Commit message | Author | Age | Lines
* stpecpy.c: Add string copy function similar to strlcpy(3bsd) [strlcpy] | Alejandro Colomar | 2022-12-02 | -0/+79
  This function behaves like strlcpy(3bsd) and strlcat(3bsd), except that it is faster.
  - It doesn't need to traverse the whole dest string for concatenation.
  - The user doesn't need to recalculate the buffer remaining size for concatenation (that's an issue with strcpy(3bsd), when tried to use instead of strlcat(3bsd) to overcome performance issues).
  This function only has an (obvious) issue compared to strlcpy(3bsd)/strlcat(3bsd): When the memory is realloc(3)ated, the end pointer needs to be recalculated. In those cases, it is safer to use the BSD functions, even if slightly slower.
  Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
* strscpy.c: Add string copy function from the Linux kernel | Alejandro Colomar | 2022-12-02 | -0/+86
  This function implements the strscpy(9) API, as specified in the Debian manual page strscpy(9). This function was originally added to the Linux kernel for internal use.
  Link: <https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html>
  Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
* CI: add libbsd and pkg-config dependencies | Iker Pedrosa | 2022-11-28 | -1/+9
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
  Co-developed-by: Alejandro Colomar <alx@kernel.org>
  Signed-off-by: Alejandro Colomar <alx@kernel.org>
* Fix HAVE_SHADOWGRP configure check | Florian Weimer | 2022-11-21 | -0/+4
  The missing #include <gshadow.h> causes the configure check to fail spuriously, resulting in HAVE_SHADOWGRP not being defined even on systems that actually have sgetsgent (such as current glibc).
* Allow supplementary groups to be added via config file | Andy Zaugg | 2022-11-18 | -1/+185
  Allow supplementary groups to be set via the /etc/default/useradd config file. Allowing an administrator to set additional groups via the GROUPS configurable and control the default behaviour of useradd.
* useradd: check if subid range exists for user | Iker Pedrosa | 2022-11-18 | -2/+2
  Check if a user already has a subid range before assigning one.
  Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* Release 4.13 [4.13] | Serge Hallyn | 2022-11-08 | -1/+1
  Signed-off-by: Serge Hallyn <serge@hallyn.com>
* update changelog | Serge Hallyn | 2022-11-08 | -0/+29
* Don't warn when failed to open /etc/nsswitch.conf | Serge Hallyn | 2022-11-08 | -1/+0
  Maybe we should have a debug mode where it's still printed, but we don't, so let's be quieter.
  Closes #557
* useradd: Fix buffer overflow when using a prefix | David Michael | 2022-10-24 | -1/+1
  The buffer length did not count the string's trailing null byte.
  Signed-off-by: David Michael <fedora.dm0@gmail.com>
* adduser-old.c: Remove program | Alejandro Colomar | 2022-10-17 | -301/+1
  This program has 10 calls to gets(3) according to grep(1). That makes it a very unsafe program which should not be used at all. Let's kill the program already.
  See what gets(3) has to say:
  SYNOPSIS
      #include <stdio.h>
      [[deprecated]] char *gets(char *s);
  DESCRIPTION
      Never use this function.
      ...
  BUGS
      Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.
      For more information, see CWE-242 (aka "Use of Inherently Dangerous Function") at http://cwe.mitre.org/data/definitions/242.html
  Acked-by: "Serge E. Hallyn" <serge@hallyn.com>
  Signed-off-by: Alejandro Colomar <alx@kernel.org>
* Raise limit for passwd and shadow entry length | Iker Pedrosa | 2022-10-14 | -5/+22
  Moreover, include checks to prevent writing entries longer than the length limit.
  Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1422497
  Signed-off-by: Tomáš Mráz <tm@t8m.info>
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* lastlog: check for localtime() return value | Iker Pedrosa | 2022-10-07 | -3/+6
  Signed-off-by: Tomáš Mráz <tm@t8m.info>
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* man: add missing space in useradd.8.xml | Iker Pedrosa | 2022-10-07 | -1/+1
  Resolves: https://github.com/shadow-maint/shadow/issues/580
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* fix `usermod -rG x y` while user `y` is not in group `x` will cause user `y` add into group `x` | xyz | 2022-10-06 | -3/+3
* libmisc: minimum id check for system accounts | Iker Pedrosa | 2022-10-06 | -0/+14
  The minimum id allocation for system accounts shouldn't be 0 as this is reserved for root.
  Signed-off-by: Tomáš Mráz <tm@t8m.info>
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* usermod: report error if homedir does not exist | Iker Pedrosa | 2022-10-06 | -0/+5
  Report error if usermod asked for moving homedir and it does not exist.
  Signed-off-by: Tomáš Mráz <tm@t8m.info>
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* chage: Fix regression in print_date | Xiami | 2022-10-05 | -1/+1
  Introduced by c6c8130db4319613a91dd07bbb845f6c33c5f79f
  After removing snprintf, the format string should get unescaped once.
