databases\n"
" -m, --create-home create home directory for the new user\n"
" account\n"
+ " -M, do not create user's home directory(overrides /etc/login.defs)\n"
" -N, --no-user-group do not create a group with the same name as\n"
" the user\n"
" -o, --non-unique allow create user with duplicate\n"
@@ -883,7 +885,7 @@ static void process_flags (int argc, cha
{NULL, 0, NULL, '\0'}
};
while ((c =
- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U",
+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U",
long_options, NULL)) != -1) {
switch (c) {
case 'b':
@@ -1023,6 +1025,10 @@ static void process_flags (int argc, cha
case 'm':
mflg++;
break;
+ case 'M':
+ Mflg++;
+ break;
+ case 'n':
case 'N':
Nflg++;
break;
@@ -1076,6 +1082,9 @@ static void process_flags (int argc, cha
Uflg = getdef_bool ("USERGROUPS_ENAB");
}
+ if (mflg && Mflg) /* the admin is not decided .. create or not ? */
+ usage();
+
/*
* Certain options are only valid in combination with others.
* Check it here so that they can be specified in any order.
@@ -1625,6 +1634,14 @@ int main (int argc, char **argv)
}
#endif /* USE_PAM */
+ if (!rflg) /* for system accounts defaults are ignored and we
+ * do not create a home dir -- gafton */
+ if (getdef_bool("CREATE_HOME"))
+ mflg = 1;
+
+ if (Mflg) /* absolutely sure that we do not create home dirs */
+ mflg = 0;
+
/*
* See if we are messing with the defaults file, or creating
* a new user.
@@ -1724,27 +1741,22 @@ int main (int argc, char **argv)
("%s: warning: the home directory already exists.\n"
"Not copying any file from skel directory into it.\n"),
Prog);
-
- } else if (getdef_str ("CREATE_HOME")) {
- /*
- * RedHat added the CREATE_HOME option in login.defs in their
- * version of shadow-utils (which makes -m the default, with
- * new -M option to turn it off). Unfortunately, this
- * changes the way useradd works (it can be run by scripts
- * expecting some standard behaviour), compared to other
- * Unices and other Linux distributions, and also adds a lot
- * of confusion :-(.
- * So we now recognize CREATE_HOME and give a warning here
- * (better than "configuration error ... notify administrator"
- * errors in every program that reads /etc/login.defs). -MM
- */
- fprintf (stderr,
- _
- ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"),
- Prog);
}
-
- create_mail ();
+ /* Warning removed to protect the innocent. */
+ /*
+ * The whole idea about breaking some stupid scripts by creating a new
+ * variable is crap - I could care less about the scripts. Historically
+ * adduser type programs have always created the home directories and
+ * I don't like the idea of providing a script when we can fix the
+ * binary itself. And if the scripts are using the right options to the
+ * useradd then they will not break. If not, they depend on unspecified
+ * behavior and they will break, but they were broken anyway to begin
+ * with --gafton
+ */
+
+ /* Do not create mail directory for system accounts */
+ if( !rflg )
+ create_mail ();
close_files ();
diff -up shadow-4.1.1/src/groupadd.c.redhat shadow-4.1.1/src/groupadd.c
diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8
--- shadow-4.1.1/man/useradd.8.redhat 2008-04-03 00:43:14.000000000 +0200
+++ shadow-4.1.1/man/useradd.8 2008-04-03 14:20:23.000000000 +0200
@@ -25,9 +25,9 @@ When invoked without the
\fB\-D\fR
option, the
\fBuseradd\fR
-command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the
+command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the
\fBuseradd\fR
-command will update system files and may also create the new user\'s home directory and copy initial files\.
+command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default.
.SH "OPTIONS"
.PP
The options which apply to the
@@ -84,7 +84,7 @@ The number of days after a password expi
.PP
\fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR
.RS 4
-The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in
+The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\.
\fI/etc/default/useradd\fR\.
