Release 4.13

Signed-off-by: Serge Hallyn <serge@hallyn.com>
update changelog
2022-11-08 10:29:30 -06:00 · 2022-11-08 10:28:10 -06:00 · 2022-11-08 10:18:17 -06:00 · 2022-10-24 16:15:13 -05:00 · 2022-10-17 09:06:08 -05:00 · 2022-10-14 10:41:40 +02:00
45 changed files with 3770 additions and 859 deletions
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@@ -36,3 +36,25 @@ jobs:

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
+
+  differential-shellcheck:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # Doc: https://github.com/redhat-plumbers-in-action/differential-shellcheck#usage
+      - name: Differential ShellCheck
+        uses: redhat-plumbers-in-action/differential-shellcheck@v3
+        with:
+          severity: warning
+          token: ${{ secrets.GITHUB_TOKEN }}
--- a/34
+++ b/34
@@ -1,3 +1,37 @@
+2022-11-08  Serge Hallyn <serge@hallyn.com>
+
+	* useradd.8: fix default group ID (Tim Biermann)
+	* Revert drop of subid_init() (Serge Hallyn)
+	* Georgian translation (NorwayFun)
+	* useradd: Avoid taking unneeded space: do not reset non-existent data
+	  in lastlog (David Kalnischkies)
+	* relax username restrictions (Alexander Kanavin)
+	* selinux: check MLS enabled before setting serange (genBTC)
+	* copy_tree: use fchmodat instead of chmod (Samanta Navarro)
+	* copy_tree: don't block on FIFOs (Samanta Navarro)
+	* add shell linter (Jan Macku)
+	* copy_tree: carefully treat permissions (Samanta Navarro)
+	* lib/commonio: make lock failures more detailed (Luca BRUNO)
+	* lib: use strzero and memzero where applicable (Christian Göttsche)
+	* Update Dutch translation (Frans Spiesschaert)
+	* Don't test for NULL before calling free (Alex Colomar)
+	* Use libc MAX() and MIN() (Alejandro Colomar)
+	* chage: Fix regression in print_date (Xiami)
+	* usermod: report error if homedir does not exist (Iker Pedrosa)
+	* libmisc: minimum id check for system accounts (Iker Pedrosa)
+	* fix usermod -rG x y wrongly adding a group (xyz)
+	* man: add missing space in useradd.8.xml (Iker Pedrosa)
+	* lastlog: check for localtime() return value (Iker Pedrosa)
+	* Raise limit for passwd and shadow entry length (Iker Pedrosa)
+	* Remove adduser-old.c (Alejandro Colomar)
+	* useradd: Fix buffer overflow when using a prefix (David Michael)
+	* Don't warn when failed to open /etc/nsswitch.conf (Serge Hallyn)
+
+2022-08-15  Serge Hallyn <serge@hallyn.com>
+
+	* Address CVE-2013-4235 (TOCTTOU when copying directories)
+	  (Christian Göttsche)
+
 2022-08-15  Serge Hallyn <serge@hallyn.com>

 	* Fix uk manpages
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,7 @@ m4_define([libsubid_abi_major], 4)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
-AC_INIT([shadow], [4.12.1], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.13], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -49,7 +49,7 @@ AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])

 AC_CHECK_FUNCS(arc4random_buf l64a fchmod fchown fsync futimes \
 	getentropy getrandom getspnam getusershell \
-	getutent initgroups lchown lckpwdf lstat lutimes \
+	getutent initgroups lckpwdf lutimes \
 	setgroups updwtmp updwtmpx innetgr getpwnam_r \
 	getpwuid_r getgrnam_r getgrgid_r getspnam_r \
 	memset_s explicit_bzero)
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -1,6 +1,6 @@
 # This is a dummy Makefile.am to get automake work flawlessly,
 # and also cooperate to make a distribution for `make dist'

-EXTRA_DIST = README adduser.c adduser-old.c adduser.sh adduser2.sh \
+EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
 atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
 udbachk.tgz
--- a/contrib/adduser-old.c
+++ b/contrib/adduser-old.c
@@ -1,300 +0,0 @@
-/****
-** 03/17/96
-** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
-** --marekm
-**
-** 02/26/96
-** modified to call shadow utils (useradd,chage,passwd) on shadowed
-** systems - Cristian Gafton, gafton@sorosis.ro
-**
-** 6/27/95
-** shadow-adduser 1.4:
-**
-** now it copies the /etc/skel dir into the person's dir,
-** makes the mail folders, changed some defaults and made a 'make
-** install' just for the hell of it.
-**
-** Greg Gallagher
-** CIN.Net
-**
-** 1/28/95
-** shadow-adduser 1.3:
-**
-** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart
-** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
-** It was such a stupid bug that I would have never seen it myself.
-**
-**                                Brandon
-*****
-** 01/27/95
-**
-** shadow-adduser 1.2:
-** I took the C source from adduser-shadow (credits are below) and made
-** it a little more worthwhile.  Many small changes... Here's
-** the ones I can remember:
-**
-** Removed support for non-shadowed systems (if you don't have shadow,
-**     use the original adduser, don't get this shadow version!)
-** Added support for the correct /etc/shadow fields (Min days before
-**     password change, max days before password change, Warning days,
-**     and how many days from expiry date does the account go invalid)
-**     The previous version just left all of those fields blank.
-**     There is still one field left (expiry date for the account, period)
-**     which I have left blank because I do not use it and didn't want to
-**     spend any more time on this.  I'm sure someone will put it in and
-**     tack another plethora of credits on here. :)
-** Added in the password date field, which should always reflect the last
-**     date the password was changed, for expiry purposes.  "passwd" always
-**     updates this field, so the adduser program should set it up right
-**     initially (or a user could keep thier initial password forever ;)
-**     The number is in days since Jan 1st, 1970.
-**
-**                       Have fun with it, and someone please make
-**                       a real version(this is still just a hack)
-**                       for us all to use (and Email it to me???)
-**
-**                               Brandon
-**                                  photon@usis.com
-**
-*****
-** adduser 1.0: add a new user account (For systems not using shadow)
-** With a nice little interface and a will to do all the work for you.
-**
-** Craig Hagan
-** hagan@opine.cs.umass.edu
-**
-** Modified to really work, look clean, and find unused uid by Chris Cappuccio
-** chris@slinky.cs.umass.edu
-**
-*****
-**
-** 01/19/95
-**
-** FURTHER modifications to enable shadow passwd support (kludged, but
-** no more so than the original)  by Dan Crowson - dcrowson@mo.net
-**
-** Search on DAN for all changes...
-**
-*****
-**
-** cc -O -o adduser adduser.c
-** Use gcc if you have it... (political reasons beyond my control) (chris)
-**
-** I've gotten this program to work with success under Linux (without
-** shadow) and SunOS 4.1.3. I would assume it should work pretty well
-** on any system that uses no shadow. (chris)
-**
-** If you have no crypt() then try
-** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
-** I'm not sure how login operates with no crypt()... I guess
-** the same way we're doing it here.
-*/
-
-#include <pwd.h>
-#include <grp.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/types.h>
-#include <sys/timeb.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-
-#define DEFAULT_SHELL	"/bin/bash"  /* because BASH is your friend */
-#define DEFAULT_HOME	"/home"
-#define USERADD_PATH	"/usr/sbin/useradd"
-#define CHAGE_PATH	"/usr/sbin/chage"
-#define PASSWD_PATH	"/usr/bin/passwd"
-#define DEFAULT_GROUP	100
-
-#define DEFAULT_MAX_PASS 60
-#define DEFAULT_WARN_PASS 10
-/* if you use this feature, you will get a lot of complaints from users
-   who rarely use their accounts :)  (something like 3 months would be
-   more reasonable)  --marekm */
-#define DEFAULT_USER_DIE /* 10 */ 0
-
-void main()
-{
-	char foo[32];
-	char uname[9],person[32],dir[32],shell[32];
-	unsigned int group,min_pass,max_pass,warn_pass,user_die;
-	/* the group and uid of the new user */
-	int bad=0,done=0,correct=0,gets_warning=0;
-	char cmd[255];
-	struct group *grp;
-
-	/* flags, in order:
-	* bad to see if the username is in /etc/passwd, or if strange stuff has
-	* been typed if the user might be put in group 0
-	* done allows the program to exit when a user has been added
-	* correct loops until a password is found that isn't in /etc/passwd
-	* gets_warning allows the fflush to be skipped for the first gets
-	* so that output is still legible
-	*/
-
-	/* The real program starts HERE! */
-
-	if(geteuid()!=0)
-	{
-		printf("It seems you don't have access to add a new user.  Try\n");
-		printf("logging in as root or su root to gain super-user access.\n");
-		exit(1);
-	}
-
-	/* Sanity checks
-	*/
-
-	if (!(grp=getgrgid(DEFAULT_GROUP))){
-		printf("Error: the default group %d does not exist on this system!\n",
-				DEFAULT_GROUP);
-		printf("adduser must be recompiled.\n");
-		exit(1);
-	};
-
-	while(!correct) {		/* loop until a "good" uname is chosen */
-		while(!done) {
-			printf("\nLogin to add (^C to quit): ");
-			if(gets_warning)	/* if the warning was already shown */
-				fflush(stdout);	/* fflush stdout, otherwise set the flag */
-			else
-				gets_warning=1;
-
-			gets(uname);
-			if(!strlen(uname)) {
-				printf("Empty input.\n");
-				done=0;
-				continue;
-			};
-
-			/* what I saw here before made me think maybe I was running DOS */
-			/* might this be a solution? (chris) */
-			if (getpwnam(uname) != NULL) {
-				printf("That name is in use, choose another.\n");
-				done=0;
-			} else
-				done=1;
-		}; /* done, we have a valid new user name */
-
-		/* all set, get the rest of the stuff */
-		printf("\nEditing information for new user [%s]\n",uname);
-
-		printf("\nFull Name [%s]: ",uname);
-		gets(person);
-		if (!strlen(person)) {
-			bzero(person,sizeof(person));
-			strcpy(person,uname);
-		};
-
-		do {
-			bad=0;
-			printf("GID [%d]: ",DEFAULT_GROUP);
-			gets(foo);
-			if (!strlen(foo))
-				group=DEFAULT_GROUP;
-			else
-				if (isdigit (*foo)) {
-					group = atoi(foo);
-					if (! (grp = getgrgid (group))) {
-						printf("unknown gid %s\n",foo);
-						group=DEFAULT_GROUP;
-						bad=1;
-					};
-			} else
-				if ((grp = getgrnam (foo)))
-					group = grp->gr_gid;
-				else {
-					printf("unknown group %s\n",foo);
-					group=DEFAULT_GROUP;
-					bad=1;
-				}
-			if (group==0){	/* You're not allowed to make root group users! */
-				printf("Creation of root group users not allowed (must be done by hand)\n");
-				group=DEFAULT_GROUP;
-				bad=1;
-			};
-		} while(bad);
-
-
-		fflush(stdin);
-
-		printf("\nIf home dir ends with a / then [%s] will be appended to it\n",uname);
-		printf("Home Directory [%s/%s]: ",DEFAULT_HOME,uname);
-		fflush(stdout);
-		gets(dir);
-		if (!strlen(dir)) { /* hit return */
-			sprintf(dir,"%s/%s",DEFAULT_HOME,uname);
-			fflush(stdin);
-		} else
-			if (dir[strlen(dir)-1]=='/')
-				sprintf(dir+strlen(dir),"%s",uname);
-
-		printf("\nShell [%s]: ",DEFAULT_SHELL);
-		fflush(stdout);
-		gets(shell);
-		if (!strlen(shell))
-			sprintf(shell,"%s",DEFAULT_SHELL);
-
-		printf("\nMin. Password Change Days [0]: ");
-		gets(foo);
-		min_pass=atoi(foo);
-
-		printf("Max. Password Change Days [%d]: ",DEFAULT_MAX_PASS);
-		gets(foo);
-		if (strlen(foo) > 1)
-			max_pass = atoi(foo);
-		else
-			max_pass = DEFAULT_MAX_PASS;
-
-		printf("Password Warning Days [%d]: ",DEFAULT_WARN_PASS);
-		gets(foo);
-		warn_pass = atoi(foo);
-		if (warn_pass==0)
-			warn_pass = DEFAULT_WARN_PASS;
-
-		printf("Days after Password Expiry for Account Locking [%d]: ",DEFAULT_USER_DIE);
-		gets(foo);
-		user_die = atoi(foo);
-		if (user_die == 0)
-			user_die = DEFAULT_USER_DIE;
-
-		printf("\nInformation for new user [%s] [%s]:\n",uname,person);
-		printf("Home directory: [%s] Shell: [%s]\n",dir,shell);
-		printf("GID: [%d]\n",group);
-		printf("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
-				min_pass,max_pass,warn_pass,user_die);
-		printf("\nIs this correct? [y/N]: ");
-		fflush(stdout);
-		gets(foo);
-
-		done=bad=correct=(foo[0]=='y'||foo[0]=='Y');
-
-		if(bad!=1)
-			printf("\nUser [%s] not added\n",uname);
-    }
-
-	bzero(cmd,sizeof(cmd));
-	sprintf(cmd,"%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
-			USERADD_PATH,group,dir,shell,person,uname);
-	printf("Calling useradd to add new user:\n%s\n",cmd);
-	if(system(cmd)){
-		printf("User add failed!\n");
-		exit(errno);
-	};
-	bzero(cmd,sizeof(cmd));
-	sprintf(cmd,"%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
-			min_pass,max_pass,warn_pass,user_die,uname);
-	printf("%s\n",cmd);
-	if(system(cmd)){
-		printf("There was an error setting password expire values\n");
-		exit(errno);
-	};
-	bzero(cmd,sizeof(cmd));
-	sprintf(cmd,"%s %s",PASSWD_PATH,uname);
-	system(cmd);
-	printf("\nDone.\n");
-}
-
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -32,7 +32,7 @@

