From 56a1b1be9d9b3661cc4f2ab036312d47892c4118 Mon Sep 17 00:00:00 2001 From: Lars Wendler Date: Tue, 21 Apr 2020 10:13:36 +0200 Subject: [PATCH] sys-apps/shadow: Security cleanup Bug: https://bugs.gentoo.org/702252 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Lars Wendler --- sys-apps/shadow/Manifest | 2 - .../shadow/files/shadow-4.7-optional_su.patch | 130 ---------- sys-apps/shadow/shadow-4.6.ebuild | 214 ---------------- sys-apps/shadow/shadow-4.7-r2.ebuild | 236 ------------------ 4 files changed, 582 deletions(-) delete mode 100644 sys-apps/shadow/files/shadow-4.7-optional_su.patch delete mode 100644 sys-apps/shadow/shadow-4.6.ebuild delete mode 100644 sys-apps/shadow/shadow-4.7-r2.ebuild diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest index 37a6f8d77683..c224c0d1a240 100644 --- a/sys-apps/shadow/Manifest +++ b/sys-apps/shadow/Manifest @@ -1,4 +1,2 @@ -DIST shadow-4.6.tar.gz 3804282 BLAKE2B 268c90e7daba138827aec6039f428f52cdcf7929743fa1f49f801cc669de7456ec5a69531194cdb29f051ce7d0b2f1e966fdf2513a9fc8f7fbdeb29d786a509f SHA512 36358333e7f03ef558772f3361bc5851a7d7fd3d85c993a6b732e37304b8068b2893d55607b9bfe8b8eed616a687264f947ff66cefc74ea1a48ba9396d464714 -DIST shadow-4.7.tar.gz 3833335 BLAKE2B 8e030d3dcc5eb76332ff76aad8e9141edb4ae660f56dd3b420968c538d3022a72ab620710b9274b9afb44f497399f5c4ceef339b7d2c52106b9b8368ff127654 SHA512 9b134dc90d8fb39bc72db69ddb78cef6263921c8a2f00abc00ac796bf468ac18393399920eec14bd2a78b814a06fc18eb6f5685ede13fe222fc66b2e411cbb01 DIST shadow-4.8.1.tar.xz 1611196 BLAKE2B 952707cdd55dc6c00dcbc60dbc3bf84ac618dbe916b36d993802b3ce42594de332a9bc22933a28881af3d317a340eab017ada55511b4e4fbc3ca6b422c4bc254 SHA512 780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b DIST shadow-4.8.tar.xz 1609060 BLAKE2B 9d0b515e40f45c0baf420ef7ffaf5b6dd7989b26c93fc6dd610876263ac22e61fbc2821649d347c28055ae84f64cd5ab5c2435450c55339c80b4ae5062ccc44f SHA512 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece diff --git a/sys-apps/shadow/files/shadow-4.7-optional_su.patch b/sys-apps/shadow/files/shadow-4.7-optional_su.patch deleted file mode 100644 index 472846460776..000000000000 --- a/sys-apps/shadow/files/shadow-4.7-optional_su.patch +++ /dev/null @@ -1,130 +0,0 @@ -From ddb0553b2e559fd431fe8b460c37cb7fef8c06ee Mon Sep 17 00:00:00 2001 -From: Lars Wendler -Date: Tue, 19 Nov 2019 10:57:06 +0100 -Subject: [PATCH] build: Make build/installation of su and its support files - optional - -Enabled by default -This is necessary because coreutils and util-linux can also provide su - -Signed-off-by: Lars Wendler ---- - configure.ac | 7 +++++++ - etc/pam.d/Makefile.am | 7 +++++-- - man/Makefile.am | 5 ++++- - src/Makefile.am | 10 ++++++++-- - 4 files changed, 24 insertions(+), 5 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 67625564..5629df98 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -286,6 +286,9 @@ AC_ARG_WITH(sssd, - AC_ARG_WITH(group-name-max-length, - [AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])], - [with_group_name_max_length=$withval], [with_group_name_max_length=yes]) -+AC_ARG_WITH(su, -+ [AC_HELP_STRING([--with-su], [build and install su program and man page @<:@default=yes@:>@])], -+ [with_su=$withval], [with_su=yes]) - - if test "$with_group_name_max_length" = "no" ; then - with_group_name_max_length=0 -@@ -313,6 +316,9 @@ if test "$with_sssd" = "yes"; then - [AC_MSG_ERROR([posix_spawn