There are no guarantees that fstatat() does not clobber the stat
buffer on errors.
Use a temporary buffer so that the following code sees correct
attributes of the source entry.
Link: <https://github.com/shadow-maint/shadow/issues/973>
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 000619344ddb ("lib/copydir:copy_entry(): use temporary stat buffer")
Link: <https://github.com/shadow-maint/shadow/pull/974>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Adding function check_fds to new file fd.c. The function check_fds
should be called in every setuid/setgid program.
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: d2f2c1877a30 ("Adding checks for fd omission")
Link: <https://github.com/shadow-maint/shadow/pull/964>
Link: <https://inbox.sourceware.org/libc-alpha/ZeyujhVRsDTUNUtw@debian/T/>
[alx: It seems we shouldn't need this, as libc does it for us. But it ]
[ shouldn't hurt either. Let's be paranoic. ]
Cc: <Guillem Jover <guillem@hadrons.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: "Skyler Ferrante (RIT Student)" <sjf5462@rit.edu>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Christian Brauner <christian@brauner.io>
Cc: Rich Felker <dalias@libc.org>
Cc: Andreas Schwab <schwab@linux-m68k.org>
Cc: Thorsten Glaser <tg@mirbsd.de>
Cc: NRK <nrk@disroot.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: enh <enh@google.com>
Cc: Laurent Bercot <ska-dietlibc@skarnet.org>
Cc: Gabriel Ravier <gabravier@gmail.com>
Cc: Zack Weinberg <zack@owlfolio.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
This avoids using argv[0], which is controlled by the user,
and might inject arbitrary text in stderr and the logs.
Link: <https://github.com/shadow-maint/shadow/issues/959>
Link: <https://github.com/shadow-maint/shadow/pull/960>
Cc: "Skyler Ferrante (RIT Student)" <sjf5462@rit.edu>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Karel Zak <kzak@redhat.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Christian Brauner <christian@brauner.io>
Cherry-picked-from: 89c4da43cbe8 ("src/vipw.c: Use string literals to initialize 'Prog'")
Link: <https://github.com/shadow-maint/shadow/pull/962>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Since we're checking for "vigr", it makes more sense to name the
variable accordingly.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 0ab893a734b1 ("src/vipw.c: Reverse logic and variable name")
Link: <https://github.com/shadow-maint/shadow/pull/962>
[alx: This is needed by 89c4da43cbe8 ("src/vipw.c: Use string literals to initialize 'Prog'")
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Set Prog (program name) based on hardcoded value instead of argv[0].
This is to help prevent escape sequence injection.
Cherry-picked-from: e6c2e4393784 ("Hardcoding Prog to known value")
Link: <https://github.com/shadow-maint/shadow/issues/959>
Link: <https://github.com/shadow-maint/shadow/pull/960>
Cc: "Skyler Ferrante (RIT Student)" <sjf5462@rit.edu>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Karel Zak <kzak@redhat.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Christian Brauner <christian@brauner.io>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Recently, we started using utmpx instead of utmp, and we updated
<./configure.ac> to do the checks for 'struct utmpx' instead of
'struct utmp'. However, I forgot to update the preprocessor
conditionals accordingly.
Fixes: 64bcb54fa962 ("lib/, src/, configure.ac: Use utmpx instead of utmp")
Link: <https://github.com/shadow-maint/shadow/pull/954>
Cc: Firas Khalil Khana <firasuke@gmail.com>
Cc: "A. Wilfox" <https://github.com/awilfox>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 1af6b68cbeb9 ("lib/utmp.c: Use the appropriate autotools macros for struct utmpx")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 2806b827d839 ("lib/utmp.c: Use defined() instead of #if[n]def")
[alx: This is needed by 1af6b68cbeb9 ("lib/utmp.c: Use the appropriate autotools macros for struct utmpx")]
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Indentation makes it clear which is which.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 7e94a2f4841a ("lib/utmp.c: Remove #endif comments")
[alx: This is needed by 1af6b68cbeb9 ("lib/utmp.c: Use the appropriate autotools macros for struct utmpx")]
Signed-off-by: Alejandro Colomar <alx@kernel.org>
A difference between 'struct utmp' and 'struct utmpx' is that
the former uses UT_LINESIZE for the size of its array members,
while the latter doesn't have a standard variable to get its
size. Therefore, we need to get the number of elements in
the array with NITEMS().
