The utils, when compiled WITHOUT libuser, call mkostemp() on
"/etc/%s.XXXXXX", where the filename prefix is the argv[0] basename.
An attacker could repeatedly execute the util with a modified argv[0]
and after many, many attempts mkostemp() may generate a suffix which
makes sense. The result may be a temporary file with a name like rc.status,
ld.so.preload or krb5.keytab, etc.
Note that distros usually use libuser based ch{sh,fn} or stuff from
shadow-utils.
It's probably a very minor security bug.
Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>
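An added example, not code from the commit or from util-linux: the template pattern the message above describes, next to a constant-prefix form, with an audit check for whether a template can expand to a given file name. The function names and the ".chsh-tmp" prefix are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SUFFIX "XXXXXX" /* placeholder that mkostemp() overwrites */

/* Pattern from the commit message: prefix = basename of argv[0], which
 * whoever executes the program controls. */
static int template_from_argv0(const char *argv0, char *out, size_t n)
{
    const char *base = strrchr(argv0, '/');
    int r = snprintf(out, n, "/etc/%s." SUFFIX, base ? base + 1 : argv0);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Hardened form: constant prefix (the name ".chsh-tmp" is an assumption). */
static int template_fixed(char *out, size_t n)
{
    int r = snprintf(out, n, "/etc/.chsh-tmp." SUFFIX);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Audit check: could mkostemp() expand tmpl into path? True when the fixed
 * part matches and the last six characters of path are all alphanumeric,
 * the alphabet glibc draws the suffix from. */
static int template_can_yield(const char *tmpl, const char *path)
{
    size_t tl = strlen(tmpl), sl = strlen(SUFFIX);
    if (tl != strlen(path) || tl < sl || strcmp(tmpl + tl - sl, SUFFIX) != 0)
        return 0;
    if (strncmp(tmpl, path, tl - sl) != 0)
        return 0;
    for (size_t i = tl - sl; i < tl; i++)
        if (!isalnum((unsigned char)path[i]))
            return 0;
    return 1;
}

int main(void)
{
    char t[64];
    template_from_argv0("rc", t, sizeof t);
    printf("%s -> rc.status possible: %d\n", t, template_can_yield(t, "/etc/rc.status"));
    template_from_argv0("krb5", t, sizeof t);
    printf("%s -> krb5.keytab possible: %d\n", t, template_can_yield(t, "/etc/krb5.keytab"));
    template_fixed(t, sizeof t);
    printf("%s -> rc.status possible: %d\n", t, template_can_yield(t, "/etc/rc.status"));
    return 0;
}
```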
This adds a concise description of a tool to its usage text.
A first form of this patch was proposed by Steven Honeyman
(see http://www.spinics.net/lists/util-linux-ng/msg09994.html).
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
Shell null check is redundant. The shell can be null only after
ask_new_shell returned such, and that is checked earlier in program
logic.
Secondly the check_shell does not need to return values, in such cases
the program can simply exit.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Rename prompt() to ask_new_shell(). Remove fixed size buffer and
allocate path to new shell, that should make Hurd people happy. Use
strutils.h for white space trimming.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Earlier setting a /bin/sh was impossible for users that had nothing set
as shell, as that was seen as no change.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Use of fgets() can cause a single long line to be understood as two
entries, and someone could play tricks with the remainder part of the
buffer.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
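An added example, not code from the commit: the line-splitting behaviour the message above describes, shown with a fixed-buffer fgets() reader next to a getline() reader over the same input. The sample entries, the 16-byte buffer and the function names are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* getline(), fmemopen() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: two entries; the second is one long line. */
static const char SAMPLE[] = "/bin/bash\n/opt/0123456789/bin/sh\n";

/* Fixed-buffer reader: every fgets() return is treated as one entry, so a
 * line longer than the buffer is split and its tail is parsed as an entry. */
static int count_matches_fgets(const char *data, const char *want, size_t bufsz)
{
    FILE *f = fmemopen((void *)data, strlen(data), "r");
    char *buf = malloc(bufsz);
    int hits = 0;
    while (f && buf && fgets(buf, (int)bufsz, f)) {
        buf[strcspn(buf, "\n")] = '\0';
        hits += strcmp(buf, want) == 0;
    }
    free(buf);
    if (f)
        fclose(f);
    return hits;
}

/* getline() grows its buffer, so one input line is always one entry. */
static int count_matches_getline(const char *data, const char *want)
{
    FILE *f = fmemopen((void *)data, strlen(data), "r");
    char *line = NULL;
    size_t cap = 0;
    int hits = 0;
    while (f && getline(&line, &cap, f) != -1) {
        line[strcspn(line, "\n")] = '\0';
        hits += strcmp(line, want) == 0;
    }
    free(line);
    if (f)
        fclose(f);
    return hits;
}

int main(void)
{
    printf("fgets(16): /bin/sh matched %d time(s)\n", count_matches_fgets(SAMPLE, "/bin/sh", 16));
    printf("getline(): /bin/sh matched %d time(s)\n", count_matches_getline(SAMPLE, "/bin/sh"));
    return 0;
}
```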
Fixing plain typos, miswordings, inconsistent periods, some missing
angular brackets, and a proper pluralization (even when it involves
a constant, because for some languages the precise value matters).
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
* rename --disable-require-password to --disable-chsh-chfn-password
* is_local() is really unnecessary when linked with libuser
* fix set_value_libuser() return codes
* fix chfn.c, there is no 'pw', but oldf.pw
* don't link with PAM when --disable-chsh-chfn-password
Signed-off-by: Karel Zak <kzak@redhat.com>
This is based directly on lchsh which is a part of libuser. libuser.{c,h}
exist because exactly the same code is needed for both chsh and chfn.
[kzak@redhat.com: cleanup err() usage]
Signed-off-by: Cody Maloney <cmaloney@theoreticalchaos.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
This makes it easier to add support for libuser, which needs the same PAM
authentication. Also removes duplicate code between chsh and chfn.
Signed-off-by: Cody Maloney <cmaloney@theoreticalchaos.com>
[kzak@redhat.com: - cleanup lscpu(1) usage text
- use <disk> rather than <device> in partx(8)
usage text]
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
Solaris lacks err, errx, warn and warnx. This also means the err.h header
doesn't exist. Removed err.h include from all files, and included err.h from
c.h instead if it exists, otherwise alternatives are provided.
Signed-off-by: Fabian Groffen <grobian@gentoo.org>
Check for crypt.h existence, and use it if available over using unistd.h
for which a certain feature level has to be set to export a definition
for crypt. On Solaris this set causes a standards conflict in the
headers, because at the time of this check C99 mode is already enabled,
which implies certain standards non-compatible with _XOPEN_SOURCE.
92 #define _XOPEN_SOURCE
93 #include <unistd.h>
configure:16259: gcc -std=gnu99 -c -g -O2 conftest.c >&5
In file included from /usr/include/unistd.h:18,
from conftest.c:93:
/prefix/gentoo/usr/lib/gcc/i386-pc-solaris2.10/4.4.5/include-fixed/sys/feature_tests.h:341:2: error: #error "Compiler or options invalid for pre-UNIX 03 X/Open applications and pre-2001 POSIX applications"
configure.ac: improve crypt check
login-utils/my_crypt.h: replace old GNU_LIBRARY check with autoconf
define for crypt.h
[kzak@redhat.com: - remove my_crypt.h]
Signed-off-by: Fabian Groffen <grobian@gentoo.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
$ chsh
chsh: can only change local entries; use ypchsh instead.
The 'ypchsh' is an external util that does not have to be installed.
Addresses: http://bugzilla.redhat.com/show_bug.cgi?id=497329
Signed-off-by: Karel Zak <kzak@redhat.com>
Unfortunately, the current libselinux implementation of
is_selinux_enabled() returns -1 on error. This behavior is
undocumented.
The proper solution is to use "if (is_selinux_enabled() > 0)".
Signed-off-by: Karel Zak <kzak@redhat.com>
Add a missing period, a missing space, a comma and a word for clarity,
plus a period and an uppercase letter to match surrounding messages.
Further add a missing call to gettext, and undo an unneeded linewrap.
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
chsh will use a PAM transaction if the macros 'REQUIRE_PASSWORD' and
'HAVE_SECURITY_PAM_MISC_H' are defined, but no pam_end function is
used when the PAM transaction is terminated.
This patch also cleans up the PAM code in chsh(1).
Signed-off-by: Yu Zhiguo <yuzg@cn.fujitsu.com>
Co-Author: Karel Zak <kzak@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
chsh(1) uses empty shell setting (pw->pw_shell="") as a synonym for
/bin/sh. This convention is silly and unnecessary. (The vsftpd server
will not run if the shell assigned to user "ftp" is a null string --
according to bug rh#103004).
Signed-off-by: Karel Zak <kzak@redhat.com>