.RE
.PP
@@ -100,6 +100,13 @@ option\. The default is for the user to
Display help message and exit\.
.RE
.PP
+\fB-M\fR
+.RS 4
+The user\'s home directory will not be created, even if the system wide settings from
+\fI/etc/login.defs\fR
+is to create home dirs\.
+.RE
+.PP
\fB\-m\fR, \fB\-\-create\-home\fR
.RS 4
The user\'s home directory will be created if it does not exist\. The files contained in
@@ -174,6 +181,19 @@ The encrypted password, as returned by
\fBcrypt\fR(3)\. The default is to disable the account\.
.RE
.PP
+\fB-r\fR
+.RS 4
+This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in
+\fI/etc/login.defs\fR
+and whose password does not expire\. Note that
+\fBuseradd\fR
+will not create a home directory for such an user, regardless of the default setting in
+\fI/etc/login.defs\fR\.
+You have to specify
+\fB-m\fR
+option if you want a home directory for a system account to be created\. This is an option added by Red Hat\.
+.RE
+.PP
\fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR
.RS 4
The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\.
@@ -244,6 +264,8 @@ The name of a new user\'s login shell\.
The system administrator is responsible for placing the default user files in the
\fI/etc/skel/\fR
directory\.
+.br
+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\.
.SH "CAVEATS"
.PP
You may not add a user to a NIS or LDAP group\. This must be performed on the corresponding server\.
@@ -381,6 +403,11 @@ Secure user account information\.
Group account information\.
.RE
.PP
+\fI/etc/gshadow\fR
+.RS 4
+Secure group account information\.
+.RE
+.PP
\fI/etc/default/useradd\fR
.RS 4
Default values for account creation\.
diff -up shadow-4.1.1/man/groupadd.8.redhat shadow-4.1.1/man/groupadd.8
--- shadow-4.1.1/man/groupadd.8.redhat 2008-04-03 00:42:54.000000000 +0200
+++ shadow-4.1.1/man/groupadd.8 2008-04-03 14:27:04.000000000 +0200
@@ -14,7 +14,7 @@
groupadd \- create a new group
.SH "SYNOPSIS"
.HP 9
-\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR
+\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR
.SH "DESCRIPTION"
.PP
The
@@ -34,11 +34,22 @@ This option causes the command to simply
is turned off)\.
.RE
.PP
+\fB-r\fR
+.RS 4
+This flag instructs
+\fBgroupadd\fR
+to add a system account\. The first available
+\fIgid\fR
+lower than 499 will be automatically selected unless the
+\fB-g\fR
+option is also given on the command line\. This is an option added by Red Hat\.
+.RE
+.PP
\fB\-g\fR, \fB\-\-gid\fR \fIGID\fR
.RS 4
The numerical value of the group\'s ID\. This value must be unique, unless the
\fB\-o\fR
-option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\.
+option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 499 and greater than every other group\. Values between 0 and 500 are typically reserved for system accounts\.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
shadow-4.1.1-selinux.patch:
--- NEW FILE shadow-4.1.1-selinux.patch ---
diff -up /dev/null shadow-4.1.1/libmisc/system.c
--- /dev/null 2008-03-19 11:34:26.687502959 +0100
+++ shadow-4.1.1/libmisc/system.c 2008-04-05 14:55:29.000000000 +0200
@@ -0,0 +1,37 @@
+#include <config.h>
+
+#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $"
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include "prototypes.h"
+#include "defines.h"
+
+int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr)
+{
+ int status = -1;
+ int fd;
+ pid_t pid;
+
+ pid = fork();
+ if (pid < 0)
+ return -1;
+
+ if (pid) { /* Parent */
+ waitpid(pid, &status, 0);
+ return status;
+ }
+
+ fd = open("/dev/null", O_RDWR);
+ /* Child */
+ dup2(fd,0); // Close Stdin
+ if (ignore_stderr)
+ dup2(fd,2); // Close Stderr
+
+ execve(command, (char *const *) argv, (char *const *) env);
+ fprintf (stderr,
+ _("Failed to exec '%s'\n"), argv[0]);
+ exit (-1);
+}
+
diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c
--- shadow-4.1.1/libmisc/copydir.c.selinux 2008-01-06 13:02:04.000000000 +0100
+++ shadow-4.1.1/libmisc/copydir.c 2008-04-05 14:55:29.000000000 +0200
@@ -82,7 +82,7 @@ static int copy_file (const char *src, c
* symlink, directory, ...