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cc: Firas Khalil Khana <firasuke@gmail.com>
Cc: "A. Wilfox" <https://github.com/awilfox>
Cherry-picked-from: 5ff6edf9f29e ("lib/utmp.c: Replace UT_LINESIZE by a NITEMS() calculation")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
utmpx is specified by POSIX as an XSI extension. That's more portable
than utmp, which is unavailable for example in musl libc. The manual
page specifies that in Linux (but it probably means in glibc), utmp and
utmpx (and the functions that use them) are identical, so this commit
shouldn't affect glibc systems.
Assume utmpx is always present.
Also, if utmpx is present, POSIX guarantees that some members exist:
- ut_user
- ut_id
- ut_line
- ut_pid
- ut_type
- ut_tv
So, rely on them unconditionally.
Fixes: 170b76cdd1a9 ("Disable utmpx permanently")
Closes: <https://github.com/shadow-maint/shadow/issues/945>
Reported-by: Firas Khalil Khana <firasuke@gmail.com>
Reported-by: "A. Wilfox" <https://github.com/awilfox>
Tested-by: Firas Khalil Khana <firasuke@gmail.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 64bcb54fa962 ("lib/, src/, configure.ac: Use utmpx instead of utmp")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
This changes pull some more dependencies. That's too much for a stable
branch, I think. If anyone needs them, please ask for them, but for now
let's keep them out.
Reverts: 9d5591fba90f ("src/passwd.c: check password length upper limit")
Reverts: dbdda2a48a77 ("lib/: Saturate addition to avoid overflow")
Reverts: 541d4dde23e8 ("src/chage.c: Unify long overflow checks in print_day_as_date()")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
The passwd silently truncated the password length to PASS_MAX.
This patch introduces check that prints an error message
and exits the call.
Signed-off-by: Tomas Halman <tomas@halman.net>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: f024002b3d66 ("src/passwd.c: inconsistent password length limit")
Cc: Serge Hallyn <serge@hallyn.com>
Link: <https://github.com/shadow-maint/shadow/pull/953>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
The passwd utility had hardcoded limit for password lenght set
to 200 characters. In the agetpass.c is used PASS_MAX for
this purpose.
This patch moves the PASS_MAX definition to common place
and uses it in both places.
Signed-off-by: Tomas Halman <tomas@halman.net>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: f024002b3d66 ("src/passwd.c: inconsistent password length limit")
Cc: Serge Hallyn <serge@hallyn.com>
Link: <https://github.com/shadow-maint/shadow/pull/953>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Days officially roll over at 00:00 UTC, not at 12:00 UTC. I see no
reason to add that half day.
Also, remove the comment. It's likely to get stale.
So, get_date() gets the number of seconds since the Epoch. I wonder how
that thing works, but I'll assume it's something similar to getdate(3)
+ mktime(3). After that, we need to convert seconds since Epoch to days
since Epoch. That should be a simple division, AFAICS, since Epoch is
"1970‐01‐01 00:00:00 +0000 (UTC)". See mktime(3).
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Link: <https://github.com/shadow-maint/shadow/issues/939>
Reported-by: Michael Vetter <jubalh@iodoru.org>
Tested-by: Gus Kenion <https://github.com/kenion>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 1175932c0c86 ("lib/strtoday.c: strtoday(): Fix calculation")
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Link: <https://github.com/shadow-maint/shadow/pull/942>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Before 3b7cc053872c ("lib: replace `USER_NAME_MAX_LENGTH` macro"), this
code did use a length. It used a utmp(5) fixed-width buffer, so the
length matches the buffer size (there was no terminating NUL byte).
However, sysconf(_SC_LOGIN_NAME_MAX) returns a buffer size that accounts
for the terminating null byte; see sysconf(3). Thus, the commit that
introduced the call to sysconf(3), should have taken that detail into
account.
403a2e3771be ("lib/chkname.c: Take NUL byte into account"), by Tobias,
caught that bug in <lib/chkname.c>, but missed that the same commit that
introduced that bug, introduced the same bug in two other places.