 /* local function prototypes */
 static int lrename (const char *, const char *);
-static int check_link_count (const char *file);
+static int check_link_count (const char *file, bool log);
 static int do_lock_file (const char *file, const char *lock, bool log);
 static /*@null@*/ /*@dependent@*/FILE *fopen_set_perms (
 	const char *name,
@@ -65,7 +65,6 @@ int lrename (const char *old, const char *new)
 	int res;
 	char *r = NULL;

-#if defined(S_ISLNK)
 #ifndef __GLIBC__
 	char resolved_path[PATH_MAX];
 #endif				/* !__GLIBC__ */
@@ -82,28 +81,35 @@ int lrename (const char *old, const char *new)
 			new = r;
 		}
 	}
-#endif				/* S_ISLNK */

 	res = rename (old, new);

 #ifdef __GLIBC__
-	if (NULL != r) {
-		free (r);
-	}
+	free (r);
 #endif				/* __GLIBC__ */

 	return res;
 }

-static int check_link_count (const char *file)
+static int check_link_count (const char *file, bool log)
 {
 	struct stat sb;

 	if (stat (file, &sb) != 0) {
+		if (log) {
+			(void) fprintf (shadow_logfd,
+			                "%s: %s file stat error: %s\n",
+			                shadow_progname, file, strerror (errno));
+		}
 		return 0;
 	}

 	if (sb.st_nlink != 2) {
+		if (log) {
+			(void) fprintf (shadow_logfd,
+			                "%s: %s: lock file already used (nlink: %u)\n",
+			                shadow_progname, file, sb.st_nlink);
+		}
 		return 0;
 	}

@@ -155,12 +161,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	close (fd);

 	if (link (file, lock) == 0) {
-		retval = check_link_count (file);
-		if ((0==retval) && log) {
-			(void) fprintf (shadow_logfd,
-			                "%s: %s: lock file already used\n",
-			                shadow_progname, file);
-		}
+		retval = check_link_count (file, log);
 		unlink (file);
 		return retval;
 	}
@@ -221,12 +222,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)

 	retval = 0;
 	if (link (file, lock) == 0) {
-		retval = check_link_count (file);
-		if ((0==retval) && log) {
-			(void) fprintf (shadow_logfd,
-			                "%s: %s: lock file already used\n",
-			                shadow_progname, file);
-		}
+		retval = check_link_count (file, log);
 	} else {
 		if (log) {
 			(void) fprintf (shadow_logfd,
@@ -339,9 +335,7 @@ static void free_linked_list (struct commonio_db *db)
 		p = db->head;
 		db->head = p->next;

-		if (NULL != p->line) {
-			free (p->line);
-		}
+		free (p->line);

 		if (NULL != p->eptr) {
 			db->ops->free (p->eptr);
@@ -397,10 +391,8 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 		err = 1;
 	}
 cleanup_ENOMEM:
-	if (file)
-		free(file);
-	if (lock)
-		free(lock);
+	free(file);
+	free(lock);
 	return err;
 }

@@ -1202,9 +1194,7 @@ int commonio_remove (struct commonio_db *db, const char *name)

 	commonio_del_entry (db, p);

-	if (NULL != p->line) {
-		free (p->line);
-	}
+	free (p->line);

 	if (NULL != p->eptr) {
 		db->ops->free (p->eptr);
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -205,22 +205,6 @@ static inline void memzero(void *ptr, size_t size)
 # define SEEK_END 2
 #endif

-#ifndef S_ISLNK
-#define S_ISLNK(x) (0)
-#endif
-
-#if HAVE_LCHOWN
-#define LCHOWN lchown
-#else
-#define LCHOWN chown
-#endif
-
-#if HAVE_LSTAT
-#define LSTAT lstat
-#else
-#define LSTAT stat
-#endif
-
 #if HAVE_TERMIOS_H
 # include <termios.h>
 # define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
@@ -326,14 +310,6 @@ extern char *strerror ();
 # define format_attr(type, index, check)
 #endif

-/* ! Arguments evaluated twice ! */
-#ifndef MIN
-#define MIN(a,b) (((a) < (b)) ? (a) : (b))
-#endif
-#ifndef MAX
-#define MAX(x,y) (((x) > (y)) ? (x) : (y))
-#endif
-
 /* Maximum length of usernames */
 #ifdef HAVE_UTMPX_H
 # include <utmpx.h>
@@ -351,6 +327,9 @@ extern char *strerror ();
 # endif
 #endif

+/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768
+
 #ifdef HAVE_SECURE_GETENV
 #  define shadow_getenv(name) secure_getenv(name)
 # else
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -388,10 +388,7 @@ int putdef_str (const char *name, const char *value)
 		return -1;
 	}

-	if (NULL != d->value) {
-		free (d->value);
-	}
-
+	free (d->value);
 	d->value = cp;
 	return 0;
 }
--- a/lib/groupio.c
+++ b/lib/groupio.c
@@ -418,9 +418,7 @@ static int split_groups (unsigned int max_members)
 		/* Shift all the members */
 		/* The number of members in new_gptr will be check later */
 		for (i = 0; NULL != new_gptr->gr_mem[i + max_members]; i++) {
-			if (NULL != new_gptr->gr_mem[i]) {
-				free (new_gptr->gr_mem[i]);
-			}
+			free (new_gptr->gr_mem[i]);
 			new_gptr->gr_mem[i] = new_gptr->gr_mem[i + max_members];
 			new_gptr->gr_mem[i + max_members] = NULL;
 		}
--- a/lib/groupmem.c
+++ b/lib/groupmem.c
@@ -80,7 +80,7 @@ void gr_free (/*@out@*/ /*@only@*/struct group *grent)
 {
 	free (grent->gr_name);
 	if (NULL != grent->gr_passwd) {
-		memzero (grent->gr_passwd, strlen (grent->gr_passwd));
+		strzero (grent->gr_passwd);
 		free (grent->gr_passwd);
 	}
 	gr_free_members(grent);
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -59,7 +59,6 @@ void nss_init(const char *nsswitch_path) {
 	//   subid:	files
 	nssfp = fopen(nsswitch_path, "r");
 	if (!nssfp) {
-		fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
 		atomic_store(&nss_init_completed, true);
 		return;
 	}
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -483,7 +483,6 @@ extern bool valid (const char *, const struct passwd *);
 extern /*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/void *xmalloc (size_t size)
  /*@ensures MaxSet(result) == (size - 1); @*/;
 extern /*@maynotreturn@*/ /*@only@*//*@notnull@*/char *xstrdup (const char *);
-extern void xfree(void *ap);

 /* xgetpwnam.c */
 extern /*@null@*/ /*@only@*/struct passwd *xgetpwnam (const char *);
--- a/lib/pwio.c
+++ b/lib/pwio.c
@@ -56,7 +56,10 @@ static int passwd_put (const void *ent, FILE * file)
 	    || (pw->pw_gid == (gid_t)-1)
 	    || (valid_field (pw->pw_gecos, ":\n") == -1)
 	    || (valid_field (pw->pw_dir, ":\n") == -1)
-	    || (valid_field (pw->pw_shell, ":\n") == -1)) {
+	    || (valid_field (pw->pw_shell, ":\n") == -1)
+	    || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
+	        strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
+	        strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}

--- a/lib/pwmem.c
+++ b/lib/pwmem.c
@@ -73,7 +73,7 @@ void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent)
 	if (pwent != NULL) {
 		free (pwent->pw_name);
 		if (pwent->pw_passwd) {
-			memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+			strzero (pwent->pw_passwd);
 			free (pwent->pw_passwd);
 		}
 		free (pwent->pw_gecos);
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -122,12 +122,14 @@ static int semanage_user_mod (semanage_handle_t *handle,
 		goto done;
 	}

-	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
-	if (ret != 0) {
-		fprintf (shadow_logfd,
-		         _("Could not set serange for %s\n"), login_name);
-		ret = 1;
-		goto done;
+	if (semanage_mls_enabled(handle)) {
+		ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+		if (ret != 0) {
+			fprintf (shadow_logfd,
+			         _("Could not set serange for %s\n"), login_name);
+			ret = 1;
+			goto done;
+		}
 	}

 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
@@ -179,13 +181,14 @@ static int semanage_user_add (semanage_handle_t *handle,
 		goto done;
 	}

-	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
-	if (ret != 0) {
-		fprintf (shadow_logfd,
-		         _("Could not set serange for %s\n"),
-		         login_name);
-		ret = 1;
-		goto done;
+	if (semanage_mls_enabled(handle)) {
+		ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+		if (ret != 0) {
+			fprintf (shadow_logfd,
+			         _("Could not set serange for %s\n"), login_name);
+			ret = 1;
+			goto done;
+		}
 	}

 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
--- a/lib/sgetgrent.c
+++ b/lib/sgetgrent.c
@@ -54,8 +54,7 @@ static char **list (char *s)
 				rbuf = malloc (size * sizeof (char *));
 			}
 			if (!rbuf) {
-				if (members)
-					free (members);
+				free (members);
 				members = 0;
 				size = 0;
 				return (char **) 0;
@@ -89,8 +88,7 @@ struct group *sgetgrent (const char *buf)
 	if (strlen (buf) + 1 > size) {
 		/* no need to use realloc() here - just free it and
 		   allocate a larger block */
-		if (grpbuf)
-			free (grpbuf);
+		free (grpbuf);
 		size = strlen (buf) + 1000;	/* at least: strlen(buf) + 1 */
 		grpbuf = malloc (size);
 		if (!grpbuf) {
--- a/lib/sgetpwent.c
+++ b/lib/sgetpwent.c
@@ -16,6 +16,7 @@
 #include <stdio.h>
 #include <pwd.h>
 #include "prototypes.h"
+#include "shadowlog_internal.h"

 #define	NFIELDS	7

@@ -34,7 +35,7 @@
 struct passwd *sgetpwent (const char *buf)
 {
 	static struct passwd pwent;
-	static char pwdbuf[1024];
+	static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
 	int i;
 	char *cp;
 	char *fields[NFIELDS];
@@ -44,8 +45,12 @@ struct passwd *sgetpwent (const char *buf)
 	 * the password structure remain valid.
 	 */