*
*/
-static int selinux_file_context (const char *dst_name)
+int selinux_file_context (const char *dst_name)
{
security_context_t scontext = NULL;
@@ -253,6 +253,12 @@ int copy_tree (const char *src_root, con
src_orig = 0;
dst_orig = 0;
}
+
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
+#endif
+
return err;
}
diff -up shadow-4.1.1/libmisc/Makefile.am.selinux shadow-4.1.1/libmisc/Makefile.am
--- shadow-4.1.1/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100
+++ shadow-4.1.1/libmisc/Makefile.am 2008-04-05 14:55:29.000000000 +0200
@@ -43,6 +43,7 @@ libmisc_a_SOURCES = \
setugid.c \
setupenv.c \
shell.c \
+ system.c \
strtoday.c \
sub.c \
sulog.c \
diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c
--- shadow-4.1.1/src/useradd.c.selinux 2008-04-05 14:55:29.000000000 +0200
+++ shadow-4.1.1/src/useradd.c 2008-04-05 14:55:29.000000000 +0200
@@ -101,6 +101,7 @@ static const char *user_comment = "";
static const char *user_home = "";
static const char *user_shell = "";
static const char *create_mail_spool = "";
+static const char *user_selinux = "";
static long user_expire = -1;
static int is_shadow_pwd;
@@ -173,6 +174,7 @@ static int set_defaults (void);
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
+static void selinux_update_mapping (void);
static long scale_age (long);
static void new_spent (struct spwd *);
@@ -373,6 +375,7 @@ static void get_defaults (void)
def_create_mail_spool = xstrdup (cp);
}
}
+ fclose(fp);
}
/*
@@ -665,6 +668,9 @@ static void usage (void)
" -s, --shell SHELL the login shell for the new user account\n"
" -u, --uid UID force use the UID for the new user account\n"
" -U, --user-group create a group with the same name as the user\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -880,12 +886,19 @@ static void process_flags (int argc, cha
{"password", required_argument, NULL, 'p'},
{"system", no_argument, NULL, 'r'},
{"shell", required_argument, NULL, 's'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{"uid", required_argument, NULL, 'u'},
{"user-group", no_argument, NULL, 'U'},
{NULL, 0, NULL, '\0'}
};
while ((c =
+#ifdef WITH_SELINUX
+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:",
+#else
getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'b':
@@ -1070,6 +1083,17 @@ static void process_flags (int argc, cha
case 'U':
Uflg++;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled() > 0)
+ user_selinux = optarg;
+ else {
+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -1476,6 +1500,33 @@ static void usr_update (void)
grp_update ();
}
+static void selinux_update_mapping () {
+
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() <= 0) return;
+
+ if (*user_selinux) { /* must be done after passwd write() */
+ const char *argv[7];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system(argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "adding SELinux user mapping", user_name, user_id, 0);
+#endif
+ }
+ }
+#endif
+
+}
/*
* create_home - create the user's home directory
*
@@ -1485,7 +1536,11 @@ static void usr_update (void)
*/
static void create_home (void)
{
+
if (access (user_home, F_OK)) {
+#ifdef WITH_SELINUX
+ selinux_file_context (user_home);
+#endif
/* XXX - create missing parent directories. --marekm */
if (mkdir (user_home, 0)) {
fprintf (stderr,
@@ -1507,6 +1562,10 @@ static void create_home (void)
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"adding home directory", user_name, user_id, 1);
#endif
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
+#endif
}
}
@@ -1760,6 +1819,8 @@ int main (int argc, char **argv)
close_files ();
+ selinux_update_mapping();
+
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c
--- shadow-4.1.1/src/usermod.c.selinux 2008-02-24 13:35:13.000000000 +0100
+++ shadow-4.1.1/src/usermod.c 2008-04-05 14:55:29.000000000 +0200
@@ -91,6 +91,7 @@ static char *user_newcomment;
static char *user_home;
