Karel Zak [Thu, 19 Feb 2026 11:20:28 +0000 (12:20 +0100)]
login: use original FQDN for PAM_RHOST
When login -h <remotehost> is invoked, init_remote_info() strips the
local domain suffix from the hostname (FQDN to short name) before
storing it in cxt->hostname. This truncated value is then used for
PAM_RHOST, which can bypass pam_access host deny rules that match on
the FQDN.
Preserve the original -h hostname in a new cmd_hostname field and use
it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp
and logging unchanged.
Note, the real-world impact is low -- login -h is only used by legacy
telnet/rlogin daemons, and exploitation requires FQDN-specific
pam_access rules on a system still using these obsolete services.
Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me> Signed-off-by: Karel Zak <kzak@redhat.com>
Using the Linux Crypto API stores hash sums of read chunks in memory. It
trusts that get_digest is called as often as "read blocks" exist in file.
It becomes an issue with files which have less content than st_size
suggests, e.g. files in sysfs. Eventually, the iterator n will be
eq->blocksmax, because the EOF is never noticed. Writing this next hash
sum into memory would lead to an out of boundary write.
Verify that n is less than eq->blocksmax. If this is not true anymore,
treat it as an error so files are considered to be not equal. This is
much safer than erroneously treating them as equal.
Seen compiler warning with GCC 15.2.1 and glibc 2.43:
```
text-utils/pg.c: In function ‘prompt’:
text-utils/pg.c:621:24: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
621 | if ((p = strstr(pstring, "%d")) == NULL) {
| ^
```
This happens if strstr is actually a preprocessor definition with a
__glibc_const_generic. For this, __GLIBC_USE (ISOC23) must be true.
Setting the pointer to const does not hurt and clarifies that the
content is not modfied.
Karel Zak [Wed, 18 Feb 2026 11:36:16 +0000 (12:36 +0100)]
Merge branch 'PR/pidfd-utils-have-defines' of https://github.com/karelzak/util-linux-work
* 'PR/pidfd-utils-have-defines' of https://github.com/karelzak/util-linux-work:
pidfd-utils: move USE_PIDFD_INO_SUPPORT after syscall fallbacks
pidfd-utils: define HAVE_PIDFD_* when syscall fallbacks are used
Karel Zak [Wed, 18 Feb 2026 09:59:30 +0000 (10:59 +0100)]
nsenter: use USE_NAMESPACE_ID_SUPPORT macro for nsid feature
Replace direct HAVE_STRUCT_NSFS_FILE_HANDLE ifdefs with a
feature-specific USE_NAMESPACE_ID_SUPPORT macro that also
requires HAVE_PIDFD_OPEN, since the namespace ID support
depends on pidfd_open().
Addresses: https://github.com/util-linux/util-linux/pull/4044 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Wed, 18 Feb 2026 09:47:19 +0000 (10:47 +0100)]
nsenter: fix minor issues with namespace ID support
- fix pidfd_self FD leak when ioctl(PIDFD_GET_MNT_NAMESPACE) fails
- fix "namesapces" typo in man page
- document "./" disambiguation for files starting with ":"
- use standard C initializer = { 0 } instead of = {}
Addresses: https://github.com/util-linux/util-linux/pull/4044 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 17 Feb 2026 11:33:58 +0000 (12:33 +0100)]
setpriv: use AppArmor LSM-specific proc interface
Remove the check for /sys/kernel/security/apparmor (securityfs) before
writing to the proc attr interface. The securityfs check fails in
environments where AppArmor is enabled but securityfs is not mounted
(e.g., containers, WSL2, embedded systems).
Use the LSM-specific /proc/self/attr/apparmor/exec interface introduced
in Linux 5.8 (kernel commit 6413f852ce08) which is not affected by LSM
load ordering issues. Fall back to the legacy /proc/self/attr/exec for
older kernels.
Fixes: https://github.com/util-linux/util-linux/issues/4033 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 17 Feb 2026 10:35:17 +0000 (11:35 +0100)]
lib/netlink: set SOCK_CLOEXEC on netlink socket
Set SOCK_CLOEXEC when creating the NETLINK_ROUTE socket in
ul_nl_open() to prevent the file descriptor from leaking to
child processes across execv().
In agetty, the netlink socket used to monitor IP address changes
for \4/\6 issue escapes was inherited by the login program, causing
SELinux AVC denials (local_login_t denied read/write on getty_t's
netlink_route_socket).
Fixes: https://github.com/util-linux/util-linux/issues/4032 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 17 Feb 2026 10:20:38 +0000 (11:20 +0100)]
libblkid: (btrfs) use BTRFS_NR_SB_LOG_ZONES and rep->zones
Use the BTRFS_NR_SB_LOG_ZONES constant instead of a hardcoded 2 when
calling blkdev_get_zonereport() to be consistent with the rest of the
function that already uses this constant.
