Commit Graph

3005 Commits

Author SHA1 Message Date
Iker Pedrosa
f6f14a2a83 doc: add license
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-04-03 10:42:22 -05:00
Iker Pedrosa
29df94eb4a doc: add releases
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-04-03 10:42:22 -05:00
Iker Pedrosa
6ceddd9205 doc: add Continuous Integration
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-04-03 10:42:22 -05:00
Iker Pedrosa
77c6cc9857 doc: add tests
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-04-03 10:42:22 -05:00
Iker Pedrosa
d40c58dc3b doc: add coding style
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-04-03 10:42:22 -05:00
Iker Pedrosa
1f15ea5955 doc: add build & install
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-04-03 10:42:22 -05:00
Serge Hallyn
30f3ea4bd3 trivial: vipw.8: fix grammar
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2023-04-03 13:06:14 +02:00
Christian Göttsche
2eee4c67f5 sssd: skip flushing if executable does not exist
Avoid unnecessary syslog output, like:

    Apr 01 13:35:09 dlaptop userdel[45872]: userdel: sss_cache exited with status 1
    Apr 01 13:35:09 dlaptop userdel[45872]: userdel: Failed to flush the sssd cache.
2023-04-03 13:05:30 +02:00
Christian Göttsche
2eaea70111 Overhaul valid_field()
e5905c4b ("Added control character check") introduced checking for
control characters but had the logic inverted, so it rejects all
characters that are not control ones.

Cast the character to `unsigned char` before passing to the character
checking functions to avoid UB.

Use strpbrk(3) for the illegal character test and return early.
2023-03-31 09:53:40 -05:00
Martin Kletzander
a5f9ef8b7f semanage: Do not set default SELinux range
Both semanage and libsemanage actually set the user's mls range to the
default of the seuser, which makes more sense and removes a bit of code
for usermod and useradd.  More fine-grained details must always be set
with some other tool
(semanage) anyway.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2023-03-31 16:13:02 +02:00
Michael Vetter
b44d7f78e0 Fix typo in groupadd usage 2023-03-31 16:04:42 +02:00
Christian Göttsche
189a01f7a7 ci: update Differential ShellCheck
Run on pushes and drop unnecessary write access.

Should avoid pull-requests comments like
https://github.com/shadow-maint/shadow/pull/695#issuecomment-1491876950
2023-03-31 15:54:39 +02:00
tomspiderlabs
e5905c4b84 Added control character check
Added control character check, returning -1 (to "err") if control characters are present.
2023-03-30 19:23:00 -05:00
Mike Gilbert
bd2d0079c9 usermod: respect --prefix for --gid option
The --gid option accepts a group name or id. When a name is provided, it
is resolved to an id by looking up the name in the group database
(/etc/group).

The --prefix option overides the location of the passwd and group
databases. I suspect the --gid option was overlooked when wiring up the
--prefix option.

useradd --gid already respects --prefix; this change makes usermod
behave the same way.

Fixes: b6b2c756c9
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
2023-03-29 09:05:23 +02:00
Alejandro Colomar
4c210a29bc Fix su(1) silent truncation
*  src/su.c (check_perms): Do not silently truncate user name.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
1d7d94ed7d Simplify is_my_tty()
This commit will serve to document why we shouldn't worry about the
truncation in the call to strlcpy(3).  Since we have one more byte in
tmptty than in full_tty, truncation will produce a string that is at
least one byte longer than full_tty.  Such a string could never compare
equal, so we're actually handling the truncation in a clever way.  Maybe
too clever, but that's why I'm documenting it here.

Now, about the simplification itself:

Since we made sure that both full_tty and tmptty are null-terminated, we
can call strcmp(3) instead of strncmp(3).  We can also simplify the
return logic avoiding one branch.

Cc: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
e27ca53091 Fix is_my_tty() buffer overrun
*  libmisc/utmp.c (is_my_tty): Declare the parameter as a char array,
   not char *, as it is not necessarily null-terminated.
   Avoid a read overrun when reading 'tty', which comes from
   'ut_utname'.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
664d361fa5 Add STRLEN(): a constexpr strlen(3) for string literals
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Alejandro Colomar
03af2940f7 Fix crash with large timestamps
*  libmisc/date_to_str.c (date_to_str): Do not crash if gmtime(3)
   returns NULL because the timestamp is far in the future.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
ea3d49506f Prefer strcpy(3) to strlcpy(3) when either works
* lib/gshadow.c (sgetsgent): Use strcpy(3) not strlcpy(3),
since the string is known to fit.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
a926a26f0c Fix change_field() buffer underrun
* lib/fields.c (change_field): Don't point
before array start; that has undefined behavior.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
690ca8c238 Omit unneeded test in change_field()
* fields.c (change_field): Omit unnecessary test.

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
Paul Eggert
5686d9162e Simplify change_field() by using strcpy
* lib/fields.c (change_field): Since we know the string fits,
use strcpy(3) rather than strlcpy(3).

