3049 Commits

Author SHA1 Message Date
Aleksa Sarai 6d8be68071 README: add Aleksa Sarai to author list
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-16 17:56:36 +11:00
Aleksa Sarai fb28c99b8a newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.

This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).

We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".

Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-16 17:56:35 +11:00
fariouche acaed3deab upstream merge 2018-01-23 23:10:19 +01:00
rahul bb47fdf25e indentation fix 2018-01-22 17:07:27 +05:30
rahul 97bb5b2b6d added a check to avoid freeing null pointer 2018-01-22 17:05:52 +05:30
Serge Hallyn c0f0c67864 Merge pull request #92 from IronicBadger/master
Fixes misspelling of MAX_DAYS help text
2018-01-18 22:42:12 -06:00
Alex Kretzschmar e91b0f0517 Fixes misspelling of MAX_DAYS help text 2018-01-17 12:21:48 +00:00
Serge Hallyn 3f1f999e2d Merge pull request #90 from t8m/userdel-chroot
Make userdel to work with -R.
2018-01-08 22:57:43 -06:00
Serge Hallyn c63bc6bfaa Merge pull request #91 from kloeri/master
Add note to passwd(1) that --maxdays -1 disables the setting.
2018-01-08 22:56:23 -06:00
Bryan Østergaard a54907dce3 Add note to passwd(1) that --maxdays -1 disables the setting.
This note already exists in chage(1).
2018-01-03 18:36:40 +01:00
Tomas Mraz 2c57c399bf Make userdel to work with -R.
The userdel checks for users with getpwnam() which might not work
properly in chroot. Check for the user's presence in local files only.
2017-12-21 09:12:58 +01:00
Josh Soref a063580dbb spelling: within 2017-10-22 21:37:53 +00:00
Josh Soref a2c6e429b3 spelling: various 2017-10-22 21:33:42 +00:00
Josh Soref f3e07f105e spelling: using 2017-10-22 21:31:09 +00:00
Josh Soref f21700d876 spelling: username 2017-10-22 21:31:35 +00:00
Josh Soref 34669aa651 spelling: unrecognized 2017-10-22 21:30:30 +00:00
Josh Soref 08248f0859 spelling: typical 2017-10-22 21:28:58 +00:00
Josh Soref 722be83a14 spelling: thanks 2017-10-22 21:24:49 +00:00
Josh Soref ea1a6e814b spelling: success 2017-10-22 21:23:13 +00:00
Josh Soref 2c930b19ba spelling: succeeded 2017-10-22 21:23:22 +00:00
Josh Soref 75e8eaad78 spelling: submitting 2017-10-22 21:23:03 +00:00
Josh Soref b74d6cfb98 spelling: spotted 2017-10-22 21:16:50 +00:00
Josh Soref a95d4ac1b5 spelling: spectacularly 2017-10-22 21:16:07 +00:00
Josh Soref b9c9d411ff spelling: similar 2017-10-22 21:14:37 +00:00
Josh Soref 05cc753275 spelling: session 2017-10-22 21:13:32 +00:00
Josh Soref af4a1c4e6b spelling: security 2017-10-22 21:13:23 +00:00
Josh Soref ef39098a1b spelling: rewritten 2017-10-22 21:11:59 +00:00
Josh Soref 6671b44434 spelling: remove 2017-10-22 21:12:29 +00:00
Josh Soref b2dbde4b8c spelling: really 2017-10-22 21:06:22 +00:00
Josh Soref 57cb36333b spelling: queried 2017-10-22 21:05:52 +00:00
Josh Soref bfacc99ac3 spelling: provided 2017-10-22 21:04:46 +00:00
Josh Soref e2192e119d spelling: poor 2017-10-22 21:15:45 +00:00
Josh Soref 4e0ac33eae spelling: password 2017-10-22 21:03:28 +00:00
Josh Soref 8078e5bd54 spelling: partially 2017-10-22 21:03:00 +00:00
Josh Soref 146a0da7b3 spelling: overridden 2017-10-22 21:01:25 +00:00
Josh Soref ad7b83fc86 spelling: output 2017-10-22 21:00:52 +00:00
Josh Soref c668c49a15 spelling: originally 2017-10-22 20:58:52 +00:00
Josh Soref 3574346318 spelling: options 2017-10-22 20:58:25 +00:00
Josh Soref 008be2848e spelling: nonexistent 2017-10-22 20:54:42 +00:00
Josh Soref 63261593c8 spelling: negative 2017-10-22 20:48:57 +00:00
Josh Soref 18b14eb4a8 spelling: necessary 2017-10-22 20:45:06 +00:00
Josh Soref 4724e503b0 spelling: multiple 2017-10-22 20:41:18 +00:00
Josh Soref 2c4d93c7cf spelling: moment 2017-10-22 20:39:14 +00:00
Josh Soref 148c1c0984 spelling: modification 2017-10-22 20:38:52 +00:00
Josh Soref 6bc784b95a spelling: missing 2017-10-22 20:37:31 +00:00
Josh Soref d275cce099 spelling: message 2017-10-22 20:34:22 +00:00
Josh Soref 5136659a59 spelling: maximum 2017-10-22 20:33:55 +00:00
Josh Soref 414816064f spelling: match 2017-10-22 20:33:00 +00:00
Josh Soref dcf96e43fa spelling: mapping 2017-10-22 20:32:45 +00:00
Josh Soref ea7d7bb644 spelling: many 2017-10-22 20:30:00 +00:00