is needed for sssd support])]) - fi - -+AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])]) -+AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"]) -+ - dnl Check for some functions in libc first, only if not found check for - dnl other libraries. This should prevent linking libnsl if not really - dnl needed (Linux glibc, Irix), but still link it if needed (Solaris). -@@ -719,4 +725,5 @@ echo " nscd support: $with_nscd" - echo " sssd support: $with_sssd" - echo " subordinate IDs support: $enable_subids" - echo " use file caps: $with_fcaps" -+echo " install su: $with_su" - echo -diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am -index d967eb95..38ff26ae 100644 ---- a/etc/pam.d/Makefile.am -+++ b/etc/pam.d/Makefile.am -@@ -6,8 +6,7 @@ pamd_files = \ - chsh \ - groupmems \ - login \ -- passwd \ -- su -+ passwd - - pamd_acct_tools_files = \ - chage \ -@@ -29,4 +28,8 @@ pamd_DATA += $(pamd_acct_tools_files) - endif - endif - -+if WITH_SU -+pamd_files += su -+endif -+ - EXTRA_DIST = $(pamd_files) $(pamd_acct_tools_files) -diff --git a/man/Makefile.am b/man/Makefile.am -index 3f040e05..8b64feba 100644 ---- a/man/Makefile.am -+++ b/man/Makefile.am -@@ -41,7 +41,6 @@ man_MANS = \ - man1/sg.1 \ - man3/shadow.3 \ - man5/shadow.5 \ -- man1/su.1 \ - man5/suauth.5 \ - man8/useradd.8 \ - man8/userdel.8 \ -@@ -54,6 +53,10 @@ man_nopam = \ - man5/login.access.5 \ - man5/porttime.5 - -+if WITH_SU -+man_MANS += man1/su.1 -+endif -+ - if !USE_PAM - man_MANS += $(man_nopam) - endif -diff --git a/src/Makefile.am b/src/Makefile.am -index 34690ced..06ee9545 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -23,12 +23,15 @@ AM_CPPFLAGS = \ - # and installation would be much simpler (just two directories, - # $prefix/bin and $prefix/sbin, no install-data hacks...) - --bin_PROGRAMS = groups login su -+bin_PROGRAMS = groups login - sbin_PROGRAMS = nologin - ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd - if ENABLE_SUBIDS - ubin_PROGRAMS += newgidmap newuidmap - endif -+if WITH_SU -+bin_PROGRAMS += su -+endif - usbin_PROGRAMS = \ - chgpasswd \ - chpasswd \ -@@ -52,8 +55,11 @@ usbin_PROGRAMS = \ - # id and groups are from gnu, sulogin from sysvinit - noinst_PROGRAMS = id sulogin - --suidbins = su -+suidbins = - suidubins = chage chfn chsh expiry gpasswd newgrp -+if WITH_SU -+suidbins += su -+endif - if !WITH_TCB - suidubins += passwd - endif --- -2.24.0 - diff --git a/sys-apps/shadow/shadow-4.6.ebuild b/sys-apps/shadow/shadow-4.6.ebuild deleted file mode 100644 index 759aeb931840..000000000000 --- a/sys-apps/shadow/shadow-4.6.ebuild +++ /dev/null @@ -1,214 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -inherit libtool pam - -DESCRIPTION="Utilities to deal with user accounts" -HOMEPAGE="https://github.com/shadow-maint/shadow" -SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86" -IUSE="acl audit +cracklib nls pam selinux skey split-usr xattr" -# Taken from the man/Makefile.am file. -LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) - -RDEPEND="acl? ( sys-apps/acl:0= ) - audit? ( >=sys-process/audit-2.6:0= ) - cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) - pam? ( sys-libs/pam:0= ) - skey? ( sys-auth/skey:0= ) - selinux? ( - >=sys-libs/libselinux-1.28:0= - sys-libs/libsemanage:0= - ) - nls? ( virtual/libintl ) - xattr? ( sys-apps/attr:0= )" -DEPEND="${RDEPEND} - app-arch/xz-utils - nls? ( sys-devel/gettext )" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20150213 )" - -PATCHES=( - "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" -) - -src_prepare() { - default - #eautoreconf - elibtoolize -} - -src_configure() { - local myeconfargs=( - --without-group-name-max-length - --without-tcb - --enable-shared=no - --enable-static=yes - $(use_with acl) - $(use_with audit) - $(use_with cracklib libcrack) - $(use_with pam libpam) - $(use_with skey) - $(use_with selinux) - $(use_enable nls) - $(use_with elibc_glibc nscd) - $(use_with xattr attr) - ) - econf "${myeconfargs[@]}" - - has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 - - if use nls ; then - local l langs="po" # These are the pot files. - for l in ${LANGS[*]} ; do - has ${l} ${LINGUAS-${l}} && langs+=" ${l}" - done - sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die - fi -} - -set_login_opt() { - local comment="" opt=$1 val=$2 - if [[ -z ${val} ]]; then - comment="#" - sed -i \ - -e "/^${opt}\>/s:^:#:" \ - "${ED%/}"/etc/login.defs || die - else - sed -i -r \ - -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED%/}"/etc/login.defs - fi - local res=$(grep "^${comment}${opt}\>" "${ED%/}"/etc/login.defs) - einfo "${res:-Unable to find ${opt} in /etc/login.defs}" -} - -src_install() { - emake DESTDIR="${D}" suidperms=4711 install - - # Remove libshadow and libmisc; see bug 37725 and the following - # comment from shadow's README.linux: - # Currently, libshadow.a is for internal use only, so if you see - # -lshadow in a Makefile of some other package, it is safe to - # remove it. - rm -f "${ED%/}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la} - - insinto /etc - if ! use pam ; then - insopts -m0600 - doins etc/login.access etc/limits - fi - - # needed for 'useradd -D' - insinto /etc/default - insopts -m0600 - doins "${FILESDIR}"/default/useradd - - if use split-usr ; then - # move passwd to / to help recover broke systems #64441 - dodir /bin - mv "${ED%/}"/usr/bin/passwd "${ED%/}"/bin/ || die - dosym ../../bin/passwd /usr/bin/passwd - fi - - cd "${S}" || die - insinto /etc - insopts -m0644 - newins etc/login.defs login.defs - - set_login_opt CREATE_HOME yes - if ! use pam ; then - set_login_opt MAIL_CHECK_ENAB no - set_login_opt SU_WHEEL_ONLY yes - set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict - set_login_opt LOGIN_RETRIES 3 - set_login_opt ENCRYPT_METHOD SHA512 - set_login_opt CONSOLE - else - dopamd "${FILESDIR}"/pam.d-include/shadow - - for x in chpasswd chgpasswd newusers; do - newpamd "${FILESDIR}"/pam.d-include/passwd ${x} - done - - for x in chage chsh chfn \ - user{add,del,mod} group{add,del,mod} ; do - newpamd "${FILESDIR}"/pam.d-include/shadow ${x} - done - - # comment out login.defs options that pam hates - local opt sed_args=() - for opt in \ - CHFN_AUTH \ - CONSOLE \ - CRACKLIB_DICTPATH \ - ENV_HZ \ - ENVIRON_FILE \ - FAILLOG_ENAB \ - FTMP_FILE \ - LASTLOG_ENAB \ - MAIL_CHECK_ENAB \ - MOTD_FILE \ - NOLOGINS_FILE \ - OBSCURE_CHECKS_ENAB \ - PASS_ALWAYS_WARN \ - PASS_CHANGE_TRIES \ - PASS_MIN_LEN \ - PORTTIME_CHECKS_ENAB \ - QUOTAS_ENAB \ - SU_WHEEL_ONLY - do - set_login_opt ${opt} - sed_args+=( -e "/^#${opt}\>/b pamnote" ) - done - sed -i "${sed_args[@]}" \ - -e 'b exit' \ - -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ - -e ': exit' \ - "${ED%/}"/etc/login.defs || die - - # remove manpages that