-	if (strlen (buf) >= sizeof pwdbuf)
+	if (strlen (buf) >= sizeof pwdbuf) {
+		fprintf (shadow_logfd,
+		         "%s: Too long passwd entry encountered, file corruption?\n",
+		         shadow_progname);
 		return 0;	/* fail if too long */
+	}
 	strcpy (pwdbuf, buf);

 	/*
--- a/lib/sgetspent.c
+++ b/lib/sgetspent.c
@@ -16,6 +16,7 @@

 #include <sys/types.h>
 #include "prototypes.h"
+#include "shadowlog_internal.h"
 #include "defines.h"
 #include <stdio.h>
 #define	FIELDS	9
@@ -25,7 +26,7 @@
 */
 struct spwd *sgetspent (const char *string)
 {
-	static char spwbuf[1024];
+	static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
 	static struct spwd spwd;
 	char *fields[FIELDS];
 	char *cp;
@@ -37,6 +38,9 @@ struct spwd *sgetspent (const char *string)
 	 */

 	if (strlen (string) >= sizeof spwbuf) {
+		fprintf (shadow_logfd,
+		         "%s: Too long passwd entry encountered, file corruption?\n",
+		         shadow_progname);
 		return 0;	/* fail if too long */
 	}
 	strcpy (spwbuf, string);
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -128,7 +128,7 @@ void sgr_free (/*@out@*/ /*@only@*/struct sgrp *sgent)
 	size_t i;
 	free (sgent->sg_name);
 	if (NULL != sgent->sg_passwd) {
-		memzero (sgent->sg_passwd, strlen (sgent->sg_passwd));
+		strzero (sgent->sg_passwd);
 		free (sgent->sg_passwd);
 	}
 	for (i = 0; NULL != sgent->sg_adm[i]; i++) {
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -56,7 +56,9 @@ static int shadow_put (const void *ent, FILE * file)

 	if (   (NULL == sp)
 	    || (valid_field (sp->sp_namp, ":\n") == -1)
-	    || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
+	    || (valid_field (sp->sp_pwdp, ":\n") == -1)
+	    || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
+	        1000 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}

--- a/lib/shadowmem.c
+++ b/lib/shadowmem.c
@@ -59,7 +59,7 @@ void spw_free (/*@out@*/ /*@only@*/struct spwd *spent)
 	if (spent != NULL) {
 		free (spent->sp_namp);
 		if (NULL != spent->sp_pwdp) {
-			memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+			strzero (spent->sp_pwdp);
 			free (spent->sp_pwdp);
 		}
 		free (spent);
--- a/lib/tcbfuncs.c
+++ b/lib/tcbfuncs.c
@@ -380,9 +380,7 @@ shadowtcb_status shadowtcb_set_user (const char* name)
 		return SHADOWTCB_SUCCESS;
 	}

-	if (NULL != stored_tcb_user) {
-		free (stored_tcb_user);
-	}
+	free (stored_tcb_user);

 	stored_tcb_user = strdup (name);
 	if (NULL == stored_tcb_user) {
--- a/libmisc/chkname.c
+++ b/libmisc/chkname.c
@@ -32,26 +32,44 @@ static bool is_valid_name (const char *name)
 	}

 	/*
-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
-	 */
+         * User/group names must match gnu e-regex:
+         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+         *
+         * as a non-POSIX, extension, allow "$" as the last char for
+         * sake of Samba 3.x "add machine script"
+         *
+         * Also do not allow fully numeric names or just "." or "..".
+         */
+	int numeric;

-	if (('\0' == *name) ||
-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+	if ('\0' == *name ||
+	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+			      '\0' == name[1])) ||
+	    !((*name >= 'a' && *name <= 'z') ||
+	      (*name >= 'A' && *name <= 'Z') ||
+	      (*name >= '0' && *name <= '9') ||
+	      *name == '_' ||
+	      *name == '.')) {
 		return false;
 	}

+	numeric = isdigit(*name);
+
 	while ('\0' != *++name) {
-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
-		      ( ('0' <= *name) && ('9' >= *name) ) ||
-		      ('_' == *name) ||
-		      ('-' == *name) ||
-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+		if (!((*name >= 'a' && *name <= 'z') ||
+		      (*name >= 'A' && *name <= 'Z') ||
+		      (*name >= '0' && *name <= '9') ||
+		      *name == '_' ||
+		      *name == '.' ||
+		      *name == '-' ||
+		      (*name == '$' && name[1] == '\0')
 		     )) {
 			return false;
 		}
+		numeric &= isdigit(*name);
 	}

-	return true;
+	return !numeric;
 }

 bool is_valid_user_name (const char *name)
--- a/libmisc/chowndir.c
+++ b/libmisc/chowndir.c
@@ -17,6 +17,112 @@
 #include "defines.h"
 #include <fcntl.h>
 #include <stdio.h>
+#include <unistd.h>
+
+static int chown_tree_at (int at_fd,
+                const char *path,
+                uid_t old_uid,
+                uid_t new_uid,
+                gid_t old_gid,
+                gid_t new_gid)
+{
+	DIR *dir;
+	const struct dirent *ent;
+	struct stat dir_sb;
+	int dir_fd, rc = 0;
+
+	dir_fd = openat (at_fd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+	if (dir_fd < 0) {
+		return -1;
+	}
+
+	dir = fdopendir (dir_fd);
+	if (!dir) {
+		(void) close (dir_fd);
+		return -1;
+	}
+
+	/*
+	 * Open the directory and read each entry.  Every entry is tested
+	 * to see if it is a directory, and if so this routine is called
+	 * recursively.  If not, it is checked to see if an ownership
+	 * shall be changed.
+	 */
+	while ((ent = readdir (dir))) {
+		uid_t tmpuid = (uid_t) -1;
+		gid_t tmpgid = (gid_t) -1;
+		struct stat ent_sb;
+
+		/*
+		 * Skip the "." and ".." entries
+		 */
+		if (   (strcmp (ent->d_name, ".") == 0)
+		    || (strcmp (ent->d_name, "..") == 0)) {
+			continue;
+		}
+
+		rc = fstatat (dirfd(dir), ent->d_name, &ent_sb, AT_SYMLINK_NOFOLLOW);
+		if (rc < 0) {
+			break;
+		}
+
+		if (S_ISDIR (ent_sb.st_mode)) {
+			/*
+			 * Do the entire subdirectory.
+			 */
+			rc = chown_tree_at (dirfd(dir), ent->d_name, old_uid, new_uid, old_gid, new_gid);
+			if (0 != rc) {
+				break;
+			}
+		}
+
+		/*
+		 * By default, the IDs are not changed (-1).
+		 *
+		 * If the file is not owned by the user, the owner is not
+		 * changed.
+		 *
+		 * If the file is not group-owned by the group, the
+		 * group-owner is not changed.
+		 */
+		if (((uid_t) -1 == old_uid) || (ent_sb.st_uid == old_uid)) {
+			tmpuid = new_uid;
+		}
+		if (((gid_t) -1 == old_gid) || (ent_sb.st_gid == old_gid)) {
+			tmpgid = new_gid;
+		}
+		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
+			rc = fchownat (dirfd(dir), ent->d_name, tmpuid, tmpgid, AT_SYMLINK_NOFOLLOW);
+			if (0 != rc) {
+				break;
+			}
+		}
+	}
+
+	/*
+	 * Now do the root of the tree
+	 */
+	if ((0 == rc) && (fstat (dirfd(dir), &dir_sb) == 0)) {
+		uid_t tmpuid = (uid_t) -1;
+		gid_t tmpgid = (gid_t) -1;
+		if (((uid_t) -1 == old_uid) || (dir_sb.st_uid == old_uid)) {
+			tmpuid = new_uid;
+		}
+		if (((gid_t) -1 == old_gid) || (dir_sb.st_gid == old_gid)) {
+			tmpgid = new_gid;
+		}
+		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
+			rc = fchown (dirfd(dir), tmpuid, tmpgid);
+		}
+	} else {
+		rc = -1;
+	}
+
+	(void) closedir (dir);
+
+	return rc;
+}
+
 /*
 * chown_tree - change ownership of files in a directory tree
 *
@@ -36,143 +142,5 @@ int chown_tree (const char *root,
                gid_t old_gid,
                gid_t new_gid)
 {
-	char *new_name;
-	size_t new_name_len;
-	int rc = 0;
-	struct dirent *ent;
-	struct stat sb;
-	DIR *dir;
-
-	new_name = malloc (1024);
-	if (NULL == new_name) {
-		return -1;
-	}
-	new_name_len = 1024;
-
-	/*
-	 * Make certain the directory exists.  This routine is called
-	 * directly by the invoker, or recursively.
-	 */
-
-	if (access (root, F_OK) != 0) {
-		free (new_name);
-		return -1;
-	}
-
-	/*
-	 * Open the directory and read each entry.  Every entry is tested
-	 * to see if it is a directory, and if so this routine is called
-	 * recursively.  If not, it is checked to see if an ownership
-	 * shall be changed.
-	 */
-
-	dir = opendir (root);
-	if (NULL == dir) {
-		free (new_name);
-		return -1;
-	}
-
-	while ((ent = readdir (dir))) {
-		size_t ent_name_len;
-		uid_t tmpuid = (uid_t) -1;
-		gid_t tmpgid = (gid_t) -1;
-
-		/*
-		 * Skip the "." and ".." entries
-		 */
-
-		if (   (strcmp (ent->d_name, ".") == 0)
-		    || (strcmp (ent->d_name, "..") == 0)) {
-			continue;
-		}
-
-		/*
-		 * Make the filename for both the source and the
-		 * destination files.
-		 */
-
-		ent_name_len = strlen (root) + strlen (ent->d_name) + 2;
-		if (ent_name_len > new_name_len) {
-			/*@only@*/char *tmp = realloc (new_name, ent_name_len);
-			if (NULL == tmp) {
-				rc = -1;
-				break;
-			}
-			new_name = tmp;
-			new_name_len = ent_name_len;
-		}
-
-		(void) snprintf (new_name, new_name_len, "%s/%s", root, ent->d_name);
-
-		/* Don't follow symbolic links! */
-		if (LSTAT (new_name, &sb) == -1) {
-			continue;
-		}
-
-		if (S_ISDIR (sb.st_mode) && !S_ISLNK (sb.st_mode)) {
-
-			/*
-			 * Do the entire subdirectory.
-			 */
-
-			rc = chown_tree (new_name, old_uid, new_uid,
-			                 old_gid, new_gid);
-			if (0 != rc) {
-				break;
-			}
-		}
-#ifndef HAVE_LCHOWN
-		/* don't use chown (follows symbolic links!) */
-		if (S_ISLNK (sb.st_mode)) {
-			continue;
-		}
-#endif
-		/*
-		 * By default, the IDs are not changed (-1).
-		 *
-		 * If the file is not owned by the user, the owner is not
-		 * changed.
-		 *
-		 * If the file is not group-owned by the group, the
-		 * group-owner is not changed.
-		 */
-		if (((uid_t) -1 == old_uid) || (sb.st_uid == old_uid)) {
-			tmpuid = new_uid;
-		}
-		if (((gid_t) -1 == old_gid) || (sb.st_gid == old_gid)) {
-			tmpgid = new_gid;
-		}
-		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
-			rc = LCHOWN (new_name, tmpuid, tmpgid);
-			if (0 != rc) {
-				break;
-			}
-		}
-	}
-
-	free (new_name);
-	(void) closedir (dir);
-
-	/*
-	 * Now do the root of the tree
-	 */
-
-	if ((0 == rc) && (stat (root, &sb) == 0)) {
-		uid_t tmpuid = (uid_t) -1;
-		gid_t tmpgid = (gid_t) -1;
-		if (((uid_t) -1 == old_uid) || (sb.st_uid == old_uid)) {
-			tmpuid = new_uid;
-		}
-		if (((gid_t) -1 == old_gid) || (sb.st_gid == old_gid)) {
-			tmpgid = new_gid;
-		}
-		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
-			rc = LCHOWN (root, tmpuid, tmpgid);
-		}
-	} else {
-		rc = -1;
-	}
-
-	return rc;
+	return chown_tree_at (AT_FDCWD, root, old_uid, new_uid, old_gid, new_gid);
 }
-
--- a/libmisc/copydir.c
+++ b/libmisc/copydir.c
@@ -47,42 +47,43 @@ struct link_name {
 };
 static /*@exposed@*/struct link_name *links;

