was considering an empty string as if it were a number.
strisdigit() does not consider an empty string to be numeric.
I think it will not affect the behavior in either case, as they should
sooner or later result in an error somewhere. And it seems (IMO)
surprising to treat empty strings as numeric strings, so let's not do
it.
lib/string/strspn/, lib/, src/: stprspn(), strrspn_(): Split API into function and macro
This provides a safer and more consistent API.
We had the strrspn(3) function as it was for compatibility with Oracle
Solaris, but let's not repeat their mistake. Nevertheless, name our
function strrspn_() with a trailing underscore, to differentiate it from
the one in Solaris, since it's slightly different.
lib/string/strchr/: strrcspn(), stprcspn(): Add function and macro
These APIs are to strrspn(), like strcspn() is to strspn().
They are like strcspn(3), but search from the end of the string.
The function is meant for internal use, and consistency with libc.
The macro is meant for normal use, since it returns a pointer,
which is what algorithms using this need.
pw_auth()'s $4 was always being specified as NULL. Remove the
parameter. Instead, set a local variable to NULL at function entry, and
remove code that never runs (conditional on $4 != NULL).
Reviewed-by: Sam James <sam@gentoo.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
Todd C. Miller [Fri, 24 Jan 2025 02:11:09 +0000 (19:11 -0700)]
src/vipw.c: Restore the original terminal pgrp after editing
This fixes a problem when the shell is not in monitor mode (job control
enabled) which resulted in the terminal pgrp being set to an invalid
value once vipw exited.
configure.ac, lib/, src/: Use gid_t instead of GETGROUPS_T
Autoconf's NEWS file says
*** AC_FUNC_GETGROUPS and AC_TYPE_GETGROUPS no longer run test programs.
These macros were testing for OS bugs that we believe are at least
twenty years in the past. Most operating systems are now trusted to
provide an accurate prototype for getgroups in unistd.h, and to
implement it as specified in POSIX.
Since 'list' is used for a comma/colon-separated-value list, grouplist
is incorrect and inconsistent. grouplist is not a list, but an array.
Use the more common convention of just using plural. Also, use 'gids'
to distinguish it from other group representations.
We can calculate an upper bound of the number of added groups by
counting the number of delimiters in the string (plus one for the
element after the last delimiter). This avoids reallocating +1 in a
loop.
lib/, src/: Replace redundant checks by actual error handling
setgroups(2) already performs a test to check if the number of groups is
too large. Don't do that ourselves, and also don't do it for every
iteration. Just let setgroups(2) do it once.
Instead of our check, let's report errors from setgroups(2).
Call it regardless of having added any groups. If the group list is the
same that getgroups(3) gave us, setgroups(3) will be a no-op, and it
simplifies the surrounding code, by removing the 'added' variable, and
allowing to call lsearch(3) instead of lfind(3).
getgroups(0, NULL) returns the number of groups, so that we can allocate
at once. This might fail if there's a race and the number of users
grows while we're allocating, but if that happens, failing is probably a
good thing to do.
There was some comment saying it doesn't work on some systems, but
according to gnulib, that's only NeXTstep 3.2, which we don't support.
This originates from a typo in this project, which was later copied by
glibc, and so the typo was set in stone. The typo was eventually fixed
in shadow, but glibc had already set the name in stone, so we should
just learn to live with it.
$ grep -rn -C3 sg_name ChangeLog
1607-
1608-2011-07-30 Nicolas François <nicolas.francois@centraliens.net>
1609-
1610: * src/chgpasswd.c: Fix typo sp -> sg. sg_namp -> sg_name
1611- * src/chgpasswd.c: Always update the group file when SHADOWGRP is
1612- not enabled.
1613-
This is a scripted change:
$ find lib* src -type f \
| xargs sed -i 's/\<sg_name\>/sg_namp/g';
If we are not interested in the amount of errors but only if errors
exist, use a flag instead of a counter. This eliminates the chance of
signed integer overflows and better reflects the meaning of variable.
