Commit Graph

3049 Commits

Author SHA1 Message Date
Serge Hallyn
30f3ea4bd3 trivial: vipw.8: fix grammar
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2023-04-03 13:06:14 +02:00
Christian Göttsche
2eee4c67f5 sssd: skip flushing if executable does not exist
Avoid unnecessary syslog output, like:

    Apr 01 13:35:09 dlaptop userdel[45872]: userdel: sss_cache exited with status 1
    Apr 01 13:35:09 dlaptop userdel[45872]: userdel: Failed to flush the sssd cache.
2023-04-03 13:05:30 +02:00
Christian Göttsche
2eaea70111 Overhaul valid_field()
e5905c4b ("Added control character check") introduced checking for
control characters but had the logic inverted, so it rejects all
characters that are not control ones.

Cast the character to `unsigned char` before passing to the character
checking functions to avoid UB.

Use strpbrk(3) for the illegal character test and return early.
2023-03-31 09:53:40 -05:00
Martin Kletzander
a5f9ef8b7f semanage: Do not set default SELinux range
Both semanage and libsemanage actually set the user's mls range to the
default of the seuser, which makes more sense and removes a bit of code
for usermod and useradd.  More fine-grained details must always be set
with some other tool
(semanage) anyway.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2023-03-31 16:13:02 +02:00
Michael Vetter
b44d7f78e0 Fix typo in groupadd usage 2023-03-31 16:04:42 +02:00
Christian Göttsche
189a01f7a7 ci: update Differential ShellCheck
Run on pushes and drop unnecessary write access.

Should avoid pull-requests comments like
https://github.com/shadow-maint/shadow/pull/695#issuecomment-1491876950
2023-03-31 15:54:39 +02:00
tomspiderlabs
e5905c4b84 Added control character check
Added control character check, returning -1 (to "err") if control characters are present.
2023-03-30 19:23:00 -05:00
Mike Gilbert
bd2d0079c9 usermod: respect --prefix for --gid option
The --gid option accepts a group name or id. When a name is provided, it
is resolved to an id by looking up the name in the group database
(/etc/group).

The --prefix option overides the location of the passwd and group
databases. I suspect the --gid option was overlooked when wiring up the
--prefix option.

useradd --gid already respects --prefix; this change makes usermod
behave the same way.

Fixes: b6b2c756c9
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
2023-03-29 09:05:23 +02:00
Alejandro Colomar
4c210a29bc Fix su(1) silent truncation
*  src/su.c (check_perms): Do not silently truncate user name.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
1d7d94ed7d Simplify is_my_tty()
This commit will serve to document why we shouldn't worry about the
truncation in the call to strlcpy(3).  Since we have one more byte in
tmptty than in full_tty, truncation will produce a string that is at
least one byte longer than full_tty.  Such a string could never compare
equal, so we're actually handling the truncation in a clever way.  Maybe
too clever, but that's why I'm documenting it here.

Now, about the simplification itself:

Since we made sure that both full_tty and tmptty are null-terminated, we
can call strcmp(3) instead of strncmp(3).  We can also simplify the
return logic avoiding one branch.

Cc: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
e27ca53091 Fix is_my_tty() buffer overrun
*  libmisc/utmp.c (is_my_tty): Declare the parameter as a char array,
   not char *, as it is not necessarily null-terminated.
   Avoid a read overrun when reading 'tty', which comes from
   'ut_utname'.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
664d361fa5 Add STRLEN(): a constexpr strlen(3) for string literals
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
03af2940f7 Fix crash with large timestamps
*  libmisc/date_to_str.c (date_to_str): Do not crash if gmtime(3)
   returns NULL because the timestamp is far in the future.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
ea3d49506f Prefer strcpy(3) to strlcpy(3) when either works
* lib/gshadow.c (sgetsgent): Use strcpy(3) not strlcpy(3),
since the string is known to fit.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
a926a26f0c Fix change_field() buffer underrun
* lib/fields.c (change_field): Don't point
before array start; that has undefined behavior.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
690ca8c238 Omit unneeded test in change_field()
* fields.c (change_field): Omit unnecessary test.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
5686d9162e Simplify change_field() by using strcpy
* lib/fields.c (change_field): Since we know the string fits,
use strcpy(3) rather than strlcpy(3).

