Debian Bug report logs - #472575
/usr/bin/passwd needs patch for better SE Linux support


Package: passwd; Maintainer for passwd is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for passwd is src:shadow.

Reported by: Russell Coker <russell@coker.com.au>

Date: Mon, 24 Mar 2008 23:54:02 UTC

Severity: normal

Found in version shadow/1:4.0.18.1-7

Fixed in version shadow/1:4.1.1-1

Done: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#472575; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/passwd needs patch for better SE Linux support
Date: Tue, 25 Mar 2008 10:51:54 +1100

Package: passwd
Version: 1:4.0.18.1-7
Severity: normal

The following patch makes the SE Linux tests more strict, when the real UID
(the return value of getuid()) is 0 SE Linux checks will be performed.

With this patch if you are running the Strict SE Linux policy a shell user
who gains UID==0 (EG by exploiting a SUID root binary) can't change the root
password.  With SE Linux Strict policy a user who has UID==0 and the role
user_r can do little damage to the system.

I'll send a patch for unstable shortly (this patch may work with unstable
but I haven't had a chance to test it).

diff -ru shadow-4.0.18.1.org/src/passwd.c shadow-4.0.18.1/src/passwd.c
--- shadow-4.0.18.1.org/src/passwd.c	2006-07-29 03:40:15.000000000 +1000
+++ shadow-4.0.18.1/src/passwd.c	2008-03-24 23:11:01.000000000 +1100
@@ -40,7 +40,9 @@
 #include <sys/types.h>
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
+#include <selinux/flask.h>
 #include <selinux/av_permissions.h>
+#include <selinux/context.h>
 #endif
 #include <time.h>
 #include "defines.h"
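Review bot: Nothing in the include block shows <string.h> or <syslog.h>, yet the code added later in this patch calls strcmp(), strdup() and syslog(). Confirm they arrive through defines.h or another existing include, or add them explicitly next to the new SELinux headers so the build does not depend on implicit declarations.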
@@ -567,6 +569,49 @@
 	return val;
 }
 
+#ifdef WITH_SELINUX
+int
+check_selinux_access(const char *change_user, int change_uid, unsigned int access)
+{
+	int status = -1;
+	security_context_t user_context;
+	const char *user;
+
+	/* if in permissive mode then allow the operation */
+	if (security_getenforce() == 0)
+		return 0;
+
+	/* get the context of the process which executed passwd */
+	if (getprevcon(&user_context))
+		return -1;
+
+	/* get the "user" portion of the context (the part before the first
+	   colon) */
+	context_t c;
+	c = context_new(user_context);
+	user = context_user_get(c);
+
+	/* if changing a password for an account with UID==0 or for an account
+	   where the identity matches then return success */
+	if (change_uid != 0 && strcmp(change_user, user) == 0) {
+		status = 0;
+	} else {
+		struct av_decision avd;
+		int retval;
+		retval = security_compute_av(user_context, user_context,
+				SECCLASS_PASSWD, access, &avd);
+		if ((retval == 0) &&
+    			((access & avd.allowed) == access)) {
+			status = 0;
+		}
+	}
+	context_free(c);
+	freecon(user_context);
+	return status;
+}
+
+#endif
+
 /*
  * passwd - change a user's password file information
  *
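Review bot: The comment above the shortcut in check_selinux_access() contradicts the condition it documents: it says success is returned "for an account with UID==0 or for an account where the identity matches", but the test is `change_uid != 0 && strcmp(change_user, user) == 0`, which only short-circuits for a non-zero UID whose name equals the SELinux identity. The code matches the stated goal of the report (UID 0 targets always go through security_compute_av), so the comment is what needs rewording. Separately, the results of context_new() and context_user_get() are used unchecked, so a NULL from either reaches strcmp(); return -1 after freecon(user_context) in that case. The function is only used in this file and could be static, and `context_t c;` is declared after statements while the other locals sit at the top of the block.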
@@ -792,21 +837,32 @@
 		exit (E_NOPERM);
 	}
 #ifdef WITH_SELINUX
-	/*
-	 * If the UID of the user does not match the current real UID,
-	 * check if the change is allowed by SELinux policy.
-	 */
-	if ((pw->pw_uid != getuid ())
-	    && (is_selinux_enabled () > 0 ?
-		(selinux_check_passwd_access (PASSWD__PASSWD) != 0) :
-		!amroot)) {
-#else
+	/* only do this check when getuid()==0 because it's a pre-condition for
+	   changing a password without entering the old one */
+	if ((is_selinux_enabled() > 0) && (getuid() == 0) &&
+	  (check_selinux_access(name, pw->pw_uid, PASSWD__PASSWD) != 0))
+	{
+		security_context_t user_context;
+		if (getprevcon(&user_context) < 0) {
+			user_context = strdup("Unknown user context");
+		}
+		syslog(LOG_ALERT,
+		"%s is not authorized to change the password of %s",
+		user_context, name);
+		fprintf(stderr, _("%s: %s is not authorized to change the "
+			"password of %s\n"),
+		Prog, user_context, name);
+		freecon(user_context);
+		exit(1);
+	}
+
+#endif
+
 	/*
 	 * If the UID of the user does not match the current real UID,
 	 * check if I'm root.
 	 */
 	if (!amroot && pw->pw_uid != getuid ()) {
-#endif
 		fprintf (stderr,
 			 _
 			 ("%s: You may not view or modify password information for %s.\n"),
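Review bot: In the denial branch the getprevcon() fallback assigns `strdup("Unknown user context")` without a NULL check, and that pointer is then handed to `%s` in both syslog() and fprintf() and finally to freecon(). Use a string literal for the fallback text and call freecon() only on a context that getprevcon() actually returned. The branch also ends with a bare `exit(1)` while the context line at the top of the hunk uses `exit (E_NOPERM)`; the named code would keep the exit statuses consistent. It is also worth saying in the new comment that, with the old `#else` arm gone, a caller whose real UID is not 0 is no longer subject to any SELinux check here and is covered only by the `!amroot && pw->pw_uid != getuid ()` test that follows.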

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages passwd depends on:
ii  debianutils            2.17              Miscellaneous utilities specific t
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libpam-modules         0.79-5            Pluggable Authentication Modules f
ii  libpam0g               0.79-5            Pluggable Authentication Modules l
ii  libselinux1            2.0.15-2.etch1    SELinux shared libraries
ii  login                  1:4.0.18.1-7.1    system login tools

passwd recommends no packages.

-- debconf information excluded
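
A log-triage sketch for the alert the patch writes with syslog(LOG_ALERT, ...), added here as an example; it is not part of the original report or of shadow. The message text and the "Unknown user context" fallback come from the patch; the syslog line layout, the `passwd` tag, the severity labels, the `admin_roles` and `uid0_accounts` defaults and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Message format taken from the patch's syslog(LOG_ALERT, ...) call:
#   "%s is not authorized to change the password of %s"  (caller context, account)
DENIAL_RE = re.compile(
    r"(?P<context>\S.*?) is not authorized to change the password of "
    r"(?P<account>\S+)\s*$"
)


class Denial(NamedTuple):
    se_user: Optional[str]   # None when the context could not be parsed
    role: Optional[str]
    domain: Optional[str]
    account: str             # account whose password change was refused
    raw_context: str


def parse_denial(line: str, tag: str = "passwd") -> Optional[Denial]:
    """Parse one syslog line; return None unless it is a passwd denial."""
    # Assumption: classic "<timestamp> <host> <tag>[pid]: <message>" layout.
    header = re.search(r"\s%s(?:\[\d+\])?: " % re.escape(tag), line)
    if header is None:
        return None
    m = DENIAL_RE.match(line[header.end():])
    if m is None:
        return None
    raw = m.group("context")
    # An SELinux context is user:role:type with an optional :level suffix.
    # The patch logs "Unknown user context" when getprevcon() fails; that
    # string has no colons, so the parsed fields stay None.
    parts = raw.split(":", 3)
    if len(parts) >= 3 and all(parts[:3]):
        se_user, role, domain = parts[:3]
    else:
        se_user = role = domain = None
    return Denial(se_user, role, domain, m.group("account"), raw)


def triage(lines: Iterable[str],
           uid0_accounts: Tuple[str, ...] = ("root",),
           admin_roles: Tuple[str, ...] = ("sysadm_r",)
           ) -> List[Tuple[str, Denial]]:
    """Label each denial. Every such line already implies a caller with real
    UID 0 on an enforcing system that policy refused (see the patched check).
    Labels are this example's own convention, not SELinux terminology."""
    results = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if d.role in admin_roles:
            # The thread says admin password changes are done from sysadm_r,
            # so a refusal there points at policy rather than at an intruder.
            severity = "policy-check"
        elif d.account in uid0_accounts:
            # UID 0 outside the admin role going after a UID 0 account:
            # the scenario the report describes.
            severity = "critical"
        else:
            severity = "high"
        results.append((severity, d))
    return results


def repeated_attempts(results: List[Tuple[str, Denial]]) -> Counter:
    """Count denials per (caller context, target account) pair."""
    return Counter((d.raw_context, d.account) for _, d in results)


# Constructed sample input, not taken from a real system.
SAMPLE_LOG = """\
Mar 25 10:51:54 host1 passwd[2101]: user_u:user_r:user_t is not authorized to change the password of root
Mar 25 10:52:10 host1 sshd[2150]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar 25 10:53:02 host1 passwd[2177]: staff_u:sysadm_r:sysadm_t:s0 is not authorized to change the password of bob
Mar 25 10:54:40 host1 passwd[2190]: Unknown user context is not authorized to change the password of alice
Mar 25 10:55:00 host1 passwd[2195]: user_u:user_r:user_t is not authorized to change the password of root
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for severity, denial in found:
        print(severity, denial.raw_context, "->", denial.account)
    for (ctx, account), n in repeated_attempts(found).items():
        if n > 1:
            print("repeated:", n, "denials for", ctx, "->", account)
```

Accounts other than root that also have UID 0 are only recognised if their names are passed in `uid0_accounts`, because the alert carries the account name and not its UID.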





Message #10 received at 472575@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Russell Coker <russell@coker.com.au>, 472575@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Tue, 25 Mar 2008 11:03:37 +0100

On Tue, Mar 25, 2008 at 10:51:54AM +1100, russell@coker.com.au wrote:
> 
> The following patch makes the SE Linux tests more strict, when the real UID
> (the return value of getuid()) is 0 SE Linux checks will be performed.
> 
> With this patch if you are running the Strict SE Linux policy a shell user
> who gains UID==0 (EG by exploiting a SUID root binary) can't change the root
> password.  With SE Linux Strict policy a user who has UID==0 and the role
> user_r can do little damage to the system.

Thanks for the patch. I will commit it for 4.1.1.

> I'll send a patch for unstable shortly (this patch may work with unstable
> but I haven't had a chance to test it).

That is not necessary. The patch is clear, and I will port it to 4.1.1.

Is this something that should be also applied to the other tools of the
shadow toolsuite?

(usermod, userdel, newusers, chpasswd could all be used to change the
user's password; chage, or chfn could also do some harm by locking the
account, the password or some logins (but I don't know if root would be
affected))

Just to understand a bit more SE Linux, why don't you want to protect against
changes to non-root accounts?
(If I understand correctly, an extra command is needed to get the user_r
role, and you don't want to force admins to use this command for every
change, only the ones which may endanger the system. Is that right?)

Best Regards,
-- 
Nekral





Message #15 received at 472575@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: 472575@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Tue, 25 Mar 2008 22:46:49 +1100

On Tuesday 25 March 2008 21:03, Nicolas François 
<nicolas.francois@centraliens.net> wrote:
> > I'll send a patch for unstable shortly (this patch may work with unstable
> > but I haven't had a chance to test it).
>
> That is not necessary. The patch is clear, and I will port it to 4.1.1.

Thanks!  I won't be able to test it for some days however due to the lack of 
2.4.24 Xen kernel support in Debian.  The Etch kernel has an older version of 
the SE Linux code and doesn't work properly with Unstable SE Linux.

> Is this something that should be also applied to the other tools of the
> shadow toolsuite?

Yes, something similar (but not quite the same) needs to be applied to chfn 
and chsh.

> (usermod, userdel, newusers, chpasswd could all be used to change the
> user's password; chage, or chfn could also do some harm by locking the
> account, the password or some logins (but I don't know if root would be
> affected))

usermod, userdel, newusers, and chpasswd are (or at least should be) already 
covered.  There is a separate domain for sys-admin password manipulation 
programs which can only be entered by the sys-admin.

The difficulty comes when one program is used by an unprivileged user to 
change their own password and also by the sys-admin.  It would make sense to 
me to have two versions of passwd and crontab to avoid this confusion, but 
it's probably decades too late to revise this decision.

> Just to understand a bit more SE Linux, why don't you want to protect
> against changes to non-root accounts?

There is already code to validate the non-root user's password before changing 
it.  That is sufficient.

The idea is that to change a password you must know the old password or have 
suitable sys-admin rights.

> (If I understand correctly, an extra command is needed to get the user_r
> role, and you don't want to force admins to use this command for every
> change, only the ones which may endanger the system. Is that right?)

Changing other user's password will be done from sysadm_r and it requires no 
special effort once you are logged in with that role.  In some configurations 
you can't login directly as sysadm_r in which case you need to use 
the "newrole" program first (in a similar way to logging in as non-root and 
running "su -" before sys-admin work).






Message #20 received at 472575@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 472575@bugs.debian.org
Cc: Russell Coker <russell@coker.com.au>
Subject: Re: [Pkg-shadow-devel] Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Tue, 25 Mar 2008 18:08:41 +0100
Quoting Nicolas François (nicolas.francois@centraliens.net):

> > password.  With SE Linux Strict policy a user who has UID==0 and the role
> > user_r can do little damage to the system.
> 
> Thanks for the patch. I will commit it for 4.1.1.


Is there any need to discuss this with other distros?

(context for Russell: we are now upstream for shadow so we do our best
to sync our improvements with other vendors who use it...."we"==mostly
Nicolas François and a very little part of /me)



Message #25 received at 472575@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Christian Perrier <bubulle@debian.org>
Cc: 472575@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Wed, 26 Mar 2008 08:09:41 +1100

On Wednesday 26 March 2008 04:08, Christian Perrier <bubulle@debian.org> 
wrote:
> Quoting Nicolas François (nicolas.francois@centraliens.net):
> > > password.  With SE Linux Strict policy a user who has UID==0 and the
> > > role user_r can do little damage to the system.
> >
> > Thanks for the patch. I will commit it for 4.1.1.
>
> Is there any need to discuss this with other distros?

Which other distros are you referring to?  Red Hat appears to use a different 
source base for passwd (and in any case a large part of my patch was copied 
from their code).  Who else has SE Linux support?

> (context for Russell: we are now upstream for shadow so we do our best
> to sync our improvements with other vendors who use it...."we"==mostly
> Nicolas François and a very little part of /me)

For distros using SE Linux my patch will never cause any problems (if the 
previous code worked) and will stop some cases where machines can get owned.





Message #30 received at 472575@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Russell Coker <russell@coker.com.au>
Cc: 472575@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Tue, 25 Mar 2008 22:41:52 +0100
Quoting Russell Coker (russell@coker.com.au):

> Which other distros are you referring to?  Red Hat appears to use a different 

None specific. Gentoo uses "our" shadow but I have no idea whether
they have SE Linux support.

I suspect that Fedora will probably resync at some moment with shadow
upstream (if not already done) and maybe Redhat will as well.

However, I'm mostly ignorant when it comes at what/who/whatever about
SELinux....so just wanted to play the Candide role here
(not sure if you guys use that expression in English.....Candide being
a character from Voltaire).



-- 




Message #35 received at 472575@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: russell@coker.com.au, 472575@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#472575: Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Tue, 25 Mar 2008 23:49:54 +0100

Hello,

You also mentioned a dependency on the kernel, is there a need for
a versioned dependency on libselinux1-dev with your patch?


The remainder of the mail is not directly related to your patch, but is
still related to SE Linux support in shadow.

On Wed, Mar 26, 2008 at 08:09:41AM +1100, russell@coker.com.au wrote:
> On Wednesday 26 March 2008 04:08, Christian Perrier <bubulle@debian.org> 
> wrote:
> > Quoting Nicolas François (nicolas.francois@centraliens.net):
> > > > password.  With SE Linux Strict policy a user who has UID==0 and the
> > > > role user_r can do little damage to the system.
> > >
> > > Thanks for the patch. I will commit it for 4.1.1.
> >
> > Is there any need to discuss this with other distros?
> 
> Which other distros are you referring to?  Red Hat appears to use a different 
> source base for passwd (and in any case a large part of my patch was copied 
> from their code).  Who else has SE Linux support?

I merged a lot of patches from Fedora to upstream. Some patches remain,
like shadow-4.1.0-selinux.patch. But Fedora should basically use the same
source for shadow. However, Fedora does not install passwd from the
shadow sources but from another source package.

From my understanding, shadow-4.1.0-selinux.patch permits to define the
SE Linux user used to create, move, delete files in useradd, usermod,
userdel (file context?). It uses semanage, genhomedircon, restorecon.

Maybe this is not useful in Debian because useradd, usermod, and userdel
are compiled with PAM support and pam_selinux may provide the same
support.

From the above, it may be obvious (or not, eh, I don't even know!) that I
don't really understand SE Linux and even less the tools and APIs used for
SE Linux.

I would like to review the WITH_SELINUX parts of shadow for a later
release, because I fear it is not really consistent from one tool to
another.

Russell, if you think I should also apply shadow-4.1.0-selinux.patch
upstream, I will apply it blindly.

Best Regards,
-- 
Nekral





Message #40 received at 472575@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Christian Perrier <bubulle@debian.org>
Cc: 472575@bugs.debian.org, Joshua Brindle <method@manicmethod.com>
Subject: Re: [Pkg-shadow-devel] Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Wed, 26 Mar 2008 16:17:54 +1100

On Wednesday 26 March 2008 08:41, Christian Perrier <bubulle@debian.org> 
wrote:
> None specific. Gentoo uses "our" shadow but I have no idea whether
> they have SE Linux support.

They do.  Joshua is a good person to talk to about this.

> I suspect that Fedora will probably resync at some moment with shadow
> upstream (if not already done) and maybe Redhat will as well.

Let's cross that bridge when we come to it.  But currently Red Hat have better 
SE Linux support and I'm trying to get Debian to catch up.  So this patch and 
some others that I will likely send in the near future will make things 
easier for a Red Hat merge.

> However, I'm mostly ignorant when it comes at what/who/whatever about
> SELinux....so just wanted to play the Candide role here
> (not sure if you guys use that expression in English.....Candide being
> a character from Voltaire).

http://en.wikipedia.org/wiki/Candide





Message #45 received at 472575@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: 472575@bugs.debian.org, Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: [Pkg-shadow-devel] Bug#472575: Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Date: Wed, 26 Mar 2008 16:25:11 +1100

On Wednesday 26 March 2008 09:49, Nicolas François 
<nicolas.francois@centraliens.net> wrote:
> You also mentioned a dependency on the kernel, is there a need for
> a versioned dependency on libselinux1-dev with your patch?

The dependency on the kernel is for getting SE Linux working in Unstable and 
therefore being able to properly test the code.

There is no dependency on libselinux1-dev AFAIK, or at least nothing newer 
than Etch.

> From my understanding, shadow-4.1.0-selinux.patch permits to define the
> SE Linux user used to create, move, delete files in useradd, usermod,
> userdel (file context?). It uses semanage, genhomedircon, restorecon.
>
> Maybe this is not useful in Debian because useradd, usermod, and userdel
> are compiled with PAM support and pam_selinux may provide the same
> support.

Support in useradd and usermod is required to correctly label or relabel the 
contents of the user home directory.

userdel should not need SE Linux support, and according to a brief scan of the 
Fedora man page it appears not to have it.

> I would like to review the WITH_SELINUX parts of shadow for a later
> release, because I fear it is not really consistent from one tool to
> another.

The overall design of shadow is lacking in this regard.  Working with design 
mistakes from decades ago limits us.

> Russell, if you think I should also apply shadow-4.1.0-selinux.patch
> upstream, I will apply it blindly.

I have not reviewed it.  Having more code from the Red Hat branch would be a 
good thing, Dan can probably give some advice.

I will eventually review more of that code and submit patches as appropriate.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development





Message #50 received at 472575@bugs.debian.org (full text, mbox):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: control@bugs.debian.org
Cc: 472575@bugs.debian.org
Subject: setting package to passwd shadow login, tagging 472575
Date: Wed, 26 Mar 2008 23:01:49 +0100
# Automatically generated email from bts, devscripts version 2.10.19
#
# shadow (1:4.1.1~rc1-1) UNRELEASED; urgency=low
#
#  * New upstream release. This closes the following bugs:
#    - Fix errors when gpasswd is called without a gshadow file.
#      Closes: #467236, #467488
#    - Fix newgrp segfault when the primary group is not listed in /etc/groups.
#      Closes: #461670
#    - Fix infinite loop in usermod when two groups have the same name.
#      Closes: #470745
#    - Make SE Linux tests more strict, when the real UID is 0 SE Linux checks
#      will be performed. Closes: #472575
#    - Remove patches applied upstream:
#      + debian/patches/451_login_PATH
#      + debian/patches/462_warn_to_edit_shadow
#      + debian/patches/467_useradd_-r_LSB
#      + debian/patches/466_fflush-prompt
#      + debian/patches/480_getopt_args_reorder
#      + debian/patches/496_login_init_session
#      + debian/patches/408_passwd_check_arguments
#      + debian/patches/412_lastlog_-u_numerical_range
#      + debian/patches/407_adduser_disable_PUG_with-n
#    - Updated patches:
#      + debian/patches/504_undef_USE_PAM.nolibpam
#        $(LIBCRYPT) $(LIBSKEY) $(LIBMD) are no more included in libshadow.la.
#        Avoid link to unneeded libraries (spotted by dpkg-shlibdeps).
#      + debian/patches/501_commonio_group_shadow
#      + debian/patches/429_login_FAILLOG_ENAB
#      + debian/patches/542_useradd-O_option
#      + debian/patches/401_cppw_src.dpatch
#      + debian/patches/428_grpck_add_prune_option
#    - Updated translations:
#      + Korean. Closes: #471935
#      + Portuguese. Closes: #472244
#      + Russian. Closes: #472506
#

package passwd shadow login
tags 472575 + pending





Tags added: pending Request was from Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Wed, 26 Mar 2008 23:39:06 GMT) Full text and rfc822 format available.

Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #57 received at 472575-close@bugs.debian.org (full text, mbox):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 472575-close@bugs.debian.org
Subject: Bug#472575: fixed in shadow 1:4.1.1-1
Date: Thu, 03 Apr 2008 00:17:15 +0000
Source: shadow
Source-Version: 1:4.1.1-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.1.1-1_i386.deb
  to pool/main/s/shadow/login_4.1.1-1_i386.deb
passwd_4.1.1-1_i386.deb
  to pool/main/s/shadow/passwd_4.1.1-1_i386.deb
shadow_4.1.1-1.diff.gz
  to pool/main/s/shadow/shadow_4.1.1-1.diff.gz
shadow_4.1.1-1.dsc
  to pool/main/s/shadow/shadow_4.1.1-1.dsc
shadow_4.1.1.orig.tar.gz
  to pool/main/s/shadow/shadow_4.1.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 472575@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 03 Apr 2008 01:31:10 +0200
Source: shadow
Binary: passwd login
Architecture: source i386
Version: 1:4.1.1-1
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 445484 461374 461670 467236 467488 470745 471802 471935 472244 472506 472575 472951 473279 473555 473646
Changes: 
 shadow (1:4.1.1-1) unstable; urgency=low
 .
   * New upstream release. This closes the following bugs:
     - Fix errors when gpasswd is called without a gshadow file.
       Closes: #467236, #467488
     - Fix newgrp segfault when the primary group is not listed in /etc/groups.
       Closes: #461670
     - Fix infinite loop in usermod when two groups have the same name.
       Closes: #470745
     - Make SE Linux tests more strict, when the real UID is 0 SE Linux checks
       will be performed. Closes: #472575
     - Option --password added to groupadd / groupmod (like useradd / usermod).
       Closes: #445484
     - Remove patches applied upstream:
       + debian/patches/451_login_PATH
       + debian/patches/462_warn_to_edit_shadow
       + debian/patches/467_useradd_-r_LSB
       + debian/patches/466_fflush-prompt
       + debian/patches/480_getopt_args_reorder
       + debian/patches/496_login_init_session
       + debian/patches/408_passwd_check_arguments
       + debian/patches/412_lastlog_-u_numerical_range
       + debian/patches/407_adduser_disable_PUG_with-n
     - Updated patches:
       + debian/patches/504_undef_USE_PAM.nolibpam
         $(LIBCRYPT) $(LIBSKEY) $(LIBMD) are no more included in libshadow.la.
         Avoid link to unneeded libraries (spotted by dpkg-shlibdeps).
       + debian/patches/501_commonio_group_shadow
       + debian/patches/429_login_FAILLOG_ENAB
       + debian/patches/542_useradd-O_option
       + debian/patches/401_cppw_src.dpatch
       + debian/patches/428_grpck_add_prune_option
     - Updated translations:
       + Basque. Closes: #473555
       + German. Closes: #473646
       + Italian. Closes: #472951
       + Korean. Closes: #471935
       + Portuguese. Closes: #472244
       + Russian. Closes: #472506
       + Slovak. Closes: #471802
       + Turkish. Closes: #473279
   * debian/watch: Add a watch file for shadow.
   * debian/rules, debian/recode_manpages.sh: Do not recode the manpages.
     Keep them in UTF-8.
   * debian/rules, debian/control: login (>= 970502-1) was already provided
     by login in Hamm. libpam-modules (>= 0.72-5) was already provided by
     libpam-modules in Potato. libpam-runtime (>= 0.76-14) was already provided
     by libpam-runtime in Sarge (now oldstable). Simplify the dependencies.
   * debian/control: Move the dependency on libpam-modules from Depends to
     Pre-Depends. The login package is Essential, and without libpam-modules,
     login or su are not functional. Thanks to Steve Langasek for pointing this
     out.
   * debian/control: There's no need for a dependency on login (now that it is
     unversionned; see above) in the passwd package.
   * debian/control: The passwd's Replaces on manpages-de can be versionned
     again. The su(1) manpage was removed from manpages-de.
   * debian/securetty.linux: Added ttyUSB0, ttyUSB1, ttyUSB2, and MPC5200
     serial ports (ttyPSC0, ttyPSC1, ttyPSC2, ttyPSC3, ttyPSC4, ttyPSC5).
     Closes: #461374
   * debian/control: Change XS-X-Vcs-Svn to Vcs-Svn.  Update the link to the
     new repository layout.  Add a Vcs-Browser field.
   * debian/control: Added Homepage field.
   * debian/passwd.postrm: Removed (was empty).
Files: 
 2edb489bd07a9a09e378cc3a53da7315 1160 admin required shadow_4.1.1-1.dsc
 ae893c18fdb0a89bc7991ba1098f1446 2720267 admin required shadow_4.1.1.orig.tar.gz
 f6b6241d60ae93cf59d5c7076c863c75 76018 admin required shadow_4.1.1-1.diff.gz
 d396813553676b7114aef714d961ab2d 851106 admin required passwd_4.1.1-1_i386.deb
 057b56c6f418289d873fc7aceceeb3a5 857970 admin required login_4.1.1-1_i386.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2008 09:54:15 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:57:58 2014; Machine Name: beach.debian.org