static char *user_newhome;
static char *user_shell;
+static const char *user_selinux = "";
static char *user_newshell;
static long user_expire;
static long user_newexpire;
@@ -138,6 +139,7 @@ static void date_to_str (char *buf, size
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
+static void selinux_update_mapping (void);
static void new_spent (struct spwd *);
static void fail_exit (int);
@@ -320,6 +322,9 @@ static void usage (void)
" -s, --shell SHELL new login shell for the user account\n"
" -u, --uid UID new UID for the user account\n"
" -U, --unlock unlock the user account\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user new selinux user mapping for the user account\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -846,13 +851,20 @@ static void process_flags (int argc, cha
{"move-home", no_argument, NULL, 'm'},
{"non-unique", no_argument, NULL, 'o'},
{"password", required_argument, NULL, 'p'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{"shell", required_argument, NULL, 's'},
{"uid", required_argument, NULL, 'u'},
{"unlock", no_argument, NULL, 'U'},
{NULL, 0, NULL, '\0'}
};
while ((c =
- getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U",
+#ifdef WITH_SELINUX
+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:",
+#else
+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'a':
@@ -953,6 +965,16 @@ static void process_flags (int argc, cha
case 'U':
Uflg++;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled() > 0)
+ user_selinux = optarg;
+ else {
+ fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog);
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -1530,6 +1552,8 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ selinux_update_mapping();
+
if (mflg)
move_home ();
@@ -1558,3 +1582,62 @@ int main (int argc, char **argv)
exit (E_SUCCESS);
/* NOT REACHED */
}
+
+static void selinux_update_mapping () {
+#ifdef WITH_SELINUX
+ const char *argv[7];
+
+ if (is_selinux_enabled() <= 0) return;
+
+ if (*user_selinux) {
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system(argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system(argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ", user_name, user_id, 0);
+#endif
+ }
+ }
+ }
+
+ if (dflg || *user_selinux) {
+ argv[0] = "/usr/sbin/genhomedircon";
+ argv[1] = NULL;
+ if(safe_system(argv[0], argv, NULL,0)) {
+ fprintf (stderr,
+ _("%s: warning: unable to relabel the homedir %s for %s.\n"),
+ Prog, user_home, user_name);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "relabeling home directory", user_name, user_id, 0);
+#endif
+ }
+
+ argv[0] = "/sbin/restorecon";
+ argv[1] = "-F";
+ argv[2] = "-R";
+ argv[3] = user_home;
+ argv[4] = NULL;
+ if (safe_system(argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: unable to relabel the homedir %s for %s.\n"),
+ Prog, user_home, user_name);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "relabeling home directory", user_name, user_id, 0);
+#endif
+ }
+ }
+#endif
+}
diff -up shadow-4.1.1/src/userdel.c.selinux shadow-4.1.1/src/userdel.c
--- shadow-4.1.1/src/userdel.c.selinux 2008-03-08 21:48:26.000000000 +0100
+++ shadow-4.1.1/src/userdel.c 2008-04-05 14:55:29.000000000 +0200
@@ -809,6 +809,17 @@ int main (int argc, char **argv)
#endif
}
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() > 0) {
+ const char *argv[5];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-d";
+ argv[3] = user_name;
+ argv[4] = NULL;
+ safe_system(argv[0], argv, NULL, 1);
+ }
+#endif
/*
* Cancel any crontabs or at jobs. Have to do this before we remove
* the entry from /etc/passwd.
diff -up shadow-4.1.1/man/useradd.8.selinux shadow-4.1.1/man/useradd.8
--- shadow-4.1.1/man/useradd.8.selinux 2008-04-05 14:55:29.000000000 +0200
+++ shadow-4.1.1/man/useradd.8 2008-04-05 15:00:03.000000000 +0200
@@ -219,6 +219,11 @@ options are not specified) is defined by
variable in
\fIlogin\.defs\fR\.
.RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
+.RS 4
+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\.
+.RE
.SS "Changing the default values"
.PP
When invoked with only the
diff -up shadow-4.1.1/man/usermod.8.xml.selinux shadow-4.1.1/man/usermod.8.xml
--- shadow-4.1.1/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100
+++ shadow-4.1.1/man/usermod.8.xml 2008-04-05 14:55:29.000000000 +0200
@@ -245,6 +245,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave this
+ field the blank, which causes the system to select the default
+ SELinux user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff -up shadow-4.1.1/man/usermod.8.selinux shadow-4.1.1/man/usermod.8
--- shadow-4.1.1/man/usermod.8.selinux 2008-04-03 00:43:16.000000000 +0200
+++ shadow-4.1.1/man/usermod.8 2008-04-05 14:55:29.000000000 +0200
@@ -133,6 +133,11 @@ Note: if you wish to unlock the account
value from
\fI/etc/default/useradd\fR)\.
.RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
+.RS 4
+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user.
+.RE
.SH "CAVEATS"
.PP
diff -up shadow-4.1.1/man/useradd.8.xml.selinux shadow-4.1.1/man/useradd.8.xml
--- shadow-4.1.1/man/useradd.8.xml.selinux 2008-02-25 22:01:23.000000000 +0100
+++ shadow-4.1.1/man/useradd.8.xml 2008-04-05 14:55:29.000000000 +0200
@@ -326,6 +326,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave this
+ field blank, which causes the system to select the default SELinux
+ user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
<refsect2 id='changing_the_default_values'>
diff -up shadow-4.1.1/lib/defines.h.selinux shadow-4.1.1/lib/defines.h
--- shadow-4.1.1/lib/defines.h.selinux 2008-02-03 18:52:52.000000000 +0100
+++ shadow-4.1.1/lib/defines.h 2008-04-05 14:55:29.000000000 +0200
@@ -321,4 +321,7 @@ extern char *strerror ();
# define unused
#endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
#endif /* _DEFINES_H_ */
diff -up shadow-4.1.1/lib/prototypes.h.selinux shadow-4.1.1/lib/prototypes.h
--- shadow-4.1.1/lib/prototypes.h.selinux 2008-03-18 00:01:32.000000000 +0100
+++ shadow-4.1.1/lib/prototypes.h 2008-04-05 15:03:41.000000000 +0200
@@ -51,6 +51,10 @@ extern int copy_tree (const char *src_ro
long int uid, long int gid);
extern int remove_tree (const char *root);
+#ifdef WITH_SELINUX
+extern int selinux_file_context (const char *dst_name);
+#endif
+
/* encrypt.c */
extern char *pw_encrypt (const char *, const char *);
@@ -194,6 +198,9 @@ extern struct spwd *__spw_dup (const str
/* shell.c */
extern int shell (const char *, const char *, char *const *);
+/* system.c */
+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr);
+
/* strtoday.c */
extern long strtoday (const char *);
shadow-4.1.1-sysAccountDownhill.patch:
--- NEW FILE shadow-4.1.1-sysAccountDownhill.patch ---
diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/libmisc/find_new_ids.c
--- shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill 2008-04-04 21:46:08.000000000 +0200
+++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-04 21:50:04.000000000 +0200
