From 759df7395908f18b3b68f28d043ac9ebd42dd0c8 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Fri, 30 Jul 2021 13:45:04 +0200 Subject: shadow: update 4.8.1 -> 4.9 Add a couple backports to fix builds. Drop 0002-Allow-for-setting-password-in-clear-text.patch; what it adds is horribly insecure and AB testing didn't reveal any regressions or use cases for it. Drop /etc/default/ tweaks as files are no longer installed there. Drop manpage alternatives as manpages are no longer installed. Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie --- .../0001-Disable-use-of-syslog-for-sysroot.patch | 29 +- ...tree-builds-with-respect-to-libsubid-incl.patch | 114 ++++++++ .../0001-libsubid-link-to-PAM-libraries.patch | 31 +++ ...-Allow-for-setting-password-in-clear-text.patch | 301 --------------------- ...fix-unexpected-open-failure-in-chroot-env.patch | 6 +- meta/recipes-extended/shadow/shadow.inc | 21 +- meta/recipes-extended/shadow/shadow_4.8.1.bb | 11 - meta/recipes-extended/shadow/shadow_4.9.bb | 11 + 8 files changed, 178 insertions(+), 346 deletions(-) create mode 100644 meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch create mode 100644 meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch delete mode 100644 meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch delete mode 100644 meta/recipes-extended/shadow/shadow_4.8.1.bb create mode 100644 meta/recipes-extended/shadow/shadow_4.9.bb (limited to 'meta/recipes-extended/shadow') diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch index ab317b9aa0..95728bcd3f 100644 --- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch +++ b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch @@ -1,4 +1,4 @@ -From fa2d9453656641002802d8165e80adb9e6a729d2 Mon Sep 17 00:00:00 2001 +From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001 From: Scott Garman Date: Thu, 14 Apr 2016 12:28:57 +0200 Subject: [PATCH] Disable use of syslog for sysroot @@ -19,12 +19,12 @@ Signed-off-by: Chen Qi src/groupmems.c | 3 +++ src/groupmod.c | 3 +++ src/useradd.c | 3 +++ - src/userdel.c | 3 +++ + src/userdel.c | 4 ++++ src/usermod.c | 3 +++ - 7 files changed, 21 insertions(+) + 7 files changed, 22 insertions(+) diff --git a/src/groupadd.c b/src/groupadd.c -index 2dd8eec..e9c4bb7 100644 +index d7f68b1..5fe5f43 100644 --- a/src/groupadd.c +++ b/src/groupadd.c @@ -34,6 +34,9 @@ @@ -38,7 +38,7 @@ index 2dd8eec..e9c4bb7 100644 #include #include diff --git a/src/groupdel.c b/src/groupdel.c -index f941a84..5a70056 100644 +index 5c89312..2aefc5a 100644 --- a/src/groupdel.c +++ b/src/groupdel.c @@ -34,6 +34,9 @@ @@ -52,7 +52,7 @@ index f941a84..5a70056 100644 #include #include diff --git a/src/groupmems.c b/src/groupmems.c -index fc91c8b..2842514 100644 +index 654a8f3..6b2026b 100644 --- a/src/groupmems.c +++ b/src/groupmems.c @@ -32,6 +32,9 @@ @@ -66,7 +66,7 @@ index fc91c8b..2842514 100644 #include #include diff --git a/src/groupmod.c b/src/groupmod.c -index 1dca5fc..bc14438 100644 +index acd6f35..a2c5247 100644 --- a/src/groupmod.c +++ b/src/groupmod.c @@ -34,6 +34,9 @@ @@ -80,7 +80,7 @@ index 1dca5fc..bc14438 100644 #include #include diff --git a/src/useradd.c b/src/useradd.c -index 4af0f7c..1b7bf06 100644 +index 127177e..b80e505 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -34,6 +34,9 @@ @@ -94,21 +94,22 @@ index 4af0f7c..1b7bf06 100644 #include #include diff --git a/src/userdel.c b/src/userdel.c -index cc951e5..153e0be 100644 +index 79a7c89..c1e010a 100644 --- a/src/userdel.c +++ b/src/userdel.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" +@@ -31,6 +31,10 @@ + */ + #include ++ +/* Disable use of syslog since we're running this command against a sysroot */ +#undef USE_SYSLOG + #include + #include #include - #include diff --git a/src/usermod.c b/src/usermod.c -index 05b9871..21c6da9 100644 +index 03bb9b9..e15fdd4 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -34,6 +34,9 @@ diff --git a/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch new file mode 100644 index 0000000000..c577be6505 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch @@ -0,0 +1,114 @@ +From eced8077b57946fe0b723e7c6c510e8f344ce89b Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Fri, 23 Jul 2021 17:51:13 -0500 +Subject: [PATCH] Fix out of tree builds with respect to