Pat Riehecky [Tue, 10 Mar 2026 14:47:26 +0000 (09:47 -0500)]
subid: use is_same_user() for owner resolution in find_range
Replace the resolution in find_range with is_same_user(). The
actualy results should be the same.
Previously, find_range performed its own getpwnam() based UID lookup to
handle entries recorded by UID or by username. This duplicated logic
centralized in is_same_user().
is_same_user() resolves ownership by username, UID, and overlapping
entries, making find_range consistent with how ownership is determined
elsewhere.
Reviewed-by: Alejandro Colomar <alx@kernel.org> Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
Pat Riehecky [Tue, 10 Mar 2026 14:42:48 +0000 (09:42 -0500)]
subid: use is_same_user() for owner resolution in range queries
Replace direct owner string comparison in range_exists, get_owner_id,
list_owner_ranges, and new_subid_range with is_same_user().
Previously, ownership checks required a literal match against the owner
field. This created a situation where if entries were recorded by UID and
by username not all would be identified.
is_same_user() resolves ownership by username, UID, and overlapping
entries, making range queries consistent with how ownership is determined
elsewhere.
Fixes: 0a7888b1 (2020-06-07; "Create a new libsubid") CC: Serge Hallyn <serge@hallyn.com> Reviewed-by: Alejandro Colomar <alx@kernel.org> Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
Pat Riehecky [Tue, 10 Mar 2026 14:39:57 +0000 (09:39 -0500)]
subid: Add is_same_user for unified ID lookups
Each identifier is resolved via getpw_uid_or_nam and compared
numerically. Accepts usernames, numeric UIDs, or a mix of both.
Numeric resolution ensures stale entries for deleted users cannot
produce false matches, and handles systems with overlapping UIDs.
We do not perform a streq(3) on the passed strings themselves.
In this way we ensure the user is resolvable on the system
eliminating the ability to return results from deleted users
with stale entries.
Returns false if either identifier cannot be resolved, or if the
resolved UIDs do not match.
Reviewed-by: Alejandro Colomar <alx@kernel.org> Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
aborah-sudo [Wed, 25 Mar 2026 04:19:33 +0000 (09:49 +0530)]
Tests: Add a new user with a specified existing numerical primary group
This is the transformation to Python of the test located in
`tests/usertools/01/07_useradd_numerical_primary_group.test`, which checks that `useradd` can add a new user with valid existing group as primary
* Run vipw on passwd file and add a user
* Run vipw on shadow file and add a user
* Run vipw on group file and add a group
* Run vipw on gshadow file and add a group
tests/system/tests/test_chgpasswd.py: change multiple group passwords interactive
This is the transformation to Python of the test located in
`tests/grouptools/chgpasswd/02_chgpasswd_multiple_groups/chgpasswd.test`,
which checks that `chgpasswd` is able to change the password of multiple
groups in batch.
tests/system/tests/test_gpasswd.py: add user as group administrator
This is the transformation to Python of the test located in
`tests/grouptools/gpasswd/50_gpasswd_change_admin_list/gpasswd.test`,
which checks that `gpasswd` is able to add a user as a group
administrator.
tests/system/tests/test_gpasswd.py: add user to group membership as root user
This is the transformation to Python of the test located in
`tests/grouptools/gpasswd/31_gpasswd_add_user_to_group/gpasswd.test`,
which checks that `gpasswd` is able to add a user to a group membership
running as root.
tests/system/tests/test_chpasswd.py: change multiple user passwords interactive
This is the transformation to Python of the test located in
`tests/usertools/chpasswd/02_chpasswd_multiple_users/chpasswd.test`,
which checks that `chpasswd` is able to change the password of multiple
users in batch.
