commit: 4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> AuthorDate: Mon Mar 13 12:36:50 2017 +0000 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> CommitDate: Mon Mar 13 12:38:29 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d5d0eac
sys-apps/shadow: Security cleanup (bug #610804). Package-Manager: Portage-2.3.4, Repoman-2.3.2 sys-apps/shadow/Manifest | 1 - .../files/shadow-4.2.1-cross-size-checks.patch | 41 ---- ...4.2.1-verbose-error-when-uid-doesnt-match.patch | 76 -------- sys-apps/shadow/shadow-4.2.1-r2.ebuild | 214 --------------------- 4 files changed, 332 deletions(-) diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest index 251f1ce80a1..df4f7606de4 100644 --- a/sys-apps/shadow/Manifest +++ b/sys-apps/shadow/Manifest @@ -1,2 +1 @@ -DIST shadow-4.2.1.tar.xz 1594536 SHA256 3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 SHA512 7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 WHIRLPOOL 032857f5fae8486cc3dd11303bfa7da55019000ce8ad7bac2f398f9f9764c8659e20a1547d05c5e4f366db749a52afb3083017faf14f6a72ee48345dcd1f86aa DIST shadow-4.4.tar.gz 3706812 SHA256 2398fe436e548786c17ec387b4c41f5339f72ec9ee2f3f7a6e0cc2cb240bb482 SHA512 c1e0f65a4fbd0f9d8de38e488b4a374cac5c476180e233269fc666988d9201c0dcc694605c5e54d54f81039c2e30c95b14c12f10adef749a45cc31f0b4b5d5a6 WHIRLPOOL a22fc0f90ec0623cbbcef253378a16ad605cf71345074880e3fd12fb5914058d3e721f378730c9684497cc597595b7defc7e710206268ae320a090c8c35fd41e diff --git a/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch b/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch deleted file mode 100644 index f067caab204..00000000000 --- a/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001 -From: James Le Cuirot <[email protected]> -Date: Sat, 23 Aug 2014 09:46:39 +0100 -Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF - -This built-in check is simpler than the previous method and, most -importantly, works when cross-compiling. - -Signed-off-by: Serge Hallyn <[email protected]> ---- - configure.in | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - -diff --git a/configure.in b/configure.in -index 1a3f841..4a4d6d0 100644 ---- a/configure.in -+++ b/configure.in -@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then - dnl - dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc - dnl -- AC_RUN_IFELSE([AC_LANG_SOURCE([ --#include <sys/types.h> --int main(void) { -- uid_t u; -- gid_t g; -- return (sizeof u < 4) || (sizeof g < 4); --} -- ])], [id32bit="yes"], [id32bit="no"]) -- -- if test "x$id32bit" = "xyes"; then -+ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"]) -+ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"]) -+ -+ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then - AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.]) - enable_subids="yes" - else --- -2.3.6 - diff --git a/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch b/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch deleted file mode 100644 index 340424eb12e..00000000000 --- a/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch +++ /dev/null @@ -1,76 +0,0 @@ -From: Hank Leininger <[email protected]> -Date: Mon, 6 Apr 2015 08:22:48 -0500 -Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not - like the user/group ownership of their target process. - -Currently the error is just: - -newuidmap: Target [pid] is owned by a different user - -With this patch it will be like: - -newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99 - -Why is this useful? Well, in my case... - -The grsecurity kernel-hardening patch includes an option to make parts -of /proc unreadable, such as /proc/pid/ dirs for processes not owned by -the current uid. This comes with an option to make /proc/pid/ -directories