Keeping variable name and basically copied from src/faillog.c.
If crypt fails, pw_encrypt calls exit. This has the consequence that the
plaintext password is not cleared.
A valid password can fail if the underlying library does not support it.
One such example is SHA512, for which the password must not be longer
than 256 characters on musl. A password longer than this with glibc
works, so it is actually possible that a user, running passwd, tries to
enter the old password but the musl-based passwd binary simply exits.
Let passwd clear the password before exiting.
src/login_nopam.c: list_match(): Use iteration instead of recursion
The recursive nature of list_match() triggered regression during
refactoring. In Linux-PAM, the same code exists which could lead to
stack overflow because <access.conf> could be arbitrarily long.
Use an iterative approach for easier refactoring, to support long
lines in the future and to stay in sync with Linux-PAM.
If passwd is called with -P, then PAM handling is disabled
(src/passwd.c line 749). The manual page claims that host files would
be used, which is not true.
The PAM support was only enabled with configure option
--enable-account-tools-setuid. The other account tools would use PAM
then to verify that the user is granted elevated permissions for
actions which normally only root can do.
In chage, however, any non-root user who does not specify the -l
command line option is denied access in check_perms. The check for
being root or not is done with getuid, so non-root users cannot
change user account's aging information in any possible way since
more than 18 years by now.
It's safe to say that nobody misses this non-existing feature. Biggest
benefit is to get chage out of the ACCT_TOOLS_SETUID group of tools.
The nusers variable could, in theory, overflow and trigger an out of
boundary access if a huge amount of entries is added. Realistically,
this is not possible with current systems because way too much data
would be involved.
But let's better be safe than sorry and use correct data types.
Huge files could trigger signed integer overflows if enough lines are
within the file. Use intmax_t which is at least 64 bit to move this
event far into the future.
Support for /etc/suauth only exists if su is installed without
PAM support. If su is not installed (--without-su) or if PAM
support is enabled (default), do not install suauth.5 manual
page.
The SU_ACCESS preprocessor definition is used to decide if
feature exists or not. See links for more details.
Serge Hallyn [Sat, 11 Jan 2025 21:35:01 +0000 (15:35 -0600)]
add and use a login.defs.test with CREATE_HOME set
I suspect this is not a big deal, and most distributions just ship their own
version verbatim like debian/login.defs. But if there is a distro - or even a
person - using this as is from upstream, then we dont' want to break them. So
let's undo this and use an etc/login.defs.test for the testing if needed.
Changelog: 01/13: move etc/login.defs.test to tests/system/etc/login.defs per
suggestion.
Iker Pedrosa [Fri, 22 Nov 2024 09:28:48 +0000 (10:28 +0100)]
etc/login.defs: enable CREATE_HOME
In order to have consistent behaviour among all distributions, the same
configuration needs to be shared. That is why we are going to use the
`etc/login.defs` file and enable CREATE_HOME so that the home dir is
created automatically. This is not the default configuration used in all
distributions, but it is the most common one.
Iker Pedrosa [Wed, 20 Nov 2024 09:41:10 +0000 (10:41 +0100)]
tests: basic group deletion
This is the transformation to Python of the test located in
`tests/grouptools/groupdel/01_groupdel_delete_group/groupdel.test`,
which checks that `groupdel` is able to delete a group.
Iker Pedrosa [Wed, 20 Nov 2024 09:13:33 +0000 (10:13 +0100)]
tests: change GID of a group
This is the transformation to Python of the test located in
`tests/grouptools/groupmod/01_groupmod_change_gid/groupmod.test`, which
checks that `groupmod` is able to change the GID of a group.
Iker Pedrosa [Tue, 19 Nov 2024 15:18:45 +0000 (16:18 +0100)]
tests: basic group creation
This is the transformation to Python of the test located in
`tests/grouptools/groupadd/02_groupadd_add_group_GID_MIN/groupadd.test`,
which checks that `groupadd` is able to create a new group.
