Commit Graph

483 Commits

Author SHA1 Message Date
Serge Hallyn
4abcbb056e Fix broken docbook translations
its by default does not support xml tags inside translatable
units.  Use custom its rules from

https://www.w3.org/TR/xml-i18n-bp/#relating-docbook-plus-its

to enable the tags which are in use by docbook.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-05-10 09:15:53 +02:00
Alejandro Colomar
0c4fa6ee0a libmisc, man: Drop old check and advice for complex character sets in passwords
Add the relevant XKCD to the passwd(1) manual page.  It already explains
most of the rationale behind this patch.

Add also reference to makepasswd(1), which is a good way to generate
strong passwords.  Personally, I commonly run `makepasswd --chars 64` to
create my passwords, or 32 for passwords I need to type interactively
often.

The strength of a password is an exponential formula, where the base is
the size of the character set, and the exponent is the length of the
password.  That already shows why long passwords of just lowercase
letters are better than short Pa$sw0rdZ3.  But an even more important
point is that humans, when forced to use symbols in a password, are more
likely to do trivial substitutions on simple passwords, which doesn't
increase strength, and can instead give a false sense of strength, which
is dangerous.

Closes: <https://github.com/shadow-maint/shadow/issues/688>
Link: <https://xkcd.com/936/>
Cc: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-04-27 09:16:08 +02:00
lilinjie
15a64f9e7f fix typos
Signed-off-by: lilinjie <lilinjie@uniontech.com>
2023-04-26 17:35:58 -05:00
Christian Göttsche
c80788a3ac useradd/usermod: add --selinux-range argument
Add a command line argument to useradd(8) and usermod(8) to specify the
MLS range for a SELinux user mapping.

Improves: #676
2023-04-19 09:19:19 +02:00
Serge Hallyn
30f3ea4bd3 trivial: vipw.8: fix grammar
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2023-04-03 13:06:14 +02:00
Serge Hallyn
6974df39a7 newuidmap and newgidmap: support passing pid as fd
Closes #635

newuidmap and newgidmap currently take an integner pid as
the first argument, determining the process id on which to
act.  Accept also "fd:N", where N must be an open file
descriptor to the /proc/pid directory for the process to
act upon.  This way, if you

exec 10</proc/99
newuidmap fd:10 100000 0 65536

and pid 99 dies and a new process happens to take pid 99 before
newuidmap happens to do its work, then since newuidmap will use
openat() using fd 10, it won't change the mapping for the new
process.

Example:

// terminal 1:
serge@jerom ~/src/nsexec$ ./nsexec -W -s 0 -S 0 -U
about to unshare with 10000000
Press any key to exec (I am 129176)

// terminal 2:
serge@jerom ~/src/shadow$ exec 10</proc/129176
serge@jerom ~/src/shadow$ sudo chown root src/newuidmap src/newgidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newuidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newgidmap
serge@jerom ~/src/shadow$ ./src/newuidmap fd:10 0 100000 10
serge@jerom ~/src/shadow$ ./src/newgidmap fd:10 0 100000 10

// Terminal 1:
uid=0(root) gid=0(root) groups=0(root)

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 12:35:49 -06:00
Martin Kletzander
ca9e309d30 Fix VPATH build
When trying to build shadow in a different directory I stumbled upon few
issues, this commit aims to fix all of them:

- The `subid.h` file is generated and hence in the build directory and
	not in the source directory, so use `$(builddir)` instead of
	`$(srcdir)`.

- Using `$<` instead of filenames utilises autotools to locate the files
  in either the source or build directory automatically.

- `xsltproc` needs to access the files in login.defs.d in either the
  source directory or the symlink in a language subdirectory, but it
	does not interpret the `--path` as prefix of the entity path, but
	rather a path under which to locate the basename of the entity
	from the XML file.  So specify the whole path to login.defs.d.

- The above point could be used to make the symlinks of login.defs.d
  and entity path specifications in the XMLs obsolete, but I trying
	not to propose possibly disrupting patches, so for the sake of
	simplicity just specify `$(srcdir)` when creating the symlink.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2023-02-13 10:01:17 +01:00
Serge Hallyn
1058872a0b Improve TTYGROUP description in login.defs manpage
Closes #457

The existing prose was confusing, or simply wrong.  Make it clear
that only the group ownership of the tty is affected, and how.
Also move the paragraph about defaults after the discussion of
acceptable TTYGROUPs, as this seems more natural.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-02 22:03:45 -06:00
Stefan Schubert
a27d5c51f1 Supporting vendor given -shells- configuration file 2023-01-26 22:45:32 -06:00
Samanta Navarro
b312bc0b4d Fix typos
Typos found with codespell.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2023-01-26 22:44:39 -06:00
ed neville
65470e5c7d changing lock mechanism
Systems can suffer power interruptions whilst .lock files are in /etc,
preventing scripts and other automation tools from updating shadow's
files which persist across boots.