This fixes all remaining calls to sysconf(_SC_LOGIN_NAME_MAX).
I still observe some suspicious code after this fix:
if (do_rlogin(hostname, username, max_size - 1, term, sizeof(term)))
...
login_prompt(username, max_size - 1);
We're passing size-1 to functions that want a size. But since the fix
to those will be different, let's do that in the following commits.
Link: <https://github.com/shadow-maint/shadow/pull/935>
Link: <https://github.com/shadow-maint/shadow/issues/920#issuecomment-1926002209>
Link: <https://github.com/shadow-maint/shadow/pull/757>
Link: <https://github.com/shadow-maint/shadow/issues/674>
See-also: 403a2e3771be ("lib/chkname.c: Take NUL byte into account")
Fixes: 3b7cc053872c ("lib: replace `USER_NAME_MAX_LENGTH` macro")
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 6551709e96b2 ("src/login.c: Fix off-by-one buggs")
Link: <https://github.com/shadow-maint/shadow/pull/936>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Very large values in /etc/shadow could lead to overflows. Make sure
that these calculations are saturated at LONG_MAX. Since entries are
based on days and not seconds since epoch, saturating won't hurt anyone.
Co-developed-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 674409e2265e ("lib/: Saturate addition to avoid overflow")
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Link: <https://github.com/shadow-maint/shadow/pull/876>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
The conversion from day to seconds can be done in print_date
(renamed to print_day_as_date for clarification). This has the nice
benefit that DAY multiplication and long to time_t conversion are done
at just one place.
Co-developed-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 20100e4b22c3 ("src/chage.c: Unify long overflow checks in print_day_as_date()")
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Link: <https://github.com/shadow-maint/shadow/pull/876>
[alx: This is a pre-requisite for 674409e2265e ("lib/: Saturate addition to avoid overflow")]
Signed-off-by: Alejandro Colomar <alx@kernel.org>
SCALE is always DAY (and has to be always DAY), so replace it with DAY
in source code and remove unneeded calculations.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Link: <https://github.com/shadow-maint/shadow/pull/876>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: ecc3508877d2 ("lib/, src/: Remove SCALE definition")
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Link: <https://github.com/shadow-maint/shadow/pull/888>
Link: <https://github.com/shadow-maint/shadow/pull/876>
[alx: This is a pre-requisite for 674409e2265e ("lib/: Saturate addition to avoid overflow")]
Signed-off-by: Alejandro Colomar <alx@kernel.org>
ITI_AGING is not set through any build environment. If it would be set,
then timings in /etc/shadow would not fit anymore.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Cherry-picked-from: ab260fcd1f6f ("lib/defines.h: Remove ITI_AGING")
Link: <https://github.com/shadow-maint/shadow/pull/873>
Link: <https://github.com/shadow-maint/shadow/pull/876>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
[alx: This is a pre-requisite for 674409e2265e ("lib/: Saturate addition to avoid overflow")]
Signed-off-by: Alejandro Colomar <alx@kernel.org>
The commit we're fixing mentions that it wanted to move 'chpasswd', but
it removed 'ch_g_passwd' from 'pamd_acct_tools_files' and added
'chpasswd' to 'pamd_files'. It seems it removed the wrong thing by
accident.
Fixes: 341d80c2c751 ("Makefile: move chpasswd and newusers to pamd target")
Link: <https://github.com/shadow-maint/shadow/pull/928#discussion_r1487687347>
Link: <https://github.com/shadow-maint/shadow/issues/926#issuecomment-1941324761>
Reported-by: Dominique Leuenberger <dleuenberger@suse.com>
Reported-by: Michael Vetter <jubalh@iodoru.org>
Cc: David Runge <dvzrv@archlinux.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Tested-by: Michael Vetter <jubalh@iodoru.org>
Reviewed-by: Michael Vetter <jubalh@iodoru.org>
Reviewed-by: loqs <https://github.com/loqs>
Co-developed-by: Dominique Leuenberger <dleuenberger@suse.com>
Signed-off-by: Dominique Leuenberger <dleuenberger@suse.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 7eb10e6298aa ("etc/pam.d/Makefile.am: Fix typo")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
The _SC_LOGIN_NAME_MAX value includes space for the NUL byte. The
length of name must smaller than this value to be valid.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Cherry-picked-from: 403a2e3771be ("lib/chkname.c: Take NUL byte into account")
Link: <https://github.com/shadow-maint/shadow/pull/935>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
I used size_t because:
sysconf(3) can return -1 if the value is not supported, but then it can
only mean that there's no limit. Having no limit is the same as having
a limit of SIZE_MAX (to which -1 is converted).