Signed-off-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-28 13:00:38 +02:00
skyler-ferrante
c089196e15 Fix null dereference in basename
On older kernels (<=linux-5.17), argv[0] can be null. Basename would
call strrchr with null if argc==0. Fixes issue #680
2023-03-27 10:10:37 -05:00
Iker Pedrosa
300d6ef45c CI: script for local container build
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
d4f31a5b3e CI: build project in containers
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
411a66476d container: add fedora
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
3efab2039f container: add debian
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
baff19767d container: add alpine
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-26 12:45:34 -05:00
Iker Pedrosa
53a4bda9ba SECURITY.md: add Iker Pedrosa
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-20 10:54:45 -05:00
Christian Göttsche
f2c4949707 selinux: use type safe function pointer assignment 2023-03-20 08:47:52 +01:00
Christian Göttsche
37bf59067f Use strict prototype in definition
gettime.c:25:30: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
    /*@observer@*/time_t gettime ()
                                 ^
                                  void
2023-03-20 08:47:52 +01:00
Vinícius dos Santos Oliveira
e638841f5a Add .editorconfig 2023-03-02 16:33:06 -06:00
Serge Hallyn
61ca915ac5 run_some: fix shellcheck warning
shellcheck warns against using echo with flags, as posix sh won't
support it.  It suggests using printf, so let's do that.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Serge Hallyn
6d03bbea96 fail on any run_some test failure
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Serge Hallyn
add4ab4bf0 ignore first test in run_some
bc github...

For some reason, the first test - ONLY on github - seems to not
give the '$ ' prompt expected when you spawn 'su testsuite'.
So just run the first test twice, and ignore the first failure.
2023-02-27 21:38:45 -06:00
Serge Hallyn
4da831c02f swap first two tests - does the first one still fail?
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Serge Hallyn
421c6cf951 tests: remove some github runner PATH tweaking
It messes with the expected results.

We can do better than this in the expect scripts, but let's
get things running for now.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-27 21:38:45 -06:00
Alejandro Colomar
a72065a108 tests: Support git-worktree(1)
git-worktree(1) uses a regular file for <.git>, instead of a directory.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-27 14:16:50 -06:00
Serge Hallyn
4445cee19d tests: newuidmap and newgidmap: update expected fail message
The failure message got changed, but the tests looking for it did
not.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 21:46:29 -06:00
Serge Hallyn
aa15bc445e libsubid: include alloc.h
Fixes: efbbcade43: Use safer allocation macros
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 21:27:02 -06:00
Serge Hallyn
9a9e163e71 run_some: log stderr
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 20:11:14 -06:00
Vinícius dos Santos Oliveira
05e2adf509 Validate fds created by the user
write_mapping() will do the following:

openat(proc_dir_fd, map_file, O_WRONLY);

An attacker could create a directory containing a symlink named
"uid_map" pointing to any file owned by root, and thus allow him to
overwrite any root-owned file.
2023-02-24 16:20:57 -06:00
Serge Hallyn
7ff33fae6f get_pidfd_from_fd: return -1 on error, not 0
Fixes: 6974df39a: newuidmap and newgidmap: support passing pid as fd
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 13:54:54 -06:00
Serge Hallyn
17efd59252 g-h-a workflow: workaround
Skip updating grub packages that are currently breaking
apt-get dist-upgrade.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 13:27:57 -06:00
Serge Hallyn
e4e3212122 Fix regression in some translation strings
Fixes: d80df2c8a: Update translation
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 12:56:05 -06:00
Iker Pedrosa
3b3d3e5cd4 lib: bit_ceil_wrapul(): stop recursion
It should call bit_ceilul() instead of itself.

Fixes: 0712b236c3 ("Add bit manipulation functions")
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-02-24 12:44:14 -06:00
Iker Pedrosa
21d88b4525 lib: define ULONG_WIDTH if non-existent
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-02-24 12:44:14 -06:00
maqi
d80df2c8a0 Update translation 2023-02-24 12:41:50 -06:00
Serge Hallyn
6974df39a7 newuidmap and newgidmap: support passing pid as fd
Closes #635

newuidmap and newgidmap currently take an integner pid as
the first argument, determining the process id on which to
act.  Accept also "fd:N", where N must be an open file
descriptor to the /proc/pid directory for the process to
act upon.  This way, if you

exec 10</proc/99
newuidmap fd:10 100000 0 65536

and pid 99 dies and a new process happens to take pid 99 before
newuidmap happens to do its work, then since newuidmap will use
openat() using fd 10, it won't change the mapping for the new
process.

Example:

// terminal 1:
serge@jerom ~/src/nsexec$ ./nsexec -W -s 0 -S 0 -U
about to unshare with 10000000
Press any key to exec (I am 129176)

// terminal 2:
serge@jerom ~/src/shadow$ exec 10</proc/129176
serge@jerom ~/src/shadow$ sudo chown root src/newuidmap src/newgidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newuidmap
serge@jerom ~/src/shadow$ sudo chmod u+s src/newgidmap
serge@jerom ~/src/shadow$ ./src/newuidmap fd:10 0 100000 10
serge@jerom ~/src/shadow$ ./src/newgidmap fd:10 0 100000 10

// Terminal 1:
uid=0(root) gid=0(root) groups=0(root)

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-02-24 12:35:49 -06:00