pam will install for us - # and/or don't apply when using pam - find "${ED%/}"/usr/share/man \ - '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ - -delete - - # Remove pam.d files provided by pambase. - rm "${ED%/}"/etc/pam.d/{login,passwd,su} || die - fi - - # Remove manpages that are handled by other packages - find "${ED%/}"/usr/share/man \ - '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \ - -delete - - cd "${S}" || die - dodoc ChangeLog NEWS TODO - newdoc README README.download - cd doc || die - dodoc HOWTO README* WISHLIST *.txt -} - -pkg_preinst() { - rm -f "${EROOT}"/etc/pam.d/system-auth.new \ - "${EROOT}/etc/login.defs.new" -} - -pkg_postinst() { - # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT}" 2>/dev/null ; then - grpconv -R "${EROOT}" - else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" - ewarn "run 'grpconv' afterwards!" - fi - fi - - einfo "The 'adduser' symlink to 'useradd' has been dropped." -} diff --git a/sys-apps/shadow/shadow-4.7-r2.ebuild b/sys-apps/shadow/shadow-4.7-r2.ebuild deleted file mode 100644 index f30ee5ed23c7..000000000000 --- a/sys-apps/shadow/shadow-4.7-r2.ebuild +++ /dev/null @@ -1,236 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit autotools libtool pam - -DESCRIPTION="Utilities to deal with user accounts" -HOMEPAGE="https://github.com/shadow-maint/shadow" -SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" -IUSE="acl audit +cracklib nls pam selinux skey split-usr +su xattr" -# Taken from the man/Makefile.am file. -LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) - -BDEPEND=" - app-arch/xz-utils - sys-devel/gettext -" -COMMON_DEPEND=" - acl? ( sys-apps/acl:0= ) - audit? ( >=sys-process/audit-2.6:0= ) - cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) - nls? ( virtual/libintl ) - pam? ( sys-libs/pam:0= ) - skey? ( sys-auth/skey:0= ) - selinux? ( - >=sys-libs/libselinux-1.28:0= - sys-libs/libsemanage:0= - ) - xattr? ( sys-apps/attr:0= ) -" -DEPEND="${COMMON_DEPEND} - >=sys-kernel/linux-headers-4.14 -" -RDEPEND="${COMMON_DEPEND} - pam? ( >=sys-auth/pambase-20150213 ) - su? ( !sys-apps/util-linux[su(-)] ) -" - -PATCHES=( - "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" - "${FILESDIR}/${PN}-4.7-optional_su.patch" -) - -src_prepare() { - default - eautoreconf - #elibtoolize -} - -src_configure() { - local myeconfargs=( - --with-btrfs - --without-group-name-max-length - --without-tcb - --enable-shared=no - --enable-static=yes - $(use_enable nls) - $(use_with acl) - $(use_with audit) - $(use_with cracklib libcrack) - $(use_with elibc_glibc nscd) - $(use_with pam libpam) - $(use_with selinux) - $(use_with skey) - $(use_with su) - $(use_with xattr attr) - ) - econf "${myeconfargs[@]}" - - has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 - - if use nls ; then - local l langs="po" # These are the pot files. - for l in ${LANGS[*]} ; do - has ${l} ${LINGUAS-${l}} && langs+=" ${l}" - done - sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die - fi -} - -set_login_opt() { - local comment="" opt=$1 val=$2 - if [[ -z ${val} ]]; then - comment="#" - sed -i \ - -e "/^${opt}\>/s:^:#:" \ - "${ED}"/etc/login.defs || die - else - sed -i -r \ - -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/etc/login.defs - fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) - einfo "${res:-Unable to find ${opt} in /etc/login.defs}" -} - -src_install() { - emake