readable by a specific gid; sysadmins and the like are then -put into that group so they can see a full 'ps'. - -This means that the check in new[ug]idmap fails, as in the above quoted -error - /proc/[targetpid] is owned by root, but the group is 99 so that -users in group 99 can see the process. - -Some Googling finds dozens of people hitting this problem, but not -*knowing* that they have hit this problem, because the errors and -circumstances are non-obvious. - -Some graceful way of handling this and not failing, will be next ;) But -in the meantime it'd be nice to have new[ug]idmap emit a more useful -error, so that it's easier to troubleshoot. - -Thanks! - -Signed-off-by: Hank Leininger <[email protected]> -Signed-off-by: Serge Hallyn <[email protected]> ---- - src/newgidmap.c | 6 ++++-- - src/newuidmap.c | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/newgidmap.c b/src/newgidmap.c -index a532b45..451c6a6 100644 ---- a/src/newgidmap.c -+++ b/src/newgidmap.c -@@ -161,8 +161,10 @@ int main(int argc, char **argv) - (getgid() != pw->pw_gid) || - (pw->pw_uid != st.st_uid) || - (pw->pw_gid != st.st_gid)) { -- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), -- Prog, target); -+ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), -+ Prog, target, -+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, -+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); - return EXIT_FAILURE; - } - -diff --git a/src/newuidmap.c b/src/newuidmap.c -index 5150078..9c8bc1b 100644 ---- a/src/newuidmap.c -+++ b/src/newuidmap.c -@@ -161,8 +161,10 @@ int main(int argc, char **argv) - (getgid() != pw->pw_gid) || - (pw->pw_uid != st.st_uid) || - (pw->pw_gid != st.st_gid)) { -- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), -- Prog, target); -+ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), -+ Prog, target, -+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, -+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); - return EXIT_FAILURE; - } - diff --git a/sys-apps/shadow/shadow-4.2.1-r2.ebuild b/sys-apps/shadow/shadow-4.2.1-r2.ebuild deleted file mode 100644 index 0e9e3a4d4e5..00000000000 --- a/sys-apps/shadow/shadow-4.2.1-r2.ebuild +++ /dev/null @@ -1,214 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI="5" - -inherit eutils libtool pam multilib autotools - -DESCRIPTION="Utilities to deal with user accounts" -HOMEPAGE="http://shadow.pld.org.pl/ http://pkg-shadow.alioth.debian.org/"; -SRC_URI="http://pkg-shadow.alioth.debian.org/releases/${P}.tar.xz"; - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86" -IUSE="acl audit cracklib nls pam selinux skey xattr" -# Taken from the man/Makefile.am file. -LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) -IUSE+=" $(printf 'linguas_%s ' ${LANGS[*]})" - -RDEPEND="acl? ( sys-apps/acl ) - audit? ( sys-process/audit ) - cracklib? ( >=sys-libs/cracklib-2.7-r3 ) - pam? ( virtual/pam ) - skey? ( sys-auth/skey ) - selinux? ( - >=sys-libs/libselinux-1.28 - sys-libs/libsemanage - ) - nls? ( virtual/libintl ) - xattr? ( sys-apps/attr )" -DEPEND="${RDEPEND} - app-arch/xz-utils - sys-devel/gettext" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20150213 )" - -PATCHES=( - "${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch - "${FILESDIR}"/${P}-cross-size-checks.patch - "${FILESDIR}"/${P}-verbose-error-when-uid-doesnt-match.patch -) - -src_prepare() { - epatch "${PATCHES[@]}" - epatch_user - # https://github.com/shadow-maint/shadow/pull/5 - mv configure.