configure.ac: release 4.8.1

This is mainly to revert the --sbindir/--bindir commit which broke some
distros

Signed-off-by: Serge Hallyn <shallyn@cisco.com>

ChangeLog

@@ -1,3 +1,23 @@
+2020-01-23  Serge Hallyn <serge@hallyn.com>
+
+	* selinux: inclue stdio (Michael Vetter)
+	* man: don't suggest making groupmems user-writeable (Michael Weiser)
+	* Makefile: bail out on error in for loops (Wolfgang Bumiller)
+	* Adding logging of SSH_ORIGINAL_COMMAND to nologin. (ed@s5h.net)
+	* add new HOME_MODE login.defs option (Duncan Overbruck)
+	* Add tty logging to useradd (ed@s5h.net)
+	* Useradd: make non-executable shell check only a warning (Tomas Mraz)
+	* Update Dutch translation (Frans-Spiesschaert)
+	* user_busy: Do not mistake a regular user process for a namespaced one (Tomas Mraz)
+	* Revert "Honor --sbindir and --bindir for binary installation" Patrick McLean)
+
+2019-12-20  Dave Reisner <dreisner@archlinux.org>
+
+	* Do not auto-enable acct_tools_setuid just because
+	  pam is enabled.  NOTE - any distros which are relying
+	  on this behavior will need to switch to configure
+	  --enable-account-tools-setuid
+
 2019-12-01  Serge Hallyn <serge@hallyn.com>
 
 	* Release 4.8

README

@@ -11,16 +11,16 @@ Releases
 	https://github.com/shadow-maint/shadow/releases
 
 Mailing lists
-	for general discuss: pkg-shadow-devel@lists.alioth.debian.org
-	commit list: pkg-shadow-commits@lists.alioth.debian.org
+	for general discuss: pkg-shadow-devel@alioth-lists.debian.net
+	commit list: pkg-shadow-commits@alioth-lists.debian.net
 
 Mailing lists subscription
-	http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-devel
-	http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-commits
+	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel
+	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-commits
 
 Mailing lists archives:
-	http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/
-	http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/
+	http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/
+	http://alioth-lists.debian.net/pipermail/pkg-shadow-commits/
 
 S/Key support:
 	Shadow can be built with S/Key support using the S/Key package from:
@@ -90,6 +90,7 @@ Martin Bene <mb@sime.com>
 Martin Mares <mj@gts.cz>
 Michael Meskes <meskes@topsystem.de>
 Michael Talbot-Wilson <mike@calypso.bns.com.au>
+Michael Vetter <jubalh@iodoru.org>
 Mike Frysinger <vapier@gentoo.org>
 Mike Pakovic <mpakovic@users.southeast.net>
 Nicolas François <nicolas.francois@centraliens.net>

configure.ac

@@ -1,6 +1,6 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ([2.64])
-AC_INIT([shadow], [4.8], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.8.1], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
 AM_SILENT_RULES([yes])
@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
 	   *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
 	   ;;
 	 esac],
-	[enable_acct_tools_setuid="maybe"]
+	[enable_acct_tools_setuid="no"]
 )
 
 AC_ARG_ENABLE(utmpx,

etc/login.defs

@@ -195,12 +195,17 @@ KILLCHAR	025
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
+# home directories if HOME_MODE is not set.
 # 022 is the default value, but 027, or even 077, could be considered
 # for increased privacy. There is no One True Answer here: each sysadmin
 # must make up their mind.
 UMASK		022
 
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE	0700
+
 #
 # Password aging controls:
 #

lib/getdef.c

@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
 	{"FAKE_SHELL", NULL},
 	{"GID_MAX", NULL},
 	{"GID_MIN", NULL},
+	{"HOME_MODE", NULL},
 	{"HUSHLOGIN_FILE", NULL},
 	{"KILLCHAR", NULL},
 	{"LASTLOG_UID_MAX", NULL},

lib/selinux.c

@@ -31,13 +31,13 @@
 
 #ifdef WITH_SELINUX
 
+#include <stdio.h>
 #include "defines.h"
 