Replace the pointer arithmetic (struct blk_zone *)(rep + 1) with the
more readable rep->zones flexible array member access.
Addresses: https://github.com/util-linux/util-linux/pull/3995 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 17 Feb 2026 10:09:09 +0000 (11:09 +0100)]
blkid: move error checks before JSON output initialization
Move the lowprobe and lookup error checks (missing device and missing
search type) before the JSON writer initialization. This prevents
partial JSON output being written to stdout before errx() terminates
the program.
Addresses: https://github.com/util-linux/util-linux/pull/4036 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 17 Feb 2026 09:56:23 +0000 (10:56 +0100)]
Merge branch 'master' of https://github.com/aschnell/util-linux
* 'master' of https://github.com/aschnell/util-linux:
avoid repetitive code
always use array with name in json output
updated test case
include device in json output and use json array when needed
If dmesg uses a pager, some of its error messages end up in the pager
output. Use the pager only for data that is supposed to be paged and
print error messages before the pager is started or after it is shut
down again.
Karel Zak [Mon, 16 Feb 2026 13:43:00 +0000 (14:43 +0100)]
prlimit: raise a nicer error message when modifying NOFILE
When attempting to set RLIMIT_NOFILE to a value exceeding the kernel's
fs.nr_open limit, prlimit(2) returns EPERM. This can mislead users into
thinking they need elevated permissions, even when running as root.
Add a check to detect when the requested NOFILE limit exceeds
fs.nr_open and provide a clear error message indicating the actual
constraint. The check is optional: if /proc/sys/fs/nr_open cannot be
read (e.g., /proc not mounted), the validation is silently skipped to
avoid introducing a hard dependency on /proc.
The nr_open value is cached and read only once per prlimit invocation
for efficiency when setting multiple limits.
Addresses: https://github.com/util-linux/util-linux/issues/4017 Co-authored-by: krajpuro <krajpuro@akamai.com> Signed-off-by: Karel Zak <kzak@redhat.com>
Michael Trapp [Tue, 10 Feb 2026 14:39:21 +0000 (15:39 +0100)]
libuuid: reset initial cont-clock time on service start
When uuidd starts with --cont-clock enabled and reads a stale timestamp
from the state file, the continuous clock logic would apply a backwards
offset (default 2 hours), causing generated UUIDs to have incorrect
timestamps in the past.
Fix this by resetting last_clock_reg to the current time when the saved
timestamp is older than the current clock. This prevents the backwards
offset from being applied at service start.
Karel Zak [Mon, 16 Feb 2026 12:30:55 +0000 (13:30 +0100)]
blkzone: make N/A string translatable
The "N/A" string for write pointer should be marked for translation
to support localization, following the pattern used elsewhere in
util-linux (e.g., blockdev.c).
Karel Zak [Mon, 16 Feb 2026 10:11:59 +0000 (11:11 +0100)]
Merge branch 'feat/3971' of https://github.com/echoechoin/util-linux
* 'feat/3971' of https://github.com/echoechoin/util-linux:
column: add bash-completion for table-header-as-columns
column: add option '--table-header-as-columns' for using first line as table columns names.
Karel Zak [Mon, 16 Feb 2026 09:45:27 +0000 (10:45 +0100)]
lib/pager: Rename caught_signal to pager_caught_signal
The variable name caught_signal is too generic. Rename it to
pager_caught_signal to follow the existing naming convention in the
file where pager-related static variables use the pager_ prefix
(pager_process, pager_argv, etc.).
Karel Zak [Mon, 16 Feb 2026 09:44:03 +0000 (10:44 +0100)]
Merge branch 'pager_fd' of https://github.com/stoeckmann/util-linux
* 'pager_fd' of https://github.com/stoeckmann/util-linux:
lib/pager: Use original stderr in pager_close
lib/pager: Use pager_open/close for pager_redirect
lib/pager: Clear potential stdout/stderr errors
lib/pager: Flush outputs in pager_close
lib/pager: Improve signal handling in pager_close
Karel Zak [Mon, 16 Feb 2026 09:18:56 +0000 (10:18 +0100)]
dmesg: update prepare_buffer() comment
The function was renamed from process_buffer() to prepare_buffer()
and no longer handles printing. Update the comment to reflect that
it only reads and prepares the message buffer.
Karel Zak [Mon, 16 Feb 2026 09:04:43 +0000 (10:04 +0100)]
dmesg: improve buffer size error message
Improve the error message when buffer size is too large to include
the maximum allowed size. This helps users understand what the actual
limit is rather than just reporting an invalid value.
Before: invalid buffer size argument: '...'
After: buffer size ... is too large (maximum is ...)