This commit replaces that mechanism with file locking to avoid problems
of power interruption/crashing.

Minor tweak to groupmems man page, requested by 'xx' on IRC.

Signed-off-by: ed neville <ed@s5h.net>
2022-12-29 13:58:49 -06:00
Andy Zaugg
e8d2bc8d8b Allow supplementary groups to be added via config file
Allow supplementary groups to be set via the /etc/default/useradd config
file. Allowing an administrator to set additonal groups via the GROUPS
configurable and control the default behaviour of useradd.
2022-11-18 15:10:56 -06:00
Iker Pedrosa
1e5f9a72b0 man: add missing space in useradd.8.xml
Resolves: https://github.com/shadow-maint/shadow/issues/580

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-10-07 12:35:35 +02:00
Alexander Kanavin
cfc981df2a shadow: use relaxed usernames
The groupadd from shadow does not allow upper case group names, the
same is true for the upstream shadow. But distributions like
Debian/Ubuntu/CentOS has their own way to cope with this problem,
this patch is picked up from Fedora [1] to relax the usernames
restrictions to allow the upper case group names, and the relaxation is
POSIX compliant because POSIX indicate that usernames are composed of
characters from the portable filename character set [A-Za-z0-9._-].

[1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
2022-09-02 20:27:14 -05:00
Tim Biermann
eb3562f3c0 useradd.8.xml: fix default group id from 100 to 1000 according to bbf4b79 2022-08-21 13:17:38 -05:00
Serge Hallyn
68bf7189e0 uk has no limits.5 translation
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-08-12 13:24:24 -05:00
Serge Hallyn
ef79a4d8c8 Add uk to list of man subdirs
Closes #547

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-08-12 13:24:24 -05:00
Celeste Liu
6448da507e libmisc/root_flag: add tips for --root flag only support abspath
- Add tips in error message.
- Add tips in man.
- Add zh_CN and zh_TW for tips.

Signed-off-by: Celeste Liu <coelacanthus@outlook.com>
2022-08-06 15:04:06 -05:00
Jeremy Whiting
b5aba2624b Fix E_NAME_IN_USE documentation.
Since code gives this error if username or group name is already
used the documentation should reflect that.
2022-08-06 11:10:54 -05:00
Masatake YAMATO
3f7a72e967 useradd: add -F option for updating /etc/sub[ig]id for system accounts
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2022-08-01 15:45:10 +02:00
Masatake YAMATO
62d99ee3fc man (useradd): add a note about -r option and /etc/subuid and subgid
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2022-07-15 09:42:21 +02:00
Alexander Zhang
ad4ab16559 Fix typo 2022-07-08 09:34:40 +02:00
Yuri Chornoivan
f4cf8fe51c Complete Ukrainian translation 2022-05-24 07:52:36 -05:00
Yuri Chornoivan
a83533d97d Update Ukrainian translation 2022-05-24 07:52:36 -05:00
Yuri Chornoivan
b372b8a3be Add Ukrainian translation for man pages 2022-05-24 07:52:36 -05:00
Iker Pedrosa
edf5ea7974 man: correct "badname" option
Change "badnames" to "badname" as this is the accepted option name.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2022-05-06 10:13:51 -05:00
Adam Sampson
c9015a7e58 Fix syntax error in usermod man source.
Signed-off-by: Adam Sampson <ats@offog.org>
2022-03-07 19:39:49 -06:00
Markus Hiereth
3a091d5def Improve groupadd and useradd manpage
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-03-06 18:48:22 -06:00
Markus Hiereth
5f88f2cca7 update useradd homepage
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-03-06 18:37:39 -06:00
Markus Hiereth
2f30d235c2 Manpage improvements for usermod
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-03-06 18:12:13 -06:00
Markus Hiereth
10b2e1e7c5 Improve groups and id manpages
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-03-06 18:00:20 -06:00
Markus Hiereth
b3ce696f36 Improve pwck manpage
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2022-03-06 17:53:02 -06:00
Serge Hallyn
726abe8a32 configure.ac: fix occurance of with-pam (should be with-libpam)
Closes #500

Reported-by: dpa-github@aegee.org
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2022-02-04 12:28:18 -06:00
Serge Hallyn
e8a2cfa7dc
Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
Serge Hallyn
f93cf255d4 Update licensing info
Closes #238

Update all files to list SPDX license shortname.  Most files are
BSD 3 clause license.