{in,ac} || die - eautoreconf - #elibtoolize -} - -src_configure() { - econf \ - --without-group-name-max-length \ - --without-tcb \ - --enable-shared=no \ - --enable-static=yes \ - $(use_with acl) \ - $(use_with audit) \ - $(use_with cracklib libcrack) \ - $(use_with pam libpam) \ - $(use_with skey) \ - $(use_with selinux) \ - $(use_enable nls) \ - $(use_with elibc_glibc nscd) \ - $(use_with xattr attr) - has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 - - if use nls ; then - local l langs="po" # These are the pot files. - for l in ${LANGS[*]} ; do - use linguas_${l} && langs+=" ${l}" - done - sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die - fi -} - -set_login_opt() { - local comment="" opt=$1 val=$2 - if [[ -z ${val} ]]; then - comment="#" - sed -i \ - -e "/^${opt}\>/s:^:#:" \ - "${ED}"/etc/login.defs || die - else - sed -i -r \ - -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/etc/login.defs - fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) - einfo "${res:-Unable to find ${opt} in /etc/login.defs}" -} - -src_install() { - emake DESTDIR="${D}" suidperms=4711 install - - # Remove libshadow and libmisc; see bug 37725 and the following - # comment from shadow's README.linux: - # Currently, libshadow.a is for internal use only, so if you see - # -lshadow in a Makefile of some other package, it is safe to - # remove it. - rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la} - - insinto /etc - if ! use pam ; then - insopts -m0600 - doins etc/login.access etc/limits - fi - - # needed for 'useradd -D' - insinto /etc/default - insopts -m0600 - doins "${FILESDIR}"/default/useradd - - # move passwd to / to help recover broke systems #64441 - mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die - dosym /bin/passwd /usr/bin/passwd - - cd "${S}" - insinto /etc - insopts -m0644 - newins etc/login.defs login.defs - - set_login_opt CREATE_HOME yes - if ! use pam ; then - set_login_opt MAIL_CHECK_ENAB no - set_login_opt SU_WHEEL_ONLY yes - set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict - set_login_opt LOGIN_RETRIES 3 - set_login_opt ENCRYPT_METHOD SHA512 - set_login_opt CONSOLE - else - dopamd "${FILESDIR}"/pam.d-include/shadow - - for x in chpasswd chgpasswd newusers; do - newpamd "${FILESDIR}"/pam.d-include/passwd ${x} - done - - for x in chage chsh chfn \ - user{add,del,mod} group{add,del,mod} ; do - newpamd "${FILESDIR}"/pam.d-include/shadow ${x} - done - - # comment out login.defs options that pam hates - local opt sed_args=() - for opt in \ - CHFN_AUTH \ - CONSOLE \ - CRACKLIB_DICTPATH \ - ENV_HZ \ - ENVIRON_FILE \ - FAILLOG_ENAB \ - FTMP_FILE \ - LASTLOG_ENAB \ - MAIL_CHECK_ENAB \ - MOTD_FILE \ - NOLOGINS_FILE \ - OBSCURE_CHECKS_ENAB \ - PASS_ALWAYS_WARN \ - PASS_CHANGE_TRIES \ - PASS_MIN_LEN \ - PORTTIME_CHECKS_ENAB \ - QUOTAS_ENAB \ - SU_WHEEL_ONLY - do - set_login_opt ${opt} - sed_args+=( -e "/^#${opt}\>/b pamnote" ) - done - sed -i "${sed_args[@]}" \ - -e 'b exit' \ - -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ - -e ': exit' \ - "${ED}"/etc/login.defs || die - - # remove manpages that pam will install for us - # and/or don't apply when using pam - find "${ED}"/usr/share/man \ - '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ - -delete - - # Remove pam.d files provided by pambase. - rm "${ED}"/etc/pam.d/{login,passwd,su} || die - fi - - # Remove manpages that are handled by other packages - find "${ED}"/usr/share/man \ - '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \ - -delete - - cd "${S}" - dodoc ChangeLog NEWS TODO - newdoc README README.download - cd doc - dodoc HOWTO README* WISHLIST *.txt -} - -pkg_preinst() { - rm -f "${EROOT}"/etc/pam.d/system-auth.new \ - "${EROOT}/etc/login.defs.new" -} - -pkg_postinst() { - # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT}" 2>/dev/null ; then - grpconv -R "${EROOT}" - else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" - ewarn "run 'grpconv' afterwards!" - fi - fi - - einfo "The 'adduser' symlink to 'useradd' has been dropped." -}