@@ -22,6 +22,7 @@ int find_new_uid (int sys_user, uid_t *u
{
const struct passwd *pwd;
uid_t uid_min, uid_max, user_id;
+ char * index;
assert (uid != NULL);
@@ -32,6 +33,8 @@ int find_new_uid (int sys_user, uid_t *u
uid_min = getdef_unum ("SYS_UID_MIN", 1);
uid_max = getdef_unum ("UID_MIN", 500) - 1;
uid_max = getdef_unum ("SYS_UID_MAX", uid_max);
+ index = alloca (sizeof (char) * uid_max +1);
+ memset (index, 0, sizeof (char) * uid_max + 1);
}
if ( (NULL != preferred_uid)
@@ -61,8 +64,24 @@ int find_new_uid (int sys_user, uid_t *u
pw_rewind ();
while ( ((pwd = getpwent ()) != NULL)
|| ((pwd = pw_next ()) != NULL)) {
- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
- user_id = pwd->pw_uid + 1;
+ if (sys_user == 0) {
+ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
+ user_id = pwd->pw_uid + 1;
+ }
+ }
+ else {
+ /* create index of occupied system accounts UIDs */
+ if (pwd->pw_uid <= uid_max)
+ index[pwd->pw_uid] = 1;
+ }
+ }
+
+ /* find free system account */
+ if(sys_user) {
+ for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--);
+ if ( user_id < uid_min ) {
+ fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr);
+ return -1;
}
}
@@ -104,6 +123,7 @@ int find_new_gid (int sys_group, gid_t *
{
const struct group *grp;
gid_t gid_min, gid_max, group_id;
+ char * index;
assert (gid != NULL);
@@ -114,6 +134,8 @@ int find_new_gid (int sys_group, gid_t *
gid_min = getdef_unum ("SYS_GID_MIN", 1);
gid_max = getdef_unum ("GID_MIN", 500) - 1;
gid_max = getdef_unum ("SYS_GID_MAX", gid_max);
+ index = alloca (sizeof (char) * gid_max +1);
+ memset (index, 0, sizeof (char) * gid_max + 1);
}
if ( (NULL != preferred_gid)
@@ -142,11 +164,27 @@ int find_new_gid (int sys_group, gid_t *
gr_rewind ();
while ( ((grp = getgrent ()) != NULL)
|| ((grp = gr_next ()) != NULL)) {
- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
- group_id = grp->gr_gid + 1;
+ if (sys_group == 0) {
+ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
+ group_id = grp->gr_gid + 1;
+ }
+ }
+ else {
+ /* create index of occupied system accounts GIDs */
+ if (grp->gr_gid <= gid_max)
+ index[grp->gr_gid] = 1;
}
}
+ /* find free system account */
+ if(sys_group) {
+ for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--);
+ if ( group_id < gid_min ) {
+ fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr);
+ return -1;
+ }
+ }
+
/*
* If a group with GID equal to GID_MAX exists, the above algorithm
* will give us GID_MAX+1 even if not unique. Search for the first
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/shadow-utils/devel/.cvsignore,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- .cvsignore 12 Dec 2007 15:07:44 -0000 1.17
+++ .cvsignore 5 Apr 2008 13:17:48 -0000 1.18
@@ -1,3 +1,3 @@
shadow-4.0.17-login.defs
shadow-4.0.18.1-useradd
-shadow-4.1.0.tar.bz2
+shadow-4.1.1.tar.bz2
Index: shadow-utils.spec
===================================================================
RCS file: /cvs/extras/rpms/shadow-utils/devel/shadow-utils.spec,v
retrieving revision 1.112
retrieving revision 1.113
diff -u -r1.112 -r1.113
--- shadow-utils.spec 7 Mar 2008 15:06:15 -0000 1.112