-static int copy_entry (const char *src, const char *dst,
+struct path_info {
+	const char *full_path;
+	int dirfd;
+	const char *name;
+};
+
+static int copy_entry (const struct path_info *src, const struct path_info *dst,
                       bool reset_selinux,
                       uid_t old_uid, uid_t new_uid,
                       gid_t old_gid, gid_t new_gid);
-static int copy_dir (const char *src, const char *dst,
+static int copy_dir (const struct path_info *src, const struct path_info *dst,
                     bool reset_selinux,
-                     const struct stat *statp, const struct timeval mt[],
+                     const struct stat *statp, const struct timespec mt[],
                     uid_t old_uid, uid_t new_uid,
                     gid_t old_gid, gid_t new_gid);
-#ifdef	S_IFLNK
 static /*@null@*/char *readlink_malloc (const char *filename);
-static int copy_symlink (const char *src, const char *dst,
+static int copy_symlink (const struct path_info *src, const struct path_info *dst,
                         unused bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                         uid_t old_uid, uid_t new_uid,
                         gid_t old_gid, gid_t new_gid);
-#endif				/* S_IFLNK */
-static int copy_hardlink (const char *dst,
+static int copy_hardlink (const struct path_info *dst,
                          unused bool reset_selinux,
                          struct link_name *lp);
-static int copy_special (const char *src, const char *dst,
+static int copy_special (const struct path_info *src, const struct path_info *dst,
                         bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                         uid_t old_uid, uid_t new_uid,
                         gid_t old_gid, gid_t new_gid);
-static int copy_file (const char *src, const char *dst,
+static int copy_file (const struct path_info *src, const struct path_info *dst,
                      bool reset_selinux,
-                      const struct stat *statp, const struct timeval mt[],
+                      const struct stat *statp, const struct timespec mt[],
                      uid_t old_uid, uid_t new_uid,
                      gid_t old_gid, gid_t new_gid);
-static int chown_if_needed (const char *dst, const struct stat *statp,
+static int chownat_if_needed (const struct path_info *dst, const struct stat *statp,
                            uid_t old_uid, uid_t new_uid,
                            gid_t old_gid, gid_t new_gid);
-static int lchown_if_needed (const char *dst, const struct stat *statp,
-                             uid_t old_uid, uid_t new_uid,
-                             gid_t old_gid, gid_t new_gid);
 static int fchown_if_needed (int fdst, const struct stat *statp,
                             uid_t old_uid, uid_t new_uid,
                             gid_t old_gid, gid_t new_gid);
@@ -114,10 +115,61 @@ static void error_acl (unused struct error_context *ctx, const char *fmt, ...)
 }

 static struct error_context ctx = {
-	error_acl
+	error_acl, NULL, NULL
 };
 #endif				/* WITH_ACL || WITH_ATTR */

+#ifdef WITH_ACL
+static int perm_copy_path(const struct path_info *src,
+						  const struct path_info *dst,
+						  struct error_context *errctx)
+{
+	int src_fd, dst_fd, ret;
+
+	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (src_fd < 0) {
+		return -1;
+	}
+
+	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (dst_fd < 0) {
+		(void) close (src_fd);
+		return -1;
+	}
+
+	ret = perm_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, errctx);
+	(void) close (src_fd);
+	(void) close (dst_fd);
+	return ret;
+}
+#endif				/* WITH_ACL */
+
+#ifdef WITH_ATTR
+static int attr_copy_path(const struct path_info *src,
+						  const struct path_info *dst,
+						  int (*callback) (const char *, struct error_context *),
+						  struct error_context *errctx)
+{
+	int src_fd, dst_fd, ret;
+
+	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (src_fd < 0) {
+		return -1;
+	}
+
+	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (dst_fd < 0) {
+		(void) close (src_fd);
+		return -1;
+	}
+
+	ret = attr_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, callback, errctx);
+	(void) close (src_fd);
+	(void) close (dst_fd);
+	return ret;
+}
+#endif				/* WITH_ATTR */
+
 /*
 * remove_link - delete a link from the linked list
 */
@@ -190,51 +242,36 @@ static /*@exposed@*/ /*@null@*/struct link_name *check_link (const char *name, c
 	return NULL;
 }

-/*
- * copy_tree - copy files in a directory tree
- *
- *	copy_tree() walks a directory tree and copies ordinary files
- *	as it goes.
- *
- *	When reset_selinux is enabled, extended attributes (and thus
- *	SELinux attributes) are not copied.
- *
- *	old_uid and new_uid are used to set the ownership of the copied
- *	files. Unless old_uid is set to -1, only the files owned by
- *	old_uid have their ownership changed to new_uid. In addition, if
- *	new_uid is set to -1, no ownership will be changed.
- *
- *	The same logic applies for the group-ownership and
- *	old_gid/new_gid.
- */
-int copy_tree (const char *src_root, const char *dst_root,
+static int copy_tree_impl (const struct path_info *src, const struct path_info *dst,
               bool copy_root, bool reset_selinux,
               uid_t old_uid, uid_t new_uid,
               gid_t old_gid, gid_t new_gid)
 {
-	int err = 0;
+	int dst_fd, src_fd, err = 0;
 	bool set_orig = false;
-	struct dirent *ent;
+	const struct dirent *ent;
 	DIR *dir;

 	if (copy_root) {
 		struct stat sb;
-		if (access (dst_root, F_OK) == 0) {
+
+		if (   fstatat (dst->dirfd, dst->name, &sb, 0) == 0
+		    || errno != ENOENT) {
 			return -1;
 		}

-		if (LSTAT (src_root, &sb) == -1) {
+		if (fstatat (src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
 			return -1;
 		}

 		if (!S_ISDIR (sb.st_mode)) {
 			fprintf (log_get_logfd(),
 			         "%s: %s is not a directory",
-			         log_get_progname(), src_root);
+			         log_get_progname(), src->full_path);
 			return -1;
 		}

-		return copy_entry (src_root, dst_root, reset_selinux,
+		return copy_entry (src, dst, reset_selinux,
 		                   old_uid, new_uid, old_gid, new_gid);
 	}

@@ -244,8 +281,14 @@ int copy_tree (const char *src_root, const char *dst_root,
 	 * target is created.  It assumes the target directory exists.
 	 */

-	if (   (access (src_root, F_OK) != 0)
-	    || (access (dst_root, F_OK) != 0)) {
+	src_fd = openat (src->dirfd, src->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+	if (src_fd < 0) {
+		return -1;
+	}
+
+	dst_fd = openat (dst->dirfd, dst->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+	if (dst_fd < 0) {
+		(void) close (src_fd);
 		return -1;
 	}

@@ -256,14 +299,16 @@ int copy_tree (const char *src_root, const char *dst_root,
 	 * regular files (and directories ...) are copied, and no file
 	 * is made set-ID.
 	 */
-	dir = opendir (src_root);
+	dir = fdopendir (src_fd);
 	if (NULL == dir) {
+		(void) close (src_fd);
+		(void) close (dst_fd);
 		return -1;
 	}

 	if (src_orig == NULL) {
-		src_orig = src_root;
-		dst_orig = dst_root;
+		src_orig = src->full_path;
+		dst_orig = dst->full_path;
 		set_orig = true;
 	}
 	while ((0 == err) && (ent = readdir (dir)) != NULL) {
@@ -276,8 +321,8 @@ int copy_tree (const char *src_root, const char *dst_root,
 			char *dst_name;
 			size_t src_len = strlen (ent->d_name) + 2;
 			size_t dst_len = strlen (ent->d_name) + 2;
-			src_len += strlen (src_root);
-			dst_len += strlen (dst_root);
+			src_len += strlen (src->full_path);
+			dst_len += strlen (dst->full_path);

 			src_name = (char *) malloc (src_len);
 			dst_name = (char *) malloc (dst_len);
@@ -289,25 +334,32 @@ int copy_tree (const char *src_root, const char *dst_root,
 				 * Build the filename for both the source and
 				 * the destination files.
 				 */
-				(void) snprintf (src_name, src_len, "%s/%s",
-				                 src_root, ent->d_name);
-				(void) snprintf (dst_name, dst_len, "%s/%s",
-				                 dst_root, ent->d_name);
+				struct path_info src_entry, dst_entry;

-				err = copy_entry (src_name, dst_name,
+				(void) snprintf (src_name, src_len, "%s/%s",
+				                 src->full_path, ent->d_name);
+				(void) snprintf (dst_name, dst_len, "%s/%s",
+				                 dst->full_path, ent->d_name);
+
+				src_entry.full_path = src_name;
+				src_entry.dirfd = dirfd(dir);
+				src_entry.name = ent->d_name;
+
+				dst_entry.full_path = dst_name;
+				dst_entry.dirfd = dst_fd;
+				dst_entry.name = ent->d_name;
+
+				err = copy_entry (&src_entry, &dst_entry,
 				                  reset_selinux,
 				                  old_uid, new_uid,
 				                  old_gid, new_gid);
 			}
-			if (NULL != src_name) {
-				free (src_name);
-			}
-			if (NULL != dst_name) {
-				free (dst_name);
-			}
+			free (src_name);
+			free (dst_name);
 		}
 	}
 	(void) closedir (dir);
+	(void) close (dst_fd);

 	if (set_orig) {
 		src_orig = NULL;
@@ -354,7 +406,7 @@ int copy_tree (const char *src_root, const char *dst_root,
 *	old_gid) will be modified, unless old_uid (resp. old_gid) is set
 *	to -1.
 */
-static int copy_entry (const char *src, const char *dst,
+static int copy_entry (const struct path_info *src, const struct path_info *dst,
                       bool reset_selinux,
                       uid_t old_uid, uid_t new_uid,
                       gid_t old_gid, gid_t new_gid)
@@ -362,32 +414,32 @@ static int copy_entry (const char *src, const char *dst,
 	int err = 0;
 	struct stat sb;
 	struct link_name *lp;
-	struct timeval mt[2];
+	struct timespec mt[2];

-	if (LSTAT (src, &sb) == -1) {
+	if (fstatat(src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
 		/* If we cannot stat the file, do not care. */
 	} else {
 #ifdef HAVE_STRUCT_STAT_ST_ATIM
 		mt[0].tv_sec  = sb.st_atim.tv_sec;
-		mt[0].tv_usec = sb.st_atim.tv_nsec / 1000;
+		mt[0].tv_nsec = sb.st_atim.tv_nsec;
 #else				/* !HAVE_STRUCT_STAT_ST_ATIM */
 		mt[0].tv_sec  = sb.st_atime;
 # ifdef HAVE_STRUCT_STAT_ST_ATIMENSEC
-		mt[0].tv_usec = sb.st_atimensec / 1000;
+		mt[0].tv_nsec = sb.st_atimensec;
 # else				/* !HAVE_STRUCT_STAT_ST_ATIMENSEC */
-		mt[0].tv_usec = 0;
+		mt[0].tv_nsec = 0;
 # endif				/* !HAVE_STRUCT_STAT_ST_ATIMENSEC */
 #endif				/* !HAVE_STRUCT_STAT_ST_ATIM */

 #ifdef HAVE_STRUCT_STAT_ST_MTIM
 		mt[1].tv_sec  = sb.st_mtim.tv_sec;
-		mt[1].tv_usec = sb.st_mtim.tv_nsec / 1000;
+		mt[1].tv_nsec = sb.st_mtim.tv_nsec;
 #else				/* !HAVE_STRUCT_STAT_ST_MTIM */
 		mt[1].tv_sec  = sb.st_mtime;
 # ifdef HAVE_STRUCT_STAT_ST_MTIMENSEC
-		mt[1].tv_usec = sb.st_mtimensec / 1000;
+		mt[1].tv_nsec = sb.st_mtimensec;
 # else				/* !HAVE_STRUCT_STAT_ST_MTIMENSEC */
-		mt[1].tv_usec = 0;
+		mt[1].tv_nsec = 0;
 # endif				/* !HAVE_STRUCT_STAT_ST_MTIMENSEC */
 #endif				/* !HAVE_STRUCT_STAT_ST_MTIM */