 #include <selinux/selinux.h>
 #include <selinux/context.h>
 #include "prototypes.h"
 
-
 static bool selinux_checked = false;
 static bool selinux_enabled;
 

libmisc/btrfs.c

@@ -7,7 +7,6 @@
 
 static bool path_exists(const char *p)
 {
-	int ret;
 	struct stat sb;
 
 	return stat(p, &sb) == 0;

libmisc/prefix_flag.c

@@ -166,7 +166,7 @@ extern struct group *prefix_getgrnam(const char *name)
 		fg = fopen(group_db_file, "rt");
 		if(!fg)
 			return NULL;
-		while(grp = fgetgrent(fg)) {
+		while((grp = fgetgrent(fg)) != NULL) {
 			if(!strcmp(name, grp->gr_name))
 				break;
 		}
@@ -186,7 +186,7 @@ extern struct group *prefix_getgrgid(gid_t gid)
 		fg = fopen(group_db_file, "rt");
 		if(!fg)
 			return NULL;
-		while(grp = fgetgrent(fg)) {
+		while((grp = fgetgrent(fg)) != NULL) {
 			if(gid == grp->gr_gid)
 				break;
 		}
@@ -206,7 +206,7 @@ extern struct passwd *prefix_getpwuid(uid_t uid)
 		fg = fopen(passwd_db_file, "rt");
 		if(!fg)
 			return NULL;
-		while(pwd = fgetpwent(fg)) {
+		while((pwd = fgetpwent(fg)) != NULL) {
 			if(uid == pwd->pw_uid)
 				break;
 		}
@@ -226,7 +226,7 @@ extern struct passwd *prefix_getpwnam(const char* name)
 		fg = fopen(passwd_db_file, "rt");
 		if(!fg)
 			return NULL;
-		while(pwd = fgetpwent(fg)) {
+		while((pwd = fgetpwent(fg)) != NULL) {
 			if(!strcmp(name, pwd->pw_name))
 				break;
 		}
@@ -246,7 +246,7 @@ extern struct spwd *prefix_getspnam(const char* name)
 		fg = fopen(spw_db_file, "rt");
 		if(!fg)
 			return NULL;
-		while(sp = fgetspent(fg)) {
+		while((sp = fgetspent(fg)) != NULL) {
 			if(!strcmp(name, sp->sp_namp))
 				break;
 		}

libmisc/user_busy.c

@@ -39,6 +39,7 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <fcntl.h>
+#include <unistd.h>
 #include "defines.h"
 #include "prototypes.h"
 #ifdef ENABLE_SUBIDS
@@ -106,6 +107,31 @@ static int user_busy_utmp (const char *name)
 #endif				/* !__linux__ */
 
 #ifdef __linux__
+#ifdef ENABLE_SUBIDS
+#define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
+static int different_namespace (const char *sname)
+{
+	/* 41: /proc/xxxxxxxxxx/task/xxxxxxxxxx/ns/user + \0 */
+	char path[41];
+	char buf[512], buf2[512];
+	ssize_t llen1, llen2;
+
+	snprintf (path, 41, "/proc/%s/ns/user", sname);
+
+	if ((llen1 = readlink (path, buf, sizeof(buf))) == -1)
+		return 0;
+
+	if ((llen2 = readlink ("/proc/self/ns/user", buf2, sizeof(buf2))) == -1)
+		return 0;
+
+	if (llen1 == llen2 && memcmp (buf, buf2, llen1) == 0)
+		return 0; /* same namespace */
+
+	return 1;
+}
+#endif                          /* ENABLE_SUBIDS */
+
+
 static int check_status (const char *name, const char *sname, uid_t uid)
 {
 	/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
@@ -114,7 +140,6 @@ static int check_status (const char *name, const char *sname, uid_t uid)
 	FILE *sfile;
 
 	snprintf (status, 40, "/proc/%s/status", sname);
-	status[39] = '\0';
 