+++ shadow-utils.spec 5 Apr 2008 13:17:48 -0000 1.113
@@ -4,34 +4,28 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
-Version: 4.1.0
-Release: 5%{?dist}
+Version: 4.1.1
+Release: 1%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
Source1: shadow-4.0.17-login.defs
Source2: shadow-4.0.18.1-useradd
-Patch0: shadow-4.1.0-redhat.patch
-Patch1: shadow-4.0.3-noinst.patch
-Patch2: shadow-4.1.0-goodname.patch
-Patch3: shadow-4.1.0-lOption.patch
-Patch4: shadow-4.1.0-selinux.patch
-Patch5: shadow-4.0.18.1-sysAccount.patch
-Patch6: shadow-4.0.18.1-findNewUidOnce.patch
-Patch7: shadow-4.0.18.1-mtime.patch
-Patch8: shadow-4.1.0-audit-newgrp.patch
-Patch9: shadow-4.1.0-segfault.patch
-Patch10: shadow-4.1.0-fasterReset.patch
+Patch0: shadow-4.1.1-redhat.patch
+Patch1: shadow-4.1.1-audit.patch
+Patch3: shadow-4.1.0-goodname.patch
+Patch4: shadow-4.1.1-selinux.patch
+Patch5: shadow-4.1.1-sysAccountDownhill.patch
License: BSD
Group: System Environment/Base
BuildRequires: autoconf, automake, libtool, gettext-devel
BuildRequires: libselinux-devel >= 1.25.2-1
-BuildRequires: audit-libs-devel >= 1.0.10
-Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: audit-libs-devel >= 1.6.5
Requires: libselinux >= 1.25.2-1
-Requires: audit-libs >= 1.0.10
+Requires: audit-libs >= 1.6.5
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description
The shadow-utils package includes the necessary programs for
@@ -48,16 +42,11 @@
%prep
%setup -q -n shadow-%{version}
%patch0 -p1 -b .redhat
-%patch1 -p1 -b .noinst
-%patch2 -p1 -b .goodname
-%patch3 -p1 -b .lOption
+%patch1 -p1 -b .audit
+%patch3 -p1 -b .goodname
%patch4 -p1 -b .selinux
-%patch5 -p1 -b .sysAccount
-%patch6 -p1 -b .findNewUidOnce
-%patch7 -p1 -b .mtime
-%patch8 -p1 -b .auditNewgrp
-%patch9 -p1 -b .segfault
-%patch10 -p1 -b .fasterReset
+%patch5 -p1 -b .sysAccountDownhill
+
rm po/*.gmo
rm po/stamp-po
@@ -197,6 +186,9 @@
%{_mandir}/man8/vigr.8*
%changelog
+* Mon Apr 07 2008 Peter Vrabec <pvrabec at redhat.com> 2:4.1.1-1
+- upgrade
+
* Fri Mar 07 2008 Peter Vrabec <pvrabec at redhat.com> 2:4.1.0-5
- improve newgrp audit patch
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/shadow-utils/devel/sources,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- sources 12 Dec 2007 15:07:44 -0000 1.18
+++ sources 5 Apr 2008 13:17:48 -0000 1.19
@@ -1,3 +1,3 @@
e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs
ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd
-dd6ca3ac424b447962d7a7af923b7bda shadow-4.1.0.tar.bz2
+b1aa30abb3cce16a37b53e45e1ec70a4 shadow-4.1.1.tar.bz2
--- shadow-4.0.18.1-findNewUidOnce.patch DELETED ---
--- shadow-4.0.18.1-mtime.patch DELETED ---
--- shadow-4.0.18.1-sysAccount.patch DELETED ---
--- shadow-4.0.3-noinst.patch DELETED ---
--- shadow-4.1.0-audit-newgrp.patch DELETED ---
--- shadow-4.1.0-fasterReset.patch DELETED ---
--- shadow-4.1.0-lOption.patch DELETED ---
--- shadow-4.1.0-redhat.patch DELETED ---
--- shadow-4.1.0-segfault.patch DELETED ---
--- shadow-4.1.0-selinux.patch DELETED ---
More information about the fedora-extras-commits
mailing list