@@ -396,7 +448,6 @@ static int copy_entry (const char *src, const char *dst,
 			                old_uid, new_uid, old_gid, new_gid);
 		}

-#ifdef	S_IFLNK
 		/*
 		 * Copy any symbolic links
 		 */
@@ -405,13 +456,12 @@ static int copy_entry (const char *src, const char *dst,
 			err = copy_symlink (src, dst, reset_selinux, &sb, mt,
 			                    old_uid, new_uid, old_gid, new_gid);
 		}
-#endif				/* S_IFLNK */

 		/*
 		 * See if this is a previously copied link
 		 */

-		else if ((lp = check_link (src, &sb)) != NULL) {
+		else if ((lp = check_link (src->full_path, &sb)) != NULL) {
 			err = copy_hardlink (dst, reset_selinux, lp);
 		}

@@ -450,9 +500,9 @@ static int copy_entry (const char *src, const char *dst,
 *
 *	Return 0 on success, -1 on error.
 */
-static int copy_dir (const char *src, const char *dst,
+static int copy_dir (const struct path_info *src, const struct path_info *dst,
                     bool reset_selinux,
-                     const struct stat *statp, const struct timeval mt[],
+                     const struct stat *statp, const struct timespec mt[],
                     uid_t old_uid, uid_t new_uid,
                     gid_t old_gid, gid_t new_gid)
 {
@@ -464,19 +514,18 @@ static int copy_dir (const char *src, const char *dst,
 	 */

 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, S_IFDIR) != 0) {
+	if (set_selinux_file_context (dst->full_path, S_IFDIR) != 0) {
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
-	if (   (mkdir (dst, statp->st_mode) != 0)
-	    || (chown_if_needed (dst, statp,
+	if (   (mkdirat (dst->dirfd, dst->name, 0700) != 0)
+	    || (chownat_if_needed (dst, statp,
 	                         old_uid, new_uid, old_gid, new_gid) != 0)
+	    || (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
 #ifdef WITH_ACL
-	    || (   (perm_copy_file (src, dst, &ctx) != 0)
+	    || (   (perm_copy_path (src, dst, &ctx) != 0)
 	        && (errno != 0))
-#else				/* !WITH_ACL */
-	    || (chmod (dst, statp->st_mode) != 0)
-#endif				/* !WITH_ACL */
+#endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
@@ -486,19 +535,18 @@ static int copy_dir (const char *src, const char *dst,
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
-	        && (attr_copy_file (src, dst, NULL, &ctx) != 0)
+	        && (attr_copy_path (src, dst, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
-	    || (copy_tree (src, dst, false, reset_selinux,
+	    || (copy_tree_impl (src, dst, false, reset_selinux,
 	                   old_uid, new_uid, old_gid, new_gid) != 0)
-	    || (utimes (dst, mt) != 0)) {
+	    || (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0)) {
 		err = -1;
 	}

 	return err;
 }

-#ifdef	S_IFLNK
 /*
 * readlink_malloc - wrapper for readlink
 *
@@ -545,9 +593,9 @@ static /*@null@*/char *readlink_malloc (const char *filename)
 *
 *	Return 0 on success, -1 on error.
 */
-static int copy_symlink (const char *src, const char *dst,
+static int copy_symlink (const struct path_info *src, const struct path_info *dst,
                         unused bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                         uid_t old_uid, uid_t new_uid,
                         gid_t old_gid, gid_t new_gid)
 {
@@ -565,7 +613,7 @@ static int copy_symlink (const char *src, const char *dst,
 	 * destination directory name.
 	 */

-	oldlink = readlink_malloc (src);
+	oldlink = readlink_malloc (src->full_path);
 	if (NULL == oldlink) {
 		return -1;
 	}
@@ -585,13 +633,13 @@ static int copy_symlink (const char *src, const char *dst,
 	}

 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, S_IFLNK) != 0) {
+	if (set_selinux_file_context (dst->full_path, S_IFLNK) != 0) {
 		free (oldlink);
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
-	if (   (symlink (oldlink, dst) != 0)
-	    || (lchown_if_needed (dst, statp,
+	if (   (symlinkat (oldlink, dst->dirfd, dst->name) != 0)
+	    || (chownat_if_needed (dst, statp,
 	                          old_uid, new_uid, old_gid, new_gid) != 0)) {
 		/* FIXME: there are no modes on symlinks, right?
 		 *        ACL could be copied, but this would be much more
@@ -605,18 +653,12 @@ static int copy_symlink (const char *src, const char *dst,
 	}
 	free (oldlink);

-#ifdef HAVE_LUTIMES
-	/* 2007-10-18: We don't care about
-	 *  exit status of lutimes because
-	 *  it returns ENOSYS on many system
-	 *  - not implemented
-	 */
-	(void) lutimes (dst, mt);
-#endif				/* HAVE_LUTIMES */
+	if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
+		return -1;
+	}

 	return 0;
 }
-#endif				/* S_IFLNK */

 /*
 * copy_hardlink - copy a hardlink
@@ -625,13 +667,13 @@ static int copy_symlink (const char *src, const char *dst,
 *
 *	Return 0 on success, -1 on error.
 */
-static int copy_hardlink (const char *dst,
+static int copy_hardlink (const struct path_info *dst,
                          unused bool reset_selinux,
                          struct link_name *lp)
 {
 	/* FIXME: selinux, ACL, Extended Attributes needed? */

-	if (link (lp->ln_name, dst) != 0) {
+	if (linkat (AT_FDCWD, lp->ln_name, dst->dirfd, dst->name, 0) != 0) {
 		return -1;
 	}

@@ -655,29 +697,28 @@ static int copy_hardlink (const char *dst,
 *
 *	Return 0 on success, -1 on error.
 */
-static int copy_special (const char *src, const char *dst,
+static int copy_special (const struct path_info *src, const struct path_info *dst,
                         bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                         uid_t old_uid, uid_t new_uid,
                         gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;

 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, statp->st_mode & S_IFMT) != 0) {
+	if (set_selinux_file_context (dst->full_path, statp->st_mode & S_IFMT) != 0) {
 		return -1;
 	}
 #endif				/* WITH_SELINUX */

-	if (   (mknod (dst, statp->st_mode & ~07777, statp->st_rdev) != 0)
-	    || (chown_if_needed (dst, statp,
+	if (   (mknodat (dst->dirfd, dst->name, statp->st_mode & ~07777U, statp->st_rdev) != 0)
+	    || (chownat_if_needed (dst, statp,
 	                         old_uid, new_uid, old_gid, new_gid) != 0)
+	    || (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
 #ifdef WITH_ACL
-	    || (   (perm_copy_file (src, dst, &ctx) != 0)
+	    || (   (perm_copy_path (src, dst, &ctx) != 0)
 	        && (errno != 0))
-#else				/* !WITH_ACL */
-	    || (chmod (dst, statp->st_mode & 07777) != 0)
-#endif				/* !WITH_ACL */
+#endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
@@ -687,16 +728,52 @@ static int copy_special (const char *src, const char *dst,
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
-	        && (attr_copy_file (src, dst, NULL, &ctx) != 0)
+	        && (attr_copy_path (src, dst, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
-	    || (utimes (dst, mt) != 0)) {
+		|| (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0)) {
 		err = -1;
 	}

 	return err;
 }

+/*
+ * full_write - write entire buffer
+ *
+ * Write up to count bytes from the buffer starting at buf to the
+ * file referred to by the file descriptor fd.
+ * Retry in case of a short write.
+ *
+ * Returns the number of bytes written on success, -1 on error.
+ */
+static ssize_t full_write(int fd, const void *buf, size_t count) {
+	ssize_t written = 0;
+
+	while (count > 0) {
+		ssize_t res;
+
+		res = write(fd, buf, count);
+		if (res < 0) {
+			if (errno == EINTR) {
+				continue;
+			}
+
+			return res;
+		}
+
+		if (res == 0) {
+			break;
+		}
+
+		written += res;
+		buf = (const unsigned char*)buf + res;
+		count -= (size_t)res;
+	}
+
+	return written;
+}
+
 /*
 * copy_file - copy a file
 *
@@ -707,38 +784,35 @@ static int copy_special (const char *src, const char *dst,
 *
 *	Return 0 on success, -1 on error.
 */
-static int copy_file (const char *src, const char *dst,
+static int copy_file (const struct path_info *src, const struct path_info *dst,
                      bool reset_selinux,
-                      const struct stat *statp, const struct timeval mt[],
+                      const struct stat *statp, const struct timespec mt[],
                      uid_t old_uid, uid_t new_uid,
                      gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
 	int ifd;
 	int ofd;
-	char buf[1024];
-	ssize_t cnt;

-	ifd = open (src, O_RDONLY|O_NOFOLLOW);
+	ifd = openat (src->dirfd, src->name, O_RDONLY|O_NOFOLLOW|O_CLOEXEC);
 	if (ifd < 0) {
 		return -1;
 	}
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, S_IFREG) != 0) {
+	if (set_selinux_file_context (dst->full_path, S_IFREG) != 0) {
 		(void) close (ifd);
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
-	ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, statp->st_mode & 07777);
+	ofd = openat (dst->dirfd, dst->name, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
 	if (   (ofd < 0)
 	    || (fchown_if_needed (ofd, statp,
 	                          old_uid, new_uid, old_gid, new_gid) != 0)
-#ifdef WITH_ACL
-	    || (   (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0)
-	        && (errno != 0))
-#else				/* !WITH_ACL */
 	    || (fchmod (ofd, statp->st_mode & 07777) != 0)
-#endif				/* !WITH_ACL */
+#ifdef WITH_ACL
+	    || (   (perm_copy_fd (src->full_path, ifd, dst->full_path, ofd, &ctx) != 0)
+	        && (errno != 0))
+#endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
@@ -748,7 +822,7 @@ static int copy_file (const char *src, const char *dst,
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
-	        && (attr_copy_fd (src, ifd, dst, ofd, NULL, &ctx) != 0)
+	        && (attr_copy_fd (src->full_path, ifd, dst->full_path, ofd, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
 	   ) {
@@ -759,8 +833,24 @@ static int copy_file (const char *src, const char *dst,
 		return -1;
 	}

-	while ((cnt = read (ifd, buf, sizeof buf)) > 0) {
-		if (write (ofd, buf, (size_t)cnt) != cnt) {
+	while (true) {
+		char buf[8192];
+		ssize_t cnt;
+
+		cnt = read (ifd, buf, sizeof buf);
+		if (cnt < 0) {
+			if (errno == EINTR) {
+				continue;
+			}
+			(void) close (ofd);
+			(void) close (ifd);
+			return -1;
+		}
+		if (cnt == 0) {
+			break;
+		}
+
+		if (full_write (ofd, buf, (size_t)cnt) < 0) {
 			(void) close (ofd);
 			(void) close (ifd);
 			return -1;
@@ -768,23 +858,13 @@ static int copy_file (const char *src, const char *dst,
 	}

 	(void) close (ifd);
-
-#ifdef HAVE_FUTIMES
-	if (futimes (ofd, mt) != 0) {
-		(void) close (ofd);
-		return -1;
-	}
-#endif				/* HAVE_FUTIMES */
-
 	if (close (ofd) != 0) {
 		return -1;
 	}

-#ifndef HAVE_FUTIMES
-	if (utimes(dst, mt) != 0) {
+	if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
 		return -1;
 	}
-#endif				/* !HAVE_FUTIMES */

 	return err;
 }
@@ -819,7 +899,70 @@ static int chown_function ## _if_needed (type_dst dst,                 \
 	return chown_function (dst, tmpuid, tmpgid);                   \
 }

-def_chown_if_needed (chown, const char *)
-def_chown_if_needed (lchown, const char *)
 def_chown_if_needed (fchown, int)