DESTDIR="${D}" suidperms=4711 install - - # Remove libshadow and libmisc; see bug 37725 and the following - # comment from shadow's README.linux: - # Currently, libshadow.a is for internal use only, so if you see - # -lshadow in a Makefile of some other package, it is safe to - # remove it. - rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la} - - insinto /etc - if ! use pam ; then - insopts -m0600 - doins etc/login.access etc/limits - fi - - # needed for 'useradd -D' - insinto /etc/default - insopts -m0600 - doins "${FILESDIR}"/default/useradd - - if use split-usr ; then - # move passwd to / to help recover broke systems #64441 - # We cannot simply remove this or else net-misc/scponly - # and other tools will break because of hardcoded passwd - # location - dodir /bin - mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die - dosym ../../bin/passwd /usr/bin/passwd - fi - - cd "${S}" || die - insinto /etc - insopts -m0644 - newins etc/login.defs login.defs - - set_login_opt CREATE_HOME yes - if ! use pam ; then - set_login_opt MAIL_CHECK_ENAB no - set_login_opt SU_WHEEL_ONLY yes - set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict - set_login_opt LOGIN_RETRIES 3 - set_login_opt ENCRYPT_METHOD SHA512 - set_login_opt CONSOLE - else - dopamd "${FILESDIR}"/pam.d-include/shadow - - for x in chpasswd chgpasswd newusers; do - newpamd "${FILESDIR}"/pam.d-include/passwd ${x} - done - - for x in chage chsh chfn \ - user{add,del,mod} group{add,del,mod} ; do - newpamd "${FILESDIR}"/pam.d-include/shadow ${x} - done - - # comment out login.defs options that pam hates - local opt sed_args=() - for opt in \ - CHFN_AUTH \ - CONSOLE \ - CRACKLIB_DICTPATH \ - ENV_HZ \ - ENVIRON_FILE \ - FAILLOG_ENAB \ - FTMP_FILE \ - LASTLOG_ENAB \ - MAIL_CHECK_ENAB \ - MOTD_FILE \ - NOLOGINS_FILE \ - OBSCURE_CHECKS_ENAB \ - PASS_ALWAYS_WARN \ - PASS_CHANGE_TRIES \ - PASS_MIN_LEN \ - PORTTIME_CHECKS_ENAB \ - QUOTAS_ENAB \ - SU_WHEEL_ONLY - do - set_login_opt ${opt} - sed_args+=( -e "/^#${opt}\>/b pamnote" ) - done - sed -i "${sed_args[@]}" \ - -e 'b exit' \ - -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ - -e ': exit' \ - "${ED}"/etc/login.defs || die - - # remove manpages that pam will install for us - # and/or don't apply when using pam - find "${ED}"/usr/share/man -type f \ - '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ - -delete - - # Remove pam.d files provided by pambase. - rm "${ED}"/etc/pam.d/{login,passwd} || die - if use su ; then - rm "${ED}"/etc/pam.d/su || die - fi - fi - - # Remove manpages that are handled by other packages - find "${ED}"/usr/share/man \ - '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \ - -delete - - cd "${S}" || die - dodoc ChangeLog NEWS TODO - newdoc README README.download - cd doc || die - dodoc HOWTO README* WISHLIST *.txt -} - -pkg_preinst() { - rm -f "${EROOT}"/etc/pam.d/system-auth.new \ - "${EROOT}/etc/login.defs.new" -} - -pkg_postinst() { - # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT}" 2>/dev/null ; then - grpconv -R "${EROOT}" - else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" - ewarn "run 'grpconv' afterwards!" - fi - fi - - [[ ! -f "${EROOT}"/etc/subgid ]] && - touch "${EROOT}"/etc/subgid - [[ ! -f "${EROOT}"/etc/subuid ]] && - touch "${EROOT}"/etc/subuid - - einfo "The 'adduser' symlink to 'useradd' has been dropped." -} -- 2.26.2