Karel Zak [Mon, 16 Feb 2026 08:58:17 +0000 (09:58 +0100)]
Merge branch 'lsfd--SIOCGSKNS-based-SOCK_NETNS' of https://github.com/masatake/util-linux
* 'lsfd--SIOCGSKNS-based-SOCK_NETNS' of https://github.com/masatake/util-linux:
lsfd: fill SOCK.NETNS even when sock_diag netlink can't report sockets
tests: (test_mkfds:netns) conditionally report EPERM when ioctl(SIOCGSKNS) fails
tests: (test_mkfd::tcp-bare) new factory creating an unbound/unconnected TCP socket
lsfd: add inspect_target_fd method to file_class
lsfd: (refactor) make call_with_foreign_fd reusable
lsfd: make pidfd for the target process available while collecting fds
lsfd: (comment) update the description of sock_xinfo::netns_inode
lsfd: (cosmetic) delete an empty line
Wilfred Mallawa [Thu, 12 Feb 2026 03:02:03 +0000 (13:02 +1000)]
blkzone: don't show wptr when zones are full
blkzone report displays the write pointer when zones are full, however, the
writepointer value is not accurate for full zones as all zone LBAs have been
written. Instead, fix this so that we show "N/A" for the writepointer field
if the zone condition is full.
While we are at it, extend this behavior for convetional zones instead
of displaying 0 for the writepointer.
Having restored stdout/stderr before calling wait_for_pager allows
potential error messages to be printed on terminal instead of being lost
due to an already closed pipe stderr.
Although dup2 closes the target descriptor, make sure that the pipe
is closed even if dup2 fails.
With everything in place, call exit after restoring the original signal
handlers. This way, signals received between wait_for_pager and signal
restoration are processed as well. A race condition exists if multiple
signals are received, which would allow original handlers to be
processed before exit is called, yet the overhead of properly blocking
signals and unblocking them is most likely not worth the effort.
If __setup_pager is unable to spawn a new process, close the duplicated
file descriptors on error path. Also, for the sake of completeness,
clear all other fields in pager_process as well.
Clear stdout/stderr errors which might have occurred in communication
with pager. Since output is flushed and file descriptors replaced, the
information is meaningless.
During pager_close execution, incoming signals can have different
effects:
For one, waitpid might be called multiple times. In this case,
stdout/stderr are closed two times, leading to failing system calls.
Also, the original stdout/stderr can be closed by the signal handler
when waitpid succeeded already and dup2 calls were performed. The signal
handler erroneously tries to signal EOF to the child this way.
To fix these issues, only set a flag and perform wait_for_pager exactly
once. If one of these signals is received during the operation, call
_exit to imitate the signal handling behavior as good as possible.
The buffer size can be specified as 32 bit unsigned int with command
line argument. In read_syslog_buffer, the allocation is increased by 8
bytes. This means that an unsigned integer overflow could occur, leading
to less amount of memory allocated than expected.
Please note that this does not lead to a security issue, just an incomplete
message.
Have a strict separation between preparing the buffer and printing
content of buffer. This will help in further changes to more efficiently
prepare output, i.e. pager setup.
Karel Zak [Wed, 4 Feb 2026 09:48:48 +0000 (10:48 +0100)]
Merge branch 'dmesg_oob' of https://github.com/stoeckmann/util-linux
* 'dmesg_oob' of https://github.com/stoeckmann/util-linux:
dmesg: Check if file is too large
dmesg: Only check for newline if input exists
dmesg: Check input length before calling strtol
Karel Zak [Wed, 4 Feb 2026 08:53:51 +0000 (09:53 +0100)]
Merge branch 'check_test_coverage' of https://github.com/cgoesche/util-linux-fork
* 'check_test_coverage' of https://github.com/cgoesche/util-linux-fork:
tests: search for all executable scripts in test subdirs
build-sys: add a target for tools/testcoverage.sh
tools: (get-options.sh) refine regex for unsupported programs to avoid false positives
tools: expand relative paths provided by $top_srcdir for robustness
tools: helper script to generate a test coverage report
tools: (get-options.sh) ensure functionality for out-of-tree builds
Masatake YAMATO [Sat, 29 Nov 2025 22:28:33 +0000 (07:28 +0900)]
lsfd: fill SOCK.NETNS even when sock_diag netlink can't report sockets
lsfd could not fill SOCK.NETNS when socket netns information was not
available via sock_diag netlink. Although TCP sockets support sock_diag,
unbound/unconnected TCP sockets are not reported there, so SOCK.NETNS
remained empty for them.
lsfd already obtained socket netns information via ioctl(SIOCGSKNS) in
load_fdsk_xinfo(), called from collect_file_symlink(). That information
was only used to enumerate network namespaces on the target system and
was not associated with socket objects. Use it to fill SOCK.NETNS.