Iker Pedrosa [Mon, 23 Feb 2026 13:35:28 +0000 (14:35 +0100)]
tests/system/tests/test_passwd.py: lock user password
This is the transformation to Python of the test located in
`tests/passwd/06_passwd_-l_root_lock_account/passwd.test`,
which checks that `passwd` is able to lock a user's password.
tests/system/tests/test_passwd.py: change user password as root in interactive mode
This is the transformation to Python of the test located in
`tests/passwd/18_passwd_root_change_password_user/passwd.test`,
which checks that `passwd` is able to change a user's password running
as root in interactive mode.
aborah-sudo [Mon, 23 Mar 2026 05:12:09 +0000 (10:42 +0530)]
Tests: Add a new user with a specified non-existing primary group
This is the transformation to Python of the test located in
`tests/usertools/01/06_useradd_invalid_named_primary_group.test`, which checks that `useradd` can not add a new user with invalid existing group as primary
aborah-sudo [Tue, 17 Mar 2026 05:22:28 +0000 (10:52 +0530)]
Tests: Add a new user with a valid existing group as primary
This is the transformation to Python of the test located in
`tests/usertools/01/08_useradd_named_primary_group.test`, which checks that `useradd` can add a new user with a valid existing group as primary
aborah-sudo [Fri, 13 Mar 2026 05:33:10 +0000 (11:03 +0530)]
Tests: Add a new user with a specified non-existing gid
This is the transformation to Python of the test located in
`tests/usertools/01/05_useradd_invalid_numeric_primary_group.test`, which checks that `useradd` fails to create a new user with non-existing group
If a new shadow entry is created, the passwd entry's password hash is
moved into shadow file and replaced with an "x". If this happens, update
the passwd file as well, otherwise the "x" is not written to disk.
Verify that sysconf does not return -1. It is not important if it's due
to an error or due to a missing upper boundary. In both cases, fall back
to a constant value.
Verify that sysconf does not return -1. It is not important if it's due
to an error or due to a missing upper boundary. In both cases, fall back
to a constant value.
strchriscntrl: reject C1 control bytes (0x80-0x9F)
glibc's iscntrl() does not classify C1 control bytes as control
characters in any locale. The iscntrl() check was added as part of the
fix for CVE-2023-29383, which blocked C0 control characters, but C1
bytes were never considered.
The byte 0x9B is the C1 encoding of CSI (Control Sequence Introducer),
equivalent to ESC [. On terminals that interpret C1 codes (VTE-based
terminals such as GNOME Terminal, Tilix, Terminator, XFCE Terminal),
an attacker can inject terminal escape sequences into GECOS fields via
chfn. This allows visual spoofing of /etc/passwd output, for example
making a user's UID appear as 0 when viewed with cat.
Explicitly check for bytes in the 0x80-0x9F range in strchriscntrl()
so that valid_field() returns -1 (rejected) instead of 1 (non-ASCII
warning) for these bytes.
Before (unpatched chfn accepts C1 bytes and writes them to /etc/passwd):
If -e 0 or -f 0 are supplied but no shadow entry exists, these flags are
silently ignored. Internally, the supplied values (0) are compared with
static long values which are initially 0 as well. If they are identical,
usermod drops the flags.
This does not match usermod's manual page, which states that a missing
shadow entry is created. This is also true for any other valid command
line values, e.g. -e 1 or -f 1.
aborah-sudo [Wed, 11 Mar 2026 08:27:42 +0000 (13:57 +0530)]
Tests: Add user with existing UID without -o flag
This is the transformation to Python of the test located in
`04_useradd_add_user_with_existing_UID_fail`, which checks that `useradd` fails to create a new user with existing UID without -o flag
aborah-sudo [Mon, 9 Mar 2026 05:50:21 +0000 (11:20 +0530)]
Tests: Add a new user with specified UID and GID
This is the transformation to Python of the test located in
`tests/usertools/01/04_useradd_specified_UID_and_GID.test`,
which checks that `useradd` is able to create a new user with specified uid and gid
lib/io/syslog.h: SYSLOG_C(): Split code to helper macro
The name of this macro makes it more evident what it does. It's a
C-locale version of syslog(3). We need to implement it as a macro
so that arguments such as strerror(3) are evaluated after setting
the C locale. This would be impossible with a function.
aborah-sudo [Mon, 2 Mar 2026 07:04:18 +0000 (12:34 +0530)]
Tests: Create user with comment, expiredate, inactive, shell and custom home
This is the transformation to Python of the test located in
`tests/usertools/01/03_useradd_additional_options.test`, which checks that
`useradd` is able to create a new user with comment, expiredate, inactive, shell and custom home
Chen Qi [Wed, 11 Feb 2026 05:17:04 +0000 (05:17 +0000)]
Fix build failure on hosts with gcc 10
We cannot just uname these unused parameters because gcc 10
need them. There will be error like below with gcc 10:
lib/copydir.c:103:11: error: parameter name omitted
The Debian bullseye uses gcc 10 by default.