  Fixes #564
  Reporter and patch author: DerMouse (github.com/DerMouse)
* Use libc MAX() and MIN() | Alejandro Colomar | 2022-09-30 | -8/+1
  glibc, musl, FreeBSD, and OpenBSD define the MAX() and MIN() macros in <sys/param.h> with the same definition that we use. Let's not redefine it here and use the system one, as it's effectively the same as we define (modulo whitespace).
  See:
  shadow (previously):
      alx@asus5775:~/src/shadow/shadow$ grepc -ktm MAX
      ./lib/defines.h:318:#define MAX(x,y) (((x) > (y)) ? (x) : (y))
  glibc:
      alx@asus5775:~/src/gnu/glibc$ grepc -ktm -x 'sys/param.h$' MAX
      ./misc/sys/param.h:103:#define MAX(a,b) (((a)>(b))?(a):(b))
  musl:
      alx@asus5775:~/src/musl/musl$ grepc -ktm -x 'sys/param.h$' MAX
      ./include/sys/param.h:19:#define MAX(a,b) (((a)>(b))?(a):(b))
  OpenBSD:
      alx@asus5775:~/src/bsd/openbsd/src$ grepc -ktm -x 'sys/param.h$' MAX
      ./sys/sys/param.h:193:#define MAX(a,b) (((a)>(b))?(a):(b))
  FreeBSD:
      alx@asus5775:~/src/bsd/freebsd/freebsd-src$ grepc -ktm -x 'sys/param.h$' MAX
      ./sys/sys/param.h:333:#define MAX(a,b) (((a)>(b))?(a):(b))
  Signed-off-by: Alejandro Colomar <alx@kernel.org>
* Don't test for NULL before calling free(3) | Alex Colomar | 2022-09-29 | -58/+18
  free(3) accepts NULL, since the oldest ISO C. I guess the paranoid code was taking care of prehistoric implementations of free(3). I've never known of an implementation that doesn't conform to this, so let's simplify this.
  Remove xfree(3), which was effectively an equivalent of free(3).
  Signed-off-by: Alejandro Colomar <alx@kernel.org>
* updated Dutch translation | Frans Spiesschaert | 2022-09-27 | -54/+18
* lib: use memzero where applicable | Christian Göttsche | 2022-09-27 | -1/+1
  Use memzero when operating in a buffer of known size to clear all bytes and avoid leaking the size of the stored data.
* lib: use strzero where applicable | Christian Göttsche | 2022-09-27 | -4/+4
  Replace `memzero (s, strlen(s))` with just the internal wrapper `strzero (s)` where the underlying allocated size is not known.
* lib/commonio: make lock failures more detailed | Luca BRUNO | 2022-09-15 | -14/+14
  This tweaks the database locking logic so that failures in the link-checking paths are more detailed. The rationale for this is that I've experienced a non-deterministic bug which seems to be coming from this logic, and I'd like to get more details about the actual failing condition.
* copy_tree: carefully treat permissions | Samanta Navarro | 2022-09-14 | -11/+8
  The setuid, setgid, and sticky bits are not copied during copy_tree.
  Also start with very restrictive permissions before setting ownerships. This prevents situations in which users in a group with less permissions than others could win a race in opening the file before permissions are removed again.
  Proof of concept:
      $ echo $HOME
      /home/uwu
      $ install -o uwu -g fandom -m 604 /dev/null /home/uwu/owo
      $ ls -l /home/uwu/owo
      -rw----r-- 1 uwu fandom 0 Sep 4 00:00 /home/uwu/owo
  If /tmp is on another filesystem, then "usermod -md /tmp/uwu uwu" leads to this temporary situation:
      $ ls -l /tmp/uwu/owo
      -rw----r-- 1 root root 0 Sep 4 00:00 /tmp/uwu/owo
  This means that between openat and chownat_if_needed a user of group fandom could open /tmp/uwu/owo and read the content when it is finally written into the file.
* ci(lint): add shell linter - Differential ShellCheck | Jan Macku | 2022-09-12 | -0/+22
  It performs differential ShellCheck scans and reports results directly in pull request.
  documentation: https://github.com/redhat-plumbers-in-action/differential-shellcheck
  Signed-off-by: Jan Macku <jamacku@redhat.com>
* copy_tree: do not block on fifos | Samanta Navarro | 2022-09-09 | -4/+4
  Fixes regression introduced in faeab50e710131816b261de66141524898c2c487.
  If a directory contains fifos, then openat blocks until the other side of the fifo is connected as well.
  This means that users can prevent "usermod -m" from completing if their home directories contain at least one fifo.
* copy_tree: use fchmodat instead of chmod | Samanta Navarro | 2022-09-09 | -1/+1
  Fixes regression introduced in faeab50e710131816b261de66141524898c2c487 for setups configured without acl support.
* useradd: check MLS enablement before setting serange Resolves: https://github.com/shadow-maint/shadow/issues/552 | genBTC | 2022-09-02 | -13/+16
* shadow: use relaxed usernames | Alexander Kanavin | 2022-09-02 | -18/+42
  The groupadd from shadow does not allow upper case group names, the same is true for the upstream shadow. But distributions like Debian/Ubuntu/CentOS have their own way to cope with this problem, this patch is picked up from Fedora [1] to relax the usernames restrictions to allow the upper case group names, and the relaxation is POSIX compliant because POSIX indicates that usernames are composed of characters from the portable filename character set [A-Za-z0-9._-].
