Let's follow the standard $id$salt$encrypted password format in
verification code.
The current code is useless and for example PWD-LOCK column is always
FALSE.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1581611
Signed-off-by: Karel Zak <kzak@redhat.com>
Punctuation marks have been left in the only argument of two-fonts
macros, instead of being separated from it to make the second one.
Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
Use the correct macro (I, B) for the font change of one argument, not
those that are used for alternating two fonts, like "BR", "IR", "RB",
or "RI".
Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
login-utils/last.c: In function ‘list’:
login-utils/last.c:398:36: warning: argument to ‘sizeof’ in ‘strncat’ call
is the same expression as the source; did you mean to use the size of the
destination? [-Wsizeof-pointer-memaccess]
strncat(utline, p->ut_line, sizeof(p->ut_line));
The sizeof(utline) is defined as sizeof(p->ut_line) + 1, so the compiler got
that wrong. Let's truncate strncat() the other way around to keep gcc 8.1 happy.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Let's make it possible to use debug.h without environment variables.
Suggested-by: J William Piggott <elseifthen@gmx.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
We have command line option -H to disable hostname in login prompt.
Unfortunately, in some cases (e.g. telnetd) it's impossible to specify
login(1) command line options due to hardcoded execl()...
This patch introduces LOGIN_PLAIN_PROMPT boolean for /etc/login.defs
to suppress hostname in the prompt.
Signed-off-by: Karel Zak <kzak@redhat.com>
It seems better to deallocate logindefs.conf stuff in long time
running (=waiting) processes like login(1) and su(1).
Signed-off-by: Karel Zak <kzak@redhat.com>
* Start the ISO format flags at bit 0 instead of bit 1.
* Remove unnecessary _8601 from ISO format flag names to
avoid line wrapping and to ease readability.
* ISO timestamps have date-time-timezone in common, so move
the TIMEZONE flag to bit 2 causing all timestamp masks
to have the first three bits set and the last four bits
as timestamp 'options'.
* Change the 'SPACE' flag to a 'T' flag, because it makes
the code and comments more concise.
* Add common ISO timestamp masks.
* Implement the ISO timestamp masks in all applicable code
using the strxxx_iso() functions.
Signed-off-by: J William Piggott <elseifthen@gmx.com>
This new function returns the GMT offset relative to its
argument. It is used in this patch to fix two bugs:

1) On platforms that the tm struct excludes tm_gmtoff,
   hwclock assumes a one hour DST offset. This can cause
   an incorrect kernel timezone setting. For example:

   Master branch tested with tm_gmtoff illustrates the correct offset:
   $ TZ="Australia/Lord_Howe" hwclock --hctosys --test | grep settimeofday
   Calling settimeofday(1507494204.192398, -660)

   Master branch tested without tm_gmtoff has an incorrect offset:
   $ TZ="Australia/Lord_Howe" hwclock --hctosys --test | grep settimeofday
   Calling settimeofday(1507494249.193852, -690)

   Patched tested without tm_gmtoff has the correct offset:
   $ TZ="Australia/Lord_Howe" hwclock --hctosys --test | grep settimeofday
   Calling settimeofday(1507494260.194208, -660)

2) ISO 8601 'extended' format requires all time elements
   to use a colon (:).

   Current invalid ISO 8601:
   $ hwclock
   2017-10-08 16:25:17.895462-0400

   Patched:
   $ hwclock
   2017-10-08 16:25:34.141895-04:00

Also required by this change:
login-utils/last.c: increase ISO out_len and in_len by one to
accommodate the addition of the timezone colon.
Signed-off-by: J William Piggott <elseifthen@gmx.com>
The functions warnx(3) and gettext(3) are not safe to use within signal
handlers and should be avoided. Preparing the message beforehand and
calling write(2) as well as calling _exit(2) solves the problem.
[kzak@redhat.com: - use program_invocation_short_name rather than argv[0],
- use ignore_result() to keep compiler happy]
Signed-off-by: Karel Zak <kzak@redhat.com>
We want to use waitpid() only when the child is terminated or stopped to
pick up the child status, otherwise the PTY proxy has to be active. This is
the difference between "su" and "su --pty". For "su" we keep the parent all
the time in waitpid().
It would be possible to use separate code based on signalfd_siginfo,
but it seems better to keep all this stuff in one place -- it means
wait_for_child().
Signed-off-by: Karel Zak <kzak@redhat.com>
Not sure why I had a problem with this years ago for script(1), but it
seems .fd=-1 is really enough to ignore the FD.
Reported-by: Vaclav Dolezal <vdolezal@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
The signal mask is used by pty_init_slave(), but it has never been
uninitialized before fork(), so child gets 0 as a mask :-(
Note that script(1) does not have this issue because it opens signal-fd
before fork().
Reported-by: Vaclav Dolezal <vdolezal@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Add conditional -lutil to runuser when needed to avoid linking error.
login-utils/su-common.o: In function `pty_create':
login-utils/su-common.c:269: undefined reference to `openpty'
login-utils/su-common.c:273: undefined reference to `openpty'
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This patch a little bit reorders signals initialization. The original
code unblocks SIGINT SIGQUIT before signal handler is set for the
signals. It means there is a small possible race.
It seems better to compose wanted mask, setup handlers and then
unblock all the wanted signals.
Signed-off-by: Karel Zak <kzak@redhat.com>
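
The ordering described in the commit message above (compose the mask, install the handlers, unblock last), as an added example that is not util-linux code. The function names are hypothetical, and the SIGINT raised while blocked is constructed to stand in for a signal arriving inside the race window.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t caught_signal;

/* The handler only records the signal number, which is async-signal-safe. */
static void remember_signal(int sig)
{
	caught_signal = sig;
}

/*
 * Hypothetical helper: assumes the caller still has the signals blocked.
 * 1) compose the wanted mask, 2) install the handlers, 3) unblock.
 * Unblocking first would leave a window in which SIGINT or SIGQUIT is
 * delivered with its default action (process termination).
 */
static int install_then_unblock(void)
{
	static const int wanted_sigs[] = { SIGINT, SIGQUIT };
	const size_t n = sizeof(wanted_sigs) / sizeof(wanted_sigs[0]);
	struct sigaction sa;
	sigset_t wanted;
	size_t i;

	/* 1) compose the wanted mask */
	sigemptyset(&wanted);
	for (i = 0; i < n; i++)
		sigaddset(&wanted, wanted_sigs[i]);

	/* 2) set up the handlers while the signals are still blocked */
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = remember_signal;
	sa.sa_mask = wanted;	/* handlers do not interrupt each other */
	for (i = 0; i < n; i++)
		if (sigaction(wanted_sigs[i], &sa, NULL) != 0)
			return -1;

	/* 3) only now unblock; anything pending goes to our handler */
	return sigprocmask(SIG_UNBLOCK, &wanted, NULL);
}

/*
 * Constructed scenario: a SIGINT arrives while everything is blocked,
 * i.e. before the handlers exist. Returns 1 if the handler saw it after
 * the unblock, 0 if not, -1 on error.
 */
static int pending_sigint_reaches_handler(void)
{
	sigset_t all, saved;
	int rc;

	caught_signal = 0;
	sigfillset(&all);
	if (sigprocmask(SIG_BLOCK, &all, &saved) != 0)
		return -1;

	raise(SIGINT);			/* stays pending: SIGINT is blocked */
	rc = install_then_unblock();	/* delivered here, to the handler */

	sigprocmask(SIG_SETMASK, &saved, NULL);
	return rc == 0 ? caught_signal == SIGINT : -1;
}

int main(void)
{
	printf("pending SIGINT handled: %d\n", pending_sigint_reaches_handler());
	return 0;
}
```
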
The patch from master branch, somehow lost during su refactoring
rebase.
Reported-by: Tobias Stöckmann <tobias@stoeckmann.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
* setup logindefs loader by function rather than by global pointer
* move basic booleans to the su_context struct
Signed-off-by: Karel Zak <kzak@redhat.com>
Yes, I know... this patch is horrible. We all hate this in git
history, but the original indention from coreutils has been so
crazy...
Signed-off-by: Karel Zak <kzak@redhat.com>
Less code, less bugs. And if there are bugs at least share them with all
other programs that use getusershell(3) from libc.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This should make leaking end of /etc/shadow file more unlikely.
Notice that there is no way to tell editors that they should ensure they
do not leak any buffers, drop cores, and so on, when editing sensitive
data. In short this change is addressing the issue only partially.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
* 'help' of https://github.com/rudimeier/util-linux:
setpriv: silence compiler warning
misc: consolidate macro style USAGE_HELP_OPTIONS
blockdev: correct man page name in --help
Under strange circumstances, the output of command 'last reboot'
showed the last time as a negative time, with both the hours and the
mins value having a minus sign. Example, taken from my workstation:
$ last reboot
[...]
reboot system boot 4.4.0-79-generic Wed Jun 14 09:20 - 07:33 (-1:-47)
[...]
I am aware this should happen only infrequently. Nevertheless, I
propose a more robust behaviour: show a minus sign only for the most
significant value (days or hours) and show the rest always as
positive. In the special case of ((secs < 0) && (secs >= -59)), print
mins as "-00".
Signed-off-by: Karel Zak <kzak@redhat.com>
It seems that on some systems (e.g. RHEL7) the libc function
getaddrinfo() is not able to translate ::ffff: address to IPv4. The
result is 0.0.0.0 host address in the last(1) and utmpdump(1) output.
/sbin/login -h "::ffff:192.168.1.7"
utmpdump:
[7] [03926] [1 ] [user1 ] [pts/1 ] [::ffff:192.168.1.7 ] [0.0.0.0 ] [Thu May 12 17:49:50 2016 ]
Not sure if this is about order of the getaddrinfo() results, system
configuration or libc version. It's irrelevant for login(1). We have
to be robust enough to write usable address to log files everywhere.
The solution is to detect IPv4-mapping-to-IPv6 and use IPv4 for utmp.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1296233
Signed-off-by: Karel Zak <kzak@redhat.com>
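
One way to detect an IPv4-mapped IPv6 host string and store it as IPv4, as the commit message above describes. This is an added example, not the login(1) code; the helper names are hypothetical, uint32_t is used for the four-word address array, and the "only the first word set means IPv4" convention is the one documented for ut_addr_v6 in utmp(5).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Hypothetical helper: fill a ut_addr_v6-style array from a literal host
 * address. Returns AF_INET or AF_INET6 for the family that was stored,
 * or 0 if the string is not a literal address.
 */
static int host_to_utmp_addr(const char *host, uint32_t addr_v6[4])
{
	struct in6_addr a6;
	struct in_addr a4;

	memset(addr_v6, 0, 4 * sizeof(uint32_t));

	if (inet_pton(AF_INET, host, &a4) == 1) {
		memcpy(&addr_v6[0], &a4, sizeof(a4));
		return AF_INET;
	}
	if (inet_pton(AF_INET6, host, &a6) != 1)
		return 0;

	if (IN6_IS_ADDR_V4MAPPED(&a6)) {
		/* ::ffff:a.b.c.d keeps the IPv4 address in the last 4 bytes */
		memcpy(&addr_v6[0], &a6.s6_addr[12], 4);
		return AF_INET;
	}
	memcpy(addr_v6, &a6, sizeof(a6));
	return AF_INET6;
}

/* Render the stored address the way a reader of the log would see it. */
static const char *utmp_addr_to_text(const uint32_t addr_v6[4],
				     char *buf, socklen_t len)
{
	/* utmp(5) convention: an IPv4 address uses just the first word */
	if (addr_v6[1] == 0 && addr_v6[2] == 0 && addr_v6[3] == 0)
		return inet_ntop(AF_INET, &addr_v6[0], buf, len);
	return inet_ntop(AF_INET6, addr_v6, buf, len);
}

int main(void)
{
	/* Constructed inputs; the first one is the host string from the report */
	static const char *hosts[] = {
		"::ffff:192.168.1.7", "192.168.1.7", "2001:db8::1"
	};
	char buf[INET6_ADDRSTRLEN];
	uint32_t addr[4];
	size_t i;

	for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
		int family = host_to_utmp_addr(hosts[i], addr);
		const char *text = family
			? utmp_addr_to_text(addr, buf, sizeof(buf)) : NULL;

		printf("%-20s -> %s\n", hosts[i], text ? text : "(not an address)");
	}
	return 0;
}
```
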
changed in include/c.h and applied via sed:
sed -i 's/fprintf.*\(USAGE_MAN_TAIL.*\)/printf(\1/' $(git ls-files -- "*.c")
sed -i 's/print_usage_help_options\(.*\);/printf(USAGE_HELP_OPTIONS\1);/' $(git ls-files -- "*.c")
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Now we are always using the same text also for commands
which had still hardcoded descriptions or where we can't
use the standard print_usage_help_options macro.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Consolidate --help and --version descriptions. We are
now able to align them to the other options.
We changed include/c.h. The rest of this patch was
generated by sed, plus manually setting the right
alignment numbers. We do not change anything but
white spaces in the --help output.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
This patch is trivial and changes nothing, because
we were always using usage(stdout)
Now all our usage() functions look very similar. If wanted we
could auto-generate another big cosmetical patch to remove all
the useless "FILE *out" constants and use printf and puts
rather than their f* friends. Such patch could be automatically
synchronized with the translation project (newlines!) to not
make the translators sick.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
We are using better/shorter error messages and sometimes
also errtryhelp().
Here we fix all cases where the usage function took
an int argument for exit_code.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
* '170622' of github.com:jwpi/util-linux:
Docs: move option naming to howto-contribute.txt
Docs: update howto-usage-function.txt
Docs: add a comment for constants to boilerplate.c
include/c.h: add USAGE_COMMANDS and USAGE_COLUMNS
Also we don't print the usage text on stderr anymore.
Note, the usage text could be improved, currently it
does not describe any options. I have only added a
pointer to the man page.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
* add --disable-makeinstall-chown to travis non-root mode
* use "if MAKEINSTALL_DO_SETUID" for chown root:root
Signed-off-by: Karel Zak <kzak@redhat.com>
(Original patch and commit message edited by Rudi.)
gcc-7 adds -Wimplicit-fallthrough=3 to our default flag -Wextra.
This warning can be silenced by using comment /* fallthrough */
which is also recognized by other tools like coverity. There are
also other valid comments (see man gcc-7) but we consolidate this
style now.
We could have also used __attribute__((fallthrough)) but the comment
looks nice and does not need to be ifdef'ed for compatibility.
Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=7652
Reference: https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/
Reviewed-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Suggested-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
../login-utils/last.c: In function ‘main’:
../login-utils/last.c:624:23: warning: ‘%s’ directive writing up to 31 bytes into a region of size 27 [-Wformat-overflow=]
sprintf(path, "/dev/%s", ut->ut_line);
^~ ~~
../login-utils/last.c:624:3: note: ‘sprintf’ output between 6 and 37 bytes into a destination of size 32
sprintf(path, "/dev/%s", ut->ut_line);
../libblkid/src/devname.c: In function 'probe_one':
../libblkid/src/devname.c:166:29: warning: '%s' directive writing up to 255 bytes into a region of size 245 [-Wformat-overflow=]
sprintf(path, "/sys/block/%s/slaves", de->d_name);
^~
../libblkid/src/devname.c:166:3: note: 'sprintf' output between 19 and 274 bytes into a destination of size 256
sprintf(path, "/sys/block/%s/slaves", de->d_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
* global variables are always initialized by NULL
* it seems we need it as global variable due to libreadline, then use it as
global everywhere in the same .c file.
Signed-off-by: Karel Zak <kzak@redhat.com>
Let's use two functions is_known_shell() and print_shells() to make
the code more readable and to avoid complex semantic of the original
get_shell_list().
Signed-off-by: Karel Zak <kzak@redhat.com>
sys-utils/prlimit.c: In function 'do_prlimit':
sys-utils/prlimit.c:367:16: warning: format '%ju' expects argument of type 'uintmax_t', but argument 2 has type 'rlim_t {aka long long unsigned int}' [-Wformat=]
printf("<%ju", new->rlim_cur);
lib/plymouth-ctrl.c: In function 'open_un_socket_and_connect':
lib/plymouth-ctrl.c:88:20: warning: passing argument 2 of 'connect' from incompatible pointer type [-Wincompatible-pointer-types]
ret = connect(fd, &su, offsetof(struct sockaddr_un, sun_path) + 1 + strlen(su.sun_path+1));
^
In file included from lib/plymouth-ctrl.c:35:0:
/usr/include/sys/socket.h:314:5: note: expected 'const struct sockaddr *' but argument is of type 'struct sockaddr_un *'
int connect (int, const struct sockaddr *, socklen_t);
login-utils/last.c: In function 'list':
login-utils/last.c:506:54: warning: pointer targets in passing argument 4 of 'dns_lookup' differ in signedness [-Wpointer-sign]
r = dns_lookup(domain, sizeof(domain), ctl->useip, p->ut_addr_v6);
^
login-utils/last.c:291:12: note: expected 'int32_t * {aka int *}' but argument is of type 'unsigned int *'
static int dns_lookup(char *result, int size, int useip, int32_t *a)
^~~~~~~~~~
In file included from sys-utils/hwclock-cmos.c:92:0:
sys-utils/hwclock.h:67:32: warning: 'struct timeval' declared inside parameter list will not be visible outside of this definition or declaration
extern double time_diff(struct timeval subtrahend, struct timeval subtractor);
misc-utils/test_uuidd.c: In function 'create_nthreads':
misc-utils/test_uuidd.c:187:19: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
proc->pid, (int) th->tid, th->index));
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
The default readline tab completion that offers file listing from current
directory does not make any sense in this context.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The readline offers editing capabilities while the user is entering the
line, unlike fgets(3) and getline(3) that were used earlier.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Hopefully these changes are unreachable code, but better safe than sorry
when dealing with setuid root code that is installed everywhere. Quite
obviously the introduced abort() calls protect from impossible inputs.
Secondly set all possible data to be read-only in attempt to make it more
difficult to alter anything at all.
Reference: https://www.securecoding.cert.org/confluence/display/c/DCL00-C.+Const-qualify+immutable+objects
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Use xstrcpy() to explicitly terminate the domain string.
Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
If the file /etc/hushlogins exists and a line starts with '\0', the
login tools are prone to an off-by-one read.
I see no reliability issue with this, as it would clearly need a
hostile action from a system administrator. But for the sake of
correctness, I've sent this patch nonetheless.
text-utils/tailf.c:69:21: warning: Using plain integer as NULL pointer
Since many 'struct option' has used zero as NULL make them more readable in
same go by reindenting, and using named argument requirements.
Reference: https://lwn.net/Articles/93577/
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Local timegm() is a replacement function in cases it is missing from libc
implementation. Hopefully the replacement is never, or very rarely, used.
CC: Ruediger Meier <ruediger.meier@ga-group.nl>
Reviewed-by: J William Piggott <elseifthen@gmx.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
* 'shadow-man' of https://github.com/andhe/util-linux:
chsh: use -h as shorthand for --help instead of -u
man: chsh(1): add login.defs to SEE ALSO
man: chfn(1): add chsh and login.defs to SEE ALSO
This makes --time-format=iso timestamp to look the same as login/logout
times. When --time-format=noformat is used the file creation time is not
printed. There is no change to default format.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
* the variable definition with hidden type is always horrible, for
  example:

    int func() {
        LIST_HEAD(foo);
        ...
    }

  the more readable is:

    int func() {
        struct list_head foo;
        INIT_LIST_HEAD(&foo);
        ...
    }

* the name LIST_HEAD conflicts with /usr/include/sys/queue.h
* we use it only in two places in sulogin
Signed-off-by: Karel Zak <kzak@redhat.com>
Use consistent terminology for set-user-ID and set-group-ID bits.
There's much inconsistency in the pages. "suid",
"set-user-identifier", "setuid". Stick with one terminology,
"set-user-ID" and set-group-ID, as suggested in man-pages(7).
Signed-off-by: <mtk.man-pages@gmail.com>
In the majority of pages, pathnames are formatted as Italic,
which is the norm. However, there are several cases where they
are formatted as bold. This patch fixes a number of those
exceptions.
Signed-off-by: Michael Kerrisk <mtk.man-pages@gmail.com>
If timeout happens while waiting in prompt, bail out instead
of retrying.
Reported-by: Bjørn Mork <bjorn@mork.no>
Addresses: http://bugs.debian.org/846107
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
This makes the caller bail out early instead of evaluating the
input as a password.
Reported-by: Bjørn Mork <bjorn@mork.no>
Addresses: http://bugs.debian.org/846112
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Now the build will fail on many non-Linux systems because
utmpx.h is available everywhere but we still use non-POSIX
features. We'll fix this next commit.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
This include was removed in a365953a but we will need it again
when we move from utmp.h to utmpx.h.
On Linux (glibc, musl) the struct lastlog is defined in utmp.h
and lastlog.h just includes utmp.h.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Conflicts:
login-utils/login.c
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
strlen() is not smarter than strncpy(). Bytes that follow a null byte
are not compared anyway.
BTW avoid using the defined sizes.
CC: Ondrej Oprala <ooprala@redhat.com>
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
_HAVE_UT_TV is glibc only. Moreover we want to move to utmpx where
timeval is standard.
Now utmp/subsecond (1173d0a6) should work on all supported systems.
CC: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Most pages in util-linux follow the standard convention
of formatting page cross references in bold. Fix the
few exceptions that use italic.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This patch does only the following:
* Order SEE ALSO entries first by section name, then alphabetically
within section
* Adds one or two missing commas in SEE ALSO lists
* Removes one or two periods that were (inconsistently) used
at the end of SEE ALSO lists.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This patch adds a libseccomp-based syscall filter to disable the TIOCSTI
ioctl in su/runuser children.
IMHO it is not an elegant solution due to the dependence on libseccomp
(--without-seccomp if you hate it)... but there is nothing better for now.
Addresses: CVE-2016-2779
Signed-off-by: Karel Zak <kzak@redhat.com>
.. and add notes about differences between the utils.
Reported-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
The if clause change is pretty trivial. Moving the macro near to where it
is used makes sense to people who want to read the code. And finally the
comment about user list was at wrong spot.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
* 'write-improvements' of git://github.com/kerolasa/lelux-utiliteetit:
lib: try to find tty in get_terminal_name()
write: stop removing and adding /dev/ in front of tty string
write: tell when effective gid and tty path group mismatch
write: improve coding style
write: remove PUTC macro
write: make timestamp to be obviously just a clock time
write: remove unnecessary utmp variables
write: improve function and variable names
write: add control structure to clarify what is going on
write: run atexit() checks at the end of execution
write: use xstrncpy() from strutils.h
write: set atime value in term_chk() only when needed
write: remove pointless fileno(3) calls
write: get rid of function prototypes
write: remove unused variable
This change fixes compiler option -Werror=nonnull option warning:
login-utils/sulogin-consoles.c: In function 'append_console':
login-utils/sulogin-consoles.c:324:14: warning: nonnull argument 'consoles'
compared to NULL [-Wnonnull-compare]
The NULL check done with list_empty() looks valid, so it is best to remove
the function attribute that allows compiler to optimize the check away.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Try all standard terminal input/output file descriptors when finding tty
name in get_terminal_name(). This should make all invocations of the
function as robust as they can get.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Tell that the old textual format does not use full utmp time precision,
and has issues with timezones. Warn also that the textual format may become
incompatible, although there are no plans in the foreseeable future to do so.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Newer 'struct utmp' is using 'struct timeval' to represent login and logout
times, so include the maximum accuracy to textual utmp format. Notice that
this change does not remove support of converting earlier textual formats
back to binary. But conversions from binary to former format will no longer
be available.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Converting a time structure from text format that has timezone markup is
practically impossible. See reference links for more information. This
leads to situation where multiple utmpdump(1) conversions from binary to
text and back make timestamps to shift amount of timezone offset to UTC-0.
The easiest way to make multiple conversions to work without timeshifts is
to always use UTC-0 timezone. Downside of this approach is that the textual
format is less human readable than local timestamps would be.
Reference: http://www.catb.org/esr/time-programming/#_strptime_3_and_getdate_3
Reference: http://man7.org/linux/man-pages/man3/strptime.3.html
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
* selinux/av_permissions.h and magic constants are deprecated, the
recommended solution is to use string_to_security_class() and
string_to_av_perm() to get access vector
* it also seems that selinux_check_passwd_access() does exactly the
same as our checkAccess(), let's use it.
Signed-off-by: Karel Zak <kzak@redhat.com>
Fix various typos in error messages, warnings, debug strings,
comments and names of static functions.
Signed-off-by: Sebastian Rasmussen <sebras@gmail.com>
The plymouth support depends on Linux specific SOCK_* flags and all
the feature is probably unnecessary in some cases (non-plymouth
distros, etc.)
Signed-off-by: Karel Zak <kzak@redhat.com>
- describe difference between login and logout time formats in struct last_timefmt
- use strtime_iso()
- rename LAST_TIMEFTM_SHORT_CTIME to LAST_TIMEFTM_SHORT
- rename LAST_TIMEFTM_FULL_CTIME to LAST_TIMEFTM_CTIME
- add LAST_TIMEFTM_HHMM for internal purpose (logout format for "--time-format short")
Signed-off-by: Karel Zak <kzak@redhat.com>
for stopping plymouthd. That does not depend on the existence of
the plymouth binary if it e.g. becomes uninstalled or another
service is providing plymouthd facilities.
[kzak@redhat.com: - fix compiler warnings [-Wpointer-sign]
- use sizeof() for write_all()
- cast to char* for read_all]
Signed-off-by: Werner Fink <werner@suse.de>
Signed-off-by: Karel Zak <kzak@redhat.com>
The close at exit specifier "e" is a glibc extension, so use it only when
the extension is available.
Proposed-by: Ruediger Meier <sweet_f_a@gmx.de>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
If the root account is locked and no password was provided then the terminal
line is not set back to do echo of the input. This corrects a small oversight
in commit 7ff1162e67
Signed-off-by: Werner Fink <werner@suse.de>
This happens on Debian kFreeBSD and probably on Hurd too since
cde7699c. One should review this issue to fix it properly.
CC: Werner Fink <werner@suse.de>
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Commit 11b86e1733 changed printf() to puts() in favour of more simple
function, but forgot that puts() adds a new line to end of string. That new
line is neither needed nor expected, so use fputs() that is both a simple
printing function and comes without new line side effect.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
clang warning:
libmount/src/tab.c:1833:6: warning: variable 'rc' is used uninitialized whenever
'if' condition is true [-Wsometimes-uninitialized]
if (!mpc)
^~~~
icc printf warnings:
libmount/src/monitor.c(348): warning #2279: printf/scanf format not a string literal and no format arguments
DBG(MONITOR, ul_debugobj(mn, status == 1 ? " success" : " nothing"));
^
login-utils/vipw.c(348): warning #2279: printf/scanf format not a string literal and no format arguments
: _("You are using shadow passwords on this system.\n"));
^
icc enum warnings:
disk-utils/fdisk-menu.c(150): warning #188: enumerated type mixed with another type
.exclude = FDISK_DISKLABEL_GPT | FDISK_DISKLABEL_BSD,
^
libsmartcols/src/table_print.c(750): warning #188: enumerated type mixed with another type
&width, align,
^
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
The file is not portable (#ifdef HAVE_SYS_SYSMACROS_H is necessary),
but needed in many places. It seems better to keep it in c.h.
Signed-off-by: Karel Zak <kzak@redhat.com>
BSD/Linux systems stick major/minor/makedev in sysmacros.h. Newer Linux
libraries have been moving away from including sysmacros.h implicitly via
sys/types.h, so include it directly.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This include was added just one month ago in 5a971329 but I don't see
what it was good for. It's missing in musl libc.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
We were missing our nice compiler warnings for many programs
and libs. See the next commits for how many trivial and non-trivial
warnings have to be fixed.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
This was a major showstopper when building on a system where
LTLIBINTL libs are needed (e.g. OSX). Maybe there are a few test
programs which wouldn't need LDADD ... never mind.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
__P() is used for compatibility with old K&R C compilers. With
ANSI C this macro has no effect.
This fixes a compilation error with musl libc because of undeclared
__P.
Ref:
https://lists.samba.org/archive/samba-technical/2015-June/108042.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
This patch does not change any su/runuser behaviour, code changes:
* don't use huge groups[NGROUPS_MAX]; the array has 256k, but we need
it only occasionally when -G/-g specified.
* the current code uses groups[0] for -g and the rest for -G, this patch adds
'gid' to remember -g argument to avoid memmove()
* add function add_supp_group() to simplify su_main()
* add note about -G and -g relation to the man pages (undocumented now)
Signed-off-by: Karel Zak <kzak@redhat.com>
This small patch improves the console detection code and also avoids
non-existent device nodes due to strdup() which is used in canonicalize_path().
Besides this, the code for emergency mount now works if enabled at
configure time.
Signed-off-by: Werner Fink <werner@suse.de>
on ppc64:

    $ lslogins kzak
    $ lslogins: cannot allocate 85899345920 bytes: Cannot allocate memory

because

    (int *) len

where len is a pointer to size_t is a bad idea...
Signed-off-by: Karel Zak <kzak@redhat.com>
sysconf(_SC_GETPW_R_SIZE_MAX) returns initial suggested size for pwd
buffer (see getpwnam_r man page or POSIX). This is not large enough in
some cases.
Yes, this sysconf option is misnamed (should be _SC_GETPW_R_SIZE_MIN).
Signed-off-by: Karel Zak <kzak@redhat.com>
This makes silly practical jokes impossible, like for example symlinking
/dev/null or /dev/random to /etc/nologin.txt
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The utils when compiled WITHOUT libuser then mkostemp()ing
"/etc/%s.XXXXXX" where the filename prefix is argv[0] basename.
An attacker could repeatedly execute the util with modified argv[0]
and after many many attempts mkostemp() may generate suffix which
makes sense. The result may be a temporary file with a name like rc.status,
ld.so.preload or krb5.keytab, etc.
Note that distros usually use libuser based ch{sh,fn} or stuff from
shadow-utils.
It's probably very minor security bug.
Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>
The last/lastb(1) from sysvinit has been around for about two years,
and the better implementation is already part of releases 2.24 to 2.26.
It should be safe to remove the unused last code from the source tree.
Reference: ce60272039
Signed-off-by: Sami Kerola <sami.kerola@lastminute.com>
Some installations and distributions don't use a root account password
for security reasons and use sudo instead. In that case, asking for the
password makes no sense, and it is not even considered as valid as it's just
"*" or "!".
In these cases --force is required to just start a root shell and not
ask for a password.
I don't think it's a good idea to automatically start root shell when
locked account is detected. It's possible that the machine is on
public place and for example Ubuntu uses root account disabled by
default (and also Fedora when installed by yum/dnf without anaconda).
The --force option forces admins to think about it...
The distro maintainers can also use --force in their initscripts or
systemd emergency.service if they believe that promiscuous setting is
the right thing for the distro.
Addresses: https://bugs.debian.org/326678
Signed-off-by: Karel Zak <kzak@redhat.com>
The getline function distinguishes between the allocated and read
lengths, and we should not mix them up, as we might end up processing
junk.
Signed-off-by: Guillem Jover <guillem@hadrons.org>
* according to "man getpwnam" 16384 bytes is enough to store one
passwd entry (let's use 2*BUFSIZE to avoid magic numbers in code)
* don't use strcpy() to set empty password
Signed-off-by: Karel Zak <kzak@redhat.com>
It is just luck if two time() calls happen within the same
second. Introduced in 31d28e09.
Actually I don't like adding another global variable but this
way we avoid bigger refactoring. IMO it's questionable why
lastdate, lastdown, etc. are initialized with current time() at
all. It looks unsafe to print "still running" always when
logout_time = now.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
last(1) uses a global list of entries, this is unnecessary and it's
also a mistake because the pointer to the list is not set to NULL when
last(1) opens another utmp file. For example:
last -f /var/log/wtmp -f /var/log/wtmp-20150220
ends with unexpected free() call or sometimes with never ending loop.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1201033
Signed-off-by: Karel Zak <kzak@redhat.com>
* check for timer_create()
* define dependence on timer_create() for flock
* rename CLOCKGETTIME_LIBS to REALTIME_LIBS
Signed-off-by: Karel Zak <kzak@redhat.com>
As said in include/c.h the usleep() is marked as obsolete, so do the same
that most of the other util-linux calls do with this interface.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The message "stat failed %s" seems to say that stat() failed to
do something, or failed to pass a test, but of course it means
that the statting of something failed. So say so. Also make
two very similar messages equal to this one.
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
Transform some of them into copyright lines.
Also fix three header lines and snip some trailing whitespace.
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
This change fixes all shadow declarations. The worth while to mention
fix is with libfdisk sun geometry. It comes from bitops.h cpu_to_be16
macro that further expands from include/bits/byteswap.h that has the
shadowing.
libfdisk/src/sun.c:961:173: warning: declaration of '__v' shadows a previous local [-Wshadow]
libfdisk/src/sun.c:961:69: warning: shadowed declaration is here [-Wshadow]
libfdisk/src/sun.c:961:178: warning: declaration of '__x' shadows a previous local [-Wshadow]
libfdisk/src/sun.c:961:74: warning: shadowed declaration is here [-Wshadow]
That could have caused earlier some unexpected results.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This adds a concise description of a tool to its usage text.
A first form of this patch was proposed by Steven Honeyman
(see http://www.spinics.net/lists/util-linux-ng/msg09994.html).
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
The 'if' clauses that have termination as either of the control flow
results will never need 'else'. Making the termination to happen true
flow is enough.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Shell null check is redundant. The shell can be null only after
ask_new_shell returned such, and that is checked earlier in program
logic.
Secondly the check_shell does not need to return values, in such cases
the program can simply exit.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Rename prompt() to ask_new_shell(). Remove fixed size buffer and
allocate path to new shell, that should make Hurd people happy. Use
strutils.h for white space trimming.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Earlier setting a /bin/sh was impossible for users that had nothing set
as shell, as that was seen as no change.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Use of fgets() can make a single long line to be understood as two
entries, and someone could play tricks with the remainder part of the
buffer.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
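
The fgets() line-splitting problem from the commit message above, next to a getline() reader that uses the returned read length rather than the allocated size (the point of the earlier getline commit on this page). This is an added example, not the chsh code; the function names, the 16-byte buffer and the sample file contents are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define SMALL_BUF 16	/* stand-in for a fixed-size line buffer */

/*
 * Constructed sample of a shells-style file: one real entry and one
 * comment line that is longer than SMALL_BUF - 1 characters.
 */
static char sample[] =
	"/bin/sh\n"
	"#comment-paddin" "/bin/zsh\n";

static FILE *open_sample(void)
{
	return fmemopen(sample, sizeof(sample) - 1, "r");
}

/*
 * Before: fixed buffer and fgets(). A line longer than the buffer comes
 * back in pieces and every piece is compared as if it were a whole entry.
 */
static int listed_fgets(FILE *f, const char *shell)
{
	char buf[SMALL_BUF];

	rewind(f);
	while (fgets(buf, sizeof(buf), f)) {
		buf[strcspn(buf, "\n")] = '\0';
		if (strcmp(buf, shell) == 0)
			return 1;
	}
	return 0;
}

/*
 * After: getline() always returns the whole line. 'cap' is the allocated
 * size of the buffer, 'len' is the number of bytes actually read; only
 * 'len' says where the data ends.
 */
static int listed_getline(FILE *f, const char *shell)
{
	char *line = NULL;
	size_t cap = 0;
	ssize_t len;
	int found = 0;

	rewind(f);
	while ((len = getline(&line, &cap, f)) != -1) {
		if (len > 0 && line[len - 1] == '\n')
			line[--len] = '\0';
		/* an embedded NUL makes strlen() shorter than len: skip it */
		if (strlen(line) != (size_t) len)
			continue;
		if (strcmp(line, shell) == 0) {
			found = 1;
			break;
		}
	}
	free(line);
	return found;
}

int main(void)
{
	FILE *f = open_sample();

	if (!f)
		return 1;
	printf("fgets:   /bin/zsh listed = %d\n", listed_fgets(f, "/bin/zsh"));
	printf("getline: /bin/zsh listed = %d\n", listed_getline(f, "/bin/zsh"));
	fclose(f);
	return 0;
}
```
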
The add_missing() and find_field() functions are needed when input data
is incomplete, such as in case when chfn is instructed to change only
selected fields with command line options.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This change is a little bit messy, and requires a comment: the struct
finfo should not have 'struct passwd *pw' as its member. The earlier
struct design would have been a burden to maintain, and confusing to use.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Commit db433bf737 changed -u for --help to
-h, that is not true. The -h is short hand for --home-phone. And the
--version is accompanied with -v not -V.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The left and right white space trimming can be done with strutils.h
[lr]trim_whitespace() functions.
As a minor fix when user input exceeds maximum allowed gecos field length
the remaining characters in stdin are purged so that re-prompting works
correctly.
Additionally the prompt() is made to add message to check_gecos_string(),
so that there are less similar strings for translation project to deal.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This commit changes journal messages in individual user printout the
following way.
Dec 13 16:02:05 systemd[324]:Time has been changed (old)
Dec 13 16:02:05 systemd[324]: Time has been changed (new)
Signed-off-by: Sami Kerola <kerolasa@iki.fi>