libsubid includes + +There's a better way to do this, and I hope to clean that up, +but this fixes out of tree builds for me right now. + +Closes #386 + +Signed-off-by: Serge Hallyn +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/537b8cd90be7b47b45c45cfd27765ef85eb0ebf1] +Signed-off-by: Alexander Kanavin +--- + lib/Makefile.am | 2 ++ + libmisc/Makefile.am | 2 +- + libsubid/Makefile.am | 4 ++-- + src/Makefile.am | 6 ++++++ + 4 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index ecf3ee25..5ac2e111 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -10,6 +10,8 @@ if HAVE_VENDORDIR + libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" + endif + ++libshadow_la_CPPFLAGS += -I$(top_srcdir) ++ + libshadow_la_SOURCES = \ + commonio.c \ + commonio.h \ +diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am +index 9766a7ec..9f237e0d 100644 +--- a/libmisc/Makefile.am ++++ b/libmisc/Makefile.am +@@ -1,7 +1,7 @@ + + EXTRA_DIST = .indent.pro xgetXXbyYY.c + +-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS) ++AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS) + + noinst_LTLIBRARIES = libmisc.la + +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am +index 189165b0..cdc41fe6 100644 +--- a/libsubid/Makefile.am ++++ b/libsubid/Makefile.am +@@ -19,8 +19,8 @@ MISCLIBS = \ + $(LIBTCB) + + libsubid_la_LIBADD = \ +- $(top_srcdir)/lib/libshadow.la \ +- $(top_srcdir)/libmisc/libmisc.la \ ++ $(top_builddir)/lib/libshadow.la \ ++ $(top_builddir)/libmisc/libmisc.la \ + $(MISCLIBS) -ldl + + AM_CPPFLAGS = \ +diff --git a/src/Makefile.am b/src/Makefile.am +index 35027013..7c1a3491 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -10,6 +10,7 @@ sgidperms = 2755 + AM_CPPFLAGS = \ + -I${top_srcdir}/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -DLOCALEDIR=\"$(datadir)/locale\" + + # XXX why are login and su in /bin anyway (other than for +@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \ + list_subid_ranges_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + get_subid_owners_LDADD = \ +@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \ + get_subid_owners_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + new_subid_range_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + new_subid_range_LDADD = \ +@@ -210,6 +214,7 @@ new_subid_range_LDADD = \ + free_subid_range_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + free_subid_range_LDADD = \ +@@ -220,6 +225,7 @@ free_subid_range_LDADD = \ + + check_subid_range_CPPFLAGS = \ + -I$(top_srcdir)/lib \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libmisc + + check_subid_range_LDADD = \ +-- +2.31.1 + diff --git a/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch b/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch new file mode 100644 index 0000000000..ea7a99dbf7 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch @@ -0,0 +1,31 @@ +From 4f44617af3a0c59be267ac5fcc33586e3783f5e6 Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao +Date: Fri, 23 Jul 2021 14:38:08 +0800 +Subject: [PATCH] libsubid: link to PAM libraries + +libsubid.so links to libmisc.a, which contains several routines referring to +PAM functions. + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/f4a84efb468b8be21be124700ce35159c444e9d6] +Signed-off-by: Alexander Kanavin +--- + libsubid/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am +index cdc41fe6..99308c1f 100644 +--- a/libsubid/Makefile.am ++++ b/libsubid/Makefile.am +@@ -16,7 +16,8 @@ MISCLIBS = \ + $(LIBCRYPT) \ + $(LIBACL) \ + $(LIBATTR) \ +- $(LIBTCB) ++ $(LIBTCB) \ ++ $(LIBPAM) + + libsubid_la_LIBADD = \ + $(top_builddir)/lib/libshadow.la \ +-- +2.31.1 + diff --git a/meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch deleted file mode 100644 index c6332e4f76..0000000000 --- a/meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch +++ /dev/null @@ -1,301 +0,0 @@ -From a7d995228491ad5255ad86c1f04ba071f6880897 Mon Sep 17 00:00:00 2001 -From: Chen Qi -Date: Sat, 16 Nov 2013 15:27:47 +0800 -Subject: [PATCH] Allow for setting password in clear text - -Upstream-Status: Inappropriate [OE specific] - -Signed-off-by: Chen Qi - ---- - src/Makefile.am | 8 ++++---- - src/groupadd.c | 20 +++++++++++++++----- - src/groupmod.c | 20 +++++++++++++++----- - src/useradd.c | 21 +++++++++++++++------ - src/usermod.c | 20 +++++++++++++++----- - 5 files changed, 64 insertions(+), 25 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index f31fd7a..4a317a3 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -103,10 +103,10 @@ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) - chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) - expiry_LDADD = $(LDADD) $(LIBECONF) - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) --groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -+groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) $(LIBCRYPT) - groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) - groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) --groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -+groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) $(LIBCRYPT) - grpck_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) - grpconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) - grpunconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -@@ -127,9 +127,9 @@ su_SOURCES = \ - suauth.c - su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) - sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF) --useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) $(LIBCRYPT) - userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) --usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) $(LIBCRYPT) - vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) - - install-am: all-am -diff --git a/src/groupadd.c b/src/groupadd.c -index e9c4bb7..d572c00 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -127,9 +127,10 @@ static /*@noreturn@*/void usage (int status) - (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" - " (non-unique) GID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout); - (void) fputs (_(" -r, --system create a system account\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR directory prefix\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR directory prefix\n"), usageout); - (void) fputs ("\n", usageout); - exit (status); - } -@@ -391,13 +392,14 @@ static void process_flags (int argc, char **argv) - {"key", required_argument, NULL, 'K'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"system", no_argument, NULL, 'r'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {NULL, 0, NULL, '\0'} - }; - -- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:P:", -+ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:A:", - long_options, NULL)) != -1) { - switch (c) { - case 'f': -@@ -449,12 +451,20 @@ static void process_flags (int argc, char **argv) - pflg = true; - group_passwd = optarg; - break; -+ case 'P': -+ pflg = true; -+ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ break; - case 'r': - rflg = true; - break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -- case 'P': /* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - default: - usage (E_USAGE); -@@ -588,7 +598,7 @@ int main (int argc, char **argv) - (void) textdomain (PACKAGE); - - process_root_flag ("-R", argc, argv); -- prefix = process_prefix_flag ("-P", argc, argv); -+ prefix = process_prefix_flag ("-A", argc, argv); - - OPENLOG ("groupadd"); - #ifdef WITH_AUDIT -diff --git a/src/groupmod.c b/src/groupmod.c -index bc14438..25ccb44 100644 ---- a/src/groupmod.c -+++ b/src/groupmod.c -@@ -138,8 +138,9 @@ static void usage (int status) - (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" - " PASSWORD\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs ("\n", usageout); - exit (status); - } -@@ -387,11 +388,12 @@ static void process_flags (int argc, char **argv) - {"new-name", required_argument, NULL, 'n'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {NULL, 0, NULL, '\0'} - }; -- while ((c = getopt_long (argc, argv, "g:hn:op:R:P:", -+ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:A:", - long_options, NULL)) != -1) { - switch (c) { - case 'g': -@@ -418,9 +420,17 @@ static void process_flags (int argc, char **argv) - group_passwd = optarg; - pflg = true; - break; -+ case 'P': -+ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ pflg = true; -+ break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -- case 'P': /* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - default: - usage (E_USAGE); -@@ -761,7 +771,7 @@ int main (int argc, char **argv) - (void) textdomain (PACKAGE); - - process_root_flag ("-R", argc, argv); -- prefix = process_prefix_flag ("-P", argc, argv); -+ prefix = process_prefix_flag ("-A", argc, argv); - - OPENLOG ("groupmod"); - #ifdef WITH_AUDIT -diff --git a/src/useradd.c b/src/useradd.c -index 1b7bf06..44f09e2 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -853,9 +853,10 @@ static void usage (int status) - (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" - " (non-unique) UID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout); - (void) fputs (_(" -r, --system create a system account\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); - (void) fputs (_(" -u, --uid UID user ID of the new account\n"), usageout); - (void) fputs (_(" -U, --user-group create a group with the same name as the user\n"), usageout); -@@ -1133,9 +1134,10 @@ static void process_flags (int argc, char **argv) - {"no-user-group", no_argument, NULL, 'N'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"system", no_argument, NULL, 'r'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {"shell", required_argument, NULL, 's'}, - {"uid", required_argument, NULL, 'u'}, - {"user-group", no_argument, NULL, 'U'}, -@@ -1146,9 +1148,9 @@ static void process_flags (int argc, char **argv) - }; - while ((c = getopt_long (argc, argv, - #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", -+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:UZ:", - #else /* !WITH_SELINUX */ -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", -+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:U", - #endif /* !WITH_SELINUX */ - long_options, NULL)) != -1) { - switch (c) { -@@ -1320,12 +1322,19 @@ static void process_flags (int argc, char **argv) - } - user_pass = optarg; - break; -+ case 'P': /* set clear text password */ -+ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ break; - case 'r': - rflg = true; - break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -- case 'P': /* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - case 's': - if ( ( !VALID (optarg) ) -@@ -2257,7 +2266,7 @@ int main (int argc, char **argv) - - process_root_flag ("-R", argc, argv); - -- prefix = process_prefix_flag("-P", argc, argv); -+ prefix = process_prefix_flag("-A", argc, argv); - - OPENLOG ("useradd"); - #ifdef WITH_AUDIT -diff --git a/src/usermod.c b/src/usermod.c -index 21c6da9..cffdb3e 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -431,8 +431,9 @@ static /*@noreturn@*/void usage (int status) - " new location (use only with -d)\n"), usageout); - (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); - (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); - (void) fputs (_(" -U, --unlock unlock the user account\n"), usageout); -@@ -1010,8 +1011,9 @@ static void process_flags (int argc, char **argv) - {"move-home", no_argument, NULL, 'm'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {"shell", required_argument, NULL, 's'}, - {"uid", required_argument, NULL, 'u'}, - {"unlock", no_argument, NULL, 'U'}, -@@ -1027,7 +1029,7 @@ static void process_flags (int argc, char **argv) - {NULL, 0, NULL, '\0'} - }; - while ((c = getopt_long (argc, argv, -- "abc:d:e:f:g:G:hl:Lmop:R:s:u:UP:" -+ "abc:d:e:f:g:G:hl:Lmop:P:R:s:u:UA:" - #ifdef ENABLE_SUBIDS - "v:w:V:W:" - #endif /* ENABLE_SUBIDS */ -@@ -1130,9 +1132,17 @@ static void process_flags (int argc, char **argv) - user_pass = optarg; - pflg = true; - break; -+ case 'P': -+ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ pflg = true; -+ break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -- case 'P': /* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - case 's': - if (!VALID (optarg)) { -@@ -2127,7 +2137,7 @@ int main (int argc, char **argv) - (void) textdomain (PACKAGE); - - process_root_flag ("-R", argc, argv); -- prefix = process_prefix_flag ("-P", argc, argv); -+ prefix = process_prefix_flag ("-A", argc, argv); - - OPENLOG ("usermod"); - #ifdef WITH_AUDIT diff --git a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch index 9825216369..bd24626a26 100644 --- a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch +++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch @@ -1,4 +1,4 @@ -From 66533c7c6f347d257020675a1ed6e0c59cbbc3f0 Mon Sep 17 00:00:00 2001 +From 1422c24f7266b553c82100e3d18a10c55cd91063 Mon Sep 17 00:00:00 2001 From: Chen Qi Date: Thu, 17 Jul 2014 15:53:34 +0800 Subject: [PATCH] commonio.c-fix-unexpected-open-failure-in-chroot-env @@ -21,10 +21,10 @@ Signed-off-by: Chen Qi 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/commonio.c b/lib/commonio.c -index 16fa7e7..d6bc297 100644 +index cef404b..66908fb 100644 --- a/lib/commonio.c +++ b/lib/commonio.c -@@ -632,10 +632,18 @@ int commonio_open (struct commonio_db *db, int mode) +@@ -646,10 +646,18 @@ int commonio_open (struct commonio_db *db, int mode) db->cursor = NULL; db->changed = false; diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index a5d77ebfe2..2834509649 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -10,10 +10,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \ DEPENDS = "virtual/crypt" UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases" -SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \ +SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP}.tar.gz \ file://shadow-4.1.3-dots-in-usernames.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://shadow-relaxed-usernames.patch \ + file://0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch \ + file://0001-libsubid-link-to-PAM-libraries.patch \ " SRC_URI:append:class-target = " \ @@ -23,15 +25,13 @@ SRC_URI:append:class-target = " \ SRC_URI:append:class-native = " \ file://0001-Disable-use-of-syslog-for-sysroot.patch \ - file://0002-Allow-for-setting-password-in-clear-text.patch \ file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ " SRC_URI:append:class-nativesdk = " \ file://0001-Disable-use-of-syslog-for-sysroot.patch \ " -SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480" -SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a" +SRC_URI[sha256sum] = "6c4627ff9c9422b96664517ae753c944f2902e92809d0698b65f5fef11985212" # Additional Policy files for PAM PAM_SRC_URI = "file://pam.d/chfn \ @@ -115,12 +115,6 @@ do_install() { # Use proper encryption for passwords sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/' ${D}${sysconfdir}/login.defs - # Now we don't have a mail system. Disable mail creation for now. - sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd - sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd - - # Use users group by default - sed -i 's,^GROUP=1000,GROUP=100,g' ${D}${sysconfdir}/default/useradd } do_install:append() { @@ -184,13 +178,6 @@ ALTERNATIVE:${PN}-base = "newgrp groups login su" ALTERNATIVE_LINK_NAME[login] = "${base_bindir}/login" ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su" -ALTERNATIVE:${PN}-doc = "passwd.5 getspnam.3 groups.1 su.1 nologin.8" -ALTERNATIVE_LINK_NAME[passwd.5] = "${mandir}/man5/passwd.5" -ALTERNATIVE_LINK_NAME[getspnam.3] = "${mandir}/man3/getspnam.3" -ALTERNATIVE_LINK_NAME[groups.1] = "${mandir}/man1/groups.1" -ALTERNATIVE_LINK_NAME[su.1] = "${mandir}/man1/su.1" -ALTERNATIVE_LINK_NAME[nologin.8] = "${mandir}/man8/nologin.8" - PACKAGE_WRITE_DEPS += "shadow-native" pkg_postinst:${PN}:class-target () { if [ "x$D" != "x" ]; then diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb deleted file mode 100644 index 2fbd81bf72..0000000000 --- a/meta/recipes-extended/shadow/shadow_4.8.1.bb +++ /dev/null @@ -1,11 +0,0 @@ -require shadow.inc - -# Build falsely assumes that if --enable-libpam is set, we don't need to link against -# libcrypt. This breaks chsh. -BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}" - -BBCLASSEXTEND = "native nativesdk" - -# Severity is low and marked as closed and won't fix. -# https://bugzilla.redhat.com/show_bug.cgi?id=884658 -CVE_CHECK_WHITELIST += "CVE-2013-4235" diff --git a/meta/recipes-extended/shadow/shadow_4.9.bb b/meta/recipes-extended/shadow/shadow_4.9.bb new file mode 100644 index 0000000000..2fbd81bf72 --- /dev/null +++ b/meta/recipes-extended/shadow/shadow_4.9.bb @@ -0,0 +1,11 @@ +require shadow.inc + +# Build falsely assumes that if --enable-libpam is set, we don't need to link against +# libcrypt. This breaks chsh. +BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}" + +BBCLASSEXTEND = "native nativesdk" + +# Severity is low and marked as closed and won't fix. +# https://bugzilla.redhat.com/show_bug.cgi?id=884658 +CVE_CHECK_WHITELIST += "CVE-2013-4235" -- cgit 1.2.3-korg