 	sfile = fopen (status, "r");
 	if (NULL == sfile) {
@@ -123,26 +148,29 @@ static int check_status (const char *name, const char *sname, uid_t uid)
 	while (fgets (line, sizeof (line), sfile) == line) {
 		if (strncmp (line, "Uid:\t", 5) == 0) {
 			unsigned long ruid, euid, suid;
+
 			assert (uid == (unsigned long) uid);
+			(void) fclose (sfile);
 			if (sscanf (line,
 			            "Uid:\t%lu\t%lu\t%lu\n",
 			            &ruid, &euid, &suid) == 3) {
 				if (   (ruid == (unsigned long) uid)
 				    || (euid == (unsigned long) uid)
-				    || (suid == (unsigned long) uid)
-#ifdef ENABLE_SUBIDS
-				    || have_sub_uids(name, ruid, 1)
-				    || have_sub_uids(name, euid, 1)
-				    || have_sub_uids(name, suid, 1)
-#endif				/* ENABLE_SUBIDS */
-				   ) {
-					(void) fclose (sfile);
+				    || (suid == (unsigned long) uid) ) {
 					return 1;
 				}
+#ifdef ENABLE_SUBIDS
+				if (    different_namespace (sname)
+				     && (   have_sub_uids(name, ruid, 1)
+				         || have_sub_uids(name, euid, 1)
+				         || have_sub_uids(name, suid, 1))
+				   ) {
+					return 1;
+				}
+#endif				/* ENABLE_SUBIDS */
 			} else {
 				/* Ignore errors. This is just a best effort. */
 			}
-			(void) fclose (sfile);
 			return 0;
 		}
 	}

man/cs/man8/groupmems.8

@@ -46,7 +46,7 @@ Vypíše seznam členů skupiny.
 Příkaz
 \fBgroupmems\fR
 by měl mít nastavena práva
-2770
+2710
 a měl by jej vlastnit uživatel
 \fIroot\fR
 a skupina
@@ -58,7 +58,7 @@ spravovat členství ve skupinách.
 .sp
 .nf
 	$ groupadd \-r groups
-	$ chmod 2770 groupmems
+	$ chmod 2710 groupmems
 	$ chown root.groups groupmems
 	$ groupmems \-g groups \-a gk4
 

man/groupmems.8.xml

@@ -180,7 +180,7 @@
     <title>SETUP</title>
     <para>
       The <command>groupmems</command> executable should be in mode
-      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
       <emphasis>groups</emphasis>. The system administrator can add users to
       group <emphasis>groups</emphasis> to allow or disallow them using the
       <command>groupmems</command> utility to manage their own group
@@ -189,7 +189,7 @@
 
     <programlisting>
 	$ groupadd -r groups
-	$ chmod 2770 groupmems
+	$ chmod 2710 groupmems
 	$ chown root.groups groupmems
 	$ groupmems -g groups -a gk4
     </programlisting>

man/login.defs.5.xml

@@ -50,6 +50,7 @@
 <!ENTITY FAKE_SHELL            SYSTEM "login.defs.d/FAKE_SHELL.xml">
 <!ENTITY FTMP_FILE             SYSTEM "login.defs.d/FTMP_FILE.xml">
 <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
 <!ENTITY HUSHLOGIN_FILE        SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
 <!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
 <!ENTITY KILLCHAR              SYSTEM "login.defs.d/KILLCHAR.xml">
@@ -185,6 +186,7 @@
       &FAKE_SHELL;
       &FTMP_FILE;
       &GID_MAX; <!-- documents also GID_MIN -->
+      &HOME_MODE;
       &HUSHLOGIN_FILE;
       &ISSUE_FILE;
       &KILLCHAR;
@@ -401,6 +403,7 @@
 	    ENCRYPT_METHOD
 	    GID_MAX GID_MIN
 	    MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+	    HOME_MODE
 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
 	    SHA_CRYPT_MIN_ROUNDS</phrase>
@@ -481,6 +484,7 @@
 	  <para>
 	    CREATE_HOME
 	    GID_MAX GID_MIN
+	    HOME_MODE
 	    LASTLOG_UID_MAX
 	    MAIL_DIR MAX_MEMBERS_PER_GROUP
 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE

man/login.defs.d/HOME_MODE.xml

@@ -0,0 +1,43 @@
+<!--
+   Copyright (c) 1991 - 1993, Julianne Frances Haugh
+   Copyright (c) 1991 - 1993, Chip Rosenthal
+   Copyright (c) 2007 - 2009, Nicolas François
+   All rights reserved.
+  
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+  
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+  <term><option>HOME_MODE</option> (number)</term>
+  <listitem>
+    <para>
+      The mode for new home directories. If not specified,
+      the <option>UMASK</option> is used to create the mode.
+    </para>
+    <para>
+      <command>useradd</command> and <command>newusers</command> use this
+      to set the mode of the home directory they create.
+    </para>
+  </listitem>
+</varlistentry>

man/login.defs.d/UMASK.xml

@@ -37,7 +37,8 @@
     </para>
     <para>
       <command>useradd</command> and <command>newusers</command> use this
-      mask to set the mode of the home directory they create
+      mask to set the mode of the home directory they create if
+      <option>HOME_MODE</option> is not set.
     </para>
     <para condition="no_pam">
       It is also used by <command>login</command> to define users' initial

man/newgidmap.1.xml

@@ -33,6 +33,13 @@
 ]>
 
 <refentry id='newgidmap.1'>
+  <refentryinfo>
+    <author>
+      <firstname>Eric</firstname>
+      <surname>Biederman</surname>
+      <contrib>Creation, 2013</contrib>
+    </author>
+  </refentryinfo>
   <refmeta>
     <refentrytitle>newgidmap</refentrytitle>
     <manvolnum>1</manvolnum>

man/newuidmap.1.xml

@@ -33,6 +33,13 @@
 ]>
 
 <refentry id='newuidmap.1'>
+  <refentryinfo>
+    <author>
+      <firstname>Eric</firstname>
+      <surname>Biederman</surname>
+      <contrib>Creation, 2013</contrib>
+    </author>
+  </refentryinfo>
   <refmeta>
     <refentrytitle>newuidmap</refentrytitle>
     <manvolnum>1</manvolnum>

man/newusers.8.xml

@@ -32,6 +32,7 @@
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
 <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
 <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
 <!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
 <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
@@ -382,6 +383,7 @@
     </variablelist>
     <variablelist>
       &GID_MAX; <!-- documents also GID_MIN -->
+      &HOME_MODE;
       &MAX_MEMBERS_PER_GROUP;
     </variablelist>
     <variablelist condition="no_pam">

man/nologin.8.xml

@@ -72,6 +72,9 @@
       <citerefentry><refentrytitle>nologin</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>.
     </para>
+    <para>
+      If <command>SSH_ORIGINAL_COMMAND</command> is populated it will be logged.
+    </para>
   </refsect1>
 
   <refsect1 id='see_also'>

man/po/da.po

@@ -6980,7 +6980,7 @@ msgstr ""
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
@@ -6992,7 +6992,7 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "

man/po/de.po

@@ -8878,14 +8878,14 @@ msgstr "EINRICHTUNG"
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
 "utility to manage their own group membership list."
 msgstr ""
 "Die ausführbare Datei <command>groupmems</command> sollte die Rechte "
-"<literal>2770</literal> haben und dem Benutzer <emphasis>root</emphasis> und "
+"<literal>2710</literal> haben und dem Benutzer <emphasis>root</emphasis> und "
 "der Gruppe <emphasis>groups</emphasis> gehören. Der Systemadministrator kann "
 "Benutzer der Gruppe <emphasis>groups</emphasis> hinzufügen, um ihnen zu "
 "ermöglichen, mit <command>groupmems</command> die Mitgliederliste ihrer "
@@ -8896,14 +8896,14 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "
 msgstr ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "

man/po/fr.po

@@ -8701,14 +8701,14 @@ msgstr "CONFIGURATION"
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
 "utility to manage their own group membership list."
 msgstr ""
 "L'exécutable <command>groupmems</command> doit être installé en mode "
-"<literal>2770</literal> avec pour utilisateur <emphasis>root</emphasis> et "
+"<literal>2710</literal> avec pour utilisateur <emphasis>root</emphasis> et "
 "pour groupe <emphasis>groups</emphasis>. L'administrateur système peut "
 "ajouter des utilisateurs au groupe <emphasis>groups</emphasis> pour leur "
 "permettre ou leur interdire d'utiliser <command>groupmems</command> pour "
@@ -8719,14 +8719,14 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "
 msgstr ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "

man/po/it.po

@@ -9254,14 +9254,14 @@ msgstr "CONFIGURAZIONE"
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
 "utility to manage their own group membership list."
 msgstr ""
 "L'eseguibile <command>groupmems</command> dovrebbe avere i permessi "
-"<literal>2770</literal> ed essere di proprietà di <emphasis>root</emphasis> "
+"<literal>2710</literal> ed essere di proprietà di <emphasis>root</emphasis> "
 "e del gruppo <emphasis>groups</emphasis>. L'amministratore di sistema può "
 "aggiungere utenti al gruppo <emphasis>groups</emphasis> per permettere loro "
 "di poter gestire l'elenco di membri del proprio gruppo tramite il comando "
@@ -9272,14 +9272,14 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "
 msgstr ""
 "\n"
 "        $ groupadd -r groups\n"
-"        $ chmod 2770 groupmems\n"
+"        $ chmod 2710 groupmems\n"
 "        $ chown root.groups groupmems\n"
 "        $ groupmems -g groups -a gk4\n"
 "    "

man/po/pl.po

@@ -7558,7 +7558,7 @@ msgstr ""
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
@@ -7570,14 +7570,14 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "
 msgstr ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "

man/po/ru.po

@@ -9292,14 +9292,14 @@ msgstr "НАСТРОЙКА"
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
 "utility to manage their own group membership list."
 msgstr ""
 "Исполняемый файл программы <command>groupmems</command> должен иметь права "
-"<literal>2770</literal>, принадлежать пользователю <emphasis>root</emphasis> "
+"<literal>2710</literal>, принадлежать пользователю <emphasis>root</emphasis> "
 "и группе <emphasis>groups</emphasis>. Системный администратор может "
 "добавлять пользователей в группу <emphasis>groups</emphasis>, разрешая или "
 "запрещая им запускать программу <command>groupmems</command> для управления "
@@ -9311,14 +9311,14 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "
 msgstr ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "

man/po/shadow-man-pages.pot

@@ -4233,12 +4233,12 @@ msgid "SETUP"
 msgstr ""
 
 #: groupmems.8.xml:181(para)
-msgid "The <command>groupmems</command> executable should be in mode <literal>2770</literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</emphasis>. The system administrator can add users to group <emphasis>groups</emphasis> to allow or disallow them using the <command>groupmems</command> utility to manage their own group membership list."
+msgid "The <command>groupmems</command> executable should be in mode <literal>2710</literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</emphasis>. The system administrator can add users to group <emphasis>groups</emphasis> to allow or disallow them using the <command>groupmems</command> utility to manage their own group membership list."
 msgstr ""
 
 #: groupmems.8.xml:190(programlisting)
 #, no-wrap
-msgid "\n\t$ groupadd -r groups\n\t$ chmod 2770 groupmems\n\t$ chown root.groups groupmems\n\t$ groupmems -g groups -a gk4\n    "
+msgid "\n\t$ groupadd -r groups\n\t$ chmod 2710 groupmems\n\t$ chown root.groups groupmems\n\t$ groupmems -g groups -a gk4\n    "
 msgstr ""
 
 #: groupmems.8.xml:222(para)

man/po/sv.po

@@ -7780,7 +7780,7 @@ msgstr ""
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
@@ -7792,14 +7792,14 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "
 msgstr ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "

man/po/zh_CN.po

@@ -7960,7 +7960,7 @@ msgstr ""
 
