git.ipfire.org Git - thirdparty/shadow.git/log
Alejandro Colomar [Wed, 17 Jan 2024 01:50:42 +0000 (02:50 +0100)]
lib/list.c: is_on_list(): Move break condition to loop controlling expression
This change executes `i++` one more time before breaking, so we need to
update the `i+1` after the loop to just `i`.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 01:46:21 +0000 (02:46 +0100)]
lib/list.c: is_on_list(): Move code out of loop
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 15 Jan 2024 18:03:07 +0000 (19:03 +0100)]
lib/list.c: is_on_list(): Remove unnecessary use of temporary variable
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 15 Jan 2024 17:23:17 +0000 (18:23 +0100)]
lib/sgetspent.c: sgetspent(): Explicitly use an empty string literal
cp can only be an empty string literal in that conditional. Use a
string literal to be more explicit.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 15 Jan 2024 17:18:24 +0000 (18:18 +0100)]
lib/sgetspent.c: sgetspent(): Use NULL instead of 0 to mean a null pointer constant
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 15 Jan 2024 16:18:33 +0000 (17:18 +0100)]
lib/port.c: getportent(): Call strpbrk(3) instead of open-coding it
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 15 Jan 2024 15:28:11 +0000 (16:28 +0100)]
lib/: Call strsep(3) instead of open-coding it
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 15 Jan 2024 15:20:03 +0000 (16:20 +0100)]
lib/: Call strchrnul(3) instead of open-coding it
Performance tests made in 2007 are obsolete. We should assume libc is
reasonably fast today (otherwise, report a bug to libc).
$ git blame -- lib/sgetgrent.c | grep strchr
45c6603cc (nekral-guest 2007-10-07 11:44:02 +0000 30) * WARNING: I profiled this once with and without strchr() calls
6f88bcf58 (nekral-guest 2008-05-26 08:31:14 +0000 97) cp = strchr (cp, ':');
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 14:53:34 +0000 (15:53 +0100)]
lib/, src/: Call gmtime_r(3) instead of gmtime(3)
It's trivial to do the change, and it removes a CodeQL warning.
We don't need to be reentrant, but it doesn't hurt either.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 14:34:20 +0000 (15:34 +0100)]
lib/time/day_to_str.[ch]: day_to_str(): Accept a day instead of a date, and rename function
It was always being called with 'day * DAY', so do that internally and
simplify. This grabs some code from print_day_as_date().
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 14:20:22 +0000 (15:20 +0100)]
src/passwd.c: print_status(): Fix typo (bogus use of the comma operator)
Amazing that this triggered no warnings at all.
Fixes: 355ad6a9e089 ("Have a single definition of date_to_str()")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 14:19:44 +0000 (15:19 +0100)]
src/: Use DAY_TO_STR() instead of its pattern
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 14:14:29 +0000 (15:14 +0100)]
lib/time/day_to_str.h: DAY_TO_STR(): Add macro
This macro ensures that the buffer is an array, and calculates the size.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 14:11:04 +0000 (15:11 +0100)]
lib/, src/, po/: date_to_str(): Move function to header, and make inline
BTW, there's no translatable string in there.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Thu, 18 Jan 2024 10:15:17 +0000 (11:15 +0100)]
src/sulogin.c: Invert logic to reduce indentation
Also, it was checking for >=0 for success, but since that code is for
opening a different tty as stdin, that was bogus. But since it's
guaranteed to be either 0 or -1, this commit doesn't add any code to
make sure it's 0 (i.e., we could say !=0 instead of ==-1). That's more
appropriate for a different commit.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Thu, 18 Jan 2024 00:30:23 +0000 (01:30 +0100)]
lib/, src/: Use int main(void) where appropriate
Remove /*ARGSUSED*/ comments. Instead, use appropriate declarators for
main(). ISO C allows using int main(void) if the parameters are going
to be unused.
Also, do some cosmetic changes in the uses of argc and argv, to show
where they are used.
And use *argv[], instead of **argv. Array notation is friendlier, IMO.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 13:31:05 +0000 (14:31 +0100)]
lib/: Clean up after previous removal of dead code
Just cosmetic changes.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 13:16:27 +0000 (14:16 +0100)]
lib/, src/: Remove all code wrapped in defined(USE_NIS)
I don't find any way to enable USE_NIS, so it looks like it's all
dead code. Bury it.
Closes: <https://github.com/shadow-maint/shadow/issues/909>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Thu, 7 Mar 2024 23:33:19 +0000 (00:33 +0100)]
src/passwd.c: Don't print the program name twice in a log entry
OPENLOG() already sets the program name as the prefix.
This resulted in entries like:
$ journalctl 2>/dev/null | grep passwd
Mar 03 01:09:47 debian passwd[140744]: passwd: can't view or modify password information for root
Fixes: 8e167d28afd6 ("[svn-upgrade] Integrating new upstream version, shadow (4.0.8)")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
ed neville [Thu, 14 Mar 2024 19:38:15 +0000 (19:38 +0000)]
Noting copy_symlink behaviour
Mention that symlinks are modified when they prefix the skel directory.
Closes #933
Alejandro Colomar [Tue, 13 Feb 2024 15:54:33 +0000 (16:54 +0100)]
share/containers/, .github/workflows/: Don't make(1) twice
It was being done so that the second one prints errors without races.
However, the same thing can be achieved by passing -Orecurse to make(1).
And this makes the logs even more readable, since there's no racy output
at all.
Fixes: 97f79e3b2715 ("CI: Make build logs more readable")
Link: <https://github.com/shadow-maint/shadow/pull/702>
Link: <https://github.com/nginx/unit/pull/1123>
Acked-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Andrew Clayton <a.clayton@nginx.com>
Cc: Konstantin Pavlov <thresh@nginx.com>
Cc: Dylan Arbour <https://github.com/arbourd>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Thu, 11 Jan 2024 17:28:07 +0000 (18:28 +0100)]
lib/idmapping.c: get_map_ranges(): Merge two input checks into a simpler one
Previously, we were performing the following two checks:
- if (ranges != ((argc + 2) / 3)) {
- if ((ranges * 3) > argc) {
Let's draw a table of the possible input that would pass the first check:
argc:    0 1 2 3 4 5 6 7 8 9
rng:     0 1 1 1 2 2 2 3 3 3
a+2/3*3: 0 3 3 3 6 6 6 9 9 9 <-- this is roundup(argc, 3);
a+2/3:   0 1 1 1 2 2 2 3 3 3 <-- this is roundup(argc, 3) / 3;
rng*3:   0 3 3 3 6 6 6 9 9 9
From those, let's extract those that would also pass the second check:
argc:  0 3 6 9
rng:   0 1 2 3
rng*3: 0 3 6 9
We can see that there's a simple check for this input:
+ if (ranges * 3 != argc) {
As a sanity check, let's draw a table of the acceptable input with that
check:
rng:   0 1 2 3
rng*3: 0 3 6 9
argc:  0 3 6 9
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Skyler Ferrante [Fri, 8 Mar 2024 17:53:21 +0000 (12:53 -0500)]
Adding checks for fd omission
Adding function check_fds to new file fd.c. The function check_fds
should be called in every setuid/setgid program.
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 23:22:33 +0000 (00:22 +0100)]
tests/unit/test_zustr2stp.c: Test ZUSTR2STP()
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 3 Dec 2023 20:43:07 +0000 (21:43 +0100)]
lib/string/zustr2stp.[ch]: Remove zustr2stp(); keep ZUSTR2STP()
The function should never be used; it's always used via its wrapper
macro. To simplify, and reduce chances of confusion: remove the
function, and implement the macro directly in terms of
stpcpy(mempcpy(strnlen())).
Update the documentation, and improve the example, which was rather
confusing.
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Serge Hallyn [Fri, 8 Mar 2024 22:04:59 +0000 (16:04 -0600)]
configure.ac: Release 4.15.0
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Alejandro Colomar [Thu, 7 Mar 2024 22:38:48 +0000 (23:38 +0100)]
src/vipw.c: Use string literals to initialize 'Prog'
This avoids using argv[0], which is controlled by the user,
and might inject arbitrary text in stderr and the logs.
Link: <https://github.com/shadow-maint/shadow/issues/959>
Link: <https://github.com/shadow-maint/shadow/pull/960>
Cc: "Skyler Ferrante (RIT Student)" <sjf5462@rit.edu>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Karel Zak <kzak@redhat.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Christian Brauner <christian@brauner.io>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Thu, 7 Mar 2024 22:34:31 +0000 (23:34 +0100)]
src/vipw.c: Reverse logic and variable name
Since we're checking for "vigr", it makes more sense to name the
variable accordingly.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Skyler Ferrante [Sun, 3 Mar 2024 05:54:05 +0000 (00:54 -0500)]
Hardcoding Prog to known value
See #959. We now set Prog (program name) based on hardcoded value instead
of argv[0]. This is to help prevent escape sequence injection.
Alejandro Colomar [Wed, 28 Feb 2024 11:10:17 +0000 (12:10 +0100)]
share/containers/: trap(1) to see the cmocka logs
Reviewed-by: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 28 Feb 2024 11:07:22 +0000 (12:07 +0100)]
share/containers/: Specify one argument per line
Reviewed-by: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 21 Feb 2024 14:14:45 +0000 (15:14 +0100)]
.github/workflows/runner.yml: trap(1) to see the testsuite log
Otherwise, 'cat testsuite.log' isn't run, since 'set -e' aborts the
script earlier.
Reviewed-by: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Serge Hallyn [Fri, 1 Mar 2024 01:51:37 +0000 (19:51 -0600)]
configure.ac: release 4.15.0-rc3
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Alejandro Colomar [Tue, 20 Feb 2024 18:15:41 +0000 (19:15 +0100)]
lib/utmp.c: Use the appropriate autotools macros for struct utmpx
Recently, we started using utmpx instead of utmp, and we updated
<./configure.ac> to do the checks for 'struct utmpx' instead of
'struct utmp'. However, I forgot to update the preprocessor
conditionals accordingly.
Fixes: 64bcb54fa962 ("lib/, src/, configure.ac: Use utmpx instead of utmp")
Link: <https://github.com/shadow-maint/shadow/pull/954>
Cc: Firas Khalil Khana <firasuke@gmail.com>
Cc: "A. Wilfox" <https://github.com/awilfox>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Tue, 20 Feb 2024 18:13:03 +0000 (19:13 +0100)]
lib/utmp.c: Use defined() instead of #if[n]def
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Tue, 20 Feb 2024 18:25:37 +0000 (19:25 +0100)]
lib/utmp.c: Remove #endif comments
Indentation makes it clear which is which.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Tue, 20 Feb 2024 18:09:36 +0000 (19:09 +0100)]
lib/utmp.c: Merge preprocessor conditionals
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Tue, 20 Feb 2024 18:06:49 +0000 (19:06 +0100)]
lib/utmp.c: Indent nested preprocessor conditionals
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 18 Feb 2024 17:36:04 +0000 (18:36 +0100)]
lib/utmp.c: Replace UT_LINESIZE by a NITEMS() calculation
A difference between 'struct utmp' and 'struct utmpx' is that
the former uses UT_LINESIZE for the size of its array members,
while the latter doesn't have a standard variable to get its
size. Therefore, we need to get the number of elements in
the array with NITEMS().
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 18 Feb 2024 17:32:31 +0000 (18:32 +0100)]
lib/sizeof.h: memberof(): Add macro
This macro is useful to get the size of a member of a structure
without having a variable of that type.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 18 Feb 2024 01:39:57 +0000 (02:39 +0100)]
lib/utmp.c: get_session_host(): Reduce scope of variable
This silences a warning about an unused variable.
Tested-by: Firas Khalil Khana <firasuke@gmail.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sat, 17 Feb 2024 14:15:38 +0000 (15:15 +0100)]
lib/, src/, configure.ac: Use utmpx instead of utmp
utmpx is specified by POSIX as an XSI extension. That's more portable
than utmp, which is unavailable for example in musl libc. The manual
page specifies that in Linux (but it probably means in glibc), utmp and
utmpx (and the functions that use them) are identical, so this commit
shouldn't affect glibc systems.
Assume utmpx is always present.
Also, if utmpx is present, POSIX guarantees that some members exist:
- ut_user
- ut_id
- ut_line
- ut_pid
- ut_type
- ut_tv
So, rely on them unconditionally.
Fixes: 170b76cdd1a9 ("Disable utmpx permanently")
Closes: <https://github.com/shadow-maint/shadow/issues/945>
Reported-by: Firas Khalil Khana <firasuke@gmail.com>
Reported-by: "A. Wilfox" <https://github.com/awilfox>
Tested-by: Firas Khalil Khana <firasuke@gmail.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Thu, 15 Feb 2024 11:59:23 +0000 (12:59 +0100)]
lib/getdate.y: get_date(): Fix calculation
Instead of adding 1, we should add the value that we stored previously in
the variable.
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Closes: <https://github.com/shadow-maint/shadow/issues/939>
Link: <https://github.com/shadow-maint/shadow/pull/942>
Reported-by: Michael Vetter <jubalh@iodoru.org>
Reported-by: Gus Kenion <https://github.com/kenion>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Tomas Halman [Fri, 16 Feb 2024 08:52:39 +0000 (09:52 +0100)]
src/passwd.c: check password length upper limit
The passwd silently truncated the password length to PASS_MAX.
This patch introduces a check that prints an error message
and exits the call.
Signed-off-by: Tomas Halman <tomas@halman.net>
Tomas Halman [Fri, 16 Feb 2024 08:33:02 +0000 (09:33 +0100)]
src/passwd.c: inconsistent password length limit
The passwd utility had a hardcoded limit for password length set
to 200 characters. In agetpass.c, PASS_MAX is used for
this purpose.
This patch moves the PASS_MAX definition to common place
and uses it in both places.
Signed-off-by: Tomas Halman <tomas@halman.net>
Serge Hallyn [Thu, 15 Feb 2024 23:54:19 +0000 (17:54 -0600)]
release 4.15.0-rc2
Signed-off-by: Serge Hallyn <serge@hallyn.com>
NorwayFun [Thu, 8 Feb 2024 05:15:03 +0000 (06:15 +0100)]
Update Georgian translation
Alejandro Colomar [Mon, 5 Feb 2024 11:40:51 +0000 (12:40 +0100)]
lib/chkname.c: is_valid_user_name(): Avoid a cast
By using a temporary variable, we can remove a cast.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 5 Feb 2024 13:14:01 +0000 (14:14 +0100)]
lib/chkname.c: is_valid_user_name(): Remove unnecessary check
If (maxsize == -1), then ((size_t)maxsize == SIZE_MAX). And no size can
ever be >= SIZE_MAX, so it will never return false if sysconf(3) reports
an unlimited user-name size via returning -1. Well, to be pedantic,
that disallows a user-name size of precisely SIZE_MAX bytes when
sysconf(3) returns -1. However, that's probably a good thing; such a
long user name might trigger Undefined Behavior somewhere else, so be
cautious and disallow it. I hope nobody will be using the entire
address space for a user name.
The commit that introduced that check missed that this code had always
supported unlimited user-name sizes since it was introduced by Iker in
3b7cc053872c ("lib: replace `USER_NAME_MAX_LENGTH` macro"), and
6be85b0bafb5 ("lib/chkname.c: Use tmp variable to avoid a -Wsign-compare
warning") even clarified this in the commit message.
So, while the code in 6a1f45d932c8 ("lib/chkname.c: Support unlimited
user name lengths") wasn't bad per se, the commit message was incorrect.
What that patch did was adding code for handling EINVAL (or any other
errors that a future kernel might add).
To be more pedantically correct, that commit also allowed (under certain
circumstances) user names of SIZE_MAX bytes, but those were originally
allowed (by accident), and only became disallowed in 403a2e3771be
("lib/chkname.c: Take NUL byte into account"). But again, let's
disallow those, just to be cautious.
Link: <https://github.com/shadow-maint/shadow/pull/935>
Link: <https://github.com/shadow-maint/shadow/pull/935#discussion_r1477429492>
See-also: 6be85b0bafb5 ("lib/chkname.c: Use tmp variable to avoid a -Wsign-compare warning")
Fixes: 6a1f45d932c8 ("lib/chkname.c: Support unlimited user name lengths")
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 5 Feb 2024 12:54:25 +0000 (13:54 +0100)]
src/login.c: Fix off-by-one bugs
These functions expect a size, not a length. Don't subtract 1 from the
size.
Link: <https://github.com/shadow-maint/shadow/pull/935>
Link: <https://github.com/shadow-maint/shadow/issues/920#issuecomment-1926002209>
Link: <https://github.com/shadow-maint/shadow/pull/757>
Link: <https://github.com/shadow-maint/shadow/issues/674>
See-also: 0656a90bfd0d ("src/login.c: Fix off-by-one bugs")
See-also: 403a2e3771be ("lib/chkname.c: Take NUL byte into account")
Fixes: 3b7cc053872c ("lib: replace `USER_NAME_MAX_LENGTH` macro")
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 5 Feb 2024 12:44:52 +0000 (13:44 +0100)]
lib/: Don't say 'len' where 'size' is meant
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Fixes: 3b7cc053872c ("lib: replace `USER_NAME_MAX_LENGTH` macro")
Fixes: 6be85b0bafb5 ("lib/chkname.c: Use tmp variable to avoid a -Wsign-compare warning")
See-also: 403a2e3771be ("lib/chkname.c: Take NUL byte into account")
See-also: 6a1f45d932c8 ("lib/chkname.c: Support unlimited user name lengths")
Fixes: 95ea61009da8 ("lib/chkname.c: Use precise comment")
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 5 Feb 2024 12:14:13 +0000 (13:14 +0100)]
src/login.c: Fix off-by-one bugs
Before 3b7cc053872c ("lib: replace `USER_NAME_MAX_LENGTH` macro"), this
code did use a length. It used a utmp(5) fixed-width buffer, so the
length matches the buffer size (there was no terminating NUL byte).
However, sysconf(_SC_LOGIN_NAME_MAX) returns a buffer size that accounts
for the terminating null byte; see sysconf(3). Thus, the commit that
introduced the call to sysconf(3), should have taken that detail into
account.
403a2e3771be ("lib/chkname.c: Take NUL byte into account"), by Tobias,
caught that bug in <lib/chkname.c>, but missed that the same commit that
introduced that bug, introduced the same bug in two other places.
This fixes all remaining calls to sysconf(_SC_LOGIN_NAME_MAX).
I still observe some suspicious code after this fix:
if (do_rlogin(hostname, username, max_size - 1, term, sizeof(term)))
...
login_prompt(username, max_size - 1);
We're passing size-1 to functions that want a size. But since the fix
to those will be different, let's do that in the following commits.
Link: <https://github.com/shadow-maint/shadow/pull/935>
Link: <https://github.com/shadow-maint/shadow/issues/920#issuecomment-1926002209>
Link: <https://github.com/shadow-maint/shadow/pull/757>
Link: <https://github.com/shadow-maint/shadow/issues/674>
See-also: 403a2e3771be ("lib/chkname.c: Take NUL byte into account")
Fixes: 3b7cc053872c ("lib: replace `USER_NAME_MAX_LENGTH` macro")
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Tycho Andersen [Tue, 13 Feb 2024 21:30:12 +0000 (14:30 -0700)]
usermod: refuse invalid uidmaps during --add-sub{u,g}ids
It is slightly confusing to allow adding these only to later refuse them.
Here is a (lightly tested :) patch to also refuse them when adding.
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
Alejandro Colomar [Thu, 8 Feb 2024 11:53:24 +0000 (12:53 +0100)]
lib/strtoday.c: strtoday(): Fix calculation
Days officially roll over at 00:00 UTC, not at 12:00 UTC. I see no
reason to add that half day.
Also, remove the comment. It's likely to get stale.
So, get_date() gets the number of seconds since the Epoch. I wonder how
that thing works, but I'll assume it's something similar to getdate(3)
+ mktime(3). After that, we need to convert seconds since Epoch to days
since Epoch. That should be a simple division, AFAICS, since Epoch is
"1970‐01‐01 00:00:00 +0000 (UTC)". See mktime(3).
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Link: <https://github.com/shadow-maint/shadow/issues/939>
Reported-by: Michael Vetter <jubalh@iodoru.org>
Tested-by: Gus Kenion <https://github.com/kenion>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Tobias Stoeckmann [Mon, 18 Dec 2023 19:45:44 +0000 (20:45 +0100)]
lib/: Saturate addition to avoid overflow
Very large values in /etc/shadow could lead to overflows. Make sure
that these calculations are saturated at LONG_MAX. Since entries are
based on days and not seconds since epoch, saturating won't hurt anyone.
Co-developed-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Tobias Stoeckmann [Thu, 14 Dec 2023 11:33:35 +0000 (12:33 +0100)]
src/chage.c: Unify long overflow checks in print_day_as_date()
The conversion from day to seconds can be done in print_date
(renamed to print_day_as_date for clarification). This has the nice
benefit that DAY multiplication and long to time_t conversion are done
at just one place.
Co-developed-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Tue, 13 Feb 2024 12:17:44 +0000 (13:17 +0100)]
etc/pam.d/Makefile.am: Fix typo
The commit we're fixing mentions that it wanted to move 'chpasswd', but
it removed 'ch_g_passwd' from 'pamd_acct_tools_files' and added
'chpasswd' to 'pamd_files'. It seems it removed the wrong thing by
accident.
Fixes: 341d80c2c751 ("Makefile: move chpasswd and newusers to pamd target")
Link: <https://github.com/shadow-maint/shadow/pull/928#discussion_r1487687347>
Link: <https://github.com/shadow-maint/shadow/issues/926#issuecomment-1941324761>
Reported-by: Dominique Leuenberger <dleuenberger@suse.com>
Reported-by: Michael Vetter <jubalh@iodoru.org>
Cc: David Runge <dvzrv@archlinux.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Tested-by: Michael Vetter <jubalh@iodoru.org>
Reviewed-by: Michael Vetter <jubalh@iodoru.org>
Reviewed-by: loqs <https://github.com/loqs>
Co-developed-by: Dominique Leuenberger <dleuenberger@suse.com>
Signed-off-by: Dominique Leuenberger <dleuenberger@suse.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Tue, 6 Feb 2024 09:44:36 +0000 (10:44 +0100)]
AUTHORS.md: Format list
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Tobias Stoeckmann [Sat, 3 Feb 2024 00:12:16 +0000 (01:12 +0100)]
lib/chkname.c: Use precise comment
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Tobias Stoeckmann [Sat, 3 Feb 2024 00:10:22 +0000 (01:10 +0100)]
lib/chkname.c: Support unlimited user name lengths
If the system does not have a user name length limit, support it
accordingly. If the system has no _SC_LOGIN_NAME_MAX, use
LOGIN_NAME_MAX constant instead.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Tobias Stoeckmann [Sat, 3 Feb 2024 00:07:58 +0000 (01:07 +0100)]
lib/chkname.c: Take NUL byte into account
The _SC_LOGIN_NAME_MAX value includes space for the NUL byte. The length
of name must be smaller than this value to be valid.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Serge Hallyn [Thu, 1 Feb 2024 23:02:48 +0000 (17:02 -0600)]
release 4.15.0-rc1
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Samanta Navarro [Fri, 19 Jan 2024 11:55:24 +0000 (11:55 +0000)]
src/sulogin.c: Remove unused variable
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Samanta Navarro [Fri, 19 Jan 2024 11:54:14 +0000 (11:54 +0000)]
src/sulogin.c: Simplify password handling
The password returned by agetpass can be used directly without copying
it into a char array first.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Samanta Navarro [Fri, 19 Jan 2024 11:53:53 +0000 (11:53 +0000)]
src/sulogin.c: Use a do-while loop
Clarify how this endless while(true) loop can be stopped by using a
boolean variable as condition and turn it into a do-while loop.
Suggested-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Alejandro Colomar [Sat, 6 Jan 2024 19:35:29 +0000 (20:35 +0100)]
tests/unit/test_atoi_strtoi.c: Test strtou_noneg()
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sat, 6 Jan 2024 18:46:20 +0000 (19:46 +0100)]
lib/atoi/strtou_noneg.[ch]: Add strtou_noneg()
It's like strtou_(), but rejects negative input, instead of silently
converting it to unsigned.
Link: <https://softwareengineering.stackexchange.com/a/449060/332848>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 7 Jan 2024 01:35:00 +0000 (02:35 +0100)]
tests/unit/Makefile.am: tfix
Fix typo.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sat, 6 Jan 2024 18:06:27 +0000 (19:06 +0100)]
tests/unit/test_atoi_strtoi.c: Test strtoi_()
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Fri, 1 Dec 2023 21:34:31 +0000 (22:34 +0100)]
lib/atoi/strtoi.[ch]: strtoi_(), strtou_(): Add functions
These functions are identical to strtoi(3bsd) and strtou(3bsd), except
for one important thing: if both ERANGE and ENOTSUP conditions happen,
the BSD functions report ENOTSUP, which is bogus; our strtoi_() and
strtou_() report ERANGE.
Link: <https://lists.sr.ht/~hallyn/shadow/%3CZZoQDms6Sv6e5SPE%40debian%3E>
Link: <https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=57828>
Cc: Thorsten Glaser <tg@mirbsd.de>
Cc: christos <christos@netbsd.org>
Cc: roy <roy@netbsd.org>
Cc: Guillem Jover <guillem@hadrons.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Tomas Halman [Thu, 25 Jan 2024 10:00:09 +0000 (11:00 +0100)]
src/passwd.c: implement reading password from pipe
New option --stdin/-t is available for root user. It is useful
for automation/setup and it makes shadow utils passwd more versatile.
Signed-off-by: Tomas Halman <tomas@halman.net>
Tomas Halman [Thu, 25 Jan 2024 09:56:10 +0000 (10:56 +0100)]
lib/agetpass.[ch]: add function to read from pipe
Add alternative function to agetpass for reading password
from stdin or pipe.
Signed-off-by: Tomas Halman <tomas@halman.net>
loqs [Fri, 26 Jan 2024 12:41:09 +0000 (12:41 +0000)]
Makefile: move chpasswd and newusers to pamd target
Install pam configs for chpasswd and newusers when using ./configure --with-libpam --disable-account-tools-setuid.
Fixes https://github.com/shadow-maint/shadow/issues/810.
Tested-by: David Runge <dvzrv@archlinux.org>
Pablo Saavedra [Tue, 23 Jan 2024 07:33:37 +0000 (08:33 +0100)]
lib/, src/: Make the use of MAYBE_UNUSED macro consistent
There is an inconsistent use of the MAYBE_UNUSED macro. Sometimes the
`int unused(x)` form is used and others the `unused int x`. We'd
like to use the second form always.
Related-To: https://github.com/shadow-maint/shadow/issues/918
Suggested-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Pablo Saavedra <psaavedra@igalia.com>
Pablo Saavedra [Mon, 22 Jan 2024 09:00:54 +0000 (10:00 +0100)]
lib/, src/: Rename 'unused' macro as 'MAYBE_UNUSED'
Related-To: https://github.com/shadow-maint/shadow/issues/918
Suggested-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Pablo Saavedra <psaavedra@igalia.com>
Pablo Saavedra [Mon, 22 Jan 2024 13:46:15 +0000 (14:46 +0100)]
Fix Build error 'parameter name omitted' in logind
Fixes #918 by adding the omitted parameter name in
active_sessions_count().
Signed-off-by: Pablo Saavedra <psaavedra@igalia.com>
Alejandro Colomar [Mon, 29 Jan 2024 15:28:02 +0000 (16:28 +0100)]
src/sulogin.c: pw_entry(): Report errors by returning -1
Cc: Samanta Navarro <ferivoz@riseup.net>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 29 Jan 2024 11:59:14 +0000 (12:59 +0100)]
src/passwd.c: Remove comments about flags that don't exist
Those flags have never existed, AFAICS.
Closes: <https://github.com/shadow-maint/shadow/issues/929>
Cc: Tomas Halman <tomas@halman.net>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Sam James [Sun, 21 Jan 2024 14:58:33 +0000 (14:58 +0000)]
Link correctly with libdl
This fixes build with glibc-2.33 (newer glibc merged libdl and libpthread
into libc):
```
libtool: link: x86_64-pc-linux-gnu-gcc -isystem /usr/include/bsd -DLIBBSD_OVERLAY -O2 -pipe -Wl,-O1 -o login login.o login_nopam.o -Wl,--as-needed ../lib/.libs/libshadow.a -lcrypt -lsystemd -lpam -lpam_misc -lbsd
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: ../lib/.libs/libshadow.a(libshadow_la-nss.o): undefined reference to symbol 'dlclose@@GLIBC_2.2.5'
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: /lib64/libdl.so.2: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
```
In Debian, the needed macro from libtool seems to be in libltdl-dev.
Signed-off-by: Sam James <sam@gentoo.org>
Alejandro Colomar [Mon, 22 Jan 2024 23:10:14 +0000 (00:10 +0100)]
autogen.sh: CFLAGS: Use -Wno-unknown-attributes; Clang doesn't know [[gnu::access()]]
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 22 Jan 2024 21:25:34 +0000 (22:25 +0100)]
autogen.sh: CFLAGS: Add some -Werror=... flags that will be default soon
Clang 16 and GCC 14 have upgraded several warnings to errors by default.
Also, there are new warnings that will be requirements of ISO C23. Add
all of those to our build.
Use Clang's -Wno-unknown-attribute-option, to ignore warnings that are
exclusive of GCC. Sadly, GCC doesn't have such an option.
Link: <https://wiki.gentoo.org/wiki/Modern_C_porting#What_changed.3F>
Link: <https://github.com/shadow-maint/shadow/issues/922>
Suggested-by: Sam James <sam@gentoo.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 22 Jan 2024 22:52:09 +0000 (23:52 +0100)]
src/usermod.c: grp_update(): Remove scope of variable, and fix const correctness
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 22 Jan 2024 22:49:19 +0000 (23:49 +0100)]
src/useradd.c: get_defaults(): Use const temporary pointer to fix const correctness
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 22 Jan 2024 21:52:59 +0000 (22:52 +0100)]
src/su.c: Use const_cast() to silence -Wincompatible-pointer-types-discards-qualifiers
argv is passed to execve(3), which for historic reasons is non-const,
but doesn't modify the strings.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 7 Jan 2024 00:00:45 +0000 (01:00 +0100)]
lib/cast.h: const_cast(): Add macro for dropping 'const'
Uses of this macro indicate a code smell, but in some cases, libc
functions require breaking const correctness. Use this macro to wrap
casts in such cases, so that we limit the danger of the cast.
It only permits discarding const. Discarding any other qualifiers, or
doing other type changes should result in a compile-time error.
Link: <https://software.codidact.com/posts/286575/287345#answer-287345>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 22 Jan 2024 21:43:40 +0000 (22:43 +0100)]
lib/must_be.h: is_same_type(): Add macro
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 22 Jan 2024 21:42:46 +0000 (22:42 +0100)]
lib/must_be.h: is_same_typeof(): Rename macro
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 21 Jan 2024 12:48:21 +0000 (13:48 +0100)]
src/su.c: do_check_perms(): Fix -Wincompatible-pointer-types bug
Fixes: ef95bb7ed139 ("src/su.c: Fix type of variable")
Closes: <https://github.com/shadow-maint/shadow/issues/915>
Reported-by: Sam James <sam@gentoo.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sat, 6 Jan 2024 17:00:19 +0000 (18:00 +0100)]
tests/unit/test_atoi_strtou_noneg.c: Test strtou[l]l_noneg()
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Mon, 11 Dec 2023 00:06:05 +0000 (01:06 +0100)]
lib/, src/: Replace strtou[l]l(3) by strtou[l]l_noneg()
strtou[l]l(3) silently converts negative numbers into positive. This
behavior is wrong: a negative value should be parsed as a negative
value, which would underflow unsigned (long) long, and so would return
the smallest possible value, 0, and set errno to ERANGE to report an
error.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sun, 10 Dec 2023 23:51:05 +0000 (00:51 +0100)]
lib/atoi/strtou_noneg.[ch]: Add strtou[l]l_noneg()
These functions reject negative numbers, instead of silently converting
them into unsigned, which strtou[l]l(3) do.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
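The behavior the two commit messages above describe, shown as an added example that is not the project's code. `naive_parse()`, `demo_strtoul_noneg()` and `parse_id()` are hypothetical names, and the wrapper assumes the "return 0 and set errno to ERANGE" semantics stated in the message.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Plain strtoul(3): "-1" is negated in the unsigned type and errno is untouched. */
unsigned long naive_parse(const char *s)
{
	return strtoul(s, NULL, 10);
}

/* Hypothetical wrapper (not the project's code): negative input -> 0 + ERANGE. */
unsigned long demo_strtoul_noneg(const char *s, char **endp, int base)
{
	int saved = errno;
	if (strtol(s, endp, base) < 0) {
		errno = ERANGE;
		return 0;
	}
	errno = saved;	/* drop the ERANGE strtol(3) sets for values > LONG_MAX */
	return strtoul(s, endp, base);
}

/* Strict field parser: 0 on success; -1 on empty input, trailing junk or range error. */
int parse_id(const char *s, unsigned long *out)
{
	char *end;
	unsigned long v;
	errno = 0;
	v = demo_strtoul_noneg(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE)
		return -1;
	*out = v;
	return 0;
}

int main(void)
{
	const char *in[] = { "1000", "-1", "-0", "12abc", "" };	/* constructed inputs */
	unsigned long v;

	for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
		if (parse_id(in[i], &v) == 0)
			printf("\"%s\": accepted as %lu\n", in[i], v);
		else
			printf("\"%s\": rejected (strtoul alone gives %lu)\n", in[i], naive_parse(in[i]));
	}
	return 0;
}
```

With plain strtoul(3), a field containing `-1` parses as `ULONG_MAX` with no error indication, so a caller that checks only errno and the end pointer accepts it.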
Samanta Navarro [Thu, 18 Jan 2024 11:53:41 +0000 (11:53 +0000)]
src/sulogin.c: Free previously allocated memory
The sulogin program calls pw_entry in a loop while incorrect root
passwords are entered.
Free the previously allocated memory to avoid memory exhaustion.
Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Alejandro Colomar [Wed, 17 Jan 2024 16:08:50 +0000 (17:08 +0100)]
src/sulogin.c: Remove 'static' from local variable, but keep initialization
We don't need 'static', because it's in main(), which is only called
once. However, we will need initialization as if it were 'static', so
use ={} to initialize it. This will allow freeing the pointers before
they have been allocated.
Cc: Samanta Navarro <ferivoz@riseup.net>
Suggested-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 16:02:27 +0000 (17:02 +0100)]
src/sulogin.c: Remove 'static' from a temporary variable
There's no need to keep 'pass' in .bss:
```
$ grep -nC3 '\<pass\>' src/sulogin.c
58-/*ARGSUSED*/ int main (int argc, char **argv)
59-{
60- int err = 0;
61: char pass[BUFSIZ];
62- char **envp = environ;
63- TERMIO termio;
64-#ifndef USE_PAM
--
166-#endif
167- exit (0);
168- }
169: STRTCPY(pass, cp);
170- erase_pass (cp);
171-
172: if (valid (pass, &pwent)) { /* check encrypted passwords ... */
173- break; /* ... encrypted passwords matched */
174- }
175-
176- sleep (2);
177- (void) puts (_("Login incorrect"));
178- }
179: MEMZERO(pass);
180- (void) alarm (0);
181- (void) signal (SIGALRM, SIG_DFL);
182- environ = newenvp; /* make new environment active */
```
Cc: Samanta Navarro <ferivoz@riseup.net>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 16:00:48 +0000 (17:00 +0100)]
src/sulogin.c: Align local variables
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 15:57:02 +0000 (16:57 +0100)]
src/sulogin.c: Make static variables local to main()
Those variables are only used in main(). Restrict their scope.
Keep them static (.bss), as changing that may be dangerous.
Suggested-by: Samanta Navarro <ferivoz@riseup.net>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 15:52:12 +0000 (16:52 +0100)]
src/sulogin.c: pw_entry(): Don't else after return
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Wed, 17 Jan 2024 15:48:53 +0000 (16:48 +0100)]
lib/, src/, po/: pw_entry(): Move function to src/sulogin.c
That's the only file where it's called, and it's a delicate function.
Reduce the chances that other files call it.
Link: <https://github.com/shadow-maint/shadow/pull/908>
Suggested-by: Samanta Navarro <ferivoz@riseup.net>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sat, 6 Jan 2024 01:17:38 +0000 (02:17 +0100)]
lib/, tests/: addsl(): Add addsl(), a variadic macro
Add a variadic macro addsl() that accepts an arbitrary number of
addends, instead of having specific versions like addsl2() or addsl3().
It is internally implemented by the addslN() function, which itself
calls addsl2(). addsl3() is now obsolete and thus removed.
Code should just call addsl().
Link: <https://github.com/shadow-maint/shadow/pull/882#discussion_r1437155212>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Alejandro Colomar [Sat, 6 Jan 2024 01:25:21 +0000 (02:25 +0100)]
lib/, tests/: addsl2(): Rename addsl() to addsl2()
This is for consistency with addsl3(), and in preparation for the
following commit, which will unify the interface into a single addsl()
macro.
Signed-off-by: Alejandro Colomar <alx@kernel.org>