Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shadow for openSUSE:Factory checked in at 2021-11-21 23:51:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shadow (Old) and /work/SRC/openSUSE:Factory/.shadow.new.1895 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadow" Sun Nov 21 23:51:28 2021 rev:45 rq:932263 version:4.9 Changes: -------- --- /work/SRC/openSUSE:Factory/shadow/shadow.changes 2021-09-22 22:12:47.508314781 +0200 +++ /work/SRC/openSUSE:Factory/.shadow.new.1895/shadow.changes 2021-11-21 23:51:38.722356755 +0100 @@ -1,0 +2,41 @@ +Thu Nov 18 13:46:03 UTC 2021 - Michael Vetter <[email protected]> + +- Fix segfaults in newgrp and pwck + * Add shadow-4.9-newgrp-segfault.patch + https://github.com/shadow-maint/shadow/pull/437 + * Add shadow-4.9-pwck-segfault.patch + https://github.com/shadow-maint/shadow/pull/445 + +------------------------------------------------------------------- +Tue Nov 16 15:58:46 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * shadow.service + +------------------------------------------------------------------- +Tue Nov 9 01:39:44 UTC 2021 - Stanislav Brabec <[email protected]> + +- shadow-util-linux.patch: + * Remove the section patching lib/getdef.c in favor of the + upstream FOREIGNDEFS. + * Add LOGIN_KEEP_USERNAME to login.defs. + * Remove PREVENT_NO_AUTH from login.defs. Only used by the + unpackaged login and su. +- shadow-login_defs-unused-by-pam.patch: + * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS, + YESCRYPT_COST_FACTOR, not supported by the current + configuratiton. +- Update login_defs-support-for-pam symbol to version 1.5.2 + (support for new variable HMAC_CRYPTO_ALGO). +- Update login_defs-support-for-util-linux to version 2.37 + (support for new variable LOGIN_KEEP_USERNAME). +- Refresh shadow-login_defs-comments.patch and + shadow-login_defs-suse.patch. +- Improve shadow-login_defs-check.sh: + * Add helper to import local new version in the parent dir. + * Fix spec editing sed expression. + * Add PREVENT_NO_AUTH to known unused variables. + * Update pam sed expression to find HMAC_CRYPTO_ALGO. + * Add more sanity checks. + +------------------------------------------------------------------- New: ---- shadow-4.9-newgrp-segfault.patch shadow-4.9-pwck-segfault.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shadow.spec ++++++ --- /var/tmp/diff_new_pack.6pnoVk/_old 2021-11-21 23:51:39.410354537 +0100 +++ /var/tmp/diff_new_pack.6pnoVk/_new 2021-11-21 23:51:39.410354537 +0100 @@ -71,6 +71,10 @@ Patch14: shadow-4.9-sgent-free.patch # PATCH-FIX-UPSTREAM shadow-4.9-useradd-subuid.patch [email protected] -- Fix generating empty subid range and undeclared subid_count (boo#1190146) Patch15: shadow-4.9-useradd-subuid.patch +# PATCH-FIX-UPSTREAM shadow-4.9-newgrp-segfault.patch [email protected] -- Fix segfault in newgrp (gh#437) +Patch16: shadow-4.9-newgrp-segfault.patch +# PATCH-FIX-UPSTREAM shadow-4.9-pwck-segfault.patch [email protected] -- Fix segfault in pwck (gh#445) +Patch17: shadow-4.9-pwck-segfault.patch BuildRequires: audit-devel > 2.3 BuildRequires: autoconf BuildRequires: automake @@ -107,8 +111,8 @@ # encryption_method_nis.patch has to be ported! # Call shadow-login_defs-check.sh before! Group: System/Base -Provides: login_defs-support-for-pam = 1.3.1 -Provides: login_defs-support-for-util-linux = 2.36 +Provides: login_defs-support-for-pam = 1.5.2 +Provides: login_defs-support-for-util-linux = 2.37 BuildArch: noarch %description -n login_defs @@ -150,6 +154,8 @@ %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 +%patch17 -p1 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO ++++++ shadow-4.9-newgrp-segfault.patch ++++++ https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948 Index: shadow-4.9/src/newgrp.c =================================================================== --- shadow-4.9.orig/src/newgrp.c +++ shadow-4.9/src/newgrp.c @@ -163,8 +163,8 @@ static void check_perms (const struct gr spwd = xgetspnam (pwd->pw_name); if (NULL != spwd) { pwd->pw_passwd = xstrdup (spwd->sp_pwdp); + spw_free (spwd); } - spw_free (spwd); if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) { needspasswd = true; ++++++ shadow-4.9-pwck-segfault.patch ++++++ https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f Index: shadow-4.9/src/pwck.c =================================================================== --- shadow-4.9.orig/src/pwck.c +++ shadow-4.9/src/pwck.c @@ -857,6 +857,7 @@ int main (int argc, char **argv) * Get my name so that I can use it to report errors. */ Prog = Basename (argv[0]); + shadow_logfd = stderr; (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); ++++++ shadow-login_defs-check.sh ++++++ --- /var/tmp/diff_new_pack.6pnoVk/_old 2021-11-21 23:51:39.454354395 +0100 +++ /var/tmp/diff_new_pack.6pnoVk/_new 2021-11-21 23:51:39.454354395 +0100 @@ -20,7 +20,18 @@ # Extract list of referenced variables. if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then echo "Checking out util-linux..." - osc co openSUSE:Factory util-linux + if test -d ../util-linux ; then + echo -n "../util-linux found. Are you preparing new version? (y/N) " + read + if test "${REPLY:0:1}" = "y" ; then + mkdir -p openSUSE:Factory + cp -a ../util-linux openSUSE:Factory/ + else + osc co openSUSE:Factory util-linux + fi + else + osc co openSUSE:Factory util-linux + fi cd openSUSE:Factory/util-linux quilt setup -d BUILD util-linux.spec cd BUILD/* @@ -43,7 +54,18 @@ # Extract list of referenced variables. if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then echo "Checking out pam..." - osc co openSUSE:Factory pam + if test -d ../pam ; then + echo -n "../pam found. Are you preparing new version? (y/N) " + read + if test "${REPLY:0:1}" = "y" ; then + mkdir -p openSUSE:Factory + cp -a ../pam openSUSE:Factory/ + else + osc co openSUSE:Factory pam + fi + else + osc co openSUSE:Factory pam + fi cd openSUSE:Factory/pam quilt setup -d BUILD pam.spec cd BUILD/* @@ -54,7 +76,7 @@ echo "Extracting variables from pam..." cd openSUSE:Factory/pam/BUILD/* grep -rh LOGIN_DEFS . | - sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | + sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst cd ../../../.. @@ -66,12 +88,24 @@ # In case of shadow, variables extraction is more complicated. The list # depends on configure options, so we have to perform a fake build and # extract variables from prepreocessed sources. - sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec +# sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec + sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec + if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then + echo "$0: Please fix sed expression modifying shadow.spec." + mv shadow.spec.shadow-login_defs-check-save shadow.spec + exit 1 + fi fi - osc build "$@" || : - echo "This build command was expected to fail." - echo "" + if osc build "$@" ; then + echo "This build command was expected to fail, but it succeeded." + echo "$0: Please fix sed expression modifying shadow.spec." + mv shadow.spec.shadow-login_defs-check-save shadow.spec + exit 1 + else + echo "This build command was expected to fail." + echo "" + fi mv shadow.spec.shadow-login_defs-check-save shadow.spec BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p') @@ -167,6 +201,8 @@ FTMP_FILE ) return 0 ;; # ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec. ISSUE_FILE ) return 0 ;; +# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec. + PREVENT_NO_AUTH ) return 0 ;; * ) return 1 ;; esac } @@ -242,7 +278,7 @@ sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec echo " -If you ported encryption_method_nis.patch to the new pam version, +If you ported shadow-login_defs-unused-by-pam.patch to the new pam version, please submit these updates: Change