The exceptions are:

serge@sl ~/src/shadow$ git grep SPDX-License | grep -v BSD-3-Clause
contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause
lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD
libmisc/salt.c: * SPDX-License-Identifier: Unlicense
src/login_nopam.c: * SPDX-License-Identifier: Unlicense
src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause
src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-23 19:36:50 -06:00
Andy Zaugg
aaaaf21b6f Adding new option -rG to usermod
Adding a new switch -rG, which provides a similar feature set to
-aG, allowing a person to list exactly what groups to remove a
user from.

https://github.com/shadow-maint/shadow/issues/337
2021-12-13 21:42:48 -08:00
Iker Pedrosa
585b6f00f5 man: getsubids define -h
Define -h option behaviour in getsubids man page.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-12-10 16:14:13 +01:00
Serge Hallyn
445e97ba7c Update email address for Julie Haugh 2021-12-04 22:20:23 -06:00
Iker Pedrosa
3b6ccf642c getsubids: system binary for user's sub*ids
Rename list_subid_ranges to getsubids to provide a system binary to
check the sub*ids of a user. The intention is to provide this binary
with any distribution that includes the subid feature, so that system
administrators can check the subid ranges of a given user.

Finally, add a man page to explain the behaviour of getsubids.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1980780

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-11-17 16:35:50 +01:00
Serge Hallyn
33f85e93a1 manpages: fix 'File Formats and Conversions"
Closes #416

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-10-15 16:28:12 -05:00
Andy Zaugg
7e2b522a15 Added a new configurable LOG_INIT to useradd
In some circumstances I want the default behaviour of useradd to
not add user entries to the lastlog and faillog databases. Allowing
this options behaviour to be controlled by the config file
/etc/default/useradd.
2021-10-15 16:20:52 -05:00
Andy Zaugg
d7e2bd6fe1 Added documentation around CREATE_MAIL_SPOOL
Adding documentation aroud the parameter CREATE_MAIL_SPOOL in the
/etc/default/useradd file
2021-10-15 16:20:52 -05:00
Serge Hallyn
02b200c9aa man/po/Makefile.in: switch from xml2po to itstool
xml2po is deprecated.  We've previously replaced xml2po with
itstool in man/generate_translations.mak, but there was still
an instance of it that only is exercised for 'make dist'.
Update that one.  Now 'make dist' succeeds on a ubuntu focal
or newer host where xml2po is not available.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-08-14 14:51:08 -05:00
Serge Hallyn
5939e066db
Merge pull request #353 from ikerexxe/man_subid
man: improve subid documentation
2021-06-22 09:20:11 -05:00
Iker Pedrosa
0faec51bf0 man: definition and configuration of subid
Define the subid functionality and explain the way to configure its
delegation.
2021-06-16 12:25:06 +02:00
Iker Pedrosa
68ebbf9360 man: clarify subid delegation behaviour
Following the discussion https://github.com/shadow-maint/shadow/pull/345
I have changed the documentation to clarify the behaviour of subid
delegation when any subid source except files is configured.
2021-06-15 09:25:48 +02:00
tzccinct
83db204477 man: use the consistent value 0 to disable PASS_MIN_DAYS restriction 2021-06-12 12:55:57 +09:00
Iker Pedrosa
d5b15f8633 man: clarify subid delegation
Clarify that the subid delegation can only come from one source.
Moreover, add an example of what might happen if the subid source is NSS
and useradd is executed.

Related: https://github.com/shadow-maint/shadow/issues/331
2021-05-24 12:43:40 +02:00
Iker Pedrosa
b8cbc2c113 login.defs: include HMAC_CRYPTO_ALGO key
Include the new HMAC_CRYPTO_ALGO key that is needed by pam_timestamp to
select the algorithm that is going to be used to calculate the message
authentication code.

pam_timestamp is currently using an embedded algorithm to calculate the
HMAC message, but the idea is to improve this behaviour by relying on
openssl's implementation. On top of that, the ability to change the
algorithm with a simple configuration change allows to simplify the
process of removing unsecure algorithms.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
2021-05-06 17:31:53 +02:00
Serge Hallyn
186b1b7ac1 manpages: mention NSS in new[ug]idmap manpages
Closes #328

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-04 14:39:26 -05:00