If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.

This reverts the behavior of "useradd --root" to using the settings
from login.defs in the target root directory, not the root of the
executed useradd command.

Without this patch, PAM enabled builds crash when encountering an
invalid key in login.defs or key overrides because of array overflows.

To reproduce, simply
    useradd -K Windows=broken

Signed-off-by: Bernhard Rosenkränzer <bero@lindev.ch>
Signed-off-by: Serge Hallyn <serge@hallyn.com>

Previously, the allocation was optimized for an outdated
deployment style (that of /etc/group alongside nss_db). The issue
here is that this results in extremely poor performance when using
SSSD, Winbind or nss_ldap.

There were actually two serious bugs here that have been addressed:

1) Running getgrent() loops won't work in most SSSD or Winbind
   environments, as full group enumeration is disabled by default.
   This could easily result in auto-allocating a group that was
   already in use. (This might result in a security issue as well, if
   the shared GID is a privileged group).

2) For system groups, the loop was always iterating through the
   complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this
   means hundreds of round-trips to LDAP (unless the GIDs were
   specifically configured to be ignored by the SSSD or winbindd).
   To a user with a slow connection to their LDAP server, this would
   appear as if groupadd -r was hung. (Though it would eventually
   complete).

This patch changes the algorithm to be more favorable for LDAP
environments, at the expense of some performance when using nss_db.
Given that the DB is a local service, this should have a negligible
effect from a user's perspective.

With the new algorithm, we simply first iterate through all entries
in the local database with gr_next(), recording the IDs that are in
use. We then start from the highest presumed-available entry and
call getgrgid() to see if it is available. We continue this until
we come to the first unused GID. We then select that and return it.

If we make it through all the remaining IDs without finding a free
one, we start over from the beginning of the range and try to find
room in one of the gaps in the range.

The patch was originally written by Stephen Gallagher and applied
identically also to the user allocation by Tomáš Mráz.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
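
The allocation order described in the commit message above, as an added C sketch that is not the shadow project's code. The names pick_gid, remote_lookup and local_only and all GID values are hypothetical; a callback stands in for getgrgid(), and starting just above the highest locally recorded GID is one reading of "highest presumed-available entry".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef bool (*gid_in_use_fn)(unsigned gid); /* stands in for getgrgid(gid) != NULL */

static bool in_list(const unsigned *v, size_t n, unsigned gid)
{
    for (size_t i = 0; i < n; i++)
        if (v[i] == gid)
            return true;
    return false;
}

/* Constructed sample: GIDs that exist only in the directory (SSSD/Winbind/LDAP). */
static const unsigned remote_gids[] = { 1003, 1004, 1009 };
static bool remote_lookup(unsigned gid) { return in_list(remote_gids, 3, gid); }
/* Models trusting enumeration alone when the directory does not enumerate. */
static bool local_only(unsigned gid) { (void)gid; return false; }

/* Returns a free GID in [min, max], or 0 if none is left (assumes min > 0). */
unsigned pick_gid(const unsigned *local, size_t n, unsigned min, unsigned max,
                  gid_in_use_fn in_use)
{
    unsigned start = min;

    /* Step 1: walk the local database only (the gr_next() pass). */
    for (size_t i = 0; i < n; i++)
        if (local[i] >= start && local[i] <= max)
            start = local[i] + 1;
    /* Step 2: from the first presumed-free ID, confirm each one by lookup. */
    for (unsigned g = start; g >= min && g <= max; g++)
        if (!in_use(g))
            return g;
    /* Step 3: start over from the beginning of the range and try the gaps. */
    for (unsigned g = min; g < start && g <= max; g++)
        if (!in_list(local, n, g) && !in_use(g))
            return g;
    return 0;
}

int main(void)
{
    const unsigned local[] = { 1000, 1001, 1002 }; /* constructed /etc/group GIDs */
    printf("local only: %u\n", pick_gid(local, 3, 1000, 1010, local_only));
    printf("with lookup: %u\n", pick_gid(local, 3, 1000, 1010, remote_lookup));
    return 0;
}
```

With the per-candidate lookup the sketch skips 1003 and 1004, which the local-only run would have handed out even though the directory already uses them.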

The useradd application resets the user data in /var/log/faillog, if it
exists and a new user is created.
pam_tally2 is used in many distributions.
Check for /var/log/tallylog and reset the user there.
Patch was written by Josef Moellers <jmoellers@suse.de>.
https://bugzilla.suse.com/show_bug.cgi?id=980486

Otherwise we get build warnings like:
sgroupio.c:255:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]
shadowio.c:131:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]

Enable the automake feature to produce silent output by default.

When compiling code, we now see things like:
    $ make
      CC addgrps.o
      CC age.o
      CC audit_help.o
    ...

This can be disabled via configure's --disable-silent-rules or
by passing V=1 to make.

Custom output (like in the man subdirs) doesn't (yet) respect this
feature. More work will be needed to clean those up.

Since xz is fairly common nowadays, and is typically smaller/faster than
bzip2 for people to decompress, switch shadow over too. We also merge
the two init locations into configure.ac to match newer autotools style.
The min automake version is bumped to 1.11 too since that's when xz was
released.

The autoconf/automake guys want AC_INIT to be passed the details of the
package directly rather than going through AM_INIT_AUTOMAKE. Update them
both to use the newer style.
This also allows us to pass in contact details for the project.
We set the minimum autoconf version to 2.64 as that's the first one to
support passing the homepage URL in to AC_INIT. That's a pretty old
release by now, so it shouldn't be a problem.