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 6be85b0bafb5 ("lib/chkname.c: Use tmp variable to avoid a -Wsign-compare warning")
[alx: This is to cherry-pick the next commit without conflict]
Link: <https://github.com/shadow-maint/shadow/pull/801>
Link: <https://github.com/shadow-maint/shadow/pull/935>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
This fixes build with glibc-2.33 (newer glibc merged libdl and libpthread
into libc):
```
libtool: link: x86_64-pc-linux-gnu-gcc -isystem /usr/include/bsd -DLIBBSD_OVERLAY -O2 -pipe -Wl,-O1 -o login login.o login_nopam.o -Wl,--as-needed ../lib/.libs/libshadow.a -lcrypt -lsystemd -lpam -lpam_misc -lbsd
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: ../lib/.libs/libshadow.a(libshadow_la-nss.o): undefined reference to symbol 'dlclose@@GLIBC_2.2.5'
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: /lib64/libdl.so.2: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
```
In Debian, the needed macro from libtool seems to be in libltdl-dev.
Signed-off-by: Sam James <sam@gentoo.org>
Cc: Iker Pedrosa <ikerpedrosam@gmail.com>
Cherry-picked-from: 0f4e59fd00cf ("Link correctly with libdl")
Link: <https://github.com/shadow-maint/shadow/pull/917>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
If reallocation fails in function list, then reset the size to 0 again.
Without the reset, the next call assumes that `members` points to
a memory location with reserved space.
Also use size_t instead of int for size to prevent signed integer
overflows. The length of group lines is not limited.
Fixes 45c0003e53ab671c63dcd530fd9f3245d3b29e76 (4.14 release series)
Proof of Concept:
- Prepare a group file (one long group line and a shorter one, both with a list of users)
$ echo -n "root❌0:" > /tmp/uwu
$ yes , | tr -d '\n' | dd of=/tmp/uwu bs=10 count=3145728 seek=1 conv=notrunc iflag=fullblock
$ echo -e "\nbin❌1:," >> /tmp/uwu
- Run grpck with tight memory constraints
$ ulimit -d 102400
$ grpck /tmp/uwu
Segmentation fault (core dumped)
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Cherry-picked-from: a9e07c0feb43 ("lib/sgetgrent.c: fix null pointer dereference")
Link: <https://github.com/shadow-maint/shadow/pull/904>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Fixes: 74c17c716 ("Add support for skeleton files from /usr/etc/skel")
Signed-off-by: Johannes Segitz <jsegitz@suse.com>
Cherry-picked-from: 48aa12af31c0b72872b411857d03a518a4200a3d
Link: <https://github.com/shadow-maint/shadow/pull/812>
Reviewed-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
The separation was unnecessary, and caused build problems. Let's go
wild and obliterate the library. The files are moved to libshadow.
Scripted change:
$ find libmisc/ -type f \
| grep '\.[chy]$' \
| xargs mv -t lib;
Plus updating the Makefile and other references. While at it, I've
sorted the sources lists.
Link: <https://github.com/shadow-maint/shadow/pull/792>
Reported-by: David Seifert <soap@gentoo.org>
Cc: Sam James <sam@gentoo.org>
Cc: Christian Bricart <christian@bricart.de>
Cc: Michael Vetter <jubalh@iodoru.org>
Cc: Robert Förster <Dessa@gmake.de>
[ soap tested the Gentoo package ]
Tested-by: David Seifert <soap@gentoo.org>
Acked-by: David Seifert <soap@gentoo.org>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Iker Pedrosa <ipedrosa@redhat.com>
Acked-by: <lslebodn@fedoraproject.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
