66b1a59efe
spelling: cumulative
2017-10-22 18:33:13 +00:00
bd4750126b
spelling: created
2017-10-22 08:23:57 +00:00
0fba6bd347
spelling: conversation
2017-10-22 18:32:19 +00:00
eb9db854d7
spelling: constraints
2017-10-22 21:07:23 +00:00
7d68d59cc2
spelling: configuration
2017-10-22 18:31:51 +00:00
f9311ba61d
spelling: conditionally
2017-10-22 18:31:24 +00:00
60d2888605
spelling: comment
2017-10-22 18:25:35 +00:00
c2ada4c306
spelling: command
2017-10-22 18:25:46 +00:00
310ef194a1
spelling: close
2017-10-22 18:25:14 +00:00
daf30eff79
spelling: chpasswd
2017-10-22 18:23:41 +00:00
a90585f1d6
spelling: checking
2017-10-22 18:22:12 +00:00
4be6d423e4
spelling: changed
2017-10-22 08:24:23 +00:00
2db724bc50
spelling: change
2017-10-22 08:24:59 +00:00
452b9c26e4
spelling: categories
2017-10-22 08:08:07 +00:00
d0c05b0143
spelling: cannot
2017-10-22 08:05:45 +00:00
36aeb4e9ee
spelling: built
2017-10-22 18:41:48 +00:00
f8d4b66edd
spelling: better
2017-10-22 08:05:08 +00:00
483de7d614
spelling: beginning
2017-10-22 08:04:51 +00:00
a95ed40bf0
spelling: available
2017-10-22 08:02:00 +00:00
686efcfcb1
spelling: attributes
2017-10-22 07:59:41 +00:00
bd6f2760a3
spelling: at the
2017-10-22 08:00:59 +00:00
15631009b4
spelling: applied
2017-10-22 07:57:56 +00:00
8eb822ebf3
spelling: anonymous
2017-10-22 07:56:49 +00:00
aa95b1b763
spelling: always
2017-10-22 07:56:16 +00:00
92e3a5e386
spelling: allowed
2017-10-22 07:56:05 +00:00
4c22dcfbfd
spelling: address
2017-10-22 07:55:43 +00:00
4f459198db
spelling: account
2017-10-22 07:52:04 +00:00
c53e4c1d77
Merge pull request #97 from cyphar/newgidmap-secure-setgroups
...
newgidmap: enforce setgroups=deny if self-mapping a group
2018-02-16 08:40:39 -06:00
6d8be68071
README: add Aleksa Sarai to author list
...
Signed-off-by: Aleksa Sarai <asarai@suse.de >
2018-02-16 17:56:36 +11:00
fb28c99b8a
newgidmap: enforce setgroups=deny if self-mapping a group
...
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.
This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).
We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".
Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com >
Signed-off-by: Aleksa Sarai <asarai@suse.de >
2018-02-16 17:56:35 +11:00
c0f0c67864
Merge pull request #92 from IronicBadger/master
...
Fixes mispelling of MAX_DAYS help text
2018-01-18 22:42:12 -06:00
e91b0f0517
Fixes mispelling of MAX_DAYS help text
2018-01-17 12:21:48 +00:00
3f1f999e2d
Merge pull request #90 from t8m/userdel-chroot
...
Make userdel to work with -R.
2018-01-08 22:57:43 -06:00
c63bc6bfaa
Merge pull request #91 from kloeri/master
...
Add note to passwd(1) that --maxdays -1 disables the setting.
2018-01-08 22:56:23 -06:00
a54907dce3
Add note to passwd(1) that --maxdays -1 disables the setting.
...
This note already exists in chage(1).
2018-01-03 18:36:40 +01:00
2c57c399bf
Make userdel to work with -R.
...
The userdel checks for users with getpwnam() which might not work
properly in chroot. Check for the user's presence in local files only.
2017-12-21 09:12:58 +01:00
056f7352ef
Merge pull request #86 from WheresAlice/master
...
Make language more inclusive
2017-10-06 17:47:31 -05:00
0c2939b331
Merge pull request #82 from t8m/ingroup
...
newgrp: avoid unnecessary group lookups
2017-10-06 17:45:31 -05:00
68e3d685fd
Merge pull request #84 from jubalh/mentionman
...
Add note about conditional man pages
2017-10-06 17:43:47 -05:00
0209d3f185
Merge pull request #85 from jubalh/nosilent
...
Add warning when turning off man switch
2017-09-29 10:08:47 -05:00
ef6890c31d
Add error when turning off man switch
...
Print a warning and abort in case xsltproc is missing.
2017-09-29 11:01:39 +02:00
1e98b3b559
Make language less binary
2017-09-20 17:00:29 +01:00
223238d265
Add note about conditional man pages
...
Closes https://github.com/shadow-maint/shadow/issues/83
2017-09-08 22:14:17 +02:00
33f1f69e9c
newgrp: avoid unnecessary group lookups
...
In case a system uses remote identity server (LDAP) the group lookup
can be very slow. We avoid it when we already know the user has the
group membership.
2017-08-14 11:38:46 +02:00
fb04f2723a
nl.po: fix some missing newlines
...
Signed-off-by: Serge Hallyn <serge@hallyn.com >
2017-07-16 17:09:00 -05:00
78d4265f65
Import new Dutch translations.
...
Thanks to Frans Spiesschaert.
Signed-off-by: Serge Hallyn <serge@hallyn.com >
2017-07-16 16:46:21 -05:00
c2aed5345e
update changelog for last commit
2017-07-10 21:52:02 -05:00
2392894eb0
add error constant names to groupmod.8.xml This assists someone wanting to work out what may have caused the error
2017-07-10 21:50:49 -05:00
59fa2c0763
implement and document additional error codes for groupmod add E_CLEANUP_SERVICE, E_PAM_USERNAME, E_PAM_ERROR to groupmod.c and groupmod.8.xml
2017-07-10 21:50:49 -05:00
7081b2df85
Merge pull request #74 from AdamMajer/upstream
...
support dynamically added users via pam_group
2017-06-15 22:41:25 -05:00