 #: groupmems.8.xml:181(para)
 msgid ""
-"The <command>groupmems</command> executable should be in mode <literal>2770</"
+"The <command>groupmems</command> executable should be in mode <literal>2710</"
 "literal> as user <emphasis>root</emphasis> and in group <emphasis>groups</"
 "emphasis>. The system administrator can add users to group <emphasis>groups</"
 "emphasis> to allow or disallow them using the <command>groupmems</command> "
@@ -7972,14 +7972,14 @@ msgstr ""
 msgid ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "
 msgstr ""
 "\n"
 "\t$ groupadd -r groups\n"
-"\t$ chmod 2770 groupmems\n"
+"\t$ chmod 2710 groupmems\n"
 "\t$ chown root.groups groupmems\n"
 "\t$ groupmems -g groups -a gk4\n"
 "    "

man/subgid.5.xml

@@ -32,6 +32,13 @@
 <!-- SHADOW-CONFIG-HERE -->
 ]>
 <refentry id='subgid.5'>
+  <refentryinfo>
+    <author>
+      <firstname>Eric</firstname>
+      <surname>Biederman</surname>
+      <contrib>Creation, 2013</contrib>
+    </author>
+  </refentryinfo>
   <refmeta>
     <refentrytitle>subgid</refentrytitle>
     <manvolnum>5</manvolnum>

man/subuid.5.xml

@@ -32,6 +32,13 @@
 <!-- SHADOW-CONFIG-HERE -->
 ]>
 <refentry id='subuid.5'>
+  <refentryinfo>
+    <author>
+      <firstname>Eric</firstname>
+      <surname>Biederman</surname>
+      <contrib>Creation, 2013</contrib>
+    </author>
+  </refentryinfo>
   <refmeta>
     <refentrytitle>subuid</refentrytitle>
     <manvolnum>5</manvolnum>

man/useradd.8.xml

@@ -32,6 +32,7 @@
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY CREATE_HOME           SYSTEM "login.defs.d/CREATE_HOME.xml">
 <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
 <!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
 <!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
 <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
@@ -681,6 +682,7 @@
     <variablelist>
       &CREATE_HOME;
       &GID_MAX; <!-- documents also GID_MIN -->
+      &HOME_MODE;
       &LASTLOG_UID_MAX;
       &MAIL_DIR;
       &MAX_MEMBERS_PER_GROUP;

man/usermod.8.xml

@@ -118,16 +118,6 @@
 	  </para>
 	</listitem>
       </varlistentry>
-      <varlistentry>
-	<term>
-	  <option>-b</option>, <option>--badnames</option>
-	</term>
-	<listitem>
-	  <para>
-	    Allow names that do not conform to standards.
-	  </para>
-	</listitem>
-      </varlistentry>
       <varlistentry>
 	<term>
 	  <option>-c</option>, <option>--comment</option>&nbsp;<replaceable>COMMENT</replaceable>

po/fr.po

@@ -9701,14 +9701,14 @@ msgstr ""
 
 #~ msgid ""
 #~ "The <command>groupmems</command> executable should be in mode "
-#~ "<literal>2770</literal> as user <emphasis>root</emphasis> and in group "
+#~ "<literal>2710</literal> as user <emphasis>root</emphasis> and in group "
 #~ "<emphasis>groups</emphasis>. The system administrator can add users to "
 #~ "group <emphasis>groups</emphasis> to allow or disallow them using the "
 #~ "<command>groupmems</command> utility to manage their own group membership "
 #~ "list."
 #~ msgstr ""
 #~ "L'exécutable <command>groupmems</command> doit être installé en mode "
-#~ "<literal>2770</literal> avec pour utilisateur <emphasis>root</emphasis> "
+#~ "<literal>2710</literal> avec pour utilisateur <emphasis>root</emphasis> "
 #~ "et pour groupe <emphasis>groups</emphasis>. L'administrateur système peut "
 #~ "ajouter des utilisateurs au groupe <emphasis>groups</emphasis> pour leur "
 #~ "permettre ou leur interdire d'utiliser <command>groupmems</command> pour "
@@ -9717,14 +9717,14 @@ msgstr ""
 #~ msgid ""
 #~ "\n"
 #~ "\t$ groupadd -r groups\n"
-#~ "\t$ chmod 2770 groupmems\n"
+#~ "\t$ chmod 2710 groupmems\n"
 #~ "\t$ chown root.groups groupmems\n"
 #~ "\t$ groupmems -g groups -a gk4\n"
 #~ "    "
 #~ msgstr ""
 #~ "\n"
 #~ "\t$ groupadd -r groups\n"
-#~ "\t$ chmod 2770 groupmems\n"
+#~ "\t$ chmod 2710 groupmems\n"
 #~ "\t$ chown root.groups groupmems\n"
 #~ "\t$ groupmems -g groups -a gk4\n"
 #~ "    "