Most of the changes are done manually. Some changes in tests/unit
are done via the following shell command:
sed -i -e 's#void \*\*#MAYBE_UNUSED void \*\* _1#g' tests/unit/test_*.c
Hadi Chokr [Thu, 12 Feb 2026 11:17:52 +0000 (12:17 +0100)]
tests: add privileged useradd test for BTRFS subvolume homes
Add a privileged system test that verifies useradd can create home
directories as BTRFS subvolumes.
This test requires elevated privileges to use:
The BTRFS filesystem Framework class to create a /home directory on
BTRFS and check if the Users Home directory is a BTRFS Subvolume.
The test is intentionally isolated and excluded from default test runs
to prevent accidental execution on host systems.
Hadi Chokr [Thu, 12 Feb 2026 11:16:39 +0000 (12:16 +0100)]
tests: add privileged topology and test configuration
Extend the Python system test framework with a dedicated privileged
topology and configuration, while keeping privileged tests excluded
by default. And include a BTRFS Framework class for BTRFS Operations.
This ensures:
- Clear separation between safe and destructive tests
- No accidental execution of privileged tests in normal CI or local runs
- Explicit opt-in for privileged environments
Hadi Chokr [Thu, 12 Feb 2026 11:14:54 +0000 (12:14 +0100)]
doc: document privileged containers and privileged system tests
Document the distinction between unprivileged and privileged execution
modes for containers and system tests.
Add explicit warnings that privileged tests must never be run on the
host system, as they may mount filesystems, create loop devices, or
modify kernel-visible state.
Provide clear guidance on when privileged tests are acceptable and how
to execute them safely in disposable environments.
Hadi Chokr [Thu, 12 Feb 2026 11:13:46 +0000 (12:13 +0100)]
share: add privileged container support for CI and system tests
Introduce opt-in privileged container execution for CI and local runs.
This enables filesystem-level tests (e.g. BTRFS, mounts) while keeping
unprivileged execution as the default and safe path.
Changes include:
- Separate privileged and unprivileged builders
- Conditional Ansible roles and inventories
- Privileged test execution wiring
- --privileged support in container-build.sh
A one-liner macro is simpler, and works just fine.
We don't need the function at all, since we don't use it as a callback.
The macro changes the return type, but we don't really care about that
detail; we could cast it to bool, but we don't really need that, so keep
it simple.
lib/defines.h, lib/, src/: Redefine SYSLOG() as a variadic macro
The double parentheses were used to fake a variadic macro with a
non-variadic one. With a variadic macro, we remove the weird double
parentheses that were needed to call this macro, which BTW were
error-prone. This would have prevented the bug fixed in 3f5ae5d5f1fd
(2025-09-10; "src/su.c: Fix incorrect (non-matching) parentheses").
usermod: Add option to automatically find subordinate IDs
Tools such as useradd(8) automatically select subordinate UID and GID
ranges based on settings in login.defs.
But when one wants to add subordinate IDs to an existing user, these
ranges have to be specified manually using the -w and -v options
of usermod(8).
Add a new -S / --add-subids option to usermod(8) which will, just like
useradd(8), find a range based on the settings in login.defs.
Signed-off-by: Richard Weinberger <richard@nod.at>
lib/string/README: streq(3) and strnul(3) are in libc
streq(3) and strnul(3) are now part of a libc implementation: gnulib.
They are also documented in a manual page. Thus, refer to them as
streq(3) and strnul(3).
It has been deprecated for a very long time. In fact, the first commit
that documented MD5_CRYPT_ENAB already documented it as deprecated. 6e3ad7a27546 (2007-11-20).
Password expiration is deprecated, and will be eventually removed.
The functionality of expiry(1) is the most superfluous of password
expiry and can be removed early. This shouldn't conflict with any
existing regulations about password expiry.
Iker Pedrosa [Fri, 6 Feb 2026 15:31:56 +0000 (16:31 +0100)]
lib/chkhash.c: fix yescrypt hash length comment
Fix misleading comment that stated "43-char (minimum) hash" when
the actual regex pattern requires exactly 43 characters. Update
comment to accurately reflect the implementation behavior.
projects / thirdparty / shadow.git / log
