diff options
| author |   Lars Wendler <polynomial-c@gentoo.org> | 2017-03-13 13:36:50 +0100 |
|---|---|---|
| committer | Lars Wendler <polynomial-c@gentoo.org> | 2017-03-13 13:38:29 +0100 |
| commit | 4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03 (patch) | |
| tree | e9e85889471e3731c44ccedcd2fd59eacc115cc6 /sys-apps/shadow/files | |
| parent | dev-util/cmake: backport x32 support patches from upstream for testing (diff) | |
| download | gentoo-4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03.tar.gz gentoo-4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03.tar.bz2 gentoo-4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03.zip | |
sys-apps/shadow: Security cleanup (bug #610804).
Package-Manager: Portage-2.3.4, Repoman-2.3.2
Diffstat (limited to 'sys-apps/shadow/files')
| -rw-r--r-- | sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch | 41 | ||||
| -rw-r--r-- | sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch | 76 |
2 files changed, 0 insertions, 117 deletions
diff --git a/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch b/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch deleted file mode 100644 index f067caab204d..000000000000 --- a/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001 -From: James Le Cuirot <chewi@aura-online.co.uk> -Date: Sat, 23 Aug 2014 09:46:39 +0100 -Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF - -This built-in check is simpler than the previous method and, most -importantly, works when cross-compiling. - -Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> ---- - configure.in | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - -diff --git a/configure.in b/configure.in -index 1a3f841..4a4d6d0 100644 ---- a/configure.in -+++ b/configure.in -@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then - dnl - dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc - dnl -- AC_RUN_IFELSE([AC_LANG_SOURCE([ --#include <sys/types.h> --int main(void) { -- uid_t u; -- gid_t g; -- return (sizeof u < 4) || (sizeof g < 4); --} -- ])], [id32bit="yes"], [id32bit="no"]) -- -- if test "x$id32bit" = "xyes"; then -+ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"]) -+ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"]) -+ -+ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then - AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.]) - enable_subids="yes" - else --- -2.3.6 - diff --git a/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch b/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch deleted file mode 100644 index 340424eb12e3..000000000000 --- a/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch +++ /dev/null @@ -1,76 +0,0 @@ -From: Hank Leininger <hlein@korelogic.com> -Date: Mon, 6 Apr 2015 08:22:48 -0500 -Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not - like the user/group ownership of their target process. - -Currently the error is just: - -newuidmap: Target [pid] is owned by a different user - -With this patch it will be like: - -newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99 - -Why is this useful? Well, in my case... - -The grsecurity kernel-hardening patch includes an option to make parts -of /proc unreadable, such as /proc/pid/ dirs for processes not owned by -the current uid. This comes with an option to make /proc/pid/ -directories readable by a specific gid; sysadmins and the like are then -put into that group so they can see a full 'ps'. - -This means that the check in new[ug]idmap fails, as in the above quoted -error - /proc/[targetpid] is owned by root, but the group is 99 so that -users in group 99 can see the process. - -Some Googling finds dozens of people hitting this problem, but not -*knowing* that they have hit this problem, because the errors and -circumstances are non-obvious. - -Some graceful way of handling this and not failing, will be next ;) But -in the meantime it'd be nice to have new[ug]idmap emit a more useful -error, so that it's easier to troubleshoot. - -Thanks! - -Signed-off-by: Hank Leininger <hlein@korelogic.com> -Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> ---- - src/newgidmap.c | 6 ++++-- - src/newuidmap.c | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/newgidmap.c b/src/newgidmap.c -index a532b45..451c6a6 100644 ---- a/src/newgidmap.c -+++ b/src/newgidmap.c -@@ -161,8 +161,10 @@ int main(int argc, char **argv) - (getgid() != pw->pw_gid) || - (pw->pw_uid != st.st_uid) || - (pw->pw_gid != st.st_gid)) { -- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), -- Prog, target); -+ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), -+ Prog, target, -+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, -+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); - return EXIT_FAILURE; - } - -diff --git a/src/newuidmap.c b/src/newuidmap.c -index 5150078..9c8bc1b 100644 ---- a/src/newuidmap.c -+++ b/src/newuidmap.c -@@ -161,8 +161,10 @@ int main(int argc, char **argv) - (getgid() != pw->pw_gid) || - (pw->pw_uid != st.st_uid) || - (pw->pw_gid != st.st_gid)) { -- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), -- Prog, target); -+ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), -+ Prog, target, -+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, -+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); - return EXIT_FAILURE; - } - |