+static int chownat_if_needed (const struct path_info *dst,
+							  const struct stat *statp,
+                              uid_t old_uid, uid_t new_uid,
+                              gid_t old_gid, gid_t new_gid)
+{
+	uid_t tmpuid = (uid_t) -1;
+	gid_t tmpgid = (gid_t) -1;
+
+	/* Use new_uid if old_uid is set to -1 or if the file was
+	 * owned by the user. */
+	if (((uid_t) -1 == old_uid) || (statp->st_uid == old_uid)) {
+		tmpuid = new_uid;
+	}
+	/* Otherwise, or if new_uid was set to -1, we keep the same
+	 * owner. */
+	if ((uid_t) -1 == tmpuid) {
+		tmpuid = statp->st_uid;
+	}
+
+	if (((gid_t) -1 == old_gid) || (statp->st_gid == old_gid)) {
+		tmpgid = new_gid;
+	}
+	if ((gid_t) -1 == tmpgid) {
+		tmpgid = statp->st_gid;
+	}
+
+	return fchownat (dst->dirfd, dst->name, tmpuid, tmpgid, AT_SYMLINK_NOFOLLOW);
+}
+
+/*
+ * copy_tree - copy files in a directory tree
+ *
+ *	copy_tree() walks a directory tree and copies ordinary files
+ *	as it goes.
+ *
+ *	When reset_selinux is enabled, extended attributes (and thus
+ *	SELinux attributes) are not copied.
+ *
+ *	old_uid and new_uid are used to set the ownership of the copied
+ *	files. Unless old_uid is set to -1, only the files owned by
+ *	old_uid have their ownership changed to new_uid. In addition, if
+ *	new_uid is set to -1, no ownership will be changed.
+ *
+ *	The same logic applies for the group-ownership and
+ *	old_gid/new_gid.
+ */
+int copy_tree (const char *src_root, const char *dst_root,
+               bool copy_root, bool reset_selinux,
+               uid_t old_uid, uid_t new_uid,
+               gid_t old_gid, gid_t new_gid)
+{
+	const struct path_info src = {
+		.full_path = src_root,
+		.dirfd = AT_FDCWD,
+		.name = src_root
+	};
+	const struct path_info dst = {
+		.full_path = dst_root,
+		.dirfd = AT_FDCWD,
+		.name = dst_root
+	};
+
+	return copy_tree_impl(&src, &dst, copy_root, reset_selinux,
+						  old_uid, new_uid, old_gid, new_gid);
+}
--- a/libmisc/find_new_gid.c
+++ b/libmisc/find_new_gid.c
@@ -60,6 +60,13 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
                            (unsigned long) *max_id);
 			return EINVAL;
 		}
+		/*
+		 * Zero is reserved for root and the allocation algorithm does not
+		 * work right with it.
+		 */
+		if (*min_id == 0) {
+			*min_id = (gid_t) 1;
+		}
 	} else {
 		/* Non-system groups */

--- a/libmisc/find_new_uid.c
+++ b/libmisc/find_new_uid.c
@@ -60,6 +60,13 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
                            (unsigned long) *max_id);
 			return EINVAL;
 		}
+		/*
+		 * Zero is reserved for root and the allocation algorithm does not
+		 * work right with it.
+		 */
+		if (*min_id == 0) {
+			*min_id = (uid_t) 1;
+		}
 	} else {
 		/* Non-system users */

--- a/libmisc/remove_tree.c
+++ b/libmisc/remove_tree.c
@@ -11,6 +11,7 @@

 #ident "$Id$"

+#include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -21,6 +22,72 @@
 #include "prototypes.h"
 #include "defines.h"

+static int remove_tree_at (int at_fd, const char *path, bool remove_root)
+{
+	DIR *dir;
+	const struct dirent *ent;
+	int dir_fd, rc = 0;
+
+	dir_fd = openat (at_fd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+	if (dir_fd < 0) {
+		return -1;
+	}
+
+	dir = fdopendir (dir_fd);
+	if (!dir) {
+		(void) close (dir_fd);
+		return -1;
+	}
+
+	/*
+	 * Open the source directory and delete each entry.
+	 */
+	while ((ent = readdir (dir))) {
+		struct stat ent_sb;
+
+		/*
+		 * Skip the "." and ".." entries
+		 */
+		if (strcmp (ent->d_name, ".") == 0 ||
+		    strcmp (ent->d_name, "..") == 0) {
+			continue;
+		}
+
+		rc = fstatat (dirfd(dir), ent->d_name, &ent_sb, AT_SYMLINK_NOFOLLOW);
+		if (rc < 0) {
+			break;
+		}
+
+		if (S_ISDIR (ent_sb.st_mode)) {
+			/*
+			 * Recursively delete this directory.
+			 */
+			if (remove_tree_at (dirfd(dir), ent->d_name, true) != 0) {
+				rc = -1;
+				break;
+			}
+		} else {
+			/*
+			 * Delete the file.
+			 */
+			if (unlinkat (dirfd(dir), ent->d_name, 0) != 0) {
+				rc = -1;
+				break;
+			}
+		}
+	}
+
+	(void) closedir (dir);
+
+	if (remove_root && (0 == rc)) {
+		if (unlinkat (at_fd, path, AT_REMOVEDIR) != 0) {
+			rc = -1;
+		}
+	}
+
+	return rc;
+}
+
 /*
 * remove_tree - delete a directory tree
 *
@@ -28,83 +95,7 @@
 *	and directories.
 *	At the end, it deletes the root directory itself.
 */
-
 int remove_tree (const char *root, bool remove_root)
 {
-	char *new_name = NULL;
-	int err = 0;
-	struct dirent *ent;
-	struct stat sb;
-	DIR *dir;
-
-	/*
-	 * Open the source directory and read each entry.  Every file
-	 * entry in the directory is copied with the UID and GID set
-	 * to the provided values.  As an added security feature only
-	 * regular files (and directories ...) are copied, and no file
-	 * is made set-ID.
-	 */
-	dir = opendir (root);
-	if (NULL == dir) {
-		return -1;
-	}
-
-	while ((ent = readdir (dir))) {
-		size_t new_len = strlen (root) + strlen (ent->d_name) + 2;
-
-		/*
-		 * Skip the "." and ".." entries
-		 */
-
-		if (strcmp (ent->d_name, ".") == 0 ||
-		    strcmp (ent->d_name, "..") == 0) {
-			continue;
-		}
-
-		/*
-		 * Make the filename for the current entry.
-		 */
-
-		free (new_name);
-		new_name = (char *) malloc (new_len);
-		if (NULL == new_name) {
-			err = -1;
-			break;
-		}
-		(void) snprintf (new_name, new_len, "%s/%s", root, ent->d_name);
-		if (LSTAT (new_name, &sb) == -1) {
-			continue;
-		}
-
-		if (S_ISDIR (sb.st_mode)) {
-			/*
-			 * Recursively delete this directory.
-			 */
-			if (remove_tree (new_name, true) != 0) {
-				err = -1;
-				break;
-			}
-		} else {
-			/*
-			 * Delete the file.
-			 */
-			if (unlink (new_name) != 0) {
-				err = -1;
-				break;
-			}
-		}
-	}
-	if (NULL != new_name) {
-		free (new_name);
-	}
-	(void) closedir (dir);
-
-	if (remove_root && (0 == err)) {
-		if (rmdir (root) != 0) {
-			err = -1;
-		}
-	}
-
-	return err;
+	return remove_tree_at (AT_FDCWD, root, remove_root);
 }
-
--- a/libmisc/utmp.c
+++ b/libmisc/utmp.c
@@ -19,6 +19,7 @@
 #endif

 #include <assert.h>
+#include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
--- a/libmisc/xmalloc.c
+++ b/libmisc/xmalloc.c
@@ -44,10 +44,3 @@
 {
 	return strcpy (xmalloc (strlen (str) + 1), str);
 }
-
-void xfree(void *ap)
-{
-	if (ap) {
-		free(ap);
-	}
-}
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -17,6 +17,31 @@
 #include "subid.h"
 #include "shadowlog.h"

+bool subid_init(const char *progname, FILE * logfd)
+{
+	FILE *shadow_logfd;
+	if (progname) {
+		progname = strdup(progname);
+		if (!progname)
+			return false;
+		log_set_progname(progname);
+	} else {
+		log_set_progname("(libsubid)");
+	}
+
+	if (logfd) {
+		log_set_logfd(logfd);
+		return true;
+	}
+	shadow_logfd = fopen("/dev/null", "w");
+	if (!shadow_logfd) {
+		log_set_logfd(stderr);
+		return false;
+	}
+	log_set_logfd(shadow_logfd);
+	return true;
+}
+
 static
 int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
 {
--- a/libsubid/subid.h.in
+++ b/libsubid/subid.h.in
@@ -39,6 +39,22 @@ enum subid_status {
 extern "C" {
 #endif

+/*
+ * subid_init: initialize libsubid
+ *
+ * @progname: Name to display as program.  If NULL, then "(libsubid)" will be
+ *            shown in error messages.
+ * @logfd:    Open file pointer to pass error messages to.  If NULL, then
+ *            /dev/null will be opened and messages will be sent there.  The
+ *            default if libsubid_init() is not called is stderr (2).
+ *
+ * This function does not need to be called.  If not called, then the defaults
+ * will be used.
+ *
+ * Returns false if an error occurred.
+ */
+bool subid_init(const char *progname, FILE *logfd);
+
 /*
 * subid_get_uid_ranges: return a list of UID ranges for a user
 *
--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
@@ -64,10 +64,12 @@
      files as needed.
    </para>
     <para>
-       Groupnames must start with a lower case letter or an underscore,
-       followed by lower case letters, digits, underscores, or dashes.
-       They can end with a dollar sign.
-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+       Groupnames may contain only lower and upper case letters, digits,
+       underscores, or dashes. They can end with a dollar sign.
+
+       Dashes are not allowed at the beginning of the groupname.
+       Fully numeric groupnames and groupnames . or .. are
+       also disallowed.
     </para>
     <para>
       Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -248,7 +248,7 @@
 	    command line), useradd will set the primary group of the new
 	    user to the value specified by the <option>GROUP</option>
 	    variable in <filename>/etc/default/useradd</filename>, or
-	    100 by default.
+	    1000 by default.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -522,7 +522,7 @@
            the system will use the <option>SHELL</option> variable specified
 	    in <filename>/etc/default/useradd</filename>, or, if that is as
 	    well not set, the field for the login shell in <filename>/etc/passwd
-	    </filename>remains empty.
+	    </filename> remains empty.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -692,10 +692,14 @@
    </para>

    <para>
-      Usernames must start with a lower case letter or an underscore,
-      followed by lower case letters, digits, underscores, or dashes.
-      They can end with a dollar sign.
-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+      Usernames may contain only lower and upper case letters, digits,
+      underscores, or dashes. They can end with a dollar sign.
+
+      Dashes are not allowed at the beginning of the username.
+      Fully numeric usernames and usernames . or .. are
+      also disallowed. It is not recommended to use usernames beginning
+      with . character as their home directories will be hidden in
+      the <command>ls</command> output.
    </para>
    <para>
      Usernames may only be up to 32 characters long.
--- a/po/LINGUAS
+++ b/po/LINGUAS
@@ -15,6 +15,7 @@ hu
 id
 it
 ja
+ka
 kk
 km
 ko
--- a/po/ka.po
+++ b/po/ka.po
--- a/po/nl.po
+++ b/po/nl.po
@@ -1,14 +1,14 @@
 # dutch po-file for shadow
 # Copyright (C) 2004 Free Software Foundation, Inc.
 # Bart Cornelis <cobaco@linux.be>, 2004, 2006.
-# Frans Spiesschaert <Frans.Spiesschaert@yucom.be>, 2014-2021.
+# Frans Spiesschaert <Frans.Spiesschaert@yucom.be>, 2014-2022.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: shadow 4.9\n"
+"Project-Id-Version: shadow 4.12.2\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2022-07-27 22:49+0800\n"
-"PO-Revision-Date: 2021-09-13 21:00+0200\n"
+"PO-Revision-Date: 2022-09-27 17:08+0200\n"
 "Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
 "Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
 "Language: nl\n"
@@ -541,10 +541,10 @@ msgstr "%s: optie '%s' vereist een argument\n"
 msgid "%s: failed to drop privileges (%s)\n"
 msgstr "%s: afgeven van rechten is mislukt (%s)\n"