src/Makefile.am

@@ -2,8 +2,8 @@
 EXTRA_DIST = \
 	.indent.pro
 
-ubindir = ${bindir}
-usbindir = ${sbindir}
+ubindir = ${prefix}/bin
+usbindir = ${prefix}/sbin
 suidperms = 4755
 sgidperms = 2755
 
@@ -136,17 +136,17 @@ install-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 	ln -sf newgrp	$(DESTDIR)$(ubindir)/sg
 	ln -sf vipw	$(DESTDIR)$(usbindir)/vigr
-	for i in $(suidbins); do \
+	set -e; for i in $(suidbins); do \
 		chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
 	done
-	for i in $(suidubins); do \
+	set -e; for i in $(suidubins); do \
 		chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done
-	for i in $(suidusbins); do \
+	set -e; for i in $(suidusbins); do \
 		chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
 	done
 if WITH_TCB
-	for i in $(shadowsgidubins); do \
+	set -e; for i in $(shadowsgidubins); do \
 		chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
 		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done

src/faillog.c

@@ -561,7 +561,7 @@ static void set_locktime (long locktime)
 int main (int argc, char **argv)
 {
 	long fail_locktime;
-	short fail_max;
+	short fail_max = 0; // initialize to silence compiler warning
 	long days;
 
 	/*

src/login.c

@@ -235,7 +235,7 @@ static void bad_time_notify (void)
 
 static void check_nologin (bool login_to_root)
 {
-	char *fname;
+	const char *fname;
 
 	/*
 	 * Check to see if system is turned off for non-root users.
@@ -375,7 +375,7 @@ static void process_flags (int argc, char *const *argv)
 static void init_env (void)
 {
 #ifndef USE_PAM
-	char *cp;
+	const char *cp;
 #endif
 	char *tmp;
 

src/newgrp.c

@@ -400,6 +400,7 @@ int main (int argc, char **argv)
 	int err = 0;
 	gid_t gid;
 	char *cp;
+	char *progbase;
 	const char *name, *prog;
 	char *group = NULL;
 	char *command = NULL;
@@ -806,7 +807,7 @@ int main (int argc, char **argv)
 	 * Now I try to find the basename of the login shell. This will
 	 * become argv[0] of the spawned command.
 	 */
-	cp = Basename ((char *) prog);
+	progbase = (char *) Basename ((char *) prog);
 
 	/*
 	 * Switch back to her home directory if i am doing login
@@ -844,7 +845,7 @@ int main (int argc, char **argv)
 	 * Exec the login shell and go away. We are trying to get back to
 	 * the previous environment which should be the user's login shell.
 	 */
-	err = shell (prog, initflag ? (char *) 0 : cp, newenvp);
+	err = shell (prog, initflag ? (char *) 0 : progbase, newenvp);
 	exit ((err == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
 	/*@notreached@*/
       failure:

src/newusers.c

@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
 		if (   ('\0' != fields[5][0])
 		    && (access (newpw.pw_dir, F_OK) != 0)) {
 /* FIXME: should check for directory */
-			mode_t msk = 0777 & ~getdef_num ("UMASK",
-			                                 GETDEF_DEFAULT_UMASK);
-			if (mkdir (newpw.pw_dir, msk) != 0) {
+			mode_t mode = getdef_num ("HOME_MODE",
+			                          0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+			if (mkdir (newpw.pw_dir, mode) != 0) {
 				fprintf (stderr,
 				         _("%s: line %d: mkdir %s failed: %s\n"),
 				         Prog, line, newpw.pw_dir,