Iker Pedrosa [Tue, 19 Nov 2024 09:19:09 +0000 (10:19 +0100)]
tests: delete user and homedir
This is the transformation to Python of the test located in
`tests/usertools/01/18_userdel_remove_homedir.test`, which checks that
`userdel` is able to delete a user and its homedir. The test checks that
the user, the group and the home folder don't exist.
Iker Pedrosa [Wed, 13 Nov 2024 15:24:55 +0000 (16:24 +0100)]
tests: rename user
This is the transformation to Python of the test located in
`tests/usertools/01/10_usermod_rename_user.test`, which checks that
`usermod` is able to rename a user. The test checks that the new user,
the group and home folder exists.
Iker Pedrosa [Wed, 20 Nov 2024 13:58:54 +0000 (14:58 +0100)]
tests: recreate deleted user
This is the transformation to Python of the test located in
`tests/usertools/01/02_useradd_recreate_deleted_user.test`, which checks
that `useradd` is able to create again a removed user.
Iker Pedrosa [Fri, 8 Nov 2024 11:15:52 +0000 (12:15 +0100)]
tests: basic user creation
This is the transformation to Python of the test located in
`tests/usertools/01/01_useradd_add_user.test`, which checks that
`useradd` is able to create a new user and its corresponding group and
home folder.
Iker Pedrosa [Mon, 7 Oct 2024 13:44:17 +0000 (15:44 +0200)]
Tests: implement system test framework
As discussed at length, this is the implementation of the new system
tests framework for shadow. This is a proof of concept that contains the
key elements to be able to run basic user (i.e. useradd, usermod) and
group (i.e. usermod) tests. If you like the framework the rest of the
functionality will be added in the future.
Some useful facts:
* It is implemented in python
* It is based on pytest and pytest-mh
* It works on all the distributions that are part of our CI
* It can be run in the cloud (VM or container) as well as on-premises
* After the execution of each test the environment is cleaned up
* Logs and other artifacts for failed tests are collected
* It has a rich API that can be extended and extended to cover new
functionalities
With glibc we can use "e" in mode argument to set O_CLOEXEC on
opened files. The /etc/shadow and /etc/gshadow file handles should
be protected to make sure that they are never passed to child
processes by accident.
Calling exit might trigger cleanup functions registered through
atexit. Since some programs use this mechanism, be extra cautious to
never release passwd/group locks too early.
The list_match function handles EXCEPT entries through recursive
calls. It calls itself with NULL, which was then passed to strtok so
parsing continued at current position.
Replacing strtok with strsep, this means that EXCEPT entries never
match, because strsep(NULL, ...) always returns NULL, i.e. the
code treats everything after EXCEPT as non-existing.
Fix this by passing current list pointer to recursive call.
Fixes: 90afe61003ef (2024-07-04; "lib/, src/: Use strsep(3) instead of strtok(3)") Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
lib/chkname.c: login_name_max_size(): Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX)
GNU Hurd doesn't define LOGIN_NAME_MAX. GNU Hurd recommends having no
system limits. When a program needs a limit, because it needs to
validate user input, it is recommended that each program defines its own
limit macros. The rationale is that this avoids hard-coded limits in
ABIs, which cannot be modified ever.
However, that doesn't mean that programs should have no limits at all.
We use this limit for validating user input, and so we shouldn't allow
anything just because the system doesn't want to set a limit.
So, when sysconf(2) returns -1, either due to an error or due to a claim
for no limits, we must fall back to the LOGIN_NAME_MAX value. And if
the system doesn't define that value, we must define it ourselves (we're
more or less free to choose any value, so let's pick the one that glibc
provides nowadays).
Fixes: 6a1f45d932c8 (2024-02-04; "lib/chkname.c: Support unlimited user name lengths") Closes: <https://github.com/shadow-maint/shadow/issues/1166> Cc: Chris Hofstaedtler <zeha@debian.org> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
projects / thirdparty / shadow.git / log