-#, fuzzy, c-format
-#| msgid "%s: invalid chroot path '%s'\n"
+#, c-format
 msgid "%s: invalid chroot path '%s', only absolute paths are supported.\n"
-msgstr "%s: ongeldig chroot-pad '%s'\n"
+msgstr ""
+"%s: ongeldig chroot-pad '%s', enkel absolute paden worden ondersteund.\n"

 #, c-format
 msgid "%s: cannot access chroot directory %s: %s\n"
@@ -1800,9 +1800,8 @@ msgstr ""
 "%s: Doelproces %u is van een andere gebruiker: uid:%lu pw_uid:%lu st_uid:"
 "%lu, gid:%lu pw_gid:%lu st_gid:%lu\n"

-#, fuzzy
 msgid "  -b, --badname                 allow bad names\n"
-msgstr "  -b, --badname                slechte namen toestaan\n"
+msgstr "  -b, --badname                 slechte namen toestaan\n"

 msgid "  -r, --system                  create system accounts\n"
 msgstr "  -r, --system                  systeem-accounts aanmaken\n"
@@ -1993,10 +1992,9 @@ msgstr "Het wachtwoord van %s kan niet veranderd worden.\n"
 msgid "The password for %s cannot be changed yet.\n"
 msgstr "Het wachtwoord van %s kan nog niet veranderd worden.\n"

-#, fuzzy, c-format
-#| msgid "%s: shadow passwords required for -e\n"
+#, c-format
 msgid "%s: malformed password data obtained for user %s\n"
-msgstr "%s: shadow-wachtwoorden zijn vereist voor -e\n"
+msgstr "%s: misvormde wachtwoordgegevens verkregen voor gebruiker %s\n"

 #, c-format
 msgid ""
@@ -2070,10 +2068,9 @@ msgstr "ongeldige regel in het wachtwoordbestand"
 msgid "duplicate password entry"
 msgstr "identieke regel in wachtwoordbestand"

-#, fuzzy, c-format
-#| msgid "%s: invalid user name '%s': use --badname to ignore\n"
+#, c-format
 msgid "invalid user name '%s': use --badname to ignore\n"
-msgstr "%s: ongeldige gebruikersnaam '%s': gebruik --badname om te negeren\n"
+msgstr "ongeldige gebruikersnaam '%s': gebruik --badname om te negeren\n"

 #, c-format
 msgid "invalid user ID '%lu'\n"
@@ -2295,10 +2292,9 @@ msgstr "%s: de %s-instellingen in %s zullen genegeerd worden\n"
 msgid "%s: cannot create new defaults file: %s\n"
 msgstr "%s: kan geen nieuw bestand met standaardwaarden aanmaken: %s\n"

-#, fuzzy, c-format
-#| msgid "%s: cannot create new defaults file\n"
+#, c-format
 msgid "%s: cannot create directory for defaults file\n"
-msgstr "%s: kan geen nieuw bestand met standaardwaarden aanmaken\n"
+msgstr "%s: kan geen map aanmaken voor bestand met standaardwaarden\n"

 #, c-format
 msgid "%s: cannot create new defaults file\n"
@@ -2346,9 +2342,8 @@ msgstr ""
 "\n"
 "Opties:\n"

-#, fuzzy
 msgid "      --badname                 do not check for bad names\n"
-msgstr "      --badname                niet op slechte namen controleren\n"
+msgstr "      --badname                 niet op slechte namen controleren\n"

 msgid ""
 "  -b, --base-dir BASE_DIR       base directory for the home directory of "
@@ -2599,14 +2594,9 @@ msgstr ""
 msgid "Setting mailbox file permissions"
 msgstr "Bestandsrechten van postvak-bestand worden ingesteld"

-#, fuzzy, c-format
-#| msgid ""
-#| "%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d "
-#| "range.\n"
+#, c-format
 msgid "%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"
-msgstr ""
-"%s waarschuwing: %s zijn/haar uid %d valt buiten het bereik SYS_UID_MIN %d "
-"en SYS_UID_MAX %d.\n"
+msgstr "%s waarschuwing: %s zijn/haar uid %d is groter dan SYS_UID_MAX %d.\n"

 #, c-format
 msgid ""
@@ -2828,20 +2818,13 @@ msgstr ""
 "  -p, --password WACHTWOORD     versleuteld wachtwoord als nieuw wachtwoord\n"
 "                                gebruiken\n"

-#, fuzzy
-#| msgid ""
-#| "  -a, --append                  append the user to the supplemental "
-#| "GROUPS\n"
-#| "                                mentioned by the -G option without "
-#| "removing\n"
-#| "                                the user from other groups\n"
 msgid ""
 "  -r, --remove                  remove the user from only the supplemental "
 "GROUPS\n"
 "                                mentioned by the -G option without removing\n"
 "                                the user from other groups\n"
 msgstr ""
-"  -a, --append                  gebruiker toevoegen aan de bijkomende "
+"  -r, --remove                  gebruiker verwijderen uit de bijkomende "
 "GROEPEN,\n"
 "                                vermeld bij de optie -G, zonder hem/haar\n"
 "                                te verwijderen uit andere groepen\n"
@@ -2907,7 +2890,7 @@ msgstr "%s: geen opties\n"

 #, c-format
 msgid "%s: %s and %s are mutually exclusive flags\n"
-msgstr ""
+msgstr "%s: %s en %s zijn elkaar uitsluitende vlaggen\n"

 #, c-format
 msgid "%s: the -L, -p, and -U flags are exclusive\n"
@@ -3082,22 +3065,3 @@ msgstr "%s: kan %s niet herstellen: %s (uw aanpassingen staan in %s)\n"
 #, c-format
 msgid "%s: failed to find tcb directory for %s\n"
 msgstr "%s: tcb-map van %s vinden is mislukt\n"
-
-#~ msgid "Usage: id\n"
-#~ msgstr "Gebruik: id\n"
-
-#, c-format
-#~ msgid "Last login: %.19s on %s"
-#~ msgstr "Laatst aangemeld: %.19s om %s"
-
-#, c-format
-#~ msgid "%s: invalid user name '%s'\n"
-#~ msgstr "%s: ongeldige gebruikersnaam '%s'\n"
-
-#, c-format
-#~ msgid "%s: password expiry information changed.\n"
-#~ msgstr "%s: gegevens in verband met wachtwoordverloop zijn gewijzigd.\n"
-
-#, c-format
-#~ msgid "invalid user name '%s'\n"
-#~ msgstr "ongeldige gebruikersnaam '%s'\n"
--- a/src/chage.c
+++ b/src/chage.c
@@ -228,7 +228,7 @@ static void print_date (time_t date)
 	if (NULL == tp) {
 		(void) printf ("time_t: %lu\n", (unsigned long)date);
 	} else {
-		(void) strftime (buf, sizeof buf, iflg ? "%%Y-%%m-%%d" : "%%b %%d, %%Y", tp);
+		(void) strftime (buf, sizeof buf, iflg ? "%Y-%m-%d" : "%b %d, %Y", tp);
 		(void) puts (buf);
 	}
 }
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -1186,17 +1186,11 @@ int main (int argc, char **argv)

 #ifdef SHADOWGRP
 	if (is_shadowgrp) {
-		if (sgent.sg_adm) {
-			xfree(sgent.sg_adm);
-		}
-		if (sgent.sg_mem) {
-			xfree(sgent.sg_mem);
-		}
+		free(sgent.sg_adm);
+		free(sgent.sg_mem);
 	}
 #endif
-	if (grent.gr_mem) {
-		xfree(grent.gr_mem);
-	}
+	free(grent.gr_mem);
 	exit (E_SUCCESS);
 }

--- a/src/lastlog.c
+++ b/src/lastlog.c
@@ -150,9 +150,12 @@ static void print_one (/*@null@*/const struct passwd *pw)

 	ll_time = ll.ll_time;
 	tm = localtime (&ll_time);
-	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-	cp = ptime;
-
+	if (tm == NULL) {
+		cp = "(unknown)";
+	} else {
+		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+		cp = ptime;
+	}
 	if (ll.ll_time == (time_t) 0) {
 		cp = _("**Never logged in**\0");
 	}
--- a/src/login.c
+++ b/src/login.c
@@ -419,9 +419,7 @@ static void get_pam_user (char **ptr_pam_user)
 	retcode = pam_get_item (pamh, PAM_USER, (const void **)&ptr_user);
 	PAM_FAIL_CHECK;

-	if (NULL != *ptr_pam_user) {
-		free (*ptr_pam_user);
-	}
+	free (*ptr_pam_user);
 	if (NULL != ptr_user) {
 		*ptr_pam_user = xstrdup ((const char *)ptr_user);
 	} else {
@@ -872,9 +870,7 @@ int main (int argc, char **argv)
 	 * PAM APIs.
 	 */
 	get_pam_user (&pam_user);
-	if (NULL != username) {
-		free (username);
-	}
+	free (username);
 	username = xstrdup (pam_user);
 	failent_user = get_failent_user (username);

--- a/src/newusers.c
+++ b/src/newusers.c
@@ -285,8 +285,7 @@ static int add_group (const char *name, const char *gid, gid_t *ngid, uid_t uid)
 		fprintf (stderr,
 		         _("%s: invalid group name '%s'\n"),
 		         Prog, grent.gr_name);
-		if (grent.gr_name)
-			free (grent.gr_name);
+		free (grent.gr_name);
 		return -1;
 	}

--- a/src/sulogin.c
+++ b/src/sulogin.c
@@ -216,7 +216,7 @@ static void catch_signals (unused int sig)
 		sleep (2);
 		(void) puts (_("Login incorrect"));
 	}
-	strzero (pass);
+	memzero (pass, sizeof pass);
 	(void) alarm (0);
 	(void) signal (SIGALRM, SIG_DFL);
 	environ = newenvp;	/* make new environment active */
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1996,8 +1996,9 @@ static void faillog_reset (uid_t uid)
 	struct faillog fl;
 	int fd;
 	off_t offset_uid = (off_t) (sizeof fl) * uid;
+	struct stat st;

-	if (access (FAILLOG_FILE, F_OK) != 0) {
+	if (stat (FAILLOG_FILE, &st) != 0 || st.st_size <= offset_uid) {
 		return;
 	}

@@ -2033,8 +2034,9 @@ static void lastlog_reset (uid_t uid)
 	int fd;
 	off_t offset_uid = (off_t) (sizeof ll) * uid;
 	uid_t max_uid;
+	struct stat st;

-	if (access (LASTLOG_FILE, F_OK) != 0) {
+	if (stat (LASTLOG_FILE, &st) != 0 || st.st_size <= offset_uid) {
 		return;
 	}

@@ -2370,7 +2372,7 @@ static void create_mail (void)
 		if (NULL == spool) {
 			return;
 		}
-		file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2);
+		file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3);
 		if (prefix[0])
 			sprintf (file, "%s/%s/%s", prefix, spool, user_name);
 		else
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -716,7 +716,7 @@ static void update_group (void)
 		* If rflg+Gflg  is passed in AKA -rG invert is_member flag, which removes
 		* mentioned groups while leaving the others.
 		*/
-		if (Gflg && rflg && was_member) {
+		if (Gflg && rflg) {
 			is_member = !is_member;
 		}

@@ -765,7 +765,7 @@ static void update_group (void)
 				         "delete '%s' from group '%s'",
 				         user_name, ngrp->gr_name));
 			}
-		} else {
+		} else if (is_member) {
 			/* User was not a member but is now a member this
 			 * group.
 			 */
@@ -839,7 +839,7 @@ static void update_gshadow (void)
 		* If rflg+Gflg  is passed in AKA -rG invert is_member, to remove targeted
 		* groups while leaving the user apart of groups not mentioned
 		*/
-		if (Gflg && rflg && was_member) {
+		if (Gflg && rflg) {
 			is_member = !is_member;
 		}