  [1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
* po: Georgian translation | NorwayFun | 2022-09-02 | -0/+1
  po: Georgian translation
* po: Georgian translation | NorwayFun | 2022-09-02 | -0/+3041
  po: Georgian translation
* useradd: Do not reset non-existent data in {last,fail}log | David Kalnischkies | 2022-08-31 | -2/+4
  useradd does not create the files if they don't exist, but if they exist it will reset user data even if the data did not exist before creating a hole and an explicitly zero'd data point resulting (especially for high UIDs) in a lot of zeros ending up in containers and tarballs.
* Revert "Drop unused function subid_init()" | Serge Hallyn | 2022-08-21 | -0/+41
  As rbalint points out, this was an exported fn. It also is the only way for a libsubid user to do what it does, so let's not drop it.
  This reverts commit 477c8e6f42df1e17e45584e74988eb46a11e6caa.
* useradd.8.xml: fix default group id from 100 to 1000 according to bbf4b79 | Tim Biermann | 2022-08-21 | -1/+1
* Release 4.12.2 with CVE fix [4.12.2] | Serge Hallyn | 2022-08-18 | -1/+6
  Signed-off-by: Serge Hallyn <serge@hallyn.com>
* Avoid races in copy_tree() | Christian Göttsche | 2022-08-17 | -112/+218
  Use *at() functions to pin the directory operating in to avoid being redirected by unprivileged users replacing parts of paths by symlinks to privileged files.
  Introduce a path_info struct with the full path and dirfd and name information for *at() functions, since the full path is needed for link resolution, SELinux label lookup and ACL attributes.
* Address minor compiler warnings | Christian Göttsche | 2022-08-17 | -2/+2
      copydir.c:666:44: warning: unsigned conversion from 'int' to '__mode_t' {aka 'unsigned int'} changes value from '-4096' to '4294963200' [-Wsign-conversion]
        666 | if ( (mknod (dst, statp->st_mode & ~07777, statp->st_rdev) != 0)
            | ^
      copydir.c:116:1: warning: missing initializer for field 'quote' of 'struct error_context' [-Wmissing-field-initializers]
        116 | };
            | ^
      In file included from copydir.c:27:
      /usr/include/attr/error_context.h:30:23: note: 'quote' declared here
         30 | const char *(*quote) (struct error_context *, const char *);
            | ^~~~~
* More robust file content copy in copy_tree() | Christian Göttsche | 2022-08-17 | -4/+54
  Bail out on read(2) failure, continue on EINTR, support short writes and increase chunk size.
* Fail if regular file pre-exists in copy_tree() | Christian Göttsche | 2022-08-17 | -1/+1
  Similar to the default behavior of mkdir(2), symlink(2), link(2) and mknod(2).
* Require symlink support | Christian Göttsche | 2022-08-17 | -27/+3
  Require lstat(2), lchown(2), S_IFLNK and S_ISLNK from POSIX.1-2001. Already unconditionally used in lib/tcbfuncs.c and lib/run_part.c.
* Avoid races in remove_tree() | Christian Göttsche | 2022-08-17 | -48/+39
  Use *at() functions to pin the directory operating in to avoid being redirected by unprivileged users replacing parts of paths by symlinks to privileged files.
* Avoid races in chown_tree() | Christian Göttsche | 2022-08-17 | -81/+49
  Use *at() functions to pin the directory operating in to avoid being redirected by unprivileged users replacing parts of paths by symlinks to privileged files.
* Release 4.12 [4.12.1] | Serge Hallyn | 2022-08-15 | -1/+5
  Signed-off-by: Serge Hallyn <serge@hallyn.com>
* uk has no limits.5 translation | Serge Hallyn | 2022-08-12 | -1/+0
  Signed-off-by: Serge Hallyn <serge@hallyn.com>
* Add uk to list of man subdirs | Serge Hallyn | 2022-08-12 | -1/+1
  Closes #547
  Signed-off-by: Serge Hallyn <serge@hallyn.com>
* Release 4.12 [4.12] | Serge Hallyn | 2022-08-11 | -1/+1
  Signed-off-by: Serge Hallyn <serge@hallyn.com>
* Update changelog | Serge Hallyn | 2022-08-08 | -0/+9
  Signed-off-by: Serge Hallyn <serge@hallyn.com>
* libmisc/root_flag: add tips for --root flag only support abspath | Celeste Liu | 2022-08-06 | -591/+620
  - Add tips in error message.
  - Add tips in man.
  - Add zh_CN and zh_TW for tips.
  Signed-off-by: Celeste Liu <coelacanthus@outlook.com>
* Use function format attribute where applicable | Christian Göttsche | 2022-08-06 | -11/+7
  Allow the compiler to verify the format string against the supplied arguments.
      chage.c:239:51: warning: format not a string literal, format string not checked [-Wformat-nonliteral]
        239 | (void) strftime (buf, sizeof buf, format, tp);
            | ^~~~~~