git.ipfire.org Git - thirdparty/shadow.git/log
Fix su(1) silent truncation (2 years ago)
Alejandro Colomar [Mon, 13 Mar 2023 00:21:42 +0000 (01:21 +0100)] 
Fix su(1) silent truncation

*  src/su.c (check_perms): Do not silently truncate user name.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Simplify is_my_tty() (2 years ago)
Alejandro Colomar [Sun, 12 Mar 2023 23:59:22 +0000 (00:59 +0100)] 
Simplify is_my_tty()

This commit will serve to document why we shouldn't worry about the
truncation in the call to strlcpy(3).  Since we have one more byte in
tmptty than in full_tty, truncation will produce a string that is at
least one byte longer than full_tty.  Such a string could never compare
equal, so we're actually handling the truncation in a clever way.  Maybe
too clever, but that's why I'm documenting it here.

Now, about the simplification itself:

Since we made sure that both full_tty and tmptty are null-terminated, we
can call strcmp(3) instead of strncmp(3).  We can also simplify the
return logic avoiding one branch.

Cc: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Fix is_my_tty() buffer overrun (2 years ago)
Alejandro Colomar [Sun, 12 Mar 2023 23:41:00 +0000 (00:41 +0100)] 
Fix is_my_tty() buffer overrun

*  libmisc/utmp.c (is_my_tty): Declare the parameter as a char array,
   not char *, as it is not necessarily null-terminated.
   Avoid a read overrun when reading 'tty', which comes from
   'ut_utname'.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
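Added example, not the project's own code, showing the two properties the is_my_tty() commits above rely on: the utmp line field is a fixed-width array that may lack a NUL terminator, and a copy buffer one byte larger than the comparison buffer makes any truncated copy compare unequal. The UT_LINESIZE value, the sample line fields and the explicit my_tty parameter (the real function asks ttyname(3) for it) are assumptions made for this illustration:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UT_LINESIZE  32      /* width of ut_line in glibc's struct utmp (assumed) */
#define DEV_PREFIX   "/dev/"
#define STRLEN(s)    (sizeof(s) - 1)   /* strlen(3) for string literals */

/* Sample utmp line fields, constructed for the test.  The second one is
 * exactly UT_LINESIZE bytes long, so it carries no terminating NUL. */
static const char sample_pts3[UT_LINESIZE] = "pts/3";
static const char sample_full[UT_LINESIZE] = "ttyS0123456789abcdef0123456789ab";

/* my_tty is the caller's terminal path (the real function obtains it from
 * ttyname(3)); tty is the ut_line field to compare against, declared as an
 * array to document that it may lack a NUL terminator. */
static bool
is_my_tty(const char *my_tty, const char tty[UT_LINESIZE])
{
	/* Large enough for "/dev/" + a full, unterminated ut_line + NUL. */
	char  full_tty[STRLEN(DEV_PREFIX) + UT_LINESIZE + 1];
	/* One byte more than full_tty: a copy that had to be truncated is
	 * still longer than anything full_tty can hold, so the strcmp(3)
	 * below cannot report a false match for an over-long path. */
	char  tmptty[sizeof(full_tty) + 1];

	/* "%.*s" reads at most UT_LINESIZE bytes from tty, NUL or not. */
	snprintf(full_tty, sizeof(full_tty), "%s%.*s", DEV_PREFIX, UT_LINESIZE, tty);
	/* Bounded copy of the caller's path; truncates silently if too long. */
	snprintf(tmptty, sizeof(tmptty), "%s", my_tty);

	/* Both buffers are NUL-terminated now, so plain strcmp(3) is enough. */
	return strcmp(full_tty, tmptty) == 0;
}

int
main(void)
{
	printf("pts/3 vs /dev/pts/3:  %d\n", is_my_tty("/dev/pts/3", sample_pts3));
	printf("pts/3 vs /dev/pts/30: %d\n", is_my_tty("/dev/pts/30", sample_pts3));
	return 0;
}
```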
Add STRLEN(): a constexpr strlen(3) for string literals (2 years ago)
Alejandro Colomar [Mon, 13 Mar 2023 00:51:12 +0000 (01:51 +0100)] 
Add STRLEN(): a constexpr strlen(3) for string literals

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Fix crash with large timestamps (2 years ago)
Alejandro Colomar [Sun, 12 Mar 2023 23:05:04 +0000 (00:05 +0100)] 
Fix crash with large timestamps

*  libmisc/date_to_str.c (date_to_str): Do not crash if gmtime(3)
   returns NULL because the timestamp is far in the future.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Prefer strcpy(3) to strlcpy(3) when either works (2 years ago)
Paul Eggert [Sat, 11 Mar 2023 08:02:45 +0000 (00:02 -0800)] 
Prefer strcpy(3) to strlcpy(3) when either works

* lib/gshadow.c (sgetsgent): Use strcpy(3) not strlcpy(3),
since the string is known to fit.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Fix change_field() buffer underrun (2 years ago)
Paul Eggert [Sat, 11 Mar 2023 21:43:36 +0000 (13:43 -0800)] 
Fix change_field() buffer underrun

* lib/fields.c (change_field): Don't point
before array start; that has undefined behavior.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Omit unneeded test in change_field() (2 years ago)
Paul Eggert [Sat, 11 Mar 2023 21:41:54 +0000 (13:41 -0800)] 
Omit unneeded test in change_field()

* fields.c (change_field): Omit unnecessary test.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Simplify change_field() by using strcpy (2 years ago)
Paul Eggert [Sat, 11 Mar 2023 08:01:02 +0000 (00:01 -0800)] 
Simplify change_field() by using strcpy

* lib/fields.c (change_field): Since we know the string fits,
use strcpy(3) rather than strlcpy(3).

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Fix null dereference in basename (2 years ago)
skyler-ferrante [Wed, 22 Mar 2023 16:46:56 +0000 (12:46 -0400)] 
Fix null dereference in basename

On older kernels (<=linux-5.17), argv[0] can be null. Basename would
call strrchr with null if argc==0. Fixes issue #680

CI: script for local container build (2 years ago)
Iker Pedrosa [Tue, 14 Mar 2023 11:23:50 +0000 (12:23 +0100)] 
CI: script for local container build

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
CI: build project in containers (2 years ago)
Iker Pedrosa [Fri, 3 Mar 2023 14:30:55 +0000 (15:30 +0100)] 
CI: build project in containers

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
container: add fedora (2 years ago)
Iker Pedrosa [Fri, 3 Mar 2023 11:44:10 +0000 (12:44 +0100)] 
container: add fedora

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
container: add debian (2 years ago)
Iker Pedrosa [Fri, 3 Mar 2023 14:20:41 +0000 (15:20 +0100)] 
container: add debian

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
container: add alpine (2 years ago)
Iker Pedrosa [Fri, 3 Mar 2023 12:10:12 +0000 (13:10 +0100)] 
container: add alpine

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
SECURITY.md: add Iker Pedrosa (2 years ago)
Iker Pedrosa [Mon, 20 Mar 2023 15:46:43 +0000 (16:46 +0100)] 
SECURITY.md: add Iker Pedrosa

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
selinux: use type safe function pointer assignment (2 years ago)
Christian Göttsche [Mon, 6 Mar 2023 15:50:47 +0000 (16:50 +0100)] 
selinux: use type safe function pointer assignment

Use strict prototype in definition (2 years ago)
Christian Göttsche [Mon, 6 Mar 2023 15:50:30 +0000 (16:50 +0100)] 
Use strict prototype in definition

    gettime.c:25:30: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
    /*@observer@*/time_t gettime ()
                                 ^
                                  void

Add .editorconfig (2 years ago)
Vinícius dos Santos Oliveira [Sat, 25 Feb 2023 14:35:05 +0000 (11:35 -0300)] 
Add .editorconfig

run_some: fix shellcheck warning (2 years ago)
Serge Hallyn [Tue, 28 Feb 2023 03:16:38 +0000 (21:16 -0600)] 
run_some: fix shellcheck warning

shellcheck warns against using echo with flags, as posix sh won't
support it.  It suggests using printf, so let's do that.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
fail on any run_some test failure (2 years ago)
Serge Hallyn [Tue, 28 Feb 2023 02:33:12 +0000 (20:33 -0600)] 
fail on any run_some test failure

Signed-off-by: Serge Hallyn <serge@hallyn.com>
ignore first test in run_some (2 years ago)
Serge Hallyn [Mon, 27 Feb 2023 21:05:47 +0000 (15:05 -0600)] 
ignore first test in run_some

bc github...

For some reason, the first test - ONLY on github - seems to not
give the '$ ' prompt expected when you spawn 'su testsuite'.
So just run the first test twice, and ignore the first failure.

swap first two tests - does the first one still fail? (2 years ago)
Serge Hallyn [Mon, 27 Feb 2023 20:24:11 +0000 (14:24 -0600)] 
swap first two tests - does the first one still fail?

Signed-off-by: Serge Hallyn <serge@hallyn.com>
tests: remove some github runner PATH tweaking (2 years ago)
Serge Hallyn [Sat, 25 Feb 2023 04:25:58 +0000 (22:25 -0600)] 
tests: remove some github runner PATH tweaking

It messes with the expected results.

We can do better than this in the expect scripts, but let's
get things running for now.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
tests: Support git-worktree(1) (2 years ago)
Alejandro Colomar [Sun, 26 Feb 2023 14:39:15 +0000 (15:39 +0100)] 
tests: Support git-worktree(1)

git-worktree(1) uses a regular file for <.git>, instead of a directory.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
tests: newuidmap and newgidmap: update expected fail message (2 years ago)
Serge Hallyn [Sat, 25 Feb 2023 03:26:01 +0000 (21:26 -0600)] 
tests: newuidmap and newgidmap: update expected fail message

The failure message got changed, but the tests looking for it did
not.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
libsubid: include alloc.h (2 years ago)
Serge Hallyn [Sat, 25 Feb 2023 03:10:57 +0000 (21:10 -0600)] 
libsubid: include alloc.h

Fixes: efbbcade43: Use safer allocation macros
Signed-off-by: Serge Hallyn <serge@hallyn.com>
run_some: log stderr (2 years ago)
Serge Hallyn [Fri, 24 Feb 2023 23:52:25 +0000 (17:52 -0600)] 
run_some: log stderr

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Validate fds created by the user (2 years ago)
Vinícius dos Santos Oliveira [Fri, 24 Feb 2023 21:06:02 +0000 (18:06 -0300)] 
Validate fds created by the user

write_mapping() will do the following:

openat(proc_dir_fd, map_file, O_WRONLY);

An attacker could create a directory containing a symlink named
"uid_map" pointing to any file owned by root, and thus allow him to
overwrite any root-owned file.

get_pidfd_from_fd: return -1 on error, not 0 (2 years ago)
Serge Hallyn [Fri, 24 Feb 2023 19:52:32 +0000 (13:52 -0600)] 
get_pidfd_from_fd: return -1 on error, not 0

Fixes: 6974df39a: newuidmap and newgidmap: support passing pid as fd
Signed-off-by: Serge Hallyn <serge@hallyn.com>
g-h-a workflow: workaround (2 years ago)
Serge Hallyn [Fri, 24 Feb 2023 19:17:42 +0000 (13:17 -0600)] 
g-h-a workflow: workaround

Skip updating grub packages that are currently breaking
apt-get dist-upgrade.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Fix regression in some translation strings (2 years ago)
Serge Hallyn [Fri, 24 Feb 2023 18:51:54 +0000 (12:51 -0600)] 
Fix regression in some translation strings

Fixes: d80df2c8a: Update translation
Signed-off-by: Serge Hallyn <serge@hallyn.com>
lib: bit_ceil_wrapul(): stop recursion (2 years ago)
Iker Pedrosa [Wed, 22 Feb 2023 09:54:28 +0000 (10:54 +0100)] 
lib: bit_ceil_wrapul(): stop recursion

It should call bit_ceilul() instead of itself.

Fixes: 0712b236c3bc ("Add bit manipulation functions")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
lib: define ULONG_WIDTH if non-existent (2 years ago)
Iker Pedrosa [Tue, 21 Feb 2023 16:35:48 +0000 (17:35 +0100)] 
lib: define ULONG_WIDTH if non-existent

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Update translation (2 years ago)
maqi [Thu, 23 Feb 2023 10:21:13 +0000 (18:21 +0800)] 
Update translation

newuidmap and newgidmap: support passing pid as fd (2 years ago)
Serge Hallyn [Tue, 7 Feb 2023 04:49:42 +0000 (22:49 -0600)] 
newuidmap and newgidmap: support passing pid as fd

Closes #635

newuidmap and newgidmap currently take an integer pid as
the first argument, determining the process id on which to
act.  Accept also "fd:N", where N must be an open file
descriptor to the /proc/pid directory for the process to
act upon.  This way, if you

exec 10</proc/99
newuidmap fd:10 100000 0 65536

and pid 99 dies and a new process happens to take pid 99 before
newuidmap happens to do its work, then since newuidmap will use
openat() using fd 10, it won't change the mapping for the new
process.

Example:

// terminal 1:
serge@jerom ~/src/nsexec$ ./nsexec -W -s 0 -S 0 -U
about to unshare with 10000000
Press any key to exec (I am 129176)

// terminal 2:
serge@jerom ~/src/shadow$ exec 10</proc/129176
serge@jerom ~/src/shadow$ sudo chown root src/newuidmap src/newgidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newuidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newgidmap
serge@jerom ~/src/shadow$ ./src/newuidmap fd:10 0 100000 10
serge@jerom ~/src/shadow$ ./src/newgidmap fd:10 0 100000 10

// Terminal 1:
uid=0(root) gid=0(root) groups=0(root)

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Fix use-after-free of pointer after realloc(3) (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 23:01:13 +0000 (00:01 +0100)] 
Fix use-after-free of pointer after realloc(3)

We can't use a pointer that was input to realloc(3), nor any pointers
that point to reallocated memory, without making sure that the memory
wasn't moved.  If we do, the Behavior is Undefined.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use safer allocation macros (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 21:41:18 +0000 (22:41 +0100)] 
Use safer allocation macros

Use of these macros, apart from the benefits mentioned in the commit
that adds the macros, has some other good side effects:

-  Consistency in getting the size of the object from sizeof(type),
   instead of a mix of sizeof(type) sometimes and sizeof(*p) other
   times.

-  More readable code: no casts, and no sizeof(), so also shorter lines
   that we don't need to cut.

-  Consistency in using array allocation calls for allocations of arrays
   of objects, even when the object size is 1.

Cc: Valentin V. Bartenev <vbartenev@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
libmisc: Add safer allocation macros (2 years ago)
Alejandro Colomar [Wed, 1 Feb 2023 15:30:52 +0000 (16:30 +0100)] 
libmisc: Add safer allocation macros

These macros have several benefits over the standard functions:

-  The type of the allocated object (not the pointer) is specified as an
   argument, which improves readability:
   -  It is directly obvious what is the type of the object just by
      reading the macro call.
   -  It allows grepping for all allocations of a given type.

   This is admittedly similar to using sizeof() to get the size of the
   object, but we'll see why this is better.

-  In the case of reallocation macros, an extra check is performed to
   make sure that the previous pointer was compatible with the allocated
   type, which can avoid some mistakes.

-  The cast is performed automatically, with a pointer type derived from
   the type of the object.  This is the best point of this macro, since
   it does an automatic cast, where there's no chance of typos.

   Usually, programmers have to decide whether to cast or not the result
   of malloc(3).  Casts usually hide warnings, so are to be avoided.
   However, these functions already return a void *, so a cast doesn't
   really add much danger.  Moreover, a cast can even add warnings in
   this exceptional case, if the type of the cast is different than the
   type of the assigned pointer.  Performing a manual cast is still not
   perfect, since there are chances that a mistake will be done, and
   even ignoring accidents, they clutter code, hurting readability.
   And now we have a cast that is synced with sizeof.

-  Whenever the type of the object changes, since we perform an explicit
   cast to the old type, there will be a warning due to type mismatch in
   the assignment, so we'll be able to see all lines that are affected
   by such a change.  This is especially important, since changing the
   type of a variable and missing to update an allocation call far away
   from the declaration is easy, and the consequences can be quite bad.

Cc: Valentin V. Bartenev <vbartenev@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use xreallocarray() instead of its pattern (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 22:43:26 +0000 (23:43 +0100)] 
Use xreallocarray() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use reallocarrayf() instead of its pattern (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 21:52:13 +0000 (22:52 +0100)] 
Use reallocarrayf() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use *array() allocation functions where appropriate (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 20:47:01 +0000 (21:47 +0100)] 
Use *array() allocation functions where appropriate

This prevents overflow from multiplication.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
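Added example, not shadow's alloc.h, illustrating the "safer allocation macros" commit and the *array() overflow point above: an overflow-checked, free-on-failure reallocarrayf() and type-taking macros whose reallocation form rejects a previous pointer of another type at compile time. The helper and macro names (reallocarrayf, MALLOCARRAY, REALLOCF) and struct rec are assumed for this illustration:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* reallocarrayf(3)-style helper (assumed name, written for this example):
 * checks the multiplication for overflow and frees the old block on
 * failure, so a caller writing p = f(p, ...) can never leak the original. */
static void *
reallocarrayf(void *p, size_t n, size_t size)
{
	void  *q;

	if (n != 0 && size > SIZE_MAX / n) {   /* n * size would wrap */
		free(p);
		errno = ENOMEM;
		return NULL;
	}
	q = realloc(p, n * size);   /* ISO C: realloc(NULL, s) == malloc(s) */
	if (q == NULL && n * size != 0)
		free(p);
	return q;
}

/* The macros take the type of the *object*, so the size and the cast are
 * derived from the same token and stay in sync.  In REALLOCF, _Generic only
 * accepts a previous pointer of that type (or a NULL/void *), which turns
 * "changed the variable's type, forgot the allocation far away" into a
 * compile error instead of a silent undersized heap block. */
#define MALLOCARRAY(n, type) \
	((type *) reallocarrayf(NULL, (n), sizeof(type)))
#define REALLOCF(ptr, n, type) \
	((type *) reallocarrayf(_Generic((ptr), type *: (ptr), void *: (ptr)), \
	                        (n), sizeof(type)))

struct rec {
	unsigned  id;
	char      name[16];
};

/* Grow a record table; on failure the old table is already freed. */
static struct rec *
grow_records(struct rec *old, size_t n)
{
	return REALLOCF(old, n, struct rec);
}

int
main(void)
{
	struct rec  *r;

	r = MALLOCARRAY(4, struct rec);
	if (r == NULL)
		return 1;
	r[3].id = 7;
	r = grow_records(r, 8);          /* same type: compiles, keeps data */
	printf("r[3].id = %u\n", r ? r[3].id : 0u);
	/* char *s = REALLOCF(r, 8, char);   <- rejected at compile time */
	r = grow_records(r, SIZE_MAX);   /* overflow: NULL, ENOMEM, no leak */
	printf("overflow -> %p, errno=%d\n", (void *) r, errno);
	return 0;
}
```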
Use xcalloc(3) instead of its pattern (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 20:43:43 +0000 (21:43 +0100)] 
Use xcalloc(3) instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>
libmisc: Add safer allocation functions (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 20:13:59 +0000 (21:13 +0100)] 
libmisc: Add safer allocation functions

Signed-off-by: Alejandro Colomar <alx@kernel.org>
libmisc: Move xmalloc.c to alloc.c (2 years ago)
Alejandro Colomar [Sun, 19 Feb 2023 19:40:16 +0000 (20:40 +0100)] 
libmisc: Move xmalloc.c to alloc.c

We'll expand the contents in a following commit, so let's move the file
to a more generic name, have a dedicated header, and update includes.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use the new header for xstrdup()

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use calloc(3) instead of its pattern (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 20:43:43 +0000 (21:43 +0100)] 
Use calloc(3) instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use reallocarray(3) instead of its pattern (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 22:20:38 +0000 (23:20 +0100)] 
Use reallocarray(3) instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use reallocf(3) instead of its pattern (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 20:25:04 +0000 (21:25 +0100)] 
Use reallocf(3) instead of its pattern

In addition, don't set local variables just before return.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
malloc(3) already sets errno to ENOMEM (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 22:37:55 +0000 (23:37 +0100)] 
malloc(3) already sets errno to ENOMEM

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Rely on realloc(NULL, ...) being equivalent to malloc(...) (2 years ago)
Alejandro Colomar [Sat, 4 Feb 2023 20:21:36 +0000 (21:21 +0100)] 
Rely on realloc(NULL, ...) being equivalent to malloc(...)

This is guaranteed by ISO C.  Now that we require ISO C (and even POSIX)
to compile, we can simplify this code.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
libmisc: agetpass(): Fix bug detecting truncation (2 years ago)
Alejandro Colomar [Sun, 19 Feb 2023 18:26:56 +0000 (19:26 +0100)] 
libmisc: agetpass(): Fix bug detecting truncation

On 2/19/23 18:09, David Mudrich wrote:
> I am working on a RAM based Linux OS from source, and try to use
> latest versions of all software.  I found shadow needs libbsd's
> readpassphrase(3) as superior alternative to getpass(3).  While
> considering if I a) include libbsd, or include libbsd's code of
> readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3)
> never returns \n or \r
> <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c>
> line 122, while agetpass() uses a check for \n in agetpass.c line 108.
> I assume it always fails.

Indeed, it always failed.  I made a mistake when writing agetpass(),
assuming that readpassphrase(3) would keep newlines.

>
> I propose a check of len == PASS_MAX - 1, with false positive error for
> exactly PASS_MAX - 1 long passwords.

Instead, I added an extra byte to the allocation to allow a maximum
password length of PASS_MAX (which is the maximum for getpass(3), which
we're replacing).

While doing that, I noticed that my previous implementation also had
another bug (minor): the maximum password length was PASS_MAX - 1
instead of PASS_MAX.  That's also fixed in this commit.

Reported-by: David Mudrich <dmudrich@gmx.de>
Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely")
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
find_new_[gu]id(): Skip over IDs that are reserved for legacy reasons (2 years ago)
Martin Kletzander [Wed, 1 Feb 2023 14:36:41 +0000 (15:36 +0100)] 
find_new_[gu]id(): Skip over IDs that are reserved for legacy reasons

Some programs don't support `(uint16_t) -1` or `(uint32_t) -1` as user
or group IDs.  This is because `-1` is used as an error code or as an
unspecified ID, e.g. in `chown(2)` parameters, and in the past, `gid_t`
and `uid_t` have changed width.  For legacy reasons, those values have
been kept reserved in programs today (for example systemd does this; see
the documentation in the link below).

This should not be confused with catching overflow in the ID values,
since that is already caught by our ERANGE checks.  This is about not
using reserved values that have been reserved for legacy reasons.

Link: <https://systemd.io/UIDS-GIDS/>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Fix comments (2 years ago)
Samanta Navarro [Thu, 16 Feb 2023 11:57:03 +0000 (11:57 +0000)] 
Fix comments

These comments should indicate which functions they really wrap.
An alternative would be to remove the line completely to avoid
future copy&paste mistakes.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Fix grammar (2 years ago)
Samanta Navarro [Thu, 16 Feb 2023 11:54:14 +0000 (11:54 +0000)] 
Fix grammar

Use proper grammar (third-person singular).

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Fix typo (2 years ago)
Samanta Navarro [Thu, 16 Feb 2023 11:53:52 +0000 (11:53 +0000)] 
Fix typo

It should be "if" not "is".

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Fix typos (2 years ago)
Samanta Navarro [Thu, 16 Feb 2023 11:52:23 +0000 (11:52 +0000)] 
Fix typos

It is a user, not an user.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Use stpecpy() where appropriate (2 years ago)
Alejandro Colomar [Fri, 10 Feb 2023 21:52:25 +0000 (22:52 +0100)] 
Use stpecpy() where appropriate

This function simplifies the calculation of the bounds of the buffer for
catenating strings.  It would also reduce error checking, but we don't
care about truncation in this specific code. :)

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Add stpecpy() (2 years ago)
Alejandro Colomar [Fri, 10 Feb 2023 21:34:37 +0000 (22:34 +0100)] 
Add stpecpy()

strncat(3), strlcpy(3), and many other functions are often misused for
catenating strings, when they should never be used for that.  strlcat(3)
is good.  However, there's no equivalent to strlcat(3) similar to
snprintf(3).  Let's add stpecpy(), which is similar to strlcat(3), but
it is also the only function compatible with stpeprintf(), which makes
it more useful than strlcat(3).

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Add mempcpy(3) (2 years ago)
Alejandro Colomar [Fri, 10 Feb 2023 21:16:21 +0000 (22:16 +0100)] 
Add mempcpy(3)

We'll use it for implementing stpecpy(), and may be interesting to have
it around.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Remove unnecessary NUL terminators (2 years ago)
Alejandro Colomar [Sun, 29 Jan 2023 23:56:57 +0000 (00:56 +0100)] 
Remove unnecessary NUL terminators

All the string-copying functions called above do terminate the strings
they create with a NUL byte.  Writing it again at the end of the buffer
is unnecessary paranoid code.  Let's remove it.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use stpeprintf() where appropriate (2 years ago)
Alejandro Colomar [Sun, 29 Jan 2023 23:54:07 +0000 (00:54 +0100)] 
Use stpeprintf() where appropriate

This function allows reducing error checking (since errors are
propagated across chained calls), and also simplifies the calculation of
the start and end of the buffer where the string should be written.

Moreover, the new code is more optimized, since many calls to strlen(3)
have been removed.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Add stpeprintf() (2 years ago)
Alejandro Colomar [Sun, 29 Jan 2023 23:19:56 +0000 (00:19 +0100)] 
Add stpeprintf()

[v]stpeprintf() are similar to [v]snprintf(3), but they allow chaining.
[v]snprintf(3) are very dangerous for catenating strings, since the
obvious ways to do it invoke Undefined Behavior, and the ways that avoid
UB are very error-prone.

Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
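Added example, not shadow's code, of the stpecpy() and stpeprintf() chaining that the "Add stpecpy()" and "Add stpeprintf()" commits above describe. The contract assumed here follows string_copying(7) from the Linux man-pages, and format_session() is a constructed caller that shows why a chain needs only one check at its end:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed contract: [dst, end) is the buffer and end points one past its
 * last byte; the result is always NUL-terminated; the return value is the
 * position of that NUL, end means "truncated" and NULL means "error".
 * end and NULL pass straight through, so errors propagate along a chain. */

static char *
stpecpy(char *dst, char *end, const char *restrict src)
{
	size_t  dlen;

	if (dst == NULL)          /* an earlier call failed */
		return NULL;
	if (dst == end)           /* an earlier call truncated */
		return end;

	dlen = strnlen(src, end - dst - 1);
	memcpy(dst, src, dlen);
	dst[dlen] = '\0';
	return src[dlen] == '\0' ? dst + dlen : end;
}

static char *
vstpeprintf(char *dst, char *end, const char *restrict fmt, va_list ap)
{
	int  len;

	if (dst == NULL)
		return NULL;
	if (dst == end)
		return end;

	len = vsnprintf(dst, end - dst, fmt, ap);
	if (len < 0)              /* encoding error: poison the chain */
		return NULL;
	if (len >= end - dst)     /* output did not fit: truncated */
		return end;
	return dst + len;
}

static char *
stpeprintf(char *dst, char *end, const char *restrict fmt, ...)
{
	va_list  ap;
	char    *p;

	va_start(ap, fmt);
	p = vstpeprintf(dst, end, fmt, ap);
	va_end(ap);
	return p;
}

/* Compose "<user> uid=<uid> tty=<tty>" into buf[size].  Returns the length
 * written, or -1 if the buffer was too small or a call failed; the buffer
 * is NUL-terminated in every case.  Chaining snprintf(3) by hand instead
 * lets buf + ret run past the end and the remaining size wrap around. */
static ptrdiff_t
format_session(char *buf, size_t size, const char *user, unsigned uid,
               const char *tty)
{
	char  *end = buf + size;
	char  *p;

	p = stpecpy(buf, end, user);
	p = stpeprintf(p, end, " uid=%u", uid);
	p = stpecpy(p, end, " tty=");
	p = stpecpy(p, end, tty);

	if (p == NULL || p == end)
		return -1;
	return p - buf;
}

int
main(void)
{
	char  big[64], small[12];

	printf("%td '%s'\n", format_session(big, sizeof(big), "alice", 1000u, "pts/3"), big);
	printf("%td '%s'\n", format_session(small, sizeof(small), "alice", 1000u, "pts/3"), small);
	return 0;
}
```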
agetpass.c: Use SPDX tags (2 years ago)
Alejandro Colomar [Sun, 29 Jan 2023 20:44:17 +0000 (21:44 +0100)] 
agetpass.c: Use SPDX tags

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Fix VPATH build (2 years ago)
Martin Kletzander [Tue, 7 Feb 2023 08:34:59 +0000 (09:34 +0100)] 
Fix VPATH build

When trying to build shadow in a different directory I stumbled upon a few
issues; this commit aims to fix all of them:

- The `subid.h` file is generated and hence in the build directory and
  not in the source directory, so use `$(builddir)` instead of
  `$(srcdir)`.

- Using `$<` instead of filenames utilises autotools to locate the files
  in either the source or build directory automatically.

- `xsltproc` needs to access the files in login.defs.d in either the
  source directory or the symlink in a language subdirectory, but it
  does not interpret the `--path` as prefix of the entity path, but
  rather a path under which to locate the basename of the entity
  from the XML file.  So specify the whole path to login.defs.d.

- The above point could be used to make the symlinks of login.defs.d
  and entity path specifications in the XMLs obsolete, but I'm trying
  not to propose possibly disrupting patches, so for the sake of
  simplicity just specify `$(srcdir)` when creating the symlink.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
ttytype(): Fix race (2 years ago)
Alejandro Colomar [Fri, 3 Feb 2023 19:32:12 +0000 (20:32 +0100)] 
ttytype(): Fix race

The intention of the code is just to not report an error message when
'typefile' doesn't exist.  If we call access(2) and then fopen(2),
there's a race.  It's not a huge problem, and the worst thing that can
happen is reporting an error when the file has been removed after
access(2).  It's not a problem, but we can fix the race and at the same
time clarify the intention of not warning about ENOENT and also remove
one syscall.  Seems like a win-win.

Suggested-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Remove superfluous casts (2 years ago)
Alejandro Colomar [Wed, 1 Feb 2023 12:50:48 +0000 (13:50 +0100)] 
Remove superfluous casts

-  Every non-const pointer converts automatically to void *.
-  Every pointer converts automatically to void *.
-  void * converts to any other pointer.
-  const void * converts to any other const pointer.
-  Integer variables convert to each other.

I changed the declaration of a few variables in order to allow removing
a cast.

However, I didn't attempt to edit casts inside comparisons, since they
are very delicate.  I also kept casts in variadic functions, since they
are necessary, and in allocation functions, because I have other plans
for them.

I also changed a few casts to int that are better as ptrdiff_t.

This change has triggered some warnings about const correctness issues,
which have also been fixed in this patch (see for example src/login.c).

Signed-off-by: Alejandro Colomar <alx@kernel.org>
run on github runner (2 years ago)
Serge Hallyn [Thu, 9 Feb 2023 14:38:02 +0000 (08:38 -0600)] 
run on github runner

tests: print default timeout message to stderr (2 years ago)
Serge Hallyn [Wed, 8 Feb 2023 03:12:59 +0000 (21:12 -0600)] 
tests: print default timeout message to stderr

Signed-off-by: Serge Hallyn <serge@hallyn.com>
use self-hosted runner for testsuite (2 years ago)
Serge Hallyn [Mon, 30 Jan 2023 02:13:52 +0000 (20:13 -0600)] 
use self-hosted runner for testsuite

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Use the noreturn attribute, rather than comments (2 years ago)
Alejandro Colomar [Tue, 7 Feb 2023 18:50:36 +0000 (19:50 +0100)] 
Use the noreturn attribute, rather than comments

This will allow the compiler to understand these functions better.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
lib/defines.h: Add NORETURN attribute macro (2 years ago)
Alejandro Colomar [Tue, 7 Feb 2023 18:39:36 +0000 (19:39 +0100)] 
lib/defines.h: Add NORETURN attribute macro

We could use the standard (C11) _Noreturn qualifier, but it will be
deprecated in C23, and replaced by C++'s [[noreturn]], which is
compatible with the GCC attribute, so let's directly use the attribute,
and in the future we'll be able to switch to [[]].

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Assume getutent(3) exists (remove dead code) (2 years ago)
Alejandro Colomar [Tue, 7 Feb 2023 17:37:23 +0000 (18:37 +0100)] 
Assume getutent(3) exists (remove dead code)

Recently, we removed support for 'struct utmpx'.  We did it because utmp
and utmpx are identical, and while POSIX specifies utmpx (and not utmp),
GNU/Linux documentation seems to favor utmp.  Also, this project
defaulted to utmp, so changing to utmpx would be more dangerous than
keeping old defaults, even if it's supposed to be the same.

Now, I just found more code that didn't make much sense: lib/utent.c
provides definitions for getutent(3) and friends in case the system
doesn't provide them, but we don't provide prototypes for those
definitions, so code using the functions would have never compiled.

Let's just remove these definitions as dead code.

Fixes: 3be7b9d75a6b ("Remove traces of utmpx")
Fixes: 170b76cdd1a9 ("Disable utmpx permanently")
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Handle reallocf(3) errors (2 years ago)
Alejandro Colomar [Thu, 2 Feb 2023 11:31:54 +0000 (12:31 +0100)] 
Handle reallocf(3) errors

Reported-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Fix memory leaks by replacing realloc(3) with reallocf(3) (2 years ago)
Alejandro Colomar [Wed, 1 Feb 2023 23:59:55 +0000 (00:59 +0100)] 
Fix memory leaks by replacing realloc(3) with reallocf(3)

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Remove unused function: gr_append_member() (2 years ago)
Alejandro Colomar [Fri, 3 Feb 2023 14:27:40 +0000 (15:27 +0100)] 
Remove unused function: gr_append_member()

Reported-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Improve TTYGROUP description in login.defs manpage (2 years ago)
Serge Hallyn [Thu, 2 Feb 2023 18:27:23 +0000 (12:27 -0600)] 
Improve TTYGROUP description in login.defs manpage

Closes #457

The existing prose was confusing, or simply wrong.  Make it clear
that only the group ownership of the tty is affected, and how.
Also move the paragraph about defaults after the discussion of
acceptable TTYGROUPs, as this seems more natural.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Remove superfluous casts to 'void*' (2 years ago)
Alejandro Colomar [Wed, 1 Feb 2023 12:50:48 +0000 (13:50 +0100)] 
Remove superfluous casts to 'void*'

Every non-const pointer converts automatically to it.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Call NULL by its name (2 years ago)
Alejandro Colomar [Wed, 1 Feb 2023 01:50:14 +0000 (02:50 +0100)] 
Call NULL by its name

In variadic functions we still do the cast.  In POSIX, it's not
necessary, since NULL is required to be of type 'void *', and 'void *'
is guaranteed to have the same alignment and representation as 'char *'.
However, since ISO C still doesn't mandate that, and moreover they're
doing dubious stuff by adding nullptr, let's be on the cautious side.
Also, C++ requires that NULL is _not_ 'void *', but either plain 0 or
some magic stuff.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use freezero(3) where suitable (2 years ago)
Alejandro Colomar [Wed, 1 Feb 2023 19:29:29 +0000 (20:29 +0100)] 
Use freezero(3) where suitable

It originated in OpenBSD, and is available in libbsd.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Prevent out of boundary access (2 years ago)
Samanta Navarro [Mon, 30 Jan 2023 11:54:49 +0000 (11:54 +0000)] 
Prevent out of boundary access

If lines start with '\0' then it is possible to trigger out of
boundary accesses.

Check if indices are valid before accessing them.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Explicitly override only newlines (2 years ago)
Samanta Navarro [Mon, 30 Jan 2023 11:53:47 +0000 (11:53 +0000)] 
Explicitly override only newlines

Override only newlines with '\0' to avoid undesired truncation of
actual line content.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2 years ago Correctly handle illegal system file in tz
Samanta Navarro [Fri, 27 Jan 2023 11:57:51 +0000 (11:57 +0000)] 
Correctly handle illegal system file in tz

If the file referenced by ENV_TZ has a zero length string, then an out
of boundary write occurs. Also the result can be wrong because it is
assumed that the file will always end with a newline.

Only override a newline character with '\0' to avoid these cases.

This cannot be considered to be security relevant because login.defs
and its contained references to system files should be trusted to begin
with.

Proof of Concept:

1. Compile shadow's su with address sanitizer and --without-libpam

2. Setup your /etc/login.defs to contain ENV_TZ=/etc/tzname

3. Prepare /etc/tzname to contain a '\0' byte at the beginning

`python -c "print('\x00')" > /etc/tzname`

4. Use su

`su -l`

You can see the following output:

`tz.c:45:8: runtime error: index 18446744073709551615 out of bounds for type 'char [8192]'`

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
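As an added example, not shadow's tz.c, the newline handling that the three commits above describe (strip_trailing_newline and strip_matches are my own names; the 8192-byte buffer size is taken from the sanitizer report):

```c
#include <stdio.h>
#include <string.h>

/* Replace only a trailing newline with '\0' and return the new length.
 * The pattern these commits fix, buf[strlen(buf) - 1] = '\0', writes to
 * buf[-1] when the line is empty (0 - 1 wraps to SIZE_MAX, the index in
 * the sanitizer report above) and chops a real character when the file
 * does not end in a newline. */
size_t strip_trailing_newline(char *line)
{
	size_t len = strlen(line);
	if (len > 0 && line[len - 1] == '\n')
		line[--len] = '\0';
	return len;
}

/* Test helper: copy a constructed file line into a buffer of the size the
 * sanitizer report shows, strip it, and check the result against 'want'. */
int strip_matches(const char *input, const char *want)
{
	char buf[8192];
	snprintf(buf, sizeof buf, "%s", input);
	strip_trailing_newline(buf);
	return strcmp(buf, want) == 0;
}
```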
2 years ago leading_zerosul(): Fix bug
Alejandro Colomar [Tue, 31 Jan 2023 15:47:40 +0000 (16:47 +0100)] 
leading_zerosul(): Fix bug

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Unoptimize the higher part of the domain of csrand_uniform()
Alejandro Colomar [Mon, 30 Jan 2023 12:13:36 +0000 (13:13 +0100)] 
Unoptimize the higher part of the domain of csrand_uniform()

__int128, which is needed for optimizing that part of the range, is not
always available.  We need the unoptimized version for portability
reasons.

Closes: <https://github.com/shadow-maint/shadow/issues/634>
Fixes: 1a0e13f94edc ("Optimize csrand_uniform()")
Reported-by: Adam Sampson <ats@offog.org>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Add bit manipulation functions
Alejandro Colomar [Mon, 30 Jan 2023 11:43:34 +0000 (12:43 +0100)] 
Add bit manipulation functions

We do need the unoptimized version of csrand_uniform() for high values
of `n`, since the optimized version depends on having __int128, and it's
not available on several platforms, including ARMv7, IA32, and MK68k.

This reverts commit 848f53c1d3c1362c86d3baab6906e1e4419d2634; however,
I applied some tweaks to the reverted commit.

Reported-by: Adam Sampson <ats@offog.org>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Revert "Add bit manipulation functions"
Alejandro Colomar [Thu, 19 Jan 2023 03:23:44 +0000 (04:23 +0100)] 
Revert "Add bit manipulation functions"

Now that we optimized csrand_uniform(), we don't need these functions.

This reverts commit 7c8fe291b1260e127c10562bfd7616961013730f.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Optimize csrand_uniform()
Alejandro Colomar [Wed, 18 Jan 2023 12:26:47 +0000 (13:26 +0100)] 
Optimize csrand_uniform()

Use a different algorithm to minimize rejection.  This is essentially
the same algorithm implemented in the Linux kernel for
__get_random_u32_below(), but written in a more readable way, and
avoiding micro-optimizations that make it less readable.

Which (the Linux kernel implementation) is itself based on Daniel
Lemire's algorithm from "Fast Random Integer Generation in an Interval",
linked below.  However, I couldn't really understand that paper very
much, so I had to reconstruct the proofs from scratch, just from what I
could understand from the Linux kernel implementation source code.

I constructed some graphical explanation of how it works, and why it
is optimal, because I needed to visualize it to understand it.  It is
published in the GitHub pull request linked below.

Here goes a wordy explanation of why this algorithm based on
multiplication is better optimized than my original implementation based
on masking.

masking:

It discards the extra bits of entropy that are not necessary for
this operation.  This works as if dividing the entire space of
possible csrand() values into smaller spaces of a size that is
a smaller power of 2.  Each of those smaller spaces has a
rejection band, so we get as many rejection bands as spaces
there are.  For smaller values of 'n', the size of each
rejection band is smaller, but having more rejection bands
compensates for this, and results in the same inefficiency as
for large values of 'n'.

multiplication:

It divides the entire space of possible random numbers in
chunks of size exactly 'n', so that there is only one rejection
band that is the remainder of `2^64 % n`.  The worst case is
still similar to the masking algorithm, a rejection band that is
almost half the entire space (n = 2^63 + 1), but for lower
values of 'n', by only having one small rejection band, it is
much faster than the masking algorithm.

This algorithm, however, has one caveat: the implementation
is harder to read, since it relies on several bitwise tricky
operations to perform operations like `2^64 % n`, `mult % 2^64`,
and `mult / 2^64`.  And those operations are different depending
on the number of bits of the maximum possible random number
generated by the function.  This means that while this algorithm
could also be applied to get uniform random numbers in the range
[0, n-1] quickly from a function like rand(3), which only
produces 31 bits of (non-CS) random numbers, it would need to be
implemented differently.  However, that's not a concern for us,
it's just a note so that nobody picks this code and expects it
to just work with rand(3) (which BTW I tried for testing it, and
got a bit confused until I realized this).

Finally, here's some light testing of this implementation, just to know
that I didn't goof it.  I pasted this function into a standalone
program, and ran it many times to find if it has any bias (I tested also
to see how many iterations it performs, and it's also almost always 1,
but that test is big enough to not paste it here).

#include <stdio.h>
#include <stdlib.h>

/* csrand_uniform() itself was pasted into the same file, above main() */
int main(int argc, char *argv[])
{
	printf("%lu\n", csrand_uniform(atoi(argv[1])));
}

$ seq 1 1000 | while read _; do ./a.out 3; done | grep 1 | wc -l
341
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 1 | wc -l
339
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 1 | wc -l
338
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 2 | wc -l
336
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 2 | wc -l
328
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 2 | wc -l
335
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 0 | wc -l
332
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 0 | wc -l
331
$ seq 1 1000 | while read _; do ./a.out 3; done | grep 0 | wc -l
327

This isn't a complete test for a cryptographically-secure random number
generator, of course, but I leave that for interested parties.

Link: <https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9a688bcb19348862afe30d7c85bc37c4c293471>
Link: <https://github.com/shadow-maint/shadow/pull/624#discussion_r1059574358>
Link: <https://arxiv.org/abs/1805.10941>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: Björn Esser <besser82@fedoraproject.org>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Cc: Joseph Myers <joseph@codesourcery.com>
Cc: Sam James <sam@gentoo.org>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
[Daniel Lemire: Added link to research paper in source code]
Cc: Daniel Lemire <daniel@lemire.me>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
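The multiplication method the commit describes, as an added example that is not shadow's code (uniform_below32, uniform_interval32, lcg and exhaustive_uniform16 are my own names, and lcg is a constructed non-secure stand-in for csrand()): it works at 32-bit width with 64-bit products so it needs no __int128, takes the random source as a parameter, and checks the single-rejection-band claim exhaustively at 16-bit width, where every raw value can be enumerated. The interval wrapper mirrors the csrand_interval() rewrite further down this log.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Uniform value in [0, n): Lemire's multiplication method as the commit
 * describes it, at 32-bit width with 64-bit products so no __int128 is
 * needed.  'src' plays csrand(); n == 0 yields a raw draw, like csrand(). */
uint32_t uniform_below32(uint32_t n, uint32_t (*src)(void *), void *ctx)
{
	if (n == 0)
		return src(ctx);
	uint32_t bound = (uint32_t)(0u - n) % n;   /* 2^32 % n == (2^32 - n) % n */
	uint64_t mult;
	do {
		mult = (uint64_t)src(ctx) * n;
	} while ((uint32_t)mult < bound);   /* (uint32_t)mult == mult % 2^32 */
	return (uint32_t)(mult >> 32);      /* mult / 2^32 */
}

/* [min, max] inclusive, as csrand_interval() becomes a wrapper.  For the
 * full range max - min + 1 wraps to 0, which the n == 0 rule above absorbs. */
uint32_t uniform_interval32(uint32_t min, uint32_t max, uint32_t (*src)(void *), void *ctx)
{
	return min + uniform_below32(max - min + 1, src, ctx);
}

uint32_t lcg(void *ctx)   /* constructed stand-in for csrand(): NOT secure */
{
	uint32_t *s = ctx;
	return *s = *s * 1664525u + 1013904223u;
}

/* Same method at 16-bit width, where all 2^16 raw values can be enumerated:
 * true iff each output occurs exactly 2^16 / n times and 2^16 % n are rejected. */
bool exhaustive_uniform16(uint16_t n)
{
	uint32_t bound = (uint16_t)(0u - n) % n, rejected = 0;
	uint32_t *count = calloc(n, sizeof *count);
	bool ok = count != NULL;
	for (uint32_t r = 0; ok && r < 65536; r++) {
		if ((uint16_t)(r * n) < bound)
			rejected++;
		else
			count[(r * n) >> 16]++;
	}
	for (uint32_t v = 0; ok && v < n; v++)
		ok = count[v] == 65536u / n;
	free(count);
	return ok && rejected == 65536u % n;
}
```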
2 years ago Use WIDTHOF() instead of its expansion
Alejandro Colomar [Wed, 18 Jan 2023 11:40:01 +0000 (12:40 +0100)] 
Use WIDTHOF() instead of its expansion

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Add WIDTHOF() to get the width in bits
Alejandro Colomar [Wed, 18 Jan 2023 11:38:18 +0000 (12:38 +0100)] 
Add WIDTHOF() to get the width in bits

It is common to use the expression 'sizeof(x) * CHAR_BIT' to mean the
width in bits of a type or object.  Now that there are _WIDTH macros for
some types, indicating the number of bits that they use, it makes sense
to wrap this calculation in a macro of a similar name.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Rewrite csrand_interval() as a wrapper around csrand_uniform()
Alejandro Colomar [Fri, 30 Dec 2022 18:46:09 +0000 (19:46 +0100)] 
Rewrite csrand_interval() as a wrapper around csrand_uniform()

The old code didn't produce very good random numbers.  It had a bias.
And that was from performing some unnecessary floating-point
calculations that overcomplicate the problem.

Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: Björn Esser <besser82@fedoraproject.org>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Cc: Joseph Myers <joseph@codesourcery.com>
Cc: Sam James <sam@gentoo.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Add csrand_uniform()
Alejandro Colomar [Fri, 30 Dec 2022 18:46:09 +0000 (19:46 +0100)] 
Add csrand_uniform()

This API is similar to arc4random_uniform(3).  However, for an input of
0, this function is equivalent to csrand(), while arc4random_uniform(0)
returns 0.

This function will be used to reimplement csrand_interval() as a wrapper
around this one.

The current implementation of csrand_interval() doesn't produce very good
random numbers.  It has a bias.  And that comes from performing some
unnecessary floating-point calculations that overcomplicate the problem.

Looping until the random number hits within bounds is unbiased, and
truncating unwanted bits makes the overhead of the loop very small.

We could reduce loop overhead even more, by keeping unused bits of the
random number, if the width of the mask is not greater than
ULONG_WIDTH/2, however, that complicates the code considerably, and I
prefer to be a bit slower but have simple code.

BTW, Björn really deserves the copyright for csrand() (previously known
as read_random_bytes()), since he rewrote it almost from scratch last
year, and I kept most of its contents.  Since he didn't put himself in
the copyright back then, and BSD-3-Clause doesn't allow me to attribute
derived works, I won't add his name, but if he asks, he should be put in
the copyright too.

Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: Björn Esser <besser82@fedoraproject.org>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Cc: Joseph Myers <joseph@codesourcery.com>
Cc: Sam James <sam@gentoo.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Add bit manipulation functions
Alejandro Colomar [Fri, 30 Dec 2022 22:00:14 +0000 (23:00 +0100)] 
Add bit manipulation functions

These functions implement bit manipulation APIs, which will be added to
C23, so that in the far future, we will be able to replace our functions
by the standard ones, just by adding the stdc_ prefix, and including
<stdbit.h>.

However, we need to avoid UB for an input of 0, so slightly deviate from
C23, and use a different name (with _wrap) for distinguishing our API
from the standard one.

Cc: Joseph Myers <joseph@codesourcery.com>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
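The masking method that this first csrand_uniform() used, together with a zero-safe leading-zeros helper of the kind the bit manipulation commit adds, as an added example that is not shadow's code (leading_zeros_wrap32, mask_for32, uniform_masked32, masked_rejected16 and lcg are my own names; lcg is a constructed non-secure stand-in for csrand()). masked_rejected16 quantifies, at 16-bit width, the "one rejection band per block" cost that the Optimize csrand_uniform() commit above contrasts with the multiplication method's single band.

```c
#include <stdint.h>

/* Leading zeros with a defined result for 0 (the width), where
 * __builtin_clz(0) is undefined: the kind of _wrap helper the commit adds. */
unsigned leading_zeros_wrap32(uint32_t x)
{
	unsigned n = 0;
	for (uint32_t bit = UINT32_C(1) << 31; bit != 0 && !(x & bit); bit >>= 1)
		n++;
	return n;
}

/* Mask keeping just enough low bits to hold n - 1 (0 for n == 1). */
uint32_t mask_for32(uint32_t n)
{
	unsigned width = 32 - leading_zeros_wrap32(n - 1);
	return width == 32 ? UINT32_MAX : (UINT32_C(1) << width) - 1;
}

/* The masking method of this csrand_uniform(): truncate to the mask, then
 * loop until the value is below n.  Unbiased, since every accepted value
 * was equally likely.  'src' plays csrand(); n == 0 is a raw draw. */
uint32_t uniform_masked32(uint32_t n, uint32_t (*src)(void *), void *ctx)
{
	uint32_t mask, r;
	if (n == 0)
		return src(ctx);
	mask = mask_for32(n);
	do {
		r = src(ctx) & mask;
	} while (r >= n);
	return r;
}

/* At 16-bit width, how many of the 2^16 raw values masking rejects: one
 * band per block of mask + 1 values, against 2^16 % n for multiplication. */
uint32_t masked_rejected16(uint16_t n)
{
	uint32_t mask = mask_for32(n), rejected = 0;
	for (uint32_t r = 0; r < 65536; r++)
		if ((r & mask) >= n)
			rejected++;
	return rejected;
}

uint32_t lcg(void *ctx)   /* constructed stand-in for csrand(): NOT secure */
{
	uint32_t *s = ctx;
	return *s = *s * 1664525u + 1013904223u;
}
```

For n = 3 the masking loop rejects a quarter of all draws (16384 of 65536 at 16-bit width) while the multiplication method rejects exactly one, which is the speed difference the optimization commit argues for.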
2 years ago Move csrand() to a new file csrand.c
Alejandro Colomar [Fri, 30 Dec 2022 18:46:09 +0000 (19:46 +0100)] 
Move csrand() to a new file csrand.c

A set of APIs similar to arc4random(3) is complex enough to deserve its
own file.

Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: Björn Esser <besser82@fedoraproject.org>
Cc: Yann Droneaud <ydroneaud@opteya.com>
Cc: Joseph Myers <joseph@codesourcery.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Use naming consistent with other common functions
Alejandro Colomar [Fri, 30 Dec 2022 18:42:17 +0000 (19:42 +0100)] 
Use naming consistent with other common functions

arc4random(3) returns a number.
arc4random_buf(3) fills a buffer.
arc4random_uniform(3) returns a number less than a bound.

and I'd add a hypothetical one which we use:

*_interval() should return a number within the interval [min, max].

In reality, the function being called csrand() in this patch is not
really cryptographically secure, since it had a bias, but a subsequent
patch will fix that.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Fix types of the csrand_interval() API
Alejandro Colomar [Fri, 30 Dec 2022 17:50:21 +0000 (18:50 +0100)] 
Fix types of the csrand_interval() API

We were always casting the result to u_long.  Better just use that type
in the function.  Since we're returning u_long, it makes sense to also
specify the input as u_long.  In fact, that'll help for doing bitwise
operations inside this function.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Use a more precise name for a CSPRNG API with an interval
Alejandro Colomar [Fri, 30 Dec 2022 17:46:22 +0000 (18:46 +0100)] 
Use a more precise name for a CSPRNG API with an interval

I have plans to split this function in smaller functions that implement
bits of this functionality, to simplify the implementation.  So, let's
use names that distinguish them.

This one produces a number within an interval, so make that clear.  Also
make clear that the function produces cryptographically-secure numbers.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2 years ago Supporting vendor given -shells- configuration file
Stefan Schubert [Mon, 28 Nov 2022 16:18:09 +0000 (17:18 +0100)] 
Supporting vendor given -shells- configuration file

2 years ago libmisc: fix grammar
Samanta Navarro [Fri, 30 Dec 2022 11:51:42 +0000 (11:51 +0000)] 
libmisc: fix grammar

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2 years ago Fix typos
Samanta Navarro [Fri, 30 Dec 2022 11:51:29 +0000 (11:51 +0000)] 
Fix typos

Typos found with codespell.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2 years ago Declare constant data structure const
Christian Göttsche [Tue, 24 Jan 2023 15:50:49 +0000 (16:50 +0100)] 
Declare constant data structure const

    ./lib/pam_defs.h:18:24: warning: ‘conv’ defined but not used [-Wunused-variable]
       18 | static struct pam_conv conv = {
          |                        ^~~~