in pam.spec:" sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec ++++++ shadow-login_defs-comments.patch ++++++ --- /var/tmp/diff_new_pack.6pnoVk/_old 2021-11-21 23:51:39.458354382 +0100 +++ /var/tmp/diff_new_pack.6pnoVk/_new 2021-11-21 23:51:39.462354369 +0100 @@ -13,38 +13,6 @@ # # Delay in seconds before being allowed another attempt after a login failure -@@ -23,15 +21,6 @@ LOG_UNKFAIL_ENAB no - # - - # --# Limit the highest user ID number for which the lastlog entries should --# be updated. --# --# No LASTLOG_UID_MAX means that there is no user ID limit for writing --# lastlog entries. --# --#LASTLOG_UID_MAX -- --# - # Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition - # to sulog file logging. - # -@@ -46,6 +35,15 @@ CONSOLE /etc/securetty - #CONSOLE console:tty01:tty02:tty03:tty04 - - # -+# Limit the highest user ID number for which the lastlog entries should -+# be updated. -+# -+# No LASTLOG_UID_MAX means that there is no user ID limit for writing -+# lastlog entries. -+# -+#LASTLOG_UID_MAX -+ -+# - # If defined, all su(1) activity is logged to this file. - # - #SULOG_FILE /var/log/sulog @@ -99,11 +97,14 @@ ENV_PATH /bin:/usr/bin ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin #ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin @@ -86,7 +54,7 @@ GID_MIN 1000 GID_MAX 60000 # System accounts -@@ -190,7 +201,6 @@ LOGIN_TIMEOUT 60 +@@ -196,7 +207,6 @@ LOGIN_TIMEOUT 60 CHFN_RESTRICT rwh # @@ -94,7 +62,7 @@ # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. # It supports passwords of unlimited length and longer salt strings. -@@ -205,7 +215,6 @@ CHFN_RESTRICT rwh +@@ -211,7 +221,6 @@ CHFN_RESTRICT rwh #MD5_CRYPT_ENAB no # ++++++ shadow-login_defs-suse.patch ++++++ --- /var/tmp/diff_new_pack.6pnoVk/_old 2021-11-21 23:51:39.466354356 +0100 +++ /var/tmp/diff_new_pack.6pnoVk/_new 2021-11-21 23:51:39.466354356 +0100 @@ -67,7 +67,7 @@ # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. -@@ -125,7 +128,7 @@ +@@ -133,7 +136,7 @@ UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. @@ -106,8 +106,8 @@ +LOGIN_RETRIES 3 # - # Max time in seconds for login(1) -@@ -201,18 +204,9 @@ LOGIN_TIMEOUT 60 + # Tell login to only re-prompt for the password if authentication +@@ -207,18 +210,9 @@ LOGIN_TIMEOUT 60 CHFN_RESTRICT rwh # @@ -128,7 +128,7 @@ # # If set to MD5, MD5-based algorithm will be used for encrypting password -@@ -227,7 +221,7 @@ CHFN_RESTRICT rwh +@@ -233,7 +227,7 @@ CHFN_RESTRICT rwh # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # @@ -137,7 +137,7 @@ # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -@@ -325,7 +319,7 @@ USERDEL_POSTCMD /usr/sbin/userde +@@ -303,7 +297,7 @@ USERDEL_POSTCMD /usr/sbin/userde # # This also enables userdel(8) to remove user groups if no members exist. # @@ -146,7 +146,7 @@ # # If set to a non-zero number, the shadow utilities will make sure that -@@ -344,7 +338,7 @@ USERGROUPS_ENAB yes +@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes # This option is overridden with the -M or -m flags on the useradd(8) # command-line. # @@ -155,4 +155,3 @@ # # Force use shadow, even if shadow passwd & shadow group files are - ++++++ shadow-login_defs-unused-by-pam.patch ++++++ --- /var/tmp/diff_new_pack.6pnoVk/_old 2021-11-21 23:51:39.470354343 +0100 +++ /var/tmp/diff_new_pack.6pnoVk/_new 2021-11-21 23:51:39.474354330 +0100 @@ -1,6 +1,9 @@ Remove variables that are present in login.defs, but shadow with the current configuration (e. g. with PAM) does not use them. +It also includes variables used by the current configuration, but deleted +in the spec file. + shadow-login_defs-unused-check.sh makes possible to verify that it is still up to date. @@ -221,10 +224,38 @@ # Only works if compiled with MD5_CRYPT defined: # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. -@@ -382,17 +252,6 @@ CHFN_RESTRICT rwh - #YESCRYPT_COST_FACTOR 5 +@@ -354,45 +224,6 @@ CHFN_RESTRICT rwh + #SHA_CRYPT_MAX_ROUNDS 5000 # +-# Only works if ENCRYPT_METHOD is set to BCRYPT. +-# +-# Define the number of BCRYPT rounds. +-# With a lot of rounds, it is more difficult to brute-force the password. +-# However, more CPU resources will be needed to authenticate users if +-# this value is increased. +-# +-# If not specified, 13 rounds will be attempted. +-# If only one of the MIN or MAX values is set, then this value will be used. +-# If MIN > MAX, the highest value will be used. +-# +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 +- +-# +-# Only works if ENCRYPT_METHOD is set to YESCRYPT. +-# +-# Define the YESCRYPT cost factor. +-# With a higher cost factor, it is more difficult to brute-force the password. +-# However, more CPU time and more memory will be needed to authenticate users +-# if this value is increased. +-# +-# If not specified, a cost factor of 5 will be used. +-# The value must be within the 1-11 range. +-# +-#YESCRYPT_COST_FACTOR 5 +- +-# -# List of groups to add to the user's supplementary group set -# when logging in from the console (as determined by the CONSOLE -# setting). Default is none. @@ -239,7 +270,7 @@ # Should login be allowed if we can't cd to the home directory? # Default is no. # -@@ -407,12 +266,6 @@ DEFAULT_HOME yes +@@ -407,12 +238,6 @@ DEFAULT_HOME yes NONEXISTENT /nonexistent # ++++++ shadow-util-linux.patch ++++++ --- /var/tmp/diff_new_pack.6pnoVk/_old 2021-11-21 23:51:39.478354318 +0100 +++ /var/tmp/diff_new_pack.6pnoVk/_new 2021-11-21 23:51:39.478354318 +0100 @@ -109,39 +109,32 @@ # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new -Index: lib/getdef.c -=================================================================== ---- lib/getdef.c.orig -+++ lib/getdef.c -@@ -67,6 +67,7 @@ struct itemdef { - {"LOGIN_STRING", NULL}, \ - {"MAIL_CHECK_ENAB", NULL}, \ - {"MOTD_FILE", NULL}, \ -+ {"MOTD_FIRSTONLY", NULL}, \ - {"NOLOGINS_FILE", NULL}, \ - {"OBSCURE_CHECKS_ENAB", NULL}, \ - {"PASS_ALWAYS_WARN", NULL}, \ -@@ -91,6 +92,7 @@ struct itemdef { +@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536 + LOGIN_RETRIES 5 - #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) - static struct itemdef def_table[] = { -+ {"ALWAYS_SET_PATH", NULL}, - {"CHARACTER_CLASS", NULL}, - {"CHFN_RESTRICT", NULL}, - {"CONSOLE_GROUPS", NULL}, -@@ -99,6 +101,7 @@ static struct itemdef def_table[] = { - {"DEFAULT_HOME", NULL}, - {"ENCRYPT_METHOD", NULL}, - {"ENV_PATH", NULL}, -+ {"ENV_ROOTPATH", NULL}, - {"ENV_SUPATH", NULL}, - {"ERASECHAR", NULL}, - {"FAIL_DELAY", NULL}, -@@ -110,6 +113,7 @@ static struct itemdef def_table[] = { - {"KILLCHAR", NULL}, - {"LASTLOG_UID_MAX", NULL}, - {"LOGIN_RETRIES", NULL}, -+ {"LOGIN_PLAIN_PROMPT", NULL}, - {"LOGIN_TIMEOUT", NULL}, - {"LOG_OK_LOGINS", NULL}, - {"LOG_UNKFAIL_ENAB", NULL}, + # ++# Tell login to only re-prompt for the password if authentication ++# failed, but the username is valid. The default value is no. ++# ++LOGIN_KEEP_USERNAME no ++ ++# + # Max time in seconds for login(1) + # + LOGIN_TIMEOUT 60 +@@ -315,15 +335,6 @@ CHARACTER_CLASS [ABCDEFGHIJKLMNO + #GRANT_AUX_GROUP_SUBIDS yes + + # +-# Prevents an empty password field to be interpreted as "no authentication +-# required". +-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +- +-PREVENT_NO_AUTH superuser +- +-# + # Select the HMAC cryptography algorithm. + # Used in pam_timestamp module to calculate the keyed-hash message + # authentication code. ++++++ shadow.service ++++++ --- /var/tmp/diff_new_pack.6pnoVk/_old 2021-11-21 23:51:39.494354266 +0100 +++ /var/tmp/diff_new_pack.6pnoVk/_new 2021-11-21 23:51:39.498354253 +0100 @@ -2,6 +2,19 @@ Description=Verify integrity of password and group files [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=read-only +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/sbin/pwck -r ExecStart=/usr/sbin/grpck -r