@@ -1882,6 +1882,11 @@ static void move_home (void)
 			         Prog, prefix_user_home, prefix_user_newhome);
 			fail_exit (E_HOMEDIR);
 		}
+	} else {
+		fprintf (stderr,
+		         _("%s: The previous home directory (%s) does not "
+		           "exist or is inaccessible. Move cannot be completed.\n"),
+		         Prog, prefix_user_home);
 	}
 }
Author	SHA1	Message	Date
Serge Hallyn	24b44b686e	Release 4.13 Signed-off-by: Serge Hallyn <serge@hallyn.com>	2022-11-08 10:29:30 -06:00
Serge Hallyn	690bd8a878	update changelog	2022-11-08 10:28:10 -06:00
Serge Hallyn	90424e7c20	Don't warn when failed to open /etc/nsswitch.conf Maybe we should have a debug mode where it's still printed, but we don't, so let's be quieter. Closes #557	2022-11-08 10:18:17 -06:00
David Michael	eaebea55a4	useradd: Fix buffer overflow when using a prefix The buffer length did not count the string's trailing null byte. Signed-off-by: David Michael <fedora.dm0@gmail.com>	2022-10-24 16:15:13 -05:00
Alejandro Colomar	0336454503	adduser-old.c: Remove program This program has 10 calls to gets(3) according to grep(1). That makes it a very unsafe program which should not be used at all. Let's kill the program already. See what gets(3) has to say: SYNOPSIS #include <stdio.h> [[deprecated]] char gets(char s); DESCRIPTION Never use this function. ... BUGS Never use gets(). Because it is impossible to tell with‐ out knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is ex‐ tremely dangerous to use. It has been used to break com‐ puter security. Use fgets() instead. For more information, see CWE‐242 (aka "Use of Inherently Dangerous Function") at http://cwe.mitre.org/data/defini‐ tions/242.html Acked-by: "Serge E. Hallyn" <serge@hallyn.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>	2022-10-17 09:06:08 -05:00
Iker Pedrosa	16afe18142	Raise limit for passwd and shadow entry length Moreover, include checks to prevent writing entries longer than the length limit. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1422497 Signed-off-by: Tomáš Mráz <tm@t8m.info> Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>	2022-10-14 10:41:40 +02:00
Iker Pedrosa	fbf275da19	lastlog: check for localtime() return value Signed-off-by: Tomáš Mráz <tm@t8m.info> Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>	2022-10-07 09:53:02 -05:00
Iker Pedrosa	1e5f9a72b0	man: add missing space in useradd.8.xml Resolves: https://github.com/shadow-maint/shadow/issues/580 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>	2022-10-07 12:35:35 +02:00
xyz	e5db28a4bf	fix `usermod -rG x y` while user `y` is not in group `x` will cause user `y` add into group `x`	2022-10-06 20:29:44 -05:00
Iker Pedrosa	d324c6776b	libmisc: minimum id check for system accounts The minimum id allocation for system accounts shouldn't be 0 as this is reserved for root. Signed-off-by: Tomáš Mráz <tm@t8m.info> Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>	2022-10-06 20:09:35 -05:00
Iker Pedrosa	ead03afeba	usermod: report error if homedir does not exist Report error if usermod asked for moving homedir and it does not exist. Signed-off-by: Tomáš Mráz <tm@t8m.info> Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>	2022-10-06 20:08:51 -05:00
Xiami	e503fd574b	chage: Fix regression in print_date Introduced by `c6c8130db4` After removing snprintf, the format string should get unescaped once. Fixes #564 Reporter and patch author: DerMouse (github.com/DerMouse)	2022-10-05 12:43:45 +02:00
Alejandro Colomar	3dc1754e50	Use libc MAX() and MIN() glibc, musl, FreeBSD, and OpenBSD define the MAX() and MIN() macros in <sys/param.h> with the same definition that we use. Let's not redefine it here and use the system one, as it's effectively the same as we define (modulo whitespace). See: shadow (previously): alx@asus5775:~/src/shadow/shadow$ grepc -ktm MAX ./lib/defines.h:318:#define MAX(x,y) (((x) > (y)) ? (x) : (y)) glibc: alx@asus5775:~/src/gnu/glibc$ grepc -ktm -x 'sys/param.h$' MAX ./misc/sys/param.h:103:#define MAX(a,b) (((a)>(b))?(a):(b)) musl: alx@asus5775:~/src/musl/musl$ grepc -ktm -x 'sys/param.h$' MAX ./include/sys/param.h:19:#define MAX(a,b) (((a)>(b))?(a):(b)) OpenBSD: alx@asus5775:~/src/bsd/openbsd/src$ grepc -ktm -x 'sys/param.h$' MAX ./sys/sys/param.h:193:#define MAX(a,b) (((a)>(b))?(a):(b)) FreeBSD: alx@asus5775:~/src/bsd/freebsd/freebsd-src$ grepc -ktm -x 'sys/param.h$' MAX ./sys/sys/param.h:333:#define MAX(a,b) (((a)>(b))?(a):(b)) Signed-off-by: Alejandro Colomar <alx@kernel.org>	2022-09-30 16:13:36 -05:00
Alex Colomar	0d9799de04	Don't test for NULL before calling free(3) free(3) accepts NULL, since the oldest ISO C. I guess the paranoid code was taking care of prehistoric implementations of free(3). I've never known of an implementation that doesn't conform to this, so let's simplify this. Remove xfree(3), which was effectively an equivalent of free(3). Signed-off-by: Alejandro Colomar <alx@kernel.org>	2022-09-29 16:03:53 +02:00
Frans Spiesschaert	1b0e189e35	updated Dutch translation	2022-09-27 16:01:31 -05:00
Christian Göttsche	8e53db927a	lib: use memzero where applicable Use memzero when operating in a buffer of known size to clear all bytes and avoid leaking the size of the stored data.	2022-09-27 16:52:06 +02:00
Christian Göttsche	e74bfe2c75	lib: use strzero where applicable Replace `memzero (s, strlen(s))` with just the internal wrapper `strzero (s)` where the underlying allocated size is not known.	2022-09-27 16:52:06 +02:00
Luca BRUNO	14e7caf6b2	lib/commonio: make lock failures more detailed This tweaks the database locking logic so that failures in the link-checking paths are more detailed. The rationale for this is that I've experienced a non-deterministic bug which seems to be coming from this logic, and I'd like to get more details about the actual failing condition.	2022-09-15 10:31:13 -05:00
Samanta Navarro	cde221b858	copy_tree: carefully treat permissions The setuid, setgid, and sticky bits are not copied during copy_tree. Also start with very restrictive permissions before setting ownerships. This prevents situations in which users in a group with less permissions than others could win a race in opening the file before permissions are removed again. Proof of concept: $ echo $HOME /home/uwu $ install -o uwu -g fandom -m 604 /dev/null /home/uwu/owo $ ls -l /home/uwu/owo -rw----r-- 1 uwu fandom 0 Sep 4 00:00 /home/uwu/owo If /tmp is on another filesystem, then "usermod -md /tmp/uwu uwu" leads to this temporary situation: $ ls -l /tmp/uwu/owo -rw----r-- 1 root root 0 Sep 4 00:00 /tmp/uwu/owo This means that between openat and chownat_if_needed a user of group fandom could open /tmp/uwu/owo and read the content when it is finally written into the file.	2022-09-14 10:11:32 +02:00
Jan Macku	f33e7def06	ci(lint): add shell linter - Differential ShellCheck It performs differential ShellCheck scans and report results directly in pull request. documentation: https://github.com/redhat-plumbers-in-action/differential-shellcheck Signed-off-by: Jan Macku <jamacku@redhat.com>	2022-09-12 19:29:24 -05:00
Samanta Navarro	10cd68e0f0	copy_tree: do not block on fifos Fixes regression introduced in `faeab50e71`. If a directory contains fifos, then openat blocks until the other side of the fifo is connected as well. This means that users can prevent "usermod -m" from completing if their home directories contain at least one fifo.	2022-09-09 15:19:12 +02:00
Samanta Navarro	f3bdb28e57	copy_tree: use fchmodat instead of chmod Fixes regression introduced in `faeab50e71` for setups configured without acl support.	2022-09-09 15:19:12 +02:00
genBTC	23634d8de7	useradd: check MLS enablement before setting serange Resolves: https://github.com/shadow-maint/shadow/issues/552	2022-09-02 20:29:34 -05:00
Alexander Kanavin	cfc981df2a	shadow: use relaxed usernames The groupadd from shadow does not allow upper case group names, the same is true for the upstream shadow. But distributions like Debian/Ubuntu/CentOS has their own way to cope with this problem, this patch is picked up from Fedora [1] to relax the usernames restrictions to allow the upper case group names, and the relaxation is POSIX compliant because POSIX indicate that usernames are composed of characters from the portable filename character set [A-Za-z0-9._-]. [1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8-goodname.patch Signed-off-by: Alexander Kanavin <alex@linutronix.de>	2022-09-02 20:27:14 -05:00
NorwayFun	9e1c0ffef4	po: Georgian translation po: Georgian translation	2022-09-02 20:21:42 -05:00
NorwayFun	78378400b9	po: Georgian translation po: Georgian translation	2022-09-02 20:21:42 -05:00
David Kalnischkies	ebf9b232b0	useradd: Do not reset non-existent data in {last,fail}log useradd does not create the files if they don't exist, but if they exist it will reset user data even if the data did not exist before creating a hole and an explicitly zero'd data point resulting (especially for high UIDs) in a lot of zeros ending up in containers and tarballs.	2022-08-31 16:13:46 +02:00
Serge Hallyn	7136e24f8a	Revert "Drop unused function subid_init()" As rbalint points out, this was an exported fn. It also is the only way for a libsubid user to do what it does, so let's not drop it. This reverts commit `477c8e6f42`.	2022-08-21 13:20:56 -05:00
Tim Biermann	eb3562f3c0	useradd.8.xml: fix default group id from 100 to 1000 according to `bbf4b79`	2022-08-21 13:17:38 -05:00
Serge Hallyn	238aa92948	Release 4.12.2 with CVE fix Signed-off-by: Serge Hallyn <serge@hallyn.com>	2022-08-18 16:54:21 -05:00
Christian Göttsche	faeab50e71	Avoid races in copy_tree() Use at() functions to pin the directory operating in to avoid being redirected by unprivileged users replacing parts of paths by symlinks to privileged files. Introduce a path_info struct with the full path and dirfd and name information for at() functions, since the full path is needed for link resolution, SELinux label lookup and ACL attributes.	2022-08-17 12:34:01 -05:00
Christian Göttsche	6cbec2d0aa	Address minor compiler warnings copydir.c:666:44: warning: unsigned conversion from 'int' to '__mode_t' {aka 'unsigned int'} changes value from '-4096' to '4294963200' [-Wsign-conversion] 666 \| if ( (mknod (dst, statp->st_mode & ~07777, statp->st_rdev) != 0) \| ^ copydir.c:116:1: warning: missing initializer for field 'quote' of 'struct error_context' [-Wmissing-field-initializers] 116 \| }; \| ^ In file included from copydir.c:27: /usr/include/attr/error_context.h:30:23: note: 'quote' declared here 30 \| const char (quote) (struct error_context , const char ); \| ^~~~~	2022-08-17 12:34:01 -05:00
Christian Göttsche	f606314f0c	More robust file content copy in copy_tree() Bail out on read(2) failure, continue on EINTR, support short writes and increase chunk size.	2022-08-17 12:34:01 -05:00
Christian Göttsche	1d281273b1	Fail if regular file pre-exists in copy_tree() Similar to the default behavior of mkdir(2), symlink(2), link(2) and mknod(2).	2022-08-17 12:34:01 -05:00
Christian Göttsche	dab764d019	Require symlink support Require lstat(2), lchown(2), S_IFLNK and S_ISLNK from POSIX.1-2001. Already unconditionally used in lib/tcbfuncs.c and lib/run_part.c.	2022-08-17 12:34:01 -05:00
Christian Göttsche	f6f8bcd2a5	Avoid races in remove_tree() Use *at() functions to pin the directory operating in to avoid being redirected by unprivileged users replacing parts of paths by symlinks to privileged files.	2022-08-17 12:34:01 -05:00
Christian Göttsche	e9ae247cb1	Avoid races in chown_tree() Use *at() functions to pin the directory operating in to avoid being redirected by unprivileged users replacing parts of paths by symlinks to privileged files.	2022-08-17 12:34:01 -05:00