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
skyler-ferrante
c089196e15 Fix null dereference in basename
On older kernels (<=linux-5.17), argv[0] can be null. Basename would
call strrchr with null if argc==0. Fixes issue #680
2023-03-27 10:10:37 -05:00
Iker Pedrosa
300d6ef45c CI: script for local container build
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
d4f31a5b3e CI: build project in containers
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
411a66476d container: add fedora
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
3efab2039f container: add debian
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
baff19767d container: add alpine
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
53a4bda9ba SECURITY.md: add Iker Pedrosa
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-20 10:54:45 -05:00
Christian Göttsche
f2c4949707 selinux: use type safe function pointer assignment 2023-03-20 08:47:52 +01:00
Christian Göttsche
37bf59067f Use strict prototype in definition
gettime.c:25:30: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
    /*@observer@*/time_t gettime ()
                                 ^
                                  void
2023-03-20 08:47:52 +01:00
Vinícius dos Santos Oliveira
e638841f5a Add .editorconfig 2023-03-02 16:33:06 -06:00
Serge Hallyn
61ca915ac5 run_some: fix shellcheck warning
shellcheck warns against using echo with flags, as posix sh won't
support it.  It suggests using printf, so let's do that.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Serge Hallyn
6d03bbea96 fail on any run_some test failure
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Serge Hallyn
add4ab4bf0 ignore first test in run_some
bc github...

For some reason, the first test - ONLY on github - seems to not
give the '$ ' prompt expected when you spawn 'su testsuite'.
So just run the first test twice, and ignore the first failure.
2023-02-27 21:38:45 -06:00
Serge Hallyn
4da831c02f swap first two tests - does the first one still fail?
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Serge Hallyn
421c6cf951 tests: remove some github runner PATH tweaking
It messes with the expected results.

We can do better than this in the expect scripts, but let's
get things running for now.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Alejandro Colomar
a72065a108 tests: Support git-worktree(1)
git-worktree(1) uses a regular file for <.git>, instead of a directory.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-27 14:16:50 -06:00
Serge Hallyn
4445cee19d tests: newuidmap and newgidmap: update expected fail message
The failure message got changed, but the tests looking for it did
not.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 21:46:29 -06:00
Serge Hallyn
aa15bc445e libsubid: include alloc.h
Fixes: efbbcade43: Use safer allocation macros
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 21:27:02 -06:00
Serge Hallyn
9a9e163e71 run_some: log stderr
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 20:11:14 -06:00
Vinícius dos Santos Oliveira
05e2adf509 Validate fds created by the user
write_mapping() will do the following:

openat(proc_dir_fd, map_file, O_WRONLY);

An attacker could create a directory containing a symlink named
"uid_map" pointing to any file owned by root, and thus allow him to
overwrite any root-owned file.
2023-02-24 16:20:57 -06:00
Serge Hallyn
7ff33fae6f get_pidfd_from_fd: return -1 on error, not 0
Fixes: 6974df39a: newuidmap and newgidmap: support passing pid as fd
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 13:54:54 -06:00
Serge Hallyn
17efd59252 g-h-a workflow: workaround
Skip updating grub packages that are currently breaking
apt-get dist-upgrade.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 13:27:57 -06:00
Serge Hallyn
e4e3212122 Fix regression in some translation strings
Fixes: d80df2c8a: Update translation
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 12:56:05 -06:00
Iker Pedrosa
3b3d3e5cd4 lib: bit_ceil_wrapul(): stop recursion
It should call bit_ceilul() instead of itself.