src/nologin.c

@@ -45,9 +45,14 @@ int main (void)
 	if (NULL == user) {
 		user = "UNKNOWN";
 	}
+
+	char *ssh_origcmd = getenv("SSH_ORIGINAL_COMMAND");
 	uid = getuid (); /* getuid() is always successful */
 	openlog ("nologin", LOG_CONS, LOG_AUTH);
-	syslog (LOG_CRIT, "Attempted login by %s (UID: %d) on %s", user, uid, tty);
+	syslog (LOG_CRIT, "Attempted login by %s (UID: %d) on %s%s%s",
+	        user, uid, tty,
+		(ssh_origcmd ? " SSH_ORIGINAL_COMMAND=" : ""),
+		(ssh_origcmd ? ssh_origcmd : ""));
 	closelog ();
 
 	printf ("%s", "This account is currently not available.\n");

src/useradd.c

@@ -223,7 +223,7 @@ static void open_files (void);
 static void open_shadow (void);
 static void faillog_reset (uid_t);
 static void lastlog_reset (uid_t);
-static void tallylog_reset (char *);
+static void tallylog_reset (const char *);
 static void usr_update (void);
 static void create_home (void);
 static void create_mail (void);
@@ -1328,15 +1328,22 @@ static void process_flags (int argc, char **argv)
 				if (   ( !VALID (optarg) )
 				    || (   ('\0' != optarg[0])
 				        && ('/'  != optarg[0])
-				        && ('*'  != optarg[0]) )
-				    || (stat(optarg, &st) != 0)
-				    || (S_ISDIR(st.st_mode))
-				    || (access(optarg, X_OK) != 0)) {
+				        && ('*'  != optarg[0]) )) {
 					fprintf (stderr,
 					         _("%s: invalid shell '%s'\n"),
 					         Prog, optarg);
 					exit (E_BAD_ARG);
 				}
+				if (    '\0' != optarg[0]
+				     && '*'  != optarg[0]
+				     && strcmp(optarg, "/sbin/nologin") != 0
+				     && (   stat(optarg, &st) != 0
+				         || S_ISDIR(st.st_mode)
+				         || access(optarg, X_OK) != 0)) {
+					fprintf (stderr,
+					         _("%s: Warning: missing or non-executable shell '%s'\n"),
+					         Prog, optarg);
+				}
 				user_shell = optarg;
 				def_shell = optarg;
 				sflg = true;
@@ -1912,7 +1919,7 @@ static void lastlog_reset (uid_t uid)
 	}
 }
 
-static void tallylog_reset (char *user_name)
+static void tallylog_reset (const char *user_name)
 {
 	const char pam_tally2[] = "/sbin/pam_tally2";
 	const char *pname;
@@ -1968,6 +1975,7 @@ static void usr_update (void)
 {
 	struct passwd pwent;
 	struct spwd spent;
+	char *tty;
 
 	/*
 	 * Fill in the password structure with any new fields, making
@@ -1980,10 +1988,12 @@ static void usr_update (void)
 	 * Create a syslog entry. We need to do this now in case anything
 	 * happens so we know what we were trying to accomplish.
 	 */
+	tty=ttyname (STDIN_FILENO);
 	SYSLOG ((LOG_INFO,
-	         "new user: name=%s, UID=%u, GID=%u, home=%s, shell=%s",
+	         "new user: name=%s, UID=%u, GID=%u, home=%s, shell=%s, from=%s",
 	         user_name, (unsigned int) user_id,
-	         (unsigned int) user_gid, user_home, user_shell));
+	         (unsigned int) user_gid, user_home, user_shell,
+	         tty ? tty : "none" ));
 
 	/*
 	 * Initialize faillog and lastlog entries for this UID in case
@@ -2152,8 +2162,9 @@ static void create_home (void)
 		}
 
 		(void) chown (prefix_user_home, user_id, user_gid);
-		chmod (prefix_user_home,
-		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+		mode_t mode = getdef_num ("HOME_MODE",
+		                          0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+		chmod (prefix_user_home, mode);
 		home_added = true;
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_ADD_USER, Prog,