Overview

Request 764969 superseded

- bsc#1160729: Make valid shell check only a warning
* Add shadow-4.8-shell-check.patch

- Update to 4.8:
* Initial optional bcrypt support.
* Make build/install of 'su' optional.
* Fix for vipw not resuming correctly when suspended
* Sync password field descriptions in manpages
* Check for valid shell argument in useradd
* Allow translation of new strings through POTFILES.in
* Migrate to itstool for translations
* Migrate to new SELinux api
* Support --enable-vendordir
* pwck: Only check homedir if set and not a system user
* Support nonstandard usernames
* sget{pw,gr}ent: check for data at EOL
* Add YYY-MM-DD support in chage
* Fix failing chmod calls for suidubins
* Fix --sbindir and --bindir for binary installations
* Fix LASTLOG_UID_MAX in login.defs
* Fix configure error with dash
- Remove because upstreamed:
* libeconf.patch
* shadow-usermod-variable.patch
- Rebase:
* shadow-login_defs-unused-by-pam.patch
* chkname-regex.patch
* shadow-util-linux.patch
* shadow-login_defs-comments.patch
- Add shadow-4.8-selinux-include.patch

Dominique Leuenberger's avatar
Dominique Leuenberger (dimstar) -
reviewer 
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/chpasswd is packaged with setuid/setgid bits (04755)
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/groupadd is packaged with setuid/setgid bits (04755)
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/groupdel is packaged with setuid/setgid bits (04755)
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/groupmod is packaged with setuid/setgid bits (04755)
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/newusers is packaged with setuid/setgid bits (04755)
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/useradd is packaged with setuid/setgid bits (04755)
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/userdel is packaged with setuid/setgid bits (04755)
[  120s] shadow.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/usermod is packaged with setuid/setgid bits (04755)

Please link-up with sec team about that

Dominique Leuenberger's avatar
Dominique Leuenberger (dimstar_suse) -
reviewer target maintainer

Need sec involvement for suid binaries (or packaging change)

Dominique Leuenberger's avatar
Dominique Leuenberger (dimstar) -
reviewer

This change causes openQA failures, as:

2019-12-30 11:28:11 <5> install(3531) [zypp] Exception.cc(log):166 RpmDb.cc(doInstallPackage):2123 THROW:    Subprocess failed. Error: RPM failed: groupadd -r -g 65533 nogroup
2019-12-30 11:28:11 <5> install(3531) [zypp] Exception.cc(log):166 groupadd -r -g 65534 nobody
2019-12-30 11:28:11 <5> install(3531) [zypp] Exception.cc(log):166 useradd -r -s /sbin/nologin -c "nobody" -g nobody -d /var/lib/nobody -u 65534 nobody
2019-12-30 11:28:11 <5> install(3531) [zypp] Exception.cc(log):166 useradd: invalid shell '/sbin/nologin'
2019-12-30 11:28:11 <5> install(3531) [zypp] Exception.cc(log):166 error: %prein(system-user-nobody-20170617-9.55.noarch) scriptlet failed, exit status 3
2019-12-30 11:28:11 <5> install(3531) [zypp] Exception.cc(log):166 error: system-user-nobody-20170617-9.55.noarch: install failed
Dominique Leuenberger's avatar
Dominique Leuenberger (dimstar) -
reviewer

I somewhat think it's checking against /etc/shells - which means we need to adapt aaa_base to add /sbin/nologin there as a valid shell

Michael Vetter's avatar
Michael Vetter (jubalh) -
author source maintainer

https://github.com/openSUSE/aaa_base/pull/67

Ludwig Nussel's avatar
Ludwig Nussel (lnussel) -

huh, you created https://github.com/shadow-maint/shadow/pull/187 yourself, you should know it's not /etc/shells but needs to be an executable. Means the failure is probably due to missing util-linux. The change to require an existing shell in useradd is harmful for initial installation.

Michael Vetter's avatar
Michael Vetter (jubalh) -
author source maintainer

https://github.com/shadow-maint/shadow/issues/207

Request History
Michael Vetter's avatar

jubalh created request

- bsc#1160729: Make valid shell check only a warning
* Add shadow-4.8-shell-check.patch

- Update to 4.8:
* Initial optional bcrypt support.
* Make build/install of 'su' optional.
* Fix for vipw not resuming correctly when suspended
* Sync password field descriptions in manpages
* Check for valid shell argument in useradd
* Allow translation of new strings through POTFILES.in
* Migrate to itstool for translations
* Migrate to new SELinux api
* Support --enable-vendordir
* pwck: Only check homedir if set and not a system user
* Support nonstandard usernames
* sget{pw,gr}ent: check for data at EOL
* Add YYY-MM-DD support in chage
* Fix failing chmod calls for suidubins
* Fix --sbindir and --bindir for binary installations
* Fix LASTLOG_UID_MAX in login.defs
* Fix configure error with dash
- Remove because upstreamed:
* libeconf.patch
* shadow-usermod-variable.patch
- Rebase:
* shadow-login_defs-unused-by-pam.patch
* chkname-regex.patch
* shadow-util-linux.patch
* shadow-login_defs-comments.patch
- Add shadow-4.8-selinux-include.patch

Factory Auto's avatar

factory-auto added opensuse-review-team as a reviewer

Please review sources

Factory Auto's avatar

factory-auto accepted review

Check script succeeded

Saul Goodman's avatar

licensedigger accepted review

ok

Ismail Dönmez's avatar

namtrac accepted review

Dominique Leuenberger's avatar

dimstar_suse set openSUSE:Factory:Staging:B as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:B"

Dominique Leuenberger's avatar

dimstar_suse accepted review

Picked "openSUSE:Factory:Staging:B"

Dominique Leuenberger's avatar

dimstar_suse added factory-staging as a reviewer

Being evaluated by group "factory-staging"

Dominique Leuenberger's avatar

dimstar_suse accepted review

Unstaged from project "openSUSE:Factory:Staging:B"

Michael Vetter's avatar

jubalh superseded request

superseded by 765745

openSUSE Build Service is sponsored by
Places