Fixes: 0712b236c3 ("Add bit manipulation functions")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-02-24 12:44:14 -06:00
Iker Pedrosa
21d88b4525 lib: define ULONG_WIDTH if non-existent
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-02-24 12:44:14 -06:00
maqi
d80df2c8a0 Update translation 2023-02-24 12:41:50 -06:00
Serge Hallyn
6974df39a7 newuidmap and newgidmap: support passing pid as fd
Closes #635

newuidmap and newgidmap currently take an integner pid as
the first argument, determining the process id on which to
act.  Accept also "fd:N", where N must be an open file
descriptor to the /proc/pid directory for the process to
act upon.  This way, if you

exec 10</proc/99
newuidmap fd:10 100000 0 65536

and pid 99 dies and a new process happens to take pid 99 before
newuidmap happens to do its work, then since newuidmap will use
openat() using fd 10, it won't change the mapping for the new
process.

Example:

// terminal 1:
serge@jerom ~/src/nsexec$ ./nsexec -W -s 0 -S 0 -U
about to unshare with 10000000
Press any key to exec (I am 129176)

// terminal 2:
serge@jerom ~/src/shadow$ exec 10</proc/129176
serge@jerom ~/src/shadow$ sudo chown root src/newuidmap src/newgidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newuidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newgidmap
serge@jerom ~/src/shadow$ ./src/newuidmap fd:10 0 100000 10
serge@jerom ~/src/shadow$ ./src/newgidmap fd:10 0 100000 10

// Terminal 1:
uid=0(root) gid=0(root) groups=0(root)

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 12:35:49 -06:00
Alejandro Colomar
7668f77439 Fix use-after-free of pointer after realloc(3)
We can't use a pointer that was input to realloc(3), nor any pointers
that point to reallocated memory, without making sure that the memory
wasn't moved.  If we do, the Behavior is Undefined.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-23 20:28:43 -06:00
Alejandro Colomar
efbbcade43 Use safer allocation macros
Use of these macros, apart from the benefits mentioned in the commit
that adds the macros, has some other good side effects:

-  Consistency in getting the size of the object from sizeof(type),
   instead of a mix of sizeof(type) sometimes and sizeof(*p) other
   times.

-  More readable code: no casts, and no sizeof(), so also shorter lines
   that we don't need to cut.

-  Consistency in using array allocation calls for allocations of arrays
   of objects, even when the object size is 1.

Cc: Valentin V. Bartenev <vbartenev@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-23 20:28:43 -06:00
Alejandro Colomar
6e58c12752 libmisc: Add safer allocation macros
This macros have several benefits over the standard functions:

-  The type of the allocated object (not the pointer) is specified as an
   argument, which improves readability:
   -  It is directly obvious what is the type of the object just by
      reading the macro call.
   -  It allows grepping for all allocations of a given type.

   This is admittedly similar to using sizeof() to get the size of the
   object, but we'll see why this is better.

-  In the case of reallocation macros, an extra check is performed to
   make sure that the previous pointer was compatible with the allocated
   type, which can avoid some mistakes.

-  The cast is performed automatically, with a pointer type derived from
   the type of the object.  This is the best point of this macro, since
   it does an automatic cast, where there's no chance of typos.

   Usually, programmers have to decide whether to cast or not the result
   of malloc(3).  Casts usually hide warnings, so are to be avoided.
   However, these functions already return a void *, so a cast doesn't
   really add much danger.  Moreover, a cast can even add warnings in
   this exceptional case, if the type of the cast is different than the
   type of the assigned pointer.  Performing a manual cast is still not
   perfect, since there are chances that a mistake will be done, and
   even ignoring accidents, they clutter code, hurting readability.
   And now we have a cast that is synced with sizeof.

-  Whenever the type of the object changes, since we perform an explicit
   cast to the old type, there will be a warning due to type mismatch in
   the assignment, so we'll be able to see all lines that are affected
   by such a change.  This is especially important, since changing the
   type of a variable and missing to update an allocation call far away
   from the declaration is easy, and the consequences can be quite bad.

Cc: Valentin V. Bartenev <vbartenev@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-23 20:28:43 -06:00
Alejandro Colomar
f332379ea0 Use xreallocarray() instead of its pattern
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-23 20:28:43 -06:00
Alejandro Colomar
190a702225 Use reallocarrayf() instead of its pattern
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-23 20:28:43 -06:00
Alejandro Colomar
191f04f7dc Use *array() allocation functions where appropriate
This prevents overflow from multiplication.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-23 20:28:43 -06:00