Move the netns lookup to sock_class->inspect_target_fd. The new helper
get_netns_from_socket() retrieves the netns inode via ioctl(SIOCGSKNS),
and sock_inspect_target_fd() stores it in sock->netns_inode. Then
sock_fill_column() uses sock->netns_inode for SOCK.NETNS when present.
* lsfd-cmd/sock.h (struct sock::netns_inode): new member
* lsfd-cmd/lsfd.c (collect_file_symlink): stop calling load_fdsk_xinfo()
* lsfd-cmd/sock-xinfo.c (load_fdsk_xinfo_cb): remove
* lsfd-cmd/sock.c: add get_netns_from_socket(), sock_inspect_target_fd()
and wire inspect_target_fd in sock_class; use netns_inode in
sock_fill_column() for SOCK.NETNS
* tests/ts/lsfd/mkfds-tcp-bare: add test case
Masatake YAMATO [Mon, 1 Dec 2025 21:19:27 +0000 (06:19 +0900)]
lsfd: add inspect_target_fd method to file_class
lsfd has mainly used the following information sources:
* stat(2) of readlink(/proc/$pid/fd/$fd),
* values in /proc/$pid/fdinfo/$fd, and
* netlink diag.
The new method adds a new information source, file descriptors
imported from the target process. lsfd uses pidfd_getfd(2) to import
the specified fd from the target process.
In the inspect_target_fd method, the imported file descriptor can be
used freely. For example, you can call ioctl(2) on it to obtain extra
information.
tests: search for all executable scripts in test subdirs
Instead of looking for scripts that contain ts_init()
look for all executable scripts as some of them contain
helper functions with commands and long options.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
tools: helper script to generate a test coverage report
This script uses a heuristic approach to determine an approx.
test coverage of all util-linux tools. It does this by simply
looking at all the test scripts for a given tool and compares
the long options seen in them with all available ones for the
concerned tool. It also reports if a tool is either missing a
test subdirectory in tests/ts or doesn't have any test script
at all.
This script is not necessarily intended to be ran for build
tests but rather for code quality checks and to help util-linux
developers to get a better overview of their testing infrastructure
and plan accordingly for improvements.
It will potentially also help in keeping the tools stable and
detect regressions more efficiently.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
WanBingjiang [Tue, 3 Feb 2026 01:49:47 +0000 (09:49 +0800)]
hexdump: add fetch_more_extents to retrieve all file extents
Add fetch_more_extents() so FIEMAP can fetch extents in batches beyond
the initial fixed batch, instead of being limited to FIEMAP_EXTENTS_BATCH
extents only.
lib/pager: Call _exit in signal handler, not raise
The signals are registered without SA_RESETHAND, which means that the
same signal handler is called over and over again.
This just works because eventually, the waitpid call will fail, leading
to a suppressed error message (because stderr is already closed) and
then an _exit(EXIT_FAILURE) call.
Just call _exit(EXIT_FAILURE) directly to avoid unneeded and failing
system calls.
If PAGER contains any slash in program part, avoid resolving it with
PATH environment variable. Even if it is found there (in a
subdirectory), sh -c won't execute it.
Ameer Hamza [Mon, 2 Feb 2026 16:16:50 +0000 (21:16 +0500)]
libblkid: zfs: fix unaligned memory access on SPARC
SPARC requires aligned memory access for uint32_t values. The ZFS code
was directly dereferencing uint32_t pointers that could be unaligned due
to XDR encoding, causing SIGBUS crashes. Introduce copy_be32_to_cpu()
helper using memcpy to safely read from potentially unaligned memory.
Karel Zak [Mon, 2 Feb 2026 12:46:44 +0000 (13:46 +0100)]
Merge branch 'tests_convert_to_long_opts' of https://github.com/cgoesche/util-linux-fork
* 'tests_convert_to_long_opts' of https://github.com/cgoesche/util-linux-fork: (26 commits)
tests: (waitpid) use long options to improve test coverage report
tests: use long options globally in test scripts
tests: (setarch) use long options to improve test coverage report
tests: (script) use long options to improve test coverage report
tests: (rev) use long options to improve test coverage report
tests: (rename) use long options to improve test coverage report
tests: (mount) use long options to improve test coverage report
tests: (more) use long options to improve test coverage report
tests: (lsns) use long options to improve test coverage report
tests: (lsmem) use long options to improve test coverage report
tests: (lscpu) use long options to improve test coverage report
tests: (lsclocks) use long options to improve test coverage report
tests: (losetup) use long options to improve test coverage report
tests: (logger) use long options to improve test coverage report
tests: (ipcs) use long options to improve test coverage report
tests: (ionice) use long options to improve test coverage report
tests: (hexdump) use long options to improve test coverage report
tests: (getopt) use long options to improve test coverage report
tests: (findmnt) use long options to improve test coverage report
tests: (fdisk) use long options to improve test coverage report
...